ML17355A664
| ML17355A664 | |
| Person / Time | |
|---|---|
| Site: | Columbia  |
| Issue date: | 12/31/2017 |
| From: | Energy Northwest |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML17355A655 | List: |
| References | |
| GO2-17-190 | |
| Download: ML17355A664 (416) | |
Text
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS
Section Page LDCN-05-009 7-i
7.1 INTRODUCTION
.........................................................................7.1-1
7.1.1 IDENTIFICATION
OF SA FETY-RELATED SYSTEMS.......................7.1-1 7.1.1.1 Reactor Protection System...........................................................7.1-1 7.1.1.2 Primary Containment and Reactor Vessel Isolation Control System.........7.1-1 7.1.1.3 Emergency Core Cooling System..................................................7.1-1 7.1.1.4 Neutron Monitoring System.........................................................7.1-2 7.1.1.5 Process Radiation Monitoring System.............................................7.1-2 7.1.1.6 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Conditioning System........................................7.1-2 7.1.1.7 Standby Service Water System......................................................7.1-2 7.1.1.8 Containment At mosphere Control System........................................7.1-2 7.1.1.9 Reactor Core Isolation Cooling System...........................................7.1-3 7.1.1.10 Standby Liquid Control System....................................................7.1-3 7.1.1.11 Leak Detection System..............................................................7.1-3 7.1.1.12 Residual Heat Removal System - Shutdown Cooling Modes.................7.1-3 7.1.1.13 Fuel Pool C ooling and Cleanup System..........................................7.1-3 7.1.1.14 Suppression Pool Temperature Monitoring System.............................7.1-3 7.1.1.15 Standby Gas Treatment System....................................................7.1-3 7.1.1.16 DELETED.............................................................................7.1-3 7.1.1.17 Safety-Related Display Instrumentation...........................................7.1-4 7.1.1.18 Containment Instrument Air System..............................................7.1-4 7.1.1.19 Residual Heat Removal System - Containment Spray Cooling Mode.......7.1-4 7.1.1.20 Remote Shutdown System...........................................................7.1-4 7.1.1.21 Recirculation Pump Trip............................................................7.1-4 7.1.1.22 Residual Heat Removal Syst em - Suppression Pool Cooling Mode..........7.1-4 7.1.1.23 Anticipated Transient Without Scram Recirculation Pump Trip.............7.1-4 7.1.1.24 Anticipated Transient Wit hout Scram - Alternate Rod Insertion.............7.1-4
7.1.2 IDENTIFICATION
OF SAFETY CRITERIA.....................................7.1-5 7.1.2.1 Regulatory Requirements............................................................7.1-5 7.1.2.2 Regulatory Confor mance - 10 CFR 50 Appendix A............................7.1-5 7.1.2.3 Conformance to Institute of Electrical and Elec tronics Engineers Standards................................................................................7.1-5 7.1.2.4 Conformance to Regulatory Guides................................................7.1-7 7.1.2.5 Instrument Errors......................................................................7.
1-10 C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-11-031 7-ii 7.2 REACTOR PROTECTION (TRIP) SYSTEM ........................................ 7.2-1
7.2.1 DESCRI
PTION ...........................................................................
7.2-1 7.2.1.1 Reactor Protection System Descri ption ............................................
7.2-1 7.2.1.1.1 Neut ron Monitoring System Trip ................................................ 7.2-3 7.2.1.1.1.1 Intermediate Range Monitors .................................................. 7.2-4 7.2.1.1.1.2 Average Powe r Range Monitors ............................................... 7.2-4 7.2.1.1.2 Reactor Ve ssel Pressu re ........................................................... 7.2-5 7.2.1.1.3 Reactor Vessel Water Level ...................................................... 7.2-5 7.2.1.1.4 Turbine Throttle Valve Position
.................................................. 7.2-6 7.2.1.1.5 Turbine Gover nor Valve Position ................................................
7.2-6 7.2.1.1.6 Main Steam Line Isolation Valves Position .................................... 7.2-7 7.2.1.1.7 Scram Discharge Volume Water Level .........................................
7.2-8 7.2.1.1.8 Drywell Pressure
.................................................................... 7.2-8 7.2.1.1.9 Manua l Scram ....................................................................... 7.2-8 7.2.1.1.10 Reactor Mode Sw itch Manual Scram ............................................ 7.2-9 7.2.1.2 Design Basis ............................................................................ 7.2-9 7.2.1.2.1 Variables Monitored to Provide Protective Actions .......................... 7.2-9 7.2.1.2.2 Location and Minimu m Number of Se nsors ...................................
7.2-9 7.2.1.2.3 Prudent Operational Limits ....................................................... 7.2-10 7.2.1.2.4 Margin ................................................................................ 7.2-10 7.2.1.2.5 Levels ................................................................................. 7.2-11 7.2.1.2.6 Malfunctions , Accidents, and Other Unusual Events Which Could Cause Damage to Sa fety Systems ........................................ 7.2-11 7.2.1.2.6.1 Floods ..............................................................................
7.2-11 7.2.1.2.6.2 Storms and Tornadoes ........................................................... 7.2-11 7.2.1.2.6.3 Ea rthquakes ....................................................................... 7.
2-11 7.2.1.2.6.4 Fires ................................................................................
7.2-12 7.2.1.2.6.5 Loss-of-Coolant Accident ....................................................... 7.2-12 7.2.1.2.6.6 Pipe Break Outside Primary Containment ................................... 7.2-13 7.2.1.2.6.7 Missiles ............................................................................ 7.2-13 7.2.1.2.7 Minimum Pe rformance Requirements
........................................... 7.2-13 7.2.1.3 Final System Drawings
............................................................... 7.2-13
7.2.2 ANALYSIS
............................................................................... 7.2-13 7.2.2.1 Conformance to 10 CFR 50, Appendix A, General Design Criteria ......... 7.2-13 7.2.2.2 Conformance to IEEE Standards ................................................... 7.2-15 7.2.2.3 Conformance to NRC Regulatory Guides ......................................... 7.2-20 C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-09-007 7-iii
7.3 ENGINEERED
SAFETY FEATURE SYSTEMS ................................... 7.3-1
7.3.1 DESCRI
PTION ..........................................................................
7.3-1 7.3.1.1 System Description
.................................................................... 7.3-1 7.3.1.1.1 Emergency Core Cooling Syst ems ...............................................
7.3-1 7.3.1.1.1.1 High-Pressure Core Spray Sy stem. ...........................................
7.3-2 7.3.1.1.1.2 Auto matic Depressurizati on System
.......................................... 7.3-4 7.3.1.1.1.3 Low-Pr essure Core Spray.
...................................................... 7.3-5 7.3.1.1.1.4 Residual Heat Removal System - Low Pressure Coolant Injection M ode. ...................................................................
7.3-6 7.3.1.1.2 Primary Containment and Reactor Vessel Isolation Control System (PCRVICS) .......................................................................... 7.3-9 7.3.1.1.2.1 Reactor Vessel Low Water Level ............................................. 7.3-10 7.3.1.1.2.2 Drywell High Pressure .......................................................... 7.3-11 7.3.1.1.2.3 Main Steam Line - High Radiation ............................................ 7.3-11 7.3.1.1.2.4 Main Steam Line - Tunnel High Ambient Temperature or High Differential Temperature ........................................................ 7.3-11 7.3.1.1.2.5 Main Steam Line - High Flow ................................................. 7.3-12 7.3.1.1.2.6 Main Steam Line - Low Pressure ............................................. 7.3-12 7.3.1.1.2.7 Reactor Building Ventilation Exhaust Radiation Monitor ................. 7.3-13 7.3.1.1.2.8 Reactor Wa ter Cleanup System - High Differential Flow ................. 7.3-13 7.3.1.1.2.9 Reactor Wa ter Cleanup System - Area High Ambient Temperature or High Differential Temperature
............................................. 7.3-13 7.3.1.1.2.10 Reactor Wa ter Cleanup System - High Blowdown Flow ................. 7.3-14 7.3.1.1.2.11 Residual Heat Removal System - Area Hi gh Ambient Temperature or High Differential Temperature
............................................. 7.3-14 7.3.1.1.2.12 Residual Heat Removal System - Flow Rate Monitoring ................. 7.3-14 7.3.1.1.2.13 Main Condenser Vacuum Trip ................................................ 7.3-15 7.3.1.1.2.14 Reactor Core Isolation Cooling System Isolation Signals. ............... 7.3-15 7.3.1.1.3 DELETED ........................................................................... 7.3-15 7.3.1.1.4 Residual Heat Removal System - Containment Spray Cooling Mode ..... 7.3-15 7.3.1.1.5 Residual Heat Removal System - Suppression Pool Cooling Mode
........ 7.3-16 7.3.1.1.6 Standby Servi ce Water System ................................................... 7.3-17 7.3.1.1.7 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Cond itioning System ...................................... 7.3-18 7.3.1.1.8 Standby Gas Treatment System .................................................. 7.3-18 C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-05-009 7-iv 7.3.1.1.9 Reactor Building Ventilation and Pressure Control System..................7.3-18 7.3.1.1.10 Containment Instrument Air System............................................7.3-19 7.3.1.2 Design Basis............................................................................7.3-20 7.3.1.2.1 Variables Monitored to Provide Protective Action............................7.3-20 7.3.1.2.2 Location and Minimu m Number of Sensors...................................
7.3-22 7.3.1.2.3 Prudent Op erational Limits.......................................................7.3-22 7.3.1.2.4 Margin................................................................................
7.3-22 7.3.1.2.5 Levels.................................................................................
7.3-22 7.3.1.2.6 Range of Transient, Steady State, and Environmental Conditions.........7.3-22 7.3.1.2.7 Malfunctions , Accidents, and Other Unusual Events Which Could Cause Damage to Safety System.........................................7.3-23 7.3.1.2.7.1 Floods..............................................................................7.3-23 7.3.1.2.7.2 Stor ms and Tornadoes...........................................................7.3-23 7.3.1.2.7.3 Earthquakes.......................................................................7.
3-23 7.3.1.2.7.4 Fires................................................................................7.3-23 7.3.1.2.7.5 LOCA..............................................................................7.3-23 7.3.1.2.7.6 Pipe Break Outside Primary Containment...................................7.3-23 7.3.1.2.7.7 Missiles............................................................................7.3-23 7.3.1.2.8 Minimum Perfor mance Requirements...........................................
7.3-23 7.3.1.3 Final System Drawings...............................................................7.3-24 7.3.2 ANALYSIS...............................................................................
7.3-24 7.3.2.1 Engineered Safety Feature Systems - Instrumentation and Controls.........7.3-24 7.3.2.1.1 Conformance to 10 CFR 50 Appendix A.......................................
7.3-24 7.3.2.1.2 Conformance to IEEE Standards.................................................
7.3-25 7.3.2.1.3 Conformance to Regulatory Guides.............................................7.3-29
7.4 SYSTEMS
REQUIRED FOR SAFE SHUTDOWN.................................7.4-1 7.
4.1 DESCRIPTION
..........................................................................
7.4-1 7.4.1.1 Reactor Core Isolation Cooling System...........................................7.4-1 7.4.1.1.1 Function..............................................................................
7.4-1 7.4.1.1.2 Op eration.............................................................................7.4-2 7.4.1.2 Standby Liquid Control System.....................................................7.4-5 7.4.1.2.1 Function..............................................................................
7.4-5 7.4.1.2.2 Op eration.............................................................................7.4-6 7.4.1.3 Residual Heat Rem oval System/Shutdown Cooling Mode.....................7.4-6 7.4.1.3.1 Function..............................................................................
7.4-6 C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-04-027 7-v 7.4.1.3.2 Op eration.............................................................................7.4-6 7.4.1.4 Remote Shutdown Systems..........................................................7.4-7 7.4.1.4.1 Function..............................................................................
7.4-7 7.4.1.4.2 Op eration.............................................................................7.4-7 7.4.1.5 Anticipated Transient Without Scram - Recirculation Pump Trip............7.4-9 7.4.1.5.1 Function..............................................................................
7.4-9 7.4.1.5.2 Op eration.............................................................................7.4-9 7.4.1.6 Anticipated Transient Without Scram - Alternate Rod Insertion..............7.4-9 7.4.1.6.1 Function..............................................................................
7.4-9 7.4.1.6.2 Op eration.............................................................................7.4-9 7.4.1.7 Design Basis............................................................................7.4-10 7.4.1.7.1 Variables Monitored to Provide Protective Actions..........................7.4-10 7.4.1.7.2 Location and Minimu m Number of Sensors...................................
7.4-10 7.4.1.7.3 Prudent Op erational Limits.......................................................7.4-10 7.4.1.7.4 Margin................................................................................
7.4-10 7.4.1.7.5 Levels.................................................................................
7.4-10 7.4.1.7.6 Range of Transient, Steady State, and Environmental Conditions.........7.4-11 7.4.1.7.7 Malfunctions , Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems........................................7.4-11 7.4.1.7.7.1 Floods..............................................................................7.4-11 7.4.1.7.7.2 Stor ms and Tornadoes...........................................................7.4-11 7.4.1.7.7.3 Earthquakes.......................................................................7.
4-11 7.4.1.7.7.4 Fires................................................................................7.4-11 7.4.1.7.7.5 Loss-of-Coolant Accident.......................................................7.4-12 7.4.1.7.7.6 Pipe Break Outside Primary Containment...................................7.4-12 7.4.1.7.7.7 Missiles............................................................................7.4-12 7.4.1.7.8 Minimum Perfor mance Requirements...........................................
7.4-12 7.4.1.8 Final System Drawings...............................................................7.4-12 7.4.2 ANALYSIS...............................................................................
7.4-12 7.4.2.1 Conformance to 10 CFR 50 Appendix A, General Design Criteria..........7.4-12 7.4.2.2 Conformance to IEEE Standards...................................................7.4-13 7.4.2.3 Regulatory Guides Conformance...................................................7.4-18 7.
4.3 REFERENCES
...........................................................................
7.4-19 C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-09-033 7-vi 7.5 SAFETY-RELATED DISPL AY INSTRUMENTATION .......................... 7.5-1 7.5.1
SUMMARY
DESCRIPTION
.......................................................... 7.5-1 7.5.1.1 General .................................................................................. 7.5-1 7.5.1.1.1 Reactor Water Level ............................................................... 7.5-1 7.5.1.1.2 Reactor Pressure .................................................................... 7.5-2 7.5.1.2 Reactor Shut down Indication ........................................................ 7.5-2 7.5.1.3 Primary Containment and React or Vessel Isolati on Indication ................ 7.5-3 7.5.1.4 Emergency Core Cooling System and Reactor Core Isolation Cooling Indicat ion .....................................................................
7.5-3 7.5.1.5 Containmen t Indications .............................................................. 7.5-4 7.5.1.5.1 Primary Containment Pressure Mon itoring .................................... 7.5-4 7.5.1.5.2 Primary Contai nment Temperat ure ..............................................
7.5-4 7.5.1.5.3 Primary Cont ainment Radiation ..................................................
7.5-5 7.5.1.5.4 Primary Containment Hydrogen and Oxygen Concentration
................ 7.5-6 7.5.1.5.5 Suppression Ch amber Pressu re ...................................................
7.5-6 7.5.1.5.6 Suppression Pool Te mperature Monitoring .................................... 7.5-6 7.5.1.5.7 Suppression Pool Water Level Monitoring ..................................... 7.5-6 7.5.1.6 Monitoring for Radioactive Release to the E nvironment
....................... 7.5-7 7.5.1.6.1 Building Effluent Gas Monitors .................................................. 7.5-7 7.5.1.6.2 Meteorologi cal Conditions ........................................................ 7.5-7 7.5.1.7 Radiation Expos ure (Postaccide nt) .................................................
7.5-7 7.5.1.8 Postaccident Sampling System ...................................................... 7.5-8 7.5.1.9 Primary System Relief Valve Position Indication
................................ 7.5-8 7.5.1.10 Power Supply St atus Monitoring ................................................... 7.5-8 7.5.1.11 Primary Water Source Indicat ion ..................................................
7.5-8 7.5.1.12 Residual Heat Removal System .................................................... 7.5-8 7.5.1.13 Standby Liquid C ontrol System .................................................... 7.5-9 7.5.1.14 DELETED ............................................................................. 7.5-9 7.5.1.15 High Levels in Radioactive Li quid Tanks
........................................ 7.5-9 7.5.1.16 Emergency Ventilation Damper Position I ndication
............................ 7.5-9 7.5.1.17 Standby Service Water System ..................................................... 7.5-9 7.5.1.18 Spent Fuel Pool Cooling System ................................................... 7.5-9 7.5.1.19 Main Control Room Heating, Ventilating, a nd Air Conditioning ............ 7.5-9 7.5.1.20 Standby Gas Treatment System .................................................... 7.5-9 7.5.1.21 Containment In strument Ai r ........................................................ 7.5-10 C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-05-009 7-vii 7.5.1.22 Safety Parameter Display............................................................7.5-10 7.5.1.22.1 Desc ription..........................................................................7.5-10 7.5.1.22.2 Conforman ce to NUREG-0696..................................................7.
5-10 7.5.2 ANALYSIS AND DESIGN BASIS..................................................7.5-11 7.5.2.1 Design Basis............................................................................7.5-11 7.5.2.2 Analysis.................................................................................7.5-13 7.5.2.2.1 Conformance To 10 CFR 50 Appendix A, General Design Criteria......7.5-14 7.5.2.2.2 Conformance To IEEE Standards................................................
7.5-14 7.5.2.2.2.1 IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations.......................................7.5-14 7.5.2.2.2.2 IEEE Standa rd 323-1974, Standard for Qualifying Class 1E Equipment for Nuclear Po wer Generating Stations.........................7.5-17 7.5.2.2.3 Regulatory Gu ide Conformance..................................................7.5-17 7.
5.3 REFERENCES
...........................................................................
7.5-30 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY.....................................................................................7.6-1 7.
6.1 DESCRIPTION
..........................................................................
7.6-1 7.6.1.1 Process Radiation Monitoring System.............................................7.6-1 7.6.1.2 High-Pressure/Low-Pressu re Systems Interlocks and Alarms.................7.6-1 7.6.1.2.1 Function..............................................................................
7.6-1 7.6.1.2.2 Op eration.............................................................................7.6-1 7.6.1.3 Leak Detection System...............................................................7.6-2 7.6.1.3.1 Function..............................................................................
7.6-3 7.6.1.3.2 Op eration.............................................................................7.6-3 7.6.1.3.3 Main Steam Li ne Leak Detection................................................7.6-4 7.6.1.3.4 Reactor Core Isolation Cooling System Leak Detection.....................7.6-4 7.6.1.3.4.1 Reactor Core Isolation Cooling Area Temperature Monitoring..........7.6-4 7.6.1.3.4.2 Reactor Core Isolati on Cooling Steam Flow Rate Monitoring...........7.6-5 7.6.1.3.4.3 Reactor Core Isolati on Cooling Turbine Exhaust Diaphragm Pressure Monitoring.............................................................7.6-5 7.6.1.3.4.4 Reactor Core Isolation Cooling Pressure Monitoring......................7.6-5 7.6.1.3.5 Residual Heat Remova l System Leak Detection...............................7.6-5 7.6.1.3.5.1 Residual Heat Removal Area Temperature Monitoring...................7.6-6 7.6.1.3.5.2 Residual Heat Removal Flow Rate Monitoring.............................7.6-6 C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-06-048 7-viii 7.6.1.3.6 Reactor Water Cleanup System Leak Detection...............................7.6-6 7.6.1.3.6.1 Reactor Water Cl eanup Differential Flow Monitoring.....................7.6-7 7.6.1.3.6.2 Reactor Water Cleanup Area Temperature Monitoring...................7.6-7 7.6.1.3.6.3 Condenser Bl owdown Line Flow Monitoring...............................7.6-7 7.6.1.3.7 Drywell Floor Dr ain Leak Detection............................................
7.6-7 7.6.1.3.8 Drywell Equipment Drain Leak Detection.....................................7.6-7 7.6.1.3.9 Reactor Building Floo r Drain and Equipment Drain Sumps Leak Detection.......................................................................
7.6-8 7.6.1.3.10 Emergency Core Cooling Systems Pump Room Flooding Detection.....7.6-8 7.6.1.3.11 Drywell Atmosphere Radiation Monitoring System.........................7.6-8 7.6.1.3.12 Auxiliary Steam Line Leak Detection..........................................7.6-9 7.6.1.4 Neutron Monitoring System.........................................................7.6-9 7.6.1.4.1 Intermediate Range Monitor......................................................7.6-9 7.6.1.4.1.1 Function............................................................................7.6-9 7.6.1.4.1.2 Operation..........................................................................7.6-9 7.6.1.4.2 Local Power Range Monitor......................................................7.6.10 7.6.1.4.2.1 Function............................................................................7.6-10 7.6.1.4.2.2 Operation..........................................................................7.6-10 7.6.1.4.3 Average Powe r Range Monitor..................................................7.6-12 7.6.1.4.3.1 Function............................................................................7.6-12 7.6.1.4.3.2 Operation..........................................................................7.6-12 7.6.1.4.4 Oscillation Po wer Range Monitor................................................7.6-13 7.6.1.4.4.1 Function............................................................................7.6-13 7.6.1.4.4.2 Operation..........................................................................7.6-13 7.6.1.5 Recirculation Pump Trip System...................................................7.6-15 7.6.1.5.1 Function..............................................................................
7.6-15 7.6.1.5.2 Op eration.............................................................................7.6-15 7.6.1.5.2.1 Bypa sses and Interlocks.........................................................7.6-16 7.6.1.5.2.2 Redundancy.......................................................................7.
6-17 7.6.1.5.2.3 Testability..........................................................................7.6-17 7.6.1.5.2.4 Environmental Considerations.................................................7.6-17 7.6.1.5.2.5 Opera tional Considerations.....................................................7.6-17 7.6.1.6 Spent Fuel Pool Cooling and Cleanup System...................................7.6-17 7.6.1.6.1 Function..............................................................................
7.6-17 7.6.1.6.2 Op eration.............................................................................7.6-18 C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-06-048 7-ix 7.6.1.7 Suppression Pool Temperature Monitoring System.............................7.6-18 7.6.1.7.1 Function..............................................................................
7.6-18 7.6.1.7.2 Op eration.............................................................................7.6-18 7.6.1.8 Design Basis............................................................................7.6-19 7.6.1.8.1 Variables Monitored to Provide Protective Actions..........................7.6-19 7.6.1.8.2 Location and Minimu m Number of Sensors...................................
7.6-20 7.6.1.8.3 Prudent Op erational Limits.......................................................7.6-20 7.6.1.8.4 Margin................................................................................
