NRC-16-0034, Fermi, Unit 2, Revision 20 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls
Text
FERMI 2 UFSAR CHAPTER 7: INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION
7.1.1 Identification
and Classification of Safety
-Related and Power Generation Systems 7.1.1.1 General Depending on their function, instrumentation and control systems may be classified as either power generation systems or safety systems. In some cases, portions of a system may have a safety function while other portions of the same system may be classified as power generation. A complete description of the reasoning behind this system of classification can be found in Subsection 1.2.1.
The systems presented in this chapter have been classified under safety design
-basis systems, power generation design
-basis systems, reactor protection systems (RPS), engineered safety feature (ESF) systems (containment isolation, emergency core cooling system, etc.), safe shutdown systems, other safety and power generation systems, and control systems. Figure 7.1-1 lists the Fermi 2 safety
-related instrumentation, control, and supporting systems. Instrumentation and control systems identical to those of nuclear power plants of similar design that have recently received construction permits or operating licenses are identified in Table 7.1-1. 7.1.1.2 Identification of Individual Systems The RPS instrumentation and control initiates an automatic reactor shutdown (scram) if monitored system variables exceed preestablished limits. This action prevents fuel damage, limits system pressure, and thus restricts the release of radioactive material.
The primary containment and reactor vessel isolation control system (CRVICS) initiates closure of various automatic isolation valves in response to a limiting value of a system variable. The closure of isolation valves enables containment of radioactive materials either inside the reactor pressure vessel (RPV) or inside the primary containment.
The system responds to various indications of pipe breaks or radioactive material release.
The emergency core cooling system (ECCS) instrumentation and control provides initiation and control of specific core cooling systems such as the high
-pressure coolant injection (HPCI) system, the automatic depressurization system (ADS), the core spray system, and the low-pressure coolant injection (LPCI) system.
The neutron monitoring system (NMS) instrumentation and control uses in
-core neutron detectors to monitor core neutron flux. The NMS provides signals to the RPS to shut down the reactor when an overpower condition is detected. High average neutron flux is used as the overpower indicator during power operation. Intermediate range detectors are used as overpower indicators during startup and shutdown. The NMS also provides power level indication during planned normal operation.
The refueling interlocks instrumentation and control serves as a backup to procedural core reactivity control during refueling operations.
7.1-1 REV 1 9 1 0/1 4 FERMI 2 UFSAR The reactor manual control system (RMCS) instrumentation and control allows the operator to manipulate control rods and to determine their positions. Various interlocks are provided in the control circuitry to prevent multiple operator errors or equipment malfunctions from requiring the action of the RPS.
The RPV instrumentation monitors and transmits information concerning key RPV operating variables.
The recirculation flow control system (RFCS) instrumentation and control controls the reactor recirculation pumps and motor
-generator sets to vary the coolant flow rate through the core. This system permits either manual or automatic control. The recirculation pump trip (RPT) function of the RFCS is designed to mitigate the effects of an anticipated transient without scram (ATWS) event.
The feedwater system instrumentation and control regulates the feedwater system flow rate so that proper RPV water level is maintained. The feedwater control system uses RPV water level, main steam flow, and feedwater flow signals to regulate feedwater flow. The system is arranged to permit single
-element (level only), three
-element (level, steam flow, feed flow), or manual operation.
Pressure-regulator and turbine
-generator instrumentation and control work together to allow proper generator and reactor response to load
-demand changes. The pressure regulator acts to keep nuclear system pressure essentially constant, so that pressure
-induced core reactivity changes are controlled. To maintain constant pressure, the pressure regulator adjusts the turbine control valves or turbine bypass valves. The turbine
-generator controls regulate turbine speed during startup. If the generator electrical load is lost, the turbine
-generator speed-load controls initiate rapid closure of the turbine control valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed.
The process radiation monitor system (PRMS) instrumentation and control for process liquid and gas lines provides control of radioactive material released from the Fermi site. The main steam line radiation monitors detect gross release of fission products from the fuel and provide a trip signal resulting in reactor scram and MSIV isolation.
The area radiation monitor system (ARMS) instrumentation provides gamma
-sensitive detectors throughout the plant. Outputs are recorded on multipoint recorders.
Reactor core isolation cooling (RCIC) system instrumentation and control causes the addition of makeup water to the RPV in the event that the reactor feedwater supply system is lost during plant operation.
Standby liquid control system (SLCS) instrumentation and control provides for manual initiation of a reactivity control system redundant to manual control rod movement which can shut the reactor down from rated power to the cold condition if withdrawn control rods cannot be inserted to achieve reactor shutdown. In addition, SLCS instrumentation and control provides for manual initiation of a pH control system following a LOCA in the even t
of fuel failure.
Reactor water cleanup (RWCU) system instrumentation and control provides for manual initiation of system equipment to maintain high water purity and reduce concentrations of fission products in the reactor water.
7.1-2 REV 1 9 1 0/1 4 FERMI 2 UFSAR The leak detection system (LDS) instrumentation and control uses various temperature, pressure, and flow sensors to detect, annunciate, and isolate (in certain cases) water and steam leaks in selected reactor systems.
The residual heat removal (RHR) system instrumentation and control provides for manual initiation of cooling to remove the decay and sensible heat from the RPV so that the reactor can be refueled and serviced.
Radwaste system instrumentation and control supports manual processing and disposing of the radioactive process wastes generated during power operation.
The emergency diesel generator (EDG) instrumentation and controls automatically provide ac power to those devices necessary to effect a safe shutdown with subsequent reactor decay heat removal should normal offsite power not be available.
The alternate rod insertion (ARI) function of the control rod drive (CRD) system is designed to mitigate the potential consequences of an ATWS. The ARI equipment is redundant and diverse to the RPS and has its own detection and actuation logic.
The various instrumentation and control system designers and fabricators are identified in Table 7.1-2. Emergency support facilities, which include an onsite technical support center (TSC), an onsite operational support center (OSC), an onsite emergency operations facility (EOF), an alternate (offsite) EOF, and the Integrated Plant Computer System (IPCS) for data handling and computational capabilities are provided to support operations in the event of an emergency.
7.1.1.3 Classification 7.1.1.3.1 Safety-Related Systems Safety systems are those systems whose actions are necessary to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material. These systems may be components, groups of components, or groups of systems. A complete list of these systems is shown in Figure 7.1
-1. 7.1.1.3.2 Power Generation Systems Power generation systems are systems whose actions are not required to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material. The instrumentation and control portions of these systems may, by their actions, prevent the plant from exceeding preset limits that would cause action of the safety systems. A complete list of these systems is shown in Figure 7.1
-1. 7.1.1.3.3 General Functional Requirements Power generation systems and safety systems may have both a safety design basis and a power generation design basis, depending on their function. The safety design basis states in functional terms the unique design requirements that establish limits for the operation of the system. The general functional requirements portion of the safety design basis is those 7.1-3 REV 1 9 1 0/1 4 FERMI 2 UFSAR requirements that have been determined to be sufficient to ensure the adequacy and reliability of the system from a safety viewpoint. Many of these requirements have been introduced into various codes, criteria, and regulatory requirements.
7.1.1.3.4 Specific Regulatory Requirements All systems have been examined with respect to specific regulatory requirements applicable to instrumentation and control. These regulatory requirements consist of all applicable codes including 10 CFR 50, Appendix A, General Design Criteria; 10 CFR 50, Appendix B, Quality Assurance Criteria; and regulatory guides.
As a result of this examination, it has been determined that two IEEE standards are applicable to the instrumentation and control associated with every safety
-related system: IEEE 344-1971 and IEEE 323
-1971. Compliance with the requirements of IEEE 323
-1971 and IEEE 344
-1971 for GE
-supplied systems is discussed in NEDO
-10678, respectively, and Sections 3.11 and 3.10 of the UFSAR.
Fermi 2 complies with IEEE 336
-1971, except as modified by the Edison Quality Assurance (QA) procedures.
The specific regulatory requirements applicable to each system's instrumentation and control are specified in appropriate subsections. The four most important safety systems have been reduced to the subsystem level and the applicable regulatory requirements are specified. This information is contained in Figures 7.1-2 through 7.1
-5. 7.1.2 Identification of Safety and Power Generation Criteria Design bases and criteria for instrumentation and control equipment design are based on the need to have the system perform its intended function while meeting requirements of applicable general design criteria, regulatory guides, and industry standards.
The plant instrumentation and control systems are listed by functional classification and regulatory classification in Figure 7.1
-1. Nominal instrument setpoints and ranges are shown in Chapter 7. Final instrument setpoints are provided in the Technical Specifications.
7.1.2.1 Design Bases IEEE 279-1971 defines the design requirements with respect to the design bases of safety
-related systems. Using the IEEE 279
-1971 format, the following fulfills these requirements:
- a. The generating station conditions that require protective action are
- 1. Excessive radioactive releases to the atmosphere
- 2. Excessive nuclear system stress
- 3. Excessive containment stress.
- b. The generating station variables that require monitoring to provide protective actions are listed in Tables 7.2
-2, 7.2-3, 7.3-5 through 7.3
-8, and 7.3
-10 7.1-4 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- c. The minimum number of sensors and locations required to monitor safety
-related variables is shown in Tables 7.2
-2, 7.2-3, 7.3-5 through 7.3
-8, and 7.3
-10 d. Conservative operational limits for each safety
-related variable are discussed in the Technical Specifications
- e. The margin between operational limits and the level of determining the onset o f unsafe conditions is discussed in the Technical Specifications
- f. Levels requiring protective action are discussed in the Technical Specifications
- g. Range of energy supply and environmental conditions of safety systems is shown in Section 8.3 and Tables 3.11-1 through 3.11
-4, respectively
- h. Malfunctions, accidents, and other unusual events that could cause damage to safety systems are discussed in Subsections 7.2.2.2.2.1 and 7.3.1.3
- i. Minimum performance requirements are shown in Tables 7.2
-2, 7.2-3, 7.3-5, 7.3-6, 7.3-8, and 7.3
-10. 7.1.2.1.1 Reactor Protection System 7.1.2.1.1.1 Safety Design Bases General Functional Requirements The RPS is designed to meet the following functional requirements:
- a. The RPS initiates a reactor scram with precision and reliability to prevent or limit fuel damage following abnormal operational transients
- b. The RPS initiates a scram with precision and reliability to prevent damage to the nuclear system process barrier as a result of excessive internal pressure: that is, to prevent nuclear system pressure from exceeding the limit allowed by applicable industry codes
- c. To limit the uncontrolled release of radioactive materials from the fuel or nuclear system process barrier, the RPS precisely and reliably initiates a reactor scram upon gross failure of either of these barriers
- d. To detect conditions that threaten the fuel or nuclear system process barriers, RPS inputs are derived from variables that are true direct measures of operational conditions
- e. The RPS responds correctly to the sensed variables over the expected range of magnitudes and rates of change
- f. An adequate number of sensors are provided for monitoring essential variables that have spatial dependence
- g. The following bases ensure that the RPS is designed with sufficient reliability
- 1. If failure of a control or regulating system causes a plant condition that requires a reactor scram but also prevents action by necessary RPS 7.1-5 REV 1 9 1 0/1 4 FERMI 2 UFSAR channels, the remaining portions of the RPS meet the requirements of Items a., b., and c. above
- 2. Loss of one power supply neither causes nor prevents a reactor scram
- 3. Once initiated, a RPS action goes to completion. Return to normal operation requires deliberate operator action
- 4. There is sufficient electrical and physical separation between redundant instrumentation and control equipment monitoring the same variable to prevent environmental factors, electrical transients, or physical events from impairing the ability of the system to respond correctly
- 5. Earthquake ground motions, as amplified by building and supporting structures, do not impair the ability of the RPS to initiate a reactor scram. See also Section 3.10
- 6. No single failure within the RPS prevents proper RPS action when required to satisfy the safety design bases Items a., b., and c. above
- 7. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the ability of the RPS to respond correctly
- 8. The system is designed for a high probability that when the required number of sensors for any monitored variable exceeds the scram setpoint, the event results in an automatic scram and does not impair the ability of the system to respond correctly as other monitored variables exceed their scram trip points.
- 9. The operation of the Hydrogen Water Chemistry System is prevented from affecting RPS operation by the use of contact
-to-coil separation.
- h. The following bases reduce the probability that RPS operational reliability and precision will be degraded by operator error:
- 1. Access to trip settings, component calibration controls, test points, and other terminal points are under the control of plant operations supervisory personnel 2. Manual bypass of instrumentation and control equipment components is under the control of the main control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously indicated in the main control room.
7.1-6 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- 1. Equipment associated with the RPS, primary containment isolation system, and ESF equipment is identified so that two facts are apparent:
first, that the equipment is part of the RPS, primary containment isolation system, or an ESF system; and second, that the equipment is associated with a particular grouping (or division) of enforced segregation
- 2. Panels and racks associated with these systems are labeled with marker plates that are conspicuous by means of color, shape, or color of engraving fill. The information on the marker plate includes both system and division identification
- 3. Junction and/or pull boxes enclosing wiring for the RPS and an ESF system have identification similar to and compatible with the panels and racks described above
- 4. Wiring and cables outside cabinets and panels are suitably color
-coded to identify the division. Identification tags or markers for wiring conduits are conspicuously different from other similar tags and markers and shall include both system and division identity
- 5. Those trays or conduits that carry RPS or ESF system wiring are to be identified with conspicuous tags at entrance and exit points of each room through which they pass. Specific Regulatory Requirements The RPS is designed to meet the following functional requirements:
- a. Industry Standards
- In addition to the previous functional design requirements, the RPS complies with the requirements of IEEE 279
-1971. A point-by-point comparison of IEEE 279
-1968 is contained in Topical Report NEDO
-10139. Section 7.2.2.2.2 of the UFSAR lists those topics where IEEE 279
-1971 differs from IEEE-279-1968 and shows conformance to those differences. IEEE 323
-1971, IEEE 338
-1971, IEEE 379-1972, and IEEE 344
-1971 also apply to the RPS b. General Design Criteria of (GDC) l0 CFR 50
- GDC 13,20-24, and 29 of l0 CFR 50, Appendix A, have also been implemented in the design of the RPS
- c. Regulatory Guides
- Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Function, applies with respect to periodic testing, and Regulatory Guide 1.53, Trial
-Use Guide for the Application of the Single
-Failure Criterion to Nuclear Power Generating Station Protection Systems, applies with respect to single
-failure criteria.
7.1.2.1.1.2 Power Generation Design Basis The RPS has no power generation objective. The setpoints, power sources, and instrumentation and control are arranged in such a manner as to preclude spurious scrams.
7.1-7 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.1.2.1.2 Containment and Reactor Vessel Isolation Control System Safety Design Bases
- General Functional Requirements The following functional design bases are implemented in the containment and reactor vessel isolation control system (CRVICS):
- a. The time required to close the main steam isolation valves (MSIVs) is short in order to minimize the loss of coolant from a main steam line break
- b. The time required to close the MSIVs is not so short that inadvertent isolation of steam lines causes a more severe transient than the transient resulting from closure of the turbine stop valves coincident with failure of the turbine bypass system. This ensures that the MSIV closure speed is compatible with the ability of the RPS to protect the fuel and nuclear system process barrier
- c. To ensure the timely isolation of main steam lines, at least one of the isolation valves in each of the main steam lines does not rely on continuity of any variety of electrical power to achieve closure
- d. To provide the operator with means redundant to the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier, it is possible for the main control room operator to manually initiate isolation of the RPV
- e. To limit the release of radioactive materials to the environs, the containment, drywell, and reactor vessel isolation control system, with precision and reliability, initiates timely isolation of penetrations through the containment and drywell structure whenever the values of monitored variables exceed preselected operational limits
- f. To provide assurance that important variables are monitored with precision, an adequate number of sensors are provided (Table 7.3
-9) g. To provide assurance that conditions indicating a failure of the nuclear system process barrier are detected with sufficient timeliness and precision, primary CRVICS inputs are derived, to the extent feasible and practical, from variables that are direct measures of operational conditions
- h. The steam resulting from a design
-basis LOCA flows to the pressure suppression pool to limit pressure in the containment
- i. The power supplies for the containment, drywell, and reactor vessel isolation control system are arranged so that loss of one supply cannot prevent automatic isolation when required
- j. The system is designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action requires deliberate operator action
- k. Earthquake ground motions do not impair the ability of the containment, drywell, and reactor vessel isolation control system to initiate automatic isolation 7.1-8 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- l. Any one failure, maintenance operation, calibration operation, or test to verify operational availability does not impair the functional ability of the isolation control system to respond correctly to essential monitored variables, assuming no other active failure occurs
- m. The system is designed for a high probability that, should any essential monitored variable exceed the isolation setpoint, the event results in automatic isolation and does not impair the ability of the system to respond correctly as other monitored variables exceed their trip points
- n. There is sufficient electrical and physical wiring and piping separation between trip channels monitoring the same essential variables to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly, in accordance with Paragraph 4.6 of IEEE 279
-1971. Safety Design Bases
- Specific Regulatory Requirements The requirements of IEEE 279
-1971 and IEEE 338
-1971 are met by the CRVICS. See Section 3.10 for IEEE 344
-1971 and Section 3.11 for IEEE 323
-1971 conformance discussions.
7.1.2.1.3 Emergency Core Cooling System Safety Design Bases
- General Functional Requirements The ECCS instrumentation and control is designed to meet the following functional safety design bases:
- a. They automatically initiate and control the ECCS to prevent fuel cladding temperatures from reaching the NRC interim acceptance criterion
- b. They respond to a need for emergency core cooling, regardless of the physical location of the malfunction or break that causes the need
- c. The following safety design bases are specified to limit dependence on operator judgment in times of stress:
- 1. The ECCS responds automatically so that no action is required of plant operators within 10 minutes after a LOCA
- 2. The performance of the ECCS is indicated by main control room instrumentation.
- d. Facilities for manual control of the ECCS are provided in the main control room. Safety Design Bases
- Specific Regulatory Requirements The ECCS instrumentation and control is designed to meet the following specific regulatory requirements:
- a. The instrumentation and control meets the requirements of IEEE 279
-1971. The following safety design bases are specified to ensure reliability:
7.1-9 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- 1. No single malfunction, maintenance, calibration, or test procedure prevents function of the ECCS, assuming no other active or passive failure occurs
- 2. No protective device automatically interrupts performance or availability of the ECCS unless continued operation would cause complete failure.
Such protective devices indicate abnormal conditions for operator decision and action.
- b. The instrumentation and control meets the requirements of IEEE 338
-1971 c. The instrumentation and control meets the requirements of IEEE 323
-1971 as discussed in Section 3.11
- d. The instrumentation and control meets the requirements of IEEE 344
-1971 as discussed in Section 3.10
- e. The requirements of GDC 13, 35, 36, and 37 of 10 CFR 50, Appendix A, are met f. The requirements of Regulatory Guide 1.22 are met.
7.1.2.1.4 Neutron Monitoring System 7.1.2.1.4.1 Source Range Monitor System The source range monitor (SRM) system meets the following power generation design bases:
- a. Neutrons generated by irradiated fuel and neutron detectors together provide a signal-to-noise ratio of at least 2:1 and a count rate of at least 3 counts per second with all control rods fully inserted prior to initial power operation The minimum count rate may be reduced to 0.7 CPS provided the signal
-to-noise ratio is 20 and is not applicable during certain refueling operations covered by Technical Specification 3.3.1.2 when the minimum count rate may not be able to be maintained.
- b. The SRM system is able to
- 1. Indicate during the worst possible startup rod withdrawal conditions a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 sec
- 2. Indicate substantial increases in output signals with the maximum permitted number of SRM system channels out of service during normal reactor startup operations
- 3. Have channels on scale when the intermediate range monitor (IRM) system first indicates neutron flux during a reactor startup 7.1-10 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- 4. Provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience
- 5. Generate interlock signals to block control rod withdrawal if the count rate exceeds a preset value or falls below a preset limit if the IRMs are not above the second range or if certain electronic failures occur.
7.1.2.1.4.2 Intermediate Range Monitor System Safety Design Basis The IRM system generates a trip signal that can be used to prevent fuel damage caused by abnormal operational transients that occur while operating in the intermediate power range. The independence and redundancy incorporated in the design of the IRM system are consistent with the safety design bases of the RPS. The IRM system is designed in accordance with the same federal codes, regulatory guides, and IEEE standards applied to the RPS. Power Generation Design Bases The IRM system generates a trip signal to block rod withdrawal if the IRM system reading exceeds a preset value or if the IRM system is not operating properly. The IRM system has overlapping neutron flux indications relative to the SRM system and power range monitoring subsystems.
7.1.2.1.4.3 Local Power Range Monitor System Power Generation Design Bases The local power range monitor (LPRM) system meets the power generation design bases and supplies the following:
- a. Signals to the average power range monitor (APRM) system proportional to the local neutron flux at various locations within the reactor core
- b. Signals to the rod block monitor (RBM) system to indicate changes in local relative neutron flux during the movement of control rods
- c. Signals to alarm high or low local neutron flux
- d. Signals proportional to the local neutron flux to operator display assemblies to be used for operator evaluation of power distribution, local heat flux, minimum critical power ratio, and fuel burnup rate
7.1.2.1.4.4 Average Power Range Monitor System Safety Design Basis During the worst permitted input LPRM system bypass conditions, the APRM system generates a trip signal in response to average neutron flux increases resulting from abnormal operational transients in time to prevent fuel damage. Each APRM also includes an OPRM 7.1-11 REV 1 9 1 0/1 4 FERMI 2 UFSAR Upscale Function that generates a trip signal upon detection of thermal hydraulic induced power oscillations. The APRM system is designed in accordance with the requirements of the safety design bases of the RPS.
Power Generation Design Bases The APRM system provides
- a. A continuous indication of average reactor power from a few percent to 125 percent rated reactor power to the operator in the main control r oom b. A continuous indication of average reactor power from a few percent to 125 percent rated reactor power to the Integrated Plant Computer System (IPCS)
- c. Interlock signals for blocking further rod withdrawal to avoid an unnecessary scram actuation
- d. A reference power level for the RBM system 7.1.2.1.4.5 Rod Block Monitor System The power generation design bases for the RBM system meet the following power generation design bases:
- a. Prevent local fuel damage that may result from a single rod withdrawal error
- b. Provide a signal used by the operator to evaluate the change in the local relative power level during control rod movement
- c. Prevent any single short or open of any single input to the RBM system from affecting any other inputs to the RBM system d. Meet GDC 24 of 10 CFR 50, Appendix A.
7.1.2.1.4.6 Traversing In
-Core Probe System The traversing in
-core probe (TIP) system meets the following power generation design bases: a. Provides a signal proportional to the axial neutron flux distribution at selected small axial intervals over the regions of the core where LPRM system detector assemblies are located. This signal is of high precision to allow reliable calibration of LPRM system gains
- b. Provides accurate indication of the position of the flux measurement which allows pointwise or continuous measurement of the axial neutron flux distribution.
7.1.2.1.5 Refueling Interlocks Refueling interlocks meet the following safety design bases:
- a. During fuel movements in or over the reactor core, all control rods are in their fully inserted positions 7.1-12 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- b. No more than one control rod can be withdrawn from its fully inserted position at any time when the reactor is in the refuel mode.
7.1.2.1.6 Reactor Manual Control System Power Generation Design Basis The RMCS provides the reactor operator with the means for controlling the power level and power distribution in the core. This is done by control rod positioning capability, which depends on electrical circuitry and switches. Position and power indicators provide surveillance of actions taken and the results of these actions.
Classification This system is a power generation system, not essential for safety, and is classified in Chapter 3.
7.1.2.1.7 Reactor Vessel Power Generation Instrumentation The power generation design bases for the RPV instrumentation consist of maintaining proper operating conditions. To maintain proper operating conditions, the RPV instrumentation is designed to provide the operator with sufficient indication of RPV temperature, reactor core flow rate, RPV water level, RPV pressure, and nuclear system leakage. These instruments augment existing information such that the operator can start up, operate, shut down, and service the reactor efficiently. Because the RPV instrumentation used for RPS, ESF, safe shutdown systems, and certain control systems is described and evaluated in other portions of this document, only those instruments not required for safety systems are described (Subsection 7.6.l.2).
7.1.2.1.8 Recirculation Flow Control System Safety Design Bases The RFCS functions so that no abnormal operational transient resulting from a malfunction in the RFCS can result in damaging the fuel or exceeding nuclear system pressure limits.
Power Generation Design Bases The RFCS is designed to allow manual recirculation flow adjustment, thereby enabling manual control of reactor power level.
7.1.2.1.9 Feedwater Control System The feedwater control system meets the power generation design bases by regulating the feedwater flow to maintain adequate water level in the RPV according to the requirements of the steam separators, and to prevent uncovering of the reactor core over the entire power range of the reactor.
7.1.2.1.10 Pressure Regulator and Turbine
-Generator Control One of the main features of direct cycle BWRs is the direct passage of the nuclear steam supply system (NSSS) generated steam through the turbine. In this system the turbine is slaved to the reactor, in that all the steam generated by the reactor is normally accepted by 7.1-13 REV 1 9 1 0/1 4 FERMI 2 UFSAR the turbine. The operation of the reactor demands that the pressure regulator concept be applied to maintain a constant turbine inlet pressure with load
-following ability handled by variation of the reactor recirculation flow or control rod position.
The turbine pressure regulator, in maintaining constant stop valve pressure, operates the steam bypass system such that up to 2 3.5 percent of nuclear boiler rated flow can be bypassed when operating below the maximum steam flow limit as well as during the startup and shutdown phases.
The pressure regulator and turbine
-generator control system accomplishes the following control functions:
- a. Controls turbine speed and turbine acceleration
- b. Operates the steam bypass system to keep reactor pressure within limits, and avoids large power transients
- c. Adjusts (manually) 52
-in. manifold pressure to nullify a 30 psi drop over a reactor flow of 0 to 100 percent.
7.1.2.1.11 Process Radiation Monitor System The process radiation monitor system is discussed in Section 11.4.
7.1.2.1.12 Area Radiation Monitor System The area radiation monitor system is discussed in Section 12.1.
7.1.2.1.13 Offsite Environs Radiological Monitoring Programs This material is discussed in the Offsite Dose Calculation Manual (ODCM).
7.1.2.1.14 Rad-Chem Radiation Monitoring Instruments This material is discussed in Section 12.3.
7.1.2.1.15 Plant Computer Systems 7.1.2.1.15.1 Integrated Plant Computer System (IPCS)
The IPCS is a non
-safety related computer system that combines various functions of legacy computer systems that it replaced. The IPCS provides the capability of monitoring, recording and displaying plant parameters via strategically located display devices.
The IPCS meets the following power generation design basees:
- a. The IPCS is designed for use with, and has capacity for, the Fermi 2 plant alone.
- b. The Scan, Log and Alarm (SLA) function provides continuous monitoring of plant parameters through on
-line data acquisition equipment. Plant parameters are alarmed and logged based on pre
-determined setpoints.
7.1-14 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- c. The IPCS supplies information to the operator via a man
-machine interface (MMI) consisting of video displays and printers mounted within the operating panels. d. Data archival of plant parameters is provided on both a short term (at process scan rates) and on a long term basis (at a reduced scan rate).
- e. The Nuclear Steam Supply System (NSSS) function processes the heat balance data related to core operation into a condensed and usable form that assists in operating the core within prescribed limits.
Reactor heat balance analysis is accomplished with both periodic and on
-demand programs.
The results from these calculations are displayed through alarms and on
-demand and periodic computer printouts.
- f. The Balance of Plant (BOP) function provides extended features beyond the NSSS function to other plant systems. The on
-line data values required for monitoring BOP systems are obtained from BOP system sensors shared with other systems and from sensors installed specifically to provide input data for the computer. The IPCS is able to perform certain BOP calculations to aid with equipment operation and equipment operation documentation.
The on-line data-gathering and computation ability of the IPCS allows the display of on
-line equipment performance indicators. These indicators provide a condensed summary of BOP equipment operational status.
- g. The Emergency Response function is designed to gather data from selected plant parameters and data systems for use in the Safety Parameter Display System (SPDS) function and Emergency Response Data System (ERDS) function. The SPDS function calculates and displays the value and status of the primary variables of the following systems:
- 1. Core Cooling
- 2. Fuel integrity
- 3. Reactivity
- 4. Reactor coolant system integrity
- 5. Containment integrity
- 6. Radioactivity effluent to the environment The design basis of the SPDS function is to display to operating personnel a minimum set of parameters that define the status of the plant as necessary to assess plant safety status.
The ERDS function provides the NRC with SPDS data through a dedicated datalink.
7.1-15 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- h. The Meteorological (MET) function is designed to provide calculations using various meteorological parameters obtained from the Meteorological Data Acquisition System (MDAS). These calculations are used to support the requirements of Regulatory Guide 1.23 "Onsite Meteorological Programs".
- i. The Transient Recording and Analysis (TRA) function is designed to provide high-speed recording of select plant parameters that are of significant importance during plant transients. The analysis portion of the function provides statistical data reduction capabilities to aid operating personnel in understanding the event.
The IPCS interfaces with a wide variety of external systems through specialized data links for providing or obtaining process parameters. These systems include: a. 3D-Monicore Computer System (3DM)
- b. Power Range Neutron Monitor System (PRNM)
- c. Rod Worth Minimizer System (RWM)
- d. Traversing Incore Probe (TIP) System
- e. Radiological Dose Assessment Application (Raddose V)
- f. Meteorological Data Acquisition System (MDAS) 7.1.2.1.15.2 3D-Monicore Computer System (3DM)
The 3DM computer is designed to determine periodically the three
-dimensional power density distribution for the reactor core, and to provide printed logs that permit accurate assessment of core thermal performance.
The 3DM computer provides nearly continuous monitoring of the core margins to operating limits and appropriate alarms based on established core operating limits. This aids the operator in ensuring that the core is operating within acceptable limits at all times, especially during periods of power level changes.
7.1.2.1.16 Standby Gas Treatment System Safety Design Basis
- General Functional Requirements The standby gas treatment system (SGTS) instrumentation and control meets the following safety design bases:
- a. The instrumentation and control initiates the SGTS to provide filtration of air released from the reactor building following a fuel
-handling accident or LOCA
- b. The instrumentation and control limits the possibility of exfiltration from the reactor building to outdoors by maintaining negative pressure in the reactor building area
- c. The SGTS responds automatically so that no initiating action is required of plant operators following a LOCA or fuel
-handling accident d. The responses of the SGTS are indicated on the main control panel 7.1-16 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- e. Facilities for the manual control of the SGTS are provided in the main control room f. No single failure, maintenance, calibration, or test prevents operation of the SGTS g. Any installed means of manually interrupting the availability of the SGTS is under the control of the operator or other supervisory personnel
- h. Loss of interruptible instrument air and/or offsite electric power does not affect the normal function of the SGTS i. The physical events accompanying a LOCA or fuel
-handling accident could not prevent correct functioning of the instrumentation and controls
- j. Seismic motions resulting from earthquake ground motion of the design
-basis earthquake, missile, wind, and flood do not impair the operation of the instrumentation and control.
Safety Design Basis
- Specific Regulatory Requirements The requirements of IEEE 279
-1971 and IEEE 344
-1971 are met by the SGTS instrumentation and control. Additionally, GDC 13, 20-24, and 29 of 10 CFR 50, Appendix A, and Regulatory Guide 1.22 have been implemented in the design of this control system.
7.1.2.1.17 Control Center Atmospheric Control System The control center atmospheric control is provided by the control center heating, ventilation, and air conditioning (HVAC) system, described in Subsection 9.4.1. The instrumentation and control for this system meets the following design bases.
Safety design bases include all the bases described under power generation design bases and the following:
- a. The system controls are interlocked with the RMS to isolate the main control room and automatically route the outside makeup air for the control center HVAC system through the emergency and recirculation filter trains so that main control room habitability is maintained
- b. The system operates in conjunction with ionization detection systems to annunciate in the main control room on detection of combustion products in the main control room ceiling space
- c. The system has the capability to purge rooms manually with 100 percent outside air, or to route the outside air and recirculation air mixture of the control center HVAC system manually through odor, smoke, and halogen
- removing filters that are normally bypassed
- d. No single failure, maintenance, calibration, or test operation prevents the functioning of the control center HVAC instrumentation and control. A single active failure in the Halon fire protection system will cause closure of smoke/Halon dampers to the relay room, cable spreading room or computer room. Manual actions are required to reopen these dampers to reestablish airflow. 7.1-17 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- e. Any installed means of manually interrupting the availability of the control center HVAC system is under the control of the operator or other supervisory personnel f. Loss of offsite electric power does not affect the normal functioning of instrumentation and controls
- g. The physical events accompanying a LOCA or fuel
-handling accident do not prevent correct functioning of the instrumentation and controls
- h. Seismic motions resulting from earthquake ground motion, missile, wind, and flood do not impair the operation of the instrumentation and controls
- i. The requirements of IEEE 279
-1971, IEEE 323
-1971, IEEE 338
-1971, and IEEE 344-1971 are met by the control center HVAC system instrumentation and control. Additionally, GDC 13, 19, 20
-24, and 29 of 10 CFR 50, Appendix A, and Regulatory Guide 1.22 have been implemented in the design of this control system.
- j. The system has the following controls, interlocks, and overrides:
- 1. The system can be manually selected to any of the four modes (i.e., normal, purge, chlorine or recirculation).
- 2. The system will transfer to the purge or recirculation mode automatically upon receipt of the appropriate signals.
- 3. The automatic purge mode will override the normal mode.
- 4. The manual chlorine mode will override all modes except the automatic recirculation mode.
- 5. The automatic recirculation mode will override all modes.
Power Generation Design Bases The power generation design bases are
- a. To control the temperature and humidity in the control center for operator comfort and electronic equipment stability. A small net positive pressure is maintained with respect to the outdoors and other areas of the plant on a year
-round basis
- b. To indicate temperature and status of operating equipment, such as supply and return air fans and the refrigeration unit, in the main control room
- c. To annunciate on the control panel any operating transients that require operator's attention. This includes high temperature, loss of airflow from supply and return air fans, loss of refrigeration unit, high pressure drop across the supply air filters, and low positive pressure differential between the contro l
center atmosphere and outdoors
- d. To provide capability in the main control room to manually control and operate various components of the control center HVAC system 7.1-18 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- e. To provide a means to test instrumentation and controls and operation of redundant equipment to ensure availability at all times.
7.1.2.1.18 Emergency Equipment Cooling Water System Safety Design Bases General Functional Requirements
- The instrumentation and control of the emergency equipment cooling water (EECW) system is designed to initiate and maintain operation of the EECW system automatically when normal operation of the reactor building closed cooling water (RBCCW) system is impaired (as indicated by a low differential header pressure), high drywell pressure is experienced, or upon loss of offsite ac power. The controls are provided
- a. To open or close appropriate motor
-controlled valves to retain essential cooling circuits and isolate those that are not required to be in service in an emergency
- b. To start operation of the pumps of both loops to establish flow of the emergency equipment service water (EESW) system (the latter is used to remove heat from the EECW system heat exchangers)
- c. To regulate the temperature of the EECW within the required range at the outlet of the EECW system heat exchanger
- d. To maintain the demin level in the EECW makeup tank within the required range during normal plant operation.
Manual controls for initiating operation of the EECW system and its return to the standby state are also provided. The EECW makeup tanks are supplied with demineralized water during normal plant operation. The EECW system makeup tank is supplied via a crosstie line and a makeup pump from the EESW system to provide an alternate makeup supply for each division when the normal makeup supply to the tank is lost during and after the design basis accident. After EECW start, the EECW makeup tanks are replenished and pressurized by makeup pumps utilizing EESW water. The makeup pumps automatically start on makeup tank low pressure or low level, if the makeup tank isolation valve is open and normal makeup pump suction pressure is achieved. Instrumentation and controls are provided to automatically maintain EECW makeup tank pressure, and provide a source of safety
-related water (EESW) during EECW system operation.
Specific Regulatory Requirements
- The protection system functions contained in functions a. and b. above are required to comply with IEEE 279
-1971, IEEE 308
-1971, IEEE 323
-1971, IEEE 336
-1971, IEEE 338
-1971 and IEEE 34 4-1971; GDC 18, GDC 20
-24, and GDC 29 of 10 CFR 50, Appendix A and Appendix B; and Regulatory Guide 1.22. EECW system monitoring and control functions c. and d. are required to comply with the requirements of GDC 13. Power Generation Design Basis EECW may be manually initiated with the nonessential loads subsequently restored to facilitate RBCCW heat exchanger cleaning, to enhance drywell cooling during high lake water (GSW) temperature, for testing, or to provide RHR Reservoir freeze protection during extreme cold weather. A Loss of RBCCW while EECW is operating in this mode will not 7.1-19 REV 1 9 1 0/1 4 FERMI 2 UFSAR reinitiate EECW or re
-isolate the nonessential loads. This action is not required, however, since this is not a condition requiring protective action as described in Section 7.1.2.1. The demineralized water level in the makeup tank is automatically maintained above a specified minimum amount during normal plant operation. Automatic makeup from EESW is provided for the condition when the normal demineralized water makeup supply is not available and the makeup tank is connected to the EECW loop (i.e., when the P4400F602A(B) valve is open).
7.1.2.1.19 Emergency Core Cooling System Auxiliary Systems The ECCS auxiliary systems support operation of ECCS equipment. Instrumentatio n
required for operation of this ECCS equipment, therefore, meets the redundancy and separation requirements of the ECCS equipment. The ECCS auxiliary systems consist of
- a. Cooling water (EECW) system described in Subsection 7.1.2.1.18
- b. Essential electric power systems described in Subsection 7.1.2.1.25
- c. Area coolers for rooms and areas containing ECCS equipment (Section 9.4)
- d. Leak detection in ECCS equipment rooms and areas, as described in Subsection 7.1.2.1.26.
Safety Design Basis The EECW system is designed to be available for essential equipment as outlined in Subsection 7.1.2.1.18. The electric power available for the EECW system is also described in Subsection 7.1.2.1.25. Either the area coolers are designed for operation during emergency conditions, or the ECCS equipment is designed so that loss of the coolers does not jeopardize operation of the ECCS. Leak detection instrumentation monitors primarily for leaks of reactor water or steam. Leak detection instrumentation that automatically isolates ECCS equipment meets the redundancy/ separation requirements for those ECCSs.
Subsection 7.1.2.1.26 describes the leak detection instrumentation design bases in more detail. The EECW system is designed for the maximum expected heat load of ECCS emergency equipment that is used to provide equipment cooling and ventilation space cooling for the HPCI, RCIC, RHR, and core spray systems.
Power Generation Design Bases The EECW and electrical power sources for the ECCS equipment are maintained in readiness so that they are available when needed. This includes maintaining a minimum level of condensate in the makeup tank. The room air ventilation system is also designed to filter and/or reroute air from rooms where airborne radiation may be present.
The LDS initiates an alarm in the main control room in sufficient time for operating personnel to correct or isolate the leak. In some cases the LDS automatically isolates the leaking system.
7.1.2.1.20 Reactor Core Isolation Cooling System Safety Design Basis
- General Functional Requirements The RCIC system is designed to meet the following general functional requirements:
7.1-20 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- a. The system is capable of maintaining sufficient coolant in the RPV in case of a loss of main feedwater flow
- b. Provisions are made for automatic and remote manual operation of the system
- c. To provide a high degree of assurance that the system operates when necessary, the power supply for the system is from immediately available energy sources of high reliability
- d. To provide a high degree of assurance that the system operates when necessary, provision is made for periodic testing during reactor operation.
Safety Design Basis
- Specific Regulatory Requirements The RCIC system is considered a safety system rather than an ECCS because it is required for safe shutdown. The system is designed to meet the requirements, with exceptions as described in Subsection 7.4.2.2.2, of the federal codes, regulatory guides, and IEEE standards applied to the ESF systems.
7.1.2.1.21 Standby Liquid Control System Safety Design Bases General Functional Requirements
- The major components of the SLCS consist of a storage tank, two positive displacement pumps, two explosive valves, and two check valves between the explosive valves and the reactor, as shown in Figure 7.4
-3. The flow path is from the storage tank through the pumps, explosive valves, and check valves, and into the reactor to the bottom of the core plate. This system is capable of shutting the reactor down from full power to cold shutdown and maintaining the reactor in a subcritical state at atmospheric temperature and pressure conditions by pumping sodium pentaborate, a neutron absorber, into the reactor.
The sodium pentaborate also increases suppression pool pH to prevent iodine r e-evolution following a LOCA in the event of fuel failure.
Dual components and dual circuits are used in portions of the system; however, this manually operated system is subject to single failure. Monitoring and testability have been provided for the components and circuits that are deemed most likely to fail. Redundant power sources supply power to this system.
The SLCS electrical components necessary for the injection of boron have been classified as QA Level 1M to indicate that they were not originally intended, procured, designed, or classified as safety related, but will be maintained and tested as a safety
-related system.
Specific Regulatory Requirements
- General Design Criterion 26 of 10 CFR 50, Appendix A, which requires the provision of an independent method of reactivity control, applies.
Power Generation Design Basis The system is designed to shut the reactor down from full power to cold atmospheric conditions with sufficient margin to maintain the reactor subcritical at the cold condition in the event that manual control rod movement cannot be accomplished with the RMCS.
7.1-21 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.1.2.1.22 Primary Containment Monitoring System The primary containment monitoring system consists of four instrumentation subsystems that collectively monitor the primary containment atmosphere for hydrogen concentration, oxygen concentration, gaseous radiation level, and temperature and pressure, and that monitor the pressure suppression pool water for temperature and level. The radiation monitor is principally provided to enhance the capability for detecting reactor water or steam leaks. The radiation monitor activates an alarm upon detecting radiation at or above a predetermined level. Monitoring of the other parameters is provided to secure information on transients resulting from a LOCA. The monitored parameters are indicated and recorded in the main control room.
The primary containment atmosphere monitoring system also serves to provide information on monitored parameters in the course of plant operations when conditions are normal. The four primary containment monitor subsystems are designated
- a. Primary containment radiation monitor and the hydrogen/ oxygen monitor subsystem b. Primary containment temperature monitor subsystem
- c. Primary containment pressure monitor subsystem
- d. Pressure suppression pool water level indicator subsystem.
The design bases and regulatory requirements for each of these subsystems are individually defined below.
7.1.2.1.22.1 Primary Containment Radiation Monitor and Hydrogen/ Oxygen Monitor Subsystems Safety Design Bases General Functional Requirements
- The primary containment radiation monitor is designed to meet the following safety design bases:
- a. Provide continuous radiation monitoring of the primary containment atmosphere during power operation, startup and hot shutdown of the reactor.
- b. Provide particulate and halogen filters in the atmospheric sample flow line to collect integrated samples of these substances, on separate filters, for purposes of radiation analysis
- c. Provides a high
-radiation alarm with fully adjustable setpoints in the main control room.
- d. Provide a diverse reactor coolant pressure boundary leak detection method using noble gas activity.
Specific Regulatory Requirements
- The instrumentation and control of the primary containment radiation monitor subsystem is designed to conform to General Design Criterion 30 of 10 CFR 50, Appendix A and Regulatory Guide 1.45. The hydrogen/oxygen monitor subsystem is designed to meet Regulatory Guides 1.7 and 1.97, Category 3 and 2 requirements, respectively.
7.1-22 REV 1 9 1 0/1 4 FERMI 2 UFSAR Power Generation Design Bases The primary containment radiation monitor and hydrogen/oxygen monitor subsystems are designed to meet the following power generation design bases:
- a. Provide indication in the main control room of the noble gas radioactivity and hydrogen/oxygen content of the primary containment atmosphere during normal operation The oxygen monitors provide verification of the status of the inerted atmosphere of containment and oxygen levels in the containment atmosphere following a significant beyond
-design-basis accident for combustible gas control and accident management, including emergency planning.
The hydrogen monitors provide diagnosis of the course of significant beyond
-design-basis accidents for accident management, including emergency planning. b. Provide means for obtaining radioactivity analysis of particulate and halogen content in the primary containment atmosphere
- c. Provide an instrument failure (offscale low) alarm.
- d. Provide high hydrogen and high oxygen alarms with fully adjustable setpoints in the main control room.
7.1.2.1.22.2 Primary Containment Temperature Monitor Subsystem Safety Design Bases General Functional Requirements
- The primary containment temperature monitor subsystem is designed to meet the following safety design bases:
- a. Provide continuous monitoring of the drywell atmosphere temperature with a distributed arrangement of temperature sensors to secure representative temperature data in the drywell region
- b. Provide continuous monitoring of drywell cap atmospheric temperature with a sensor suitably located to secure representative temperature information in the cap region
- c. Provide continuous measurement of drywell wall temperature with an arrangement of sensors distributed to obtain a representative determination of the wall temperature conditions in the drywell region
- d. Provide continuous measurement of atmospheric temperature in the pressure suppression chamber e. Provide continuous measurement of water temperature in the pressure suppression chamber.
Safety Design Bases 7.1-23 REV 1 9 1 0/1 4 FERMI 2 UFSAR Specific Regulatory Requirements
- The primary containment temperature monitor subsystem is designed to conform to GDC 13 of 10 CFR 50, Appendix A, and QA Criteria of 10 CFR 50, Appendix B, for nuclear power plants.
7.1.2.1.22.3 Primary Containment Pressure Monitor Subsystem Safety Design Bases General Functional Requirements
- The primary containment pressure monitor subsystem is designed to meet the following safety design bases:
- a. Provide continuous measurement of drywell atmospheric pressure
- b. Provide continuous measurement of pressure suppression chamber atmospheric pressure. Specific Regulatory Requirements
- The primary containment pressure monitor subsystem is designed to meet GDC 13 of l0 CFR 50, Regulatory Guide 1.97, Appendix A, and QA Criteria of 10 CFR 50, Appendix B, for nuclear power plants.
Power Generation Design Basis The primary containment pressure monitor subsystem provides a chart recorder in the main control room to continuously record and display the primary containment pressure monitored by this subsystem.
7.1.2.1.22.4 Pressure Suppression Pool Water Level Indicator Subsystem Safety Design Bases General Functional Requirements
- The pressure suppression pool water level indicator subsystem is designed to provide measurement of water level in the pressure suppression chamber over the maximum practical range.
Specific Regulatory Requirements
- The pressure suppression pool water level indicator system is designed to meet GDC 13 of 10 CFR 50, Regulatory Guide 1.97, Appendix A, and QA Criteria of 10 CFR 50, Appendix B, for nuclear power plants.
Power Generation Design Basis The pressure suppression pool water level indicator subsystem is designed to provide a display in the main control room that indicates the water level in the pressure suppression chamber. 7.1.2.1.23 Radwaste Control System 7.1.2.1.23.1 Liquid Radwaste System The safety design bases ensure that the liquid radwaste system instrumentation and control is designed to provide information to the liquid radwaste process operator. This information is needed to limit releases of radioactivity to the environment. Further discussion can be found in Subsection 7.7.1.6 and in Sections 11.2 and 11.4.
7.1-24 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.1.2.1.23.2 Gaseous Radwaste System The safety design bases ensure that the gaseous radwaste system instrumentation and control system is designed to monitor and control the gaseous processing systems (offgas system and 2-minute holdup pipe system). It also detects, indicates, and alarms improper or abnormal conditions in the gaseous radwaste systems in time for corrective action. Further discussion can be found in Subsection 7.7.1.5 and in Sections 11.3 and 11.4.
7.1.2.1.24 Reactor Water Cleanup System The purpose of the RWCU system is to provide continuous processing of the reactor water so that the purity is maintained within specified limits. The system also provides the means for removal of reactor water. For example, to maintain reactor water level during startup, it is necessary to dump water due to swell.
7.1.2.1.25 Power Systems The power systems considered in this subsection include those electrical power sources used in, or associated with, shutting down the reactor and limiting the release of radioactive material following a design
-basis event. The power systems include the standby ac system (Subsection 8.3.1), the plant dc system (Subsection 8.3.2), instrument ac power (Subsection 8.3.1), RPS power supplies (Subsection 8.3.1), and special power supplies for individual systems. Electrical power supplies are available onsite as required to provide the electrical energy requirements of the ESF and safe
- shutdown systems during all safety design
-basis events and as long thereafter as required to satisfy safety requirements.
The design of the standby ac power system complies with accepted industrial standards for nuclear power plants and is compatible with the ESF system equipment design and arrangement.
Safety Design Bases General Functional Requirements
- The power systems are designed to meet the following general functional requirements:
- a. Standby ac Power System
- 1. General - The primary requirement of the standby ac power system is to maintain a high degree of reliability and timely availability of power sources for the ESF and safe
-shutdown systems. This power is required to be made available promptly, within approximately 10 sec, and automatically on either a failure of preferred power sources at any time, or on a LOCA signal Before the diesel generator is connected to a bus, all offsite source breakers and bus load breakers, with the exception of certain selected breakers, are signaled to trip. The generator is then sequentially loaded to prevent overload or excessive voltage drop. Shutdown of the diesel 7.1-25 REV 1 9 1 0/1 4 FERMI 2 UFSAR generator is manual only, except for specific automatic trips to prevent equipment destruction
- 2. Load Assignment
- Assignment of loads to emergency safety system buses is such that failure of a single standby power source does not prevent a safe shutdown of the reactor under conditions of a design
- basis accident (DBA) concurrent with a design
-basis event. "Design
-basis event" is used here in the same sense as defined in IEEE 308
-1971, i.e., any or all of a set of postulated environmental events for which the plant and ESF systems have been designed Automatic starting is required of all loads that may be required within 10 minutes after a LOCA. Automatically started loads may be stopped manually and other loads started manually as required by plant conditions.
Automatically connected loads include the emergency core cooling pumps and valves, safety
-related instrument power supply transformers, containment isolation valves (ac only), drywell cooling equipment, emergency lighting, standby gas treatment and control center heating, ventilation, and air
- conditioning, main control room habitability, EECW system, ECCS room coolers, auxiliary building heating and ventilation, EDG auxiliary equipment, RHR complex ventilation equipment, and reactor building sumps Manually connectable loads are defined in Table 8.3
-3. b. Plant dc Power System
- The primary requirement of the plant dc power system is to maintain highly reliable and continuously available sources of dc power for the control of a minimum complement of the ECCS and the ac power system equipment during operating conditions and during a DBA concurrent with a design
-basis event Voltage variations are maintained within the demonstrated operating limits of each connected device with appropriate allowances for voltage drop in the cabling. Control battery terminal voltage range on a 130
-V dc system is discussed in section 8.3.2.2.4 The dc power sources for redundant ESF equipment must be arranged so as not to compromise the required independence or reduce redundancy below an acceptable level during a design
-basis event (i.e., loss of one battery shall not disable any ESF function)
The EDGs are equipped with sufficient protective devices to prevent destruction of the unit, e.g., overspeed trip, low oil pressure trip, generator differential relays, and crankcase overpressure. Other protective devices are used for protection when in test mode, but such devices alarm only when the unit is required to perform the designed safety function 7.1-26 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- c. Instrument ac Power
- Power for process instrumentation associated with redundant ESF systems is to be provided by a standby source from the same division as the pump motors and ac valve motors for each system. This power is not classified as essential to nuclear safety, but is to be made available automatically when the bus to which it is connected is energized The instrumentation power for the HPCI and RCIC systems is to be from a separate inverter that feeds from the same station battery that powers HPCI and RCIC controls, respectively.
- d. Other Power Supplies
- Power supplies for the RPS are required to have sufficient stored energy to ride through switching transients within the switchyard or auxiliary power system. The safe failure characteristic of the RPS on loss of power exempts the RPS power supplies from being classified essential. However, redundancy is provided to avoid unnecessary plant shutdown on interruption of power to one RPS bus
- 2. Process Radiation Monitoring System
- Certain aspects of the PRMS require 120
-V ac power for purposes of recording and/or control. This power is provided from an instrument bus or an inverter power supply as appropriate.
Safety Design Bases Specific Regulatory Requirements
- The standby ac power and dc power systems are essential to safe shutdown of the reactor and/or for emergency core cooling, and therefore comply with all applicable AEC and IEEE standards for design, qualification, and testing.
These include IEEE 279
-1971, IEEE 308
-1971, IEEE 323-1971, IEEE 338
-1971, IEEE 344
-l97l; GDC 1 through 5, 12, 18 and 19 of 10 CFR 50, Appendix A, and Regulatory Guides 1.6 and 1.9. 7.1.2.1.26 Leak Detection System 7.1.2.1.26.1 Reactor Coolant Pressure Boundary Leakage Detection Safety Design Bas es General Functional Requirements
- The safety design basis for the LDS for setting leakage rate limits is that signals are provided to permit isolation of abnormal leakage before the results of this leakage become unacceptable.
The unacceptable results are a threat of significant compromise to the nuclear system process barrier and a leakage rate in excess of the coolant makeup capability to the reactor vessel.
Specific Regulatory Requirements
- The part of leak detection that is related to isolation circuits is designed to meet requirements of the ESF systems and to conform to those federal codes, regulatory guides, and IEEE standards which apply to ESF systems.
Power Generation Design Basis 7.1-27 REV 1 9 1 0/1 4 FERMI 2 UFSAR A means is provided to detect abnormal leakage from the nuclear system process barrier.
7.1.2.1.26.2 Emergency Core Cooling System Suction Line Detection The ECCS suction line LDS is designed to provide information that would allow the manual closing of the valve in the broken line before the net positive suction head (NPSH) is lost to the redundant ECCS.
7.1.2.1.27 Reactor Shutdown Cooling System Safety Design Bases The instrumentation and control for the reactor shutdown cooling mode of the RHR system is designed to meet the following functional design bases:
- a. Instrumentation and manual control are provided to enable the system to remove the residual heat (decay heat and sensible heat) from the RPV during normal shutdown b. All facilities for manual control of the shutdown cooling system are provided in the main control room
- c. Response of the shutdown cooling system is indicated by main control room instrumentation.
Power Generation Design Bases The instrumentation and control for the reactor shutdown cooling system is designed to meet the following power generation design bases:
- a. Provide cooling for the reactor during the shutdown operation when the vessel pressure is below the design pressure of the shutdown piping system
- b. Cool the reactor water to a temperature which is practical for refueling and servicing operation.
7.1.2.1.28 Plant Cooling Systems Two closed cooling water systems are used at Fermi 2 for removal of heat from equipment and space coolers. These are the RBCCW system and the turbine building closed cooling water (TBCCW) system, both described in Section 9.2. The EECW system, an ESF described in Subsection 7.3.4.2, forms an integral part of the RBCCW system.
7.1.2.1.28.1 Reactor Building Closed Cooling Water System Power Generation Design Bases The instrumentation and control of the RBCCW system is designed in accordance with the following functional requirements:
- a. It maintains the required flow of cooling water in the system and its two divisions during normal conditions and postulated abnormal conditions of the plant 7.1-28 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- b. On loss of offsite power, high drywell pressure, or on drop of differential pressure across the supply and return headers of either division beyond the preset limit, the EECW system will automatically isolate areas of the RBCCW system not essential for emergency cooling and to take over supplying the coolant flow that is required. A loss of RBCCW while EECW is operating for RBCCW heat exchanger cleaning, enhanced drywell cooling, testing, or RHR reservoir freeze protection will not reinitiate EECW or reisolate the nonessential loads. This action is not required, however, since this is not a condition requiring protective action as described in Section 7.1.2.1.
- c. Restoration of the system to normal operation is by manual control.
7.1.2.1.28.2 Turbine Building Closed Cooling Water System Power Generation Design Bases The instrumentation and control of the TBCCW system is designed in accordance with the following functional requirements.
- a. It maintains the required flow of cooling water in this system during normal conditions of plant operation
- b. It automatically becomes deactivated on loss of offsite power
- c. Restoration of the system to normal operation after gain of power is by manual control. 7.1.2.1.29 Fuel Pool Cooling and Cleanup System The fuel pool cooling and cleanup system (FPCCS) instrumentation and control is not required for power generation. Its function is to provide annunciation and control so that the FPCCS can maintain the spent fuel and equipment storage pools and the reactor water well below a desired temperature and at a degree of clarity necessary to refuel and service the reactor. 7.1.2.1.30 Post-LOCA Combustible Gas Control System The NRC amended 10 CFR 50.44, "Standards for combustible gas control system in light
-water-cooled power reactors" on October 16, 2003 to eliminate the requirements for hydrogen recombiners. The hydrogen recombiner Technical Specification requirements were subsequently removed by License Amendment 159, dated March 15, 2004. The wording in this UFSAR section associated with these changes will remain unaltered until after the hydrogen recombiner system has been abandoned in place or removed f r o m the plan t. The instrumentation and control for the post
-LOCA combustible gas control system (CGCS) is designed to meet the following functional safety design bases:
- a. Provides for manual actuation of the system by placing the selector switch in the main control room in the READY position, and then manually initiating the system from the relay room cabinet, energizing the blower, starting water flow to the gas cooler, and regulating electric power to the heater elements 7.1-29 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- b. On the basis of signals from redundant thermocouples, maintains the proper temperature of the gas leaving the heater section by regulating electric power to the heaters
- c. When the gas temperature reaches the preset operating setpoint (about 1200F), further throttle open (manually) the gas inlet valves as required, to maximize the flow of gas from the containment atmospheres (drywell or suppression chamber as selected by the reactor operator)
- d. Manually adjusts and regulates the flow mix between the gas being recirculated from the recombiner outlet and the flow from the containment atmosphere, in order to maintain a predetermined combustible gas concentration in the gas mixture entering the heater unit and recombiner chamber
- e. Provides automatic regulation of the heater power to maintain the proper operating temperature in the recombiner chamber
- f. Provides heater overtemperature protection and such other alarms, instruments, and signals that permit the reactor operator to readily determine the operational status and performance of the CGCS
- g. Meets applicable regulatory requirements of IEEE 279
- 1971, Regulatory Guide 1.7, and GDC 41 of Appendix A of l0 CFR 50.
7.1.2.1.31 Control Air System The instrumentation and control of the control air system is designed in accordance with the following functional requirements.
- a. The control air system maintains the required quantity and quality of control air to both interruptible and noninterruptible control air users
- b. On loss of control air pressure below a preset limit, the control air compressors are automatically started. If pressure continues to decay further to a lower preset value, the two divisions of the control air system are automatically isolated from all interruptible control air users and the station air system so that each control air compressor is supplying only its own essential division
- c. It provides for manual actuation of the system from the main control room for testing of the system or for manual initiation of the system.
7.1.2.1.32 Alternate Rod Insertion The safety design bases are as follows:
- a. The sensors, transmitters, trip units, and associated logic for the ARI are Class 1E, redundant to the reactor protection system, and environmentally and seismically qualified to IEEE 323
-1974 and IEEE 344
-1975 b. The ARI sensors monitor reactor pressure and water level and trip the reactor if these variables reach their respective trip setpoints. The trip is accomplished by energizing the ARI valves, thereby venting the air supply holding the scram valves shut.
7.1-30 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.1.2.2 Independence of Redundant Safety
-Related Systems The criteria for the separation of safety
-related mechanical and electrical equipment are discussed in Section 3.12 and Subsection 8.3.1. The independence of redundant safety
-related systems satisfies the applicable requirements of IEEE 279
-1971. The requirements of 10 CFR 50, Appendix B, are met as described in Chapter 17.
7.1.2.3 Physical Identification of Safety
-Related Equipment Equipment associated with the RPS, the ESF, the safe shutdown systems, and the auxiliary electrical equipment associated with these systems are identified so that it is apparent that
- a. The equipment is part of the RPS, ESF, or safe shutdown system
- b. The equipment item is associated with a particular grouping (or division) of enforced segregation.
The identification consists of marking panels and equipment racks with marker plates that are conspicuously different in color than those for other panels or racks. These markers include identification of the proper division of the equipment within the system.
The equipment identification number and the applicable segregation code, both numerical and color code, are applied to each piece of safety
-related equipment either before or during that equipment's installation. 7.1.2.4 Conformance To IEEE
-317 Qualification of the penetration assemblies and their associated electrical services is provided by compliance with IEEE 317
-1972. Power cables are provided with reliable decoupling devices at their load centers to ensure fault interruption prior to any penetration damage. All cables having safety
-related functions are separated from their redundant counterparts in different penetration assemblies.
7.1.2.5 Conformance To IEEE
-323 IEEE 323-1971 applies to equipment purchased before November 15, 1974, and IEEE 323
-1974 applies to equipment purchased on or after November 15, 1974.
Written procedures and responsibilities are developed for the design and qualification of all Class 1 electric equipment. This includes preparation of specifications, qualification procedures, and documentation for Class 1 equipment. Qualification testing or analysis is accomplished prior to release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements; and an auditable file of qualification documents is available for review. 7.1.2.6 Conformance To IEEE
-336 The implementation of the Quality Assurance Procedures for construction activities ensures compliance with the requirements of IEEE 336
-1971. 7.1-31 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.1.2.7 Conformance To IEEE
-338 and Regulatory Guide 1.22 For a more detailed description of conformance, for all safety
- related systems, see Subsections 7.2.2, 7.3.2, 7.4.2, and 7.6.2.
7.1.3 Protection System Inservice Testability This section is provided to describe the analog transmitter/trip unit (AT/TU) system. The AT/TU system is a plant protection system testability feature generically applied to th e reactor protection (trip) system, ESF systems, and the RCIC system.
The AT/TU system provides highly accurate continuous monitoring of process parameters, excellent setpoint stability, and convenient on
-line testability.
For additional testability discussions, refer to Topical Report NEDO
-21617-A, dated December 1978, Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Inputs (Reference 1).
7.1.3.1 General Description The AT/TU system uses analog instrument channels to monitor important plant variables (e.g., reactor water level, reactor pressure, drywell pressure, and process flow). The analog transmitter converts the process variable sensed to a 4
- to 20-mA linear signal. The signal is transmitted to electronic trip units located on the fourth floor of the auxiliary building. The trip units compare the transmitted signal with a fixed reference signal (setpoint). When the transmitted signal increases above or decreases below the setpoint, the trip unit activates an associated relay. The relay provides either open or closed contacts on activation.
The trip units consist of master trip assemblies, slave trip assemblies, and calibration units. The master trip unit is a plug
-in printed circuit assembly designed to accept a 4
- t o 20-mA signal from a remote transmitter. The trip unit contains the circuitry necessary to condition the transmitter current, compare with the setpoint, provide trip output, and provide analog output signals. An alarm is generated by an inoperative or o ut-of- service trip unit. The master trip unit also contains a panel meter that displays transmitter current and is scaled in the units of the process variable being measured by the transmitter wired to the master trip unit. A switch position selection internal to the master trip unit allows for selection of either high trip point or low trip point. This allows the testing of trip circuitry for a particular channel with the trip circuitry either energized or deenergized during normal operation.
The slave trip unit is used in conjunction with a master trip unit when different setpoints from a common transmitter are desired. The slave trip unit receives its input signal from the analog output of a master trip unit. There is no direct connection to any 4
- to 20-mA transmitter. No analog output signals are generated by the slave unit. Calibration of the slave unit is accomplished by commanding the master trip unit, which drives the slave unit under test into the calibration mode, and then performing the normal calibration procedure.
The calibration unit furnishes the means by which an in
-place calibration check of the master and slave trip units can be performed. The calibration unit contains a stable current source and a transient current source. The stable current source is used to verify the calibration 7.1-32 REV 1 9 1 0/1 4 FERMI 2 UFSAR point of any given channel. The transient current source is used to provide step current input into a selected trip unit so that the response time of that channel can be determined.
During calibration, the trip action is displayed on the removable display assembly. The accuracy of the analog output of the master trip unit may also be checked during the calibration procedure with an external meter or recorder.
7.1.3.2 Analysis For a discussion of conformance with regulatory guides and IEEE standards, see Reference
- 1. 7.1-33 REV 1 9 1 0/1 4 FERMI 2 UFSAR
7.1 INTRODUCTION
REFERENC ES 1. General Electric Company, Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Inputs, NEDO
-21617-A, December 1978.
7.1-34 REV 1 9 1 0/1 4 FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.1-1 LICENSED REACTOR SYSTEMS FUNCTIONALLY IDENTICAL TO FERMI 2
- Plants With Construction System Permit or Operating License Reactor protection system Hatch 1, Duane Arnold Primary containment and RPV isolation control system Hatch 1, Duane Arnold Emergency core cooling system Hatch 1, Duane Arnold
Neutron monitoring system Hatch 1, Duane Arnold
Refueling interlocks Hatch 1, Duane Arnold, Dresden 2 and 3
Reactor core isolation cooling system Hatch 1, Duane Arnold Standby liquid control system Dresden 2 and 3
Reactor water cleanup system Hatch 1, Duane Arnold
Shutdown cooling system Hatch 1, Duane Arnold
______________
- This table was a true comparison with the listed Nuclear Power Plants' systems at the time NRC issued NUREG
-0798, "Safety Evaluation Report Related to the Operation of Enrico Fermi Atomic Power Plant, Unit No. 2.," July 1981. Refer to pages 7
-1 and 7-2 in the SER for the NRC acknowledgement.
FERMI 2 UFSAR TABLE 7.1-2 INSTRUMENTATION AND CONTROL SYSTEMS DESIGNERS AND FABRICATORS
System Designer Fabricator Page 1 of 4 REV 16 10/09 1. Reactor protection system GE GE 2. Containment and RPV isolation control system Edison/GE GE
- 3. Emergency core cooling system:
GE GE
- 4. Neutron monitoring system GE GE
- 5. Refueling interlocks GE GE
- 7. Recirculation flow control system GE GE
- 9. Pressure regulator and turbine generator control system GE/GEC GEC
- 10. Process radiation monitoring system Edison/GE GE/Gulf GA Eberline
- a. Process liquid radiation monitoring system GE/Gulf GA GE/Gulf GA
(1) Radwaste bldg. effluent radiation monitor Edison/GE GE (2) General service water effluent radiation monitor GE GE (3) Circulating water reservoir decant radiation monitor Gulf GA Gulf GA (4) RBCCW system radiation monitor GE GE (5) EECW system radiation monitor Gulf GA Gulf GA (6) RHRSW radiation monitor Gulf GA Gulf GA FERMI 2 UFSAR TABLE 7.1-2 INSTRUMENTATION AND CONTROL SYSTEMS DESIGNERS AND FABRICATORS
System Designer Fabricator Page 2 of 4 REV 16 10/09 b. Main steam line radiation monitor system GE GE
- c. Offgas system radiation monitors (1) 2-minute holdup pipe radiation monitor Gulf GA Gulf GA (2) Offgas radiation monitor GE GE
- d. Reactor bldg.
exhaust plenum radiation monitor Edison Eberline
- e. Reactor bldg. ventilation exhaust radiation monitor Edison Gulf GA
- f. Fuel pool ventilation exhaust radiation monitor GE GE
- g. Standby gas treatment system exhaust radiation monitor Edison Eberline
- h. Control Center makeup air radiation monitor Edison Gulf GA
- i. Radwaste bldg. ventilation exhaust radiation monitor Edison Eberline
- j. Deleted
- k. Turbine bldg. ventilation exhaust radiation monitor Edison Eberline
- 11. Area radiation monitoring system Edison/GE GE
- 12. Site environs radiation monitoring system Edison Refer to Chapter 11
- 13. Health physics and laboratory analysis radiation monitoring Edison Refer to system Chapter 12
- 14. Integrated plant computer system DS&S Various FERMI 2 UFSAR TABLE 7.1-2 INSTRUMENTATION AND CONTROL SYSTEMS DESIGNERS AND FABRICATORS
System Designer Fabricator Page 3 of 4 REV 16 10/09 15. Standby gas treatment system CVI Inc. CVI Inc.
- 16. Control center HVAC control system Edison Various
- 17. Emergency equipment cooling water control system Edison Various
- 18. Emergency core cooling system, auxiliary systems, control systems Edison Various
- 19. Reactor core isolation cooling system GE GE
- 20. Standby liquid control system GE GE
- 21. Primary containment monitor system
- a. Primary containment radiation monitor and hydrogen/oxygen monitoring system Edison Exo-Sensors/ GA
- b. Primary containment temperature monitor system Edison Various
- c. Primary containment pressure monitor system Edison Various
- d. Pressure suppression pool water level indicator system Edison Various
- 22. Radwaste control system GE GE
- a. Liquid radwaste system NUS NUS/Edison
- b. Gaseous radwaste system Edison/ Various Kraftwerk Unio n
- 23. Reactor water cleanup system GE GE 24. Power systems
- a. Standby ac Edison Various b. Plant dc Edison Various c. Instrumentation ac Edison Various FERMI 2 UFSAR TABLE 7.1-2 INSTRUMENTATION AND CONTROL SYSTEMS DESIGNERS AND FABRICATORS
System Designer Fabricator Page 4 of 4 REV 16 10/09 25. Leak detection system
Reactor coolant pressure boundary leakage detection GE GE
- 26. Residual heat removal shutdown cooling control system GE GE
- 27. Plant cooling system
- a. Reactor building closed cooling water system Edison Edison/ Erector
- b. Turbine building closed cooling water system Edison Edison/ Erector 28. Fuel pool cooling and cleanup system GEGE
- 29. Reactor/Auxiliary building HVAC and pressure control A. H. Smith Various Associates
- 30. Post-LOCA combustible gas control system AI AI
- 31. Remote shutdown system Edison Reliance
- 32. Turbine-generator overspeed trip GEC/Edison/
GEC/Edison GE (set points)
- 33. Vital buses/load
-shedding instrumentation and control Edison Various
- 34. Plant emergency communication Edison GAI/Tronics
- 35. Supplemental cooling chilled
water system Edison Various
FERMI 2 UFSAR 7.2 REACTOR PROTECTION SYSTEM
7.2.1 Description
7.2.1.1 Reactor Protection System Instrumentation and Control
System Description
7.2.1.1.1 System Identification 7.2.1.1.1.1 Identification The reactor protection system (RPS) includes the motor
-generator power supplies, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the Integrated Plant Computer System (IPCS) and annunciators, although these latter two systems are not part of the RPS. Trip functions are summarized in Figure 7.2
-1. A completely redundant capability, the alternate rod insertion function of the control rod drive (CRD) system is provided to mitigate anticipated transient without scram (ATWS) events (see Subsection 7.6.1.18).
7.2.1.1.1.2 Classification The RPS is classified as Safety Class 2, Category I, and Quality Group B.
7.2.1.1.1.3 Reference Design The Fermi 2 RPS is similar, except for system size, to the Edwin I. Hatch, Unit 1 RPS. There are no differences other than those instrument panel locations within the plant and manual scram logic arrangement.
7.2.1.1.2 Power Sources The RPS receives power from two high
-inertia ac motor
-generator sets (Figure 7.2
-2). A flywheel provides high inertia sufficient to maintain voltage and frequency within 5 percent of rated values for at least 1 sec following a total loss of power to the drive motor.
Alternate power is available to reach the RPS buses. The 120
-V ac supply bus A is available to RPS bus A, and the 120
-V ac alternate supply bus B is available to RPS bus B.
The RPS power supplies have been modified to prevent the inadvertent application of out
-of-tolerance voltage or frequency power to the RPS relay trip logic. The electrical protection assembly consists of a GE type TFJ
-175A circuit breaker with an under
-voltage release controlled by a protection logic circuit card. The protection logic disconnects the RPS logic from the RPS power supply whenever voltage or frequency exceeds normal tolerances.
The protection is redundant and includes each alternate power supply, as shown in Figure 7.2-2. The electrical protection assemblies (EPA) are packaged in enclosures that are mounted seismically on the outside wall of each RPS motor
-generator set cubicle. Two assemblies are connected in electrical series between each source of RPS power and the 7.2-1 REV 1 9 1 0/1 4 FERMI 2 UFSAR respective RPS distribution panel. Controls for testing and operation are provided on each assembly along with status indication for the particular trip parameters. Following a trip, the breaker must be reset locally.
The EPA's are qualified to meet IEEE 344
-1975 and IEEE 323
-1974. The EPA trip setpoints are within
+10 percent of nominal ac voltage and
-5 percent of the nominal frequency of 60 Hz.
Each protection logic has an independent time delay adjustable from 0.3 to 3.6 sec to prevent spurious trips and the resulting scrams.
7.2.1.1.3 Equipment Design 7.2.1.1.3.1 Initiating Circuits Neutron monitoring system (NMS) instrumentation is described in Section 7.6. Figure 7.2
-3 clarifies the relationship between NMS channels, NMS logics, and the RPS logics. The NMS channels are part of the NMS. The NMS logics are part of the RPS. As shown in Figure 7.2
-4, there are four NMS logics associated with each trip system of the RPS. Each RPS logic receives inputs from two NMS logics.
Each NMS logic receives signals from one intermediate range monitor (IRM) channel and one average power range monitor (APRM) voter channel. The position of the mode switch determines which input signals effect the output signal from the logic. The NMS logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. The RPS logic is a "one
-out-of-two-taken-twice" system as discussed in Subsection 7.2.l.l.3.2.
Reactor pressure is measured at two locations.
A pipe from each location is routed through the primary containment and terminates in the reactor building. Two panel
-mounted pressure transmitters monitor the pressure in each pipe. Cables from these transmitters are routed to the main control room. One pair of the transmitters is physically separated from the other pair. Each transmitter provides a high
-pressure signal to one channel. The transmitters are arranged so that two transmitters provide an input to trip system A and two transmitters provide an input to trip system B, as shown in Figure 7.2
-5. The physical separation and the signal arrangement ensure that no single physical event can prevent a scram caused by nuclear system high pressure.
Reactor pressure vessel (RPV) low
-water-level signals are initiated from differential pressure transmitters that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. A reference leg backfill system provides a continuous flow of water from the CRD charging header to the reactor water level reference legs. This flow prevents accumulation of non
-condensable gases in the reference leg, and the associated erroneous high water level indication which could result from degassing in the reference leg upon system depressurization. The transmitters are arranged on two sets of taps in the same way as the nuclear system high pressure transmitters (Figure 7.2
-5). Two instrument lines attached to taps on the RPV, one above and one below the water level, are required for the differential pressure measurement for each transmitter. The two pairs of lines terminate outside the primary containment and inside the reactor building. They are 7.2-2 REV 1 9 1 0/1 4 FERMI 2 UFSAR physically separated from each other and tap off the RPV at widely separated points. Other systems sense pressure and level from these same pipes. The physical separation and signal arrangement ensure that no single physical event can prevent a scram due to RPV low water level. Turbine stop valve closure inputs to the RPS come from valve stem position switches mounted on the four turbine stop valves. To provide the earliest positive indication of closure, each of the double
-pole, double
-throw switches opens before the valve is more than 10 percent closed. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2
-6. The logic is arranged so that closure of three or more stop valves initiates a scram, when the reactor is operating above 29.5 percent of rated power.
Turbine control valve fast closure inputs to the RPS come directly from contacts of the relays that effect control valve fast closure. Operation of any two of these relays will initiate control valve fast closure. Fast closure of one control valve in each RPS logic will initiate a scram whenever the reactor is operating above 29.5 percent of rated power.
Position switches mounted on the eight main steam isolation valves (MSIVs) signal MSIV closure to the RPS. To provide the earliest positive indication of closure, each of the double
-pole, double
-throw switches is arranged to open before the valve is more than 10 percent closed. Either of the two channels associated with one isolation valve can signal valve closure. To facilitate the description of the logic arrangement, the position
-sensing channels for each valve are identified and assigned to RPS logics as follows:
Valve Identification Position-Sensing Channels Trip Channel Relays Assignments Main steam line A, inboard valve F022A (1) and (2)
A, B A1, B1 Main steam line A, outboard valve F028A (1) and (2)
A, B A1, B1 Main steam line B, inboard valve F022B (1) and (2)
E, D A1, B2 Main steam line B, outboard valve F028B (1) and (2)
E, D A1, B2 Main steam line C, inboard valve F022C (1) and (2)
C, F A2, B1 Main steam line C, outboard valve F028C (1) and (2)
C, F A2, B1 Main steam line D, inboard valve F022D (1) and (2)
G, H A2, B2 Main steam line D, outboard valve F028D (1) and (2)
G, H A2, B2 Thus, each logic receives signals from the valves associated with two steam lines as shown in Figure 7.2
-7. The arrangement of signals within each logic requires closing of at least one 7.2-3 REV 1 9 1 0/1 4 FERMI 2 UFSAR valve in each of the steam lines associated with that logic to cause a trip of that logic. For example, closure of the inboard valve of steam line A and the outboard valve of steam line C causes a trip of logic B1. This in turn causes trip system B to trip. No scram occurs because no trips occur in trip system A. In no case does closure of two valves or isolation of two steam lines cause a scram due to valve closure. Closure of one valve in any three steam lines causes a scram.
Wiring for the position
-sensing channels from one position switch is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated. The wiring for position
-sensing channels feeding the different trip logics of one trip system is also separated.
The MSIV closure scram function is effective only if the reactor mode switch is in RUN.
The effects of the logic arrangement and separation provided for the MSIV closure scram are as follows:
- a. Closure of one valve for test purposes with one steam line already isolated will not cause a scram resulting from valve closure
- b. Automatic scram will occur on isolation of any three steam lines
- c. No single failure can prevent an automatic scram required for fuel protection due to MSIV closure.
Four nonindicating level switches (one for each channel) provide scram discharge volume (SDV) high-water-level inputs to the four RPS channels. An additional level
-indicating switch (trip unit), with transmitter, in each channel is redundant to the level switch in that channel. This arrangement provides diversity to ensure that no single event could prevent a scram caused by SDV high water level. With the scram setting listed in Table 7.2
-1 and in the Technical Specifications, a scram is initiated when sufficient capacity remains in the SDV to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram have been considered in the selection of the trip setting.
Drywell pressure is monitored by four pressure transmitters as described in Subsection 7.3.2.2.8.f. The transmitters are physically separated and electrically connected to the RPS so that no single failure can prevent a scram caused by primary containment high pressure.
Main steam line radiation is monitored by four radiation monitors, which are discussed and evaluated in Section 11.4. Each monitor provides a trip signal to one channel when high gamma radiation is detected in the vicinity of the main steam lines (Figure 7.2
-5). Main condenser low vacuum trip will be effected indirectly through main steam line isolation. A main condenser vacuum of approximately 7 PSIA will cause steam line isolation valve closure, which in turn causes reactor trip.
Four turbine first
-stage pressure transmitters are provided to initiate the automatic bypass of the turbine control valve fast closure and turbine stop valve closure scrams when the first
-stage pressure is below some preset fraction of rated pressure corresponding to 29.5 percent of rated power. The transmitters are arranged so that no single failure can prevent a turbine
stop valve closure scram or turbine control valve fast closure scram.
7.2-4 REV 1 9 1 0/1 4 FERMI 2 UFSAR Channel and logic relays are fast
-response, high
-reliability relays. Power relays for interrupting the scram pilot valve solenoids are magnetic contactors. The system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts, is less than 50 msec. The time requirements for control rod movement are discussed in Subsection 4.5.2.
Sensing elements have enclosures to withstand conditions resulting from a steam or water line break long enough to perform satisfactorily. Environmental specifications for the instruments of the RPS are given in Table 3.11
-1. To gain access to those calibration and trip setting controls located outside the main control room, operations personnel must remove a cover plate, access plug, or sealing device before any trip setting can be adjusted.
Wiring for the RPS, outside of the enclosures in the main control room, is run in rigid metallic conduits used for no other wiring. The wires from duplicate sensors on a common process tap are run in separate conduits. Wires from sensors of different variables in the same RPS logic can be run in the same conduit.
The scram pilot valve solenoids are powered from eight actuator logic circuits, four circuits from trip system A and four from trip system B. The four circuits associated with any one trip system are run in separate conduits.
Electrical panels, junction boxes, and components of the RPS are prominently identified by nameplates. Circuits entering junction boxes or pull boxes are conspicuously marked inside the boxes. Wiring and cabling outside cabinets and panels are identified by color, tag, or other conspicuous means.
7.2.1.1.3.2 Logic The basic arrangement of the RPS actuators and actuator logic is illustrated in Figure 7.2
-8. The system is arranged as two separately powered trip systems. Each trip system has two automatic trip logics, as shown in Figure 7.2
-9. Each logic used for automatic trip receive s input signals from at least one channel for each monitored variable. At least four channels for each monitored variable are required, one for each of its four automatic trip logics.
Each automatic trip logic provides two inputs into each of the actuator logics of one trip system, as shown in Figure 7.2
-8. Thus, either of the two automatic trip logics associated with one trip system can produce a trip
-system trip. The logic is a "one
-out-of-two" arrangement. To produce a scram, the actuator logics of both trip systems must be tripped. The overall logic of the RPS is termed "one
-out-of-two taken twice." 7.2.1.1.3.3 Scram Bypasses A number of manual and automatic scram bypasses are provided. These account for the varying protection requirements that depend on reactor conditions. They also allow for instrument service during reactor operations. All manual bypass switches are in the main control room under the direct control of the main control room operator. The bypass status of trip system components is continuously indicated in the main control room.
7.2-5 REV 1 9 1 0/1 4 FERMI 2 UFSAR To properly reset the RPS at plant shutdown and during initial plant startup, a bypass is required for the MSIV closure scram trip. This bypass has been designed to be in effect when the mode switch is in the SHUTDOWN, REFUEL, or STARTUP position.
Hence, the bypass is necessary to provide for proper RPS reset action whenever the MSIVs are closed during very low power operation.
In the terms of the power generation design bases, the actual pressure scram setpoint is established from considerations of reducing reactor overpressure in the event of isolation at high power levels.
Since the high
-pressure scram and reactor relief valves provide protection against overpressure, there would be no safety problem if the reactor were held at normal operating pressure and at a low power level with the MSIVs closed.
The scram initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a short time delay. The bypass allows the CRD hydraulic system valve lineup to be restored to normal. An annunciator in the main control room indicates the bypassed condition. The turbine control valve fast closure scram and turbine stop valve closure scram are automatically bypassed if the turbine first
-stage pressure is less then 29.5 percent of rated power. Closure of these valves from a low initial power level does not threaten the integrity of any radioactive material release barrier.
