ML17130A235

From kanterella

Jump to navigation Jump to search

Revision 26 to Updated Final Safety Analysis Report, Section 7.0, Control and Instrumentation, Part 1 of 2
Person / Time
ML17130A235
Site:	Peach Bottom
Issue date:	04/06/2017
From:	Exelon Generation Co
To:	Office of Nuclear Reactor Regulation
Shared Package
ML17130A259	List: ML17108A393 ML17130A208 ML17130A211 ML17130A216 ML17130A218 ML17130A220 ML17130A222 ML17130A224 ML17130A227 ML17130A231 ML17130A233 ML17130A235 ML17130A241 ML17130A245 ML17130A247 ML17130A249 ML17130A254 ML17130A256 ML17130A258 ML17130A263 ML17130A266 ML17130A268 ML17130A270 ML17130A273 ML17130A277 ML17130A279 ML17130A281 ML17130A284 ML17130A286 ML17130A288 ML17130A290 ML17130A292 ML17130A294 ML17130A301 ML17130A303 ML17130A306 ML17130A308 ML17130A310 ML17130A313 ML17130A317 ML17130A319 ML17130A321 ML17130A324 ML17130A326 ML17130A328 ML17130A330 ML17130A332 ML17130A486 ML17130A488 ML17130A493 ... further results
References
Download: ML17130A235 (296)
v • d • e

v t e Similar Documents at Peach Bottom
Category:Updated Final Safety Analysis Report (UFSAR) MONTHYEAR2023-04-10 [Table view]

Text

PBAPS UFSAR SECTION 7.0 - CONTROL AND INSTRUMENTATION TABLE OF CONTENTS SECTION TITLE 7.1

SUMMARY

DESCRIPTION 7.1.1 Safety Systems 7.1.2 Power Generation Systems 7.1.3 Safety Functions 7.1.4 Plant Operational Control 7.1.5 Definitions 7.1.6 Redundant System Wiring Independence, Protection, and Marking 7.1.6.1 Cable Routing and Separation 7.1.6.2 Fire Protection 7.1.6.3 Cable and Tray Marking 7.1.6.4 Cable Derating 7.1.7 Reactor Protection System and Engineered Safeguard Equipment Marking 7.1.8 Periodic Testing of Instrumentation and Control Equipment 7.2 REACTOR PROTECTION SYSTEM 7.2.1 Safety Objective 7.2.2 Safety Design Basis 7.2.3 Description 7.2.3.1 General 7.2.3.2 Power Supply 7.2.3.3 Physical Arrangement 7.2.3.4 Logic 7.2.3.5 Operation 7.2.3.6 Scram Functions and Bases for Trip Settings 7.2.3.7 Mode Switch 7.2.3.8 Scram Bypasses 7.2.3.9 Instrumentation 7.2.3.10 Wiring 7.2.4 Safety Evaluation 7.2.5 Inspection and Testing 7.3 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM 7.3.1 Safety Objective 7.3.2 Definitions 7.3.3 Safety Design Basis 7.3.4 Description 7.3.4.1 Identification 7.3.4.2 Power Supply 7.3.4.3 Physical Arrangement 7.3.4.4 Logic CHAPTER 07 7-i REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.3.4.5 Operation 7.3.4.6 Isolation Valve Closing Devices and Circuits 7.3.4.7 Isolation Functions and Settings 7.3.4.8 Instrumentation 7.3.4.9 Environmental Capabilities 7.3.5 Safety Evaluation 7.3.6 Inspection and Testing 7.4 CORE STANDBY COOLING SYSTEMS CONTROL AND INSTRUMENTATION 7.4.1 Safety Objective 7.4.2 Safety Design Basis 7.4.3 Description 7.4.3.1 Identification 7.4.3.2 High Pressure Coolant Injection System Control and Instrumentation 7.4.3.2.1 Identification and Physical Arrangement 7.4.3.2.2 High Pressure Coolant Injection System Initiation Signals and Logic 7.4.3.2.3 High Pressure Coolant Injection System Initiating Instrumentation 7.4.3.2.4 High Pressure Coolant Injection System Turbine and Turbine Auxiliary Control 7.4.3.2.5 High Pressure Coolant Injection System Valve Control 7.4.3.2.6 High Pressure Coolant Injection System Environmental Considerations 7.4.3.3 Automatic Depressurization System Control and Instrumentation 7.4.3.3.1 Identification and Physical Arrangement 7.4.3.3.2 Automatic Depressurization System Initiating Signals and Logic 7.4.3.3.3 Automatic Depressurization System Initiation Instrumentation 7.4.3.3.4 Automatic Depressurization System Alarms 7.4.3.3.5 Automatic Depressurization System Environmental Considerations 7.4.3.4 Core Spray System Control and Instrumentation 7.4.3.4.1 Identification and Physical Arrangement 7.4.3.4.2 Core Spray System Initiating Signals and Logic 7.4.3.4.3 Core Spray System Pump Control 7.4.3.4.4 Core Spray System Valve Control 7.4.3.4.5 Core Spray Alarms and Indications 7.4.3.4.6 Core Spray System Environmental Considerations CHAPTER 07 7-ii REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.4.3.5 Low Pressure Coolant Injection Control and Instrumentation 7.4.3.5.1 Identification and Physical Arrangement 7.4.3.5.2 Low Pressure Coolant Injection Initiating Signals and Logic 7.4.3.5.3 Low Pressure Coolant Injection Pump Mode Control 7.4.3.5.4 Low Pressure Coolant Injection Valve Control 7.4.3.5.5 Low Pressure Coolant Injection Environmental Considerations 7.4.3.5.6 Low Pressure Coolant Injection Load Shed 7.4.4 Safety Evaluation 7.4.5 Inspection and Testing 7.5 NEUTRON MONITORING SYSTEM 7.5.1 Safety Objective 7.5.2 Power Generation Objective 7.5.3 Identification 7.5.4 Wide Range Neutron Monitor Subsystem 7.5.4.1 Power Generation Design Basis 7.5.4.2 Safety Design Basis 7.5.4.3 Description 7.5.4.3.1 Identification 7.5.4.3.2 Power Supply 7.5.4.3.3 Physical Arrangement 7.5.4.3.4 Signal Conditioning 7.5.4.3.5 Trip Functions 7.5.4.4 Power Generation Evaluation 7.5.4.5 Safety Evaluation 7.5.4.6 Inspection and Testing 7.5.5 Deleted 7.5.6 Local Power Range Monitor Subsystem 7.5.6.1 Power Generation Design Basis 7.5.6.2 Description 7.5.6.2.1 Identification 7.5.6.2.2 Power Supply 7.5.6.2.3 Physical Arrangement 7.5.6.2.4 Signal Conditioning 7.5.6.2.5 Trip Functions 7.5.6.3 Power Generation Evaluation 7.5.6.4 Inspection and Testing 7.5.7 Average Power Range Monitor Subsystem 7.5.7.1 Safety Design Basis 7.5.7.2 Power Generation Design Basis 7.5.7.3 Description 7.5.7.3.1 Identification CHAPTER 07 7-iii REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.5.7.3.2 Power Supply 7.5.7.3.3 Signal Conditioning 7.5.7.3.4 Trip Function 7.5.7.4 Safety Evaluation 7.5.7.5 Power Generation Evaluation 7.5.7.6 Inspection and Testing 7.5.8 Rod Block Monitor Subsystem 7.5.8.1 Power Generation Design Basis 7.5.8.2 Description 7.5.8.2.1 Identification 7.5.8.2.2 Power Supply 7.5.8.2.3 Signal Conditioning 7.5.8.2.4 Trip Function 7.5.8.3 Power Generation Evaluation 7.5.8.4 Inspection and Testing 7.5.9 Traversing In-Core Probe Subsystem 7.5.9.1 Power Generation Design Basis 7.5.9.2 Description 7.5.9.2.1 Identification 7.5.9.2.2 Physical Arrangement 7.5.9.2.3 Signal Conditioning 7.5.9.3 Power Generation Evaluation 7.5.9.4 Inspection and Testing 7.6 REFUELING INTERLOCKS 7.6.1 Safety Objective 7.6.2 Safety Design Basis 7.6.3 Description 7.6.4 Safety Evaluation 7.6.5 Inspection and Testing 7.7 REACTOR MANUAL CONTROL SYSTEM 7.7.1 Power Generation Objective 7.7.2 Safety Design Basis 7.7.3 Power Generation Design Basis 7.7.4 Description 7.7.4.1 Identification 7.7.4.2 Operation 7.7.4.2.1 General 7.7.4.2.2 Insert Cycle 7.7.4.2.3 Withdraw Cycle 7.7.4.2.4 Control Rod Drive Hydraulic System Control 7.7.4.3 Rod Block Interlocks 7.7.4.3.1 General 7.7.4.3.2 Rod Block Functions CHAPTER 07 7-iv REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.7.4.3.3 Rod Block Bypasses 7.7.4.4 Control Rod Information Displays 7.7.4.5 DELETED 7.7.4.5.1 DELETED 7.7.4.5.2 DELETED 7.7.5 Safety Evaluation 7.7.6 Inspection and Testing 7.8 REACTOR VESSEL INSTRUMENTATION 7.8.1 Safety Objective 7.8.2 Safety Design Basis 7.8.3 Power Generation Objective 7.8.4 Power Generation Design Basis 7.8.5 Description 7.8.5.1 Reactor Vessel Surface Temperature 7.8.5.2 Reactor Vessel Water Level 7.8.5.3 Reactor Vessel Coolant Flow Rates and Differential Pressures 7.8.5.4 Reactor Vessel Internal Pressure 7.8.5.5 Reactor Vessel Top Head Flange Leak Detection 7.8.6 Safety Evaluation 7.8.7 Inspection and Testing 7.9 RECIRCULATION FLOW CONTROL SYSTEM 7.9.1 Power Generation Objective 7.9.2 Power Generation Design Basis 7.9.3 Safety Design Basis 7.9.4 Description 7.9.4.1 General 7.9.4.2 Adjustable Speed Drive 7.9.4.3 Speed Control for the Adjustable Speed Drives 7.9.4.4 System Operation 7.9.4.4.1 Recirculation Loop Starting Sequence 7.9.4.4.2 Anticipated Transient Without Scram Recirculation Pump Trip 7.9.5 Safety Evaluation 7.9.6 Inspection and Testing 7.10 FEEDWATER CONTROL SYSTEM 7.10.1 Power Generation Objective 7.10.2 Power Generation Design Basis 7.10.3 Description 7.10.3.1 Reactor Vessel Water Level Measurement 7.10.3.2 Steam Flow Measurement 7.10.3.3 Feedwater Flow Measurement CHAPTER 07 7-v REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.10.3.4 Feedwater Control System 7.10.3.4.1 Three (3) Element Reactor Level Control 7.10.3.4.2 Single or One (1) Element Reactor Level Control 7.10.3.4.3 High Pressure Startup Level Control 7.10.3.4.4 Low Pressure Startup Level Control 7.10.3.4.5 Reactor Feedwater Pump Minimum Flow Protection 7.10.3.4.6 Reactor Feedwater Pump Discharge Check Valve Control on Low Flow 7.10.3.4.7 Deleted 7.10.3.4.8 Interlocks to Rod Worth Minimizer from Total Feedwater and Steam Flow Signals 7.10.3.4.9 Runbacks to the Recirculation Control System 7.10.3.4.10 Deleted 7.10.3.4.11 90% Flow Limiter on Loss of Condensate Pump or Reactor Scram 7.10.3.4.12 Feedforward Control 7.10.3.4.13 Setpoint Setdown Following a Reactor Scram 7.10.3.4.14 Scaling-up of Feedwater and Steam Flow Signals 7.10.3.4.15 Auto Calibration of Steam Flow Signals 7.10.3.4.16 Fault Tolerant Logic 7.10.3.4.17 Bumpless Transfer Between Automatic and Manual Modes 7.10.3.4.18 Testability and Maintainability 7.10.3.4.19 Total Feedwater Flow Signal to the Hydrogen Water Chemistry System 7.10.4 Turbine Driven Feedwater Pump Control 7.11 PRESSURE REGULATOR AND TURBINE GENERATOR CONTROL SYSTEM 7.11.1 Power Generation Objective 7.11.2 Power Generation Design Basis 7.11.3 Description 7.11.3.1 Normal Control System 7.11.3.2 Emergency Control System 7.11.4 Power Generation Evaluation 7.11.5 Inspection and Testing 7.11.5.1 Turbine-Generator Supervisory Instruments 7.11.5.2 Testing Provisions 7.12 PROCESS RADIATION MONITORING 7.12.1 Main Steam Line Radiation Monitoring System 7.12.1.1 Safety Objective 7.12.1.2 Safety Design Basis 7.12.1.3 Description 7.12.1.4 Safety Evaluation CHAPTER 07 7-vi REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.12.1.5 Inspection and Testing 7.12.2 Air Ejector Discharge and Adsorber Bed Outlet Radiation Monitoring System 7.12.2.1 Power Generation Objective 7.12.2.2 Power Generation Design Basis 7.12.2.3 Description 7.12.2.3.1 Air Ejector Discharge Radiation Monitor 7.12.2.3.2 Adsorber Bed Outlet Radiation Monitor 7.12.2.4 Power Generation Evaluation 7.12.2.5 Inspection, Testing, and Calibration 7.12.2.5.1 Air Ejector Discharge Radiation Monitor 7.12.2.5.2 Adsorber Bed Outlet Radiation Monitor 7.12.3 Stack Radiation Monitoring System 7.12.3.1 Safety Objective 7.12.3.2 Safety Design Basis 7.12.3.3 Description 7.12.3.4 Safety Evaluation 7.12.3.5 Inspection, Testing, and Calibration 7.12.4 Liquid Process Radiation Monitoring System 7.12.4.1 Power Generation Objective 7.12.4.2 Power Generation Design Basis 7.12.4.3 Description 7.12.4.4 Power Generation Evaluation 7.12.4.5 Inspection and Testing 7.12.5 Ventilation Radiation Monitoring 7.12.5.1 Safety Objective 7.12.5.2 Safety Design Basis 7.12.5.3 Power Generation Objective 7.12.5.4 Power Generation Design Basis 7.12.5.5 Description 7.12.5.5.1 Ventilation Stack Radiation Monitoring 7.12.5.5.2 Reactor Building Ventilation Exhaust Radiation Monitoring and Refueling Floor Ventilation Exhaust Radiation Monitoring 7.12.5.5.3 Control Room Ventilation Intake Radiation Monitoring 7.12.5.5.4 Radwaste Ventilation Exhaust Radiation Monitoring, and Off-Gas Recombiner Building Duct Ventilation Exhaust Radiation Monitoring 7.12.5.6 Alarm and Isolation Logic 7.12.5.6.1 Reactor Building Isolation 7.12.5.6.2 Ventilation Stack Alarms 7.12.5.6.3 Control Room Ventilation Intake Alarm and Bypass 7.12.5.6.4 Radwaste Ventilation Alarm and Isolation CHAPTER 07 7-vii REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.12.5.6.5 Off-Gas Recombiner Building Duct Ventilation Exhaust Radiation Monitoring 7.12.5.7 Safety Evaluation 7.12.5.8 Inspection and Testing 7.13 AREA RADIATION MONITORING SYSTEM 7.13.1 Power Generation Objective 7.13.2 Power Generation Design Basis 7.13.3 Description 7.13.3.1 Monitors 7.13.3.2 Locations 7.13.4 Inspection and Testing 7.14 SITE ENVIRONS RADIATION MONITORING PROGRAM 7.14.1 Deleted 7.14.2 Deleted 7.14.3 Deleted 7.14.3.1 Deleted 7.14.3.2 Deleted 7.14.4 Deleted 7.15 HEALTH PHYSICS AND LABORATORY ANALYSIS RADIATION MONITORS 7.16 PROCESS COMPUTER SYSTEM 7.16.1 Power Generation Objective 7.16.2 Power Generation Design Basis 7.16.3 Description 7.16.3.1 Computer System Components 7.16.3.1.1 Central Processor 7.16.3.1.2 Deleted 7.16.3.1.3 Deleted 7.16.3.1.4 Process Input/Output Subsystems 7.16.3.1.5 Operator Console 7.16.3.1.6 Programming and Maintenance Console 7.16.3.2 Reactor Core Performance Function 7.16.3.2.1 Power Distribution Evaluation 7.16.3.2.2 Fast Core Monitoring 7.16.3.2.3 Local Power Range Monitor Calibration 7.16.3.2.4 Fuel Exposure 7.16.3.3 Rod Worth Minimizer Function 7.16.3.3.1 Rod Worth Minimizer Inputs 7.16.3.3.2 Rod Worth Minimizer Outputs 7.16.3.3.3 Rod Worth Minimizer Indications 7.16.3.4 Monitor, Alarm, and Logging Functions CHAPTER 07 7-viii REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.16.3.4.1 Analog Monitor and Alarm 7.16.3.4.2 Digital Monitor and Alarm 7.16.3.4.3 Alarm Logging 7.16.4 Power Generation Evaluation 7.16.5 Inspection and Testing 7.17 NUCLEAR SYSTEM STABILITY ANALYSIS 7.17.1 Safety Objective 7.17.2 Safety Design Basis 7.17.3 Power Generation Design Basis 7.17.4 Description and Performance Analysis 7.17.5 Operational Verification of Nuclear System Stability 7.17.6 Conclusion 7.18 SEPARATE SHUTDOWN CONTROL PANELS 7.18.1 Power Generation Objective 7.18.2 Power Generation Design Basis 7.18.3 Description 7.18.3.1 Control Panels 7.18.3.2 Operation 7.18.3.2.1 Reactor Shutdown 7.18.3.2.2 Reactor Level Control 7.18.3.2.3 Reactor Pressure Control 7.18.3.2.4 Heat Removal 7.18.3.2.5 Instrumentation and Controls 7.18.3.3 Physical Location 7.18.4 Inspection and Testing 7.19 CLASS 1E EQUIPMENT ENVIRONMENTAL QUALIFICATION 7.19.1 Effects of Loss of Air Conditioning and Ventilation on Control Room and Equipment Room Equipment 7.19.2 Seismic Qualification 7.19.2.1 General 7.19.2.2 Nuclear Steam Supply System - GE-Supplied Equipment 7.19.2.3 Non-Nuclear Steam Supply System Equipment -

Bechtel-Supplied Equipment 7.20 ACCIDENT MONITORING 7.20.1 Safety Objective 7.20.2 Safety Design Basis 7.20.3 Power Generation Design Bases 7.20.4 Description 7.20.4.1 Reactor Water Level CHAPTER 07 7-ix REV. 26, APRIL 2017

PBAPS UFSAR TABLE OF CONTENTS (cont'd)

SECTION TITLE 7.20.4.2 Reactor Pressure 7.20.4.3 Containment Pressure 7.20.4.4 Containment Temperature 7.20.4.5 Containment Atmosphere Analysis 7.20.4.6 Coolant Sampling and Analysis 7.20.4.7 Suppression Pool Water Temperature 7.20.4.8 Suppression Pool Water Level 7.20.4.9 Safety/Relief Valve Position Indication 7.20.4.10 Vent Stack Wide Range and Main Stack Wide Range Noble Gas Monitors 7.20.4.11 Primary Containment Isolation Valve Position Indication 7.20.5 Safety Evaluation 7.20.6 Inspection and Testing 7.21 SEISMIC INSTRUMENTATION 7.21.1 Safety Design Objective 7.21.2 Safety Design Basis 7.21.3 Description 7.21.4 Safety Evaluation 7.21.5 Inspection and Testing 7.22 HIGH PRESSURE SERVICE WATER (HPSW) POWER TRANSFER SWITCH 7.22.1 Power Generation Objective 7.22.2 Power Generation Design Basis 7.22.3 Description 7.22.3.1 Power Transfer Switch 7.22.3.2 Operation 7.22.3.3 Physical Location 7.23 RESIDUAL HEAT REMOVAL (RHR) POWER TRANSFER SWITCH 7.23.1 Power Generation Objective 7.23.2 Power Generation Design Basis 7.23.3 Description 7.23.3.1 Power Transfer Switch 7.23.3.2 Operation 7.23.3.3 Physical Location 7.23.4 Inspection and Testing CHAPTER 07 7-x REV. 26, APRIL 2017

PBAPS UFSAR SECTION 7.O CONTROL AND INSTRUMENTATION LIST OF TABLES TABLE TITLE 7.2.1 Reactor Protection System Instrumentation Specifications 7.2.2 Reactor Protection System Actions (Various Positions of the Mode Switch) 7.2.3 Reactor Protection System Instrument Calibration Methods 7.3.1 Principal Primary Containment Isolation Valves 7.3.2 Primary Containment and Reactor Vessel Isolation Control System Instrumentation Specifications 7.4.1 High Pressure Coolant Injection System Instrument Specifications 7.4.2 Automatic Depressurization System Instrument Specifications 7.4.3 Core Spray System Instrument Specifications 7.4.4 Low Pressure Coolant Injection System Instrument Specifications 7.5.1 Deleted 7.5.2 Wide Range Neutron Monitor Trips and Alarms 7.5.3 Local Power Range Monitor Trips 7.5.4 Average Power Range Monitor Trips 7.6.1 Refueling Interlock Effectiveness 7.7.1 Reactor Manual Control System Instrument Specifications 7.8.1 Reactor Vessel Instrumentation Instrument Specifications 7.12.1 Process Radiation Monitoring Systems Characteristics CHAPTER 07 7-xi REV. 26, APRIL 2017

PBAPS UFSAR LIST OF TABLES (cont'd)

TABLE TITLE 7.12.2 Process Radiation Monitoring System Environmental and Power Supply Design Conditions 7.13.1 Area Radiation Monitoring System, Environmental and Power Supply Design Conditions 7.13.2 Location of Area Radiation Monitors 7.16.1 Instrumentation Input Summary, Neutron Monitoring System 7.16.2 Instrumentation Output Summary, Signal Output Description 7.20.1 Regulatory Guide 1.97 Category 1 Instrumentation CHAPTER 07 7-xii REV. 26, APRIL 2017

PBAPS UFSAR SECTION 7.0 - CONTROL AND INSTRUMENTATION LIST OF FIGURES FIGURE TITLE 7.1.1 Use of Protection System and Instrumentation Definitions 7.2.1 Deleted 7.2.2 Typical Configuration for Main Steam Line Isolation Scram 7.2.3 Deleted 7.2.4 Schematic Diagram of Logics in One Trip System 7.2.5 Schematic Diagram of Actuator and Actuator Logics 7.2.6 Reactor Protection System Scram Functions 7.2.7 Deleted 7.2.8 Relationship Between Neutron Monitoring System and Reactor Protection System 7.2.9 Functional Control Diagram for Neutron Monitoring System Logics 7.2.10 Typical Arrangement of Channels and Logics 7.2.11 Typical Configuration for Turbine Stop Valve Closure Scram 7.2.12 Typical Assessment of Condenser Pressure Instrument Channels and Logics 7.3.1 Deleted 7.3.2 Typical Isolation Control System Using Motor-Operated Valves (Fail-Safe Logic) 7.3.3 Typical Isolation Control System for Main Steam Line Isolation Valves 7.3.4 Main Steam Line Isolation Valve Schematic Control Diagram 7.3.5A Deleted CHAPTER 07 7-xiii REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.3.5B Deleted 7.3.5C Deleted 7.3.5D Deleted 7.3.5E Deleted 7.3.5F Deleted 7.3.5G Deleted 7.3.5H Deleted 7.3.5I Deleted 7.3.5J Deleted 7.3.5K Deleted 7.3.6 Area and Compartment Leakage Detection by Temperature Measurement 7.3.7 Typical Main Steam Line Space High Temperature Channel 7.3.8 Typical Arrangement for Main Steam Line Leak Detection by Flow Measurement 7.3.9 Main Steam Line High Flow Channels 7.3.10 Typical Elbow Tap Arrangement for Gross Leak Detection 7.3.11a Legend for Containment Isolation Valve Arrangement 7.3.11b Main Steam Line and Main Steam Line Drains 7.3.11c Feedwater 7.3.11d RCIC and HPCI Steam Supplies 7.3.11e RHR Shutdown Cooling Suction 7.3.11f RHR Shutdown Cooling Return Core Spray Discharge 7.3.11g Reactor Water Cleanup Pump Suction Instrument Line CHAPTER 07 7-xiv REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.3.11h RHR Head Spray 7.3.11i Drywell Equipment Drain Sump Pump Discharge, Drywell Floor Drain Sump Pump Discharge 7.3.11j Service Air Supply and Breathing Air Supply 7.3.11k Instrument Nitrogen Supply 7.3.11l Reactor Building Cooling Water 7.3.11m Drywell and Torus Purge Supplies 7.3.11n Drywell Purge Exhaust 7.3.11o Tip Purge 7.3.11p Tip Drives 7.3.11q Instrument Lines 7.3.11r Not Used 7.3.11s Integrated Leak Rate Test Connections 7.3.11t Instrument Lines, Drywell Pressure 7.3.11u Not Used 7.3.11v CRD Insert and Withdrawal 7.3.11w RHR Containment Spray 7.3.11x Recirculation Loop and Main Steam Samples 7.3.11y Standby Liquid Control 7.3.11z Containment Atmospheric Control System Sample Lines 7.3.11aa Containment Atmospheric Control System/CADS Sample Lines 7.3.11bb Containment Atmospheric Control System Sample Return 7.3.11cc Drywell Chilled Water CHAPTER 07 7-xv REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.3.11dd Torus Vacuum Breaker 7.3.11ee Instrument Lines, Torus Levels 7.3.11ff RHR Torus Spray and RHR Test and Pool Cooling Return 7.3.11gg RCIC and HPCI Turbine Exhaust - RCIC and HPCI Vacuum Relief 7.3.11hh HPCI Minimum Flow 7.3.11ii Torus Purge Exhaust 7.3.11jj RCIC Vacuum Pump Discharge - HPCI Turbine Drain 7.3.11kk Core Spray Test Line 7.3.11ll RCIC and Torus Water Cleanup Suction 7.3.11mm RHR Pump Suction 7.3.11nn HPCI Suction 7.3.11oo Core Spray Pump Suction 7.3.11pp Core Spray Pump Minimum Flow 7.3.11qq RCIC Pump Minimum Flow 7.3.11rr HPCI Test Line 7.3.11ss Core Spray Test Line 7.3.11tt Pump Minimum Flow 7.3.12 ADS Safety Grade Pneumatic Supply Leak Detection 7.4.1A Deleted 7.4.1B Deleted 7.4.2A Deleted 7.4.2B Deleted CHAPTER 07 7-xvi REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.4.2C Deleted 7.4.2D Deleted 7.4.2E Deleted 7.4.2F Deleted 7.4.2G Deleted 7.4.3A Deleted 7.4.3B Deleted 7.4.4 Deleted 7.4.5A Deleted 7.4.5B Deleted 7.4.5C Deleted 7.4.5D Deleted 7.4.6 Deleted 7.4.7A Deleted 7.4.7B Deleted 7.4.7C Deleted 7.4.7D Deleted 7.4.7E Deleted 7.4.7F Deleted 7.4.7G Deleted 7.4.8 Reactor Recirculation Loop Valves Functional Control Diagram 7.4.9 Typical Core Standby Cooling Systems Trip Systems Actuation Logic 7.5.1 Deleted CHAPTER 07 7-xvii REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.5.2 WRNMS Configuration (One Channel) 7.5.3 Deleted 7.5.4 Functional Block Diagram of WRNM Channel 7.5.5 Deleted 7.5.6 Core Location of Neutron Monitoring System Detectors 7.5.7 Deleted 7.5.8 LPRM Locations 7.5.9 Power Range Neutron Monitoring Unit 7.5.10a LPRM to APRM Assignment Scheme (System A) 7.5.10b LPRM to APRM Assignment Scheme (System B) 7.5.11 APRM Tracking, Reduction in Power by Flow Control 7.5.12 Envelope of Maximum APRM Deviation for APRM Tracking with On-Limit-Limits Control Rod Withdrawal 7.5.13 Typical Assignment of LPRM Assemblies to RBM's 7.5.14 RBM Trip Setpoint Variation with Reference APRM Power 7.5.15 LPRM to RBM Assignment 7.5.16 Assignment of LPRM Strings to TIP Machines 7.5.17 Traversing In-Core Probe Subsystem Block Diagram 7.5.18 Traversing In-Core Probe Assembly 7.5.19 Neutron Monitoring System Arrangement 7.5.20 Deleted 7.5.21 Ranges of Neutron Monitoring System CHAPTER 07 7-xviii REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.5.22 Typical WRNM Circuit Arrangement for Reactor Protection System Input 7.5.23 Typical APRM Circuit Arrangement for Reactor Protection System Input 7.5.24 APRM Trip Setdown, 15 Percent Power in Startup Mode 7.6.1 CRD Hydraulic System, Refueling Interlocks, Functional Control Diagram 7.7.1A Deleted 7.7.1B Deleted 7.7.1C Deleted 7.7.1D Deleted 7.7.1E Deleted 7.7.1F Deleted 7.7.1G Deleted 7.7.1H DELETED 7.7.1I Deleted 7.7.2 Deleted 7.7.3 Reactor Control Board 7.7.4 Input Signals to Four-Rod Display 7.7.5 Typical Process Computer Printout 7.7.6 Rod Block Functions 7.8.1 Nuclear Boiler Instrumentation, P&ID (Deleted) 7.8.2 Nuclear Boiler Thermocouple Locations 7.9.1 Recirculation Flow Control Illustration 7.9.3 Deleted CHAPTER 07 7-xix REV. 26, APRIL 2017

PBAPS UFSAR LIST OF FIGURES (cont'd)

FIGURE TITLE 7.9.4A Deleted 7.9.4B Deleted 7.9.4C Deleted 7.9.4D Deleted 7.9.4E Deleted 7.9.4F Deleted 7.10.1 Feedwater Control System Dual Redundant, Independent Computer Architecture 7.10.2 Feedwater Control System, DFCS Logic Structure Overview 7.11.1 Block Diagram, Electrohydraulic Control System 7.11.2 Block Diagram, Pressure, Load and Speed Control 7.12.1 Deleted 7.12.2 Process Radiation Monitoring System Instrument Electrical Drawings 7.12.3 Deleted 7.13.1 Deleted 7.16.1 Rod Worth Minimizer Functional Control Diagram 7.17.1 Damping Coefficient Versus Decay Ratio (Second Order Systems) 7.20.1 Deleted CHAPTER 07 7-xx REV. 26, APRIL 2017

PBAPS UFSAR SECTION 7.0 - CONTROL AND INSTRUMENTATION 7.1

SUMMARY

DESCRIPTION The control and instrumentation section presents the details of the more complex control and instrumentation system in the station. Some of these systems are safety systems, while others are power generation systems.

7.1.1 Safety Systems The safety systems described in the control and instrumentation section are the following:

1. Nuclear safety systems and engineered safeguards (required for accidents and abnormal operational transients)

a. RPS

b. Primary containment and reactor vessel isolation control system

c. CSCS's control and instrumentation

d. Neutron monitoring system (specific portions)

e. Process radiation monitoring system (specific portions)

f. Containment atmosphere control.

2. Safety-related display instrumentation

a. Seismic monitoring

b. Accident monitoring.

3. Process safety systems (required for planned operation)

a. Neutron monitoring system (specific portions)

b. Refueling interlocks

c. Reactor vessel instrumentation

d. Process radiation monitors (specific portions).

CHAPTER 07 7.1-1 REV. 22, APRIL 2009

PBAPS UFSAR 7.1.2 Power Generation Systems The power generation systems described in this section are as follows:

1. Reactor manual control system.

2. Recirculation flow control system.

3. Feedwater system control and instrumentation.

4. Pressure regulator and turbine-generator control.

5. Process computer system. (PMS)

6. Area radiation monitors.

7. Site environs radiation monitors.

8. Health physics and laboratory analysis radiation monitors.

7.1.3 Safety Functions The major functions of the safety systems are summarized as follows:

1. Reactor Protection System - The RPS initiates an automatic reactor shutdown (scram) if monitored nuclear system variables exceed established limits. This action limits fuel damage and system pressure and thus restricts the release of radioactive material.

2. Primary Containment and Reactor Vessel Isolation Control System - This system initiates closure of various automatic isolation valves in response to out of limit nuclear system variables. The action provided limits the loss of coolant from the reactor vessel and contains radioactive materials either inside the reactor vessel or inside the primary containment. The system responds to various indications of pipe breaks or radioactive material release.

3. Core Standby Cooling Systems Control and Instrumentation

- This subsection describes the arrangement of control devices for HPCI, automatic depressurization, core spray, and LPCI.

CHAPTER 07 7.1-2 REV. 22, APRIL 2009

4. Neutron Monitoring System - The neutron monitoring system uses in-core neutron detectors to monitor core neutron flux. The safety function of the neutron monitoring system is to provide a signal to shut down the reactor when an overpower or instability condition is detected. High average neutron flux is used as the overpower indicator. Oscillations in the neutron flux are used as the thermal-hydraulic instability indicator. In addition, the neutron monitoring system provides the required power level indication during planned operation.

5. Main Steam Radiation Monitoring System - Gamma sensitive radiation monitors are installed in the vicinity of the main lines just outside the primary containment. These monitors can detect a gross release of fission products from the fuel by measuring the gamma radiation coming from the steam lines. A high radiation trip signal is sent to the RPS and the primary containment and reactor vessel isolation control system. The high radiation condition results in reactor scram and isolation.

6. Refueling Interlocks - The refueling interlocks serve as a backup to procedural core reactivity control during refueling operation.

7. Reactor Vessel Instrumentation - The reactor vessel instrumentation monitors and transmits information concerning key reactor vessel operating parameters during planned operation to ensure that sufficient control of these parameters is possible.

8. Process Radiation Monitors (except Main Steam Line Radiation Monitoring System) - A number of radiation monitoring systems are provided on process liquid and gas lines to provide sufficient information for control of radioactive material release from the site.

9. Containment Atmosphere Control System - The containment atmosphere control system provides the capability to monitor and control the concentration of oxygen in the primary containment during normal operations.

10. Containment Atmospheric Dilution System - The CADS provides the capability to monitor and control the concentration of hydrogen in the primary containment following an accident.

11. Seismic Monitoring System - The seismic monitoring system provides the capability to record and play back CHAPTER 07 7.1-3 REV. 22, APRIL 2009

PBAPS UFSAR the time-history of seismic vibration and the resulting safety structure response.

12. Accident Monitoring Equipment - The accident monitoring equipment provides the capability to monitor the plant conditions to assess the progress of an accident to allow appropriate remedial action to be taken.

7.1.4 Plant Operational Control The major systems used to control the plant during planned power generation operations are the following:

1. Reactor Manual Control System - This system allows the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to avoid unnecessary protection system action resulting from operator error.

2. Recirculation Flow Control System - This system controls the speed of the two reactor recirculation pumps by varying the frequency of the power supply for the pumps.

By varying the coolant flow rate through the core, power level may be changed. The system is arranged to allow for manual control (operator action).

3. Feedwater System Control and Instrumentation - This system regulates the feedwater flow rate so that proper reactor vessel water level is maintained. The feedwater system controller uses reactor vessel water level, main steam flow, and feedwater flow signals to regulate feedwater flow. The system is arranged to permit single element (level only), three element (level, steam flow, and feed flow), or manual operation.

4. Pressure Regulator and Turbine-Generator Controls -The pressure regulator and turbine-generator controls work together to allow proper generator and reactor response to load demand changes. The pressure regulator acts to maintain nuclear system pressure essentially constant, so that pressure-induced core reactivity changes are controlled. To maintain constant pressure, the pressure regulator adjusts the turbine control valves or turbine bypass valves. The turbine-generator speed-load controls can initiate rapid closure of the turbine control valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed in case of loss of generator electrical load.

CHAPTER 07 7.1-4 REV. 22, APRIL 2009

5. Process Computer System (PMS) - The process computer provides alarm and data logging facilities and supplemental information for the more efficient operation of the core.

6. Area Radiation Monitoring System - The area radiation monitoring system provides a record and an indication in the control room of gamma radiation levels at selected locations within various plant buildings during normal operation and post-accident containment radiation levels. It also provides local alarms to warn personnel of significant increases in radiation levels.

7. Site Environs Radiation Monitoring System - The function of the site environmental monitoring program is to measure trends in the levels of environmental radioactivity. The monitoring station continuously records gamma radiation levels and collects airborne radioactive particulates for analysis.

8. Health Physics and Laboratory Analysis Radiation Monitoring Program - Portable radiation survey instruments and laboratory instruments are available to measure alpha, beta, gamma, and neutron radiation to protect the health and safety of plant personnel.

7.1.5 Definitions The complexity of the control and instrumentation systems requires the use of certain terminology for clarification in the description of the protection systems. See additional definitions in subsection 1.2, "Definitions."

1. Channel - A channel is an arrangement of one or more sensors and associated components used to monitor plant variables and produce discrete outputs used in logic. A channel terminates and loses its identity where individual channel outputs are combined in logic. See Figure 7.1.1.

2. Sensor - A sensor is that part of a channel used to detect variations in the measured power plant variable.

See Figure 7.1.1.

3. Logic - Logic is that array of components which combines individual bistable output signals to produce decision outputs. See Figure 7.1.1.

4. Trip System - A trip system is that portion of a system encompassing one or more channels, logic, and bistable CHAPTER 07 7.1-5 REV. 22, APRIL 2009

PBAPS UFSAR devices used to produce output signals to the actuation logic. A trip system terminates and loses its identity where outputs are combined in logic. See Figure 7.1.1.

5. Actuation Device - An actuation device is an electrical or electromechanical module controlled by an electrical decision output used to produce mechanical operation of one or more activated devices to accomplish the necessary action. See Figure 7.1.1.

6. Activated Device - An activated device is a mechanical module in a system used to accomplish an action. An activated device is controlled by an actuation device.

See Figure 7.1.1.

7. Trip - A trip is the change of state of a bistable device which represents the change from a normal condition. A trip signal, which results from a trip, is generated in the channels of a trip system and produces subsequent trips and trip signals throughout the system as directed by the logic.

8. Set Point - A set point is that value of a monitored plant variable which is maintained by control action or at which a trip occurs.

9. Component - Items from which the system is assembled (e.g., resistors, capacitors, wires, connectors, transistors, switches, springs, pumps, valves, piping, heat exchangers, vessels, etc).

10. Module - Any assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment.

11. Incident Detection Circuitry - Incident detection circuitry includes those trip systems which are used to sense the occurrence of an incident. Such circuitry is described and evaluated separately where the incident detection circuitry is common to several systems.

CHAPTER 07 7.1-6 REV. 22, APRIL 2009

PBAPS UFSAR 7.1.6 Redundant System Wiring Independence, Protection, and Marking 7.1.6.1 Cable Routing and Separation Cable routing and separation maintains the ability to safely shutdown the plant in the event of a fire. Cable routing and separation for fire protection is described in the Fire Protection Program, Peach Bottom Atomic Power Station, Units 2 and 3.

Cables serving engineered safety feature systems and Class 1E electrical systems are routed separately when duplicate or backup equipment is affected. Separation for these safety systems is achieved by routing through separate rooms or corridors where possible. When wiring for two or more redundant safety systems passes through the same compartment having rotating heavy machinery or containing high-pressure steam lines, a horizontal separation of 20 ft is maintained between raceways groups. Where spacing less than 20 ft is provided in zones of potential mechanical damage, protective walls or barriers equal to a 6-in thick reinforced concrete wall are provided between groups.

Cables identified as required for Safe Shutdown in accordance with Appendix R to 10CFR, Part 50 are routed in accordance with the separation criteria identified in Section III.G of Appendix R.

Any switchgear or electrical panel associated with redundant systems has a minimum horizontal separation of 20 ft or is separated by a protective wall, ceiling, or floor equivalent to a 6-in thick reinforced concrete wall. This applies only in zones of potential missile damage.

To protect against the potential hazard of an electrical fire, where practical, cable trays of redundant systems have a minimum horizontal separation of 3 ft and a minimum vertical separation of 5 ft, or a crossover separation of 18 in. Where these separations cannot be maintained, fire resistant barriers are installed between the trays, or cables are run in rigid steel conduit, steel intermediate metal conduit (IMC) or steel electrical metallic tubing (EMT), until this separation exists.

In the Cable Spreading Room, where cables of redundant systems approach the same or adjacent control panels with a spacing less than 3 feet horizontally or 5 feet vertically, both cables run in rigid steel conduit, steel IMC, steel EMT or separation is established by an analysis of the installation. Flexible steel conduit is used only for final bend to the tray or through floor sleeves when conduit is required to panels. A barrier exists between the cable spreading room and the main control room.

CHAPTER 07 7.1-7 REV. 22, APRIL 2009

PBAPS UFSAR In other areas where cables of redundant systems approach the same or adjacent control panels or components with a spacing less than 3 feet horizontally or 5 feet vertically, both cables run in rigid steel conduit, steel IMC or steel EMT or, for control and instrument cables, separation is established by an analysis of the installation. Flexible steel conduit is used only for final bend to the tray, component, or through floor sleeves when conduit is required to panels.

The RPS and primary containment isolation system are designed to meet the following requirements:

1. Wiring to duplicate sensors on a common process is run in separate conduits. The neutron monitoring system cables beneath the reactor vessel are an exception to the general rule. They are not routed in conduit because of space limitations and the need for flexibility of the cables. However, these cables are grouped and separated to obtain effective channel independence.

2. Cables through drywell penetrations are so grouped that loss of all cabling in a single penetration cannot prevent a scram.

3. Wiring for sensors of more than one variable in the same trip channel may be run in the same conduit.

4. For the primary containment isolation system, the inboard primary containment isolation valve wiring between the control panel and the valve proper is separate from the outboard isolation valve wiring.

Safety system cables are not installed in nonsafety system trays or conduits. Nonsafety-related cables may be installed in a safety system tray or conduit, but those of a nonsafety system are not installed in trays or conduits of more than one independent channel of a safety system.

No single control panel includes wiring essential to the function of two redundant systems unless there is a minimum of 6 inches of separation between cables and components of the two systems, except where the presence of wiring of two redundant systems is permitted by project specifications. If less than 6 inches separation between systems exists, a fire resistant barrier is provided or wiring for one of the two systems is run in conduit or fire resistant sleeving to separate the two systems. Penetration of separation barriers within a panel is not permitted, unless the penetration is so designed that fire cannot propagate through the CHAPTER 07 7.1-8 REV. 22, APRIL 2009

PBAPS UFSAR penetration, or conduit is used. Devices or components of redundant systems on the same panel less than 6 in apart are considered adequately separated if one of the devices is totally enclosed in fire resistant material, or if their failure in any mode will not negate automatic system operation if required.

If two panels containing circuits of redundant systems are less than 3 ft apart, there is a steel barrier between the two panels.

Panel ends closed by steel end plates are acceptable barriers provided that terminal boards and wireways are mounted at least 1 in from the end plates.

7.1.6.2 Fire Protection Part of the fire protection system, as described in subsection 10.12, is used to detect fire and protect safety-related cables in trays in the following areas:

1. Smoke detectors are installed in the cable spreading room and computer room to initiate alarm in the control room. A manually operated carbon dioxide system in the computer room and cable spreading room are used for fire protection in these areas.

2. Heat detectors are installed in the HPCI rooms to initiate alarms in the control room and for automatic initiation of the carbon dioxide system.

7.1.6.3 Cable and Tray Marking The permanent cable markers for engineered safeguard cables include a color dot to identify a particular wiring channel.

Cable trays and conduits used for engineered safeguard cables are marked at intervals not exceeding 50 ft with the raceway number and color code.

Identification of engineered safeguard cables and raceways is as follows:

Cable and Raceway Color Channel Prefix Code A ZA Blue B ZB Green C ZC Red D ZD Orange CHAPTER 07 7.1-9 REV. 22, APRIL 2009

PBAPS UFSAR RPS cables are installed in conduits having a unique identification number.

7.1.6.4 Cable Derating Cables serving engineered safety feature and Class 1E electrical systems are thermally sized and derated in accordance with methods outlined in Insulated Power Cable Engineers Association (IPCEA) standards. Power Cables installed in conduit are derated in accordance with IPCEA standard P-46-426, Power Cable Ampacities, Volume I or Volume II. Power cables installed in open-top cable tray are derated in accordance with ICEA standard P-54-440, Ampacities Cables in Open-top Cable Trays. For special cases where the use of these standards is restrictive, cables are derated using a heat transfer model which considers load diversity among cables (actual loading of cables) installed in the raceway.

7.1.7 Reactor Protection System and Engineered Safeguard Equipment Marking RPS and engineered safeguard equipment is physically identified as safety related by use of distinctive markings or labels designating the name of apparatus and the applicable channel or safeguard division.

7.1.8 Periodic Testing of Instrumentation and Control Equipment The use of lifted leads and jumpers for on-line testing of engineered safety feature equipment is permitted but will be minimized. All lifted leads and jumpers shall be clearly identified and controlled by specific instructions in the procedure including signoff and verification. All periodic testing of engineering safety features is consistent with IEEE 279 with regard to on-line testability.

The following test methods will be considered:

1. Provisions should be made for functional testing without requiring shutdown or unscheduled power change as a condition of the test.

2. Testing should be accomplished without disturbing the existing wiring (i.e., lifting of wires from terminals is not the best method of testing). Pulling of fuses is an acceptable practice.

3. The use of clip-leads should be minimized except for the attachment of meter leads.

CHAPTER 07 7.1-10 REV. 22, APRIL 2009

4. Test jacks permanently wired to existing circuitry are considered acceptable provided the connection points are so chosen that no portion of the installed protective wiring is untestable and that external equipment connected to the text jacks is procedurally controlled.

5. Permanently wired test lights are acceptable provided the installation is not capable of producing an unsafe failure through any malfunction of the lamp.

6. Booting of contacts should be done only when necessary. All alternate methods should be considered first.

CHAPTER 07 7.1-11 REV. 22, APRIL 2009

PBAPS UFSAR 7.2 REACTOR PROTECTION SYSTEM 7.2.1 Safety Objective The safety objective of the RPS is to provide timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier (uranium dioxide sealed in cladding) and the nuclear system process barrier. Excessive temperature threatens to perforate the cladding or melt the uranium dioxide. Excessive pressure threatens to rupture the nuclear system process barrier. The RPS limits the uncontrolled release of radioactive material from the fuel and nuclear system process barrier by terminating excessive temperature and pressure increases through the initiation of an automatic scram.

7.2.2 Safety Design Basis

1. The RPS initiates, with precision and reliability, a reactor scram in time to limit fuel damage following abnormal operational transients to such an extent that, if the freed fission products were released to the environs via the normal discharge path for radioactive material, the limits of applicable regulations would not be exceeded.

2. The RPS initiates, with precision and reliability, a reactor scram in time to prevent damage to the nuclear system process barrier as a result of internal pressure.

Specifically, the RPS initiates a reactor scram in time to prevent nuclear system pressure from exceeding the nuclear system pressure allowed by applicable industry codes.

3. The RPS initiates, with precision and reliability, a reactor scram to limit the uncontrolled release of radioactive materials from the fuel or nuclear system process barrier upon gross failure of either of these barriers.

4. RPS inputs are derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions to provide assurance that conditions which threaten the fuel or nuclear system process barriers are detected with sufficient timeliness and precision to fulfill safety design bases 1, 2, and 3.

5. The RPS responds correctly to the sensed variables over the expected range of magnitudes and rates of change to provide assurance that important variables are monitored CHAPTER 07 7.2-1 REV. 26, APRIL 2017

PBAPS UFSAR with a precision sufficient to fulfill safety design bases 1, 2, and 3.

6. An adequate number of sensors are provided for monitoring essential variables having spatial dependence to provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3.

7. The following bases provide assurance that the RPS is designed with sufficient reliability to fulfill safety design bases 1, 2, and 3:

a. No single failure within the RPS prevents proper RPS action when required to satisfy safety design bases 1, 2, or 3.

b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the ability of the RPS to respond correctly.

c. The system is designed for a high probability that, when any monitored variable exceeds the scram set point, the event results in an automatic scram, and does not impair the ability of the system to scram, as other monitored variables exceed their scram trip points.

d. Where a plant condition that requires a reactor scram can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more RPS channels designed to provide protection against the unsafe condition, the remaining portions of the RPS meet the requirements of safety design bases 1, 2, 3, and 7a.

e. The power supply for the RPS is arranged so that loss of one supply neither causes nor prevents a reactor scram.

f. The system is designed so that, once initiated, an RPS action goes to completion.

Return to normal operation after protection system action requires deliberate operator action.

CHAPTER 07 7.2-2 REV. 26, APRIL 2017

g. There is sufficient electrical and physical separation between channels, and between logics monitoring the same variable, to prevent environmental factors, electrical transients, and physical events from impairing the ability of the system to respond correctly.

h. Earthquake ground motions do not impair the ability of the RPS to initiate a reactor scram.

i. Sufficient diversity in measurement principle or manufacture of the devices used to monitor water level in the scram discharge volume is provided to ensure that a common mode failure of the devices of one design will not prevent a scram on high scram discharge volume water level.

8. The following bases are specified to reduce the probability that RPS operational reliability and precision is degraded by operator error:

a. Access to trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables are under the control of station operations personnel.

b. The means for manually bypassing logics, channels, or system components are under the control of the control room operator. If a channel logic is bypassed, this fact is continuously annunciated in the control room.

9. To provide the operator with means, independent of the automatic scram functions, to counteract conditions that threaten the fuel or nuclear system process barrier, it is possible for the control room operator to manually initiate a reactor scram.

10. The following bases are specified to provide the operator with the means to assess the condition of the RPS and to identify conditions that threaten the integrities of the fuel or nuclear system process barriers:

CHAPTER 07 7.2-3 REV. 26, APRIL 2017

a. The RPS is designed to provide the operator with information pertinent to the operational status of the protection system.

b. Means are provided for prompt identification of channel and trip system responses.

11. It is possible to check the operational availability of each logic.

7.2.3 Description 7.2.3.1 General The RPS is designed to meet the intent of the Institute of Electrical and Electronic Engineers (IEEE) "Proposed Criteria for Nuclear Power Plant Protection Systems," (IEEE-279 of August, 1968). The RPS is functionally identical to the design as presented in Topical Report NEDO-10139, "Compliance of Protection Systems to Industry Criteria: GE BWR Nuclear Steam Supply System" (June 1970). Details of the RPS compliance with IEEE-279-1968 are presented on pages 2-21 through 2-24 of the topical report. In addition to the subsystems listed in the topical report, a condenser low vacuum scram is included in the PBAPS design. This scram complies with IEEE-279-1968. Appendix H contains an evaluation of the facility with respect to the 70 General Design Criteria for Nuclear Power Plant Construction Permit (July 1967).

The RPS includes the motor-generator (M-G) power supplies with associated control and indicating equipment, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the process computer system (PMS) and annunciators.

The process computer system (PMS) and annunciators are not part of the RPS. Although scram signals are received from the neutron monitoring system, this system is treated as a separate nuclear safety system elsewhere in the report (subsection 7.5, "Neutron Monitoring System").

7.2.3.2 Power Supply Power to each of the two reactor protection trip systems is supplied, via a separate bus, by its own high inertia AC M-G set (Drawing M-1-T-49, Sheets 1 and 4). Each generator has a voltage regulator which is designed to respond to a step load change of 50 percent of rated load with an output voltage change of not greater than 15 percent. High inertia is provided by a flywheel. The inertia is sufficient to maintain voltage and frequency within 5 percent of rated values for at least 1.0 sec following a total loss of power to the drive motor. The output of each RPS M-G set CHAPTER 07 7.2-4 REV. 26, APRIL 2017

PBAPS UFSAR is protected by a protection panel containing two channels of Class 1E protection. Each channel contains relays for overvoltage, undervoltage, and underfrequency protection which trip an associated circuit breaker. The protection panels will protect RPS components from an overvoltage, undervoltage, and underfrequency condition as defined in the Technical Specification Bases.

Each M-G Set is designed to allow a momentary loss of power to the drive motor during 4 kV transients. A time delay relay maintains a restart signal to the motor if power is restored within a specified time. This delay is based on the ability of the flywheel to provide sufficient inertia to maintain generator output during a 4 kV fast transfer. The time delay also provides assurance that on a total loss of 4 kV, the RPS M-G set output trips on undervoltage after flywheel inertia is lost to trip the unit and is removed from the emergency diesel generators as a system load.

Deenergization of one of the RPS power supplies causes the associated RPS to actuate causing a half scram.

Alternate power is available to either RPS bus from an inverter supplied by DC power, or an electrical bus that can receive standby electrical power. The output of the alternate power source is protected by a protection panel which provides similar RPS component protection as installed on the M-G sets. The alternate power switch prevents simultaneously feeding both buses from the same source. The switch also prevents paralleling an M-G set with the alternate supply. Dc power is supplied to the backup scram valve solenoids from the station batteries. The protection panels will protect the RPS components from an overvoltage, undervoltage, and underfrequency condition as defined in the Technical Specification Bases.

7.2.3.3 Physical Arrangement Instrument piping that taps into the reactor vessel is routed through the drywell wall and terminates inside the secondary containment (reactor building). Reactor vessel pressure and water level information is sensed from this piping by instruments mounted on instrument racks in the reactor building. Valve position switches are mounted on valves from which position information is required. The sensors for RPS signals from equipment in the turbine building are mounted locally. The two M-G sets that supply power for the RPS are located in the 4 kV switchgear complex in an area where they can be serviced during reactor operation. Cables from sensors and power cables are routed to two RPS cabinets in the control room, where the logic circuitry of the system is formed. One cabinet is used for each CHAPTER 07 7.2-5 REV. 26, APRIL 2017

PBAPS UFSAR of the two trip systems. The logics of each trip system are isolated in separate bays in each cabinet. The RPS is designed as seismic Class I equipment to assure a safe reactor shutdown during and after seismic disturbances. However, certain input signals to RPS such as:

Turbine stop valve pressure sensors

Turbine control valve fast closure pressure sensors

First stage turbine pressure sensors

Condenser vacuum pressure sensors

Main steam line pressure sensors are located in the Turbine Building which is a Seismic Class II structure. All of these instruments are qualified and mounted per Seismic Class I requirements.

7.2.3.4 Logic The basic logic arrangement of the system is illustrated in Drawing M-1-T-49, Sheets 2 and 5. The RPS is arranged as two separately powered trip systems. Each trip system has three logics, as shown in Figure 7.2.4. Two of the logics are used to produce automatic trip signals. The remaining logic is used for a manual trip signal. Each of the two logics used for automatic trip signals receives input signals from at least one channel for each monitored variable. Thus, two channels are required for each monitored variable to provide independent inputs to the logics of one trip system. At least four channels for each monitored variable are required for the logics of both trip systems.

As shown in Figure 7.2.5, the actuators associated with any one logic provide inputs into each of the actuator logics for the associated trip system. Thus, either of the two automatic logics associated with one trip system can produce a trip system trip.

The logic is a one-out-of-two arrangement. To produce a scram, the actuator logics of both trip systems must be tripped. The overall logic of the RPS could be termed one-out-of-two taken twice.

7.2.3.5 Operation To facilitate the description of the RPS, the two trip systems are called trip system A and trip system B. The automatic logics of trip system A are logics A1 and A2; the manual logic of trip system A is logic A3. Similarly, the logics for trip system B are logics B1, B2, and B3. The actuators associated with any particular logic are identified by the logic identity (such as actuators B2) and a letter (Figure 7.2.4). The actuator logics associated with a trip system are identified with the trip system identity (such as actuator logics A). Channels are identified by CHAPTER 07 7.2-6 REV. 26, APRIL 2017

PBAPS UFSAR the name of the monitored variable and the logic identity with which the channel is associated (such as reactor vessel high-pressure channel B1).

During normal operation all sensor and trip contacts essential to safety are closed; channels, logics, and actuators are energized.

There are two scram pilot valve solenoids and two scram valves for each control rod, arranged functionally as shown in Drawing M-1-T-49, Sheet 1 and 4. Each scram pilot valve is solenoid operated.

The solenoids are normally energized. The scram pilot valves associated with a control rod control the air supply to both scram valves for that rod. With either scram pilot valve solenoid energized, air pressure holds the scram valves closed. The scram insert valve supplies water to the CRD from the scram accumulator and the scram exhaust valves exhaust water from the CRD to the scram discharge volume. One of the scram pilot valve solenoids for each control rod is controlled by actuator logics A, the other solenoid by actuator logics B. There are two DC solenoid-operated backup scram valves which provide a second means of controlling the air supply to the scram valves for all control rods. The DC solenoid for each backup scram valve is normally deenergized. The backup scram valves are energized (initiate scram) when both trip system A and trip system B are tripped.

The functional arrangement of sensors and channels that constitute a single logic is shown in Drawing M-1-T-49, Sheet 2 and 5. A schematic is given in Figure 7.2.4.

Whenever a channel sensor contact opens, its sensor relay deenergizes, causing contacts in the logic to open. The opening of contacts in the logic deenergizes its actuators. When deenergized, the actuators open contacts in all the actuator logics for that trip system. This action results in deenergizing the scram pilot valve solenoids associated with that trip system (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve solenoid for each rod is deenergized, the rods are not scrammed. If a trip then occurs in any of the logics of the other trip system, the remaining scram pilot valve solenoid for each rod is deenergized, venting the air pressure from the scram valves, and allowing CRD water to act on the CRD piston.

Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume which is isolated due to the RPS scram signal. Drawing M-1-T-49, Sheets 1 and 4 shows that when the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply for the scram valves; this action initiates insertion of every control rod regardless of the action of the scram pilot valves.

CHAPTER 07 7.2-7 REV. 26, APRIL 2017

PBAPS UFSAR A scram can be manually initiated. There are two scram buttons, one for logic A3 and one for logic B3. Depressing the scram button on the logic A3 deenergizes actuators A3 and opens corresponding contacts in actuator logics A. A single trip system trip is the result. To effect a manual scram, the buttons for both logic A3 and logic B3 must be depressed. By operating the manual scram button for one manual logic at a time, followed by reset of that logic, each trip system can be tested for manual scram capability. It is also possible to scram the reactor by interrupting power to the RPS. This can be done by opening power supply breakers. The manual scram capability provided in the control room meets safety design basis 9.

As an alternate means, Operations can initiate an automatic scram using the test switches. There is one test push-button for logic A1, A2, B1, and B2. Depressing test switches on the logic A1, deenergizes actuators A1 and opens corresponding contacts in actuator logics A. A single trip system trip is the result. To cause a scram, the buttons for both logic (A1 or A2) and logic (B1 or B2) must be depressed. By operating the test switches for one auto logic at a time, followed by reset of that logic, each trip system can be tested for automatic scram capability.

To restore the RPS to normal operation following any single trip system trip or scram, the actuators must be manually reset. Reset is possible only if the conditions that caused the trip or scram have been cleared and is accomplished by operating switches in the control room. Drawing M-1-T-49, Sheets 2 and 5 shows the functional arrangement of reset contacts for trip system A. This meets safety design basis 7f.

Whenever an RPS sensor trips, it lights a printed red window, common to all the channels for that variable, on the reactor annunciator panel in the control room to indicate the out-of-limit variable. Each trip system lights a red window indicating the trip system which has tripped. An RPS channel trip also sounds a buzzer or horn, which can be silenced by the operator. The annunciator window lights latch in until manually reset; reset is not possible until the condition causing the trip has been cleared. The physical positions of RPS relays are used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. The location of alarm windows provides the operator with the means to quickly identify the cause of RPS trips and to evaluate the threat to the fuel or nuclear system process barrier.

To provide the operator with the ability to analyze an abnormal transient during which events occur too rapidly for direct operator comprehension, all RPS trips are recorded by the plant monitoring system (PMS) computer system. All trip events are CHAPTER 07 7.2-8 REV. 26, APRIL 2017

PBAPS UFSAR recorded. Use of the computer is not required for plant safety, and information provided is in addition to that immediately available from other annunciators and data displays. The display of trips is of particular usefulness in routinely verifying the proper operation of pressure, level, and valve position sensors as trip points are passed during startups, shutdowns, and maintenance operations.

RPS inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the RPS. Signals directly from the RPS sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the RPS satisfies safety design bases 10a and 10b.

7.2.3.6 Scram Functions and Bases for Trip Settings The following discussion covers the functional considerations for the variables or conditions monitored by the RPS. Table 7.2.1 lists the specifications for instruments providing signals for the system. Figure 7.2.6 shows the scram functions in block form.

a. Neutron monitoring system trip. To provide protection for the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram.