7.6-21 7.6.1.8.5 Levels.................................................................................
7.6-21 7.6.1.8.6 Range of Transient, Steady State, and Environmental Conditions.........7.6-21 7.6.1.8.7 Malfunctions, Accidents, and Other Unus ual Events Which Could Cause Damage to Safety Systems................................................7.6-21 7.6.1.8.7.1 Floods..............................................................................7.6-21 7.6.1.8.7.2 Stor ms and Tornadoes...........................................................7.6-21 7.6.1.8.7.3 Earthquakes.......................................................................7.
6-21 7.6.1.8.7.4 Fires................................................................................7.6-22 7.6.1.8.7.5 Loss-of-Coolant Accident.......................................................7.6-22 7.6.1.8.7.6 Pipe Br eak Outside Containment..............................................7.6-22 7.6.1.8.7.7 Missiles............................................................................7.6-22 7.6.1.8.8 Minimum Perfor mance Requirements...........................................
7.6-22 7.6.1.9 Final System Drawings...............................................................7.6-22 7.6.2 ANALYSIS...............................................................................
7.6-22 7.6.2.1 Safety-Related System s - Instrumentation and Controls........................7.6-22 7.6.2.2 Conformance to 10 CFR 50 , Appendix A - General Design Criteria........7.6-23 7.6.2.3 Conformance to IEEE Standards...................................................7.6-23 7.6.2.4 Conformance to Regulatory Guides................................................7.6-28 7.
6.3 REFERENCES
...........................................................................
7.6-31 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY.........................7.7-1 7.
7.1 DESCRIPTION
..........................................................................
7.7-1 7.7.1.1 Reactor Vessel.........................................................................7.7-1 7.7.1.1.1 Function..............................................................................
7.7-2 7.7.1.1.2 Op eration.............................................................................7.7-2 7.7.1.1.2.1 Reactor Vessel Temperature....................................................7.7-2 7.7.1.1.2.2 Reactor Vessel Water Level....................................................7.7-2 7.7.1.1.2.3 Reactor Core Hydraulics........................................................7.7-3 C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-06-057 7-x 7.7.1.1.2.4 Reactor Vessel Pressure.........................................................7.7-3 7.7.1.2 Reactor Manual Control System....................................................7.7-4 7.7.1.2.1 Function..............................................................................
7.7-4 7.7.1.2.2 Op eration.............................................................................7.7-4 7.7.1.2.2.1 Rod Drive Control System......................................................7.7-4 7.7.1.2.2.2 Rod Block Trip System..........................................................7.7-7 7.7.1.2.2.3 Rod Position Probes.............................................................7.7-12 7.7.1.2.2.4 Positi on Indication Electronics.................................................7.7-12 7.7.1.3 Recirculation Flow Control System................................................7.7-14 7.7.1.3.1 Function..............................................................................
7.7-14 7.7.1.3.2 Op eration.............................................................................7.7-15 7.7.1.4 Feedwater Control System...........................................................7.7-19 7.7.1.4.1 Function..............................................................................
7.7-19 7.7.1.4.2 Op eration.............................................................................7.7-19 7.7.1.4.2.1 Reactor Vessel Water Level....................................................7.7-20 7.7.1.4.2.2 Main Steam Line Steam Flow..................................................7.7-20 7.7.1.4.2.3 Feedwater Flow...................................................................7.
7-20 7.7.1.5 Digital Electro-Hydraulic Control System........................................7.7-21 7.7.1.5.1 Function..............................................................................
7.7-21 7.7.1.5.2 Op eration.............................................................................7.7-22 7.7.1.5.2.1 Steam Pressure Control.........................................................7.7-22 7.7.1.5.2.2 Steam Bypass System............................................................7.7-23 7.7.1.5.2.3 Turbine Control System Variables............................................7.7-23 7.7.1.5.2.4 Turbine Sp eed-Load Control Interfaces......................................7.7-24 7.7.1.6 Neutron Monitoring System - Traversing In-Core Probe......................7.7-28 7.7.1.6.1 Function..............................................................................
7.7-28 7.7.1.6.2 Op eration.............................................................................7.7-29 7.7.1.7 Neutron Monitoring System - Source Range Monitor..........................7.7-30 7.7.1.7.1 Function..............................................................................
7.7-30 7.7.1.7.2 Op eration.............................................................................7.7-30 7.7.1.8 Neutron Monitoring System - Rod Block Monitor..............................7.7-31 7.7.1.8.1 Function..............................................................................
7.7-31 7.7.1.8.2 Op eration.............................................................................7.7-31 7.7.1.9 Process Computer System...........................................................7.7-32 7.7.1.9.1 Function..............................................................................
7.7-32 7.7.1.9.2 Op eration.............................................................................7.7-33 C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
TABLE OF CONTENTS (Continued)
Section Page LDCN-14-004 7-xi 7.7.1.10 Rod Worth Minimizer Function .................................................... 7.
7-34 7.7.1.10.1 Function
.............................................................................. 7.7-34 7.7.1.10.2 Oper ation ............................................................................
7.7-34 7.7.1.11 DELETED 7.7-36 Throu gh 7.7-39
.............................................................. 7.7-39 7.7.1.12 Loose Parts Dete ction System ...................................................... 7.7-39 7.7.1.13 Refueling In terlocks .................................................................. 7.7-39 7.7.1.13.1 Function
.............................................................................. 7.7-39 7.7.1.13.2 Oper ation ............................................................................
7.7-39 7.7.1.14 Safety/Relief Valves - Relief Function ............................................ 7.7-41 7.7.1.14.1 Function
.............................................................................. 7.7-41 7.7.1.14.2 Oper ation ............................................................................
7.7-42 7.7.1.15 Transient Data Acquisition System ................................................ 7.7-42 7.7.1.15.1 Function
.............................................................................. 7.7-42 7.7.1.15.2 Descri ption ..........................................................................
7.7-43 7.7.1.15.3 Oper ation ............................................................................
7.7-43 7.7.1.15.4 Conformance to NRC Regulatory Guides
...................................... 7.7-44 7.7.1.15.4.1 Regulatory Guide 1.75, Revision 2, Physi cal Independence of Electric Systems .............................................................. 7.7-44 7.7.1.15.4.2 NUREG-0737, Supplement 1, Clarification of TMI Action Plan Requirements: Requirements for Emer gency Response Capabilities .. 7.7-45 7.7.1.16 Design Differences .................................................................. 7.7-45
7.7.2 ANALYSIS
............................................................................... 7.7-45
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF TABLES
Number Page LDCN-02-032,05-009 7-xii 7.1-1 Design and Suppl y Responsibility of Safety-Related and Safe Shutdown Systems...................................................7.1-13 7.1-2 Safety-Related Systems Similarity to Licensed Reactors..................7.1-15
7.1-3 Codes and Standards Applicability Matrix.................................7.1-17
7.2-1 Reactor Protection Syst em Instrumentation................................7.2-23
7.3-1 High Pressure Core Spray System Instrumentation.......................7.3-31
7.3-2 Automatic Depressurization System Instrumentation.....................7.3-32
7.3-3 Low-Pressure Core Spray System Instrumentation.......................7.3-33
7.3-4 Low-Pressure Coolant Injection Instrumentation..........................7.3-34
7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrume ntation........................................................7.3-35
7.3-6 DELETED.......................................................................7.
3-37 7.3-7 Residual Heat Removal Syst em - Containment Spray Cooling Mode System Inst rumentation................................................7.3-38
7.3-8 Residual Heat Removal Syst em - Suppression Pool Cooling Mode System Inst rumentation................................................7.3-39 7.3-9 Standby Service Water System Instrumentation...........................7.3-40 7.3-10 Main Control Room and Critical Switchgear Room HVAC System Instrume ntation........................................................7.3-41
7.3-11 Standby Gas Treatment System Instrumentation..........................7.3-42
7.3-12 Reactor Building Ventilation and Pressure Controller System Instrumentation..................................................................7.3-43 C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF TABLES (Continued)
Number Title Page LDCN-02-032,05-009 7-xiii 7.3-13 Containment Instrument Air System Instrume ntation.....................7.3-44
7.3-14 DELETED.......................................................................7.3-45 7.4-1 Reactor Core Isolation Cooling System Instrumentation.................7.4-21
7.4-2 ATWS-Recirculation Pump Trip System Instrumentation...............7.4-22
7.4-3 ATWS-Alternate Rod Insertion System Instrumentation.................7.4-23
7.5-1 Safety-Related Displa y Instrumentation.....................................7.5-33
7.6-1 High to Low Pressure System Interlocks Instrumentation...............7.6-33
7.6-2 Leak Detection System Instrumentation.....................................7.6-34
7.6-3 LPRM System Trips............................................................7.6-38
7.6-4 Recirculation System Trip Functions........................................
7.6-39 7.6-5 Spent Fuel Pool Cooling and Cleanup System Instrumentation Specifications....................................................................7.
6-40 7.6-6 Channels Requi red for Protective Action Completion for the Spent Fuel Pool Cooli ng and Cleanup System........................7.6-41
7.6-7 Suppression Pool Temperature Monitoring Instrumentation............7.6-42
7.7-1 Design and S upply Responsibility of Plant Control Systems............7.7-47
7.7-2 Similarity to Li censed Reactors..............................................
7.7-48 7.7-3 Refueling In terlocks............................................................7.7-49 C OLUMBIA G ENERATING S TATION Amendment 57 F INAL S AFETY A NALYSIS R EPORT December 2003 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF FIGURES
Number Title LDCN-02-000 7-xiv 7.2-1 Reactor Protection System - IED (Sheets 1 through 4) 7.2-2 Reactor Protection System Scram Functions
7.2-3 Arrangement of RP S Sensor Trip Channels and Trip Logics
7.2-4 Arrangement of Actuat ors and Actuator Logics
7.2-5 Trip Logics in One Trip System (Schematic)
7.2-6 Relationships Between Neutron Monitoring System and Reactor Protection System 7.2-7 Configuration for Turbine Stop Valve Closure Reactor Trip
7.2-8 Process Radiation Monitoring System (Recombiner/Charcoal Bed) - IED (Sheets 1 through 3)
7.2-9 Configuration for Main Steam Line Isolation Reactor Trip
7.2-10 LPRM Channel Arrangement in th e Core and APRM Channel Assignments (Sheets 1 and 2)
7.2-11 Block Diagram - RPS Protective Circuit - Electrical Protection Assembly (EPA)
7.3-1 Reactor Water Cleanup System
7.3-2 Isolation Control System for Main Steam Line Isolation Valves 7.3-3 Isolation Control System Using Motor-Operated Valves
7.3-4 High-Pressure Core Spray Power Supply System - FCD (Sheets 1 through 3)
7.3-5 Initiation Logic - ADS, SPCS, LPCI A
7.3-6 Initiation Logic - LPCI B and C, HPCS, RCIC C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF FIGURES (Continued)
Number Title LDCN-06-000 7-xv 7.3-7 High-Pressure Core Spray Sy stem - FCD (Sheets 1 through 3)
7.3-8 Nuclear Boiler System - FCD (Sheets 1 through 5)
7.3-9 Low-Pressure Core Spray System - FCD (Sheets 1 and 2)
7.3-10 Residual Heat Removal Syst em - FCD (Sheets 1 through 5)
7.3-11 DELETED
7.3-12 Control Logic Diagram - Standby Service Water Sy stem (Sheets 1 through 19)
7.3-13 Control Logic Diagram - HVAC - Main Control Room and Critical Switchgear/Filter Runout Alarm (Sheets 1 through 11)
7.3-14 Control Logic Diagram - Standby Gas Treatment Sy stem (Sheets 1 through 10)
7.3-15 Control Logic Diagram - Primary Containment Instrument Air (Sheets 1 through 10)
7.4-1 Reactor Core Isolation Cooling System - FCD (Sheets 1 through 5)
7.4-2 Standby Liquid Control System - FCD
7.4-3 Recirculation Pump Trip (ATWS-RPT) Logic
7.4-4 ATWS-ARI Control Rod Drive, CRD-V-24A, 25A, 26A, 27A, and 28
7.4-5 ATWS-ARI Control Rod Driv e, CRD-V-24B, 25B, 26B, and 27B
7.4-6 Remote Shutdown Sy stem (Sheets 1 and 2)
7.6-1 Leak Detection System (Sheets 1 and 2)
7.6-2 ECCS Pump Rooms Water Leve l Detection Control Logic Diagram C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF FIGURES (Continued)
Number Title 7-xvi 7.6-3 Neutron Monitoring System - FCD (Sheets 1 through 7) 7.6-4 Ranges of Neutron Monitoring System
7.6-5 SRM/IRM Neutron Monitoring Unit
7.6-6 Detector Drive System Schematic
7.6-7 Functional Block Diagram - IRM Channel
7.6-8 Vessel Penetrations for Nuclear Instrumentation
7.6-9 Power Range Monitor Detector Assembly Location
7.6-10 Neutron Monitoring Syst em - IED (Sheets 1 and 2)
7.6-11 APRM Circuit Arrangement fo r Reactor Protection System Input
7.6-12 Recirculation Pu mp Trip Logic Diagram
7.6-13 Recirculation Pump Trip System A
7.6-14 Turbine Governor Va lve Fast Closure Sensors
7.6-15 Turbine Stop Valve Sensors
7.6-16 Control Logic Diagram -
7.6-17 Control Logic Diagram - Fuel Pool Circulation Pump (FPC-P-1A)
7.6-18 Control Logic Diagram - Fuel Pool Circulation Pump (FPC-P-1B)
7.6-19 Control Logic Diag ram - Makeup Water Skimme r Surge Tank (Fuel Pool)
7.6-20 Control Logic Diagram - Fuel Pool Filter Demineralizer Bypass (Division 1)
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF FIGURES (Continued)
Number Title 7-xvii 7.6-21 Control Logic Diagram - Fuel Pool Cooling Motor-Operated Valve
7.6-22 Control Logic Diagram - Fuel P ool Cooling Loop Isol ation (Division 1)
7.6-23 Control Logic Diagram - Fuel P ool Cooling Loop Isol ation (Division 2)
7.6-24 Control Logic Diagram - Fuel Pool Filter Demineralizer Bypass (Division 2)
7.6-25 Control Logic Diagram -
7.6-26 BISI Logic Diagram - Fuel Pool Cooling and Cleanup System
7.7-1 Water Level Range Definition
7.7-2 Control Rod Drive Hydraulic System - FCD (Sheets 1 through 7)
7.7-3 Reactor Manual Control System (Sheets 1 and 2)
7.7-4 Reactor Manual Control Operational Modes (Sheet 1) and Reactor Manual Control System Operation (Sheet 2)
7.7-5 Eleven-Wire Position Probe
7.7-6 Simplified NSSS Cont rol Schemes (RRS-ASD Flow Control Scheme)
7.7-7 RFCS Simplified Cont rol Logic Block Diagram 7.7-8 Feedwater Control System - IED
7.7-9 Simplified Diagram of Turbin e Pressure and Speed/Load Control
7.7-10 Functional Block Diagram - SRM Channel
7.7-11 Traversing In-Core Probe Assembly
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
LIST OF FIGURES (Continued)
Number Title LDCN-10-004 7-xviii 7.7-12 Assignment of LPRM Input to RBM System
7.7-13 RBM Response to Control Rod Motion (Channels A and C) 7.7-14 RBM Response to Control Rod Motion (Channels B and D)
7.7-15 DELETED
7.7-16 TDAS/PPCRS/PDIS Configuration
7.7-17 Power Dependent RBM Trip Setpoints C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 7.1-1 Chapter 7 INSTRUMENTATION AND CONTROL SYSTEMS
7.1 INTRODUCTION
Chapter 7 presents design and pe rformance information for inst rumentation and control (I&C) of safety-related and major plant control systems used throughout the plant. The design and performance considerations of these systems, safety function, a nd their mechanical aspects are described in other chapters.
7.1.1 IDENTIFICATION
OF SAFETY-RELATED SYSTEMS
The systems are classified according to Regulatory Gu ide 1.70, Revision 2.
Table 7.1-1 lists safety-related and safe shutdown systems and identifies the designer and/or the supplier. Other control systems are listed in Table 7.7-1. Table 7.1-2 identifies I&C systems that are identical to those of a nuclear power plant of similar design that received NRC design or operation approval through the issuance of either a construction permit or an operating license.
The following is a brief description of reactor protection (trip) system (RPS), engineered safety feature systems, safe shutdown systems, safe ty-related display instrumentation and other systems required for safety.
7.1.1.1 Reactor Protection System
The I&C initiate reactor shutdow n via automatic control rods insertion (scram) if selected variables exceed preestablished limits. This action prevents fuel damage, limits nuclear system pressure, and restricts the release of radioactive material.
7.1.1.2 Primary Containment and Reactor Vessel Isolation Control System
The I&C initiate automatic closure of various reactor pressure boundary and primary containment isolation valves if monitored system variables exceed preestablished limits. This action limits the loss of coolant from the reactor coolant pressure boundary (RCPB) and the release of radioactive materials from eith er the RCPB or the primary containment.
7.1.1.3 Emergency Core Cooling System
The I&C provide automatic initiation and control of specific core cooling systems, namely, high-pressure core spray (HPCS) system, automatic depressurization system (ADS), low-pressure core spray (LPCS) system, and the low-pressure coolant injection (LPCI) system.
This provides adequate core c ooling following a loss-of-coolant accident (LOCA) to prevent fuel cladding failure from excessive temperatures.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-002,13-044 7.1-2 7.1.1.4 Neutron Monitoring System
The I&C use in-core neutron detectors to monitor core neutron flux. The neutron monitoring system (NMS) provides signals to the RPS trip logic to scram the reactor. Average neutron flux or average simulated thermal power is measured by the average power range monitors (APRM) and is used as the overpower indicator during power ope ration. Intermediate range monitors (IRM) are used as power indicators during startup and shutdown. The NMS also provides power level indication during all modes of operation.
Also included within NMS is the Oscillation Power Range Monitor (OPRM), which is used to detect thermal hydrau lic oscillations.
7.1.1.5 Process Radiation Monitoring System
Radiation monitors are provided on process lines to monitor/detect and provide trip signals to limit the release of radiation:
- a. Main steam line radiation monitors,
- b. Reactor building exhaus t radiation monitors, and c. Standby service water radiation monitors.
7.1.1.6 Main Control Room and Critical Switchgear Rooms Heating, Ventilating, and Air Conditioning System
In the event of an F, A, or Z signal, the normal control room fresh air intake valves close.
The signal energizes the control room emergency filtration units which divert air through the filters to pressuri ze the main control room. The main c ontrol room kitchen exhaust fan and its isolation damper are also shut off by the F, A, Z signals.
7.1.1.7 Standby Serv ice Water System
The I&C automatically in itiate cooling water flow to vital equipment during abnormal plant conditions.
7.1.1.8 Containment Atmo sphere Control System
The I&C monitor the concentration of hydrogen and oxygen gas present in the primary
containment during and after a postulated LOCA.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-04-027,05-009 7.1-3 7.1.1.9 Reactor Core Isolation Cooling System
The I&C provide makeup water to the reactor vesse l in the event the reactor becomes isolated accompanied by a loss of flow from the reactor feedwater system during normal plant operation or plant transients.
7.1.1.10 Standby Liqu id Control System
The I&C in conjunction with manual initiation provide a redundant reactivity control system that can shut the reactor down from rated power to the cold condition in the event that all withdrawn control rods cannot be inserted manually by the reactor manual control system to achieve reactor shutdown.
7.1.1.11 Leak Detection System
The I&C provide various temperature, pressure, level, and flow sensor s to detect, annunciate, and isolate (in certain cases) water and steam leakage paths in selected reactor systems.
7.1.1.12 Residual Heat Removal System - Shutdown Cooling Modes
The I&C in conjunction with manual initiation of either the normal or alternate shutdown provide cooling to remove decay and sensible heat from the reactor vessel so that the reactor can be refueled and serviced.
7.1.1.13 Fuel Pool Cooling and Cleanup System
The I&C monitor fuel pool water temperature.
7.1.1.14 Suppression Pool Te mperature Monitoring System
The I&C are provided to determ ine when special operating pro cedures are required to avoid elevated suppression pool temperatures.
7.1.1.15 Standby Ga s Treatment System The I&C control standby gas treatment (SG T) system operation durin g abnormal conditions to limit radioactive material releases.
7.1.1.16 (DELETED)
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-05-009 7.1-4 7.1.1.17 Safety-Related Display Instrumentation
The I&C provide information to the reactor oper ators to support manual safety actions or to allow assessment of safety system status.
7.1.1.18 Containment Instrument Air System
The I&C provide uninterruptable instrument air or nitrogen to essential ADS valve accumulators inside primary containment.
7.1.1.19 Residual Heat Removal System - Contai nment Spray Cooling Mode
The I&C provide for the manual initiation of the residual heat re moval (RHR) system subsystem that condens es steam in the drywell and supp ression chamber following a LOCA. The drywell sprays (with or without the RHR heat exchangers) may be used to remove airborne radioactivity from the containment atmosphere in response to a LOCA.
7.1.1.20 Remote Shutdown System
The I&C provide the capability for safe shutdown of the reactor in the event the main control room becomes uninhabitable.
7.1.1.21 Recirculation Pump Trip
The I&C are provided to supplement plant shutdow n at the end of a fuel cycle when control rod worths are reduced by core nuclear characteristics.
7.1.1.22 Residual Heat Removal System - Suppre ssion Pool Cooling Mode
The I&C in conjunction with the suppression pool temperature m onitor provides information to the reactor operators to support manual initiation of this subsystem of the RHR system that cools the suppression pool water to avoid elevated pool temperatures.
7.1.1.23 Anticipated Tr ansient Without Scram Recirculation Pump Trip The I&C trip the reactor recirculation pump motors in the event of an anticipated transient without scram (ATWS).
7.1.1.24 Anticipated Tr ansient Without Scram -
Alternate Rod Insertion
The I&C provide an alternative me thod of inserting the control rods in the event of an ATWS.
C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 7.1-5 7.1.2 IDENTIFICATION OF SAFETY CRITERIA
The I&C equipment design is based on the need to have the system perform its intended function while meeting the requi rements of applicable general design criteria (GDC), regulatory guides, industry standards, and other documents. See Sections
7.2 through
7.6 for a discussion of the design bases for each safety-related system.
