ML20210G679
| ML20210G679 | |
| Person / Time | |
|---|---|
| Site: | Catawba  |
| Issue date: | 09/22/1986 |
| From: | Jabbour K Office of Nuclear Reactor Regulation |
| To: | Tucker H DUKE POWER CO. |
| References | |
| GL-85-06, GL-85-6, NUDOCS 8609250451 | |
| Download: ML20210G679 (3) | |
Text
G Docket Nos.: 50-413 and 50-414 SEP 2 21986 Mr. H. B. Tucker, Vice President Nuclear Production Departnent Duke Power Company 422 South Church Street Charlotte, North Carolina 28242
Dear Mr. Tucker:
SUBJECT:
ANTICIPATED TRANSIENTS WITHOUT SCRAM - CATAWBA NUCLEAR PLANT, UNITS 1 AND 2 The Nuclear Regulatory Comission (NRC) staff has completed its review of the Westinghouse Owners' Group (WOG) Topical Report WCAP-10858 "AMSAC Generic Design Package" submitted in response to 10 CFR 50.62 " Requirements for Re-duction of Risk from Anticipated Transient Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants." Guidance for meeting the require-ments of 10 CFR 50.62 was provided in the preamble to that rule and was further provided to all licensees in Generic Letter 85-06 " Quality Assurance Guidance for ATWS Equipment That is Not Safety Related."
The results of the staff's review of the generic design for the ATWS mitiga-tion system actuation circuitry (AMSAC) are contained in the attached Safety Evaluation (SE). The staff has concluded that the generic design is acceptable; however, many plant specific details needed in order to ensure conformance with the rule are not addressed by the WOG generic design. These details needed by the NRC to complete the review are defined in the SE.
We request that you review the SE and provide, within 30 days of receipt of this letter, your schedules for addressing the plant specific design features discussed in Appendix A of the SE, and for implementation following the staff's approval of your plant specific design.
This request for information is covered under OMB clearance number 3150-0011 which expires September 30, 1986.
If you have any questions, please contact me at (301) 492-7367.
i Sincerely,
\O Kahtan Jabbour, Project Manager i
PWR Project Directorate #4 Division of PWR Licensing-A r
j
Enclosure:
As Stated cc: See next page DISTRIBUTION: See next page l
(d'3 i PWR#4/0PWR-A PWRfyqPWR-A PWR#4/ PWR-A KJabbour/mac htfuncpn BJYoungblood 09/p)/86 09//'l/86 09/[j/86 8609250451 860*722 PDR ADOCK 05000413 P PDR
- 'o UNITED STATES
- ~g 8' o NUCLEAR REGULATORY COMMISSION h : WASHINGTON. D. C. 20555 SEP 8 2 ,986 k * . . . . ,o#
Docket Nos.: 50-413 and 50-414 -
Mr. H. B. Tucker, Vice President Nuclear Production Department Duke Power. Company 422 South Church Street Charlotte, North Carolina 28242
Dear Mr. Tucker:
SUBJECT:
ANTICIPATED TRANSIENTS WITHOUT SCRAM - CATAWBA NUCLEAR PLANT, UNITS 1 AND 2 The Nuclear Regulatory Comission (NRC) staff has completed its review of the Westinghouse Owners' Group (WOG) Topical Report WCAP-10858 "AMSAC Generic Design Package" submitted in response to 10 CFR 50.62 " Requirements for Re-duction of Risk from Anticipated Transient Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants." Guidance for meeting the require-ments of 10 CFR 50.62 was provided in the preamble to that rule and was further provided to all licensees in Generic Letter 85-06 " Quality Assurance Guidance for ATWS Equipment That is Not Safety Related."
The results of the staff's review of the generic design for the ATWS mitiga-tion system actuation circuitry (AMSAC) are contained in the attached Safety Evaluation (SE). The staff has concluded that the generic design is acceptable; however, many plant specific details needed in order to ensure conformance with the rule are not addressed by the WOG generic design. These details needed by the NRC to complete the review are defined in the SE.