The neutron monitoring system set points and their bases are discussed in subsection 7.5, "Neutron Monitoring System."

b. Nuclear system high pressure. High pressure within the nuclear system poses a direct threat of rupture to the nuclear system process barrier. A nuclear system pressure increase while the reactor is operating compresses the steam voids and results in a positive reactivity insertion causing increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing the core fission heat generation.

The nuclear system high-pressure scram setting is chosen slightly above the reactor vessel maximum normal operating pressure to permit normal operation without spurious scram yet provide a wide margin to the maximum allowable nuclear system pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high-pressure CHAPTER 07 7.2-9 REV. 26, APRIL 2017

PBAPS UFSAR scram setting. The nuclear system high-pressure scram works in conjunction with the pressure relief system in preventing nuclear system pressure from exceeding the maximum allowable pressure. This same nuclear system high-pressure scram setting also protects the core from exceeding thermal hydraulic limits as a result of pressure increases for some events that occur when the reactor is operating at less than rated power and flow.

c. Reactor vessel low water level. A low water level in the reactor vessel indicates that the core is in danger of being inadequately cooled. The effect of a decreasing water level while the reactor is operating at power is to decrease the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core.

The reactor vessel low water level scram setting was selected to prevent fuel damage following those abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. Specifically, the scram setting is chosen far enough below normal operational levels to avoid spurious scrams but high enough above the top of the active fuel to assure that enough water is available to account for evaporation losses and displacements of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in the development of thermal-hydraulic limits, which set operational limits on the thermal power level for various coolant flow rates.

d. Turbine stop valve closure. Closure of the turbine stop valves with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise collapses steam voids. The turbine stop valve closure scram, which initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure, is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods.

Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate CHAPTER 07 7.2-10 REV. 26, APRIL 2017

PBAPS UFSAR to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the nuclear system pressure limit.

The turbine stop valve closure scram setting is selected to provide the earliest positive indication of valve closure. The trip logic was chosen both to identify those situations in which a reactor scram is required for fuel protection and to allow functional testing of this scram function.

e. Turbine control valve fast closure. With the reactor and turbine-generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram, which initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure, is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit.

The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure. The trip logic was chosen to identify those situations in which a reactor scram is required for fuel protection.

f. Main steam line isolation. The main steam line isolation scram is provided to limit the release of fission products from the nuclear system. Automatic closure of the main steam line isolation valves is initiated upon conditions indicative of a steam line break. Immediate shutdown of the reactor is appropriate in such a situation. The scram initiated by main steam line isolation valve closure anticipates a reactor vessel low water level scram. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The trip logic allows functional testing of main steam line isolation trip channels with one steam line isolated.

CHAPTER 07 7.2-11 REV. 26, APRIL 2017

g. Scram discharge volume high water level. The scram discharge volume receives the water displaced by the motion of the CRD pistons during a scram. Should the scram discharge volume fill up with water to the point where not enough space remains for the water displaced during a scram, control rod movement would be hindered in the event a scram were required. To prevent this situation the reactor is scrammed when the water level in the discharge volume attains a value high enough to verify that the volume is filling up yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.

h. Primary containment high pressure. A high pressure inside the primary containment could indicate a break in the nuclear system process barrier. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce the addition of energy from the core to the coolant. The reactor vessel low water level scram also acts to scram the reactor for LOCA's. The primary containment high-pressure scram setting is selected to be as low as possible without inducing spurious scrams.

i. Main steam line high radiation. High radiation in the vicinity of the main steam lines could indicate a gross fuel failure in the core. When high radiation is detected near the steam lines an alarm is initiated to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiation levels within limits. Initiation of a high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running. The high radiation alarm setting is selected high enough above background radiation levels to avoid spurious alarms, yet low enough to promptly detect a gross release of fission products from the fuel. More information on the alarm setting is available in subsection 7.12, "Process Radiation Monitoring."

j. Main condenser low vacuum scram. The purpose of the low condenser vacuum turbine trip is to protect the main condenser against overpressure on loss of condenser vacuum. A low condenser vacuum condition provides a signal to trip the main turbine by providing automatic closure to the turbine stop valves. To anticipate the transient and automatic scram which results from the closure of the turbine stop valves, a low condenser CHAPTER 07 7.2-12 REV. 26, APRIL 2017

PBAPS UFSAR vacuum condition initiates a reactor scram. The low condenser vacuum scram trip setting is selected to initiate a reactor scram prior to initiation of closure of the turbine stop valves.

k. Manual scram. To provide the operator with means to shut down the reactor, push buttons located on the reactor operator's console in the control room initiate a scram when actuated by the operator.

As an alternate means, Operations can initiate an automatic scram using the test switches. There is one test switch for each logic: A1, A2, B1, and B2.

Actuating test switches on the logic A1 deenergizes actuators A1 and opens corresponding contacts in actuator logic A. A single trip system trip is the result. To cause a scram, the switches for both logic (A1 or A2) and logic (B1 or B2) must be actuated. By operating the test switches for one auto logic at a time, followed by reset of that logic, each trip system can be tested for automatic scram capability.

l. Mode switch in SHUTDOWN. The mode switch provides appropriate protective functions for the condition in which the reactor is to be operated. Placing the mode switch in the SHUTDOWN position initiates a reactor scram. This scram is not considered a protective function because it is not required to protect the fuel or nuclear system process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short time delay, permitting a scram reset which restores the normal valve lineup in the CRD hydraulic system.

When performing a plant shutdown by insertion of all control rods (soft shutdown), the scram function generated from the mode switch being placed in the SHUTDOWN position may be temporarily bypassed under administrative controls that assure all control rods are fully inserted, associated Technical Specification Required Actions are entered, and time duration of bypass is managed.

7.2.3.7 Mode Switch A multi-position keylock mode switch located on the reactor operator's console is provided to select the necessary scram functions for various plant conditions. In addition to selecting scram functions from the proper sensors, the mode switch provides CHAPTER 07 7.2-13 REV. 26, APRIL 2017

PBAPS UFSAR appropriate bypasses. The mode switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the RPS.

The switch itself is designed to provide separation between the two trip systems. The mode switch positions and their related scram functions are as follows:

1. SHUTDOWN - Initiates a reactor scram; bypasses main steam line isolation scram and main condenser low vacuum scram.

2. REFUEL - Selects neutron monitoring system scram for low neutron flux level operation (subsection 7.5, "Neutron Monitoring System"); bypasses main steam line isolation scram and main condenser low vacuum scram.

3. STARTUP - Selects neutron monitoring system scram for low neutron flux level operation (subsection 7.5, "Neutron Monitoring System"); bypasses main steam line isolation scram and main condenser low vacuum scram.

4. RUN - Selects neutron monitoring system scram for power range operation (subsection 7.5, "Neutron Monitoring System").

The relationship between the actions caused by the position of the mode switch and the various BWR operating states is represented in Table 7.2.2.

7.2.3.8 Scram Bypasses A number of scram bypasses are provided to account for the varying protection requirements depending on reactor conditions and to allow for instrument service during reactor operations. Some bypasses are automatic; others are manual. All manual bypass switches are in the control room, under the direct control of the reactor operator. If the ability to trip some part of the system has been bypassed, this part is continuously indicated in the control room.

Automatic bypass of the scram trips from main steam line isolation and main condenser low vacuum is provided when the mode switch is not in RUN.

The bypass allows reactor operations at low power with the main steam lines isolated and the main condenser not in operation.

These conditions exist during startups and certain reactivity tests during refueling.

CHAPTER 07 7.2-14 REV. 26, APRIL 2017

PBAPS UFSAR The scram signal initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a time delay of 2 seconds. The bypass is provided to permit resetting the trip logic while the reactor mode switch is in the shutdown position. Resetting of any scram signal requires a 10-second time delay to insure that, once initiated, the RPS action goes to completion. This meets safety design basis 7f. An annunciator in the control room indicates the bypassed condition.

An automatic bypass of the turbine control valve fast closure scram and turbine stop valve closure scram is effected whenever the reactor thermal power is less than 26.7 (as indicated by turbine first stage pressure with no 3rd, 4th, or 5th feedwater heaters in service). Closure of these valves from such a low initial power level does not constitute a threat to the integrity of any barrier to the release of radioactive material. Bypasses for the neutron monitoring system channels are described in subsection 7.5, "Neutron Monitoring System." A manual keylock switch located in the control room permits the operator to bypass the scram discharge volume high level scram trip if the mode switch is in SHUTDOWN or REFUEL. This bypass allows the operator to reset the RPS, so that the system is restored to operation while the operator drains the scram discharge volume. In addition to allowing the scram relays to be reset, actuating the bypass initiates a control rod block. An annunciator in the control room indicates the bypass condition. The arrangement of bypasses meets safety design basis 8b.

When performing a plant shutdown by inserting all control rods (soft shutdown), the scram function generated from the mode switch being placed in SHUTDOWN may be temporarily bypassed under administrative controls. Administrative procedures during this evolution ensure licensed operator cognizance of RPS condition and therefore, the intent of safety design basis 8b is satisfied.

7.2.3.9 Instrumentation Channels providing inputs to the RPS are not used for automatic control of process systems; thus, the operations of protection and process systems are separated. The RPS instrumentation, shown in Drawing M-1-T-49, Sheets 3 and 6, is discussed as follows:

1. Neutron monitoring system instrumentation is described in subsection 7.5, "Neutron Monitoring System." Figure 7.2.8 clarifies the relationship between neutron monitoring system channels, neutron monitoring system logics, and the RPS logics. The neutron monitoring system channels are considered part of the neutron monitoring system.

CHAPTER 07 7.2-15 REV. 26, APRIL 2017

PBAPS UFSAR The neutron monitoring system logics are considered part of the RPS. As shown in Figure 7.2.9, there are four neutron monitoring system logics associated with each trip system of the RPS. Each RPS logic receives inputs from two neutron monitoring system logics. Each neutron monitoring system logic receives signals from one WRNM channel and one APRM voter channel. The position of the mode switch determines which input signals will affect the output signal from the logic. The arrangement of neutron monitoring system logics is such that the failure of any one logic cannot prevent the initiation of a high neutron flux scram.

2. Reactor pressure is measured at two separate locations.

A pipe from each location is routed through the primary containment and terminates in the reactor building. Two locally mounted, analog pressure transmitters monitor the pressure in each pipe. The pressure transmitters are connected to indicating electronic trip units located in one of two separate trip unit panels in the reactor building. The two pairs of pressure transmitters and trip units are physically separated.

Each trip unit provides a high-pressure signal to one channel. The trip units are arranged so that each pair provides an input to trip system A and trip system B, as shown in Figure 7.2.10. The physical separation and the signal arrangement assure that no single physical event can prevent a scram due to nuclear system high pressure.

3. Reactor vessel low water level signals are initiated from level transmitters which sense level from the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The level transmitters drive indicating electronic trip units. The level transmitters and trip units are arranged in pairs in the same way as the nuclear system high-pressure transmitters and trip units (Figure 7.2.10). Two instrument lines attached to taps, one above and one below the water level, on the reactor vessel are required for the differential pressure measurement for each pair of level transmitters. The two pairs of lines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The RPS pressure sensors, as well as instruments for other systems, sense pressure and level from these same lines. The physical separation and signal arrangement assure that no single physical event CHAPTER 07 7.2-16 REV. 26, APRIL 2017

PBAPS UFSAR can prevent a scram due to reactor vessel low water level.

4. Turbine stop valve closure inputs to the RPS are from valve stem position switches mounted on the four turbine stop valves. Each of the double pole, single throw switches is arranged to open before the valve is more than 15 percent closed to provide the earliest positive indication of closure. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2.11. The logic is arranged so that closure of three or more valves initiates a scram.

5. Turbine control valve fast closure inputs to the RPS are from pressure switches in the hydraulic control system.

The loss of hydraulic fluid pressure is used to effect fast closure of the turbine control valves. These pressure switches on the hydraulic control system provide signals to the RPS trip systems, as shown in Figure 7.2.10.

6. There are eight main steam line isolation channels, two for each main steam line. Each channel senses isolation of the associated main steam line via a valve stem position switch on each isolation valve in the main steam line. The double pole, single throw switch on each main steam line isolation valve is arranged to open before the valve is more than 15 percent closed to provide the earliest indication of isolation. The closure of either valve in a main steam line causes both channels associated with that steam line to signal isolation. Figure 7.2.2 shows the arrangement of main steam line isolation channels. The main steam line isolation valve closure scram function is effective only when the reactor mode switch is in RUN.

The outputs from the channels are combined in RPS logic in such a way that the isolation of three or four main steam lines (closure of one valve in each main steam line) causes a scram. Figure 7.2.2 shows the logic arrangement. Wiring of the isolation channels from any one main steam line is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated. The effects of the logic arrangement and separation provided for the main steam line isolation valve closure scram are as follows:

a. Closure of one valve for test purposes with one steam line already isolated without causing a scram due to valve closure.

CHAPTER 07 7.2-17 REV. 26, APRIL 2017

b. Automatic scram upon isolation of all steam lines.

c. No single failure can prevent an automatic scram required for fuel protection due to main steam line isolation.

7. Scram discharge volume high water level inputs to the RPS are from four switches located in the reactor building. Each switch provides an input into one channel (Figure 7.2.10). The switches are arranged in pairs so that no single event prevents a reactor scram due to scram discharge volume high water level. One pair of switches uses non-indicating float switches. The other pair of switches uses a thermal dispersion principle for level measurement. With the scram setting as listed in Table 7.2.1, a scram is initiated when sufficient capacity remains in the tank to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting.

8. Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell in the reactor building. The pressure transmitters drive indicating electronic trip units which are located in one of two separate panels in the reactor building. Each trip unit provides an input to one channel (Figure 7.2.10). Pipes that terminate in the secondary containment (reactor building) connect the pressure transmitters with the drywell interior. The pressure transmitters and trip units are grouped in pairs, physically separated, and electrically connected to the RPS so that no single event will prevent a scram due to primary containment high pressure.

9. Main steam line radiation is monitored by four radiation monitors, which are discussed and evaluated in paragraph 7.12.1 "Main Steam Line Radiation Monitoring System."

Each monitor provides a trip signal to one channel when high gamma radiation is detected in the vicinity of the main steam lines (Figure 7.2.10).

10. Main condenser low vacuum is sensed by four vacuum pressure transmitters that provide inputs to associated trip units. The vacuum pressure transmitters and associated trip units are arranged as shown in Figure 7.2.12.

CHAPTER 07 7.2-18 REV. 26, APRIL 2017

11. Deleted

12. Two turbine first stage pressure switches are provided for each trip system to initiate the automatic bypass of the turbine control valve fast closure and turbine stop valve closure scrams when reactor thermal power is below 26.7 percent (as indicated by turbine first stage pressure with no 3rd, 4th, or 5th feedwater heaters in service). The switches are arranged so that no single failure can prevent a turbine stop valve closure scram or turbine control valve fast closure scram.

Channel and logic relays are fast response, high reliability relays. Power relays for interrupting the scram pilot valve solenoids are type CR105 or equivalent magnetic contactors, made by the General Electric Company. All RPS relays are selected so that the continuous load will not exceed 50 percent of the continuous duty rating. Component electrical characteristics are selected so that the system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts, is less than 50 milliseconds. The time requirements for control rod movement are discussed in subsection 3.4, "Reactivity Control Mechanical Design."

Environmental qualification of RPS equipment is provided in subsection 7.19.

To gain access to those calibration and trip setting controls that are located outside the control room, a cover plate, access plug, or sealing device must be removed by authorized personnel before any adjustment in trip settings can be effected.

7.2.3.10 Wiring Wiring and cables for RPS instrumentation are selected to avoid excessive deterioration due to temperature and humidity during the design life of the plant. Cables and connectors used inside the primary containment are designed for continuous operation at an ambient temperature of 150F and a relative humidity of 99 percent.

Cables required to carry low level signals (currents of less than 1 milliampere or voltages of less than 100 millivolts) are designed and installed to minimize electrostatic and electromagnetic pickup from power cables and other AC or DC fields; ferromagnetic conduits are used. Low level signal cables are routed separately from all power cables.

Wiring for the RPS outside of the enclosures in the control room is run in rigid metallic conduits used for no other wiring (note CHAPTER 07 7.2-19 REV. 26, APRIL 2017

PBAPS UFSAR exceptions described in Sec. 8.4.5). The wires from duplicate sensors on a common process tap are run in separate conduits.

Wires for sensors of different variables in the same RPS logic may be run in the same conduit.

The scram pilot valve solenoids are powered from eight actuator logic circuits: four circuits from trip system A and four from trip system B. The four circuits associated with any one trip system are run in separate conduits. One actuator logic circuit from each trip system may be run in the same conduit; wiring for the two solenoids associated with any one control rod may be run in the same conduit.

Electrical panels, junction boxes, and components of the RPS are prominently identified by nameplate. Circuits entering junction boxes are conspicuously marked inside the boxes. Wiring and cabling outside cabinets and panels are identified by color, tag, or other conspicuous means.

7.2.4 Safety Evaluation The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier and the nuclear system process barrier. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate events that challenge the fuel barrier and nuclear system process barrier. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that section.

Design procedure has been to select tentative scram trip settings that are far enough above or below normal operating levels that spurious scrams and operating inconvenience are avoided; it is then verified by analysis that the reactor fuel and nuclear system process barrier are protected as is required by the basic objective. In all cases, the specific scram trip point selected is not the only value of the trip point which results in acceptable results relative to the fuel or nuclear system process barrier; trip setting selection is based on operating experience and constrained by the safety design basis. The scrams initiated by neutron monitoring system variables, nuclear system high pressure, turbine stop valve closure, turbine control valve fast closure, and reactor vessel low water level are sufficient to prevent excessive fuel damage following abnormal operational transients.

Section 14.0, "Plant Safety Analysis," identifies and evaluates the threats to fuel integrity posed by abnormal operational events. In no case does excessive fuel damage result from CHAPTER 07 7.2-20 REV. 26, APRIL 2017

PBAPS UFSAR abnormal operational transients. The RPS meets the timeliness and precision requirements of safety design basis 1.

The evaluation of the scram function provided by the neutron monitoring system is presented in the section describing that system as well as in Section 14.0, "Plant Safety Analysis."

The scram initiated by nuclear system high pressure, in conjunction with the pressure relief system is sufficient to prevent damage to the nuclear system process barrier as a result of internal pressure. For turbine-generator trips, the turbine stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the maximum allowed nuclear system pressure than would the high pressure scram alone. Section 14.0, "Plant Safety Analysis," identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases; in no case does pressure exceed the maximum allowed nuclear system pressure. The RPS meets the timeliness and precision requirements of safety design basis 2.

The scrams initiated by the neutron monitoring system, main steam isolation valve closure, and reactor vessel low water level satisfactorily limit the radiological consequences of gross failure of the fuel or nuclear system process barriers. Section 14.0, "Plant Safety Analysis," evaluates gross failures of the fuel and nuclear system process barriers; in no case does the release of radioactive material to the environs exceed the guideline values of published regulations. The RPS meets the precision requirements of safety design basis 3.

Because the RPS meets the timeliness and precision requirements of safety design bases 1, 2, and 3, monitoring variables that are true, direct measures of operational conditions, it is concluded that safety design basis 4 is met.

Because the RPS meets the precision requirements of safety design bases 1, 2, and 3, using instruments with the characteristics described in Table 7.2.1, it is concluded that safety design basis 5 is met.

Neutron flux (the neutron monitoring system variable) is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations of neutron flux detectors is discussed in subsection 7.5, "Neutron Monitoring System." Because the precision requirements of safety design basis 1, 2, and 3 are met using the neutron monitoring system as described, it is concluded that the number of sensors for spatially dependent variables satisfies safety design basis 6.

CHAPTER 07 7.2-21 REV. 26, APRIL 2017

PBAPS UFSAR The items of safety design basis 7 specify the requirements that must be fulfilled for the RPS to meet the reliability requirements of safety design bases 1, 2, and 3. It has already been shown in the description of the RPS that safety design basis 7f has been met. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities. The following discussion evaluates these subjects.

In terms of protection system nomenclature, the RPS is a one-out-of-two system used twice (1 of 2 x 2). Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, since the differences are slight, they can, in a practical sense, be neglected. The advantage of the dual trip system arrangement is that it can be tested during reactor operation without causing a scram. This capability for a testing program, which contributes significantly to increased reliability, is not possible for a one-out-of-two system.

The use of independent channels allows the system to sustain any channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or channel failure will cause a single trip system trip and actuate alarms that identify the trip. The failure of two or more sensors or channels would cause either a single trip system trip, if the failures were confined to one trip system, or a reactor scram, if the failures occurred in different trip systems. Any intentional bypass, maintenance operation, calibration operation, or test leaves sufficient channels per monitored variable capable of initiating a scram. The resistance to spurious scrams contributes to plant safety, because unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure. It is concluded from the preceding paragraphs evaluating the logic, redundancy, and failure characteristics of the RPS that the system satisfies the reliability requirement stated in safety design bases 7a and 7b.

Any actual condition in which an essential monitored variable exceeds its scram trip point is sensed by at least two independent channels in each trip system. Because only one channel must trip in each trip system to initiate a scram, the arrangement of two channels per monitored variable per trip system provides assurance that a scram will occur as any monitored variable exceeds its scram setting.

Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve CHAPTER 07 7.2-22 REV. 26, APRIL 2017

PBAPS UFSAR solenoid for any control rod fails to deenergize when a scram is required. It is concluded from the evaluations in the above paragraphs that the RPS meets safety design basis 7c.

Electronic sensors, channels, and logics of the RPS are not used in the process control systems. Therefore, failure in the controls and instrumentation logic systems of process systems cannot induce failure of any portion of the protection system.

This meets safety design basis 7d.

Failure of either RPS M-G set would result in a single trip system trip. Alternate power is available to the RPS buses. A complete, sustained loss of electrical power to both M-G sets would result in a scram, delayed by the M-G set flywheel inertia, in about 8 sec. This meets safety design basis 7e.

The environmental conditions in which the instruments and equipment of the RPS must operate are given in subsection 7.19.

RPS components located inside the primary containment must function in the environment resulting from a break of the nuclear system process barrier. Components located inside the primary containment are the condensing chambers. The condensing chambers are similar to those that have successfully undergone qualification testing in connection with other projects.

The environmental capabilities of the RPS components, combined with the previously described physical and electrical isolation of sensors and channels, satisfy safety design basis 7g.

Safe shutdown of the reactor during earthquake ground motion is assured by the design of the system as a seismic Class I system and by the fail-safe characteristics of the system. The system only fails in a direction that causes a reactor scram when subjected to extremes of vibration and shock. This meets safety design basis 7h.

The scram discharge volume level switches are arranged in pairs.

Each pair of switches uses a different principle of water level measurement. This ensures that a common mode failure of the switches of one design will not prevent a scram on high scram discharge volume water level. This meets safety design basis 7i.

Calibration and test controls for the neutron monitoring system are located in the control room and are, because of their physical location, under the direct control of the control room operators.

Calibration and test controls for pressure switches, level switches, pressure transmitters, trip units, and valve position switches are located on the switches, transmitters, and trip units themselves. These devices are located in the turbine building, reactor building, and primary containment, and are equipped with CHAPTER 07 7.2-23 REV. 26, APRIL 2017

PBAPS UFSAR cover plates and/or sealing mechanisms to prevent unauthorized adjustment. The control room operator is responsible for granting access to the setting controls to properly qualified plant personnel for the purpose of testing or calibration adjustments.

This meets safety design basis 8a.

It has been shown in the description of the RPS that safety design bases 8b, 9, 10a, and 10b are satisfied.

The following section covering inspection and testing of the RPS demonstrates that safety design basis 11 is satisfied.

7.2.5 Inspection and Testing The RPS can be tested during reactor operation by five separate tests. The first of these is the manual trip actuator test. By depressing the manual scram button for one trip system, the manual logic actuators are deenergized, opening contacts in the actuator logics. After resetting the first trip system, the second trip system is tripped with the other manual scram button. The total test verifies the ability to deenergize all eight groups of scram pilot valve solenoids by using the manual scram push button switches. Scram group indicator lights verify that the actuator contacts have opened.

The second test is the automatic actuator test which is accomplished by operating, one at a time, the keylocked test switches for each automatic logic. The switch deenergizes the actuators for that logic, causing the associated actuator contacts to open. The test verifies the ability of each logic to deenergize the actuator logics associated with the parent trip system. The actuator and contact action can be verified by observing the alarming of a tripped condition of these devices.

The third test includes calibration of the neutron monitoring system by means of simulated inputs from calibration signal units.

Subsection 7.5, "Neutron Monitoring System," describes the calibration procedure.

The fourth test is the single rod scram test which verifies capability of each rod to scram. It is accomplished by operation of toggle switches on the protection system operations panel.

Scram time data can be gathered for each rod scrammed. Prior to the test, a physics review must be conducted to assure that the rod pattern during scram testing does not create a rod of excessive reactivity worth.

The fifth test involves the application of a test signal to each RPS channel in turn and observing that a logic trip results. This test also verifies the electrical independence of the channel CHAPTER 07 7.2-24 REV. 26, APRIL 2017

PBAPS UFSAR circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps.

RPS response times were first verified during pre-operational testing and may be verified thereafter by similar tests. The elapsed times from sensor trip to each of the following events are measured:

1. Channel relay deenergized.

2. Actuators deenergized.

The PMS computer verifies the condition of many sensors during plant startups and shutdowns. Main steam line isolation valve position switches and turbine stop valve position switches can be checked in this manner. The verification provided by the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety.

The provisions for functionally testing and calibrating the RPS meet the requirements of safety design basis 11. The methods of calibrating RPS instruments are provided in Table 7.2.3.

CHAPTER 07 7.2-25 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.2.1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Scram Function Instrument Accuracy(1) Trip Setting(2)

Neutron monitoring See subsection 7.5, "Neutron Monitoring System" system scram Nuclear system Pressure transmitter and +/-1% 1,101 psig high pressure indicating trip unit Reactor vessel low Level transmitter and +/-3.5 538 in above water level indicating trip unit vessel zero Turbine stop Position switch --- Before 1% valve valve closure closure Turbine control Pressure switch --- 400 psig valve fast closure Main steam line iso- Position switch --- Before 15% valve lation valve closure closure Scram discharge volume Level switch Repeatable within 50.36 gal high water level trip setting tolerance Primary containment Pressure transmitter and +/-0.05 psi 2.5 psig high pressure indicating trip unit Main steam line See subsection 7.12, "Main Steam Line Radiation Monitoring System" high radiation Condenser low vacuum Pressure transmitter and +/-0.3 in Hg Vacuum 22 in Hg Vacuum indicating trip unit (1)

Instruments for this service have accuracy within the range over the actually purchased full scale.

(2)

The values given here have been used in the setpoint analysis; however, the allowable values are listed in the plant's Technical Specifications.

CHAPTER 07 7.2-26 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.2.2 REACTOR PROTECTION SYSTEM ACTIONS (Various Positions of the Mode Switch)

Mode Turbine Reactor Power Switch Operating Inlet Position State(1) Pressure 0% (Shutdown) >0% - <15% 15 - 30% >30%

RUN B,D <850 psig Plant scram occurs due to MSIV closure from Group I isolation signal at <850 psig in run mode.

RUN D 850 psig Not a possible All RPS inputs active except All RPS inputs condition for WRNMs, APRM Neutron Flux-High (Setdown), active except WRNMs Operating State D OPRM upscale, turbine control vlv fast closure, and APRM Neutron and turbine stop vlv not full open Flux-High (Setdown)

RUN A,C Any Not a possible condition for Operating States A and C STARTUP A,B,C,D Any All RPS inputs active except APRM Not a possible condition. Plant Simulated Thermal Power-High, APRM scram occurs on APRM Neutron Neutron Flux High, OPRM upscale, MSIV closure, Flux-High (Setdown) when not in condenser low vacuum, turbine RUN mode control vlv fast closure, and turbine stop vlv not full open REFUEL B,D 0 Not a possible Not a possible condition, only one control rod may be condition for not-full-in at a time (refuel mode one rod permissive)

State B and D therefore criticality not possible REFUEL A,C 0 (See startup for Not a possible condition for Operating States A and C 0 - <25% power)

SHUTDOWN A,B,C,D 0 Not a possible condition, plant scram occurs with mode switch in shutdown (1)

See Appendix G (2)

All numbers shown are analytical limits CHAPTER 07 7.2-27 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.2.3 REACTOR PROTECTION SYSTEM INSTRUMENT CALIBRATION METHODS Instrument Channel Calibration Method WRNM Period Trip Comparison to Standard Frequency Source APRM High Flux Heat Balance and Comparison to Standard Simulated Thermal Power Frequency, Voltage and Resistance Source OPRM Upscale (all), Standard Pressure Source (Flow Flow Bias Signal Bias only)

LPRM Signal TIP System Traverse High Reactor Pressure Standard Pressure Source High Drywell Pressure Standard Pressure Source Reactor Low Water Level Pressure Standard High Water Level in Scram Water Column Discharge Instrument Volume Turbine Condenser Low Vacuum Standard Vacuum Source Main Steam Line Isolation Valve Physical Inspection and Actuation of these Closure Position Switches will be Performed During the Refueling Outages Main Steam Line High Radiation Standard Current Source Turbine First State Pressure Standard Pressure Source Permissive CHAPTER 07 7.2-28 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.2.3 REACTOR PROTECTION SYSTEM INSTRUMENT CALIBRATION METHODS Instrument Channel Calibration Method Turbine Control Valve Fast Standard Pressure Source Closure Oil Pressure Trip Turbine Stop Valve Closure Physical Inspection and Actuation of these Position Switches will be Performed During the Refueling Outages CHAPTER 07 7.2-29 REV. 21, APRIL 2007

PBAPS UFSAR 7.3 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM 7.3.1 Safety Objective To provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barrier, the primary containment and reactor vessel isolation control system initiates automatic isolation of appropriate lines which penetrate the primary containment whenever monitored variables exceed preselected operational limits.

A gross failure of the fuel barrier would allow the escape of fission products from the fuel. A gross failure of the nuclear system process barrier could allow the escape of gross amounts of reactor coolant. The loss of coolant could lead to overheating and failure of the fuel. For a gross failure of the fuel, the primary containment and reactor vessel isolation control system initiates isolation of the reactor vessel to contain released fission products. For a gross breach in the nuclear system process barrier outside the primary containment, the isolation control system acts to interpose additional barriers between the reactor and the breach, thus stopping the release of radioactive materials and conserving reactor coolant. For gross breaches in the nuclear system process barrier inside the primary containment, the primary containment and reactor vessel isolation control system acts to close off release routes through the primary containment barrier, thus trapping the radioactive material coming through the breach inside the primary containment.

7.3.2 Definitions Group A isolation valves are in lines that communicate directly with the reactor vessel and penetrate the primary containment.

These lines have two isolation valves in series, generally one inside the primary containment and one outside the primary containment.

Group B isolation valves are in lines that do not communicate directly with the reactor vessel, but penetrate the primary containment and communicate with the primary containment free space. These lines generally have two isolation valves in series, usually both of them outside the primary containment.

Group C isolation valves are in lines that penetrate the primary containment but do not communicate directly with the reactor vessel, nor do they open into the primary containment. These lines are provided with at least one valve located outside the primary containment.

CHAPTER 07 7.3-1 REV. 26, APRIL 2017

PBAPS UFSAR 7.3.3 Safety Design Basis

1. To limit the uncontrolled release of radioactive materials to the environs, the primary containment and reactor vessel isolation control system, with precision and reliability, initiates timely isolation of penetrations through the primary containment structure which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits.

2. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, the primary containment and reactor vessel isolation control system responds correctly to the sensed variables over the expected range of magnitudes and rates of change.

3. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, an adequate number of sensors are provided for monitoring essential variables that have spatial dependence.

4. To provide assurance that conditions indicative of a gross failure of the nuclear system process barrier are detected with sufficient timeliness and precision to fulfill safety design basis 1, primary containment and reactor vessel isolation control system inputs are derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.

5. The time required for closure of the main steam line isolation valves is short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are minimal.

6. The time required for closure of the main steam isolation valves is not so short that inadvertent isolation of steam lines causes excessive fuel damage or excessive nuclear system pressure. This basis ensures that the main steam isolation valve closure speed is compatible with the ability of the RPS and pressure relief system to protect the fuel and nuclear system process barrier.

7. To provide assurance that closure of Group A and Group B automatic isolation valves is initiated, when required, with sufficient reliability to fulfill safety design basis 1, the following safety design bases are specified for the systems controlling Group A and Group B automatic isolation valves:

CHAPTER 07 7.3-2 REV. 26, APRIL 2017

a. No single failure within the isolation control system prevents isolation action when required to satisfy safety design basis 1.

b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the functional ability of the isolation control system to respond correctly to essential monitored variables.

c. The system is designed for a high probability that when any essential monitored variable exceeds the isolation set point, the event either results in automatic isolation or does not impair the ability of the system to respond correctly as other monitored variables exceed their trip points.

d. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system meet the requirements of safety design bases 1, 2, 3, and 7a.

e. The power supplies for the primary containment and reactor vessel isolation control system are arranged so that loss of one supply cannot prevent automatic isolation when required.

f. The system is designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action requires deliberate operator action.

g. There is sufficient electrical and physical separation between trip channels monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.

h. Earthquake ground motions due to the maximum credible earthquake do not impair the ability of the primary containment and reactor vessel isolation control system to initiate automatic isolation.

8. The following safety design bases are specified to assure that the timely isolation of main steam lines is accomplished, when required, with extraordinary reliability:

CHAPTER 07 7.3-3 REV. 26, APRIL 2017

a. The motive force for achieving valve closure for one of the two tandem-mounted isolation valves in an individual steam line is derived from a different energy source than that for the other valve.

b. At least one of the isolation valves in each of the steam lines does not rely on continuity of any variety of electrical power for the motive force to achieve closure.

9. To reduce the probability that the operational reliability and precision of the primary containment and reactor vessel isolation control system are degraded by operator error, the following safety design bases are specified for Group A and Group B automatic isolation valves:

a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables is under the control of the control room operator or other administrative personnel.

b. The means for bypassing channels, logics, or system components are under the administrative control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously indicated in the control room.

10. To provide the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier, it is possible for the control room operator to manually initiate isolation of the primary containment and reactor vessel.

11. The following bases are specified to provide the operator with the means to assess the condition of the primary containment and reactor vessel isolation control system and to identify conditions indicative of a gross failure of the nuclear system process barrier:

a. The primary containment and reactor vessel isolation control system is designed to provide the operator with information pertinent to the status of the system.

b. Means are provided for prompt identification of channel and trip system responses.

12. It is possible to check the operational availability of each essential channel and logic during the reactor operation.

CHAPTER 07 7.3-4 REV. 26, APRIL 2017

PBAPS UFSAR 7.3.4 Description 7.3.4.1 Identification The primary containment and reactor vessel isolation control system includes sensors, trip units, channels, pressure compensation instruments, relays, relay contact output cards, switches, and remotely activated valve closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment or reactor vessel, or both. The control systems for those Group A and B isolation valves which close by automatic action pursuant to the safety design bases are the main subjects of this section. Group A and B check valves are also included even though no control system is involved. Testable check valves are also included because they provide the operator with an ability to verify that the check valve disc can respond to reverse flow.

The primary containment and reactor vessel isolation control system is designed to meet the intent of the IEEE proposed criteria for nuclear power plant protection systems (IEEE-279 of August, 1968). GE Topical Report NEDO-10139, "Compliance of Protection Systems to Industry Criteria: GE Boiling Water Reactor Nuclear Steam Supply System," details compliance of primary containment and reactor vessel isolation with IEEE-279-1968.

Appendix H contains an evaluation of the facility with respect to the 70 General Design Criteria for Nuclear Power Plant Construction Permit (July, 1967).

7.3.4.2 Power Supply The power for the channels and logics of the isolation control system is supplied from the RPS M-G sets. Isolation valves receive power from standby power sources. Power for the operation of two valves in a line is fed from different sources. In most cases, one valve is powered from an AC bus of appropriate voltage, and the other is powered by DC from the station batteries. The main steam isolation valves, which are described in detail later, use ac, dc, and pneumatic pressure and valve actuator springs in the control scheme. Table 7.3.1 lists the power supply for each isolation valve.

7.3.4.3 Physical Arrangement Table 7.3.1 lists all piping penetrations of the primary containment and the valves associated with these penetrations.

Lines which penetrate the primary containment and are in direct communication with the reactor vessel generally have two Group A isolation valves, one inside the primary containment and one CHAPTER 07 7.3-5 REV. 26, APRIL 2017

PBAPS UFSAR outside the primary containment. Lines which penetrate the primary containment and which communicate with the primary containment free space, but which do not communicate directly with the reactor vessel, generally have two Group B isolation valves located outside the primary containment. Valves in lines that have core standby cooling as their primary function (Group C valves) are described with their own system; however, they have been included in Table 7.3.1. Figures 7.3.11a through 7.3.11tt show the containment isolation valve arrangements for the primary containment penetrations listed in Table 7.3.1.

Power cables are run in conduits or trays from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. The control arrangement for the main steam line isolation valves includes pneumatic piping and an accumulator for those valves for which air is considered the emergency source of motive power for closing. Pressure and water level sensors are mounted on instrument racks in either the reactor building or the turbine building. Valve position switches are enclosed in cases to protect them from environmental conditions. All signals transmitted to the control room are electrical; no pressure lines from the nuclear system or the primary containment penetrate the control room. Lines used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment (reactor building). The sensor cables and power supply cables are routed to cabinets in the control room or cable spreading room where the logic arrangements of the system are formed.

To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of Group A and Group B valves are designed as seismic Class I equipment as described in Appendix C. This meets safety design basis 7h.

7.3.4.4 Logic The basic logic arrangement is one in which an automatic isolation valve is controlled by two trip systems. Where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition. Valves that respond to the signals from common trip systems are identified in the detailed descriptions of isolation functions (paragraph 7.3.4.7).

Each trip system is made up of two independent logic channels, each logic channel having inputs from essential monitored variables. A total of four channels are required for the actuator CHAPTER 07 7.3-6 REV. 26, APRIL 2017

PBAPS UFSAR logics of both trip systems. Figures 7.3.2 and 7.3.3 illustrate typical isolation control arrangements for motor-operated valves and for the main steam line isolation valves. The two logic channels of one trip system are connected to form a one-out-of-two logic arrangement and are in turn connected with the logic channels of the other trip system to form a one-out-of-two taken twice logic for the trip system actuator logic. To initiate a motor-operated valve closure, one actuator logic must be tripped.

To initiate a main steam line isolation valve closure, both actuator logics must be tripped.

The basic logic arrangement just described does not apply to testable check valves. Exceptions to the basic logic arrangement are made for the HPCI and RCIC isolation valves as described below and for the main steam line drain valves, the logic for which is shown in Drawing M-1-CC-13, Sheets 4 and 16.

7.3.4.5 Operation During normal operation of the isolation control system, when isolation is not required, sensor and trip contacts essential to safety are closed: channels, logics, and actuators are normally energized (fail safe logic). Whenever a channel sensor contact opens, its auxiliary relay deenergizes, causing a contact in the logic to open. The opening of the contact in the logic deenergizes its actuator. When deenergized, the actuator opens contacts in the actuator logics. If a trip then occurs in either of the logic channels of the other trip system, both actuator logics are deenergized. With both trip systems tripped, appropriate contacts open or close in valve control circuitry to actuate valve closing mechanisms. Automatic isolation valves that are normally closed receive the isolation signal as well as those valves that are open. The control system for each Group A isolation valve is designed to provide closure of the valve in time to prevent uncovering the fuel as a result of a break in the line which the valve isolates. The control systems for Group A and Group B isolation valves are designed to provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the guideline values of applicable regulations.

The HPCI and RCIC isolation valves, due to their service, are exceptions to the above description and use nonfail-safe logic.

When isolation is not required, sensor and trip contacts are open; channels, logics, and actuators are normally deenergized.

Operation is opposite to that described above.

All automatic isolation valves can be closed by manipulating switches in the control room, thus providing the operator with means independent of the automatic isolation functions to take CHAPTER 07 7.3-7 REV. 26, APRIL 2017

PBAPS UFSAR action in the event of a failure of the nuclear system process barrier. This meets safety design basis 10.

Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The isolation logic prevents resetting of the primary containment isolation signals unless the conditions which initiated the isolation have cleared and all of the associated isolation control valve manual switches have been placed in the "close" position.

After resetting of the isolation signals, the operator can reopen the isolation valves as needed during the post-isolation period.

The requirement to return all valve manual switches to the "close" position prevents the valves from moving from the closed position upon reset of the isolation signal. Unless manual override features have been provided in the manual control circuitry, the operator cannot open an isolation valve with an isolation signal present. This is the equivalent of a manual reset and meets safety design basis 7f.

A trip of an isolation control system channel is annunciated in the control room so that the operator is immediately informed of the condition. The response of isolation valves is indicated by "open-closed" lights. All motor-operated isolation valves without an essential post-accident function have two sets of "open-closed" lights. One set is located near the manual control switches for controlling each valve from the control room panel. A second set is located in a separate central isolation valve position display in the control room. The positions of pneumatically operated isolation valves are displayed in the same manner as motor-operated valves, with the exception of AO-23C-4807 (Unit 2 only) which has only one "open-closed" lights in the control room near its manual control switch.

In addition, the inflatable seal pressures of various isolation valves are monitored by pressure switches, that are set at predetermined low pressure values to activate control room annunciator alarms and the associated isolation valve red indicating lights.

Inputs to annunciators, indicators, and the computer (PMS) are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system.

Signals directly from the isolation control system sensors are not used as inputs to annunciating or data logging equipment.

Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the primary containment and reactor vessel isolation control system satisfies safety design bases 11a and 11b.

CHAPTER 07 7.3-8 REV. 26, APRIL 2017

PBAPS UFSAR 7.3.4.6 Isolation Valve Closing Devices and Circuits Table 7.3.1 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote manual isolation of the primary containment or reactor vessel. To meet the requirement that automatic Group A valves be fully closed in time to prevent the reactor vessel water level from falling below the top of the active fuel as a result of a break of the line which the valve isolates, the valve closing mechanisms are designed to give the minimum closing rates specified in Table 7.3.1. In many cases, a standard closing rate of 12 ipm for a gate valve is adequate to meet isolation requirements. Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the nuclear system process barrier inside the primary containment, a standard closure rate is adequate for the automatic closing devices on Group B isolation valves. The design closure times for the various automatic isolation valves essential to reactor vessel isolation and those essential to primary containment isolation are given in Table 7.3.1.

Motor operators for isolation valves are selected with capabilities suitable to the physical and environmental requirements of service. The required valve closing rates were considered in designing motor operators. Appropriate torque and limit switches are used to ensure proper valve seating.

Handwheels, which are automatically disengaged from the motor operator when the motor is energized, are provided for local-manual operation.

The control circuits of motor operators for automatically operated isolation valves are arranged so that motor thermal overload protection is provided for manual operation of the valves, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload. During automatic operation, the thermal overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received.

The operator can override the thermal overload circuit by continuously holding the spring return control switch in the "operate" position during manual operation.

Direct solenoid-operated isolation valves and solenoid air pilot valves are chosen with electrical and mechanical characteristics which make them suitable for the service for which they are intended. Appropriate watertight or weathertight housings are used to ensure proper operation under accident conditions.

The pneumatic actuator used for testable check valves is designed to allow opening the valve at near 0 psi differential pressure CHAPTER 07 7.3-9 REV. 26, APRIL 2017

PBAPS UFSAR across the valve. The actuator cannot close the valve against forward flow or prevent the closing of the valve against reverse flow. Thus, the check valve neither hinders forward fluid flow nor fails to stop reverse flow regardless of the condition of the actuator.

The main steam isolation valves are spring-closing, pneumatic, piston-operated valves designed to close upon loss of power to both solenoid operated pilot valves. The control arrangement is shown in Figure 7.3.4 and Drawing M-1-CC-13, Sheets 3 and 15.

Closure time for the valves is adjustable between 3 and 10 sec.

Each valve is piloted by two, three-way, packless, direct-acting, solenoid-operated pilot valves: one powered by ac, the other by dc. An accumulator(s) is located close to each isolation valve to provide pneumatic pressure to assist valve closing in the event of failure of the normal air supply system.

The valve pilot system and the pneumatic lines, as shown in Figure 7.3.4, are arranged so that when one or both solenoid-operated pilot valves are energized, normal pneumatic supply provides pneumatic pressure to the air-operated pilot valve to direct air pressure to the main valve pneumatic operator to open the valve.

This overcomes the closing force exerted by the spring to keep the main valve open. When both pilots are deenergized, as would be the result of both trip systems tripping or placing the manual switch in the closed position, the path through which the pressure acts is switched so that the opposite side of the valve operator is pressurized, thus assisting the spring in closing the valve.

In the event of the normal pneumatic supply failure for an outboard MSIV, the loss of pneumatic pressure causes the pneumatically operated pilot valve to move by spring force to the position resulting in the underside of the actuator cylinder to be vented to the atmosphere. In the event of normal and safety related pneumatic (i.e., local accumulator system) supply failure for an inboard MSIV, the loss of pneumatic pressure causes the pneumatically operated pilot valve to move by spring force to the position resulting in the underside of the actuator cylinder to be vented to containment. Main valve closure is then effected by means of the pneumatic supply stored in the accumulator(s) and assisted by the spring.

Pneumatic pressure, acting alone, and the force exerted by the spring, acting alone, are each capable of independently closing the valve under all postulated design basis accident conditions except the most severe cases involving high ambient pressure.

Accumulator capacity is provided for the isolation valves inside the primary containment (inboard) to assure closure by pneumatic pressure and spring force with the vented side of the piston operator at the primary containment peak accident pressure. The outboard isolation valve is subjected to peak steam tunnel accent CHAPTER 07 7.3-10 REV. 26, APRIL 2017

PBAPS UFSAR pressure. The accumulator volumes for inboard and outboard isolation valves are designed to provide enough pressure to close the valve in combination with the springs when the pneumatic supply to the accumulator has failed. The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the valve operation bleeds pressure from the accumulator during valve opening or closing.

A separate, single, solenoid-operated pilot valve with an independent switch is included to allow manual testing of each isolation valve from the control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested to avoid rapid changes in steam flow and nuclear system pressure. Two different tests are performed. The partial slow closure time test (from 0 to 10% closed) for the valve is performed quarterly. The full slow closure time test (from 0 to 100% closed) for the valve is only performed during outages. Full slow closure of a valve during testing requires 45 to 60 seconds.

The valve mechanical design is discussed further in subsection 4.6, "Main Steam Line Isolation Valves."

7.3.4.7 Isolation Functions and Settings The isolation trip settings of the primary containment and reactor vessel isolation control system are listed in Table 7.3.2. The functions that initiate automatic isolation are itemized in Table 7.3.1.

Although this section is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or nuclear system process barrier, the additional information given in Table 7.3.1 can be used to assess the overall (electrical and mechanical) isolation effectiveness of each system.

Isolation functions and trip settings used for the electrical control of isolation valves in fulfillment of the previously stated safety design bases are discussed in the following paragraphs. The role each isolation function plays in initiating isolation of barrier valves or groups of valves is illustrated in the functional control diagrams in Drawing M-1-CC-13, Sheets 3 through 12A, and 15 through 24. For the RCIC isolation valves see Drawing M-1-CC-38, Sheets 1, 2, 7 and 8, for the HPCI isolation valves see Drawing M-1-CC-39, Sheets 1 through 12, for the core spray isolation valves see Drawing M-1-CC-41, Sheets 1 through 8, for the reactor water cleanup isolation valves see Drawing M-1-CC-35, Sheets 1 through 4, and for the RHR isolation valves see Drawing M-1-CC-40, Sheets 1 through 14.

CHAPTER 07 7.3-11 REV. 26, APRIL 2017

1. Reactor vessel low water level (Table 7.3.1, signals I(A), II(A), III(A), IV(E), VI, VII).

A low water level in the reactor vessel could indicate that either reactor coolant is being lost through a breach in the nuclear system process barrier or that the normal supply of reactor feedwater has been lost and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low water level initiates closure of various Group A and Group B valves.

The closure of Group A valves is intended to either isolate a breach in any of the lines in which valves are closed or conserve reactor coolant by closing off process lines. The closure of Group B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines which are in communication with the primary containment free space.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel. The first reactor vessel low water level isolation trip setting, which occurs at a higher water level than the second setting, initiates closure of all Group A and Group B valves in major process lines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core. The second and lower reactor vessel low water level isolation trip setting initiates closure of HPCI Test Line Valve MO-23-31. The third and lowest reactor vessel low water level isolation trip setting, completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves and any other Group A or Group B valves that must be shut to isolate minor process lines.

The first low water level setting, which is, coincidentally, the same as the reactor vessel low water level scram setting, was selected to initiate isolation at the earliest indication of a possible breach in the nuclear system process barrier, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following lines is initiated when reactor vessel low water level falls to this first setting (Table 7.3.1, signals II(A), III(A)):

a. RHR reactor shutdown cooling supply.

b. REMOVED.

c. RHR injection (if in shutdown cooling mode).

d. Reactor water cleanup.

e. Feedwater long path recirculation.

f. Suppression chamber water cleanup.

CHAPTER 07 7.3-12 REV. 26, APRIL 2017

g. Drywell and suppression chamber nitrogen makeup supply.

h. Drywell equipment drain discharge.

i. Drywell floor drain discharge.

j. Drywell purge inlet.

k. Drywell instrument nitrogen supply.

l. Drywell main exhaust.

m. Suppression chamber instrument nitrogen supply.

n. Suppression chamber exhaust valve bypass.

o. Suppression chamber purge inlet.

p. Suppression chamber main exhaust.

q. Primary containment oxygen analyzer.

r. Drywell exhaust valve bypass.

s. Instrument nitrogen compressor suction.

t. TIP.

The second and lower reactor vessel low water level isolation setting is used to initiate reconfiguration of the portion of the HPCI system, which affects penetration isolation valves in this system (Table 7.3.1 signal IV(E)):

a. HPCI Test Line.

The third and lowest of the reactor vessel low water level isolation settings was selected low enough to allow the removal of heat from the reactor for a predetermined time following scram and high enough to complete isolation in time for the operation of CSCS's in the event of a large break in the nuclear system process barrier. This third low water level setting is low enough that partial losses of feedwater supply would not unnecessarily initiate full isolation of the reactor, thereby disrupting normal plant shutdown or recovery procedures. Isolation of the following lines is initiated when the reactor vessel water level falls to this third setting (Table 7.3.1, signals I(A)):

a. All four main steam lines.

b. Main steam line drain.

c. Reactor water sample line.

d. Main steam sample line.

This third low water level signal is also used to initiate reconfiguration of portions of the RHRS and core spray system, which affects penetration isolation valves in these systems (Table 7.3.1, signals VI and VII).

a. RHR test and suppression pool cooling return line.

CHAPTER 07 7.3-13 REV. 26, APRIL 2017

b. RHR drywell and torus spray lines.

c. Core spray test lines.

2. Main steam line high radiation High radiation in the vicinity of the main steam lines could indicate a gross release of fission products from the fuel.

High radiation near the main steam lines initiates an alarm to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiation levels within limits. Initiation of a high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running.

The high radiation alarm setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel. Further information regarding the high radiation set point is available in subsection 7.12, "Process Radiation Monitoring."

3. Main steam line space high temperature (Table 7.3.1, signal I(C)).

High temperature in the space in which the main steam lines are located outside the primary containment could indicate a breach in a main steam line. The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperatures occur in the main steam line space, the following lines are isolated:

a. All four main steam lines.

b. Main steam line drain.

c. Reactor water sample line.

d. Main steam sample line.

The main steam line space high temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

CHAPTER 07 7.3-14 REV. 26, APRIL 2017

4. Main steam line high flow (Table 7.3.1, signal I(B)).

Main steam line high flow could indicate a break in a main steam line. The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of main steam line high flow, the following lines are isolated:

a. All four main steam lines.

b. Main steam line drain.

c. Reactor water sample line.

d. Main steam sample line.

The main steam line high flow trip setting was selected high enough to permit the isolation of one main steam line for test at rated power without causing an automatic isolation of the rest of the steam lines, yet low enough to permit early detection of a steam line break.

5. Low steam pressure at turbine inlet (Table 7.3.1, signal I(D)).

Low steam pressure at the turbine inlet could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves open fully. This action could cause rapid depressurization of the nuclear system. The rate of decrease of nuclear system saturation temperature could exceed the design rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid the time-consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored in the RUN mode. The signal initiates isolation of the following lines:

a. All four main steam lines.

b. Main steam drain line.

CHAPTER 07 7.3-15 REV. 26, APRIL 2017

c. Reactor water sample line.

d. Main steam sample line.

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. Although the isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.

6. Primary containment (drywell) high pressure (Table 7.3.1, signals II(B), III(B), IV(D), V(D), VI, VII).

High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell. The automatic closure of various Group B valves prevents the release of significant amounts of radioactive material from the primary containment. Upon detection of a high drywell pressure, the following lines are isolated:

a. RHRS shutdown cooling supply.

b. REMOVED.

c. RHRS injection (if in shutdown cooling mode).

d. Feedwater long path recirculation.

e. Drywell equipment drain discharge.

f. Drywell and suppression chamber nitrogen makeup supply.

g. Drywell floor drain discharge.

h. Drywell instrument nitrogen supply.

i. TIP tubes.

j. Drywell purge inlet.

k. Drywell main exhaust.

l. Suppression chamber water cleanup.

m. Suppression chamber exhaust valve bypass.

CHAPTER 07 7.3-16 REV. 26, APRIL 2017

n. Suppression chamber instrument nitrogen supply.

o. Suppression chamber purge inlet.

p. Suppression chamber main exhaust.

q. Primary containment oxygen analyzer.

r. Drywell exhaust valve bypass.

s. Instrument nitrogen compressor suction.

The primary containment high-pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.

7. RCICS equipment space high temperature (Table 7.3.1, signal V(B)).

High temperature in the vicinity of the RCICS equipment could indicate a break in the RCIC steam line. The automatic closure of certain Group A valves listed in Table 7.3.1 prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier (Drawing M-1-CC-38, Sheets 1, 2, 7 and 8). When high temperature occurs near the RCICS equipment, except in the Outboard MSIV Room, the RCIC turbine steam line is isolated. The high temperature isolation setting was selected far enough above anticipated normal RCICS operational levels to avoid spurious operation, but low enough to provide timely detection of an RCIC turbine steam line break. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the RCICS.

8. RCIC turbine high steam flow (Table 7.3.1, signal V(A)).

RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RCICS turbine high steam flow, the RCICS turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation, yet low enough to provide timely detection of an RCIC turbine steam line break. A time delay is provided to prevent isolation due to high flow transients upon RCICS startup. The nominal 3-second time delay is determined by station setpoint control processes.

CHAPTER 07 7.3-17 REV. 26, APRIL 2017

PBAPS UFSAR The logic arrangement used for this function is shown in Drawing M-1-CC-38, Sheets 1, 2, 7 and 8 for valves listed in Table 7.3.1 and is an exception to the usual logic requirement because the high steam flow logic uses a one-out-of-two configuration. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the RCICS.

9. RCIC turbine steam line low pressure (Table 7.3.1, signal V(C)).

RCIC turbine steam line low pressure is used to automatically close the two isolation valves in the RCIC turbine steam line so that steam and radioactive gases do not escape from the RCIC turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated (Drawing M-1-CC-38, Sheets 1, 2, 7 and 8). The isolation set point is chosen at a pressure below that at which the RCIC turbine can operate effectively.

This signal has nonfail-safe logic to be compatible with the core cooling primary function of the RCICS.

10. HPCIS equipment space high temperature (Table 7.3.1, signal IV(B)).

High temperature in the vicinity of the HPCIS equipment could indicate a break in the HPCIS turbine steam line. The automatic closure of certain Group A valves (listed in Table 7.3.1) prevents the excessive loss of coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs near the HPCIS equipment, the HPCIS turbine steam supply line is isolated. The high temperature isolation setting was selected far enough above anticipated normal HPCIS operational levels to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break. This signal has nonfail-safe logic (Drawing M CC-38, Sheets 1, 2, 7 and 8) to be compatible with the core cooling primary function of the HPCIS.

11. HPCI turbine high steam flow (Table 7.3.1, (signal IV(A)).

HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line. The automatic closure of certain Group A valves (listed in Table 7.3.1) prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of HPCI turbine high steam CHAPTER 07 7.3-18 REV. 26, APRIL 2017

PBAPS UFSAR flow, the HPCI turbine steam line is isolated (Drawing M CC-38, Sheets 1, 2, 7 and 8). The high steam flow trip setting was selected high enough to avoid spurious isolation, yet low enough to provide timely detection of an HPCI turbine steam line break. A time delay is provided to prevent isolation due to high flow transients upon HPCIS startup.

The nominal 3-second time delay is determined by station setpoint control processes.

The logic arrangement used for this function is shown in Drawing M-1-CC-38, Sheets 1, 2, 7 and 8 and is an exception to the usual logic requirement because high steam flow logic uses a one-out-of-two configuration. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the HPCIS.

12. HPCI turbine steam line low pressure (Table 7.3.1, signal IV(C)).

HPCI turbine steam line low pressure is used to automatically close the two isolation valves in the HPCI turbine steam line so that steam and radioactive gases do not escape from the HPCI turbine shaft seals into the reactor building after steam pressure has decreased to such a low value that the turbine cannot be operated (Drawing M-1-CC-38, Sheets 1, 2, 7 and 8 for valves listed in Table 7.3.1). The isolation set point is chosen at a pressure below that at which the HPCI turbine can operate efficiently. This signal has nonfail-safe logic to be compatible with the core cooling primary function of the HPCIS.

13. Reactor building ventilation exhaust high radiation (Table 7.3.1, signal III(C)).

High radiation in the reactor building ventilation exhaust could indicate a breach of the nuclear system process barrier inside the primary containment which would result in increased airborne radioactivity levels in the primary containment exhaust to the secondary containment. The automatic closure of certain Group B valves acts to close off release routes for radioactive material from the primary containment into the secondary containment (reactor building). Reactor building ventilation exhaust high radiation initiates isolation of the following lines:

a. Drywell purge inlet.

b. Drywell main exhaust.

c. Drywell and suppression chamber nitrogen CHAPTER 07 7.3-19 REV. 26, APRIL 2017

PBAPS UFSAR makeup inlet.

d. Suppression chamber exhaust valve bypass.

e. Suppression chamber purge inlet.

f. Suppression chamber main exhaust.

g. Primary containment oxygen analyzer.

h. Drywell exhaust valve bypass.

i. Instrument nitrogen compressor suction.

The high radiation trip setting selected is far enough above background radiation levels to avoid spurious isolation, but low enough to provide timely detection of nuclear system process barrier leaks inside the primary containment.

Because the primary containment high-pressure isolation function and the reactor vessel low water level isolation function are adequate in effecting appropriate isolation of the above lines for gross breaks, the reactor building ventilation exhaust high radiation isolation function is provided as a third redundant method of detecting breaks in the nuclear system process barrier significant enough to require automatic isolation.

14. Cleanup system high flow and manual isolation (Table 7.3.1, signals II(C), II(D)).

High flow in the reactor water cleanup system or high temperature in the reactor water cleanup system equipment rooms would be indicative of a rupture in the system. The high flow signal automatically isolates the cleanup system and high room temperature initiates an alarm with one exception. There is no temperature monitoring in the RWCU pump rooms. When a high temperature alarm occurs, the cleanup system is manually isolated. Upon detection of abnormal leakage in the RWCU pump rooms, the system is manually isolated. The high flow and temperature settings were selected far enough above the anticipated normal values to avoid spurious isolation or alarm, but low enough to provide timely detection of a reactor water cleanup system line break (high flow isolation) or abnormal system leakage which could lead to catastrophic piping failure (manual isolation).

15. ADS safety-grade pneumatic supply pressure low differential with respect to drywell pressure and supply line high flow (Table 7.3.1, signals VIII(A) and VIII(B)).

CHAPTER 07 7.3-20 REV. 26, APRIL 2017

PBAPS UFSAR ADS safety-grade pneumatic supply pressure low differential with respect to drywell pressure indicates a breach of the nuclear system process barrier inside the drywell. High supply line flow indicates a line break downstream of the flow transmitter either inside or outside of containment.

Either condition automatically isolates the ADS safety-grade pneumatic supply line. The high flow isolation setting was selected far enough above anticipated operational levels to avoid spurious isolation, but low enough to provide timely detection of a line break. A time delay is provided in the high flow isolation logic to prevent spurious closing of the valve due to the initial inrush of nitrogen gas.