7.1.2.1 Regulator y Requirements The plant safety-related systems have been examined with re spect to specific regulatory requirements that are applicable to the instrument and controls of these systems. The specific regulatory requirements pertaining to each system's I&C is specified in Table 7.1-3. For a discussion of the degree of conformance see the individual systems analysis portions in Sections 7.1 through 7.6. 7.1.2.2 Regulatory Conformance - 10 CFR 50 Appendix A
Section 3.1 provides a discussion of those GDC that apply equally to all safety-related, safe shutdown, and augmented quality systems described in this chapter and include GDC 1, 2, 3, 4, 10, 13, 54, 55, and 56. Those GDC which do not apply equally to all safety-related, safe shutdown, and augmented quality systems are discussed for each system in the analysis portion of Sections
7.2 through
7.6.
7.1.2.3 Conformance to Instit ute of Electrical and Elec tronics Engineers Standards
The following is a discussion of those IEEE Standa rds which apply equally to all safety-related systems described in this chap ter. Those IEEE Standards wh ich do not apply equally to all safety-related systems are discussed for each system in the analysis portion of Sections
7.2 through
7.6:
IEEE 308-1974 - Class IE Power Systems fo r Nuclear Power Ge nerating Stations
IEEE 308-1974 is described in Section 8.3.
IEEE 317-1972 - Electric Penetration A ssemblies in Containment Structures
- All containment electrical penetration assemblies used for circuits routed into primary containment are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent vs. time conditions, assuming a single failu re of the circuit primary
- For the replacement of the electrical penetration modules, use the version of IEEE 317 that is in effect at the time of purchase and documented in the design specifications.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 LDCN-09-011 7.1-6 overcurrent protecti on apparatus. See also Sections 1.8 (Regulatory Guide 1.63), 3.8.6 , and 8.1.5.2.
IEEE 323-1971 - Qualifying Class 1E Equipmen t for Nuclear Power Generating Stations
Written procedures and responsibilities are developed for the design and qualification of all Class 1 electric equipment. This includes preparation of specifications, qualification procedures, and documentation.
Qualification testing or analys is is accomplished prior to release of the engineering design for production. Standards ma nuals are mainta ined containing specifications, practices, and procedures for im plementing qualification requirements, and an auditable file of qualification documents is available for review. See Sections 1.8.2 , 1.8.3 , 3.10 and 3.11 for a description of conformance to IEEE 323. NUREG 0588-Category II invokes IEEE-323-1971 with add itional regulatory positions.
IEEE 336-1971 - Installation, Insp ection, and Testing Requirements for In strumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations
Where applicable, purchase and c ontract specifications define installation, inspection, and testing requirements for plant I&
Cs. See the Energy Northwest Operationa l Quality Assurance Program Description (OQAPD).
IEEE 338-1975 - Periodic Testing of Nuclear Power Generating Stations
IEEE 338 is presented on a system basis in the analysis portions of Sections
7.2 through
7.6 as part of the discussion of Re gulatory Guide 1.22 compliance.
IEEE 344-1971 and 1975 - Seismic Qua lification of Class 1E Equipment
Safety-related I&C equipment is classified as Seismic Category I, desi gned to withstand the effects of the safe shutdown earthquake (SSE) and remain functiona l during normal and accident conditions. Qualificati on and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10 and Table 3.2-1. Section 3.10.1.2 identifies compliance to these standards and applicable exceptions.
IEEE 379-1972 - Application of Single Failure Cr iterion to Nuclear Powe r Generating Stations
The extent to which the single fa ilure criteria of IEEE 379 is sa tisfied is speci fically covered for each system in the analysis of IEEE 279, paragraph 4.2, in Sections
7.2 through
7.6.
IEEE 384-1974 - Independence of Cl ass 1E Equipment and Circuits
The safety-related system s described in Sections
7.2 through
7.6 meet the independence and separation criteria for redundant systems in accordance with IEEE 279, paragraph 4.6.
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 LDCN-01-000 7.1-7 The electrical power supply, instrumentation, and control wiring for redundant safety-related circuits are physically separate d to preserve redundancy and ensu re that no single credible event will prevent completion of the protective function. Credib le events include but are not limited to the effects of short ci rcuits, pipe rupture, pipe whip, high-pressure jets, missiles, fire, earthquake, and falling objects, and are considered in the basic plant design.
The independence of wiring, tubing, piping, and control devices for safety-related controls and instrumentation is achieved by physical space or barriers betw een separation groups of the same protective function.
The criteria and bases for the i ndependence of safety-related I&Cs, electrical equipment, cable, cable routing, marking, and cable derating, are disc ussed in Section 8.3.1.4. Fire detection and protection in the areas where cab ling is installed is described in Appendix F.
IEEE 387-1972 - Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations
Design and qualification te sting of the standby power system us ed to furnish electrical power to safety loads conforms to IEEE 387 to ensure that system require ments for redundancy, single failure criteria, adequate capacity, capability, and reliability are adequately met. The standby power source as an integrated system component satisfies the requirements of IEEE 308 as discussed in Section 8.3.
7.1.2.4 Conformance to Regulatory Guides
The following is a discussion of Regulatory Guides which apply to safety-related systems described in this chapter. Unique applicati ons of Regulatory Guides are discussed for each system in the applicable an alysis portion of Sections
7.2 through
7.6 and Section
1.8. Regulatory
Guide 1.11 (March 1971)
All instrument lines that pe netrate the primary containmen t vessel, which are part of safety-related systems, meet the requirements of Regulatory Position C.1. This is accomplished by redundancy, indepe ndence, by allowing for safety system testability, by line orificing or sizing, by includi ng automatic or remote manual (from the cont rol room) line shutoff capability if line integr ity is lost, and by a conserva tive design at the individual penetrations.
All other instrument lines that penetrate the primary containment vessel meet the requirements of Regulatory Position C.2.a by th e same factors discussed above.
See Section 6.2.4.3.2.4 for further discussion.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-014 7.1-8 Regulatory Guide 1.22
Lifting of leads and/or removal of fuses is required to perform a number of surveillance tests.
Surveillance tests for which lifting of leads and/or removal of fuses is required fall into the following categories: (1) test s for thermocouples, (2) tests requiring introduc tion of test equipment into the instrument channel, (3) tests that otherwis e would be unreasonably complex, (4) tests which must be performed before entering the mode in which normally testable, and (5) tests on systems or components for which the configuration permits no reasonable alternative.
Plant procedures for these surveillance tests include instruct ions explicitly requiring the reconnecting of the lifted leads and/or replacement of fuses. Restoration is documented and verified in accordance with guidance provided in Information Notice 84-37.
Regulatory Guide 1.29 (September 1978)
All safety-related I&C equipment is classified as Seismic Cate gory I, designed to withstand the effects of the SSE and remain functional during norma l and accident conditi ons. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10 and Table 3.2-1.
Regulatory Guide 1.30 (August 11, 1972)
The quality assurance requirement s of IEEE 336-1971 (see Section 7.1.2.3 discussion above) were applicable during the pl ant design and construction phases and implemented as an operational quality assurance program during plant operation in response to Regulatory Guide 1.30. The specific requirements of Regul atory Guide 1.30 are met as discussed in the OQAPD.
Regulatory Guide 1.40 (March 16, 1973)
The containment recirculation and head area re turn fans have been qualified for use in containment in accordance with IEEE 334-1974.
Qualification testi ng was successfully performed on a prototype fan for motor heat ag ing, fan resonant sear ch, vibration endurance, and LOCA simulation. Recircul ation and head area return fans will be used as the hydrogen mixing system in the event of a LOCA. See also Section 9.4.11.3.
Regulatory Guide 1.47 (1973)
Each safety-related system described in Sections 7.2 , 7.3 , 7.4 , and 7.6 is provided with an automatically or operator initiated system level bypass and inoperability annunciator. Each system level annunciator is locate d on the panel containing the controls for the specific system.
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 LDCN-00-019 7.1-9 In addition to system level annunciation, component level i ndicators are provided near the system lever annunciator to indicate the cau se of the system bypass or inoperability.
A switch is provided for manual act uation of each system level a nnunciator to allow display of those bypass or inoperable conditions which are expected to occur at a frequency less than once per year and are not automatically indicated.
Typically, the following bypasses or inoperabilitie s cause actuation of system level (and component level) annunciati on for the affected system:
- a. Pump motor breaker not in operating position,
- b. Loss of pump motor control power,
- c. Loss of motor-operated valv e control power/motive power,
- d. Logic power failure,
- e. Logic in test,
- f. Position of remote-manual valves which do not receive automatic alignment signals, and
- g. Bypass or test switches actuated.
The manually induced inoperable or bypass condition of an auxiliary supporting system, typically, also results in the loss of function (immediate or dela yed) of another safety-related or important-to-safety system. To ensure that the operators recogni ze that more th an one system may be out-of-service, typically , an inoperable or bypassed aux iliary support system will not only cause actuation of the auxiliary support sy stem, system-level annunc iator, but also will cause the actuation of the system-level annunciator of the suppor ted system. The exception to this typical design is the dies el generator system, the batter y system, and the standby service water system. For these three systems, an i noperable or bypass condition will not result in the actuation of the supported systems, system-lev el annunciators. Howe ver, component-level indicating lamps will be actuated at each of the supported system locations to alert operators of the auxiliary system out-of-service condition.
These three systems are not designed to cascade to all the supported systems sin ce each has its own out-of-servi ce annunciation. This design reduces potential operator confusion and also dist raction that may occur during a transient or accident event.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 LDCN-09-011 7.1-10 Regulatory Guide 1.63 (October 1973)
All containment electrical penetration assemblies used for circuits routed into primary containment are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent vs. time conditions, assuming a single failu re of the circuit primary overcurrent protecti on apparatus. See also Sections 7.1.2.3 (IEEE 336), 1.8 , 3.8.6 , and 8.1.5.2.
Regulatory Guide 1.68 (November 1973)
Plant preoperational and initia l startup test program requi rements are discussed in Section 14.2.7.
Regulatory Guide 1.73 (January 1974)
Auxiliary equipment associated with valve operators are tested in accordance with the requirements of Regulatory Guide 1.73. Design service conditions are implemented in the tests. Conservative values of the environmental variables dur ing and after a design-basis accident are used in the tests to ensure that the testing is carried out u nder more severe environmental conditions than those expected.
Regulatory Guide 1.75 (January 1974)
Regulatory Guide 1.75 is not applicable to the Columbia Generating St ation (CGS) design.
However, a complete description of the CGS physical and electrical separation criteria is discussed in Section 8.3.1.4.
Regulatory Guide 1.80 (June 1974)
Plant preoperational testing of instrument air systems is discussed in Sections 14.2.7 and 14.2.12.
Regulatory Guide 1.89 Revision 1 (June 1984)
Regulatory Guide 1.89 Revi sion 1 is applicable to the CGS design as clarified in Sections 1.8.2 and 1.8.3. Qualification of Class 1E e quipment is discussed in Section 3.11.
7.1.2.5 Instrument Errors
The design of each safety-related system considers instrument drift, setability, and repeatability in the selection of I&C in the determination of setpoints. Adequate margin between safety limits and instrument setpoints is provided to allow for instrument error. The allowable values are listed in the Technical Specifications. The Licensee Contro lled Specifications (LCS) also C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 7.1-11 contain information related to in strument setpoint determinati ons. The amount of instrument error is determined by test a nd experience. The setpoint is selected based on these known errors. The surveillance frequency is increased on instrumentation that demonstrates a tendency to drift or decreased based on stable performance characteristics.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.1-1 Design and Supply Responsibility of Safety-Related and Safe Shutdown Systems System GE Design GE Supply B&R Design Others Supply LDCN-05-009 7.1-13 Reactor Protection Trip X X Engineered Safety Feature Emergency core cooling X X X High-pressure core spray Automatic depressurization Low-pressure core spray Residual heat removal low pressure coolant injection Primary containment and reactor vessel isolation control X X X X Process radiation monitoring (portion used for PCRVICS)
X X X X Standby service water X X X X Main control room hea ting, ventilating, and air conditioning X X Containment atmosphere control X X Reactor building ventilation and pressure control X X Standby gas treatment X X Residual heat removal system containment spray cooling mode X X X Residual heat removal system suppression pool cooling mode X X Containment instrument air X X Systems Required for Safe Shutdown Reactor core isolation cooling X X Standby liquid control X X Residual heat removal system reactor shutdown cooling mode X X Remote shutdown X X X X Safety-Related Display Instrumentation X X X X C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.1-1 Design and Supply Responsibility of Safety-Related and Safe Shutdown Systems (Continued)
System GE Design GE Supply B&R Design Others Supply 7.1-14 All Other Leak detection (part of ESF) X X X X Process radiation monitoring X X X X Neutron monitoring X X Intermediate range monitor Average power range monitor Local power range monitor Primary containment atmosphere monitoring X X Recirculation pump trip X X Spent fuel pool cooling and cleanup X X Suppression pool temperature monitoring X X C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.1-2 Safety-Related Systems Similarity to Licensed Reactors Instrumentation and Controls (System) Plants Applying for or Having Construction Permit or Operating License
Design LDCN-05-009 7.1-15 Reactor protection system Zimmer-1 Identical Primary containment and reactor vessel
isolation control system Zimmer-1 Identical Emergency core cooling systems Zimmer 1 Identical Neutron monitoring system LaSalle Identical Process radiation monitoring system Zimmer-1 Identical Reactor building ventilation and pressure control system None Main control room heating, ventilating, and air conditioning system None Standby service water system None Containment atmosphere control system Zimmer-1 Identical Reactor core isolation cooli ng system Zimmer-1 Identical Standby liquid control system Zimmer-1 Identical Primary containment atmospheric monitoring system None Leak detection system None Residual heat removal system - reactor shutdown cooling mode Zimmer-1 Identical Fuel pool cooling and cleanup system None Standby gas treatment system None Safety-related display instrumentation Zimmer-1 Identical Containment instrument air system None Reactor building closed cooling water system None C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.1-2 Safety-Related Systems Similarity to License d Reactors (Continued)
Instrumentation and Controls (System) Plants Applying for or Having Construction Permit or Operating License
Design 7.1-16 Residual heat removal system -
containment spray cooling mode Zimmer-1 Identical Remote shutdown system Zimmer-1 (a) Recirculation pump trip Zimmer-1 Identical Residual heat removal system -
suppression pool cooling mode Zimmer-1 Identical a The number of valves controlled is slightly different due to differences in the necessary shutdown capability.
Table 7.1-3 Codes and Standards Applicability Matrix
NMS
PROCESS RAD MON. MAIN CONTROL ROOM HVAC EMERG SWGR RM
SERVICE WATER SYSTEM
CONTAIN.
ATMOS.
MON.
LEAK DETEC.
SYSTEMS RHR SHUT-DOWN COOL.
MODE
SFPCS
MSIVLCS (DEACTI-VATED)
SAFETY-RELATED DISPLAY RHR CONT.
SPRAY COOL MODE
REMOTE SHUT-DOWN
POOL COOL.
MODE
ATWS ARI C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORTDecember 2007LDCN-05-009 7.1-17 GDC 1 X X X X X X X X X X X X X X X X X X X X X X 2 X X X X X X X X X X X X X X X X X X X X X X 3 X X X X X X X X X X X X X X X X X X X X X X 4 X X X X X X X X X X X X X X X X X X X X X X 10 X X 12 X 13 X X X X X X X X X X X X X X X X X X X X X X 15 X X X 19 X X X X X X X X X X X X X X X X X X X X X X 20 X X X 21 X X X 22 X X X 23 X X X 24 X X X 25 X X 26 X X X X X X 28 X 29 X X X 33 X 34 X X X X 35 X X X 37 X X X 38 X X X X X 40 X X X 41 X 43 X X 44 X 46 X 50 X 54 X X X X X X X X X 55 X X X X X X X X 56 X X X X X X X 57 60 X X X 61 X X X Table 7.1-3 Codes and Standards Appli cability Matrix (Continued)
NMS
PROCESS RAD MON. MAIN CONTROL ROOM HVAC EMERG SWGR RM
SERVICE WATER SYSTEM
CONTAIN.
ATMOS.
MON.
LEAK DETEC.
SYSTEMS RHR SHUT-DOWN COOL.
MODE
SFPCS
MSIVLCS (DEACTI-VATED)
SAFETY-RELATED DISPLAY RHR CONT.
SPRAY COOL MODE
REMOTE SHUT-DOWN
POOL COOL.
MODE
ATWS ARI C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORTDecember 2009LDCN-09-011 7.1-18 GDC 62 X 63 X 64 X IEEE 279-1971 X X X X X X X X X X X X X X X X X X X 323 Note 1 X X X X X X X X X X X X X X X X X X X 336-1971 X X X X X X X X X X X X X X X X X X X 338-1975 X X X X X X X X X X X X X X X X X X X
344 Note 1 X X X X X X X X X X X X X X X X X X X 379-1972 X X X X X X X X X X X X X X X X X X 384-1974 X X X X X X X X X X X X X X X X X X X RG 1.6 3/10/71 X RG 1.11 2/17/72 X X X X X X X RG 1.22 2/17/72 X X X X X X X X X X X X X X X X X X X RG 1.29 9/78 X X X X X X X X X X X X X X X X X X X RG 1.30 8/72 X X X X X X X X X X X X X X X X X X X RG 1.45 5/73 X X RG 1.47 5/73 X X X X X X X X X X X X X X X X X RG 1.53 6/73 X X X X X X X X X X X X X X X X X X RG 1.62 10/73 X X X X X X X X X X X X X X RG 1.68 11/73 X X X X X X X X X X X X X X X X X X X RG 1.73 1/74 X X X RG 1.80 6/74 X X X X X X RG 1.89 Note 2 X Note 1: For a discussion of the degree of conformance to codes and standards listed see the individual system analysis portions of Sections 7.2 through 7.6. Note 2: Only applicable to Safety Related Display Instruments.
C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 7.2-1 7.2 REACTOR PROTECTION (TRIP) SYSTEM 7.
2.1 DESCRIPTION
The reactor protection system (RPS) is designe d to cause rapid insertion of control rods (scram) to shut down the reactor when speci fic variables exceed predetermined limits.
7.2.1.1 Reactor Protection System Description Schematic arrangements of RPS mechanical e quipment and information displayed to the operator are shown in Figure 7.2-1. The RPS component control logic is shown in Figure 7.2-2. The RPS instrumentation is listed in Table 7.2-1. The RPS channel and logic arrangement are shown in Figure 7.2-3. The RPS actuators and l ogic arrangement are shown in Figure 7.2-4. Trip system logic is shown in Figure 7.2-5. Sensor input arrangements are shown in Figures 7.2-6 , 7.2-7 , 7.2-8 , 7.2-9 , and 7.2-10. The RPS instrumentation is divided into sensor trip channels, trip logic, and trip actuator logic.
During normal operation, all sens or contacts and trip contacts essential to safety are closed; channels, logic, and actuators are energized.
There are at least four sensor trip channels for each variable. The sensor trip channels are designated as A1, A2, B1, and B2. Each sensor trip channel is associated with the trip logic of the same designation.
Trip actuator logics A1 and A2 (trip system A) outputs are combined in a one-out-of-two logic
arrangement to control the "A" pilot scram valv e solenoid in each of the four rod groups (a rod group consists of a pproximately 25% of the total of cont rol rods). Trip actuator logic B1 and B2 (trip system B) outputs control the "B" pilot scram valve solenoids in each of the four rod groups.
When a sensor trip channel contact opens, the trip logic deenergizes the trip actuator logic which deenergizes the pilot scram valves associated with that trip actuator logic. However, the other pilot scram valves for each rod must also be deenergized before the scram valves provide
a reactor scram.
There are two pilot scram valves and two scram valves for each control rod. Each pilot scram valve is solenoid operated, with the solenoids normally energized. The pilot scram valves control the air supply to the scram valves for each control rod.
With either pilot scram valve energized, air pressure holds th e scram valves closed. The sc ram valves control the supply and discharge paths for control rod drive (CRD) water.
C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 7.2-2 When both actuator logic A1 or A2 and B1 or B2 are tripped, air is vented from the scram valves and allows CRD water to act on the CRD piston. Thus, a ll control rods are scrammed. The water displaced by the movement of each r od piston is exhausted into a scram discharge volume (SDV).
To restore the RPS to normal operation following any single actuator logic trip or a scram, the trip actuators must be reset manually. After a 10-sec delay reset is possible only if the conditions that caused the scram have been cleared. The trip actuators are reset by operating switches in the main control room. Two reset push button switches (A1/B1 and A2/B2) are provided.
There are two 125-V dc solenoid-operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoid for either backup scram valve is energized , the associated b ackup scram valve vents the air supply for the scram valves. This action in itiates insertion of any withdrawn control rods regardless of the action of the scram pilot valv es. The backup scram valves so lenoids are energized (initiate scram) when trip logic A1 or A2 and B1 or B2 are both tripped.
The RPS receives power from two high inertia ac motor generator (MG) sets. A flywheel provides high inertia sufficient to maintain voltage and frequency within 5% of rated values for at least 1 sec following a momentary loss of power to the drive motor (see Section 8.3.1.1.6).
Alternate power is available to each RPS bus and is manually switched to the bus as necessary for maintenance of the RPS MG sets. The alternate power switc h is interlocked to prevent simultaneous feeding of both buses from the same source. The switch al so prevents paralleling of an MG set with the alternate supply.
The RPS is designed to use a fail-safe logic and actuation scheme. Therefore, the power supplied by the RPS MG sets to hold RPS components energized is expendable and considered non-safety-related. However, to ensure that overvoltage, unde rvoltage, or un derfrequency do not damage safety-related components within the RPS, two series redundant Class 1E bus monitoring and tripping de vices are provided between the RPS bus and each of the non-Class 1E power sources. These devices trip whenever the voltage and frequency exceed predetermined limits (see Figure 8.3-2 and Section 8.3.1.1.6). An electrical protection assembly (EPA) consisting of Class 1E pr otective circuitry is installed between the RPS and each of the power sources, which consists of two MG sets and alternate voltage supplies. The EPA pr ovides redundant protection to th e RPS and other systems which receive power from the RPS buses by acting to disconnect the RPS from the power source circuits. See Figure 7.2-11.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-17-001 7.2-3 Sensor trip channel inputs to the RPS causing reactor scram are discus sed in the following paragraphs.
7.2.1.1.1 Neutron Mo nitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and initiates a reactor scram when predetermined limits are exceeded.
Neutron monitoring system instrume ntation is described in Section
7.6. Figure
7.2-6 clarifies the relationship between neutron monitoring syst em (NMS) channels, NMS logic, and the RPS logic. The NMS sensor channels are considered to be part of the NMS and not the RPS; however, the NMS logic channels are considered to be part of the RPS. Each NMS logic channel receives signals from one intermediate range monitor (IRM) channel and one average power range monitor (APRM) channel.