We request that you review the SE and provide, within 30 days of receipt of this letter, your schedules for addressing the plant specific design features discussed in Appendix A of the SE, and for implementation following the staff's approval of your plant specific design.
This request for infonnation is covered under OMB clearance number 3150-0011 which expires September 30, 1986.
If you have any questions, please contact me at (301) 492-7367.
Sincerely,
/ & l=. Y Y "
Kahtan Jabbour, Project Manager PWR Project Directorate #4 Division of PWR Licensing-A
Enclosure:
As Stated cc: See next page
Mr. H. B. Tucker Duke Power Company Catawba Nuclear Station cc: --
William L. Porter, Esq. North Carolina Electric Membership Duke Power Compary Corp.
P.O. Box 33189 3333 North Boulevard Charlotte, North Carolina 28242 P.O. Box 27306 J. Michael McGarry, III, Esq.
Bishop, Libennan, Cook, Purcell Saluda River Electric Cooperativo, and Reynolds Inc.
1200 Seventeenth Street, N.W. P.O. Box 929 Washington, D. C. 20036 Laurens, South Carolina 29360 North Carolina MPA-1 Senior Resident Inspector Suite 600 Route 2, Box 179N 3100 Smoketree Ct. York, South Carolina 29745 P.O. Box 29513 Raleigh, North Carolina 27626-0513 Regional Administrator, Region II U.S. Nuclear Regulatory Consnission, Mr. C. D. Markham 101 Marietta Street, NW, Suite 2900 Power Systems Division Atlanta, Georgia 30323 Westinghouse Electric Corp.
P.O. Box 355 Pittsburgh, Pennsylvania 15230 Mr. Heyward G. Shealy, Chief
, Bureau of Radiological Health NUS Corporation South Carolina Department of Health 2536 Countryside Boulevard and Environmental Control Clearwater, Florida 33515 2600 Bull Street Columbia, South Carolina 29201 County Manager of York County York County Courthouse Karen E. Long York South Carolina 29745 Assistant Attorney General N.C. Department of Justice Richard P. Wilson, Esq. P.O. Box 629 Assistant Attorney General Raleigh, North Carolina 27602 S.C. Attorney General's Office P.O. Box 11549 Spence Perry, Esquire Columbia, South Carolina 29211 Associate General Counsel Federal Emergency Management Agency Piedmont Municipal Power Agency Room 840 100 Memorial Drive 500 C Street Greer, South Carolina 29651 Washington, D. C. 20472 Mark S. Calvert Esq. Mr. Michael Hirsch Bishop, Libennan, Cook, Federal Emergency Management Agency Purcell & Reynolds Office of the General Counsel 1200 17th Street, N.W. Room 840 Washington, D. C. 20036 500 C Street, S.W.
Washington, D. C. 20472 Brian P. Cassidy, Regional Counsel Federal Emergency Management Agency, Region !
J. W. McConnach P0CH Boston, Massachusetts 02109
.. . , , e Mr. L. D. Butterfield, Chairman ATWS Subcomittee e Westinghouse Owner's Group Connonwealth Edison P.O. Box 767 Chicago, Illinois 60690 JUL 07 g
~~
Dear Mr. Butterfield:
SUBJECT:
ACCEPTANCE FOR REFERENCING OF LICENSING TOPICAL REPORT The Nuclear Regulatory Comission (NRC) staff has completed its review of the Topical Report WCAP-10858.
We find the report to be acceptable for referencing in license applications to the extent specified and under the limitations delineated in the report and the associated NRC evaluation, which is enclosed. The evaluation defines the basis for acceptance of the report.
- In accordance with procedures established in NUREG-0390, it is requested that Westinghouse publish an accepted version of this report within three months of receipt of this letter. The accepted version shall incorporate this letter and the enclosed evaluation after the title page. The accepted version shall include an -A (designating accepted) following the report identification symbol.
