ML17226A141
Text
RBSUSAR7.1-1August198
77.1INTRODUCTION
Chapter7presentsspecificdetaileddesignandperformanceinformationforinstrumentationandcontrolofsafety-relatedand majorplantcontrolsystemsutilizedthroughouttheplant.In addition,nonsafety-relatedmajorplantcontrolsystemsare presentedinSection7.7.Thedesignandperformance considerationsofthesesystems,safetyfunctions,andtheir mechanicalaspectsaredescribedinotherchapters.Equipment arrangementdrawingsareidentifiedinSection1.2; instrumentationlocationdrawingsandelementarydiagramsare identifiedinSection1.7.7.1.1IdentificationofSafety-RelatedSystems ThesystemspresentedinChapter7areclassifiedaccordingtotheNRCRegulatoryGuide1.70,Revision3;namely,reactor protection(trip)system(RPS),engineeredsafetyfeature(ESF) systems,safeshutdownsystems,safety-relateddisplay instrumentation,allotherinstrumentationsystemsrequiredfor safety,andcontrolsystemsnotrequiredforsafety.Table7.1-1 listssafety-relatedsystemsandidentifiesthedesignerandthe supplier.Tables7.1-2and7.7-2identifynuclearpowerplants ofsimilarinstrumentationandcontroldesignthathaverecently receivedNRCdesignoroperationapprovalthroughtheissuanceof eitheraconstructionpermitoranoperatinglicense.Thefollowingisabriefdescriptionofthereactorprotection(trip)system,ESFsystems,safeshutdownsystems,safety-related displayinstrumentation,andothersystemsrequiredforsafety, asdescribedinChapter7.1.ReactorProtection(Trip)System(RPS)TheRPSinstrumentationandcontrolsinitiatereactorshutdownviaautomaticcontrolrodsinsertion(scram)if selectedvariablesexceedpreestablishedlimits.This actionpreventsfueldamage,limitsnuclearsystempressure, andrestrictsthereleaseofradioactivematerial.
RBSUSAR7.1-2August19872.EmergencyCoreCoolingSystems(ECCS)TheECCSinstrumentationandcontrolsprovideautomaticinitiationandcontrolofspecificcorecoolingsystems, namely,highpressurecorespray(HPCS)system,automatic depressurizationsystem(ADS),lowpressurecorespray (LPCS)system,andthelowpressurecoolantinjection(LPCI) modeoftheresidualheatremoval(RHR)system.This providesadequatecorecoolingfollowingaloss-of-coolant accident(LOCA)topreventfuelcladdingfailuredueto excessivetemperatures.3.ContainmentandReactorVesselIsolationControlSystem (CRVICS)TheCRVICSinstrumentationandcontrolsinitiateautomaticclosureofvariousreactorcoolantpressureboundaryand containmentisolationvalvesifmonitoredsystemvariables exceedpreestablishedlimits.Thisactionlimitstheloss ofcoolantfromthereactorcoolantpressureboundary(RCPB) andthereleaseofradioactivematerialsfromeitherthe drywellorthecontainment.4.MainSteam-PositiveLeakageControlSystem(MS-PLCS)TheMS-PLCSinstrumentationandcontrolsareprovidedtopreventthereleaseoffissionproductstotheatmosphere followingadesignbasisLOCAbyestablishingapressurized barrierbetweenthecontainmentandtheenvirons.5.StandbyGasTreatmentSystem(SGTS)TheSGTSprocessespotentiallyradioactivematerialsfollowingadesignbasisaccident(DBA).6.CombustibleGasControlSystemThecombustiblegascontrolsystemprovidesthreesafety-relatedsystems:thehydrogenanalyzersystem,the hydrogenmixingsystem,andthehydrogenrecombinersystem.
Sufficientinstrumentationisprovidedtomonitorthe concentrationoffreehydrogeninthedrywelland containment,andtoreducethehydrogenconcentrationtoa safelevel.
RBS USAR Revision 18 7.1-3 7. Reactor Plant Ventilation System The reactor plant ventilation system provides an ESF system: the containment ventilation system
. Instrumentation is provided to limit the temperature buildup within the containment,and to divert the annulus exhaust through a filtration system when a high radiation or LOCA condition is present. Monitoring of the annulus exhaust for radioactivity is provided by the radiation monitoring system (RMS).8. RHR Suppression Pool Cooling Mode (SPCM)
The SPCM is a manually initiated mode of the RHR system that is provided to cool suppression pool water to avoid elevated
pool temperature. 9. Standby Service Water (SSW) System The SSW system instrumentation and controls provide backup for the normal service water system and reactor plant component cooling water system to ensure an adequate supply
of cooling water to safety-related equipment. 10. Control Building Air Conditioning System The control building air conditioning system instrumentation and controls assure that the control building has adequate heat, air conditioning, and ventilation during normal
operation and during all accident conditions. 11. Control Building Chilled Water System The control building chilled water system instrumentation and controls assure that the main control room area, the standby switchgear room, and the chiller equipment room air conditioning units have adequate chilled water during
normal, shutdown, or accident conditions. 12. Standby Power Support Systems Standby power support systems instrumentation and controls ensure the availability of the diesel generator auxiliary systems. Manual controls for diesel startup are provided
locally at the diesel generators and remotely in the main
control room.
RBSUSARRevision157.1-4May200213.DieselGeneratorBuildingVentilationSystemThedieselgeneratorbuildingventilationsystemprovidesinstrumentationtomaintainthedieselgeneratorbuilding withinitsdesigntemperaturetoensureproperoperationof thedieselgenerators.14.SSWPumpHouseVentilationSystemTheSSWpumphouseventilationsysteminstrumentationandcontrolsareprovidedtomaintaintheproperambient temperaturearoundtheSSWpumpsandtoprovideanadequate flowofcoolairaroundtheelectricalswitchgearand
transformer.15.AuxiliaryBuildingVentilationSystemTheauxiliarybuildingventilationsystemprovidesinstrumentationtomaintaintheESFareaswithinthe auxiliarybuildingwithindesigntemperatureandtodivert theexhaustairthroughafiltrationsystemwhenahigh radiationconditionispresent.16.FuelBuildingVentilationSystem14Thefuelbuildingventilationsysteminstrumentationand controlsmonitorandcontrolthesupplyoffilteredand temperedairtovariousoperatingareas.Thefuelbuilding ventilationsystemprocessespotentiallyradioactive materialsfollowingafuelhandlingaccident(FHA)inthe fuelbuilding.
1417.ReactorCoreIsolationCooling(RCIC)System15TheRCICinstrumentationandcontrolsprovidemakeupwater tothereactorvesselintheeventthereactorbecomes isolatedfromthemaincondensersduringnormalplant operationbyclosingthemainsteamisolationvalves (MSIVs).1518.RHRReactorShutdownCoolingMode(RSCM)TheRSCMoftheRHRsystemismanuallyinitiatedtoprovide coolingtoremovethedecayandsensibleheatfromthe reactorvesselsothatthereactorcanberefueledand
serviced.
RBSUSAR7.1-5August198719.StandbyLiquidControlSystem(SLCS)TheSLCSinstrumentationandcontrolsprovidemanualinitiationofareactivitycontrolsystemwhichcanshut downthereactorfromratedpowertothecoldcondition,in theeventthatasufficientnumberofcontrolrodscannotbe insertedmanuallybytherodcontrolandinformationsystem (RCIS)toachievereactorshutdown.20.RemoteShutdownSystem(RSS)TheRSSprovidesthecapabilitytoassuresafeshutdownofthereactorintheeventthemaincontrolroomshouldbecome
uninhabitable.21.Safety-RelatedDisplayInstrumentation(SRDI)TheSRDIprovidesinformationtotheoperatorenablinghimtomonitortransientreactorplantbehaviorandtoverify propersafetysystemperformance.22.RecirculationPumpTrip(RPT)TheRPTinstrumentationandcontrolsareprovidedtoreducetheseverityofthermaltransientsonfuelduetoa turbine/generatortripandloadrejectionbytrippingthe recirculationpumpsearlyintheevent,thusrapidly reducingcoreflowandincreasingvoidcontentandthereby reducingreactivityinconjunctionwiththecontrolrod
scram.23.LeakDetectionSystem(LDS)TheLDSusesvarioustemperature,pressure,level,flowsensors,andfissionproductmonitorstodetect,annunciate, alarm,andisolate(incertaincases)waterandsteam leakagepathsinselectedreactorsystems.24.NeutronMonitoringSystem(NMS)TheNMSinstrumentationandcontrolsuseincoreneutrondetectorstomonitorcoreneutronflux.TheNMSprovides signalstotheRPStripchannelstoscramthereactor.Core averageneutronfluxoraveragesimulatedthermalpoweris usedastheoverpowerindicatorduringpoweroperation.
Intermediaterangemonitors(IRM)areusedaspower indicatorsduringstartupandshutdown.TheNMSalso providespowerlevelindicationduringplantoperation.
RBSUSARRevision107.1-6April199825.RadiationMonitoringSystem(RMS)TheRMSinstrumentationandcontrolsmeasure,evaluate,andreportradioactivityinprocessstreamsinliquidand gaseouseffluents,andinselectedplantareas,andfunction tolimitthereleaseofradioactivematerialstothe
environs.26.FuelPoolCooling(FPC)SystemTheFPCsysteminstrumentationandcontrolsmonitorwatertemperatureandprovidecoolingofthespentfuelstorage
pool.27.PenetrationValveLeakageControlSystem(PVLCS)10ThePVLCSprovidesinstrumentationtoensureadequateairsupplytothemainsteamanddrainlinescontainment isolationvalvestopreventleakageoffissionproducts throughthevalveseatsafteraLOCA.
1028.RodPatternControlSystem(RPCS)TheRPCSinstrumentationandcontrolsareprovidedtoreducetheconsequencesofapostulatedroddropaccidentby preventingcontrolrodmovementintounacceptablerod
patterns.29.SafetyReliefValves(SRV)-ReliefFunctionTheSRVinstrumentationandcontrolsprovidearelieffunctiontorelievehighpressureconditionsinthenuclear systemthatcouldleadtothefailureofRCPB.7.1.2IdentificationofSafetyCriteria Instrumentationandcontrolequipmentdesignisbasedontheneedtohavethesystemperformitsintendedfunctionwhilemeeting applicablesectionsofTitle10CodeofFederalRegulations, Part50(10CFR50),IndustryCodesandStandards,andNRC RegulatoryGuides.RefertoSections7.2through7.6for discussionofdesignbasesforeachsafety-relatedsystem.The degreeofconformancetoNRCRegulatoryGuidesisprovidedin Section1.8.7.1.2.1RegulatoryRequirements Theplantsafety-relatedsystemshavebeenexaminedwithrespecttospecificregulatoryrequirementswhichare RBSUSARRevision107.1-7April1998applicabletotheinstrumentationandcontrolsofthesesystems.Theseregulatoryrequirementsinclude:1.10CFR50 2.IndustryCodesandStandards 3.NRCRegulatoryGuides.Thespecificregulatoryrequirementspertainingtoeachsystem'sinstrumentationandcontrolisspecifiedinTable7.1-3.Fora discussionofthedegreeofconformance,seetheindividual systemsanalysisportionsinSections7.1through7.6.7.1.2.2ConformancetoTitle10,CodeOfFederalRegulations,Part50(10CFR50)AppendixA-GeneralDesignCriteria (GDC)TheconformancediscussionsprovidedinSection3.1fortheGDCapplytothesafety-relatedsystemsinChapter7asidentifiedin Table7.1-3.7.1.2.3ConformancetoIEEEStandards ThefollowingarecompliancediscussionsforthoseIEEEstandardswhichapplygenericallytothesafety-relatedsystemsindicated inTable7.1-3.ThoseIEEEstandardswhichdonotapply genericallytothesafety-relatedsystemsinChapter7are discussedforeachsystemintheanalysisportionsof Sections7.2through7.6.Whereschedulespermitted,later issuesofIEEEstandardswereused(Table7.1-3).101.ConformancetoIEEE279-1974-ProtectionSystemsforNuclearPowerGeneratingStationsConformancetoIEEE279-1974isdiscussedinRegulatoryGuide1.75ofSection1.8andappliestoeachsysteminthe analysisportionofSections7.2-7.6.Theindependenceand separationcriteriaforredundantsystemsinaccordancewith IEEE279-1971hasbeenaddressaspartofIEEE384-1974.Bypass/inoperativeindicationsystemforautomaticsafetysystemsisdesignedtosatisfytherequirementsofIEEE279-1971andfurtherdescribedinconformancetoRegulatory Guide1.47.Manualinitiationofthecompletionoftheautomaticandprotectivefunctionisdesignedtosatisfytherequirements ofIEEE279-1971.SeeSection7.1.2.4.5forfurther compliancediscussions.
10 RBSUSARRevision107.1-7aApril199810Adjustments,calibration,andtestpointmethodologyusedindeterminingsafetysystemsetpointsaredesignedin conformancetoIEEE279-1971.SeeSection7.1.2.5andRiver Bend'spositioninRegulatoryGuide1.105forfurther conformancediscussion.2.ConformancetoIEEE308-1974-Class1EPowerSystemsforNuclearPowerGeneratingStations 10Allelectricallyoperatedbreakersareprovidedwithbreakerstatusindicationinthemaincontrolroom.All13.8-kV, 4.16-kV,and480-Vbreakersand125-Vdcswitchgearbreakers alarminthemaincontrolroomwhenthebreaker automaticallytrips.ForClass1Eand120-Vacand125-Vdc circuits,indicationisprovidedinthemaincontrolroom forlossofpowerinaccordancewithRegulatoryGuide1.47.ConformancetoIEEE308-1974isdescribedinSection8.3.
RBSUSARRevision107.1-7bApril1998THISPAGEINTENTIONALLYBLANK RBSUSARRevision107.1-8April1998103.ConformancetoIEEE317-1976-ElectricPenetrationAssembliesinContainmentStructures 10ConformancetoIEEE317-1976isdescribedinChapter8.104.ConformancetoIEEE323-1974-QualifyingClass1EEquipmentforNuclearPowerGeneratingStations 10ConformancetoIEEE323-1974isdescribedinSection3.11.105.ConformancetoIEEE336-1971-Installation,Inspection,andTestingRequirementsforInstrumentationandElectric EquipmentDuringtheConstructionofNuclearPower GeneratingStations 10Whereapplicable,purchaseandcontractspecificationsdefineinstallation,inspection,andtestingrequirements forplantinstrumentationandcontrols.Conformanceto IEEE336-1971isdiscussedinSection8.1.106.ConformancetoIEEE338-1971-PeriodicTestingofNuclearPowerGeneratingStations 10ConformancetoIEEE338-1971ispresentedonasystembasisintheanalysisportionsofSections7.2,7.3,7.4,and7.6 aspartofthediscussionofRegulatoryGuide1.22
compliance.107.ConformancetoIEEE344-1975-SeismicQualificationofClass1EEquipment 10ConformancetoIEEE344-1975isdescribedinSection3.10.108.ConformancetoIEEE379-1972-ApplicationofSingle-FailureCriteriontoNuclearPowerGeneratingStations 10Theextenttowhichthesingle-failurecriteriaofIEEE379-1972aresatisfiedisspecificallycoveredforeach systemintheanalysisofIEEE279-1971,Paragraph4.2in Sections7.2,7.3,7.4,7.6,andintheFailureModesand EffectsAnalysis,Books1and2.109.ConformancetoIEEE384-1974-IndependenceofClass1EEquipmentandCircuits 10Thesafety-relatedsystemsdescribedinSections7.2through7.6meettheindependenceandseparation RBS USAR Revision 20 7.1-9 criteria for redundant systems in accordance with IEEE 279-1971, Paragraph 4.6. The criteria and bases for the independence of safety-related instrumentation and controls, electrical equipment, cable, cable routing, marking, and cable derating, are discussed in Section 8.3. Fire detection and protection in the areas where wiring is installed are
described in Section 9.5.1 and in Appendix 9A. RBS instrument cabinets and main control room boards meet the separation criteria defined in Sections 5.6 and 5.7 of
IEEE 384-1974. The preferred method of separation at RBS is by physical separation of redundant Class 1E systems by safety class structures. Where physical separation by separate enclosures is not possible because of the plant design, a barrier or 6-in minimum separation distance is provided.
Instances where a barrier or 6-in separation is not provided, as required, have been analyzed to ensure compliance with Regulatory Guide 1.75, Revision 2, and
IEEE 384-1974. Control panels are physically separated so that hazards such as fire, missiles, pipe whip, and water sprays, including fire protection water systems, do not cause failures common to redundant Class 1E functions (Sections 9.5, 3.5, and 3.6). The station arrangement drawings shown in Section 1.2 identify equipment locations which may be used to verify separation by physical location and safety class structures.
A further description of the PGCC design is provided in
Reference 2. 1010. Conformance to IEEE 387-197 7 - Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations 10 Design and qualification testing of the standby power system used to furnish electrical power to safety loads conforms to IEEE 387-197 7 to ensure that system requirements for redundancy, single-failure criteria, adequate capacity, capability, and reliability are adequately met. The standby power source as an integrated system component satisfies the
requirements of IEEE 308-1974 as discussed in Section 8.3.
RBSUSARRevision107.1-10April19987.1.2.4ConformancetoNRCRegulatoryGuidesThefollowingarecompliancediscussionsforthoseRegulatoryGuideswhichapplygenericallytothesafety-relatedsystems describedinChapter7.ThoseRegulatoryGuideswhichdonot applygenericallytothesafety-relatedsystemsinChapter7are discussedforeachsystemintheanalysisportionof Sections7.2,7.3,7.4,and7.6.1.ConformancetoRegulatoryGuide1.11ConformancetoRegulatoryGuide1.11isdiscussedinSection1.8andinSection6.2.4.2.ConformancetoRegulatoryGuide1.2910Allsafety-relatedinstrumentationandcontrolequipmentareclassifiedSeismicCategoryI,designedtowithstandthe effectsoftheSSEandtoremainfunctionalduringnormaland accidentconditions.Qualificationanddocumentation proceduresusedforSeismicCategoryIequipmentandsystems areidentifiedinSections3.2and3.10.Conformanceto RegulatoryGuide1.29isdiscussedinSection1.8.
103.ConformancetoRegulatoryGuide1.30107Thequalityassurance(QA)requirementsofIEEE336-1971(seepreviousdiscussion)areapplicableduringtheplantdesign andconstructionphasesandarealsotobeimplementedasan OperationsQAprogramduringplantoperationinresponseto RegulatoryGuide1.30.TheconformancetoRegulatory Guide1.30isfurtherdiscussedinChapter17and Section1.8.
7104.ConformancetoRegulatoryGuide1.47Thesystemofbypass/inoperativeindicationforautomaticsafetysystemsisdesignedtosatisfytherequirementsof IEEE279-1971,paragraph4.13andRegulatoryGuide1.47.The designofthebypass/inoperativeindicationsystemallows testingduringnormaloperation,andisusedtosupplement administrativeproceduresbyprovidingindicationof automaticsafetysystemstatus.Thebypass/inoperativeindicationsystemisdesignedandinstalledinamannerwhichprecludesthepossibilityof adverseeffectsontheplantsafetysystems.Thoseportions ofthesystemwhichwhenfaultedcouldreduce RBSUSAR7.1-11August1987theindependencebetweenredundantsafetysystemsareelectricallyisolatedfromtheprotectioncircuits.Typically,thefollowingbypassesorinoperabilitiescauseautomaticactuationofsystemlevelannunciationforthe affectedsystem:a.Pumpmotorbreakernotinoperateposition b.Lossofpumpmotorcontrolpower c.Lossofmotor-operatedvalvecontrolpower/motive powerd.Logicpowerfailuree.Logicintestf.Bypassortestswitchesactuated.Automaticindicationandannunciationareprovidedinthemaincontrolroomtoindicatethatasystemorpartofa systemisinoperableorbypassed.Bypass/inoperative indicationisprovidedforthoseautomaticsafetysystems indicatedinTable7.1-3underRegulatoryGuide1.47.In addition,bypass/inoperativeindicationisprovidedforthe followingmanuallyactuatedsystems:a.Combustiblegascontrolsystem b.Standbyliquidcontrolsystem c.Penetrationvalveleakagecontrolsystem.DetailsofthesysteminputsareprovidedinthelogicdiagramsprovidedinSections7.3,7.4,7.5,and7.6andin thediscussionondieselgeneratorsystemprotectionand surveillanceinSection8.3.1.1.4.Bypassesofcertaininfrequentlyusedpiecesofequipment,suchasmanuallocked-openvalves,arenotautomatically annunciatedinthemaincontrolroom.However,capabilityfor manualactivationofeachsystemlevelbypass/inoperative statusindicatorisprovidedbymeansofhandswitchesinthe maincontrolroomforthosesystemsthathavethese infrequentlyusedbypasses.Operationofmanualvalves,useofmanualdisconnects,orotheroperationsoccurringonceayearorless RBSUSARRevision107.1-12April1998frequentlywhichcouldimpairplantsafetysystemperformance,arecontrolledbyadministrativeproceduresand followedbysystemtestingwhensuchinfrequentoperations arecompleted.RBSadministrativeprocedurescontainshift turnoverinstructionswhichprovideforapositiveassessment ofplantconditionsandsystemstatus.Theseprocedures minimizetheprobabilityofsystembypassesexisting undisclosedbetweenperiodicfunctionaltests.AsummaryofbypassandinoperableindicationforauxiliaryandsupportsystemsisprovidedinSection7.5.1.5andshown inTable7.5-3.5.ConformancetoRegulatoryGuide1.62ManualinitiationoftheprotectiveactionisprovidedatthesystemlevelforallsafetysystemsincludingRPS,ESF,and allothersystemsrequiredforsafety.Themanualcontrols areeasilyaccessibletotheoperatorsothatactioncanbe takeninanexpeditiousmanner.Operationofthemanual initiationaccomplishesalltheactionsperformedbythe automaticinitiationcircuitry.10Theamountofequipmentcommontoinitiationforbothmanualandautomaticprotectivefunctionsiskepttoaminimum throughimplementationofthemanualcontrolascloseas practicabletothefinalactuatordevices(scramcontactors orrelays)oftheprotectivesystems.Nosinglefailurein themanual,automatic,orcommonportionoftheprotection systemwillpreventinitiationbymanualorautomaticmeans.
TheFPCsystemismanuallyinitiatedfromthemaincontrol roombyactuationofsystempumpandvalvecontrols.Manual initiationofaprotectivefunction,onceinitiated,goesto completionasrequiredbyIEEE279-1971,Section4.16.See Section1.8forthegeneralapplicabilityofthisRegulatory
Guide.106.ConformancetoRegulatoryGuide1.63SeeSections1.8and8.3.1.7.ConformancetoRegulatoryGuide1.68SeeSections1.8and14.2.
RBSUSARRevision107.1-13April19988.ConformancetoRegulatoryGuide1.70SeeSection1.8.9.ConformancetoRegulatoryGuide1.73SeeSection1.8.10.ConformancetoRegulatoryGuide1.75SeeSections1.8and8.3andAppendix9A.11.ConformancetoRegulatoryGuide1.89SeeSection1.8.1012.ConformancetoRegulatoryGuide1.97ThosedevicesneededtomonitorplantstatusfollowinganaccidentareincompliancewithRegulatoryGuide1.97.
RegulatoryGuide1.97requiresreliableindicatorstothe operatorstobeabletoorespondinaccidentconditions.
SectionSections1.8and7.2-7.6fortheRiverBendposition onRegulatoryGuide1.97.13.ConformancetoRegulatoryGuide1.100 10SeeSection1.8.1014.ConformancetoRegulatoryGuide1.105RegulatoryGuide1.105stipulatesthesystemmethodforspecifyingandreviewingtheTechnicalSpecificationson allowablevaluesandsetpointsandensuringthatinstrument setpointsareinitiallywithinandremainwithinthe TechnicalSpecificationlimits.Furtherguidanceis providedinGEMethodology7.1.2.5.
10TheequipmentmanufacturersarerequiredtomeettherequirementsofregulatorypositionC.5pertainingto securingdevices.Finalqualificationorhardwareanalyses determinetheneedforprovisionsbeyondthosenormally providedbytheequipmentmanufacturer.1015.ConformancetoRegulatoryGuide1.118SeeSection8.3.1andSection1.8.
107.1.2.5NSSSandBOPSafety-RelatedSetPointMethodologyThemethodologyusedindeterminingBOPsafetysystemsetpointsisinaccordancewithRegulatoryGuide1.105,Revision1and IEEE279-1971.SeeTable1.8-1fortheRiverBendStation positiononRegulatoryGuide1.105.
RBSUSARRevision107.1-13aApril1998Thebalanceofplant(BOP)safety-relatedsetpointsareestablishedbasedonthefollowing:1.Aprocesssafetylimit(PSL)orsafetylimitisselectedtomaintaintheintegrityofphysicalbarriers orotherplantcharacteristicswhichmustremainintact oroperational.Asafetyfactororallowanceis incorporatedintothesafetylimitvalue.
RBSUSARRevision107.1-13bApril1998THISPAGELEFTINTENTIONALLYBLANK RBSUSARRevision8A7.1-14October19962.Alimitingsafetysystemsetting(LSSS)isestablishedbyprovidinganallowancebetweenthePSLandtheLSSS equalto(asaminimum)instrumentationinaccuracies suchasinstrumentinaccuracies,powersupplyeffects, seismiceffects,environmentaleffects(temperature, radiation,etc)andcalibrationeffects.3.SetpointsarechosensuchthattheLSSSisnotexceeded,takingintoaccounttolerancesfordriftand adjustability.Additionalallowancetoaccountfor uncertaintiesinanalysisisprovidedwherepossible.TheLSSStakesintoaccountenvironmentalerrorallowancesasrequiredbasedonqualificationtestingandothersourcesof designdata.Whereworst-casedataarenotavailable, conservativeengineeringestimatesareuseduntilverifieddata areobtainedtovalidateorrevisesame.Thepresentsetpoints arebasedonqualificationdataand,therefore,noexceptionsare takenatthepresenttime.8A8ThequalificationtimesforeachpieceofequipmentareincludedintheEnvironmentalQualificationMasterEquipmentList.88A7ThemethodologyusedindeterminingNSSSsafetysystemsetpointsissimilartothatdescribedaboveforBOPsafetysystem setpoints.ThismethodologyisdocumentedinNEDC-31336,General ElectricInstrumentSetpointMethodology,datedOctober1986.
ThisdocumentwasdevelopedbytheInstrumentSetpoint MethodologyOwnersGroup(ISMG)andapprovedbytheStaffon February9,1993.AnoutlineofthemethodologyusedforthedeterminationofNSSSsafety-relatedsetpoints,asdescribedinNEDC-31336,isas
follows:1.ALicensingSafetyLimitisestablishedbylicensingrequirementstoprovideconservativeprotectionforthe integrityofphysicalbarriersthatguardagainst uncontrolledreleaseofradioactivity.Eventsof moderatefrequency,infrequentevents,andaccidentsuse appropriatelyassignedlicensingsafetylimits.
Overpressureeventsuseappropriatelyselectedcriteria forupset,emergency,orfaultedASMEcategoryevents.2.AnAnalyticalLimitisestablishedaspartofthesafetyanalysisatapointpriortooratthepointwherea desiredactionistobeinitiatedto 7
RBSUSARRevision77.1-14aJanuary19957preventthesafetyprocessvariablefromreachingtheassociatedLicensingSafetyLimit.3.TheAllowableValue(TechnicalSpecificationLimit)isestablishedbasedontheAnalyticalLimitbyproviding allowancesforthespecifiedorexpectedcalibration capabilityandaccuracyoftheinstrumentationandthe measurementerrors.Thisvaluemaythenbedefinedas atechnicalspecificationlimitandprescribedasa licensingconditionfortheplant.4.ANominalTripSetpointvalueiscalculatedfromtheAnalyticalLimitbytakingintoaccountinstrument driftinadditiontotheinstrumentaccuracy, calibrationandthemeasurementerrors.NotallsafetysystemsetpointshaveanassociatedAnalyticalLimit(e.g.,MainSteamLineRadiationMonitors).AnAllowable Value,ordesignbasistechnicalspecificationlimit,maybe defineddirectlybasedonplantlicensingrequirements,previous operatingexperienceorotherappropriatecriteria.TheNominal TripSetpointisthencalculatedfromtheAllowableValue, allowingforinstrumentdrift.Whereappropriate,aNominalTrip Setpointmaybedetermineddirectlybasedonoperatingexperience orengineeringjudgment.
77.1.3PlantProtectionSystem-ElectronicTripSystemThissectionisprovidedtodescribetheanalogtransmitter/tripunit(AT/TU)system.TheAT/TUsystemisaplantprotection systemdesignfeaturegenericallyappliedtothereactor protection(trip)system,ESFsystems,andRCICsystem (1).Asadesignfeatureofinstrumentchannelswithintheplantprotection systems,theAT/TUsystemcomplieswiththeFederalRegulations, RegulatoryGuides,andIndustryStandardsapplicabletothe instrumentationandcontrolsoftheplantprotectionsystems.GeneralDescriptionTheAT/TUsystemutilizesanaloginstrumentchannelstomonitorimportantplantvariables,e.g.,reactorwaterlevel,reactor pressure,drywellpressure,processflow, RBSUSARRevision77.1-14bJanuary1995THISPAGELEFTINTENTIONALLYBLANK RBSUSAR7.1-15August1987etc.Theanalogtransmitterconvertstheprocessvariablesensedtoa4to20mAlinearsignal.Theminimumandmaximumprocess variableleveliswithinthe4to20mAsignalrange.Thesignal istransmittedtoelectronictripunitslocatedinthemain controlroom.Thetripunitscomparethetransmittalsignaltoa fixedreferencesignal.Whenthetransmittedsignalincreases aboveordecreasesbelowthefixedreferencesignal,thetrip unittripsanassociatedrelay.Therelayisselectedtoeither openorcloseonreceiptofthetripsignal.TheAT/TUsystemconsistsofmastertripassemblies,slavetripassemblies,andcalibrationunits.Themastertripunitalso containsapanelmeterthatrepresentstransmittercurrentandis scaledinunitsorrelativepercentagesoftheprocessvariable beingmonitored.Aswitchpositionselectioninternaltothe mastertripunitallowsforselectionofeitherhightrippoint orlowtrippoint.Thisallowstriprelayseithertobe energizedordeenergizedduringnormaloperation.Theslavetripunitisusedinconjunctionwithamastertripunitwhendifferentsetpointsfromacommontransmitterare desired.Theslavetripunitreceivesitsinputsignalfromthe analogoutputofamastertripunit.Thecalibrationunitfurnishesthemeansbywhichanin-placecalibrationcheckofthemasterandslavetripunitscanbe performed.Thecalibratorcontainsastablecurrentsourceanda transientcurrentsource.Thestablecurrentisforverification ofthecalibrationpointofanygivenchannel.Thetransient currentsourceisusedtoprovideastepcurrentinputintoa selectedtripunitsuchthattheresponsetimeofthatchannel canbedetermined.Electricalsystemequipmentprotectiverelaytripsetpointselectionisbasedupontheworstmanufacturer'srelaytolerances withpropermarginsappliedtoreflectanyactualoperatingdata.
Theseselectioncriteriaandperiodicsurveillanceavoid prematuretrippingofsafety-relatedcircuitsduetosetpoint
drift.7.1.4IsolationDevices Twogeneraltypesofdevices,relays,andopticalisolatorsareusedtoprovideisolationbetweenClass1Ecircuitsofdifferent divisionsorbetweenClass1Eandnon-Class1Ecircuits.Other devicesalsoareusedinlimitedapplicationstoprovide
isolation.
RBSUSARRevision107.1-16April19987.1.4.1Relays5Relaysareusedtoprovidecoil-to-contactisolation.Relaysqualifiedforuseasisolationdevicesaretestedtoverifythe relayswillsatisfactorilyperformtheirClass1Esafety functionsunder:1)thefullusageofinputvoltagesatgiven environmentalconditions;and2)thefullrangeinputvoltages fornormalenvironmentalconditionsatworstcaseseismic accelerationsforindividuallocationswithintheplant.
5Theacceptancecriterionisthatafailurewouldnotoccurinanyofthecontactorcoilcircuits.Testresultsareacceptable.7.1.4.2OpticalIsolators Opticalisolatorsconsistofaninputandoutputisolatorcardwhichprovideforanelectricalandthermalbarrierbetweenthe inputandoutput.Eachsignaltransmittedfromtheinputsideto theoutputsideisopticallycoupledbymeansofa light-emitting-diode,aquartzrod,andaphototransistor.The quartzrodactsasalightpipe.Theacceptancecriterionforisolatorsistheirabilitytoprovideelectricalisolationandthermalisolationintermsof protectionagainstthespreadoffire.Conductiveelectromagneticinterference(EMI)testsusing100to500kHz,300-Vpeak-to-peaktestsignals,andradiatedEMItests using0.5to100MHz,5-Vpeak-to-peaktestsignalsare
performed.Theacceptancecriterionisthatnomalfunction,undesiredresponse,degradationofperformance,orpermanentdamageoccur duringtheEMItesting.10Photo-opticcouplersareusedinaccordancewithIEEE384-1977toisolateclass1Eandnon-classcircuitry.Thecouplerprovides anoutputtowhichafiberopticcablecanbeattachedandrouted toanon-safetyrelateddevice.
107.1.4.3OtherDevicesUsedtoProvideIsolation1.CircuitBreakersThecircuitbreakerswithintheRPSpowersupplydistributioncabinetsareusedasfunctionalisolatorsfor thepurposeofdefiningthetransmissionpointfrom nondivisionaltodivisionalcircuits.
RBSUSARRevision107.1-17April1998TheRPSdivisionalcircuitsandloadsfedfromthesecircuitbreakerscannotintroduceanyunsafefailuremodebutcan triponovercurrentandgiveanRPSchanneltripcondition.
Thisisasafedirectiontripcondition.Thecircuitbreakers(althoughnon-class1Edevices)areacceptablefunctionalisolatorsforpurposesofdefiningthe transmissionfromnondivisionaltodivisionalfail-safe circuits.ThetransitionpointforRPSpoweristhe C71-P001/P002cabinets(non-Class1E)whichcontainthe functionalisolators.ThereisnocredibleeventthatwouldbecomeasafetyconcerntotheRPScircuitfeedortotheplant.Circuitbreakers,wheninterposedbetweentwofail-safedivisions,canpreventanunsafefailuremodefrom propagatingfromonedivisiontotheotherandthecircuit breakersprovidefunctionalisolation.Thefail-safe conceptoftheRPSsystemallowstheuseofnon-Class1E circuitbreakersanddistributioncabinets.Divisional isolationintheRPSpowerdistributioncabinetsiscovered byanalysis.2.AuxiliaryCurrentTransformerClass1EauxiliarycurrenttransformersareusedtoinputClass1Ebusamperagetonon-Class1Ecurrenttransducers usedforWhmeters.Auxiliarycurrenttransformersare isolationdevicesinaccordancewithIEEE384(1977),
Section6.2.Auxiliarycurrenttransformers,alongwiththe switchgearassembly,aretestedandqualifiedinaccordance withIEEE323(1974).103.AmplifierIsolationTheoperationalamplifiersintheauxiliaryanalogoutputofAnalogTransmitter/TripUnitareusedasanisolatorto provideisolatedsignalstonon-Class1Emultiplexmodules.
Auxiliaryanalogoutputisusedtodriveresistiveloadsby usingoperationalamplifiers.Anyelectricalmalfunction (fault)suchasmaximumcrediblevoltageappliedtothe output,orshorts,groundsoropencircuitsappliedtothe outputcircuitwillhavenotdegradingimpactonthetrip
function.107.1.5InstrumentSensors/TransmittersLocatedinaCommon Tap/LineForbalance-of-plantsafetysystems,therearenocaseswhereinstrumentsensorsortransmitterssupplyinginformationtomore thanoneprotectionchannelortobothaprotectionchannelanda controlchannelarelocatedinacommoninstrucmentlineor connectedtoacommoninstrumenttap.
RBSUSARRevision107.1-18April1998LRG-IIpositionpaper1-ICSBisapplicabletoRiverBendStationforNSSS-suppliedsafetysystems.ThisLRG-IIpositionprovides anassessmentofabreakinavessellevelsensingline,common tocontrolandprotectivesystems,incombinationwiththeworst singlefailureinaprotectivechannelandshowstheresulting accidentislessseverethan,andboundedby,theaccidents describedinChapter15.7.1.6Microprocessors,Multiplexers,orComputerSystemsUsedinSafety-RelatedSystemsMicroprocessors,multiplexers,orcomputersystemsareusedin,orinterfacewith,safety-relatedsystemsasfollows:1.Amicroprocessor-basedtemperaturescannermonitorsasubstantialnumberofinputsoriginatingfromRTDand thermocoupletypedeviceswhichmonitorvarious temperaturesassociatedwithClass1Eandnon-Class1E equipment.Thescannerservesnodirectsafety functionandconsequentlyhasbeenprocuredas non-Class1E.Thefollowingsafety-relatedequipment haveRTDsandthermocoupleswhichareusedasinputs tothesubjectscanner:SystemTemperaturesMonitoredHigh-PressureCoreSprayPumpMotorStatorandBearingLow-PressureCoreSprayPumpMotorStatorandBearing ResidualHeatRemovalPumpMotorStatorandBearing StandbyLiquidControlPumpBearing ReactorCoreIsolationPumpandTurbineBearing CoolingStandbyDieselEngineSleeveBearingAthermocoupleisnotessentialtoemergencyreactorshutdown,containmentandreactorheatremovaland thereforeisnotaClass1Edevice.However,itdoes shareacommonenclosure(themotorcase)withaClass 1Ecircuit(themotorwindings).InaccordancewithIEEE384,paragraph6.2.1.1,anisolationdeviceisnotrequiredonthethermocouple circuitsiftheindependenceofredundantClass1E circuits(themotors)canmaintainprotection functionsrequiredduringandfollowinganydesign basiseventasdiscussedbelow.Theoperationofamotorcanbeexpectedtobeaffectedinthefollowingmanner:a.Duringahighvoltagespikefromtemperaturescanner.Thermocoupleextensionwireinsulation istestedtowithstand2,500Vfor RBSUSARRevision10 7.1-19April19985minwhilemotorwindinginsulationistestedtowithstand11,000-Vacfor1minute.Ahighspike fromthescannerdoesnotaffectmotorwinding insulationanditsoperation,butcandamage thermocouplewindinginsulation,thereby disablingordamagingthetemperaturescanner system.b.Motorwindingfaultstothermocouplesinonemotorcannotcausedamageorotherwiseaffecttheoperationofanothermotor.Anyvoltagethatmay appearatathermocoupleofanothermotordueto fault,asstatedabove,ismuchlessthanits ratedinsulationstrength(11,000V)ofthat motor.Theexistenceofsuchavoltageandthe circumstancesofitsproductionmaycausedamage orimpairoperationofanindividualthermocouple sensor,itsscanner,orthermocoupleinthe circuits.However,thisaffectsmonitoringand notoperation.2.Theplantcomputerinputsfromsafety-relatedcircuitsareopticallyisolated.AdescriptionoftheNSSS processcomputersystemisprovidedinSection
7.7.1.6.3.Thee mergencyr esponseinformationsystem(ERIS)computerisi olatedfrominterfacingsafetysy stemsusingt hei solationc riteriaofUSARTable1.8-1forRegulatoryG uide1.75.AdescriptionofERI Sisprovidedi nSection7.7.1.7.104.TheDigitalRadiationMonitoringSystem(DRMS)utilizesamultiplexersystem.Thissystemoptically couplesdigitalandanalogdevicestoprovideupto 4000Vacisolationoftheinputsignaltotheoutput signal.Themaximumvoltageachievableinthepanel bayswherethemultiplexorsarelocatedis120Vacor 125Vdc.Thisvoltageislessthanthemaximumfault voltagecapabilityofthemultiplexerandthedownstreamdevice.Theassociateddivisionalcablingbetweenthemultiplexerinputmodulesandtheoutput ofthedownstreamdeviceisroutedinconduittomeet isolationrequirementsofIEEE384-1974.TheDRMSis isolatedfrominterfacingsafetysystemsusingthe isolationcriteriaofUSARtable1.8-1forRegulatory Guide1.75.AdescriptionofDRMSisprovidedin Section7.7.1.8.
10 RBSUSARRevision127.1-20December19997.1.7TransientMonitoring121Acomputer-baseddataacquisitionandanalysissystem(EmergencyResponseInformationSystem)asdescribedinSection7.7.1.7is usedtoperformemergencyresponsefacilityfunctions(i.e.,
safetyparameterdisplaysystem)andstartuptransientmonitoring typefunctions.Theequipmentmonitoringsafety-relatedfunctionsispermanentlyinstalledtothesamestandardsasallothersafety-related equipmentandcomplieswiththeseparationrequirementsof RegulatoryGuide1.75.
1Isolationisaccomplishedbytransmissionviaopticalfibercable.Theopticalisolationisaccomplisheddownstreamof signalconditioningandanalog-to-digitalconversion.Theremote DASchassisareclassifiedasClass1EwhereClass1Epoweris furnishedtotheunit.Thus,withinagivenDAScabinet,only signalsofonesafetydivisionareconnected.Thoseportionsof thesystemthatarerequiredtomeetClass1Erequirementsfor electricalisolationarequalifiedinaccordancewithIEEE 323-1974andIEEE344-1975.Additionalinformationonisolation devicesisprovidedinSection7.1.4.Tomaintainthesignalconditioningandmultiplexingequipmentasdivisionaldeviceswhererequired,thepowerforthesedevicesis suppliedfromdivisionalpowersources.Inaddition,eachsignal inputtothefiberopticrepeatersisindividuallyconditioned andbufferedfromallothersignalsinthesameDAScabinet.
12 RBSUSARRevision77.1-21January1995References-7.11.GELicensingTopicalReport.NEDO21617-A,December1978.
2.Clay,H.R.PowerGenerationControlComplexDesignCriteriaandSafetyEvaluation,NEDO10466-A,February1979.73.GeneralElectricInstrumentSetpointMethodology,NEDC-31336,October1986.