The NMS logic is arranged so that failure of any one logic channel cannot prevent the initiation of a high neutron flux or simulated thermal power scram. As shown in Figure 7.6-3 , there are eight NMS logic channels associ ated with the RPS. Each RP S logic channel receives inputs from two NMS logic channels.
The source range monitors (SRMs) are not credited to perform a ny safety function in the plant design basis transients. For th at reason, the trip signal inputs from the SRMs are normally removed from the RPS circuitry by the installation of "shorting links". With the "shorting links" installed, the SRM indication and rod block remain fully operable but the SRM trip is bypassed.
The "shorting links" are required to be removed to support performan ce of shutdown margin testing in Mode 5 under Limiting Condition fo r Operation (LCO) 3.10.
8, "Shutdown Margin (SDM) Test - Refueling." The removal of the "shorting links" during this testing provides a noncoincident NMS trip when any SRM exceeds the high-high flux trip setpoint, any IRM exceeds the high flux trip setpoint. The remova l of the "shorting links" is required to be verified within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> prior to placing the Mode switch into the startup/hot standby position and at least once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> during the time th e Mode switch is in the startup/hot standby position when in Mode 5.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.2-4 7.2.1.1.1.1 Intermedia te Range Monitors. The IRMs m onitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors are
positioned in the core remotely from the control room.
The IRM is divided into two groups of four IRM cha nnels arranged in the core as shown in Figure 7.6-8. Two IRM channels are associated with each of the trip logic channels of the RPS. The arrangement of IR M channels allows one IRM ch annel in each group to be bypassed without compromising the IRM trip function.
The NMS scram logic trip contacts for IRM can be bypassed by selector switches located on the reactor control benchboard in the main control room. The IRM channels A, C, E, and G bypasses are controlled by one sele ctor switch. Channels B, D, F, and H are controlled by a second selector switch. Each selector switch will bypass only one IRM channel at any time.
Bypassing an IRM channel will not inhibit the NMS from providing a pr otective action when required. Each IRM channel includes four trip circuits. On e trip circuit is used as an instrument trouble trip. It operates on four conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, (3) loss of negative 15-V dc, or (4) the IRM not in the OPERATE position. Each of the other trip circuits is specified to trip when preset downscale or upscale levels are reached.
The reactor mode switch determ ines whether IRM trips are ef fective in initia ting a reactor scram. With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates an NMS trip of the RPS. At least one IRM channel in each RPS trip system must trip to cause a scram.
7.2.1.1.1.2 Average Power Range Monitors.
There are four APRM ch annels. Each APRM channel consists of an APRM instrument, 2/4 logic module, quad low voltage power supply, local power range instrument, and a calibrati on/monitoring panel.
The APRM channels receive and average input signals from the lo cal power range monitor (LPRM) channels and provide a continuous indication of average reacto r power from a few per cent to greater than rated reactor power.
The APRMs supply neutron flux hi gh, simulated thermal power, a nd INOP trip signals to the 2-Out-of-4-Voters. The outputs from all four APRM channels instruments go to each 2-Out-of-4-Voter (logic) module. Each of the 2/4 l ogic modules interface to one of the four RPS input channels (A1, A2, B1, and B2). The trip outputs from all four APRMs are sent to each 2/4 logic module, such that each input sent to the RPS is a voted result of all four APRMs. A trip output to the RPS is provided when at least two of the same type of trip inputs is in a tripped state for at leas t two non-bypassed ARPMs.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.2-4a APRM channel instrumentation trip inputs to the 2/4 logic modules can be bypassed by a single fiber optic selector switch on the reactor contro l benchboard in the main control room. Each 2/4 logic module is designed to receive a fiber optic bypass of its "home" APRM instrument.
The state of that bypass signal is retransmitted to the other 2/4 logic modules in an isolated manner. Each 2/4 logic module will bypass the appropriate channel tr ip inputs when a bypass signal is active (modulated light is detected) for the APRM ch annel. Each 2/4 logic module will provide trip outputs to RPS as a voted result of the three unbypassed APRMs when one channel is bypassed, resulting in a 2/3 logic configuration. Bypassing an APRM will not inhibit NMS from performing its safety functi on. If a bypass indication from more than one APRM channel is received, none of the APRM inputs to the 2/4 logic modules will be bypassed and a trouble alarm will be generated by the "home" APRM.
Each APRM channel receives an independent flow signal input from each of the two recirculation loops and determines the total recirculation driving flow by summing these loop flow inputs. A total of eight l oop flow signals are sensed from f our pairs of elbow taps. Each pair has an elbow tap in each recirculation loop.
Total recirculation flow rate is calculated by each APRM chassi s by adding the flow values for each loop to obtain total flow. The total flow value is used to pro duce flow biased APRM scram and APRM rod bloc k setpoint values increase propor tionally with total recirculation flow rate. The total recirculation flow is also used in the OPRM enable logic.
The LPRM signals are averaged to achieve an APRM flux value. The APRM flux value is then adjusted by a manually ente red or digitally transferred gain factor to allow calibration of the APRM. The APRM power is processed through a first order filter with a six second time constant to calculate simulated thermal power. Each APRM channel also calculates a flow signal that is used to determine the APRM's flow -biased rod bl ock and scram setpoints. The APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip se tpoint with recirculati on flow changes. These calculations are all performed by the digital proce ssor and results in a digital representation of APRM and simulated thermal pow er, and of the flow-biased rod block and scram setpoints.
At least one APRM voter in each trip system of the RPS must trip to cause a scram. A simplified circuit arrangement is shown in Figure 7.6-11. Each APRM also includes an Oscillation Po wer Range Monitor (OPRM)
Upscale function.
The OPRM Upscale Function receives input signals from the LPRMs within the reactor core, which are combined into the "cells" for evaluation by the OP RM algorithms. Upon detection of thermal hydraulic oscillations, the OPRM initiates an automatic RPS trip signal (see Section 7.6.1.4.4).
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 7.2-5 In addition to the IRM upscale trip, a fast response APRM trip function with a setpoint of 15% power is active when the reactor mo de switch is in the "startup" position.
Diversity of trip initiation for excursions in reactor power is provided by the NMS trip signals and reactor vessel high pressure trip signals. An increase in reactor power will initiate protective action from the NMS as discussed above. This increase in power will cause reactor pressure to increase due to a higher rate of st eam generation with no change in turbine control valve position resulting in a trip from reactor vessel high pressure. These variables are independent of one another and provide diverse protec tive action for this condition.
7.2.1.1.2 Reactor Vessel Pressure
A reactor vessel pressure increase during reactor operation compresses the steam voids and results in increased reactivity; this causes increased core heat generation that could lead to fuel failure and system overpressuri zation. A scram counteracts a pressure increase by quickly reducing core fission heat ge neration. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure.
The reactor vessel high pressure scram setting also protects the core from exceeding therma l hydraulic limits that result from pressu re increases during events that occur when the reactor is operating below rated power and flow.
Reactor pressure is monitored by four redundant pressure switches, ea ch of which provides a reactor high pressure signal input to one of the four RPS sensor trip channels.
7.2.1.1.3 Reactor Vessel Water Level
Decreasing water level while the reactor is operating at power decreases the reactor coolant.
Should water level decrea se too far, fuel dama ge could result as steam voids form around fuel rods. A reactor scram reduces the fission heat generation within the core.
Reactor vessel water level is monitored by four redundant differ ential pressure switches each of which provides a reactor vesse l low water level (trip level 3) signal input to one of the four RPS sensor trip channels.
Diversity of trip initiation for breaks in th e reactor coolant pressure boundary (RCPB) is provided by reactor vessel low water level trip signals and high drywell pressure trip signals.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.2-6 7.2.1.1.4 Turbine Throttle Valve Position
With the reactor above 29.5% pow er, generator load rejection or a turbine trip will initiate closure of the turbine throttle valve which can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine throttle valve closure scram initiates a scram earlier than either the NMS or reactor vessel high pressure to provide required margin below core th ermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inse rting negative reactivity with control rods.
Although the reactor vessel high pressure scram, in conjuncti on with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine throttle valve closure scram provides additional margin to the reactor vessel pressure limit.
Turbine throttle valve closure inputs to the RPS originate from eight redundant valve stem position switches mounted on the four turbine th rottle valves. Each of the switches opens before the valve is more than 10% closed to pr ovide the earliest positive indication of closure. Each switch provides an input signal to one of th e four RPS sensor trip channels. The logic is arranged so that closure of thr ee or more valves is required to initiate a scram. The switches are arranged so that no single failure can prev ent a turbine throttle valve closure scram.
Diversity of trip initiation for in creases in reactor ve ssel pressure due to termination of steam flow by turbine throttle valve or governor valve closure is provided by reactor vessel high pressure and high neutron flux trip signals.
Turbine throttle valve cl osure trip bypass is effected by four pressure switches sensing turbine first stage pressure. The turb ine throttle valve closure scram is automatically bypassed if the turbine first stage pressure is less than that corresponding to 29.5% of rated reactor power.
The bypass is automatically removed above 29.5% of reactor power.
7.2.1.1.5 Turbine Gove rnor Valve Position
Generator load rejection or a turbine trip w ith the reactor above 29
.5% power automatically initiates fast closure of the turb ine governor valves which results in a significant addition of positive reactivity to the core as nuclear system pressure rises.
The turbine governor valve fast closure scram initiates a scram earl ier than either the NMS or nuc lear system high pressure to provide required margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts th e addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the nuclear system high pressure scram, in conjunction with the pressure relief system, is adequate to
preclude overpressurizing the nuclear system, the turbine governor valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine governor valve fast closure scram setting is selected to provide timely indication of governor valve fast closure.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 7.2-7 Turbine governor valve fast clos ure inputs to the RPS originate fr om oil line pressure switches on each of four fast acting governor valve hydraulic mechanis ms. Each pressure switch provides an input signal to one of the four RPS sensor trip channels. If hydraulic oil line pressure is lost, a turbine governor va lve fast closure scram is initiated.
Automatic turbine governor valv e fast closure scram bypass is provided as described above for the turbine throttle valve.
7.2.1.1.6 Main Steam Line Isolation Valves Position The main steam line isolation valve (MSIV) closure can resu lt in a significant addition of positive reactivity to the core as nuclear system pressure rises.
Two redundant position switches mounted on each of the eight MSIVs provide an MSIV closure signal to the RPS. Each of the switches is arranged to open befo re the valve is more than 10% closed to provide the earliest posit ive indication of closure. Either of the two channels sensing isolation valv e position can signal valve closure.
Each RPS sensor trip channel logic receives signals from the valves associated with two steam lines. The arrangement of signals within each lo gic requires closing of at least one valve in each of the two steam lines associated with that logic to cause a trip of that logic. Closure of at least one valve in three or more steam lines is required to initiate a scram.
At plant shutdown and during initial plant startup, a bypass is required for the MSIV closure scram trip to properly reset the RPS. This bypass is in effect when reactor pressure is less than scram setpoint pressure and the mode switch is in the shutdown, refuel, or startup position. The bypass allows plant operation when the MSIVs are closed during low power operation. The operating bypass is removed when the mode switch is placed in RUN.
Diversity of trip initiation due to main steam isolation is provided by reactor vessel high pressure and reactor power trip signals.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-14-003 7.2-8 7.2.1.1.7 Scram Discharge Volume Water Level Water displaced by the CRD pistons during a scram goes to the SDV. If the SDV fills with water so that insufficient capac ity remains for the water displa ced during a scram, control rod movement would be hinde red during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is hi gh enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the discharge volume can accommodate a scram.
Two transmitter/level switches (non-indicating) and two transmitt er/level indicating switches directly connected to each of two instrument vol umes monitor the volumes for abnormal level. They provide redundant a nd diverse input to the RPS scram function. One transmitter on each instrument volume also provides input for th e control room annunc iation and control rod withdrawal block function. The four level switches and the four level indicating switches are interconnected (one of each per trip channel) with the RPS syst em and initiate a reactor scram on high water level while suffic ient volume for full scram still exists within the SDV. To provide diversity for the RPS function the two transmitters per channel use a different sensing operating principle and have a different transmitter manufacturer. The level switches and the level indicating switches in each channel are also from different manufacturers. This arrangement provides diversity, as well as redundancy, to ensu re that no single event can prevent a scram caused by SDV high water level.
A scram is automatically initiated when sufficient capacity still remains in the discharge volume to accommodate a scram.
The SDV high water level trip bypass is controlled by the manual operation of two key-locked switches, a bypass switch, and the mode switch. The mode switch must be in the shutdown or refuel position to allow ma nual bypass of this trip. This bypa ss allows the opera tor to reset the RPS scram relays so that the SD V may be drained. Resetting th e trip actuators opens the SDV vent and drain valves. An annunciator in the main cont rol room indicates the bypass condition.
7.2.1.1.8 Drywell Pressure High pressure inside the drywell may indicate a break in the RCPB. Scram is initiated to minimize the possibility of fuel damage. Drywell pressure is monitored by f our redundant pressure switches. Each switch provides an input to one of the four RPS sensor trip channels.
7.2.1.1.9 Manual Scram A scram can be initiated manually. There are four scram switches, one for each of the four RPS trip logic channels. The manual scram switches are arranged in two groups of two switches. One group contains the A1 and B1 switches and the other group contains the A2 and B2 switches. To initiate a manual scram, at least two switches in a group must be depressed. By operating the ma nual scram switch for one logic channel at a time and then resetting that logic, each actuator logic can be tested for ma nual scram capability.
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-9 7.2.1.1.10 Reactor M ode Switch Manual Scram Even though the action is not a safety function, reactor scram can be initiated by placing the mode switch in the shutdown position. The mode switch consists of four independent banks of contacts. A shutdown position c ontact from each of the four ba nks is a scram input to the associated RPS trip logic channel. The relationship of the reactor mode switch position and its scram function is shown in Figure 7.2-2.
The scram signal, initiated by placing the mode switch in the shutdown position is automatically bypassed after 10 sec by a timer which allows th e CRD hydraulic system valve lineup to be restored to normal before the control room operator can reset the RPS logic.
7.2.1.2 Design Basis
The RPS is designed to provide timely protection against the onset and cons equences of conditions that threaten the integrity of the fuel barrier and the RCPB.
Chapter 15 identifies and evaluates events that jeopa rdize the fuel barrier and RC PB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are presented in that chapter. Variables are monitored to provide protective actions to the RPS indicating the need for reactor scram.
7.2.1.2.1 Variables Monitored to Provide Protective Actions
- a. NMS trip,
- b. Reactor vessel system high pressure,
- c. Reactor vessel low water level,
- d. Turbine throttle valve closure, e. Turbine governor valve fast closure, f. Main steam line isolation,
- g. SDC high level, and
- h. Drywell high pressure.
The plant conditions that re quire protective action involvi ng the RPS are described in Chapter 15.
7.2.1.2.2 Location and Mini mum Number of Sensors Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and locations of sensor s is discussed in the following.
The other requirements are fulfilled throu gh the combination of logic arrangement.
Two transient analyses are us ed to determine the minimum number and physical location of required LPRMs for each APRM.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.2-10 The first analysis is performed with operating conditions of 100%
reactor power and 100% recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed fr om the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.
The second analysis is performed with ope rating conditions of 100% reactor power and 100% recirculation flow using a re duction of recirculation flow at a fixed design rate. Again, LPRM detectors are mathematically removed fr om the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.
The number of LPRM detector signa ls available as inputs to an APRM channel shall satisfy the following criteria:
- a. The number of operable LPRM detector inputs shall be at least 20. The PRNM provides an alarm and rod block. CGS enforces operability administratively. b. The number of operable LPRM detector i nputs per core axial level (A, B, C, or D) shall be at least 3. The PRNM provides an alarm and rod block. CGS enforces operability administratively. c. The number of LPRM detector input s that have become inoperable (and bypassed) since the most recen t APRM calibration shall be less than 10. This requirement is enforced by administ rative means and the Operation and Maintenance (O&M) Manual.
7.2.1.2.3 Prudent Operational Limits
Limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the release of radioactive materials following postulated gross failures of the fuel or the RCPB is kept within acceptable bounds. Design basis operational limits, as listed in the Technical Specifi cations, are based on operating experience and c onstrained by the safety design basis and the safety analysis. The selection of tentative scram tr ip settings has been develope d through analytical modeling, experience, historical use of in itial setpoints, and adoption of new variab les and setpoints as experience was gained. The initi al setpoint selection method provided for settings which were sufficiently above the normal opera ting levels (to preclude the possi bilities of spurious scrams or difficulties in operation), but low enough to protect the fuel and pr essure barrier. As additional information becomes available or systems are change d, additional scram variables are provided using the above met hod for initial setpoint selection. The selected scram settings are analyzed to verify that th ey are conservative and that the fuel, fuel barriers, and nuclear system process barriers are adequately protected. In all cases, the specifi c scram trip point selected is a conservative valu e that prevents damage to th e fuel or RCPB, taking into consideration previous operating experience and the analytical models.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 7.2-11 7.2.1.2.4 Margin The margin between operational limits and the limiting conditions of operation (scram) for the RPS are those parameters listed in the Technical Specifications. Annunc iators are provided to alert the reactor operator of the onset of unsafe conditions.
7.2.1.2.5 Levels Levels requiring protective action are specified in the Technical Specifications. These levels are design basis limits and are pr ovided in the Technical Specif ications as allowable values.
7.2.1.2.6 Malfunctions, Accidents, and Other Unusual Ev ents Which Coul d Cause Damage to Safety Systems Unusual events are defined as malfunctions, acci dents, and others which could cause damage to safety systems. Chapters 3 , 6 , 9 , 15 , and Appendix F describe the following credible accidents and events: floods, st orms, tornadoes, earthquakes, fires, loss-of-coolant accident (LOCA), pipe break outside containment, feedwater line break, and missile
- s. Each of these events is discussed below for the RPS.
All components essential to the operation of th e RPS are designed, fabricated, and mounted to Class 1E standards. However, even though the sensors initia ting reactor scram which monitor turbine throttle valve position and turbine go vernor valve fast cl osure are designed and purchased Quality Clas s 1, Seismic Category I, they are physically mounted on equipment which is not Seismic Category I/Quality Class 1, and are located in the turbine generator building which is not Seismic Cate gory I but has been shown to main tain its structural integrity following an safe shutdown ear thquake (SSE) (see Section 3.8). For this reason other diverse variables (reactor pressure and neutron flux trips), which are Seismic Category I and Quality Cl ass 1, may be relied on for r eactor scram if components in the turbine generator building fail.
7.2.1.2.6.1 Floods. The buildi ngs containing RPS components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. For a discussion of internal flooding protection see Sections 3.4 and 3.6. 7.2.1.2.6.2 Storms and Tornadoes. The buildings containing RPS components, except the turbine generator building, have been designed to withstand all credible meteorological events and tornadoes as described in Section 3.3. 7.2.1.2.6.3 Earthquakes. Th e structures containing RPS co mponents, excep t the turbine building, have been seismically qua lified as described in Sections 3.7 and 3.8 and will remain functional during and following a SSE. However, as stated previously, other diverse variables (reactor pressure and neutron flux trips) may be re lied on for reactor scram if components in the turbine generator building fa il. The design features that prevent the following postulated C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 7.2-12 failures of turbine throttle and governor valve cl osure signals to the RP S during a seismic event from affecting other channels of the RPS from performing as required are the following:
- a. Shorts to ground: Each trip functi on input circuit to the RPS is individually fused to prevent degradation of other ch annels if a short to ground occurs on one channel. This protection also app lies to the turbine throttle and governor valve closure trip inputs to the RPS. Therefore, a short to ground would be interrupted by the protective fuses eliminating any inter action or degradation of other channels, as well as resulting in a channel trip due to "fail-safe" logic;
- b. Opens: The normal operating state of the RPS trip inputs is a closed contact condition. Therefore, an open in an RPS input channel circuit would result in failure in the safe direction causing a trip of that channel wi th no degradation or interaction with other channels; and
- c. Hot shorts: Reactor protection syst em cabling that is routed from trip instrumentation through the turbine generator building is enclosed in conduit. Each trip channel has a sepa rate and dedicated conduit.
Therefore, hot shorts would be confined to one channel of trip instrumentation a nd would not degrade or interact with othe r protective channels.
7.2.1.2.6.4 Fires. To protect the RPS in the event of a postulated localized raceway or panel fire, the RPS trip logics have been divided into four separate sections within two separate RPS panels. The sections within a panel are isolated by electrical separa tion barriers. If a fire were to occur within one of the secti ons or in the area of one of th e panels, the RPS functions would not be prevented by the fire. The use of se paration and barriers ensures that, even though some portion of the system may be affected, the RPS will con tinue to provide the required protective action. See Appendix F for a discussion of Appendix R fire effects on the RPS.
Within the control room Power Generation Cont rol Complex (PGCC) (underfloor cable routing ducts) heat detectors and products of combustion detectors ar e provided to initiate a Halon fire suppression system.
Throughout main plant areas, re dundant RPS cables are routed in separate race way divisions sufficiently separated such that a fire cannot affect more than one RPS division.
7.2.1.2.6.5 Loss-of-Coolant Accident. The following RPS system components are located inside the drywell and would be subject to the effects of a design basis LOCA:
- a. NMS cabling from the detector s to the main control room, b. MSIV (inboard) position switches, c. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines, which terminate outside the drywell, and C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-13 d. Drywell pressure instrument taps.
These items have been environm entally qualified to remain functional during and following a LOCA as discussed in Section 3.11. 7.2.1.2.6.6 Pipe Break Outside Primary Containment. Prot ection for pipe break outside primary containment is described in Section 3.6. 7.2.1.2.6.7 Missiles.
Missile protection for RPS com ponents is described in Section 3.5. 7.2.1.2.7 Minimum Perf ormance Requirements
Minimum performance requirement s for RPS instrumentation and controls are provided in the Technical Specifications.
7.2.1.3 Final System Drawings
Functional and architectural de sign differences between the PSAR and FSAR are listed in Table 1.3-8.
7.2.2 ANALYSIS
The RPS is designed such that loss of plant instrument air, a plan t load rejection, or a turbine trip will not prevent the completion of the safety function.
7.2.2.1 Conformance to 10 CFR 50, Appendix A - General Design Criteria
The following is a discussion of conformance to those General Design Criteria (GDC) which apply specifically to the RPS. See Section 3.1 for a discussion of GDC that apply equally to all safety-related systems.
GDC 12 - Suppression of React or Power Oscillations
The system design provides protection from excessive fuel cladding temperatures and protects the RCPB from excessive pressu res which threaten th e integrity of the system. Abnormalities are sensed, and if protection system limits are reached, corrective action is initiated through an automatic scram.
GDC 15 - Reactor Coolant System Design
The RPS provides sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including antic ipated operational C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-14 occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits.