Should our criteria or regulations change such that our conclusions as to the acceptability of the report are invalidated Westinghouse and/or the applicants referencing the topical report will be expected to revise and resubmit their respective documentation, or submit justification for the continued effective applicability of the topical report without revision of their respective documentation.
Sincerely, .
0d CicnicicaoghT[
Charles E. Rossi, Assistant Director l
l Division of PWR Licensing-A Office of Nuclear Reactor Regulation
Enclosure:
Safety Evaluation ec: See attached list
- E1CSB/DPA SL/EICS BC/EICSJ/
JMauck:cp SHWeiss FRosacye 7// /86[ 7/ / /86 7/M/86 [/ W86 0FFICIALRECORDC03Y i
~
t
L. L. Butterfield ,
- . e cc: M. Adler, Westinghouse . .
M. Burrynski, TVA T. Lordi, Westinghouse -
T. Speis 1
F. Miraglia R. Bernero 1 G. Lainas
- D. Crutchfield j J. Calvo r R. Kendall i Distribution
Central Files EICSB Rdg J.Mauck(PF)(2)
- S. Weiss F. Rosa
, C. E. Rossi NRC PDR T. Novak E. Weinkam R. Diggs, LFMS
- R. Emch, PPAS
! J. Wilson, RSB
)
i l
l I
's
SAFETY EVALUATION OF TOPICAL REPORT (WCAP-10858)
, "AM5AC GENERIC DESIGN PACKAGE"
1.0 INTRODUCTION
In response to 10 CFR 50.62 " Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear' Power Plants",
Westinghouse on behalf of the Westinghouse Owner's Group (WOG) has submitted for review WCAP-10858 "AMSAC Generic Design Package." This document details the WOG's proposed generic ATWS Mitigation System Actuation Circuitry (AMSAC) designs for compliance with 10 CFR 50.62.
2.0 BACKGROUND
On July 26, 1984 the Code of Federal Regulations (CFR) was amended to include Section 10 CFR 50.62, " Requirements for Reduction of Risk from Anticipated Transients Without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" (known as the "ATWS Rule"). An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompanied by a failure of the reactor trip system (RTS) to shut down the reactor.
The ATWS rule requires specific improvements in the design and operation of com'-
mercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.
i 3.0 CRITERIA The basic requirement for Westinghouse plants is specified in paragraph (c)(1) of 10 CFR 50.62, "Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, I
j --
~
~(M fAfO
- - , - - - _ - . - + - - - - - - - - - . , , _ , . . , , . _ , . , , - . , _ , , - . ~ -. , . - - - . _ . _ _ _ , _ . _ - - _ . _ _ _ . _ _ . _ _ _ . _ _ . . . , _ _ _ _ . . . _ . , . _ , _ . _
.2 ,
to automatically initiate the auxiliary (or emergency) feedwater system and ini-tiate a turbine trip under conditions indicative of an ATWS. This equipment must 4
be designed to perform its function in a reliable manner and be independent (from sensor cutput to the final actuation device) from the existing reactor trip system."
i The criteria used in evaluating the Westinghouse report include; (1) 10 CFR 50.62, (2) guidance 'and infomation published as the preamble to that Rule, and (3)
Generic Letter 85-06 " Quality Assurance Guidance for ATWS Equipment that is not Safety-Related." The evaluation was done on a generic basis, and the relevant criteria is presented below.
The systems and equipment required by 10 CFR 50.62 do not have to meet all of the stringent requirements normally applied to safety-related equipment. However, this equipment is part of the broader class of structures, systems, and com-ponents defined in the introduction to 10 CFR 50, Appendix A (General Design Criteria).