Turbine and generator trip bypass is effected by four pressure switches associated with the turbine first stage. Any one channel in a bypass state produces a main control room annunciation.
Bypasses for the NMS channels are described in Subsection 7.6.1.13.
The scram discharge high water level trip bypass is controlled by the manual operation of two keylocked switches, a bypass switch, and the mode switch. The mode switch must be in either the SHUTDOWN or the REFUEL position. Four bypass channels emanate from the four banks of the RPS mode switch and are each connected into the RPS logic. This bypass allows the operator to reset the RPS scram relays so that the system is restored to operation while the operator drains the scram discharge volume. In addition, actuating the bypass initiates a control rod block. Resetting the trip actuators opens the scram discharge volume vent and drain valves. An annunciator in the main control room indicates the bypass condition.
The RPS reset switch is used to momentarily bypass the seal
-in contacts of the final actuators of the reactor shutdown systems. These seal
-in contacts are located downstream from the protection channel outputs. The reset is effected in conjunction with auxiliary relays. If a single channel is tripped, the reset is accomplished immediately upon operation of the reset switch. On the other hand, if a reactor scram situation is present, manual reset is prohibited for a 10-sec period to permit the control rods to achieve their fully inserted position.
7.2.1.1.3.4 Interlocks The scram discharge volume high
-water-level trip bypass signal interlocks with the reactor manual control system (RMCS) to initiate a rod block. The interlock is performed using isolating relay contacts so that no failure in the control system can prevent a scram. 7.2-6 REV 1 9 1 0/1 4 FERMI 2 UFSAR The RPV low water level, primary containment high pressure, and turbine stop valve position signals are shared with the primary containment and reactor vessel isolation
-control system (CRVICS). The sensors feed sensor relays in the RPS. Contacts from these relays interlock to the primary containment and reactor vessel isolation system.
7.2.1.1.3.5 Redundancy and Diversity The RPS is divided into two divisions. Each division duplicates the function of the other to the extent that either may perform the required function regardless of the state of operation or failure of the other.
Functional diversity is provided by monitoring dependent RPV variables. Pressure, water level, and neutron flux are all interdependent and are separate inputs to the system. Also, MSIV closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of an RPV high pressure and are separate inputs to the system.
7.2.1.1.3.6 Actuated Devices The actuator logic opens when a trip signal is received, and then deenergizes the scram valve pilot solenoids. There are two pilot solenoids per control rod. Both solenoids must deenergize to open the inlet and outlet scram valves to allow drive water to scram a control rod. One solenoid receives its signal from trip system A and the other from trip system B. The failure of one control rod to scram will not prevent a complete shutdown.
The individual control rods and their controls are not part of the RPS. Further information on the scram valves and control rods is contained in Subsection 4.5.2.
7.2.1.1.3.7 Separation Four sensor channels monitor these various process variables listed in Subsection 7.2.1.1.3.1.
Separation criteria for the sensors are given in Section 3.12. The sensor devices are separated in such a way that no single failure can prevent a scram. All protection system wiring outside the control system cabinets is run in rigid metal conduit. Six physically separated cabinet bays are provided for the four scram logics. Where two RPS channels of the same trip system enter the same bay they are separated by barriers.
The mode switch, scram discharge volume high
-water-level trip bypass switch, scram reset switch, and manual scram switch are all mounted on one control panel. Each device is mounted in a can and has a sufficient number of barrier devices to maintain adequate separation. Conduit is provided from the cans to the logic cabinets.
The outputs from the logic cabinets to the scram valves are run in four conduits for tri p system A and four conduits for trip system B. The four conduits match the four scram groups shown in Figure 7.2
-2. The groups are selected so that the failure of one group to scram will not prevent a reactor shutdown.
7.2.1.1.3.8 Testability The RPS can be tested during reactor operation by six separate tests. The first of these is the manual actuator test. By depressing the manual scram button for one trip channel, the 7.2-7 REV 1 9 1 0/1 4 FERMI 2 UFSAR manual actuators are deenergized, opening contacts in the actuator logics. After the first trip channel is reset, the remaining three manual trip channels are tested sequentially in a similar manner. The total test verifies the ability to deenergize all eight groups of scram pilot valve solenoids by using the manual scram pushbutton switches. In addition to main control room and sequence recorder indications, scram group indicator lights verify that the actuator contacts have opened.
The second test is the automatic actuator test. It is accomplished by operating the keylocked test switches one at a time for each automatic logic. The switch deenergizes the actuators for that logic and causes the associated actuator contacts to open. The test verifies the ability of each logic to deenergize the actuator logics associated with the parent trip system. In addition to annunciator and sequence recorder indications, the actuator and contact action can be verified by observing the physical position of these devices.
The third test includes calibration of the NMS by means of simulated inputs from calibration logic. Subsection 7.6.1.13 describes the calibration procedure.
The fourth test is the single rod scram test, which verifies capability of each rod to scram. It is accomplished by operating a toggle switch on the RPS test cabinet in the control center particular CRD. Timing traces can be made for each rod scrammed. Prior to the test, a physics review must be conducted to ensure that the rod pattern during scram testing will not create a rod of excessive reactivity worth.
The fifth test involves applying a test signal to each RPS channel in turn and observing that a logic trip results. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps.
The sixth test involves applying a test signal to each RPS trip channel associated with the CRD Scram Discharge Volume High Water Level, Drywell High Pressure, Reactor High Pressure, Reactor Low Water Level and Main Steam Line High Radiation and observing a trip relay contact closure using the RPS Test Box (RTB).
The RTB lamp connected across the contacts of the trip relay during the functional test maintains circuit continuity and keeps the RPS Scram contactors energized while monitoring the status of the trip relay contacts (open/closed).
RPS response times are verified on a channel basis during preoperational testing and can be verified thereafter by similar tests with exception to the sensors. The neutron flux and radiation sensors, the primary sensor response time is included in the measurement of overall channel response time. This measured response time is added to an allowance for instrument line delay, as appropriate, for each application. This approach is consistent with the definition of response time, which is the maximum allowable time from when the variable being measured just exceeds the trip setpoint to the deenergizing of the control rod scram solenoids. The applicable test criterion is that the adjusted test
-based value must not exceed the value used for the safety analysis.
During preoperational testing, and subsequently on a surveillance basis, the sensor response time was measured using a hydraulic ramp
-test method similar to that described in Electric Power Research Institute Report No.
NP-267, Sensor Response Time Verification. To the results of this measurement is added the delay for instrument line length as appropriate for 7.2-8 REV 1 9 1 0/1 4 FERMI 2 UFSAR each application. Also, the noise analysis method can be used for the sensor response verification.
The periodic response time testing for the reactor vessel steam dome pressure
-high and the reactor vessel low water level
-L3 have been eliminated. The BWROG Report NEDO
-32291A and Supplement 1 provide the required analyses as briefly described in 7.2.1.1.3.8.1.
The response time of the trip comparators and trip delays is determined using the transient current source test method described in NEDO 21617
-A, Analog Transmitters/Trip Unit System for Engineered Safeguard Sensor Trip Inputs. This test is performed as part of the preoperational test.
The balance of the RPS channel logic response time is tested using accepted methods that are documented in existing preoperational test procedures.
The reactor protection system instrumentation response times are shown in Technical Requirements Manual Volume I Table 3.3.1.1
-1, which is referenced in UFSAR Table 7.2
-4. Response time testing is required by the Technical Specifications. Technical Specification Table 3.3.1
-2 was deleted from the Technical Specifications and added to the UFSAR as Table 7.2-4 (TRM Table 3.3.1.1
-1) in agreement with NRC Generic Letter 93
-08 and Amendment Number 100 to the Technical Specifications. The response times information of UFSAR Table 7.2
-4 was then relocated to the Technical Requirements Manual Volume I.
7.2.1.1.3.8.1 Elimination of Response Time Testing The elimination of selected response time testing requirements are supported by the analyses performed by the Boiling Water Reactor Owner's Group (BWROG) report. The BWROG report demonstrated that other periodic tests required by Technical Specifications (TS), such as channel calibrations, channel checks, channel functional tests, and logic system functional tests provide adequate assurance that instrument response times are within acceptable limits. The evaluation is documented in NEDO
-32291A and Supplement 1, "System Analyses for Elimination of Selected Response Time Testing Requirements." The analyses assert that the response time tests are of little safety significance and result in unnecessary personnel radiation exposure, reduced availability of systems during plant shutdown, increased potential for inadvertent actuations of safety systems, and a significant burden to utility resources.
The basis for eliminating response time testing is consistent with Regulatory Guide 1.118 (Revision 2) which endorses IEEE 338
-1977 which states:
"Response time testing of all safety equipment, per se, is not required if, in lieu of response time testing, the response time of safety system equipment is verified by functional testing, calibration checks or other tests, or both. This is acceptable if it can be demonstrated that changes in response time beyond acceptable limits are accompanied by changes in performance characteristics which are detectable during routine periodic tests."
NEDO-32291A and Supplement 1 identify the potential failure modes of components in the affected instrumentation loops which could potentially impact the instrument loop response time. In addition, industry operating experience was reviewed to identify failures that affect response times and how they were detected. The failure modes identified were then 7.2-9 REV 1 9 1 0/1 4 FERMI 2 UFSAR evaluated to determine if the effect on response time would be detected by other testing requirements contained in TS. The results of this analysis demonstrate that other TS testing requirements (channel calibrations, channel checks, channel functional tests, and logic system functional tests) are sufficient to identify failure modes or degradations in instrument response times and assure operation of the analyzed instrument loops within acceptable limits. Furthermore, there were no failure modes identified that can be detected by response time testing that cannot also be detected by other TS
-required tests.
A BWROG survey has concluded that instrument response time delays of 5 seconds can be reasonably detected by instrument technicians. A safety evaluation has confirmed that a 5
-second increase in the response time of individual specific functions has a very low safety significance. This realistic bases evaluation showed that significant margin exists in the licensing analysis.
Within the trip function, redundancy exists in most safety trip functions (e.g., neutron flux, water level, drywell pressure). Also for most of these instruments, the response times are insignificant compared to the system actuation times.
NEDO-32291A and Supplement 1 are applicable to Fermi 2 and the affected components are evaluated in NEDO
-32291A and Supplement 1. The vendors do not require periodic response time testing for these components. Fermi is in compliance with the guidelines of Supplement 1 to NRC Bulletin 90
-01. The recommendations from EPRI NP
-7243 "Investigation of Response Time Testing Requirements" are:
- 1. The response time testing is required after replacing or refurbishing the transmitter (e.g., sensor cell, or variable damping) prior to returning the transmitters to service.
- 2. The transmitters that utilize capillary tubes are not used in any application that require s response time testing.
Furthermore, the technicians are in direct communication to verify that the response of the transmitter to the step input change or fast ramp is prompt, and in all cases less than five seconds. During this excursion, the transmitter/instrument loop is monitored for sluggishness or erratic operation that would be indicative of degraded transmitter/instrument loop performance.
The sensor response time may be assumed to be the design sensor response time. This will allow Fermi 2 to use manufacturer response time data and eliminate the requirement for a separate measurement of the sensor response time. Prior to return to service of a new transmitter or following refurbishment of a transmitter (e.g., sensor cell or variable damping components), a hydraulic response time test will be performed to determine an initial sensor
-specific response time value.
7.2.1.1.4 Environmental Considerations Electrical modules for the RPS are located in the primary containment, in the reactor building, and in the turbine building. The environmental conditions for these areas are shown in Tables 3.11
-1 and 3.11
-4. 7.2-10 REV 1 9 1 0/1 4 FERMI 2 UFSAR Cabling for the RPS will be run in conduit or in an enclosed ferromagnetic cable tray. Separation will be in accordance with Section 3.12 and Subsection 8.3.1.
7.2.1.1.5 Operational Considerations 7.2.1.1.5.1 Normal During normal operation, all sensor and trip contacts essential to safety are closed; channels, logics, and actuators are energized. In contrast, however, trip contact bypass channels consist of normally open contact networks that close to bypass.
7.2.1.1.5.2 Scram Functions The following paragraphs discuss the functional considerations for the variables or conditions monitored by the RPS. Table 7.2
-1 lists the preliminary specifications for instruments that provide signals for the system. Figure 7.2
-1 summarizes the locations from which the RPS may receive a signal that causes a scram.
There are two pilot scram valves and two scram valves for each control rod, arranged as shown in Figure 7.2
-2. Each pilot scram valve is solenoid operated, with the solenoids normally energized. The pilot scram valves control the air supply to the scram valves for each control rod. When either pilot scram valve is energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for CRD water. As shown in Figure 7.2
-2, one of the scram pilot valves for each control rod is controlled by actuator logics A, and the other valve is controlled by actuator logics B. There are two dc solenoid-operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. The dc solenoid for each backup scram valve is normally deenergized. The backup scram valves are energized (initiate scram) when trip systems A and B are both tripped.
The functional arrangement of sensors and channels that constitute a single logic is shown in Figure 7.2
-2. A simplified logic schematic is included in Figure 7.2-9. When a channel sensor contact opens, its sensor relay deenergizes, causing contacts in the logic to open. The opening of contacts in the logic deenergizes its actuators. When deenergized, the actuators open contacts in all of the actuator logics for that trip system. This action results in deenergizing the scram pilot valve solenoids associated with that trip system (one scram pilot valve solenoid for each control rod). However, the other scram pilot valve solenoid for each rod must also be deenergized before the rods can be scrammed.
If a trip also occurs in any of the logics of the other trip system, the remaining scram pilot valve solenoid for each rod is deenergized. This permits the air to vent from the scram valves and allows CRD drive water to act on the CRD piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume. When the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply for the scram valve. This action initiates insertion of any errant control rods regardless of the action of the scram pilot valves (Figure 7.2
-2). A scram can be initiated manually. There are two sets of manual scram pushbuttons located on the surface of the main operating panel. The first set associated with logics A1 and B1 is 7.2-11 REV 1 9 1 0/1 4 FERMI 2 UFSAR located directly above the control rod pushbutton matrix on the "A" surface of the reactor control panel as shown on Figure 7.5
-1. A second set of pushbuttons associated with logics A2 and B2 is located on the "B" surface of the reactor control panel as shown in Figure 7.5
-1. These pushbuttons are approximately 21 in. apart and 12 in. from the first set of the manual scram pushbuttons. Each of the four manual scram pushbuttons is individually canned and the control wiring is run in conduit within the control panel. To cause a manual scram, at least one button in each trip system must be depressed.
The manual scram pushbuttons in the first set are close enough to permit one hand motion to initiate the scram. By operating the manual scram button for one logic at a time and then resetting that logic, each actuator logic can be tested for manual scram capability. The reactor operator also can scram the reactor by interrupting power to the reactor protection system or by placing the mode switch in its shutdown position.
To restore the RPS to normal operation following any single trip system trip or scram, the actuators must be reset manually. The actuators can be reset only after a 10
-sec delay, and only if the conditions that caused the scram have been cleared. The actuators are reset by operating switches in the main control room. Figure 7.2
-2 shows the functional arrangement of reset contacts for trip system A.
When an RPS sensor trips, it lights a printed red annunciator window, common to all the channels for that variable, which indicates the out
-of-limit variable. This window is located on the reactor control panel in the main control room. Each trip system lights a red annunciator window which indicates which trip system has tripped. An RPS channel trip also sounds a buzzer or horn that can be silenced by the operator. The annunciator window lights latch in until the initiating contact is reset. Reset is not possible until the condition causing the trip has been cleared. A sequence
-of-events recorder identifies each tripped channel; however, the physical position of the RPS relays may also be used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. The location of alarm windows permits the operator to quickly identify the cause of RPS trips and to evaluate the threat to the fuel or nuclear system process barrier.
All RPS trip events are recorded on a sequence
-of-events recorder that includes nuclear steam supply system (NSSS) inputs. This record permits analysis of operational transient events that occur too rapidly for operator recognition.
The sequence
-of-events recorder provides the time and alarm type of each event and can resolve the order of occurrence down to 1 msec. A lesser time difference causes the events to be treated as simultaneous.
Use of the events recorder is not required for plant safety. The printout of trips is particularly useful in routinely verifying the correct operation of pressure, level, and valve position switches as trip points are passed during startup, shutdown, and maintenance operations.
Reactor protection system inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the RPS. Direct signals from RPS sensors are not used as inputs to annunciating or data
-logging equipment. Relay contact isolation is provided between the primary signal and the information output.
7.2-12 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.2.1.1.5.3 Operation Information Indicators Indicators are installed in the manual scram switches to indicate a trip system manual trip. Scram group indicators extinguish when an actuator logic opens. Process indicators for all RPS trip variables are available in the main control room.
Annunciators Each RPS input is provided to the annunciator system through isolated relay contacts.
Manual and automatic trip system trips also signal the annunciator system.
7.2.1.1.5.4 Setpoints Nominal values for trip system setpoints are summarized in Table 7.2
-1. In response to the NRC letter from J. F. Stolz to W. H. Jens dated April 12, 1977, that defined specific requirements for instrument trip setpoint values, Edison has instituted a formal program with the cooperation of GE to develop the required technical data. The referenced setpoint data are presently included in the Technical Specifications.
Neutron Monitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The NMS setpoints and their bases are discussed in Subsection 7.6.1.13. Nuclear System High Pressure High pressure within the nuclear system threatens to rupture the nuclear system process barrier. A nuclear system pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The nuclear system high
-pressure scram setting is chosen slightly above the RPV maximum normal operating pressure to permit normal operation without spurious scram, yet provides a wide margin to the maximum allowable nuclear system pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, has also been considered
in the selection of the high
-pressure scram setting. The nuclear system high
-pressure scram setting also protects the core from exceeding thermal
-hydraulic limits due to pressure increases during events that occur when the reactor is operating below rated power and flow.
Reactor Vessel Low Water Level Low water level in the RPV indicates that the fuel is in danger of being inadequately cooled.
Decreasing the water level while the reactor is operating at power decreases the reactor coolant inlet subcooling.
The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result. A reactor scram protects the fuel by reducing the fission heat generation within the core. The RPV low
-water-level scram setting has been selected to prevent fuel damage following abnormal operational transients. These transients are caused by either single equipment malfunctions or single operator errors, and 7.2-13 REV 1 9 1 0/1 4 FERMI 2 UFSAR result in a decreasing RPV water level. The scram setting is far enough below normal operational levels to avoid spurious scrams. The setting is high enough above the top of the active fuel to ensure that enough water is available to account for evaporation loss and displacement of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in developing thermal
-hydraulic limits. The limits set operational limits on the thermal power level for various coolant flow rates.
Turbine Stop Valve Closure Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than does either the NMS or nuclear system high pressure. It provides a satisfactory margin below core thermal
-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high
-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the nuclear system pressure limit. The turbine stop valve closure scram setting provides the earliest positive indication of valve closure.
Turbine Control Valve Fast Closure With the reactor and turbine generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the NMS or nuclear system high pressure. It provides a satisfactory margin to core thermal
-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high
-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure.
Main Steam Line Isolation The MSIV closure scram protects the reactor on loss of the heat sink. The MSIV closure initiates scram earlier than the NMS or nuclear system high pressure. Automatic closure of the MSIVs is initiated when conditions indicate a steam line break. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steam line trip channels with one steam line isolated.
Scram Discharge Volume High Water Level Water displaced by the CRD pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with the water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram.
To prevent this situation, the reactor is scrammed when the water level in the discharge 7.2-14 REV 1 9 1 0/1 4 FERMI 2 UFSAR volume is filling up, yet is low enough to ensure that the remaining capacity in the volume can accommodate a scram.
Primary Containment High Pressure High pressure inside the primary containment may indicate a break in the nuclear system process barrier. It is prudent to scram the reactor in such a situation, to minimize the possibility of fuel damage and to reduce energy transfer from the core to the coolant. The drywell high
-pressure scram setting is selected to be as low as possible without inducing spurious scrams.
Main Steam Line High Radiation High radiation in the vicinity of the main steam lines may indicate a gross fuel failure in the core. When high radiation is detected near the steam line, a scram is initiated to limit the release of fission products from the fuel. This condition also signals the primary CRVICS to initiate containment of the released fission products. The high radiation trip setting is selected high enough above background radiation levels to avoid spurious scrams, yet low enough to promptly detect a gross release of fission products from the fuel. More information on the trip setting is available in Subsection 11.4.3.8.2.3.
Manual Scram Pushbuttons are located in the main control room to enable the operator to shut down the reactor by initiating a scram.
Mode Switch in SHUTDOWN When the mode switch is in SHUTDOWN, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function because it is not required to protect the fuel or nuclear system process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short delay, permitting a scram reset that restores the normal valve lineup in the CRD hydraulic system.
7.2.1.1.5.5 Mode Switch A conveniently located, multiposition, keylock mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate sensors for scram functions and provides appropriate bypasses. The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS. The switch is designed to provide separation between the two trip systems. The mode switch positions and their related scram functions are a. SHUTDOWN - Initiates a reactor scram; bypasses main steam line isolation scram b. REFUEL - Selects NMS scram for low neutron flux level operation; bypasses main steam line isolation scram 7.2-15 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- c. STARTUP - Selects NMS scram for low neutron flux level operation; bypasses main steam line isolation scram
- d. RUN - Selects NMS scram for power range operation.
7.2.1.2 Design-Basis Information The design
-basis information required by Section 3 of IEEE 279
-1971 is provided in Subsection 7.1.2.1.1.
7.2.2 Analysis 7.2.2.1 General Presented below are analyses to demonstrate how the various general functional requirements and the specific regulatory requirements listed under the RPS design bases described in Subsection 7.1.2.1.1.1 are satisfied. Considerations of loss of instrument air and loss of cooling water to vital equipment are discussed in Chapter 15.
7.2.2.2 Reactor Protection System 7.2.2.2.1 Conformance With General Functional Requirements The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the nuclear system process barrier. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and nuclear system process barrier. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that chapter.
Design procedure has been to select tentative scram trip setting such that spurious scrams and operating inconvenience are avoided. It is then verified by analysis that the reactor fuel and nuclear system process barriers are protected. In all cases, the specific scram trip point selected is a value that prevents damage to the fuel or nuclear system process barriers, taking into consideration previous operating experience.
The scrams initiated by NMS variables, nuclear system high pressure, turbine stop valve closure, turbine control valve fast closure, and RPV low water level, prevent fuel damage
following abnormal operational transients. Specifically, these scram functions initiate a scram in time to prevent the core from exceeding the thermal
-hydraulic safety limit during abnormal operational transients. Chapter 15 identifies and evaluates the threats to fuel integrity posed by abnormal operational events. In no case does the core exceed the thermal
-hydraulic safety limit.
The scram initiated by nuclear system high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the nuclear system process barrier as a result of internal pressure. For turbine
-generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than does the high pressure scram. Chapter 15 identifies and evaluates accidents 7.2-16 REV 1 9 1 0/1 4 FERMI 2 UFSAR and abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the nuclear system safety limit.
The scrams initiated by the main steam line MSIV closure, and RPV low water level satisfactorily limit the radiological consequences of gross failure of the fuel or nuclear system process barriers. Chapter 15 evaluates gross failures of the fuel and nuclear system process barriers.
In no case does the release of radioactive material to the environs result in exposures that exceed the guideline values of applicable published regulations.
Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations of neutron flux detectors is discussed in Subsection 7.6.1.13. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities.
The RPS uses "one
-out-of-two-taken-twice" logic. Theoretically, its reliability is slightly higher than a "two
-out-of-three" system and slightly lower than a "one
-out-of-two" system. The differences can be neglected in a practical sense, however, because they are slight. The dual trip system is advantageous because it can be thoroughly tested during reactor operation without causing a scram. This capability for a thorough testing program significantly increases reliability.
The use of a different channel for each logic input allows the system to sustain any channel failure without preventing other sensors that monitor the same variable from initiating a scram. Any maintenance operation, calibration operation, or test results in only a single trip system trip. This leaves at least two channels per monitored variable capable of initiating a scram. The resistance to spurious scrams contributes to plant safety because reduced cycling of the reactor through its operating modes decreases the probability of error or failure.
When an essential monitored variable exceeds its scram trip point, it is sensed by at least two independent sensors in each trip system. Only one channel must trip in each trip system to initiate a scram. Thus, the arrangement of two channels per trip system ensures that a scram will occur as a monitored variable exceeds its scram setting.
Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve solenoid for any control rod fails to deenergize when a scram is required.
Sensors, channels, and logics of the RPS are not used for control of process systems. Therefore, failure in the instrumentation and control of process systems cannot induce failure of any portion of the protection system.
Failure of either RPS motor
-generator set would result, at worst, in a single trip system trip. Alternative power is available to the RPS buses. A complete, sustained loss of electrical power to both buses would result in a scram, delayed by the motor
-generator set flywheel inertia. The environment in which the instruments and equipment of the RPS must operate was considered in setting the environmental specifications given in Tables 3.11
-1, 3.11-3, and 3.11-4. The specifications for the instruments located in the reactor or turbine buildings are based on the worst expected ambient conditions.
7.2-17 REV 1 9 1 0/1 4 FERMI 2 UFSAR Design of the system to comply with safety class requirements and the fail
-safe characteristics of the system ensure safe shutdown of the reactor during earthquake ground motion. The system fails in a direction that causes a reactor scram only when subjected to extremes of vibration and shock.
To ensure that the RPS remains functional, the number of operable channels for the essential monitored variables is maintained at or above the minimum given in Tables 7.2-2 and 7.2-3. The minimum applies to any untripped trip system; a tripped trip system may have any number of inoperative channels. Because reactor protection requirements vary with the mode in which the reactor operates, the tables show different functional requirements for the RUN and STARTUP modes. These are the only modes in which more than one control rod can be withdrawn from the fully inserted position.
In case of a LOCA, reactor shutdown occurs immediately following the accident, as one or more process variables exceed their specified setpoint. Operation verification that shutdown has occurred may be made by observing one or more of the following indications:
- a. Control rod status lamps indicating each rod fully inserted
- b. Control rod scram pilot valve status lamps indicating open valves
- c. Neutron monitoring power range channels and recorders downscale
- d. Annunciators for RPS variables and trip logic in the tripped state
- e. Sequence-of-events recorder log of trips
- f. IPCS control rod position log.
7.2.2.2.2 Conformance To Specific Regulatory Requirements 7.2.2.2.2.1 Industry Standards IEEE 279-1971 IEEE 279-1971 is satisfied as follows (except for manual scram, which is addressed below):
NEDO-10139, "Compliance of Protection Systems to Industry Criteria: General Electric BWR Nuclear Steam Supply System," demonstrates compliance of the RPS with IEEE 279
-1968. The following paragraphs address the differences between IEEE 279
-1968 and IEEE 279-1971 standards:
- a. Paragraph 4.7
- Control and Protection System Interaction. The RPS interlocks to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the RPS
- b. Paragraph 4.22
- Identification of Protection System. Each system cabinet is marked with the words "Reactor Protection System" and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified by color coding (as discussed in Subsection 8.3.1). Exact design comparisons with the testability requirements of IEEE 279
-1971 4.9, 4.10, and 4.11 are given in NEDO
-10139: 7.2-18 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- a. Scram discharge volume Pages 2-26, 2-27 b. Main steam line isolation valve Page 2-39 c. Turbine stop valve Pages 2-56, 2-57 d. Turbine control valve Pages 2-69, 2-70 e. Reactor water level Page 2-99 f. Main steam line radiation Pages 2-112, 2-113 g. Neutron monitoring system Page 2-125 (Plus NEDC-32410P-A, Pages 4-5, 4-6) h. Drywell pressure Page 2-138 i. Reactor pressure Page 2-146 j. Mode switch Pages 2-164, 2-165 k. Discharge volume bypass Pages 2-170, 2-171 l. Main steam line valve bypass Page 2-178 m. Turbine trip bypass Page 2-186 The RPS manual scram function satisfies IEEE 279
-1971 as follows: a. Paragraph 4.2
- Single Failure Criterion RPS manual controls comply with the single failure criterion. Four manual scram pushbuttons are arranged into two groups on one main control room Bench Board and the switches are provided with physical and electrical separation.
- b. Paragraph 4.3
- Quality of Components and Modules The RPS manual switches are selected to be of high quality and reliability.
- c. Paragraph 4.4
- Equipment Qualification Manual switches and trip logic components are certified by the vendor that they perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in 7.2-19 REV 1 9 1 0/1 4 FERMI 2 UFSAR conjunction with the existing field experience with these components in this application, serves to qualify these components.
- d. Paragraph 4.5
- Channel Integrity The manual switches and components are specified to operate under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents.
- e. Paragrap h 4.6 - Channel Independence The manual scram pushbutton is a channel component. The trip channels are physically separated and electrically isolated to comply with this design requirement.
- f. Paragraph 4.7
- Control and Protection System Interaction The manual scram pushbutton has no control interaction.
- g. Paragraph 4.8
- Derivation of System Inputs Not applicable.
- h. Paragraph 4.9
- Capability for Sensor Checks Not applicable.
- i. Paragraph 4.10
- Capability for Test and Calibration A manual scram switch permits each individual trip logic, trip actuator, and trip actuator logic to be tested on a periodic basis.
- j. Paragraph 4.11
- Channel Bypass or Removal from Operation Since actuation of one manual scram pushbutton places its RPS trip system in a tripped condition, it is in compliance with this design requirement.
- k. Paragraph 4.12
- Operating Bypasses Not applicable.
- l. Paragraph 4.13
- Indication of Bypasses Not applicable.
- m. Paragraph 4.14
- Access to Means for Bypassing Not applicable.
- n. Paragraph 4.15
- Multiple Set Points Not applicable.
- o. Paragraph 4.16
- Completion of Protective Action Once It Is Initiated Once the manual scram push buttons are depressed, it is only necessary to maintain them in that condition until the scram contactors have de
-energized and open their seal
-in contacts. At this point, the trip actuator logic proceeds to initiate reactor scram regardless of the state of the manual scram push buttons.
- p. Paragraph 4.17
- Manual Actuation 7.2-20 REV 1 9 1 0/1 4 FERMI 2 UFSAR Four manual scram pushbutton controls are provided on one main control room Bench Board to permit manual initiation of reactor scram at the system level. The four manual scram pushbuttons (one in each of the four RPS trip logics) comply with this design requirement. The logic for the manual scram is one
-out-of-two twice. No single failure in the manual or automatic portions of the RPS can prevent either a manual or automatic scram.
- q. Paragraph 4.18
- Access to Set Point Adjustments, Calibration, and Test Poin ts Not applicable.
- r. Paragraph 4.19
- Identification of Protective Actions When any manual scram pushbutton is depressed, a control room annunciation is initiated and an IPCS alarm record is produced to identify the tripped RPS trip logic.
- s. Paragraph 4.20 - Information Readout The manual scram function complies with this requirement.
- t. Paragraph 4.21
- System Repair The manual scram function complies with this requirement.
The RPS is fail
-safe and its power supplies are thus unnecessary for scram. A total loss of power causes a scram. A loss of one power source causes a trip system trip. IEEE 308
-1971 does not apply to the RPS.
IEEE 323-1971 "General Guide for Qualifying Class I Electric Equipment" is satisfied by complete qualification testing and certification of all essential components. Records covering all essential components are maintained. For a complete summary of how the RPS complies with IEEE 323
-1971, refer to NEDO
-10698. See also Section 3.11.
IEEE 336-1971 "Installation, Inspection, and Testing Requirements for Instrumentation and Electric Equipment During Construction of Nuclear Power Generating Stations" is satisfied except as modified by the Edison Quality Assurance Procedures.
IEEE 338-1971 "Periodic Testing of Protection Systems" is complied with by being able to test the RPS from sensors to final actuators at any time during plant operation. The test must be performed in overlapping portions.
IEEE 344-1971 Conformance to IEEE 344
-1971 is described in Section 3.10.
IEEE 379-1972 "Trial-Use Guide for the Application of the Single
-Failure Criterion to Nuclear Power Generating Station Protection Systems" is judged to be satisfied by the RPS design criteria described in NEDO
-10139. 7.2-21 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.2.2.2.2.2 Conformance To Regulatory Guides and 10 CFR 50 The RPS is designed so that it may be tested during plant operation from sensor device to final actuator device in compliance with Regulatory Guide 1.22. The test must be performed in overlapping portions so that an actual reactor scram does not occur as a result of the testing. The RPS is judged to comply with Regulatory Guide 1.53 since all of the additional provisions of Regulatory Guide 1.53 as applied to IEEE 379 are met or exceeded by the actual design.
10 CFR 50, Appendix B "Quality Assurance Criteria for Nuclear Power Plants." A Quality Assurance program has been established that includes quality control at the component vendor, at the nuclear steam supplier, at various stages of construction, and during installation at the nuclear power plant site. System design is continually checked for conformance to the applicable industry criteria. Periodic testing ensures that the system is available and adequate to perform its intended purpose. Quality assurance records are maintained by the nuclear steam supplier and Edison. For a complete description of the Quality Assurance Program, see Chapter 17.
General Design Criteria of 10 CFR 50, Appendix A
- a. Criterion 13
- Each RPS input is monitored and annunciated
- b. Criterion l9
- Instrumentation and control is provided in the main control room. The reactor can also be shut down from outside the main control room by opening breakers
- c. Criterion 20
- The RPS constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary. It automatically initiates a scram when the variables exceed the established setpoints d. Criterion 2l
- The RPS is designed with four independent and separated output channels. No single failure or operator action can prevent a scram. The system can be tested during plant operation to ensure its availability
- e. Criterion 22
- The redundant portions of the RPS are separated such that no single failure or credible natural disaster can prevent a scram. Functional diversity is used by measuring flux, pressure, and level (all dependent variables) in the reactor vessel
- f. Criterion 23
- The RPS is fail
-safe. A loss of electrical power or air supply will not prevent a scram. Postulated adverse environments will not prevent a scram
- g. Criterion 24
- The RPS has no control function
- h. Criterion 29
- The RPS is highly reliable so that it is able to scram in the event of anticipated operational occurrences.
7.2-22 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.2.2.2.2.3 Instrument Ranges and Setpoints The design criteria used in selecting instrument span and trip setpoints for safety
-related applications consider the following factors:
- a. The selection of instrument range is based on knowledge of the expected variation of the process variable being monitored. In all cases, the range selected is greater than the expected variable excursions
- b. The accuracy of each trip setpoint is better than or equal to the accuracy assumed in the accident analysis performed for the Fermi 2 plant design
- c. Trip setpoints are normally located in the portion of the instrument range of greatest accuracy. In all cases, the setpoint is located in the portion of the instrument's range that is consistent with the required accuracy
- d. All of the safety
-related trip setpoints are chosen to allow for the normal expected instrument setpoint drift without exceeding associated Technical Specifications
- e. All setpoints are verified on a prescribed schedule as outlined in the Technical Specifications.
7.2-23 REV 1 9 1 0/1 4 FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Scram Function Instrument Nuclear system high pressure Trip Setting a Pressure transmitter 1080 psig Primary containment high pressure Pressure transmitter 1.68 psig RPV low water level Level transmitter 173.4 in. above top of active fuel Scram discharge volume high water level Level switch/ transmitter 50 gal Turbine stop valve closure Position switch Before 10 percent valve closure Turbine control valve fast closure Valve fast closure initiation logic Start of control valve fast closure Main steam line isolation valve closure Position switch Before 10 percent valve closure Neutron monitoring system scram Neutron detector (IRM) 120/125 divisions of FS APRM)
Refer to UFSAR Table 7.6
-9 for APRM system trip setpoints.
Main steam line high radiation Gamma ion chamber 3.0 x full power background a Nominal values given for information. See Technical Specifications for actual operational settings.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.2-2 This table shows the normal and minimum number of channels required for the functional performance of the RPS in the STARTUP mode. The "Normal" column lists the normal number of channels per trip system. The "Minimum" column lists the minimum number of
channels per untripped trip system required to maintain functional performance.
CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF REACTOR PROTECTION SYSTEM: STARTUP MODE Channel Description Normal MinimumNeutron monitoring system (APRM) c a,b 2 2 Neutron monitoring system (IRM) 2 2 Nuclear system high pressure 2 2 Primary containment high pressure 2 2 RPV low water level 2 2 Scram discharge volume high water level 2 2 Manual scram 2 2 Each main steam line isolation valve position 0 (bypassed) 0 a During testing of sensors, the channel should be tripped when the initial state of the sensor is not essential to the test. b Nominal values given for information.
See Technical Specifications for operational requirements.
c Number of channels refers to final two
-out-of-four voter channels for APRM. See Technical Specifications for more specific requirements related to APRM channels.
FERMI 2 UFSAR TABLE 7.2-3 CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE OF REACTOR PROTECTION SYSTEM: RUN MODE This table shows the normal and minimum number of channels required for the functional performance of the RPS in the RUN Mode. The "Normal" column lists the normal number of channels per trip system. The "Minimum" column lists the minimum number of channels per untripped trip system required to maintain functional performance.
Channel Description Normal Minimuma,b Neutron monitoring system (APRM) c 2 2 Nuclear system high pressure 2 2 Primary containment high pressure 2 2 RPV low water level 2 2 Scram discharge volume high water level 2 2 Manual scram 2 2 Each main steam line isolation valve position 4 4 Each turbine stop valve position 4 4 Turbine control valve fast closure 2 2 Turbine first
-stage pressure (bypass channel) 2 2 a During testing of sensors, a channel may be placed in an inoperable status for up to 6 hr for required surveillance without placing the trip system in the tripped condition, provided that at least one operable channel in the same trip system is monitoring that parameter.
b Nominal values given for information. See Technical Specifications for operational requirements.
c Number of channels refers to final two
-out-of-four voter channels for APRM including the OPRM function. OPRM/APRM functions are independently voted in the two
-out-of-four voters. See Technical Specifications for more specific requirements related to APRM channels.
Page 1 of 1 REV 20 05/16 FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.2-4 (TRM TABLE 3.3.1.1
-1) REACTOR PROTECTION SYSTEM RESPONSE TIMES The Reactor Protection System Response Times are listed in Technical Requirements Manual (TRM) Volume I Table 3.3.1.1-1. TRM Volume I is incorporated by reference into the UFSAR.
FERMI 2 UFSAR 7.3 ENGINEERED SAFETY FEATURE SYSTEMS Included in this section are descriptions and analyses of the instrumentation and controls for the following engineered safety feature (ESF) systems:
- b. Primary containment and reactor vessel isolation control system
- c. Emergency core cooling auxiliary system
- d. Emergency equipment cooling water system
- e. Main control room atmospheric control system
- g. Standby power system h. Post-LOCA combustible gas control system. The format of this section departs from the Regulatory Guide 1.70, Revision 2, Standard Format Guide in that the description and analysis are grouped together under each system heading rather than by descriptions and by analyses. The main steam isolation valve leakage control system is discussed in Subsection 6.2.6.
7.3.1 Emergency Core Cooling System 7.3.1.1 Design-Basis Information The design-basis information for the ECCS, required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.3.
7.3.1.2 System Description The ECCS includes the following subsystems:
- a. High-pressure coolant injection system (HPCI)
- c. Core spray system
- d. Low-pressure coolant injection (LPCI) mode of the residual heat removal (RHR) system.
The purpose of ECCS instrumentation and control is to initiate appropriate responses from the ECCS to ensure that the fuel is adequately cooled in the event of a design-basis LOCA. The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which reactor coolant is lost.
The equipment involved in the control of these systems includes automatic injection valves, steam turbine pump controls, electric pump controls, relief valve controls, and the switches, contacts, and relays that make up sensory logic channels. Testable check valves and certain 7.3-1 REV 20 05/16 FERMI 2 UFSAR automatic isolation valves are not included in this description since they are pertinent to the containment and reactor vessel isolation control system (CRVICS).
Power Sources The instrumentation and control of the ECCS is powered by the 130-V dc and 120-V ac systems, and by the standby power system when required. The redundancy and separation of these power supply systems are consistent with the redundancy and separation of the ECCS instrumentation and control. Both of these power supply systems are described in detail in Chapter 8.
7.3.1.2.1 High Pressure Coolant Injection System Instrumentation and Control When actuated, the HPCI system pumps water from either the condensate storage tank or the suppression chamber to the reactor pressure vessel (RPV) via the "A" feedwater pipeline.
The HPCI system includes one turbine-driven pump, one dc motor-driven auxiliary oil pump, one barometric condenser dc condensate pump, one barometric condenser dc vacuum pump, other auxiliaries, automatic valves, control devices for this equipment, sensors, trip channels, and logic circuitry. The arrangement of equipment and control devices is shown in Figure 7.3-1. Pressure and level transmitters used in the HPCI system are located on racks in the reactor building. The only operating component for the HPCI system that is located inside the primary containment is one of the two isolation valves in the HPCI turbine steam supply isolation valves. The rest of the HPCI system instrumentation and control components are located outside the primary containment. Cables connect the sensors to control circuitry in the main control room. The system is arranged to allow a full
-flow functional test of the system during normal reactor power operation. The system will automatically return from the full-flow test mode to accident response operation. The controls automatically initiate the HPCI system on receipt of either an RPV low water level signal or a primary containment high-pressure signal, and bring the system to its design flow rate, given in Section 6.3, within 60 sec. The controls then function to provide design makeup water flow to the RPV until the water level in the RPV reaches an upper limit. At this time the HPCI system shuts down until further need is indicated. The HPCI system would automatically restart on low water level and operate indefinitely without manual intervention. The controls are arranged to allow manual startup, operation, and shutdown from the main control room.
7.3.1.2.1.1 Initiating Circuits The RPV low water level is monitored by four level transmitters that sense the differences between the pressure of a constant reference column of water and the pressure due to the actual height of water in the vessel. Two pipelines, attached to taps above and below the normal water level on the RPV, are required for the level transmitters. The lines are physically separated from each other and tap off the RPV at widely separated points. These same lines are also used for pressure and water level instruments for other systems.
A backfill system is installed on each level instrument reference leg. The system provides a metered flow of water from the control rod drive system to each leg. The flow is low enough 7.3-2 REV 20 05/16 FERMI 2 UFSAR to not affect the performance of the instrumentation. The backfill is designed to prevent the accumulation of dissolved noncondensable gases in the reference legs. The level transmitters and primary containment high-pressure transmitters for the HPCI are arranged in pairs, with the transmitter contacts in a "one-out- of-two taken twice" electrical arrangement. This arrangement ensures that no single event can prevent HPCI initiation from RPV low water level or drywell high pressure. Cables from the level transmitters lead to the trip unit racks located in the fourth floor of the reactor building for logic and sequencing action. The primary containment high-pressure initiation signal for the HPCI system uses output from the same trip unit that serves the RHR and core spray systems, as described in Subsection 7.3.1.2.3. The HPCI system turbine is functionally controlled as shown in Figure 7.3-2. A speed governor limits the turbine speed to its maximum operating level. A control governor receives a pump flow signal and adjusts the turbine steam control valve so that design HPCI pump discharge flow rate is obtained. Manual control of the governor is possible in the test mode, but the governor automatically returns to automatic control on receipt of a HPCI initiation signal.
Figure 7.3-2 shows the various modes of turbine control. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the HPCI pump discharge line. The governor controls the pressure applied to the hydraulic operator of the turbine control valve, which in turn controls the steam flow to the turbine. Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the dc-powered oil pump during startup, and then by the shaft-driven hydraulic oil pump when the turbine reaches a certain speed. On receipt of an initiation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. Since there is no flow at first in the HPCI system, the flow signal runs the control governor to the high speed stop.
As hydraulic oil pressure is developed, the turbine stop valve and the turbine control valve open simultaneously, and the turbine accelerates toward the speed setting of either the control governor or the speed governor, whichever is lower. As HPCI flow increases, the flow signal adjusts the control governor setting so that rated flow is maintained. The turbine is automatically or manually shut down by tripping the turbine stop valve closed if any of the following signals are detected:
- a. Turbine overspeed (automatic) b. High turbine exhaust pressure (automatic)
- c. Low pump suction pressure (automatic) d. RPV high water level (automatic)
- e. HPCI isolation signal (automatic)
- f. Manual pushbutton
- g. HPCI steam supply pressure low (automatic).
7.3-3 REV 20 05/16 FERMI 2 UFSAR Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump, which could place it out of service. A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected far enough above or below normal values so that a spurious turbine trip is unlikely, but not too close to values that could cause damage before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed detection device. Two pressure transmitters are used to detect high turbine exhaust pressure; either transmitter can initiate turbine shutdown. One pressure switch is used to detect low HPCI pump suction pressure. High water level in the RPV indicates that the HPCI system has performed satisfactorily in providing makeup water to the RPV. Further increase in level could result in HPCI turbine damage caused by gross carryover of moisture. The RPV high-water-level setting, which trips the turbine, is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level transmitters that sense differential pressure are arranged so that both transmitters are required to trip simultaneously to initiate a turbine shutdown. The control scheme for the turbine auxiliary oil pump is shown in Figure 7.3-2. The controls are arranged for automatic manual control. On receipt of an HPCI initiation signal, the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft-driven oil pump begins to supply hydraulic pressure. Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts. Operation of the barometric condenser components, which consist of the barometric condenser condensate pump (dc), the barometric condenser vacuum pump (dc), and the barometric condenser water level instrumentation, prevents outleakage from the turbine shaft seals. Operation of this equipment is automatic, as shown in Figure 7.3-2, and failure does not prevent the HPCI system from providing water to the RPV.
7.3.1.2.1.2 Logic and Sequencing The RPV low water level and primary containment (drywell) high pressure are the two functions that can automatically start the HPCI system, as indicated in Figure 7.3-2 Sheet 1. The RPV low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.
The logic scheme used for the initiating functions is a "one-out-of-two taken twice" arrangement for both RPV low water level and high drywell pressure. Either one can initiate HPCI. The logic is powered from reliable dc buses. Level transmitters and drywell pressure transmitters are shared with core spray initiation.
Instrument settings for the HPCI system instrumentation and control are listed in Table 7.3-1. The RPV low water level (L2) setting for HPCI initiation is selected high enough above the 7.3-4 REV 20 05/16 FERMI 2 UFSAR active fuel to start the HPCI in time to prevent fuel clad failure and to prevent an unacceptable fraction of the core from reaching the temperature at which fuel fragmentation occurs (Section 6.3). The water level setting is far enough below normal levels that spurious HPCI system startups are avoided. The primary containment high-pressure setting is selected to be as low as possible without inducing spurious HPCI system startup.
To prevent the turbine pump from being damaged by overheating at reduced HPCI pump discharge flow, a pump discharge bypass is provided to route the water discharged from the pump to the suppression chamber. The bypass is controlled by an automatic, dc motor-operated valve whose control scheme is shown in Figure 7.3-2. At high HPCI flow, the valve is closed; at low flow, the valve is opened. Flow switches that measure the pressure difference across a flow element in the HPCI pump discharge line provide the signals used for flow indication. The HPCI initially uses the condensate storage tank as the source of coolant to provide high-grade water to the reactor. A single failure of the condensate low
-level switches or suppression pool high-level switches could cause a switchover of HPCI source water from the condensate storage tank to the suppression pool. A premature switchover has no adverse safety impact. The transfer to the suppression pool feature is to ensure an adequate long-term quantity of coolant or to control the pool level. The long-term source of water for the HPCI system is the suppression pool; thus a failure causes switchover to the desired suction source.
7.3.1.2.1.3 Bypasses and Interlocks To prevent the HPCI steam supply line from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain line arrangement just upstream of the turbine supply valve. The control scheme is shown in Figure 7.3-2. The controls position valves so that during normal operation, steam line drainage is routed to the main condenser. On receipt of an HPCI initiation signal, the drainage path is isolated. The water level in the steam line drain condensate pot is controlled by a level switch and a pilot air-operated solenoid valve that energizes to allow condensate to flow out of the pot. During test operation, the HPCI pump discharge is routed to the condensate storage tank.
Two valves, a dc motor operated valve (E4150F008) and an air operated valve (E41F011),
are installed in the pump discharge to the condensate storage tank line. The piping arrangement is shown in Figure 7.3-1. The control scheme for the two valves is shown in Figure 7.3-2. On receipt of an HPCI system initiation signal, the two valves close and remain closed. The valves are interlocked to close if either of the suppression chamber suction valves are fully open. Valve E41F011 functions as a throttle valve while operating in the test mode. It is a fail
-close globe valve with flow over the seat, capable of fast closure. It is credited for closure against pump shut off head. Valve E4150F008 is a slower motor operated valve which provides redundant isolation of the test line. If manual transfer from the test mode to vessel injection is desired, operator action is needed to close E41F011 prior to opening the HPCI injection valve. Numerous indications pertinent to the operation and condition of the HPCI system are available to the main control room operator. Figures 7.3-1 and 7.3-2 show the various indications provided.
7.3-5 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.1.4 Redundancy and Diversity The HPCI system is actuated either by RPV low water level or by primary containment high pressure. Both of these conditions could result from a LOCA. The redundancy of the HPCI system initiating circuits is consistent with the design of the HPCI system. A single failure does not prevent activation.
7.3.1.2.1.5 Actuated Devices All automatic valves in the HPCI system are equipped with remote manual test capability so that the entire system can be operated from the main control room. Motor-operated valves are provided with appropriate limit switches to turn off the motors when the fully open or fully closed positions are reached. Valves that are automatically closed upon isolation signals are equipped with manual reset devices so that they cannot be reopened without operator action. All essential components of the HPCI system controls operate independently of offsite ac power. To ensure that the HPCI system can be brought to the design flow rate within 60 sec from the receipt of the initiation signal, the following operating times for essential HPCI system valves are provided by the valve operation mechanisms.
- c. HPCI pump minimum flow bypass valve - 22.5 sec. The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. A HPCI steam supply line inboard isolation valve and the bypass valve around the HPCI outboard isolation valve are provided; they are intended to isolate the HPCI steam line in the event of a break in that line. A normally closed dc motor
-operated isolation valve is located in the turbine steam supply line just upstream of the turbine stop valve. The piping and logic scheme for this valve is shown in Figures 7.3-1 and 7.3-2. On receipt of a HPCI system initiation signal, this valve opens and remains open until closed by operator action from the main control room.
Two isolation valves are provided in the steam supply line to the turbine. The valve inside the drywell is a Division I ac-powered valve that is normally open. The valve outside the drywell is a Division II dc-powered valve and is normally closed. A small bypass valve provides a warmup path around the closed valve to keep the turbine steam line free of water.
The HPCI steam supply outboard isolation valve is signaled open on a HPCI initiation, and the HPCI steam supply inboard, and outboard isolation valves, and the bypass valve around the HPCI steam supply outboard isolation valve close automatically on a HPCI system isolation. The isolation signal takes precedence over the initiation signal. The control diagram is shown in Figure 7.3-2. The primary element instrumentation for HPCI system isolation consists of the following:
- a. Inside valve E41-F002 1. Ambient temperature sensor - emergency area cooler high temperature. Isolation started as soon as activated 7.3-6 REV 20 05/16 FERMI 2 UFSAR
- 2. Differential pressure transmitter - HPCI steam line high flow; a time delay has been added to this isolation to prevent spurious trips that could result from pressure spikes associated with pump startup 3. Pressure transmitters - HPCI turbine exhaust diaphragm high pressure 4. Pressure transmitters - HPCI steam supply pressure low. b. Outside valve E41-F003 - Instrumentation similar to that described for the inside valve causes the outside valve to isolate if the conditions warrant isolation. Both valves can be individually actuated by manual pushbutton switches Three pump suction valves are provided in the HPCI system. One valve allows pump suction from the condensate storage tank while the other two series valves allow water to be taken from the suppression chamber. The condensate storage tank is the preferred source. All three valves are operated by dc motors.
The control arrangement is shown in Figure 7.3-2 On receipt of a HPCI system initiation signal, the condensate storage tank suction valve receives an open signal. If the water level in the condensate storage tank falls below a preselected level, the suppression chamber suction valves automatically open and the condensate storage tank suction valve automatically closes. Two level transmitters detect the condensate storage tank low-water-level condition. Either transmitter causes the suppression chamber suction valves to open and the condensate storage tank suction valve to close.
The suppression chamber suction valves also automatically open if a high water level is detected in the chamber. Two level transmitters monitor the water level. Either transmitter can initiate opening of the suppression chamber suction valves. If open, the suppression chamber suction valves automaticall y close on receipt of the signals that initiate HPCI steam line isolation Two dc motor-operated HPCI pump discharge valves in the pump discharge pipeline are provided. The control schemes for these two valves are shown in Figure 7.3-2. Both valves are arranged to open on receipt of either one of the HPCI system initiation signals. One of the pump discharge valves closes automatically on receipt of a turbine trip signal. The other valve remains open after HPCI system initiation until closed by the operator in the main control room. 7.3.1.2.1.6 Separation General Separation within the ECCS is such that no single failure can prevent core cooling.
Instrumentation and control equipment and wiring are segregated into separate divisions designated Divisions I and II. Separate requirements are also maintained for the control and motive power for the ECCS. System separation is as follows:
7.3-7 REV 20 05/16 FERMI 2 UFSAR Division I Division II Core spray pump A and pump C Core spray pump B and pump D Automatic depressurization HPCI RHR A and C RHR B and D Systems shown opposite each other are redundant. In addition, should HPCI fail to reduce RPV pressure through coolant makeup injection, the ADS will depressurize the RPV to allow LPCI and Core Spray to provide adequate core cooling. Control logic for all Division I systems is the 260/130-V dc Division I battery and for Division II systems is the 260/130-V dc Division II battery. Specific The HPCI system is a Division II system except for the HPCI main pump test line isolation valve E41F011, in which its motive force is fed from the interruptible air supply (note: the solenoid valves for E41F011 remain in Division II logic), and inside isolation valve E4150-F002, which is Division I ac powered. The E4150-F002 valve is controlled by logic operated from Division I 260/130-V dc battery so that no single failure can prevent the automatic closure of at least one valve of the pair of isolation valves. To maintain the required separation, HPCI system logic relays, instruments, and manual controls are mounted so that separation from Division I is maintained. Logic relays, instruments, and manual controls for outboard steam line isolation valve E41-F003 and bypass valve E41-F600 are separated from Division I equipment.
7.3.1.2.1.7 Testability Instrumentation and control of the ECCS is designed to be completely testable during reactor operation. Specific test schedules for this and subsequent systems in this section (Section 7.3) are given in the Technical Specifications. Systems providing core cooling water are arranged with bypass valves so that pumps may be operated at design flow. Instrumentation and control is designed to establish that the following functions are met:
- a. Each instrument channel functions independently of all others b. Sensing devices respond to process variables and provide channel trips at correct values
- c. Sensors and associated instrument channels respond to both steady-state and transient changes in the process variable within specified accuracy and time limitations, and provide channel trips at correct values even when affected by process variations that may extend grossly beyond the expected trip setpoint d. Paralleled circuit elements can perform their intended functions independently
- e. Series circuit elements are free from shorts that can abrogate their function
- f. Redundant instrument or logic channels are free from interconnecting shorts that could violate independence if a single malfunction should occur 7.3-8 REV 20 05/16 FERMI 2 UFSAR
- g. No element of the system is omitted from the test if it could impair system operability in any way. (If the test is done in parts, then the parts must overlap sufficiently to ensure operability of the entire system)
- h. Each monitoring alarm or indication function is operable. The emergency core cooling system response times are shown in Technical Requirements Manual Volume I Table 3.3.5.1-1, which is referenced in UFSAR Table 7.3-11. Response time testing is required by the Technical Specifications. Technical Specification Table 3.3.3-3 was deleted from the Technical Specifications and added to the UFSAR as Table 7.3-11 (TRM Table 3.3.5.1
-1) in agreement with NRC Generic Letter 93-08 and Amendment Number 100 to the Technical Specifications. The response times information of the UFSAR Table 7.3-11 was then relocated to the Technical Requirements Manual Volume I. The periodic response time testing for the ECCS instrument channels has been eliminated. The BWROG Report NEDO-32291A provides the required analyses as briefly described in
7.2.1.1.3.8.1. Specific The HPCI system is provided with test jacks in each logic. The low reactor level or high drywell pressure "one-out-of-two taken twice" circuit can be tested completely by actuating only one instrument channel at a time. Insertion of the test plug at the logic relay panel actuates an annunciator in the main control room, indicating that the HPCI system is in test status. 7.3.1.2.1.8 Environmental Considerations The control mechanism for the inboard isolation valve on the HPCI system turbine steam line is the only HPCI system control component located inside the primary containment that must remain functional in the environment resulting from a LOCA. The environmental capabilities of this valve are discussed in Subsection 7.3.2.2.9. The HPCI system instrumentation and control equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate. These conditions are listed in Table 3.11-3.
7.3.1.2.1.9 Operational Considerations The HPCI system is not required for normal operations. Under the abnormal or accident conditions when it is required, initiation and control are provided automatically for at least 10 minutes. The automatic depressurization system (ADS) can also depressurize the reactor vessel to a point when the low pressure ECCS systems can be initiated to inject water into RPV. With the incorporation of the high drywell pressure signal bypass timer into the ADS automatic initiation logic, as discussed in Subsection 7.3.1.2.2.2, no operator actions are required to actuate ADS after any LOCA. When the bypass timer times out, the high drywell pressure initiation permissive signal is bypassed, and the ADS will be automatically initiated based on reactor vessel low water level signal alone. This is true even when the main steam line isolation valves (MSIV) line breaks outside the drywell and the break becomes isolated due to MSIV closure.
7.3-9 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.2 Automatic Depressurization System Instrumentation and Control Automatically controlled relief valves are installed on the main steam lines inside the primary containment. The valves are dual purpose in that they relieve pressure either by normal mechanical action or by automatic action of an electric
-pneumatic control system. Actuation is initiated on receipt of a signal indicating high drywell pressure, low RPV water level, and core spray and/or RHR pumps running. A time delay allows the operator to delay
actuation if the HPCI system is in operation. The relief by normal mechanical action is intended to prevent overpressurization of the nuclear steam supply system (NSSS). If the HPCI system is not available during a small-break LOCA, the depressurization by automatic action of the ADS is intended to reduce NSSS pressure so that the core spray system or LPCI system can inject water into the RPV.
The automatic instrumentation and control equipment for the relief valves is described in this subsection. The instrumentation and control for one of the relief valves is discussed. Other relief valves equipped for automatic depressurization are identical.
The control system consists of pressure and water level sensors arranged in trip systems that control a solenoid-operated pilot air valve. The solenoid-operated pilot valve controls the pneumatic pressure applied to a bellows-actuator that operates the relief valve directly. An accumulator is included with the control equipment to store pneumatic energy for relief valve operation. The accumulator is sized to provide pneumatic pressure for five actuations of the pilot valve during interruptions if the pneumatic supply to the accumulator is switched from the normal to the emergency backup supply source. Cables from the sensors lead to the trip unit racks located in the reactor building, where the logic arrangements are formed in cabinets. The electrical control circuitry is powered by dc power from the plant batteries. The power supplies for the redundant control circuits are selected and arranged to maintain tripping ability in the event of an electrical power circuit failure. Electrical elements in the control system energize to open the relief valve.
7.3.1.2.2.1 Initiating Circuits The pressure and level transmitters used to initiate one ADS logic are separated from those used to initiate the redundant logic on the same ADS valve. Reactor pressure vessel low water level is detected by six transmitters that measure differential pressure. Primary containment high pressure is detected by four pressure transmitters. The primary containment high pressure signals are arranged to seal into the control circuitry. These signals must be manually reset to clear.
A timer is used in each ADS logic. The time delay setting before actuation of the ADS is long enough that the HPCI system has time to operate, yet not so long that the LPCI and core spray systems are unable to adequately cool the fuel if the HPCI system cannot. An alarm in the main control room is activated when either of the timers is timing. Resetting the ADS initiating signals recycles the timer. A display of the time remaining before the ADS actuates is available to the operator in the main control room.
7.3-10 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.2.2 Logic and Sequencing The two initiating signals used for ADS are RPV low water level (level 1) and drywell high pressure. Simultaneous occurrences of RPV low water level and drywell high pressure conditions initiate a nominal 105 second time delay. After that time delay, ADS safety relief valves will operate if a sufficient number of low pressure ECCS pumps (RHR and/or core spray) are available for adequate core cooling. RPV low water level (level 1) signal also initiates a bypass timer which is set for a nominal 7 minutes. This time delay is provided to bypass the drywell high pressure permissive. If for some reason the drywell high pressure is not detected, the RPV low water level signal alone will actuate the ADS safety relief valves.
The 7 minute bypass time delay, plus the original 105 second time delay and the permissive from appropriate ECCS pump discharge pressure will provide for ADS actuation. The instrument trip settings are given in Table 7.3-2. Figure 7.3-6 shows the logic for ADS actuation, with the High Drywell Pressure Bypass Timer started on level 1. A nominal bypass timer time delay setpoint of 7 minutes was established for Fermi 2 from the unique analyses performed by General Electric, which is consistent with the analysis presented in NEDO-24708A (Figure Group 3.5.2.1-33). The results of these analyses demonstrate that adequate core cooling is ensured for isolation events, even with the ADS blowdown delayed after level 1 for an analytical time of 10 minutes. A subsequent confirmatory analysis established the adequacy of the bypass timer setpoint including increases in reactor rated thermal power to 3486 MWth (refer to Subsection 6.3.2.2 for analytical values). Starting the bypass timer at level 1 allows the operator enough time to control the system manually and still ensure automatic depressurization in time to prevent excessive fuel heat
-
up, even under the worst-case conditions described above. Primary containment high pressure indicates a breach in the nuclear system process barrier inside the drywell. For each logic train, a permissive signal indicating LPCI or core spray pump discharge pressure is also required. Discharge pressure on either of the two LPCI pumps or two of the core spray pumps (one discharge pressure sensor per pump) in the same division is sufficient to give the permissive signal. This signal prevents initiation of the ADS until the low-pressure ECCS is operating. After receipt of the initiation signals and after a delay provided by timers, each of the solenoid pilot air valves is energized. This allows pneumatic pressure from the accumulator to act on the air cylinder operator. The air cylinder operator holds the relief valve open.
Lights in the main control room indicate when the SRV is opened. Manual reset switches are provided for the ADS initiation signal and primary containment high-pressure signals. By resetting these signals manually, the delay times are recycled. The operator can use the reset pushbuttons to delay or prevent automatic opening of the relief valves if such delay or prevention is prudent. A manual inhibit switch is also provided for each ADS trip system. These switches allow the operator to inhibit ADS operation without repeatedly pressing the reset pushbuttons.
Operation of the manual inhibit switch will activate a white indicating light and an annunciator to alert the operator of the inhibit action. Enabling the inhibit function will not terminate an ADS logic actuation after the 105 second time delay has elapsed. At this point, 7.3-11 REV 20 05/16 FERMI 2 UFSAR only the reset pushbutton can be used to affect the ADS operation. Refer to Subsection 6.3.2.17 for criteria in using the reset pushbutton switch. Control switches are available in the main control room for each SRV associated with the ADS. The OPEN position is for manual SRV operation. Two divisional ADS logic systems are provided: ADS "A,C" logic and ADS "B,D" logic (Figure 7.3-4). Division I sensors for low reactor water level and high drywell pressure initiate ADS "A,C" logic, Division II sensors initiate ADS "B,D" logic. Either ADS "A,C" logic or "B,D" logic actuates the solenoid pilot valve on each ADS valve. The RPV low water level initiation setting for the ADS is selected to depressurize the RPV in time to allow adequate cooling of the fuel by the LPCI system or core spray system following a LOCA in which the HPCI system fails to perform its function adequately. The primary containment high-pressure setting is selected as low as possible without inducing spurious initiation of the ADS. This provides timely depressurization of the RPV if the HPCI system fails to start or fails after it successfully starts following a LOCA. Since the ADS is a backup for HPCI, different drywell pressure
-sensing transmitters are used for ADS and HPCI. The low-pressure pump discharge pressure setting used as a permissive for depressurization is selected to ensure that at least one of the four LPCI pumps or one of the core spray loops has received electrical power, has started, and is capable of delivering water into the RPV. The setting is high enough to ensure that the pump will deliver at near rated flow without being so low as to provide an erroneous signal indicating that the pump is actually running.
7.3.1.2.2.3 Bypasses and Interlocks It is possible for the operator to manually delay the depressurizing action by depressing the timer reset pushbutton. The operator may also interrupt the depressurization at any time by the same action.
A manual switch is also provided to allow the operator to inhibit ADS operation (prior to its automatic initiation) instead of successively pressing the reset pushbuttons to reset the ADS timer. The operator would make these decisions based on an assessment of other plant conditions.
7.3.1.2.2.4 Redundancy and Diversity The ADS is initiated by a combination of high drywell pressure and low RPV water level.
The initiating circuits for each of these parameters are redundant, as verified by the circuit description in this section.
7.3.1.2.2.5 Actuated Devices All relief valves in the ADS are equipped with remote manual switches so that the ADS valves can be manually as well as automatically operated. The valves also relieve pressure by built-in mechanical action.
7.3-12 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.2.6 Separation General Refer to Subsection 7.3.1.2.1.6. Specific The ADS is a Division I system, but also makes use of Division II power and pneumatic supply. The "A,C" sensing and control logic is connected to the Section 1 half of the 260/130-V dc Division I battery. The "B,D" control logic is fed from the Section 2 half of the 260/130-V dc Division I battery, with automatic transfer to the Section 1 half. The "B,D" sensing and interposing relay circuitry (to the "B,D" control logic) is fed from the Division II battery. Each valve is normally fed from the Section 1 half of the Division I battery, but each has a power monitor to automatically transfer to the Section 2 half of Division I battery on a power failure. 7.3.1.2.2.7 Testability Refer to Subsection 7.3.1.2.1.7. Specific The ADS has two trip systems; either one can initiate automatic depressurization. Each trip system has two trip logics, both of which must trip to initiate depressurization. Four test jacks are provided, one in each trip logic. To prevent spurious actuation of the ADS during testing, only one trip logic is actuated at a time. An alarm is provided if a test plug is inserted on both trip logics. Operation of the test plug switch along with actuation of the ADS reactor level interlock and the ac interlock (RHR or core spray pumps running) closes one of the two series relay contacts in the valve-solenoid circuit. This causes a light to turn on, indicating proper trip logic operation. When the test is performed, continuity of the solenoid circuit is verified. Testing of the other trip logic and trip system is accomplished in a similar manner.
Annunciation is provided in the main control room whenever a test plug is inserted to indicate ADS in test status.
7.3.1.2.2.8 Environmental Considerations The signal cables, solenoid valves, pressure switches for indication, and SRV operators are the only instrumentation and control equipment for the ADS located inside the primary containment. They remain functional in the environment resulting from a LOCA. These items operate in the most severe environment resulting from a design
-basis LOCA (Section 3.11). Gamma and neutron radiation is also considered in the selection of these items.
Equipment located outside the drywell also operates in its normal and accident environments.
7.3.1.2.2.9 Operational Considerations The instrumentation and control of the ADS is not required for normal plant operations.
When automatic depressurization is required, it is initiated automatically by the circuits 7.3-13 REV 20 05/16 FERMI 2 UFSAR described in this section. No operator action is required for at least 10 minutes following initiation of the system.
A temperature element is installed on the SRV discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the main control room so that a means of detecting SRV leakage during plant operation is provided. When the temperature in any SRV discharge line exceeds a preset value, an alarm is sounded in the main control room. The alarm setting is enough above normal rated power temperatures to avoid spurious alarms, yet low enough to give early indication of SRV leakage.
7.3.1.2.3 Core Spray System Instrumentation and Control The core spray system consists of two independent spray loops, as illustrated in Figure 7.3-7.
The core spray system is capable of supplying sufficient cooling water to the RPV to adequately cool the core following a design-basis LOCA. The two spray loops are physically and electrically separated so that no single physical event makes both loops inoperable. Each loop includes two ac pumps, appropriate valves, and the piping to route water from the suppression chamber to the RPV. The instrumentation and control for the core spray system includes the sensors, relays wiring, and valve-operating mechanisms used to start, operate, and test the system. Except for the testable check valve in each spray loop, which is inside the primary containment, the sensors and valve closing mechanisms for the core spray system are located in the reactor building.
Cables from the sensors are routed to the trip unit racks located in the auxiliary building, where the control circuitry is assembled in electrical panels. Each core spray pump is powered from a different ac bus which is capable of receiving standby power. The power supply for automatic valves in each loop is the same as that used for the core spray pump in that loop. Control power for each of the core spray loops comes from separate dc buses. The electrical equipment for one core spray loop is located in a separate cabinet from that used for the electrical equipment for the other loop.
7.3.1.2.3.1 Initiating Circuits Primary containment pressure is monitored by four pressure transmitters mounted on instrument racks outside the drywell, but inside the reactor building. Cables are routed from the transmitters to the relay logic cabinets. Each drywell high-pressure trip channel provides an input into the trip logic shown in Figure 7.3-8. Pipes that terminate in the reactor building allow the transmitters to communicate with the drywell interior.
Four drywell pressure transmitters are electrically connected to a "one-out-of-two taken twice" circuit as well as four water
-level transmitters to both loops, so that no single event can prevent the initiation of the core spray system due to primary containment high pressure.
Contacts from the primary containment high-pressure signal relays are also used in the HPCI, LPCI/RHR, and core spray systems.
Contacts from the RPV low water level (Level 1), initiation signal relays are used in the ADS, core spray, LPCI, and primary CRVICS systems.
7.3-14 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.3.2 Logic and Sequencing The control scheme for the core spray system is illustrated in Figure 7.3-8. Trip settings are given in Table 7.3-3. The overall operation of the system following the receipt of an initiating signal is as follows:
- a. Test bypass valves are closed and interlocked to prevent opening b. If normal ac power is available, the core spray pumps in both spray loops start 5 sec after receiving the initiation signal
- c. If normal ac power is not available, the core spray pumps in both spray loops start 5 sec after standby power becomes available to that particular pump
- d. When the RPV pressure drops to a preselected value, valves open in the pump discharge lines, allowing water to be sprayed over the core.
The RPV low water level indicates that the core is in danger of being overheated due to loss of coolant. Drywell high pressure indicates that a breach of the nuclear system process barrier has occurred inside the drywell. The considerations used in establishing the RPV low water level and primary containment high-pressure settings and the instruments that provide the initiating signals are the same as those used for the HPCI system.
To prevent pump overheating at reduced core spray pump flow, a pump discharge bypass is provided from each loop. The bypass routes the discharge from both pumps in a loop back to the suppression chamber. The bypass is controlled by an automatic motor-operated valve whose control scheme is shown in Figure 7.3-8. At core spray high loop flow, the bypass valve is closed; at low flow, the bypass valve is opened. A flow switch measures the flow in each of the two loops.
7.3.1.2.3.3 Bypasses and Interlocks During test operation, each core spray loop discharge can be routed to the suppression pool.
Motor-operated valves are installed in the test lines. On receipt of a core spray initiation signal, the bypass valve closes and remains closed. The piping arrangement is shown in Figure 7.3-7; the control scheme for the two valves is shown in Figure 7.3-8.
7.3.1.2.3.4 Redundancy and Diversity The core spray system is completely redundant with two independent spray loops. Initiation of the system is described in Subsection 7.3.1.2.3.1.
7.3.1.2.3.5 Actuated Devices The control arrangements for the core spray pumps are shown in Figure 7.3-8. The circuitry provides for the detection of power available so that all pumps are automatically started. Each of the four pumps can be controlled by a main control room remote switch, or by the automatic control system. A pressure transducer on the discharge line from each core spray pump provides a signal in the main control room to indicate the successful startup of a pump.
If a core spray initiation signal is received when normal ac power is not available, all core spray pumps start 5 sec after restoration of the particular bus voltage from which the pump 7.3-15 REV 20 05/16 FERMI 2 UFSAR motor receives power, and avoids overloading the source of standby power. The core spray pump motors are provided with overload protection. Overload relays are applied to maintain power as long as possible without immediate damage to the motors or emergency power system. Valve motors are protected by overload alarms and trips.
Flow measuring instrumentation is provided in each of the two core spray loop discharge lines. The instrumentation provides flow indication in the main control room. Except where specified otherwise, the remainder of this description of the core spray system refers to one spray loop. The second core spray loop is identical. The control arrangements for the various automatic valves in the core spray system are indicated in Figure 7.3-8. Each of the valves is equipped with limit switches to turn off the valve motor when the valve reaches the limits of movement. Appropriate interlocks prevent the incorrect positioning of the valves by manual action after the system has been automatically actuated. All motor
-operated valves are equipped with limit switches that provide main control room indication of valve position. Each automatic valve can be operated from the main control room. On receipt of an initiation signal, the test bypass valve is interlocked shut. Having received the initiation signal, the core spray pump discharge valves are automatically opened when NSSS pressure drops to a preselected value. The setting is selected low enough so that the low-pressure portions of the core spray system are not overpressurized, yet high enough to open the valves in time to provide adequate cooling for the fuel. Four pressure transmitters are used to monitor nuclear system pressure. The transmitters can initiate opening of the discharge valves on a "one-out-of-two taken twice" basis. The signal received on automatic core spray initiation overrides all other signals. The full-stroke operating times of the motor
-operated pump discharge valves are selected to be rapid enough to ensure proper delivery of water to the RPV in a design
-basis accident (DBA). The full stroke operation times are as follows: a. Test bypass valve - 108 sec b. Pump suction valve - 80 sec
- c. Outboard pump discharge isolation valves - 13 sec d. Inboard pump discharge isolation valves - 12 sec 7.3.1.2.3.6 Separation General Refer to Subsection 7.3.1.2.1.6. Specific The core spray system consists of independent Division I and II systems. Pumps A and C are in Division I and pumps B and D are in Division II. Two separate logics located in separate panels are used. Logic for the "A" loop is operated by the 260/130-V dc Division I battery and logic for the "B" loop is operated by the 260/130-V dc Division II battery.
7.3-16 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.3.7 Testability General Refer to Subsections 7.1.3.1 and 7.3.1.2.1.7. Specific The core spray system is provided with a test jack in both "A" and "B" logics. The low reactor level or high drywell pressure "one-out-of-two taken twice" circuit can be completely tested by only actuating one instrument channel at a time. Insertion of the test plug at either logic relay panel actuates an annunciator in the main control room, which indicates that the core spray system is in test status.
7.3.1.2.3.8 Environmental Considerations The only control components pertinent to core spray system operation that are located inside the primary containment are those controlling the testable check valve on each of the two injection lines. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate (Table 3.11-3). 7.3.1.2.3.9 Operational Considerations The core spray system is not required for normal operations. When it is required for accident conditions, it is initiated automatically by the circuitry described in this section. No operator action is required for at least 10 minutes following initiation. After this time, manual operation may be assumed by the operator. Core spray system pressure between the two pump discharge valves is monitored by a pressure switch to permit detection of leakage from the nuclear system into the core spray system outside the primary containment. A detection system is provided to continuously confirm the integrity of the core spray piping between the inside of the RPV and the core shroud. A differential pressure switch measures the pressure difference between the bottom of the core and the inside of the core spray sparger pipe just outside the RPV. If the core spray sparger piping is sound, this pressure difference will be the pressure drop across the core. If integrity is lost, this pressure drop will include the core pressure drop and the steam separator pressure drop. An increase in the normal pressure drop initiates an alarm in the main control room. Pressure in the core spray pump suction line is monitored by a locally mounted pressure indicator to permit determination of suction head and pump performance.
7.3.1.2.4 Low-Pressure Coolant Injection Instrumentation and Control Low-pressure coolant injection is an operating mode of the RHR system. The LPCI system is designed to provide water to the RPV following the design-basis LOCA.
Figure 5.5-13 shows the entire RHR system, including the equipment used for LPCI operation. The instrumentation for LPCI system operation controls other valves in the RHR system. This ensures that the water pumped from the suppression chamber by the main system pumps is routed directly to the reactor. These interlocking features are described in this subsection.
7.3-17 REV 20 05/16 FERMI 2 UFSAR Operation of the LPCI system uses four pumps and two loops, although only three out of four pumps are needed for LPCI cooling. Each loop injects into the reactor through the recirculation pump loop. Figure 5.5-13 shows the location of instruments, control equipment, and LPCI system components. Except for the LPCI system testable check valves, the components pertinent to LPCI system operation are located outside the primary containment. Power for the LPCI system pumps is supplied from ac buses that can receive standby ac power. Each pump is powered from a separate bus. Motive power for the automatic valves comes from one of the lines that powers the pumps for that loop. Control power for the LPCI
components comes from the dc buses. The LPCI is arranged for automatic and remote manual operation from the main control room. Manual operation allows the operator to act independently of the automatic controls in the event of a LOCA.
7.3.1.2.4.1 Initiating Circuits The two automatic initiation functions provided for the LPCI systems are RPV low water level and primary containment (drywell) high pressure. Either of these functions initiates the LPCI system.
The low level initiation signal for the LPCI system is a "one-out-of-two taken twice" circuit arrangement using relay contacts from the core spray system. It is used in conjunction with the primary containment high
-pressure initiation signal. The high
-pressure initiation signal uses pressure transmitters such as those described for the core spray system in Subsection 7.3.1.2.3. A discussion of the LPCI mode loop selection logic is provided in Subsection 6.3.2. Additional information can be found in Subsection 7.3.1.2.4.10.
7.3.1.2.4.2 Logic and Sequencing The overall LPCI system operating sequence following the receipt of an initiation signal is as follows: a. All four main system pumps start with no delay, taking suction from the suppression chamber. The valves in the suction paths from the suppression chamber are kept open so that no automatic action is required to line up suction, except when the system is lined up in shutdown cooling. For the loop in shutdown cooling, the suction path requires manual action to realign, and the operating pump(s) need to be reset after trip. b. Valves used for other RHR operating modes (containment spray, RHR, etc.) are automatically positioned so that the water pumped from the suppression chamber is routed correctly
- c. When nuclear system pressure has dropped to a value at which the LPCI system pumps are capable of injecting water into the vessel, the LPCI system injection valves automatically open. If a shutdown cooling isolation has occurred, then the logic needs to be manually reset to permit the LPCI system injection valves, F015A/B to open.
7.3-18 REV 20 05/16 FERMI 2 UFSAR
- d. The LPCI loops then deliver water to the RPV until vessel water level is adequate to provide core cooling. Cooling water level is ensured since the pump is sealed in. The LPCI cannot be canceled for 5 minutes. In the descriptions of the LPCI system instrumentation and control that follow, Figure 5.5-13 can be used to determine the physical location of sensors. Figure 7.3-9 can be used to determine the functional use of each sensor in the control circuitry for LPCI system components. Instrument characteristics and settings are given in Table 7.3-4. Actuation logic is shown in Figures 7.3-9 Sheets 1 and 2. Additional information that provides a more detailed description of the differential pressure sensors used in the LPCI loop selection logic and additional clarification of the loop selection logic can be found in Subsection 7.3.1.2.4.10.
7.3.1.2.4.3 Bypasses and Interlocks When an RHR loop is operating in the SDC mode, the loop is designed to isolate automatically on low reactor water level (i.e., Level 3) or high reactor pressure. If the system isolates on decreasing level before LPCI initiates (since Level 3 is higher than Level 1), the common SDC suction (E11F008 and 9) valves and the LPCI injection valves (E11F015A and B) in both divisions close, and pumps in the loop that is operating in the SDC mode trip on loss of suction path. The LPCI loop pumps that are lined up in standby mode are not affected. Under these circumstances, if LPCI injection is necessary, operator action would be necessary to align RHR to the LPCI mode. The LPCI injection valves' logic would have to be reset for both the loop in SDC and the loop in LPCI standby mode using the divisional push buttons in the control room. In the loop that was in SDC, the pump control logic would have to be reset before the pump could be started. The torus suction valves for the loop that was in SDC would have to be opened. All of these actions would be performed at the control room panels for the associated RHR loops. As shown on Sheet 2 of Figure 7.3-9, there are three time-delay interlocks in the loop selection logic:
- a. A 0.5-sec delay to determine if either recirculation loop is shut down (in which case, the other loop is also shut down) b. A 2.0-sec delay to allow momentum effects to settle and system parameters to stabilize c. A 0.5-sec delay while loop selection logic is being cycled.
Once the specific recirculation loop is selected for injection and the reactor pressure is below the RHR overpressure interlock setpoint, the RHR outboard and inboard valve circuits for that loop receive an OPEN permissive and a CLOSE block. The signal to the outboard valve is locked in for 5 minutes; this time is considered sufficient for the system to reflood the core to at least two-thirds of its height. Expiration of the 5-minute lock-in period does not initiate valve closure, but does give the operator the facility to throttle the flow. The other loop, the loop not selected for LPCI injection, receives a CLOSE signal for 10 minutes when the loop selection is made. If the LPCI initiation signal remains, there is no 7.3-19 REV 20 05/16 FERMI 2 UFSAR capability in the logic to manually bypass the 10- and 5-minute delays in the loop selection logic. Once the loop is selected, the operator cannot change loops for 10 minutes. To protect the main system pumps from overheating at low flow rates, a minimum flow bypass line is provided that routes water from the pump discharge to the suppression chamber. A motor- operated valve controls the flow in each bypass line. The minimum-flow bypass valve automatically opens on sensing low flow in the discharge line, and automatically closes when flow is above the low flow setting. Figure 5.5-13 shows the location of the flow sensors. The OPEN circuit contains a 15-sec delay permissive; this prevents loss of reactor vessel inventory to the suppression pool during shutdown cooling mode initiation.