7.3.4.8 Instrumentation Sensors providing inputs to the primary containment and reactor vessel isolation control system are not used for the automatic control of process systems, thus separating the functional control of protection systems and process systems. Channels are physically and electrically separated to assure that a single physical event cannot prevent isolation. Channels for one monitored variable that are grouped near each other provide inputs to different isolation trip systems. Figures 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.8, 7.3.9, and 7.3.10 illustrate arrangements of channels, logics, and valve closing mechanism circuitry for isolation control systems. Drawings M-1-CC-13, Sheets 3 through 12, Sheets 15 through 24, M-1-CC-38, Sheets 1, 2, 7, 8, and M CC-39, Sheets 1 through 12 illustrate in detail the functional arrangement of channels used to initiate isolation of various groups of valves as detailed in Table 7.3.1. Table 7.3.2 lists instrument characteristics.

1. Reactor vessel low water level signals are initiated from differential pressure transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. These transmitters with trip units are used to sense that water level has decreased to the first (highest) or the third (lowest) low water level setting for RPS or PCIS. Other transmitters with pressure compensation instruments are used to sense that water has decreased to the second (middle) low water level setting for ECCS and RCIC.

The differential pressure transmitters for each level setting are arranged in pairs; each transmitter in a pair provides a signal to a different trip system. Two lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for CHAPTER 07 7.3-21 REV. 26, APRIL 2017

PBAPS UFSAR each pair of transmitters. The two pairs of lines terminate outside the primary containment and inside the secondary containment. They are physically separated from each other and tap off the reactor vessel at widely separated points.

This arrangement assures that no single physical event can prevent isolation, if required. Pressure compensation instruments are used to increase the accuracy of the level measurements.

2. Main steam line radiation is monitored by four radiation monitors, which are described in subsection 7.12, "Process Radiation Monitoring."

3. High temperature in the vicinity of the main steam lines is detected by 16 resistance temperature detectors located along the main steam lines between the drywell wall and the turbine. The detectors are located or shielded so that they are sensitive to air temperature and not radiated heat from hot equipment. An additional temperature sensor is located near each set of four detectors for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature and, upon loss of power, operate to give the alarm condition. The main steam line space temperature detection system is designed to detect leaks of from 1 percent to 10 percent of rated steam flow. Figure 7.3.6 illustrates in general terms the instruments used to detect high temperatures in the main steam line space. A total of four main steam line space high temperature channels are provided. Each main steam line isolation logic receives an input signal from one main steam line space high temperature channel.

4. High flow in each main steam line is sensed by four differential pressure transmitters which sense the pressure difference across the flow restrictor in that line. The differential pressure transmitters drive indicating electronic trip units. Figure 7.3.8 illustrates the general arrangement of instruments used to sense the flow in a single main steam line. Figure 7.3.9 illustrates how the 16 differential pressure transmitters and trip units are combined to form four channels. Each main steam line isolation logic receives an input signal from one main steam line high flow channel.

5. Main steam line low pressure is monitored by four pressure switches which sense pressure just upstream of the turbine stop valves. Each switch is part of an independent channel.

Each channel provides a signal to one isolation logic.

CHAPTER 07 7.3-22 REV. 26, APRIL 2017

6. Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell. The pressure transmitters drive indicating electronic trip units which are located in one of two separate panels in the reactor building. The transmitters and trip units are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event prevents isolation due to primary containment high pressure.

7. High temperature in the vicinity of the RCIC equipment is sensed by four sets of four resistance temperature detectors.

Figure 7.3.6 illustrates the arrangement. Each set is arranged as two trip systems. Each trip system receives input signals from two temperature trip channels. Both trip systems must trip to initiate isolation.

8. High flow in the RCIC turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply line. The arrangement is illustrated in Figure 7.3.10. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This is an exception to the usual channel arrangement. The reason for the exception was given in the discussion of the RCIC turbine high steam flow isolation function.

9. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves. The switches are arranged as two trip systems, both of which must trip to initiate isolation of the RCIC turbine steam line. Each trip system receives inputs from two pressure switches either one of which can initiate isolation. The arrangement is shown in Drawings M-1-CC-38, Sheets 1, 2, 7, and 8.

10. High temperature in the vicinity of the HPCI equipment is sensed by four sets of four resistance temperature detectors.

Figure 7.3.6 illustrates the arrangement. Each set is arranged as two trip systems. Each trip system receives input signals from two temperature trip channels. Both trip channels must trip to initiate isolation.

11. High flow in the HPCI turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the HPCI turbine steam line. The arrangement is illustrated in Figure 7.3.10. The tripping of either switch initiates isolation of the HPCI turbine steam line. This is an exception to the usual sensor arrangement. The reason for the exception was given in the CHAPTER 07 7.3-23 REV. 26, APRIL 2017

PBAPS UFSAR discussion of the HPCI turbine high steam flow isolation function.

12. Low pressure in the HPCI turbine steam line is sensed by four pressure switches from HPCI turbine steam line upstream of the isolation valves. The switches are arranged as two trip systems, both of which must trip to initiate isolation of the HPCI turbine steam line. Each trip system receives inputs from two pressure switches, either one of which can initiate isolation. The arrangement is shown in Drawing M-1-CC-39, Sheets 1 through 12.

13. Reactor building ventilation exhaust radiation is monitored by four reactor building ventilation exhaust monitors which are described in paragraph 7.12.5, "Ventilation Radiation Monitoring." Each monitoring trip channel provides one input to each applicable isolation trip system. The channels are arranged in a one-out-of-two-twice isolation logic.

14. High temperature in the spaces occupied by the RHRS (shutdown cooling) and the reactor water cleanup system piping outside the primary containment is sensed by temperature sensors.

These sensors input to a control room recorder which provides an alarm output on high temperature to indicate possible line breaks. A typical arrangement is shown in Figure 7.3.6 for the RHRS which alarms only. Automatic isolation on high temperature is not required since the reactor vessel low water level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event that this system suffers a breach.

15. ADS safety-grade pneumatic supply pressure is monitored by a pressure transmitter in each line. The output of this transmitter is compared with the output from a drywell pressure transmitter to generate a trip signal whenever a low differential exists between the supply line pressure and the drywell pressure. Flow in each supply line is monitored by a differential pressure transmitter which senses the pressure difference across a flow surface. The differential pressure signal is transmitted to an electronic trip unit that produces a trip signal whenever flow exceeds a predetermined setpoint. A time delay relay provides the necessary time delay of the high flow trip signal to prevent spurious closing of the solenoid valves. Figure 7.3.12 illustrates the arrangement of instruments used to generate these trip signals. Two trip systems are used, one for each supply line. The transmitters and trip units for each trip system are physically and electrically independent to ensure that a single active failure will not isolate both supply lines.

CHAPTER 07 7.3-24 REV. 26, APRIL 2017

PBAPS UFSAR Channel and logic relays are high reliability relays equal to type HFA relays made by the General Electric Company. The relays are selected so that the continuous load does not exceed 50 percent of the continuous duty rating.

7.3.4.9 Environmental Capabilities The physical and electrical arrangement of the primary containment and the reactor vessel isolation control system was selected so that no single physical event prevents isolation. The location of Group A and Group B valves inside and outside the primary containment provides assurance that the control system for at least one valve on any line penetrating the primary containment remains capable of automatic isolation. Electrical cables for isolation valves in the same line are routed separately. Motor operators for valves inside the primary containment are of the totally enclosed type; those outside the primary containment have weatherproof type enclosures. Solenoid valves, whether used for direct valve isolation or as an air pilot, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a LOCA inside the drywell. Components of the primary containment and reactor vessel isolation control system that are located inside the primary containment and that must operate during a LOCA are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a LOCA environment.

Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under LOCA conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

Verification that the isolation equipment has been designed, built, and installed in conformance to the specified criteria is accomplished through quality control and performance tests in the vendor's shop or after installation at the plant before startup, during startup, and thereafter during the service life of the equipment.

CHAPTER 07 7.3-25 REV. 26, APRIL 2017

PBAPS UFSAR Control is also exercised through review of equipment design during bid review and by approval of vendor's drawings during the fabrication stage. Purchase specifications require extensive control of materials and of the fabrication procedure.

Further information on the environmental qualification of Class 1E equipment is contained in subsection 7.19.

7.3.5 Safety Evaluation The primary containment and reactor vessel isolation control system, in conjunction with other protection systems, is designed to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barriers. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear system process barrier. The consequences of such gross failures are described and evaluated in that section.

Design procedure has been to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconveniences are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds. Trip setting selection is based on operating experience and constrained by the safety design basis, the safety analyses and/or design analysis.

Section 14.0, "Plant Safety Analysis," shows that the actions initiated by the primary containment and reactor vessel isolation control system, in conjunction with other safety systems, are sufficient to prevent releases of radioactive materials from exceeding the guideline values of published regulations. Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the primary containment and reactor vessel isolation control system meets the precision, reliability, and timeliness requirements of safety design basis 1.

Because the primary containment and reactor vessel isolation control system meets the precision and timeliness requirements of safety design basis 1 using instruments with the characteristics described in Table 7.3.2, safety design basis 2 is met.

Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the primary CHAPTER 07 7.3-26 REV. 26, APRIL 2017

PBAPS UFSAR containment and reactor vessel isolation control system. The large number of temperature sensors and their dispersed arrangement near the steam lines requiring this type of break protection provide assurance that a significant break is detected rapidly and accurately. One of the four groups of temperature switches is located in the ventilation exhaust from the steam line space between the drywell wall and the secondary containment wall.

This assures that abnormal air temperature increases are detected regardless of leak location in that space. The number of sensors provided for steam line break detection satisfies safety design basis 3.

Because the primary containment and reactor vessel isolation control system meets the timeliness and precision requirements of safety design basis 1 by monitoring variables that are true, direct measures of operational conditions, safety design basis 4 is satisfied.

Section 14.0, "Plant Safety Analysis," evaluates a gross break in a main steam line outside the primary containment during operation at design power. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of the guideline values of published regulations and to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed.

The time required for automatic closure of the main steam isolation valves meets the requirements of safety design basis 5.

The shortest closure time of which the main steam valves are capable is 3 sec. The transient resulting from a simultaneous closure of all main steam isolation valves in 3 sec during reactor operation at design power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of 1 sec) coincident with failure of the turbine bypass system. The RPS is capable of accommodating the transient resulting from the inadvertent closure of the main steam line isolation valves. This conclusion is substantiated by Section 14.0, "Plant Safety Analysis." This meets safety design basis 6.

The items of safety design bases 7, 8, and 9 must be fulfilled for the primary containment and reactor vessel isolation control system to meet the design reliability requirements of safety design basis 1. It has already been shown that safety design bases 7f and 7h have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply arrangement, and environmental capabilities. These subjects are discussed in the following paragraphs.

CHAPTER 07 7.3-27 REV. 26, APRIL 2017

PBAPS UFSAR Because essential variables are monitored by four channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from achieving isolation. An analysis of the isolation control system shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, ground, and open circuits. A single trip system trip is the result of these failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a line. With respect to the release of radioactive material from the nuclear system process barrier, such inadvertent valve closures are in the safe direction and do not pose any safety problems. This meets safety design bases 7a and 7b.

The redundancy of channels provided for all essential variables provides a high probability that whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets safety design basis 7c.

The sensors, circuitry, and logics used in the primary containment and reactor vessel isolation control system are not used in the control of any process system. Thus malfunctions and failures in the controls of process systems have no direct effect on the isolation control system. This meets safety design basis 7d.

The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of a single power failure. If AC for valves inside the primary containment is lost, DC is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement is resistant to both AC and DC power failures. Because both solenoid-operated pilot valves must be deenergized, loss of a single power supply neither causes inadvertent isolation nor prevents isolation if required. The logic circuitry for each channel is powered from separate sources available from the RPS buses. A loss of power here results in a single trip system trip.

In no case does a loss of a single power supply prevent isolation when required. This meets safety design bases 7c and 7e.

CHAPTER 07 7.3-28 REV. 26, APRIL 2017

PBAPS UFSAR All instruments, valve closing mechanisms, and cables of the isolation control system can operate under the most unfavorable containment environmental conditions associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in subsection 7.2, "Reactor Protection System," is equally applicable to the reactor vessel low water level switches used in the primary containment and reactor vessel isolation control system. The temperature, pressure, differential pressure, and level switches, transmitters and trip units, cables and valve closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate.

The special considerations (treated in the description portion of this subsection) made for the containment environmental conditions resulting from a LOCA are adequate to ensure operability of essential isolation components located inside the drywell.

The wall of the primary containment effectively separates adverse environmental conditions which might otherwise affect both isolation valves in a line. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given line.

The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant effect on the functioning of the isolation control system, and safety design basis 7g is satisfied.

The design of the main steam isolation valves meets the requirement of safety design basis 8a in that the motive forces for closing the inboard and outboard main steam line isolation valves are derived from separate sources, i.e., instrument nitrogen and instrument air system accumulators, respectively, and the energy stored in the springs of each valve operator.

None of the valves relies on continuity of any sort of electrical power to achieve closure in response to essential safety signals.

Total loss of the power used to control the valves would result in closure. This meets safety design basis 8b.

Access is provided for calibration and testing of pressure and level switches, and transmitters and trip units which are located in the turbine building and reactor building. To gain access to the setting controls on each switch, transmitter, or trip unit, a cover plate, access plug, or sealing device must be removed by operations personnel before any adjustment in trip settings can be effected. The location of calibration and test controls in areas under the control of the control room operator or other supervisory personnel reduces the probability that operational CHAPTER 07 7.3-29 REV. 26, APRIL 2017

PBAPS UFSAR reliability will be degraded by operator error. This meets safety design basis 9a.

The ability to bypass certain containment isolation lines (e.g.,

instrument nitrogen, RHR sample lines) is under the administrative control of the control room operator, via emergency response procedures, through the use of key interlock switches. In addition to administrative control, continuous alarm indication of the bypassed line is provided in the control room. This meets safety design basis 9b.

Because safety design bases 7, 8, and 9 have been met, it can be concluded that the primary containment and reactor vessel isolation control system satisfies the reliability requirement of safety design basis 1. That the system satisfies safety design bases 10, 11a, and 11b was shown in the description of the system.

The following section describing inspection and testing of the system demonstrates that safety design basis 12 is satisfied.

7.3.6 Inspection and Testing Essential parts of the primary containment and reactor vessel isolation control system are testable during reactor operation.

Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects.

Testable check valves are arranged to verify that the valve disc is free to open and close. The channel and trip system responses can be functionally tested by applying test signals to each channel and observing the trip system response. Testing of the main steam line isolation valves is discussed in subsection 4.6, "Main Steam Line Isolation Valves."

CHAPTER 07 7.3-30 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-7 A to D Main Steam Steam 26 A Yes No AO-2-01A-80 AtoD Inside GB b Inst. Nitrogen Spring O C C C(15) I(A,B,C,D,E) Yes Yes 3< to <5(19) A and E D I Yes No AO-2-01A-86 AtoD Outside GB Inst. Air Spring O C C C(15) I(A,B,C,D,E) Yes Yes 3< to <5(19) B and F D N-8 Main Steam Drain Steam/ 3 A No No MO-2-01A-74 Inside GT b AC Motor Manual C O/C C as is I(A,B,C,D,E) Yes Yes 30 A D I Water No No MO-2-01A-077 Outside GT DC Motor Manual C O/C C as is I(A,B,C,D,E) Yes Yes 30 F D N-9A Feedwater - feedwater Water 24 A Yes Yes CHK-2-06-28A Inside CK c Flow - O C O/C - - - - - - N I

- feedwater No No CHK-2-06-96A Outside CK Flow - O C C - - - - - - N

- startup recirc. No No MO-2-06-038A Outside GT AC Motor Manual C C C as is IIC(A,B,F) Yes Yes 60 D D

- HPCI Yes Yes MO-2-23-019 Outside GT DC Motor Manual C C O as is RM** n.a. n.a. - F D

- instrument (9 lines) No No - Outside GB Manual - O O O - - - - - - -

- startup bypass No No - Outside CK Flow - C C C - - - - - - -

N-9B Feedwater - feedwater Water 24 A Yes Yes CHK-2-06-28B Inside CK c Flow - O C O/C - - - - - - N I

- feedwater No No CHK-2-06-96B Outside CK Flow - O C C - - - - - - N

- RCIC Yes Yes MO-2-13-021 Outside GT DC Motor Manual C C O as is RM** n.a. n.a. - E D

- RWCU No No MO-2-12-068 Outside GB AC Motor Manual O O C as is IIA(A,C,D,G) Yes Yes 30 B D

- startup recirc. No No MO-2-06-038B Outside GT AC Motor Manual C C C as is IIC(A,B,F) Yes Yes 60 B D N-10 Steam to RCIC Turbine Steam 3 A Yes Yes MO-2-13-015 Inside GT d AC Motor Manual O C O as is V(A,B,C)** n.a. 2 25 B D I Yes Yes MO-2-13-016 Outside GT DC Motor Manual O C O as is V(A,B,C)** n.a. 2 25 E D N-11 Steam to HPCI Turbine Steam 10 A Yes Yes MO-2-23-015 Inside GT d AC Motor Manual O C O as is IV(A,B,C)** n.a. 2 25 A D I Yes Yes MO-2-23-016 Outside GT DC Motor Manual O C O as is IV(A,B,C)** n.a. 2 25 F D Yes No AO-2-23C-4807 (Unit 2 Only) Outside GT Inst. Air Spring C C C C IV(A,B,C) Yes Yes {5} F D N-12 RHR Shutdown Cooling Suction Water 20 A No No MO-2-10-017 Outside GT e DC Motor Manual C O C as is IIB(A,B,E) Yes Yes 40 F D I No No MO-2-10-018 Inside GT AC Motor Manual C O C as is IIB(A,B,E) Yes Yes 40 A D N-13 A,B RHR Shutdown Cooling Return Water 24 A YI YI MO-2-10-025 B,A Outside GT f AC Motor Manual C O O/C as is IIB(A,B)(10)** Yes Yes 34 1 D I

& LPCI Injection YI YI AO-2-10-046 B,A Inside CK Flow - C O O/C - - - - - 2 D YI No AO-2-10-163 B,A (Unit 2 only) Inside DCV Inst. Nitrogen Spring C C C C RMP n.a. n.a. {5} B,A D YI No HV-3-10-33451 B,A Inside GB Manual - C C C C LC - - - - N N-14 RWCU Pump Suction Water 6 A No No MO-2-12-015 Inside GT g AC Motor Manual O O C as is IIA(A,C,D,G) Yes Yes 30 A D I No No MO-2-12-018 Outside GT DC Motor Manual O O C as is IIA(A,C,D,G) Yes Yes 30 F D N-16 A,B Core Spray Pump Discharge Water 12 A Yes Yes MO-2-14-012 B,A Outside GT f AC Motor Manual C C O as is RM** n.a. n.a. {18} D,A D I (Unit 2)

B,C (Unit 3)

Yes Yes AO-2-14-013 B,A Inside CK Flow - C C O - - - - - 2 D Yes No AO-2-14-015 B,A (Unit 2 only) Inside DCV Inst. Nitrogen Spring C C C C RMP n.a. n.a. {5} B,A D Yes No HV-3-14-39046 B,A Inside GB Manual - C C C C LC - - - - N N-18 Drywell Fl. Dr. Pump Disch. Water 3 B No No AO-2-20-082 Outside DCV i Inst. Air Spring O C C C IIB(A,B) Yes Yes 5 A D III No No AO-2-20-083 Outside DCV Inst. Air Spring O C C C IIB(A,B) Yes Yes 5 B D N-19 Drywell Equip. Dr.Pump Disc. Water 3 B No No AO-2-20-094 Outside DCV i Inst. Air Spring O C C C IID(A,B) Yes Yes 5 A D III No No AO-2-20-095 Outside DCV Inst. Air Spring O C C C IID(A,B) Yes Yes 5 B D N-21 Service Air Supply Air 1 B No No HV-2-36A-20165 Inside GB j Manual - C C C - LC - - - - N III No No HV-2-36A-20163 Outside GB Manual - C C C - LC - - - - N N-22 Inst. Nitrogen Supply Air/ 1 B No No CHK-2-16-23202A Outside CK k Flow - O O C - - - - - - N III Nitrogen AO-2-16-2969A Outside DCV Inst. Air Spring O O C C IID(A,B) Yes Yes {5} A D N-23 RBCW to Recirc. Pumps Water 4 C No No MO-2-35-2373 Outside GT l AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. - B D III N-24 RBCW from Recirc. Pumps Water 4 C No No MO-2-35-2374 Outside GT l AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. - B D III N-25 Drywell and Torus - purge Air/ 18 & B No No AO-2-07B-2505(17) Outside B m Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 B D II

& 205B Purge Supply - purge Nitrogen 20 B No No AO-2-07B-2519(17) Outside B Inst. Air(18) Spring C C C C III(A,B,C,D,E) Yes Yes 5 B D

- purge No No AO-2-07B-2520(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 A D

- purge No No AO-2-07B-2521A(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 B D

- purge No No AO-2-07B-2521B(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 A D

- N 2 Supply No No AO-2-07B-2523 Outside DCV Inst. Air Spring C C C C III(A,B,C,D) Yes Yes 5 A D

- vac. relief Yes Yes AO-2-07B-2502A Outside B Inst. Air(18) Spring C C C O RM n.a. n.a. {10} H D

- vac. relief Yes Yes VBV-2-07B-026A Outside VB Flow - C C C - - - - - - N

- inst. (press) Yes Yes DPIS-2503A Outside Inst - - - - - - - - - - - N

- N2 Supply No No CHK-2-07B-40095 A,B Outside CK Flow - C C C - - - - - - N CHAPTER 07 7.3-31 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-26 Drywell Purge - CAD Air/ 18 B Yes Yes AO-2-07B-2509 Outside DCV n Inst. Air(18) Spring O O C/O C III(A,B,C,D) Yes Yes 5 B D I Exhaust - CAD Nitrogen Yes Yes AO-2-07B-2510 Outside DCV Inst. Air(18) Spring C C C/O C III(A,B,C,D) Yes Yes 5 B D

- purge No No AO-2-07B-2506(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 A D II

- purge No No AO-2-07B-2507(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 B D

- inst. gas No No AO-2-16-4235 Outside DCV Inst. Air Spring O O C C III(A,B,C,D) Yes Yes 5 B D

- inst. gas No No SV-2-16-8100 Outside SV AC Coil - O O C C III(A,B,C,D) Yes Yes 5 A D

- CACS sample No No SV-2-07D-2671G Outside SV AC Coil - O O C C III(A,B,C,D) Yes Yes - A I

- CACS sample No No SV-2-07D-2978G Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I

- CAD sample Yes Yes SV-2-07E-4960B Outside SV AC Coil Manual C C O C RM n.a. n.a. - B I

- CAD sample Yes Yes SV-2-07E-4961B Outside SV AC Coil Manual C C O C RM n.a. n.a. - D I

- rad. gas sample No No SV-2-63G-4966B Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- rad. gas sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D II

- inst. (press) Yes Yes PT-2508A,B Outside INST - - - - - - - - - - - N N-26A Inst. Line-RPV Level & Pressure Water/ 1 A Yes Yes RO-80338A Inside RO q - - - - - - - - - - - N I Steam Yes Yes XFC-2-02-37A Outside XFCV Flow - 0 0 0 - - - - - - N N-26B Inst. Line-RPV Level & Pressure Water/ 1 A Yes Yes RO-80338C Insdie RO q - - - - - - - - - - - N I Steam Yes Yes XFC-2-02-37B Outside XFCV Flow - 0 0 0 - - - - - - N N-27A,C Inst. Line - Bottom Head Water 1 A No No RO-80476A,B Inside RO q - - - - - - - - - - - N I (Unit 2) Drain Line Flow (Unit 2) No No XFC-2-12-80457L,H Outside XFCV Flow - 0 0 0 - - - - - - N N-27 E,F Inst. Lines-Core Plate Press. Water 1 A No No RO-80341A,B Inside RO q - - - - - - - - - - - N I No No XFC-2-02-25 Outside XFCV Flow - 0 0 0 - - - - - - N XFC-2-02-27 N-28 A,B Inst. Lines-RPV Level & Pressure Water/Steam 1 A Yes,C-No Yes,C-No RO-80339A, RO(MK-1) Inside RO q - - - - - - - - - - - N I C,F Steam RO-80337, RO-80338B 0 0 0 - - - - - - N Yes,C-No Yes,C-No XFC-2-02-17A, XFC-2-02-19A, Outside XFCV Flow -

XFC-2-02-11, XFC-2-02-15A

- - - - - - - - - N I N-28 D Inst. Line - RPV Head Pressure Steam 1 A No No RO-80335 Inside RO q - - 0 0 0 - - -

No No XFC-2-02-23 Outside XFCV Flow -

N-29 A,D,E Inst. Lines - RPV Level and Water/ 1 A Yes Yes RO-80339B, RO(MK-1) Inside RO q - - 0 0 0 - - - - - - N I (Unit 2) Pressure Steam RO-80338D, RO-90338D Yes Yes XFC-2-02-17B, XFC-2-02-19B, Outside XFCV Flow -

N-29F XFC-2-02-15B, XFC-3-02-15B (Unit 3)

- - - - - - - - - N I 0 0 0 - - - - - - N N-30 A, Inst. Lines - Main Stm. Pressure Steam 1 A Yes Yes RO-80336B, RO-80336D Inside RO q - -

B,C,D RO-90336C, RO-80338D, RO-80336H - - - - - - - - - N I Yes Yes XFC-2-02-73A,C,E,G Outside XFCV Flow - 0 0 0 - - - - - - N N-30 E,F Inst. Lines - Recirc. Loop B Flow Water 1 A No No RO-80483D,C Inside RO q - - - - - - - - - - - N I XFC-2-02-64D,C Outside XFCV Flow - 0 0 0 - - - - - - N N-31 A to D Inst. Lines - Recirc. Pump Water 1 A No No RO-80129A,B, RO-80128A,B Inside RO q - -

Seal Press. XFC-2-02-7A,B Outside XFCV Flow - - - - - - - - - - N I XFC-2-02-8A,B 0 0 0 - - - - - - N N-32 A,B Inst. Lines - Recirc. Loop A Flow Water 1 A No No RO-80483A,B Inside RO q - - C C C - LC - - - - N III No No XFC-2-02-64A,B Outside XFCV Flow - C C C - LC - - - - N III N-32 C,D ILRT Connections Air 1 B No No HV-2-07A-29871,29873 Outside GB s Manual - - - - - - - - - - N I No No HV-2-07A-29872,29874 Outside GB Manual - 0 0 0 - - - - - - N N-32 E,F Inst. Lines - CS Water 1 A Yes No RO-80330B,A Inside RO q - - - - - - - - - - - N I Line Break Detect. No No XFC-2-14-31B,A Outside XFCV Flow -

0 0 0 - - - - - - N N-33 A, Inst. Lines - Recirc. Pump Water 1 A No No RO-80481A, RO-80482A Inside RO q - -

B,C,D RO-80481B, RO-80482B - - - - - - - - - N I No No XFC-2-02-62A,B,C,D Outside XFCV Flow -

N-33 F Inst. Line - Drywell Pressure Air/ 1 B Yes Yes PT-4805, DPT-8143 Outside INST t - - - - - - - - - - - N I Nitrogen 0 0 0 - - - - - - N N-34 A to D Inst. Lines - Main Stm. Pressure Steam 1 A Yes Yes RO-80336A, RO-80336C Inside RO q - -

RO-90336D, RO-80336E, RO-80336G - - - - - - - - - N I Yes Yes XFC-2-02-73B,D,F,H Outside XFCV Flow - 0 0 0 - - - - - - N N-34 E,F Inst. Lines - HPCI Stm. Pressure Steam 1 A Yes Yes RO-80328, RO-80327 Inside RO q - -

XFC-2-23-37A,B Outside XFCV Flow -

CHAPTER 07 7.3-32 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-35B-G TIP Drives Air 3/8 B No No SV-2-07-104 AtoE (24) Outside BL p AC Coil Spring C C C C IID(A,B) Yes Yes - 3 D III (See Figure for Unit Specific Letters) XV-2-07-102 AtoE (24) Outside XV DC Squib - O O O C RM n.a. n.a. - 3 D N-35C,D TIP Purge Air/ 3/8 B No No CHK-2-07F-41504 Outside CK o Flow - O C C - - - - - - N III (See Figure for Unit Specific Letters) Nitrogen SV-2-07-109 Outside SV AC Coil - O C C C IID(A,B) Yes Yes - 3 I N-37 A to D CRD Insert Water 1 A Yes Yes - Inside BCK v Flow - C C C - - - - - - N I Yes Yes - Outside HCU AC Coils/Inst. Air Spring C C C/O C/O - n.a. n.a. - N I N-38 A to D CRD Withdrawal Water 1 A Yes Yes - Outside HCU v AC Coils/Inst. Air Spring C C C/O C/O - - - - N I I No No AO-2-03-032A,B Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSA D No No AO-2-03-033 Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSA D No No AO-2-03-035A,B Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSB D No No AO-2-03-036 Outside DCV Inst. Air Spring O O C C Scram Yes Yes 15 RPSB D N-39 A,B RHR Containment Spray - RHR Water/ 14 B Yes Yes MO-2-10-031B,A Outside GT w AC Motor Manual C C C/O as is VII(A,B,c) Yes Yes {20} D,C D II

- RHR Air/ Yes Yes MO-2-10-026B,A Outside GT AC Motor Manual C C C/O as is VII(A,B,C) Yes Yes {20} D,C D

- CAD Nitrogen Yes Yes SV-2-07C-4949B,A (U2) Outside SV AC Coil - C C O C RM n.a. n.a. - D,C(U2) I SV-3-07C-5949A,B (U3) C,D(U3)

- CAD Yes Yes CHK-2-07C-40143/ Outside CK Flow - C C O - - - - - - N CHK-3-07C-50142, CHK-2-07C-40142/

CHK-3-07C-50143 N-40 AtoD Inst. Lines - Jet Pumps Water 1 A No No RO-80340 A to Z Inside RO q - - - - - - - - - - - N I No No XFC-2-02-21A to D Outside XFCV Flow - 0 0 0 - - - - - - N (except N-40B-D XFC-2-02-23A to D N-40D-B) XFC-2-02-31B to W N-41 Recirc. Loop Sample Water 3/4 A No No AO-2-02-039 Inside DCV x Inst. Nitrogen Spring C C C C I(A,B,C,D,E) Yes Yes 5 A D I AO-2-02-040 Outside DCV Inst. Air Spring C C C C I(A,B,C,D,E) Yes Yes 5 B D N-42 Standby Liquid Control Sodium 1 1/2 A No Yes CHK-2(3)-11-16 Outside CK y Flow - C C C - - - - - - N I Pentaborate Solution XV-2(3)-11-14A,B Outside XV AC Squib - C C C As is - - - - A,B I N-46 A,B Inst. Lines - Unit 3, Drywell Air/ 1 B Yes Yes PT-9102A/PT-100A/PT-3-05-12A/ Outside INST t - - - - - - - - - - - N I Pressure Nitrogen PS-3-05-16, PT-9102C/PT-100C/PT-3-05-12B N-47 ADS Safety Grade Pneumatic Supply Gas 1 B Yes Yes SV-2-16A-8130B Outside SV k AC Coil - C C C/O C VIII(A,B) n.a. Yes - D D II Yes Yes CHK-2-16A-23299B Outside CK Flow - C C C/O - - - - - - N N-49 B,C Inst. Lines - Unit 3, Drywell Pres. Air/ 1 B Yes Yes PT-3-05-124/PT-100B/PT-9102B, Outside INST t - - - - - - - - - - - N II Nitrogen PT-9458/PT-9102D/PT-3-05-12D/

PT-100D N-49 E,F Inst. Lines. - Unit 2, Drywell Pres. Air/ 1 B Yes Yes PT-2-05-16/PT-2-05-12A/PT-8102A Outside INST t - - - - - - - - - - - N II Nitrogen PT-100A,PT-2-05-12B/PT-8102C/

PT-100C N-50A Inst. Lines. - Recirc. Suction Pres. Water 1 A No No RO-80484A/RO-80485A Inside RO q - - - - - - - - - - - N II No No XFC-2-02-305A Outside XFCV Flow - 0 0 0 - - - - - - N N-50 B,C Inst. Lines - RCIC Stm. Pressure Steam 1 A Yes Yes RO-80308/RO-90307, Inside RO q - - - - - - - - - - - N I RO-80307/RO-90308 Yes Yes XFC-2-13-55B/XFC-3-13-55A, Outside XFC Flow - 0 0 0 - - - - - - N XFC-2-13-55A/XFC-3-13-55B N-50 D,E Inst. Lines - RWCU Pump Suct. Press. Water 1 A No Yes RO-125A,B Inside RO q - - - - - - - - - - - N I No No XFC-2-12-66A,B Outside XFCV Flow - 0 0 0 - - - - - - N N-51 A,B CACS Sample Lines Air/ 1 B No No SV-2-07D-2671E,D Outside SV z AC Coil - O O C C III(A,B,C,D) Yes Yes - A,A I II Nitrogen No No SV-2-07D-2978E,D Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F,F I N-51C CACS Sample Lines - CACS Sample Air/ 1 B No No SV-2-07D-2671C Outside SV aa AC Coil - O O C C III(A,B,C,D) Yes Yes - A I II

- CACS Sample Nitrogen No No SV-2-07D-2978C Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I

- CAD Sample Yes Yes SV-2-07E-4960C Outside SV AC Coil Manual C C O C RM n.a. n.a. - A I

- CAD Sample Yes Yes SV-2-07E-4961C Outside SV AC Coil Manual C C O C RM n.a. n.a. - C I

- Rad. Gas Sample No No SV-2-63G-4966C Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- Rad. Gas Sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D N-51D CACS Sample Return Air/ 1 B No No CHK-2-07D-40140 Outside CK bb Flow - O O C - - - - - - N II Nitrogen SV-2-07D-2980 Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I N-51E Inst. Line - Recirc. Suction Water 1 A No No RO-80485A/RO-90484A Inside RO q - - - - - - - - - - - N I Pressure No No XFC-2-02-305B Outside XFCV Flow - 0 0 0 - - - - - - N N-52E Inst. Line - Core Plate Pressure Water 1 A No No RO-80342 Inside RO q - - - - - - - - - - - N I No No XFC-2-02-33 Outside XFCV Flow - 0 0 0 - - - - - - N CHAPTER 07 7.3-33 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALUES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-52F Inst. Nitrogen Supply Gas 1 B No No CHK-2-16-23335 (U2 only) Outside CK k Flow - C C C - - - - - - N III Air/ CHK-3-16-33312 (U3 only)

Nitrogen AO-2-16-2969B Outside DCV Inst. Air Spring O O C C IID(A,B) Yes Yes {5} B D HV-2-16-23333 (U2 only); Outside GB Manual - C C C - 2C - - - - N HV-2-16-33310 (U3 only)

CHK-2-16-23202B Outside CK Flow - O O C - - - - - - N N-53 Chilled Wtr. From Drywell Coolers, Water 8 C No No MO-2-44A-2201B Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} B D III Loop A N-54 Chilled Wtr. From Drywell Coolers, Water 8 C No No MO-2-44A-2200B Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} B D III Loop B N-55 Chilled Wtr. To Drywell Coolers, Water 8 C No No MO-2-44A-2200A Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} A D III Loop B N-56 Chilled Wtr. To Drywell Coolers, Water 8 C No No MO-2-44A-2201A Outside GT cc AC Motor Manual O O O/C(16) as is RM(16) n.a. n.a. {50} A D III Loop A N-57 Main Stm. Line 'D' Sample Steam 3/4 A No No AO-2-02-316 Inside DCV x Inst. Nitrogen Spring C C C C I(A,B,C,D,E) Yes Yes 5 A D I No No AO-2-02-317 Outside DCV Inst. Air Spring C C C C I(A,B,C,D,E) Yes Yes 5 B D N-100BA Inst. Line - RPV Level & Pressure Water/ 1 A Yes Yes RO-90339B, RO(MK-1) Inside RO q - - - - - - - - - - - N I N-100BD (Unit 3) Steam Yes Yes XFC-3-02-17B, Outside XFCV Flow - O O O - - - - - - N XFC-3-02-19B N-102BA, Inst. Line - Unit 2, Drywell Press Air/ 1 B Yes Yes PT-2-05-12C, PT-8102B, PT-100B, Outside INST t - - - - - - - - - - - N I BB Nitrogen PT-2-05-12D, PT-8102D, PT-100D, PT-8458 N-102BC ADS Safety Grade Pneumatic Supply Gas 1 B Yes Yes SV-2-16A-8130A Outside SV k AC Coil Spring C C C/O C VIII(A,B) n.a. Yes - C D II Yes Yes CHK-2-16A-23299A Outside CK Flow - C C C/O - - - - - - N N-102BD Breathing Air-Unit 3 Air 3 B No No HV-3-36E-50078 Outside GT j Manual - C C C - LC - - - - N III No No HV-3-36E-54762 Inside GT Manual - C C C - LC - - - - N N-203 CACS & CAD Sample Line - CACS Sample Air/ 1 B No No SV-2-07D-2671B Outside SV aa AC Coil - O O C C III(A,B,C,D) Yes Yes - A I II

- CACS Sample Nitrogen No No SV-2-07D-2978B Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I

- CAD Sample Yes Yes SV-2-07E-4960D Outside SV AC Coil Manual C C O C RM n.a. n.a. - B I

- CAD Sample Yes Yes SV-2-07E-4961D Outside SV AC Coil Manual C C O C RM n.a. n.a. - D I

- rad. gas Sample No No SV-2-63G-4966D Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- rad. gas sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D

- inst. Yes Yes PT-4953 Outside INST - - - - - - - - - - - N N-205A Torus Vacuum Breaker Air/ 20 B Yes Yes AO-2-07B-2502B Outside B dd Inst. Air(18) Spring C C C O RM n.a. n.a. {10} G D III Nitrogen Yes Yes VBV-2-07B-26B Outside VB Vaccum - C C C - - - - - - N Yes Yes DPIS-2503B Outside INST - - - - - - - - - - - N N-206A,B Inst. Lines - Torus Level Air/Nitrogen 2 B Yes Yes LS-2-23-091A, LS-2-23-091B, Outside INST ee - - - - - - - - - - - N II Water LT-8123A, LT-8027A, LT-8027B N-210A,B RHR Test & Pool Cooling Return Water 18 B Yes Yes MO-2-10-034B,A Outside GB ff AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes - D,C D II Yes Yes CHK-2-10-19B,D,A,C Outside CK Flow - C C O/C - - - - - - N N-211A,B RHR Torus Spray - RHR Water 6 B Yes Yes MO-2-10-038B,A Outside GB ff AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes {30} D,C D III

- RHR Yes Yes MO-2-10-039B,A Outside GT AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes {112} D,C D

- RHR Yes Yes MO-2-10-034B,A Outside GB AC Motor Manual C C C/O as is VII(A,B & C) Yes Yes - D,C D

- CAD Air/ Yes Yes SV-2-07C-4951B, SV-2-07C-4951A Outside SV AC Coil - C C O C RM n.a. n.a. - D,C/C,D I

- CAD Nitrogen Yes Yes SV-3-07C-5951A, SV-3-07C-5951B Outside CK Flow - C C O - - - - - N N Yes Yes CHK-2-07C-40145, CHK-2-07C-40144 Yes Yes CHK-3-07C-50144, CHK-3-07C-50145 N-212, HPCI & RCIC Turbine - RCIC Steam (N-212) 12 (N-212) B Yes Yes HV-2-13C-9 (21) Outside SCK gg Flow - C C O/C - - - - - - N II 214, Exhaust - RCIC Yes Yes CHK-2-13C-50 Outside CK Flow - C C O/C - - - - - - N 217B - RCIC Yes No AO-2-13-137 Outside DCV Inst. Air Spring O O O/C C TT,V(A,B,C) Yes Yes {5} E D

- RCIC Yes No AO-2-13-138 Outside DCV Inst. Air Spring O O O/C C V(A,B,C) Yes Yes {5} F D

- HPCI Steam (N-214) 24 (N-214) B Yes Yes HV-2-23C-12 (21) Outside SCK Flow - C C O/C - - - - - - N

- HPCI Yes Yes CHK-2-23C-65 Outside CK Flow - C C O/C - - - - - - N

- HPCI Yes No AO-2-23-137 Outside DCV Inst. Air Spring O O O C IV(A,B) Yes Yes {5} E D

- HPCI Yes No AO-2-23-138 Outside DCV Inst. Air Spring O O O/C C TT,IV(A,B,C) Yes Yes {5} F D

- vac. relief Air/Nitrogen 2 (N-217B) B Yes Yes MO-2-13C-4244 Outside GT DC Motor Manual O O O/C as is VB(C&D) n.a. Yes 20 E D

- vac. relief (N-217B) Yes Yes MO-2-23C-4245 Outside GT DC Motor Manual O O O/C as is IVB(C&D) n.a. Yes - F D N-213A Torus Drain (with level inst.) Water 1 B Yes Yes LT-8123B, LT8456 Outside INST ee - - - - - - - - - - - N II N-215 Inst. Line - Unit 2, Torus Level Air/Nitrogen 1 B Yes Yes LT-8123B, LT-8456 Outside INST ee - - - - - - - - - - - N II N-216 HPCI Min. Flow Water 4 B Yes Yes CHK-2-23B-62 Outside CK hh Flow - C C O/C - - - - - - N II N-218A Inst. Nitrogen Supply Air/ 1 B No No CHK-2-16-23261 Outside CK k Flow - O O C - - - - - - N III Nitrogen No No AO-2-16-2968 Outside DCV Inst. Air Spring O O C C IID(A,B) Yes Yes {5} B D CHAPTER 07 7.3-34 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (CONTINUED)

PRINCIPAL PRIMARY CONTAINMENT ISOLATION VALVES Penetration Valve Position (22)

Figure Mode of Actuation Penetration Line Type Valve Valve Valve No. Post Power Isolation Group Closure Power Position Pipe Number Line Description Fluid Size (in) Group(14) ESF(13) Essential(11) Number(1) Location Type2 7.3.11 Primary Secondary Normal Shutdown Accident Failure (Signal)(3) Diverse(4) Reset(5) Time(sec)(6) Source(7) Ind.(8) Class(12)

N-218B CACS Sample Line Air/ 1 B No No SV-2-07D-2671A Outside SV z AC Coil - O O C C III(A,B,C,D) Yes Yes _ A I II Nitrogen No No SV-2-07D-2978A Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I N-218C ILRT Connection Air 1 B No No HV-2-07A-29875 Outside GB s Manual - C C C - LC - - - - N III No No HV-2-07A-29876 Outside GB Manual - C C C - LC - - - - N III N-219 Torus Purge - CACS Air/ 18 B No No AO-2-07B-2511(17) Outside B ii Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 E D II Exhaust - CACS Nitrogen No No AO-2-07B-2512(17) Outside B Inst. Air(18) Spring C O C C III(A,B,C,D,E) Yes Yes 5 B D

- CAD Yes Yes AO-2-07B-2513 Outside DCV Inst. Air(18) Spring C C C/O C III(A,B,C,D) n.a. Yes 5 A D

- CAD Yes Yes AO-2-07B-2514 Outside DCV Inst. Air(18) Spring C C C/O C III(A,B,C,D) n.a. Yes 5 A D

- CACS Sample No No %SV-2-070-2671F Outside SV AC Coil - O O C C III(A,B,C,D) Yes Yes - A I

- CACS anal. Sample No No SV-2-07D-2978F Outside SV DC Coil - O O C C III(A,B,C,D) Yes Yes - F I

- CAD anal. Sample Yes Yes SV-2-07E-4960A Outside SV AC Coil Manual C C O C RM n.a. n.a. - A I

- CAD anal. Sample Yes Yes SV-2-07E-4961A Outside SV AC Coil Manual C C C C RM n.a. n.a. - C I

- rad. gas Sample No No SV-2-63G-4966A Outside SV AC Coil Manual C C C C III(A,B,C,D) Yes Yes - A I

- rad. gas Sample No No SV-2-63G-8101 Outside SV AC Coil - C C C C III(A,B,C,D) Yes Yes {5} B D

- inst. (pressure) Yes Yes PT-4952 Outside INST - - - - - C - - - - - N

- Torus Hardened Vent No No AO-2-07B-80290 Outside B Inst. Air - C C C - RM n.a. n.a. - E* D N-221 RCIC Vacuum Pump Disch. Air 2 B* Yes No Yes No CHK-2-13C-38 Outside CK jj Flow - C C O/C - - - - - - - II N-223 HPCI Turbine Drain Water 2 B* Yes No Yes No CHK-2-23C-56 Outside CK jj Flow - C C O/C - - - - - - - II N-224 Core Spray Test Line - Unit 2 Water 10 B* Yes No MO-2-14-026A Outside GB kk AC Motor Manual C C C as is VI(A,B) Yes Yes - C D II Yes No CHK-2-10-21541 Outside CK Flow - C C C - - - - - - N Yes No CHK-2-14-29051A Outside CK Flow - C C C - - - - - - N Yes No CHK-2-10-21577A Outside CK Flow - C C C - - - - - - N Yes Yes CHK-2-14-66A,C Outside CK Flow - C C O/C - - - - - - N N-225 RCIC & Torus Water Cleanup Suct. Water 6 B* Yes Yes MO-2(3)-13-041 Outside GT ll DC Motor Manual C C C/O as is V(A,B,C) n.a. Yes - E D II Yes Yes MO-2(3)-13-039 (23) Outside GT DC Motor Manual C C C/O as is V(A,B,C) n.a. Yes - E D No No MO-2-14-070 Outside GT AC Motor Manual C C C as is IID(A,B) Yes Yes - A D No No MO-2-14-071 Outside GT DC Motor Manual C C C as is IID(A,B) Yes Yes - E D N-226A RHR Pump Suction Water 24 B* Yes Yes MO-2-10-013B,D,A,C Outside GT mm AC Motor Manual O O O as is RM n.a. n.a. - B,D,A,C D II to D Yes No RV-2-10-072B,D,A,C Outside RV Pressure - C C C - - - - - - N N-227 HPCI Pump Suction Water 16 B* Yes Yes MO-2(3)-23-058 Outside GT nn DC Motor Manual C C C/O as is IV(A,B,C) n.a. Yes - F D II Yes Yes MO-2(3)-23-057 (23) Outside GT DC Motor Manual C C C/O as is IV(A,B,C) n.a. Yes - F D N-228A Core Spray Pump Suction Water 16 B* Yes Yes MO-2-14-007C,A,B,D(U2) Outside GT oo AC Motor Manual O O O as is RM n.a. n.a. {80} C,A,B,D(U2) D II to D MO-3-14-007D,B,C,A(U3) D,B,C,A(U3)

N-229 Core Spray Pump Min Flow - Unit 2 Water 4 B* Yes Yes CHK-2-14-66B,D Outside CK pp Flow - C C O/C - - - - - - N II No No CHK-2-14A-29036A,B Outside CK Flow - C C C - - - - - - N N-230 RCIC Pump Min. Flow Water 2 B* Yes Yes CHK-2-13B-29 Outside CK qq Flow - C C O/C - - - - - - N II N-233 HPCI Test Line - Unit 2 Water 4 B* Yes No MO-2-23-031 Outside GT rr DC Motor Manual C C C as is IVA(D,E) Yes Yes - F D II N-234 Core Spray Test Line - Unit 2 Water 10 B* Yes No MO-2-14-026B Outside GB ss AC Motor Manual C C C as is VI(A,B) Yes Yes - D D II Yes No CHK-2-10-21577B Outside CK Flow - C C C - - - - - - N Yes No CHK-2-14-29051B Outside CK Flow - C C C - - - - - - N No No CHK-2-21-40252 Outside CK Flow - C C C - - - - - - N N-234A Core Spray Test Line - Unit 3 Water 10 B* Yes No MO-3-14-026B Outside GB ss AC Motor Manual C C C as is VI(A,B) Yes Yes - D D II Yes No CHK-3-10-31541 Outside CK Flow - C C C - - - - - - N Yes No CHK-3-14-39051B Outside CK Flow - C C C - - - - - - N Yes No CHK-3-10-31577B Outside CK Flow - C C C - - - - - - N N-234B Core Spray Test Line - Unit 3 Water 10 B* Yes No MO-3-14-026A Outside GB ss AC Motor Manual C C C as is VI(A,B) Yes Yes - C D II Yes No CHK-3-10-31577A Outside CK Flow - C C C - - - - - - N Yes No CHK-3-14-39051A Outside CK Flow - C C C - - - - - - N No No CHK-3-21-50252 Outside CK Flow - C C C - - - - - - N N-235 HPCI Test Line - Unit 3 Water 4 B* Yes No MO-3-23-031 Outside GT rr DC Motor Manual C C C as is IVA(D,E) Yes Yes - F D II N-236A Core Spray Pump Min. Flow - Unit 3 Water 4 B* Yes Yes CHK-3-14-66B,D Outside CK tt Flow - C C O/C - - - - - - N II N-236B Core Spray Pump Min. Flow - Unit 3 Water 4 B* Yes Yes CHK-3-14-66A,C Outside CK pp Flow - C C O/C - - - - - - N II No No CHK-3-14A-39036A,B Outside CK Flow - C C C - - - - - - N N-250 Inst. Line - Unit 3, Torus Level Air/Nitrogen 1 B Yes Yes LT-9456, LT-9123B Outside INST ee - - - - - - - - - - - N I

Fuses removed during normal operation. Control room indication maintained.

CHAPTER 07 7.3-35 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (Continued)

NOTES:

1. Valve Numbering: Unless otherwise noted all Unit 2 valves also apply to Unit 3 with the numbering changes specified below.

a. All valves: the unit changes from 2 to 3

b. Valves with 4 or 5 digit suffixes: Unit 2 valve suffixes beginning with 2, 4, or 8 change to 3, 5 or 9 for Unit 3.

2. Valve Types:

GB - Globe DCV - Diaphragm Control Valve GT - Gate VB - Vacuum Breaker CK - Check XV - Explosive Valve BL - Ball RO - Restricting Orifice B - Butterfly BCK - Ball Check SV - Solenoid HCU - Hydraulic Control Unit RV - Relief XFCV - Excess Flow Check Valve SCK - Stop Check INST - Instrument, used when the instrument is the actual isolation device.

3. Isolation Signals:

The setpoints given here are analytical limits used in analyses; however the actual setpoints must be as given in Appendix B, plant Technical Specifications.

Group Signal (set point) Instrument I

A. Reactor Low-Low-Low LT/LIS-2-3-99 A thru D Water Level (Level 1)(-171.7 in)

B. High Steam Line Flow DPT/DPIS-2-116, 117, 118, (140.0%) 119, A thru D C. High Steam Tunnel Temp. TE-4931, 4932, 4933, (220F - Turbine Building) 4934, A thru D TIS-80547 (240oF - Unit 2 Reactor Building) A thru D (220oF - Unit 3 Reactor Building)

D. Low Steam Line Press. PS-2-134, A thru D (850 psi in Run Mode)

CHAPTER 07 7.3-36 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (Continued)

IIA, IIB, IIC, IID A. Reactor Low Water Level LT/LIS-2-3-101 A thru D (Level 3)(0 in)

B. High Drywell Press PT/PIS-5-12 A thru D (2.5 psig)

C. RWCU High Flow (300%) DPIS-12-124 A & B D. RWCU Non-Regen. Hx Hi- TT/TS-12-99 Temp (200F)*

E. High Reactor Press. (shut- PT/PS-2-128 A & B down cooling-75 psig)

F. High Reactor Press. PT/PSL-2-3-55 A thru D (Feedwater flush system interlock - 600 psig)

G. SLC System Operation* Switch 11A-S1 III A. Reactor Low Water Level LT/LIS-2-3-101 A thru D (Level 3)(0 in)

B. High Drywell Press. PT/PIS-5-12 A thru D (2.5 psig)

C. Reactor Bldg.High Rad. RE-17-430 A thru D (16 Mr/hr) RIS-17-452 A thru D D. Refueling Floor High Rad. RE-17-458 A thru D (16 Mr/hr) RIS-17-458 A thru D E. Main Stack Radiation High RE-17-50AG and -50BL

(<1.0 x 10-1 Ci/cc) RI-17-50A and -50B IV, IVA, IVB A. HPCI Steam Line High DPIS-23-76 and 77 Flow (300%)

B. HPCI Steam Tunnel High TE-4941, 4942, 4943, Temp. (220F) 4944, A thru D TIS-80547 A thru D C. HPCI Steam Line Low PS-23-68 A thru D Press. (50 psig)*

D. High Drywell Press. PT/PISHH-10-100 A thru D (2.5 psig)

E. Reactor Low-Low LT-2-3-72 A thru D/

Water Level XS-2-3-116 A thru D (Level 2)(-66 in)

V, VB A. RCIC Steam Line High Flow DPIS-13-83 and 84 (300%)

B. RCIC Steam Tunnel High TE-4936, 4937, 4938, Temp. (220F) 4939, A thru D TIS-80547 A thru D C. RCIC Steam Line Low PS-13-87 A thru D press. (50 psig)*

D. High Drywell Press. PT/PISHH-10-100 A thru D (2.5 psig)

VI A. Reactor Low-Low-Low LT-2-3-72 A thru D/

Water Level XS-2-3-116 A thru D (Level 1)(-171.7 in)

B. High Drywell Press. PT/PSHH-10-100 A thru D (2.5 psig)

CHAPTER 07 7.3-37 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.1 (Continued)

VII LPCI Initiation:

A. Reactor Low-Low-Low LT-2-3-72 A thru D/

Water Level XS-2-3-116 A thru D (Level 1)(-171.7 in)

B. High Drywell Pressure PT/PISHH-10-100 A thru D (2.5 psig)

C. Reactor Low Pressure PT-2-3-404 C/D/

(400 psig) XS-2-3-121 A thru D VIII A. ADS Safety Grade PT/IE 8102 A,B Pneumatic Supply PT/IE/DPS 8142 A,B Pressure low differential with respect to Drywell pressure B. ADS Safety Grade FT/IE/FS 8130 A,B Pneumatic Supply high flow (10 scfm)

Scram- Reactor Protection System Trip RM - Remote Manual (operation from main Control Room)

M - Manual (local only)

LC - Locked Closed TT - Turbine Trip*

RMP - Push Button, momentary contact opens valve for test

Process Signals - Process Signals are signals used to support operation or to protect system related equipment. Process Signals do not support the isolation of the containment during accident conditions.

- Valve opens on system initiation.

4. Diverse actuation signal provided per SRP 6.2.4. Only nonessential systems require diverse signals for automatic isolation. Therefore, this column is not applicable, (n.a.), for essential containment isolation valves and remote manual valves. Non power operated components such as check valves, hand valves and instruments have a dash (-) designation. See note 11 for a definition of essential lines.

5. Is the control circuit designed such that resetting the isolation will not cause the valve to automatically return to its previous position?

The following special notes apply:

a. Valve automatically reopens upon reset of isolation signal if the system initiation signal is present.

CHAPTER 07 7.3-38 REV. 26, APRIL 2017

6. Closure time is the maximum valve stroke time in the closed direction required to comply with Technical Specification SR 3.6.1.3.8.

A maximum valve stroke time in the closed direction is not applicable to the valves with closure times contained in brackets { }. The closure time is provided as design information only.

"S" indicates standard closing time. The standard minimum closing rate for automatic isolation valves is based on a nominal line size of 12 inches. Using the standard closing rate, a 12-inch line is isolated in 60 seconds. Conversion to closing time can be made on this basis using the actual size of the line in which the valve is installed.

7. The power supplies for the valves are identified as one of the following:

A - safeguard AC channel A (on-site emergency diesel buses)

B - safeguard AC channel B (on-site emergency diesel buses)

C - safeguard AC channel C (on-site emergency diesel buses)

D - safeguard AC channel D (on-site emergency diesel buses)

E - safeguard DC channel A (on-site emergency diesel buses)

F - safeguard DC channel B (on-site emergency diesel buses)

G - safeguard DC channel C (on-site emergency diesel buses)

H - safeguard DC channel D (on-site emergency diesel buses)

N - non-safeguard RPSA - reactor protection system Bus A RPSB - reactor protection system Bus B 1 - The power for valve MO-2(3)-10-025A automatically transfers between A and C depending upon availability. The power for valve MO-2(3)-10-025B automatically transfers between B and D depending upon availability.

2 - Testable check valve, power and controls do not affect isolation function.

3 - Controls for the TIP ball, shear, and purge valves are not separated and are not assigned to safeguard channels.

For cable routing purposes, channels A&C - AC and A&C-DC are assigned to Division I and channels B&D - AC and B&D-DC are assigned to Division II.

Non power operated components such as; check valves, hand valves, and instruments have a dash (-) designation.

8. Position indication, in the control room, for the valves is identified as follows:

D - direct indication from position switches at the valve.

TABLE 7.3.1 (Continued)

CHAPTER 07 7.3-39 REV. 26, APRIL 2017

PBAPS UFSAR I - indirect indication, usually light is electrically parallel to solenoid. Valves XV-2(3)-11-14A, B have firing readiness light based on circuit continuity.

N - no indication as to/component position.

9. Deleted

10. Isolates only if in shutdown cooling mode.

11. Essential lines are defined as those essential to emergency reactor shutdown, reactor core cooling, containment heat removal and post-LOCA combustible gas control (per PECO letter to NRC dated January 2, 1980). The classification of each isolation valve is indicated in UFSAR Table 7.3.1.

Y1 - Indicates the line is essential and ESF unless in shutdown cooling mode.

12. Piping Classification Group per Updated FSAR, App. A.

13. Engineering Safety Feature (ESF) is a system which is required to mitigate the consequences of a postulated accidents and abnormal transients. This classification is normally on a system level with the following exceptions. The portions of the Feedwater System which provide injection paths for the HPCI and RCIC Systems are considered part of the HPCI System and RCIC System and therefore, classified as an ESF. MSIV Isolation function is also considered an ESF.

Y1 - Indicates the line is essential and ESF unless in shutdown cooling mode.

14. Penetration Type Group -

Group A - Line communicates directly with reactor coolant.

Group B - Line communicates with containment free space. Line terminates inside the containment. Lines identified with an astrick (*) terminate below the torus minimum water level and are provided with a water seal.

Group C - Closed loop inside of containment.

15. Main steam isolation valves required both solenoid pilots to be deenergized to close valve. Accumulator pressure plus spring act together when both pilots are deenergized. Voltage failure at only one pilot does not cause valve to close.

16. The isolation valves on the Reactor Building Closed Cooling Water System and The Drywell Chilled Water System do not receive automatic isolation signals, since the continued use of these systems will tend to mitigate the consequences of an accident. In addition, 10CFR50, Appendix A, GDC57 allows the use of a remote-manual valve on lines such as these that are neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere. Plant operating procedures ensure appropriate closure of these valves following the onset of an accident.

TABLE 7.3.1 (Continued)

CHAPTER 07 7.3-40 REV. 26, APRIL 2017

17. Eighteen (18) Containment Atmospheric Control System valves (on Units 2 and 3) were modified to establish a new maximum allowable opening angle to maintain their closure times. The new maximum opening angles are listed below:

Value No. Opening Angle (max.)

A0-2(3)505 55 degrees A0-2(3)506 65 degrees A0-2(3)507 65 degrees A0-2(3)511 65 degrees A0-2(3)512 55 degrees A0-2(3)519 70 degrees A0-2(3)520 65 degrees A0-2(3)521A 65 degrees A0-2(3)521B 65 degrees

18. The Safety Grade Instrument Gas (SGIG) system supplies hard-piped pressurized nitrogen gas as backup to the normal instrument air supply to these valves.

19. A maximum closure time of 10 seconds has been used for AO-2(3)-01A-080A-D and AO-2(3)-01A-086A-D in some analyzes where the loss of reactor coolant inventory is the controlling variable. Using the extended closure time yields conservative results.

20. Note Deleted.

21. These stop check valves serve as block valves to allow testing of the outboard check valve. The check function of these valves is not leak tested. Valve positions representing system alignments for testing, maintenance, and transition between plant conditions are not provided.

22. Valve position information provided represents the expected position of the valve under the specified plant conditions. This information is provided for general guidance. Valve positions representing system alignments for testing, maintenance, and transition between plant conditions are not provided.

Plant conditions are specified as follows:

Normal - Plant operation at rated power.

Shutdown - Normal system alignments during hot shutdown, cold shutdown and refueling conditions.

Post Accident - Plant system alignments during an accident or abnormal transient event (short term and long term).

Power Failure - Loss of power to component.