GDC 20 - Protection System Functions
The RPS monitors the appropriate plant variable s to maintain the fuel barrier and RCPB and initiates a scram automatically when the variables exce ed predetermined limits.
GDC 21 - Protection System Reliability and Testability The RPS is designed with two gr oups of redundant sensor channels and four independent and separated output channels. No single failure can prevent a scra m and removal from service of any component or channel will not result in loss of required minimum redundancy.
GDC 22 - Protection System Independence The redundant portions of the RPS are separated such that no singl e failure or credible natural disaster can prevent a scram, except the turbine scram inputs which originate from the Seismic Category II turbine building. Reactor pressure and power are diverse to the turbine scram variables. In addition, dryw ell pressure and vessel water level are diverse variables.
GDC 23 - Protection System Failure Modes The RPS is designed (including logic and actuated devices) to be fail safe. A complete loss of electrical power or air supply will result in a reactor scram. Postulated adverse environments will not prevent a scram.
GDC 24 - Separation of Protection and Control Systems The RPS has no direct interaction with any pl ant control system. However, the RPS does receive inputs from the reactor mode switch and the NMS which also provide inputs to plant control systems through isolation devices.
GDC 25 - Protection System Requirements for Reactivity Control Malfunctions The RPS provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Any monitored variable which exceeds the scram setpoint will initiate an auto matic scram and not impair the remaining variables from being monitored, and if one channel fails the remaining portions of the RPS will function.
GDC 29 - Protection Against Anticipated Operational Occurrences
The RPS is highly reliable and will provide a reactor scram in the event of anticipated operational occurrences.
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-15 7.2.2.2 Conformance to IEEE Standards
The following is a discussion of conforman ce to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, that applies specifically to the RPS system.
See Section 7.1.2.3 for a discussion of IEEE st andards that apply equally to all safety-related systems.
General Functional Re quirement (IEEE 279-197 1, paragraph 4.1)
The RPS automatically initiates the appropriate protective acti ons whenever the conditions described in Section 7.2.1.1 reach predetermined limits with precision and reliability assuming the full range of conditions and pe rformance discussed in Section 7.2.1.2.
Single Failure Criterion (IEEE 279-1971, paragraph 4.2)
Each of the conditions (varia bles) described in Section 7.2.1.1 is monitored by redundant sensors supplying input signals to redundant trip logics.
Independence of redundant RPS equipment, cables, instrument tubing, etc., is maintained and single failure criteria preserved through the application of the Columbia Generating Station sepa ration criteria as described in Section 8.3.1.4 to ensure that no single credible event can prevent the RPS from accomplishing its safety function.
Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
For a discussion of the quality of RP S components and modules see Section 3.11.
Equipment Qualification (IEEE 279-1971, paragraph 4.4)
Vendor certification requires that the sensors asso ciated with each of the RPS trip variables, manual switches, and trip logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification in conjunction with the existing field experience with these compone nts in this application will serve to qualify these components.
For a complete discussion of RPS equipmen t protection and qualification see Sections 3.5 , 3.6 , 3.10 , and 3.11.
Channel Integrity (IEEE 279-1971, para graph 4.5)
For a discussion of RPS channel integrity under all extremes of conditions described in Section 7.2.1.2, see Sections 3.10 , 3.11 , 8.2.1 , and 8.3.1.
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-16 Channel Independence (IEEE 279-1971, paragraph 4.6)
The RPS channel independence is maintained through the application of the Columbia Generating Station separation criteria as described in Section 8.3.1.4.
Control and Protection System Inter action (IEEE 279-1971, paragraph 4.7)
See Section 7.2.2.1 (GDC24).
Derivation of System Inputs (IEEE 279-1971, pa ragraph 4.8)
The RPS trip variables are direct measures of a reactor overpressure condition, a reactor overpower condition, or a bnormal conditions within th e RCPB except as follows:
Due to the normal throttling action of the turbin e governor valves with changes in the plant power level, measurement of governor valve positi on is not an appropriat e variable from which to infer the desired variable, wh ich is "rapid loss of the react or heat sink." Consequently, a measurement of governor valve closure rate is necessary.
Protection system design practice has discouraged use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determin ing fast closure of the governor valves.
Loss of pressure in the hydraulic oil lines which initiate s fast closure of th e governor valves is monitored. These measurements provide indication that fast closure of the governor valves is imminent.
This measurement is adequate and a proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other av ailable sensors and the difficulty in making direct measurements of governor valve fast-closure rate.
Capability for Sensor Checks (IEEE 279-1971, pa ragraph 4.9)
See Section 7.2.2.3 (Regulatory Guide 1.22).
Capability for Test and Calibra tion (IEEE 279-1971, paragraph 4.10)
See Section 7.2.2.3 (Regulatory Guide 1.22).
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.2-17 Channel Bypass or Removal from Oper ation (IEEE 279-1971, paragraph 4.11)
The MSIV and the turbine throttle valve closure trip variable s have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor.
During periodic tests of any one trip channel, a sensor may be valv ed out of service and returned to service under admini strative control procedures. Si nce only one sensor is valved out of service at any given time during the test interval, protective action capability for RPS automatic initiation is maintained through the remaining redundant instrument channels.
A sufficient number of IRM channels is provided to permit a ny one IRM channel in a given trip system to be manually bypa ssed and still ensure that the remaining operable IRM channels comply with the IEEE 279 single failure design requirements.
One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch perm it only one of the four IRM channels of that trip system to be bypassed at any time. To accomm odate a single failure of this bypass switch, electrical interlocks have also been inco rporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. C onsequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the protection system requirements.
A single manual APRM bypass switch is provided for all four APRM ch annels. This is a mechanical/optical switch that allows only one APRM channel to be bypassed at any time. This interlock is accomplishe d independently in each of th e APRM/OPRM 2-Out-of-4-Voter Channels. With any one APRM channel bypassed, the three remaining operating channels provide the necessary protection of the react or. Bypassing an APRM channel bypasses both the APRM and OPRM trips from that channel.
None of the 2-Out-of-4-V oter channels can be bypassed.
The mode switch produces operati ng bypasses which need not be annunciated because they are removed by normal reacto r operating sequence.
Operating Bypasses (IEEE 279-1971, paragraph 4.12)
For a discussion of RPS opera ting bypasses see Sections 7.2.1.1 and 7.2.1.1.4 through 7.2.1.1.7.
Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
For a discussion of bypass and inope rability indication see Section 7.1.2.4 (Regulatory Guide 1.47).
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-18 Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)
Access to means of bypassing any safety action or safety func tion is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with admi nistrative control of the access to keys, procedurally controlled equipmen t lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional met hods help to prevent inadvertent bypasses or to alert th e plant operators to safety f unction bypasses occurring either from equipment failures or from manually indu ced bypasses that result as part of testing, maintenance, or equipm ent repair activities.
Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is pr ocedurally controlled. When not in use, keys are under the administrative control of the control room supervis or/shift manager and stored in a key locker.
The keys are audited once per day by the control room supervisor/shi ft manager. When operation of a key-locked control sw itch is required to be immediate, such as in the case of the reactor mode switch, the key may be left in the lock during normal pl ant operation to ensure timely actuation.
Multiple Set Points (IEEE 279-1971, para graph 4.15)
There are no multiple setpoints within the RPS.
Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
Once the RPS trip logic is deenergized as a result of a sensor tr ip channel becoming tripped or the depressing of a manual scram push button, the scram contract or seal-in contact opens and completion of protective action is achieved without regard to the state of the initiating sensor trip channel.
After initial conditions (variable trip and logic deenergization) return to normal, deliberate operator action is required to return (reset) the RPS l ogic to normal (energized).
Manual Initiation (IEEE 279-1971, paragr aph 4.17)
See Section 7.2.2.3 (Regulatory Guide 1.62).
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 7.2-19 Access to Set Point Adjust ments, Calibration, and Te st Points (IEEE 279-1971, paragraph 4.18)
During reactor operation, access to setpoint or calibration controls is not possible for the following RPS trip variables: SDV high water level, MSIV closure, and turbine throttle valve closure.
Access to setpoint adjustments, calibration controls, and test points for all other RPS trip variables are under the administrative c ontrol of the control room operator.
Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)
When any one of the redundant RPS trip sensors exceeds its setpoint value, a control room annunciator is initiated to identif y that variable and a printed record is available from the computer work stations.
Information Readout (IEEE 279-1971, paragraph 4.20)
The RPS is designed to provide the operator with accurate a nd timely information pertinent to its status. It does not give anomalous i ndications that would confuse the operator.
System Repair (IEEE 279-1971, paragraph 4.21)
During periodic testing of the RPS sensor cha nnels (except as noted below), the operator can determine defective components and replace them during plant operation.
During reactor operation, the cont rol room operator is able to determine failed sensors for the following RPS trip variables, but subsequent repair can only be accomplished during reactor shutdown: MSIV closure, turbine throttle valve closure, neutron monitoring (APRM) system, and neutron monitoring (IRM) system.
Replacement of IRM and LPRM detectors must be accomplished during plant shutdown.
Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defectiv e instrument channel. The de sign of the syst em facilitates rapid diagnosis and repair.
Identification of Protection Systems (IEEE 279-1971, paragraph 4.22)
The RPS components are identifie d with an RPS designation colo red marker plate. Cabling outside the cabinets is identified specifica lly as RPS wiring. (See also Section 8.3.1.3.) Redundant racks are identified by th e identification marker plates of instruments on the racks.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-14-003 7.2-20 7.2.2.3 Conformance to NRC Regulatory Guides The following is a discussion of conformance to those Regulatory Guides that apply specifically to the RPS. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems.
Regulatory Guide 1.22 (Februar y 1972), Period Testing of Pr otection System Actuation Function The RPS can be tested during reactor operation by the following separate tests:
The manual scram test verifies the ability to deenergi ze the scram pilot valv e solenoids without scram by using the manual scram push button switches. By depressing the manual scram button for one trip logic, the trip actuators are deenergized, opening contacts in the actuator logics.
After the first trip channel is reset, the second trip channel is tripped manually and so forth for the four manual scram buttons. In addition to control room and computer printout indications, scram group indicator lights verify that the actuator contacts have opened and interrupted power to the scram solenoids.
The single rod scram test verifies the capability of each rod to scram.
It is accomplished by operating two toggle switches on the hydraulic control unit for the particular CRD. Timing traces can be made for each rod scrammed.
The sensor test involves applying a test signal to each RPS sens or trip channel in turn and observing that a logic trip results. The test signals can be a pplied to the processing sensing instrumentation (pressure and differential pressure) through calibration taps.
During plant operation, the operator can set th e turbine throttle valv e or main steam line closure logic test switch in test position and actuate the other valve, which completes the respective channel trip with annunciation and computer logging. The operator can then
confirm that the main steam line isolation and turbine throttle valve limit switches operate during valve motion, from full open to full closed and vice versa, by comparing the time that the RPS channel trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fu lly open and fully closed. This test does not confirm the exact setpoint, but does provide the operator with an indication that the limit switch operates between the limiting positions of the valve. During reactor shutdown, calibration of the main steam line isolation and turbine throttle va lve limit switch set point at a valve position of less than or equal to 10% closure is possible by phys ical observation of the valve stem.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.2-21 During reactor operation, a test and calibration of the individual hydraulic oil line pressure sensors associated with turbine control valve fast closur e when the plant is operating above 29.5% of rated power may be accomplished by valving one sensor out-of-service at a time and introducing a test pressure input.
The APRMs are calibrated to reactor power by using a reactor h eat balance and the traversing in-core probe (TIP) system to establish the relative local fl ux profile. The LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined.
The gain adjustment factors for the LPRMs are produced as a result of the computer calculations involving the reacto r heat balance and the TIP flux distributions. The APRM and LPRM gains are adjusted usi ng the instrument's front panel display or accepting the APRM gain calculated from the Percent Core Thermal Power (%CTP) and LPRM Gain adjustment factors that are downloaded from the core m onitoring system. Thes e adjustments, when incorporated into the LPRMs, permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power.
During reactor operation, one manual scram push butt on may be depressed to test the proper operation of the switch and trip logic relay. Once the RPS is reset, th e other switches may be depressed to test their operation one at a time. For each su ch operation, a control room annunciation will be initiated and the process computer will prin t the identification of the pertinent trip.
Operation of the reactor mode switch from one position to another may be employed to confirm certain aspects of the RPS trip channels during periodic test and calibration at shutdown only. During tests of th e trip channels, proper operati on of the mode switch contacts can be easily verified by noting that certain sensors are connected into the RPS logic and that other sensors are bypassed in the RPS logic in an appropriate manner of the given position of the mode switch.
In the startup and run modes of plant operation, procedures may be used to confirm that SDV high water level trip channels cannot be bypassed as a result of the operating bypass switch. In the shutdown and refuel modes of plant operation, a similar pr ocedure may be used to bypass all four SDV trip channels.
Due to the discrete "on-off" nature of the bypass function, calibration is not meaningful.
Administrative control must be exercised to valve one turbine first-stage pressure sensor out-of-service for the periodic test. During this test, a vari able pressure source may be introduced to operate the sensor at the setpoint value. When the condition for bypass has been C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.2-22 achieved on an individual sens or under test, the control room annunciator for this bypass function will be initiated. If the RPS trip channel associated with this sensor is in its tripped state, the process comput er will log the return to normal state for the RPS trip logic. When the plant is operating above 29.5% of rated power, testing of the turbine throttle valve and governor valve fast closure trip channels will confirm that the bypass function is not in effect.
Operation of the reset switch following a trip of one RPS trip system will confirm that the switch is performing its intended f unction. Operation of the rese t switch following trip of both RPS trip systems will confirm that all portions of the switch and relay logic are functioning properly since half of the control rods are returned to a normal state for one actuation of the switch.
A manual scram switch permits each individual trip logic, trip act uator, and trip actuator logic to be tested on a periodic basis. Testing of each process sensor of the protection system affords an opportunity to verify proper operati on of these components. Calibration of the time response of the trip channel re lays and trip actuators may be accomplished by connection of external test equipment.
Regulatory Guide 1.53 (June 1973
), Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems
See Section 7.2.2.2 (IEEE 279-1971, Paragraph 4.2).
Regulatory Guide 1.62 (October 1973), Manual Initiation of Protective Actions
Means are provided for manual initiation of the RPS at the system level through the use of four push button switches located on th e control room bench board.
Operation of two switches (one in each trip system) accomplishes the initiation of all actions performed by the automatic initiation circuitry.
Placing the reactor mode switch in the shutdown position will also cause a system level initiation.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 Table 7.2-1 Reactor Protection System Instrumentation Function Instrument a LDCN-14-003 7.2-23 Scram Reactor vessel high pressure Pressure switch (B22-N023A-D) MS-PS-23A-D Drywell high pressure Pressure switch (C72-N002A-D) RPS-PS-2A-D Reactor vessel low water level (level 3) Level switch (B22-N024A-D)
MS-LIS-24A-D Scram discharge volume high water level Transmitter/Level Indicating Switch CRD-LT-12A-D CRD-LIS-601A-D Transmitter/Level Switch CRD-LT-13A-D CRD-LS-613-A-D Turbine throttle valve closure
Position switch (C72-N006A-D)
RPS-POS-33T/1A-4A RPS-POS-33T/1B-4B Turbine governor valve fast
closure Pressure switch (C72-N005A-D)
RPS-PS-5A-D Main steam line isolation valve closure Position switch (B22F022 A-D)
MS-V-22 A-D (B22F028 A-D)
MS-V-28 A-D Neutron monitoring system IRM, APRM, OPRM C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 Table 7.2-1 Reactor Protec t ion System Instrumentation (Continued)
Function Instrumen t a 7.2-24 Bypass Discharge volume high water level trip bypass N/A Turbine stop valve and governor valve fast-closure trip bypass Pressure switch (C72-N003A-D)
MS-PS-3A-D Main steam line isolation valve closure trip bypass Pressure switch (B22-N020A-D)
MS-PS-20A-D a Instruments in parenthes e s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-05-009 7.3-1 7.3 ENGINEERED SAFETY FEATURE SYSTEMS
7.
3.1 DESCRIPTION
The instrumentation and controls include the operation of the following engineered safety feature (ESF) systems (see Figures 7.3-1 through 7.3-15): a. Emergency core cooling system (ECCS),
- b. Primary containment and reactor vessel isolation control systems (PCRVICS), c. Residual heat removal (RHR) system - containment spray cooling mode (CSCM),
- d. RHR system - suppression pool cooling mode (SPCM),
- e. Standby service water (SW) system,
- f. Main control room and critical switchgear rooms h eating, ventila ting, and air conditioning (HVAC) system,
- g. Reactor building ventilation and pressure control system,
- i. Containment instrument air (CIA) system, and The sources which supply power to the ESF system s originate from onsite ac and/or dc safety-related buses or, as in the case of the PCRVICS fail safe logic, from safety-related Division 1 and 2 power and the non-safety-related reactor protection system (RPS) motor generator (MG) sets. See Chapter 8 for a complete discussion of the ESF systems power sources.
7.3.1.1 System Description 7.3.1.1.1 Emergency Co re Cooling Systems The ECCS is a network of the following systems. See Sections 6.3.1 and 6.3.2. a. High-pressure core spray (HPCS) system,
- c. Low-pressure core spray (LPCS) system, and d. Low-pressure coolant injecti on (LPCI) mode of the RHR system.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-04-027,05-009 7.3-2 The following plant variables are monitored and provide automa tic initiation of the ECCS when these variables exceed predetermined limits:
A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary (RCPB) and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. See Figure 10.3-2 for a schematic arrangement of reactor vessel instrumentation.
- b. Drywell pressure
High pressure in the drywell could indi cate a breach of the RCPB inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes.
7.3.1.1.1.1 High-Pressu re Core Spray System.
Function The purpose of the HPCS is to provide high pre ssure reactor vessel core spray for a small line break loss-of-coolant accident (LOCA) which does not depressu rize the reactor vessel. In addition HPCS is redundant to the ADS system fo r mitigation of the cons equences of various events described in Chapter 15. The HPCS can provide core cooling or reactor vessel inventory makeup following accidents and various design basis transients described in Chapter 15. See also Section 6.3.2.2.1. The HPCS also provides for core cooling during a station blackout event.
Operation Schematic arrangements of system mechanical e quipment is shown in Figure 6.3-4. The HPCS system component control logic is shown in Figures 7.3-4 and 7.3-7. Instruments are listed in Table 7.3-1. Operator information displays are shown in Figures 7.3-7 and 7.3-4.
The HPCS is initiated automatically by either reactor vessel low water level (trip level 2) or drywell high pressure. The syst em is designed to operate automatically for at least 10 minutes without any actions requ ired by the control room operator.
Once initiated the HPCS logic seals-in and can be reset by th e operator only when the initial conditions return to normal.
See Figure 7.3-7 for a schematic representation of the HPCS system initiation logic.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-3 Reactor vessel water level (trip level 2) is m onitored by four redundant differential pressure switches. The switch contacts are arranged in a one-out-of-two twice logic arrangement to ensure that no single event can pr event the initiation of the HPCS.
Initiation diversity is provided by drywell pres sure which is monito red by four redundant pressure switches. The switches are electrically connected in a one-out-of-two twice logic arrangement to ensure that no single instrument failure can pr event the initiation of the HPCS.
The HPCS components respond to an automatic initiation signal as fo llows (actions are simultaneous unless stated otherwise):
- a. The HPCS diesel genera tor is signaled to start a nd its protective relays are bypassed. Once the diesel is started it signals its coo ling water pump to start.
See Section 6.3.1.1;
- b. The HPCS pump motor is signaled to start;
- c. The normally open pump suction valv e from the condens ate storage tank HPCS-V-1 (MO F001), is signaled to open;
- d. The test return valves HPCS-V-10 (MO F010), HPCS-V-11 (MO F011), and HPCS-V-23 (MO F023) are signaled to close; and
- e. The HPCS injection valve HPCS-V
-4 (MO F004) is signaled to open.
If the pump is running but discharge flow is low enough that pump overh eating may occur, the minimum flow return line valve HPCS-V-12 (M O F012) is signaled to open. The valve is automatically closed if flow is normal.
If water level in the condensa te storage tanks falls below a predetermined level, the suppression pool suction valve HPCS-V-15 (MO F015) automatically opens. When HPCS-V-15 (MO F015) is fully open the conde nsate storage tank suct ion valve HPCS-V-1 (MO F001) automatically closes. Two leve l switches mounted on a Seismic Category I standpipe in the reactor building are used to de tect low water level in the condensate storage tanks. Either switch can cause automatic suction tran sfer. If the condens ate supply line fails, the suction supply for HPCS-P-1 pump transf ers to the suppression pool. Either of two instruments mounted on the su pply line in the react or building sense a low water level in the supply line as a broken pipe. The suppression pool suction valve also automatically opens if high water level is detected in the suppression pool. Two level switches monitor suppression
pool water level and either switch can initiate opening of the suppression pool suction valve.
To prevent losing suction to the pump, the suction valves are in terlocked so that one suction path must be open befo re the other closes.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-4 The HPCS provides makeup water to the reactor until the vessel water level reaches the high level trip (trip level 8) at which time the inje ction valve HPCS-V-4 (MO F004) is automatically closed. The pump will continue to run on minimum flow recirculation. The injection valve will automatically reopen if vessel level again drops to the low level (trip level 2) initiation point.
The HPCS pump motor and injection valve are provided with ma nual override controls. These controls permit the reactor ope rator to manually control the system following automatic initiation.
7.3.1.1.1.2 Automatic Depressurization System.
Function The ADS is designed to provide automatic depr essurization of the reactor vessel by activating seven safety/relief valves (SRV s). These valves ve nt steam to the suppression pool in the event the HPCS cannot maintain reactor water level following a LOCA. The ADS reduces reactor pressure so that flow from the low pressure ECCS, LPCI system and LPCS, can inject into the reactor vessel in time to cool the core and limit fuel cladding temperature. See also Section 6.3.2.2.2.
Operation Schematic arrangements of system mechanical e quipment is shown in Figure 10.3-2. The ADS component control logic is shown in Figure 7.3-8. Instruments are listed in Table 7.3-2. Operator information di splays are shown in Figures 10.3-2 and 7.3-8.
The ADS is made up of two independent trip systems (A&B).
To prevent inadvertent actuation of the ADS, two channels of logic for each ADS trip system are used. Both channels must be activated to actuate ADS. See Figure 7.3-5 for a schematic representation of the ADS initiation logic.
One channel includes two differential pressure sensor inputs monitoring reactor vessel low water level (trip level 3 and trip level 1). The low water le vel trip (trip level 3) provides confirmation of a reactor vessel low water leve l condition. The other channel includes only a single reactor vessel low water level (trip level 1) input.
