NL-16-2280, Vogtle Electric Generating Plant, Units 1 & 2, Updated Final Safety Analysis Report, Section 15.2
FIGURE 6.2.1-22 (SHEETS 1 THROUGH 74 OF 74), REV 13 4/06: STEAM GENERATOR INLET ELBOW NODES E1 THROUGH E74 (763-in.² BREAK AREA), ONE NODE PER SHEET
FIGURE 6.2.1-23 (SHEETS 1 THROUGH 74 OF 74), REV 13 4/06: LOOP CLOSURE WELD NODES E1 THROUGH E74 (336-in.² BREAK AREA), ONE NODE PER SHEET
REV 13 4/06 PRESSURIZER MODEL FIGURE 6.2.1-24
FIGURE 6.2.1-25 (SHEETS 1 THROUGH 8 OF 8), REV 13 4/06: PRESSURIZER COMPARTMENT PRESSURE RESPONSE, SURGE LINE BREAK (308-in.² BREAK AREA). SHEET 1: NODE 1; SHEET 2: NODES 2, 3, 4, 5; SHEET 3: NODES 6, 7, 8, 9; SHEET 4: NODES 10, 11, 12, 13; SHEET 5: NODES 14, 15, 16, 17; SHEET 6: NODES 18, 19, 20, 21; SHEET 7: NODES 22, 23, 24, 25; SHEET 8: NODES 26, 27, 28
FIGURE 6.2.1-25a (SHEETS 1 THROUGH 8 OF 8), REV 13 4/06: PRESSURIZER COMPARTMENT PRESSURE RESPONSE, SPRAY LINE BREAK AT TOP OF PRESSURIZER. SHEET 1: NODE 1; SHEET 2: NODES 2, 3, 4, 5; SHEET 3: NODES 6, 7, 8, 9; SHEET 4: NODES 10, 11, 12, 13; SHEET 5: NODES 14, 15, 16, 17; SHEET 6: NODES 18, 19, 20, 21; SHEET 7: NODES 22, 23, 24, 25; SHEET 8: NODES 26, 27, 28
REV 15 4/09 CONTAINMENT PRESSURE TRANSIENT MSLB - 0.4 ft² SPLIT RUPTURE - 0% POWER CASE 16 FIGURE 6.2.1-26
REV 15 4/09 CONTAINMENT TEMPERATURE TRANSIENT MSLB - 0.4 ft² SPLIT RUPTURE - 0% POWER CASE 16 FIGURE 6.2.1-27
REV 13 4/06 CONTAINMENT PRESSURE TRANSIENT MSLB - 0.86 ft² SPLIT RUPTURE - 102% POWER CASE 13 FIGURE 6.2.1-28
REV 18 9/13 CONTAINMENT TEMPERATURE TRANSIENT MSLB - 0.86 ft² SPLIT RUPTURE - 102% POWER CASE 13 FIGURE 6.2.1-29
REV 13 4/06 CONTAINMENT PRESSURE DECLG (C_D = 0.6, LOW T_AVG, MIN SI, COSINE) FIGURE 6.2.1-30
REV 13 4/06 CONTAINMENT TEMPERATURE DECLG (C_D = 0.6, LOW T_AVG, MIN SI, COSINE) FIGURE 6.2.1-31
REV 13 4/06 CONTAINMENT WALL CONDENSATION HEAT TRANSFER COEFFICIENT DECLG (C_D = 0.6, LOW T_AVG, MIN SI, COSINE) FIGURE 6.2.1-32
FIGURE 6.2.4-1 (SHEETS 1 THROUGH 13 OF 13), REV 16 10/10: VALVE ARRANGEMENT
REV 13 4/06 ELECTRIC HYDROGEN RECOMBINER (TYPICAL) FIGURE 6.2.5-1
REV 13 4/06 ELECTRIC HYDROGEN RECOMBINER SYSTEM SCHEMATIC FIGURE 6.2.5-2
DELETED
REV 13 4/06 COMPARISON OF ANS 5.1 DECAY ENERGY CURVE AT 650 DAYS IRRADIATION + 20% TO DECAY ENERGY VALUES USED FOR H2 PRODUCTION CALCULATION FIGURE 6.2.5-3
DELETED
REV 13 4/06 ALUMINUM AND ZINC CORROSION RATE DESIGN CURVES FIGURE 6.2.5-4
REV 13 4/06 CONTAINMENT HYDROGEN CONCENTRATION (ONE RECOMBINER ON AT 3.0 V/O) FIGURE 6.2.5-5 DELETED
REV 13 4/06 HYDROGEN PRODUCTION FROM ALL SOURCES FIGURE 6.2.5-6
REV 15 4/09 HYDROGEN ACCUMULATION FROM ALL SOURCES (FOR 3 X BASELINE ALUMINUM SURFACE AREA) FIGURE 6.2.5-7
VEGP-FSAR-6 REV 19 4/15 TABLE 6.3.2-1 (SHEET 1 OF 3)
EMERGENCY CORE COOLING SYSTEM COMPONENT PARAMETERS

| Parameter | Value |
|---|---|
| Accumulators | |
| Number | 4 |
| Design pressure (psig) | 700 |
| Design temperature (°F) | 300 |
| Operating temperature (°F) | 60-120 |
| Normal operating pressure (psig) | 650 |
| Total volume (ft³) | 1350 each |
| Nominal water volume (ft³) | 900 each |
| Nominal volume N gas (ft³) | 400 each |
| Boron concentration, nominal (ppm) | 1900-2600 |
| Centrifugal charging pumps (See figure 6.3.2-3.) | |
| Number | 2 |
| Design pressure (psig) | 2800 |
| Design temperature (°F) | 300 |
| Design flow (gal/min) | 150 |
| Design head (ft) | 5800 |
| Maximum flow (gal/min) | 555 |
| Design head at maximum flow (ft) | 1400 |
| Design head at shutoff (ft) | 6200 |
| Motor rating (hp) | 600 |
| Required NPSH at maximum flow (ft) | (See figure 6.3.2-3.) |
| Available NPSH at maximum flow (ft) from RWST | 78 |
| Discharge orifice (1FO-10118 & 1FO-10122) | (See drawing 1X6AH02-300000 for sizing) |
| Discharge orifice (2FO-10122 & 2FO-10123) | (See drawing 2X6AH02-30000 for sizing) |
| SI pumps (See figure 6.3.2-4.) | |
| Number | 2 |
| Design pressure (psig) | 1750 |
| Design temperature (°F) | 300 |
| Design flow (gal/min) | 425 |
| Design head (ft) | 2680 |
| Maximum flow (gal/min) | 660 |
| Design head at maximum flow (ft) | 1660 |
| Design head at shutoff (ft) | 3545 |
| Motor rating (hp) | 450 |
| Required NPSH at maximum flow (ft) | (See figure 6.3.2-4.) |
VEGP-FSAR-6 REV 19 4/15 TABLE 6.3.2-1 (SHEET 2 OF 3)

| Parameter | Value |
|---|---|
| Available NPSH at maximum flow (ft) from RWST | 59 |
| RHR pumps (See figure 6.3.2-2.) | |
| Number | 2 |
| Design pressure (psig) | 600 |
| Design temperature (°F) | 400 |
| Design flow (gal/min) | 3000 |
| Design head (ft) | 375 |
| Maximum flow (gal/min) | 4500 |
| Design head at maximum flow (ft) | 325 |
| Design head at shutoff (ft) | 450 |
| Motor rating (hp) | 400 |
| Required NPSH at maximum flow (ft) | (See figure 6.3.2-2.) |
| Available NPSH at maximum flow (ft), from RWST | 92 |
| Available NPSH at maximum flow (ft), from emergency sumps | 34.7 |
| Residual heat exchangers | (See subsection 5.4.7 for design parameters.) |
| Boron injection tank (Unit 1 only) | |
| Number | 1 |
| Total volume (gal) | 900 |
| Usable volume at operating conditions, solution (gal) | 900 |
| Boron concentration, nominal (ppm) | 0-2600 |
| Design pressure (psig) | 2735 |
| Operating pressure (psig) | 2684 |
| Design temperature | 300 |
| Operating temperature | Ambient |
| Heaters | Determinated |
VEGP-FSAR-6 REV 19 4/15 TABLE 6.3.2-1 (SHEET 3 OF 3)
Motor-operated valves stroke times are provided in table 6.3.2-3.

| Parameter | Value |
|---|---|
| Refueling water storage tank | |
| Number | 1 |
| Total volume, nominal (gal) | 715,000 |
| Boron concentration (ppm) | 2400-2600 |
| Operating pressure | Atmospheric |
| Operating temperature | Ambient, 50°F minimum |
| Heating system | |
| Number of heaters | 1 |
| Heater capacity (kw) | 50 |
| Number of pumps | 1 |
| Pump capacity (gal/min) | 200 |
| Number of eductors | 9 |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-2
EMERGENCY CORE COOLING SYSTEM RELIEF VALVE DATA

| Description | Fluid Discharged | Fluid Inlet Temperature, Normal (°F) | Set Pressure (psig) | Backpressure, Constant (psig) | Maximum Total Backpressure (psig) | Capacity |
|---|---|---|---|---|---|---|
| N2 supply to accumulators | Nitrogen | 120 | 700 | 0 | 0 | 1500 sf /min |
| SI pump discharge | Dilute H3BO3 | 120 | 1750 | 0 to 15 | 50 | 20 gal/min |
| RHR pump SI line | Dilute H3BO3 | 120 | 600 | 0 to 15 | 50 | 20 gal/min |
| SI pumps suction header | Dilute H3BO3 | 100 | 220 | 0 to 15 | 50 | 25 gal/min |
| Accumulator to containment | Nitrogen | 120 | 700 | 0 | 0 | 1500 sf /min |

VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-3 (SHEET 1 OF 3)
MOTOR-OPERATED ISOLATION VALVES IN THE EMERGENCY CORE COOLING SYSTEM

| Location | Valve Identification | Interlocks | Automatic Features(a) | Position Indication(b) | Alarms |
|---|---|---|---|---|---|
| Accumulator isolation valves | HV-8808 A,B,C,D | SI signal, RCS pressure > unblock. | Opens on SI signal if closed and RCS pressure > unblock. | MCB | Yes-out of position |
| SI pump suction from RWST | HV-8806, HV-8923 A,B | None | None (c) | MCB | Yes-out of position |
| RHR suction from RWST | HV-8812 A,B | Cannot be opened unless corresponding sump valve closed and RHR discharge to SI or charging pumps closed. | None (c) | MCB | Yes-out of position |
| RHR discharge to SI/charging pump suction | HV-8804 A,B | Cannot be opened unless SI pump miniflow isolated, charging pump alternate miniflow isolated, RHR suction from RCS isolated, and corresponding sump valve open. | None (c) | MCB | Yes-out of position |
| SI hot leg injection | HV-8802 A,B(d) | None | None | MCB | Yes-out of position |
| RHR hot leg injection | HV-8840(d) | None | None | MCB | Yes-out of position |
| Containment emergency sump isolation valve | HV-8811 A,B(d) | Cannot be opened in normal operation unless RHR suction closed. | Opens on RWST low-low with SI signal. | MCB | Yes-out of position |
| CVCS suction from RWST | LV-112 D, E | SI signal | Opens on SI signal or VCT low-low level. 15 s(c)(e) | MCB | None |
| CVCS normal suction | LV-112 B,C | SI signal | Closes on SI signal or VCT low-low level if CVCS suction valves from RWST open. 10 s(e) | MCB | Yes-out of position |
| SI pump to cold leg | HV-8835 | None | None | MCB | Yes-out of position |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-3 (SHEET 2 OF 3)

| Location | Valve Identification | Interlocks | Automatic Features(a) | Position Indication(b) | Alarms |
|---|---|---|---|---|---|
| CVCS pump discharge | HV-8105, HV-8106, HV-8116 | SI signal | Closes on SI signal. 10 s(f) for HV-8116; 17 s(i) for HV-8105, HV-8106 | MCB | None |
| BIT suction (Unit 1 only) | HV-8803 A,B | None | None(g) | None | None |
| BIT discharge (Unit 1) and CVCS charging pump high head cold leg | HV-8801 A,B | SI signal | Opens on SI signal. | MCB(b) | Yes-out of position |
| Charging pump/SI pump crossover | HV-8807 A,B, HV-8924 | None | None (c) | MCB | Yes-out of position |
| RHR to RCS cold legs | HV-8809 A,B | None | None | MCB | Yes-out of position |
| SI pump miniflow | HV-8813, HV-8814, HV-8920 | Cannot be opened unless RHR discharge to SI and charging pumps closed. | None (c) | MCB | Yes-out of position |
| RHR cross-connect | HV-8716 A,B(h) | None | None (c) | MCB | Yes-out of position |
| SI pump cross-connect | HV-8821 A,B | None | None | MCB | Yes-out of position |
| Charging pump normal miniflow | HV-8110, HV-8111 A,B | SI signal | Closes on SI signal. 15 s | MCB | Yes-out of position |
| Charging pump suction | HV-8471 A,B | None | None | MCB | Yes-out of position |
| Charging pump discharge | HV-8485 A,B, HV-8438 | None | None | MCB | Yes-out of position |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-3 (SHEET 3 OF 3)

| Location | Valve Identification | Interlocks | Automatic Features(a) | Position Indication(b) | Alarms |
|---|---|---|---|---|---|
| Charging pump alternate miniflow | HV-8508 A,B | Cannot be opened by operator unless volume control tank discharge valves closed and charging pumps closed. | Enabled on SI signal and will open or close based on centrifugal charging pump discharge pressure. | MCB | Yes-incorrect mode |
| | HV-8509 A,B | Cannot be opened unless RHR discharge to SI and charging pumps closed. | None (c) | MCB | Yes-out of position |
| RHR pump miniflow | FV-610, 611 | None | Open if pump discharge flow is less than 824 gpm at 350°F, 780 gpm at 100°F and close when the flow exceeds 1944 gpm at 350°F, 1841 gpm at 100°F (10 s). | MCB | None |
a. Times are maximum motor-operated valve stroke times that are significant to safety analysis/evaluations. No time is indicated where stroke time was irrelevant to safety analyses/evaluations.
b. MCB - main control board.
c. Vogtle FSAR table 6.3.2-7 provides the switchover sequence from the post-accident cold leg injection mode to the cold leg recirculation mode of operation. The times provided in FSAR table 6.3.2-7, in conjunction with the RWST outflow, are used to verify that there is sufficient volume between the RWST Lo-Lo and empty alarms to complete the switchover sequence. Changes to valve stroke time should be evaluated for impact on available RWST volume.
d. Valve disk is provided with bonnet vent on containment side of disk.
e. Valves LCV-112D, E open automatically on an SI signal. Valves LCV-112B, C begin to close when LCV-112D, E reach full open. The safety analyses assume that the SI flow path is unavailable until both sets of valves reach their final positions.
f. The analysis assumes ECCS flow at 25 s. The operating time for the closure of the normal discharge valves and opening the injection valves should not be significantly different; therefore, the nominal value of 10 s was specified for these valves.
g. Valve is normally locked open, with power removed at component. Valve is operated manually for maintenance only.
h. Valve disk is provided with bonnet vent to RHR pump side.
i. The analysis assumes ECCS flow at 25 s. The limiting operation is the alignment of the charging pump suction to the RWST from the VCT. The normal discharge valves and the injection valves can have stroke times up to 25 s before affecting the time it takes to establish safety injection. These valves should have similar stroke times to reduce charging pump runout. Closure of the normal discharge valves is 17 s and the injection valves is 17 s, and the opening time of the injection valves is 17 s.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-4 (SHEET 1 OF 2)
MATERIALS EMPLOYED FOR EMERGENCY CORE COOLING SYSTEM COMPONENTS

| Component | Material |
|---|---|
| Accumulators | Carbon steel clad with austenitic stainless steel |
| Boron injection tank (Unit 1 only) | Austenitic stainless steel |
| Boron injection surge tank (a) (Unit 1 only) | Austenitic stainless steel |
| Pumps | |
| Centrifugal charging | Austenitic stainless steel |
| Safety injection | Austenitic stainless steel |
| Residual heat removal | Austenitic stainless steel |
| Residual heat exchangers | |
| Shell | Carbon steel |
| Shell end cap | Carbon steel |
| Tubes | Austenitic stainless steel |
| Channel | Austenitic stainless steel |
| Channel cover | Austenitic stainless steel |
| Tube sheet | Austenitic stainless steel |
| Valves | |
| Motor-operated valves containing radioactive fluids | |
| Pressure containing parts | Austenitic stainless steel or equivalent corrosion resistant material |
| Body-to-bonnet bolting and nuts | Low alloy steel |
| Seating surfaces | Stellite No. 6 or equivalent corrosion resistant material |
| Stems | Austenitic stainless steel or 17-4 pH stainless |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-4 (SHEET 2 OF 2)

| Component | Material |
|---|---|
| Motor-operated valves, containing nonradioactive, boron-free fluids | |
| Body, bonnet, and flange | Carbon steel |
| Stems | Corrosion resistance steel |
| Diaphragm valves | Austenitic stainless steel |
| Accumulator check valves | |
| Parts contacting borated water | Austenitic stainless steel |
| Clapper arm shaft | 17-4 pH stainless |
| Relief valves | |
| Stainless steel bodies | Stainless steel |
| Carbon steel bodies | Carbon steel |
| All nozzles, discs, spindles, and guides | Austenitic stainless steel |
| Bonnets for stainless steel valves without balancing bellows | Stainless steel or plated carbon steel |
| All other bonnets | Carbon steel |
| Piping | |
| All piping in contact with borated water | Austenitic stainless steel |
flowpath.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-5 (SHEET 1 OF 9)
EMERGENCY CORE COOLING SYSTEM - SAFEGUARDS OPERATIONS - FAILURE MODES AND EFFECTS ANALYSIS

| Component(a) | Failure Mode | Function | Effect on System Operation | Failure Detection Method(b) | Remarks |
|---|---|---|---|---|---|
| 1. Motor-operated gate valve LV-112B (LV-112C analogous) | Fails to close on demand. | Provides isolation of fluid discharge from the volume control tank (VCT) to the suction of charging pumps. | Failure reduces redundancy of providing tank discharge isolation. Negligible effect on system operation. Alternate isolation valve LV-112C (LV-112B) provides backup tank discharge isolation. | Valve open/close position indication and valve close position monitor light and alarm for group monitoring of components at main control board (MCB). | Valve is electrically interlocked with isolation valve LV-112D (LV-112E) and the instrumentation that monitors fluid level of the VCT. Valve closes upon receipt of an SI signal or upon receipt of a VCT low water level signal providing that isolation valve LV-112D (LV-112E) is at full open position. |
| 2. Motor-operated gate valve LV-112D (LV-112E analogous) | Fails to open on demand. | Provides isolation of fluid discharge from the RWST to the suction of charging pumps and an electrical interlock to the closing of isolation valve LV-112B (LV-112C). | Failure reduces redundancy of providing fluid flow from RWST to suction of charging pumps. Negligible effect on system operation. Alternate isolation valve LV-112E (LV-112D) opens to provide backup flowpath. | Valve open/close position indication and valve open position monitor light at MCB. | Valve is electrically interlocked with the instrumentation that monitors fluid level of the VCT. Valve opens upon receipt of an SI signal or upon receipt of a VCT low water level signal. |
| | Fails to close on demand. | | Failure reduces redundancy of providing isolation of fluid discharged from residual heat exchanger 1 to RWST. No immediate effect on system operation during recirculation. Alternate isolation check valve 1208-U4-189 in common line from RWST provides backup tank isolation. | | |
VEGP-FSAR-6 TABLE 6.3.2-5 (SHEET 2 of 9) REV 14 10/07
Columns: Component; Failure Mode; Function; Effect on System Operation; Failure Detection Method(b); Remarks
- 3. Centrifugal charging pump train A (pump
train B analogous) Fails to deliver working
fluid. Provides fluid flow of emergency coolant through
the BIT for Unit 1 and the
CVCS charging pump high
head cold leg injection for
Unit 2 to the RCS at the
prevailing incident RCS
pressure. Failure reduces redundancy of providing emergency
coolant to the RCS at high RCS pressures. Fluid flow
from charging train A (train B) will be lost. Minimum flow requirements for high-head SI will be met by
charging train B (train A).
Charging pump discharge header pressure and flow
indication at MCB.
Open/close pump switchgear circuit breaker
indication on MCB. Circuit
breaker close position
monitor light for group
monitoring of component at
MCB. Common breaker
trip alarm at MCB. One pump may be used for
normal charging of RCS
during plant operation.
Both pumps start upon
receipt of an SI signal.
- 4. Motor-operated globe valve HV-8110 Fails to close on demand. Provides isolation of fluid flow from the charging
pump discharge header to the seal water heat
exchanger via minimum flow bypass line. Failure reduces redundancy
of providing isolation of charging pump miniflow
line. Negligible effect on system operation. Alternate
isolation valves HV-8111A
and HV-8111B in individual
charging pump minimum flow bypass lines provide backup miniflow line
isolation.
Same as item 1.
Valve closes upon receipt
of an SI signal.
- 5. Motor-operated globe valve HV-8111A (HV-8111B analogous) Fails to close on demand. Provides isolation of fluid flow from charging train A (train B) to the seal water heat exchanger flow via minimum bypass line. Failure reduces redundancy
of providing isolation of charging pump miniflow
line. Negligible effect on system operation. Alternate
isolation valve 8110 provides backup miniflow
line isolation.
Same as item 1.
Valve closes upon receipt
of an SI signal.
- 6. Motor-operated gate valve HV-8105 (HV-8106 analogous) Fails to close on demand. Provides isolation of fluid flow from the charging
pump discharge header to
the chemical and volume control system (CVCS)
normal charging line to the
RCS. Failure reduces redundancy
of providing isolation of
charging pump discharge to
normal charging line.
Negligible effect on system
operation. Alternate
isolation valve HV-8106 (HV-8105) provides backup
normal charging line
isolation.
Same as item 1 except no
valve close monitor alarm
for group monitoring.
Same as item 4.
- 7. Motor-operated gate valve HV-8801A (HV-8801B analogous) Fails to open on demand. Provides isolation of fluid discharge from the BIT for
Unit 1 and the CVCS
charging pumps for Unit 2
to high head injection
header connected to the
cold legs. Failure reduces redundancy of providing fluid flow from
BIT for Unit 1 and CVCS
charging pumps for Unit 2
to high head injection
header feeding the cold
legs. Negligible effect on system operation. Alternate
isolation valve HV-8801B (HV-8801A) opens to provide backup flowpath to
header. Valve open/close position
indication and valve open
position monitor light and
alarm for group monitoring
of components at MCB.
Valve opens upon receipt
of an SI signal.
analogous)
Fails open.
Provides regulation of fluid flow through miniflow bypass line to suction of
train A (train B) to protect
against overheating of the
pump and loss of discharge flow from the pump. Failure reduces working
fluid delivered to RCS from
RHR train A (train B).
Minimum flow requirements will be met by RHR train B (train A) and SI and
charging pumps.
Same as item 1. Valves are regulated by signals from flow
transmitter located in each
pump discharge header.
The control valves open when a RHR pump discharge flow is less than approximately 824 gpm at 350°F, 780 gpm at 100°F and close when the flow exceeds approximately 1944 gpm at 350°F, 1841 gpm at 100°F.
Fails closed.
Failure results in an insufficient fluid flow
through RHR train A (train
B) pump for a small LOCA
or steam break resulting in
possible pump damage.
Minimum flow requirements will be met by RHR train B (train A) and SI and
charging pumps delivering
coolant fluid to RCS.
- 9. RHR pump train A (train B pump analogous) Fails to deliver working
fluid. Provides fluid flow of emergency coolant to the RCS when the incident
RCS loop pressure drops below shutoff head of pump
and provides long term recirculation capability for core cooling following the
injection phase of LOCA. Failure reduces redundancy of providing emergency coolant to the RCS at low RCS pressure. Fluid flow
from RHR pump train A (train B) will be lost.
Minimum flow requirement will be met by RHR pump
train B (train A).
Same as that stated for
item 3 except RHR pump
discharge pressure and flow indication at MCB.
The RHR pumps are used
to deliver reactor coolant through the residual heat exchanger to meet the plant cooldown requirements and are used during cooldown
and startup operation.
The RHR pumps start upon
receipt of an SI signal.
- 10. Motor-operated gate valve HV-8811A (HV-8811B analogous) Fails to open on demand. Provides isolation of fluid discharge from containment emergency sump to suction
line of RHR train A (train B). Failure reduces redundancy of providing fluid flow from the containment emergency
train A (train B) not
available for recirculation.
Minimum flow requirements will be met by RHR train B (train A) through opening of
isolation valve HV-8811B (HV-8811A). Negligible effect on system operation.
Same as item 7. Valves open automatically on receipt of a 2/4 RWST
lolo level signal in coincidence with SI signal
being present (i.e., latched in.) Valve is electrically
interlocked from being remotely opened from
MCB.
- 11. Motor-operated gate valve HV-8812A (HV-8812B analogous) Fails to close on demand. Provides isolation of fluid discharge from the RWST
to suction line of RHR train A (train B). Failure reduces redundancy
of providing RWST isolation
from suction line of RHR train A (train B). Negligible effect on system operation.
A series check valve 1205-U4-001 (1205-U4-002)
provides backup isolation against fluid flow from the
suction of RHR train A (train B) to the RWST.
Same as item 1.
- 12. Motor-operated gate valve HV-8716A (HV-8716B analogous) Fails to close on demand. Controls the RHR system resistance to prevent RHR pump runout by blocking or opening flowpaths. Provides separation between two independent flowpaths
outside containment during
cold leg recirculation.
Directs LHSI flow to hot
legs during hot leg
recirculation. Failure reduces redundancy
to prevent excessive RHR
pump runout during cold
leg recirculation. No effect on system operation.
Isolation valve HV-8716B (HV-8716A) provides
backup isolation to limit RHR pump runout flow.
Same as item 1.
During the first 11 h of long-term core cooling phase incident recovery RHR, SI, and charging pumps are
aligned for injection into
cold legs of RCS coolant
loops. After 11 h, RHR and SI pumps are aligned by
operator for recirculation flow into the hot legs.
Fails to open on demand. Failure reduces redundancy of providing fluid flow from
RHR pumps for injection
into hot legs of RCS loops.
Minimum flow requirements will be met by
opening of isolation valve
HV-8716B (HV-8716A) and flow from RHR train B (train
A). Hot leg RCS coolant loop recirculation from at least SI pump required to prevent
boron precipitation during
long-term core cooling.
- 13. Motor-operated gate valve HV-8809A (HV-8809B analogous) Fails to close on demand. Provides isolation of fluid flow from RHR train A (train B) to cold leg injection
loops. Failure reduces flow of
recirculation coolant to hot
legs of RCS coolant loops
from RHR train A (train B)
Minimum flow requirements
to hot leg of RCS coolant loops will be met by delivery of coolant from
pumps to the hot legs.
Same as item 1.
- 14. Motor-operated gate valve HV-8840 Fails to open on demand. Provides isolation of fluid flow from RHR pumps to
hot leg injection header of
RCS coolant loops.
Failure prevents fluid flow from RHR pumps directly to hot leg injection
header of RCS coolant loops. Minimum flow
requirements to hot legs of RCS coolant loop will be met by delivery of coolant from either of the two SI
pumps, thus maintaining
redundant hot leg recirculation capability.
Same as item 7.
Same as item 12.
Fails to close on demand. Failure reduces redundancy of providing isolation of
recirculation of fluid into hot
legs of RCS coolant loops by RHR pumps. Negligible
effect on recirculation into
cold legs of RCS coolant loops. Alternate fluid flow isolation provided by
closing of isolation valves
HV-8716A and HV-8716B.
- 15. Motor-operated gate valve HV-8804A Fails to open on demand. Provides isolation of fluid flow from RHR train A via
RHR heat exchanger A to
suction line of charging
pumps. Failure reduces redundancy of providing flow to the
suction of the charging
pumps from the RHR
pumps. No effect on system operation.
Charging pumps will be provided suction head by
RHR train B via opening
valve HV-8804B and the
high-head SI suction
crosstie via opening valve
HV-8807A or HV-8807B.
Same as item 7.
- 16. Motor-operated gate valve HV-8804B Fails to open on demand. Provides isolation of fluid flow from RHR train B via
RHR heat exchanger B to
suction line of SI pumps. Failure reduces redundancy of providing flow to the
suction of the SI pumps
from the RHR pumps. No effect on system operation.
SI pumps will be provided suction head by RHR train A via opening valve HV-8804A and the HHSI suction crosstie via opening valve HV-8807A or HV-8807B.
Same as item 7.
- 17. Motor-operated gate valve HV-8807A (HV-8807B analogous) Fails to open on demand. Provides fluid flow between the suction of the charging
pumps and the SI pumps. Failure reduces redundancy
of providing long term recirculation fluid between
the suction of the charging
pumps and the SI pumps.
Negligible effect on system
operation. Suction fluid flow provided by opening
alternate isolation valve
HV-8807B (HV-8807A).
Same as item 7.
- 18. Motor-operated gate valve HV-8924 Fails to close on demand. Provides isolation barrier to separate the suction of the
charging pumps and SI
pumps in the event of a single passive failure which
occurs in the recirculation
mode. No effect on system
operation. Isolation barrier is provided by closing of
alternate isolation valves
HV-8807A and HV-8807B.
Same as item 1.
The normal operating position of the valve during
recirculation is open.
- 19. Motor-operated gate valve HV-8835 Fails to close on demand. Provides isolation of fluid flow from SI pumps
discharge line to cold legs
of RCS coolant loops. Failure reduces redundancy of providing flow isolation of SI pump flow to cold
coolant loops. No effect on safety for system operation.
Alternate isolation valves
HV-8821A and HV-8821B
in discharge crosstie line between SI pumps provide
backup isolation against flow of coolant to cold legs.
Same as item 1.
- 20. Motor-operated gate valve HV-8802A (HV-8802B analogous) Fails to open on demand. Provides isolation of fluid flow from SI train A (train B)
discharge line to hot legs of
RCS coolant loops. Failure reduces redundancy of providing fluid flow from
SI pumps to hot legs of
RCS coolant loops.
Minimum flow requirements will be met by SI train B (train A) and RHR pump flow to hot legs of RCS
coolant loops.
Same as item 7.
Same as item 12.
Valve is positioned open by
operator for recirculation
into hot legs 1 and 4 (hot
legs 2 and 3) of RCS
coolant loops.
- 21. Motor-operated gate valve HV-8821A (HV-8821B analogous) Fails to close on demand. Directs SI flow to cold legs during cold leg recirculation. Provides separation between two independent flowpaths outside containment during hot leg recirculation. Failure reduces redundancy to provide independent SI flowpaths during hot leg recirculation. No effect on system operation. Valve HV-8821B (HV-8821A) provides backup isolation to separate SI flowpaths.
Same as item 1.
Same as item 12.
- 22. SI train A (train B analogous) Fails to deliver working
fluid. Provides fluid flow of emergency coolant to the RCS when the RCS loop pressure drops below
shutoff head of pump and
provides long-term recirculation capability for core cooling following the
injection phase of LOCA. Failure reduces redundancy of providing emergency
coolant to the RCS at high RCS pressure. Fluid flow
from SI pump train A (train B) will be lost. Minimum flow requirements for high-head SI will be met by SI
pump train B (train A) and
charging pumps.
Same as stated for item 3
except SI pump discharge pressure and flow
indication at MCB.
The SI pumps start upon
receipt of an SI signal.
- 23. Motor-operated globe valve HV-8813 Fails to close on demand. Provides isolation of fluid flow from the SI pump
discharge header to the
RWST. Failure reduces redundancy
of providing isolation of SI pumps miniflow line
isolation from RWST. No effect on safety for system
operation. Alternate
isolation valves HV-8814
and HV-8920 in each SI pump miniflow line provide
backup isolation.
Same as item 1. Valve is electrically interlocked with isolation
valves HV-8804A and HV-8804B and may not be
opened unless these valves
are closed.
- 24. Motor-operated globe valve HV-8814 (HV-8920 analogous) Fails to close on demand. Provides isolation of fluid flow from SI pump train A (train B) to the RWST. Failure reduces redundancy
of providing isolation of SI
pump train A (train B) miniflow isolation from RWST. No effect on safety for system operation.
Alternate isolation valve HV-8813 in miniflow header
provides backup isolation.
Same as item 1.
Same as item 23.
- 25. Motor-operated gate valve HV-8806 Fails to close on demand. Provides isolation of fluid discharge from the RWST
to suction line of SI pumps. Failure reduces redundancy
of providing isolation of SI
pump suction to RWST.
No effect on safety for system operation. Alternate check isolation valve 1204-U4-090 provides backup isolation.
Same as item 1.
- 26. Motor-operated gate valve HV-8923A (HV-8923B analogous) Fails to close on demand. Provides isolation barrier to form two independent SI pump flowpaths in the
event of a single passive
failure. No effect on system
operation. Isolation barrier is provided by closing of
alternate isolation valve
HV-8923B (HV-8923A).
Same as item 1.
The normal operating position of the valve during
recirculation is open.
- 27. Motor-operated globe valve HV-8508A (HV-8508B analogous) Fails to open on demand. Provides alternate miniflow path for charging pump train A (train B) following isolation of normal miniflow
line. Failure prevents use of alternate miniflow line following receipt of SI
signal. Charging train A (train B) degradation may
occur if RCS pressure then
increases to pump shutoff
head. High-head SI injection flow will be provided by charging pump
train B (train A) and SI
pumps. Valve open/close position
indication at valve handswitch. Valve enabled
condition at monitor light
box and alarm for group
monitoring of components
at MCB. Valve enabled by SI signal
and opens or closes based
on centrifugal charging
pump discharge pressure.
Fails to close on demand. Failure reduces redundancy of providing isolation of
charging pump alternate miniflow line. Alternate
isolation valve HV-8509B (HV-8509A) provides backup miniflow line
isolation.
Valve is closed by the operator during the switchover from injection to recirculation.
- 28. Motor-operated globe valve HV-8509A (HV-8509B analogous) Fails to close on demand. Failure reduces redundancy of providing isolation of
charging pump train B (train A) alternate miniflow line.
Alternate isolation valve
HV-8508B (HV-8508A) provides backup miniflow
line isolation.
Same as item 1.
Same as item 27.
- a. Components 1 through 6, 27, and 28 are components of the CVCS that perform an ECCS safeguards function. Components 8, 9, and 12 are components of the RHR system that perform an ECCS safeguards function.
- b. As part of plant operation, periodic tests, surveillance inspections, and instrumentation calibrations are made to monitor equipment and performance. Failures may be detected during such monitoring of equipment in addition to detection methods noted.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-6 EMERGENCY CORE COOLING SYSTEM RECIRCULATION PIPING PASSIVE FAILURE ANALYSIS LONG TERM PHASE
Low-head recirculation
- Flowpath: From containment sump to low-head injection header via the RHR pumps and the residual heat exchangers.
- Indication of Loss of Flowpath: Accumulation of water in a RHR pump compartment or auxiliary building sump.
- Alternate Flowpath: Via the independent, identical low-head flowpath utilizing the second residual heat exchanger and RHR pump.
High-head recirculation
- Flowpath: From containment sump to the high-head injection header via RHR pump, heat exchanger, and the high-head SI pumps.
- Indication of Loss of Flowpath: Accumulation of water in a RHR pump compartment or the auxiliary building sump or SI or charging pump compartment.
- Alternate Flowpath: From containment sump to the high-head SI headers via alternate RHR pump, RHR heat exchanger, and SI or charging pump.
VEGP-FSAR-6 REV 19 4/15 TABLE 6.3.2-7 (SHEET 1 OF 4)
SEQUENCE OF SWITCHOVER OPERATIONS
Switchover from Cold Leg Injection to Cold Leg Recirculation
During the cold leg injection mode and prior to the receipt of the RWST low-low level alarm, the operator is to:
- Verify that all CSS pumps are operating.
The RWST low-low level signal automatically initiates opening of the containment emergency sump isolation valves (HV-8811A and B). Upon receipt of the RWST low-low level signal, the operator is required to perform manual switchover steps to complete the switchover in an orderly and timely manner and in the proper sequence. The list of manual switchover steps stated below summarizes the significant procedural steps performed. Upon completion of the switchover steps, the operator will verify proper operation and alignment of all ECCS and CSS components.
From the assumed allowances and flow rates, the minimum time available to complete the ECCS switchover, isolation, and verification (steps 1 through 8) is approximately 11.1 minutes from the time the RWST low-low level alarm is actuated. The available switchover time is calculated considering the worst-case single active failure, which is not isolating one RHR pump from the RWST. From the assumed allowances and flow rates, the minimum time available to complete the containment spray switchover and verification (steps 9 through 12) is approximately 6 minutes from the time the RWST empty level alarm is actuated. The available switchover time is calculated considering the worst-case single active failure, which is not isolating one RHR pump from the RWST.
Switchover Steps (a)
The steps 1 through 6 manual actions function to align the suction of the RHR pumps to the containment emergency sump and to align the suction of the charging and SI pumps to the discharge of the RHR pumps, thereby assuring an available suction source for all ECCS pumps. The steps 7 and 8 manual actions provide redundant isolation of the RWST from the recirculation fluid. In the cold leg recirculation alignment, both RHR pumps, both SI pumps, and both charging pumps are delivering to the RCS cold legs.
Step 1: When each containment emergency sump isolation valve has reached the full open position, take action to close the corresponding RWST to RHR pump suction isolation valve (HV-8812 A and B). The maximum time allowed for operator actions prior to and including completion of this step is 6.5 minutes from receipt of the RWST low-low level alarm.
Step 2: Close the three SI pump miniflow valves (HV-8813, HV-8814, and HV-8920).
Step 3: Close the two isolation valves in each charging pump's alternate miniflow line (HV-8508 A and B, HV-8509 A and B).
Step 4: Close the two valves in the crossover line downstream of the RHR heat exchangers (HV-8716 A and B).
Step 5: Open the two parallel valves in the common suction lines between the charging pump suction and the SI pump suction (HV-8807 A and B).
Step 6: Open each valve from each RHR pump discharge line to the charging pump suction and to the SI pump suction (HV-8804 A and B, respectively).
Step 7: Close the two parallel valves in the line from the RWST to the charging pump suction (LV-112D and E).
Step 8: Restore power to and close the valve in the common line from the RWST to both SI pumps (HV-8806).
- a. The operator actions for switchover from injection to cold leg recirculation and CSS switchover are not to be interrupted until all of the steps in the switchover are completed; however, corrective actions for any component failures during the switchover procedure will be performed following completion of the switchover procedure.
Following ECCS realignment from injection to recirculation and upon receipt of an RWST empty level alarm, the spray pumps' suctions are remote manually transferred to the containment emergency sumps. The steps 9 through 12 manual actions provide for this alignment and isolation of the RWST from the recirculation fluid. Upon completion of step 12, the CSS is aligned for recirculation mode of operation, with both CSS pumps taking suction from the containment emergency sumps and delivering flow to the containment spray ring headers.
Step 9: Open the containment emergency sump isolation valves in train A of the CSS (HV-9002A and HV-9003A).
Step 10: When the containment emergency sump isolation valves have reached the full open position, take action to close the corresponding RWST to CSS pump suction isolation valve (HV-9017A).
Step 11: Open the containment emergency sump isolation valves in train B of the CSS (HV-9002B and HV-9003B).
Step 12: When the containment emergency sump isolation valves have reached the full open position, take action to close the corresponding RWST to CSS pump suction isolation valve (HV-9017B).
Switchover from Cold Leg Recirculation to Hot Leg Recirculation
At approximately 7.5 h after the accident, hot leg recirculation shall be initiated. The manual operator switchover steps stated below are normally used to perform the switchover operation from the cold leg recirculation mode to the hot leg recirculation mode. Upon completion of the switchover steps, both RHR pumps are delivering from the containment emergency sumps directly to the RCS hot legs and are also delivering to the suction of the SI and charging pumps. Both SI pumps are delivering to the RCS hot legs and both charging pumps are delivering to the RCS cold legs. The CSS is not affected by the switchover to the hot leg recirculation procedure.
Switchover Steps
Step 1: Close the RHR pump discharge cold leg header isolation valves (HV-8809 A and B).
Step 2: Open the RHR pump discharge crossover isolation valves (HV-8716 A and B).
Step 3: Open the RHR pump discharge hot leg header isolation valve (HV-8840).
Step 4: Stop SI train A pump.
Step 5: Close the corresponding SI pump discharge crossover header isolation valve (HV-8821 A).
Step 6: Open the corresponding SI pump discharge hot leg header isolation valve (HV-8802 A).
Step 7: Restart SI train A pump.
Step 8: Stop SI train B pump.
Step 9: Close the corresponding SI pump discharge crossover isolation valve (HV-8821 B).
Step 10: Open the corresponding SI pump discharge hot leg header isolation valve (HV-8802 B).
Step 11: Restart SI train B pump.
Step 12: Close the SI pump discharge cold leg header isolation valve (HV-8835).
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-8 EMERGENCY CORE COOLING SYSTEM AIR-OPERATED VALVES(a)

| Valve Location Number | Correct Position Following Safeguards Actuation | Failure Position | Automatic Positioning Signal | Position Indication: Red/Green | Position Indication: Monitor Lights |
|---|---|---|---|---|---|
| HV-8843 | C | FC | CI-A | Yes | Yes |
| HV-8882 | C | FC | -- | Yes | -- |
| HV-8964 | C | FC | CI-A | Yes | Yes |
| HV-8871 | C | FC | CI-A | Yes | Yes |
| HV-8888 | C | FC | CI-A | Yes | Yes |
| HV-8879 A,B,C,D | C | FC | -- | Yes | -- |
| HV-8877 A,B,C,D | C | FC | -- | Yes | -- |
| HV-8878 A,B,C,D | C | FC | -- | Yes | -- |
| HV-8880 | C | FC | CI-A | Yes | Yes |
| HV-8889 A,B,C,D | C | FC | -- | Yes | -- |
| HV-8823 | C | FC | CI-A | Yes | Yes |
| HV-8824 | C | FC | CI-A | Yes | Yes |
| HV-8825 | C | FC | CI-A | Yes | Yes |
| HV-8881 | C | FC | CI-A | Yes | Yes |
| HV-8890 A,B | C | FC | CI-A | Yes | Yes |
| FV-618 | C | FC | -- | No | -- |
| FV-619 | C | FC | -- | No | -- |
| HV-606 | O | FO | -- | No(b) | Yes |
| HV-607 | O | FO | -- | No(b) | Yes |

- a. Abbreviations:
FC - fails closed. FO - fails open. C - closed. O - open. SI - safety injection. CI-A - containment isolation phase A.
- b. Position indication by percent valve opening.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-9 (SHEET 1 OF 5)
FAILURE MODES AND EFFECTS ANALYSIS FOR SAFETY GRADE COLD SHUTDOWN OPERATIONS
Component(a) Failure Mode Function Effect on System Operation Failure Detection Methods (c Remarks
- 1. Motor-operated gate valve HV-8812A (HV-8812B analogous). Fails to close on demand. Provides isolation of fluid from the RWST to suction of
RHR pump 1 during cooldown operation. No effect on safety for system operation. Plant cooldown requirements are met by reactor coolant flow from hot leg loop 4 flowing
through train B of RHRS; however, time required to
reduce RCS temperature is
extended.
Valve open/closed position
indication at CB and valve (closed) monitor light and
alarm at CB. Valve is normally open to
align RHRS for ECCS operation during plant power operation and load follow.
Valve must be closed during plant cooldown to satisfy
electrical interlock to permit
valves HV-8701A and B (HV-8702A, B) to be
opened.
- 2. Centrifugal charging pump 1 (pump 2
analogous). Fails to deliver working fluid. Provides fluid flow of borated water from the BAT or
RWST to the RCS. Failure reduces redundancy of providing borated water to
the RCS at high RCS pressures. Fluid flow from charging pump 1 is lost.
Minimum flow requirements
for boration and makeup are met by charging pump 2.
Charging pump discharge header pressure and flow
indication at CB.
Open/close pump switchgear circuit breaker
indication on CB. Circuit
breaker close position
monitor light for group
monitoring of component at
CB. Common breaker trip
alarm at CB.
The charging pumps provide boration and makeup flow to the RCS during safety grade cold shutdown operations.
- 3. Motor-operated gate valve LCV-112B (LCV-112C analogous). Fails to close on demand. Provides isolation of fluid discharge from the VCT to
the suction of charging
pumps. Failure reduces redundancy
of providing VCT discharge
isolation. Negligible effect on safety for system
operation. Alternate
isolation valve provides
backup tank discharge
isolation.
Same as item 1.
The charging pumps suction is isolated from the VCT and
aligned to the BAT (for
boration) or RWST (for
boration and makeup) during safety grade cold shutdown
operations.
- 4. Motor-operated gate valve LCV-112D (LCV-112E analogous). Fails to open on demand. Provides isolation of fluid discharge from the RWST to
the suction of charging
pumps. Failure reduces redundancy of providing fluid flow from
RWST to suction of charging
pumps. Negligible effect on safety for system operation.
Alternate isolation valve
opens to provide backup flowpath to suction of
charging pumps. This path is also the alternate to HV-8104 for boration during safety grade cold shutdown operations (see item 18).
Valves open/close position indication at CB and valve (open) monitor light and
alarm at CB.
The charging pumps suction is aligned to the RWST for boration and makeup to the RCS during safety grade cold shutdown operations.
- 5. Motor-operated gate valve HV-8803A (HV-8803B analogous) (Unit 1 only). N/A Provides isolation of fluid flow from charging pump
discharge header to the inlet
of the BIT.
N/A N/A Electric power supply has been disconnected. Hand switches have been
removed.
- 6. Solenoid-operated globe valve HCV-190A (HCV-190B analogous). Fails to open on demand. Provides control of fluid flow from charging pump to RCS
during plant boration and
makeup. Failure reduces redundancy
of controlling boration and makeup flow to the RCS.
Negligible effect on safety for system operation.
Alternate control valve HCV-190B flow from charging
pump. Valve position indication at
CB; and charging pump discharge header flow
indication at CB.
- 7. Motor-operated globe valve HV-8116. Fails to open on demand. Provides isolation of fluid flow from charging pump
through valve HCV-190A. Failure reduces redundancy of providing boration flow to
the RCS. Negligible effect on safety for system operation. Boration flow provided by charging pump
through valve HCV-190B.
Same as item 4.
Same as item 5.
- 8. Solenoid-operated globe valve HV-8095A (HV-8095B analogous). a. Fails to open on demand. Provides isolation of fluid flow from the RV head to the PRT. a. Failure reduces redundancy of providing flow from the RV head to the PRT. Negligible effect on safety for system operation. RV head letdown flow provided by parallel head letdown path through
alternate isolation valve.
Valve open/close position indication at CB; and RV head letdown high
temperature indication and
alarm at CB. The RV head letdown path
to the PRT provides fluid flow out of the RCS to accommodate boration flow
into the RCS.
- b. Fails to close on demand. b. Failure reduces redundancy of isolating flow from the RV head to the PRT. Negligible effect on safety for system operation. RV head letdown flow isolation provided by
alternate series isolation
valve.
- 9. Solenoid-operated globe valve HV-8096-A (HV-8096B analogous). a. Fails to open on demand. Same as item 8. a. Same as item 8.a. Same as item 8.
Same as item 8.
- b. Fails to close on demand. b. Same as item 8.b.
- 10. Solenoid-operated globe valve HCV-442A (HCV-442B analogous). Fails to open on demand. Same as item 8.
Same as item 8.a. Valve position indication at CB; RV letdown temperature
indication at CB.
Same as item 8.
- 11. Solenoid-operated power-operated relief valve PCV-455A (PCV-456 analogous). a. Fails to open on demand. Provides isolation of fluid flow from pressurizer to
PRT. a. Failure reduces redundancy of providing flow from pressurizer to PRT. Negligible effect on safety for system
operation. Pressurizer vent flow provided by a
parallel pressurizer vent
path through alternate
isolation valves.
Valve open/close position
indication at CB; Pressurizer power-operated relief valve
outlet temperature indication
at CB. Pressurizer vent path to the PRT provides fluid flow out
depressurization to RHRS initiation conditions
- b. Fails to close on demand. b. Failure reduces redundancy of isolating flow from the pressurizer to the PRT. Negligible effect on safety for system operation.
Pressurizer vent flow isolation provided by
alternate series isolation
valve.
- 12. Motor-operated gate valve HV-8000A (HV-
8000B analogous). Fails to close on demand. Same as item 11.
Same as item 11.b except pressurizer vent flow isolation provided by
alternate series isolation
valve. Same as item 11.
Same as item 11.
- 13. Motor-operated gate valve HV-8808A (HV-
8808B, HV-8808C, and
HV-8808D analogous). Fails to close on demand. Prov ides isolation of fluid flow from accumulator 1 to
the RCS. Failure prevents isolation of
accumulator 1 from the
RCS. Negligible effect on safety for system operation.
Accumulator 1 is depressurized by opening
vent isolation valves.
Valve open/closed position
indication at CB, valve (closed) monitor light and
alarm at CB; and accumulator pressure indication and low alarm at
CB. Accumulators are isolated or
vented during plant cooldown to not affect RCS
depressurization.
- 14. Solenoid-operated globe valve HV-8875A (HV-
8875B, HV-8875C, and
HV-8875D analogous). Fails to open on demand. Prov ides venting of nitrogen gas from accumulator 1 to
containment. Failure reduces redundancy
for venting accumulator 1 to
containment. No effect on safety for system operation.
Accumulator 1 can be vented by opening vent
valves HV-8875E and HCV-
943A, or isolated from the RCS by closing isolation
valve HV-8808A.
Valve open/closed position
indication at CB and accumulator pressure indication and low alarm at
CB. Same as item 13.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-9 (SHEET 4 OF 5)

| Component(a) | Failure Mode | Function | Effect on System Operation | Failure Detection Methods(c) | Remarks |
|---|---|---|---|---|---|
| 15. Solenoid-operated globe valve HV-8875E (HV-8875F, HV-8875G, and HV-8875H analogous). | Fails to open on demand. | Same as item 14. | Failure reduces redundancy for venting accumulator 1 to containment. No effect on safety for system operation. Accumulator 1 can be vented by opening vent valves HV-8875A and HCV-943A, or isolated from the RCS by closing isolation valve HV-8808A. | Same as item 14. | Same as item 13. |
| 16. Solenoid-operated globe valve HCV-943A (HCV-943B analogous). | Fails to open on demand. | Provides venting of nitrogen gas from accumulators to containment. | Failure reduces redundancy for venting accumulators to containment. No effect on safety for system operation. Accumulators can be vented by opening vent valve HCV-943B or isolated from RCS by closing isolation valves HV-8808A, B, C, and D. | Valve position indication at CB and accumulator pressure indication and low alarm at CB. | Same as item 13. |
| 17. Boric acid transfer pump 1 (pump 2 analogous). | Fails to deliver working fluid. | Provides fluid flow of concentrated boric acid from BAT to charging pump suction. | Failure reduces redundancy of providing concentrated boric acid to charging pump suction. Fluid flow from boric acid transfer pump 1 is lost. Minimum flow requirements for boration is met by boric acid transfer pump 2. | Pump motor start relay position indication (open) at CB and local pump discharge pressure indication. | The boric acid transfer pumps provide boration flow to the charging pumps suction during safety grade cold shutdown operations. |
| 18. Motor-operated globe valve HV-8104. | Fails to open on demand. | Provides isolation of fluid flow from either boric acid transfer pump to charging pump suction. | Failure reduces redundancy of providing concentrated boric acid to charging pump suction. Negligible effect on safety for system operation. Concentrated boric acid provided to charging pump suction through valves LV-112D or LV-112E from the RWST. | Valve open/close position indication at CB; and boration flow indication at CB. | The charging pumps' suction is aligned to the BAT pumps for A-train boration of the RCS during safety grade cold shutdown operations. Alternate A and B train paths are aligned through valves LV-112D or LV-112E from the RWST. |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.2-9 (SHEET 5 OF 5)
- a. Components 1, 5, and 13 through 16 are components of the ECCS that perform a safety-grade cold shutdown function. Components 2 through 4, 6, 7, 17 and 18 are components of the CVCS that perform a safety-grade cold shutdown function. Components 8 through 12 are components of the RCS that perform a safety-grade cold shutdown function.
- b. List of acronyms and abbreviations.
Auto - Automatic.
BAT - Boric acid tank.
BIT - Boron injection tank (Unit 1 only).
CB - Main control board.
CVCS - Chemical and volume control system.
ECCS - Emergency core cooling system.
HELB - High-energy line break.
MELB - Moderate-energy line break.
PRT - Pressurizer relief tank.
RC - Reactor coolant.
RHRS - Residual heat removal system.
RWST - Refueling water storage tank.
RV - Reactor vessel.
SI - Safety injection.
VCT - Volume control tank.
- c. As part of plant operation, periodic tests, surveillance inspections, and instrument calibrations are made to monitor equipment and performance. Failures may be detected during such monitoring of equipment in addition to detection methods noted.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.3-1 EMERGENCY CORE COOLING SYSTEM SHARED FUNCTIONS EVALUATION

| Component | Normal Operating Arrangement | Accident Arrangement |
|---|---|---|
| Refueling water storage tank | Lined up to suction of SI and RHR pumps. | Lined up to suction of centrifugal charging, SI, and RHR pumps. |
| Charging pumps | Lined up for charging service suction from volume control tank; discharge via normal charging line. | Suction from refueling water storage tank; discharge lined up to cold legs of reactor coolant piping through high head header. Valves for realignment meet single failure criteria. |
| RHR pumps | Lined up to cold legs of reactor coolant piping. | Lined up to cold legs of reactor coolant piping. |
| Residual heat exchangers | Lined up to cold legs of reactor coolant piping. | Lined up to cold legs of reactor coolant piping. |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.3.3-2 NORMAL OPERATING STATUS OF EMERGENCY CORE COOLING SYSTEM COMPONENTS FOR CORE COOLING
Number of charging pumps operable 2
Number of RHR pumps operable 2
Number of residual heat exchangers operable 2
Refueling water storage tank volume, nominal (gal) 715,000
Boron concentration in refueling water storage tank (ppm) 2400-2600
Boron concentration in accumulators (ppm) 1900-2600
Boron concentration in BIT (ppm) (Unit 1 only) 0-2600 (a)
Number of accumulators operable 4
Minimum accumulator pressure (psig) 617
Nominal accumulator water volume (ft³) 900
System valves, interlocks, and piping required for the above components which are operable All
- a. No credit taken in accident analyses.
REV 15 4/09 EMERGENCY CORE COOLING SYSTEM PROCESS FLOW DIAGRAM FIGURE 6.3.2-1 (SHEETS 1 THROUGH 22 OF 22; SHEET 2 IS UNIT 1, SHEET 3 IS UNIT 2)
REV 14 10/07 PERFORMANCE CURVES RESIDUAL HEAT REMOVAL PUMPS FIGURE 6.3.2-2
REV 14 10/07 PERFORMANCE CURVES CENTRIFUGAL CHARGING PUMPS FIGURE 6.3.2-3
REV 14 10/07 PERFORMANCE CURVES SAFETY INJECTION PUMPS FIGURE 6.3.2-4
REV 17 4/12 RWST SIZING FIGURE 6.3.2-5
6.4.2.3 Leaktightness (HISTORICAL)
The exfiltration and infiltration analyses are performed using the methods and assumptions given in American Society of Heating, Refrigerating, and Air-Conditioning Engineers Handbook of Fundamentals and Regulatory Guide 1.78 and "Conventional Buildings for Reactor Containment," published by Atomics International, Catalog No. NAA-SR-10100, dated June 15, 1965. The leakage rates were calculated using the following equations:

A. Penetrations and Doors

$$Q = AP + BP^{1/2}$$

where:
Q = leakage rate per unit leak path (ft³/min).
P = differential pressure (in. WG).
A and B = coefficients from test data.

B. Dampers

Leaktightness is determined from actual test data on dampers.

The leak paths considered are ductwork, piping, and electrical penetrations; dampers and doors; and construction joints and materials.

Table 6.4.2-2 provides a listing of leakage data and total leakage rates for potential leak paths. For analysis of exfiltration from the pressurized control room envelope, a positive 1/8-in. WG pressure differential is considered for all leak paths resulting in a total outleakage of 1500 ft³/min (at emergency conditions). For analysis of infiltration to the unpressurized control room envelope, a negative 1/8-in. WG pressure differential is considered for all leak paths resulting in a total inleakage of 750 ft³/min. The control room envelope is pressurized during normal operation. The normal outside air supply is designed to pressurize the control room to 1/8 in. WG and is sized to deliver up to 3000-ft³/min flowrate into the control room during the normal mode of operation. Based on the rate of outleakage, this flowrate is adequate to maintain a 1/8-in. positive pressure in the control room envelope during normal operation.

G. When the control room is isolated but not pressurized, the air leakage into the control room is no greater than 750 ft³/min from all pathways, based on a 1/8-in. WG differential. This amounts to approximately 0.3-h⁻¹ air change. The infiltration is distributed as shown in table 6.4.2-2. (HISTORICAL)
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.2-1 (SHEET 1 OF 2)
PERFORMANCE CHARACTERISTICS OF MAJOR SYSTEM COMPONENTS

Control Building Control Room Filter Units
Quantity: 4
System components:

Supply fan
- Type: Centrifugal
- Capacity (ft³/min) (maximum): 25,000
- Static pressure (in. WG): 14
- Motor (hp): 125

Charcoal absorber
- Efficiency (%): 99 at 70% relative humidity (for elemental and organic iodines)
- Face velocity (ft³/min): 40
- Residence time (s/4-in. bed depth): 0.5
- Nominal size (Tyler mesh): 8 x 16

HEPA filters
- Filter element: Pleated fiberglass
- Size (in.): 24 x 24 x 12
- Efficiency (%): 99.97 on 0.3 µm and larger
- Capacity for size indicated (ft³/min): 1000

Moisture eliminator
- Separator element: Fiberglass or galvanized steel
- Efficiency (%): 99% for 5 to 10 µm droplets

Electric heater
- Heater element: 80% Ni/20% Cr
- Heating capacity (kW): 118

Cooling coil
- Cooling capacity (Btu/h): 1.09 x 10⁶
- Entering water temperature (°F): 44
- Leaving water temperature (°F): 56
- Chilled waterflow (gal/min): 175

VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.2-1 (SHEET 2 OF 2)

Control Building Control Room Return Air Fan
- Type: Vane axial
- Capacity (ft³/min): 24,800
- Static pressure (in. WG): 2.5
- Motor (hp): 20

(NOTE: The return air fans are disabled and abandoned in place as their function is not required.)
VEGP-FSAR-6 REV 15 4/09 (HISTORICAL)
TABLE 6.4.2-2 LEAKAGE DATA AND LEAKAGE RATES

| Leak Path | Inleakage Rate at 1/8 in. WG (ft³/min) | Outleakage Rate at 1/8 in. WG (ft³/min) |
|---|---|---|
| Concrete walls and floors | 2 | 5 |
| Ducts, piping, and electrical penetrations | 559 | 500 |
| Dampers | 0 | 10 |
| Doors | 125 | 125 |
| Ductwork | 20 | 15 |
| Supply fans and filtration units | 24 | 675 |
| Return fan | 4 | 150 |
| Supply fan enclosure | 16 | 20 |
| TOTAL | 750 | 1500 |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 1 OF 14)
CONTROL ROOM EMERGENCY HVAC SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 1. | 1HV12146 air-operated on-off damper, normally open/fail closed (NO/FC) (supply side) | Remain open to allow flow of air, and closed on CRI so that EFU will provide HVAC | A | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to provide HVAC in normal mode. | |
| | | | B, C | Fail to close | Position indicating lights | None. Redundant damper (item 2) available. | |
| | | | D | Inadvertent closed | Position indicating lights | None. Dampers can be manually opened to remove smoke. | |
| 2. | 1HV12147 air-operated on-off damper, NO/FC (supply side) | Remain open to allow flow of air, and closed on CRI so that EFU will provide HVAC | A | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to provide HVAC in normal mode. | |
| | | | B, C | Fail to close | Position indicating lights | None. Redundant damper (item 1) available. | |
| | | | D | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to remove smoke. | |
| 3. | 1HV12148 air-operated on-off damper, NO/FC (return side) | Remain open to allow flow of air, and closed on CRI so that EFU will provide HVAC | A | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to provide HVAC in normal mode. | |
| | | | B, C | Fail to close | Position indicating lights | None. Redundant damper (item 4) available. | |
| | | | D | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to remove smoke. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 2 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 4. | 1HV12149 air-operated on-off damper, NO/FC (return side) | Remain open to allow flow of air, and closed on CRI so that EFU will provide HVAC | A | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to provide HVAC in normal mode. | |
| | | | B, C | Fail to close | Position indicating lights | None. Redundant damper (item 3) available | |
| | | | D | Inadvertent closed | Position indicating lights | None. Damper can be manually opened to remove smoke. | |
| 5. | No. 16 breaker on 1ABA 480-V MCC, 1E Bus, for item 7, normally closed (NC) | Provide continuity and protection to damper motor (item 7) | A | Inadvertent open | Position indicating lights; motor control center (MCC) alarm | None. Loss of intake air from Unit 1. Intake air from Unit 2 available. | |
| | | | B | Inadvertent open | Position indicating lights; MCC alarm | None. No loss of EFU. | |
| | | | C | Inadvertent open | Position indicating lights; MCC alarm | None. Open damper will close. | |
| 6. | No. 16 motor starter for item 7, NC | Provide continuity to damper (item 7) | A | Inadvertent open | Position indicating lights | None. Loss of intake air from Unit 1. Intake air from Unit 2 available. | |
| | | | B | Inadvertent open | Position indicating lights | None. No loss of EFU. | |
| | | | C | Fail to open | Position indicating lights | None. Dampers (item 10) available. | |
| 7. | 1HV12114 motor-operated on-off damper, NO | Remain open to allow flow of air on NU and CRI modes | A | Inadvertent closed | Position indicating lights | None. Loss of intake air from Unit 1. Intake air from Unit 2 available. | |
| | | | B | Inadvertent closed | Position indicating lights | None. No loss of EFU. Loss of intake air from Unit 1. Intake air from Unit 2 available to maintain positive pressure. | |
| | | | C | Fail to close | Position indicating lights | None. Damper (item 10) is already closed. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 3 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 8. | No. 16 breakers on 1BBA 480-V MCC, 1E Bus, for item 10, NC | Provide continuity and protection to damper motor (item 10) | A | Inadvertent open | Position indicating lights; MCC alarm | None. Loss of intake air from Unit 1. Intake air from Unit 2 available. | |
| | | | B | Inadvertent open | Position indicating lights; MCC alarm | None. No loss of EFU. | |
| | | | C | Inadvertent open | Position indicating lights; MCC alarm | None. Open damper will close. | |
| 9. | No. 16 motor starter for item 10, NC | Provide continuity to 1HV12115 (item 10) | A | Inadvertent open | Position indicating lights | None. Loss of intake air from Unit 1. Intake air from Unit 2 available. | |
| | | | B | Inadvertent open | Position indicating lights | None. No loss of EFU. | |
| | | | C | Fail to open | Position indicating lights | None. Dampers (item 7) available. | |
| 10. | 1HV12115 motor-operated on-off damper, NO | Remain open to allow flow of air on NU and CRI modes | A | Inadvertent closed | Position indicating lights | None. Loss of intake air from Unit 1. Intake air from Unit 2 available. | |
| | | | B | Inadvertent closed | Position indicating lights | None. No loss of EFU. Loss of intake air from Unit 1. Intake air from Unit 2 available to maintain positive pressure. | |
| | | | C | Fail to close | Position indicating lights | None. Damper (item 7) is already closed. | |
| 11. | HV12152 air-operated on-off damper, NO/FC | Remain open to allow flow of air during normal mode, and closed on CRI so that EFU will provide HVAC | A | Inadvertent closed | Flow alarm, low; position indicating lights | None. Damper can be manually opened to provide HVAC in normal mode. | Common to Units 1 and 2 |
| | | | B, C | Fail to close | Position indicating lights | None. Redundant damper (item 12) available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 4 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| | | | D | Inadvertent closed | Position indicating lights | None. Smoke mode intake available. | |
| 12. | HV12153 air-operated on-off damper, NO/FC | Remain open to allow flow of air, and closed on CRI so that EFU will provide HVAC | A | Inadvertent closed | Flow alarm, low; position indicating lights | None. Damper can be manually opened to provide HVAC in normal mode. | Common to Units 1 and 2 |
| | | | B, C | Fail to close | Position indicating lights | None. Redundant damper (item 11) available. | |
| | | | D | Inadvertent closed | Position indicating lights | None. Smoke mode intake available. | |
| 13. | DELETED. | | | | | | |
| 14. | DELETED. | | | | | | |
| 15. | DELETED. | | | | | | |
| 16. | DELETED. | | | | | | |
| 17. | DELETED. | | | | | | |
| 18. | DELETED. | | | | | | |
| 19. | Breakers, 480-V switchgear, 1E Bus, for item 20, No. 4 breaker on 1AB05 | Provide continuity and protection to fan motor (item 20) | A | Inadvertent closed | Motor indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Motor indicating lights; flow alarm, low | Loss of train A. Train B available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 5 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 20. | Control building control room filter unit fan motor, normally deenergized (ND) 1-1531-N7-001-M01 | Provide motive power to circulate air | A | N/A | N/A | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to operate fan motor | Flow alarm, low; motor indicating lights | Loss of train A. Train B available. | |
| 21. | Breakers, 480-V switchgear, 1E Bus, for item 22, No. 4 breaker on 1BB07 | Provide continuity and protection to fan motor item 22 | A | Inadvertent closed | Motor indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Motor indicating lights; flow alarm, low | None. Loss of train B. Train A available. | |
| 22. | Control building control room filter unit fan motor, ND 1-1531-N7-002-M01 | Provide motor power to circulate air | A | N/A | N/A | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to operate fan motor | Flow alarm, low; motor indicating lights | None. Loss of train B. Train A available. | |
| 23. | Breakers, 480-V switchgear, 1E Bus, for item 24 No. 06 breaker on 1AB05 | Provide continuity and protection to heater (item 24) | A | Inadvertent closed | Heater indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Heater indicating lights; flow alarm, low | None. Loss of train A. Train B available. | |
| 24. | Control building control room electrical heater, ND 1-1531-N7-001-H01 | Provide heat, and reduce relative humidity and extract moisture | A | N/A | N/A | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to operate | Moisture alarm; temperature indicating lights | None. Loss of train A. Train B available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 6 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 25. | Breaker 480-V switchgear, 1E Bus, for item 26, NO No. 6 breaker on 1BB07 | Provide continuity and protection to heater (item 26) | A | Inadvertent closed | Heater indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Heater indicating lights; flow alarm, low | None. Loss of train B. Train B available. | |
| 26. | Control building control room electrical heater, ND 1-1531-N7-002-H01 | Provide heat, and reduce relative humidity and extract moisture | A | N/A | N/A | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to operate | Moisture alarm; temperature indicating lights | None. Loss of train B. Train A available. | |
| 27. | Breakers, 480-V MCC, 1E Bus, for item 29, NC No. 23 breaker on 1ABA | Provide continuity and protection to damper (item 29) | A, D | Inadvertent open | Position indicating lights; MCC alarm | None. Normally closed damper will remain closed. | |
| | | | B, C | Inadvertent open | Flow alarm, low; position indicating lights; MCC alarm | None. Loss of train A. Train B available. | |
| 28. | Motor starter for item 29, NC No. 23 motor starter on 1ABA | Provide continuity to damper (item 29) | A, D | Inadvertent closed | Position indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Flow alarm, low; position indicating lights | None. Loss of train A. Train B available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 7 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 29. | Motor-operated on-off damper, NC 1HV12128 on 1ABA | Remain closed on normal mode, and opens on CRI | A, D | Inadvertent open | Position indicating lights | None. EFU not required. NUs provide HVAC. In smoke mode, close the damper manually. | |
| | | | B, C | Fail to open | Flow alarm, low; position indicating lights | None. Loss of train A. Train B available. | |
| 30. | Breaker, 480-V MCC, 1E Bus, for item 32, NC No. 23 breaker on 1BBA | Provide continuity and protection to damper (item 32) | A, D | Inadvertent open | Position indicating lights; MCC alarm | None. Normally closed damper will remain closed. | |
| | | | B, C | Inadvertent open | Flow alarm, low; position indicating lights; MCC alarm | None. Loss of train B. Train A available. | |
| 31. | Motor starter for item 32, NC No. 23 motor starter on 1BBA | Provide continuity to damper (item 32) | A, D | Inadvertent closed | Position indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Flow alarm, low; position indicating lights | None. Loss of train B. Train A available. | |
| 32. | Motor-operated on/off damper, NC 1HV12129 on 1BBA | Remain closed on normal mode, and open on CRI | A, D | Inadvertent open | Position indicating lights | None. EFU not required. NUs provide HVAC. In smoke mode, close the damper manually. | |
| | | | B, C | Fail to open | Flow alarm, low; position indicating lights | None. Loss of train B. Train A available. | |
| 33. | Breakers, 480-V MCC, 1E Bus, for item 35, NC No. 6 breaker on 1ABA (c) | Provide continuity and protection to fan motor (item 35) | A, D | Inadvertent open | MCC alarm; motor indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Inadvertent open | Flow alarm, low; position indicating lights; MCC alarm | None. Loss of train A. Train B available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 8 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 34. | Motor starter for item 35, NO No. 6 motor starter on 1ABA (c) | Provide continuity and protection to fan motor (item 35) | A, D | Inadvertent closed | Motor indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Flow alarm, low; motor indicating lights | None. Loss of train A. Train B available. | |
| 35. | Control building control room return air fan motor, ND 1-1531-B7-005-M01 (c) | Provide motive power to circulate air | A, D | N/A | N/A | None. EFU not required. | |
| | | | B, C | Fail to operate fan motor | Flow alarm, low; motor indicating lights | None. Loss of train A. Train B available. | |
| 36. | Breaker, 480-V MCC, 1E Bus, for item 38, NC No. 6 breaker on 1BBA (c) | Provide continuity and protection to fan motor (item 38) | A, D | Inadvertent open | MCC alarm; motor indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Inadvertent open | Flow alarm, low; position indicating lights; MCC alarm | None. Loss of train B. Train A available. | |
| 37. | Motor starter for item 38, NO No. 6 motor starter on 1BBA (c) | Provide continuity and protection to fan motor (item 38) | A, D | Inadvertent closed | Motor indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Flow alarm, low; motor indicating lights | None. Loss of train B. Train A available. | |
| 38. | Control building control room return air fan motor, ND 1-1531-B7-006-M01 (c) | Provide motor power to circulate air | A, D | N/A | N/A | None. EFU not required. | |
| | | | B, C | Fail to operate | Flow alarm, low; motor indicating lights | None. Loss of train B. Train A available. | |
| 39. | Breaker, 480-V MCC, 1E Bus, for item 41, NC No. 21 breaker on 1ABA | Provide continuity and protection to damper (item 41) | A, D | Inadvertent open | Position indicating lights; MCC alarm | None. Normally closed damper will remain closed. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 9 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| | | | B, C | Inadvertent open | Flow alarm, low; position indicating lights; MCC alarm | None. Loss of train A. Train B available. | |
| 40. | Motor starter for item 41, NO No. 21 motor starter on 1ABA | Provide continuity to damper (item 41) | A, D | Inadvertent close | Position indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Flow alarm, low; position indicating lights | None. Loss of train A. Train B available. | |
| 41. | Motor-operated on-off damper, NC 1HV12130 damper on 1ABA | Remain closed on normal mode, and open on CRI | A, D | Inadvertent open | Position indicating lights | None. EFU not required. NUs provide HVAC. In smoke mode, damper can be closed manually. | |
| | | | B, C | Fail to open | Flow alarm, low; position indicating lights | None. Loss of train A. Train B available. | |
| 42. | Breaker, 480-V MCC, 1E Bus, for item 44, NC No. 21 breaker on 1BBA | Provide continuity and protection to damper (item 44) | A, D | Inadvertent open | Position indicating lights; MCC alarm | None. Normally closed damper will remain closed. | |
| | | | B, C | Inadvertent open | Flow alarm, low; position indicating lights; MCC alarm | None. Loss of train B. Train A available. | |
| 43. | Motor starter for item 44, NO No. 21 motor starter on 1BBA | Provide continuity to damper item 44 | A, D | Inadvertent close | Position indicating lights | None. EFU not required. NUs provide HVAC. | |
| | | | B, C | Fail to close | Flow alarm, low; position indicating lights | None. Loss of train B. Train A available. | |
| 44. | Motor-operated on-off damper, NC 1HV12131 on 1BB1 | Remain closed on normal mode and opens on CRI | A, D | Inadvertent open | Position indicating lights | None. EFU not required. NUs provide HVAC. In smoke mode, damper can be closed manually. | |
| | | | B, C | Fail to open | Flow alarm, low; position indicating lights | None. Loss of train B. Train A available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 10 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 45. | Breakers, 480-V MCC, 1E Bus, for item 47, NC No. 14 breaker on 1ABA | Provide continuity and protection to fan motor item 47 | A, B, C, D | Inadvertent open | MCC alarm; motor indicating lights; flow alarm, low | None. Loss of train A. Train B available. | |
| 46. | Motor starter for item 47, NC No. 14 motor starter on 1ABA | Provide continuity to fan motor, item 47 | A, B, C, D | Inadvertent open | Flow alarm, low; motor indicating lights | None. Loss of train A. Train B available. | |
| 47. | Control building control room engineered safety features (ESF) chiller room exhaust fan motor, normally energized (NE) 1-1531-B7-002-M01 | Provide motive power, to exhaust air | A, B, C, D | Fail to operate | Flow alarm, low; motor indicating lights | None. Loss of train A. Train B available. | |
| 48. | Breaker 480-V MCC, 1E Bus, for item 50, NC No. 14 breaker on 1BBA | Provide continuity protection to fan motor item 50 | A, B, C, D | Inadvertent open | MCC alarm; motor indicating lights; flow alarm, low | None. Loss of train B. Train A available. | |
| 49. | Motor starter for item 50, NC No. 14 motor starter on 1BBA | Provide continuity to fan motor (item 50) | A, B, C, D | Inadvertent open | Flow alarm, low; motor indicating lights | None. Loss of train B. Train A available. | |
| 50. | Control building control room ESF chiller room exhaust fan motor NE 1-1531-B7-004-M01 | Provide motor power to exhaust air | A, B, C, D | Fail to operate | Flow alarm, low; motor indicating lights | None. Loss of train B. Train A available. | |
| 51. | Fan, fan shaft, bearing, filter, damper, etc., for air filtration unit 1-1531-N7-001-000 | Provide circulation filtration and control of air flow | B, C | Mechanical failure | Flow alarm, low; pressure differential alarm, high; temperature alarm, high | None. Loss of train A. Train B available. | |
| 52. | Fan, fan shaft, bearing, filter, damper, etc., for air filtration unit 1-1531-N7-002-000 | Provide circulation filtration and control of air flow | B, C | Mechanical failure | Flow alarm, low; pressure differential alarm, high; temperature alarm, high | None. Loss of train B. Train A available. | |
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.4-1 (SHEET 11 OF 14)

| Item No. | Description of Component | Safety Function | Plant Operating Mode | Failure Mode(s) | Method of Failure Detection | Failure Effect on System Safety Function Capability | General Remarks |
|---|---|---|---|---|---|---|---|
| 53. | Cooling coil for air filtration unit 1-1531-N7-001-000 | Provide cooling and heat removal in the area | B, C | Leakage in cooling coil | Water flow alarm, low; temperature alarm, low | None. Loss of train A. Train B available. | |
| 54. | Cooling coil for air filtration unit 1-1531-N7-002-000 | Provide cooling and heat removal in the area | B, C | Leakage in cooling coil | Water flow alarm, low; temperature alarm, high | None. Loss of Train B. Train A available. | |
| 55. | HV12162 air-operated on-off damper NO/FC | Remain open to allow flow of air in normal and smoke modes, and close on CRI so that EFU will provide HVAC | A | Inadvertent closed | Position indicating lights | None. Damper can be manually opened. | Common to Units 1 and 2 |
| | | | B, C | Fail to close | Position indicating lights | None. Item 56 available. | |
| | | | D | Inadvertent closed | Position indicating lights | None. Damper can be manually opened | |
| 56. | HV12163 air-operated on-off dampers NO/FC | Remain open to allow flow of air in normal and smoke modes, and close on CRI so that EFU will provide HVAC | A | Inadvertent closed | Position indicating lights | None. Damper can be manually opened. | Common to Units 1 and 2 |
| | | | B, C | Fail to close | Position indicating lights | None. Item 55 available. | |
| | | | D | Inadvertent closed | Position indicating lights | None. Damper can be manually opened. | |
| 57. | 1-1531-B7-002-000 fan, fan shaft bearing, motor, etc. | Provide motive power to circulate air | B, C, D | Mechanical failure | Flow alarm, low; temperature alarm, high | None. Loss of train A. Train B available. | |
- 58. 1-1531-B7-004-000 fan, fan shaft, bearing, motor, etc.
  Safety function: Provide motive power to circulate air
  Plant operating mode: B, C, D
  Failure mode: Mechanical failure
  Method of failure detection: Flow alarm, low; temperature alarm, high
  Failure effect and remarks: None. Loss of train B. Train A available.
- 59. DELETED.
- 60. DELETED.
- 61. Smoke monitor 1AE12167
  Safety function: Monitor smoke in intake air and alarms at high smoke concentration and isolates intake air
  Plant operating mode: C
  Failure mode: Fail to give smoke alarm at high smoke concentration
    Method of failure detection: Smoke alarm high on smoke monitor 1AE12166
    Failure effect and remarks: None. Automatically isolate Unit 1 side intake by closing dampers 1HV12114 and 1HV12115. Use Unit 2 air intake. If smoke concentration is also high on Unit 2 air intake, go on recirculation mode with no outside air intake
  Failure mode: False alarm
    Method of failure detection: No alarm on smoke monitor 1AE12166
    Failure effect and remarks: None. Smoke concentration is not high.
- 62. Smoke monitor 1AE12166
  Safety function: Monitor smoke in intake air and alarms at high smoke concentration and isolates intake air
  Plant operating mode: C
  Failure mode: Fail to give smoke alarm at high smoke concentration
    Method of failure detection: Smoke alarm high on smoke monitor 1AE12167
    Failure effect and remarks: None. Automatically isolate Unit 1 side intake by closing dampers 1HV12114 and 1HV12115. Use Unit 2 air intake. If smoke concentration is also high in Unit 2 air intake go on recirculation mode with no outside air intake
  Failure mode: False alarm
    Method of failure detection: No alarm on smoke monitor 1AE12167
    Failure effect and remarks: None. Smoke concentration is not high.
- 63. Radiation monitor 1RE12117
  Safety function: Monitor radiation in intake air and alarms at high radiation level
  Plant operating mode: C
  Failure mode: Fail to give radiation alarm at high radiation
    Method of failure detection: Radiation alarm high on radiation monitor 1RE12116
    Failure effect and remarks: None. Use EFU to filter iodine. Item 64 available also.
  Failure mode: False alarm
    Method of failure detection: No alarm on radiation monitor 1RE12116
    Failure effect and remarks: None. Radiation level is not high.
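- 64. Radiation monitor 1RE12116
  Safety function: Monitor radiation in intake air, and alarms at high radiation level
  Plant operating mode: C
  Failure mode: Fail to give radiation alarm at high radiation
    Method of failure detection: Radiation alarm high on radiation monitor 1RE12117
    Failure effect and remarks: None. EFU to filter iodine. Item 63 available also.
  Failure mode: False alarm
    Method of failure detection: No alarm on radiation monitor 1RE12117
    Failure effect and remarks: None. Radiation level is not high.
- 65. 1-1531-D7-103 backdraft damper (return duct)
  Safety function: Open with air flow in return direction and close on opposite flow
  Plant operating mode: A&D
    Failure mode: N/A
    Method of failure detection: N/A
    Failure effect and remarks: N/A
  Plant operating mode: B&C
    Failure mode: One blade fails to open
    Method of failure detection: None
    Failure effect and remarks: None. Flow variation is within allowable tolerances. Control room +VE pressure will be maintained.
- 66. 1-1531-D7-104 backdraft damper (outside air)
  Safety function: Open with air flow in outside air supply direction and close on opposite flow
  Plant operating mode: A&C&D
    Failure mode: N/A
    Method of failure detection: N/A
    Failure effect and remarks: N/A
  Plant operating mode: B
    Failure mode: One blade fails to open
    Method of failure detection: None
    Failure effect and remarks: None. Flow variation is within allowable tolerances. Control room +VE pressure will be maintained.
- 67. 1-1531-D7-105 backdraft damper (return duct)
  Same as Item 65
- 68. 1-1531-D7-106 backdraft damper (outside air)
  Same as Item 66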
- 69. Flow switch FSL-12045
  Safety function: Monitor supply air flow of filter unit 1-1531-N7-002 to prevent starting of 1-1531-N7-001; or upon sensing low flow, to provide permissive start of filter unit 1-1531-N7-001
  Plant operating mode: A&D
    Failure mode: N/A
    Method of failure detection: N/A
    Failure effect and remarks: N/A
  Plant operating mode: B&C
    Failure mode: Fail to detect air flow; no power
    Method of failure detection, failure effect and remarks: Lights for both units 1-1531-N7-001 1-1531-N7-002 will run until N7-002(b) None. Flow switch FSL-12045 will detect no flow in 1-1531-N7-002 supply duct and thus start 1-1531-N7-001.
- 70. Flow switch FSL-12046
  Safety function: Monitor supply air flow of filter unit 1-1531-N7-001 to stop lead filtration unit 1-1531-N7-002 upon sensing flow
  Plant operating mode: A&D
    Failure mode: N/A
    Method of failure detection: N/A
    Failure effect and remarks: N/A
  Plant operating mode: B&C
    Failure mode: Fail to detect air flow; no power
      Method of failure detection: None
      Failure effect and remarks: None. Flow indicator FI-12192 will indicate 1-1531-N7-002 is running.
    Failure mode: False flow indication
      Method of failure detection: None
      Failure effect and remarks: None, Lead/lag logic will start 1-1531-N7-001
- a. Plant operating modes are as follows:
  A - Normal mode: HVAC normal units (NU) operating; outside and recirculation supply air; positive room pressure relative to the atmosphere.
  B - Emergency mode: HVAC emergency filtration units (EFU) operating; outside and recirculation supply air; positive room pressure relative to the atmosphere.
  C - Isolation mode: EFU operating; recirculation only; zero pressure differential; outside smoke.
  D - Smoke purge mode: HVAC NU operating; outside air only; negative room pressure relative to the atmosphere (smoke inside control room).
- b. Trips after FSL-12046 sensing flow on N7-001 unit.
- c. The return air fans are disabled and abandoned in place.
VEGP-FSAR-6 REV 14 10/07 TABLE 6.4.6-1 CONTROL ROOM HVAC INDICATIONS AND ALARMS
Control room differential pressure (high or low alarm)
Control room area radiation (indication and high alarm)
Control room smoke (high alarm)
Smoke in control room intake (high alarm)
Radiation level in control room intake (indication and high alarm)
Fan operating status
Isolation damper position
Differential pressure across first HEPA filter (indication and high alarm)
Differential pressure across total filter unit (indication and high alarm)
Moisture content downstream of the moisture eliminator (indication and high alarm)
Temperature in charcoal filter (high alarm, high high alarm)
Temperature of filter unit upstream and downstream of the charcoal filter (indication)
Airflow rate at filter unit outlet (indication and high or low alarm)
VEGP-FSAR-6 REV 13 4/06 TABLE 6.5.1-1 (SHEET 1 OF 3)
ESF FILTER SYSTEM DESIGN PARAMETERS (FOR UNIT 1 OR 2)

Control Room Emergency Filter System
  Quantity: 2 (one on standby)
  Capacity (ft^3/min): 25,000
  HEPA Filters
    Number of stages: 2 (one upstream and one downstream of charcoal filter)
    Cell size: 24 in. x 24 in. x 12 in.
    Pressure drop, clean (in. WG): 1.0
    Pressure drop, loaded (in. WG): 2.0
    Efficiency: 99.97% for 0.3-µm particles
  Charcoal Filter
    Bed depth (in.): 4
    Face velocity (ft/min): 40
    Average residence time (s): 0.25 per 2-in. bed depth
    Filter media: Impregnated coconut shell
    Decontamination efficiency: 99% at 70% relative humidity (for elemental and organic iodines)
    Filter capacity: 2.5 mg of total iodine per gram of activated carbon
  Moisture Eliminator
    Eliminator media: Spun glass fiber or galvanized steel
    Maximum pressure drop (in. WG): 1.0
    Efficiency: 99% of 5 to 10 µm diameter droplets
  Heating Coil
    Heating capacity (kW): 118
    Heating element: Finned tubular
    Heating coil: 80% Ni/20% Cr
  Fan
    Quantity: 1
    Type: Centrifugal
    Static press (in. WG): 14
    Motor (hp): 125
  Cooling Coils
    Cooling capacity (Btu/h): 1.09 x 10^6
    Air entering temperature (°F): 82 dry bulb, 65 wet bulb
    Air exiting temperature (°F): 50.5 dry bulb, 50 wet bulb
    Water entering temperature (°F): 44
    Water exiting temperature (°F): 56

Piping Penetration Filter System
  Quantity: 2 (one on standby)
  Capacity (ft^3/min): 15,500
  HEPA Filters
    Number of stages: 2 (one upstream and one downstream of charcoal filter)
    Cell size: 24 in. x 24 in. x 12 in.
    Pressure drop, clean (in. WG): 1.0
    Pressure drop, loaded (in. WG): 2.0
    Efficiency: 99.97% for 0.3-µm particles
  Charcoal Filter
    Bed depth (in.): 4
    Face velocity (ft/min): 40
    Average residence time (s): 0.25 per 2-in. bed depth
    Filter media: Impregnated coconut shell
    Decontamination efficiency: 90% elemental iodine, 30% organic iodine, at 95% relative humidity
    Filter capacity: 2.5 mg of total iodine per gram of activated carbon
  Moisture Eliminator
    Eliminator media: Spun glass fiber or galvanized steel
    Maximum pressure drop (in. WG): 1.0
    Efficiency: 99% of 5 to 10 µm diameter droplets
  Heating Coil
    Heating capacity (kW): 80
    Heating element: Finned tubular
    Heating material: 80% Ni/20% Cr
  Fan
    Quantity: 1
    Type: Vane axial
    Static pressure (in. WG): 16
    Motor (hp): 75

Fuel Handling Building Post-Accident Filter System (shared by both units)
  Quantity: 2 (one on standby)
  Capacity (ft^3/min): 5000
  HEPA Filters
    Number of stages: 2 (one upstream and one downstream of charcoal filter)
    Cell size: 24 in. x 24 in. x 12 in.
    Resistance, clean (in. WG): 1.0
    Resistance, loaded (in. WG): 2.0
    Efficiency: 99.97% for 0.3-µm particles
  Charcoal Filters
    Bed depth (in.): 4.0
    Face velocity (ft/min): 40
    Average residence time (s): 0.25 per 2-in. bed depth
    Filter media: Impregnated coconut shell
    Decontamination efficiency: 90% elemental iodine, 30% organic iodine, at 95% relative humidity
    Filter capacity: 2.5 mg of total iodine per gram of activated carbon
  Moisture Eliminator
    Eliminator media: Spun glass fiber or galvanized steel
    Maximum pressure drop (in. WG): 1.0
    Efficiency: 99% of 5 to 10 µm diameter droplets
  Heating Coil
    Heating capacity (kW): 20
    Heating element: Finned tubular
    Heating coil material: 80% Ni, 20% Cr
  Fan
    Quantity: 1
    Type: Vane axial
    Static pressure (in. WG): 14
    Motor (hp): 40
VEGP-FSAR-6 REV 13 4/06 TABLE 6.5.1-3 (SHEET 1 OF 3)
ESF FILTER SYSTEM MATERIALS

(Control Room Emergency Air-Conditioning Units)
Component | Material/Chemical Composition | Estimated Quantity per Housing (lb)
Filter housing | ASTM A |
Moisture eliminators
  Eliminator medium | Spun fiberglass or galvanized steel | 6
  Holding frame | 304 SS | 445
  Total assembly | 304 SS | 1004
HEPA filters
  Filter medium | Glass fiber with 5% binder | 48 total
  Separator | Aluminum foil | 83 total
  Holding frames | 304 SS; ASTM A-240 | 829 total
Charcoal filters
  Filter media | Impregnated, activated coconut shell charcoal | 8905
  Holding frames | 304 SS; ASTM A-240 | 9364
Electric heater
  Element | 304 SS; ASTM A-240 | 252
  Casing | 304 SS; ASTM A-240 | 283
Cooling coils | | 4625 dry; 5208 wet
  Coils | Copper; ASTM B-152; UNS-C11000 | 2950
  Fins and header | Copper-nickel ASME SB-111; UNS-C70600 | 92; 1086
  Casing | 304 SS; ASTM A-240 | 497
Exhaust fans
  Housing | Carbon steel; ASTM A-36 | 610 (a)
  Blades | Ex-Ten 50; ASTM A-607 | 60

(Piping Penetration Room Filtration Units)
Component | Material/Chemical Composition | Estimated Quantity per Housing (lb)
Filter housing | ASTM A |
Moisture eliminators
  Eliminator medium | Spun fiberglass or galvanized steel |
  Holding frame | 304 SS | 254
  Total assembly | ASTM A-240 | 1127
HEPA filters
  Filter medium | Glass fiber with 5% binder | 128 total
  Separator | Aluminum foil | 221 total
  Holding frames | 304 SS; ASTM A-240 | 2211 total
Charcoal filters
  Filter media | Impregnated, activated coconut shell charcoal | 5446
  Holding frames | 304 SS; ASTM A-240 | 5408
Electric heater
  Element | 304 SS; ASTM A-240 | 210
  Casing | 304 SS; ASTM A-240 | 200
Exhaust fans
  Housing | ASTM A-283 grade D | 294 (b)
  Blades | Aluminum, ASTM B-108 | 21 total (c)

(Fuel Handling Building Post-Accident Cleanup Units)
Component | Material/Chemical Composition | Estimated Quantity per Housing (lb)
Filter housing | ASTM A |
Moisture eliminators
  Eliminator medium | Spun fiberglass or galvanized steel | 3
  Holding frame | 304 SS | 114
  Total assembly | 304 SS | 592
HEPA filters
  Filter medium | Glass fiber with 5% binder | 48 total
  Separators | Aluminum foil | 83 total
  Holding frames | 304 SS; ASTM A-240 | 829 total
Charcoal filters
  Filter media | Impregnated, activated coconut shell charcoal | 1918
  Holding frames | 304 SS; ASTM A-240 | 3019
Electric heater
  Element | 304 SS; ASTM A-240 | 63
  Casing | 304 SS; ASTM A-240 | 187
Exhaust fans
  Housing | ASTM A-283 grade D | 148 (b)
  Blades | Aluminum; ASTM B-108 | 5 total (c)

- a. Housing weights consist of shell material only and do not include stiffening or roll shapes.
- b. Housing weights consist of outer casing and flanges.
- c. Blade weight includes only blades and no studs.
VEGP-FSAR-6 REV 16 10/10 TABLE 6.5.2-2 (SHEET 1 OF 2)
INPUT PARAMETERS AND RESULTS OF SPRAY IODINE REMOVAL ANALYSIS
Total containment free volume (ft^3): 2.93 x 10^6
Unsprayed containment free volume (%): 21.5
Area coverage at the operating deck (%): 87
Mixing rate between sprayed and unsprayed volumes (ft^3/min): 87,000
Containment model: Two region
Minimum vertical distance to operating deck from lowest spray header (ft): 134
Net spray flowrate per train, injection phase (gal/min): 2500
Number of spray pumps operating: 1
Minimum spray solution pH:
  Injection phase: 4.5
  Recirculation phase: 7.5
Partition factor between liquid and gas phases: 40
Average spray drop diameter (µm): 1240
Elemental iodine spray removal coefficient (h^-1): 10 (DF ≤ 21.4); 0 (DF > 21.4)
Particulate iodine spray removal coefficient (h^-1): 4.19 (DF ≤ 50); 0.419 (DF > 50)
Duration of spray phase (h): 2
Elemental iodine wall deposition coefficient (h^-1): 4.76 (DF ≤ 200); 0 (DF > 200)
Area in containment subject to iodine deposition, i.e., coated with epoxy paint, zinc based paint or galvanized (ft^2): 7.94 x 10^5
Average iodine deposition mass transfer coefficient (m/h): 4.9
REV 13 4/06 SPATIAL DROP-SIZE DISTRIBUTION FIGURE 6.5.2-1
REV 13 4/06 SPRAY ENVELOPE REDUCTION FACTOR FIGURE 6.5.2-2
REV 13 4/06 CAPACITY CURVE SPRACO 1713A NOZZLE FIGURE 6.5.2-3
VEGP-FSAR-6
6.6-1 REV 20 9/16
6.6 INSERVICE INSPECTION OF CLASS 2 AND 3 COMPONENTS (a)
6.6.1 COMPONENTS SUBJECT TO EXAMINATION
Inservice inspection and testing of Class 2 and 3 pressure-retaining components such as vessels, piping, pumps, valves, bolting, and supports shall be performed in accordance with Section XI of
the American Society of Mechanical Engineers (ASME) Code including subsections IWC and IWD
and any applicable addenda of the code in accordance with 10 CFR 50.55a(g) (specific edition and
any applicable addenda of the code will be delineated in each program). The testing of pumps and
valves is discussed in subsection 3.9.6. Class 1 component examinations are addressed in subsection 5.2.4. Certain exceptions to the above requirements may be taken whenever specific
written relief is granted by the Nuclear Regulatory Commission (NRC) in accordance with 10 CFR
50.55a(g)(6)(i).
The preservice inspection program requirements for each unit were completed prior to the commercial operation date for each of the respective units. The preservice inspection program for Unit 1 complied with the ASME Code, Section XI, 1980 Edition including addenda through Winter
1980, except that reactor pressure vessel examinations were performed using the 1980 Edition
including addenda through Winter 1981. The preservice inspection program for Unit 2 complied with the ASME Code, Section XI, 1983 Edition including addenda through Summer 1983, except
that reactor pressure vessel examinations were performed using the 1980 Edition including
addenda through Winter 1981. Certain preservice inspection requirements of the ASME Code, Section XI were determined to be impractical and relief requests were granted by the NRC pursuant
to 10 CFR 50.55a(g) (i). The relief requests were supported by information pursuant to 10 CFR
50.55a(a) (3). In addition, the preservice inspection program included a volumetric examination of a
minimum of 8 percent of the Class 2 piping welds in the engineered safety systems.
The inservice inspection program and inservice test program were submitted to the NRC prior to commercial operation. These programs comply with applicable inservice inspection provisions of 10 CFR 50.55a(g) and the NRC guidelines attached as an appendix to section 121.0 of review
questions entitled, "Guidance for Preparing Preservice and Inservice Inspection Programs and
Relief Requests Pursuant to 10 CFR 50.55a(g)." Where compliance with code requirements is not
practical, relief requests have been submitted to the NRC for review and approval. The inservice
programs will detail the areas subject to examination and method, extent, and frequency of
examinations. Additionally, component supports and snubber testing requirements are included in the inspection programs.
6.6.2 ACCESSIBILITY
The physical arrangement of components was designed to allow personnel and equipment access to the extent practical to perform the inservice inspection examinations. Removable insulation was
provided on those piping systems requiring volumetric and surface inspection. Removable hangers
and pipe whip restraints are provided as necessary and practical to facilitate inservice inspection.
Working platforms were provided in areas requiring inspection and servicing of pumps and valves.
Temporary or permanent platforms, scaffolding, and ladders were provided to facilitate access to
piping welds.
(a) The Inservice Inspection Program is credited as a license renewal aging management program (see subsection 19.2.13).
An inservice inspection design review was undertaken to identify exceptions to the access requirements of the code with subsequent design modifications and/or inspection technique
development to ensure code compliance to the extent practical. Additional exceptions may be
identified and reported to the Nuclear Regulatory Commission after plant operation, as specified in
Space is provided to handle and store insulation, structural members, shielding, and other material related to the inspection. Suitable hoists and other handling equipment, lighting, and
sources of power for inspection equipment were installed at appropriate locations.
6.6.3 EXAMINATION TECHNIQUES AND PROCEDURES
The visual, surface, and volumetric examination techniques and procedures are in accordance with the requirements of American Society of Mechanical Engineers Code, Section XI, subarticle
IWA-2200. Where compliance with code requirements is not practical, relief requests and proposed
alternatives have been submitted to the NRC for review and approval. SNC will apply the code
cases listed in the latest revision of Regulatory Guide 1.147 endorsed by the NRC in 10 CFR
50.55a on a case-by-case basis as the need arises during inservice inspection. Code cases, which
are determined as necessary to accomplish inservice inspection activities, will be used.
The liquid penetrant or magnetic particle methods are used for surface examinations.
Radiography or ultrasonic methods, whether manual or remote, are used for volumetric
examinations.
The reportable indications and data compilation format provide for comparison of data from subsequent examinations.
6.6.4 INSPECTION INTERVALS
Inspection intervals are as defined in subarticle IWA-2400 of American Society of Mechanical Engineers (ASME) Code, Section XI. The periods within each inspection interval may be extended
by as much as 1 year to permit weld inspections to be concurrent with plant outages. It is
intended that inservice examinations be performed during normal plant outages such as refueling
shutdowns or maintenance shutdowns occurring during the inspection interval.
6.6.5 EXAMINATION CATEGORIES AND REQUIREMENTS
Examination categories are in accordance with subsection IWC and table IWC-2500 of American Society of Mechanical Engineers (ASME) Code, Section XI, and the methods used comply with
table IWC-2500 for Class 2 components. The examination categories of Class 3 components and
the methods used comply with subsection IWD. The preservice examination of Class 2 and 3
components was in accordance with the requirements of IWC-2200 and IWD-2100, respectively.
6.6.6 EVALUATION OF EXAMINATION RESULTS
Examination results are evaluated per IWA-3000, IWC-3000, and IWD-3000 of American Society of Mechanical Engineers (ASME) Code, Section XI. Repair procedures are in accordance with IWC-
4000 and IWD-4000. If the guidelines of IWC-4000 and IWD-4000 are inappropriate for the
components, then the guidelines of IWA-4000 apply.
6.6.7 SYSTEM PRESSURE TESTS
System pressure tests comply with IWA-5000, IWC-5000 and IWD-5000 of American Society of Mechanical Engineers (ASME) Code, Section XI, for Class 2 and 3 components.
6.6.8 AUGMENTED INSERVICE INSPECTION TO PROTECT AGAINST POSTULATED PIPING FAILURES
An augmented inservice inspection program is provided for high-energy fluid systems piping between containment isolation valves or where no isolation valve is used inside containment, between the first rigid pipe connection to the containment penetration or the first pipe whip restraint inside containment and the outside isolation valve.
This program includes 100 percent volumetric examination of welds in the affected piping during each inspection interval and will be conducted in accordance with American Society of Mechanical Engineers (ASME) Code, Section XI, and covers the high-energy fluid systems described in subsections 3.6.1 and 3.6.2.
VEGP-FSAR-7
7.1-1 REV 19 4/15
7.0 INSTRUMENTATION AND CONTROLS
7.1 INTRODUCTION
This chapter presents the various plant instrumentation and control systems by relating the
functional performance requirements, design bases, system descriptions, design evaluations, and tests and inspections for each. The information provided in this chapter emphasizes the
instruments and associated equipment that constitute the protection system as defined in
Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971, Criteria for
Protection Systems for Nuclear Power Generating Stations.
The standard Westinghouse solid state protection system design, which incorporates signal multiplexing for the control board and the plant computer, is applicable to VEGP.
The primary purpose of the instrumentation and control systems is to provide automatic protection and exercise proper control against unsafe and improper reactor operation during steady-state and transient power operations (American Nuclear Society (ANS) Conditions I, II, and III) and to provide initiating signals to mitigate the consequences of faulted conditions (ANS
Condition IV). ANS conditions are discussed in chapter 15. Consequently, the information
presented in this chapter emphasizes the instrumentation and control systems that are central to ensuring that the reactor can be operated to produce power in a manner that ensures no
undue risk to the health and safety of the public.
It is shown that the applicable criteria and codes, such as general design criteria (GDC) and IEEE Standards, concerned with the safe generation of nuclear power are met by these
systems. (See table 7.1.1-1 for a listing of applicable criteria as applied to instrumentation and control systems.)
A. Definitions
Terminology used in this chapter is based on the definitions given in IEEE Standard 279-1971, which is listed in subsection 7.1.2. In addition, the following definitions apply:
1. Degree of redundancy - The difference between the number of channels monitoring a variable and the minimum number of channels which, when tripped, would cause an automatic system trip.
2. Minimum degree of redundancy - The degree of redundancy below which operation is prohibited or otherwise restricted by the Technical Specifications.
3. Cold shutdown condition - When the reactor is subcritical by at least 1 percent Δk/k and Tavg is ≤ 200°F.
4. Hot shutdown condition - When the reactor is subcritical by an amount greater than or equal to the margin specified in the applicable Technical Specification and Tavg is greater than or equal to the temperature specified in the applicable Technical Specification.
5. Phase A containment isolation (CIA) - Closure of all purging ducts and nonessential process lines which penetrate containment initiated by the safety injection signal. (See subsection 6.2.4.)
6. Phase B containment isolation (CIB) - Not applicable.
7. Containment ventilation isolation - Closure of containment ventilation penetrations due to high radiation conditions existing inside the containment.
B. System Response Times
1. Reactor trip system response time - The time delays are defined as the time required for the reactor trip (i.e., the time the rods are free and begin
to fall) to be initiated following a step change in the variable being
monitored from 5 percent below to 5 percent above the trip setpoint.
2. Engineered safety features actuation system (ESFAS) response time -
The interval required for the engineered safety features (ESF) sequence
to be initiated subsequent to the point in time that the appropriate
variable(s) exceed setpoints. The response time includes sensor/process (analog) and logic (digital) delay.
3. Reproducibility - This definition is taken from Scientific Apparatus Manufacturers Association (SAMA) Standard PMC-20.1-1973, Process
Measurement and Control Terminology: "the closeness of agreement
among repeated measurements of the output for the same value of input, under normal operating conditions over a period of time, approaching
from both directions." It includes drift due to environmental effects, hysteresis, long-term drift, and repeatability. Long-term drift (aging of
components, etc.) is not an important factor in accuracy requirements
since, in general, the drift is not significant with respect to the time
elapsed between testing. Therefore, long-term drift may be eliminated
from this definition. In most cases reproducibility is a part of the definition of accuracy.
4. Accuracy - This definition is derived from SAMA Standard PMC-20.1-1973, Process Measurement and Control Terminology. An accuracy
statement for a device falls under note 2 of the SAMA definition of
accuracy, which means reference accuracy or the accuracy of that device at reference operating conditions: "reference accuracy includes
conformity, hysteresis, and repeatability." To adequately define the
accuracy of a system, the term "reproducibility" is useful as it covers
normal operating conditions. The following terms, "trip accuracy" and "indicated accuracy," etc., include conformity and reproducibility under
normal operating conditions. Where the final result does not have to
conform to an actual process variable but is related to another value
established by testing, conformity may be eliminated, and the term "reproducibility" may be substituted for accuracy.
5. Normal operating conditions - For this document, these conditions cover all normal process temperature and pressure changes. Also included are ambient temperature changes around the transmitter and racks.
6. Readout devices - The final device of a complete channel is considered a readout device. This includes indicators, recorders, isolators (nonadjustable), and controllers.
7. Channel accuracy - This definition includes accuracy of primary element, transmitter, and rack modules. It does not include readout devices or
rack environmental effects but does include process and environmental
effects on field-mounted hardware. Rack environmental effects are included in the next two definitions to avoid duplication resulting from dual inputs.
8. Indicated and/or recorded accuracy - This definition includes channel accuracy, accuracy of readout devices, and rack environmental effects.
9. Trip accuracy - This definition includes comparator accuracy, channel accuracy for each input, and rack environmental effects. This is the
tolerance expressed in process terms (or percent of span) within which
the complete channel must perform its intended trip function. This
includes all instrument errors but no process effects such as streaming.
The term "actuation accuracy" may be used where the word "trip" might
cause confusion, e.g., when starting pumps and other equipment.
10. Control accuracy - This definition includes channel accuracy, accuracy of readout devices (isolator and controller), and rack environmental effects.
Where an isolator separates control and protection signals, the isolator
accuracy is added to the channel accuracy to determine control accuracy, but credit is taken for tuning beyond this point; i.e., the accuracy of these
modules (excluding controllers) is included in the original channel
accuracy. The control accuracy is defined as the accuracy of the control
signal in percent of the span of that signal. This includes gain changes
where the control span is different from the span of the measured
variable. Where controllers are involved, the control span is the input
span of the controller. No error is included for the time the system is in a
nonsteady-state condition.
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS
Safety-related instrumentation and control systems and their supporting systems are those systems required to ensure:
A. The integrity of the reactor coolant pressure boundary.
B. The capability to shut down the reactor and maintain it in a safe shutdown condition.
C. The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the guideline exposures of 10 CFR 100.
The definitions provided below are used to classify the instrumentation systems into the categories listed in chapter 7.0 of Regulatory Guide 1.70.
7.1.1.1 Reactor Protection System
The reactor protection system consists of the reactor trip system, the ESFAS, and the instrumentation and control power supply system.
7.1.1.1.1 Reactor Trip System
The reactor trip system is described in section 7.2.
Design bases for the reactor trip system are given in paragraph 7.1.2.1. Figure 7.1.1-1 is a schematic diagram of this system.
7.1.1.1.2 Engineered Safety Features Actuation System
The ESFAS is a functionally defined system described in section 7.3. The equipment which provides the actuation functions is identified and discussed in section 7.3. Design bases for the
ESFAS are given in paragraph 7.1.2.1.
The ESFAS are those instrumentation systems that are needed to actuate the equipment and systems required to mitigate the consequences of postulated design basis accidents. As
discussed in section 7.3 the ESF requiring actuation are:
A. Emergency core cooling (section 6.3).
B. Main steam line and feedwater isolation (subsection 6.2.4).
C. Containment isolation (subsection 6.2.4).
D. Containment heat removal (subsection 6.2.2).
E. Containment combustible gas control (subsection 6.2.5).
F. Containment ventilation isolation (subsection 6.2.4).
G. Fuel building exhaust isolation (subsection 9.4.2).
H. Control room ventilation isolation (subsection 9.4.1).
I. Auxiliary feedwater supply (subsection 10.4.9).
7.1.1.1.3 Instrumentation and Control Power Supply System
Design bases for the instrumentation and control power supply system are given in paragraph 7.1.2.1. Further description of this system is provided in subsection 7.6.1 and in chapter 8.
7.1.1.2 Other Instrumentation Systems Required for Safety
7.1.1.2.1 Information Systems Important to Safety
Information systems important to safety provide information for the operator to manually perform reactor trip, ESF actuation, post-accident monitoring, or safe shutdown functions.
Identification of the equipment and information systems important to safety is provided in section 7.5. Descriptions of other indicating systems that provide information for monitoring equipment and processes are also provided in section 7.5.
Section 7.5 also summarizes information systems required to maintain the plant in a hot shutdown condition or to proceed to cold shutdown.
7.1.1.2.2 Interlock Systems Important to Safety and Mode Switchover Instrumentation
These safety-related instrumentation systems are the systems and components that have a preventive role in reducing the effects of accidents. Single failures in these systems do not inhibit reactor trip, ESF actuation, or functions required for safe shutdown. Other interlock
systems important to safety consist of the following:
VEGP-FSAR-7
7.1-5 REV 19 4/15
A. Residual heat removal isolation valve interlocks.
B. Refueling interlocks.
C. Accumulator motor-operated valve interlocks.
D. Emergency core cooling system switchover from injection mode to recirculation mode.
E. Interlocks for RCS pressure control during low temperature operation.
F. Isolation of nonsafety-related systems for safety-related systems.
Item B above is described in subsection 9.1.4. Item D is discussed in section 6.3. The remaining items are described in subsection 7.6.5.
7.1.1.3 Systems Required for Safe Shutdown
Systems required for safe shutdown are defined as those essential for pressure and reactivity control, coolant inventory makeup, and removal of residual heat once the reactor has been brought to a subcritical condition.
Identification of the equipment and systems required for safe shutdown is provided in section 7.4. Additional information regarding provisions for cold shutdown from outside the control room is also provided in section 7.4.
7.1.1.4 Control Systems Not Required for Safety
Control systems not required for safety are the automatic and manual systems with the primary purpose of normal load control, startup, and shutdown of the main power generating system.
As shown in section 7.7, malfunctions in these systems do not result in unsafe conditions.
7.1.1.5 Comparison with Other Plants
The systems discussed in chapter 7 are compared with the systems of other plants of similar design in section 1.3.
7.1.2 IDENTIFICATION OF SAFETY CRITERIA
Paragraph 7.1.2.1 gives design bases for the systems identified in subsection 7.1.1. Design bases for nonsafety-related systems are provided in the sections that describe the systems.
Considerations for instrument errors are included in the accident analyses presented in chapter 15. Functional requirements developed on the basis of the results of the accident analyses that have utilized conservative assumptions and parameters are used in designing these systems, and a preoperational testing program verifies the adequacy of the design. Accuracies are given in sections 7.2, 7.3, and 7.5.
The criteria listed in table 7.1.1-1 are considered in the design of the systems given in subsection 7.1.1. In general, the scope of these documents is given in the document itself. This determines the systems or parts of systems to which the document is applicable. A discussion of compliance with each document for systems in its scope is provided in the referenced sections given in table 7.1.1-1 for each criterion. Because some documents were issued after design and testing had been completed, the equipment documentation may not meet the format requirements of some standards. Justification for any exceptions taken to each document for systems in its scope is provided in the referenced sections.
7.1.2.1 Design Bases
7.1.2.1.1 Reactor Trip System
The reactor trip system acts to limit the consequences of Condition II events (faults of moderate frequency such as loss of feedwater flow) by, at most, a shutdown of the reactor and turbine.
The plant is capable of returning to operation after corrective action. The reactor trip system
limits plant operation to ensure that the reactor safety limits are not exceeded during Condition
II events and that these events can be accommodated without developing into more severe
conditions. Reactor trip setpoints are given in the Technical Specifications.
The design requirements for the reactor trip system are derived by analyses of plant operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design bases addressed in IEEE Standard 279-1971 are discussed in subsection 7.2.1. The design limits specified by Westinghouse for the reactor trip system are:
A. Minimum departure from nucleate boiling ratio (DNBR) shall not be less than the design basis limit as a result of any anticipated transient or malfunction (Condition II events).
B. Power density shall not exceed the rated linear power density for Condition II events. Refer to chapter 4 for fuel design limits.
C. The stress limit of the reactor coolant system for the various conditions shall be as specified in chapter 5.
D. Release of radioactive material shall be limited so as not to interrupt or restrict public use of areas beyond the exclusion radius as a result of any Condition III event.
E. For any Condition IV event, release of radioactive material shall not result in an undue risk to public health and safety.
7.1.2.1.2 Engineered Safety Features Actuation System
The engineered safety features actuation system (ESFAS) acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The ESFAS acts to mitigate Condition IV events (limiting faults which include the potential for significant release of radioactive material).
The design bases for the ESFAS are derived from the design bases given in chapter 6 for the engineered safety features (ESF). Design bases requirements of IEEE Standard 279-1971 are addressed in paragraph 7.3.1.2. General design requirements are given below.
A. Automatic Actuation Requirements
The primary requirement of the ESFAS is to receive input signals (information) from the various ongoing processes within the reactor plant and containment and to automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the ESF system.
B. Manual Actuation Requirements
The ESFAS must have provisions in the control room for manually initiating the functions of the ESF system.
7.1.2.1.3 Instrumentation and Control Power Supply System
The instrumentation and control power supply system provides continuous, reliable, regulated single phase ac power to all instrumentation and control equipment required for plant safety.
Details of this system are provided in sections 7.6 and 8.3. The design bases are given below:
A. The inverter shall have the capacity and regulation required for the ac output for proper operation of the equipment supplied.
B. Redundant loads shall be assigned to different distribution panels which are supplied from different inverters.
C. Auxiliary devices that are required to operate dependent equipment shall be supplied from the same distribution panel to prevent the loss of electric power in one protection set from causing the loss of equipment in another protection set. No single failure shall cause a loss of power supply to more than one distribution panel.
D. Each of the distribution panels shall have access only to its respective inverter supply and a standby power supply.
E. The system shall comply with IEEE Standard 308-1974, section 5.4.
7.1.2.1.4 Emergency Power
Design bases and system description for the emergency power supply are provided in chapter 8.
7.1.2.1.5 Interlocks
Interlocks are discussed in sections 7.2, 7.3, 7.6, and 7.7. The protection (P) interlocks are given in tables 7.2.1-2 and 7.3.1-3. The safety analyses demonstrate that, even under conservative critical conditions for either postulated or hypothetical accidents, the protective systems ensure that the nuclear steam supply system (NSSS) is put into and maintained in a safe state following an ANS Condition II, III, or IV accident commensurate with applicable technical specifications and pertinent ANS criteria. The protective systems are designed to meet IEEE Standard 279-1971 and are entirely redundant and separate, including all permissives and blocks.
All blocks of a protective function are automatically cleared whenever the protective function is required to function in accordance with GDC 20, 21, and 22 and sections 4.11, 4.12, and 4.13 of IEEE Standard 279-1971. Control interlocks (C) are identified in table 7.7-1. Because control interlocks are not safety related, they are not specifically designed to meet the requirements of IEEE protection system standards.
7.1.2.1.6 Bypasses
Bypasses are designed to meet the requirements of IEEE Standard 279-1971, sections 4.11, 4.12, 4.13, and 4.14. A discussion of bypasses provided is given in sections 7.2, 7.3, and 7.5.
A method has been developed to enable testing of the reactor trip system (RTS) and the engineered safety features actuation system (ESFAS) channels in the bypass condition as
opposed to the tripped condition. At VEGP, bypass testing is provided for the 7300 process
protection system, the nuclear instrumentation system, and various inputs to the solid state
protection system.
The bypass test instrumentation (BTI) at VEGP will conform to applicable regulatory criteria including IEEE 279-1971 and Regulatory Guide 1.47 as well as prior regulatory guidance
concerning tests in bypass. With implementation of the BTI, routine testing of analog RTS and
ESFAS channels will be performed in a bypassed condition instead of a tripped condition. The
Technical Specifications allow for the ability to test in the bypassed condition and govern the
time that a channel can be in the bypassed condition for either test or maintenance. Reference
4 provides additional information concerning tests in bypass.
7.1.2.1.7 Equipment Protection
The criteria for equipment protection are given in chapter 3. Equipment related to safe operation of the plant is designed, constructed, and installed to protect it from damage. This is accomplished by working to accepted standards and criteria aimed at providing reliable instrumentation which is available under varying conditions. As an example, certain equipment is seismically qualified in accordance with IEEE Standard 344-1975. During construction, independence and separation are achieved, as required by IEEE Standard 279-1971, IEEE Standard 384-1981, and Regulatory Guide 1.75, either by barriers, physical separation, or demonstration test. This serves to protect against complete destruction of a system by fires, missiles, or other natural hazards.
7.1.2.1.8 Diversity
Functional diversity as discussed in reference 1 is designed into the system. The extent of diverse system variables is evaluated for a wide variety of postulated accidents. Generally, two or more diverse protection functions automatically terminate an accident before unacceptable consequences occur.
For example, there are automatic reactor trips based upon neutron flux measurements, reactor coolant loop temperature measurements, pressurizer pressure and level measurements, and reactor coolant pump underfrequency and undervoltage measurements. The system may also be activated manually and by initiation of a safety injection signal.
Regarding the ESFAS for a loss-of-coolant accident, a safety injection signal can be obtained manually or by automatic initiation from two diverse parameter measurements:
A. Low pressurizer pressure.
B. High containment pressure (high-1).
For a steam line break accident, safety injection signal actuation is provided by:
A. Low steam line pressure (lead-lag compensated).
B. Low pressurizer pressure.
For a steam line break inside containment, high containment pressure (high-1) provides an additional parameter for generation of the signal.
All of the above sets of signals are redundant and physically separated and meet the requirements of IEEE Standard 279-1971.
7.1.2.1.9 Bistable Trip Setpoints
Three values applicable to reactor trip and ESF actuation have been specified; they are safety limit, limiting value, and nominal value.
The safety limit is the value assumed in the accident analysis and is the least conservative value. The limiting value is the technical specification value and is obtained by subtracting a safety margin from the safety limit. The safety margin accounts for instrument error, process
uncertainties such as flow stratification and transport factor effects, etc.
The nominal value is the value set into the equipment and is obtained by subtracting allowances for instrument drift from the limiting value. The nominal value allows for the normal expected
instrument setpoint drifts such that the technical specification limits are not exceeded under
normal operation.
The setpoints that require trip action are given in the Technical Specifications. A further discussion on setpoints is found in paragraph 7.2.2.2.1.
The trip setpoint is determined by factors other than the most accurate portion of the instrument's range. The safety limit is determined only by the accident analysis.
As described above, allowance is then made for process uncertainties, instrument error, instrument drift, and calibration uncertainty to obtain the nominal value which is actually set into
the equipment. The only requirement on the instrument's accuracy value is that over the
instrument span, the error must always be less than or equal to the error value allowed in the
accident analysis. The instrument does not need to be the most accurate at the setpoint value
as long as it meets the minimum accuracy requirement. The accident analysis accounts for the
expected errors at the actual setpoint.
Range selection for the instrumentation covers the expected range of the process variable being monitored consistent with its application. The design of the reactor protection and ESF
systems is such that the bistable trip setpoints do not require process transmitters to operate
within 5 percent of the high and low end of their calibrated span or range. Functional
requirements established for every channel in the reactor protection and ESF systems stipulate
the maximum allowable errors on accuracy, linearity, and reproducibility. The protection
channels have the capability for and are tested to ascertain that the characteristics throughout
the entire span in all aspects are acceptable and meet functional requirement specifications. As
a result, no protection channel operates normally within 5 percent of the limits of its specified
span. In this regard, it should be noted that the specific functional requirements for response time, setpoint, and operating span are finalized contingent on the results and evaluation of safety
studies to be carried out using data pertinent to the plant. Emphasis is placed on establishing
adequate performance requirements under both normal and faulted conditions. This includes
consideration of process transmitter margins such that, even under a highly improbable
situation of full-power operation at the limits of the operating map (as defined by the high- and low-pressure reactor trip, ΔT overpower and overtemperature trip lines (DNB protection), and the steam generator safety valve pressure set point), adequate instrument response is available to ensure plant safety.
7.1.2.1.10 Engineered Safety Features Motor Specifications
The voltage for the residual heat removal (RHR) pump motor and ESF auxiliary system pump motors rated 4 kV (and above) and 460 V is 75 percent of rated voltage at the motor terminals to start and accelerate the driven equipment. (For the boric acid transfer pump, 80 percent of rated voltage is required.) The motors are capable of accelerating the driven equipment from rest to operating speed within 4 s.
The minimum margin of motor torque over the pump full-load torque (as defined by the pump speed/torque curve) is sufficient to accelerate all the driven equipment as necessary and with
75 percent of rated voltage at the motor terminals from standstill to operating speed. (For the
boric acid transfer pump and boron injection recirculation pump motors, 80 percent of rated
voltage is required.)
Verification of the ESF pump motors' capability to operate within design temperature ratings, including the National Electrical Manufacturers Association (NEMA) Test Specification MG1-20.43 ("number of starts"), is based on the design tests of the prototype motor that are performed at the manufacturer's test facilities, rather than by means of initial or periodic tests in the field.
Six stator resistance type temperature detectors embedded in two slots of each phase between top and bottom coil sides are provided on 4-kV motors, except for the RHR pump motors.
Abnormalities in the motor windings may be monitored with this instrumentation. For conditions
where the motor stalls or fails to start, the influence of these conditions is best monitored from
the current versus time characteristics, and equipment protection for this is provided by the
circuit breaker trip function.
The design of 4-kV ESF pump motors does not preclude the surveillance of the hot spots on the rotor side of the motor. Should there be justification for making use of it, the procedure for
surveillance would include removal of the motor from the system and return to the
manufacturer's test facilities for evaluation, by means of reverification of prototype test results.
Westinghouse does not believe there are maintenance benefits over the method of evaluation of
the effects of motor overloads by means of the six stator resistance type temperature detectors
and the conventional method of equipment protection by means of a circuit breaker trip function
coordinated with the motor thermal overload characteristic.
7.1.2.2 Independence of Redundant Safety-Related Systems
The safety-related systems described in subsection 7.1.1 are designed to meet the independence and separation requirements of General Design Criterion 22 and section 4.6 of IEEE Standard 279-1971. Conformance with the specific provisions of Regulatory Guide 1.75 is discussed in chapter 8 and paragraph 7.1.2.2.1.
The electrical power supply, instrumentation, and controls for redundant circuits of a nuclear plant have physical separation to preserve redundancy and to ensure that no single credible
event will prevent operation of the associated function resulting from electrical conductor
damage. Critical circuits and functions include power, control, and analog instrumentation
associated with the operation of the reactor trip system or ESFAS. Credible events include, but
are not limited to, the effects of short circuits, pipe rupture, missiles, fire, etc., and are
considered in the basic plant design. Control board details are given in chapter 18. In the control board, separation of redundant circuits is maintained as described in paragraph 7.1.2.2.2.
7.1.2.2.1 General
The physical separation criteria for redundant safety-related system sensors, sensing lines, wireways, cables, and components on racks meet recommendations contained in Regulatory Guide 1.75 with the following comments for NSSS equipment:
A. The design of the protection system relies on the provisions of IEEE Standard 384-1981 relative to overcurrent devices to prevent malfunctions in one circuit from causing unacceptable influences on the functioning of the protection system. The protection system uses redundant instrumentation channels and actuation trains and incorporates physical and electrical separation to prevent faults in one channel from degrading any other protection channel.
B. Separation recommendations for redundant instrumentation racks are not the same as those given in Regulatory Position C.16 of Regulatory Guide 1.75 for the control boards because of different functional requirements. Main control boards contain redundant circuits which are required to be physically separated from each other. However, since there are no redundant circuits which share a single compartment of an NSSS protection instrumentation rack and since these redundant protection instrumentation racks are physically separated from each other, the physical separation requirements specified for the main control board do not apply.
However, redundant isolated control signal cables leaving the protection racks are brought into close proximity elsewhere in the plant, such as the control board. It could be postulated that electrical faults or interference at these locations might be propagated into all redundant racks and might degrade protection circuits because of the close proximity of protection and control wiring within each rack.
Regulatory Guide 1.75 (Regulatory Position C.4) and IEEE Standard 384-1974 (section 4.5(3)) provide the option to demonstrate by tests that the absence of physical separation could not significantly reduce the availability of Class 1E circuits.
Westinghouse test programs have demonstrated that Class 1E protection systems (nuclear instrumentation system, solid-state protection system, and 7300 process control system) are not degraded by non-Class 1E circuits sharing the same enclosure. Conformance to the requirements of IEEE Standard 279-1971 and Regulatory Guide 1.75 has been established and accepted by the Nuclear Regulatory Commission (NRC) based on the following, which is applicable to these systems at the VEGP.
Tests conducted on the as-built designs of the nuclear instrumentation system and solid-state protection system were reported and accepted by the NRC in support of the Diablo Canyon application (Docket Nos. 50-275 and 50-323). Westinghouse considers these programs as applicable to all plants, including VEGP. Westinghouse tests on the 7300 process control system were covered in a report entitled, "7300 Series Process Control System Noise Tests," subsequently reissued as reference 2. In a letter dated April 20, 1977, (3) the NRC accepted the report in which the applicability of the VEGP is established.
C. The physical separation criteria for instrument cabinets within Westinghouse NSSS scope and the Westinghouse-supplied 7300 series for balance of plant scope meet the recommendations contained in section 6.7 of IEEE Standard 384-1981.
7.1.2.2.2 Specific Systems
Independence is maintained throughout the system, extending from the sensor to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs, and containment penetrations for each redundant protection channel set. Redundant analog equipment is separated by locating modules in different protection rack sets. Each redundant channel set is energized from a separate ac power feed.
There are four separate process analog sets. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and analog protection cabinets to the redundant trains in the logic racks.
In the nuclear instrumentation system, process systems, and the solid-state protection system input cabinets where redundant channel instrumentation is physically adjacent, there are no wireways or cable penetrations which would permit, for example, a fire resulting from electrical failure in one channel to propagate into redundant channels in the logic racks. Redundant analog channels are separated by locating modules in different cabinets. Since all equipment within any cabinet is associated with a single protection set, there is no requirement for separation of wiring and components within the cabinet.
Two reactor trip breakers are actuated by two separate logic matrices to interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all control rod drive mechanisms, permitting the rods to free-fall into the core.
A. Reactor Trip System
1. Separate routing is maintained for the four basic reactor trip system channel sets analog sensing signals, bistable output signals, and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.
2. Separate routing of the redundant reactor trip signals from the redundant logic system cabinets is maintained. In addition, they are separated (by spatial separation, by provision of barriers, or by separate cable trays or wireways) from the four analog channel sets.
B. Engineered Safety Features Actuation System
1. Separate routing is maintained for the four basic sets of ESFAS analog sensing signals, bistable output signals, and power supplies for such systems. The separation of these four channel sets is maintained from sensors to instrument cabinets to logic system input cabinets.
2. Separate routing of the ESF actuation signals from the redundant logic system cabinets is maintained. In addition, they are separated by spatial separation, by provisions of barriers, or by separate cable trays or wireways from the four analog channel sets.
3. Separate routing of control and power circuits associated with the operation of ESF equipment is required to retain redundancies provided in the system design and power supplies.
C. Instrumentation and Control Power Supply System
The separation criteria presented also apply to the power supplies for the load centers and buses distributing power to redundant components and to the control of these power supplies.
Reactor trip system and ESFAS analog circuits may be routed in the same wireways, provided circuits have the same power supply and channel set identified (I, II, III, or IV).
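The routing rules stated in this paragraph (a wireway may be shared by reactor trip system and ESFAS analog circuits only when power supply and channel set match, and each redundant channel set has its own ac feed) can be checked mechanically against a cable schedule. The following is an added example and not part of the FSAR; the record layout, the cable, wireway and power supply identifiers, and the sample schedule are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

CHANNEL_SETS = ("I", "II", "III", "IV")  # channel set designations named in the text


@dataclass(frozen=True)
class Circuit:
    cable_id: str       # constructed identifier
    system: str         # "RTS" or "ESFAS"
    channel_set: str    # one of CHANNEL_SETS
    power_supply: str   # constructed label for the ac feed
    wireways: tuple     # wireways the cable is routed through


def check_wireway_separation(circuits):
    """Flag wireways carrying more than one channel set or power supply.

    Returns a list of (wireway, reason, cable_ids) tuples ordered by wireway.
    """
    by_wireway = defaultdict(list)
    for c in circuits:
        if c.channel_set not in CHANNEL_SETS:
            raise ValueError(f"{c.cable_id}: unknown channel set {c.channel_set!r}")
        for w in c.wireways:
            by_wireway[w].append(c)

    violations = []
    for wireway in sorted(by_wireway):
        members = by_wireway[wireway]
        cables = tuple(sorted(c.cable_id for c in members))
        if len({c.channel_set for c in members}) > 1:
            violations.append((wireway, "mixed channel sets", cables))
        if len({c.power_supply for c in members}) > 1:
            violations.append((wireway, "mixed power supplies", cables))
    return violations


def check_power_feed_independence(circuits):
    """Flag any ac feed that energizes more than one channel set.

    Returns a list of (power_supply, channel_sets) tuples ordered by supply.
    """
    fed = defaultdict(set)
    for c in circuits:
        fed[c.power_supply].add(c.channel_set)
    return [(ps, tuple(sorted(fed[ps]))) for ps in sorted(fed) if len(fed[ps]) > 1]


# Constructed sample schedule (not plant data).
SAMPLE_SCHEDULE = [
    Circuit("C-001", "RTS",   "I",   "PS-1", ("WW-A1", "WW-A2")),
    Circuit("C-002", "ESFAS", "I",   "PS-1", ("WW-A1",)),          # allowed sharing
    Circuit("C-003", "RTS",   "II",  "PS-2", ("WW-B1",)),
    Circuit("C-004", "ESFAS", "III", "PS-3", ("WW-B1", "WW-C1")),  # II and III in WW-B1
    Circuit("C-005", "ESFAS", "IV",  "PS-3", ("WW-D1",)),          # PS-3 feeds III and IV
    Circuit("C-006", "RTS",   "IV",  "PS-4", ("WW-D1",)),          # two feeds in WW-D1
]

if __name__ == "__main__":
    for wireway, reason, cables in check_wireway_separation(SAMPLE_SCHEDULE):
        print(f"{wireway}: {reason}: {', '.join(cables)}")
    for supply, sets in check_power_feed_independence(SAMPLE_SCHEDULE):
        print(f"{supply}: feeds channel sets {', '.join(sets)}")
```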
In order to maintain separation between wiring on the main control board associated with different trains, mutually redundant safety train wiring is not terminated on a single device. Backup manual actuation switches link the separate trains by mechanical means to provide greater reliability of operator action for the manual reactor trip function and manual ESF actuations. The linked switches are themselves redundant so that operation of either set of linked switches will actuate safety trains A and B simultaneously. This is shown in figure 7.2.1-2. The design of the manual reactor trip function and manual ESF actuations conforms with Regulatory Guide 1.62. (See also subsection 7.3.1.)
7.1.2.2.3 Fire Protection
For electrical equipment within the NSSS scope of supply, including the balance of plant Westinghouse-supplied 7300 series cabinets, Westinghouse specifies noncombustible or fire retardant material and conducts vendor-supplied specification reviews of this equipment, which includes assurance that materials are not used which may ignite or explode from an electrical spark, flame, or from heating or will independently support combustion. These reviews also include assurance of conservative current carrying capacities of all instrument cabinet wiring, which precludes electrical fires resulting from excessive overcurrent (I²R) losses. For example, wiring used for instrument cabinet construction has Teflon or Tefzel insulation and is adequately sized based on current carrying capacities set forth by the National Electric Code. In addition, fire retardant paint is used on protection rack or cabinet construction to retard fire or heat propagation from rack to rack. Braided sheathed material used in the cables is noncombustible. For in-field wiring, cables in power trays are sized using derating factors listed in Insulated Cable Engineers Association (ICEA) Publication P-46-426 or Publication P-54-440. Paragraph 8.3.1.4.2 provides details regarding cable derating and cable tray fill.
For early warning protection against propagation of electrical fires, smoke or other detectors are provided for fire detection and alarm in remote wireways or other unattended areas where large
concentrations of cables are installed.
The criteria and bases for the independence of electrical cable including routing, marking, and cable derating are covered in section 8.3. Fire detection and protection in the areas where
wiring is installed is covered in subsection 9.5.1.
7.1.2.3 Physical Identification of Safety-Related Equipment
There are four separate protection sets identifiable with process equipment associated with the reactor trip and engineered safeguards actuation systems. A protection set may be comprised of more than a single process equipment cabinet. The color coding of each process equipment rack nameplate coincides with the color code established for the protection set of which it is a part. Redundant channels are separated by locating them in different equipment cabinets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and equipment cabinets to the redundant trains in the logic racks. The solid-state protection system input cabinets are divided into four isolated compartments, each serving one of the four redundant input channels. Horizontal 1/8-in.-thick solid steel barriers coated with fire retardant paint separate the compartments. Four 1/8-in.-thick solid steel wireways coated with fire retardant paint enter the input cabinets vertically in their own quadrant. The wireway for a particular compartment is open only into that compartment so that flame could not propagate to affect other channels. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color-coded nameplates described in subsection 8.3.1 provide identification of equipment associated with protective functions and their channel set association.
All noncabinet-mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. Cable trays and conduits are identified using permanent markings which identify the associated separation group. The purpose of such markings is to facilitate cable routing identification for future modification or additions. Positive permanent identification of cables and/or conductors is made at all terminal points. There are also identification nameplates on the input panels of the solid-state logic protection system. See section 8.3 for further details of physical identification of balance of plant safety-related equipment.
7.1.2.4 Conformance to Criteria
A listing of applicable criteria and the sections where conformance is discussed is given in table 7.1.1-1. An additional discussion of Westinghouse conformance to Regulatory Guide 1.22 and IEEE Standards 338-1975 and 379-1972 is given in the following paragraph.
7.1.2.5 Conformance to Regulatory Guide 1.22
Periodic testing of the reactor trip and ESFAS, as described in section 1.9 and subsections 7.2.2 and 7.3.1, conforms with Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions.
Where the ability of a system to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is
automatically indicated to the reactor operator in the main control room by a separate
annunciator for the train in test. Test circuitry does not allow two trains of the SSPS to be tested
at the same time so that extension of the bypass condition to the redundant system is
prevented. Administrative and procedural controls are used to prevent simultaneous testing of
more than one protection set of the analog circuitry.
The actuation logic for the reactor trip and ESFAS is tested as described in sections 7.2 and 7.3. As recommended by Regulatory Guide 1.22, where actuated equipment is not tested
during reactor operation it has been determined that:
A. There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant.
VEGP-FSAR-7
7.1-15 REV 19 4/15
B. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the
equipment during reactor operation.
C. The equipment can routinely be tested when the reactor is shut down.
The list of reactor trip ESFAS equipment that cannot be tested at full power so as not to damage
equipment or upset plant operation is:
A. Manual actuation switches for reactor trip system and ESFAS.
B. Turbine trip system.
C. Main steam line isolation valves (close).
D. Main feedwater and feedwater bypass isolation valves (close).
E. Feedwater regulating valves (close).
F. Main feedwater pump trip solenoids.
G. Reactor coolant pump breakers.
H. Reactor coolant pump seal water return valves (close).
I. Pressurizer power operated relief valves (PORVs) (open).
J. Instrument air containment isolation valves (close).
The justifications for not testing the above items at full power are discussed below:
A. Manual Actuation Switches for Reactor Trip System and ESFAS
These switches would cause initiation of their protection system function at power causing plant upset and/or reactor trip. It should be noted that the reactor trip function that is derived from the automatic safety injection signal is tested at
power. The analog signals, from which the automatic safety injection signal is derived, are tested at power in the same manner as the other analog signals and as
described in paragraph 7.2.2.2.3. The processing of these signals in the solid-state
protection system wherein their channel orientation converts to a logic train
orientation is tested at power by the built-in semiautomatic test provisions of the
solid-state protection system. The reactor trip breakers are tested at power as
discussed in paragraph 7.2.2.2.3.
B. Turbine Trip System
Testing of the main turbine trip function under power operation is discussed in subsections 10.2.2 and 10.2.5.
C. Closing the Main Steam Line Isolation Valves
Main steam line isolation valves are routinely tested during refueling outages.
Testing of the main steam line isolation valves to closure at power is not
practical. As the plant power is increased, the coolant average temperature is
programmed to increase. If the valves are closed under these elevated
temperature conditions, the steam pressure transient would unnecessarily
operate the steam generator relief valves and possibly the steam generator
safety valves. The steam pressure transient produced would cause shrinkage in
the steam generator level, which would cause the reactor to trip on low-low
steam generator water level. Testing during operation will decrease the
operating life of the valve.
Based on the above-identified problems incurred with periodic testing of the main steam line isolation valves at power and since:
1. No practical system design permits operation of the valves without adversely affecting the safety or operability of the plant.
2. The probability that the protection system will fail to initiate the actuated equipment is acceptably low due to testing up to final actuation.
3. These valves are routinely tested during refueling outages.
The proposed resolution meets the guidelines of Regulatory Position D.4 of Regulatory Guide 1.22.
The main steam isolation valve actuator can be exercised periodically at power to approximately 90 percent of full open. Separate control switches and position lights are provided to test each redundant actuator hydraulic circuit on each
valve. The main steam isolation bypass valves can be closed at power, since the effect of the resulting change in steam flow is insufficient to upset the operation of the
reactor average coolant temperature regulation system.
D. Closing the Main Feedwater and Feedwater Bypass Isolation Valves
The main feedwater and feedwater bypass isolation valves are routinely tested during refueling outages. Periodic testing of these isolation valves by closing
them completely at power would induce steam generator water level transients
and oscillations which would trip the reactor. These transient conditions would
be caused by perturbing the feedwater flow and pressure conditions necessary
for proper operation of the variable speed feedwater pump control system and
the steam generator water level control system. Any operation which induces
perturbations in the main feedwater flow, whether deliberate or otherwise, generally leads to a reactor trip and should be avoided.
Based on these identified problems incurred with periodic testing of these isolation valves at power and since:
1. No practical system design permits operation of these valves without adversely affecting the safety or operability of the plant.
2. The probability that the protection system will fail to initiate the activated equipment is acceptably low due to testing up to final actuation.
3. These valves are routinely tested during refueling outages.
The proposed resolution meets the guidelines of Regulatory Position D.4 of Regulatory Guide 1.22.
The main feedwater isolation valve actuator can be exercised periodically at power to approximately 90 percent of full open. Separate control switches and position lights are provided to test each redundant actuator hydraulic circuit on
each valve. The feedwater bypass isolation valve cannot be similarly tested.
E. Closing the Feedwater Regulating Valves
These valves are routinely tested during refueling outages. To close them at power would adversely affect the operability of the plant. The verification of
operability of feedwater regulating valves at power is ensured by confirmation of
proper operation of the steam generator water level control system. The
actuation function of the solenoids, which provide the closing function, is
periodically tested at power as discussed in paragraph 7.3.2.2.5. The operability
of the slave relay which actuates the solenoid, which is the actuating device, is
verified during this test. Although the closing of these regulating valves is
blocked when the slave relay is tested, all functions are tested to ensure that no
electrical malfunctions have occurred which could defeat the protective function.
It is noted that the solenoids work on the deenergize-to-actuate principle, so that
the feedwater regulating valves close upon either the loss of electrical power to
the solenoids or loss of air pressure.
Based on the above, the testing of the isolating function of feedwater regulating valves meets the guidelines of Regulatory Position D.4 of Regulatory Guide 1.22.
At low power operation the bypass feedwater regulating valves are opened and the main feedwater regulating valves are closed. Testing of the bypass
feedwater regulating valves under this condition is not permitted since it could
cause unacceptable flow perturbation. The bypass feedwater regulating valves
can be tested closed at full power since they are normally closed under these
conditions. This is done by first opening and then closing the bypass feedwater
regulating valves.
F. Main Feedwater Pump Trip Solenoids
Since no credit is taken for automatic tripping of the feedwater pumps, the main feedwater pump trip solenoids do not require periodic testing.
G. Reactor Coolant Pump Breakers
No credit is taken in the accident analyses for a reactor coolant pump breaker opening causing a direct reactor trip. Testing at power would result in a plant
trip. Hence, these breakers are tested during scheduled refueling outages.
H. Reactor Coolant Pump Seal Water Return Valves (Close)
Seal water return line isolation valves are routinely tested during refueling outages. Closure of these valves during operation would cause the seal water
system relief valve to lift, with the possibility of valve chatter. Valve chatter could
damage this relief valve. Testing of these valves at power could cause
equipment damage. Therefore, these valves are tested during scheduled
refueling outages. As above, additional containment penetrations and
containment isolation valves introduce additional unnecessary potential pathways
for radioactive release following a postulated accident. Thus, the guidelines of
Regulatory Position D.4 of Regulatory Guide 1.22 are met.
I. Pressurizer Power Operated Relief Valves (PORVs)
Testing of the pressurizer power relief valves to open at power is not practical.
Opening of these valves at power would cause an unwarranted depressurization
of the reactor coolant system. The valves should be routinely tested during plant
shutdown with the block valve (corresponding to the pressurizer power relief
valve being tested) in the open position; the relief valve solenoid is energized.
The status of the relief valve is then verified to be in the open position via the limit
switch indication. This solenoid should then be immediately deenergized and the
position of the relief valve verified to be in the closed position. This process
should be repeated for each relief valve.
J. Instrument Air Containment Isolation Valve
The instrument air containment isolation valve is routinely tested during refueling outages. Testing of the instrument air containment isolation valve to close at
power is not practical. Periodic testing of this valve by closing it completely
would induce the change of the normal position of several pneumatic valves
inside the containment (e.g., CVCS letdown line isolation valve, RCP seal no. 3
supply valves, steam generator blowdown isolation valves, containment drain
sump isolation valve, and containment normal purge isolation valves).
The actuation function of the solenoids, which provide the closing function, is periodically tested at power as discussed in paragraph 7.3.1.2.2.5. The
operability of the slave relay which actuates the solenoid, which is the actuating
device, is verified during this test. Although the closing of this valve is blocked
when the slave relay is tested, all functions are tested to ensure that no electrical
malfunctions have occurred which could defeat the protective function. It is
noted that the solenoids work on the deenergize-to-actuate principle, so that the
valve closes upon either the loss of electrical power to the solenoids or loss of air
pressure.
Based on the above, the testing of the isolating function of the valve meets the guidelines of Regulatory Position D.4 of Regulatory Guide 1.22.
7.1.2.6 Conformance to Regulatory Guide 1.53 and IEEE Standard 379-1972
The principles described in IEEE Standard 379-1972 are used in the design of both the
Westinghouse protection system and the balance of plant ESFAS. These systems conform with
the intent of this standard and the additional guidance of Regulatory Guide 1.53.
For the Westinghouse systems, the formal analyses are not documented exactly as outlined.
Westinghouse has gone beyond the required analyses and has performed a fault tree
analysis.(1) The referenced report provides details of the analyses of the protection systems previously made to show conformance with the single-failure criterion set forth in section 4.2 of IEEE
Standard 279-1971. The interpretation of the single-failure criterion provided by IEEE Standard
379-1972 does not indicate substantial differences with the Westinghouse interpretation of the
criterion except in the methods used to confirm design reliability. Established design criteria in
conjunction with sound engineering practices form the bases for the Westinghouse protection
systems. The reactor trip and engineered safeguards actuation systems are each redundant safety systems. The required periodic testing of these systems discloses any failures or loss of
redundancy which have occurred in the interval between tests, thus ensuring the availability of
these systems.
7.1.2.7 Conformance to IEEE Standard 338-1975
The periodic testing of the reactor trip system and ESFAS conforms to the requirements of IEEE Standard 338-1975 with the following comments:
A. The surveillance requirements of the Technical Specifications for a protection system ensure that the system's functional operability is maintained comparable to the original design standards. Periodic tests at frequent intervals demonstrate
this capability for the system, excluding sensors.
Overall protection systems response times are demonstrated by test. Sensors within the Westinghouse scope are demonstrated to be adequate for this design
by vendor testing, by onsite tests in operating plants with appropriately similar design, or by suitable type testing. The nuclear instrumentation system detectors
are excluded, since they exhibit response-time characteristics such that delays
attributable to them are negligible in the overall channel response time required
for safety.
Response time may be verified by actual response time tests in any series of sequential, overlapping, or total channel measurements, or by the summation of
allocated sensor, signal processing, and actuation logic response times with
actual response time tests on the remainder of the channel. Allocations for
sensor response times may be obtained from: (1) historical records based on
acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in
place, onsite, or offsite (e.g., vendor) test measurements, or (3) vendor
engineering specifications. Reference 5 provides the basis and methodology for
using allocated sensor response times in the overall verification of the channel
response time for specific sensors. Response time verification for other sensor
types must be demonstrated by test.
Reference 6 provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the
protection system channel response time. The allocations for sensor, signal
conditioning, and actuation logic response times must be verified prior to placing
the component in operational service and reverified following maintenance that
may adversely affect response time. In general, electrical repair work does not
impact response time provided the parts used for repair are of the same type and
value. Specific components may be replaced without verification testing. One
example where response time could be affected is replacing the sensing
assembly of a transmitter.
Each test shall include at least one logic train such that both logic trains are tested at least once per 36 months and one channel per function such that all
channels are tested at least once every N times 18 months, where N is the total
number of redundant channels in a specific protective function.
The measurement of response time provides assurance that the protective and ESF action function associated with each channel is completed within the time
limit assumed in the accident analyses.
B. The reliability goals specified in section 4.2 of IEEE Standard 338-1975 are being developed, and adequacy of time intervals will be demonstrated at a later date.
C. The periodic time interval discussed in section 4.3 of IEEE Standard 338-1975 and specified in the Technical Specifications is conservatively selected to ensure
that equipment associated with protection functions has not drifted beyond its
minimum performance requirements. If any protection channel appears to be
marginal or requires more frequent adjustments due to plant condition changes, the time interval is decreased to accommodate the situation until the marginal
performance is resolved.
D. The test interval discussed in section 5.2 of IEEE Standard 338-1975 is developed primarily on past operating experience and modified if necessary to
ensure that system and subsystem protection is reliably provided. Analytical
methods for determining reliability are not used to determine test interval.
Based on the scope definition given in IEEE Standard 338-1975, no other systems described in
chapter 7 are required to comply with this standard.
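The staggered test rule in comment A of paragraph 7.1.2.7 (one logic train and one channel per test, both trains within 36 months, all channels within N times 18 months) can be checked mechanically against a test record. The Python below is an added illustration and is not part of the FSAR; the record layout, channel labels and the baseline of a verification at month 0 are assumptions, and the records are constructed.

```python
"""Audit a response-time test record against the staggered test rule.

Added illustration: record layout and labels are hypothetical, records are
constructed, and every item is assumed verified at month 0 (before service).
"""
TEST_INTERVAL_MONTHS = 18   # one test per interval, from the text
TRAIN_LIMIT_MONTHS = 36     # both logic trains at least once per 36 months


def rotation_plan(channels, trains, n_tests):
    """Round-robin plan: each test covers one logic train and one channel."""
    return [
        {"month": i * TEST_INTERVAL_MONTHS,
         "train": trains[i % len(trains)],
         "channel": channels[i % len(channels)]}
        for i in range(n_tests)
    ]


def longest_gap(test_months, window_end):
    """Longest untested stretch between month 0 and window_end."""
    edges = [0] + sorted(test_months) + [window_end]
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))


def audit(records, channels, trains, window_end):
    """Return (kind, item, gap, limit) for each item untested longer than allowed."""
    channel_limit = len(channels) * TEST_INTERVAL_MONTHS   # N times 18 months
    findings = []
    for kind, items, limit in (("train", trains, TRAIN_LIMIT_MONTHS),
                               ("channel", channels, channel_limit)):
        for item in items:
            months = [r["month"] for r in records if r[kind] == item]
            gap = longest_gap(months, window_end)
            if gap > limit:
                findings.append((kind, item, gap, limit))
    return findings


CHANNELS = ["I", "II", "III", "IV"]   # N = 4 redundant channels (constructed)
TRAINS = ["A", "B"]


def compliant_record():
    """Nine tests over 144 months following the rotation exactly."""
    return rotation_plan(CHANNELS, TRAINS, 9)


def record_with_missed_channel():
    """Same record, but the month-108 test repeated channel II instead of III."""
    records = rotation_plan(CHANNELS, TRAINS, 9)
    for r in records:
        if r["month"] == 108:
            r["channel"] = "II"
    return records


if __name__ == "__main__":
    print(audit(compliant_record(), CHANNELS, TRAINS, 144))            # no findings
    print(audit(record_with_missed_channel(), CHANNELS, TRAINS, 144))  # channel III
```

With four channels the per-channel limit is 72 months, so a single missed turn in the rotation is enough to produce a finding.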
7.1.2.8 References
1. Burnett, T. W. T., "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," WCAP-7306, April 1969.
2. Marasco, F. W., and Siroky, R. M., "Westinghouse 7300 Series Process Control System Noise Tests," WCAP-8892-A, June 1977.
3. Letter dated April 20, 1977, R. L. Tedesco (NRC) to C. Eicheldinger (Westinghouse).
4. Mermigos, J. F., "Bypass Test Instrumentation for the Vogtle Electric Generating Plant, Units 1 and 2," WCAP-13376, Revision 2, September 1992.
5. Howard, R. C., "Elimination of Pressure Sensor Response Time Testing Requirements," WCAP-13632-P-A, Revision 2, January 1996.
6. Morgan, C. E., "Elimination of Periodic Protection Channel Response Time Tests," WCAP-14036-P-A, Revision 1, October 1998.
VEGP-FSAR-7 REV 15 4/09 TABLE 7.1.1-1 (SHEET 1 OF 7)
LISTING OF CRITERIA AS APPLIED TO INSTRUMENTATION AND CONTROL SYSTEMS
Criteria | Title | Conformance Discussed In
1. General Design Criteria (GDC), Appendix A to
GDC 1 | Quality Standards and Records | 3.1, 7.2.2
GDC 2 | Design Bases for Protection Against Natural Phenomena | 3.1, 7.2.1
GDC 3 | Fire Protection | 3.1, 9.5.1, 7.1.2
GDC 4 | Environmental and Missile Design Bases | 3.1, 7.2.1
GDC 5 | Sharing of Structures, Systems, and Components | 3.1
GDC 10 | Reactor Design | 3.1, 7.2.2
GDC 12 | Suppression of Reactor Power Oscillations | 3.1
GDC 13 | Instrumentation and Control | 3.1, 7.3.1, 7.3.2
GDC 15 | Reactor Coolant System Design | 3.1, 7.2.2
GDC 17 | Electric Power Systems | 3.1, 8.3, 8.2
GDC 19 | Control Room | 3.1
GDC 20 | Protection System Functions | 3.1, 7.1.2, 7.2.2, 7.3.1, 7.3.2
GDC 21 | Protection System Reliability and Testability | 3.1, 7.1.2, 7.2.2, 7.3.1, 7.3.2
GDC 22 | Protection System Independence | 3.1, 7.1.2, 7.2.2, 7.3.1, 7.3.2
GDC 23 | Protection System Failure Modes | 3.1, 7.2.2, 7.3.1, 7.3.2
GDC 24 | Separation of Protection and Control Systems | 3.1, 7.2.2, 7.3.1, 7.3.2
GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3.1, 7.3.2
GDC 26 | Reactivity Control System Redundancy and Capability | 3.1
GDC 27 | Combined Reactivity Control Systems Capability | 3.1, 7.3.1, 7.3.2
GDC 28 | Reactivity Limits | 3.1, 7.3.1, 7.3.2
GDC 29 | Protection Against Anticipated Operational Occurrences | 3.1, 7.2.2
GDC 33 | Reactor Coolant Makeup | 3.1
GDC 34 | Residual Heat Removal | 3.1
GDC 35 | Emergency Core Cooling | 3.1, 7.3.1, 7.3.2
GDC 37 | Testing of Emergency Core Cooling System | 3.1, 7.3.2
GDC 38 | Containment Heat Removal | 3.1, 7.3.1, 7.3.2
GDC 40 | Testing of Containment Heat Removal System | 3.1, 7.3.2
GDC 41 | Containment Atmosphere Cleanup | 3.1, 7.3.2
GDC 43 | Testing of Containment Atmosphere Cleanup Systems | 3.1, 7.3.2
GDC 44 | Cooling Water | 3.1
GDC 46 | Testing of Cooling Water System | 3.1, 7.3.2
GDC 50 | Containment Design Basis | 3.1
GDC 54 | Piping Systems Penetrating Containment | 3.1, 6.2.4
GDC 55 | Reactor Coolant Pressure Boundary Penetrating Containment | 3.1, 6.2.4
GDC 56 | Primary Containment Isolation | 3.1, 6.2.4, .3.1
GDC 57 | Closed System Isolation Valves | 3.1, 6.2.4
2. IEEE Standards
IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.6, 7.7
IEEE Std 308-1974 | Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations | 7.6, 7.1, 8.1, 8.3
IEEE Std 317-1976 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 7.1.2, 8.1, 8.3
IEEE Std 323-1974 | Qualifying Class 1E Equipment for Nuclear Power Generating Stations | 3.11, 1.9, 8.1, 8.3 (RG 1.89)]
[(HISTORICAL) IEEE Std 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7.1.2, 8.0]
IEEE Std 336-1985 (ASME NQA-1-1994) | Installation, Inspection, and Testing Requirements for Power, Instrumentation, and Control Equipment at Nuclear Facilities | 7.1.2, 8.0
IEEE Std 338-1975 | Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems | 7.1.2, 8.0
IEEE Std 344-1975 (ANSI N41.7) | Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations | 3.10, 7.1.2, 8.1, 8.3
IEEE Std 379-1972 (ANSI N41.2) | Trial-Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1.2, 8.0
IEEE Std 383-1974 | Standard for Type Test of Class 1E Electric Cables, Field Splices, and Connectors for Nuclear Power Generating Stations | 1.9.131, 8.1.4, 8.3
IEEE Std 384-1981 | Standard Criteria for Independence of Class 1E Equipment and Circuits | 7.1.2, 7.1.2, 8.1, 8.3
3. Regulatory Guides (RG)
RG 1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | 1.9, 7.6, 8.0
RG 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 1.9, 7.3.1
RG 1.12 | Instrument for Earthquakes | 1.9, 3.7.4
RG 1.22 | Periodic Testing of Protection System Actuation Functions | 1.9, 7.1.2, 7.3.2
RG 1.29 | Seismic Design Classification | 1.9
RG 1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 1.9, 17.0
RG 1.32 | Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants | 1.9
RG 1.45 | Reactor Coolant Pressure Boundary Leakage Detection System | 1.9, 5.2.5
RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 1.9, 7.5.5
RG 1.53 | Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems | 1.9, 7.1.2
RG 1.62 | Manual Initiation of Protection Actions | 1.9, 7.3.1
RG 1.63 | Electric Penetration Assemblies in Containment Structures for Light Water-Cooled Nuclear Power Plants | 1.9, 8.1, 8.3
RG 1.67 | Installation of Overpressure Protection Devices | 3.9.B.3
RG 1.68 | Initial Test Programs for Water-Cooled Nuclear Power Plants | 1.9, 14.0
RG 1.70 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants LWR Edition | 1.9
RG 1.75 | Physical Independence of Electric Systems | 1.9, 7.1.2
RG 1.80 | Preoperational Testing of Instrumentation Air Systems | 1.9, 9.3.1, 14.2.7
RG 1.89 | Qualification of Class 1E Equipment for Nuclear Power Plants | 1.9, 3.11
RG 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 1.9
RG 1.97 | Instrumentation for Light Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident | 1.9
RG 1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 1.9, 3.10
RG 1.105 | Instrument Setpoints | 7.1.2
RG 1.118 | Periodic Testing of Electric Power and Protection Systems | 1.9
RG 1.120 | Fire Protection Guidelines for Nuclear Power Plants | 1.9
4. Branch Technical Positions (BTP) ICSB
BTP ICSB 3 | Isolation of Low-Pressure Systems from the High-Pressure Reactor Coolant System | 7.6.2
BTP ICSB 4 | Requirements on Motor-Operated Valves in the ECCS Accumulator Lines | 7.6.4
BTP ICSB 5 | Scram Breaker Test Requirements - Technical Specifications | 7.2.2, Technical Specifications
BTP ICSB 9 | Definition and Use of "Channel Calibration" - Technical Specifications | Technical Specifications
BTP ICSB 10 | Electrical and Mechanical Equipment Seismic Qualification Program | 3.10
BTP ICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | 7.2.2, Technical Specifications
BTP ICSB 13 | Design Criteria for Auxiliary Feedwater Systems | 7.3.2
BTP ICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | 7.7.2 15.2.1, 15.2.2, 15.3.6
BTP ICSB 15 | Reactor Coolant Pump Breaker Qualification | 3.10, 7.1.2, 7.2.1
BTP ICSB 18 | Application of the Single Failure Criteria to Manually-Controlled Electrically-Operated Valves | Technical Specifications
BTP ICSB 20 | Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode | 7.6.5, 6.3.2
BTP ICSB 21 | Guidance for Application of Regulatory Guide 1.47 | 7.5.5
BTP ICSB 22 | Guidance for Application of Regulatory Guide 1.22 | 7.1.2
BTP ICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | 7.2.1
REV 14 10/07 PROTECTION SYSTEM BLOCK DIAGRAM FIGURE 7.1.1-1
7.2 REACTOR TRIP SYSTEM
7.2.1 DESCRIPTION
7.2.1.1 System Description
The reactor trip system automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating
region is defined by several considerations, such as mechanical/hydraulic limitations on
equipment and heat transfer phenomena. Therefore, the reactor trip system keeps surveillance on process variables that are directly related to equipment mechanical limitations, such as
pressure and pressurizer water level (to prevent water discharge through safety valves and
uncovering heaters), and also on variables that directly affect the heat transfer capability of the
reactor (e.g., flow and reactor coolant temperatures). Still other parameters utilized in the reactor trip system are calculated from various process variables. In any event, whenever a
direct process or calculated variable exceeds a setpoint, the reactor will be shut down in order
to protect against either gross damage to fuel cladding or loss of system integrity which could
lead to release of radioactive fission products into the containment.
The following systems make up the reactor trip system. (See references 1, 2, 3, 5, 6, 7, and 8 for additional background information.)
- Process instrumentation and control system.
- Nuclear instrumentation system.
- Solid-state logic protection system.
- Reactor trip switchgear.
- Manual actuation circuit.
The reactor trip system consists of sensors, which monitor various plant parameters when connected with analog circuitry consisting of two to four redundant channels, and of digital
circuitry, consisting of two redundant logic trains, which receives inputs from the analog
protection channels to complete the logic necessary to automatically open the reactor trip
breakers.
Either of the two trains, A or B, is capable of opening a separate and independent reactor trip breaker, RTA and RTB, respectively. The two trip breakers, in series, connect three-phase ac
power from the rod drive motor generator sets to the rod drive power cabinets, as shown in drawing 1X6AA02-226. During plant power operation a dc undervoltage coil on each reactor
trip breaker holds a trip plunger out against its spring, allowing the power to be available at the
rod control power supply cabinets. For reactor trip, a loss of dc voltage to the undervoltage coil
as well as energization of the shunt trip coils trips open the breaker. When either of the trip
breakers opens, power is interrupted to the rod drive power supply, and the control and
shutdown rods fall into the core. The rods cannot be withdrawn until the trip breakers are
manually reset. The trip breakers cannot be reset until the abnormal condition which initiated
the trip is corrected. Bypass breakers BYA and BYB are provided to permit testing of the trip
breakers, as discussed in paragraph 7.2.2.2.3.
7.2.1.1.1 Functional Performance Requirements
The reactor trip system automatically initiates reactor trip:
A. Whenever necessary to prevent fuel damage for an anticipated operational transient (Condition II).
B. To limit core damage for infrequent faults (Condition III).
C. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting fault conditions (Condition IV).
The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated. This prevents the reactivity insertion that would otherwise result from excessive reactor system cooldown to avoid unnecessary actuation of the engineered safety features actuation system.
The reactor trip system provides for manual initiation of reactor trip by operator action.
7.2.1.1.2 Reactor Trips
The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. To ensure a reliable system, high-quality design, components, manufacturing, quality control, and testing are used.
In addition to redundant channels and trains, the design approach provides a reactor trip system
which monitors numerous system variables, thereby providing protection system functional
diversity. The extent of this diversity has been evaluated for a wide variety of postulated
accidents.
Table 7.2.1-1 provides a list of reactor trips which are described below. Table 7.2.1-2 provides a listing of the protection system interlocks and their P designations.
A. Nuclear Overpower Trips
The specific trip functions generated are described below.
1. Power Range High Neutron Flux Trip
The power range high neutron flux trip circuit trips the reactor when two
out of the four power range channels exceed the trip setpoint.
There are two bistables in each channel, each with its own trip setting
used for a high- and low-range trip setting. The high trip setting provides
protection during normal power operation and is always active. The low
trip setting, which provides protection during startup, can be manually
bypassed when two out of the four power range channels read above
approximately 10-percent power (P-10). Three out of the four channels
below 10 percent automatically reinstate the trip function.
2. Intermediate Range High Neutron Flux Trip
The intermediate range high neutron flux trip circuit trips the reactor when
one out of the two intermediate range channels exceeds the trip setpoint.
This trip, which provides protection during reactor startup, can be
manually blocked if two out of four power range channels are above
approximately 10-percent power (P-10). Three out of the four power
range channels below this value automatically reinstate the intermediate
range high neutron flux trip. The intermediate range channels (including
detectors) are separate from the power range channels. The
intermediate range channels can be individually bypassed at the nuclear
instrumentation racks to permit channel testing during plant shutdown or
prior to startup. This bypass action is monitored and annunciated on the
control board.
3. Source Range High Neutron Flux Trip
The source range high neutron flux trip circuit trips the reactor when one
out of the two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can
be manually bypassed when one out of the two intermediate range
channels reads above the P-6 setpoint value, and the trip is automatically
reinstated when both intermediate range channels decrease below the P-6
setpoint value. This trip is automatically bypassed by two out of four
logic from the power range protection interlock (P-10). This trip function
can also be reinstated below P-10 by an administrative action requiring
manual actuation of two control board-mounted switches. Each switch
will reinstate the trip function in one of the two protection logic trains. The
source range trip point is set between the P-6 setpoint (source range
block power level) and the maximum source range power level. The
channels can be individually bypassed at the nuclear instrumentation
racks to permit channel testing during plant shutdown or prior to startup.
This bypass action is monitored and annunciated on the control board.
4. Power Range High Positive Neutron Flux Rate Trip
This circuit trips the reactor when a sudden abnormal increase in nuclear
power occurs in two out of four power range channels. This trip provides
protection against rod ejection accidents of low worth from midpower and
is always active. (See subsection 15.4.8.) This trip also provides
protection when there is a rapid power increase (e.g., an uncontrolled rod
cluster assembly withdrawal at power; see subsection 15.4.2).
Drawings 1X6AA02-227 and 1X6AA02-228 show the logic for all of the
nuclear overpower and rate trips.
B. Core Thermal Overpower Trips
The specific trip functions generated are described below.
1. Overtemperature T Trip
This trip protects the core against low DNBR and trips the reactor on
coincidence, as listed in table 7.2.1-1, with one set of temperature measurements per loop; where
T)s1()s1()s1(t 3 2 1+++setpoint.
The T setpoint for this trip is continuously calculated by analog circuitry for each loop by solving the following expression:
])(f)PP(K)Ts1)1(T(s1)s1(KKT 0 3 avg 6 avg 5 4210++++o
where:
T =measured T.
T 0 =indicated T at rated thermal power.
Tavg =average reactor coolant temperature (°F).
T°avg =nominal Tavg at rated thermal power (°F).
P =pressurizer pressure (psig).
K 1 =preset bias.
K 2 =preset gain which compensates for effects of temperature on the DNB limits.
K 3 =preset gain which compensates for the effect of pressure on the DNB limits.
1 , 2 =preset constants utilized in lead-lag compensator for T.
P 0 =nominal RCS operating pressure (psig).
3 =preset constant utilized in lag compensator for T.
4 ,5 =preset constants which compensate for instrument time delay(s).
6 =preset constant utilized for measured Tavg response compensation.
s =Laplace transform operator.
f () =function of the neutron flux difference between upper and lower long ion chambers. (Refer to
figure 7.2.1-1.)
A separate long ion chamber unit supplies the flux signal for each overtemperature T channel.
Increases in beyond a predefined deadband result in a decrease in trip setpoint. (Refer to figure 7.2.1-1.)
For Tavg<T°avg , the value of (T°avg-Tavg) is clamped to limit the increase in the setpoint during cooldown transients.
The required one pressurizer pressure parameter per loop is obtained
from separate sensors connected to three pressure taps at the top of the
pressurizer. Four pressurizer pressure signals are obtained from the three
taps by connecting one of the taps to two pressure transmitters. Refer to
paragraph 7.2.2.3.3 for an analysis of this arrangement.
Drawing 1X6AA02-229 shows the logic for overtemperature T trip function.
2. Overpower T Trip
This trip protects against excessive power (fuel rod rating protection) and
trips the reactor on coincidence as listed in table 7.2.1-1, with one set of
temperature measurements per loop, where
setpoint.T)s1()s1()s1(T 3 2 1+++
The T setpoint for this trip is continuously calculated by analog circuitry for each loop using the following expression:
[()]+++fTs1 1TKTs1 1s1 sKKT avg 6avg5 avg 6 7 7540
where:
T = measured T.
T 0 = indicated T at rated thermal power.
f () = a function of the neutron flux difference between upper and lower long ion chamber
section.
K 4 = a preset bias.
K 5 = a constant which compensates for instrument time delay.
K 6 = a constant which compensates for the change in density flow and heat capacity of the water
with temperature.
avg T = indicated Tavg at rated thermal power (°F).
Tavg = average reactor coolant temperature (°F).
1 , 2 = preset constants utilized in lead-lag compensator for T.
3 = preset constant utilized in lag compensator for T.
7 = preset time constant (s).
s = Laplace transform operator.
6 = preset constant utilized for measured Tavg response compensation.
The source of temperature and flux information is identical to that of the overtemperature T trip, and the resultant T setpoint is compared to the same T. Drawing 1X6AA02-229 shows the logic for this trip function.
C. Reactor Coolant System Pressurizer Pressure and Water Level Trips
The specific trip functions generated are described below.
1. Pressurizer Low-Pressure Trip
The purpose of this trip is to protect against low pressure which could
lead to DNB. The parameter being sensed is reactor coolant pressure, as
measured in the pressurizer. Above P-7 the reactor is tripped when the
pressurizer pressure measurements (compensated for rate of change) fall
below preset limits. This trip is blocked below P-7 to permit startup. The
trip logic and interlocks are given in table 7.2.1-1.
The trip logic is shown in drawing 1X6AA02-230.
2. Pressurizer High-Pressure Trip
The purpose of this trip is to protect the reactor coolant system against
system overpressure. The same sensors and transmitters used for the
pressurizer low-pressure trip are used for the high-pressure trip, except
that separate bistables are used for trip. These bistables trip when
uncompensated pressurizer pressure signals exceed preset limits on
coincidence, as listed in table 7.2.1-1. There are no interlocks or
permissives associated with this trip function.
The logic for this trip is shown in drawing 1X6AA02-230.
3. Pressurizer High Water Level Trip
This trip is provided as a backup to the high pressurizer pressure trip and
serves to prevent water relief through the pressurizer safety valves. This
trip is blocked below P-7 to permit startup. The coincidence logic and
interlocks of pressurizer high water level signals are given in table 7.2.1-1.
The trip logic for this function is shown in drawing 1X6AA02-230.
D. Reactor Coolant System Low Flow Trips
These trips protect the core from DNB in the event of a loss of coolant flow situation. Drawings 1X6AA02-228 and 1X6AA02-229 show the logic for these
trips. The means of sensing the loss of coolant flow are described below.
1. Low Reactor Coolant Flow
The parameter sensed is reactor coolant flow. Four elbow taps in each
coolant loop are used as a flow device that indicates the status of reactor
coolant flow. The basic function of this device is to provide information as
to whether or not a reduction in flow has occurred. An output signal from
two out of the three bistables in a loop would indicate a low flow in that
loop.
The coincidence logic and interlocks are given in table 7.2.1-1.
2. Reactor Coolant Pump Undervoltage Trip
This trip is provided to protect against low flow which can result from loss
of voltage to more than one reactor coolant pump motor (e.g., from plant
blackout or reactor coolant pump breakers opening).
Two undervoltage relays sense the voltage on the motor side of each
reactor coolant pump breaker. These relays provide an output signal
when the pump motor power bus voltage drops below approximately
70 percent of rated voltage. Signals from these relays are time delayed
to prevent spurious trips caused by short-term voltage perturbations. The
coincidence logic and interlocks are given in table 7.2.1-1.
3. Reactor Coolant Pump Underfrequency Trip
This trip protects against low flow resulting from pump underfrequency, for example, a major power grid frequency disturbance. The function of
this trip is to trip the reactor for an underfrequency condition greater than
approximately 2.4 Hz.
Two underfrequency relays sense the underfrequency on the motor side
of each reactor coolant pump breaker. Signals from these relays are time
delayed to prevent spurious trips caused by short-term frequency
perturbations. The coincidence logic and interlocks are given in table
7.2.1-1.
E. Steam Generator Trip
The specific trip function generated is low-low steam generator water level trip.
This trip protects the reactor from loss of heat sink. This trip is actuated on two
out of four low-low water level signals occurring in any steam generator.
The logic is shown in drawing 1X6AA02-231.
F. Reactor Trip on a Turbine Trip (Anticipatory)
The reactor trip on a turbine trip is actuated by two-out-of-three logic from
emergency trip fluid pressure signals or by all closed signals from the turbine
steam stop valves. A turbine trip causes a direct reactor trip above P-9.
Although not credited in any safety analysis, the reactor trip on turbine trip
provides additional protection and conservatism beyond that required for the
health and safety of the public. This trip is included as part of good engineering
practice and prudent design and satisfies the requirement of TMI Action Items
II.K.3.10 and II.K.3.12.
The turbine provides anticipatory trips to the reactor protection system from
contacts which change position when the turbine stop valves close or when the
turbine emergency trip fluid pressure goes below its setpoint.
Components specified for use as sensors for input signals to the reactor
protection system for "emergency trip oil pressure low" and "turbine stop valves
close" conform to the requirements of Institute of Electrical and Electronics
Engineers (IEEE) 279-1971 and are environmentally qualified. However, pipe
whip, jet impingement, and seismic criteria are not included in qualification, regarding mounting and location for that portion of the trip system located within
non-Seismic Category 1 structures. (These criteria are also applicable to the
steam dump solenoid valves and turbine impulse chamber pressure
transmitters.)
Loss of signal from equipment located within non-Seismic Category 1 structures
will result in a trip input to the reactor protection system.
In addition, the following measures will be taken to ensure the integrity of the
cabling to the solid-state protection system (SSPS):
1. Inputs from the turbine steam stop valves will originate from four separate limit switches (one per valve), each of which is dedicated to providing an input to one channel of the SSPS. Cables carrying these signals will be
routed in individual conduits. The four circuits will be separated from one
another and from non-Class 1E circuits and identified according to the
criteria imposed on Class 1E circuits, from their source up to their
terminations within the SSPS cabinets.
Additionally, fuses have been added in each turbine stop valve limit
switch circuit before the circuit enters the turbine building. In the event of
multiple ground faults, the fuses will isolate the affected channels and
provide a trip signal input to the SSPS.
2. Input from the emergency trip oil pressure originates from three separate pressure transmitters powered from the balance of plant safety-related
process instrumentation cabinet. The cables for these transmitters are
routed in individual conduits within the turbine building, according to the
criteria imposed on Class 1E circuits.
The logic for this trip is shown in drawings 1X6AA02-228 and 1X6AA02-240.
G. Safety Injection Signal Actuation Trip
A reactor trip occurs when the safety injection system is actuated. The means of
actuating the safety injection system are described in section 7.3. This trip
protects the core against a loss of reactor coolant or a steam line rupture.
Drawings 1X6AA02-232 and 1X6AA02-519 show the logic for this trip.
H. Manual Trip
The manual trip consists of two switches with two-train outputs on each switch on
the main control board, and two single-train switches, one on each of the
shutdown panels. One of the two-train outputs is used to actuate the train A
reactor trip breaker, and the other output actuates the train B reactor trip breaker.
Operating a manual trip switch removes the voltage from the undervoltage trip
coil and energizes the shunt trip coil of each breaker.
There are no interlocks which can block this trip. Drawing 1X6AA02-227 shows
the manual trip logic. The design conforms to Regulatory Guide 1.62, as shown
in figure 7.2.1-2.
I. Solid State Protection System General Warning Alarm Reactor Trip
General warning alarm reactor trip is discussed in paragraph 7.2.2.2.3.
7.2.1.1.3 Reactor Trip System Interlocks
A. Power Escalation Permissives
The overpower protection provided by the out of core nuclear instrumentation consists of three discrete, but overlapping, ranges. Continuation of startup operation or power increase requires a permissive signal from the higher range
instrumentation channels before the lower range level trips can be manually
blocked by the operator. A one-out-of-two intermediate range permissive signal (P-6) is required prior to source range trip blocking. Source range trips are automatically reactivated when both intermediate range channels are below the permissive (P-6) setpoint.
There are two manual reset switches for administratively reactivating the source
range level trip, if required, when it is between the permissive P-6 and P-10
setpoints. Source range level trip block is always maintained when above the
permissive P-10 setpoint. The intermediate range level trip and power range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from
two out of four power range channels. Four individual blocking switches are
provided so that the low range power range trip and intermediate range trip can
be independently blocked (one switch for each train). These trips are automatically reactivated when three out of the four power range channels are below the permissive (P-10) setpoint, thus ensuring automatic
activation of more restrictive trip protection.
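The block and reinstatement rules given above for the source range and intermediate range trips (the trip descriptions in 7.2.1.1.2 and the power escalation permissives here) can be modelled as a small state machine for one protection logic train. This is an added illustration, not plant or vendor logic: the function and class names, the constructed channel states, and the choice to ignore the manual reinstate switch above P-10 are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import product


def p6(ir_above):
    """P-6: one out of two intermediate range (IR) channels above setpoint."""
    return sum(ir_above) >= 1


def p10(pr_above):
    """P-10: two out of four power range (PR) channels above setpoint."""
    return sum(pr_above) >= 2


def p10_reset(pr_above):
    """Reinstatement condition: three out of four PR channels below setpoint."""
    return len(pr_above) - sum(pr_above) >= 3


def set_and_reset_are_complementary():
    """With four channels, '2 of 4 above' and '3 of 4 below' are exact
    opposites, so the voting leaves no state where neither rule applies."""
    return all(p10(c) != p10_reset(c) for c in product([False, True], repeat=4))


@dataclass
class Train:
    """Block latches for one of the two protection logic trains (hypothetical model)."""
    sr_block: bool = False   # source range (SR) trip manually blocked
    ir_block: bool = False   # intermediate range trip manually blocked

    def block_source_range(self, ir_above):
        # A manual block request is honoured only while P-6 is present.
        if p6(ir_above):
            self.sr_block = True
        return self.sr_block

    def reinstate_source_range(self, pr_above):
        # Control-board switch for this train. Assumption: the switch has no
        # effect above P-10, where the SR block is always maintained.
        if not p10(pr_above):
            self.sr_block = False
        return not self.sr_block

    def block_intermediate_range(self, pr_above):
        # A manual block request is honoured only while P-10 is present.
        if p10(pr_above):
            self.ir_block = True
        return self.ir_block

    def trip(self, sr_high, ir_high, ir_above, pr_above):
        """Evaluate one logic scan; True means this train demands a reactor trip."""
        # Automatic reinstatement of the more restrictive trips on power decrease.
        if not p6(ir_above):           # both IR channels below P-6
            self.sr_block = False
        if p10_reset(pr_above):        # three of four PR channels below P-10
            self.ir_block = False
        sr_blocked = self.sr_block or p10(pr_above)    # P-10 always blocks SR
        sr_trip = any(sr_high) and not sr_blocked      # one out of two
        ir_trip = any(ir_high) and not self.ir_block   # one out of two
        return sr_trip or ir_trip


def startup_and_shutdown_walkthrough():
    """Constructed channel states (not plant data); one result tuple per step."""
    t = Train()
    none4 = [False, False, False, False]
    one4 = [True, False, False, False]
    two4 = [True, True, False, False]
    ir_lo, ir_p6 = [False, False], [True, False]
    hi, ok = [True, False], [False, False]   # one channel over its trip setpoint
    out = []
    # 1. Below P-6 the block request is refused and a high SR channel trips.
    accepted = t.block_source_range(ir_lo)
    out.append((accepted, t.trip(hi, ok, ir_lo, none4)))
    # 2. With P-6 present the block is accepted and the same SR signal is ignored.
    accepted = t.block_source_range(ir_p6)
    out.append((accepted, t.trip(hi, ok, ir_p6, none4)))
    # 3. One PR channel above P-10 is not enough to block the IR trip.
    accepted = t.block_intermediate_range(one4)
    out.append((accepted, t.trip(ok, hi, ir_p6, one4)))
    # 4. Two PR channels above P-10 permit the IR block.
    accepted = t.block_intermediate_range(two4)
    out.append((accepted, t.trip(ok, hi, ir_p6, two4)))
    # 5. Power reduction: three PR channels below P-10 reinstate the IR trip.
    tripped = t.trip(ok, hi, ir_p6, one4)
    out.append((t.ir_block, tripped))
    # 6. Both IR channels below P-6 reinstate the SR trip.
    tripped = t.trip(hi, ok, ir_lo, none4)
    out.append((t.sr_block, tripped))
    return out
```

Each tuple returned by `startup_and_shutdown_walkthrough()` pairs the block state with the trip demand, so a refused block request and an automatic reinstatement both show up as `(False, True)`.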
The development of permissives P-6 and P-10 is shown in drawing 1X6AA02-228. All of the permissives are digital. They are derived from analog signals in
the nuclear power range and intermediate range channels.
B. Blocks of Reactor Trips at Low Power
Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent
of full power) on a low reactor coolant flow in more than one loop, reactor coolant
pump undervoltage, reactor coolant pump underfrequency, pressurizer low pressure, or pressurizer high water level. See drawings 1X6AA02-229 and 1X6AA02-230 for permissive applications. The low power signal is derived from
three out of four power range neutron flux signals below the setpoint in
coincidence with two out of two turbine impulse chamber pressure signals below
the setpoint (low plant load). Turbine impulse chamber pressure transmitters and
circuits in the turbine building are designed to criteria similar to the reactor trip on
turbine trip circuits as described in paragraph 7.2.1.1.2.F. See drawings 1X6AA02-228 and 1X6AA02-240 for the derivation of P-7.
The P-8 interlock blocks a reactor trip when the plant is below approximately 48
percent of full power, on a low reactor coolant flow in any one loop. The block
action (absence of the P-8 interlock signal) occurs when three out of four neutron
flux power range signals are below the setpoint. Thus, below the P-8 setpoint, the reactor will be allowed to operate with one inactive loop, and trip will not occur until two loops are indicated as low flow. See drawing 1X6AA02-228 for derivation of P-8 and drawing 1X6AA02-229 for applicable logic.
7.2.1.1.4 Coolant Temperature Sensor Arrangement
The hot and cold leg temperature signals required for input to the protection and control
functions are obtained using thermowell-mounted RTDs installed in each reactor coolant loop.
The hot leg temperature measurement in each loop is accomplished using three fast-response, dual-element, narrow-range RTDs mounted in thermowells. The three thermowells in each loop
are located within hot leg scoops 120 degrees apart in the cross-sectional plane of the piping, with one located at the top of the pipe, to obtain a representative temperature sample. The
scoops have a flow hole machined into the end to facilitate the flow of water through holes in the
leading edge of the scoop, past the thermowell, and back into the flow stream.
The temperatures measured by the three thermowell-mounted RTDs are different due to hot leg temperature streaming and vary as a function of thermal power. Therefore, these signals are
averaged using electronic weighting to generate a hot leg average temperature. Provisions are
incorporated into the process electronics to allow for operation with only two RTDs in service.
The two RTD measurements can be biased to compensate for the loss of the third RTD as
described in reference 4.
The cold leg temperature measurement in each loop is accomplished by one fast-response, dual-element, narrow-range RTD mounted in a thermowell.
7.2.1.1.5 Pressurizer Water Level Reference Leg Arrangement
The design of the pressurizer water level instrumentation employs the usual tank level
measuring arrangement, using differential pressure between an upper and a lower tap on a
column of water. A reference leg connected to the upper tap is kept full of water by
condensation of steam at the top of the leg.
7.2.1.1.6 Analog System
The analog system consists of two instrumentation systems: the process instrumentation system and the nuclear instrumentation system.
Process instrumentation includes those devices (and their interconnection into systems) which measure temperature, pressure, fluid flow, fluid level in tanks or vessels, and, occasionally, physicochemical parameters such as fluid conductivity or chemical concentration. Process instrumentation specifically excludes nuclear and radiation measurements. The process instrumentation includes the process measuring devices, power supplies, indicators, recorders, alarm actuating devices, controllers, signal conditioning devices, etc., which are necessary for
day-to-day operation of the nuclear steam supply system, as well as for monitoring the plant and providing initiation of protective functions.
The primary function of nuclear instrumentation is to protect the reactor by monitoring the neutron flux and generating appropriate trips and alarms for various phases of reactor operating
and shutdown conditions. It also provides a secondary control function and indicates reactor status during startup and power operation. The nuclear instrumentation system uses
information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of instrumentation (source, intermediate, and power) provides the
necessary overpower reactor trip protection required during operation in that range. The
overlap of instrument ranges provides reliable continuous protection, beginning with source
level through the intermediate and low power level. As the reactor power increases, the
overpower protection level is increased by administrative control and in-plant procedures after
satisfactory higher range instrumentation operation is obtained. Automatic reset to more
restrictive trip protection is provided when reducing power.
Various types of neutron detectors, with appropriate solid-state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 200 percent of full power. The neutron flux covers a wide range between these extremes. Therefore, monitoring
with several ranges of instrumentation is necessary.
The lowest range (source range) covers 7 decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core
multiplication associated with the shutdown reactivity. This is generally greater than two counts
per second. The intermediate range covers 8 decades to 200 percent full power. Detectors
and instrumentation are chosen to provide overlap between the higher portion of the source
range and the lower portion of the intermediate range. The power range covers approximately 2
decades of the total instrumentation range to 120 percent full power. This is a linear range that
overlaps with the higher portion of the intermediate range.
The system described above provides control room indication and recording of signals proportional to reactor neutron flux during core loading, shutdown, startup, and power operation, as well as during subsequent refueling. Startup rate indication for the source and intermediate
range channels is provided at the control board. Reactor trip, rod stop, control, and alarm
signals are transmitted to the reactor control and protection system for automatic plant control.
Equipment failures and test status information are annunciated in the control room.
See references 1 and 2 for additional background information on the process and nuclear instrumentation.
7.2.1.1.7 Solid-State Logic Protection System
The solid-state logic protection system takes binary inputs (voltage/no voltage) from the process
and nuclear instrument channels (nuclear steam supply system/balance of plant) and from field
instrument channels corresponding to conditions (normal/abnormal) of plant parameters. The
system combines these signals in the required logic combination and generates a trip signal (no
voltage) to the undervoltage trip attachment and shunt trip auxiliary relay coils of the reactor trip circuit breakers when the necessary combination of signals occurs. The system also provides
annunciator, status light, and computer input signals which indicate the condition of bistable
input signals, partial trip, and full trip functions and the status of the various blocking, permissive, and actuation functions. In addition, the system includes means for semiautomatic testing of the logic circuits. See references 3, 5, 6, 7, and 8 for additional background
information.
7.2.1.1.8 Isolation Amplifiers
In certain applications, control signals are derived from individual protection channels through
isolation amplifiers contained in the protection channel, as permitted by IEEE 279-1971.
In all of these cases, analog signals derived from protection channels for nonprotective functions are obtained through isolation amplifiers located in the analog protection racks. By
definition, nonprotective functions include those signals used for control, remote process
indication, and computer monitoring. Refer to paragraph 7.1.2.2.1 for a discussion of electrical
separation of control and protection functions.
7.2.1.1.9 Power Supply and Environmental Variations
The power supply for the reactor trip system is described in section 7.6 and chapter 8. The
environmental variations throughout which the system will perform are given in section 3.11.
7.2.1.1.10 Setpoints
The setpoints that require trip action are given in the Technical Specifications. A detailed
discussion on setpoints is found in paragraph 7.1.2.1.9.
7.2.1.1.11 Seismic Design
The seismic design considerations for the reactor trip system are given in section 3.10. This
design meets the requirements of General Design Criterion 2.
7.2.1.2 Design Bases Information
The information given below presents the design bases information requested by section 3 of IEEE 279-1971. Functional diagrams are presented in drawings 1X6AA02-225, 1X6AA02-226, 1X6AA02-227, 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, 1X6AA02-233, 1X6AA02-234, 1X6AA02-235, 1X6AA02-236, 1X6AA02-237, 1X6AA02-238, 1X6AA02-239, 1X6AA02-240, 1X6AA02-494, 1X6AA02-495, 1X6AA02-496 and 1X6AA02-519.
7.2.1.2.1 Generating Station Conditions
The following are the plant conditions requiring reactor trip.
- DNBR approaching the design basis limit.
- Power density (kW/ft) approaching rated value for Condition II events. (See chapter 4 for fuel design limits.)
- Reactor coolant system overpressure creating stresses approaching the limits specified in chapter 5.
7.2.1.2.2 Generating Station Variables
The following are the variables required to be monitored in order to provide reactor trips. (See
table 7.2.1-1.)
- Neutron flux.
- Reactor coolant temperature.
- Reactor coolant system pressure (pressurizer pressure).
- Pressurizer water level.
- Reactor coolant flow.
- Reactor coolant pump operational status (voltage and frequency).
- Steam generator water level.
- Turbine-generator operational status (trip fluid pressure and stop valve position).
- Safety injection signal.
7.2.1.2.3 Spatially Dependent Variables
The reactor coolant temperature is spatially dependent. (See subsection 7.3.1 for a discussion
of this variable spatial dependence.)
7.2.1.2.4 Limits, Margins, and Setpoints
The parameter values that will require reactor trip are given in the Technical Specifications and
in chapter 15. The accident analyses of chapter 15 demonstrate that the setpoints used in the
Technical Specifications are conservative.
The setpoints for the various functions in the reactor trip system have been analytically determined such that the operational limits so prescribed will prevent fuel rod clad damage and
loss of integrity of the reactor coolant system as a result of any American Nuclear Society (ANS)
Condition II event (anticipated malfunction). As such, during any ANS Condition II event, the
reactor trip system limits the following parameters to:
- Minimum DNBR = the design basis limit.
- Maximum system pressure = 2735 psig.
- Fuel rod maximum linear power for determination of protection setpoints =
22.4 kW/ft.
The accident analyses described in section 15.4 demonstrate that the functional requirements, as specified for the reactor trip system, are adequate to meet the above considerations, even
assuming, for conservatism, adverse combinations of instrument errors. (Refer to table 15.3.1-1.)
A discussion of the safety limits associated with the reactor core and reactor coolant
system, plus the limiting safety system setpoints, is presented in the Technical Specifications.
7.2.1.2.5 Abnormal Events
The malfunctions, accidents, or other unusual events which could physically damage reactor trip system components or could cause environmental changes are as follows:
- Earthquakes. (See chapters 2 and 3.)
- Fire. (See subsection 9.5.1.)
- Explosion - hydrogen buildup inside containment. (See section 6.2.)
- Missiles. (See section 3.5.)
- Flood. (See chapters 2 and 3.)
- Wind and tornadoes. (See section 3.3.)
The reactor trip system fulfills the requirements of IEEE 279-1971 to provide automatic protection and to provide initiating signals to mitigate the consequences of faulted conditions.
The reactor trip system is protected against destruction of the system from fires, explosions, floods, wind, and tornadoes. (See each item above.)
7.2.1.2.6 Minimum Performance Requirements
A. Reactor Trip System Response Times
The response time of each reactor trip function shown in Technical Specification Table 3.3.1-1 is shown in FSAR table 7.2.1-4. Response time verification for selected components may use the predetermined allocation values provided in FSAR table 7.2.1-5.
Reactor trip system response time is defined in section 7.1. Typical maximum allowable time delays in generating the reactor trip signal are tabulated in table
7.2.1-3. See paragraph 7.1.2.7 A for a discussion of periodic response time
verification.
B. Reactor Trip Accuracies
Accuracy is defined in section 7.1. Reactor trip accuracies are tabulated in table
7.2.1-3. An additional discussion on accuracy is found in subsection 7.1.2.
C. Protection System Ranges
Typical protection system ranges are tabulated in table 7.2.1-3. Range selection
for the instrumentation covers the expected range of the process variable being
monitored during power operation. Limiting setpoints are at least 5 percent from
the end of the instrument span.
7.2.1.3 Final System Drawings
Functional block diagrams, electrical elementaries, and other drawings required to perform a
safety review are listed in the safety-related drawing package. (See section 1.7.)
7.2.1.4 References
1. Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply Systems," WCAP-7913, January 1973. (Additional background information only.)
2. Lipchak, J. B., "Nuclear Instrumentation System," WCAP-8255, January 1974. (Additional background information only.)
3. Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L (Proprietary), March 1971, and WCAP-7672 (Nonproprietary), May 1971. (Additional background information only.)
4. DiTommaso, S. M., Sterrett, C. R., "RTD Bypass Elimination Licensing Report for Vogtle Electric Generating Plant." WCAP-12788 (Proprietary), March 1, 1991. (Additional background information only.)
5. WCAP-16769-P Revision 1, "Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04."
6. WCAP-16770-P Revision 0, "Westinghouse SSPS Safeguards Driver Board Replacement Summary Report 6D30252G01/G02."
7. WCAP-16771-P Revision 0, "Westinghouse SSPS Undervoltage Driver Board Replacement Summary Report 6D30350G01/G02."
8. WCAP-16772-P Revision 0, "Westinghouse SSPS Semi-Automatic Tester Board Replacement Summary Report 6D30520G01/G02/G03/G04/G05."
7.2.2 ANALYSES
7.2.2.1 Failure Modes and Effects Analyses
An analysis of the reactor trip system has been performed. Results of this study and a fault tree analysis are presented in reference 1.
7.2.2.2 Evaluation of Design Limits
While most setpoints used in the reactor protection system are fixed, there are variable setpoints, most notably the over-temperature T and overpower T setpoints. All setpoints in the reactor trip system have been selected on the basis of engineering design or safety studies.
The capability of the reactor trip system to prevent loss of integrity of the fuel cladding and/or
reactor coolant system (RCS) pressure boundary during Condition II and III transients is
demonstrated in chapter 15. These accident analyses are carried out using those setpoints
determined from results of the engineering design studies. Setpoint limits are presented in the
Technical Specifications. A discussion of the purpose of each of the various reactor trips and
the accident analyses (where appropriate) which utilize this trip are presented below. It should
be noted that the selected trip setpoints provide for a margin before protective action is actually
required to allow for uncertainties and instrument errors. The design meets the requirements of
General Design Criteria (GDC) 10 and 20.
7.2.2.2.1 Trip Setpoint Discussion
The departure from nucleate boiling ratio (DNBR) existing at any point in the core, for a given core design, can be determined as a function of the core inlet temperature, power output, operating pressure, and flow. Below the DNBR design basis limit there is likely to be significant
local fuel cladding failure. Consequently, core safety limits, in terms of a DNBR equal to the design basis limit for the hot channel, can be developed as a function of core T, Tavg , and pressure for specified flow as illustrated by the solid lines in figure 15.0.6-1. The dashed lines
indicate the maximum permissible setpoint (T) as a function of Tavg and pressure for the overtemperature and overpower reactor trip. Actual setpoint constants in the equation representing the dashed lines are as given in the Technical Specifications.
These values are conservative to allow for instrument errors. The design meets the requirements of GDC 10, 15, 20, and 29.
The DNBR is not a directly measurable quantity. However, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not, individually, result in violation of a core safety limit. However, the combined variations, over sufficient time, may cause the overpower or overtemperature safety limit to be exceeded. The
reactor trip system provides reactor trips associated with individual process variables, in
addition to the overpower/overtemperature safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or system safety limit could potentially be exceeded, should operation continue. Basically, the high-pressure, low-pressure, and overpower/over-temperature T trips provide sufficient protection for slow transients, as opposed to such trips as low flow or high flux, which will trip the reactor for rapid changes in flow or flux, respectively, that would result in fuel damage before actuation of the slower responding T trips could be effected.
Therefore, the reactor trip system has been designed to provide protection for fuel cladding and RCS pressure boundary integrity where:
A. A rapid change in a single variable or factor will quickly result in exceeding a core or a system safety limit.
B. A slow change in one or more variables will have an integrated effect which will cause safety limits to be exceeded.
Overall, the reactor trip system offers diverse and comprehensive protection against fuel
cladding failure and/or loss of RCS integrity for Condition II and III accidents. This is
demonstrated by table 7.2.2-1 which lists the various trips of the reactor trip system, the
corresponding technical specification on safety limits and safety system settings, and the
appropriate accident discussed in the safety analyses in which the trip could be utilized.
In accordance with Branch Technical Position ICSB 12, the reactor trip system automatically provides core protection during nonstandard operating configuration; i.e., operation with a loop out of service. Although operating with a loop out of service over an extended time is
considered to be an unlikely event, no protection system setpoints need to be reset. This is
because the nominal value of the power (P-8) interlock setpoint restricts the power, such that
DNBRs less than the design basis limit will not be realized during any Condition II transients
occurring during this mode of operation. This restricted power is considerably below the
boundary of permissible values, as defined by the core safety limits for operation with a loop out
of service. Thus, the P-8 interlock acts, essentially, as a high nuclear power reactor trip when
operating with one loop not in service. By first resetting the coefficient setpoints in the overtemperature T function to more restrictive values, as listed in the Technical Specifications, the P-8 setpoint can then be increased to the maximum value consistent with maintaining DNBR
above the design basis limit for Condition II transients in the one-loop shutdown mode. The resetting of the overtemperature T trip and P-8 will be carried out under administrative control and the direction of authorized supervision and with the plant conditions prescribed in the Technical Specifications.
The design meets the requirements of GDC 21.
Preoperational testing is performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a further evaluation of the system design.
Analyses of the results of Condition I, II, III, and IV events, including considerations of instrumentation installed to mitigate their consequences, are presented in chapter 15. The
instrumentation installed to mitigate the consequences of load rejection and turbine trip is given
in section 7.4.

7.2.2.2.2 Reactor Coolant Flow Measurement

The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of these devices is to provide
information as to whether or not a reduction in flow has occurred. The correlation between flow
and elbow tap signal is given by the following equation:
$$\frac{P}{P_o} = \left(\frac{W}{W_o}\right)^2$$

where $P_o$ is the pressure differential at the reference flow $W_o$, and $P$ is the pressure differential at the corresponding flow, $W$. The full-flow reference point is established during initial plant startup. The low-flow trip point is then established by extrapolating along the
correlation curve. The expected absolute accuracy of the channel is within +/-10 percent of full
flow, and field results have shown the repeatability of the trip point to be within +/-1 percent.

7.2.2.2.3 Evaluation of Compliance to Applicable Codes and Standards

The reactor trip system meets the criteria of the GDC, as indicated. The reactor trip system
meets the requirements of section 4 of Institute of Electrical and Electronics Engineers (IEEE)
279-1971, as indicated below.

A. General Functional Requirement
The protection system automatically initiates appropriate protective action
whenever a condition monitored by the system reaches a preset level.
Functional performance requirements are given in paragraph 7.2.1.1.1.
Paragraph 7.2.1.2.4 presents a discussion of limits, margins, and levels;
paragraph 7.2.1.2.5 discusses unusual (abnormal) events; and paragraph
7.2.1.2.6 presents minimum performance requirements.

B. Single Failure Criterion
The protection system is designed to provide two, three, or four instrumentation
channels for each protective function and two logic train circuits. These
redundant channels and trains are electrically isolated and physically separated.
Thus, any single failure within a channel or train will not prevent protective action
at the system level, when required. Loss of input power to a channel or logic
train, the most likely mode of failure, will result in a signal calling for a trip. This
design meets the requirements of GDC 23.
To prevent the occurrence of common mode failures, such additional measures
as functional diversity, physical separation, and testing as well as administrative
control during design, production, installation, and operation are employed, as
discussed in reference 1. The design meets the requirements of GDC 21 and
22.

C. Quality of Components and Modules
For a discussion on the quality of the components and modules used in the
reactor trip system, refer to chapter 17. The quality assurance applied conforms
to GDC 1.

D. Equipment Qualification
For a discussion of the type of tests made to verify the performance
requirements, refer to section 3.11. The test results demonstrate that the design
meets the requirements of GDC 4.

E. Channel Integrity
Protection system channels required to operate in accident conditions maintain
necessary functional capability under extremes of conditions relating to
environment, power supply, malfunctions, and accidents. The power supply for
the reactor trip system is described in chapter 8. The environmental variations, throughout which the system will perform, are given in section 3.11.

F. Independence
Channel independence is carried throughout the system, extending from the
sensor to the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is
achieved using separate wireways, cable trays, conduit runs, and containment
penetrations for each redundant channel. Redundant analog equipment is
separated by locating modules in different protection cabinets. Each redundant
protection channel set is energized from a separate ac power feed. This design
meets the requirements of GDC 21.
Two reactor trip breakers, which are actuated by two separate logic matrices, interrupt power to the control rod drive mechanisms. The breaker main contacts
are connected in series with the power supply, so that opening either breaker
interrupts power to all control rod drive mechanisms, permitting the rods to free
fall into the core. (See figure 7.1.1-1.)
The design philosophy is to make maximum use of a wide variety of
measurements. The protection system continuously monitors numerous diverse system variables. Generally, two or more diverse protection functions would
terminate an accident before intolerable consequences could occur. This design
meets the requirements of GDC 22.
G. Control and Protection System Interaction
The protection system is designed to be independent of the control system. In
certain applications, the control signals and other nonprotective functions are
derived from individual protective channels through isolation amplifiers. The
isolation amplifiers are classified as part of the protection system and are located
in the analog protection racks. Nonprotective functions include those signals
used for control, remote process indication, and computer monitoring. The
isolation amplifiers are designed, such that a short circuit, open circuit, or the
application of credible fault voltages from within the cabinets on the isolated
output portion of the circuit (i.e., the nonprotective side of the circuit) will not
affect the input (protective) side of the circuit. The signals obtained through the
isolation amplifiers are never returned to the protection racks. This design meets
the requirements of GDC 24 and section 4.7 of IEEE 279-1971.
The results of applying various malfunction conditions on the output portion of the
isolation amplifiers show that no significant disturbance to the isolation amplifier
input signal occurred.

H. Derivation of System Inputs
To the extent feasible and practical, protection system inputs are derived from signals which are direct measures of the desired variables. Variables monitored
for the various reactor trips are listed in paragraph 7.2.1.2.2.

I. Capability for Sensor Checks
The operational availability of each system input sensor during reactor operation
is accomplished by cross-checking between channels that bear a known
relationship to each other and that have readouts available. Channel checks are
discussed in the Technical Specifications.

J. Capability for Testing
The reactor trip system is capable of being tested during power operation.
Where only parts of the system are tested at any one time, the testing sequence
provides the necessary overlap between the parts to ensure complete system operation. The testing capabilities are in conformance with Regulatory Guide
1.22, as discussed in paragraph 7.1.2.5.
The protection system is designed to permit periodic testing of the analog
channel portion of the reactor trip system during reactor power operation without
initiating a protective action, unless a trip condition actually exists. This is
because of the coincidence logic required for reactor trip. These tests may be
performed at any plant power, from cold shutdown to full power. Before starting any of these tests with the plant at power, all redundant reactor trip channels
associated with the function to be tested must be in the normal (untripped) mode
in order to avoid spurious trips. Setpoints are referenced in the precautions, limitations, and setpoints portion of the plant technical manual.

1. Analog Channel Tests
Analog channel testing of the process channels which produce the
two-out-of-four or two-out-of-three protection logic is performed at the analog
instrumentation rack set by individually testing each instrumentation
channel. Testing is accomplished through the use of a bypass testing
instrumentation test panel installed in each of the 7300 protection channel
sets. Use of this panel will prevent the initiation of an unwarranted
protective action from that channel during the short period that it is
undergoing test. Located on the test panel is a keylock switch which
controls the use/operation of the panel during testing and normal
operation. Activation of this keylock switch will provide an automatic and
continuous indication (alarm and annunciator) in the control room to alert
the operators that a 7300 process channel is being tested in the bypass
condition. Individual toggle switches are also provided on the test panel
for each 7300 bistable. The use of these switches will allow the primary
field signal power to be replaced with an imposed test signal power to
prevent disruption of the 26-V dc source provided from the protection
system bistables to the SSPS input relays. These switches also isolate
the 7300 outputs from the BTI panel. The keylock switch provided on the
BTI test panel has two operable positions:
- NORMAL - The BTI test panel is disabled, along with all of the toggle switches on that test panel.
- BYPASS ENABLE - The BTI test panel has the capability through the use of the individual toggle switches to place a channel in bypass.
When in this mode, automatic and continuous indication of a bypass
condition or the potential for a bypass condition is provided to the
control room.
When in the bypass enable keylock switch mode of operation, the
individual toggle switches on the test panel have two operable positions:
- NORMAL - Live field signal power supplied to SSPS.
- BYPASS - Test signal power supplied to SSPS when an individual process channel toggle switch is placed in the bypass condition. To alert the test technician of this state of operation, a local status light is
provided on the BTI test panel, one for each bistable to be tested, to
indicate which channel is in test.
Reference 5 provides additional information on this subject.
The following analog channels will be tested as described above:
- Tavg and T protection channel testing.
- Pressurizer pressure protection channel testing.
- Pressurizer water level protection channel testing.
- Steam generator water level protection channel testing.
- Reactor coolant low flow.
- Steam pressure protection channels.
- Containment pressure.
- Turbine (anticipatory trip) and trip fluid pressure channel testing.
The underfrequency and undervoltage protection channels are not
equipped with a bypass capability for testing. These channels are tested
by individually introducing dummy input signals into the instrumentation
channels and observing the tripping of the appropriate output bistables.
Process analog output to the logic circuitry is interrupted during individual
channel testing by a test switch which deenergizes the associated logic
input and inserts a proving lamp in the bistable output. Interruption of the
bistable output to the logic circuitry for any cause (test, maintenance
purposes, or removal from service) will cause that portion of the logic to
be actuated (partial trip), accompanied by a partial trip alarm and channel
status light actuation in the control room. Each channel contains those
switches, test points, etc., necessary to test the channel. See references
2 and 3 for additional background information.

2. Nuclear Instrumentation Channel Tests
The nuclear instrumentation system (NIS) channels which produce a rod
stop, permissive, or a reactor trip on one-out-of-two, one-out-of-four,
two-out-of-four, or three-out-of-four protection logic are provided with a bypass
function to prevent the initiation of an unwarranted protective action from
that channel during the short period that it is undergoing test. To permit
testing of an NIS channel in the bypass mode, a BTI test panel is installed
in each of the four NIS protection channel sets (racks). Located on the
test panel is a keylock switch which controls the use/operation of the
panel during testing and normal operation. Activation of this keylock
switch will provide automatic and continuous indication (alarm and
annunciator) in the control room to alert the operators that an NIS channel
is being tested in the bypass condition. Individual make-before-break
toggle switches are also provided on the test panel for each bistable
associated with the protection channel set. The make-before-break
switch is located on the NIS BTI panels only. Use of these switches will
allow the primary field signal power to be replaced by an imposed test
signal power to prevent disruption of the 118 V-ac from the protection
system bistables to the SSPS input relays. These switches also isolate
the NIS drawer outputs from the BTI panel.
The keylock switch provided on the BTI test panel has two operable
positions:
- NORMAL - The BTI test panel is disabled, along with all of the toggle switches on that test panel.
- BYPASS ENABLE - The BTI test panel has the capability through the use of the individual toggle switches to place a channel in bypass.
When in this mode, automatic and continuous indication of a bypass
condition or the potential for a bypass condition is provided to the
control room.
When in the bypass enable keylock switch mode of operation, the
individual make-before-break toggle switches on the test panel have two
operable positions and a transition position:
- NORMAL - Live field signal power supplied to SSPS.
- MID-POSITION (MAKE-BEFORE-BREAK) - Live field signal power and test signal power are supplied to the SSPS.
- BYPASS - Test signal power supplied to SSPS when an individual process channel toggle switch is placed in the bypass condition. To
alert the test technician of this state of operation, a local status light is
provided on the BTI test panel, one for each bistable to be tested, to
indicate which channel is in test.
Since the power provided to the NIS is ac, prior to placing a nuclear
instrumentation system channel in bypass, the live signal power signal and the test signal power sources must be in phase to prevent an
unwarranted protective action. Alignment of phase is adjusted and
verified at the test points provided in the BTI test panel per installation
instructions. Once the sources are in phase, the make-before-break
switch will be in a position to provide the 118 V-ac bypass voltage.
Individual bypass status lights located on the bypass test panels are
provided to indicate the bypassed condition of these bistable outputs to
the SSPS.
Reference 5 provides additional information on this subject.
It should be noted that a valid trip signal would cause the channel under
test to trip at a lower actual reactor power level. A reactor trip would
occur when a second bistable trips. No provision has been made in the
channel test circuit for reducing the channel signal level below that signal
being received from the nuclear instrumentation system detector.
A nuclear instrumentation system channel which can cause a reactor trip
through one of two protection logic (source or intermediate range) is
provided with a bypass function which prevents the initiation of a reactor
trip from that particular channel during the short period that it is
undergoing test. Indication of these bypasses is provided locally via
status lights on the NIS bypass test panel or remotely via a main control
room annunciator.
Periodic tests of the nuclear instrumentation system are performed in
accordance with the plant Technical Specifications.
Any deviations noted during the performance of these tests are
investigated and corrected in accordance with the established calibration
and trouble shooting procedures provided in the plant technical manual
for the nuclear instrumentation system. Control and protection trip
settings are indicated in the plant technical manual under precautions, limitations, and setpoints.
For additional background information on the nuclear instrumentation
system, see reference 3.

3. Solid-State Logic Testing
The reactor logic trains of the reactor trip system are designed to be
capable of complete testing at power. After the individual channel analog
testing is complete, the logic matrices are tested from the train A and train
B logic rack test panels. This step provides overlap between the analog
and logic portions of the test program. During this test, all of the logic
inputs are actuated automatically in all combinations of trip and nontrip
logic. Trip logic is not maintained sufficiently long to permit opening of the
reactor trip breakers.
The reactor trip undervoltage coils are "pulsed" in order to check
continuity. During logic testing of one train, the other train can initiate any
required protective functions. Annunciation is provided in the control
room to indicate when a train is in test (train output bypassed) and when
a reactor trip breaker is bypassed. Logic testing can be performed in less
than 30 min.
A direct reactor trip resulting from undervoltage or underfrequency on the
reactor coolant pump buses is provided, as discussed in paragraph 7.2.1.1.2.D and shown in drawings 1X6AA02-228 and 1X6AA02-229. The
logic for these trips is capable of being tested during power operation.
When parts of the trip are being tested, an overlap is provided between
parts so that a complete logic test is provided. Thus, complete testing of
protection system equipment is possible.
This design complies with the testing requirements of IEEE 279-1971 and
338-1975, as discussed in subsection 7.1.2.
The permissive and block interlocks associated with the reactor trip system and engineered safety features actuation system are given in
tables 7.2.1-2 and 7.2.1-3 and designated protection or "P" interlocks. As
a part of the protection system, these interlocks are designed to meet the
testing requirements of IEEE 279-1971 and 338-1975.
Testing of all protection system interlocks is provided by the logic testing
and semiautomatic testing capabilities of the solid state protection
system. In the solid state protection system the undervoltage trip
attachment and shunt trip auxiliary relay coils (reactor trip) and master
relays (engineered safeguards actuation) are pulsed for all combinations
of trip or actuation logic, with and without the interlock signals. For
example, reactor trip on low flow (two out of four loops showing two out of
three low flow) is tested to verify operability of the trip above P-8 and nontrip below P-7. (See drawing 1X6AA02-229). Interlock testing may
be performed at power.
Testing of the logic trains of the reactor trip system includes a check of
the input relays and a logic matrix check. The following sequence is used
to test the system:
- Check of Input Relays
During testing of the process instrumentation system and nuclear
instrumentation system channels, each channel bistable is placed in a
trip mode, causing one input relay in train A and one in train B to
deenergize. A contact of each relay is connected to a universal logic
printed circuit card. This card performs both the reactor trip and
monitoring functions. Each reactor trip input relay contact causes a
status lamp and an annunciator on the control board to operate.
Either the train A or train B input relay operation will light the status
lamp and annunciator.
Each train contains a multiplexing test switch. At the start of a
process or nuclear instrumentation system test, this switch (in either
train) is placed in the A + B position. The A + B position alternately
allows information to be transmitted from the two trains to the control
board. A steady status lamp and annunciator indicates that input
relays in both trains have been deenergized. A flashing lamp means
that both the input relays in the two trains did not deenergize. Contact
inputs to the logic protection system, such as reactor coolant pump
bus underfrequency relays, operate input relays which are tested by
operating the remote contacts, as described above, and use the same
type of indications as those provided for bistable input relays.
Actuation of the input relays provides the overlap between the testing
of the logic protection system and the testing of those systems
supplying the inputs to the logic protection system. Test indications
are status lamps and annunciators on the control board. Inputs to the
logic protection system are checked one channel at a time, leaving
the other channels in service. For example, a function that trips the
reactor when two out of four channels trip becomes a one out of three
trip when one channel is placed in the trip mode. Both trains of the
logic protection system remain in service during this portion of the
test.
- Check of Logic Matrices
Logic matrices are checked, one train at a time. Input relays are not
operated during this portion of the test. Reactor trips from the train
being tested are inhibited with the use of the input error inhibit switch
on the semiautomatic test panel in the train. At the completion of the
logic matrix tests, one bistable in each channel of process
instrumentation or nuclear instrumentation is tripped to check closure
of the input error inhibit switch contacts.
The logic test scheme uses pulse techniques to check the
coincidence logic. All possible trip and nontrip combinations are
checked. Pulses from the tester are applied to the inputs of the
universal logic card at the same terminals that connect to the input
relay contacts. Thus, there is an overlap between the input relay
check and the logic matrix check. Pulses are fed back from the
reactor trip breaker undervoltage trip attachment and shunt trip
auxiliary relay coils to the tester. The pulses are of such short
duration that the reactor trip breaker undervoltage coil armature
cannot respond mechanically.
Periodic testing of the solid state protection system includes testing of
the master and slave relays from the system's relay test panel.
Test indications that are provided are an annunciator in the control
room, indicating that reactor trips from the train have been blocked
and that the train is being tested, and green and red lamps on the
semiautomatic tester to indicate a good or bad logic matrix test.
Protection capability provided during this portion of the test is from the
train not being tested.
The testing capability meets the requirements of GDC 21.
- General Warning Alarm Reactor Trip
Each of the two trains of the solid state protection system is
continuously monitored by the general warning alarm reactor trip
subsystem. The warning circuits are actuated if undesirable train
conditions are set up by improper alignment of testing systems, circuit
malfunction or failure, etc., as listed below. A trouble condition in a
logic train is indicated in the control room. However, if any one of the
conditions exists in train A at the same time any one of the conditions
exists in train B, the general warning alarm circuits will automatically
trip the reactor.
- Loss of either of two 48-V dc or either of two 15-V dc power supplies.
- Printed circuit card improperly inserted.
- Input error inhibit switch in the inhibit position.
- Slave relay tester mode selector in test position.
- Multiplexing selector switch in inhibit position.
- Train bypass breaker racked in and closed.
- Permissive or memory test switch not in off position.
- Logic function test switch not in off position.
- Loss of power to slave relay output cabinet.

4. Testing of Reactor Trip Breakers
Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are withdrawn (out of service). In
testing the protection logic, pulse techniques are used to avoid tripping
the reactor trip breakers, thereby eliminating the need to bypass them during this testing (drawing 1X6AA02-226). The following procedure
describes the method used for testing the trip breakers:
- With bypass breaker 52/BYA racked out, manually close and trip it to verify its operation.
- Rack in and close 52/BYA. Manually trip 52/RTA through a protection system logic matrix while at the same time operating the "Auto Shunt Trip Block" pushbutton on the automatic shunt trip panel. This verifies
operation of the undervoltage trip attachment (UVTA) when the
breaker trips. After reclosing RTA, trip it again by operation of the
"Auto Shunt Trip Test" pushbutton on the automatic shunt trip panel.
This is to verify tripping of the breaker through the shunt trip device.
- Reset 52/RTA.
- Trip and rack out 52/BYA.
- Repeat the above steps to test trip breaker 52/RTB using bypass breaker 52/BYB.
Auxiliary contacts of the bypass breakers are connected into the
alarm system of their respective trains such that, if either train is
placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically
trip.
Auxiliary contacts of the bypass breakers are also connected in such
a way that if an attempt is made to close the bypass breaker in one
train while the bypass breaker of the other train is already closed, both bypass breakers will automatically trip.
Test panels are provided near the reactor trip breakers for verifying
auxiliary and cell switch contacts used in the P-4 SSPS and turbine
trip signals. In addition, a voltmeter and selector switch are available
on the front of each reactor trip switchgear that may be used to
determine auxiliary contact position for input to SSPS.
The train A and train B alarm systems operate separate annunciators
in the control room. The two bypass breakers also operate an
annunciator in the control room. Bypassing of a protection train with
either the bypass breaker or with the test switches will result in
audible and visual indications.
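The coincidence voting, general warning alarm, and bypass breaker interlocks described in item J can be exercised with a small model. This is an added illustration, not plant software or code from the FSAR; the channel state names, function names, and condition strings are assumptions made for the model, and the two-out-of-three result for a bypassed channel is what the model yields, not a figure quoted from the text.

```python
"""Constructed model of the trip logic described in item J (not plant software)."""
from enum import Enum


class Channel(Enum):
    NORMAL = "normal"            # bistable untripped, live field signal to SSPS
    TRIPPED = "tripped"          # bistable tripped, or placed in trip for test
    DEENERGIZED = "deenergized"  # loss of input power: results in a trip signal
    BYPASSED = "bypassed"        # BTI test signal holds the SSPS input untripped


def calls_for_trip(state):
    """A channel votes for trip when tripped or when it has lost power."""
    return state in (Channel.TRIPPED, Channel.DEENERGIZED)


def coincidence(states, required=2):
    """m-out-of-n vote over the channel states; bypassed channels cannot vote."""
    return sum(calls_for_trip(s) for s in states) >= required


def effective_logic(states, required=2):
    """Return (further trips needed, healthy channels left to supply them)."""
    votes = sum(calls_for_trip(s) for s in states)
    healthy = sum(s is Channel.NORMAL for s in states)
    return max(required - votes, 0), healthy


def trips_on_demand(states, stuck=None, required=2):
    """Real demand: every NORMAL channel trips, except index `stuck` if given."""
    after = [Channel.TRIPPED if s is Channel.NORMAL and i != stuck else s
             for i, s in enumerate(states)]
    return coincidence(after, required)


def tolerates_single_failure(states, required=2):
    """True if a real demand still trips with any one healthy channel stuck."""
    healthy = [i for i, s in enumerate(states) if s is Channel.NORMAL]
    return trips_on_demand(states, None, required) and all(
        trips_on_demand(states, i, required) for i in healthy)


# Condition names paraphrase the general warning list in the text.
GENERAL_WARNING_CONDITIONS = frozenset({
    "loss of 48-V dc or 15-V dc power supply",
    "printed circuit card improperly inserted",
    "input error inhibit switch in inhibit position",
    "slave relay tester mode selector in test position",
    "multiplexing selector switch in inhibit position",
    "train bypass breaker racked in and closed",
    "permissive or memory test switch not in off position",
    "logic function test switch not in off position",
    "loss of power to slave relay output cabinet",
})


def general_warning(train_a, train_b):
    """Return (control room alarm, reactor trip) for each train's conditions."""
    a = bool(set(train_a) & GENERAL_WARNING_CONDITIONS)
    b = bool(set(train_b) & GENERAL_WARNING_CONDITIONS)
    return (a or b), (a and b)


def bypass_breaker_interlock(bya_closed, byb_closed, a_in_test, b_in_test):
    """Return the set of breakers the auxiliary-contact interlocks trip open."""
    tripped = set()
    if bya_closed and byb_closed:
        tripped |= {"52/BYA", "52/BYB"}
    if (a_in_test and byb_closed) or (b_in_test and bya_closed):
        tripped |= {"52/RTA", "52/RTB", "52/BYA", "52/BYB"}
    return tripped


if __name__ == "__main__":
    N, T, B = Channel.NORMAL, Channel.TRIPPED, Channel.BYPASSED
    print("one channel in trip   :", effective_logic([T, N, N, N]))
    print("one channel in bypass :", effective_logic([B, N, N, N]))
    print("two channels bypassed tolerate a failure:",
          tolerates_single_failure([B, B, N, N]))
    print("train A in test, BYB closed:",
          sorted(bypass_breaker_interlock(False, True, True, False)))
```

The model makes the trade-off in the text concrete: testing a channel in the trip mode leaves the function one spurious signal away from a reactor trip, while testing in bypass keeps the spurious-trip margin but removes one vote.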
The complete reactor trip system is normally required to be in service.
However, to permit online testing of the various protection channels or
to permit continued operation in the event of a subsystem
instrumentation channel failure, the Technical Specifications define
the minimum number of operable channels. The Technical
Specifications also define the required restriction to operation in the
event that the channel operability requirements cannot be met.

K. Channel Bypass or Removal from Operation
The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation, without initiating a protective action, unless a trip condition actually exists.

L. Operating Bypasses
Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic
removal of the bypass of a protective function are considered part of the
protective system and are designed in accordance with the criteria of this section.
Indication is provided in the control room if some part of the system has been
administratively bypassed or taken out of service.

M. Indication of Bypasses
Bypass indication is discussed in paragraph 7.5.5 and section 1.9.

N. Access to Means for Bypassing
The design provides for administrative control of access to the means for
manually bypassing channels or protective functions.

O. Multiple Setpoints
For monitoring neutron flux, multiple setpoints are used. When a more restrictive
trip setting becomes necessary to provide adequate protection for a particular
mode of operation or set of operating conditions, the protective system circuits
are designed to provide positive means or administrative control to ensure that
the more restrictive trip setpoint is used. The devices used to prevent improper
use of less restrictive trip settings are considered part of the protective system
and are designed in accordance with the criteria of this section.

P. Completion of Protective Action
The protection system is so designed that, once initiated, a protective action
goes to completion. Return to normal operation requires action by the operator.

Q. Manual Initiation
Switches are provided on the control board for manual initiation of protective
action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum
of equipment.

R. Access
The design provides for administrative control of access to all setpoint
adjustments, module calibration adjustments, and test points.

S. Identification of Protective Actions
Protective channel identification is discussed in paragraph 7.1.2. Indication is
discussed in item T below.

T. Information Readout
The protective system provides the operator with complete information pertinent
to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip will either be indicated or recorded for every
channel, including all neutron flux power range currents (top detector, bottom
detector, algebraic difference, and average of bottom and top detector currents).
Any reactor trip will actuate an alarm and an annunciator. Such protective
actions are indicated and identified down to the channel level.
Alarms and annunciators are also used to alert the operator of deviations from
normal operating conditions, so that he may take appropriate corrective action to
avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel
will actuate an alarm.
VEGP-FSAR-7
7.2-28 REV 19 4/15

U. System Repair

The system is designed to facilitate the recognition, location, replacement, and repair of malfunctioning components or modules. Refer to the discussion in item J above.

7.2.2.3 Specific Control and Protection Interactions

7.2.2.3.1 Neutron Flux

Four power range neutron flux channels are provided for overpower protection. An isolated auctioneered high signal is derived by auctioneering of the four channels for automatic rod control. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection but will not cause control rod movement because of the auctioneer. Two out of four overpower trip logic will ensure an overpower trip if needed, even with an independent failure in another channel.
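The failure cases in the paragraph above, worked through as an added example that is not part of the FSAR: four channel readings feed a high-select auctioneer for the control signal and a 2-out-of-4 coincidence for the trip. The setpoint, the failed-channel readings and all function names are constructed assumptions; the example also checks the failed-high case, which the paragraph does not discuss.

```python
"""Auctioneered-high control signal and 2-out-of-4 overpower trip coincidence.

Added illustration. Every number below is a constructed value (assumption);
the page gives no setpoint or failure readings.
"""
from itertools import combinations

N_CHANNELS = 4          # four power range channels (from the page)
TRIP_SETPOINT = 109.0   # % power, constructed value
FAILED_LOW = 0.0        # reading of a channel that failed low, constructed
FAILED_HIGH = 200.0     # reading of a channel that failed high, constructed


def auctioneer_high(readings):
    """High-select: the control system sees only the largest channel signal."""
    return max(readings)


def coincidence(readings, setpoint, required):
    """True when at least `required` channels are at or above `setpoint`."""
    return sum(1 for r in readings if r >= setpoint) >= required


def overpower_trip(readings):
    """2-out-of-4 overpower trip on the power range channels."""
    return coincidence(readings, TRIP_SETPOINT, required=2)


def channel_readings(true_power, failed=(), failed_value=FAILED_LOW):
    """Healthy channels read true_power; channels listed in `failed` read failed_value."""
    return [failed_value if ch in failed else true_power
            for ch in range(N_CHANNELS)]


def trips_for_every_failure_set(true_power, n_failed, failed_value):
    """True if the trip occurs for every possible set of n_failed bad channels."""
    return all(
        overpower_trip(channel_readings(true_power, combo, failed_value))
        for combo in combinations(range(N_CHANNELS), n_failed)
    )


def scenarios():
    """Return (description, auctioneered signal, trip) for constructed cases."""
    cases = [
        ("normal power, no failure", channel_readings(100.0)),
        ("normal power, ch 2 failed low", channel_readings(100.0, (2,))),
        ("overpower, ch 2 failed low", channel_readings(112.0, (2,))),
        ("overpower, ch 0 and ch 2 failed low", channel_readings(112.0, (0, 2))),
        ("overpower, three channels failed low", channel_readings(112.0, (0, 1, 2))),
        ("normal power, ch 1 failed high",
         channel_readings(100.0, (1,), FAILED_HIGH)),
    ]
    return [(name, auctioneer_high(r), overpower_trip(r)) for name, r in cases]


if __name__ == "__main__":
    for name, control_signal, trip in scenarios():
        print(f"{name:40s} control={control_signal:6.1f}  trip={trip}")
```

A failed-low channel never becomes the auctioneered value, so the control signal is unchanged, and the trip still occurs with that channel plus one further independent failure. A third failed-low channel defeats the 2-out-of-4 logic in this model.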
In addition, channel deviation signals in the control system will give an alarm if any neutron flux channel deviates significantly from the average of the flux signals. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear power range channel will block manual rod withdrawal. Automatic rod withdrawal capability of the rod control system has been disabled. The setpoint for this rod stop is below the reactor trip setpoint.

7.2.2.3.2 Coolant Temperature

The accuracy of the resistance temperature detector (RTD) loop temperature measurements is demonstrated during plant preoperational tests by comparing temperature measurements from all loop RTDs with one another, as well as with the temperature measurements obtained from the wide range RTDs located in the hot leg and cold leg piping of each loop. The comparisons are done with the RCS in an isothermal condition. The linearity of the ΔT measurements obtained from the hot leg and cold leg loop RTDs, as a function of plant power, is also checked during plant startup tests. The absolute value of ΔT versus plant power is not important, per se, as far as reactor protection is concerned. Reactor trip system setpoints are based upon percentages of the indicated ΔT at nominal full power rather than on absolute values of ΔT. This is done to account for loop differences which are inherent. Therefore, the percent ΔT scheme is relative, not absolute, and therefore provides better protective action without the expense of accuracy. For this reason, the linearity of the ΔT signals as a function of power is of importance rather than the absolute values of the ΔT. As part of the plant preoperational tests, the loop RTD signals will be compared with the core exit thermocouple signals.

Reactor control is based upon signals derived from protection system channels after isolation by isolation amplifiers, such that no feedback effect can perturb the protection channels.

Since control is based on the average temperature of the loop with the highest temperature, the control rods are always moved based upon the most pessimistic temperature measurement with respect to margins to departure from nucleate boiling. A spurious low average temperature measurement from any loop temperature control channel will cause no control action. A spurious high average temperature measurement will cause rod insertion (safe direction).

Channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the auctioneered (highest) value. Manual rod withdrawal blocks and turbine runback (power demand reduction) will also occur if any two out of the four overtemperature or overpower ΔT channels indicate an adverse condition.

7.2.2.3.3 Pressurizer Pressure

The pressurizer pressure protection channel signals are used for high- and low-pressure protection and as inputs to the overtemperature ΔT trip protection function. Isolated output signals from these channels are used for pressure control. These are used to control pressurizer spray and heaters and power-operated relief valves. Pressurizer pressure is sensed by fast response pressure transmitters.
A spurious high-pressure signal from one channel can cause decreasing pressure by actuation of either spray or relief valves. Additional redundancy is provided in the low pressurizer
pressure reactor trip and in the logic for safety injection to ensure low pressure protection.
Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The
self-actuated safety valves are sized on the basis of steam flow from the pressurizer to
accommodate this surge at a setpoint of 2485 psig and an accumulation of 3 percent. Note that
no credit is taken for the relief capability provided by the power-operated relief valves during this
surge. In addition, operation of any one of the power-operated relief valves can maintain pressure below the high-pressure trip point for most transients. The rate of pressure rise achievable with
heaters is slow, and ample time and pressure alarms are available to alert the operator of the
need for appropriate action.
Redundancy is not compromised by having a shared tap (paragraph 7.2.1.1.2), since the logic for this trip is two out of four. If the shared tap is plugged, the affected channels will remain
static. If the impulse line bursts, the indicated pressure will drop to zero. In either case the fault
is easily detectable, and the protective function remains operable.

7.2.2.3.4 Pressurizer Water Level

Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of 1/2 h or more).

The high water level trip setpoint provides sufficient margin, such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full-power conditions, which would produce the worst thermal expansion rates, a failure of the water level
control would not lead to any liquid discharge through the safety valves. This is due to the
automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the
safety valve setpoint.
For control failures which tend to empty the pressurizer, two out of four logic for safety injection action on low pressure ensures that the protection system can withstand an independent failure
in another channel. In addition, ample time and alarms exist to alert the operator of the need for
appropriate action.

7.2.2.3.5 Steam Generator Water Level

The basic function of the reactor protection circuits associated with low-low steam generator water level is to preserve the steam generator heat sink for removal of long-term residual heat.

Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip. This reactor trip acts before the
steam generators are dry. This reduces the required capacity, increases the time interval
before auxiliary feedwater pumps are required, and minimizes the thermal transient on the
reactor coolant system and steam generators.
Therefore, a low-low steam generator water level reactor trip circuit is provided for each steam generator to ensure that sufficient initial
thermal capacity is available in the steam generator at the start of the transient. Two out of four
low-low steam generator water level trip logic ensures a reactor trip if needed, even with an
independent failure in another channel used for control, and when degraded by an additional
second postulated random failure.
A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by
the spurious signal would actuate alarms to alert the operator of the situation in time for manual
correction. If the condition continues, a two out of four high-high steam generator water level
signal in any loop, independent of the indicated feedwater flow, will cause feedwater isolation
and trip the turbine. The turbine trip will result in a subsequent reactor trip if power is above the
P-9 setpoint. The high-high steam generator water level trip is an equipment protective trip, preventing excessive moisture carryover which could damage the turbine blading.
In addition, the three-element feedwater controller incorporates reset action on the level error
signal, such that with expected controller settings, a rapid increase or decrease in the flow
signal would cause only a small change in level, before the controller would compensate for the
level error. A slow change in the feedwater signal would have no effect at all. A spurious low or
high steam flow signal would have the same effect as high or low feedwater signal, as
discussed above.
A spurious high steam generator water level signal from the protection channel used for control will tend to close the feedwater valve. A spurious low steam generator water level signal will
tend to open the feedwater valve. Before a reactor trip would occur, two out of four channels in
a loop would have to indicate a low-low water level. Any slow drift in the water level signal will
permit the operator to respond to the level alarms and to take corrective action.
Automatic protection is provided in case the spurious high level reduces feedwater flow sufficiently to cause low-low level in the steam generator. Automatic protection is also provided
in case the spurious low-level signal increases feedwater flow sufficiently to cause high level in
the steam generator. A turbine trip and feedwater isolation would occur on two out of four high-high steam generator water level in any loop.

7.2.2.4 Additional Postulated Accidents

Loss of plant instrument air or loss of component cooling water is discussed in subsection 7.3.1.
Load rejection and turbine trip are discussed in further detail in section 7.7.
The control interlocks, called rod stops, that are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal are discussed in paragraph 7.7.1.4
and listed on table 7.7.1-1. Excessively high-power operation (which is prevented by blocking of manual rod withdrawal), if allowed to continue, might lead to a safety limit (as given in the
Technical Specifications) being reached. The automatic rod withdrawal capability of the rod
control system has been disabled.
Before such a limit is reached, protection will be available from the reactor trip system. At the power levels of the rod block setpoints, safety limits have not been reached. Therefore, these rod withdrawal stops do not come under the scope of safety-related systems and are
considered control systems.
7.2.2.5 Tests and Inspections

The reactor trip system meets the testing requirements of IEEE 338-1975, as discussed in
paragraph 7.1.2.7. The testability of the system is discussed in paragraph 7.2.2.2.3. The initial
and subsequent test intervals are specified in the Technical Specifications. Written test
procedures and documentation, conforming to the requirements of IEEE 338-1975, will be
available for audit by responsible personnel.
Periodic testing conforms with Regulatory Guide 1.22, as discussed in subsections 7.1.2 and 7.2.2.

7.2.2.6 References

1. Gangloff, W. C., and Loftus, W. D., "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients," WCAP-7706-L (Proprietary) and WCAP-7706 (Nonproprietary), February 1971.
2. Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply Systems," WCAP-7913, January 1973. (Additional background information only.)
3. Lipchak, J. B., "Nuclear Instrumentation System," WCAP-8255, January 1974. (Additional background information only.)
4. Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L (Proprietary), March 1971, and WCAP-7672 (Nonproprietary), May 1971. (Additional background information only.)
5. Mermigos, J. F., "Bypass Test Instrumentation for the Vogtle Electric Generating Plant, Units 1 and 2," WCAP-13376, Revision 2, September 1992.
6. WCAP-16769-P Revision 1, "Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04."
7. WCAP-16770-P Revision 0, "Westinghouse SSPS Safeguards Driver Board Replacement Summary Report 6D30252G01/G02."
8. WCAP-16771-P Revision 0, "Westinghouse SSPS Undervoltage Driver Board Replacement Summary Report 6D30350G01/G02."
9. WCAP-16772-P Revision 0, "Westinghouse SSPS Semi-Automatic Tester Board Replacement Summary Report 6D30520G01/G02/G03/G04/G05."
TABLE 7.2.1-1 (REV 14 10/07)
LIST OF REACTOR TRIPS

| Reactor Trips | Coincidence Logic | Interlocks | Comments |
| --- | --- | --- | --- |
| Power range high neutron flux | 2/4 | Manual block of low setting permitted by P-10 | High and low setting; manual block and automatic reset of low setting by P-10 |
| Intermediate range high neutron flux | 1/2 | Manual block permitted by P-10 | Manual block and automatic reset |
| Source range high neutron flux | 1/2 | Manual block permitted by P-6; interlocked with P-10 | Manual block and automatic reset; automatic block above P-10 |
| Power range high positive neutron flux rate | 2/4 | No interlocks | - |
| Overtemperature T avg | 2/4 | No interlocks | - |
| Overpower T avg | 2/4 | No interlocks | - |
| Pressurizer low pressure | 2/4 | Interlocked with P-7 | Blocked below P-7 |
| Pressurizer high pressure | 2/4 | No interlocks | - |
| Pressurizer high water level | 2/3 | Interlocked with P-7 | Blocked below P-7 |
| Low reactor coolant flow | 2/3 in any loop | Interlocked with P-7 and P-8 | Low flow in one loop will cause a reactor trip when above P-8, and a low flow in two loops will cause a reactor trip when above P-7; blocked below P-7 |
| Reactor coolant pump bus undervoltage | Low voltage sensed for pumps 1 or 2 and 3 or 4. | Interlocked with P-7 | Blocked below P-7 |
| Reactor coolant pump bus underfrequency | Underfrequency sensed for pumps 1 or 2 and 3 or 4 | Interlocked with P-7 | Blocked below P-7 |
| Solid state protection system general warning alarm | Both trains | No interlocks | - |
| Low-low steam generator water level | 2/4 per loop | No interlocks | - |
| Turbine-generator | | Interlocked with P-9 | Blocked below P-9 |
| a. Low auto stop oil pressure | 2/3 | | |
| b. Turbine stop valve close | 4/4 | | |
| Safety injection signal | Coincident with actuation of safety injection | No interlocks | See section 7.3 for engineering safety features actuation conditions |
| Manual | 1/2 per train | No interlocks | |
TABLE 7.2.1-2 (REV 19 4/15)
PROTECTION SYSTEM INTERLOCKS

| Designation | Derivation | Function |
| --- | --- | --- |
| Power Escalation Permissives | | |
| P-6 | Presence of P-6: 1/2 neutron flux (intermediate range) above approximately 2.0 x 10^-5 % rated thermal power | Allows manual block of source range reactor trip |
| | Absence of P-6: 2/2 neutron flux (intermediate range) below setpoint | Defeats the block of source range reactor trip |
| P-10 | Presence of P-10: 2/4 neutron flux (power range) above setpoint | Allows manual block of power range (low setpoint) reactor trip |
| | | Allows manual block of intermediate range reactor trip and intermediate range rod stops (C-1) |
| | | Blocks source range reactor trip (backup for P-6) |
| | Absence of P-10: 3/4 neutron flux (power range) below setpoint | Defeats the block of power range (low setpoint) reactor trip |
| | | Defeats the block of intermediate range reactor trip and intermediate range rod stops (C-1) |
| | | Inputs to P-7 |
| Blocks of Reactor Trips | | |
| P-11 | 2/3 pressurizer pressure below setpoint | Allows manual block of safety injection actuation on low pressurizer pressure signal and low steam line pressure signal (lead/lag compensated) |
| | 2/3 pressurizer pressure above setpoint | Defeats manual block of safety injection actuation |
| P-7 | Absence of P-7: 3/4 neutron flux (power range) below setpoint (from P-10) and 2/2 turbine impulse chamber pressure below setpoint (from P-13) | Blocks reactor trip on low reactor coolant flow in more than one loop, undervoltage, underfrequency, pressurizer low pressure, and pressurizer high level |
| P-8 | Absence of P-8: 3/4 neutron flux (power range) below setpoint | Blocks reactor trip on low reactor coolant flow in a single loop |
| P-9 | Absence of P-9: 3/4 neutron flux (power range) below 40 percent power | Blocks reactor trip on turbine trip |
| P-13 | Absence of P-13: 2/2 turbine impulse chamber pressure below 10 percent of full load | Input to P-7 |
TABLE 7.2.1-3 (SHEET 1 OF 3) (REV 19 4/15)
REACTOR TRIP SYSTEM INSTRUMENTATION

| Reactor Trip Signal | Typical Range | Typical Trip Accuracy | Typical Time Response (s) |
| --- | --- | --- | --- |
| Power range high neutron flux | 1 to 120% of full power | 1% of full power | 0.5(a) |
| Intermediate range high neutron flux | 8 decades of neutron flux overlapping source range by 2 decades | +/- 5% of full scale; +/- 1% of full scale from 10^-4 to 50% full power | N/A |
| Source range high neutron flux | 6 decades of neutron flux (1 to 10^6 counts/s) | +/- 5% of full scale | 0.5(a) |
| Power range high positive neutron flux rate | + 15% of full power | +/- 5% | 0.65(a) |
| Overtemperature ΔT | Thot 530° to 630°F; Tcold 530° to 630°F; Tavg 530° to 630°F; PPRZR 1700 to 2500 psig; F() -50 to +50; T setpoint 0° to 100°F | +/- 3.2°F | (a) (c) |
| Overpower ΔT | Thot 530° to 650°F; Tcold 530° to 630°F; Tavg 530° to 630°F; T setpoint 0° to 100°F | +/- 2.7°F | (a) (c) |
| Pressurizer low pressure | 1700 to 2500 psig | +/- 18 psi (compensated signal) | 2 |
| Pressurizer high pressure | 1700 to 2500 psig | +/- 18 psi (noncompensated signal) | 2 |
| Pressurizer high water level | Entire cylindrical portion of pressurizer (distance between taps) | +/- 2.3% of full range P between taps at design temperature and pressure | N/A |
TABLE 7.2.1-3 (SHEET 2 OF 3) (REV 19 4/15)
Reactor Trip Signal | Typical Range | Typical Trip Accuracy | Typical Time Response (s)
Response (s) Low reactor coolant flow 0 to 120% of rated flow +/- 2.5% of full flow within range of 70 to 100%
of full flow(a) +/- 1% a. Single loop (above
P-8)
- b. Two loops (above P-
7 Reactor coolant pump undervoltage 0 to 100% rated voltage 1.5 Reactor coolant pump underfrequency 3 to 80 Hz
+/- 0.1 Hz 0.6 Low-low steam generator water level(b) +/-~6 ft from nominal full load water level
+/- 2.3% of P signal overpressure range of 700 to 1200 psig 2 Turbine trip oil pressure 0 to 2000 psig N/A
a. Neutron detectors are exempt from response time testing. Response time of the neutron flux signal portion of the channel shall be measured from detector output or input of first electronic component in channel. (This provision is not applicable to construction permits docketed after January 1, 1978. See Regulatory Guide 1.118, June 1978.)

b. See also Technical Specification 3.3.3.

c. RTD time constants are verified by measurement. The following channel response times are calculated for narrow range RTD time constants 5.5 seconds. In both conditions, sensor (RTD) response times have been mathematically removed such that only electronic delays are included. The choice between "without dynamics" and "with dynamics" depends on the method chosen to verify response time. When using allocation times in table 7.2.1-5, the "without dynamics" values are utilized. When using actual measurements, the values chosen must match the test conditions. Dynamics refers to functions usually performed by NLL cards in the 7300 Process Control System and include lead-lag, rate-lag, and lag functions.

| Function | Without Dynamics | With Dynamics |
| --- | --- | --- |
| 1 Overtemperature ΔT, Tavg input | 2.000 s | 2.469 s |
| 2 Overtemperature ΔT, pressurizer pressure input | 8.000 s | 8.000 s |
| 3 Overtemperature ΔT, nuclear flux input | 8.000 s | 8.000 s |
| 4 Overtemperature ΔT, ΔT input | 2.000 s | 6.159 s |
| 5 Overpower ΔT, Tavg input | 2.000 s | 2.341 s |
| 6 Overpower ΔT, ΔT input | 2.000 s | 6.159 s |

TABLE 7.2.1-3 (SHEET 3 OF 3) (REV 19 4/15)

For measured RTD time constants (plus 10% uncertainty) of more than 5.5 seconds, adjust the channel response times as follows:

| Function | Reduction |
| --- | --- |
| 1 Overtemperature ΔT, Tavg input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
| 2 Overtemperature ΔT, pressurizer pressure input | No adjustment. |
| 3 Overtemperature ΔT, nuclear flux input | No adjustment. |
| 4 Overtemperature ΔT, ΔT input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
| 5 Overpower ΔT, Tavg input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
| 6 Overpower ΔT, ΔT input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
TABLE 7.2.1-4 (REV 19 4/15)
REACTOR TRIP SYSTEM INSTRUMENTATION RESPONSE TIMES

| FUNCTIONAL UNIT | RESPONSE TIME |
| --- | --- |
| 1. Manual Reactor Trip | N/A |
| 2. Power Range, Neutron Flux (N-0041, N-0042, N-0043, N-0044) | 0.5 s (a) |
| 3. Power Range, Neutron Flux, High Positive Rate (N-0041, N-0042, N-0043, N-0044) | 0.65 s (a) |
| 5. Intermediate Range, Neutron Flux (N-0035, N-0036) | N/A |
| 6. Source Range, Neutron Flux (N-0031, N-0032) | N/A |
| 7. Overtemperature ΔT (TE-0411, TE-0421, TE-0431, TE-0441) | (a)(c) |
| 8. Overpower ΔT (TE-0411, TE-0421, TE-0431, TE-0441) | (a)(c) |
| 9. Pressurizer Pressure--Low (PI-0455, PI-0456, PI-0457, PI-0458) | 2 s |
| 10. Pressurizer Pressure--High (PI-0455, PI-0456, PI-0457, PI-0458) | 2 s |
| 11. Pressurizer Water Level--High (LI-0459, LI-0460, LI-0461) | N/A |
| 12. Reactor Coolant Flow--Low (Loop 1: FI-0414, FI-0415, FI-0416; Loop 2: FI-0424, FI-0425, FI-0426; Loop 3: FI-0434, FI-0435, FI-0436; Loop 4: FI-0444, FI-0445, FI-0446) | |
| a. Single Loop (Above P-8) | 1 s |
| b. Two Loops (Above P-7 and below P-8) | 1 s |
| 13. Steam Generator Water Level--Low-Low (b) (Loop 1: LI-0519, LI-0518, LI-0517, LI-0551; Loop 2: LI-0529, LI-0528, LI-0527, LI-0552; Loop 3: LI-0539, LI-0538, LI-0537, LI-0553; Loop 4: LI-0549, LI-0548, LI-0547, LI-0554) | 2 s |
| 14. Undervoltage - Reactor Coolant Pumps | 1.5 s |
| 15. Underfrequency - Reactor Coolant Pumps | 0.6 s |
| 16. Turbine Trip | |
| a. Low Fluid Oil Pressure (PI-6161, PI-6162, PI-6163) | N/A |
| b. Turbine Stop Valve Closure | N/A |
| 17. Safety Injection Input from ESF | N/A |
| 18. Reactor Trip System Interlocks | N/A |
| 19. Reactor Trip Breakers | N/A |
| 20. Automatic Trip and Interlock Logic | N/A |

a. Neutron detectors are exempt from response time testing. Response time of the neutron flux signal portion of the channel shall be measured from detector output or input of first electronic component in channel. (This provision is not applicable to construction permits docketed after January 1, 1978. See Regulatory Guide 1.118, June 1978.)

b. See also Technical Specification 3.3.3.

c. RTD time constants are verified by measurement. The following channel response times are calculated for narrow range RTD time constants 5.5 seconds. In both conditions, sensor (RTD) response times were mathematically removed such that only electronic delays are included. The choice between "without dynamics" and "with dynamics" depends on the method chosen to verify response time. When using allocation times in table 16.3-3a, the "without dynamics" values are utilized. When using actual measurements, the values chosen must match the test conditions. Dynamics refers to functions usually performed by NLL cards in the 7300 Process Control System and include lead-lag, rate-lag, and lag functions.

| Function | Without Dynamics | With Dynamics |
| --- | --- | --- |
| Overtemperature ΔT, Tavg input | 2.000 s | 2.469 s |
| Overtemperature ΔT, pressurizer pressure input | 8.000 s | 8.000 s |
| Overtemperature ΔT, nuclear flux input | 8.000 s | 8.000 s |
| Overtemperature ΔT, ΔT input | 2.000 s | 6.159 s |
| Overpower ΔT, Tavg input | 2.000 s | 2.341 s |
| Overpower ΔT, ΔT input | 2.000 s | 6.159 s |

For measured RTD time constants (plus 10% uncertainty) of more than 5.5 seconds, adjust the channel response times as follows:

| Function | Reduction |
| --- | --- |
| Overtemperature ΔT, Tavg input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
| Overtemperature ΔT, pressurizer pressure input | No adjustment. |
| Overtemperature ΔT, nuclear flux input | No adjustment. |
| Overtemperature ΔT, ΔT input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
| Overpower ΔT, Tavg input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
| Overpower ΔT, ΔT input | Reduce by amount RTD time constant plus 10% uncertainty exceeds 5.5 s. |
TABLE 7.2.1-5 (REV 19 4/15)
REACTOR TRIP ALLOCATION TIMES

| Function | Sensor | Time | 7300/NIS String | Time | SSPS Relays | Time |
| --- | --- | --- | --- | --- | --- | --- |
| PZR PRESS HI | Tobar 32PG | 200 ms | NLP + NAL | 65 ms | Input | 20 ms |
| | Veritrak 76PH | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| PZR PRESS LO | Tobar 32PG | 200 ms | NLP + NAL | 65 ms | Input | 20 ms |
| | Veritrak 76PH | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| SG LEVEL LO-LO | Tobar 32DP | 400 ms | NLP + NAL | 65 ms | Input | 20 ms |
| | Veritrak 76DP | 400 ms | | | | |
| | Rosemount 1154DH5 | 200 ms | | | | |
| RCS FLOW LO | Tobar 32DP | 400 ms | NLP + NAL | 65 ms | Input | 20 ms |
| | Veritrak 76DP | 400 ms | | | | |
| | Rosemount 1153HB5 | 200 ms | | | | |
| OPDT (Vary Tavg) | Weed N9004E-2B | (1) | NRA+NSA+NSA+NSA+NSA+NAL | 368 ms | Input | 20 ms |
| OPDT (Vary ΔT) | Weed N9004E-2B | (1) | NRA+NSA+NSA+NAL | 293 ms | Input | 20 ms |
| OTDT (Vary Tavg) | Weed N9004E-2B | (1) | NRA+NSA+NSA+NSA+NSA+NAL | 368 ms | Input | 20 ms |
| OTDT (Vary ΔT) | Weed N9004E-2B | (1) | NRA+NSA+NSA+NAL | 293 ms | Input | 20 ms |
| OTDT (Vary Press) | Tobar 32PG | 200 ms | NLP+NSA+NSA+NAL | 140 ms | Input | 20 ms |
| | Veritrak 76PH | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| OTDT (Vary Flux) | Detectors Exempt | N/A | NIS (1 ms)+NSA+NCH+NSA+NAL | 148.5 ms | Input | 20 ms |
| RCP VOLTAGE LO | GE NGV/SAM | (1) | N/A | N/A | Input | 20 ms |
| RCP FREQ LO | ABB | (1) | N/A | N/A | Input | 20 ms |
| NIS LEVEL HI | Detectors Exempt | N/A | NIS FEMA | 65 ms | Input | 20 ms |
| NIS RATE HI | Detectors Exempt | N/A | NIS FEMA | 200 ms | Input | 20 ms |
| CNMT PRESS REACTOR TRIP FROM SI | Barton 764/351 | 1.0 s | NLP+NAL | 65 ms | Input | 20 ms |
| STEAMLINE PRESS REACTOR TRIP FROM SI | Tobar 32PA | 200 ms | NLP+NAL | 65 ms | Input | 20 ms |
| | Veritrak 76PG | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| | Rosemount 1153GB9 | 200 ms | | | | |

Note 1: Allocated sensor times are not used for these variables. These components will continue to be tested as required.

Allocated sensor times are derived from method (3), section (9), WCAP-13632, revision 2 (Vendor Engineering Specifications).

Tobar, Veritrak, and Barton times were provided in table 9-1. Rosemount times are from Rosemount manuals 4302 and 4631. The Rosemount response time specifications may also be found in NUREG/CR-5383. Transmitter FMEAs are based upon EPRI report NP-7243 revision 1.

Values for 7300 cards are from tables 4-7 through 4-12 of WCAP-14036, revision 1. Cards installed are 4NCH, 4NRA, 6NLP, 4NSA, and 9NAL or older artwork levels. NIS components installed are summing and level Amp (3359C48G01), isolation Amp (6065D75G01), rate circuit assembly (3359C41G01), and bistable relay driver assembly (3359C39G01). These were evaluated per NIS FMEA schematic diagram 6065D99.

SSPS input and master relays are Potter & Brumfield KH series relays. SSPS slave relays are Potter & Brumfield MDR relays.

Values are tabulated from section 4.8, Westinghouse SSPS FMEA.
TABLE 7.2.2-1 (REV 17 4/12)
REACTOR TRIP CORRELATION

| Trip (a) | Accident (b) | Technical Specification |
| --- | --- | --- |
| A. NUCLEAR OVERPOWER TRIPS | | |
| 1. Power range high neutron flux trip (low setpoint) | Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low-power startup condition (15.4.1) | (c) |
| | Feedwater system malfunctions that result in a decrease in feedwater temperature (15.1.1) | |
| | Spectrum of rod cluster control assembly ejection accidents (15.4.8) | |
| 2. Intermediate range high neutron flux trip | Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low-power startup condition (15.4.1) | (c) |
| 3. Source range high neutron flux trip | Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low-power startup condition (15.4.1) | (c) |
| 4. Power range high positive neutron flux rate trip | Spectrum of rod cluster control assembly ejection accidents (15.4.8) | (c) |
| | Uncontrolled rod cluster control assembly bank withdrawal at power (RCS overpressure event only) (15.4.2) | |
| 5. Power range high neutron flux trip (high setpoint) | Uncontrolled rod cluster control assembly bank withdrawal from a subcritical or low-power startup condition (15.4.1) | (c) |
| | Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2) | |
| | Startup of an inactive reactor coolant pump at an incorrect temperature (15.4.4) | |
| | Feedwater system malfunctions that result in a decrease in feedwater temperature (15.1.1) | |
| | Excessive increase in secondary steam flow (15.1.3) | |
| | Inadvertent opening of a steam generator relief or safety valve (15.1.4) | |
| | Spectrum of steam system piping failures inside and outside of containment in a PWR (15.1.5) | |
| | Spectrum of rod cluster control assembly ejection accidents (15.4.8) | |
| B. CORE THERMAL OVERPOWER TRIPS | | |
| 1. Overtemperature ΔT trip | Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2) | (c) |
| | Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant (15.4.6) | |
| | Loss of external electrical load (15.2.2) | |
| | Turbine trip (15.2.3) | |
| | Feedwater system malfunctions that result in a decrease in feedwater temperature (15.1.1) | |
| | Excessive increase in secondary steam flow (15.1.3) | |
| | Inadvertent opening of a pressurizer safety or relief valve (15.6.1) | |
| | Inadvertent opening of a steam generator relief or safety valve (15.1.4) | |
| | Loss-of-coolant accidents resulting from the spectrum of postulated piping breaks within the reactor coolant pressure boundary (15.6.5) | |
| 2. Overpower ΔT trip | Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2) | (c) |
| | Feedwater system malfunctions that result in a decrease in feedwater temperature (15.1.1) | |
| | Excessive increase in secondary steam flow (15.1.3) | |
| | Inadvertent opening of a steam generator relief or safety valve (15.1.4) | |
| | Spectrum of steam system piping failures inside and outside of containment in a PWR (15.1.5) | |
| C. REACTOR COOLANT SYSTEM PRESSURIZER PRESSURE AND WATER LEVEL TRIPS | | |
| 1. Pressurizer low pressure trip | Inadvertent opening of a pressurizer safety or relief valve (15.6.1) | (c) |
| | Loss-of-coolant accidents resulting from the spectrum of postulated piping breaks within the reactor coolant pressure boundary (15.6.5) | |
| | Steam generator tube failure (15.6.3) | |
| 2. Pressurizer high pressure trip | Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2) | (c) |
| | Loss of external electrical load (15.2.2) | |
| | Turbine trip (15.2.3) | |
| 3. Pressurizer high water level trip | Uncontrolled rod cluster control assembly bank withdrawal at power (15.4.2) | (c) |
| | Loss of external electrical load (15.2.2) | |
| | Turbine trip (15.2.3) | |
| D. REACTOR COOLANT SYSTEM LOW FLOW TRIPS | | |
| 1. Low reactor coolant flow | Partial loss of forced reactor coolant flow (15.3.1) | (c) |
| | Loss of nonemergency ac power to the station auxiliaries (15.2.6) | |
| | Complete loss of forced reactor coolant flow (15.3.1) | |
| 2. Reactor coolant pump undervoltage trip | Complete loss of forced reactor coolant flow (15.3.1) | (c) |
| 3. Reactor coolant pump underfrequency trip | Complete loss of forced reactor coolant flow (15.3.1) | (c) |
| E. STEAM GENERATOR TRIP | | |
| Low-low steam generator water level trip | Loss of normal feedwater flow (15.2.7) | (c) |
| | Feedwater System Malfunction (15.1.2) | |
| F. REACTOR TRIP ON A TURBINE TRIP | | |
| Reactor trip on turbine trip | Loss of external electrical load (15.2.2) | (c) |
| | Turbine trip (15.2.3) | |
| | Loss of nonemergency ac power to the station auxiliaries (15.2.6) | (c) |
| G. SAFETY INJECTION SIGNAL ACTUATION TRIP | | |
| Safety injection signal actuation trip | Inadvertent opening of a steam generator relief or safety valve (15.1.4) | (c) |
| H. MANUAL TRIP | | |
| Manual trip | Available for all accidents (chapter 15.) | (c) |

a. Trips are listed in order of discussion in section 7.2.
b. References refer to accident analyses presented in chapter 15.
c. Trip safety settings will be incorporated in the Technical Specifications.
REV 14 10/07 SETPOINT REDUCTION FUNCTION FOR OVERPOWER AND OVERTEMPERATURE ΔT TRIPS FIGURE 7.2.1-1
REV 14 10/07 REACTOR TRIP/ENGINEERED SAFETY FEATURES ACTUATION MECHANICAL LINKAGE FIGURE 7.2.1-2
VEGP-FSAR-7
REV 19 4/15

7.3 ENGINEERED SAFETY FEATURES SYSTEMS

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is
provided with adequate instrumentation and controls to sense accident situations and initiate
the operation of necessary engineered safety features (ESF). The occurrence of a limiting fault, such as a loss-of-coolant accident (LOCA) or a steam line break, requires a reactor trip plus
actuation of one or more of the ESF in order to prevent or mitigate damage to the core and
reactor coolant system (RCS) components and to ensure containment integrity.
To accomplish these design objectives the ESF system has proper and timely initiating signals which are to be supplied by the sensors, transmitters, and logic components making up the
various instrumentation channels of the engineered safety features actuation system (ESFAS).

7.3.1 NUCLEAR STEAM SUPPLY SYSTEM ESFAS

7.3.1.1 Introduction

The ESFAS uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded, and, if they are, combines the signals into logic matrix combinations
indicative of primary or secondary system boundary ruptures (Condition III or IV events). Once
the required logic combination is completed, the system sends actuation signals to the
appropriate ESF components. The ESFAS meets the requirements of General Design Criteria (GDC) 13, 20, 27, 28, and 38.

7.3.1.1.1 System Description

The ESFAS is a functionally defined system described in this section. The equipment which provides the actuation functions identified in paragraph 7.3.1.1.1.1 is listed below and discussed in this section. (For additional background information refer to references 1, 2, 3, 6, 7, 8, and 9.)
A. Process instrumentation and control system.(1)
B. Solid-state logic protection system.(2)
C. ESF test cabinet.(3)
D. Manual actuation circuits.

The ESFAS consists of two discrete portions of circuitry as follows:
A. An analog portion consisting of three to four redundant channels per parameter or variable to monitor various plant parameters such as the RCS and steam system pressures, temperatures, and flows and containment pressures.
B. A digital portion consisting of two redundant logic trains which receive inputs from the analog protection channels and perform the logic needed to actuate the ESF.

Each digital train is capable of actuating the ESF equipment required. The intent is that any single failure within the ESFAS shall not prevent system action when required.

7.3.1.1.1.1 Function Initiation. The specific functions which rely on the ESFAS for initiation are:
A. A reactor trip, provided one has not already been generated by the reactor trip system.
B. Cold leg injection isolation valves which are opened for injection of borated water by centrifugal charging pumps into the cold legs of the RCS.
C. Charging pumps, SI pumps, residual heat removal pumps, and associated valving which provide emergency makeup water to the cold legs of the RCS following a LOCA.
D. Containment air cooling units which cool the containment and limit the potential for release of fission products from the containment by reducing the pressure following an accident.
E. Those pumps which serve as part of the heat sink for containment cooling, e.g., nuclear service cooling water and component cooling water pumps.
F. Motor-driven auxiliary feedwater pumps and steam generator blowdown line isolation valve.
G. Phase A containment isolation which prevents fission product release (isolation of all lines not essential to reactor protection).
H. Steam line isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled RCS cooldown.
I. Main feedwater line isolation as required to prevent or mitigate the effect of excessive cooldown.
J. Start of the emergency diesels to ensure backup supply of power to emergency and supporting systems components.
K. Isolation of the control room intake ducts and normal heating, ventilation, and air-conditioning (HVAC) units and actuation of the control room emergency HVAC system to meet control room occupancy requirements following a LOCA.
L. Containment spray actuation which initiates containment spray to reduce containment pressure and temperature following a LOCA or steam line break accident inside of containment.
M. Reactor cavity post-accident purge units.
N. Containment purge isolation.
O. Actuation of the control building ESF safety feature electrical equipment room.
P. Isolation of the auxiliary building normal HVAC system and actuation of the auxiliary building emergency ventilation system.
Q. ESF-chilled water pumps and chillers.
R. Auxiliary feedwater pumphouse ESF HVAC systems.

7.3.1.1.1.1.1 Analog Initiating Circuitry. The process analog sensors and racks for the ESFAS are discussed in reference 1. Discussed in this report are the parameters to be
measured including pressures, flows, tank and vessel water levels, and temperatures, as well
as the measurement and signal transmission considerations. These latter considerations
include the transmitter, orifices and flow elements, and resistance temperature detectors, as
well as automatic calculations, signal conditioning, and location and mounting of the devices.

The sensors monitoring the primary system are located as shown on the piping flow diagrams in chapter 5. The secondary system sensor locations are shown on the steam system flow diagrams given in chapter 10.

Containment pressure is sensed by four physically separated differential pressure transmitters mounted by strong supports outside of the containment. These are connected to the containment atmosphere by a filled and sealed hydraulic transmission system. The distance
from penetration to transmitter is kept to a minimum, and separation is maintained. This
arrangement and the pressure sensors external to the containment form a double barrier and
conform to GDC 56 and Regulatory Guide 1.11.

7.3.1.1.1.1.2 Digital Initiating Circuitry. The ESF logic racks are discussed in detail in references 2, 6, 7, 8, and 9. The description includes the considerations and provisions for
physical and electrical separation as well as details of the circuitry. Reference 2 also covers
certain aspects of online test provisions, provisions for test points, considerations for the
instrument power source, and considerations for accomplishing physical separation. The
outputs from the analog channels are combined into actuation logic as shown in drawings 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, and 1X6AA02-519.
To facilitate ESF actuation testing, two-bay cabinets (one per train) are provided which enable operation, to the maximum practical extent, of safety feature loads on a group-by-group basis
until actuation of all devices has been checked. Final actuation testing is discussed in detail in
this section.

7.3.1.1.1.2 Logic. The outputs from the analog channels are combined into actuation logic as shown in drawings 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, and 1X6AA02-519. Sensing of the variables by the analog circuitry is discussed in reference 1 and
in section 7.2. Tables 7.3.1-1 and 7.3.1-2 give additional information pertaining to logic and
functions.

7.3.1.1.1.3 Bypasses, Interlocks, and Sequencing. The interlocks associated with the ESFAS are outlined in table 7.3.1-3. These interlocks satisfy the functional requirements, including those for operational bypasses (refer to P-11 in table 7.3.1-3) discussed in subsection 7.1.2. The functions of sequencing electrical equipment are not part of the ESFAS.

7.3.1.1.1.4 Redundancy and Diversity. The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment building penetrations, and
analog protection racks terminating at the redundant safeguards logic racks. The design meets
the requirements of GDC 20, 21, 22, 23, and 24.

7.3.1.1.1.5 Final Actuation Circuitry. The outputs of the solid-state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. Examples of these devices are:
A. Safety injection (identified also as emergency core cooling) system pump and valve actuators. See chapter 6 for flow diagrams and additional information.
B. Containment isolation phase A (CIA) signal isolates all nonessential process lines on receipt of SI signal. For further information see subsection 6.2.4.
C. Emergency fan coolers, air handling units, and water chillers. (See section 6.2.)
D. Nuclear service cooling water pump and valve actuators. (See section 9.2.)
E. Auxiliary feedwater pumps start. (See section 10.4.)
F. Emergency diesel generator start. (See section 8.3.)
G. Main feedwater isolation. (See section 10.4.)
H. Ventilation isolation valve and damper actuators. (See section 6.4.)
I. Steam line isolation valve actuators. (See section 10.3.)
J. Containment spray pump and valve actuators. (See section 6.2.)

If an accident is assumed to occur coincident with a loss of offsite power, the ESF loads are sequenced onto the diesel generators to prevent overloading them. This sequence is discussed
in chapter 8. The design meets the requirements of GDC 35.

7.3.1.1.2 Design Bases Information

The functional diagrams 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, and 1X6AA02-519 provide a graphic outline of the functional logic associated
with the ESFAS. Requirements for the ESF system are given in chapter 6. Given below is the design bases information required in Institute of Electrical and Electronics Engineers (IEEE)
279-1971.(4)

7.3.1.1.2.1 Plant Conditions. The following is a summary of those plant conditions requiring protective action:
A. Primary System
   1. Rupture in small pipes or cracks in large pipes.
   2. Rupture of an RCS (LOCA).
   3. Steam generator tube rupture.
B. Secondary System
   1. Minor secondary system pipe breaks resulting in steam release rates equivalent to the opening of a single dump, relief, or safety valve.
   2. Rupture of a major steam pipe.

7.3.1.1.2.2 Plant Variables. The following list summarizes the plant variables required to be monitored for the automatic initiation of SI during each accident identified in the preceding section. Post-accident monitoring requirements are given in table 7.5.2-1.
A. Primary System Accidents
   1. Pressurizer pressure.
   2. Containment pressure (not required for steam generator tube rupture).
B. Secondary System Accidents
   1. Pressurizer pressure.
   2. Steam line pressures.
   3. Containment pressure.

7.3.1.1.2.3 Spatially Dependent Variables. The only variable sensed by the ESFAS which has spatial dependence is reactor coolant temperature. The effect on the measurement is neutralized by electronic averaging.

7.3.1.1.2.4 Limits, Margins, and Levels. Prudent operational limits, available margins, and setpoints before onset of unsafe conditions requiring protective action are discussed in chapter 15 and the Technical Specifications.

7.3.1.1.2.5 Abnormal Events. The malfunctions, accidents, or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:
A. LOCA. (See chapter 15.)
B. Steam breaks. (See chapter 15.)
C. Earthquakes. (See chapters 2 and 3.)
D. Fire. (See subsection 9.5.1.)
E. Explosion-hydrogen buildup inside containment. (See subsection 6.2.5.)
F. Missiles. (See section 3.5.)
G. Flood. (See chapters 2 and 3.)

7.3.1.1.2.6 Minimum Performance Requirements. Minimum performance requirements are as follows:
A. System Response Times
The response time of each ESFAS function shown in Technical Specification Table 3.3.2-1 is shown in FSAR table 7.3.1-6. Response time verification for selected components may use the predetermined allocation values provided in FSAR table 7.3.1-7.
See paragraph 7.1.2.7A for a discussion of periodic response time verification.
The ESFAS response time is defined as the interval required for the ESF sequence
to be initiated subsequent to the time that the appropriate variable(s) exceed the
setpoint(s). The ESF sequence is initiated by the output of the ESFAS. This is
brought about by the operation of the dry contacts of the slave relays (600 and 700
series relays) in the output cabinets of the solid-state protection system. The
response times include the time interval between the time the parameter sensed by
the sensor exceeds the safety setpoint and the time the solid-state protection system
slave relay dry contacts are operated. These values are maximum allowable values consistent with the safety analyses and the Technical Specifications and are
systematically verified during plant preoperational startup tests. These maximum delay times include all compensation and therefore require that any such network be
aligned and operating during verification testing.
The ESFAS is always capable of having response time tests performed using the
same methods as those tests performed during the preoperational test program or
following significant component changes.
Maximum allowable time delays in generating the actuation signal for loss-of-coolant
protection are given in table 7.3.1-4.
Maximum allowable time delays in generating the actuation signal for secondary
system protection are given in table 7.3.1-5.
B. System Accuracies
Typical accuracies required for generating the required actuation signals for loss-of-coolant protection are given in table 7.3.1-4.
Typical accuracies required in generating the required actuation signals for secondary system protection are given in table 7.3.1-5.
C. Ranges of Sensed Variables
Typical ranges of sensed variables to be accommodated until conclusion of
protective action is ensured are given in table 7.3.1-4 for loss-of-coolant protection.
Typical ranges of sensed variables to be accommodated until conclusion of
protective action is ensured are given in table 7.3.1-5 for secondary system
protection.

7.3.1.1.3 Final System Drawings

The schematic diagrams for the system discussed in this section are identified in section 1.7.

7.3.1.2 Analysis

7.3.1.2.1 Failure Modes and Effects Analyses

Failure modes and effects analyses have been performed on ESF systems equipment within the Westinghouse scope of supply.(5) The balance of plant system interfacing with the ESF system equipment meets the failure modes and effects analyses interface requirements in WCAP-8760.(5) The VEGP balance of plant ESF systems, although not identical, have been designed to equivalent safety design criteria. Other FMEA are included in the pertinent sections of this report.

7.3.1.2.2 Compliance with Standards and Design Criteria

Discussions of GDC are provided in various sections of chapter 7 where a particular GDC is applicable. Conformance with certain IEEE standards is presented in subsection 7.1.2. Conformance with Regulatory Guide 1.22 is discussed in paragraph 7.1.2.5. The discussion given below shows that the ESFAS conforms with IEEE 279-1971.(4)

7.3.1.2.2.1 Single Failure Criteria. The discussion presented in paragraph 7.2.2.2.3 is applicable to ESFAS, with the following exception.
In the ESF, a loss of instrument power calls for actuation of ESF equipment controlled by the specific bistable that lost power (containment spray excepted). The actuated equipment must
have power to comply. The power supply for the protection systems is discussed in sections 7.6 and 8.3. For containment spray, the final bistables are energized to trip to avoid spurious
actuation. In addition, manual containment spray requires a simultaneous actuation of two
manual controls. This is considered acceptable because spray actuation on high-3 containment
pressure signal provides automatic initiation of the system via protection channels meeting the
criteria of reference 2. Moreover, two sets (two switches per set) of containment spray manual
initiation switches are provided to meet the requirements of IEEE 279-1971. Also, it is possible for all ESF equipment (e.g., valves and pumps) to be individually, manually actuated from the
control board. Hence, a third mode of containment spray initiation is available. The design
meets the requirements of GDC 21 and 23.

7.3.1.2.2.2 Equipment Qualification. Equipment qualifications are discussed in sections 3.10 and 3.11.

7.3.1.2.2.3 Channel Independence. The discussion presented in paragraph 7.2.2.2.3 is applicable. The ESF slave relay outputs from the solid-state logic protection cabinets are redundant, and the actuations associated with each train are energized up to and including the final actuators by the separate ac power supplies which power one logic train each.

7.3.1.2.2.4 Control and Protection System Interaction. The discussions presented in paragraph 7.2.2.2.3 are applicable.

7.3.1.2.2.5 Capability for Sensor Checks and Equipment Test and Calibration. The discussions of system testability in paragraph 7.2.2.2.3 are applicable to the sensor, analog circuitry, and logic trains of the ESFAS.

The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system.

7.3.1.2.2.5.1 Testing of ESFAS. The ESF systems are tested to provide assurance that the systems operate as designed and are available to function properly in the event of an accident.
The testing program meets the requirements of GDC 21 and Regulatory Guide 1.22 as
discussed in paragraph 7.1.2.5. The tests described herein and further discussed in subsection
6.3.4 meet the requirements on testing of the emergency core cooling system (ECCS) as stated in GDC 37, except for the operation of those components that will cause an actual safety
injection. The test, as described, demonstrates the performance of the full operational
sequence that brings the system into operation, the transfer between normal and emergency
power sources, and the operation of associated cooling water systems. The safety injection
and residual heat removal pumps are started and operated and their performance verified in a
separate test discussed in subsection 6.3.4. When the pump tests are considered in
conjunction with the ECCS test, the requirements of GDC 37 on testing of the ECCS are met as
closely as possible without causing an actual safety injection.
Testing, as described in subsections 6.3.4 and 7.2.2 and herein, provides periodic testability during reactor operation of all logic and components associated with the ECCS. This design
meets the requirements of Regulatory Guide 1.22 as discussed in the above sections. The
program is as follows:
A. Prior to initial plant operations, ESF system tests are conducted.
B. Subsequent to initial startup, ESF system tests are conducted on one train ON A STAGGERED TEST BASIS during each regularly scheduled refueling outage.
C. During online operation of the reactor, all of the ESF analog and digital circuitry are fully tested. In addition, essentially all of the ESF final actuators are fully tested. The remaining few final actuators whose operation is not compatible with continued online plant operation are checked by means of continuity testing.
D. During normal operation, the operability of testable final actuation devices of the ESF systems is tested by manual initiation from the control room.

7.3.1.2.2.5.2 Performance Test Acceptability Standard for the "SI" (Safety Injection Signal) and for the "CS" (Containment Spray Actuation) Actuation Signals Generation. During reactor
operation the basis for ESFAS acceptability is the successful completion of the overlapping
tests performed on the initiating system and the ESFAS. (See figure 7.3.1-1.) Checks of
process indications verify operability of the sensors. Analog checks and tests verify the
operability of the analog circuitry from the input of the analog circuits up to and including the
logic input relays except for the input relays associated with the containment spray function
which are tested during the solid-state logic testing. Solid-state logic testing also checks the
digital signal path from and including logic input relay contacts through the logic matrices and
master relays and performs continuity tests on the coils of the output slave relays; final actuator
testing operates the output slave relays and verifies operability of those devices which require
safeguards actuation and which can be tested without causing plant upset. A continuity check
is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and by visual observation that the appropriate pump motor
breakers close and automatic valves have completed their travel.
The basis for acceptability for the ESF interlocks is control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint. Maintenance checks (performed during regularly scheduled refueling outages), such as resistance to ground of signal cables in radiation environments, are based on qualification test data which identifies what constitutes acceptable radiation degradation.

7.3.1.2.2.5.3 Frequency of Performance of ESFAS. During reactor operation, complete system testing (excluding sensors or those devices whose operation would cause plant upset)
is performed periodically as specified in the Technical Specifications. Testing, including the
sensors, is also performed during scheduled plant outages for refueling.

7.3.1.2.2.5.4 ESF Actuation Test Description. The following sections describe the testing circuitry and procedures for the online portion of the testing program. The guidelines used in developing the circuitry and procedures are:
A. The test procedures must not involve the potential for damage to any plant equipment.
B. The test procedures must minimize the potential for accidental tripping.
C. The provisions for online testing must minimize complication of ESF actuation circuits so that their reliability is not degraded.

7.3.1.2.2.5.5 Description of Initiation Circuitry. Several systems comprise the total ESF system, the majority of which may be initiated by different process conditions and be reset
independently of each other.
The functions listed in paragraph 7.3.1.1.1.1 (excluding items H and L) are initiated by a common signal (Safety Injection) which in turn may be generated by different process
conditions.
In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling water, and nuclear service cooling water, is initiated by the safety injection signal.
Each function is actuated by a logic circuit which is duplicated for each of the two redundant
trains of ESF initiation circuits.
The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master, and slave relays are mounted in two
redundant and independent solid-state logic protection cabinets designated train A and train B.
The master and slave relay circuits operate various pump and fan circuit breakers or motor
starters, motor-operated valve starters, solenoid-operated valves, emergency generator starting
equipment, and other ESF actuation devices.

7.3.1.2.2.5.6 Analog Testing. Analog testing is identical to that used for reactor trip circuitry and is described in paragraph 7.2.2.2.3.
An exception to this is containment spray, which is energized to actuate two out of four and reverts to two out of three when one channel is in test.

7.3.1.2.2.5.7 Solid-State Logic Testing. Except for containment spray channels, solid-state logic testing is the same as that discussed in paragraph 7.2.2.2.3. During logic testing of one train, the other train can initiate the required ESF function. For additional details, see references 2, 6, 7, 8, and 9.

7.3.1.2.2.5.8 Actuator Testing. At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been
accomplished. The ESFAS logic slave relays in the solid-state protection system output
cabinets are subjected to coil continuity tests by the output relay tester in the solid-state
protection system cabinets. Slave relays (e.g., K601 and K602) do not operate because of
reduced voltage applied to their coils by the mode selector switch (test/operate). A multiple
position master relay selector switch selects the master relays and corresponding slave relays
to which the coil continuity test voltage is applied. The master relay selector switch is returned
to off before the mode selector switch is returned to off. The mode selector switch is placed
back in the operate mode. However, failure to do so does not result in defeat of the protective
function. The ESFAS slave relays are activated during the testing by the online test cabinet, so
that overlap testing is maintained.
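
The containment spray voting described under Analog Testing (two out of four, two out of three with one channel in test, energized to trip) and the loss-of-instrument-power rule in paragraph 7.3.1.2.2.1 can be checked exhaustively with a small model. This is an added example, not part of the FSAR: the Channel class, the function names, and the two-out-of-N coincidence used for the non-spray path are assumptions made for illustration.

```python
"""Constructed model of ESFAS-style coincidence voting (illustration only)."""
from dataclasses import dataclass
from itertools import product

N_CHANNELS = 4  # containment spray: four channels, two-out-of-four
NEEDED = 2      # coincidence needed to actuate


@dataclass(frozen=True)
class Channel:
    demand: bool           # sensed variable is beyond its setpoint
    powered: bool = True   # instrument power available to the bistable
    in_test: bool = False  # channel taken out of the vote for analog testing


def spray_bistable(ch):
    """Energized to trip: without power the bistable cannot call for spray."""
    return ch.powered and ch.demand


def failsafe_bistable(ch):
    """Other ESF functions: loss of instrument power calls for actuation."""
    return (not ch.powered) or ch.demand


def spray_vote(channels):
    """Two-out-of-four; a channel in test drops out, leaving two-out-of-three."""
    in_service = [ch for ch in channels if not ch.in_test]
    return sum(spray_bistable(ch) for ch in in_service) >= NEEDED


def failsafe_vote(channels):
    """Assumed two-out-of-N coincidence; in_test is not modelled on this path."""
    return sum(failsafe_bistable(ch) for ch in channels) >= NEEDED


def esf_actuates(channels, vote, trains_available=(True, True)):
    """Either redundant logic train can actuate from the same channel inputs."""
    return any(trains_available) and vote(channels)


def single_failure_violations():
    """Real demand on every channel. Sweep every combination of: one channel
    in test (or none), one channel without power (or none), one logic train
    out for testing (or none). Return the cases where spray fails to actuate."""
    violations = []
    pick = [None] + list(range(N_CHANNELS))
    for tested, dead, train_out in product(pick, pick, (None, 0, 1)):
        channels = [
            Channel(demand=True, powered=(i != dead), in_test=(i == tested))
            for i in range(N_CHANNELS)
        ]
        trains = tuple(t != train_out for t in (0, 1))
        if not esf_actuates(channels, spray_vote, trains):
            violations.append((tested, dead, train_out))
    return violations


def spurious_on_power_loss(vote, n_dead):
    """No real demand; n_dead channels lose instrument power. Actuation?"""
    channels = [
        Channel(demand=False, powered=(i >= n_dead)) for i in range(N_CHANNELS)
    ]
    return esf_actuates(channels, vote)


if __name__ == "__main__":
    print("single-failure violations:", single_failure_violations())
    for n in range(N_CHANNELS + 1):
        print(
            f"{n} channel(s) without power, no demand:",
            "spray =", spurious_on_power_loss(spray_vote, n),
            "| fail-safe function =", spurious_on_power_loss(failsafe_vote, n),
        )
```

With one channel in test and a second without power, the two remaining spray channels must both trip, so the sweep passes with no margin left for a further channel failure.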
The ESFAS final actuation device or actuated equipment testing is performed from the engineered safeguards test cabinets. These cabinets are located near the solid-state logic protection system equipment. There is one set of test cabinets provided for each of the two
protection trains A and B. Each set of cabinets contains individual test switches necessary to
actuate the slave relays. To prevent accidental actuation, test switches are of the type that
must be rotated and then depressed to operate the slave relays. Assignments of contacts of
the slave relays for actuation of various final devices or actuators have been made such that
groups of devices or actuated equipment can be operated individually during plant operation
without causing plant upset or equipment damage. In the unlikely event that a safety injection
signal is initiated during the test of the final device that is actuated by this test, the device will
already be in its safeguards position.
During this last procedure, close communication between the main control room operator and the tester at the test cabinet is required. Prior to the energizing of a slave relay, the operator in
the main control room ensures that plant conditions permit operation of the equipment that is
actuated by the relay. After the tester has energized the slave relay, the main control room
operator observes that all equipment has operated as desired using the appropriate indicating
lamps, monitor lamps, and annunciators on the control board and records all operations. The
operator then resets all devices and prepares for operation of the next slave relay actuated
equipment.

By means of the procedure outlined above, all ESF devices actuated by ESFAS initiation circuits, with the exceptions noted in paragraph 7.1.2.5 under a discussion of Regulatory Guide 1.22, are operated by the automatic circuitry.

7.3.1.2.2.5.9 Actuator Blocking and Continuity Test Circuits. Those few final actuation devices that cannot be designed to be actuated during plant operation (discussed in paragraph
7.1.2.5) have been assigned to slave relays for which additional test circuitry has been provided
to individually block actuation of a final device upon operation of the associated slave relay
during testing. Operation of these slave relays, including contact operations and continuity of
the electrical circuits associated with the final devices' control, is checked in lieu of actual
operation. The circuits provide for monitoring of the slave relay contacts, the devices' control
circuit cabling and control voltage, and the devices' control actuation solenoids. Interlocking
prevents blocking the output from more than one output relay in a protection train at a time.
Interlocking between trains is also provided to prevent continuity testing in both trains
simultaneously; therefore, the redundant device associated with the protection train not under
test is available in the event protective action is required. If an accident occurs during testing, the automatic actuation circuitry overrides testing as noted above. One exception to this is if the accident occurs while testing a slave relay whose output must be blocked, those few final
actuation devices associated with this slave relay are not actuated; however, the redundant
devices in the other train are operational and perform the required safety function. Actuation
devices to be blocked are identified in paragraph 7.1.2.5.
The continuity test circuits for these components that cannot be actuated online are verified by providing lights on the engineered safeguards test cabinets.
The typical schemes for blocking operation of selected protection function actuator circuits are shown in figure 7.3.1-2 as details A and B. The schemes operate as explained below and are
duplicated for each safeguards train.
Detail A shows the circuit for contact closure for protection function actuation. Under normal plant operation with equipment not under test, the test lamps DS* for the various circuits are
energized, verifying that the blocking functions are not in use. Typical circuit path is through the normally closed test relay contact K8* and through test lamp connections one to three. Coils X1 and X2 are capable of being energized for protection function actuation upon closure of solid-state logic output relay contacts K*. Coil X1 is typical for a motor control center starter coil, and X2 is typical for a breaker closing auxiliary coil, motor starter master coil, coil of a solenoid valve, auxiliary relay, etc. When the contacts K8* are opened to block energizing of coil X1 or X2, the white lamp is deenergized, and the slave relay K* may be energized to perform
continuity testing. The continuity test is performed by depressing the test lamp assembly and observing that the test lamp lights. The circuit path is through test lamp connections two to one (contact K8* open), through relay contact K*, and finally through actuator coil X1 or X2.
Sufficient current flows in the circuit to cause the test lamp to light, but the current is insufficient to cause coil X1 or X2 to operate. When the K* relay is reset, depressing the lamp assembly
does not cause the lamp to light. After the K8* relay is reset, the test lamp lights, verifying that
the blocking action is removed and the circuit is in its normal operable condition.
Detail B shows the circuit for contact opening for protection function actuation. Under normal plant operation with equipment not under test for 125 V-dc actuation devices, the white test
lamps DS* for the various circuits are energized, and green test lamps DS* are deenergized.
Typical circuit path for white lamp DS* is through the normally closed solid-state logic output relay contact K*. Coil Y2 is typical for a solenoid valve coil, auxiliary relay, etc. When the
contact K8* is closed to block deenergizing of coil Y2, the green test lamp is energized and the
slave relay K* may be energized to verify operation (opening of its contacts). Opening of the K*
contact is verified by the white lamp DS* deenergizing. When the K* relay is reset, the white
lamp DS* reenergizes, verifying that the K* relay contact has closed. After the K8* relay is
reset, the green test lamp should be deenergized, which verifies that the circuit is now in its
normal (i.e., operable) position. 7.3.1.2.2.5.10 Time Required for Testing. It is estimated that analog testing can be performed at a rate of several channels per hour. Logic testing of both trains A and B can be
performed in less than 30 min. Testing of actuated components, including those which can only
be partially tested, will be a function of control room operator availability. It is expected to require several shifts to accomplish these tests. Automatic actuation circuitry overrides testing, except for those few devices associated with a single slave relay whose outputs must be
blocked and then only while blocked. It is anticipated that continuity testing associated with a
blocked slave relay could take several minutes. During this time the redundant devices in the
other trains would be functional.

7.3.1.2.2.5.11 Summary of Online Testing Capabilities. The procedures described provide capability for complete checking from the process signal to the logic cabinets and from there to
the individual pump and fan circuit breakers or starters, valve starters, pilot solenoid valves, and
other equipment including all field cabling actually used in the circuitry called upon to operate for
an accident condition. For those few devices whose operation could adversely affect plant or
equipment operation, the same procedure provides for checking from the process signal to the
logic rack. To check the final actuation device, a continuity test of the individual control circuits
is performed.
The procedures require testing at various locations:
A. Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.
B. Logic testing through operation of the master relays and low voltage application to slave relays is done at the solid-state protection system logic rack test panel.
C. Testing of pumps, fans, and valves is done at the engineered safeguards cabinet test panel located near the solid-state protection system logic racks in combination with the control room operator.
D. Continuity testing for those circuits that cannot be operated is done at the same test cabinet mentioned in item C above.
The reactor coolant pump essential service isolation valves consist of the isolation valves for the
auxiliary component cooling water return and the seal water return header.
The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although pump damage from this type of test would not result in a situation which endangers the health and safety of the public, it could result in unnecessary shutdown of the
reactor for an extended period of time while the reactor coolant pump or any of its components
are replaced.
Containment spray system pump tests are performed periodically. The pump tests are performed with the isolation valves in the spray pump discharge lines closed. The valves are tested with the pump stopped.

7.3.1.2.2.5.12 Testing During Shutdown. ECCS tests are performed periodically in accordance with the Technical Specifications with the RCS isolated from the ECCS by closing the appropriate valves. A test safety injection signal will then be applied to initiate operation of active components (pumps and valves) of the ECCS. This is in compliance with GDC 37.

7.3.1.2.2.5.13 Periodic Maintenance Inspections. The maintenance procedures which follow are accomplished in accordance with applicable plant procedures. The frequency depends on
the operating conditions and requirements of the reactor power plant. If any degradation of
equipment operation is noted, either mechanically or electrically, remedial action is taken to
repair, replace, or readjust the equipment. Optimum operating performance must be achieved
at all times.
Typical maintenance procedures include the following:
A. Check cleanliness of all exterior and interior surfaces.
B. Check all fuses for corrosion.
C. Inspect for loose or broken control knobs and burned out indicator lamps.
D. Inspect for moisture and check the condition of cables and wiring.
E. Mechanically check all connectors and terminal boards for looseness, poor connection, or corrosion.
F. Inspect the components of each assembly for signs of overheating or component deterioration.
G. Perform complete system operating check.

The balance of the requirements listed in reference 1 (sections 4.11 through 4.22) are discussed in paragraph 7.2.2.2.3. Section 4.20 receives special attention in section 7.5.

7.3.1.2.2.6 Manual Resets and Blocking Features. The manual reset feature is provided in the standard design of the Westinghouse solid-state protection system design for two basic purposes:
A. The feature permits the operator to start an interruption procedure in the event of false actuation.
B. Although system actuation is automatic, the reset feature enables the operator to start a manual takeover of the system to handle unexpected events which can be better dealt with by operator appraisal of changing conditions following an accident.
It is most important to note that manual control of the system does not occur once actuation has
begun by just resetting the associated logic devices alone. Components seal in (latch) so that
removal of the actuate signal, in itself, neither cancels nor prevents completion of protective
action nor provides the operator with manual override of the automatic system by this single action. In order to take complete control of the system to interrupt its automatic operation, the
operator must manually unlatch relays which have latched the initial actuation signals in the
associated motor control centers, and trip the pump motor circuit breakers.
The manual reset feature, therefore, does not perform a bypass function. It is merely the first of several manual operations required to take control of the automatic system should such an
action be considered necessary.
In the event that the operator anticipates system actuation and erroneously concludes that it is undesirable or unnecessary and imposes a standing reset condition in one train by operating and holding the corresponding reset switch at the time the actuation signal is transmitted, the
other train will automatically carry the protective action to completion. In the event that the reset
condition is imposed simultaneously in both trains at the time the actuation signals are generated, the automatic sequential completion of system action is interrupted and control is
taken by the operator. Manual takeover will be maintained, even though the reset switches are released, if the original initiate signal exists. Should the initiate signal then clear and return
again, automatic system actuation will repeat.
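
The reset and seal-in behaviour described in the preceding paragraphs, modelled as a small two-train state machine. This is an added example, not taken from the FSAR or from the vendor's design documents; the class, method, and field names are hypothetical, and the edge-triggered latch is an assumption chosen to reproduce the behaviour the text describes.

```python
"""Toy model of the seal-in and manual-reset behaviour described above.

Added illustration: all names are hypothetical and the logic is a
simplification of the prose, not the plant's actual circuitry.
"""
from dataclasses import dataclass


@dataclass
class Train:
    name: str
    logic_latched: bool = False      # actuation latched in the logic output relays
    equipment_running: bool = False  # component-level seal-in (assumed boolean)
    _prev_initiate: bool = False     # previous scan's initiate signal

    def step(self, initiate: bool, reset_held: bool = False) -> bool:
        """Advance one scan; return True if this train's equipment is running."""
        rising_edge = initiate and not self._prev_initiate
        self._prev_initiate = initiate
        if reset_held:
            # Reset clears the logic latch and masks a coincident new actuation.
            self.logic_latched = False
        elif rising_edge:
            # Assumption: the latch sets only when the initiate signal appears.
            self.logic_latched = True
        if self.logic_latched:
            # Components seal in; removing the actuate signal does not drop them.
            self.equipment_running = True
        return self.equipment_running

    def unlatch_and_trip(self) -> None:
        """Operator unlatches component relays and trips breakers individually."""
        self.equipment_running = False


def protective_action(trains) -> bool:
    """Protective action is carried out if at least one redundant train runs."""
    return any(t.equipment_running for t in trains)


def scenario_reset_after_actuation():
    """Reset once actuation has begun: logic clears, equipment keeps running."""
    a = Train("A")
    a.step(initiate=True)
    a.step(initiate=True, reset_held=True)
    return a.logic_latched, a.equipment_running   # (False, True)


def scenario_reset_held_one_train():
    """Standing reset in train A only: train B completes the action."""
    a, b = Train("A"), Train("B")
    a.step(True, reset_held=True)
    b.step(True)
    return a.equipment_running, protective_action([a, b])  # (False, True)


def scenario_reset_held_both_trains():
    """Standing reset in both trains, then release, clear, and return."""
    trains = [Train("A"), Train("B")]
    timeline = [          # constructed (initiate, reset_held) sequence
        (True, True),     # reset held in both trains as the signal arrives
        (True, False),    # switches released, original initiate still present
        (False, False),   # initiate signal clears
        (True, False),    # initiate signal returns
    ]
    observed = []
    for initiate, reset in timeline:
        for t in trains:
            t.step(initiate, reset)
        observed.append(protective_action(trains))
    return observed       # [False, False, False, True]
```

The first scenario shows why the reset is not a bypass: only `unlatch_and_trip`, a separate per-component operator action, stops equipment that has already sealed in.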
Note also that any time delays imposed on the system action are to be applied after the initiating signals are latched. Delay of actuation signals for fluid systems lineup, load sequencing, and
other operations are not sufficient to allow the operator time to interrupt automatic completion
with manual reset alone, as would be necessary if the time delay was imposed prior to latching
of the initial actuation signal.
The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during plant startup.
These block features meet the requirements of section 4.12 of IEEE 279-1971, in that automatic
removal of the block occurs when plant conditions require the protection system to be
functional.
If a steam line rupture occurs while both of these safety injection actuation signals are blocked, steam line isolation will occur on high negative steam pressure rate. An alarm for steam line
isolation will alert the operator of the accident.
For large loss-of-coolant accidents (LOCAs), sufficient mass and energy would be released to the containment to automatically actuate safety injection when the containment high pressure setpoint (high-1) is reached. Additionally, the operator would be alerted to the occurrence of a LOCA by the following safety-related indications:
A. Loss of pressurizer level (a low level alarm is provided).
B. Rapid decrease of reactor coolant system pressure.
C. Increase in containment pressure.

In addition to the above, the following indications are normally available to the operator at the control board:
A. Radiation alarms.
B. Increase in sump water level.
C. Decrease off scale of accumulator water levels and decrease in pressure (a low water level alarm and low pressure alarm is provided for each accumulator).
D. ECCS valve and pump position indication, status lights, and annunciators.
E. Flow from ECCS pumps.
For very small LOCAs (approximately less than 2-in. diameter) in which the containment high pressure setpoint may not be reached, the operator would observe the safety-related indications plus the first two normally available indications. In addition, a charging flow/letdown mismatch would provide the operator with another indication of leakage from the reactor coolant system.
Since the operator would observe the pressurizer level and receive additional indications that a LOCA occurred, a manual safety injection would be initiated immediately. As presented in
WCAP-8356, the time to uncover the core following a small break is relatively long (e.g., greater
than 10 min for a 2-in. break). The operator would, therefore, have sufficient time to manually
initiate safety injection.
As part of WCAP-10599, ERG Validation Program Final Report, June 1984, a simulator response to a LOCA with safety injection blocked is included. Although this was a substantial
sized LOCA, the operator actions for this LOCA are more limiting than those for a small-break LOCA, and therefore bound the small-break LOCA. Sufficient operator action time was available to perform the necessary actions to mitigate the consequences of this event.

7.3.1.2.2.7 Manual Initiation of Protective Actions (Regulatory Guide 1.62). There are eight individual main steam stop valve momentary control switches (two per loop) mounted on the control board. Each switch, when actuated, will isolate one of the main steam lines. In addition, there are two system level switches. Each switch actuates all eight main steam line isolation valves and associated bypass valves at the system level.
Manual initiation of switchover to recirculation is in conformance with section 4.17 of IEEE 279-1971 with the following comment.
Manual initiation of containment isolation consists of two momentary control switches mounted on the control board. Each switch, when actuated, will provide for actuation of containment isolation (as well as containment ventilation isolation).
Manual initiation of containment spray consists of four momentary control switches mounted on the control board. Actuation of containment spray and resultant containment ventilation
isolation will occur only if two associated control switches are operated simultaneously.
Manual initiation of either one of two redundant safety injection actuation main control board-mounted switches provides for actuation of the components required for reactor protection and
mitigation of adverse consequences of the postulated, modify accident, including delayed
actuation of sequence-started emergency electrical loads, as well as for the cold leg
recirculation mode following a loss of primary coolant accident. Therefore, once safety injection
is initiated, those components of the ECCS (see section 6.3) which are realigned as part of the
semiautomatic switchover go to completion on refueling water storage tank low-low water level
without any manual action. Manual operation of other components or manual verification of proper position as part of emergency procedures is not precluded nor otherwise in conflict with
the above described conformance to section 4.17 of IEEE 279-1971 of the semiautomatic
switchover circuits.
No exception to the requirements of IEEE 279-1971 has been taken in the manual initiation circuit of safety injection. Although section 4.17 of IEEE 279-1971 requires that a single failure
within common portions of the protective system shall not defeat the protective action by manual or automatic means, the standard does not specifically preclude the sharing of initiated circuitry
logic between automatic and manual functions. It is true that the manual safety injection
actuation associated with one safety train (e.g., train A) shares portions of the automatic
actuation circuitry of the same train; however, a single failure in shared functions does not
defeat the protective action of the redundant actuation train (e.g., in this case train B). A single
failure in shared functions does not defeat the protective action of the safety function. It is
further noted that the sharing of the logic by manual and automatic actuation is consistent with
the system level action requirements of section 4.17 of IEEE 279-1971 and with the
minimization of complexity.

7.3.1.2.2.8 Further Considerations. In addition to the considerations given above, a loss of instrument air or loss of component cooling water to vital equipment has been considered.
Neither the loss of instrument air nor the loss of component cooling water (assuming no other accident conditions) can cause safety limits given in the Technical Specification to be exceeded.
Likewise, loss of either one of the two will not adversely affect the core or the reactor coolant
system nor will it prevent an orderly shutdown if this is necessary. Furthermore, all pneumatically operated valves and controls will assume a safe operating position upon loss of instrument air. It is also noted that, for conservatism during the accident analysis (chapter 15), credit is not taken for the instrument air system nor any control system being operable.
The design does not provide any circuitry which will directly trip the reactor coolant pumps on a loss of auxiliary component cooling water. Indication in the control room is provided whenever auxiliary component cooling water is lost. The reactor coolant pumps can run about 10 min
after a loss of auxiliary component cooling water. This provides adequate time for the operator
to correct the problem or trip the plant if necessary.
In regard to the auxiliary feedwater system refer to subsection 7.3.7.

7.3.1.2.3 Summary
The effectiveness of the ESFAS is evaluated in chapter 15, based on the ability of the system to contain the effects of condition III and IV events, including loss-of-coolant and steam break
accidents. The ESFAS parameters are based upon the component performance specifications
which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system. The ESFAS must detect Condition III and IV events and generate signals which actuate the ESF. The system must sense the accident condition and generate the signal actuating the
protection function reliably and within a time determined by and consistent with the accident
analyses in chapter 15.
The ESF actuating signals, once generated, are latched in the actuation logic output relays and remain active until the manual reset is performed by the operator. Such reset will not reverse
the actuation of any ESF equipment, all of which will remain in its emergency mode until
deenergized by the operator on an individual basis. For details see the logic diagrams
referenced in section 1.7.
Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with ESF. This includes the time required for switching and bringing
pumps and other equipment to speed and the time required for them to take load.
Operating procedures require that the complete ESFAS normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that
are out of service are to be placed in the tripped mode or in the case of containment spray, in
the bypass mode.

7.3.1.2.3.1 Loss-of-Coolant Protection. By the analysis of LOCA and in system tests, it has been verified that except for very small reactor coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCAs are reliably detected by the low pressurizer pressure signal; the ECCS is actuated in
time to prevent or limit core damage.
For large coolant system breaks the passive accumulators inject first, because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating
the active ECCS equipment.
High containment pressure also actuates the ECCS. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system
break; that is, the ESFAS detects the leakage of the reactor coolant into the containment. Then generation time of the actuation signal of about 1.5 s after detection of the consequences of the accident is adequate.
Containment spray will provide additional emergency cooling of containment and also limit fission product releases upon sensing elevated containment pressure (high-3) to mitigate the effects of a LOCA.
The delay time between detection of the accident condition and the generation of the actuation signal for the system is assumed to be about 1.0 s. However, this time is short as compared to
that required for startup of the fluid systems.
The analyses in chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide
reliable and timely protection against the effects of loss-of-coolant.

7.3.1.2.3.2 Steam Line Break Protection. The ECCS is also actuated to protect against a steam line break. About 2.0 s elapse between sensing low steam line pressure and generation of the actuation signal. Analysis of steam line break accidents assuming this delay for signal
generation shows that the ECCS is actuated for a steam line break in time to limit or prevent
further core damage for steam line break cases.
Additional protection against the effects of steam line break is provided by feedwater isolation which occurs upon actuation of the ECCS. Feedwater line isolation is initiated to prevent excessive cooldown of the reactor vessel and thus protect the reactor coolant system.
Additional protection against a steam line break accident is provided by closure of all steam line isolation valves to prevent uncontrolled blowdown of all steam generators. The generation of the protection system signal (from high negative steam pressure rate) (about 2.0 s) is again
short as compared to the time required to close the fast acting steam line isolation valves (approximately 5 s).
In addition to actuation of the ESF, the steam line break accident results in a reactor trip. The core reactivity is further reduced by borated water injected by the ECCS.
The analyses in chapter 15 of the steam line break accidents and an evaluation of the protection system instrumentation and channel design show that the ESFAS is effective in
preventing or mitigating the effects of a steam line break accident.

7.3.1.3 References
1. Reid, J. B., "Process Instrumentation for Westinghouse Nuclear Steam Supply System (4 Loop Plant Using WCID 7300 Series Process Instrumentation)," WCAP-7913, March 1973.
2. Katz, D. N., "Solid State Logic Protection System Description," WCAP-7488-L (Proprietary) and WCAP-7672 (Nonproprietary), June 1971. (Additional background information only).
3. Swogger, J. W., "Testing of Engineered Safety Features Actuation System," WCAP-7705, Revision 2, January 1976. (Information only, i.e., not a generic topical WCAP.)
4. The Institute of Electrical and Electronics Engineers, Inc., "IEEE Standard: Criteria for Protection System for Nuclear Power Generating Stations," IEEE 279-1971.
5. Mesmeringer, J. C., "Failure Mode and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System" WCAP-8584, Revision 1 (Proprietary), and WCAP-8760, Revision 1 (Nonproprietary), February 1980.
6. WCAP-16769-P Revision 1, "Westinghouse SSPS Universal Logic Board Replacement Summary Report 6D30225G01/G02/G03/G04."
7. WCAP-16770-P Revision 0, "Westinghouse SSPS Safeguards Driver Board Replacement Summary Report 6D30252G01/G02."
8. WCAP-16771-P Revision 0, "Westinghouse SSPS Undervoltage Driver Board Replacement Summary Report 6D30350G01/G02."
9. WCAP-16772-P Revision 0, "Westinghouse SSPS Semi-Automatic Tester Board Replacement Summary Report 6D30520G01/G02/G03/G04/G05."

7.3.2 EMERGENCY CORE COOLING SYSTEM
7.3.2.1 Description
7.3.2.1.1 System Description
An important engineered safety feature (ESF) is the emergency core cooling system which includes a collection of fluid system components described as the safety injection system (SIS).
Refer to section 6.3 for a description and analysis of the system. Portions of the SIS which are
actuated by the ESFAS include these components:
A. Residual heat removal/low-head safety injection (SI) pumps in both trains.
B. Charging pumps/high-head SI pumps in both trains.
C. Air-operated isolation valves. These include isolation valves for accumulators fill line, test.
D. Motor-operated isolation valves. These include 8808A, 8808B, 8808C, and 8808D for the accumulators.
E. A flow diagram description is shown in figure 6.3.2-1. The principal description and evaluation of this system is provided in section 6.3.

7.3.2.1.1.1 Initiating Circuits and Logic. The function of initiation of SI is described in paragraph 7.3.1.1.1 with specific functions identified in table 7.3.1-2. The logic for the initiation of SI is shown in drawings 1X6AA02-232 and 1X6AA02-519.

7.3.2.1.1.2 Bypass, Interlocks, and Sequencing. There are no operating or online testing bypasses provided for the SI pump motors or valve operators. The associated interlocks are described in section 7.6. The pump motors for high-head SI and low-head SI are sequenced as shown in drawings 1X3D-AA-K02A and 1X3D-AA-K02B.

7.3.2.1.1.3 Redundancy and Diversity. The system is composed of redundant trains A and B. The instrumentation and controls of the components and equipment in train A are physically and electrically separate and independent of the instrumentation and controls of the
components and equipment in train B. The redundancy and independence provided between
safety trains A and B are adequate to maintain equipment functional capabilities following
design bases events.

7.3.2.1.1.4 Status Indication and Display. Pumps and valves which are an integral part of or associated with the engineered safeguards (used for injection, containment spray, and
recirculation) have an operation/position status light.
ESF remote-operated valves have position indication on the control board in two places to show proper positioning of the valves. Red and green indicator lights are located next to the manual
control station showing open and closed positions. The ESF (SI) positions of these valves are
displayed by an energized light on the monitor light panels, which consist of an array of white
lights which are off when the valves are in their normal or required positions for power
operations. The monitor lights for automatically actuated valves are energized when the valve is in the automatically actuated position. For the centrifugal charging pump alternate minimum
flow valves (HV-8508A and B), the monitor panel lights indicate that the valves are in the
enabled mode; therefore, valve position is indicated only at the handswitches. These monitor
lights thus enable the operator to quickly assess the status of the ESF systems. These
indications are derived from contacts integral to the valve operators. The circuits for the ESF
monitor lights are classified as associated circuits and have electrical and physical separation.
In the cases of the accumulator isolation valves, redundancy of position indication is provided
by valve stem-mounted limit switches which actuate annunciators on the control board when the valves are not correctly positioned for ESF actuation.
The stem-mounted switches for the accumulator isolation valves are independent of the limit switches in the motor operator.

7.3.2.1.1.5 Support Systems. The following systems are required for support of the ESF:
A. Nuclear service cooling water system. (See subsection 9.2.1.)
B. Component cooling water system. (See subsection 9.2.2.)
C. Electrical power distribution systems. (See chapter 8.)

7.3.2.1.2 Design Basis Information. Refer to section 6.3.

7.3.2.1.3 Final System Drawings. Refer to section 6.3.

7.3.2.2 Analysis
Refer to chapter 15 and section 6.3.

7.3.3 CONTAINMENT COMBUSTIBLE GAS CONTROL SYSTEM
7.3.3.1 Description
The concentration of hydrogen in the containment atmosphere is monitored by the hydrogen monitor system described in subsection 6.2.5.
The containment combustible gas control equipment (described briefly below and more completely in subsection 6.2.5) maintains this hydrogen concentration below the minimum concentration capable of combustion.

7.3.3.1.1 System Description
A. Subsystems
1. Hydrogen monitors.
2. Hydrogen recombiners.
3. Post-loss-of-coolant accident (post-LOCA) purge exhaust system.
4. Post-LOCA cavity purge system.
5. Containment cooling system fans.
B. Initiating Circuits
The containment combustible gas control equipment (table 7.3.3-1) is operated
manually from control switches located in the main control room or at local stations.
It is not necessary for the monitor, recombiner, or purge equipment to be initiated
automatically because it would take approximately 7 days for the hydrogen
concentration to reach the control limit of 4-percent hydrogen by volume with no
hydrogen reduction system in operation. The containment cooler fans start
automatically and run at slow speed upon receipt of a safety injection signal (SIS).
(See subsection 7.3.11.) The post-LOCA cavity purge system starts automatically on SIS.
C. Logic
The combustible gas control system is manually controlled, except for items under automatic start mentioned in paragraph 7.3.3.1.1.B above, as shown in drawings 1X5DN013-4, 1X5DN015-1, 1X5DN017-2, 1X5DN013-1, 1X5DN013-2 and 1X5DN013-4.
D. Bypass
Indication of system bypass is provided as described in section 7.5. The
containment isolation system (CIS) isolates the purge exhaust lines which can
manually be reopened when necessary.
E. Interlocks
There are no interlocks on these controls.
F. Sequencing
On SIS or loss of offsite power coincident with SIS, the containment fan coolers are sequenced on at low speed at the 30.5-s sequencer step. On loss of offsite power only, the fans are sequenced on at high speed at the same step.
G. Redundancy
Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment.
H. Diversity
Diversity of control is provided in that the combustible gas control equipment may be controlled from local controls at the power distribution equipment, as well as from the main control room panels.
I. Actuated Devices
Table 7.3.3-1 lists the actuated devices.
J. Supporting Systems
The supporting systems required for these controls are the Class 1E ac power
system (described in section 8.3) and the containment atmosphere monitoring
system (described in subsection 6.2.5).

7.3.3.1.2 Design Basis
Design bases for the containment combustible gas control system are such that operation is controlled manually from the main control room and no single failure prevents the containment combustible gas control system from functioning. In addition, the following conditions are considered for the control system components:
A. Range of Transient and Steady-State Conditions and Circumstances
The electrical power supply characteristics for the controls on this system are as
described in section 8.3. The range of possible environmental conditions for these
controls is as described in section 3.11.
B. Malfunctions, Accidents, or Other Unusual Events
1. Fire protection is discussed in subsection 9.5.1.
2. Missile protection is discussed in section 3.5.
3. Earthquake protection is discussed in sections 3.7.B and 3.7.N.

7.3.3.1.3 Drawings
There is no automatic actuation signal for this system, although the equipment controls include interfaces with sensors and with other devices. However, at the device level, the containment
cooler fans and the post-LOCA cavity purge fans automatically start upon receipt of SIS, and the containment post-LOCA purge exhaust isolation valves automatically close on receipt of
CVI. References to the drawings associated with this system are provided as described in the
introductory material for this section. Control logic diagrams for the individual devices are shown in drawings 1X5DN013-4, 1X5DN015-1, 1X5DN017-2, 1X5DN019-1, 1X5DN019-2, 1X5DN013-1, 1X5DN013-2 and 1X5DN013-4. These compare with the Preliminary Safety Analysis Report (PSAR) as follows:
A. Recombiner Controls
For recombiners, there is no functional change, but fault protection is added.
B. Mixing Fan Controls
Functionally the containment cooler fans operate as shown in drawings 1X5DN013-1, 1X5DN013-2 and 1X5DN013-4. Details of motor overload protection have been added since the PSAR. The containment cooler fans are loaded onto the diesel generators as indicated in drawings 1X3D-AA-K02A, 2X3D-AA-K02A, 1X3D-AA-K02B and 2X3D-AA-K02B.
The electrical schematic diagrams listed in section 1.7 are in accordance with the control logic
diagrams.

7.3.3.2 Analysis
A. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria
The applicable criteria are listed in table 7.1.1-1. No deviations or exceptions to those criteria are taken. (See section 3.1.)
B. Conformance to Regulatory Guide 1.7
Conformance is described in subsection 6.2.5 and summarized in section 1.9.
C. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the control system is based on the applicable requirements of IEEE Standard 279-1971, as follows:
1. General Functional Requirement - Paragraph 4.1
The containment cooler fans and the post-LOCA cavity purge fans are able to
function automatically and reliably over the full range of transients for all plant
conditions for which credit was taken in the analyses. The rest of the system
functions for all of these plant conditions when manually initiated. The system
response time and accuracy are as required in the accident analyses. The
hydrogen sampling line is manually actuated. 2. Single Failure Criterion - Paragraph 4.2
Through use of redundant, independent systems, as previously described, any single failure or multiple failures resulting from a single credible event will not
prevent the system from performing its intended function when required. 3. Quality of Components and Modules - Paragraph 4.3
Components and modules used in the construction of the system exhibit a quality
consistent with the nuclear power plant design life objective, require minimum
maintenance, and have low failure rates. The program for quality assurance is
described in chapter 17. 4. Equipment Qualification - Paragraph 4.4
The system is qualified to perform its intended functions under the environmental
conditions specified in sections 3.10.B, 3.10.N, 3.11.B, and 3.11.N. 5. Channel Integrity - Paragraph 4.5
All channels maintain functional capability under all conditions described in
paragraph 7.3.3.1.2.
6. Channel Independence - Paragraph 4.6
Discussions of the means used to ensure channel independence are given in paragraphs 7.1.2.2 and 8.3.1.4.
7. Control and Protection System Interaction - Paragraph 4.7
No credible failure at the output of an isolation device will prevent the associated channel from performing its intended function. No single random failure in one channel will prevent the other channel from performing the intended function.
8. Derivation of System Outputs - Paragraph 4.8
To the extent feasible, the system inputs are from direct measurement of the desired variable.
9. Capability of Sensor Checks - Paragraph 4.9
Sufficient means have been provided to check the operational availability of the system.
10. Testing and Calibration - Paragraph 4.10
The control system has the capability of testing the devices used to derive the final system output. No jumpers are used for testing.
11. Channel Bypass or Removal from Operation - Paragraph 4.11
Testing of one channel can be accomplished during reactor operation without initiating a protective action at the system level.
12. Operating Bypasses - Paragraph 4.12
There are no permissive conditions on bypasses. Bypass of one channel will not bypass the other channel. Bypass of one system will not bypass any other system.
13. Indication of Bypass - Paragraph 4.13
If the protective action of any part of the system has been bypassed or deliberately rendered inoperative, the fact will be continuously indicated in the control room, as described in section 7.5.
14. Access to Means for Bypassing - Paragraph 4.14
Appropriate administrative controls will be applied to ensure that access to the means for manually bypassing the system is adequately protected.
15. Multiple Setpoints - Paragraph 4.15
The system is designed so that there are no multiple setpoints.
16. Completion of Protective Action Once It Is Initiated - Paragraph 4.16
The system is designed so that once protective action is initiated, it is carried through to completion.
17. Manual Initiation - Paragraph 4.17
Manual initiation of each function is provided in the control system with a minimum of equipment by direct control of power distribution equipment and solenoid valves from panel-mounted control switches. System level actuation of the safety function is not provided since the time required for operation of these functions allows the station operator to take individual action for each controlled device.
18. Access to Setpoint Adjustments, Calibration, and Test Points - Paragraph 4.18
Appropriate administrative controls are applied to ensure that access to the means for adjusting, calibrating, and testing the system is adequately protected.
19. Identification of Protective Actions - Paragraph 4.19
System protective actions are described and identified down to the channel level.
20. Information Readout - Paragraph 4.20
Sufficient information is provided to allow the station operator to make a prompt decision regarding the system operating requirements. The indications required for these decisions are provided by device status lights, the systems status monitor panel, and supporting systems, as listed in the system description discussed in paragraph 7.3.3.1.1.J.
21. System Repair - Paragraph 4.21
The system is designed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components or modules.
22. Identification - Paragraph 4.22
Protection system components are identified, as described in paragraph 7.1.2.3.
D. Conformance to Nuclear Regulatory Commission (NRC) Regulatory Guides
The applicability of regulatory guides is as shown in table 7.1.1-1 and summarized in section 1.9. References to the discussions of these regulatory guides are presented in paragraphs 7.1.2.5, 7.1.2.6, and 7.1.2.7.
E. Periodic Testing
Periodic testing of the mechanical equipment associated with this system is discussed in subsection 6.2.5. There is no automatic actuation equipment for the entire system, but there is automatic device actuation, as described in paragraph 7.3.3.1.3. Provisions for periodic testing of the actuation system are discussed in the Technical Specifications.
F. Failure Modes and Effects Analysis
See table 6.2.5-2.
7.3.4 CONTAINMENT PURGE ISOLATION SYSTEM
7.3.4.1 Description
The containment purge isolation system detects any abnormal amount of radioactivity in the containment and initiates appropriate action to ensure that any release of radioactivity to the environs is controlled. The containment purge systems are isolated by containment ventilation isolation (CVI) signals. A detailed description of those systems is given in subsection 6.2.4.
7.3.4.1.1 System Description
A. Initiating Circuits
Redundant area radiation monitors in the containment and an independent radiation monitor in the purge line consisting of gaseous, particulate, and iodine radiation monitors measure the radioactivity levels in the containment. These monitors, through their data processing modules, provide digital radioactivity signals to the engineered safety features actuation system (ESFAS) logic. The logic generates redundant CVI actuation signals.
B. Logic
Logic diagrams for the ESFAS are provided in drawings 1X6AA02-225, 1X6AA02-226, 1X6AA02-227, 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, 1X6AA02-233, 1X6AA02-234, 1X6AA02-235, 1X6AA02-236, 1X6AA02-237, 1X6AA02-238, 1X6AA02-239, 1X6AA02-240, 1X6AA02-494, 1X6AA02-495, 1X6AA02-496, 1X6AA02-519, 1X5DN019-1 and 1X5DN019-2.
These diagrams show the actuation systems and bypass interlock provisions. The logic for the containment purge isolation subsystem is included in these figures.
C. Bypass
Switches are provided to bypass defective monitors to preclude spurious actuation.
D. Interlocks
There are no interlocks on these controls.
E. Sequencing
The system is energized on the first step of load sequencing.
F. Redundancy
Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment.
G. Diversity
Diversity of sensing is provided in that containment purge isolation can be actuated by the containment vent gaseous iodine, air particulate radiation monitors, or containment area radiation monitors.
H. Actuated Devices
Table 7.3.4-1 lists the actuated devices.
I. Supporting Systems
Supporting systems for the containment purge isolation are the four Class 1E 125-V dc power supplies, the Class 1E ac power system discussed in section 8.3, and the instrument air system described in section 9.3. The isolation function is fail-safe with respect to all of these support systems; that is to say, loss of any one of these support systems will not prevent isolation.
7.3.4.1.2 Design Bases
The design bases for the containment purge isolation system are described in paragraphs 6.2.4.1.1 and 7.3.3.1.2.
7.3.4.1.3 Drawings
The logic for the containment purge isolation system is shown in the ESFAS logic diagrams, drawings 1X6AA02-225, 1X6AA02-226, 1X6AA02-227, 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, 1X6AA02-233, 1X6AA02-234, 1X6AA02-235, 1X6AA02-236, 1X6AA02-237, 1X6AA02-238, 1X6AA02-239, 1X6AA02-240, 1X6AA02-494, 1X6AA02-495, 1X6AA02-496, 1X6AA02-519, 1X5DN019-1 and 1X5DN019-2.
7.3.4.2 Analysis
A. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria
The applicable criteria are listed in table 7.1.1-1. No deviations or exceptions to those criteria are taken. Compliance is summarized in section 3.1.
B. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in paragraph 7.3.3.2C. The ranges and setpoints are given in the Technical Specifications.
C. Conformance to NRC Regulatory Guides
The applicability of the regulatory guides is as shown in table 7.1.1-1 and summarized in section 1.9. References to the discussions of these regulatory guides are presented in subsection 7.1.2.
D. Periodic Testing
Periodic testing of the mechanical equipment associated with this system is discussed in section 9.4. Periodic testing of the actuation system is discussed in the Technical Specifications.
7.3.5 FUEL HANDLING BUILDING VENTILATION ISOLATION
7.3.5.1 Description
A description of the entire fuel handling building ventilation system is given in subsection 9.4.2.
7.3.5.1.1 Initiating Circuits
A. Four redundant two-channel-oriented and train-oriented gaseous radioactivity monitors, together with their data processing modules, provide a digital signal to the balance of plant (BOP) safety actuation system when preset radiation levels are exceeded.
B. Two manual actuation switches also are wired into the BOP safety actuation system.
C. Upon receipt of the inputs from items A through C above, the BOP safety actuation system logic circuitry produces a fuel handling building isolation signal for both train A and train B (FHBI-A and FHBI-B). This signal in turn causes the post-accident filter units, train A and train B, fans to start. Starting these fans then causes the inlet and discharge dampers to open. Isolation dampers are closed automatically.
D. When radiation signals return to normal conditions, the post-accident heating, ventilation and air-conditioning (HVAC) systems continue to operate until reset manually.
E. Switches are provided to bypass defective monitors to preclude spurious actuation. The FHBI signal may be blocked using the normal channel test blocks. Channel bypass is indicated in the control room.
F. There are no interlocks on these controls.
G. The system is energized on the first step of load sequencing.
H. Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment. There are two channels of actuation initiated by redundant radioactivity monitors, and redundant manual initiation switches.
I. Diversity of control is provided in that the fuel handling building ventilation isolation system can be actuated by either automatic signals or manual control.
J. Table 7.3.5-1 lists the actuated devices.
K. Supporting systems for the fuel handling building ventilation isolation system actuation are the two Class 1E 125-V dc power supplies, the two Class 1E vital 120-V ac power systems discussed in section 8.3, and the instrument air system described in subsection 9.3.1. Loss of any one of these support systems will not prevent isolation.
7.3.5.2 Design Bases
The design bases for the fuel handling building ventilation isolation system are discussed in paragraph 9.4.2.2.1.1. Additionally, the design bases described in paragraph 7.3.1.1.2 are applicable for the control system components.
7.3.5.3 Drawings
The logic diagrams for the fuel handling building ventilation isolation actuation system are included in drawings AX5DN020-1, AX5DN020-2, AX5DN020-3, AX5DN027-1, AX5DN028-1, AX5DN029-1 and AX5DN029-3.
The control logic diagrams, the electrical schematic diagrams, the piping and instrument diagrams, and the physical location drawings for this system are included in the references in section 1.7.
7.3.5.4 Analysis
A. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria
The applicable criteria are listed in table 7.1.1-1. No deviations or exceptions to those criteria are taken. Compliance is summarized in section 3.1.
B. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in paragraph 7.3.3.2C.
C. Conformance to NRC Regulatory Guides
The applicability of the regulatory guides is as shown in table 7.1.1-1 and summarized in section 1.9. References to the discussions of conformance to these regulatory guides are presented in paragraph 7.1.2.
D. Failure Mode and Effects Analysis
See table 9.4.2-2.
E. Periodic Testing
Periodic testing of the mechanical equipment associated with this system is discussed in subsection 9.4.2.
7.3.6 CONTROL ROOM VENTILATION ISOLATION
7.3.6.1 Description
Upon detection of high gaseous radioactivity levels in the control room outside air intake, the normal HVAC system is isolated as described in sections 6.4 and 9.4. The control room HVAC system switches to the emergency mode of operation where a small supply of outside air is provided to maintain a set positive pressure in the control room. This positive pressure will prevent the ingress of the local ambient atmosphere. Normal ventilation is restored only by manual operation by the plant operator and is maintained only if the local ambient atmosphere poses none of the monitored hazards.
7.3.6.1.1 System Description
A. Actuating Circuits
The gaseous radioactivity level of the air provided to the main control room from the local ambient atmosphere is monitored by four redundant monitors (two per each intake duct).
The signals from these monitors are transmitted to bistables in the engineered safety features actuation system. If acceptable levels are exceeded, the control room is isolated, as described above.
The sensitivities and response times of these monitors are listed in table 7.3.6-1.
In addition to the above, control room isolation is initiated manually.
B. Logic
The control room ventilation isolation actuation system logic is included in drawings AX5DN020-4, AX5DN020-5, AX5DN020-6, AX5DN020-8, AX5DN020-10, AX5DN031-1, AX5DN031-2, AX5DN031-4, AX5DN032-3, AX5DN032-1, AX5DN034-2 and AX5DN037-1. For emergency operation, both trains of the affected unit receive a start signal. However, a permissive is provided which does not allow the lag unit to start unless there is a low-flow condition in the lead unit. The actuation signal is transmitted to each actuated device and, subject to the provisions of bypass or override, causes each device to assume its safe state.
C. Bypass
Channel selector switches, with a test block feature, are provided in the instrumentation control circuit to enable testing of the instrument control circuit independently of the redundant control circuit. Channel bypass is indicated at the system level in the control room.
Manual override is available by means of pull-to-lock switches on the fans.
D. Interlocks
Operational interlocks are as shown in drawings AX5DN020-4, AX5DN020-5, AX5DN020-6, AX5DN020-8, AX5DN020-10, AX5DN031-1, AX5DN031-2, AX5DN031-4, AX5DN032-3, AX5DN032-1, AX5DN034-2 and AX5DN037-1 and as identified in section 6.4.
E. Sequencing
The control room ventilation isolation system is powered from the Class 1E power system and energized on the first (0.5 s) step of the load sequencing, except for the control room filter units which start automatically after the 30.5 s step.
F. Redundancy
Controls are provided on a one-to-one basis with the mechanical equipment so that the controls preserve the redundancy of the mechanical equipment. Redundancy is provided in the gaseous radioactivity monitors, the actuation signals, and manual actuation switches.
G. Diversity
Diversity of actuation is provided in that the control room ventilation system may be isolated by either an automatic system or by operator manual actuation. Diversity is provided by actuation from the gaseous radioactivity and manual switches.
H. Actuated Devices
Table 7.3.6-2 lists the actuated devices.
I. Supporting System
The supporting systems required for the controls are the four Class 1E 125-V dc power supplies, the vital Class 1E ac system described in section 8.3, and the instrument air system described in section 9.3.1.
7.3.6.1.2 Design Bases
The design bases for the control room ventilation isolation system are such that no single failure can prevent the isolation of the control room ventilation system. The trip points are provided in the Technical Specifications.
Additionally, the design bases described in subsection 6.4.1 are applicable to the control system components.
7.3.6.1.3 Drawings
The logic diagram for the control room ventilation isolation actuation system is included in drawings AX5DN020-4, AX5DN020-5, AX5DN020-6, AX5DN020-8, AX5DN020-10, AX5DN031-1, AX5DN031-2, AX5DN031-4, AX5DN032-3, AX5DN032-1, AX5DN034-2 and AX5DN037-1.
Other drawings pertaining to this system are included in the references in section 1.7.
7.3.6.2 Analysis
A. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria
The applicable criteria are listed in table 7.1.1-1. No deviations or exceptions to those criteria are taken. Compliance is summarized in section 3.1.
B. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in paragraph 7.3.3.2.C. The setpoints are provided in the Technical Specifications.
C. Conformance to NRC Regulatory Guides
The applicability of regulatory guides is as shown in table 7.1.1-1 and summarized in section 1.9. References to the discussions of these regulatory guides are presented in table 7.1.1-1.
D. Failure Mode and Effects Analysis
This analysis is given in table 6.4.4-1.
E. Periodic Testing
Periodic testing of the mechanical equipment associated with this system is discussed in subsection 9.4.1. Provisions for the periodic testing of the actuation system are discussed in the Technical Specifications.
7.3.7 AUXILIARY FEEDWATER SYSTEM
7.3.7.1 Description
The auxiliary feedwater system (AFWS) consists of two motor-driven pumps, one steam turbine-driven pump, and piping, valves, instruments, and controls, as shown in drawings 1X4DB161-2 and 1X4DB161-3. The pumps are started automatically on receipt of signals from the actuation logic, as shown in drawings 1X5DN117-1, 1X5DN117-2, 1X5DN117-3, 1X5DN120-1, 1X5DN120-2, 1X5DN120-3, 1X5DN120-5, 1X5DN120-6, 1X5DN121-1, 1X5DN121-2, 1X5DN122-1 and 1X5DN122-2. The two motor-driven pumps can also be started manually from control switches in the control room or at the remote shutdown control panel. The turbine-driven pump can also be started manually from the control room or at the local control panels located in the auxiliary feedwater pumphouse.
The preferred source of water for the AFWS is the condensate storage tank (CST). This tank is Seismic Category 1.
Each motor-driven pump feeds two steam generators through individual motor-operated flow control valves. AFWS flow can be regulated manually from the control room or from the remote shutdown panels.
The turbine-driven pump feeds all four steam generators through individual dc motor-operated control valves. AFWS valves can be operated manually from the control room or from the local control panels located in the auxiliary feedwater pumphouse.
AFWS flow indication is provided for each steam generator in the control room and at the remote shutdown control panel.
The AFWS pump turbine is supplied steam from two of the four main steam lines. Each of the steam supply lines to the turbine driver is equipped with a check valve and a normally open motor-operated gate valve. These steam lines join to form a header which leads to the turbine through a normally closed supply valve and normally open trip/throttle valve, both of which are dc motor-operated, and a normally open electro-hydraulically operated speed governing valve.
Control of these valves, as well as manual speed control for the turbine-driven pump, is provided in the control room and at the local control panels located in the auxiliary feedwater pumphouse.
The status of the motor-driven pumps, the turbine-driven pump, the turbine steam supply valves, and the turbine stop valves is indicated in the control room.
The AFWS equipment is described in subsection 10.4.9.
In addition to initiating functions described above, the auxiliary feedwater actuation signal (AFWAS) closes the steam generator blowdown and sample isolation valves, when auxiliary feedwater is required by plant conditions. However, the steam generator sample isolation valves may be opened 30 seconds after closure due to an auxiliary feedwater auto-start signal to allow operators to obtain a sample. All remote manually operated valves in the normal suction from the CST and in the discharge to the steam generators are normally open.
7.3.7.1.1 System Description
A. Initiating Circuits
The AFWAS motor-driven (AFWAS-M) starting the motor-driven auxiliary feedwater pumps is generated on the occurrence of any one of the following signals:
1. Manual start.
2. Trip of both main feedwater pumps.
3. The two out of four low-low water level signals in any one steam generator.
4. Safety injection (SI).
5. Loss of offsite power.
All automatic actuations of the motor-driven pumps are subject to load sequencing.
The AFWAS turbine-driven (AFWAS-T) starting the turbine-driven auxiliary feedwater pumps is generated on the occurrence of any one of the following signals:
1. Manual start.
2. The two out of four low-low water level signals on any two steam generators.
3. Loss of offsite power.
4. AMSAC.
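
The two lists of initiating signals above can be written as a small coincidence-logic model, which makes the difference between AFWAS-M and AFWAS-T easy to check case by case. This is an added example, not taken from the FSAR or the plant's logic drawings; the class, field and function names are assumptions, and load sequencing, timing and bypasses are not modelled.

```python
from dataclasses import dataclass, field
from typing import List

STEAM_GENERATORS = 4   # the page: the turbine-driven pump feeds all four steam generators
CHANNELS_PER_SG = 4    # "two out of four" low-low water level signals
VOTES_REQUIRED = 2


def two_out_of_four(channels: List[bool]) -> bool:
    """Coincidence vote over one steam generator's low-low level channels."""
    if len(channels) != CHANNELS_PER_SG:
        raise ValueError(f"expected {CHANNELS_PER_SG} channels, got {len(channels)}")
    return sum(1 for tripped in channels if tripped) >= VOTES_REQUIRED


def no_trips() -> List[List[bool]]:
    """All level channels untripped: one list of four channels per steam generator."""
    return [[False] * CHANNELS_PER_SG for _ in range(STEAM_GENERATORS)]


@dataclass
class Inputs:
    """Hypothetical snapshot of the initiating signals (field names are assumptions)."""
    manual_start_motor: bool = False
    manual_start_turbine: bool = False
    both_main_feedwater_pumps_tripped: bool = False
    safety_injection: bool = False
    loss_of_offsite_power: bool = False
    amsac: bool = False
    sg_low_low_level: List[List[bool]] = field(default_factory=no_trips)


def steam_generators_voted_low(inp: Inputs) -> int:
    """Number of steam generators whose 2-out-of-4 low-low level vote is satisfied."""
    if len(inp.sg_low_low_level) != STEAM_GENERATORS:
        raise ValueError(f"expected {STEAM_GENERATORS} steam generators")
    return sum(1 for channels in inp.sg_low_low_level if two_out_of_four(channels))


def afwas_m_causes(inp: Inputs) -> List[str]:
    """Initiating signals currently demanding a motor-driven pump start (AFWAS-M)."""
    voted = steam_generators_voted_low(inp)
    conditions = [
        ("manual start", inp.manual_start_motor),
        ("trip of both main feedwater pumps", inp.both_main_feedwater_pumps_tripped),
        ("low-low level in any one steam generator", voted >= 1),
        ("safety injection", inp.safety_injection),
        ("loss of offsite power", inp.loss_of_offsite_power),
    ]
    return [name for name, active in conditions if active]


def afwas_t_causes(inp: Inputs) -> List[str]:
    """Initiating signals currently demanding a turbine-driven pump start (AFWAS-T)."""
    voted = steam_generators_voted_low(inp)
    conditions = [
        ("manual start", inp.manual_start_turbine),
        ("low-low level in any two steam generators", voted >= 2),
        ("loss of offsite power", inp.loss_of_offsite_power),
        ("AMSAC", inp.amsac),
    ]
    return [name for name, active in conditions if active]


def afwas_m(inp: Inputs) -> bool:
    return bool(afwas_m_causes(inp))


def afwas_t(inp: Inputs) -> bool:
    return bool(afwas_t_causes(inp))


if __name__ == "__main__":
    # Constructed scenarios, not plant data.
    scattered = Inputs()          # one tripped channel in each steam generator
    for sg in range(STEAM_GENERATORS):
        scattered.sg_low_low_level[sg][0] = True
    one_sg = Inputs()             # two tripped channels in a single steam generator
    one_sg.sg_low_low_level[1][0] = one_sg.sg_low_low_level[1][2] = True
    scenarios = [
        ("one channel per SG", scattered),
        ("2/4 in one SG", one_sg),
        ("safety injection", Inputs(safety_injection=True)),
        ("AMSAC", Inputs(amsac=True)),
        ("loss of offsite power", Inputs(loss_of_offsite_power=True)),
    ]
    for label, inp in scenarios:
        print(f"{label:22} AFWAS-M={afwas_m_causes(inp)} AFWAS-T={afwas_t_causes(inp)}")
```

Four tripped channels spread one per steam generator satisfy no vote and start nothing, while two tripped channels in one steam generator start only the motor-driven pumps.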
The steam generator sample line isolation valves and the steam generator blowdown isolation valves are all automatically closed on the occurrence of a steam generator low-low water level, safety injection signal, a loss of offsite power signal, trip of both main feedwater pumps, or AMSAC actuation.
B. Logic
See drawings 1X5DN117-1, 1X5DN117-2, 1X5DN117-3, 1X5DN120-1, 1X5DN120-2, 1X5DN120-3, 1X5DN120-5, 1X5DN120-6, 1X5DN121-1, 1X5DN121-2, 1X5DN122-1 and 1X5DN122-2.
C. Bypass
Control switches in the control room to modulate the feedwater pump discharge valves have override features to maintain the required steam generator water levels. This also permits manual closure of the valves if necessary to isolate the flow to a faulted steam generator. (See FSAR paragraph 10.4.9.2.2.3 and drawings 1X5DN121-1 and 1X5DN121-2.)
D. Interlocks
There are no interlocks other than those shown in drawings 1X5DN117-1, 1X5DN117-2, 1X5DN117-3, 1X5DN120-1, 1X5DN120-2, 1X5DN120-3, 1X5DN120-5, 1X5DN120-6, 1X5DN121-1, 1X5DN121-2, 1X5DN122-1 and 1X5DN122-2.
E. Redundancy
Sufficient actuation and control channels are provided throughout the AFWS to ensure the required flow to at least two steam generators in the event of a single failure.
F. Diversity
The AFWS is diversified by utilizing a turbine-driven pump with dc motor-operated valves and two ac motor-driven pumps with ac motor-operated valves. Diversity in initiating signals can be seen in drawings 1X5DN117-1, 1X5DN117-2, 1X5DN117-3, 1X5DN120-1, 1X5DN120-2, 1X5DN120-3, 1X5DN120-5, 1X5DN120-6, 1X5DN121-1, 1X5DN121-2, 1X5DN122-1 and 1X5DN122-2.
G. Actuated Devices
1. Auxiliary feedwater pump turbine steam supply valves (two).
2. Auxiliary feedwater pump turbine stop valve.
3. Auxiliary feedwater motor-operated valves (eight).
4. Auxiliary feedwater pump electric motors (two).
5. Steam turbine-driven AFWS pump drain line to condenser HV-5178.
6. Vacuum degasifier isolation valve HV-5087.
7. Steam generator blowdown isolation valves (four).
8. Steam generator blowdown sample isolation valves (eight).
9. Auxiliary feedwater pump recirculation valves (two).
H. Supporting Systems
The Class 1E ac and dc power systems are required for auxiliary feedwater control.
I. Portion of System Not Required for Safety
Instrumentation provided for monitoring system performance is not required for safety, except for the instrumentation that is shown on table 7.5.2-1.
7.3.7.1.2 Design Bases
Auxiliary feedwater is required, as described in subsection 10.4.9. No single failure shall prevent this system from operating.
The system must provide full auxiliary feedwater flow within 1 min of the detection of any condition requiring auxiliary feedwater.
7.3.7.1.3 Drawings
The logic diagram for the AFWAS is included in drawings 1X5DN117-1, 1X5DN117-2, 1X5DN117-3, 1X5DN120-1, 1X5DN120-2, 1X5DN120-3, 1X5DN120-5, 1X5DN120-6, 1X5DN121-1, 1X5DN121-2, 1X5DN122-1 and 1X5DN122-2.
Other drawings pertaining to this system are referenced in section 1.7.
7.3.7.2 Analysis
A. Compliance to Nuclear Regulatory Commission (NRC) General Design Criteria (GDC)
Compliance is summarized in section 3.1.
1. GDC 13
Instrumentation necessary to monitor station variables associated with hot shutdown is provided in the main control room and on the auxiliary shutdown control panel. Controls for the AFWS are provided at each location. A description of the surveillance instrumentation is provided in section 7.5.
2. GDC 19
All controls and indications required for safe shutdown of the reactor are provided in the main control room. In the event that the main control room must be evacuated, adequate controls and indications are located outside the main control room to bring the reactor to, and maintain it in, a hot standby condition and provide capability to achieve cold shutdown.
The remote shutdown control panels, located outside the main control room, are described in section 7.4.
3. GDC 34
The AFWS provides an adequate supply of feedwater to the steam generators to remove reactor decay heat following reactor trip. Two steam generators with auxiliary feedwater supply are sufficient to remove reactor decay heat without exceeding design conditions of the reactor coolant system.
4. Other GDC
The remaining applicable general design criteria are listed in table 7.1.1-1 and subsection 10.4.9.
B. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in paragraph 7.2.2.3 and subsection 7.3.2, except that this system is automatically actuated. The setpoints are provided in the Technical Specifications.
C. Conformance to NRC Regulatory Guides
The applicability of regulatory guides is shown in table 7.1.1-1 and summarized in section 1.9. References to the discussions of these regulatory guides are presented in table 7.1.1-1.
D. Failure Modes and Effects Analysis
See table 10.4.9-4.
E. Periodic Testing
Periodic testing of the mechanical equipment associated with this system is discussed in paragraph 10.4.9.4. Provisions for the periodic testing of the actuation system are discussed in the Technical Specifications.
7.3.8 MAIN STEAM AND FEEDWATER ISOLATION
7.3.8.1 Description
The signals that initiate automatic closure of the main steam isolation, main steam isolation valve bypass, feedwater isolation, and feedwater isolation bypass valves are generated in the engineered safety features actuation system (ESFAS) described in subsection 7.3.1. The logic diagrams for the generation of these signals are shown in drawings 1X6AA02-225, 1X6AA02-226, 1X6AA02-227, 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, 1X6AA02-233, 1X6AA02-234, 1X6AA02-235, 1X6AA02-236, 1X6AA02-237, 1X6AA02-238, 1X6AA02-239, 1X6AA02-240, 1X6AA02-494, 1X6AA02-495, 1X6AA02-496, and 1X6AA02-519. The remainder of this section concentrates on the non-Westinghouse portion of the main steam and feedwater isolation system.
The main steam and main feedwater isolation valves are operated by hydraulic actuators. The actuators are powered by compressed gas accumulators, which are controlled by electrically operated solenoid valves. Each main feedwater isolation valve has two actuators. Each actuator is controlled from a separate Class 1E electrical system, and each is capable of closing the valve independently of the other. Each main steam isolation valve has one separate Class 1E electrical system actuator.
The main steam isolation valve bypass valves are operated by a pneumatic diaphragm operator, each with one separate Class 1E electrical system actuator; the bypass feedwater isolation valves are operated by a pneumatic piston operator, each with two separate 1E electrical system actuators.
7.3.8.1.1 System Description
A. Initiating Circuits
The main steam isolation, main steam isolation valve bypass, feedwater isolation, and feedwater isolation bypass valves close automatically upon receipt of automatic close signals (steam line isolation signal for steam isolation and feedwater isolation signal for feedwater isolation) from the Westinghouse solid-state protection system.
The steam line isolation signal is generated by any of the following:
1. High steam pressure rate.
2. Low steam line pressure.
3. High containment pressure.
A feedwater isolation signal is generated by the following:
1. Steam generator high level (two out of four for each steam generator).
2. Safety injection.
3. Reactor trip coincident with low Tavg.
Manual operation is also provided.
B. Logic
Refer to drawings 1X6AA02-225, 1X6AA02-226, 1X6AA02-227, 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, 1X6AA02-233, 1X6AA02-234, 1X6AA02-235, 1X6AA02-236, 1X6AA02-237, 1X6AA02-238, 1X6AA02-239, 1X6AA02-240, 1X6AA02-494, 1X6AA02-495, 1X6AA02-496, 1X6AA02-519, 1X5DN149-1, 1X5DN149-2, 1X5DN149-3, 1X5DN150-1, 1X5DN150-2, 1X5DN150-3, 1X5DN149-4 and 1X5DN150-4.
C. Bypass
See subsection 7.3.1.
D. Interlocks
See subsection 7.3.1.
E. Redundancy
Two isolation valves in series (train oriented) are provided, ensuring steam line isolation.
F. Diversity
See subsection 7.3.1 for a discussion of diversity with regard to the automatic actuation signal.
G. Actuated Devices
The actuated devices are the main steam and feedwater isolation valves. Refer to table 7.3.8-1.
H. Supporting Systems
The system makes use of the Class 1E dc power systems and of the compressed air system.
I. Portions of the System Not Required for Safety
The operator for each valve includes provisions for manually opening the valve. Instrumentation is provided for measuring the accumulator pressures. Neither of these provisions is required for safety.
7.3.8.1.2 Design Bases
The design bases for the main steam and feedwater isolation actuation system are provided in subsection 7.3.1. The design bases for the remainder of the main steam and feedwater isolation system are that the system isolates the main steam and feedwater when required and that no single failure can prevent isolation from occurring. See subsection 7.3.1 for additional discussion.
In addition, paragraph 7.3.3.1.2 is applicable to the control system components.
7.3.8.1.3 Drawings
See drawings 1X6AA02-225, 1X6AA02-226, 1X6AA02-227, 1X6AA02-228, 1X6AA02-229, 1X6AA02-230, 1X6AA02-231, 1X6AA02-232, 1X6AA02-233, 1X6AA02-234, 1X6AA02-235, 1X6AA02-236, 1X6AA02-237, 1X6AA02-238, 1X6AA02-239, 1X6AA02-240, 1X6AA02-494, 1X6AA02-495, 1X6AA02-496, 1X6AA02-519, 1X5DN149-1, 1X5DN149-2, 1X5DN149-3, 1X5DN150-1, 1X5DN150-2, 1X5DN150-3, 1X5DN149-4 and 1X5DN150-4.
VEGP-FSAR-7
7.3-36 REV 19 4/15

7.3.8.2 Analysis
A. Compliance to Nuclear Regulatory Commission (NRC) General Design Criteria
Compliance is summarized in section 3.1.
B. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the valve control system conforms to the applicable requirements of IEEE Standard 279-1971, as listed and discussed in subsection 7.3.2, except that the system is automatically actuated. The setpoints are provided in the Technical Specifications.
C. Conformance to NRC Regulatory Guides
The applicability of regulatory guides is shown in table 7.1.1-1 and summarized in section 1.9.
D. Periodic Testing
The main steam isolation valve control system includes provisions for verifying the proper operation of the electronic logic circuits, checking the accumulator pressure in each actuator, and for performing a 10-percent close test of each valve. The frequency of control system testing is provided in the Technical Specifications. The mechanical system testing provisions are given in subsection 10.3.4.

7.3.9 NUCLEAR SERVICE COOLING WATER

7.3.9.1 Description
The nuclear service cooling water (NSCW) consists of the ultimate heat sink and the NSCW pumps, piping, valves, exchangers, and other components. The NSCW system is described in subsection 9.2.1. The ultimate heat sink is described in subsection 9.2.5.
The referenced sections also state the safety design bases and the power generation design bases for their respective systems.

7.3.9.1.1 System Description
A. Initiating Circuits
For train A, two of the three NSCW cooling tower pumps are normally operating during power generation, with one spare. In the event of an accident requiring safety injection, the safety injection signal A ensures that two out of three remain in operation. If any one pump drops out, pump discharge manifold low pressure and the pump interlock circuitry starts the spare pump. The design is similar for the train B NSCW cooling tower pumps. For either train, the load sequencer must also be in operation. Manual initiation is also provided from the control room and remote shutdown panels.
Transfer pumps in each basin are used to transfer water between basins; they are powered by the same source as the train power source for the basin into which they pump. The operation of these pumps is manual only.
The first fan to start in each NSCW tower is interlocked to start when the tower's spray valve opens and will stop when the spray valve closes. The spray valve begins to open when the NSCW return temperature is above 75°F and begins to close when the temperature falls below 65°F. The other three fans in each NSCW tower are controlled by independent temperature switches that are dependent on the NSCW return header temperatures. These fans are set to start sequentially through a range of 79°F to 87°F. Automatic trip of the three tower fans on decreasing temperature is provided, with the fans set to trip sequentially through a range of 77°F to 71°F.
To protect against tower icing in the event of low ambient temperature, two motor-operated interlocked valves function to bypass the cooling spray headers and return water directly to the cooling tower basin. Manual initiation is also provided from the control room and remote shutdown panels.
B. Logic
Drawings 1X5DN086-1, 1X5DN087-1, 1X5DN087-2, 1X5DN087-3, 1X5DN087-4, 1X5DN089-1, 1X5DN089-2, 1X5DN089-3, 1X5DN090-1, 1X5DN090-2, 1X5DN090-3, 1X5DN087-5, and 1X5DN090-6 show the logic for NSCW engineered safety features.
C. System Bypass
System bypass, nonauto, power failure, or overload are indicated and alarmed at the systems status monitor panel (QBPS).
D. Interlocks
Interlocks are described in subsection 9.2.1 and 9.2.5 and are shown in drawings 1X5DN086-1, 1X5DN087-1, 1X5DN087-2, 1X5DN087-3, 1X5DN087-4, 1X5DN089-1, 1X5DN089-2, 1X5DN089-3, 1X5DN090-1, 1X5DN090-2, 1X5DN090-3, 1X5DN087-5, and 1X5DN090-6.
E. Redundancy
Redundancy is provided by trains A and B and controls on a one-to-one basis with the mechanical equipment, so that controls preserve the redundancy of the mechanical equipment.
F. Diversity
Diversity is provided by trains A and B, as well as by control from the control room and the remote safe shutdown panels.
G. Radiation Monitoring
Radiation monitoring is provided by a radiation monitor in the return line to each NSCW cooling tower.
H. Actuated Devices
Table 7.3.9-1 lists the actuated devices.
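
Added example, not part of the FSAR: a Python replay model of the tower spray valve and fan setpoints given under item A, usable to flag recorded device states that disagree with those setpoints. The intermediate setpoints (83°F and 74°F), the pairing of start and trip setpoints, the device names, the initial state, and the open/closed treatment of the spray valve are assumptions; the sample trace is constructed.

```python
"""Replay model of the NSCW tower fan and spray-valve setpoints (added example)."""

# Setpoints stated in the section, in degrees F.
SPRAY_OPEN_ABOVE = 75.0
SPRAY_CLOSE_BELOW = 65.0

# The section gives only the ranges: start 79 to 87, trip 77 to 71.
# ASSUMED: the middle setpoints (83, 74) and the pairing of each start
# setpoint with a trip setpoint (the last fan started is the first to trip).
STAGED_FANS = (
    ("fan2", 79.0, 71.0),
    ("fan3", 83.0, 74.0),
    ("fan4", 87.0, 77.0),
)


class TowerModel:
    """Expected device states for one tower, driven by return temperature."""

    def __init__(self):
        # ASSUMED initial condition: spray valve closed, all fans stopped.
        # Start a replay from a temperature below 65 so this is unambiguous.
        self.spray_open = False
        self.staged = {name: False for name, _, _ in STAGED_FANS}

    def step(self, temp_f):
        """Advance the model by one temperature sample and return the states."""
        # Spray valve, simplified to open/closed (the text says it "begins to"
        # open or close). Between 65 and 75 the previous position holds.
        if temp_f > SPRAY_OPEN_ABOVE:
            self.spray_open = True
        elif temp_f < SPRAY_CLOSE_BELOW:
            self.spray_open = False
        # Each staged fan has its own dead band between trip and start.
        for name, start_at, trip_at in STAGED_FANS:
            if temp_f >= start_at:
                self.staged[name] = True
            elif temp_f <= trip_at:
                self.staged[name] = False
        # The first fan is interlocked with the spray valve.
        state = {"spray_valve": self.spray_open, "fan1": self.spray_open}
        state.update(self.staged)
        return state


def replay(temps_f):
    """Return the expected state after each sample of a temperature trace."""
    model = TowerModel()
    return [model.step(t) for t in temps_f]


def running_fans(state):
    """Count the fans that the state marks as running."""
    return sum(1 for dev, on in state.items() if dev.startswith("fan") and on)


def find_mismatches(samples):
    """Compare recorded states with the model.

    samples: list of (temp_f, observed) where observed maps a device name to
    a bool. Returns (sample index, device, expected, observed) tuples.
    """
    model = TowerModel()
    mismatches = []
    for index, (temp_f, observed) in enumerate(samples):
        expected = model.step(temp_f)
        for device, want in expected.items():
            if device in observed and observed[device] != want:
                mismatches.append((index, device, want, observed[device]))
    return mismatches


# Constructed sample trace (not plant data): temperature rises, then falls.
SAMPLE_TEMPS_F = [60, 70, 76, 80, 84, 88, 80, 76, 73, 70, 64]

if __name__ == "__main__":
    for temp, state in zip(SAMPLE_TEMPS_F, replay(SAMPLE_TEMPS_F)):
        print(temp, running_fans(state), state)
```

Because every device has a dead band, the same temperature maps to different expected states on the way up and on the way down, which is why the check replays the trace in order instead of testing each sample alone.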
I. Supporting Systems
a. The Class 1E ac power system (described in chapter 8).
b. Makeup water wells.
c. Makeup from river.

7.3.9.1.2 Drawings
Drawings 1X4DB133-1, 1X4DB133-2, 1X4DB134, 1X4DB135-1, and 1X4DB135-2 show the NSCW system and the ultimate heat sink. Drawings 1X5DN086-1, 1X5DN087-1, 1X5DN087-2, 1X5DN087-3, 1X5DN087-4, 1X5DN089-1, 1X5DN089-2, 1X5DN089-3, 1X5DN090-1, 1X5DN090-2, 1X5DN090-3, 1X5DN087-5, and 1X5DN090-6 show the systems actuation logic.

7.3.9.2 Analysis
A. Compliance with Nuclear Regulatory Commission General Design Criteria
Compliance is summarized in section 3.1. See subsection 7.3.1.
B. Conformance to Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971
The design of the NSCW control system conforms to the applicable requirements of IEEE Standard 279-1971 as listed and discussed in subsection 7.3.2 and paragraph 7.3.7.2. The setpoints which result in Engineered Safety Features Actuation System (ESFAS) actuation of NSCW system are in the Technical Specifications.
C. Failure Modes and Effects Analysis
See table 9.2.1-2.

7.3.10 COMPONENT COOLING WATER SYSTEM

7.3.10.1 Description
The component cooling water system (CCWS) consists of three pumps in each of two trains (A and B), heat exchangers, surge tank, interconnecting pipes, valves, and fittings. The CCWS is described in subsection 9.2.2. Subsection 9.2.2 also addresses the safety design bases and the power generation design bases.

7.3.10.1.1 Engineered Safety Features Initiating Circuits
A. One or two out of three 50-percent capacity CCWS pumps are normally operated in one train. The appearance of a safety injection signal A or loss of offsite power starts train A pumps via the load sequencer.
B. A pump discharge header low pressure signal will also start any pump not running.
C. Pumps can also be started manually from the control room or the remote shutdown panels.
D. Should any pump drop out, the continued presence of the safety injection signal A automatically ensures that two pumps are operating.
E. The safety injection signal B starts train B similarly to train A.
F. Low-low level switches on the surge tank are provided to automatically stop the CCWS pumps before insufficient net positive suction head (NPSH) conditions occur in the pump suction. Each train has its own, separate surge tank, thus maintaining separation.
G. Radiation monitoring is provided in the return line to the CCWS pumps suctions, which would include any return to the surge tanks.
H. Power failure, bypass for test or maintenance, switches in local mode are monitored; alarms and system inoperable lights occur on system status monitoring panel (QBPS) in the control room.
I. Table 7.3.10-1 lists the actuated devices.
J. Supporting systems
1. The Class 1E ac power system.
2. Nuclear service cooling water system.
3. Nuclear steam supply system-balance of plant engineered safety features actuation system.
4. Reactor makeup water storage tanks.
5. Demineralized water storage tank.
6. CCWS surge tanks.
Makeup to the component cooling water surge tanks is provided automatically from the Seismic Category 1 reactor makeup water storage tank or the demineralized water storage tank.

7.3.10.1.2 Design Bases
Subsection 9.2.2 covers the safety design bases and the power generation design bases.

7.3.10.1.3 Drawings
Drawings 1X5DN091-1, 1X5DN091-2, 1X5DN091-3, 1X5DN092-1, and 1X5DN092-2 show the logic diagrams for the CCWS.

7.3.10.2 Analysis
A. Conformance to Nuclear Regulatory Commission general design criteria is discussed in subsection 7.3.1 and section 3.1.
B. Conformance to Institute of Electrical and Electronics Engineers 279-1971 is listed and discussed in paragraphs 7.3.1.2, and 7.3.7.2.
C. A failure modes and effects analysis is given in table 9.2.2-3.
7.3.11 CONTAINMENT HEAT REMOVAL SYSTEM

7.3.11.1 Description
The containment heat removal system consists of eight train-oriented, fan-operated cooling units and the containment spray system. The cooling unit and the spray system are described in subsection 6.2.2.

7.3.11.1.1 Design Bases
A. Safety design bases for the cooling units are described in paragraph 6.2.2.1.1.1 and for the spray system in paragraph 6.2.2.2.1.1.1.
B. Power generation bases are described in paragraph 6.2.2.1.1.2 for the cooling units. The containment spray system has no power generation design bases.

7.3.11.1.2 Actuating Signals and Circuits
A. The containment safety-related cooling units start via the load sequencer on the receipt of a safety injection signal. All fans are energized on the 30.5 s sequencer step following the receipt of a safety injection signal. The cooling units can also be started and stopped from the control room and from the remote shutdown panels.
B. The containment spray system is initiated by the receipt of a high containment pressure signal (high-3).
C. The safety evaluation is covered in paragraph 6.2.2.1.3.
D. Actuated devices that are tested are listed in table 7.3.11-1.

7.3.11.2 Analysis
The analysis for the engineered safety features, including the systems covered by this section, is covered in paragraph 7.3.1.2. The failure modes and effects analysis of the containment heat removal system is given in table 6.2.2-3. The containment spray failure modes and effects analysis is given in table 6.2.2-5.

7.3.11.3 Summary
The summary is covered in paragraph 7.3.1.

7.3.11.4 Loss-of-Coolant Protection
This analysis is covered in paragraph 7.3.1.

7.3.11.5 Drawings
A. Drawings 1X5DN013-1, 1X5DN013-2, and 1X5DN013-4 show the logic for the containment coolers.
B. Drawings 1X3D-BD-J01A, 1X3D-BD-J01B, 1X3D-BD-J02A, 1X3D-BD-J02B, 1X3D-BD-J02C, and 1X3D-BD-J02D show the electrical elementary diagrams for the containment spray system. The containment spray system starts independently of the sequence to load the safety injection signal. This makes it possible to start within the required time independently of the safety injection signal status.
7.3.12 CONTROL BUILDING ENGINEERED SAFETY FEATURES HEATING, VENTILATION, AND AIR-CONDITIONING SYSTEM

7.3.12.1 Description
The control building engineered safety features (ESF) heating, ventilation, and air-conditioning (HVAC) system provides a proper environment and temperature for the Class 1E electrical equipment and personnel, both during normal operations and under postulated accident conditions. It also serves to reduce or limit the release of fission products to the control building following a postulated loss-of-coolant accident or fuel handling accident. Except for the control room essential HVAC system described in detail in section 6.4 and subsection 7.3.6, the other subsystems of the control building ESF HVAC system are as follows:
A. Control building safety feature electrical equipment rooms HVAC system.
B. Control building HVAC equipment rooms ESF ventilation system (level 3).
C. Control building auxiliary relay rooms ESF air-conditioning units.
A detailed description of these systems is given in subsection 9.4.5.

7.3.12.1.1 System Description
A. Actuating Circuits
1. Control building safety feature electrical equipment rooms HVAC system components (air-conditioning units, exhaust fans, and associated dampers) are actuated upon:
a. Safety injection (signal A and signal B).
b. Manual initiation.
2. Control building HVAC equipment rooms ESF ventilation system components (control room ESF chiller rooms exhaust fans) are actuated upon:
a. Control room ESF chiller room high temperature.
b. Manual actuation.
3. Control building auxiliary relay rooms ESF air-conditioning units are actuated upon:
a. Safety injection (signal A and signal B).
b. Manual initiation.
B. Logic
The control building ESF HVAC system logic is shown in drawings AX5DN008-1, AX5DN056-6, 1X5DN044-1, 1X5DN045-1, and AX5DN056-2. Logic is designed in such a manner that a momentary loss of the control power will not prevent or reverse the safety actuation of any equipment and the reset of the safety injection signal will not trip the actuated equipment without deliberate subsequent operator action.
C. Bypass
Bypass of each subsystem (except the auxiliary relay rooms ESF air-conditioning) comprising the control building ESF HVAC system is indicated in the control room. Such bypass may result from either control power failure, system component failure, manual override at the component level, or transfer to local control. The bypass indication logic is shown in drawings AX5DN008-1, AX5DN056-6, 1X5DN044-1, 1X5DN045-1, and AX5DN056-2. The manual override capability is provided only for the control building control room ESF chiller rooms exhaust fans.
D. Interlocks
There are no interlocks other than those shown in drawings AX5DN008-1, AX5DN056-6, 1X5DN044-1, 1X5DN045-1, and AX5DN056-2.
E. Sequencing
All loads other than the supporting ESF chiller compressor motors (item J) are energized on the first step of load sequencing. The ESF chiller compressor motors start automatically after the 30.5-s sequencer step.
F. Redundancy
All equipment, instruments, and controls are fully redundant and arranged in two completely independent trains (A and B).
G. Seismic Qualification
All components comprising the control building ESF HVAC system are Seismic Category 1 and remain functional during and after a safe shutdown earthquake.
H. Diversity
Diversity of actuation is provided in that the control building ESF HVAC system can be operated either manually from any one of the two physically separated locations (i.e., main control room and the shutdown panels) or automatically.
I. Actuated Devices
Table 7.3.12-1 lists the actuated devices.
J. Supporting Systems
The following systems are required to be operational for proper functioning of the control building ESF HVAC system:
1. Class 1E 480-V ac system.
2. Class 1E 120-V ac system.
3. Class 1E 125-V dc system.
4. Class 1E 4160-V ac system.
5. Essential chilled water system.
Under emergency conditions (safety injection or loss of offsite power) the Class 1E electric power systems remain operational, as described in section 8.3. The essential chilled water system is described in subsection 9.2.9. It is automatically actuated by the safety injection signal.
7.3.12.1.2 Design Bases
The design bases for the control building ESF HVAC system are such that no single failure within that system nor any supporting system shall prevent it from performing its safety function. A detailed description of the system's design bases is provided in subsection 9.4.5.

7.3.12.1.3 Drawings
The drawings pertaining to the control building ESF HVAC system (including logic diagrams shown in drawings AX5DN008-1, AX5DN056-6, 1X5DN044-1, 1X5DN045-1, and AX5DN056-2) are included in the references in section 1.7.

7.3.12.2 Analysis
The analysis presented in subsection 7.3.1 for the ESF pertains also to the system discussed herein. The failure mode and effects analyses of the control building ESF HVAC systems are given in table 9.4.5-2.

7.3.12.3 Summary
The summary is covered in paragraph 7.3.1.

7.3.13 AUXILIARY BUILDING ENGINEERED SAFETY FEATURES HEATING, VENTILATION, AND AIR-CONDITIONING SYSTEM

7.3.13.1 Description
The auxiliary building engineered safety features (ESF) heating, ventilation, and air conditioning (HVAC) system performs the following safety functions:
- Maintains proper temperatures in safety-related switchgear, motor control center (MCC), pump and heat exchanger rooms during postulated accident conditions, station blackout, and manual conditions.
- Minimizes the release of airborne radioactivity to the outside atmosphere resulting from recirculation line and component leakage into the piping penetration area ECCS and ESF pump rooms during an accident condition.
The system maintains a negative pressure in the piping penetration area and ESF pump rooms and filters the exhaust from the negative pressure boundary. The auxiliary building ESF HVAC system is comprised of the following two systems:
- Auxiliary building ESF room coolers.
- Piping penetration area filtration and exhaust system.
Both systems are described in detail in subsection 9.4.3.

7.3.13.1.1 System Description
A. Activity Circuits
1. The ESF room coolers are actuated upon:
- Safety injection signal (signal A and signal B) or an automatic actuation signal generated by actuation of the corresponding equipment (pump or heat exchanger).
- Room temperature high signal.
- Manual actuation.
For details see drawings 1X5DN030-1, 1X5DN030-3, 1X5DN030-4, 1X5DN030-5, and 1X5DN065-1.
2. The piping penetration area filtration and exhaust unit motors and their associated dampers and heaters are actuated upon:
- Containment ventilation isolation signal (signal A and signal B).
- Manual actuation.
Upon automatic actuation of the piping penetration area filtration exhaust system, the piping penetration area is automatically isolated from the auxiliary building normal HVAC system.
B. Logic
The auxiliary building ESF HVAC system logic is shown in drawings 1X5DN030-1, 1X5DN030-3, 1X5DN030-4, 1X5DN030-5, and 1X5DN065-1. Logic is designed in such a manner that a momentary loss of the control power will not prevent or reverse the safety actuation of any equipment, and it is designed such that the reset of the safety injection signal will not trip the actuated equipment without deliberate subsequent operator action.
C. Bypass
Bypass of either subsystem comprising the auxiliary building ESF HVAC system is indicated in the control room. Such bypass may result from control power failure, system component failure, manual override at the component level, or transfer to local control. The bypass indication logic is shown in drawings 1X5DN030-1, 1X5DN030-3, 1X5DN030-4, 1X5DN030-5, and 1X5DN065-1. The manual override capability is provided only for the piping penetration area filtration and exhaust units.
D. Interlocks
There are no interlocks other than those shown in drawings 1X5DN030-1, 1X5DN030-3, 1X5DN030-4, 1X5DN030-5, and 1X5DN065-1.
E. Sequencing
The piping penetration area filtration and exhaust units are permitted to start on the containment ventilation isolation signal during the 15.5-s sequencer step for (1-s) or after sequencing is complete (after 30.5 s). All other loads are energized on the first step of load sequencing. The supporting ESF chiller compressor motors start automatically after sequencing is complete. Heaters may be manually loaded after sequencing is completed.
F. Redundancy
All equipment, instruments, and controls are fully redundant and arranged in two completely independent trains (A and B).
G. Seismic Qualification
All components comprising the auxiliary building ESF HVAC system are Seismic Category 1 and remain operational during and after a safe shutdown earthquake.
H. Diversity
Diversity of actuation is provided in that the auxiliary building ESF room coolers can be operated either manually from any one of the two physically separated locations (i.e., main control room and the shutdown panels) or automatically. The automatic actuation occurs upon either high room temperature or safety injection; this also enhances system diversity. The penetration area filtration and exhaust units can be actuated either manually from the control room or automatically.
I. Actuated Devices
Table 7.3.13-1 lists the actuated devices.
J. Supporting Systems
The following systems are required to be operational for proper functioning of the auxiliary building ESF HVAC system:
- Class 1E 480-V ac system.
- Class 1E 120-V ac system.
- Class 1E 125-V dc system.
- Essential chilled water system.
Under emergency conditions (safety injection or loss of offsite power) the Class 1E electric power system remains operational, as described in section 8.3. The essential chilled water system is described in subsection 9.2.9. It is automatically actuated by the safety injection signal.

7.3.13.1.2 Design Bases
The design bases for the auxiliary building ESF HVAC system are such that no single failure within that system nor any supporting system can prevent it from performing its safety function. A detailed description of system design bases is provided in subsection 9.4.3.

7.3.13.1.3 Drawings
The drawings pertaining to the auxiliary building ESF HVAC system (including logic diagrams shown in drawings 1X5DN030-1, 1X5DN030-3, 1X5DN030-4, 1X5DN030-5, and 1X5DN065-1) are included in the references in section 1.7.

7.3.13.2 Analysis
The analysis presented in subsection 7.3.1 for the ESF pertains also to the systems discussed herein. The failure modes and effects analysis of the auxiliary building ESF HVAC system is given in table 9.4.3-3.
7.3.13.3 Summary
The summary is covered in paragraph 7.3.1.

7.3.14 AUXILIARY FEEDWATER PUMPHOUSE ENGINEERED SAFETY FEATURES HEATING, VENTILATION, AND AIR-CONDITIONING SYSTEM

7.3.14.1 Description
The auxiliary feedwater pumphouse engineered safety features (ESF) heating, ventilation, and air-conditioning (HVAC) system provides a suitable environment for equipment and maintenance personnel within the auxiliary feedwater pump rooms. It consists of one wall-mounted air supply fan and damper in each of the two motor-driven auxiliary feedwater pump rooms and two dampers facilitating natural convection in the turbine-driven auxiliary feedwater pump room. A detailed description of this system is given in subsection 9.4.8.

7.3.14.1.1 System Description
A. Actuating Circuits
1. The motor-driven auxiliary feedwater pump room air supply fans and dampers are actuated upon:
- Room temperature high signal.
- Manual actuation.
2. The turbine-driven auxiliary feedwater pump room dampers are actuated upon:
- Turbine-driven auxiliary feedwater pump automatic start signal.
- Manual actuation.
B. Logic
The auxiliary feedwater pumphouse ESF HVAC system logic is shown in drawings 1X5DN068-1 and 1X5DN068-3. Logic is designed so that a momentary loss of control power cannot prevent or reverse the safety actuation of any equipment.
C. Bypass
Bypassed/inoperable status for the motor-driven auxiliary feedwater pump room air supply fans and dampers is indicated in the control room.
The manual override capability is provided only for the motor-driven auxiliary feedwater pump room air supply fans.
D. Interlocks
There are no interlocks other than those shown in drawings 1X5DN068-1 and 1X5DN068-3.
E. Sequencing
All equipment comprising the auxiliary feedwater pumphouse ESF HVAC system is energized on the first (0.5-s) sequencer step.
F. Redundancy
There is no redundancy in the auxiliary feedwater pumphouse ESF HVAC system.
G. Seismic Qualification
All components comprising the auxiliary feedwater pumphouse ESF HVAC system are Seismic Category 1 and remain functional during and after a safe shutdown earthquake.
H. Diversity
Diversity of actuation is provided in that the equipment can be operated either automatically or manually from any one of the two physically separated locations.
I. Actuated Devices
Table 7.3.14-1 lists the actuated devices.
J. Supporting Systems
The following systems are required to be operational for proper functioning of the auxiliary feedwater pumphouse ESF HVAC system:
- Class 1E 480-V ac system.
- Class 1E 125-V dc system.
These systems remain operational under emergency conditions. (See section 8.3.)

7.3.14.1.2 Design Bases
The design bases for the auxiliary feedwater pumphouse ESF HVAC system are outlined in subsection 9.4.8.

7.3.14.1.3 Drawings
The drawings pertaining to the auxiliary feedwater pumphouse ESF HVAC system (including logic diagrams shown in drawings 1X5DN068-1 and 1X5DN068-3) are included in the references in section 1.7.

7.3.14.2 Analysis
The analysis presented in subsection 7.3.1 generally applies. Although the auxiliary feedwater pumphouse ESF HVAC system is not redundant, its malfunctioning poses no threat to safety functions of the auxiliary feedwater system, due to the excessive redundancy of the latter. A loss of any one of the three auxiliary feedwater pumps that might potentially result from the malfunction of its respective ventilation equipment does not impair the auxiliary feedwater supply function. (See subsection 10.4.9.) The failure modes and effects analysis of the auxiliary feedwater pumphouse ESF HVAC system is given in table 9.4.8-2.

7.3.14.3 Summary
The summary covered in subsection 7.3.1 generally applies. All specific features of the auxiliary feedwater pumphouse ESF HVAC system are discussed above and in subsection 9.4.8.
7.3.15 DIESEL GENERATOR BUILDING ENGINEERED SAFETY FEATURES HEATING, VENTILATION, AND AIR-CONDITIONING SYSTEM

7.3.15.1 Description
The diesel generator building engineered safety features (ESF) heating, ventilation, and air-conditioning (HVAC) system is designed to remove the heat added to the building atmosphere by operating diesel generators, their associated equipment, and solar load. The system is comprised of two identical and completely independent trains, each serving one diesel generator.
Each such subsystem includes two 50-percent capacity ESF fan units connected in parallel to common ductwork. For a detailed description of the diesel generator building ESF HVAC system, see subsection 9.4.7.

7.3.15.1.1 System Description
A. Actuating Circuits
As noted above, each of the two diesel generator building ESF HVAC system trains includes two ESF fan units. The first ESF fan unit is actuated upon:
- Diesel generator running signal.
- Manual actuation.
The second (standby) unit is actuated upon:
- Diesel generator running and room temperature high signal.
- Manual actuation.
Following its actuation, the system maintains the air temperature within the recommended range by modulating appropriate dampers. For details see drawings 1X5DN058-1, 1X5DN058-3, 1X5DN058-4, and 1X5DN058-5.
B. Logic
The diesel generator building ESF HVAC system logic is shown in drawings 1X5DN058-1, 1X5DN058-3, 1X5DN058-4, and 1X5DN058-5. Logic is designed in such a manner that a momentary loss of the control power does not prevent or reverse the safety actuation of any equipment. Once actuated, the system operates until the actuating signals disappear. The first ESF fan is stopped manually. The second (standby) ESF fan stops when room temperature drops below setpoint. The dampers then automatically return to normal position. Should the diesel generator restart, the ESF HVAC system actuates again without operator intervention.
C. Bypass
Bypass of the diesel generator building ESF HVAC system is indicated in the control room. Such bypass may result from either system control power loss, fan motor breaker inoperable position, component failure, transfer to local control, or manual override of the fan motor actuating signal. The bypass indication logic is shown in drawings 1X5DN058-1, 1X5DN058-3, 1X5DN058-4, and 1X5DN058-5.
D. Interlocks
There are no interlocks other than those shown in drawings 1X5DN058-1, 1X5DN058-3, 1X5DN058-4, and 1X5DN058-5.
E. Sequencing
The ESF fan motors may be energized after the 30.5-s sequencer step based on process requirements. All other loads are energized at the first of load sequencing.
F. Redundancy
The diesel generator building ESF HVAC system is not redundant, since each of its trains (A and B) serves the corresponding diesel generator. Nevertheless, such arrangement preserves redundancy at the diesel generator system level.
G. Seismic Qualification
All components of the diesel generator ESF HVAC system are Seismic Category 1 and remain operational during and after a safe shutdown earthquake.
H. Diversity
Diversity of actuation is provided in that the diesel generator building ESF HVAC system can be operated either manually from any one of the two physically separated locations (i.e., main control room and the shutdown panels) or automatically with each of the two fans in either train being actuated by different signals. (See item A.)
I. Actuated Devices
Table 7.3.15-1 lists the actuated devices.
J. Supporting Systems
The following systems are required to be operational for proper functioning of the diesel generator building ESF HVAC system:
- Class 1E 480-V ac system.
- Class 1E 120-V ac system.
- Class 1E 125-V dc system.
As described in chapter 8, all systems remain operational under emergency conditions.

7.3.15.1.2 Design Bases
The design bases for the diesel generator building ESF HVAC system are given in subsection 9.4.7.

7.3.15.1.3 Drawings
The drawings pertaining to the diesel generator building ESF HVAC system (including logic diagrams shown in drawings 1X5DN058-1, 1X5DN058-3, 1X5DN058-4, and 1X5DN058-5) are included in references in section 1.7.
7.3.15.2 Analysis
The analysis presented in subsection 7.3.1 generally applies. Although the diesel generator building ESF HVAC system is not redundant, its malfunction does not impair the performance and redundancy at the diesel generator system level. (See item F.) The failure modes and effects analysis of the diesel generator building ESF HVAC system is given in table 9.4.7-2.

7.3.15.3 Summary
The summary covered in subsection 7.3.1 generally applies. All specific features of the diesel generator building ESF HVAC system are discussed above and in subsection 9.4.7.

7.3.16 ELECTRICAL TUNNEL ENGINEERED SAFETY FEATURES HEATING, VENTILATION, AND AIR-CONDITIONING SYSTEM

7.3.16.1 Description
The safety function of the electrical tunnel engineered safety features (ESF) heating, ventilation, and air-conditioning (HVAC) system is to provide adequate environment for the Class 1E cables routed through electrical tunnels. The tunnels serviced by this system are as follows:
- Two diesel power cable tunnels (trains A and B).
- Two nuclear service cooling water (NSCW) tower cable tunnels (trains A and B).
- Turbine building and auxiliary building train A tunnel. (The corresponding train B tunnel is ventilated by convection only.)
Each of the above tunnels has a single fan unit. The electrical tunnel ESF HVAC system is described in detail in subsection 9.4.9.

7.3.16.1.1 System Description
A. Actuating Circuits
The fan motor in every fan unit is actuated upon:
1. Tunnel temperature high signal, with the exception of fans 1-1540-B7-005-000 and 2-1540-B7-005-000, the turbine building to auxiliary building train A tunnel ventilation fans. As described in subsection 9.4.9, this fan does not automatically start on high temperature.
2. Manual actuation.
For details see drawing 1X5DN069-1.
B. Logic
The electrical tunnel ESF HVAC system logic is shown in drawing 1X5DN069-1. The logic is designed in such a manner that a momentary loss of the control power does not prevent or reverse the safety actuation of any equipment.
C. Bypass
Bypass of either fan comprising the electrical tunnel ESF HVAC system is indicated in the control room. Such bypass may result from control power failure, system component failure, or manual override at the component level. Bypass indication for manual override of the turbine building to auxiliary building train A electrical tunnel HVAC system is not indicated in the control room. As described in subsection 9.4.9, the train A electrical tunnel ventilation fan is manually started. The manual override capability is provided on all five fan units.
D. Interlocks
There are no interlocks other than those shown in drawing 1X5DN069-1.
E. Sequencing
The electrical tunnel ESF HVAC fan motors are energized on the first (0.5-s) step of load sequencing, except for the train A tunnel fan which is manually actuated.
F. Redundancy
The electrical tunnel ESF HVAC system is comprised of five completely independent subsystems, each serving a different tunnel. Although these subsystems are not redundant, it does not impair the redundancy at the system level. (Each tunnel and its respective fan unit belong to the same train.)
G. Seismic Qualification
All components comprising the electrical tunnel ESF HVAC system are Seismic Category 1 and remain operational during and after a safe shutdown earthquake.
H. Diversity
Diversity of actuation is provided in that the electrical tunnel ESF fan units can be operated either manually or automatically with the exception of the turbine building to auxiliary building train A tunnel. The fan unit in that tunnel is started manually.
I. Actuated Devices
Table 7.3.16-1 lists the actuated devices.
J. Supporting Systems
The only supporting system that has to be operational for the electrical tunnel ESF HVAC system to function properly is the Class 1E 480-V ac power system. As described in chapter 8, this system remains operational under any postulated emergency conditions.

7.3.16.1.2 Design Bases
The design bases for the electrical tunnel ESF HVAC system are discussed in subsection 9.4.9.

7.3.16.1.3 Drawings
The drawings pertaining to the electrical tunnel ESF HVAC system (including logic diagrams shown in drawing 1X5DN069-1) are included in the references in section 1.7.
7.3.16.2 Analysis
The analysis presented in subsection 7.3.1 generally applies. As noted in item F above, redundancy of the vital diesel generator power system is not compromised by the lack of redundancy in the electrical tunnel ESF HVAC system. The failure modes and effects analysis of the latter system is given in table 9.4.9-3.
7.3.16.3 Summary
The summary covered in paragraph 7.3.1 generally applies. All specific features of the electrical tunnel ESF HVAC system are discussed above and in subsection 9.4.9.
7.3.17 DIESEL GENERATOR FUEL OIL SYSTEM
7.3.17.1 Description
A separate diesel generator fuel oil system provides sufficient and independent fuel oil supply for each diesel generator engine under all conditions and plant operating modes. Each such system consists of a diesel fuel oil storage tank, a diesel fuel oil day tank, two diesel fuel oil storage tank pumps, an engine-driven fuel oil pump, associated pipes, valves, filters, instrumentation, and controls. The diesel generator fuel oil system is described in detail in subsection 9.5.4.
7.3.17.1.1 System Description
A. Actuating Circuits
Each diesel generator has two 100-percent capacity diesel fuel oil storage tank pumps operating alternately for greater reliability. Each pump is actuated upon:
- 1. Day tank fuel oil level low signal.
- 2. Low pressure at the discharge of the other operating pump.
- 3. Manual actuation.
The details of the actuation logic are drawn in drawing 1X5DN107-1.
B. Logic
The diesel generator fuel oil system logic is shown in drawing 1X5DN107-1. The logic is designed in such a manner that a momentary loss of the control power does not prevent or reverse the actuation of the pumps.
C. Bypass
Bypass of each diesel fuel oil storage pump is indicated in the control room. Such bypass may result from either control power failure, system component failure, or manual override of the pump automatic actuation capability. The bypass indication logic is shown in drawing 1X5DN107-1.
D. Interlocks
There are no interlocks other than those shown in drawing 1X5DN107-1.
E. Sequencing
The diesel generator fuel oil storage pumps are energized on the first (0.5 s) step of load sequencing.
F. Redundancy
The fuel oil system for each diesel generator is partially redundant. The fuel oil storage pumps are fully redundant, as there are two of these for each diesel generator. All other portions of each diesel generator fuel oil system are not redundant. This, however, does not impair the redundancy of the diesel generator onsite power system, which consists of two completely independent and redundant trains A and B for each nuclear power generating unit.
G. Seismic Qualification
All components comprising the diesel generator fuel oil system are Seismic Category 1 and remain operational during and after a safe shutdown earthquake.
H. Diversity
Diversity of actuation is provided in that the diesel generator fuel oil system can be operated either automatically or manually.
I. Actuated Device
Actuated devices are listed in table 7.3.17-1.
J. Supporting Systems
The following systems are required to be operational for the diesel generator fuel oil system to function properly:
- 1. Class 1E 480-V ac system.
- 2. Class 1E 120-V ac system.
As described in chapter 8, all Class 1E power systems remain operational under emergency conditions.
7.3.17.1.2 Design Bases
The design bases for the diesel generator fuel oil system are given in subsection 9.5.4.
7.3.17.1.3 Drawings
The drawings pertaining to the diesel generator fuel oil system (including logic diagrams drawn in drawing 1X5DN107-1) are included in the references in section 1.7.
7.3.17.2 Analysis
The failure mode and effects analysis of the diesel generator fuel oil system is given in table 9.5.4-2.
7.3.17.3 Summary
The summary covered in paragraph 7.3.1 generally applies. All specifics of the diesel generator fuel oil system are discussed above and in subsection 9.5.4.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.1-1
INSTRUMENTATION OPERATING CONDITIONS FOR ENGINEERED SAFETY FEATURES

| No. | Functional Unit | No. of Channels | No. of Channels to Trip |
|---|---|---|---|
| 1 | Safety injection | | |
| | Manual | 2 | 1 |
| | High containment pressure (high-1) | 3 | 2 |
| | Low steam line pressure lead-lag compensated | 12 (3 per steam line) | 2 in any one steam line |
| | Pressurizer low pressure (a) | 4 | 2 |
| 2 | Containment spray | | |
| | Manual (b) | 4 | 2 |
| | Containment pressure (high-3) | 4 | 2 |

- a. Permissible bypass if reactor coolant pressure is less than 2000 psig.
- b. Manual actuation of containment spray system requires the simultaneous operation of two separate switches. The requirement for the simultaneous operation of two switches is desirable to prevent inadvertent spray actuation.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.1-2
INSTRUMENTATION OPERATING CONDITIONS FOR ISOLATION FUNCTIONS

| No. | Functional Unit | No. of Channels | No. of Channels to Trip |
|---|---|---|---|
| 1 | Containment isolation | | |
| | Automatic safety injection (phase A) | See items 1b through 1d of table 7.3.1-1 | |
| | Manual (phase A) | 2 | 1 |
| 2 | Steam line isolation | | |
| | High steam line negative pressure rate | 12 (3 per steam line) | 2 per steam line in any steam line |
| | Containment pressure (high-2) | 3 | 2 |
| | Low steam line pressure | 12 (3 per steam line) | 2 per steam line in any steam line |
| | Manual (a) | 2 per steam line | 1 per steam line |
| 3 | Feedwater line isolation | | |
| | Safety injection | See items 1a through 1d of table 7.3.1-1 | |
| | Steam generator high-high level 2/4 on any steam generator | 16 (4 per steam generator) | 2 per steam generator |
| | Reactor trip coincident with low Tavg | 2 (reactor trip) | 1 |
| | | 4 (low Tavg) | 2 |
| | Manual | 1 per feedwater line | 1 per feedwater line |

- a. Two tandem switches (one for train A and one for train B) will simultaneously close all main steam line and main steam bypass isolation valves at the system level.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.1-3
INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

| Designation | Input | Function Performed |
|---|---|---|
| P-4 | Reactor trip | Actuates turbine trip. Closes main and bypass feedwater valves on low Tavg below set point. Prevents opening of main and bypass feedwater valves which were closed by safety injection or high-high steam generator water level. Allows manual block of the automatic reactuation of safety injection. Transfers steam dump control from the load rejection controller to the plant trip controller. |
| | Reactor not tripped | Defeats the block preventing automatic reactuation of safety injection. |
| P-11 | 2/3 pressurizer pressure below setpoint | Allows manual block of safety injection actuation on low pressurizer pressure signal. Allows manual block of safety injection actuation and steam line isolation on low compensated steam line pressure signal and allows steam line isolation on high steam line negative pressure rate. |
| | 2/3 pressurizer pressure above setpoint | Defeats manual block of safety injection actuation on low pressurizer pressure and safety injection and steam line isolation on low steam line pressure and defeats steam line isolation on high steam line negative pressure rate. |
| P-12 (a) | 2/4 low-low Tavg below setpoint | Blocks steam dump except cooldown condenser dump valves. Allows manual bypass of steam dump block for the cooldown valves only. |
| | 2/4 low-low Tavg above setpoint | Defeats the manual bypass of steam dump block. |
| P-14 | 2/4 steam generator high-high water level above setpoint on any steam generator | Closes all feedwater regulating valves and isolation valves. Trips all main feedwater pumps which close the pump discharge valves. Actuates turbine trip. |

- a. ESF interlock not applicable.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.1-4
PRIMARY SYSTEM ACCIDENTS AND REQUIRED INSTRUMENTATION RUPTURES IN SMALL PIPES, CRACKS IN LARGE PIPES, RUPTURES OF LARGE PIPES, AND STEAM GENERATOR TUBE RUPTURE

| Channel | Response Time (s) (a) | Accuracy (a) | Range |
|---|---|---|---|
| Pressurizer pressure | (c) | +1.75 percent of span | 1700 to 2500 psig |
| Containment pressure (b) | (d) | +1.75 percent of span | 0 to 115 percent of containment design pressure |

- a. See section 7.1 for definitions of engineered safety features actuation system response time and accuracy.
- b. Not required for steam generator tube rupture.
- c. Total time from step change in pressurizer pressure until start of safety injection pumps is 27 s with offsite power available and 40 s with offsite power unavailable.
- d. Total time from step change in containment pressure until full containment spray is obtained is 94 s (includes 29 s for diesel start and sequencing and 65 s for filling the spray header).
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.1-5
SECONDARY SYSTEM ACCIDENTS AND REQUIRED INSTRUMENTATION, MINOR SECONDARY SYSTEM PIPE BREAK, AND MAJOR SECONDARY SYSTEM PIPE BREAK

| Item | Channel | Response Time (s) (a) | Accuracy (a) | Range |
|---|---|---|---|---|
| 1 | Containment pressure (b) | (b) | +1.75 percent of full scale | 0 to 115 percent of containment design pressure |
| 2 | Steam line pressure | 10.0 (c) | +2.25 percent of span | 0 to 1300 psig |
| 3 | Steam line pressure rate | See item 2 for sensor characteristics | | |
| 4 | Tavg | N/A | +2°F | 530 to 630°F |
| 5 | Pressurizer pressure | (d) | +1.75 percent of span | 1700 to 2500 psig |

- a. See section 7.1 for definitions of engineered safety features actuation system response time and accuracy.
- b. Total time from step change in containment pressure until full containment spray is obtained is 94 s (includes 29 s for diesel start and sequencing and 65 s for filling the spray header).
- c. Total time from step change in steam pressure until steam line isolation valves are fully closed.
- d. Total time from step change in pressurizer pressure until start of safety injection pumps is 27 s with offsite power available and 40 s with offsite power unavailable.
VEGP-FSAR-7 REV 19 4/15 TABLE 7.3.1-6
ENGINEERED SAFETY FEATURES RESPONSE ITEMS

| Initiation Signal and Function | Response Time in Seconds |
|---|---|
| 1. Manual Initiation | |
| a. Safety Injection (ECCS) | N/A |
| Feedwater Isolation | N/A |
| Component Cooling Water | N/A |
| Containment Cooling Fans | N/A |
| Nuclear Service Cooling Water | N/A |
| Containment Ventilation Isolation | N/A |
| b. Containment Spray | N/A |
| c. Phase "A" Isolation | N/A |
| d. Auxiliary Feedwater | N/A |
| e. Steam Line Isolation | N/A |
| f. Control Room Ventilation Emergency Mode Actuation | N/A |
| g. Reactor Trip | N/A |
| h. Start Diesel Generators | N/A |
| 2. Containment Pressure--High-1 | |
| a. Safety Injection (ECCS) | 39 (1)/27 (5) |
| b. Reactor Trip (from SI) | 2 |
| c. Feedwater Isolation | 7 |
| d. Phase "A" Isolation | 2 (6) |
| e. Containment Ventilation Isolation | 1.5 (6) |
| f. Auxiliary Feedwater | 60 |
| g. Nuclear Service and Component Cooling Water | 100 (1)/88.5 (2) |
| h. Containment Cooling Fans | 48 (1)/36.5 (2) |
| i. Control Room Ventilation Emergency Mode Actuation | 69.3 (12)/99.3 (13) |
| j. Start Diesel Generators | 13.5 (7) |
| 3. Pressurizer Pressure--Low | |
| a. Safety Injection (ECCS) | 39 (1)/27 (5) |
| b. Reactor Trip (from SI) | 2 |
| c. Feedwater Isolation | 7 |
| d. Phase "A" Isolation | 2 (6) |
| e. Containment Ventilation Isolation | 1.5 (6) |
| f. Auxiliary Feedwater | 60 |
| g. Nuclear Service and Component Cooling Water | 100 (1)/88.5 (2) |
| h. Containment Cooling Fans | 48 (1)/36.5 (2) |
| i. Control Room Ventilation Emergency Mode Actuation | 69.3 (12)/99.3 (13) |
| j. Start Diesel Generators | 13.5 (7) |
| 4. Steam Line Pressure--Low | |
| a. Safety Injection (ECCS) | 39 (1)/27 (5) |
| b. Reactor Trip (from SI) | 2 |
| c. Feedwater Isolation | 7 |
| d. Phase "A" Isolation | 2 (6) |
| e. Containment Ventilation Isolation | 1.5 (6) |
| f. Auxiliary Feedwater | 60 |
| g. Nuclear Service and Component Cooling Water | 100 (1)/88.5 (2) |
| h. Containment Cooling Fans | 48 (1)/36.5 (2) |
| i. Control Room Ventilation Emergency Mode Actuation | 69.3 (12)/99.3 (13) |
| j. Start Diesel Generators | 13.5 (7) |
| k. Steam Line Isolation | 10 (3) |
| 5. Containment Pressure--High-3 | |
| Containment Spray | 82.5 (2)/94 (1) |
| 6. Containment Pressure--High-2 | |
| Steam Line Isolation | 10 (3) |
| 7. Steam Line Pressure - Negative Rate-High | |
| Steam Line Isolation | 10 (3) |
| 8. Steam Generator Water Level--High-High | |
| a. Turbine Trip | N/A |
| b. Feedwater Isolation | 7 |
| 9. Steam Generator Water Level--Low-Low | |
| a. Motor-Driven Auxiliary Feedwater Pumps | 60 |
| b. Turbine-Driven Auxiliary Feedwater Pump | 60 |
| 10. Loss of or Degraded 4.16 kV ESF Bus Voltage | |
| Auxiliary Feedwater | 60 (14) |
| 11. Trip of All Main Feedwater Pumps | |
| Motor Driven Pumps | N/A |
| Auxiliary Feedwater | N/A |
| 12. RWST Level-Low-Low Coincident with Safety Injection | N/A |
| a. Semi-Automatic Switchover to Containment Emergency Sump | 60 |
| 13. Loss of Power | |
| b. 4.16 kV ESF Bus Undervoltage - Grid Degraded Voltage; Start Signal to Diesel Generator | 21.2 (10) |
| 14. Control Room Intake Radiogas | |
| Control Room Ventilation Emergency Mode Actuation | 72.0 (15)/102.0 (16) |
| 15. Containment Radioactivity | |
| a. Area Radiation Low Range- Containment Ventilation Isolation | 5 (8, 11) |
| b. Containment Ventilation Radiation-Containment Ventilation Isolation | 5 (8, 11) |
| 16. Fuel Handling Building Exhaust Duct Radiation | |
| a. Fuel Handling Building Post Accident Ventilation Actuation | N/A |

TABLE NOTATIONS
(1) Time to full ECCS flow. Signal sensing, diesel generator starting, and sequencer loading delays included.
(2) Diesel generator starting delay not included. Offsite power available.
(3) Electrohydraulic valves.
(4) Deleted.
(5) Time to full ECCS flow. Diesel generator starting delay not included.
(6) Does not include valve closure time.
(7) Signal sensing, diesel generator starting and diesel generator breaker delay included.
(8) Does not include valve closure time and relates to post-accident radiation sources as specified in FSAR subsection 15.7.4.
(9) The response time shall include the time delay associated with the loss of voltage relays plus the delay associated with operation of the respective SF sequencer output relays.
(10) The response time shall include the time delay associated with the undervoltage relays plus the delay associated with operation of the respective SF sequencer output relays.
(11) Radiation detectors time response not included.
(12) Signal sensing, sequencer loading, and flow establishment delays included for the train B lead filter unit.
(13) Signal sensing, sequencer loading, train B lead fan failure, and flow establishment delays included for the train A lag filter unit.
(14) For loss of voltage, the response time begins when the loss of voltage trip setpoint of Surveillance Requirement (SR) 3.3.5.2.A has been exceeded. For degraded voltage, the response time begins when the degraded voltage trip setpoint of SR 3.3.5.2.B has been exceeded continuously for the time delay specified in SR 3.3.5.2.B.
(15) Signal sensing and flow establishment delays included for the train B lead filter unit. Response time criteria permit detection of degradation; however, analysis of record allows up to 138 s.
(16) Signal sensing, train B lead fan failure and flow establishment delays included for the train A lag filter unit. Response time permits detection of degradation; however, analysis of record allows up to 138 s.
VEGP-FSAR-7 REV 19 4/15 TABLE 7.3.1-7
ENGINEERED SAFETY FEATURES ALLOCATION TIMES

| Function | Sensor | Time | 7300/NIS String | Time | SSPS Relays | Time |
|---|---|---|---|---|---|---|
| CNMT PRESS HI-1 | Barton 764/351 | 1.0 s | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| CNMT PRESS HI-2 | Barton 764/351 | 1.0 s | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| CNMT PRESS HI-3 | Barton 764/351 | 1.0 s | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| STEAMLINE PRESS LO | Tobar 32PA | 200 ms | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| | Veritrak 76PG | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| | Rosemount 1153GB9 | 200 ms | | | | |
| STEAMLINE HI NEG RATE | Tobar 32PA | 200 ms | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| | Veritrak 76PG | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| | Rosemount 1153GB9 | 200 ms | | | | |
| PZR PRESS LO SI | Tobar 32PG | 200 ms | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| | Veritrak 76PH | 200 ms | | | | |
| | Rosemount 1154SH9 | 200 ms | | | | |
| RWST LEVEL LO-LO | Tobar 32DP | 400 ms | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| | Veritrak 76DP | 400 ms | | | | |
| | Rosemount 1153DB5 | 200 ms | | | | |
| SG LEVEL LO-LO | Tobar 32DP | 400 ms | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| | Veritrak 76DP | 400 ms | | | | |
| | Rosemount 1154DH5 | 200 ms | | | | |
| SG LEVEL HI-HI | Tobar 32DP | 400 ms | NLP+NAL | 65 ms | Input+Master+Slave | 88 ms |
| | Veritrak 76DP | 400 ms | | | | |
| | Rosemount 1154DH5 | 200 ms | | | | |
| CNMT AREA RADIATION LEVEL HI | Westinghouse | (1) | N/A | N/A | Input+Master+Slave | 88 ms |
| CNMT VENT RADIATION LEVEL HI | Westinghouse | (1) | N/A | N/A | Input+Master+Slave+Slave | 124 ms |

Note 1: Allocated sensor times are not used for these variables. These components will continue to be tested as required.
Allocated sensor times are derived from method (3), section (9), WCAP-13632, revision 2 (Vendor Engineering Specifications). Tobar, Veritrak, and Barton times were provided in Table 9-1. Rosemount times are from Rosemount manuals 4302 and 4631. The Rosemount response time specifications may also be found in NUREG/CR-5383. Transmitter FMEAs are based upon EPRI report NP-7243, revision 1.
Values for 7300 cards are from tables 4-7 through 4-12 of WCAP-14036, revision 1. Cards installed are 4NCH, 4NRA, 6NLP, 4NSA, and 9NAL or older artwork levels.
SSPS input and master relays are Potter & Brumfield KH series relays. SSPS slave relays are Potter & Brumfield MDR relays. Values are tabulated from section 4.8, Westinghouse SSPS FMEA.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.3-1
CONTAINMENT COMBUSTIBLE GAS CONTROL SYSTEM ACTUATED EQUIPMENT LIST (a)

| Description | Actuating Train (A or B) |
|---|---|
| Post-LOCA purge exhaust inside valve | X |
| Post-LOCA purge exhaust inside valve | X |
| Containment hydrogen monitor A supply inside valves | X |
| Containment hydrogen monitor B supply inside valves | X |
| Containment hydrogen monitor A supply outside valve | X |
| Containment hydrogen monitor B supply outside valve | X |
| Containment hydrogen monitor A supply return valve | X |
| Containment hydrogen monitor B supply return valve | X |
| Containment cooler fan 1 | X |
| Containment cooler fan 2 | X |
| Containment cooler fan 3 | X |
| Containment cooler fan 4 | X |
| Containment cooler fan 5 | X |
| Containment cooler fan 6 | X |
| Containment cooler fan 7 | X |
| Containment cooler fan 8 | X |
| Containment hydrogen thermal recombiner 1 | X |
| Containment hydrogen thermal recombiner 2 | X |
| Post-LOCA cavity purge system fan 1 | X |
| Post-LOCA cavity purge system fan 2 | X |

- a. Additional details are provided on the electrical schematic diagrams and the control logic diagrams referenced in section 1.7.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.4-1
CONTAINMENT PURGE ISOLATION SYSTEM ACTUATED DEVICES (a)
Containment post-loss-of-coolant accident (post-LOCA) purge isolation valve, Train A, inside reactor containment (IRC): HV-2624A
Containment post-LOCA purge isolation valve, Train B, IRC: HV-2624B
Containment preaccess purge supply valve, Train A, IRC: HV-2626A
Containment minipurge supply valve, Train A, IRC: HV-2626B
Containment preaccess purge supply valve, Train B, outside reactor containment (ORC): HV-2627A
Containment minipurge supply valve, Train B, ORC: HV-2627B
Containment preaccess purge exhaust valve, Train A, IRC: HV-2628A
Containment minipurge exhaust valve, Train A, IRC: HV-2628B
Containment preaccess purge exhaust valve, Train B, ORC: HV-2629A
Containment minipurge exhaust valve, Train B, ORC: HV-2629B
- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.5-1
FUEL HANDLING BUILDING VENTILATION POST-ACCIDENT ACTUATED EQUIPMENT (a)

| Description | Actuating Train |
|---|---|
| Emergency HVAC system fan motor A-1542-N7-001-M01 | A |
| Emergency HVAC system fan motor A-1542-N7-002-M01 | B |
| Emergency HVAC system inlet damper HV-12510 | A |
| Emergency HVAC system inlet damper HV-12511 | B |
| Emergency HVAC system discharge damper HV-12512 | A |
| Emergency HVAC system discharge damper HV-12513 | B |
| Normal HVAC system supply isolation HV-2528 | B |
| Normal HVAC system supply isolation HV-2529 | A |
| Normal HVAC system supply isolation HV-2534 | B |
| Normal HVAC system supply isolation HV-2535 | A |
| Normal HVAC system exhaust isolation HV-12479 | A |
| Normal HVAC system exhaust isolation HV-12480 | B |
| Normal HVAC system to equipment building isolation HV-12481 | A |
| Normal HVAC system to equipment building isolation HV-12482 | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.6-1
CONTROL ROOM VENTILATION ISOLATION CONTROL SYSTEM MONITOR SENSITIVITIES AND RESPONSE TIMES

| Type | Concentration Setpoint for Isolation (µmCi/cm3) | Concentration Setpoint for Isolation (ppm) | Limiting Isotope | Response Time |
|---|---|---|---|---|
| Gaseous Radioactivity | 3x10 | | Kr 85 | (a) |
| Smoke | - | - | - | Manual actuation |

- a. Response time is radiation-level dependent.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.6-2
CONTROL ROOM VENTILATION ISOLATION CONTROL SYSTEM ACTUATED EQUIPMENT LIST (a)

| Description | Actuation Channel or Train |
|---|---|
| Control room (CR) filter unit fan motor (1-1531-N7-001-M01) | A |
| CR filter unit fan motor (1-1531-N7-002-M01) | B |
| Emergency supply outlet damper HV-12128 | A |
| Emergency supply outlet damper HV-12129 | B |
| Emergency return fan motor (1-1531-B7-005-M01)(b) | A |
| Emergency return fan motor (1-1531-B7-006-M01)(b) | B |
| Emergency return air damper HV-12130 | A |
| Emergency return air damper HV-12131 | B |
| Outside air isolation damper HV-12114 (c) | A |
| Outside air isolation damper HV-12115 (c) | B |
| Normal CR A/C unit fan motor A-1531-A7-001-M01 | Nontrain |
| Normal CR A/C unit fan motor A-1531-A7-002-M01 | Nontrain |
| Normal CR A/C unit inlet damper HV-12143 | Nontrain |
| Normal CR A/C unit inlet damper HV-12144 | Nontrain |
| Normal CR A/C unit discharge damper 1HV-12146 | A |
| Normal CR A/C unit discharge damper 1HV-12147 | B |
| Normal CR A/C unit return air 1HV-12148 | B |
| Normal CR A/C unit return air 1HV-12149 | A |
| CR kitchen, toilet, and conference room exhaust fan motor A-1531-B7-008-M01 | Nontrain |
| CR kitchen, toilet, etc., fan inlet damper HV-12162 | A |
| CR kitchen, toilet, etc., fan inlet damper HV-12163 | B |
| Normal CR A/C unit discharge damper 2HV-12146 | A |
| Normal CR A/C unit discharge damper 2HV-12147 | B |
| Normal CR A/C unit return damper 2HV-12148 | B |
| Normal CR A/C unit return damper 2HV-12149 | A |
| Normal CR A/C return and exhaust fan motor A-1531-B7-009-M01 | Nontrain |
| Normal CR A/C return and exhaust fan motor A-1531-B7-010-M01 | Nontrain |

- a. Refer to appropriate logic diagrams for additional actuated devices.
- b. Return air fans are disabled and abandoned in place as their function is not required.
- c. Manual actuation only.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.8-1
MAIN STEAM, MAIN STEAM BYPASS, AND MAIN FEEDWATER AND FEEDWATER BYPASS ISOLATION ACTUATED DEVICES (a)

| Actuated Device | Train |
|---|---|
| Main steam isolation valve HV-3006A SG 001 | A |
| Main steam isolation valve bypass isolation valve HV-13005A SG 001 | A |
| Main steam isolation valve HV-3006B SG 001 | B |
| Main steam isolation valve bypass isolation valve HV-13005B SG 001 | B |
| Main steam isolation valve HV-3016A SG 002 | A |
| Main steam isolation valve bypass isolation valve HV-13007A SG 002 | A |
| Main steam isolation valve HV-3016B SG 002 | B |
| Main steam isolation valve bypass isolation valve HV-13007B SG 002 | B |
| Main steam isolation valve HV-3026A SG 003 | A |
| Main steam isolation valve bypass isolation valve HV-13008A SG 003 | A |
| Main steam isolation valve HV-3026B SG 003 | B |
| Main steam isolation valve bypass isolation valve HV-13008B SG 003 | B |
| Main steam isolation valve HV-3036A SG 004 | A |
| Main steam isolation valve bypass isolation valve HV-13006A SG 004 | A |
| Main steam isolation valve HV-3036B SG 004 | B |
| Main steam isolation valve bypass isolation valve HV-13006B SG 004 | B |
| Main feedwater isolation valve HV-5227 SG 001 | A and B |
| Main feedwater isolation valve HV-5228 SG 002 | A and B |
| Main feedwater isolation valve HV-5229 SG 003 | A and B |
| Main feedwater isolation valve HV-5230 SG 004 | A and B |
| Main feedwater isolation bypass valve HV-15196 SG 001 | A and B |
| Main feedwater isolation bypass valve HV-15197 SG 002 | A and B |
| Main feedwater isolation bypass valve HV-15198 SG 003 | A and B |
| Main feedwater isolation bypass valve HV-15199 SG 003 | A and B |
| Main feedwater regulating valve FV-0510 SG 001 | A and B |
| Main feedwater regulating valve FV-0520 SG 002 | A and B |
| Main feedwater regulating valve FV-0530 SG 003 | A and B |
| Main feedwater regulating valve FV-0540 SG 004 | A and B |
| Bypass feedwater regulating valve LV-5243 SG 001 | A and B |
| Bypass feedwater regulating valve LV-5244 SG 002 | A and B |
| Bypass feedwater regulating valve LV-5245 SG 003 | A and B |
| Bypass feedwater regulating valve LV-5242 SG 004 | A and B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.9-1
NSCW ACTUATED DEVICES (a)

| Actuated Device | Train |
|---|---|
| 1. NSCW pump 1-1202-P4-001-M01 | A |
| 2. NSCW pump 1-1202-P4-002-M01 | B |
| 3. NSCW pump 1-1202-P4-003-M01 | A |
| 4. NSCW pump 1-1202-P4-004-M01 | B |
| 5. NSCW pump 1-1202-P4-005-M01 | A |
| 6. NSCW pump 1-1202-P4-006-M01 | B |
| 7. NSCW pump 1-1202-P4-007-M01 | B |
| 8. NSCW pump 1-1202-P4-008-M01 | A |
| 9. NSCW fan 1-1202-W4-001-F01 | A |
| 10. NSCW fan 1-1202-W4-002-F01 | B |
| 11. NSCW fan 1-1202-W4-001-F02 | A |
| 12. NSCW fan 1-1202-W4-002-F02 | B |
| 13. NSCW fan 1-1202-W4-001-F03 | A |
| 14. NSCW fan 1-1202-W4-002-F03 | B |
| 15. NSCW fan 1-1202-W4-001-F04 | A |
| 16. NSCW fan 1-1202-W4-002-F04 | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.10-1
COMPONENT COOLING WATER SYSTEM ACTUATED DEVICES (a)

| Actuated Device | Train |
|---|---|
| Component cooling water pump 1-1203-04-001 | A |
| Component cooling water pump 1-1203-04-003 | A |
| Component cooling water pump 1-1203-04-005 | A |
| Component cooling water pump 1-1203-04-002 | B |
| Component cooling water pump 1-1203-04-004 | B |
| Component cooling water pump 1-1203-04-006 | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.11-1
CONTAINMENT HEAT REMOVAL SYSTEM ACTUATED DEVICES (a)

| Component | Train |
|---|---|
| Containment building cooling unit fan 1-1501-A7-001-M001 | A |
| Containment building cooling unit fan 1-1501-A7-002-M01 | A |
| Containment building cooling unit fan 1-1501-A7-003-M01 | B |
| Containment building cooling unit fan 1-1501-A7-004-M01 | B |
| Containment building cooling unit fan 1-1501-A7-005-M01 | A |
| Containment building cooling unit fan 1-1501-A7-006-M01 | A |
| Containment building cooling unit fan 1-1501-A7-007-M01 | B |
| Containment building cooling unit fan 1-1501-A7-008-M01 | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.12-1
CONTROL BUILDING ESF HVAC SYSTEM ACTUATED EQUIPMENT LIST (a)

| Description | Actuation Channel or Train |
|---|---|
| Control building safety feature electrical equipment ac unit fan motor (1-1532-A7-001-M01) | A |
| Control building safety feature electrical equipment ac unit fan motor (1-1532-A7-002-M01) | B |
| Control building safety feature battery room exhaust fan motor (1-1532-B7-001-M01) | A |
| Control building safety feature battery room exhaust fan motor (1-1532-B7-003-M01) | A |
| Control building safety feature battery room exhaust fan discharge dampers (HV-12742) | A |
| Control building safety feature battery room exhaust fan discharge damper (HV-12748) | A |
| Control building safety feature battery room exhaust fan motor (1-1532-B7-002-M01) | B |
| Control building safety feature battery room exhaust fan motor (1-1532-B7-004-M01) | B |
| Control building safety feature battery room exhaust fan discharge damper (HV-12727) | B |
| Control building safety feature battery room exhaust fan discharge damper (HV-12749) | B |
| Control building control room ESF chiller room exhaust fan motor (1-1531-B7-002-M01) | A |
| Control building control room ESF chiller room exhaust fan motor (1-1531-B7-004-M01) | B |
| Control building electrical penetration filter unit heater (1-1562-N7-001-H01) | A |
| Control building electrical penetration filter unit heater (1-1562-N7-002-H01) | B |
| Control building auxiliary relay room ESF air-conditioning unit fan motor (1-1539-A7-001-M01) | A |
| Control building auxiliary relay room ESF air-conditioning unit fan motor (1-1539-A7-002-M01) | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.13-1
AUXILIARY BUILDING ESF HVAC SYSTEM ACTUATED EQUIPMENT LIST (a)

| Description | Actuation Channel or Train |
|---|---|
| Electrical switchgear and MCC room cooler motors: | |
| 1-1555-A7-001-M01 | A |
| 1-1555-A7-002-M01 | B |
| 1-1555-A7-003-M01 | A |
| 1-1555-A7-004-M01 | B |
| 1-1555-A7-005-M01 | A |
| 1-1555-A7-006-M01 | B |
| Residual heat removal pump room cooler motors: | |
| 1-1555-A7-007-M01 | A |
| 1-1555-A7-008-M01 | B |
| Containment spray pump room cooler motors: | |
| 1-1555-A7-009-M01 | A |
| 1-1555-A7-010-M01 | B |
| Component cooling water pump room cooler motors: | |
| 1-1555-A7-011-M01 | A |
| 1-1555-A7-012-M01 | B |
| Charging pump room cooler motors: | |
| 1-1555-A7-013-M01 | A |
| 1-1555-A7-014-M01 | B |
| Safety injection pump room cooler reactors: | |
| 1-1555-A7-015-M01 | A |
| 1-1555-A7-016-M01 | B |
| Spent fuel pool heat exchanger and pump room cooler motors: | |
| 1-1555-A7-017-M01 | A |
| 1-1555-A7-018-M01 | B |
| Piping penetration room filtration and exhaust unit motors: | |
| 1-1561-N7-001-M01 | A |
| 1-1561-N7-002-M01 | B |
| Piping penetration room filtration and exhaust unit heaters: | |
| 1-1561-N7-001-H01 | A |
| 1-1561-N7-002-H01 | B |
| Piping penetration room filtration and exhaust unit dampers: | |
| HV-12614 and PV-2550A and PV-2550B | A |
| HV-12616 and PV-2551A and PV-2551B | B |
| Piping penetration area isolation dampers: | |
| HV-12605 (controlled by SO-V HY-12605) | A |
| HV-12606 (controlled by SO-V HY-12606) | B |
| HV-12604 (controlled by SO-V HY-12604) | A |
| HV-12607 (controlled by SO-V HY-12607) | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.14-1
AUXILIARY FEEDWATER PUMPHOUSE ESF HVAC SYSTEM ACTUATED EQUIPMENT LIST (a)

| Description | Actuation Channel or Train |
|---|---|
| Motor-driven auxiliary feedwater pump A room air supply fan motor (1-1593-B7-001-M01) | A |
| Motor-driven auxiliary feedwater pump A room air shutoff damper (HV-12006) | A |
| Motor-driven auxiliary feedwater pump B room air supply fan motor (1-1593-B7-002-M01) | B |
| Motor-driven auxiliary feedwater pump B room air shutoff damper (HV-12005) | B |
| Turbine-driven auxiliary feedwater pump room air intake damper (HV-12010 controlled by HY-12010 solenoid valve) | C |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.15-1
DIESEL GENERATOR BUILDING ESF HVAC SYSTEM ACTUATED EQUIPMENT LIST (a)

| Description | Actuations Train or Channel |
|---|---|
| ESF supply fan motors: | |
| 1-1566-B7-001-M01 | A |
| 1-1566-B7-002-M01 | B |
| 1-1566-B7-003-M01 | A |
| 1-1566-B7-004-M01 | B |
| Recirculation dampers: | |
| TV-12100A (controlled by I/P converter TY-12100A) | A |
| TV-12100 (controlled by I/P converter TY-12100A) | A |
| TV-12101A (controlled by I/P converter TY-12101A) | B |
| TV-12101 (controlled by I/P converter TY-12101A) | B |
| Air intake dampers: | |
| TV-12094C (controlled by I/P converter TY-12094A) | A |
| TV-12094A (controlled by I/P converter TY-12094A) | A |
| TV-12094B (controlled by I/P converter TY-12094B) | A |
| TV-12094D (controlled by I/P converter TY-12094B) | A |
| TV-12095A (controlled by I/P converter TY-12095A) | B |
| TV-12095C (controlled by I/P converter TY-12095A) | B |
| TV-12095B (controlled by I/P converter TY-12095B) | B |
| TV-12095D (controlled by I/P converter TY-12095B) | B |
| Exhaust dampers: | |
| TV-12086 (controlled by SOL valve TY-12086) | A |
| TV-12086A (controlled by SOL valve TY-12086) | A |
| TV-12099 (controlled by SOL valve TY-12099) | B |
| TV-12099A (controlled by SOL valve TY-12099) | B |
| TV-12096 (controlled by SOL valve TY-12096) | A |
| TV-12096A (controlled by SOL valve TY-12096) | A |
| TV-12097 (controlled by SOL valve TY-12096) | A |
| TV-12097A (controlled by SOL valve TY-12096) | A |
| TV-12098 (controlled by SOL valve TY-12098) | B |
| TV-12098A (controlled by SOL valve TY-12098) | B |
| TV-12085 (controlled by SOL valve TY-12098) | B |
| TV-12085A (controlled by SOL valve TY-12098) | B |
| Non-ESF fan unit isolation dampers: | |
| HV-12052 | A |
| HV-12055 | B |
| ESF supply fan discharge dampers: | |
| HV-12050 | A |
| HV-12051 | A |
| HV-12053 | B |
| HV-12054 | B |

- a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.16-1 ELECTRICAL TUNNEL ESF HVAC SYSTEM ACTUATED EQUIPMENT LIST (a)
Actuation Description    Train or Channel
Diesel power cable tunnel exhaust fan motors:
  1-1540-B7-001-M01    A
  1-1540-B7-002-M01    B
NSCW tower cable tunnel exhaust fan motors:
  1-1540-B7-003-M01    A
  1-1540-B7-004-M01    B
Turbine building and auxiliary building exhaust fan motor:
  2-1540-B7-005-M01 (Unit 2 only)    A
  1-1540-B7-005-M01 (Unit 1 only)    A
a. Refer to appropriate logic diagrams for additional actuated devices.
VEGP-FSAR-7 REV 14 10/07 TABLE 7.3.17-1 DIESEL GENERATOR FUEL OIL SYSTEM ACTUATED EQUIPMENT LIST (a)
Actuation Description    Train or Logic
Diesel fuel oil storage tank pumps:
  1-2403-P4-001    A
  1-2403-P4-002    A
  1-2403-P4-003    B
  1-2403-P4-004    B
a. Refer to appropriate logic diagrams for additional actuated devices.
REV 14 10/07 TYPICAL ENGINEERED SAFETY FEATURES TEST CIRCUITS
FIGURE 7.3.1-1
REV 14 10/07 ENGINEERED SAFEGUARDS TEST CABINET (INDEX, NOTES, AND LEGEND)
FIGURE 7.3.1-2
VEGP-FSAR-7
7.4-1 REV 14 10/07
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
The functions necessary for safe shutdown are available through instrumentation and control
channels associated with the major systems in both the primary and secondary plant. These
channels are normally aligned to serve a variety of operational functions, including startup and shutdown, as well as protective functions. There are no systems specifically and solely
dedicated as safe shutdown systems. However, procedures for securing and maintaining the
plant in a safe condition can be instituted by appropriate alignment of selected plant systems.
The discussion of these systems, together with the applicable codes, criteria, and guidelines, is
found in other sections of this safety analysis report. In addition, the alignment of systems
associated with the engineered safety features, which are invoked under postulated limiting fault
situations, is discussed in section 6.3, paragraphs 7.3.1.1.1.1 and 7.3.1.1.1.5, and tables 7.3.1-1,
7.3.1-2, and 7.3.1-3. In the event of a turbine or reactor trip, the plant is placed in a hot
standby condition. During the hot standby condition, an adequate heat sink is provided to
remove reactor core residual heat. Boration capability is provided to compensate for xenon
decay and to maintain the required core shutdown margin. Redundancy of systems and
components is provided to enable continued maintenance of the hot standby condition.
Redundant systems and components exist for taking the plant to the cold shutdown condition, if required.
The instrumentation and control systems required to be aligned for maintaining safe shutdown of the reactor, which are discussed in this section, are the minimum needed under nonaccident
conditions. These systems permit the necessary operations that:
- Prevent the reactor from returning to criticality.
- Provide an adequate heat sink so that design and safety limits on reactor coolant system (RCS) temperature and pressure are not exceeded.
The designation of systems required for safe shutdown depends on identifying those systems
which provide the following capabilities for maintaining a safe shutdown:
- Coolant circulation.
- Boration.
- Heat removal.
- Depressurization.
The specific systems, together with the necessary associated instrumentation and controls, are
identified for both hot standby and cold shutdown in subsections 7.4.1 and 7.4.2. Table 7.4.1-1
tabulates systems available for safe shutdown.
Maintenance of a shutdown with these systems and associated instrumentation and controls has included consideration of the accident consequences that might jeopardize safe shutdown
conditions. The accident consequences that are germane are those that would tend to degrade
the capabilities for coolant circulation, boration, heat removal, and depressurization.
The results of the accident analysis are presented in chapter 15. Of these, the following produce consequences that might jeopardize safe shutdown conditions:
- Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant (uncontrolled boron dilution) (15.4.6).
- Loss of normal feedwater flow (15.2.7).
- Loss of external electrical load and/or turbine trip (15.2.2 and 15.2.3).
- Loss of offsite ac power to the station auxiliaries (15.2.6).
These analyses show that safety is not adversely affected by these incidents, with the
associated assumptions being that one train of the instrumentation and controls discussed in
subsections 7.4.1 and 7.4.2 is available to control and/or monitor shutdown. These required
systems will allow the maintenance of safe shutdown even under the accident conditions listed
above, which would tend toward a return to criticality or a loss of heat sink.
In addition to the operation of systems required for safe shutdown, as described below, the following are assumed:
- The turbine is tripped. (Note that this can be accomplished at the turbine as well as inside the control room.)
- The reactor is tripped. (Note that this can be accomplished at the shutdown panels as well as inside the control room.)
- All automatic systems continue functioning as long as offsite power and the plant compressed air system are available. With a loss of either, components relying on these systems are assumed to take their fail-safe position unless failure to do so is the most limiting single failure.
7.4.1 HOT STANDBY
To effect a unit shutdown, the unit is initially brought to a hot standby condition under control from the main control room or the shutdown panels. Hot standby is defined as the condition in which the reactor is subcritical (Keff < 0.99) and the RCS temperature and pressure are in the normal operating range. To accomplish a hot standby, the following functions are required: coolant circulation, boration, and heat removal. The portions of the reactor trip system required to achieve the shutdown condition are described in section 7.2. The system and component controls and monitoring indicators provided on the shutdown panels are listed in subsection 7.4.3. The minimum controls and monitoring indicators required to maintain a hot standby under a nonaccident condition are tabulated and discussed below. Table 7.4.2-1 lists the instrumentation and controls available for hot standby and hot or cold shutdown and provides
the location of controls and indication.
A. Required Systems and Component Controls
1. Auxiliary feedwater system.
2. Condensate storage facility.
3. Main steam power-operated atmospheric relief valves.
4. Centrifugal charging pumps.
5. Nuclear service cooling water (NSCW) pumps.
6. NSCW fans.
7. Component cooling water pumps.
8. Containment fan coolers.
9. Emergency diesel generators (and associated onsite electrical distribution system).
10. Control room ventilation.
11. Emergency ventilation systems for those areas housing equipment required for safe shutdown.
12. Essential chilled water.
B. Required Monitoring Indicators
1. Steam generators
- Water level for each steam generator.
2. Pressurizer
- Water level.
3. Reactor Coolant System
- Hot leg temperatures.
- Cold leg temperatures.
- Pressure.
7.4.1.1 Auxiliary Feedwater Control
The auxiliary feedwater pumps start automatically as described in subsection 7.3.7 or can be started manually. Start/stop motor controls are located at the shutdown panels (trains A and B) and the turbine-driven pump auxiliary feedwater local panel (train C), as well as at the main control board. Control of the motor-operated valves in the auxiliary feedwater system is provided at the shutdown panels, auxiliary feedwater local panel, and the main control board.
7.4.1.2 Power-Operated Atmospheric Steam Relief Valves
7.4.1.2.1 Description
The instrumentation and controls for the atmospheric steam relief system consist of controls, transmitters, and indicators to provide automatic or manual actuation of the power-operated
atmospheric steam relief valves to remove decay heat from the RCS.
Both the main steam safety valves and the power-operated atmospheric steam relief valves are located upstream of the main steam isolation valves, outside of the containment; and both provide a means of removing decay heat in a hot standby condition. The safety valves are full-capacity, spring-loaded valves actuated by high main steam line pressure. They are described
more fully in chapter 10. The power-operated atmospheric steam relief valves, however, are the preferred mode of steam relief to avoid prolonged operation of the safety valves. The power-operated portion of the relief system is safety related, except as specifically noted otherwise in paragraph I below.
A pressure transmitter and pressure controller are provided for each of the steam generators to actuate the power-operated atmospheric steam relief valve and control the steam pressure at a
predetermined setting. Manual control capability is provided both in the control room and on the
shutdown panels for power-operated atmospheric steam relief valve regulation. The status of
the power-operated atmospheric steam relief valves is indicated by open and closed indicating
lights and by the controller output indication provided in the main control room and on the
shutdown panels.
A. Initiating Circuits
No initiating circuits are required for the self-actuated, spring-loaded safety valves. Each power-operated atmospheric steam relief valve is automatically actuated to regulate the steam generator pressure via the pressure controller and can be manually actuated by selecting the manual control mode. The required instrumentation readout for manual system control is described in section 7.5.
B. Logic
No logic is required for the spring-loaded safety valves. Each power-operated atmospheric steam relief valve is individually controlled by its own pressure control loop. Normally atmospheric steam relief valve operation is automatic, but it may be operated manually.
C. Bypass
No bypass is provided. Placement of the power-operated atmospheric steam relief valve controller in the manual mode does not preclude the steam relief functional requirement, since the spring-loaded safety valves provide the code-required relief capability.
D. Interlock
No interlock is provided for the power-operated atmospheric steam relief valve system.
E. Redundancy
Any one of the four power-operated atmospheric steam relief valves provides sufficient steam relief for hot shutdown requirements. Redundancy is accomplished on a system basis, since any one of the four associated steam generators is adequate for the heat removal requirements.
F. Diversity
Diversity is accomplished by the spring-loaded safety valves operating as backup to the power-operated atmospheric steam relief valves.
G. Actuated Devices
The safety valves are self-actuated.
The power-operated atmospheric steam relief valves are electrohydraulic valves designed to fail closed.
H. Supporting Systems
The controls and power for the power-operated atmospheric steam relief valves are powered from the Class 1E power system (chapter 8).
I. Portion of System Not Required for Safety
The alarms to the station annunciator and computer are not required for safety.
J. Design Bases Information
The design bases of the power-operated atmospheric steam relief system (in accordance with Section 3 of Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971) are:
1. The plant condition which requires protective action is hot standby heat removal at controlled steam generator pressure, with or without loss of offsite power.
2. The equipment is located outside the containment and is designed to withstand the temperature range, relative humidity, and atmospheric pressure for that location. (Refer to table 3.11.B.1-1 for specific values.)
3. The power-operated atmospheric steam relief system is designed to withstand the effects of earthquake without loss of function. The system is designed and its components are physically located to prevent loss of function from missile damage.
4. The power-operated atmospheric steam relief controls are analog in nature, and the response of conventional process control equipment adjusted for stable pressure controlling operation is adequate. The power-operated atmospheric steam relief valves are not intended to prevent safety valve operation when the turbine bypass system is not available. The requirement is for the power-operated steam relief valves to relieve the safety valves from a sustained pressure-controlling function in the hot standby mode. Thus, response time and accuracy are not critical for the required performance. The steam generator pressure will be relatively constant (no load steam pressure), with no rapid change required in the mass flowrate from the atmospheric steam relief valves.
7.4.1.2.2 Analysis
A. Conformance to Nuclear Regulatory Commission (NRC) General Design Criteria (GDC)
1. GDC 13 and 19
Instrumentation necessary to monitor station variables associated with hot
standby is provided with adequate indication in the main control room and on the
shutdown panels. Controls for the power-operated atmospheric steam relief are
provided at each location. A description of the surveillance instrumentation is
provided in section 7.5.
2. GDC 34
The power-operated atmospheric steam relief valves provide an adequate means of venting the steam generators to remove reactor decay heat following reactor trip. Modulation of the power-operated atmospheric steam relief valves provides the desired rate of heat removal from the RCS to maintain the hot standby condition. The power-operated atmospheric steam relief system has sufficient redundancy to ensure its intended function, assuming a single failure.
B. Conformance to NRC Regulatory Guides
1. Regulatory Guide 1.22
The power-operated atmospheric steam relief controls can be tested periodically.
2. Regulatory Guide 1.29
The power-operated atmospheric steam relief controls are designed to withstand the effects of a safe shutdown earthquake (SSE) without loss of function. The power-operated atmospheric steam relief controls are classified Seismic Category 1, in accordance with the guide.
C. Conformance to IEEE Standard 279-1971
The controls for the power-operated atmospheric steam relief system conform to the applicable requirements of IEEE Standard 279-1971. The control circuits are designed so that any single failure will not prevent proper protective action (removal of reactor decay heat) when required. This is accomplished by redundant steam relief systems in that only one of the four valves is needed to provide sufficient capacity. The power-operated atmospheric relief valves utilize control power from independent Class 1E power systems. The controllers for the valves are powered from separate independent Class 1E control channels. In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between them.
D. Conformance to Other Criteria and Standards
Conformance to other criteria and standards is given in table 7.1.1-1.
7.4.1.3 Centrifugal Charging System Controls
7.4.1.3.1 Description
If the unit is maintained in a hot standby condition for a prolonged time, a centrifugal charging pump is required to maintain the reactor coolant inventory so that the level in the pressurizer is
maintained above the heaters and to borate to compensate for xenon decay. At the time the
charging pump is brought into operation to replenish the RCS, the boron concentration of the
RCS may be increased, if desired. Normal operation of the charging system is automatic, as
described in paragraph 7.7.1.6. Manual control is also provided both at the main control board
and the shutdown panels. Control of major power-operated valves associated with establishing
a charging path to the RCS is provided in the main control room and at the shutdown panels.
The following discussion is limited to the manual centrifugal charging pump controls. A detailed description of the charging system, its operation, and safety evaluation is provided in section 6.3 and subsection 9.3.4.
A. Initiating Circuits
The charging pumps can be controlled manually by the plant operator for hot standby service. For other initiating circuits, see section 7.3.
B. Logic
The control logic provides for both automatic and manual control features. The pumps can be started under manual control at any time. Refer to section 1.7 for a list of elementary and logic diagrams.
C. Bypass
No bypass of the manual controls, other than maintenance provisions, is provided.
D. Interlocks
When the shutdown panel transfer switch is in the local position, automatic start of the pump on a safety signal is defeated.
E. Redundancy
Two independent centrifugal charging pumps and control circuits are provided, either of which can provide the necessary input to the primary system for the hot standby condition.
F. Diversity
There is no diversity in the manual control circuits or power supplies for the two centrifugal charging pumps.
G. Actuated Devices
The charging pumps and associated valves are the actuated devices.
H. Supporting Systems
The charging pump controls are powered from the Class 1E power system.
I. Portion of System Not Required for Safety
The instrumentation used to monitor the charging pump operation (other than indicating lights for hand switches as an integral part of the control circuit), alarms on the station annunciator and computer, and automatic charging pump control via the pressurizer level control channels are not required for safety.
J. Design Bases Information
The design bases of the charging pump manual controls (in accordance with Section 3 of IEEE Standard 279-1971) are as follows:
1. The generating station condition that requires protective action is low pressurizer level following a reactor trip with or without loss of offsite power.
2. The equipment is located outside the containment and is designed to withstand the temperature range, relative humidity, and atmospheric pressure for its location. Refer to table 3.11.B.1-1 for specific values.
3. The charging pump manual control system is designed to withstand the effects of an SSE without loss of function. The system is designed and its components located to prevent loss of function from missile damage.
7.4.1.3.2 Analysis
A. Conformance to NRC GDC
1. GDC 13 and 19
Instrumentation necessary to monitor station variables associated with hot
standby is provided with adequate indication in the main control room and on the
shutdown control panels. Manual controls for the centrifugal charging pumps are
provided both inside and outside of the control room. A description of the
surveillance instrumentation is provided in section 7.5.
2. GDC 33
The centrifugal charging pump manual controls provide adequate control of the pressurizer level to preclude use of the pressurizer heaters below low-low level. One centrifugal charging pump is sufficient to provide the necessary makeup to the RCS to maintain the hot standby condition.
B. Conformance to NRC Regulatory Guides
1. Regulatory Guide 1.22
The centrifugal charging pump manual controls can be tested periodically during operation, since the charging pumps are used during normal operation.
2. Regulatory Guide 1.29
The centrifugal charging pump manual controls are designed to withstand the effects of an SSE without loss of function or physical damage. The centrifugal charging pump manual controls are classified Seismic Category 1, in accordance with the guide.
C. Conformance to IEEE Standard 279-1971
The centrifugal charging pump manual controls are designed to meet the portions of
IEEE Standard 279-1971 applicable to manual controls. The manual control circuits
are designed so that any single failure will not prevent protective action (makeup to
the RCS) when required. This is accomplished by two redundant centrifugal
charging pumps. The control circuit of each charging pump utilizes controls powered from an independent Class 1E power system. To prevent interaction between the
redundant systems, the manual control channels are wired independently and
separated with no electrical connections between them.
The normal automatic control circuits are electrically isolated from the manual
controls to ensure manual control system independence.
D. Conformance to Other Criteria and Standards
Conformance to other criteria and standards is given in table 7.1.1-1.
7.4.1.4 Coolant Circulation
The preferred method of coolant circulation is forced circulation with the reactor coolant pumps supplying the driving head. With loss of offsite power, the pumps are not available; however, the RCS is designed to provide sufficient natural circulation to reach and maintain hot standby. Natural circulation flow is verified by noting the various RCS temperatures.
7.4.1.5 Other Systems Required for Hot Standby
The other major equipment and systems required to maintain the unit in the hot standby condition are listed below. For a more comprehensive and detailed listing, refer to tables 7.4.1-1 and 7.4.2-1.
A. NSCW system (subsection 9.2.1).
B. Component cooling water system (subsection 9.2.2).
C. Containment fan coolers (subsection 6.2.2).
D. Emergency diesel generators (and associated onsite electrical distribution system) (subsection 8.3.1).
E. Control room ventilation system (subsection 9.4.1).
F. Emergency ventilation system (for those areas housing equipment required for safe shutdown) (section 9.4).
G. Essential chilled water (subsection 6.2.2).
Systems A through F above are either normally operating continuously or start automatically when required. The instrumentation and controls for these systems are described in the particular section of this document where each system is described. (See A through F above.) Further discussion of the actuation and controls for the engineered safety feature systems is provided in section 7.3.
7.4.2 COLD SHUTDOWN
To perform a unit cold shutdown, the unit is brought from hot standby conditions to nearly ambient conditions from the main control room or shutdown panels. The ability to reach cold shutdown under control from the main control room utilizing safety-related components is further discussed in this section; the ability to reach cold shutdown under control from the shutdown panels is discussed in detail in subsection 7.4.3.
Cold shutdown is defined by the Technical Specifications as the condition in which the reactor is subcritical, the reactor coolant system (RCS) temperature is 200°F, and the RCS is depressurized. To accomplish a cold shutdown, the following functions are required:
- Coolant circulation.
- Boration.
- Heat removal.
- Depressurization.
The systems required for hot standby are also required for cold shutdown. In addition, the following systems, components, and indication are required:
A. Required Systems and Component Controls
1. Vessel head letdown and vent system.
2. Pressurizer power-operated relief valve complex.
3. Residual heat removal system.
4. Boric acid storage tank.
5. Boric acid transfer pumps.
6. Accumulator vent system.
7. Manual block of safety injection signal.
8. Pressurizer backup heaters.
The components in these systems are fully qualified and safety grade with power from a Class 1E electrical bus except the pressurizer heaters. (Two groups of pressurizer backup heaters can be administratively loaded on the non-1E emergency bus.) All control switches for these items are safety grade.
B. Required Monitoring Indicators
1. Boric acid storage tank level.
2. Boric acid charging flowrate.
Table 7.4.2-1 lists the instrumentation and controls available for hot standby and hot or cold shutdown and provides the locations of controls and indication.
Hot standby is a stable plant condition for a reactor plant that incorporates a Westinghouse nuclear steam supply system. Examination of Condition II, III, or IV events for the Westinghouse nuclear steam supply system reveals no events that require cooldown to cold shutdown conditions for safety reasons. Eventual achievement of cold shutdown conditions may be required for long-term recovery. However, there is no safety reason why this must be
accomplished in some limited period of time. While the plant is in the hot standby condition, the
auxiliary feedwater system and the power-operated atmospheric steam relief valves are used to
remove residual heat to meet all safety requirements. The long-term safety grade supply of
auxiliary feedwater allows extended operation at hot standby conditions. Additionally, the plant design includes provisions for achieving cold shutdown, even assuming a safe shutdown
earthquake, a loss of offsite power, and the most limiting single failure with limited operator
action outside the control room.
7.4.3 SAFE SHUTDOWN FROM OUTSIDE THE CONTROL ROOM
7.4.3.1 Description
If temporary evacuation of the control room is required because of some abnormal plant condition, the operators can establish and maintain the plant in a hot standby and hot or cold
shutdown condition from outside the control room through the use of controls located at the
shutdown panels. Hot standby is a stable plant condition which can be maintained safely for an
extended period of time. In the event that access to the control room is restricted, the plant can
be safely kept at hot standby until the control room can be reentered, by the use of the
monitoring indicators and the controls listed in subsection 7.4.1. Although the prime intent of
the shutdown panels is to maintain hot standby from outside the control room, the panels are
also used for implementing cold shutdown from outside the control room.
K. An alarm is provided in the control room to provide an indication when a component or components on the shutdown panel is/are bypassed from the main control boards to the shutdown panel.
L. Controls, switches, and indications on the shutdown panels are designed to be consistent with the design requirement for similar devices located in the main control room.
7.4.3.2 Analysis
The analysis of the control systems required for safe shutdown is found in subsection 7.4.1. The discussion below is limited to the shutdown panels.
A. Conformance to NRC GDC
1. GDC 19
The shutdown panels provide adequate controls and indications located outside
the main control room to establish and maintain the reactor and the reactor
coolant system in the hot standby and hot or cold shutdown condition in the
event that the main control room must be evacuated.
B. Conformance to NRC Regulatory Guides
1. Regulatory Guide 1.22
The shutdown panels are designed to be tested periodically during station operation.
2. Regulatory Guide 1.29
The shutdown panels are designed to withstand the effects of an SSE without loss of function or physical damage. The shutdown panels are classified Seismic Category 1. Selected instrumentation and control devices are not safety related but are qualified for seismic integrity to prevent compromising the function of safety-related devices during or after an SSE.
C. Conformance to IEEE Standard 279-1971
The shutdown panels are designed to conform to applicable portions of IEEE
Standard 279-1971. The control circuits at the shutdown panels are designed so
that any single failure will not prevent maintaining safe shutdown when required.
This is accomplished by fully redundant controls for the systems required for hot
standby and hot or cold shutdown, utilizing independent Class 1E power systems.
To prevent interaction between the redundant systems, the redundant control
channels are wired independently and separated with no electrical connections
between them. Non-Class 1E circuits available for safe shutdown are electrically isolated from Class 1E circuits.
D. Conformance to Other Guides, Criteria, and Standards
The additional guides, criteria, and standards listed in table 7.1.1-1 apply only to the essential instrumentation and control required for safe shutdown from outside the control room.
7.4.3.3 Alternate Shutdown Indication System
7.4.3.3.1 Description
The alternate shutdown indication system is designed to provide indication and controllers; i.e., OIMs, necessary for cold shutdown that are independent from the control room in the event of a
control room fire. No other events are postulated to occur either during or after a control room
fire; consequently, the design is exempted from the single failure criteria, Seismic Category 1
criteria, and the other design basis accident criteria, except where required for other reasons (e.g., due to interfacing with or impacting on existing systems).
The plant safety monitoring system (PSMS) (refer to paragraph 7.5.3.6) and the alternate shutdown indication system cabinet are used to process and output isolated signals which go to
the control room and the train B shutdown panel. The PSMS provides isolated signals for the
alternate shutdown indication parameters for which the PSMS performs data acquisition and
display. The alternate shutdown indication system cabinet isolates signals which are required in
the process cabinets and the OIM control loops.
The reactor may be tripped from the main control board before leaving the control room or tripped from either of the shutdown panels immediately after entering the shutdown panel
rooms. Both shutdown panels are fully equipped panels that may act as the point of control for
performing a shutdown and cooldown of the plant given that the control room is inaccessible.
However, only the train B shutdown panel is provided with electrically isolated instrumentation
and controls for use as the alternate shutdown point of control following a control room fire. 7.4.3.3.2 Design Bases Information The alternate shutdown indication system is designed to meet Branch Technical Position CMEB 9.5-1 requirement C.5.C (see appendix 9B). 7.4.3.3.2.1 Safety Design Bases. The alternate shutdown indication system shall not compromise safety-related systems and associated inputs nor prevent safe shutdown.
7.4.3.3.2.2 Power Generation Design Basis. The alternate shutdown indication system provides electrically isolated signals into the control room during power generation. It is designed to function during and after a control room fire.
A. The alternate shutdown indication system controls, in conjunction with remote shutdown panel B controls, are used to achieve and maintain hot standby condition and achieve cold shutdown from full power conditions in 72 h following a control room fire and maintain cold shutdown conditions thereafter.
B. The alternate shutdown indication system instrumentation, in conjunction with remote shutdown panel B instrumentation, provides direct readings and controls to monitor the process variables necessary to perform and control the following shutdown functions:
1. Reactivity control.
2. Reactor coolant makeup/inventory.
3. Reactor heat removal.
C. The alternate shutdown indication system consists of the following required parameters and OIMs (see table 7.4.2-1):
1. Neutron flux.
2. Reactor coolant system wide range T cold (loops 2 and 3).
3. Incore thermocouples in the quadrants corresponding to loops 2 and 3 (Unit 1) and loops 1 and 4 (Unit 2).
4. Reactor coolant system wide range pressure.
5. Steam generator wide range level (loops 2 and 3).
6. Pressurizer level.
7. Head vent throttle valve (OIM).
8. Accumulator tank gas vent valve (OIM).
D. The alternate shutdown indication system accommodates post-fire conditions where offsite power is available and where offsite power is not available for 72 h.
E. The alternate shutdown indication system is not damaged by a control room fire.
F. The alternate shutdown indication system and associated circuits design are exempted from Seismic Category I criteria, single failure criteria, or other design basis accident criteria, except where required for other reasons (e.g., because of interface with or impact on existing safety systems).
G. The alternate shutdown indication system is electrically isolated from the control room so that a fire-induced hot short, open circuit, or short to ground in the alternate shutdown control room indication circuits will not prevent operation of the alternate shutdown indication at the shutdown panel.
H. Access to the alternate shutdown indication system is under administrative control.
I. The alternate shutdown indication system OIMs are activated manually following evacuation of the control room. This actuation does not disturb control, process, protection, or nuclear instrumentation circuits except those associated with the alternate shutdown indication system.
J. The alternate shutdown indication system is electrically isolated from the control room so that a fire-induced hot short, open circuit, or short to ground in any of the Class 1E circuits will not prevent operation of the alternate shutdown equipment from the shutdown panel.
K. An alarm is provided in the control room to provide an indication in the event that the alternate shutdown OIMs are bypassed from the main control board to the shutdown panel.
7.4.3.3.2.3 Guides, Criteria, and Standards. The alternate shutdown indication system conforms to GDC 19, the applicable portions of IEEE Standards 279-1971, 323-1974, and 344-1975, Regulatory Guide 1.22, and Branch Technical Position CMEB 9.5-1.
TABLE 7.4.1-1 SYSTEMS AVAILABLE FOR SAFE SHUTDOWN
Auxiliary feedwater system
Condensate storage facility
Chemical and volume control system (boration and makeup functions)
Pressurizer power-operated relief valve complex
Reactor vessel head letdown system
Residual heat removal system
Main steam power-operated atmospheric relief valve complex
Component cooling water system
NSCW system
Onsite standby power supply (diesel generators and associated outside electrical distribution system)
Ventilation systems (control room and engineered safety features rooms)
Associated instrumentation and controls
Safety injection system (accumulator vents systems)
Containment fan coolers
Essential chilled water
TABLE 7.4.2-1 (SHEET 9 OF 9)
a. AC: air conditioner
AFW: auxiliary feedwater
BAST: boric acid storage tank
BAT: boric acid transfer
BIT: boron injection tank
CB: control building
CBSF: control building safety feature
CCW: component cooling water
CRDM: control rod drive mechanism
CST: condensate storage tank
CTB: containment building
DG: diesel generator
ESF: engineered safety features
HX: heat exchanger
NSCW: nuclear service cooling water
PORV: power-operated relief valve
PRT: pressurizer relief tank
RCP: reactor coolant pump
RCS: reactor coolant system
RHR: residual heat removal
RWST: refueling water storage tank
SG: steam generator
SI: safety injection
VCT: volume control tank
b. CR: control room
PSDA: shutdown panel A
PSDB: shutdown panel B
ASI: alternate shutdown indication
c. The items identified in this column are provided with control room circuitry isolation, via the alternate shutdown indication panel, to provide the ability for shutdown from remote shutdown panel B in the event of a control room fire.
d. Unit 1 only.
e. Available only on plant computer in control room.
7.5 INFORMATION SYSTEMS IMPORTANT TO SAFETY
7.5.1 SAFETY-RELATED DISPLAY INSTRUMENTATION INTRODUCTION
An analysis was conducted to identify the appropriate variables and to establish the appropriate design bases and qualification criteria for instrumentation employed by the operator for monitoring conditions in the reactor coolant system, the secondary heat removal system, and the containment, including engineered safety functions and the systems employed for attaining a safe shutdown condition.
The instrumentation is used by the operator to monitor the VEGP throughout all operating conditions including anticipated operational occurrences and accident and post-accident
conditions.
The emergency response facilities and support systems consisting of the onsite technical support center, emergency operations facility, operational support center, safety parameter display system, and the emergency response data system (ERDS) are discussed in the VEGP
Emergency Plan, section H. Table 7.5.2-1 indicates the specific plant parameters which are
associated with ERDS. Modifications to these parameters in the plant may require NRC
notification per 10 CFR 50, Appendix E, Part VI.
7.5.2 DESCRIPTION OF INFORMATION SYSTEMS
The plant safety analyses and evaluations define the design basis accident (DBA) event scenarios for which preplanned operator actions are required. Accident monitoring
instrumentation is necessary to permit the operator to take required actions to address these
analyzed situations. However, instrumentation is also necessary for unforeseen situations (i.e.,
to ensure that, should plant conditions evolve differently than predicted by the safety analyses, the control room operating staff has sufficient information to evaluate and monitor the course of
the event). Additional instrumentation is also needed to indicate to the operating staff whether
the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), or the reactor
containment has degraded beyond the prescribed limits defined as a result of the plant safety analyses and other evaluations.
Five classifications of variables have been identified to provide this instrumentation:
A. Those variables that provide information needed by the operator to perform manual actions identified in the operating procedures that are associated with DBA events are designated type A. These variables are restricted to preplanned actions for DBA events. The basis for selecting type A variables is given in paragraph 7.5.2.2.1.
B. Those variables needed to assess that the plant critical safety functions are being accomplished or maintained, as identified in the plant safety analysis and other evaluations, are designated type B.
C. Those variables used to monitor for the gross breach or the potential for gross breach of the fuel cladding, the RCPB, or the containment are designated type C.
D. Those variables needed to assess the operation of individual safety systems and other systems important to safety are designated type D.
E. Those variables that are required for use in determining the magnitude of the postulated releases and continually assessing any such releases of radioactive materials are designated type E.
The five classifications of variables are not mutually exclusive, in that a given variable (or
instrument) may be included in one or more types. When a variable is included in one or more
of the five classifications, the equipment monitoring this variable meets the requirements of the
highest category identified.
Three categories of design and qualification criteria have been identified. The differentiation is made in order that an importance of information hierarchy can be recognized in specifying
accident monitoring instrumentation. Category 1 instrumentation has the highest performance
requirements and should be utilized for information which cannot be lost under any
circumstances. Category 2 and Category 3 instruments are of lesser importance in determining
the state of the plant and do not require the same level of operational assurance.
The primary differences between category requirements are in qualification, application of single failure, power supply, and display requirements. Category 1 requires seismic and
environmental qualification, the application of a single failure criteria, utilization of emergency
power, and an immediately accessible display. Category 2 requires environmental and seismic
qualification commensurate with the required function but does not require the single failure
criteria, emergency power, or an immediately accessible display. Category 2 requires, in effect, a rigorous performance verification for a single instrument channel. Category 3, which is high
quality commercial grade, does not require qualification, single failure criteria, emergency
power, or an immediately accessible display.
Table 7.5.2-1 summarizes the following information for each variable identified:
A. Instrument range or status.
B. Type and category.
C. Environmental qualification.
D. Seismic qualification.
E. Number of channels.
F. Display methodology.
G. Implementation date.
7.5.2.1 Definitions
7.5.2.1.1 Design Basis Accident Events
Those events, any one of which could occur during the lifetime of a particular unit, and those events not expected to occur but postulated because their consequences would include the potential for release of significant amounts of radioactive gaseous, liquid, or particulate material to the environment are DBA events. Excluded are those events (defined as normal and
anticipated operational occurrences in 10 CFR 50) expected to occur more frequently than once
during the lifetime of a particular unit.
The limiting accidents that were used to determine instrument functions are:
- Loss-of-coolant accident (LOCA).
- Steam line break.
- Feedwater line break.
- Steam generator tube rupture.
7.5.2.1.2 Hot Standby
Hot standby is the state of the plant in which the reactor is subcritical such that keff is less than or equal to 0.99 and the reactor coolant system (RCS) temperature is greater than or equal to 350°F.
7.5.2.1.3 Cold Shutdown
Cold shutdown is the state of the plant in which the reactor is subcritical such that keff is less than or equal to 0.99, the RCS temperature is less than 200°F, and the RCS pressure is less than or equal to 10 CFR 50, Appendix G limits.
7.5.2.1.4 Controlled Condition
A controlled condition is the state of the plant that is achieved when the "subsequent action" portion of the plant emergency procedures is implemented and the critical safety functions are being accomplished or maintained by the control room operating staff.
7.5.2.1.5 Critical Safety Functions
Critical safety functions are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. These are the accomplishing or
maintaining of:
- Reactivity control.
- RCS pressure control.
- Reactor coolant inventory control.
- Reactor core cooling.
- Heat sink maintenance.
- Reactor containment environment.
7.5.2.1.6 Immediately Accessible Information
Immediately accessible information is information that is visually available to the control room operating staff immediately (i.e., within human response time requirements), once they have made the decision that the information is needed.
7.5.2.1.7 Primary Information
Primary information is information that is essential for the direct accomplishment of the preplanned manual actions necessary to bring the plant into a safe condition in the event of a DBA event; it does not include those variables that are associated with contingency actions.
7.5.2.1.8 Contingency Actions
Contingency actions are those manual actions that address conditions beyond the DBA events.
7.5.2.1.9 Key Variables
Key variables are those variables which provide the most direct measure of the information required.
7.5.2.1.10 Backup Information
Backup information is that information, made up of additional variables beyond those classified as key, that provides supplemental and/or confirmatory information to the control room operating staff. Backup variables do not provide indication which is as reliable or complete as that provided by primary variables and are not usually relied upon as the sole source of information.
7.5.2.2 Variable Types
These accident monitoring variables and information display channels are those that are required to enable the control room operating staff to perform the functions defined by type A, B, C, D, and E classifications as follows.
7.5.2.2.1 Type A
Type A variables provide the primary information required to permit the control room operating staff to:
A. Perform the diagnosis specified in the VEGP emergency operating instructions.
B. Take the specified, preplanned, manually controlled actions for which no automatic control is provided that are required for safety systems to accomplish their safety function in order to recover from the DBA.
C. Attain and maintain a cold shutdown condition.
The verification of the actuation of safety-related systems has been excluded from the type A definition. The variables which provide this verification are included in the definition of type D.
Type A variables are restricted to preplanned actions for DBA events. Variables used for contingency actions and additional variables which might be utilized are of types B, C, D, and E.
7.5.2.2.2 Type B
Type B variables provide to the control room operating staff information to assess the process of accomplishing or maintaining critical safety functions (i.e., reactivity control, RCS pressure control, RCS inventory control, reactor core cooling, heat sink maintenance, and reactor containment environment).
7.5.2.2.3 Type C
Type C variables provide the control room operating staff information to monitor:
A. The extent to which variables that indicate the potential for causing a gross breach of a fission product barrier have exceeded the design basis values.
B. The incore fuel cladding, the RCPB, or the primary reactor containment which may have been subject to gross breach.
These variables include those required to initiate the early phases of the emergency plan. Excluded are those associated with monitoring of radiological
release from the plant which are included in type E.
Type C variables used to monitor the potential for breach of a fission product barrier have an
arbitrarily determined extended range. The extended range was chosen to minimize the
probability of instrument saturation even if conditions exceed those predicted by the safety analysis.
Although variables selected to fulfill type C functions may rapidly approach the values that indicate an actual gross failure, it is the final steady-state value reached that is important.
Therefore, a high degree of accuracy and a rapid response time are not necessary for type C
information display channels.
7.5.2.2.4 Type D
Type D variables provide the control room operating staff sufficient information to monitor the performance of:
A. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a cold shutdown condition. These include verification of the automatic actuation of safety systems.
B. Other systems normally employed for attaining a cold shutdown condition.
7.5.2.2.5 Type E
Type E variables provide the control room operating staff information to:
A. Monitor the habitability of the control room.
B. Monitor the plant areas where access may be required to service equipment necessary to monitor or mitigate the consequences of an accident.
C. Estimate the magnitude of release of radioactive material through identified pathways and continually assess such releases.
D. Monitor radiation levels and radioactivity in the environment surrounding the plant.
7.5.2.3 Variable Categories
The qualification requirements of the type A, B, C, D, and E accident monitoring instrumentation
are subdivided into three categories. Descriptions of the three categories are given below.
Table 7.5.2-2 briefly summarizes the selection criteria for type A, B, C, D, and E variables into
each of the three categories. Table 7.5.2-3 briefly summarizes the design and qualification
requirements of the three designated categories.
7.5.2.3.1 Category 1
7.5.2.3.1.1 Selection Criteria for Category 1. The selection criteria for Category 1 variables have been subdivided according to the variable type. For type A, those key variables used for diagnosis or providing information for necessary operator action have been designated
Category 1. For type B, those key variables used for monitoring the process of accomplishing
or maintaining critical safety functions have been designated Category 1. For type C, those key
variables used for monitoring the potential for breach of a fission product barrier have been
designated Category 1. There are no type D or type E Category 1 variables.
7.5.2.3.1.2 Qualification Criteria for Category 1. The instrumentation is environmentally and seismically qualified in accordance with sections 3.11 and 3.10, respectively.
Instrumentation shall continue to read within the required accuracy following but not necessarily
during a seismic event.
At least one instrumentation channel is qualified from the sensor up to and including the display.
For the other instrumentation channels, qualification as a minimum is applied up to and
includes the channel isolation device. (Refer to paragraph 7.5.2.3.4 in regard to extended
range instrumentation qualification.)
7.5.2.3.1.3 Design Criteria for Category 1.
A. No single failure within either the accident-monitoring instrumentation, its auxiliary supporting features, or its power sources, concurrent with the failures that are a cause of or result from a specific accident, will prevent the control room
operating staff from being presented the required information. Where failure of
one accident-monitoring channel results in information ambiguity (e.g., the
redundant displays disagree), the additional information is provided to allow the
control room operating staff to analyze the actual conditions in the plant. This
may be accomplished by providing additional independent channels of
information of the same variable (addition of an identical channel) or by providing
independent channels which monitor different variables which bear known
relationships to the channels (addition of a diverse channel(s)). Redundant or
diverse channels are electrically independent and physically separated from each
other with two-train separation and from equipment not classified important to safety in accordance with Regulatory Guide 1.75, Physical Independence of
Electric Systems.
If ambiguity does not result from failure of the channel, then a third redundant or
diverse channel is not required.
B. The instrumentation is energized from station emergency standby power sources, battery backed where momentary interruption is not tolerable, as discussed in Regulatory Guide 1.32, Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants.
C. The out-of-service interval is based on normal Technical Specification requirements for the system it serves where applicable or where specified by other requirements.
D. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
E. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
F. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.
G. The monitoring instrumentation design minimizes the development of conditions that would cause meters, annunciators, recorders, alarms, etc., to give anomalous indications that could be potentially confusing to the control room operating staff.
H. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
I. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
J. Periodic checking, testing, calibration, and calibration verification are performed in accordance with the applicable portions of Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems.
K. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of Regulatory Guide 1.105, Instrument Setpoints.
7.5.2.3.1.4 Information Processing and Display Interface Criteria for Category 1. The interface criteria specified here provide requirements to be implemented in the processing and displaying of the information.
A. The control room operating staff have immediate access to the information from redundant or diverse channels in units of measure familiar to the staff; i.e., for temperature readings, degrees should be used, not volts. Where two or more instruments are needed to cover a particular range, overlapping instrument spans are provided.
B. A historical record of at least one instrumentation channel for each process variable is maintained. A recorded pre-event history for these channels is
required for a minimum of 1 h, and continuous recording of these channels is
required following an accident until continuous recording of such information is
no longer deemed necessary. The term "continuous recording" is not intended to
exclude the use of discrete time sample data storage systems. This recording is
available when required and does not need to be immediately accessible.
The time period of 1 h was selected based on a representatively slow transient which bounds
this time requirement. A 1/2-in.- equivalent break area LOCA was selected since the reactor trip
occurs at approximately 50 min after the break. Where direct and immediate trend or transient
data is essential for operator information or action, the recording is immediately accessible.
7.5.2.3.2 Category 2
7.5.2.3.2.1 Selection Criteria for Category 2. The selection criteria for Category 2 variables are subdivided according to the variable type. For types A, B, and C, those variables which provide preferred backup information are designated Category 2. For type D, those key variables that are used for monitoring the performance of safety systems have been designated
Category 2. For type E, those key parameters to be monitored for use in determining the
magnitude of the release of radioactive materials and for continuously assessing such releases
have been designated Category 2.
7.5.2.3.2.2 Qualification Criteria for Category 2. Category 2 instrumentation is qualified from the sensor up to and including the channel isolation device for at least the environment (seismic and/or environmental) in which it must operate to serve its intended function.
7.5.2.3.2.3 Design Criteria for Category 2.
A. Category 2 instrumentation that is required to operate following a safe shutdown earthquake to mitigate a consequential plant incident is energized from a seismically qualified power source, which is battery backed where momentary
interruption is not tolerable. The instrumentation required to function after a
seismic event is the safety-related cold shutdown instrumentation described in
section 7.4. Otherwise, the instrumentation is energized from a highly reliable
onsite power source, not necessarily the emergency standby power, which is
battery backed where momentary interruption is not tolerable.
B. The out-of-service interval is based on paragraph 7.5.2.4, Post Accident Monitoring Program.
C. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the
required interval between testing is less than the normal time interval between
generating station shutdowns, a capability for testing during power operation is
provided.
D. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
E. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.
F. The monitoring instrumentation design minimizes the potential for the development of conditions that would cause meters, annunciators, recorders, and alarms, etc., to give anomalous indications that could be potentially confusing to the operator.
G. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
H. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
I. Periodic checking, testing, calibration, and calibration verification are in accordance with applicable portions of Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems.
J. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of Regulatory Guide 1.105, Instrument Setpoints.
7.5.2.3.2.4 Information Processing and Display Interface Criteria for Category 2. The instrumentation signal is, as a minimum, processed for display on demand. Recording requirements are variable specific and are determined on a case-by-case basis.
7.5.2.3.3 Category 3
7.5.2.3.3.1 Selection Criteria for Category 3. The selection criteria for Category 3 variables have been subdivided according to the variable type. For types B and C, those variables which provide backup information have been designated Category 3. For types D and E, those variables which provide preferred backup information have been designated Category 3. There are no Category 3 type A variables.
7.5.2.3.3.2 Qualification Criteria for Category 3. The instrumentation is high quality, commercial grade which is not required to provide information when exposed to a post-accident adverse environment.
7.5.2.3.3.3 Design Criteria for Category 3.
A. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.
B. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.
C. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.
D. The monitoring instrumentation design minimizes the potential for the development of conditions that would cause meters, annunciators, recorders, and alarms, etc., to give anomalous indications that could be potentially confusing to the operator.
E. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.
F. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.
7.5.2.3.3.4 Information Processing and Display Interface Criteria for Category 3. The instrumentation signal is, as a minimum, processed for display on demand. Recording requirements are variable specific and are determined on a case-by-case basis.
7.5.2.3.4 Extended Range Instrumentation Qualification Criteria
The qualification environment for extended range instrumentation is based on the DBA events; the assumed maximum qualification value of the monitored variable shall be equal to the
specified maximum range for the variable. The monitored variable is assumed to approach this
peak by extrapolating the most severe initial ramp associated with the DBA events. The decay
is considered proportional to the decay for this variable associated with the DBA events. No
additional qualification margin needs to be added to the extended range variable. All
environmental envelopes, except those pertaining to the variable measured by the information display channel, are those associated with the DBA events. The environmental qualification
requirement for extended range instrument does not account for steady-state elevated levels that may occur in other environmental parameters associated with the extended range variable.
For example, a sensor measuring containment pressure must be qualified for the measured process variable range (i.e., three times design pressure for concrete containments), but the
corresponding ambient temperature is not mechanistically linked to that pressure. Rather, the
ambient temperature value is the bounding value for DBA events analyzed in chapter 15. The extended range requirement is to ensure that the instrument will continue to provide information
if conditions degrade beyond those postulated in the safety analysis. Since extended variable
ranges are nonmechanistically determined, extension of associated parameter levels is not justifiable and is therefore not required.
7.5.2.4 Post Accident Monitoring Instrumentation Program
A program shall be maintained, the post accident monitoring instrumentation program, which ensures the capability to monitor plant variables and systems operating status during and following an accident. This program shall include those instruments provided to indicate system operating status and furnish information regarding the release of radioactive materials (Category 2 and 3 instrumentation as defined in Regulatory Guide 1.97 Revision 2) and provide the following:
A. Preventive maintenance and/or periodic surveillance of instrumentation.
B. Preplanned operating procedures and backup instrumentation to be used if one or more monitoring instruments become inoperable.
C. Administrative procedures for returning inoperable instruments to operable status as soon as practicable.
7.5.3 DESCRIPTION OF VARIABLES
7.5.3.1 Type A Variables
Type A variables are defined in paragraph 7.5.2.2.1. They are the variables which provide primary information required to permit the control room operating staff to:
A. Perform the diagnosis specified in the VEGP emergency operating procedures.
B. Take specified preplanned manually controlled actions for which no automatic control is provided that are required for safety systems to accomplish their safety function to recover from a design basis accident (DBA) event. (Verification of actuation of safety systems is excluded from type A and is included as type D.)
C. Attain and maintain a cold shutdown condition.
Key type A variables have been designated Category 1. These are the variables which provide
the most direct measure of the information required. The key type A variables are:
- Reactor coolant system (RCS) wide-range (WR) pressure.
- WR hot leg reactor coolant temperature (T hot).
- WR cold leg reactor coolant temperature (T cold).
- WR steam generator level.
- Narrow-range (NR) steam generator level.
- Pressurizer level.
- Containment pressure.
- Steam line pressure.
- Containment water level (WR).
- Containment water level (NR).
- Condensate storage tank level.
- Refueling water storage tank level.
- Auxiliary feedwater flow.
- Containment radiation level (high range).
- Core exit temperature.
- Steam line radiation.
- RCS subcooling.
No type A variable has been designated Category 2 or 3. A summary of type A variables is provided in table 7.5.3-1.

7.5.3.2 Type B Variables

Type B variables are defined in paragraph 7.5.2.2.2. They are the variables that provide information to the control room operating staff to assess the process of accomplishing or maintaining critical safety functions, i.e.:
- Reactivity control.
- RCS pressure control.
- Reactor coolant inventory control.
- Reactor core cooling.
- Heat sink maintenance.
- Primary reactor containment environment.
Variables which provide the most direct indication (i.e., key variable) to assess each of the six critical safety functions have been designated Category 1. Preferred backup variables have been designated Category 2. These are listed in table 7.5.3-2.

7.5.3.3 Type C Variables

Type C variables are defined in paragraph 7.5.2.2.3. Basically, they are the variables that provide to the control room operating staff information to monitor the potential for breach or actual gross breach of:
- Incore fuel clad.
- RCS boundary.
- Containment boundary.
(Variables associated with monitoring of radiological release from the plant are included in type E.)
Those type C key variables which provide the most direct measure of the potential for breach of one of the three fission product boundaries have been designated Category 1. Backup information indicating potential for breach is designated Category 2. Variables which indicate actual breach and have been designated as preferred backup information are designated Category 2. All other backup variables have been designated Category 3.
Table 7.5.3-3 summarizes the selection of type C variables.

7.5.3.4 Type D Variables

Type D variables are defined in paragraph 7.5.2.2.4. They are those variables that provide sufficient information to the control room operating staff to monitor the performance of:
A. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition, including verification of the automatic actuation of safety systems.
B. Other systems normally employed for attaining a cold shutdown condition.

Type D key variables are designated Category 2. Preferred backup information is designated type D Category 3.
The following systems or major components have been identified as requiring type D information to be monitored:
A. Pressurizer level and pressure control (assess status of the pressurizer following return to normal pressure and level control under certain post-accident conditions).
B. Chemical and volume control system (CVCS) (employed for attaining a safe shutdown under certain post-accident conditions).
C. Secondary pressure and level control (employed for restoring/maintaining a secondary heat sink under post-accident conditions).
D. Emergency core cooling system (ECCS).
E. Auxiliary feedwater.
F. Containment systems.
G. Component cooling water (CCW).
H. Nuclear service cooling water.
I. Residual heat removal (RHR).
J. Heating, ventilation, and air-conditioning (HVAC) (if required for engineered safety features operation).
K. Electric power to vital safety systems.
L. Verification of automatic actuation of safety systems.
M. Reactor coolant system status.
N. Reactivity control.
Table 7.5.3-4 lists the key variables identified for each system listed above.
For the purpose of specifying seismic qualification for type D Category 2 variables, it is assumed that a seismic event and a break in Seismic Category 1 piping will not occur concurrently. As a result, the limiting event is an unisolated (single failure of a main steam isolation valve) break in Nuclear Safety Class 2 main steam piping. Instrumentation necessary to monitor this event and associated with the safety systems which are required to mitigate should be seismically qualified. Similarly, the environmental qualification of type D Category 2 variables depends on whether the instrumentation is subject to a high-energy line break when required to provide information.

7.5.3.5 Type E Variables

Type E variables are defined in paragraph 7.5.2.2.5. They are those variables that provide the control room operating staff with information to:
A. Monitor the habitability of control room.
B. Monitor the plant areas where access may be required to service equipment necessary to monitor or mitigate the consequences of an accident.
C. Estimate the magnitude of release of radioactive materials through identified pathways.
D. Monitor radiation levels and radioactivity in the environment surrounding the plant.

Key type E variables are qualified to Category 2 requirements. Preferred backup type E variables are qualified to Category 3 requirements.
Table 7.5.3-5 lists the key type E variables.

7.5.3.6 Plant Safety Monitoring System

The plant safety monitoring system (PSMS) is a microprocessor-based monitoring system used to process and output many of the Regulatory Guide 1.97, Revision 2 variables in proper format to internal plasma displays and external indicators, displays, cabinets and other equipment. The PSMS consists of three types of modular components: the remote processing unit, the display processing unit, and the plasma display. These components perform the data acquisition and processing, the data base consolidation and comparison, and the data selection and display, respectively.
The system is seismically and environmentally qualified and is configured to address single failure criteria. Qualification details are available in sections 3.10 and 3.11. In addition, the
PSMS has the capability for online testing without affecting reactor protection and control.
The configuration of the PSMS on VEGP consists of a remote processing unit associated with each protection channel set and a remote processing unit assigned to the monitoring of non-
Class 1E signals. Each remote processing unit acts independently to perform data acquisition, engineering unit conversion, and limit checking. Through this independence, the system is
immune to common mode failures. The remote processing units associated with the four
protection channel sets are powered by the same vital buses as the protection sets.
The remote processing units also provide an additional function: isolated data links from each
remote processing unit serve as inputs to the integrated plant computer for transfer of the
Regulatory Guide 1.97 data set.
The plasma display modules are redundant, qualified graphic/alphanumeric modules for displaying Category 1 and certain Category 2 variables on demand (as indicated in table 7.5.2-1). The displays have been human factor engineered in order to provide to the operator a
concise display of plant conditions. Access to particular information is via functional keys
integral to the PSMS. These displays will be used in conjunction with other control room
instrumentation to monitor the VEGP throughout all operating conditions including anticipated
operational occurrences and accident and post-accident conditions.
Additional discussions on the features of PSMS are provided in paragraphs 7.4.3.3, Alternate Shutdown Indication System, 7.7.2.7, Core Cooling Monitor, and 7.7.2.8, Reactor Vessel Level Instrumentation System.

7.5.4 ADDITIONAL INFORMATION

A cross-reference of variables and categories for each instrument identified in the VEGP survey is included in table 7.5.4-1.
Table 7.5.4-2 is included as a cross-reference to identify post-accident monitoring systems instruments utilized at VEGP which also address the recommendations of NUREG-0737. The instruments identified meet the intent of the guidance provided in NUREG-0737.

7.5.5 BYPASSED AND INOPERABLE STATUS INDICATION FOR ENGINEERED SAFETY FEATURES SYSTEMS

7.5.5.1 Description

In accordance with the guidance of Regulatory Guide 1.47, means are provided for automatic system level indication of the plant's engineered safety features (ESF) systems which are bypassed or inoperable. The system status monitoring panel (QBPS) serves the purpose of such indication and is located in the control room, next to the main control board. The QBPS
panel is safety grade and seismically qualified and hence remains functional during and after a
design basis event. However, no credit is taken in the accident analysis (chapter 15) for the
QBPS indications being available to the operator. Most of the information displayed on the
QBPS panel can be derived by the operator from other safety-grade instrumentation in the
control room, such as:
- Individual ESF equipment status indicating lights and controls' position.
- ESF equipment monitor (light boxes on the main control board), light groups 1 through 5.
- Lights indicating the status and manual override of the automatic actuation signals for the control room and fuel handling building ESF heating, ventilation, and air-
conditioning (HVAC) systems.
The bypasses that are applied manually to test-block the automatic safety actuation signal for either train of the two latter HVAC systems are monitored only on the QBPS panel.
Each ESF system monitored on the QBPS panel (table 7.5.5-1) has one monitoring light and an adjacent selector handswitch for each of its trains. The light-switch pairs belonging to each train
are grouped together for easy train identification. Under normal circumstances, i.e., when no
bypass condition has been detected, all monitoring lights are off. Detection of such a condition in any monitored component in either train of an ESF system causes the corresponding light on the panel to illuminate. The engraving on the light readily identifies the bypassed system; the location of the light on the panel determines the train. Each system monitoring light can be illuminated either automatically or manually by its corresponding selector handswitch.
The QBPS panel circuitry automatically detects any of the following conditions as applicable in each monitored component of the ESF systems:
- Loss of control power.
- Control handswitch in pull-to-lock position.
- Overcurrent lockout relay tripped (process-control loads).
- Circuit breaker not in operating position.
- Control transferred from the control room to a local panel.
- Manual block of the actuation of one safety train to test the other train.(a)
- Loss of power to the relay actuation logic.(a)
- Manual override of an automatic actuation signal.(a)
- Incorrect status of a hand-operated component, defeating the safety function of an ESF system.(b)
The components monitored by the system status monitoring circuits are the ESF pumps, fans, compressors, valves, dampers, and relay logic circuits.
In accordance with Regulatory Guide 1.47, the automatic system level indication of bypass and inoperable status is provided only for automatically actuated systems, including those systems that directly support the automatically initiated systems but may not be automatically initiated because they are normally in the operating mode.
No automatic indication is provided for the bypasses that are expected to occur less frequently than once per year or when the system is not required to be operable. These may include such maintenance features as manual valves provided for isolation of equipment for repairs, electrical cable connections, or other manual disconnects. However, manual initiation of ESF equipment bypass indication on a system level basis is provided; each status monitoring light on the QBPS panel can be manually lit by its adjacent selector handswitch. Under administrative control, manual bypass indication can be
set up or removed to further enhance the operator's awareness of the current status of the ESF
systems. The automatic indication feature cannot be removed by operator action.
a Applies only to the control room and fuel-handling building ESF HVAC systems.
b Applies only to the reactor water storage tank main drain isolation valve No. 1204-207, which, if closed, disables the safety injection system.
The illumination of any monitoring light on the QBPS panel will activate the annunciator alarm
on the main control board and will also be registered by the plant computer. Annunciator
response procedures are discussed in subsection 13.5.2. In accordance with Institute of
Electrical and Electronics Engineers (IEEE) Standard 384 and Regulatory Guide 1.75, proper
isolation is provided between Class 1E circuits in different trains and between the Class 1E and
non-Class 1E circuits.
The QBPS monitoring lights and circuits are powered from the same train as the ESF equipment they monitor. The operability of each train of the systems status monitoring system can be readily verified by pressing a test pushbutton for that train, which activates all status monitoring lights, annunciator, and the computer input in that train.
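The indication logic described in this subsection can be modeled in a few lines. The following is an added illustration, not taken from VEGP design documents; the class names, condition names and the sample component are assumptions, while the system numbers come from table 7.5.5-1.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Condition(Enum):
    """Conditions the text lists as automatically detected."""
    LOSS_OF_CONTROL_POWER = auto()
    HANDSWITCH_PULL_TO_LOCK = auto()
    OVERCURRENT_LOCKOUT_TRIPPED = auto()
    BREAKER_NOT_IN_OPERATING_POSITION = auto()
    CONTROL_TRANSFERRED_TO_LOCAL_PANEL = auto()
    MANUAL_BLOCK_FOR_TRAIN_TEST = auto()      # footnote a
    LOSS_OF_ACTUATION_LOGIC_POWER = auto()    # footnote a
    MANUAL_OVERRIDE_OF_ACTUATION = auto()     # footnote a


# Footnote a: these three apply only to the control room and fuel handling
# building ESF HVAC systems (system numbers 1531 and 1542 in table 7.5.5-1).
HVAC_ONLY = {Condition.MANUAL_BLOCK_FOR_TRAIN_TEST,
             Condition.LOSS_OF_ACTUATION_LOGIC_POWER,
             Condition.MANUAL_OVERRIDE_OF_ACTUATION}
HVAC_SYSTEMS = {"1531", "1542"}


@dataclass
class TrainLight:
    """One monitoring light plus its adjacent selector handswitch."""
    system_no: str
    train: str
    manual: bool = False                          # handswitch position
    detected: dict = field(default_factory=dict)  # component -> set of Condition

    def report(self, component, condition, present):
        """Record whether one condition is present on one monitored component."""
        if condition in HVAC_ONLY and self.system_no not in HVAC_SYSTEMS:
            raise ValueError(f"{condition.name} is not monitored for system {self.system_no}")
        conditions = self.detected.setdefault(component, set())
        if present:
            conditions.add(condition)
        else:
            conditions.discard(condition)

    @property
    def automatic(self):
        # Any condition on any monitored component lights the system-level lamp.
        return any(self.detected.values())

    @property
    def lit(self):
        # The handswitch can add an indication but cannot mask the automatic one.
        return self.automatic or self.manual


class StatusPanel:
    def __init__(self, systems):
        # systems maps a system number to its trains, e.g. {"1204": "AB"}.
        self.lights = {(s, t): TrainLight(s, t)
                       for s, trains in systems.items() for t in trains}
        self.train_under_test = None   # models the per-train test pushbutton

    def light(self, system_no, train):
        return self.lights[(system_no, train)]

    def is_lit(self, system_no, train):
        return self.light(system_no, train).lit or self.train_under_test == train

    def annunciator(self):
        # Any lit monitoring light raises the main control board alarm.
        return any(self.is_lit(s, t) for (s, t) in self.lights)


def demo():
    """Walk a constructed two-system panel through the cases in the text."""
    panel = StatusPanel({"1204": "AB", "1531": "AB"})
    results = {"normal_alarm": panel.annunciator()}
    si_a = panel.light("1204", "A")
    breaker = "pump breaker (hypothetical component)"
    si_a.report(breaker, Condition.BREAKER_NOT_IN_OPERATING_POSITION, True)
    si_a.manual = False                      # handswitch left in the "off" position
    results["auto_survives_handswitch"] = panel.is_lit("1204", "A")
    results["other_train_dark"] = not panel.is_lit("1204", "B")
    results["alarm"] = panel.annunciator()
    si_a.report(breaker, Condition.BREAKER_NOT_IN_OPERATING_POSITION, False)
    results["clears_when_restored"] = not panel.is_lit("1204", "A")
    panel.light("1531", "B").manual = True   # manual indication under administrative control
    results["manual_lit"] = panel.is_lit("1531", "B")
    return results
```

The property worth noting for any status-monitoring design is that the manual input is OR-ed with the automatic detection, so an operator can raise an indication but cannot suppress one.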
The availability of power to the ESF system status monitoring circuitry is indicated on the QBPS panel (one normally lit indicating light per train). Loss of power is immediately annunciated.

7.5.5.2 Conformance to Regulatory Guide 1.47

As required by Nuclear Regulatory Commission Regulatory Guide 1.47, the ESF status monitoring system comprising the QBPS panel and related circuitry provides the following functions:
A. Bypassed and inoperable status is automatically indicated at the system level for protection systems and systems actuated or controlled by protection systems (i.e., for primary ESF systems). Automatic status indication for primary ESF systems does not occur for the bypassing or inoperable condition of auxiliary or supporting systems which must be operable for the primary ESF systems to perform their safety-related functions. However, the intent of Position C.2 of RG 1.47 is met in that automatic indication is provided for bypassed and inoperable status for these auxiliary and supporting systems; and in that VEGP procedures will include steps to ensure that an operator, in responding to the annunciator alarm for inoperable indication of a support system, will manually activate the inoperable status indication for the appropriate primary ESF systems.
B. The automatic indication discussed in A is highly reliable and provided in the control room, while manual activation of the system level indicators is also provided in the control room.
C. Automatic indication is provided for all those bypasses or deliberately induced inoperable conditions that are expected to occur more frequently than once per year, have significant bearing upon the ability to perform safety functions, and are expected to occur when the affected system is normally required to be operable.

7.5.5.3 Conformance to Branch Technical Position ICSB-21

The guidelines set forth in Branch Technical Position ICSB-21, Revision 2, are complied with by the following:
A. Bypass indicators are arranged to enable the operator to determine the status of each safety system to determine if continued reactor operation is permissible.
B. The operator cannot cancel erroneous bypass indications.
C. The ESF status monitoring system is not used to perform functions that are essential to safety.
D. The ESF status monitoring system is designed and installed in a manner that precludes the possibility of adverse effects on plant safety systems and does not reduce the required independence between redundant safety systems.
E. The design of the ESF status monitoring system provides the capability of assuring its operable status during normal plant operation by means of verifying its indicating and annunciating functions.
F. The ESF status monitoring system is designed with shared system bypass condition(s) monitored in both units.

7.5.5.4 System Drawings

The logic and elementary diagrams pertaining to the ESF systems status monitoring system are included in the tables in subsection 1.7.1.
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.2-2
SUMMARY OF SELECTION OF CRITERIA

| Type | Category 1 | Category 2 | Category 3 |
|---|---|---|---|
| A | Key variables that are used for diagnosis or providing information necessary for operator action | Variables which provide preferred backup information | None |
| B | Key variables that are used for monitoring the process of accomplishing or maintaining critical safety functions | Variables which provide preferred backup information | Variables which provide backup information |
| C | Key variables that are used for monitoring the potential for breach of a fission product barrier | Variables which provide preferred backup information | Variables which provide backup information |
| D | None | Key variables which are used for monitoring the performance of plant systems | Variables which provide preferred backup information which are used for monitoring the performance of plant systems |
| E | None | Key variables to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases. | Variables to be monitored which provide preferred backup information for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases. |
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.2-3
SUMMARY OF DESIGN, QUALIFICATION, AND INTERFACE REQUIREMENTS

| | Category 1 | Category 2 | Category 3 |
|---|---|---|---|
| Qualification | | | |
| Environmental | Yes | As appropriate (See paragraph 7.5.2.3.2.2.) | No |
| Seismic | Yes | As appropriate (See paragraph 7.5.2.3.2.2.) | No |
| Design | | | |
| Single failure | Yes | No | No |
| Power supply | Emergency diesel generator | Onsite | As required |
| Channel out of service | Technical Specifications | Technical LA M Specifications | As required |
| Testability | Yes | Yes | As required |
| Interface | | | |
| Minimum indication | Immediately accessible | Demand | Demand |
| Recording | Yes | As required (See paragraph 7.5.2.3.2.4.) | As required (See paragraph 7.5.2.3.3.4.) |

(a) As defined in paragraph 7.5.2.4, Post Accident Monitoring Instrumentation Program.
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-1
SUMMARY OF TYPE A VARIABLES

| Variable | Variable Function | Type/Category |
|---|---|---|
| RCS pressure (wide range (WR)) | Key | A1 |
| T hot (WR) | Key | A1 |
| T cold (WR) | Key | A1 |
| Steam generator level (WR) | Key | A1 |
| Steam generator level (narrow range (NR)) | Key | A1 |
| Pressurizer level | Key | A1 |
| Containment pressure | Key | A1 |
| Steam line pressure | Key | A1 |
| Containment water level (WR) | Key | A1 |
| Containment water level (NR) | Key | A1 |
| Condensate storage tank level | Key | A1 |
| Refueling water storage tank level | Key | A1 |
| Auxiliary feedwater flow | Key | A1 |
| Containment area radiation level (WR) | Key | A1 |
| Core exit temperature | Key | A1 |
| Steam line radiation monitor | Key | A1 |
| RCS subcooling | Key | A1 |

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-2 (SHEET 1 OF 2)
SUMMARY OF TYPE B VARIABLES

| Function Monitored | Variable | Variable Function | Type/Category |
|---|---|---|---|
| Reactivity control | Extended range neutron flux | Key | B1 |
| | WR T hot | Backup (P) | B2 |
| | WR T cold | Backup (P) | B2 |
| RCS pressure control | RCS pressure (WR) | Key | B1 |
| | WR T hot | Key | B1 |
| | WR T cold | Key | B1 |
| | Containment pressure | Backup (P) | B2 |
| | Containment area radiation (WR) | Backup (P) | B2 |
| | Steam line radiation | Backup (P) | B2 |
| Reactor coolant inventory control | Pressurizer level | Key | B1 |
| | Reactor vessel water level | Key | B1 |
| | Containment water level (NR) | Backup (P) | B2 |
| | Containment water level (WR) | Backup (P) | B2 |
| | WR steam generator level | Backup (P) | B2 |
| Reactor core cooling | Core exit temperature | Key | B1 |
| | RCS subcooling | Key | B1 |
| | CST level | Key | B1 |
| | Reactor vessel water level | Key | B1 |
| | WR T hot | Backup (P) | B2 |
| | WR T cold | Backup (P) | B2 |
| | RCS pressure (WR) | Backup (P) | B2 |
| Heat sink maintenance | NR steam generator level | Key | B1 |
| | WR steam generator level | Key | B1 |
| | Auxiliary feedwater flow | Key | B1 |
| | Core exit temperature | Key | B1 |
| | Steam line pressure | Key | B1 |
| | Main steam line isolation and bypass valve status | Backup (P) | B2 |
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-2 (SHEET 2 OF 2)

| Function Monitored | Variable | Variable Function | Type/Category |
|---|---|---|---|
| Containment environment | Containment pressure | Key | B1 |
| | Containment area radiation | Key | B1 |
| | Containment water level (NR) | Key | B1 |
| | Containment water level (WR) | Key | B1 |
| | Containment hydrogen concentration | Key | B1 |
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-3
SUMMARY OF TYPE C VARIABLES

| Function Monitored | Variable | Condition | Variable Function | Type/Category |
|---|---|---|---|---|
| Incore fuel clad | Core exit temperature | Potential for breach | Key | C1 |
| | Reactor vessel water level | Potential for breach | Backup (P) | C2 |
| | RCS activity | Actual breach | Backup | C3 |
| RCS boundary | RCS pressure (WR) | Potential for breach | Key | C1 |
| | RCS pressure (WR) | Actual breach | Backup (P) | C2 |
| | Containment pressure | Actual breach | Backup (P) | C2 |
| | Containment water level (NR) | Actual breach | Backup (P) | C2 |
| | Containment water level (WR) | Actual breach | Backup (P) | C2 |
| Containment boundary | Containment pressure (extended range) | Potential for breach | Key | C1 |
| | Containment hydrogen concentration | Potential for breach | Key | C1 |
| | Plant vent radiation level | Actual breach | Backup (P) | C2 |
| | Containment isolation valve status | Actual breach | Key | C2 |
| | Containment pressure (extended range) | Actual breach | Backup (P) | C2 |
| | Site environmental radiation | Actual breach | Backup | C3 |
| | Auxiliary building radiation | Actual breach | Backup | C3 |

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-4 (SHEET 1 OF 4)
SUMMARY OF TYPE D VARIABLES

| System | Variable | Variable Function | Type/Category |
|---|---|---|---|
| Pressurizer level and pressure control | Power-operated relief valve (PORV) status | Key | D2 |
| | Safety valve status | Key | D2 |
| | Pressurizer level | Key | D2 |
| | RCS pressure (WR) | Key | D2 |
| | Pressurizer heater power availability | Key | D2 |
| | Pressurizer pressure | Key | D2 |
| CVCS | Charging system flow | Key | D2 |
| | Letdown flow | Key | D2 |
| | Volume control tank level | Key | D2 |
| | Seal injection flow | Key | D2 |
| | CVCS valve status | Key | D2 |
| Secondary pressure and level control | Steam generator atmospheric steam dump valve status | Key | D2 |
| | Main steam flow | Key | D2 |
| | Main steam isolation valve and bypass valve status | Key | D2 |
| | Steam generator blowdown isolation valve status | Key | D2 |
| | Steam line pressure | Key | D2 |
| | Auxiliary feedwater flow | Key | D2 |
| | Steam generator level (WR) | Key | D2 |
| | Steam generator level (NR) | Key | D2 |
| | Main feedwater control and bypass valve status | Key | D2 |
| | Main feedwater isolation valve and bypass valve status | Key | D2 |
| | Main feedwater flow | Key | D2 |
| | SG sample line isolation valve status | Key | D2 |

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-4 (SHEET 2 OF 4)
| System | Variable | Variable Function | Type/Category |
|---|---|---|---|
| Reactor coolant system status | RCS subcooling | Key | D2 |
| | Reactor coolant pump status | Key | D2 |
| | Reactor vessel water level | Key | D2 |
| ECCS | Refueling water storage tank level | Key | D2 |
| | HHSI and LHSI flow | Key | D2 |
| | Containment water level (NR) | Key | D2 |
| | Containment water level (WR) | Key | D2 |
| | ECCS valve status | Key | D2 |
| | Accumulator pressure | Backup | D3 |
| Auxiliary feedwater | Auxiliary feedwater flow | Key | D2 |
| | Auxiliary feedwater valve status | Key | D2 |
| | Condensate storage tank level | Key | D2 |
| Containment | Containment spray flow | Key | D2 |
| | Containment water level (WR and NR) | Key | D2 |
| | Containment spray valve status | Key | D2 |
| | Containment spray pump status | Key | D2 |
| | Containment pressure | Key | D2 |
| | Containment fan cooler damper position | Key | D2 |
| | Containment fan cooler breaker position | Key | D2 |
| | Containment isolation valve status | Key | D2 |
| | Containment sump water temperature | Key | D2 |
| CCW | Header pressure | Key | D2 |
| | Header temperature | Key | D2 |
| | Surge tank level | Key | D2 |
| | CCW flow | Key | D2 |
| | CCW pump status | Key | D2 |
| | A flow from RCP seals | Key | D2 |

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-4 (SHEET 3 OF 4)
| System | Variable | Variable Function | Type/Category |
|---|---|---|---|
| Nuclear service cooling water system | Valve status | Key | D2 |
| | System flow | Key | D2 |
| | Fan status | Key | D2 |
| | Pump status | Key | D2 |
| Reactor coolant system status | RCS subcooling | Key | D2 |
| | Reactor coolant pump status | Key | D2 |
| | Reactor vessel water level | Key | D2 |
| RHR | Heat exchanger discharge temperature | Key | D2 |
| | Flow | Key | D2 |
| | Valve status | Key | D2 |
| | RCS pressure (WR) | Key | D2 |
| | Pump status | Key | D2 |
| HVAC | Environment for ESF components | Key | D2 |
| | System status | Key | D2 |
| | ESF environment cooler status | Key | D2 |
| Electric power | ac/dc vital instrument voltage | Key | D2 |
| Verification of automatic actuation of safety systems | Reactor trip breaker position | Key | D2 |
| | Reactor trip bypass breaker position | Key | D2 |
| | Rod position indication | Backup | D3 |
| | SI activation | Key | D2 |
| | Turbine stop valve position | Key | D2 |
| | First-stage turbine pressure | Key | D2 |
| | Main feedwater control bypass valve status | Key | D2 |
| | Main feedwater isolation valve status | Key | D2 |
| | Auxiliary feedwater pump status | Key | D2 |

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-4 (SHEET 4 OF 4)
| System | Variable | Variable Function | Type/Category |
|---|---|---|---|
| | Safety injection pump status | Key | D2 |
| | Nuclear service cooling water pump status | Key | D2 |
| | CCW pump status | Key | D2 |
| | Containment isolation valve status | Key | D2 |
| | Containment fan cooler status | Key | D2 |
| | RHR pump status | Key | D2 |
| | Containment spray pump status | Key | D2 |
| | CVCS pump status | Key | D2 |
| Reactivity control system | Extended range neutron flux | Key | D2 |
| | Control rod position indication | Backup | D3 |
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.3-5
SUMMARY OF TYPE E VARIABLES

| Variable | Variable Function | Type/Category |
|---|---|---|
| Containment area radiation (WR) | Key | E2 |
| Plant vent radiation level | Key | E2 |
| Steam line radiation | Key | E2 |
| Plant vent air flow rate | Key | E2 |
| Condenser air ejector radiation | Backup (P) | E3 |
| Area radiation monitors | | |
| Control room monitor | Backup (P) | E3 |
| Radiochemistry lab monitor | Backup (P) | E3 |
| Fuel handling building monitor | Backup (P) | E3 |
| Sampling room monitor | Backup (P) | E3 |
| Decontamination station (large parts) | Backup (P) | E3 |
| Decontamination station (small parts) | Backup (P) | E3 |
| Instrument decontamination station | Backup (P) | E3 |
| Site environmental radiation level | Backup (P) | E3 |
| Meteorological parameters | Backup (P) | E3 |
| Containment sump radiation | Backup (P) | E3 |

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.4-1 (SHEET 1 OF 5)
SUMMARY OF VARIABLES AND CATEGORIES

Type and Category
Variable  Type A  Type B  Type C  Type D  Type E
Reactor coolant system (RCS) pressure (wide range (WR))  1  1,2  1,2  2
WR T hot  1  1,2
WR T cold  1  1,2
WR steam generator level  1  1,2  2
Narrow range (NR) steam generator level  1  1  2
Pressurizer level  1  1  2
Containment pressure  1  1,2  2  2
Steam line pressure  1  1  2
Refueling water storage tank level  1  2
Containment water level (WR and NR)  1  1,2  2  2
Condensate storage tank level  1  1  2
Auxiliary feedwater flow  1  1  2
Containment radiation level (high range)  1  1,2  2
Steam line radiation monitor  1  2  2
Core exit temperature  1  1  1
RCS subcooling  1  1  2
Condenser air ejector  3
Extended range neutron flux  1  2

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.4-1 (SHEET 2 OF 5)
Type and Category
Variable  Type A  Type B  Type C  Type D  Type E
Reactor vessel water level  1  2  2
Containment isolation valve status  1,2  2
Control rod position  3
Containment hydrogen concentration  1  1
Containment pressure (extended range)  1,2
RCS activity  3
Plant vent radiogas level  2  2
Auxiliary building radiation level (portable sample)  3
Site environmental radiation level  3  3
Reactor coolant pump status  2
Pressurizer pressure  2
Power-operated relief valve (PORV) status  2
Primary safety valve status  2
Pressurizer heater current  2
Pressurizer relief tank temperature  3
Charging system flow  2
Emergency charging flow  2
Letdown flow  2
Emergency letdown  2
Volume control tank level  2
Chemical and volume control system (CVCS) valve status  2
CVCS pump status  2

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.4-1 (SHEET 3 OF 5)
Type and Category
Variable  Type A  Type B  Type C  Type D  Type E
Reactor coolant pump seal injection flow  2
Steam generator atmospheric PORV status  2
Main steam line isolation valve status  2  2
Main steam line isolation valve bypass isolation valve status  2  2
Steam generator system status-main steamflow  2
Main feedwater control valve status  2
Main feedwater control bypass valve status  2
Main feedwater isolation bypass valve status  2
Main feedwater isolation valve status  2
Main feedwater flow  2
Steam generator blowdown isolation valve status  2
Steam generator sample line isolation valve status  2
High-head safety injection flow  2
Low-head safety injection flow  2
Emergency core cooling system valve status  2
Accumulator pressure  3
Auxiliary feedwater valve status  2
Containment spray valve status  2
Containment spray pump status  2

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.4-1 (SHEET 4 OF 5)
Type and Category
Variable  Type A  Type B  Type C  Type D  Type E
Containment fan cooler damper position  2
Containment fan cooler breaker position  2
Component cooling water (CCW) header pressure  2
CCW header temperature  2
CCW surge tank level  2
CCW flow  2
Auxiliary component cooling water from RCP seals  2
Nuclear service cooling water system flow  2
Nuclear service cooling water system valve status  2
Residual heat removal (RHR) heat exchanger discharge temperature  2
RHR flow  2
RHR valve status  2
RHR pump status  2
Engineered safety features (ESF) environment temperature  2
ESF environment cooler status  2
Heating, ventilation, and air-conditioning system status  2
ac and dc vital instrument voltage  2
SI actuation  2
Reactor trip breaker position  2

VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.4-1 (SHEET 5 OF 5)
Type and Category
Variable  Type A  Type B  Type C  Type D  Type E
Turbine stop valve position  2
First-stage turbine pressure  2
Auxiliary feedwater pump status  2
Safety injection pump status  2
Nuclear service cooling water pump status  2
Nuclear service cooling water fan status  2
CCW pump status  2
Area radiation
Control room monitor  3
Fuel handling building area radiation  3
Sampling room monitor  3
Plant vent airflow rate  2
Meteorological parameters  3
Containment sump radiation  3
Accident sampling capability  3
Containment sump water temperature  2
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.4-2
NUREG-0737 CONFORMANCE

| Applicable Section of NUREG-0737 | Variable |
|---|---|
| II.D.3 | Pressurizer PORV status |
| II.F.1, Attachment 4 | Containment pressure (extended range) |
| II.F.1, Attachment 5 | Containment water level (NR and WR) |
| II.F.1, Attachment 6 (2) | Containment H2 concentration |
| II.F.2 | Core exit temperature; Reactor vessel level; RCS subcooling |
| I.D.2 | Safety parameter display system |
| II.E.1.2 | Auxiliary feedwater flow |
| II.F.1, Attachment 3 (1) | Containment area radiation (high range) |
| II.F.1, Attachment 2 | Sampling and analysis of plant effluent (See section 11.5.) |
| II.F.1, Attachment 1 | Noble gas effluent monitors (See section 11.5.) |
| II.K.1.5 | ECCS and other system valve status |

- 1. Calibration of high-range monitors is performed in accordance with the manufacturer's recommendation.
- 2. Accurate indication of containment hydrogen concentration is available to the operators within 90 minutes of initiating safety injection following a LOCA.
VEGP-FSAR-7 REV 14 10/07
TABLE 7.5.5-1
ESF SYSTEMS MONITORED ON THE SYSTEM STATUS MONITORING PANEL

| System Name | System No. | Monitored Train |
|---|---|---|
| Nuclear service cooling water system | 1202 | A, B |
| Component cooling water system | 1203 | A, B |
| Spent fuel pit cooling system | 1213 | A, B |
| Auxiliary component cooling water system | 1217 | A, B |
| Safety injection system | 1204 | A, B |
| Chemical and volume control system | 1208 | A, B |
| Auxiliary feedwater system (motor driven) | 1302 | A, B |
| Auxiliary feedwater system (turbine driven) | 1302 | C |
| Containment spray system | 1206 | A, B |
| Residual heat removal system | 1205 | A, B |
| Containment building air cooling system | 1501 | A, B |
| Essential chilled water system | 1592 | A, B |
| Auxiliary building ESF equipment room coolers and auxiliary feedwater pumphouse HVAC system | 1555, 1593 | A, B |
| Control building ESF electrical equipment room HVAC system | 1532 | A, B |
| Control building control room HVAC system | 1531 | A, B |
| Fuel handling building ESF HVAC system | 1542 | A, B |
| Piping penetration filtration and exhaust system | 1561 | A, B |
| Electrical tunnel ventilation system | 1540 | A, B |
| Diesel generator standby power system and diesel generator, fuel oil, air start and diesel generator building HVAC systems | 1566, 1821, 2403 | A, B |
| Containment hydrogen recombiner system and CTB post LOCA cavity purge system | 1513, 1516 | A, B |
VEGP-FSAR-7 REV 14 10/07
TABLE 7.6.2-1

INTERLOCK TABLE FOR OUTER ISOLATION VALVES (Refer to figure 7.6.2-1)

| Outer Isolation Valve | HV8701A (Train A) | HV8702A (Train D) |
|---|---|---|
| Interlock | | |
| Pressure transmitter | PT 438 | PT 418 |
| Recirculation line valve limit switch (a) | HV8804A/No. 1 (a) | HV8804B/No. 2 (a) |
| Refueling water storage tank (RWST) isolation valve limit switch (a) | HV8812A/No. 1 (a) | HV8812B/No. 2 (a) |
| Sump line isolation valve limit switch (a) | HV8811A/No. 1 (a) | HV8811B/No. 2 (a) |

INTERLOCK TABLE FOR INNER ISOLATION VALVES (Refer to figure 7.6.2-1)

| RCS-RHRS Inner Isolation Valve | HV8701B (Train C) | HV8702B (Train B) |
|---|---|---|
| Interlock | | |
| Pressure transmitter | PT 408 | PT 428 |
| Recirculation line valve limit switch (a) | HV8804A/No. 2 (a) | HV8804B/No. 1 (a) |
| RWST isolation valve limit switch (a) | HV8812A/No. 2 (a) | HV8812B/No. 1 (a) |
| Sump line isolation valve limit switch (a) | HV8811A/No. 2 (a) | HV8811B/No. 1 (a) |

- a. Limit switch No. 1 is a gear-driven limit switch supplied with a valve. Limit switch No. 2 is an added stem-mounted limit switch.
REV 14 10/07 LOGIC DIAGRAM FOR THE RHRS ISOLATION VALVES FIGURE 7.6.2-1
REV 14 10/07 FUNCTIONAL BLOCK DIAGRAM OF ACCUMULATOR ISOLATION VALVE FIGURE 7.6.4-1