23. This valve is not a PCIV.

24. This penetration only requires on PCIV. The shear valve (XV) and ball valve (SV) work in tandem to fulfill the PCIV function.

CHAPTER 07 7.3-41 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.2 PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Isolation Signal* Isolation Function Sensor Accuracy(1) Trip Setting(2)

II(A), III(A) Reactor vessel Differential +/-3.5% 0 in low water level pressure transmitter (172 in above TAF) and indicating trip unit IV(E) Reactor vessel Differential +/-3.5% -66 in above low water level pressure transmitter instrument zero and pressure com- (106 in above TAF) pensation instruments I(A) Reactor vessel Differential +/-3.5% -171.7 in above low water level pressure transmitter instrument zero and indicating trip unit (0.3 in above TAF)

I(E) Main steam line Radiation high radiation monitor Paragraph 7.12.1 I(C) Main steam line Temperature indicating +/-2% 220F (Turbine Building) space high switch 240F (Unit 2 Reactor Building) temperature 220F (Unit 3 Reactor Building)

I(B) Main steam line Differential +/-2% 140.0% rated flow high flow pressure transmitter and indicating trip unit I(D) Main steam line Pressure switch +/-1% 850 psig low pressure II(B), III(B) Primary containment Pressure transmitter +/-0.5% psig 2.5 psig high pressure and indicating trip unit V(B) RCIC turbine steam Temperature indicating +/-2% 220F line space high switch temperature V(A) RCIC turbine steam Differential +/-5% 894 in WC line high flow pressure switch See Isolation Signal Codes for Table 7.3.1.

CHAPTER 07 7.3-42 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.3.2 (cont'd)

PRIMARY CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Isolation Signal Isolation Function Sensor Accuracy(1) Trip Setting(2)

V(C) RCIC turbine steam Pressure switch +/-2% 50 psig line low pressure IV(B) HPCI turbine steam Temperature +/-2% 220F line space high indicating temperature switch IV(A) HPCI turbine steam Differential +/-5% 278 in WC line high flow pressure switch IV(C) HPCI turbine steam Pressure switch +/-2% 50 psig line low pressure III(C) Reactor building ventilation exhaust Radiation monitor Paragraph 7.12.5 high radiation RHRS (shutdown Temperature recorder +/-2% 160F cooling space high alarm switch temperature) alarm only II(C) Reactor water cleanup Differential +/-1% 132.48 in WC system high flow pressure switch VIII(A) ADS safety-grade Pressure transmitters +/-2.5% Gas Supply pneumatic supply and trip unit pressure pressure low less than differential with drywell pressure respect to drywell pressure VIII(B) ADS Safety Guide Flow transmitter +/-2.5% 10 scfm Pneumatic Supply high and trip unit flow 1 Instruments for this service have accuracy within this range over the actually purchased full scale.

2 The values given here have been used in the setpoint analysis; however, the allowable values are listed in Technical Specifications.

CHAPTER 07 7.3-43 REV. 26, APRIL 2017

PBAPS UFSAR 7.4 CORE STANDBY COOLING SYSTEMS CONTROL AND INSTRUMENTATION 7.4.1 Safety Objective The safety objective of the controls and instrumentation for the CSCS's is to initiate appropriate responses from the various cooling systems so that the fuel is adequately cooled under abnormal or accident conditions. The cooling provided by the systems restricts the release of radioactive materials from the fuel by limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system.

Even after the reactor is shut down from power operation by the full insertion of all control rods, heat continues to be generated in the fuel as radioactive fission products decay. An excessive loss of reactor coolant allows the fuel temperature to rise, cladding to melt, and fission products in the fuel to be released.

If the temperatures in the reactor rise to a sufficiently high value, a metal (zirconium)-water reaction occurs which releases energy. Such a reaction increases the pressure inside the nuclear system and the primary containment. This threatens the integrity of the barriers which are relied upon to prevent the uncontrolled release of radioactive materials. The controls and instrumentation for CSCS's prevent such a sequence of events by actuating CSCS's in time to limit fuel cladding temperatures to acceptable levels (less than 2,200F).

7.4.2 Safety Design Basis

1. Controls and instrumentation automatically initiate and control the CSCS's with precision and reliability to ensure removal of heat from the reactor core in time to prevent cladding temperature from exceeding 2,200F so that fuel and core deformation do not limit effective cooling of the core.

2. Controls and instrumentation initiate and control the CSCS's with sufficient timeliness, precision, and reliability to prevent more than a small fraction of the core from heating to a temperature at which a gross release of fission products occurs.

3. To meet the precision requirements of safety design bases 1 and 2, the controls and instrumentation for the CSCS's respond to conditions that indicate the potential inadequacy of core cooling, regardless of the physical location of the defect causing the inadequacy.

CHAPTER 07 7.4-1 REV. 26, APRIL 2017

4. To place limits on the degree to which safety is dependent on operator judgment in time of stress, the following safety design bases are specified:

a. Appropriate responses of the CSCS's are initiated automatically by control systems when positive precise action is immediately required so that no decision or manipulation of controls beyond the capacity of plant operations personnel is demanded.

b. Intelligence of the responses of the CSCS's is provided to the operator by control room instrumentation so that faults in the actuation of safety equipment can be diagnosed.

c. Facilities for manual actuation of the CSCS's are provided in the control room so that operator action is possible, yet reserved for the remedy of a deficiency in the automatic actuation of the safety equipment or for control over the long term effects of an abnormal or accident condition.

5. To meet the reliability requirements of safety design bases 1 and 2, the following safety design bases are specified:

a. No single failure, maintenance, calibration, or test operation prevents the integrated operations of the CSCS's from providing adequate core cooling.

b. No protective device which causes interruption of performance or availability of the CSCS's is automatic, unless there is a high probability that continued use would make complete failure imminent.

Instead, such protective devices indicate off-standard conditions for operator decision and action.

c. The power supplies for the controls and instrumentation for the CSCS's are chosen so that core cooling can be accomplished concurrently with a loss of normal auxiliary AC power.

d. The physical events that accompany a LOCA do not interfere with the ability of the CSCS's controls and instrumentation to function properly.

e. Earthquake ground motion does not impair the ability of essential CSCS's controls and instrumentation to function properly.

CHAPTER 07 7.4-2 REV. 26, APRIL 2017

6. To verify the availability of the CSCS's, it is possible to test the controls and instrumentation.

7.4.3 Description 7.4.3.1 Identification The controls and instrumentation for the CSCS's are identified as the equipment required for the initiation and control of the following:

1. HPCIS

2. ADS

3. Core spray system

4. LPCI (an operating mode of the RHRS).

The equipment involved in the control of these systems includes automatic injection valves, turbine pump controls, electric pump controls, relief valve controls, and the switches, contacts, and relays that make up sensory logic channels. Testable check valves and certain automatic isolation valves are not included in this description; they are described in subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System."

The CSCS's initiation and control instrumentation can be conveniently broken into two parts, the incident detection circuitry and the control instrumentation. The incident detection circuitry, which is designed to meet the intent of IEEE-279-1968, includes those channels which detect a need for core cooling systems operation and the corresponding trip systems which initiate the proper response of the CSCS's. GE Topical Report NEDO-10139 details the compliance of CSCS's with IEEE-279-1968 on pages 3-7, 3-54, 3-86, 3-107, and 3-108 (paragraph 7.2.3.1).

Appendix H contains an evaluation of the facility with respect to the 70 General Design Criteria for Nuclear Power Plant Construction Permit (July 1967).

To assure the functional capabilities of the CSCS's during and after earthquake ground motions, the controls and instrumentation for each of the systems are designed as seismic Class I equipment.

This meets safety design basis 5e.

7.4.3.2 High Pressure Coolant Injection System Control and Instrumentation CHAPTER 07 7.4-3 REV. 26, APRIL 2017

PBAPS UFSAR 7.4.3.2.1 Identification and Physical Arrangement When actuated, the HPCIS pumps water from either the condensate storage tank or the suppression chamber to the reactor vessel via the feedwater lines. The HPCIS includes one turbine driven pump set and auxiliary equipment as shown in Drawings M-365, Sheets 1 and 2 and M-366, Sheets 1 through 4.

Pressure and level sensors and trip units used in the HPCIS are located on racks in the reactor building. The pressure compensation instruments used in the HPCIS are mounted in panels in the cable spreading and computer rooms. The only operating component for the HPCIS that is located inside the primary containment is one of the two HPCIS turbine steam supply line isolation valves. The rest of the HPCIS control and instrumentation components are located outside the primary containment. Cables connect the sensors to control circuitry in the computer room, cable spreading room, and control room.

Although the system is arranged to allow a full flow functional test of the system during normal reactor power operation, the test controls are arranged so that the system will operate automatically to fulfill its safety function if required during a full flow functional test. If testing does prohibit the automatic initiation of the system, the system must be in Technical Specification Action Statement. The logic for the HPCIS is shown in Drawing M-1-CC-39, Sheets 1 through 12.

7.4.3.2.2 High Pressure Coolant Injection System Initiation Signals and Logic Either reactor vessel low water level (level 2) or primary containment (drywell) high pressure automatically start the HPCIS.

Reactor vessel low water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The logic scheme used for initiating the HPCIS is shown in Figure 7.4.9 and is a single trip system containing two trip system logics. One trip system logic actuates upon receipt of a low water level signal. The other actuates upon receipt of a high drywell pressure signal. Either trip system logic can start the HPCIS. The HPCI trip system is powered by reliable DC buses.

Instrument settings for the HPCIS control and instrumentation are listed in Table 7.4.1. The reactor vessel low water level setting for HPCIS initiation is selected high enough above the active fuel to start the HPCIS in time both to prevent excessive fuel clad temperatures and to prevent more than a small fraction of the core CHAPTER 07 7.4-4 REV. 26, APRIL 2017

PBAPS UFSAR from reaching the temperature at which gross fuel failure occurs.

The water level setting is far enough below normal levels that spurious HPCIS startups are avoided. The primary containment pressure setting is selected to be as low as possible without inducing spurious HPCIS startup.

A manual initiation switch, shown on Drawing M-1-CC-39, Sheets 1, 2A and 7, allows the operator to manually start the system quickly.

7.4.3.2.3 High Pressure Coolant Injection System Initiating Instrumentation Reactor vessel low water level is monitored by four level transmitters that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual height of water in the vessel. The transmitters drive pressure compensation instruments. Two lines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of lines terminate outside the primary containment and inside the reactor building. They are physically separated from each other and tap off the reactor vessel at widely separated points. These same lines are also used for pressure and water level instruments for other systems. The level transmitters and pressure compensation instruments for the HPCIS are arranged in pairs, each pair sensing level from one pair of lines. The transmitter and pressure compensation instruments on each pair of lines provide an input to trip system A, the other to trip system B. This arrangement assures that no single transmitter or trip unit failure can prevent HPCIS initiation from reactor vessel low water level. These pressure compensation instruments are used to increase the accuracy of level measurements.

Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell, but inside the reactor building. The transmitters drive indicating electronic trip units which are located in panels in the reactor building. Pipes that terminate in the reactor building allow the transmitters to communicate with the drywell interior. The transmitters and trip unit combinations are grouped in pairs and are electrically connected so that no single failure of a transmitter or trip unit can prevent the initiation of the HPCIS due to primary containment high pressure.

7.4.3.2.4 High Pressure Coolant Injection System Turbine and Turbine Auxiliary Control CHAPTER 07 7.4-5 REV. 26, APRIL 2017

PBAPS UFSAR The HPCIS controls automatically start the HPCIS from the receipt of a reactor vessel low water level signal or primary containment high pressure signal and bring the system to its design flow rate within 55 seconds. The controls then function to provide design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate, at which time the HPCIS automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown.

The HPCI turbine is functionally controlled as shown in Drawing M-1-CC-39, Sheets 5 and 11. A speed governor limits the turbine speed to its maximum operating level. A control governor receives an HPCIS flow signal and adjusts the turbine steam control valve so that design HPCIS pump discharge flow rate is obtained. Manual control of the governor is possible in the test mode, but control of the governor automatically returns to the flow controller upon receipt of an HPCIS initiation signal. The flow signal used for automatic control of the turbine is derived from a flow element in the HPCIS pump discharge line. The governor controls the pressure applied to the hydraulic operator of the turbine control valve which, in turn, controls the steam flow to the turbine. Hydraulic pressure is supplied for both the turbine control valve and the turbine stop valve by the DC powered oil pump during startup and then by the shaft-driven hydraulic oil pump when the turbine reaches operating speed.

Upon receipt of an initiation signal, the auxiliary oil pump starts, providing hydraulic pressure for the turbine stop valve and turbine control valve hydraulic operator. During turbine startup, the lower of the signals from the startup ramp generator and the flow controller positions the control valve. The control valve hydraulic operator is biased to start the control valve open as hydraulic pressure is developed. Once sufficient hydraulic pressure is developed to reposition the control valve operator, the control valve starts to reclose, controlled by the idle ramp generator signal. The stop valve opens completely as hydraulic pressure is developed. When the stop valve starts open, a limit switch on the stop valve initiates the ramp generator to provide an increasing opening signal to the control valve to ramp the turbine up to rated flow within 55 seconds of the initiating signal. When the turbine reaches rated flow, the flow controller adjusts the control governor setting so that design flow is maintained.

The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected:

1. Turbine overspeed.

2. High turbine exhaust pressure.

CHAPTER 07 7.4-6 REV. 26, APRIL 2017

3. Low pump suction pressure.

4. Reactor vessel high water level.

5. Auto-isolation signal (subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System").

A probabilistic missile evaluation has been performed on the HPCIS pump turbine and is described in subsection 11.2.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service.

A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so close that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical-hydraulic device. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown. One pressure switch is used to detect low HPCIS pump suction pressure.

High water level in the reactor vessel indicates that the HPCIS has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in HPCIS turbine damage caused by gross carryover of moisture. The reactor vessel high water level setting which trips the turbine is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the turbine. Two level transmitters with pressure compensation instruments are arranged to require that both pressure compensation instruments must operate (coincidence) to initiate a turbine shutdown.

The controls for the turbine auxiliary oil pump are arranged for automatic or manual control. Upon receipt of an HPCIS initiation signal the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft-driven oil pump begins to supply hydraulic pressure. After about 30 sec during an automatic turbine startup, the pressure supplied by the shaft-driven oil pump is sufficient, and the auxiliary oil pump automatically stops upon receipt of a high oil pressure signal.

Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts.

CHAPTER 07 7.4-7 REV. 26, APRIL 2017

PBAPS UFSAR Operation of the gland seal condenser components - gland seal condenser condensate pump (DC), gland seal condenser blower (DC),

and gland seal condenser water level instrumentation - prevents out leakage from the turbine shaft seals. Startup of this equipment is automatic. Failure of this equipment will not prevent the HPCIS from providing water to the reactor vessel.

7.4.3.2.5 High Pressure Coolant Injection System Valve Control All automatic valves in the HPCIS are equipped with remote-manual test capability, so that the entire system can be operated from the control room. Motor operated valves are provided with appropriate limit switches to turn off the motors when the full open or full closed positions are reached. Valves that are automatically closed on isolation signals are equipped with remote-manual reset devices, so that they cannot be reopened without operator action. All essential components of the HPCIS control operate independent of normal AC power. The HPCI steam supply inboard isolation valve is AC powered, but is normally maintained open.

To assure that the HPCIS can be brought to design flow rate within 55 seconds from the receipt of the initiation signal, the following maximum operating times for essential HPCIS valves are provided by the valve operation mechanisms:

HPCIS turbine steam supply valve 40 seconds HPCIS pump discharge valves 20 seconds HPCIS pump minimum flow bypass valve 12 seconds The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa.

Because the two HPCIS steam supply line isolation valves are normally open and because they are intended to isolate the HPCIS steam line in the event of a break in that line, the operating time requirements for them are based on isolation specifications.

These are described in subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System." A normally closed DC motor operated isolation valve is located in the turbine steam supply line just upstream of the turbine stop valve. Upon receipt of an HPCIS initiation signal, this valve opens and remains open until closed by operator action from the control room.

An inside of the drywell and an outside of the drywell isolation valve has been provided in the steam supply to the turbine. These valves are normally open. On Unit 2, a normally closed isolation CHAPTER 07 7.4-8 REV. 26, APRIL 2017

PBAPS UFSAR valve has been provided in the 1-inch line that bypasses the isolation valve that is outside the drywell. The valve in the bypass line is used to control warm-up of the HPCI steam line before the HPCIS is returned to service with the reactor at power.

On Unit 3, the HPCI steam supply isolation valve is used to permit controlled steam line heatup. The steam supply line isolation valve inside the drywell is controlled by an AC motor. The valve outside the drywell is controlled by a DC motor. The bypass valve is a solenoid actuated, air operated valve that fails closed on loss of power or air. Although the main isolation valves are normally open, an HPCIS initiating signal opens them if they are closed. All three valves automatically close upon receipt of an HPCIS turbine steam line high flow signal, or an HPCIS turbine steam supply low pressure signal, or high steam line space temperature. The closure by the HPCIS turbine steam line high flow signal is delayed to prevent isolation of the HPCIS on transient high flow conditions experienced during system startup.

The nominal 3-second time delay is determined by station setpoint control processes. This meets the intent of NUREG-0737, Item II.K.3.15. The instrumentation for isolation is described in subsection 7.3, "Primary Containment and Reactor Vessel Isolation Control System."

The HPCI turbine exhaust line is equipped with vacuum breakers to prevent suppression pool water from being sucked into the line.

The line to the vacuum breakers is equipped with an automatic isolation valve. The isolation signal for the valve consists of a high drywell pressure signal and a low reactor pressure signal combined in "AND" logic. The high drywell pressure indicates a need for containment isolation. The low reactor pressure signal is a permissive that allows automatic isolation only after reactor pressure has dropped to a value that renders the HPCIS inoperable.

Three pump suction valves are provided in the HPCIS. One valve provides pump suction from the condensate storage tank and the other two in series provide suction from the suppression chamber.

The condensate storage tank is the initial source. All three valves are operated by DC motors. The control arrangement is shown in Drawing M-1-CC-39, Sheets 1, 2A and 7. Although the condensate storage tank suction valve is normally open, an HPCIS initiation signal opens it if it is closed. If the water level in the condensate storage tank falls below a preselected level, the suppression chamber suction valves automatically open. When the suppression chamber valves are both fully open, the condensate storage tank suction valve automatically closes. Two level switches are used to detect the condensate storage tank low water level condition. Either switch can cause the suppression chamber suction valves to open. The suppression chamber suction valves also automatically open and the condensate storage tank suction valve closes if a high water level is detected in the suppression CHAPTER 07 7.4-9 REV. 26, APRIL 2017

PBAPS UFSAR chamber. Two level switches monitor the water level. Either switch can initiate opening of the suppression chamber suction valves. If open, the suppression chamber suction valves automatically close upon receipt of the signals that initiate HPCIS steam line isolation.

Two DC motor operated HPCIS pump discharge valves in the pump discharge line are provided. Both valves are arranged to open upon receipt of either one of the HPCIS initiation signals. The valves remain open after receipt of a turbine trip signal until closed by operator action in the control room.

To prevent damage by overheating at reduced HPCIS pump flow, a pump discharge minimum flow bypass is provided back to the suppression chamber. The bypass is controlled by an automatic, DC motor-operated valve. At HPCIS high flow, the valve is closed; at low flow, the valve is opened. A flow switch in the HPCIS pump discharge line provides the necessary signals. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped. This is necessary to prevent drainage of the condensate storage tank into the suppression pool which is at a lower elevation.

To prevent the HPCIS steam supply line from filling up with water and cooling, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain line arrangement just upstream of the turbine supply valve. The controls position valves so that during normal operation steam line drainage is routed to the main condenser. Upon receipt of an HPCIS initiation signal, the drainage path is isolated. The water level in the steam line drain condensate pot is controlled by a level switch and a direct-acting solenoid valve which energizes to allow condensate to flow out of the pot.

During test operation, the HPCIS pump discharge can be routed to the condensate storage tank or the suppression pool. DC motor operated valves are installed in the pump discharge test lines.

Upon receipt of an HPCIS initiation signal, the valves close and remain closed. In order to prevent injection of contaminated water into the condensate storage tank during testing, the valve that directs flow to the condensate storage tank is interlocked closed if any HPCIS or RCICS suppression chamber suction valve is fully open. Numerous indications pertinent to the operation and condition of the HPCIS are available to the control room operator.

Drawing M-1-CC-39, Sheets 6 and 12 shows the various indications provided.

The control circuits of motor operators for all automatically operated HPCI valves required to perform the HPCIS safety function, primary containment isolation or reactor vessel CHAPTER 07 7.4-10 REV. 26, APRIL 2017

PBAPS UFSAR isolation, are arranged such that motor thermal overload protection is provided for manual operation of the valve, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload. During automatic operation, the thermal overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received.

The operator can override the thermal overload circuit by continuously holding the spring-return control switch in the operate position during manual operation.

7.4.3.2.6 High Pressure Coolant Injection System Environmental Considerations The only HPCIS control component located inside the primary containment that must remain functional in the environment resulting from a LOCA is the control mechanism for the inboard isolation valve on the HPCIS turbine steam line. The HPCIS control and instrumentation equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate. The environmental capabilities of the HPCIS equipment is discussed in subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.3 Automatic Depressurization System Control and Instrumentation 7.4.3.3.1 Identification and Physical Arrangement Automatically controlled relief valves are installed on the main steam lines inside the primary containment. The valves are dual purpose in that they will open due to overpressure or by action of an electric-pneumatic control system (subsection 4.4, "Nuclear System Pressure Relief System"). Depressurization by automatic action of the control system is intended to reduce nuclear system pressure during a LOCA in which the HPCIS flow is not adequate so that the core spray system and LPCIS can inject water into the reactor vessel. The automatic control and instrumentation equipment for the relief valves is described in this section. The controls and instrumentation for one of the relief valves are discussed. Other relief valves equipped for automatic depressurization are identical.

The control system, which is functionally illustrated in Drawing M-1-CC-13, Sheets 1, 2, 13 and 14, consists physically of pressure and water level sensors arranged in trip systems that control a solenoid operated pilot air valve. The solenoid operated pilot valve controls the pneumatic pressure applied to a diaphragm actuator which controls the relief valve directly. An accumulator is included with the control equipment to store CHAPTER 07 7.4-11 REV. 26, APRIL 2017

PBAPS UFSAR pneumatic energy for relief valve operation. The accumulator is sized to hold a volume equivalent to five valve operations following failure of the pneumatic supply to the accumulator. The accumulator is supplied from either the plant instrument nitrogen (primary source) or the plant instrument air system (secondary source) and also from the long-term, safety-grade pneumatic supply. The electrical control circuitry is powered by DC from the station batteries. The power supplies for the control channels are separated to limit the effects of electrical failures. Electrical elements in the control system energize to cause opening of the relief valve.

7.4.3.3.2 Automatic Depressurization System Initiating Signals and Logic Two initiation signals are used for the ADS:

1. Reactor vessel low water level.

2. Primary containment (drywell) high pressure.

Reactor vessel low water level indicates that the fuel is in danger of becoming overheated. This low water level would normally not occur unless the HPCIS failed. Primary containment high pressure indicates that a breach in the nuclear system process barrier has occurred inside the drywell.

The presence of both initiation signals concurrently will cause the relief valves to open after a maximum two-minute time delay provided that at least one LPCI or two core spray pumps are running. Any combination of CS pumps running except A and B or C and D will satisfy the requirement. Additionally, the primary containment high pressure signal is bypassed after an extended time delay following receipt of a reactor vessel low water level signal. This causes the relief valves to open in response to a reactor vessel low water level signal alone, provided that at least one LPCI or two core spray pumps are running.

After receipt of the initiation signals, the solenoid operated pilot air valve is energized, allowing pneumatic pressure from the accumulator to act on the actuator. The diaphragm actuator is an integral part of the relief valve and mechanically displaces the second-stage piston to a position to permit the relief valve to remain open. Lights in the control room inform the control room operator of relief valve position.

A two-position switch is provided in the control room for the control of each relief valve. The two positions are OPEN and AUTO. In the open position the switch energizes the solenoid CHAPTER 07 7.4-12 REV. 26, APRIL 2017

PBAPS UFSAR operated pilot valve, which allows pneumatic pressure to be applied to the diaphragm actuator of the relief valve.

This allows the control room operator to take action independent of the automatic system. The relief valves can be manually opened to provide a controlled nuclear system cooldown under conditions where the normal heat sink is not available. Manual reset circuits are provided for the initiating signals and for the logic circuits. Manually resetting the logic before the delay timers time out causes the timers to be recycled. The operator can use the logic reset switch to delay or prevent automatic opening of the relief valves if such delay or prevention is prudent.

A manual inhibit switch is provided in the control room for each of the two logics. A keylocked switch is used to limit the potential for inadvertent actuation of the manual inhibit. The operator can use the inhibit switch to prevent automatic opening of the relief valves if such prevention is prudent. Alarms alert the operator of activation of the manual inhibit.

The logic scheme used for initiating the system is shown in Figure 7.4.9 and is a single trip system containing two trip system logics. Each trip system logic can initiate automatic depressurization. The trip system is powered by reliable DC buses.

Instrument specifications and settings are listed in Table 7.4.2.

The wiring from the trip systems to each relief valve is routed in separate conduits to reduce the probability that a single event will prevent automatic opening of the relief valves. Pump discharge pressure switches are used to sense that the core spray and LPCI pumps are running.

The reactor vessel low water level initiation setting for the ADS is selected to open the relief valves to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the core spray system and LPCIS following a LOCA in which the other makeup systems (feedwater, RCICS, HPCIS) fail to maintain vessel water level. The primary containment high pressure setting is selected to be as low as possible without inducing spurious initiation of the ADS.

7.4.3.3.3 Automatic Depressurization System Initiation Instrumentation The pressure and level switches used to initiate the ADS are common to each relief valve control circuitry. Reactor vessel low water level is detected by four level transmitters and pressure compensation instruments that measure differential pressure.

Primary containment high pressure is detected by four pressure CHAPTER 07 7.4-13 REV. 26, APRIL 2017

PBAPS UFSAR transmitters and trip units. The transmitters, trip units, and pressure compensation instruments combinations used for these two initiating functions are the same ones used for the LPCIS and core spray system. Two additional uncompensated level transmitters are used to confirm reactor low water level as part of the interlocks.

The primary containment high pressure signals are arranged to seal into the control circuitry; they must be manually reset to clear.

Timers are used in the control circuitry for each of the two logics. The delay time setting before the ADS is actuated on low reactor vessel level and high drywell pressure is chosen to be long enough so that the HPCIS has time to start, yet not so long that the core spray system and LPCIS are unable to adequately cool the fuel if the HPCIS fails to start. The delay time setting before the ADS is activated on low reactor vessel level alone is chosen to be long enough to allow the operator time to correctly diagnose plant conditions and inhibit the ADS in the case of an ATWS event, yet not so long that the core spray and LPCIS are unable to adequately cool the fuel if the HPCIS fails to start.

An alarm in the control room is annunciated every time any of the timers is running.

The requirement that at least one LPCI pump or two core spray pumps be running before automatic depressurization starts ensures that cooling will be available to the core after the system pressure is lowered.

7.4.3.3.4 Automatic Depressurization System Alarms A temperature element is installed in the thermowell in the relief valve discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting relief valve leakage during plant operation. When the temperature in any relief valve discharge line exceeds a preset value, an alarm is sounded in the control room. The alarm setting is selected far enough above normal rated power temperatures to avoid spurious alarms yet low enough to give early indication of relief valve leakage.

7.4.3.3.5 Automatic Depressurization System Environmental Considerations Control and instrumentation equipment of the ADS such as signal cables, solenoid valves, and relief valve operators are the only items that are located inside the primary containment and that must remain functional in the environment resulting from a LOCA.

These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of these items. Other equipment, located outside the drywell, is selected in consideration of the normal and accident CHAPTER 07 7.4-14 REV. 26, APRIL 2017

PBAPS UFSAR environments in which it must operate. Refer to subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.4 Core Spray System Control and Instrumentation 7.4.3.4.1 Identification and Physical Arrangement The core spray system consists of two independent spray loops as illustrated in M-362, Sheets 1 and 2. Each loop is capable of supplying sufficient cooling water to the reactor vessel to adequately cool the core following a design basis LOCA. The two spray loops are physically and electrically separated so that no single physical event makes both loops inoperable. Each loop includes two AC motor driven pumps, appropriate valves, and the piping to route water from the suppression pool to the reactor vessel. The controls and instrumentation for the core spray system includes either trip units and relays or pressure compensation instruments and relay contact output cards, and the sensors, wiring, and valve operating mechanisms used to start, operate, and test the system. Except for the testable check bypass valve in each spray loop, which is inside the primary containment, the sensors and valve closing mechanisms for the core spray system are located in the reactor building. Testable check valves are described in subsection 6.6, "Inspection and Testing."

Each core spray pump is powered from a separate AC bus which is capable of receiving standby power. The power supplies for automatic valves in each loop are from the same sources as these used for the core spray pumps in that loop. Control power for each of the core spray loops comes from separate DC buses. The electrical equipment in the control room for one core spray loop is isolated from that used for the other loop.

7.4.3.4.2 Core Spray System Initiating Signals and Logic The control scheme for the core spray system is illustrated in Drawing M-1-CC-41, Sheets 1 through 8. Trip settings are given in Table 7.4.3. The overall operation of the system following the receipt of an initiating signal is as follows:

1. Test bypass valves are closed and interlocked to prevent opening.

2. If normal AC power is available, the A & C pumps start after a 13-second time delay. The B & D pumps will start after a 23 second time delay. The valves in the suction paths from the suppression chamber are maintained open so that no automatic action is required to line up suction.

CHAPTER 07 7.4-15 REV. 26, APRIL 2017

3. If normal power is not available, the four pumps start simultaneously 6 seconds after the standby power source is available.

4. When reactor vessel pressure drops to a preselected value, valves open in the pump discharge lines, allowing water to be sprayed over the core.

5. When pump differential pressure indicates that sufficient discharge flow is present, the pump low flow bypass valves shut, directing full flow into the reactor vessel.

Two automatic initiating functions are used for the core spray system: (1) primary containment (drywell) high pressure plus low reactor pressure and (2) reactor vessel low water level. Either initiation signal can start the system.

The logic scheme used for initiating the core spray system is comprised of two trip systems, each containing two trip system logics. One trip system logic actuates upon receipt of a low water signal. The other actuates upon receipt of a high drywell pressure signal if the reactor pressure is low. Each trip system logic is made up of two parallel logic pairs. Each trip system logic, in a trip system, can initiate the respective loop of the core spray system. The trip systems are powered by reliable independent DC buses.

A manual initiation switch in each of the two systems, shown on Drawing M-1-CC-41, Sheets 1 and 5, allows the operator to manually start the system quickly.

Reactor vessel low water level indicates that the core is in danger of being overheated due to the loss of coolant. Concurrent drywell high pressure and low reactor pressure indicates that a breach of the nuclear system process barrier has occurred inside the drywell. The reactor vessel low water level setting and primary containment high pressure and low reactor vessel pressure settings and the instruments that provide the initiating signals are selected and arranged so as to assure adequate cooling for the design basis LOCA without inducing spurious system startups.

7.4.3.4.3 Core Spray System Pump Control The control arrangements for the core spray pumps are shown in Drawing M-1-CC-41, Sheets 1 and 5. The circuitry provides for detection of normal power available, so that all pumps are automatically started in sequence. Each pump can be manually controlled by a control room remote switch, or the automatic control system. Pressure and flow instrumentation on the CHAPTER 07 7.4-16 REV. 26, APRIL 2017

PBAPS UFSAR discharge line from each set of core spray pumps provide signals in the control room to indicate the successful startup of the pumps.

The core spray pump motors are provided with overload and undervoltage protection. Overload relays are applied so as to maintain power as long as possible without immediate damage to the motors or emergency power system.

7.4.3.4.4 Core Spray System Valve Control Except where specified otherwise, the remainder of the description of the core spray system refers to one spray loop. The second core spray loop is identical. The control arrangements for the various automatic valves in the core spray system are indicated in Drawing M-1-CC-41, Sheets 1, 2, 3, 5, 6, and 7. All motor operated valves are equipped with switches to turn off the valve motor when the valve reaches the limits of movement and provide control room indication of valve position. Each automatic valve can be manually operated from the control room.

The control circuits of motor operators for automatically operated core spray system valves are arranged such that motor thermal overload protection is provided during manual operation, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload. During automatic operation, the overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received. The operator can override the thermal overload circuit by continuously holding the spring-return control switch in the operate position during manual operation.

Upon receipt of an initiation signal the test bypass valve is interlocked shut. The core spray pump discharge valves are automatically opened when nuclear system pressure drops to a pre-selected value; the setting is selected low enough so that the low pressure portions of the core spray system are not overpressurized, yet high enough to open the valves in time to provide adequate cooling for the fuel. Four sets of pressure transmitters and trip units are used to monitor nuclear system pressure. These are connected in a one-out-of-two-twice logic to initiate opening of the discharge valves. The full stroke operating time of the motor operated discharge valves is selected to be rapid enough to assure proper delivery of water to the reactor vessel in a design basis accident.

A differential pressure indicating switch across each core spray pump provides a signal to operate the minimum flow bypass line valve for each pump. When the flow reaches the value required to CHAPTER 07 7.4-17 REV. 26, APRIL 2017

PBAPS UFSAR prevent pump overheating, the valves close, directing all flow into the sparger.

7.4.3.4.5 Core Spray Alarms and Indications Core spray system pressure between the two pump discharge valves is monitored by a pressure switch to permit detection of leakage from the nuclear system into the core spray system outside the primary containment.

A detection system is also provided to continuously confirm the integrity of the core spray piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures the pressure difference between the bottom of the core and the inside of the core spray sparger pipe just outside the reactor vessel. If the core spray sparger piping is intact, this pressure difference will be the pressure drop across the core. If the core spray piping outside the shroud fails, this pressure drop will include the core pressure drop and the steam separator pressure drop. An increase in the normal pressure drop initiates an alarm in the control room. Pressure in each core spray pump suction and discharge line is monitored by a pressure indicator which is locally mounted to permit determination of suction head and pump performance.

7.4.3.4.6 Core Spray System Environmental Considerations There are no control and instrumentation components for the core spray system that are located inside the primary containment that must operate in the environment resulting from a LOCA. All components of the core spray system that are required for system operation are outside the drywell and are selected in consideration of the normal and accident environments in which they must operate. Refer to subsection 7.19, "Class 1E Equipment Environmental Qualification."

7.4.3.5 Low Pressure Coolant Injection Control and Instrumentation 7.4.3.5.1 Identification and Physical Arrangement LPCI is an operating mode of the RHRS that uses pumps and piping that are parts of the RHRS. Because the LPCIS is designed to provide cooling water to the reactor vessel following the design basis LOCA, the controls and instrumentation for it are discussed here. Subsection 4.8, "Residual Heat Removal System," describes the RHRS in detail.

Drawing M-361 Sheets 1 through 4 shows the entire RHRS, including the equipment used for LPCI operation. The following list of CHAPTER 07 7.4-18 REV. 26, APRIL 2017

PBAPS UFSAR equipment itemizes essential components for which control or instrumentation is required:

1. Four RHRS pumps.

2. Pump suction valves.

3. LPCI-to-recirculation loop injection valves.

The instrumentation for LPCI operation provides inputs to the control circuitry for other valves in the RHRS. This is necessary to ensure that the water pumped from the suppression chamber by the pumps is routed directly to a reactor recirculation loop.

These interlocking features are described in this section. The actions of the reactor recirculation loop valves are also described in this section because these actions are accomplished to facilitate LPCI operation.

LPCI operation uses two identical loops, each loop with two pumps in parallel. The two loops are arranged to discharge water into different reactor recirculation loops. Drawing M-361, Sheets 1 through 4, shows the locations of instruments, control equipment, and LPCI components relative to the primary containment. Except for the LPCI testable check valves and the reactor recirculation loop valves, the components pertinent to LPCI operation are located outside the primary containment.

The power for the RHRS pumps is supplied from AC buses that can receive standby AC power. Each of the four pumps derives its power from a different bus. The primary source of power for the LPCI inboard injection valves and recirculation pump discharge valves is from one of two redundant buses, with the capability to automatically transfer to the redundant and independent power supply upon loss of the primary power source. Control power for the LPCI components comes from the DC buses. Redundant trip systems are powered from different DC buses. Each pump is provided with a redundant start signal in one-out-of-two logic.

LPCI is arranged for automatic operation and for remote-manual operation from the control room. The equipment provided for manual operation of the system allows the operator to take action independent of the automatic controls in the event of a LOCA.

7.4.3.5.2 Low Pressure Coolant Injection Initiating Signals and Logic CHAPTER 07 7.4-19 REV. 26, APRIL 2017

PBAPS UFSAR The overall operating sequence for LPCI following the receipt of an initiation signal is as follows:

1. If normal AC power is available, the A & B pumps start after a 2-second time delay and the C & D pumps start after an 8-second time delay. The valves in the suction paths from the suppression chamber are maintained open so that no automatic action is required to line up suction.

2. If normal AC power is not available, the four pumps start simultaneously with no delay as soon as the standby power source is available.

3. The discharge valves in the reactor recirculation loops automatically close when the reactor pressure decreases below the low pressure setpoint.

4. Selected valves automatically realign so that the water pumped from the suppression chamber is routed properly.

5. The high pressure service water pumps automatically stop (if running) because they are not needed for LPCI operation.

6. When nuclear system pressure has dropped to a value at which the RHR System pumps are capable of injecting water into the recirculating loops, the LPCIS injection valves to the recirculation loops automatically open.

7. The LPCIS then delivers water to the reactor vessel via the recirculation loops to provide core cooling.

In the descriptions of LPCI controls and instrumentation that follow, Drawing M-361, Sheets 1 through 4, can be used to determine the physical locations of sensors. Drawing M-1-CC-40, Sheets 1 through 14 can be used to determine the functional use of each sensor in the control circuitry for the various LPCI components. Instrument characteristics and settings are given in Table 7.4.4.

Two automatic initiation functions are provided for the LPCI: (1) primary containment (drywell) high pressure plus low reactor pressure and (2) reactor vessel low water level. Either initiation signal can start the system.

The logic scheme used for initiating the LPCIS is shown in Figure 7.4.9 and is comprised of two trip systems each containing two-trip system logics. Each of the two initiation trip system logics can initiate its trip system. Each LPCI pump receives a CHAPTER 07 7.4-20 REV. 26, APRIL 2017

PBAPS UFSAR start signal from the two trip systems either of which starts the pump. Each of these pump start circuits contains its own emergency bus voltage sensing relay and appropriate timing relays to assure complete redundancy of the starting signals. The trip systems are powered by reliable independent DC buses. The instruments used to detect reactor vessel low water level, primary containment high pressure and low reactor pressure are the same ones used to initiate the other CSCS.

A manual initiation switch, shown on Drawing M-1-CC-40, Sheets 1 and 8, allows the operator to manually start the system quickly.

7.4.3.5.3 Low Pressure Coolant Injection Pump Mode Control The functional control arrangement for the pumps is shown in Drawing M-1-CC-40, Sheets 1 and 8.

The time delays are provided by timers which are set as shown Table 7.4.4 to prevent overloading the power source.

Pressure switches installed in the pump discharge lines upstream of the pump discharge check valves provide indication of proper pump operation following an initiation signal. Low pressure in a pump discharge line indicates pump failure. The locations of the pressure switches relative to the discharge check valves prevent the discharge pressure from an operating pump from concealing a pump failure.

To prevent RHRS pump damage due to overheating at no flow, the control circuitry prevents a pump from starting unless a suction path is lined up. Limit switches on suction valves provide indications that a suction lineup is in effect. If suction valves change from their fully open position during RHRS pump operation, the limit switches trip the pump power supply breaker open.

The RHRS pump motors are provided with overload and undervoltage protection. The overload relays are applied so as to maintain power on the motor as long as possible without harm to the motor or immediate damage to the emergency power system.

7.4.3.5.4 Low Pressure Coolant Injection Valve Control The automatic valves controlled by the LPCI control circuitry are equipped with appropriate switches which turn off the valve operating mechanisms whenever the valves reach the limits of travel. Seal-in and interlock features are provided to prevent improper valve positioning during automatic LPCI operation. The operating mechanisms for the valves are selected so that the LPCI operation is in time for the system to fulfill its objective of providing adequate core cooling following a design basis LOCA.

CHAPTER 07 7.4-21 REV. 26, APRIL 2017

PBAPS UFSAR The time required for the valves pertinent to LPCI operation to travel from the fully closed to the fully opened positions, or vice versa, is as follows:

LPCI injection valves 34 sec Reactor recirculation discharge valves 29 sec Containment(drywell spray) cooling valves20 sec RHRS test line isolation valves 112 sec The pump suction valves to the suppression pool are normally open.

Upon receipt of an LPCI initiation signal certain reactor shutdown cooling system valves and the RHRS test line and containment spray valves automatically close to automatically return the system to the LPCI lineup. By closing these valves the pump discharge is properly routed. Also included in this set of valves are the valves which, if not closed, would permit the pumps to take a suction from the reactor recirculation loop, a lineup that is used during normal shutdown cooling system operation.

The control circuits of motor operators for automatically operated LPCIS valves are arranged such that motor thermal overload protection is provided during manual operation, but is bypassed for automatic operation. This prevents an automatically initiated valve operation from being interrupted by motor thermal overload.

During automatic operation, the overload circuit produces an alarm for overload conditions. In the manual mode, valve operation is interrupted and an alarm is received. The operator can override the thermal overload circuit by continuously holding the spring return control switch in the operate position during manual operation.

A motor operated valve is located in the RHR cross-tie line between pump discharge headers within each division. The RHR cross-tie valve is manually operated from the control room to enter the RHR cross-tie mode of operation. With the valve open, a single RHR pump can be aligned to both RHR heat exchangers within a division, increasing cooling capacity of the RHR system.

A throttling valve is located in the discharge of each RHR pump before the associated heat exchanger. In the shutdown cooling mode, they are used to throttle RHR flow as the cooling requirement diminishes. During LPCI operation, they provide resistance to flow to prevent RHR pump runout in the event of pump output flowing into a broken recirculation line. The valves are positioned for LPCI operation during RHR surveillance testing, to ensure LPCI flow is above the minimum required to satisfy CHAPTER 07 7.4-22 REV. 26, APRIL 2017

PBAPS UFSAR Technical Specifications, but limited to the maximum calculated flow to ensure that adequate NPSH remains available for the RHR pump, and also to prevent pump runout. To alert operators that the valves have been moved from their proper LPCI alignment during any period when LPCI could be needed, an alarm appears in the control room when the valves are moved from their proper position.

During the RHR cross-tie mode, the valves can be throttled to balance the flow rate between heat exchangers within the operating RHRS division.

The LPCIS is designed for automatic operation following a recirculation line break. The LPCI logic opens the LPCI valve and closes the recirculation pump discharge valves in both recirculation loops providing cooling for the reactor core. The LPCI logic is configured such that the recirculation pump discharge valves do not close until the reactor pressure has decayed below the low pressure setpoint. The functional control diagrams for the recirculation loop valves are provided in subsection 7.9. The manual control for the recirculation loop valves is interlocked to prevent valve opening whenever the LPCI initiation signal is present. The LPCI valves do not open until reactor pressure decreases to a value below the discharge head of the LPCIS. LPCI flow then enters the reactor vessel when the check valves open due to LPCI pressure being higher than reactor pressure.

A timer cancels the LPCI signals to the outboard LPCI injection valves and to the RHR throttling valves after a delay time long enough to permit satisfactory operation of the LPCIS. The cancellation of the signals allows the operator to divert the water for other post-accident purposes. Cancellation of the signals does not cause the injection valves or the throttling valves to move.

The manual controls in the control room allow the operator to open an LPCI valve only if either nuclear system pressure is low or the other injection valve in the same line is closed. These restrictions prevent overpressurization of low pressure piping.

The same pressure transmitter and trip unit used for the automatic opening of the valves are used in the manual circuit. Limit switches on both injection valves for each LPCI loop provide the valve position signals required for injection valve manual operation at high nuclear system pressure.

To protect the pumps from overheating at low flow rates a minimum flow bypass line, which routes water from the pump discharge to the suppression chamber, is provided for each pump. A single motor-operated valve controls the condition of each bypass line.

The minimum flow bypass valve automatically opens upon low flow in CHAPTER 07 7.4-23 REV. 26, APRIL 2017

PBAPS UFSAR the discharge line from the associated pump. The valve automatically closes whenever the flow from the associated pump is above the low flow setting. The RHR minimum flow bypass valves are controlled by differential pressure switches across each RHR pump. Drawing M-361Figure 7.4.6 shows the location of the differential pressure switches. One switch is used for each pump.

The valves that allow the diversion of water for containment cooling are automatically closed upon receipt of an LPCI initiation signal. The manual controls for the drywell valves are interlocked so that opening the valves by manual action is not possible unless both primary containment (drywell) pressure is high, which indicates the need for containment cooling, and reactor vessel water level inside the core shroud is above the level equivalent to two-thirds the core height. Four transmitters and trip units are used to monitor drywell pressure. The trip setting is selected to be as low as possible yet provide indication of abnormally high drywell pressure. The trip units which are in one-out-of-two-twice logic must register the drywell high-pressure condition to allow opening of containment cooling valves by manual action. A level transmitter and pressure compensation instrument is used to monitor water level inside the core shroud for each loop's set of valves. A keylock switch in the control room allows a manual override of the two-thirds core height permissive contact for the containment cooling valves.

Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess the LPCI operation. Valves have indications of full open and full closed positions. Pumps have indications for pump running and pump stopped. Alarm and indication devices are shown in Drawing M-361, Sheets 1 through 4 and Drawing M-1-CC-40, Sheets 7 and 14.

7.4.3.5.5 Low Pressure Coolant Injection Environmental Considerations The only control components pertinent to LPCI operation that are located inside the primary containment that must remain functional in the environment resulting from a LOCA are the cables and valve closing mechanisms for the recirculation loop discharge valves.

The cables and valve operators are selected with environmental capabilities that assure valve closure under the environmental conditions resulting from a design basis LOCA. Gamma and neutron radiation is also considered in the selection of this equipment.

Other equipment located outside the drywell is selected in consideration of the normal and accident environments in which it must operate. Refer to subsection 7.19, "Class 1E Equipment Environmental Qualification."

CHAPTER 07 7.4-24 REV. 26, APRIL 2017

PBAPS UFSAR 7.4.3.5.6 Low Pressure Coolant Injection Load Shed In order to ensure that sufficient power is available to start the RHR pumps during LOCA event, the affected unit's backup air compressor is tripped if running or prevented from being started for the first 60 seconds of the LOCA event. The compressor load shed is initiated by a Division I or Division II LPCI initiation signal.

7.4.4 Safety Evaluation In Sections 14.0, "Plant Safety Analysis," and 6.0, "Core Standby Cooling Systems," the individual and combined capabilities of the CSCS's are evaluated. The control equipment characteristics and trip settings described in this section were considered in the analysis of CSCS's performance. For the entire range of nuclear process system break sizes the cooling systems are effective both in preventing excessive fuel clad temperature and in preventing more than a small fraction of the reactor core from reaching the temperature at which a gross release of fission products can occur. This conclusion is valid even with significant failures in individual cooling systems because of the overlapping capabilities of the CSCS's. The controls and instrumentation for the CSCS's satisfy the precision and timeliness requirements of safety design bases 1 and 2.

Safety design basis 3 requires that instrumentation for the CSCS's responds to the potential inadequacy of core cooling regardless of the location of a breach in the nuclear system process barrier.

The reactor vessel low water level initiating function, which can actuate HPCI, ADS, LPCI, and core spray without coincident high drywell pressure, meets this safety design basis because a breach in the nuclear system process barrier inside or outside the primary containment is sensed by the low water level detectors.

The use of the reactor vessel low water level signal as the only CSCS initiating function completely independent of breach location is adequate. This is based on the isolation responses of the primary containment and reactor vessel isolation control system to a breach of the nuclear system outside the primary containment.

The other major initiating function, primary containment high pressure, is provided because the primary containment and reactor vessel isolation control system may not be able to isolate all nuclear system breaches inside the primary containment. The primary containment high pressure initiating signal for the CSCS's provides a second reliable method for sensing losses of coolant that cannot necessarily be stopped by isolation valve action.

This second initiating function is independent of the physical location of the breach within the drywell. The method used to initiate the ADS in the short term, which employs reactor vessel CHAPTER 07 7.4-25 REV. 26, APRIL 2017

PBAPS UFSAR low water level and primary containment high pressure in coincidence, requires that the nuclear system breach be inside the drywell because of the required primary containment high pressure signal. This control arrangement is adequate in view of the automatic isolation of the reactor vessel by the primary containment and reactor vessel isolation control system for breaches outside the primary containment and because the ADS is required only if the HPCIS fails. Coincident failure of the primary containment and reactor vessel isolation control system would be needed for nuclear system breaks outside the primary containment. However, if these situations do occur, the existence of a low water level signal for an extended time period will cause initiation of the ADS without the presence of high drywell pressure. Thus safety design basis 3 is satisfied.

An evaluation of CSCS controls shows that no operator action beyond the capacity of the operator is required to initiate the correct responses of the CSCS's.

The alarms and indications provided to the operator in the control room allow interpretation of any situation requiring CSCS operations and verify the response of each system. Manual controls are illustrated on functional control diagrams. The control room operator can manually initiate every essential operation of the CSCSs.

Because the degree to which safety is dependent on operator judgment and response has been appropriately limited by the design of CSCS control equipment, safety design bases 4a, 4b, and 4c are satisfied.

The redundancy provided in the design of the control equipment for the CSCSs is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the CSCSs is similar to that provided by the dual trip system arrangement of the RPS. No failure of a single initiating sensor channel can prevent the start of the cooling systems. The number of control components provided in the design for individual cooling system components are consistent with the need for the controlled equipment. An evaluation of the control schemes for each CSCS component shows that no single control failure can prevent the combined cooling systems from providing adequate core cooling. In performing this evaluation the redundancy of components and cooling systems was considered. The functional control diagrams provided with the descriptions of cooling systems were used in assessing the functional effects of instrumentation failures. In the course of the evaluation, protection devices which can interrupt the planned operation of cooling system components were investigated for the results of their normal CHAPTER 07 7.4-26 REV. 26, APRIL 2017

PBAPS UFSAR protective action as well as maloperation on core cooling effectiveness.

The only protection devices that can act to interrupt planned CSCS operation are those that must act to prevent complete failure of the component or system. Examples of such devices are the HPCIS turbine overspeed trip, HPCIS steam line break isolation trip, pump trips on low suction pressure, and minimum flow bypass valves for pumps. In every case the action of a protective device cannot prevent other redundant cooling systems from providing adequate cooling to the core.

The locations of controls where operation of CSCSs components can be adjusted or interrupted are in areas under the surveillance of operations personnel.

The environmental capabilities of instrumentation for the CSCSs are discussed in the descriptions of the individual systems.

Components which are located inside the primary containment and which are essential to CSCS performance are designed to operate in the environment resulting from a LOCA.

Special consideration has been given to the performance of reactor vessel water level and pressure sensors, pressure compensation instruments, and condensing chambers during rapid depressurization of the nuclear system. The discussion of this consideration is included in subsection 7.2, "Reactor Protection System," and is equally applicable to the instrumentation for the CSCS's.

It is concluded from the previous paragraphs and the description of control equipment that safety design basis 5 is satisfied. The testing capabilities of the CSCSs, which are discussed in the following section, satisfy safety design basis 6.

7.4.5 Inspection and Testing Components required for HPCI, LPCI, and core spray are designed to allow functional testing during normal power operation. Overall testing of these systems is described in Section 6.0, "Core Standby Cooling Systems." During overall functional tests the operability of the valves, pumps, turbines, and their control instrumentation can be checked. The ADS relief valves are subjected to tests during shutdown periods.

Logic circuitry used in the controls for the CSCS's can be individually checked by applying test or calibration signals to the sensors and observing trip system responses. Valve and pump operation from manual switches verifies the ability of breakers and valve closing mechanisms to operate. Normal lineup of the CSCS's is restored following a LOCA if the testing was a pump, CHAPTER 07 7.4-27 REV. 26, APRIL 2017

PBAPS UFSAR valve and flow test. If a LOCA occurred while conducting a logic test, the division of the system under test would remain disabled, the other division of the system would operate normally.

CHAPTER 07 7.4-28 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.4.1 HIGH PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS HPCI Function Instrument Type Range(required) Accuracy(a) Trip Setting(b)

Reactor vessel high water level Level transmitter 0-225 in H20 +/-3.5% 593 in turbine trip and pressure com- above vessel zero pensation instrument Turbine exhaust high pressure Pressure switch 0-200 psig +/-1% 150 psig HPCIS pump high suction pressure Pressure switch 10-75 psig +/-2% 70 psig HPCIS pump low suction pressure Pressure switch 0-30 in HG vac +/-2% 15 in HG vac Reactor vessel low water level Level transmitter 0-215 in H20 +/-3.5% 472 in and pressure com- above vessel zero pensation instrument Primary containment (drywell) Pressure transmitter 0-25 psig +/-1% 2.5 psig high pressure and indicating trip unit HPCIS steam supply low pressure Pressure switch 0-1500 psig +/-2% 50 psig Condensate storage tank low level Level switch -2 in to 0 5% 60 in above to 2 in H2O bottom of tank HPCIS flow (for discharge bypass) Flow switch N/A +/-5% High - 1,290 gpm Low - 500 gpm Suppression pool high water level Level switch N/A for these +/-1/4" 16'-6.5" above devices torus invert Turbine overspeed Centrifugal device N/A +/-100 rpm 5,000 rpm Steam line high differential Pressure switch -300 in to +/-5% 278 in WC pressure +300 in H20 Steam leak detection high temperature RTD and Trip Unit 50 - 350F +/-2% 220F (a)

Instruments for this service have accuracy within this range over the actually purchased full scale.

(b)

The values given here have been used in the setpoint analysis; however, the allowable values are listed in the Technical Specifications.

CHAPTER 07 7.4-29 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.4.2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENT SPECIFICATIONS System Function Instrument Type Normal Range(required) Accuracy(1) Trip Setting(2)

Reactor vessel low water level(3) Level transmitter 0-225 in H20 +/-3.5% 366.3 in above and pressure com- vessel zero pensation instrument Primary containment (drywell) Pressure transmitter 0-5 psig +/-1% 2.5 psig high pressure(3) and indicating trip unit ADS actuation timer(3) Timer 0-180 sec --- 120 sec (3)

ADS bypass timer Timer 1-30 min +/-5% 12 min Relief valve leakage Temperature switch 0-600F +/-1% 200F LPCI pump discharge pressure(3) Pressure switch 0-450 psig +/-2% 66.55 psig Core spray pump discharge Pressure switch 0-500 psig +/-1% 201.55 psig pressure(3)

Confirmatory low reactor vessel(3) Level transmitter 0-60 in H20 +/-3.5% 538 in above water level and indicating trip vessel zero unit (1)

Instruments for this service have accuracy within this range over the actually purchased full scale.

(2)

The values given here have been used in the setpoint analysis; however, these are not the instrument setpoints. The setpoints are in the Improved Instrument Setpoint Control Program (IISCP), and the allowable values except relief valve leakage are listed in the Technical Specifications.

(3)

Incident detection circuitry instrumentation.

CHAPTER 07 7.4-30 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.4.3 CORE SPRAY SYSTEM INSTRUMENT SPECIFICATIONS Core Spray Function Instrument Type Range(required) Accuracy(1) Trip Setting(2)

Reactor vessel low water Level transmitter 0-225 in H2O +/-3.5% 366.3 in level (3) and pressure com- above vessel zero pensation instrument Primary containment high Pressure transmitter 0-5 psig +/-1% 2.5 psig pressure(3) and indicating trip unit Reactor vessel low pressure Pressure transmitter 0-1,200 psig +/-1% 400 psig and pressure com-pensation instrument Core spray sparger high Differential -10 to +10 psid +/-1.0% 0.5 psid differential pressure pressure switch Pump discharge flow Flow indicator 0-8,000 gpm +/-10% ---

Pump suction pressure Pressure indicator 0-10 psig +/-1% ---

Pump discharge pressure Pressure indicator 0-500 psig +/-2% ---

Pump discharge flow Flow switch 450-900 ft w.c. 846/864 ft w.c.

CS sequence delay (Pump A)* Timer --- +/-7% 13 seconds CS sequence delay (Pump B)* Timer --- +/-7% 23 seconds CS sequence delay (Pump C)* Timer --- +/-7% 13 seconds CS sequence delay (Pump D)* Timer --- +/-7% 23 seconds (1)

Instruments for this service have accuracy within this range over the actually purchased full scale (2)

The values given here have been used in the setpoint analysis; however, the allowable values are listed in the Technical Specifications.

(3)

Incident detection circuitry instrumentation.

Offsite power available CHAPTER 07 7.4-31 REV. 22, APRIL 2009

PBAPS UFSAR TABLE 7.4.4 LOW-PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS LPCI Function Instrument Type Range (required) Accuracy(1) Trip Setting(2)

(3)

Reactor vessel low water level Level transmitter 0-225 in H2O +/-3.5% 366.3 in above (LPCI pump start signal) and pressure com- vessel zero pensation instrument Primary containment (drywell) Pressure transmitter 0-5 psig +/-1% 2.5 psig high pressure (LPCI initiation)(3) and indicating trip unit Reactor vessel low water level Level transmitter 0-400 in H2O +/-5% 309 in above vessel (inside shroud) and pressure com- zero (2/3 core height) pensation instrument LPCI sequence delay (pump A)* Timer --- +/-7% 2 sec LPCI sequence delay (pump B)* Timer --- +/-7% 2 sec LPCI sequence delay (pump C)* Timer --- +/-7% 8 sec LPCI sequence delay (pump D)* Timer --- +/-7% 8 sec LPCI reactor vessel low pressure Pressure transmitter 50-1,200 psig +/-1% 400 psig and pressure com-pensation instrument LPCI reactor vessel low-pressure Pressure transmitter 0-1,200 psig +/-1% 200 psig permissive (recirculation pump and pressure com-discharge valve closing) pensation instrument LPCI valve initiation Timer 0-15 min --- 10 min signal cancellation

Offsite power available 1 of 2 CHAPTER 07 7.4-32 REV. 22, APRIL 2009

PBAPS UFSAR PBAPS TABLE 7.4.4 (continued)

LOW-PRESSURE COOLANT INJECTION SYSTEM INSTRUMENT SPECIFICATIONS LPCI Function Instrument Type Range (required) Accuracy(1) Trip Setting(2)

Containment spray valve manual Pressure transmitter 0-10 psig +/-1% 1 psig control interlock - high and indicating trip drywell pressure unit LPCI pump low flow Differential pressure 0-1,000 gpm +/-2% 336.7 psid switch (1)

Instruments for this service have accuracy within this range over the actually purchased full scale.

(2)

The values given here have been used in the setpoint analysis; however, the allowable values are listed in the Techinical Specifications.

(3)

Incident detection circuitry instrumentation.

2 of 2 CHAPTER 07 7.4-33 REV. 22, APRIL 2009

PBAPS UFSAR 7.5 NEUTRON MONITORING SYSTEM 7.5.1 Safety Objective The safety objective of the neutron monitoring system is to detect conditions in the core that threaten the overall integrity of the fuel barrier due to excessive power generation and provide signals to the RPS, so that the release of radioactive material from the fuel barrier is limited.

7.5.2 Power Generation Objective The power generation objective of the neutron monitoring system is to provide information for the efficient, expedient operation and control of the reactor. Specifically, the neutron monitoring system detects conditions that could lead to local fuel damage and provides signals that can be used to prevent such damage, so that plant availability is not reduced.

7.5.3 Identification The neutron monitoring system consists of five major subsystems as follows:

1. Wide range neutron monitor subsystem (WRNMS).

2. Local power range monitor subsystem (LPRMS).

3. Average power range monitor subsystem (APRMS).

4. Rod block monitor subsystem (RBMS).

5. Traversing in-core probe subsystem (TIPS).

7.5.4 Wide Range Neutron Monitor Subsystem 7.5.4.1 Power Generation Design Basis

1. With all control rods fully inserted, the present irradiated fuel and neutron detectors will maintain a minimum WRNM count rate based on a graph plotting WRNM count rate versus signal-to-noise ratio contained in the Technical Specifications. In cases where the core is fully unloaded, reloading can be accomplished by using procedures which, at a minimum, will maintain this signal count to noise count and counts per second.

If this cannot be achieved, new startup sources will be provided in new source holders in the reactor pressure vessel.