! GDC-1 requires that " structures, systems, and components important to safety shall l
be designed, fabricated, erected, and tested to quality standards comensurate with the importance of the safety functions to be performed." Generic Letter 85-06
" Quality Guidance for ATWS Equipment that is not Safety-Related" details the quality assurance that must be applied to this equipment.
. __ __ _ _ ___. ~ . - _ - . _- _ ._ . - _
\ . .
.l ,
-3 ,
l 4
In general, the equipment to be installed in accordance with the'AfkS rule is required to be diverse from the existing RTS, and must be testable at ' power.
This equipment is intended to provide needed diversity (where only minimal diversity currently exists) to reduce the potential for common mode failures
! that could result in an ATWS leading to unacceptable plant conditions.
The ATWS mitigation design is not required to be safety-related (e.g., meet i .
IEEE-279). However, the implementation should incorporate good engineering practice and must be such that the existing protection system continues to meet
) all applicable safety related criteria. Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures
! is required from the sensors to, but not including the final actuation device.
j All mitigating system instrument channel components (excluding sensors and isola-l tion devices) must be diverse from the existing RTS. It is desirable, but not
! required, to use sensors and isolation devices that are not part of the RTS.
. The basis for not requiring diverse isolators is that the RTS unavailability and
- AMSAC availability (without a reactor trip signal) are similar with or without l
l the addition of a diverse isolator. Furthermore, with the addition of a new component (e.g., the diverse isolator) within AMSAC, the probability of not get-ting a reactor trip signal or AMSAC signal will be increased somewhat by the additional failure rate of the diverse isolator. However, if existing RTS sen-l sors and isolators are utilized, particular emphasis should be placed on the l method (s) used to qualify the isolators for their particular function. This -
w_---.-.-_.--- --.-,.---..-c--.,----we.-.ww,-..- ---.-.-- --,-.--..--.----,-,--w,---------%.--- ,y,---,- - , - .mw-w-- r-.----,.- , . . .
I ,
]
should include an analysis and tests which will demonstrate that the existing 2
isolator will function under the maximum worst case fault conditions. The required method for qualifying the isolators is presented in Appendix A.
! The capability for test and surveillance at power is required, however, sur-veillance frequencies have not been established at this time. During surveil-lance at power, the mitigating system may be bypassed, however, the bypass condi-l tion must be automatically and continuously indicated in the main control room.
) The AMSAC system design may also permit bypass of the mitigating function to l .
! allow for maintenance, repair, test, or calibration to prevent inadvertent actua-i tion of the protective action at the system level. Where operating requirements
- necessitate automatic or manual bypass of a mitigating system, the design should be such that the bypass will be removed automatically whenever pennissive conditions
!~
are not met.
The use of a maintenance bypass should not involve lifting leads, pulling fuses l or tripping breakers or physically blocking relays. A pennanently installed by-i pass switch or similar device should be used.
t
, t 7
The design should be such that once the ATWS mitigation system has been initiated, r
the protective action at the system level shall go to completion. Return to operation should require subsequent deliberate operator action.
l Manual initiation capability of the mitigating systems at the system level is desirable but not required. Manual initiation should depend upun the cperation t
4 I
l
. 5 e
of a minimum of equipment. The mitigating system should be designed to provide
~
the operator with accurate, complete and timely information pertinent to its own status.
Displays and controls for manual bypass and initiation of the mitigating system should be integrated into the main control room through system functional ana-
. lysis and should conform to good human engineering practices in design and layout. It is important that the displays and controls added to the control room as a result of the ATWS rule not increase the potential for operator error.
A human factor analysis should be performed taking into consideration:
(a) the use of this information and equipment by an operator during both normal and abnormal plant conditions.
(b) integration into emergency procedures, (c) integration into operator training, and (d) the presence of other alarms during an emergency and need for prioritization of alarms.