The valves that divert water for containment cooling (F016, F021, F024, F027, F028) are signaled closed on receipt of an LPCI system initiation signal. These valves cannot be opened by manual action unless two conditions exist: the accident initiation signal indicating the need for containment cooling is present; and the RPV water level inside the core shroud is above the level equivalent to two-thirds the core height, which indicates that the pumps are not needed for the LPCI function. Two differential-pressure transmitters are used to monitor water level inside the core shroud. Each is separately piped to the RPV. A keylock switch in the main control room allows manual override of the two-thirds core height and accident initiation signal permissives for the containment cooling valves. The RHR heat exchanger bypass valve, F048, receives an OPEN and block CLOSE permissive from the LPCI initiation signal so maximum flow is available for injection. After 3 minutes, this permissive is blocked and the operator can manually close, throttle, or leave the valve in the open position.
7.3.1.2.4.4 Redundancy and Diversity The LPCI system is redundant in that two separate loops are provided with pumps A and C feeding into loop A, and pumps B and D feeding into loop B. Loops A and B are tied together by means of a cross-header with a locked-open valve in the header. Initiation of the system is described in Subsection 7.3.1.2.4.
7.3.1.2.4.5 Actuated Devices The functional control arrangement for the LPCI system pumps is shown in Figure 7.3-9. If ac power is available, all four LPCI system pumps start with no delay. Otherwise, they start as soon as the emergency power is available. The operator can manually control the pumps from the main control room. This permits him to use the pumps for other purposes such as containment cooling. Two pressure-indicating transmitters are installed in each pump discharge line to verify that pumps are operating following an initiation signal. The pressure signal is used in the ADS to verify availability of low-pressure core cooling. The pressure transmitters are located upstream of the pump discharge check valves to prevent the operating pump discharge pressure from concealing a pump failure.
7.3-20 REV 20 05/16 FERMI 2 UFSAR The main system pump motors are provided with overload protection. The overload relays maintain power on the motor as long as possible without harming the motor or jeopardizing the emergency power system.
All automatic valves used in the LPCI function are equipped with remote-manual test capability. The entire system can be operated from the main control room. Motor-operated valves have limit switches to turn off the motors when the fully open positions are reached.
Torque switches are also provided to control valve motor forces when valves are closing.
Thermal overload devices are used to trip motor-operated valves. Valves that have vessel and containment isolation requirements are described in Subsection 7.3.2. The LPCI system pump suction valves from the suppression pool are normally open. To reposition the valves, a keylock switch must be turned in the main control room. On receipt of an LPCI initiation signal, certain reactor shutdown cooling system valves and the RHR test line valves are signaled to close, although they are normally closed, to ensure that the LPCI system pump discharge is correctly routed. Included in this set of valves are the valves that, if not closed, would permit the main system pumps to take suction from the reactor recirculation loops, a lineup used during normal shutdown cooling system operation. A timer similar to that used in the LPCI system pump control circuitry cancels the LPCI open signal to the heat exchanger bypass valves after a 3-minute delay, which is time enough to permit satisfactory start of the LPCI system. The signal cancellation allows the operator to control the flow through the heat exchangers for other postaccident purposes. Canceling the open signal does not cause the bypass valves to close.
7.3.1.2.4.6 Separation General Refer to Subsection 7.3.1.2.1.6. Specific The LPCI system is a Division I and II system. Pumps A and C are in Division I, and pumps B and D are in Division II. Two separate logics located in separate panels are used. Logic for loop A (pumps A and C) is operated by the 260/130-V dc Division I battery and logic for loop B is operated by the 260/130-V dc Division II battery.
7.3.1.2.4.7 Testability General Refer to Subsection 7.3.1.2.1.7. Specific The LPCI system is provided with test jacks in each logic. The low reactor level or high drywell pressure "one-out-of-two taken twice" circuit can be completely tested by actuating only one instrument channel at a time. The other test jacks are used in the logic to facilitate testing as required. Insertion of the test plug in any jack actuates an annunciator in the main control room, indicating that LPCI is in test status.
7.3-21 REV 20 05/16 FERMI 2 UFSAR 7.3.1.2.4.8 Environmental Considerations The only control components pertinent to LPCI system operation that are located inside the primary containment are those controlling the testable check valves on the injection lines. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate, as described in Table 3.11-3.
7.3.1.2.4.9 Operational Considerations The LPCI system is a mode of the RHR system. The pumps, valves, piping, and other equipment used for the LPCI system are used for other modes of the RHR system. The LPCI mode is not required for normal operation.
7.3.1.2.4.10 Low-Pressure Coolant Injection Loop Selection Logic Because the LPCI system injects water into the reactor through the discharge piping of one of the recirculation loops, it is necessary to make certain that the water is not injected into a broken recirculation loop. To satisfy this requirement, a break-detection system is provided to select the recirculation loop that is broken. This system then provides a signal that causes the LPCI water to be injected through the unbroken loop. The location of the break in the recirculation system is determined by comparing the pressure of the two recirculation loops. The broken loop will indicate a lower pressure than the unbroken loop. The loop with the higher pressure is then used for LPCI injection or, if both pressures are the same, loop B is selected for injection. A diagram showing the relative physical location of the loop selection differential measurement can be found in Figure 5.5-2. This logic system for break detection or loop selection is shown in Figure 7.3-9 and the details follow:
- a. The entire LPCI system is activated by either high drywell pressure or reactor low water level. Each of these signals is of the one-out-of-two-twice type
- b. The recirculation pump differential switches set up the network logic in the optimum arrangement depending on whether one pump or two pumps are operating. If only one pump is operating, the pressure difference due to the pump flow tends to mask the pressure difference due to the break. To avoid this, the loop selection time is delayed (0.5 sec) to determine if either recirculation pump is shut down and to allow proper selection of the unbroken loop. If only one pump is operating, the pump is tripped by the logic circuit
- c. The reactor
-vessel-pressure permissive delays the one- pump-operating side of the logic network until the reactor pressure has dropped to less than about 900 psig. The delay is added to provide time for the recirculation pump coastdown d. After satisfaction of the reactor-pressure permissive mentioned above or if both recirculation pumps have indicated P greater than the setpoint, the logic network is delayed about 2 sec to allow momentum effects to settle and system parameters to stabilize 7.3-22 REV 20 05/16 FERMI 2 UFSAR
- e. Finally, the loop selection is made. If loop A pressure is greater than that of loop B, then loop B is broken and injection will occur in loop A. If the pressure at loop A is not greater than that at loop B, the 0.5-sec timer will run out, causing loop B to be selected. The 0.5-sec time delay allows the loop selection logic to function. The P is measured from each recirculation loop riser pipe to the corresponding riser pipe on the other recirculation loop. The taps are located as close to the reactor vessel as possible. This arrangement provides a one-out-of-two-twice logic Loop selection differential pressure trip comparator set-points are adjusted to a value that gives the earliest valid indication of a break. The differential pressure comparator output contact is closed when the pressure in the recirculation pump A riser is approximately 1.0 psi higher than the pressure in the B recirculation pump riser
- f. Once the specific recirculation loop is selected for injection and the reactor pressure is below about 500 psig, the RHR outboard and inboard valve circuits for that loop receive an "open" permissive and a "close" block. Because of the design of the logic circuitry, all cases except when a loop B break is detected cause injection through loop B. The interconnecting line between both RHR loop discharge lines permits total injection to either recirculation loop. In the accident mode, the core is flooded to an adequate height and the level is maintained by the LPCI operating alone with three of four pumps operating. The design basis requires 30,000 gpm (three of four pumps).
Injecting into both loops simultaneously would produce some loss of inventory due to a postulated break in one of the loops. A complete description of the sensors and trip units is the main subject of NEDO-21617, Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Trip Inputs.
7.3.1.3 Analysis of the Emergency Core Cooling System 7.3.1.3.1 Conformance To General Functional Requirements In Chapters 6 and 15, the individual and combined capabilities of the ECCS are evaluated.
Consideration of failure in plant instrument air and loss of cooling water to vital equipment is presented in Chapter 15. The safety design bases mentioned below are given in Subsection 7.1.2.1.3. The control equipment characteristics and trip settings are described in Subsection 7.3.1.2 and were considered in the analysis of ECCS performance. For the entire range of nuclear process system break sizes, the cooling systems are effective both in preventing fuel
-cladding failure and in preventing more than a small fraction of the reactor core from reaching the temperature at which a gross release of fission products can occur. This conclusion is valid even with significant failures in individual cooling systems because of the overlapping capabilities of the ECCS. The instrumentation and control for the ECCS satisfies the requirements of safety design basis Item a.
Safety design basis Item b. requires that instrumentation for the ECCS respond to the potential inadequacy of core cooling regardless of the location of a breach in the nuclear system process barrier. The RPV low water level initiating function, which alone can actuate 7.3-23 REV 20 05/16 FERMI 2 UFSAR HPCI, LPCI, and core spray, meets this safety design basis because a breach in the nuclear system process barrier inside or outside the primary containment is sensed by the low water level trip channels. Because of the isolation responses of the CRVICS to a breach of the nuclear system outside the primary containment, the use of the RPV low-water signal is satisfactory as the only emergency cooling system initiating function that is completely independent of breach location. The other major initiating function, primary containment high pressure, is provided as a diverse backup to water level to ensure isolation of all NSSS breaches inside the primary containment. This second initiating function is independent of the physical location of the breach within the drywell. The method used to initiate the ADS, which employs RPV low water level and primary containment high pressure, requires that the nuclear system breach be inside the drywell because of the required primary containment high pressure signal. For breaks outside primary containment, or for breaks inside primary containment which do not result in primary containment high pressure, the primary containment high pressure permissive is bypassed after a time delay following a low reactor water signal. This control arrangement is satisfactory in view of the automatic isolation of the RPV by the CRVICS for breaches outside the primary containment, and because the ADS is required only if the HPCI fails. This meets Safety design basis Item b.
An evaluation of ECCS controls shows that no operator action is required to initiate the correct responses of the ECCS.
The alarms and indications provided to the operator in the main control room allow interpretation of any situation requiring ECCS operations, and verify the response of each system. Manual controls are illustrated on functional control diagrams. The main control room operator can manually initiate every essential operation of the ECCS.
The degree to which safety is dependent on operator judgment and response has been appropriately limited by the design of the ECCS control equipment. Therefore, safety design bases Items c.1., c.2., and d. of Subsection 7.1.2.1.3 are satisfied. The redundancy provided in the design of the control equipment for the ECCS is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the ECCS which come from common sensors is the same as that provided by the dual trip system arrangement of the RPS. No failure of a single initiating trip channel can prevent the start of the cooling systems.
The numbers of control components provided in the design for individual cooling system components are consistent with the need for the controlled equipment. An evaluation of the control schemes for each ECCS component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation, the redundancy of components and cooling systems was considered. The functional control diagrams provided with the descriptions of cooling systems controls were used in assessing the functional effects of instrumentation failures. In the course of the evaluation, protection devices that can interrupt the planned operation of cooling system components were investigated for the results of their normal protective action as well as the effect of maloperation on core cooling effectiveness. The only protection devices that can act to interrupt planned ECCS operation are those that must act to prevent 7.3-24 REV 20 05/16 FERMI 2 UFSAR complete failure of the component or system. Examples of such devices are the HPCI turbine overspeed trip, HPCI steam line break isolation trip, pump trips on low suction pressure, and automatically controlled minimum flow bypass valves for pumps. In every case the action of a protective device cannot prevent other redundant cooling systems from providing adequate cooling to the core.
The minimum number of trip channels and sensors, as given in Tables 7.3-5 through 7.3-8, is sufficient to ensure correct functional performance of the ECCS. In determining the minimum number of trip channels needed to ensure functional performance, the use and redundancy of sensors in control circuitry and the redundancy of the controlled equipment in any individual cooling system were considered. Where no redundancy of trip channels is available in the controls of a cooling system component required to function if the system is to operate, functional performance is not possible unless the trip channels are operable. Where two or more sensors of a monitored variable are arranged in parallel in control circuitry, inoperability of one parallel branch does not compromise performance of the system. It should be noted that the various degrees of redundancy in control circuitry for the components of the ECCS reflect considerations for the integrated performance of the systems. The tables referenced in this subsection consider only the functional performance of each individual cooling system. To determine the proper state in which an inoperable sensor or trip channel should be placed, the functional effect of the channel and the proper action of the controlled equipment in a LOCA are considered. The condition given in the tables for inoperable sensors provides assurance that the essential functions of each individual ECCS are not degraded in a LOCA situation. Because the control arrangement used for the ADS is designed to avoid spurious actuation, the information in Table 7.3-6 is worthy of special consideration. The relief valves are controlled by two trip systems, either one of which can initiate automatic depressurization.
Each trip system has two trip logics, both of which must trip to initiate depressurization. Table 7.3-6 shows the minimum number of functional trip channels necessary for automatic depressurization. The conditions indicated by Table 7.3-6 result in both trip systems always remaining capable of initiating automatic depressurization. If an inoperable sensor is in the tripped state or if a synthetic trip signal is inserted in the control circuitry, automatic depressurization can be initiated when the other initiation signals are received. The prohibition against simultaneously inoperative RPV low water level and primary containment high pressure trip channels in any one trip logic is necessary to prevent situations where a trip logic is continuously in the tripped condition. If the trip logics containing the timers are affected, the planned delay in automatic depressurization is eliminated. The trip channel conditions indicated in Table 7.3-6 avoid these undesirable situations. The LPCI system logic arrangement for the injection valves and recirculation loop valves warrants special consideration in the evaluation of conditions affecting LPCI system performance. The LPCI system sensing circuit for break detection and valve selection is arranged so that failure of a single device or circuit to function on demand does not prevent correct selection of a loop for injection. The system is effective in providing the proper 7.3-25 REV 20 05/16 FERMI 2 UFSAR amount of coolant flow into the undamaged recirculation loop under all combinations of recirculation loop pumping conditions, break sizes, and break location. The conditions represented by Tables 7.3-5 through 7.3-8 are the result of a functional analysis of each individual ECCS. Because of the redundancy in methods of supplying cooling water to the fuel in LOCA situation, and because it is the cooling of the fuel that must be ensured in such a situation, the minimum trip channel conditions in these tables are in excess of those required operationally to ensure core cooling capability. Operational requirements for the ECCS will be determined from the reliability aspects of the integrated performances of the systems when the specific characteristics of core cooling system components are known. The locations of controls where operation of ECCS components can be adjusted or interrupted have been surveyed. Controls are located in areas under the surveillance of operations personnel. The environmental capabilities of instrumentation for the ECCS are discussed in the descriptions of the individual systems. Components located inside the primary containment that are essential to ECCS performance are designed to operate in the environment resulting from a LOCA.
7.3.1.3.2 Conformance To Specific Regulatory Requirements Conformance to Regulatory Guide 1.22 is discussed in Subsections 7.3.1.2.1 through 7.3.1.2.4. Conformance to the requirements of General Design Criteria (GDC) 13, 35, 36, and 37 of 10 CFR 50, Appendix A, is discussed in Subsections 7.3.1.2.1 through 7.3.1.2.4.
The requirements of 10 CFR 50, Appendix B, are met as described in Chapter 17.
7.3.1.3.3 Conformance To IEEE 279-1971 The provisions of the HPCI, ADS, core spray, and LPCI systems design that fulfill the general requirements of IEEE 279-1971 are given, for the most part, in the GE Topical Report, Compliance of Protection Systems to Industry Criteria; General Electric BWR Nuclear Steam Supply System, NEDO-10139, Subsections 3.4.3, 3.5.2, 3.2.2, and 3.3.2, respectively.
The HPCI, ADS, core spray, and LPCI interlock no control systems; therefore, no failure or combination of failures in the control systems can have any effect on the HPCI, ADS, core spray, or LPCI system. The ECCS equipment cabinets are identified by means of colored nameplates, in conformance with the 1971 identification requirements. Controls for each subsystem are grouped in one area of the control panel. Relays are located in separated panels for each division and subsystem.
7.3.1.3.4 Industry Standard IEEE 338-1971 The ECCS conforms to IEEE 338-1971.
7.3-26 REV 20 05/16 FERMI 2 UFSAR 7.3.1.3.5 Industry Standard IEEE 323-1971 Conformance to IEEE 323-1971 is described in NEDO-10698. See also Section 3.11.
7.3.1.3.6 Industry Standard IEEE 344-1971 Conformance to IEEE 344-1971 is described in NEDO-10678. See also Section 3.10.
7.3.2 Containment and Reactor Vessel Isolation Control System 7.3.2.1 Design-Basis Information The design-basis information for the CRVICS, as required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.2 and is supplemented by the following:
- a. To limit the uncontrolled release of radioactive materials to the environs, the CRVICS shall initiate, with precision and reliability, timely isolation of penetrations through the primary containment structure, which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits
- b. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis Item a., the CRVICS shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change
- c. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis Item a., an adequate number of spatially independent sensors are provided for monitoring essential variables that have spatial dependence
- d. To provide assurance that conditions indicative of a gross failure of the nuclear system process barrier are detected with sufficient timeliness and precision to fulfill safety design basis Item a., CRVICS inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions
- e. The time required for closure of the main steam isolation valves (MSIVs) shall be short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are minimal
- f. The time required for closure of the MSIVs shall not be so short that inadvertent isolation of steam lines causes a more severe transient than that resulting from closure of the turbine stop valves coincident with failure of the turbine bypass system. This basis ensures that the MSIV closure speed is compatible with the ability of the reactor protection system (RPS) to protect the fuel and nuclear system process barrier
- g. To provide assurance that closure of Class A and Class B automatic isolation valves is initiated (Subsection 7.3.2.2.1) when required, with sufficient reliability to fulfill safety design basis Item a., the following safety design bases 7.3-27 REV 20 05/16 FERMI 2 UFSAR are specified for the systems controlling Class A and Class B automatic isolation valves: 1. Any one failure, maintenance operation, calibration operation, or test to verify operational availability shall not impair the functional ability of the isolation control system to respond correctly to essential monitored variables, assuming no other single active failure 2. The system shall be designed for a high probability that when any essential monitored variable exceeds the isolation setpoint, the event shall either result in automatic isolation or shall not impair the ability of the system to respond correctly as other monitored variables exceed their trip points 3. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system shall meet the requirements of safety design bases Items a., b., c., and g.1. 4. The power supplies for the CRVICS shall be arranged so that loss of one supply cannot prevent automatic isolation when required 5. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action requires deliberate operator action
- 6. There shall be sufficient electrical and physical separation between trip channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly 7. Earthquake ground motions shall not impair the ability of the CRVICS to initiate automatic isolation.
- h. To ensure that the timely isolation of main steam lines is accomplished, when required, with extraordinary reliability, at least one of the isolation valves in each of the steam lines does not rely on continuity of any variety of electrical power for the motive force to achieve closure
- i. To reduce the probability that the operational reliability and precision of the CRVICS are degraded by operator error, the following safety design bases are specified for Class A and Class B automatic isolation valves:
- 1. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored 7.3-28 REV 20 05/16 FERMI 2 UFSAR variables shall be under the physical control and supervision of the main control room operator 2. The means for bypassing trip channels, trip logics, or system components is under the control of the main control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously indicated in the main control room.
- j. To provide the operator with a means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier, it shall be possible for the main control room operator to manually initiate isolation of the primary containment and RPV
- k. The following bases are specified to provide the operator with the means to assess the condition of the CRVICS and to identify conditions indicative of a gross failure of the nuclear system process barrier
- 1. The CRVICS is designed to provide the operator with information pertinent to the status of the system 2. Means are provided for prompt identification of instrument channel and trip system responses.
- l. It shall be possible to check the operational availability of each trip channel and trip logic during reactor operation.
7.3.2.2 System Description 7.3.2.2.1 Identification Class A isolation valves are in lines that communicate directly with the RPV and penetrate the primary containment. These lines generally have two isolation valves in series, one inside the primary containment and the other outside the primary containment. Class B isolation valves are in lines that do not communicate directly with the RPV, but penetrate the primary containment free space. These lines have two isolation valves in series, both of which are outside the primary containment. Class C isolation valves are in lines that penetrate the primary containment, but do not communicate directly with the RPV, the primary containment free space, or the environs (closed systems). These lines require one isolation valve located outside the primary containment. The CRVICS includes the sensors, trip channels, switches, and remotely activated valve-closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment and/or the RPV.
It should be noted that the control systems for the Class A and Class B isolation valves, which close by automatic action pursuant to the safety design bases, are the main subjects of this section.
However, Class C remotely operated isolation valves are included because they add to the operator's ability to effect manual isolation. Testable check valves are also included because 7.3-29 REV 20 05/16 FERMI 2 UFSAR they provide the operator with the ability to ensure that the check valve disk can respond to reverse flow.
7.3.2.2.2 Power Supply The two power supplies for the trip systems and trip logics are fed from the same two electrical buses that supply the RPS trip systems. Each of the buses has its own motor-generator set. Either bus can receive alternative power from a bus that can be energized by standby power. The buses cannot be simultaneously supplied from the same power source. Isolation valves receive electrical power from buses that are reliable, in that power would be available from standby power sources except those isolation valves that are powered from the RPS. These valves automatically isolate on loss of offsite power. Power for the operation of the two valves in a line comes from different divisional sources. The MSIVs use ac, dc, and air or nitrogen pressure in the control scheme.
7.3.2.2.3 Physical Arrangement Table 6.2-2 lists the lines that penetrate the primary containment and indicates the types and locations of the isolation valve(s) installed in each line. Lines that penetrate the primary containment and are in direct communication with the RPV generally have two Class A isolation valves, one inside the primary containment and one which is outside the primary containment. Lines that penetrate the primary containment and that communicate with the primary containment free space, but which do not communicate directly with the RPV, generally have two Class B isolation valves located outside the primary containment.
Class A and Class B automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the nuclear system process barrier. Process lines that penetrate the primary containment but do not communicate directly with the RPV, the primary containment free space, or the environs, have at least one Class C isolation valve located outside the primary containment. This Class C valve may close either by process action (reverse flow) or by remote manual operation.
Table 6.2-2 presents information about all piping penetrations in the primary containment.
Only the controls for the automatic isolation valves are discussed in this subsection. The valves that are the subject of this text are specially identified in the detailed descriptions that follow. Power cables are run in conduits from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. Valve position switches are mounted on the valve for which position is to be indicated. Switches are enclosed in cases to protect them from environmental conditions. The control arrangement for the MSIVs includes pneumatic piping and an accumulator for each valve. Pressure and water-level sensors are mounted on instrument racks in either the reactor building or the turbine building. Cables from each sensor are routed in conduits and cable trays to the trip unit racks located in the reactor building. All signals transmitted to the main control room are electrical; no pipe from the nuclear system or the primary containment penetrates the main control room. Pipes used to transmit level information from the RPV to sensing instruments terminate inside the secondary containment (reactor building). The 7.3-30 REV 20 05/16 FERMI 2 UFSAR sensor cables and power supply cables are routed to cabinets in the control center where the logic arrangements of the system are formed.
To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control system required for automatic closure of Class A and Class B valves is seismic designed as Category I equipment as described in Subsection 7.1.2.1.2. This meets safety design basis Item g.7.
7.3.2.2.4 Logic The basic logic arrangement is one in which an automatic isolation valve is controlled by redundant trip systems. In cases where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition. Valves that respond to the signals from common trip systems are identified in the detailed description of isolation functions. Each trip system has two trip logics, each of which receives input signals from at least one trip channel for each monitored variable. Thus, two trip channels are required for each essential monitored variable to provide independent inputs to the trip logics of one trip system. A total of four trip channels for each essential monitored variable is required for the trip logics of each trip system. The trip actuators associated with one trip logic provide inputs into the trip actuator logics for either one or two isolation trip systems. The two automatic trip logics associated with each trip system can produce a redundant isolation valve closure. For main steam line isolation valves only, both trip systems are used to actuate closure of inboard and outboard isolation valves. The logic is "one-out-of-two taken twice" arrangement for each variable.
The basic logic arrangement described above does not apply to Class C isolation valves and testable check valves. Exceptions to the basic logic arrangement are made in several instances for certain Class A and Class B isolation valves. The reasons for this are explained in Subsection 7.3.2.1.
7.3.2.2.5 Operation During normal operation of the isolation control system, when isolation is not required, sensor and trip contacts essential to safety are closed; trip channels, trip logics, and trip actuators are normally energized. Whenever a trip channel sensor contact opens, its auxiliary relay deenergizes, causing contacts in the trip logic to open. The opening of contacts in the trip logic deenergizes its trip actuators. When deenergized, the trip actuators open contacts in all the trip actuator logics for that trip system. If a trip then occurs in any of the trip logics of the other trip system, the trip actuator logics for the trip system are deenergized. With both trip systems tripped, appropriate contacts open or close in valve-control circuitry to actuate associated valve
-closing mechanisms. Automatic isolation valves that are normally closed also receive the isolation signal.
The control system for each Class A isolation valve is designed to provide closure of the valve in time to prevent uncovering of the fuel as a result of a break in the pipeline which the valve isolates. The control systems for Class A and Class B isolation valves are designed to 7.3-31 REV 20 05/16 FERMI 2 UFSAR provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the guideline values of published regulations. All automatic Class A and Class B valves and remotely operable Class C valves can be closed by manipulating switches in the main control room, thus providing the operator with a means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier. This meets safety design basis Item j.
Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate switches in the main control room to reopen a valve that has been automatically closed. Unless manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions that initiated isolation have cleared. This is the equivalent of a manual reset and meets safety design basis Item g.5.
A trip of an isolation control system trip channel is annunciated in the main control room so that the operator is immediately informed of the condition. The response of isolation valves is indicated by "open-closed" lights. All motor
-operated Class A and Class B isolation valves have a set of "open-closed" lights. The lights for each valve are located on the main control room panel at the manual control switches that control the valve. A second set of valve group displays that indicate status of the eighteen (18) containment isolation valve groups and individual valve status is available on the Integrated Plant Computer System (IPCS) as part of SPDS.
Inputs to annunciators, indicators, and the computer are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system.
Signals directly from the isolation control system sensors are not used as inputs to annunciating or data-logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the CRVICS satisfies safety design bases Items k.1. and k.2.
7.3.2.2.6 Isolation Valve Closing Devices Table 6.2-2 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote manual isolation of the primary containment or RPV. In order that automatic Class A valves be fully closed in time to prevent the RPV water level from falling below the top of the active fuel as a result of a break of the line the valve isolates, the valve-closing mechanisms are designed to give the maximum closing times specified in the Technical Requirements Manual. In many cases a standard closing rate of 12 in./minute is adequate to meet isolation requirements. Using the standard rate, a 12-in. valve is closed in 60 sec. Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the nuclear system process barrier inside the primary containment, a 1-minute closure time is adequate for the automatic closing devices on most Class B isolation valves.
Motor-operators for Class A and Class B isolation valves are selected with capabilities suitable to the physical and environmental requirements of service. The required valve-closing rates were considered in selecting motor-operators. Appropriate torque and limit switches are used to ensure proper valve seating. Handwheels, which are automatically 7.3-32 REV 20 05/16 FERMI 2 UFSAR disengaged from the motor-operator when the motor is energized, are provided for local-manual operation. Direct solenoid-operated isolation valves and solenoid air-pilot valves are chosen with electrical and mechanical characteristics that make them suitable for their services. Appropriate water- tight or weather tight housing is used to ensure proper operation under accident conditions.
The pneumatic actuator used for testable check valves is designed to allow for the opening of the valve at near zero psi differential pressure across the valve. The actuator cannot close the valve against forward flow, or prevent the closing of the valve against reverse flow. Thus, the check valve will neither hinder forward fluid flow nor fail to stop reverse flow regardless of the condition of the actuator. The MSIVs are spring-closing, pneumatic, piston-operated valves designed to close on loss of pneumatic pressure to the valve operator. This is a fail-safe design. The control arrangement is shown in Figure 7.3-10. Closure time for the valves is adjustable between 3 and 10 sec. Each valve is piloted by two, three-way, packless, direct-acting, solenoid-operated pilot valves, one of which is powered by ac and the other by dc. An accumulator is located close to each isolation valve to provide pneumatic pressure for valve closing in the event of failure of the normal gas supply system. The valve pilot system and the pneumatic lines, as shown in Figure 7.3-11, are arranged so that when one or both solenoid-operated pilot valves are energized, normal gas supply provides pneumatic pressure to the gas-operated pilot valve to direct gas pressure to the main valve operator. This overcomes the closing force exerted by the spring and keeps the main valve open. When both pilots are deenergized, as would be the result when both trip systems trip, or when the manual switch is placed in the closed position, the path through which gas pressure acts is switched so that the opposite side of the valve operator is pressurized. This assists the spring in closing the valve. In the event of gas-supply failure, the loss of gas pressure causes the gas-operated pilot valve to move by spring force to the position resulting in main valve closure. Main valve closure is then effected by means of the gas stored in the accumulator and by the spring. Gas pressure, acting alone, and the force exerted by the spring, acting alone, are each capable of independently closing the valve. The isolation valves inside the primary containment (inboard) are designed to close under either pneumatic pressure or spring force with the vented side of the piston operator at the containment peak accident pressure. The outboard valve is exactly the same design, although it will be subjected only to atmospheric pressures. The accumulator volume was chosen to provide enough pressure to close the valve when the pneumatic supply to the accumulator has failed. The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the rate that the valve operation bleeds pressure from the accumulator during valve opening or closing. A separate, single, solenoid-operated pilot valve with an independent test switch is included to allow manual testing of each isolation valve from the main control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested so that rapid changes in steam flow and NSSS pressure are avoided. Slow closure of a valve during testing requires 50 to 60 sec. 7.3-33 REV 20 05/16 FERMI 2 UFSAR 7.3.2.2.7 Isolation Functions and Settings The isolation trip settings of the CRVICS are listed in Table 7.3
-9. The functions that initiate automatic isolation are itemized in Table 6.2
-2 in terms of the lines that penetrate the primary containment. Table 6.2-2 includes all lines of concern for isolation purposes. Although this section is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or nuclear system process barrier, the additional information given in Table 6.2-2 can be used to assess the overall (electrical and mechanical) isolation effectiveness of each system having lines that penetrate the primary containment.
Isolation functions and trip settings used for the electrical control of isolation valves in fulfillment of the previously
-stated safety design bases are discussed in the following subsection. The role each isolation function plays in initiating isolation of barrier valves o r
groups of valves is illustrated in the functional control diagrams of Figures 7.3-2, 7.3-12, 7.3-13, 7.3-14, and 7.4-1.
7.3.2.2.7.1 Reactor Vessel Low Water Level A low-water level in the RPV could indicate that reactor coolant is being lost through a breach in the nuclear system process barrier and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low-water level initiates closure of various Class A valves and Class B valves. The closure of Class A valves is intended to either isolate a breach in any of the lines in which valves are closed, or to conserve reactor coolant by closing off process lines. The closure of Class B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines that are in communication with the primary containment free space.
Three RPV low water
-level isolation trip settings are used to completely isolate the RPV and the primary containment. The level signals are defined as follows and are shown in Figure 7.3-12: a. Level 3 (L3) is the highest of the three and also initiates the level scram and isolates the RHR system
- b. Level 2 (L2) is the initiation level for the reactor core isolation cooling (RCIC) and HPCI systems and is selected to be less than the volume resulting from a void collapse occurring in the event of a scram from full power. Level 2 also closes certain containment isolation valves
- c. Level 1 (L1) is selected far enough above the top of the active fuel and is selected based on the time required for the RHR and core spray systems to function in the event of a large break. Level 1 also isolates the MSIVs. Isolation of the following lines occurs when the level reaches L3, which is the highest or most conservative level (Table 6.2-2, signal C):
- c. RHR shutdown cooling 7.3-34 REV 20 05/16 FERMI 2 UFSAR
- d. Traversing in
-core probe (TIP) system withdrawal.
The second level (L2) isolates the majority of the nuclear pressure boundary lines and the primary and secondary containment paths. This is also the level that starts the HPCI and RCIC systems, and it has been selected to be lower than the level change resulting from a void collapse following a scram from full power. Specifically, isolation of the following lines is initiated on Level 2 (Table 6.2-2, signal B):
- a. Reactor sample lines
- c. Drywell air and nitrogen inlet d. Suppression chamber exhaust
- e. Suppression chamber air and nitrogen inlet
- f. Drywell exhaust
- g. Drywell pressure control
- h. Suppression chamber pressure control
- i. Purge to standby gas treatment
- j. Control center heating, ventilation, and air conditioning (HVAC) k. Reactor building ventilation
- l. Recirculation pump seal purge
- m. Torus water management
- n. Primary containment radiation monitoring.
The final isolation level is Level 1 (L1). This level setting provides automatic isolation for the following lines, which penetrate the primary containment, if they are open (Table 6.2-2, signal A):
- a. RHR containment spray b. RHR test line
- c. Core spray test line
- d. Suppression chamber spray
- e. Main steam
- f. Main steam line drains.
7.3.2.2.7.2 Main Steam Line High Radiation High radiation in the vicinity of the main steam lines could indicate a gross release of fission products from the fuel. High radiation near the main steam lines initiates isolation of the following pipelines (Table 6.2-2, signal D):
- a. All main steam lines 7.3-35 REV 20 05/16 FERMI 2 UFSAR
- b. Main steam line drain
- c. Reactor water sample line.
The high-radiation trip setting is selected high enough above background radiation levels so that spurious isolation is avoided, yet low enough to promptly detect a gross release of fission products from the fuel. Further information regarding high-radiation setpoint is available in Section 11.4.
7.3.2.2.7.3 Main Steam Line Space High Temperature High temperature in the space in which the main steam lines are located outside the primary containment could indicate a breach in a main steam line. The automatic closure of various Class A valves prevents both the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperatures occur in the main steam line space, all four main steam lines and the main steam line drain are isolated.
The main steam line space high
-temperature trip is set far enough above the temperature expected during operations at rated power so that spurious isolation is avoided, yet low enough to provide early indication of a steam line break.
7.3.2.2.7.4 Main Steam Line High Flow Main steam line high flow could indicate a break in a main steam line. The automatic closure of various Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. On detection of the main steam line high flow, all four main steam lines and the main steam line drain are isolated.
The main steam line high
-flow-trip setting was selected high enough to permit the isolation of one main steam line for the test at rated power without causing an automatic isolation of the rest of the steam lines, yet low enough to permit early detection of a steam line break.
7.3.2.2.7.5 Low Steam Pressure at Turbine Inlet Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure regulator, at which time the turbine control valves or turbine bypass valves open fully. This action causes rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the allowable rate of change of vessel temperature. A rapid depressurization of the RPV while the reactor is near full power could result in undesirable differential pressure across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid the time-consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored. On falling below a preselected value with the reactor in the RUN mode, isolation of all four main steam lines and the main steam drain line is initiated.
7.3-36 REV 20 05/16 FERMI 2 UFSAR The low-steam-pressure isolation setting was selected far enough below normal turbine inlet pressures so that spurious isolation is avoided, yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.
7.3.2.2.7.6 Primary Containment (Drywell) High Pressure High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell. The automatic closure of various Class B valves prevents the release of significant amounts of radioactive material from the primary containment. On detection of a high drywell pressure, the following pipelines are isolated:
- a. Drywell equipment drain discharge b. Drywell floor drain discharge
- e. Suppression chamber exhaust valves
- f. Suppression chamber air and nitrogen inlet
- g. Drywell exhaust
- h. Drywell pressure control
- i. Suppression chamber pressure control
- j. Purge to standby gas treatment k. Control center HVAC recirculation mode
- l. Reactor building ventilation system isolation
- m. Torus water management
- n. Primary containment radiation monitoring. o. Reactor recirculation pumps seal purge supply lines
- p. EECW Division 1 and 2 drywell cooling supply lines (Note: isolation signal from ECCS logic, not from RPS logic)
The primary containment high pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.
7.3.2.2.7.7 Reactor Core Isolation Cooling Turbine Steam Line Space High Temperature High temperature in the vicinity of the RCIC turbine could indicate a break in the RCIC steam line.
The automatic closure of certain Class A valves prevents the excessive loss of radioactive material from the nuclear system process barrier. When high temperature occurs in the RCIC area, the RCIC turbine steam line is isolated. The high-temperature isolation setting was selected far enough above anticipated normal RCIC system operational levels so 7.3-37 REV 20 05/16 FERMI 2 UFSAR that spurious operation is avoided, yet low enough to provide timely detection of an RCIC turbine steam line break.
7.3.2.2.7.8 Reactor Core Isolation Cooling Turbine High Steam Flow Reactor core isolation cooling turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. The RCIC turbine high
-steam-flow trip setting was selected high enough to avoid spurious isolation, yet low enough to provide timely detection of a RCIC turbine steam line break. An electrical time-delay circuit prevents spurious isolations on the turbine startup transient. The logic arrangement used for this function is shown in Figure 7.4-1, and is an exception to the usual logic requirements since high steam flow is the second method of detecting a RCIC turbine steam line break.
7.3.2.2.7.9 Reactor Core Isolation Cooling Turbine Steam Line Low Pressure The RCIC turbine steam line low pressure is used to automatically close the two isolation valves in the RCIC turbine steam line so that steam and radioactive gases do not escape from the RCIC turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that at which the RCIC turbine can operate effectively.
7.3.2.2.7.10 High-Pressure Coolant Injection Turbine Steam Line Space High Temperature High temperature in the vicinity of the HPCI turbine could indicate a break in the HPCI turbine steam line. The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs in the HPCI turbine area, the HPCI turbine steam supply line is isolated. The high-temperature isolation setting was selected far enough above anticipated normal HPCI system operational levels so that spurious isolation is avoided, yet low enough to provide timely detection of an HPCI turbine steam line break.
7.3.2.2.7.11 High-Pressure Coolant Injection Turbine High Steam Flow The HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line.
The automatic closure of certain Class A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier.
On detection of HPCI turbine high steam flow, the HPCI turbine steam line is isolated. The high-steam-flow trip setting was selected high enough to avoid spurious isolation, yet low enough to provide timely detection of an HPCI turbine steam line break. An electrical time
-delay circuit prevents spurious isolations on the turbine startup transient.
7.3-38 REV 20 05/16 FERMI 2 UFSAR The logic arrangement used for this function is shown in Figure 7.3-2, and is an exception to the usual logic requirement since high steam flow is the second method of detecting an HPCI turbine steam line break.
7.3.2.2.7.12 High-Pressure Coolant Injection Turbine Steam Line Low Pressure The HPCI turbine steam line low pressure is used to automatically close the two isolation valves in the HPCI turbine steam line so that steam and radioactive gases do not escape from the HPCI turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that at which the HPCI turbine can operate.
7.3.2.2.7.13 Reactor Building Ventilation Exhaust High Radiation High radiation prior to the reactor building ventilation exhaust fans could indicate a breach of the nuclear system process barrier inside the primary containment, which would result in increased airborne radioactivity levels in the primary containment exhaust to the secondary containment. The automatic closure of certain Class B valves acts to close off release routes
for radioactive material from the primary containment into the secondary containment (reactor building). Reactor building ventilation exhaust high radiation initiates isolation of the following pipelines:
- a. Drywell air and nitrogen inlet b. Suppression chamber exhaust
- c. Suppression chamber air and nitrogen inlet d. Drywell exhaust
- e. Drywell pressure control
- f. Suppression chamber pressure control
- g. Purge to standby gas treatment h. Reactor building supply and exhaust (vent)
- i. Control center normal air intake and exhaust. The high-radiation trip setting selected is far enough above background radiation levels to avoid spurious isolation, yet low enough to provide timely detection of nuclear system process barrier leaks inside the primary containment. Because the primary containment high pressure isolation function and the RPV low-water-level isolation function are adequate in effecting appropriate isolation of the above pipelines for gross breaks, the reactor building ventilation exhaust high-radiation isolation function is provided as a third redundant method of detecting breaks in the nuclear system process barrier significant enough to require automatic isolation.
7.3-39 REV 20 05/16 FERMI 2 UFSAR 7.3.2.2.8 Instrumentation Sensors providing inputs to the CRVICS are not used for the automatic control of the process system. Thus, the functional controls of the protection and process systems are separated.
Trip channels are physically and electrically separated to reduce the probability that a single physical event could prevent isolation. Trip channels for one monitored variable that are grouped near each other provide inputs to different isolation trip systems. The sensors are used functionally in the isolation control system, as illustrated in Figures 7.3-2, 7.3-9, 7.3-12, 7.3-13, and 7.4-1. Table 7.3-9 lists instrument characteristics. The sensors are described in the following paragraphs:
- a. Reactor vessel low
-water-level signals are initiated from eight level transmitters (differential pressure transmitters) that sense the difference between the pressure due to the constant reference column of water and the pressure due to the actual water level in the vessel.
A backfill system is installed on each level instrument reference leg. The system provides a metered flow of water from the control rod drive system to each leg. The flow is low enough to not affect the performance of the instrumentation. The backfill is designed to prevent the accumulation of dissolved noncondensable gases in the reference legs. Four narrow-range transmitters provide an input to individual trip units that provide an isolation signal when the reactor water level drops to the first (highest) water level (L3) trip settings. Each of the four wide
-range transmitters provides signals to two trip units. One trip unit provides the isolation signal for the second low water level (L2) trip setting. The other trip unit provides the isolation signal for the third and lowest (L1) trip setting Logic channel trips are arranged in one-out-of-two-twice logic. Channels A or C and B or D are required to initiate isolation for both inboard and outboard MSIVs. Two of the four transmitters for each trip level are connected to one pair of taps (A and B). The other two transmitters (C and D) are connected to taps that are 180 o around the RPV from the first pair. This physical separation ensures that no single physical event can prevent isolation if it were required.
Cables from the transmitters are routed to the trip units in the auxiliary building b. Main steam line radiation is monitored by four radiation monitors, which are described in Subsection 11.4.3.8.2.3
- c. High temperature in the vicinity of the main steam lines is detected by 16 resistance temperature detectors (RTDs) located along the main steam lines between the drywell wall and the reactor building steam tunnel pressure relief doors. Eight additional RTDs sense high temperature in the turbine building steam tunnel. The detectors are located or shielded so that they are sensitive to air temperature and not to the radiated heat from hot equipment. The main steam line space temperature detection system is designed to detect leaks of from 1 percent to 10 percent of rated steam flow 7.3-40 REV 20 05/16 FERMI 2 UFSAR
- d. High flow in each main steam line is sensed by four differential pressure transmitters that sense the pressure difference across the flow restrictor in that line. The logic is arranged as two trip systems with two trip logics in each system. Any two trip logics can trip the isolation valve. Each trip logic receives an input from a high
-steam-flow trip channel for each steam line
- e. Main steam line low pressure is sensed by four pressure transmitters that sense pressure downstream of the outboard MSIVs. The sensing point is located at the header that connects the four steam lines upstream of the turbine stop valves. The logic is arranged as two trip systems with two trip logics per system. Any two trip logics associated with each trip system can trip the isolation valves
- f. Primary containment pressure is monitored by four pressure transmitters that are mounted on instrument racks outside the drywell. Pipes that terminate in the reactor building connect the transmitters to the drywell interior. Cables are routed from the transmitter to the main control room. The transmitters are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event prevents isolation due to primary containment high pressure
- g. High temperature in the vicinity of the RCIC turbine is sensed by two ambient and two differential temperature measurements. Only the ambient temperature sensors can initiate RCIC isolation
- h. High flow in the RCIC turbine steam line is sensed by two differential pressure transmitters, which monitor the differential pressure across a mechanical flow element installed in the RCIC turbine steam supply pipeline. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This is an exception to the usual sensor requirement
- i. Low pressure in the RCIC turbine steam line is sensed by four pressure transmitters from the RCIC turbine steam line upstream of the isolation valves.
The transmitters are arranged as two trip systems, either of which must trip to initiate isolation of the RCIC turbine steam line. Each trip system receives inputs from two pressure transmitters, both of which must trip to trip the system
- j. High temperature in the vicinity of the HPCI turbine is sensed by two ambient and two differential temperature measurements. Only the ambient temperature sensors can initiate isolation
- k. High flow in the HPCI turbine steam line is sensed by two differential pressure transmitters which monitor the differential pressure across a mechanical flow element installed in the HPCI turbine steam line. The tripping of either transmitter initiates isolation of the HPCI turbine steam line
- l. Low pressure in the HPCI turbine steam line is sensed by four pressure transmitters from the HPCI turbine steam line upstream of the isolation valves. The transmitters are arranged as two trip systems, either of which can initiate isolation of the HPCI turbine steam line. Each trip system receives inputs from two pressure transmitters, both of which must trip to trip the trip system 7.3-41 REV 20 05/16 FERMI 2 UFSAR
- m. Reactor building ventilation exhaust radiation is monitored by two independent redundant monitors. Each monitoring trip channel provides the isolation function as described in Subsections 7.3.2.2.7.13 and 11.4.3.8.2.4. The primary containment high pressure isolation function and the RPV low water level isolation function are adequate in effecting the isolation of the pipelines that could release radioactivity due to breach of the nuclear system process barrier inside the primary containment. The reactor building ventilation exhaust radiation is provided as a third redundant method of detecting breaks in the nuclear system process barrier (significant enough to require automatic isolation).
In addition to the above, the fuel pool ventilation exhaust radiation monitoring system is provided to detect a high radiation level in the ductwork that could be due to fission gases from a refueling accident. Four fuel pool ventilation exhaust detectors in a redundant "one out of two" logic provide the isolation function as described in Subsection 11.4.3.8.2.11. n. High temperature in the spaces occupied by the reactor shutdown cooling system piping outside the primary containment is sensed by temperature switches that activate alarms only, indicating possible pipe breaks. Automatic isolation on high temperature is not required since the RPV low-water-level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event that either of these two systems suffers a breach. Sensor trip channel and trip logic relays are high reliability relays equal to type-HFA relays made by GE. Table 7.3-10 lists the minimum numbers of trip channels needed to ensure that the isolation control system retains its functional capabilities.
7.3.2.2.9 Environmental Capabilities Special consideration has been given to isolation requirements during a LOCA inside the drywell. Components of the CRVICS that are located inside the primary containment and that must operate during a LOCA are the cables, control mechanism, and valve operators or isolation valves inside the drywell. These isolation components are required to be functional in a LOCA environment.
Electrical cables for isolation valves in the same lines are routed separately. Motor
-operators for valves inside the primary containment are of the totally enclosed type; those outside the primary containment have weatherproof type enclosures. Solenoid valves, whether used for direct valve isolation or as an air or gas pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for design-basis accident (DBA) conditions. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used whenever necessary to eliminate interference from magnetic fields. Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under LOCA conditions or 7.3-42 REV 20 05/16 FERMI 2 UFSAR after submission of evidence from the manufacturer describing the results of suitable prior tests. Verification that the isolation equipment has been designed, built, and installed in conformance to the specified criteria is accomplished through the following series of tests in the vendor's shop or after installation at the plant before startup, during startup, and thereafter, where appropriate, during the service life of the equipment:
- a. Material qualification tests
- b. Weld qualification tests
- c. Metallurgical tests
- d. Hydrostatic tests
- e. Leakage tests
- f. Closing time tests
- g. Preoperational tests
- h. Startup tests
- i. Periodic tests
- j. Verification of type of materials used for insulation
- k. Environmental testing of electrical equipment under simulated accident conditions. Control is also exercised through review of equipment design during bid review and by approval of vendor's drawings during the fabrication stage. Purchase specifications require extensive control of materials and of the fabrication procedure.
7.3.2.3 Analysis The CRVICS is described in Subsection 7.3.2.2. The safety design bases and specific regulatory requirements of this system are stated in Subsection 7.3.2.1. This analysis shows compliance with these requirements.
7.3.2.3.1 Safety Evaluation Analysis The CRVICS, in conjunction with other safety systems, is designed to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barriers. It is the objective of Chapter 15 to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear system process barrier. The consequences of such gross failures are described and evaluated in that section.
Design procedure has been to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconvenience are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within 7.3-43 REV 20 05/16 FERMI 2 UFSAR acceptable bounds. Trip-setting selection is based on operating experience and constrained by the safety design and the safety analyses.
Chapter 15 shows that the actions initiated by the CRVICS, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the guide values of published regulations. Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the CRVICS meets the precision and timeliness requirements of safety design basis Item a.
The CRVICS meets the precision and timeliness requirements of safety design basis Item a.
using instruments with the characteristics described in Table 7.3-9. Therefore, it is concluded that safety design basis Item b. is met. Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the CRVICS. The large number of temperature sensors and their dispersed arrangement near the steam lines requiring this type of break protection provide assurance that a significant break will be detected rapidly and accurately. The number of sensors provided for steam line break detection satisfies safety design basis Item c.
Because the CRVICS meets the timeliness and precision requirements of safety design basis Item a. by monitoring variables that are true, direct measures of operational conditions, it is concluded that safety design basis Item d. is satisfied. Subsection 15.6.4 evaluates a gross breach in a main steam line outside the primary containment during operation at rated power. The evaluation shows that the main steam lines are automatically isolated in time to prevent both a release of radioactive material in excess of the guideline values of published regulations, and to prevent the loss of coolant from being
great enough to allow uncovering of the core. The time required for automatic closure of the MSIVs meets the requirements of safety design basis Item e. The shortest closure time of which the MSIVs are capable is 3 sec. The transient resulting from a simultaneous closure of all MSIVs in 3 sec during reactor operation at rated power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of 1 sec) coincident with failure of the turbine bypass system. This conclusion is substantiated in Subsection 15.2.3. This meets safety design basis Item f. The safety design bases Items g., h., and i. must be fulfilled for the CRVICS to meet the design reliability requirements of safety design basis Item a. It has already been shown that safety design bases Items g.5. and g.7. have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply arrangement, and environmental capabilities.
These subjects are discussed in the following paragraphs. Because essential variables are monitored by four trip channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from initiating valve closure. An analysis of the isolation control system shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, ground, and open circuits. A single trip system trip is the result of these failures. Isolation is initiated on a trip of the 7.3-44 REV 20 05/16 FERMI 2 UFSAR remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a pipeline. With respect to the release of radioactive material from the nuclear system process barrier, such inadvertent valve closures are in the safe direction and do not pose any safety problems. This meets safety design basis Item g.1. The redundancy of trip channels for all essential variables provides a high probability that whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all trip channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets safety design basis Item g.2.
The sensors, circuitry, and logic channels used in the CRVICS are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the isolation control system. This meets safety design basis Item g.3.
The various power supplies used for the isolation control system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of power failures. If ac power for valves inside the primary containment is lost, dc power is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement is resistant to both ac and dc power failures. Because both solenoid-operated pilot valves must be deenergized, loss of a single power supply neither causes inadvertent isolation nor prevents isolation if required. The logic circuitry for each channel is powered from the separate sources available from the RPS buses. A loss of power here results in a single trip system trip. In no case does a loss of a single power supply prevent isolation. This meets safety design basis Item g.4. The isolation control system can operate under the most unfavorable environmental condition associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in Subsection 7.2.1.1.3.1 is equally applicable to the RPV low-water-level transmitters used in the CRVICS. The temperature, pressure, differential pressure, and level transmitters, cables, and valve-closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate. The special considerations made for the environmental conditions resulting from a LOCA inside the drywell are adequate to ensure operability of essential isolation components located inside the drywell.
The wall of the primary containment effectively separates adverse environmental conditions that might otherwise affect both isolation valves in a line. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given line. The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part.
Electrical transients have no significant effect on the functioning of the isolation control system. Therefore, it is concluded that safety design basis Item g.6. is satisfied. The design of the MSIVs meets the requirement of safety design basis Item h.1. in that the motive force for closing each MSIV is derived from both a source of pneumatic or gas pressure, and the energy is stored in a spring. Either energy source is capable of 7.3-45 REV 20 05/16 FERMI 2 UFSAR independently closing the valve. None of the valves rely on continuity of any sort of electrical power to achieve closure in response to essential safety signals. Total loss of the power used to control the valves would result in closure. This meets safety design basis Item
h.2. Calibration and test controls for pressure and level transmitters are located on the transmitters themselves. These transmitters are located in the turbine building and reactor building. To gain access to the setting controls on each transmitter, a cover plate, access plug, or sealing device must be removed by operations personnel before any adjustment in trip settings can be effected. The location of calibration and test controls in areas under the control of supervision or of the main control room operator reduces the probability that operational reliability will be degraded by operator error. This meets safety design basis Item i.1.
Because no manual bypasses are provided in the isolation control system, safety design basis Item 1.2. is met. Because safety design bases Items g., h., and i. have been met, it can be concluded that the CRVICS satisfies the reliability requirement of item safety design basis a. That the system satisfied safety design bases Items j., k.1., and k.2. was shown in the description of the system. The following subsection, covering inspection and testing of the system, demonstrates that safety design basis Item 1. is satisfied.
7.3.2.3.2 Inspection and Testing All parts of the primary containment isolation control system are testable during reactor operation. Isolation valves can be tested to ensure that they are capable of closing by operating manual switches in the main control room and observing the position lights and any associated process effects. Testable check valves are arranged to verify that the valve disk is free to open and close. The trip channel and trip system responses can be functionally tested by applying test signals to each trip channel and observing the trip system response. Functional testing and calibration schedules developed using available failure rate data, reliability analyses, and operating experience are presented in the Technical Specifications.
The schedules represent an optimization of CRVICS reliability by considering, on one hand, the failure probabilities of individual components, and, on the other hand, the reliability effects during individual component testing on the portions of the system not undergoing tests. The isolation actuation system instrumentation response times are shown in Technical Requirements Manual Volume I Table 3.3.6.1-1, which is referenced in UFSAR Table 7.3-
- 12. Response time testing is required by the Technical Specifications. Technical Specification Table 3.3.2-3 was deleted from the Technical Specifications and added to the UFSAR as Table 7.3-12 (TRM Table 3.3.6.1-1) in agreement with NRC Generic Letter 93
-08 and Amendment Number 100 to the Technical Specifications. The response times information of UFSAR Table 7.3-12 was then relocated to the Technical Requirements Manual Volume I. The response time testing for the trip functions associated with the diesel start and sequencing of loads is eliminated in agreement with NRC Generic Letter 93-05 and Amendment Number 99 to the Technical Specifications.
7.3-46 REV 20 05/16 FERMI 2 UFSAR The periodic sensors response time testing for the reactor vessel low water level-level 1 and the main steam line flow-high has been eliminated. The BWROG Report NEDO-32291A provides the required analyses as briefly described in 7.2.1.1.3.8.1.
7.3.2.3.3 Specific Regulatory Requirements Conformance 7.3.2.3.3.1 IEEE 279-1971 Conformance to IEEE 279-1971 is demonstrated in Topical Report NEDO-10139, Paragraph 4.2. The 21 subparagraphs of 4.2 cover the 21 subparagraphs of IEEE 279-1968. The following discussion is addressed to IEEE 279-1971, subparagraphs 4.7, 4.17, and 4.22, which are different from those in IEEE 279-1968:
- a. Paragraph 4.7.1: Classification of Equipment - There is no control function in the system. It is strictly a protection system
- b. Paragraph 4.7.2: Isolation Devices - Since there is no control function, no isolation devices are required
- c. Paragraph 4.7.3: Single Random Failure - No single random failure of a control system can prevent proper action of the isolation system channel designed to protect against the condition d. Paragraph 4.7.4 - Analysis of 4.7.3 applies directly
- e. Paragraph 4.17: Manual Initiation - Manual initiation controls are provided and separated in such a manner as to prevent a single failure from inhibiting an isolation. The separation of devices is maintained in both the manual and automatic portions of the system so that no single failure in either the manual or automatic portions can prevent an isolation by either manual or automatic means. There are no areas of the system that are common to manual and automatic functions
- f. Paragraph 4.2: Identification - Panels and racks that house isolation system equipment are identified with a distinctive color marker plate listing the system name and the designation of the particular redundant portion of the system.
Instrument cables are identified in accordance with IEEE 279
-1971. 7.3.2.3.3.2 Industry Standard IEEE 323-1971 Compliance with this standard is discussed in Section 3.11 and NEDO-10698.
7.3.2.3.3.3 IEEE 338-1971 The system is testable during reactor operation. The tests that may be performed will cover the sensors through the final actuators, demonstrate independence of channels, and bare any credible failures while not negating any isolation.
7.3.2.3.3.4 Industry Standard IEEE 344-1971 Compliance with this standard is discussed in Section 3.10 and NEDO-10678.
7.3-47 REV 20 05/16 FERMI 2 UFSAR 7.3.2.3.3.5 Regulatory Guide 1.22 Regulatory Guide 1.22 requires periodic testing of protection system actuation functions. The MSIVs and associated logic and sensor devices may be tested from the sensor device to one of the two solenoids required for valve closure. The valve may be exercised closed with either a slow-acting test solenoid or the normal closing solenoid to verify that there are no obstructions to the valve stem at full power. A reduction in power is necessary before performing a valve closure. All the isolation valves, other than the MSIVs, may be tested from sensor to actuator during plant operation. The test may cause isolation of the process lines involved, but their isolation is tolerable.
7.3.2.3.3.6 10 CFR 50, Appendix A General Design Criterion 13 The integrity of the reactor core and the reactor coolant pressure boundary (RCPB) is ensured by monitoring the appropriate plant variables and closing various isolation valves, as detailed in the various description sections.
7.3.2.3.3.7 10 CFR 50, Appendix B The guidelines of 10 CFR 50, Appendix B, are met as described in Chapter 17.
7.3.3 Emergency Core Cooling System Auxiliary Systems Instrumentation and Control 7.3.3.1 Design-Basis Information The design-basis information for the instrumentation and control of the reactor building closed cooling water (RBCCW) system, as required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.28.
7.3.3.2 System Description 7.3.3.2.1 Cooling System for Reactor Auxiliaries The RBCCW system and its backup, the emergency equipment cooling water (EECW) system, provide cooling water for the ECCS auxiliary equipment and area air coolers, as described in Subsection 9.2.2. A discussion of the EECW system is contained in Subsection 7.3.4. A description of the RBCCW system, including instrumentation and control, is presented in Subsection 7.6.1.14.
7.3.3.2.2 Control Circuits The RBCCW system operates and supplies services during normal operation of the plant. It continues to operate during an accident unless interrupted by some abnormal condition. The system is shut down by the head tank low-level signal using "one-out-of-two taken twice" logic. Each individual RBCCW pump (outside of the RBCCW supplemental cooling loops) shuts down on low pump suction, also using "one-out-of-two taken twice" logic.
7.3-48 REV 20 05/16 FERMI 2 UFSAR In the event that the RBCCW system cannot maintain adequate flow to the EECW loops, the EECW system is automatically started by low differential pressure between the supply and return headers. Logic is "one-out-of-two." A loss of offsite power directly initiates the EECW system to anticipate the loss of power to the RBCCW system. The EECW system is also auto-initiated on high drywell pressure.
7.3.3.3 Analysis Description of the analysis of the EECW system is found in Subsection 7.3.4.3.
7.3.4 Emergency Equipment Cooling Water System 7.3.4.1 Design-Basis Information The design-basis information for the instrumentation and control of the EECW system, as required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.18.
7.3.4.2 System Description The EECW system ensures cooling water to remove heat from emergency equipment on loss of offsite power, on high drywell pressure, or failure of the RBCCW system. Since this system is described in Subsection 9.2.2, the following discussion provides additional information on the EECW instrumentation and control. The EECW system is shown in Figures 9.2-3 and 9.2-4.
7.3.4.2.1 Power Sources Instruments and controls for the EECW system receive electrical power from the redundant 120-V, 60-Hz instrument power systems described in Subsection 8.3.1 and from Division I and Division II 130 V dc Class IE batteries as described in Subsection 8.3.2.1.2. Those instruments and controls requiring pneumatic power receive plant instrument air as described in Subsection 9.3.1.
7.3.4.2.2 Equipment Design Each of the two redundant and separate EECW loops has electrically and physically separate controls and instruments.
7.3.4.2.3 Initiation and Control Circuits The EECW system can be started manually from the main control room. Low RBCCW flow to the EECW loops causes loss of EECW header differential pressure, which automatically isolates the RBCCW and starts the EECW loops. If EECW has already been initiated for the purposes of RBCCW heat exchanger cleaning, enhanced drywell cooling, testing, or RHR reservoir freeze protection, the location of the differential pressure sensors inside the EECW system envelope will not sense a RBCCW low flow condition and, therefore, will not cause EECW to automatically reinitiate and reisolate the nonessential loads. This action is not required since this is not a condition requiring protective action as described in Section 7.1.2.1. The EECW system is also automatically initiated by a loss of offsite power or on 7.3-49 REV 20 05/16 FERMI 2 UFSAR high drywell pressure. Automatic start of EECW makeup pump is achieved if makeup tank has low pressure or level and makeup tank isolation valve is open, and normal pump suction pressure. 7.3.4.2.4 Logic The EECW system logic is shown in Figure 7.3-15. These logic schemes are identical for each of the two redundant EECW loops. Level switches are used to alarm when there is insufficient water inventory. If offsite power is available, the EECW pumps start nominally 1.5 seconds after receipt of the initiation signal. If offsite power is unavailable, the EECW pumps are sequenced on the EDG buses by the automatic load sequencer. See Table 8.3-5.
7.3.4.2.5 Testability Control and logic circuitry can be tested by placing that loop in operation from the main control room. If an auto-initiate signal is received during a test, the manual signal is automatically overridden by the auto-initiate signal, and both loops will be placed into operation as required.
7.3.4.3 Analysis 7.3.4.3.1 Conformance To Specific Regulatory Requirements The specific requirements of IEEE 279-1971, to which attention has been directed in the design of the EECW system, are itemized below by paragraph number as they appear in IEEE 279-1971. a. Paragraph 4.1: Automatic Initiation - This requirement is met by incorporating capability in the design for automatic startup of the EECW system on loss of offsite power, on high drywell pressure, or on occurrence of low pressure across the supply and return headers of either cooling loop b. Paragraph 4.2: Single Failure - The single
-failure criterion is met by having an independently controlled EECW loop for each of the two RBCCW divisions
- c. Paragraph 4.3: Quality Assurance - This requirement is met as described in Chapter 17 d. Paragraph 4.4: Equipment Qualification - This requirement is met as described in Chapter 3
- e. Paragraph 4.5: Channel Integrity - This requirement is met by supplying electrical power to the EECW system from buses backed up by diesel generators. The routings of power, signal, and control circuits take separate paths. The EECW system is designed to withstand seismic accelerations
- f. Paragraph 4.6: Channel Independence - This requirement is met by the independent instrumentation and controls provided in the EECW system and separate power feeds that are used 7.3-50 REV 20 05/16 FERMI 2 UFSAR
- g. Paragraph 4.7: Control Interaction - The requirement of this criterion is met by the complete independence of controls of the two divisions of the EECW system h. Paragraph 4.8: Direct Inputs - This requirement is met by the provision of separate and independent instrumentation to supply signal inputs for control of the two loops of the EECW system
- i. Paragraph 4.9: Sensor Checks - This requirement is met by introducing a test signal (in one channel at a time) sufficient to verify that a logic trip is achievable when the parameter deviates beyond the setpoint. Correct response of each sensor is verified by observing that its output indicates a deviation of the parameter beyond the setpoint value
- j. Paragraph 4.10: Testability - This requirement is satisfied by the automatic override of a manual control command if an emergency condition arises during testing k. Paragraph 4.11: Channel Bypass - This requirement is met by the cooling adequacy of one loop, allowing one loop to be tested during operation without loss of protection
- l. Paragraph 4.12: Operation of Bypasses - This requirement is met by the automatic override of manual control, which is provided to automatically initiate operation of the system if an emergency arises during a test
- m. Paragraph 4.13: Bypass Indication - This requirement is met by the display provisions in the main control room, which indicate the operational or nonoperational state of the EECW system n. Paragraph 4.14: Bypass Access - This requirement is met by the administrative control that is imposed on use of the operational controls of the EECW system o. Paragraph 4.15: Multiple Setpoints - This requirement is not applicable to the EECW system
- p. Paragraph 4.16: Action Completion - This requirement is satisfied by the functional characteristics of the automatic controls of the EECW system
- q. Paragraph 4.17: Manual Access - This requirement is satisfied by the manual control provisions incorporated in the EECW system controls
- r. Paragraph 4.18: Setpoint Access - This requirement is satisfied by the administrative control that is imposed on use of the setpoint adjustments
- s. Paragraph 4.19: Identification - This requirement is satisfied by the indicating lamps and sequential recorders that the design incorporates to indicate the state of the EECW system and its valves and pumps
- t. Paragraph 4.20: Information Readout - This requirement is satisfied by the readout instruments provided to display temperature, pressure, and flow parameters in the EECW system 7.3-51 REV 20 05/16 FERMI 2 UFSAR A sequential recorder is provided to register initiation of water pump operation and tripout of the pump motor circuit breaker
- u. Paragraph 4.21: System Repair - This requirement is met by the readily identifiable modular design of the instrumentation and control components v. Paragraph 4.22: Identification - This requirement is met by using appropriate tags and color schemes to enable easy identification of circuits and components that are part of the EECW safeguard system The following additional IEEE criteria are met by the provisions outlined in the sections or chapters of this UFSAR that are indicated:
- a. IEEE 323-( ): Section 3.11 (IEEE 323-1971 for equipment purchased before November 15, 1974; IEEE 323-l974 for equipment purchased on or after November 15, 1974) b. IEEE 336-1971: Chapter 17
- c. IEEE 338-1971: Subsection 7.3.1.3.4 d. IEEE 344-1971: Section 3.10. The requirements of Regulatory Guide 1.22 are met on the basis of the manual test and control provisions that the EECW system design incorporates. Evaluation of the EECW system against criteria of 10 CFR 50, Appendix A and Appendix B, is as follows:
- a. Criterion 13 - This criterion is met by using qualified differential pressure sensors and operating them in a "one-out-of-two" logic arrangement
- b. Criterion 20 - This criterion is met by providing the automatic mode of startup as stated in Subsection 7.1.2.1.18
- c. Criterion 21 - The EECW system provides assurance that, through its standby redundancy, each loop has sufficient reliability to fulfill the single-failure criterion. No single component failure, maintenance operation, calibration operation, or test to verify operational availability impairs the ability of the system to perform its intended safety function. There is sufficient electrical and physical separation between channels and between trip logic circuits monitoring the same variable to prevent environmental factors, electrical transients, and physical events from impairing the ability to respond correctly The EECW system includes design features that permit inservice testing. This enhances the functional reliability of the system by enabling early detection of malfunctioning components in the course of routine tests d. Criterion 22 - Physical separation, separate power feeds, and separate controls are provided for the two cooling loops. This ensures that the EECW system of each loop, providing necessary cooling capacity, is available for the required safety function. Details of separation criteria and independence are contained in Section 3.12 and Subsection 9.2.2 7.3-52 REV 20 05/16 FERMI 2 UFSAR
- e. Criterion 23 - Since the two loops are independent, failure of one loop will not affect operation of the other
- f. Criterion 24 - Since no signals required for control of the reactor are used for control of the EECW system, this criterion is satisfied
- g. Criterion 29 - High functional reliability of the EECW system is achieved through the combination of sensor redundancy, control logic arrangement, functional and physical separation of loops, operating power independence, fail-safe design, and inservice testability. These requirements are discussed in detail in Criteria 21 through 24. An extremely high probability of correct system response to anticipated operational occurrences is maintained by a thorough program of inservice testing and surveillance. Active components can be tested or removed from service for maintenance during reactor operation without compromising protective control functions, even in the event of a subsequent single failure.
Components important to safety are tested during normal reactor operation.
Functional testing and calibration schedules are developed using available failure rate data, reliability analyses, and operating experience. These schedules represent an optimization of system reliability by considering the failure probabilities of individual components, and also the reliability effects during individual component testing on the portion of the system not undergoing test. The capability for inservice testing ensures the high functional reliability of the system should a monitored parameter exceed the corrective action setpoint. The guidelines of 10 CFR 50, Appendix B, are met as described in Chapter 17.
7.3.5 Control Center Atmospheric Control System Instrumentation and Control 7.3.5.1 Design-Basis Information The design-basis information for the instrumentation and control of the control center atmospheric control system, as required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.
7.3.5.2 System Description The instrumentation and control for the control center HVAC system functions to ensure the habitability of the control center under all plant operating conditions is described in Section 6.4 and Subsections 9.4.1 and 12.2.2.1.
7.3.5.2.1 Power Sources Each redundant control center HVAC system is comprised of a supply air fan, return air fan, electric heating coil, and a refrigeration unit. Power supply for these components of each control center HVAC system is from separate essential ac buses that can receive standby ac power. Control power for isolation dampers, instrumentation, and controls comes from the bus that powers the corresponding equipment train.
7.3-53 REV 20 05/16 FERMI 2 UFSAR 7.3.5.2.2 Initiating Circuits, Logic, and Sequencing Various components of each redundant control center HVAC system are initiated as follows:
- a. The supply and return air fans are initiated manually by control switches at the main control board b. The refrigeration unit is provided with a manual/ automatic selector switch on the main control board. While in automatic mode, the refrigeration unit is initiated by the demand signal from the thermostat in the chilled water piping
- c. A subsystem of the process radiation monitoring system (PRMS) monitors radiation levels in the main control room air intake. High radiation indication by detectors in the main control room air intake duct downstream of the filter train activates an alarm within the control center. High
-high level automatically places the control center HVAC system in full recirculation mode
- d. If combustion products are detected in the control center by the smoke (ionization) detectors, one of the following manual actions is initiated via hand switches in the main control room at the discretion of the operator: 1. The outside air intake and exhaust air damper can be fully opened and the recirculation air damper fully closed to purge the control center air (smoke purge mode) 2. Route outside air and recirculation air mixture (approximately 7 percent of the total mixture) from the control center HVAC system through normally bypassed odor and smoke-removing filters.
- e. If the control center HVAC system is operating in the normal mode and one of the automatic gaseous suppression systems is initiated automatically by the fire detection system, the smoke purge mode is automatically initiated. However, the smoke purge mode is overridden if the recirculation mode is signaled to start. f. If an automatic isolation occurs due to detection of a potential breach of the primary reactor pressure boundary, as indicated by low reactor water level, high drywell pressure, high radiation level as monitored by the fuel pool ventilation exhaust, or the reactor building ventilation exhaust, the emergency makeup outside air is automatically provided to pressurize the main control room.
7.3.5.2.3 Bypasses and Interlocks All of the isolation dampers in each control center HVAC system equipment are interlocked with the operation of corresponding supply air and return air fans. Operation of any of these fans opens all the corresponding isolation dampers. The supply-air and return
-air fans are operated manually by hand switches.
To prevent short-cycling and a possible freeze-up of the evaporator, the refrigeration machine start is interlocked with the operation of the supply-air fan and corresponding return-air fans, condenser cooling water, and chilled water pump. The operation of the 7.3-54 REV 20 05/16 FERMI 2 UFSAR refrigeration machine is further interlocked with safety protection cutout; i.e., low-pressure and high-pressure cutout in refrigerant circuit, and oil failure switch in the compressor lubrication circuit. To guard against overheating, the electric heating coil is interlocked with supply-air fan operation and a thermal cutout switch. Low temperature of the chilled
-water line is alarmed.
Zone mixing dampers are controlled by thermostats in each zone. The operation of the refrigeration machine is controlled by a thermostat in the chilled
-water return pipe. The electric heating coil is controlled by a thermostat in the hot deck of the air handling unit.
All of the isolation dampers in the outside air intakes and the emergency-makeup-air filter train are appropriately interlocked to serve the required function. The electric heating coil for humidity control in the emergency-makeup-air filter train is interlocked with the emergency-makeup-air fans. 7.3.5.2.4 Redundancy and Diversity Instrumentation and control equipment for each control center HVAC system is completely independent of one another.
7.3.5.2.5 Actuated Devices The normal and emergency operation of each control center HVAC system involves the following actuated devices:
- a. Supply-air fan b. Return-air fan c. Electric heating coil
- d. Refrigeration unit
- e. Emergency-makeup-air electric heating coil
- f. Emergency-makeup-air fan g. Corresponding isolation and control dampers h. Chilled water pump.
7.3.5.2.6 Separation The channels and logic circuits are physically and electrically separated to preclude the possibility that a single event would prevent operation of the control center HVAC system.
Electrical cables for instrumentation and control on each control center HVAC system are routed separately.
7.3.5.2.7 Testability Control and logic circuitry used in the controls for the control center HVAC system can be individually checked by applying test or calibration signals to the sensors and observing trip or control responses. Operation of each redundant HVAC system is periodically rotated to permit on-line checking and testing of performance of the complete system.
The automatic 7.3-55 REV 20 05/16 FERMI 2 UFSAR control circuitry for the emergency equipment is designed to restore its normal function in response to initiation signals.
7.3.5.2.8 Environmental Considerations Temperature, pressure, humidity, and radiation dosage are considered in selection of various equipment, instrumentation, and controls for the control center HVAC system. These are described in Section 3.ll and Subsection 9.4.l.
7.3.5.2.9 Operational Considerations The control center HVAC system is required during normal and abnormal plant operating conditions. The automatic circuitry is designed to start the emergency equipment if the signal for its initiation is received, as described in this section.
7.3.5.3 Analysis Conformance To General Functional Requirements The control center HVAC system instrumentation and controls are designed to ensure the habitability of the main control room during and after all the normal and abnormal plant operating conditions. Certain components of the system are required during normal and abnormal plant operating conditions only. The controls for the system provide warning to the operator of any abnormal operating transients in the system, and automatically initiate action that provides protection against the consequences of the release of radioactive material to outdoor environs following any accident. Chapter 15 identifies and evaluates postulated events that can result in release of fission products due to an accident. The consequences of such an accident are described and evaluated.
Because essential variables are monitored by channels arranged for physical and electrical independence, no single failure, maintenance operation, calibration operation, or test can prevent the system from performing its function. A single active failure in the Halon fire protection system will cause closure of smoke/Halon dampers to the relay room, cable spreading room or computer room. Manual actions are required to reopen these dampers to reestablish airflow.
The sensor circuitry and logic used in the control center HVAC system are not used in the control of any process system. Thus, malfunction and failures in the controls of the process systems have no direct effect on the control center HVAC system.
The power supplies used for the system logic circuitry and controls provide assurance that the required performance cannot be affected by a loss of offsite electric power or loss of instrument air. In no case does the loss of a single power supply prevent function of the control center HVAC system.
Portions of the system required to operate during and following the design basis accident to provide acceptable environments within the control center have been qualified both environmentally and seismically.
7.3-56 REV 20 05/16 FERMI 2 UFSAR Inputs to annunciators and indicators are arranged so that no malfunction of the annunciating and indicating device can functionally disable the system. Direct signals from the control center HVAC system control system sensors are not used as inputs to annunciating or data-logging equipment. All controls for interrupting any part of the system operation are located in the main control room. All controls and instrumentation essential to the operation of the control center HVAC system meet the IEEE 279-1971 criteria.
7.3.6 Standby Gas Treatment System Instrumentation and Control 7.3.6.1 Design-Basis Information The design basis information for the instrumentation and control of the standby gas treatment system (SGTS), as required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.16.
7.3.6.2 System Description The instrumentation and control of the SGTS are used to maintain, when necessary, a preset constant flow that will maintain the reactor building at a negative pressure and preclude leakage of radioactive particulates and gases directly to the outdoors. The SGTS is designed to reduce radioactive particulates and gaseous concentration in the exhaust air from the reactor building before exhausting to the outdoors. The SGTS is described in detail in Subsection 6.2.3 and is shown schematically in Figure 6.2-20. 7.3.6.2.1 Power Sources Each SGTS exhaust equipment train has an exhaust fan, a standby cooling fan, an electric heating coil, and associated air- operated isolation valves that require power. Power supply for various components of each SGTS equipment train and the instrument air compressor is from separate essential ac buses that can receive standby ac power. Motive power for isolation valves and the controls comes from the bus that powers the corresponding equipment train, except for the isolation valves in the reactor building ventilation system supply and exhaust duct headers. These valves are operated by air cylinders with instrument air being controlled by solenoid valves for each isolation valve. If either control air or electric control power were lost, the isolation valves would be closed by springs mounted on the valves.
7.3.6.2.2 Initiating Circuits The system is automatically started in response to any one of the following signals:
- a. High drywell pressure (Subsection 7.3.2.2.7.6) b. Low reactor water level (Subsection 7.3.2.2.7.1)
- c. High radiation in fuel pool ventilation exhaust (Subsection 11.4.3.8.2.11) 7.3-57 REV 20 05/16 FERMI 2 UFSAR
- d. High radiation in the reactor building ventilation exhaust (Subsection 11.4.3.8.2.4)
- e. Manual activation from the main control room
- f. Downscale trip due to loss of offsite power to radiation monitors located in the Reactor Building and fuel pool ventilation exhaust system.
7.3.6.2.3 Logic and Sequencing The following actions take place simultaneously on receipt of an initiation signal:
- a. Closure trip of reactor building isolation valves b. Trip of reactor building ventilation system
- c. Opening of SGTS isolation valves d. Startup of both SGTS equipment trains and annunciation of an alarm on the main control panel. When both trains are automatically started, the audible and visual alarm on the main control panel warns the operator to shut down one of the trains. Individual hand switches located on the main control panel for each of the equipment trains permit manual operation.
7.3.6.2.4 Bypasses and Interlocks All of the air-operated isolation valves pertinent to a SGTS equipment train are interlocked through a relay circuit with the operation of the SGTS unit. The SGTS cooling fan is interlocked so as not to operate when the SGTS exhaust fan is in operation. To protect against overheating, the electric heating coil for relative humidity control of the charcoal filters is interlocked with the SGTS exhaust fan operation, and high temperature is indicated by an alarm in the main control room. Airflow through the SGTS is controlled automatically with a vortex damper on the exhaust fan valve, and flow is recorded on the main control panel. Low flow initiates an alarm to alert the operator to start the redundant SGTS equipment train. To prevent fire in the charcoal bed, a source of CO 2 will purge air from the charcoal filters if the bed temperature exceeds 310F. A pressure switch in the discharge line of the CO 2 unit will annunciate an alarm on the main control panel after the purge process begins.
On receipt of an initiation signal, the reactor building ventilation isolation valves close and remain closed unless a manual reset switch is activated.
7.3.6.2.5 Redundancy and Diversity Each SGTS unit is automatically initiated by independent control systems.
7.3-58 REV 20 05/16 FERMI 2 UFSAR 7.3.6.2.6 Actuated Device Initiation of the SGTS includes starting of the SGTS exhaust fan, energizing electric heating for preheating air, deenergizing charcoal bed heaters, and opening valves on the inlet and outlet sides of the SGTS equipment train.
7.3.6.2.7 Separation The channels and logic circuits are physically and electrically separated to preclude the possibility that a single event would prevent operation of the SGTS. Electrical cables for instrumentation and control on each SGTS equipment train are routed separately.
7.3.6.2.8 Testability Control and logic circuitry used in the controls for the SGTS can be individually checked by applying test or calibration signals to the sensors and observing trip or control responses.
Operation of the isolation valves and fans from manual switches verifies the ability of breaker and damper mechanisms to operate.
7.3.6.2.9 Environmental Considerations Temperature, pressure, humidity, and radiation dosage are considered in the selection of the various equipment, instrumentation, and controls for the SGTS described in Section 3.11 and Subsection 6.2.3.
7.3.6.2.10 Operational Considerations The SGTS is available, if required, during normal plant operating conditions when any division is being tested. The other division is available for operation should it be needed.
7.3.6.3 Analysis Conformance To General Functional Requirements The SGTS control system is designed to initiate action that provides timely protection against the consequences of the release of radioactive materials inside the secondary containment following any accident. Chapter 15 identifies and evaluates postulated events that can result in release of fission products due to an accident. The consequences of such an accident are described and evaluated.
Because essential variables are monitored by channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate the SGTS, no single failure, maintenance operation, calibration operation, or test can prevent the system from operating when required. The sensor circuitry and logics used in the SGTS control system are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the SGTS control system. The various motive power supplies used for the SGTS logic circuitry and controls provide assurance that the required initiation can be effected in spite of loss of electric power or loss of instrument air. In no case does a loss of single power supply prevent initiation of the 7.3-59 REV 20 05/16 FERMI 2 UFSAR SGTS when required. Required instruments, isolation valve closing mechanisms, and cables of the SGTS can operate under the environmental conditions associated with postaccident operation. Active components of SGTS instrumentation and control can be tested and calibrated during plant operation. All sensors and associated equipment are designed to meet Category I requirements, and are protected from fire, explosion, missiles, lightning, wind, and flood to preclude functional degradation of the system performance.
Inputs to annunciators and indicators are arranged so that no malfunction of the annunciating and indicating device can functionally disable the system. Direct signals from the SGTS control system sensors are not used as inputs to annunciating or data-logging equipment.
Isolation is provided between primary signal and the information output.
7.3.7 Standby Power System 7.3.7.1 Design-Basis Information The design-basis information for the instrumentation and control of the standby power system, as required by Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.
7.3.7.2 System Description Four emergency diesel generators (EDGs) provide the power necessary for the ECCS during a loss of system power. A detailed explanation of this system and its corresponding instrumentation and control can be found in Subsection 8.3.1. A battery system of redundant 130-V dc power-control batteries provides the dc power required during any ECCS function. Full- size battery chargers normally carry the load.
However, the capability of the batteries is enough to handle the load for a sufficient amount of time should power to the chargers be lost. A detailed explanation of the battery system can be found in Subsection 8.3.2.
7.3.7.3 Analysis Conformance To General Functional Requirements The standby power systems are designed to provide electrical power availability to the ECCS and other safety
-related systems at maximum reliability should normal offsite power not be available. Each supply has an independent redundant counterpart, thereby ensuring against single failure (IEEE 279-1971, Paragraph 4.2). The equipment, cabling interconnections, and circuit breakers are all qualified to Class 1E standards and housed in Category I structures. An explanation of the EDGs and their conformance is found in Subsection 8.3.1. An explanation of the battery systems and their conformance is found in Subsection 8.3.2.