CHAPTER 07 7.5-1 REV. 26, APRIL 2017

2. The WRNMS is designed to indicate a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 sec during the worst possible startup rod withdrawal conditions.

3. The WRNMS is designed to indicate substantial increases in output signals with the maximum permitted number of WRNM channels out of service during normal reactor startup operations.

4. The WRNMS provides a measure of the time rate of change of the neutron flux (reactor period) for operational convenience and reactor protection.

5. The WRNMS is capable of generating a trip signal to block rod withdrawal if the WRNMS reading exceeds a preset value or if the WRNMS is not operating properly.

6. The WRNMS is designed so that overlapping neutron flux indications exist with the power range monitoring subsystems.

7.5.4.2 Safety Design Basis

1. The WRNMS is capable of generating a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate range.

2. The independence and redundancy incorporated in the design of the WRNMS is consistent with the safety design basis of the RPS.

7.5.4. Description 7.5.4.3.1 Identification The WRNMS provides neutron flux information during reactor startup and low flux level operations to the lower portion of the power range monitoring subsystems. There are eight WRNM channels each of which includes one detector that is positioned in the core.

7.5.4.3.2 Power Supply Power is supplied separately from two 24 VDC sources. The supplies are split according to their use so that loss of a power supply results in loss of only one trip system of the RPS.

Conduits and physical separation isolate the power buses external to the WRNM cabinet.

CHAPTER 07 7.5-2 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.4.3.3 Physical Arrangement Each detector assembly consists of a miniature fission chamber operated in the pulse counting mode and attached to a low-loss mineral insulated triaxial transmission cable (Figure 7.5.2). The sensitivity of a new WRNM detector is 2x10-3 cps/nv nominal at rated reactor temperature. The detector cable is connected underneath the reactor vessel to a triple-shielded coaxial cable.

This shielded cable carries the pulses formed to a detector preamplifier located outside the primary containment.(1)

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. The detectors are fixed in-core and vertically positioned 1.5 ft above the reactor fuel center line (Figure 7.5.3). Wide range signal conditioning equipment is designed so that it may be used for open-core experiments.

7.5.4.3.4 Signal Conditioning The signal input from the WRNM detector via the detector preamplifier is a train whose count rate is indicative of the counting flux in the counting range and whose Mean Square Voltage is indicative of neutron flux in the MSV range.

The high voltage power supply supplies a polarizing potential for the fission counter detector.

The discriminator module removes undesired (noise) pulses from the signal received from the Detector Preamplifier. Each negative pulse received represents the detector gas ionization that results from fission product generation (desired signal pulses), alpha and beta particles, and gamma ray generation (noise pulses). Noise pulses also result from EMI effects (non-ionization events).

After passing through a bandpass filter, and upon further amplification, high and low height discrimination is applied to the signal in order to remove the noise pulses (EMI, alpha particles, beta particles, and gamma rays).

Pulses which pass through the discriminator window are counted by hardware counters on the discriminator module. These counters are read to calculate an observed count rate in counts per second (CPS). The raw count rate is then filtered with a time constant which varies.

MSV Flux The neutron flux may be determined from the AC component of the voltage input from the detector. This signal is amplified by the CHAPTER 07 7.5-3 REV. 26, APRIL 2017

PBAPS UFSAR preamplifier with a gain and is then passed into the MSV card where one of the three separate RMS converters further amplify the signal and determines the signals RMS value. Only the 150-450 KHz frequency band of the signal is considered. The RMS value is read from the output of the present on-scale RMS converter.

This voltage is then gain corrected and linearized (each RMS converter introduces some non-linearities which are determined during calibration and corrected for). The resulting RMS voltage corresponds to the RMS of the voltage output of the detector.

This RMS voltage is range limited and filtered. The neutron flux is based on the square of this RMS voltage (MSV).

The WRNM flux is calculated from the counting based flux and the MSV based flux. At low flux levels the counting based flux is more accurate than the MSV based flux, and at high flux levels the MSV flux is more accurate. An intermediate flux region exists through which both flux measurement methods are accurate. This transition region is defined based on the measured MSV flux.

Below the transition region the WRNM flux is equal to the counting based flux. Above the transition region the WRNM flux is equal to the MSV flux. Within the transition region the WRNM flux is linear interpolation of the log flux values. The percent power is proportional to WRNM flux.

Calibration and pulse discriminator features are included to enable the accuracy of internal power and all measuring circuits to be verified and the trip level of the trip circuits to be set and checked. Period generators provide a means for verifying the calibration of the system.

7.5.4.3.5 Trip Functions The WRNMS performs trip functions during shutdown and startup conditions (i.e., Reactor Mode Switch not in RUN) using fail-safe logic. The trips are shown in Table 7.5-2.

The WRNMS is divided into two groups of WRNM channels arranged in the core as shown in Figure 7.5.6. Each group of WRNM channels is associated with one of the two trip systems of the RPS. Two WRNM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining channels are installed in separate bays of the cabinet. Full-length side covers on the cabinet bays isolate the WRNM groups. The arrangement of WRNM channels allows one WRNM channel in each group to be bypassed without compromising neutron monitoring startup operation.

Each WRNM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates whenever the high voltage drops below a preset level, whenever one of the modules is not plugged in, when a self CHAPTER 07 7.5-4 REV. 26, APRIL 2017

PBAPS UFSAR test system declares a fault, or whenever the "Operate" switch is not in the OPERATE position. Each of the other trip circuits can be chosen to operate whenever present downscale or upscale levels are reached. A simplified WRNM circuit arrangement is shown in Figure 7.5.22.

The trip functions actuated by the WRNM trips are indicated in Table 7.5.2. The reactor mode switch determines whether WRNM trips are effective in initiating a rod block and a reactor scram.

Subsection 7.7, "Reactor Manual Control System," describes the WRNM rod block trips. With the reactor mode switch in REFUEL or STARTUP, an WRNM upscale period or inoperative trip signal actuates a neutron monitoring system trip of the RPS. Only one WRNM channel must trip to initiate a neutron monitoring system trip of the associated trip system of the RPS (Figure 7.2.9).

7.5.4.4 Power Generation Evaluation The locations and sensitivities of the WRNM detectors are designed to provide a count rate of at least three counts per second when all control rods are fully inserted in the reactor or a signal-to-noise ratio equal to or exceeding the curve in the Technical Specifications if the count rate is below 3 cps.

Design calculations show that if the multiplication of neutron sources in one section of the core is increased to the extent necessary to put that section of the reactor on a 20-sec period, the nearest WRNM chamber shows an increase in count rate; in general, at least one detector indicates the change in multiplication.

Normal startup procedures require specific rod withdrawal patterns that ensure that the withdrawn control rods are distributed about the core so that the multiplication in no one section of the core exceeds the average by a large amount; hence, each WRNM chamber can respond to some degree as the initial rod withdrawal is accomplished. Current design indicates that a scattered rod withdrawal of approximately one-fourth of all control rods is required to reach criticality.

The WRNMS is the primary source of information on the approach of the reactor to the power range. Its period trips with the rod blocking features require that the operator corrects an increase in core reactivity by rod motion. The sensitivity of the WRNM is such that the WRNM is on scale over the entire range to a reactor power up to 100 percent.

CHAPTER 07 7.5-5 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.4.5 Safety Evaluation The safety evaluation in subsection 7.2, "Reactor Protection System," evaluates the arrangement of the redundant input signals to the RPS. The neutron monitoring system trip input to the RPS and the trip channels used in actuating a neutron monitoring system trip are of equivalent independence and redundancy to other RPS inputs.

The number and locations of the WRNM detectors have been analytically and experimentally determined to provide sufficient startup (wide) range flux level information under the worst permitted bypass and detector failure conditions. For verification of this, a range of rod withdrawal accidents has been analyzed. The most severe case assumes the reactor is critical and operating in the startup range, a single out of sequence rod is inadvertently selected and withdrawn at maximum drive speed and RWM Rod Block fails. A scram signal is initiated when one WRNM detector in each RPS trip system reaches its scram trip level.

The WRNM scram trips are automatically bypassed when the reactor mode switch is in the RUN position and the APRM's are on scale.

The WRNM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position.

The WRNM detectors and electronics have been tested under operating conditions and verified to have the stated operational characteristics and as such provide the level of precision and reliability required by the RPS safety design bases.

Further analysis is presented in GE documents NEDE-24011-P, "Generic Reload Fuel Application Licensing Topical Report,"

Appendix A of NEDE-24011 and NEDE-24000. The WRNMS performs all the functions previously performed by the IRMS.

7.5.4.6 Inspection and Testing Each WRNM channel is tested and calibrated using the procedures in the WRNM instruction manual. All calibration functions are semi-automatic or automatic with manual verification. Each of the various WRNM channels can be checked to ensure that the WRNM short period scram and rod block functions are operable.

7.5.5 DELETED CHAPTER 07 7.5-6 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.6 Local Power Range Monitor Subsystem 7.5.6.1 Power Generation Design Basis

1. The LPRMS provides signals proportional to the local neutron flux at various locations within the reactor core to the APRMS, so that accurate measurements of average reactor power can be made.

2. The LPRMS supplies signals to the RBMS, so that measurement of changes in local relative neutron flux can be made during the movement of control rods.

3. The LPRMS is capable of alarming under conditions of high or low local neutron flux indication.

4. The LPRMS supplies signals proportional to the local neutron flux to the process computer (PMS) to be used in power distribution calculations, local heat flux calculations, minimum critical heat flux calculations, and fuel burnup calculations.

5. The LPRMS supplies signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of the power distribution, local heat flux, minimum critical heat flux, and fuel burnup.

7.5.6.2 Description 7.5.6.2.1 Identification The LPRMS consists of the fission chamber detectors, the signal conditioning equipment, and trip functions (Drawing M-1-T-20, Sheets 3 and 4). The LPRM signals are also used in the APRMS, RBMS, and process computer (PMS).

7.5.6.2.2 Power Supply Detector polarizing voltage for the LPRMs is supplied by eight pairs of redundant DC power supplies, adjustable from 75 to 200 VDC. Each DC power supply pair powers approximately one-eighth of the LPRMs. Power for the DC power supplies comes redundantly from the two 120 VAC Reactor Protection System buses via intermediate DC power supplies. These intermediate DC supplies also provide power for the LPRM amplifier cards. The redundant power supply in the power supply pair allows for on-line detector current-voltage testing without interrupting the polarizing voltage to the remaining detectors not undergoing testing. In the event that the CHAPTER 07 7.5-7 REV. 26, APRIL 2017

PBAPS UFSAR primary power supply fails, the redundant supply will take over normal detection polarizing functions.

The 75-200 VDC power supplies can supply up to 3 milliamperes for each LPRM detector which ensures that the chambers can be operated in the saturated region at the maximum specified neutron flux.

The voltage applied to the detectors varies no more than 2 VDC over the maximum variation of electrical input and environmental parameters.

7.5.6.2.3 Physical Arrangement The LPRMS includes LPRM detectors located throughout the core at different axial heights. Figure 7.5.6 illustrates the LPRM detector radial layout scheme which provides a detector assembly at every fourth intersection of the narrower of the water channels around the fuel bundles (narrow-narrow water gap). Thus, every narrow-narrow water gap has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant.

The 43 LPRM detector assemblies, each containing four fission chambers, are distributed to monitor four horizontal planes throughout the core. The detector assemblies (Figure 7.5.9) are inserted into the core in spaces between the fuel assemblies through thimbles which are mounted permanently at the bottom of the core lattice and which penetrate the bottom of the reactor vessel. These thimbles are welded to the reactor vessel at the penetration point. They extend down into the access area below the reactor vessel where they terminate in a flange which mates to the mounting flange on the incore detector assembly. The detector assemblies are locked at the top end to the top fuel guide by means of a spring-loaded plunger. This type of assembly is referred to as top entry-bottom connect, since the assembly is inserted through the top of the core and penetrates the bottom of the reactor vessel. Special water sealing caps are placed over the connection end of the assembly and over the penetration at the bottom of the vessel during installation or removal of an assembly. This prevents the loss of reactor coolant water upon removal of an assembly and also prevents the connection end of the assembly from being immersed in the water during installation or removal.

Each LPRM detector assembly contains four miniature fission chambers with an associated solid sheath cable. Each fission chamber produces a current which when coupled with the LPRM signal conditioning equipment provides the desired scale deflection throughout the design lifetime of the chamber. Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit.

Each assembly also contains a calibration tube for a TIP. The enclosing tube around the entire assembly contains holes evenly CHAPTER 07 7.5-8 REV. 26, APRIL 2017

PBAPS UFSAR spaced along its length. These holes allow circulation of the reactor coolant water to cool the fission chambers. Numerous tests have been performed on the chamber assemblies including tests of linearity, lifetime, gamma sensitivity, and cable effects.(1) These tests and experience in operating reactors provide confidence in the ability of the LPRMS to monitor neutron flux to the design accuracy throughout the design lifetime.

The four miniature fission chambers used on each assembly are designed to operate up to a temperature of 599F and a pressure of 1,250 psig. The chambers are vertically spaced in the LPRM detector assemblies in such a manner as to give adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies. Each miniature chamber consists of two concentric cylinders, which act as electrodes. The inner cylinder, the collector, is mounted on insulators and is separated from the outer cylinder by a small air gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium coated outer electrode. The chamber has at the beginning of operation, a sensitivity of approximately 2.15 x 10-17 amps/nv and is operated at a polarizing potential of approximately 100 V.

The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all ions produced in the ion chamber can be collected if the polarizing voltage is high enough.

When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage and has a linearity of approximately 1 percent over the design operating range.

7.5.6.2.4 Signal Conditioning The current signals from the LPRM detectors are transmitted to the LPRM amplifier modules within the control room electronics drawers. Amplifiers are arranged with up to five on an LPRM Input Module mounted in the APRM/LPRM chassis assembly. The current signal from a chamber is transmitted directly to its amplifier through coaxial cable. The amplifier is a linear current to voltage amplifier whose voltage output is proportional to the current input and therefore is proportional to the magnitude of the neutron flux. The amplifier output is digitized and sent to the digital processing electronics. The digital electronics apply hardware gain corrections, perform filtering, and apply the LPRM gain factors. The digital electronics provide suitable output signals for the computer, recorders, annunciators, etc. The LPRM amplifiers also isolate the detector signals from the rest of the processing so that individual faults in one LPRM signal path will not affect other LPRM signal.

CHAPTER 07 7.5-9 REV. 26, APRIL 2017

PBAPS UFSAR The LPRM signals can be read by the operator on the reactor console on either the APRM Operator Display Assemblies (ODAs) or the RBM ODAs. LPRM readings can be read on the APRM ODAs by selecting summary LPRM displays. When the control rod is selected for movement, LPRM readings can be read on the RBM ODAs for the 16 LPRM detectors nearest to the selected rod (see Figure 7.5.13).

Subsection 7.7, "Reactor Manual Control System," describes in greater detail the indications on the reactor console associated with the selected control rod.

7.5.6.2.5 Trip Functions The trip functions for the LPRMs provide trip signals to activate displays and annunciators. Table 7.5.3 indicates the trips.

The trip levels can be adjusted to within +/-0.1 percent of full-scale deflection and are accurate to +/-1 percent of full-scale deflection in the normal operating environment.

7.5.6.3 Power Generation Evaluation The LPRMS, as calibrated by the TIPS, provides detailed information about the neutron flux throughout the reactor core.

The total of 43 LPRM assemblies and their distribution is determined by extensive calculational and experimental procedures.

Individual failed chambers can be bypassed, and neutron flux information for a failed chamber location can be interpolated from nearby chambers. A substitute reading for a failed chamber can be derived from an octant-symmetric chamber, or an actual flux indication can be obtained by insertion of a TIP to the failed chamber position. The LPRM outputs provide for the functions required in the LPRM power generation design basis. Each output is electrically isolated so that an event (grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of any other LPRM signal. Test and experience(1) attest to the ability of the detector to respond proportionally to the local neutron flux changes.

7.5.6.4 Inspection and Testing LPRM channels are calibrated using data from previous full power runs and TIP data and are tested by procedures in the applicable instruction manual. The uncertainty value for the LPRM update uncertainty will be twice the value specified in the methodology contained in General Electric Licensing Topical Report NEDC-32694P-A, dated August 1999.

7.5.7 Average Power Range Monitor Subsystem CHAPTER 07 7.5-10 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.7.1 Safety Design Basis

1. The design of the APRMS is such that for the worst permitted input LPRM bypass conditions, the APRMS is capable of generating a scram trip signal in response to average neutron flux increases resulting from abnormal operational transients in time to prevent fuel damage.

The APRMS design also includes an OPRM upscale function that generates a trip signal upon detection of thermal-hydraulic instabilities.

2. The design of the APRMS is consistent with the requirements of the safety design basis of the RPS.

7.5.7.2 Power Generation Design Basis

1. The APRMS provides a continuous indication of average reactor power from a few percent to 125 percent of rated reactor power.

2. The APRMS is capable of providing trip signals for blocking rod withdrawal when the average reactor power exceeds pre-established limits.

3. The APRMS provides a reference power level for use in the RBMS.

7.5.7.3 Description 7.5.7.3.1 Identification The APRM System has four APRM channels, each of which uses input signals from 43 LPRM detectors. Each of the four APRM channels provides input to four two-out-of-four voter channels. Each voter channel is assigned to a specific RPS trip channel (i.e., A1, A2, B1, B2). Therefore, each APRM channel contributes to all four RPS channels.

7.5.7.3.2 Power Supply The APRM channels receive power redundantly from the 120-V AC supplies used for the RPS power.

Each APRM two-out-of-four voter channel receives power from the same 120 V AC power as the Reactor Protection System trip system with which it is associated.

7.5.7.3.3 Signal Conditioning CHAPTER 07 7.5-11 REV. 26, APRIL 2017

PBAPS UFSAR The APRM channel uses digital electronic equipment which averages the output signal from a selected set of LPRMs, generates trip outputs via the two-out-of-four voter channels (see Section 7.5.7.3.4), and provides signals to readout equipment. Each APRM channel can average the output signals from up to 43 LPRM channels. Assignment of LPRM channels to an APRM is shown in Table 1A and 1B on Drawing M-1-T-20, Sheets 3 and 4 with the distribution through the core shown in Figure 7.5.10. The letters at the detector locations in Drawing M-1-T-20, Sheets 3 and 4 refer to the axial positions of the detectors in the LPRM detector assembly. Position A is the bottom position, positions B and C are above position A, and position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions throughout the core. Some LPRM detectors may be bypassed, but the averaging logic automatically corrects for these by removing them from the average. The APRM value calculated from the LPRM inputs is adjusted by a digitally entered gain factor to allow calibration of the APRM to a heat balance.

Each APRM channel calculates a flow signal which is used to determine the APRMs flow-biased STP rod block and scram setpoints (see Drawing M-1-T-20, Sheets 3 and 4). The flow signal is also used to determine the trip-arming region associated with the Oscillation Power Range Monitor function. Each signal is determined by summing the flow signals from the two-recirculation loops. These signals are sensed from two flow elements, one in each recirculation loop (see Drawing M-352). The differential pressure from each flow element is routed to four different pressure transducers (eight total). The signals from two differential pressure transducers, one from each flow element, are routed to two inputs to each APRM digital electronics. Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function that monitors small groups of LPRM signals to detect thermal-hydraulic instabilities. The OPRM Upscale Function receives input signals from small groups of LPRMs within the reactor core. The groups of LPRMs are combined into cells for evaluation by the OPRM algorithms.

All APRM channels are powered redundantly, via interpost low voltage DC power supplies, from both the A and B Reactor Protection System 120 Vac power buses. The LPRM signal processing equipment is powered by the same sources as their associated APRM channels.

7.5.7.3.4 Trip Function The digital electronics for each APRM channel provide trip signals to the Reactor Protection System (RPS) via the APRM two-out-of-four voter channels and directly to the Reactor Manual Control CHAPTER 07 7.5-12 REV. 26, APRIL 2017

PBAPS UFSAR System via APRM interface hardware. Any two unbypassed APRM channels, via the APRM two-out-of-four voter channels, can initiate an RPS trip in both RPS trip systems. Any one unbypassed APRM can initiate a rod block. Table 7.5.4 lists the APRM trip functions. Subsection 7.7, Reactor Manual Control System, describes in more detail the APRM rod block functions.

In the run mode of operation the APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip setpoint with recirculation flow changes.

An OPRM Upscale trip is issued from an OPRM channel when the Confirmation Density Algorithm (CDA) in that channel detects oscillatory changes in the neutron flux as indicated by periodic confirmations and amplitude exceeding the specified setpoints for a specified number of OPRM cells in the channel. The CDA is credited in the Licensing Analysis for OPRM. An OPRM Upscale trip is also issued from the channel if any of the DIDA (PBDA, ABA, GRA) exceed their trip condition for one or more cells in that channel. The PBDA, GRA and ABA are not credited in the Licensing Analysis for the OPRM and are provided for defense-in-depth only. The OPRM upscale trip output is automatically enabled (not-bypassed) when its associated APRM STP is above the OPRM auto-enable power setpoint and its associated recirculation flow is below the OPRM autoenable setpoint. The OPRM upscale trip output is automatically bypassed when the STP and recirculation flow are not within the OPRM trip enable region.

If OPRM is not operable, Backup Stability Protection (BSP) is required. The BSP consists of three options, which include the BSP Boundary, BSP Manual Regions, and an Automatic BSP Scram.

The BSP Boundary defines the operating domain where potential instability events can be effectively addressed by the specified BSP manual operator actions. The Manual BSP Regions are procedurally controlled and require specified operator actions if predefined operational conditions occur. The Automated BSP Scram Region is designed to avoid reactor instability by automatically preventing entry into the region of the power and flow operating map that is susceptible to reactor instability. Backup Stability Protection is a temporary means to protect against thermal-hydraulic instability if the OPRM is not operable.

At least two unbypassed APRM channels must be in the APRM upscale or inoperative trip state to cause an ARRM/INOP UPSCALE RPS trip output from the APRM two-out-of-four voter channels. Similarly, at least two unbypassed APRM channels must be in the OPRM upscale state to cause an OPRM RPS trip output from the APRM two-out-of-four voter channels. In either of these conditions, all four CHAPTER 07 7.5-13 REV. 26, APRIL 2017

PBAPS UFSAR voter channels will provide an RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each of the four APRM two-out-of-four voter channels will have a half-trip, but no trip signals will be sent to the RPS (see Figure 7.2.8). The APRM/INOP and OPRM trips are voted independently. The Trips from one APRM can be bypassed by operator action in the control room, which bypasses both the APRM/INOP and OPRM trips from that APRM channel. Trip outputs to the RPS are transmitted by removing voltage to the associated RPS relay coil, so loss of power results in actuating the RPS trips.

A simplified APRM/RPS interface circuit arrangement is shown in Figure 7.2.8.

In the startup mode of operation, the APRM fixed upscale trip setpoint is set down to a low level. This trip function is provided in addition to the existing WRNM period upscale trip in the startup mode. The trip settings are listed in Table 7.5.4.

The trip functions are performed by digital comparisons in APRM electronics. The APRM flux value is developed by averaging the LPRM signals and then adjusting the average to develop an APRM power value. The APRM power is processed through a first order filter with a six second time constant to calculate a simulated thermal power that reflects the heat transfer characteristics in the core. These calculations are all performed by the digital processor and result in a digital representation of APRM and simulated thermal power. For each RPS trip and rod block alarm, the APRM power or simulated thermal power, as applicable, is digitally compared to the setpoint (which was previously entered and stored). If the power value exceeds the setpoint, the applicable trip is issued.

7.5.7.4 Safety Evaluation Each APRM derives its signal from information obtained from the LPRMS. The assignment, power separation, cabinet separation, and the LPRM signal isolation are in accord with the safety design basis of the RPS. There are four APRM/OPRM channels with the Reactor Protection System trip outputs from each routed to each of four APRM two-out-of-four voter channels. Two voter channels are associated with each Reactor Protection System trip system. This configuration allows one APRM/OPRM channel to be bypassed plus one APRM/OPRM channel failure while still meeting the Reactor Protection System safety design basis.

Above a plant power level defined by Technical Specifications, the ARPM power (and simulated thermal power) are adjusted periodically based on heat balance to match true reactor power. This adjustment is made regularly at a rate sufficient to compensate for LPRM burnup and the related change in APRM values. However, CHAPTER 07 7.5-14 REV. 26, APRIL 2017

PBAPS UFSAR coolant flow changes, control rod movements, and failed or bypassed LPRM inputs can also affect the relationship between APRM measured flux and true reactor power. These predictable APRM variations are included in the analysis performed to determine the minimum number of LPRM inputs required to be operable in order for the APRM channel to be operable. The analysis is performed, considering worst case combinations of failed LPRM inputs, at rated conditions by assuming both continuous withdrawal of the maximum worth control rod and reduction of recirculation flow to 40% of rated Flow. The minimum number of LPRM inputs for an APRM is determined such that the average of the remaining operable LPRM inputs still allows the APRM to track power excursions within the acceptance criteria assumed in plant safety analyses. If the number of operable LPRMs is less than the required minimum, the APRM channel is declared inoperable.

There is also a minimum cells requirement applied to the OPRM upscale function. The minimum number of OPRM cells per APRM channel is established to ensure that thermal-hydraulic instabilities are detected within the limits of the OPRM licensing methodology. If the number of cells is less than the required minimum, the OPRM channel is declared inoperable.

The adequacy of the flow reference and APRM scram set point is demonstrated to be adequate in preventing fuel damage as a result of abnormal operational transients by the analyses in Section 14.0, "Plant Safety Analysis."

7.5.7.5 Power Generation Evaluation The APRMS provides the operator with four continuous recordings of the APRM average flux. The rod blocking function prevents operation above the region defined by the design power response to recirculation flow control. The flow signal used to vary the rod block level is supplied from the recirculation system flow function within the APRM instrumentation. Two flow signal comparators within the RBM instrumentation monitor the four total flow signals and initiate an alarm if the four total flow signals are not in agreement. Because any one of the APRM's can initiate a rod block, this function has a high level of redundancy and satisfies the power generation design basis. Any one APRM channel may be bypassed. In addition, a minimum number of LPRM inputs -

20 total and 3 per each axial level - are required for each APRM channel to be operative. If the number is less than this, an automatic Trouble alarm and rod block are generated. Each OPRM channel processes up to 33 cells of LPRMs with each cell comprised of 3 or 4 LPRMs. A minimum of 25 OPRM cells must be operative with at least 2 LPRMs per cell. If the number of cells is less than this, an automatic Trouble alarm is generated.

CHAPTER 07 7.5-15 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.7.6 Inspection and Testing APRM channels are calibrated using a heat balance calculated by the plant process computer and are tested by procedures in the applicable instruction manual. Each APRM channel and APRM voter channel can be individually tested for the operability of the APRM scram and rod blocking functions by introducing test signals.

7.5.8 Rod Block Monitor Subsystem 7.5.8.1 Power Generation Design Basis

1. The RBMS is designed to prevent local fuel damage as a result of a single rod withdrawal error under the worst permitted condition of RBM bypass.

2. The RBMS provides a signal to permit operator evaluation of the change in the local relative power level during control rod movement.

7.5.8.2 Description 7.5.8.2.1 Identification The RBMS has two RBM channels, each of which uses input signals from a number of LPRM channels. A trip signal from either RBM channel can initiate a rod block. One RBM channel may be bypassed without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is 4 when using 4 LPRM assemblies, 3 when using 3 LPRM assemblies and 2 when using 2 LPRM assemblies (Figure 7.5.13).

7.5.8.2.2 Power Supply The RBMS power is received redundantly from the 120-V AC supplies used for the RPS.

7.5.8.2.3 Signal Conditioning The RBM signal is generated by averaging a set of LPRM signals.

The LPRM signals used depend on the control rod selected. Upon selection of a rod for withdrawal or insertion, the conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels (Figure 7.5.13 shows examples of the four possible LPRM/selected rod assignment combinations). For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-level and D-level detectors, and all four of the C-level detectors (see Figure 7.5.13). A-level LPRM detectors are not included in the RBM averages, but are displayed to the CHAPTER 07 7.5-16 REV. 26, APRIL 2017

PBAPS UFSAR operator. When a rod near, but not at, the edge of the core is selected, where there are fewer than four but at least two LPRM strings around the rod, the number of detectors used by the RBM channels is either six or four depending on how many LPRM strings are available. If a detector has been bypassed in the LPRM system, that detector is automatically deleted from the RBM processing and the averaging logic is adjusted to average only the remaining detectors.

After selection of a control rod, each RBM channel calculates the average of the related LPRM detectors and calculates a gain factor that will adjust the average to 100. Thereafter, until another rod is selected, the gain factor is applied to the LPRM average to obtain the RBM signal value. The RBM signal value is compared to RBM trip setpoints (see 7.5.8.2.4).

When a peripheral rod is selected, or if the APRM STP value from the RBMs associated APRM is below the automatic bypass level (approximately 30% power), the RBM function is automatically bypassed, the rod block outputs are set to permissive, and the RBM average is set to zero.

7.5.8.2.4 Trip Function The RBM supplies a trip signal to the Reactor Manual Control System to inhibit control rod withdrawal. The trip is set whenever the RBM signal value exceeds the RBM setpoint. There are three different setpoints, each a percentage above the RBM initial value of 100. The particular setpoint that is applied is selected based on the simulated thermal power value from the RBMs associated APRM channel (an alternate APRM channel is assigned and is automatically used for inputs if the primary APRM channel is bypassed or inoperative). Higher APRM simulated thermal power values select a lower setpoint. That is, at higher power levels, the percentage increase in the RBM value allowed is less than at lower power levels.

Either RBM channel can prevent rod movement. One of the two RBMs can be bypassed by the operator.

7.5.8.3 Power Generation Evaluation Motion of a control rod causes the LPRMs adjacent to the control rod to respond strongly to the change in power in the region the rod is in motion. However, the RBM trip setpoints have been determined in NEDC-32162P to assure that the RBM will adequately protect the reactor fuel and maintain adequate margin in the operating MCPR during the Rod Withdrawal Error transients by blocking control rod withdrawal, but not over-restricting the RBM system performance. The RBM setpoints are also valid for CHAPTER 07 7.5-17 REV. 26, APRIL 2017

PBAPS UFSAR peripheral cells with less than four LPRM strings. The RBM cells near the core peripheral may have one, two, or three LPRM strings.

In some peripheral cases, the responses are actually improved because the missing strings are the weaker signal inputs in a standard RBM cell.

7.5.8.4 Inspection and Testing The RBM channels are tested and calibrated by procedures given in the applicable instruction manuals. The RBM's are functionally tested by introducing test signals into the RBM channels.

7.5.9 Traversing In-Core Probe Subsystem 7.5.9.1 Power Generation Design Basis

1. The TIPS is capable of providing a signal proportional to the axial neutron flux distribution at selected small axial intervals over the regions of the core where LPRM detector assemblies are located. This signal is of high precision to allow reliable calibration of LPRM gains.

2. The TIPS provides accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial neutron flux distribution.

7.5.9.2 Description 7.5.9.2.1 Identification The TIPS includes three TIP machines, each of which has the following components:

1. One TIP detector.

2. One Drive mechanism.

3. Two Indexing mechanisms.

4. Up to 15 in-core guide tubes.

5. One chamber shield.

The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated fifteen-path indexer.

CHAPTER 07 7.5-18 REV. 26, APRIL 2017

PBAPS UFSAR 7.5.9.2.2 Physical Arrangement A TIP drive mechanism uses a gamma sensitive detector attached to a flexible drive cable, which is driven from outside the primary containment by a gearbox assembly. The flexible cable is contained by guide tubes that continue into the reactor core. The guide tubes are a part of the LPRM detector assembly and are specially prepared to provide a durable low friction surface. The 6-path indexing mechanism allows the use of a single detector in any of the different tube paths. The fifteenth tube of the fifteen path indexer is used for TIP cross calibration with the other TIP machines. The control system provides both manual and automatic operation. The TIP signal is amplified and displayed.

Core position versus neutron flux is recorded in the main control room.

The heart of each TIP machine is the probe (Figure 7.5.18),

consisting of a detector and the associated signal drive cable.

The gamma sensitive detector is .211 in. in diameter and 1.0 in.

in active length. The body of the detector is made of stainless steel and its inner electrodes are made of titanium. Sensitivity of the detector is approximately 3 x 10-14 amp/R/hr. The gamma TIP detector operates in an order of magnitude of the gamma flux level value 2.8 x 109 R/hr. The TIP system is scaled depending upon various factors within the core. The detector saturation voltage is approximately 150 V dc(1).

The signal current from the detector is transmitted from the TIP-to-TIP control system by means of a triaxial signal cable, which is an integral part of the mechanical drive cable. The outer sheath of the drive cable is constructed of carbon steel in a helix array. The cable drive mechanism engages this helix to effect movement in and out of the guide tubes. The inner surface of the guide tubing between the reactor vessel and the drive mechanism is coated with a ceramic bonded lubricant to reduce friction. Within the reactor vessel the guide tubing inner surface is nitrided.

The cable drive mechanism contains the drive motor, the cable takeup reel, and a resolver position transducer to provide the control unit with positioning data for the TIP at all locations along the guide tube.

The drive mechanism inserts and withdraws the TIP and its cable from the reactor and provides detector position indication signals. The drive mechanism consists of a motor and drive gear box which drives the cable in the manner of a rack and pinion. A two-speed motor is used providing a high speed for insertion and withdrawal (108 fpm) and a low speed for scanning the reactor core (18 fpm).

CHAPTER 07 7.5-19 REV. 26, APRIL 2017

PBAPS UFSAR A takeup reel is included in the cable drive mechanism to coil the drive cable as it is withdrawn from the reactor. The drive unit takeup reel uses slip rings to connect the TIP detector and its cable to the signal cable from the amplifier.

The resolver is attached to the same drift shaft as the drive wheel. For each degree of rotation of the drive wheel the detector moves a known distance. The TIP console sends a reference AC sine wave to the resolver. The feedback signals from the resolver's stator windings are used to determine detector speed, detector direction of travel, and distance the detector has travelled. The TIPS console circuitry converts the signals to position signal.

The Withdraw Limit Switch (WLS) is a position limit switch that provides an electrical interlock permissive to allow the 6-path indexing mechanism to rotate when the detector is behind the WLS.

The Transfer Insertion Switch (TIS) is a position limit switch that provides an electrical interlock permissive to allow the 15-path indexing mechanism to rotate to the next guide tube when the detector is behind the TIS. The cable drive motor includes an AC voltage-operated brake to prevent coasting of the TIP after a desired in-core position is reached. When the system is not in use, the detector probe is completely withdrawn to a position in the center of the chamber shield.

The TIP system uses the resolver signals to determine detector position. The detector stops on withdraw when the detector position signal equals the software position stored in the TIP system for the shield location. In the event the system fails or is used in the MANUAL Withdraw mode, a position limit switch named "Safety Limit Switch" (SLS) prevents farther withdraw. The SLS interlocks with the power to the drive mechanism. This position limit switch is used to prevent overtravel and resulting high radiation outside the TIP room.

The indexing mechanism is actuated by a motor-operated rotating drive. Electrical interlocks prevent the indexing mechanism from changing positions until the probe cable has been completely retracted beyond the transfer point. Additional electrical interlocks prevent the cable drive motor from moving the cable until the transfer mechanism has indexed to the pre-selected guide tube location (Drawing M-1-CC-23, Sheet 14).

A valve system is provided with a valve on each guide tube entering the primary containment. These valves are closed except when the TIPS is in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the primary containment. They prevent the loss of reactor coolant in the CHAPTER 07 7.5-20 REV. 26, APRIL 2017

PBAPS UFSAR event a guide tube ruptures inside the reactor vessel. A valve is also provided for a nitrogen gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if a leak occurs when the TIP is beyond the ball valve and power to the TIPS fails.

The shear valve, which is controlled by a manually operated keylock switch, can cut the cable and close off the guide tube.

The shear valves are actuated by detonation squibs. The continuity of the squib circuits is monitored by indicator lights in the control room.

A guide tube ball valve is normally deenergized and in the closed position. When the TIP starts forward, the valve is energized and opens. As it opens, it actuates a set of contacts which give a signal light indication at the TIPS control panel. The TIP return automatically stops TIP motion if the ball valve does not open on command (Drawing M-1-CC-23, Sheet 14).

When a containment isolation signal is received by the TIP system while in a computerized traverse, the TIP detectors will automatically withdraw and the ball valves close. If the containment isolation signal is received during a MANUAL mode operation, only the ball valve closes. In "MANUAL" mode the TIP probe can be withdrawn and the penetration isolated via the ball valve upon indication of a PCIS isolation. If the probe cannot be withdrawn, the manually operated shear valves are available to isolate the penetration. The system design complies with Reg Guide 1.11, and thus GDS 56. The "MANUAL" mode of operation is used infrequently, and can only be implemented through use of a keylock switch.

7.5.9.2.3 Signal Conditioning An output is provided for use by the process computer (PMS). The TIP output is linear to within 1.0 percent full scale for an indicated flux range of 2.8 x 1012 to 2.8 x 1014 nv. The probe and cable leakages contribute less than 1 percent of indicated reading.

7.5.9.3 Power Generation Evaluation An adequate number of TIP machines is supplied to assure that each LPRM assembly can be probed by a TIP and one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration.

An LPRM calibration can be performed properly, even if the data is unavailable from some of TIP locations (up to 1/3 of the total).

The system has been field tested in an operating reactor to assure reproductivity for repetitive measurements, and the mechanical CHAPTER 07 7.5-21 REV. 26, APRIL 2017

PBAPS UFSAR equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. The system design allows semi-automatic operation for LPRM calibration and process computer (PMS) use. The TIP machines can be operated manually to allow pointwise flux mapping.

7.5.9.4 Inspection and Testing The TIPS equipment is tested and calibrated using heat balance data and procedure as described in the instruction manual.

CHAPTER 07 7.5-22 REV. 26, APRIL 2017

PBAPS UFSAR 7.5 NEUTRON MONITORING SYSTEM REFERENCE

1. Morgan, W. R., "In-Core Neutron Monitoring System for GE Boiling Water Reactors," General Electric Company, APED-5706, November 1968.

2. "Maximum Expanded Load Limit (MELLL) and ARTS Improvement Program, Peach Bottom Atomic Power Station, Units 2 and 3,"

NEDC-32162P, Revision 1, February 1993.

3. NEDC-32410P-A, Nuclear Measurements Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.

4. NEDC-32410P-A Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Supplement 1, November 1997.

5. NEDO-31960-A, BWR Owners Group Long-Term Stability Solutions Licensing Methodology, November 1995.

6. NEDO-31960-A, Supplement 1, BWR Owners Group Long-Term Stability Solutions Licensing Methodology, November 1995.

7. NEDO-32465-A, BWR Owners Group Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications, August 1996.

8. NEDO-32694P-A, Power Distribution Uncertainties for Safety Limit MCPR Evaluations, August 1999.

9. NEDC-33075P-A, GE Hitachi Boiling Water Reactor Detect and Suppress Solution - Confirmation Density," November 2013.

CHAPTER 07 7.5-23 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.5.1 has been DELETED CHAPTER 07 7.5-24 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.5.2 WIDE RANGE NEUTRON MONITOR TRIPS AND ALARMS Function Action WRNM count rate low Trip indication, annunciator, rod block WRNM inoperative Scram, INOP indication, annunciator (FATAL) rod block WRNM bypassed White light WRNM period upscale Scram, trip indication, annunciator (High-high)

WRNM period upscale Trip indication, annunciator, rod (High) block Count rate (High) Trip indication, annunciator, rod

[Non-coincident mode only] block Count rate (High-high) Scram, trip indication, annunciator

[Non-coincident mode only]

WRNM inoperative Trip indication, annunciator (Non-fatal)

CHAPTER 07 7.5-25 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.5.3 LOCAL POWER RANGE MONITOR TRIPS Trip Set Point Trip Function Trip Range (%) Trip Action LPRM downscale 0% to full 3 Light and annun-scale ciator LPRM upscale 0% to full 100 Light and annun-scale ciator LPRM bypass Manual - Light, annunciator, Selection and APRM averaging compensation CHAPTER 07 7.5-26 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.5.4 AVERAGE POWER RANGE MONITOR TRIPS Trip Point Design (Analytical)

Trip Function Range Limits* Action APRM downscale 0% to full 0.5% Rod block scale APRM Simulated Varied with Rod block Thermal Power flow, inter-

- High cept and slope adjust- 0.61(W-W)** + 59.7% (TLO) able 0.55(W-W)** + 52.6% (SLO)

(Clamped - 110.4%)

APRM Simulated Varied with Scram Thermal Power flow, inter-

- High-High cept and slope adjust- 0.61(W-W)** + 69.3% (TLO) able 0.55(W-W)** + 62.2% (SLO)

(Clamped - 120%)

APRM Neutron 10% to full 125.0% Scram Flux - High scale APRM inoper- N/A Not in operate Scram and ative mode or critical rod block self-test fault APRM Simulated 7% to 27% 14% Rod block Thermal Power

- High (Setdown)

APRM Neutron 10% to 30% 21.0% Scram Flux - High (Setdown)

OPRM Upscale *** PBDA: Not Applicable **** Scram Confirmation Counts: 2-25 Amplitude:

1:00-1:30 ABA: 1.05-1.50 Not Applicable **** Scram GRA: 1.00-1.50 Not Applicable **** Scram CDA:

User-adjustable CDA confirmation count setpoint See COLR Jumpered out BSP:

Varies with flow, constant power and constant slope lines See COLR Disabled

The values given here have been used for the setpoint analysis; however, the actual Allowable Values must be as given in the Technical Specifications or the Technical Requirements Manual.

The percent (%) values given are in percent of rated thermal power (3951 MWt).

- W = Recirculation loop flow rate in percent of design.

=TLO Two Loop Operation.

=SLO Single Loop Operation.

CHAPTER 07 7.5-27 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.5.4 (cont'd)

AVERAGE POWER RANGE MONITOR TRIPS W = Difference between two loop and single loop effective recirculation drive flow at the same core flow. During single loop operation, the reduction in trip setting

(-0.55 W) is accomplished by selecting single loop operation mode in the APRM channel. The slope/offset settings must also be adjusted in each APRM channel when transitioning between Two Loop Operation (TLO) and Single Loop Operation (SLO). This action preserves the original (two loop) relationship between APRM rod block and scram setpoints and recirculation drive flow. W = 0 for two loop operation.

- - PBDA = period based detection algorithm ABA = amplitude based algorithm GRA = growth rate algorithm CDA = Confirmation Density Algorithm BSP = Automatic Backup Stability Protection

- - - The PBDA, ABA, and GRA are not credited in the safety analysis for the OPRM.

CHAPTER 07 7.5-28 REV. 26, APRIL 2017

PBAPS UFSAR 7.6 REFUELING INTERLOCKS 7.6.1 Safety Objective The safety objective of the refueling interlocks in combination with refueling procedures is to prevent an inadvertent criticality during refueling operations.

During a refueling operation, the reactor vessel head is removed, allowing direct access to the core. Refueling operations include the removal of reactor vessel upper internals and the movement of spent and fresh fuel assemblies between the core and the fuel storage pool. The refueling platform, and the equipment handling hoists on the platform are used to accomplish the refueling task.

The refueling interlocks reinforce operational procedures that prohibit taking the reactor critical under certain situations encountered during refueling operations by restricting the movement of control rods and the operation of refueling equipment.

7.6.2 Safety Design Basis

1. During fuel movements in or over the reactor core, all control rods are in their fully inserted positions.

2. No more than one control rod adjacent to fueled cells is withdrawn from its fully inserted position at any time when the reactor is in the refuel mode.

7.6.3 Description The refueling interlocks include circuitry which senses the condition of the refueling equipment and the control rods.

Depending on the sensed condition, interlocks are actuated which prevent the movement of the refueling equipment or withdrawal of control rods (rod block). Circuitry is provided which senses the following conditions:

1. All rods inserted.

2. Refueling platform positioned near or over the core.

3. Refueling platform hoists are fuel-loaded (fuel grapple, frame-mounted hoist, monorail hoist).

4. Fuel grapple is closed.

A two-channel DC circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod before the CHAPTER 07 7.6-1 REV. 26, APRIL 2017

PBAPS UFSAR "all rods in" signal is generated; two channels carry the signal.

Both channels must register the "all rods in" signal in order for the refueling interlock circuitry to provide the "all rods in" condition.

The refueling platform is provided with two mechanical switches attached to the platform which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel, thereby providing indication of the approach of the platform toward the core or its position over the core.

The three hoists on the refueling platform are provided with switches which open when the hoists are fuel loaded. The switches are set to open at a load weight which is lighter than the weight of a single fuel assembly, thus providing positive indication whenever fuel is loaded on any hoist.

The fuel grapple head has two limit switches that open whenever the grapple is open. These limit switches close to give a grapple engaged indication and a grapple engaged interlock.

The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operation as described in Drawing M-1-CC-42 and in the following:

1. Refueling platform travel toward the core is stopped when the following three conditions exist concurrently:

a. Any refueling platform hoist is loaded

b. Not all rods in

c. Refueling platform position is such that the position switch is open (platform near or over the core).

2. With the mode switch in STARTUP, refueling platform travel toward the core is prevented when the refueling platform position switch is open (platform near or over the core).

3. Raising or lowering the refueling platform grapple is prevented when the following conditions exist concurrently:

a. One or more rod withdrawn CHAPTER 07 7.6-2 REV. 26, APRIL 2017

b. The refueling platform position switch open (platform near or over the core).

c. Fuel grapple fuel - loaded

4. The refueling platform frame-mounted hoist LIFT electrical circuit is open when the following three conditions exist concurrently:

a. Frame-mounted hoist loaded

b. Not all rods in

c. Refueling platform near or over the core.

5. The refueling platform monorail hoist LIFT electrical circuit is open when the following three conditions exist concurrently:

a. monorail hoist loaded

b. Not all rods in

c. Refueling platform near or over the core.

6. Fuel grapple release is prevented when the following two conditions exist concurrently:

a. Grapple is not within one foot of the core.

b. Refueling platform near or over the core.

The indicated conditions are combined in logic circuits to satisfy restrictions on control rod movement as shown in Drawing M-1-CC-42, Sheets 5 and 14.

7. With the mode switch in REFUEL, any one of the following two conditions prevents a control rod withdrawal:

a. Refueling platform over the core with a load on any refueling platform hoist

b. During normal operations, selection of a second rod for movement with any other rod withdrawn from the fully inserted position.

c. Bypassing any number of "Fill-in" position indicators to allow multiple control rod withdrawal is permitted while in the REFUEL mode, provided the following requirements are met:

CHAPTER 07 7.6-3 REV. 26, APRIL 2017

1. The four fuel assemblies are removed from the core cells associated with each control rod or CRD to be removed,

2. All other control rods in core cells containing one or more fuel assemblies are fully inserted, and,

3. Fuel assemblies shall only be loaded in compliance with an approved spiral reload sequence.

8. With the mode switch in STARTUP, the following condition prevents a control rod withdrawal:

a. Refueling platform over the core The prevention of a control rod withdrawal is accomplished by opening contacts at two different points in the rod block circuitry; prevention of refueling equipment operation is accomplished by interrupting the power supply to the equipment.

Except as noted in 7.c above, during refueling operations no more than one control rod may be withdrawn; this is enforced by a redundant logic circuit which uses the "all rods in" signal and a rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select pushbuttons. With the mode switch in REFUEL, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

Interlocks are provided on the refueling platform to prevent the fuel from being raised to a point where there would be less than adequate water shielding above active fuel. These interlocks include two separate modes of operation:

1. Normal Fuel Move Mode

2. Cask Loading Mode Selection of the cask loading mode including fuel handled in this mode is procedurally controlled. The normal fuel move mode ensures that 7-4 of water remains above top of active fuel while the cask loading mode ensures that 7-1 of water remains above top of active fuel assuming the Technical Specification low water level. The cask loading mode is used for preselected spent fuel CHAPTER 07 7.6-4 REV. 26, APRIL 2017

PBAPS UFSAR bundles that have been cooled for at least 7 years and are intended to be stored in an approved spent fuel storage cask.

The 7-4 water coverage from top of active fuel is reduced locally when the Reactor Cavity Work Platform is installed in the reactor cavity. The platform personnel baskets are submerged into the reactor cavity water to elevation 231-0 (-0 +3), which limits the water coverage to 6-10 (min) when a perimeter fuel bundle is raised to its full up position. This reduced coverage was evaluated and concluded to have no adverse impact on the refueling interlocks, the inadvertent criticality prevention, the offsite dose exposure or safety related equipment qualification.

7.6.4 Safety Evaluation The refueling interlocks, in combination with core nuclear design, and refueling procedures, limit the probability of inadvertent criticality. The nuclear characteristics of the core assure that the reactor is subcritical even when the highest worth control rod is fully withdrawn. Refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform interlocks provide redundant methods of preventing inadvertent criticality. The interlocks on hoists provide yet another method of avoiding inadvertent criticality.

Table 7.6.1 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform and fuel grapple movement and position, and mode switch manipulation. The scram indicated in situation 11 of Table 7.6.1 is not a result of the refueling interlocks; it is the response of the RPS to downscale neutron monitoring system channels when the mode switch is shifted to RUN. In all cases, proper operation of the refueling interlocks is successful in preventing either the operation of loaded refueling equipment over the core whenever any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn from fueled cells; selection of a second rod is prohibited.

7.6.5 Inspection and Testing Complete functional testing of all refueling interlocks on equipment used during refueling activities shall be performed before any refueling activities. This will provide positive indication that the interlocks operate in the situations for which they were designed. By loading each hoist with a dummy fuel assembly, positioning the refueling platform, and withdrawing CHAPTER 07 7.6-5 REV. 26, APRIL 2017

PBAPS UFSAR control rods, or by simulating these inputs, the interlocks can be subjected to valid operational tests. Where redundancy is provided in the logic circuitry, tests can be performed to assure that each redundant logic element can independently perform its function.

CHAPTER 07 7.6-6 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.6.1 REFUELING INTERLOCK EFFECTIVENESS Refueling Refueling Platform Hoists Platform Mode Situation Position MH FMH FG Control Rods Switch Attempt Result 1 Not near core UL UL UL All rods in Refuel Move refueling No restrictions platform over core 2 Not near core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod 3 Not near core UL UL UL One or more Refuel Move refueling No restrictions rod withdrawn platform over core 4 Not near core Any hoist loaded One or more Refuel Move refueling Platform stopped rods withdrawn platform over core before over core 5 Near core Loaded Loaded Loaded One or more Refuel Raise or lower Cannot raise or rods withdrawn loaded hoist/grapple lower loaded hoist/grapple 6 Over core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod 7 Over core Any hoist loaded All rods in Refuel Withdraw rods Rod block 8 Not near core UL UL UL All rods in Startup Move refueling Platform stopped platform over core before over core CHAPTER 07 7.6-7 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.6.1 (Continued)

Refueling Refueling Platform Hoists Platform Mode Situation Position MH FMH FG Control Rods Switch Attempt Result 9 Not near core UL UL UL All rods in Startup Withdraw rods No restrictions 10 Over core UL UL UL All rods in Startup Withdraw rods Rod block 11 Any Any condition Any condition, Startup Turn mode switch Scram reactor not to run at power 12 Over core Any condition Any condition Any Release grapple Grapple will Grapple not within not release one foot of core KEY: MH = Monorail hoist FMH = Frame-mounted hoist FG = Fuel grapple UL = Unloaded CHAPTER 07 7.6-8 REV. 21, APRIL 2007

PBAPS UFSAR 7.7 REACTOR MANUAL CONTROL SYSTEM 7.7.1 Power Generation Objective The power generation objective of the reactor manual control system is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

7.7.2 Safety Design Basis

1. The circuitry provided for the manipulation of control rods is designed so that no single failure can negate the effectiveness of a reactor scram.

2. Repair, replacement, or adjustment of any failed or malfunctioning component does not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

7.7.3 Power Generation Design Basis

1. The reactor manual control system is designed to inhibit control rod withdrawal following erroneous control rod manipulations so that RPS action (scram) is not required.

2. The reactor manual control system is designed to inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation.

3. The reactor manual control system is designed to inhibit rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation is incapable (due to failure) of monitoring the core response to rod movement.

4. To limit the potential for inadvertent rod withdrawals leading to RPS action, the reactor manual control system is designed in such a way that deliberate operator action is required to effect a continuous rod withdrawal.

5. To provide the operator with the means to achieve prescribed control rod patterns, information pertinent to the position and motion of the control rods is available in the control room.

7.7.4 Description 7.7.4.1 Identification CHAPTER 07 7.7-1 REV. 23, APRIL 2011

PBAPS UFSAR The reactor manual control system consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The reactor manual control system does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in subsection 7.2, "Reactor Protection System." Neither are the mechanical devices of the CRD's and the CRD hydraulic system included in the reactor manual control system. These mechanical components are described in subsection 3.4, "Reactivity Control Mechanical Design."

7.7.4.2 Operation 7.7.4.2.1 General Drawing M-1-CC-42, Sheets 1 through 7, 9 through 16, and 18 show the functional arrangement of devices for the control of components in the CRD hydraulic system. Although the figures also show the arrangement of scram devices, these devices are not part of the reactor manual control system.

Control rod movement is accomplished by admitting water under pressure from a CRD water pump into the appropriate end of the CRD cylinder. The pressurized water forces the piston, which is attached by a connecting rod to the control rod, to move. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the various operational modes. The valves control the path that the CRD water takes to the cylinder. The reactor manual control system controls the valves.

Two of the four solenoid-operated valves for a control rod are electrically connected to the insert bus. When the insert bus is energized and when a control rod has been selected for movement, the two insert valves for the selected rod open, allowing the CRD water to take the path that results in control rod insertion. Of the two remaining solenoid-operated valves for a control rod, one is electrically connected to the withdraw bus, and the other is connected to the settle bus. The withdraw valve that connects the insert drive water supply line to the exhaust water header is the one that is connected to the settle bus. The remaining withdraw valve is connected to the withdraw bus. When both the withdraw bus and the settle bus are energized and when a control rod has been selected for movement, both withdraw valves for the selected rod open, allowing CRD water to take the path that results in control rod withdrawal.

CHAPTER 07 7.7-2 REV. 23, APRIL 2011

PBAPS UFSAR The settle mode is provided to ensure that the CRD index tube is engaged promptly by the collet fingers after the completion of either an insert or withdraw cycle. During the settle mode, the withdraw valve connected to the settle bus is opened or remains open while the other three solenoid-operated valves are closed.

During an insert cycle, the settle action vents the pressure from the bottom of the CRD piston to the exhaust header, thus gradually reducing the differential pressure across the drive piston of the selected rod. During a withdraw cycle, the settle action again vents the bottom of the CRD piston to the exhaust header while the withdraw drive water supply is shut off. This also allows a gradual reduction in the differential pressure across the CRD piston. After the control rod has slowed down, the collet fingers engage the index tube and lock the rod in position. See Drawing M-1-CC-42, Sheets 1 and 10 for valve sequence and timing.

The arrangement of control rod selection push buttons and circuitry permits the selection of only one control rod at a time for movement. A rod is selected for movement by depressing a button for the desired rod on the reactor control bench board in the control room. This bench board is shown in Figure 7.7.3. The direction in which the selected rod moves is determined by the position of a switch, called the ROD CONTROL switch, which is also located on the reactor control bench board. This switch has ROD-IN and ROD-OUT-NOTCH positions and returns by spring action to the OFF position. The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selected condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.

7.7.4.2.2 Insert Cycle The following is a description of the detailed operation of the reactor manual control system during an insert cycle. The cycle is described in terms of the insert, withdraw, and settle buses.

The response of a selected rod when the various buses are energized has been explained previously.

Drawing M-1-CC-42, Sheets 3, 4, 12, and 13 can be used to follow the sequence of an insert cycle.

A three-position rod control switch is provided on the reactor control bench board. The switch has a ROD-IN position, a ROD-OUT-NOTCH position, and an OFF position. The switch returns by spring action to the OFF position. With a control rod selected for CHAPTER 07 7.7-3 REV. 23, APRIL 2011

PBAPS UFSAR movement, placing the rod control switch in the ROD-IN position and then releasing the switch energizes the insert bus for a limited amount of time. Just before the insert bus is deenergized, the settle bus is automatically energized and remains energized for a limited period of time after the insert bus is deenergized. The insert bus timer setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The timer setting results in a one notch (6 in) insertion of the selected rod for each momentary application of a ROD-IN signal from the rod control switch.

Continuous insertion of a selected control rod is possible by holding the rod control switch in the ROD-IN position.

A second switch can be used to initiate insertion of a selected control rod. This switch is the EMERGENCY IN/NOTCH OVERRIDE switch. The EMERGENCY IN/NOTCH OVERRIDE switch has three positions: EMERGENCY IN, NOTCH OVERRIDE, and OFF. The switch returns to the OFF position by spring action. By holding the EMERGENCY IN/NOTCH OVERRIDE switch in the EMERGENCY IN position, the insert bus is continuously energized, causing a continuous insertion of the selected control rod.

7.7.4.2.3 Withdraw Cycle The following is a description of the detailed operation of the reactor manual control system during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle buses.

The response of a selected rod when the various buses are energized has been explained previously. Drawing M-1-CC-42, Sheets 3, 4, 12, and 13 can be used to follow the sequence of a withdraw cycle.

With a control rod selected for movement, placing the rod control switch in the ROD-OUT-NOTCH position energizes the insert bus for a short period of time. Energizing the insert bus at the beginning of the withdrawal cycle is necessary to allow the collet fingers to disengage the index tube. When the insert bus is deenergized, the withdrawal and settle buses are energized for a controlled period of time. The withdraw bus is deenergized prior to the settle bus, which, when deenergized, completes the withdraw cycle. This withdraw cycle is the same whether the rod control switch is held continuously in the ROD-OUT-NOTCH position or released. The timers that control the withdraw cycle are set so that the rod travels one notch (6 in) per cycle. An interlock is provided in the withdraw circuitry to deenergize the control circuit and prevent rod withdrawal if the withdraw bus timer fails to deenergize the withdraw bus after the specified time period.

A selected control rod can be continuously withdrawn if the rod control switch is held in the ROD-OUT-NOTCH position at the same CHAPTER 07 7.7-4 REV. 23, APRIL 2011

PBAPS UFSAR time that the EMERGENCY IN/NOTCH OVERRIDE switch is held in the NOTCH-OVERRIDE position. With both switches held in these positions, the withdraw bus is continuously energized.

7.7.4.2.4 Control Rod Drive Hydraulic System Control Two motor-operated pressure control valves, two air-operated flow control valves, and two dual solenoid-operated stabilizing valves are included in the CRD hydraulic system to maintain smooth and regulated system operation (subsection 3.4, "Reactivity Control Mechanical Design"). The motor-operated pressure control valves are positioned by manipulating switches in the control room. The switches for these valves are located close to the pressure indicators that respond to the pressure changes caused by the movements of the valves. The air-operated flow control valves are automatically positioned in response to signals from an upstream flow measuring device. The stabilizing valves are automatically controlled in the same manner as the insert and withdraw buses.

The control scheme is shown in Drawing M-1-CC-42, Sheets 2, 3, 4, 11, 12, and 13. The two drive water pumps are controlled by switches in the control room. Each pump automatically stops upon indication of low suction pressure (Drawing M-1-CC-42, Sheets 2 and 11).

7.7.4.3 Rod Block Interlocks 7.7.4.3.1 General Drawing M-1-CC-42, Sheets 3, 4, 5, 12, 13, and 14 show the rod block interlocks used in the reactor manual control system.

Drawing M-1-CC-42, Sheets 3, 4, 12, and 13 show the general functional arrangement of the interlocks, and Drawing M-1-CC-42, Sheets 5 and 14 shows the rod blocking functions originating in the neutron monitoring system in greater detail.

To achieve an operationally desirable performance objective where most failures of individual components would be easily detectable or do not disable the rod movement inhibiting functions, the rod block logic circuitry is arranged as two similar logic circuits.

The two circuits are energized when control rod movement is allowed. Rod block contacts are normally closed, and rod block relays are normally energized. Each of the two similar circuits receive input trip signals from a number of trip channels. Either of the two circuits can provide a separate rod block signal to the rod control circuitry. The individual signal from each circuit is called an "annunciating rod block control" because when tripped, a horn or buzzer is sounded in the control room to indicate the block signal. A third rod block signal is obtained by combining the outputs of the two similar logic circuits, the rod worth minimizer (RWM) output (subsection 7.16, "Process Computer CHAPTER 07 7.7-5 REV. 23, APRIL 2011

PBAPS UFSAR System"), and the rod block monitor outputs. This third signal is called the non-annunciating rod block control because when tripped, the rod block condition is indicated in the control room by a light indicator only. The two annunciating rod block controls are always placed in pairs in the rod control circuitry, while the non-annunciating rod block control is used independently. The two annunciating rod block controls and the non-annunciating rod block control must be in the permissive state for control rod withdrawal to be possible. A failure of any one of the three-rod block controls cannot prevent the remaining parts of the rod block circuitry from initiating a rod block.