The power supplies are not required to be safety-related but they must be capable of performing safety functions with a loss of offsite power, Logic power must be from an instrument power supply independent from the power supplies for the existing reactor trip system. Existing RTS sensor and instrument channel power
,---...n-.. , . - - - - - , . - . , = - - - - -
6-l e
I supplies may be used only if the possibility of common mode failure is prevented.
1 The most severe ATWS scenarios were determined (see NUREG-0460 Appendix IV, WCAP-8330 and subsequent Westinghouse submittals) to be those in which there was a complete loss of normal feedwater. These included:
L,rrss of Normal Feedwater/ATWS Transient (LONF/ATWS)
A complete loss of norwal feedwater occurs which results from a malfunction in the feedwater condensate system or its control system from such causes as the simultaneous trip of all condensate pumps, the simultaneous trip of all main feedwater pumps or the simultaneous closure of all main feedwater control,' pump discharge or block valves.
Because of a postulated common mode failure in the RPS, the reactor is incapable of being automatically tripped when any of several plant pro-cess variables have reached their reactor trip setpoints.
Loss of Load /ATWS Transient (LOL/ATW5)
The most severe plant conditions that could result from a loss of load occur following a turbine trip from full power wh(9 the turbine trip is caused by a loss of main condenser vacuum. Because of a common mode failure in the protection system, the reactor is incapable of being automatically tripped as a result of the turbine trip or as the result of any of several other reactor trip signals that occur later in time when several plant process variables reach their reactor trip setpoints.
e
Upon loss of the main condenser vacuum, the main feedwater turbine-driven 1
~
pumps that exhaust into the main condenser are tripped, thereby cutting off feedwater flow to the steam generators. Not all nuclear plants are subject to this transient since many plants have motor-driven main feedwater pumps or they have turbine-driven pumps which do not exhaust into the main con-I denser. Since there is a complete loss of normal feedwater during both these transients (LONF/ATWS and LOL/ATWS), both transients assumed auxiliary feedwater (AFW) flow is started 60 seconds after the initiating event for long tenn reactor protection. Also the Complete Loss of Nomal Feedwater
-transient assumed a turbine trip 30 seconds after the initiating event to i
maintain short term RCS pressures below 3200 psig. Normally these features would be actuated by the Reactor Protection System (RPS) and the Engineered Safety Features Actuation System (ESFAS).
The primary safety concern from these two transients is the potential for
- high pressure within the RCS. If a comon mode failure in the RPS and the ESFAS incapacitates AFW flow initiation and/or turbine trip in addition to prohibiting a scram, then an alternate method of providing AFW flow and a turbine trip is required to maintain the RCS pressure below 3200 psig.
l The final rule which was approved by the Comissioners on November 11, 1983, requires that Westinghouse designed plants install ATWS Mitigating System Actuation Circuitry (AMSAC) to initiate a turbine trip and actuate AFW flow independent of the RPS (from the sensor output). These two functions, turbine trip and AFW flow actuation, are provided via the AMSAC. .
I
- \
. e j
l
~~
4.0 DESIGN DESCRIPTION The Westinghouse Owners Group (WOG) has developed generic designs to meet the requirements of 10 CFR 50.62. Three designs were developed which permits each 4
utility to select the design which best fits a particular plant's needs. Factors that may determine the design utilized at a plant range from the current control 1
and protection system design to the ease and cost of installation. The three designs are as follows:
The first design would actuate a turbine trip and auxiliary feedwater flow upon sensing that the steam generator inventory is below the low-low level setpoint.
This logic senses conditions indicative of an ATWS event when a loss of heat sink has occurred but will not actuate until after the reactor protection signals should have been generated. A turbine trip and start-up of all auxiliary feedwater pumps will occur upon receipt of an AMSAC signal.