To ensure that adequate makeup water is available after the vessel has been depressurized each logic channel includes a pump di scharge pressure permissive signal indicating RHR or LPCS system available for vessel water makeup.
Any one of the three RHR pumps or the LPCS pump is sufficient to permit automatic depressurization.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-5 After receipt of the initiation signals and a time delay, one or both of th e two solenoid pilot air valves are energized. This allows pneumatic pr essure from the accumulator to act on the air cylinder operator. Each ADS trip system tim er can be reset manually to delay system initiation. If reactor vessel water level is restored by HPCS prior to the end of the time delay, ADS initiation will be prevented.
Also, either or both ADS trip systems may be initially inhibited to eliminate resetting the timer.
The ADS trip system A actuates the "A" solenoid pilot valv e on each ADS relief valve. Similarly, the ADS trip system B actuates the "B" solenoid pilot valve on each ADS relief valve. Actuation of either solenoid pilot valve causes the ADS valve to open and provide depressurization.
Two control switches (one for each trip system solenoid) are located in the main control room for each SRV associated with the ADS. Each switch controls one of the two solenoid pilot valves.
7.3.1.1.1.3 Low-Pr essure Core Spray.
Function The purpose of the LPCS is to provide low-pr essure reactor vessel core spray following a LOCA when the vessel ha s been depressurized and vessel water level has not been restored by the HPCS. The LPCS is func tionally diverse to the LPCI mode of the RHR system (see Section 6.3.2.2.3).
Operation Schematic arrangements of system mechanical e quipment is shown in Figure 6.3-4. The LPCS component control logic is shown in Figure 7.3-9. Instruments are listed in Table 7.3-3. Operator information di splays are shown in Figure 7.3-9.
The LPCS is initiated automatically by either reactor vessel low water level and/or drywell high pressure. The system is de signed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once in itiated the LPCS logic seals-in and can be reset by the control room operator only when the initial conditions return to normal.
See Figure 7.3-9 for a schematic representation of the LPCS system initiation logic.
Reactor vessel water level (trip level 1) is monitored by two redundant differential pressure switches. To provide diversity drywell pressure is monitored by two redundant pressure switches. The vessel level swit ch contacts and the drywell pressure switch contacts are connected in a one-out-of-two tw ice logic arrangement so that no single instrument failure can prevent initiation of LPCS.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-6 The LPCS components respond to an automatic initiation signal si multaneously (or sequentially as noted) as follows:
- a. The Division 1 diesel generator is signaled to start,
- b. The normally closed test return line to the suppression pool valve LPCS-V-12 (MO F012) is signaled closed,
- c. If power from the normal auxiliary or backup transformer is available at the pump motor bus, the LPCS pump is signaled to start. If the startup transformer is supplying the pump motor buses, se quential starts of ECCS pumps are required to prevent excessive voltage drops on the buses. This is accomplished by delaying the start of LPCS pump by 9.5 sec.
- d. Reactor pressure is monitored by a pressure switch which senses the reactor vessel pressure. When the reactor vessel pressure is low enough to protect the LPCS from over-pressure and power is available to the pump motor bus, the injection valve is signaled to open.
The LPCS pump discharge flow is monitored by a flow indicating switch. When the pump is running and discharge flow is low enough that pump overheating may occur, the minimum
flow return line valve LPCS-FCV
-11 (MO F011) is opened. The valve is automatically closed if flow is normal.
The LPCS pump suction from the suppression p ool valve LPCS-V-1 (MO F001) is normally open, the control switch is key locked in the open position, and thus requires no automatic open signal for system initiation.
The LPCS pump and injection valve are provide d with manual override controls. These controls permit the operator to manually control the system subs equent to automatic initiation.
7.3.1.1.1.4 Residual Heat Removal System - Low Pressure Coolant Injection Mode.
Function Low-pressure coolant injection is an operating mode of the RH R system. The purpose of the LPCI system is to provide low-pressure reactor vessel coolant makeup following a LOCA when the vessel has been depressurized and vessel water level is not rest ored by the HPCS (see Section 6.3.2.2.4).
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 7.3-7 Operation Schematic arrangements of system mechanical e quipment is shown in Figure 5.4-15. The LPCI component contro l logic is shown in Figure 7.3-10. Instruments are listed in Table 7.3-4. Operator information displays are shown in Figures 7.3-10 and 5.4-15.
The LPCI system is init iated automatically by e ither reactor vessel low water level or drywell high pressure (one-out-of-two-twice logic). The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated, the LPCI logic seals-in and can be reset by the cont rol room operator only when initial conditions return to normal. See Figure 7.3-10 for a schematic representation of the LPCI initiation logic. To provide diversity, reactor vessel water leve l (trip level 1) and drywell pressure are monitored by two re dundant differential pressure switches.
To initiate the Division 2 LPCI (loops B and C) the vessel level switch contacts and the two drywell pressure switch contacts are connected in a one-out-of-two-twice arrangement so that no single instrument failure can prevent in itiation of LPCI.
The Division 1 LPCI (loop A) receives its initiation signal from the LPCS logic.
The LPCI system components respond to an automatic initiation signal simultaneously (or sequentially as noted) as follows (the loop A components are controlled from the Division 1 logic; the loop B and C components are controlled from the Division 2 logic):
- a. The Division 2 diesel generator is signaled to start from the loop B and C initiation logic;
- b. If offsite power is not available and the diesel ge nerators are supplying the pump motor buses, sequential loading of the diesel generators is required. This is accomplished by delaying the start of LPCI pumps A and B by 5 sec while allowing the LPCS and LPCI C pumps to start immediately. The same start sequence is maintained for the LPCS and LPCI pumps when the pump motor buses are supplied from the normal auxiliary or backup transformer. If the startup transformer is supplying the pump motor buses, seque ntial starts of ECCS pumps are required to prevent exce ssive voltage drops on starting. This is accomplished by delaying the start of LPCS and LPCI C pumps by 9.5 sec and delaying LPCI A and B pump starts by 19.4 sec;
- c. Reactor pressure is monitored by a pressure switch for each LPCI injection valve RHR-V-42A, RHR-V-42B, and RH R-V-42C (MO FO42A, B, C). When the reactor pressure is low enough to protect the LPCI from overpressure and power is available at the associated pump motor bus, the injection valve is signaled to open;
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 LDCN-04-017 7.3-8
- d. The following normally closed valves are signaled closed to ensure proper system lineup:
- 1. The test return line to the suppression pool va lves RHR-V-24A, RHR-V-24B (MO F024 A, B), RHR-V-21, and
- 2. The suppression pool spray valves RHR-V-27A and RHR-V-27B (MO F027 A, B).
- e. The normally open heat exchanger bypass valves RHR-V-48A and RHR-V-48B (MO F048 A, B) are signaled open. The open signal is auto matically removed 10 minutes after system initiation to a llow operator control of the valve for throttling purposes if cooling using RHR heat exchangers is required.
The flow in each LPCI discharge line is mon itored when the pump is running. Whenever the discharge flow is below the minimum flow setpoint, the respective minimum flow valve RHR-FCV-64A, RHR-FCV-64B, or RHR-FCV-64C (MO F064A, B or C) will automatically start to open in approximately 8 sec, to preven t pump overheating. The valve is automatically closed if the flow is above the minimum flow setpoint. The time delay is provided to limit reactor vessel inventory loss during the shutdown cooling mode of the RHR system (see Section 5.4.7.2.6).
The three RHR pump suction from the suppression pool valves RHR-V-4A, RHR-V-4B, RHR-V-4C (MO F004 A, B, C) and the RHR heat exchanger inlet valves RHR-V-47A, RHR-V-47B, (MO F047 A, B) which are locked open (with power removed) and outlet valves RHR-V-3A, RHR-V-3B (MO F003 A, B) have their control switches in the open position, and thus require no automatic open signal for system initiation.
The two series SW crosstie valves RHR-V-115 (MO F094) and RHR-V-116 (MO F093) have their control switches key locked in the close position, and thus require no automatic close signal for system initiation.
The two series containment spray valves RHR-V-16A, RHR-V-16B, (MO F016 A, B) and RHR-V-17 and RHR-V-17B (MO F017 A, B), the two series RH R heat exchanger vent valves RHR-V-73A, RHR-V-73B, RHR-V-74A, an d RHR-V-74B (MO F073 A, B and MO F074 A, B), and the RHR shutdown cooling mode suction valves RHR-V-6A and RHR-V-6B (MO F006 A, B) are all normally closed and thus requi re no automatic close signal for system initiation.
The LPCI pump motors and injection valves are provided with manual override controls.
These controls permit the operato r to manually control the syst em subsequent to automatic initiation.
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 LDCN-12-028 7.3-9 7.3.1.1.2 Primary Containment and Reactor Vessel Isolation Control System (PCRVICS)
Function The PCRVICS includes the instrument channels , trip logic, and act uation circuits that automatically initiate valve closure providing isolation of the primary containment and/or reactor vessel, and initiation of systems provided to limit the release of radioactive materials.
See Section 6.2.4 and Table 6.2-16 for a complete description of primary containment and reactor vessel process lines and isolation signals applied to each.
Operation
Schematic mechanical arrangeme nts of containment isolation valves and other components initiated by PCRVICS are shown in Figures 5.4-15 , 10.3-2 , 5.4-7 , 5.4-11 , 5.4-22 , 9.3-9 , 9.3-12 , and 3.2-2. The PCRVICS component c ontrol logic is shown in Figures 7.3-1 , 7.3-8 , 7.3-10 and 7.4-1. Instruments are listed in Table 7.3-5. Operator information displays are shown on these figures.
During normal plant operation, the isolation control system se nsors and trip logic that are essential to safety are energi zed. When abnormal conditions ar e sensed, instrument contacts open and deenergize the trip logic and thereby initiate isolation. On ce initiated, then the PCRVICS trip logic seals-in and may be reset by the operator when the initiating conditions return to normal.
The PCRVICS trip logic provides isolation signals to the main steam li ne isolation valves (MSIVs) MS-V-22A, MS-V-22B, MS-V-22C, MS-V-22D (AO F022 A, B, C, D) and MS-V-28A, MS-V-28B, MS-V-28C, MS-V-28D (AO F028 A, B, C, D);
to the main steam line drain valves MS-V-16 (MO F016), MS-V-67A, MS-V-67B, MS-V-67C, MS-V-67D (F067 A, B, C, D), and MS-V-19 (MO F019); to the reactor water sample valves RRC-V-19 (MO F019) and RRC-V-20 (F020); to the RHR shutdown cooling system valves RHR-V-8 (MO F008), RHR-V-9 (F009), RHR-V-23 (F023), RHR-V-40 (F040), RHR-V-49 (F049),
RHR-V-53A, RHR-V-53B (F053 A, B), RHR-V-123A, RHR-123B (F099 A, B); to the reactor water cleanup (RWCU) system valves RWCU-V-1 (MO F001) and RWCU-V-4 (F004); to the drywell equipment drain valves EDR-V-19 (AO F019) and EDR-V-20 (F020); to the drywell floor drain valves FDR-V-3 (AO F003) and FDR-V-4 (F004); to the TIP system valves, TIP-V-1, TIP-V-2, TIP-V-3, TIP-V-4, TIP-V-5, and TIP-V-15; and to the RCIC system valves, RCIC-V-63 (MOF063), RCIC-V-8 (F008) and RCIC-V-76 (F076).
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-09-007 7.3-10 Each MSIV has two control solenoids. Each solenoid receives inputs from two redundant logic channels. A signal from either can deenergi ze the solenoid. For any one valve to close automatically, both of its sole noids must be deenergized.
The MSIV logic has a minimum of four redundant instrument channels for each measured variable. One channel of each variable is connected to one trip logic. One group of redundant logic (A, C) is used to control one solenoid of both inboard and out board valves of all four main steam lines, and the other group of redundant logic (B , D) is used to control the other solenoid of both inboard and outboard valves. The four PCRVICS trip logic channels are arranged in a one-out-of-two twice logic combination (trip l ogic A or C and B or D). See Figure 7.3-2.
The main steam line drain valves, drywell equi pment and floor drain valves, reactor water sample valves, the RWCU system, and RHR system isolation valves also operate in pairs. The outboard valves close if the Divi sion 1 isolation logic (A and B) is tripped, and the inboard valves close if the Division 2 logi c (C and D) is tripped. See Figure 7.3-3. The RCIC system isolation valves are initiate d closed by the leak detecti on system signals listed in Section 7.3.1.2.1.d. See Figure 7.4-1.
The PCRVICS also provides signals to start the SGT, to remove nonessential loads from essential buses, and to isolate the reactor building ventilation system and the primary containment purge and vent system.
The following variables provide inputs to the PCRVICS logics for initiation of reactor vessel and drywell isolation, as we ll as the initiation or trip of other plant functions when predetermined limits are exceeded.
Combinations of these variables, as necessary, provide initiation of various isol ating and initiating functi ons as identified in Table 6.2-16 and described below.
7.3.1.1.2.1 Reactor Vessel Low Water Level. A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the RCPB and that the core is in danger of becoming overheated as the re actor coolant inventory diminishes.
Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach of the pipelines, conserve reactor coolant by closing off process lines, and limit the escape of radioactive materials from th e primary containment through process lines that communicate with the primary coolant boundary or primary containment.
Three reactor vessel low water leve l isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel.
The first (and higher) reactor vessel low water level isolation trip (trip level 3) initiates closure of all RHR system isolation valves. The main steam lines are left open to allow the removal of heat from the reactor core. The second (and lower) reactor vessel low-low wate r level isolation trip (trip level 2) isolat es the Group 2, 3, 4 C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-09-007 7.3-11 and 7 primary containment isola tion valves and also provides i nputs to logic which trips or initiates other plant equipment.
The third (lowest) reactor vessel low-low-low water isolation trip (trip level 1) isolates the Group 1 primary containment isolation valves which include MSIVs and main steam line drain valves.
Reactor vessel low water level (Level 3) is m onitored by four redundant differential pressure switches. Each provides a low water level input to one of the four PCRVICS trip logic.
Reactor vessel water low-low (Level 2) a nd low-low-low (Level 1) are monitored by four redundant differential pressu re transmitters with dual trip un its. Each trip unit provides a Level 2 or Level 1 input to the PCRVICS trip logic.
Diversity of trip initiation for pipe breaks inside of primary containment is provided by drywell high pressure sensors.
7.3.1.1.2.2 Drywell High Pressure. High pressure in the dryw ell could indicate a breach of the RCPB inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes.
Drywell pressure is monitored by four redundant pressure switc hes. Each switch provides an input to one of the four trip logic channels.
7.3.1.1.2.3 Main Steam Line - High Radiation. The main steam line radiation monitors sense the gross release of fission prod ucts from the fuel and initiates action to contain the released fission products.
Four redundant detectors monitor the gross gamma radiation from the main steam lines. Each provides an input to one of the f our PCRVICS trip logic channels.
Each channel consists of a gamma-sensitive ion chamber and a log radiation monitor. Each log radiation monitor has three trip circuits. One ups cale trip circuit is used to initiate closure of the reactor water sample valves, mechanical vacuum pump trip, gland seal conde nser exhauster trip, and an isolation alarm. The second circuit is used for a high alarm and is set at a level below that of the upscale trip circuit. The third circuit is a downscal e alarm. The inoperative condition actuates the isolation alarm and produces the same isolation described above for the upscale trip circuit.
7.3.1.1.2.4 Main Steam Line - Tunnel High Ambient Temperature or High Differential Temperature. A leak in a main steam line is indicated by a high ambient temperature or a high differential temperature for this area. The automatic closure of main steam line isolation and
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-12 drain valves prevents the exce ssive loss of reactor coolant a nd the release of a significant amount of radioactive ma terial from the RCPB.
There are four main st eam line high ambient temperature cha nnels within the steam tunnel and four high differential temperature channels between the main steam line tunnel and the reactor building. These eight channels monitor and actuate main steam line isolation logic which is deenergized by high ambient or high differential temperature condition.
Diversity of trip initiation signals for the main steam line tunnel high ambient or high differential temperature is provi ded by main steam line high flow and steam line low pressure instrumentation.
7.3.1.1.2.5 Main Steam Line - High Flow. Main steam line high flow could indicate a breach in a main steam line. Automatic closure of isol ation valves prevents excessive loss of reactor coolant and release of signi ficant amounts of radioactive material from the RCPB.
Sixteen redundant differential pressure switches, four for each main steam line, monitor the main steam line flow. Four differential pressure switches for each main steam line provide inputs to each of the four trip logic channels.
When a significant increase in ma in steam line flow is detected, tr ip signals initiate closure of all main steam line isolation and drain valves.
7.3.1.1.2.6 Main Steam Line - Low Pressure. Low steam pressu re at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure regulator in which the turbine governor valv es or turbine bypass valves become fully open, thus causing rapid depressurization of the reactor vessel.
From reduced power the rate of decrease of nuclear system saturation temperature could exceed the allowable rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pre ssures across the channe ls (around some fuel bundles) of sufficient magnitude to cause mechanical deforma tion of channel walls. Such depressurizations without adequate preventive actions could require thorough vessel analysis or core inspection prior to returning the reactor to power operation.
Four redundant pressure sensors, one for ea ch main steam line, m onitor main steam line pressure and each provides an input to one of the four trip logic channels.
When a significant decrease in main steam line pressure is detected , the PCRVICS initiates closure of all main steam lin e isolation and drain valves.
The main steam line low pressure trip is bypassed by the reactor mode switch in the shutdown, refuel, and startup modes of reactor operation. In the run mode, the low pressure trip function is active.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-13 7.3.1.1.2.7 Reactor Building Ventilation Exhaust Radiation Monitor. There are four radiation monitors arranged in two sets of two channels each, (A, B) and (C, D), which make up the process radiation monitor (PRM) reactor building vent radiation monitor isolation system. Each channel has a trip signal output used for shutdown and isolation of the reactor building ventilation system, startup of the SGT, and trip and/or is olation of various other plant functions. The trip output is provided in response to either high radiation in the ventilation exhaust plenum (upscale trip) or instrument failure (downscale trip). The downscale trip also initiates an alarm to alert th e operator to instrument trouble conditions. See Section 11.5 for additional details.
7.3.1.1.2.8 Reactor Water Cleanup System - High Differential Flow. High differential flow in the RWCU system could indicate a breach of the RCPB of the cleanup system. The flow at the inlet to the system is compared with the flow at the outlets of the system.
A differential flow signal is developed from the compared in let-outlet flow si gnals and applied to the two (inboard or outboard) logic trip channels. When an increase in RWCU system differential flow is detected, the PCRVICS initiates closure of the RWCU system isolation valves. This isolation function is not credited in the accident analysis.
Diversity of trip initiation signals for RWCU system isolation is provided by instrumentation for reactor water level, differential flow, high blowdown flow, and ambient or differential temperature in RWCU equipment areas.
The RWCU system high differential flow trip is bypassed by an automatic timing circuit during normal RWCU system surges. This time delay bypass prevents inadverten t system isolations during system flow transients.
7.3.1.1.2.9 Reactor Water Cleanup System - Area High Ambient Temperature or High Differential Temperature. High temperature in the equipment room areas of the RWCU system could indicate a breach of the RCPB in the cleanup system.
Redundant ambient temperature or differential temperature sens ors monitor the RWCU system area temperatures. When a significant increase in RWCU system area ambient or differential temperature is detected the PCRVICS initiates closure of RW CU system isolation valves.
The output trip signal of each sensor initiates a l ogic trip and closure of either the inboard or outboard RWCU system isolation valve.
Diversity of trip initiation signa ls for high differential temperat ure is provided by two pair of differential temperature elements and associated differential temp erature switches. Each pair of temperature elements and its differential temperature switch are associated with one of two logic channels.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-14 7.3.1.1.2.10 Reactor Water Cleanup System - High Blowdown Flow. High flow conditions in the RWCU blowdown to the main condenser or radwaste line is indi cative of a high-energy line break condition. Flow in this line is monitored by two redundant flow sensors which measure flow at the same point and apply flow signals to the trip logic channels. One flow signal is provided to the inboa rd trip channel and one to the outboard trip channel.
When an increase in RWCU blowdown flow is detected, the PCRVICS in itiates closure of the RWCU system isolation valves.
The high blowdown flow trip logic contains a time delay feature which prevents inadvertent system isolations due to normal flow transients.
7.3.1.1.2.11 Residual Heat Removal System - Area High Am bient Temperature or High Differential Temperature. High temperature in the equipment room area s of the RHR system could indicate a breach in the RCPB in the RHR system.
Redundant ambient temperature or redundant diffe rential temperature sensors monitor the RHR system area temperatures. Ha lf of the ambient and differential temperature sensors are associated with one trip logic. The remaining temperature channels are associated with the other trip logic. The ambient temperature elements are located in each RHR equipment area.
The differential temper ature elements are located in th e ventilation supply and ventilation exhaust of RHR pump rooms A and B.
When an increase in RHR system area ambient temperature or differential temperature is detected, the PCRVICS initiates closure of the RHR system isolation valves.
The output trip signal of each sens or initiates a trip logic and clos ure of either the inboard or outboard RHR system isolation valve.
Diversity of trip initiation signals for RHR line break is provided by ambient temperature, differential temperature, and shutdown cooling fl ow instrumentation.
An increase in ambient temperature, differential temperature, or flow will initiate RHR system isolation.
7.3.1.1.2.12 Residual Heat Rem oval System - Flow Rate Monito ring. High flow in the RHR system suction line from the r eactor vessel could indicate a breach in the RCPB in the RHR system.
Two redundant differential pressure switches, one for each trip logic, monitor the RHR shutdown cooling mode suction line.
The output trip signal of each sensor initiates a logic trip and closure of either the inboard or outboard RHR system isol ation valve. The RHR suction high flow trip is not credited within the Columb ia Generating Station (CGS) accident analysis.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-15 7.3.1.1.2.13 Main Conde nser Vacuum Trip. The main turbine condenser low vacuum signal could indicate a leak in the condenser. Initiation of automatic closure of various valves will prevent excessive loss of reactor coolant and th e release of significant amounts of radioactive material.
Four redundant vacuum switches monitor the main condenser vacuum. Each switch provides an input to one of four trip logic channels.
When a significant decrease in main condenser vacuum is de tected, the PCRV ICS initiates closure of all main steam lin e isolation and drain valves.
Main condenser low vacuum trip can be bypass ed manually when the tu rbine throttle valve is less than 90% open and reactor pressure is below 1060 psig.
7.3.1.1.2.14 Reactor Core Isolation Cooling System Isolation Signals. The RCIC isolation signals for RCIC steam line hi gh flow and RCIC pipe routi ng/equipment area high ambient temperature or high differential temperature are a subset of the RCIC leak detection system and are described in Section 7.6.1.3.4.