When in the tripped state, the non-annunciating rod block control prevents the withdraw movement of the selected rod by opening the rod control circuit that is used to energize the withdraw bus.

The annunciating rod block controls prevent the withdraw movement of a selected rod in a similar manner, but the rod control circuit is opened at a location different from that affected by the non-annunciating rod block control. The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even if a continuous rod withdrawal is in progress.

The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in subsection 7.6, "Refueling Interlocks."

7.7.4.3.2 Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed later. Drawing M-1-CC-23, Sheets 1 and 8, M-1-CC-42, Sheets 5 and 14, and Figure 7.7.6 show the rod block initiation functions.

Drawing M-1-CC-23, Sheets 1 and 8 shows the rod block functions initiated in the neutron monitoring system. The channel A and B annunciating rod block control and non-annunciating rod block control shown on Drawing M-1-CC-42, Sheets 5 and 14 initiate rod blocks on the reactor manual control system as indicated in Drawing M-1-CC-42, Sheets 3, 4, 12 and 13.

a. With the mode switch in SHUTDOWN, no control rod can be withdrawn. This enforces compliance with the intent of the SHUTDOWN mode.

CHAPTER 07 7.7-6 REV. 23, APRIL 2011

b. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:

1. Any APRM upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed.

The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM neutron flux high or flow-biased STP high scram settings are reached.

2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or properly bypassed.

3. Either RBM upscale alarm. This function is provided to stop the erroneous withdrawal of a single worst-case control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the alarm setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.

4. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or properly bypassed.

5. Any recirculation flow signal upscale. This assures that no control rod is withdrawn unless the recirculation flow functions, which are necessary for the proper operation of the APRM Flow-Biased STP Rod Block, are operable.

6. Any APRM LPRM Low Count alarm. This assures that no rod is withdrawn unless the APRM channels are either monitoring the required minimum number of LPRM inputs to meet APRM channel operability requirements or the channel is properly bypassed.

7. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block well in advance of that level which produces a scram.

CHAPTER 07 7.7-7 REV. 23, APRIL 2011

8. Deleted

9. The RWM function of the process computer system (PMS) can initiate a rod insert block and a rod withdrawal block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident.

Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed. Additional information on the RWM function is available in subsection 7.16, "Process Computer System."

10. The rod position information system (RPIS) initiates a rod select block for loss of power to the RPIS, loss of output signal from the master clock, or a missing printed circuit board in the RPIS.

11. Deleted

12. Deleted

c. With the mode switch in RUN, the following conditions initiate a rod block:

1. Any APRM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the average power range neutron monitoring channels are operating properly or are correctly bypassed. All unbypassed APRM's must be onscale during reactor operations in the RUN mode.

2. Any RBM downscale alarm. This alarm indicates a gross failure of the RBM signal processing since normal RBM signal levels are much higher than the RBM downscale alarm setting. This assures that no rod is withdrawn unless the RBM channels are at least reading onscale or bypassed. Unbypassed RBMs must be onscale during reactor operations in the RUN mode.

d. With the mode switch in STARTUP or REFUEL the following conditions initiate a rod block:

1. Any WRNM downscale alarm. This assures that no control rod is withdrawn unless the WRNM count rate CHAPTER 07 7.7-8 REV. 23, APRIL 2011

PBAPS UFSAR is above the minimum prescribed for low neutron flux level monitoring.

2. Any WRNM period short alarm. This assures that no control rod is withdrawn unless the wide range neutron monitoring equipment is properly monitoring the core during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring RPS action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.

3. Any WRNM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all WRNM channels are in service or properly bypassed.

4. The rod block functions provided specifically for refueling situation are described in subsection 7.6, "Refueling Interlocks."

e. With the mode switch in SHUTDOWN or REFUEL a rod block is initiated by scram discharge volume high level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high level scram function is out of service.

7.7.4.3.3 Rod Block Bypasses To permit continued power operation during the repair or calibration of equipment for selected functions which provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1. Two WRNM channels.

2. One APRM channel.

3. One RBM channel.

The WRNM's are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. There are four APRM channels, each monitoring LPRM detectors covering the entire core.

The channels are arranged such that adequate monitoring of the core is maintained with one channel bypassed.

CHAPTER 07 7.7-9 REV. 23, APRIL 2011

PBAPS UFSAR These bypasses are effected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the RBM rod block occurs whenever the power level is below a preselected level or whenever a peripheral control rod is selected. Either of these two conditions indicates that local fuel damage is not threatened and that RBM action is not required.

The RWM rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. The automatic bypass may itself be disabled to allow control rod sequence enforcement up to 100% reactor power. The RWM may be manually bypassed for maintenance at any time.

7.7.4.4 Control Rod Information Displays The operator has three different displays of control rod position:

1. Rod status display.

2. Four rod display.

3. Process computer (PMS).

These displays serve the following purposes:

1. Provide the operator with a continuously available, easily understood presentation of each control rod's status.

2. Provide continuously available, easily discernible warning of an abnormal condition.

3. Present numerical rod position for each rod.

4. Log all control rod positions on a routine basis.

The rod status display (Figure 7.7.3) is located on a vertical panel behind the reactor control console in the control room. It provides the following continuously available information for each individual rod.

1. Rod position, digital and fully inserted (green).

2. Rod position, digital and fully withdrawn (red).

3. Rod identification, coordinate position of selected rod (white).

CHAPTER 07 7.7-10 REV. 23, APRIL 2011

4. Accumulator trouble (amber).

5. Rod scram (blue).

6. Rod drift (red).

Also dispersed throughout the display in locations representative of the physical location of LPRM strings in the core are LPRM lights as follows:

1. LPRM low flux level (white).

2. LPRM high flux level (amber).

A separate four rod display consisting of four rod position modules is located on the reactor control console (Figure 7.7.3).

These four modules display rod position in two digits and rod selected status (white light, off or on) for the selected rod and three adjacent rods (Figure 7.7.4). The rod position digital range is from 00 to 48, where 00 and 48 represent the fully inserted and fully withdrawn positions, respectively. Each even increment (e.g., 00-02) represents six physical inches of rod movement. Near the four rod display are two RBM Operator Display Assemblies (ODAs) which display RBM status information including the LPRM values for each of the detector strings surrounding the selected rod (Figure 7.7.4). Since each LPRM detector string contains 4 detectors, these ODAs display up to 16 LPRM detector values both in bargraph and digital display format. The RBM ODAs allow the operator to easily focus attention on the core volume of primary concern during rod movements.

Control rod position information is obtained from reed switches in the CRD that open or close during rod movement. Reed switches are provided at each 3-in increment of piston travel. Since a notch is 6 in, indication is available for each half-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift. Both a rod selected for movement and the rods not selected for movement are monitored for drift. A drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer (PMS).

Reed switches are also provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves to these overtravel positions, an alarm sounds in the control room.

The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact, because with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position.

CHAPTER 07 7.7-11 REV. 23, APRIL 2011

PBAPS UFSAR The process computer (PMS) receives position indication from each rod and prints out all rod positions in a pre-arranged sequence.

The operator may order a computer printout at any time. The printout depicts the rod positions in an array corresponding to the other displays and actual core location (Figure 7.7.5). The printout is always in the same order; if there is an incorrect input, the printout will signify it by showing a blank or printing 99.

All displays are essentially independent of one another. Signals for the rod status display are hard wired from the rod position information system cabinet (RPISC) buffer outputs, so that a signal failure of other parts of the RPISC will not affect this display. Likewise, the computer (PMS) could conceivably fail but the rod status and rod position displays will continue to function normally.

The condition of the CRD hydraulic system and control circuitry can be monitored from the main control room by use of the following devices:

1. Indicating Lamps Flow control valve position Drive water pressure control valve position Cooling water pressure control valve position Stabilizer valve selector switch position Drive water pump motor circuit breaker Scram valve position Discharge volume vent and drain valves position Withdraw bus energized Insert bus energized Settle bus energized Notch override Withdraw not permissive

2. Annunciators Scram valve pilot air header low pressure Accumulator low pressure or leakage Scram discharge volume not drained Drive water filter high differential pressure Charging water high pressure Drive water pump "A" suction low pressure Drive water pump "B" suction low pressure CRD temperature CHAPTER 07 7.7-12 REV. 23, APRIL 2011

3. Instruments Drive water flow Cooling water flow Cooling water - reactor differential pressure Drive water - reactor differential pressure Charging water pressure CRD system flow Drive water pump ammeters Instrumentation provided for the reactor manual control system is presented in Table 7.7.1.

7.7.4.5 This subsection deleted 7.7.5 Safety Evaluation The circuitry described for the reactor manual control system is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. The scram circuitry is discussed in subsection 7.2, "Reactor Protection System."

Because each control rod is controlled as an individual unit, a failure that results in energizing of any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. It can be concluded that no single failure in the reactor manual control system can result in the prevention of a reactor scram and that repair, adjustment, or maintenance of reactor manual control system components does not affect the scram circuitry. This meets safety design bases 1 and 2.

7.7.6 Inspection and Testing The reactor manual control system can be routinely checked for proper operation by manipulating control rods using the various methods of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

CHAPTER 07 7.7-13 REV. 23, APRIL 2011

PBAPS UFSAR TABLE 7.7.1 REACTOR MANUAL CONTROL SYSTEM INSTRUMENT SPECIFICATIONS Measured Variable Instrument Type Normal Range Accuracy Trip Setting Pump suction pressure Pressure indicator -15 to +250 psig +/-2% full scale ---

Pump suction pressure Pressure switch 0 to 30 in Hg +/-5% full scale 18 in Hg (decreasing)

Pump discharge pressure Pressure indicator 1,400 to 1,650 psig +/-2% full scale ---

Filter pressure drop P indicator 5 to 25 psid +/-2% full scale 17 to 22 psid (increasing)

System flow indication and controller Flow indicator 0 to 100 gpm +/-5% set point Accum. HDR. Chg. PRESS alarm Pressure switch 1,400 to 1,510 psig +/-2% full scale 1,510 psig (decreasing)

Accum. HDR. Chg. PRESS Pressure indicator ---

Drive HDR. flow Flow indicator 0, 2, 4 gpm +/-2% full scale ---

Drive HDR. pressure Pressure indicator 250 to 1,285 psig +/-1% full scale ---

Drive HDR. pressure drop P indicator 0 to 350 psid +/-2% full scale ---

Cooling HDR. flow Flow indicator 46 to 63 gpm +/-2% full scale ---

Cooling HDR. pressure Pressure indicator 20 to 1,075 psig +/-1% full scale ---

Cooling HDR. reactor P P indicator 20 to 40 psid +/-2% full scale ---

Stabilizing flow Flow indicator 5 to 7 gpm +/-5% full scale ---

Exhaust pressure Pressure indicator 0 to 1,045 psig +/-1/2% full scale ---

Scram discharge level Level switch 2 in +/-1/2 in ---

Drive temperature Monitor 50 to 500F --- 300F Instrument air supply pressure Pressure indicator 0 to 50 psig +/-2% full scale ---

CHAPTER 07 7.7-14 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.7.1 (Continued)

Measured Variable Instrument Type Normal Range Accuracy Trip Setting Flow control station air pressure Pressure indicator 0 to 15 psig +/-2% full scale ---

Scram pilot air HDR. pressure Pressure indicator 0 to 150 psig +/-2% full scale Scram pilot air HDR. pressure Pressure switch 70 to 100 psig +/-2% full scale ---

Accum. Nd Chg. pressure Pressure indicator 0 to 1,000 psig +/-2% full scale ---

Accum. Nd Chg. pressure alarm Pressure switch 0 to 1,000 psig ---

FCV electro/pneumatic Pressure/current 3 to 15 psig/ --- ---

converter 10 to 50 ma Control rod drive overtravel Reed switches 2 in beyond full +/-1 1/2 in 2 in beyond full (withdraw direction) withdrawal position withdrawal position Control rod drive overtravel Reed switches 1 1/2 in beyond +/-1 1/2 in 1 1/2 in beyond (insert direction) last notch full insert position Control rod position Reed switches full-in to full-out, +/-1 1/2 in ---

(normal range) every 3 in Rod block - neutron monitoring See Section 7.5, "Neutron Monitoring System" system trip channels Rod block - rod worth minimizer See Section 7.16, "Process Computer System" CHAPTER 07 7.7-15 REV. 21, APRIL 2007

PBAPS UFSAR 7.8 REACTOR VESSEL INSTRUMENTATION 7.8.1 Safety Objective The safety objective of the reactor vessel instrumentation is to monitor and transmit information concerning key reactor vessel operating parameters during planned operations to ensure that sufficient control of these parameters is possible in order to avoid (1) release of radioactive material to the environs such that the limits of 10CFR20 are exceeded, (2) nuclear system stress in excess of that allowed by applicable industry codes, and (3) the existence of any operating conditions not considered by plant safety analyses.

7.8.2 Safety Design Basis Reactor vessel instrumentation is designed to:

1. Provide the operator with sufficient indication of reactor core flow rate during planned operations to avoid operating conditions not considered by plant safety analyses.

2. Provide the operator with sufficient indication of reactor vessel water level during planned operations to determine that the core is adequately covered by the coolant inventory inside the reactor vessel to avoid the release of radioactive materials to the environs such that the limits of 10CFR20 are exceeded, and to avoid operating conditions not considered by plant safety analyses.

3. Provide the operator with sufficient indication of reactor vessel pressure and temperature during planned operations to avoid operating conditions not considered by plant safety analyses.

4. Provide the operator with sufficient indication of reactor vessel flange leakage during planned operations to avoid nuclear system stress in excess of that allowed by applicable industry codes and the release of radioactive material to the environs such that the limits of 10CFR20 are exceeded.

7.8.3 Power Generation Objective The power generation objective of the reactor vessel instrumentation is to monitor and transmit reactor vessel parameter information for the convenient, efficient, and economical operation of the plant.

CHAPTER 07 7.8-1 REV. 26, APRIL 2017

PBAPS UFSAR 7.8.4 Power Generation Design Basis Reactor vessel instrumentation is designed to monitor and transmit sufficient reactor vessel parameter information to the operator such that he is continually able to operate the plant conveniently, efficiently, and economically.

7.8.5 Description Drawings M-351, Sheets 1 through 4 and M-352 show the numbers, location, and arrangements of the sensors, switches, and sensing equipment used to monitor reactor vessel conditions. Because the reactor vessel sensors used for safety systems and engineered safeguards have been described and evaluated in other portions of this Updated FSAR, only those sensors that are not required for safety systems are described in this subsection.

7.8.5.1 Reactor Vessel Surface Temperature Thermocouples are attached to the reactor vessel, the vessel top head, the vessel head studs, and the bottom vessel drain as a means of observing vessel metal temperature behavior in response to vessel coolant temperature changes during startup and power operation. Drawings M-351, M-352 and Figure 7.8.2 show the locations of the thermocouples. Probe type thermocouples are used to measure the temperature inside the reactor vessel head studs.

Magnetically attached thermocouples are used to measure the surface temperature of the vessel top head and top head flange.

Thermocouples are clamped to the vessel at various locations (see Figure 7.8.2) to measure the vessel surface temperature. The thermocouples are made of copper constantan insulated with braided glass, and clad with stainless steel. Thermocouple and temperature recorder specifications are listed in Table 7.8.1.

The collection of thermocouples provides temperature data representative of thick, thin, and transitional sections of the vessel and its attachments. Selected temperatures are recorded on a multi-point recorder in the control room. The temperature difference between the reactor vessel flange and the vessel wall adjacent to the flange is recorded on a temperature recorder.

7.8.5.2 Reactor Vessel Water Level Reactor vessel water level indication is detected by comparing the pressure exerted by the actual height of water inside the vessel to the pressure exerted by a constant reference column of water.

Lines which are connected to widely separated nozzles in the reactor vessel lead from the vessel to locations outside the primary containment where they terminate at instrument racks in CHAPTER 07 7.8-2 REV. 26, APRIL 2017

PBAPS UFSAR the reactor building. Level measuring instruments are attached to the appropriate sensor lines so that the proper differential pressure is applied to the level instruments. A condensing chamber is installed in each of the lines used to provide a reference column of water for level measurements. Pressure compensation instruments are used in the ECCS and Feedwater Control Systems to improve the accuracy of the level measurement.

The reactor vessel instrumentation used for safety systems is described and evaluated in subsections 7.2, 7.3, and 7.4. Each of the instrument lines is fitted with one manual isolation valve and one excess flow check valve, both of which are located directly outside the drywell in the reactor building. The instrument pipelines slope down in the direction of the instruments so that no air traps are formed. Pressure and differential pressure measuring instruments also use these same instrument lines, as indicated in Drawing M-352.

A continuous backfill system is connected to each reference column line at the instrument side of the excess flow check valve. The backfill system provides a continuous flow of water from the Control Rod Drive (CRD) System, through the reference column and condensing chamber, and into the Reactor Vessel. This flow of water will continuously purge the reference column and will prevent the migration of dissolved noncondensable gases down the columns. The backfill system connects to the CRD System and is common to all of the reference column lines up to a location outside primary containment where the backfill system line separates and is connected to each of the individual reference column lines. The backfill system line connecting to each reference column line is fitted with two manual isolation valves and two spring-loaded check valves. Backfill system flow to each reference column line is manually controlled via a double pattern needle valve, and both total backfill system flow and flow to each reference column line is indicated locally.

There are numerous indications of reactor vessel water level in the reactor building. Almost all of the level measuring instruments indicate locally, as shown in Drawing M-352.

There are several reactor vessel water level indications continuously displayed on various boards in the control room and one indication that can be selectively connected to a control room recorder. Eleven of the control room level indications are derived from the pressure compensation instruments, four come from the level transmitters provided for the feedwater control system, five come from the instruments used to measure the water level inside the core shroud, and one uses a separate reference column of water located so that water level indication is possible all the way to the top of the vessel. There are five level recorders in the control room. The first recorder receives level signals from CHAPTER 07 7.8-3 REV. 26, APRIL 2017

PBAPS UFSAR level transmitters in the feedwater control system and provides a continuous record of narrow range reactor vessel water level (0 to

+60 in). The second recorder can be selectively connected to a level transmitter to indicate in the range from instrument zero to 500 inches above instrument zero, during refueling operations.

This input is also provided to the plant monitoring computer. Two other recorders indicate reactor water level over the range from normal water level to the bottom of the fuel. Each of these recorders has two channels: one for wide range reactor level (-

165 to +60 in) and one for fuel zone level (-325 to +60 in). The inputs for these two recorders are from safety-related level transmitters, each recorder receiving signals from a separate set of transmitters. The power inputs for the dual channel recorders are from separate divisions and the design is such that no single failure will disable both recorders. The fifth recorder indicates reactor water level over the fuel zone range (-25 to +60 in).

This recorder receives its level signal from the pressure compensation instruments. Table 7.8.1 lists the specifications for level instruments not previously described with other systems.

Drawing M-352 gives a chart showing the water levels at which various automatic alarms and safety actions are initiated. Each of the actions listed is described and evaluated in the subsection of this report where the system involved is described. The following list tells where various level measuring components and their set points are discussed:

Level Instrumentation Subsection in Which Discussed Level transmitters and "Reactor Protection System" (7.2) trip units for initiating scram Level transmitters and "Primary Containment and Reactor pressure instruments Vessel Isolation Control System" or trip units for (7.3) initiating primary containment or reactor vessel isolation Level switches, "Core Standby Cooling Systems transmitters, and pres- Controls and Instrumentation" sure compensation instru- (7.4) ments used for HPCIS, LPCI, core spray, ADS, or recirculation loop valve closure CHAPTER 07 7.8-4 REV. 26, APRIL 2017

PBAPS UFSAR Level Instrumentation Subsection in Which Discussed Level transmitters, pres- "Core Standby Cooling Systems sure compensation instru- Controls and Instrumentation" ments, and recorder used (7.4) to measure water level inside core shroud Level transmitters and "Feedwater Control System" (7.10) recorders used for feedwater control Level transmitters and "Core Standby Cooling Systems pressure compensation Controls and Instrumentation" instruments used to trip (7.4)

RCICS turbine and HPCIS turbine Level transmitters and "Reactor Core Isolation pressure compensation Cooling System" (4.7) instruments used to initiate the RCICS Level transmitters and "Anticipated Transient pressure compensation without Scram Recirculation instruments used for Pump Trip" (7.9.4.4.2) automatically tripping recirculation pumps Level transmitters and "Alternate Rod Insertion" pressure compensation (1.6.3.4) instruments used for alternate rod insertion The large number of reactor vessel water level indications is sufficient in providing the operator with information with which the adequacy of the coolant inventory to cool the fuel can be determined. In addition, by verifying that reactor vessel water level is not rising to an abnormally high level, the operator is assured that turbines are not endangered by the possibility of water carried into the steam lines. The approach of abnormal conditions is brought to the operator's attention by audible and visual alarms (Drawing M-352). It should be noted that in no case requiring safety system response is operator action required; all essential protection system responses are completely automatic.

CHAPTER 07 7.8-5 REV. 26, APRIL 2017

PBAPS UFSAR 7.8.5.3 Reactor Vessel Coolant Flow Rates and Differential Pressures Drawing M-352 shows the flow instruments, differential pressure instruments, and recorders provided so that the core coolant flow rates and the hydraulic performance of reactor vessel internals can be determined.

The flow rate through each of the jet pumps is summed and indicated in the main control room. Four jet pumps, two associated with each recirculation loop, are specially calibrated.

They are provided with special pressure taps in the diffuser sections. The differential pressure measured between the special taps allows precise flow calibration using jet pump prototype test performance data. The flow rates through the remaining jet pumps are derived from the measured pressure differences between the jet pump diffuser near the throat end and the core inlet plenum. The flow rates through the jet pumps associated with each recirculation loop are again summed to provide a recorded control room indication of the total flow through the core. A smoothed average of the digital core flow values is available for the purpose of monitoring compliance with the 110% maximum core flow limit.

The control room flow rate readouts of the specially calibrated jet pumps can be used to cross-check the readouts of all the other jet pumps. A discrepancy in the cross-checks is reason enough to check local flow indications.

Flow in each recirculation loop is measured by a flow element as shown in Drawing M-353. Indicated recirculation loop flow rates can be checked by using recirculation pump performance curves and the differential pressure between the reactor vessel annulus and the core inlet plenum. Extreme accuracy of the flow rate operational readouts in the control room is not necessary because precise measurements can be obtained during reactor operation if they are desired. It is sufficient to periodically demonstrate that the reactor recirculation system flow rate is at least the design flow rate during operation at rated power.

A differential pressure transmitter is provided to indicate core pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The line used to determine the pressure in the core inlet plenum is the same line provided for the standby liquid control system. A separate line is provided for the pressure measurement above the core support assembly. Core Plate Flow in M lbs./hr is indicated and recorded in the main control room.

CHAPTER 07 7.8-6 REV. 26, APRIL 2017

PBAPS UFSAR Instrument lines leading from the reactor vessel to locations outside the drywell are each provided with one manual isolation valve and one excess flow check valve. All of the flow and differential pressure instruments are located outside the primary containment.

In addition to these measurements, core flow is calculated by the heat balance core flow measurement (HBCFM). This system uses the process computer (PMS) to calculate core flow by performing a heat balance around the reactor downcomer.

7.8.5.4 Reactor Vessel Internal Pressure Reactor vessel internal pressure is detected by pressure switches, indicators, and transmitters from the same instrument lines used for reactor vessel water level measurements. Several pressure indicators that sense pressure from different, separated instrument lines provide pressure indications in the reactor building. Reactor vessel pressure indications are provided in the main control room. These come from the pressure transmitters used in the feedwater control system. Reactor vessel pressure is continuously recorded in the main control room on four recorders.

Two of these recorders receive a signal from pressure transmitters associated with the feedwater control system. The remaining two recorders and their associated instrumentation are used for accident monitoring purposes. See subsection 7.20.4.2 for additional information on the reactor pressure accident monitoring instruments.

The following list shows where reactor vessel pressure measuring instruments used for the automatic control of equipment or systems are discussed:

Pressure Instrumentation Subsection in Which Discussed Pressure transmitters and "Reactor Protection System" trip units used to (7.2) initiate a scram Pressure transmitters and "Core Standby Cooling Systems pressure compensation Controls and Instrumentation" instruments used for core (7.4) spray system and LPCI CHAPTER 07 7.8-7 REV. 26, APRIL 2017

PBAPS UFSAR Pressure Instrumentation Subsection in Which Discussed Pressure instrumentation "System Operation" (7.9.4.4) used for automatically tripping the reactor recirculation pumps Pressure instrumentation "Alternate Rod Insertion" use for alternate rod (1.6.3.4)"

insertion Pressure transmitters and "Feedwater Control System" (7.10) recorders used for feedwater control Pressure instrumentation "Primary Containment and Reactor used for RHR shutdown Vessel Isolation Control System" cooling line isolation (7.3)

Differential pressure "Core Standby Cooling Systems switches measuring Controls and Instrumentation" differential pressure (7.4) between inside of core spray sparger pipes and core inlet above the core support assembly 7.8.5.5 Reactor Vessel Top Head Flange Leak Detection A connection on the reactor vessel flange is provided into the annulus between the two metallic seal rings used to seal the reactor vessel and top head flanges. This connection permits detection of leakage from the inside of the reactor vessel past the inner seal ring. The connection is piped to a collection chamber installed between two remotely operated valves. The arrangement is shown in Drawing M-351. The upstream valve is normally open, the downstream valve normally closed. A pressure switch is provided to actuate the alarm in the control room as pressure in the leakage collection piping becomes abnormally high.

A local pressure indicator is provided to indicate the pressure inside the piping arrangement. The pressure instruments are located outside the drywell but inside the reactor building. The instrument line for the pressure instruments is provided with one manual isolation valve and one excess flow check valve. The specifications for the pressure instruments are given in Table 7.8.1. The two valves are controlled by a switch in the control room. The positions of the valves are indicated by lights. If leakage past the inner seal ring is indicated, the upstream valve CHAPTER 07 7.8-8 REV. 26, APRIL 2017

PBAPS UFSAR can be closed and the downstream valve can be opened by remote-manual operation from the control room. This action routes the accumulated leakage to the drywell equipment drain sump. After the collection chamber is drained, the remotely operated valves can be returned to their normal positions. The leakage rate can be determined by timing the period until the alarm is reactivated (subsection 4.10, "Nuclear System Leakage Detection and Leakage Rate Limits").

A connection is provided on the reactor vessel beyond the outer metallic head seal. This connection is piped to a point in the drywell accessible during reactor shutdown and is capped. (Note:

In the event that difficulty is encountered in obtaining a pressure tight seal on the inner metallic seal, it is desirable to operate on the outer metallic seal only. It is possible to install a low pressure seal beyond the outer metallic seal and monitor the space between for outer metallic seal leakage by use of this piped connection.)

7.8.6 Safety Evaluation The reactor vessel instrumentation is designed to provide sufficient continuous indication of key reactor vessel operating parameters during planned operations such that the operator can efficiently monitor these parameters and anticipate any approach to operating conditions which could lead to any of the unacceptable safety results discussed in the safety design bases (paragraph 7.8.2). The redundancy of all indicators provided assures that the possibility that all instrumentation could be lost simultaneously is so remote as to be negligible. It is therefore concluded that the safety design bases are satisfied.

7.8.7 Inspection and Testing The large number of spare thermocouples provided on the reactor vessel and its attachments permit cross-checking to verify proper thermocouple response. Pressure, differential pressure, water level, and flow instruments are located in the reactor building and are piped so that calibration and test signals can be applied during reactor operation, if desired.

CHAPTER 07 7.8-9 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.8.1 REACTOR VESSEL INSTRUMENTATION INSTRUMENT SPECIFICATIONS*

Measured Variable Instrument Type Normal Range Accuracy Trip Setting Reactor vessel surface Thermocouple 0-600F ASA C96.1 ---

temperature Reactor vessel top head Thermocouple 0-600F ASA C96.1 ---

surface temperature Reactor vessel top head Thermocouple 0-600F ASA C96.1 ---

flange surface temperature Reactor vessel surface Temperature 0-600F +/-1% ---

temperature recorder Top head flange to reactor Differential tem- +/-300F +/-1% ---

vessel wall differential perature recorder temperature Reactor vessel water level Level indicator See Fig. 7.3.1 +/-2% See Fig. 7.3.1 (pressure compensated)

Reactor vessel water level Level indicator See Fig. 7.3.1 5% See Fig. 7.3.1 Specially calibrated jet Flow transmitter 0-30 psi +/-1/2% ---

pump flow rate Jet pump flow rate Flow transmitter 0-30 psi +/-1/2% ---

6 Specially calibrated jet Flow indicator 0-6x10 lb/hr +/-2% ---

pump flow rate Jet pump flow rate Flow indicator 0-60x106 lb/hr +/-2% ---

Specially calibrated jet Square root --- +/-2% ---

pump flow rate extractor Jet pump flow rate --- +/-1/2% ---

Recirculation loop flow Flow summer --- +/-1/2% ---

rate

Other instruments measuring reactor vessel variables are discussed in sections where the systems using the instruments are described.

CHAPTER 07 7.8-10 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.8.1 (Continued)

Measured Variable Instrument Type Normal Range Accuracy Trip Setting Recirculation loop flow Flow indicator 0-70,000 gpm +/-2% ---

rate Core total flow Controller --- +/-1/2% ---

Pressure difference across Flow recorder 0-120x106 lb/hr +/-2%

core support assembly Reactor vessel annulus to Differential pres- 0-50 psid +/-1%

core inlet plenum differ- sure transmitter ential pressure Reactor vessel annulus to Differential pres- 0-50 psid +/-2%

core inlet plenum sure indicator differential pressure Differential pressure across Differential pres- 0-50 psid +/-1%

the core support assembly sure transmitter Reactor vessel pressure Pressure indicators 0-1,500 psig +/-2%

Reactor vessel flange leak Pressure switch 0-1,500 psig +/-2% 600 psig detection piping internal pressure Reactor vessel flange leak Pressure indicator 0-1,500 psig +/-2%

detection piping internal pressure CHAPTER 07 7.8-11 REV. 21, APRIL 2007

PBAPS UFSAR 7.9 RECIRCULATION FLOW CONTROL SYSTEM 7.9.1 Power Generation Objective The power generation objective of the recirculation flow control system is to control reactor power level over a limited range by controlling the flow rate of the reactor recirculating water.

7.9.2 Power Generation Design Basis The recirculation flow control system is designed to allow manual recirculation flow adjustment to control reactor power level.

7.9.3 Safety Design Basis The recirculation flow control system functions so that no abnormal operational transient caused by a malfunction in the recirculation flow control system can result in fuel damage or excessive nuclear system pressure.

7.9.4 Description 7.9.4.1 General Reactor recirculation flow is controlled by regulating the speed of the two reactor recirculating pumps. By adjusting the frequency of the electrical power supplied to the recirculation pump motors, the recirculation flow control system affects changes in reactor power level.

Control of pump speed, and thus core flow, is such that at various control rod patterns, different power level changes can be manually accommodated. For a rod pattern (called the rated pattern) where rated power accompanies 100 percent flow, power change control down to approximately 65 percent of full power is possible over a range of approximately 35 percent of the maximum operating power level for that rod pattern. Thus, the manual power control range is approximately a constant fraction of operating power but a variable absolute power range.

An increase in recirculation flow temporarily reduces the void content of the moderator through the core. The additional neutron moderation increases the reactivity of the core, which causes the reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner.

CHAPTER 07 7.9-1 REV. 26, APRIL 2017

PBAPS UFSAR Figure 7.9.1 illustrates how the recirculation flow control system operates.

Each recirculation pump motor has its own ASD for a power supply.

Four Remote Input/Output cabinets (two for each ASD) are provided to process signals between the ASD sub-compartments and the MCR.

To change the speed of the reactor recirculation pump, both operator and system initiated speed commands to the ASD changes the frequency and magnitude of the voltage supplied to the pump motor to give the desired pump speed. The recirculation flow control system uses a demand signal from pushbuttons and switches provided by the operator.

7.9.4.2 Adjustable Speed Drive The ASD provides variable speed operation to the recirculation pump motors by converting utility power at fixed frequency and voltage to variable frequency and voltage power. This conversion is done electronically, without moving parts. The ASD can continuously supply power to the pump motor at any speed between 20 percent and 100 percent of pump motor speed once the minimum startup speed of 29.7 percent is reached. The ASD is capable of starting the pump and accelerating it from standstill to the desired operating speed under any pump loading conditions.

The Unit 3 ASD is located in a Power Distribution Center (PDC) between the Torus Dewatering Tank (TDT) and the roadway northwest of the Unit 3 Reactor Building. The Unit 2 ASD is located inside the Radwaste Building at Elevation 135' near the west wall.

Each ASD unit consists of 7 cabinets: Input cabinet, Transformer cabinet, Fuse/Pre-charge cabinet {FPC), Power Cell cabinet, Output power cabinet, Relay cabinet, and Coolant System Cabinet (CSC).

The Unit 2 CSC is separated from the other ASD cabinets and is located at Elevation 150' of the Radwaste Building.

ASD Cabinet Description The 13.8kV input power is provided to the ASD through the Input cabinet and is then stepped down to 750V secondary winding outputs that supply voltage power cell input rectifiers. The FPC cabinet accommodates the cell input fuses that protect the cells from failure as well as providing input primary power interruption by monitoring the input voltages and currents so that the transformer secondary-side faults are identified quickly. In the Power cabinet, the power cells of the ASD rectify the input power to DC then invert to variable frequency and voltage AC power to drive the recirculation pump motor, via the Output panel and RPT CHAPTER 07 7.9-2 REV. 26, APRIL 2017

PBAPS UFSAR breakers. The Relay cabinet monitors the output characteristics of the ASD. The CSC maintains the operating temperature. Remote communication is made with the ASD through the use of the RIO panels.

7.9.4.3 Speed Control for the Adjustable Speed Drive Low Flow Runback The automatic low flow runback is generated from the ASD RIO Cabinet and automatically limits recirculation pump speed to 30 percent if the recirculation pump main discharge valve is not fully open, the total feedwater flow is less than 20 percent rated flow after time delay, or upon detection of a reactor scram signal (Ref. Section 7.10.3.4.9). Without the low flow runback, the recirculation pump could overheat if the recirculation pump discharge valve is partly closed. The low flow runback also reduces the recirculation flow if the feedwater flow drops below 20 percent after time delay, to prevent cavitation in the recirculation or jet pumps. The low flow runback reduces the recirculation flow to minimize this reactor level drop to shrink effects following a reactor scram. Reducing recirculation flow slows this rate of void collapse giving the feedwater system time to respond. The low flow runback must be manually reset by the Operator to increase recirculation pump speed above 30 percent during the reactor start-up sequence or whenever the low flow runback is activated as long as the recirculation pump main discharge valve is fully open, total feedwater flow is above 20 percent, and a reactor scram is not present.

High Flow Runback The automatic high flow runback is generated from the ASD RIO Cabinet and automatically limits recirculation pump speed to 45 percent if reactor water level is less than 17" and individual feed pump flows less than 20 percent or total feed flow is greater than 85 percent (Ref. Section 7.10.3.4.9) and all three condensate pump breakers are not closed. The high flow runback must be manually reset by the Operator to increase recirculation pump speed above 45 percent during the reactor start-up sequence or whenever the high flow runback is activated as long as the above plant logic is satisfied.

The raise/ speed functions provided by the ASD are enabled after the startup speed of the recirculation pumps have, been obtained (minimum speed of 29. 7 percent has been reached), then speed can be lowered to 20 percent and/or any speed changes via remote raise/lower or local raise/lower functions can be made above the minimum speed of 20 percent (333 RPM). The following is a list of CHAPTER 07 7.9-3 REV. 26, APRIL 2017

PBAPS UFSAR functions that are available to change the recirculation pump's motor speed using ASD:

a) Raise Low: By depressing the Raise Low pushbutton speed will increase 0.06 percent (1 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) b) Raise Medium: By depressing the Raise Medium pushbutton speed will increase 0.3 percent (5 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) c) Raise High: By depressing the Raise High pushbutton speed will increase 0.6 percent (10 RPM) per push at 2.0 percent/ sec (33.3 RPM/sec) d) Lower Low: By depressing the Lower Low pushbutton speed will decrease 0.06 percent (1 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) e) Lower Medium: By depressing the Lower Medium pushbutton speed will decrease 0.3 percent (5 RPM) per push at 2.0 percent/sec (33.3 RPM/sec) f) Lower High: By depressing the Lower High pushbutton speed will decrease 1.8 percent (30 RPM) per push at 2.0 percent/sec (33.3 RPM/sec)

The motor speed cannot be lowered below 20 percent or raised above 100 percent. As soon as the ASD detects the "Remote Stop" or the "Local Stop" signal, it initiates a coast stop by disabling the drive output and concurrently tripping the drive Input Circuit Breaker (ICB) by de-energizing the Trip Input Medium Voltage Relay (TIMV) relays. The Medium Voltage (MV) ICB will open (de-energizes the TIMV relay) if the speed goes below 18 percent (300 RPM) after a startup complete (minimum speed of 29.7 percent has been obtained). This will preclude an inadvertent breaker closure/motor restart.

7.9.4.4 System Operation 7.9.4.4.1 Recirculation Loop Starting Sequence Each recirculation loop is independently put into operation by operating the controls of each recirculation loop as follows:

1. The recirculation loop suction valve is fully open.

2. The recirculation loop discharge valve is fully closed.

3. A "Ready to Pre-charge" signal is sent out if Control voltage is available, Low voltage is available, flow is above minimum value, the pre-charge circuit breaker is closed with voltage present for pre-charge, and the pre-charge permissive signal (used for remote control) is present.

CHAPTER 07 7.9-4 REV. 26, APRIL 2017

4. The ASD internally controls the resonant pre-charge sequencing. The "Pre-Charge in Progress" signal is sent out and when pre-charging is complete and a close Medium Voltage signal is issued to the user. The MV breaker will close within 3 seconds from issuing the close request.

5. Once medium voltage is sensed by the ASD, the "Pre-Charge Complete" and "Ready to Run" signals are issued.

6. The ASD can now process a "Remote Start" sequence from the user ramping to minimum pre-defined speed.

7. Upon reaching this speed the "Drive Running" signal goes high and the ASD continues running the motor to demanded speed.

8. If there is a fault in the sequence and I or a failed start the "Pre-Charge Fault" signal is issued.

9. Recirculation flow is increased during startup by manually increasing recirculation pump speed and by opening the recirculation loop discharge valve.

7.9.4.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT)

A recirculation pump trip (ATWS-RPT) on reactor high pressure or reactor low water level has been provided to limit the consequences of a failure to scram during a transient.

General Electric Company Topical Report NEDO-10349, March 1971 evaluates the effects of an anticipated transient without scram event.

The report is applicable to Peach Bottom Units 2 and 3 with the exception that high neutron flux and the time delay discussed in the report are not used. The Peach Bottom Units and 3 response to the event and the system design performance are within the envelope of the report's studied events. The reactor recirculation pump ASDs are automatically tripped when redundant coincident logics of reactor high pressure or reactor low water level are tripped.

An automatic alternate rod insertion (ARI) takes place simultaneously with ATWS-RPT. ARI is discussed in subsection 1.6.3.4.

CHAPTER 07 7.9-5 REV. 26, APRIL 2017

PBAPS UFSAR If automatic or manual insertion of rods fails, the operator injects boron into the reactor using the standby liquid control system (subsection 3.8).

ATWS-RPT and ARI uses four reactor pressure and four reactor level outputs from the compensated reactor water level instruments (subsection 7.8). These instrument channels are the same ones used by the Core and Containment Cooling Systems.

The ATWS recirculation pump trip circuit is shown functionally in Drawings M-1-CC-4, Sheets 1 through 12, and M-1-CC-46, Sheets 1 and 2.

For Peach Bottom Unit 2 and 3, General Electric-Hitachi Task Report, PEAM-EPU-70 (Task T0902), analyzed the ATWS event under extended power uprate conditions at 3951 MWt. The 13.8 kV feeder breaker to the reactor recirculation ASDs are automatically tripped when redundant coincident logics of reactor high pressure or reactor low water level are tripped.

7.9.4.4.3 End-of-Cycle Recirculation Pump Trip (EOC-RPT)

The End-of-Cycle Recirculation Pump Trip (EOC-RPT) improves the response to plant pressurization transients (e.g. turbine trip, generator load rejection) by disconnecting the recirculation pumps from the ASDs immediately upon receipt of a turbine stop valve (TSV) or control valve (TCV) trip signal to reduce system inertia and effect a quicker pump coastdown.

The EOC-RPT is composed of two 4.16 kV circuit breakers connected in series between each recirculation ASD and recirculation pump motor. These breakers provide a redundant means of tripping each pump. TSV closure and TCV fast closure from Reactor Protection System (RPS) logic channels A1 and B1 form one trip system and trip one EOC-RPT breaker for each recirc. pump. TSV closure and TCV fast closure signals from RPS logic channels A2 and B2 form the second trip system and trip the second EOC-RPT breaker for each recirc. motor. Each EOC-RPT trip channel utilizes two TSV closure and two TCV fast closure signals from RPS (subsection 7.2). The reactor recirculation pumps are automatically tripped when both TSV or TCV inputs are actuated in either logic channel.

An automatic bypass of the EOC-RPT is applied whenever the reactor thermal power is less than 26.7% RTP (as indicated by turbine first stage pressure). Test switches are provided to allow EOC-RPT logic channel testing without tripping the recirc. pumps. An annunciation is also provided in the control room which indicates when a switch is in the TEST position. An annunciation is also provided which indicates the loss of EOC-RPT logic circuit control CHAPTER 07 7.9-6 REV. 26, APRIL 2017

PBAPS UFSAR power. The EOC-RPT trip circuit is shown functionally in Drawing M-1-CC-46, Sheets 1 and 2.

The EOC-RPT related equipment are designed to withstand an Operating Basis Earthquake (OBE) (NRC Letter of March 15, 1995 to PECO Energy).

7.9.5 Safety Evaluation There is no inherent inertia driven coastdown power or braking force applied to the recirculation pump motor upon ASD stop or trip. As a result, the GNF2 ECCS-LOCA analysis demonstrated compliance with the 10 CFR 50.46 acceptance criteria, and concluded that the coastdown rate of the Recirculation pumps with the ASD is acceptable.

Transient analyses described in Section 14.0, "Plant Safety Analysis," show that no malfunction in the recirculation flow control system, including ATWS-RPT and EOC-RPT, can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis.

The original safety evaluation for the Anticipated Transient Without Scram Trip of the recirculation pump is contained in General Electric Company Topical Report NEDO-10349, March 1971.

Under EPU conditions for both Units 2 and 3, the safety evaluation for the Anticipated Transient Without Scram Trip of the recirculation pump is contained in General Electric Hitachi Safety Analysis Report NEDC-33566P, dated September 2012.

The effects of EOC-RPT on the transient analysis are described in subsection 14.5.

7.9.6 Inspection and Testing ASDs and associated controls are functioning during normal power operation. Any abnormal operation of these components can be detected during operation. The components which do not continually function during normal operation can be tested and inspected during scheduled plant shutdowns.

CHAPTER 07 7.9-7 REV. 26, APRIL 2017

PBAPS UFSAR 7.10 FEEDWATER CONTROL SYSTEM 7.10.1 Power Generation Objective The power generation objective of the feedwater control system is to maintain a pre-established water level in the reactor vessel during normal plant operation.

7.10.2 Power Generation Design Basis The feedwater control system regulates the feedwater flow so that the proper water level in the reactor vessel is maintained to meet the requirements of the steam separators over the entire power range of the reactor.

7.10.3 Description The feedwater control system, during normal plant operation, automatically regulates feedwater flow into the reactor vessel.

The system is capable of being manually operated.

The automatic feedwater control system consists of dual redundant digital control systems (see Figure 7.10.1). Each digital control system consists of a control computer with a complete process input/output subsystem. Each process parameter signal inputted into the feedwater control system is provided to each digital control system. Outputs from the feedwater control system come through the hardwired transfer of control logic (TOCL) from the "controlling" digital control system.

The automatic feedwater control system incorporates fault tolerance in its design so that any single failure, internal or external to the feedwater control system, will not result in the loss of feedwater control. This is done by automatically switching to another level element for control, automatically changing control modes, or switching to the backup digital control system upon detection of a failure. For example, if the "A" level sensor is selected for control and fails, the feedwater control system will automatically switch over to "AUTO" level selection and use the "B" or "C" level sensor.

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel.

During automatic operation, these three measurements are used for controlling feedwater flow.

The optimum reactor vessel water level is determined by the requirements of the steam separators which limit the water carryover with the steam going to the turbines and limit the steam CHAPTER 07 7.10-1 REV. 26, APRIL 2017

PBAPS UFSAR carryunder with the water returning to the core. The water level in the reactor vessel is maintained within +/-2 in of the optimum level. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow regulation is achieved by adjusting the steam flow to the turbine driven feedwater pumps to deliver the required feedwater flow to the reactor vessel.

7.10.3.1 Reactor Vessel Water Level Measurement Narrow range reactor vessel water level is measured by three sensing systems. Two of the sensing systems are connected to the same reactor vessel instrumentation taps. The third is connected to a separate set of taps and provides independent signals. Each sensor system is electrically independent. Each system uses a differential pressure transmitter that senses the difference between the pressure due to a constant reference column of water and the pressure due to the variable height of water in the reactor vessel. These differential pressure transmitters are installed on lines that serve other systems (subsection 7.8, "Reactor Vessel Instrumentation"). Pressure transmitters supply reactor vessel pressure signals which are used to correct for density changes in the reactor vessel water. The differential pressure and pressure signals are fed into the digital control computer which calculates the corrected level signal for indication and control. The corrected reactor vessel water level and pressure from each sensing system are indicated in the control room. The corrected level signal from any of the sensing systems can be automatically selected (by digital control computer) or manually (by control room operator) as the signal to be used for feedwater flow control. The corrected level signals are used to trip the main and reactor feedpump turbines on high reactor water level. The main and reactor feedpump turbines reactor high level trip signal is derived by a two-out-of-two logic taken once. The two-out-of-two logic consists of each feedwater digital control computer providing an input to trip. Each digital control computer trip logic consists of three (3) contacts in parallel.

Two contacts actuate via testable digital outputs and the other contact monitors the status (online/offline) of the digital control computer. The two testable digital outputs normally actuate on a high reactor level signal. These outputs can be tested within the control program to allow functional testing of the trip circuit while at power (per NRC generic letter 89-19).

The contact that monitors the status of the digital control computer provides a fail-safe trip signal should that digital computer go off-line and therefore possibly not be able to determine if reactor water level is high or low. The reactor vessel water level and pressure are continually recorded in the CHAPTER 07 7.10-2 REV. 26, APRIL 2017

PBAPS UFSAR control room. High and low level alarms are also provided in the control room.

Three (3) pressure compensated wide range reactor water level signals are also used by the feedwater control system. These wide range level signals are only used if all three of the narrow range level signals are bad or on the downscale side of their calibrated range. The main function of these wide range level signals within the feedwater control system is to provide a level signal to this control system when reactor level is below the narrow range following a reactor scram.

7.10.3.2 Steam Flow Measurement The steam flow is measured across each main steam line flow restrictor by a differential pressure transmitter. This differential pressure steam flow signal is then inputted into the digital control computers which linearize the signal to produce a mass flow rate. The steam flow signals are added to produce a total steam flow signal for indication and feedwater flow control.

The steam flow rate from each main line is indicated in the control room. The total steam flow is recorded in the control room.

7.10.3.3 Feedwater Flow Measurement The feedwater flow measurement normally used in the plant heat balance computation is obtained from a dedicated system (Leading Edge Flow Meter, or LEFM) that utilizes ultrasonic technology to accurately determine feedwater mass flow.

Feedwater flow is also measured as differential pressure at each reactor feed pump discharge. This differential pressure feedwater flow signal is then inputted into the digital control computers which linearizes the signal to produce a mass flow rate. The total feedwater mass flow rate signal is used for indication and feedwater flow control. The individual line and total feedwater flows are recorded in the control room. When the LEFM is not in service, these feedwater flow signals are used in the plant heat balance.

Additionally, feedwater flow is measured at the inlet of the third feedwater heaters for condensate recirculation flow control and is separately logged on the process computer (subsection 7.16),

"Process Computer System").

CHAPTER 07 7.10-3 REV. 26, APRIL 2017

PBAPS UFSAR 7.10.3.4 Feedwater Control System The digital feedwater control system provides control for the following functions:

1. Three (3) element reactor level control.

2. Single or one (1) element reactor level control.

3. High pressure startup level control.

4. Low pressure startup level control.

5. Reactor feedwater pump min flow protection.

6. Reactor feedwater pump discharge check valve control on low flow.

7. Not Used

8. Interlocks to rod worth minimizer from total feedwater and steam flow signals.

9. Runbacks to the reactor recirculation control system.

10. Function deleted

11. 90% flow limiter on loss of condensate pump or reactor scram.

12. Feedforward control.

13. Setpoint setdown following a reactor scram.

14. Scaling up of feedwater and steam flow signals.

15. Auto calibration of steam flow signals.

16. Fault tolerant logic.

17. Bumpless transfer between automatic and manual modes.

18. Testability and maintainability.

19. Total feedwater flow signal to the Hydrogen Water Chemistry System 7.10.3.4.1 Three (3) Element Reactor Level Control In three (3) element control the feedwater control system determines the difference between the total feedwater flow signal against the total steam flow signal. This difference is designated as steam flow/feedwater flow error signal. If steam flow is greater than feedwater flow, this difference is increased from its normal value of zero when steam and feedwater flows are equal. The reverse is also true. This steam flow/feedwater flow error is then added to the reactor water level signal to provide an adjusted level signal. The feedwater control system controls reactor feedwater pump speed in order to control the adjusted level signal to the operator selected setpoint. The three (3) element control mode is the control mode normally used during power operation (nominally 30% to 100% power).

7.10.3.4.2 Single or One (1) Element Reactor Level Control Single element control is similar to the three element control (described in 7.10.3.4.1). However, single element control does not use the steam flow/feedwater flow error signal to adjust the CHAPTER 07 7.10-4 REV. 26, APRIL 2017

PBAPS UFSAR reactor level signal. In single element control the feedwater control system controls the reactor feedpump speed in order to control the unadjusted reactor level signal to the operator selected setpoint. The single element control mode is the control mode normally used during low power operation (nominally 5-30%

power).

7.10.3.4.3 High Pressure Startup Level Control The high pressure startup level control uses single element control (discussed in 7.10.3.4.2) to control the "C" reactor feedwater pump discharge valve bypass control valve position.

This valve uses the "C" reactor feedwater pump discharge (which is variable based on pump speed selected by operator) as its source of water. The feedwater control system modulates the flow through this valve in order to maintain unadjusted reactor level (single element) to the operator selected setpoint. The high pressure startup level control is used during low power/high pressure operation (nominally 450 psig to 10% power). This control method can be used at low pressures by allowing condensate to windmill through the "C" reactor feedwater pump.

7.10.3.4.4 Low Pressure Startup Level Control The low pressure startup level control uses single element control (discussed in 7.10.3.4.2) to control the reactor feedwater pump bypass control valve position. This valve uses condensate header pressure as its source of water. The feedwater control system modulates the flow through this valve in order to maintain unadjusted reactor level (single element) to the operator selected setpoint. The low pressure startup level control is used during shutdown (0 psig) up to a maximum of the condensate pump shutoff head (approx. 600 psig).

7.10.3.4.5 Reactor Feedwater Pump Minimum Flow Protection The feedwater control system provides three (3) digital outputs which operate on low reactor feedwater pump flow (one per pump).

These digital outputs provide control signals to their respective minimum flow control valves. Opening these minimum flow valves ensures that the pump net positive suction head requirements are maintained. These digital outputs also go to three (3) reactor feedwater pump low flow annunciators (one per pump) via an auxiliary relay.

7.10.3.4.6 Reactor Feedwater Pump Discharge Check Valve Control on Low Flow The feedwater control system provides three (3) digital outputs which operate on low reactor feedwater pump flow (one per pump).

CHAPTER 07 7.10-5 REV. 26, APRIL 2017

PBAPS UFSAR These digital outputs provide control signals to their respective reactor feedwater pump discharge check valves. Closing the discharge check valve on low flow reduces the probability of the check valve sticking open and then slamming closed on reverse flow.

7.10.3.4.7 Deleted 7.10.3.4.8 Interlocks to Rod Worth Minimizer From Total Feedwater and Steam Flow Signals The feedwater control system provides two (2) digital outputs to the rod worth minimizer system. One output is a combination of low/high feedwater and steam flow which is used for the rod worth minimizer low power setpoint. The second output is on low/high steam flow and is used for the rod worth minimizer low power alarm point.

7.10.3.4.9 Runbacks to the Recirculation Control System The feedwater control system provides three (3) digital outputs to each recirculation pump control system. The first output provides a low total feedwater flow signal, with time delay, or a combination of a reactor scram signal in conjunction with low reactor level which runs back the respective reactor recirculation pump to lower flow limit (30%) speed limiter. This runback ensures sufficient net positive suction pressure to the reactor recirculation pump(s) and improves reactor water level response following a scram from high power. The second and third outputs are part of the high speed runback circuit. The second output provides a high total feedwater flow signal which, in conjunction with less than three (3) condensate pumps in service, results in reactor recirculation runback. A reactor recirculation system runback on this condition is required to reduce total feedwater flow to within the capabilities of two (2) condensate pumps and thereby maintaining the required reactor feedwater pump net positive suction head requirements. The third output is a combination of less than three (3) reactor feedwater pumps in service (as sensed by the lowest reactor feedwater pump flow being low) and a simultaneous low level in the reactor. A reactor recirculation system runback on this condition is required since the remaining reactor feedwater pumps are not able to maintain reactor level at this power level. (Reference Section 7.9.4.3) 7.10.3.4.10 Function deleted 7.10.3.4.11 90% Flow Limiter on Loss of Condensate Pump or Reactor Scram CHAPTER 07 7.10-6 REV. 26, APRIL 2017

PBAPS UFSAR The feedwater control system will limit reactor feedwater pump speed on less than three (3) condensate pumps in-service or a full reactor scram with three (3) reactor feedwater pumps in-service.

The reactor feedwater pump speed is limited to a speed which is equivalent to ninety percent (90%) nuclear boiler rated flow.

There are two (2) separate speed limiters within the feedwater control system. One speed limiter is set for three (3) reactor feedwater pumps in-service. The second limiter is set for only two (2) reactor feedwater pumps in-service. Both limiters are set for only two (2) condensate pumps in-service.

With only two (2) condensate pumps in-service the condensate system can only support ninety percent (90%) nuclear boiler rate flow. (At this power level the required reactor feedwater pump suction pressures will be maintained.)

Due to reactor level shrink following a scram, the reactor feedwater control system increases its reactor feedwater pump speed demand signal to 100 percent (maximum speed). The condensate system cannot support three (3) reactor feedwater pumps operating at maximum speed even with three (3) condensate pumps in-service. Therefore, the feedwater control system will limit the reactor feedwater pumps to a speed equivalent to ninety percent (90%) nuclear boiler rated flow (with two (2) condensate pumps in-service) on a reactor scram with three (3) reactor feedwater pumps in-service (if three (3) condensate pumps are in-service the resultant flow rate will be something greater than 90% nuclear boiler rated).

7.10.3.4.12 Feedforward Control The feedwater control system provides the option to use feedforward control. (This feature can be enabled/disabled as desired.) Feedforward control biases the feedwater controller output signal based on an inferred reactor power signal. The reactor power signal is inferred by filtering total steam flow. By using feedforward control the proportional and integral controller tuning may be adjusted to give a quicker response to a transient since the feedforward bias will set the controller output to the approximate required output for that power level.

7.10.3.4.13 Setpoint Setdown Following a Reactor Scram The feedwater control system provides the option to automatically lower the master controller set point (setpoint setdown), via a pre-programmed function curve based on starting power level and time since initiated, upon receipt of a validated scram signal.

(A scram signal is validated by the feedwater control system by verifying a rapid decreasing level signal which occurs as a result of a reactor scram).

CHAPTER 07 7.10-7 REV. 26, APRIL 2017

PBAPS UFSAR Following a reactor scram, the water inventory being displaced by steam voids within the reactor are no longer displaced and water level drops. However, no actual water inventory is lost. This is referred to as shrink. In response to the shrink, the feedwater control maximizes feedwater flow to recover water level. After the feedwater system recovers water level to some point, the decay heat in the reactor core heats the cool feedwater which results in expanding the water. This expansion of the water results in the reactor water level rising. This is referred to as swell. The purpose of the setpoint setdown function is to prevent the water level from reaching a low level Emergency Core Cooling System (ECCS) pump start due to shrink effects and prevent a high level Reactor Feedwater Pump Turbine trip due to swell effects. This feature of the digital feedwater control system can be enabled/disabled via software tuning as desired.

7.10.3.4.14 Scaling-up of Feedwater and Steam Flow Signals The feedwater control system provides the option to automatically scale-up the total feedwater or total steam flow. Scaling-up of feedwater and steam flow signals approximates what total feedwater and steam flow is based on what the other good flow signals are reading if one or more inputs are bad. If a feedwater or steam line flow signal is bad, total feedwater and steam flow signals will be in error. Scaling-up the good signal(s) approximates the total flow signal and provides the operator with better indication. The three (3) element control mode cannot be selected if any flow input to the replacement feedwater control system is bad with the feedwater and steam flow scale-up enabled or disabled. The scaling-up of the feedwater flow signal has logic built in to determine if a pump is running based on speed.

However, neither feedwater or steam flow scale-up has logic to detect if a valve is closed (RFP discharge valve or main steam isolation valve). This feature can be enabled/disabled via software tuning as desired.

7.10.3.4.15 Auto Calibration of Steam Flow Signals The feedwater control system provides the option to automatically calibrate the steam flow signals. Auto calibration of the steam flow signals uses filtered total steam flow as a basis to infer reactor power level. The steam flow signal calibrations are adjusted based on this inferred reactor power level to account for density changes in the steam at the different power levels. This feature can be enabled/disabled via software tuning as desired.

CHAPTER 07 7.10-8 REV. 26, APRIL 2017

PBAPS UFSAR 7.10.3.4.16 Fault Tolerant Logic The feedwater control system incorporates fault tolerance in its design so that any single failure to the feedwater control system will not result in the loss of feedwater control. This fault tolerant logic is designed to handle failures internal to the actual control system or failures external to the control system (field transmitters). Field signal failures are detected by either being out-of-range or violating a spread check with an equivalent-independent field signal (redundant transmitter). On field signal failures the control system will switch to another redundant field signal or change to another method of control. On internal failures the control system will fail over to a backup control computer. All detected failures will result in a control room alarm to alert the operator of the problem. Means are provided local to the digital feedwater control system to identify which control computer is in control and if any trouble alarm is up for that control computer. With a portable CRT/keyboard the source of any trouble alarm can be easily narrowed down to a given input/output instrument loop and/or internal computer trouble.

The basis of the system is to have a mean time between failures of greater than 10 years (failure here is defined as a failure of the feedwater control system that results in a unit trip) which is based on a component mean time between failure rate of greater than one year and a mean time to repair of less than eight hours.

(Mean time to repair is defined as time from first identification of trouble to time system is returned to full service). During this period of maintenance, the system does not have complete fault tolerance protection. That is, a single failure during this maintenance period may not be protected against and therefore could result in a loss of feedwater control and/or a plant trip.

7.10.3.4.17 Bumpless Transfer Between Automatic and Manual Modes Bumpless transfer between automatic and manual modes reduces control system induced transients. In automatic mode, the manual signal within the level control stations tracks the automatic control signal. Therefore, at the instant of transfer to manual mode, there is no change in the final control signal output to the associated RFPT (i.e., bumpless). In manual mode, the reactor level setpoint tracks within the level control stations the actual reactor water level (within the permitted operating range). In addition, when in manual mode, the controller does not perform the control algorithm, but instead tracks the manual signal.

Therefore, when transferring to automatic mode, the actual process will match setpoint and the resultant controller output (which equals the manual control signal just prior to the transfer) will not change (i.e., bumpless).