7.3.8 Post-LOCA Combustible Gas Control System The NRC amended 10 CFR 50.44, "Standards for combustible gas control system in light-water-cooled power reactors" on October 16, 2003 to eliminate the requirements for 7.3-60 REV 20 05/16 FERMI 2 UFSAR hydrogen recombiners. The hydrogen recombiner Technical Specification requirements were subsequently removed by License Amendment 159, dated March 15, 2004. The wording in this UFSAR section associated with these changes will remain unaltered until after th e hydrogen recombiner system has been abandoned in place or removed from the plant.
7.3.8.1 Design-Basis Information The design bases for the post-LOCA CGCS are described in Subsection 6.2.5, and functional requirements for the instrumentation and control system are given in Subsection 6.2.5 and 7.1.2.1.30. Gas concentrations inside the primary containment are monitored by the Hydrogen/Oxygen analyzer subsystem of the primary containment monitor system. The primary containment monitor system is further described in Subsection 7.6.1.12.
7.3.8.1.1 Redundancy The instrumentation and control for the post-LOCA combustible gas control system (CGCS) conforms to the redundancy requirements of IEEE 279-1971. The post-LOCA CGCS includes two complete and independent sets of recombiner controls and power supplies. In general, the components in each are not further duplicated for additional redundancy, except that more heater capacity is provided than required and all thermocouples are duplicated.
7.3.8.1.2 Separation Separation is such that no single failure can prevent the operation of the CGCS.
Instrumentation and Control equipment is segregated into separate divisions designated Division I and II. The CGCS conforms to the separation requirements of IEEE 279-1971.
7.3.8.1.3 Reliability and Testability Refer to subsection 7.3.1.2.1.7.
7.3.8.2 System Description 7.3.8.2.1 General The purpose of the Fermi 2 post-LOCA CGCS is to control combustible gas concentrations in the containment atmosphere to ensure that the concentration is maintained below stated limits, in conformance with the requirements of Regulatory Guide 1.7. Oxygen is the minority constituent in an inerted containment and is the controlled parameter.
The Control Console contains the instrumentation, annunciators, switches and lights to facilitate remote operation of the recombiner system. The control console contains the following equipment which controls and monitors the operation of the recombiner:
- a. Operate switch
- b. Inlet valve flow controller
- c. Recirc valve flow controller
- c. Reaction chamber temperature controller 7.3-61 REV 20 05/16 FERMI 2 UFSAR
- e. Annunciators and status lights
- f. Motor operated valve control switches. The system is initiated by actuating the operate switch, which starts the Blower, opens the cooling water valve and starts the heaters. Automatic temperature control and temperature limits have been preset and temperature rises to the point where a controlled exothermic chemical recombination of Hydrogen and Oxygen occurs. The power to the heaters is controlled to cycle the heaters to maintain reaction chamber temperature at 1300F. Periodically, as the Hydrogen and Oxygen concentrations decrease, the inlet flow would be manually increased and recirc flow manually decreased, until the recirc valve is fully closed.
The system continues to operate automatically as the Hydrogen and Oxygen gases are depleted, with the heater power gradually increasing to maintain the reaction chamber temperature at its control setpoint. The control room is provided with status lights for:
- a. Trickle heat power off
- b. System in ready mode
- c. System in start up mode
- d. System in operate mode.
7.3.8.2.2 Subsystems 7.3.8.2.2.1 Electrical Heater and Control System The electric heater in each recombiner consists of 36 U-shaped, horizontally mounted elements. Each heater is independently replaceable from its cold end without interfering with the process piping. These heaters radiate their heat to a pipe coil containing the process gas to be heated.
Power to the heater bank is regulated by a 90-kW, 480-V three-phase silicon-controlled rectifier controller. This SCR unit is controlled by one of two solid-state temperature controllers acting through an "auctioneer" circuit. The Temperature controllers are proportional mode controllers with an adjustable control zone. The temperature controllers operate from type K thermocouples, in Inconel sheaths, exposed directly to the process gas.
Control thermocouples are located at the heater outlet and at a location in the reaction chamber where the H 2/O 2 reaction is normally essentially complete. If either of the temperature signals varies from the preselected setpoint, the signal controls the SCR through
the auctioneer circuit and thereby regulates the heater power.
Heater overtemperature protection is provided by a temperature switch and a contactor capable of interrupting power to the SCR controller.
7.3.8.2.2.2 Gas Cooler Unit A direct-contact water-spray gas cooler is provided to cool the gases leaving the reaction chamber from about 1300F to 210F (maximum) prior to return to the pressure suppression chamber. The cooling water is turned on or off by a motorized valve actuated by the main start switch. Indication is provided from the valve-open limit switch.
7.3-62 REV 20 05/16 FERMI 2 UFSAR 7.3.8.2.2.3 Recirculation Flow Control System The recirculation flow control system (RFCS) includes two flow-meters, two motor
-operated valves, and a centrifugal blower. The purpose of these components is to move controlled amounts of process gas through the system, and control the recirculation of controlled amounts of the reacted effluent back to the inlet to act as a diluent. The inlet and bypass valves are positioned remotely to modulate flow based on the use of curves or tables. The flow control valves are 3-in. pipe size and can regulate flow rates between zero and 150 scfm. 7.3.8.2.2.4 Trickle Heat System To ensure that the heated components of the system remain dry over the long periods of standby, a low-power heater is provided to maintain the temperature of these components between 100F and 175F. A controller located in the power cabinet will be used to regulate the temperature, with display provided in the main control room to indicate that the heater is off. 7.3.8.2.3 System Interlocks and Shutdown circuits The system logic and shutdown circuits are shown in Figure 5 of Reference 4. A summary is provided below:
- a. The Blower motor starts when: 1. Both the control room and relay room Off-Ready switches are in "Ready" 2. Blower interface relay is energized
- 3. System permissives are within following limits:
(a) Blower discharge temperature (b) Inlet pressure (c) Reaction chamber shell temperature (d) Return gas temperature (e) Heater wall temperature.
- b. The Main heater contactor closes when:
- 1. Water valve is open
- 2. Blower flow is above preset limit
- 3. System permissives are within following limits:
(a) 2/3 through heater temperature (b) Heater outlet gas temperature.
- c. The Main heater SCR modulates the power output when:
7.3-63 REV 20 05/16 FERMI 2 UFSAR
- 1. Heater contactor is closed
- 2. The Reaction chamber temperature controller provides an output signal. This occurs when reaction chamber temperature is outside of the setpoint control zone (nominal +/-50 F) d. High temperature signals will shutdown the heaters and blowers.
- e. A loss of cooling water causes a rise in gas temperatures which automatically shuts off heater power.
- f. A loss of power to the heater and blower shuts down the system. Further details of system operation and instrumentation and control circuits are contained in Reference 4.
7.3.8.3 Power Supply The two power sources for the system are supplied by 480-V ESF buses. These two buses are supplied from 4l60-V buses, which in an emergency are supplied by onsite EDGs. Each recombiner unit requires l20 kW. The power panel distributes 480 V ac and 120 V ac for power and control.
7.3.8.4 Physical Location and Environmental Conditions The recombiners are located in an area outside containment in the reactor building. The power control center is located in the auxiliary building. The control package is located in the relay room and will be accessible to personnel after the postulated LOCA. The environmental conditions for these areas are discussed in Section 3.11.
7.3.8.5 Analysis The redundant post-LOCA CGCS is provided to ensure that, under conservatively assumed conditions, the concentration of combustible gases in the containment atmosphere does not exceed the volume percent limits of Regulatory Guide 1.7. An analysis of the system, described in Subsection 6.2.5, confirms that the system accomplishes the required safety function, if needed, with adequate margin and redundancy to ensure that containment integrity is not endangered. Adequate redundancy of the instrumentation and control system ensures that a single failure of any active component does not prevent the system from performing its required safety function.
7.3.9 Residual Heat Removal Service Water System Instrumentation and Control 7.3.9.1 Design-Basis Information The design-basis information for the instrumentation and control of the residual heat removal service water (RHRSW) system, as required in Section 3 of IEEE 279-1971, is provided in Subsection 7.1.2.1.27.
7.3-64 REV 20 05/16 FERMI 2 UFSAR 7.3.9.2 System Description The RHRSW system provides cooling water to remove heat from the RHR system. The RHRSW system includes a closed-cycle supply of water, pumps, and mechanical draft cooling towers to reject the heat to the environment. The system will operate with or without a loss of offsite power. The RHRSW system is described in Subsection 9.2.5 and the system diagram is provided in Figure 9.2-6. The following discussion provides additional information on the RHRSW instrumentation and control.
7.3.9.2.1 Power Sources Instrumentation and controls for the RHRSW system receive electrical power from the redundant 120-V, 60-Hz instrument power systems described in Subsection 8.3.1. Part of the control logic is direct current, powered by the Class 1E direct current system described in Subsection 8.3.2. The pressure control valves requiring pneumatic power receive plant instrument air as described in Subsection 9.3.1.
7.3.9.2.2 Equipment Design Each of the two separate, redundant RHRSW loops has electrically and physically separate controls and instruments.
7.3.9.2.3 Initiation and Control Circuits The RHRSW pumps, valves, and cooling tower fans are all initiated manually from the main control room.
7.3.9.2.4 Logic The RHRSW system is a manually initiated system; therefore, there is no automatic initiation logic. The RHRSW pumps automatically trip if they are operating and a LOCA signal is received, as indicated in Figure 7.3-9, Sheet 1. This trip is provided to allow the automatic loading of other emergency safety feature equipment on the emergency diesel generators if a loss of offsite power occurs. The interlock can be bypassed by a keylock switch so that the pumps can be started if there is a long
-term LOCA signal present.
The cooling tower fan motors automatically load-shed if a loss of offsite power occurs. The motors must be manually reset from the main control room before they will restart.
7.3.9.2.5 Testability Each RHRSW loop can be tested from the control room by starting the RHRSW pumps and/or cooling tower fans. If an accident signal is received during a test, the system pumps trip off and remain off until the operator manually restarts.
7.3-65 REV 20 05/16 FERMI 2 UFSAR 7.3 ENGINEERED SAFETY FEATURE SYSTEMS REFERENCES
- 1. U.S. Nuclear Regulatory Commission, NRC Action Plan Developed as a Result of the TMI-2 Accident, NUREG-0660, May 1980; Revision 1, August 1980.
- 2. U.S. Nuclear Regulatory Commission, Clarification of TMI Action Plan Requirements, NUREG-0737, October 1980.
- 3. Letter from W. H. Jens, Detroit Edison, to B. J. Youngblood, NRC,
Subject:
Modifications of ADS Logic (NUREG-0737, Item II.K.3.18), dated July 31, 1984 (EF2-66712). 4. J.O. Henrie and S.A. Itow, Thermal Hydrogen Recombiner System for Mark I and II Boiling Water Reactors, Report AI-77-55, Atomics International Division of North American Rockwell, September 12, 1977.
7.3-66 REV 20 05/16 FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-1 HPCI Function HIGH PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS Instrument Trip Settingsa Instrument Range RPV high water level turbine trip Level transmitter Level 8b 10 to 220 in.c Turbine exhaust diaphragm high pressure Pressure transmitter 10 psig 0 to 50 psig Turbine exhaust high pressure Pressure switch 140 psig 0 to 200 psig HPCI system pump low suction pressure Pressure switch 15 in. Hg V ac 30 in Hg to 0.5 psig HPCI system pump high suction pressure Pressure switch 70 psig 2 to 75 psig RPV low water level Level transmitter Level 2b 10 to 220 in.c Primary containment (drywell) high pressured Pressure transmitter 2 psig 0 to 5 psig HPCI system steam supply low pressure Pressure transmitter 100 psig 0 to 200 psig Condensate storage lank low level Level transmitter 45,000 gal -10 in./0/+10 in.
H 2O Turbine overspeed Centrifugal device 122 percent of turbine rated speed a Nominal values are given for information. See Technical Specifications for actual operational settings.
b Shown in Figure 7.3
-12. c Zero is at the top of the active fuel.
d Incident detection circuitry instrumentation.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENT TRIP SETTINGS System Function Instrument Trip SettingsInstrument a Reactor vessel low water level (permissive)d Range Level transmitter Level 3b 160 to 220 in.c Reactor vessel low water level (permissive)d Level transmitter Level 1b 10 to 220 in.c Primary containment (drywell) high pressured Pressure transmitter 1.68 psig 0 to 5 psig Primary containment (drywell) high pressure bypass time delayd Timer 7 min 1 to 30 min Automatic depressurization time delayd Timer 105 sec 10 to 300 sec LPCI pump discharge pressured Pressure transmitter 118.5 psig 0 to 500 psig Core spray pump discharge pressured Pressure transmitter 143.5 psig 0 to 500 psig a Nominal values are given for information.
See Technical Specifications for actual operational settings. b Shown in Figure 7.3-12.
c Zero is at the to p of the active fuel.
d Incident detection circuitry instrumentation.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-3 CORE SPRAY SYSTEM INSTRUMENT SPECIFICATIONS Core Spray Function Instrument Trip Settingsa RPV low water leveld Instrument Range Level Transmitter Level 1b 10 to 220 in.c Primary containment high pressured Pressure transmitter 1.68 psig 0 to 5 psig RPV low pressure Pressure transmitter 469 psig e Decreasing 0 to 1200 psig Core spray sparger high differential pressure Differential pressure switch 0.2 psid -7 to +2 psid Pump discharge flow Flow indicator
-- 0 to 10,000 gpm Pump suction pressure Pressure indicator
-- -30 in. Hg to 30 psig Pump discharge pressure Pressure transmitter 143.5 psig 0 to 50 psig a Nominal values are given for information. See Technical Specifications for actual operational settings. b Shown in Figure 7.3
-12. c Zero is at the top of the active fuel.
d Incident detection circuitry instrumentation.
e Approximate setting.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-4 LPCI FunctionF LOW PRESSURE COOLANT INJECTION INSTRUMENT SPECIFICATIONS Instrument Trip Settings a Instrument Range RPV low water level (LPCI loop selection) d Level transmitter Level 2 b 10 to 220 in.
c RPV water level (LPCI pump start signal)d Level transmitter Level 1 b 10 to 220 in.
c Primary containment (drywell) high pressure(LPCI initiation) d Pressure transmitter 1.68 psig 0 to 5 psig RPV low water level (inside shroud) Level transmitter Level 0 b -150 to +50 in. Recirculation loop break detection Differential pressure transmitter 0.63 psid e Trip on upscale 0 to 2 psid LPCI break detection circuit Timer 1/2 sec 0.15 to 3 sec LPCI break detection circuit Timer 2 sec 0.15 to 3 sec LPCI reactor vessel low pressure Pressure transmitter 925 psig 0 to 1500 psig LPCI valve initiation signal cancellation Timer 10 minutes 3 to 30 minutes LPCI pump low flow Flow switch 1500 gpm 0 to 20 in. WC RPV pressure permissive (loop selection) Pressure transmitter 469.5 psig 0 to 1200 psig Recirculation pumps differential pressure transmitter Differential pressure transmitter 1.63 psid Trip on downscale 0 to 5 psid a Nominal values are given for information. See Technical Specifications for actual operational settings. b Shown in Figure 7.3
-12. c Zero is at the top of the active fuel.
d Incident detection circuitry instrumentation.
e Repeatability of +/-0.5 percent on trip point. Return from overrange of 200 psi to 0 psi in 100 msec maximum.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-5 Component Affected HIGH PRESSURE COOLANT INJECTION SYSTEM: MINIMUM NUMBERS OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE Trip Channel Instrument Type Number of Trip Channels Provided Minimum Number of Trip Channels Required To Maintain Functional Performance a HPCI system initiation RPV low water level Level transmitter 4 2 per untripped trip system HPCI system initiation Primary containment high pressure Pressure transmitter 4 2 per untripped trip system HPCI system turbine HPCI system pump discharge flow Flow indicator controller 1 1 HPCI system turbine RPV high water level Level transmitter 2 1 per untripped sytem HPCI system turbine Turbine exhaust diaphragm high pressure Pressure transmitter 2 1 b HPCI system turbine HPCI system pump low suction pressure Pressure switch 1 1 b Minimum flow bypass valve HPCI system pump flow Flow switch 1 1 HPCIS steam supply valve and suppression chamber suction valve HPCI system steam supply low pressure Pressure transmitter 4 2 per untripped trip system Suppression chamber suction valve Condensate storage tank low level and suppression pool high level Level transmitter 4 c 2 a Nominal values are given for information. See Technical Specifications for operational requirements.
b An inoperable trip channel should be placed in the untripped state.
c Two each: condensate storage low, suppression pool high.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-6 Initiating Function AUTOMATIC DEPRESSURIZATION SYSTEM: MINIMUM NUMBERS OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE Instrument Type Number of Trip Channels Provided Minimum Number of Trip Channels Required To Maintain Functional Performancea,b RPV low water level (Level 1)
Level transmitter 2 per trip system 2 per untripped trip system RPV low water level (Level 3)
Level transmitter 1 per trip system 1 per untripped trip system Primary containment high pressure Pressure transmitter 2 per trip system 2 per untripped trip system Time delay (ADS timer)
Timer 1 per trip system 2 per untripped trip system Time delay (ADS drywell high pressure bypass timer)
Timer 2 per trip system 2 per untripped trip system ac interlock (RHR or core spray pump running) Pressure transmitter 1 per pump 1 per pump a One trip logic of each trip system must be fully operable. Both an RPV low water level trip channel and a primary containment high-pressure trip channel should not be inoperable in any one trip logic.
b Nominal values are given for information.
See Technical Specifications for operational requirements.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-7 Component Affected CORE SPRAY SYSTEM:
MINIMUM NUMBERS OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE Trip Channel Instrument Type Number of Trip Channels Provided Minimum Number of Trip Channels Required to Maintain Functional Performance a Core spray system RPV low water level Level transmitter 4 2 per untripped trip system Core spray system Primary containment high pressure Pressure transmitter 4 2 per untripped trip system Core spray discharge valve RPV low pressure Pressure transmitter 4 2 per untripped trip system Core spray sparger leak detection Core pressure differential Differential pressure switch 1 per sparger (alarm only) 1 per sparger (alarm only) a Nominal values are given for information. See Technical Specifications for operational requirements.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-8 Component Affected LOW-PRESSURE COOLANT INJECTION: MINIMUM NUMBERS OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCE Trip Channel Instrument Type Number of Trip Channels Provided Minimum Number of Trip Channels Required To Maintain Functional Performance a LPCI initiation RPV low water level Level transmitter 4 2 per untripped trip system LPCI initiation Primary containment high pressure Pressure transmitter 4 2 per untripped trip system Containment spray valves RPV low water level inside shroud Level transmitter 1 1 b Minimum flow bypass valves LPCI pumps discharge low flow Flow switch 1, 2 c (one per loop) 1, 2c LPCI injection valves and recirculation loop valves Recirculation loop break Differential pressure transmitter 4 2 LPCI injection valves RPV low pressure Pressure transmitter 4 2 Reactor recirculation pumps RPV low water level Level transmitter 4 2 Containment coo ling valves Primary containment (drywell) high pressure Pressure transmitter 4 2 a Nominal values are given for information. See Technical Specifications for operational requirements.
b An inoperable sensor should be placed in the untripped state.
c One channel to open, two channels to close.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE7.3-9 Isolation Function PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENTATION SPECIFICATIONS Sensor Instrument Range Trip Settinga RPV low water level (L3) Differential pressure transmitter 160 to 220 in.
L3b Reactor vessel low water level (L2)
Differential pressure transmitter 10 to 220 in.
L2b Reactor vessel low water level (L1)
Differential pressure transmitter 10 to 220 in.
L1b Main steam line high radiation Radiation monitor 0 to 10 6 mR/hr 3.0 x full power background Main steam tunnel high temperature Temperature sensor 50 to 350°F 140°F Main steam line high flow Differential pressure transmitter 0 to 150 psi 102 psid Main steam line low pressure Pressure transmitter 0 to 1200 psig 756 psig Primary containment high pressure Pressure transmitter 0 to 5 psig 1.68 psig RCIC turbine area high temperature Temperature sensor 50 to 350°F 154°F RCIC turbine steam line high flow Differential pressure transmitter
-300 to +300 in H 2O +109 in. H 2O -109 in. H 2 O RCIC turbine steam line low pressure Pressure transmitter 0 to 200 psig 62 psig HPCI turbine area high temperature Temperature sensor 50 to 350°F 154°F HPCI turbine steam line high flow Differential pressure transmitter
-500 to +500 in. H 2 O +425 in. H 2O -425 in. H 2O HPCI turbine steam line low pressure Pressure transmitter 0 to 200 psi 110 psig Fuel pool ventilation exhaust high radiation Radiation monitor 0.01 to 100 mR/hr 10 mR/hr Reactor water cleanup system space high temperature Temperature sensor 50 to 350°F 175°F a Nominal values are given for information. See Technical Specifications and/or Technical Requirements Manual, Vol I for actual operational limits. b See Figure 7.3-12 Sheet 3.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-10 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM: MINIMUM NUMBERS OF TRIP CHANNELS REQUIRED FOR FUNCTIONAL PERFORMANCETrip Channel Description a Normal Number of Trip Channels Per Trip System Minimum Number of Trip Channels Required Per Untripped Trip System To Maintain Functional Performance b RPV low water level (first setting) (level 3) 2 2 RPV low water level (second setting) (level 2) 2 2 RPV low water level (third setting) (level 1) 2 2 Main steam line high radiation 2 2 Main steam line space high temperature 4 4 Main steam line high flow 2/line 2/line Main steam line low pressure 2 2 Primary containment high pressure 2 2 RCIC steam line space high temperature 1 1 RCIC steam line high flow 1 1 RCIC steam line low pressure 2 2 HPCI steam line space high temperature 1 1 HPCI steam line high flow 1 1 HPCI steam line low pressure 2 2 Fuel pool ventilation exhaust high radiation 2 2 a These data are derived from Technical Specifications.
b Nominal values are given for references only. See Technical Specifications for operational limits.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-11 (TRM - 3.3.5.1-1) EMERGENCY CORE COOLING SYSTEM RESPONSE TIMES The Emergency Core Cooling System Response Times are listed in Technical Requirements Manual (TRM) Volume I Table 3.3.5.1-1. TRM Volume I is incorporated by reference into the UFSAR.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.3-12 (TRM TABLE 3.3.6.1-1) ISOLATION ACTUATION SYSTEM INSTRUMENTATION RESPONSE TIME The Isolation Actuation System Instrumentation Response Times are listed in Technical Requirements Manual (TRM) Volume I Table 3.3.6.1-1. TRM Volume I is incorporated by reference into the UFSAR.
FERMI 2 UFSAR 7.4-1 REV 16 10/09 7.4 SAFE-SHUTDOWN SYSTEMS
7.4.1 Description
7.4.1.1 Reactor Core Isolation Cooling System Instrumentation and Control 7.4.1.1.1 System Identification 7.4.1.1.1.1 Function The reactor core isolation cooling (RCIC) system provides core cooling during reactor shutdown by pumping makeup water into the reactor pressure vessel (RPV) in case of a loss of flow from the main feedwater system. It is activated in time to preclude conditions that lead to inadequate core cooling.
7.4.1.1.1.2 Classification Electrical modules for the RCIC system are classified as Safety Class 2 and Category I.
7.4.1.1.2 Power Sources The RCIC pump is turbine driven and the RCIC trip system is powered by the Division I 260/130-V dc battery.
7.4.1.1.3 Equipment Design When actuated, the RCIC system pumps water from either the condensate storage tank or the suppression chamber to the RPV via the feedwater lines. The RCIC system includes one turbine-driven pump, one barometric condenser dc vacuum pump, one vacuum dc condensate pump, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in Figure 5.5-7. Pressure and level transmitters used in the RCIC system are located on racks in the reactor building. The only operating component of the RCIC system that is located inside the primary containment is one of the two RCIC system turbine steam supply isolation valves. The rest of the RCIC system instrumentation and control components are located outside the primary containment. Cables connect the sensors to control circuitry in the main control room. The system is designed to allow a full flow functional test of the system during normal reactor power operation. The system will automatically return to normal system operation if called upon to do so during the test.
7.4.1.1.3.1 Initiating Circuits Reactor pressure vessel low water level is monitored by four level transmitters which sense the difference between the pressure of a constant reference leg of water and the pressure resulting from the actual height of water in the vessel. Two pipelines, attached to taps above and below the water level on the RPV, are required for each of the two reference legs used FERMI 2 UFSAR 7.4-2 REV 16 10/09 with the RCIC. The lines are physically separated from each other and tap off the RPV at widely separated points. Two pairs of differential-pressure sensing lines from the two reference legs terminate outside the primary containment and inside the reactor building. A backfill system is installed on each level instrument reference leg. The system provides a metered flow of water from the control rod drive system to each leg. The flow is low enough to not affect the performance of the instrumentation. The backfill is designed to prevent the accumulation of dissolved noncondensable gases in the reference legs. The RCIC system is initiated only by low water level. The RCIC initiation circuit is arranged in a "one-out-of-two taken twice" logic.
The RCIC system is automatically initiated after the receipt of an RPV low water level signal, and produces the design flow rate within 50 sec. The controls then function to provide a flow of makeup water to the RPV until the amount of water delivered to the RPV is adequate to restore vessel level. At this time, the RCIC system automatically shuts down by closing the turbine steam supply valve and the steam warmup bypass valve, if it is still open.
The system will automatically reinitiate if the water level returns to the low-level trip point. The controls are arranged to allow remote manual startup, operation, and shutdown. The RCIC turbine is functionally controlled as shown in Figure 7.4-1. Minimizing initial peak speed of the turbine is accomplished by use of a warmup bypass valve. A speed governor limits the turbine speed to its maximum operating level. A control governor receives a RCIC system flow signal and adjusts the turbine steam control valve so that design pump discharge flow rate is obtained. Manual control of the governor is possible in the test mode; however, the governor automatically returns to automatic control on receipt of an RCIC system initiation signal. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the RCIC pump discharge line. The governor controls the position of the hydraulic operator on the turbine control valve, which in turn controls the steam flow to the turbine. Hydraulic pressure is supplied by the shaft-driven hydraulic oil pump. The turbine is automatically shut down by tripping the turbine trip and throttle valve closed if any of the following conditions are detected
- a. Turbine overspeed b. High turbine exhaust pressure
- c. An RCIC isolation signal from Logic A or B d. Low pump suction pressure
- e. Manual trip.
Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line.
Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service. A turbine trip is initiated for these conditions so that the system can be quickly restored to service if the causes of the abnormal conditions can be found and corrected. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so far that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical device.
FERMI 2 UFSAR 7.4-3 REV 16 10/09 Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low RCIC system pump suction pressure. High water level (Level 8) in the RPV indicates that the RCIC system has performed satisfactorily in providing makeup water to the RPV. Further increase in level could result in RCIC system turbine damage caused by gross carryover of moisture. The RPV high water level setting that closes the RCIC turbine steam supply valve is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level transmitters that sense differential pressure are arranged so that both transmitters are required to trip in order to halt RCIC operation.
7.4.1.1.3.2 Logic and Sequencing Reactor pressure vessel low water level automatically starts the RCIC system, as indicated in Figure 7.4-1. The RCIC trip is powered by the Division I 260/130-V dc battery. Instrument settings for the RCIC system instrumentation and control are listed in Table 7.4-1. The water level setting is far enough below normal levels that spurious RCIC system startups are avoided.
To prevent the turbine pump from being damaged by overheating at reduced RCIC pump discharge flow, a pump discharge bypass is provided to route the water discharged from the pump back to the suppression pool. The bypass is controlled by an automatic, dc motor-operated valve whose control scheme is shown in Figure 7.4-2. At RCIC high flow, the valve is closed; at low flow, the valve is opened. A flow switch that measures the pressure difference across a flow element in the RCIC pump discharge line provides the signals.
7.4.1.1.3.3 Bypasses and Interlocks The RCIC steam supply line is maintained hot to prevent build-up of condensate by utilizing a condensate drain pot, steam line drain, and appropriate valves in a drain line arrangement just upstream of the turbine supply valve. The water level in the steam line drain condensate pot is controlled by a level switch and a solenoid piloted air operator, which energizes to allow condensate to bypass a manually controlled globe valve during periods of high condensate such as warming the steam line. The control scheme is shown in Figure 7.4-1.
The controls position valves so that during normal operation, steam line drainage is routed to the main condenser. On receipt of a RCIC initiation signal and subsequent opening of RCIC turbine inlet valve E5150F045, the drainage path is isolated. During test operation, the RCIC pump discharge is routed to the condensate storage tank. A dc motor-operated valve is installed in the pump-discharge-to-condensate-storage-tank line. The piping arrangement is shown in Figure 5.5-7. The control scheme for the valves is shown in Figure 7.4-1. On receipt of a RCIC system initiation signal, the valve closes and remains closed. The valve is interlocked closed if either of the suppression chamber suction valves is not fully opened. Numerous indications pertinent to the operation and condition of FERMI 2 UFSAR 7.4-4 REV 16 10/09 the RCIC system are available to the main control room operator. Figure 7.4-1 shows the various indications provided. Keylock switches have been added to inboard and outboard steam isolation valve control circuitry, as shown in Figure 7.4-1, to ensure deliberate operator action to manually close these valves. Additionally, a control room annunciator alarms when the F007 and F008 valves are not in the fully open position. This prevents damage from water hammer caused by inadvertent valve reopening. Should either or both of these valves be closed, the outboard isolation valve can be slowly reopened to allow any moisture in the line to drain. Then line pressure across the inboard isolation valve is equalized, and the downstream line is warmed by slowly opening the inboard isolation valve.
7.4.1.1.3.4 Redundancy and Diversity Four reactor water level sensors in a "one-out-of-two taken twice" circuit supply the signal which results from a loss-of-water inventory condition.
7.4.1.1.3.5 Actuated Devices All automatic valves in the RCIC are equipped with remote manual test capability so that the entire system can be operated from the main control room. Motor-operated valves are provided with appropriate limit switches to turn off the motors when the fully open or fully closed positions are reached. Logic circuitry that controls valves which are automatically closed on isolation or turbine trip signals is equipped with manual reset devices so that the valves cannot be reopened without operator action. All required components of the RCIC controls operate independently of ac power. To ensure that the RCIC system can be brought to design flow rate within 50 sec from the receipt of the initiation signal, the following maximum operating times for essential RCIC valves are provided by the valve operation mechanisms:
- a. RCIC turbine steam supply valve - 45 sec b. RCIC steam warmup bypass valve - 10 sec c. RCIC pump discharge injection valves - 30 sec d. RCIC pump minimum flow bypass valve - 25 sec The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa. The two RCIC steam supply line isolation valves are normally open. They are intended to isolate the RCIC steam line in the event of a break in that line. A normally closed dc motor-operated isolation valve and a normally closed dc motor-operated warmup bypass valve are located in the turbine steam supply line just upstream of the turbine stop valve. The control schemes for these valves are shown in Figure 7.4-1. On receipt of a RCIC initiation signal, the valves open. The turbine steam supply valve remains open until closed by operator action or a level 8 trip. The warmup bypass valve remains open for 25 seconds then auto closes if a level 2 signal is not present. Two normally open isolation valves are provided in the steam supply line to the turbine. The valve inside the drywell is controlled by an ac motor. The valve outside the drywell is FERMI 2 UFSAR 7.4-5 REV 16 10/09 controlled by a dc motor. The control diagram is shown in Figure 7.4-1. The valves automatically close on receipt of an RCIC isolation signal.
The instrumentation for RCIC isolation consists of the following:
- a. Inside valve 1. Ambient temperature sensor - emergency area cooler high temperature. Isolation is initiated immediately
- 2. Differential pressure transmitter - RCIC steam line high flow or instrument line break. A time delay has been installed to prevent inadvertent system isolation due to pressure spikes associated with pump startup. The delay device setpoints (approximately 3 sec), along with the surveillance intervals, are included in the Technical Specifications 3. Two pressure transmitters - RCIC turbine exhaust diaphragm high pressure. Both transmitters must activate to isolate
- 4. Two pressure transmitters - RCIC steam supply pressure low. Both transmitters must activate to isolate.
- b. Outside valve A similar set of instrumentation causes the outside valve to isolate with the addition of manual isolation if the low-level initiation signal is present.
Three pump suction valves are provided in the RCIC system. One valve lines up pump suction from the condensate storage tank, the other two from the suppression chamber. The condensate storage tank is the preferred source. All three valves are operated by dc motors.
The control arrangement is shown in Figure 7.4-1. On receipt of an RCIC initiation signal, the condensate storage tank suction valve automatically opens. On receipt of a condensate storage tank low level signal, RCIC suction is automatically switched to the suppression pool. This is further discussed in Subsection 7.4.1.1.3.8. Two dc motor-operated RCIC pump discharge valves are provided in the pump discharge line. The control schemes for these two valves are shown in Figure 7.4-1. Both valves are arranged to open on receipt of the RCIC initiation signal. One of the pump discharge valve s closes automatically if a turbine trip occurs. The other valve remains open after RCIC initiation until closed by operator action in the main control room.
7.4.1.1.3.6 Separation As in the emergency core cooling system (ECCS), the RCIC system is separated into divisions designated I and II (Subsection 7.3.1.2.1.6). The RCIC is a Division I system, but the inside steam line valve is in Division II: therefore, part of the RCIC logic is treated as Division II. The inside valve is an ac powered valve. The rest of the valves are dc-powered valves. Division I logic is powered by a 260/130-V dc Division I battery, and the Division II logic is powered by a 260/130-V dc Division II battery.
FERMI 2 UFSAR 7.4-6 REV 16 10/09 7.4.1.1.3.7 Testability The RCIC may be tested to design flow during normal plant operation. Water is drawn from the condensate storage tank and discharged through a full flow test return line to the condensate storage tank. The discharge valve from the pump to the feedwater line remains closed during the test, and reactor operation remains undisturbed. Design of the control system is such that the RCIC system returns to the operating mode from the full flow test if system initiation is required.
7.4.1.1.3.8 Automatic Switchover of RCIC System Suction In the original design, the switchover from the condensate storage tank to the suppression chamber as a source of water was to be manually controlled. However, as a result of discussions with the NRC, this was changed to automatically controlled. Automatic RCIC suction transfer occurs when the trip logic is deenergized. The trip logic is developed within the Division II HPCI system from redundant analog CST level transmitters and trip units.
The HPCI level trip units provide redundant signals to the Division I RCIC suction transfer circuitry through auxiliary relay contacts. Either of these redundant low level signals will automatically open RCIC valves F029 and F031 (refer to Figures 5.5-7, 7.4-1, and 7.4-2).
The RCIC suction transfer then uses the fu ll-open position limit switches on F029 and F031 to initiate the closure of F010, the valve in the pump suction connection to the condensate storage tank. Panel status information is provided for the operator in the form of valve position indication. The condensate storage tank level instrumentation is designed to meet the position of the NRC's Instrumentation and Controls System Branch with respect to freeze protection. A single source connection penetrates the tank. This source connection is common to both the analog transmitters that monitor tank level for the purpose of transferring the RCIC/HPCI pump suction and the transmitter associated with the continuous wide- range tank level indication provided in the main control room. This equipment is contained within a large insulated steel cabinet (H21-P492) welded directly to the exterior of the condensate storage tank about 3 ft above ground level. The environment within the cabinet is maintained above freezing by a radiant strip heater and a local-control thermostat. A temperature
-sensing device that is independent of the strip heater and its associated control thermostat is also located within the cabinet. This sensor produces a visual and audible alarm in the main control room whenever the temperature in the transmitter cabinet falls below 40F. The cabinet temperature control and the low-temperature alarm are electrically independent and powered from completely independent and diverse power sources. A failure of either would not affect the ability of the other to perform its function. To guarantee the continued performance of the environmental control and monitoring systems, Edison will perform a yearly functional surveillance of the systems prior to the advent of freezing weather. Edison has based its justification of the nonseismic location of the transmitters used in the suction transfer system primarily on the degree of conservatism in instrumentation seismic design. The level transmitters used in this transfer application were seismically qualified as described in the licensing topical report NEDO-21617.
FERMI 2 UFSAR 7.4-7 REV 16 10/09 Fermi site ground response spectra applicable to a transmitter mounting on the tank located at grade level would fall well below the values used for qualification of the transmitters in the reference document. As a result, the transmitters are expected to operate properly during and after a seismic event. As an added degree of conservatism, a failure of the tank which results in a loss of inventory and/or loss of the current signal from either transmitter will cause trip units (E41-N661 B and D) and associated trip relays to transfer the RCIC and HPCI suction valves to the suppression pool. These trip units and relays are located on the fourth floor of the reactor building in panel H21-P081. These devices and cabinet are located within the seismically qualified portion of the plant and meet the environmental and seismic qualification requirements for Class 1E electrical equipment.
All of the equipment that accomplishes the automatic suction valve transfer on low condensate tank level is classified as Quality Level 1. The transmitters were purchased as qualified instruments along with the balance of the transfer system and are included with the trip units and relays in the Technical Specifications because the surveillance requirement includes the entire measurement loop.
7.4.1.1.4 Environmental Considerations The only RCIC control component located inside the primary containment that must remain functional in the environment resulting from a LOCA is the control mechanism for the inside isolation valve. The environmental capabilities of this valve are discussed in Subsection 7.3.2.2.9. The RCIC instrumentation and control equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate. Refer to Subsection 7.4.1.1.3.8 for information on the environmental considerations for the HPCI/RCIC instruments on the condensate storage tank. Level sensing instrumentation used as inputs to the RCIC logic from residual heat removal (RHR) is discussed in Subsection 7.3.1.2.4.
7.4.1.1.5 Operational Considerations 7.4.1.1.5.1 General Information Core cooling is required in the event that the reactor becomes isolated from the main condensers during normal operation by a closure of the main steam isolation valves (MSIVs).
Cooling is necessary because of the core fission product decay heat. Steam is vented through the pressure safety/relief valves to the suppression pool. The RCIC system maintains reactor water level by providing the makeup water. Initiation and control are automatic. The provisions taken in accordance with General Design Criterion (GDC) 19 of 10 CFR 50, Appendix A, to provide the required equipment outside the main control room for hot and cold shutdown, are described in Subsection 7.5.1.5.1.
7.4.1.1.5.2 Setpoints A list of setpoints for the RCIC system can be found in Table 7.4-1.
7.4.1.2 Standby Liquid Control System Instrumentation and Control FERMI 2 UFSAR 7.4-8 REV 16 10/09 7.4.1.2.1 System Identification 7.4.1.2.1.1 Function The instrumentation and control system for the standby liquid control system (SLCS) is designed to inject water-soluble neutron-absorber solution well above saturation temperature.
7.4.1.2.1.2 Classification The SLCS is a backup method of manually shutting down the reactor to cold subcritical independently from the control rod drive system. Thus, the system is considered a control system and not a safety system. The standby liquid control process equipment, instrumentation, and control essential for injection of the neutron-absorber solution into the reactor are designed to withstand Category I earthquake loads. Nonprocess equipment and instrumentation and control are designed as a nonseismic system. The SLCS has been reclassified to identify that it was not originally intended, procured, designed, or classified as safety related, but it will be maintained and tested as a safety
-related system after completion of its preoperational tests.
7.4.1.2.2 Power Sources The power supply to explosive valve F004A and injection pump C001A is from automatically restored MCC 72B-4C. The power supply to explosive valve F004B and injection pump C001B is from automatically restored MCC 72E-5B. The location of these pumps and valves is shown in Figure 7.4-3. The power supply to the tank heaters and heater controls can also be connected to an engineered safety feature (ESF) bus. The 120-V ac power supply to the main control room benchboard indicator lights is powered from an inductive BOP MPU, and the level and pressure transmitters are powered from restorable instrument MPU 1.
7.4.1.2.3 Equipment Design 7.4.1.2.3.1 Initiating Circuits The standby liquid control is initiated in the main control room by turning a keylocking switch to either system A or system B. The key is removable in the center OFF position.
When either system is initiated, both explosive valves (F004A and F004B) are fired, and the selected pump C001A or C001B is started. Should the selected pump fail to start, the key switch may be turned to the alternate pump.
7.4.1.2.3.2 Logic and Sequencing When the SLCS is initiated, both the explosive valves fire and the pump that has been selected for injection starts.
FERMI 2 UFSAR 7.4-9 REV 16 10/09 7.4.1.2.3.3 Bypasses and Interlocks There are no bypasses. When the SLCS is initiated to inject soluble neutron absorber into the reactor, the outboard isolation valve of the reactor water cleanup (RWCU) is automatically closed. 7.4.1.2.3.4 Redundancy and Diversity The redundancy exists in duplicated pumps, explosive valves, and power supply as outlined in Subsection 7.4.1.2.2.
7.4.1.2.3.5 Actuated Devices When the SLCS is initiated to inject soluble neutron absorber into the reactor, one of the two injection pumps and each of the two explosive valves are actuated.
7.4.1.2.3.6 Testability The instrumentation and control system of the SLCS is tested when the system test is performed as outlined in Subsection 4.5.2.4.4.
7.4.1.2.4 Environmental Considerations The environmental considerations for the instrumentation and control portions of the SLCS are the same as for the active mechanical components of the system. This is discussed in Section 3.11 and Subsection 4.5.2.4.3.
7.4.1.2.5 Operational Considerations 7.4.1.2.5.1 General Information The control scheme for the SLCS can be found in Figure 7.4-3. The standby liquid control is manually initiated in the main control room by inserting the proper key into the keylocking switch and turning it to either system A or system B. The time it takes to complete the injection is between 50 and 125 minutes. When the injection is completed, the system is manually turned off by returning the keylocking switch to the OFF position.
7.4.1.2.5.2 Operator Information The SLCS indicators are as follows:
- a. The system pressure is indicated with an indicator that has a range of 0-1800 psig in the main control room b. The storage tank level is indicated with an indicator that has a range of near empty to near full, calibrated to read in inches of liquid storage in the main control room
- c. The continuity of the explosive valve dual primer ignition circuit is monitored by measuring a trickle current through the primers. If either of the dual primer FERMI 2 UFSAR 7.4-10 REV 16 10/09 or the primer ignition circuit becomes open-circuited, the continuity meter reads downscale
- d. Indicator lights in the main control room show if either pump is running, stopped, or tripped
- e. Indicator lights in the main control room show whether or not the explosive valve firing circuitry has continuity
- f. Indicator lights in the main control room show if service valve F008 is open or closed, as shown in Figure 7.4-3
- g. Indicator lights in the main control room show if the F006 check valve disk is open or closed h. Indicator lights on the local panel show if the manually controlled high-power storage tank heater is on or off
- i. Indicator lights on the local panel for the low-power storage tank heater have been de-energized and abandoned in place. The SLCS main control room annunciators annunciate when
- a. There is a loss of continuity of either explosive valve primers b. The standby liquid storage temperature becomes too hot or too cold
- c. The standby liquid tank level is too high or too low.
7.4.1.2.5.3 Setpoints The SLCS has setpoints for the various instruments as follows:
- a. The loss of continuity meter is set to activate the annunciator just below trickle current that is observed when the primers of the explosive valves are new
- b. The high and low standby liquid temperature switch is set to activate the annunciator at temperatures of approximately 110F and 48F, respectively
- c. The high and low standby liquid storage tank level switch is set to activate the annunciator when the volume is approximately 2975 gal net and 2618 gal net of the storage tank capacity, respectively 7.4.1.3 Reactor Shutdown Cooling System Instrumentation and Control 7.4.1.3.1 System Identification The shutdown cooling mode is a function of the RHR system and is placed in operation during a normal shutdown and cooldown.
7.4.1.3.2 Power Sources The power sources for the reactor shutdown cooling system instrumentation and control are as described in the ECCS discussion in Subsection 7.3.1.2.
FERMI 2 UFSAR 7.4-11 REV 16 10/09 7.4.1.3.3 Equipment Design The reactor water is cooled by taking suction from one of the recirculation loops as shown in Figure 5.5-13. During the shutdown cooling mode, only one RHR system heat exchanger is required. This allows the remaining RHR system division to be held in standby for use in either the low-pressure coolant injection (LPCI) mode or containment cooling mode. One RHR division's valve alignment is shifted from the standby mode lineup (suction from the torus) needed for LPCI and containment cooling to the shutdown mode lineup (suction from reactor recirculation loop
-B) after the reactor is depressurized. One RHR heat exchanger removes enough decay heat, even with declining reactor water approach temperature, so that the proper cooldown rate may be achieved. If it is necessary to discharge a complete core load of reactor fuel to the spent fuel pool, the cooling capacity of the fuel pool cooling and cleanup system (FPCCS) heat exchangers may be exceeded. A means is provided for making a physical connection between the spent fuel pool and the RHR system. The RHR heat exchangers have greater cooling capacity than the FPCCS heat exchangers, and can maintain the spent fuel pool within its design temperature until the decay heat load is within the capacity of the FPCCS.
7.4.1.3.3.1 Initiating Circuits The reactor shutdown cooling system is initiated only by manual action. The system cannot be actuated unless certain requirements, described in the following subsections, are met.
7.4.1.3.3.2 Bypasses and Interlocks To prevent opening the shutdown cooling valves except under proper conditions, interlocks are provided as shown in Table 7.4-2. The two RHR pumps used for shutdown cooling are interlocked to trip the pumps if the shutdown cooling valves and suction valves from the suppression pool are not properly positioned.
7.4.1.3.3.3 Actuating Devices All motor-operated valves in the shutdown cooling system are equipped with remote manual switches in the main control room.
7.4.1.3.3.4 Testability The shutdown cooling system pumps of the RHR system may be tested to full capacity during normal plant operation.
7.4.1.3.4 Environmental Considerations The only shutdown cooling control component located inside the drywell that must remain functional in the environment is the control mechanism for the (inboard) isolation shutdown cooling suction valve. The environmental capabilities of this valve are discussed in Subsection 7.3.2.2.9. The instrumentation and control equipment located outside the drywell FERMI 2 UFSAR 7.4-12 REV 16 10/09 is selected in consideration of the normal and accident environments in which it must operate. 7.4.1.3.5 Operational Considerations All controls for the shutdown cooling system are located in the main control room. Operator information is provided as described in the RHR discussion of the LPCI mode in Subsection
7.3.1.2.4. The provisions taken in accordance with GDC 19 of 10 CFR 50, Appendix A, to provide the required equipment outside the main control room for hot and cold shutdown, are described in Subsection 7.5.1.5.1.
7.4.2 Analysis 7.4.2.1 General Presented below are analyses that show how the safe shutdown systems satisfy their design bases listed in Section 7.1.
7.4.2.2 Reactor Core Isolation Cooling System Instrumentation and Control 7.4.2.2.1 Conformance To General Functional Requirements For events other than pipe breaks, the RCIC system has a makeup capacity sufficient to prevent the RPV water level from decreasing to the level where the core is uncovered without using the ECCS. To ensure to a high degree that the RCIC system operates when necessary and in time to provide adequate core cooling, the power supply for the system is taken from reliable sources that are immediately available. Evaluation of instrumentation configuration for the RCIC system shows that no failure of a single initiating sensor either prevents the starting or causes false starting of the system.
A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the condensate storage tank and discharging through the full flow test return line back to the condensate storage tank. During the test, the discharge valve to the feed line remains closed and reactor operation is undisturbed. Control system design provides automatic return from the full flow test mode to the operating mode if system initiation is required during testing.
7.4.2.2.2 Conformance To Specific Regulatory Requirements of IEEE 279-1971 7.4.2.2.2.1 Single-Failure Criterion (IEEE 279-1971, Paragraph 4.2) The RCIC system, by itself, is not required to meet the single- failure criterion. The control logic circuits for the RCIC system initiation and control are housed in a single relay cabinet, and the power supply for the control logic and other RCIC equipment is from a single dc power source.
FERMI 2 UFSAR 7.4-13 REV 16 10/09 The RCIC initiation sensors and wiring up to the RCIC relay logic cabinet do, however, meet the single-failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line (pipe) failure can prevent RCIC initiation. Wiring separation between divisions also provides tolerance to single wireway destruction (including shorts, opens, and grounds) in the accident detection portion of the control logic. The single-failure criterion is not applied to the logic relay cabinet or to other equipment required to function for RCIC operation.
7.4.2.2.2.2 Quality Components (IEEE 279-1971, Paragraph 4.3) This requirement is described in NEDO-10139, which applies equally to the core spray and RCIC systems.
7.4.2.2.2.3 Equipment Qualification (IEEE 279-1971, Paragraph 4.4) Environmental No components of the RCIC control system are required to operate in the drywell environment. The RCIC steam line isolation valve located inside the drywell is a normall y open valve and is required to operate only to isolate the primary containment. Other process sensor equipment for RCIC initiation is located in the reactor building and is capable of accurate operation in ambient temperature conditions that result from abnormal conditions. Panels and relay cabinets are located in typical power station control room and/or auxiliary relay room environments. Therefore, environmental testing of components mounted in these enclosures is not warranted. There are no components in the RCIC control system that have not demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use.
7.4.2.2.2.4 Channel Integrity (IEEE 279-1971, Paragraph 4.5) The RCIC system instrument initiation channels meet the single- failure criterion as discussed in Subsection 7.4.2.2.2.1 above, and thus satisfy the channel integrity objective of this paragraph. By definition (IEEE 279-1971, Paragraph 2.2), a channel loses its identity where single
-action signals are combined. Therefore, since instrument channels are combined into a single trip system, this paragraph of IEEE 279-1971 does not strictly apply for the RCIC control system. 7.4.2.2.2.5 Channel Independence (IEEE 279-1971, Paragraph 4.6) Channel independence for initiation sensors is provided by electrical and mechanical separation. The A and C sensors for RPV level, for instance, are located on one local instrument panel identified as Division I equipment, and the B and D sensors are located on a second instrument panel widely separated from the first and identified as Division II equipment.
FERMI 2 UFSAR 7.4-14 REV 16 10/09 The A and C sensors have a common pair of process taps that are widely separated from the corresponding taps for sensors B and D. Disabling of one or both sensors in one location does not disable the control for RCIC initiation.
7.4.2.2.2.6 Control and Protection Interaction (IEEE 279-1971, Paragraph 4.7) The RCIC system is strictly an off-on system, and no signal whose failure could cause need of RCIC can also prevent RCIC from starting. Annunciator circuits using contacts of sensor relays and logic relays cannot impair the operability of the RCIC system control because of the electrical separation between controls. A short between the annunciator wiring and the RCIC control wiring could result in a single ground on the dc control circuit without affecting circuit operability.
7.4.2.2.2.7 Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8) The input that starts the RCIC system is a direct measure of the variable that indicates need for core cooling; e.g., RPV low water level.
7.4.2.2.2.8 Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9) All sensors are of the pressure-sensing type and are installed with calibration taps and instrument valves so that testing during normal plant operation or during shutdown is permitted.
The reactor low
-pressure transmitters can be easily checked for operability during plant operation by observing the analog output of respective transmitters. The RPV level transmitters are also checked for operability in a similar fashion. Refer to Subsection 7.1.3.1.
7.4.2.2.2.9 Capability for Test and Calibratio n (IEEE 279-1971, Paragraph 4.l0)
The RCIC control system is capable of being completely tested under normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. The RCIC system can be manually started in the test mode by opening steam supply valves to the RCIC turbine to pump water from the condensate storage tank through the test return valves back to the condensate storage tank, while the reactor is at pressure.
Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested.
7.4.2.2.2.10 Channel Bypass or Removal From Operation (IEEE 279-1971, Paragraph 4.11)
Calibration of a sensor that introduces a single instrument channel trip will not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses in the RCIC system. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning.
7.4.2.2.2.11 Operating Bypasses (IEEE 279-1971, Paragraph 4.12) The RCIC system design contains no operating bypasses.
FERMI 2 UFSAR 7.4-15 REV 16 10/09 7.4.2.2.2.12 Indication of Bypasses (IEEE 279-1971, Paragraph 4.13) Indication of bypasses provided is as discussed in Subsection 7.4.2.2.2.11.
7.4.2.2.2.13 Access To Means for Bypassing (IEEE 279-1971, Paragraph 4.14) Access to motor control centers and instrument valves is controlled. Access to other means of bypassing is located in the main control room and is therefore under the administrative control of the operators.
7.4.2.2.2.14 Multiple Setpoint (IEEE 279-1971, Paragraph 4.15) This is not applicable because all setpoints are fixed.
7.4.2.2.2.15 Completion of Protective Action Once It Is Initiated (IEEE 279-1971, Paragraph 4.16) The final control elements for the RCIC system are essentially bi-stable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out (which they do when the limit switch is reached). In the case of pump starters, the automatic initiation signal is electrically sealed in.
Thus, once protection action is initiated (i.e., flow established), it must go to completion or continue until terminated by deliberate operator action or automatically stopped on high vessel water level or system malfunction trip signals.
7.4.2.2.2.16 Manual Actuation (IEEE 279-1971, Paragraph 4.17) Each piece of RCIC actuation equipment required to operate (pumps and valves) is capable of manual initiation electrically from the control panel in the main control room. Failure of logic circuitry to initiate the RCIC system will not affect the manual control of equipment. However, failures of active components or control circuit failure which produces a turbine trip may disable the manual actuation of the RCIC system. Failures of this type are continuously monitored by alarms.
7.4.2.2.2.17 Access To Setpoint Adjustment (IEEE 279-1971 Paragraph 4.18) Setpoint adjustments for the RCIC system sensors are integral with the sensors on the local instrument racks and cannot be changed without the use of tools to remove covers over these adjustments. Control relay cabinets are capable of being locked to prevent unauthorized actuation. Because of these restrictions, compliance with this requirement of IEEE 279-1971 is considered complete.
7.4.2.2.2.18 Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19) Protective actions are directly indicated and identified by annunciator operation or action of the sensor relay, which has an identification tag and a clear glass window front that permits convenient visible verification of the relay position. This combination of annunciation and visible relay actuation is considered to fulfill the requirements of this criterion.
FERMI 2 UFSAR 7.4-16 REV 16 10/09 7.4.2.2.2.19 Information Readout (IEEE 279-1971, Paragraph 4.20) The RCIC control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is the means provided for verifying the operability of the RCIC components and, by proper selection of test periods, to be compatible with the historically established reliability of the components tested, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the RCIC function is available and/or operating properly. In addition to the annunciator alarms shown on the functional control diagram in Figure 7.4-1, the following alarms are provided:
- a. Failure of control power to the RCIC system b. Valve overload alarm.
In addition to the annunciators, the other indications on the main control room panel are
- a. Valve position lights
- b. Pump monitor lights
- c. Pump suction/discharge pressure indicator d. RCIC pump flow indicator
- e. Turbine exhaust line pressure indicator
- f. Turbine steam inlet pressure indicator
- g. Turbine speed indicator h. Turbine supervisory indicators.
- i. Barometric condenser vacuum pump current
- j. Barometric condenser condensate pump current 7.4.2.2.2.20 System Repair (IEEE 279-1971, Paragraph 4.21) The RCIC control system is designed to permit repair or replacement of components.
Recognition and location of a failed component will be accomplished during periodic testing.
The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. Sensors that are connected to the instrument piping cannot be changed so readily but are connected with separable screwed or bolted fittings.
7.4.2.2.2.21 Identification (IEEE 279-1971, Paragraph 4.22) The RCIC system is identified uniquely as a Division I system. All controls and instruments are located in one area of the main control room panel and are clearly identified by nameplates.
FERMI 2 UFSAR 7.4-17 REV 16 10/09 Relays are located in one panel for RCIC use only. Relays and panels are identified by nameplates.
7.4.2.2.3 Conformance To Specific Regulatory Requirements The RCIC system conforms to the following regulatory requirements:
- a. IEEE 323-1971 - This is discussed in Section 3.11 and GE Topical Report NEDO-10698 b. IEEE 338-1971 - Only paragraphs of IEEE 338-1971 that apply to the design of the RCIC system will be covered Capability for Sensor Checks (IEEE 338-1971, 2.1) is discussed in Subsection 7.4.2.2.2.8. Capability for Test and Calibration (IEEE 338-1971, 2.2) is discussed in Subsection 7.4.2.2.2.9
- c. IEEE 344-1971 - This is discussed in Topical Report NEDO-10678 d. 10 CFR 50, Appendix A requirements - 1. Criterion 13 - Subsections 7.4.1.1.3.1, 7.4.1.1.3.2, 7.4.1.1.3.3
- 2. Criterion 37 - Subsection 7.4.1.1.3.7.
- e. 10 CFR 50, Appendix B requirements - The requirements of 10 CFR 50, Appendix B, are met as described in Chapter 17
- f. Regulatory Guide 1.22 - Subsections 7.4.2.2.2.8 and 7.4.2.2.2.9.
7.4.2.3 Standby Liquid Control System Instrumentation and Control 7.4.2.3.1 Conformance To General Functional Requirements Redundant positive displacement pumps, explosive valves, and control circuits for these components have been provided as described in Subsection 7.4.1.2. This constitutes all the active equipment required for injection of the sodium pentaborate solution. Continuity relays provide monitoring on the explosive valves, and indicator lights provide indication on the main reactor control panel of system status as described in Subsection 7.4.1.2.5.2.
Testability is described in Subsection 7.4.1.2.3.6. Redundant power sources are described in Subsection 7.4.1.2.2.
7.4.2.3.2 Conformance To Specific Regulatory Requirements Qualification of Class 1E electrical equipment in accordance with IEEE 323-1971 and seismic design of Class 1E electrical equipment in accordance with IEEE 344-1971 are covered in Topical Reports NEDO-10698 and NEDO-l0678, respectively, and Sections 3.11 and 3.10. The requirements of 10 CFR 50, Appendix B, are described in Chapter 17.
7.4.2.4 Reactor Shutdown Cooling System Instrumentation and Control FERMI 2 UFSAR 7.4-18 REV 16 10/09 7.4.2.4.1 Conformance To General Functional Requirements The design of the reactor shutdown cooling system instrumentation and controls meets all the functional requirements of Subsection 7.1.2.1.27 as follows:
7.4.2.4.1.1 Valves Manual controls and position indicators are provided in the main control room. Interlocks are provided to prevent opening of the valves if shutdown conditions are not met. Interlocks are also provided to close the valves if an isolation signal is present or if high reactor pressure exists.
Redundant sensors (N111A and B) are provided for the RHR shutdown cooling pressure interlocks. These sensing loops meet or exceed the EICSB-3 Branch Technical Position. The interlocks are designed as part of the testability option and, therefore, formal diversity of the sensors and trip units has not been provided. Formal test procedures are used to verify operability of the interlocks. It is Edison's position that the accuracy, reliability, testing, and inherent on-line status monitoring of the analog transmitter/trip unit design obviate the need for diverse instruments.
7.4.2.4.1.2 Instrumentation Shutdown flow indicator is provided. The RHR cooling water and service water temperatures are provided. Head spray flow indication is no longer provided. A permanent modification has removed the head spray piping, disabling this flow path.
7.4.2.4.1.3 Annunciation The following annunciators are provided:
- a. Division I/Division II RHR valves thermal overload b. RHR heat exchanger cooling water discharge temperature high
7.4.2.4.1.4 Pumps Manual controls and stop and start indicators are provided in the main control room. Interlocks are provided to trip the pumps if the shutdown cooling valves are not properly set
up. 7.4.2.4.2 Conformance To Specific Regulatory Requirements Conformances to regulatory requirements are the same as those specified for the ESF systems. Consideration of failure of plant instrument air and loss of cooling water to safe-shutdown equipment is given in Chapter 15. These systems are not specifically designed for FERMI 2 UFSAR 7.4-19 REV 16 10/09 consideration of plant load rejection or turbine trip, but the plant is designed to handle those situations and shut down safely.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.4-1 RCIC Function REACTOR CORE ISOLATION COOLING INSTRUMENT SPECIFICATION Instrument Trip Settingsa Range RPV high water level turbine trip Level transmitter Level 8b 10 to 220 in.c Turbine exhaust diaphragm high pressure Pressure transmitter 10 psig 0 to 30 psi RCIC system pump low suction pressure Pressure switch Low - 20 in. Hg vacuumd 30 in. Hg vacuum to 10 psig RCIC system pump high suction pressure Pressure switch High - 70 psig 0.5 to 80 psig RPV low water levele Level transmitter Level 2 b 10 to 220 in.
c RCIC system steam supply low pressure Pressure transmitter 50 psig 0 to 200 psig Turbine overspeed Centrifugal device 122.3 percent of rated speed a Nominal values are given for information. See the Technical Specifications for operational limits. b Figure 7.3-12.
c Zero is at the top of the active fuel. d Approximate setting. e Incident detection circuitry instrumentation.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.4-2 Valve Function REACTOR SHUTDOWN COOLING BYPASSES AND INTERLOCKS Manual Open Reactor Pressure Exceeds Shutdown Isolation Valve Closure Signal Inboard suction isolation Cannot open Cannot open Outboard suction isolation Cannot open Cannot open Reactor injection Can open Cannot open Head spray c Cannot open Cannot open Valve function Automatic aManual close or b close Inboard suction isolation Closes A and M Closes A and M Reactor injection Closes A and M Closes A and M Head spray cCloses A and M Closes A and M
a Automatic is abbreviated as "A."
b Manual is abbreviated as "M."
c Head spray piping attached to reactor pressure vessel (RPV) is removed. The remaining pipe in drywell is blanked off.
FERMI 2 UFSAR 7.5 SAFETY-RELATED AND POWER GENERATION DISPLAY INSTRUMENTATION
7.5.1 Description
7.5.1.1 General A description of the instrumentation that provides information to the operator to enable him to perform required safety functions is provided in this subsection.
A Human Factors Engineering design review program was established to maintain control room and remote shutdown panel instrumentation in conformance with the general human factors conventions adapted from NRC Human Factors Criteria (NUREG
-0700 "Guidelines for Control Room Design Reviews") as well as plant specific conventions. This program was originally described in section 5.0 of Supplement 2 to the DCRDR "Summary Report for the Fermi 2 Control Room."
7.5.1.2 Normal Operation The normal plant process variable indicators and recorders are described in Section 7.6 and are shown on the piping and instrumentation diagrams for the various nuclear steam supply systems (NSSSs). Information channel ranges and indicators are selected on the basis of giving the operator the necessary information, during expected operational perturbations, to perform all the normal plant maneuvers and to be able to track all the process variables pertinent to safety. Description of the control rod position indicating system is given in Subsection 7.7.1.1.5.
7.5.1.3 Abnormal Transient Occurrences The ranges of indicators and recorders provided are capable of covering the extremes of process variables and providing necessary information to enable the operator to perform required safety functions.
7.5.1.4 Accident Conditions Information readouts are provided to accommodate events up to and including a LOCA.
These readouts are designed from the standpoint of operator action, information, and event tracking requirements, providing assurance that requirements for all other credible events or incidents will be covered. 7.5.1.4.1 Initial Accident Event The design basis of all engineered safety feature (ESF) systems to mitigate accident event conditions takes into consideration that no operator action or assistance is necessary for the first 10 minutes of the event. This requirement makes it mandatory that all protective action necessary in the first 10 minutes be automatic. Therefore, although continuous tracking of process variables is available, no operator action based on them is required or recommended.
7.5-1 REV 20 05/16 FERMI 2 UFSAR 7.5.1.4.2 Postaccident Tracking After 10 minutes, operator action is optional, based on the information available. Within 30 minutes, however, containment cooling must be initiated.
The process instrumentation described in the following subsections provides information to the operator for his use in monitoring reactor conditions after a LOCA.
This instrumentation was designed to conform to the requirements of Regulatory Guide 1.97
[formerly, Branch Technical Position (BTP) ICSB
-23]. A formal type
-test seismic qualification based on IEEE Standar d 344-1971 was obtained for the strip
-chart recorders used in the systems.
Details of the tests performed are available in the General Electric Seismic Summary Report for panel H11
-P602, dated December 1977.
7.5.1.4.2.1 Reactor Water Level Appropriate vessel water level instrumentation described below is operable during and after postulated design
-basis accidents.
The emergency core cooling system (ECCS) equipment and reactor protection and containment isolation system initiation is automatic. In addition, 11 level indicators are located in the control room. These instrument designations, their ranges, and control room location are presented in Table 7.5
-1. Their ranges vary to cover the active fuel to the top of the reactor vessel so that the required range of the reactor vessel water level is monitored.
Two wide-range water level signals are transmitted from two nuclear boiler system independent differential pressure transmitters and are recorded on two, multi-point recorders in the main control room. One point records the wide
-range level and the other point records the reactor pressure on each of the two recorders. The differential pressure transmitters have one side connected to a condensing
-type chamber reference leg and the other side connected directly to a vessel nozzle for the variable leg. The water level system is uncompensated for variation in reactor water density and is calibrated to be most accurate at operational pressure and temperature conditions. The range of the recorded level is from the top of the feedwater control range (just above the high level turbine trip point) down to a point near the top of the active fuel. The power sources for the two channels are inverter
-fed from the two divisional batteries. Both pressure and level recorders are equipped to automatically switch from a low (normal) speed to high speed when signal levels reach preset values as shown in
Figure 7.3
-12. Two fuel-zone water level signals are transmitted from two nuclear boiler system independent differential
-pressure transmitters. Signals go to water level recorders (programmable), one in each division. The differential
-pressure transmitters have one side connected to a condensing
-type chamber reference leg and the other side connected directly to the bottom tap of a calibrated jet pump for the variable leg. The water level system is uncompensated for variation in reactor water density and is calibrated to be most accurate at saturated atmospheric conditions. The programmable recorders perform mathematical conversion of the fuel
-zone water level measurements to readings which account for the difference between calibration and off
-calibration conditions expected during the accident.
7.5-2 REV 20 05/16 FERMI 2 UFSAR The recorders use reactor vessel pressure signals to calculate the signal conversions. The level range is from near the bottom of the active fuel to over the top of the active fuel, as shown in Figure 7.3
-12. The ranges of the wide
-range level and the fuel
-zone level overlap. Power sources are as stated in the previous paragraph. The feedwater control system has other reactor water level recorders/indicators in the main control room.
Fermi 2 is a BWR/4 design that uses only nonheated reference columns that are maintained full of condensate by the condensing chambers for all of the level measurements. A backfill system is installed on each level instrument reference leg. The system provides a metered flow of water from the control rod drive system to each leg. The flow is low enough to not affect the performance of the instrumentation. The backfill is designed to prevent the accumulation of dissolved noncondensable gases in the reference legs. Yarway reference columns are not used. Reactor vessel taps are divided into two separate divisions to maintain spatial diversity. Fermi 2 has three upper
-steam-space taps (one on the head vent line), similar to the BWR/3 design. There are two intermediate (water zone) taps that sense the water variable leg inside the vessel annulus approximately 13 ft above the top of the active fuel. There are two lower taps that sense the water variable leg inside the vessel annulus outside the core shroud at approximately 10 in. above the top of the active fuel. Additionally, two lower taps that sense the water variable leg inside the jet pump above the pump diffuser tap similar to the BWR/3 are provided.
The power for the feedwater system level instrumentation is supplied from a vital instrument bus. Power is supplied to the reactor protection system (RPS) trip system level instruments from the RPS motor
-generator sets. Power for the balance of the level instrumentation that is part of the ECCS is supplied by safety
-grade inverter power supplies powered by the appropriate divisional battery. With respect to drywell sensing line routing, Fermi 2 meets the requirements outlined in Figure 2.3.2.2
-8 of NEDO 24708A, and, therefore, the level instruments are relatively independent of drywell temperature changes.
All of the level sensors are located on spatially separated divisional safety
-grade instrument racks located in the reactor building approximately 15 ft from the drywell wall. All the level instrument channel response times are well within the design criteria.
In response to NRC requests for additional information on water level indication errors, Edison has provided information to further demonstrate the adequacy of the Fermi 2 water
-level instrument design in response to high drywell temperatures that may lead to reference
-leg flashing. In the unlikely case that flashing occurred, the expected error would be about 4 in. of indicated level. Even if the entire reference
-leg portion in the drywell boiled off, the hypothetical error would not seriously impact adversely either manual or automatic actions to safely mitigate the worst
-case transient identified.
7.5.1.4.2.2 Reactor Pressure Two reactor pressure signals are transmitted from two independent pressure transmitters and are recorded on two, multi
-point recorders in the main control room (same recorders described in Subsection 7.5.1.4.2.1 above). One point records pressure; the other records the wide-range level. The range of recorded pressure is from 0 to 1500 psig. Additionally, fuel-zone water level recorders (programmable) use reactor pressure signals to correct water level 7.5-3 REV 20 05/16 FERMI 2 UFSAR measurements for off
-calibration pressure. The feedwater control system has other pressure signals recorded in the main control room. This range is sufficient to include the safety limit pressure. 7.5.1.4.2.3 Shutdown, Isolation, and Core Cooling Indication The following information furnished to the main control room operator permits him to assess reactor shutdown, isolation, and availability of emergency core cooling following the postulated accidents.
- a. Reactor shutdown occurs as one or more process variables exceed their specified setpoint. Operator verification that shutdown has occurred may be made by observing one or more of the following indications:
- 1. Control rod status lamps indicating each rod fully inserted. Power source is a battery
-powered inverter supply (Figure 7.5
-1) 2. Control rod scram valve status lamps indicating open valves. Power source is a battery
-powered inverter supply (Figure 7.5
-1) 3. Neutron-monitoring power
-range channels and recorders downscale. Power sources are the RPS motor
-generator sets (Figure 7.5
-1) and battery-powered inverters
- 4. Annunciators for RPS variables and trip logic in the tripped state. Power source is dc from station battery (Figure 7.5
-1) 5. Logging of control rod positions on the Integrated Plant Computer System (IPCS). Power source is computer power supply from uninterruptible power supply (UPS) A and B
- 6. Events recorder logging of trips. Power source is from station battery.
- b. Reactor isolation occurs after the accident as various environmental and process variables exceed their setpoints. The operator may verify reactor isolation by observing one or more of the following indications:
- 1. Isolation valve position lamps indicating valve closure. Power source is the same as for the associated motor operator
- 2. Main steam line flow indication downscale. Power source is a battery-powered inverter supply (Figure 7.5
-1) 3. Annunciators for the primary RPS variables and trip logic in the tripped state. Power source is dc from station battery
- 4. Events recorder logging of trips.
- c. Operation of emergency core cooling following the LOCA may be verified by observing the following instrumentation:
7.5-4 REV 20 05/16 FERMI 2 UFSAR
- 1. Annunciators for high pressure coolant injection (HPCI), core spray, residual heat removal (RHR), and automatic depressurization system (ADS) sensor initiation logic trips. Power source is dc from a station battery 2. HPCI pump discharge pressure and flow indicators (Figure 7.3
-1). Power for these instruments is derived from a battery
-operated inverter supply
- 3. ADS valve position status (Figure 7.3
-4). Position
-indicator power is derived from battery powered inverters
- 4. Divisional core spray discharge pressure indicators, loop flow indicators, and pump motor ammeters (Figures 7.3
-7 and 7.3-8). Power for the respective instruments is derived from the appropriate ESF bus
- 5. Divisional low pressure coolant injection (LPCI) (RHR) pump discharge header pressure indicators, loop flow indicators, loop flow recorders, and pump motor ammeters (Figure 7.3
-9). Power for these instruments is derived from the associated ESF bus
- 6. Divisional RHR service water loop flow indicators and outlet temperature recorders (Figure 7.3
-9). Power for these instruments is derived from the associated ESF bus
- 7. Injection valve position status. Power source is the same as for the valve motor 8. Events recorder logging of trips in the emergency core cooling network. Power source is the l30
-V dc power system
- 9. Relief valve discharge pipe temperature monitors. Power source is 120
-
V ac supplied from a 120
-V ac instrument bus.
- d. Conditions of significant timed interlocks that restrict the flexibility of the ESF systems are indicated by the following devices:
- 1. An indicating timer, which displays the amount of time remaining until manual ADS activation is permissive. This device is powered from the ADS logic supply
- 2. Four timers, which indicate that the required time has elapsed and the RHR (LPCI) "failed" loop injection valves can be reopened. These devices are powered from their respective divisional logic supply
- 3. Two timers, which indicate that the required time has elapsed and the RHR (LPCI) injection valves can be closed manually. These devices are powered from their respective divisional logic supply.
7.5-5 REV 20 05/16 FERMI 2 UFSAR
- e. The following indicating devices are provided to permit rapid assessment of the standby power system status and to enhance the manual reconnection of loads:
- 1. Each of the emergency diesel generator (EDG) automatic load sequencer systems provides visual indication of the exact state of the automatically sequenced loads.
These devices are powered by the sequencer system power supply. Specific details of this system are described in Subsection 8.3.1.1.7.
- 2. A digital meter that displays remaining generator capacity for each EDG is provided. Power is supplied to these instruments from the respective EDG bus. This system is described more fully in Subsection 8.3.1.1.11.
7.5.1.4.2.4 Primary Containment Indication The following systems provide the control room operator with necessary information regarding the full range of environmental conditions possible within the primary containment following an accident or incident.
- a. Drywell temperature in various locations within the drywell volume is recorded on redundant strip
-chart recorders (Subsection 7.6.1.12.2). The power supply for these recorders is derived from the respective ESF bus
- b. Drywell pressure is monitored by both narrow
-range and wide
-range pressure transmitters and recorded on redundant strip
-chart recorders (Subsection 7.6.1.12.3). The power supply for these devices is derived from battery
-powered inverters
- c. Torus temperature is monitored by thermocouples located in both the torus air space and the suppression pool water. Continuous strip
-chart recording of these temperatures is provided on redundant recorders (Subsection 7.6.1.12.2).
The recorders are supplied with power from the appropriate ESF bus
- d. Torus pressure is monitored by both narrow
-range and wide
-range pressure transmitters and recorded on redundant strip
-chart recorders (Subsection 7.6.1.12.3). The power supply for these devices is derived from battery
-powered inverters
- e. Suppression pool water level is continuously recorded on redundant recorders (Subsection 7.6.1.12.4). Power for this instrumentation is supplied by the battery-powered inverters
- f. Radiation level within the drywell is monitored and recorded (Section 11.4).
The power for this instrumentation is derived from a 120
-V ac instrument bus.
7.5.1.4.2.5 Bypassed and Inoperable Status Indication for Nuclear Safety Systems In addition to administrative procedures for determining and indicating bypassed or inoperable status of systems, channel bypassed and inoperable status indication is provided for the RPS and ESF systems in accordance with the requirements of IEEE 279
-1971, Section 4.13. As stated in Sections 7.1, 7.2 and 7.3, the RPS and ESF systems comply with 7.5-6 REV 20 05/16 FERMI 2 UFSAR IEEE 279-1971, as supported by NEDO
-10139, which has been incorporated into the UFSAR by reference. Refer to Sections 7.2 and 7.3 for descriptions of control room indication related to specific RPS and ESF functions.
7.5.1.4.3 Safety Parameter Display System (SPDS)
SPDS is a function of the Integrated Plant Computer System (IPCS) that provides a specific selection of emergency response information. SPDS uses data from selected plant data systems and processes the data for display on the IPCS. SPDS information can be displayed on any IPCS terminal, which includes those specifically located in the control room, the technical support center (TSC), and the emergency operations facility (EOF). The SPDS display in the control room is provided to assist the operators in assessing the safety status of the plant following an accident. The IPCS and SPDS are described in subsections 7.6.1.9.1 and 7.6.1.9.1.2.5.1 respectively.
7.5.1.5 Special Condition: Loss of Habitability of Main Control Room 7.5.1.5.1 Criteria It is necessary to be able to carry out the reactor shutdown functions from outside the main control room and to bring the reactor to cold condition in an orderly fashion in compliance with General Design Criterion 19 of 10 CFR 50, Appendix A. This requirement applies when the main control room becomes uninhabitable for any reason and is accomplished using the remote shutdown panel discussed in this section.
Appendix R to 10 CFR 50 requires that the plant be safely shut down remote from the control room in the event of a fire in the main control room, relay room, cable spreading room, and other areas containing equipment or cabling of both divisions required for safe shutdown.
This capability is provided by the alternative shutdown system described in Subsection
7.5.2.5. 7.5.1.5.2 Remote Shutdown Panel The remote shutdown panel is located in the Division I switchgear room on the second floor of the reactor building. At this location it cannot be damaged by failure of any other equipment. The remote shutdown system panel is designed to comply with the requirements of Quality Assurance Level I, Seismic Category I. The following systems have instrumentation and controls on the remote panel, as shown in Figures 7.5
-2 and 7.5-3. a. Reactor core isolation cooling (RCIC) system
- b. RHR system
- c. Recirculation flow control system
- d. Nuclear boiler system
- e. Control rod drive (CRD) system
- f. Residual heat removal service water (RHRSW) system
- g. Primary containment monitoring system.
7.5-7 REV 20 05/16 FERMI 2 UFSAR 7.5.1.5.3 Conditions Assumed To Exist As the Main Control Room Becomes Inaccessible
- a. The plant is operating normally at, or less than, design power
- b. Loss of offsite ac power is considered unlikely, but credible. For shutdown outside the control room coincidental with the loss of offsite ac power, the instrumentation and controls of the alternative shutdown system, e.g., dedicated shutdown panel and its associated procedures, will be used as described in UFSAR Section 7.5.2.5.2.
- c. No LOCA or transients shall be assumed; therefore, complete control of ESF systems from outside the main control room will not be required
- d. Plant personnel evacuate the main control room
- e. The main control room continues to be inaccessible during the entire shutdown procedure f. The event that causes the main control room to become inaccessible is assumed to be such that the operator can manually scram the reactor before leaving the main control room. As a backup, the operator can manually scram the reactor, and if necessary, close the MSIVs from outside the Main Control Room. g. The main turbine pressure regulators may be controlling reactor pressure via the bypass valves; however, in the interest of simplicity and safety, it is assumed that this function is lost. Therefore, main steam line isolation is assumed to occur, and reactor pressure is relieved through the relief valves to the suppression pool. The feedwater control system is also assumed to be unavailable due to reactor isolation
- h. Reactor water is made up by the RCIC system
- i. The dc services are supplied from at least one plant dc power system for each essential system or equipment item in the remote shutdown system.
7.5.1.5.4 Description The system provides remote control for the reactor systems needed to carry out the shutdown function from outside the main control room and to bring the reactor to cold condition in an orderly fashion. This system also provides a variation to the normal system used in the main control room, permitting the shutdown of the reactor when feedwater is unavailable and the normal heat sinks (turbine and condenser) are lost.
Automatic activation of relief valves and the RCIC system brings the reactor to a hot shutdown condition. During this phase of shutdown, the suppression pool is cooled by operating the RHR system in the suppression pool cooling mode. Reactor pressure is controlled and core decay and sensible heat are rejected to the suppression pool by relieving steam pressure through the relief valves. Reactor water inventory is maintained by the RCIC system. Manual operation of the relief valves cools the reactor and reduces its pressure at a controlled rate until reactor pressure becomes so low that the RCIC system discontinues operation. This 7.5-8 REV 20 05/16 FERMI 2 UFSAR condition is reached at 50 to 100 psig reactor pressure. The RHR system is then operated in the shutdown cooling mode wherein the RHR system heat exchanger is connected directly into the reactor water circuit to bring the reactor to the cold low
-pressure condition.
7.5.1.5.5 Procedure for Reactor Shutdown From Outside the Main Control Room
- a. If evacuation becomes necessary, the operator will scram the reactor by the manual scram switches or reactor mode switch at the main control room panel as he leaves the main control room
- b. The main turbine pressure regulator will, under normal conditions, control the reactor pressure while rejecting heat (steam) through the turbine bypass valves.
The feedwater control system will control water level
- c. As a backup, the operator can manually scram the reactor and close the MSIVs from outside the Main Control Room
- d. The remainder of the procedure as described assumes that the automatic pressure regulator is not available from time zero and the main steam isolation valves (MSIVs) are closed, but the actual procedure may be written to utilize any plant equipment that is available as long as this worse case condition is provided for
- e. Key-controlled transfer switches at the remote panel are operated to transfer control to the remote shutdown panel
- f. Relief valves open automatically and cycle to control reactor pressure. Reactor level starts to drop at a rate depending on prior power level and elapsed time from scram
- g. The operator starts the RCIC system manually before Level 2 (Figure 7.3
-12) is reached and monitors the water level thereafter. The water level will continue to fall h. One relief valve opens and closes automatically, by the Low
- Low Set Function i. Reactor level reaches its lowest point at about 80 in. above top of active fuel if the RCIC system was initiated at low level. Level starts to rise as a result of RCIC system flow. Pressure relief is through one relief valve in automatic intermittent operation
- j. Water level is returned to normal by operation of the RCIC system
- k. One relief valve is still in automatic intermittent operation. The RCIC system turbine automatically shuts down when Level 8 is reached. It starts automatically when the level drops to the initiation level
- l. Reduction of reactor pressure is started by manually actuating one relief valve.
While activating relief valves, the operator observes the reactor level and suppression pool temperature 7.5-9 REV 20 05/16 FERMI 2 UFSAR
- m. Relief valves are closed before level drops below Level 3. The reactor cooldown rate will be controlled to not exceed 100F per hour. Reactor level varies between Level 3 and Level 8
- n. The RHR system with one pump, one heat exchanger, and the RHRSW system is used to cool the suppression pool
- o. The operator activates two relief valves to maintain reduction of pressure to 250 psig while observing pool temperature, which is not to exceed 140F unless the reactor pressure decreases to less than 250 psig
- p. Reactor pressure is reduced to 100 psig, allowing the suppression pool temperature to reach 170F if necessary
- q. The RHR system is placed in the shutdown cooling mode. The RHR operation continues until the reactor is in the cold/low
-pressure condition
- r. Normal reactor water level is maintained after being placed in the shutdown cooling mode.
7.5.2 Analysis 7.5.2.1 General The safety
-related and power
-generation display instrumentation provides adequate information to allow operators to make correct decisions as bases for manual control actions permitted under normal, abnormal transient, and accident conditions.