7 RBSUSAR7.2-1August19877.2REACTORPROTECTION(TRIP)SYSTEM7.2.1Description 7.2.1.1SystemDescription RPSFunctionTheRPSisdesignedtocauserapidinsertionofcontrolrods(scram)toshutdownthereactorwhenspecificvariablesexceed predeterminedlimits.RPSOperationSchematicarrangementsofRPSmechanicalequipmentoperatorinformationdisplays,andsensorchannelarrangementsareshown inFig.7.2-1.Instrumentationlocationdrawingsandelementary diagramsareidentifiedinSection1.7.TheRPSpowersupplyis discussedinChapter8.TheRPSinstrumentationisdividedintotripchannels,triplogics,andtripactuatorlogics.Duringnormaloperation,alltripchannelrelaysessentialtosafetyareenergized;channels,logics,andactuatorsare energized.Thereareatleastfourtripchannelsforeachvariable.ThetripchannelsaredesignatedA,B,C,andD.Eachtripchannel isassociatedwiththetriplogicofthesamedesignation.TriplogicsAandCoutputsarecombinedinaone-out-of-twologicarrangementtocontroltheApilotscramvalvesolenoidineachofthefourrodgroups(arodgroupconsistsof approximately25percentofthetotalcontrolrods).Triplogics BandDcontroltheBpilotscramvalvesolenoidsineachofthe fourrodgroups.Whenatripchanneldeenergizes,thetriplogicdeenergizesthetripactuatorlogic,whichdeenergizeseachrod'spilotscram valvecoilassociatedwiththattripactuatorlogic.However, theotherpilotscramvalvecoilforeachrodmustalsobe deenergizedbeforethescramvalvesprovideareactorscram.Therearetwoscramvalvesandonedual-coilpilotscramvalveforeachcontrolrod.Thepilotscramvalveis solenoid-operated,withthesolenoidsnormallyenergized.The pilotscramvalvecontrolstheairsupplytothescram RBSUSAR7.2-2August1987valvesforeachcontrolrod.Witheitheroneofthetwopilotscramvalvecoilsenergized,airpressureholdsthescramvalves closed.Thescramvalvescontrolthesupplyanddischargepaths forthecontrolroddrive(CRD)water.WhentriplogicsAorCandBorDaretripped,thescramvalvesareactuated,scrammingallcontrolrods.Thewaterdisplacedby themovementofeachrodpistonisexhaustedintoascram dischargevolume.TorestoretheRPStonormaloperationfollowinganysingleactuatorlogictriporascram,thetripactuatorsmustbereset manually.Aftera10-secdelay,resetispossibleonlyifthe conditionsthatcausedthescramhavebeencleared.Thetrip actuatorsareresetbyoperatingswitchesinthemaincontrol room.Fourresetswitches(1pertripchannel)areprovided.Therearetwo125-Vdcsolenoid-operatedbackupscramvalvesthatprovideasecondmeansofcontrollingtheairsupplytothescram valvesforallcontrolrods.Whenthesolenoidforeitherbackup scramvalveisenergized,theassociatedbackupscramvalvevents theairsupplyforthescramvalves.Thisactioninitiates insertionofanywithdrawncontrolrodsregardlessoftheaction ofthescrampilotvalves.Thebackupscramvalvesolenoidsare energized(initiatescram)whentriplogicsAorCandBorDare
tripped.SensortripchannelinputstotheRPScausingreactorscramarediscussedinthefollowingparagraphs.1.NeutronMonitoringSystem(NMS)Toprotectthefuelagainsthighheatgenerationrates,neutronfluxismonitoredandinitiatesareactorscramwhen predeterminedlimitsareexceeded.NMSinstrumentationisdescribedinSection7.6.TheNMSsensorchannelsareconsideredtobepartoftheNMSandnot theRPS;however,theNMSlogicsareconsideredtobepart oftheRPS.EachNMSlogicreceivessignalsfromone Intermediaterangemonitor(IRM)channelandoneaverage powerrangemonitor(APRM)channel.TheNMSlogicsarearrangedsothatfailureofanyonelogiccannotpreventtheinitiationofahighneutronfluxor simulatedthermalscram.AsshowninFig.7.6-2,thereare eightNMSlogicsassociatedwith RBSUSARRevision157.2-3May2002theRPS.EachRPStripchannelreceivesinputsfromtwoNMS logics.15 15TheNMSlogiccontactsforIRMandAPRMcanbebypassedbyselectorswitcheslocatedinthemaincontrolroom.APRM channelsA,C,E,andGbypassesarecontrolledbyone selectorswitchandchannelsB,D,F,andHbypassesare controlledbyasecondselectorswitch.Eachselector switchcanbypassonlyoneAPRMchannelatonetime.IRMchannelsA,C,E,andGandchannelsB,D,F,andHarebypassedinthesamemannerastheAPRMchannels.BypassingeitheranAPRMoranIRMchanneldoesnotinhibittheNMSfromprovidingprotectiveactionwhenrequired.a.IntermediateRangeMonitors(IRM)TheIRMchannelsmonitorneutronfluxbetweentheupperportionoftheSRMrangeandthelowerportion oftheAPRMrange.TheIRMdetectorsarepositioned inthecoreremotelyfromthemaincontrolroom.TheIRMisdividedintotwogroupsoffourIRMchannels.TwoIRMchannelsareassociatedwitheach ofthetripchannelsoftheRPS.Thearrangementof IRMchannelsallowsonlyoneIRMchannelineachgroup tobebypassedatonetime.EachIRMchannelincludesfourtripcircuits.Onetripcircuitisusedasaninstrumenttroubletrip.
Itoperatesonthreeconditions:1)whenthehigh voltagedropsbelowapresetlevel,2)whenoneofthe modulesisnotpluggedin,or3)whenthe OPERATE-CALIBRATEswitchisnotintheOPERATE position.Eachoftheothertripcircuitsis specifiedtotripwhenpresetdownscaleorupscale levelsarereached.ThereactormodeswitchdetermineswhetherIRMtripsareeffectiveininitiatingareactorscram.
RBSUSAR7.2-4August1987WiththereactormodeswitchinREFUELorSTARTUP,anIRMupscaleorinoperativetripsignalactuatesanNMS tripoftheRPS.OnlyoneoftheIRMchannelsmust triptoinitiateanNMStripoftheassociatedRPS tripchannel.b.AveragePowerRangeMonitors(APRM)TheAPRMchannelsreceiveandaverageinputsignalsfromthelocalpowerrangemonitor(LPRM)channels, andprovideacontinuousindicationofaveragereactor powerfromafewpercenttogreaterthanratedreactor
power.TheAPRMchannelssupplytripsignalstotheRPS.TheAPRMupscalethermalpowerscramtripsetpointsvary asafunctionofreactorrecirculationloopflow.
EachAPRMchannelreceivesaflowsignal representativeoftotalrecirculationflow.This signalisobtainedbysummingtheflowsignalsfrom thetworecirculationloops.Theseflowsignalsare sensedfromfourpairsofelbowtaps,twoineach recirculationloop.TheAPRMsignalforthethermal powerscramtripispassedthrougha6-sectime constantcircuittosimulatethermalpower.Afaster response(approximately0.09sec)APRMupscaletrip hasafixedsetpoint,notvariablewithrecirculation flow.AnyAPRMupscaleorinoperativetripinitiates anNMStripintheRPS.Onlythetriplogic associatedwiththatAPRMisaffected.Atleastone APRMchannelineachtripsystemoftheRPSmusttrip tocauseascram.Theoperatorcanonlybypassone APRMchannelineachtripsystemoftheRPSatone
time.InadditiontotheIRMupscaletrip,afastresponseAPRMtripfunctionwithasetpointof15percent powerisactivewhenthereactormodeswitchisinthe STARTUPposition.DiversityoftripinitiationforexcursionsinreactorpowerisprovidedbytheNMSandreactorvesselhigh pressuretripsignals.Anincreaseinreactorpower initiatesprotectiveactionfromtheNMSasdiscussed intheaboveparagraphs.Thisincreaseinpower causesreactorpressuretoincreaseduetoahigher rateofsteamgeneration.Untiltheloadlimitofthe turbinegeneratoroccurs,theturbinecontrolvalve opens.Oncethepressurecontrollimitsarereached, reactor RBSUSAR7.2-5August1987pressureincreasesuntiltheresultingtripfromreactorvesselhighpressure.Thesevariablesare independentofoneanotherandprovidediverse protectiveactionforthiscondition.2.ReactorVesselPressureAreactorvesselpressureincreaseduringreactoroperationcompressesthesteamvoidsandresultsinincreased reactivity.Thiscausesincreasedcoreheatgenerationthat couldleadtofuelbarrierfailureandreactor overpressurization.Ascramcounteractsapressureincrease byquicklyreducingcorefissionheatgeneration.The reactorvesselhighpressurescramworksinconjunctionwith thepressurereliefsystemtopreventreactorvessel pressurefromexceedingthemaximumallowablepressure.The reactorvesselhighpressurescramsettingalsoprotectsthe corefromexceedingthermalhydrauliclimitsthatresult frompressureincreasesduringeventsthatoccurwhenthe reactorisoperatingbelowratedpowerandflow.Reactorpressureismonitoredbyfourredundantpressuretransmitters,eachofwhichprovidesareactorhighpressure signalinputtooneofthefourRPStriplogics.3.ReactorVesselLowWaterLevelDecreasingwaterlevelwhilethereactorisoperatingatpowerdecreasesthereactorcoolant.Shouldwaterlevel decreasetoofar,thereactorscramreducesthefissionheat generationwithinthecoreandpreventsfueldamagewhich couldresultassteamvoidsformaroundfuelrods.Reactorvesselwaterlevelismonitoredbyfourredundantdifferentialpressuretransmitters,eachofwhichprovidesa reactorvessellowwaterlevel(triplevel3)signalinput tooneofthefourRPSsensortripchannels.DiversityoftripinitiationforbreaksintheRCPBisprovidedbyreactorvessellowwaterlevelandhighdrywell pressuretripsignals.4.ReactorVesselHighWaterLevelIncreasingwaterlevelwhilethereactorisatpowerindicatesanincreaseinfeedwaterflowandimpendingpower increase.Thehighwaterleveltripcausesa RBS USAR Revision 16 7.2-6 March 2003 scram prior to significant power increase, limiting neutron flux and thermal transient, so that the fuel design basis is
satisfied. Reactor vessel high water level is monitored by four redundant differential pressure transmitters, each of which provides a reactor vessel high water level (trip level 8) signal input to one of the four RPS trip logics. These are the same transmitters that provide the reactor vessel low
water level trip. Diversity of trip initiation for reactor vessel high water level is provided by reactor vessel high pressure trip
signals and NMS trip signals. An operating bypass of the reactor vessel high water level trip is provided in all reactor operating modes, except RUN. 5. Turbine Stop Valve Position A turbine trip initiates closure of the turbine stop valves, which can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the NMS
or reactor vessel high pressure to provide a required margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing
pressure by inserting negative reactivity with control rods.
Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to
preclude overpressurizing the reactor system, the turbine stop valve closure scram provides additional margin to the
reactor vessel pressure limit. 16 Turbine stop valve closure inputs to the RPS originate from eight redundant valve stem position switches mounted on the four turbine stop valves. Each of the double-pole, single-throw switches actuate during valve movement from open to closed to provide the earliest positive indication of closure. Each switch provides an input signal to one of
the four RPS sensor trip channels. The logic is arranged so
that closure of three or more valves is required to initiate a scram. The switches are arranged so that no single
failure can prevent a turbine stop valve closure scram.
16 RBSUSAR7.2-7August1987Diversityoftripinitiationforincreasesinreactorvesselpressureduetoterminationofsteamflowbyturbinestop valveclosureorcontrolvalveclosureisprovidedby reactorvesselhighpressureandhighneutronfluxtrip
signals.Turbinestopvalveclosuretripbypassiseffectedbyfourpressuretransmitterssensingturbinefirststagepressure.
Theturbinestopvalveclosurescramisautomatically bypassediftheturbinefirststagepressureislessthan thatcorrespondingto40percentofratedreactorpower.
Thebypassisautomaticallyremovedabove40percentof reactorpower.6.TurbineControlValve(TCV)PositionGeneratorloadrejectionwiththereactorabove40percentpowerautomaticallyinitiatesfastclosureoftheTCVswhich resultsinasignificantadditionofpositivereactivityto thecoreasnuclearsystempressurerises.TheTCVfast closurescraminitiatesascramearlierthaneithertheNMS orreactorvesselhighpressurescramstoproviderequired marginbelowcorethermal-hydrauliclimitsforthiscategory ofabnormaloperationaltransients.Thescramcounteracts theadditionofpositivereactivityresultingfrom increasingpressurebyinsertingnegativereactivitywith controlrods.Althoughthereactorvesselhighpressure scram,inconjunctionwiththepressurereliefsystem,is adequatetoprecludeoverpressurizingthereactorvessel, theTCVfastclosurescramprovidesadditionalmargintothe reactorvesselpressurelimit.TheTCVfastclosurescram settingisselectedtoprovidetimelyindicationofcontrol valvefastclosure.TCVfastclosureinputstotheRPSoriginatefromoillinepressureswitchesoneachoffourfastactinggovernorvalve hydraulicmechanisms.Eachpressureswitchprovidesan inputsignaltooneofthefourRPStripchannels.If hydraulicoilpressureislost,aTCVfastclosurescramis
initiated.AutomaticTCVfastclosurescrambypassisprovidedasdescribedabovefortheturbinestopvalve.7.MainSteamIsolationValves(MSIV)PositionTheMSIVclosurecanresultinasignificantadditionofpositivereactivitytothecoreasreactorvesselpressure
rises.
RBS USAR Revision 16 7.2-8 March 2003 16 Two redundant position switches mounted on each of the eight MSIVs provide MSIV closure signals to the RPS. Each of the
double-pole, single-throw switches provides the earliest positive indication of closure. Both of the channels sensing isolation valve position will receive valve closure
signals. Each RPS sensor trip channel receives signals from the valves associated with two steam lines. The arrangement of signals within each channel requires a closure signal from
at least one valve in each of the two steam lines associated with that logic to cause a trip of that logic. Closure of
at least one valve in three or more steam lines is required
to initiate a scram.
16 At plant shutdown and during plant startup, a bypass is required for the MSIV closure scram trip in order to properly reset the RPS. This bypass is in effect when the
mode switch is in the SHUTDOWN, REFUEL, or STARTUP position.
The bypass allows plant operation when the MSIVs are closed
during low power operation. The operating bypass is removed
when the mode switch is placed in RUN. Diversity of trip initiation due to main steam isolation is provided by reactor vessel high pressure and reactor power
trip signals. 8. Scram Discharge Instrument Volume Water Level Water displaced by the CRD pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for
the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in
the discharge instrument volume is high enough to verify
that the volume is filling up, yet low enough to ensure that the remaining capacity in the discharge volume can
accommodate a scram. Four nonindicating float type level switches (one for each channel) provide scram discharge volume (SDV) high water
level inputs to the four RPS channels. In addition, a level
transmitter and trip unit for each channel provide redundant SDV high water level inputs to RPS. This arrangement provides diversity and redundancy to ensure that no single
event could prevent a scram caused by SDV high water level.
RBSUSARRevision87.2-9August1996Thescramdischargeinstrumentvolumehighwaterleveltripbypassiscontrolledbythemanualoperationoffour keylockedbypassswitchesandthemodeswitch.Themode switchmustbeintheSHUTDOWNorREFUELpositiontoallow manualbypassofthistrip.Thisbypassallowstheoperator toresettheRPSscramrelayssothatthescramdischarge instrumentvolumemaybedrained.Resettingthetrip actuatorsopensthescramdischargevolumeventanddrain valves.Aninstrumentannunciatorinthemaincontrolroom indicatesthebypasscondition.9.DrywellPressureHighpressureinsidethedrywellmayindicateabreakintheRCPB.Scramisinitiatedtominimizethepossibilityof fueldamage.Drywellpressureismonitoredbyfourpressuretransmitters.EachtransmitterprovidesaninputtooneofthefourRPS tripchannels.810.DELETED811.ManualScramAscramcanbeinitiatedmanually.Therearefourscramswitches,oneforeachofthefourRPStripchannels.The manualscramswitchesarearrangedintwogroupsoftwo switches.OnegroupcontainstripchannelsAandB,andC andDareintheothergroup.Toinitiateamanualscram, atleasttwoswitches,oneineachgroup,mustbeactuated.
Byoperatingthemanualscramswitchforonelogicatatime andthenresettingthatlogic,eachactuatorlogiccanbe testedformanualscramcapability.
RBSUSAR7.2-10August198712.ReactorModeSwitchManualScramEventhoughtheactionisnotasafetyfunction,reactorscramcanbeinitiatedbyplacingthemodeswitchinthe SHUTDOWNposition.Themodeswitchconsistsoffour electricallyindependentcontactblocks.ASHUTDOWN positioncontactfromeachofthefourcontactblocks providesaninputtooneofthefourRPStripchannels.Thescramsignal,initiatedbyplacingthemodeswitchinSHUTDOWNisautomaticallybypassedafter10secbyatimer whichallowstheCRDhydraulicsystemvalvelineuptobe restoredtonormalbeforethemaincontrolroomoperatorcan resettheRPStriplogic.7.2.1.2DesignBasisInformationTheRPSisdesignedtoprovidetimelyprotectionagainsttheonsetandconsequencesofconditionsthatthreatentheintegrity ofthefuelbarrierandtheRCPB.Chapter15identifiesand evaluateseventsthatjeopardizethefuelbarrierandRCPB.The methodsofassessingbarrierdamageandradioactivitymaterial releases,alongwiththemethodsbywhichabnormaleventsare identified,arepresentedinthatchapter.ThefollowingvariablesaremonitoredinordertoprovideprotectiveactionstotheRPSindicatingtheneedforreactor
scram.1.VariablesMonitoredtoProvideProtectiveActions:a.Neutronflux b.Reactorvesselhighpressure c.Reactorvessellowwaterlevel d.Reactorvesselhighwaterlevel e.Turbinestopvalveclosure f.Turbinecontrolvalvefastclosure g.Mainsteamisolationvalveclosure h.Scramdischargeinstrumentvolumehighwater leveli.Drywellhighpressure RBSUSARRevision87.2-11August199688TheplantconditionswhichrequireprotectiveactioninvolvingtheRPSaredescribedinChapter15.2.LocationandMinimumNumberofSensorsNeutronfluxistheonlyessentialvariableofsignificantspatialdependencethatprovidesinputstotheRPS.Thebasisforthenumberandlocationsisdiscussedbelow.TwotransientanalysesareusedtodeterminetheminimumnumberandphysicallocationofrequiredLPRMsforeach APRM.a.Thefirstanalysisisperformedwithoperatingconditionsof100percentreactorpowerand 100percentrecirculationflowusingacontinuousrod withdrawalofthemaximumworthcontrolrod.Inthe analysis,LPRMdetectorsaremathematicallyremoved fromtheAPRMchannels.Thisprocessiscontinued untiltheminimumnumberandlocationsofdetectors neededtoprovideprotectiveactionaredeterminedfor thiscondition.b.Thesecondanalysisisperformedwithoperatingconditionsof100percentreactorpowerand 100percentrecirculationflowusingareductionof recirculationflowatafixeddesignrate.Again, LPRMdetectorsaremathematicallyremovedfromthe APRMchannels.Thisprocessiscontinueduntilthe minimumnumberandlocationsofdetectorsneededto provideprotectiveactionaredeterminedforthis
condition.TheresultsofthetwoanalysesareanalyzedandcomparedtoestablishtheactualminimumnumberandlocationofLPRMs neededforeachAPRMchannel.Aminimumof11LPRMsper APRMarerequiredtoprovideadequateprotectiveaction.3.PrudentOperationalLimitsPrudentoperationallimitsforeachsafety-relatedvariabletripsettingareselectedwithsufficientmarginsothata spuriousscramisavoided.Itisthenverifiedbyanalysis thatthereleaseofradioactivematerial,following postulatedgrossfailuresofthefuelortheRCPBiskept withinacceptablebounds.
RBSUSAR7.2-12August1987Designbasisoperationallimitsarebasedonoperatingexperienceandconstrainedbythesafetydesignbasisand thesafetyanalyses.Theselectionoftentativescramtrip settingshasbeendevelopedthroughanalyticalmodeling, experience,historicaluseofinitialsetpoints,and adoptionofnewvariablesandsetpointsasexperiencewas gained.Theinitialsetpointselectionmethodprovidedfor settingswhichweresufficientlyabovethenormaloperating levels(toprecludethepossibilitiesofspuriousscramsor difficultiesinoperation),butlowenoughtoprotectthe fuelbarrierandRCPB.Asadditionalinformationbecame availableorsystemswerechanged,additionalscram variableswereprovidedusingtheabovemethodforinitial setpointselection.Theselectedscramsettingsare analyzedtoverifythattheyareconservativeandthatthe fuelbarriersandRCPBareadequatelyprotected.Inall cases,thespecificscramtrippointselectedisa conservativevaluethatpreventsdamagetothefuelorRCPB.4.MarginThemarginbetweenoperationallimitsandthelimitingconditionsofoperation(scram)fortheRPSareprovidedin Chapter16,TechnicalSpecifications.5.LevelsLevelsrequiringprotectiveactionareprovidedinChapter16,TechnicalSpecifications.6.RangeofTransient,Steady-State,andEnvironmental ConditionsTheenvironmentalqualificationofthesafety-relatedRPSinstrumentationandcontrolsisdiscussedinSection3.11.
TheRPSpowersupplyrangeofsteady-stateandtransient conditionsisprovidedinChapter8.7.Malfunction,Accidents,andOtherUnusualEventsWhichCouldCauseDamagetoSafetySystemsUnusualeventsaredefinedasmalfunctions,accidents,andotherswhichcouldcausedamagetosafetysystems.
Chapter15andAppendix15Adescribethefollowingcredible accidentsandevents:floods,storms,tornadoes, earthquakes,fires,LOCAs,pipebreakoutsidesecondary containment,feedwaterlinebreak,and RBSUSAR7.2-13August1987missiles.Eachoftheseeventsisdiscussedbelowforthe RPS.AllcomponentsessentialtotheoperationoftheRPSaredesigned,fabricated,andmountedtoClass1Estandards.
However,eventhoughthesensorsinitiatingreactorscram whichmonitorturbinestopvalvepositionandTCVfast closurearedesignedtotheseismicandenvironmental qualificationrequirementsinSections3.10and3.11, respectively,theyarephysicallymountedonequipmentwhich isnotdesignedtotheserequirementsandislocatedinthe turbinegeneratorbuildingwhichisnotdesignedtothe seismicqualificationrequirementsinSection3.10.For thisreason,otherdiversevariables(reactorpressureand neutronfluxtrips)mayberelieduponforreactorscramif componentsintheturbinegeneratorbuildingfail.a.FloodsThebuildingscontainingRPScomponentshavebeendesignedtomeettheprobablemaximumflood(PMF)at thesitelocation.Thisensuresthatthebuildings remainwater-tightunderPMFincludingwind-generated waveactionandwaverunup.b.StormsandTornadoesThebuildingscontainingRPScomponents,excepttheturbinegeneratorbuilding,havebeendesignedto withstandallcrediblemeteorologicaleventsand tornadoesasdescribedinSection3.3.c.EarthquakesThestructurescontainingRPScomponents,excepttheturbinebuilding,havebeenseismicallyqualified,as describedinSections3.7and3.8,toremain functionalduringandfollowingaSSE.d.FiresToprotecttheRPSintheeventofapostulatedfire,thesystemhasbeendividedintofourseparatepanels.
Ifafireweretooccurwithinoneofthepanelsorin theareaofoneofthepanels,theRPSfunctionsare notpreventedbythefire.Useofseparationandfire barriersensuresthat,eventhoughsomeportionofthe systemmaybe RBSUSARRevision87.2-14August1996affected,theRPScontinuestoprovidetherequiredprotectiveaction.SeeSection9.5.1.e.LOCAThefollowingRPSsystemcomponentsarelocatedinsidethedrywellandwouldbesubjectedtotheeffectsofa designbasisLOCA:(1)NMScablingfromthedetectorstothemaincontrolroom(2)MSIV(inboard)positionswitches (3)Reactorvesselpressureandreactorvesselwaterlevelinstrumenttapsandsensinglines,which terminateoutsidethedrywell(4)Drywellpressureinstrumenttaps.8Items1and2havebeenenvironmentallyqualifiedtoremainfunctionalduringandfollowingaLOCAas discussedinSection3.11.8f.PipeBreakOutsideContainmentProtectionisdescribedinSection3.6.AfeedwaterlinebreakdoesnotaffecttheoperationoftheRPS.g.MissilesProtectionfrommissilesisdescribedinSection3.5.8.MinimumPerformanceRequirementsSeeTechnicalSpecifications.7.2.1.3FinalSystemDrawings Theinstrumentandelectricaldrawings(IED)havebeenprovidedfortheRPSinthissection.EquipmentarrangementdrawingsareprovidedinSection1.2.ElementarydiagramsarelistedinSection1.7,andpipingand instrumentdiagramsareprovidedinChapter5.FunctionalandarchitecturaldesigndifferencesbetweenthePSARandFSARarelistedinTable1.3-8.
RBSUSAR7.2-15August19877.2.2AnalysisTheRPSisdesignedinsuchawaythatlossofplantinstrumentair,spuriouscontrolrodwithdrawals,lossofcoolingwaterto vitalequipment,aplantloadrejection,oraturbinetripdoes notpreventthecompletionofthesafetyfunction.Chapter15identifiesandevaluateseventsthatjeopardizethefuelbarrierandreactorcoolantpressureboundary.Themethods ofassessingbarrierdamageandradioactivematerialreleases, alongwiththemethodsbywhichabnormaleventsaresoughtand identified,arealsopresentedinChapter15.Asystem level/qualitativeplantFMEA,theNuclearSafetyOperation Analysis(NSOA),ispresentedinAppendix15A.7.2.2.1ConformancetoTitle10CodeofFederalRegulations,Part50(10CFR50),AppendixA-GeneralDesign Criteria(GDC)TheconformancediscussionsprovidedinSection3.1fortheGDCapplytotheRPS,asidentifiedinTable7.1-3.7.2.2.2ConformancetoIEEEStandards ThefollowingisadiscussionofconformancetothoseIEEEstandardswhichapplyspecificallytotheRPS.Referto Section7.1.2.3foragenericdiscussionofIEEEstandardswhich applytotheRPSasidentifiedinTable7.1-3.Thenonessential RPSpoweranditselectricalprotectionassembly(EPA)are discussedinSection8.3.1.1.3.8.1.1.IEEE279-1971a.GeneralFunctionalRequirement(IEEE279-1971,Paragraph4.1)TheRPSautomaticallyinitiatestheappropriateprotectiveactions,whenevertheconditionsdescribedinSection7.2.1.1reachpredeterminedlimits,with precisionandreliabilityassumingthefullrangeof conditionsandperformancediscussedinthisSection.b.SingleFailureCriterion(IEEE279-1971,Paragraph4.2)Eachoftheconditions(variables)describedinSection7.2.1.1ismonitoredbyredundantsensors supplyinginputsignalstoredundanttriplogics.
RBS USAR Revision 16 7.2-16 March 2003 Independence of redundant RPS equipment, cables, instrument tubing, etc, is maintained, and
single-failure criteria are preserved through the
application of the RBS separation criteria as described in Section 8.3.1 to assure that no single credible event can prevent the RPS from accomplishing
its safety function. c. Quality of Components and Modules (IEEE 279-1971, Paragraph 4.3) For a discussion of the quality of RPS components and modules, refer to Chapter 17. d. Equipment Qualification (IEEE 279-1971, Paragraph 4.4)
For a discussion of the equipment qualification, refer to Sections 3.10 and 3.11. e. Channel Integrity (IEEE 279-1971, Paragraph 4.5)
For a discussion of RPS channel integrity under all extremes of conditions described in Section 7.2.1
refer to Sections 3.10, 3.11, and 8.3.1. f. Channel Independence (IEEE 279, Paragraph 4.6)
RPS channel independence is maintained through the application of the RBS separation criteria as
described in Section 8.3.1. g. Control and Protection System See Section 3.1, Compliance to GDC 24.
- h. Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8) 16 The RPS trip variables are direct measures of a reactor overpressure condition, a reactor overpower condition, or abnormal conditions within the RCPB
except as follows:
16 (1) Due to the normal throttling action of the TCVs with changes in the plant power level, measurement of control valve position is not an
appropriate variable from which to infer RBSUSAR7.2-17August1987thedesiredvariable,whichisrapidlossofthereactorheatsink.Consequently,ameasurement ofcontrolvalveclosurerateisnecessary.(2)Protectionsystemdesignpracticehasdiscourageduseofratesensingdevicesforprotective purposes.Inthisinstance,itwasdetermined thatdetectionofhydraulicactuatoroperation wouldbeamorepositivemeansofdetermining fastclosureofthecontrolvalves.(3)Lossofhydraulicpressureintheelectrohydrauliccontrol(EHC)oillineswhich initiatesfastclosureofthecontrolvalvesis monitored.Thesemeasurementsprovideindication thatfastclosureofthecontrolvalvesis
imminent.(4)Thismeasurementisadequateandapropervariablefortheprotectivefunctiontakinginto considerationthereliabilityofthechosen sensorsrelativetootheravailablesensorsand thedifficultyinmakingdirectmeasurementsof controlvalvefast-closurerate.i.CapabilityforSensorChecks(IEEE279-1971,Paragraph4.9)RefertoRegulatoryGuide1.22inSection7.2.2.3.j.CapabilityforTestandCalibrationIEEE279-1971,Paragraph4.10)RefertoRegulatoryGuide1.22inSection7.2.2.3k.ChannelBypassorRemovalfromOperation(IEEE279-1971,Paragraph4.11)ThefollowingRPStripvariableshavenoprovisionforsensorremovalfromservicebecauseoftheuseof valvepositionlimitswitchesasthechannelsensor:(1)MSIVclosuretrip (2)Turbinestopvalveclosuretrip.
RBSUSAR7.2-18August1987Duringperiodictestofanyonetripchannel,asensorortripunitmayberemovedfromserviceandreturned toserviceunderadministrativecontrolprocedures.
Sinceonlyonesensorortripunitisremovedfrom serviceatanygiventimeduringthetestinterval, protectiveactioncapabilityforRPSautomatic initiationismaintainedthroughtheremaining rendundantinstrumentchannels.AsufficientnumberofIRMchannelshasbeenprovidedtopermitanyoneIRMchannelinagiventripsystem tobemanuallybypassedandstillensurethattheremainingoperableIRMchannelscomplywiththe IEEE279-1971single-failuredesignrequirements.OneIRMmanualbypassswitchhasbeenprovidedforeachRPStripsystem.Themechanicalcharacteristics ofthisswitchpermitonlyoneofthefourIRM channelsofthattripsystemtobebypassedatany time.Inordertoaccommodateasinglefailureof thisbypassswitch,electricalinterlockshavealso beenincorporatedintothebypasslogictoprevent bypassingofmorethanoneIRMinthattripsystemat anytime.Consequently,withanyIRMbypassedina giventripsystem,threeIRMchannelsremainin operationtosatisfytheprotectionsystem
requirements.Inasimilarmanner,oneAPRMmanualbypassswitchhasbeenprovidedforeachRPStripsystemtopermitone ofthefourAPRMstobebypassedatanytime.
Mechanicalinterlockshavebeenprovidedwiththe bypassswitchandelectricalinterlockshavebeen providedinthebypasscircuitrytoaccommodatethe possibilityofswitchfailure.Withthemaximum numberofAPRMsbypassedbytheswitches,sufficient APRMchannelsremaininoperationtoprovidethe necessaryprotectionforthereactor.Themodeswitchproducesoperatingbypasseswhichneednotbeannunciatedbecausetheyareremovedbynormal reactoroperatingsequence.l.OperatingBypasses(IEEE279-1971,Paragraph4.12)ForadiscussionofRPSoperatingbypassesrefertoSection7.2.1.1.
RBSUSARRevision147.2-19September2001m.IndicationofBypasses(IEEE279-1971,Paragraph4.13)ForadiscussionofbypassandinoperabilityindicationrefertoSection7.1.2.4,RegulatoryGuide
1.47.n.AccesstoMeansforBypassing(IEEE279-1971,Paragraph4.14)AccesstomeansofbypassinganysafetyactionorfunctionfortheRPSisundertheadministrative controlofthemaincontrolroomoperator.The operatorisalertedtobypassesasdescribedin Section7.1.2.4,RegulatoryGuide1.47.147Controlswitcheswhichallowsafetysystembypasses arekeylocked.Allkeylockemergencyswitchesinthe maincontrolroomaredesignedinsuchawaythat theirkeyscanonlyberemovedwhentheswitchesare inthesafeposition.Allkeysarenormallyremoved fromtheirrespectiveswitchesduringoperationand maintainedunderthecontroloftheshift
superintendent.
714o.MultipleSetPoints(IEEE279-1971,Paragraph4.15)ThereactormodeswitchimplementsmorerestrictivescramtripsetpointswhenitisshiftedfromRUNto STARTUP.AsthemodeswitchismovedtoSTARTUP:(1)TheAPRMupscaleneutronscramtripisreplacedbytherestrictiveAPRMsetdownscramtripat15%
power.(2)TheIRMrangeswitchdependentscramtripsare enabled.EachIRMrangeswitchenablessuccessivelymorerestrictivescramtripsetpointsasitisrangeddown.Inadditiontothemodeswitchdependentmultiplesetpoints,theflowchannelswhichsupplycontroland referencesignalsfortheAPRMupscalethermalscram continuallyvarythescramsetpointasflowchanges.
Asensedreductioninflowresultsinmorerestrictive scramtripsetpoints.
RBSUSAR7.2-20August1987Thedevicesusedtopreventimproperuseofthelessrestrictivesetpoints(themodeswitch,IRMrange switches,theIRMandAPRMsignalconditioning equipment,andtheflowchannels)aredesignedin accordancewithcriteriaregardingtheperformance andreliabilityofprotectionsystemequipment.p.CompletionofProtectiveActionOnceItIsInitiated(IEEE279-1971,Paragraph4.16)OncetheRPStriplogichasbeendeenergizedasaresultofatripchannelbecomingtripped,orthe actuationofamanualscramswitch,thetriplogic seal-incontactopens,andcompletionofprotection actionisachievedwithoutregardtothestateof theinitiatingsensortripchannel.Afterinitialconditions(variabletripandlogicdeenergization)returntonormal,deliberate operatoractionisrequiredtoreturn(reset)the RPSlogictonormal(energized).Aftertheoperator resetstheRPSlogic,theassociatedESFequipment (pumps,valves,fans,anddampers)remainsinthe emergencymode(safetyfeaturecondition)until deliberateoperatoractionistakentoreturnthe equipmenttothenormalmodeofoperation.q.ManualInitiation(IEEE279-1971,Paragraph4.17)RefertothediscussionofRegulatoryGuide1.22inSection7.2.2.3.r.AccesstoSetPointAdjustments,Calibration,andTestPoints(IEEE279-1971,Paragraph4.18)Duringreactoroperation,accesstosetpointorcalibrationcontrolsisnotpossibleforthe followingRPStripvariables:(1)MSIVclosuretrip (2)Turbinestopvalveclosuretrip (3)TCVfastclosuretrip.
Accesstosetpointadjustments,calibrationcontrols,andtestpointsforallotherRPStrip RBSUSAR7.2-21August1987variablesisundertheadministrativecontrolofthemaincontrolroomoperator.s.IdentificationofProtectiveActions(IEEE279-1971,Paragraph4.19)WhenanyoneoftheRPSsensedvariablesexceedsitstripunitsetpointvalue,amaincontrolroom annunciatorisinitiatedtoidentifythatvariable andatypedrecordisavailablefromtheprocess computer.t.InformationReadout(IEEE279-1971,Paragraph4.20)TheRPSisdesignedtoprovidetheoperatorwithaccurateandtimelyinformationpertinenttoits status.Itdoesnotgiveanomalousindications confusingtotheoperator.u.SystemRepair(IEEE279-1971,Paragraph4.21)DuringperiodictestingoftheRPSsensorchannels(exceptasnotedbelow)theoperatorcandetermine anydefectivecomponentandreplaceitduringplant
operation.Duringreactoroperation,themaincontrolroomoperatorisabletodeterminefailedsensorsforthe followingRPStripvariablesforwhichsubsequent repaircanonlybeaccomplishedduringreactor
shutdown:(1)MSIVclosuretrip (2)Turbinestopvalveclosuretrip (3)Neutronmonitoring(APRM)systemtrip (4)Neutronmonitoring(IRM)systemtrip.
ReplacementofIRMandLPRMdetectorsmustbeaccomplishedduringplantshutdown.Repairofthe remainingportionsoftheNMSmaybeaccomplished duringplantoperationbyappropriatebypassingof thedefectiveinstrumentchannel.Thedesignofthe systemfacilitatesrapiddiagnosisandrepair.
RBSUSAR7.2-22August1987v.IdentificationofProtectionSystems(IEEE279-1971,Paragraph4.22)TheidentificationschemefortheRPSsystemisdiscussedinSection8.3.1.7.2.2.3ConformancetoNRCRegulatoryGuides ThefollowingisadiscussionofconformancetothoseRegulatoryGuideswhichapplyspecificallytotheRPS.Referto Section7.1.2.4foragenericdiscussionofRegulatoryGuides whichapplytotheRPS,asidentifiedinTable7.1-3.1.RegulatoryGuide1.22TheRPScanbetestedduringreactoroperationbythefollowingseparatetests:Themanualscramtest.Thetotaltestverifiestheabilitytodeenergizethescrampilotvalvesolenoids withoutscrambyusingthemanualscrampushbutton switches.Byactuatingthemanualscramswitches,the triplogicisdeenergized,openingcontactsinthetrip actuatorlogic.Afterthefirsttripchannelisreset,thesecondtripchannelistrippedmanuallyandsoforthforthefour manualscramswitches.Inadditiontomaincontrolroom annunciatorandcomputerprintoutindications,scramgroup indicatorlightsverifythatthetripactuatorcontacts haveopenedandinterruptedpowertothescramsolenoids.Thesinglerodscramtest,whichverifiescapabilityofeachrodtoscram.Itisaccomplishedbyoperatingtwo toggleswitchesonthehydrauliccontrolunitforthe particularCRD.Timingtracescanbemadeforeachrod
scrammed.ThesensortestinvolvesapplyingatestsignaltoeachRPSsensorortripunitinturnandobservingthetrip channeltripresults.Thetestsignalscanbeappliedto theprocessingsensinginstrumentation(pressureand differentialpressure)throughcalibrationtaps.Atestofindividualscramdischargeinstrumentvolumewaterlevelsensorscanbeperformedduringfullpower operationbyvalvingoutthesensorandinjectingwater intoatesttap.Atplantshutdown,thelevel RBS USAR Revision 16 7.2-23 March 2003 transmitters may be calibrated by introducing a fixed volume of water into the discharge instrument volume and observing
that all level transmitters operate at the specified trip
points. 16 During plant operation, the operator can set the turbine stop valve or MSIV closure logic test switch in test
position and actuate the other valve which completes the
respective channel trip with annunciation and computer logging. The operator can then confirm that the MSIV and
turbine stop valve limit switches operate during valve
motion, from full open to full closed and vice versa, by
comparing the time that the RPS channel trip occurs with the time that the valve position indicator lights in the main
control room signal that the valve is fully open and fully
closed. This test does not confirm the exact set point, but
does provide the operator with an indication that the limit
switch operates between the limiting positions of the valve.
During reactor shutdown, calibration of the MSIV and turbine stop valve limit switch nominal set points is possible by
physical observation of the valve stem. During reactor operation, a test and calibration of the individual EHC oil line pressure sensors associated with TCV closure when the plant is operating above 40 percent of
rated power may be accomplished by valving one sensor
out-of-service at a time and introducing a test pressure
input.16 The APRMs are calibrated to reactor power by using a reactor heat balance and the TIP system to establish the relative local flux profile. LPRM gain settings are determined from
the local flux profiles measured by the TIP system once the
total reactor heat balance has been determined. 15 The gain adjustment factors for the LPRMs are produced as a result of the ancillary core monitoring system nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated
into the LPRMs, permit the nuclear calculations to be 15 RBSUSAR7.2-24August1987completedforthenextoperatingintervalandestablishtheAPRMcalibrationrelativetoreactorpower.OperationofthereactormodeswitchfromonepositiontoanothermaybeemployedtoconfirmcertainaspectsoftheRPStripchannelsduringperiodictestandcalibrationatshutdownonly.Duringtestsofthetripchannels,proper operationofthemodeswitchcontactscanbeeasilyverifiedbynotingthatcertainsensorsareconnectedintotheRPS logicandthatothersensorsarebypassedintheRPSlogic inanappropriatemannerofthegivenpositionofthemode
switch.IntheSTARTUPandRUNmodesofplantoperation,proceduresmaybeusedtoconfirmthatscramdischargeinstrument volumehighwaterleveltripchannelscannotbebypassedasa resultoftheoperatingbypassswitch.IntheSHUTDOWNand REFUELmodesofplantoperation,asimilarproceduremaybe usedtobypassallfourscramdischargeinstrumentvolumetrip channels.Duetothediscreteon-offnatureofthebypass function,calibrationisnotmeaningful.Administrativecontrolmustbeexercisedtovalveoneturbinefirststagepressuresensorout-of-servicefor theperiodictest.Duringthistest,avariablepressure sourcemaybeintroducedtooperatethesensorattheset pointvalue.Whentheconditionforbypasshasbeen achievedonanindividualsensorundertest,themain controlroomannunciatorforthisbypassfunctionis initiated.IftheRPStripchannelassociatedwiththis sensorwereinitstrippedstate,theprocesscomputer wouldlogthereturntonormalstatefortheRPStrip logic.Whentheplantisoperatingabove40percentof ratedpower,testingoftheturbinestopvalveand controlvalvefastclosuretripchannelsconfirmsthat thebypassfunctionisnotineffect.Amanualscramswitchpermitseachindividualtriplogicandtripactuatorlogictobetestedonaperiodicbasis.
Operationoftheresetswitchfollowingatripofeach RPStripchannelconfirmsthattheswitchisperforming itsintendedfunction.(Calibrationofthetimeresponse ofthetripchannel,relays,andtripactuatorsmaybe accomplishedbyconnectionofexternaltestequipment.)
RBSUSAR7.2-25August19872.RegulatoryGuide1.53SeeIEEE279-1971,Paragraph4.2,Section7.2.2.2.
RBSUSAR7.3-1August19877.3ENGINEEREDSAFETYFEATURESYSTEMS7.3.1Description Section7.3describestheinstrumentationandcontrolsforthefollowingESFsystems:1.ECCS 2.CRVICS 3.MS-PLCS 4.SGTS 5.Combustiblegascontrolsystem 6.Reactorplantventilationsystem 7.RHR-SPCM 8.SSWsystem 9.Controlbuildingairconditioningsystem 10.Controlbuildingchilledwatersystem 11.Standbypowersupportsystems 12.Dieselgeneratorbuildingventilationsystem 13.SSWpumphouseventilationsystem 14.Auxiliarybuildingventilationsystem 15.Fuelbuildingventilationsystem.RefertoChapter8foracompletediscussionoftheESFsystemspowersources.7.3.1.1SystemDescription 7.3.1.1.1EmergencyCoreCoolingSystem(ECCS)
TheECCSisanetworkofthefollowingsubsystems.SeeSections6.3.1and6.3.2.1.HPCSsystem 2.ADS RBSUSAR7.3-2August19873.LPCSsystem4.LPCImodeoftheRHRsystem.ThepurposeofECCSinstrumentationandcontrolsistoinitiateappropriateresponsesfromthesystemtoensurethatthefuelis adequatelycooledintheeventofaDBA.Thecoolingprovidedby thesystemrestrictsthereleaseofradioactivematerialsfromthe fuelbypreventingorlimitingtheextentoffueldamagefollowing situationsinwhichcoolantislostfromtheRCPB.TheECCSinstrumentationdetectsaneedforcorecoolingsystemsoperation,andthetripsystemsinitiatetheappropriateresponse.ThefollowingplantvariablesaremonitoredandprovideautomaticinitiationoftheECCSwhenthesevariablesexceedpredetermined
limits:1.ReactorVesselWaterLevelAlowwaterlevelinthereactorvesselcouldindicatethatreactorcoolantisbeinglostthroughabreachin theRCPBandthatthecoreisindangerofbecoming overheatedasthereactorcoolantinventorydiminishes.RefertoFig.5.1-3foraschematicarrangementofreactorvesselinstrumentation.2.DrywellPressureHighpressureinthedrywellcouldindicateabreachoftheRCPBinsidethedrywellandthatthecoreisin dangerofbecomingoverheatedasreactorcoolant inventorydiminishes.7.3.1.1.1.1HighPressureCoreSpray(HPCS)System SystemFunctionThepurposeoftheHPCSistoprovidehighpressurereactorvesselcoresprayforsmalllinebreakswhichdonotdepressurizethe reactorvessel.Inaddition,HPCSisredundanttotheRCICsystem formitigationoftheconsequencesofvariouseventslistedin Appendix15A.ReferalsotoSection6.3.2.2.1.