CHAPTER 07 7.10-9 REV. 26, APRIL 2017

PBAPS UFSAR 7.10.3.4.18 Testability and Maintainability With the addition of fault tolerance, additional testability and maintainability is added. In particular, the system is designed to allow for system testing without lifting any permanent plant wiring (this is accomplished with knife switch type terminal blocks with integral test connections). The reactor high level trip circuit to the RFPT's and the main turbine is designed to allow testing of this logic while at power. The system is also designed to permit the removal, repair, and return to service of any discrete component within the control system while at power.

During the periods of testing and/or maintenance complete fault tolerance is not necessarily available. Therefore, certain single failures during these periods could result in a plant transient.

7.10.3.4.19 Total Feedwater Flow Signal to the Hydrogen Water Chemistry System The feedwater control system provides a total feedwater flow signal to the hydrogen water chemistry system 7.10.4 Turbine Driven Feedwater Pump Control Feedwater is delivered to the reactor vessel by three turbine driven feedwater pumps arranged in parallel. The turbines are normally driven by steam taken from the main high pressure turbine exhaust lines. Under low load conditions or a sudden load increase condition, each turbine is supplied with main steam through a separate high pressure admission valve. The dual steam admission system operates from a common control linkage. The low pressure admission valves open first, followed by high pressure admission valves as required by the feedwater control system.

The turbine drive speed is controlled by a electro-hydraulically boosted electromechanical servo positioning system. During normal operation, the control signal from the feedwater control is fed to the turbine speed control system. The turbine speed control system adjust the steam flow of their associated turbines so that reactor feedpump turbine speed is proportional to the feedwater control signal.

Each turbine is controlled by the digital control computers.

7.10.4.1 Turbine Trips To protect the feedwater pump and/or feedwater pump turbine, the following conditions initiate closure of the turbine stop valve:

1. Feedwater pump turbine low control oil or bearing oil pressure.

CHAPTER 07 7.10-10 REV. 26, APRIL 2017

2. Feedwater pump turbine primary overspeed (110 percent rated).

3. Feedwater pump turbine excessive thrust bearing wear.

4. Deleted.

5. Deleted.

6. Feedwater pump turbine manual trip (local and remote).

7. Low feed pump suction pressure (after time-delay).

8. Reactor vessel high water level.

9. Trip signal from the turbine speed control system which include A. Secondary overspeed (x2)

B. Low-low hydraulic oil pressure C. Loss of speed feedback signals D. Critical controller faults A probalistic missile evaluation has been performed on the feedwater pump turbine and is described in subsection 11.2.

7.10.4.2 Loss of Control Signal to RFPT The output signal of each DFCS computer to the RFPT speed controllers is monitored to initiate either a RFPT lockup signal or a Failover to the Backup Control Computer upon loss of control signal. The desired action on loss control signal is selectable ahead of time. After failover if the control signal is lost, then a lockup signal is generated. Annunciators and alarms are actuated to identify the RFPT with the control signal failure.

When the loss of control signal lockup is generated interlocks are actuated which switch the RFPT speed controller from remote auto (DFCS M/A Station) into remote manual (Manual Speed Control {MSC})

mode of control. This transfer of control occurs bumplessly so there is no change at the time of transfer. After the transfer the operator has the ability to change RFPT speed as desired.

CHAPTER 07 7.10-11 REV. 26, APRIL 2017

PBAPS UFSAR 7.11 PRESSURE REGULATOR AND TURBINE-GENERATOR CONTROL SYSTEM 7.11.1 Power Generation Objective The power generation objective of the pressure regulator and turbine-generator control system is to maintain constant reactor pressure.

7.11.2 Power Generation Design Basis The pressure regulator and turbine-generator control system maintains constant reactor pressure during planned operations and operates the steam bypass system up to 22.39 percent of full load to assist in maintaining constant reactor pressure.

The pressure regulator and turbine-generator control system accomplishes the following control functions:

1. Controls speed and acceleration from 0 to 111 percent speed with nominal speed reference settings. At 100 percent speed with the circuit breaker closed, the 100 percent speed reference signal is locked in.

2. Controls reactor pressure in the range from 150 psig to approximately 1,100 psig.

7.11.3 Description 7.11.3.1 Normal Control System Normal operating control of the pressure regulator and turbine control system is an electrohydraulic servo positioning system basically consisting of interconnected control units (Figure 7.11.1). These control units combine their signals to modulate the position of the control, bypass, and combined intermediate valves on the turbine. These subsystems can be designated as speed control, load control, pressure control, bypass control, and valve positioning control units. For Unit 2, the functions of speed control, load control, pressure control, and steam bypass control are performed by dual redundant digital controllers in the Turbine Control System (TCS). The description of these units is as follows:

1. Speed Control Unit The speed control unit receives a speed signal from the shaft speed pickup and compares it to a speed reference signal to produce a speed error signal. The speed control unit also differentiates the speed signal to produce an acceleration signal. This signal is compared CHAPTER 07 7.11-1 REV. 26, APRIL 2017

PBAPS UFSAR against the acceleration reference to produce an acceleration error signal, which is integrated and combined with the speed error signal to produce output of the speed control unit. For Unit 3, redundancy is provided by use of two independent speed and acceleration signals. For Unit 2, redundancy is provided by the use of a validated speed signal using speed sensors, as an input to each of the redundant digital controllers.

2. Load Control Unit The load control unit accepts the speed-acceleration error signal, conditions it to establish the proper loop gain for the applicable control valve servo positioners, compares the speed-acceleration signal with the manually selected load set signal, and provides the output signals to position the control and combined intermediate valves on the turbine. The unit closes the main control valves at 105 percent of speed and closes the combined intermediate valves at 107 percent of speed. An operating bias keeps the combined intermediate valves wide open until the control valves reach a fully closed position. The load control unit also accepts the limit signal (e.g., load limits, maximum combined flow limit, valve position limit, power-load unbalance limit, etc) and combines them to modify or limit the output signals.

3. Pressure Control Unit The pressure control unit is a redundant pressure controller which maintains constant reactor pressure in coordination with the speed and load control. The pressure control unit accepts two independent main steam pressure signals which are measured ahead of the main stop valves, compares them with manually selected pressure reference signals, and produces lead or lag compensated pressure error signals. For Unit 3, of the two-pressure measurement and error signal producing circuits, the lower pressure unit exercises the control.

For Unit 2, the two redundant pressure controllers are provided with the primary controller in the control and the backup controller in standby where both controllers use a validated pressure signal from two main steam pressure signals. The compensated pressure error signal is conditioned to provide the proper control loop gain and produces the total flow demand signal. For Unit 2 and Unit 3, this signal passes through a pressure-load low value gate wherein the load control unit's control CHAPTER 07 7.11-2 REV. 26, APRIL 2017

PBAPS UFSAR valve signal is compared with the total steam flow signal and the lower of the two is allowed to pass as an input to the control valve-positioning servo mechanisms.

4. Bypass Control Unit The total flow demand signal of the pressure control unit and the control valve flow signal output from the pressure-load low value gate are sent to the bypass control unit. The bypass control unit adds a bias to the control valve flow signal and subtracts this sum from the total steam flow to produce the total flow error signal. The total flow signal passes through a high value gate where the bypass opening jack reference signal can override it. The signal can be interrupted by the maximum combined flow limit or condenser low pressure . The output of the bypass control unit is the bypass flow signal to the bypass valve servo mechanisms.

In this manner, if the total steam flow signal exceeds the control valve flow signal, the bypass valve will open to bypass the excess to the condenser without interrupting turbine speed control, and at the same time maintain a constant reactor pressure. An annunciator has been provided to indicate when a bypass valve is open.

5. Valve Positioning The control valve-positioning units are essentially electrohydraulic, close-looped, servo-mechanism position control systems receiving the control valve flow signal from the low value gate, which compares the output of the load control unit with the pressure control unit and selects the lower of the two.

In this manner, during normal operation, the pressure regulator and turbine-generator control system sets reactor pressure and turbine speed. The speed control and load control units generate the necessary signals to position the control valves through a low value gate over which the pressure control unit can exercise its influence.

7.11.3.2 Emergency Control System This system closes all valves, thereby shutting down the turbine on the following signals:

CHAPTER 07 7.11-3 REV. 26, APRIL 2017

1. Turbine approximately 10 percent above rated speed. On overspeed, the tripping is performed by the mechanical trip valve for Unit 3 and an electrical trip for Unit 2.

Unit 3 The mechanical overspeed trip device employs an unbalanced ring which is held concentric with the shaft by a spring. When the turbine speed reaches the predetermined trip speed, the centrifugal force of the ring overcomes the force of the spring and the ring snaps to an eccentric position. In so doing, it strikes the trip lever, typically at 110 percent to 111 percent of rated speed.

When the mechanical overspeed trip is initiated, the emergency trip system hydraulic pressure is removed.

This causes the fast closure of the main stop valves and the slower control valves which are in series at the high-pressure turbine inlet. Also, the trip system pressure removal causes the rapid closure of the intercept and stop valves which are in series at the low-pressure turbine inlet.

The mechanical trip valve can also be tripped by local manual action or by the mechanical trip solenoid.

Unit 2 Turbine protection is provided by redundant Emergency Trip System (ETS) controllers, which are separate from the TCS controllers. The electrical trip is provided by ETS that includes a Diverse Turbine Overspeed Protection System (DTOPS). DTOPS uses a diverse and separate set of magnetic pickups which are comprised of 3 passive speed sensors for sensing speed from a toothed wheel mounted to the turbine shaft. When the turbine speed reaches the trip speed (approximately 110%), the three independent overspeed protection trip modules located inside the DTOPS device provides three independent trip outputs that interface to the three ETS Testable Dump Manifold (TDM) solenoids. The ETS TDM utilizes a two-out-of-three (2/3) trip logic configuration to depressurize ETS fluid resulting in fast closure of the main stop valves, control valves, and the intercept valves and the intercept stop valves.

Depressing either the two manual pushbuttons in the main control room panel or the two manual pushbuttons at the CHAPTER 07 7.11-4 REV. 26, APRIL 2017

PBAPS UFSAR front standard will de-energize the ETS (and TCS) TDM solenoids and trip the turbine.

2. Turbine approximately 12 percent above rated speed while testing the overspeed trip device.

Unit 3 The backup electrical overspeed trip circuit senses the turbine speed by means of a magnetic pickup which monitors the speed of a toothed wheel on the main turbine shaft. At approximately 112 percent of rated turbine speed, the master trip solenoid valve assembly is deenergized, thereby removing the emergency trip system hydraulic pressure and activating the fast closure of all the turbine steam valves previously mentioned.

While the same sending technique is used for the turbine control system, the protective backup electrical overspeed trip signal is produced by a pickup and circuitry which is totally independent of any control function.

Unit 2 The backup electrical overspeed trip uses a diverse and separate set of magnetic pickups which are comprised of 3 active speed sensors for sensing speed from a toothed wheel mounted to the turbine shaft. When the turbine speed reaches the trip speed (approximately 111%), the Turbine Control System (TCS) utilizes a two-out-of-three (2/3) trip logic and provides a trip output to the TCS TDM unit, which utilizes a two-out-of-three (2/3) trip logic configuration to trip the turbine.

This trip uses speed detector modules that are independent of the TCS software. In addition, the TCS software also generates a trip of the TDM unit.

Cross trip functions are provided for interlocking the DTOPS trip with the TCS trip.

Depressing either the two manual pushbuttons in the main control room panel or the two manual pushbuttons at the front standard will de-energize the TCS (and ETS) TDM solenoids and trip the turbine.

Any one of these actions will trip the turbine, i.e.,

fast closure of the main stop valves, control valves, and combined intercept valves.

CHAPTER 07 7.11-5 REV. 26, APRIL 2017

3. Vacuum decreases to less than 20 in Hg.

4. Excessive thrust bearing wear.

5. Deleted

6. Loss of generator stator coolant after a time delay.

7. External trip signals, including remote manual trip on the control panel.

8. Loss of hydraulic fluid supply pressure (loss of emergency trip system fluid pressure automatically closes the turbine valves and then energizes the master trip relay to prevent a false restart).

9. Failure of shaft-driven lubrication oil pump with the turbine-generator over 1,300 rpm (nominal).

10. Deleted.

11. Loss of both speed signals for Unit 3; Loss of 2 out of 3 speed signals for Unit 2.

12. Loss of both primary and secondary EHC dc power supplies (24 Vdc Unit 3, 24 Vdc or 125 Vdc Unit 2).

13. Manual mechanical trip at front standard (Unit 3),

manual electrical trip via pushbuttons at front standard or main control panel (Unit 2).

14. High level in moisture separators.

15. Loss of 125-V dc power (at less than 1400 rpm turbine speed, Unit 3 only).

16. Reactor high water level.

17. Low bearing oil pressure.

7.11.4 Power Generation Evaluation The pressure regulator and turbine-generator control system design is such that it provides a stable control response to normal load fluctuations.

The main turbine bypass valves are capable of responding to the maximum closure rate of the turbine admission valves such that reactor steam flow is not significantly affected until the CHAPTER 07 7.11-6 REV. 26, APRIL 2017

PBAPS UFSAR magnitude of the load rejection exceeds the capacity of the bypass valves (22.39 percent of full load).

Load rejections in excess of bypass valve capacity may cause the reactor to scram. Any condition causing the turbine stop valves to close will directly initiate a scram before reactor pressure or neutron flux have risen to the trip level.

Abnormal operational transient analyses have been made for a component failure in the turbine-generator system and included in Section 14.0, "Plant Safety Analysis."

The pressure regulator and turbine-generator control system can fail in such a manner as to cause the control and bypass valves to either fully open or fully close. In neither case would fuel damage occur. However, if a pressure regulator fails downscale while the second regulator is out of service the resulting transient could be limiting. Operation with only one pressure regulator is limited to reactor power levels 90% (or alternatively, less than 25%) of rated as stated in section 14.5.4.

In the event that the control valves fully opened, the emergency trip system would cause all valves to close. Loss of electrical or hydraulic power causes all valves to close.

In the event that the control valves are failed fully closed, the reactor will scram with the excess steam flow absorbed by the bypass system.

7.11.5 Inspection and Testing 7.11.5.1 Turbine-Generator Supervisory Instruments The turbine and all turbine control system components can be tested and inspected prior to plant operation and during scheduled shutdown. The turbine supervisory instrumentation located in the control room is sufficient to detect any potential maloperation.

The turbine supervisory instrumentation includes monitoring of the following variables:

1. Vibration and eccentricity.

2. Thrust bearing wear.

3. Exhaust hood temperature and spray pressure.

4. Oil system pressures, levels, and temperatures.

CHAPTER 07 7.11-7 REV. 26, APRIL 2017

5. Bearing metal and drain temperatures.

6. Shell temperatures.

7. Valves positions (Unit 3 only).

8. Shell and rotor differential expansion.

9. Shaft speed (Unit 3 only), electrical load, and control valve inlet pressure indication.

10. Hydrogen temperature, pressure, and purity (Unit 3 only). For Unit 2, the HMI will display these parameters because their panel meters are removed.

11. Stator coolant temperature, pressure, and conductivity.

12. Stator winding temperature.

13. Alternator air coolant temperatures.

14. Steam seal pressure.

15. Steam packing exhauster vacuum.

16. Steam chest pressure.

17. Seal oil pressure.

7.11.5.2 Testing Provisions Provisions are made for testing each of the following devices while the unit is operating:

1. Main stop valves.

2. Main control valves.

3. Bypass valves.

4. Combined intermediate valves.

5. Overspeed trip.

6. Bleeder trip valves.

7. Vacuum trip.

8. Deleted CHAPTER 07 7.11-8 REV. 26, APRIL 2017

9. Master trip solenoid for Unit 3 and TDM trip solenoids for Unit 2.

CHAPTER 07 7.11-9 REV. 26, APRIL 2017

PBAPS UFSAR 7.12 PROCESS RADIATION MONITORING A number of radiation monitors and monitoring systems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. These include the following:

1. Main steam line radiation monitoring system.

2. Air ejector off-gas radiation monitoring system.

3. Stack radiation monitoring system.

4. Liquid process radiation monitors.

5. Ventilation radiation monitoring system.

These systems are described individually in the following paragraphs. Process sampling systems are described in subsection 10.20.

7.12.1 Main Steam Line Radiation Monitoring System 7.12.1.1 Safety Objective The safety objective of the main steam line radiation monitoring system is to monitor for the gross release of fission products from the fuel and, upon indication of such failure, to initiate appropriate action to limit fuel damage and contain the released fission products.

7.12.1.2 Safety Design Basis

1. The main steam line radiation monitoring system is designed to give prompt indication of a gross release of fission products from the fuel.

2. The main steam line radiation monitoring system is capable of detecting a gross release of fission products from the fuel under any anticipated operating combination of main steam lines.

3. Upon detection of a gross release of fission products from the fuel, the main steam line radiation monitoring system initiates an alarm to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiations levels within limits. Initiation of high-high radiation alarm alerts the Operators to close any open reactor CHAPTER 07 7.12-1 REV. 26, APRIL 2017

PBAPS UFSAR coolant sample lines and trips the mechanical vacuum pump, if running.

7.12.1.3 Description Four gamma-sensitive instrumentation channels monitor the gross gamma radiation from the main steam lines. The detectors are physically located near the main steam lines just downstream of the outboard main steam line isolation valves. The detectors are geometrically arranged so that the system is capable of detecting significant increases in radiation level from any number of main steam lines in operation. Their location along the main steam lines allows the earliest practical detection of a gross fuel failure. Two of the channels are powered from one reactor protection system bus, and the other two channels are powered from the other reactor protection system bus.

When a significant increase in the main steam line radiation level is detected, an alarm is initiated to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiations levels within limits. Initiation of high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running.

The radiation trip setting is selected so that a high radiation trip results from the fission products released in the design basis rod drop accident. The setting so selected is enough above the background radiation level in the vicinity of the main steam lines that spurious trips are avoided at rated power. The setting is low enough that the monitor can respond to the fission products released during the design basis rod drop accident, which occurs at a low steam flow condition.

The trips of the four instrumentation channels are arranged in a one-out-of-two-twice logic to provide redundancy and prevent inadvertent alarms as a result of instrumentation malfunctions.

Each monitoring channel consists of a gamma sensitive ion chamber and a log radiation monitor, as shown in Drawing M-1-T-29, Sheets 1 and 2. Capabilities of the monitoring channel are listed in Table 7.12.1. Each log radiation monitor has two trip circuits.

One trip circuit comprises the upscale trip setting that is used to initiate alarm and pump trip. The other trip circuit is a downscale trip that actuates an instrument trouble alarm in the control room. A CRDA will trip the high-high radiation alarm.

The control room Operator must manually isolate the reactor sample lines within 40 minutes of the alarm actuation. The output from CHAPTER 07 7.12-2 REV. 26, APRIL 2017

PBAPS UFSAR each log radiation monitor is displayed in the control room on a digital display with a 1E0 to 1E6 mR/hr range.

The trip circuits for each monitoring channel operate normally energized, so that failures in which power to monitoring components is interrupted result in a trip signal. The environmental capabilities of the components of each monitoring channel are selected in consideration of the locations in which the components are to be placed.

A two-pen recorder is used to record the outputs from any one of two channels on each trip system of the four monitoring channels.

Manual selector switches allow the outputs of any two of the four channels to be recorded. The recorder has one upscale alarm circuit. The alarm setting is lower than the log radiation monitor upscale trip setting, so that an alarm is received in the control room before scram and steam line isolation are effected.

7.12.1.4 Safety Evaluation The number and location of the detectors meet safety design bases 1 and 2. The closure of the MSIV's, stopping the mechanical vacuum pump, and closing the mechanical vacuum pump suction valve effect containment of radioactive materials. This meets safety design basis 3. The system is capable of initiating safety action at the level of fuel damage resulting from the design basis rod drop accident. In Section 14.0, "Plant Safety Analysis," it is shown that the amount of fuel damage and fission product release involved in this accident is relatively small. It can be concluded that for any situation involving gross fission product release, the main steam line radiation monitoring system is capable of providing prompt safety action.

7.12.1.5 Inspection and Testing A built-in adjustable current source is provided for test purposes with each log radiation monitor. Routine verification of the operability of each monitoring channel can be made by comparing the outputs of the channels during power operation and by the use of check sources when shut down.

7.12.2 Air Ejector Discharge And Adsorber Bed Outlet Radiation Monitoring System 7.12.2.1 Power Generation Objective The power generation objective of the air ejector discharge and Adsorber Bed Outlet radiation monitoring system is to indicate when radioactivity levels of the Off-gas system increase above expected normal limits.

CHAPTER 07 7.12-3 REV. 26, APRIL 2017

PBAPS UFSAR 7.12.2.2 Power Generation Design Basis

1. The air ejector discharge radiation monitoring system provides an alarm to operations personnel whenever the radioactivity level of the air ejector off-gas reaches short-term limits.

2. The air ejector discharge radiation monitoring system provides a record of the radioactivity released from the air ejector outlet to the adsorber bed inlet.

3. The Adsorber Bed Outlet radiation monitoring system provides an alarm to operations personnel whenever the radioactivity level at the adsorber bed outlet exceeds expected normal levels.

7.12.2.3 Description 7.12.2.3.1 Air Ejector Discharge Radiation Monitor The air ejector discharge radiation monitoring system is shown in Drawing M-310, Sheets 2 and 4 and specifications are given in Table 7.12.1. The system has three instrumentation channels, two logarithmic and one linear. Each channel consists of a gamma-sensitive detector, a logarithmic or linear radiation monitor, and a strip chart recorder. The monitors and the recorders are located in the main control room. Each channel of the logarithmic radiation monitor is powered from a different bus of the RPS. The linear channel is powered from the 24-V dc bus.

Each logarithmic monitor has an upscale trip and a downscale trip indicating high radiation and instrument trouble, respectively.

Any one trip will give an alarm in the control room.

Three gamma-sensitive ion chambers are positioned adjacent to a vertical sample chamber that is internally polished to minimize plateout. A sample is drawn from the off-gas line through the sample chamber and returned to the air ejector suction line. The sample system is arranged to give a 2-minute time delay before the sample is monitored. This time delay allows nitrogen-16 to decay reducing some of the background radiation. The detectors are influenced by radioactive gases such as nitrogen-13 and oxygen-19 when a fuel defect is not present. At higher fission release rates when a fuel defect is present or during periods of high recoil, the detectors more accurately reflect fission isotopes like Xe and Kr.

Small changes in the off-gas gross fission product concentration can be detected by the continuous use of the linear radiation monitor. The detector monitors the same sample as the air ejector CHAPTER 07 7.12-4 REV. 26, APRIL 2017

PBAPS UFSAR off-gas logarithmic detectors. The system uses a linear readout with a range switch instead of a logarithmic readout. The output from the monitor is recorded on a one-pen recorder.

The environmental and power supply design conditions are given in Table 7.12.2.

7.12.2.3.2 Adsorber Bed Outlet Radiation Monitor The off-gas adsorber bed outlet radiation monitor specifications are given in Table 7.12.1. The system consists of a gamma-sensitive pipe-mounted detector and a readout module located in the main control room.

The monitor has an upscale trip and a downscale trip indicating high radiation and instrument trouble, respectively. Upscale or downscale trips will sound an alarm in the control room.

7.12.2.4 Power Generation Evaluation The air ejector discharge radiation monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity in the air ejector off-gas. The system thus provides the operator with enough information to control the activity release rate.

Sufficient redundancy is provided to allow maintenance on one channel without losing the indications provided by the system.

7.12.2.5 Inspection, Testing, and Calibration 7.12.2.5.1 Air Ejector Discharge Radiation Monitor The air ejector discharge radiation monitors are periodically calibrated by taking a grab sample of the gases with the off-gas vial sampler. The sample is analyzed and a factor relating the response of the monitors to the off-gas activity is calculated.

These monitors are provided with two alarm level set points. The lower alarm level is set below the normal background reading of the monitor so that an alarm is sounded if the instrument reading falls below this level. The upper alarm level is selected at a value greater than the normal full power background to detect an increase in radioactivity in the off-gas system. The instrument range is 1.0 to 106 mR/hr.

7.12.2.5.2 Adsorber Bed Outlet Radiation Monitor The adsorber bed outlet radiation monitor is periodically calibrated by exposing the radiation sensor to a radioactive source of known field strength. This monitor is provided with two alarm level set points. The lower alarm level is set below the CHAPTER 07 7.12-5 REV. 26, APRIL 2017

PBAPS UFSAR normal background reading of the monitor so that an alarm is sounded if the instrument reading falls below this level. The high alarm setpoint is set at less than or equal to 105 mR/hr. The instrument range is 0.1 to 104 mR/hr.

7.12.3 Stack Radiation Monitoring System 7.12.3.1 Safety Objective The safety objectives of the stack radiation monitoring system are to indicate whenever limits on the release of radioactive material to the environs are reached and to indicate the rate of radioactive material release during planned operation and accident conditions.

7.12.3.2 Safety Design Basis

1. The stack radiation monitoring system provides a clear indication to operations personnel whenever limits on the release of radioactive material to the environs are reached.

2. The stack radiation monitoring system indicates the rate of release of radioactive material from values above release rate limits, including accident conditions, down to the release rates normally encountered during high power operation.

3. The stack radiation monitoring system records the rate of release of radioactive material to the environs, so that determination of the total amounts of activity released is possible.

7.12.3.3 Description The stack radiation monitoring system is a microprocessor-based state-of the-art system consisting of a wide range gas monitor (WRGM) and a normal range fixed filter particulate, iodine, and gas (PIG) monitor. The probe assembly consists of two isokinetic probes, one for the WRGM and one for the PIG, and two sets of stack flow sensing devices.

The WRGM has four channel -- the low, mid, and high range channels provide radioactivity concentration indication in Ci/cc and the fourth channel (i.e., the effluent release channel) providing radioactivity release rate information in Ci/sec. The low, mid, and high range channels of the WRGM have overlapping ranges with each other and are suitable for monitoring radioactive stack releases during normal full-power operation and accident CHAPTER 07 7.12-6 REV. 26, APRIL 2017

PBAPS UFSAR conditions. These ranges satisfy the requirements of Regulatory Guide 1.97, Rev. 3.

The PIG monitor also has four channels -- particulate channel, the iodine channel, the noble gas channel, and the effluent channel.

The first three channels provide radioactivity concentration indication in Ci/cc and the fourth channel (i.e., the effluent release channel) provides radioactivity release rate information in Ci/sec. Unlike the WRGM, the PIG covers only normal full-power operation releases.

Both WRGM and PIG monitors provide contact outputs to radiation alarms and analog outputs to the plant computer and to the radiation recorder. In addition, both monitors provide trip signals on a HIGH-HIGH alarm to Group III isolation valves. These signals (which fulfill the requirements of NUREG-0737, item II.E.4.2(7)) are required only when purging the containment through the SGTS and containment integrity is required. The trip signals isolate primary containment vent and purge valves greater than two inches in diameter to prevent accidental release of radioactivity offsite when the valves are open.

7.12.3.4 Safety Evaluation The main stack radiation monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity being released to the environs via the stack. During normal operation, sufficient redundancy is provided to allow maintenance on one monitor without losing the indication provided by the radiation monitoring system.

A sampling system has been provided as described in Section 10.20 to identify sources of radioactive leakage detected by the main stack radiation monitors.

7.12.3.5 Inspection, Testing, and Calibration Each individual monitor includes a built-in check source and a purge line to purge the vent gas from the sampling chamber. The built-in check source and purge capability can be used to provide testing flexibility. Both the purge valve and the check source are operated from the control room.

Appendix E relates the equivalence of the Ci/sec release rate to the mR/hr created by the released effluent. The WRGM low range and PIG normal range gas monitors are provided with two radiation alarm level set points -- HIGH and HIGH-HIGH. The HIGH alarm level is set at a factor times normal monitor reading to indicate CHAPTER 07 7.12-7 REV. 26, APRIL 2017

PBAPS UFSAR presence of an abnormal radiation level in accordance with the Offsite Dose Calculation Manual (ODCM). The HIGH-HIGH alarm level is set below the maximum allowable release limit in accordance with the ODCM.

The main stack monitor effluent channel is capable of detecting activity as low as 100 Ci/sec. The minimum detectable release rate will be a function of the background environment. Assuming that 100 Ci/sec at 30-min decay exists continuously all year, the total release would be 3,150 Ci/yr. This value should not be considered the total activity because many of the half lives of the gaseous radioisotopes are short lived compared to a year. The annual average whole body dose would be about 0.1 mRem/yr at the worst off-site location. Considering reasonable occupancy and shielding dose reduction factors, the dose would be lower by factors of about 3 to 10.

Within the band of 100 Ci/sec and the set point at the annual average stack release rate limit the operator has knowledge of the release rate performance of the plant. Release rates up to the annual average stack release rate limit are within the 10CFR20 permissible whole body dose. Exceeding this limit for short periods of time could be allowed because the release rate limit represents an average over one hour. The release rate limit is not expected, but it is the maximum calculated release rate allowable by the regulations when considering off-gas design, size and shape of site, and meteorological data. Expected release rates and doses would be much less than permissible.

7.12.4 Liquid Process Radiation Monitoring System 7.12.4.1 Power Generation Objective Process liquid radiation monitors are provided to indicate when operational limits for the normal release of radioactive material to the environs are being approached and to indicate process system malfunctions by detecting the presence of radioactive material in a normally uncontaminated system.

7.12.4.2 Power Generation Design Basis Process liquid radiation monitors located in streams that normally discharge to the environs provide a clear indication to operations personnel whenever the radioactivity level in a stream approaches or exceeds pre-established operational limits for the discharge of radioactive material to the environs, or exceeds a pre-established limit above the normal radiation level of the stream.

CHAPTER 07 7.12-8 REV. 26, APRIL 2017

PBAPS UFSAR 7.12.4.3 Description The process liquids radiation monitoring system consists of the following subsystems (Figure 7.12.2):

1. Reactor building cooling water radiation monitor (Drawing M-316, Sheets 1 and 2).

2. Service water radiation monitor (Drawing M-314).

3. Emergency service water radiation monitor (Drawing M-330).

4. Radwaste discharge radiation monitor.

5. Fuel storage pool radiation monitor (Drawing M-363, Sheets 1 and 2).

6. RHR heat exchanger high-pressure service water intake and discharge monitors (Drawing M-315, Sheets 1 through 7; not shown in Figure 7.12.2).

A reactor building cooling water monitor, a service water monitor, and a fuel storage pool radiation monitor are supplied with each reactor unit. The emergency service water and radwaste discharge radiation monitors are common to both reactor plants.

Each subsystem consists of a gamma-sensitive scintillation detector, suitably mounted, which transmits to a log count ratemeter with an integral dual level alarm trip circuit. The ratemeter performs the pulse-to-analog conversion and transmits to a strip chart recorder (except for the fuel storage pool radiation monitor). Each detector is installed in such a manner as to reduce background radiation and plateout. All ratemeters, recorders, and controls are mounted in the main or radwaste control room, as appropriate.

Each ratemeter trip circuit has an upscale trip to indicate high radiation level and a downscale trip to indicate instrument trouble. The trips give an alarm and for the radwaste discharge monitor, initiates automatic control action.

Service water is used to cool normally non-radioactive services and equipment. It also cools the reactor building cooling water system via a heat exchanger. The presence of radiation in the service water discharge may indicate that a leak into the system from a contaminated stream has occurred.

The reactor building cooling water system cools potentially contaminated services and equipment. The system may contain CHAPTER 07 7.12-9 REV. 26, APRIL 2017

PBAPS UFSAR activity due to activation of added corrosion inhibitors. Changes in the normal radiation level could indicate leaks of radioactive water into the system.

The liquid radwaste system provides for collection of waste liquids through various drainage systems. Because of conductivity not all of the waste liquids can be economically purified by demineralization. Consequently, some liquid containing radioactivity is eventually discharged from the system. The liquid radwaste monitor indicates and records the radiation levels in this discharge.

The emergency service water system provides cooling water to the core standby cooling equipment in case of a loss of off-site power. Changes in the normal radiation level of the emergency service water discharge could indicate leakage in the core standby cooling equipment.

Radiation monitors have been provided on each high-pressure service water intake and discharge of the RHR heat exchangers for Unit 2 and 3. In the event that a heat exchanger leak occurs in conjunction with a reversal of normal heat exchanger differential pressure, these monitors will annunciate, in the control room, the presence of radioactivity in the high-pressure service water system. Two monitors have been provided for each unit. Samples are drawn from either the upstream or downstream piping of the RHR heat exchanger depending on HPSW system function (active or idle).

This will assure RHR leakage through the heat exchanger is monitored periodically. After HPSW operation, water in the system will drain through the HPSW pump discharge check valve, lowering the water level in the inlet and discharge piping to the RHR heat exchangers. Radiation monitoring will be temporarily suspended during periods when a solid water column in the header does not exist. Without the water column present, the transmission path for contamination does not exist, and continued sampling is not required. This will also protect the sample pumps from running dry.

Leakage from fuel elements stored in the fuel storage pool would be detected by radiation monitors suitably located in each spent fuel pool.

The environmental and power supply design conditions are given in Table 7.12.2.

CHAPTER 07 7.12-10 REV. 26, APRIL 2017

PBAPS UFSAR 7.12.4.4 Power Generation Evaluation The process liquid radiation monitoring system possesses radiation detection and monitoring characteristics sufficient to inform plant operations personnel whenever radiation levels in the processes rise above preset limits.

7.12.4.5 Inspection and Testing The operational integrity of the detectors, ratemeters, and alarm trip circuits can be tested by using test signals or portable gamma sources.

7.12.5 Ventilation Radiation Monitoring 7.12.5.1 Safety Objective The safety objective of the ventilation radiation monitoring system is to indicate whenever preset limits on the release of radioactive material are reached, to indicate the rate of radioactive material release, and to effect appropriate action when necessary, so that the release of radioactive material does not exceed the guideline values of published regulations.

7.12.5.2 Safety Design Basis

1. The ventilation radiation monitoring system provides an indication to operations personnel of the presence of abnormal amounts of radioactive material and indicates whenever limits on the release of radioactive material to the environs are reached.

2. The ventilation radiation monitoring system effects the necessary action to ensure that the release of radioactive material does not exceed the guideline values of published regulations.

7.12.5.3 Power Generation Objective The power generation objective of the ventilation radiation monitoring system is to indicate and record the quantities of radioactive material present in the ventilation effluents during planned operations.

The ODCM contains the release limits and monitoring system operability and utilization requirements to demonstrate conformance to the release limits. Refer to Appendix E for the station atmospheric release limit calculations. Table E.6.1 shows CHAPTER 07 7.12-11 REV. 26, APRIL 2017

PBAPS UFSAR the release limits from all the release points of Units 2 and 3.

Each release point is monitored as described in this section.

The alarm set points will be set so that the total release will satisfy the conditions of Table E.6.1, even if all release points should be discharging at their alarm set points.

Radioactive releases will be documented through analyses of filter depositions, analyses of grab samples, and recorded effluent radiation monitor values.

7.12.5.4 Power Generation Design Basis The ventilation radiation monitoring system indicates and records the rate of release of radioactive material to the environs.

7.12.5.5 Description The ventilation radiation monitoring system is illustrated in Drawing M-334, Sheets 1 through 4 and is composed of the following subsystems:

1. Ventilation stack radiation monitoring.

2. Reactor building ventilation exhaust radiation monitoring.

3. Refueling floor ventilation exhaust radiation monitoring.

4. Control room ventilation intake radiation monitoring.

5. Radwaste ventilation exhaust radiation monitoring.

6. Off-gas recombiner building duct ventilation exhaust radiation monitoring.

The reactor building, refueling floor, and control room intake monitors are designed to meet the safety design bases.

7.12.5.5.1 Ventilation Stack Radiation Monitoring The ventilation stack receives effluent from the following sources:

1. Reactor building reactor zones.

2. Reactor building refueling floor.

3. Reactor building equipment cells.

4. Radwaste building. (Unit 2 only)

CHAPTER 07 7.12-12 REV. 26, APRIL 2017

5. Radiochemistry laboratory and counting room. (Unit 2 only)

6. Radiochemistry hood. (Unit 2 only)

7. Turbine building.

8. Ventilation stack radiation monitors.

9. Offgas recombiner building exhaust. (Unit 3 only)

10. Pearl building, RCA exhaust. (Unit 3 only)

11. Pearl building fume hood exhaust.(Unit 3 only)

The ventilation stack radiation monitoring subsystem consists of a wide range gas monitor (WRGM) and a normal range fixed filter particulate, iodine, and gas (PIG) monitor per unit. The ventilation stack effluent is sampled by a probe assembly that consists of two isokinetic probes, one for WRGM and one for the PIG.

The wide range gas monitor detects and measures beta and gamma radiation levels. The WRGM is an off-line monitor that draws a representative sample from the vent stack. The sample is separated and routed to three different detectors, one low, mid and high range. The sample is filtered to prevent contamination of the detector chambers. The WRGM consists of four channels: a low radiation, mid radiation, high radiation and an effluent channel.

The WRGM range is sufficient to cover post-accident effluent. The three radiation channels overlap each other to provide an overall range of 1x10-7 Ci/cc to 1.0x105 Ci/cc. The WRGM has a local microprocessor that communicates with a display and alarm unit in the main control room. The alarm logic is discussed in paragraph 7.12.5.6. The WRGM has provisions for taking grab samples for laboratory analysis. The grab sampler can be controlled locally or from the main control room.

The fixed filter particulate, iodine, gas monitor detects and measures effluent beta and gamma radiation levels. The PIG is an off-line monitor that draws a representative sample from the vent stack through the radiation detector sample chambers. The PIG provides continuous iodine and particulate monitoring so that the actual time and duration of a release can be determined. The PIG monitor has a local microprocessor and a display and alarm unit in the main control room. The alarm logic is discussed in paragraph 7.12.5.6. The PIG also has provisions for taking grab samples for laboratory analysis.

The monitors read out in Ci/cc based upon an analytically determined counts/minute per Ci/cc conversion factor which is input to the monitor processor. These monitors have two radiation CHAPTER 07 7.12-13 REV. 26, APRIL 2017

PBAPS UFSAR alarms -- HIGH and HIGH-HIGH. The HIGH alarm is field set at a factor times normal monitor reading of the monitor to indicate the presence of an abnormal radiation level in accordance with the Offsite Dose Calculation Manual (ODCM), and an alarm is sounded if the reading rises above this level. The HIGH-HIGH alarm is set below the maximum allowable release limit in accordance with the ODCM.

The radiation level in the ventilation stack radiation monitoring system would depend upon the nature of an accidental release inside the plant. The actual specific activity of the mixture released is impossible to calculate or to establish by empirical standards or a sampling program. The most probable release would be one which produced a mixture of fission products, corrosion products, and activation products. Calibration on the basis of the most difficult isotopes to detect in this mixture is, therefore, conservative.

7.12.5.5.2 Reactor Building Ventilation Exhaust Radiation Monitoring and Refueling Floor Ventilation Exhaust Radiation Monitoring Each of these subsystems employs four dual-channel G-M detectors mounted directly on the duct. The radiation monitors are installed on both the refueling floor exhaust ducts and the building exhaust system ducts which serve the area below the refueling floor. Duct isolation valve closure time is 3 to 10 sec. The monitors for the refueling floor exhaust duct are located after the last exhaust branch duct and at a distance equivalent to or better than exhaust air travel time from the monitors to the isolation valve. For the reactor building area ventilation exhaust duct, no such delay is incorporated since the consequences of such an accidental release over the 3- to 10-sec valve closure are not significant by comparison with the limits of 10CFR100. This mounting provides a minimum response time to detect an abnormal release during a refueling operation. The signal that causes isolation also initiates the standby gas treatment systems. Each of the detectors transmits to a ratemeter with an integral three output, dual-level trip unit. Two of the outputs are recorded on a 2-pen strip chart recorder. All controls, recording, and readout are located in the main control room. The environmental and power supply design conditions are given in Table 7.12.2.

These monitors are calibrated using a portable calibration source.

The monitors read true gamma dose rate. The isolation set point is established on the basis of an analysis performed utilizing the specific plant ductwork at the detector location. The isolation set point also determines the gamma dose rate that would result from the amount of radioactivity released into the duct during the CHAPTER 07 7.12-14 REV. 26, APRIL 2017

PBAPS UFSAR refueling accident. The monitor range is 0.01 to 100 mR/hr, and the isolation allowable value is established at 16 mR/hr which is conservatively less than that which would result from the refueling accident. This allowable value corresponds to a release rate of 0.13 Ci/sec. The alarm setpoint is established at one-tenth the isolation allowable value or a release rate of 0.013 Ci/sec.

7.12.5.5.3 Control Room Ventilation Intake Radiation Monitoring The control room ventilation intake radiation monitoring equipment consists of six (6) induct beta/gamma scintillation radiation detectors, four (4) radiation detectors mounted in the intake plenum and two (2) radiation detectors mounted in the emergency ventilation supply fan plenum. The radiation detectors measure the radioactivity in the ventilation ducts utilizing background subtraction. Each detector transmits through a radiation pre-amplifier to a local radiation indicating switch with a three-level alarm/trip unit. The alarm and isolation logic is discussed in paragraph 7.12.5.6.3. The local radiation indicating switches then transmit to radiation indicators, with two of the indicators providing inputs to a strip chart recorder in the control room.

Each independent loop has controls for testing, using a simulated check source to indicate high radiation thereby ensuring the operational integrity and calibration. The flow in the ventilation duct is recorded and a loss of flow in the duct is annunciated in the control room. Most controls, recordings and readouts are located in the main control room; many are also provided in a local cabinet in the fan room (radwaste building elev. 165). The environmental and power supply conditions are given in Table 7.12.2.

7.12.5.5.4 Radwaste Ventilation Exhaust Radiation Monitoring and Off-Gas Recombiner Building Duct Ventilation Exhaust Radiation Monitoring The radwaste ventilation exhaust and off-gas recombiner building duct ventilation exhaust radiation monitors are process monitors, the purpose of which is to monitor radwaste exhaust and off-gas recombiner building duct ventilation exhaust feed streams to the vent stack effluent release points. As such, these monitors provide alarm function only. In the event that one of the vent stack effluent release point monitors should alarm on a high radiation signal, readings and/or setpoint-level alarms from one of the upstream process monitors (i.e., the radwaste exhaust monitor, or the off-gas recombiner building duct ventilation exhaust monitor as the case may be) will help to identify the origin of the suspected high radiation effluent release problem.

CHAPTER 07 7.12-15 REV. 26, APRIL 2017

PBAPS UFSAR These process monitors are single-channel noble gas microprocessor-controlled off-line monitors that utilize beta scintillation detectors mounted in 3-inch-thick 4 solid lead shields. They provide radioactivity concentration indication in Ci/cc and cover a range from 1.12 x 10-7 Ci/cc to 3.0 x 10-1 Ci/cc. Each detector has a 0.05 Ci Cl-36 beta-emitting check-source to verify proper operation. The gas detector consists of a photomultiplier tube and a 2-inch diameter by 0.01-inch-thick plastic beta scintillator. The sample enters the shield, passes through a 3250 cc fixed volume sample chamber, and exits the shield. The fixed volume is viewed by the plastic scintillator that senses beta radiation from the decay of noble gas radioisotopes.

7.12.5.6 Alarm and Isolation Logic The alarm and isolation logic of the various ventilation radiation monitoring systems is discussed in the following subsections.

7.12.5.6.1 Reactor Building and Refueling Floor Alarm and Isolation The reactor building and refueling floor ventilation exhaust equipment can isolate the monitored duct upon actuation of the correct two channels of the one-out-of-two-twice logic system.

HIGH-HIGH signals from the reactor building or refueling floor duct-mounted monitors will initiate the standby gas treatment system and send a signal to the primary containment and reactor vessel isolation control logic (subsection 7.3). Alarms will annunciate in the control room at the DOWNSCALE level, the HIGH level, and at the HIGH-HIGH level.

7.12.5.6.2 Ventilation Stack Alarms The ventilation stack monitors (WRGM and PIG) each have two alarms in the main control room Vent Exh Stack Rad Monitor Hi-Hi, and Vent Exh Stack Rad Monitor HI/TROUBLE. The HIGH alarm is field set at a factor times normal monitor reading to indicate the presence of an abnormal radiation level in accordance with the Offsite Dose Calculation Manual (ODCM), and an alarm is sounded if the reading rises above this level. The HIGH-HIGH alarm is set below the maximum allowable release limit in accordance with the ODCM. Administrative actions will be implemented to detect and isolate the source of release until corrective maintenance eliminates the problem. In addition to high radiation, the HI/TROUBLE alarm annunciates on low/loss vent stack flow or equipment failures or loss of power.

CHAPTER 07 7.12-16 REV. 26, APRIL 2017

PBAPS UFSAR 7.12.5.6.3 Control Room Ventilation Intake Alarm and Bypass The control room ventilation intake radiation monitors are used to switch from control room normal ventilation to control room emergency ventilation. A high radiation level or a downscale/failure from channels (A OR B) and (C OR D) will initiate the control room emergency ventilation system which diverts the intake air through absolute particulate and halogen filters. A high radiation level or downscale/failure will also annunciate in the control room. Low flow in the control room normal ventilation duct will also initiate the control room emergency ventilation system and annunciate in the main control room.

7.12.5.6.4 Radwaste Ventilation Alarm and Isolation The radwaste ventilation exhaust radiation monitor HIGH level is set below the maximum allowable release level and will alert the operator of the approach to the maximum limit. Administrative actions will be implemented to detect and isolate the source of release until corrective maintenance eliminates the problem.

7.12.5.6.5 Off-Gas Recombiner Building Duct Ventilation Exhaust Radiation Monitoring The off-gas recombiner building duct ventilation exhaust radiation monitor HIGH level is set below the maximum allowable release level and will alert the operator of the approach to the maximum limit. Administrative actions will be implemented to detect and isolate the source of release until corrective maintenance eliminates the problem.

7.12.5.7 Safety Evaluation The radiation monitors are duct-mounted for the reactor building and refueling floor ventilation system and for the control room ventilation system. The physical location and monitoring characteristics are adequate to detect accident generated radiation levels and initiate appropriate isolation signals. The design basis accidents are discussed and evaluated in Section 14.0, "Plant Safety Analysis." The redundancy of channels is sufficient to ensure that no single failure can prevent isolation when required.

The reactor building, refueling floor, and control room ventilation radiation monitoring equipment meet the requirements of IEEE-279 criteria. Should one monitor fail, failure being indicated by a downscale alarm, administrative action may be taken to remedy the situation.

CHAPTER 07 7.12-17 REV. 26, APRIL 2017

PBAPS UFSAR 7.12.5.8 Inspection and Testing The operational integrity of the detectors, ratemeters, and alarm trip circuits can be tested by using test signals, portable calibration sources, or built-in design features. Built-in check sources are provided for the detectors in the Vent Stack, Radwaste Ventilation Exhaust and the Offgas Recombiner radiation monitoring systems which could be used to verify system operational integrity. A simulated check source is provided in the Control Room ventilation intake radiation monitoring system and may be used to ensure system operational integrity and calibration.

Sample flows are monitored and will cause alarms if they go out of limits.

CHAPTER 07 7.12-18 REV. 26, APRIL 2017

PBAPS UFSAR TABLE 7.12.1 PROCESS RADIATION MONITORING SYSTEMS CHARACTERISTICS Upscale Downscale/

Monitoring Instrument Instrument Alarms Per INOP Alarms Trips Per (1)

System Range Scale Channel Per Channel Channel Main Steam 1-106 mR/hr Digital Line 2 1 1 Upscale 6

Air Ejector 1-10 mR/hr Digital Discharge 2 1 0 (Logarithmic)

Air Ejector 1-10-12 to (5)

Discharge 3.16 x 10-3 0-40 0 0 0 (Linear) amps 0-125 Adsorber 0.1-104 mR/hr 5-Decade log Bed 1 1 0 Outlet Main Stack 10-7 to 105 Digital Wide Range Ci/cc 2 1 1 Upscale Noble Gas Monitor Main Stack 10-7 to 10-1 Digital Particulate, Ci/cc 2 1 1 Upscale Iodine Noble Gas Monitor (Noble Gas Only)

Liquid 10-1 to 106 7-Decade log Process counts per 2 2 1 Upscale(3) second(2) 1 INOP(3)

Reactor .01-100 mR/hr 4-Decade log Zones 2 1 1 Upscale Exhaust Refueling .01-100 mR/hr 4-Decade log Floor 2 1 1 Upscale Exhaust CHAPTER 07 7.12-19 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.12.1 (Continued)

Upscale Downscale/

Monitoring Instrument Instrument Alarms Per INOP Alarms Trips Per System Range (1) Scale Channel Per Channel Channel Ventilation 10-7 to 105 Digital Stack Ci/cc 2 1 0 Wide Range Noble Gas Monitor Ventilation 10-7 to 10-1 Digital Stack Ci/cc 2 1 0 Particulate, Iodine and Noble Gas Monitor (Noble Gas Only)

Control Room 0 to 106 Digital Vent Intake counts per 2 1 Note 4 minute Radwaste 1.12 x 10-7 Digital Ventilation Ci/cc to 1 1 0 Exhaust 3.0 x 10-1 Ci/cc Recombiner 1.12 x 10-7 Digital Building Ci/cc to 1 1 0 Ventilation 3.0 x 10-1 Exhaust Ci/cc (1)

Range of measurements is dependent on items such as the source of geometry, background radiation, shielding, energy levels, and methods of sampling.

(2)

Readout is dependent upon the pulse height discriminator setting.

(3)

Liquid radwaste effluent radiation monitor only.

(4)

Uses one-out-of-two-twice logic [(A or B) and (C or D)].

(5)

Range of measurement is dependent on Range Switch Setting.

CHAPTER 07 7.12-20 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.12.2 PROCESS RADIATION MONITORING SYSTEM ENVIRONMENTAL AND POWER SUPPLY DESIGN CONDITIONS Sensor Location Control Room Design Design Parameter Center Range Center Range Temperature 25C 0C to 25C 5 to

+60C +50C Relative Humidity 50% 20 to 98% 50% 20 to 90%

Power, AC 115 V +/-10% 115 V +/-10%

60 Hz +/-5% 60 Hz +5%

Power, DC +24 VDC +22 to +24 VDC +22 to

+29 VDC +29 VDC

-24 VDC -22 to -24 VDC -22 to

-29 VDC -29 VDC CHAPTER 07 7.12-21 REV. 21, APRIL 2007

PBAPS UFSAR 7.13 AREA RADIATION MONITORING SYSTEM 7.13.1 Power Generation Objective The power generation objective of the area radiation monitoring system is to warn of abnormal gamma radiation levels in selected areas and to indicate post-accident radiation levels in containment.

7.13.2 Power Generation Design Basis

1. The area radiation monitoring system provides a record and an indication in the control room of gamma radiation levels at selected locations within the various plant buildings.

2. The area radiation monitoring system provides local alarms to warn personnel of significant increases in radiation levels.

3. The containment high range area monitoring system provides a record and indication in the control room of containment post-accident radiation levels.

7.13.3 Description 7.13.3.1 Monitors The normal range area radiation monitoring system is shown as a functional block diagram in Drawing M-1-CC-11, Sheets 1 and 2.

Each channel consists of a combined sensor and converter unit, a combined indicator and trip unit, and a shared power supply. Each channel has, in addition, a control room audio alarm and a local audio alarm auxiliary unit. Those channels designated as Reg.

Guide 1.97 variables are recorded by the PMS computer.

Each monitor has an upscale trip that indicates high radiation and a downscale trip that may indicate instrument trouble. These trips sound alarms but cause no control action. The system is powered from the 120V AC instrument bus. The trip circuits are set so that loss of power causes an alarm. The environmental and power supply design conditions are given in Table 7.13.1.

The containment high range area monitoring system consists of four high range, 1 to 108-R/hr monitors for each unit. Monitors are environmentally and seismically qualified and provided with divisional power to protect against single failure. Recorders for these monitors are located in the control room. The radiation detectors are located in the drywell. The system provides for CHAPTER 07 7.13-1 REV. 25, APRIL 2015

PBAPS UFSAR indication of post-accident levels of radiation in containment for use in implementing emergency action plans.

The Primary Containment High Range Radiation Monitoring System installed at Peach Bottom Atomic Power Station meets the Regulatory Guide 1.97 requirement where containment radiation after an event be measured to within a factor of two. Under certain extreme conditions of high drywell temperature conditions, Insulation Resistance (IR) leakage current will cause a system error. The induced error decreases exponentially with drywell temperature and becomes insignificant below a drywell temperature of 230°F. This induced error is significant (not within a factor of two) only under low radiation conditions coincident with high drywell temperatures, whereas the system will operate to perform its principal function under normal and varying temperature conditions during and following an accident. EPRI Report TR-112582 "High Range Radiation Monitor Cable Study: Phase II" (May 2000) states the following: "A strong positive thermally induced current of relatively short duration (minutes) occurs in response to the steep temperature increase at the start of a thermal event such as a loss-of-coolant accident (LOCA). Such a positive transient will be over before an operator would need the high range radiation monitor system to analyze a DBE condition."

PBAPS has chosen to comply with 10CFR50.68(b) for monitoring of accidental criticality in lieu of the requirements of 10CFR70.24.

7.13.3.2 Locations Work areas where normal operation monitors are located are tabulated in Table 7.13.2.

7.13.4 Inspection and Testing An internal trip test circuit, adjustable over the full range of the trip circuit, is provided for each normal range monitor. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a real trip. All trip circuits are of the latching type and must be manually reset at the front panel. A portable calibration unit is also provided.

This is a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and converter unit. A cavity in the sensor and converter unit is designed to receive the calibration unit.

The containment high range area monitors are provided with an internal electronic check source which is automatically actuated every 25 min.

CHAPTER 07 7.13-2 REV. 25, APRIL 2015

PBAPS UFSAR TABLE 7.13.1 AREA RADIATION MONITORING SYSTEM ENVIRONMENTAL AND POWER SUPPLY DESIGN CONDITIONS Sensor Location Control Room Design Design Parameter Center Range Center Range Temperature 25C -30C 25C 0 to to 60C +50C Relative 50% 20 to 50% 20 to Humidity 100% 95%

Power 115V/230V +/-10% 115V/230V +/-10%

50/60 Hz +/-5% 50/60 Hz +/-5%

CHAPTER 07 7.13-3 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.13.2 LOCATION OF AREA RADIATION MONITORS General Location Channel No. Nameplate Legend Reactor Building (3) 1 Reactor Bldg Sump Area Reactor Building (3) 2 Torus Comp't Reactor Building (3) 3 HPCI Pump Room Reactor Building (3) 4 RCIC Pump Room Reactor Building (3) 5 RHR Pump Room "D" Reactor Building (3) 6 RHR Pump Room "A" Reactor Building (3) 7 Core Spray Pump Room "D" (Unit 2)

Core Spray Pump Room "C" (Unit 3)

Turbine Building 8 Condensate Pumps Area Reactor Building (3) 9 Recirc. Pump Inst. Rack Area Reactor Building (3) 10 Steam Flow Inst. Rack Area Reactor Building (3) 11 Cooling Water Pump Area Turbine Building 12 Condensate Demin. Area Turbine Building 13 Condensate Serv. Pump Area South (Unit 2)

Turbine Building 14 CRD Pump Area North (Unit 3) H.P. Turbine Area Reactor Building (3) 15 Reactor Bldg Equipment Access Lock & TIP Control Area on Unit 2 only.

Reactor Building (3) 16 Reactor Bldg Personnel Access-South (Unit 2),

North (Unit 3) 1 of 3 CHAPTER 07 7.13-4 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.13.2 (Continued)

General Location Channel No. Nameplate Legend Reactor Building (3) 17 Reactor Bldg Personnel Access-North (Unit 2),

South (Unit 3)

Reactor Building (3) 18 TIP Withdrawal Area Turbine Building 19 Access Corridor Turbine Building 20 Moisture Separator Area Reactor Building (3) 21 Reactor Bldg Operating Areas Reactor Building (3) 22 Reactor Building Access Turbine Building 23 Heater & RFPT Area-South (Unit 2)

Heater & RFPT Area-North (Unit 3)

Turbine Building 24 Heater & RFPT Area-North (Unit 2)

Heater & RFPT Area-South (Unit 3)

Turbine Building 25 H.P. Turbine Area Reactor Building (3) 27 Reactor Building Exh. Fans Area Reactor Building (3) 28 Steam Separator Pool Area Reactor Building (3) 29 Reactor Refuel Slot Area Reactor Building (3) 30 Fuel Pool Area Reactor Building (3) 31 Refueling Bridge Turbine Building 32 Pipe Tunnel Sump Areas Plant(1)

Turbine Building 33 Turbine Building RR Access 2 of 3 CHAPTER 07 7.13-5 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.13.2 (Continued)

General Location Channel No. Nameplate Legend Turbine Building 34 Turbine Building Access Turbine Building 35 Turbine Building Access Area Turbine Building (3) 36 Main Control Room Reactor Building 37 Radwaste Sump Area Radwaste Building 38 Radwaste Filter Pump Area Radwaste Building 39 Radwaste Condensate Phase Separator Room - East Room Radwaste Building 40 Drum Storage Area Radwaste Building 41 Conveyor Operating Area Access Radwaste Building 42 Radwaste Filter Hatch Area Access Radwaste Building 43 Waste Sample Tank Area Admin. Building 44 Administration Building Reactor Building (3) 45 Source Storage Vault and Calibration Room Turbine Building 48 Turbine Building Cranes(2)

(1)

Channel Nos. 32 to 45 are common for both units.

(2)

Every channel, except Channel No. 48, has both local and control room readout and alarm, Channel No. 48 is located in the turbine building on both of the overhead cranes.

(3)

Channel designated as Regulatory Guide 1.97 Category 3 variable.

3 of 3 CHAPTER 07 7.13-6 REV. 21, APRIL 2007

PBAPS UFSAR 7.14 SITE ENVIRONS RADIATION MONITORING PROGRAM The environmental monitoring program is described in Section 2.6, "Environmental Radiation Monitoring Program."

Site environmental monitoring is performed by several ThermoLuminescent Dosimeters (TLDs) stations located at various locations on the site. The TLDs are collected at least annually for analysis.

CHAPTER 07 7.14-1 REV. 21, APRIL 2007

PBAPS UFSAR 7.15 HEALTH PHYSICS AND LABORATORY ANALYSIS RADIATION MONITORS Portable radiation survey instruments are available for the measurement of alpha, beta, gamma, and neutron radiation expected during normal operation, and in emergencies. Personal monitoring devices are furnished to and worn by all personnel in those areas where required by 10CFR20. Counters are located at exits from potentially contaminated areas.

Laboratory instruments are provided for measuring alpha, beta, and gamma radiation, and for the analysis of radioactive gaseous, liquid, and solid samples.

CHAPTER 07 7.15-1 REV. 21, APRIL 2007

PBAPS UFSAR 7.16 PROCESS COMPUTER SYSTEM 7.16.1 Power Generation Objective The power generation objectives of the process computer system (PMS) are to provide a quick and accurate determination of core thermal performance; to improve data reduction, accounting, and logging functions; and to supplement procedural requirements for control rod manipulation.

7.16.2 Power Generation Design Basis

1. The PMS is designed to periodically determine the three dimensional power density distribution for the reactor core and to provide printed logs which permit accurate assessment of core thermal performance.

2. The PMS provides continuous monitoring of the core operating level and appropriate alarms based on established core operating limits to aid the operator in assuring that the core is operating within acceptable limits at all times.

3. The PMS provides inputs to the rod block circuitry to supplement and aid in the enforcement of procedural restrictions on control rod manipulation, so that rod worth is limited to the values assumed in the plant safety analyses.

4. The PMS provides the Safety Parameter Display System, and the information needed by both the Technical Support Center, and the Emergency Operations Facility.

5. The PMS provides information to support Post Trip Reviews.

7.16.3 Description 7.16.3.1 Computer System Components 7.16.3.1.1 Central Processor The PMS computer system consists of two Central Processing Units CPU's) per unit. One CPU is referred to as the Primary Computer; the other as the Backup Computer. The Primary Computer is responsible for data acquisition and processing for the PMS. The Backup Computer provides the redundancy needed to achieve the high availability time required. In the event of a failure of the Primary Computer, the Backup Computer becomes the new Primary Computer within an appropriate time to meet availability goals. In CHAPTER 07 7.16-1 REV. 23, APRIL 2011

PBAPS UFSAR the event any programs are executing on the Backup Computer at the time of a failover, noncritical tasks are automatically aborted so that the Backup Computer can assume the dedicated role as the new Primary Computer. Overall system design provides for redundancy of key critical functions to minimize single points of failure.