Information instrumentation having no direct input to ESF systems, except through the operator as a link, is considered to be outside the scope of existing IEEE Standards.
However, insofar as practical, instruments are selected from those types qualified under IEEE
-1971. Redundancy and independence or diversity are provided in all of the information systems used for the basis of operator
-controlled safeguards action.
This instrumentation is designed to operate during normal operation, accident, and postaccident environmental conditions. The design criteria that the instrumentation must meet are discussed more fully in Subsection 7.1.2. The specific design qualifications of the instruments referenced in this section are tabulated in Table 7.5
-2. 7.5.2.2 Normal Operation Subsection 7.5.1.2 describes the basis for selecting ranges for instrumentation and, inasmuch as monitoring requirements for abnormal transient or accident conditions exceed those for normal operation, the normal ranges are covered adequately.
7.5.2.3 Abnormal Occurrences These occurrences will result in conditions lesser in consequence than those defined to be accident conditions in Subsection 7.5.2.4. Proper accident tracking, therefore, qualifies abnormal occurrence tracking.
7.5-10 REV 20 05/16 FERMI 2 UFSAR 7.5.2.4 Accident Conditions The LOCA is the most extreme operational event. Information readouts are designed to accommodate this event from the standpoint of operator action, information, and event tracking requirements, and therefore cover all other design
-basis events or incidents requirements.
7.5.2.4.1 Initial Accident Event The design bases of all ESF systems to mitigate accident event conditions take into consideration that no operator action or assistance is required or recommended for the first 10 minutes of the event. This requirement makes it mandatory that all protective action necessary in the first 10 minutes be automatic. Therefore, although continuous tracking of variables is available, no operator action based upon them is intended.
7.5.2.4.2 Postaccident Tracking After 10 minutes, operator action is optional. The following process instrumentation provides information to the operator after a design
-basis accident (DBA) for his use in monitoring reactor conditions within the primary containment.
7.5.2.4.2.1 Reactor Water Level Vessel water
-level instrumentation described in Subsection 7.5.1.4.2.1 is redundant, electrically independent, and is operable following all credible accident events. Subsection 15.6.2 discusses the postulated instrument line break scenarios. This instrumentation complies with independence and redundancy requirements of IEEE 279
-1971. 7.5.2.4.2.2 Reactor Pressure Pressure instrumentation described in Subsection 7.5.1.4.2.2 is redundant, electrically independent, and is operable following all credible accident events. This instrumentation complies with the independence and redundancy requirements of IEEE 279
-1971. 7.5.2.4.2.3 Shutdown, Isolation, and Core Cooling Indication This information instrumentation will have no direct input to the ESF systems and is considered to be outside the scope of existing 36IEEE Standards. However, insofar as practical, instruments will be selected from those types that are qualified under IEEE
-279 and IEEE-323. Redundancy and independence or diversity will be provided in all systems which are used for operator control and ESF status information.
7.5.2.4.2.4 Primary Containment Indication Primary containment instrumentation described in Subsection 7.5.1.4.2.4 is designed to be redundant, electrically independent, and remain operable following all credible accident events. The ranges have been selected to cover the design conditions of the containment.
7.5-11 RE V 20 05/16 FERMI 2 UFSAR 7.5.2.4.3 Safety Parameter Display System See Subsection 7.6.1.9.1.2.5.1 for a discussion of the design analysis of the SPDS.
7.5.2.5 Special Condition: Post-Fire Reactor Shutdown From Outside the Main Control Room Analysis of reactor shutdown from outside the main control room is included in Subsection 7.5.1.5 for non-fire scenarios requiring control room evacuation.
This section discusses the alternative shutdown system, which includes the dedicated shutdown panel, used for post
-fire shutdown for fires in the main control room and selected other areas
. 7.5.2.5.1 Design Bases The alternative shutdown system was designed and installed to meet the requirements of 10 CFR 50, Appendix R, Section III, paragraphs G and L. The alternative shutdown system was designed to provide safe
-shutdown capability separate and remote from the control center complex (control room, relay room, and cable spreading room, fire zones 0 3 AB , 0 7 AB and 0 9 AB) and other selected auxiliary building fire zones 08AB, 11AB and 13AB when a fire in the complex or these zones is assumed to significantly damage the equipment/cabling in these zones. In the context of the discussion of alternative shutdown design basis, these six fire zones are referred to as the dedicated shutdown areas of concern. The above fire zones are described in UFSAR 9A.4. These zones are not the Fire Detection Zone numbers. UFSAR Figure 9A
-1 provides a descriptive table cross
-referencing the UFSAR Fire Zones and the Fire Detection Zones used in the abnormal operating procedure.
The objectives of the alternative shutdown system are to
- a. Achieve and maintain subcritical reactivity conditions in the reactor
- b. Maintain reactor coolant inventory
- c. Achieve and maintain hot shutdown
- d. Achieve cold shutdown conditions within 72 hr
- e. Maintain cold shutdown conditions thereafter.
The reactor is shut down and maintained subcritical by control rod insertion. The portions of the CRD system necessary for reactor scram are designed to fail safely (actuate) if subjected to a fire. The core is kept covered by establishing standby feedwater flow to make up for loss of reactor vessel water inventory. Hot shutdown is achieved and maintained by establishing primary containment cooling and torus cooling. The primary containment fan and cooling unit operation (Subsection 9.4.5) and the torus cooling mode of the system (Subsection 5.5.7) are established prior to exceeding established drywell temperature and suppression pool water temperature design limits, respectively. Cold shutdown is achieved by the shutdown cooling mode of the RHR system.
The alternative shutdown system provides a dedicated shutdown panel located in the radwaste building, second floor
- , from which an operator can monitor the reactor and keep the reactor core covered with water. The system design uses appropriate systems already 7.5-12 REV 20 05/16 FERMI 2 UFSAR installed, with installation of the panel and necessary control and transfer switches to make it functional.
NOTE:
- In past correspondence with the NRC, the dedicated shutdown panel has also been called the 3L panel because it satisfies Paragraph III.L, of Appendix R to 10 CFR 50.
7.5.2.5.2 System Description The alternative shutdown system consists of one of the four combustion turbine generators (CTGs), the standby feedwater (SBFW) system, a dedicated shutdown control panel and associated instrumentation, a Distributed Control System (DCS), and Division I portions of the following systems: RHR, RHRSW, emergency equipment cooling water (EECW), and emergency equipment service water (EESW). The dedicated shutdown panel is supplemented by local manual operator actions to achieve hot or cold shutdown.
The four CTGs (Subsection 8.2.1.2) are oil
-fired turbine generators located onsite, remote from the fire areas of concern. The CTG 11
-1 is used to provide emergency power when a fire occurs in the fire areas of concern, or on loss of offsite power should the EDGs be unavailable. CTG 11
-1 has black start capability. The CTG starting diesel is located in an enclosed heated compartment and is equipped with a float tank, which provides an initial supply of warm fuel oil, to ensure its operability. Diesel fuel is maintained in the CTG Fuel Oil Tank with a fuel level maintained by plant procedures to ensure nominal fuel availability for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of operation for a single CTG unit at 10 MW load.
If CTG 11-1 is not available, either CTG 11
-2, CTG 11-3 or CTG 11
-4 (with AC starting motors) can be established on a standby basis as the black start power source for alternative shutdown power source using a standby starting diesel generator. Cold weather equipment preparation is addressed within the System Operating Procedure during the cold weather season. The CTGs' control, instrumentation, and power cabling is located, isolated, and/or routed independent from the fire areas of concern, except for the CTG supervisory control circuit, which has transfer and lockout features that ensure that it is isolated from control room CT G circuitry.
Control of the breakers in the Fermi 120
-kV switchyard and control of the CTGs is via a supervisory system. The essential elements of the system consist of a Distributed Control System panel (with local I/O) located at the 120
-kV switchyard/SBO DG area, fiber optic communication lines, and actuating devices.
The Distributed Control System (DCS) functions as follows: field devices interface with the local DCS I/O panels and processors for 120
-kV switchyard & CTGs process the signals and transmit the data via redundant fiber optic lines to a 3L Remote I/O panel in the Dedicated Shutdown Panel area in Fermi 2. The 3L Remote I/O panel interfaces with the Dedicated Shutdown panel for monitoring and control functions for the CTGs and 120
-kV switchyard equipment. A block diagram of the CTG DCS control system is presented in Figure 7.5
-4. A dedicated shutdown system transfer pushbutton is provided in the control room, which, when activated, communicates with the DCS to initiate a start signal to CTG 11-1, arm the 120-kV switchyard undervoltage scheme, and inhibit control signals for the 120
-kV 7.5-13 REV 20 05/16 FERMI 2 UFSAR Switchyard and CTGs from the Fermi 2 control room. At the same time, 120
-kV Switchyard and CTG 11
-1 control is transferred to the Dedicated Shutdown Panel (H21
-P623). If the control room is abandoned before the transfer pushbutton is activated, transfer can be accomplished at the Dedicated Shutdown Panel H21
-P623 and the CTG 11
-1 can be started manually after transfer. The possible fire induced spurious equipment actuations before transfer occurs are recoverable at the H21
-P623 panel. The undervoltage scheme isolates 120-kV switchyard buses from offsite supplies and aligns breakers to provide power for Dedicated Shutdown from CTG 11
-1. The CTG power is supplied via peaker bus 1
-2B through breaker A6 to the 4160
-V Class 1E bus or via the main 120
-kV bus through transformer SS64 (see Figure 8.3
-1). The 4160
-V bus provides power for the SBFW pumps; the Division I RHR, RHRSW, EECW, and EESW pumps and associated powered equipment through downstream electrical buses (Figure 7.5
-5). The SBFW system, Figure 7.5
-6, described in Subsection 10.4.8, provides an alternative makeup water source for the reactor vessel. After transfer, the SBFW system is manually
controlled and operated from the dedicated shutdown panel to maintain level above the top of the core. Control and transfer switches necessary for operating associated feedwater system valves and breakers are installed on the dedicated shutdown panel. Also, SBFW system flow is indicated on the dedicated shutdown panel. Power for the feedwater pump motors is from the CTGs or offsite power via the 4160
-V electrical bus.
If the CTG is operating in parallel on the grid at the time offsite power is lost, the CTG output breaker is assumed to trip. However, the CTG turbine will not trip. The plant operator must take steps to isolate the grid, reclose the CTG output breaker and line up the two SBFW buses. If the CTG was not in operation, it could be started from the main control room before abandonment, but in the worst case, it would be started from the dedicated shutdown panel. The RHR and RHRSW systems, described in Subsections 5.5.7 and 9.2.5, provide cooling capability for the reactor and torus water. The RHR system functional modes (1) torus cooling (Figure 7.5
-7) and (2) shutdown cooling (Figure 7.5
-8) modes, are described in Subsections 5.5.7.3.1 and 5.5.7.3.2.
The RHRSW system (Subsection 9.2.5) provides the heat sink for the reactor core by providing the cooling medium for the RHR heat exchanger. The EECW system functions as described in Subsection 9.2.2.1 to cool equipment required for reactor shutdown. The EECW is cooled by the EESW described in Subsection 9.2.5; a simplified flow diagram is shown in Figure 7.5
-9. The dedicated shutdown control panel is a local operation station, remote from the fire areas of concern, with instrumentation and control switches and transfer switches necessary for operating the SBFW shutdown system required to keep the reactor core covered with water.
Instrumentation, control switches, and transfer switches on the panel are listed in Table 7.5
-3. Hot and cold shutdown can be achieved from the dedicated shutdown panel with manual operator action required locally in the reactor/auxiliary building and RHR complex. Local operation includes controlling equipment at local panels, switchgear, MCCs, distribution 7.5-14 REV 20 05/16 FERMI 2 UFSAR panels, and valves. Figures 7.5
-7 and 7.5-8 show the flow paths involved for both hot and cold shutdown.
Auxiliary systems required to support the alternative shutdown system are listed below and are described in the sections identified.
The SBFW system requires no auxiliary support system. Both pump and motor have a forced-flow lube-oil system that is driven off the pump shaft. The lube
-oil system is cooled by a portion of the pump discharge flow routed to an oil cooler. Motor windings are designed to take a 74F rise in temperature over a continuous rating of 111F, which results in a maximum temperature of 185 F in approximately 60 hr. Once in shutdown cooling, the SBFW system will be turned off; inventory makeup will no longer be required. Shutdown cooling will be started in less than 1 1.75 hr. Space cooler, heat exchanger, and pump/motor cooling for the other systems is supplied either by EECW, EESW, or RHRSW as specified in Subsections 9.2.2 and 9.2.5.
Auxiliary support systems (i.e., heating, ventilation, and air conditioning [HVAC], or other fluid systems) are not required for the EECW system, EESW system, or the Division I switchgear room. This is because of the small heat loads generated (under the scenario very little electric equipment is energized) and because the EECW and EESW pumps require no external cooling or seal water.
The dedicated shutdown panel area in the second floor of the radwaste building is provided with a local area cooler as described in Section 9.4.3. The function of the Dedicated Shutdown Air Conditioning Unit is to provide cooling, if needed, to maintain habitability at the Dedicated Shutdown Panel location for the duration of a post
-fire shutdown requiring the use of the panel. This cooler is manually restored to the 72M Bus which is powered by dedicated shutdown power sources, including CTG 11
-1. Once started using a switch near the Dedicated Shutdown Panel, area temperature is automatically controlled by local thermostat
. The RHR pump requires the support of a room cooler and a pump bearing cooler. Both the bearing cooler and pump room cooler are supplied by the EECW system. The room cooler also requires operation of a fan unit.
Drywell cooling is accomplished by establishing EECW flow to the drywell cooling units and operation of their associated fan units.
If normal communications links are not available, communications between the operators at locations in the plant and the dedicated shutdown panel operator are via hand
-held portable radios that operate by either radio
-to-radio, or radio
-to-portable, repeater
-to-radio communication links.
Communication between the Dedicated CTG operator and the Main Control Room or local Dedicated Shutdown Panel operator is achieved using the local telephone system.
Eight-hour emergency lighting for safe
-shutdown capability is provided for all local operations and for access/egress routes to and from local safe
-shutdown areas.
Use of local emergency lighting for the CTG area is addressed within the System Operating Procedure
. To implement the alternative shutdown concept, it must be ensured that cabling and required devices are not in, or do not pass through, a fire zone for which the concept is being relied upon, or that an adequate level of protection is provided. To achieve this objective, transfer switches have been installed that completely isolate any cabling that passes through the fire 7.5-15 REV 20 05/16 FERMI 2 UFSAR zones of concern from their associated actuating devices. New cable that is required for instrumentation and CTG supervisory control is routed to ensure it does not pass through the fire areas of concern.
Interfaces between Class 1E and non
-Class 1E components meet the electrical separation criteria for Section 8.3 and appropriate IEEE criteria for environmental and seismic qualification.
Table 7.5-5 lists the 4160
-V switchgear and motor control center (MCC) positions that have the above-described transfer function. 7.5.2.5.3 Procedure An Abnormal Operating Procedure provides procedural guidance to achieve and maintain safe shutdown in the event that a fire in any of the dedicated shutdown areas of concern warrants post
-fire shutdown from outside the main control room using the dedicated shutdown panel. The procedure provides direction regarding conditions upon which the procedure should be entered, actions to be taken in the control room before it is abandoned, as well as immediate and longer
-term manual actions at the dedicated shutdown panel and other plant locations. These actions, in the aggregate, assure that the plant is put in a known and analyzed configuration to support the performance of the design basis functions described in Section 7.5.2.5.1 consistent with the safe shutdown analysis described in Appendix 9A.
When the standby diesel generator is utilized, the system operating procedure addresses starting and maintaining the standby diesel generator to power the CTG 11
-2, CTG 11-3, or CTG 11-4 480 volt starting motors and auxiliaries. An additional dedicated CTG operator is required at the CTG area whenever the standby diesel generator is used to provide power for the Dedicated Shutdown System. 7.5.2.5.4 Safety Evaluation Post-fire shutdown outside the control room using the alternative shutdown system and dedicated shutdown panel has been analyzed as described in Section 9A.3. This analysis includes circuit faults including open circuits, shorts to ground and hot shorts that could directly affect safe shutdown systems as well as common shutdown functions, e.g., loss of RPV inventory or spurious SRV operation. The safe shutdown analysis demonstrates that the core will remain covered with the Standby Feedwater System delivering flow to the RPV within 29 minutes. The time studies for establishing SBFW flow include allowance for the power supply starting times, breaker and valve operating times and operator transit times. In addition, the analysis demonstrates that design limits for suppression pool and drywell cooling established within approximately 3 and 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />, respectively, following reactor scram from full power.
Therefore, the alternative shutdown system (including the instrumentation and controls located on the dedicated shutdown panel), in conjunction with proceduralized manual actions taken at the panel and at other plant locations, provides the capability required to achieve and maintain safe shutdown following a fire that requires shutdown from outside the control room. 7.5-16 REV 20 05/16 FERMI 2 UFSAR A black start test of an alternate CTG demonstrated that use of an alternate CTG supported the performance goal of the alternative Dedicated Shutdown system which is Standby Feedwater system delivering flow to the RPV within 29 minutes.
7.5.2.5.5 Tests and Inspections Except for where equipment directly interfaces with essential Class 1E components, the alternative shutdown system is considered a BOP system. Quality assurance requirements for the Class 1E portion of the alternative shutdown system will be the same as for the Class 1E equipment it is interfacing with. Quality assurance requirements applied to those portions of the system not interfacing directly with a Class 1E system will be appropriate for the use of that portion of that system. Periodic testing is described in Section 9A.6.
7.5.3 DELETED IN REVISION 20 7.5-17 REV 20 05/16 FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.5-1 Instrument Name CONTROL ROOM LEVEL INDICATION Type and No.
Scale (in.)
Control Room Panel Postaccident pressure/level recorder A MRE-R623A +10 to +220 601 Postaccident pressure/level recorder B MRE-R623B +10 to +220 602 Core level recorder LR-R615 602 Core level recorder LR-R610 601 Flood-up level indicator LIE-R605 +160 to +560 603 Wide-range level indicator A LI-R604A +10 to +220 601 Wide-range level indicator B LI-R604B +10 to +220 602 Narrow-range level indicator A LI-R606A +160 to +220 603 Narrow-range level indicator B LI-R606B +160 to +220 603 Narrow-range level indicator C LI-R606C +160 to +220 603 Narrow-range level recorder A/B LR-R614 +160 to +220 603 FERMI 2 UFSAR Page 1 of 5 REV 17 05/11 TABLE 7.5-2 SAFETY-RELATED AND POWER GENERATION DISPLAY INSTRUMENTATION Reactor Water Level Transmitter B21-N091A-D & B21-N085A-BReactor Pressure Transmitter a Pressure/ Level Recorder B21-N051A-B Neutron Monitoring Power Range Recorders B21-R623A-B Design classes C51-R603A-B QA level/seismic category i I/I I/I I/I 1M/II/I Power supply 120-V ac Div. I/II inverter bus 120-V ac Div. I/II inverter bus 120-V ac Div. I/II inverter bus 120-V ac BOP inverter bus Number of channels 6 2 2 4 b Alarm setpoint(s) c 173 in. decreasing for N091 d - 42 in. for N085 NA e Alarm on Auto-switchover to high chart speed NA Control logic ECCS level logic NA NA NA Instrument range N091 d - 10 to 220 in.
N085 d - -150/0/50 in.
0-1500 psig Compatible with inputs 0-125 percent Instrument accuracy f , j N091 - +/-0.25 percent f N085 - +/-0.25 percent
+/-0.25 percent
+/-0.5 percent
+/-0.5 percent Annuciators RPS Variables l Sequence-of-Events Integrated Plant Computer Main Steam Flow Recorder Recorder l Design classes C32-R607 g QA level/seismic category i NQ/II/I NQ/II/I NQ/II/I NQ/II/I Power supply 130-V dc BOP battery inverter supply 120 V ac from UPS A and B 130-V dc BOP battery inverter supply 120-V ac BOP inverter bus Number of channels 2 per variable 1 per variable 2 per variable 1 Alarm setpoint(s)
NA NA NA NA Control logic Open circuit to alarm NA Open circuit to alarm NA Instrument range NA NA NA 0-17 x 10 6 lb/hr Instrument accuracyf, j NA NA NA +/-0.5 percent
FERMI 2 UFSAR Page 2 of 5 REV 17 05/11 TABLE 7.5-2 SAFETY-RELATED AND POWER GENERATION DISPLAY INSTRUMENTATION HPCI Discharge Pressure Transmitter HPCI Discharge Pressure Indicator E41-N009 HPCI Discharge Flow Transmitter E41-R609 HPCI Discharge Flow Indicator E41-N008 ADS Valve Position E41-R613 Indicator Lamp Design classes s QA level/seismic category i I/I 1M/II/I I/I I/I I/I Power supply Inverter from Div. II Battery Inverter from Div. II Battery Inverter from Div. II Battery Inverter from Div. II Battery Div. I battery Number of channels 1 1 1 1 1 per valve Alarm setpoint(s)
NA NA NA NA NA Control logic NA NA NA NA NA Instrument range 0-1500 psig 0-1500 psig 0-8000 gpm 0-8000 gpm NA Instrument accuracyf,j +/-0.4percent
+/-0.5 percent
+/-0.25 percent
+/-.2 percent NA Core Spray Discharge Pressure Transmitter Core Spray Discharge Pressure Indicator E21-N001A-B Core Spray Discharge Flow Transmitter E21-R600A-B Core Spray Discharge Flow Indicator E21-N003A-B Design classes E21-R601A-B QA level/seismic category i I/I 1M/II/I I/I 1M/II/I Power supply 120-V ac Div. I/II 120-V ac Div. I/II 120-V ac Div. I/II 120-V ac Div. I/II Number of channels 2 2 2 2 Alarm setpoint(s)
NA NA NA NA Control logic NA NA NA NA Instrument range 0-600 psig 0-600 psig 0-10,000 gpm*
0-10,000 gpm*
Instrument accuracyf,j +/-0.4 percent
+/-0.5 percent
+/-0.25 percent
+/-1 percent
- 9150 to 10,000 gpm on the scale not used Core Spray Pump RHR (LPCI Mode) Pump Discharge Header Pressure Transmitter Motor Current RHR (LPCI Mode) Pump Discharge Header Pressure Indicator E11-N056A-D RHR (LPCI Mode) Flow Transmitter E11-R803/R804 Design classes QA level/seismic category 1 E11-N015A-B NQ/II/I I/I 1M/II/I I/I Power Supply Current transformer 120-V ac. Div. I/II inst. bus 120-V ac. Div. I/II inst. bus 120-V ac. Div. I/II inst. bus Number of channels 4 (1 per motor) 4 (1 per motor) 4 (1 per motor) 4 (1 per motor)
Alarm setpoint(s) c 125 percent NA NA NA Control logic NA NA NA NA Instrument range 0-200 percent 0-500 psig 0-500 psig 0-774.8" W.C.
Instrument accuracyf,j +/-2 percent
+/-0.25 percent
+/-0.5 percent
+/-0.25 percent
FERMI 2 UFSAR Page 3 of 5 REV 17 05/11 TABLE 7.5-2 SAFETY-RELATED AND POWER GENERATION DISPLAY INSTRUMENTATION RHR (LPCI Mode) Flow Recorder RHR Pump E11-R608A-B RHR Service Water Flow Transmitter Motor Current RHR Service Water Flow Indicator E11-N007A-B RHR Service Water Thermocouples E11-R602A-B Design classes E11-N005A-B QA level/seismic category 1 1M/II/I NQ/II/I I/I 1M/II/I NQ/II/I Power Supply 120-V ac Div. I/II inst. bus Current transformer 120-V ac Div. I/II inst. bus 120-V ac Div. I/II inst. bus NA Number of channels 2 4 (1 per motor) 2 2 2 Alarm setpoint(s) c NA 289 amps NA NA NA Control logic NA NA NA NA NA Instrument range 0-28,000 gpm 0-500 amps 0-10,000 gpm 0-10,000 gpm 0-400 °F Instrument accuracyf,j +/-0.5 percent
+/-2 percent
+/-0.4 percent
+/-1 percent NA RHR Service Water Outlet Temperature Recorder Relief Valve Discharge Thermocouples E11-R601A-B Relief Valve Discharge Temperature Recorder B21-N004A-H, J-N, P, R B21-R614 Design classes Indicating Timer on ADS QA level/seismic category i NQ/II/I NQ/II/I 1M/II/I NQ/II/I Power supply 120-V ac Div. I/II inst. Bus NA 120-V ac BOP inst. Bus 120-V ac Div. I battery Number of channels 2 15 15 (one recorder) 1 Alarm setpoint(s) c 175 °F NA 220 °F NA Control logic NA NA NA Starts on energization of ADS timers Instrument range 0-400 °F 0-600 °F 0-600 °F 105-0 sec (count down)
Instrument accuracyf,j +/-0.5 percent Per ANSI C96.1
+/-0.2 percent
+/-1 sec.
FERMI 2 UFSAR Page 4 of 5 REV 17 05/11 TABLE 7.5-2 SAFETY-RELATED AND POWER GENERATION DISPLAY INSTRUMENTATION Automatic Load Digital "Remaining Sequencer Drywell Thermocouples Capacity" Meter Drywell and Torus Temperature Recorder T50-N409B, - N412A Pressure Transmitter (Narrow Range)
T50-R800A-B Design classes T50-N401A-B QA level/seismic category i I/I NQ/II/I I/I I/I I/I Power supply 260-130-V dc Div. I&II battery 120-V ac inst. Buses Div. I&II NA 120-V ac Div I: Instrument Bus Div II: Inverter Bus Div. I: battery inverter on Div. I Div. II: battery inverter on Div. II Number of channels 4 4 2 6 (2 - Drywell) (4 - Torus) page 7.5-33 2 Alarm setpoint(s) c NA NA NA NA NA Control logic NA NA NA NA NA Instrument range NA 3000-0 kW See recorder 0-400 °F -5 to +5 psig Instrument accuracyf, j NA +/-1 percent Standard TC wire
+/-0.3 percent
+/-0.25 percent Drywell Pressure Transmitter (Wide Range)
Drywell Narrow Range, Wide Range and Torus Wide Range, Narrow Range Pressure Recorder T50-N415A-B Design classes T50-R802A-B QA level/seismic category i I/I I/I Power supply CH A battery inverter on Div. I CH B battery inverter, Div. II Div. I - battery inverter on Div. I Div. II - battery inverter on Div. II Number of channels 2 2 Alarm setpoint(s) c NA NA Control logic NA NA Instrument range k 0-250 psig -5 to +5 psig, 0 to 250 psig, 0-80 psig, -5 to +15 psig Instrument accuracyf, j +/-0.25 percent
+/-0.25 percent
FERMI 2 UFSAR Page 5 of 5 REV 17 05/11 TABLE 7.5-2 SAFETY-RELATED AND POWER GENERATION DISPLAY INSTRUMENTATION Torus Thermocouples T50-N402A, -N403B, Containment Radiation
-N405B, &N404A Torus Pressure Transmitters Wide
-Range D11-K816 A-B Torus Pressure Transmitters Narrow
-Range T50-N414A-B Design classes T50-N499 A-B QA level/seismic category i I/I I/I I/I I/I Power supply NA CH A-120-V ac inst. bus, Div. I CH B-120-V ac inst. bus, Div. II CH A-battery - inverter on Div. I CH B-battery - inverter on Div. II CH A-battery - inverter on Div. I CH B-battery - inverter on Div. II Number of channels 4 2 2 2 Alarm setpoint(s) c NA NA NA NA Control logic NA NA NA NA Instrument range NA See recorder 10 0 to 10 8 rad/hr NA 0 to 80 psig NA -5 to +15 psig Instrument accuracyf,j Standard TC wire
-- +/-0.25 percent
+/-0.25 percent Suppression Pool Water Level Transmitter Suppression Pool Water Level Recorder T50-N406 A-B Drywell Radiation Instrument T50-R804 A-B Drywell Radiation Recorder T50-N003 Design classes T50-R809 QA level/seismic category i I/I I/I IM/II/I 1M/II/I Power supply Div. I-Battery inverter on Div. I Div. II-Battery inverter on Div. II 120-V ac inst. buses Div. 1 & II 120-V ac inst. buses BOP 120-V ac inst. buses BOP Number of channels 2 2 1 1 Alarm setpoint(s) c NA NA To be established after background is measured To be established after background is measured Control logic NA NA NA NA Instrument range
-144 to +56 in.
-144 to +56 in.
Variable over suitable range Compatible with radiation instrument recorder output Instrument accuracyf,j +/-0.25 percent
+/-0.25 percent 2 percent +/-0.5 percent a Wide range shutdown indication. Reads full scale when jet pumps are operating.
b Two recorders display two channels each.
c Nominal values are given for information. See Technical Specifications for operational limits. d Measured from top of active fuel.
e NA = Not Applicable.
f Accuracy specified in percent of full scale unless otherwise noted.
g Recorder shared with feedwater flow signal.
h May be obtained from analyzers or recorders or combination of the two depending on make selected.
i The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
j The instrument accuracy information provided in the UFSAR tables is a bounding value.
For actual value see the Fermi 2 Central Component Database.
k Deleted l The Visual Annunciator System (C9700) combines the annunciator and sequence
-of-events recorder function using redundant hardware and application software.
FERMI 2 UFSAR Page 1 of 2 REV 16 10/09 TABLE 7.5-3 DEDICATED SHUTDOWN PANEL INSTRUMENTATION AND CONTROLS Reactor pressure Instrumentation Reactor level Condensate storage tank level Torus temperature Torus level Primary containment temperature (drywell)
Standby feedwater flow Bus voltage monitor for buses 101, 102, 1, 1
-2, 64 Combustion turbine generator
- voltage, frequency, watts, VARs Undervoltage trip armed Supervisory control transferred 120 - kV breaker control Controls CTG control
- 1) breaker GM
- 1) raise/lower voltage
- 2) breaker GK
- 2) raise/lower governor
- 3) breaker GH
- 3) power block control
- 4) breaker GD 13.8- kV breaker control Standby feedwater system
- 1) breaker A2
- 1) SBFW pump A (4160
-V breaker V2)
- 2) breaker A6
- 2) SBF W pump B (4160
-V breaker W4)
- 3) breaker A7
- 3) SBFW discharge isolation valve (N2103 F001)
- 4) breaker B6
- 4) SBFW low flow discharge valve (N2103 F003)
- 5) SBFW high flow discharge valve (N2103 F002) 13.2 kV breaker control
- 1) breaker A 2) breaker B Safety/relief valve B21-F013G 3) breaker C 4) breaker D FERMI 2 UFSAR Page 2 of 2 REV 16 10/09 TABLE 7.5-3 DEDICATED SHUTDOWN PANEL INSTRUMENTATION AND CONTROLS 4160-V breaker control Transfer switches
- 1) breaker V1
- 1) EF2 Supervisory Control
- 2) breaker V2
- 2) EF2 System Controls
- 3) breaker V3
- 4) breaker W4
- 5) breaker W5
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09
TABLE 7.5-4 HAS BEEN INTENTIONALLY DELETED
FERMI 2 UFSAR TABLE 7.5-5 4160-V SWITCHGEAR AND MOTOR CONTROL CENTERS WITH TRANSFER AND LOCAL CONTROL CAPABILITY Page 1 of 3 REV 16 10/09 Breaker V1, V2, V3, W4, W5, C5, C6, C8, C11, C9, C10 (no local control for C9 and C10, just transfer) 480-V MCC 72B-2A: P4400F616 (EECW inboard containment isolation)
E1150F028A (RHR torus return)
Valve E1150F024A (RHR torus return)
E1150F004A (RHR torus pump suction)
E1150F611A (RHR valve F017 bypass)
T4700C001 Fan 480-V MCC 72C-F:
B3105F031A (reactor recirculation pump discharge isolation)
Valve E1150F010 (RHR Division II cross tie)
E1150F015A (RHR shutdown cooling return to vessel)
E1150F017A (RHR shutdown cooling return to vessel)
480-V MCC 72C-3A E1150F009 (RHR shutdown cooling inboard suction)
Valve P4400F606A (EECW supply
- outboard containment isolation)
E1150F003A (RHR heat exchanger outlet)
E1150F004C (RHR torus pump suction)
FERMI 2 UFSAR TABLE 7.5-5 4160-V SWITCHGEAR AND MOTOR CONTROL CENTERS WITH TRANSFER AND LOCAL CONTROL CAPABILITY Page 2 of 3 REV 16 10/09 E1150F047A (RHR heat exchanger inlet)
E1150F068A (RHR service water throttle)
E1150F048A (RHR heat exchanger bypass)
P4400F601A (EECW return to RBCCW)
P4400F602A (EECW make
-up tank outlet)
P4400F603A (RBCCW supply to EECW)
E1150F006C (RHR pump suction isolation)
E1150F016A (RHR drywell spray line)
E41-F400 (torus water level isolation valve)
T50-F412A (torus water level isolation valve)
T4700C002 (containment cooling fan)
Fan T4100B018 (RHR room cooler fan)
MCC 2PC 1 N2103F001 (SBFW discharge isolation) Valve N2103F002 (SBFW high flow discharge throttle valve)
N2103F003 (SBFW low flow discharge throttle valve)
MCC 72F-4A (with alternate supply from 72M
-3B)
P4400F607A (EECW return
- outboard containment isolation)
R3200S022A (BOP Battery Charger 2C
-1, DC power for SBFW valves)
Battery Charger
FERMI 2 UFSAR TABLE 7.5-5 4160-V SWITCHGEAR AND MOTOR CONTROL CENTERS WITH TRANSFER AND LOCAL CONTROL CAPABILITY Page 3 of 3 REV 16 10/09 MCC 72S-2A, Compt 5C R3200S022C (BOP Battery Charger 2C1
-2, DC power for SBFW valves)
Battery Charger
FERMI 2 UFSAR 7.6 OTHER SYSTEMS REQUIRED FOR SAFETY AND POWER GENERATION
7.6.1 Description
7.6.1.1 Refueling Interlocks System 7.6.1.1.1 System Identification The purpose of the refueling interlocks system is to restrict the movement of control rods and the operation of refueling equipment to reinforce operational procedures that prevent making the reactor critical during refueling operations.
7.6.1.1.2 Power Sources Both channels are powered by the control rod drive (CRD) system power supply. A failure of this power supply will prevent any rod motion.
7.6.1.1.3 Equipment Design 7.6.1.1.3.1 Circuit Description The refueling interlocks circuitry senses the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated to prevent the movement of the refueling equipment or withdrawal of control rods (rod block). Dual channel Circuitry is provided to sense the following conditions:
- a. All rods inserted
- b. Refueling platform positioned near or near over the core
- c. Refueling platform hoists fuel-loaded (fuel grapple, frame-mounted hoist, trolley-mounted hoist) d. Fuel grapple not at full-up position.
The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement (Figure 7.7-1). A two-channel dc circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod position indicator probe. The rod-in switch must be closed for each rod before the "all-rods-in" signal is generated. Both channels must register the "all
-rods-in" signal for the refueling interlock circuitry to indicate the "all-rods-in" condition. During refueling operations, no more than one control rod is permitted to be withdrawn.
This restriction is enforced by a redundant logic circuit that uses the "all
-rods-in" signal and a rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select pushbuttons. With the mode switch in the REFUEL position, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.
7.6-1 REV 20 05/16 FERMI 2 UFSAR Operation of refueling equipment is prevented by interrupting the power supply to the equipment. The refueling platform is provided with two mechanical switches attached to the platform, which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor pressure vessel (RPV) to indicate the approach of the platform toward its position over the core.
The hoists on the refueling platform and the service platform are provided with switches that open when the hoists are fuel loaded. This circuitry indicates when fuel is loaded on any hoist.
7.6.1.1.3.2 Bypasses and Interlocks NOTE: Service platform and hoist equipment are permanently removed. However, bypass for the load interlock system will remain in place in order to provide original function. A bypass for the service platform hoist load interlock is provided. When the service platform is no longer needed, its power plug is removed. This deenergizes the power supply to the hoist. The platform can then be moved away from the core. Deenergizing the hoist power supply opens the hoist load switches and gives a false indication that the hoist is loaded. This indication prevents control rod withdrawal with the mode switch in the STARTUP or REFUEL position. A bypass plug allows control rod movement in this situation. The bypass plug is physically arranged to prevent the connection of the service platform power plug unless the bypass plug is removed. The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks that restrict operation of the platform hoist and grapple provide a third level of interlock action since they would be required only after a failure of a rod block and refueling platform interlock. It is pertinent to note that the strict procedural control exercised during refueling operations may be considered a fourth level of backup.
7.6.1.1.3.3 Redundancy and Diversity The refueling interlocks are designed such that a single interlock failure will not cause an accident. These refueling interlocks are provided for use during planned refueling operations. Criticality is prevented during the insertion of fuel, provided control rods in the vicinity of the vacant fuel space are fully inserted during the fuel insertion. The refueling interlock system accomplishes this by:
- a. Preventing operation of the fuel-loaded refueling equipment over the core whenever any control rod is withdrawn b. Preventing control rod withdrawal whenever fuel-loading equipment is over the core c. Preventing withdrawal of more than one control rod when the mode switch is in the REFUEL position. The refueling interlocks have been carefully designed using redundancy of sensors and circuitry, to provide a high level of reliability and assurance that the stated design bases will 7.6-2 REV 20 05/16 FERMI 2 UFSAR be met. Each of the individual refueling interlocks discussed above need not meet the single-failure criterion of IEEE 279-1971 because the four essentially independent levels of protection provide assurance that the design basis is met. For any of the "situations" listed in Table 7.6-1, a single interlock failure will not cause an accident, result in potential physical damage to fuel, or result in radiation exposure to personnel during fuel-handling operations.
7.6.1.1.3.4 Testability Complete functional testing of all refueling interlocks before refueling outages positively indicates that the interlocks operate in the situations for which they were designed. The interlocks are subjected to valid operational tests by loading each hoist with a suitable test weight, positioning the refueling platform, and withdrawing control rods.
7.6.1.1.4 Environmental Considerations The refueling equipment is subject to conditions during normal operation that are less severe than those listed in Table 3.11-1. The refueling interlocks are not required to operate under the conditions listed in Table 3.11-1.
7.6.1.1.5 Operational Considerations The refueling interlocks system is required only during refueling operations. In the refueling mode, the main control room operator has an indicator light for "refuel mode one rod permissive" whenever all control rods are fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in/out status display. Furthermore, whenever a control rod withdrawal block situation occurs, the operator receives annunciation and computer logging of the rod block. He can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions exist in order to move control rods; otherwise, a control rod withdrawal block is placed into effect. Failure of one channel may initiate a rod withdrawal block, but does not prevent
application of a valid control rod withdrawal block from the remaining operable channel. In terms of refueling platform interlocks, the platform operator has indicators for the platform x-y position and z position of the fuel grapple. Pushbuttons and rotary control switches are provided for local control of the platform and its hoists. The platform operator can immediately determine whether the platform and hoists are responding to his local instructions. In conjunction with the main control room operator, the local operator can verify proper operation of each of the three categories of interlocks listed previously.
7.6.1.2 Reactor Pressure Vessel Instrumentation Figure 7.3-12 shows the instrument numbers, arrangements of the sensors, and sensing equipment used to monitor the RPV conditions. Because the RPV sensors used for the reactor protection system (RPS), engineered safety feature (ESF) systems, and control systems have been described and evaluated in other portions of this document, only the sensors that are not required for those systems are described in this subsection.
7.6-3 REV 20 05/16 FERMI 2 UFSAR 7.6.1.2.1 System Identification The purpose of the RPV instrumentation is to monitor the key RPV operating parameters during plant operation.
7.6.1.2.1.1 Function These instruments and systems are used to provide the operator with information during normal plant operation, startup, and shutdown. They are monitoring devices only and provide no active power control or safety function.
7.6.1.2.1.2 Classification The systems and instruments discussed in this subsection are designed to operate under normal and peak operating conditions of system pressures and ambient pressures and temperatures. However, no special industry classifications are imposed on these instruments.
7.6.1.2.2 Equipment Design The instrument sensing lines to the various pressure and level sensors slope downward from the vessel to the instrument rack at a nominal 1/8 in./ft (including allowance for piping sag).
7.6.1.2.3 Circuit Description Basic design information for this system is given in Table 7.6-2. 7.6.1.2.3.1 Reactor Pressure Vessel Temperature The RPV temperature is determined on the basis of reactor coolant temperature.
Temperatures needed for operation and for compliance with the Technical Specifications operating limits are obtained from one of several sources, depending on the operating condition. During normal operation, either reactor pressure and/or the inlet temperature of the coolant in the recirculation loops can be used to determine the vessel temperature. Below the operating span of the resistance temperature detectors in the recirculation loop, the vessel pressure is used for determining the temperature. Below 212F the vessel coolant temperature, and thus the vessel temperature, is reasonably well shown by the reactor water cleanup (RWCU) system inlet temperature. These three sources of input are most conveniently available from the Integrated Plant Computer System (IPCS). During normal operation, vessel thermal transients are limited via operational constraints on parameters other than temperature.
Reactor pressure vessel thermocouples are provided as a means of observing vessel metal surface temperature behavior in response to changes in vessel coolant temperature during startup and during power-operation testing. Indications based on the thermocouples are not used for controlling the rate of heating or cooling or limiting the vessel thermal stresses.
7.6-4 REV 20 05/16 FERMI 2 UFSAR 7.6.1.2.3.2 Reactor Pressure Vessel Water Level The reactor vessel water level instrumentation systems are discussed in other sections as follows: a. Reactor water level instrumentation that initiates reactor scram is discussed in Subsection 7.2.1.1.3.1 b. Reactor water level is maintained by the feedwater control system (Subsection 7.7.1.3). The reactor water level system that pertains to this section is used to monitor, in the main control room, the reactor water level during the shutdown condition when the reactor system is flooded for maintenance and head removal. The water level design is the condensate chamber reference leg type that is not compensated for change in density. The vessel condition that provides accurate water level information is 0 psig pressure and ambient temperature. The range of the instrument is from the bottom of the feedwater control operating range to a level over the top of the RPV head. Figure 7.3-12 shows specific values at which alarms and safety actions are initiated.
7.6.1.2.3.3 Reactor Core Hydraulics Figure 7.3-12 shows the flow instruments, differential pressure instruments, and recorders provided so that the core coolant flow rates and the hydraulic performance of RPV internals can be determined.
The differential pressure between the throat of each jet pump and of the core inlet plenum is measured and indicated in the relay room. Four jet pumps, two associated with each recirculation loop, are specially calibrated. They are provided with pressure taps in the diffuser sections. The differential pressure measured between the diffuser tap and the throat tap allows precise flow calibration using the jet pump prototype test performance data for each of the calibrated jet pumps. The flow rates through the remaining jet pumps are calculated from the flows shown by the four calibrated jet pumps. The flow rates through the jet pumps associated with each recirculation loop are summed to provide main control room indication of the core flow rate associated with each recirculation loop (Figure 7.3-12). Total flows for both loops are summed and recorded in the main control room to indicate the total flow through the core. During the operation of a single recirculation loop, total core flow indication is derived by subtracting the reverse flow signal from the forward flow signal of the active jet pumps. This function is provided automatically any time a single recirculation pump is operating. A differential pressure transmitter indicates core plate pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The instrument sensing line used to determine the pressure in the core inlet plenum is the same line used for the injection of the standby liquid from the standby liquid control system (SLCS). An instrument sensing line is provided for measuring pressure above the core support assembly. The differential pressure across the core plate is indicated and recorded in the main control room.
7.6-5 REV 20 05/16 FERMI 2 UFSAR A differential pressure transmitter and control room indicator indicate the jet pump developed head by measuring the difference between the jet pump suction pressure (reactor annulus - between vessel wall and core shroud) and the jet pump discharge pressure (pressure below the core plate).
This instrumentation permits the determination of total core flow in two ways. The first method is the readout of the summed flow measurements from all the jet pumps as described in the preceding paragraphs. The second method involves establishing a correlation between drive loop flow rate and core flow rate with reactor power as a parameter. The correlation can then be used to convert the flow in the recirculation pump loops to core flow rate. This correlation is of a temporary nature because it changes with a fixed core arrangement over a period of time as a result of crud buildup on the fuel. The main control room flow rate readouts of the specially calibrated jet pumps can be used to cross check the flow rate readouts of all the other jet pumps. A discrepancy in the cross-checks is reason enough to check local flow indications.
7.6.1.2.3.4 Reactor Pressure Vessel Pressure Pressure indicators and transmitters detect RPV internal pressure from the same instrument lines used for measuring RPV water level.
The following list shows the subsections in which the RPV pressure-measuring instruments are discussed:
- a. Pressure transmitters for initiating scram or for bypassing main steam isolation valve (MSIV) closure are discussed in Subsection 7.2.1.1.3 b. Pressure transmitters used for high-pressure coolant injection (HPCI), core spray, low-pressure coolant injection (LPCI), and the automatic depressurization system (ADS) are discussed in Subsection 7.3.1.2
- c. Pressure transmitters and recorders used for feedwater control are discussed in Subsection 7.7.1.4 d. Pressure transmitters used for wide range pressure recordings are discussed in Subsection 7.5.1.4.2.
7.6.1.2.3.5 Reactor Pressure Vessel Head Seal Leak Detection The pressure between the inner and outer head-seal rings is sensed by a pressure switch. If the inner seal fails, the pressure at the pressure switch is the vessel pressure and the pressure switch trips, sounding an annunciator in the main control room. The plant continues to operate with the outer seal as a backup and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak is detected by an increase in drywell temperature and pressure. This system is part of the leak detection system (LDS), which is described in Subsection 7.6.1.8.
7.6.1.2.3.6 Safety/Relief Valve Seat Leak Detection Thermocouples are located near the discharge of the safety/relief valve seat. The temperature signal goes to a multipoint recorder with an alarm. The alarm will be activated by any 7.6-6 REV 20 05/16 FERMI 2 UFSAR temperature in excess of a set temperature, signaling that one of the safety/ relief valve seats has started to leak. This system is part of the LDS (Subsection 7.6.1.8).
7.6.1.2.3.7 Other Instruments
- a. The steam temperature is measured at the steam manifold and is recorded in the main control room b. The feedwater temperature is measured and transmitted to the main control room. 7.6.1.2.4 Testability Pressure, differential pressure, water level, and flow instruments are located outside the drywell and are piped so that calibration and test signals can be applied during reactor operation.
7.6.1.2.5 Environmental Considerations There are no special environmental considerations for the instruments described in this subsection.
7.6.1.2.6 Operational Considerations 7.6.1.2.6.1 Normal The RPV instrumentation discussed in this subsection is designed to augment the existing information from the ESF such that the operator can start up, operate at power, shut down, and service the RPV in an efficient manner. None of this instrumentation is required to initiate any ESF.
7.6.1.2.6.2 Operator Information The following information is available to the operator:
- a. Selected RPV thermocouples are recorded on a multipoint recorder at a local rack b. The shutdown flooding water level is indicated in the main control room
- c. The flow for each of the four calibrated jet pumps is indicated in the main control room d. The differential pressure for all the jet pumps (calibrated and uncalibrated) is indicated in the main control room and relay room
- e. The recirculation core flow that is generated by each recirculation loop is indicated in the main control room
- f. The total core flow is recorded by one pen of a two-pen recorder in the main control room. The other pen records the core plate differential pressure
- g. The jet pump developed head is indicated in the main control room 7.6-7 REV 20 05/16 FERMI 2 UFSAR
- h. The reactor head seal LDS activates an annunciator when the reactor head inner seal fails
- i. The discharge temperatures of all the safety/relief valves (SRVs) are shown on a multipoint recorder in the relay room. Any temperature in excess of setpoint turns on an annunciator indicating that an SRV seat has started to leak.
7.6.1.2.7 Setpoints The annunciator alarm setpoints for the reactor head seal leak detection, SRV seat leak detection, and feedwater corrosion product monitor are set so the sensitivity to the variable being measured provides adequate information. Figure 7.3-12 includes a chart showing the relative indicated water levels at which various automatic alarms and safety actions are initiated. Specific level values are shown in Figure 7.3-12. Each of the listed actions is described and evaluated in the subsection of this report where the system involved is described. The following list tells where various level measuring components and their setpoints are discussed:
- a. Level transmitters for initiating scram are discussed in Subsection 7.2.1.1 b. Level transmitters for initiating primary containment or vessel isolation are discussed in Subsection 7.3.2.2.8
- c. Level transmitters used for initiating HPCI, LPCI, core spray, and ADS, and the level transmitters to shut down the HPCI pump drive turbine, are discussed in Subsection 7.3.1.2 d. Level transmitters to initiate reactor core isolation cooling (RCIC) and the level transmitters to shut down the RCIC pump drive turbine are discussed in Subsection 7.4.1.1
- e. Level trips to initiate various alarms and trip the main turbine and the turbine
-driven feed pumps are discussed in Subsection 7.7.1.3 and 7.7.1.4.
7.6.1.3 Process Radiation Monitor System The Process Radiation Monitor system is described in Section 11.4.
7.6.1.4 Area Radiation Monitor System The Area Radiation Monitor system is described in Subsection 12.1.4.
7.6.1.5 Offsite Environs Radiation Monitor Systems These systems are described in the Offsite Dose Calculation Manual (ODCM).
7.6.1.6 Rad-Chem Radiation Monitoring Instruments These systems are described in Section 12.3.
7.6.1.7 Reactor Water Cleanup System Instrumentation and Control 7.6-8 REV 20 05/16 FERMI 2 UFSAR 7.6.1.7.1 System Identification The purpose of the RWCU system instrumentation and control is to provide protection for the system equipment from overheating and overpressurization and to provide the operator with information concerning the effectiveness of operation of the system. This system is not safety related, and all instrumentation components in the system used only for RWCU operation are nonessential. The instrumentation is a standard industrial type for which performance has been proven by years of service throughout the industry.
7.6.1.7.2 Power Sources The RWCU instrumentation is fed from the 120-V ac instrumentation bus. No backup power source is necessary since the RWCU system is not a safety
-related system. The RWCU instrumentation is arranged in groups or circuits, and each such circuit is protected by a suitable fuse. Thus, a short-circuit within the system will have only a local effect that can be corrected easily without interrupting reactor operation.
7.6.1.7.3 Equipment Design 7.6.1.7.3.1 Circuit Description The RWCU system is described in Subsection 5.5.8. This subsection describes the circuitry used to protect the resin and the filter-demineralizer. These circuits are shown in Figure 5.5
-19 and the operating logic is shown in Figure 7.6-1. To prevent resins from entering the reactor recirculation system in the event of a filter
-demineralizer resin support failure, a strainer is installed on the outlet of each filter
-demineralizer unit. Each strainer is provided with a local alarm energized by high differential pressure. A bypass line is provided around the filter-demineralizer units for bypassing the units when necessary.
Relief valves and instrumentation are provided to protect the equipment against overpressurization and the resins against overheating. The system is automatically isolated when signaled by any of the following occurrences:
- a. High temperature downstream of the nonregenerative heat exchanger - to protect the ion exchange resins from deterioration due to high temperature (Table 7.6-
- 2) b. Reactor vessel low water level - to protect the core in case of a possible break in the RWCU system piping and equipment (Subsection 7.3.2.2.7.1)
- d. Cleanup system equipment area high ambient temperatures - part of the plant LDS e. High temperature increase across the system's ventilation ducts - part of the plant LDS 7.6-9 REV 20 05/16 FERMI 2 UFSAR
- f. High change in system inlet flow in comparison to the system outlet flow - part of the plant LDS. In the event of low flow or loss of flow in the system, flow is maintained through each filter-demineralizer by its own holding pump. Sample points are provided upstream of the RWCU system and downstream of each filter-demineralizer unit for continuous indication and recording of system conductivity. High conductivity is annunciated in the main control room. The influent sample point is also used as the normal source of reactor coolant samples. Samples analysis also indicates the effectiveness of the filter
-demineralizer units.
7.6.1.7.3.2 Testability Because the RWCU system is usually in service during plant operation, satisfactory performance is demonstrated without the need for any special inspection or testing.
7.6.1.7.4 Environmental Considerations The RWCU system is not required for safety purposes, nor is it required to operate after the design-basis accident (DBA). The RWCU system is required to operate in the normal plant environment for power generation purposes only. The RWCU control instrumentation located in the RWCU equipment area is subject to the environment described in Table 3.11-3.
7.6.1.7.5 Operational Considerations The RWCU system instrumentation and control is not required for safe operation of the plant. It provides a means of monitoring parameters of the system and protecting the system.
7.6.1.8 Leak Detection System 7.6.1.8.1 System Identification This subsection discusses the instrumentation and controls associated with the LDS. The system itself is discussed in Subsection 5.2.7. The LDS serves to detect leakage from the nuclear boiler pressure boundary and auxiliary and ESF systems. It also generates isolation signals to systems that are leaking in excess of determined limits.
7.6.1.8.2 Power Sources Power source separation is applicable to leak detection channels that are associated with the isolation valve system. Two power sources are used to comply with separation criteria so that redundant channels receive power from separate sources. Power is provided by dc/ac inverter A and dc/ac inverter B. Inboard and outboard isolation valves in the same line are on separate power sources.
7.6-10 REV 20 05/16 FERMI 2 UFSAR 7.6.1.8.3 Systems and Components Provided With Leak Detection Systems The following systems and components include leak detection instrumentation and control:
- c. High-pressure coolant injection
- d. Recirculation pumps
- g. Safety/relief automatic depressurization system valves
- h. Reactor vessel head seal
- i. Emergency core cooling system suction lines.
7.6.1.8.4 System Design The LDS detects leaks by use of the following techniques:
- a. Sensing excess flow in process piping systems b. Sensing pressure and temperature changes in the primary containment
- c. Monitoring temperatures in areas containing equipment and piping systems (Figure 7.6-2) d. Monitoring activity of the drain sumps.
Detected leaks are annunciated in the main control room and, in certain cases, isolated from the nuclear steam supply system (NSSS) pressure boundary. Leaks as small as 5 gpm are detected by either temperature and pressure changes or drain sump activities. Leaks greater than 5 gpm are also detected by changes in reactor water level and by change of flow in process lines. Temperature detectors are located or shielded such that they are sensitive to air temperature only, and not to heat radiated from the equipment. Temperature sensors have individual alarm setpoints adjustable over a range of flow rates corresponding to leakage of up to 35 gpm. Reactor coolant leakage of 5 gpm actuates an alarm in the main control room. Specific information concerning the LDS is given in Table 7.6-2.
7.6.1.8.5 Leak Detection Within the Primary Containment 7.6.1.8.5.1 General Leaks within the primary containment are detected by the following methods (Figure 7.6-3): 7.6-11 REV 20 05/16 FERMI 2 UFSAR
- a. Monitoring pressure and temperature in the primary containment b. Monitoring equipment drain and floor drain sump pump activity
- c. Monitoring the drywell floor drain sump level d. Monitoring the cooling water differential temperature of the closed cooling water system
- e. Monitoring reactor water level.
In addition, a second method of leak detection uses recognition of increased containment atmosphere radioactivity as indicative of a system leak.
7.6.1.8.5.2 Pressure Measurement in Primary Containment The primary containment is pressurized and maintained at a slightly positive pressure during reactor operation. The normal operating pressure is about 0.5 psig. The pressure may fluctuate as a result of barometric pressure changes and outleakages, but a pressure rise above the operating level indicates a process system leak.
Drywell pressure is monitored in the main control room as part of the primary containment monitoring system (Subsection 7.6.l.l2). High drywell pressure activates an alarm in the main control room and initiates automatic response of the RPS and ESF systems (Sections 7.2 and 7.3). 7.6.1.8.5.3 Temperature Measurement in Primary Containment Drywell atmosphere temperature is maintained at approximately 135F during reactor operation by heat exchangers of the drywell cooling system. An abnormal temperature rise significantly above 135F indicates a high
-energy process leak. A temperature rise will be detected by monitoring: a. Drywell temperature at various elevations
- b. Differential water temperature of closed cooling water system.
7.6.1.8.5.4 Primary Containment Sump Activity Monitoring Equipment drain and floor drain sumps are provided with "fill-up" and "pump-out" rate measurements. Excessive rates are annunciated in the main control room.
The equipment drain sump collects only identified leakage and is equipped with high/low-level switches that control the sump drain. A sump filling/pump frequency in excess of the normal rate or excessive pumping time activates an annunciator in the main control room (Figure 7.6-4). Normal leakage (filling/pumping frequency) is to be determined during operational testing. The equipment drain sump receives drainage from pump seal leakoff, RPV head flange vent drain, and valve packing leakoff. The floor drain sump is provided with the normal level switches for control of the pumps similar to the equipment drain sump. Additionally, an analog level transmitter is installed in the floor drain sump to provide a very sensitive level change measurement. A continuous analog display of sump level is derived from the transmitter and is located in the control 7.6-12 REV 20 05/16 FERMI 2 UFSAR center. An operator alarm is activated whenever the level measurement detects a sump inleakage greater than 1 gpm. This level monitor is designed and installed to remain functional following a seismic event and thereby meet the requirements of Regulatory Guide 1.45. The floor drain sump collects unidentified leakage. This leakage is collected from CRDs, valve flanges, floor drains, the closed cooling water system, drywell cooling unit drains, and other potential sources not already identified. Leakage from the closed cooling water system is detected by decreased levels in the system surge tank.
The unidentified-leakage rate is that portion of the total leakage rate received in the drywell floor drain sump. A leakage rate of 150 gpm has been calculated to be the liquid leakage from a crack large enough to propagate rapidly. An allowance for reasonable leakage that does not compromise barrier integrity and is not identifiable is made for normal plant operation. The unidentified-leakage rate limit is established at 5 gpm, which is far enough below the 150-gpm leakage rate to allow time for corrective action to be taken before the process barrier is significantly compromised. Normal background leakage will be determined during operational testing. 7.6.1.8.5.5 Reactor Vessel Head Seal Leak Detection The RPV head is provided with double seals with a pressure switch sensing the pressure between the seals. High pressure (Table 7.6
-2) is indicative of leakage past the inner seal and activates an annunciator in the main control room. The RPV head seal leak detection is also described in Subsection 7.6.1.2.3.5.
7.6.1.8.5.6 Recirculation Pump Seal Leak Detection There are two recirculation pump LDSs, one for each of the pumps in the recirculation loop.
Each LDS monitors the flow rate (leakage) past its associated pump's shaft by measuring the pressure within the seal cavity. There are two monitored seal cavities per pump. The recirculation pump LDS consists of two types of monitoring circuits (Figure 7.6-5). The first of these monitors the pressure levels within the seal cavities, presenting the plant operator with a visual display of the pressure in each cavity. The second type of circuit monitors the rate of liquid flow from the seal cavities.
The pressure levels within seal cavity number 1 and seal cavity number 2 are measured with identical instrumentation (Table 7.6
-2). All condensate flowing past the recirculation pump seal packings and into the seal cavities is collected and sent by one of two drain systems to the drywell equipment sump for disposal.
The first system drains the major portion of the condensate collected within the number 2 seal cavity. The condensate flow rate through the drain system is measured (high/low) by a flow switch. The point at which the microswitch closes can be adjusted so that switch actuation occurs only above or below certain flow rates (Table 7.6-2). Excessively high or low flow rates through this drain system activate the "Pump Seal Staging Flow" annunciator in the main control room.
7.6-13 REV 20 05/16 FERMI 2 UFSAR 7.6.1.8.5.7 Safety/Relief Valve Automatic Depressurization System Leak Detection A temperature element (sensor) is used to detect leakage past each relief or safety valve. These temperatures are recorded on a multipoint recorder in the relay room. Normally, all relief and safety valves are in the shut-tight condition and remain at about the same temperature.
Steam passage through the valve elevates the sensed temperature at the exhaust, causing an "abnormal" temperature reading on the recorder. Microswitch contacts on the recorder close on high temperature (Table 7.6-2) to activate the "SRV Open" annunciator in the main control room.
7.6.1.8.6 Reactor Building Sump Activity Monitoring Instrumentation for monitoring equipment drain sump and floor drain sump activities is the same in design as that described for drywell sump monitoring in Subsection 7.6.1.8.5.4.
7.6.1.8.7 Main Steam Line Leak Detection System 7.6.1.8.7.1 System Function The main steam lines are continuously monitored for leaks by the main steam line LDS.
Steam line leaks will cause changes in at least one of the following monitored operating parameters: sensed temperature, flow rate, or low water level in the RPV. If a leak is detected, the LDS responds by triggering an annunciator in the main control room and, depending upon the activating parameter, initiates steam line isolation action.
7.6.1.8.7.2 Physical Description The main steam line LDS resistance temperature detectors (RTDs) are located throughout the main steam line tunnel, positioned such that they are screened from direct thermal radiation and yet are still able to respond to the temperature of the ambient air. The RTDs are used to trip the MSIVs closed. The flow-rate monitoring components of the main steam line LDS consist of a set of four differential pressure transmitters and an associated flow element for each main steam line.
The outputs of the differential pressure transmitters are connected to components of the nuclear steam supply shutoff system that give a coincidence signal for main steam line isolation at a flow of approximately 130 percent. Reactor water level and main steam line tunnel area temperature are monitored by circuits associated with the containment and reactor vessel isolation system to indicate the presence of a steam leak. The coverage of this discussion extends only to the sensing instrumentation and not to circuit arrangement or response. Such information may be found in the description of the primary containment and reactor vessel isolation control system. Under conditions of normal reactor operation at constant power, reactor water level should remain fairly constant since the rate of steam mass flow leaving the reactor is matched by the feedwater mass flow rate into the RPV. However, given a condition of continued steam 7.6-14 REV 20 05/16 FERMI 2 UFSAR leakage from the closed system, the condensate reservoir level and the reactor water level decrease. Reactor water level is monitored by level transmitters of the containment and reactor vessel isolation control system in addition to the normal complement of process-monitoring instruments. Reactor water level falling below the predetermined minimum allowable level results in switch actuation and subsequent containment and reactor vessel isolation control system responses.
7.6.1.8.8 Reactor Water Cleanup System Leak Detection Leakage in the high temperature process flow of the RWCU system external to the primary containment is detected by temperature- sensing elements. Temperature sensors are located in the inlet and outlet ventilation ducts to measure the temperature difference. Local ambient-temperature sensors are located in all compartments containing equipment for these systems. Alarms in the main control room annunciate a temperature rise corresponding to excessive leakage. In addition to annunciation, a high cleanup- room temperature rise actuates automatic isolation of the RWCU system.
In addition to the temperature-detection method, leakage is detected by means of a flow comparison between RWCU system inlet and outlet. If the inlet flow exceeds outlet flow by approximately 55 gpm, as governed by the Technical Specifications, an alarm is actuated and the RWCU system is isolated automatically.
7.6.1.8.9 Residual Heat Removal System Leak Detection The residual heat removal (RHR) leak detection components are divided into two groups, one sensitive to RHR system leaks external to the primary containment, and the other sensitive to system leaks internal to the primary containment. Leak detection instruments of the first group use devices that are sensitive to temperature and that monitor area ambient and differential temperatures. The second group of instruments monitors the pressure level within the drywell. Additionally, liquid leakage from system components contained within the drywell is collected and the rate of accumulation measured. The ambient and differential temperature monitoring circuits consist of thermocouples, switch point modules, and meters. The thermocouples are mounted in their individual holders which, in turn, are mounted in the RHR equipment area such that they are sensitive primarily to the air temperature. The switch-point modules and meters are mounted on the leak detection panel in the relay room. A high ambient temperature lights the point module alarm indicator on the leak detection panel and activates the high ambient temperature alarm.
7.6.1.8.10 Reactor Core Isolation Cooling and High-Pressure Coolant Injection Systems Leaks in the RCIC or HPCI systems are detected by differential pressure transmitters and by local temperature detectors that are functionally the same as those described for main steam
line leak detection (Subsection 7.6.1.8.7). Downstream of the differential pressure elements, gross leaks in the system are detected by a set of two differential pressure transmitters sensing differential pressure across an orifice plate. Flow in excess of specified limits isolates the system and activates an alarm in the 7.6-15 REV 20 05/16 FERMI 2 UFSAR main control room. A 3-sec time delay has been installed to prevent inadvertent system isolation due to pressure spikes. Gross leaks upstream of the differential pressure elements may be detected by a set of four pressure transmitters. The primary function of these transmitters is to detect low reactor pressure and to provide HPCI or RCIC turbine isolation signal. The turbine exhaust vent lines of the HPCI system and the RCIC system are monitored for pressure by means of four pressure transmitters. A high-pressure signal isolates the system and activates an alarm in the main control room. Temperature sensors are located in the inlet and outlet of the ventilation duct of the equipment area and in the inlet to emergency coolers for measuring temperature
-difference rise and room ambient temperature in the event of steam leakage. High temperature and high temperature difference are annunciated in the main control room. A high area temperature will automatically isolate the respective system.
The power required to operate the logics associated with the RCIC and HPCI LDSs is continuously monitored. Loss of power is identified by the "RCIC LOGIC POWER FAILURE" or "HPCI LOGIC POWER FAILURE" annunciators in the main control room.
7.6.1.8.11 Leak Detection in the Emergency Core Cooling System Piping Routing Area Adjacent to Suppression Pool Temperature elements are located in the inlet and outlet of the ventilation ducts of the suppression pool area. High temperature and high temperature differences are annunciated in the main control room.
7.6.1.8.12 Emergency Core Cooling System Suction Lines Leak Detection The purpose of this LDS is to provide information that would allow the closing of the valve in a broken emergency core cooling system (ECCS) line before net positive suction head (NPSH) is lost to the redundant system. A sump-level alarm contact notifies the operator that a significant leak exists in the torus area. This signal allows the operator to terminate the loss of torus water.
7.6.1.8.13 Feedwater Leak Detection A separate feedwater LDS is not provided. Leaks from the feedwater lines will be detected by one or a combination of the following methods:
- a. Primary containment sumps high flow rate b. Differential water temperature of closed cooling water system
- c. Primary containment high pressure d. Primary containment high temperatures
- e. Reactor building sump high flow rate.
7.6-16 REV 20 05/16 FERMI 2 UFSAR 7.6.1.8.14 Testability The proper operation of the sensors and the logic associated with the LDS are verified for proper operation during the LDS preoperational test and during inspection tests that are provided for the various components as they apply during plant operation. Each temperature switch, both ambient- and differential-type, is connected to dual thermocouple elements. Each temperature switch can be checked for operation by observing the ambient temperature or differential, and then turning the trip-point adjustment and verifying that the switch operates at the proper temperature. Each temperature switch contains a trip light that lights when temperature exceeds the setpoint. The setpoint is reset manually to its required value by adjusting the setpoint on the meter in the main control room. In addition, keylock test switches are provided so that logic can be tested without sending an isolation signal to the system involved. Thus, complete system check can be confirmed by checking activation of the isolation relay associated with each switch.
The containment drain monitor system can be tested by supplying makeup water to the sump at a sufficient flow rate to bring the water level above the sump high
-level pump
-actuation point in less than predetermined time.
The RWCU differential-flow leak detection is tested by inputting a mA signal to simulate a high differential flow. Alarm and indicator lights monitor the status of the trip circuit.
7.6.1.8.15 Environmental Considerations The sensors, wiring, other equipment, and electronics associated with the isolation valve logic are designed to withstand the conditions that follow a LOCA.
7.6.1.9 Plant Computer Systems 7.6.1.9.1 Integrated Plant Computer System (IPCS) 7.6.1.9.1.1
System Description
The IPCS is a computer system that combines various functions of the legacy computer systems that it replaced. The IPCS provides the capability of monitoring, recording and displaying plant parameters via strategically located display devices. The IPCS is designed to be highly reliable and provide current information for selected plant variables. All real-time data displays will update the current field conditions in a timely manner.
The IPCS is not required for safe operation of the plant. Hardwired instrumentation and control allows the operator to safely operate the plant in all modes in the absence of the IPCS. There is no safety objective for the IPCS. The IPCS consists of several computing nodes interconnected through a local area network (LAN) configuration. These computing nodes work in conjunction with each other to form a single cohesive system.
The IPCS computing nodes have self-checking provisions. It performs diagnostic checks to determine the functionality of certain portions of the system hardware and software. It also 7.6-17 REV 20 05/16 FERMI 2 UFSAR performs internal software checks to verify that input signals and selected program computations are within specific limits or reasonable bounds. The IPCS consists of two redundant computers, operating in parallel, simultaneously monitoring the same field signals. Either of the computers can be designated as the main computer (Master), and the other will be designated as the backup computer (Slave). Under normal operating conditions, both the Master computer and Slave computer perform all the key functions; however, only the Master computer is allowed to output data and calculation results. In the event the Master computer fails, the Slave computer will become the Master computer, and automatically assume control of all functions. The operating personnel will be informed of the fail-over. If the Slave computer fails while the Master computer is operating normally, the operating personnel will be informed and the Master computer will continue to function normally. The operating personnel use display consoles to enter information into the IPCS, and to request various functions. Diagnostic messages on the display consoles, together with printer outputs and annunciator outputs permit the IPCS to communicate plant and system status to the operating personnel. The IPCS has the capability for on-line storage and retrieval of historical data, which are to be used for time-history displays and other data analysis functions. These analysis functions include, but are not limited to, determining the plant steady-state operating conditions prior to an initiating event and evaluating the transient conditions producing the event and the post-event equipment performance. The IPCS has on-line storage for pre-event and post-event data. The declaration of an event is signaled to the system from the display consoles or automatically for a scram. Additional post-event data can be stored at the operator's request. The historical data storage and recovery are performed by the IPCS without interrupting the other functions of the system, such as data acquisition and console display. The IPCS has the capability of transferring the historical data onto magnetic media.
The IPCS consolidates the following functions into a homogenous computer system.
Separate legacy computers provided these functions during the initial licensing of the plant:
- a. Scan, Log and Alarm (SLA) b Man-Machine Interface (MMI)
- c. Nuclear Steam Supply System (NSSS) Function
- d. Balance of Plant (BOP) Function
- e. Emergency Response Functions 1. Safety Parameter Display System (SPDS) Function
- 2. Emergency Response Data System (ERDS) Function
- f. Meteorological (MET) Function
- g. Transient Recording and Analysis (TRA) Function h. Data Archival Function
- i. Special Functions 7.6-18 REV 20 05/16 FERMI 2 UFSAR In addition to the function consolidation listed above, the IPCS provides external interfaces with the digital processor/computer equipment associated with each of the following systems, which are further described in Section 7.6.1.9.1.3: GE 3D-Monicore Computer System (3DM) Interface GE Multi-Vendor DAS (MVD) Interface (PRNM and RWM Interface)
GE Traversing Incore Probe (TIP) Interface Eberline SS-1 Radiation Monitor System Radiological Dose Assessment Application Interface Meterological Data Acquisition System (MDAS) Interface Visual Annunciator System (VAS) Interface 7.6.1.9.1.2 System Functions 7.6.1.9.1.2.1 Scan, Log and Alarm (SLA) Functions The SLA function gathers data from selected plant data systems, provides the signal conditioning for conversion to engineering units, provides out-of-scale checking of each data point, and keeps a live database of all the current values of the data points. The IPCS has the capability to alarm the main control room annunciator system in the event of abnormal IPCS operation.
7.6.1.9.1.2.2 Man-Machine Interface (MMI)
The IPCS generates displays and data summaries for use in the control room, technical support center (TSC), and emergency operations facility (EOF). The IPCS also retains a
history of each data point. The current value or the historical values of a data point are accessible from the display consoles. The MMI, the display consoles, and the form of the display on these consoles are designed considering human factors engineering. The system has predesigned displays that are called onto the screen by the operator.
7.6.1.9.1.2.3 Nuclear Steam Supply System (NSSS) Function The NSSS functions provided are based on Fermi 2 requirements and General Electric recommendations for BWR heat balance and interface support to core monitoring software 3DM. MMI screens and reports are provided in support of the NSSS performance calculations.
7.6.1.9.1.2.4 Balance of Plant (BOP) Function The BOP function provides calculations that are based on Fermi 2 requirements, General Electric recommendations, industry recognized practices, and an analysis of the Fermi 2 BOP cycle arrangement and operation.
7.6-19 REV 20 05/16 FERMI 2 UFSAR Accumulation calculations are provided for the determination of BOP related accumulated data. These accumulated data values are primarily associated with the plant electrical generation data and require the determination of both daily and monthly accumulated totals.
7.6.1.9.1.2.5 Emergency Response Functions The Emergency Response Functions include the Safety Parameter Display System (SPDS) and the Emergency Response Data System (ERDS). When the plant was originally licensed, various capabilities to support the Emergency Plan were implemented on a dedicated computer system called the Emergency Response Information System (ERIS). These capabilities have been incorporated into the IPCS and are referred to as the Emergency Response Function.
7.6.1.9.1.2.5.1 Safety Parameter Display System (SPDS) Function Description An IPCS display with continuous SPDS status indication is provided in the control room, the TSC, and the EOF. The SPDS function of the IPCS was added to the Fermi 2 design to aid operating personnel in assessing the safety status of the plant. The SPDS function display is accessible and visible to operating personnel and is distinguishable from other displays. The SPDS function display does not inhibit physical or visual access to operator interfaces with other systems located in the control room. The SPDS design provides for the validation of parameters associated with the function. Operating personnel are alerted to any unsuccessful validation.
Interfaces between the SPDS function and safety
-related systems are through isolation means. Interfaces between the SPDS function and non-safety-related systems are designed to ensure the integrity of the SPDS function. The SPDS functional design includes the consideration of the following human engineering criteria: a. Presenting information in directly usable form
- b. Designing displays for quick identification of unsafe conditions
- c. Easy selection of the display required
- d. Minimizing reflection and glare.
The SPDS function presents the value or status of the primary variables of the following safety parameters:
- a. Core cooling
- b. Fuel integrity
- c. Reactivi ty d. Reactor coolant system integrity
- e. Containment integrity 7.6-20 REV 20 05/16 FERMI 2 UFSAR
- f. Radioactivity effluent to the environment. A primary variable is defined as the monitored variable that provides the most direct indication needed to assess the status or value of a safety parameter. Secondary variables are those monitored variables that provide additional information about the safety parameters. The primary variable associated with each safety parameter is shown in Table 7.6-3 and is discussed below:
- a. Core cooling. The primary method to assess adequate cooling in BWRs is by a direct measurement of the reactor water level. Natural circulation capability is an inherent BWR feature. There are no traps that might block the natural circulation. Steam and noncondensibles rise to the top during normal operation and during accident conditions. As long as there is adequate water level, there is assurance of adequate core cooling
- b. Core and fuel integrity. When the containment is isolated, the presence of fuel damage is determined by taking a sample of reactor coolant and performing a spectral analysis of the sample. During normal operation, the presence of fuel damage is determined by offgas radiation readings
- c. Reactivity. The neutron instrument is the primary variable for determining this parameter d. Reactor coolant system integrity.
This parameter is assessed by monitoring reactor pressure, drywell pressure, drywell sump collection rate, and RPV isolation e. Containment integrity.
This parameter is assessed by measuring drywell and torus pressure, containment isolation, combustible gas level, torus temperature, torus level, and drywell temperature
- f. Radioactivity effluent to environment. This parameter is assessed by monitoring the radioactivity at planned plant release points. The parameters associated with the SPDS displays are listed in Table 7.6-4. Emergency procedure guidelines (EPGs) have been developed by the BWR Owners Group; they are symptom based and designed to improve the operator's ability to mitigate the
consequences of a broad range of initiating events and subsequent multiple operator errors. The Fermi 2 Emergency Operating Procedures (EOPs) are based on the EPGs. The EOPs identify entry conditions and contain parameter versus parameter limit curves. Th e
emergency response function includes the EOP limit curves and parameter information that is supportive of determining entry conditions. The SPDS function displays are comprised of an overview display, critical safety function displays (generally a bar and/or trend), and the EOP limit curves. Design Analysis The graphics provided to the operator by the SPDS function are one of the man-machine interfaces to the IPCS. The IPCS acquires both digital and analog inputs from field sensors and computer data links with monitoring and control systems throughout the plant.
7.6-21 REV 20 05/16 FERMI 2 UFSAR Existing signal loops of monitoring and control systems were tapped to provide inputs for the SPDS function. The isolation requirement for analog safety-related circuits was provided by using a qualified modulator isolator for each circuit and a demodulator card in the data acquisition system. Dry contact inputs were provided for digital inputs. Engineering was completed in accordance with applicable design criteria to ensure that the SPDS function cannot adversely affect safety
-related systems.
Signals to the IPCS for the SPDS function are processed and validated to prevent misleading the operator. Redundant input signals are used for selected parameters and comparison limits are performed for validation. Additional information processing is performed for analog, digital, and derived parameters and includes the following:
- a. Sensor range limit checks
- b. Conversion to engineering units
- c. Validation routine processing
- d. On-line diagnostics for transmissi on e. Time tagging of data.
The SPDS function incorporates human factors engineering guidance. The operator's interface with the displays and keyboard have been designed to provide easily accessed and readily understood displays. The BWR Owners Group Control Room Improvements Committee developed the initial Graphic Display System (GDS) in a program which had extensive human factors evaluation. The program included development and dynamic screening of the GDS and later a simulator evaluation of the displays by operators. The Fermi 2 SPDS function includes many features of the GDS, and has incorporated most of the recommendations from the findings of the simulator evaluation. Some of the human factors criteria that were considered in the SPDS function are listed in the Description subsection above. The SPDS design requirements with regard to parameter selection, isolation, signal validation, and human factors engineering have been analyzed. The critical safety function based, and EOP-related, selected parameters are sufficient to assess the safety status of the identified functions for a wide range of events, which include symptoms of severe accidents.
7.6.1.9.1.2.5.2 Emergency Response Data System (ERDS) Function The Fermi 2 ERDS function provides selected plant parameters from the IPCS computer to the NRC. The ERDS function was developed to provide the NRC accurate and timely data on four types of plant parameters, namely:
- a. Core and coolant system conditions
- b. Conditions inside the containment
- c. Radioactivity release rates
- d. Data from the plant's meteorological tower.
The ERDS function is for use during emergencies to transmit information to the NRC Operations Center. The ERDS function datalink will operate in conjunction with the 7.6-22 REV 20 05/16 FERMI 2 UFSAR Emergency Notification System (ENS), and would be supplemented with voice transmission of essential data not available from the ERDS function.
7.6.1.9.1.2.6 Meteorological (MET) Function Section 2.3.3.2 describes the Meteorological Data Acquisition System (MDAS) and its interface with the IPCS hardware that replaced the legacy MDAS computer system. The dual-processor IPCS hardware and associated peripherals support the Regulatory Guide 1.23 meteorological function requirements of the orignal system and provide a platform for performing calculations, providing meteorological data for display at various plant locations, and archiving meteorological data.
The following are examples of calculations (based on data obtained from MDAS) done as part of the IPCS meteorological function:
Sigma Phi (measure of wind stability based on the variability of the vertical component of wind direction and and horizontal wind speed) Pasquill Stability Class Lake Breeze Status.
In addition, the IPCS MET function uses a Best Value algorithm to determine which value to archive from either the primary or secondary MDAS instrument train data.
7.6.1.9.1.2.7 Transient Recording and Analysis (TRA) Function The TRA function replaces the legacy General Electric GETARS computer system functionality. The TRA has the capability to process analog and digital points at a scan rate equal to or faster than 100 samples per second, continuously, without degradation of performance of any other IPCS function. The TRA supports auto archiving of data based on data triggers. The ability to utilize both digital states and analog alarm setpoints is provided.
The TRA function plot and report resolution is 10 milliseconds. The TRA function plot and report function provides summary statistics such as mean, minimum, maximum, and standard deviation.
7.6.1.9.1.2.8 Long Term Data Archive (LTA) Function A computer that is separate from the Master/Slave computers performs the Long Term Data Archive (LTA) function of the IPCS. The LTA computer communicates with the Master computer to receive current plant process data, both analog and digital, at a predefined interval. The LTA computer contains specialized software and a separate I/O database.
Data for points that have been deleted from the IPCS computer database, are retained on the LTA computer, for later retrieval.
7.6.1.9.1.3 External Interfaces 7.6-23 REV 20 05/16 FERMI 2 UFSAR 7.6.1.9.1.3.1 GE 3D-Monicore Computer System (3DM) Interface The 3DM operation requires periodic transmission of live and static plant data to and from the IPCS. All communications with the 3DM are initiated and monitored by the IPCS. Live and static plant data transmitted from the IPCS to 3DM includes the following plant inputs and status (represented as individual points):
- a. Heat balance input points
- c. Control rod data
- d. TIP data (static)
Live plant data transmitted from the 3DM to IPCS includes the following:
- a. RWM messages 7.6.1.9.1.3.2 GE Multi-Vendor DAS (MVD) Interface The MVD is a data acquisition system interface to the General Electric Power Range Neutron Monitor (PRNM) and the Rod Worth Minimizer (RWM) NUMAC systems. The IPCS MVD interface provides the necessary analog and digital points acquired by the PRNM and RWM in support of real-time plant monitoring and application functions. All data received by the MVD from the PRNM and RWM is date and time stamped and is accessible by a two
-way communication protocol interface. The IPCS RWM acquired data, through the MVD interface, consists of the following signals:
- a. Control rod positions and status (including substitute)
- b. Control rod movement messages
- c. RBM digital points
- a. LPRM flux and associated digital points
- b. APRM flux and associated digital points
- c. RBM flux and associated digital points
- d. Recirculation flow
- e. Oscillation Power Range Monitor Units (OPRM) 7.6.1.9.1.3.3 GE Traversing Incore Probe (TIP) Interface The IPCS interfaces with the GE TIP system to collect the analog and digital data generated during TIP operation. The IPCS can collect this data simultaneously from all five TIP machines. The IPCS MMI capabilities support viewing TIP traces and TIP operational status in real time. 7.6-24 REV 20 05/16 FERMI 2 UFSAR The IPCS accumulates the TIP data collected for all TIP machines and combines it with other plant data obtained from the real-time database and archives, writing such data into the TIP files. TIP data files are created and saved for use by the 3D Monicore system.