RBSUSARRevision147.3-3September2001SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.6.3-1.HPCSsystem componentcontrollogicisshowninFig.7.3-1.Instrument locationdrawingsandelementarydiagramsareidentifiedin Section1.7.TheHPCSpowersupply(HPCSdieselgenerator)is discussedinChapter8.14TheHPCSisinitiatedautomaticallybyeitherreactorvessellow waterlevel(triplevel2)ordrywellhighpressure.TheHPCSis actuatedautomaticallyandrequiresnooperatoractionduringthe first20minfollowingtheaccident.Thesystemisdesignedto operateautomaticallyforatleast10minwithoutanyactions requiredbythemaincontrolroomoperator.Duringthelongterm coolingperiod(after10min),theoperatoractionsareas specifiedinSection6.2and6.3.2.8.OnceinitiatedtheHPCS logicsealsinandcanberesetbytheoperatoronlywhenthe initiatingconditionsreturntonormal.RefertoFig.7.3-1fora schematicrepresentationoftheHPCSsysteminitiationlogic.
14Reactorvesselwaterlevel(triplevel2)ismonitoredbyfour redundantleveltransmitters.Eachtransmitterprovidesaninput toatripunit.Thetripunitrelaycontactsarearrangedina one-out-of-twotwicelogicarrangementtoassurethatnosingle failurecanpreventtheinitiationoftheHPCS.Initiationdiversityisprovidedbydrywellpressurewhichismonitoredbyfourredundantpressuretransmitters.Thetripunit relaycontactsareelectricallyconnectedinaone-out-of-two twicelogicarrangementtoassurethatnosingleinstrument failurecanpreventtheinitiationoftheHPCS.TheHPCScomponentsrespondtoanautomaticinitiationsignalasfollows(actionsaresimultaneousunlessstatedotherwise):1.TheHPCSdieselgeneratorissignaledtostart.
2.TheHPCSpumpmotorissignaledtostart.
3.ThenormallyopenpumpsuctionfromthecondensatestoragetankvalveMOF001issignaledtoopen.4.ThetestreturnvalvesMOF010,MOF011,andMOF023aresignaledtoclose.5.TheHPCSinjectionvalveMOF004issignaledtoopen.
RBSUSAR7.3-4August1987TheHPCSpumpdischargeflowandpressurearemonitoredbypressureswitches.Ifpumpdischargepressureisnormalbut dischargeflowislowenoughthatpumpoverheatingmayoccurthe minimumflowreturnlinevalveMOF012issignaledtoopen.The valveisautomaticallyclosedifflowisnormal.TheHPCSreaches itsdesignflowratewithin27secfollowingreceiptofthe initiationsignal.Ifthewaterlevelinthecondensatestoragetankfallsbelowapredeterminedlevel,thesuppressionpoolsuctionvalveMOF015 automaticallyopens.WhenMOF015isfullyopenthecondensate storagetanksuctionvalveMOF001automaticallycloses.Two leveltransmittersareusedtodetectlowwaterlevelinthe condensatestoragetank.Eithertransmittercancauseautomatic suctiontransfer.Thesuppressionpoolsuctionvalvealso automaticallyopensifhighwaterlevelisdetectedinthe suppressionpool.Twoleveltransmittersmonitorsuppressionpool waterlevelandeithertransmittercaninitiateopeningofthe suppressionpoolsuctionvalve.Topreventlosingsuctiontothe pump,thesuctionvalvesareinterlockedsothatonesuctionpath mustbeopenbeforetheothercloses.TheHPCSprovidesmakeupwatertothereactoruntilthevesselwaterlevelreachesthehighleveltrip(triplevel8).The injectionvalveM0F004isthenautomaticallyclosedandthepump continuestorunonminimumflowrecirculation.Theinjection valveautomaticallyreopensifvessellevelagaindropstothelow level(triplevel2)initiationpoint.TheHPCSpumpmotorandinjectionvalveareprovidedwithmanualoverridecontrols.Thesecontrolspermitthereactoroperatorto controlthesystemmanuallyfollowingautomaticinitiation.7.3.1.1.1.2AutomaticDepressurizationSystem(ADS)
SystemFunctionTheADSisdesignedtoprovideautomaticdepressurizationofthereactorvesselbyactivatingsevenSRVs.Thesevalvesventsteam tothesuppressionpoolintheeventthattheHPCScannotmaintain thereactorwaterlevelfollowingaLOCA.ADSreducesthereactor pressuresothatflowfromtheRHR-LPCImodeandLPCScaninject intothereactorvesselintimetocoolthecoreandlimitfuel barriertemperature.ReferalsotoSection6.3.
RBSUSARRevision107.3-5April1998SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.5.1-3.ADScomponent controllogicandoperatorinformationdisplaysareshowninFig.
7.3-2.Instrumentlocationdrawingsandelementarydiagramsare identifiedinSection1.7.TheADSconsistsoftworedundantandindependenttripsystems,tripsystemsAandB.ADStripsystemAactuatestheAsolenoid airpilotvalveoneachADSSRV.Similarly,ADStripsystemB actuatestheBsolenoidairpilotvalveoneachADSSRV.
ActuationofeithersolenoidpilotvalvecausestheADSSRVto openandprovidedepressurization.Topreventinadvertent actuationoftheADS,twochannelsoflogicforeachADStrip system(AandB)areused.Bothchannelsmustbeactivatedto actuateanADStripsystem.Eachtripchannelcontainsasingleinputfromadrywellhighpressuretransmitter.Onetripchannelincludestwodifferential pressuresensorinputsmonitoringreactorvessellowwaterlevel (triplevels1and3).Thelowwaterlevel3tripprovides confirmationofareactorvessellowwaterlevelcondition.The secondtripchannelisredundant,exceptthelowwaterlevel confirmationsignalisomitted.10ToensureautomaticdepressurizationforLOCAsorotherpostulatedeventsthatdonotproduceahighdrywellpressuresignal,theADS tripsystemprovidesautomaticbackuptooperatoraction.This modificationconsistsofaddingabypasstothedrywellpressure signalwithasettimedelayandtheadditionofamanualADS inhibit.Thebypassisincorporatedintothesystemlogicbythe additionofabypasstimeractuatedonreactorwaterlevel1.
Thistimerprovidesanominal5-mintimedelaywiththeexact timersetpointdeterminedbasedonnotexceeding10CFR50.46 acceptancecriteriaforLOCAeventsandstillbeingcompatible withtheRBSATWSdesign.Startingofthebypasstimeralso activatesanalarmthatthebypasslogichasbeenactivated.
Afterthetimedelay,thetimedelayrelaycontactslocatedinthe highdrywellpressuresignalbypasscircuitareclosed,effecting thebypass.Theexisting106-sectimeristhenstartedandthe ADSsolenoidenergized,afterthetimerrunout,providedthatat leastonelowpressurepumpinthatdivisionisrunning.The bypasstimersareautomaticallyresetwhenthelowwaterlevel signalhasclearedortheresetpushbuttonispressed.
10 RBSUSARRevision107.3-6April1998Toassurethatadequatemakeupwaterisavailableafterthevesselhasbeendepressurized,eachtripchannelincludesapump dischargepressurepermissivesignalindicatingLPCIorLPCS systemavailableforvesselwatermakeup.Anyoneofthethree LPCIpumpsortheLPCSpumpavailableforreactorcoolantmakeup issufficienttopermitautomaticdepressurization(onepumpeach pertripsystem).10Afterreceiptoftheinitiationsignalsandaftera106-secdelayprovidedbytimers,eachofthetwosolenoidairpilotvalvesis energized.Thisallowspneumaticpressurefromtheaccumulatorto actontheaircylinderoperator.EachADStripsystemhasatime delaythatcanberesetmanuallybyactivatingthetimerreset buttonstodelaysysteminitiation.Thetimedelayisselectedto bewithinaperiodthatallowstheHPCStoperformitsfunction priortoADSinitiation.ResettingtheADStimersdoesnotchange thestateoftheinitiatingcircuits.Itmerelyextendsthetime delaybeforetheADSfunctiontakesplace.IntheeventofHPCS failure,thetimedelayperiodisselectedtoallowinitiationof ADS,LPCI,andLPCSintimetomaintainthefuelbarrier temperaturewithinacceptablelimits.Ifreactorvesselwater levelisrestoredbyHPCSpriortotheendofthetimedelay,ADS initiationisprevented.Theoperatorisprocedurallyconstrained fromrepeatedlyresettingthetimersandwouldbasehisdecision oninformationprovidedbysafety-relateddisplays;e.g.,reactor pressure,reactorwaterlevel,andwaterinventorymakeupsystem performance.Inaddition,hewouldhavetheHPCS,RCIC,and feedwatersystemsathisdisposaltoprovidemakeupwater.
10OnceinitiatedtheADSlogicsealsinandcanberesetbythemaincontrolroomoperatoronlywheneitherdrywellpressureorvessel waterlevelreturnstonormal.Twocontrolswitches(oneforeachtripsystemsolenoid)arelocatedinthemaincontrolroomforeachSRVassociatedwiththe ADS.Eachswitchcontrolsoneofthetwosolenoidairpilot
valves.7.3.1.1.1.3LowPressureCoreSpray(LPCS)
SystemFunctionThepurposeoftheLPCSistoprovidelowpressurereactorvesselcoresprayfollowingaLOCAwhenthevesselhasbeendepressurized andvesselwaterlevelhasnotbeenrestoredbytheHPCS.The LPCSisfunctionallydiversetotheLPCImodeoftheRHRsystem.
SeeSection6.3.
RBSUSARRevision147.3-7September2001SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.6.3-4.LPCScomponent controllogicandoperatorinformationdisplaysareshowninFig.
7.3-3.Instrumentlocationdrawingsandelementarydiagramsare identifiedinSection1.7.14TheLPCSisinitiatedautomaticallybyreactorvessellowwater leveland/ordrywellhighpressure.TheLPCSisactuated automaticallyandrequiresnooperatoractionduringthefirst20 minfollowingtheaccident.Thesystemisdesignedtooperate automaticallyforatleast10minwithoutanyactionsrequiredby themaincontrolroomoperator.Duringthelongertermcooling period(after10min),theoperatoractionsareasspecifiedin Section6.2and6.3.2.8.OnceinitiatedtheLPCSlogicsealsin andcanberesetbythemaincontrolroomoperatoronlywhenthe initiatingconditionsreturntonormal.RefertoFig.7.3-3fora schematicrepresentationoftheLPCSsysteminitiationlogic.
14Reactorvesselwaterlevel(triplevel1)ismonitoredbytwo redundantleveltransmitters.Drywellpressureismonitoredby tworedundantpressuretransmitters.Thevesselleveltripunit relaycontactsandthedrywellpressuretripunitrelaycontacts areconnectedinaone-out-of-twotwicelogicarrangementsothat nosingleinstrumentfailurecanpreventinitiationofLPCS.Additionally,areactorlowpressurepermissiveisprovidedinone-out-of-twotwicelogicbeforetheinjectionvalvesare signaledtoopen.ManualinitiationoftheLPCIisprovided, whichbypassestheinitiationlogicexceptthatthereactorlow pressurepermissivemustbepresenttoopentheinjectionvalves.Reactorpressureismonitoredbyeightpressuresensors,fourperdivision,mountedonracksinthereactorbuilding.Division1 providestheinterlocksfortheLPCS.TheLPCScomponentsrespondtoanautomaticinitiationsignalsimultaneously(orsequentiallyasnoted)asfollows:1.TheDivision1dieselgeneratorissignaledtostart.
2.ThenormallyclosedtestreturnlinetothesuppressionpoolvalveMOF012issignaledclosed.3.Whenpower(offsiteoronsite)isavailableattheLPCSpumpmotorbus,theLPCSpumpissignaledtostartafter apresettimedelay.
RBSUSARRevision147.3-8September200184.Whenpowerisavailabletothepumpmotorbus,theinjectionvalveE21MOVF005issignaledtoopen.814TheLPCSpumpdischargeflowismonitoredbyadifferentialpressure transmitter.Whenthepumpisrunninganddischargeflowislowenough thatpumpoverheatingmayoccur,theminimumflowreturnlinevalveMOV-F011isopened.Attheendoftheopenstroke,theclosecyclestartis delayedtoavoidpossiblebreakertrip.Thevalveisautomatically closedifflowisnormal.
14*10TheLPCSpumpsuctionfromthesuppressionpoolvalveMOV-F001is normallyopen,thecontrolswitchiskeylockedintheopenposition,and thusrequiresnoautomaticopensignalforsysteminitiation.
10*8TheLPCSpumpandinjectionvalveE21MOVF005isprovidedwithmanual overridecontrols.Manualopeningoftheinjectionvalveisinterlocked onreactorlowpressure,monitoredbyapressuretransmitteronthe vesselsideoftheLPCSinjectionvalve.Oncemanualcontrolofthe injectionvalvehasbeeninitiatedbytheoperatorcausingthevalveto movetowardtheclosedposition,theautomaticvalveopenlogicis bypassedandwillberesetonlyuponlossofDClogiccontrolpower, lossofpowertotheLPCSpump,orwhentheLPCSsysteminitiation signalhasbeenmanuallyreset.Thesecontrolspermittheoperatorto manuallycontrolthesystemsubsequenttoautomaticinitiation.87.3.1.1.1.4RHR-LowPressureCoolantInjection(LPCI)
ModeSystemFunctionLPCIisanoperatingmodeoftheRHRsystem.SeeSection5.4.ThepurposeoftheLPCIsystemistoprovidelowpressurereactorvessel coolantmakeupfollowingaLOCAwhenthevesselhasbeendepressurized andvesselwaterlevelisnotrestoredbytheHPCS.SeeSection
6.3.2.2.4.SystemOperationSchematicarrangementsofsystemmechanicalequipmentoperatorinformationdisplaysareshowninFig.5.4-12.LPCIcomponentcontrol logicandoperatorinformationdisplaysareshowninFig.7.3-4.
Instrumentationlocationdrawingsandelementarydiagramsareidentified inSection1.7.14TheLPCImodeisinitiatedautomaticallybyreactorvessellowwater leveland/orbydrywellhighpressure.TheLPCIisactuated automaticallyandrequiresnooperatoractionduringthefirst20min followingtheaccident.Thesystemisdesignedtooperateautomatically foratleast10minwithoutanyactionsrequiredbythemaincontrol roomoperator.Duringthelongertermcoolingperiod(after10min),the operatoractionsareasspecifiedinSection6.2and6.3.2.8.Once initiatedtheLPCIlogicsealsinandcanberesetbythemaincontrol roomoperatoronlywheninitiatingconditionsreturntonormal.
14 RBS USAR Revision 24 7.3-9 Reactor vessel water level (trip level 1) is monitored by two redundant differential pressure transmitters. Drywell pressure is
monitored by two redundant pressure transmitters.
Additionally, a reactor low pressure permissive is provided in one-out-of-two twice logic before the injection valves are to be
signaled open. Manual initiation of the LPCI mode is provided, which bypasses the initiation logic except that the reactor low pressure permissive must be present to open the injection valves.
Reactor pressure is monitored by eight pressure sensors, four per division, mounted on racks in the reactor building. Division I provides the interlocks for the LPCI A loop; Division II provides
the interlocks for the LPCI B and LPCI C loops.
To initiate the Division II LPCI (Loops B and C) the vessel level trip unit relay contacts and the two drywell pressure trip unit relay contacts are connected in a one-out-of-two twice arrangement so that no single instrument failure can prevent initiation of
LPCI.
The Division I LPCI (Loop A) receives its initiation signal from
the LPCS logic.
The LPCI system components respond to an automatic initiation
signal simultaneously (or sequentially as noted) as follows (the Loop A components are controlled from the Division I logic; the
Loop B and C components are controlled from the Division II logic):
- 1. The Division II diesel generator is signaled to start from the Loop B and C initiation logic.
- 2. If normal auxiliary (offsite) power is available at the pump motor buses the LPCI Loop A, B, and C pumps are signaled to start. If offsite power is not available and the diesel generators are providing power to the pump motor buses, sequential loading of the diesel generators is required. This is accomplished by delaying the start of the LPCI pumps A and B by 7 sec while allowing the LPCS and LPCI C pumps to start 2 sec after the closing of their
associated DG air circuit breaker. 13 3.The normally open RHR injection valves MO F027A and MO F027B are signaled to open. When power is available at the associated pump motor bus and reactor low-pressure injection permissive is satisfied, the injection valves MO
F042A, MO F042B and MO F042C are signaled to open.
13 RBSUSARRevision107.3-10April19984.Thefollowingnormallyclosedvalvesaresignaledclosedtoensurepropersystemlineup:4a.TheRHRheatexchangerdischargetoRCICvalvesAOF065A,andAOF065B.b.TheRHRheatexchangerflushtosuppressionpoolvalvesMOF011AandMOF011B.c.DELETED d.DELETED 410e.ThetestreturnlinetothesuppressionpoolvalvesMOF024A,andMOF024B.
105.ThenormallyopenheatexchangerbypassvalvesMOF048AandMOF048Baresignaledopen.Theopensignalis automaticallyremoved10minaftersysteminitiationto allowoperatorcontrolofthevalveforthrottling
purposes.106.Thefollowingnormallyopenvalvesaresignaledclosedtoensurepropersystemlineup:a.TheloopCtestreturnlinetothesuppressionpoolvalveMOF021.b.ThesuppressionpoolcoolingandcleanupsuctionvalvesRHS-AOV62andRHS-AOV63.Thesevalveswill alsoautomaticallycloseuponalossofpoweror lossofair.c.ThesuppressionpoolcoolingandcleanupdischargevalveRHS-AOV64.Thisvalvewillalsoautomatically closeuponalossofpowerorlossofair.
10 RBS USAR Revision 17 7.3-10a 15 14 9Each LPCI pump is provided with a minimum flow recirculation line and a motor operated bypass valve which is initially open when the system is in the standby mode. This discharge flow of each pump is
monitored by a differential pressure transmitter which, when the pump is running, closes the minimum flow valves MO F064A, MO F064B, MO F064C if flow is normal. The valve is automatically opened if the flow is low enough that pump overheating may occur. The valves MO F064A and MO F064B are provided with a time delay to prevent reactor vessel inventory loss during the shutdown cooling mode of the RHR system (Section 5.4.7).These valves are initially closed by operator action during the shutdown cooling mode.
9 14 1513The three RHR suppression pool pump suction valves MO F004A, MO F004B, and MO F105 have their control switches key-locked in the open position, and thus require no automatic open signal for system
initiation.The RHR heat exchanger normally open inlet valves MO F047A, MO F047B have open/ close maintained control switches, and normally open outlet valves MO F003A and MO F003B have spring return to
neutral throttle control switches.
13The two series service water crosstie valves MO F094 and MO F096 do not require an automatic close signal for system initiation, as MO
F096 is keylocked in the closed position. 14The upper pool shutdown cooling valves MO F037A and MO F037B, the two series RHR heat exchanger vent valves MO F073A, MO F073B, MO F074A, and MO F074B, and the RHR shutdown cooling mode suction valves MO F006A and MO F006B are all 14 RBSUSARRevision107.3-10bApril1998THISPAGELEFTINTENTIONALLYBLANK RBSUSARRevision87.3-11August1996normallyclosedandthusrequirenoautomaticclosesignalforsysteminitiation.8TheLPCIpumpmotorsandinjectionvalvesareprovidedwithmanualoverridecontrols.ManualopeningoftheLPCIinjectionvalves E12-MOVF042A,B,andCisinterlockedwithreactorlowpressure andmonitoredbypressuretransmittersonthereactorvesselside oftheLPCIinjectionvalve.Oncemanualcontrolofinjection valvesE12-MOVF042A,B,orChasbeeninitiatedbytheoperator causingthevalvetomovetowardtheclosedposition,the automaticvalveopenlogicisbypassedandwillberesetonlyupon lossofDClogiccontrolpower,lossofpowertoitsassociated LPCIpump,orwhentheLPCIinitiationsignalhasbeenmanually reset.Thesecontrolspermittheoperatortocontrolthesystem manuallysubsequenttoautomaticinitiation.87.3.1.1.2ContainmentandReactorVesselIsolationControlSystem(CRVICS)SystemFunctionTheCRVICSincludestheinstrumentchannels,triplogics,andactuationcircuitsthatautomaticallyinitiatevalveclosure providingisolationofthecontainmentand/orreactorvessel,and initiationofsystemsprovidedtolimitthereleaseofradioactive
materials.TheCRVICSencompassesthefollowingESFsubsystems:1.NuclearSteamSupplyShutoffSystem(NSSSS) 2.ContainmentIsolationSystem 3.ClosedSystemIsolationValves.TheNSSSSvalvesconnectdirectlytothereactorvesselandarelocatedinpipelineswhichpenetratethedrywellandcontainment andarepartofthereactorcoolantpressureboundary(RCPB).Thecontainmentisolationsystemvalvesconnecttothedrywellorcontainmentatmosphereandarelocatedinpipelineswhich penetratethedrywellorcontainment.TheclosedsystemisolationvalvesareneitherpartoftheRCPBnorconnectdirectlytothedrywellorcontainmentatmospheres.
However,thesevalvesarelocatedinpipelineswhichpenetratethe drywellorcontainment.SeeSection6.2.4andTable6.2-40foracompletedescriptionofcontainmentandreactorvesselprocesslinesandisolationsignals appliedtoeach.
RBSUSAR7.3-12August1987SystemOperationSchematicmechanicalarrangementsofcontainmentisolationvalvesandothercomponentsinitiatedbyCRVICSandoperatorinformation displaysareshowninFig.5.4-12,5.1-3,6.2-63,6.2-64,and 6.2-65.CRVICScomponentcontrollogicandoperatorinformation displaysareshowninthefunctionalcontroldiagramsandlogic diagramsinChapter7.Instrumentlocationdrawingsand elementarydiagramsareidentifiedinSection1.7.Duringnormalplantoperation,theisolationcontrolsystemsensorsandtriplogicthatareessentialtosafetyareenergized.Whenabnormalconditionsaresensed,instrumentchannelrelaycontactsopenanddeenergizethetriplogicandtherebyinitiate isolation.Onceinitiated,theCRVICStriplogicssealinandmay beresetbytheoperatoronlywhentheinitiatingconditions returntonormal.EachMSIVhastwocontrolsolenoids.Eachsolenoidreceivesinputsfromtworedundantlogics.Asignalfromeithercan deenergizethesolenoid.Foranyonevalvetoclose automatically,bothofitssolenoidsmustbedeenergized.TheMSIVlogichasaminimumoffourredundantinstrumentchannelsforeachmeasuredvariable.Onechannelofeachvariableis connectedtoonetriplogic.Onegroupofredundantlogics(Aand C)isusedtocontrolonesolenoidofbothinboardandoutboard valvesofallfourmainsteamlines,andtheothergroupof redundantlogics(BandD)isusedtocontroltheothersolenoid ofbothinboardandoutboardvalves.ThefourCRVICStriplogics arearrangedinaone-out-of-twotwicelogiccombination(trip logicAorCandBorD).Themainsteamlinedrainvalves,drywellequipmentandfloordrainvalves,reactorwatersamplevalves,thereactorwater cleanup(RWCU)system,andRHRsystemisolationvalvesalso operateinpairs.Theinboardvalvescloseiftheisolation logicsBandCaretripped,andtheoutboardvalvescloseifthe isolationlogicsAandDaretripped.ThefollowingvariablesprovideinputstotheCRVICSlogicsforinitiationofreactorvesselandcontainmentisolation,aswellas theinitiationortripofotherplantfunctionswhenpredetermined limitsareexceeded.Combinationsofthesevariables,as necessary,provideinitiationofvariousisolatingandinitiating functionsasdescribedinTable6.2-40andasfollows:
RBSUSARRevision107.3-13April19981.ReactorVesselLowWaterLevelAlowwaterlevelinthereactorvesselcouldindicatethatreactorcoolantisbeinglostthroughabreachintheRCPBand thatthecoreisindangerofbecomingoverheatedasthe reactorcoolantinventorydiminishes.Reactorvessellowwaterlevelinitiatesclosureofvariousvalves.Theclosureofthesevalvesisintendedtoisolatea breachofthepipelines,conservereactorcoolantbyclosing offprocesslines,andlimittheescapeofradioactive materialsfromthecontainmentthroughprocesslinesthat communicatewiththeRCPBorthecontainment.10Reactorvesselwaterlevelismonitoredbyfourredundantdifferentialpressuretransmitters.Eachprovidesalowwater levelinputtooneofthefourCRVICStripchannels.Three reactorvessellowwaterlevelisolationtripsettingsare usedtocompletetheisolationofthecontainmentandthe reactorvessel.Thefirstandhighest(triplevel3)reactor vessellowwaterlevelisolationtripsettinginitiates closureofRHRisolationvalves.Thesecondreactorvessel lowwaterlevel(triplevel2)initiatesclosureofallvalves inmajorprocesspipelinesexceptthemainsteamlinesand drains.Themainsteamlinesareleftopentoallowthe removalofheatfromthereactorcore.Thethirdandlowest (triplevel1)reactorvessellowwaterlevelcompletesthe isolationofthecontainmentandpressurevesselbyinitiating closureoftheMSIVsandmainsteamlinedrain valves.Diversityoftripinitiationforpipebreaksinsidethe drywellisprovidedbydrywellhighpressure.
102.DrywellHighPressureHighpressureinthedrywellcouldindicateabreachoftheRCPBinsidethedrywellandthatthecoreisindangerof becomingoverheatedasreactorcoolantinventorydiminishes.
RBS USAR Revision 16 7.3-14 March 2003 Drywell pressure is monitored by four redundant pressure transmitters. Each transmitter trip unit provides an input to
one of the four trip channels. When a predetermined increase in drywell pressure is detected, the CRVICS initiates RHR system isolation and closure of the
main steam line drain valves. 3. Main Steam Line - High Radiation 10The main steam line radiation monitoring senses the gross release of fission products from the fuel and initiates
appropriate actions to limit fuel damage and contain the
released fission products.
10 8Two redundant detectors monitor the gross gamma radiation from the main steam lines. Each provides an input to one of two
CRVICS trip channels. 10Each monitoring channel consists of a gamma-sensitive ion chamber and a log radiation monitor. Each log radiation monitor has four trip circuits. Two trips are upscale (high-high and high), one downscale (low), and one is inoperative. A high-high or inoperative produce an isolation signal and an alarm. The other two are not used. Also, each monitor has an analog module circuit that is set to alarm at a
level (high rad) below that of the upscale trip circuit used
for isolation and alarm at a downscale value. When the main steam line radiation level exceeds a predetermined value or an inop condition, CRVICS initiates closure of the group 9 valves (reactor water sample valves).
Also, the condenser air removal system mechanical vacuum pumps are tripped, which in turn isolate the mechanical vacuum pump
lines.10164. Main Steam Line - Tunnel High Ambient Temperature High ambient temperature in the steam tunnel could indicate a leak in a main steam line.
8 16 RBS USAR Revision 16 7.3-15 March 2003 The automatic closure of valves prevents excessive loss of reactor coolant and release of a significant amount of
radioactive material from the RCPB. 16 8The main steam line ambient temperature monitoring system consists of four redundant channels, each with one area temperature monitor, serving the main steam line tunnel. A high ambient temperature condition, sensed by any one of the 4 aforementioned temperature monitors, results in tripping that monitor's associated channel. Each main steam isolation trip logic is deenergized by high ambient temperature in the main
steam tunnel.
16When a predetermined increase in the main steam line tunnel ambient temperature is detected, trip signals initiate closure
of all main steam isolation valves and main steam line drain
valves.Diversity of trip initiation signals for main steam line tunnel high ambient temperature is provided by main steam line
high flow, and steam line low pressure.
- 85. Main Steam - High Flow Main steam high flow could indicate a breach in a main steam line. Automatic closure of isolation valves prevents excessive loss of reactor coolant and release of significant amounts of
radioactive material from the RCPB. Sixteen redundant differential pressure transmitters, four for each main steam line, monitor the main steam flow. Four differential pressure transmitter trip units for each main
steam line provide inputs to each of the four trip channels.
RBSUSAR7.3-16August1987Whenexcessivemainsteamflowisdetected,tripsignalsinitiateclosureofthemainsteamisolationandmainsteam linedrainvalves.6.MainSteamTurbineInlet-LowSteamPressureLowsteampressureattheturbineinletwhilethereactorisoperatingcouldindicateamalfunctionofthenuclearsystem pressureregulatorinwhichtheTCVsorturbinebypassvalves becomefullyopen,andcauserapiddepressurizationofthe reactorvessel.Fromreducedpower,therateofdecreaseof nuclearsystemsaturationtemperaturecouldexceedthe allowablerateofchangeofvesseltemperature.Arapid depressurizationofthereactorvesselwhilethereactoris nearfullpowercouldresultinundesirabledifferential pressuresacrossthechannels(aroundsomefuelbundles)of sufficientmagnitudetocausemechanicaldeformationof channelwalls.Suchdepressurization,withoutadequate preventiveaction,couldrequirethoroughvesselanalysisor coreinspectionpriortoreturningthereactortopower
operation.Fourredundantpressuretransmitters,oneforeachmainsteamline,monitormainsteampressureattheturbineinletand eachprovidesaninputtooneofthefourtripchannels.Whenadecreaseinmainsteampressurebelowapreselectedvalueisdetected,theCRVICSinitiatesclosureofallmain steamisolationvalvesandmainsteamlinedrainvalves.ThemainsteamturbineinletlowpressuretripisbypassedbythereactormodeswitchintheSHUTDOWN,REFUEL,andSTARTUP modesofreactoroperation.IntheRUNmode,thelowpressure tripfunctionisoperative.7.ReactorWaterCleanup(RWCU)System-HighDifferentialFlowHighdifferentialflowintheRWCUsystemcouldindicateabreachoftheRCPBofthecleanupsystem.Theflowatthe inlettothesystem(suctionfromtherecirculationlines)is comparedwiththeflowattheoutletsofthesystem(flow RBSUSARRevision87.3-17August1996returntofeedwaterorflowtothemaincondenserand/or radwaste).TworedundantdifferentialflowsensorscomparetheRWCUsysteminlet-outletflow.Eachoftheflowmonitoring sensorsprovidesaninputtooneoftwo(inboardoroutboard) logictripchannels.WhenanincreaseinRWCUsystemdifferentialflowisdetected,theCRVICSinitiatesclosureofallRWCUsystem isolationvalves.8DiversityoftripinitiationsignalsforanRWCUsystemlinebreakisprovidedbyinstrumentationforreactorwaterlevel, differentialflow,andambienttemperatureinRWCUequipment
areas.AnautomatictimingcircuitisprovidedtobypasstheRWCUsystemhighdifferentialflowtripduringnormalRWCUsystem surges.Thistimedelaybypasspreventsinadvertentsystem isolationsduringsystemoperationalchanges.8.ReactorWaterCleanupSystem-AreaHighAmbientTemperatureHightemperatureintheequipmentroomareasoftheRWCUsystemcouldindicateabreachintheRCPBinthecleanup
system.FourteenambienttemperatureinstrumentchannelsmonitortheRWCUsystemareatemperatures.Eightspacetemperature channelsareassociatedwiththesamelogicchannel.The remaininginstrumentchannelsareassociatedwithadifferent logicchannel.Twoambienttemperatureelementsarelocated asshowninFig.7.6-1.WhenapredeterminedlimitinRWCUsystemareaambienttemperatureisdetected,theCRVICSinitiatesclosureofall RWCUsystemisolationvalves.
8 RBSUSARRevision87.3-18August1996TheoutputtripsignalofeachsensorinitiatesachanneltripandclosureofeithertheinboardoroutboardRWCU systemisolationvalve.89.RHRSystem-AreaHighAmbientTemperatureHightemperatureintheequipmentroomareasoftheRHRsystemcouldindicateabreachintheRCPBintheRHRsystem.FourredundantambienttemperaturesensorsmonitortheRHRsystemareatemperatures.Twoambienttemperaturesensorsare associatedwithonetriplogic.Theremainingtemperature channelsareassociatedwiththeothertriplogic.The ambienttemperatureelementsarelocatedineachRHR equipmentarea.WhenapredeterminedlimitinRHRsystemareaambienttemperatureisdetected,theCRVICSinitiatesclosureofthe RHRsystemisolationvalves.TheoutputtripsignalofeachsensorinitiatesachanneltripandclosureofeithertheinboardoroutboardRHRsystem isolationvalve.Bothtripchannelsmusttriptocloseboth theinboardandoutboardisolationvalves.
8 RBSUSARRevision107.3-19April199810.MainCondenserVacuumTripThemainturbinecondenserlowvacuumsignalcouldindicatealeakinthecondenser.Initiationofautomaticclosureof variousvalvespreventsexcessivelossofreactorcoolantand thereleaseofsignificantamountsofradioactivematerial.Fourredundantpressuretransmittersmonitorthemaincondenservacuum.Theoutputtripsignalofeachinstrument channelinitiatesatripchannel.Theoutputtripsignalsof thechannellogicsarecombinedinone-out-of-twotwicelogic forMSIVsandtwo-out-of-twologicsfordrainvalves.All fourtripchannelsmusttriptoclosebothinboardand outboardMSIVs.Whenasignificantdecreaseinmaincondenservacuumisdetected,theCRVICSinitiatesclosureofthemainsteam isolationvalvesandmainsteamlinedrainvalves.Main condenserlowvacuumtripcanbebypassedmanuallyfromthe maincontrolroombyactuatingakeylockedswitch.7.3.1.1.3MainSteam-PositiveLeakageControlSystem(MS-PLCS)SystemFunctionTheMS-PLCSisdesignedtominimizethereleaseoffissionproductswhichcouldleakthroughtheclosedMSIVsandbypassthe SGTSafterapostulatedLOCA.Thisisaccomplishedby establishingapressurizedbarrierbetweenthecontainmentwith theMSIVsandtheenvirons.SystemOperation10SchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.6.7-1.MS-PLCSsystem componentcontrollogicisshowninFig.7.3-6.Instrument locationdrawingsandelementarydiagramsareidentifiedin Section1.7.AlsoseeFig.5.1-3.
10TheMS-PLCSismanuallyactuatedafteraLOCAhasoccurredandaftervalvesonthemainsteamlineshavebeenfullyclosed, providedthatthepressureoftheairsupplyandreactorare withinthepermissiveinterlocksetpoints.The RBSUSAR7.3-20August1987outboardandinboardsubsystemsareprovidedwithoneremotemanualinitiatingswitcheach,whichislocatedinthemain controlroom.Whentheinboardsystemisinitiated,thebypassairsupplyvalveF014opens,theinjectionvalveM0F005opens,thepressure controllerPCR603isactivatedtocontrolairsupplyvalvePCV F002,thedrainvalveM0F006closes,andatimerisinitiated.
Providedthatthemainsteampressureisbelowthepermissive interlocksetpoint,theisolationvalvesF007andF008open, admittingairtoraisethepressureofthemainsteamlines betweentheinboardandoutboardMSIVsB21-F022andB21-F028.A predetermineddifferentialpressureisestablishedbetweenthe reactorandthesteamlines.Ifthebypassvalvehasnotclosed onestablishingthedifferentialpressure,5minafterthedrain valveclosedthetimer(previouslyinitiated)closesthebypass valveandallowstheMS-PLCStoisolate,ifnecessary,forhigh floworforlowdifferentialpressure.Thepressure-controllerthenmaintainstherequiredpressuredifferentialbetweenthemainsteamsystem(outsidecontainment) andthereactor(insidecontainment).Mainsteamsystempressure ismonitoredfrompressuretapsintheinboardMS-PLCSprocess line.Thereactorpressureismonitoredfromtapsinthemain steamlinesupstreamoftheinboardMSIVs.Whentheoutboardsystemisinitiated,thebypassairsupplyvalveM0F034opens,theinjectionvalveM0F025opens,thepressure controllerPCR623isactivatedtocontrolairsupplyvalvePCV F022,theoutboardMSIVstemleak-offandMS-PLCSheaderdrain valveM0F026closes,andatimerisinitiated.Providedthatthe steampressureisbelowthepermissiveinterlocksetpoint,the isolationvalvesF027andF028open,admittingairtoraisethe pressureofthemainsteamlinesbetweentheoutboardMSIVsF028A, F028B,F028C,andF028Dandthemainsteamshutoffvalves M021-F098A,M0B21-F098B,M0B21-F098C,andM0B21-F098Dandthe associateddrainlines.Apredetermineddifferentialpressureis establishedbetweenthereactorandthesteamlines.Ifthe bypassvalvehasnotclosedonestablishingthedifferential pressure,5minafterthedrainvalveclosedthetimerclosesthe bypassvalveandallowstheMS-PLCS(outboard)toisolate,if necessary,forhighfloworforlowdifferentialpressure.Thepressurecontrollerthenmaintainstherequiredpressuredifferentialbetweenthemainsteamsystem(outsidecontainment) andthereactor(insidecontainment).Main RBSUSARRevision137.3-21September2000steamsystempressureismonitoredbypressuretapsintheoutboardMS-PLCSprocessline.Thereactorpressureismonitored fromtapsinthemainsteamlinesupstreamoftheinboardMSIVs.Eachsystemhasseparatecontrols,andeitherinboardoroutboardsubsystemaloneestablishessufficientpressurebarriertoprevent fissionproductleakagethroughtheMSIVs.MSIVsanddrainvalveareprovidedwithindividualmanualcontrols,butanautomaticCRVICSclosuresignaloverridesmanual.Themainsteamshutoffvalves(outboard)areclosedbymanualcontrolswitchesinthemaincontrolroom.7.3.1.1.4StandbyGasTreatmentSystem(SGTS)SystemFunctionTheSGTSprocessespotentiallyradioactiveexhaustairfromthefollowingsourcespriortodischargingtheairtothemainplant exhaustduct:1.Annulusexhaust 2.Auxiliarybuildingexhaust 3.Containment/drywellpurgeexhaust.TheinstrumentationrequirementsforthissystemarecontainedinSection6.5.1.5.SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.6.2-58.TheSGTScomponent controllogicisshowninFig.7.3-7.Instrumentlocation drawingsandelementarydiagramsareidentifiedinSection1.7.13TheSGTSconsistsoftwofullcapacityredundantfiltertrainsandassociatedfansanddampers.Automaticstartsignalsinitiate bothSGTSFiltertrains.Thefiltertrainwhichismanuallyshut downservesasabackupfortheoperatingfiltertrain.During normaloperatingtheannuluspressurecontrolsystemmaintainsthe annulusatnegativepressure(Section9.4.6).TheSGTSalso servesasabackupnon-ESFsystemtotheannuluspressurecontrol system(APCS)duringnormaloperation.UponlossoftheAPCS,a highradiationsignalfromoneoftworadiationmonitorslocated intheannulusairstream,oranESFsignal(i.e.,LOCA), 13 RBSUSARRevision137.3-22September200013theannulusairandairfromtheshieldedcompartmentsintheauxiliarybuildingareautomaticallydivertedthroughtheSGTS filtertrain.
13Duringcontainment/drywellpurgeandrefuelingoperations,manualinitiationofbothfiltertrainsispossible.TheSGTSmayalso bemanuallylinedupforannulusand/orauxiliarybuildingexhaust airpurification.Post-accidentradiationmonitoringisprovidedinthemaincontrolroomfortheSGTSeffluent.Statuslightsinthemaincontrolroomindicatethemotor-drivenfanswhichareenergizedandthepositionoftheSGTSdampers.7.3.1.1.5CombustibleGasControl SystemFunctionThecombustiblegascontrolsystemencompassesthefollowingESF subsystems:1.Hydrogenanalyzersystem 2.Hydrogenmixingsystem 3.Hydrogenrecombinersystem.
4.HydrogenignitersystemTheinstrumentationrequirementsforthissystemarecontainedinSection6.2.5.5.Thepurposeofthehydrogenanalyzersystemistomonitorthehydrogenconcentrationoftheatmospheresinsidethecontainment anddrywell.AfteraLOCA,thehydrogenmixingsystemservestomixtheatmospherewithinthedrywellwiththatofthecontainmentto loweranylocalhydrogenconcentration.Ifthehydrogenconcentrationreachesapresetvalue,thehydrogenrecombinersystemisusedtoreducethehydrogenconcentration insidethecontainmenttoasafenonexplosivelevel.
RBSUSARRevision137.3-23September2000Thehydrogenignitersystemisfurnishedtomeettheinterimrequirementsrelatedtothehydrogencontrolfordegradedcore hydrogengenerationevents.SystemOperation1.HydrogenAnalyzerSystemThehydrogenanalyzersystemcomponentcontrollogicisshowninFig.7.3-22.Instrumentlocationdrawingsandelementary diagramsareidentifiedinSection1.7.13Thehydrogenanalyzersystemmeasuresthehydrogenconcentrationoftheatmosphereinsidethecontainmentand drywell.Eachsystemincludesasequenceprogrammerfor automaticoperationofthecontainmentanddrywellhydrogen samplingvalves.Duringemergencyconditions(LOCA),high drywellpressureorlowreactorwaterlevelautomatically activatesapost-accidenthydrogenrecorderinthemain controlroom.Thehydrogenanalyzersystemwilloperate continuouslyunderautomaticandmanualoperation.Priorto day11ofpostaccidentoperation,eachoperatinganalyzer willbeplacedinthemanualmodeofoperationtoprevent automaticsequencingbetweenthedrywellandcontainment.
Thisisnecessarytopreservetheenvironmental qualificationsofthesolenoid-operatedvalvesineachofthe samplelines.Thehydrogenanalyzerswillbealignedto continuouslysamplefromeitherthedrywellorcontainment, oracombinationofboth,fortheremainderoftheevent.
Duringnormalplantoperation,thehydrogenanalyzer isolationvalvesareopen.Statuslightsinthemaincontrol roomindicatethepositionofthehydrogensampleand isolationvalves.
132.HydrogenMixingSystemSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.6.2-66.The hydrogenmixingsystemcomponentcontrollogicisshownin Fig.7.3-8.Instrumentlocationdrawingsandelementary diagramsareidentifiedinSection1.7.Thehydrogenmixingsystemconsistsoftwofullcapacityredundanthydrogenmixingfansandassociatedvalves.
Initiationofthehydrogenmixingsystemisperformed manually.Statuslightsinthemaincontrolroomindicate themotor-drivenfanswhichareenergizedandthepositionof thehydrogenmixinginletandventvalves.
RBS USAR Revision 18 7.3-24 3. Hydrogen Recombiner System The hydrogen recombiner system component control logic is shown in Fig. 7.3-10. Instrument location drawings and
elementary diagrams are identified in Section 1.7. The hydrogen recombiner system consists of two full capacity redundant hydrogen recombiner units. Each recombiner unit consists of an inlet preheater, a heater recombination section, and an exhaust chamber. Initiation of the hydrogen recombiner system is performed manually. Performance of the
hydrogen recombiners is monitored in the main control room. 4. Hydrogen Control System (Igniters) The hydrogen igniter system is described in Section 6.2.5.2.5. The system's electrical arrangement is shown on Fig. 7.3-25, and its electrical schematic is shown on Fig.