7.3.1.1.3 DELETED
7.3.1.1.4 Residual Heat Re moval System - Containm ent Spray Cooling Mode
Function The CSCM is an operating mode of the RHR system. It is de signed to condense steam in the suppression chamber air volume and/or the drywell atmosphere following a LOCA. See Section 5.4.7. The drywell spray (with or without the RHR heat exchangers) is used to remove airborne radioactivity from the cont ainment atmosphere in response to a LOCA.
Drywell sprays are started within the first 15 minutes post-LOCA.
Operation
The RHR system control logic is shown in Figure 7.3-10. Instruments are listed in Table 7.3-7. Operator information displays are shown in Figure 7.3-10.
The CSCM is initiated by the control room operator by diverting RHR flow to either the suppression pool or the dryw ell by opening valves RHR-V-27A, RHR-V-27B (MO F027A, B) or RHR-V-16A, RHR-V-16B (MO F016A, B), and RHR-V-17A, RHR-V-17B (MO F017A, B).
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-16 The following conditions must exis t before the operator can initiate the drywell spray cooling loop: a. The LOCA signal which automatically initiated LP CI must still exist;
- b. One of the two redundant drywell pressure switches must indicate high pressure; and
- c. The operator must close the LPCI injection valve RHR-V-42A, RHR-V-42B (MO F042A, B).
7.3.1.1.5 Residual Heat Removal System - Suppression Pool Cooling Mode
Function The SPCM is an operating mode of the RHR sy stem. It is designed to prevent suppression pool temperature from exceeding predetermined limits following a reactor blowdown of the ADS or SRVs. The SPCM mode is also us ed during RCIC operati on and SRV testing.
Operation
Component control logic is shown in Figure 7.3-10. Instruments are listed in Table 7.3-8. Operator information di splays are shown in Figure 7.3-10.
The SPCM is initiated by the control room operator either during normal plant operation or following a LOCA when the suppression pool temperature monitoring system (see Section 7.6) indicates that pool temperature ma y exceed a predetermined limit.
During normal plant operation the opera tor initiates the SPCM as follows:
- a. The RHR pump (A or B) is started. The standby SW pump is started and the RHR heat exchanger SW discha rge valve RHR-V-68A, RHR-V-68B (MO 0068 A, B) is signaled to open au tomatically when the SW pump starts.
- b. The RHR test return line valve RHR-V-24A, RHR-V-24B (MO F024 A, B) is opened.
- c. The RHR heat exchanger inlet valves RHR-V-47A, RHR-V-47B (MO F047 A, B) are locked open (with power rem oved) and outlet valves RHR-V-3A, RHR-V-3B (MO F003 A, B) are throttled as necessary. Th e heat exchanger bypass valve RHR-V-48A, RHR-V-48B (MO F048 A, B) and valve RHR-V-24A, RHR-V-24B (MO F024 A, B) are throttled as necessary.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-15-062 7.3-17 Subsequent to a LOCA the operato r initiates the SPCM as follows:
- a. Once reactor vessel water level has b een restored, the LPCI flow must be terminated by closing the LPCI in jection valve RHR-V-42A, RHR-V-42B (MO F042 A, B). Closing the injection valve causes the LOCA initiation logic to be overridden and allows ope rator control of the system;
- b. The RHR test return line valve RHR-V-24A, RHR-V-24B (MO F024 A, B) control logic also has LOCA signal override provisions. This allows the operator to open the valve; and
- c. The RHR heat exchanger inlet valves RHR-V-47A, RHR-V-47B (MO F047 A, B) are locked open (with power rem oved) and outlet valves RHR-V-3A, RHR-V-3B (MO F003 A, B) are throttled as necessary. Th e heat exchanger bypass valve RHR-V-48A, RHR-V-48B (MO F048 A, B) (a 10-minute timer keeps this valve open following a LOCA) and valve RHR-V-24A, RHR-V-24B (MO F024 A, B) are throttled as necessary.
7.3.1.1.6 Standby Serv ice Water System
Function The SW system provides cooling water to the diesel generators, the RHR heat exchangers, the HPCS, RCIC, LPCI, and LPCS auxiliary equipm ent (e.g., room cooler, pump motor bearing cooler, pump seal cooler), and the essential HVAC chillers. See Section
9.2. Operation
Schematic arrangements of system mechanical e quipment is shown in Figure 9.2-12. The SW component control logic is shown in Figure 7.3-12. Instruments are listed in Table 7.3-9. Operator information di splays are shown in Figures 7.3-12 and 9.2-12.
The SW system is automatica lly initiated as follows:
- a. The Division 1 SW pump P-1A is started automatically when either the RHR A pump, the LPCS pump, or the Divi sion 1 diesel genera tor is started,
- b. The Division 2 SW pump P-1B is started automatically when either the RHR B pump, RHR C pump, the Division 2 diesel generator, or the RCIC pump is started, and
- c. The HPCS SW pump HPCS-P-2 (C002) is automatically started when the HPCS diesel generator is started.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-18 Once the SW pumps are started the following occurs:
- b. After the SW pumps discharge pres sure exceeds a mini mum value the pump discharge valves SW-V-2A, SW-V-2B, and SW-V-29 are signaled to open.
7.3.1.1.7 Main Control Room and Critical Switchgear Rooms H eating, Ventilating, and Air Conditioning System
Schematic arrangements of system mechanical e quipment are shown in Figure 9.4-1. Component control logic is shown in Figure 7.3-13. Instruments are listed in Table 7.3-10. Operator information di splays are shown in Figure 9.4-1 and Figure 7.3-13.
For a complete description of the main control room and critical switchgear rooms HVAC instrumentation and controls see Section 9.4.1.
7.3.1.1.8 Standby Gas Treatment System
Schematic arrangements of system mechanical e quipment are shown in Figure 3.2-2. The SGT component control logic is shown in Figure 7.3-14. Instruments are listed in Table 7.3-11. Operator information displays are shown in Figure 3.2-2 and Figure 7.3-14.
For a complete description of the SGT in strumentation and c ontrols see Section 6.5.1.
7.3.1.1.9 Reactor Building Ventilati on and Pressure Control System
Function The reactor building ventilation and pressure control system automatically maintains the reactor building or secondary containment at a negative pressure below atmospheric pressure by controlling the reactor building exhaust or SGT fan units. See Section
9.4.2. Operation
Schematic arrangements of system mechanical e quipment are shown in Figure 9.4-2. System component control logic is shown in Figure 7.3-14. Instruments are listed in Table 7.3-12. Operator information di splays are shown in Figure 9.4-2 and Figure 7.3-14.
The differential pressure is monitored by eight redundant diffe rential pressure transmitters, four in Division 1 and four in Division 2, which measure the differential pressure across the C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-19 exterior of four sides of the reactor building to inside the reactor building (572 ft el.). The signal indicating the least differential pressure fr om the four differentia l pressure transmitters in one division is selected and is used to control the position of the blades of the normal reactor building exhaust fan unit in that division.
On the initiation of the SGT by containment isolation signals high drywell pressure, low reac tor water level, or reactor building exhaust high radiation, the reactor building pressure control system then controls the secondary containment pressure by controlling the SGT fan units (see Section 6.5.1). 7.3.1.1.10 Containment Instrument Air System
Function The purpose of the CIA system is to provide clean, dry, pressurized gas to the main steam relief valves and isolation valves inside primar y containment. The pres surized nitrogen or air is normally provided by a non-safety-related s ource to a single head er which delivers the operating gas to the relief and isolation valves. Under normal conditions, the non-safety-related source also provides working pressure to two headers which serve as the safety-related backup system for seven relief valves designated for the ADS function.
However, a safety-related, bottled nitrogen source is available to maintain operating pressure to the seven divisionally separated ADS valves, in the event that the non-safety-related sources fail (see Figure 9.3-2
).
In the event of failure of the non-safety-related portions of the system, which is indicated by low header pressure and detected by three pressure switches, the bottled nitrogen automatically maintains header pressure to th e ADS valves. The non-safety-relat ed portion of the system is isolated from the safety-related ADS portion upon receipt of the low header pressure signal.
See Section 9.3.1.5.2.
The local stepping controller used for sequen tial nitrogen bottle openi ng is equipped with a local wheel index counter. A re mote counter display is also located near the backup N 2 supply bottles inside of the react or building (see Section 9.3.1.2.2). In addition, a low-header pressure alarm is provided to alert the operator to the loss of the ADS pneumatic supply.
Operation Schematic arrangements of system mechanical e quipment is shown in Figure 9.3-2. The CIA component control logic is shown in Figure 7.3-15. Instruments are listed in Table 7.3-13. Operator information di splays are shown in Figures 7.3-15 and 9.3-2. The CIA system is always in operation. The instrumentation and cont rols of the system perform the following functions:
- a. Monitor CIA system header pressure, C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-09-007 7.3-20
- b. Isolate the non-safety-rel ated portion of system in the event of failure in this portion, and
- c. Maintain CIA system header pressure in the event of item b by sequentially opening nitrogen bottles.
7.3.1.2 Design Basis The ESF systems are designed to provide timely protection agains t the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopa rdize the fuel barrier and RC PB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are presented in Chapter 15. 7.3.1.2.1 Variables Monitored to Provide Protective Action
The following variables are monitored to provide protective actions by the ESF systems:
- a. HPCS 1. Reactor vessel low water level (trip level 2), 2. Drywell high pressure;
- b. ADS 1. Reactor vessel low water level (trip level 3), 2. Reactor vessel low water level (trip level 1);
- 1. Reactor vessel low water level (trip level 1), 2. Drywell high pressure;
- d. PCRVICS
- 1. Reactor vessel low water level (trip level 3), 2. Reactor vessel low-low water level (trip level 2), 3. Reactor vessel low-low-low water level (trip level 1), 4. Main steam lin e high radiation, 5. Main steam line tunnel high ambien t or high differential temperature, C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-13-044 7.3-21
- 6. Main steam line high flow,
- 7. Main steam line low pressure,
- 8. Reactor building ventilation exhaust high radiation,
- 9. RWCU high differential fl ow or high blowdown flow, 10. RWCU pipe routing and equipment area high ambient temperature or high differential temperature, 11. RHR area high ambient temperature or high differential temperature,
- 12. RHR shutdown cooli ng suction high flow,
- 13. Main condenser low vacuum,
- 14. Drywell high pressure,
- 15. RCIC steam line high flow, and
- 16. RCIC pipe routing area high te mperature, or equipment area high ambient temperature or high differential temperature;
- e. DELETED;
- f. CSCM - drywell high pressure,
- suppression chamber high pressure;
- g. SPCM
- 1. Suppression pool temperature,
- 2. Drywell high pressure,
- 3. Reactor vessel low water level (trip level 1);
- i. Main control room and cr itical switchgear room HVAC
- 1. High room temperature;
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.3-22 j. Reactor building ventilation and pressure control - reactor building to fuel pool area differential pressure;
- k. SGT
- 1. Reactor vessel low water level (trip level 2), 2. Drywell high pressure,
- 3. Reactor building ven tilation high radiation;
- l. CIA System - instrument air header low pressure;
The plant conditions which require protective action involving the ESF systems are described in Chapter 15.
7.3.1.2.2 Location and Mini mum Number of Sensors
See the Technical Specifications for ESF systems, which identifies the minimum number of sensors to monitor safety-related variables. There are no sensors in the ESF systems which have a spatial dependence.
7.3.1.2.3 Prudent Operational Limits
Operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious ESF sy stem initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.
7.3.1.2.4 Margin
The margin between operational limits and the limiting conditions of operation of ESF systems are listed and the bases stated in the Technical Specifications.
7.3.1.2.5 Levels
Levels requiring protective action are specified in the Technical Specifications.
7.3.1.2.6 Range of Transient, Steady State, and Environmental Conditions
See Section 3.11 for environmental conditions. See Sections 8.2.1 and 8.3.1 for the maximum and minimum range of energy supply to ESF instrumenta tion and controls. All ESF instrumentation and controls are specified and purchased to withstand the effects of energy supply extremes.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-23 7.3.1.2.7 Malfunctions, Accidents, and Other Unusual Ev ents Which Coul d Cause Damage to Safety System Chapters 3 , 6 , 9 , 15 , and Appendix F describe the following credib le accidents and events:
floods, storms, tornadoes, earthqua kes, fires, LOCA, and pipe break outside containment. Each of these events is discussed below for the ESF systems.
7.3.1.2.7.1 Floods. The buildings containing ESF system s components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. For a discussion of internal floodi ng protection see Sections 3.4.1.4.1.2 , 3.4.1.5.2 , and 3.6.
7.3.1.2.7.2 Storms and Tornadoes. The buildings containing ESF systems components have been designed to withstand meteorol ogical events described in Section 3.3.
7.3.1.2.7.3 Earthquakes. The structures containing ES F systems components have been seismically qualified as described in Sections 3.7 and 3.8 and will remain f unctional during and following a safe shutdown earthqua ke (SSE). Seismic qualifica tion of instrumentation and electrical equipment is discussed in Section 3.10.
7.3.1.2.7.4 Fires. To protect the ESF syst ems in the event of a pos tulated fire, the redundant portions of the systems are isolated by electrical separation barriers. If a fire were to occur within one of the sections or in the area of one of the panels , the ESF systems functions would not be prevented by the fire. The use of spat ial separation and barrie rs ensures that even though some portion of the systems may be affected, the ESF systems will continue to provide the required protective action.
A fire detection system using heat detectors and combustion product detectors is provided in Power Generation Control Co mplex (PGCC) floor sections and in panels containing ESF systems components mounted on these floor sections. A Halon fire suppression system is provided in the same areas.
7.3.1.2.7.5 LOCA. The ESF systems components f unctionally required during and/or following a LOCA have been environmentally qua lified to remain functi onal as discussed in Section 3.11.
7.3.1.2.7.6 Pipe Break Outside Primary Containment. The ESF systems are designed and qualified to remain functional during and/or following these events. See Section 3.6.
7.3.1.2.7.7 Missiles. Protection for safety-related components is described in Section 3.5.
7.3.1.2.8 Minimum Perf ormance Requirements
Minimum performance requirement s for ESF instrumentation and controls are provided in the Technical Specifications.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-24 7.3.1.3 Final System Drawings Functional and architectural de sign differences between the PSAR and FSAR are listed in Table 1.3-8.
7.3.2 ANALYSIS
7.3.2.1 Engineered Safety Feature Sy stems - Instrumentation and Controls Chapter 15 and Chapter 6 evaluate the individual and co mbined capabilities of the ESF systems.
The ESF systems are designed such that a loss of instrument air, plant load rejection, or turbine trip will not prevent the completion of the safety function.
7.3.2.1.1 Conformance to 10 CFR 50 Appendix A
The following provides information regarding c onformance to those General Design Criteria (GDC) which apply specifically to the ESF systems. See Section 3.1 for a discussion of GDC which apply equally to all safety-related systems.
GDC 33 See Sections 7.3.1.1.1.1 and 3.1.2.4.4.
GDC 34 See Section 7.3.1.1.6 and 3.1.2.4.5.
GDC 35 See Sections 7.3.1.1.1 , 7.3.1.1.6 , and 3.1.2.4.6.
GDC 36, 37, 39, 40, 42 , 43, 45, 46, and 61 See Section 7.3.2.1.3, Regulatory Guide 1.22.
GDC 38 See Sections 7.3.1.1.4 , 7.3.1.1.5 , and 7.3.1.1.6 , and 3.1.2.4.9.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-25 GDC 41 See Sections 7.3.1.1.8 and 3.1.2.4.12.
GDC 44 See Sections 7.3.1.1.6 and 3.1.2.4.15.
GDC 60 and 61
See Sections 7.3.1.1.8 , 7.3.1.1.3 , 3.1.2.6.1, and 3.1.2.6.2.
GDC 64 See Sections 7.3.1.1.2 and 7.3.1.1.8.
7.3.2.1.2 Conformance to IEEE Standards
The following provides information regardi ng conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generati ng Stations, which apply specifically to the ESF systems. See Section 7.1.2.3 for a discussion of IEEE standa rds which apply equally to all safety-related systems.
General Functional Requirement (IEEE 279-1971, paragraph 4.1)
The ESF systems that automatically initiate appropriate protective actions, whenever the parameters descri bed in Section 7.3.1.2.1 reach predetermined limits, with precision and reliability assuming the full range of conditions and performance are discussed in
Sections 7.3.1.2 and Chapter 15.
Single Failure Criterion (IEEE 279-1971, pa ragraph 4.2)
The ESF systems are not required to meet the single failure criterion on an individual system (division) basis. However, on a network basis, the single failure criteria does apply to ensure the completion of a protective f unction. Redundant sensors, wiring, logic, and actuated devices are physically and electri cally separated such that a si ngle failure will not prevent the protective function. See Section 8.3.1.4 for a discussion of the CGS separation criteria.
Quality Components (IEEE-279-1971, pa ragraph 4.3)
For a discussion of the quality of ESF sy stem components and modules see Section 3.11.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-26 Equipment Qualification (IEEE 279-1971, paragraph 4.4)
Vendor certification requires that the sensors associated with the ESF system variables, manual switches, and trip logic components located in mild environments perform in accordance with the requirements listed on the purc hase specification as well as in the intended application. This certification, in conjunction with the existing field expe rience with thes e components in this application, will serve to qualify these components.
For a complete discussion of ESF equipment se ismic and harsh environment qualification see Sections 3.10 and 3.11.
Channel Integrity (IEEE 279-1971, paragraph 4.5)
For a discussion of ESF systems channel integrity under extr eme conditions described in Section 7.3.1.2, see Sections 3.10 , 3.11 , 8.2.1 , and 8.3.1.
Channel Independence (IEEE 279-1971, paragraph 4.6)
The ESF systems channel indepe ndence is maintained through the application of the CGS separation criteria as described in Section 8.3.1.4.
Control and Protection Interaction (IEEE 279-1971, paragraph 4.7)
There are no ESF system and control system interactions.
Derivation of System Inputs (IEEE 279-1971, pa ragraph 4.8)
The ESF variables are direct m easures of the desired variable s requiring protective actions. See Sections 7.3.1.1.1 through 7.3.1.1.10.
Capability of Sensor Checks (IEEE 279-1971, paragraph 4.9)
See Section 7.3.2.1.3, Regulatory Guide 1.22.
Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
See Section 7.3.2.1.3, Regulatory Guide 1.22.
Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
During periodic tests of any one ESF system cha nnel, a sensor may be valved out of service and returned to service under the administrative control procedur es. Since only one sensor is valved out of service at any given time during the test interval, protective action capability for C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-27 ESF system automatic initiation is maintained through the remaining redundant instrument channels.
Operating Bypasses (IEEE 279-1971, paragraph 4.12)
The ESF systems contain the following operating bypasses.
The PCRVICS has two bypasses:
(1) main steam line low pre ssure operating bypass which is imposed by means of the mode switch in the "startup" position (not in "run"). The mode switch cannot be left in this position above approxi mately 15% of rated power without initiating a scram. Therefore, the bypass is removed by placing the mode switch in the "run" position via the normal reactor operating sequence, and (2) the low condenser vacuum bypass which is imposed by means of f our manual bypass switches in c onjunction with closure of the turbine throttle valves, the r eactor mode switch in any position other than "run," and reactor pressure below the low-pressure setpoint.
Bypass removal is accomp lished automatically by the opening of the turbine throttle valves or raising reactor pressure above the interlock pressure setpoint or manually by placing any of the four bypass switches in normal position or by placing the mode switch in the "run" position.
Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
For a discussion of bypass and inope rability indication see Section 7.1.2.4 , Regulatory Guide 1.47.
Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)
Access to means of bypassing any safety action or safety func tion is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with admi nistrative control of the access to keys, procedurally controlled equipmen t lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional met hods help to prevent inadvertent bypasses or to alert th e plant operators to safety f unction bypasses occurring either from equipment failures or from manually indu ced bypasses that result as part of testing, maintenance, or equipm ent repair activities.
Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is pr ocedurally controlled. When not in use, keys are under the administrative control of the control room supervis or/shift manager and stored in a key locker.
The keys are audited once per day by the control room supervisor/shi ft manager. When operation of a key-locked control sw itch is required to be immediate, such as in the case of the C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-28 reactor mode switch, the key may be left in the lock during normal pl ant operation to ensure timely actuation.
Multiple Trip Settings (IEEE 279-1971, paragraph 4.15)
There are no multiple set points within the ESF systems.
Completion of Protective Action Once Initiated (IEEE 279-1971, pa ragraph 4.16)
Each of the automatically ESF system initiation control logic ch annels seal-in electrically and remain energized after initial conditions return to normal.
Deliberate operator action is required to return (reset) an ESF system logic to normal.
Manual Initiation (IEEE 279-1971, paragraph 4.17)
See the discussion of Regulat ory Guide 1.62 in Section 7.3.2.1.3.
Access to Setpoint Adjustments (IEEE 279-1971, paragraph 4.18)
All access to ESF system setpoint adjustments, calibration controls, a nd test points are under the administrative control of the control room operator.
Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)
The ESF protective actions are di rectly indicated and identified by annunciators located in the main control room and a printed record is avai lable from the process computer and transient data acquisition system.
Information Readout (IEEE 279-1971, paragraph 4.20)
The ESF systems are designed to provide the operator with accurate and timely information pertinent to their status. They do not introduce signals that could cause anomalous indications confusing to the operator.
System Repair (IEEE 279-1971, paragraph 4.21)
The ESF systems are designed to permit repair or replacement of components.
Recognition and location of a failed component will be accomplishe d during periodic testing or by annunciation in the main control room.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.3-29 Identification (IEEE 279-1971, paragraph 4.22)
The ESF panels are identified by nameplates. The nameplate shows the division to which each panel or rack is assigned and also identifies the function in the system of each item of the control panel. The system to which each externally mounted rela y belongs is identified on the relay panels.
Wiring and cabling outside of panels are labeled to indicate its divisional assignment as well as its system assignment (see Section 8.3.1.3).
7.3.2.1.3 Conformance to Regulatory Guides
The following is a discussion of conformance to those Regulatory Guides which apply specifically to the ESF systems. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems.
Regulatory Guide 1.22 - 1972
The ESF systems instrumentation and controls are capable of be ing tested during normal plant operation (unless that testing is detrimental to plant availability) to verify the operability of each system component. Testing of safety-rel ated sensors is accomplished by valving out each sensor, one at a time, and applying a test pressure source or as in the case of the main steam line radiation sensors, the sensor s may be removed and te st sources applied.