The computer also consists of peripheral devices for loading and storing information. The computer consists of high capacity disk drives and other magnetic and optical storage peripherals.

The RWM is provided on dual redundant processors, also in a primary/backup configuration.

7.16.3.1.2 Deleted 7.16.3.1.3 Deleted 7.16.3.1.4 Process Input/Output Subsystem Data Acquisition Hardware consists of remote multiplexers located in the Cable Spreading Room and Computer room. Redundant communications links to each multiplexer have been provided to ensure that accurate and reliable field information is provided.

Should the primary system detect communication problems with a multiplexer, and if the problems are not present on the backup system, a fail over to the backup computer will occur thus maintaining reliable field input processing.

Process input from the Power Range Neutron Monitoring System (PRNMS) is obtained via a dedicated interface using fiber optics technology.

7.16.3.1.5 Operator Console The operator interface to the computer is through color graphic video monitors. The monitors are integrated with plant communication stations into consoles located in the main control room, providing a coordinated workstation. Digital displays and printers for hard copy are also available to the operator.

7.16.3.1.6 Programming and Maintenance Console The programming and maintenance console is provided to permit necessary control of the system for trouble shooting and maintenance functions. This console is located in the computer equipment room fourth floor Administration building. For hardware maintenance in the cable spreading room, a terminal is provided in the plant computer room.

CHAPTER 07 7.16-2 REV. 23, APRIL 2011

PBAPS UFSAR 7.16.3.2 Reactor Core Performance Function 7.16.3.2.1 Power Distribution Evaluation The local power density of every 6-in segment for every fuel assembly is calculated, using plant inputs of pressure, temperature, flow, LPRM levels (optional), control rod positions, and the calculated fuel exposure. Total core thermal power is calculated from a reactor heat balance. Iterative computational methods are used to establish a compatible relationship between the core coolant flow and core power distribution. The results are subsequently interpreted as local power at specified axial segments for each fuel bundle in the core.

After calculating the power distribution within the core, the computer uses appropriate reactor operating limit criteria to determine thermal limits. Alarms are generated to aid the operator in assuring that the core is operating within acceptable limit at all times.

The core evaluation analytical sequence is completed periodically and on demand. Subsequent to executing the program the computer prints a periodic log for record purposes.

7.16.3.2.2 Fast Core Monitoring This section is no longer applicable. LPRMs and APRMs are effectively monitored on a fifteen second bases for core evaluation purposes.

7.16.3.2.3 Local Power Range Monitor Calibration Flux level and position data from the TIP equipment are read into the computer. The computer evaluates the data and determines gain adjustment factors by which the LPRM amplifier gains can be altered to compensate for exposure-induced sensitivity loss. The LPRM amplifier gains are not to be physically altered except immediately prior to a whole core calibration using TIP data. The gain adjustment factor computations help to indicate to the operator when such a calibration procedure is necessary. An LPRM calibration can be performed properly, even if the data is unavailable from some of TIP locations (up to 1/3 of the total).

CHAPTER 07 7.16-3 REV. 23, APRIL 2011

PBAPS UFSAR 7.16.3.2.4 Fuel Exposure Using the power distribution data, a distribution of fuel exposure increments from the time of a previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation. These data are printed out on demand by the operator.

7.16.3.3 Rod Worth Minimizer Function The RWM function assists and supplements the operator with an effective backup control rod monitoring routine that enforces adherence to established startup, shutdown, and low power level control rod procedures. The computer prevents the operator from establishing control rod patterns that are not consistent with prestored RWM sequences by initiating appropriate rod withdrawal block, and rod insert block interlock signals to the reactor manual control system's rod block circuitry (Figure 7.16.1). The RWM sequences stored in the computer memory are based on control rod withdrawal procedures designed to limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis rod drop accident.

The RWM function does not interfere with normal reactor operation, and in the event of a failure, does not itself cause rod patterns to be established which would violate the above objective. The RWM function may be bypassed and its rod block function disabled only by specific procedural control initiated by the operator.

7.16.3.3.1 Rod Worth Minimizer Inputs The following are the essential operator and sensor inputs utilized by the RWM:

1. Sequence The operator can select sequences to be enforced by the computer. The operator is permitted to perform the selection only when the RWM is in the inoperable state.

2. Rod Test By selecting this input option, the operator is permitted to withdraw and re-insert any single control rod in the core while all other control rods are maintained in the fully inserted position.

CHAPTER 07 7.16-4 REV. 23, APRIL 2011

3. Bypass Mode A key lock switch is provided to permit the operator to apply permissives to RWM rod block functions at any time during plant operation.

4. System Initialize/Reset This input is initiated by the operator to start or restart the RWM programs and system at any time during plant operation.

5. Substituted Position Values The operator can input a substitute position for a control rod which the RPIS does not have a valid value.

6. Control Rod Selected The RWM recognizes the binary coded identification of the control rod selected by the operator.

7. Control Rod Position The RWM recognizes the binary coded identification of the control rod position.

8. Control Rod Drive Selected and Driving The RWM utilizes this input as a logic diagnostic verification of the integrity of the rod input data.

9. Control Rod Drift The RWM recognizes a position change of any control rod using the control rod drift indication. This information is used to evaluate permissible withdrawal or insertion of subsequently selected rods.

10. Reactor Power Level Feedwater flow and steam flow signals are used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power set point and the low power alarm set point, may be used to disable the RWM blocking function at power levels above the intended service range of the RWM function.

11. Permissive Echoes CHAPTER 07 7.16-5 REV. 23, APRIL 2011

PBAPS UFSAR Rod withdraw, and rod insert permissive echo inputs are utilized by the RWM as a verification "echo" feedback to the system hardware to assure proper response of an RWM output.

12. Diagnostic Inputs The RWM utilizes selected diagnostic inputs to verify the integrity and performance of the processor.

13. Deleted 7.16.3.3.2 Rod Worth Minimizer Outputs The RWM provides isolated contacts to plant instrumentation as follows:

1. Blocks The RWM is interlocked with the reactor manual control system to permit or inhibit withdrawal, or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod (Figure 7.16.1).

2. Scan Mode This RWM output is used to synchronize acquisition of control rod position data during the scan mode.

The RWM also provides control rod position information to the main computer.

7.16.3.3.3 Rod Worth Minimizer Indications The RWM display monitor and panel provides RWM system and process information. The following is some of the information available:

1. Insert Error Control rod coordinate identification for up to two insert errors.

CHAPTER 07 7.16-6 REV. 23, APRIL 2011

2. Withdrawal Error Control rod coordinate identification for one withdrawal error.

3. Rod Group Identification of the RWM sequence group number currently latched by the computer.

4. Rod Worth Minimizer Bypass Indication that the RWM is manually bypassed (key position).

5. Select Error Indication of a control rod selection error.

6. Blocks Indication that a withdrawal block or insertion block is in effect for all control rods.

7. Low Power Indication of the LPAP and LPSP inputs.

7.16.3.4 Monitor, Alarm, and Logging Functions 7.16.3.4.1 Analog Monitor and Alarm General The system is capable of checking each analog input variable against principally two types of limits for alarming purposes: (1) process alarm limits as determined by the computer during computation or as pre-programmed at some fixed value, and (2) a reasonableness limit of the analog input signal level as programmed.

The alarming sequence consists of a audible tone, and a video message for the variables exceeding process alarm limits.

Acknowledgement is required for those alarm categorized as major.

The system provides the capability to alarm the main control room annunciator system in the event of abnormal PMS operation. The abnormal condition for alarm is PMS trouble.

CHAPTER 07 7.16-7 REV. 23, APRIL 2011

PBAPS UFSAR Event Recall Logging The system measures and stores the values of selected analog variables at 10-second intervals to provide a 40 minute history of data. An operator can request printing and subsequently termination of the log. The system automatically prints the values of these selected variables for a period immediately preceding and following a reactor scram. A scram is indicated by digital input signals to the system.

Trend Logging A digital trend capability is provided for logging the values of operator-selected analog inputs and calculated variables. The periodicity of the log is limited to a nominal selection of intervals, which can be adjusted as desired by program control.

7.16.3.4.2 Digital Monitor and Alarm Sequence Annunciator Recording Selected digital inputs are monitored for high resolution detection of contact status changes. Changes detected are sequentially differentiated and printed on the alarm output device. The printout includes point description and time of occurrence. The time resolution is accurate to a tenth of a second relative to the computer clock.

Status Alarm The status alarm function scans digital inputs once each second and provides a record of system alarms. The record includes point description and time of occurrence.

7.16.3.4.3 Alarm Logging The alarm log is generated by the PMS computer. This is a chronological listing of computer system malfunctions, system operation exceeding acceptable limits, and potentially unreasonable, off-normal, or failed input sensors.

7.16.4 Power Generation Evaluation Should the RWM program be inoperative for any reason, the reactor operator can maintain acceptable rod worth by simply adhering to prescribed control rod patterns and sequences.

CHAPTER 07 7.16-8 REV. 23, APRIL 2011

PBAPS UFSAR 7.16.5 Inspection and Testing The PMS performs diagnostic checks to determine the operability of certain portions of the system hardware, and it performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.

CHAPTER 07 7.16-9 REV. 23, APRIL 2011

PBAPS UFSAR TABLE 7.16.1 INSTRUMENTATION INPUT

SUMMARY

NEUTRON MONITORING SYSTEM Type of Engr Primary Variable Input Units Data Utilization Data Acquisition Mode LPRM Level (Flux) Analog % PWR Core Performance 5-sec scan class (Coordinate; Elev. A,B,C,D)

APRM Level (Flux) Analog % PWR Core Performance 1-sec scan class (Channel 1, 2, 3, 4A,C) Event Recall Log APRM Level (STP) Analog % PWR Core Performance 1-sec scan class (Channel 1, 2, 3, 4)

APRM Channel Bypass Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

OPRM Upscale Trip Digital Status Sequence Annunicator Log Change of State (Channel 1, 2, 3, 4)

APRM Upscale Trip Digital Status Sequence Annunciator Log Change of State on STP Level (Channel 1, 2, 3, 4)

APRM Upscale Alarm Digital Status Status Alarm Log 1-sec scan class on STP Level (Channel 1, 2, 3, 4)

APRM Upscale Trip on Digital Status Sequence Annunciator Log Change of State Flux Level (Channel 1, 2, 3, 4)

APRM Downscale Alarm Digital Status Status Alarm Log 1-sec scan class on Flux Level (Channel 1, 2, 3, 4)

APRM Alarm on Digital Status Status Alarm Log 1-sec scan class Instrument Inoperative (Channel 1, 2, 3, 4)

Flow Upscale Digital Status Status Alarm Log 1-sec scan class Alarm on Level (Channel 1, 2, 3, 4)

OPRM Period Trip Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

OPRM Period Pre-Trip Alarm Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

OPRM Amplitude Trip Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

OPRM Amplitude Pre-Trip Alarm Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

OPRM Growth Rate Trip Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

OPRM Growth Rate Pre-Trip Alarm Digital Status Status Alarm Log 1-sec scan class (Channel 1, 2, 3, 4)

Alarm on Flow Comparison Digital Status Status Alarm Log 1-sec scan class (A, B)

CHAPTER 07 7.16-10 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.1 (Continued)

NEUTRON MONITORING SYSTEM (Continued)

Type of Engr Primary Variable Input Units Data Utilization Data Acquisition Mode TIP Level (Flux) Analog % PWR Core Performance Program scan (Channel A,B,C)

TIP Guide Tube Address Digital Selected Core Performance 1-sec scan class (4 inputs per machine) code Tube (Channel A,B,C,D,E) Group Location TIP Probe at Top of Digital Status Core Performance API Core TIP Probe Position Pulses Pulse/inch Core Performance API Reactor Neutron Monitor Digital Status Sequence Annunciator Log Change of State System Trip (Channel A1,A2,B1,B2)

WRNM Alarm on Digital Status Status Alarm Log 1-sec scan class Instrument Inoperative (Any Channel)

WRNM Bypassed Digital Status Status Alarm Log 1-sec scan class (Any Channel)

WRNM Upscale Trip Digital Status Sequence Annunciator Log Change of State on Period (Chnl A,B,C,D,E,F,G,H)

CHAPTER 07 7.16-11 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.1 (Continued)

NEUTRON MONITORING SYSTEM (Continued)

Type of Engr Primary Variable Input Units Data Utilization Data Acquisition Mode WRNM Upscale Alarm Digital Status Status Alarm Log 1-sec scan class on Period (Any Channel)

WRNM Count Rate Low Alarm Digital Status Status Alarm Log 1-sec scan class on Level (Any Channel)

WRNM Alarm on Digital Status Status Alarm Log 1-sec scan class Instrument Inoperative (Any Channel)

RBM Trip on Level Digital Status Status Alarm Log 1-sec scan class (Either Channel)

RBM Downscale Digital Status Status Alarm Log 1-sec scan class Alarm on Level (Either Channel)

RBM Alarm on Digital Status Status Alarm Log 1-sec scan class Instrument Inoperative (Either Channel)

RBM Bypass Digital Status Status Alarm Log 1-sec scan class (Either or Both Channels)

RBM Level (Flux) Analog % PWR Variable Alarm Log 1-sec scan class (Channel A,B)

CONTROL ROD DRIVE HYDRAULICS SYSTEM Control Rod Drive Analog M lb/hr Core Performance Program Scan System Flow Control Rod Select Data Digital Rod Number Core Performance and Program Scan Control Rod Pos., Tens code Tens Pos. Rod Worth Minimizer Change of State Control Rod Pos., Units Group Units Pos.

Rod Drift Alarm Status Rod Selected & Driving Status CHAPTER 07 7.16-12 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.1 (Continued)

CONTROL ROD DRIVE HYDRAULICS SYSTEM (Continued)

Type of Engr Primary Variable Input Limits Data Utilization Data Acquisition Mode Control Rod Withdraw Digital Status Core Performance 1-sec scan class Discharge Vol. High Digital Status Sequence Annunciator Log Change of State Water Level (A,B,C,D)

Refuel Interlock Digital Status Status Alarm Log 1-sec scan class Control Rod Timer Digital Status Status Alarm Log 1-sec scan class Malfunction Rod Pattern Sequence Digital Status Rod Worth Minimizer 1-sec scan class (A,B) Select Status Alarm Log Shutdown Margin Select Digital Status Rod Worth Minimizer 1-sec scan class Status Alarm Log RWM Rod Insert Digital Status Rod Worth Minimizer 1-sec scan class Permissive Echo Status Alarm Log RWM Rod Select Digital Status Rod Worth Minimizer 1-sec scan class Permissive Echo Status Alarm Log RWM Rod Withdraw Digital Status Rod Worth Minimizer 1-sec scan class Permissive Echo Status Alarm Log RWM Block Alarm Digital Status Status Alarm Log 1-sec scan class Rod Out Block Digital Status Status Alarm Log 1-sec scan class Discharge Volume High Digital Status Status Alarm Log 1-sec scan class Water Level Rod Block RPIS Malfunction Digital Status Status Alarm Log 1-sec scan class Reactor Feedwater Inlet Analog M lb/hr Core Performance Program Scan Flow (A,B,C) Event Recall Log 5-sec scan class Reactor Pressure Analog psig Core Performance Program Scan Event Recall Log 5-sec scan class Reactor Water Level Analog Inches Core Performance Program Scan Event Recall Log 5-sec scan class CHAPTER 07 7.16-13 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.1 (Continued)

FEEDWATER CONTROL SYSTEM Type of Engr Primary Variable Input Limits Data Utilization Data Acquisition Mode Total Steam Flow Analog M lb/hr Event Recall Log 5-sec scan class Low Power Level Alarm Digital Status Rod Worth Minimizer 1-sec scan class Low Power Level Digital Status Rod Worth Minimizer 1-sec scan class Interlock Reactor Feedwater Analog F Core Performance Program Scan Inlet Temperature Event Recall Log 5-sec scan class NUCLEAR BOILER Reactor Core Analog psi Core Performance Program Scan Pressure Drop Event Recall Log 5-sec scan class Total Reactor Analog M lb/hr Core Performance Program Scan Jet-Pump Flow Event Recall Log 5-sec scan class (Core Flow)

Recirculation Loop Drive Analog M lb/hr Core Performance Program Scan Flow (LOOP A1,A2,B1,B2)

Recirculation Loop Analog F Core Performance Program Scan Inlet Temperature (Loop A1,A2,B1,B2)

Recirculation Pump Analog MW Core Performance Program Scan Motor Power (Motor A,B)

Reactor Vessel Digital Status Sequence Annunciator Log Change of State Low Level (Water)

(Channel A,B,C,D)

Main Steam Line Digital Status Sequence Annunciator Log Change of State Isolation Valve Closure (Channel A,B,C,D)

Main Steam Line Digital Status Status Alarm 1-sec scan class Leak Detection (Line A,B,C,D)

CHAPTER 07 7.16-14 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.1 (Continued)

NUCLEAR BOILER (Continued)

Type of Engr Primary Variable Input Units Data Utilization Data Acquisition Mode Relief Valve open Digital Status Sequence Annunciator Log Change of State (A thru H, K, L)

Safety Relief (A,B) Digital Status Sequence Annunciator Log Change of state Reactor Vessel High Digital Status Sequence Annunciator Log Change of State Pressure (Channel A,B,C,D)

Main Steam Line High Digital Status Status Alarm Log 1-sec scan class Flow (Line A,B,C,D)

REACTOR PROTECTION SYSTEM Primary Containment Digital Status Sequence Annunciator Log Change of State High Pressure (Channel A,B,C,D)

Manual Scram Digital Status Sequence Annunciator Log Change of State (Trip A,B)

Reactor Scram Digital Status Sequence Annunciator Log Change of State (Trip A,B)

Turbine Control Valve Digital Status Sequence Annunciator Log Change of State Fast Closure (Channel A,B,C,D)

Turbine Stop Valve Digital Status Sequence Annunciator Log Change of State Closure (Channel A,B,C,D)

Scram Discharge Volume Digital Status Sequence Annunciator Log Change of State High Level (Channel A,B,C,D)

Condenser Low Vacuum Digital Status Sequence Annunciator Log Change of State (Channel A,B,C,D)

Main Steam Isolation Valve Digital Status Sequence Annunciator Log Change of State Not Fully Opened (Channel A,B,C,D)

Reactor High Pressure Digital Status Sequence Annunciator Log Change of State (Channel A,B,C,D)

CHAPTER 07 7.16-15 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.1 (Continued)

OTHER SYSTEMS (Continued)

Type of Engr Primary Variable Input Units Data Utilization Data Acquisition Mode Reactor Low Level Digital Status Sequence Annunciator Log Change of State (Channel A,B,C,D)

Steam Line High Digital Status Sequence Annunciator Log Change of State Radiation (Channel A,B,C,D)

APRM Flux High-High Digital Status Sequence Annunciator Log Change of State (Channel 1, 2, 3, 4)

APRM STP High-High Digital Status Sequence Annunciator Log Change of State (Channel 1, 2, 3, 4)

WRNM Upscale Trip on Period Digital Status Sequence Annunciator Log Change of State (Channel A,B,C,D,E,F,G,H)

PROCESS RADIATION MONITORING SYSTEM Main Steamline High Digital Status Sequence Annunciator Log Change of State Radiation (Channel A,B,C,D)

Cleanup System Inlet Analog F Core Performance Program Scan Temperature Cleanup System Outlet Analog F Core Performance Program Scan Temperature Cleanup System Flow Analog M lb/hr Core Performance Program Scan (Channel A,B)

Containment High Radiation Analog LR/HR Status Alarm 60 sec scan class (Channel A,B,C,D)

Gross Generator Power Analog MW Core Performance Program Scan Gross Generator Energy Pulse kWh/Pulse Core Performance API KEY: API = Automatic Priority Interrupt WRNM = Wide Range Neutron Monitor TIP = Traversing In-Core Probe RBM = Rod Block Monitor APRM = Average Power Range Monitor RPIS = Rod Position Information System LPRM = Local Power Range Monitor STP = Simulated Thermal Power CHAPTER 07 7.16-16 REV. 21, APRIL 2007

PBAPS UFSAR TABLE 7.16.2 INSTRUMENTATION OUTPUT

SUMMARY

SIGNAL OUTPUT DESCRIPTION Latching TIP Scan TIP Core Top Enable RPIS Scan Mode Enable RPIS Next Rod Enable RWM Sequence Select RWM Shutdown Margin Select RWM Select Error RWM Low Power RWM Insert Error 1 Display (X. Y. location)

RWM Insert Error 2 Display (X. Y. location)

RWM Withdraw Error 1 Display (X. Y. location)

RWM Sequence Group Display (group no.)

RWM Insert Block RWM Select Withdraw Block RWM Program Operating Non-Latching Stall Error Detection Parity Error Detection CHAPTER 07 7.16-17 REV. 23, APRIL 2011

PBAPS UFSAR 7.17 NUCLEAR SYSTEM STABILITY ANALYSIS 7.17.1 Safety Objective The safety objective of the nuclear system stability analysis is to demonstrate that in the event of small disturbances, the reactor will always return to its normal operating state without compromising the integrity of the fuel or nuclear system process barrier.

7.17.2 Safety Design Basis To ensure that radioactive material barriers are not in danger of compromise, the nuclear system exhibits no inherent tendency toward divergent or limit cycle oscillations for most normal operating conditions. If divergent or limit cycle oscillations occur as a result of off-normal operating conditions, such oscillations will be automatically detected by the Oscillation Power Range Monitor (OPRM) system which will provide a reactor scram prior to exceeding the MCPR Safety Limit.

7.17.3 Power Generation Design Basis To facilitate normal maneuvering and control, the nuclear system exhibits at least a specified minimum calculated amount of damping of its responses over all normally expected operating conditions.

7.17.4 Description and Performance Analysis A BWR plant consists of many interacting dynamic processes and associated control systems. A dynamic process may be defined as one in which the inter-related variables are time varying, e.g.,

the boiling of water in the reactor core. The process may be self-regulating in that it exhibits a negative feedback effect.

In a BWR, when a control rod is withdrawn, core power increases due to the reactivity insertion. This causes increased boiling.

The increased boiling increases the steam volume in the core resulting in decreased neutron moderation. This is equivalent to removing reactivity and tends to counteract the reactivity addition of the withdrawn control rod. Thus, a rise in core power is limited by the negative feedback effect of the increased steam volume. This inherent negative feedback effect present in BWR's serves as a self-regulating mechanism upon core dynamics. A secondary inherent negative feedback effect, Doppler reactivity, also occurs as the fuel temperature varies with power. Whenever there is a negative feedback in a system, whether it be inherently self-regulated in the process or added to the process by a control system, the stability characteristics must be considered. There are many definitions of stability, but for feedback processes and control systems, the following definitions CHAPTER 07 7.17-1 REV. 26, APRIL 2017

PBAPS UFSAR may be used: a system is stable if, following a disturbance, the transient settles to a steady, non-cyclic state. A system may also be acceptably safe even if oscillatory, provided the limit cycle of the oscillations is less than a prescribed magnitude.

Instability, then, is a continuous departure from a final steady-state value, or it may be a greater-than-prescribed limit cycle about the final steady-state value.

The mechanism for instability can be explained in terms of frequency response. Consider a sinusoidal input to a feedback control system which for the moment has the feedback disconnected.

If there were no time lags or delays between input and output, the output will be in phase with the input. Connecting the output so as to subtract from the input (negative feedback or 180 out-of-phase connection) would result in stable closed loop operation.

However, natural laws would cause phase shift between output and input and should the phase shift reach 180, the feedback signal would be reinforcing the input signal rather than subtracting from it. If the feedback signal were equal to or larger than the input signal (loop gain equal to one or greater), the input signal could be disconnected and the system would continue to oscillate. If the feedback signal were less than one (loop gain less than one),

the oscillations would die out.

It is possible for an unstable process to be stabilized by the addition of a control system. In general, however, it is preferable that a process with inherent feedback be designed to be stable by itself before it is combined with other processes and control systems. The design of the BWR is based on this premise, that individual system components are stable.

Three types of stability are considered in the design of BWR's:

(1) reactor core (reactivity) stability, (2) channel hydrodynamic stability, and (3) total system stability. A stable system is analytically demonstrated if no inherent limit cycle or divergent oscillation develops within the system as a result of calculated step disturbances of any critical variable, such as steam flow, pressure, neutron flux, or recirculation flow. The criteria for evaluating reactor dynamic performance and stability are stated in terms of two compatible parameters. First is the decay ratio, x2/x0, which is the ratio of the magnitude of the second overshoot resulting from a step perturbation. A plot of the decay ratio is a graphic representation of the physical responsiveness of the system which is readily evaluated in a time-domain analysis.

There is a direct relationship between the decay ratio and the damping coefficient for any dominant response as shown in Figure 7.17.1. Second is the damping coefficient, n the definition of which corresponds to the dominant pole pair closest to the imaginary axis in the s-plane for the system closed-loop transfer CHAPTER 07 7.17-2 REV. 26, APRIL 2017

PBAPS UFSAR function. As n decreases, the closed-loop roots approach the imaginary axis and the response becomes increasingly oscillatory.

This parameter also applies to the frequency-domain interpretation. Limits for the decay ratio provided in reference 1.

References 2 and 3, provide the details of the models and also a significant base of experimental confirmation which verifies the suitability of the analytical models used.

While the design is shown to be inherently stable, the OPRM Upscale Function provides compliance with GDC 12 by providing a hardware system that detects and acts to suppress thermal-hydraulic instabilities, thereby providing protection against exceeding the MCPR Safety Limit due to thermal-hydraulic power oscillations. The OPRM Upscale Function is described in References 4 through 8. In the event the OPRM system is declared inoperable, the plant can continue to operate under the BWROG guidelines for Backup stability Protection as described in Reference 9.

7.17.5 Operational Verification of Nuclear System Stability The stability of the nuclear system was verified during startup testing by introducing the same near-step perturbations which were used during the analytical simulation. Compliance with the ultimate performance limit was demonstrated at selected responsive plant conditions by the absence of divergent or limit cycle oscillations, excluding those minor limit cycles which can be induced by controller deadband characteristics.

7.17.6 Conclusion Analysis of the stability of the nuclear system demonstrates that the system can be operated safely, within the operating conditions defined in reference 4, without danger of compromising any radioactive material barriers because of instability. A detailed treatment of the stability and dynamic performance of the BWR can be found in references 2 and 3.

CHAPTER 07 7.17-3 REV. 26, APRIL 2017

PBAPS UFSAR 7.17 NUCLEAR SYSTEM STABILITY ANALYSIS REFERENCES

1. "General Electric Standard Application for Reactor Fuel,"

including the United States Supplement, NEDE 24011-P-A and NEDE-24011-P-A-US, (latest approved revision).

2. "Stability and Dynamic Performance of the General Electric Boiling Water Reactor," NEDO-21506, January 1977.

3. "Compliance of the General Electric Boiling Water Reactor Fuel Designs to Stability Licensing Criteria," NEDE-22277-P-1, December 1982.

4. NRC Generic Letter 94-02, "Long Term Solutions and Upgrade of Interim Operating Recommendations for Thermal Hydraulic Instabilities in Boiling Water Reactors," July 11, 1994.

5. NEDO-31960-A and NEDO-31960-A, Supplement 1, BWR Owners Group Long-Term Stability Licensing Methodology, November 1995.

6. GE Nuclear Energy, "Reactor Stability Detect and Suppress Solutions Licensing Basis Methodology for Reload Applications," NEDO-32465-A, August 1996.

7. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.

8. NEDC-32140P-A, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM)

Retrofit Plus Option III Stability Trip Function, November 1997.

9. GE Nuclear Energy, Backup Stability Protection (BSP) for Inoperable Option III Solutions, OG 02-0119-260, July 17, 2002.

CHAPTER 07 7.17-4 REV. 26, APRIL 2017

PBAPS UFSAR 7.18 SEPARATE SHUTDOWN CONTROL PANELS 7.18.1 Power Generation Objective The objective of the Remote Shutdown System (for each unit) is to provide the capability to shut down the reactor and to maintain it in a safe shutdown condition from outside the main control room if access to the main control room is lost for events other than Fire Safe Shutdown Events described in the Fire Protection Program..

7.18.2 Power Generation Design Basis

1. The Remote Shutdown System for each unit provides the necessary controls and instrumentation to shut down the reactor and maintain it in a safe shutdown condition.

The design is based on the following considerations:

a. No total loss of off-site power exists at the time.

b. No accident situation occurs.

c. Access to the main control room is lost due to a toxic gas event, smoke event, or as a result of failure of one control panel.

d. Safe shutdown is defined as MODE 3 (hot shutdown)

2. The remote shutdown panels are located in a seismic Class I structure.

3. Nothing in the design of the separate shutdown control panels or the station precludes taking both units to the cold shutdown condition.

7.18.3 Description 7.18.3.1 Control Panels The control panels contain, where appropriate, transfer switches which avoid interaction with any damaged equipment in the control room. Each unit is controlled from two adjacent panels. These panels are powered from the emergency buses. The panels provide control of the emergency service water system pump, the RCIC system supply valves from the condensate storage tank and the suppression pool and RHR pump shutdown cooling mode suction valves. The panels also provide reactor containment, switchgear and RCIC system instrumentation. Although not required for this licensing basis event, the RSS also provides indication and controls for Emergency Service Water (ESW), 4 KV Breaker CHAPTER 07 7.18-1 REV. 26, APRIL 2017

PBAPS UFSAR controls, and Control Rod Drive pumps. In addition, controls are provided to support placing shutdown cooling in service which is considered beyond the licensing basis of this event..

7.18.3.2 Operation 7.18.3.2.1 Reactor Shutdown Prior to leaving the control room, operators attempt to scram both reactors, close the Main Steam Isolation Valves (MSIVs), and start suppression pool cooling on both units. In the event that these actions cannot be performed, the reactors can be scrammed and the MSIVs can be closed from outside of the control room by opening the AC supply breakers for the Reactor Protection Systems (RPS). De-energizing the RPS systems results in reactor trips and main steam line isolations.

7.18.3.2.2 Reactor Level Control The Remote Shutdown System (RSS) for each unit is designed to provide the ability to control reactor vessel water level. This is primarily accomplished by the use of RCIC. The remote shutdown panel contains reactor vessel level indication and the necessary controls for the operation of RCIC. In the event that RCIC does not auto-start, it can be manually started from the panel. HPCI automatic operation may occur, but RCIC is credited for reactor water level control.

Although not required for the RSS function, Control Rod Drive pumps can be started from the RSS panel to protect the control rod drive seals from overheating and to assist the RCIC system in controlling reactor vessel level.

7.18.3.2.3 Reactor Pressure Control Main steam Safety Relief Valves (SRVs) E, H and L can be manually operated from the RSS to maintain pressure below the automatic relief setpoint. SRV position indication is provided. Automatic operation of the SRVs occurs as a result of closure of the MSIVs.

7.18.3.2.4 Heat Removal Decay heat is transferred from the reactor vessel to the suppression pool via the SRVs and RCIC operation. RSS and plant design allow for this operation to continue for one hour prior to the initiation of suppression pool cooling. If operation from the control room cannot be resumed within one hour, or if the controls for the shutdown cooling suction valves (RHR panel) in the control room are damaged, shutdown cooling suction valves can be initiated by the RSS. In addition, equipment installed to meet CHAPTER 07 7.18-2 REV. 26, APRIL 2017

PBAPS UFSAR Appendix R requirements for post-fire safe shutdown, as described in the PBAPS Fire Protection Plan, can be used to establish suppression pool cooling. The above heat removal process can maintain the reactor in hot shutdown or be used as directed in emergency operating procedures to bring the plant to a cold shutdown condition.

7.18.3.2.5 Instrumentation and Controls In addition to the instrumentation and controls previously described, the RSS contains other instruments and controls that, although not required, provide assistance to the operator. This includes 4kV breaker indication (no loss of offsite power is assumed), ESW status and control (ESW is not required for RCIC room cooling), CST level, containment and reactor parameters.

7.18.3.3 Physical Location The separate shutdown control panels are located in a common area in the radwaste building at the control room elevation.

7.18.4 Inspection and Testing The instrumentation of the separate shutdown control panels can be tested during plant operations.

CHAPTER 07 7.18-3 REV. 26, APRIL 2017

PBAPS UFSAR 7.19 CLASS 1E EQUIPMENT ENVIRONMENTAL QUALIFICATION The environmental qualification of Class 1E equipment has been reviewed against the NRC Division of Operating Reactors' "Guidelines for Evaluating Environmental Qualification of Class 1E Electrical Equipment in Operating Reactors" which was an enclosure to IE Bulletin 79-01B, dated January 14, 1980.

The environmental qualification central file contains summary information in the form of Equipment Qualification review records and backup documentation, which supports the conclusion that the safety system Class 1E equipment required to operate during the postulated accident, is adequately qualified for service. The environmental qualification files are subdivided by equipment type. Each package contains a type of Class 1E equipment associated with various safety systems and a summary of the environmental qualification parameters for the equipment. The Master List/CRL contains the equipment component number and the location for each device. The Master List provides a description of the equipment, the name of the associated system, the equipment component number, the manufacturer, the model number, and the design function of the qualified item. The environment for which the equipment must be qualified is listed in the controlled specification titled "Environmental Service Conditions for PBAPS" and referenced in the EQ packages. The environmental parameters for which the device is qualified are listed on the summary EQRRs (Equipment Qualification Review Record) in the EQ package. The qualification method for each of the environmental parameters is also indicated in the EQ package.

7.19.1 Effects of Loss of Air Conditioning and Ventila-tion on Control Room and Equipment Room Equipment The criteria governing the design of the air conditioning and ventilation systems for the control room and other safety-related equipment rooms require that required safety-related functions be maintained in the event of any active component failure or loss of off-site power. All cooling and ventilation systems for these rooms are installed in seismic Class I structures. They are provided with 100 percent redundancy except for the CSCS pump rooms which are provided with one operational unit cooler and one installed spare. The fan unit for the 3C RHR Component Room Cooler 3CE058 is installed spare, without a dedicated power source. The control room chiller and air conditioning supply and return fans do not run during loss of off-site power. The control room ventilation fans and safety-related equipment room coolers are capable of being supplied by the standby ac power system in the event of loss of off-site power. The control room ventilation system, without refrigerated cooling, and the cooling systems for the other safety-related equipment rooms are designed to limit CHAPTER 07 7.19-1 REV. 26, APRIL 2017

PBAPS UFSAR maximum space temperatures to the following values, based upon design outside ambient temperatures of 95F dry bulb for the control room, switchgear, battery room, and standby diesel-generator rooms and heat rejection to spaces for operating equipment in safety-related CSCS rooms.

Room Max. Normal Temp.

Control room 114F (without air condi-tioning-ventila-tion only)

Battery rooms 120.6F Emergency switchgear rooms 128.8F CSCS rooms 115F Standby diesel-generator rooms 105F (without EDG running)

ESW/HPSW Compartment All equipment located in these rooms is rated for operation at these temperatures or higher.

For the core spray and RHR pump rooms, loss of ventilation in one room as a result of single active failure could result in loss of function for ECCS equipment in that room. However, sufficient redundancy exists in the core spray and RHR components to ensure accomplishing the required core standby cooling system functions.

Allowable post-LOCA temperatures have been established for the HPCI and RCIC pump components such that operation of room coolers in these compartments is not required to support operability of the HPCI and RCIC systems.

An analysis has determined that the RHR subsystems can still perform their design function even if emergency service water /

service water is not available to the RHR fan-coil units during shutdown conditions (Modes 4 and 5) with RHR suction temperature less than 110°F. For this condition, it was determined that although the RHR functions would be maintained, local temperatures in the RHR pump rooms could rise to 180°F at worst-case water temperature and operating conditions.

For the standby diesel-generator rooms, loss of ventilation in one room as a result of a single active failure could result in loss of the function of the associated diesel generator due to insufficient cooling. However, the total number of standby diesel generator units is such that sufficient power is available to provide for the functioning of required engineered safeguard systems for one reactor unit and the shutting down of the other unit, assuming failure of one standby diesel generator and loss of all off site power sources (Reference 8.5.2.3). Furthermore, the CHAPTER 07 7.19-2 REV. 26, APRIL 2017

PBAPS UFSAR diesel generator room ventilation is powered from the diesels during the loss of offsite power (Reference 10.14.3.2).

If all control room normal ventilation and air conditioning were lost, the control room operator would initiate an emergency shutdown of non-essential equipment and lighting to reduce the heat generation to a minimum. Heat removal would be accomplished by conduction through the floors, ceilings, and walls to adjacent rooms and to the environment.

The equilibrium condition for temperature and humidity in the control room following the loss of all air conditioning and normal ventilation would be a maximum of 114F, 27 percent relative humidity. The equilibrium temperature of 114F could be achieved during ambient conditions of 95F, 50 percent relative humidity.

The equilibrium temperature for the diesel generator rooms with the diesel generator and associated ventilation operation is 107F at an outside air temperature of 95F. The design maximum diesel generator room temperature is limited by the qualified maximum diesel generator combustion air temperature of 110F for the 3101KW to 3250 KW rating range. Below the 3101KW rating range the qualified maximum diesel generator room temperature is 122F.

All control board instrumentation is specified to be operable at or better than 114F and 50 percent relative humidity. Therefore, the temperature within the control room will not increase to a point that will require reactor shutdown. All instrumentation was functionally tested after installation and prior to plant startup to confirm satisfactory operability of control and electrical equipment under normal environmental conditions. The extreme of environmental conditions is less than the design requirement of the instrumentation. Operation below this design value is always expected so that additional testing is not warranted.

The maximum equilibrium temperatures in the emergency switchgear and battery rooms following a design basis accident with a loss of instrument air are 128.8F and 120.6F, respectively. This assumes a maximum outside air temperature of 95F db and the ESBR HVAC system enters a recirculation mode for switchgear room air.

Design analysis has determined that all safety-related equipment in the switchgear and battery rooms are acceptable for operation at these maximum ambient room temperatures.

The maximum equilibrium temperature in the ESW/HPSW Compartments following a design basis event is 128F. This assumes a maximum outside air temperature of 95F (dry bulb) and the pump structure CHAPTER 07 7.19-3 REV. 26, APRIL 2017

PBAPS UFSAR ventilation system in operation. An evaluation has determined that all safety-related equipment in the ESW/HPSW compartments are acceptable for operation at this maximum ambient compartment temperature.

Since two sets of 100 percent capacity redundant supply and exhaust fans are installed for each system and since maximum room temperatures are lower than the design maximum equipment temperatures, forced shutdown of the reactor due to high temperature in the control room, battery room, and emergency switchgear room, and ESW/HPSW compartment is not anticipated.

Similarly, proper component maintenance and surveillance testing ensures reliable operation of ventilation equipment in the CSCS rooms. Exceeding maximum room temperatures for equipment would be the basis for considering the affected equipment inoperable.

Reactor shutdown requirements will be in accordance with Technical Specifications for equipment operability.

7.19.2 Seismic Qualification 7.19.2.1 General The RPS, engineered safety feature instrumentation systems, and the emergency power system are designed to perform their required functions during and following a design earthquake and maximum credible earthquake of 0.05g and 0.12g horizontal.

7.19.2.2 Nuclear Steam Supply System - GE-Supplied Equipment Seismic qualification of GE-supplied equipment has been performed as follows.

Design Criteria states that all engineered safety features instrumentation shall be capable of performing their respective essential functions while being subjected to a peak horizontal acceleration of 1.5g and a peak vertical acceleration of 0.5g over the frequency range of 5 Hz to 30 Hz at the point of attachment to the building structure.

This capability has been demonstrated by vibration testing of representative complete assemblies. Results of separate tests of representative components, panels, or racks have been combined analytically to fully take into account the transmissibility or amplification of the floor accelerations by the panel or rack structures.

The vibration testing was accomplished by securing the equipment being tested to a mounting bracket on the testing machine which was sufficiently rigid to ensure that the motion of the testing machine would be effectively transmitted to the equipment being CHAPTER 07 7.19-4 REV. 26, APRIL 2017

PBAPS UFSAR tested at all test frequencies. Tests were repeated for each of the three rectilinear axes of the equipment, and operational verification of essential functions during vibration was obtained.

Acceptability was based upon the ability of the equipment to withstand the specified vibration without mechanical failure and the ability to perform its essential functions during and after vibration testing. The equipment supplier has been required to submit a test report to show compliance with the seismic qualifications outlined above.

Seismic test data showing a device to have a tolerance less than the maximum values specified has been reviewed and exceptions made on the basis of ability to tolerate the actual acceleration imposed by design basis conditions as located and applied (taking into account building amplification of the maximum credible earthquake ground accelerations) without failure to perform its essential function when called upon to do so.

7.19.2.3 Non-Nuclear Steam Supply System Equipment - Bechtel-Supplied Equipment Seismic qualification of non-nuclear steam supply system, Bechtel-supplied equipment has been performed as follows.

Qualification of the equipment for its particular acceleration was ascertained by either analytical techniques or vibration testing techniques. A seismic specification covering design criteria is stated in the purchase requisition or specification, or attachments thereto. Vendor certification for compliance to the specification requirements assures conformance to the design criteria.

CHAPTER 07 7.19-5 REV. 26, APRIL 2017

PBAPS UFSAR 7.20 Accident Monitoring 7.20.1 Safety Objective The safety objective of the accident monitoring instrumentation is to provide appropriate wide range information for remote monitoring of post-accident conditions within the primary containment for the full spectrum of postulated accidents.

7.20.2 Safety Design Basis The accident monitoring instrumentation provides the operator in the control room with the information required to make specified manual control actions, to monitor the results of these actions, and to verify adequate core cooling and containment integrity.

7.20.3 Power Generation Design Bases The accident monitoring instruments that are also used for power generation are designed so that all the expected power operation actions and maneuvers can be reasonably accomplished by the reactor operator.

7.20.4 Description The following instrumentation provides the operator with information for monitoring primary containment conditions after a postulated accident. Refer to Table 7.20.1 for Regulatory Guide 1.97, Category 1 instruments and ranges.

7.20.4.1 Reactor Water Level Two post-accident reactor water level recorders are located in the control room. Each recorder has two channels, one for wide range reactor water level and one for fuel zone reactor water level.

These overlapping ranges provide level information from the bottom of the active fuel through normal water level.

Each recorder and its associated instrumentation is assigned to a separate safeguard power electrical division to ensure that a single failure will not disable both recorders. These reactor level indications are derived from differential pressure transmitters having separate condensing chamber type reference legs and pressure compensation instruments.

Other reactor water level indications are detailed in subsection 7.8.

CHAPTER 07 7.20-1 REV. 25, APRIL 2015

PBAPS UFSAR 7.20.4.2 Reactor Pressure Two post-accident Reactor pressure recorders are located in the main control room. Each recorder and its associated instrumentation are assigned to two independent safeguard power electrical divisions. This is to ensure that reactor pressure indication is available in the event that a single failure disables one of the recorders. Additional reactor pressure indication is available in the main control room for use during normal operations. See subsection 7.8.5.4 for details of this instrumentation.

7.20.4.3 Containment Pressure The primary containment pressure is monitored by two electronic pressure transmitters (0 to 70 psig) located external to the containment in the reactor building and transmitting to two separate recorders located in the main control room.

Two post-accident, drywell pressure recorders have been provided in the control room to allow pressure measurement from 5 psia to in excess of four times design pressure of the drywell. This involves four instrument channels. Two channels are connected to pressure transmitters with the range 0 to 225 psig. Two channels are connected to absolute pressure transmitters with the range 5 to 25 psia. One channel of each range is connected to each of the recorders. Each recorder and its associated instrumentation is assigned to a separate safeguard power electrical division to ensure control room indication in the event of single failure.

7.20.4.4 Containment Temperature Twenty-six strategically placed temperature sensors monitor containment ambient temperatures. Twenty-five sensors are read out by a digital indicator in the main control room. The remaining sensor is monitored by a recorder in the control room.

7.20.4.5 Containment Atmosphere Analysis Redundant containment monitoring systems are provided to monitor the containment for hydrogen and oxygen concentration during CAC operation and CAD operation, as discussed in paragraph 5.2.3.8 and 5.2.3.9.

In addition, a gaseous radiation monitoring system is included to monitor the radioactive content of containment atmosphere. This monitor may be operated in conjunction with the CAD/CAC analyzer in either the CAD or CAC mode of operation. Subsection 4.10 contains details of this system.

CHAPTER 07 7.20-2 REV. 25, APRIL 2015

PBAPS UFSAR Post-accident containment radiation levels are monitored by four instrument channels with a range of 1 to 108 R/hr. These radiation monitors drive two dual channel recorders located in the control room. Each recorder and the two associated channels are in a separate division and are powered from safeguard power. The purpose of the system is to provide information on the magnitude of radiation release to containment so that appropriate emergency actions can be implemented.

The Primary containment High Range Radiation Monitoring System installed at Peach Bottom Atomic Power Station meets the Regulatory Guide 1.97 requirement where containment radiation after an event be measured to within a factor of two. Under certain extreme conditions of high drywell temperature and low radiation levels, the accuracy requirement of Regulatory Guide 1.97 is not satisfied. Under high drywell temperature conditions, Insulation Resistance (IR) leakage current will cause a system error. The induced error decreases exponentially with drywell temperature and becomes insignificant below a drywell temperature of 230°F. This induced error is significant (not within a factor of two) only under low radiation conditions coincident with high drywell temperatures, whereas the system will operate to perform its principal function under normal and varying temperature conditions during and following an accident. EPRI Report TR-112582 "High Range Radiation Monitor Cable Study: Phase II" (May 2000) states the following: "A strong positive thermally induced current of relatively short duration (minutes) occurs in response to the steep temperature increase at the start of a thermal event such as a loss-of-coolant accident (LOCA). Such a positive transient will be over before an operator would need the high range radiation monitor system to analyze a DBE condition."

Grab samples can be taken from the post-accident sampling stations described below.

7.20.4.6 Coolant Sampling and Analysis The Post Accident Sampling System is shown on Drawing M-374 (Sheets 1 and 2).

PBAPS license amendment number 248 to Renewed Operating License Number DPR-44 and license amendment number 251 to Renewed Operating License Number DPR-56 approve the elimination of the requirement to have and maintain the Post Accident Sampling System (PASS). The following items were committed to as part of the subject license amendments.

PBAPS has developed contingency plans for obtaining and analyzing highly radioactive samples of reactor coolant, suppression pool, and containment atmosphere. The contingency plans will be CHAPTER 07 7.20-3 REV. 25, APRIL 2015

PBAPS UFSAR contained in the PBAPS chemistry procedures and implemented with the implementation of the license amendment. Establishment of contingency plans is considered a regulatory commitment.

The capability for classifying fuel damage events at the Alert level threshold will be established at a level of core damage associated with radioactivity levels of 300 micro-curies/gm dose equivalent iodine. This capability will be described in emergency plan and emergency plan implementing procedures and implemented with the implementation of the license amendment. The capability for classifying fuel damage events is considered a regulatory commitment.

PBAPS has established the capability to monitor radioactive Iodines that have been released offsite to the environs. This capability is described in emergency plans and emergency plan implementing procedures. The capability to monitor radioactive Iodines is considered a regulatory commitment.

The following information contained in the UFSAR regarding the regulatory requirements for post accident sampling is retained for historical purposes.

Post-accident sample stations are installed in the M-G Set rooms which are located adjacent to, and between, the reactor buildings on elevation 135'. The sample stations consist of separate gas and liquid sample modules and a control panel. Sample lines are provided from jet pump instruments, RHR systems, and containment gas analyzer lines. Laboratory equipment for the analysis of post-accident samples is located in the Chemistry Lab at elevation 130'. Additionally, an off-site laboratory is available, via contractual arrangements, to confirm site analyses.

Sampling activities are controlled from the sample station control panels which are designed for sequential, manual operation. The control panels are located at a distance of at least 6 feet from the sample stations.

The sample stations may be powered from either a station auxiliary bus or an emergency bus so that sampling can be performed during a loss of off-site power. This design feature exists although the heat sink, emergency service water (ESW), for the reactor building closed cooling water (RBCCW) system has been eliminated as a result of locking closed the ESW-RBCCW cross-tie valves.

Therefore, little, if any, cooling would be provided to the sample station during a loss of off-site power.

The onsite radiological and chemical laboratory facilities are equipped with gamma spectral analysis equipment to quantify the CHAPTER 07 7.20-4 REV. 25, APRIL 2015

PBAPS UFSAR radionuclides present in gas and liquid samples. Shielded caves are provided for the radiation detectors to minimize the effect of background radiation. Initial dilutions are performed in the process of taking liquid samples at the sample stations. Any additional dilutions required will be performed in the laboratory fume hood behind a lead brick pile.

The onsite radiological and chemical laboratory facilities are equipped with gamma spectral analysis equipment to quantify the radionuclides present in gas and liquid samples. Shielded caves are provided for the radiation detectors to minimize the effect of background radiation. Initial dilutions are performed in the process of taking liquid samples at the sample stations. Any additional dilutions required will be performed in the laboratory fume hood behind a lead brick pile.

A procedure to assess the extent of core damage based on radionuclide concentrations and other parameters has been prepared.

The sampling and analysis provisions at Peach Bottom have been designed such that it will be possible to obtain and analyze a sample at any time without exceeding the radiation exposure limits of general design criteria 19 in Appendix A of 10CFR50.

7.20.4.7 Suppression Pool Water Temperature Suppression pool temperature is monitored by redundant suppression pool monitoring systems. Each monitoring system consists of thirteen (13) resistance temperature detectors (RTD) mounted in thermowells installed in the torus shell below the minimum water level, a processor/indicator/printer located in the control room, and a recorder located in the control room. The RTD inputs are averaged by the processor to provide a bulk average temperature.

Annunciation is provided for high temperature and signal/system failure. Each system is assigned to a separate safeguard power electrical division to ensure control room indication in the event of a single failure.

7.20.4.8 Suppression Pool Water Level Suppression pool water level is continuously monitored by two electronic transmitters located external to the suppression pool.

One transmitter is connected to a recorder and the other is connected to an indicator and a recorder in the main control room.

The range is sufficient to cover the addition of the reactor coolant system inventory to the suppression pool inventory, as well as any inventory contribution from the condensate storage tank prior to CSCS suction from the suppression pool. Each transmitter and its associated instrumentation is assigned to a CHAPTER 07 7.20-5 REV. 25, APRIL 2015

PBAPS UFSAR separate safeguard power electrical division to ensure control room indication in the event of a single failure.

7.20.4.9 Safety/Relief Valve Position Indication A direct method of indicating the position of safety/relief and safety valves has been provided. The indication and alarm system is based on acoustic monitoring techniques. Each safety/relief and safety valve has its own instrumentation channel. Each channel consists of a sensor mounted inside the primary containment, a preamplifier mounted in the reactor building, an electronics module mounted in the cable spreading room in the accident monitoring panels, and indicating lights in the control room which indicate that the safety/relief or safety valve has opened. An indication has also been provided for each valve to show that a valve was open if it opened and then reclosed.

7.20.4.10 Vent Stack Wide Range and Main Stack Wide Range Noble Gas Monitors A wide range noble gas radiation monitor has been provided on each unit vent stack. The vent stack monitors are located in the Turbine Building Ventilation Equipment Area. The overall range of the wide range vent stack monitors is 1x10-7 Ci/cc to 1.0x105 Ci/cc. The radiation levels are displayed on a recorder in the control room. Power has been provided for the instrument channels from the standby AC power system.

A Wide Range Noble Gas Monitor (WRGM) has been provided for the main stack. The main stack monitoring skids are installed in a pre-engineered building located next to the main stack. The range of the main stack monitor is 1x10-7 Ci/cc to 1.0x105 Ci/cc. This range is sufficient to cover post-accident effluent releases. The display of radiation levels is facilitated by a subsystem comprised of a local microprocessor, an indicating unit, and a recorder located in the main control room. Also, the WRGM has provisions for taking grab samples for laboratory analysis. The grab sampler can be controlled locally or from the main control room.

7.20.4.11 Primary Containment Isolation Valve Position Indication PCIV position is provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The PCIV position PAM instrumentation consists of position switches, associated wiring and control room indicating lamps for active PCIV's (check valves, manual valves and relief CHAPTER 07 7.20-6 REV. 25, APRIL 2015

PBAPS UFSAR valves installed per GL 96-06 are not required to have position indication).

7.20.5 Safety Evaluation The accident monitoring instrumentation provides adequate information to enable the operator to monitor transient reactor plant behavior and to verify proper safety system performance following an accident. The performance of the accident monitoring system provides sufficient time for the operator to make reasoned judgments and take action when required.

7.20.6 Inspection and Testing Periodic testing is in accordance with Technical Specifications or the Technical Requirements Manual, as applicable.

CHAPTER 07 7.20-7 REV. 25, APRIL 2015

PBAPS UFSAR TABLE 7.20.1 REGULATORY GUIDE 1.97 CATEGORY 1 INSTRUMENTATION Type Indication Parameter Instrument and Range Reactor Water Level LR-2(3)-02-3-110A,B Recorder -165 to +60 inches (wide range)

Reactor Water Level LR-2(3)-02-3-110A,B Recorder -325 to +60 inches (fuel zone)

Reactor Pressure PR/LR-2(3)-02-3-404A Recorder 0 to 1500 psig PR/RR-2(3)-02-3-404B Drywell Pressure PR-8(9)102A,B Recorder 0 to 225 psig (wide range)

Drywell Pressure PR-8(9)102A,B Recorder 5 to 25 psia (subatmospheric range)

Suppression Chamber LR/TR-8(9)123A,B Recorder 30 to 310 degrees F Water Temperature TIS-2(3)-02-071A,B Indicator 30 to 310 degrees F CHAPTER 07 7.20-8 REV. 23, APRIL 2011

PBAPS UFSAR TABLE 7.20.1 REGULATORY GUIDE 1.97 CATEGORY 1 INSTRUMENTATION (Continued)

Type Indication Parameter Instrument and Range Suppression Chamber LR/TR(9)123A, B Recorder 1-21 ft.

Water Level (wide range) LI-8(9)123A,AX Indicator 1-21 ft.

Drywell High RR-8(9)103A,B Recorder Range Radiation 1-1E(+8) R/hr Monitors Primary Containment Valve Limit Switches Isolation Valve (for Direct Position Position Indication Indication)

Valve Control Circuit Open/Closed Lights (for Indirect Position Indication)

CHAPTER 07 7.20-9 REV. 23, APRIL 2011

PBAPS UFSAR 7.21 SEISMIC INSTRUMENTATION 7.21.1 Safety Design Objective The safety design objective of the seismic monitoring system is to provide the operator with timely information on the severity of an earthquake so that the operator can determine the effects of the earthquake on the operations of the plant.

7.21.2 Safety Design Basis

1. The seismic monitoring and recording system operates automatically to detect and record vibratory ground motion and the resulting vibratory responses of representative Category I structures.

2. The system is classified as Category I.

7.21.3 Description Four triaxial servo accelerometers input to a seismic instrumentation panel located in the cable spreading room.

The accelerometers are located at:

1. Unit 2, torus room, Elevation 105 ft on the containment foundation at Azimuth 0.

2. Unit 2, refueling floor, Elevation 234 ft on the west wall.

3. Unit 2, RCIC pump room, Elevation 88 ft on the pump foundation.

4. "C" diesel-generator building, Elevation 127 ft on the foundation in the southeast corner of the building.

The seismic instrumentation panel is powered from a non-safeguard distribution panel that is fed from safeguard power. The seismic instruments have sufficient recording capacity and backup power supply to provide 25 minutes of recording.

Vibratory motion is sensed by the accelerometers and each of their signals is continuously monitored by a solid state accelerograph.

When the seismic trigger threshold is exceeded on the containment foundation accelerometer, a permanent recording of the time-history response of all of these sensors is made. The recorder is programmed to record both pre-event and post-event data. The threshold level is adjustable from 0.005g to 0.02g. The CHAPTER 07 7.21-1 REV. 21, APRIL 2007

PBAPS UFSAR accelerograph has sufficient capability to allow for resolution of signals between 1 and 30 Hz with a dynamic range of at least 100:1. A graph of the time-history response of any sensor can be obtained by using the dedicated computer to recall the data and display it or print it.

The time history recorded by the containment foundation accelerograph is processed immediately following the seismic event by a dedicated computer which performs a response spectrum analysis; the dedicated computer calculates and compares the containment foundation response spectrum at discrete frequencies to the pre-programmed response spectrum of the Peach Bottom site operating basis earthquake. An alarm is provided if the operating basis earthquake is exceeded. The response spectrum of any of the solid state accelerograph recordings can be obtained by using the dedicated computer to recall the data and display it.

The operator is aware of the status of the seismic monitoring instrumentation through alarms in the control room that indicate there has been a loss of power, that the threshold trigger level has been exceeded, and that the operating basis earthquake has been exceeded.

In addition to the above seismic instrumentation, triaxial peak accelerographs are mounted in the same locations as accelerometers

2 and #4, and another accelerograph is located in Unit 2, reactor building, Elevation 170 ft, strapped to the line from the fuel pool to the RHR. These accelerographs require no source of power and they provide permanent records of peak acceleration.

This seismic monitoring system provides sufficient information to determine the status of both units at Peach Bottom.

7.21.4 Safety Evaluation The seismic monitoring instrumentation system is designed to provide the operator with timely information on the effects of an earthquake on the structures, systems, and components of the plant that are necessary for continued operation without undue risk to the health and safety of the public. The system meets the requirements of Regulatory Guide 1.12, "Instrumentation for Earthquakes."

7.21.5 Inspection and Testing Abnormal operation of any of the seismic monitoring components can be detected during plant operation through periodic testing of the equipment. The system is designed so that testing and repair can be scheduled to eliminate the need to take all the instrumentation out of service simultaneously.

CHAPTER 07 7.21-2 REV. 21, APRIL 2007

PBAPS UFSAR 7.22 HIGH PRESSURE SERVICE WATER (HPSW) POWER TRANSFER SWITCH 7.22.1 Power Generation Objective The objective of the HPSW power transfer switch is to ensure that the HPSW cross-tie valve remains functional following a OBA or transient.

7.22.2 Power Generation Design Basis The HPSW power transfer switch provides the capability of powering the HPSW cross-tie valve from safety related normal and safety related alternate power supplies. The redundant power supplies ensure that a single failure will not prevent the HPSW cross-tie valve from being opened when required during a design basis event.

7.22.3 Description 7.22.3.l Power Transfer Switch

l. The HPSW power transfer switch provides redundancy to the safety related 480 Vac Motor Control Centers that supply power to the operators of the HPSW cross-tie valves.

2. The HPSW power transfer switch provides the capability of transferring power from the normal power source to the alternate power source via a remote switch in the Main Control Room or using a local switch at the transfer switch panel.

7.22.3.2 Operation The operator takes action as directed station procedures.

7.22.3.3 Physical Location The HPSW power transfer switch is located in a common area in the Reactor Building at Elevation 135'-0".

7.22.4 Inspection and Testing The HPSW power transfer switch can be tested during plant operations.

CHAPTER 07 7.22-1 REV. 26, APRIL 2017

PBAPS UFSAR 7.23 RESIDUAL HEAT REMOVAL (RHR) POWER TRANSFER SWITCH 7.23.1 Power Generation Objective The objective of the RHR power transfer switch is to ensure that the RHR Heat Exchanger Control, Cross-tie Isolation and Cooling Water Discharge valves remain functional following a LOOP/LOCA, the loss of a Diesel Generator or 4kV bus, with a need for Containment Cooling.

7.23.2 Power Generation Design Basis The RHR power transfer switch provides the capability of powering the RHR Heat Exchanger Control, Cross-tie Isolation and Cooling Water Discharge valves from safety related normal and safety related alternate power supplies. The redundant power supplies ensure that a single failure will not prevent these valves from being operated when require during a design basis event.

7.23.3 Description 7.23.3.1 Power Transfer Switch

1. The RHR power transfer switch provides redundancy to the safety related 480 Vac Motor Control Centers that supply power to the operators of the RHR Heat Exchanger Control, Cross-tie Isolation and Cooling Water Discharge valves.

2. The RHR power transfer switch provides the capability of transferring power from the normal power source to the alternate power source via a switch on the associated diesel panel in the Main Control Room.

7.23.3.2 Operation The operator takes action as directed by station procedures.

7.23.3.3 Physical Location The RHR power transfer switch is located in the Main Control Room in the Turbine Building at elevation 165' -0".

7.23.4 Inspection and Testing The RHR power transfer switch can be tested during plant operations.

CHAPTER 07 7.23-1 REV. 26, APRIL 2017

Retrieved from "https://kanterella.com/w/index.php?title=ML17130A235&oldid=2439262"

Updated Final Safety Analysis Report (UFSAR)