7.3-26.The hydrogen igniter system includes a total of 104 igniters, powered from two physically separate and electrically independent Class 1E sources of power. The hydrogen igniter system derives its power from motor control centers which are ultimately connectable to either the preferred offsite power sources or to the standby diesel generators. Its distribution system consists of combination starters with remote control switches for each electrical division located in the main control room. This energizes the hydrogen igniters via 480-120/240-V transformers and distribution
panelboards located outside the containment. 7.3.1.1.6 Reactor Plant Ventilation System
System FunctionThe reactor plant ventilation system encompasses the following ESF subsystems:1. Containment ventilation system
- 2. Annulus mixing system (Disabled)
.In conjunction with the RHR suppression pool cooling mode of operation, the containment ventilation system is used in RBS USAR Revision 18 7.3-25 preventing the containment atmosphere temperature from exceeding 185 F.System OperationSchematic arrangements of system mechanical equipment and operational displays are shown in Fig. 9.4-7a through 9.4-7e. The reactor plant ventilation system component control logic is shown in Fig. 7.3-9. Instrument location drawings and elementary
diagrams are identified in Section 1.7. 1. Containment Ventilation System The containment ventilation system consists of three air recirculation cooling units, two of which are safety related.
During normal operation, initiation of the containment unit coolers is performed manually. In the emergency (LOCA) mode
of operation, both safety-related unit coolers are
automatically initiated by high drywell pressure or low reactor water level. One unit cooler is selected by the operator for operation. During a loss of offsite power (and existing LOCA signal), the unit cooler fans start automatically. The unit cooler fan stops running when the
containment-to-annulus differential pressure is negative.
Status lights in the main control room indicate the motor-driven fans which are energized. The instrumentation requirements for this system are contained in Section
9.4.6.5.2. Annulus Mixing System (Disabled)
The annulus mixing system fans HVR-FN11A/B and associated alarm functions are secured to disable the annulus mixing system per ER 02-0223.
RBS USAR Revision 18 7.3-26 7.3.1.1.7 RHR Suppression Pool Cooling Mode (SPCM)
System FunctionThe SPCM is an operating mode of the RHR system. It is designed to prevent suppression pool temperature from exceeding predetermined limits following a reactor blowdown of the ADS or SRV, or a LOCA.
Thus the SPCM removes containment heat by cooling the suppression pool volume, in conjunction with cooling the containment atmosphere (Section 7.3.1.1.6).
System OperationSchematic arrangements of system mechanical equipment and operator information displays are shown in Fig. 5.4-12. Component control logic and operator information displays are shown in Fig. 7.3-4.
Suppression pool temperature is determined through the use of the suppression pool temperature monitors located as detailed in Table 7.6-1. Instrumentation location drawings and elementary diagrams
are identified in Section 1.7. The SPCM is initiated by the main control room operator either during normal plant operation or following an SRV actuation or a LOCA, when the suppression pool temperature monitoring system (Section 7.5) indicates that pool temperature may exceed a
predetermined limit. During normal plant operation the operator initiates the SPCM as follows: 101. RHR heat exchanger service water discharge valves MO F068A and MO F068B are manually opened as needed. The RHR Pump (A or B) is started.
102. The RHR test return line valves MO F024A and MO F024B are opened.3. The RHR heat exchanger inlet and outlet valves MO F047A, MO F047B, MO F003A, and MO F003B are RBSUSARRevision137.3-27September2000normallyopen.TheheatexchangerbypassvalvesMOF048AandMOF048B,andvalvesMOF003AandMOF003Bare throttledasnecessary.10Duringnormalplantoperation,heataddedtothesuppressionpoolasaresultofsafetyreliefvalveleakageorRCICtestingmay alsoberemovedbythesuppressionpoolcleanupandcooling configurationoftheSuppressionPoolCleanup,Cooling,and AlternateDecayHeatRemovalsystem.
10SubsequenttoaLOCAtheoperatorinitiatestheSPCMasfollows:131.Oncereactorvesselwaterlevelhasbeenrestored,themanualclosingoftheLPCIinjectionvalvesMOF042Aand MOF042Boverridesauto-initiation(open)logicand allowsmanualcontrolofinjectionvalves.
132.TheRHRtestreturnlinevalvesMOF024AandMOF024BcontrollogicalsohasLOCAsignaloverrideprovisions.
Thisallowstheoperatortoopenthevalve.103.TheRHRheatexchangerinletandoutletvalvesMOF047A,MOF047B,MOF003A,andMOF003Barenormallyopen.The heatexchangerbypassvalvesMOF048AandMOF048B,after atimedelay(a10-mintimerkeepsthesevalvesopen followingaLOCA)andvalvesMOF003AandMOF003Bare throttledasnecessary.
107.3.1.1.8StandbyServiceWater(SSW)SystemSystemFunctionThepurposeoftheSSWsystemistoprovideareliablesourceofcoolingwaterforplantauxiliariesthatareessentialtoasafe reactorshutdownfollowingadesignbasisaccident(LOCA).The SSWsystemprovidesabackupforthenormalservicewaterandthe reactorplantcomponentcoolingwatersystems.Theinstrumentationrequirementsforthissystemarecontainedinthefollowingsections:Section9.2.5.5-Ultimateheatsink(standbycoolingtowerfans)
Section9.2.7-SSWSystem SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.9.2.1athrough9.2-1d.The SSWsystemcomponentcontrollogicisshowninFig.7.3-11.
Instrumentlocationdrawingsandelementarydiagramsare identifiedinSection1.7.
RBSUSAR7.3-28August1987TheSSWsystemconsistsoftworedundantmechanicalsystems.Eachsystemconsistsoftwo50-percentcapacityservicewaterpumps withassociatedvalvesandstandbycoolingtowerfans.Oneofthe redundantmechanicalSSWsystemscontainsDivisionI(1SWP*P2A) andDivisionIII(1SWP*P2C)pumps.TheothermechanicalSSW systemincludesDivisionII(1SWP*P2B,P2D)pumps.Standby coolingtowerfansaredividedbetweenDivisionsIandIIonly.
TheSSWsystemisdividedintotwoindependentpipingloopswith manualcrossovercapabilitybetweentheloops.AutomaticinitiationoftheSSWsystemoccurswhenthenormalservicewatersystempressureorthereactorplantcomponent coolingwater(RPCCW)systempressuredropsbelowpresetvalues.
TheinitiationsignalalsoactivatestheSSWsystemrecordersin themaincontrolroom.Theserecordersmonitorthefollowing
parameters:1.SSWsupplyandreturnflow 2.SSWheaderpressureandstandbycoolingtowerlevel.LossofRPCCWsystempressureautomaticallyisolatesalllinesservingsafety-relatedequipmentfromtheRPCCWsystem.ALOCAconditionwithadequateRPCCWsystempressureallowstheRPCCWsystemtosupplycoolingwatertothefollowingpumpsand
coolers:1.RHRpumpsealcoolers 2.Fuelpoolcoolers 3.RWCUpumpsealandmotorbearingcoolers.
4.Controlroddrivepumpcoolers.TheremainingequipmentservicedbytheRPCCWsystemisisolated.
LowRPCCWsystempressureautomaticallyisolatesalllinesservedbytheRPCCWsystemwiththeexceptionoftheRWCUpumpsand, instead,allowstheSSWsystemtoprovidecoolingwatertothe followingequipment:
RBSUSAR7.3-29August19871.RHRpumpsealcoolers2.FuelpoolcoolersALOCAcondition(highdrywellpressureorlowreactorwaterlevel)providesSSWtothetwosafety-relatedcontainmentunit coolers,providedthecontainment-to-annulusdifferentialpressure ispositive.ALOCAconditionautomaticallyisolatestheSSW linesservingthedrywellunitcoolers.Statuslightsinthemaincontrolroomindicatethemotor-drivenfansandpumpswhichareenergizedandthepositionoftheSSW systemvalves.7.3.1.1.9ControlBuildingAirConditioningSystem SystemFunctionThepurposeofthecontrolbuildingairconditioningsysteminstrumentationandcontrolsistoprovideanenvironmentinthe controlbuildingsuitableforhabitation.ThecontrolbuildingairconditioningsystemencompassesthefollowingESFsubsystems:1.Maincontrolroomareaventilationsystem 2.Standbyswitchgearandchillerequipmentroomsventilationsystem.TheinstrumentationrequirementsforthissystemarecontainedinSection9.4.1.5.SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.9.4-1athrough9.4-1e.The maincontrolroomareaventilationsystemcomponentcontrollogic isshowninFig.7.3-12.Thestandbyswitchgearandchiller equipmentroomsventilationsystemscomponentcontrollogicis showninFig.7.3-13.Instrumentlocationdrawingsandelementary diagramsareidentifiedinSection1.7.1.MainControlRoomAreaVentilationSystemThemaincontrolroomareaventilationsystemconsistsoftwofullcapacityredundantairhandlingunitswithassociated filtertrain, RBSUSAR7.3-30August1987electricheater,anddampers.Air-conditioningunitscanbestartedmanuallyorautomaticallywhenacontrolbuilding chilledwaterpumpisrunning.Roomtemperatureis maintainedandhumidityislimitedtowithindesignlimits.
Intheemergency(LOCA)modeofoperationahighdrywell pressureorlowreactorwaterlevel,orhighradiation conditioninthelocaloutsideairintake,automatically divertsthesupplyairthroughthemaincontrolroomcharcoal filtertrain.Theoperatorhastheoptionofselectingfresh airsupplyforthecontrolbuildingfromeitherthelocal outsideairintakeorremoteoutsideairintake.Status lightsinthemaincontrolroomindicatethemotor-driven fanswhichareenergizedandthepositionofthecontrolroom ventilationsystemdampers.Inthepurgemode,thesystem removessmokeornoxiousgasesfromthemaincontrolroom area.Initiationofthepurgemodeisperformedmanually.2.StandbySwitchgearandChillerEquipmentRoomsVentilationSystemsThestandbyswitchgearandchillerequipmentroomsventilationsystemseachconsistoftwofullcapacity redundantairhandlingunitswithassociatedfan,heater,and dampers.Air-conditioningunitscanbestartedmanuallyor automaticallywhenacontrolbuildingchilledwaterpumpis running.Roomtemperatureismaintainedwithindesign limits.Statuslightsinthemaincontrolroomindicatethe motordrivenfanswhichareenergizedandthepositionsof thestandbyswitchgearandchillerequipmentrooms ventilationsystemdampers.7.3.1.1.10ControlBuildingChilledWaterSystem SystemFunctionThecontrolbuildingchilledwatersystemsupplieschilledwatertothecontrolbuildingairconditioningsystem(Section
7.3.1.1.9).TheinstrumentationrequirementsforthissystemarecontainedinSection9.2.10.5.
RBS USAR Revision 16 7.3-31 March 2003 System OperationSchematic arrangements of system mechanical equipment and operator information displays are shown in Fig. 9.2-9a and 9.2-9b. The control building chilled water system component logic is shown in Fig. 7.3-14. Instrument location drawings and elementary diagrams
are identified in Section 1.7. 16 3The control building chilled water system consists of two redundant systems. Each system consists of two 100-percent capacity water chillers with associated pumps and valves. During normal operation the makeup water for the chilled water compression tank is automatically supplied by the plant makeup water system and water to the chiller condenser is supplied by the normal service water system. During emergency conditions (LOCA), high drywell pressure or low reactor water level isolates the nonsafety-related supply of
the makeup water system and allows the operator to switch to the SSW system. Also, during LOCA, the chiller condenser is supplied by the SSW system. Status lights indicate the motor-driven pumps, and the position of the chilled water system valves are provided in
the main control room.
3 167.3.1.1.11 Standby Power Support Systems System FunctionThe standby power support systems for the two standby diesel generators and the HPCS diesel generator encompasses the following
ESF subsystems: 1. Diesel generator fuel oil storage and transfer system
- 2. Diesel generator starting system
- 3. Diesel generator lubrication system
- 4. Diesel generator cooling water system
- 5. Diesel generator combustion air intake and exhaust system. The purpose of the diesel generator fuel oil storage and transfer system is to provide an adequate fuel oil supply for 7 days continuous operation of each diesel generator at its rated
capacity. 14The diesel generator starting system provides the required air pressure for startup of each diesel generator as described in
Section 9.5.6.1.
14 RBSUSARRevision147.3-32September20011412Thestartingsystemalsoprovidescontrolairforthetwostandby dieselgenerators'pneumaticlogic,whichisrequiredforstopping ofthedieselgenerators.Theaircompressorspoweredfromthe Class1Epowersupplyforthetwostandbydieselgenerators providethecapabilityforalongtermairsupplyforthe pneumaticlogic.
1214Thepurposeofthedieselgeneratorlubricationsystemisto circulatethelubeoilandtomaintainthelubeoiltemperatureat avaluewhichensuresquickstartingcapabilityofthediesel
generator.Thepurposeofthedieselgeneratorcoolingwatersystemistoprovidecoolingwatertothedieselgeneratorenginejacketandto maintainthetemperatureofthewaterataminimumtemperature whentheengineisnotrunning.Thedieselgeneratorcombustionairintakeandexhaustsystemprovidestherequiredcombustionairpressureandtemperature conditionsforoperationofthedieselengines.ThedieselgeneratorprotectioninterlocksaredescribedinSection8.3.SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplaysareshowninFig.9.5-2and9.5-4a.The dieselgeneratorfueloilstorageandtransfersystemcomponent controllogicisshowninFig.7.3-15.Thedieselgenerator startingsystemcomponentcontrollogicisshowninFig.7.3-16.
Thedieselgeneratorlubricationsystemcomponentcontrollogicis showninFig.7.3-17.Thestandbystationservicecomponentlogic isshowninFig.7.3-23.Instrumentlocationdrawingsand elementarydiagramsareidentifiedinSection1.7.1.DieselGeneratorFuelOilStorageandTransferSystemThefueloilstorageandtransfersystemconsistsofthreeredundantsystems.Eachsystemconsistsofafueloil storagetank,afueldaytank,andassociatedpumps.The fueloillevelinthedaytankismaintainedwithinlimitsby automaticcontrols.Eachdieselgeneratorfueloiltransfer systemismonitoredintherespectivedieselgenerator controlroomandmaincontrolroom.TheinstrumentationrequirementsforthissystemarecontainedinSection9.5.4.5.
RBSUSARRevision127.3-33December19992.DieselGeneratorStartingSystem12Eachdieselgeneratorisprovidedwithtwofullcapacityredundantairstartingsystems.Eachstartingsystem consistsofacompressorwithairdryer,twoairreceiver tanks,andastartupsolenoid.Thesystemairpressureis maintainedwithinlimitsbyautomaticoperationofthe compressor.ALOCAconditionenergizestoopentheair startupsolenoidallowingtheenginetostart.Iftheengine doesn'tstartautomatically,afail-to-startalarmis activatedinthemaincontrolroom.Amanualstartcontrol switchisprovidedinthemaincontrolroom.Controlpower foroperationofthedieselgeneratorstartingsystemis suppliedbythestandby125-vdcsystem.Controlairfor operationofthepneumaticlogic,whichisrequiredfor stoppingofthetwostandbydieselgenerators,issuppliedby theairstartingsystems.Statuslightsandinstrumentsin thedieselgeneratorcontrolroommonitortheoperationof thedieselgeneratorstartingsystem.
12TheinstrumentationrequirementsforthissystemarecontainedinSection9.5.6.4.3.DieselGeneratorLubricationSystemEachdieselgeneratorlubricationsystemconsistsofalubeoilcirculatingpumpandassociatedlubeoilheater.The lubeoilcirculatingpumprunswheneveritsdieselengineis idle.Thelubeoilheaterisenergizedwhenthelubeoil temperaturedropsbelowapresetvaluewhilethecirculating pumpisrunning.Statuslightsinthedieselgenerator controlroommonitortheoperationofthedieselgenerator lubricationsystem.TheinstrumentationrequirementsforthissystemarecontainedinSection9.5.7.4.4.DieselGeneratorCoolingWaterSystemEachdieselgeneratorcoolingwatersystemconsistsoftwofullcapacityredundantcoolingwaterpumpswithassociated heatexchanger,heater,andexpansiontank.Thediesel enginejacketcoolingwaterismaintainedataminimum temperaturewhentheengineisidle.Statuslightsand instrumentsinthedieselgeneratorcontrolroommonitorthe operationofthedieselgeneratorcoolingwatersystem.
RBS USAR Revision 18 7.3-34 The instrumentation requirements for this system are contained in Section 9.5.5.4. 5. Diesel Generator Combustion Air Intake and Exhaust System Each diesel generator combustion air system is monitored in the respective diesel generator control room and in the main
control room. The instrumentation requirements for this system are contained in Section 9.5.8.5. 7.3.1.1.12 Diesel Generator Building Ventilation System
System FunctionThe purpose of the diesel generator building ventilation system is to maintain the temperature of the air inside each diesel generator room within the environmental limits listed in Table 9.4-1
.The instrumentation requirements for this system are contained in Section 9.4.5.5.
System OperationSchematic arrangements of system mechanical equipment and operator information displays are shown in Fig. 9.4-5. The diesel generator building ventilation system component control logic is shown in Fig. 7.3-18. Instrument location drawings and elementary diagrams
are identified in Section 1.7. The diesel generator ventilation system is described in Section 9.4.5.2.2. Initiation of the exhaust fan occurs automatically when
the diesel generator is running or the ambient room temperature exceeds 110 F.7.3.1.1.13 SSW Pump House Ventilation System System Function The purposes of the SSW pump house ventilation system are as follows: 1. To maintain the temperature of the air inside the pump roomswithin the environmental limits listed in Table 9.4-1.
RBS USAR Revision 18 7.3-35 2. To ensure adequate air flow in the switchgear rooms. The instrumentation requirements for this system are contained in Section 9.4.5.5.
System OperationSchematic arrangements of system mechanical equipment and operator information displays are shown in Fig. 9.4-6b. The SSW pump house ventilation system component control logic is shown in Fig. 7.3-19.
Instrument location drawings and elementary diagrams are
identified in Section 1.7. The SSW pump house ventilation system consists of two full capacity fans for each pump room. Pump rooms A and B contain Divisions I
and II, and III equipment. Initiation of the SSW pump house fan s occurs automatically to ensurenormal maximum space temperature does not exceed the environmental value listed in Table 9.4-1. The SSW pump house ventilation system also includes two full capacity redundant fans in each switchgear room (A and B). Initiation of the switchgear room standby fan occurs automatically on operating
fan failure. Status lights for the motor-driven fans are provided in the main control room. 7.3.1.1.14 Auxiliary Building Ventilation System
System Function 16The purpose of the auxiliary building ventilation system instrumentation and controls is to prevent the ambient temperature inside each area in the auxiliary building from exceeding the
environmental limits as described in Table 9.4-1.
16The instrumentation requirements for the auxiliary building ventilation system are contained in Section 9.4.3.5.
System OperationSchematic arrangements of system mechanical equipment and operator information displays are shown in Fig. 9.4-7a through 9.4-7c. The auxiliary building ventilation system component control logic is
shown in Fig. 7.3-20. Instrument RBS USARRevision 37.3-36August 1990location drawings and elementary diagrams are identified in Section 1.7.The auxiliary building ventilation system includes unit coolersfor those areas that contain equipment in ESF systems. Operation of the unit coolers is performed manually. Redundant unit coolers are provided for the SGTS area. These coolers are interlocked
with their respective discharge dampers.
In the emergency (LOCA) mode of operation, high drywell pressureor low reactor water level diverts the exhaust air through the SGTS charcoal filter train. A LOCA condition automatically shuts
down and isolates the auxiliary building supply air system which
is not a safety-related system.
A high radiation level in the auxiliary building exhaust isannunciated in the main control room. The operator must manually divert the exhaust air to the SGTS and shut down the supply air system. Status lights in the main control room indicate the
motor-driven unit cooler fans which are energized and the position
of the auxiliary building ventilation system dampers.7.3.1.1.15 Fuel Building Ventilation System
System Function 3 The fuel building ventilation system processes potentially
radioactive exhaust air prior to discharging the air to the
environment.
3The instrumentation requirements for the fuel building ventilation
system are contained in Section 9.4.2.5.
System OperationSchematic arrangements of system mechanical equipment and operatorinformation displays are shown in Fig. 9.4-2a and 9.4-2b. The fuel building ventilation system component control logic is shown in Fig. 7.3-21. Instrument location drawings and elementary
diagrams are identified in Section 1.7.The fuel building ventilation system includes a post-accidentexhaust air system, consisting of two full capacity redundant filter trains and associated fans and dampers and unit coolers for those areas in the fuel building that require removal of heat dissipated from equipment. Operation of the unit cooler is
performed manually.
RBSUSAR7.3-37August1987Duringemergencyconditions(LOCA),highdrywellpressure,lowreactorwaterlevel,orhighradiationinthefuelbuilding exhaustautomaticallydivertsthefuelbuildingexhaustair throughthefuelbuildingexhaustfiltertrainpriortoreleasing theairtotheenvironment.Also,aLOCAsignalorahigh radiationsignalautomaticallyshutsdownthenonsafety-related normalexhaustairsystemandthenormalsupplyairsystem.
EitheraLOCAsignalorahighradiationsignalinitiatesboth filtertrains.Thefiltertrainwhichismanuallyshutdown servesasabackupfortheoperatingfiltertrain.Duringfuel handlingmodeofoperation,theexhaustairisroutedthroughthe filtrationunits.Post-accidentradiationmonitoringisprovidedinthemaincontrolroomforthefuelbuildingeffluent.Statuslightsfortheheatersandmotor-drivenfansandthepositionofthefuelbuildingventilationsystemdampersare providedinthemaincontrolroom.7.3.1.2DesignBasisInformation TheESFsystemsaredesignedtoprovidetimelyprotectionagainsttheonsetandconsequencesofconditionsthatthreatenthe integrityofthefuelbarrierandtheRCPB.Chapter15identifies andevaluateseventsthatjeopardizethefuelbarrierandRCPB.
Themethodsofassessingbarrierdamageandradioactivematerial releases,alongwiththemethodsbywhichabnormaleventsare identified,arepresentedinthatchapter.1.VariablesMonitoredtoProvideProtectiveActionThefollowingvariablesaremonitoredinordertoprovideprotectiveactionstotheESFsystems:a.HPCS(1)Reactorvessellowwaterlevel(triplevel2)(2)Drywellhighpressureb.ADS(1)Reactorvessellowwaterlevel(triplevel3)
RBSUSARRevision127.3-38December1999(2)Reactorvessellowwaterlevel(triplevel1)(3)Drywellhighpressurec.LPCSandLPCI(1)Reactorvessellowwaterlevel(triplevel1)
(2)Drywellhighpressured.CRVICS(1)Reactorvessellowwaterlevel(triplevel3)
(2)Reactorvessellowwaterlevel(triplevel2)
(3)Reactorvessellowwaterlevel(triplevel1)
(4)Drywellhighpressure (5)Mainsteamhighradiation (6)Mainsteamlineareahighambientanddifferential temperature(7)Mainsteamlinehighflow (8)Mainsteamturbineinletlowsteampressure (9)RWCUhighdifferentialflow12(10)RWCUareahighambienttemperature(11)RHRareahighambienttemperature 12(12)Maincondenserlowvacuume.MS-PLCS(manual)Reactorvessellowpressure RBSUSARRevision137.3-39September2000f.SGTS(1)Reactorvessellowwaterlevel(triplevel2)
(2)Drywellhighpressure13g.CombustibleGasControlSystem(manual)Containmenthydrogenconcentrationh.ReactorPlantVentilationSystem(1)Reactorvessellowwaterlevel(triplevel1)
(2)Reactorvessellowwaterlevel(triplevel2)
(3)Drywellhighpressure 13I.SPCM(manual)(1)Suppressionpooltemperature (2)Drywellhighpressure (3)Reactorvessellowwaterlevel(triplevel1)j.SSW(1)Normalservicewatersystemheaderpressure (2)RPCCWsystemheaderpressure (3)Reactorvessellowwaterlevel(triplevel1)
(4)Drywellhighpressurek.ControlBuildingAirConditioningSystem4(1)Reactorvessellowwaterlevel(triplevel2) 4 RBSUSAR7.3-40August1987(2)Drywellhighpressure(3)Airintakehighradiationl.ControlBuildingChilledWaterSystem(1)Reactorvessellowwaterlevel(triplevel2)
(2)Drywellhighpressure (3)Controlbuildingairconditioningsystemstatusm.StandbyPowerSupportSystems(1)HPCSandstandbydieselgeneratorsystems(RefertoSection8.3.1.)(2)HPCSandstandbydieselgeneratorsupportsystems(a)Fueloildaytanklevel (b)Fueloilstoragetanklevel (c)Startingairreceiverpressure (d)StandbyorHPCSdieselstartn.DieselGeneratorBuildingVentilationSystem(1)Dieselgeneratorroomambienttemperature (2)Dieselgeneratorstartsignalo.StandbyServiceWaterPumpHouseVentilationSystemSSWpumphousepumproomtemperaturep.AuxiliaryBuildingVentilationSystem(1)Reactorvessellowwaterlevel(triplevel2)
(2)Highdrywellpressure RBSUSARRevision87.3-41August1996(3)Auxiliarybuildingexhausthighradiationsignal (manual)q.FuelBuildingVentilationSystem(1)Reactorvessellowwaterlevel(triplevel2)
(2)Highdrywellpressure (3)FuelbuildingexhausthighradiationTheplantconditionswhichrequireprotectiveactioninvolvingtheESFsystemsaredescribedinChapter15andAppendix15A.82.LocationandMinimumNumberofSensorsSeetheTechnicalSpecifications/Requirementsfortheminimumnumberofsensorsrequiredtomonitorsafety-related variables.TherearenosensorsintheESFsystemswhich haveaspatialdependence.
83.PrudentOperationalLimitsOperationallimitsforeachsafety-relatedvariabletripsettingareselectedwithsufficientmarginsothata spuriousESFsysteminitiationisavoided.Itisthen verifiedbyanalysisthatthereleaseofradioactive materials,followingpostulatedgrossfailuresofthefuelor thenuclearsystemprocessbarrier,iskeptwithinacceptable
bounds.4.MarginThemarginbetweenoperationallimitsandthelimitingconditionsofoperationofESFsystemsarelistedandthe basesstatedintheTechnicalSpecifications.85.LevelsLevelsrequiringprotectiveactionareestablishedintheTechnicalSpecifications/Requirements.
8 RBSUSAR7.3-42August19876.RangeofTransient,SteadyState,andEnvironmental ConditionsTheenvironmentalqualificationofthesafety-relatedESFinstrumentationandcontrolsisdiscussedinSection3.11.
TheESFpowersupplyrangeofsteadystateandtransient conditionsisprovidedinChapter8.7.Malfunctions,Accidents,andOtherUnusualEventsWhichCouldCauseDamagetoSafetySystemsa.Floods ThebuildingscontainingESFsystemscomponentshavebeendesignedtomeetthePMFatthesitelocation.Thisensures thatthebuildingsremainwatertightunderPMFconditions includingwind-generatedwaveactionandwaverunup.Fora discussionofinternalfloodingprotectionrefertoSections 3.4and3.6.b.StormsandTornadoes ThebuildingscontainingESFsystemscomponentshavebeendesignedtowithstandmeteorologicaleventsdescribedin Section3.3.c.Earthquakes ThestructurescontainingESFsystemscomponentshavebeenseismicallyqualified,asdescribedinSections3.7and3.8, toremainfunctionalduringandfollowinganSSE.Seismic qualificationofinstrumentationandelectricalequipmentis discussedinSection3.10.d.Fires ToprotecttheESFsystemsintheeventofapostulatedfire,theredundantportionsofthesystemsareseparatedbyfire barriers.Ifafireweretooccurwithinoneofthesections orintheareaofoneofthepanels,theESFsystems functionswouldnotbepreventedbythefire.Theuseof separationandfirebarriersensuresthateventhoughsome
portion RBSUSARRevision87.3-43August1996ofthesystemsmaybeaffected,theESFsystemscontinuetoprovidetherequiredprotectiveaction.Fireprotectionis discussedinSection9.5.e.LOCA TheESFsystemscomponentsfunctionallyrequiredduringand/orfollowingaLOCAhavebeenenvironmentallyqualified toremainfunctionalasdiscussedinSection3.11.Chapter 15describestheeffectsofaLOCA.f.PipeBreakOutsideSecondaryContainmentThisconditiondoesnotpreventsafeshutdown.RefertoSection3.6.Chapter15describestheeffectsofapipe breakoutsidecontainment.g.Missiles Protectionforsafety-relatedcomponentsisdescribedinSection3.5.88.MinimumPerformanceRequirementsMinimumperformancerequirementsforESFinstrumentationandcontrolsareprovidedintheTechnicalSpecifications/
Requirements.
87.3.1.3FinalSystemDrawingsThefinalsystemdrawingsincluding:1.Pipingandinstrumentationdiagrams(P&ID)orinstrumentandelectricaldiagrams(IED),and2.Functionalcontroldiagrams(FCD)orlogicdiagrams (LSK)havebeenprovidedorreferencedfortheESFsystemsinthis section.ESFsystemselementarydiagramsarelistedinSection1.7.
EquipmentarrangementdrawingsareprovidedinSection1.2.
FunctionalandarchitecturaldesigndifferencesbetweenthePSARandFSARarelistedinTable1.3-8.
RBSUSARRevision87.3-44August19967.3.2Analysis7.3.2.1ESFSystems Chapters15and6evaluatetheindividualandcombinedcapabilitiesoftheESFsystems.TheESFsystemsaredesignedinsuchawaythatalossofinstrumentair,lossofcoolingwatertovitalequipment,aplant loadrejection,oraturbinetripdoesnotpreventthecompletion ofthesafetyfunction.Asystem-level/qualitativetypeplantFMEA,theNuclearSafetyOperationalAnalysis(NSOA),ispresentedinAppendix15A.In addition,failuremodesandeffectsanalysesforbalance-of-plant (BOP)ESFinstrumentationandcontrolsystemsarecontainedinthe FMEAdocument.AllplantsystemshavingESFfunctionsorprovidingsupportforESFfunctionswerereviewedinthecontextofIEBulletin80-06.
Ithasbeenverifiedthat,exceptasdiscussedbelow,1) protectiveactioniscompletedonceinitiated;2)all safety-relatedequipmentremainsinitsemergencymodeuponreset ofanESFactuationsignal;and3)returnofasystemto nonsafety-featureoperationrequiressubsequentdeliberate operatoraction.1.a.HPCSDieselGenerator8AsystemlevelresetoftheESFactuationsignaldoesnotshutdownthedieselgenerator.However,asystemlevel resetdoesrestorealloftheprotectivetripsprovided fordieselgeneratorprotection(i.e.,highjacketwater temperature,lowlubricationoilpressure,reversepower, lossofexcitationovercurrent)whichareblockedduring anabnormalcondition.Ifanyoftheseprotectivetrips ispresentatthetimeofsystemlevelreset,thediesel generatortripsandalockoutoccurs.8Intheemergencymode,theHPCSdieselgeneratorisasourceofonsitepower.Duringemergencies,which includesaLOCA,mostoftheprotectivetripfunctions areblockedsothatthedieseloperatesaslongas possible,regardlessofthedamagethatitmayincur.
Uponconclusionoftheemergency,allprotective functionsarerestoredassoonastheLOCAsignalis manuallyreset.Thisrestorationofprotectivefunctions isprovidedso RBSUSAR7.3-45August1987thatthedieseldoesnotsufferanymoredamagethannecessary.ThstripsarenotreinstateduntiltheLOCA signalisreset.Sincethissignalmustbemanually reset,thetripsare,ineffect,manuallyreinstated.
Thus,aftertheLOCA,thedieselcontinuestorunwith alltripsfunctioningnormally.1.b.StandbyDieselGeneratorsThestandbydieselgenerators(1EGS*EG1Aand1EGS*EG1B)operateinamannersimilartotheHPCSdiesel.Upon resetoftheESFactuationsignal,thegenerator protectivetripsareautomaticallyrestored,whereasthe engineprotectivetripsmustbemanuallyrestored.Refer toSection8.3.1.6.1.2and8.3.1.1.4.1foradescription ofthestandbydieselgeneratorprotectiveinterlocks.ItistheRiverBendStationpositionthatthismethodofoperationfortheHPCSandstandbydieselgeneratormeets theintentofIEBulletin80-06andnomodificationsare
planned.2.AutomaticDepressurizationSystemAresetdeenergizestheADSsolenoids,thusreturningtheair-operatedADSvalvestothenormalclosedcondition.ThedesignoftheADSincludesadedicatedresetbuttonineachofthetwodivisions.Pushingbothbuttons causesallADSvalvestoclose,interruptingADSaction for120sec.Theresetpushbuttonsareprovidedfor manuallypreventingorlimitinginadvertentactuationof theADS.ThesearetheonlyADSshutoffswitches availabletotheoperator.ItistheRiverBendStationpositionthatthisdesignisconsistentwithIEEEStandardsandnochangeis consideredappropriateinresponsetoIEBulletin80-06.
RBSUSAR7.3-46August19877.3.2.1.1ConformancetoTitle10CodeofFederalRegulations,Part50(10CFR50)AppendixA-GeneralDesignCriteria(GDC)TheconformancediscussionsprovidedinSection3.1fortheGDCapplytotheESFSystems,asidentifiedinTable7.1-3.7.3.2.1.2ConformancetoIEEEStandards ThefollowingisadiscussionofconformancetothoseIEEEstandardswhichapplyspecificallytotheESFsystems.Referto Section7.1.2.3foragenericdiscussionofIEEEstandardswhich applytotheESFsystems,asidentifiedinTable7.1-3.1.IEEE279-1971a.GeneralFunctionalRequirement(IEEE279-1971,Paragraph4.1)TheESFsystemsautomaticallyinitiatetheappropriateprotectiveactions,wheneverthe parametersdescribedinSection7.3.1.2,item1, reachpredeterminedlimits,withprecision andreliabilityassumingthefullrangeof conditionsandperformancediscussedinSection
7.3.1.2.b.SingleFailureCriterion(IEEE279-1971,Paragraph4.2)ESFsystemsarenotrequiredtomeetsinglefailurecriteriaonanindividualsystem(division)basis.
However,onanetworkbasis,thesinglefailurecriteria doesapplytoassurethecompletionofaprotective function.Redundantsensors,wiring,logic,and actuateddevicesarephysicallyandelectricallyseparated insuchawaythatasinglefailuredoesnotprevent theprotectivefunction.RefertoSection8.3.1.4 foracompletedescriptionoftheindependenceof redundantsystems.c.QualityComponents(IEEE279-1971,Paragraph4.3)ForadiscussionofthequalityofESFsystemcomponentsandmodulesrefertoChapter17.
RBSUSAR7.3-47August1987d.EquipmentQualification(IEEE279-1971,Paragraph4.4)Foradiscussionofequipmentqualificaton,refertoSections3.10and3.11.e.ChannelIntegrity(IEEE279-1971,Paragraph4.5)ForadiscussionofESFsystemschannelintegrityunderallextremesofconditionsdescribedin Section7.3.1.2refertoSections3.10,3.11,and
8.3.1.f.ChannelIndependence(IEEE279-1971,Paragraph4.6)ESFsystemschannelindependenceismaintainedasdescribedinSection8.3.1.4.g.ControlandProtectionInteraction(IEEE279-1971,Paragraph4.7)TherearenoESFsystemandcontrolsystem interactions.h.DerivationofSystemInputs(IEEE279-1971,Paragraph 4.8)TheESFvariablesaredirectmeasuresofthedesiredvariablesrequiringprotectiveactions.RefertoSections7.3.1.1.1through7.3.1.1.12.i.CapabilityofSensorChecks(IEEE279-1971,Paragraph 4.9)RefertoSection7.3.2.1.3,RegulatoryGuide1.22.j.CapabilityforTestandCalibration(IEEE279-1971,Paragraph4.10)RefertoSection7.3.2.1.3,RegulatoryGuide1.22.
RBSUSAR7.3-48August1987k.ChannelBypassorRemovalfromOperation(IEEE279-1971,Paragraph4.11)DuringperiodictestofanyoneESFsystemchannel,asensorortripunitmaybetakenoutofservice andreturnedtoserviceundertheadministrative controlprocedures.Sinceonlyonesensorortrip unitistakenoutofserviceatanygiventime duringthetestinterval,protectiveaction capabilityforESFsystemautomaticinitiation ismaintainedthroughtheremainingredundant instrumentchannels.l.OperatingBypasses(IEEE279-1971,Paragraph4.12)TheESFsystemscontainthefollowingoperatingbypasses.TheCRVICShastwobypasses:
(1)Themainsteamlinelowpressureoperatingbypasswhichisimposedbymeansofthe modeswitch.InallmodesexceptRUN,the modeswitchcannotbeleftinthisposition above15percentofratedpowerwithout initiatingascram.Thereforethebypass isremovedbythenormalreactoroperating sequence,and(2)Thelowcondenservacuumbypasswhichisimposedbymeansofamanualbypassswitch.m.IndicationofBypasses(IEEE279-1971,Paragraph4.13)ForadiscussionofbypassandinoperabilityindicationrefertoSection7.1.2.4,Regulatory Guide1.47.n.AccesstoMeansforBypassing(IEEE279-1971,Paragraph4.14)AccesstomeansofbypassinganysafetyactionorfunctionfortheESFsystemsisunder theadministrativecontroloftheoperator.
Theoperatorisalertedtobypassesasdescribed inSection7.1.2.4,RegulatoryGuide1.47.
RBSUSAR7.3-49August1987o.MultipleTripSettings(IEEE279-1971,Paragraph4.15)TherearenomultiplesetpointswithintheESF systems.p.CompletionofProtectiveActionOnceInitiated(IEEE279-1971,Paragraph4.16)ThelogiccircuitsofautomaticallyinitiatedESFsystemssealinandremainsealedin afterinitiatingconditionsreturntonormal.
Theoperatormustthentakedeliberateactionto return(reset)ESFsystemlevellogiccircuits.
AftertheESFsystemlevellogicisreset, theassociatedESFequipment(pumps,valves,fans, anddampers)remainsintheemergencymode (safetyfeaturecondition)untildeliberate operatoractionistakentoreturntheequipment tothenormalmodeofoperation.q.ManualInitiation(IEEE279-1971,Paragraph4.17)RefertothediscussionofRegulatoryGuide1.62inSection7.1.2.4.r.AccesstoSetPointAdjustments(IEEE279-1971,Paragraph4.18)AllaccesstoESFsystemsetpointadjustments,calibrationcontrols,andtestpoints areundertheadministrativecontrolofthemain controlroomoperator.s.IdentificationofProtectiveActions(IEEE279-1971,Paragraph4.19)ESFprotectiveactionsaredirectlyindicatedandidentifiedbyannunciatorslocatedinthe maincontrolroom,andatypedrecordisavailable fromtheprocesscomputer.t.InformationReadout(IEEE279-1971,Paragraph4.20)TheESFsystemsaredesignedtoprovidethe operatorwithaccurateandtimelyinformation pertinenttotheirstatus.Theydonot RBSUSAR7.3-50August1987introducesignalsthatcouldcauseanomalousindicationsconfusingtotheoperator.u.SystemRepair(IEEE279-1971,Paragraph4.21)TheESFsystemsaredesignedtopermitrepairorreplacementofcomponents.Recognitionandlocationofafailedcomponentareaccomplishedduringperiodictestingorby annunciationinthemaincontrolroom.v.Identification(IEEE279-1971,Paragraph4.22)TheESFpanelsareidentifiedbynameplates.Thenameplateshowsthedivisiontowhicheachpanel orrackisassigned,andalsoidentifiesthefunction inthesystemofeachitemofthecontrolpanel.
Thesystemtowhicheachrelaybelongsisidentified ontherelaypanels.Allwiringandcablingoutsidethepanelsislabeledtoindicateitsdivisionalassignmentaswellas itssystemassignment.SeeSection8.3.1.3.2.IEEE334-1974ConformancetoIEEE334-1974isdescribedinChapter8.7.3.2.1.3ConformancetoNRCRegulatoryGuides ThefollowingisadiscussionofconformancetotheRegulatoryGuideswhichapplyspecificallytotheESF systems.RefertoSection7.1.2.4foragenericdiscussion ofRegulatoryGuideswhichapplytotheESFsystems,as identifiedinTable7.1-3.1.RegulatoryGuide1.7ForcontrolofcombustiblegasconcentrationsincontainmentfollowingLOCArefertoSection1.8.2.RegulatoryGuide1.22TheESFsystemsinstrumentationandcontrolsarecapableofbeingtestedduringnormalplant operation,unlessthattestingisdetrimentalto plantavailability,toverifytheoperabilityof RBSUSAR7.3-51August1987eachsystemcomponent.Testingofsafety-relatedsensorsisaccomplishedbyvalvingouteachsensor,oneatatime,andapplyingatest pressuresource.Themainsteamlineradiation sensorsmayberemovedandtestsourcesapplied.
Thecombustiblegascontrolsystemsensorsaretested byintroducingsamplegasesofknownanalysis.
Thisverifiestheoperabilityofthesensorand theassociatedlogiccomponentsinthemain controlroom.Functionaloperabilityof temperaturesensorsmaybeverifiedby readoutcomparisons,applyingaheatsourceto thelocallymountedtemperaturesensingelements, orbycontinuitytesting.FortheHPCS,LPCS,andLPCI,testingforfunctionaloperabilityofthecontrollogicrelayscan beaccomplishedbyuseofplug-intestjacks andswitchesinconjunctionwithsinglesensortests.FourtestjacksareprovidedtoallowADSlogictesting(oneforeachlogicchannel).The logiccircuitsaredesignedtoallowthesystem testingwithoutactuallyopeninganyoftheADS valves.Duringtesting,topreventopeningofthe ADSvalve,oneofeachpairofcomplementary logicchannelsAandEorBandFisactivatedbya testswitchinsertedintothelogicpanelinthe maincontrolroom.Whenthetestplugisinserted intoonechannel,thecomplementarychannelof thattraipsystemisautomaticallyrendered inoperative.Therefore,inadvertentADSactuation cannotoccurevenifbothchannelsareimproperly placedinthetestmodesimultaneously.Analarm isprovidedifatestplugisinsertedinboth channelsinadivisionatthesametime.
Operatingthetestswitchthrougheachofits positions,incombinationswithoperationofthe tripunits,allowsverificationoftheproperADS logicresponsebyobservingindicatinglamps andactivationofannunciatorwindows.Thefinal DASvalve-initiatinglogicisverifiedbyneonlamps connectedacrossserieslogiccontactswhichallow verificationofoperationwithoutactuallyoperating theassociatedsolenoidpilotvalve.Annunciationisprovidedinthemaincontrolroomwheneveratestplugisinsertedinajackto RBSUSAR7.3-52August1987indicatetotheoperatorthatanECCSisinateststatus.Operabilityofair-operated,solenoid-operated,andmotor-operatedvalvesisverifiedbyactuating thevalvecontrolswitchesandmonitoringtheposition changebypositionindicatinglightsatthecontrol
switch.TheESFsystemsareprovidedwithindications,statusdisplays,annunciation,andcomputerprintoutswhich aidthemaincontrolroomoperatorduring periodicsystemteststoverifycomponentoperability.3.RegulatoryGuide1.40SeeSection1.84.RegulatoryGuide1.53RefertoIEEE279-1971,Paragraph4.2,Section7.3.2.1.2.5.RegulatoryGuide1.96TheMS-PLCSisdesignedtocomplywiththisregulatoryguide.SeeSection1.8.6.RegulatoryGuide1.97SeeSection1.8.7.3.2.1.4Interlocks BalanceofplantESFsysteminterlockswhicharecommontobothmanualandautomaticinitiationcircuitsareprovided forprotectionofsevensafety-relatedsystems.However,in eachcaseredundantequipmentofadifferentClass1Epower sourcedivisionisavailableintheotherdivisionsuchthat nosinglefailureinthemanual,automatic,orcommonportion oftheprotectionsystempreventsinitiationbymanualor automaticmeansofthesystemfunction.OftheNSSSESFsystems,theHPCS,LPCS,LPCI,andADSsubsystemofECCSsharepermissivelogicbetweenautomaticandsystem-levelmanualinitiationlogic.OnlytheHPCSshares permissivelogicbetweenautomaticandcomponent-level(switch forinjectionvalvecontrolonly)initiation.
