NL-16-109, Indian Point, Unit 2, Amendment Update to the Updated Final Safety Analysis Report (Ufsar), Revision 26 - Chapter 7, Instrumentation and Control

ML16280A193
Site: Indian Point
Issue date: 09/19/2016
From: Entergy Nuclear Operations
To: Office of Nuclear Reactor Regulation
Shared Package: ML16280A161
References: NL-16-109

IP2 FSAR UPDATE Chapter 7, Page 1 of 111 Revision 26, 2016

CHAPTER 7 INSTRUMENTATION AND CONTROL

7.1 GENERAL DESIGN CRITERIA

Complete supervision of both the nuclear and turbine-generator sections of the plant is accomplished by the instrumentation and control systems from the control room. The instrumentation and control systems are designed to permit periodic online tests to demonstrate the operability of the reactor protection system.

Criteria applying in common to all instrumentation and control systems are given in the following listing. Thereafter, criteria that are specific to one of the instrumentation and control systems are discussed in the appropriate portion of the description of that system.

7.1.1 Instrumentation and Control Systems Criteria

Criterion:

Instrumentation and controls shall be provided as required to monitor and maintain within prescribed operating ranges essential reactor facility operating variables. (GDC 12)

Instrumentation and controls essential to avoid undue risk to the health and safety of the public are provided to monitor and maintain neutron flux, primary coolant pressure, flow rate, temperature, and control rod positions within prescribed operating ranges.

Westinghouse designed and procured all systems that actuate reactor trip and safety feature actions for Indian Point Unit 2. The design of protective grade instrumentation and logic systems is in accordance with the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968. The functional design is originated at Westinghouse with equipment procurement through vendor supplies. Equipment compatibility and integration of component hardware was factored into the design by Westinghouse or under the direct supervision of Westinghouse.

The non-nuclear regulating process and containment instrumentation measures temperatures, pressure, flow, and levels in the reactor coolant system, steam systems, containment, and other auxiliary systems. Process variables required on a continuous basis for the startup, power operation, and shutdown of the plant are controlled from and indicated or recorded in the control room. The quantity and types of process instrumentation provided ensure the safe and orderly operation of all systems and processes over the full operating range of the plant.

7.1.2 Related Criteria

The following criteria are related to all instrumentation and control systems but are more specific to other plant features or systems, and therefore are discussed in other sections, as listed.

Name                                         Discussion
Suppression of power oscillations (GDC 7)    Chapter 3
Reactor core design (GDC 6)                  Chapter 3
Quality standards (GDC 1)                    Chapter 4
Performance standards (GDC 2)                Chapter 4
Fire protection (GDC 3)                      Chapters 5 and 9
Missile protection (GDC 40)                  Chapters 4, 5, and 6
Emergency power (GDC 39)                     Chapter 8

7.1.3 Environmental Qualifications - Original Plant Operations

As part of the original plant design for Indian Point Unit 2, environmental requirements were established for all safety-related electrical equipment in the facility.

These requirements included environmental conditions, testing, and qualifications as discussed in this section. For a discussion of equipment requalification in accordance with recent NRC guidelines, see Section 7.1.4. Table 7.1-1 lists the equipment located within the primary containment (reactor containment building), which is required to be operable during or following a loss-of-coolant or a steam line break accident. In addition, Table 7.1-1 lists the equipment operational and environmental testing requirements as established as part of the original facility operations. Figures 7.1-1 and 7.1-2 present the environmental conditions of pressure and temperature, respectively, for both the Table 7.1-1 required equipment test conditions and for the containment post loss-of-coolant design accident (LOCA) conditions. Figures 7.1-3 and 7.1-4 present the maximum calculated instantaneous and integrated radiation dose levels inside the containment as a function of time following a TID-14844 model LOCA.

7.1.3.1 Category 1 - Instrumentation

Except for sump level channels LT-938, 939, and 941, the supplier completed preliminary qualification tests on pressure and differential pressure transmitters. These are reported in WCAP-7354-L (Reference 2), which has been superseded by WCAP-7410-L (Reference 3). Additional instrumentation tests were performed by Westinghouse on equipment obtained from the Indian Point Unit 2 plant equipment supplier. The results of these tests confirmed that the equipment would provide the required signals in the post-LOCA environment.

The test conditions of the Westinghouse test were as follows: steam environment, a 5-sec period rise to 286°F and 60-psig pressure and the maintenance of these conditions for 2 hr. All equipment, listed below, continued to operate throughout the test and are typical of transmitter ranges used in the containment.

Static Pressure Transmitters    Differential Pressure Transmitters
0-2500 psig                     0-240-in. of water
1700-2500 psig                  0-300 psid

Containment sump and recirculation sump level channels consist of hermetically sealed magnetic switches in a stainless steel housing. The instrumentation was designed for submerged service in borated water at 295°F at a pressure of 69 psig. Since instruments of this design have seen considerable actual service in applications more severe than the post-LOCA design conditions, environmental testing for these instruments was not required.

7.1.3.2 Category 2 - Valves

The Indian Point Unit 2 valve operator supplier conducted loss-of-coolant environmental tests on a motor operated valve with a Class H unit similar to those used in this plant. Reports of results indicated that the unit operated satisfactorily at test conditions more severe than those expected in the Indian Point Unit 2 loss-of-coolant or steam break accident environment.

In addition, Westinghouse performed environmental tests on a unit similar to that being used in the Indian Point Unit 2 plant. The results of the Westinghouse tests indicated that the equipment would perform its required function in the post-LOCA environment.

Tests performed on motor operated valve operators, both Class H and Class B, included the following:

1. Preliminary heat tests (dry heat for 16 hr at 375°F) on limit and torque switches. All parts operated freely.
2. Preliminary heat tests on actuator. A complete operator assembled and baked at 325°F for 12 hr. Unit operated every 0.5 hr for 2 min, full open to full close. All operations were satisfactory.
3. Preliminary live steam test. Live steam injected into switch compartment. Unit operated every 0.5 hr for 2 min over a period of 9 hr. All operations were satisfactory.
4. Heat aging of motor. Heat aging at 180°C for 100 hr [Deleted] was performed. Comparison of insulation resistance between new and aged motor indicated no significant insulation degradation.
5. Life cycle test. 150 life cycle test under loaded conditions (valve operator produced ~ 16,500 lb of thrust). No noticeable change in operator following test.
6. Environmental test. Valve operators subjected to environmental conditions shown in Figures 7.1-1 and 7.1-2 and sprayed continuously for a period of 3 hr with a solution of boric acid and sodium hydroxide.

Results of the tests are as follows:

1. Class H operator (actual peak test conditions 320°F at 90 psig): operator survived 1st day of exposure during which 12 complete reversing cycles were accomplished. Following 1-week exposure to 247°F and 14.7 psig, the unit was operated for two complete reversing cycles. The unit operated satisfactorily.
2. Class B operator: operator survived the 1st day of exposure with 12 complete reversing cycles. However, after 5 days of exposure, the operator failed (failure found to be a short in the motor winding).

As a result of the above tests, Class H operators were supplied where long-term operation is required. Class B operators were supplied where short-term (less than 12 hr) operation is required.

A production line valve motor was irradiated to a level of 2 x 10^8 rads using a cobalt-60 irradiation source. The irradiated motor and an identical unirradiated motor underwent a series of reversing tests at room temperature, followed by a series of reversing tests at 275°F. The room temperature test was repeated while vibrating the motors at a frequency of 30 cycles per sec. Both motors operated satisfactorily during all of the tests. No significant difference was evident in the comparison of the data for the two units throughout the test period.

7.1.3.3 Category 3 - Miscellaneous Items

7.1.3.3.1 [Deleted]

7.1.3.3.2 Hydrogen Recombiner System

The original flame recombiner system has been replaced with a Passive Autocatalytic Recombiner System (PARS). Qualification testing of the PARS is discussed in Section 6.8.4.1.

7.1.3.3.3 Cable and Splice Tests

Cabling of the type that is installed in the Indian Point Unit 2 plant was tested under simulated loss-of-coolant accident conditions. The tests were conducted by the cable manufacturer and Westinghouse and consisted of the following:

1. A test was performed by the cable manufacturer in a steam environment of 214°F for 436 hr. During this test, some cable was energized and was carrying current. A visual inspection following this test showed the cables to be in excellent condition. High voltage, tensile elongation, and stretch showed insignificant changes in their characteristics.
2. A test was performed by the cable manufacturer where the specimens were exposed to a gamma radiation field of 2.8 x 10^7 rads followed by exposure in a steam atmosphere of 85 psig for two 30-min cycles. Following these tests, the physical appearance of the cables was excellent. Changes in electrical characteristics were as follows:

a. Insulation resistance percent of original value.
b. Specific inductance (SIC) - No change.
c. Dissipation factor - Change from 2.2 to 2.1 percent.
d. AC breakdown percent of original value.

These percentages represent an average of seven samples.

Westinghouse performed cable testing in a postaccident steam and chemical environment of 80 psig (maximum) and a temperature in excess of 300°F. The durations of these tests were in excess of 200 hr in the postaccident steam and chemical environment, 68 hr of which was at a steam pressure higher than containment design pressure.

The general appearance of the cables following these tests was good. Some loosening of the jacket from the insulation at the cable ends occurred, generally believed to be due to the rapid decrease in pressure during the tests. Had the cable ends been properly made up, this separation could have been prevented.

Westinghouse performed additional testing on 18 cable and cable splice test specimens. The testing consisted of the following:

1. Thermal aging [Deleted] (Kerite cable - 150°C for 192 hr; silicone cable - 210°C for 30 days.)
2. Irradiation to levels up to 2 x 10^8 rads.
3. Exposing the cables for three weeks to the environmental test conditions shown in Figures 7.1-1 and 7.1-2.
4. Applying a potential of 480 V (with respect to ground) to the cables and conducting rated current through the cables on a daily schedule of 8 hr on and 16 hr off.

Before the admission of steam to the test chamber, it was found that four of the test specimens had open conductors. These four specimens were removed from the chamber, and subsequent examination indicated that the conductors had not been crimped properly.

Of the 14 specimens tested in the environment, 13 survived. The 14th was found to have shorted against the test grounding pipe surrounding the cable.

The short appeared to have occurred because of the whipping of the cable caused by the steam injection against the cable.

According to the above test results, the safeguards cable and splices used on the Indian Point Unit 2 plant will maintain their required integrity under post-LOCA conditions.

7.1.3.4 Post-accident Equipment Radiation Exposure

The design basis for the reactor protection system and engineered safety feature equipment radiation exposure is that the equipment must function after exposure associated with the TID-14844 model accident. The maximum anticipated exposure for components located within the containment was originally specified as 1.6 x 10^8 rads, which is accumulated during 1 year following the accident (note that the integrated exposure for safeguards equipment during 40 years of operation is less than 5 x 10^5 rads). In the determination of exposure no credit was taken for containment cleanup or other removal mechanism other than isotope decay. The expected integrated exposure on the outside of the containment building, again assuming TID-14844 releases and no credit for cleanup, was originally specified to be less than 10^2 rads integrated over a year at the containment outside surface. These radiation exposure values are updated and are maintained by the ongoing Environmental Qualification Program described in Section 7.1.4.

To establish the combined effect of long-term operation followed by exposure to accident conditions inside the containment, selected components were subjected to thermal aging followed by irradiation. In addition, components were first irradiated and then subjected to thermal aging. Results of the tests indicated that the components would perform satisfactorily following a design-basis accident.

Indian Point Unit 2 cables were tested using the same approach as described above, that is, first irradiation, and then thermal aging followed by steam exposure. During exposure to steam the cables carried nominal voltage and current.

7.1.4 Environmental Qualifications

An ongoing program of evaluating the environmental qualification of safety-related electrical equipment at the Indian Point Unit 2 facility has been in progress since early 1980. On May 23, 1980, the NRC Commissioners issued Memorandum and Order CLI-80-21, which describes the NRC environmental qualification requirements. CLI-80-21 states that the Division of Operating Reactors guidelines and NUREG-0588 set the requirements that licensees and applicants must meet regarding the environmental qualification of safety-related electrical equipment to satisfy 10 CFR 50, Appendix A, GDC 4.

In February 1980, the NRC included Indian Point Unit 2 in the systematic evaluation program for the purpose of the equipment environmental qualification review.

On March 5, 1980, Con Edison was formally asked to address the environmental qualification of safety-related electrical equipment for Indian Point Unit 2. This evaluation information was detailed in several responses. The original response was transmitted to the NRC by Con Edison on May 9, 1980 (Reference 7), with additional information in subsequent transmittals (References 8-10). This information was evaluated and a safety evaluation report (SER) was issued by the NRC on May 21, 1981. The Con Edison response to this SER was made on September 4, 1981 (Reference 11).

As a result of this SER, containment accident pressure was changed to 40.6 psig with a saturation temperature of 287°F, and this information was recorded as a part of the review for the September 4, 1981 response (Reference 11) to the NRC Staff SER.

The assessment of additional electrical equipment was provided to the NRC Staff by Con Edison submittal dated May 4, 1982 (Reference 12).

Included in this program were evaluations of the following variables and environmental parameters: function, service, location, operating time, temperature, pressure, relative humidity, chemical spray, radiation, aging, submergence, and qualifying method. This evaluation program was based on the provisions of the Guidelines for Evaluating Environmental Qualification of Class 1E Electrical Equipment in Operating Reactors (DOR Guidelines), or NUREG-0588, Interim Staff Position on Environmental Qualification of Safety Related Electrical Equipment, December 1979.

The information submitted by Con Edison was evaluated by the Franklin Research Center and a technical evaluation report (TER) was issued in June 1982. A safety evaluation report was subsequently issued in January 1983 with the TER as an attachment. Con Edison responded to the safety evaluation report items and also presented the general methodology for compliance with 10 CFR 50.49, Environmental Qualification of Electrical Equipment, which had become effective in February 1983, in a submittal to the NRC in October 1984 (Reference 13).

In accordance with schedule requirements for environmental qualification contained in 10 CFR 50.49, all components falling within the scope of this program were to be qualified, replaced, or modified to ensure their operation. The submittal was evaluated by the NRC and a final resolution was issued in December 1984 (Reference 14). The NRC evaluation concluded the following:

1. Con Edison's electrical equipment environmental qualification program complies with the requirements of 10 CFR 50.49.
2. The proposed resolution for each of the environmental qualification items identified in the safety evaluation report of January 1983 is acceptable.
3. Continued operation until completion of the licensee's environmental qualification program will not present undue risk to the public health and safety.

A comprehensive list of all electrical equipment important to safety, pursuant to the environmental qualification rule, 10 CFR 50.49, has been submitted to the Nuclear Regulatory Commission by Reference 1. This list, called the "EQ Master List," is periodically updated to reflect plant modifications, procedure changes, or new analysis.

Further EQ evaluations were performed to support plant operation at an intermediate core thermal power level of 3071.4 MW (3083.3 MW NSSS) and a 1.4% power uprate to 3114.4 MW and were reevaluated for steam generator replacement and stretch power level of 3216 MWt.

LOCA containment re-analysis performed as part of IP2 stretch power uprate (3216 MWt) conditions and issues raised by NSAL-06-6 and NSAL-11-5 resulted in a peak containment pressure of 45.44 psig and a peak temperature of 266.41°F (UFSAR Section 14.3.5.1.1).

For EQ purposes, maximum pressure and temperature of 45.81 psig and 266.97°F are used. Post-accident chemistry changes due to the elimination of the spray additive tank and installation of Trisodium Phosphate Baskets were evaluated and it was determined that these changes did not affect the environmental qualification of equipment located within the containment required to mitigate the consequences of design basis accidents.

For the purpose of responding to Generic Letter 2004-02 (Generic Safety Issue 191), the Trisodium Phosphate pH buffer was replaced by Sodium Tetraborate. The new buffer material was evaluated for its effect on equipment located in the containment required to mitigate the consequences of design basis accidents (Reference 31). The evaluation concluded that, due to the similarities between post-LOCA Trisodium Phosphate and Sodium Tetraborate buffered sump solutions, the equipment qualified for Trisodium Phosphate remains qualified for the new Sodium Tetraborate buffered solution. Therefore, there would be no impact on existing IP2 EQ equipment as a result of the subject post-LOCA buffered sump chemistry change.

Complete and auditable records are available and will be maintained at a central location. These records describe the environmental qualification methods used for all safety-related electrical equipment in sufficient detail to document the degree of compliance with the DOR Guidelines, NUREG-0588, and/or 10 CFR 50.49. Such records were updated and maintained current as equipment was replaced, further tested, or otherwise further qualified.

7.1.5 Regulatory Guide 1.97 Compliance

Compliance of the instrumentation at Indian Point Unit 2 with the intent of Regulatory Guide 1.97, Revision 2, as required by NUREG-0737, Supplement 1 (Generic Letter 82-33), has been addressed in submittals to the Nuclear Regulatory Commission, dated August 30, 1985 (Reference 15), September 12, 1986 (Reference 16), October 26, 1988 (Reference 17), October 27, 1989 (Reference 18), August 7, 1991 (Reference 19), November 19, 1992 (Reference 20), November 26, 1986 (Reference 22), November 15, 1994 (Reference 21), April 7, 1995 (Reference 23), and September 18, 1995 (Reference 24). The submittals included the degree of compliance and intended upgrades or justifications where deviations of present instrumentation were identified. The NRC determined that the plant design is acceptable with respect to conformance to Regulatory Guide 1.97 Rev. 2 in SERs dated September 27, 1990 (Reference 25), August 31, 1992 (Reference 26), August 27, 1993 (Reference 27), February 2, 1995 (Reference 28), and November 27, 1995 (Reference 29). Control room indicators and recorders for instrumentation designated as Types A, B, and C and Categories 1 and 2 of Regulatory Guide 1.97 are specifically identified on the control room panels.

REFERENCES FOR SECTION 7.1

1. Letter from J. D. O'Toole, Con Edison, to S. A. Varga, NRC, Subject: Environmental Qualification Rule, dated May 20, 1983.
2. J. Nay, Topical Report Supplier Post Accident Testing of Process Instrumentation, WCAP-7354-L (Proprietary), Westinghouse Electric Corporation, July 1969.
3. J. Locante, Topical Report Environmental Testing of Engineered Safety Features Related Equipment (NSSS-Standard Scope), WCAP-7410-L (Volumes I and II, Proprietary), Westinghouse Electric Corporation, December 1970.
4. C. V. Fields, Fan Cooler Motor Unit Development and Test, WCAP-9003 (Proprietary), Westinghouse Electric Corporation, January 1969.
5. Westinghouse Electric Corporation, Reactor Containment Fan Cooler Motor Insulation Irradiation Testing, WCAP-7343-L (Proprietary), WCAP-7829 (Nonproprietary), July 1969.
6. Schulz Electric Report No. N4446EQFWCD, "Environmental Qualification Report Number N4446EQFWCD for Schulz Electric Company's Form Wound, Continuous Duty Insulation System."
7. Schulz Electric Report No. 45925-1, "Schulz Electric Company's Environmentally Qualified Insulation System Supplement 1."
8. Letter from Con Edison response to NRC, Subject: Response to NRC request of March 5, 1980, on Environmental Qualification Program, dated May 9, 1980.
9. Letter from Con Edison to NRC, Subject: Additional Material on Environmental Qualification Program, dated October 31, 1980.
10. Letter from Con Edison to NRC, Subject: Additional Material on Environmental Qualification Program, dated January 14, 1981.
11. Letter from Con Edison to NRC, Subject: Additional Material on Environmental Qualification Program, dated April 13, 1981.
12. Letter from Con Edison, to NRC, Subject: Response to NRC Safety Evaluation Report issued by NRC on May 21, 1981, dated September 4, 1981.
13. Letter from Con Edison, to NRC, Subject: Additional Information on Environmental Qualification of Safety Related Electrical Equipment, dated May 4, 1982.
14. Letter from J. D. O'Toole, Con Edison, to S. A. Varga, NRC, Subject: Environmental Qualification of Safety Related Electrical Equipment, dated October 5, 1984.
15. Letter from S. A. Varga, NRC, to J. D. O'Toole, Con Edison, Subject: Final Resolution of Environmental Qualification of Electric Equipment Important to Safety, dated December 7, 1984.
16. Letter from J.D. O'Toole, Con Edison, to H.L. Thompson, Jr., NRC, Subject: Compliance with Guidance of Regulatory Guide 1.97, Revision 2, dated August 30, 1985.
17. Letter from M. Selman, Con Edison, to H. L. Thompson, Jr., NRC, dated September 12, 1986, with attachment "Response to Preliminary Technical Evaluation Report."
18. Letter from John Basile, Con Edison, to Document Control Desk, NRC, Subject: Additional Information Regarding NUREG-0737, Supplement 1 (Regulatory Guide 1.97 Revision 2), dated October 26, 1988.
19. Letter from Stephen Bram, Con Edison, to Document Control Desk, NRC, Subject: Clarification of Information Regarding NUREG-0737 Supplement 1 (Regulatory Guide 1.97 Revision 2) dated October 27, 1989.
20. Letter from Stephen Bram, Con Edison, to Document Control Desk, NRC, Subject: Supplemental Information Regarding NUREG-0737, Supplement 1 (Regulatory Guide 1.97, Revision 2) dated August 7, 1991.
21. Letter from Stephen Bram, Con Edison, to Document Control Desk, NRC, Subject: Supplemental Information Regarding NUREG-0737, Supplement 1 (Regulatory Guide 1.97, Revision 2) dated November 19, 1992.
22. Letter from Stephen Quinn, Con Edison, to Document Control Desk, NRC, Subject: Steam Generator Wide Range Level Indication Upgrade (Regulatory Guide 1.97, Revision 2) dated November 15, 1994.
23. Letter from J. Basile, Con Edison, to M. Slosson, NRC, Subject: Indian Point Unit No. 2, Docket No. 50-247, dated November 26, 1986.
24. Letter from Stephen E. Quinn, Con Edison, to Document Control Desk, NRC, Subject: Response to Request for Additional Information Regarding Neutron Flux Instrumentation (TAC No. M81727) dated April 7, 1995.
25. Letter from Stephen E. Quinn, Con Edison, to Document Control Desk, NRC, Subject: Supplemental Submittal Regulatory Guide 1.97 Qualification of Neutron Flux Instrumentation (TAC No. M81727) dated September 18, 1995.
26. Letter from Donald S. Brinkman, NRC, to Stephen B. Bram, Con Edison, Subject: Conformance to Regulatory Guide 1.97, Revision 2 (TAC No. M51098) dated September 27, 1990.
27. Letter from F. J. Williams, Jr., NRC, Subject: Regulatory Guide 1.97 - Instrumentation to Follow the Course of an Accident, Indian Point Nuclear Generating Unit No. 2 (TAC No. M51098) dated August 31, 1992.
28. Letter from F. J. Williams, NRC, to Stephen B. Bram, Con Edison, Subject: Supplemental Safety Evaluation - Regulatory Guide 1.97 Instrumentation to Follow the Course of an Accident, Indian Point Nuclear Generating Unit No. 2 (TAC No. M81727) dated August 27, 1993.
29. Letter from F. J. Williams, Jr., to Stephen E. Quinn, Con Edison, NRC, Subject: Steam Generator Wide Range Level Indication Upgrade, Indian Point Nuclear Generating Unit No. 2 (TAC No. M81727) dated February 2, 1995.
30. Letter from F. J. Williams, Jr., NRC, to Stephen E. Quinn, Con Edison, Subject: Conformance to Regulatory Guide 1.97, Revision 2, Post-Accident Neutron Flux Monitoring Instrumentation for Indian Point Nuclear Generating Unit No. 2 (TAC No. M81727), dated November 27, 1995.
31. "Evaluation of IP2 and IP3 Post-LOCA Buffered Borate Sump Chemistry for Equipment Qualification," IP-RPT-08-00025, Revision 0.

TABLE 7.1-1 Postaccident Equipment (Inside Containment) Operational and Testing Requirements

Equipment Name and Tag Number | Operating Mode | Environmental Testing

CATEGORY 1 - INSTRUMENTATION
Pressurizer pressure channels: PT-455, 456, 457, 474 | Continuous | Required
Pressurizer level channels: LT-460, 459, 461 | Continuous | Required
High-head flow channels: FT-924, 925, 926, 927 | Continuous | Required
Steam generator level channels: LT-417A-C, 427A-C, 437A-C, 447A-C | Continuous | Required
Recirculation spray flow channels: FT-945A, B | Intermittent | Required
Recirculation sump level channel: LT-3301 | Continuous | Required
Containment sump level channel: LT-3300 | Continuous | Required
Residual heat loop flow channels: FT-640, 946A, B, C, D | Continuous | Required

CATEGORY 2 - VALVES
Safety injection line valves: MOV-856A, C, D, E | Open or close on demand (note 1) | Required
Safety injection line valves: MOV-856B, F | Open or close on demand (note 2) | Required
Recirculation spray valves: MOV-889A, B | Open or close on demand | Required
Recirculation pump discharge valves: MOV-1802A, B | Open after injection phase, close on demand | Required
Containment sump isolation valve: MOV-1805 | Open or close on demand | Required
Residual heat exchanger cooling water supply valves: MOV-822A, B | Open on demand (note 1) | Required
Residual heat exchanger isolation valves: MOV-745A (note 4), B (note 4), 746 (note 1), 747 (note 1) | Open or close on demand | Required
Residual heat loop flow control valves: HCV-638, 640 | Open or close on demand | Required
Air-operated isolation valves | Close on demand | Not required (note 3)

CATEGORY 3 - MISCELLANEOUS ITEMS
Fan cooler motors: 21, 22, 23, 24, 25 | Continuous | Required
Internal recirculation pump motors | Start after injection phase and continue operating | Required
Hydrogen recombiner system | Operate on demand | Required
Safeguard equipment power, control and instrument cable | Continuous | Required

Notes:
1. Also open on SI signal.
2. Deenergized closed per Technical Specifications.
3. All air-operated valves fail in closed position.
4. Deenergized open per Technical Specifications.

TABLE 7.1-2 DELETED
TABLE 7.1-3 DELETED
TABLE 7.1-4 DELETED
TABLE 7.1-5 DELETED

7.1 FIGURES

Figure No.      Title
Figure 7.1-1    ENVIRONMENTAL CONDITIONS FOR EQUIPMENT TESTING - PRESSURE VS TIME
Figure 7.1-2    ENVIRONMENTAL CONDITIONS FOR EQUIPMENT TEMPERATURE VS TIME
Figure 7.1-3    INSTANTANEOUS GAMMA DOSE RATE INSIDE THE CONTAINMENT AS A FUNCTION OF TIME AFTER RELEASE - TID-14844 MODEL
Figure 7.1-4    INTEGRATED GAMMA DOSE LEVEL INSIDE THE CONTAINMENT AS A FUNCTION OF TIME AFTER RELEASE - TID-14844 MODEL
Figure 7.1-5    Deleted
Figure 7.1-6    Deleted
Figure 7.1-7    Deleted
Figure 7.1-8    Deleted

7.2 PROTECTION SYSTEMS

The protection systems consist of both the reactor protection system and the engineered safety features. Equipment supplying signals to any of these protection systems is considered a part of that protection system.

7.2.1 Design Bases

7.2.1.1 Control Room

Criterion:

The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit continuous occupancy of the control room under any credible post-accident condition or as an alternative, access to other areas of the facility as necessary to shut down and maintain safe control of the facility without excessive radiation exposures of personnel. (GDC 11)

The plant is equipped with a control room that contains those controls and instrumentation necessary for the operation of the reactor and turbine generator under normal and accident conditions.

The control room is continuously occupied by the qualified operating personnel under all operating and maximum credible accident conditions.

As part of the initial plant design, sufficient shielding, distance, and containment integrity were provided to ensure that control room personnel would not be subjected to doses under postulated accident conditions during occupancy of, ingress to, and egress from the control room, which in the aggregate, would exceed limits in 10 CFR 100. The control room ventilation consists of a system having a large percentage of recirculated air. The fresh air intake is automatically diverted to charcoal filters to remove airborne activity if monitors indicate that such action is appropriate.

An earlier study was performed to evaluate the system and structures pertaining to the habitability of the control room in accordance with NUREG-0737, TMI Action Plan Requirements, item III.D.3.4. This TMI action item was to ensure that control room operators will be adequately protected against the effects of accidental releases of toxic and radioactive gases and that the plant can be safely operated or shut down under design-basis accident conditions. The results of an evaluation for specifically measured central control room conditions¹ indicated that the radiation doses in the control room integrated over 30 days post-LOCA were below the dose guidelines. Additional radiation detectors were installed in the central control room outside air intake. As a result of an analysis of the toxic chemical data within a 5-mile radius of Indian Point, redundant toxic chemical monitors were also installed. High concentrations of the specific toxic gases of concern result in an alarm and automatic isolation of the control room.

Two independent toxic gas detection systems, each capable of detecting chlorine and anhydrous ammonia, shall be operable at all times except as specified in the Unit 2 Technical Requirements Manual (TRM). [Note:] This was moved out of Technical Specifications by NRC SER for TS Amendment 208. The requirements of the Tech Spec per the NRC Order were relocated to the UFSAR and in Rev. 21 to the UFSAR were relocated to the TRM and need to remain as a License Condition.

Smoke detection capability has also been provided at the central control room outside air intake. The detection of smoke results in an alarm and automatic isolation of the control room. For further information, see NRC Safety Evaluation Report (SER) dated January 27, 1982 (Reference 6).

More recently, the application of the NUREG-1465 alternative source term methodology for Indian Point Unit 2 includes verification that the radiological dose to control room personnel following postulated accidents remains within the limits specified in 10 CFR 50.67 as presented in Section 14.3.6.5.

7.2.1.2 Reactor Protection System

Criterion:

Core protection systems, together with associated equipment, shall be designed to prevent or to suppress conditions that could result in exceeding acceptable fuel damage limits. (GDC 14)

The basic reactor tripping philosophy is to define a region of power and coolant temperature conditions allowed by the primary tripping functions, the overpower high ΔT trip, the overtemperature high ΔT trip, and the nuclear overpower trip. The allowable operating region within these trip settings is provided to prevent any combination of power, temperature, and pressure that would result in departure from nucleate boiling with all reactor coolant pumps in operation. Additional tripping functions such as a high pressurizer pressure trip, low pressurizer pressure trip, high pressurizer water level trip, loss of flow trip, steam and feedwater flow mismatch trip, steam generator low-low water level trip, turbine trip, safety injection trip, nuclear source and intermediate range trips, fuel cooldown trip, and manual trip are provided as backup to the primary tripping functions for specific accident conditions and mechanical failures.

A dropped rod signal provides a turbine load runback if above a given power level. The dropped rod is indicated from individual rod position indicators or by a rapid neutron flux decrease on any of the power range nuclear channels (as discussed in Section 14.1.4).

Intermediate Range and Power Range rod stops, and Overtemperature ΔT and Overpower ΔT rod stops, are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by operator violation of administrative procedures.

The core protection system is shown schematically on the plant logic diagrams, Plant Drawings 225094 through 225107 [Formerly UFSAR Figures 7.2-1 through 7.2-14].

7.2.1.3 Engineered Safety Features Protection System

Criterion:

Protection systems shall be provided for sensing accident situations and initiating the operation of necessary engineered safety features. (GDC 15)

Instrumentation and controls provided for the protection systems are designed to trip the reactor, to prevent or limit fission product release from the core and to limit energy release, to signal containment isolation, and to control the operation of engineered safety features equipment.

The engineered safety features systems are actuated by the engineered safety features actuation channels. Each coincidence network energizes an engineered safety features actuation device that operates the associated engineered safety features equipment, motor starters, and valve operators. The channels are designed to combine redundant sensors and independent channel circuitry, coincident trip logic, and different parameter measurements so that a safe and reliable system is provided in which a single failure will not defeat the channel function. The action initiating sensors, bistables, and logic are shown in the figures included in the detailed engineered safety features instrumentation description given in the system design section. The engineered safety features instrumentation system actuates (depending on the severity of the condition) the safety injection system, the containment isolation system, the containment air recirculation system, and the containment spray system.

The passive accumulators of the safety injection system do not require signal or power sources to perform their function. The actuation of the active portion of the safety injection system is described in Section 7.2.3.

The containment air recirculation coolers are normally in use during plant operation. These units are, however, in the automatic sequence, which actuates the engineered safety features upon receiving the necessary actuating signals indicating an accident condition. The fan cooler bypass valves open on safety injection to provide maximum service water flow.

Containment spray is actuated by coincident and redundant high containment pressure signals.

The containment isolation system provides the means of isolating the various pipes passing through the containment walls as required to prevent the release of radioactivity to the outside environment in the event of a loss-of-coolant accident.

The engineered safety features protection systems are shown schematically on the plant logic diagrams, Plant Drawings 225094 through 225107 [Formerly UFSAR Figures 7.2-1 through 7.2-14].

7.2.1.4 Protection Systems Reliability

Criterion:

Protection systems shall be designed for high functional reliability and in-service testability necessary to avoid undue risk to the health and safety of the public. (GDC 19)

The reactor uses the Westinghouse magnetic-type control rod drive mechanisms. Upon a loss of power to the coils, the rod cluster control (RCC) assemblies with full-length absorber rods are released and fall by gravity into the core. The undervoltage trip coils and the shunt trip coils of the reactor trip breakers are used as the primary and backup devices, respectively, for the automatically initiated reactor trip signals. The reactor internals, fuel assemblies, RCC assemblies, and drive system components are designed as seismic Class I equipment. The RCC assemblies are fully guided through the fuel assembly and for the maximum travel of the control rod into the guide tube. Furthermore, the RCC assemblies are never fully withdrawn from their guide thimbles in the fuel assembly. Because of this and the flexibility designed into the RCC assemblies, abnormal loadings and misalignments can be sustained without impairing operation of the RCC assemblies.

The RCC assembly guide system is locked together with pins throughout its length to ensure against misalignments that might impair control rod movement under normal operating conditions and credible accident conditions. An analogous system has successfully undergone 4132 hr of testing in the Westinghouse reactor evaluation channel, during which about 27,200-ft of step-driven travel and 1461 trips were accomplished with test misalignments in excess of the maximum possible misalignment that may be experienced when installed in the plant.

All reactor trip protection channels are supplied with sufficient redundancy to provide the capability for channel calibration and test at power.

Reliability and independence are obtained by redundancy within each tripping function. In a two-out-of-three circuit, for example, the three channels are equipped with separate primary sensors. Each channel is continuously fed from its own independent electrical source. Failure to deenergize a channel when required would be a mode of malfunction that would affect only that channel. The trip signal furnished by the two remaining channels would be unimpaired in this event.

7.2.1.5 Protection Systems Redundancy and Independence

Criterion:

Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure or removal from service of any component or channel of such a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection function to be served. (GDC 20)

The reactor protection systems are designed so that the most probable modes of failure in each protection channel result in a signal calling for the protective trip. Each protection system design combines redundant sensors and channel independence with coincident trip philosophy so that a safe and reliable system is provided in which a single failure will not defeat the channel function, cause a spurious plant trip, or violate reactor protection criteria.

Channel independence is carried throughout the system extending from the sensor to the relay actuating the protective function. The protective and control functions when combined are combined only at the sensor. Both of these functions are fully isolated in the remaining part of the channel, control being derived from the primary protection signal path through an isolation amplifier. As such, a failure in the control circuitry does not affect the protection channel. This approach is used for pressurizer pressure and water level channels, steam generator water level, Tavg and delta T channels, steam flow-feedwater flow, and nuclear source and power range channels.

A nonelectrical backup to the pressurizer pressure and level indication exists that uses pneumatic transmitters with indicators located inside and outside the containment.

The transmitters are supplied with air from the instrument air headers inside the containment with a backup supply from the nitrogen system also located inside the containment.

The same nonelectrical backup is used to provide indication of steam-generator levels inside and outside the containment.

The engineered safety features equipment is actuated by either one or both of the engineered safety features actuation channels. Each coincidence network actuates an engineered safety actuation device that operates the associated engineered safety features equipment, motor starters, and valve operators. As an example, the control circuit of a safety injection pump is typical of the control circuit for a large pump operated from switchgear. The actuation relay, energized by the engineered safety features instrumentation system, has normally open contacts. These contacts energize the circuit breaker closing coil to start the pump when the control relay is energized.

In the reactor protection system, two reactor trip breakers are provided to interrupt power to the full-length rod drive mechanisms. The breakers' main contacts are connected in series (with power supply) so that opening either breaker interrupts power to all full-length rod mechanisms, permitting them to fall by gravity into the core. In the event of a loss of rod control power, the reactor trip breakers are deenergized and trip to an open mode.

Further information on redundancy is provided through the detailed descriptions of the respective systems covered by the various sections in this chapter. In summary, reactor protection is designed to meet all presently defined reactor protection criteria and is in accordance with the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968. Redundancy and independence are more than achieved by protection channel designs, which combine more than one sensor and parameter measurement with coincident trip circuitry (e.g., pressure coincident with level and interlocked with flow or nuclear flux).

Required continuous electrical supply is discussed in Chapter 8.

7.2.1.6 Protection Against Multiple Disability for Protection Systems

Criterion:

The effects of adverse conditions to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of an accident, shall not result in loss of the protection function or shall be tolerable on some other basis. (GDC 23)

The components of the protection system are designed and laid out so that the mechanical and thermal environments accompanying any emergency situation in which the components are required to function do not interfere with that function.

The separation of redundant analog protection channels originates at the process sensors and continues back through the field wiring and containment penetrations to the analog protection racks. Physical separation is used to the maximum practical extent to achieve the separation of redundant transmitters. The separation of field wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant channel.

Redundant analog equipment is separated by locating redundant components in different protection racks. Each channel is energized from a separate vital instrument bus.

7.2.1.7 Demonstration of Functional Operability of Protection Systems

Criterion:

Means shall be included for suitable testing of the active components of protection systems while the reactor is in operation to determine if failure or loss of redundancy has occurred. (GDC 25)

The signal conditioning equipment of each protection channel in service at power is capable of being tested and tripped independently by simulated analog input signals to verify its operation.

This includes checking through to the trip breakers, which necessarily involves the trip logic. Thus, the operability of each trip channel can be determined conveniently and without ambiguity.

The testing of the diesel-generator starting is performed from the diesel-generator control board. The generator breaker is not closed automatically after starting during this testing. The generator may be manually synchronized to the 480-V bus for loading. Complete testing of the starting of diesel generators can be accomplished by tripping the associated 480-V undervoltage relays. The ability of the units to start within the prescribed time and to carry load is periodically checked. (The electrical system is discussed in more detail in Section 8.2.3.)

7.2.1.8 Protection Systems Failure Analysis Design

Criterion:

The protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electrical power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced. (GDC 26)

Each reactor trip circuit is designed so that circuit trip occurs when the circuit is deenergized; therefore, loss of channel power causes the system to go into its trip mode. In a two-out-of-three circuit, the three channels are equipped with separate primary sensors and each channel is energized from an independent electrical bus. Failure to deenergize when required is a mode of malfunction that affects only one channel. The trip signal furnished by the two remaining channels is unimpaired in this event.

Reactor trip is implemented by interrupting power to the magnetic latch mechanisms on all drives, allowing the full-length rod clusters to insert by gravity. The reactor protection system is thus inherently safe in the event of a loss of power.

The engineered safety features actuation circuits are designed on the same "deenergize to operate" principle as the reactor trip circuits, with the exception of the containment spray actuation circuit, which is energized to operate in order to avoid spray operation on inadvertent power failure.

Automatic starting of all emergency diesel generators is initiated by undervoltage relays on any 480-V bus or by the safety injection signal. Engine cranking is accomplished by a stored energy system supplied solely for the associated diesel generator. The undervoltage relay scheme is designed so that loss of 480-V power does not prevent the relay scheme from functioning properly.

7.2.1.9 Redundancy of Reactivity Control

Criterion:

Two independent control systems, preferably of different principles, shall be provided. (GDC 27)

One of the two reactivity control systems employs rod cluster control assemblies to regulate the position of Ag-In-Cd neutron absorbers within the reactor core. The other reactivity control system employs the chemical and volume control system to regulate the concentration of boric acid solution (neutron absorber) in the reactor coolant system.

7.2.1.10 Reactivity Control System Malfunction

Criterion:

The reactor protection system shall be capable of protecting against any single malfunction of the reactivity control system, such as unplanned continuous withdrawal (not ejection or dropout) of a control rod, by limiting reactivity transients to avoid exceeding acceptable fuel damage limits. (GDC 31)

Reactor shutdown with rods is completely independent of the normal control functions since the trip breakers completely interrupt the power to the full-length rod mechanisms regardless of existing control signals. Effects of continuous withdrawal of a rod control assembly and of deboration are described in Sections 7.3.1, 7.3.2, 9.2, and 14.1.

7.2.1.11 Seismic Design

For earthquake (operational basis or design basis), the equipment is designed to ensure that it does not lose its capability to perform its function, that is, shut the plant down and maintain it in a safe shutdown condition. For the maximum potential earthquake, there may be permanent deformation of equipment provided that the capability of the equipment to perform its function is maintained.

The instrumentation and electrical equipment, associated with emergency core cooling, will not cause an interruption of this function during the earthquake.

Instrumentation and control specifications include only static "g" level requirements. As a result of seismic criteria subsequently established, the static requirements were considered inappropriate and Westinghouse adopted the position of type testing equipment to demonstrate design adequacy. A safeguards signal may be initiated by an instrument or transmitter that has the ability to withstand seismic forces as demonstrated in WCAP-7397-L, Section 4.8.² This signal is carried in conduit and cable trays whose supports have been studied for resistance to seismic forces. The signal passes to the process control racks proved as described in WCAP-7397L, Section 4.2.² The signal is sent next to the safeguards actuation racks proved as described in WCAP-7397-L, Section 4.3.² The actuation signal proceeds through a switch on the control board to the appropriate switchgear. The control boards were specified to "be designed such that the maximum stresses, including simultaneous seismic accelerations of 0.52g in the horizontal and 0.35g in the vertical directions, shall not dislodge or cause relative movement between components, such as to impair the functional integrity of circuits or equipment." These accelerations exceed that calculated as input to the boards from the floor of the central control room. In shipment, boards of typical manufacture and construction have recorded shocks of 8 to 10g, and when wired, the switches have operated without repair.

The switchgear equipment has been specified to withstand accelerations in excess of 0.15g horizontally and 0.10g vertically. This capability was a matter of the procurement specification of Westinghouse and their design agents and design action of the vendors. The safeguards circuits for Indian Point Unit 2 employ Westinghouse Series W motor control centers, type DB circuit breakers, and associated metal-enclosed or metal-clad switchgear. A review of this switchgear for proof of adequacy of the seismic-resistant design determined that the Series W motor control centers and DB breakers, mounted in the metal enclosures, have been shock tested and proved to remain fully operable for shocks of at least 3g in any direction. Since original construction, five (5) new motor control centers have been installed and certain essential loads were rearranged to enhance reliability in a Loss of Offsite Power (LOOP) event. The new motor control centers were procured in accordance with IEEE-344 and seismically installed. Seismic qualification of the reactor trip breaker shunt trip attachments (type DB-50) was performed on a generic basis by the Westinghouse Owner's Group. It has been determined that this generic qualification adequately envelops Indian Point Unit 2 seismic parameters⁴. Proof of resistance of the similar DH metal-clad switchgear to a seismic response spectrum established for the Point Beach plant has been demonstrated by vibration testing of typical, equivalent metal-clad switchgear, incorporating the similar DHP circuit breaker. The DH circuit breakers installed in the Point Beach plant were of an earlier design than the DHP. However, the general configuration, weight distribution, and vibration-resistant design approach of the DH are essentially identical to the DHP. When subjected to a seismic spectrum equivalent to or greater than the seismic test envelope given in Figure B-2 of Reference 2, there was no loss of function of the DHP metal-clad switchgear. This seismic test envelope given in Reference 2 is estimated to include all low seismic plants, that is, plants with a design-basis earthquake horizontal ground acceleration of 0.2g or less. This similarity between the DH and DB circuit breakers gives added confidence in the seismic suitability of the DB circuit breakers installed at Indian Point Unit 2.

The power supply leaving the switchgear operates the safeguards equipment completing the actuation train. The seismic design of this equipment is described in Sections 7.1 and 1.11.

The direct current power supply may be considered as a branch to this main train of actuation. The source of direct current power is the station batteries. The Class 1E station batteries and associated battery racks have been determined to be seismically qualified for their installation locations. The conduit and cable trays carrying the direct current power to the safeguards equipment train received the same study for seismic support as described above. The seismic qualification requirements for DC power panels 21 and 22 are enveloped by the generic equipment qualification described above. Additionally, these DC power panels were evaluated using Seismic Qualification Utility Group data. The evaluation shows a significant seismic margin for the two panels⁵.

Westinghouse designed and procured all systems that actuate reactor trip and safety feature actions for Indian Point Unit 2. The design of protective grade instrumentation and logic systems is in accordance with the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968. The functional design is originated at Westinghouse with equipment procurement through vendor supplies. Equipment compatibility and integration of component hardware are factored into the design by Westinghouse or under the direct supervision of Westinghouse.

7.2.2 Principles of Design

7.2.2.1 Redundancy and Independence

The protection systems are redundant and independent for all vital inputs and functions. Each channel is functionally independent of every other channel and receives power from an independent source. The isolation of redundant protection channels is described in further detail elsewhere in this section as well as in Section 7.2.3.

7.2.2.2 Manual Actuation

Means are provided for manual initiation of protection system action. Failures in the automatic system do not prevent the manual actuation of protective functions. Manual actuation requires the operation of a minimum of equipment.

7.2.2.3 Channel Bypass or Removal From Operation

The system is designed to permit any one channel to be maintained, and when required, tested or calibrated during power operation without protection system trip. Since the channel under test is either tripped or bypassed, superimposed test signals are used that do not negate the process signal. Systems are permitted to violate the single-failure criterion during channel bypass; acceptable reliability of operation has been demonstrated and the bypass time interval is short.
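The following is an added illustration, not part of the UFSAR: a simplified Python model of the two-out-of-three, deenergize-to-trip coincidence logic of Sections 7.2.1.4 and 7.2.1.8, checked against every single channel failure with one channel normal, tripped, or bypassed as in Section 7.2.2.3. All names, the two fault types, and the rule that loss of power always drops a relay are modelling assumptions, and the spray function only mirrors the "energized to operate" exception.

```python
from enum import Enum


class Fault(Enum):
    NONE = "none"
    LOSS_OF_POWER = "loss_of_power"      # the channel's independent bus is lost
    STUCK_ENERGIZED = "stuck_energized"  # channel fails to deenergize when required


class Mode(Enum):
    NORMAL = "normal"
    TRIPPED = "tripped"    # channel under test placed in the tripped state
    BYPASSED = "bypassed"  # channel under test held energized


CHANNELS = 3  # two-out-of-three circuit, as in the text
REQUIRED = 2


def relay_energized(demand, fault, mode):
    """Return True if the channel's logic relay is energized (not calling for trip).

    Assumed precedence for this sketch: loss of power or a tripped test
    state always drops the relay; a bypass or stuck fault holds it in.
    """
    if fault is Fault.LOSS_OF_POWER or mode is Mode.TRIPPED:
        return False
    if mode is Mode.BYPASSED or fault is Fault.STUCK_ENERGIZED:
        return True
    return not demand


def logic_trips(demand, faults, modes):
    """Deenergize-to-trip coincidence: trip when REQUIRED or more relays drop out."""
    dropped = sum(not relay_energized(demand, f, m) for f, m in zip(faults, modes))
    return dropped >= REQUIRED


def spray_actuates(demands, power_available):
    """Energize-to-operate exception: without power there is no actuation."""
    return bool(power_available and sum(demands) >= REQUIRED)


def single_failure_analysis(modes):
    """Apply each single fault to each channel and record the consequences.

    defeated_by: faults that stop the logic tripping on a real demand.
    spurious_by: faults that trip the logic with no demand present.
    """
    defeated, spurious = [], []
    for ch in range(CHANNELS):
        for fault in (Fault.LOSS_OF_POWER, Fault.STUCK_ENERGIZED):
            faults = [Fault.NONE] * CHANNELS
            faults[ch] = fault
            if not logic_trips(True, faults, modes):
                defeated.append((ch, fault))
            if logic_trips(False, faults, modes):
                spurious.append((ch, fault))
    return {"defeated_by": defeated, "spurious_by": spurious}


def run_cases():
    """Evaluate the three channel-0 states discussed in the text."""
    rest = [Mode.NORMAL] * (CHANNELS - 1)
    return {
        "all channels normal": single_failure_analysis([Mode.NORMAL] + rest),
        "channel 0 tripped": single_failure_analysis([Mode.TRIPPED] + rest),
        "channel 0 bypassed": single_failure_analysis([Mode.BYPASSED] + rest),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

With all channels normal no single fault defeats or spuriously trips the logic; with one channel tripped a second channel's loss of power trips the plant; with one channel bypassed a single failure to deenergize defeats the trip, which is the single-failure exception this section permits for a short interval.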

7.2.2.4 Capability for Test and Calibration

The bistable portions of the protection system (e.g., relays and bistables) provide trip signals only after signals from analog portions of the system reach preset values. Capability is provided for calibrating and testing the performance of the bistable portion of protection channels and various combinations of the logic networks during reactor operation.

The analog portion of a protection channel provides analog signals of reactor or plant parameters. The following means are provided to permit checking the analog portion of a protection channel during reactor operation:

1. Varying the monitored variable.
2. Introducing and varying a substitute transmitter signal.
3. Cross checking between identical channels or between channels, which bear a known relationship to each other and which have readouts available.

The design permits the administrative control of the means for manually bypassing channels or protection functions.

The design permits the administrative control of access to all trip settings, module calibration adjustments, test points, and signal injection points.

Protection system setpoints are maintained under procedural control and are the nominal values at which the bistables may be set. The limiting safety system settings (LSSS) for these setpoints have been determined in order to accommodate instrument drift (which is assumed to occur between operational tests) and the limitations on accuracy of measurement and calibration, and are contained in the Improved Technical Specifications as Allowable Values. A setpoint is considered to be consistent with the nominal value when the "as left" value is within the band allowed for calibration accuracy, as defined by the plant setpoint study and calibration procedures.

7.2.2.5 Information Readout and Indication of Bypass

The protection systems are designed to provide the operator with accurate, complete, and timely information pertinent to their own status and to plant safety.

Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service. Trips are indicated and identified down to the channel level.

7.2.2.6 Safeguards Initiating Circuitry

The safeguards actuation circuitry and hardware layout are designed to maintain required circuit isolation throughout, from the process sensors through the slave relays, which actuate individual safeguards components. The channelization design is shown in Plant Drawing 243318 [Formerly UFSAR Figure 7.2-15].

The safeguards bistables, mounted in the analog protection racks, drive both A and B logic matrix relays. Each individual coincident matrix contains its own test light and test circuitry. The A and B logic matrices operate separate master relays to actuate channels A and B, respectively, as shown in Plant Drawing 243319 [Formerly UFSAR Figure 7.2-16]. Control power for logic trains A and B is supplied from separate direct current sources 1 and 2, respectively. These redundant actuating channels operate the various safeguards components required, with the large loads sequenced as necessary.

Manual reset of the safeguards actuation relays may be accomplished 2 min following their operation. Manual initiation will override reset and result in safeguards actuation at all times.

Protection channel identity is lost in the intermixing of the relay matrix wiring. Physical separation of A and B logic trains is maintained by the separate logic racks.

7.2.2.7 Analog Channel Testing

The basic elements composing an analog protection channel are shown in Plant Drawing 243320 [Formerly UFSAR Figure 7.2-17]. This system consists of a transmitter, power supply, bistable, bistable trip switch and proving lamp, test signal injection switch, test signal injection jack, and test point.

Each protection rack includes a test panel containing those switches, test jacks, and related equipment needed to test the channels contained in the rack. A hinged cover encloses the signal injection switch and signal injection jack of the test panel.

Opening the cover or placing the test operate switch in the "test" position initiates an alarm identifying the rack under test. These alarms are arranged on a rack basis to preclude entry to more than one redundant protection rack (or channel) at any time. The test panel cover is designed such that it cannot be closed (and the alarm cleared) unless the test device plugs (described below) are removed. Closing the test panel cover mechanically returns the test switches to the "normal" position.

To minimize the risk of a trip during on-line testing of instrument channels, the bistables are bypassed to maintain the logic relays energized. A proving lamp across the bistable output facilitates checking the bistable trip setting during channel calibration. The bistable trip switches must be manually reset after the completion of a test. Closing the test panel cover will not restore these switches to the untripped mode. Procedures limit bistable testing to one circuit at a time.

Actual channel calibration consists of producing a test signal using the transmitter power supply external calibration device, which plugs into the signal injection jack. In this application, where specified the channel power supply serves as a power source for the calibration device to permit verifying the output load capacity of the power supply. Test points are located in the analog channel and provide an independent means of measuring and/or monitoring the calibration signal level.

7.2.2.8 Logic Channel Testing

Testing of the logic matrices is described in UFSAR Section 7.2.4.6.

7.2.2.9 Isolation of Reactor Protection and Engineered Safety Feature Signals

The following device is used to ensure that electrical isolation exists between protection and control grade signals: where protection signal intelligence is required for other than protection functions, an isolation amplifier (part of the protection set) is used to transmit the intelligence. The isolation amplifier prevents the perturbation of the protection channel signal (input) due to any disturbance of the isolated signal (output), which could occur near any termination of the output wiring external to the protection racks. A detailed discussion of the isolation amplifiers that are used in Indian Point Unit 2 is given in WCAP-9011.³

The isolation of reactor protection and engineered safety feature signals in the reactor protection logic racks is achieved by physical separation and circuit protection to meet the single failure criteria. There are three decks containing the contacts on each logic relay used. The configuration, in general, utilizes the rear deck for reactor protection and engineered safety feature signals. The center and front decks are typically used for annunciator and computer signals, respectively. The necessary isolation between the safety signals and the annunciator and/or computer signals is provided at the contacts of the relays. Separation is typically maintained by using separate wireways for safety signals, annunciator signals, and computer signals. The design basis for protection of reactor protection and engineered safety system circuit cables includes protection from failure of other non-safety system circuit cables routed in the same raceway by having the non-safety cables (like safety cables) (a) designed using conservative margins with respect to their current carrying capacities, insulation properties, and mechanical construction, (b) protected against overloads by coordinated fuses or circuit breakers, and (c) fire retardant.⁸

7.2.2.10 Vital Protection Functions and Functional Requirements

The reactor protection system monitors those parameters related to safe operation and trips the reactor to protect the reactor core against fuel rod cladding damage caused by departure from nucleate boiling, and to protect against reactor coolant system damage caused by high system pressure. The engineered safety features instrumentation system monitors parameters to detect failure of the reactor coolant system and initiates containment isolation and engineered safety features operation to contain radioactive fission products.

Section 7.2 covers those protection systems provided to:

1. Trip the reactor to prevent or limit fission product release from the core and to limit energy release.
2. Isolate containment and activate the isolation valve seal water system and weld channel penetration pressurization system when necessary.
3. Control the operation of engineered safety features provided to mitigate the effects of accidents.

The core protection systems in conjunction with inherent plant characteristics are designed to prevent anticipated abnormal conditions from causing fuel damage exceeding limits established in Chapter 3, or reactor coolant system damage exceeding effects established in Chapter 4.

7.2.2.11 Completion of Protective Action

Where operating requirements necessitate automatic or manual bypass of a protection function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are part of the protection system and are designed in accordance with the criteria of this section.

The protection systems are so designed that, once initiated, a protective action goes to completion. Return to normal operation requires administrative action by the operator.

7.2.2.12 Multiple Trip Settings

Where it is necessary to change to a more restrictive trip setting to provide adequate protection for a particular mode of operation or set of operating conditions, the design provides positive means of ensuring that the more restrictive trip setting is used. The devices used to prevent improper use of less restrictive trip settings are considered a part of the protection system and are designed in accordance with the other provisions of these criteria.

7.2.2.13 Interlocks and Administrative Procedures

Interlocks and administrative procedures required to limit the consequences of fault conditions other than those specified as limits for the protection function comply with the protection system criteria.

7.2.2.14 Deleted

7.2.3 System Design

7.2.3.1 Reactor Protection System Description

Plant Drawing 243321 [Formerly UFSAR Figure 7.2-18] is a block diagram of the reactor protection system. Reactor trips are described in Section 7.2.5.1.

Figure 7.2-19 illustrates the core thermal limits and shows the trip points that are used for the protection system. The solid lines are a locus of limiting design conditions representing the core thermal limits at four pressures. The core thermal limits are based on the conditions that yield the applicable limit value for departure from nucleate boiling ratio (DNBR) or those conditions that preclude bulk boiling at the vessel exit. The dashed lines indicate the maximum permissible trip points for the over-temperature high T reactor trip including allowances for measurement and instrumentation errors.

The maximum and minimum pressures shown (2440 and 1860 psia) represent the limiting setpoints for the high-pressure and low-pressure reactor trips.

Adequate margins exist between the worst steady-state operating point (including all temperature, calorimetric, and pressure errors) and required trip points to preclude a spurious plant trip during design transients.

7.2.3.2 Engineered Safety Features Instrumentation Description

Plant Drawings 225102, 225103, and 225104 [Formerly UFSAR Figures 7.2-9, 7.2-10, and 7.2-12] show the logic diagrams, and Plant Drawings 243313 and 243314 [Formerly UFSAR Figures 7.2-20 and 7.2-21] show the level and pressure action initiating sensors and bistables for the engineered safety features instrumentation.

7.2.3.2.1 Indication

All transmitted signals (flow, pressure, temperature, etc.), which can cause a reactor trip, are either indicated or recorded for every channel.

The channel isolation and separation criteria as described for the reactor protection circuits are applied to the engineered safety features actuation circuits.

7.2.3.2.2 Protective Actions

The engineered safety features actuation system automatically performs the following vital functions:

1. Start operation of the safety injection system upon low pressurizer pressure signal, or high containment pressure signals (high pressure and high-high pressure), or on high differential pressure between any two steam generators, or on coincidence of high steam flow in any two steam lines (automatically blocked when Tavg and steam pressure are above certain limits).
2. Operate the containment ventilation isolation valves and the automatic containment isolation valves in nonessential process lines (phase A containment isolation) and generate a feedwater isolation signal upon detection of a safety injection signal as described in item 1 above. The isolation valve seal water system (IVSW) and the weld channel penetration pressurization system (WCPPS) are actuated automatically by the containment isolation signal. In addition, a high containment or plant ventilation radioactivity signal will operate the containment ventilation isolation valves.
3. Start the containment spray system and close the main steam line isolation valves upon detection of a higher containment pressure signal than in item 2 above (high-high containment pressure). The containment spray signal will operate the remaining automatic containment isolation valves (Phase B containment isolation) and the containment ventilation isolation valves. In addition, the main steam line isolation valves will close upon receipt of a signal from the steam line break protection logic.
4. Start operation of the safeguards equipment actuation sequence signal. This includes actuation signals to such components as auxiliary feedwater pumps, service water pumps, fan coolers, and diesel generators.

7.2.3.2.3 Safety Injection Trips

The safety injection is provided to detect breaks in the primary or secondary systems and to initiate operation of components associated with the engineered safeguards system. The reactor is tripped upon receipt of a safety injection signal to limit the severity of the accident.

The initiation of these signals is discussed in this section. The safety injection signal diagram is shown in Plant Drawing 225105 [Formerly UFSAR Figure 7.2-12].

The safety injection trip signal is initiated by any one of the following events:

1. Low pressurizer pressure.
2. Steam break upstream of the steam line isolation valves.
3. Steam break downstream of the steam line isolation valves.
4. High containment pressure (approximately 2 psig).
5. High-high containment pressure (approximately 24 psig).
6. Manual signal.

In addition to providing a reactor trip, the safety injection signal will:

1. Initiate a turbine trip, which will, after an approximate 30 second delay, initiate a generator trip and bus transfer.
2. Initiate a feedwater system isolation.
3. Initiate a safeguards equipment sequence signal, including starting of the diesels.
4. Initiate a containment ventilation isolation.
5. Initiate a containment phase A isolation.
6. Place the isolation valve seal water system and weld channel penetration pressurization system into service.

7.2.3.2.3.1 Low Pressurizer Pressure

This particular phase of the safety injection trip signal is provided to shut down the reactor in the event of a break in the reactor coolant system whereby the reactor coolant would be released either to containment or to the secondary side of the steam generators, depending on the location of the leak. This trip also serves as a backup to the steam break protection logic for the secondary plant. A steam break would be accompanied by excessive heat removal from the primary coolant and a rapid reduction in Tavg. This in turn will cause a drop in pressurizer pressure as well as an increase in reactivity.

There are three low pressurizer pressure channels, and any two of the three initiate a safety injection signal before pressurizer pressure drops below 1801 psig, in accordance with Technical Specification requirements. Pressurizer level channels that previously were included in this logic were eliminated as a direct result of the TMI incident, which demonstrated that pressurizer level will rise if the primary system leakage path is above the pressurizer vapor space. The pressurizer pressure signals are derived from the same channels used for the low-pressure reactor trip; however, lead/lag units are not used. This trip is manually bypassed on a reactor coolant system cooldown once the pressure (as sensed by two-out-of-three channels) has been reduced below 1940 psig, by manual action of the "Block SI" switch on the safeguards panel. This bypass will be automatically removed when pressurizer pressure exceeds 1940 psig. A manual unblock feature is also provided for the case where it is desired to place this circuit back in service following a block signal and with the pressurizer pressure below 1940 psig. The low pressurizer pressure signal logic is shown schematically in Plant Drawing 225105 [Formerly UFSAR Figure 7.2-12].

7.2.3.2.3.2 Steam Line Break Upstream of Steam Line Isolation Valves/High Steam Line ΔP

A steam line break in this section of pipe would be characterized by a low steam-generator pressure because the non-return valve would close and the particular steam generator in question would feed directly into containment or to the atmosphere through the open-ended pipe. An absolute value of steam-generator pressure cannot be used to indicate this type of break because the steam-generator pressure will vary from atmospheric pressure to a no-load value of approximately 1000 psig during startup and then back down to approximately 700 psig as full load is reached. Therefore, a comparison circuit (as shown in Plant Drawing 225103 [Formerly UFSAR Figure 7.2-10]) is employed whereby each steam generator's pressure is compared to the pressure in each of the other three steam generators. A two-out-of-three logic is employed such that if a given steam-generator's differential pressure increases above a fixed setpoint when compared to two of the remaining three steam generators, a safety injection signal will be initiated.

A steam generator being out of service would not affect the logic because, in this case, there will be a reverse reactor coolant flow through the steam generator and the pressure in the steam generator would be that corresponding to the saturation point for the reactor inlet temperature. This will be approximately 1000 psig assuming the air-operated steam line isolation valve was closed. If this valve were not closed, the pressure in the steam generator out of service would just follow that of the remaining steam generators, and likewise, this would not affect the logic. Although three-loop operational capability is possible on a continued basis, the plant Technical Specifications do not permit this mode of operation.

A steam line break, whether it be upstream or downstream of the isolation valves, will result in a cooldown of the reactor coolant system and a subsequent addition of reactivity, due to the negative moderator temperature coefficient, and also a decrease in the reactor coolant system water volume, due to the density change as discussed in Section 14.2.5.1. The safety injection signal, as previously discussed, will initiate safeguards systems to protect against the adverse conditions resulting from the steam line break.
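The low pressurizer pressure block from Section 7.2.3.2.3.1 is one instance of the automatic bypass removal and completion-of-action criteria in Section 7.2.2.11. The sketch below is an added example, not plant logic or vendor code: the class and method names are hypothetical, the 1801 psig limit is used directly as the bistable setpoint, and the channel readings are constructed.

```python
from dataclasses import dataclass

# Values taken from the text above
SI_LIMIT_PSIG = 1801.0          # SI must be initiated before pressure drops below this
BLOCK_PERMISSIVE_PSIG = 1940.0  # "Block SI" is only effective below this pressure


def two_of_three(votes) -> bool:
    """Two-out-of-three coincidence on three channel bistables."""
    return sum(bool(v) for v in votes) >= 2


@dataclass
class LowPressurizerPressureSI:
    blocked: bool = False      # state of the manual "Block SI" bypass
    si_latched: bool = False   # safety injection signal, sealed in once initiated

    def _permissive(self, channels_psig) -> bool:
        # Permissive is met when 2/3 channels read below 1940 psig.
        return two_of_three(p < BLOCK_PERMISSIVE_PSIG for p in channels_psig)

    def request_block(self, channels_psig) -> bool:
        """Operator turns the "Block SI" switch; ignored unless the permissive is met."""
        if self._permissive(channels_psig):
            self.blocked = True
        return self.blocked

    def manual_unblock(self) -> None:
        """Operator restores the trip while pressure is still below 1940 psig."""
        self.blocked = False

    def scan(self, channels_psig) -> bool:
        """Evaluate one set of three channel readings and return the SI signal."""
        if self.blocked and not self._permissive(channels_psig):
            self.blocked = False   # bypass removed automatically, no operator action
        low = two_of_three(p <= SI_LIMIT_PSIG for p in channels_psig)
        if low and not self.blocked:
            self.si_latched = True  # once initiated, the action goes to completion
        return self.si_latched

    def operator_reset(self) -> None:
        """Administrative reset; the "Defeat" key switches are not modelled here."""
        self.si_latched = False


def cooldown_then_repressurize() -> list:
    """Constructed sequence: block refused at power, accepted on cooldown, then lost."""
    logic = LowPressurizerPressureSI()
    return [
        logic.request_block((2235.0, 2235.0, 2235.0)),  # permissive not met
        logic.request_block((1930.0, 1935.0, 1950.0)),  # 2/3 below 1940: accepted
        logic.scan((1700.0, 1700.0, 1700.0)),           # blocked, no SI
        logic.scan((1950.0, 1945.0, 1930.0)),           # bypass drops out by itself
        logic.scan((1790.0, 1790.0, 1790.0)),           # trip is live again: SI
    ]


if __name__ == "__main__":
    print(cooldown_then_repressurize())
```

The useful property to check in any such bypass is the fourth step: the block disappears on the permissive alone, so a forgotten switch cannot leave the trip defeated once pressure is back above 1940 psig.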

7.2.3.2.3.3 Steam Line Break Downstream of the Isolation Valves

A steam line break in this section of pipe will be characterized by an abnormally high steam flow in the four steam lines because they are cross connected in a header arrangement and will all feed the break. To prevent the steam generators from continuing to feed the break, this particular mode of steam line break protection will close the four main steam isolation air-operated check valves.

An absolute value of steam flow cannot be used to initiate the protection since the steam flow will vary from 0 lb/hr at cold shutdown to approximately 3.5 x 10^6 lb/hr per steam generator at full load. Therefore, a comparison circuit is used in which steam flow is compared to a programmed signal on the basis of turbine inlet pressure.

Steam flow is sensed by measuring the differential pressure (ΔP) across a steam flow element in the main steam line. One flow element and two ΔP transmitters are used for each main steam line associated with each steam generator; the steam flow is proportional to the square root of the ΔP across the nozzles. For this particular circuit, however, the steam flow signal is not used, but the steam flow squared or ΔP signal is used (steam flow squared ∝ ΔP). Turbine inlet pressure increases with load and varies from 0 psia at no load to approximately 655 psia at full load, based on modifications to the HP Turbine and its steam inlet configuration. It is sensed by two pressure transmitters and applied to a programmer (controller) that generates the function K1 + K2 · P(turbine inlet). The constants K1 and K2 are chosen such that the output of the programmer will correspond to the ΔP signal for 40-percent steam flow from no load to 20-percent load and ramped to 110-percent for full load (see Plant Drawing 243315 [Formerly UFSAR Figure 7.2-22]).

The output from one programmer is used as an input to a comparison bistable. A steam flow signal from one steam generator is used as the second input. If the steam flow signal exceeds the programmed signal, that particular channel will be tripped.

The second steam flow and programmed turbine inlet pressure signals are used in a redundant bistable comparison circuit. The output of the two bistables is sent to a one-out-of-two logic circuit.

Each programmed turbine inlet pressure signal is applied to four comparison circuits, one for each steam generator.

Each of the four one-out-of-two logic circuits is then fed to a two-out-of-four logic for the generation of the steam line break signal. Thus, a steam line break downstream of the isolation valves must be sensed by two-out-of-four channels to initiate a safety injection signal. See Plant Drawing 225103 [Formerly UFSAR Figure 7.2-10] for the logic diagram of this circuitry.

The high steam line flow signal is so interlocked that it cannot initiate a safety injection signal unless it is accompanied by either a low Tavg signal (two-out-of-four Tavg channels below 542°F) or a low steam-generator pressure signal (two-out-of-four steam pressure channels below 565.3 psig). The Tavg channels are derived from resistance temperature detectors in the reactor coolant system. These interlocks are provided to allow for startup, steam dump, or atmospheric relief valve protection. Under these conditions the steam flow will be greater than the value programmed by the turbine inlet pressure; however, it is acceptable under these circumstances. If a steam line break did actually occur, the average reactor coolant temperature would decrease as would the steam generator pressure because there is now an uncontrollable steam release.

The high steamline flow coincident with low Tavg or a low steam generator pressure signal is delayed up to two seconds prior to being sent out to safeguard activation logic to provide main steam line isolation and safety injection.
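The comparison and coincidence logic of this section, written out as an added example (not plant or vendor code). The ΔP normalization, the linear relation between turbine inlet pressure and load, the straight-line ramp in the ΔP domain and all plant states are assumptions constructed for illustration; the time delay of up to two seconds is not modelled.

```python
from dataclasses import dataclass

# Values taken from the text above
FULL_LOAD_TURBINE_PSIA = 655.0   # approximate turbine inlet pressure at full load
LOW_TAVG_F = 542.0               # low Tavg interlock (2/4 channels below)
LOW_STEAM_PRESS_PSIG = 565.3     # low steam pressure interlock (2/4 channels below)

# Modelling assumptions (not from the text): dP is normalized so that 100 %
# steam flow gives dP = 1.0, turbine inlet pressure is linear in load (so 20 %
# load is 131 psia), and the ramp is a straight line in the dP domain.
DP_FLAT = 0.40 ** 2              # dP corresponding to 40 % steam flow
DP_FULL = 1.10 ** 2              # dP corresponding to 110 % steam flow
P_KNEE = 0.20 * FULL_LOAD_TURBINE_PSIA
K2 = (DP_FULL - DP_FLAT) / (FULL_LOAD_TURBINE_PSIA - P_KNEE)
K1 = DP_FLAT - K2 * P_KNEE


def programmed_dp(p_turbine_psia: float) -> float:
    """Programmer output K1 + K2*P, held at the 40 % flow value below the knee."""
    return max(DP_FLAT, K1 + K2 * p_turbine_psia)


def k_of_n(votes, k: int) -> bool:
    """Coincidence logic: true when at least k inputs are tripped."""
    return sum(bool(v) for v in votes) >= k


@dataclass(frozen=True)
class Snapshot:
    turbine_psia: tuple    # (transmitter A, transmitter B)
    steam_dp: tuple        # four steam lines, each (dP A, dP B), normalized
    tavg_f: tuple          # four Tavg channels
    sg_press_psig: tuple   # four steam pressure channels


def high_flow_trips(s: Snapshot) -> list:
    """One-out-of-two per steam line: dP A vs programmer A, dP B vs programmer B."""
    setpoints = [programmed_dp(p) for p in s.turbine_psia]
    return [any(dp > sp for dp, sp in zip(line, setpoints)) for line in s.steam_dp]


def steam_line_break_signal(s: Snapshot) -> bool:
    """2/4 high steam flow AND (2/4 low Tavg OR 2/4 low steam pressure)."""
    high_flow = k_of_n(high_flow_trips(s), 2)
    low_tavg = k_of_n([t < LOW_TAVG_F for t in s.tavg_f], 2)
    low_press = k_of_n([p < LOW_STEAM_PRESS_PSIG for p in s.sg_press_psig], 2)
    return high_flow and (low_tavg or low_press)


# Constructed plant states (illustrative values only)
NORMAL = (1.0, 1.0)                      # 100 % flow on both dP transmitters
HOT = (560.0,) * 4                       # Tavg well above the interlock
FULL_POWER = Snapshot((655.0, 655.0), (NORMAL,) * 4, HOT, (700.0,) * 4)
# Steam dump at no load: 45 % flow exceeds the 40 % setpoint, interlocks not met
STEAM_DUMP = Snapshot((0.0, 0.0), ((0.45 ** 2,) * 2,) * 4, (547.0,) * 4, (1000.0,) * 4)
# Break downstream of the valves: all lines feed it and Tavg is falling
BREAK = Snapshot((655.0, 655.0), ((1.6, 1.6),) * 4,
                 (538.0, 539.0, 545.0, 546.0), (650.0,) * 4)
# One steam flow transmitter failed high while Tavg is low: only one line trips
FLOW_XMTR_HIGH = Snapshot((655.0, 655.0), ((9.9, 1.0),) + (NORMAL,) * 3,
                          (538.0, 539.0, 545.0, 546.0), (700.0,) * 4)
# One turbine pressure transmitter failed low: its programmer feeds all four
# lines, so every high-flow channel trips and only the interlock holds
TURBINE_XMTR_LOW = Snapshot((0.0, 655.0), (NORMAL,) * 4, HOT, (700.0,) * 4)

if __name__ == "__main__":
    for name in ("FULL_POWER", "STEAM_DUMP", "BREAK",
                 "FLOW_XMTR_HIGH", "TURBINE_XMTR_LOW"):
        state = globals()[name]
        print(name, high_flow_trips(state), steam_line_break_signal(state))
```

In this model a single failed-low turbine inlet pressure transmitter trips the high-flow bistables on all four lines at once, which shows why the low Tavg or low steam pressure coincidence carries the burden of preventing a spurious actuation.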

7.2.3.2.3.4 High Containment Pressure

A containment pressure of 2.0 psig, as indicated by two-out-of-three containment pressure signals, will initiate a safety injection trip signal. This protection is provided for the case where a small leak into containment (either primary or secondary) exists and is within the bounds of the control and protection systems. It is required in order to limit the maximum pressure inside containment should the leak increase to major proportions. See Plant Drawing 225105 [Formerly UFSAR Figure 7.2-12] for this logic diagram.

7.2.3.2.3.5 High-High Containment Pressure

High-high containment pressure, as indicated by the actuation of redundant two-out-of-three logics, will initiate a containment spray actuation signal. The bistable devices will be actuated when the containment pressure reaches 24 psig. In addition to initiating containment spray, high-high containment pressure will also result in a phase B containment isolation, a containment ventilation isolation, safety injection trip signal, and steam line isolation. This safety injection actuation acts as a backup to the high containment pressure logic. The steam line air-operated check valves are closed to prevent overpressurization of containment from a steam break inside containment with simultaneous failure of the non-return check valve in that loop, as discussed in UFSAR Section 14.2.5.4 [Deleted]. A secondary reason is that had the increase in pressure been caused by a steam line rupture, a path through the rupture will exist, which connects the containment atmosphere to the secondary plant or outside atmosphere. This path must be blocked to prevent any uncontrolled radioactivity release.

[Deleted] Dual actuation logic is used in the formation of the high-high containment pressure signal in each redundant Train, to prevent containment spray system actuation on a spurious signal. See Plant Drawing 225105 [Formerly UFSAR Figure 7.2-12] for this logic diagram.

7.2.3.2.3.6 Manual Push Buttons

Two push buttons are provided for manual initiation of safety injection. Each button will activate one train of safety injection logic. While the primary purpose of these push buttons is to initiate safety injection manually, pressing these buttons will also result in a reactor trip.

Safety injection can be reset without first clearing the automatic initiating signal(s), by placing the Train A or Train B "Normal - Defeat" key interlock switches in the "Defeat" position, and then using the reset push buttons. When these key switches are in "Defeat" position, lights above the switches illuminate and an alarm annunciates in the CCR. The manual actuation push button will override the defeat and reset function to reinitiate safety injection.

Push buttons for manual system actuation are provided for the containment isolation Phase A, containment isolation Phase B, and containment spray functions. Key interlock "Defeat" switches for system level reset are not provided for these functions. However, key bypass switches are provided for containment isolation Phase A and containment ventilation isolation (Train B only) to enhance reset capability at the equipment level in case of a failure in the daisy chain reset logic.

The automatic initiating signal(s) for containment isolation Phase A, containment isolation Phase B, and containment spray functions must first be cleared before the system actuation can be reset. The manual system actuation push buttons may be used at any time to reinitiate the system function.

7.2.3.2.3.7 Steam Line Isolation

Any of the following signals (discussed in Sections 7.2.3.2.3.2 and 7.2.3.2.3.3) will close all steam line isolation valves:

1. Coincidence of high steam flow in any two steam lines with low Tavg (2/4) or low steam pressure (2/4). Automatically blocked when Tavg and steam pressure are above certain limits.
2. High-high containment pressure signals (2/3 high-high + 2/3 high-high pressure).
3. Steam line isolation valves can also be closed one at a time by manual action.

7.2.3.2.3.8 Main Feedwater Line Isolation

A safety injection signal or high-high water level (2/3) in any steam generator will close the discharge valves from both main feedwater pumps and will close feedwater control (main and low flow bypass) valves. Each main feedwater pump will trip on closure of its discharge valve. See Plant Drawing 225106 [Formerly UFSAR Figure 7.2-13].

7.2.3.2.3.9 Deleted

7.2.4 System Safety Features

7.2.4.1 Separation of Redundant Protection Channels

The reactor protection system is designed on a channelized basis to achieve separation between redundant protection channels. The channelized design, as applied to the analog as well as the logic portions of the protection system, is illustrated by Figure 7.2-23 and is discussed below. Although shown for four-channel redundancy, the design is applicable to two- and three-channel redundancy.

The separation of redundant analog channels originates at the process sensors and continues through the field wiring and containment penetrations to the analog protection racks. Physical separation is used to the maximum practical extent to achieve the separation of redundant transmitters. The separation of field wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant channel. Analog equipment is separated by locating redundant components in different protection racks. Each channel is energized from a separate AC power feed.

The reactor trip bistables are mounted in the protection racks and are the final operational component in an analog protection channel. Each bistable drives two logic relays ("C" and "D"). The contacts from the C relays are interconnected to form the required actuation logic for trip breaker 1 through DC power feed 1. The transition from channel identity to logic identity is made at the logic relay coil/relay contact interface. As such, there is both electrical and physical separation between the analog and the logic portions of the protection system. The above logic network is duplicated for trip breaker 2 using DC power feed 2 and the contacts from the D relays. Therefore, the two redundant reactor trip logic channels will be physically separated and electrically isolated from one another. Overall, the protection system is composed of identifiable channels that are physically, electrically, and functionally separated and isolated from one another.

7.2.4.1.1 Reactor Protection and Engineered Safety Equipment Identification

A color code of red, white, blue, and yellow is established for analog protection channel sections I, II, III, and IV, respectively. Large identification plates with the appropriate background color are attached at the front and back surface of each analog rack for the identification of analog protection channel racks. Protection and safeguards relay racks are identified similarly on the input side of the racks where protection signals from the various protection channels are received.

Cable trays and cables have numbered tags for identification, which, in conjunction with plant drawings, can be related to specific functions. The identification tags do not themselves differentiate between protection and non-protection cables and trays.

7.2.4.1.2 Access to Reactor Protection System Panels

Because of the control room arrangement, access to the protection racks is under the administrative control of the plant operator as authorized by the shift supervisor. The opening of a rack door is not annunciated; however, the opening of any of the test panel covers that give access to the switches and signal injection points is annunciated on a protection set basis (i.e., four windows, one for each protection set). Access to these switches and signal injection points permits the channel to be defeated.

7.2.4.1.3 Physical Separation

The physical arrangement of all elements associated with the protection system reduces the probability of a single physical event impairing the vital functions of the system.

System equipment is distributed between instrument cabinets so as to reduce the probability of damage to the total system by some single event. Wiring between vital elements of the system outside of equipment housing is routed and protected so as to maintain the true redundancy of the systems with respect to physical hazards.

The separation of channels is established wherever practical by the use of separate trays and conduits. In the cable spreading room, electrical tunnel, and other areas with a high density of electrical cables, multiple channels are run in a single ladder tray, but separation is generally maintained within the tray by the use of a 16-gauge sheet metal divider, equal in height to the tray side (typically four inches), between the different channels. Where such dividers are used in heavy power or medium power cable trays, a double sheet metal divider with approximately 1-in. of space between is used. The double divider is used in congested trays (e.g., heavy power trays to the Electrical Penetration Area) a single divider is used. In addition, whenever a power tray is located beneath an instrument or control channel tray, or a different channel of heavy power cables, a transite barrier or sheet metal barrier of sufficient thickness (approximately 0.25 inches) is installed between the trays. Such barriers are considered to be redundant as the power cable insulation being used is fire retardant and will not support combustion without excitation. Thermal blankets are used to enhance separation of cables in certain locations. Use of blankets inside the containment has been evaluated to show they will not degrade and block the recirculation sump in the event of a loss-of-coolant accident. Thermal blankets are not intended to be rated fire barriers for purposes of meeting requirements of NFPA or 10 CFR 50 Appendix R.

A few non-safety related power cables run with or cross-over redundant safety circuits. Fuses and/or current limiters (which are similar to fuses) have been installed in these circuits to ensure that an overload or fault will not cause them to exceed thermal limits and affect redundant channels.

The electrical tunnel consists of a square concrete conduit having an inside dimension of approximately 10-ft wide and 8-ft high. Arrayed on either side of a 3-ft aisle are seven 36-in. ladder trays on one side and four 36-in. and one 1-ft tray on the other side. These trays in the Electrical Tunnel are arranged in two vertical stacks with one stack supplying the PAB upper elevations and EDG Building and the other supplying the PAB lower elevations, the Auxiliary Feedwater Building and the Containment.

Separation between redundant channels is a minimum of 7.5" vertically and varies horizontally from a 16-gauge sheet metal divider to the width of the aisle. The four channels on nuclear instrumentation sensor cables are in individual conduits that are supported at the end of the four trays and have a separation of approximately 12-in.

Inside the Electrical Tunnel, the power channels have a vertical separation of 7.5-in. which includes a 0.25-in. transite barrier or 16-gauge sheet metal barrier between trays as previously described. Power channels are separated horizontally by two 16-gauge sheet metal dividers with approximately 1-in. space between them.

Trays outside the Electrical tunnel are generally arranged in stacked configurations. Trays are separated vertically to the maximum extent practicable since vertical separation between trays varies based on cable functionality and location within the plant.

Plant Drawing 243317 [Formerly UFSAR Figure 7.2-24] shows a section view of the tunnel and identifies the channeling used within the area.

7.2.4.1.4 Reactor Protection and Engineered Safety System Cable Circuits

The reactor protection and engineered safety system cable circuits are divided into as many channels as is required to preserve the basic redundancy and independence of the systems. Channel separation is maintained as indicated below and is continuous from the sensors at the entrance to the receiver racks to logic cabinets to actuation devices in such a manner that failure within a single channel is not likely to cause the loss of the basic protection system or cause a failure that would prevent the actuation of the minimum safeguards devices when called for.

To satisfy the above criteria, the following are provided: for instrument cables, four separate channels throughout; for control and small power cables, a minimum of two separate channels throughout, a third in many portions of the raceway system and a fourth as required; for heavy power cables, a minimum of two separate channels throughout and a third in most portions of the raceway system; and diesel and switchgear direct current control feeds that originally utilized two battery power supplies have been upgraded to four battery power supplies as part of the improvements made to the 125-V DC supplies. In addition to such channels of separation, cables are also assigned to individual routing systems in accordance with voltage level, size, and function category.

Seven (7) major independent conduit and/or tray systems are used for such purposes and establish the separation of the following:

1. 6.9-kV AC power cables.
2. Heavy 125-V DC power cables and heavy 480-V AC (over 100 hp) power cables.
3. Lighting panel feeders and medium power (greater than No. 12 AWG wire size) 480-V AC cables.
4. Control and small power cables.
5. Instrument cables.
6. Rod control cables.
7. 13.8-kV AC power cables.

Typically, cables are routed in cable trays consistent with their voltage level classification. There are instances where cables are routed in a cable tray that is associated with a different voltage class, which results in a mixing of cables. The voltage class mixing of certain cables is governed by the IP2 Electrical Separation Design Criteria standard or by approved Design Engineering evaluations.

7.2.4.1.5 Electrical Penetrations

The electrical penetrations are in a single area, composed of about 60 assemblies arrayed in a group of low voltage power, control, and instrument wire assemblies and a separate group of 6.9-kV assemblies. The 6.9-kV assemblies are separated from the rest of the units by a distance of approximately 6-ft.

The main group of assemblies (penetration canisters) are arranged in four rows high, with each row separated from another row by 3-ft. Each assembly in a row is spaced on approximately 3-ft centers. Each assembly has only one category of circuit within it. The various penetration canisters consist of units of No. 12 AWG, No. 16 AWG shielded twisted pairs, No. 16 AWG shielded twisted quads, No. 10 AWG, No. 4 AWG, 250 MCM No. 4/0 AWG, and triax. Channel separation is maintained to and from the penetrations and no two safety system channels are run through a single penetration. Heavy power assemblies are placed in the bottom two rows of penetrations. The bottom row of penetrations is below the postulated post-LOCA flood level and included no safety-related assemblies. Redundant heavy power penetrations are not adjacent to each other nor are they vertically stacked. The northwest portion of the Electrical Penetration area is dedicated for Train "A", the middle portion for Train "B" and the southeast portion for Train "C" heavy power penetrations.

In general, the separation between redundant or channelized circuits is expected to be greater than the spacing between two adjacent assemblies.

In the containment electrical penetration area, the free air spacing between redundant channel conductors, located in adjacent penetrations is at least twenty-eight (28") inches. It is unlikely that any incident could affect more than one penetration. However, transite barriers above the power cables at the penetrations inside and outside of containment are designed to give added protection against damage to cables located above in the event of a high-capacity fault.

However, some low voltage power, control and instrumentation channels, located in adjacent electrical penetrations, have free air spacing between redundant channel conductors, of at least twenty-eight (28") inches. The control instrument and small power assemblies are furnished with factory installed pigtails, and field splices are therefore well away from the canister face.

The electrical penetration area is in a concrete vault, dead ended at one end so that no traffic is expected in this area.

7.2.4.1.6 Cable Separation

The design and use of fire stops, seals and barriers to meet 10 CFR 50.48 criteria for the prevention of flame propagation where cable and cable trays pass through walls and floors is found in the document under separate cover entitled, "IP2 Fire Hazards Analysis."

The safeguards control panels (SB-1, SB-2) have protective barriers installed to prevent inadvertent contact or damage to control cables, fuses, relays, and switches by personnel in the service aisle. These devices consist of barriers over horizontal terminal strips, vulnerable switch terminals, and expanded metal covers over the back of the front safeguards panels and the front of the rear safeguards panels.

Cables are protected in hostile environments by a number of devices. Running the cable in a rigid, galvanized conduit is the most frequently used method of protection. For underground runs, polyvinyl chloride heavy wall conduit encased in a concrete envelope provides maximum protection. When cable is run in a tray, peaked covers are used in areas where physical damage to cables may result from falling objects or liquids. In addition, covers are provided on horizontal cable trays that are exposed to the sun.

Conduits and cables are marked by tags attached at each end. These tags are embossed to conform to the identification given in the Conduit and Cable Schedule. At each conductor cable termination, the conductors are marked to indicate the terminal designation of each conductor.

The control over and administrative responsibility for all of the above during design and installation rested with United Engineers and Constructors, Inc., as the architect-engineer and with WEDCO as the construction contractor.

In the containment electrical penetration area, the free air spacing between redundant channel conductors, located in adjacent penetrations, is at least twenty-eight (28") inches. It is considered unlikely that any incident could affect more than one penetration. However, transite barriers above the power cables at the penetrations inside and outside of containment are designed to give added protection against damage to cables located above in the event of a high-capacity fault.

Redundancy and separation requirements were initiated by the cognizant electrical or mechanical design engineer. These were then reviewed by the designers of the electrical system installation, thus providing a check. The work of the designer, who prepared the applicable circuit schedule sheet (which designates the cable routing and termination), was spot checked by the cognizant electrical engineer.

The construction group installed the cable as directed by the circuit schedule sheet. The installations were followed by Westinghouse field engineers, and spot checks of circuit installations were made to ensure further that the installation was in accordance with the design. Con Edison also spot checked the installation.

7.2.4.1.7 Cables

The bulk of original plant cables outside the containment, with the exception of the 8-kV, are insulated with polyvinyl chloride with a fire retardant asbestos jacket. Excluding the 8-kV cables, cables used inside the containment are silicone rubber or Kerite insulated to provide greater radiation resistance. The 8-kV cables are insulated with XLPE and are run in separate trays with maintained spacing. Cables used for plant additions include EPR/neoprene insulation for outside the containment and cross-linked polyethylene insulation for inside and outside of the containment. [Deleted] Cables used for plant additions or cables entering the Safeguards Raceway have been designed to originally referenced FSAR cable tests and the latest applicable versions of IEEE-323 and IEEE-383. Cables that do not enter the Safeguards Raceway, i.e. cables rated above 600V, maintenance and test cables, grounding and communication / data processing cables and Unit 1 cables are not designed to meet the requirements of IEEE-323 or IEEE-383.

Physical loading of cable trays was controlled by means of the conduit and cable schedule. Trays containing instrumentation, control and small / medium power cables were regulated to have a maximum fill of 70-percent of the tray area, while those containing larger power cables were limited to one or two layers depending on the size and use of the cables.

Cables in trays with no maintained spacing were derated according to their temperature rating, the number of cables in the tray, and size variation of these cables. The base rating and foundation for all derating calculations was taken from IPCEA Publication P-46-426, "Power Cable Ampacities - Copper Conductors," using the proper conductor temperature and ambient conditions for the application. A derating factor was then applied to the base rating according to the number of conductors in the tray. Cables on opposite sides of the dividers in power trays were considered to be in different trays for this calculation. The derating factor used was based on standard load diversity. Lastly, the cables were derated to eliminate any hot spots that might occur due to the presence of larger-than-average size conductors in the tray. For the pressurizer heater cables that have no diversity, a thermal study was made using actual load conditions to determine that the internal temperature of the cables was within safe limits.

All cables serving 6.9-kV motors, station service transformers, 480-V switchgear supplied motors, and 480-V motor control centers are protected against overloads by circuit breakers. The 480-V circuits for motors under 125 hp are protected by fuses and/or circuit breakers. In some instances, fuses are backed up by circuit breakers or overload devices in the starters for these motors. Instrumentation and direct current circuits are protected by circuit breakers.

To provide forced-air circulation to maintain cable conductor temperatures within acceptable limits, two separate fans, either of which is capable of removing all heat necessary to prevent excessive cable temperatures during operation of the safeguard equipment, have been provided for the electrical tunnel. These fans are supplied from separate diesel-generator buses.

7.2.4.2 Electrical Equipment Design

The safety-related electrical equipment is designed to operate and perform its design function within specified safe limits without degradation of performance (accuracy, repeatability, time response) under the expected normal and abnormal ambient conditions associated with its location. The normal ambient design temperature range is 75F plus or minus 10F for equipment located in the central control room. The abnormal ambient condition associated with the design of the safety equipment in the central control room is 120F for short-term operation associated with a loss of air conditioning. Safety-related electrical equipment in other than the central control room is designed to operate under the worst-case environment for which it is required to perform its function. For example, in the containment, the ex-core neutron detectors and cables are designed to operate continuously in an ambient temperature of 135F and for a period of at least eight (8) hours in an ambient temperature of 175F, and a maximum pressure of 100 psia, provided the detector connectors are protected against moisture intrusion. However, as discussed in the NRC's November 27, 1995 Supplemental Safety Evaluation, the excore neutron flux instrumentation doesn't need to be environmentally qualified per Regulatory Guide 1.97 Revision 2 because accident diagnosis and plant recovery can be accomplished using alternate instrumentation and boron capability as directed by plant Emergency Operating Procedures. All plant areas which can be subjected to harsh environmental conditions as a result of LOCA or HELB and environmental parameters for those areas, at IP2, are identified by Calculation #PGI-00408-00 Rev. 0 (Reference 9). Environmentally qualified safety related process transmitters and sensors throughout the plant will function normally in normal environmental conditions and, in an accident situation, under abnormal environmental conditions, subject to environmental parameters as defined by their site-specific locations per Tables 9.1-1 & 9.1-2 of the Electrical Equipment Environmental Qualification Program (Reference 10) and IP2-EQ Master List (Reference 11). The effective inside containment normal temperature for calculating equipment qualified life is a continuous annual temperature of 120°F. It has been demonstrated by analyses that a continuous annual temperature of 120°F is a conservative temperature for equipment qualification purposes, as it envelops the thermal degradation resulting from utilization of average monthly temperatures ranging from 95 to 130°F (Reference 9).

The ventilation systems of concern outside the central control room are designed to cope with a single active failure. For example, in the event of a design basis accident with the single active failure occurring in the PAB ventilation system, all safety related systems would survive the resulting increase in area temperature. Credit is taken for operator action upon entry into the recirculation phase. The limiting case is the Small Break Loss of Coolant Accident, wherein recirculation is delayed until 4 hours after the accident. At this point the maximum temperature is 144F (by analysis) in the SI pumps room.

The central control room contains most of the safety-related equipment; therefore, it represents the limiting condition for temperature that would require reactor shutdown. The central control room ventilation system is designed to accommodate certain active or passive failures. Operator action is not required to prevent unacceptable temperatures in safety-related equipment located in the central control room.

The central control room air conditioning system consists of an air conditioning unit with design flow of 9,200 cfm, a back-up ventilation fan in parallel with the same design capacity, one 2,000 cfm high efficiency particulate air (HEPA) charcoal filter unit, two (for redundancy) 2,000 cfm booster fans for filter operation, one 2,300 cfm emergency ventilation fan located in the supervisory control panel exhaust system, and associated duct work and dampers. The back-up fan unit starts automatically on a loss of air flow. The Indian Point Unit 2 central control room air conditioning and ventilating system is powered from redundant buses serviced by the emergency diesel generators.

It is design policy that the functional capacity of the central control room shall be maintained at all times inclusive of accident conditions, such as a maximum credible accident (MCA) or a fire. Hence, to specify the limiting conditions, two cases must be considered: failure of the air conditioning system during normal operation and failure subsequent to or coincident with an MCA. Considering first the case where failure occurs during normal operation, the objective is to ensure that temperatures do not exceed levels where reactor protection system and safeguards system setpoints are altered appreciably and to ensure that remote hot shutdown capability is not compromised. The maximum tolerable upper limit is 120 F. On a loss of the Indian Point Unit 2 air conditioning system, the control room temperature under operating conditions and outside design temperatures of 93F dry bulb and 75F wet bulb will rise to a level where the heat released to the room by the equipment and lights will balance the transmission losses through the walls, floor, and ceiling. This temperature has been calculated for the following condition:

Unit 1 air conditioning system operating with 100-percent recirculated air (no outside air).

In this case, when the loss of Unit 2 air conditioning occurs, the following action will take place:

1. All lights except emergency lights will be turned off.
2. The emergency vent fan on the supervisory control panel exhaust system will start automatically.

Under these conditions, the maximum room temperature will be 104.6 F. The room supply air to the supervisory panel will be at a temperature approximately 2F lower than this room temperature because of stratification. Therefore, the supervisory panel temperatures will be approximately:

104.6 F - 2F + 4.7F = 107.3 F

[Note: 4.7F = temperature rise due to heat pickup in supervisory control panel based on 3-kW load]

There is no latent heat released to the room from equipment and an insignificant amount from the operators. Therefore, the humidity will remain 50-percent or lower and will decrease as the temperature increases.

The design basis is that the safety-related analog-type electrical equipment will perform its required functions within the required accuracies for ambient conditions of 120F. If the central control room (CCR) temperature reaches 104°F with no outside air, or 109°F with outside air intake, a plant shutdown will be initiated. If the CCR temperature reaches 120°F, the reactor will be manually tripped. Central control room annunciation is not provided for high ambient temperatures or loss of air conditioning.

A self-contained refrigerant air conditioning system has been installed to further circulate and cool air within the central control room. The system provides more cooling for operator comfort during the summer months. The system is not required for an accident. For this reason, the system does not meet seismic Class I design criteria, but it has been reinforced to withstand the safe-shutdown earthquake in order to prevent it from damaging the central control room postaccident ventilation system on the roof and the safety equipment inside the central control room. The outside makeup air to the Indian Point Unit 1 control room has been cut off. The outside control dampers are disconnected and sheet metal closure plates are installed.

During the postaccident period, the Indian Point Unit 2 charcoal filter and fan system for the central control room ventilation system functions to remove fission products as described in Section 9.9.

Factory testing was performed on various safety-related systems such as process control, nuclear instrumentation, and logic relay racks. This testing involved demonstrating the operation of proper safety functions with increased ambient temperatures of at least 120F for process control and nuclear instrumentation. The logic relay racks were tested to determine temperature rise of the cabinet under full-load conditions. From this test, it was determined that the relays would perform their function in an ambient temperature of 130 F.

7.2.4.2.1 Loss of Instrument Power

A loss of power in the reactor protection system causes the affected channel to trip. All bistables operate in a normally energized state and go to a deenergized state to initiate action. Loss of power thus automatically forces the bistables into the tripped state.

The availability of power at each instrument bus is continuously monitored by selecting individual bus voltage indication at a common voltmeter located at the rear of Flight Panel FD.

The loss of instrument power to sensors or instruments in a protection channel deenergizes the bistable(s) to actuate the engineered safety features (ESF) logic associated with that channel, except for containment spray, where the bistable(s) energize to actuate the containment spray logic.

7.2.4.2.2 Primary Power Source

The primary source of control power for the reactor protection system is the vital instrument buses described in Section 8.2. The source of power for the measuring elements and the actuation circuits in the engineered safety features instrumentation is also from those buses. The safety injection master and auxiliary relays are energized to actuate by the 125-V DC system.

7.2.4.3 Reactor Trip Signal Testing

Provisions on nonnuclear instrumentation are made for "at power" testing of all portions of each trip circuit including the reactor trip breakers. Administrative procedures require that the final element in a trip channel (required during power operation) is placed in the trip or bypass mode before that channel is taken out of service for repair or testing. In the source and intermediate ranges where the trip logic is one-out-of-two for each range, bypasses are provided for this testing procedure.

Nuclear power range channels are tested by superimposing a test signal on the normal sensor signal so that the reactor trip protection is not bypassed. On the basis of coincident logic (two-out-of-four), this will not trip the reactor; however, a trip will occur if a reactor trip is required.

Provision is made for the insertion of test signals in each analog loop. The verification of the test signal is made by station instruments at test points specifically provided for this purpose. This enables testing and calibration of meters and bistables. Transmitters and sensors are checked against each other and against precision readout equipment during normal power operation.

7.2.4.3.1 Analog Channel Testing

Testing of analog protection channels is discussed in Section 7.2.2.7.

Administrative controls prevent the nuclear instrumentation source range and intermediate range protection channels from being disabled during periodic testing. Power range overpower protection cannot be disabled because this function is not affected by the testing of circuits. Administrative controls also prevent the power range dropped rod protection from being disabled by testing. In addition, the rod position system would provide indication and associated corrective actions for a dropped rod condition.

7.2.4.3.2 Logic Channel Testing

The general design features of the logic system are described below. The trip relays for typical trip functions are shown in Plant Drawing 243323 [Formerly UFSAR Figure 7.2-26]. The analog portions of these channels are described in Plant Drawings 243324 and 243311 [Formerly UFSAR Figures 7.2-27 and 7.2-28]. Each bistable drives two relays ("A" and "B" for level and "C" and "D" for pressure). Contacts from the A and C relays are arranged in two-out-of-three and two-out-of-four trip matrices, which actuate the trip relays for trip breaker A. These configurations are duplicated for trip relays for breaker B using contacts from the B and D relays. A series configuration is used for the trip breakers as they are actuated (opened) by undervoltage coils. This approach is consistent with a deenergize-to-trip preferred failure mode. Additionally, the reactor trip breakers are equipped with shunt trip coils, which are activated on a trip signal (Figure 7.2-30). The logic system testing includes exercising the reactor trip breakers to demonstrate system integrity. Bypass breakers are provided for this purpose. During normal operation, these bypass breakers are open and racked out. Administrative control is used to minimize the amount of time these breakers are closed. Closure of the breaker is controlled from its respective logic test panel in the central control room. An interlock is provided that trips both bypass breakers open if a second bypass breaker is closed. The status of the reactor trip breaker is indicated in the central control room by indicating lights.

As shown in Plant Drawing 243323 [Formerly UFSAR Figure 7.2-26], the trip signal from the logic network is simultaneously applied to the main trip breaker associated with the specific logic chain as well as the bypass breaker associated with the alternative trip breaker. Should a valid trip occur while BYA is bypassing RTA, RTB will be opened through its associated logic train. The trip signal applied to RTB is simultaneously applied to BYA, thereby opening the bypass around RTA. RTA would either have been opened manually as part of the test or would be opened through its associated logic train, which would be operational or tripped during a test. An auxiliary relay is located in parallel with the undervoltage coils of the trip breakers. This relay is tied to the safety assessment system to indicate the transmission of a trip signal through the logic network during testing, and to record trip system demands. Lights are also provided to indicate the status of the individual logic relays.

The following procedure illustrates the method used for testing trip breaker A and its associated logic network:

1. With the bypass breaker BYA racked out, manually close and trip BYA to verify operation.
2. Rack in and close BYA. Trip RTA.
3. Sequentially deenergize the trip relays (A1, A2, A3) for each logic combination (1-2, 1-3, 2-3). Verify that the logic network deenergizes the undervoltage coil on RTA for each logic combination. Neon lights have been provided to indicate the operation of the undervoltage coil.

4. Repeat step 3 for every logic combination in each matrix.
5. Reset RTA. Rack BYB to the test position.
6. Trip RTA and BYB by their undervoltage coils to validate prior test results as evidenced by the neon lights.
7. Reset RTA, then trip it by the shunt trip coil.
8. Reset RTA. Trip and rack out BYA and BYB.
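
The following Python model is an added illustration, not part of the UFSAR or any plant document. It encodes the de-energize-to-trip coincidence matrices, the series trip breakers with their bypasses, the cross-applied trip signals and the bypass interlock as described above; the function and class names are hypothetical, and the breaker topology (BYA in parallel with RTA, BYB in parallel with RTB) is an assumption read from the text, not from Plant Drawing 243323.

```python
from dataclasses import dataclass
from itertools import combinations


def logic_combinations(n_channels, k=2):
    """Channel sets a tester must exercise, e.g. (1,2), (1,3), (2,3) for 2-out-of-3."""
    return list(combinations(range(1, n_channels + 1), k))


def matrix_demands_trip(relay_energized, k=2):
    """De-energize-to-trip coincidence: True once at least k relays have dropped out."""
    return sum(1 for energized in relay_energized if not energized) >= k


def exercise_matrix(n_channels, k=2):
    """Steps 3-4: drop out each combination in turn and record the matrix output."""
    results = {}
    for combo in logic_combinations(n_channels, k):
        relays = [channel not in combo for channel in range(1, n_channels + 1)]
        results[combo] = matrix_demands_trip(relays, k)
    return results


def single_dropout_trips(n_channels, k=2):
    """True if any one relay dropping out alone would make the matrix."""
    return any(
        matrix_demands_trip([ch != lost for ch in range(1, n_channels + 1)], k)
        for lost in range(1, n_channels + 1)
    )


@dataclass
class TripSwitchgear:
    """True means closed. Assumed topology: RTA and RTB in series,
    BYA in parallel with RTA, BYB in parallel with RTB."""
    rta: bool = True
    rtb: bool = True
    bya: bool = False
    byb: bool = False

    def rods_powered(self):
        return (self.rta or self.bya) and (self.rtb or self.byb)

    def close_bypass(self, name):
        if name not in ("bya", "byb"):
            raise ValueError(f"not a bypass breaker: {name}")
        setattr(self, name, True)
        if self.bya and self.byb:
            # Interlock: closing a second bypass breaker trips both open.
            self.bya = self.byb = False

    def train_trip(self, train):
        """Each train opens its own trip breaker and the other train's bypass."""
        if train == "A":
            self.rta = self.byb = False
        elif train == "B":
            self.rtb = self.bya = False
        else:
            raise ValueError(f"unknown train: {train}")


def trip_during_train_a_test(responding_trains):
    """Valid trip demand arriving while BYA bypasses RTA (after step 2).
    Returns whether the rod drive supply is still energized afterwards."""
    gear = TripSwitchgear()
    gear.close_bypass("bya")
    gear.rta = False  # RTA tripped as part of the test
    assert gear.rods_powered()  # plant stays at power through BYA and RTB
    for train in responding_trains:
        gear.train_trip(train)
    return gear.rods_powered()


if __name__ == "__main__":
    print(exercise_matrix(3))
    print("single dropout trips 2-of-4:", single_dropout_trips(4))
    for trains in (("A", "B"), ("B",), ("A",)):
        print(trains, "rods powered:", trip_during_train_a_test(trains))
```

In this model, with BYA closed a demand seen only by train A leaves the supply energized through BYA and RTB, which is consistent with the text's administrative limit on how long a bypass breaker stays closed.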

7.2.4.4 Bypass Breakers

The intention is to leave the bypass breakers, housed in their respective switchgear units, locked in the withdrawn (non-operating) position. The positioning of these breakers to the operating position for logic system testing is under the administrative control of the operator. The closing of the breaker is controlled from its respective logic test panel in the central control room. The status of the breaker is indicated in the control room by indicating lights. An interlock is provided that will trip both bypass breakers open if a second bypass breaker is closed. Reactor trip breaker position lights for both the main and bypass breakers (four) are in the control room on the reactor protection test panels.

In order to minimize the possibility of operational errors from either the standpoint of tripping the reactor inadvertently or only partially checking all logic combinations, each logic network includes a logic channel test panel. This panel includes those test switches and indicating lights needed to verify correct functional performance of the reactor protection system logic trip matrices. The test switches used to deenergize the trip bistable relays operate through interposing relays as shown in Plant Drawings 243322 and 243324 [Formerly UFSAR Figures 7.2-25 and 7.2-27]. This approach avoids violating the separation philosophy used in the analog channel design. Thus, although test switches for redundant channels are conveniently grouped on a single panel to facilitate testing, physical and electrical isolation of redundant protection channels is maintained by the inclusion of the interposing relay, which is actuated by the logic test switches.

7.2.4.5 Engineered Safety Features Actuation Instrumentation Description

The engineered safety features actuation circuitry is designed to maintain channel isolation up to and including the bistable operated logic relay, similar to that of the reactor protection circuitry. The general arrangement of this layout is shown in Figure 7.2-15, with supplemental details in Plant Drawings 243319 and 243320 [Formerly UFSAR Figures 7.2-16 and 7.2-17]. Although a four-channel system is illustrated in Figure 7.2-15, circuitry and hardware layout discussion is sufficiently general to apply to an "n" channel system. Channel separation is maintained by providing separate racks for each analog protection channel and separate relay rack compartments for each logic train. Channel identity is lost in the relay wiring required for matrix logic makeup. It should be noted that although channel individualization is lost, twin matrix logic trains are developed, thus ensuring a redundant actuation system.

The engineered safety feature bistables drive the logic relay coils C and D as shown in Figures 7.2-15 and 7.2-17. These logic relay coils are deenergized by their bistables when an abnormal condition exists; exceptions to this deenergized-to-operate principle are initiation of containment spray and the pressurizer pressure manual block permissive. Each bistable will actuate two (2) logic relays, one for each Train, whose contacts are utilized to develop the logic matrices for initiating safeguards action. In Figure 7.2-15, these relay contacts are shown directly below the relay coil. Because these coils would normally be energized, their contacts would remain open and thus an open circuit between the voltage source and master actuating relay would exist. Deenergizing any two of the logic relay coils would cause their corresponding contacts to close, which would complete the circuit and energize the master actuating relays. Although the illustration here is for a two-out-of-four matrix, the design and sequence of operation for any of the logic matrices is the same. The master actuating relay (M) is a latch-type relay having an operate (M/0), an intermediate (K) and a reset (M/R) coil. Once the logic matrix is made up, as described above, the circuit that energizes the master actuating relay is complete. Figure 7.2-15 illustrates the master actuating relay (M); an enlarged view may be found in Plant Drawing 243319 [Formerly UFSAR Figure 7.2-16]. With potential applied to the relay, the operate coil (M/0) is energized, thus closing the (M) contacts that energize the slave relays (SRs), as shown in Figure 7.2-15. The master relay is latched in this position until the reset coil (M/R) is energized.

As a minimum, slave relay outputs from the Train A logic system actuate the Train A safeguards components, and slave relay outputs from the Train B logic system actuate the Train B safeguards components. All components not identified with a specific Train and many safeguards components are actuated by both logic systems.

After an approximately 2-min time delay to ensure the completion of the actuation sequence, the master actuating relay may be manually reset by operating the reset switch (see Figure 7.2-15 and Plant Drawing 243319 [Formerly UFSAR 7.2-16]). With the reset coil (M/R) energized, all of the (M) contacts are returned to their deenergized positions as shown in Figure 7.2-15.

Resetting the master relay does not interfere with the operation status of the engineered safety features equipment. Manual safety injection initiation is maintained even with reset activated.

A study was conducted to determine whether or not, upon the reset of an engineered safety features actuation signal, all associated safety-related equipment remains in its emergency mode. The review resulted in the addition of some actuation relays with a self-seal-in feature that will maintain the respective safeguards equipment in the emergency or safeguards mode when the engineered safety features signal is reset.

7.2.4.6 Engineered Safety Features Logic Testing

Figures 7.2-15 and 7.2-17, and Plant Drawing 243319 [Formerly UFSAR Figure 7.2-16] illustrate the basic logic test scheme. Test switches are located in the associated relay racks rather than in a single test panel. The following steps indicate the method of testing the logic matrices:

1. Test of either train A or train B is performed one train at a time; this is under administrative control.

2. A selection of the matrix function to be tested is made. Plant Drawing 243319 [Formerly UFSAR Figure 7.2-16], for example, illustrates some of these functional matrices.

3. The logic test switch is a dual function switch that is first turned to operate one series of contacts and then depressed to operate other contacts. Turning the logic test switch to the right will illuminate the "test switch in test position" lamp. The slave actuating relays are removed from this part of the test by opening Flexitest switches located in the output circuit of the master relay in order to avoid unintentional starting of the engineered safety features equipment. Intentional start is available through the other train that has operational status.
4. Depressing the logic test switch will deenergize the logic relay coil, thus closing contacts of that logic relay (i.e., closing logic relay contacts forms the logic matrix to energize the associated master relay as shown in Figure 7.2-15 or 7.2-17). By performing the above sequence, it is possible to simulate all actuating logic combinations required to develop the matrix. When the matrix is made, the master relay is actuated, which verifies proper operation of this matrix. As indicated in paragraph 3 above the slave relays remain deenergized, preventing actuation of ESF equipment.

5. Proper test development of a logic matrix would be indicated by illumination of a matrix test lamp, as shown in Figure 7.2-17.

6. When testing of the logic matrix is complete, the equipment is returned to operational status by turning all test switches to the left and closing the Flexitest switches. The control board annunciator warns the operator of any test switch left in the test position; thus, return to operational status by action of the individual doing the test is verified by the operator at the control board. Testing steps for the logic matrices of train B are identical to that described above for train A.

7.2.5 Protective Actions

7.2.5.1 Reactor Trip Description

Rapid reactivity shutdown is provided by the insertion of the rod cluster control assemblies by gravity fall to compensate for fast reactivity effects (e.g., Doppler and moderator temperature effects). Duplicate series-connected circuit breakers supply all power to the control rod drive mechanisms. The full-length control rod drive mechanism coils must be energized for the rod cluster control assemblies to remain withdrawn from the core. The rod cluster control assemblies fall by gravity into the core upon loss of power to the control rod drive mechanism coils. The trip breakers are opened by the undervoltage coils on both breakers (normally energized), which become deenergized by any of several trip signals.

The shunt trip coils of the breakers provide a backup to the undervoltage trip coils for the automatically initiated reactor trip signals with the utilization of relays ST and ST-1 in the trip coil circuits shown schematically in Figure 7.2-30. Both relays must be deenergized to actuate the shunt coil.

The electrical state of the devices providing signals to the circuit breaker undervoltage trip coils is such as to cause these coils to trip the breaker in the event of reactor trip or power loss.

Certain reactor trip channels are automatically bypassed at low power where they are not required for safety. Nuclear source range and intermediate range trips that are specifically provided for protection at low-power or subcritical operation are bypassed by operator manual action after receiving a permissive signal from the next higher range of instrumentation to establish operational status to permit low-power operation.

During power operation, a sufficiently rapid shutdown capability in the form of rod cluster control assemblies is administratively maintained through the control rod insertion limit monitors. Administrative control requires that all shutdown rods be in the fully withdrawn position during power operation.

A resume of reactor trips, means of actuation, and the coincident circuit requirements is given in Table 7.2-1. The permissive circuits (e.g., P-7) are listed in Table 7.2-2.

7.2.5.1.1 Manual Trip

The manual actuating devices are independent of the automatic trip circuitry and are not subject to failures that make the automatic circuitry inoperable. Either of two manual trip devices located in the control room will initiate a reactor trip. There are no interlocks associated with these trip actuating devices.

A manual trip energizes the shunt trip coils of the reactor breakers. The coils are fed by two independent sources. The channelization matches the power trains of the reactor protection trip logic channels associated with each reactor breaker, enhancing the manual reactor trip availability.

7.2.5.1.2 High Nuclear Flux (Power Range) Trip

This circuit trips the reactor when two-out-of-four power range channels read above the trip setpoint. There are two independent trip settings, a high and a low setting. The high trip setting provides protection during power operation. The low setting, which provides protection during startup, can be manually bypassed when two-out-of-four power range channels read above approximately 10-percent power (P-10). Three-out-of-four channels below 10-percent automatically reinstates the trip protection. The high setting is always active.

7.2.5.1.3 High Nuclear Flux (Intermediate Range) Trip

This circuit trips the reactor when one-out-of-two intermediate range channels reads above the trip setpoint. This trip, which provides protection during reactor startup, can be manually bypassed if two-out-of-four power range channels are above approximately 10-percent power (P-10). Three-out-of-four channels below this value automatically reinstates the trip protection. To prevent inadvertent and unnecessary reactor trips during power reductions prior to shut down, operating procedures allow these trips to be manually bypassed until they have reset to the untripped condition and the reset has been verified. The intermediate channels (including detectors) are separate from the power range channels.

7.2.5.1.4 High Nuclear Flux (Source Range) Trip

This circuit trips the reactor when one of the two source range channel count levels (neutron flux) reads above the level trip setpoint. The trip, which provides protection during reactor startup, can be manually bypassed when one-out-of-two intermediate range channels reads above the P-6 setpoint value. This trip is also bypassed by two-out-of-four high power range signals (P-10). It can be reinstated below P-10 by an administrative action requiring coincident manual actuation.

The trip point is set between the source range cutoff power level and the maximum source range power level.

7.2.5.1.5 Overtemperature ΔT Trip

The purpose of this trip is to protect the core against departure from nucleate boiling (DNB). This circuit trips the reactor on coincidence of two-out-of-four signals, with two sensors (two sets of temperature measurements, hot and cold) per loop. The setpoint for this reactor trip is continuously calculated for each channel by solving equations of this form:

$$\Delta T_{setpoint} = \Delta T_0 \left[ K_1 - K_2 \left( \frac{1 + \tau_1 s}{1 + \tau_2 s} \right) (T - T') + K_3 (P - P') - f_1(\Delta I) \right]$$

where

$\Delta T_0$ = loop specific indicated ΔT at rated power (°F)

$K_1$ = setpoint bias

$K_2$, $K_3$ = constants based on the effect of temperature and pressure on the DNB limits

$s$ = Laplace transform operator, sec$^{-1}$

$T$ = measured reactor coolant average temperature (°F), two measurements ($T_c$, $T_h$) in each loop

$T'$ = loop specific indicated average temperature at rated power (°F)

$\tau_1$, $\tau_2$ = time constants, sec

$P$ = measured pressurizer pressure, four independent measurements (psig)

$P'$ = nominal pressure at rated power, 2235 psig

$f_1(\Delta I)$ = function of the indicated difference between top and bottom detectors of the power range nuclear ion chambers with gains to be selected on the basis of measured instrument response during plant startup tests

7.2.5.1.6 Overpower ΔT Trip

The purpose of this trip is to protect against excessive power (fuel rod rating protection). This circuit trips the reactor on coincidence of two-out-of-four signals, with two hot and cold sensors (two sets of temperature measurements) per loop.

The setpoint for this reactor trip is continuously calculated for each channel by solving equations of the form:

$$\Delta T_{setpoint} = \Delta T_0 \left[ K_4 - K_5 \left( \frac{\tau_3 s}{1 + \tau_3 s} \right) T - K_6 (T - T'') - f_2(\Delta I) \right]$$

where

$\Delta T_0$ = loop specific indicated ΔT at rated power (°F)

$K_4$ = setpoint bias

$K_5$ = constant

$\tau_3$ = time constants, sec

$s$ = Laplace transform operator, sec$^{-1}$

$T$ = measured reactor coolant average temperature (°F), two measurements ($T_c$, $T_h$) in each loop

$K_6$ = constant

$T''$ = loop specific indicated average temperature at rated power (°F)

$f_2(\Delta I)$ = function of the indicated difference between top and bottom detectors of the power range nuclear ion chambers with gains to be selected on the basis of measured instrument response during plant startup tests

7.2.5.1.7 Low Pressurizer Pressure Trip

The purpose of this circuit is to protect against excessive core steam voids that could lead to departure from nucleate boiling. The circuit trips the reactor on coincidence of two-out-of-four low pressurizer pressure signals. This trip is blocked when three-out-of-four power range channels and two-out-of-two turbine inlet pressure channels read below approximately 10-percent power (P-7).

7.2.5.1.8 High Pressurizer Pressure Trip

The purpose of this circuit is to limit the range of required protection from the overtemperature ΔT trip and to protect against reactor coolant system overpressure. This circuit trips the reactor on coincidence of two-out-of-three high pressurizer pressure signals.

7.2.5.1.9 High Pressurizer Water Level Trip

This trip is provided as a backup to the high pressurizer pressure trip. The coincidence of two-out-of-three high pressurizer water level signals trips the reactor. This trip is bypassed when any of three-out-of-four power range channels and two-out-of-two turbine inlet pressure channels read below approximately 10-percent power (P-7).

7.2.5.1.10 Low Reactor Coolant Flow Trip

A reactor trip on underfrequency is generated by a signal indicating an underfrequency condition on two-out-of-four buses, which opens all reactor coolant pump breakers, which in turn trips the reactor. The purpose of this trip is to provide protection following a major network frequency disturbance. This design satisfies the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968.

An undervoltage trip is also generated on a signal indicating an undervoltage condition of two-out-of-four buses, with one signal per bus.

An undervoltage trip is provided for protection following a complete loss of power. This design satisfies the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968.

With a reactor coolant pump bus underfrequency, all reactor coolant pumps are tripped with this signal generating a reactor trip. In the event of a frequency disturbance, the primary requirement is to release the reactor coolant pumps from the network to preserve their kinetic energy.

The means of sensing a loss-of-coolant-flow accident are as follows:

1. Measured low flow in the reactor coolant loop - The low flow trip signal is actuated by the coincidence of two-out-of-three signals for any reactor coolant loop. The loss of flow in any two loops causes a reactor trip in the power range above approximately 10-percent (P-7). Above approximately 20-percent power (P-8), the loss of flow in any loop causes a reactor trip. The instrument used for flow measurement is an elbow tap and is discussed in Chapter 4.

2. Undervoltage on any two-out-of-four reactor coolant pump buses will cause a reactor trip above approximately 10-percent power (P-7).

3. Reactor coolant pump circuit breaker open

a. Underfrequency on any two-out-of-four reactor coolant pump buses will trip the breakers of all four reactor coolant pumps and cause a reactor trip above approximately 10-percent power (P-7).

b. Undervoltage on any single bus will trip the breaker of the associated reactor coolant pump after a time delay. Above approximately 10-percent power (P-7) a reactor trip will occur if any two reactor coolant pump circuit breakers are open. Above approximately 20-percent power (P-8) any open reactor coolant pump circuit breaker will cause a reactor trip.

Technical Specification 3.3.1 allows the single loop loss of flow trip to be bypassed whenever reactor power is below approximately 20-percent power (P-8 setpoint). Below this setpoint and above the permissive setpoint P-7, a loss of flow in two loops would cause a reactor trip.

This permits an orderly plant shutdown under administrative control following a single-loop loss of flow during low-power operation. Since the plant will not be maintained in operation above permissive power setting P-7 without three loops in service, independent accidents simultaneous with a single-loop loss of flow at low power are not considered in the protection system design.
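The coincidence and permissive rules of Section 7.2.5.1.10, written out as an added Python example that is not part of the UFSAR or of any plant software. The names `FlowProtectionInputs`, `make_inputs` and `low_flow_trip_causes` are hypothetical, the P-7 and P-8 permissives are derived from a single power value using the approximate 10- and 20-percent figures in the text, and the single-bus undervoltage time delay is not modeled.

```python
from dataclasses import dataclass
from typing import List, Sequence

P7_PCT = 10.0  # "approximately 10-percent power" (P-7), as stated in the text
P8_PCT = 20.0  # "approximately 20-percent power" (P-8), as stated in the text


def k_of_n(signals: Sequence[bool], k: int) -> bool:
    """Coincidence logic: true when at least k of the n inputs are tripped."""
    return sum(1 for s in signals if s) >= k


@dataclass
class FlowProtectionInputs:
    loop_flow_low: Sequence[Sequence[bool]]  # 4 loops x 3 low-flow signals
    bus_undervoltage: Sequence[bool]         # 4 RCP buses, one signal per bus
    bus_underfrequency: Sequence[bool]       # 4 RCP buses
    rcp_breaker_open: Sequence[bool]         # 4 RCP circuit breakers
    above_p7: bool
    above_p8: bool


def make_inputs(power_pct: float, **overrides) -> FlowProtectionInputs:
    """Constructed healthy plant state at the given power; override fields to
    inject faults. Simplification: permissives come from one power value
    rather than from channel coincidence."""
    base = dict(
        loop_flow_low=[[False] * 3 for _ in range(4)],
        bus_undervoltage=[False] * 4,
        bus_underfrequency=[False] * 4,
        rcp_breaker_open=[False] * 4,
        above_p7=power_pct > P7_PCT,
        above_p8=power_pct > P8_PCT,
    )
    base.update(overrides)
    return FlowProtectionInputs(**base)


def low_flow_trip_causes(inp: FlowProtectionInputs) -> List[str]:
    """Return the loss-of-flow sensing paths that demand a reactor trip."""
    if not inp.above_p7:
        return []  # every path in the section is stated as acting above P-7

    causes = []
    # Above P-8 one loop or breaker is enough; between P-7 and P-8 it takes two.
    needed = 1 if inp.above_p8 else 2

    # 1. Measured low flow: two-out-of-three signals within a loop.
    loops_low = [k_of_n(channels, 2) for channels in inp.loop_flow_low]
    if k_of_n(loops_low, needed):
        causes.append("measured low flow")

    # 2. Undervoltage on two-out-of-four RCP buses.
    if k_of_n(inp.bus_undervoltage, 2):
        causes.append("RCP bus undervoltage 2/4")

    # 3. Breaker open; underfrequency on 2/4 buses trips all four breakers.
    breakers = list(inp.rcp_breaker_open)
    if k_of_n(inp.bus_underfrequency, 2):
        breakers = [True] * len(breakers)
    if k_of_n(breakers, needed):
        causes.append("RCP breaker open")

    return causes


if __name__ == "__main__":
    one_loop = [[True, True, False]] + [[False] * 3 for _ in range(3)]
    for power in (5.0, 15.0, 25.0):
        state = make_inputs(power, loop_flow_low=one_loop)
        print(f"{power:5.1f}% power, one loop low:", low_flow_trip_causes(state))
```

Running it shows the single-loop loss of flow producing a trip only at 25 percent power, which is the bypass window between P-7 and P-8 that the paragraph above describes.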

7.2.5.1.11 Control Rod Protection Trip

This trip provides a backup to the manually initiated action (during reactor coolant system cooldown) of opening the reactor trip breakers prior to Tcold decreasing below 381°F. This trip is required to avoid mechanical interference caused by thermal contraction between the fuel and control rods. Two-out-of-three channels will actuate this trip.

7.2.5.1.12

[Deleted]

7.2.5.1.13 Safety Injection System Actuation Trip

A reactor trip occurs when the safety injection system is actuated. The means of actuating the safety injection system trip are listed below. This design satisfies the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968.

1. Low pressurizer pressure (2/3).
2. High containment pressure (2/3), set at approximately 2 psig. (10.0 psig assumed in safety analysis).
3. High differential pressure between any two steam lines (2/3).
4. High steam flow (2/4) coincident with low Tavg (2/4) or low steam line pressure (2/4).
5. High-high containment pressure (2 sets of 3, 2/3, high-high pressure) set at approximately 50-percent of containment design pressure.
6. Manual.

7.2.5.1.14 Pressurizer Signal Diversity

In 1970, the available pressurizer automatic protection functions were a reactor trip on low pressurizer pressure and an ESF trip on low pressurizer pressure coincident with low pressurizer water level. These two trips provided functional diversity in the event of depressurizations of the primary system. To provide additional diversity in the event of small breaks in the primary system, a Containment Pressure High ESF trip setpoint of 2.0 psig was chosen.

In 1979 following the Three Mile Island Unit 2 (TMI-2) event, IE Bulletin 79-06A (Revision 0 and Revision 1) identified actions to be taken by the licensees of reactors designed by Westinghouse. One of the actions identified in IE Bulletin 79-06A was to eliminate the coincident requirement of low pressurizer water level with low pressurizer pressure for an ESF trip. As a result, an ESF trip occurs on low pressurizer pressure only. In the review of the TMI-2 event, it was determined that the low pressurizer water level coincidence limited the reliability of the pressurizer ESF trip. Also, analyses of small breaks located at the top of the pressurizer showed that the pressurizer water level would increase (although the pressure and mass of the primary system would be decreasing), which would preclude an ESF trip. The NRC in their Safety Evaluation Report dated July 10, 1979, concluded that this change satisfied the requirements of IEEE 279-1971 and that none of the transient and accident analyses are adversely affected by the change.

7 As such, the diversity of the pressurizer trip functions was strengthened by removing the pressurizer water level coincidence logic from the pressurizer ESF trip function. The low pressurizer pressure reactor trip signal and the low pressurizer ESF trip signal are actuated by separate and diverse logic trains. Also, the overtemperature delta-temperature ( TT) reactor trip is available depending on initial conditions for providing diverse reactor trip in the event of a depressurization of the primary system. Although the Containment Pressure High ESF safety analysis trip setpoint is relaxed to 10.0 psig, it is still available to provide diverse protection for a range of breaks in the primary system.

7.2.5.1.15

[Deleted]

7.2.5.1.16 Steam/Feedwater Flow Mismatch Trip

This trip protects the reactor from a sudden loss of heat sink. The trip is actuated by (1/2) steam/feedwater flow mismatch, coincident with (1/2) low steam-generator water level, in the same loop. Plant Drawing 225103 [Formerly UFSAR Figure 7.2-10] shows the logic of this trip. The design satisfies the Control and Protection System Interaction Criteria of the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968, for plants with three level channels per steam generator.

7.2.5.1.17 Low-Low Steam-Generator Water Level Trip

The purpose of this trip is to protect the steam generators in case of a sustained steam/feedwater flow mismatch. The trip is actuated on two-out-of-three low-low water level signals in any steam generator. A diagram of the steam-generator level control and protection system is shown in Plant Drawing 243328 [Formerly UFSAR Figure 7.2-32].

7.2.5.1.18 Turbine Trip/Reactor Trip

A turbine trip is sensed by two-out-of-three signals from auto-stop oil pressure. The analysis discussed in Section 14.1.8 indicates that an immediate reactor trip on turbine trip is not required for reactor protection; therefore, the design need not satisfy the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968.

Plant Drawing 225096 [Formerly UFSAR Figure 7.2-3] is a logic diagram for the turbine and generator trips. A turbine trip signal redundantly dumps the auto-stop oil, which, in turn, closes all turbine stop valves. Conversely, a reactor trip on turbine trip is generated by redundantly sensing the loss of auto-stop oil.

7.2.5.1.19 Steam Line Isolation

Any of the following conditions will generate a steam line isolation signal; the design satisfies the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968.

1. High steam flow (2/4) in coincidence with low Tavg (2/4) or low steam pressure (2/4).
2. High-high containment pressure (2/3, twice).
3. Manual action.

7.2.5.1.20 Turbine Runback

A turbine runback is employed following a rod drop event (bypass switches have been installed, which are normally in the DEFEAT position, so as to bypass the runback on this signal) or loss of one main feedwater pump. A turbine runback, which uses the mechanical hydraulic turbine governor control, is achieved by reducing the signal to each of two load limit valves as required to achieve the required load reduction. Turbine runback is not required for reactor protection; therefore, this design need not satisfy the proposed IEEE criteria for nuclear power plant protection system (IEEE-279 Code), dated August 28, 1968. Beginning with the Cycle 11 reload up to and including the current cycle, dropped rod analyses with and without Turbine Runback were used and the DNB design basis was satisfied as discussed in Section 14.1.4.

7.2.5.2 Rod Stops

A list of rod stops is provided in Table 7.2-3. Some of these have been previously noted under permissive circuits, but are listed again for completeness.

7.2.5.2.1 Rod Drop Protection

Two independent systems are provided to sense a dropped rod: (1) a rod bottom position detection system and (2) a system that senses sudden reduction in ex-core neutron flux. Both protection systems initiate protective action in the form of a turbine load cutback if above a given power level (see below). This action compensates for possible adverse core power distributions and permits an orderly retrieval of the dropped rod cluster control (as discussed in Section 14.1.4).

The primary protection for the dropped rod cluster control accident is the rod bottom signal derived for each rod from its individual position indication system. With the position indication systems, initiation of protection is independent of rod location or reactivity worth (as discussed in Section 14.1.4).

Backup protection is provided by use of the out-of-core power range nuclear detectors and is particularly effective for larger nuclear flux reductions occurring in the region of the core adjacent to the detectors. Bypass switches have been installed, which are normally in the DEFEAT position, so as to bypass this runback signal. The use of these bypass switches is acceptable based on the results of analyses discussed in Section 14.1.4.

The rod drop detection circuit from nuclear flux consists basically of a comparison of each ion chamber signal with the same signal taken through a first-order lag network. Since a dropped rod cluster control assembly will rapidly depress the local neutron flux, the decrease in flux will be detected by one or more of these four sensors. Such a sudden decrease in ion chamber current will be seen as a different signal as discussed in Section 14.1.4. A signal greater than 5-percent reactor power reduction with an impulse unit time constant of 5 sec from any one of the four power range channels will actuate the rod drop protection circuitry if the turbine runback switches are not in the DEFEAT position.

Figure 7.4-2 indicates schematically the dropped rod detection circuit and the nuclear protection system in general. The potential consequences of any dropped rod cluster control assembly are discussed in Section 14.1.4.
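The flux-based rod drop comparison described above, as an added Python example that is not part of the UFSAR or of any plant software. It is a discrete-time approximation of the first-order lag; the function names, the 0.1 sec sample interval and the flux traces are constructed for illustration, while the 5 sec time constant and 5-percent threshold are the values stated in the text.

```python
from typing import List, Optional, Sequence, Tuple

TAU_S = 5.0          # impulse unit time constant stated in the text, sec
THRESHOLD_PCT = 5.0  # reduction that actuates the circuit, percent reactor power
DT_S = 0.1           # sample interval, an assumption of this example


def first_order_lag(samples: Sequence[float], dt: float, tau: float = TAU_S) -> List[float]:
    """Backward-Euler discretization of 1/(1 + tau*s), started at steady state."""
    alpha = dt / (tau + dt)
    y = samples[0]
    out = []
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def rod_drop_signal(channels: Sequence[Sequence[float]], dt: float,
                    runback_defeated: bool) -> Optional[Tuple[int, int]]:
    """Return (channel index, sample index) of the earliest actuation, or None.

    Each channel is compared with its own lagged copy; the lagged value minus
    the live value is the size of a recent sudden reduction. Any one channel
    is sufficient. With the bypass switches in DEFEAT nothing is actuated.
    """
    if runback_defeated:
        return None
    hits = []
    for ch, samples in enumerate(channels):
        lagged = first_order_lag(samples, dt)
        for n, (live, lag) in enumerate(zip(samples, lagged)):
            if lag - live > THRESHOLD_PCT:
                hits.append((n, ch))
                break
    if not hits:
        return None
    n, ch = min(hits)
    return (ch, n)


def step_trace(drop_pct: float, n: int = 300, at: int = 100) -> List[float]:
    """Constructed trace: steady 100 percent, then a sudden drop at sample `at`."""
    return [100.0 if i < at else 100.0 - drop_pct for i in range(n)]


def ramp_trace(drop_pct: float, n: int = 2000) -> List[float]:
    """Constructed trace: the same total reduction spread over the whole trace."""
    return [100.0 - drop_pct * i / (n - 1) for i in range(n)]


if __name__ == "__main__":
    steady = [100.0] * 300
    dropped = [steady, steady, step_trace(8.0), steady]
    print("8% step on channel 2:", rod_drop_signal(dropped, DT_S, False))
    print("same, switches in DEFEAT:", rod_drop_signal(dropped, DT_S, True))
    print("3% step:", rod_drop_signal([step_trace(3.0)] * 4, DT_S, False))
    print("8% over 200 sec:", rod_drop_signal([ramp_trace(8.0)] * 4, DT_S, False))
```

The slow 8-percent ramp never actuates because the lagged signal tracks it to within a fraction of a percent, which is why the comparison responds to sudden reductions rather than to ordinary load changes.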

7.2.5.2.2 Alarms

Any of the following conditions actuate an alarm:

1. Reactor trip (first-out annunciator).
2. Trip of any reactor trip analog channel.
3. Actuation of any permissive circuit or override. (Note: P-7, P-8, pressurizer low pressure trip block permissive, and auto rod control permissive (15-percent power) are provided with an indication light only on the flight panel.)
4. Significant deviation of any major control variable (pressure, Tavg, pressurizer water level, and steam-generator water level).

7.2.5.2.3 Control Group Rod Insertion Limits

The lower insertion limit system is used in an administrative control procedure with the objective to maintain a rod cluster control assembly shutdown margin.

The control group rod insertion limits, $Z_{LL}$, are calculated as a linear function of reactor power and reactor coolant average temperature. The equation is

$$Z_{LL} = A(\Delta T)_{avg} + B(T_{avg}) + C$$

where A and B are preset manually adjustable gains and C is a preset manually adjustable bias. The $(\Delta T)_{avg}$ and $(T_{avg})$ are the average of the individual temperature differences and the coolant average temperatures, respectively, measured from the reactor coolant hot leg and the cold leg. One insertion limit monitor with two alarm setpoints is provided for control bank D. A description of control and shutdown rod groups is provided in Section 7.3.2. The "APPROACHING ROD INSERTION LIMIT 12.5" alarm alerts the operator of an approach to a reduced shutdown reactivity situation requiring boron addition by following normal procedures with the chemical and volume control system (Section 9.2). Actuation of "ROD INSERTION LIMIT 0" alarm requires the operator to take immediate action to add boron to the system by any one of several alternative methods.

7.2.6 System Evaluation

7.2.6.1 Reactor Protection System and Departure From Nucleate Boiling

The following is a description of how the reactor protection system prevents departure from nucleate boiling (DNB).

The plant variables affecting the DNB ratio (DNBR) are as follows:

1. Thermal power.
2. Coolant flow.
3. Coolant temperature.
4. Coolant pressure.
5. Core power distribution (hot-channel factors).

Figures 7.2-33 Sh. 1 & 2 illustrate the core limits for which DNBR for the hottest rod is at the design limit and show the overpower and overtemperature ΔT reactor trips locus as a function of Tavg and pressure.

Reactor trips for a fixed high pressurizer pressure and for a fixed low pressurizer pressure are provided to limit the pressure range over which core protection depends on the variable overpower and overtemperature ΔT trips. Reactor trips on nuclear overpower and low reactor coolant flow are provided for direct, immediate protection against rapid changes in these variables. However, for all cases in which the calculated DNBR approaches the applicable DNBR limit, a reactor trip on overpower and/or overtemperature ΔT would be actuated.

The ΔT trip functions are based on the differences between measurements of the hot-leg and cold-leg temperatures, which are proportional to core power.

The ΔT trip functions are provided with a nuclear flux feedback to reflect a measure of axial power distribution. This will assist in preventing an adverse distribution that could lead to exceeding allowable core conditions.

7.2.6.1.1 Overpower Protection

In addition to the high power range nuclear flux trips, an overpower ΔT trip is provided (two-out-of-four logic) to limit the maximum overpower. This trip is of the following form:

$$\Delta T_{setpoint} = \Delta T_0 \left[ K_4 - K_5 \left( \frac{\tau_3 s}{1 + \tau_3 s} \right) T - K_6 (T - T'') - f_2(\Delta I) \right]$$

where

$\Delta T_0$ = loop specific indicated ΔT at rated power (°F)

$K_4$ = setpoint bias

$K_5$ = constant

$\tau_3$ = time constants, sec

$s$ = Laplace transform operator, sec$^{-1}$

$T$ = measured reactor coolant average temperature (°F), two measurements ($T_c$, $T_h$) in each loop

$K_6$ = constant

$T''$ = loop specific indicated average temperature at rated power (°F)

$f_2(\Delta I)$ = function of the indicated difference between top and bottom detectors of the power range nuclear ion chambers with gains to be selected on the basis of measured instrument response during plant startup tests

In addition, a rod stop function is provided in the form:

$$\Delta T_{rod\ stop} = \Delta T_{trip} - B_P$$

where $B_P$ is the setpoint bias (°F).

7.2.6.1.2 Overtemperature Protection

A second ΔT trip (two-out-of-four logic) provides an overtemperature trip that is a function of coolant average temperature and pressurizer pressure derived as follows:

$$\Delta T_{setpoint} = \Delta T_0 \left[ K_1 - K_2 \left( \frac{1 + \tau_1 s}{1 + \tau_2 s} \right) (T - T') + K_3 (P - P') - f_1(\Delta I) \right]$$

where

$\Delta T_0$ = loop specific indicated ΔT at rated power (°F)

$K_1$ = setpoint bias

$K_2$, $K_3$ = constants based on the effect of temperature and pressure on the DNB limits

$\tau_3$ = time constants, sec

$s$ = Laplace transform operator, sec$^{-1}$

$T$ = measured reactor coolant average temperature (°F), two measurements in each loop ($T_c$, $T_h$)

$T'$ = loop specific indicated average temperature at rated power (°F)

$P$ = measured pressurizer pressure, four independent measurements (psig)

$P'$ = nominal pressure at rated power, 2235 psig

$f_1(\Delta I)$ = function of the indicated difference between top and bottom detectors of the power range nuclear ion chambers with gains to be selected on the basis of measured instrument response during plant startup tests

Four long ion chamber pairs are provided, and each one independently feeds a separate overtemperature ΔT trip channel. Thus, a single failure neither defeats the function nor causes a spurious trip. The reset function is only in the direction of decreasing the trip setpoint; it cannot increase the setpoint.

As shown above, if the difference between the top and bottom detectors exceeds a preset limit indicative of excess power generation in either half of the core, a proportional signal is transmitted to the overtemperature ΔT trip to reduce its setpoint.

A similar rod stop function is provided in the form:

$$\Delta T_{stop} = \Delta T_{trip} - B_T$$

where $B_T$ is the setpoint bias (°F). Automatic feedback signals are provided to reduce the overpower-overtemperature trip setpoints and block rod withdrawal to the trip setpoint.

7.2.6.2 Interaction of Control and Protection

The design basis for the control and protection system permits the use of a detector for both protection and control functions. Where this is done, all equipment common to both the protection and control circuits is classified as part of the protection system. Isolation amplifiers prevent a control system failure from affecting the protection system. In addition, where failure of a protection system component can cause a process excursion that requires protective action, the protection system can withstand another independent failure without loss of function. Generally, this is accomplished with two-out-of-four trip logic. Also, wherever practical, provisions are included in the protection system to prevent a plant outage because of single failure of a sensor.

7.2.6.2.1 Specific Control and Protection Interactions

7.2.6.2.1.1 Nuclear Flux

Four power range nuclear flux channels are provided for overpower protection. Isolated outputs from all four channels are averaged for automatic control rod regulation of power. If any channel fails in such a way as to produce a lower output, that channel is incapable of proper overpower protection. Two-out-of-four overpower trip logic will ensure an overpower trip if needed, even with an independent failure in another channel.

In addition, the control system will respond only to rapid changes in indicated nuclear flux; slow changes or drifts are overridden by the temperature control signals. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.6.2.1.2 Coolant Temperature

Four Tavg channels are used for overtemperature-overpower protection. (See Plant Drawing 243330 [Formerly UFSAR Figure 7.2-34] for single channel.) Isolated output signals from all four channels are also averaged for automatic control rod regulation of power and temperature.

In addition, channel deviation alarms in the control system will block automatic rod insertion if any temperature channel deviates significantly from the others. Two-out-of-four trip logic is used to ensure that an overtemperature trip will occur if needed even with an independent failure in another channel. Finally, as shown in Section 14.1, the combination of trips on nuclear overpower, high pressurizer water level, and high pressurizer pressure also serves to limit an excursion for any rate of reactivity insertion.

Additional reactor coolant temperature measurements are provided for the alternate safe shutdown system by four strap-on resistance temperature detectors installed on loops 21 and 22 with display in the fan house. These provide measurements of the hot- and cold-leg temperatures of their respective loops.

7.2.6.2.1.3 Pressurizer Pressure

Four pressure channels are used for high

- and low-pressure protection and for overpower protection. Isolated output signals from these channels also are used for pressure control and compensation signals for rod control. These are discussed separately below.

1. Control of rod motion: The discussion for coolant temperature is applicable (i.e., two-out-of-four logic for overpower protection as the primary protection), with backup from multiple rod stops and "backup" trip circuits. In addition, the pressure compensation signal is limited in the control system such that failure of the pressure signal cannot cause more than about a 10F change in Tavg. This change can be accommodated at full power without a DNBR being reduced below the applicable safety analysis DNBR limit. Finally, the pressurizer safety valves are adequately sized to prevent system overpressure.
2. Pressure control: Spray, power

-operated relief valves, and heaters are controlled by isolated output signals from the pressure protection channels.

IP2 FSAR UPDATE Chapter 7, Page 57 of 111 Revision 2 6, 201 6 a. Low Pressure A spurious high

-pressure signal from one channel can cause low pressure by spurious actuation of a pressurizer spray valve. Additional redundancy is provided in the protection system to ensure underpressure protection, i.e., two-out-of-four low pressure reactor trip logic and two

-out-of-three logic for safety injection.

In addition, interlocks are provided in the pressure control system such that a relief valve will close if either of two independent pressure channels indicates low pressure. Spray reduces pressure at a lower rate, and some time is available for operator action (about 3 min. at maximum spray rate) before a low pressure trip is reached.

b. High Pressure

The pressurizer heaters are incapable of overpressurizing the reactor coolant system. Maximum steam generation rate with heaters is about 15,000 lb/hr, compared with a total capacity of 1,224,000 lb/hr for the three safety valves and a total capacity of 358,000 lb/hr for the two power-operated relief valves. Therefore, overpressure protection is not required for a pressure control failure. Two-out-of-three high-pressure trip logic is therefore used.

In addition, either of the two relief valves can easily maintain pressure below the high-pressure trip point. The two relief valves are controlled by independent pressure channels, one of which is independent of the pressure channel used for heater control. Finally, the rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available for operator action.
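The redundancy argument above can be checked by enumeration. The following is an added example, not part of the FSAR: a Python model of the coincidence logic for the pressurizer pressure trips (Table 7.2-1 items 5 and 6) and the P-7 block (Table 7.2-2). The function names, the choice of channel 0 as the failed control channel, and the extra failed channels are assumptions of this sketch.

```python
from itertools import combinations


def coincidence(bistables, m):
    """m-out-of-n coincidence: True when at least m channel bistables are tripped."""
    return sum(1 for b in bistables if b) >= m


def p7_block(low_flux, low_turbine_pressure):
    """P-7 blocking input per Table 7.2-2: 3/4 low nuclear flux (power range)
    and 2/2 low turbine inlet pressure."""
    return coincidence(low_flux, 3) and coincidence(low_turbine_pressure, 2)


def low_pressure_trip(low_pressure, block):
    """Table 7.2-1 item 5: 2/4 low pressurizer pressure, blocked by P-7."""
    return (not block) and coincidence(low_pressure, 2)


def high_pressure_trip(high_pressure):
    """Table 7.2-1 item 6: 2/3 high pressurizer pressure, no interlocks."""
    return coincidence(high_pressure, 2)


def apply_failures(healthy_state, n, stuck):
    """Bistable outputs of n channels. Healthy channels report healthy_state;
    `stuck` maps a channel index to the state its bistable is frozen in."""
    return [stuck.get(i, healthy_state) for i in range(n)]


def tolerance(n, m):
    """Enumerate every combination of failed channels for m-out-of-n logic.

    Returns (max channels stuck untripped with the trip still generated on a
    real demand, max channels stuck tripped without a spurious trip)."""
    def still_trips(k):
        return all(
            coincidence(apply_failures(True, n, {i: False for i in combo}), m)
            for combo in combinations(range(n), k))

    def no_spurious_trip(k):
        return all(
            not coincidence(apply_failures(False, n, {i: True for i in combo}), m)
            for combo in combinations(range(n), k))

    return (max(k for k in range(n + 1) if still_trips(k)),
            max(k for k in range(n + 1) if no_spurious_trip(k)))


def spray_failure_scenario(extra_failed):
    """Channel 0 (assumed to be the one feeding pressure control) fails high
    and opens a spray valve, so real pressure falls. Its low-pressure bistable
    never trips. `extra_failed` lists further channels assumed stuck untripped.
    The plant is at power, so the P-7 block is not present."""
    block = p7_block([False] * 4, [False] * 2)
    stuck = {0: False}
    stuck.update({i: False for i in extra_failed})
    return low_pressure_trip(apply_failures(True, 4, stuck), block)


if __name__ == "__main__":
    print("2/4 tolerance (untripped, tripped):", tolerance(4, 2))
    print("2/3 tolerance (untripped, tripped):", tolerance(3, 2))
    print("spray failure only:", spray_failure_scenario([]))
    print("spray failure + 1 more failed channel:", spray_failure_scenario([1]))
    print("spray failure + 2 more failed channels:", spray_failure_scenario([1, 2]))
```

With two-out-of-four logic the trip is still generated when the channel that caused the transient is lost together with one further channel; two-out-of-three logic tolerates only the one failed channel.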

7.2.6.2.1.4 Pressurizer Level

Three pressurizer level channels are used for high-level reactor trip (2/3). Isolated output signals from these channels are used for volume control, increasing or decreasing water level. A level control failure could fill or empty the pressurizer at a slow rate (on the order of half an hour or more).

1. High Level

A reactor trip on pressurizer high level is provided to prevent rapid thermal expansions of reactor coolant fluid from filling the pressurizer: the rapid change from high rates of steam relief to water relief can be damaging to the safety valves and the relief piping and pressure relief tank. However, a level control failure cannot actuate the safety valves because the high-pressure reactor trip is set below the safety valve set pressures. Therefore, a control failure does not require protection system action. In addition, ample time and alarms are available for operator action.

2. Low Level

For control failures that tend to empty the pressurizer, a signal of low level from either of two independent level control channels will isolate letdown, thus preventing the loss of coolant. Also, ample time and alarms exist for operator action.

7.2.6.2.1.5 Steam-Generator Water Level/Feedwater Flow

Before describing control and protection interaction for these channels, it is beneficial to review the protection system basis for this instrumentation.

The basic function of the reactor protection circuits associated with low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long-term residual heat. Should a complete loss of feedwater occur with no protective action, the steam generators would boil dry and cause an overtemperature-overpressure excursion in the reactor coolant. Reactor trips on temperature, pressure, and pressurizer water level will trip the plant before there is any damage to the core or reactor coolant system. However, residual heat after trip would cause thermal expansion and discharge of the reactor coolant to containment through the pressurizer relief valves. Redundant auxiliary feedwater pumps are provided to prevent this. Reactor trips act before the steam generators are dry to reduce the required capacity and starting time requirements of these pumps and to minimize the thermal transient on the reactor coolant system and steam generators. Independent trip circuits are provided for each steam generator for the following reasons:

1. Should severe mechanical damage occur to the feedwater line to one steam generator, it is difficult to ensure the functional integrity of level and flow instrumentation for that unit. For instance, a major pipe break between the feedwater flow element and the steam generator would cause high flow through the flow element. The rapid depressurization of the steam generator would drastically affect the relation between downcomer water level and steam-generator water inventory.

2. It is desirable to minimize thermal transient on a steam generator for credible loss of feedwater accidents.

It should be noted that controller malfunctions caused by a protection system failure affect only one steam generator. Also, they do not impair the capability of the main feedwater system under either manual control or automatic Tavg control. Hence, these failures are far from being the worst case with respect to decay heat removal with the steam generators.

a. Feedwater Flow

A spurious high signal from the feedwater flow channel being used for control would cause a reduction in feedwater flow and prevent that channel from tripping. A reactor trip on low-low water level, independent of indicated feedwater flow, will ensure a reactor trip if needed.

In addition, the three-element feedwater controller incorporates reset on level, such that with expected gains, a rapid increase in the flow signal would cause only a 12-in. decrease in level before the controller reopens the feedwater valve. A slow increase in the feedwater signal would have no effect at all.

b. Steam Flow

A spurious low steam flow signal would have the same effect as a high feedwater signal, discussed above.

c. Level

A spurious high water level signal from the protection channel used for control will tend to close the feedwater valve. This level channel is independent of the level and flow channels used for reactor trip on low flow coincident with low level.

(1) A rapid increase in the level signal will completely stop feedwater flow and actuate a reactor trip on low feedwater flow coincident with low level.

(2) A slow drift in the level signal may not actuate a low feedwater signal. Since the level decrease is slow, the operator has time to respond to low-level alarms. Since only one steam generator is affected, automatic protection is not mandatory and reactor trip on two-out-of-three low-low level is acceptable.

REFERENCES FOR SECTION 7.2

1. Letter from J. D. O'Toole, Con Edison, to D. G. Eisenhut, NRC, Subject: Control Room Habitability Studies, Enclosure 2, dated May 12, 1981.
2. E. L. Vogeding, Seismic Testing of Electrical and Control Equipment, WCAP-7397-L (Proprietary), Westinghouse Electric Corporation, January 1970.
3. J. Lipchak and R. Bartholomew, Test Report of Isolation Amplifier, WCAP-9011 (Proprietary), Westinghouse Electric Corporation.
4. Letter from J. D. O'Toole, Con Edison, to S. A. Varga, NRC, Subject: Seismic Qualification of Reactor Trip Breaker Shunt Trip Attachment, dated February 14, 1986.
5. Letter from M. Selman, Con Edison, to S. A. Varga, NRC, Subject: Seismic Qualification of DC Power Panels No. 21 and 22, Indian Point Unit 2, dated August 14, 1986.
6. Letter (with attachments) from S. A. Varga, NRC, to J. D. O'Toole, Con Edison, Subject: NUREG-0737, Item No. III.D.3.4 Control Room Habitability for Indian Point Unit No. 2, dated January 27, 1982.
7. Letter from A. Schwencer, NRC, to W.J. Cahill, Subject: Safety Evaluation Report - Indian Point Station Unit 2 - Evaluation of Safety Injection System Actuation Technical Specification Change Request - Amendment No. 56 dated July 10, 1979.
8. Letter from J. Durr, NRC, to S. Bram, Subject: Inspection Report No. 50-247/89-12 (including Attachment 1 - Safety Evaluation Relating to Design Criteria for Electrical Cable Separation).
9. Calculation #PGI-00408-00 Rev. 0, Identification Of Plant Areas Which Can Be Subjected To Harsh Environmental Conditions As A Result Of LOCA or HELB And The Environmental Parameters For The Area, Indian Point 2, dated December 1999.
10. Electrical Equipment Environmental Qualification Program Rev. 13, dated April 1999.
11. IP2-EQ Master List.

TABLE 7.2-1 (Sheet 1 of 5)
List of Reactor Trips and Causes for Reactor Trips

| Reactor trip | Coincidence Circuitry and Interlocks | Comments |
|---|---|---|
| 1. Manual | 1/2, no interlocks | |
| 2. Overpower nuclear flux | 2/4 | High and low settings; manual block and automatic reset of low setting by P-10. Permissive 10, Table 7.2-2 |
| 3. Overtemperature ΔT | 2/4, no interlocks | |
| 4. Overpower ΔT | 2/4, no interlocks | |
| 5. Low pressurizer pressure | 2/4, blocked by P-7 | |
| 6. High pressurizer pressure (fixed setpoint) | 2/3, no interlocks | |
| 7. High pressurizer water level | 2/3, blocked by P-7 | |
| 8a. Low reactor coolant flow | 2/3 per loop, 2/4 loops, blocked by P-7; 2/3 per loop, 1/4 loops, blocked by P-8 | |
| 8b. Reactor coolant pump breaker open | 1/1 per loop, 2/4 loops, blocked by P-7; 1/1 per loop, 1/4 loops, blocked by P-8 | Underfrequency on 2/4 reactor coolant pump buses trips all reactor coolant pump breakers. |
| 8c. Undervoltage on reactor coolant pump bus | 2/4, blocked by P-7 | |

TABLE 7.2-1 (Sheet 2 of 5)
List of Reactor Trips and Causes for Reactor Trips

| Reactor trip (continued) | Coincidence Circuitry and Interlocks | Comments |
|---|---|---|
| 9. Safety injection signal (actuation) | 2/3 low pressurizer pressure, provided safety injection is not manually blocked (i.e., manual block permitted for 2/3 low pressurizer pressure if reactor coolant system pressure is below 1940 psig); or 2/3 high containment pressure (Hi pressure); or 2/3 high differential pressure between any two steam generators; or two sets of 2/3 high-high containment pressure (Hi-Hi pressure); or 1/2 manual; or 2/4 high steam flow coincident with 2/4 low Tavg or 2/4 low steam line pressure. | |
| 10. Turbine generator (Low auto stop oil pressure signal) | 2/3, blocked by P-7 or P-8 | Trip not activated until both P-7 and P-8 have been unblocked. |
| 11. Steam/feedwater flow mismatch | 1/2 steam/feedwater flow mismatch, coincident with 1/2 low steam generator water level, in the same loop. | |
| 12. Low-low steam generator water level | 2/3, per loop | |
| 13. High intermediate range nuclear flux | 1/2, manual block permitted by P-10 | Manual block and automatic reset |
| 14. High source range nuclear flux | 1/2, manual block permitted by P-6, also blocked by P-10 | Manual block; manual reset |

TABLE 7.2-1 (Sheet 3 of 5)
List of Reactor Trips and Causes for Reactor Trips

| Containment isolation actuation | Coincidence Circuitry and Interlocks | Comments |
|---|---|---|
| 15. Safety injection signal (phase A) | See item 9 | Actuates all nonessential service containment isolation trip valves and actuates isolation valve seal water system. |
| 16. Containment pressure (phase B) | Coincidence of two 2/3 containment pressure (high-high pressure, same signal which actuates containment spray), or manual 1/2 | Actuates all essential service containment isolation trip valves. |
| 17. Containment or plant ventilation activity | High-High activity signal, from the containment air particulate or the plant ventilation radiogas detector (1/3) | The containment air particulate and radiogas monitors also directly actuate the containment purge supply and exhaust valves and the containment pressure relief valves on high-high activity. |
| Engineered safety features actuation | | |
| 18. Safety injection signal (S) (phase A) | See Item 9 | |
| 19. Containment spray signal (P) (phase B) | Coincidence of two sets of 2/3 containment pressure (high-high pressure); or manual 1/2 | Manual (1/2 spray push buttons) initiation will position valves and start the spray pumps anytime before or after automatically safety injection initiated pump sequencing is in progress. Safety injection reset will block automatic spray initiation. |

TABLE 7.2-1 (Sheet 4 of 5)
List of Reactor Trips and Causes for Reactor Trips

| Engineered safety features actuation (continued) | Coincidence Circuitry and Interlocks | Comments |
|---|---|---|
| 20. Deleted | | |
| 21. Containment air recirculation cooling signal | Safety injection signal initiates starting of all fans in accordance with the safety injection starting sequence, 2/3 high containment pressure or manual 1/2 | |
| 22. Isolation valve seal water signal | Containment isolation (phase A) signal | |
| Steam line isolation actuation | | |
| 23. Steam flow | High steam flow in 2/4 lines plus (a) low Tavg in 2/4 lines or (b) low steam line pressure in 2/4 lines. | |
| 24. Containment pressure | Coincidence of two sets of 2/3 containment pressure (high-high pressure) (NOTE: bistables are energized-to-operate) | |
| 25. Manual | 1/1 per steam line | |

TABLE 7.2-1 (Sheet 5 of 5)
List of Reactor Trips and Causes for Reactor Trips

| Auxiliary feedwater actuation | Coincidence Circuitry and Interlocks | Comments |
|---|---|---|
| 26. Turbine driven pump | Low-low level in any two steam generators; or Blackout (i.e., 1/2 480-V busses 5A and 6A undervoltage), coincident with a unit trip without safety injection; or 1/2 AMSAC; or 1/2 manual. | |
| 27. Motor driven pumps | 2/3 low-low level in any steam generator; Blackout (i.e., 1/2 480-V busses 5A and 6A undervoltage) and a unit trip; or trip of 1/2 main feedwater pump turbines; or 1/2 AMSAC; all without safety injection; or safety injection (i.e., with either offsite or onsite power available), coincident with a sequenced pump start; or 1/2 manual. | |
| Main feedwater isolation | | |
| 28. Close main feedwater control valves, trip main feedwater pumps | Any safety injection signal (see item 9) | |
| Control rod protection | | |
| 29. Reactor trip breakers | 2/3 | During RCS cooldown prior to Tcold decreasing below 381°F |

TABLE 7.2-2
Interlock and Permissive Circuits

| Number | Function | Input for Blocking |
|---|---|---|
| 1 | Prevent rod withdrawal on overpower | 1/4 high nuclear flux (power range) or 1/2 high nuclear flux (intermediate range) or 1/4 overtemperature ΔT or 1/4 overpower ΔT |
| 2 | Deleted | |
| 3 | Deleted | |
| 5 | Steam dump interlock | Rapid decrease of MWe load signal |
| 6 | Manual block of source range level trip | 1/2 high intermediate range flux allows manual block, 2/2 low intermediate range defeats block |
| 7 | Permissive power (block various trips required only at power) | 3/4 low nuclear flux signals (power range) and 2/2 low turbine inlet pressure signals |
| 8 | Block single primary loop loss of flow trip | 3/4 low nuclear flux (power range) |
| 10 | Manual block of low trip (power range) and intermediate range trips | 2/4 high nuclear flux allows manual block, 3/4 low nuclear flux (power range) defeats manual block |

TABLE 7.2-3
Rod Stops

| Rod Stop | Actuation Signal | Rod Motion to be Blocked |
|---|---|---|
| 1 Deleted | | |
| 2 Nuclear overpower | 1/4 high power range nuclear flux or 1/2 high intermediate range nuclear flux | Manual withdrawal |
| 3 High ΔT | 1/4 overpower ΔT or 1/4 overtemperature ΔT | Manual withdrawal |
| 4 Deleted | | |
| 5 Tavg deviation | 1/4 Tavg deviation from average Tavg | Automatic insertion |

7.2 FIGURES

| Figure No. | Title |
|---|---|
| Figure 7.2-1 | Index And Symbols - Logic Diagram, Replaced With Plant Drawing 225094 |
| Figure 7.2-2 | Reactor Trip Signals - Logic Diagram, Replaced With Plant Drawing 225095 |
| Figure 7.2-3 | Turbine Trip Signals - Logic Diagram, Replaced With Plant Drawing 225096 |
| Figure 7.2-4 | 6900 Volt Bus Automatic Transfer - Logic Diagram, Replaced With Plant Drawing 225097 |
| Figure 7.2-5 | Nuclear Instrumentation Trip Signals - Logic Diagram, Replaced With Plant Drawing 225098 |
| Figure 7.2-6 | Nuclear Instrumentation Permissives And Blocks - Logic Diagram, Replaced With Plant Drawing 225099 |
| Figure 7.2-7 | Emergency Generator Starting - Logic Diagram, Replaced With Plant Drawing 225100 |
| Figure 7.2-8 | Safeguard Sequence - Logic Diagram, Replaced With Plant Drawing 225101 |
| Figure 7.2-9 | Pressurizer Trip Signal - Logic Diagram, Replaced With Plant Drawing 225102 |
| Figure 7.2-10 | Steam Generator Trip Signals - Logic Diagram, Replaced With Plant Drawing 225103 |
| Figure 7.2-11 | Primary Coolant System Trip Signals And Manual Trip - Logic Diagram, Replaced With Plant Drawing 225104 |
| Figure 7.2-12 | Safeguard Actuation Signals - Logic Diagram, Replaced With Plant Drawing 225105 |
| Figure 7.2-13 | Feedwater Isolation - Logic Diagram, Replaced With Plant Drawing 225106 |
| Figure 7.2-14 | Rod Stops And Turbine Loads Cutbacks - Logic Diagram, Replaced With Plant Drawing 225107 |
| Figure 7.2-15 | Safeguards Actuation Circuitry And Hardware Channelization, Replaced With Plant Drawing 243318 |
| Figure 7.2-16 | Simplified Diagram For Overall Logic Relay Test Scheme, Replaced With Plant Drawing 243319 |
| Figure 7.2-17 | Analog And Logic Channel Testing, Replaced With Plant Drawing 243320 |
| Figure 7.2-18 | Reactor Protection Systems - Block Diagram, Replaced With Plant Drawing 243321 |
| Figure 7.2-19 | Core Coolant Average Temperature Vs Core Power |
| Figure 7.2-20 | Pressurizer Level Control And Protection System, Replaced With Plant Drawing 243313 |
| Figure 7.2-21 | Pressurizer Pressure Control And Protection System, Replaced With Plant Drawing 243314 |
| Figure 7.2-22 | Steam Flow ΔP Vs Power, Replaced With Plant Drawing 243315 |
| Figure 7.2-23 | Design Philosophy To Achieve Isolation Between Channels |
| Figure 7.2-24 | Cable Tunnel - Typical Section, Replaced With Plant Drawing 243317 |
| Figure 7.2-25 | Typical Analog Channel Testing Arrangement, Replaced With Plant Drawing 243322 |
| Figure 7.2-26 | Typical Simplified Control Schematic, Replaced With Plant Drawing 243323 |
| Figure 7.2-27 | Analog Channels, Replaced With Plant Drawing 243324 |
| Figure 7.2-28 | Analog System Symbols, Replaced With Plant Drawing 243311 |
| Figure 7.2-29 | Deleted |
| Figure 7.2-30 | Reactor Trip Breaker Actuation Schematic |
| Figure 7.2-31 | Deleted |
| Figure 7.2-32 | Steam Generator Level Control And Protection System, Replaced With Plant Drawing 243328 |
| Figure 7.2-33 Sh. 1 | Illustrations Of Overpower And Temperature ΔT Trips High Temperature Operation |
| Figure 7.2-33 Sh. 2 | Illustrations Of Overpower And Temperature ΔT Trips Low Temperature Operation |
| Figure 7.2-34 | Tavg/ΔT Control And Protection System, Replaced With Plant Drawing 243330 |

7.3 REGULATING SYSTEMS

7.3.1 Design Basis

The reactor control system is designed to limit nuclear plant transients for prescribed design load perturbations, under automatic control, [Note - The automatic control rod withdrawal feature in plant operation has been physically disabled, allowing only the automatic control rod insertion mode to be in effect when rod control is automatic.] within prescribed limits to preclude the possibility of a reactor trip in the course of these transients.

Overall reactivity control is achieved by the combination of chemical shim and 53 control rod clusters, of which 29 are in the control banks and 24 are in the shutdown banks. Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term reactivity control for power changes or reactor trip is accomplished by the movement of control rod clusters.

The primary function of the reactor control system is to provide automatic control of the rod clusters during power operation of the reactor. The system uses input signals including neutron flux, coolant temperature and pressure, and plant turbine load. The chemical and volume control system (Section 9.2) serves as a secondary reactor control system by the addition and removal of varying amounts of boric acid solution.

There is no provision for a direct continuous visual display of primary coolant boron concentration. When the reactor is critical, the best indication of reactivity status in the core is the position of the control group in relation to plant power and average coolant temperature.

There is a direct, predictable, and reproducible relationship between control rod position and power, and it is this relationship that establishes the lower insertion limit calculated by the rod insertion limit monitor. There are two alarm setpoints to alert the operator to take corrective action in the event a control bank approaches or reaches its lower limit.

Any unexpected change in the position of the control group when under automatic control or a change in coolant temperature when under manual control provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, periodic samples of coolant boron concentration are taken. The variation in concentration during core life provides a further check on the reactivity status of the reactor including core depletion.

The reactor control system is designed to enable the reactor to follow load reductions automatically when the plant output is above 15-percent of nominal power. Control rod insertion may be performed automatically when plant output is above this value. Control rod insertion and withdrawal may be performed manually at any time.

The system as originally designed enabled the plant to accept a generation step load increase of 10-percent and a ramp increase of 5-percent per minute within the load range of 15 to 100-percent without reactor trip subject to possible xenon limitations. The elimination of the automatic rod withdrawal function could require the use of manual rod control to have the reactor respond to the turbine load change and to restore the coolant average temperature to the programmed value during these load increase transients. Similar step and ramp load reductions are possible within the range of 100 to 15-percent of nominal power with automatic control rod insertion operational.

The operator is able to select any single bank of rods (shutdown or control) for manual operation. Using a single switch, he may not select more than one bank from these two groups. During reactor startup with the rod control bank selector switch in manual, the control banks can be moved only in their normal sequence with some overlap as one bank reaches its full withdrawal position and the next bank begins to withdraw. Power supplied to the rod banks is controlled so that no more than two banks can be withdrawn simultaneously.

The control system is capable of restoring coolant average temperature to within the programmed temperature deadband following a load reduction.

The reactor can be placed under automatic control in the power range between 15-percent of load and full load for the following design transients:

1. 10-percent step reduction in load without turbine bypass.
2. 5-percent per minute unloading.
3. 25-to-50-percent change in load at 200%/minute maximum turbine unloading rate from approximately 100-percent load with steam dump (load change capability depends on full power Tavg; see Section 7.3.3.1).

A programmed pressurizer water level as a function of load is provided in conjunction with the programmed coolant average temperature to minimize the requirements of the chemical and volume control system and waste disposal system resulting from coolant density changes during loading and unloading from full power to zero power.

Following a reactor and turbine trip, sensible heat stored in the reactor coolant is removed without the actuation of steam-generator safety valves by means of controlled steam bypass to the condenser and by the injection of feedwater to the steam generators. Reactor coolant system temperature is reduced to the no-load condition. This no-load coolant temperature is maintained by steam bypass to the condensers to remove residual heat.

The control system was originally designed to operate as a stable system over the full range of automatic control throughout core life without requiring operator adjustment of setpoints other than normal calibration procedures.

7.3.2 System Design

A block diagram of the reactor control system is shown in Figure 7.3-1.

7.3.2.1 Rod Control

There were originally 61 total rod cluster control assemblies, of which 53 are full-length and 8 were part-length rods. The part-length rods have since been removed. The full-length rods are divided into (1) a shutdown group comprised of two shutdown banks of eight rod clusters each and two shutdown banks of four rod clusters each, and (2) a control group comprised of four control banks containing eight, four, eight, and nine rod clusters.

Figure 3.2-2 shows the locations of the full-length rods in the core. The four banks of the control group are the only rods that can be manipulated under automatic control. The banks are divided into subgroups to obtain smaller incremental reactivity changes. All rod cluster control assemblies in a subgroup are electrically paralleled to step simultaneously. Position indication for each rod cluster control assembly type is the same. There are two types of drive mechanism for the rod cluster control assemblies, those for the control and shutdown groups and those for the part-length rod group since removed.

7.3.2.1.1 Control Group Rod Control

The automatic rod control system maintains a group programmed reactor coolant average temperature with adjustments inward of control group rod position for equilibrium plant conditions. The system is capable of restoring programmed average temperature following a scheduled or transient reduction in load. The coolant average temperature increases linearly from zero power to the full-power conditions, wherein the plant is being operated on a Tavg program of 547°F to 562°F. Compensation for fuel depletion and/or xenon transients is periodically made with adjustments of boron concentration. The control system has the ability to readjust the control group rod in the inward direction in response to changes in coolant average temperature resulting from changes in boron concentration.

The average coolant temperature is determined by using the hot-leg and the cold-leg temperature measurements in each reactor coolant loop. The average of the four loop average temperatures is the main control signal. This signal is sent to the control group rod programmer through a proportional plus rate compensation unit. The control group rod programmer commands the direction and speed of control group rod motion. A compensated pressurizer pressure signal and a power-load mismatch signal are also employed as control signals to improve the plant performance. The power-load mismatch channel takes the difference between nuclear power (average of all four power range channels) and a signal of turbine load (turbine inlet pressure), and passes it through a high-pass filter so that only a rapid change in flux or power causes rod motion. The power-load mismatch compensation serves to speed up system response and to reduce transient peaks.

The rod control group is divided into four banks comprised of eight, four, eight, and nine rod cluster controls, respectively, to follow load changes over the full range of power operation. Each rod control bank is driven by a sequencing, variable speed rod drive control unit. The rods in each control bank are divided into two subgroups, and the subgroups are moved sequentially one step at a time. The sequence of motion is reversible; that is, a withdrawal sequence is the reverse of the insertion sequence. Any reactor trip signal causes the rods to insert by gravity into the core.

Manual control is provided to move a control bank in or out at a preselected fixed speed.

Proper sequencing of the rod cluster control assembly is ensured first, by fixed programming equipment in the rod control system, and second, through administrative control of the reactor plant operator. Startup of the plant is accomplished by first manually withdrawing the shutdown rods to the full-out position. This action requires that the operator select the SHUTDOWN BANK position on a control board mounted selector switch and then position the IN-HOLD-OUT lever (which is spring return to the HOLD position) to the OUT position.

Rod cluster control assemblies are then withdrawn under manual control of the operator by first selecting the MANUAL position on the control board mounted selector switch and then positioning the IN-HOLD-OUT lever to the OUT position. A hinged mechanical interlock is also installed on top of the In-Out-Hold rod control lever that requires operator action to lift the interlock away from the rod control lever prior to rod withdrawal. The hinged mechanical interlock does not inhibit rod insertion. In the MANUAL selector switch position, the rods are withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming equipment.

The predetermined programmed sequence is set so that as the first bank out (control bank C-2) reaches a preset position near the top of the core, the second bank out (control bank C-3) begins to move out simultaneously with the first bank. When control bank C-2 reaches the top of the core, it stops, and control bank C-3 continues until it reaches a preset position near the top of the core where control bank C-4 motion begins. This withdrawal sequence continues until the plant reaches the desired power level. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank out is the first control bank in.

A permissive interlock limits automatic control to reactor power levels above 15-percent. In the AUTOMATIC position, the rods can only be inserted in a predetermined programmed sequence by the automatic programming equipment.

With the simplicity of the rod sequence program, the minimal amount of operator selection, and two separate position indications available to the operator, there is very little possibility that rearrangement of the control rod sequencing could be made.

7.3.2.1.2 Shutdown Rod Group Control

The shutdown group of control rods together with the control group are capable of shutting the reactor down. They are used in conjunction with the adjustment of chemical shim and the control group to provide shutdown margin of at least 1-percent following reactor trip with the most reactive control rod in the fully withdrawn position for all normal operating conditions.

The shutdown banks are manually controlled during normal operation and are moved at a constant speed with staggered stepping of the subgroups within the banks. Any reactor trip signal causes them to insert by gravity into the core. They are fully withdrawn during power operation and are withdrawn first during startup. Criticality is always approached with the control group after withdrawal of the shutdown banks. Four shutdown banks with a total of 24 clusters are provided.

7.3.2.1.3 Part-Length Rod Control

Eight part-length rods were provided in the reactor in the original operating configuration in addition to the normal control rods. The function of these rods, which had neutron absorber material in only the bottom one quarter of the length (3-ft), was intended to shape the axial power distribution and thus stabilize axial xenon oscillations. In addition, they would flatten the axial power distribution and thus reduce hot-channel factors. The part-length rods were intended for operation only by manual control by the operator from the control console. They were moved together as a bank to make the upper and lower ion chamber readings approach a prescribed relationship within a prescribed allowable region of travel.

However, subsequent to the initial plant operation, the part-length control rods were physically removed from the reactor. Their associated rod position indication system has been removed from the central control room.

7.3.2.1.4 Interlocks

The rod control group is interlocked with measurements of turbine-generator load and reactor power to prevent automatic control below 15-percent of nominal power. The manual controls are further interlocked with measurements of nuclear flux, ΔT, and rod drop indication to prevent approach to an overpower condition.

7.3.2.1.5 Rod Drive Performance

The control banks are driven by a sequencing, variable speed rod drive programmer. In the control bank of rod cluster control assemblies, control subgroups (each containing a small number of rod cluster control assemblies) are moved sequentially in a cycle such that all subgroups are maintained within one step of each other. The sequence of motion is reversible, that is, withdrawal sequence is the reverse of the insertion sequence. The sequencing speed is proportional to the control signal from the reactor coolant system. This provides control group speed control proportional to the demand signal from the control system.

A solid-state control system provides power to the rod drive mechanism coils from the output of two paralleled motor-generator sets. Two reactor trip breakers are placed in series with the output of the motor-generator sets. To permit online testing, a bypass breaker is provided across each of the two breakers.

7.3.2.1.6 Rod Cluster Control Assembly Position Indication

Two separate systems are provided to sense and display control rod position as described below:

1. Analog System - An analog signal is produced for each individual rod by a linear position transmitter.

An electrical coil stack is located above the stepping mechanisms of the control rod magnetic jacks, external to the pressure housing, but concentric with the rod travel. When the associated control rod is at the bottom of the core, the magnetic coupling between the primary and secondary coil winding of the detector is small and there is a small voltage induced in the secondary. As the control rod is raised by the magnetic jacks, the relatively high permeability of the lift rod causes an increase in magnetic coupling. Thus, an analog signal proportional to rod position is obtained.

Direct, continuous readout of every control rod is presented to the operator on individual indicators.

A deviation monitor alarm is actuated if an individual rod position deviates from its group position by a preselected distance.

Lights are provided for rod bottom positions for each rod. The lights are operated by bistable devices in the analog system.

2. Digital System - The digital system counts pulses generated in the rod drive control system. One counter is associated with each subgroup of control and shutdown rods. Readout of the digital system is in the form of electromechanical add-subtract counters reading the number of steps of rod withdrawal with one display for each subgroup. These readouts are mounted on the control panel.

The digital and analog systems are separate systems; each serves as backup for the other. Operating procedures require the reactor operator to compare the digital and analog readings upon recognition of any apparent malfunction. Therefore, a single failure in rod position indication does not in itself lead the operator to take erroneous action in the operation of the reactor.
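The comparison of the two indication systems described above can be modelled as follows. This is an added example, not part of the FSAR or of any plant system; the deviation and rod-bottom settings, the rod names, the sample readings and the rule for attributing a disagreement are all assumptions made for illustration.

```python
from statistics import median

# Hypothetical settings: the page says only "a preselected distance".
DEVIATION_LIMIT = 12    # steps between a rod and its group position
ROD_BOTTOM_LIMIT = 5    # steps at or below which the rod-bottom light is on


def count_pulses(pulses):
    """Digital system: add-subtract counter driven by rod drive pulses.

    Each pulse is +1 (one step withdrawn) or -1 (one step inserted).
    """
    steps = 0
    for pulse in pulses:
        steps = max(0, steps + pulse)
    return steps


def check_subgroup(counter_steps, analog_steps):
    """Compare one subgroup's step counter with its rods' analog readings.

    analog_steps maps a rod id to its linear position transmitter reading,
    already scaled to steps. The attribution rule is this example's own.
    """
    deviating = sorted(rod for rod, pos in analog_steps.items()
                       if abs(pos - counter_steps) > DEVIATION_LIMIT)
    rod_bottom = sorted(rod for rod, pos in analog_steps.items()
                        if pos <= ROD_BOTTOM_LIMIT)
    centre = median(analog_steps.values())
    rods_agree = all(abs(pos - centre) <= DEVIATION_LIMIT
                     for pos in analog_steps.values())
    if not deviating:
        verdict = "agree"
    elif len(deviating) == len(analog_steps) and rods_agree:
        # Every independent transmitter disagrees with the one shared counter.
        verdict = "suspect digital counter"
    else:
        verdict = "suspect rod or analog channel"
    return {"deviation_alarm": deviating,
            "rod_bottom_lights": rod_bottom,
            "verdict": verdict}


# Constructed sample data, not plant data.
COUNTER = count_pulses([+1] * 100 + [-1] * 10)
NORMAL = {"R1": 89, "R2": 91, "R3": 90, "R4": 92}
ONE_ROD_LOW = {"R1": 90, "R2": 91, "R3": 60, "R4": 89}
DROPPED_ROD = {"R1": 90, "R2": 2, "R3": 91, "R4": 89}

if __name__ == "__main__":
    for label, readings in [("normal", NORMAL),
                            ("one rod low", ONE_ROD_LOW),
                            ("dropped rod", DROPPED_ROD)]:
        print(label, check_subgroup(COUNTER, readings))
    # A counter that missed pulses disagrees with every transmitter at once.
    print("counter lost pulses", check_subgroup(50, NORMAL))
```
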

7.3.2.1.7 Part-Length Rod Position Indication

Deleted

7.3.2.2 Full-Length Rod Drive Power Supply

The full-length control rod drive power supply concept using a single scram bus system has been successfully employed on all Westinghouse PWR plants. Potential fault conditions with a single scram bus system are discussed in this section. The unique characteristics of the latch-type mechanism with its relatively large power requirements make this system with the redundant series trip breakers particularly desirable.

The solid-state rod control system is operated from two parallel connected 438-kVA generators that provide 260-V line-to-line, three-phase, four-wire power to the rod control circuits through two series connected reactor trip breakers. This AC power is distributed from the trip breakers to a line-up of identical solid-state power cabinets using a single overhead run of enclosed bus duct that is bolted to and therefore composes part of the power cabinet arrangement.

Alternating current from the motor-generator sets is converted to a profiled direct current by the power cabinet and is then distributed to the mechanism coils. Each complete rod control system includes a single 70-V DC power supply that is used for holding the mechanisms in position during maintenance of normal power supply.

This 70-V supply, which receives its input from the AC power source downstream of the reactor trip breakers, is distributed to each power cabinet and permits holding mechanisms in groups of four by manually positioning switches located in the power cabinets. The 50-A output capacity limits the holding capability to six rods cold or eleven rods hot.

7.3.2.2.1 Reactor Trip

Current to the mechanisms is interrupted by opening either of the reactor trip breakers. The 70-V DC maintenance supply will also be interrupted as this supply receives its input power through the reactor trip breakers.

7.3.2.2.2 Trip Breaker Arrangement

The trip breakers are arranged in the reactor trip switchgear in individual metal-enclosed compartments. The 1000-A bus work, making up the connections between scram breakers, is separated by metal barriers to prevent the possibility that any conducting object could short circuit, or bypass, scram breaker contacts.

7.3.2.2.3 Maintenance Holding Supply

The 70-V DC holding supply and associated switches have been provided to avoid the need for bringing a separate DC power source to the rod control system during maintenance on the power cabinet circuits. This source is adequate for holding a maximum of six mechanisms cold or eleven mechanisms hot and will satisfy all maintenance holding requirements.

7.3.2.2.4 Control System Construction

The rod control system is assembled in enclosed steel cabinets. Three-phase power is distributed to the equipment through a steel-enclosed bus duct bolted to the cabinets. Direct current power connections to the individual mechanisms are routed to the reactor head area from the solid-state cabinets through insulated cables, enclosed junction boxes, enclosed reactor containment penetrations, and sealed connectors. In view of this type of construction, any accidental connection of either an AC or DC power source, either internal or external to the cabinets, is not considered credible.

7.3.2.2.5 Alternating Current Power Connections

The three-phase four-wire supply voltage required to energize the equipment is 260-V line-to-line, 58.3-Hz, 438-kVA capacity, zig-zag connected. It is unlikely that any power supply, and in particular one as unusual as this four-wire power source, could be accidentally connected, in phase, in the required configuration. Also, it should be noted that this requires multiple connections, not single connections. The closest outside sources available in the plant are 480-V auxiliary power sources and 208-V lighting sources.

Connection of either a 480 or 208 volt, 60-Hz source to the single AC bus supplying the Rod Control System will cause currents to flow between the sources due to an out-of-phase condition. These currents will flow until the generator accelerates to a speed synchronous with the 60-Hz out-of-phase source, a time sufficient to trip the generator breakers. The out-of-phase currents for an unlimited capacity outside source, an outside source with a capacity equivalent to the normal generator kVA, and for either one or two M-G Sets in service, are tabulated below:

Out-of-Phase Currents (Amperes)

Outside Source                One M-G Set In Service    Two M-G Sets In Service
480-V, Unlimited Capacity     25,000                    50,000
480-V, 400-kVA Capacity       12,500                    25,000
208-V, Unlimited Capacity     16,000                    32,000
208-V, 400-kVA Capacity       8,000                     16,000

All of the foregoing currents are sufficiently high to trip out the generator breakers on either overcurrent or reverse current. This trip-out is detectable by annunciation in the control room. If the outside power source trips, the connection is of no concern.

Each solid-state power cabinet is tied to the main AC bus through three fused disconnect switches: one for the stationary gripper coil circuits, one for the movable gripper coil circuits, and one for the lift coil circuits. Reference voltages to operate the control circuits for all three coil circuits must be in phase with the supply to all coil circuits for proper operation of the system. If the outside power source were brought in to an individual cabinet, nine normal source connections would have to be disconnected and the outside source would have to be tied in phase to the proper nine points plus one neutral point to allow the movement of the rods. This is not considered credible.

The connection of a single-phase AC source (i.e., one line to neutral) is also considered improbable. This would again require a high-capacity source that would have to be connected in phase with the non-synchronous motor-generator set supply. Again, more than one connection is needed to achieve this condition. Each power cabinet contains three alarm circuits (stationary, movable, and lift) that would annunciate the condition to the operator. In addition, calculations show that a single phase source of 208-V, 260-V, or 480-V will not supply enough current to hold the rods. Therefore, a jumper across two trip circuit breaker contacts in series, which results in a single phase remaining closed, would not provide sufficient current to hold up the rods.

The normal source generators are connected in a zig-zag winding configuration to eliminate the effects of direct current saturation of the machines resulting from the direct currents that flow in the half-wave bridge rectifier circuits. If this connection were not used, the generator core would saturate and loss of generating action would occur. This condition would also occur in a transformer. An outside source not having the zig-zag configuration would have to have a large capacity (>400 kVA) to avoid the loss of transformer action from saturation.

Most of the components in the equipment are applied with a 100-percent safety factor. Therefore, the possibility exists that the system will operate at 480-V with a source of sufficient capacity. The system will definitely operate at 208-V with a source of sufficient capacity.

The connection of an outside source of AC power to one rod control system would first require a need for this source. No such need exists since two power sources (motor-generator sets) are already provided to supply the system. If the source were connected despite the absence of such a need, extreme measures would have to be taken by the intruder to complete the connection. The outside source would have to be a large capacity (400 kVA). The currents that flow would require the routing of large conductors or bus bars, not the usual clip leads. Then, the disassembly of switchgear or the enclosed bus duct would be required to expose the single alternating current bus. Large bolted cable or bus bar terminations would have to be completed. A total of four conductors would have to be connected in phase with a non-synchronous source. To expect that a connection could be completed with the equipment either energized or deenergized in view of the obstacles that would prevent such a connection is incredible. However, even if the connection were completed, the outside source connection would be detectable by the operator through the tripping of the generator breakers.

7.3.2.2.6 Direct Current Power Connections

An external DC source could, if connected inside the Power Cabinet, hold the rods in position. This would require a minimum supply voltage of 50-V. Since the holding current for each mechanism coil is 4 amperes, the DC capacity would have to be approximately 180 amperes to hold all rods. Achieving this situation would require several acts: bringing in a power source which is not required for any type of operation in the Rod Control System, preferentially connecting it into the system at the correct points, and actuating specific holding switches so as to interconnect all rods. Closure of twelve switches, in four separate cabinets, would be required to hold all rods. One switch could hold as many as four rods.

The application of a DC voltage to an individual rod external to the Power Cabinet would affect only a single rod; connection with other rods in the group would be prevented by the blocking diodes in the power circuits.

Should an external DC source be connected to the system, the system is provided with features to permit its detection.

Each Power Cabinet contains circuitry, which compares the actual currents in the stationary and movable gripper coils with the reference signals from the step sequencing unit (Slave Cycler). In taking a single step, the current to the stationary gripper coil will be profiled from the holding value to the maximum, to zero, and return to the holding level after the completion of the step. Correspondingly, the movable gripper coil must change from zero to maximum and return to zero. The presence of an external DC source on either the stationary or movable coils would prevent the related currents from returning to zero.

This situation would be instantaneously annunciated by way of the comparison circuit. Therefore, any rod motion would actuate an alarm indicating the presence of an external DC source. In addition, an external DC source would prevent rods from stepping. Thus, an external source could be detected by the rod position indication system indicating failure of the rod(s) to move. Connection of an external DC power source to the output lines of the 70-V DC power supply can be detected by opening the three-phase primary input of the supply and checking the output with a built-in indicating lamp.
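The comparison between coil currents and the step sequencing reference described above can be sketched as follows. This is an added example, not the plant's circuitry or code from the FSAR; the 4-ampere holding current comes from the text, while the peak current, the comparator tolerance and the simple model of an external source keeping a minimum current in the coil are assumptions.

```python
HOLD_A = 4.0        # holding current per mechanism coil (from the text)
MAX_A = 8.0         # assumed peak coil current; not given on the page
TOLERANCE_A = 0.5   # assumed comparator tolerance

# Reference profiles for a single step, one value per phase of the step.
REFERENCE = {
    "stationary": [HOLD_A, MAX_A, 0.0, HOLD_A],   # hold -> max -> zero -> hold
    "movable": [0.0, MAX_A, 0.0],                 # zero -> max -> zero
}


def measured_profile(coil, external_a=0.0):
    """Constructed measurement model, not plant data.

    An external DC source on a coil is modelled as a floor on the coil
    current: the current can rise with the profile but cannot fall below
    what the external source supplies.
    """
    return [max(ref, external_a) for ref in REFERENCE[coil]]


def compare(coil, measured):
    """Return (coil, phase, reference, measured) for every mismatching phase."""
    alarms = []
    for phase, (ref, act) in enumerate(zip(REFERENCE[coil], measured)):
        if abs(act - ref) > TOLERANCE_A:
            alarms.append((coil, phase, ref, act))
    return alarms


def check_step(external=None):
    """Run one step and compare both gripper coils with their references.

    external maps a coil name to the current (amperes) an external DC
    source keeps flowing in it; omit it for a normal step.
    """
    external = external or {}
    alarms = []
    for coil in REFERENCE:
        measured = measured_profile(coil, external.get(coil, 0.0))
        alarms += compare(coil, measured)
    # A gripper that never de-energizes cannot release, so the rod does not
    # step; here that is any alarm raised where the reference is zero.
    rod_stepped = not any(ref == 0.0 for _, _, ref, _ in alarms)
    return {"alarms": alarms, "rod_stepped": rod_stepped}


if __name__ == "__main__":
    print("normal step:        ", check_step())
    print("DC on movable coil: ", check_step({"movable": HOLD_A}))
    print("DC on stationary:   ", check_step({"stationary": HOLD_A}))
```
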

7.3.3 Evaluation Summary

In view of the preceding discussion, the postulated connection of an external power source (either AC or DC) or the occurrence of short circuits that could prevent dropping of the rods is not considered credible. Specifically:

1. The need for an outside power source has been eliminated by incorporating built-in holding sources as part of the rod control system and by providing two motor-generator sets.
2. The equipment is contained within enclosed steel cabinets precluding the possibility of an accidental connection of either AC or DC power in the cabinets.
3. Alternating current power distribution is accomplished using a steel-enclosed bus duct. The high-capacity (400-kVA) AC power source is unique and not readily available. Multiple connections are required.
4. Direct current power is distributed to the individual mechanisms through insulated cables and enclosed electrical connections precluding the accidental connection of an outside DC source external to the cabinets. The high-capacity DC source required to hold rods is not readily available in the rod control system, would require multiple connections, and would require deliberate positioning of switches within the enclosed cabinets.
5. Provisions are made in the system to permit the detection of an external DC source that could preclude a rod release.

The total capacity of the system including the overload capability of each motor-generator set is such that a single set out of service does not cause limitations in rod motion during normal plant operation. In order to minimize reactor trip as a result of a unit malfunction, the power system is normally operated with both units in service.

7.3.3.1 Turbine Bypass

A turbine bypass system is provided to accommodate a reactor trip with turbine trip and in conjunction with automatic reactor control can accommodate a load rejection without reactor and turbine trip. The maximum load rejection that can be accommodated without reactor and turbine trip depends on the full load Tavg. A maximum of 25% load rejection can be accommodated for the minimum acceptable full load Tavg of 550.5°F. As the full load Tavg is increased, larger load rejections can be accommodated until for full load Tavg values of 558°F or higher a maximum load rejection of 50% can be accommodated. The turbine bypass system removes steam to reduce the transient imposed upon the reactor coolant system so that the control rods can be positioned to reduce the reactor power to a new equilibrium value without allowing overtemperature and overpressure conditions in the reactor coolant system.

A turbine bypass is actuated by the coincidence of compensated coolant average temperature higher than the programmed value by a preset value and turbine load decrease greater than a preset value. All the turbine bypass valves open immediately upon receiving the bypass signal. The bypass valves are modulated by the compensated coolant average temperature signal after they are open. The turbine bypass reduces proportionally as the control rods act to reduce the coolant average temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The turbine bypass steam capacity is 40-percent of full-load steam flow at full-load steam pressure. The bypass flows to the main condenser.

7.3.3.2 Part-Length Power Supply

[Deleted]

7.3.3.3 Feedwater Control

Each steam generator is equipped with a three-element feedwater controller that maintains a programmed water level as a function of load on the secondary side of the steam generator. The three-element feedwater controller continuously compares actual feedwater flow with steam flow compensated by steam pressure with a water level setpoint to regulate the feedwater valve opening. The individual steam generators are operated in parallel, both on the feedwater and on the steam side.

Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the primary coolant following a reactor trip and turbine trip. A low-low steam generator water level initiates a reactor trip and also generates an increased level demand signal for the feedwater control system. The main feedwater valves move to the fully open position in response to this level demand. This provides an additional heat sink for the reduction of reactor coolant temperature to the no-load average temperature value. The feedwater regulating valves close on high steam-generator water level, safety injection, or a reactor trip coincident with low Tavg. In the latter case, the low flow feedwater bypass valve closure may be delayed by means of an installed timer to allow main feedwater to moderate the cooler auxiliary feedwater before it enters steam generators. Manual override of the feedwater control systems is also provided.

7.3.3.4 Pressure Control

The reactor coolant system pressure is controlled by electrical immersion heaters located near the bottom of the pressurizer, and spray in the steam region. A portion of the heater groups are proportional heaters and are used for pressure variation control and to compensate for ambient heat losses. The remaining (backup) heaters are turned on either when the pressurizer pressure is below a preset value or when the pressurizer level exceeds the programmed level setpoint by a preset amount. A small continuous spray flow is maintained when required to reduce boron stratification in the pressurizer and/or control the thermal gradient in the surge line. Heaters are operated as required to compensate for the spray and control pressure.

A spray nozzle is located at the top of the pressurizer. Spray is initiated when the pressure controller signal is above a preset setpoint. Spray rate increases proportionally with increasing pressure until it reaches the maximum spray capacity. Steam condensed by spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock when the spray valves open and to help maintain uniform water chemistry and temperature in the pressurizer.

Two power relief valves are designed to limit system pressure to 2335 psig for large load reduction transients. The relief valves are operated on the actual pressure signal. A separate interlock (set at approximately 2300 psig) is provided for each so that if a pressure channel indicates abnormally low, the valve activation is blocked. The logic for each is thus basically two out of two.

7.3.3.5 Overpressurization Protection System

This system uses a two-out-of-three actuation logic on high reactor coolant pressure, when reactor coolant temperature is less than a predetermined arming temperature, to open the power-operated relief valves automatically. This relief prevents the reactor coolant system from exceeding pressure limits given in 10 CFR 50, Appendix G.

Three spring-loaded safety valves are sized to limit system pressure to 2750 psia following a complete loss of load without direct reactor trip or turbine bypass. (See Section 4.3.4.)

7.3.4 System Design Evaluation

7.3.4.1 Plant Stability

Automatic Rod Control is only used once the plant has reached stable conditions. This allows for inward rod motion during the early stages of a plant transient without the need for operator action to limit Reactor Coolant System temperature increase. Operator action is required following the transient to restore reactor coolant average temperature to the programmed setpoint.

7.3.4.2 Step-Load Changes Without Turbine Bypass

A typical reactor power control requirement is to accept a 10-percent step-load decrease, without a plant trip, over the 15 to 100-percent power range for automatic control. The design must necessarily be based on conservative conditions, and a greater transient capability is expected for actual operating conditions.

The function of the control system is to minimize the reactor coolant average temperature increase during the transient within an acceptable value. Excessive pressurizer pressure variations are prevented by using spray and heaters in the pressurizer. Operator action is required following the transient to restore reactor coolant average temperature to the programmed setpoint.

7.3.4.3 Loading and Unloading

Ramp unloading is provided over the 15 to 100-percent power range under automatic control. Loading is performed under manual operator control only.

The coolant average temperature is increasing during loading, and there is a continuous insurge to the pressurizer resulting from coolant expansion. The sprays limit the resulting pressure increase. Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The heaters limit the resulting system pressure decrease. The pressurizer level is programmed such that the water level has an acceptable margin above the low-level heater cutout setpoint during the loading and unloading transients. Operator action is required to restore reactor coolant average temperature to the programmed setpoint.

7.3.4.4 Loss of Load With Turbine Bypass

The reactor coolant system is designed to accept 25 to 50-percent (depending on full power Tavg; see Section 7.3.1 and 7.3.3.1) loss of load accomplished as a turbine runback at a maximum rate of 200%/minute. No reactor trip or turbine trip will be actuated. The automatic turbine bypass system is able to accommodate this abnormal load rejection and to reduce the transient imposed upon the reactor coolant system. The reactor power is reduced at a rate consistent with the capability of the rod control system. The reducing of the reactor power is automatic down to 15-percent of full power. Manual control is used when the power is below this value. The bypass is removed as fast as the control rods are capable of inserting negative reactivity.

The pressurizer relief valves might be actuated for the most adverse conditions, for example, the most negative Doppler coefficient, and the minimum incremental rod worth. The relief capacity of the power-operated relief valves is sized large enough to limit the system pressure to prevent the actuation of high-pressure reactor trip for the most adverse conditions.

7.3.4.5 Turbine-Generator Trip With Reactor Trip

Turbine-generator unit trip is accomplished by reactor trip. With a secondary-system design pressure of 1100 psia, the plant is operated with a programmed average temperature as a function of load, with the full-load average temperature higher than the saturation temperature corresponding to the steam-generator safety valve setpoint. This, together with the fact that the thermal capacity in the reactor coolant system is greater than that of the secondary system, requires a heat sink to remove heat stored in the reactor coolant to prevent the actuation of steam-generator safety valves for turbine and reactor trip from full power.

This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of auxiliary feedwater to the steam generators. The turbine bypass system is controlled from the reactor coolant average temperature signal whose reference setpoint is reset upon trip to the no-load value. Turbine bypass actuation must be rapid to prevent steam-generator safety valve actuation. With the bypass valves open, the coolant average temperature starts to reduce quickly to the no-load setpoint. A direct feedback of reactor coolant average temperature acts proportionally to close the valves to minimize the total amount of steam bypassed.

Following turbine trip, the steam voids in the steam generators will collapse, and the opened feedwater valves will provide sufficient feedwater flow to restore water level in the downcomer. The feedwater flow is cut off when the reactor coolant average temperature decreases below a preset temperature value or when the steam-generator water level reaches a preset high setpoint.

Additional auxiliary feedwater makeup is then controlled manually to restore and maintain the steam-generator level while maintaining the reactor coolant at the no-load temperature. Residual heat removal (manually selected) is maintained by the steam-generator pressure controller, which controls the amount of turbine bypass to the condensers. This controller operates the same bypass valves to the condensers that are controlled by coolant average temperature during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall during the transient resulting from the coolant contraction. If heaters become uncovered following the trip, the chemical and volume control system will provide full charging flow to restore water level in the pressurizer. Heaters are then turned on to heat pressurizer water and restore pressurizer pressure to normal.

The turbine bypass and feedwater control systems are designed to prevent the coolant average temperature from falling below the programmed no-load temperature following the trip to ensure adequate reactivity shutdown margin.

7.3 FIGURES

Figure No.      Title
Figure 7.3-1    Simplified Block Diagram Of Reactor Control Systems
Figure 7.3-2    [Deleted]

7.4 NUCLEAR INSTRUMENTATION

7.4.1 Design Bases

7.4.1.1 Fission Process Monitors and Controls

Criterion:

Means shall be provided for monitoring or otherwise measuring and maintaining control over the fission process throughout core life under all conditions that can reasonably be anticipated to cause variations in reactivity of the core. (GDC 13)

The nuclear instrumentation system is provided to monitor the reactor power from source range through the intermediate range and power range up to 120-percent full power. The system provides indication, control, and alarm signals for reactor operation and protection.

The operational status of the reactor is monitored from the central control room. When the reactor is subcritical (i.e., during cold or hot shutdown, refueling, and approach to criticality), the relative status (neutron source multiplication) is continuously monitored and indicated by proportional counters located in instrument wells in the primary shield adjacent to the reactor vessel. Two source-detector channels are provided for supplying information on multiplication while the reactor is subcritical. A reactor trip is actuated from either channel if the neutron flux level becomes excessive. This system is checked prior to operations in which criticality may be approached. This is accomplished by the use of an incore source to provide a meaningful count rate even at the refueling shutdown condition. Any appreciable increase in the neutron source multiplication, including that caused by the maximum physical boron dilution rate, is slow enough to give ample time to start corrective action (boron dilution stop and/or emergency boron injection) to prevent the core from becoming critical (as discussed in Sections 14.1.5.2.3 and 14.1.5.3). A third channel is provided for use under conditions requiring alternate safe-shutdown system operation. The third channel may be used for core monitoring in MODE 6 with a safety related power supply and a read out in the Control Room.

Means for showing the relative reactivity status of the reactor are as follows:

1. Rod position.
2. Source, intermediate, and power range detector signals.
3. Boron concentration.
4. RCS average temperature.

The position of the control banks is directly related to the reactivity status of the reactor when at power, and any unexpected change in the position of the control banks under automatic control or change in the RCS average temperature (calculated from hot-leg and cold-leg temperatures) under manual or automatic control provides a direct and immediate indication of a change in the reactivity status of the reactor. Periodic samples of the coolant boron concentration are taken. The variation in concentration during core life provides a further check on the reactivity status of the reactor including core depletion.

High nuclear flux protection is provided both in the power and intermediate ranges by reactor trips actuated from either range if the neutron flux level exceeds trip setpoints. When the reactor is critical, the best indication of the reactivity status in the core (in relation to the power level and average coolant temperature) is the control room display of the rod control group position.

7.4.2 System Design

The three instrumentation ranges are provided with overlap between adjacent ranges so that continuous readings will be available during transition from one range to another as indicated in Figure 7.4-1. The sensitivities of the neutron detectors are also shown in Figure 7.4-1. The nuclear instrumentation system diagram is shown in Figure 7.4-2.

7.4.2.1 Detectors

The system consists of six detector assemblies located in instrument wells around the reactor as shown in Figure 7.4-3. The six assemblies provide the following instrumentation:

1. Power Range.

This range consists of four independent long uncompensated ionization chamber assemblies. Each assembly is made up of two sensitive lengths. One sensitive length covers the upper half of the core, and the other length covers the lower half of the core.

The arrangement provides in effect a total of eight separate ionization chambers approximately one-half the core height. The eight uncompensated (guard-ring) ionization chambers sense thermal neutrons in the range from 2.5 x 10³ to 2.5 x 10¹⁰ neutrons/cm²-sec. Each has a nominal sensitivity of 1.7 x 10⁻¹³ amperes per neutron/cm²-sec. The four long ionization chamber assemblies are located in vertical instrument wells adjacent to the four "corners" of the core. The assembly is manually positioned in the assembly holders and is electrically isolated from the holder by means of insulated standoff rings.

2. Startup Range (Intermediate and Source).

There are two separate assemblies. Each assembly covers two ranges. Each assembly contains one compensated ionization detector (intermediate range) and one proportional counter (source range). A third source range assembly is also provided for use under alternate safe-shutdown conditions.

The source range neutron detectors are integral cable proportional counter assemblies. The proportional counter is filled with Boron Trifluoride (BF₃) gas enriched to greater than 90% in the B¹⁰ isotope, with a thermal neutron sensitivity of approximately 13 counts/neutron cm² at an operating voltage of 2000 volts. The detectors sense thermal neutrons in the range from 10⁻¹ to 5 x 10⁴ neutrons/cm²-sec, to produce a pulse rate between 10⁰ and 5 x 10⁵ counts/sec. The range of the source range channel is 10⁰ to 10⁶ counts/sec.

The neutron detectors are positioned in detector assembly containers by means of a linear, high-density moderator insulator. The detector and insulator units are packaged in a housing that is inserted into the guide thimbles. The detector assembly is electrically isolated from the guide thimble by means of insulated standoff rings.

The intermediate-range neutron detectors are compensated ionization chambers that sense thermal neutrons in the range from 2.5 x 10² to 2.5 x 10¹⁰ neutrons/cm²-sec and have a nominal sensitivity of 4 x 10⁻¹⁴ amperes per neutron/cm²-sec. They produce a corresponding direct current of 10⁻¹¹ to 10⁻³ A. These detectors are located in the same detector assemblies as the proportional counters for the source range channels.

The electronic equipment for each of the source, intermediate, and power range channels is contained in a draw-out panel mounted adjacent to the main control board.

7.4.2.1.1 Power Range Channels

There are three sets of power range measurements. Each set uses four individual currents as follows:

1. Four currents directly from the lower sections of the long ionization chambers.
2. Four currents directly from the upper sections.
3. Four total currents of items 1 and 2, equivalent to the average of each section.

For each of the four currents in items 1 and 2, the current measurement is indicated directly by a microammeter, and isolated signals are available for control console indication and recording. Analog signals proportional to individual currents are transmitted through buffer amplifiers to the over-temperature and overpower ΔT channels and provide automatic reset of the trip point for these protection functions. The total current, equivalent to the average, is then applied through a linear amplifier to the bistable trip circuits. The amplifiers are equipped with gain and bias controls for adjustment to the actual output corresponding to 100-percent rated reactor power.

Each of the four amplifiers also provides amplified isolated signals to the main control board for indication and for use in the reactor control system. Each set of bistable trip outputs is operated as a two-out-of-four coincidence to initiate a reactor trip. Bistable trip outputs are provided at low- and high-power setpoints depending on the operating power. To provide more protection during startup operation, the low-range power bistable is used. This trip is manually blocked after a permissive condition is obtained by two-out-of-four power range channels. The high-power trip bistable is always active.

The four amplifier signals corresponding to item 3 above are supplied to circuits that compare a referenced channel output with the corresponding signal from the other channels. Alarms are provided to present deviations that might be indicative of quadrant flux asymmetries.

Signals derived from the power range instruments are also supplied to the plant computer.

These signals are used to monitor radial and axial flux tilt in the following manner:

1. Radial flux tilt is determined by comparing the signals obtained from the upper sections of the ionization chambers. The signals obtained from the lower sections are also compared to each other in the same manner. The value of the deviation is supplied to the operator by means of a visual display. The existence of a radial flux tilt can be verified by the use of incore instrumentation.
2. Axial flux tilt is determined by comparing the sum and/or average of the upper sections of the ionization chambers to the sum and/or average of the signals from the lower sections. The operator will be informed by a computer alarm if the deviation exceeds a preset value of 20-percent full power. A visual display is provided by four meters located on the flight panel, each of which indicates individual detector axial flux tilt.

3. Delta flux is determined by comparing the difference in signals between the upper and lower power range detectors. The program outputs two types of alarm messages. Above a preset power level (90-percent), an alarm message is printed out immediately upon discovering a delta flux alarm. Below this power level, an alarm message is printed if the delta flux has exceeded its allowable limits for a preset cumulative amount of time in the past 24 hr.
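The two-out-of-four trip coincidence, the permissive-gated block of the low-range trip, and the radial and axial tilt comparisons described above can be modelled as follows. This is an added illustration, not code or logic taken from the FSAR or the plant: the class and function names are hypothetical, the section signals are assumed to be scaled so that upper plus lower equals percent power, and all setpoints except the 20-percent axial tilt alarm are assumed values.

```python
from dataclasses import dataclass
from statistics import mean

# Setpoints in percent of rated power. Only the 20 % axial tilt alarm value is
# stated in the text; the other three are assumed for illustration.
HIGH_TRIP_PCT = 108.0         # assumed high-power bistable setpoint
LOW_TRIP_PCT = 25.0           # assumed low-range (startup) bistable setpoint
PERMISSIVE_PCT = 10.0         # assumed permissive level for blocking the low trip
AXIAL_TILT_ALARM_PCT = 20.0   # preset alarm value given in the text


@dataclass(frozen=True)
class PowerRangeChannel:
    """One long ion chamber assembly: upper and lower section signals, scaled
    so that upper + lower is indicated power in percent (assumed scaling)."""
    upper: float
    lower: float

    @property
    def power(self) -> float:
        # Item 3 in the text: the total of the two section currents.
        return self.upper + self.lower


def two_of_four(flags) -> bool:
    """Coincidence logic: true when at least two of the four bistables are tripped."""
    flags = list(flags)
    if len(flags) != 4:
        raise ValueError("power range logic expects exactly four channels")
    return sum(bool(f) for f in flags) >= 2


def low_trip_block_permitted(channels) -> bool:
    """The manual block is only available once 2-of-4 channels show the permissive."""
    return two_of_four(ch.power >= PERMISSIVE_PCT for ch in channels)


def reactor_trip(channels, low_trip_blocked: bool) -> bool:
    """High-power trip is always active; low-range trip acts unless blocked."""
    high = two_of_four(ch.power >= HIGH_TRIP_PCT for ch in channels)
    low = two_of_four(ch.power >= LOW_TRIP_PCT for ch in channels)
    return high or (low and not low_trip_blocked)


def axial_tilt(channels) -> float:
    """Average of the upper sections minus average of the lower sections."""
    return mean(ch.upper for ch in channels) - mean(ch.lower for ch in channels)


def axial_tilt_alarm(channels) -> bool:
    return abs(axial_tilt(channels)) > AXIAL_TILT_ALARM_PCT


def radial_deviation(channels, section: str = "upper"):
    """Deviation of each chamber's section signal from the four-chamber average."""
    values = [getattr(ch, section) for ch in channels]
    avg = mean(values)
    return [v - avg for v in values]


# Constructed sample states (not plant data).
C = PowerRangeChannel
STARTUP = [C(13.5, 12.5), C(13, 13), C(5, 5), C(6, 6)]        # 26, 26, 10, 12 %
AT_POWER = [C(50, 50), C(50.5, 50.5), C(49.5, 49.5), C(50, 50)]
ONE_FAILED_HIGH = [C(60, 60), C(50, 50), C(50, 50), C(50, 50)]  # single channel at 120 %
TWO_HIGH = [C(55, 54), C(54.5, 54), C(50, 50), C(50, 50)]       # 109 % and 108.5 %
TILTED = [C(62, 38)] * 4                                        # flux pushed to top of core

if __name__ == "__main__":
    print("startup trip (low trip armed):", reactor_trip(STARTUP, False))
    print("single failed channel trips:  ", reactor_trip(ONE_FAILED_HIGH, True))
    print("two channels high trips:      ", reactor_trip(TWO_HIGH, True))
    print("axial tilt / alarm:           ", axial_tilt(TILTED), axial_tilt_alarm(TILTED))
```

A single channel failing high shows up in the deviation comparison but cannot by itself satisfy the coincidence, which is the property the two-out-of-four arrangement is there to provide.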

The overpower trip will be set so that, for operating limit reactor conditions concurrent with the maximum instrumentation and bistable setpoint error, the maximum reactor overpower condition will be limited to 118-percent, as discussed in Chapter 14. This limit is accomplished by the use of solid-state instrumentation and long ionization chambers, which permit an integration of the flux external to the core over the total length of the core, thereby reducing the influence of axial flux distribution changes resulting from control rod motion.

The ion chamber current of each detector is measured by sensitive meters with an accuracy of 0.0 5-percent. A shunt assembly and switch in parallel with each meter allows the selection of one of four meter ranges. The available ranges are 0 to 100, 0 to 500, 0 to 1000, and 0 to 5000 µA. The shunt assemblies are designed in such a manner that they will not disconnect the detector current to the summing assembly upon meter failure or during switching. An isolation amplifier provides an analog signal proportional to ion chamber current for recording, data logging, and delta flux indication. A test calibration unit provides necessary switches and signals for checking and calibrating the power range channels.

The linear amplifier accepts the output currents from each of the two chamber sections and derives a nuclear power signal proportional to the summed direct currents. This unit amplifies the currents, and converts the normal current signal to a voltage signal suitable for operation of associated components such as bistables and isolation amplifiers.

Multiple power supplies furnish necessary positive and negative voltages for the individual channels and detector power.

Mounted on the front panel of each power range channel drawer are the ion chamber current meters, shunt selector switches with appropriate positions, and the nuclear power indicator (0 to 120-percent full power).

The isolated nuclear power signals are available for recording by the nuclear instrumentation system recorder. An isolated nuclear power signal is available for recording overpower conditions up to 200-percent full power.

Alarm signals for dropped-rod - rod stop, overpower - rod stop, over-power reactor trip, and channel test are annunciated on the main control board. Control signals sent to the reactor control and protection system include dropped-rod - rod stop, overpower - rod stop, overpower - reactor trip, and permissive circuit signals. These are described in Section 7.2.

7.4.2.1.2 Intermediate-Range Channels

There are two intermediate range channels that use two compensated ionization chambers. Direct current from the ion chambers is transmitted through triaxial cables to transistor logarithmic current amplifiers in the nuclear instrumentation equipment.

The logarithmic amplifier derives a signal proportional to the logarithm of the current as received from the output of the compensated ion chamber. The output of the logarithmic amplifier provides an input to the level bistables for reactor protection purposes and source range cutoff. The bistable trip units are similar to those in the other ranges. The trip outputs can be manually blocked after receiving a permissive signal from the power range channels. On decreasing power, the intermediate-range trips for reactor protection are automatically inserted when the power range permissive signal is not present. To prevent inadvertent and unnecessary reactor trips during power reductions prior to shutdown, operating procedures allow these trips to be manually bypassed until they have reset to the untripped condition and the reset has been verified.

Low-voltage power supplies contained in each drawer furnish the necessary positive and negative voltages for the channel electronic equipment. Two medium-voltage power supplies, one in each channel, furnish compensating voltage to the two compensated ion chambers. The high voltage for the compensated ion chambers is supplied by separate power supplies also located in the intermediate-range drawers.

On the front panel of the intermediate range channel cabinet and on the control board is mounted a neutron (log N) flux level indicator calibrated in terms of ion chamber current (10⁻¹¹ to 10⁻³ A). Isolated neutron flux level signals are available for recording and startup rate computation. The startup rate for each channel is indicated at the main control board in terms of decades per minute over the range of -0.5 to 5.0 decades/min.

Channel test, intermediate channel above source range cutoff point, intermediate range trips not armed, block rod withdrawal, and reactor trip signals are alarmed on the main control board annunciator. The latter signal is sent to the reactor protection system.

7.4.2.1.3 Source Range Channels

There are two source range channels using boron lined proportional counters. Neutron flux, as measured in the primary shield area, produces current pulses in the detectors. These preamplified pulses are applied to transistor amplifiers and discriminators located in the central control room. Triaxial cable is used for all interconnections from the detector assemblies to the instrumentation in the central control room. The preamplifiers are located outside the reactor containment.

These channels indicate the source range neutron flux and startup rate and provide high flux level reactor trip and alarm signals to the reactor control and protection system. The reactor trip signal is manually blocked when a permissive signal from the intermediate range is available. They are also used at shutdown to provide audible alarms in the reactor containment and central control room of any inadvertent increase in reactivity. An audible count rate signal is used during initial phases of startup and is audible in both the reactor containment and central control room.

Amplifiers are used to obtain a high-level signal prior to the elimination of noise and gamma pulses by the discriminator. The discriminator output is shaped for use by the log integrator.

The log integrator derives an analog signal, proportional to the logarithm of the number of pulses per unit time, as received from the output of the previous unit. This unit performs log integration of the pulse rate to determine the count rate; a linear amplifier amplifies the log integrator output for indication, recording, control, and rate computation through isolation amplifiers.

Each source range contains two bistable trip units. Both units trip on high flux level, but one is used during shutdown to alarm reactivity changes and the other provides overpower protection during shutdown and startup. The shutdown alarm unit is blocked manually prior to startup or can serve as a startup alarm. When the input to either unit is below its setpoint, the bistable is in its normal position and assumes a "fully-on" status. When an input from the log amplifier reaches or exceeds the setpoint, the unit reverses its condition and goes "fully-off." The output of the reactor trip unit controls relays in the reactor protection system. Power supplies furnish the positive and negative voltages for the transistor circuits and alarm lights and the adjustable high voltage for the neutron detector.

A test calibration unit can insert selected test or calibration signals into the preamplifier channel input or the log amplifier input. A set of precalibrated level signals is provided to perform channel tests and calibrations. An alarm is registered on the main control board annunciator whenever a channel is being tested or calibrated. A trip bypass switch is also provided to prevent a reactor trip during channel test under certain reactor conditions.

The neutron detector high-voltage cutoff assembly receives a trip signal when a one-of-two matrix controlled by intermediate-range channel flux level bistables and manual block condition are present and disconnects the voltage from the source range channel high-voltage power supply to prevent operation of the boron lined counter outside its design range. In addition, a high-voltage manual control switch is installed to prevent inadvertent energization of the source range high voltage while at power. The position of the switch is administratively controlled to ensure that the source range high voltage is energized upon a reactor trip or normal shutdown when the detector current is less than 10⁻¹⁰ amps.

Mounted on the front panel of the source range channel is a neutron flux level indicator calibrated in terms of count rate level (1 to 10⁶ cps). Mounted on the control board is a neutron count rate level indicator (1 to 10⁶ cps). Isolated neutron flux signals are available for recording by the nuclear instrumentation system recorder and startup rate computation. The startup rate for each channel is indicated at the main control board in terms of decades per minute over the range of -0.5 to +5.0 decades/min. The isolation network for these signals prevents any electrical malfunction in the external circuitry from affecting the signal being supplied to the flux level bistables. The signals for channel test, high neutron flux at shutdown, and source reactor trip are alarmed on the main control board annunciator. In addition, there are annunciators for the following source range conditions: "Source Range High Shutdown Flux Alarm Blocked", "NIS Channel Test", "Source Range Loss of Detector Voltage", and "NIS Trip Bypass".

7.4.2.2 Auxiliary Equipment

7.4.2.2.1 Comparator Channel

The comparator channel compares the four nuclear power signals of the power range channels with one another. A local alarm on the channel is actuated when any two channels deviate from one another by a preset adjustable amount. During full-power operation, the comparator serves to sense and annunciate channel failures and/or deviations.

7.4.2.2.2 Dropped Rod Protection

As backup to the primary protection for the dropped rod cluster control accident, the rod bottom signal, an independent detection means is provided using the out-of-core power range nuclear channels. The dropped-rod sensing unit contains a difference amplifier, which compares the instantaneous nuclear power signal with an adjustable power lag signal and responds with a trip signal to the bistable amplifier when the difference exceeds a preset adjustable amount. Above a given power level the signal initiates protective action in the form of a turbine load cutback. Bypass switches have been installed, which are normally in the DEFEAT position, so as to bypass the runback of this signal.
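The comparison of the instantaneous power signal against a lagged copy of itself can be sketched as a first-order lag followed by a threshold on the difference. This is an added illustration, not the plant's circuit or settings: the function names are hypothetical, the lag time constant, the difference threshold and the power level for load cutback are assumed values, and the difference is taken as lagged minus instantaneous so that only a sudden decrease trips.

```python
def lagged(samples, dt, tau):
    """First-order lag of the power signal: discrete form of tau*dy/dt + y = x."""
    alpha = dt / (tau + dt)
    y = samples[0]                 # start the lag at the initial power level
    out = []
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def trip_signal(samples, dt=0.1, tau=5.0, drop_pct=5.0):
    """Per-sample bistable state: True while (lagged - instantaneous) > drop_pct.

    dt and tau are in seconds, drop_pct in percent power. All three defaults
    are assumed values for illustration.
    """
    return [y - x > drop_pct for x, y in zip(samples, lagged(samples, dt, tau))]


def detect_dropped_rod(samples, dt=0.1, tau=5.0, drop_pct=5.0):
    """Index of the first tripped sample, or None if the bistable never trips."""
    for i, tripped in enumerate(trip_signal(samples, dt, tau, drop_pct)):
        if tripped:
            return i
    return None


def load_cutback_demanded(detected, power_pct, bypass_in_defeat,
                          min_power_pct=70.0):
    """Turbine load cutback is demanded only above a given power level
    (min_power_pct is assumed) and only if the bypass switch is not in DEFEAT."""
    return bool(detected) and power_pct > min_power_pct and not bypass_in_defeat


# Constructed power traces in percent, sampled every 0.1 s (not plant data).
STEP_DROP = [100.0] * 100 + [92.0] * 100                     # sudden 8 % drop at t = 10 s
SMALL_STEP = [100.0] * 50 + [97.0] * 50                      # 3 % step, below threshold
SLOW_RAMP = [100.0 - 8.0 * i / 4000 for i in range(4001)]    # same 8 % over 400 s

if __name__ == "__main__":
    print("step drop detected at sample:", detect_dropped_rod(STEP_DROP))
    print("samples with trip asserted:  ", sum(trip_signal(STEP_DROP)))
    print("small step detected:         ", detect_dropped_rod(SMALL_STEP))
    print("slow ramp detected:          ", detect_dropped_rod(SLOW_RAMP))
```

The same 8-percent reduction made slowly never trips, because the lagged signal tracks it; the trip output also clears by itself once the lag catches up with the new power level.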

7.4.2.2.3 Audio Count Rate Channel

The audio count channel provides audible source range information during refueling operations in both the central control room and the reactor containment. In addition, this channel signal is fed to a scaler-timer assembly, which produces a visual display of the count rate for an adjustable sampling period.

7.4.2.2.4 Recorders

One large, two-pen strip-chart recorder is mounted on the main control board for recording the complete range of the source and intermediate channels. It is also possible to record any two power range channels as linear signals. Variable chart speeds are provided with controls for changing the span and zero during intermediate-range operation.

The switching of inputs to the recorders does not cause any spurious signals that would initiate false alarms or reactor trips.

Four 2-pen recorders are provided, one for each power range, to record the flux level from each of the eight sections comprising the four long ion chambers.

7.4.2.2.5 Power Supply

The nuclear instrumentation system is powered by four 120-V independent vital instrument AC bus circuits (see Chapter 8).

7.4.3 System Evaluation

7.4.3.1 Loss of Power

Loss of nuclear instrumentation power would result in the initiation of all reactor trips associated with the channel power failure. In addition, all trips that were blocked prior to loss would be unblocked and initiated.

7.4.3.2 Reliability and Redundancy

The requirements established for the reactor protection system apply to the nuclear instrumentation. All channel functions are independent of every other channel.

7.4.3.3 Safety Factors

The relation of the power range channels to the reactor protection system has been described in Section 7.2. To maintain the desired accuracy in trip action, the total error from drift in the power range channels will be held to +1-percent at full power. Routine tests and recalibration will ensure that this degree of deviation is not exceeded. Bistable trip setpoints of the power range channels will also be held to an accuracy of +1-percent of full power. The accuracy and stability of the equipment have been verified by vendor tests.

7.4.3.4 Overpower Trip Setpoint

The overpower trip setpoint for the Indian Point Unit 2 reactor is 10 7.4-percent of rated thermal power. This trip point was selected to provide adequate assurance that spurious reactor trips will not occur in normal operation.

TABLE 7.4-1 DELETED

TABLE 7.4-2 DELETED

7.4 FIGURES

Figure No.    Title
Figure 7.4-1  Neutron Detectors And Range Of Operation
Figure 7.4-2  Nuclear Instrumentation System
Figure 7.4-3  Plan View Indicating Detector Location Relative To Core

7.5 PROCESS INSTRUMENTATION

7.5.1 Design Bases

The nonnuclear process instrumentation measures temperatures, pressures, flows, and levels in the reactor coolant system, steam system, reactor containment, and auxiliary systems.

Process variables required on a continuous basis for the startup, operation, and shutdown of the unit are indicated and controlled from the control room. Essential parameters are also recorded. The quantity and types of process instrumentation provided ensure safe and orderly operation of all systems and processes over the full operating range of the plant.

Certain controls that require a minimum of operator attention, or are only in use intermittently, are located on local control panels near the equipment to be controlled. Monitoring of the alarms of such control systems is provided in the control room. Table 7.5-1 includes a list of important process instrumentation, indication, and safeguards functions.

7.5.2 System Design

Much of the process instrumentation provided in the plant has been described in the reactor control and protection and nuclear instrumentation system. The most important instrumentation used to monitor and control the plant has been described in the above systems descriptions.

The remaining portion of the process instrumentation is generally shown on the respective systems process flow diagrams.

Condensate pots and wet legs are used to prevent process temperatures from actually reaching the transmitters.

7.5.2.1 Engineered Safety Features

The following instrumentation ensures coverage of the effective operation of the engineered safety features. Compliance with the requirements of Regulatory Guide 1.97 is referenced in Section 7.1.5.

7.5.2.1.1 Containment Pressure

The containment pressure is transmitted to the main control board for postaccident monitoring. Six (-5 to +75 psig) transmitters are installed outside the containment for protection against potential missile damage. The pressure is indicated (all six channels) on the main control board.

The six channels monitoring containment pressure initiate containment spray, phase B containment isolation, containment ventilation isolation, and steam line isolation, as well as reflecting the effectiveness of engineered safety features.

As part of the TMI Action Plan modifications for Indian Point Unit 2 (NUREG-0737), a continuous indication of containment pressure is provided in the central control room by two recorder indicator units covering a range of -10 to 150 psig.

7.5.2.1.2 Containment Water Level

Redundant containment water level indicators, one in each sump (LT-939 in the recirculation sump and LT-941 in the containment sump) are relied upon to show that water has been delivered to the containment following a loss-of-coolant accident, and subsequently show that sufficient water has been collected by the sump to permit recirculation to the reactor and/or to the spray headers and to show that water is below the flood level to protect electrical equipment from submergence. These transmitters are mounted inside the containment and have been environmentally qualified. The level indications in the central control room are as follows:

For the containment sump: one "thermal type" detector (LT-941) provides a series of five lights each energized from the associated instrument as a preset level is exceeded; one differential pressure "bubbler type" transmitter (LT-3304) provides a series of five lights each energized from the associated instrument as a preset level is exceeded; and one differential pressure transmitter (LT-3300) provides a calibrated sump level span that is continuously indicated. An audible alarm is also provided for increasing sump level (see Section 6.7.1.2.13).

For the recirculation sump: two magnetic switch/float type detectors (LT-938 and LT-939) provide a series of five lights each energized from the associated instrument as a preset level is exceeded; and one differential pressure transmitter (LT-3301) provides a calibrated sump level span that is continuously indicated (see Section 6.7.1.2.14).

Refer to Section 6.2 for further description of the two sumps serving the internal and external recirculation loops. In addition, a differential-pressure-level transmitter has been installed in the reactor cavity pit (see Section 6.7.1.2.15).

7.5.2.1.3 Containment Hydrogen Concentration

As part of the TMI Action Plan modifications for Indian Point Unit 2 (NUREG-0737), a continuous indication of hydrogen concentration in the containment atmosphere is provided in the central control room. The containment hydrogen/oxygen monitor system is described in Section 6.8.2.3.

7.5.2.1.4 Refueling Water Storage Tank Level

Refueling water storage tank level measurement is provided by:

1. A local level indicator at the tank, and
2. Two separate, redundant transmitting channels, which provide level indication and level alarms in the central control room for the initiation of the changeover to the postaccident recirculation phase.

In the case of a large-break loss-of-coolant accident (LBLOCA) and full operation of all safeguards and spray pumps, the RWST level alarms will annunciate after approximately 20 minutes. At this time, the operator is required to proceed with the changeover sequence. The tank level indicator is available for confirmation. Information on the level of water in both the recirculation and containment sumps is also available to the operator during this period via the sump level instrumentation.

In view of the information provided to the operator, together with the procedure, which he is required to follow, no single instrument failure would cause him to follow a course of action that could in any way jeopardize core cooling.

The water in the storage tank is protected from freezing by a thermostat that turns the heating medium on and off. Instrument lines are freeze protected.

7.5.2.1.5 Condensate Water Storage Tank Level

An additional channel has been added to the original water level indication channel. The added level channel includes an alarm switch to actuate the low-level alarm in the central control room. In addition, there is a low-temperature alarm to indicate heat tracing failure or a low instrument ambient temperature. The instrument lines are freeze protected.

7.5.2.1.6 Safety Injection Pumps Discharge Pressure

These channels show that the safety injection pumps are operating. The transmitters are outside the containment.

7.5.2.1.7 Accumulator Level

Each of the safety injection system accumulator tanks contains two differential-pressure-type liquid level transmitters providing the electrical signal for separate channel level indicators and high- and low-level alarms in the central control room.

7.5.2.1.8 Pump Energization

All pump motor power feed breakers indicate that they have closed by energizing indicating lights on the control board.

7.5.2.1.9 Valve Position

All engineered safety features valves have position indication on the control board to show proper positioning of the valves. Air-operated and solenoid-operated valves are selected so as to move in a preferred direction on the loss of air or power. Motor-operated valves remain in the position at time of loss of power to the motor.

Acoustic sensors installed on the code safety valves discharge lines provide indication in the central control room of the "flow" or "non-flow" condition of line safety valves. The power-operated relief valves have a direct valve position indication in the central control room. The acoustic monitoring system was installed to comply with the requirements of NUREG-0578.

7.5.2.1.10 Residual Heat Exchangers

Combined exit flow is indicated and combined inlet and combined exit temperatures are recorded on the control board to monitor the operation of the residual heat exchangers. A high pressure is annunciated on the auxiliary coolant system panel in the central control room.

7.5.2.1.11 Fan Coolers

The service water discharge flow is indicated in the control room. The flow transmitters are located inside the containment. The temperature of each of the five fan coolers' service water is indicated locally. A control room alarm is actuated if the flow is low during safety injection. In addition, the exit flow is monitored for radiation and alarmed in the control room if high radiation should occur. There are redundant radiation monitors, and the faulty cooler can be identified by manually sampling the flow from each unit in turn and using these monitors.

7.5.2.1.12 Bus Undervoltage

The normal 480-V feeds to the safeguard buses are tripped upon sustained undervoltage. An alarm and indicator light are also provided in the control room to alert the operator in advance of attaining the actual undervoltage trip level. Each bus is monitored by two undervoltage relays (set at approximately 88-percent). Two-out-of-two logic will activate an agastat relay (set at 180 + 30 sec), which in turn trips its respective 480-V feeder breaker. This trip has been added to provide additional Class A/Class 1E protection of the safeguards loads against degraded voltage conditions. Two separate Asea Brown Boveri (ABB) type 27N high accuracy relays are used for each bus. A separate category alarm and lights on a panel in the central control room alert the operator when any 480-V bus voltage falls to approximately 94-percent. These may actuate during load-sequencing operations, but they are primarily intended to alert the operator to sustained degraded voltages that result from problems on the offsite power system. A separate Westinghouse type CP relay is used for each bus. These alarm circuits and relays are subject to an actuation operability test each 31 days and a channel calibration each 24 months.

In the unlikely event of a sustained degraded voltage coincident with a safety injection signal for approximately 10 2 sec, the 480-V feed breaker to the safeguards bus will trip.

7.5.2.1.12.1 Station Auxiliary Transformer Load Tap Changer SI Signal

The Load Tap Changer (LTC) is used to maintain the nominal voltage level on the Station Auxiliary Transformer's (SAT's) 6.9 KV buses by automatically raising or lowering the SAT secondary winding taps in response to voltage variations on the 6.9 KV buses. During an SI event, the SI signal will raise the LTC tap position, increasing the voltage towards a pre-selected voltage in anticipation of the increased loads from the fast transfer of the loads held by the four 6.9 KV in-house buses to the SAT, thus reducing the severity of a degraded voltage condition on the 480V and 6.9KV buses.

7.5.2.1.13 Reactor Coolant Pump Seal Injection

The seal injection flow rate to each reactor coolant pump is indicated locally by a ΔP gauge. A flow transmitter in parallel with each of the ΔP gauges provides remote flow indication in the central control room. The system does not provide an alarm or initiate any safety action.

7.5.2.1.14 Reactor Vessel Level

A reactor vessel level indication system has been installed to assist the operator in determining the presence of voids in the reactor vessel. The reactor vessel level indication system, which is mainly part of the inadequate core cooling instrumentation (Section 4.2.11), indicates the water level from the bottom to the top of the reactor vessel and under different coolant flow conditions with and without reactor coolant pumps operating. The system is described in Section 4.2.11.

7.5.2.1.15 Subcooling Margin Monitoring System

The subcooling margin monitoring system has been installed in accordance with the requirements of NUREG-0578 and NUREG-0737. The system provides indication for aiding the operator in diagnosing early symptoms of inadequate core cooling during transients and accidents and determining whether or not safety injection can be terminated.

The system has two independent, redundant channels, each providing indication in the control room. The inputs of one subcooling margin monitoring channel (reactor coolant system pressure, hot-leg temperature, cold-leg temperature) are provided by a wide-range reactor coolant system pressure transmitter in reactor coolant loop 21, and the reactor coolant system cold- and hot-leg resistance temperature detectors in loops 21 and 23.

The redundant channel receives pressure input from a transmitter in loop 24, and temperature input from detectors in loops 22 and 24.

The system is energized from Class 1E power supplies.

The subcooling margin monitors are located in the central control room along with their associated signal conditioning equipment.

7.5.2.1.16 Reactor Coolant System Pressure

RCS pressure is monitored on three of the four primary loops.

Signals from PT 402 and PT 403 on loops 21 and 24 provide wide range pressure indication in the Central Control Room and independent, redundant interlock signals to the RHR isolation valves (730 and 731) to prevent opening them at high RCS pressures. RCS pressure for PT 402 and PT 403 is transmitted through a filled capillary system to transmitters located outside containment in the Pipe Penetration Area. The sensing lines are connected to the pressure sensor bellows to capillary lines extending through the penetrations, to hydraulic isolators, which are located outside of containment. The capillary lines are routed through separate penetrations as shown on Figure 7.5-1.

Signals from PT 413, PT 433 and PT 443 on loops 21, 23 and 24 provide input to the Overpressure Protection System (Section 7.3.3.5).

7.5.2.1.17 Pressurizer Relief Tank Temperature

Temperature in the pressurizer relief tank may be used as an indication of pressurizer relief valve position, backing up the acoustic monitors. A temperature indicator is provided in the control room.

7.5.2.1.18 Alarms

Visual and/or audible alarms are provided to call attention to abnormal conditions. The audible alarms are of the individual acknowledgment type; that is, the operator must recognize and silence the audible alarm for each alarm point. For most control systems, the sensing device and circuits for the alarms are independent, or isolated from, the control devices.

In addition to the above, the following local instrumentation is available:

1. Containment spray test lines total flow.
2. Safety injection test line pressure and flow.

7.5.3 System Evaluation

Redundant instrumentation has been provided for all inputs to the protection systems and vital control circuits.

Where wide process variable ranges and precise control are required, both wide-range and narrow-range instrumentation are provided.

Instrumentation components are selected from standard commercially available products.

All electrical and electronic instrumentation required for safe and reliable operation is supplied from four redundant instrumentation buses.

TABLE 7.5-1 Process Instrumentation, Indication, and Safeguards Functions

| Parameter | Transmitters/Sensors | Read-Out (Note 1) | Power (Note 2) | Prot/Safeguards Use | Taps |
|---|---|---|---|---|---|
| Reactor coolant temperature | 8 RTDs | CB meter | Ext. | T trips, Tavg permissives | 1 each |
| Pressurizer pressure | 4 transmitters | CB meter | Ext. | Hi/low pressure trips, SIS | 3 (top level), one shared, 3 pairs |
| Pressurizer level | 3 P transmitters | CB meter | Ext. | Hi Level trip | 3 (top level), one shared, 3 pairs |
| Steam flow | 8 P transmitters | CB meter | Ext. | Mismatch trip, SIS | 1 pair each |
| Feedwater flow | 8 P transmitters | CB meter | Ext. | Mismatch trip | 1 pair each |
| Steam pressure | 12 transmitters | CB meter | Ext. | SIS | 1 each |
| Steam generator level | 12 P transmitters | CB meter | Ext. | Mismatch trip, Low level trip | 1 pair each |
| Reactor coolant flow | 12 P transmitters | CB meter | Ext. | Low flow trip | 1 high pressure each, 1 low pressure shared/loop |
| Containment pressure | 6 transmitters | CB meter | Ext. | SIS (2/3), Spray (2/3+2/3) | 3 shared |
| Steam Header pressure | 2 transmitters | Blind | Ext. | Setpoint programs and turbine power permissives | 1 each |

Notes:
1. CB is control board.
2. Ext. is external.

7.5 FIGURES

| Figure No. | Title |
|---|---|
| Figure 7.5-1 | Reactor Coolant Wide Range Pressure Instrument System - Flow Diagram |

7.6 INCORE INSTRUMENTATION

7.6.1 Design Basis

The incore instrumentation is designed to yield information on the neutron flux distribution and fuel assembly outlet temperatures at selected core locations. Using the information obtained from the incore instrumentation system, it is possible to confirm the reactor core design parameters and calculated hot-channel factors. The system provides means for acquiring data and performs no operational plant control. The incore thermocouples are also designed to provide information for diagnosing the onset of inadequate core cooling and for mitigating its effects.

7.6.2 System Design

The incore instrumentation system consists of thermocouples, positioned to measure fuel assembly coolant outlet temperature at preselected locations, and flux thimbles, which run the length of selected fuel assemblies to measure the neutron flux distribution within the reactor core.

The experimental data obtained from the incore temperature and flux distribution instrumentation system, in conjunction with previously determined analytical information, can be used to determine the fission power distribution in the core at any time throughout core life. This method is more accurate than using calculational techniques alone. Once the fission power distribution has been established, the maximum power output is primarily determined by thermal power distribution and the thermal and hydraulic limitations determine the maximum core capability.

The incore instrumentation provides information that may be used to calculate the coolant enthalpy distribution, the fuel burnup distribution, and an estimate of the coolant flow distribution.

Both radial and azimuthal symmetry of power may be evaluated by combining the detector and thermocouple information from the one quadrant with similar data obtained from the other three quadrants.

7.6.2.1 Thermocouples

Chromel-alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, a conseal and swage-type seal from conduit to head. The thermocouples are enclosed in stainless steel sheaths within the above tubes to allow replacement if necessary. Thermocouple readings are recorded in the control room. The support of the thermocouple guide tubes in the upper core support assembly is described in Chapter 3.

A total of 65 thermocouples are installed at preselected core locations to provide core exit temperature data up to 2300°F. There are two microprocessors, one to process data for 34 thermocouples and the other for the remaining 31. Two display units are provided on the central control room accident assessment panels. Each presents a graphic core location map with an alphanumeric display of core exit temperatures. Temperature signals from the microprocessors are sent to the plant computer.

Microprocessors, display units and cables are separated into two redundant channels. Thermocouples, cables, microprocessors and display units are seismically designed. Cables and components inside the containment and in the electrical penetration area are environmentally qualified. The two channels receive power from redundant instrument busses.

7.6.2.2 Movable Miniature Neutron Flux Detectors

Six fission chamber detectors (employing U3O8, which is 90-percent enriched in U-235) can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. Maximum chamber dimensions are 0.188-in. in diameter and 2.10-in. in length. The stainless steel detector shell is welded to the leading end of the helical-wrap drive cable and the stainless steel sheathed coaxial cable. Each detector is designed to have a minimum thermal neutron sensitivity of 1.5 x 10^-17 A/nv and a maximum gamma sensitivity of 3 x 10^-14 A/rad-hr. Operating thermal neutron flux range for these probes is 1 x 10^11 to 5 x 10^13 nv. Other miniature detectors, such as gamma ionization chambers and boron-lined neutron detectors, can also be used in the system. The basic system for the insertion of these detectors is shown in Figures 7.6-1 through 7.6-3. Retractable thimbles into which the miniature detectors are driven are pushed into the reactor core through conduits that extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal zone.

The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal line. The thimbles are seismic Class I, and the supports for the flux mapping frame support assembly are seismically designed. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal line is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of six drive assemblies, six path group selector assemblies and six rotary selector assemblies, as shown in Figures 7.6-1 and 7.6-2. The drive system pushes hollow helical-wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small-diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly generally consists of a gear motor that pushes a helical-wrap drive cable and detector through a selective thimble path by means of a special drive box and includes a storage device that accommodates the total drive length. Further information on mechanical design and support is described in Chapter 3.

The control and readout system for the movable miniature neutron flux detectors provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors at a selected speed while plotting a level of induced radioactivity versus detector position. The control system consists of two sections, one physically mounted with the drive units, and the other contained in the control room. Limit switches in each drive conduit provide means for prerecording detector and cable positioning in preparation for a flux mapping operation. One group path selector is provided for each drive unit to route the detector into one of the flux thimble groups. A rotary transfer assembly is a transfer device that is used to route a detector into any one of up to ten selectable paths. Ten manually operated isolation valves allow free passage of the detector and drive wire when open, and when closed prevent leakage from the core in case of a thimble rupture. A path common to each group of flux thimbles is provided to permit cross calibration of the detectors.

The central control room contains the necessary equipment for control, position indication, and flux recording. Panels are provided to indicate the core position of the detectors and for plotting the flux level versus the detector position. Additional panels are provided for such features as drive motor controls, core path selector switches, plotting, and gain controls. A "flux-mapping" consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven or inserted to the top of the core and stopped automatically. An X-Y plot (position vs. flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations are selected and plotted.

Each detector provides axial flux distribution data along the center of a fuel assembly. Various radial positions of detectors are then compared to obtain a flux map for a region of the core.

7.6.3 System Evaluation

The thimbles are distributed nearly uniformly over the core with about the same number of thimbles in each quadrant. The number and location of thimbles have been chosen to permit the measurement of local-to-average peaking factors to an accuracy of +10-percent (95-percent confidence). Measured nuclear peaking factors are increased to allow for possible instrument error. The departure from nucleate boiling ratio calculated with the measured hot-channel factor is compared to the departure from nucleate boiling ratio calculated from the design nuclear hot-channel factors. If the measured power peaking is larger than expected, reduced power capability will be indicated.

7.6.4 System Operation

A minimum of 2 thimbles per quadrant and sufficient movable in-core detectors shall be operable during re-calibration of the excore axial offset detection system.

7.6 FIGURES

| Figure No. | Title |
|---|---|
| Figure 7.6-1 | Typical Arrangement Of Moveable Miniature Neutron Flux Detector System, replaced with Plant Drawing 1999MC3880 |
| Figure 7.6-2 | Arrangement Of Incore Flux Detector, replaced with Plant Drawing 1999MC3881 |
| Figure 7.6-3 | Incore Instrumentation - Details, replaced with Plant Drawing 1999MC3882 |

7.7 OPERATING CONTROL STATIONS

7.7.1 Station Layout

The principal criterion of control station design and layout is that all controls, instrumentation displays, and alarms required for the safe operation and shutdown of the plant are readily available to the operators in the central control room.

During other than normal operating conditions, other operators will be available to assist the control room operator. Plant Drawing 209812 [Formerly UFSAR Figure 1.2-7 Sheet 1], shows the central control room arrangements for the unit. The control board is divided into relative areas to show the location of control components and information display pertaining to various subsystems.

Early control room reviews performed in 1980 and 1981 resulted in implementation of several changes including:

1. Installation of battery-operated emergency lighting fixtures to provide for continuously available emergency lighting.

2. Installation of several new multipoint recorders and relocation of some recorders to be adjacent to the flight panel.
3. Revised flash rate of supervisory annunciators from one to two flashes per second.
4. Relocation of annunciators to provide a more functional grouping and a more systems oriented display.

In response to NRC's Generic Letter 82-33 and the requirements of Supplement 1 to NUREG-0737, Requirements for Emergency Response Capability, a detailed control room design review was conducted (Reference 1). The purposes of this review were:

to review and evaluate the control room workspace, instrumentation, controls and other equipment from a human factors engineering point of view; to identify human engineering observations and human engineering discrepancies; and to establish a plan for implementing corrective action.

The review was conducted by a multi-disciplined team having qualifications consistent with the guidelines of NUREG-0700. The team conducted the review through the following major activities:

1. Operating experience review.
2. Function and task analysis.
3. Control room survey.
4. Verification of task performance capabilities.
5. Validation of control room as an integrated system.

Numerous changes were made in the central control room to implement human engineering enhancements. Among the changes made were:

1. Improved panel demarcation and annunciator tile/panel device labeling.
2. Replacement, relocation and provision of additional indicators for a number of parameters.
3. Removal of retired indicators/controls. Improvements to communications between the control room and other plant areas.

The detailed control room design review was reviewed by the NRC as documented in their SER dated January 12, 1989 (Reference 3) and found acceptable.

7.7.2 Information Display And Recording

7.7.2.1 Operational Information

Alarms and annunciators in the central control room provide the operators with warning of abnormal plant conditions that might lead to the damage of components, fuel, or other unsafe conditions. Other displays and recorders are provided for indication of routine plant operating conditions and for the maintenance of records.

Consideration is given to the fact that certain systems normally require more attention from the operator. The control system, therefore, is centrally located on the three-section board.

On the left section of the control board, individual indicators present a direct, continuous readout of every control rod position. Fault detectors in the rod drive control system are used to alert the operator should an abnormal condition exist for any individual or group of control rods. Displayed in this same area are limit lights for each control rod group and all nuclear instrumentation information required to start up and operate the reactor. Control rods are manipulated from the left section.

Variables associated with the operation of the secondary side of the station are displayed and controlled from the control board. These variables include steam pressure and temperature, feedwater flow and temperature, electrical load, and other signals involved in the plant control system. The control board also contains provisions for indications and control of the reactor coolant system. Redundant indication is incorporated in the system design since pressure and temperature variables of the reactor coolant system are used to initiate safety features. Control and display equipment for station auxiliary systems are also located here.

The engineered safety features systems are controlled and monitored from a vertical panel to the left of the control board. Valve position indicating lights are provided as a means of verifying the proper operation of the control and isolation valves following initiation of the engineered safety features. Control switches located on this panel allow manual operation or test of individual units. Also located on this section are the control switches, indicating lights, and meters for fans and pumps required for emergency conditions. Also mounted on this section are auxiliary electrical system controls required for manual switching between the various power sources described in Section 8.2.2.

Controls and indications for Containment Purge and Exhaust, Primary Auxiliary Building and Fuel Service Building ventilation systems are located on CCR panel SL. Controls and indications for the containment isolation valves, and the isolation valve seal-water system are located on CCR panel SN. Radiation monitoring information is indicated immediately behind and to the left of the main control board.

Audible reactor building alarms are initiated from the radiation monitoring system and from the source range nuclear instrumentation. Audible alarms will be sounded in appropriate areas throughout the station if high-radiation conditions are present.

As a result of considerations arising from experience at TMI, the instrument panels in the control room were modified to receive monitors and recorders associated with the following:

1. Reactor coolant system hot-leg temperature.
2. Main steam line radiation monitors.
3. High-range containment radiation monitors.
4. High-range noble gas monitors.
5. Containment sump level indication.
6. Hydrogen and oxygen containment air analyzers.
7. Containment high-range pressure indication.
8. Reactor vent valve position indication.
9. Reactor vent temperature monitor.
10. Reactor vessel level indication.
11. Power-operated relief valve block valve position indication.
12. Subcooling monitor system indications.
13. Wide range hot-leg temperature indication.

A plant process computer system is installed with color graphic displays in the central control room that monitors operating plant data as well as easily accessible sets of key plant safety parameters. It also provides data links with the technical support center, the emergency operations facility and the Alternate emergency operations facility. It has the capability of long term data storage and retrieval.

7.7.2.2 Safety Parameter Information

A system for monitoring safety parameter information is provided in accordance with the requirements of NUREG-0737, Supplement 1. It is an operator aid and not a safety-grade system and performs no safety function. The operation and potential failure of the plant computer system will not degrade the performance of safety systems.

The plant computer system consists of a data acquisition system, redundant computer systems with associated peripherals, and color displays.

The data acquisition system receives digital and analog signals required to monitor critical safety functions, which are:

- Reactivity control
- Reactor core cooling
- Reactor coolant system heat sink
- Reactor coolant system integrity
- Containment conditions
- Reactor coolant system inventory control

Several parameters (measures of plant status or performance) are monitored for each critical safety function, and each parameter is measured by signals input from one or more plant sensors. The data acquisition system samples each input 10 times per second. The redundant computer systems receive, process, analyze, and store the data and provide outputs to the system displays. The computer performs data acquisition and processing, and drives the displays. The backup computer acquires data in parallel with the primary computer and periodically performs data processing and calculation functions for intracomputer verification. The loss of any critical component in the primary system triggers a switchover to the backup system, which then provides all primary system functions.

The plant computer display system consists of seven-color graphic displays. The displays are located in the Central Control Room, Technical Support Center, Emergency Operations Facility, and Alternate Emergency Operations Facility.

Types of primary displays available are the plant mode, thirty-minute trend, and critical safety function status tree. Also available are a display of emergency core cooling inventories and a display of availability of emergency core cooling inventories and a display of availability of emergency power. The system, which originally consisted of ten secondary displays, has provision for future expansion as warranted.

7.7.3 Emergency Shutdown Control

The central control room, its equipment, and furnishings have been designed so that the likelihood of conditions that could render the control room inaccessible even for a short time is extremely small.

A criterion of the station design and layout is that all controls, instrumentation displays, and alarms required for the safe operation and shutdown of the plant are readily available to the operators in the central control room.

It is design policy that the functional capacity of the central control room shall be maintained at all times inclusive of accident conditions, such as a maximum credible accident or a design basis event. The following features are incorporated in the design to ensure that this criterion is met:

1. Structural and finish materials for the central control room and the cable-spreading room below were selected on the basis of fire-resistant characteristics. Structural floors are concrete reinforced. Interior partitions are metal paneling joints. The control room ceiling covering is fire-retardant egg crate diffusers. Door frames and doors are metallic.
2. The central control room is equipped with portable fire extinguishers. The extinguishers carry the Underwriters' Laboratory label of approval.
3. The cable-spreading room has a smoke detection system and a manually operated Halon system. The smoke detection system actuates an alarm in the control room. The cable tunnel has heat-sensitive devices, which actuate alarms in the control room and a water spray deluge system for fire extinguishing.

4. The control room ventilation consists of a system having a large percentage of recirculated air. The fresh air intake can be diverted to charcoal filters to remove airborne activity if monitors indicate that such action is appropriate.
5. Control cables used throughout the installation have been selected on the basis of flame testing described in Chapter 8 and have superior flame-retardant capability. Each conductor has a flame-retardant glass braid over the insulation. In addition, electrical circuits are limited in the control room to those associated with lighting, instrumentation, and control. Lighting circuits operate on 120-V; instrumentation and control circuits operate at either 120-V ac, 125-V DC, or at millivolt level. All 120-V and 125-V circuits are protected against both overload and short circuits by either fuses or circuit breakers. The power levels on the millivolt circuits are so low that the probability of fire hazard due to short circuits is very low.

6. All control and indication is transmitted into the control room ensuring that no combustible process fluids are carried into the room.

7. Cables that penetrate the control room floor pass through firestops to minimize fume and flame transmission from possible fire sources external to the control room.
8. All internal wiring in switchboards and instrument racks is type SIS cross-linked polyethylene, which has excellent resistance to the propagation of flame.

As a result of the design criterion discussed above, the amount of combustible material in the control room is of such small quantity that a fire of the magnitude that would require the evacuation of the control room is not credible.

As a further measure to ensure safety, provisions have been made so that plant operators can shut down and maintain the plant in a safe condition by means of controls located outside the control room. During such a period of control room inaccessibility, the reactor will be tripped and the plant maintained in a hot shutdown condition. If the period extends for a long time, the reactor coolant system can be borated to maintain shutdown as xenon decays.

In the unlikely event that the control room becomes inaccessible or the controls and/or instrumentation becomes nonfunctional due to a fire, the plant is equipped with an alternate safe shutdown system (ASSS) as discussed in Section 8.3, which provides the capability to safely shut down and maintain the plant in a safe shutdown condition.

Abnormal operating procedures are in effect, to be used in their entirety or in part, to safely shut down the plant in the event of inaccessibility of the control room. These procedures would be implemented based upon loss of normal and preferred alternate methods of control. These procedures do not include all the available normal methods of control described below.

The functions for which local control provisions have been made are listed below along with a brief description of the type of alternate controls and their location in the plant. Transfer to these local controls is annunciated in the central control room.

7.7.3.1 Reactor Trip

If the central control room should be evacuated suddenly without any action by the operators, the reactor can be manually tripped by any of the following:

1. Operation of the Reactor Trip Breakers' local trip button.
2. Tripping the Control Rod Drive MG Set breakers.
3. Tripping/opening of any one of the MG Set power supply sources.

Following evacuation of the central control room, the following systems and equipment are provided to maintain the plant in a safe shutdown condition from outside the central control room:

1. Residual heat removal.
2. Reactivity control, i.e., boron injection to compensate for fission product decay.
3. Pressurizer pressure and level control.
4. Electrical systems as required to supply the above systems.
5. Other equipment, as described.

7.7.3.1.1 Residual Heat Removal

Following a normal plant shutdown, an automatic steam dump control system bypasses steam to the condenser and maintains the reactor coolant temperature at its no-load value. This implies the continued operation of the steam dump system, condensate circuit, condenser cooling water, feed pumps, and steam-generator instrumentation. Failure to maintain water supply to the steam generators would result in steam-generator dry-out after some 2400 sec and loss of the secondary system for decay heat removal. Redundancy and full protection where necessary is built into the system to ensure the continued operation of the steam-generator units. If the automatic steam dump control system is not available, independently controlled relief valves on each steam generator maintain the steam pressure. These relief valves are further backed up by coded safety valves on each steam generator. Numerous calculations have shown that with the steam generator safety valves operating alone, the reactor coolant system maintains itself close to the nominal no-load condition. The steam relief facility is adequately protected by redundancy and local protection. For decay heat removal, it is only necessary to maintain the control on one steam generator.

For the continued use of the steam generators for decay heat removal, it is necessary to provide a source of water, a means of delivering that water and, finally, instrumentation for pressure and level indication.

The normal source of water supply is the secondary feed circuit; this implies satisfactory operation of the condenser, air ejector, condenser cooling circuit, etc. In addition to the normal feed circuit, the plant may fall back on:

1. The condensate storage tank.
2. The city water storage tank.
3. The city water supply.

Feedwater can be supplied to the steam generators by the two motor-driven auxiliary feedwater pumps or by the steam-driven auxiliary feedwater pump, these pumps and associated valves having local controls.

7.7.3.1.2 Reactivity Control

Following a normal plant shutdown to hot shutdown condition, soluble poison is added to the primary system to maintain subcriticality. For boron addition, the chemical and volume control system is used. Routine boration requires the use of the following:

1. Charging pumps and volume control tank with associated piping.
2. Boric acid transfer pumps with tanks and associated piping. (Not included in abnormal operating instructions on control room inaccessibility).
3. Letdown station, nonregenerative heat exchanger and associated equipment, component cooling, and service water systems. Compressed air for manual valve operation could be adopted if necessary.

It is worthy of note that with the reactor held at hot shutdown conditions, the boration of the plant is not required immediately after shutdown. The xenon transient does not decay to the equilibrium level until about 20 hr for 100-percent power shutdown. However, for other power levels, this decay time can be lower, that is, as much as 5 hr for a 10-percent power shutdown. A further period would elapse before the 1-percent reactivity shutdown margin provided by the full-length control rods has been cancelled.

This delay would provide useful time for emergency measures.

7.7.3.1.3 Pressurizer Pressure and Level Control

Following a reactor trip, the primary temperature will automatically be reduced to the no-load temperature condition as dictated by the steam-generator temperature conditions. This reduction in the primary water temperature reduces the primary water volume, and if continued pressure control is to be maintained, primary water makeup is required.

The pressurizer level is controlled in normal circumstances by the chemical and volume control system. This implies the charging pump duty referred to for boration plus a guaranteed borated water supply.

The facility for boration is provided as described above; it is only necessary to supply water for makeup. Water may readily be obtained from normal sources, that is, the volume control tank.

7.7.3.2 Startup of Other Equipment

The containment air recirculation fan coolers should be continued in operation to remove heat generated within the containment building. If they have stopped, at least one should be restarted within 5 min with the others started later as required. Similarly the nuclear service water pumps are to be checked and at least one of them restarted if none are already operating. The fan coolers and the service water pump remote controls are located in the switchgear room.

Offsite or onsite emergency power should be available to supply the above systems and equipment for the hot shutdown condition.

7.7.3.3 Indications and Controls Provided Outside the Central Control Room

The specific indications and controls provided outside the central control room for the above capabilities are summarized in the following sections.

7.7.3.3.1 Indications

1. Level indication for the individual steam generators. One set for local control of steam generator level is visible from the auxiliary feedwater pump area; another set is visible from the main feedwater control valve area.
2. Pressure indication for the individual steam generators, visible from the auxiliary feedwater pump area.
3. Pressurizer level and pressure indicators. One set is visible from the auxiliary feedwater pump area, and one set is in the primary auxiliary building in the vicinity of the charging pump local control point. All instruments at the auxiliary feedwater pumps are grouped on a local gauge board.
4. Level indicators for steam generators 21 and 22 are located in the primary auxiliary building in the vicinity of the charging pumps.

7.7.3.3.2 Controls

Local stop/start motor controls with a local/remote selector switch are provided at each of the following motors. The selector switch will transfer the control of the switchgear from the central control room to "local" at the motor. Placing the local selector switch in the local operating position will give an annunciator alarm in the central control room and will turn out the motor control position lights on the central control room panel.

1. Auxiliary motor-driven feedwater pumps.

2. Charging pumps.
3. Boric acid transfer pumps. (Not included in administrative operating instructions on control room inaccessibility).

Local stop/start motor controls with a local/remote selector switch are provided for each of the following motors. These controls are grouped at one point in the switchgear room convenient for operation. The selector switch will transfer the control of the switchgear from the central control room to this local point. Placing the selector switch to local operation will give an annunciator alarm in the central control room and will turn out the motor control position lights on the central control room panel.

1. Service water pumps.
2. Containment air recirculation fans.
3. Central control room air-handling unit, including control for the air inlet dampers.

Alternative motor control points are not required for the following:

1. Component cooling water pumps. (Automatically restarted on a blackout once the diesel generators are operating.)
2. Instrument air compressors and cooling pumps. (These will start automatically on low pressures in the air and water services once the diesel automatically energizes the bus and the motor control centers are manually energized. The control point is local to the compressors. The compressors must be initially re-energized after the motor control centers are reset.)

7.7.3.3.3 Speed Control

Speed control is provided locally for the following:

1. Auxiliary turbine-driven feedwater pump.

2. Charging pumps.

7.7.3.3.4 Valve Control

Local valve control is provided at the following:

1. Main feedwater regulators.
2. Auxiliary feedwater control valves. (These valves are located local to the auxiliary feedwater pumps.)
3. Atmospheric dump (auto control normally at hot shutdown).
4. All other valves requiring operation during hot standby can be locally operated at the valve.
5. Letdown orifice isolation valves local to the charging pumps. Local control (e.g., "close-remote-open" selector switches) and indication (e.g., valve "open" position indicating lights) are provided for the regenerative heat exchanger letdown outlet flow control orifice isolation valves and the letdown inlet stop valve.

7.7.3.3.5 Pressurizer Heater Control

Stop and start buttons with selector switch and position lamp are provided locally at the charging pumps for Pressurizer Backup Heater Group 21.

7.7.3.3.6 Lighting

Emergency lighting is provided in all operating areas. In addition, fixed battery pack emergency lighting units with at least an 8-hr battery power supply have been installed in areas needed for operation of safe-shutdown equipment and in access and egress routes to and from these areas in accordance with the requirements of 10 CFR 50, Appendix R.

7.7.3.3.7 Central Control Room Emergency Lighting

The emergency lighting in the central control room (CCR) consists of a combination of AC and DC lighting. These lights are strategically located to illuminate the instrument panels, flight panel, supervisory control panels, and the operator's desk. The normal voltage supply for CCR lighting is the AC lighting panels. The CCR emergency lighting is normally deenergized. If the CCR normal AC lighting failed, the CCR emergency AC or emergency DC lighting would illuminate. The CCR DC emergency lighting is supplied from Unit 2 Battery #21, whereas the CCR AC emergency lighting is supplied from the Unit 1 M-G Sets. In addition, dual-lamp battery pack emergency lighting fixtures and remote-mounted battery pack emergency lighting fixture spotlights are located in the CCR, to provide additional illumination for the supervisory panel, flight panel, and accident assessment panel.

7.7.4 Communications

Plant communications are conducted via telephone, radio, and Public Address (paging) systems.

The plant telephone and radio communications systems include [Deleted] PBX electronic switches, backup phone lines and a UHF radio system. [Deleted] The public address system for Indian Point Unit 2 consists of "Page" and "Party" communications, which are common to both the primary (nuclear) and secondary (conventional) portions of Units 1 and 2. The "Page" and "Party" communications are also monitored at a speaker panel located in the CCR. [Deleted] Radio channels are available at the Indian Point Unit 2 control room. These radio channels are as follows:

1. - Radios provide the central control room with radio communication to the [Deleted] system operator.
2. Indian Point area radios provide the central control room with radio communication to the emergency response facilities and offsite monitoring teams [Deleted].

If the control room were to become inaccessible, safe shutdown communications would be conducted with the use of portable radios. This in-house radio system is also provided for communicating with in-plant personnel throughout the plant.

7.7.4.1 Central Control Room Communication Facilities

The central control room is provided with telephone-radio-page/party communication consoles and page/party handset stations.

[Deleted] A State/County Radiological Emergency Communication System (RECS) hotline is available. The NRC Emergency Notification System (ENS) hotline is available in a separate location.

A separate printer and its telephone modem are also available for meteorological data reception.

7.7.4.2 Radio Communication

The [Deleted] radio channels are available at the radio [Deleted] line consoles in the central control room. Repeaters for the radio channels are located onsite. Wired audio/control pairs connect the [Deleted] transceivers with the communication consoles in the central control room for remote operation.

7.7.4.3 Page/Party Line Communication

"Page" or "Party" line communication can be initiated in the CCR from either communication consoles or from handset stations.

An emergency alarm switch is provided in the CCR to connect and actuate the existing alarm oscillators to the "Page" system for the "Evacuation," "Fire," or "Air Raid" alert signals.

Another switch is provided on the central control room desk, which allows all outdoor speakers of the Indian Point 2 plant to be turned off at night.

7.7.4.4 Emergency Backup Power for Communications

The plant radio and telephone communications systems are automatically supplied from a back-up power source, upon failure of the normal power source. In addition, each PBX is provided with back-up battery capability of eight (8) hours of operation. The page/party system is powered from the DC system (through an inverter) with backup power from the emergency bus.

7.7.4.5 In-house Radio System

An in-house radio system provides communications between [Deleted] in-plant personnel. Field units are low-wattage, hand-held units, which are not to be used in areas containing equipment that is potentially sensitive to radio-frequency interference.

REFERENCES FOR SECTION 7.7

1. Letter from J.D. O'Toole, Con Edison, to Hugh L. Thompson, NRC, Subject: Indian Point Unit 2 Detailed Control Room Design Review Final Summary Report, dated June 30, 1986.
2. Letter from S. Bram, Con Edison, to Document Control Desk, NRC, Subject: Safety Assessment System/Safety Parameter Display System (SAS/SPDS) Safety Analysis Report, Revision 1, dated April 30, 1988.
3. Letter from M. M. Slosson, NRC, to S. B. Bram, Con Edison, Subject: Safety Evaluation Report - Detailed Control Room Design Review Summary Report For Indian Point Nuclear Generating Unit No. 2 (TAC 56131), dated January 12, 1989.

7.7 FIGURES

Figure No.      Title
Figure 7.7-1    Deleted

7.8 LIMITING SAFETY SYSTEM SETTINGS AND LIMITING CONDITIONS FOR OPERATION

Table 7.2-1 lists the reactor protection, engineered safety features, and other plant protection actuation systems. Table 7.2-2 lists associated plant interlocks and permissive circuits. Settings for these functions for safe plant operation are given in the facility Technical Specifications or Technical Requirements Manual.

7.9 SURVEILLANCE REQUIREMENTS

Channel surveillance action (i.e., test, calibration, or check function) to be taken during the operation of the plant and the minimum frequencies (each refueling, shift, or month) for the indicated instrument channels are included in the Technical Specifications or Technical Requirements Manual.

The instrumentation channels that are covered include, for example, nuclear, reactor coolant temperature and flow, pressurizer pressure and level, and auxiliary process channels or components necessary to ensure that facility operation is maintained within the safe limits. The frequencies of periodic tests and checks of related systems and/or system components are also included in the Technical Specifications or Technical Requirements Manual.

7.10 ANTICIPATED TRANSIENT WITHOUT SCRAM MITIGATION SYSTEM ACTUATION CIRCUITRY

In response to NRC requirements, Indian Point Unit 2 has been modified to incorporate features to protect against anticipated transients without scram (ATWS). These provisions are the ATWS mitigation system actuation circuitry (AMSAC), described in this section.

7.10.1 Design Bases

The Indian Point Unit 2 AMSAC provides a means, diverse from the reactor protection system, to trip the turbine, start the auxiliary feedwater pumps, and initiate closure of the steam generator blowdown isolation valves. It was designed to meet the requirements of 10CFR50.62. The NRC Staff has concluded (Reference 1) that the design is acceptable and is in compliance with the ATWS Rule, 10CFR50.62, paragraph (c) (1).

The Indian Point Unit 2 AMSAC design is based on a modified Logic 1 option as described in Reference 2. The plant specific modification involves the deletion of permissive and time delay circuits, which is conservative compared to the generic design.

AMSAC utilizes signals from existing steam generator narrow-range level transmitters associated with other systems. It actuates immediately on a predetermined level in any three steam generators.

The logic power supplies for the AMSAC system components are independent from the power supplies for the reactor protection system. AMSAC is capable of performing its intended function without off-site power.

Alarm and/or annunciation is provided for AMSAC actuation, bypass or removal from service, and deviations such as loss of power or partial trip.

7.10.2 System Design

AMSAC receives signals from one steam generator narrow-range level transmitter per steam generator. Bistables give trip signals on level below the setpoint, which is between 5 and 8 percent of the transmitter span. Either of two relay logic channels provides AMSAC actuation on low level in any three steam generators.

AMSAC was designed and components selected to provide diversity from the reactor protection system. Electrical isolation from both protection and control systems is also provided.

Power is supplied to the relay logic channels, which are energized to trip, from separate class 1E 125-VDC battery-backed distribution panels.

A two-position bypass switch, four test pushbuttons, and a status-indicating light are provided for each logic channel, allowing surveillance testing and maintenance to be performed during reactor operation.

Bypassing either channel actuates an annunciator. While one channel is bypassed for testing, the other remains capable of performing its mitigation function.

The AMSAC system does not affect either manual or automatic actuation of turbine trip or auxiliary feedwater initiation. These circuits are self-latching such that their actions will go to completion if initiated, and subsequent operator action is required to reset them.
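The coincidence, bypass and alarm behaviour described in this section, modelled as an added example (not part of the FSAR or of any plant design document). It assumes four steam generators with hypothetical labels, a 6.5-percent setpoint picked from inside the stated band, hypothetical channel names A and B, that "partial trip" means fewer than three bistables tripped, and a single latch standing in for the self-latching circuits.

```python
from dataclasses import dataclass

SETPOINT_PCT = 6.5  # assumed; the text only gives a 5 to 8 percent band
COINCIDENCE = 3     # low level in any three steam generators

@dataclass
class LogicChannel:
    name: str               # hypothetical channel label
    powered: bool = True    # energize-to-trip: no power, no output
    bypassed: bool = False  # two-position bypass switch

    def output(self, tripped):
        """True when this channel demands AMSAC actuation."""
        if self.bypassed or not self.powered:
            return False
        return sum(tripped.values()) >= COINCIDENCE

class Latch:
    """Self-latching actuation, held until an operator reset (simplified)."""
    def __init__(self):
        self.held = False
    def update(self, actuate):
        self.held = self.held or actuate
        return self.held
    def reset(self):
        self.held = False

def evaluate(levels_pct, channels):
    """One scan: returns (actuate, alarms) for a dict of SG levels in % span."""
    tripped = {sg: lvl < SETPOINT_PCT for sg, lvl in levels_pct.items()}
    actuate = any(ch.output(tripped) for ch in channels)  # either channel
    alarms = []
    if actuate:
        alarms.append("AMSAC ACTUATED")
    if 0 < sum(tripped.values()) < COINCIDENCE:
        alarms.append("PARTIAL TRIP")
    for ch in channels:
        if ch.bypassed:
            alarms.append(f"{ch.name} BYPASSED")
        if not ch.powered:
            alarms.append(f"{ch.name} LOSS OF POWER")
    return actuate, alarms

# Constructed sample: three of four levels below setpoint, channel A in test.
if __name__ == "__main__":
    chans = [LogicChannel("A", bypassed=True), LogicChannel("B")]
    print(evaluate({"SG21": 4.0, "SG22": 5.0, "SG23": 3.0, "SG24": 40.0}, chans))
```

With one channel bypassed the other still actuates; with one bypassed and the other unpowered, the energize-to-trip design leaves no actuation path and only the bypass and loss-of-power alarms report it.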

REFERENCES FOR SECTION 7.10

1. Letter from Donald S. Brinkman, NRC, to Stephen B. Bram, Con Edison, subject: Indian Point Unit 2 ATWS RULE (10CFR50.62) (TAC NO. 59103), dated May 16, 1989.
2. WCAP-10858-P-A, Rev. 1