The steam generator blowdown isolation and sample isolation valves would be automatically closed in all loops when AMSAC is actuated.
i The AMSAC signal will be generated by low water level signals in the steam gen-erators using existing sensor / transmitter units. For two loop plants, AMSAC will use two channels per loop with 3/4 coincidence to actuate AMSAC. The AMSAC coin-cidence logic for three loop plants is 2/3 with one channel per steam generator and the four loop plants coincidence logic is 3/4 with one channel per steam generator. ,
e The AMSAC signal will be automatically biccked below 70% power since short term protection against high reactor coolant system pressure is not required until 70% of nominal power. This will prevent spurious AMSAC actuation during start-up. To ensure that AMSAC remains armed long enough to perform its function in the event of a turbine trip, a C-20 permissive signal will be maintained for approximately 60 seconds. The AMSAC signal will be delayed by approximately 25 seconds to permit the RPS to respond first.
The second design mitigates the consequences of an ATWS loss of heat sink event by initiating AMSAC on low main feedwater flow measurements.
Actuation of AMSAC will occur on low main feedwater flow as measured by existing main feedwater flow sensor / transmitters. The setpoint to actuate AMSAC is 50%
of nominal main feedwater flow. Although 50% flow is more than ample to protect against overpressure in the event of an ATWS, instrumentation error would become unacceptably large if a substantially lower setpoint were used.
. To avoid inadvertent AMSAC actuation on the loss of one main feedwater pump, AMSAC actuation will be delayed approximately 25 seconds to permit the unfaulted main feedwater pump (s) to automatically increase the flow rate to above the AMSAC actuation setpoint. Recovery in this circumstance is possible since each main feedwater pump is capable of delivering typically 60% of full load capacity.
A turbine trip and start-up of all auxiliary feedwater pumps will occur upon receipt of an AMSAC signal. The steam generator blowdown isolation and sample a
e r
isolation valves should be automatically closed in all loops when AMSAC is actuated. ,
The AMSAC signal will be generated by low main feedwater flow to the steam generators. The AMSAC logic is two channels per loop with 3/4 coincidence logic for two loop plants; one channel per loop with 2/3 coincidence logic for three loop plants; and 3/4 coincidence logic for four loop pl, ants.
As in the fir'st'de' sign, the AMSAC signal will be automatically blocked below 70% power; the AMSAC signal will be delayed by 25 seconds; removal of the C-20 permissive signal will be delayed by approximately 60 seconds.
The third design determines that conditions indicative of an ATWS event are present by monitoring the feedwater control and isolation valves and the feedwater pump status, i Actuation of AMSAC will occur when it has been determined that all main feedwater pumps have been tripped or when main feedwater flow to the steam generators has been blocked due to valve closures.
Failures in the main feedwater system upstream of the main feedwater pumps that could result in the loss of main feedwater to the steam generators, e.g., trip-ping of all condensate pumps, will result in automatic main feedwater pump trips on low suction pressure. Therefore, explicit actuation of AMSAC based on fail-ures of componentsNupstream of the main feedwater pumps is not necessary.
. e Since AMSAC anticipates the plant response due to the loss of main feedwater pumps prior to the reactor protection system detecting an anticipated operational oc-currence, it is desirable to delay AMSAC actuation. A 30 second delay is suffi-cient to allow the reactor protection system to respond, Either of two different AMSAC concepts may be used, depending upon whether or not the main feedwater flow to the steam generators is split during normal power operation. Plants which contain D-4 and D-5 steam generators have split flow during nonnal. power operation. All other plants do not, although all plants with preheaters will have a minimal bypass flow through the feedwater bypass temper-ing valve (FBTV). For preheater plants which have split flow during normal power operation, approximately 10 to 20% of the total feedwater flow is passed through the feedwater preheater bypass valves (F/BV), while most of the remaining flow is passed through the feedwater isolation valve (FIV). If all FIVs were to close simultaneously, the flow through the FPBY would increase substantially and still provide protection against RCS overpressurization in the event of an ATWS.
Therefore the accidental closure of all FIVs is not a factor for plants which contain D-4 or D-5 steam' generators. All other plants however must account for the accidental closure of all FIVs as well as the accidental closure of all feed-water control valves (FCVs) and the accidental tripping of all main feedwater pumps.