RBSUSARRevision87.3-53August1996ThedesignisacceptablesincetheindividualsubsystemsofECCSarenotrequiredtomeetthesinglefailurecriterion.TheECCS functionismetwithoneofitssubsystemsinoperative.7.3.3ResponseTimeTesting AllRiverBendStationsafety-relatedsystemshaveprovisionsforresponsetimetestingwiththeexceptionofthefollowing componentsensors:1.Thermocouples 2.Neutronmonitors(SPMs,IRMs,LPRMs) 3.Resistancetemperaturedetectors(RTDs)84.ReactorProtectionSystem(RPS)a.ReactorSteamDomePressure-High b.ReactorVesselWaterLevel-LowLevel3 c.ReactorVesselWaterLevel-HighLevel85.MainSteamIsolationValve(MSIV)isolationinstrumentation 6.EmergencyCoreCoolingSystem(ECCS)actuationinstrumentation 8Theprocedureswhichfulfillthetechnicalspecificationssurveillancerequirementsprovidedetailedrequirementsforthe operatortoreturnaprotectionfunctionactuatorcircuitto normaloperationafteritistested.Whenaprotectionfunction actuatorcircuitisbeingtestedandrenderstheprotectionsystem inoperative,thesystemmanualbypassisactivated.Thisinforms maincontrolroompersonnelofthestatusoftheprotection
systems.
RBSUSARRevision107.4-1April19987.4SYSTEMSREQUIREDFORSAFESHUTDOWNSystemsrequiredforsafeshutdownincludethoseneededforhotandcoldshutdownwhicharedefinedasfollows:1.HotShutdownAplantconditioninwhichthereactorissubcritical,andtheprimarysystemtemperatureissufficientto allowremovalofdecayheatbysteamgeneration.This temperatureistheoreticallygreaterthan212°F; however,300°to350°Fistheminimumpracticalrange forthismode.2.ColdShutdownAplantconditioninwhichthereactorissubcriticalanddecayheatisremovedbyeithertheresidualheatremoval systemorbyotherdecayheatsystems.Theprimary systemtempratureisreducedtobelow212°Fandtheheat sinkisaheatexchangerwithasecondarycoolantloop.Asafehotshutdownconditionisachievedwhenthefollowingfunctionsaresatisfied:1.Reactivityiscontrolled 2.Reactorcoolantinventorymakeupisprovided 3.Decayheatremovalisestablishedandreactorpressureiscontrolled4.Suppressionpoolcoolingisestablished 5.Systemstatusmonitoringisprovided.Oncethereactorisplacedinahotshutdowncondition,stationpersonnelareabletoprovideequipmentlineups,connections, and/ortemporaryrepairsasneededtoachieveandmaintainacold shutdownconditionwithin72hours.108Numerousmethodsareavailabletoachievesafeshutdown.Normal reactorshutdownandcooldownutilizesthemaincondenser; off-normalreactorshutdownusesRCICorcombinationsof redundantECCSequipment.Figure7.4-3showsthisnormalmethod andtwoalternatemethodsofachievingshutdownusingCategoryI redundantequipmentwhichis 108 RBSUSARRevision157.4-2May2002operablefromonsitepower.Electricalcircuitprotection,comprehensivedefinitionofequipmentandcables,useof separationandapprovedprotectionmeasuresensurethatsystems areavailableforsafeshutdownaftersinglepostulatedevents.7.4.1Description Thissectiondiscussestheinstrumentationandcontrolsofthefollowingsystemsrequiredforsafeplantshutdown:1.RCIC 2.RHR-RSCM 3.SLCS 4.RSSRefertoChapter8foracompletediscussionofthesafety-relatedpowersources.7.4.1.1ReactorCoreIsolationCooling(RCIC)System SystemFunctionTheRCICsystem(Section5.4.6)instrumentationisdesignedtomaintainorsupplementreactorvesselwaterinventoryduringthe followingconditions:1.Whenthereactorvesselisisolatedfromitsprimaryheatsink(themaincondenser)andmaintainedinthehot standbycondition.2.Whenthereactorvesselisisolatedandaccompaniedbyalossofnormalcoolantflowfromthereactorfeedwater
system.103.Deleted 10154.Deleted 15 RBSUSARRevision147.4-3September2001SystemOperationSchematicarrangementsofsystemmechanicalequipmentandoperatorinformationdisplayareshowninFig.5.4-8.RCIC systemcomponentcontrollogicisshowninFig.7.4-1.Instrumentlocationdrawings,andelementarydiagramsareidentifiedinSection1.7.1412TheRCICsystemcanbeinitiatedeithermanuallyor automatically.Theinitiationsignallogicisthensealed-infor afixedtimedurationtoallowsystemstartup.TheMCCcircuitry maintainsthecomponentssealedinafterinitiation.Themain controlroomoperatorcaninitiateRCICbyoperatingthemanual initiationswitchwhichsimulatesanautomaticinitiationorby activatingeachpieceofequipmentsequentiallyasrequired.The initiationsignalforsteamflowtotheRCICturbineandwater injectiontothereactorvesselissealedinforaspecifiedtime periodandthendropsout.Thisinitiationsignaltothegland sealcompressorissealedinandremainssealedinuntilmanually
reset.1214RCICisautomaticallyinitiatedbyfourredundantdifferential pressuretransmitters/triprelaycontacts,arrangedina one-out-of-two-twicelogicconfiguration,whichsensereactor vessellowwaterlevel(triplevel2).TheRCICsteamlineisolationandtheturbinesteamexhaustmotor-operated(MO)valvecontrolswitchesarekeylockedinthe openposition.Theturbinetripandthrottlevalveisnormally openandrequiresnochangeofpositionforautomaticsystem
initiation.TheRCICsystemrespondstoanautomaticinitiationsignalandreachesdesignflowratewithin30secasfollows(actionsare simultaneousunlessstatedotherwise):1.ThepumpsuctionfromthecondensatestoragetankvalveMOF010issignaledopen.2.Toensurepumpdischargeflowisdirectedtothereactorvesselonly,thetestreturnlinestothecondensate storagetankvalvesMOF022andMOF059aresignaled
closed.
RBSUSARRevision107.4-4April1998103.TheturbinesteaminletvalveMOF045issignaledopen.94.WhentheturbinesteaminletvalveMOF045beginstoopen,theRCICpumpdischargetoreactorvessel valveMOF013issignaledopen.ValveMOF013is prohibitedfromopeningorifopen,automaticallycloses whenMOF045ortheturbinetripandthrottlevalveis
closed.9105.Theturbineglandsealcompressorissignaledtostart.6.WhenvalveMOF045leavestheclosedpositiontheRCICturbineisacceleratedinspeeduntiltheautomaticflow controllersetpointisreachedandthesystemdischarge flowiscontrolledbytheturbineelectronicgovernor
mechanism.Intheeventthatthewaterlevelinthecondensatestoragetankshouldbecomelow,theRCICpumpsuctionisautomatically transferredfromthecondensatestoragetanktothesuppression poolbyopeningvalveMOF031.Atimedelayisincorporatedin thedesigntopreventinadvertenttransferthatcouldbecaused byatransientpressuredisturbance(reduction)inthesuction linewherethesensorsarelocated.OncevalveMOF031isfully openthecondensatestoragetankvalveMOF010isautomatically
closed.8 8TheRCICsystemincludesdesignfeatureswhichprovidesystem equipmentprotectionoraccomplishcontainmentisolationif certaintypesofabnormaleventsoccur.Theturbineiseither manuallytripactuatedbythemaincontrolroomoperatoror automaticallyshutdownbyclosingtheturbinetripandthrottle valveifanyofthefollowingconditionsaredetected:1.Turbineoverspeed 2.Highturbineexhaustpressure 3.RCICisolationsignal 4.Lowpumpsuctionpressure RBSUSARRevision87.4-5August1996Inaddition,thesteamsupplyvalveMOF045isclosedonreactorvesselhighwaterlevel(triplevel8).Thispermitsan automaticrestartoftheRCICsystemifthereactorwaterlevel dropstolevel2.ToprotecttheRCICpumpfromoverheatingduringlowflowconditionsthepumpdischargeflowandpressurearemonitored.
Ifthepumpdischargepressuretransmitterindicatesthepumpis runningandthepumpdischargeflowtransmitterindicateslow flow,theminimumflowreturnlinevalveMOF019isautomatically opened.Theminimumflowvalveisautomaticallyclosedwhenflow isnormal,orwheneithertheturbinetripandthrottlevalveor thesteamsupplyvalveMOF045isclosed.ThewaterlevelinthesteamlinedraincondensatepotiscontrolledbyalevelswitchandavalveAOF054whichenergizes toallowcondensatetoflowoutofthedrainpotbybypassingthe steamtrap.7Airoperated(AO)valvesF025,F026,andF054andacondensate drainpotareprovidedinadrainpipelinearrangementjust upstreamoftheturbinesupplyvalve.Thedrainagepathis isolatedbyclosingAOF025andAOF026uponreceiptofan M0F045not-closedsignal.
7RCICsystemturbineexhaustlinevacuumbreakervalvesMOF077 andMOF078arenormallyopenbutcloseautomaticallyfollowing systemtriponlowsteamlinepressureifdrywellpressure exceedsthesetpoint.7TheleakdetectionportionofRCICsystemautomaticallysignals thesteamlinewarmupvalveMOF076closed,theinboardsteam isolationvalveMOF063andtheoutboardsteamisolation valveMOF064closedifanyofthefollowingabnormalconditions exist.ForacompletedescriptionoftheRCICsystemleak detectionisolationsignals,seeSection7.6.1.
781.RedundantambienttemperatureswitchesindicateRCICandRHRequipmentareahighambienttemperature.82.RedundantdifferentialpressuretransmitterssenseRCICorRHR/RCICsteamhighfloworinstrumentlinebreak.
RBSUSARRevision127.4-6December19993.RedundantpressuretransmitterssenseRCICturbineexhaustdiaphragmhighpressure.Bothtransmittersin oneoftwotripchannelsmustsensehighpressureto causeisolation.4.ApressuretransmittersensesRCIClowsteamsupply pressure.TheRCICsystemmaybeisolatedafterinitiationbythemaincontrolroomoperatorbyactuationofaswitchwhichcausesthe outboardsteamisolationvalvetoclose.7.4.1.2RHRReactorShutdownCoolingMode(RSCM)
RSCMFunctionTheRSCM(Section5.4.7)oftheRHRsystemisusedduringanormalreactorshutdownorforlongtermcoolingaftervessel waterlevelhasbeenrestoredfollowingaccidentconditions.TheRSCMconsistsofinstrumentationdesignedtoprovidedecayheatremovalcapabilityforthereactorcorebyaccomplishingthe
following:1.Reactorcoolingduringshutdownoperationafterthevesselpressureisreducedtoapproximately110psig.2.Coolingthereactorwatertoatemperatureof125°Fatwhichreactorrefuelingandservicingcanbe
accomplished.1212RSCMOperationSchematicarrangementsofsystemmechanicalequipmentand operatorinformationdisplaysareshowninFig.5.4-12.RSCM componentcontrollogicisshowninFig.7.3-4.Instrument locationdrawingsandelementarydiagramsareidentifiedin Section1.7.Thereactorshutdowncoolingsystemcontainstwoloops.Eitherloopissufficienttosatisfythecoolingrequirementsfor shutdowncooling.However,bothloopsshareacommonsuction linewithtwosuctionvalvesin RBS USAR Revision 22 7.4-7 series. In the event one of the suction valves fails closed and normal shutdown cooling is not available, an alternate shutdown cooling loop may be established. The normal shutdown suction
path may be bypassed by manually switching to take suction water from the suppression pool, returning through the LPCI nozzle, and
manually opening the ADS valves to allow reactor water to flow back through the suppression pool line to the suppression pool.
The ADS valves may be actuated by either Division 1 or Division 2 power thus providing redundancy in the event of a divisional power failure. See Section 5.4.7 for a complete description of
RSCM operation.
7.4.1.3 Standby Liquid Control System (SLCS)
SLCS Function 1 The SLCS (Section 9.3.5) instrumentation is designed to initiate injection of a liquid neutron absorber into the reactor. Other instrumentation is provided to heat the neutron absorber solution should the ambient area temperature be insufficient to maintain the solution well above saturation temperature in readiness for
injection.
1 The SLCS is a redundant method of manually inserting enough negative reactivity to shut down the reactor to cold shutdown conditions from normal operation or from anticipated transient conditions when control rod insertion capability is lost. The Standby Liquid Control System sodium pentaborate solution also functions to control suppression pool pH following a design basis LOCA event with no functioning ECCS injection. This function was added to the Standby Liquid Control System in conjunction with the River Bend implementation of Alternate Source Term (AST) per Regulatory Guide 1.183.
SLCS Operation
Schematic arrangements of system mechanical equipment and operator information display are shown in Fig. 9.3-9. SLCS component control logic is shown in Fig. 7.4-2. Instrument location drawings and elementary diagrams are identified in
Section 1.7.
The SLCS is initiated by the main control room operator by turning a keylocked switch for system A, or a different keylocked switch for system B to the RUN position. The key is removable in the center NORMAL position. Should the selected pump fail to start, the other key switch may be used to select the alternate
pump loop.
When the SLCS is initiated, the explosive-operated valve in the
selected loop fires and the tank discharge valve starts to open immediately. The pump that has been selected for injection does
not start until the tank discharge valve is open.
RBS USAR Revision 20 7.4-8 When the SLCS is initiated from system A, the outboard isolation valve of the RWCU system is automatically closed. Initiation from system B closes the inboard isolation valve automatically (Table 6.2-40).
Pumps are interlocked so that either the storage tank discharge valve or the test tank discharge valve must be open for the pump to
run.7.4.1.4 Remote Shutdown System (RSS)
RSS Function The RSS is designed to achieve and maintain hot reactor shutdown and subsequently to achieve cold shutdown from outside the main control
room following these postulated conditions: 1. The plant is at normal operating conditions, all plant personnel have been evacuated from the main control room, and it is inaccessible for control of the plant. 2. The initial event that causes the main control room to become inaccessible is assumed to be such that the reactor
operator can manually scram the reactor before leaving the
main control room.
The RSS is required only during times of main control room inaccessibility when normal plant operating conditions exist, i.e.,
no transients or accidents are occurring. For this reason, only the
equipment which interfaces directly with safety-related equipment (RHR, RCIC, etc) is required to be of safety-related quality.
Transfer and control switches at the RSS panels and other selected control points, are provided for equipment which is controlled during remote shutdown. The controls and indications at these
panels are listed in Table 7.4-1
.The main steam isolation valves and the ADS valves represent potential fire-induced LOCA pathways that are accounted for in the design of the RSS. Isolation is assured through the respective
deenergization of the RPS breakers in the RPS distribution panels at el 115 in the control building and the ADS breakers in the dc
distribution panels at el 98 in the control building.
The initiating event that causes the main control room to become inaccessible could be a large transient fire that includes shorts
and/or spurious signals producing potential RBS USAR Revision 7 7.4-9 January 1995 7LOCA pathways and/or incorrect system lineup for shutdown. Transfer and control switches exist at the RSS Division I panel (single failure criteria is not applicable for a fire event), the diesel generator local control panels, and Division I 4.16 KV standby switchgear to achieve and maintain hot shutdown; while local transfer and control switches for the diesel generator fuel oil transfer pump, the standby service water pump house
ventilation fan, the standby cooling tower fans, and the penetration valve leakage control air compressor exist to achieve and maintain cold shutdown. For all remaining initiating events requiring a main control room evacuation, i.e., other than a
transient fire, functional redundancy is provided by the RSS Division I and Division II panels, both at el 98 in the control
building.7 RSS OperationInstrument location drawings and elementary diagrams are identified in Section 1.7. 7Some of the existing systems used for normal reactor shut-down operation are also utilized in the remote shutdown capability to shut down the reactor from outside the main control room. The functions needed for remote shutdown control are provided with manual transfer switches which override controls from the main control room and transfer the controls to the remote shutdown panel or other selected control points. Remote shutdown control is not possible without actuation of the transfer switches.
Power supplies and control logic are transferred and isolated.
The isolated Division I and III control logic circuits required to shutdown the plant in the event of a main control room fire are furnished power from independently fused power supplies.
Access to the remote shutdown panel is administratively and procedurally controlled via the plant security system. Local transfer switch positions are monitored via remote annunciation in the main control room, while proper system lineup (local
control switches) is monitored via remote indication at the RSS Division I panel for transfer switches located at this panel.
System control is available from the RSS panels or other selected
control points.
7Manual activation of SRVs, along with the initiation of RCIC system and/or the automatic initiation of the HPCS system, maintains reactor water inventory and brings the reactor to a hot shutdown condition after scram. During this phase of shutdown, the suppression pool is cooled by operating the RHR system in the suppression pool cooling mode. Reactor pressure is controlled
and core decay and sensible heat are RBS USAR Revision 20 7.4-10 rejected to the suppression pool by relieving steam pressure through the relief valves.Manual operation of the relief valves cools the reactor and reduces its pressure at a controlled rate until a method of long-term heat removal is established. The RHR system can be
operated in the shutdown cooling mode using the RHR system heat exchanger to cool reactor water and bring the reactor to the cold
shutdown condition. 7Remote shutdown component control logic and operator information displays for the Division I remote shutdown panel are shown in
Figure 7.4-4.
7 RBS USAR Revision 20 7.4-11 THIS PAGE LEFT INTENTIONALLY BLANK RBS USAR Revision 20 7.4-12 THIS PAGE LEFT INTENTIONALLY BLANK RBS USAR Revision 20 7.4-13 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-14 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-15 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-16 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-17 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-18 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-18a THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR 7.4-18b August 1988 THIS PAGE LEFT INTENTIONALLY BLANK RBS USAR Revision 20 7.4-19 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-19a THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 7 7.4-19b January 1995 THIS PAGE INTENTIONALLY LEFT BLANK RBS USAR Revision 20 7.4-20 THIS PAGE LEFT INTENTIONALLY BLANK.
RBS USAR Revision 20 7.4-21 7.4.1.5 Design Basis Information The safe shutdown systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB.
Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage
and radioactive material releases, along with the methods by which abnormal events are identified, are presented in that
chapter. 1. Variables Monitored to Provide Protective Actions The following variables are monitored in order to provide protective actions to the safe shutdown
systems: a. RCIC - Reactor vessel low water level (trip level 2) All other safe shutdown systems are initiated by operator actions. The plant conditions which require protective action involving safe shutdown are described in
Chapter 15 and Appendix 15A. 2. Location and Minimum Number of Sensors See the Technical Specifications for the minimum number of sensors required to monitor safety-related variables. There are no sensors in the safe shutdown
systems which have a spatial dependence. 3. Prudent Operational Limits Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious safe shutdown system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following
postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable
bounds.
RBSUSAR7.4-22August19874.MarginThemarginbetweenoperationallimitsandthelimitingconditionsofoperationofsafeshutdownsystemsare thoseparameterslistedintheTechnical
Specifications.5.LevelsLevelsrequiringprotectiveactionareestablishedintheTechnicalSpecifications.6.RangeofTransient,SteadyState,andEnvironmental ConditionsTheenvironmentalqualificationofthesafety-relatedinstrumentationandcontrolssafeshutdownsystemsis discussedinSection3.11.Thesafeshutdownsystems powersupplyrangeofsteady-stateandtransient conditionsisprovidedinChapter8.7.Malfunctions,Accidents,andOtherUnusualEventsWhichCouldCauseDamagetoSafetySystemsa.FloodsThebuildingscontainingsafeshutdownsystemcomponentshavebeendesignedtomeetthePMFat thesitelocation.Thisensuresthatthe buildingsremainwater-tightunderPMFconditions includingwind-generatedwaveactionandwave runup.Foradiscussionofinternalflooding protectionrefertoSections3.4and3.6.b.StormsandTornadoesThebuildingscontainingsafeshutdownsystemcomponentshavebeendesignedtowithstand meteorologicaleventsdescribedinSection3.3.c.EarthquakesThestructurescontainingsafeshutdownsystemcomponentshavebeenseismicallyqualified,as describedinSections3.7and3.8,toremain functionalduringandfollowinganSSE.Seismic qualificationofinstrumentationand RBSUSARRevision107.4-23April1998electricalequipmentisdiscussedinSection3.10.d.Fires10Toprotectthesafeshutdownsystemsintheeventofapostulatedfire,theredundantportionsofthe systemsareseparatedbyfirebarriersor physicaldistance.Theuseofseparationandfire barriersensuresthateventhoughsomeportionof thesystemsmaybeaffected,thesafeshutdown systemscontinuetoprovidetherequired protectiveaction.SeeSection9.5.1fora discussionoffireprotection.
10e.LOCAThesafeshutdownsystemscomponentslocatedinsidethedrywellandcontainmentwhichare functionallyrequiredfollowingaLOCAhavebeen environmentallyqualifiedtoremainfunctionalas discussedinSection3.11.Chapter15describes theeffectofaLOCA.f.PipeBreakOutsideSecondaryContainmentThisconditiondoesnotaffectthesafeshutdownsystems.RefertoSection3.6.Chapter15 describestheeffectsofapipebreakoutside
containment.g.MissilesProtectionforsafeshutdownsystemsisdescribedinSection3.5.8.MinimumPerformanceRequirementsMinimumperformancerequirementsforsafeshutdownsystemsinstrumentationandcontrolsare providedinChapter16,TechnicalSpecifications.7.4.1.6FinalSystemDrawings Thefinalsystemdrawingsincluding:1.Pipingandinstrumentationdiagrams(P&ID)
RBSUSAR7.4-24August19872.Functionalcontroldiagrams(FCD)orlogicdiagrams (LSK)Theabovehavebeenprovidedorreferencedforthesafeshutdown systems.FunctionalandarchitecturaldesigndifferencesbetweenthePSARandFSARarelistedinTable1.3-8.7.4.2AnalysisThesafeshutdownsystemsaredesignedinsuchawaythatlossofinstrumentair,lossofcoolingwatertovitalequipment,a plantloadrejection,oraturbinetripdoesnotpreventthe completionofthesafetyfunction.TheRSCMoftheRHRsystemutilizesthesameequipmentusedbytheLPCImode.Therefore,refertoSection7.3.2fortheRSCM standardsandregulatorycompliance.ConformanceoftheRSStoIEEEStandardsandRegulatoryGuidesisprovidedintheanalysissectionforeachsystemwhose instrumentationandcontrolsarepartoftheRSS(Sections7.3, 7.5,and7.6)andasnotedbelow.7.4.2.1ConformancetoTitle10CodeofFederalRegulations,Part50(10CFR50)AppendixA-General DesignCriteria(GDC)TheconformancediscussionsprovidedinSection3.1fortheGDCapplytothesafeshutdownsystemsasidentifiedinTable7.1-3.7.4.2.2ConformancetoIEEEStandards ThefollowingisadiscussionofconformancetothoseIEEEStandardswhichapplyspecificallytothesafeshutdownsystems.
RefertoSection7.1.2.3foragenericdiscussionofIEEE Standardswhichapplytothesafeshutdownsystemsasidentified inTable7.1-3.1.IEEE279-1971a.GeneralFunctionalRequirement(IEEE279-1971,Paragraph4.1)TheRCICisautomaticallyinitiatedwhenreactorvesselwaterlevelisdeterminedtobebelowa predeterminedlimit.
RBSUSAR7.4-25August1987TheSLCSisinitiatedbythemaincontrolroomoperator.Displayinstrumentationinthemain controlroomprovidestheoperatorwith informationonreactorvesselwaterlevel, pressure,neutronfluxlevel,controlrod position,andscramvalvestatusallowing assessmentoftheneedforinitiationoftheSLCS.b.Single-FailureCriterion(IEEE279-1971,Paragraph4.2)TheRCICsystemisnotrequiredtomeetthesingle-failurecriterion.TheRCICinitiation sensorsandassociatedlogicdo,however,meetthe single-failurecriterionforautomaticsystem initiation.Thesingle-failurecriterionis metthroughphysicalandelectricalseparationof equipmentasdescribedinSection8.3.1.4.TheSLCSservesasbackuptotheCRDsystemforcontrollingreactivityiftheCRDfails.Itisnot necessaryforSLCStomeetthesingle-failure criterion.However,thepumpsandmotors,the explosivevalves,andthestoragetankoutlet valvesareredundantsothatnosinglefailurein thesecomponentspreventsinitiationofSLCS.c.QualityofComponentsandModules(IEEE279-1971,Paragraph4.3)RefertoChapter17forRCIC,SLCS,andRSS conformance.d.EquipmentQualification(IEEE279-1971,Paragraph4.4)ForadiscussionoftheRCICandSLCSequipmentqualification,refertoSections3.10and3.11.e.ChannelIntegrity(IEEE279-1971,Paragraph4.5)ForadiscussionofRCIC,SLCS,andRSSchannelintegrityunderallextremesofconditions describedinSection7.4.1.2,referto Section3.11.
RBSUSARRevision147.4-26September2001f.ChannelIndependence(IEEE279-1971,Paragraph4.6)ChannelindependenceismaintainedasdescribedinSection8.3.1.4.g.ControlandProtectionInteraction(IEEE279-1971,Paragraph4.7)14TheSLCSandRCICsystemhasnointeractionwith plantcontrolsystems.ForfurtherdiscussiononcompliancetoGDC24,seeSection3.1.
14h.DerivationofSystemInputs(IEEE279-1971,Paragraph4.8)AllinputstotheRCICsystemthatareessentialtoitsoperationaredirectmeasuresof appropriatevariables.SLCSdisplayinstrumentationinthemaincontrolroomprovidestheoperatorwithdirectlymeasured informationonreactorvesselwaterlevel, pressure,neutronfluxlevel,andcontrolrod positionandscramvalvestatus.Basedonthis informationtheoperatorcanassesstheneedfor
SLCS.i.CapabilityforSensorChecks(IEEE279-1971,Paragraph4.9)RefertoSection7.4.2.3,RegulatoryGuide1.22.j.CapabilityforTestandCalibration(IEEE279-1971,Paragraph4.10)RefertoSection7.4.2.3,RegulatoryGuide1.22.k.ChannelBypassorRemovalfromOperation(IEEE279-1971,Paragraph4.11)
RBSUSARRevision147.4-27September2001Calibrationofasensorwhichintroducesasingleinstrumentchanneltripdoesnotcauseaprotective actionwithoutthecoincidenttripofasecond channel.Removalofasensorfromoperationduring calibrationdoesnotpreventtheredundant instrumentchannelfromfunctioning.ThedischargepumpsfortheSLCSareredundant,sothatonemayberemovedfromserviceduringnormal plantoperation.l.OperatingBypasses(IEEE279-1971,Paragraph4.12)TherearenooperatingbypasseswithintheRCICsystemortheSLCS.m.IndicationofBypasses(IEEE279-1971,Paragraph4.13)ForadiscussionofbypassandinoperabilityindicationrefertoSection7.1,Regulatory Guide1.47.n.AccesstoMeansforBypassing(IEEE279-1971,Paragraph4.14)AccesstomeansofbypassinganysafetyactionorfunctionfortheRCICandSLCSisunderthe administrativecontrolofthemaincontrolroom operator.Theoperatorisalertedtobypassesas describedinSection7.1,RegulatoryGuide1.47.147Controlswitcheswhichallowsafetysystembypasses arekeylocked.Allkeylockemergencyswitchesin themaincontrolroomaredesignedinsuchaway thattheirkeyscanonlyberemovedwhenthe switchesareinthesafeposition.Allkeysare normallyremovedfromtheirrespectiveswitches duringoperationandmaintainedunderthecontrol oftheshiftsuperintendent.Shouldakeybe requiredtochangeavalveposition,itisobtained fromtheshiftsuperintendentviaapprovedkey controlprocedures.
714 RBSUSAR7.4-28August1987o.MultipleSetPoints(IEEE279-1971,Paragraph4.15)TherearenomultiplesetpointswithintheRCICorSLCSsystems.p.CompletionofProtectiveActionOnceItIsInitiated(IEEE279-1971,Paragraph4.16)OnceRCICisinitiatedbyreactorvessellowwaterlevel,thelogicsealsinforaspecifiedtime periodtoallowtheinitiationlogictogoto completion.Systemoperationmaybeterminatedby theoperatoratanytimeafterinitiation.The systemisautomaticallystoppedonhighvessel waterlevel,systemmalfunctiontripsignals,or ifsteamsupplypressuredropsbelowthat necessarytosustainturbineoperation.TheSLCSexplosivevalvesremainopenoncefired.Theinjectionvalvesdonotclose,anddischarge pumpmotorscontinuetorununlessterminatedby operatoraction.q.ManualInitiation(IEEE279-1971,Paragraph4.17)RefertoSection7.4.2,RegulatoryGuide1.62,foradiscussionofthemanualinitiationoftheRCIC andSLCS.r.AccesstoSetPointAdjustment(IEEE279-1971,Paragraph4.18)AllaccesstosetpointadjustmentsforRCICisunderadministrativecontrol.TheoperationofSLCSisnotdependentonoraffectedbyanysetpointadjustmentor
calibration.s.IdentificationofProtectiveActions(IEEE279-1971,Paragraph4.19)TheexplosivevalvestatusoftheSLCS,oncefired,isindicatedinthemaincontrolroom.
RBSUSAR7.4-29August1987t.InformationReadout(IEEE279-1971,Paragraph4.20)TheRCICsystemisdesignedtoprovidetheoperatorwithaccurateandtimelyinformation pertinenttoitsstatus.Itdoesnotgive anomalousindicationsconfusingtotheoperator.TheSLCSdischargepressureofsodiumpentaboratepumpsandstoragetanklevelfortheSLCSis indicatedinthemaincontrolroom.u.SystemRepair(IEEE279-1971,Paragraph4.21)TheRCICandSLCSsystemsaredesignedtopermitrepairorreplacementofcomponentsduringnormal plantoperation.Recognitionandlocationofafailedcomponentareaccomplishedduringperiodictestingorby annunciationinthemaincontrolroom.v.Identification(IEEE279-1971,Paragraph4.22)AllcontrolsandinstrumentsforRCICandSLCSarelocatedinseparatesectionsofthemaincontrol roompanelandclearlyidentified.Relaysare locatedinseparatepanelsforRCICandSLCSuse only.Allwiringandcablingislabeledto indicateitsdivisionalassignmentaswellasits systemassignment(Section8.3.1.3).7.4.2.3ConformancetoNRCRegulatoryGuides RegulatoryGuideconformanceforremoteshutdowncontrolandinstrumentationisprovidedintheanalysissectionsof Chapter7foreachsystemwhoseinstrumentationandcontrolsare partoftheRSS.ConformancetoRegulatoryGuidesfortheRHRshutdowncoolingmodeisdiscussedinSection7.3.2.ThefollowingisadiscussionofconformancetothoseRegulatoryGuideswhichapplyspecificallytotheRCICsystemand/orthe SLCS.RefertoSection7.1.2.4foragenericdiscussionof RegulatoryGuideswhichapplytotheRCICand/ortheSLCSsystems asidentifiedinTable7.1-3.
RBSUSAR7.4-30August19871.RegulatoryGuide1.22TheRCICsystemiscapableofbeingcompletelytestedduringnormalplantoperationtoverifythateach elementofthesystemiscapableofperformingits intendedsafetyfunction.AllsensorsfortheRCICareinstalledwithcalibrationtapsandinstrumentvalvestopermittestingduring normalplantoperationbyvalvingoutthesensorsand supplyingatestpressuresource.TheSLCSexplosivevalvesmaybetestedduringplantshutdown.Theexplosivevalvecontrolcircuitsare continuouslymonitoredandannunciatedinthemain controlroom.TheremainderoftheSLCSmaybetested duringnormalplantoperationtoverifythateach elementiscapableofperformingitsintendedfunction.TestingofRCICsystemandSLCSsensorsduringnormalplantoperationisaccomplishedbytakingeachsensor fromitsprocesslineandapplyingatestpressure source.Thisverifiestheoperabilityofthesensor, itscalibrationrange,andtheoperabilityof associatedmaincontrolroomlogiccomponents.2.RegulatoryGuide1.53SeeIEEE279-1971,Paragraph4.2,inSection7.4.2forRCICandSLCS.
RBSUSARRevision8 7.5-1August19967.5SAFETY-RELATEDDISPLAYINSTRUMENTATION7.5.1Description 7.5.1.1General Thissectiondescribestheinstrumentationwhichprovidesinformationtotheoperatortoenablehimtoassessthestatusof safety-relatedsystems,andtheneedtoperformrequiredsafety functions.Figures7.5-1through7.5-11showthesafety-related displayinstrumentation(SRDI)forthesafetyrelatedcomponents notshowninothersectionsofChapter7.1Thesafety-relateddisplayinstrumentation(SRDI)islistedinTable7.5-1.Ittabulatesequipmentandoperatorinformation displaysillustratedonthevarioussafety-relatedsystem drawingsandfigureslocatedinSections7.2,7.3,7.4,and7.6 andonthenonsafety-relatedsystemfigureslocatedin Section7.5and7.7.Instrumentationforpostaccident monitoringrecommendedbyRegulatoryGuide1.97isaddressedin Table7.5-2.
1ThesourceswhichsupplypowertotheinstrumentationdescribedinthissectionarediscussedinChapter8.8Theinstrumentation,powersourceclassification,andrangesshowninTable7.5-1areselectedonthebasisofgivingthe reactoroperatorthenecessaryinformationtoperformnormal plantoperationsandthecapabilitytotrackprocessvariables pertinenttosafety.Instrumentaccuraciesandnumberof channelsprovidedforSRDIaregiveninthetechnical
specifications/requirements.
8Thefollowinginformationisprovidedtothemaincontrolroomoperatortomonitorreactorconditionsandallowassessmentof safetysystemstatus.7.5.1.1.1Transmitter/TripUnitMainControlRoomIndication Theplantprotectionsystemelectronictripsystem(Section7.1.3)providescontinuousmaincontrolroomindication ofeachvariablemonitoredbytheRPS,ESF,andRCICsystems.
Eachvariableissensedbyananalogtransmitterthatcontinually transmitsasignal,proportionaltothevariablerange,toatrip unitlocatedinthemaincontrolroom.Anammeter,locatedon eachmastertripunit,displaysthetransmittedsignal.The ammeterallowsvisualcross-checkingbetweeninstrument RBSUSARRevision12 7.5-2December1999channelstoverifyoperabilityandvariablelevel.Alltripunitsdisplaytripstatus,usinganindicatorlightlocatedon thetripunit.7.5.1.1.2ReactorWaterLevel Reactorwaterlevelinformationisobtainedfromphysicallyandelectricallyseparateddifferentialpressure(dp) instrumentation.Acoldreferencelegdesignisutilizedfor RBSwithaminimumamountofelevationchangeinsidethedrywell tominimizeinstrumentchannelerror.Thedpinstrumentsoperate ananalogcurrentloopwhichtransmitslevelinformationtothe maincontrolroom.Table7.5-1identifiesreactorwaterlevel
displays.AcomprehensivereportdiscussingtheeffectsofhightemperaturesonwaterlevelreferencelegsforBWRwaterlevel instrumentationhasbeensubmittedtotheNRCStaffforreviewby theBWROwners'Group.Thereportisentitled"ReviewofBWR ReactorVesselWaterLevelMeasurementSystems"andisidentified asS.LevyReportNo.SLI-8211.RiverBendStationendorsesthe contentandfindingsofthisreportwhereapplicabletothe designofRBSUnit1.ThefollowingdesignfeatureshavebeenimplementedatRiverBendStationtoimprovecontrolroomoperatorandsafetysystem responsewhereaccuratereactorvesselwaterlevelmeasurements arerequired:1.Theverticaldropofthewaterlevelreferenceleginstrumentlinesdoesnotexceed18incheswherethe linesaresubjecttotemperatureexcursionscapableof causingerroneousreadings.Theareaofprimaryconcern forthisdesignimprovementisthedrywell.RBSproceduresdelineateforoperatorinformationthemaximumexpectederrorsforwaterlevelmeasurements giventheunlikelyeventofdrywellheatupbeyondnormal ambientconditions.122.Annunciationisprovidedinthemaincontrolroomtoalerttheoperatortopotentialoractualwaterlevel measurementanomaliesowingtohighreference/variable legtemperatures.TworedundantClass1Einstrument channelswhichmonitordrywelltemperatureprovidehigh temperatureannunciation.12 RBSUSARRevision12 7.5-3December19993.Thecontrolroomoperatorisfurnishedwithredundant,Class1Ereactorvesselwaterlevelinstrumentchannelsfortwooverlappingregionsofthevessel.Thefirst regioncoverswaterleveloverawiderangefromthe dryerdowntonearthetopofthefuelzone.Thesecond regionoverlapsthefirstbutextendsdowntothebottom ofthecoreregion.Thissafety-relateddisplay instrumentationandotherwaterlevelmeasurement readingsaredeemedsufficienttoprovidetheoperator withanaccurateappraisalofreactorvesselwater
level.124.ECCSinitiatingsignalsaregeneratedfromanalogcircuitrywhichprovidesaswitchingfunction.Water levelinstrumentsusedforECCSactuationaregrouped accordingtorange(narroworwide)andelectrical channelseparation.Thisallowsindividualinstrument channelstobeobservedforproperoperation.This designfeaturegreatlyreducesthepossibilityofeither afailedchannelbeingunnoticedorerroneouschannel informationbeingusedforsystemactuation.125.ReactorwaterlevelinformationfromseveralsourceswithinthemaincontrolroomismonitoredbytheSafety ParameterDisplaySystem(SPDS).TheSPDSalertscontrol roomoperatorstowaterlevelmeasurementanomalies shouldthesituationarise.TheSPDSperformsthis functionbyperformingachannelcheckbycomparingtwo ormorechannelsforequivalencewithinagivenerror
margin.6.RiverBendStationutilizesrestrictionorificesinthevariableandreferencelegsensinglinesforRPVwater levelmeasurements.Theorificesarelocatedinclose proximitytothedrywellinstrumentpenetrations.This designfeatureeffectivelyobviatesoscillatorywater levelreadingswhenflashingoccursinthedrywell portionofsensinglines.77.Thefoursafetyrelatedreactorwaterlevelreferencelegsareprovidedwithacontinuousbackfillsystem.
Thefunctionofthesystemistopurgeoutorkeepout dissolvednon-condensiblegasesfromthereferencelegs; suchthat,uponadepressurization,non-condensible gasinduced7 RBSUSARRevision12 7.5-3aDecember1999 7levelerrorswillnotoccur.ThissystemresolvestheissuesdescribedinGenericLetter92-04andNRC Bulletin93-03concerninglevelerrorscreatedbynon-condensiblegasescomingoutofsolutionandcausing referencelegwaterinventorylosses.Thecontinuousbackfillsystemconsistsofinstrumenttubing,isolationvalves,ventanddrainvalves,two parallel15micronfilters,andfourchannelseach containingthefollowing:flowindicator,flow restrictor,ameteringvalve,twoseriescheckvalves,test/drainvalvesandventvalves.Thetotalsystem nominalflowis0.032gpm.Eachchannel'snominalflow is0.008gpm.Allcomponentsarelocatedinthesafety related,seismicallyqualifiedcontainmentbuilding.
Allcomponents,safetyandnon-safety,aremounted seismically.RefertoFigure5.1-3cforaschematic representationofthebackfillsystem.
712AdditionalinformationisprovidedinAppendix1A,ItemII.F.2.
127.5.1.1.3ReactorPressureTworeactorpressuresignalsaretransmittedfromtwoindependentdifferentialpressuretransmittersandare RBSUSARRevision7 7.5-3bJanuary1995THISPAGEINTENTIONALLYLEFTBLANK RBS USAR Revision 22 7.5-4 recorded on two, two point recorders.
One point records pressure and the other point records the wide range level. The range of recorded pressure is from 0 to 1,500 psig.
7.5.1.2 Reactor Shutdown Indication
The following information is provided to the main control room
operator to monitor reactor shutdown.
- 1. Control rod status lights indicate each rod fully inserted. Control rod scram pilot valve position
status lights indicate open valves.
- 2. Neutron monitoring power range channels and recorders downscale. The power sources are from RPS MG sets. A loss of offsite power would result in all scram valve
solenoids being deenergized and reactor scram.
- 3. Annunciators and indicators for RPS variables and trip logic in the tripped state.
- 4. The process computer provides logging of trips and control rod position and provides thermal-hydraulic information to the operator which he uses to keep the plant operating within technical specification limits.
Redundant capability exists in case of process computer failure. The power source for the process computer is
a Normal UPS.
7.5.1.3 Containment and Reactor Vessel Isolation Indication
The following information is provided to the main control room
operator to monitor the integrity of the containment.
- 1. Isolation valve position lights indicate valve closure.
- 2. Main steam flow indication.
- 3. Annunciators and indicators for the containment and reactor vessel isolation system variables and trip
logic in the tripped state.
- 4. Process computer logs trips.
7.5.1.4 ECCS and RCIC Indication
The following information is provided to the main control room
operator to monitor ECCS and RCIC system status.
RBSUSAR 7.5-5August19871.IndicatorsforHPCS,LPCS,RHR,ADS,andRCICvariablesandtriplogicinthetripstate.2.Flowand/orpressureindicationsforeachECCSandRCICareprovided.3.ECCSandRCICvalvepositionindication.4.ProcesscomputerloggingoftripsintheECCSandRCIC.