7.6.1.9.1.3.4 Eberline SS-1 Radiation Monitor System (SS1) Interface The SS1 radiation monitor has replaced the legacy Eberline CT2B radiation monitor. The SS1 interface acquires current value/status and historical value/status of various radiation monitoring points and processes them for storage in the real-time and archive database, as appropriate. The IPCS performs all necessary calculations in support of the SPDS function and Dose Assessment interface, including a complex, best channel selection algorithm.
7.6.1.9.1.3.5 Radiological Dose Assessment Application Interface The Radiological Dose Assessment program calculates the off
-site radiological doses based on meteorological and radiological data available in the IPCS. The Earth Tech Raddose V software has been selected to replace the legacy ERIS dose assessment program. The Raddose V implementation method runs on IPCS MMI in the control room, EOF, and TSC in two separate modes:
- a. Utilizing manually input data
- b. Using selected partial (or total) meteorological and radiological data automatically acquired from the IPCS.
Data and control files, necessary for sharing information between multiple dose assessment nodes, reside in multiple locations within the IPCS.
7.6.1.9.1.4 Power Sources The IPCS has a reliable AC UPS power source. In the event of a complete loss of offsite power, data will be retained by the IPCS during the outage for display once power is restored. Non-essential peripheral devices are supplied from a reliable AC source with an automatic throw-over switch between normal and standby sources.
7.6.1.9.1.5 Environmental Considerations All the IPCS equipment is designed for continuous duty up to 105F and 90 percent relative humidity, except meteorological instrument building equipment, which is designed for 95 percent relative humidity.
7.6.1.9.1.6 Human Factors Engineering Industry-accepted human factors considerations are followed in designing the man
-machine interface. These considerations include, but are not limited to, the following:
- a. Simplicity of entering commands
- b. Feedback recognition of operator commands 7.6-25 REV 20 05/16 FERMI 2 UFSAR
- c. Operator input error prevention and error detection
- d. Flexibility of display access
- e. Flexibility of data entry 7.6.1.9.2 3D-Monicore Computer System (3DM) 7.6.1.9.2.1
System Description
The objectives of the 3DM are to provide a quick and accurate calculation of core thermal performance and to facilitate data reduction, accounting, and logging functions. The 3DM is not required for safe operation of the plant. Hardwired instrumentation and control allows the operator to safely operate the plant in all modes in the absence of the 3DM. There is no safety objective for the 3DM. The 3DM consists of two redundant computers. Either of the computers can be designated as the main computer (Normal), and the other will be designated as the backup computer (Standby). Under normal operating conditions, the Normal computer performs all the functions and outputs data and calculation results. The Normal computer also updates the Standby computer at predefined intervals. In the event the Normal computer fails, the Standby computer will become the Normal computer after manual intervention by operating personnel, and assume control of all functions. If the Standby computer fails while the Normal computer is operating normally, the Normal computer will continue to function normally. Either computer can be placed in Failover mode for off-line activities without affecting the operating computer. 3DM receives all plant process data from the IPCS via a high speed datalink. The IPCS gathers, formats and transmits the plant process data at predefined intervals.
The key 3DM features and capabilities are:
- b. Use of full or partial TIP measurements of LPRM calibration c. PANACEA 11 diffusion theory based substitute for non-functional TIPs and LPRMs d. Calculating core performance parameter distributions and supplying gain corrections for each of the 172 LPRMs based on TIP data measurements
- e. Calculating core margins based on LPRM and thermo-hydraulic readings
- f. Providing displays and printouts of core thermal margins and core performance parameters automatically and on demand
- g. Providing predictive capability to study and evaluate potential impact of operational changes
- h. Providing a digital interface between the Power Range Neutron Monitor (PRNM) system and the IPCS. The interface is provided by a GE Multi-Vendor 7.6-26 REV 20 05/16 FERMI 2 UFSAR Data Acquisition System (MVD) component as described in Section 7.6.1.9.1.3.2. The MVD also transmits calibration data to the PRNM from 3DM
- i. Receiving and displaying RWM messages.
7.6.1.9.2.2 Operational Considerations The local power density of every 6-in segment for every fuel assembly is calculated, using plant inputs of pressure, temperature, flow, LPRM levels, control rod positions, and the calculated fuel exposure. Total core thermal power is calculated from a reactor heat balance.
Iterative computational methods are used to establish a compatible relationship between the core coolant flow and core power distribution. The results are subsequently interpreted as local power at specified axial segments for each fuel bundle in the core.
The core power distribution calculation sequence may be completed periodically or on demand. The computer has the capability to automatically print a periodic log for record purposes. Flux level and position data from the plant are read into the IPCS, processed and formatted, and subsequently transmitted to 3DM. 3DM evaluates the data and determines gain adjustment factors by which the LPRM amplifier gains can be altered to compensate for exposure-induced sensitivity loss. The LPRM amplifier gains are not physically altered except immediately prior to calibration of the affected LPRM using the traversing in
-core probe (TIP) system. The gain adjustment factor computations help to indicate to the operator when such a calibration procedure is necessary.
Using the power distribution data, a distribution of fuel-exposure increments from the time of the previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation.
Exposure increments are determined periodically for each section of each control rod. The corresponding percent boron depletions are periodically updated. The exposure increment of each LPRM is determined periodically and is used to update both the cumulative ion chamber exposures and the correction factors for exposure-dependent LPRM sensitivity loss. 3DM provides on-line capability to determine monthly isotopic composition for each fuel bundle in the core. This evaluation consists of computing the weight of one isotope of neptunium, three of uranium, and five of plutonium, as well as the total uranium and total plutonium content. The isotopic composition is calculated for each segment of each fuel bundle and summed accordingly by bundles and batches. The method of analysis consists of relating the computed fuel exposure and average void fraction for the fuel to computer-stored isotopic characteristics applicable to the specific fuel type.
All functions and reports can be executed on demand by the operating personnel.
7.6.1.9.2.3 Power Sources The 3DM has a reliable AC source with an automatic throw-over switch between normal and standby sources.
7.6-27 REV 20 05/16 FERMI 2 UFSAR 7.6.1.9.2.4 Environmental Considerations All the 3DM equipment is designed for continuous duty up to 105F and 90 percent relative humidity.
7.6.1.10 (Deleted) 7.6.1.11 Sequence of Events Recorder The sequence of events recorder function provides the basic alarm detection management, reorting and real-time display of all sequence of events input signals to the annunciator system. The inputs include NSSS and balance-of-plant (BOP) data.
The input signals are independent of the IPCS and are electrically isolated from it. An outage of the computer would not affect operation or reliability of the sequence of events recorder. The sequence of events recorder displays the time and alarm type of each event and can resolve the time of occurrence with a resolution approaching 1 msec.
7.6.1.12 Primary Containment Monitor System The primary containment monitor system consists of the following five monitor subsystems:
- a. Primary containment radiation monitor
- b. Primary containment temperature monitor
- c. Primary containment pressure monitor d. Pressure suppression pool water level indicator
- e. Hydrogen/oxygen monitor. Division II AOVs T5000F420B and T5000F421B are designed to be reopened in the event of an extended AC power failure, using DC solenoid valves T50F459B and T50F468B respectively, as show in Figure 7.6-11. The primary containment radiation monitor subsystem supplements the LDS. The primary containment radiation monitor is not designed to operate following the DBA. The radiation monitor designed to monitor post-DBA containment radiation is the containment area high range monitor discussed in Section 11.4. The other four primary containment monitor subsystems, namely, the primary containment temperature monitor, primary containment pressure monitor, the pressure suppression pool water-level indicator, and the hydrogen/oxygen monitor, are required to operate after a LOCA, and are designed to meet the redundancy and separation requirements listed in Subsection 7.6.2.12. Under normal plant operation, however, these subsystems provide display of the monitored parameters for additional information on the operating conditions of the plant. Descriptions of the five subsystems that compose the primary containment monitor system are presented in Subsections 7.6.1.12.1 through 7.6.1.12.4.
7.6-28 REV 20 05/16 FERMI 2 UFSAR 7.6.1.12.1 Primary Containment Radiation and Hydrogen/Oxygen Monitor Subsystem 7.6.1.12.1.1 System Identification The primary containment radiation monitor subsystem is incorporated for monitoring the radioactivity of the atmosphere within the primary containment to provide additional information related to primary coolant leak detection. This provision improves the total drywell leak-detection diversity and enhances the sensitivity of leak detection beyond that which is available with the drywell sump system. An alarm and annunciator are actuated when the radiation level reaches a predetermined setpoint level. This subsystem has no control function (Table 7.6-2). The primary containment radiation monitor uses a beta scintillation detector viewing a sample flow of primary containment atmosphere as it passes through a gaseous detector chamber. The sample is drawn from the primary containment, through the filters, past the gaseous sample detector, and returned to the containment by a sample pump. The piping and valve arrangement for sample flow are illustrated in Figure 7.6-11. Remotely controlled valves are used to select either all the drywell atmosphere sampling points, selected locations within the drywell, or the suppression chamber atmosphere for radiation monitoring. The main sample flow loop supplies both the primary containment radiation monitor subsystem and the hydrogen/oxygen monitor subsystem in parallel. The hydrogen/oxygen monitor subsystem operates continuously to provide indication in the main control room of the concentration of hydrogen/oxygen in the containment. Levels of hydrogen and oxygen in excess of preset limits are alarmed in the main control room (Table 7.6
-2). The total time lag from intake of drywell atmosphere sample loop manifold to the monitoring instrument sampling point is designed to be less than 5 minutes. Within the primary containment radiation monitor are particulate and halogen filters to collect integrated samples for subsequent analysis. Associated with each beta scintillation detector is a logarithmic count rate circuit, power supply unit, and meter readout. A recorder is provided in the main control room for display of radiation level. A flowmeter is provided in the sample line, with local display of flow rate, and means for actuation of the alarm and annunciator associated with the primary containment radiation monitor on loss of sample flow.
7.6.1.12.1.2 Classification The primary containment hydrogen/oxygen monitor subsystem is seismically and environmentally qualified to meet the requirements of Regulatory Guide 1.97, Rev 2, Category 3 and 2, respectively. The radiation monitor has not been qualified environmentally or seismically.
7.6.1.12.1.3 Supporting Systems Electrical Power 7.6-29 REV 20 05/16 FERMI 2 UFSAR The electrical power required for operation of the primary containment radiation and hydrogen/oxygen monitor subsystems is supplied from the 480-V ESF motor control centers (MCCs) and the 120-V ac instrument bus as described in Subsection 8.3.1. Pneumatic Power The pneumatic power required for operation of valves in the sample lines will be supplied by an uninterruptible air system for the primary containment monitoring system isolation valves and an interruptible air system for the primary containment radiation monitoring system isolation valves as described in Subsection 9.3.1.
7.6.1.12.1.4 Equipment Design Initiating Circuits Control of the primary containment radiation and hydrogen/oxygen monitor subsystems for normal operation, test, and calibration is manual. The hydrogen/oxygen monitor subsystem is normally operated continuously from plant startup to shutdown. Logic The primary containment radiation monitor subsystem incorporates trip logic circuits for alarm and annunciator operation. A low mode alarm trip is provided to indicate instrument failure on loss of normal background reading, and a high mode trip to indicate a radiation level exceeding a predetermined normal background level. The hydrogen/oxygen monitor has alarms as defined in Table 7.6-2. Actuated Devices The primary containment radiation monitor and hydrogen/oxygen monitor subsystems have no control function. Devices actuated by the primary containment radiation monitor are an alarm and an annunciator on high radiation and on loss of background signal, the latter being indicative of instrument failure.
Testability The primary containment radiation monitor and the hydrogen/oxygen monitor subsystems are fully testable during normal plant operation.
7.6.1.12.1.5 Environmental Considerations The primary containment hydrogen/oxygen monitor subsystem is designed to operate reliably under normal and postulated abnormal environmental conditions in the equipment area. The local environmental conditions are defined in Table 3.11-1. The oxygen monitors provide verification of the status of the inerted atmosphere of containment and oxygen levels in the containment atmosphere following a significant beyond design-basis accident for combustible gas control and accident management, including emergency planning.
The hydrogen monitors provide diagnosis of the course of significant beyond-design-basis accidents for accident management, including emergency planning.
7.6-30 REV 20 05/16 FERMI 2 UFSAR 7.6.1.12.1.6 Operational Considerations Normal During power operation, startup, or hot shutdown of the reactor, the primary containment radiation monitor subsystem is in continuous operation to detect and alarm a high level of radiation in the monitored atmosphere. The hydrogen/oxygen monitor subsystem is normally operated continuously from plant startup to shutdown. Safety Function On occurrence of radiation above the alarm setpoint level, the abnormal condition will be alarmed and annunciated in the main control room. High levels of hydrogen and/or oxygen are alarmed in the main control room. Operator Information The primary containment radiation monitor subsystem has provisions in the main control room for indicating the radiation count rate per unit volume of sample, for checking the setpoint at which the high radiation alarm is actuated, and for alarming low sample flow rate.
A chart recorder is provided to record the monitored radiation levels. By the actuation of an alarm and annunciator, the operator is informed of high radiation level, instrument failure as evidenced by loss of normal background reading, or loss of sample flow. A number of functional alarms are provided in the hydrogen/oxygen monitors to ensure proper system operation. Setpoints The setpoint for actuation of the alarm and annunciator on high radiation will be established after the normal background is determined. The setpoint is adjustable over the instrument range. The alarm setpoints for the hydrogen/oxygen monitors can be found in Table 7.6-2.
7.6.1.12.2 Primary Containment Temperature Monitoring Subsystem 7.6.1.12.2.1 System Identification The primary containment temperature monitor subsystem uses thermocouple detectors to measure drywell atmosphere temperature, pressure suppression pool chamber atmospheric temperature, and pressure suppression pool water temperature. To achieve representative temperature measurements in the primary containment, 16 sensors in the drywell, four sensors for suppression pool atmosphere, and four sensors for suppression pool water are used. The monitored temperatures are continuously recorded on two stripchart recorders.
The primary containment temperature monitor subsystem has no control function; its purpose is that of data acquisition. Because of the importance of securing these temperature data on postulated accident (LOCA) conditions and other abnormal plant conditions, two redundant temperature monitors are provided. In parallel with the primary containment temperature monitor subsystem (PCTMS), and in response to additional design requirements, two additional temperature monitoring systems have been installed to monitor the drywell air temperature and the suppression pool 7.6-31 REV 20 05/16 FERMI 2 UFSAR temperature, during normal mode of plant operation and transient condition, as discussed below. The additional drywell air temperature monitoring subsystem uses 28 thermocouples (which are independent of the PCTMS) installed at six elevations. The temperature information is recorded in the main control room and is used by the operators to compute the volumetric average temperature for determination of the Technical Specifications operating limit. The additional suppression pool temperature monitoring subsystem uses a recorder and eight thermocouples (which are all independent of the PCTMS). These eight thermocouples in the torus are used by operators to compute the suppression pool water bulk average temperature for determination of the Technical Specification operating limit. The thermocouples are placed so that each thermocouple monitors the discharge of two SRVs. The recorder is located in the main control room and will alarm on bulk average water temperature 95.0 F or detection of an open T/C. The technical specifications allow the maximum average temperature of the suppression pool to be 95F during operational conditions 1 or 2 unless the thermal power is less than or equal to 1%, or a test is being performed which adds heat to the suppression chamber. To alert an operator of this limit, an alarm will be set at approximately 95.0F (increasing).
The additional thermocouples in the drywell and torus and the associated recorders which are used during normal mode of operation to monitor the drywell volumetric average and suppression pool bulk average temperature are classified as quality assurance (QA) level 1M and seismic category II/I. This classification means that these components are maintained like a QA level 1 component, and they will maintain their structural and mounting integrity during a seismic event.
The torus water temperature recorder and Division I drywell air temperature recorder are powered from a non-class IE distribution cabinet that is fed by a bus which is automatically restored by the emergency diesel generators (EDG) on a loss-of-offsite power. Thus, in the event of loss-of-offsite power, these recorders can be powered from the EDGs by closing a breaker. The Division II drywell air temperature recorder is powered from a class IE power bus. 7.6.1.12.2.2 Classification The primary containment temperature monitor subsystem is not a fully qualified system. The set of 24 primary containment monitoring thermocouples have been installed seismically.
Two thermocouples in the drywell, two in the suppression pool air space, and two in the suppression pool water have also been qualified environmentally for postulated accident conditions.
7.6.1.12.2.3 Power Sources Operating power for the two identical temperature monitors of the primary containment temperature monitor subsystem is supplied from separate 120-V ac instrument buses to prevent total loss of monitoring capability on interruption of an instrument bus.
7.6-32 REV 20 05/16 FERMI 2 UFSAR 7.6.1.12.2.4 Equipment Design Initiating Circuits Both monitors are in service when the reactor is operating in order to provide necessary backup monitoring. Redundancy Two identical monitors are provided in the primary containment temperature monitor subsystem. Separation Instrument control and power feed circuits of the two monitors comprising this subsystem are separate. Routing of thermocouple and power circuits by separate paths and penetrations precludes total loss of temperature monitoring capability by a single destructive event.
Testability To facilitate test and calibration, the temperature detectors are removable from their working locations. The recorders are tested and checked for calibration by the standard technique of using a millivolt box after disconnection of the thermocouple circuits.
7.6.1.12.2.5 Environmental Considerations The thermocouples, associated thermocouple lead circuits, and recording instrumentation are of a design that provides reliable operation under normal and postulated abnormal environmental conditions. The environmental conditions of specific plant areas are defined in Tables 3.11-1, 3.11-3, and 3.11-4.
7.6.1.12.2.6 Operational Considerations Normal The primary containment temperature monitor subsystem operates continuously during operation of the reactor, and secures recordings of the monitored temperatures. Should a LOCA occur, obtained recordings provide essential information about the temperatures monitored by the primary containment temperature monitor subsystem.
Operator Information Monitored temperatures are displayed on the recorder chart in the main control room, making this information directly available to the operations personnel when the plant is in operation.
7.6.1.12.3 Primary Containment Pressure Monitor Subsystem 7.6.1.12.3.1 System Identification The primary containment pressure monitor subsystem monitors the atmospheric pressure of the drywell and the pressure suppression chamber and records on redundant chart recorders in the main control room. The instrumentation for the drywell uses two pressure ranges, -5 to
+5 psig and 0 to 250 psig. The instrumentation for the pressure suppression chamber uses 7.6-33 REV 20 05/16 FERMI 2 UFSAR two ranges also, -5 to +15 psig and 0 to 80 psig. The low range of the pressure monitoring instrumentation enables detection of a change in drywell and or pressure suppression chamber pressure resulting from a primary containment leak and containment sprays, and provides for sensitive monitoring during normal operation of the plant and during shutdown and LOCA conditions. In order to provide continued monitoring of the drywell pressure during an extended loss of AC power, T5000F420B can be reopened using the DC solenoid valve T50F459B, as shown in Figure 7.6.11. The low range pressure monitoring instrumentation may also provide a means of detecting degradation of the containment pressure boundary. The high pressure ranges provide the capability to measure a pressure transient arising from a LOCA. Pressure is displayed on a multipoint recorder. Two complete and independent pressure monitors comprise the primary containment pressure monitor system. This subsystem has no control function; its purpose is that of data acquisition and advisory information. Pressure transmitters used to initiate ECCSs or to provide inputs to the RPS are described in Subsection 7.3.1 and Section 7.2.
7.6.1.12.3.2 Classification The primary containment pressure monitor subsystem is designed and installed as Category I.
The pressure transmitters incorporated in this subsystem are also environmentally qualified for postulated accident conditions.
7.6.1.12.3.3 Power Sources The electrical power for the powered equipment of the two pressure monitors in this subsystem is supplied from separate battery
-powered inverters.
7.6.1.12.3.4 Equipment Design Initiating Circuits Control of operation of the pressure detector equipment is manual. Operation of this monitoring subsystem is continuous when the reactor is in operation. Redundancy Two identical monitors are provided in the primary containment pressure monitor subsystem. Separation Electrical circuits of the two identical pressure monitors comprising this subsystem are routed separately to minimize vulnerability to total impairment of the monitor subsystem by a single destructive event.
Testability To facilitate periodic checks of operation of this subsystem, provisions are incorporated to allow for in
-place testing of the detectors and convenient removal for testing when the reactor is shut down.
7.6-34 REV 20 05/16 FERMI 2 UFSAR 7.6.1.12.3.5 Environmental Considerations The equipment of the primary containment pressure monitor subsystem is designed to operate reliably under the normal and postulated abnormal conditions of the equipment areas.
The environmental conditions of these areas are defined in Table 3.11-1.
7.6.1.12.3.6 Operational Considerations Normal The primary containment pressure monitor subsystem operates continuously during operation of the reactor, securing recordings of the pressures within the primary containment.
Safety Function Should a LOCA occur, secured recordings provide information sought about transients in the pressures monitored by the primary containment pressure monitor subsystem. Operator Information Monitored pressures are displayed on the recorder chart in the main control room as they are being recorded, making this information directly available while the plant is in normal operation. The pressure may fluctuate for a variety of reasons including changes in barometric pressure. A pressure rise above normal could indicate a process system leak as described in Subsection 7.6.1.8.5.2. The low range pressure monitoring instrumentation may also provide a means of detecting degradation of the containment boundary depending on the magnitude of the degradation. Unexplained changes in pressure during normal operation would therefore result in an investigation to determine the cause using the Corrective Action program as appropriate. If the drywell pressure increases above the trip value, the chart recorder increases chart speed to obtain better transient resolution. Peak pressure is also obtained by a peak-pressure indicator.
7.6.1.12.4 Pressure Suppression Pool Water Level Indicator Subsystem 7.6.1.12.4.1 System Identification The pressure suppression pool water-level indicator subsystem continuously monitors and records on a chart recorder in the main control room the water level in the pressure suppression chamber. The principal function of this monitor subsystem is to obtain data on water level in the pressure suppression chamber on occurrence of a LOCA. The subsystem also serves to indicate and record the water level in the course of normal operation of the plant and during shutdown and LOCA condition. In order to provide continued monitoring of the suppression pool level during an extended loss of AC power, T5000F421B can be reopened using the DC solenoid valve T50F468B, as shown in Figure 7.6.11. This is a supplementary function because the pressure suppression chamber water level is maintained, and the level indication is necessarily provided in the main control room as part of the torus water management system.
7.6-35 REV 20 05/16 FERMI 2 UFSAR 7.6.1.12.4.2 Classification The pressure suppression pool water level indicator subsystem is designed and installed as Category I. The transmitters are qualified to meet the environmental conditions of postulated accidents.
7.6.1.12.4.3 Power Sources Operating electrical power for the pressure suppression pool water level indicator subsystem is supplied from separate battery-powered inverters.
7.6.1.12.4.4 Equipment Design Initiating Circuits Control of operation of the pressure suppression pool water level indicator subsystem is manual. Operation of the subsystem is continuous during reactor operation and when the reactor is shut down. Redundancy Two identical level-indicator instrumentation provisions comprise the pressure suppression pool water level indicator system.
Separation The two independent level-indicator provisions comprising this subsystem have signal and power lines routed separately to minimize vulnerability to impairment of both subsystems by a single destructive event.
Testability The pressure suppression pool water level indicator subsystem incorporates means to allow for complete testing of the subsystem during periods when the reactor is shut down.
7.6.1.12.4.5 Environmental Considerations The equipment of the pressure suppression pool water level indicator subsystem is designed to operate reliably under the normal and postulated abnormal conditions to which the equipment would be exposed. The environmental conditions of the equipment areas are defined in Tables 3.11-1, 3.11-3, and 3.11-4.
7.6.1.12.4.6 Operational Considerations Normal The pressure suppression pool water level indicator subsystem is in continuous operation during operation of the reactor as well as during periods of shutdown, unless the equipment is taken out of service for test or maintenance purposes. Safety Function Should a LOCA occur, the recordings obtained provide essential information about the pressure suppression chamber water level during the abnormal conditions.
7.6-36 REV 20 05/16 FERMI 2 UFSAR Operator Information The water level in the pressure suppression pool is continuously indicated as well as recorded on a chart in the main control room.
7.6.1.13 Neutron Monitoring System Instrumentation and Control The neutron monitoring system (NMS) consists of six major subsystems which are
- a. Source range monitor b. Intermediate range monitor
- c. Local power range monitor d. Average power range monitor
- e. Rod block monitor
- f. Traversing in
-core probe.
7.6.1.13.1 System Identification The purpose of this system is to monitor neutron flux levels of the core over the range from shutdown to full power, and to provide signals to the RPS (Section 7.2). It also provides information for operation and control of the reactor. Basic system information is given in Table 7.6-2. Certain portions of the intermediate range monitor (IRM) and average power range monitor (APRM) systems provide a safety function, and portions of the rod block monitor (RBM) have been designed to meet IEEE 279-1971. All other portions of the NMS have no safety function.
7.6.1.13.2 Power Sources The power supplies for each system are discussed in the individual circuit description.
7.6.1.13.3 Source Range Monitor System 7.6.1.13.3.1 Equipment Design Circuit Description The source range monitor (SRM) provides neutron flux information during reactor startup and low-flux-level operations. There are four SRM channels. Each includes one detector that can be physically positioned in the core from the main control room (Figures 7.6-12 through 7.6-14). The detectors are inserted into the core for a reactor startup. They can be withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above.
The power for the monitors is supplied from the two separate +24 V dc buses. Two monitors are powered from each bus. The detector drives are powered by a 208-V ac three-phase bus.
7.6-37 REV 20 05/16 FERMI 2 UFSAR Each detector assembly consists of a miniature fission chamber and a low-loss, insulated transmission cable.
The sensitivity of the detector is 1.2 x 10-3 cps/nv nominal. The detector cable is connected underneath the RPV to shielded coaxial cable. This shielded cable carries the pulses to a pulse current preamplifier located outside the primary containment. The detector and cable are located inside the RPV in a dry tube sealed against reactor vessel pressure. A remote-controlled detector drive system moves the detector along the dry tube. Vertical positioning of the chamber is possible from above the centerline of the active length of fuel to approximately 2-1/2 ft below the reactor fuel region, as shown in Figure 7.6-13.
When a detector arrives at a travel endpoint, detector motion is automatically stopped. The SRM/IRM drive control logic is presented in Sheet 6 of Figure 7.6-16. The electronics for the SRMs, their trips, and their bypasses are located in one cabinet. Source
-range signal
-conditioning equipment is designed so that it can be used for open-core experiments.
A charge-sensitive preamplifier provides amplification and impedance matching for the signal conditioning electronics (Figure 7.6-17). The signal conditioning equipment converts the current pulses to analog dc voltages that correspond to the logarithm of the count rate.
The equipment also derives the period. The output is displayed on front panel meters and is provided to remote meters and recorders.
The logarithmic count rate meter displays the rate of occurrence of the input current pulses.
The period meter displays the time in seconds for the count rate to change by a factor of 2.72.
In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits. The trip outputs of the SRM operate in the fail-safe mode. Loss of power to the SRM causes the associated outputs to become tripped (Figure 7.6-16, Sheet 2). The SRM provides signals indicating SRM upscale, downscale, inoperative, and incorrect detector position to the RMCS to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. These rod blocking functions are discussed in Subsection 7.7.1.1.3.5. Appropriate lights and annunciators are also actuated to indicate the existence of these conditions (Table 7.6-5). One in one group of four SRM channels can be bypassed at any one time by the operation of a switch on the operator's console. Testability Each SRM channel is tested and calibrated. Inspection and testing are performed as required on the SRM detector drive mechanism. The mechanism can be checked for full insertion and retraction capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.
7.6.1.13.3.2 Environmental Considerations The wiring, cables, and connectors located within the drywell are designed for the environmental conditions identified in NEDO 31558A per References 7 and 8 in Appendix A.
7.6.1.13.4 Intermediate Range Monitor System 7.6-38 REV 20 05/16 FERMI 2 UFSAR 7.6.1.13.4.1 Equipment Design Circuit Description The IRM monitors neutron flux from the upper portion of the SRM range to the lower portion of the power range monitoring subsystems. The IRM system has eight IRM channels, each of which includes one detector that can be positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is turned to the RUN position and the LPRM is operative. Power Supply Power is supplied separately from the two 24-V dc sources. The supplies are split according to their use so that loss of a power supply results in the loss of only one trip system of the RPS. Physical Arrangement Each detector assembly consists of a miniature fission chamber attached to a low-loss, insulated transmission cable. When coupled to the signal conditioning equipment, the detector produces a reading of approximately 30 percent on the most sensitive range with a neutron flux of 10 8 nv. The detector cable is connected underneath the RPV to a shielded cable that carries the pulses generated in the fission chamber through the primary containment to the preamplifier.
The detector and cable are located in the drywell. They are movable in the same manner as the SRM detectors and use the same type of mechanical arrangement (Reference 1) and power supply. Signal Conditioning A voltage amplifier unit located outside the primary containment serves as a preamplifier. This unit converts the current pulses to voltage pulses, modifies the voltage signal, and provides impedance matching. The preamplifier output signal is coupled by a cable to the IRM signal conditioning electronics as shown in Figure 7.6-18. Each IRM channel receives its input signal from the preamplifier and operates on it with various combinations of preamplification gain and amplifier attenuation ratios. The amplification and attenuation ratios of the IRM and preamplifier are selected by an operator's console-mounted range switch that provides 10 ranges of increasing attenuation acting on the signal from the fission chamber (the first six ranges are called low range and the last four ranges are called high range). As the neutron flux of the reactor core increases from 1 x 10 8 nv to 1.5 x 1013 nv, the signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter. Outputs are also provided for a remote meter and recorder.
Trip Functions The IRMs are arranged in the core as shown in Figure 7.6-12 and are divided into two groups of IRM channels. Each group is associated with one of the two trip systems of the RPS.
Two IRM channels and their trip auxiliary are installed in each bay of a four-bay cabinet.
7.6-39 REV 20 05/16 FERMI 2 UFSAR Full-length side covers isolate the cabinet bays. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring. Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on when the high voltage drops below a preset level, when one of the modules is not plugged in, or when the OPERATE-CALIBRATE switch is not in the OPERATE position. Each of the other trip circuits can be specified to trip when preset downscale or upscale levels are reached.
The trip functions actuated by the IRM trips are indicated in Table 7.6-6. The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (Figure 7.6-16, Sheet 1). Subsection 7.7.1.1 describes the IRM rod block trips. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates a NMS trip of the RPS. Only one of the IRM channels must trip to initiate an NMS trip of the associated trip system of the RPS. Testability Each IRM channel is tested and calibrated using the appropriate Checkout and Initial Operations, Preoperational, or Surveillance Procedures. The IRM detector drive mechanisms and the IRM rod blocking functions are checked in the same manner as for the SRM channels. Each IRM channel can be checked to ensure that the IRM high flux scram function is operable.
7.6.1.13.4.2 Environmental Considerations The wiring, cables, and connectors located in the primary containment are designed for the environmental conditions identified in NEDO 31558A per References 7 and 8 in Appendix A.
7.6.1.13.5 Local Power Range Monitor System 7.6.1.13.5.1 Equipment Design Description The LPRM consists of fission chamber detectors, signal conditioning equipment, and trip functions. The LPRM also provides outputs to the APRM, RBM, and Integrated Plant Computer System (IPCS).
Power Supply Detector polarizing voltage for the LPRMs is supplied by eight pairs of redundant-dc power supplies, adjustable from 75 to 200 V dc. The 75-200 V dc power supplies can supply up to 3 milliamperes for each LPRM detector which ensures that the chambers can be operated in the saturated region at the maximum specified neutron fluxes. Each dc power supply pair powers approximately one-eighth of the LPRMs. Power for the dc power supplies comes redundantly from the two 120 V ac Reactor Protection System buses via intermediate dc power supplies. These intermediate dc supplies also provide power for the LPRM amplifiers. 7.6-40 REV 20 05/16 FERMI 2 UFSAR Physical Arrangement The LPRMs include 43 LPRM detector strings having detectors located at different axial heights in the core. Each string contains four fission chambers. These assemblies are distributed to monitor four horizontal planes throughout the core. Figure 7.6-12 shows the LPRM detector radial layout scheme that provides a detector assembly at every fourth intersection of the water channels around the fuel bundles. Thus, every location has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant. The detector assemblies (see Figure 7.6
-19) are inserted in the core in spaces between the fuel assemblies. They are inserted through thimbles mounted permanently at the bottom of the core lattice and penetrate the bottom of the RPV. These thimbles are welded to the RPV at the penetration point. They extend down into the access area below the RPV where they terminate in a flange. The flange mates to the mounting flange on the in
-core detector assembly. The detector assemblies are locked at the top end to the top fuel guide by means of a spring
-loaded plunger. Special water
-sealing caps are placed over the connection end of the assembly and over the penetration at the bottom of the vessel during installation or removal of an assembly. This prevents loss of reactor coolant water on removal of an assembly, and also prevents the connection end of the assembly from being immersed in the water during installation or removal.
Each LPRM detector assembly contains four miniature fission chambers with an associated solid sheath cable. The chambers are vertically spaced in the LPRM detector assemblies in a way that gives adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies. Each fission chamber produces a current that is coupled with the LPRM signal conditioning equipment to provide the desired scale indications.
Each miniature chamber consists of two concentric cylinders that act as electrodes. The inner cylinder (the collector) is mounted on insulators and is separated from the outer cylinder by a small gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated outer electrode. The chamber is operated at a polarizing potential of approximately 100 V dc. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage and is reasonably linear over the design operating range (Reference 1).
Each assembly also contains a calibration tube for a traversing in
-core probe (TIP). The enclosing tube around the entire assembly contains holes that allow circulation of the reactor coolant water to cool the fission chambers. Numerous tests have been performed on the chamber assemblies, including tests of linearity, gamma sensitivity, and cable effects (Reference 1). These tests and experience in operating reactors provide confidence in the ability of the LPRM system to monitor neutron flux to the design accuracy throughout design lifetime. Signal Conditioning 7.6-41 REV 20 05/16 FERMI 2 UFSAR The current signals from the LPRM detectors are transmitted to the LPRM amplifiers in the main control room. The current signal from a chamber is transmitted directly to its amplifier through shielded cable. The amplifier is a linear current amplifier whose voltage output is proportional to the current input and therefore proportional to the magnitude of the neutron flux. The amplifier output is "read" by the digital processing electronics. The digital electronics applies hardware gain corrections, performs filtering and applies the LPRM gain factors. The digital electronics provides suitable output signals for the computer recorders, annunciators, etc. The LPRM amplifiers also isolate the detector signals from the rest of the processing so that individual faults in one LPRM signal path will not affect other LPRM signals. The LPRM signals are indicated on the reactor console. When a central control rod is selected for movement, the LPRM values associated with the nearest 16 LPRM detectors are displayed on console readouts. Each of the four axially spaced LPRM detector signals from each of the four LPRM assemblies are displayed. The operator can readily obtain readings of all the LPRM amplifiers by selecting the control rods in the correct order or by selecting summary LPRM screens on digital operator displays. Subsection 7.7.1.1 describes in greater detail the indications on the reactor console. Trip Functions The trip functions for the LPRM provide trip signals to activate displays and annunciators.
The outputs for the trip functions are designed to go to the "tripped" state on loss of power to the processing electronics. Table 7.6-7 indicates the trips. The trip levels can be adjusted to within 0.1 of full-scale deflection, and the expected error is approximately 1 percent of full scale.
Testability LPRM channels are calibrated using data from previous full power runs and TIP data and are tested. 7.6.1.13.5.2 Environmental Considerations Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. The chambers are designed for the environmental conditions identified in NEDO 31558A per References 7 and 8 in Appendix A.
7.6.1.13.6 Average Power Range Monitor System 7.6.1.13.6.1 Equipment Design Description The APRM system has four APRM channels, each of which uses input signals from a number of LPRM channels. Each of the four APRM channels provide inputs to four two-out-of-four voter channels. Two of the voter channels are associated with each of the trip systems of the Reactor Protection System. All four APRM channels are associated with both of the Reactor Protection System trip systems in that they provide inputs to each of the four voter channels.
7.6-42 REV 20 05/16 FERMI 2 UFSAR Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function which monitors small groups of LPRM signals to detect thermal
-hydraulic instabilities. The OPRM Upscale function is enabled in the intended region on the plant power/flow map. The OPRM Upscale Function receives input signals from the LPRMs within the reactor core, which are combined into cells for evaluation by the OPRM algorithms. An OPRM Upscale trip function is generated from an APRM channel when the period based detection algorithm (basis for the safety analysis) in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals of the LPRM detectors in a cell, with the period confirmations and relative cell amplitude exceeding specific setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from any channel if either the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux for one or more cells in that channel. Power Supply The APRM channels receive power redundantly from the 120-V ac supplied RPS buses.
Each APRM two-out-of-four voter channel receives power from the same 120 V ac power as the Reactor Protection System trip system with which it is associated.
Signal Conditioning The APRM channel uses digital electronic equipment which averages the output signals from a selected set of LPRMs, generates trip outputs via the two-out-of-four voter channels, and provides signals to readout equipment. Each APRM channel can average the output signals from up to 43 LPRM channels. Assignment of LPRM channels to an APRM is shown in Figure 7.6-20. The letters at the detector locations in Figure 7.6
-20 refer to the axial positions of the detectors in the LPRM detector assembly. Position A is the bottom position, position B and C are above position A, and position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions throughout the core. Some LPRM detectors may be bypassed, but the averaging logic automatically corrects for these by removing them from the average. The APRM value calculated from the LPRM inputs is adjusted by a digitally entered factor to allow calibration of the APRM. Each APRM channel calculates a recirculation flow signal which is used to determine the APRM's flow-biased rod block and scram setpoints. Each signal is determined by summing the flow signals from the two recirculation loops (Figure 5.5-2). These signals are sensed from two flow elements, one in each recirculation loop. The differential pressure from each flow element is routed to four differential pressure transducers (eight total). The signals from two differential pressure transducers, one from each flow element, are routed to two inputs to the APRM digital electronics. Table 7.6-8 indicates the flow function trips. The APRM Channel Check surveillance will include a step to confirm that an APRM self-test is still running. It will also include a step to confirm that the RBM self
-test is still running since the RBM hardware performs the recirculation flow comparison checks, however, the alarm is bypassed when the reactor mode switch is not in the "RUN" position. A surveillance (channel check) finding that the self-test is not operating in both RBMs (means the recirculation flow comparison function is not available) will not automatically result in any APRM/OPRM channel being declared inoperable, but will result in an increased rate of "flow comparison" manual surveillances. The flow comparison surveillance will be 7.6-43 REV 20 05/16 FERMI 2 UFSAR performed at nominally hourly frequencies to correspond to the self-test frequencies assumed in the unavailability analysis for the PRNM system.
All APRM channels are powered redundantly, via intermediate low voltage dc power supplies, from both the "A" and "B" Reactor Protection System 120 V ac power buses. The LPRM signal processing equipment is powered by the same sources as their associated APRM channels.
Trip Function The digital electronics for the APRM channel provides trip signals directly to the Reactor Manual Control System and via the APRM two-out-of-four voter channels to the Reactor Protection System (RPS). Any two unbypassed APRM channels, via the APRM two-out-of-four voter channels, can initiate an RPS trip in both RPS trip systems. Any one unbypassed APRM can initiate a rod block. Table 7.6-9 lists the APRM trip functions. A simplified circuit arrangement is shown in Figure 7.6-21. The APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip setpoints with recirculation flow changes.
Subsection 7.7.1.1.3.5 discusses the thermal power monitor and the APRM in greater detail.
At least two unbypassed APRM channels must be in the upscale or inoperative trip state to cause an RPS trip output from the APRM two-out-of-four voter channels. In that condition, all four voter channels will provide an RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each of the four APRM two-out-of-four voter channels will have a half-trip, but no trip signals will be sent to the RPS. The trips from one APRM can by bypassed by operator action in the control room. Trip outputs to the RPS are transmitted by removing voltage to a relay coil, so loss of power results in actuating the RPS trips. A simplified APRM/RPS interface circuit arrangement is shown in
Figures 7.2-3a and 7.2-3b. In the startup mode of operation, the APRM "fixed" upscale trip setpoint is set down to a low level. This trip function is provided in addition to the existing IRM upscale trip in the startup mode. The trip settings are listed in Table 7.6-9. The trip functions are performed by digital comparisons in APRM electronics. The APRM flux value is developed by averaging the LPRM signals and then adjusting the average to be APRM power. The APRM power is processed through a first order filter with a six second time constant to calculate simulated thermal power. These calculations are all performed by the digital processor and result in a digital representation of APRM and simulated thermal power. For each RPS trip and rod block alarm, the APRM power or simulated thermal power, as applicable (see Table 7.5-4), is digitally compared to the setpoint (which was previously entered and stored). If the power value exceeds the setpoint, the applicable trip is issued. Testability The APRM channels are calibrated using data from previous fullpower runs and are tested by procedures in the applicable instruction manual. Each APRM channel can be tested individually for the operability of the APRM scram and rod blocking functions by introducing test signals. 7.6-44 REV 20 05/16 FERMI 2 UFSAR 7.6.1.13.6.2 Environmental Considerations All APRM equipment is installed and operated in the main control room environment as described in Table 3.11-
- 4. 7.6.1.13.7 Rod Block Monitor System 7.6.1.13.7.1 Equipment Design Circuit Description The RBM has two channels; each channel uses input signals from a number of LPRM channels. A trip signal from either RBM channel initiates a rod block. One RBM channel can be bypassed without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is four when using four LPRM assemblies, three when using three LPRM assemblies, and two when using two LPRM assemblies (Figures 7.6-22 and 7.6-22(a)). Power Supply The RBM power is supplied by two pairs of redundant dc power supplies, one pair for each RBM. Each dc supply in a pair is supplied by one of the two 120-V ac RPS buses, one RBM per bus. Signal Conditioning The RBM signal is generated by averaging a set of LPRM signals. The LPRM signals used depends on the control rod selected. Upon selection of a rod for withdrawal or insertion, the conditioned signals from the LPRMs around the rod will be automatically selected by the two RBM channels. (Figure 7.6-22 shows examples of the four possible LPRM/selected rod assignment combinations.) For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-position and D-position detectors, and all four of the C-position detectors. A-position LPRM detectors are not included in the RBM averages, but are displayed to the operator. When a rod near, but not at, the edge of the core is selected, where there are fewer than four, but at least two, LPRM strings around the rod, the number of detectors used by the RBM channels is either six or four depending on how many LPRM strings are available. If a detector has been bypassed in the LPRM system, that detector is automatically deleted from the RBM processing and the averaging logic is adjusted to average only the remaining detectors.
After selection of a control rod, each RBM channel calculates the average of the related LPRM detectors and calculates a gain factor that will adjust the average to 100. Thereafter, until another rod is selected, the gain factor is applied to the LPRM average to obtain the RBM signal value. The RBM signal value is compared to RBM trip setpoints. When a peripheral rod is selected, or if the APRM value from the RBM's associated APRM is below the automatic bypass level (approximately 30% power), the RBM function is automatically bypassed, the rod block outputs are set to "permissive", and the RBM average is set to zero.
7.6-45 REV 20 05/16 FERMI 2 UFSAR Each RBM channel receives the total recirculation flow and status from all four APRMs using high-speed fiber optic communication links to provide circuit isolation. The RBM channel provides a trouble alarm (flow compare) when the difference between max and min values for total recirculation flow exceeds a user defined setpoint (typically 10%), however, the alarm is bypassed when the reactor mode switch is not in the "RUN" position. A surveillance (channel check) finding that the self-test is not operating in both RBMs (means the recirculation flow comparison function is not available) will not automatically result in any APRM/OPRM channel being declared inoperable, but will result in an increased rate of "flow comparison" manual surveillances. The flow comparison surveillance will be performed at nominally hourly frequencies to correspond to the self-test frequencies assumed in the unavailability analysis for the PRNM system.
Trip Function The RBM supplies a trip signal to the Reactor Manual Control System to inhibit control rod withdrawal. The trip is set whenever the RBM signal value exceeds the RBM setpoint.
There are three different setpoints, each a percentage above the RBM initial value of 100.
Figure 7.6-22(b) illustrates the trip setpoints. The particular setpoint that is applied is selected based on the simulated thermal power value from the RBM's associated APRM channel (an alternate APRM channel is assigned and is automatically used for inputs if the primary APRM channel is bypassed or inoperative). Higher APRM simulated thermal power values select a lower setpoint. That is, at higher power levels, the percentage increase in the RBM value allowed is less than at lower power levels. Below 30 percent power, fuel damage cannot occur for any single rod withdrawal; hence, the RBM system is automatically bypassed. The low trip setpoint (LTSP) is enforced between 30 percent and 65 percent power, the intermediate trip setpoint (ITSP) is enforced between 65 percent and 85 percent power, and the high trip setpoint (HTSP) is enforced between 85 percent and 100 percent power. The core power input used to automatically select the applicable RBM trip is provided by the APRM. The RBM system is automatically bypassed if the control rod has one or more adjacent fuel bundles comprising the outer boundary of the core. The operator can bypass one of the two RBMs at any time. Either RBM can inhibit control rod withdrawal (Figure 7.6-16, Sheet 1). Table 7.6-10 indicates the trips. Isolation Separation and Redundancy - The RBM channels A and B are redundant, separate, and isolated. The only exception is the sharing of LPRM C level detectors by both RBM channels. The impact on the availability of the RBM system due to the sharing of the C level detectors is small (Reference 9) and the benefits of the improved signal response far outweigh any perceived loss in signal redundancy; some other salient features are:
- a. Redundant, separate, isolated rod selection information (including isolated contacts for each rod selection push button) provided directly to each RBM channel. b. Independent, isolated RBM level readouts and status displays from the RBM channels. c. Independent, isolated rod block signals from RBM to the RMCS circuitry. Testability 7.6-46 REV 20 05/16 FERMI 2 UFSAR The RBM channels are tested and calibrated. The RBMs are functionally tested by introducing test signals into the RBM's channels.
7.6.1.13.7.2 Environmental Considerations See the description for the APRM.
7.6.1.13.8 Traversing In
-Core Probe System 7.6.1.13.8.1 Equipment Design Circuit Description The TIP system includes five TIP machines. Each TIP machine includes the following components:
- a. One TIP b. One drive mechanism
- c. One indexing mechanism
- d. Up to 10 in-core guide tubes
- e. One chamber shield
- f. One guide tube valve. The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine. Physical Arrangement A TIP drive mechanism uses a fission chamber attached to a flexible drive cable. The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contained by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. The indexing mechanism allows the use of a single detector in any one of ten different tube paths. The tenth tube is used for TIP cross-calibration with the other TIP machines. The control system provides both manual and semiautomatic operation. Electronics on the TIP panel amplifies and displays the TIP signal. Core position versus neutron flux is recorded on an X-Y recorder in the relay room and is provided to the computer. A block diagram of the drive system is shown in Figure 7.6-23. The heart of each TIP machine is the probe (Figure 7.6-24). It consists of a detector (fission chamber) and the associated signal drive cable. The body of the fission chamber is made of titanium with a neutron-sensitive inner coating of uranium-235. The chamber can operate in a neutron flux level of greater than 1014 nv. The saturation voltage is approximately 150 V dc (Reference 1).
7.6-47 REV 20 05/16 FERMI 2 UFSAR The signal current from the detector is transmitted from the TIP to amplifiers and readout equipment by means of signal cable, which is an integral part of the mechanical drive cable. The cable drive mechanism contains the drive motor, the cable takeup reel, an analog probe position indicator for the recorder, and a mechanical counter. The mechanical counter provides digital pulses to the control unit for positioning the TIP at specific locations along the guide tube. The drive mechanism inserts and withdraws the TIP and its cable from the reactor and provides detector position indication signals. The drive mechanism consists of a motor and drive gearbox that drives the cable in the manner of a rack and opinion. A two-speed motor provides a high speed for insertion and withdrawal (approximately 60 fpm) and a low speed for scanning the reactor core (approximately 7.5 fpm). A takeup reel is included in the cable drive mechanism to coil the drive cable as it is withdrawn from the reactor. This reel makes it possible to connect the TIP and its cable to the amplifier through a connector rather than slip rings. This reduces possible noise and maintenance problems. The analog position indicator and the mechanical counter (digital) are also driven directly from the output shaft of the cable drive motor. The analog position signal and a flux amplifier output are used to plot neutron flux versus TIP position. The TIP position signal is also available to the Integrated Plant Computer System (IPCS). The digital counter is used to position the TIP in the guide tube with a linear position accuracy of +/-1 in. The digital counter can control TIP positions at the top of the core for initiation of scan and at the bottom of the core for changing to fast withdrawal speed.
A circular transfer machine with 10 indexing points functions as an indexing mechanism. One of the 10 locations is available for access to the guide tube common to all the TIP machines. Indexing to a particular tube location is accomplished manually at the control panel by means of a position selector switch that energizes the electrically actuated rotating mechanism.
The tube transfer mechanism is part of the indexing mechanism and consists of a fixed circular plate containing 10 holes on the reactor side that mate to a rotating single-hole plate. The rotating plate aligns and mechanically locks with each fixed-hole position in succession. The indexing mechanism is actuated by a motor
-operated rotating drive. Electrical interlocks prevent the indexing mechanism from changing positions until the probe cable has been completely retracted beyond the transfer point. Additional electrical interlocks prevent the cable drive motor from moving the cable until the probe cable has been completely retracted beyond the transfer point. Additional electrical interlocks prevent the cable drive motor from moving the cable until the transfer mechanisms have indexed to the preselected guide tube location (Figure 7.6-16, Sheet 7). A valve system is provided with a valve on each guide tube entering the primary containment. These valves are closed except when the TIP system is in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the primary containment. They prevent the loss of containment integrity. A guide tube ball valve is opened manually prior to TIP insertion. The shear valve is used only if containment isolation is required when the TIP is beyond the ball valve and when power to the TIP system fails.
The shear valve, which is controlled by a manually operated keylock switch, can cut the 7.6-48 REV 20 05/16 FERMI 2 UFSAR cable and close off the guide tube. The shear valves are actuated by detonation squibs. The continuity of the squib circuits is monitored by indicator lights in the main control room. A guide tube ball valve is normally deenergized and is in the closed position. When the ball valve is manually opened, it actuates a set of contacts which gives a signal light indication at the TIP control panel (Figure 7.6-16). Signal Conditioning The readout instruments and electrical controls for the TIP machines are mounted in a cabinet in the relay room. Because there are several groups of guide tubes, each with an associated TIP machine, there are also several groups of readout equipment controls mounted in the cabinet. Each set of readout equipment consists of a dc amplifier and a dc power supply for the TIP polarizing voltage. A common X-Y recorder records the flux variations of each scan. An X-Y output is provided for the operator through the man-machine interface of the Integrated Plant Computer System (IPCS). Testability The TIP system equipment is tested and calibrated using heat balance data and by use of the common channel.
7.6.1.13.8.2 Environmental Considerations The equipment and cabling located in the primary containment are designed for the environmental conditions identified in NEDO 31558A per References 7 and 8 in Appendix A.
7.6.1.13.9 Thermal Power Monitor (TPM) The thermal power monitor (TPM) typically involves the flow-weighted APRM scram in conjunction with a 6-sec time constant circuit.
The APRM has two output signals. The APRM neutron flux signal is representative of the core average neutron flux. The APRM
-simulated thermal power (STP) signal represents the fuel surface heat flux. This signal is obtained by passing the neutron flux signal through a nonadjustable, 6-sec first order ("RC") filter to represent the fuel dynamics. A scram signal occurs when
- a. The APRM neutron flux signal exceeds a setpoint that is independent of the recirculation flow rate or
If the time constant, which affects scram initiation by the TPM, is less than the effective time constant for the fuel for this type of transient, the TPM should provide a conservative measure of the time variation in surface heat flux. However, if the time constant is appreciably larger than that for the fuel, the fixed APRM trip without a time constant would provide the scram protection. The resulting maximum critical power ratio (MCPR) would then be less than that predicted for the TPM scram, which has a lower setpoint.
7.6-49 REV 20 05/16 FERMI 2 UFSAR A General Electric analysis reported in the Supplemental Reload Licensing Report indicates that with a 6
-sec time constant, the TPM scram occurs before the high-neutron-flux scram, because of its lower setpoint of 117 percent nuclear boiler rated (NBR). Therefore, it was appropriate to take credit for TPM scram for the loss of feedwater heater event. Assuming the APRM neutron-flux scram occurs first, the surface heat flux will be below the 117 percent setpoint, and the result will be even less severe. The TPM used in Fermi 2 is safety grade and is designed to be single-failure proof.
7.6.1.14 Plant Cooling Water Systems Instrumentation and Control 7.6.1.14.1 System Identification 7.6.1.14.1.1 Reactor Building Closed Cooling Water System The reactor building closed cooling water system (RBCCW) contains three 50 percent-capacity water pumps, two 50 percent-capacity heat exchangers, a makeup tank, a bypass valve for regulating the differential pressure across the supply and return water headers, motorized isolation valves, and a service water supply for discharge of heat from the heat exchangers. During normal operation(with or without RBCCW supplemental cooling in operation), two heat exchangers and two pumps are in service, and one pump is retained in standby. Automatic controls are provided in the RBCCWS to maintain within their operational range the demin water level in the makeup tank, the water temperature at the outlet of the heat exchanger, and the differential pressure between the supply and return water headers.
When the GSW temperature is 60F or greater, operators have the option of placing the RBCCW supplemental cooling loops in service. Each loop is furnished with two 100 percent-capacity pumps and a plate and frame heat exchanger. Each RBCCW-SC loop takes suction from the RBCCW return header downstream of the RBCCW/EECW system interface, passes this water through a plate and frame heat exchanger in that loop to cool the RBCCW supplemental cooling water with chilled water from the supplemental cooling chilled water (SCCW) system, and discharges the cooled water to the RBCCW supply header just upstream of the RBCCW/EECW interface. When the RBCCW supplemental cooling pumps are in operation, each RBCCW supplemental cooling loop alone provides RBCCW flow to its respective division of EECW; thus the RBCCW supplemental cooling loops operate in parallel with the two 50 percent-capacity RBCCW pumps that service the nonessential loads outside of the EECW loops. Further details of the RBCCW supplemental cooling loops are described under Section 9.2.2.2.
7.6.1.14.1.2 Turbine Building Closed Cooling Water Systems The TBCCWS contains three 50 percent-capacity water pumps, two 100 percent-capacity heat exchangers, a makeup tank, a bypass valve for regulating the differential pressure across the supply and return headers, and a service water supply for discharge of heat from the heat exchangers. One pump and one heat exchanger are retained on standby. Automatic controls are provided to maintain condensate level in the makeup tank and the water temperature at 7.6-50 REV 20 05/16 FERMI 2 UFSAR the outlet of the heat exchanger outlet to the supply header, and to regulate the differential pressure across the supply and return headers.
7.6.1.14.1.3 Classification The RBCCWS is classified by regions, as indicated in Subsection 9.2.2. In the regions of the RBCCWS pumps, heat exchangers, makeup tank, and service water system, (including the RBCCW supplemental cooling loops), the classification is Quality Group D. In the regions of the drywell and the emergency equipment cooling water system (EECWS) components, the classification is Category I, Quality Group B and C, respectively. Elsewhere the classification is Quality Group D. The turbine building closed cooling water system (TBCCWS) and the supplemental cooling chilled water (SCCW) system are classified Quality Group D.
7.6.1.14.2 Supporting Systems 7.6.1.14.2.1 Electrical Power The electrical power for the instrumentation and control of the RBCCWS and TBCCWS is from the 120-V ac circuit which is stepped down from the 480 bus supplying power to the pumps. Power for operating the coils of the pump circuit breakers and associated condition-indicating lights is 130 V dc. A detailed description of the ac and dc power system is contained in Subsection 8.3.1.
7.6.1.14.2.2 Pneumatic Power In the RBCCWS and TBCCWS, pneumatic power is used for operation of the makeup tank level controller, heat exchanger outlet temperature controller, and water header differential pressure controller. In the RBCCW supplemental cooling loop, pneumatic power is used for operation of the temperature control valves. The pneumatic power is supplied by the air system described in Subsection 9.3.1.
7.6.1.14.2.3 Service Water Cooling water for the RBCCWS and TBCCWS heat exchangers is taken from the general service water (GSW) system of the plant. Details of the GSW system are contained in Subsection 9.2.1. GSW also provides the source of condenser cooling water for the supplemental cooling chilled water auxilliary support system to the RBCCW supplemental cooling loops. Details of the SCCW system are contained in Subsection 9.2.9.
7.6.1.14.3 Equipment Design 7.6.1.14.3.1 Initiating Circuits Normal initiation of pump operation and shutdown in the RBCCWS and TBCCWS is by manual control. Selection of one or two pumps to be operational is made by the operator in 7.6-51 REV 20 05/16 FERMI 2 UFSAR response to bypass-valve position indications that are activated by two position switches, one closing at the 10 percent valve open position and the other at the 85 percent open position.
Auxiliary controllers within the RBCCWS and TBCCWS function automatically to regulate the demin water level in the makeup tank, temperature at the process outlet of the heat exchanger, and the differential pressure across the supply and return headers. Separate controls automatically regulate the bypass of RBCCW flow around the RBCCW supplemental cooling plate-and-frame heat exchangers to regulate the temperature of the water supplied by the RBCCW supplemental cooling loops when they are in operation.
Manual operation of the temperature control valve is described in section 9.2.2.2. When RBCCW supplemental cooling is not in service, the RBCCW differential pressure controller functions to maintain EECW differential header pressure. With RBCCW supplemental cooling in operation, EECW differential header pressure is maintained by operation of the RBCCW supplemental cooling pumps themselves. In this mode of operation, the RBCCW differential pressure controller does not function to maintain EECW header differential pressure; however, it functions to allow two RBCCW pump operation outside of the RBCCW supplemental cooling loops.
7.6.1.14.3.2 Logic and Sequencing The control logic diagrams for the RBCCWS and TBCCWS pumps are illustrated in Figures 7.6-25(1) (excluding RBCCW Supplemental Cooling) and 7.6-26, respectively. Operation of the pumps is prevented if the level in the associated makeup tank or the suction pressure at the pump inlet is at or below the lower limit of the established control range (Table 7.6-2). The control logic diagram for the RBCCW supplemental cooling loops is illustrated in Figure 7.6-25(2). RBCCW supplemental cooling pump operation is prevented on the same RBCCW makeup tank low level level signal. The RBCCW supplemental cooling pumps are not equipped with low pump suction trips. Equipment protection is provided instead with low flow trips. An EECW start signal initiates closure of the RBCCW/EECW system isolation valves; a low flow condition in the RBCCW supplemental cooling loops results, which trips the RBCCW supplemental cooling pumps. The low flow trip is not required to assure the operation of the EECW during or after receipt of the initiation signal.
Four sensors for each of the two parameters (demin water level and suction pressure) supply inputs to a "one-out-of-two taken twice" logic arrangement to inhibit pump operation if these parameters are below normal. Activation of the logic for low suction pressure trips only the pump at which the low pressure is sensed. Activation of the logic for low demin water level in the makeup tank trips all the pumps in that system.
7.6.1.14.3.3 Bypasses and Interlocks Loss of offsite power, high drywell pressure, or drop in differential pressure across the supply and return headers of the RBCCWS results in isolation of coolant circuits that are not essential in an emergency and in automatic initiation of EECWS operation. Restoration of RBCCWS operation after power becomes available is by manual control. On loss of offsite power, the TBCCWS is deactivated. Initiation of system operation after power becomes available is by manual control.
7.6-52 REV 20 05/16 FERMI 2 UFSAR 7.6.1.14.3.4 Redundancy and Diversity The RBCCWS contains two divisions of flow, one of which is a redundant division. Under normal conditions both divisions are operational. On loss of offsite power, high drywell pressure, or drop in differential pressure across the supply and return headers, the EECWS automatically takes over the function of supplying cooling water to vital equipment served by the two divisions (Section 7.3).
7.6.1.14.3.5 Testability The controls of the RBCCWS and TBCCWS are fully testable during normal operation of the plant as well as during shutdown periods.
7.6.1.14.4 Environmental Considerations The instrumentation and control of the RBCCWS and TBCCWS is designed to function with reliability under the environmental conditions that would be encountered under normal or postulated abnormal conditions. These conditions are defined in Tables 3.11-3 and 3.11-4.
7.6.1.14.5 Operational Considerations 7.6.1.14.5.1 Normal Under normal plant conditions, the RBCCWS and TBCCWS are operated with one or two pumps, initiated manually, to meet the cooling needs as they arise. In the event of a malfunction of a pump or heat exchanger, operation of the standby unit is manually initiated, and the malfunctioning unit is deactivated by manual action or by automatic trip. When the GSW supply temperature exceeds 60F, the operators have the option of initiating the RBCCW supplemental cooling loop(s) to provide additional RBCCW cooling capacity.
7.6.1.14.5.2 Operator Information Attention of the operator is secured when the need arises for an increase or decrease of pumping capacity in the RBCCWS or TBCCWS by control room annunciators which indicate the near
-open or near-closed positions of the bypass valve. Readout instruments are provided locally to display the demin water level and gas pressure in the makeup tanks and the pumps discharge pressure. Control room annunciators also alert operators to abnormal demin water level or gas pressure in the makeup tanks Readout instruments provided in the main control room display process outlet temperature of the heat exchangers and supply/return header pressure. With the RBCCW supplemental cooling loops in operation, the supply temperature to the EECW loops is indicated by the EECW divisional supply temperatures to the drywell. High and low demin water level, low gas pressure in the makeup tanks, and drop in differential pressure or in the supply and return headers of either EECW division are alarmed. Recorders register the initiation, shutdown, or tripout of the pumps in each system.
7.6.1.15 Fuel Pool Cooling and Cleanup System Instrumentation and Control 7.6-53 REV 20 05/16 FERMI 2 UFSAR 7.6.1.15.1 System Identification 7.6.1.15.1.1 Function The purpose of the fuel pool cooling and cleanup system (FPCCS) instrumentation and control is to provide protection for the system from overheating and to provide the operator with information concerning the effectiveness of operation of the system.
7.6.1.15.1.2 Instrumentation Classification The FPCCS is not a safety
-related system. Therefore, the instrumentation is classified as nonessential. The instrumentation is a standard industrial type for which performance has been proven by years of service throughout the industry.
7.6.1.15.2 Power Sources The FPCCS instrumentation is fed from the plant instrumentation bus. No backup power source is necessary since the FPCCS is not a safety
-related system. The system wiring is protected against short circuit by appropriate fuses. Thus, a short circuit within the FPCCS wiring has only a local effect, which can be corrected without shutting down the FPCCS.
7.6.1.15.3 Equipment Design The equipment for the FPCCS system is comprised of circulating pumps, heat exchangers, filters, surge tanks, and required piping, valves, instrumentation and controls. The spent fuel pool water is continually circulated in a closed loop except when the FPCCS is used to drain the reactor well and dryer-separator pit. The FPCCS functions and description are explained in Section 9.1.3. The operating configurations for the FPCCS are obtained by means of manually operated valves and weir gates. The system operation is monitored by instrumentation that provides the operator with a means of evaluating system performance and also provides alarms in the event of a malfunction. Irradiated components and spent fuel require cooling in addition to the shielding provided by the spent fuel pool. The cooling is provided on a continuous basis during normal operation of the FPCCS. The instrumentation of the FPCCS measures conductivity, temperature, system flow rate, level, and leakage. Indications of the system performance are furnished to the plant operators.
7.6.1.15.3.1 Conductivity The ionic concentration in the water leaving each demineralizer unit is monitored by a conductivity-measuring system consisting of a conductivity cell, indicating transmitter, and a recorder. 7.6-54 REV 20 05/16 FERMI 2 UFSAR 7.6.1.15.3.2 Pump Discharge Pressure The discharge pressure of each FPCCS pump is monitored by its pressure-indicating switch. If the pump discharge pressure falls below the switch setpoint, a contact set of the switch actuates a local indicator lamp. Another flow switch contact set opens in the actuating path of the alarm annunciator "Fuel Pool Cooling Trouble."
7.6.1.15.3.3 Temperature The temperature of the liquid in the piping system associated with the FPCCS pumps, heat exchangers, and valves is monitored by individual temperature elements, and the observed temperatures are recorded by a multipoint recorder. Temperature elements monitor the operation of the FPCCS. In each instance, the temperature levels observed by the temperature monitoring circuits are recorded on a multipoint recorder in the main control room. 7.6.1.15.3.4 Leakage The leakage rates past the refueling bellows and the gate seal or drywell
-to-reactor-well seal are monitored by circuit arrangements consisting of a flow switch and alarm annunciator (Figure 9.1-23). Liquid leakage past the refueling bellows is caught and routed past the flow switch before being piped to the drywell equipment drain sump. When the leakage liquid flow rate through the flow switch exceeds the high flow setpoint, flow switch contact sets energize an indicator lamp and initiate the alarm annunciator, "Fuel Pool Cooling Trouble." 7.6.1.15.3.5 Level The water levels in both the spent fuel pool and the skimmer surge tank are monitored by alarm annunciator circuits. The spent fuel pool water level is monitored by a level sensor switch assembly that trips if the water level rises above the high level setpoint. On the high
-level trip, the alarm annunciator activates and a local indicator lamp lights. Lowered water level automatically resets the level
-sensing alarm circuitry.
The skimmer surge tank water level is monitored for both high and low water level. A high-water condition trips a level switch, which activates the alarm annunciator and lights a white indicator lamp. Subsequent lowering of the water level below the high trip setpoint
automatically resets the alarm circuitry. Excessively low water levels in the skimmer surge tank cause a trip in the low water level sensor level switch. An alarm annunciator actuates and a white indicator lamp lights on the trip. The alarm circuit automatically resets with normal water level restored in the tank.
All annunciator alarms are located in the main control room panel with their attendant instrumentation located at local panels. The sensors are located at their respective monitoring positions. Specific alarm points are listed in Table 7.6-11. To comply with NRC Order EA 12-051, spent fuel pool levels are monitored by Primary and Backup instrument channels. Each channel consists of a seismically installed level probe in the spent fuel pool, a signal processor with battery backup, and a remote level indicator. Primary and backup indicators are located in the main control room and reactor building 7.6-55 REV 20 05/16 FERMI 2 UFSAR second floor which are capable of supporting the following spent fuel pool actual water levels: Level 1: Level that is adequate to support operation of the normal fuel pool cooling system, i.e. the surface of the water is maintained at Elevation 683'6" by scuppers that act as skimmers and wave suppressors. Level 2: Level that is adequate to provide substantial radiation shielding for a person standing on the spent fuel pool operating deck, i.e. 18' above the top of the fuel in the storage racks (el. 679' 1/8") Level 3: Level where fuel remains covered and actions to implement make-up water addition should no longer be deferred, i.e. <12 in. above the top of the fuel in the storage racks (el. 661' 1/8")
7.6.1.15.4 Testability Because the FPCCS is usually in service during plant operation, satisfactory performance is demonstrated without the need for any special inspection or testing beyond that specified in the manufacturer's instructions.
7.6.1.15.5 Environmental Considerations The FPCCS is not required for safety purposes, nor is it required to operate after the DBA.
The FPCCS is required to operate in normal plant environment only.
7.6.1.15.6 Operational Considerations The FPCCS instrumentation and control is not required for safe operation of the plant. It provides a means of monitoring parameters of the system and protecting the system.
7.6.1.16 Deleted 7.6.1.17 Control Air System 7.6.1.17.1 System Function The station air system normally provides control air for operation and control of various plant systems that are safety related as well as those that are nonsafety related. If the control air system pressure drops to 85 psig, indicating an abnormal loss of air pressure, the control air compressors will automatically start for the purpose of supply to its associated division. If pressure drops to 75 psig, the control air system will be isolated from the station air system and also the nonsafety related plant systems. See Subsection 9.3.1 for a more detailed discussion of the control air system.
7.6.1.17.2 Classification The noninterruptible portion of the control air system, including the compressors, filters, dryers, afterfilters, and receivers, is classified as Category I. The interruptible portion of the 7.6-56 REV 20 05/16 FERMI 2 UFSAR control air system, including its filter, dryer, afterfilter, and receiver, is classified as nonseismic.
7.6.1.17.3 Supporting Systems 7.6.1.17.3.1 Electrical Power The electrical power required for operation of the control air system is supplied from the 480-V ac bus as described in Subsection 8.3.1.
7.6.1.17.3.2 Service Water The cooling water required for operation of the control air system is supplied from the RBCCW or EECW system as described in Subsection 9.2.2.
7.6.1.17.4 Equipment Design 7.6.1.17.4.1 Initiating Circuits Initiation of the noninterruptible control air system compressors occurs automatically on detection of low control air header pressure (85 psig), loss of offsite power, or a level 2 LOCA signal. In addition, isolation of the noninterruptible control air system from the station air and interruptible control air systems occurs automatically on detection of low noninterruptible control air header pressure (75 psig) or a loss of offsite power. Normally, the interties between the station air system and control air systems are open and the noninterruptible control air compressors are in auto standby.
7.6.1.17.4.2 Logic and Sequencing Pressure sensors are provided to detect low control air system pressure. Activation of the logic for low control air header pressure causes isolation of the control air system and startup of the control air compressor.
7.6.1.17.4.3 Bypasses and Interlocks A drop in control air header pressure results in isolation to prevent the use of noninterruptible control air by nonessential control air users. If offsite power is available, the control air compressors start prior to system isolation. On loss of offsite power, the control air compressors are started by the automatic load sequencer when diesel generator power becomes available. See Subsection 8.3.1.1.7 for a more detailed discussion of the automatic load sequencer.
7.6.1.17.4.4 Redundancy and Diversity The noninterruptible control air system consists of two divisions for redundancy. Under normal operating conditions both divisions are supplied from the station air system. On loss of noninterruptible control air pressure, the control air compressors automatically take over the function of supplying control air to the vital equipment served by the two divisions of the 7.6-57 REV 20 05/16 FERMI 2 UFSAR control system. The interruptible control air system is supplied separately from the station air system. A normally closed tie from this system can be opened to provide air supply (if available) to the Division II noninterruptible control air system in the event of loss of its normal and control air compressor supply.
7.6.1.17.4.5 Testability The controls for the control air system are fully testable during normal plant operation as well as during shutdown periods.
7.6.1.17.5 Environmental Considerations The instrumentation and control of the control air system is designed to function with reliability under the environmental conditions that would be encountered under normal or postulated accident conditions. These conditions are defined in Table 3.11-4.
7.6.1.17.6 Operational Considerations 7.6.1.17.6.1 Normal Under normal operating conditions, station air is the supply to both control air systems through their respective dryers. Under these conditions, the noninterruptible control compressors are normally in standby. In the event of low control air header pressure, the noninterruptible control air system divisions are isolated from the interruptible air users. The control air compressors will start automatically prior to this isolation.
7.6.1.17.6.2 Operator Information Readout instruments are provided in the main control room to display and record the Division I and II control air pressures. Recorders register the automatic initiation of the control air system compressors.
7.6.1.18 Alternate Rod Insertion 7.6.1.18.1 Equipment Identification The alternate rod insertion (ARI) components of the CRD system are designed to mitigate the potential consequences of an anticipated transient without scram (ATWS) event. The ARI components are redundant to the RPS.
7.6.1.18.2 Equipment Design 7.6.1.18.2.1 Initiating Circuits There are three initiating signals used for the ARI logics, namely:
- a. Reactor dome high pressure 7.6-58 REV 20 05/16 FERMI 2 UFSAR
- b. Reactor low water level 2
- c. Manual initiation in the main control room Any one of the above signals can initiate the divisional ARI logics as shown in Figure 7.7-3, Sheet 4. Additional immediate response to the initiation signals includes the recirculation pump motor generator field breaker trip (see Subsection 7.7.1.2.3.1).
7.6.1.18.2.2 Logic Two divisional ARI logic systems are provided: Division I, consisting of logic channels A and C, and Division II for logic channels B and D. The signal to insert the control rods is generated in two separate divisions on two-out-of-two logic channels in a given division. The ARI logic receives reactor dome pressure and water level signals from the nuclear boiler system. The logic causes automatic energization of the ARI solenoid valves when either the reactor high-pressure trip set point or low-water level 2 set point is reached. The ARI logic can also be initiated manually from the main control room. Each ARI logic channel is provided with a disarmed/armed pushbutton switch. Both pushbutton switches in a given division must be depressed to energize the ARI logic and initiate control rod insertion. The ARI initiation signals are designed to seal in the initiation logic to ensure completion of the ARI function until it is reset manually. A reset pushbutton per division is provided in the main control room to clear the ARI logic. A timer is used in each of the ARI logic channels to inhibit the reset function for approximately 30 seconds after the initiation signal is received. A 30-second time delay is selected to ensure completion of the ARI function before the logic can be reset.
The initiation of the two separate ARI logics results in the energization of eight Class 1E dc solenoid valves (four per division). Two of these, F160A and B, vent the scram air supply line just downstream of the F110A and B backup scram valves. (Refer to Figure 7.6-36).
These ARI valves also act to block the supply of air to the scram header. Check valves F161A and B provide an air-flow path around the F160 valves in the event one or more of them fails. Four additional ARI valves, F162A, B, C, and D, vent the A and B scram header to the atmosphere. As the header depressurizes, the scram valves at each hydraulic control unit will spring open scramming the rods. Two ARI valves, F163A and B, vent the scram air header to the scram discharge volume drain and vent valves, closing these valves and isolating the scram discharge volume. All eight ARI valves are normally deenergized.
7.6.1.18.2.3 Annunciation and Indication The manual initiation pushbutton switch in the main control room activates an annunciator window whenever it is placed in armed position. A separate annunciator window is activated upon initiation of the ARI logic circuits. The open and close position of the ARI solenoid valves are also indicated in the main control room.
7.6.1.18.2.4 Testability Four separate ARI initiation logic channels are provided to permit maintenance, repair, test, or calibration of all circuit devices (at power) up to but not including the final trip devices 7.6-59 REV 20 05/16 FERMI 2 UFSAR (ARI solenoid valves). Each ARI logic channel is provided with a test jack and indicating lights to verify logic activation in any given division.
7.6.1.19 Safety/Relief Valves 7.6.1.19.1 System Identification The nuclear pressure relief system is designed to prevent over-pressurization of the nuclear system that could lead to the failure of the reactor coolant pressure boundary.
7.6.1.19.2 Safety/Relief Valve Equipment Design Safety/relief valves (SRVs) are dual
-functioning types: automatic self-actuating and solenoid operated. The valves are self
-actuated when reactor pressure exceeds spring set pressures that are adjustable in range. The SRVs are divided into three spring-set-pressure groups. The first group consists of five valves set to open when vessel pressure exceeds 1135 psig, the second group consists of five valves set to open when vessel pressure exceeds 1145 psig, and the third group consists of five valves set to open when vessel pressure exceeds 1155 psig. The solenoid-operated air pilot valves permit remote manual or automatic opening.
The pilot valve controls the pneumatic pressure applied to an air cylinder operator that controls valve opening and closing. Each valve associated with ADS has an accumulator to store pneumatic energy with sufficient capacity for several relief valve operations. The valves are capable of remote manual opening at any pressure above 100 psig and staying open, once opened, until pressure decreases to 50 psig. Five of the SRVs are used for ADS (Subsection 7.3.1.2.2). Two SRVs are used for low-low setpoint relief (Subsection 7.6.1.19.9).
7.6.1.19.3 Initiating Circuits Reactor pressure exceeding the setpoint actuates the SRV. The SRV can also be manually actuated (by remote manual switch) or automatically by the ADS and low
-low setpoint relief logic. 7.6.1.19.4 Logic and Sequencing No automatic logic is involved in the overpressure safety function of the SRVs. (See Subsection 7.6.1.19.9 for low-low setpoint relief logic and Subsection 7.3.1.2.2 for the ADS logic.) 7.6.1.19.5 Bypasses and Interlocks Bypasses are not used in the normal SRV function. An arming circuit is used as an interlock to prevent the low-low setpoint valves from prematurely actuating during normal plant operation. The interlock is required because the reopening setpoint of the low valve is near the normal reactor operating range.
7.6-60 REV 20 05/16 FERMI 2 UFSAR 7.6.1.19.6 Redundancy and Diversity Seven of the SRVs and their respective monitoring system pressure switches are powered by Division I. The other eight SRVs and their respective monitoring system pressure switches are powered by Division II. The SRVs are designed to meet ASME Boiler and Pressure Vessel Code Section III, and therefore diversity is not provided.
7.6.1.19.7 Actuated Devices Relief valves are actuated by the following two means:
- a. Self-actuation by reactor pressure exceeding the spring set pressure setpoint
- b. Solenoid pilot operation by remote manual control or automatically by ADS (Subsection 7.3.1.2.2) or low-low set relief logic.
7.6.1.19.8 Separation Logic circuitry, controls, and instrumentation are designed to maintain physical and electrical separation between Division 1 and Division II.
7.6.1.19.9 Low-Low Setpoint Relief Logic Two of the 15 SRVs are provided with lower opening and closing setpoints that override the normal setpoints following initial opening of one or more SRVs using the normal setpoint.
Logic for this low
-low setpoint consists of reactor pressure transmitters that are enabled (armed) by a separate reactor high-pressure (scram) signal and a signal that one or more SRVs are open. The two low-low set SRVs have slightly different opening and closing setpoints, thus ensuring that only one SRV at a time will reopen on increasing pressure after initial SRV actuation and closure. This arrangement serves to damp reactor pressure surges. The low-low set logic automatically seals itself into control of the two selected valves and actuates an annunciator in the control room. This logic remains sealed in until manually reset by the operator.
Since the two valves will already have opened when reactor pressure exceeded the original (normal) overpressure safety setpoint, the low-low set logic acts to hold the valves open past their normal reclose points until the pressure decreases to a predetermined "low
-low" setpoint. Thus, the valves remain open longer than the other SRVs. The low-low set logic is designed with redundancy and single-failure criteria; that is, no single electrical failure will(1) prevent any low
-low set function from operating, and (2) cause inadvertent seal-in of low-low set logic.
The two valves associated with low-low set are arranged in two independent secondary setpoint groups or ranges (low and high). The low- and high-pressure groups consist of one valve each, having both reopen and reclose setpoints independently and uniquely adjustable.
These are set considerably lower than their normal SRV setpoints. Each SRV valve has its own set of two tailpipe pressure switches. These pressure switches are arranged in two divisions for each low-low set valve so that opening of a single SRV will 7.6-61 REV 20 05/16 FERMI 2 UFSAR result in arming of both divisions of low-low set logic. The single
-failure criterion is thus met for this function. The operability of the low-low function is dependent on the operability of the instrumentation channels providing inputs to the low-low set logic. Besides the reactor steam dome pressure-high and low-low set pressure setpoint signals, each division of the low-low set logic normally receives at least five SRV pressure switch inputs from one group of SRVs with the same pressure setpoint. The low-low set logic is capable of performing its function (i.e., preventing multiple actuations of the SRVs) even if both pressure switches associated with one SRV tailpipe become inoperable. The loss of SRV position indication in this case will not challenge the assumptions of the safety analyses for a stuck-open SRV event (see Section 15.1.4).
7.6.1.19.10 Low-Low Setpoint Relief Logic Testability The SRV system has two low-low setpoint logics, one in Division I and one in Division II. Either one can perform the low-low set function. Each valve has its own set of pressure switches. The sensors are arranged in two separate channels per each division and two-out-of-two logic is used to open the valves. Thus, the sensors and logic of each channel can be tested separately without actually actuating the valves. Indicator lights are provided to facilitate logic testing.
7.6.1.19.11 Environmental Considerations The solenoid valves and their cables, pressure switches for indication, and the SRV operators are the only SRV controls located inside the drywell. All equipment will meet applicable environmental requirements.
7.6.1.19.12 Operator Information A temperature element is installed on the SRV discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the control center to provide a means of detecting SRV leakage during plant operation. When the temperature in any SRV discharge piping exceeds a preset value, an alarm is sounded in the control room. The alarm setting is far enough above normal (rated power) drywell ambient temperatures to avoid spurious alarms, yet low enough to give early indication of significant SRV leakage.
Valve actuation is monitored by the SRV open/closed monitoring system (SRVOCMS) pressure switches connected to the SRV discharge line. An open SRV pressurizes the discharge line, which actuates the pressure switch that provides the input to the SRV monitor circuit. The monitor circuit provides inputs to SRV annunciators in the control room, to the Integrated Plant Computer System (IPCS), to the open-close indicators in the control room, and to the low-low setpoint relief logic. The SRVOCMS setpoint is selected so the pressure switch will actuate when the SRV opens in the expected operating range but will not respond to a leaking SRV. The expected operating range of the SRVOCMS is from 200 psig to the SRV safety function actuation point. The SRVOCMS uses Class 1E power and has a power supply monitor with annunciation upon loss of power. If a pressure switch becomes inoperable, SRV position indication relies on monitoring the SRV tail-pipe temperature recorder in the relay room as a backup means for determination of an open SRV.
7.6-62 REV 20 05/16 FERMI 2 UFSAR 7.6.1.20 Rod Worth Minimizer (RWM) 7.6.1.20.1 System Identification 7.6.1.20.1.1 Function The objective of RWM is to provide backup to the operator for control rod pattern control in reactor startup and for control rod manipulation during low power operations. The nuclear measurement analysis and control RWM function is described in Reference 7.