A turbine trip and start-up of all auxiliary feedwater pumps will occur upon receipt of an AMSAC signal. The steam generator blowdown isolation and stmple l
l
-12 ,,
isolation valves should be automatically closed in all loops when KMSAC is actuated.
The AMSAC signal will be generated by the simultaneous tripping of all main feedwater pumps or the blocking of all main feedwater lines to the steam gen-erators due to valve malfunctions. The AMSAC coincidence logic is as follows:
Coincidence FW Valves FW Ftaps Loops Closed Tripped 2 3/4 N/N 3 2/3 N/N 4 3/4 N/N where N is the number of main feedwater pumps.
As in the first two designs, the AMSAC signal will be automatically blocked below 70% power and the removal of the C-20 permissive signal shall be delayed by ap-proximately 60 seconds.
5.0 CONCLUSION
Generic The staff has reviewed the Westinghouse Topical Report WCAP-10858, "AMSAC Gen-eric Design Package" and has concluded that the generic designs presented in WCAP-10858 adequately meet the requirements of 10 CFR 50.62 and follow the review l
guidelines that have been discussed previously.
l f
Plant specific WCAP-10858 presents a generic design, however many details and interfaces are of a plant specific nature. The staff will review the implementation of plant spe-cific designs to evaluate compliance with ATWS rule requirements. Key elements of the plant specific design reviews are denoted below.
o Diversity The plant specific submittal should indicate the degree of diversity ~ that exists between the AMSAC equipment and the existing Reactor Protection System. Equipment diversity to the extent reasonable and practicable to minimize the potential for common cause failures is required from the sen-sors output to, but not including, the final actuation device, e.g., exist-ing circuit breakers may be used for the auxiliary feedwater initiation.
The sensors need not be of a diverse design or manufacture. Existing protection system instrument-sensing lines, sensors, and sensor power
. supplies may be used. Sensor and instrument sensing lines should be l
selected such that adverse interactions with existing control systems are avoided, i
i
- o Logic power supplies ._
The plant specific submittal should discuss the logic power supply design.
According to the rule, the AMSAC logic power supply is not required to be safety-related (Class IE). However.. logic power should be from an instrument power supply that is independent from the reactor protec-tion system (RPS) power supplies. Our review of additional information submitted by WOG indicated that power to.the logic circuits will utilize RPS batteries and inverters. The staff finds this portion of the design unacceptable, therefore, independent power supplies should be provided.
o Safety-related interface The plant specific submittal should show that the implementation is such that the existing protection system continues to meet all applicable safety criteria.
o Quality assurance The plant specific submittal should provide information regarding com-pliance with Generic Letter 85-06, " Quality Assurance Guidance for ATWS Equipment that is not Safety-Related."
o Maintenance bypasses The plant specific submittal should discuss how ~maintenance at power is accomplished and how good human factors engineering practice is incorporated into the continuous indication of bypass status in the control room.
, e . -, --
15-
. - e
-~
o Operating bypasses The plant specific submittal should state that operating bypasses are continuously indica'ed t in the control room; provide the basis for the 70% or plant specific operating bypass level; discuss the human factors design aspects of the continuous indication; and discuss the diversity and independence of the C-20 pemissive signal (Defeats the block of AMSAC).
o Means for bypassing The plant specific submittal should state that the means for bypassing is accomplished with a pemanently installed, human factored, bypass switch or similar device, and verify that disallowed methods mentioned in the guidance are not utilized.
o Manual initiation
, The plant specific submittal should discuss how a manual turbine
. , trip and auxiliary feedwater actuation are accomplished by the operator.
o Electricalindepende2efromexistingreactorprotectionsystem c
The plant specific submittal should show that electrical independence is achieved. This is required from the sensor output to the final actuation device at which point non-safety-related circuits must be isolated from safety related circuits by qualified Class IE isolators. Use of existing isola!. ors is etceptable. However, each plant specific submittal should pro-vide an analysis and tests which demonstrates that the existing isolator will
' ~
function under the maximum worst case fault conditions. The required method for qualifying either the existing or diverse isolators is, presented in Appendix A.
o Physical separation from existing reactor protection system Physical separation from existing reactor protection system is not required, unless redundant divisions and channels in the existing reactor trip system are not physically separated. The implementation must be such that separa-tion criteria applied to the existing protection system are not violated.