5.SRVpositionindicationincludingthoseinADS.ThepowersourceisinstrumentAC.6.SRVdischargepipetemperaturemonitors.7.5.1.5BypassandInoperableStatusIndicationThedesignofautomaticallyinitiatedengineeredsafetyfeature(ESF)systemsatRBSissuchthatthesystem,oraportionofthe system,maybeplacedinaninoperablestatusorbypassedduring theperformanceofperiodictestsormaintenance.Toalertthe operator(s)oftheinoperableorbypassedstatusoftheseand othermanuallyactuatedsafetysystems,administrativeprocedures aresupplementedwithautomaticindicationofsystem inoperability.Theautomaticindicationconsistsofannunciator points(visualandaudibleindication)inthemaincontrolroom (MCR)toalerttheoperatortoaninoperablecondition.This indicationisprovidedatthesystemlevelforeachdivisionor trainbyindicationonanannunciatorpanel.Beneaththissystem inoperableindication,morespecificindicationprovidesthe basisfortheinoperablestatus.Thisindicationconsistsof componentorsubsysteminoperable/bypassstatusindicationonthe verticalportionofthebenchboards.Thisdesignhasbeen implementedtomeettheintentofRegulatoryGuide1.47,whichis toprovideautomaticindicationofinoperablestatusof automaticallyinitiatedESFsystems.PositionC.2ofRegulatoryGuide1.47providesguidanceforcontrolroomdesignthatexpandsonthiscriteriatoinclude automaticindicationatthesystemlevelofthebypassingor deliberatelyinducedinoperabilityofanyauxiliaryorsupporting systemthateffectivelybypassesorrendersinoperablethe protectionsystemandthesystemsactuatedorcontrolledbythe protectionsystem.Auxiliaryorsupportsystemsnecessaryto ensureoperabilityofautomaticallyinitiatedESFsystemsare indicatedinTable7.5-3.Thistablealsoidentifiesthose auxiliary/supportsystemswhich RBSUSAR 7.5-6August1988arecascadedintothebypass/inoperableindicationoftheESF systems.7.5.1.6OtherSystemIndications ControlroomdisplayandindicationinformationforsystemsinadditiontothoselistedaboveisprovidedinTable7.5-1.7.5.2Analysis Thesafety-relateddisplayinstrumentationprovidesadequateinformationtoallowtheoperatortoperformthenecessarymanual safetyfunctionsduringnormaloperation,transients,and accidentconditions.TheSRDIthatispartofasafety-related systemandusedforsafety-relatedoperatorinformationorthe redundantreactorpressureandwaterlevelinstrumentationarein compliancewiththerequirementsapplicabletosafety-related
systems.1.NormalOperationTheinformationchannelrangesandindicatorswere selectedonthebasisofgivingthereactoroperator thenecessaryinformationtoperformallthenormal plantstartup,steady-statemaneuvers,andtobeable totrackalltheprocessvariablespertinenttosafety.2.AbnormalTransientOccurrencesTherangesofindicatorsandrecordersprovidedare capableofcoveringtheextremesofprocessvariables andprovideadequateinformationforallabnormal transientevents.3.AccidentConditionsInformationreadoutsaredesignedtoaccommodateall credibleaccidentsforoperatoractions,information, andeventtrackingrequirements,andcoverallother designbasiseventsorincidentrequirements.4.Post-AccidentMonitoring1Post-accidentmonitoringinstrumentationisprovidedinaccordancewiththeRiverBendStation positiononRegulatoryGuide1.97,(Table1.8-1)and Table7.5-2.
1 RBSUSAR 7.5-7August19877.5.3ReviewofIEBulletin79-27andIECircular79-02Areviewofthebusessupplyingpowertoinstrumentationandcontrolsystemswhichcouldaffecttheabilitytoachieveacold shutdownconditionhasbeenperformedforRiverBendStationin accordancewithIEBulletin79-27,asfollows:1.Allinstrumentandcontrolsystemsutilizedtoachieveacoldshutdownbynormalandemergencymeans,as describedinSection7.4andFig.7.4-3,were
considered.2.Allacanddcbusessupplyingpowertothesesystemswerereviewedtodeterminetheeffectsoflossofpower toeachbusanditsassociateddevicesontheability toachievecoldshutdown.3.Alarmsand/orindicationsprovidedinthemaincontrolroomtoalerttheoperatortothelossofpowerto thesebuseswereidentified.4.Controlroomindicatorswerereviewedtodetermineifanyfailasisoratmidscalesuchthaterroneous informationisprovidedtotheoperator.Theresultsofthisreviewindicatethefollowing:1.Foreachacanddcbussupplyingpowertoinstrumentandcontrolsystemsutilizedtoachieveacoldshutdown bynormaloremergencymeans:a.Coldshutdowncanbeachievedassuminglossofpowertothebus.b.Clear,unambiguousannunciationisprovidedinthemaincontrolroomtoalerttheoperatorofanundervoltageconditiononthebus.Uponreceipt ofanundervoltagealarmwhiletheplantisinthe normalshutdownpath,theoperatorcanswitchto analternateshutdownpathasgovernedbythe emergencyoperatingprocedures.2.Nomaincontrolroomindicatorsforthesystemsidentifiedabovefailasis.This,inaccordancewith IEEEStandard279-1971paragraph4.20,prevents erroneousinformationfrombeingpresentedtothe
operator.
RBS USAR Revision 19 7.5-8 The River Bend Station emergency operating procedures have been reviewed to identify the instrumentation and controls which could
affect the ability to achieve a cold shutdown condition. Further
review has confirmed that these instrumentation and controls are
powered from buses which were considered in the review. These instrumentation and controls are included in the following
systems: Automatic depressurization
Containment isolation
Containment monitoring
Control rod drive
Heating, ventilation and air-conditioning
Low pressure core spray
Nuclear boiler
Neutron monitoring
Radiation monitoring
Reactor core isolation cooling
Reactor protection
Reactor recirculation
Safety and relief valves
Spent fuel cooling
Standby liquid control The review of IE Circular 79-02 has been extended to include both Class 1E and non-Class 1E power supply inverters. There are four safety-related uninterruptible power supply systems (1ENB
-INV01A or 1ENB-INV01A1 and 1ENB-INV01B or 1ENB-INV01B1) and sevennonsafety-related (UPS) systems (BYS-INV03, 1IHS-INV01, 1BYS-INV01A, 1BYS-INV01B, 1BYS-INV02, 1BYS-INV04, and 1BYS-INV06)
at River Bend Station. All eleven UPS systems are identical in design. This design, as discussed in Section 8.3.1.1.3.7, differs from the subject of IE Circular 79-02, and therefore does
not fail in a similar manner.
RBSUSAR7.6-1August19877.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY
7.6.1 DescriptionSection
7.6 describes the instrumentation and control systems required for safety not discussed inother sections. The systems include:1.Recirculation Pump Trip (RPT) 2.Leak Detection System (LDS) 3.Neutron Monitoring System (NMS) 4.Radiation Monitoring System (RMS) 5.Fuel Pool Cooling (FPC) System 6.Penetration Valve Leakage Control System (PVLCS) 7.Rod Pattern Control System (RPCS) 8.Safety Relief Valves - Relief Function.
9.Suppression Pool Temperature Monitoring System 10.Suppression Pool Pumpback System.Refer to Chapter 8 for a complete description of the safety-related systems power sources.
7.6.1.1 Recirculation Pump Trip (RPT)
System FunctionThe RPT is provided to supplement shutdown at the end of a fuel cycle when rodworths arereduced by core nuclear characteristics.The RPT is designed to aid the RPS in protecting the integrity of the fuel barrier. Turbine stopvalve closure or turbine control valve fast closure initiates a scram and concurrent RPT in order to keep the core within the thermal-hydraulic safety limits during operational transients.System OperationInitiating circuitry is shown on Fig. 7.2-1. RPS inputs sense turbine stop valve closure (turbinetrip) or turbine RBSUSAR7.6-2August1987control valve fast closure (load rejection). The devices utilized to sense turbine trip and full loadrejection are discussed in Section 7.2.1.The basic logic arrangement is a two-divisional two-out-of-two design for the turbine controlvalve and the turbine stop valve. It receives signals from each of four RPS divisions. Initiation requires confirmation by sensors located in two or more RPS divisions. Failure to initiate requires failure in more than two RPS divisions. Inputs according to division are combined in two-out-of-two configurations.Each RPT division causes both recirculation pumps to trip off the main power supply andinitiates the low frequency motor generator automatic transfer sequence. Refer to Section 7.7.1.7.6.1.2 Leak Detection System (LDS)
The safety-related portions of the LDS are as follows:
- Main steam system leak detection
- RCIC system leak detection
- RHR system leak detection
- RWCU system leak detection.System FunctionThe LDS instrumentation and controls are designed to monitor leakage from the RCPB andinitiate alarms and/or isolation when predetermined limits are exceeded. Refer to Section 5.2.5 for a complete description.System OperationSchematic arrangements of system mechanical equipment and operator information displays areshown in Fig. 7.6-1. LDS functional control diagram is shown in Fig. 7.6-9. Instrument location drawings and elementary diagrams are identified in Section 1.7.Systems or parts of systems which contain water or steam and which are in direct communicationwith the reactor vessel are provided with LDS.
RBSUSARRevision107.6-3April19988Each of the required LDSs inside the drywell is designed with a capability to detect leakage less than the established leakage rate limits. Refer to Technical Specifications/Requirements.
8Major components within the drywell that, by the nature of their design, are sources of leakage(e.g., pump seals, valve stem packing, equipment drains). The leakage is collected ultimately in an equipment drain sump.Equipment associated with systems within the drywell (e.g., vessels, piping, fittings) share acommon volume. Steam or water leaks from such equipment are collected ultimately in the floor drain sumps.Each sump is protected against overflowing to prevent leaks of an identified source frommasking those from unidentified sources.8Outside the containment, the piping within each system monitored for leakage is in compartments or rooms separate from other systems wherever feasible so that leakage may be detected by sump level, ambient area temperature, or high process flow.Sensors, wiring, and associated equipment of the LDS which are associated with the isolationvalve logic are designed to withstand the conditions that follow a design basis LOCA (Section 3.11).The operator is kept aware of the status of the LDS variables through meters and recorders whichindicate the measured variables in the main control room. If a trip occurs, the condition is annunciated in the main control room.1.MSL Leak Detection10The main steam lines are monitored for leaks by the leak detection system. Leaks in the MSL are detected by any one or a combination of the following monitored parameters:
10a.Reactor vessel low water levelb.Main steam line high flow c.Main steam line area high ambient temperature.8 RBSUSARRevision107.6-4April1998 For a detailed description, see Section 7.3.1.1.2.2.RCIC System Leak DetectionThe steam lines of the RCIC system are monitored for leaks by the LDS. Leaks fromthe RCIC cause a change in at least one of the following monitored parameters:8a.Equipment area high ambient temperature8b.High flow rate (differential pressure) through the steam linec.Turbine exhaust diaphragm high pressure d.Low steam line inlet pressure.
Outputs from all four monitoring circuits are used to generate the RCIC auto-isolationsignals (one for each division) to isolate the inboard and outboard isolation valves.The following is a description of each RCIC leak detection method.8a.RCIC Area Temperature MonitoringThe RCIC area ambient temperature monitoring circuits are similar to thosedescribed for the main steam line tunnel temperature monitoring system (Section 7.3.1).10Two redundant temperature monitoring channels are provided. Each redundant instrument provides input to one of two logic channels (ESF Division I or II).Using one-out-of-two logic, any RCIC equipment area high area ambienttemperature initiates an isolation of the RCIC system after a time delay. The time delay prevents false isolations that may occur from a loss of power or restoration of power to the temperature monitors.8A bypass/test switch is provided in each logic channel for the purpose of testing the 10 RBS USAR Revision 20 7.6-5 temperature monitor without initiating RCIC system isolation. Diversity is provided by RCIC steam line flow and pressure monitoring. b. RCIC Flow Rate Monitoring 10The steam line flow rate in the steam supply line leading to the RCIC turbine is monitored by two differential pressure transmitters. During high flow conditions, the flow rate trip unit initiates the auto-isolation signal (Section 7.4.1). A time delay is incorporated in the circuit to prevent inadvertent isolation due to pressure spikes during start. High flow in the steam line initiates isolation of the RCIC system. 10 8Diversity is provided by ambient temperature and RCIC steam line pressure monitoring. c. RCIC Turbine Exhaust Diaphragm Pressure Monitoring The RCIC turbine exhaust diaphragm pressure monitored by four redundant pressure transmitters. In the presence of a leak, the RCIC system responds by
generating the isolation signal (Section 7.4.1).High turbine exhaust diaphragm pressure initiates isolation of the RCIC system using two-out-of-two logic.Diversity is provided by ambient temperature monitoring.
8d. RCIC Pressure Monitoring The steam line pressure from the reactor vessel leading to the RCIC turbine is monitored by two redundant pressure transmitters. In the presence of a leak, resulting in low line pressure, the RCIC pressure trip unit initiates the auto-isolation signal (Section 7.4.1). The pressure transmitters are equipped with a sensing line backfill system.
RBS USAR Revision 20 7.6-6 Diversity is provided by ambient temperature and RCIC steam line flow monitoring.
3.RCIC/RHRSystem Leak Detection The common steam line to the RHR heat exchangers and the RCIC turbine is monitored for leaks by the LDS. Leaks from the RHR system are detected by the following monitored parameters: a. Equipment area high ambient temperature.
- b. High flow rate through the common RCIC/RHR steam line.
Outputs from both circuits are used to generate the RHR auto-isolation signal (one for each division) to isolate the inboard and outboard isolation valves. The following is a description of each RHR leak detection method. a. RHR Area Temperature Monitoring The RHR area temperature monitoring circuit is similar to the one described for the main steam line tunnel temperature monitoring system (Section 7.3.1). Two redundant temperature monitoring channels are provided. Each redundant instrument provides input to one of two logic channels (Division 1 or 2). 8High RHR area ambient temperature initiates an RHR isolation signal closing the
RHR inboard and outboard isolation valves.
8RHR temperature monitoring isolation signals also provide input to the RCIC isolation system. A bypass/test switch is provided in each logic channel for the purpose of testing the temperature monitor without initiating RHR system
isolation.Diversity is provided by RCIC/RHR steam line high flow rate monitoring.
RBS USAR Revision 23 7.6-7 b. RCIC/RHR Flow Rate Monitoring Flow rate monitoring is provided on the RCIC/RHR steam line to the RHR condensing heat exchanger by redundant differential pressure transmitters.
Flow rates in excess of predetermined limits indicate a line leak or break. A time delay is incorporated into the circuit to prevent inadvertent isolation due to pressure spikes.
Two redundant differential pressure transmitters monitor flow, and each provides an input to one of the two logic channels (Division I or II). The differential pressure transmitters are equipped with a backfill system on both transmitter legs.
The steam line high flow rate initiates an isolation of the RHR inboard and
outboard isolation valves using one-out-of-two logic. 8 Diversity is provided by area ambient temperature monitoring.
- 4. Reactor Water Cleanup (RWCU) System Leak Detection
The RWCU leak detection system consists of the following:
- a. Leakage monitoring by the flow comparison of RWCU system water inlet and outlet flow rate
- b. Ambient temperature monitoring. 8 Automatic isolation of the RWCU system isolation valves is initiated when monitored parameters indicate leakage exists.
The following is a description of each RWCU leak detection method.
- a. RWCU Differential Flow Monitoring
Refer to Section 7.3.1.
- b. RWCU Area Temperature Monitoring
Refer to Section 7.3.1.
RBSUSAR7.6-8August19877.6.1.3 Neutron Monitoring System (NMS)The safety-related portions of the NMS are as follows:1.Intermediate Range Monitor (IRM) 2.Power Range Monitors (PRM)a.Local Power Range Monitor (LPRM) b.Average Power Range Monitor (APRM).System FunctionThe NMS instrumentation and controls are designed to monitor reactor power (neutron flux)from startup through full power operation.System OperationThe NMS uses incore detectors, either fixed (LPRM) or removable (IRM), to determine neutronflux levels.The NMS initiates a scram when predetermined limits are exceeded and provides operatorinformation during and after accident conditions.The NMS component control logic is shown in Fig. 7.6-2.
7.6.1.3.1 Intermediate Range Monitor (IRM)
IRM FunctionThe IRM monitors neutron flux from the upper portion of the SRM range to the power portion ofthe power range as shown in Fig. 7.6-3.IRM OperationThe IRM has eight channels, each of which includes one detector that can be positioned in thecore by remote control. Refer to Fig. 7.6-4. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is placed in the RUN position.Each detector assembly consists of a fission chamber attached to a low-loss,quartz-fiber-insulated transmission cable. When coupled to the signal conditioning equipment, the detector produces a reading of full scale on the most RBSUSAR7.6-9August1987sensitive range. The detector cable is connected underneath the reactor vessel to a triple-shieldedcable that is connected to the preamplifier.The preamplifier converts current pulses to voltage pulses, modifies the voltage signal, andprovides impedance matching. The preamplifier output signal is then sent to the IRM signal conditioning electronics.Each IRM channel input signal from the preamplifier can be amplified and attenuated. IRMpreamplification is selected by a remote range switch that provides 10 ranges of increasing attenuation (the first 6 called low range and the last 4 called high range). As the neutron flux of the reactor core increases, the signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter, a remote meter, and
recorder.The IRM scram trip functions are discussed in Section 7.2.1.1. The IRM trips are in theTechnical Specifications.The IRM range switches must be upranged or downranged to follow increases and decreases inpower within the range of the IRM to prevent either a scram or a rod block. The IRM detectors must be inserted into the core whenever these channels are needed, and withdrawn from the core, when permitted, to prevent unnecessary burnup.7.6.1.3.2 Power Range Monitor (PRM) 7.6.1.3.2.1 Local Power Range Monitor (LPRM)
LPRM FunctionThe LPRMs provide localized neutron flux detection over the full power range for input to theAPRM.LPRM OperationThe LPRM includes 132 detectors located at 33 locations at different axial heights in the core;each detector location contains four fission chambers. Fig. 7.6-5 shows the LPRM detector radial layout scheme.The LPRM assembly consists of four neutron detectors installed in a housing (Fig. 7.6-6).
RBSUSARRevision27.6-10August1989The chambers are vertically spaced in a way that gives adequate axial coverage of the core,complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies.Each chamber consists of two concentric cylinders, which act as electrodes. The inner cylinder(the collector) is mounted on insulators and is separated from the outer cylinder by a small gap.
The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated outer electrode. The chamber is operated at a polarizing potential of approximately 100 V dc. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage.Each location contains a calibration tube for a traversing incore probe. The enclosing tubearound the entire assembly contains holes that allow circulation of the reactor coolant water to cool the tubes containing the ion chambers.The current signals from the LPRM detectors are transmitted to the LPRM amplifiers in the maincontrol room. The current signal from a chamber is transmitted directly to its amplifier through coaxial cable. The amplifier is a linear current amplifier whose voltage output is proportional to the current input and therefore proportional to the magnitude of the neutron flux. Low level output signals are provided that are suitable as an input to the computer, recorders, etc. The output of each LPRM amplifier is isolated to prevent interference of the signal by inadvertent grounding or application of stray voltage at the signal terminal point.2When a central control rod is selected for movement, the output signals from the amplifiers associated with the 4 LPRM detectors adjacent to the selected control rod are displayed on the reactor control display module. The 4 LPRM detector signals from the selected LPRMS are displayed in four windows. The operator can readily obtain readings of all the LPRM amplifiers by selecting the control rods in order.
2The trip circuits for the LPRM provide trip signals to activate lights, instrument inoperative signals, and annunciators. These trip circuits use the 24-V dc power RBSUSARRevision127.6-11December1999supply and are set to trip on loss of power. They also trip when power is not available for theLPRM amplifiers.The trip levels can be adjusted to within +0.5 percent of full-scale deflection and are accurate towithin +1 percent of full-scale deflection in the normal operating environment.Each LPRM channel may be individually bypassed. When the maximum number of bypassedLPRMs associated with any APRM channel has been exceeded, an inoperative trip is generated by that APRM.Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. Thechambers are designed to operate up to 600°F and 1,250 psig.Power for the LPRM is supplied by the two RPS buses. Approximately half of the LPRMs aresupplied from each bus. Each LPRM amplifier has a separate power supply in the main control room, which furnishes the detector polarizing potential. This power supply is adjustable from 75 to 200 V dc. The maximum current output is 3 milliamps. This ensures that the chambers can be operated in the saturated region at the maximum specified neutron fluxes. For maximum variation in the input voltage or line frequency, and over extended ranges of temperature and humidity, the output voltage varies no more than 2 V. Each rack of amplifiers is supplied operating voltages from a separate low voltage power supply.129 PBDS FunctionThe Average Power Range Monitoring (APRM) Pages A and B house a Period Based Detection System (PBDS) cards which are designed to detect and provide indication of significant reductions in reactor stability performance.The PBDS cards are installed in response to NRC GL 94-02, Long-term Solutions and Upgradeof Interim Operating Recommendations for Thermal Hydraulic Instabilities in BWRs.The function of the Period-Based Detection System (PBDS) cards is to detect conditionsconsistent with significant reduction in stability performance consistent with the imminent onset of neutronic/thermal hydraulic instability. Each PBDS card independently analyzes a maximum of sixteen (16) pre-selected individual LPRM neutron flux signals utilizing the Period-Based Algorithm. The PBDS cards are designed to provide alarming capabilities, however, they can be placed in bypass until full implementation of the Enhanced Option 1 Stability solution.The PBDS cards are installed in the Class 1E APRM Pages A and B. Sixteen (16) separateLPRM analog signals are connected to the inputs of each PBDS card. A remote data acquisition system located in the Main Control Room monitors and stores data from 912 RBSUSARRevision127.6-11aDecember1999129each PBDS card. A fiber optic transmitter on each PBDS card provides for a digital fiber optic link to the non-Class 1E data acquisition system.The various parameters recorded by the data acquisition system will be utilized to monitorLPRM noise data which will aid in determining the corner frequency and period tolerance. This information will be used for input signal filtering. The decay ratio alarm outputs are not utilized.
97.6.1.3.2.2 Average Power Range Monitor (APRM)11FCTR FunctionIn response to NRC GL 94-02, Long-term Solutions and Upgrade of Interim Operating Recommendations for Thermal Hydraulic Instabilities in BWRs, the hardware installation for the RBS long term solution has been implemented. This hardware installation includes two Period Based Detection System (PBDS) cards and the replacement of the analog Flow Control Trip Reference (FCTR) cards with new Enhanced Option 1A (E1A) digital FCTR cards in APRM pages A through H.The new E1A FCTR card defines the reactor operating domain stability regions that have beendetermined to be susceptible to reactor power instabilities. Reactor operation in these regions is excluded or controlled automatically with the new E1A FCTR card. The E1A FCTR card implements this safety-related stability function by preventing reactor operation in the Exclusion Region, and by limiting reactor operation within the Restricted Region. The Exclusion Region boundary is the APRM core flow-biased Neutron Monitoring System (NMS) scram trip reference. The Restricted Region boundary is the APRM upscale alarm and associated core flow-biased NMS control rod block trip referenced. Both trip references have associated trip reference trip setup, single/two loop recirculation loop operation features, which are accommodated by individual trip reference setpoint options, power-based trip reference adjustments, and alternate trip reference selections.
12The E1A FCTR card determines the specific trip reference setpoint, based upon the alternate trip reference selection, the single/two recirculation loop selector, and the trip reference setup selection. The modification of the scam and control rod block trip reference setpoints, which exhibit non-linear relationships to the input recirculation drive flow signal, 11 RBSUSARRevision127.6-11bDecember19991211increase the complexity of the trip reference function. For this reason, the existing analog FCTR cards are replaced with digital FCTR cards that use a microcontroller to implement and control
all card features.The remote data acquisition system originally provided for the PBDS cards monitors and storesdata from the E1A FCTR cards. A fiber optic transmitter on each E1A FCTR card provides for a digital fiber optic link to the non-Class 1E data acquisition system.
11 12APRM FunctionThe function of the APRM is to average signals from the LPRMs and provide a flow referencereactor scram when neutron flux exceeds predetermined limits.APRM OperationThe APRM has eight redundant channels. Each channel uses input signals from a number ofLPRM channels. Four APRM channels are associated with each trip system of the RPS.The APRM channel uses electronic equipment that averages the output signals from a selectedset of LPRMs, trip units that actuate automatic devices, and signal readout equipment. Each APRM channel can average the output signals from as many as 24 LPRMs. Assignment of LPRMs to an APRM follows RBSUSARRevision87.6-12August1996the pattern shown in Fig. 7.6-6. Position A is the bottom position, Positions B and C are abovePosition A, and Position D is the topmost LPRM detector position. The pattern provides LPRMsignals from all four core axial LPRM detector positions.The APRM amplifier gain can be adjusted by combining fixed resistors and potentiometers toallow calibration. The averaging circuit automatically corrects for the number of unbypassed LPRM amplifiers providing inputs to the APRM.
Refer to Section 7.2.1 for a further description of the APRM inputs to the RPS.
The APRM channels receive power from the 120 V ac RPS motor-generator sets.
7.6.1.4 Radiation Monitoring System (RMS)
The safety-related portions of the RMS that perform a control function are:1.Fuel building ventilation exhaust radiation monitors (Section 7.3.1.1.15) 2.Main control room local outside air intake radiation monitors (Section 7.3.1.1.9) 3.Reactor building annulus exhaust radiation monitors (Section 7.3.1.1.4)84.Main steam line radiation monitors (Section 7.3.1.1.2).8The safety-related portions of the RMS that provide indication to the operator only, and are discussed in Section 7.5, are:1.Main plant exhaust duct radiation monitors 2.RHR heat exchanger service water radiation monitors 3.Standby gas treatment effluent radiation monitors 4.Containment atmosphere radiation monitor 5.Drywell atmosphere radiation monitor 6.Main control room remote outside air intake radiation monitors RBSUSARRevision107.6-13April19987.Reactor building containment post-accident area radiation monitors.7.6.1.5 Fuel Pool Cooling (FPC) SystemSystem FunctionThe function of the FPC system is to remove decay heat from the spent fuel storage pool toensure adequate cooling of irradiated store fuel assemblies.System OperationSchematic arrangements of the FPC system mechanical equipment and operator informationdisplays are shown in Fig. 9.1-23a and 9.1-23b. The FPC system component control logic is shown in Fig. 7.6-7. Instrument location drawings and elementary diagrams are identified in
Section 1.7.The FPC system consists of two redundant cooling loops. The system is manually initiated, andone loop runs continuously when the pool contains spent fuel.Instrumentation is provided to monitor the spent fuel storage pool temperature and level to allowthe main control room operator to assess system operations. Instrumentation is also provided to monitor the level of the fuel storage pool in the containment.During a LOCA the FPC system containment isolation valves are automatically closed, therebyisolating the containment pools from the FPC system.Status lights in the main control room indicate the motor-driven pumps which are energized andthe position of the FPC system valves.The instrumentation requirements for this system are contained in Section 9.1.3.5.
7.6.1.6 Penetration Valve Leakage Control System (PVLCS)
System Function10The function of the PVLCS is to minimize the release of fission products which could leak through the associated penetrations of main steam and drain lines that penetrate the containment and terminate in an untreated area. Instrumentation requirements with associated pressure control for this system are contained in Section 9.3.6.5.
10 RBSUSARRevision107.6-14April1998System Operation10The PVLCS component control logic is shown in Fig. 7.6-8. Instrument location drawings and elementary diagrams are shown in Section 1.7.The PVLCS is manually actuated approximately 20 min after a LOCA.Although manually actuated, instrumentation is provided to assure that there is sufficient air supply at the normal pressure to open the injection valves when the pressure is normal, and that the isolation valves open only when the main steam and drain lines pressure is below a certain value.10Status lights in the main control room indicate the status of the motor-driven compressor and the position of the PVLCS valves.7.6.1.7 Rod Pattern Control System (RPCS)
System FunctionThe RPCS is a subsystem of the RC&IS.
The purpose of the RPCS is to reduce the consequences of the postulated rod drop accident to anacceptable level by restricting the patterns of control rods that can be established to predetermined sets.System OperationSchematic arrangements of the RPCS mechanical equipment and operator information displaysare shown in Fig. 7.7-2. The RPCS component control logic is shown in Fig. 7.7-1. Instrument location drawings and elementary diagrams are identified in Section 1.7.The RPCS is a dual channel system designed as a safety-related system. The control logic for theRPCS is contained in the rod activity control cabinets, one cabinet for each division. These electronic circuits have, in permanent storage, the identification of all rod groups and logic control information required to prevent movement of rods into unacceptable rod patterns. The logic is hardwired RBSUSARRevision127.6-15December1999is not site programmable except through engineering design change requiring new electronic circuit cards.There is a dual rod position probe for each drive. Each probe has two sets of reed switches forrod position information and provides, through different connectors, inputs to different rod position multiplexers. Two rod position multiplexers are provided, one for each channel. These multiplexers transmit rod position data to the rod action controls. These controls decode the multiplexed data and provide rod position data to the RPCS controller for all rods. The rod position multiplexers and controls are arranged in two divisions.Rod position is the primary data input for RPCS. Other inputs to the RPCS controllers includereactor power level, mode of operation, identification of selected rod, drive mode requested by the operator, and special modes of operation such as shutdown margin test.A means of comparing the outputs of the RPCS logic devices is provided as a way of monitoringthe performance of the two channels. Both channels must be operable and have identical outputs before rod motion is permitted. Failed comparison and circuit failures or inoperable conditions are indicated in the main control room. RPCS outputs are transmitted to the two activity control sections of the RC&IS in the form of a rod select and drive permissive interlock. The two RPCS channels provide inputs separately to the two separate activity controls. These two inputs are then treated as other rod block interlocks and further compared in the nondivisional rod drive portion of the RC&IS.From 0 percent power and 100 percent rod density (all rods full-in) either sequence A or B maybe used for startup. The first rod selected determines which sequence will be used. This rod belongs to one of four rod groups (Section 4.3). These groups must be withdrawn from full-in to full-out and always from a checkerboard pattern in the core. Any group number (1, 2, 3, 4) may be selected as the first group selected for withdrawal. Groups 1 and 2 must be fully withdrawn before group 3 or 4, or groups 3 and 4 before 1 or 2.12The first two groups are always moved from full-in to full-out. These motions can be either single notch or continuous withdrawal. One-fourth of all the control rods are full-out when this criteria is accomplished.
12 RBSUSARRevision157.6-16May200212The next two groups are moved into banked or intermediate positions between full-in and full-out. There are three bank positions (N1, N2, N3) which are determined by physics analysis.
These positions are part of the permanent logic of the RPCS but may vary from fuel cycle to fuel cycle, requiring new circuit cards. All control rods within a group must be withdrawn to their designated positions before proceeding to the next bank positions.All control rods within a group must be withdrawn to full-out before proceeding to the next rodgroup. Thus, all rods in the first four groups are fully withdrawn and form a checkerboard pattern establishing 50 percent rod density.Two insert errors are allowed; that is, a rod which should be at N1 is either full-in or betweenfull-in and N1. More than two insert errors and/or one withdraw error leads to a rod block.
Correction of errors is allowed, but withdraw errors must be corrected before insert errors.From 50 percent rod density to the low power set point (LPSP), groups 5-10 are to be withdrawnas follows: rod groups 5 and 6 are to be withdrawn to notch positions 00->N1->48. N1 is to be a flexible input which may vary from fuel cycle to fuel cycle.Any group may be selected next; however, if rods in group 7 or 8 are moved first, rods in groups9 and 10 cannot be moved until all rods contained in groups 5 and 6 and 7 or 8 are at notch
position >N1. If rods in group 9 or 10 are moved first, rods in groups 7 and 8 cannot be moveduntil all rods contained in groups 5 and 6 and 9 or 10 are at notch position >
N1.12*15When the LPSP is reached, restrictions on rod movement to minimize the consequences of a rod drop accident are no longer imposed. This setpoint is well above the point at which the rod drop accident consequences are no longer limiting and is determined to be at 10 percent power level.
This power level is derived by measuring first stage turbine pressure using transmitters and alarm units. There are two channels of instruments which are redundant and separated divisionally.
These trip functions are input to the proper rod activity control cabinet, and both instrument channels must trip to switch the RPCS to the rod withdrawal limitor mode. These instruments are continuously monitored, and any RBSUSARRevision157.6-17May2002instruments out of service or gross failure is alarmed and indicated in the main control room.From the LPSP on up in power, rod withdrawals are restricted to prevent excessive change in theheat flux rate. The minimum setpoint of 10 percent power level is well below the analytical maximum for this setpoint. From the LPSP to the high power setpoint (HPSP), rod motion is limited to four notches (2 ft) and from the HPSP on up in power, rod motion is limited to two notches (1 ft). The HPSP, which has been determined to be at 70 percent power level, provides adequate margin from the analytical point at which the 1-ft restriction on rod motion is required.
15*14An exception to the rod withdrawal limits is possible for a single control rod that is selected, subsequently inserted, to be withdrawn back to its original position without a rod block and withdrawn 1 or 2 feet beyond its original position as limited by the RWL. For this situation administrative controls are utilized to ensure that assumptions for the RWL design remain consistent with existing analysis that supports the Rod Withdrawal Error event described in SAR
section 15.4.2.
14Shutdown follows the same rules previously stated but in reverse. The only difference is that an approach alarm, called the low power alarm point, is provided so that the operator may prepare valid rod positions for proper shutdown below the LPSP.12Because of the possibility of stuck rods, provisions are made to bypass failed inputs according to the following rules. Substitute rod positions may be entered into the RPCS providing:
121.Only one entry per channel per subgroup is allowed.2.The same position cannot be entered into both channels.
3.Upon rod motion and a new position scan, the substitute rod position isoverlayed with new data.4.Unknown and substitute positions are logged and indicated in the main controlroom.Failed drives may be bypassed entirely. Bypassed rods are not checked by the RPCS. All bypassswitches are under keylock control. All bypass conditions including substitute rod positions are alarmed, indicated, and logged in the main control room and process computer.In addition to the periodic self-test mode of system operation, the RC&IS can be routinelychecked for correct operation by manipulating control rods using the various methods of control.
Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.
RBSUSAR7.6-18August19877.6.1.8 Safety Relief Valves (SRV) - Relief FunctionSRV Relief FunctionThe relief function of the SRV is to relieve high pressure conditions in the nuclear system thatcould lead to the failure of the reactor coolant pressure boundary. The system activates the safety relief valves to vent steam to the supression pool and reduce reactor pressure. See Section 5.2.2 for further details. Also, see Section 7.3.1.1.1.2 for the ADS function of selected SRV.SRV Relief OperationSchematic arrangement of system mechanical equipment and operator information displays areshown in Figure 5.1-3. The SRV component control logic is shown in Figure 7.3-2. Instrument location drawings and elementary diagrams are identified in Section 1.7.The relief function of the SRV is provided by two redundant and independent trip systems, "A"and "B." Relief trip system "A" actuate the "A" solenoid air pilot valve on each SRV. Similarly, relief trip system "B" actuates the "B" solenoid pilot valve on each SRV. Either or both solenoid actuations allow pneumatic pressure from the accumulator to act on the air cylinder operator and open the valve.Operation of the SRV is initiated by high reactor vessel pressure. Redundant reactor vesselpressure channels are provided in each trip system which operate in a two-out-of-two configuration in order to prevent inadvertent SRV actuation. Each trip system provides the following capabilities:1.Initiate operation of three groups of SRVs at the respective pressure set points.This feature automatically adjusts the relief capacity to the size of the overpressure condition. The reclose pressure setpoint (reset) for any group is separately adjusted, and adequate deadband is provided to eliminate rapid open/close operation and minimize system stresses.2.Alter set points on selected valves to minimize the number of valves that reopenfollowing the initial pressure surge. In order to assure that no more than one relief valve reopens following a reactor isolation event, five SRV valves are provided with lower opening and closing set points. These set RBSUSARRevision107.6-19April1998points override the normal set points following the initial opening of the reliefvalves and act to hold these valves open longer, thus preventing more than a single valve from reopening subsequently. This system logic is referred to as the low-low set point relief logic and functions to ensure that the containment integrity is not threatened on subsequent ADS actuations. This logic is armed when two or more valves are signaled to open from their normal relief pressure switches. At this time, the low-low set logic automatically seals itself into control of the five selected valves and actuates the annunciator. This logic remains sealed in until manually reset by the operator.10Since the valves have already opened from their original pressure relief signals, the low-low set logic acts to hold them open past their normal reclose point until the pressure decreases to a predetermined low-low setpoint. Thus these valves remain open longer than the other safety/relief valves. This extended relief capacity assures that no more than one valve reopens a second time. Also, the sealed-in logic provides the low-low set valves with new reopening set points which are lower than their original safety/relief set points. The "medium" low-low set valve acts as a backup for the "low" low-low set valve, should it mechanically fail. See Section 5.2.2 for further system description.
10The low-low set logic is designed with redundancy and single failure criteria, i.e., no single electrical failure 1) prevents any low-low set valve from opening, or 2) causes inadvertent seal-in of low-low set logic.The five valves associated with low-low set are arranged in three independentsecondary set point groups or ranges (low, medium, high). The low and medium pressure ranges consist of one valve each, having both reopen and reclose set points independently and uniquely adjustable. These are set considerably lower than their normal SRV set points. The remaining valves are individually controlled by new pressure switches which have an independently adjustable reclose set point. The normal SRV opening set points are slightly lower for this valve group though reclose is extended in the low-low set operating mode.
RBSUSAR7.6-20August1987The pressure switches are arranged in two divisions for each low-low set valve.The single-failure criterion is thus met for this function.The SRV system has two low-low set point logics, one in Division 1 and theother in Division 2. Either one can perform the low-low set function. Each valve has its own set of pressure switches. A key-locked switch which has a normal and a test position is provided for each division. The key is removable only in the normal position. When the key is inserted and switched to test, an annunciator alerts the operator of the test status of that division. In the test mode, all of the valves except the specific one under test remain responsive to the high reactor pressure signals should they occur. Indicator lights are switched in series with the solenoid coils on the low-low set valve to facilitate logic testing.Manual system level initiation capability is included in each trip system. Remote manualswitches are installed in the main control room. Lights in the main control room indicate when the solenoid-operated pilot valves are energized to open a safety relief valve.7.6.1.9 Suppression Pool Temperature Monitoring System The suppression pool temperature monitoring system is provided so that trends in suppressionpool temperature may be established in sufficient time for appropriate action to be taken to prevent steam quenching vibration in the suppression pool and to maintain the available heat sink required for reactor shutdown without exceeding the design bulk pool temperature of 185°F.The suppression pool temperature monitoring system consists of 14 dual element resistancetemperature detectors (RTDs) powered from Class 1E electrical power (see Table 7.6-1 for the electrical division, mark number, and location of each monitor). Of these 14 monitors, 4 are used for post-LOCA monitoring. The output of both normal pool temperature monitoring sensors and post-LOCA sensors are recorded in the main control room. The temperature sensors and their supports will withstand pool dynamic forces and operate in a post-LOCA environment. The sensors for normal and post-accident suppression pool temperature monitoring are located below the normal low water level and the post-LOCA ECCS drawdown water level of the suppression pool, respectively.
RBSUSARRevision87.6-21August19967.6.1.10 Design Basis InformationThe safety-related systems described in Section 7.6 are designed to provide timely protectiveaction inputs to other safety systems to protect against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in Chapter 15.The station conditions which require protective actions are described in Chapter 15 and Appendix 15A.1.Variables Monitored to Provide Protective ActionsThe following variables are monitored in order to provide protective action inputs:a.Recirculation Pump Trip(1)Turbine stop valve closure (2)Turbine control valve fast closure8b.Leak Detection System(1)RCIC area temperatures - ambient (2)RHR/RCIC steam line flow rate (3)RCIC turbine exhaust diaphragm pressure (4)RCIC steam line pressure (5)RHR area temperatures - ambient (6)RWCU area temperatures - ambient (7)RWCU differential flow 8c.Neutron Monitoring System(1)IRM neutron flux (2)APRM neutron flux RBSUSARRevision137.6-22September2000d.Radiation Monitoring System13(1)Fuel building ventilation exhaust radiation level(2)Main control room local air intake radiation level (3)Main steam line radiation level 13e.Fuel Pool Cooling System(1)High drywell pressure (2)Reactor vessel low water level (trip level 2)
(3)Fuel pool high temperature (4)Fuel pool high and low water level (5)Containment pool high and low water levelf.Penetration Valve Leakage Control System(1)Reactor drywell pressure10 10g.Rod Pattern Control System(1)Reactor power level (2)Control rod selectionh.Safety Relief Valves: Relief Function(1)Reactor vessel pressure RBSUSAR7.6-23August1987The plant conditions which require protective action involving the safety-relatedsystems discussed in Section 7.6 are described in Chapter 15 and
Appendix 15A.2.Location and Minimum Number of SensorsSee Technical Specifications for the minimum number of sensors required tomonitor safety-related variables. The IRM and LPRM detectors are the only sensors which have spatial dependence.3.Prudent Operational LimitsOperational limits for each safety-related variable trip setting are selected withsufficient operating levels so that a spurious safety system initiation is avoided.
It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or nuclear system process barrier, is kept within acceptable bounds.4.MarginThe margin between operational limits and the limiting conditions of operationof the safety-related systems are those parameters listed in the Technical
Specifications.5.LevelsLevels requiring protective action are established in the Technical Specifications.6.Range of Transient, Steady State, and Environmental ConditionsThe environmental qualification of the safety-related instrumentation andcontrols for the systems is discussed in Section 3.11. The power supply range of steady-state and transient conditions for these systems are provided in Chapter 8.
RBSUSAR7.6-24August19877.Malfunctions, Accidents, and Other Unusual Events Which Could CauseDamage to Safety Systemsa.FloodsThe buildings containing safety-related components have been designedto meet the PMF at the site location. This ensures that the buildings remain watertight under PMF, including wind-generated wave action and wave runup. Therefore, none of the functions are affected by flooding. For a discussion of internal flooding protection refer to
Sections 3.4 and 3.6.b.Storms and TornadoesThe buildings containing safety-related components have been designedto withstand all credible meteorological events including tornadoes, as
described in Section 3.3.c.EarthquakesThe structures containing safety-related system components have beenseismically qualified as described in Sections 3.7 and 3.8 to remain functional during and following an SSE. Seismic qualification of instrumentation and electrical equipment is described in Section 3.10.d.FiresTo protect the safety systems in the event of a postulated fire, thecomponents have been separated by distance or fire barriers. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the safety function is not prevented (Section 9.5).e.LOCAThe safety-related systems components described in this section whichare functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in RBSUSAR7.6-25August1987 Section 3.11. Chapter 15 describes the effects of a LOCA.f.Pipe Break Outside Secondary ContainmentProtection for these components is described in Section 3.6. Chapter 15describes the effects of a pipe break outside containment.g.MissilesProtection for safety-related components is described in Section 3.5.h.Minimum Performance RequirementsMinimum performance requirements for safety-related systemsinstrumentation and controls are provided in Technical Specifications.7.6.1.11 Final System Drawings The final system drawings, including:1.Piping and Instrumentation Diagrams (P&ID) or Instrument and ElectricalDrawings (IED), and2.Functional Control Diagrams (FCD) or Logic Diagrams (LSK)have been provided or referenced for the safety-related systems in this section.
Elementary diagrams are in listed in Section 1.7. Equipment arrangement drawings are provided in Section 1.2.Functional and architectural design difference between the PSAR and FSAR are listed inTable 1.3-8.7.6.1.12 Suppression Pool Pumpback System System FunctionThe suppression pool pumpback system (SPPS) provides the operator with the means to identifyand control potential post-LOCA leakage from the ECCS equipment and piping in the auxiliary building crescent area at el 70. The design basis and system description are contained in
Section 9.3.7.
RBSUSARRevision107.6-26April1998System OperationControl logic for the SPPS is shown on Fig. 7.6-10.10During normal plant operation, the level sensor 1DFR*LE8A(B) in auxiliary building floor drain sump 1DFR-TK5A(B) operates sump pumps 1DFR*P5A(B) and 1DFR*P5D(E) as required to discharge sump contents through air-operated valve 1DFR*AOV145(144) to the liquid radwaste system.10Following a postulated LOCA event, the control room operator can open by remote manual switch the suppression pool pumpback valve 1DFR*MOV146 which automatically closes 1DFR*AOV144(145) thereby isolating the sump pump discharge from the liquid radwaste system and directing sump pump discharge to the suppression pool.Pump running status and valve position are indicated in the main control room. Extreme highsump level and high-high sump level are annunciated in the main control room.Pump and valve inoperative status is indicated and system inoperative status is annunciated in themain control room.Pumps, valves, and level instrumentation for this system are powered from Class 1E power.
7.6.2 Analysis
7.6.2.1 Safety-Related Systems Chapter 15 evaluates the individual and combined capabilities of the safety-related systems described in this section.The safety-related systems described in this section are designed in such a way that a loss ofinstrument air, cold water slug injections, overpressurization, fires, a plant load rejection, or a turbine trip does not prevent the completion of the safety function.7.6.2.2Conformance to Title 10 Code of Federal Regulations, Part 50 (10CFR50) Appendix A -General Design Criteria (GDC)The conformance discussion provided in Section 3.1 for the GDC applies to the safety-relatedsystems as identified in Table 7.1-3.