7.6.1.20.1.2 Classification The RWM is used for power generation only.
7.6.1.20.2 Power Source The RWM receives its power from the 120V AC uninterruptible power supply.
7.6.1.20.3 Description The RWM microcomputer system is a stand
-alone microcomputer
-based system with an RWM operator display and a continuous operating self-test feature that enforces adherence to established startup, shutdown, and low power level control rod procedures. The RWM microprocessor prevents the operator from establishing control rod patterns that are not consistent with prestored RWM sequences by initiating appropriate rod withdrawal block and rod insert block signals to the reactor manual control system rod block circuitry. The RWM sequences stored in the microprocessor memory are based on control rod worth at acceptable levels as determined by the design basis rod drop accident analyses.
7.6.1.20.3.1 RWM Inputs Sequence Up to four sequences are simultaneously stored for sequence control operation. The operator is permitted to switch between sequences when all rods are in or when above the low power alarm point (LPAP). The operator is permitted to switch between sequences at any power level, when both sequences conform to the present rod configuration within a single insert or withdraw error, not exceeding two notches. Sequence selection is accomplished under keylock control with insert and withdraw blocks applied. Bypass/Operate/Test A keylock switch is provided for selection of operate or alternately bypass during sequence control operation.
7.6-63 REV 20 05/16 FERMI 2 UFSAR During reactor shutdown, the test mode provides a single rod permissive function and a shutdown margin test facility.
Control Rod Selected The input is a binary coded identification of the control rod selected by the operator. Control Rod Position The input is a binary coded identification of all rod positions. Control Rod Drive Selected and Driving The RWM uses the rod selected and driving input to identify the envelope of rod motion for the selected rod.
Control Rod Bypass A maximum of eight control rods can be bypassed under keylock control. Reactor Power Level Feedwater system signals are used to implement two digital inputs to permit automatic bypass of the RWM function. The low power set point (LPSP) identifies the power level at which the RWM is automatically bypassed on reactor startup and automatically initiated on reactor shutdown. The low power alarm point (LPAP) identifies the approach to the LPSP on reactor shutdown. Select Insert and Select Withdraw The select insert and select withdraw inputs identify the direction of intended rod motion to permit termination of insert or withdraw motion at the respective insert or withdraw limit.
Insert Bus and Withdraw Bus The reactor manual control system insert and withdraw bus is monitored to permit timing of rod drive motion.
7.6.1.20.3.2 RWM Outputs Isolated contact outputs provide RWM Block and Annunciator functions. RWM insert block and withdraw block are applied for each rod selection to inhibit rod motions which would result in insert or withdraw error. RWM rod drive block and settle functions are used to terminate continuous rod motion at the respective insert or withdraw limit or if the RWM senses Multiple Rod Motion (See Section 7.6.1.20.3.4). RWM annunciation draws operator attention to the RWM message log which identifies the reason for the action taken. RWM Annunciation is not systematically applied with insert or withdraw block since these are routinely applied to limit and inhibit rod motion.
7.6.1.20.3.3 RWM Indications The RWM operator display panel provides indications of operating status including 7.6-64 REV 20 05/16 FERMI 2 UFSAR
- a. Selected Rod Identification of the coordinate of the selected rod along with Position of the selected rod Select error status Insert block status Withdraw block status
- b. Insert Error Identification of control rod coordinate and rod position for up to three insert error rods. Insert error is corrected as the next rod motion.
- c. Withdraw Error Identification of control rod coordinate and position identification for one withdraw error. Withdraw error is corrected as the next rod motion. d. Latched Step Identification of the current RWM sequence step number.
- e. Selected Sequence Identification of the selected sequence.
- f. Power Level Identification of power level is identified as "Below LPSP", "Transition Region", "Above LPAP", or "Unknown". When power level is indicated to be below LPSP and above LPAP, the power level is identified as "Unknown" and the RWM defaults to below LPSP operation.
7.6.1.20.3.4 Additional Functions In addition to enforcing adherence to established control rod sequences, the RWM performs additional functions. These additional functions, with the exception of the multiple rod motion (MRM) rod drive block and display, are "utilities" which are used to record and display rod position/time data.
- a. Single Rod Scram Timing Single rod scram timing is selected by the operator to record rod position/time data during single rod scram testing. b. Full Core Scram Timing Full core scram timing is automatically initiated by a reactor scram signal and records the rod position/time data during a reactor scram.
- c. Rod Drive Timing Rod drive timing is selected by the operator to record rod position/time data for the rod being driven/tested.
7.6-65 REV 20 05/16 FERMI 2 UFSAR
- d. Single Rod Scram Data Display Single rod scram data display is selected by the operator during single rod scram testing to display the actual scram time for the rod under test, the average Technical Specification scram time, and margin of the scram time of the tested rod to the Technical Specification time. The display is available at the RWM operators display and RWM computer.
- e. Shutdown Verification Display The Shutdown Verification display is automatically initiated by a reactor scram signal and immediately displays if all rods are full
-in, if all rods are inserted to or beyond the shutdown margin limit, and how many rods are not full-in. The shutdown verification screen is displayed at the RWM operators display.
- f. Multiple Rod Motion (MRM) Rod Drive Block and Display The multiple rod motion (MRM) rod drive block and display are initiated when the RWM senses that a rod (or rods) other than the selected rod is moving.
MRM is defined as a movement of an unselected rod (or rods) that has resulted from a failure in the reactor manual control system (RMCS) when a valid rod is selected and being moved by the operator. The purpose of the MRM rod drive block is to terminate and limit rod motion of both the selected and any unselected rods to one notch, if an MRM were to occur. The MRM firmware will actuate the existing RWM rod drive block and settle relays to the RMCS and automatically initiate the MRM display at the RWM operator display if the RWM senses that an unselected rod (or rods) is moving. If the RWM is bypassed (keylock switch on the operator display), the MRM screen is automatically selected, but the MRM rod drive block is inhibited by the RWM bypass relay.
7.6.1.20.4 Environmental Considerations The RWM is not used for credit in the safety analysis, nor is it required to operate during or after any design basis accidents. The RWM is employed to operate in the normal plant environment for power operation.
7.6.1.20.5 Operational Considerations The RWM function does not interface with normal reactor operation, and in the event of its failure does not cause new rod patterns. The RWM function may be bypassed and its rod block function disables only by specific procedural control initiated by the operator, in accordance with the Technical Specifications.
With the RWM inoperable, a second licensed operator or other technically qualified member of the unit technical staff who is present at the reactor control console verifies the control rod movement compliance with the prescribed control rod pattern. The requirements for a rod motion verifier and the specified actions expected of the operator and verifier are proceduralized including: Procedural guidance for control of Rod Pull Sheets to ensure correct pullsheets are used 7.6-66 REV 20 05/16 FERMI 2 UFSAR Explicit instructions to the operator and verifier are contained in a Rod Pull Cover Sheet Each operator and verifier reviews the cover sheet prior to pulling rods.
Explicit instructions are included to the verifier as to how and where to verify proper rod selection and positioning.
7.6.2 Analysis 7.6.2.1 Refueling Interlock System Instrumentation and Control 7.6.2.1.1 Conformance To General Functional Requirements
- a. Safety Evaluation The refueling interlocks, in combination with core nuclear design and refueling procedures, limit the probability of an inadvertent criticality. The nuclear characteristics of the core ensure that the reactor is subcritical even when the highest-worth control rod is fully withdrawn. Also, refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform provides redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality.
Table 7.6-1 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform movement and position, and mode switch manipulation. The initial conditions in situations 4 and 5 appear to contradict the action of refueling interlocks, because the initial conditions indicate that more than one control rod is withdrawn, yet the mode switch is in REFUEL. Such initial conditions are possible if the rods are withdrawn when the mode switch is in STARTUP and then turned to REFUEL. In all cases, correct operation of the refueling interlock prevents either the operation of loaded refueling equipment over the core when any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn; selection of a second rod initiates a rod block.
7.6.2.1.2 Conformance To Specific Regulatory Requirements No specific regulatory requirements apply to refueling interlocks. The refueling interlocks are designed to be normally energized (fail
-safe). IEEE standards do not apply because the refueling interlocks are not required for any postulated DBA or for safe shutdown. Furthermore, the interlocks are required only for the refueling mode of plant operation. The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
7.6.2.2 Reactor Pressure Vessel Instrumentation and Control 7.6-67 REV 20 05/16 FERMI 2 UFSAR 7.6.2.2.1 Conformance To General Functional Requirements The RPV instrumentation and systems are designed to augment the existing information from the ESF systems such that the operator can start up, operate at power, shut down, and service the reactor systems in an efficient manner. None of this instrumentation is required to initiate an RPS or ESF system.
7.6.2.2.2 Conformance To Specific Regulatory Requirements There are no specific regulatory requirements imposed on the RPV instruments and subsystems discussed in Subsection 7.6.1.2 because of the reasons stated in Subsection 7.6.2.2.1 above. The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
7.6.2.3 Process Radiation Monitor Systems The process radiation monitor systems are described in Section 11.4.
7.6.2.4 Area Radiation Monitor System Instrumentation and Control See Subsection 12.1.4.
7.6.2.5 Offsite Environs Radiation Monitor Systems See the Offsite Dose Calculation Manual (ODCM).
7.6.2.6 Rad-Chem Radiation Monitoring Instruments See Section 12.3.
7.6.2.7 Reactor Water Cleanup System Instrumentation and Control 7.6.2.7.1 General The RWCU system is not a safety
-related system. Therefore, the instrumentation supplied is for the plant equipment protection only.
7.6.2.7.2 Conformance To General Functional Requirements The RWCU system is protected against overpressurization by relief valves. The ion exchange resin is protected from high temperature by temperature switches upstream of the filter-demineralizer unit. One switch activates an alarm when the water temperature reaches 130F. A second switch provides a signal at 140ºF to close a motor-operated valve in the suction line to the RWCU pumps, which subsequently trips the pumps on low discharge flow. Three motor-operated isolation valves close automatically on a reactor low water level signal. The outermost isolation valves G33F004 and G33F220 also close automatically when 7.6-68 REV 20 05/16 FERMI 2 UFSAR the standby liquid control system is activated. The isolation valves provide a pump trip when the valves close.
A high differential pressure across the filter
-demineralizer or its discharge strainer automatically closes the unit's outlet valve after sounding an alarm. The holding pump starts whenever there is low flow through a filter-demineralizer. The precoat pump does not start when the level in the precoat tank is low. Sampling stations are provided to obtain reactor water samples from the entrance and exit of both filter
-demineralizers.
The system instrumentation and control for flow, pressure, temperature, and conductivity is recorded and/or indicated on a panel in the main control room. Instrumentation and control for backwashing and precoating the filter
-demineralizers is on a local panel in the reactor building. Alarms are sounded in the main control room to alert the operator to abnormal conditions. The RWCU system is controlled by the operator from the main control room.
A list of the RWCU system annunciators is given in Table 7.6-14.
7.6.2.7.3 Conformance To Specific Regulatory Requirements Since the RWCU system is not a safety
-related system, no specific regulatory requirement is applicable.
7.6.2.8 Leak Detection System Instrumentation and Control 7.6.2.8.1 General The part of LDS instrumentation that is related to the system isolation circuitry is designed to meet requirements of the ESF system.
7.6.2.8.2 Conformance To General Functional Requirements There are at least two different methods of detecting abnormal leakage from each system within the nuclear system process barrier and in each area as shown in Table 5.2-11. The instrumentation is designed so that it may be set to provide alarms at established leakage rate limits and isolate the affected system,if necessary. The alarm points are determined analytically based on design data and on measurements of appropriate parameters made during startup and preoperational tests. This satisfies the power generation design basis and safety design basis.
The unidentified leakage rate limit is based, with an adequate margin for contingencies, on the crack size large enough to propagate rapidly. The established limit is sufficiently low so that even if the entire unidentified leakage rate were coming from a single crack in the nuclear system process barrier, corrective action could be taken before the integrity of the barrier is threatened with significant compromise.
The limit on total leakage rate is established so that in the absence of normal ac power and feedwater, and without using the ECCSs, the leakage loss from the nuclear system could be 7.6-69 REV 20 05/16 FERMI 2 UFSAR replaced. The limit on total leakage also allows a reasonable margin below the discharge capability of either the floor drain or equipment drain sump pumps. Thus, the established total leakage rate limit allows sufficient time for corrective action to be taken before either the nuclear system coolant makeup or the drywell sump removal capabilities are exceeded.
7.6.2.8.3 Conformance To Specific Regulatory Requirements Compliance With Regulatory Guide 1.22 The portion of the LDS that provides outputs to the system isolation logic is designed so that complete periodic testing of the isolation system actuation function is provided. This is accomplished by tripping the LDS one channel at a time from the leak detection panel in the main control room. An indicator lamp is provided to show that the particular channel is tripped. Compliance With General Design Criteria 13 and 19-24 of 10 CFR 50 The leak detection sensors and associated electronics are designed to monitor the reactor coolant leakage over all expected ranges required for the safety of the plant. Automatic initiation of the system isolation action, reliability, testability, independence, and separation have been factored into leak detection design as required for isolation systems.
Compliance With IEEE 279-1971 Compliance of the LDS with IEEE 279-1971 is included in the IEEE 279-1971 compliance discussion of the CRVICS (Subsection 7.3.2.3.3.1) for which this system provides logic trip signals. Compliance With IEEE 323-1971 - Leak detection compliance is shown in Topical Report NEDO-l0698. See also Section 3.11. Compliance With IEEE 338-1971 - Leak detection compliance with IEEE 338-1971 is shown. All active components of the LDS associated with the isolation signal can be tested during plant operation. Compliance With IEEE 344-1971 - Leak detection compliance with IEEE 344-1971 is shown in Topical Report NEDO-10678. See also Section 3.10.
7.6.2.9 Integrated Plant Computer System (IPCS)
The IPCS, exclusive of the meteorological and emergency response functions, is designed to provide the operator with certain information as defined in the equipment description in Subsection 7.6.1.9. The system augments existing information from other systems such that the operator can start up, operate at power, and shut down in an efficient manner. There are no specific regulatory requirements associated with this portion of the IPCS capabilities.
See Subsection 7.6.1.9.1.2.5.1 for a discussion of the design analysis of the IPCS Safety Parameter Display System (SPDS) function. NRC guidance on safety parameter systems is contained in Supplement 1 to NUREG-0737.
7.6-70 REV 20 05/16 FERMI 2 UFSAR The IPCS, inclusive of all its functions, is not required to initiate any ESF or safety-related system. 7.6.2.10 (Deleted) 7.6.2.11 Sequence Recorder The sequence recorder is designed to provide the necessary data and information systems to permit diagnosing the causes of unscheduled reactor shutdowns and determine the proper functioning of safety-related equipment. The requirements of generic letter 83
-28 are met for post-trip review. The power source is reliable and non-interruptible. The system meets the requirements to record, recall, and display data and information to permit post-trip review.
7.6.2.12 Primary Containment Monitor Systems 7.6.2.12.1 Primary Containment Radiation and Hydrogen/Oxygen Monitor System Conformance To Specific Regulatory Requirements The primary containment radiation monitor subsystem is designed to monitor the primary containment for determination of radiation level during reactor operation or shutdown periods. The rate of flow of drywell atmosphere sample is sufficiently high to provide readings representative of the radiation level in the drywell in less than 5 minutes. Filters are provided in the sample supply line to the primary containment radiation monitor to collect particulates and halogens, on separate filters, for analysis. Monitored radiation level above a predetermined level is alarmed and annunciated in the main control room. The diversity requirement of Regulatory Guide 1.45 is met by the noble gas activity monitor alarm; activity (cpm) is not required to be correlated with leak rate (gpm) per an exemption granted in NUREG 0798, Section 5.2.5. The requirements of General Design Criterion (GDC) 30 of 10 CFR 50, Appendix A, are met in that the primary containment radiation monitor system provides means, as required, for monitoring the reactor primary containment atmosphere radioactivity.
In addition, the primary containment is monitored for hydrogen/oxygen with indication and high alarms in the main control room in compliance with Regulatory Guide 1.7 and Regulatory Guide 1.97, Rev 2, Category 3 and 2 requirements, respectively. The design of the primary containment radiation monitor system incorporates provisions for indicating activity level of noble gases, and collecting particulates and halogens on filter papers for laboratory analysis. Also provided are trip logic provisions for actuating an alarm and an annunciator to inform operations personnel of low-scale conditions that would be indicative of instrument failure.
7.6.2.12.2 Primary Containment Temperature Monitor Subsystem 7.6-71 REV 20 05/16 FERMI 2 UFSAR 7.6.2.12.2.1 Conformance To General Functional Requirements The primary containment temperature monitor subsystem is designed to fulfill the safety and power generation design bases and industry standards that are stated under Subsection
7.1.2.1.22.
7.6.2.12.2.2 Conformance To Specific Regulatory Requirements The primary containment temperature monitor subsystem is designed to monitor continuously the temperature of the drywell atmosphere, drywell walls, drywell cap atmosphere, pressure suppression chamber atmosphere, and pressure suppression chamber water pool. The requirements of GDC 13 of 10 CFR 50, Appendix A, are met in that the primary containment temperature monitor system provides instrumentation to obtain temperature measurements in the designated areas during normal operation, as well as postulated abnormal conditions of a LOCA. The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
The design of the primary containment temperature monitor subsystem includes multipoint recorders in the main control room, on which the temperatures monitored by the subsystem are continuously recorded and displayed.
7.6.2.12.3 Primary Containment Pressure Monitor Subsystem 7.6.2.12.3.1 Conformance To General Functional Requirements The primary containment pressure monitor subsystem is designed to fulfill the safety and power generation design bases and industry standards stated in Subsection 7.1.2.1.22.
7.6.2.12.3.2 Conformance To Specific Regulatory Requirements The primary containment pressure monitor system is designed to continuously monitor atmospheric pressure in the drywell and in the pressure suppression chamber. The requirements of GDC 13 of 10 CFR 50, Appendix A, are met in that the primary containment pressure monitor subsystem has instrumentation that is provided, as required, for measurement and recording of pressure during normal operation, as well as postulated abnormal conditions of a LOCA. The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
The design of the primary containment pressure monitor subsystem includes chart recorders in the main control room, on which the pressure monitored by the subsystem is continuously recorded and displayed.
7.6.2.12.4 Pressure Suppression Pool Water Level Indicator Subsystem 7.6-72 REV 20 05/16 FERMI 2 UFSAR 7.6.2.12.4.1 Conformance To General Functional Requirements This system is designed to fulfill the safety and power generation design bases and industry standards stated in Subsection 7.1.2.1.22.
7.6.2.12.4.2 Conformance To Specific Regulatory Requirements The design of the pressure suppression pool water level indicator subsystem provides continuous monitoring of the water level in the pressure suppression chamber. The requirements of GDC 13 of 10 CFR 50, Appendix A, are met in that the pressure suppression pool water level indicator system constitutes instrumentation that is provided, as required, to monitor the pool water level during normal operation as well as postulated abnormal conditions of a LOCA. The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
The pressure suppression pool water level indicator subsystem design includes chart recorders in the main control room on which the monitored level of the water pool is continuously recorded and displayed.
7.6.2.13 Neutron Monitoring System Instrumentation and Control 7.6.2.13.1 Source Range Monitor System 7.6.2.13.1.1 Conformance To General Functional Requirements The arrangement of the source range monitors (SRM) in the reactor is shown in Figure 7.6-12. This arrangement and irradiated fuel produce at least three counts per second in the SRM using the sensitivity noted in Subsection 7.6.1.13.3. If the discriminator setting is adjusted to produce the specified sensitivity, the signal-to-noise count ratio is well above the 2:1 design basis for cold startup. If the multiplication of one section of the core increases to put that section of the reactor on a 20-sec period, the nearest SRM chamber shows an increase in count rate. In general, at least one detector indicates the change in multiplications.
Normal startup procedures ensure that withdrawal of control rods is distributed about the core to prevent excessive multiplication in any one section of the core. Hence, each SRM chamber can respond in some degree during the initial rod withdrawal. Examination of the sensitivity of the SRM detectors and their operating ranges of 10 6 counts per second indicates that the IRM is on scale before the SRM reaches full scale (Figure 7.6
-15). Further overlap is provided by partial retraction of the SRM chambers. Such retraction is possible only if the indicated SRM count rate remains above the rod block trip level (approximately 100 counts per second), or if the IRM has been set to the third or any less sensitive (higher) IRM range.
7.6-73 REV 20 05/16 FERMI 2 UFSAR 7.6.2.13.1.2 Conformance To Specific Regulatory Requirements There are no specific regulatory requirements of the SRM system.
7.6.2.13.2 Intermediate Range Monitor System 7.6.2.13.2.1 Conformance To General Functional Requirements Subsection 7.2.1.1 evaluates the arrangement of redundant input signals to the RPS. The NMS trip input to the RPS and the trip channels used in actuating a NMS trip are of equivalent independence and redundancy to other RPS inputs. The number and locations of the IRM detectors have been analytically and experimentally determined to provide sufficient intermediate range flux level information under the worst permitted bypass or detector failure conditions. To verify this, a range of rod withdrawal accidents has been analyzed. The most severe case assumes that the reactor is barely subcritical. One-fourth of the control rods plus one more rod have been removed in the normal operating sequence (Figure 7.6
-37). The error or malfunction is removal of the control rod adjacent to the last rod withdrawn. This rod has been chosen to maximize the distance to the second nearest detector for each trip system. It is assumed that the nearest detector in each RPS trip system is bypassed. A scram signal is initiated when one IRM detector in each RPS trip system reaches its scram trip level. The neutron flux versus distance resulting from this withdrawal is shown in Figure 7.6-38. Note that the second nearest detector in trip system B is farther away than the second nearest detector in trip system A. The ratio of the neutron flux at this point to the peak flux is l:4l00. This detector reaches its high scram trip setting of 95 percent of full scale at a local flux approximately 3.3 x 10 8 nv. At that time the peak flux in the core is 1.35 x 1012 nv or 2.7 percent rated average flux. The core average power is 0.07 percent when scram occurs.
For this scram point to be valid, the IRM must be on the correct range. To ensure that each IRM is on the correct range, a rod block is initiated any time the IRM is both downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core unless the reactor mode switch is in the RUN position. The IRM scram trips and the IRM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position.
The IRM detectors and electronics have been tested under operating conditions and verified to have the operational characteristics described. They provide the level of precision and reliability required by the RPS safety design bases.
The IRM is the primary source of information as the reactor approaches the power range. Its linear steps (approximately a half decade) and the rod blocking features on both high flux level and low flux level require that all the IRM'S are on the correct range as core reactivity is increased by rod withdrawal. The SRM overlaps the IRM. The sensitivity of the IRM is such that the IRM is on scale on the least sensitive (highest) range with approximately 15 percent reactor power.
7.6-74 REV 20 05/16 FERMI 2 UFSAR 7.6.2.13.2.2 Conformance To Specific Regulatory Requirements Compliance With Regulatory Guide 1.22 The portion of the IRM system that provides outputs to the RPS is designed to provide complete periodic testing of protection system actuation function as desired. This provision is accomplished by initiating an output trip on one IRM channel at any given time, which will result in tripping one of the two RPS trip systems. Details are provided in Topical Report NEDO-10139, Subsection 2.2.8 (Reference 8). Operator indication of IRM bypass is provided by indicator lamps as described in NEDO-10139, Subsection 2.2.8.13 (Reference 8). Compliance With General Design Criteria 13 and 22-24 of 10 CFR 50 The IRM detectors and associated electronics are designed to monitor the in-core flux over all expected ranges required for safety of the plant.
Automatic initiation of RPS action, reliability, stability, independence, and separation has been factored into the IRM design as required for protection systems. Compliance With IEEE 279-1971 - The IRM design is shown to comply with the design requirements of IEEE 279-1971 in Subsection 2.2.8 of Reference 8. Compliance With IEEE 323-1971 - IRM compliance is shown in Topical Report NEDO-10698. See also FSAR Section 3.11. Compliance with IEEE 338-1971 - IRM compliance with IEEE 338-1971 is shown in Subsections 2.2.8.9 and 2.2.8.10 of Reference 8. Compliance With IEEE 344-1971 - IRM compliance is shown in Topical Report NEDO-10678. See also FSAR Section 3.10. Compliance with 10 CFR 50, Appendix B - The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
7.6.2.13.3 Local Power Range Monitor System 7.6.2.13.3.1 Conformance To General Functional Requirements The LPRM provides detailed information about neutron flux throughout the reactor core.
The number of LPRM assemblies and their distribution is determined by extensive calculational and experimental procedures. The division of the LPRM into various groups for ac power supply allows operation with one ac power supply failed or in service without limiting reactor operation.
Individual failed chambers can be bypassed. Neutron flux information for a failed chamber location can be interpolated from nearby chambers. Also, a substitute reading for a failed chamber can be derived from an octant
-symmetric chamber, or an actual flux indication can be obtained by inserting a TIP to the failed chamber position. Each output is electrically isolated so that an event (grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of the LPRM signal. Tests and experience attest to the 7.6-75 REV 20 05/16 FERMI 2 UFSAR ability of the detector to respond proportionately to the local neutron flux changes (Reference 1).
7.6.2.13.3.2 Conformance To Specific Regulatory Requirements There are no specific regulatory requirements of the LPRM subsystem. Because they form inputs to the APRM system, however, a minimum number of LPRMs must be operable for each APRM as defined in the APRM safety design basis.
7.6.2.13.4 Average Power Range Monitor System 7.6.2.13.4.1 Conformance To General Functional Requirements Each APRM derives its signal from LPRM information. The assignment, power separation, cabinet separation, and LPRM signal isolation are in accord with the safety design bases of the RPS. There are four APRM channels with the Reactor Protection System trip outputs from each routed to each of four APRM two-out-of-four voter channels. Two voter channels are associated with each Reactor Protection System trip system. This configuration allows one APRM channel to be bypassed plus one failure while still meeting the Reactor Protection System safety design basis.
Above a plant power level defined by Technical Specifications, the APRM power (and simulated thermal power) is adjusted periodically based on heat balance to match true reactor power. This adjustment is made regularly at a rate sufficient to compensate for LPRM burnup and the related change in APRM values. However, coolant flow changes, control rod movements, and failed or bypassed LPRM inputs can also affect the relationship between APRM measured flux and true reactor power. These predictable APRM variations are included in the analysis performed to determine minimum number of LPRM inputs required to be operable in order for the APRM channel to be operable. The analysis is performed considering worst case combinations of failed LPRM inputs, at rated conditions by assuming both continuous withdrawal of the maximum worth control rod and reduction of recirculation flow to 40% of rated flow. The minimum number of LPRM inputs for an APRM is determined such that the average of the remaining operable LPRM inputs still allows the APRM to track power excursions within the acceptance criteria assumed in plant safety analysis. If the number of operable LPRMs is less than the required minimum, the APRM channel is declared inoperable.
The flow-referenced APRM scram setpoint is adequate to prevent fuel damage during an abnormal operational transient, as demonstrated in Chapter 15. The APRM also includes an OPRM Upscale function to provide compliance with GDCs 10 and 12, thereby providing protection from exceeding the fuel MCPR safety limit due to anticipated thermal hydraulic induced power oscillations. The OPRM utilizes three algorithms for detecting thermal
-hydraulic instability related neutron flux oscillations: the period based detection, the amplitude based, and the growth rate based algorithms. All three are implemented in the OPRM Upscale function, but the safety analysis takes credit for the period based algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. The OPRM Upscale function receives input signals from the LPRMs within the reactor core, which are combined into cells for evaluation 7.6-76 REV 20 05/16 FERMI 2 UFSAR by the OPRM algorithms. The OPRM Upscale function is enabled in the intended region on the plant power/flow map. The plant power level and recirculation drive flow conditions are defined by Technical Specifications.
7.6.2.13.4.2 Conformance To Specific Regulatory Requirements
- a. Compliance With Regulatory Guide 1.22 The portion of the APRM subsystem that provides outputs to the RPS is designed to provide complete periodic testing of protection system actuation functions as desired. This provision is accomplished by initiating an output trip of one APRM channel at any given time, which will result in tripping one of the two RPS trip systems. Details are provided in Subsection 2.2.8 of Reference 8. Compliance With General Design Criteria 10 and 12 The OPRM Upscale Function provides compliance with GDC 10 and GDC 12 by providing a
hardware/software system that detects and acts to suppress thermal
-hydraulic instabilities, thereby providing protection from exceeding the fuel MCPR safety limit due to thermal hydraulic induced power oscillations. Compliance With General Design Criteria 13 and 20-24 of 10 CFR 50 The APRM detection and associated electronics are designed to monitor the in-core flux over all expected ranges required for safety of the plant.
Automatic initiation of protection system action, reliability, testability, independence, and separation has been factored into the APRM design as required for protection systems. The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17. Compliance With IEEE 279-1971 - The APRM design is shown to comply with the design requirements of IEEE 279-1971 in Subsection 2.2.8 of Reference 8 and Subsection 4.4.1.1 of Reference 10.
Compliance With IEEE 323-1971 - APRM compliance is shown in Topical Reports NEDO-10698 and NEDC 32410P-A. See also FSAR Section 3.11. Compliance With IEEE 338-1971 - APRM compliance with IEEE 338-1971 is shown in Subsections 2.2.8.9 and 2.2.8.10 of Reference 8. Compliance with IEEE 344-1971 - APRM compliance is shown in Topical Reports NEDO-10678 and NEDC 32410P-A. See also FSAR Section 3.10.
7.6.2.13.5 Rod Block Monitor System 7.6.2.13.5.1 Conformance To General Functional Requirements Motion of a control rod causes the LPRMs adjacent to the control rod to respond strongly to the change in power in the region of the rod in motion. Figure 7.6-41 illustrates the calculated responses of the two RBMs to the withdrawal of a selected control rod. The RBM setpoints may be selected such that the rod withdrawal error (RWE) is not the limiting transient. Figure 7.6-42 shows the relationship between MCPR and the RBM setpoint. It 7.6-77 REV 20 05/16 FERMI 2 UFSAR also shows that for an example operating limit MCPR (OLMCPR) requirement of 1.28, there is a 0.08 margin with 108 percent RBM setpoint (0.03 for 111 percent RBM setpoint). These margins are more than adequate to protect against any RWE events. The RBM setpoints conservatively assume a probability of 15 percent that any given LPRM has failed. The RBM setpoints are also valid for peripheral cells with less than four LPRM strings (the RBM cells near the core periphery may possess fewer than four control rods and have one, two, or three LPRM strings). In some peripheral cases, the responses are actually improved because the missing strings are the weaker signal inputs in a standard RBM cell.
7.6.2.13.5.2 Conformance To Specific Regulatory Requirements Compliance With General Design Criterion 24 of 10 CFR 50, Appendix A The RBM provides an interlocking function in the control rod withdrawal portion of the CRD RMCS. This design is separated from the protective functions in the plant to ensure their independence. The RBM is designed to prevent control rod withdrawal error, given an imposed single failure within the RBM. One of the two RBM channels is sufficient to provide an appropriate control rod withdrawal block. Compliance with 10 CFR 50, Appendix B The requirements of 10 CFR 50, Appendix B, are met in the manner set forth in Chapter 17.
7.6.2.13.6 Traversing In-Core Probe Subsystem 7.6.2.13.6.1 Conformance To General Functional Requirements An adequate number of TIP machines is supplied to ensure that each LPRM assembly can be probed by a TIP and that one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration. Typical TIPs have been tested to prove linearity (Reference 1). The system has been field tested in an operating reactor to ensure reproducibility for repetitive measurements. The mechanical equipment has undergone life testing under simulated operating conditions to ensure that all specifications can be met. The system design allows semiautomatic operation for LPRM calibration and Integrated Plant Computer System (IPCS) TIP processing function use. The TIP machines can be operated manually to allow pointwise flux mapping. 7.6.2.13.6.2 Conformance To Specific Regulatory Requirements There are no specific regulatory requirements of the TIP subsystem.
7.6.2.14 Plant Cooling Water Systems Instrumentation and Control Conformance To General Functional Requirements The instrumentation and control of the RBCCWS and TBCCWS is designed to permit reliable operation and testing for each instrument loop or subsystem. Controls for the essential portion of the RBCCWS are described in Subsection 7.3.4 7.6-78 REV 20 05/16 FERMI 2 UFSAR The nonessential portions of the RBCCWS and the TBCCWS are designed to shut down upon loss of offsite ac power. These systems can be restarted manually from the main control room. These systems are designed for manual startup, shutdown, and testing.
Automatic controls are provided for maintaining condensate level in the makeup tank, gas pressure in the makeup tank, heat exchanger outlet temperature, and differential pressure across the supply and return headers. Indications, alarms, and/or warning lights for thes e variables are provided in the main control room. Deviations from normal conditions are thereby brought to the attention of the main control room operator who subsequently can take the appropriate action.
7.6.2.15 Fuel Pool Cleanup System Instrumentation and Control 7.6.2.15.1 General The FPCCS is not a safety-related system. Therefore, the instrumentation supplied is for the plant equipment protection and for operator information about the system.
7.6.2.15.2 Conformance To General Functional Requirements The FPCCS is monitored for conductivity, temperature, pool level, flow rate, and leakage. The conductivity measurement provides the operator with information required to ensure that impurities in the water are limited to acceptable levels. The low flow (pump discharge pressure) and temperature monitoring provide the operator with information required to ensure that the desired temperature is not exceeded and that filtering is maintained. Pool level and leakage monitoring provide the operator with information assuring the maintenance of adequate shielding and cooling. Interface The FPCCS is an independent system during normal operations. Evaporative losses in the system are replaced by the condensate storage system. If the heat load should become excessive, the shutdown cooling portion of the RHR system is operated in parallel with the FPCCS to remove the excess heat load.
7.6.2.15.3 Conformance To Specific Regulatory Requirements System analysis shows that none of the regulatory requirements are applicable to the FPCCS.
7.6.2.17 Control Air System Conformance To General Functional Requirements The instrumentation and control of the control air system is designed to permit reliable operation and testing of each divisional loop of the control air system. The control air system is designed to fulfill the safety and power generation design bases stated in Subsection
7.1.2.1.31.
7.6-79 REV 20 05/16 FERMI 2 UFSAR 7.6.2.18 Alternate Rod Insertion Conformance To General Functional Requirements The sensors, transmitters, trip units, associated logic, and ARI valves are Class 1E, redundant to and diverse from the reactor protection system, are seismically and environmentally qualified to meet IEEE 323-1974 and IEEE 344-1975, and are supplied with Class 1E dc power. The ARI equipment is physically separated into two redundant divisions. Either division will be automatically energized to actuate and scram the reactor upon receipt of high reactor pressure or vessel low
-water-level 2 signals. The ARI logic may also be initiated manually from the main control room. (See Subsection 7.6.1.18.2 for further details).
7.6.2.19 Safety/Relief Valves Analysis 7.6.2.19.1 Conformance To General Functional Requirements The SRVs furnished meet requirements of the ASME Boiler and Pressure Vessel Code Section III, Article 9. The valves are operable in two modes: self-actuated or power-actuated solenoid pressure relieving mode. The automatic mode is independent of the power-actuated mode. Failure of the power-actuated mode does not affect the self
-actuated mode.
7.6.2.19.2 Conformance To Specific Regulatory Requirements Compliance With Regulatory Guide 1.22 The logic channels up to the SRV solenoid operators are designed to enhance periodic testing. Compliance With IEEE 279-1971 A demonstration of the single-failure withstand capability of the generic low-low set design was presented in the BWR Owners Group letter to the NRC, D. B. Vassallo, dated November 19, 1982, titled "Low-Low Set Logic/Lowered MSIV for Mark I Plants." Compliance With IEEE 323-1974 System components are environmentally qualified as described in Section 3.11. Compliance With IEEE 344-1975 System components are seismically qualified as described in Section 3.10.
7.6.2.20 Rod Worth Minimizer System 7.6.2.20.1 Conformance to General Functional Requirements The RWM protects against the existence of a rod worth which could result in the damage to the reactor coolant pressure boundary in the unlikely event of a control rod drop accident.
7.6-80 REV 20 05/16 FERMI 2 UFSAR 7.6.2.20.2 Conformance to Specific Regulatory Requirements There are no specific regulatory requirements for the RWM. The Fermi 2 RWM has been designed to enforce operator adherence to the predetermined sequence of control rod motions during operation at low power levels.
7.6-81 REV 20 05/16 FERMI 2 UFSAR 7.6 ALL OTER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY REFERENCES
- 1. W. R. Morgan, In-Core Neutron Monitoring System for General Electric Boiling Water Reactors, General Electric Co., APED-5706, Nov. 1968, revised April 1969.
- 2. General Electic Co., "Licensing Summary, The Nuclear Measurement Analysis and Control Rod Worth Minimizer (NUMACRWM) Enhanced RPCS Application,"
NEDO-31146, June 1986.
- 3. General Electic Co., "Compliance of Protection Systems to Industry Criteria: General Electric BWR Nuclear Steam Supply System," NEDO-10139, June 1970.
- 4. GE Nuclear Energy, Maximum Extended Operating Domain Analysis for Detroit Edison Company Enrico Fermi Energy Center Unit 2, NEDC-31843P, July 1990
- 5. GE Nuclear Energy, Licensing Topical Report, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM) Retrofit Plus Option III Stability Trip Function," NEDC-32410P-A, Volumes 1 and 2, October 1995, Including Supplement 1, November 1997.
7.6-82 REV 20 05/16 FERMI 2 UFSAR Page 1 of 2 REV 16 10/09 TABLE 7.6-1 REFUELING INTERLOCK EFFECTIVENESS Refueling Platform Situation RefuelingPosition TMHPlatform a FMH b Hoists FGService Platform c Hoist Control Rods Mode Switch Attempt 1. Result Not near core UL d UL UL UL All rods in Refuel Move refueling platform over core No restrictions
- 2. Not near core UL UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod
- 3. Not near core UL UL UL UL One rod withdrawn Refuel Move refueling platform over core No restrictions
- 4. Not near core Any hoist loaded or FG not fully up UL One or more rods withdrawn Refuel Move refueling platform over core Platform stopped before over core
- 5. Not near core UL UL UL UL More than one rod withdrawn Refuel Move refueling platform over core Platform stopped before over core
- 6. Over core UL UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod
- 7. Over core Any hoist loaded or FG not fully up All rods in Refuel Withdraw rods Rod block 8. Not near core UL UL UL L e All rods in Refuel Withdraw rods Rod block 9. Not near core UL UL UL L All rods in Refuel Operate service platform hoist No restrictions
- 10. Not near core UL UL UL L One rod withdrawn Refuel Operate service platform hoist Hoist operation prevented
- 11. Not near core UL UL UL UL All rods in Startup Move refueling platform over core Platform stopped before over core
- 12. Not near core UL UL UL L All rods in Startup Operate service platform hoist No restrictions
- 13. Not near core UL UL UL L One rod withdrawn Startup Operate service platform hoist Hoist operation prevented
- 14. Not near core UL UL UL L All rods in Startup Withdraw rods Rod block FERMI 2 UFSAR Page 2 of 2 REV 16 10/09 TABLE 7.6-1 REFUELING INTERLOCK EFFECTIVENESS Refueling Platform Situation RefuelingPosition TMHPlatform a FMH b Hoists FGService Platform c Hoist Control Rods Mode Switch Attempt 15. Result Not near core UL UL UL UL All rods in Startup Withdraw rods No restrictions
- 16. Over core UL UL UL UL All rods in Startup Withdraw rods Rod block 17. Any UL Any condition UL Any condition Any condition reactor not at power Startup Turn mode switch to run Scram a THM - trolley mounted hoist.
b FMH - frame mounted hoist.
c FG - fuel grapple.
d UL - unloaded e L - fuel loaded
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 1 of 12 REV 16 10/09 Reactor Pressure Vessel Reactor Pressure Vessel Level Wide Range During Temperature Reactor Core Shutdown Reactor Core Hydraulics Hydraulics Flow Design classes quality/seismic category b Differential Pressure III/NA a III/NA III/NA III/NA Power supply 120-V ac inst. bus 120-V ac inst. bus 120-V ac inst. bus 120-V ac inst. bus No. of channels 12 1 20 1 Alarm setpoint(s) c NA NA NA NA Control logic NA NA NA NA Instrument range 0 to 600° 160 to 560 in. H 2O 0 to 80 x 10 6 pph 0-30 psid Instrument accuracy c +/-6 °F +/-0.2 percent
+/-2 percent
+/-2 percent a NA = Not Applicable b The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
c The instrument accuracy information provided in the UFSAR tables is a bounding value.
Reactor Pressure Vessel Reactor Pressure Vessel Steam Pressure Reactor Pressure Vessel Temperature RBCCW System Radiation Monitoring Feedwater Temperature Design classes quality/seismic category c Subsystem I/I III/NA a III/NA III/NA Power supply 120-V ac invert. bus 120-V ac inst. bus 120-V ac inst. bus 24-V dc and 120
-V ac inst. bus No. of channels 2 2 6; 4 computer input 1
-2 flow correctors 1 Alarm setpoint(s) b NA NA NA (b) Control logic NA NA NA for computer input 1/1 temp. correction mass flow meter NA Instrument range 0 to 1500 psig 400 to 550 °F 300 to 450 °F 10-1 to 10 6 cps gamma Instrument accuracy d sensitivity e +/-30 psig +/-0.3 °F +/-0.35 °F 1 x 10-4 µCi/ml estimated a NA = Not Applicable.
b Variable to be set periodically in the field.
c The instrument seismic category and the QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
d The instrument accuracy information provided in the UFSAR tables is a bounding value.
e Instrument sensitivity is provided to be consistent with other radiation monitors.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 2 of 12 REV 16 10/09 EECW Radiation RHR System Water Radiation Monitoring Monitoring Subsystem General Service Water Radiation Monitoring Subsystem Radwaste Effluen Radiation Monitoring Subsystem Design classes quality/seismic category d Subsystem III/NA a III/NA III/NA III/NA Power supply 120-V ac inst. buses 120-V ac inst. buses 24-V dc and 120
-V ac inst. bus 24-V dc and 120
-V ac inst. bus No. of channels 2 2 1 1 Alarm setpoint(s)
(b) (b) (b) (c) Control logic NA NA NA 1/1 Instrument range 10 1 to 10 7 cpm gamma 10 1 to 10 7 cpm gamma 10 1 to 10 6 cps gamma 10 1 to 10 6 cps gamma Instrument sensitivity 5 cpm Cs-137 8 cpm Cs-137 5 x 10-9 µCi/cm 3 estimated 1 x 10-4 µCi/ml estimated a NA = Not Applicable.
b Variable; to be set periodically in the field. REV 10 11/00 c Alarm setpoints to be field determined such that discharge concentration in decant line is less than 10 CFR 20 Table II, Column 2 limits.
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
Circulating Water Decant Line, Radiation Main Steam Line Radiation Monitoring Monitoring Subsystem Off-Gas Radiation Subsystem Reactor Building Exhaust Plenum Radiation Monitoring Monitoring Subsystem Design classes quality/seismic category c Subsystem III/NA a I/I III/NA III/NA Power supply 120-V ac inst. buses 120-V ac RPS buses 120-V ac inst. buses RPS buses A & B 24-V dc bus A 120-V ac inst. bus No. of channels 1 4 3 (2 log, 1 linear) 1 Alarm setpoint(s)
(b) b3 x background (b) (b) Control logic NA 1/2 twice NA NA Instrument range 10-1 to 10 7 cpm gamma 10 0 to 10 6 mR/h 10 0 to 10 6 mR/h See Table 11.4-1 Instrument sensitivity 8 cpm Cs-137 3.7 x 10-10 amp/R/h 3 x 10-10 amp/R/hr 80 cpm/mR/hr a NA = Not Applicable.
b Variable; to be set periodically in the field.
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 3 of 12 REV 16 10/09 Offgas Vent Pipe Radiation Monitoring Subsystem Fuel Pool Ventilation Exhaust (Installed Spare)
Turbine Building Ventilation Exhaust Radiation Monitoring Subsystem Design classes quality/seismic category d Radiation Monitoring Subsystem III/NA a I/I III/NA Power supply 24-V dc bus A&B RPS buses A&B 120 Vac inst. bus 24-V dc bus A&B RPS buses A&B 120 V ac inst. bus 120-V ac inst. buses No. of channels 2 4 1 Alarm setpoint(s)
(b) (c) (b) Control logic 1/6 1/4 1/1 Instrument range 10-1 to 10 6 cps 10-2 to 10 2 mR/h (G-M) See Table 11.4-2 Instrument sensitivity Not specified 0.01 mR/hr 80 cpm/mR/hr a NA = Not Applicable.
b Variable; to be set periodically in the field.
c Refer to Technical Specifications d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to mee t the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
Radwaste Building Ventilation Exhaust Radiation Monitoring Reactor Building Ventilation Exhaust Radiation Monitoring Subsystem Control Center Makeup Air Manifold Radiation Subsystem Standby Gas Treatment System, Vent Exhaust Radiation Monitoring Monitoring Subsystem Design classes quality/seismic category c Subsystem III/NA a III/NA III/NA III/NA Power supply 120-V ac inst. buses 120-V ac inst. buses 120-V ac inst. buses 120-V ac inst. buses No. of channels 1 2 2 2, 1 per vent Alarm setpoint(s)
(b) (b) (b) (b) Control logic 1/1 1/2 1/2 NA Instrument range See Table 11.4-2 10 1 to 10 7 cpm (Beta) 10 1 to 10 7 cpm (Beta)
See Table 11.4-2 Instrument sensitivity 80 cpm/mR/hr 8 cpm Xe-133 8 cpm Xe-133 80 cpm/mR/hr a NA = Not Applicable.
b Variable; to be set periodically in the field.
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 4 of 12 REV 16 10/09 Two-Minute Holdup Pipe Radiation Area Radiation Monitoring Subsystem Reactor Water Cleanup Non-Regenerative Heat Exchanger Downstream Monitoring System Drywell Leak Detection Temperature Design classes quality/seismic category d System Pressure III/NA a III/NA III/NA I/I Power supply 120-V ac inst. buses 120-V inst. local 120
-V ac power bus 120-V ac RPS bus 120-V ac invert. and/or inst. buses No. of channels 2 48 1 8 4 drywell 4 suppr. Pool Alarm setpoint(s) c (b) Varies with location 130° NA Control logic 1/2 NA 1/1 NA Instrument range 10 1 to 10 7 cpm gamma Varies 10-2 to 10 2 up to 10 2 to 10 6 mR/h 75° to 205° 0 to 250 psig
-5 to +5 paig 0 to 80 psig
-5 to +15 psig Instrument accuracy e 10 cpm (sensitivity)
+/-20 percent
+/-3 °F +/-0.25 percent span a NA = Not Applicable.
b Variable; to be set periodically in the field.
c Nominal value or refer to technical specification for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database. e The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 5 of 12 REV 16 10/09 Control Center Emergency Air South Inlet Control Center Emergency Air North Inlet Radiation Monitor Design classes quality/seismic category c Radiation Monitor I/I I/I Power supply 120-V ac inst buses 120-V ac inst buses No. of channels 2 2 Alarm setpoint(s)
(b) (b) Control logic 1/2 1/2 Instrument range 10-1 to 10 7 cpm (Beta) 10-1 to 10 7 cpm (Beta)
Instrument sensitivity 8 cpm/pci/cm 3 8 cpm/pci/cm 3 a NA = Not Applicable.
b Variable; to be set periodically in the field.
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
Drywell Leak Detection System Area Drywell Leak Detection System Closed Cooling Water Differential Temperature from Temperature Drywell sump Level Monitors Leak Detection Atmospheric Coolers Drywell Sump Level Monitors Leak Detection System Sump Pumpout Rate Design classes
Quality/seismic category d System Sump Fill Rate III/I a III/NAb III/NA III/NA Power supply 120-V ac inst. bus 120-V ac inst. bus 120-V ac inst. bus 120-V ac inst. bus No. of channels 29 2 2 2 Alarm setpoint(s) c 4 to 115, 135, 145, 180 °F 35 °F Diff 5.1 min. 6.8 min 80.4 min. (Floor drain) 20.1 min. (Equip. drain)
Control logic NA NA NA NA Instrument range 0 to 360 °F 95 to 150 °F NA NA Instrument accuracy e +/-1.6 °F +/-0.1 percent +/-9 sec +/-45 sec. +/-45 sec. (Floor drain)
+/-45 sec. (Equip. drain) a Seismic installation.
b NA = Not Applicable.
c Nominal value or refer to technical specification for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
e The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 6 of 12 REV 16 10/09 Reactor Pressure Vessel Head Seal Leak Detection Recirculation Pump Leak Detection System (Inter-seal Pressure)
Recirculation Pump Detection System Seal Seal Cavity Pressure Safety Relief Valve Leak Detection System Discharge Pipe Leakage Rate Design classes quality/seismic category c Temperature III/NAa III/NA III/NA III/NA Power supply 120-V ac inst. bus 120-V ac inst. bus 120-V ac inst. bus 120-V ac inst. bus No. of channels 1 1 per cavity to 2 cavity per pump 1 per pump 15 Alarm setpoint(s) b 600 psig NA 0.1 gpm 220 °F Control logic NA NA NA NA Instrument range 0 to 1500 psig 0 to 1250 psig 0 to 0.55 gpm(A) 0 to 1.25 gpm(B) 0 to 600° Instrument accuracy d +/-30 psig +/-2 percent
+/-2percent +/-6 °F a NA = Not Applicable.b Nominal value or refer to technical specification for setpoint information (as applicable).
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
d The instrument accuracy information provided in the UFSAR tables is a bounding value. Main Steam Line Leak Detection Area Main Steam Line Leak Detection Temperature Main Steam Line Tunnel Detection System System Flow Main Steam Line Tunnel Leak Detection System Differential Temperature Design classes quality/seismic category d Temperature III/NAa I/I III/NA I/I Power supply 120-V ac invt. bus 120-V ac RPS bus es 120-V ac invt. bus 120-V ac RPS bus No. of channels 2 16 2 16 Alarm setpoint(s)c 160 °F increasing NA b 70 °F increasing NAa,b Control logic NA 1/4 isolates monitored steam line NA 1/4 isolates monitored steam line Instrument range 50° to 350° 0 to 150 psid 50 to 350 ° Instrument accuracy e +/-6 °F psi +/-3 °F +/-2 °F a NA = Not Applicable.
b See Technical Specifications for trip setpoint.
c Nominal value or refer to technical specification for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
e The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 7 of 12 REV 16 10/09 RWCU System Leak Detection System Area RWCU System Leak Detection System Temperature Monitor RWCU Differential High Flow Rate RHR Leak Detection Temperature Trip Design classes quality/seismic category d System Area Temperature I/I I/I I/I III/NA a Power supply 120-V ac invt. bus 120-V ac in st. bus 120-V ac invt. bus 120-V ac invt. bus No. of channels 12 2 4 2 Alarm setpoint(s) c 175 °Fb NAa,b NAa,b 148 °F Control logic 1/5 per valve 1 per valve 1/5 per valve NA Instrument range 50 to 350 °F 0 to 400 gpm 0 to 150° T 50 to 350° Instrument accuracy e +/-6 °F +/-2.5 percent
+/-1 percent span
+/-6 percent a NA = Not Applicable.
b See Technical Specifications for trip setpoint.
c Nominal value or refer to technical specification or Technical Requirements Manual for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
e The instrument accuracy information provided in the UFSAR tables is a bounding value.
RHR Leak Detection System Area Differential RCIC Leak Detection System Steam Line Low Temperature RCIC Leak Detection Pressure RCIC Leak Detection System Vent Differential System Area Temperature Design classes quality/seismic category d Temperature III/NA a I/I I/I I/I Power supply 120-V ac invt. bus 120-V ac invt. bus 120-V ac invt. bus 120-V ac invt. bus No. of channels 2 4 3 2 Alarm setpoint(s) c NA b NA b 50 °F T Control logic NA 2/2 (Redundant) 1/2 NA Instrument range 0 to 150 ° 0 to 200 psig 50 to 350° 0 to 150 ° Instrument accuracy e +/-3 °F +/-0.25 percent
+/-6 °F +/-3 °F a NA = Not Applicable.
b See Technical Specifications for trip setpoint.
c Nominal value or refer to technical specification for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
e The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 8 of 12 REV 16 10/09 RCIC Leak Detection HPCI Leak Detection System Steam Line Steam Flow Rate ('P)
HPCI Leak Detection Low Pressure HPCI Leak Detection System Area System Area Temperature Design classes quality/seismic category d Differential Temperature I/I I/I I/I I/I Power supply 120-V ac invt. bus 120-V ac inst. bus 120-V ac invt. bus 120-V ac invt. bus 120-V ac invt. bus No. of channels 2 4 3 2 Alarm setpoint(s)
NAa,b NAa,b NAa,b c Control logic 1/2 2/2 redundant 1/2 NA Instrument range
+/-300 inch H 2O 0 to 200 psig 50° to 350° Instrument accuracy e +/-0.25 percent
+/-0.25 percent
+/-6 °F +/-3 °F a NA = Not Applicable.
b See Technical Specifications for trip setpoint.
c Nominal value or refer to technical specification for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
e The instrument accuracy information provided in the UFSAR tables is a bounding value.
HPCI Leak Detection System Suppression Pool Leak Detection Steam Flow (Differential Pressure)
Suppression Pool Leak Detection System Area Differential System Area Temperature Design classes quality/seismic category d Temperature I/I a I/I I/I Power supply 120-V invt. bus 120-V ac invt. bus 120-V ac in st. bus 120-V ac inv t. bus No. of channels 2 4 4 Alarm setpoint(s)c NA b 90 °F > ambient 50 °F 'T Control logic 1/2 NA NA Instrument range
+/-500 in. H 2O 50° to 350 °F 0 to 150° 'T Instrument accuracy e +/-0.25 percent
+/-6 °F +/-3 °F a NA = Not Applicable.
b See Technical Specifications for trip setpoint.
c Nominal value or refer to technical specification for setpoint information (as applicable).
d The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
e The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 9 of 12 REV 16 10/09 ECCS Suction Lines Leak Detection Sequence of Events Recorder, Nuclear System Sump Level Fill Rate Primary Containment Steam Supply / Balance
-of- Plant Design classes quality/seismic category b Radiation Monitor III/II/I III/NA a III/NA Power supply 130-V dc inst. bus 130-V dc BOP battery inverter supply 120-V ac inst. bus No. of channels 1 2560 inputs 1 each for gas and particulates (particulates is installed sp are) Alarm setpoint(s)
Field set during startup NA Control logic Sump fill rate NA NA Instrument range Timer (0 to 30 min)
NA Instrument accuracy c +/-2 percent Records inputs with a 1 msec resolution a NA = Not Applicable.
b The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Databas
- e. c The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 10 of 12 REV 16 10/09 Primary Containment Hydrogen AnalyzerPrimary Containment f Oxygen AnalyzerSuppression Pool g Neutron Monitor System, Source Water Level Neutron Monitor System, Intermediate Range Monitor Design classes quality/seismic category c Range Monitors I/I I/I I/I III/NA a I/I Power supply 120-V ac inst. bus 120-V ac inst. bus 120-V ac invert. Bus 120-V ac invert
+/-24-V dc buses
+/-24-V dc buses No. of channels 2 2 2 4 8 Alarm setpoint(s)b High H 2 1.0 percent 3.5 percent High O 2 3.5 percent
4.5 percent
NA 3 c/s down 10 5 c/s up Control logic NA NA NA 1/4 for rod block 1/8 trips RPS; 1 channel isolatable Instrument rangee 0 to 30 percent H 2 0 to 10 percent O2 0 to 30 percent O 2 +56 to -144 in. referenced to normal H 2O level 1x10 3 to 1x 10 9 nv 10 8 to 1.5x10 13 nv Instrument accuracy d +/-2.0 percent full scale
+/-3.0 percent full scale +/-0.025 percent
+/-10 percent linear 1.2 x 10-3 cps/nv (nominal sensitivity)
+/-15 percent a NA = Not Applicable.
b Nominal value or refer to technical specification for setpoint information (as applicable).
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
d The instrument accuracy information provided in the UFSAR tables is a bounding value. e The oxygen analyzer instrument range of 0 to 10% oxygen is provided to meet Regulatory Guide 1.97 Rev 2 requirements and 0 to 30% oxygen is provided for information only.
f The hydrogen analyzer is required to meet Regulatory Guide 1.97, Rev 2 Category 3 requirements.
g The oxygen analyzer is required to meet Regulatory Guide 1.97, Rev 2 Category 2 requirements.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 11 of 12 REV 16 10/09 Neutron Monitor System Local Neutron Monitor System Average Power Power Range Monitor Neutron Monitor System Transversing Range Monitor Neutron Monitor System In-Core Probe Design classes quality/seismic category b Rod Block Monitor I/I I/I III/NA a 1M/II/I Power supply RPS buses 120-V ac RPS buses 120-V ac local power b 120-V ac RPS buses No. of channels 172 4 5 2 Setpoint(s)
See Table 7.6-7 See Table 7.6-9 NA See Table 7.6
-10 Control logic Loss of power causes APRM to trip RPS See Table 7.6-9 NA a 1/2 Instrument range to 10 14 nv 0 to 125 percent full power 2.8 x 10 12 to 2.8 x 1014 nv 0 to 125 percent power/flow Instrument accuracy c +/-1 percent full scale
+/-1 percent full scale Position +/-1 in flux +/-1.0 pe rcent full scale
+/-1.5 percent a NA = Not Applicable.
b The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
c The instrument accuracy information provided in the UFSAR tables is a bounding value.
RBCCW Makeup T ank RBCCW Low Suction Level Trip TBCCW Makeup Tank Pressure Trip TBCCW Low Suction Condensate Level Trip Design classes quality/seismic category c Pressure Trip III/NA a III/NA III/NAa III/NA Power supply 120-V ac from power to pump 120-V ac from power to pumps 120-V ac from power to pumps 120-V ac from power to pumps No. of channels 4 4 4 4 Alarm setpoint(s)b 6 in. decreasing
< 6 psig 6 in decreasing
< 7 psig Control logic 1/2 twice 1/2 twice 1/2 twice 1/2 twice Instrument range 0 to 80 in. WCD 30 HG to 20 psig 0 to 80 in. WCD 0 to 20 psig Instrument accuracy d +/-1/2 in. H 2O +/-1/2 percent +/-1/2 in. H 2O +/-0.25 percent a NA = Not Applicable.
b Nominal value or refer to technical specification for setpoint information (as applicable).
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
d The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR TABLE 7.6-2 GENERAL INSTRUMENTATION INFORMATION Page 12 of 12 REV 16 10/09 FPCC Pump FPCC Conductivity FPCC Pump Low Discharge Pressure FPCC Refueling Bellows Suction Pressure Design classes quality/seismic category c Leakage Rate III/NA a III/NA III/NA III/NA Power supply 120-V ac inst. bus 120-V ac local power bus 130-V dc @ SWGR 120-V ac local power bus No. of channels 2 1 per demineralizer 2 1 per pump 2 1 per pump 1 Alarm setpoint(s)b 90 psig decreasing = low -10 ft H 2O 5 gpm Control logic NA NA 1/1 NA Instrument range 0 to 10 micromhos/cm 0 to 200 psig 0.908 - 34.05 ft H 2 O g 2 to 20 gpm Instrument accuracy d +/-4 psig +/-3 ft H 2 O g +/-1 gpm a NA = Not Applicable.
b Nominal value or refer to technical specification for setpoint information (as applicable).
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database.
d The instrument accuracy information provided in the UFSAR tables is a bounding value.
FPCC Gate Seal Level FPCC Pool Water Level Design classes quality/seismic category c FPCC Surge Tank Level III/NA a III/NA III/NA Power supply 120-V ac local power bus 120-V ac local power bus 120-V ac local power bus No. of channels 1 1 3; High, Low and Low
-Low level switches Alarm setpoint(s)b 5 gpm High + 3 in. Low, 4 in. (normal = 0 in.)
High = 250 ft 3 Low = 100 ft 3 Control logic NA NA 1/1 Instrument range 2 to 20 gpm 8 in. H 2O NA Instrument accuracy d +/-1 gpm +/-1/2 in. H 2O +/-1/2 in. H 2O a NA = Not Applicable.
b Nominal value or refer to technical specification for setpoint information (as applicable).
c The instrument seismic category and QA level information provided in the UFSAR tables may have been upgraded to meet the Pressure Boundary Integrity (PBI) or other requirements. The instrument seismic category and QA level information is available in the Fermi 2 Central Component Database. d The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-3 Safety Parameter SPDS SAFETY PARAMETERS AND ASSOCIATED PRIMARY VARIABLES Primary Variable Core cooling Reactor water level Fuel integrity Reactor coolant sample analysis, offgas pretreatment radiation Reactivity Startup range monitor log count rate Reactor coolant system integrity Reactor pressure, drywell pressure, drywell sump collection rate, RPV isolation, safety/relief valve position Containment integrity Containment pressure, containment isolation valve positions, containment oxygen concentration, suppression pool/wetwell/torus level , drywell temperature Radioactivity effluent to environment Radiation level at plant release points
FERMI 2 UFSAR TABLE 7.6-4 PARAMETERS ASSOCIATED WITH SPDS DISPLAYS Page 1 of 2 REV 16 10/09 Reactor Water Level Wide Range Div I Wide Range Div II Narrow Range Div I Narrow Range Div II Fuel Zone Range Div I Fuel Zone Range Div II Shutdown Range
Reactor Pressure Wide Range Div I Wide Range Div II Dome Pressure Wide Range Dome Pressure Narrow Range Neutron Monitoring APRM 1 SRM A APRM 2 SRM B APRM 3 SRM C APRM 4 SRM D Main Steam Line Radiation Containment High Range Rad Mon Div I Containment High Range Rad Mon Div II Drywell Pressure Wide Range Div I Wide Range Div II Narrow Range Div I Narrow Range Div II Primary Containment 02 Level Div I Primary Containment 02 Level Div II Primary Containment Water Level (Elevation 545 feet to 650 feet)
Torus Water Level Wide Range (-156 in. to +44 in.)
Torus Water Level Narrow Range (-10 in. to +10 in.) Channels B and D Torus Pressure Div I FERMI 2 UFSAR TABLE 7.6-4 PARAMETERS ASSOCIATED WITH SPDS DISPLAYS Page 2 of 2 REV 16 10/09 Suppression Pool Temperature Drywell Temperature Fuel Pool Div I Rad Mon A Fuel Pool Div I Rad Mon C SJAE Radiation Mon A SJAE Radiation Mon B
Drywell Floor Drain Sump Level Primary Containment Isolation Valves/Signal Status Safety Relief Valve Status SGTS Exhaust Fan Div I Status SGTS Exhaust Fan Div II Status Turbine Bldg Exhaust Fan Status Radwaste Bldg Exhaust Fan Status Reactor Bldg Exhaust Fan Status Gaseous Effluent Radiation Monitors SGTS Div I Exhaust SGTS Div II Exhaust Reactor Bldg Exhaust Radwaste Bldg Exhaust Turbine Bldg Exhaust
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-5 SRM SYSTEM TRIPS Nominal a Trip Function Setpoint Trip ActionSRM Upscale (high) b 10 5c/s Rod block, amber light display, annunciator SRM Instrument Inoperative (c) Rod block, amber light display, annunciator Detector Retraction Permissive (SRM downscale)
Bypass detector full
-in-limit switch when above present limit, annunciator, green light display, rod block when below preset limit with IBM range switches on first two ranges SRM Period 50 Annunciator, amber light display SRM Downscale 3c/s White light display, annunciator, rod block SRM Bypassed White light display a Nominal setpoints are included for reference only. See Technical Specifications for actual operational values.
b Also refer to Figure 7.6
-17. c Operate-Calibrate Switch not in Operate, module interlocks open, detector
-polarizing voltage below 300 V.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-6 IRM SYSTEM TRIPS Nominal a Trip Function Setpoint Trip ActionIRM Upscale (High
-High) b 120/125 fs Scram, annunciator, red light display IRM Instrument Inoperative (c) Scram, annunciator, red light display IRM Upscale (High) 108/125 fs Rod block, annunciator, amber light display IRM Downscale 5/125 fs Rod block (exception on most sensitive scale), annunciator, white light display IRM Bypassed NA White light display a Nominal setpoints are included for references. See Technical Specifications for actual operational values.
b Also refer to Figure 7.6
-17. c Operate-Calibrate Switch not in Operate, module interlocks open, detector-polarizing voltage below 80 V.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-7 LPRM SYSTEM TRIPS Trip Function Trip** Trip Range Setpoint LPRM Downscale Trip Action 0 percent to full scale 3 fs APRM ODA* indication and annunciator LPRM Upscale 0 percent to full scale 100 fs APRM ODA* indication and annunciator LPRM Bypass Manual selection NA APRM ODA* indication and APRM averaging compensation
- Digital Operator Display Assembly
- Nominal Setpoints are included for reference only
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-8 APRM FLOW FUNCTIONAL TRIPS Nominal a Trip Function Setpoint Upscale Trip Action 108 fs Rod block, APRM ODA* indication and annunciator
- Digital Operator Display Assembly a Nominal values are included for reference only.
FERMI 2 UFSAR TABLE 7.6-9 APRM SYSTEM TRIP Trip Function Trip Point Range Nominal a Value Actionb APRM Downscale 0 percent to full scale 5 percent of rated thermal power Rod block, annunciator, APRM ODA* APRM Upscale (Rod block)
(two recirc loops)
Varied with flow, intercept and slope adjustable (0.62Wc +54.5 percent with a clamp of 108 percent) 12 percent of rated thermal power in startup mode Rod block, annunciator, APRM ODA* APRM Upscale (thermal)
(two recirc loops)
Varied with flow, intercept and slope adjustable (0.62Wc +60.2 percent) with max of 113.5 percent of rated thermal power Scram, annunciator, APRM ODA*
APRM Inoperative OPER-INOP switch, module interlocks open, or self
-test Not in OPER mode or critical self-test fault Scram, rod block, annunciator, APRM ODA* APRM Bypass Manual switch
-- White light APRM Upscale (neutron) 0 percent to full scale 118 percent of rated thermal power 15 percent of rated therma l
power in startup mode Scram annunciator, APRM ODA*
OPRM Upscale Trip Growth: 1.00
-1.50 Amplitude: 1.05
-1.50 Confirmation count:
2-25 (Trip) and 1.00-1.30 (Amplitude)
Growth: 1.30 Amplitude: 1.30 Confirmation Count:
14 (Trip) and 1.11 (Amplitude)
Scram, Annunciator, APRM ODA*
OPRM Upscale 1.05-1.50 Growth: 1.00
-1.50 Amplitude: 1.20 Confirmation Count: 2-25 (Trip) Growth: 1.20 APRM ODA* Confirmation Count 12 (Trip)
Annunciator, Amplitude:
OPRM Inoperative 0-44 (Min. OPRM Cells required)
<21 OPRM Cells operable Annunciator, APRM ODA*
OPRM Enable STP: 10-40% Flow: 50-100% 27.5% STP <60% drive flow Annunciator, APRM ODA*
- Digital Operator Display Assembly a See Technical Specifications for actual operational values b Also see Figure 7.6-16. c W is recirculation loop flow.
Page 1 of 1 REV 19 10/14 FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-10 Trip Function RBM SYSTEM TRIPS Nominal Setpoint(a) Trip Action RBM Downscale RBM ODA*
94% Rod block, annunciator, RBM Inoperative (b) Rod block, annunciator, RBM ODA*
RBM Upscale(c) LTSP = 114.0; Rod block, annunciator, ITSP = 118.2; RBM ODA* HTSP = 104.4 RBM Bypassed Manual switch RBM ODA*, White light Display
- Digital Operator Display Assembly (a) Nominal setpoints for reference only. See Core Operating Limits Report (COLR) for actual operational values.
(b) OPER - INOP switch not in OPER, module interlocks open, too few inputs, failure to adjust gain or more than one rod selected. (c) These setpoints are in percent of reference level (Refer to Figure 7.6
-22(b) for additional information).
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-11 Condition SPENT FUEL POOL LEAKAGE ALARMS IN CONTROL ROOM Setpoint (nominal) Fuel pool system temperature high 130 °F Fuel pool water level low 4 in. below normal level Fuel pool system trouble Any alarm contacts from surge tank high or low, gate leakage, refueling bellows leakage, pump A or pump B discharge pressure low. Fuel pool water level high 3 in. above normal level
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09
TABLE 7.6-12 HAS BEEN INTENTIONALLY DELETED
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09
TABLE 7.6-13 HAS BEEN INTENTIONALLY DELETED
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.6-14 REACTOR WATER CLEANUP ANNUNCIATORS Function Trip Point Reactor Water Cleanup Pump Low Flow 70 gpm Reactor Water Cleanup Pump Seal Gland Plate Temperature High 250 °F Reactor Water Filter
-Demineralizer Inlet High Temperature 130 °F Reactor Water Cleanup/Blowdown Line Pressure High 140 psi Reactor Water Cleanup/Blowdown Line Pressure Low 5 psi Reactor Water Cleanup Steam Leakage High Area Temperature 175 °F a Reactor Water Cleanup Filter Demineralizer Trouble Any alarm on load operated
Reactor Water Cleanup Valves Thermal Overload Any valve over-load operated Reactor Water Cleanup Differential High 55.1 gpm a Reactor Water Conductivity High Multiple setpoints a Nominal value - refer to Technical Specifications for setpoint information
.
FERMI 2 UFSAR 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.7.1 Description
This subsection discusses control systems whose functions are not essential for the safety of the plant. These systems are the reactor manual control system (RMCS), recirculation flow control system (RFCS), feedwater control system, pressure regulator and turbine-generator controls, and the radwaste processing system controls.
7.7.1.1 Reactor Manual Control System Instrumentation and Control 7.7.1.1.1 Identification The RMCS instrumentation and control consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The RMCS does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Sections 7.2 and 7.6. In addition, the mechanical devices of the control rod drive (CRD) and the CRD hydraulic system are not included in the RMCS. The latter mechanical components are described in Subsection 4.5.2.
7.7.1.1.1.1 Function The objective of the RMCS is to provide the operator with the means for changing reactor power by manipulating the control rods.
7.7.1.1.1.2 Classification This system is a power generation system, nonessential for safety, and is classified in Chapter 3.
7.7.1.1.2 Power Sources 7.7.1.1.2.1 Normal The RMCS receives its power from the 120-V ac instrumentation and control power buses, either bus A or bus B. Each of these buses receives its normal power supply from the appropriate 480-V ac engineered safety feature (ESF) bus as described in Subsection 8.3.1.
One subsystem, the control rod position indication system, is powered by the 120-V ac instrument bus, as described in Subsection 8.3.1.
7.7.1.1.2.2 Alternate On loss of normal auxiliary power, the station diesel generator provides backup power to the 480-V ac ESF bus and the 120-V ac instrument bus.
7.7.1.1.3 Equipment Design 7.7-1 REV 19 10/14 FERMI 2 UFSAR 7.7.1.1.3.1 General Figure 4.5-15 shows the layout of the CRD hydraulic system. Figure 7.7-1 shows the functional arrangement of devices for the control of components in the CRD hydraulic system. Although the figures also show the arrangement of scram devices, these devices are not part of the RMCS. Control rods are moved by admitting water, under pressure, from a CRD water pump into the appropriate end of the CRD cylinder. The pressurized water forces the piston, which is attached by a connecting rod to a control rod, to move. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the operational modes. The valves control the path the CRD water takes to the cylinder. The RMCS controls the valves. The settle mode of control rod operation is provided to decelerate the control rod at the end of either an insert cycle or a withdraw cycle. The settle action smooths out the control rod movement and prolongs the life of the CRD hydraulic system components. During the settle mode, the withdraw valve associated with the settle operation is opened or remains open while the other three soleno id-operated valves are closed. During an insert cycle, the settle action vents the pressure from the insert drive water supply line to the exhaust header, thus gradually reducing the differential pressure across the drive piston of the selected rod.
During a withdraw cycle, the settle action holds open the discharge path for withdraw water while the withdraw drive water supply is shut off. This also allows for a gradual reduction in the differential pressure across the control drive piston. After the control rod has slowed down, the collet fingers engage the index tube and lock the rod in position. The arrangement of control rod selection pushbuttons and circuitry permits the selection of only one control rod at a time for movement. A rod is selected for movement by depressing a button for the desired rod on the reactor control benchboard in the main control room (Figure 7.5-1). The direction in which the selected rod moves is determined by the position of a switch, called the "rod movement" switch, which is also located on the reactor control benchboard.
This switch has "rod-in" and "rod-out-notch" positions and returns by spring action to the "off" position. The rod selection circuitry is arranged so that a rod selection is sustained until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible, except for loss of control-circuit power until any moving rod has completed the movement cycle.
7.7.1.1.3.2 Insert Cycle The following is a description of the detailed operation of the RMCS during an insert cycle.
The response of a selected rod when the various commands are transmitted has been explained in Subsection 7.7.1.1.3.1. Figure 7.7-1 can be used to follow the sequence of an insert cycle. A three-position rod movement switch is provided on the reactor control benchboard. The switch has a "rod-in" position, a "rod-out-notch" position, and an "off" position. The switch 7.7-2 REV 19 10/14 FERMI 2 UFSAR returns by spring action to the "off" position. When a control rod is selected for movement, the operator places the rod movement switch in the "rod-in" position and then releases the switch. This action energizes the insert command for a limited time. Just before the insert command is removed, the settle command is automatically energized for a limited time. The insert command time setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The time setting results in a one
-notch (6 in.) insertion of the selected rod for each momentary application of a "rod-in" signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the rod movement switch in the "rod-in" position. A second switch can be used to initiate insertion of a selected control rod. This switch is the "rod-out-notch-override" switch and is called the RONOR switch. The RONOR switch has three positions: "emergency-in," "notch override," and "off." The switch returns to the "off" position by spring action. By holding the RONOR switch in the "emergency-in" position, the logic maintains the insert command in a continuously energized state to cause continuous insertion of the selected control rod.
7.7.1.1.3.3 Withdraw Cycle This subsection describes the detailed operation of the RMCS during a withdraw cycle. The response of a selected rod when the various commands are transmitted has been explained in Subsection 7.7.1.1.3.1. Figure 7.7-1 can be used to follow the sequence of a withdraw cycle. When a control rod is selected for movement, the operator places the rod movement switch in the "rod-out-notch" position, which energizes the insert commands for a short time.
Energizing the insert command at the beginning of the withdraw cycle is nec essary to allow the collet fingers to disengage the index tube. When the insert command is deenergized, the withdraw and settle commands are energized for a controlled period of time. The withdraw command is deenergized before the settle command; this tends to decelerate the selected rod. When the settle command is deenergized, the withdraw cycle is complete. This withdraw cycle is the same whether the rod movement switch is held continuously in the "rod-out-notch" position or is released. The timer that controls the withdraw cycle is set so that the rod travels one notch (6 in.) per cycle.
Provisions are included to prevent further control rod motion in the event of timer failure. A selected control rod can be continuously withdrawn if the rod movement switch is held in the "rod-out-notch" position at the same time that the RONOR switch is held in the "notch
-override" position. When both switches are held in these positions, the withdraw and settle commands are continuously energized.
7.7.1.1.3.4 Control Rod Drive Hydraulic System Control A motor-operated pressure control valve, two air-operated flow control valves, and four solenoid-operated stabilizer valves are included in the CRD hydraulic system to maintain smooth and regulated system operation. These devices are shown in Figure 4.5-15. The motor-operated pressure-control valve is positioned by manipulating a pushbutton in the main control room. The pushbuttons for this valve are located close to the pressure indicator that responds to the pressure changes caused by the movements of the valve. The air-operated flow control valves are automatically positioned in response to signals from an 7.7-3 REV 19 10/14 FERMI 2 UFSAR upstream flow measuring device. The stabilizer valves are automatically controlled by the energization of the insert and withdraw commands. The control scheme is shown in Figure 7.7-1. There are two drive-water pumps, one of which is a spare. They are controlled by switches in the main control room. Each pump automatically stops on indication of low suction pressure. 7.7.1.1.3.5 Rod Block Interlocks General Figure 7.7-1 shows the general functional arrangement of the rod block interlocks used in the RMCS. To achieve an operationally desirable performance objective where most failures of individual components would be easily detected or would not disable the rod movement inhibiting functions, the rod block logic circuitry is arranged as two similar logic circuits.
These circuits are energized when control rod movement is allowed. Each logic circuit receives input trip signals from a number of trip channels, and each logic circuit can provide a separate rod block signal to inhibit rod withdrawal. The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even during a continuous rod withdrawal. The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in Subsection 7.6.1.1. Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in Subsection 7.6.1.13. The rod block functions provided specifically for refueling situations are described in Subsection 7.6.1.1. With the mode switch in the SHUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode. The circuitry is arranged to initiate a rod block, regardless of the position of the mode switch, for the following conditions:
- a. Any average power range monitor (APRM) upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require reactor protection system (RPS) action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached b. Any APRM inoperative alarm. This ensures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or are correctly bypassed 7.7-4 REV 19 10/14 FERMI 2 UFSAR
- c. Either rod block monitor (RBM) upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation
- d. Either RBM inoperative alarm. This ensures that no control rod is withdrawn unless the RBM channels are in service or are correctly bypassed
- e. Any APRM indicating recirculation flow upscale. This ensures that no control rod is withdrawn unless the recirculation flow functions, which are necessary for the proper operation of APRM rod block function, are operable
- f. Deleted g. Scram discharge volume high water level. This ensures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level
- h. Scram discharge volume high water level scram trip bypassed. This ensures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service
- i. The rod worth minimizer (RWM) can initiate a rod insert block and a rod withdrawal block. The RWM limits the worth of any control rod that could be dropped by regulating the withdrawal sequence. This system prevents the movement of an out-of-sequence rod in the 100 percent control rod density to the preset low power level, the RWM will allow only BPWS mode withdrawals or insertions. The rod block trip settings are based on the allowable control rod worth limits established for the design-basis control rod drop accident. Additional information on the RWM function is available in Subsection
7.6.1.20 j. Rod position information system malfunction. This ensures that no control rod can be withdrawn unless the rod position information system is in service k. Rod movement timer malfunction during withdrawal. This ensures that continuous withdrawal of a control rod does not result from failure of the normal rod timer during the withdrawal portion of the timing sequence. With the mode switch in the RUN position, any of the following conditions initiates a rod block: a. Any APRM downscale alarm. This ensures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed.
All unbypassed APRMs must be on scale during reactor operations in the RUN mode b. Either RBM downscale alarm. This ensures that no control rod is withdrawn during power range operation unless the RBM channels are operating correctly 7.7-5 REV 19 10/14 FERMI 2 UFSAR or are correctly bypassed. An RBM which reads downscale (downscale alarm) and not automatically bypassed by the APRM low power feature is considered to have failed. This results in the rod withdrawal permissive not being given unless this RBM is bypassed.
With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiates a rod block:
- a. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch is on either of the two lowest ranges. This ensures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information b. Any SRM upscale level alarm. This ensures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux
- c. Any SRM downscale alarm. This ensures that no control rod is withdrawn unless the SRM count rate is above the minimum rate prescribed for low neutron flux level monitoring d. Any SRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available in that all SRM channels are in service or are correctly bypassed
- e. Any intermediate range monitor (IRM) detector not fully inserted into the core.
This ensures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM detectors are correctly located
- f. Any IRM upscale alarm. This ensures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring RPS action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations
- g. Any IRM downscale alarm except when range switch is on the lowest range.
This ensures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the IRM is on scale if control rods are to be withdrawn h. Any IRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available in that all IRM channels are in service or are correctly bypassed.
7.7-6 REV 19 10/14 FERMI 2 UFSAR Rod Block Bypasses To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, the limited number of manual bypasses that are permitted are:
- a. One SRM channel
- b. Two IRM channels (one on bus A and one on bus B)
- c. One APRM channel
- d. One RBM channel.
The permissible IRM bypasses are arranged in two groups, each having an equal number of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained when one channel is bypassed in each group.
The arrangement allows the bypassing of one IRM in each rod block logic circuit. These bypasses are effected by positioning switches in the main control room. A light in the main control room indicates the bypassed condition. An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.
An automatic bypass of the RBM rod block occurs when the power level is below a preselected level or when a peripheral control rod is selected. Either condition indicates that local fuel damage is not threatened and that RBM action is not required. The RWM rod block function is automatically bypassed when reactor power increases above a preselected value in the power range.
Arrangement of Rod Block Trip Channels Half of the total neutron monitoring equipment (SRM, IRM, APRM, RBM) provides input to one of the two rod block logic circuits and the other half provides input to the other logic circuit. Two of the flow functions from each of the two recirculation loops provides a rod block signal to one logic circuit and the other two flow functions for each recirculation loop provides an input to the other logic circuit. Scram discharge volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed. The rod withdrawal block from the RWM trip affects both rod block logic circuits. The rod insert block from the RWM function prevents energizing the insert bus for both notch insertion and continuous insertion. The APRM rod block settings are varied as a function of recirculation flow. The RBM rod block settings are power dependent. Analyses show that the selected settings are sufficient to avoid both RPS action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional detail on all the neutron monitoring system (NMS) trip channels is available in Subsection 7.6.1.13.
7.7-7 REV 19 10/14 FERMI 2 UFSAR The rod block from scram discharge volume high water level uses one nonindicating float switch installed on the scram discharge volume. A second float switch provides a main control room annunciation of increasing level.
7.7.1.1.3.6 Inspection and Testing The RMCS can be routinely checked for correct operation by manipulating control rods using the various methods of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.
7.7.1.1.4 Environmental Considerations The RMCS is not required for safety functions, nor is it required to operate after the design-basis accident (DBA). The RMCS is required to operate in the normal plant environments for power generation purposes only. The hydraulic control units are located in the reactor building. The logic, control units, and instrumentation readouts are located in the main control room. The control rod position detectors are located beneath the reactor pressure vessel (RPV) in Zone 3 of the primary containment. The normal design environments encountered in these areas are listed in Table 3.11-5.7.7.1.1.5 Operational Consideration 7.7.1.1.5.1 Normal The RMCS is totally operable from the main control room. Manual operation of individual control rods is possible with a jog switch to effect control rod insertion, withdrawal, or settle.