The plant specific submittal should respond to this concern.
o Environmental qualification The plant specific submittal should address the environmental qualification of ATWS equipment for anticipated operational occurrences only, not for accidents.
o Testability at power Measures are to be established to test, as appropriate, non safety related ATWS equipment prior to installation and periodically. Testing of AMSAC may be performed with AMSAC in bypass. Testing of AMSAC outputs through the final actuation devices will be performed with the plant shutdown.
The plant specific submittals should present the test program and state that the output signal is indicated in the control room in a manner con-sistent with plant practices including human factors.
9
- e o Completion of mitigative action -
AMSAC shall be designed so that, once actuated, the completion of mitigating action shall be consistent with the plant turbine trip and auxiliary feed-water circuitry. Plant specific submittals should verify that the pro-tective action, once initiated, goes to completion, and that the subsequent return to operation requires deliberate operator action. -
o Technical specifications Technical specification requirements related to AMSAC will have to be addressed by plant specific submittals.
l e
APPENDIX A AMSAC ISOLATION DEVICE -
REQUEST FOR ADDITIONAL INFORMATION Each light water cooled nuclear reactor shall be provided with a system for the mitigation of the effects-from anticipated transients without scram (ATWS). The Comission approved requirements for the ATWS are defined in the C6de of Federal Regulations (CFR) Section 10, paragraph 50.62. ,
The staff has reviewed the Westinghouse Owner's Group generic functional AMSAC designs for compliance with the ATWS Rule. As a result, the staff has deter-mined that the use of isolators within AMSAC will be reviewed on a plant specific basis. The following additional information is required to continue and com-plete the plant specific isolator review:
Isolation Devices Please provide the following:
- a. For the type of device used to accomplish electrical isolation, describe the specific testing performed to demonstrate that the device is acceptable for its ' application (s). This description should include elementary diagrams when necessary to indicate the test configuration and how the maximum credible faults were applied to the devices.
- b. Data to verify that the maximum credible faults applied during the test were the maximum voltage / current to which the device could be exposed, and de-fine how the maximum voltage / current was determined.
- c. Data to verify that the maximum credible fault was applied to the output of the device in the transverse mode (between signal and return) and other faults were considered (i.e., open and short circuits).
- d. Define the pass / fail acceptance criteria for each type of device.
- e. Provide a comitment that the isolation devices comply with the environ-ment qualifications (10 CFR 50.49) and with the seismic qualifications which were the basis for plant licensing.
- f. Praide a description of the measures taken to protect the safety systems from electrical interference (i.e., Electrostatic Coupling, EMI, Common Mode and Crosstalk) that may be generated by the ATWS circuits,
- g. Provide information to verify that the Class IE isolator is powered from a Class 1E source.
(
O
o' *%
v s
l
/
a <C PDR l 4
Local PDR ,
i PRC System t PWR#4 Reading MDuncan 3 BJYoungblood Reading l l KJabbour
! ACRS (10)
OGC-Bethesda i JPartlow BGrimes EJordan NThompson i 1
i 1
l i
I s
i I
t I
i f
4 l
l t
_ _ _ . , _ _ . _ _ _ _ _ _ . . . _ . . _ - . _ _ _ _ . _ . _ . . . _ _ _ - _ _ _ . _ . . _ _ . _ . _ . _ _ _ _ .