RBSUSAR7.6-27August19877.6.2.3Conformance to IEEE StandardsThe following is a discussion of conformance to those IEEE standards which apply specificallyto the safety-related systems described in this section. Refer to Section 7.1.2.3 for a generic discussion of IEEE standards which apply to the safety-related systems as identified in Table 7.1-3.1.IEEE 279-1971 Criteria for Protection Systems for N uclear P ower Generating Stationsa.General Functional Requirem ent (IEEE 279-1971, Paragraph 4.1)The safety-related systems described in this section automatically(except as noted) initiate protective actions when a condition monitored reaches a preset level for all conditions described in Section 7.6.1. For example, the LDS initiates containment isolation by closure of containment isolation valves when area temperatures exceed preset limits.b.Single Failure Criterion (IEEE 279-1971, Paragraph 4.2)The safety-related systems described in Section 7.6 are not required tomeet single failure criteria on an individual system basis. However, on a network basis, the single failure criteria does apply to assure the completion of a protective function. Redundant sensors, wiring, logic, and actuated devices are physically and electrically separated such that a single failure does not prevent the protective function. Refer to Section 8.3.1 for a complete description of the RBS separation criteria.c.Quality of Components and Modules (IEEE 279-1971, Paragraph 4.3)
Refer to Chapter 17 for a discussion of S afety system component quality.
RBSUSAR7.6-28August1987d.Equipment Qualification (IEEE 279-1971, Paragraph 4.4)
For a discussion of the equipment
qualification refer to Sections 3.10 and 3.11.e.Channel Integrity (IEEE 279-1971, Paragraph 4.5)For a discussion of channel integrity for the safety-related systemsdescribed in this section under all extremes of conditions described in
Section 7.6.1.8 refer to Sections 3.10, 3.11, 8.2.1, and 8.3.1.f.Channel Independence (IEEE 279-1971, Paragraph 4.6)System channel independence is maintained as
described in Section 8.3.1.4.g.Control and Protection System Interaction (IEEE 279-1971, Paragraph 4.7)There are no control and protection system interactions for the systems described in t his s ection.h.Derivation of System Inputs (IEEE 279-1971, Paragraph 4.8)The variables discussed in this section are d irect measures of the desired variables i ndicating t he n eed f or protective action.i.Capability for Sensor Checks (IEEE 279-1971, Paragraph 4.9)For a discussion of sensor checks for the safety-related systemsdescribed in this section refer to Regulatory Guide 1.22 in
Section 7.6.2.4.j.Capability for Test and Calibration (IEEE 279-1971, Paragraph 4.10)For a discussion of the test and calibration capability of thesafety-related systems described in this section refer to Regulatory
Guide 1.22 in Section 7.6.2.4.
RBSUSAR7.6-29August1987k.Channel Bypass or Removal from Operation (IEEE 279-1971, Paragraph 4.11)See Section 7.2.2.2 for NMS compliance with IEEE 279-1971.The LDS logic is provided with a bypass/test switch for the purpose oftesting temperature sensors without initiating associated system isolation. Operation of one switch at a time does not prevent the remaining redundant isolation logic from providing system isolation if
required.l.Operating Bypasses (IEEE 279-1971, Paragraph 4.12)There are no operating bypasses for any of the safety-related systems described in this section.m.Indication of Bypasses (IEEE 279-1971, Paragraph 4.13)For a discussion of automatic bypass indication for the safety-relatedsystems described in this section refer to Section 7.1.8, Regulatory
Guide 1.47.n.Access to Means for Bypassing (IEEE 279-1971, Paragraph 4.14)Access to bypassing any safety action or function is under administrativecontrol. The operator is alerted to bypasses as described in Section 1.8, Regulatory Guide 1.47.o.Multiple Set Points (IEEE 279-1971, Paragraph 4.15)There are no multiple set points within the safety-related systems described in this section.p.Completion of Protective Action Once It Is Initiated (IEEE 279-1971,Paragraph 4.16)Each control logic for the safety-related systems described in this sectionseals in electrically and remains energized or RBSUSARRevision107.6-30April1998deenergized. After initial conditions return to normal, deliberateoperator action is required to return (reset) the safety system logic to normal.The FPC system is initiated manually for continuous pool cooling when the pool contains spent fuel.10 10q.Manual Initiation (IEEE 279-1971, Paragraph 4.17)For a discussion of the manual initiation capability for the safety-relatedsystems described in this section refer to Regulatory Guide 1.62 in
Section 1.8.r.Access to Set Point Adjustments, Calibration, and Test Points (IEEE279-1971, Paragraph 4.18)During reactor operation access to set point adjustments, calibrationcontrols, and test points for the safety-related systems variables described in this section is under administrative control.s.Identification of Protective Actions (IEEE 279-1971, Paragraph 4.19)When any sensor of the safety-related systems described in this sectionexceeds its predetermined set point a main control room annunciator is initiated to identify that variable, and a typed record is available from the process computer.t.Information Readout (IEEE 279-1971, Paragraph 4.20)The safety-related systems described in this section are designed toprovide the operator with accurate and timely information pertinent to their status. This information does not give anomalous indications confusing to the operator.
RBSUSAR7.6-31August1987u.System Repair (IEEE 279-1971, Paragraph 4.21)During periodic testing of the safety-related systems described in thissection (except as noted) the operator can determine any defective component and replace it during plant operation.Replacement of IRM and LPRM detectors must be accomplished duringplant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair.v.Identification of Protection Systems (IEEE 279-1971, Paragraph 4.22)The identifications scheme for the safety systems is discussed in Section 8.3.1.7.6.2.4 Conformance to NRC Regulatory Guides The following is a discussion of conformance to those Regulatory Guides which applyspecifically to the safety-related systems discussed in this section. Refer to Section 7.1.2.4 for a generic discussion of Regulatory Guides which apply to the safety-related systems, identified in Table 7.1-3.1.Regulatory Guide 1.21Online monitors are provided for all potentially significant paths forrelease of radioactive material. For those effluent paths having two or more significant contributing sources, online monitoring of the contributing sources is also provided as suggested.2.Regulatory Guide 1.22See Section 7.2.2.3 for NMS conformance.
The IRMs are calibrated by comparison with the APRMs.
The proper operation of the sensors and the logics associated with theLDSs is verified during the LDS preoperational test and during
inspection tests RBSUSAR7.6-32August1987that are provided for the various components during plant operation.Each temperature switch, both ambient and differential types which provide isolation signals, is connected to one element of a dual thermocouple element.Each temperature switch contains a trip light which illuminates when thetemperature exceeds the set point. To verify the thermocouple (sensor) input, a comparison of the redundant sensor readings, one from each trip channel, and the recorded channel is made. The recorded channel monitors the second of the dual thermocouples. The first element is part of the division one trip channel. To test the temperature trips a simulated trip level signal is input to the device from an external source.
In addition, keylock switches are provided so that instrument and logic channels can be tested without sending an isolation signal to the system involved. Thus, a complete system check can be confirmed by checking actuation of the trip logic relay associated with each temperature switch.RWCU differential flow leak detection alarm units are tested byinserting an electrical signal to simulate a high differential flow. Alarm and indicator lights monitor the status of the trip circuit.All other system instrumentation is tested and calibrated during normalreactor operation by valving out the instrumentation and supplying a test pressure source or by comparison of redundant analog channels and introducing a trip signal at the trip unit.3.Regulatory Guide 1.45Provisions are made to monitor systems connected to the RCPB for signsof intersystem leakage, including radioactivity monitoring of process fluids and reactor vessel water level monitoring.The LDS is qualified for operation following an OBE.
Indicators and alarms for each leakage detection subsystem are providedin the main control room.
RBSUSAR7.6-33August19874.Regulatory Guide 1.53See IEEE 279-1971, Paragraph 4.2, Section 7.6.2.3.7.6.3 Safety-Related Instruments/Channels Located inNonseismic StructuresThe reactor protection system (RPS), reactor recirculation system (RCS), and the rod control andinformation system (RCIS) have Class 1E, fail-safe instrument channels originating in the turbine building, which is a nonseismic Category I structure. The sending instruments are identified as follows:Instrument No. (GE MPL)Associated SystemC71-N005A through DRPS, RCS(Turbine Control Valve
Fast Closure)C71-N006A through HRPS, RCS(Turbine Stop Valve
Closure)C11-N054A through DRCIS(First State Turbine
Pressure)B21-N075A through DCRVICS (Main Condenser Vacuum)B21-N076A through DCRVIS(Main Steam Line
Pressure)C71-N052A through DRCS(First Stage Turbine
Pressure)The subject instrument channels are classified as Class 1E in the function that each performs.The components associated with each channel are qualified in accordance with the River Bend Station equipment qualification program.All of the subject channels are designed to fail in a safe condition. The circuitry opens a contactto perform its safety function. Wiring for these instrument channels is routed in rigid metallic conduit for protection and to avoid RBSUSAR7.6-34August1987inadvertent connection of the subject channels to a low or medium voltage power source.The design of the wiring and instrument layout in the turbine building area for these instrumentchannels is such that no single, credible event can degrade the ability of the RPS, RCS, or RCIS to perform its safety function. An analysis for the effects of a 480-V ac hot short on any RPS channel has been performed and confirms that no safety functions are lost as a result. River Bend Station does not consider this event to be credible.
RBSUSAR7.7-1August19887.7CONTROLSYSTEMSNOTREQUIREDFORSAFETY7.7.1Description Section7.7describesinstrumentationandcontrolsofmajorplantcontrolsystemswhosefunctionsarenotessentialforthesafety oftheplant.Thesystemsinclude:1.Rodcontrolandinformationsystem(RC&IS) 2.Recirculationflowcontrolsystem 3.Feedwatercontrolsystem 4.Steambypassandpressureregulatingsystem 5.Refuelinginterlocks 6.Processcomputersystem 7.Emergencyresponseinformationsystem(ERIS) 8.Digitalradiationmonitoringsystem(DRMS).19.AlternateRodInsertion(ARI) 1RefertoTable7.7-2forsimilarityinsystemdesigntolicensed
reactors.7.7.1.1RodControlandInformationSystem(RC&IS)
RC&ISFunctionTheRC&ISprovidestheoperatorwiththemeanstomakechangesinnuclearreactivitybymanipulatingcontrolrodssothatthe reactorpowerlevelandpowerdistributioncanbecontrolled.Thissystemincludestheinterlocksthatinhibitrodmovement(rodblock)undercertainconditions.TheRC&ISdoesnotinclude anyofthecircuitryordevicesusedtoautomaticallyormanually scramthereactor;thesedevicesarediscussedinSection7.2.
Inaddition,themechanicaldevicesoftheCRDsandthecontrol rodhydraulicsystemarenotincludedintheRC&IS.Thelatter mechanicalcomponentsaredescribedinSection4.1.3.RC&ISOperationTheRC&ISincludesthefollowing:1.CRD-controlsystem RBSUSARRevision107.7-2April19982.Rodblockinterlocks3.Rodpositionprobes 4.Positionindicationelectronics.Therodpatterncontrolsystem,asubsystemofRC&IS,issafety-relatedanddiscussedinSection7.6.1.10Fig.4.6-5aand4.6-5bshowthelayoutoftheCRDhydraulic system.Fig.7.7-1showsthefunctionalarrangementofdevices forthecontrolofcomponentsintheCRDhydraulicsystem.The logicdiagramfortheRC&ISisshownonFig.7.7-2.Althoughthe figuresalsoshowthearrangementofscramdevices,thesedevices arenotpartoftheRC&IS.Controlrodsaremovedbywater pressure,fromaCRDpump,ontheappropriateendoftheCRD cylinder.Thepressurizedwatermovesapiston,attachedbya connectingrodtothecontrolrod.Threemodesofcontrolrod operationareused:INSERT,WITHDRAW,andSETTLE.Four solenoid-operatedvalvesareassociatedwitheachcontrolrodto accomplishtheseactions.
101.ControlRodDriveControlSystemWhentheoperatorselectsacontrolrodformotionandoperatestherodinsertioncontrolswitch,independent messagesareformulatedintheAandBportionsofthe roddrivecontrolsystem.Acomparisontestismadeof thesetwomessagesandidenticalresultsconfirmed; thenaserialmessageintheformofelectricalpulses istransmittedtoallhydrauliccontrolunits(HCU).
Themessagecontainstwoportions,1)theidentityor "address"oftheselectedHCU,and2)operationdataon theactiontobeexecuted.OnlyoneHCUrespondsto thismessageanditproceedstoexecutetherod movementcommands.OnreceiptofthetransmittedsignaltherespondingHCUtransmitsthreeportionsofamessagebacktothemain controlroomforcomparisonwiththeoriginalmessage:a.Itsownhard-wireidentity"address,"
b.Itsownoperationscurrentlybeingexecuted,and RBS USAR Revision 16 7.7-3 March 2003 c. Status indications of valve positions, accumulator conditions, and test switch positions. In a similar manner, rod withdrawal is accomplished by formulating a message containing a different operation code. The responding HCU decodes the message and proceeds to execute the withdrawal command by operation
of HCU valves shown on Fig. 7.7-2. 16 In either rod motion direction, the A and B messages are formulated and compared and, if they agree, the A
message is transmitted to the HCU selected by the operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are ac-coupled. The system must operate in a dynamic manner to effect rod motion. Postulated failure within the system generally results in static conditions which
prevent further rod motion. Any disagreement between the A and B formulated messages or the responding echo message prevents further rod motion. Electrical noise disruptions have only a momentary effect on system operation. Correct
operation of the system resumes when the noise source
ceases.The RC&IS is designed such that 3 basic commands are transmitted automatically and continuously to the
control rods. The commands are as follows:
1)OP FOLLOW 2)TEST 3)SCANThe selected rod command signal (OP FOLLOW) is processed approximately every 200 microseconds. The OP FOLLOW command transmits rod movement requests (if any) from the control room to the directional control
valves.Alternating between OP FOLLOW commands, is a set of TEST commands generated for a control rod. These are
diagnostic tests for directional control valves and transponder circuit cards. After 1 control rod is tested, the SCAN command replaces TEST. SCAN gathers HCU and rod status information. OP FOLLOW and SCAN
alternate until information for all 145 rods has been updated on the core display. This describes one
complete "sub-test" and takes approximately 48
milliseconds to complete.
16 RBS USAR Revision 16 7.7-3a March 2003 16 A minimum of 3 "sub-tests" and a maximum of 15 are generated for each rod. If no errors are returned for the first 3 "sub-tests," the testing sequence will proceed for the next rod. If any error is returned within the first 3 "sub-tests," then 12 additional
"sub-tests" will be completed before continuing to the next rod. If 7 errors out of the additional 12 "sub-
tests" are returned then the RC&IS analyzer will stop
and an alarm will be sounded.
A complete SCAN and TEST cycle for all 145 rods takes between (approximately) 20 and 100 seconds to complete.
16 The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selection condition.
Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has
completed the movement cycle.
RBS USAR Revision 16 7.7-4 March 2003 16 The direction in which the selected rod moves is determined by the position of four switches located on the reactor control panel. These four switches (INSERT, WITHDRAW, IN-TIMER SKIP, and CONTINUOUS WITHDRAW) are pushbuttons which return by spring action
to an off position. The following is a description of the operation of the RC&IS during an insert cycle. The cycle is described
in terms of the INSERT, WITHDRAW, and SETTLE commands
from the RC&IS. With a control rod selected for movement, depressing the insert switch and then releasing the switch energizes the INSERT command for a limited time. Just before the insert command is
removed, the settle command is automatically
energized and remains energized for a limited time. The insert command time setting and the rate of drive water flow provided by the CRD
hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-in) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the
IN-TIMER SKIP pushbutton. The IN-TIMER SKIP mode is provided for control rod insertion in the event of a malfunction of the rod
motion timer or a malfunction of any other device
in the control system select insert or rod insert circuits. Additionally, the IN-TIMER SKIP is used for various proceduralized control rod movements.
This mode is initiated by selecting a particular control rod, and moving and holding the IN-TIMER
SKIP pushbutton switch in the depressed position. The contact action of this switch, when held, initiates the transmission of an alternate program directly to the HCU transponder, bypassing the rod
motion timer, timer controlled circuits, and select in/out circuits. Power is continuously applied to the solenoids of the insert directional control valves, with both the stabilizing valve insert solenoids deenergized. Drive pressure is applied to the underpiston port of the selected
CRD, causing continuous control rod insertion until the switch is released, which removes power
from the directional control valves and reenergizes the stabilizing valve insert
solenoids.
16 RBS USAR Revision 16 7.7-5 March 2003 The following is a description of the operation of the RC&IS during a withdraw cycle. The cycle is described
in terms of the INSERT, WITHDRAW, and SETTLE commands. 16 With a control rod selected for movement, depressing the WITHDRAW switch energizes the insert valves at the beginning of the withdrawal cycle to allow the collet fingers to disengage the index tube. When the insert valves are deenergized, the withdraw and settle valves are energized for a controlled period of time. The withdraw valve is deenergized before motion is complete; the drive then settles until the collet fingers engage. The settle valve is then deenergized, completing the withdraw cycle. This withdraw cycle is the same whether the withdraw switch is held continuously or momentarily in the depressed position. The timers that control the withdraw cycle are set so that the rod travels one notch (6-in) per cycle. Provisions are included to prevent further control rod motion in the event
of timer failure. A selected control rod can be continuously withdrawn if the WITHDRAW switch is held in the depressed position at the same time that the CONTINUOUS WITHDRAW switch is held in the depressed position. With both switches held in these positions, the WITHDRAW and SETTLE commands
are continuously energized.
16 12 12 RBSUSARRevision127.7-6December199912122.ControlRodDrive-HydraulicSystemControl10Twomotor-operatedpressurecontrolvalves,one air-operatedflowcontrolvalve,andtwo solenoid-operatedstabilizervalvesareincludedinthe CRDhydraulicsystemtomaintainsmoothandregulated systemoperation.Thesedevicesareshownon Fig.4.6-5aand4.6-5b.Themotor-operatedpressure controlvalvesarepositionedbymanipulatingswitches inthemaincontrolroom.Theswitchesforthese valvesarelocatedclosetothepressureindicators thatrespondtothepressurechangescausedbythe movementsofthevalves.Theair-operatedflowcontrol valveisautomaticallypositionedinresponseto signalsfromanupstreamflowmeasuringdevice.The stabilizervalvesareautomaticallycontrolledbythe energizationoftheinsertandwithdrawcommands.The controlschemeisshownonFig.7.7-2.Therearetwo drivewaterpumpswhicharecontrolledbyswitchesin themaincontrolroom.Eachpumpautomaticallystops onindicationoflowsuctionpressure.
10 RBS USAR Revision 16 7.7-7 March 2003 3. Rod Block Interlocks A portion of the RC&IS, upon receipt of input signals from other systems and subsystems, inhibits movement or
selections of control rods. a. Grouping of Channels 16 16 Half of the total monitors (SRM, IRM, and APRM) provide inputs to one of the RC&IS rod block logic circuits and the remaining half provide inputs to the other RC&IS rod block logic circuit. Scram
discharge instrument volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block
logic circuits sense when the scram discharge
instrument volume high water level trip is
bypassed. The APRM rod block settings are varied as a function of recirculation flow. Analyses show that the selected settings are sufficient to avoid both RPS action and local fuel damage as a result of a single control rod withdrawal error.
Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted.
The rod block from scram discharge instrument volume high water level utilizes two differential
transmitters installed on the scram discharge instrument volume. A second trip unit on one
transmitter provides a main control room
annunciation of increasing level below the level
at which a rod block occurs.b. Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in the following sections. Fig. 7.7-2 shows all the rod block functions on a logic
diagram.
RBSUSAR7.7-8August1988(1)WiththemodeswitchintheSHUTDOWNposition,nocontrolrodcanbewithdrawn.
Thisenforcescompliancewiththeintentof theshutdownmode.(2)Thecircuitryisarrangedtoinitiatearodblockregardlessofthepositionofthemode switchforthefollowingconditions:(a)AnyAPRMupscalerodblockalarm.Thepurposeofthisrodblockfunctionis toavoidconditionsthatwouldrequire RPSactionifallowedtoproceed.The APRMupscalerodblockalarmsettingis selectedtoinitiatearodblockbefore theAPRMhighneutronfluxscram settingisreached.(b)AnyAPRMinoperativealarm.Thisassuresthatnocontrolrodis withdrawnunlesstheaveragepower rangeneutronmonitoringchannelsare eitherinserviceorcorrectly
bypassed.(c)Scramdischargeinstrumentvolumehighwaterlevel.Thisassuresthatno controlrodiswithdrawnunlessenough capacityisavailableinthescram dischargevolumetoaccommodatea scram.Thesettingisselectedto initiatearodblockearlierthanthe scramthatisinitiatedonscram dischargeinstrumentvolumehighwater
level.(d)Scramdischargeinstrumentvolumehighwaterlevelscramtripbypassed.This assuresthatnocontrolrodis withdrawnwhilethescramdischarge instrumentvolumehighwaterlevel scramfunctionisoutofservice.(e)Rodpatterncontrolsystem.Thepurposeoftherodpatterncontrol systemistolimittheworthofany controlrodsuchthatnoundesirable RBS USAR Revision 24 7.7-9 effects will result from a rod drop accident or a rod withdrawal error (RWE). The rod pattern
control system enforces operational procedural controls by
applying rod blocks before any rod
motion can produce high worth rod patterns. See Section 7.6.1 for
further discussion of this system.
(f) Rod position information system malfunction. This assures that no control rod can be withdrawn unless the rod position
information system is in service.
(g) Rod measurement timer malfunction during withdrawal. This assures
that no control rod can be
withdrawn unless the timer is in
service.
(3) With the reactor mode switch in the RUN position, any of the following
conditions initiate a rod block:
(a) Any APRM downscale alarm. This assures that no control rod will
be withdrawn during power range operation unless the average power
range neutron monitoring channels are operating correctly or are
correctly bypassed. All
unbypassed APRMs must be on scale during reactor operations in the
RUN mode.
RBS USAR Revision 24 7.7-10 (4) With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiate a rod block:
(a) Any SRM detector not fully inserted into the core when the SRM count level is below the retract permit level and
any IRM range switch on either of the
two lowest ranges. This assures that no
control rod is withdrawn unless all SRM
detectors are correctly inserted when
they must be relied on to provide the operator with neutron flux level
information.
(b) Any SRM upscale level alarm below IRM Range 8. This assures that no control
rod is withdrawn unless the SRM
detectors are correctly retracted
during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is
designed to detect and measure neutron
flux.
(c) Any SRM downscale alarm while IRMs are on Range 1 or 2 only. This assures
that no control rod is withdrawn unless
the SRM count rate RBSUSAR7.7-11August1987isabovetheminimumprescribedforlowneutronfluxlevelmonitoring.(d)AnySRMinoperativealarmbelowIRMRange8.Thisassuresthatnocontrol rodiswithdrawnduringlowneutron fluxleveloperationsunlessneutron monitoringcapabilityisavailable.(e)AnyIRMdetectornotfullyinsertedintothecore.Thisassuresthatno controlrodiswithdrawnduringlow neutronfluxleveloperationsunless properneutronmonitoringcapabilityis
available.(f)AnyIRMupscalealarm.Thisassuresthatnocontrolrodiswithdrawnunless theintermediaterangeneutron monitoringequipmentiscorrectly uprangedduringareactorstartup.
Thisrodblockalsoprovidesameansto stoprodwithdrawalintimetoavoid conditionsrequiringRPSaction(scram) intheeventthatarodwithdrawal errorismadeduringlowneutronflux leveloperations.(g)AnyIRMdownscalealarmexceptwhenrangeswitchisonthelowestrange.
Thisassuresthatnocontrolrodis withdrawnduringlowneutronfluxlevel operationsunlesstheneutronfluxis beingcorrectlymonitored.Thisrod blockpreventsthecontinuationofa reactorstartupiftheoperator uprangestheIRMtoofarforthe existingfluxlevel.Thus,therod blockensuresthattheIRMisonscale ifcontrolrodsaretobewithdrawn.(h)AnyIRMinoperativealarm.Thisassuresthatnocontrolrodis withdrawnduringlowneutronfluxlevel operationsunlessneutronmonitoring capabilityisavailable.
RBS USAR Revision 16 7.7-12 March 2003 c. Rod Block Bypasses To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited
number of manual bypasses are permitted. The IRMs, SRMs, and APRMs are arranged in two groups (A and B) of equal numbers of channels (i.e., two groups of IRMs, two groups of SRMs, and
two groups of APRMs). A bypass switch in the main control room allows either group A or B to be bypassed. Any combination of IRM, SRM, or APRM bypasses can be
effected. 16 The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with
one channel bypassed in each group.The permissible APRM and IRM bypasses affect RC&IS logic differently than in the RPS (Section 7.2.1).
Like RPS, half (4) of the APRM/IRM channels are assigned to Division I RC&IS and the other half is assigned to Division II. A maximum of 2 channels out of 8 can be bypassed, however, it is possible
that both could be in the same division. The SRM logic for RC&IS is such that 2 out of 4 channels are assigned to each division. Only 1
SRM Channel can be bypassed at any given time.
16 These bypasses are effected by positioning switches in the main control room. A light in the
main control room indicates the bypassed
condition. An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM
instrumentation.4. Rod Position Probes The position probe is a long cylindrical assembly that fits inside the CRD. Each CRD has two sets of reed switches for redundant indication of all information.
These two sets of switches are electrically and mechanically separate within a common enclosure. The reed switches are located along the length of the probe and operated by a RBS USAR Revision 16 7.7-13 March 2003 permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive, and with it the control rod blade, moves along its length, the magnet causes reed switches to close as it passes over the switch locations. The particular switch closed then indicates where the CRD, and hence the rod itself, is positioned. The switches are located as follows: one at each of 25 notch (even) positions; one at each of 24 mid-notch (odd) positions; two at the fully inserted position (approximately the same location as the 00 notch); one at the fully withdrawn position (approximately the same location as the 48 notch position); and one at the
overtravel or decoupled position. All the mid-notch or odd switches are wired in parallel and treated as one switch (for purposes of external connections); the two full-in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5 x 6 array (the switches short the intersections) and routed out in an
11-wire cable to the processing electronics (the probe
also includes a thermocouple which is wired out
separately from the 5 x 6 array). 5. Position Indication Electronics 16 The electronics consists of a set of probe multiplexer cards (one per 4-rod group), a set of file control cards (one per 10 multiplexer cards), and a set of master control and processing cards (per division) serving the whole system. All probe multiplexer cards
are the same except that each has a pair of plug-in daughter cards containing the identity code of one 4-rod group (the probes for the corresponding 4 rods are connected to the probe multiplexer card). The
system operates on a continuous scanning basis with a
complete cycle about every 30 milliseconds.
16 The operation is as follows: The control logic generates the identity code of one rod in the set and transmits it using time multiplexing to all the file control cards. These in turn transmit the identity
with timing signals to all the probe RBS USAR Revision 16 7.7-14 March 2003 multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the raw probe data
for that rod back through the file control card to the
master control and processing logic. The processing logic does several checks on the returning data.
First, a check is made to verify that an answer was received. Next, the identity of the answering data is checked against that which was sent. Finally, the format of the data is checked for legitimacy. Only a single even position or full-in plus position 00, full-out plus position 48, odd, or overtravel, or blank (no switch closed) are legitimate. Any other
combination of switches is flagged as a fault. If the data passes all these tests, it is 1) decoded and transmitted in multiplexed form to the displays in
the main control panel, and 2) loaded into a memory to
be read by the computer as required. As soon as one rod's data is processed, the next rod's identity is generated and processed and so on for all the rods. When data for all rods has been gathered, the cycle repeats. The RC&IS is totally operable from the main control room. Manual operation of individual control rods is possible with a pushbutton to effect control rod insertion, withdrawal, or settle. Rod
position indicators, described as follows, provide the
necessary information to ascertain the operating state and position of all control rods. Conditions which prohibit control rod insertion are alarmed with the rod
block annunciator. A rod information display on the reactor control panel is patterned after a top view of the reactor core. The display allows the operator to acquire information
rapidly by scanning. 16 Light-emitting diodes (LEDs) under windows on the Full Core Display provide an overall indication of rod
pattern and allow the operator to identify quickly an abnormal indication. The following information for
each control rod window is presented in the display:
16 Rod fully inserted (green)
Rod fully withdrawn (red)
Selected rod identification RBS USAR Revision 16 7.7-15 March 2003 16 Rod position (numeric) of selected rods Rod position (numeric) of all rods Also dispersed throughout the display, in locations representative of the physical location of LPRM strings
in the core, are LPRM LEDs as follows:
LPRM Downscale (green)
LPRM Upscale (red) 16 A continuous core rod position display is provided from both rod position information system cabinets. The data for the display is automatically alternated between the
two RPIS outputs at a rate that is visible to the operator so that position data faults are easily
detected. 12 A separate, smaller display below the full core status display will provide the LPRM reading adjacent to the selected rod. The associated LPRM for each rod gang may be selected and displayed so that the operator can easily observe proper motion of the gang rods. Proper
gang motion can be further confirmed by observing rod position changes indicated by the full core display.
Note: Ganged mode is not fully installed or tested at
RBS and is therefore not used.
12 The position signals of selected control rods, together with a rod identification signal, are provided as inputs to the on-line process computer. The acquisition of the rod position signal does not interrupt the rod position indication signal in the main control room.
The computer can, on demand, provide a full core
printout of control rod positions. The following main control room lights are provided to allow the operator to know the conditions of the CRD
hydraulic system and the control circuitry:
Insert command energized Withdraw command energized
Settle command energized
Insert not permissive
Withdrawal not permissive
Insert required
Continuous withdrawal
Pressure control valve position
Flow control valve position RBSUSARRevision137.7-16September2000Drivewaterpumplowsuctionpressure(alarmandpumptrip)Drivewaterfilterhighdifferentialpressure(alarmonly)Chargingwater(toaccumulator)lowpressure(alarmonly)CRDtemperature(alarmonly)
Scramdischargeinstrumentvolumenotdrained(alarmonly)Scramvalvepilotairheaderhigh/lowpressure(alarmonly)7.7.1.2RecirculationFlowControlSystem SystemFunctionTherecirculationflowcontrolsystemcontrolsreactorpowerlevel,overalimitedrange,bycontrollingtheflowrateofthe reactorrecirculatingwater.SystemOperation13Note:RiverBendStationadministrativelychosenottooperatetherecirculationflowcontrolsysteminthemasterautoor fluxautomodes.Thesemodesallowthesystemto automaticallyrespondandadjustreactorpowerduetochanges inturbineloadorneutronflux.
13Reactorrecirculationflowisvariedbythrottlingthe recirculationpumpsdischargewithcontrolvalves.The recirculationpumpsoperateatconstantspeed,oneitherLFMGor normal60-cyclepower.Byadjustingthepositionofthe dischargethrottlingvalves,therecirculationsystemcan automaticallychangethereactorpowerlevel(Fig.7.7-4and
7.7-5).Controlofcoreflowissuchthat,atvariouscontrolrodpatterns,differentpowerlevelchangescanbeautomatically accommodated.Forarodpatternwhereratedpoweraccompanies 100percentflow,powercanbereducedtoapproximately 75percentoffullpowerbyfullautomaticormanualflow variation.Atotherrodpatterns,automaticormanualpower controlispossibleoverarangeofapproximately25percentof themaximumoperatingpowerlevelforthatrodpattern.Below the25percentrange,onlymanualcontrolofpowerisavailable.Anincreaseinrecirculationflowtemporarilyreducesthevoidcontentofthemoderatorbyincreasingtheflowofcoolant throughthecore.Theadditionalneutronmoderationincreases reactivityofthecore,whichcausesreactorpowerlevelto increase.Theincreasedsteamgenerationrateincreasesthe steamvolumeinthecorewithaconsequentnegativereactivity effect,andanewsteady-statepowerlevelisestablished.When recirculationflowisreduced,thepowerlevelisreducedinthe reversemanner.The RBSUSAR7.7-17August1987recirculationflowcontrolsystem,operatinginconjunctionwiththemainturbinepressureregulatorcontrols,providesfully automaticloadfollowing.Eachrecirculationsystemloopflowcontrolvalvehasitsownindividualmanualcontrolsystemaswellasthecapabilityof beingcontrolledinunisonbythemaster-fluxcontrollers.The mastercontrollerreceivesaloaddemanderrorsignalfromthe mainturbinepressureregulator.Itsoutputthendemandsa certainneutronfluxlevelinthereactorwhichiscomparedwith afilteredmeasurementofneutronflux.Theresultingerroris fedintoafluxcontroller,which,inturn,demandsadriveflow ineachloop.Eachloophasanindividualflowcontrollerthat causesadjustmentofvalvepositiontomeetademandedchangein loopflowandhencecoreflowandcorepower.Thisprocess continuesuntilboththeerrorsexistingattheinputsofflux andmastercontrollersaredriventozero.Fullyautomatic controlisprovidedbythemastercontrollerwheninautomatic mode.Thefluxcontrollercanremaininautomaticeventhough themastercontrollerisinmanual.Thereactorpowerchangeresultingfromthechangeinrecirculationflowcausesthepressureregulatortoreposition theTCVs.Iftheoriginaldemandsignalwasaturbineload/speed errorsignal,theturbinerespondstothechangeinreactorpower levelbyadjustingthecontrolvalves,andhenceitspower output,untiltheload/speederrorsignalisreducedtozero.1.PumpMotorControlEachreactorwaterrecirculatingpumpdrivemotorisa4-poleacinductionmotorthatoperatesfromthe normalplantelectricalsupplyduringnormalplant poweroperation.Atplantlow-powerlevels,the recirculationpump/motoroperatesfromtheelectrical outputofthelow-frequencymotor-generator(LFMG)set.
SincetheLFMGsetelectricaloutputfrequencyisat approximatelyone-fourththenormalplantelectrical frequency,therecirculationpump/motorisdrivenat approximatelyone-fourthitsratedspeed.TheLFMGsetisnotintendedtobecapableofstartingtherecirculationpump/motorwiththepump/motor initiallyatzerospeed.Atlowreactorpowerlevels, thepump/motorstartisinitiatedonthenormalplant electricalpowersupply.Asthepump/motorspeed approachesratedfullloadspeed, RBSUSAR7.7-18August1988itisautomaticallytripped.Whenthepump/motorspeedcoastdownisabout25percentofratedfullloadspeed, thepump/motorisreenergizedfromtheLFMGsetand drivenatabout25percentratedfullloadspeed.
Precedinginitiationofthepump/motor,theplant operatormaymanuallystarttheLFMGset.IftheLFMG setisnotoperatingwhenthepump/motorstartis initiated,theLFMGisautomaticallystarted.Whenpump/motorstartisinitiatedathigherreactorpowerlevels,theLFMGsetdoesnotstart automatically,andthepump/motorcontinuestooperate atratedfullloadspeed.Certaintripfunctions,asdefinedonFig.7.7-4,tripthepump/motorandautomaticallytransferittothe LFMGset.Othertripfunctionstripthepump/motor withouttransfertotheLFMGset.1Inadditiontothenormalrecirculationpumpdrive motorprotectivetripsandtheRPS-initiated recirculationpumptrip(RPT)(Section7.6.1.1),an ATWStripisinitiatedfromhighvesselpressureorlow reactorvesselwaterlevel(level2).Therearetwo safety-gradetriplogiccircuits,eachcapableof trippingbothpumpmotors.Eachlogiccircuitconsists oftwodedicatedleveltransmittersandtwodedicated pressuretransmittersarrangedinaredundant two-out-of-twologicarrangementasshownon Figure7.7-4(FCD).Atripsignaltripsbothcircuit breaker2andcircuitbreaker5foreachpump.
Trippingofcircuitbreaker5removesnormalplant electricalsupplytothepumpmotorsandtrippingof circuitbreaker2removestheLFMGelectricalsupply.
Thetriplogicincludesatestabilityfeaturethat allowstestingofeachtransmitter/tripunitwhilethe recirculationsystemisinoperation.
1Intheeventofananticipatedtransientwithfailure toscram,recirculationpumptripsareinitiatedfrom highvesselpressureand/orreactorlowwaterlevel.
Thisactionisinitiatedtomitigatetheeffectsofa postulatedplanttransient,suchasaturbinetripwith afailuretoscramduetoacommonmodefailureinthe RPS.Trippingtherecirculationpumpsminimizesthe pressureriseinthevesselinthefirstfewsecondsof theeventandreducesthereactor RBSUSAR7.7-19August1987thermalpowerwhich,inturn,reducessteamflowtothesuppressionpool.2.Low-FrequencyMotor-Generator(LFMG)SetTheLFMGsetconsistsofa16-poleacinductionmotordrivinga4-poleacsynchronousgeneratorthrougha flexiblecoupling.Thisarrangementprovides one-fourthnormalplantfrequencyattheoutputofthe generator.Thegeneratorexciterisdirectlyconnected tothegeneratortoprovideabrushlessexcitation system.Thevoltageregulatorfortheexcitation systemislocatedintheauxiliaryrelaypanelwhichis separatefromtheLFMGset.SeveralpermissivesdescribedonFig.7.7-4mustbesatisfiedbeforetherecirculationpump/motorcanbe operatedfromeitherthenormalplantelectricalsystem orthepreventionofLFMGset.Thesepermissives prohibitpumpstartuntilconditionsassureprevention ofdamagetothesystem.Section4.4.3describesthe regionsoftheoperationalmapwhereoperationisnot
permitted.3.ValvePositionControlComponentsThemainflowregulatingvalvescanbecontrolledindividuallyorjointly.Theturbine-generator controlsystemoutputsaload/speeddemandsignalto thereactorrecirculationcontrolsystemforautomatic controloftherecirculationflowcontrolvalves.The mastercontroller,fluxdemandlimiter,flux controller,andtotaldriveflowlimiterarecommonto thecontrolofbothvalves.Thesignalfromthese componentsisfedtotwoseparatesetsofcontrol systemscomponents,oneforeachvalve,whichare:a manual/automatictransferstation,anerrorlimiter,a flowcontroller,ahigh-lowsignalfailurealarm,a lossofsignalvalve"motioninhibit"interlock,a driveflowfeedbacksignaltoeachflowcontroller,a valveactuator,andalimiter.Thelimiterclosesthe mainflowregulatingvalveifoneofthereactorfeed pumpsshouldtrip,withacoincidentorsubsequent reactorvessellowwaterlevel.Adrywellpressuretransmitterwhichisindependentofanysafety-relatedtransmittersisactuatedwhenthe drywellpressureincreasestoalevel RBSUSAR7.7-20August1987indicativeofLOCA.Duringnormaloperation,actuationofthepressuretransmittercircuitpreventsboth openingandclosingcapabilitiesofthedischargeblock valve.Italsoactuatesthe"motioninhibit"interlock totheflowcontrolvalvesothatitspositioncannot bechanged.Thiscircuitcanbetestedduring operationbyplacingthedrywellhighpressuretest switchinthetestpositionandexternallyapplying pressuretothetransmitter.Lockupofbothvalves occursduringtest.However,thehydraulicsystemof theflowcontrolvalveisnotshutdownasoccurs duringanactualdisturbance.Thepositionofthetest switchisannunciated.4.MasterControllerThemanual/automaticmastercontrollerprovidesasignaltocontrolreactorfluxandaninterlocktothe pressureregulator.Duringautomaticloadfollowing,theturbine-generatorcontrolsystemsuppliesademandsignaltothemaster controller.Duringnormalautomaticoperation,the mastercontrollertransmitsanoutputsignalthrough thefluxdemandlimitertothefluxcontroller.This signaladjuststhefluxcontrollersetpointaccording totheloaderrorsignalrequirementandallowsfully automaticcontrol.Duringautomaticoperation,apressuresetpointadjustmentsignalfromtheturbinecontrolsystemgoes throughtheinterlockswitchonthemastercontroller tothepressureregulator.Thissignalallowsthe turbine-generatortorespondimmediatelytothechanged loaddemandduringthetimerequiredforanewpower leveltobeestablishedbythechangeinrecirculation flow(Section7.7.1.5).5.FluxDemandLimiterThefluxdemandlimiterisadjustable.Itspurposeistolimittheneutronfluxdemandedbytheflux controller,keepingitsufficientlybelowthehighflux scrampointtopreventscramsduringreactorpower
increases.
RBSUSAR7.7-21August19876.FluxControllerThefluxcontrollersuppliesatotaldriveflowdemandsignaltoaflowcontrollerstation,whichinturn supplieseachflowloopwithademandsignal.Under automaticcontrol,thefluxcontrolleroutputis comparedtothesensedloopflowfromthefeedback proportionalamplifiersineachloop.Theerrorsignal isfedviatheflowcontrolleramplifiertothevalve position,resultinginachangeofloopflowand thereforecorepower.Neutronfluxissensitivetochangesincoreflowinthefrequencyrangeofapproximately0.015to0.31Hz.
Thefluxcontrollerisalag/leadcompensated proportional-integral(PI)controller.Thelag/lead compensationremovesthefluxovershoot,andthePIcontrollerprovidesahigh-gainoutputfor low-frequencyinputsignalfromfeedwaterorpressure
disturbance.7.DriveFlowLimiterThedriveflowdemandlimitersareadjustable.Thehighsignallimiteristoestablishthemaximumdrive flowdemandlimitneededfortheupperendofthe automaticload-followingrange.Thelowsignallimit isdeterminedfromacorestabilitycriterionand definesthelowerendoftheautomaticload-following range.Thereisnolowflowlimit,andthevalvecan beclosedtoitsminimumpositionwhentheflux controllerisinmanualmodeoperation.8.FluxFeedbackIsolationAmplifierThefluxfeedbackisolationamplifierperformsadualfunction.Itisasecondaryamplifierthatcompletely isolatesthereactorflowcontrolsystemfromthe particularAPRMthatsuppliesitsinputsignal.It alsofiltersprocessnoiseaboveapproximately1Hzin thefluxsignal.Afailureintheamplifiercannot interferewiththeprotectionsystemfunctionofthe APRMs.EachofthetwoAPRMchannelsavailablefor fluxfeedbackisfurtherisolatedorbufferedbyan additionalprimaryisolationamplifier,sothatthe systemcomplieswiththerequirementsofParagraph4.7 ofIEEE279-1971.
RBSUSAR7.7-22August19879.Manual/AutomaticTransferStationsSwitchingbetweenmanualandautomaticoperationisdoneonthemaster,flux,andindividualflow controllers,usingamanuallyoperatedswitch.To automaticallycontrolloopflowbythefluxcontroller, thetransferswitchonthefluxandflowcontrollers mustbeintheautomaticposition.Settingthemastercontroltransferswitchtothemanualpositionprovidesgangedparallelmanual operationoftheflowcontrolloops.Switchingto manualcontrolonthemastercontrollersetsthe cascadeinputorsetpointofthefluxcontrollerand hencethesignaltothevalve.Theindividualflow controllersmustbeinautomatic.Duringstartup,the fluxcontrolleroutputsignalisdeterminedbythe manualsignallevelsettingonthefluxcontrollerwith thecontrollerinmanual.10.FlowControllerTheindividualflowcontroller(oneforeachvalve)transmitsthesignalthatadjuststhevalveposition.