Rod position indicators, described in Subsection 7.7.1.1.5.2, provide the necessary information to ascertain the operating state and position of all control rods. Conditions that prohibit control rod insertion are alarmed by the rod block annunciator.
7.7.1.1.5.2 Operator Information Instrumentation Table 7.7-1 gives information on instruments for the RMCS. A large rod information display on the vertical portion of the reactor control benchboard is patterned after a top view of the reactor core, as shown in Figure 7.5-1. The display allows the operator to acquire information rapidly by scanning. Colored windows provide an overall indication of rod pattern and allow the operator to quickly identify an abnormal indication. The following information for each control rod is presented in the display:
- a. Rod fully inserted (green) b. Rod fully withdrawn (red)
- c. Rod identification (coordinate position, white) d. Accumulator trouble (amber) 7.7-8 REV 19 10/14 FERMI 2 UFSAR
- e. Rod scram (blue)
- f. Rod drift (red).
Also available on digital operator display assemblies (ODAs), one for each two APRM channels, are local power range monitor (LPRM) readings as well as indications of LPRM low flux level and LPRM high flux level. A separate, smaller display is located just below the large display on the vertical part of the benchboard. This display shows the positions of the control rod selected for movement and the positions of the other rods in the rod group. For display purposes, the control rods are considered in groups of four adjacent rods centered around a common core volume monitored by four LPRM strings. Rod groups at the periphery of the core may have less than four rods. The small rod display shows the positions, in digital form, of the rods in the group to which the selected rod belongs. A white light indicates which of the four rods is selected for movement. On either side of the four-rod position display are indicated (on RBM ODAs
- one for each RBM) the readings of the 16 LPRM channels (four LPRM strings) surrounding the core volume common to the four rods of the group. The four-rod display allows the operator to easily focus his attention on the core volume of concern during rod movements. This arrangement eliminates the problems inherent in larger, full core displays where the operator must concentrate his attention on a small portion of a large display. The four-rod display also allows the operator to quickly investigate any volume of the core by simply selecting a control rod located in that volume.
The position signals of selected control rods, together with a rod identification signal, are provided as hardwired digital signals to the rod worth minimizer (RWM). These signals are then provided by the RWM as digital data to the Integrated Plant Computer System (IPCS) via the Multi-Vendor Data Acquisition System (MVD) component of the 3D-Monicore Computer System (3DM). Control rod position information is obtained from reed switches in the CRD that open or close as a magnet attached to the rod drive piston passes during rod movement. Reed switches are provided at each 3-in. increment of piston travel. Because a notch is 6 in. long, indication is available for each half
-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift. Both the rod selected for movement and the rods not selected for movement are monitored for drift. A drifting rod is indicated by an alarm and red light in the main control room. The rod drift condition is also monitored by the IPCS. Reed switches are provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves to these overtravel positions, an alarm is sounded in the main control room. The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact because the drive cannot be physically withdrawn to the overtravel position when the coupling is in its normal condition. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position. The following main control room lights are provided to enable the operator to be aware of the conditions of the control rod drive hydraulic system and the control circuitry:
- a. Stabilizer valve selector switch position
- b. Insert command energized 7.7-9 REV 19 10/14 FERMI 2 UFSAR
- c. Withdraw command energized
- d. Settle command energized
- e. Withdrawal not permissive
- f. Notch override
- g. Pressure control valve position
- h. Flow control valve position
- i. Drive water pump low suction pressure (alarm only)
- j. Drive water filter high differential pressure (alarm only)
- k. High pressure of charging water to accumulator (alarm only)
- l. CRD temperature
- m. Scram discharge volume not drained (alarm only) n. Scram valve pilot air heater high/low pressure (alarm only).
7.7.1.2 Recirculating Flow Control System Instrumentation and Control 7.7.1.2.1 System Identification 7.7.1.2.1.1 Function The objective of the RFCS is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water (Figure 5.5-2). The control involves varying the speed of the recirculation pumps by varying the voltage and frequency of the ac supply to each pump motor. The ac supply is provided by a motor-generator set for each pump. Each motor-generator set consists of a squirrel-cage induction motor driving a variable-frequency generator through a variable-speed converter. The generator output is varied by varying the slip within the converter. Since flow rate is directly proportional to pump speed which is proportional to generator speed, generator speed is considered the controlled variable of the system. Manual input to the individual loop controllers is the reference input to the system. The RFCS is also designed to limit the range and rate of change of pump speed, and to otherwise ensure proper operation and equipment protection.
7.7.1.2.1.2 Classification This system is a power generation system, nonessential for safety, and is classified in Chapter 3.
7.7.1.2.2 Power Sources The RFCS consists of Remote Distributed Control System
- Reactor Recirculation (Remote DCS-RR) and Remote Input/Output - Reactor Recirculation (Remote I/O
-RR). The RFCS has redundant power supplies and redundant processing units. Both the flow loops A and B 7.7-10 REV 19 10/14 FERMI 2 UFSAR are controlled by Remote DCS
-RR. The Remote DCS-RR is powered by 120 V ac instrument and control bus and 125 V dc power and Remote I/O-RR is powered by 120 V ac Bus A and Bus B for redundancy.
7.7.1.2.3 Equipment Design 7.7.1.2.3.1 General Reactor recirculation flow is changed by adjusting the speed of the two reactor recirculating pumps by adjusting the frequency and voltage of the electrical power supplied to the recirculation pump motors. Control of pump speed, and thus core flow, is such that at various control rod patterns, different power level changes can be accommodated. Refer to Section 4.4.3.5 for a discussion of BWR operation with recirculation flow control. An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. The additional neutron moderation increases the reactivity of the core, causing the reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady
-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner. Figure 7.7-2 is a simplified illustration of the RFCS. Figure 7.7-3 shows the system functional control diagram (FCD).
Each recirculation pump motor has its own motor-generator set for a power supply. A variable-speed converter is provided between the motor and generator of the motor-generator set. To change the speed of the reactor recirculation pump, the variable
-speed converter varies the generator speed, which changes the frequency and magnitude of the voltage supplied to the pump motor so that the desired pump speed is attained. The RFCS uses a demand signal from the operator. The RFCS is a digital microprocessor based distributed control system (DCS). The DCS features modular design consisting of input/output, redundant processor and communication. The DCS equipment is located in the relay room, control room and reactor building 4 th floor. The operator interface consists of manual/automatic (M/A) controllers, bar graph indicators, recorders, pushbuttons, control switches, indicating lights and video display. The controls permit the operator to operate in manual or automatic mode. An individual, independent M/A controller will provide speed control for each reactor recirculation pump. The manual mode of operation bypasses closed loop speed control. The M/A controller is placed in AUTO for control loop regulation by the feedback signal of generator speed, subject to the limiters. A manual runback indicating pushbutton is provided in the control room to manually runback the recirculation pumps. The M/A controller display includes speed setpoint, generator speed, and speed demand signal. A flat panel display with a touch screen is provided in the control room to access various system parameter data.
The system locks up the scoop tube on fault conditions. The system has the capability to monitor the initiation and clearance of the fault condition.
7.7-11 REV 19 10/14 FERMI 2 UFSAR Each MG set has three magnetic pick-up speed sensors for redundancy, which provide speed feedback inputs into the Remote DCS-RR. The system transfers the M/A controller to MANUAL mode on either loss of two speed signals or communication failure with DCS processors. A provision has been included in the Fermi 2 design to trip the recirculation pump motor-generator field breakers and drive motor breakers on receipt of ATWS initiation signals. The Fermi 2 RPT design employs two trip coils in each recirculation system motor generator set field breaker and drive motor breaker. This design provides redundant trips of both motor-generator sets following the transient and failure
-to-scram. To minimize the possibility of breakers being tripped inadvertently, the automatic trip signals are arranged in two-out-of-two logic.
The breaker automatic trip signal is a combined ARI/RPT logic. That is, a low reactor vessel water level (level 2) or high reactor vessel pressure signal will initiate the trip of both sets of field breakers. (Refer to Figure 7.7-3, sheet 4). The RPT may be manually initiated by the same two pushbuttons in the control room (on a divisional basis) as ARI, the difference being that initiation of one division will trip both sets of breakers.
The RPT logic delays MG set field breaker trip on low reactor vessel water level for 9 seconds. This time delay was provided to account for the difference in the pump coastdown time if the field breaker is tripped rather than the motor-generator set drive motor, as was assumed in the LOCA analysis. The manual reset of the generator field breaker trip seal-in circuit does not have any time delay due to the rapid operation of the circuit breaker. The manual reset of the drive motor breakers will have a time delay because the reset logic is ARI logic. 7.7.1.2.3.2 Motor-Generator Sets Each of the two motor-generator sets and its controls are identical; therefore, only one description is given of the motor-generator set. Figure 5.5-2 shows the general arrangement and rating of the motor-generator set. The motor-generator set can continuously supply power to the pump motor at any speed between approximately 19 percent and 96 percent of the drive motor speed. The motor-generator set is capable of starting the pump and accelerating it from standstill to the desired operating speed when the pump motor thrust bearing is fully loaded by reactor pressure acting on the pump shaft. The main components of the motor-generator set are
- a. Drive motor - The drive motor is an ac induction motor that drives the input shaft of the variable speed converter b. Generator - The variable-frequency generator is driven by the output shaft of the variable-speed converter. During normal operation, the generator exciter is powered by the drive motor. The excitation of the generator is provided from an auxiliary source during pump startup
- c. Variable-speed converter and actuation device - The variable
-speed converter transfers power from the drive motor to the generator. The variable-speed 7.7-12 REV 19 10/14 FERMI 2 UFSAR converter actuator automatically adjusts the slip between the converter input shaft and output shaft as a function of the signal from the speed controller. If the speed controller signal is lost, the actuator causes the speed converter slip to remain "as is." Manual reset of the actuation device is required to return the speed converter to normal operation.
7.7.1.2.3.3 Speed Control Configuration The speed control system (Figure 5.5-2) controls the variable speed converters of both motor-generator sets. The micro-processor-based scoop tube positioner directly interfaces with the speed control system. The motor-generator sets can be manually controlled individually.
The control system configuration for each motor-generator set consists of a manual automatic transfer station, a speed control function, a signal failure alarm, a startup mode function and a speed limiter. Components in the new speed control system contain I/O modules feeding the redundant main processing units. The control system is comprised of an arrangement of discrete modules which run the main processing unit. The operator interface is manual/automatic setpoint stations.
Speed Control There is one speed control for each motor-generator set. The speed control system transmits the signal that adjusts the motor
-generator set variable-speed converter. The speed control for each motor-generator set compares the setpoint signal from the operator station to the feedback signal from triple redundant magnetic speed sensors for each motor-generator set. The control system adjusts its output to the speed converter so that the speed feedback signal is made to equal the setpoint signal. The speed controller setpoint signal is received during automatic operation and during motor-generator set manual operation or during pump startup from the startup signal generator.
System Trouble Alarm There is one system trouble alarm for each motor
-generator set. The system trouble alarm actuates an alarm in the main control room and acts to prevent any change of slip within the variable-speed converter.
Startup Mode There are triple redundant magnetic speed sensors for each motor
-generator set. The triple redundant speed sensors supply the setpoint signal to the speed control system. This function sets the motor-generator set variable speed converter for approximately 50 percent recirculation pump speed. Speed Limiter There are four speed limiter functions for each motor-generator set. Number 1 limiter is an adjustable high limit. The speed control setpoint signal is automatically limited by the Number 1 limiter if the recirculation pump main discharge valve is not fully open or if the feedwater flow is less than 20 percent of rated flow. Number 2 or 3 limiter acts on the position demand to the scoop tube positioner and is actuated when a feedwater pump is tripped and level is below the low alarm setpoint (Number 2 limiter) or when both heater drain pumps are not pumping forward to the suction of the feed pumps (Number 3 limiter).
7.7-13 REV 19 10/14 FERMI 2 UFSAR A manual defeat of runback 2 and 3 logic is used during startups, shutdowns and single loop operation. Number 4 limiter limits speed controller setpoint signal of operating pump following a trip of a single recirculation pump. The limiters are enabled during manual operation of the operator station. A manual runback indicating pushbutton is provided in the control room to manually runback the recirculation pumps.
7.7.1.2.3.4 Recirculation Loop Starting Sequence Each recirculation loop is independently put into operation by operating the controls of each recirculation loop as follows:
- a. Whenever the generator field breaker is open, the control system is automatically placed in startup mode. Startup mode bypasses the normal speed control circuits to position the variable-speed converter for startup. The minimum speed of the recirculation pumps is 20 percent as established by the mechanical stops. Startup operations of the plant are normally carried out with the recirculation pumps operating at approximately 30 percent speed. The power-versus-flow operating state for the reactor follows the 30 percent speed line for the normal control rod withdrawal sequence. (See Section 4.4.3.3.1 and Figure 4.4-
- 3) b. The starting sequence is manually initiated by placing the drive motor control switch for one motor-generator set in the start position.
- c. Once the variable-speed converter has achieved its startup position, the following events occur: 1. The auxiliary source of field excitation is engaged after a time delay
- 2. The generator field breaker is closed after a time delay.
- d. When the generator field breaker is closed, the manual/automatic setpoint station is automatically transferred to give the desired initial generator speed (typically <30 percent of rated speed) after the startup sequence is complete.
- e. Deleted f. After recirculation pump start is sensed by a combination of field breaker position and generator output current, the generator is automatically transferred to self-excitation
- g. Recirculation flow is increased during startup by manually increasing recirculation pump speed h. Deleted 7.7.1.2.3.5 Inspection and Testing The motor-generator set, and the speed control system are functioning during normal power operation. Any abnormal operation of these components can be detected during operation.
The components that do not continually function during normal operation can be tested and inspected for calibration and operability during scheduled plant shutdowns. All the RFCS 7.7-14 REV 19 10/14 FERMI 2 UFSAR components are tested and inspected according to the component manufacturer's recommendations. This can be done during scheduled shutdowns.
7.7.1.2.4 Environmental Considerations The RFCS is not required for safety purposes, nor is it required to operate after the DBA. The system is required to operate in the normal plant environment for power generation purposes only. The following normal design environments are encountered by parts of the RFCS. The recirculation flow-control equipment in Zone 4 of the primary containment is the pump motor, which is subject to the environment specified in Table 3.11-5 under environmental conditions. The control system hardware, operator controls, and instrumentation terminals are located in the main control room, relay room and reactor building (remote I/O) and are subject to the normal environments of these areas.
7.7.1.2.5 Operational Considerations Indicators and alarms are provided to keep the operator informed of the status of the system so that he may quickly determine the location of malfunctioning equipment. Temperature monitoring of equipment is recorded and alarmed if safe levels are exceeded. Indicators are provided to show pumping power requirements, motor-generator set speed, recirculation loop flow, valve positions, and analog control signal, all of which determine system status. Alarms are provided to alert the operator of malfunctioning control signals, excessive cooling water temperatures, inability to change pump speed, and the status of the motor-generator circulating lube-oil supply.
7.7.1.3 Feedwater Control System Instrumentation and Control 7.7.1.3.1 System Identification 7.7.1.3.1.1 Function The feedwater control system automatically controls the flow of feedwater into the RPV so
that the water in the vessel is maintained within predetermined levels during all modes of plant operation. The range of water level is based on the requirements of the steam separators, including limiting carryover and carryunder, which affects turbine performance and recirculation pump operation. The range of water level is also based on the need to prevent exposure of the reactor core. The feedwater control system uses water level, steam flow, and feedwater flow as a three-element control. Single-element control, based on water level only, is also available.
Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that would result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow, which causes the level of the water in the RPV to rise or fall accordingly. Figure 7.7-4 shows the system IED.
7.7-15 REV 19 10/14 FERMI 2 UFSAR 7.7.1.3.1.2 Classification This system is a power generation system, nonessential for safety, and is classified in Chapter 3.
7.7.1.3.2 Power Sources The feedwater control system power is supplied by two (2) redundant uninterruptible power supplies. Interruptible instrument air and power is supplied to certain feedwater system (N21) control valves and operators.
7.7.1.3.3 Equipment Design 7.7.1.3.3.1 General During normal plant operation, the feedwater control system automatically regulates feedwater flow into the RPV. The system is a distributed control system (DCS) using redundant processors and communication links. This system can be manually operated from the main control room. The feedwater flow control instrumentation measures the water level in the RPV, the feedwater flow rate into the RPV, and the steam flow rate from the RPV. During automatic three-element operation, these measurements are used for controlling feedwater flow. The optimum RPV water level is determined by the requirements of the steam separators.
The separators limit water carryover in the steam going to the turbines and limit steam carryunder in water returning to the core. The water level in the RPV is maintained within
+/-2 in. of the setpoint level. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the RPV with the steam flow from the RPV.
The feedwater flow is regulated by adjusting the speed of the turbine-driven feedwater pumps to deliver the required flow to the RPV.
7.7.1.3.3.2 Reactor Pressure Vessel Water Level Measurement Reactor pressure vessel water level is measured by two independent sensing systems. Two (2) redundant differential pressure transmitters in each system sense the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the RPV. A backfill system is installed on each reactor water level instrument reference leg in compliance with the requirements of USNRC Generic Letter 92-04 and Bulletin 93-03. The system provides a metered flow of water from the control rod drive system (CRD) to each leg to prevent the accumulation of the noncondensable gases in the reference legs and assure a high reliability of the water level indication. The backfill flow rate is low enough to not affect the performance of the instrumentation. The differential pressure transmitters are installed on lines that serve other systems (Subsection 7.6.1.2). The differential pressure signals are used for level indication and control. The amplifier transmits the level signal for indication and control. The RPV water level signals from each sensing system are indicated in the main control room. The level signal from either sensing system can be manually selected by the operator as the signal to be used for feedwater flow control.
7.7-16 REV 19 10/14 FERMI 2 UFSAR The redundant level signals in the operator selected sensing system and both level signals from the nonselected sensing system are applied to a median signal selector. The median signal is compared against the operator selected level and will automatically assume the lead level control signal if the operator selected sensing system fails. The water level for control is continuously recorded in the main control room.
7.7.1.3.3.3 Steam Flow Measurement Steam flow is sensed at each main steam line flow restrictor by differential pressure transmitter. These steam flow signals are indicated in the main control room. The signals are summed to produce a total steam flow signal for indication and feedwater flow control. The total steam flow signal is recorded in the main control room.
7.7.1.3.3.4 Feedwater Flow Measurement Feedwater flow is sensed at a flow element in each feedwater line by differential pressure transmitters. Each feedwater signal is summed to provide a total mass flow signal for the feedwater control system. The total feedwater flow signal is also recorded and integrated in the main control room. In addition, feedwater flow is sensed by an ultrasonic flow meter in each feedwater line and processed in the associated central processing unit to provide mass flows to the Integrated Plant Computer System (IPCS) for the sole purpose of the IPCS heat balance calculation and is not used for any direct control function.
7.7.1.3.3.5 Feedwater Control Signal The level control system produces the feedwater control signal through digital control logic, the master level controller and the reactor feed pump manual/automatic control stations. The signal can be controlled either manually or automatically.
The master level control and the reactor feed pump manual/automatic stations contain a setpoint meter, level indicator, and a manual output control indicator. The master manual/automatic setpoint station contains a setpoint meter, level indicator and a manual output control with an indicator. Input to the control system is derived from either the single-element signal (level only) or the three
-element signal. The three
-element signal is the summation of steam flow, feedwater flow, and the selected reactor water level. Single
-
element or three
-element level control is manually selected by the operator. When three-element level control is selected, automatic transfer to single
-element level control will occur if one of the feedwater flow signals or two of the steam flow signals should fail. Manual level control is automatically initiated if the control system cannot provide automatic level control. During automatic operation of the feedwater control system, the level control system output is proportional to the level error in the system. During manual operation, output is set and indicated at the manual/automatic setpoint station.
The level demand signal from the master control is applied to the input of two manual/automatic stations that have capabilities to add or subtract a bias signal from the master level demand, when in automatic. The bias capabilities allow independent adjustment of the speed demand signals to the turbine-driven feedwater pumps during automatic 7.7-17 REV 19 10/14 FERMI 2 UFSAR operation. During manual operation of the bias stations, the speed demand signal is manually adjusted by the operator. Selection of automatic or manual control is made by the operator at a master manual/automatic setpoint station.
Normal Automatic Operation The feedwater control system provides function block through the I/O modules to compute the three-element control signal to maintain RPV water level within a small margin of optimum water level during plant load changes. The total steam flow signal and the total feedwater flow signal are subtracted from each other to derive a flow error signal. When steam flow exceeds feedwater flow, the error signal is positive in polarity from its normal zero value. The flow error signal is multiplied by a gain factor referred to as mismatch gain. The mismatch gain determines how much level effect the flow error signal has when the error is 100 percent. The mismatch gain is used as a dynamic control system adjustment.
The flow error signal is limited for +/-20 percent multiplied by the mismatch gain. The flow error signal is then subtracted from the selected level signal to provide the three-element control signal. When feedwater flow exceeds steam flow, the error signal is negative polarity. The three-element signal is modified further by a lead/lag function before being used for level control. The control system compares this signal against the level setpoint adjusted by the operator. Following a reactor scram, the RPV water level controller setpoint is capable of being automatically lowered so that the Reactor Feed Pump Turbines do not overfill the reactor vessel. On receipt of a scram signal via a contact of an RPS auxiliary relay, the Post
-Scram Reactor Water Level Setdown Logic lowers the level controller setpoint after the time delay. A momentary actuated switch in the control room allows the operator to reset the Post-Scram Reactor Water Level Setdown Logic after the scram signal is cleared.
Optional Automatic Operation A single-element control signal (RPV water level) can be used to replace the above three
-element signal. The operator manually transfers the level controller input to the "1 element control" signal. In the event of failure of the three-element signal, the control system will automatically transfer to single element. Reactor water level is then controlled in accordance with the controller setpoint. Auxiliary Functions The level control system also provides interlocks and control functions to other systems.
When one of the reactor feed pumps is lost and coincident or subsequent low water level exists, reactor recirculation flow is reduced to within the power capabilities of the remaining reactor feed pumps. This reduction aids in avoiding a low-level scram by reducing the steaming rate.
Reactor recirculation flow is also reduced on sustained low feedwater flow to ensure that adequate net positive suction head (NPSH) is provided for the recirculation system. Interlocks from steam flow and feedwater flow are used to initiate insertion of the RWM block. An alarm on low steam flow indicates that the RWM insertion interlock setpoint is being approached. Alarms from the control system are also provided for high and low water 7.7-18 REV 19 10/14 FERMI 2 UFSAR level, reactor high pressure and failures. High reactor water level (L-8) from the nuclear boiler system trips the turbine driven feedwater pumps, see subsection 7.6.1.2.7.
7.7.1.3.3.6 Turbine-Driven Feedwater Pump Control Feedwater is delivered to the RPV through turbine-driven feedwater pumps arranged in parallel. The turbines are driven by steam from the RPV. During normal operation, the feedwater control signal from the level controller is fed to the turbine control mechanisms.
The turbine control mechanisms adjust the speed of their associated turbines so that feedwater flow is proportional to the feedwater control signal. Each turbine can be controlled by its manual/automatic transfer station. The master manual/automatic setpoint station and the manual/automatic station associated with each turbine speed controller are configured to have "bumpless transfer". The turbine-driven feedwater pump control has speed limiters to restrain maximum feedwater flow to 117 percent.
7.7.1.3.3.7 Inspection and Testing All feedwater control system components can be tested and inspected according to the manufacturers' recommendations. This can be done prior to plant operation and during scheduled shutdowns. Reactor pressure vessel water level indications from the two water level sensing systems are compared during normal operation to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals.
7.7.1.3.4 Environmental Considerations The feedwater control system is not required for safety purposes, nor is it required to operate after the DBA. This system is required to operate in the normal plant environment for power generation purposes only. The reactor feed pumps in the turbine building experience the normal design environments listed in Table 3.11-5.
7.7.1.3.5 Operational Considerations 7.7.1.3.5.1 Normal All control stations are located in the main control room where, at the operator's discretion, the feedwater control system can be operated either manually or automatically. Manual control of the individual turbine-driven feedwater pumps is available to the operator in the main control room. Manual control of the individual turbine-driven feedwater pumps is used during control of the startup level control valve. The startup level control valve is used to supply feedwater during periods of low reactor pressure and/or flow demand. The startup control system will automatically hold reactor water level to an operator selected setpoint as a single-element unmodified control system. It can also be operated manually. Subsequent to a scram, the feedwater flow demand is very low. To ensure adequate control at this low flow, the feedwater control system automatically diverts feedwater flow through the startup control valve when a scram occurs. A minimum flow recirculation line valve 7.7-19 REV 19 10/14 FERMI 2 UFSAR automatically opens to maintain flow through each feedwater pump so that the pump is protected from overheating.
7.7.1.3.5.2 Operator Information Indicators and alarms, provided to keep the operator informed of the status of the system, are discussed in Subsection 7.7.1.3.3.
7.7.1.4 Pressure Regulator and Turbine-Generator Instrumentation and Control 7.7.1.4.1 System Identification 7.7.1.4.1.1 Function Power Generation - The pressure regulator system maintains constant main turbine inlet steam pressure.
7.7.1.4.1.2 Classification The main turbine pressure regulator and bypass system is a conventional analog/hydraulic control system and is classified in Chapter 3.
7.7.1.4.2 Normal Power Sources The main turbine pressure regulator control system is supplied by two independent 120-V ac instrument buses.
7.7.1.4.3 Equipment Design 7.7.1.4.3.1
System Description
Control and supervisory equipment for the turbine generator is conventional and arranged for remote operation from the main control room. Normally, the initial pressure regulator controls steam throttle valve position to maintain constant reactor pressure. The ability of the plant to follow system load demands is accomplished by adjusting reactor power level, either by changing flow in the reactor recirculation system (manually) or moving control rods (manually). However, the turbine speed governor, which is supplied by the turbine supplier, can override the initial pressure regulator. The steam valves close when an increase in system frequency or a loss of generator load causes the speed of the turbine to increase. In the event that the reactor is delivering more steam than the admission valves pass, the excess steam is automatically and directly bypassed to the main condenser by pressure-controlled bypass valves. Figure 7.7-5 is a simplified control diagram.
7.7.1.4.3.2 Steam Pressure Control During normal plant operation, steam pressure is controlled by the turbine control valves.
These control valves are positioned in response to either the pressure regulation signal or the turbine speed-load signal as selected by a "low value gate" circuit in the BOP turbine control 7.7-20 REV 19 10/14 FERMI 2 UFSAR system. The change in steam production is sensed by the pressure regulator, which signals the turbine control valves to adjust position to accept the change in steam flow, thereby regulating steam pressure.
A main steam line resonance filter is included in the pressure regulator circuits to prevent cycling from false pressure signals. These false pressure signals could be caused by sonic resonances in the main steam lines.
7.7.1.4.3.3 Steam Bypass System The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements such as during startup (speed raising and synchronizing), sudden load reduction, and cooldown. Capacity of the system is 23.5 percent of 105 percent of nuclear steam supply system (NSSS) rated steam flow, and sudden load reductions of up to 25 percent of rated power can be accommodated without reactor scram. Normally, the bypass system valves are held closed while the pressure regulator controls the turbine control valves, directing all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the regulator controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the system pressure rise and RPS action causes shutdown of the reactor. The bypass valves are the automatically operated, regulating type. They are proportionately controlled by the NSSS pressure regulator which compares the steam pressure signal with the turbine control valve signal to bypass excess steam to the main condenser. Bypass valves and controls are designed so the valves close on loss of control system electric power or hydraulic pressure.
7.7.1.4.3.4 Turbine Speed/Load Control System The turbine control system is discussed in Chapter 10.
7.7.1.4.3.5 Turbine Generator to Reactor Protection System Interface The RPS initiates reactor scram when it is required by the particular monitored plant conditions (Section 7.2). Two such conditions are turbine stop valve closure and turbine control valve fast closure when reactor power is above 29.5 percent. The turbine stop valve closure signal is generated before the turbine stop valves have closed more than 10 percent (opened less than 90 percent). This signal originates from position switches that sense stop-valve motion away from fully open. The switches are closed when the stop valves are fully open, and the switches open within 10 msec after the setpoint is reached. The switches are electrically isolated from each other and from other turbine plant equipment. The control-valve-fast-closure signal is generated by the relay logic that initiates the fast control valve closure. Separate circuits are associated with each of the control valves. Relay contacts are closed whenever the control valves are not being closed in the fast mode, and these relay contacts open when the fast closure mode is initiated.
7.7-21 REV 19 10/14 FERMI 2 UFSAR To avoid reactor scram due to turbine stop or control valve fast closure when power is below 29.5 percent of rated power, two independent sensing lines are provided from the turbine first-stage pressure transmitter/trip units, which supply power level logic contacts to the RPS. The pressure taps are located to provide a pressure signal proportional to turbine steam flow.
The pressure taps are shared with other instrumentation sensors. All sensors have individual isolation or root valves.
7.7.1.4.3.6 Inspection and Testing Testing controls for testing the turbine valve RPS interface signal switches are provided to:
- a. Actuate each stop valve individually to the 10 percent closed point with no interaction with other valves b. Actuate one stop valve to the ten percent closure point and simulate another stop valve at the 10 percent closure point in the following combinations: valves 1 and 2; valves 1 and 3; valves 2 and 4; valves 3 and 4
- c. Actuate one control valve at a time in the fast closure mode with no interaction with other valves.
7.7.1.4.4 Environmental Considerations The pressure regulator and turbine-generator control system is not required for safety nor is it required to operate after the DBA. This system is required to operate in the normal plant environment for power generation purposes only. Instrumentation and control on the turbines that experience the turbine building normal design environment is listed in Table 3.11-1. The logic, remote control units, and instrument terminals located in the main control room experience the environment listed in Table 3.11-1.
7.7.1.4.5 Operational Considerations 7.7.1.4.5.1 Normal Two pressure control channels (A and B), operating redundantly, receive inputs from the pressure reference unit and from independent pressure transducers in the main steam lines upstream of the main steam stop valves. Main steam pressure is indicated on meters on the turbine control panel. The pressure setpoints for the pressure reference circuit are produced by tandem potentiometers driven by a common motor. The motor is controlled by use of pushbuttons on the PRESSURE SETPOINT SELECTOR section of the main control panel. Desired setpoints for Channels A and B are indicated on meters on the main control panel. Pressure setpoint adjustment is limited to a maximum of 1 psi/sec by motor speed. In the event of failure of both regulators, alarm communication is provided in the main control room.
Pushbutton operation is provided to remove the system from operation.
7.7-22 REV 19 10/14 FERMI 2 UFSAR 7.7.1.4.5.2 Operator Information Nuclear Steam Supply System Control and Display The NSSS pressure regulator has the following controls and information displayed in the main control room:
- a. Main steam pressure regulator setpoint A b. Main steam pressure regulator setpoint B
- c. Individual bypass valve position indicators d. Bypass valve test controls
- e. Pressure regulator selection control. Balance of Plant Control and Display A list of the conventional turbine-generator control and supervisory instrumentation provided for operational analysis and malfunction diagnosis is described in Section 10.2.
7.7.1.5 Gaseous Radwaste System Instrumentation and Control 7.7.1.5.1 System Identification 7.7.1.5.1.1 Function The objective of the gaseous radwaste system is to process and control the release of gaseous radioactive wastes to the site environs so that the total radiation exposure to persons outside the controlled area is as low as practicable, and does not exceed applicable regulations.
7.7.1.5.1.2 Classification This system is required for power generation only.
7.7.1.5.2 Power Sources The 120-V ac instrument bus normally provides power for the gaseous radwaste system instrumentation.
7.7.1.5.3 Equipment Design 7.7.1.5.3.1 General The radiation levels at the offgas delay pipe and at the discharge of the offgas system are
continuously monitored by detectors described in Section 11.4. This system is also monitored by flow and temperature instrumentation and by a hydrogen analyzer to ensure correct operation and control and to ensure that hydrogen concentration is maintained below the flammable limit. Table 7.7-2 lists process instruments that cause alarms and whether or not they are indicated or recorded in the main control room.
7.7-23 REV 19 10/14 FERMI 2 UFSAR 7.7.1.5.3.2 Catalytic Recombiner Instrumentation The catalytic recombiner vessel temperatures are monitored by thermocouples and are then recorded. High or low temperature is annunciated in the main control room. The standby recombiner is temperature controlled, maintained, monitored, and recorded. Any low temperature is annunciated in the main control room. Inlet process gas is monitored for pressure and temperature. If abnormal measurements are obtained, they are annunciated in the main control room.
7.7.1.5.3.3 Offgas Condenser Condensate Level Control The offgas condenser condensate level is maintained at a given level within the condenser shell. A level control system is used to provide drainage of condensate from the condenser shell. High level is annunciated in the main control room.
7.7.1.5.3.4 Offgas System Flow Measurements Offgas system flow measurements are made between the charcoal adsorbers and the absolute filter downstream of the ring water buffer tanks before discharge into the reactor building ventilation stack.
7.7.1.5.3.5 Hydrogen Analyzer Measurement System One hydrogen analyzer is used to measure the hydrogen content of the offgas process stream in the delay pipe. The hydrogen concentration percentage output from the analyzer is indicated and recorded in the main control room along with alarm annunciation for high hydrogen concentration percentage in the offgas process stream.
The hydrogen analyzer system continuously withdraws a sample of the process offgas, analyzes the hydrogen content, and returns the sample gas to the delay pipe. A loss of ac
power to the analyzer system stops the analyzer.
7.7.1.5.3.6 Charcoal Vessel and Vault Temperature and Flow Monitoring and Control Each charcoal vessel is temperature monitored. High vessel temperature is alarmed and annunciated at 100F in the main control room. The charcoal vessel vault is also temperature monitored and recorded in the main control room along with high temperature alarm and annunciation. Three refrigeration units maintain the vault at a nominal temperature of 70 F. The charcoal vessel train is flow monitored at the outlet and is indicated and recorded in the main control room along with highflow alarm and annunciation.
7.7.1.5.3.7 Differential Pressure Measurements Differential pressure measurements are made across the precoolers, the sandfilter, the chillers, the charcoal vessel train, and the absolute filters. High differential pressure is annunciated in the main control room.
7.7-24 REV 19 10/14 FERMI 2 UFSAR 7.7.1.5.4 Environmental Considerations The offgas control system is not required for safety purposes, nor is it required to operate after the DBA. The offgas control systems are required to operate in the normal plant environment for power generation purposes only. Radwaste instrumentation and controls located in the offgas equipment area are subject to the environment under design conditions listed in Table 3.11-5. The control circuitry, remote control units, and instrument terminals in the main control room experience the normal design environment also listed in Table 3.11-5.
7.7.1.5.5 Operational Considerations 7.7.1.5.5.1 General No operator action is required on the equipment described unless an alarmed condition occurs. The offgas trip signal is taken from the relay room panel H11-P913. Employing contact-to-coil separation prevents HWC System operation from affecting the Offgas system. Operator indicators and alarms are described in Subsection 7.7.1.5.3.
7.7.1.5.5.2 Setpoints Hydrogen Analyzer A hydrogen level of ~1.5 percent alarms and annunciates in the main control room. Flow A high flow of approximately 70 scfm alarms and annunciates in the main control room.
7.7.1.6 Liquid Radwaste System Instrumentation and Control 7.7.1.6.1 System Identification 7.7.1.6.1.1 Function The objective of the liquid radwaste system is to control the release of liquid radioactive waste material to the environs and to package these wastes in suitable containers for offsite shipment and burial.
7.7.1.6.1.2 Classification Since this system is required for power generation only, it does not include any Quality Class 1 or Category I components with the exception of the drywell drain isolation valve controls.
The closure of these valves is necessary for sealing the primary containment under postulated accident conditions. The initiating signal is from the containment and reactor isolation control system (Subsection 7.3.2.2).
7.7-25 REV 19 10/14 FERMI 2 UFSAR 7.7.1.6.2 Power Sources The 120-V ac instrument power is used for the liquid radwaste system.
7.7.1.6.3 Equipment Design 7.7.1.6.3.1 General The liquid radwaste system is designed to process liquid waste water to remove particulates, impurities, and other materials, and to return the processed water for plant usage. The resulting solid wastes are then packaged in suitable containers for offsite burial. Only those portions of the liquid radwaste system related to safety are described herein.
7.7.1.6.3.2 Instrumentation and Control The radiation levels of the waste materials packaged for burial are monitored by plant personnel and are not part of this control system. Wastewater is collected in various sumps throughout the plant and is pumped into the radwaste collection tanks where it is processed.
Excess processed liquids that are discharged from the plant are radiation monitored, flow controlled, and recorded. The instrumentation and control system of the radwaste process is typical of a standard chemical and water treatment process. Tank levels are indicated and recorded in the radwaste control room and high tank levels are annunciated in the radwaste control room. Radiation from the liquid releases is monitored and recorded with high and low/inoperative alarms in the radwaste control room and alarms only in the main control room.
7.7.1.6.3.3 Drywell Sumps Control There are two sumps within the containment that collect waste water which is pumped out to the liquid radwaste system collector tanks. Each sump is equipped with two pumps that automatically start and stop on high and low sump levels, respectively. The pumps are alternately started on each high level signal. Each pump is equipped with a separate float switch in a separate float well and is electrically connected to provide level backup for the other pump if one float device should fail. A high-high level is provided by each float switch which will start both pumps and annunciate an alarm in the main control room. The liquid discharge lines to the radwaste collector tanks are provided with two isolation valves. When either isolation valve is closed, the sump pumps are interlocked to prevent their operation. The sumps are automatically isolated on high drywell pressure or low reactor water level (L3). 7.7.1.6.3.4 Reactor and Turbine Building Sumps These sumps collect waste water from their respective areas and automatically pump out the sumps on level control. These are not safety systems. An alarm and annunciation in the radwaste control room will occur on a high-high sump level to allow the operator to take corrective action. 7.7-26 REV 19 10/14 FERMI 2 UFSAR 7.7.1.6.3.5 Tank Level and Process Control All tanks containing waste liquids throughout the radwaste liquid processing system are provided with liquid level indicators or recorders and alarms, and annunciators in the radwaste control room for high liquid level to inform the operator that corrective action is to be taken. The process control is by an operator from the radwaste control room panel. The control system is designed for manual startup and automatic stop when a process is completed (i.e., tank liquid contents have been emptied to next process). Since this is a batch system, the operator has full control and responsibility for the system control process. The Side Stream Liquid Radwaste Processing System (SSLRPS) operation is controlled from the local control panel in the Radwaste Building Basement. Tank liquid level indicators, recorders and alarms are provided in the local control panel. Radwaste Control Room is provided with a trouble indicating alarm, as a backup, to alert the Radwaste Control Room Operators when the system operation drifts from the normal range.
7.7.1.6.4 Environmental Considerations The radwaste control systems are not required for safety purposes, nor are they required to operate after the DBA. The radwaste control systems are required to operate in the normal plant environment for power generation purposes only. This environment is listed in Table 3.11-1.
7.7.1.6.5 Operational Considerations 7.7.1.6.5.1 General The operator is in full control of the process system batches. Indicators and recorders are provided for all liquid tanks to inform the operator of the status of the system. Alarms and annunciation are provided to inform the operator either that a tank must be emptied or processed, or that a particular piece of equipment has malfunctioned so that corrective action may be taken.
7.7.1.6.5.2 Setpoints All tank levels are set to alarm and annunciate in a timely manner in order to avoid overflow.
This allows sufficient time for the operator to take corrective action in the process control.
7.7.2 Analysis 7.7.2.1 General This subsection demonstrates that the protection systems are capable of coping with all failure modes of the control system.
7.7.2.2 Reactor Manual Control System Instrumentation and Control 7.7-27 REV 19 10/14 FERMI 2 UFSAR 7.7.2.2.1 Conformance To General Functional Requirements The circuitry used in the RMCS is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. The scram circuitry is discussed in Section 7.2. Because each control rod is controlled as an individual unit, a failure that results in the energizing of any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. Therefore, no single failure in the RMCS can result in the prevention of a reactor scram. Repair, adjustment, or maintenance of RMCS components does not affect the scram circuitry.
The RMCS is an operational system used for regulating power level and power distribution.
This system is self-monitoring with the automatic rod blocks, operator annunciators, and operating status lights (such as the rod position indicators) as part of the system design. The rod blocks are an internal subsystem of this nonsafety system. As such they are designed to be single- failure-proof, but are not designed to stringent safety standards. The RMCS receives rod block signals from the NMS to prevent improper rod motion that could result in reactor scram. Common LPRM, IRM, and SRM detectors are used, but the signal is physically and electrically isolated before use in the RMCS. This isolation is achieved through two separate relay trip units that prevent any feedback from the RMCS to the RPS. Subsections 7.6.l and 7.6.2 describe this interface. The performance of the RMCS is monitored by the RPS. If a variable, such as the neutron flux, which is controlled by the RMCS, exceeds specific limits, the RPS takes independent action to cause reactor shutdown. It is thus seen that the RMCS is not required for safety nor for reactor shutdown, but only for changing plant power. Accident analyses in Chapter l5 show that failures in the RMCS, such as continuous withdrawal of a control rod, do not result in any fuel damage. No fuel damage results from any single operator error or single equipment malfunction.
7.7.2.2.2 Conformance To Specific Regulatory Requirements The RMCS meets the requirements of GDC 24 of l0 CFR 50, Appendix A. No part of the RMCS is required for scram. The rod block functions provided by the NMS and the scram discharge volume high water level trip bypass signal interlocks are the only instances where the RMCS uses any instruments or devices used by the RPS. This includes relay contacts to the reactor mode switch and the scram discharge volume high level bypass switch. The rod block signals received from the NMS prevent improper rod motion before limits causing reactor scram are reached. Common LPRM, IRM, and SRM detectors are used, but physically and electrically separate trip signals are supplied to the RMCS and RPS systems. A description of this interface is contained in Subsections 7.6.l and 7.6.2. The scram discharge volume high water level trip bypass signal interlocks with the RMCS to initiate a rod block. The interlock is performed using isolating relay contacts so that no failure in the control system can prevent a scram.
7.7-28 REV 19 10/14 FERMI 2 UFSAR 7.7.2.3 Recirculating Flow Control System Instrumentation and Control 7.7.2.3.1 Conformance To General Functional Requirements The RFCS is designed so that coupling is maintained between a motor-generator set drive motor and its generator even if the ac power or a speed controller signal fails. This ensures that the drive motor inertia contributes to power supplied to the recirculation pump during the coastdown of the motor-generator set after loss of ac power, and also ensures that the generator continues to be driven if the speed controller signal is lost. Transient analyses described in Chapter l5 show that no malfunction in the RFCS can cause a transient sufficient to either damage the fuel barrier or exceed the nuclear system pressure limits as required by the safety design basis.
7.7.2.3.2 Conformance To Specific Regulatory Requirements Except for the recirculation pump trip function, there are no specific regulatory requirements for the RFCS. The RFCS is not a safety-related system and is not required for safe shutdown of the plant, nor is it required during or after accident conditions. The recirculation pump trip function meets the requirements of IEEE 323-1974 and IEEE 344-1975.
7.7.2.4 Feedwater Control System (Turbine-Driven Pumps) Instrumentation and Control 7.7.2.4.1 Conformance To General Functional Requirements The feedwater is a power generation system for the purposes of maintaining proper RPV water level. Should the RPV water level rise too high, the feedwater pumps and plant main turbine would be tripped. This is an equipment protective action which would result in reactor shutdown by the RPS as outlined in Section 7.2. Lowering of the RPV water level would also result in action of the RPS to shut down the reactor. Further decrease would actuate the emergency core cooling system (ECCS). Loss of feedwater is analyzed in Chapter 15.
7.7.2.4.2 Conformance To Specific Regulatory Requirements The feedwater control system is not a safety-related system and is not required for safe shutdown of the plant, nor is it required during or after accident conditions. The Feedwater Control System Contains QA Level 1 transmitters classified as NUREG-0588 Category 2B (mechanical) for pressure boundary integrity and Category 2C (electrical).
There is no interface with safety
-related systems, with the exception of the Reactor Protection System which provides a Post Scram Signal to the Feedwater Control System.
7.7.2.5 Pressure Regulator and Turbine-Generator Instrumentation and Control 7.7-29 REV 19 10/14 FERMI 2 UFSAR 7.7.2.5.1 Conformance To General Functional Requirements The pressure regulator and turbine-generator instrumentation and control is designed to maintain constant reactor pressure, to follow system load demand fluctuations, and to control turbine speed. Excessive reactor pressure swings caused by failure of this system would be dealt with by the RPS (Section 7.2) and/or the safety/relief valves.
7.7.2.5.2 Conformance To Specific Regulatory Requirements The pressure regulator and turbine-generator instrumentation and control is neither safety
-related nor required for the safe shutdown of the plant. It is also not required during or after accident conditions.
7.7.2.6 Gaseous Radwaste System Instrumentation and Control 7.7.2.6.1 Conformance To General Functional Requirements The objectives of the gaseous radwaste system instrumentation and control are to indicate and alarm the level of radioactivity within offgas process lines, to provide a record of all radioactive plant site releases, and to initiate appropriate action that would prevent the release of radioactive materials to the environs that exceed the operational limits established in 10 CFR 20 and Regulatory Guide 1.21. The flow recorder is provided to keep a record of all discharge volumes. The flow measurements and recording accuracies are within 5 percent of indication for the flows measured. 7.7.2.6.2 Conformance To Specific Regulatory Requirements The gaseous radwaste system instrumentation and control is neither safety
-related nor required for the safe shutdown of the plant. It is not required to operate after a DBA. The gaseous radwaste system instrumentation and control is required to operate in the normal plant environment for power generation purposes only.
7.7.2.7 Liquid Radwaste System Instrumentation and Control 7.7.2.7.1 Conformance To General Functional Requirements The liquid radwaste effluent for discharge to the circulating water blowdown is flow controlled and monitored for activity level. The discharge flow shutoff valve is operated by a keylock switch that requires plant supervisory control of any releases. The flow is recorded in the radwaste control room. The packaged wastes are stored in the plant in a storage area set aside for this purpose. The radioactivity and quantity is the responsibility of plant supervisory personnel. This complies with Regulatory Guide 1.21, Revision 0.
7.7-30 REV 19 10/14 FERMI 2 UFSAR 7.7.2.7.2 Conformance To Specific Regulatory Requirements Section 11.2 discusses the conformance of the liquid radwaste system to specific regulatory requirements.
7.7-31 REV 19 10/14 FERMI 2 UFSAR Page 1 of 3 REV 16 10/09 TABLE 7.7-1 REACTOR MANUAL CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Measured Variable Instrument Type Instrument Range Trip Accuracy d SettingDrive water header pressure a Pressure indicator 0 to 2000 psig +/-1/2 percent full scale
- Drive water pump discharge pressure Pressure indicator 0 to 2000 psig +/-1/2 percent full scale
- Drive water pump suction pressure Pressure indicator 30 in. Hg to 60 psig +/-1.5 percent full scale
- Drive water filter differential pressure Differential pressure switch (indicating) 0 to 75 psig +/-1/2 percent full scale 25 psid, increasing Cooling water header pressure Pressure indicator 0 to 2000 psig +/-1/2 percent full scale
- Exhaust water header pressure Pressure indicator 0 to 2000 psig +/-1/2 percent full scale
- Charging water accumulator header pressure Pressure indicator 0 to 2000 psig +/-1/2 percent full scale
- Charging water header pressure Pressure indicator 0 to 1800 psig +/-1 percent full scale - Drive water pump suction Pressure Pressure switch 30 in. Hg to 10 psig +/-1 percent full scale 25 in. Hg, decreasing Drive water system flow rate Flow indicator 0 to 100 gpm +/-1 percent full scale
- Drive water header flow rate Flow indicator 0 to 8 gpm +/-2 percent full scale
- Cooling water header flow rate Flow indicator 0 to 80 gpm +/-2 percent full scale
- Stabilizing flow rate Flow indicator 0 to 8 gpm +/-0. 5 percent full scale
-
FERMI 2 UFSAR Page 2 of 3 REV 16 10/09 TABLE 7.7-1 REACTOR MANUAL CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Measured Variable Instrument Type Instrument Range Trip Accuracy d SettingControl rod drive Temperature a Temperature switch and monitor 0 to 500°F +/-1 percent full scale 250°F Control rod position (normal range) Reed switches Full in to full out every 3 in.
NA b - Control rod drive overtravel (withdraw direction)
Reed switches NA NA 2 in. beyond full out position Insert bus time energized (for rod insertion)
Timer - - 2.8 sec Insert bus time energized (for rod withdrawal)
Timer - - 0.62 sec Withdraw bus time energized (for rod withdrawal) Timer - - 1.5 sec Settle bus time energized (for rod insertion)
Timer - - 4.4 sec Settle bus time energized (for rod withdrawal)
Timer - - 5.8 sec Rod block scram discharge volume high water level Level switch
+/-3 in.
25 g al c Rod block neutron monitoring system trip channels Section 7.1.2.1.4, Neutron Monitoring System Rod block rod worth minimizer Subsection 7.6.1.20, Rod Worth Minimizer System Rod block flow upscale Section 7.1.2.1.4, Neutron Monitoring System
FERMI 2 UFSAR Page 3 of 3 REV 16 10/09 TABLE 7.7-1 REACTOR MANUAL CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Measured Variable Instrument Type Instrument Range Trip Accuracy d Setting a Nominal setting - see Technical Specifications for setpoint and allowable values.
a b NA = not applicable.
c For 1/2 total instrument volume.
d The instrument accuracy information provided in the UFSAR tables is a bounding value.
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.7-2 PROCESS INSTRUMENT ALARMS OFFGAS SYSTEM Main Control Room Parameter Indicated Preheater discharge temperature - low Recorded X Recombiner catalyst temperature - high/low X Offgas condenser drain well level
- high X Offgas condenser gas discharge temperature - high X H 2 analyzer - high X Precooler temperature
- high X Chiller pressure a - high X Charcoal bed temperature
- high X Absolute filter pressure a - high X Delay pipe pressure - high X Sandfilter pressure aX - high Offgas system flow - high X a Differential pressure.
FERMI 2 UFSAR 7.8 EMERGENCY RESPONSE FACILITIES
7.8.1 Introduction
Edison has a technical support center (TSC), an operational support center (OSC), and an emergency operations facility (EOF) onsite; an alternative EOF is located offsite. The TSC is located in the office building annex. The OSC is located in the turbine building on the third floor close to the main control room. An alternative OSC is located in the machine shop. The EOF is located in the basement of the nuclear operations center approximately 6000 ft southwest of the reactor building outside the protected area. The alternative EOF is located at the Detroit Edison Western Wayne Center, 22 miles northwest of the Fermi 2 site. See Figure 7.8
-1 for the location of the facilities within the owner controlled area.
7.8.2 Technical Support Center 7.8.2.1 General The TSC has been established to provide the capability to display and transmit plant status information to individuals knowledgeable and responsible for engineering and management support of reactor operations in the event of an emergency condition. The TSC building i s sited inside the protected area to lessen the time needed by personnel working in the plant to reach the building during an emergency condition. Other key factors considered in the selection of the TSC location included (1) the time needed by personnel working in the control room, in other plant areas, and at offsite locations to reach the TSC; (2) the availability of shielding to minimize exposure to direct radiation from the primary containment for personnel traveling to the TSC from the control room and other plant areas; and (3) the radiation protection (shielding) provided by existing plant structures to personnel arriving from offsite locations. The site chosen for the TSC also supports the efficient routine staffing of the building by plant operations and support groups who will provide added assurance that the systems and equipment necessary for TSC functioning will be maintained in a state of readiness.
The TSC is the emergency operations work area for designated Edison technical, engineering, and management personnel; other Edison personnel required to provide any needed technical support; and a small staff of NRC personnel. The TSC personnel will provide guidance and technical support for the Shift Manager in the control room. However, all control operations will be performed by licensed operators.
7.8.2.2 Design Basis Information on plant status is provided to the TSC for use by technical and management personnel in support of command and control functions executed from the control room. The TSC does not affect the reliability or availability of the power plant and its safety systems.
The design bases for the TSC are as follows:
- a. Function. The onsite TSC will have the following functions:
7.8-1 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- 1. Provide plant management and technical support to plant operations personnel during emergency conditions
- 2. Relieve the reactor operators of peripheral duties and communications not directly related to reactor system manipulations
- 3. Prevent congestion in the control room
- b. Activation time. The TSC is activated according to the RERP Plan and is made functional within prescribed times
- c. Information availability. The TSC is equipped with Integrated Plant Computer System (IPCS) displays that provide information on plant status to support control room operations and emergency management. The IPCS also provides sufficient data for the assessment of offsite radiological and meteorological conditions. See Subsection 7.6.1.9.1.2
.5. d. Communications. The TSC is provided with the capability to communicate with all emergency facilities and locations to implement the Radiological Emergency Response Preparedness Plan
- e. Habitability. The TSC is habitable during postulated radiological emergencies to the same degree as the main control room. Special shielding and heating, ventilation, and air conditioning (HVAC) systems are provided to minimize personal exposure and to ensure that NRC limits for whole
-body exposure and airborne concentrations are satisfied
- f. Size and layout. Adequate space is provided for proper functioning of the TSC emergency organization. Adequate space is also provided for equipment necessary for operation of the TSC. (See Figure 7.8
-2) g. Security. Normal plant security measures are maintained during the activation of the TSC
- h. Access. The TSC is readily accessible to members of the TSC emergency organization arriving from both onsite and offsite locations. The exposure of personnel manning the TSC to potential direct radiation from the primary containment has been minimized by the selection of an appropriate TSC site and of appropriate access routes to the TSC
- i. Fire protection. The TSC construction minimizes the use of combustible materials. Appropriate portable and permanent fire
-extinguishing equipment is provided for the TSC and for the HVAC system. Fire
-detection instrumentation is provided for automatic shutdown of the building's HVAC system j. Record storage. Adequate space is provided within the TSC for permanent storage of records, diagrams, and design drawings that are considered necessary to support the functioning of the TSC during emergency conditions 7.8-2 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- k. Protection against natural phenomena. The TSC is sited and constructed to withstand the maximum postulated 100
-year winds and 100
-year floods.
7.8.2.3 Codes and Standards The TSC building is designed and constructed according to the following codes and standards:
- a. ACI-318 American Concrete Institute, Building Code Requirements for Reinforced Concrete
- b. AISC-1978 - American Institute of Steel Construction, Specification for the Design Fabrication and Erection of Structural Steel for Buildings
- c. ANSI A58.1 American National Standards Institute, Building Cod e Requirements for Minimum Design Loads in Buildings and Other Structures, with 1. Seismic Loadings conforming to Uniform Building Code (UBC) requirements for Zone 1
- 2. Wind loads based on 100
-year mean recurrence intervals for exposure type C. d. UBC Michigan Uniform Building Code, Seismic Zone 1
- e. ACI-531 American Concrete Institute, Building Code Requirements for Concrete Masonry Structures.
The TSC is not classified as a nuclear safety
-related facility. Its mechanical and electrical design bases are as follows:
- a. Mechanical systems: Quality Group D (includes mechanical system supports) design governed by the codes listed in Tables 7.8
-1 and 7.8-2 b. Electrical systems: Non
-Class 1E. 7.8.2.4 Description The TSC is located within the protected area of the Fermi 2 site, approximately 3
-1/2 minutes walking time from the control room, as shown in Figure 7.8
-3. It is located on the ground floor of the two
-story office building annex, partially steel framed, with a 12-in.-thick reinforced
-concrete ceiling slab on metal decking. The exterior walls, including labyrinths, are 12-in.- thick reinforced hollow
-core concrete block filled with grout. The foundation incorporates spread footing under columns and strip footing under concrete block walls. There is a forced
-air supply system, but no forced
-air exhaust system; therefore, under normal operating conditions, the TSC will be under slight positive pressure with all entrance doors closed.
The site for the TSC was chosen to optimize the trade
-off between travel time from the control room to the TSC and the radiation exposure of personnel enroute from onsite and offsite locations to the TSC. The Fermi 2 plant design was essentially completed at the time of TSC site selection, with the location of the primary containment and control room on the 7.8-3 REV 1 9 1 0/1 4 FERMI 2 UFSAR northwest side of the plant, as shown in Figure 7.8
-3. To satisfy the NRC guidelines for a 2
-minute transit time from the control room to the TSC, it would have been necessary to locate the TSC to the north or west of the plant, which would increase the exposure of personnel traveling to the facility to radiation from the primary containment. Because the TSC could be activated at any time of day, the final site was selected so that members of the TSC emergency organization have access to the TSC from several locations, including the control room, offsite locations, and the plant supervisory offices located in the office building annex. The structures adjacent to the site offer the advantage of maximum shielding to the TSC and its access routes, thus providing acceptable, safe travel time from the control room, should this route have to be traveled.
The TSC, as shown in Figure 7.8
-2, covers about 5000 ft
- 2. Approximately 2075 ft 2 of this area is devoted to occupancy by TSC personnel. The remaining space consists of rooms for records storage, toilets, HVAC equipment, telephone and communications equipment, and electrical equipment. Status boards and marking boards are conveniently located within the monitor room. Telephone jacks and electrical outlets are in the computer floor.
The NRC has defined four emergency action levels (see Subsection 7.8.2.13) to categorize the severity of various operational emergencies. Additional guidance is published in NUREG-0654, Appendix 1 (Reference 1). The TSC will be activated for events at or beyond the "alert" level. Upon activation, the TSC will be placed in operation after occupancy by a specified number and type of personnel (staffing of the TSC is described in the Fermi 2 Radiological Emergency Response Preparedness Plan) and after TSC communication, monitoring, and occupancy support systems have been energized.
7.8.2.5 Habitability The TSC occupants are protected from radiological hazards, including exposure to direct radiation and airborne contaminants. Specific design features and administrative procedures ensure that the radiation dose received by TSC personnel does not exceed the limits and guidelines of General Design Criterion (GDC) 19 of 10 CFR 50, and NRC Standard Review Plan, Section 6.4 (Reference 2).
The contributions of several radiation sources are considered in calculating the dose equivalent to TSC personnel. Radiation exposure may derive from immersion in or inhalation of radio
-activity in the TSC atmosphere as well as direct shine from sources outside the TSC shield envelope (e.g., reactor building, standby gas treatment system [SGTS]
exhaust plume, TSC makeup filters). Shielding is used to reduce the dose equivalent from any single external source to a negligible level; that is, less than one
-tenth of the allowable dose equivalent. The radiation shield design takes into account all shield penetrations, as well as potential radiation sources within the habitable area.
The HVAC system has been designed to facilitate the occupation of all necessary personnel for winter and summer environmental and radiological accident conditions. It is designed to maintain a habitable environment of the same quality as the control room, even though it is not rated safety related, seismic, or redundant. The HVAC system is capable of the following:
- a. Maintaining room temperature by removing all heat released by equipment, lights, occupants, and thermal transmission 7.8-4 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- b. Maintaining room temperature by replacing all heat loss due to thermal transmission, with no credit for lighting, occupants, or equipment
- c. Limiting the thyroid radioiodine dose received by personnel inside the TSC
- d. Introducing outside air into the TSC envelope will result in a slight positive pressure with respect to the outdoors.
Simplified process flow diagrams for the TSC HVAC system are provided as Figures 7.8
-5, 7.8-6, and 7.8
-7. The HVAC equipment consists of the following:
- a. Air-handling unit:
a three-zone, multizone air
-handling unit with an air delivery of 5500 cfm. The unit is equipped with a direct
-expansion cooling coil with a cooling capacity of 15 tons. Pressure
-equalizing baffles are provided in the hot deck, as each zone shall have its own electric heating coil
- b. Supply air filter: bag filters that are 80 to 85 percent efficient. The filter
-element efficiency is based on the National Bureau of Standards' dust spot test
- c. Purge fan: a ceiling
-mounted, vane
-axial, 4900
-cfm purge fan d. Steam generator: a self
-contained, all
-electric steam generator. The unit is capable of generating 20 lb/hr of steam for humidification
- e. Steam humidifiers: Each zone is provided with a steam humidifier. The steam for humidification is provided from the steam generator
- f. Air-cooled condensing unit: a floor
-mounted, air
-cooled condensing unit with a cooling capacity of 15 tons
- g. Electric heating coils: Duct
-mounted heating coils for each zone are provided and are rated for their respective zones
- h. Toilet room exhaust fan: an air
-line, duct
-mounted exhaust fan with a 400
-cfm capacity i. HVAC and electric equipment room air
-handling unit: This unit has a capacity of 3600 cfm
- j. Duct-mounted electric heating coils and unit heaters are also provided for HVAC and electric equipment rooms.
The HVAC system for the TSC has an emergency makeup air system to filter a combination of outside makeup air and recirculation air for pressurization and to maintain the TSC dose within allowable limits. The emergency makeup air system consists of the following components:
- a. Prefilters capable of no less than 85 percent filtration efficiency based on the ASHRAE dust spot test
- b. A single-stage electric heating coil, capable of raising the air temperature and reducing the relative humidity of the airstream to 70 percent, or less, for the worst inlet condition
- c. High-efficiency particulate air (HEPA) filters capable of removing 99.97 percent of particulate matter 0.3 m and larger in size based on a hot dioctyl 7.8-5 REV 1 9 1 0/1 4 FERMI 2 UFSAR phthalate (DOP) test. The HEPA filters are provided upstream and downstream of the charcoal adsorber. The HEPA filters need not be tested as specified in Regulatory Guide 1.52 and need not meet the quality assurance requirements of
- d. Two charcoal adsorbers (total charcoal thickness of 4 in.) that are capable of removing radioactive and nonradioactive forms of iodine are provided. The charcoal adsorbers are of the drawer type, filled with impregnated coconut shell where the depth of charcoal is 2 in. These adsorbers together have the iodine removal efficiency of not less than 99 percent. The charcoal adsorbers meet the requirements of Regulatory Guide 1.52, and of Table 7.8
-3 e. A belt-driven centrifugal fan located upstream of the filter unit is provided to maintain the filter unit at a positive pressure
- f. Each charcoal adsorber bank is provided with a two
-stage continuous thermistor located across the discharge air path from each adsorber
- g. Each charcoal adsorber bank includes a fire protection system for extinguishing a charcoal fire
- h. The makeup air unit is provided with instrumentation as required in Table 4.2 of ANSI N509
- i. The makeup air unit is provided with drain connections for each compartment
of the housing, which are piped to the side of the unit, valved, and drain to the sanitary sewer.
The filter train for the emergency makeup air system is designed to remove radioactive particulates and absorb radioactive iodine. Circulated air consists of a mixture of recirculated air and sufficient outside air to maintain the TSC at a positive pressure of 1/8-in. water gage. TSC doses will be maintained within allowable limits provided the introduction of outside air does not exceed 1000 cfm.
An area radiation monitor is provided to continuously measure and indicate the general area radiation levels in the TSC. Friskers are available at the entrance to the TSC to provide radiological access control of persons entering the TSC. The TSC has provisions for monitoring iodine by using specific cartridges that can detect iodine levels as low as 1 x 10
-7 Ci/cm 3. The TSC radiation monitoring equipment is calibrated according to Health Physics procedures and to manufacturers' recommendations.
Sufficient protective clothing is stored in the TSC for personnel. If additional clothing is required, it is available from various designated locations in the plant.
Stationery supplies and duplicating equipment are also available in the TSC.
7.8.2.6 Staffing Staffing of the TSC is described in the Fermi 2 Radiological Emergency Response Preparedness Plan. The TSC emergency organization is activated for conditions involving an alert, site area emergency, and general emergency.
7.8-6 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.8.2.7 Communicati ons The communications system is discussed in detail in the Radiological Emergency Response Preparedness Plan.
The plant intercom (HiCom) system used for general plant operations also has extensions in the TSC and other site emergency facilities. There is a public address system within the TSC for general announcements to all TSC personnel.
The communications systems have been tested and their performance evaluated during practice drills and a full
-scale exercise. The systems have been found satisfactory for implementing the emergency plan.
7.8.2.8 Instrumentation and Power Supplies Electric power is furnished to the TSC via two independent non
-Class 1E 480
-V ac feeders derived from separate offsite sources, each sized to carry the entire TSC load. The feeders are connected to the TSC power distribution system through an automatic transfer switch. On complete loss of offsite power, combustion turbine generators (not associated with the emergency diesel generators) located at the site are capable of providing power. Since the TSC is powered from non
-Class 1E sources, TSC loads or faults in the TSC power distribution system will not affect the plant's safety
-related power distribution system.
The TSC power distribution system consists of a single motor control center that provides power to the HVAC equipment, lighting and instrumentation power supply transformers, and other TSC auxiliary loads, such as copying machines and microfilm viewers. A separate instrumentation power supply transformer protects the solid
-state TSC IPCS data display equipment from power
-line disturbances.
Lighting for the TSC consists of recessed fluorescent ceiling fixtures. Emergency battery
-pack lighting is also furnished.
7.8.2.9 Information Systems The TSC data display system, documentation, plant drawings, control room records, plant chemistry data, plant historical data, analytical data, verbal and recorded information provided by plant operations personnel, radiological assessment and other analyses available from offsite sources, and data provided by the radiological monitoring teams enable the TSC staff to determine the following:
- a. The plant status and dynamics before and during the accident
- b. The performance of accident mitigation functions
- c. The nature and trend of the accident
- d. The damage to the plant and equipment
- e. The status of the operation (including personnel activity in the plant)
- f. The amount of radioactive release to the environment
- g. The prevailing meteorological conditions 7.8-7 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- h. The radiation and radioactivity level of the environs
- i. The offsite dose assessment.
A computer-based data handling system, IPCS (see Subsection 7.6.1.9.1), is provided to supply emergency response information for display in the TSC. The IPCS is of high quality and reliability, and is non
-Class 1E and nonseismic.
The IPCS displays emergency response information in the control room, TSC, and EOF. Recording, trending, and time
-history plotting capabilities are provided within the system. In the event of a complete loss of offsite power, data will be retained by the IPCS during the outage for display once TSC power is restored.
Six workstations for data display are located in the TSC.
7.8.2.10 Records Storage A file of copies of the following documents is maintained for use in the TSC:
- a. General arrangements
- b. Process and instrumentation diagrams
- c. Piping drawings
- d. Logic diagrams
- e. Electrical schematics
- f. Operating procedures
- g. Emergency procedures
- h. Technical Specifications
- i. Master instrument lists (retrieval by computer)
- k. Plant operating records
- l. Radiological Emergency Response Preparedness Plan and its implementing procedures
- m. Radiation exposure histories (retrieval by computer)
- n. Other documents sufficient to diagnose potential plant operating problems at the system level. Other plant documents, or copies, are available for use by the TSC as needed during the course of an emergency. Such documents include those normally stored in other locations at the plant site, such as in the technical staff offices or in the records storage center next to the TSC. A conventional office copy machine and microfilm viewing and copying devices are located in the TSC for the purpose of copying documents likely to be used during an emergency.
7.8-8 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.8.2.11 Fire Protection The TSC is constructed using the following noncombustible materials:
- a. Exterior: reinforced concrete block walls, reinforced concrete roof, and hollow metal doors. Exposed structural steel has been fireproofed
- b. Interior: stud drywall
-type partitions and suspended acoustical ceiling. All floor areas except the electrical equipment room, the HVAC room, and the monitor and rest rooms are carpeted. The monitor area has a computer floor with vinyl asbestos tile.
The following fire
-protection equipment is provided: a. Portable carbon dioxide units
- b. A water deluge system for the charcoal filters in the emergency makeup filter unit c. Smoke detectors in the fresh air intake and in the return
-air duct of the TSC HVAC system.
7.8.2.12 Evaluation Edison has provided for a TSC separate from but near the control room. The location in the office building annex ensures operating personnel familiarity with the facility. The TSC has the capability to display and transmit plant status to individuals knowledgeable of and responsible for engineering and management support of plant operations in the event of an accident. The overall data handling system is the IPCS. The emergency response capability of the IPCS includes measurements that permit assessment of reactivity control, reactor core cooling, reactor coolant system integrity, containment integrity, meteorology, and dose assessment. The IPCS incorporates features and recommendations from NUREG
-0696 (Reference 3).
Upon activation, the TSC will provide the initial main communications link between the plant, the OSC, the NRC, and the offsite emergency response organizations until the EOF is available. The TSC will be habitable to the same degree as the control room during postulated accident conditions in accordance with the requirements of NUREG
-0578 (Reference 4).
Records pertaining to as
-built conditions and layout of structures, systems, and components are available to personnel in the TSC.
In summary, the TSC provides the integrated emergency response capability required by the NRC. 7.8.2.13 Emergency Action Levels
- a. Notification of unusual event: Events are in process or have occurred that indicate a potential degradation of the level of the safety of the plant 7.8-9 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- b. Alert: Events are in process or have occurred that involve an actual or potential substantial degradation of the level of the safety of the plant
- c. Site area emergency: Events are in process or have occurred that involve actual or likely major failures of plant functions needed for the protection of the public d. General emergency: Events are in process or have occurred that involve actual or imminent substantial core degradation or melting with imminent potential for loss of containment integrity.
7.8.3 Operational Support Center The function of the OSC is to act as an onsite area, separate from the control room and the TSC, where licensee operations support personnel will assemble in an emergency. The OSC will: a. Provide a location where plant logistic support can be coordinated during an emergency b. Restrict control room access to those support personnel specifically requested by the Shift Manager.
The OSC is a designated area at the north end of the third floor (Elevation 643 ft) of the turbine building. The OSC is located on the same floor and in close proximity to the main control room. The area is served by normal building HVAC systems. Figures 1.2-13 and 1.2-14 show the location of the OSC relative to the main control room.
The OSC provides a designated assembly point for shift support personnel for assignment of duties to support emergency operations. Personnel such as instrument technicians and operators will be dispatched from this area. The OSC is activated for an alert, site area emergency, or general emergency condition. The emergency organization is described in the Radiological Emergency Response Preparedness Plan. An alternate OSC has been designated in the machine shop and is equipped as necessary with supplies and equipment to
ensure continued support of the OSC emergency organization. The machine shop is located such that it would be highly improbable that both the primary and the alternate locations would not be habitable at the same time. The two OSC locations are served by separate HVAC systems.
The OSC and alternate OSC are equipped with communications systems and supplies, including protective clothing and equipment. Portable Health Physics equipment is provided to monitor radiological conditions in the OSC. Procedures have been established for control and for periodic inventories, recalibrations, and replenishments of perishable items.
Communication to the OSC is via the emergency telephone communications network, radio communications using hand
-held VHF transmitters, and the plant intercom system.
The OSC also has radiation monitoring capabilities, though its habitability requirements are not the same as those of the control room. The monitoring equipment consists of friskers, dose rate meters, and high range dosimeters. The OSC personnel also have available the use of self-contained breathing apparatus and partial sets of protective clothing. At the direction 7.8-10 REV 1 9 1 0/1 4 FERMI 2 UFSAR of the Emergency Director, the OSC supervisors shall relocate the OSC personnel to the alternate OSC and establish this as the staging area.
The OSC emergency organization, equipment, and communications systems have been evaluated during a full
-scale exercise and have been found acceptable.
7.8.4 Emergency Operations Facility 7.8.4.1 General The EOF functions as an operational support center with capabilities for the following:
- a. Management of overall licensee emergency response
- b. Coordination of radiological and environmental assessment
- c. Determination of recommended public protective actions d. Coordination of emergency response activities with federal, state, and local agencies Facilities are provided in the EOF for the acquisition, display, and evaluation of radiological, meteorological, and plant system data pertinent to determining offsite protective measures. These facilities are used to evaluate the magnitude and effects of actual or potential radioactive releases from the plant and to determine offsite dose projections. The EOF is used to coordinate emergency response activities with those of local, state, and federal agencies, including the NRC. Edison personnel in the EOF will make protective action recommendations for the public to the state emergency response organization.
The EOF is located in the basement of the nuclear operations center (NOC), approximately 6000 ft southwest of the Fermi 2 reactor building, and has been designed for habitability in the event of a postulated accidental radioactive release from Fermi 2. Shielding and HVAC system design ensure that NRC regulations for personnel exposure are satisfied.
The EOF is activated for conditions involving an Alert or higher emergency classification.
Emergency plan implementing procedures define the transition of responsibility from the control room to the TSC and the EOF until the latter facilities become functional. The NOC also provides space for managing recovery operations and media briefings.
An alternative EOF is located at the Western Wayne Center, 22 miles northwest of the Fermi 2 site. The facility has adequate communications equipment and sufficient space to accommodate the additional personnel required for continuity of dose projection and decisionmaking capability, including coordination of the offsite teams. Portable equipment is provided for the personnel to perform their assigned functions.
7.8.4.2 Description The primary EOF is located in the NOC building. Besides housing the EOF, the NOC provides room for supporting personnel required for assistance to Fermi 2 operations. This includes licensing, data control, administrative support, and training personnel. Also contained in the NOC will be the recovery center, a media briefing area, and a food processing and service area. Over 60,000 ft 2 of space will be provided in the NOC for these 7.8-11 REV 1 9 1 0/1 4 FERMI 2 UFSAR support personnel. Detailed information about staffing and the emergency organization is contained in the Fermi 2 Radiological Emergency Response Preparedness Plan.
The EOF is located about 6000 ft southwest of the power plant, just west of Quarry Lakes, within the Edison
-controlled property boundary (see Figure 7.8
-1). The facility can be reached from two directions via roads under the control of Edison. Electrical power is available from either one of two major power substations. An emergency generator is also available to automatically restore power in the improbable event of the loss of both power supplies. The NOC building has been designed for the following:
- a. Roof snow load: 40 lb/ft 2 minimum, plus provisions for drifted snow
- b. Floors: 150 lb/ft 2 for entire second floor and for first floor at EOF
- c. Stairs: 100 lb/ft 2 d. Wind load: conforms to ANSI A58.1
-72, based on 100
-year mean recurrence interval for exposure type C
- e. Seismic: conforms to UBC for Zone 1.
The construction is standard except for special concrete shield walls surrounding the EOF that provide a protection factor of approximately 20. The internal layout of the EOF is shown in Figure 7.8
-10 and consists of space allocated for records, counting facilities, offices, NRC office space, communications equipment, and emergency power (batteries) for communications equipment.
Habitability of the EOF is provided by an HVAC system, which includes a HEPA filter.
Radiation detection alarms are set at approximately three times the background levels to provide an early visual and audible warning to the EOF occupants. Air sampling capability is also provided in the EOF, with the capability to detect iodine concentrations as low as 1 x 10-7 Ci/cm 3. The EOF also has available friskers, dose rate meters, dosimeters of legal record (DLRs), iodine air sampler/detectors, and dosimeters to monitor radiation levels. The quality and quantity of this instrumentation has been determined by surveys, data research, and professional experience. The radiation monitoring equipment used in the EOF is calibrated according to Health Physics procedures and to manufacturers' instructions.
The EOF backup laboratory is equipped with a high
-resolution gamma spectroscopy system and other equipment required to perform chemistry and radiochemistry.
Emergency supplies and equipment are stored and maintained in the EOF in accordance with the implementing procedures for the Radiological Emergency Response Preparedness Plan.
These are periodically inventoried and calibrated to ensure their availability if needed. These supplies include protective clothing, stationery supplies, and duplicating equipment.
The EOF communication network is described in detail in the Radiological Emergency Response Preparedness Plan. 7.8-12 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.8.4.3 Information Systems The EOF information systems are commensurate with the EOF functions of
- a. Coordination of offsite response
- b. Coordination of radiological, meteorological, and environmental assessment
- c. Recommendations for protective actions.
The information required to perform the above functions includes
- a. Assessment of plant status
- b. Radiation releases
- c. Meteorological data
- d. Atmospheric dispersion models
- e. Field monitoring for offsite radioactivity.
In addition to the information included in Subsections 7.8.2.9 and 7.8.2.10 for the TSC, the following are available for use in the EOF:
- a. Offsite population data
- b. Environmental radiological monitoring records
- c. State and local emergency response plans
- d. Evacuation plans.
7.8.4.4 Staffing Staffing of the EOF is described in the Radiological Emergency Response Preparedness Plan.
7.8.4.5 Emergency Response Facilities Integration During emergency conditions, it is essential that there be a continuous high level of interaction and communication among key personnel in the control room, emergency response facilities, and the NRC to ensure that all emergency actions are fully understood and coordinated.
The emergency response facilities are developed to function as an integrated system. Edison's emergency response facilities are designed to provide coordinated support to the control room during emergency operating conditions. These facilities are integrated into the Radiological Emergency Response Preparedness Plan to facilitate coordination with state and local emergency response facilities.
The system design of the emergency response facilities has the following functional criteria:
- a. The operation of any system or subsystem within the emergency response facilities does not degrade the performance or reliability of any reactor safety or control system or of any safety
-related displays in the control room 7.8-13 REV 1 9 1 0/1 4 FERMI 2 UFSAR
- b. The operation of any system or subsystem in the emergency response facilities does not degrade or interfere with the functional operation of other systems in those facilities
- c. The data acquisition hardware and software are protected against unauthorized manipulation or interference with input signals, data processing, data storage, and data output.
The emergency response function of the IPCS provides a fully integrated data processing system serving all emergency response facilities and systems.
The equipment to be used in the control room during an emergency is identified in Subsection 7.6.1.9. Subsection 7.6.1.9 also addresses the primary variables to be displayed.
7.8-14 REV 1 9 1 0/1 4 FERMI 2 UFSAR 7.8 EMERGENCY RESPONSE FACILITIES REFERENCES
- 1. U.S. Nuclear Regulatory Commission, Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants, NUREG-0654, Revision 1, November 1980.
- 2. U.S. Nuclear Regulatory Commission, Standard Review Plan, Section 6.4 , "Habitability Systems," NUREG
-75/087, Revision 1.
- 3. U.S. Nuclear Regulatory Commission, Functional Criteria for Emergency Response Facilities, for Interim Use and Comment, Draft NUREG
-0696, July 1980.
- 4. U.S. Nuclear Regulatory Commission, TMI-2 Lessons Learned Task Force Status Report and Short
-Term Recommendations, NUREG-0578, July 1979; Revised August 1979 by NRC letter, enclosure 6.
7.8-15 REV 1 9 1 0/1 4 FERMI 2 UFSAR Page 1 of 1 REV 1 8 10/12 TABLE 7.8-1 GOVERNING CODES AND STANDARDS FOR HVAC SYSTEM COMPONENTS Components Codes and Standards Fans AMCA 210-74: Laboratory Methods of Testing Fans for Rating AMCA 211A-74: Certified Rating Program Air Performance AMCA 300-67: Test Code for Sound Rating Motors Cooling coils NEMA MG 1-74: Motors and Generators ARI 410-72: Standard for Forced Circulation Air
-Cooling and Air
-Heating Coils (nuclear safety related and nonnuclear safety related)
Isolation, modulation dampers, and damper operators AMCA 500: Test Method for Louvers, Dampers and Shutters Supply filter units Applicable portions of ANSI N509
-76: Nuclear Power Plant Air Cleaning Units and Components ASHRAE 52-68: Air Cleaning Devices Used in General Ventilation for Removing Particulate Matter, Method of Testing Regulatory Guide 1.52 (Revision 2, March 1978): Design Testing and Maintenance Criteria for Engineered
-Safety-Feature Atmosphere Cleanup System Air Filtration and Absorption Units of Light-Water-Cooled Nuclear Power Plants, including S&L Standard Position and excepting testing and quality assurance requirements.
Energy loads ASHRAE Handbook and Product Directory, Fundamentals
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.8-2 Components GOVERNING CODES AND STANDARDS FOR MECHANICAL SYSTEM COMPONENTS Codes and Standards Pressure vessel ASME Boiler and Pressure Vessel (B&PV) Code,Section VIII, Division I Heat exchangers TEMA C and ASME B&PV Code,Section VIII, Division I Piping ANSI B31.1.0 Valves ANSI B31.1.0 Pumps Manufacturer's standards Atmospheric storage tank API-650, AWWA-D100, or ANSI B96.1 Storage tanks, 0 to 15 psig API-620 Filter package ANSI N509 and N510
FERMI 2 UFSAR Page 1 of 1 REV 16 10/09 TABLE 7.8-3 Test PERFORMANCE REQUIREMENT AND PHYSICAL PROPERTI ES OF (UNUSED) ACTIVATED CARBON Method Acceptance Value Molecular iodine, 30 °C, 95 percent RHPerformance Requirements aASTM D3803 0.1 percent penetration, maximum Molecular iodine, 180 °C 99.5 percent retentivity, minimum Methyl iodine, 30 °C, 95 percent RH 3 percent penetration, maximum Methyl iodine, 80 °C, 95 percent RH a 1 percent penetration, maximum Particle-size distribution Physical Properties ASTM D2862 8 x 16 U.S. mesh Retained on No. 6 sieve:
0.1 percent maximum Retained on No. 8 sieve:
5.0 percent maximum Through No. 8, on No. 12 sieve:
60 percent maximum Through No. 12 on No. 16 sieve:
40 percent maximum Through No. 16 sieve:
5.0 percent maximum Through No. 18 sieve:
1.0 percent maximum Ball pan hardness ASTM D3802 92 minimum C Cl 4 activity (onbase) ASTM D3467 60 minimum Apparent density ASTM D2854 0.38 g/cm 3 minimum Ash content (onbase) ASTM D2866 State value Ignition temperature ASTM D3466 330 °C minimum Moisture content ASTM D2867 State value pH of water extract Appendix D State value
a Tests shall be performed for qualification purposes only.
FERMI 2 UFSAR REV 17 05/11 FIGURE 7.8-4 HAS BEEN DELETED THIS PAGE INTENTIONALLY LEFT BLANK