Duringautomaticoperation,theinputsignalis receivedfromthefluxcontroller.Duringmanual operation,eachflow-regulatingvalvecanbemanually positionedwiththemanualoutputsignalraise/lower pushbuttonsprovidedoneachflowcontroller.11.LimiterAlimitingfunctionisrequired(asbrieflyoutlinedinforegoingparagraphs).Electroniclimiting,with reasonablerangeadjustment,isprovidedineachmain flowcontrolloop.Thislimiterisnormallyheld bypassedbyauxiliarydevicessuchasrelaycontacts.
Whenthelimitingpermissiveconditionisreached,the mainregulatingvalvecontrolsignalislimitedto closethevalvetothedesiredposition.12.ValveActuatorThevalveactuator(oneoneachvalve)istheelectro-hydraulicdevicethatmovestheflowcontrol valvetothedesiredpositionandmaintainsitthere.
Thevalvecontrolsystemisdesignedto RBSUSAR7.7-23August1987maintainthevalveinthelastpositiondemandedifcontrolpowerislost.Thevalveactuatorhasaninherentrate-limitingfeaturethatwillkeeptheresultingrateofchangeof coreflowandpowertowithinsafelimitsintheevent ofupscaleordownscalefailureofthevalveposition orvelocitycontrolsystem.Motor-operatedvalvesprovidedrywellisolationbetweentherecirculationflowcontrolvalvehydraulicactuator andthehydraulicpowerunit.Theisolationvalves automaticallyclosewhenaLOCAsignalispresent.
Controlsinthemaincontrolroompermitmanual operationoftheisolationvalves.Thecontrollogic fortheisolationvalvesisshownonFig.7.7-7.7.7.1.3FeedwaterControlSystem SystemFunctionThefeedwatercontrolsystemcontrolstheflowoffeedwaterintothereactorvesseltomaintainthevesselwaterlevelwithin predeterminedlimitsduringallnormalplantoperatingmodes.
Therangeofwaterlevelisbasedupontherequirementsofthe steamseparators(thisincludeslimitingcarryover,whichaffects turbineperformance,andcarryunder,whichaffectsrecirculation pumpoperation).Thefeedwatercontrolsystemutilizesvessel waterlevel,steamflow,andfeedwaterflowasa3-element control(Fig.7.7-6).Single-elementcontrolisalsoavailablebasedonwaterlevelonly.Normally,thesignalfromthefeedwaterflowisequalto thesteamflowsignal;thus,ifachangeinthesteamflow occurs,thefeedwaterflowfollows.Thesteamflowsignal providesanticipationofthechangeinwaterlevelthatwill resultfromchangeinload.Thelevelsignalprovidesa correctionforanymismatchbetweenthesteamandfeedwaterflow whichcausesthelevelofthewaterinthereactorvesseltorise orfallaccordingly.SystemOperationDuringnormalplantoperation,thefeedwatercontrolsystemautomaticallyregulatesfeedwaterflowintothereactorvessel.
Thesystemcanbemanuallyoperated.Thecomponentcontrollogic forthefeedwatersystempumpsandmotor-operatedvalveisshown onFig.7.7-8.
RBSUSAR7.7-24August1987Thefeedwaterflowcontrolinstrumentationmeasuresthewaterlevelinthereactorvessel,thefeedwaterflowrateintothe reactorvessel,andthesteamflowratefromthereactorvessel.
Duringautomaticoperation,thesethreemeasurementsareusedfor controllingfeedwaterflow.Theoptimumreactorvesselwaterlevelisdeterminedbytherequirementsofthesteamseparators.Theseparatorslimitwater carryoverinthesteamgoingtotheturbinesandlimitsteam carryunderinwaterreturningtothecore.Thewaterlevelin thereactorvesselismaintainedwithin-2inofthesetpoint valueduringnormaloperationandwithinthehighandlowlevel tripsetpointsduringnormalplantmaneuveringtransients.This controlcapabilityisachievedduringplantloadchangesby balancingthemassflowrateoffeedwatertothereactorvessel withthesteamflowfromthereactorvessel.Thefollowingisadiscussionofthevariablessensedforsystem operation:1.ReactorVesselWaterLevelReactorvesselnarrowrangewaterlevelismeasuredbythreeidentical,independentsensingsystems.Foreach channel,adifferentialpressuretransmittersensesthe differencebetweenthepressurecausedbyaconstant referencecolumnofwaterandthepressurecausedby thevariableheightofwaterinthereactorvessel.
Thedifferentialpressuretransmitterisinstalledon linesthatserveothersystems.Twoofthe differentialpressuresignalsareusedforindication andcontrol,andthethirdforindicationonly.The narrowrangelevelsignalfromoneofthetwocontrol channelscanbeselectedbytheoperatorasthesignal tobeusedforfeedwaterflowcontrol.Athirdnarrow rangelevelsensingchannelisusedinconjunctionwith thetwocontrolchannelstoprovidefailuretolerant tripsofthemainturbineandfeedpumpprimemovers.
Allthreenarrowrangereactorlevelsignalsand reactorpressureareindicatedinthemaincontrol room.Afourthlevelsensingsystem(widerange) provideslevelinformationbeyondthespanofthe narrowrangedevices.Theselectednarrowrangewater levelandwiderangewaterlevelsignalsare continuouslyrecordedinthemaincontrolroom.
RBSUSARRevision77.7-25January19952.MainSteamLineSteamFlow7Steamflowissensedineachofthefourmainsteam lineflowelbowsbyadifferentialpressure transmitter.Thesignalsfromthefourtransmitters arelinearized,indicatedinthemaincontrolroomand summedtoproduceatotalsteamflowsignalfor feedwaterflowcontrol.Thetotalsteamflowsignalis recordedinthemaincontrolroom.
73.FeedwaterFlowFeedwaterflowissensedataflowelementineachfeedwaterlinebydifferentialpressuretransmitters.
Eachfeedwatersignalislinearizedandthensummedto provideatotalmassflowsignalwhichisrecordedin themaincontrolroom.Thisflowisthencomparedwith thesteamflowtoobtainatotalsteamflowerror.The resultingerrorisusedinconjunctionwithreactor waterlevelparameterstoadjustfeedwatercontrol valveactuatorsinthenecessarydirection.Individual pumpflowissensedinthefeedwatersystembyasensor inthesuctionlineofeachfeedpumpandisusedto controlfeedwaterpumprecirculationflow.Thisdoes notaffectthefeedwatercontrolsystemusedtocontrol reactorlevel.Threemodesoffeedwaterflowcontrolandthuslevelcontrolareprovided:a.Startupautomaticlevelcontrol b.Runmodeautomaticflowcontrol c.Manualcontrol.Separatelevelcontrollersareprovidedforeachautomaticmode.Eachlevelcontrollercontainsset pointdeviationmeters,anoutputindicator,amanual outputcontrol,manualautomaticswitchingcapability, andamanuallyoperatedsetpointadjustment.Inthe startuplevelcontrolmode,measuredleveliscompared tolevelsetpointwithinthecontroller.The resultingsignalisconditionedbytheproportional plusintegralcontrollercircuitsandtransmittedto thestartupflowcontrolvalve.Thisisahard-wired systemandcannotbeselectedtoanyotheractuator.
RBSUSAR7.7-26August1987Duringnormaloperation3-elementautomaticcontrolisprovided.Thereactorlevelsignal,modifiedbythe conditionedflowerrorsignal,providesaflowdemand signaltothefeedwaterflowcontrolloop.Thedemanded flowiscomparedtoactualflowineachactivepump.
Theresultingflowerrorsignalafterconditioningby theproportionalplusintegralflowcontrollerchanges thefeedwaterflowcontrolvalveposition,zeroingthe errorsignal.Manualcontrolisavailablebyselectingmanualonthecontrollermanual-automaticstations.Flowchangeis accomplishedbydepressingtheraisebuttonorlower button,dependingonthedesiredflowchange.
Automaticinventorycontrolisavailablewithany singlepumporanycombinationoftwopumps.Thelevelcontrolsystemalsoprovidesinterlocksandcontrolfunctionstoothersystems.Whenoneofthe reactorfeedpumpsislostandcoincidentorsubsequent lowwaterlevelexists,recirculationflowisreduced towithinthepowercapabilitiesoftheremaining reactorfeedpumps.Thisreductionaidsinavoidinga lowlevelscrambyreducingthesteamingrate.Reactor recirculationflowisalsoreducedonsustainedlow feedwaterflowcoincidentwithlowrecirculationflow controlvalvepositiontoensurethatadequatenet positivesuctionhead(NPSH)isprovidedforthe recirculationsystem.Alarmsareprovidedfor1)highandlowwaterlevel,and2)reactorhighpressure.Interlockstripthe plantturbineandfeedwaterpumpsintheeventof reactorhighwaterlevel.Feedwaterisdeliveredtothereactorvesselthroughaparallelarrangementofthreeelectricmotor-driven feedwaterpumps.Theelectricmotor-drivenpumps operateatconstantspeed;flowiscontrolledbyaflow controlvalve.Duringplannedoperation,thefeedwater controlsignalfromthreelevel-sensingcircuitsisfed tothelevelcontroller.Theoutputofthelevel controllergoestotheflowcontrolvalves,which controlthefeedwaterflowsothatfeedwaterflowis proportionaltothefeedwaterdemandsignal.Included amongthefourfeedwatercontrolvalvesisalowflow controlvalve.Ifthefeedwatercontrolsignalis lost,analarmunitinthefeedwater RBSUSARRevision137.7-27September20007controlcircuitinitiatesanalarminthemaincontrolroomandlocksthemainfeedwatercontrolvalveatits positionjustpriortolosingthesignal.Thecontrol valvecanbemanuallycontrolleduntilthecontrol systemfailurehasbeenresolved.Resettingofthe feedwatercontroltoautomaticismanuallyaccomplished fromthemaincontrolroompanel.Analogvalve positionindicationforeachfeedwatercontrolvalveis providedinthemaincontrolroom.
77.7.1.4SteamBypassandPressureRegulationSystemSystemFunctionAsadirectcycleBWR,theturbineisslavedtothereactorinthatallsteamgeneratedbythereactor(exceptsteamtothe moistureseparatorreheaters)isnormallyacceptedbythe turbine.Theoperationofthereactorrequiresthatpressure regulationbeemployedtomaintainaconstant(withintherange oftheregulatorcontrollerproportionalbandsetting)turbine inletpressurewithloadfollowingabilityaccomplishedby variationofthereactorrecirculationflow.TheturbinepressureregulatornormallycontrolstheTCVstomaintainconstant(withintherangeoftheregulatorcontroller proportionalbandsetting)turbineinletpressureataparticular value.Inaddition,thepressureregulatoralsooperatesthe steambypassvalvesinsuchawaythataportionofnuclear boilerratedflowcanbebypassedwhenoperatingatsteamflow loadsabovethosewhichcanbeacceptedbytheturbineaswellas duringthestartupandshutdownphases.Theoverallturbine-generatorandpressurecontrolsystemaccomplishesthefollowing:13Note:RiverBendStationadministrativelychosenottooperatetherecirculationflowcontrolsysteminthemasterautoor fluxautomodes.Thesemodesallowthesystemto automaticallyrespondandadjustreactorpowerduetochanges inturbineloadorneutronflux.
131.Controlturbinespeedandturbineacceleration2.Controlthesteambypasssystemtokeepreactorpressurewithinlimits,andavoidlargepower
transients3.Controlmainturbineinletpressurewithintheproportionalbandsettingofthepressureregulator4.Matchnuclearsteamsupplytoturbinesteamrequirementsbythefollowingfunctions:a.Adjustrecirculationsystemflowtotheturbineloaddemandswhentherecirculation RBS USAR Revision 25 7.7-28 control is in the automatic load following mode
- b. Adjust the pressure set point of the pressure control unit in order to improve the load response
of the plant when the recirculation control is in
the automatic load following mode.
System Operation
Pressure control is accomplished by controlling main steam pressure immediately upstream of the main turbine stop and control valves through modulation of the turbine-control or steam-bypass valves. Command signals to these valves are
generated by redundant control elements using the sensed turbine inlet pressure signals as the feedback. For normal operation, the TCVs regulate steam pressure; however, whenever the total steam flow demand from the pressure regulator exceeds the capacity of the TCVs, the pressure control system sends the excess steam flow directly to the main condenser, through the steam bypass valves. The plant ability to follow grid-system load demands is enabled by adjusting reactor power level, by
varying reactor recirculation flow (manually or automatically),
or by manually moving control rods. In response to the resulting steam production changes, the pressure control system adjusts the
TCV to accept the steam output change, thereby regulating steam pressure. In addition, when the reactor is automatically following turbine speed/load demands, the pressure control system
permits an immediate steam flow response to fast changes in load
demand, thus utilizing part of the stored energy in the vessel.
- 1. Steam Pressure Control The pressure control system controls reactor pressure during plant startup, power generation and shutdown modes of operation. The Turbine Control and Protection System (TCPS) pressure controllers act to ensure that the desired pressure is achieved through the positioning of the turbine control valves and the steam bypass valves in response to changes in reactor operating conditions.
Under steady state operating conditions, the TCVs regulate steam pressure; however, whenever the total steam flow delivery exceeds the effective turbine steam flow need or capacity, the bypass valves are opened to regulate the pressure and send the excess steam directly to the condenser.
The reactor operator maintains control over the rate of steam production to meet the plant's steam demands - these control functions take place outside the TCPS controllers. The turbine operator uses the TCPS Human Machine Interface (HMI) to set the desired operating pressure set point.
RBS USAR Revision 25 7.7-28a Pressure control is designed to control reactor pressure during the following conditions:
reactor vessel heat up to rate pressure; when the turbine is being brought up to speed and synchronized; when reactor steam generation exceeds the turbine steam flow requirements during power operation; plant load rejections and turbine trip/generator trips; and reactor cool down/heat up
RBS USAR Revision 25 7.7-29 The reactor pressure control algorithm is designed to operate using three pressure transmitters tapped into the main steam line just upstream of the main stop valves and is called turbine inlet main steam (throttle) pressure control or MSP.
The major functional components processed in the pressure controller:
Controlling reactor pressure Controlling and monitoring the turbine steam bypass system Protecting against unsafe operating conditions Controlling reactor cool down The pressure regulator compares the measured steam supply pressure to the turbine operator entered pressure set point and develops the steam flow demand based on the magnitude of the pressure error.
The output from the pressure regulator has the ability to drive the TCVs to their 100% open position plus the capability of continuing to drive the bypass valves to their 100% open position. The regulation from the TCVs and the bypass valves in terms of percent change of the output from the pressure regulator versus the percent change of steam flow shall be uniform from TCVs closed to TCVs and bypass valves full open.
Control for the TCV is designed so that the valves close upon loss of control system electric power or
loss of hydraulic system pressure.
- 2. Steam Bypass System
The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements such as during startup (pressure, speed ramping, and synchronizing), sudden load reduction, and
cooldown.
The bypass capacity of the system is 9.5 percent of NSSS rated steam flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated
without reactor scram.
Normally, the bypass valves are held closed and the pressure regulator controls the TCVs, directing all steam flow to the turbine. If the speed governor RBS USAR Revision 25 7.7-30 or the load limiter restricts steam flow to the turbine, the regulator controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the system pressure
rises and RPS action causes shutdown of the reactor.
The bypass valves are an automatically operated, regulating type which are proportionally controlled by
the turbine pressure regulator and control system. Each bypass valve is independently operated. Each loop has a position demand, a position error summer, a valve opening sequence bias, a position controller and a positioning sensor. The bypass valves are opened sequentially, when needed, to control reactor system pressure. A position demand bias (bypass jack) is provided for opening the bypass valves manually during reactor heat-up or as deemed necessary by plant operators. An automated feature is also provided for cool-down and heat up using the bypass valves.
The servo regulator bypass valve positioning reference starts with the summation of the bypass valve flow reference, the negative bypass valve sequencing bias, and the bypass valve test reference. The bypass valve sequencing bias is used to control the opening sequence of all the bypass valves; it is different for each valve. The bypass valve test reference is normally zero except during the bypass valves test. After a gain is applied to the modified bypass valve flow reference, it is limit checked and the result becomes the bypass valve position reference. The bypass valve jack algorithm provides manual position control by the turbine operator using the appropriate HMI pushbuttons or by entering the set point and rate directly. The bypass valve jack bias enters a maximum value select block along with the total bypass valve demand. The maximum value of these two signals becomes the bypass valve flow reference. Assuming that the bypass valve jack bias is applied when the bypass valves are closed, the effect of the bias is to open the bypass valves in the order of their normal operating sequence. 3.Turbine Speed/Load Control SystemUpon generator breaker closure, the turbine speed reference is at 1800 RPM. At this point, the turbineshaft speed is governed by the frequency of the power transmission system.The purpose of the load control algorithm is togenerate the load reference signal used to bias the turbine control valve position during synchronizingand, upon generator breaker closure, to set the turbine control valve position corresponding to the desiredmegawatt output. It accepts inputs from other controlfunctions and combines these inputs to calculate theappropriate load reference signal.
RBS USAR Revision 25 7.7-30a The load reference signal is normally set higher than the steam flow demand signal from the pressure regulators to allow the pressure regulators to control the turbine control valves.
- 4. Turbine Speed-Load Control Interfaces
Normal Operation RBSUSAR7.7-31August1987Duringbase-loadplantoperation,theturbineloadreferenceisheldabovethedesiredload,insuchaway thatthepressureregulationdemandgovernstheTCVs.
Duringautomaticloadfollowingoperation,turbine speed-loaddemandfluctuationscausethereactor recirculationflowtovarythecoreflowandtherefore reactorsteamgenerationandturbinepoweroutput.
Whentheturbineloaddemandincreaseexceedsthe limitsofthereactorrecirculationsystem automatic-flow-controlrange,furtherincreasesin turbineoutputarepreventedbythepressureregulator maintainingsteampressure.BehaviorofTurbineOutsideofNormalOperationTurbineStartupPriortoturbinestartup,sufficientreactorsteamflowisgeneratedtopermitthesteambypassvalvesto maintainreactorpressurecontrolwhiletheturbineis broughtuptospeedandsynchronizedunderits speed-loadcontrol.PartialLoadRejectionDuringpartialloadrejectiontransients,whichareapparenttothereactorasareductioninturbineload demandresultingfromanincreaseingenerator(or grid)frequencyaboverated,theturbine-pressure controlschemeallowsthereducedturbinespeed-load demandtobiasthepressureregulationdemandand therebydirectlyregulatetheTCVs.TurbineShutdownorTurbine-GeneratorTripDuringturbineshutdownorturbine-generatortripconditions,themainturbinestopvalvesandcontrol valvesareclosed.Reactorsteamflowthenpasses throughthesteambypassvalvesundersteampressure control,andthroughthereactorSRVs,asneeded.SteamBypassOperationFastopeningofthesteambypassvalvesduringturbinetripsorgeneratorloadrejectionsrequirescoordinated actionwiththeturbinecontrolsystem.WhentheTCVs areunderpressurecontrol,nobypass RBS USAR Revision 16 7.7-32 March 2003 steam flow is demanded; conversely, when the turbine speed-load demand falls below the pressure regulation demand, a net bypass flow demand is computed. During
turbine or generator trip events resulting in fast-closure of the turbine stop or control valves, the TCV demand is immediately tripped to zero as an anticipatory response, causing the bypass steam flow
demand to equal the initial pressure regulation demand. Loss of Turbine Control System Power Turbine controls and valves are designed so that the turbine stop and control valves close upon loss of
control system power or hydraulic pressure. 7.7.1.5 Refueling Interlocks
Refueling Interlocks FunctionThe purpose of the refueling interlocks is to restrict the movement of control rods and the operation of refueling equipment. This reinforces operational procedures that prevent
the reactor from becoming critical during refueling operations.
Refueling Interlocks OperationThe refueling interlocks circuitry senses the condition of the refueling equipment and the control rods to prevent the movement of the refueling equipment or withdrawal of control rods (rod block). Redundant circuitry is provided to sense the following
conditions:1. All rods inserted
- 2. Refueling platform positioned near or over the core 163. Refueling platform fuel grapple hoist, fuel loaded 164. Reactor mode switch in REFUEL position. The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement (Table 7.7-1). A two-channel circuit indicates that all rods are in. The rod-in condition for each
rod is established by the closure of a magnetically operated reed
switch in the rod position RBS USAR Revision 16 7.7-33 March 2003 16indicator probe. The rod-in switch is generated. Both channels of the circuit must indicate "all-rods-in" to allow refueling
equipment to be used.
16During refueling operations, no more than one control rod is permitted to be withdrawn; this is enforced by a redundant logic circuit that uses the all-rods-in signal and a rod selection signal from the RC&IS to prevent the selection of a second rod for movement with any other rod not fully inserted. Control rod withdrawal is prevented by comparison between the A and B portions of the RC&IS rod position with a subsequent rod withdrawal block if necessary. With the mode switch in the REFUEL position, the circuitry prevents the withdrawal of more
than one control rod and the movement of the loaded refueling
platform over the core with any control rod withdrawn. Operation of refueling equipment is prevented by interrupting the power supply to the equipment. The refueling platform is provided with two mechanical switches attached to the platform, which are tripped open by a long stationary ramp mounted adjacent to the platform rail. The switches open before the platform or
any of its hoists are physically located over the reactor vessel
to indicate the approach of the platform toward its position over
the core. 16 10 6 Load sensing of fuel grapple hoist (main hoist) is by electronic load cell system. Associated interlock and load functions are
performed by switches activated by electronic load cells.
6 10The main hoist on the refueling platform is provided with switches that open when the hoist is fuel loaded. The switches open at a load weight that is lighter than that of a single fuel assembly. This indicates when fuel is loaded on the hoist. The fuel grapple hoist interlocks with the rod block circuitry and
refueling platform drive circuitry as well as hoist power.
16The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks which restrict operation of the platform hoist and grapple provide a third level of interlock action since they would be required only after a failure of a rod block and
refueling platform interlock.
RBS USAR Revision 20 7.7-34 16In the refueling mode, the main control room operator has indicator lights whenever all control rods are fully inserted.
He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core status display. Whenever a control rod withdrawal block situation occurs, the operator receives annunciation and computer logs of the rod block. The operator can compare these
outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions exist in order
to move control rods; otherwise, a control rod withdrawal block occurs. Failure of one channel may initiate a rod withdrawal
block, and does not prevent application of a valid control rod withdrawal block from the remaining operable channel (Table 7.7-1).
16 8 In terms of refueling platform interlocks, the platform operator has digital readout indicators for the platform x-y position
relative to the reactor core. 10 4 The position of the grapple is shown in a digital indicator immediately below the platform position indicators. Load cell
indications of hoist loads are given for each hoist by locally mounted indicators. Individual pushbutton and rotary or joystick
control switches are provided for local control of the platform and its hoists. The platform operator can immediately determine whether the platform and hoists are responding to his local
instructions and can, in conjunction with the main control room operator, verify proper operation of each of the three categories
of interlocks listed previously.
4 10 7.7.1.6 NSSS Process Computer System System Function The function of the process computer system is to provide inputs for determination of core thermal performance; to improve data reduction, accounting, and logging functions; and to supplement procedural requirements for control and manipulation during
reactor startup and shutdown. This function is performed by two computer systems: the Legacy Honeywell system and the Orbital Network Engineering (ONE) system.
8 System OperationCentral Processor - The central processor performs various calculations, makes necessary interpretations, and provides for general input/output device control and buffered transmission
between I/O devices and memory.
RBSUSAR7.7-35August1987Anautomaticpriorityinterrupt(API)moduleprovidesprocessorcapabilitytorespondrapidlytoimportantprocessfunctionsand tooperateatoptimumspeed.CoreMemory-Corememoryisarandomaccesstypeutilizinga24-bitwordandoperatingatan800nanosecondcycletime.A processorparitycheckfeatureiscapableofstoppingcomputer operationsubsequenttocompletinganinstructioninwhicha parityerrorisdetected.Thecorememoryhassuitableshutdown protectiontopreventinformationdestructionintheeventof lossofpowerorincorrectoperatingvoltage.Capabilityis providedtomaintainrealtimebyutilizingnecessarycalendar typeprogramstocomputeyear,month,day,hour,minute,second, andcycle.Thisisdoneautomaticallyexceptintheeventofa processorshutdown.Inthiscasetheoperatorisrequiredto updatethecomputerwiththecorrecttimewhenrestartingthe
system.BulkMemory-Bulkmemoryiscomprisedoflargecorestorageandmovingheaddisc,andisusedforstoringallprogramsanddata.
Capabilityisprovidedtoprotectselectableportionsofbulk memoryagainstinformationdestructioncausedbyaninadvertent attempttowriteovertheprogramsorbyasystempowerfailure.I/OHardware-TheprocessI/Ohardwareconsistsofananaloginputscanner,adigitalI/Ocontroller,corresponding I/Oterminationsandsignalconditioners.Theanalogscanner acceptsanalogsignalsfromplantinstrumentationandconverts themtodigitalrepresentationforuseinthecomputer.The digitalI/Ocontrollersensesplantcontactactuationsbygroups andisusedtoreadstatusinformationfromplant instrumentation,includingalarmsandbinarycodesignals.
Intermittentsignalsandpulsetypeinputsaresensedby automaticprograminterruptchangedetectionhardwareinthe centralprocessorandallowimmediateprocessingofinformation thatmightotherwisebelostifdigitalscanningwereused.The controlleralsoprovideslatcheddigitaloutputstooperate displays,turntrendrecordersonandoff,turnonalarms,etc.Duringroutineoperationtheoperatorusesakeyboardlocatedinthemaincontrolroomtoenterinformationintothecomputerand forrequestingvariousspecialfunctionsfromit.Information fromthecomputercanbedirectedbytheoperatortovideo terminaldisplays,digitaldisplays,trendrecorders,oralarm
typer.
RBSUSARRevision87.7-36August1996Testability-Theprocesscomputersystemhasself-checkingprovisions.Itperformsdiagnosticcheckstodeterminethe operabilityofcertainportionsofthesystemhardwareand performsinternalprogrammingcheckstoverifythatinputsignals andselectedprogramcomputationsareeitherwithinspecific limitsorwithinreasonablebounds.EnvironmentalConsiderations-Allthecomputerequipment,exceptforperipherals,isdesignedforcontinuousdutyfrom0°Cto 50°C,and5to95percentrelativehumidityambient.The peripheralsaredesignedtooperateundermorerestrictive environmentalconditions.Allcomponentsareinstalledin air-conditionedrooms.OperatorInformation-Theprocessoriscapableofcheckingeachanaloginputvariableagainsttwotypesoflimitsforalarm
purposes:1.Processalarmlimitsaredeterminedbythecomputerduringcomputationoraspreprogrammedatsomefixed valuebytheoperator.2.Areasonablelimitoftheanaloginputsignallevel programmed.Thealarmingsequenceconsistsofatypewritermessageandvideomonitormessageforthevariablesthatexceedprocessalarm limits.Avariablethatisreturningtonormalissignifiedbya typewrittenmessage.Theprocesscomputerprovidestothe operatorameansofmonitoring,displaying,andrecordingboth NSSSandBOPevents.Thesefunctionsareperformedbythe followingsoftwareprograms:1.Statusalarmmonitor 2.Sequenceannunciator 3.Digitaltrend 4.Postdatarecall85.Processcomputerinterfaceforcollectionandtransferofdatatoanindependantcomputersystem.The independantcomputersystemperformscoreperformance
calculations
- 86. Balanceofplantperformancecalculations7.Turbineandgeneratorlog
- 8. Vesseltemperaturechangeratecalculations RBS USAR Revision 20 7.7-37 9. Process computer interface with rod control and information system.The ONE system consists of two independent servers. These servers obtain data from: 1. Analog & Digital I/O2. Data Streams from the Rod Control & Information System, the Neutron Monitoring System and the LEFM data server. These servers produce data which is obtained by an independent computer system which performs core performance calculations and a human machine interface for operator interface. The ONE system is designed for and located in the Main Control Room and is non safety related. The ONE system is a server system using central processor, random access memory, hard drives, analog and digital input/output modules, time standard synchronization, and self error checking. 7.7.1.7 Emergency Response Information System (ERIS) 7.7.1.7.1 ERIS Function The function of the ERIS is to gather plant data, store and process that data, generate visual displays of plant status information, and
provide printed and plotted records of transient events.
System Operation 12Data Acquisition System (DAS) - The data acquisition system interfaces with existing plant sensors or devices, converts the acquired signals to digital data, and performs preprocessing of the data before passing it on to the process servers. Self-test features are built into each element of the DAS. Failure of the DAS self-test circuitry has been analyzed, and the results demonstrate that safety-related signals are not impaired. Data is transmitted from the MCR DAS cabinets to a DAS cabinet in the computer room via a fiber optic network. From the DAS cabinet, data is then sent to two (2) Alpha 4100 servers. These servers compose the primary and
backup process nodes of the ERIS computer system and are responsible for carrying out all functions associated with TRA and RTAD functions. In addition to these inputs, the nodes receive data for the following: gross output and station load, feedwater regulator valve position, ERDS compliance, Digital Radiation Monitoring System
and Plant Process Computer inputs.
RBS USAR Revision 24 7.7-37a Input/Output Modules (I/O) - Input/Output (Analog and Digital) modules are part of the DAS and are mounted in the control room or in local panels to receive plant signals to be used in ERIS. The
I/O modules are installed in a VME bus arrangement which transmits data to a fiber optic repeater that then communicates this information to the primary/backup process servers. I/O modules and repeaters that interface with safety-related devices are qualified to the same standards such that total system integrity is maintained. The I/O modules are constructed with optical couplers which provide isolation between the incoming signals and ERIS.
Additional isolation is achieved through use of fiber optic cable which can be used to connect the fiber optic repeaters to the
primary and backup process servers. Signal conditioning and
digitizing are accomplished by the input modules.
New ERIS Components - Due to aging components and a lack of available spare parts, the ERIS is being replaced. The replacement process is being done in several phases. The first phase installs the replacement ERIS processing network and equipment in the Technical Support Center (TSC) Computer Room, and in the Main Control Room (MCR) and the fiber optic communications network to connect these components. In addition, several of the ERIS Input/Output (I/O) Modules located in the MCR are replaced with new and updated I/O modules. These replacement I/O Modules are connected, via fiber optic cables, to the new ERIS network at the new Network Switches installed in the MCR. The new ERIS processors provide signal translation and processing as necessary to provide replacement I/O data to the existing ERIS Data Processing System for the computer points which utilized the replaced I/O Modules. The replacement of existing ERIS I/O Modules will continue, via future planned Engineering Changes (ECs), until all of the ERIS I/O data is being routed through the new ERIS system. At that time, via future planned EC(s), all ERIS functions, including processing, display, printing, data storage and output functions will be migrated to the new ERIS system and the existing ERIS will be taken out of service.
The new ERIS equipment and network conform to the same separation and power supply criteria, as described in section 7.7.1.7, for the current ERIS equipment and network.
Fiber Optic Repeaters - The fiber optic repeaters are part of the
DAS and receive inputs from several I/O modules and then transmit
these signals to the primary and backup process servers.
12 RBS USAR Revision 24 7.7-38 December 1999 Data Processing System (DPS) - The data processing system receives data from the DAS and from the new ERIS I/O components , stores the data, performs calculations, validates the information by comparing redundant or secondary signals through appropriate
calculations, and generates displays according to programmed
formats. DPS uses two processors to accomplish these tasks, the Transient Recording and Analysis (TRA) and the Real Time Analyses
and Display (RTAD) processors. The TRA processor receives ERIS data from the DAS and stores it on magnetic disks. For
post-event analysis, the TRA processor retrieves stored data and
performs the necessary computations for formatting to provide
outputs as requested from the graphic display console. The RTAD processor receives ERIS data from the DAS and performs necessary
computations to convert data to a format suitable for real time display on the CRTs. It also performs the validation function of
input signals. The RTAD processor also stores data on magnetic
disk. This data can be retrieved to provide trend display information upon request. If either processor fails, both functions can be accomplished by the remaining processor with
minor diminished capacity. 12 Graphic Display Console - The existing SPDS video consoles (2) are replaced with two touch screen display stations. The new display stations generate a variety of graphic real-time displays that are available on command from the keyboard. The displays provide the plant operator with a central display of critical "symptoms" of the plant condition that assist the operator in entering and following procedures developed from the Emergency Procedure Guidelines (EPG) and initiating the required actions.
Different displays can be shown on each station simultaneously.
Simulator - All devices identical to those in the plant MCR are provided in the simulator. An additional display station is provided in the instructor's office to monitor simulated system
status and assist with any maintenance activities.
Technical Support Center (TSC) - The technical support center has three (3) display stations equipped with keyboards and monitors.
All of these stations have the same capabilities as those in the
main control room with access to the outputs from ERIS.
Emergency Operations Facility (EOF) - The emergency operations
facility, as part of ERIS, consists of two (2) display stations with keyboards and monitors located remote from the main control room with access to outputs from ERIS and the simulator system.
To facilitate the Backup EOF requirements, capability exists to
support modem-connected display stations.
Development System - This system is configured with the appropriate compilers, editors and support software to support
the development of custom software, graphic displays and the
system database. It is comprised of a server and one display
station. 12 RBSUSAR7.7-38aAugust1987ERISOutputs-TheERISiscapableofthefollowingoutputstoaidtheoperatorwhendealingwithemergencysituations:1.CriticalPlantVariablesdisplay-Aconcisedisplayofcriticalplantvariablestoprovideforrapid assessmentofsafetystatusoftheplantisprovided fortheoperator.Plantparametersaredisplayedwith amimicshowingtheRPV,containment,drywell,and suppressionpool.Thedisplayshowspressure,level, temperature,powerlevel,scramstatus,MSIVstatus, safetyreliefvalvestatus,andisolationvalvestatus.
Limitsareshownforvariablesadjacenttoactual
values.
RBSUSARRevision127.7-38bDecember1999THISPAGEINTENTIONALLYLEFTBLANK RBS USAR Revision 16 7.7-39 March 2003 162. Reactor Pressure Vessel Control display - Several displays are available showing detailed information on the RPV for "Narrow Range," "Wide Range," "Fuel Zone,"
"Shutdown Range," and "Full Range." Each of these displays shows reactor level, pressure, and power on a 10-min trend plot with appropriate display of key values for these variables. Also shown on the same display is status information of major systems such as
LPCI, LPCS, HPCS, RCIC, CRD, RWCU, SLC, turbine control, and turbine bypass. Status information is also shown for diesel generator, safety relief valves, MSIVs, isolation valves, and control rods (scram).
163. Containment Control display - Several displays are available showing detailed information for containment
such as "Narrow," "Upset-Lo," "Upset-Mid," "Upset-Hi,"
and "Full" range. Each of these displays shows
suppression pool level and temperature, drywell
pressure and temperature, and containment temperature
on 10-min trend plots with appropriate display of key values for these variables. Also shown on the same display is status information of major systems such as
suppression pool cooling, drywell cooling, containment
cooling, and standby gas treatment. Status information is also shown for diesel generator, safety relief valves, MSIVs, isolation valves, and control rods (scram).4. Plant Parameter Validation display - Displays validation information for critical plant parameters such as RPV level, pressure and temperature, reactor
power, drywell pressure and temperature, containment
pressure and temperature, suppression pool temperature and level. Validation is accomplished through
comparison with redundant or secondary signals with
appropriate calculations. 5. Trend Plot display - Trend plots for critical plant parameters are shown in a form similar to those on
composite displays mentioned above, but in more detail
with longer trend time. 166. Two-Dimensional Plot display - The following two-dimensional plots are available on demand: RPV
Saturation Temperature-Drywell Temperature vs RPV
Pressure and Heat Capacity Temperature Limit-
Suppression Pool Temperature vs RPV Pressure.
16 RBS USAR Revision 16 7.7-40 March 2003 16 These displays allow the operator to see at a glance available margins without having to perform manual
calculations.
16 Verification and Validation Verification and validation of ERIS is provided in GE Licensing Topical Report NEDE-30284-P.
IsolationTo sample a Class 1E signal, a Class 1E data acquisition unit is utilized. It is supplied with Class 1E power and the output is via fiber optic cable. Additional information on optical
isolators is provided in Section 7.1.4.2. 7.7.1.7.2 Startup Testing and Transient Analysis and Recording The emergency response and information system (ERIS) provides for transient analysis and recording of startup test data. The
initial use of this system is for the transient tests performed during the startup test program. During commercial operation ERIS
is used to aid in the following: 1. Verification of plant transient performance
- 2. Documentation based on data recovery of unplanned transient events 3. Routine surveillance tests which require dynamic response support data 4. Periodic check and adjustment of control systems for optimizing plant performance 5. System diagnostic and analytical tests necessary during the life of the plant to support various activities (e.g., maintenance, licensing requirements). The following table summarizes the parameters in safety-related systems which are monitored for startup transient testing:
RBSUSAR7.7-41August1988ParameterApplicableSystemValvePositionNSSSRHRLPCSHPCSRCICADSSLCSMSPLCSCRIVCSFlowRateRCICHPCSLPCSRHR SystemPressureRCICRHRRCSSLCSLDSHPCSLPCSRPSNBSFWSFluidLevelRPSRCSSLCSRHRFWS NSSSElectricPowerAllSafety-RelatedSystems AvailabilitySystemInitiationADSRPSCRIVCSRHRLPCSSignalHPCSRCICSystemTemperatureLDSNBSRCSSLCSCMS RHR7.7.1.8DigitalRadiationMonitoringSystem TheClass1Eportionsofthedigitalradiationmonitoringsystem(DRMS)areidentifiedinSection7.6.1.4.TheDRMSisfurther discussedbelowandinSections11.5.2.1and13.3.
SoftwareThesystemisdesignedtooperatewithoutbeingaffectedbyfailureofthenon-Class1Emonitorsorthenon-Class1E computers.Softwareforthemonitorshasbeendevelopedin INTEL's8085assemblercodeorinPLM.Thesoftwarewas developedinthesecodestoensuretheminimumpossibleexecution timeforeachprogramandstillhavemodularprogramming.TheDBM(DataBaseManager)moduleisthefiletaskthatcontrolsallexternalaccessestothemonitor'sdatabase.Errorreporting andaccessloggingisprovidedinadditiontothenormaldata basereadsandwrites.1DBMisresponsibleforcontrollingwhohasaccesstowhichitem withinthedataandunderwhatcircumstances.DBM'scontrol preventsaClass1Emonitor'sdatabasefrombeingchangedbya deviceotherthanitslocalcontrolpanel(portable)orremote1E cabinetinthemaincontrolroom.
1 RBSUSAR7.7-42August19881Eachmonitorisequippedwiththreeseparatecommunicationports.
Allthreeportsare0-30mAcurrentloopsandoperate synchronouslyinahalfduplexmode.Twoportsarefor communicatingtothenon-Class1EDEC11/34computerandoperate at4800baudviaClass1Ecommunicationisolationdevices(see ItemB).Thethirdportisinforcommunicatingtothe1E cabinetsintheMCRorthelocalcontrolpanel(portable)at1200 baud.InordertopreventblockingoftransmissionontheDEC 11/34computerloop,thefirsttwoportsareequippedwith hardwarerelaybypasseswhichshuntthelooptransmissionaround themonitorinthecasesoffailure.
1Validitycheckingisperformedonallrawdatabeforeanyfurther actionoccurs.Usuallyitinvolvescheckingthevaluesofthe datatoinsurethatitiswithinacceptablelimitsofrange.In somecasesthevalidityisdependentuponthevalueofthedata theprevioustimeitwassampled.
IsolationThecommunicationisolationdeviceprovidesphysicalseparationandelectricalisolationbetweenClass1Ecircuitsandnon-Class 1Ecircuitsandbetweencircuitsofdifferentsafety
classifications.Circuitsoutsidetheisolationboxarephysicallyseparatedby16in.betweeninputandoutputconduitentries.Opticallycoupledisolators,eachconsistingofa3-in.lightpipebetweenaninfraredlight-emittingdiode(LED)andasilicon photo-transistor,provideelectricalisolation.AllIEequipmentisfabricatedtotheapplicablesectionsofIEEE323-1974,IEEE384-1977,IEEE344-1975,andRegulatory Guides1.75(Rev.2)and1.89.17.7.1.9AlternateRodInsertion(ARI)1.SystemFunction TheARIsystemconsistsofredundantscramairheaderexhaustvalvesandprovidesameanstoscramthereactorwhenspecific variablesexceedpredeerminedlimits.Althoughnon-safety related,thesystemisdesignedtoperformitsfunctionina reliablemannerindependentofthereactorprotectionsystem (RPS).1 RBSUSAR7.7-42aAugust198812.SystemOperationTheARIsystemconsistsofsevenDCpoweredsolenoidoperatedvalvesarrangedtoprovidethreeredundantventpathsforthe scramairheaderandisolationofitsairsupply.Reference Figure4.6-5CforlocationsofvalvesC11-SOVF160,F162A,B,C, D,F164A,B.TheARIfunctionisinitiateduponreceiptofa reactorhighdomepressure,reactorlowwaterlevel2,ormanual initiationsignal.Manualinitiationandresetswitchesare locatedinthecontrolroomontheP680panel.Controlroom displayprovidestheoperatorwithARIsystemstatusandvalve positionindication.ThesetpointsforARIinitiationarechosen sothatanRPSgeneratedSCRAMshouldalreadyhavebeeninitiated bytheaboveparameters.Followinganyoftheseinitiation signals,theARIvalveswillenergizetoventairpressureinthe headerallowingindividualscraminletandoutletvalvestoopen.
Thecontrolroddriveunitstheninsertthecontrolbladesto shutdownthereactor.TheARIsystemutilizesthesamepressureandlevelinstrumentationusedforrecirculationpumptriponanATWS signal.Aredundanttwooutoftwologicarrangementforboth pressureandlevelprovidebothreliabilityandprotection againstinadvertenttrips.ThenumberandsizeoftheARIvalves isselectedtoallowinsertionofallcontrolrodstobegin withinapproximately15seconds.Allcontrolrodsreachtheir fullinpositionwithinapproximately25seconds.Uponreceipt ofaninitiationsignalasealinoccursforapproximately32 secondsensuringcompleteventingofthescramairheader.TheARIsystemisalsodesignedtoallowperiodicsurveillanceofallARIvalvesatpower.Thisisaccomplishedbyhavingtwo valvesinseriesoneachventpathandparallelairheadersupply valves.Theoutboardvalvesarecontrolledbychannel1andthe inboardvalvesandairsupplyvalvesarecontrolledbychannel2.
Eachchannelistestedindependentlyandinterlockedtoprevent simultaneoustestingofbothchannels.Testingisautomatically overriddenwhenARIisinitiated.TheARIsystemisdiverse,physicallyseparated,andelectricallyindependentfromtheRPS.Diversityisachievedthroughtheuse ofenergize-to-tripcircuitsandDCversusACpowersupply.Use ofnon-divisionalnon-interruptiblepowersupplyprecludesthe needforisolationdevicesandprovidesforARIcapabilityduring alossofoffsitepowerevent.
1 RBSUSAR7.7-42bAugust19887.7.1.10DesignDifferencesRefertoTable7.7-2foralistofinstrumentationandcontrolsystemdesignsandtheirsimilaritytodesignsofothernuclear powerplants.7.7.2Analysis RefertothesafetyevaluationsinChapter15andAppendix15A.Chapter15showsthatthesystemsdescribedinSection7.7are notutilizedtoprovideanyDBAsafetyfunction.Safety functionsareprovidedbyothersystems.
RBSUSAR7.7-43August1987Chapter15alsoevaluatesallcrediblecontrolsystemfailuremodes,theeffectsofthosefailuresonplantfunctions,andthe responseofvarioussafety-relatedsystemstothosefailures.