This verifies the operability of the sensor, sensor contacts, a nd the sensor setpoint. Associated logic components are typically tested during plant shutdown conditions when component activation is not detrimental to plant opera tion. Functional operability of temperature sensors may be verified by readout comparisons, applying a heat source to the locally mounted temperature sensing elements or by continuity testing.
For the HPCS, LPCS, and LPCI, testing for func tional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single sensor tests. Annunciation is provided in the main control room whenever a test plug is inserted in a jack to indicate to the operator that an ECCS is in a test status.
Operability of air-operated, so lenoid-operated, and motor-operated valv es is verified by actuating the valve control switches and monitoring the position change by position indicating lights at the control switch.
The ESF systems are provided with indications, status displa ys, annunciation, and computer printouts which aid the control room operator during periodic system tests to verify component operability.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-05-009 7.3-30 Regulatory Guide 1.53 - 1973
See IEEE 279 paragraph 4.2 in Section 7.3.2.1.2.
Regulatory Guide 1.62 - 1973
The HPCS, LPCS, and the Division 2 LPCI syst em can be manually in itiated at the system level from the main control room by actuation of armed push buttons. The LPCS push button also initiates the Division 1 LPCI system.
The ADS and the PCRVICS (except RCIC is ma nually isolated at th e system level by its "Manual Isolation Push Button") are manually initiated at the system (division) level by actuation of two armed push butt ons (one for each logic channel). The CIA system provides pneumatic pressure for ope ning of the ADS valves and is normally in service. A safety-related source of pressurized nitrogen will automatica lly come on line if the normal supply cannot maintain system pressure above a preset pressu re. There is no remote manual initiation of the CIA system.
The CSCM is manually initiated at the system (division) leve l by actuation of the RHR pump start control switch and by opening the containment spray or suppression chamber spray valves.
The SPCM is manually initiated from the main control room by actuation of system pump and valve controls.
The SW system is manually initiated at the system (division) level by actuation of the pump start control switch.
The main control room and critical switchgear HVAC is manually in itiated at the system (division) level by actuation of indi vidual fan start control switches.
The SGT is manually initiated at the system (division) level by actuation of the system start control switch.
The actuation of the system level manual in itiation switches simulate s all the actions of automatic or manual (individual equipment initiation) system actuation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-1 High-Pressure Core Spray System Instrumentation Function Instrument a 7.3-31 Reactor vessel low water level (level 2)
Level switch (B22-N031A-D)
MS-LIS-31A-D Drywell high pressure Pressure switch (B22-N047A-D)
MS-PS-47A-D Reactor vessel high water level (level 8)
Level switch (B22-N100A, B)
MS-LIS-100A, B Pump minimum flow Flow switch (E22-N006)
HPCS-FIS-6 Suppression pool high wa ter level Level switch (E22-N002A, B)
HPCS-LS-2A, B Condensate storage tanks low level Level switch (E22-N001A, B)
HPCS-LS-1A, B Condensate supply line level Pressureswitch HPCS-PS-3A, B a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-2 Automatic Depressurization System Instrumentation Function Instrument a 7.3-32 Reactor vessel low water level (level 3)
Level switch (B22-N038A, B)
MS-LIS-38A, B Reactor vessel low water level (level 1)
Level switch (B22-N037A-D)
MS-LIS-37A-D Low-pressure coolant injecti on permissive Pressure switch (E12-N016A-C)
RHR-PS-16A-C (E12-N019A-C)
RHR-PS-19A-C Low-pressure core spray permissive Pressureswitch (E21-N001)
LPCS-PS-1 (E21-N009)
LPCS-PS-9 Automatic depressurization time delay Timer B22-K5AA (MS-RLY-ADK5AA)
B22-K5BB (MS-RLY-ADK5BB) a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-3 Low-Pressure Core Spray System Instrumentation Function Instrument a 7.3-33 Reactor vessel low water level (level 1)
Level switch MS-LIS-37A, C (B22-N037A, C)
Drywell high pressure Pressure switch MS-PS-48A, C (B22-N048A, C)
Injection valve permissive Pressureswitch MS-PS-413C (B22-N413C) Pump minimum flow bypass Flow switch LPCS-FIS-4 (E21-N004) a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-4 Low-Pressure Coolant Injection Instrumentation
Function Instrument a 7.3-34 Reactor vessel low water level (level 1)
Level switch MS-LIS-37A-D (B22-N037A-D)
Drywell high pressure Pressure switch MS-PS-48A-D (B22-N048A-D)
Low-pressure coolant injection pump delay (on loss of normal power)
Timer RHR-RLY-K70A, B Injection valve permissive Pressureswitch MS-PS-413A, B, D (B22-N413A, B, D) Pump minimum flow bypass Flow switch RHR-FIS-10A-C (E12-N010A-C) a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 Table 7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrumentation Function Instrument a LDCN-09-007 7.3-35 Reactor vessel low water level (level 3)
Level switch MS-LIS-24A-D (B22-N024A-D) Reactor vessel low-low water le vel (level 2) Level transmitter MS-LT-61A-D Level switch MS-LS-300A-D Reactor vessel low-low-low water level (level 1) Level transmitter MS-LT-61A-D Level switch MS-LIS-200A-D Main steam line high radiation
[closes RRC-V-19 (20)] Radiation monitor MS-RIS-610A-D (D17-K610A-D)
Main steam line tunnel high temperature
Main steam line tunne l high differential temperature Temperature monitor LD-MON-2A (2B)
Main steam line low pre ssure Pressure switch MS-PS-15A-D (B22-N015A-D)
Drywell high pressure Pressure switch RPS-PS-2A-D (C72-N002A-D) Reactor building ventilation exhaust high
radiation Radiation monitor REA-RIS-609A-D (D17-K609A-D)
Main condenser low v acuum Pressure switch MS-PS-56A-D (B22-N056A-D)
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 Table 7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrumentation (Continued)
Function Instrument a 7.3-36 Main steam line high flow Differential pressure switch MS-DPIS-8A-D (E31-N008A-D)
MS-DPIS-9A-D (E31-N009A-D)
MS-DPIS-810A-D (E31-N010A-D)
MS-DPIS-11A-D (E31-N011A-D)
RWCU system high differential flow Flow Switch LD-FS-605A,B RWCU blowdown line high flow Flow Switch LD-FS-15,16 RWCU equipment areas high temperature
RWCU equipment areas high differential
temperature Temperature Monitor
LD-MON-1A,1B RHR shutdown cooling suc tion high flow Differential Pressure Switch RHR-DPIS-12A,B RHR equipment areas high temperature
RHR equipment areas high differential
temperature Temperature Monitor
LD-MON-2A,2B RCIC steam supply line high flow Differential pressure switch RCIC-DPIS-13A,B RCIC-DPIS-7B RCIC equipment areas high temperature
RCIC equipment area s high differential temperature Temperature Monitor
LD-MON-1A,1B a Instruments in parenthe ses are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-6 DELETED LDCN-02-032,05-009 7.3-37
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-7 Residual Heat Removal System - Containment Spray Cooling Mode System Instrumentation Function Instrument a . 7.3-38 Drywell high pressure Pressure switch (B22-N048A-D)
MS-PS-48A-D Reactor vessel low water level (level 1)
Level switch (B22-N037A-D)
MS-LIS-37A-D a Instruments in parentheses are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-8 Residual Heat Removal Sy stem - Suppression Pool Cooling Mode System Instrumentation Function Instrument a 7.3-39 Reactor vessel low water level (level 1)
Level switch (B22-N037A-D)
MS-LIS-37A-D Drywell high pressure Pressure switch (B22-N048A-D)
MS-PS-48A-D Suppression pool temperature - high Temperaturerecorder CMS-TR-5, 6 Temperatureindicator SPTM-TI-5 a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-9 Standby Service Water Sy stem Instrumentation Function Instrument 7.3-40 Standby service water discharge pressure
low Pressure switch SW-PS-1A, 1B, and 40B Spray pond temperature Temperature switch SW-TS-1A, 1B, 1C, and 1D C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 Table 7.3-10 Main Control Room and Critical Switchgear Room HVAC System Instrumentation Function Instrument a LDCN-13-044 7.3-41 Control room temperature Temperature controller WMA-TIC-11A, B Switchgear rooms temperature Temperature controllers WMA-TIC-52A, B WMA-TIC-53A, B Reactor vessel low-low water le vel (level 2) Level transmitter MS-LT-61A-D
Level switch
MS-LS-300A-D Drywell high pressure Pressure switch (C72-N002A-D)
RPS-PS-2A-D Reactor building ventilation exhaust high
radiation Radiation monitor (D17-K609A-D)
REA-RIS-609A-D a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 Table 7.3-11 Standby Gas Treatment Sy stem Instrumentation Function Instrument a LDCN-09-007 7.3-42 Reactor vessel low-low water level (level 2) Level transmitter MS-LT-61A-D Level switch MS-LS-300A-D Drywell high pressure Pressure switch (C72-N002A-D)
RPS-PS-2A-D Reactor building ventilation exhaust high
radiation Radiation monitor (D17-K609A-D)
REA-RIS-609A-D a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-12 Reactor Building Ventilation and Pressure Controller System Instrumentation Function Instrument 7.3-43 Reactor building differential pressure Differential pressuretransmitter REA-DPT-1A1-1A4 REA-DPT-1 B1-1B4 Differentialpressurecontroller REA-DPIC-1A, 1B
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-13 Containment Instrument Air System Instrumentation Function Instrument 7.3-44 Safety-related header pre ssure - low Pressure switch CIA-PIS-21A, B Safety-related header pre ssure - low Pressure switch CIA-PS-22A, B Non-safety-related header pr essure - low Pressure switch CIA-PS-39A, B
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.3-14 DELETED LDCN-02-032,05-009 7.3-45
{
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 LDCN-03-076 7.4-1 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.
4.1 DESCRIPTION
This section discusses the inst rumentation and controls of th e following systems required for safe plant shutdown:
- a. Reactor core isolation cooling (RCIC) system,
- b. Standby liquid control (SLC) system,
- c. Residual heat removal shutdown cooling mode (RHR-SDC),
- d. Remote shutdown system (RSS),
- e. Anticipated transient without scram recirculation pump trip system (ATWS-RPT), and
- f. Anticipated tran sient without scram alternate rod insertion (ATWS-ARI).
The systems discussed in this section are all capable of assisting th e operator in achieving a safe plant shutdown. The remote shutdown and SLC systems are ma nually operated backups to the control room and reactor manual control systems, respectively, and are only required for special event conditions. Their use is not required to achieve a safe shutdown under normal, transient, or accident conditions. The normal shutdown cooling mo de of residual heat removal (RHR) is available to the operator to remove re sidual heat when the r eactor is shut down. Recirculation pump trip (ATWS-RPT) is used in conjunction with alternate rod insertion (ARI) and SLC to mitigate an ATWS event. Design of the ATWS-RPT and ARI systems is in accordance with the criteria provided in Reference 7.4-1. Loss of any of the systems will not impede safe shutdown of the plant. As such these systems are not required to be safety-related (except RCIC and alternate RHR SDC) and have not been designed to meet safety system requirements.
The sources that supply power to the safe shut down systems originate fr om onsite ac and/or dc safety-related and non-safety-related buses. See Chapter 8 for a complete discussion of the safety-related and non-safety-related power sources.
7.4.1.1 Reactor Core Isolation Cooling System
7.4.1.1.1 Function
The RCIC system (see Section 5.4.6.2) is designed to maintain or supplement reactor vessel water inventory during the following conditions. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-04-027 7.4-2
- a. Normal Operation. When the reactor vessel is isolated fr om its primary heat sink (main condenser) and accompanied by a loss or unavailability of the reactor feedwater system; and
- b. When the plant is being shut down and normal coolant flow from the feedwater system is stopped before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation.
7.4.1.1.2 Operation
Schematic arrangements of system mechanical e quipment are shown in Figure 5.4-11. The RCIC system component c ontrol logic is shown in Figure 7.4-1. Instruments are listed in Table 7.4-1. Operator information displays are shown in Figures 5.4-11 and 7.4-1. The RCIC system can be initiated either manually or automatically. The control room operator can initiate RCIC by operating the manual initiation push button which simulates an automatic initiation or by activating each piece of equipment sequentially as required.
The RCIC system is automatically initiated by four redundant level switches, arranged in a one-out-of-two-twice logic confi guration, which sense reactor vessel low water level (trip level 2).
The RCIC steam line isolati on and the turbine steam exhaust motor-operated valves are normally open with their control switches key locked in the open position, and the turbine trip and throttle valve is normally open and thes e valves require no ch ange of position for automatic system initiati on. (Note: the key locked cont rol switches do not prevent automatic isolation of these valves.)
The RCIC system responds to an automatic initiation signal as fo llows (actions are simultaneous unless stated otherwise):
- a. The pump suction from the condens ate storage tanks valve RCIC-V-10 (MO F010) is signaled open;
- b. To ensure pump discharge flow is directed to the reactor vessel only, the test return line to the condens ate storage tanks valves RCIC-V-22 (MO F022) and RCIC-V-59 (MO F059) are signaled closed;
- c. The turbine steam inlet and the turbine lube oil c ooler cooling water supply valves RCIC-V-45 (MO F045) and RC IC-V-46 (MO F046) are signaled to open; C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-04-027 7.4-3 d. When the turbine steam inlet valve RCIC-V-45 (MO F 045) starts to open, the RCIC pump discharge to reactor vessel valve RCIC-V-13 (MO F013) and the turbine lube oil cooler supply valve RCIC-V-46 (F046) are signaled open.
Valves RCIC-V-13 (MO F013) and RCIC-V-46 (F046) are prohibited from opening or if open, automatically clos es when RCIC-V-45 (MO F045) or the turbine trip and throttle valve RCIC-V-1 (MO F001) is closed. A one-out-of-two-twice limit switch logi c trips the main turbine on the opening of RCIC-V-13 (MO F013) and RCIC-V-45 (MO F045) to limit mo isture introduction;
- e. The barometric condenser vacuum tank vacuum pump is signaled to start; and
- f. When valve RCIC-V-45 (MO F045) leav es the closed position the RCIC turbine is accelerated until the automatic flow controller setpoint is reached and the system discharge flow is controlled by the turbine electronic governor mechanism.
RCIC flow may be directed away from the vessel by diverting the pump discharge to the CST.
This is accomplished by closi ng injection valve RCIC-V-13 and opening the test return valves (RCIC-V-22 and 59). The system is returned to injection mode by closing RCIC-V-59 and then opening RCIC-V-13. This mode of operation will not be used during events where an unacceptable source term is identified in primary containment. Diverting RCIC flow to the CST is not a safety-related function nor does this mode affect the ability of RCIC to initiate during plant transients. The system automatically switches to injection m ode if the water level decreases to the low level initiation point (Level 2).
During system operation if the barometric c ondenser vacuum tank wa ter level becomes high the condenser condensate discharg e pump is automatically starte d and the condensate returned to the RCIC pump suction. When the system is not operating excess ta nk water is discharged through isolation valves RCIC-V-4 (AO F004) and RCIC-V-5 (AO F005) to the equipment
drain system.
In the event the water level in the condensate storage tanks s hould become low the RCIC pump suction is automatically transferred from the condensate storage tank(s) to the suppression pool by opening valve RCIC-V-31 (MO F031). Tw o level switches mounted on a Seismic Category I standpipe in the reactor building are used to detect low water level in the condensate storage tank(s). Either switch can cause automatic suction transfer. Once valve RCIC-V-31 (F031) is fully open the condensate storage tank va lve RCIC-V-10 (MO F010) is automatically closed.
The RCIC system includes design features wh ich provide system equipment protection or accomplish primary containment isolation if certa in types of abnormal events occur. The RCIC turbine is automa tically shut down by closing the turbine trip and throttle valve, RCIC-V-1 (MO F001), if any of the following conditions are detected: C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.4-4 a. RCIC isolation signals:
- i. Low reactor pressure ii. High steam line flow iii. Instrumentation line break iv. High differential temperature across RCIC area cooler
- v. RCIC equipment area high temperature vi. High turbine exhaust diaphragm pressure vii. Manual isolation b. Turbine overspeed
- c. High turbine exhaust pressure
- d. Low pump suction pressure
- e. Low pressure in the RCIC discharge header f. Manual turbine trip actuated by the control room operator.
The steam inlet valve RCIC-V-45 (MO F045) is au tomatically closed and the turbine is shut down if the reactor vessel high water level (level 8) is reached. The isolation valve for RCIC turbine lube oil cooling water, RCIC-V-46 (M O F046), automatically closes if RCIC-V-45 (MO F045) closes, or if the turbine trip and throttle valve RCIC-V-1 closes. Valves RCIC-V-45 (MO F045) and RCIC-V-46 (MO F046) will reopen automatically and the turbine restarts when the water level is subsequently reduced to the low level initiation (level 2).
Turbine trip throttle valve RCIC-V-1 automatically closes upon detection of low pressure in the discharge header of RCIC-P-1. The valve closure prevents the automatic initiation of RCIC in conditions where water hammer may result.
To protect the RCIC pump from overheating dur ing low flow conditions the pump discharge flow and pressure are monitore
- d. If the pump discharge pressu re switch indicates the pump is running and the pump discharge flow switch indicat es low flow, the minimum flow return line valve RCIC-V-19 (MO F019) is automatically opened. The minimum flow valve is automatically closed when flow is normal or wh en either the turbine trip and throttle valve (RCIC-V-1) or the steam inlet valve RCIC-V-45 (MO F045) is closed.
Air operated (AO) valves RCIC-V-25, RCIC-V-26, and RCIC-V-54 (AO F025, AO F026, and AO F054) and a condensate drain pot are provide d in a drain pipe line arrangement just upstream of the turbine inlet valve. On receipt of an RCIC initiation signal, the drainage path is isolated by closing RCIC-V-25 and RCIC-V-26 (AO F025 and AO F026). The water level in the steam line drain condensate pot is cont rolled by a level switch and a valve RCIC-V-54 (AO F054) which energizes to al low condensate to flow out of the drain pot by bypassing the steam trap, in the event that the trap fails to adequately remove the condensate.
The RCIC system turbine exhaust line v acuum breaker isolation valves RCIC-V-110 (MO F080) and RCIC-V-113 (MO F086) are normally open but close automatically following C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.4-5 system trip when both the low steam line pressure and high dr ywell pressure setpoint are exceeded.
The leak detection and other protective signals of RCIC system will automatically signal the steam line warmup valve RCIC-V-76 (MO F076) cl osed, override the key lock control switch position and signal the steam line inboard is olation valve RCIC-V-63 (MO F063) and the outboard steam line isolation valve RCIC-V-8 (MO F008) clos ed if any of the following abnormal conditions exist:
- a. Redundant temperature switches sense RCIC pump room area ventilation air inlet and outlet high differential temperature or high ambient temperature;
- b. Redundant temperature switches sense RCIC pipe routing area high ambient temperature;
- c. Redundant differential pressure switche s sense RCIC steam line high flow or instrument line break (after an approximate 3 sec delay);
- d. Redundant pressure switc hes sense RCIC turbine exhaust diaphragm high pressure. Both switches in the same di vision must actuate to cause isolation; and
- e. A pressure switch senses RC IC low steam supply pressure.
For a complete description of the RCIC system leak detection isolation signal, see Section 7.6.1.3.1. The RCIC system may be isolat ed after initiation by the contro l room operator by actuation of a push button which causes the outboard st eam line isolation valve to close.
7.4.1.2 Standby Liquid Control System
7.4.1.2.1 Function
The SLC system (see Section 9.3.5) instrumentation is designed to initiate injection of a liquid neutron absorber into the reacto
- r. Other instrumentation is provided to maintain this liquid chemical solution well above saturation te mperature in readin ess for injection.
The SLC system is a redunda nt method of manually shutti ng down the reactor to cold shutdown conditions from normal operation or from anticipated tran sient conditions when manual control rod insertion capability is lost. For the anticipated transient condition, boron solution can be injected into the reactor pressure vesse l by running both SLC pumps C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.4-6 simultaneously. The quantity of boron required to s hut down the nuclear reaction can be injected in approximately 1 hr (see Section 9.3.5.2). 7.4.1.2.2 Operation
Schematic arrangements of system mechanical e quipment is shown in Figure 9.3-14. The SLC system component contro l logic is shown in Figure 7.4-2. Operator information displays are shown in Figures 9.3-14 and 7.4-2. The SLC system is initiated by the control room operator by turning the SYSTEM A or the SYSTEM B or both key locked switches to th e OPERATE positions. When either or both of these switches are activated, bot h of the explosive-operated valv es fire and bot h tank discharge valves (SLC-V-1A and SLC-V-1B) start to open immediately. The pumps are interlocked so that at least one of the two storage tank discharge valves (or the test tank discharge valve when testing) must be open for either or both pumps to run. When the SLC system is initiat ed, the outboard isolation valv e of the reactor water cleanup (RWCU) system is automatically closed. This prevents removal of the injected boron by the RWCU demineralizers.
7.4.1.3 Residual Heat Removal System/Shutdown Cooling Mode
7.4.1.3.1 Function
The normal shutdown cooli ng mode (see Section 5.4.7.1) of the RHR system is used when the reactor is shutdown and, if available, can be used for long-term cooling after vessel water level has been restored following accident conditions.
The RHR-SDC consists of instrumentation desi gned to provide decay heat removal capability for the core by accomplishing the following:
- a. Reactor cooling during shutdown operation after the vessel pressure is reduced to approximately 48 psig,
- b. Cooling the reactor water to a temp erature at which reactor refueling and servicing can be accomplished, and
- c. Diverting part of the s hutdown flow to the reactor vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.
7.4.1.3.2 Operation
See Section 5.4.7.2.6 for a complete descripti on of the RHR-SDC operation. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.4-7 7.4.1.4 Remote Shutdown Systems
7.4.1.4.1 Function
The RSS are designed to achieve a cold reactor shutdown from outside the main control room following these postulated conditions:
- a. The plant is at normal operating cond itions and all plant personnel have been evacuated from the main control room and it is inaccessible;
- b. The initial event that causes the main control room to become inaccessible is assumed to be such that the reactor operator can manually scram the reactor before leaving the main control room.
Though the capability exists to manually scram from outside the control room, plant procedures realistically call for scramming before exiting the control room;
- c. The main turbine pressure regulators ma y be controlling reactor pressure via the bypass valves. However, in the interest of demonstrating that the plant can accommodate even loss of the turbine controls, it is assumed that this turbine generator control panel function is also lost. Therefore, main steam line isolation is assumed to occur at a specifi ed low turbine inlet pressure and reactor pressure is relieved through the relie f valves to the suppression pool;
- d. The reactor feedwater system which is normally available is also assumed to be inoperable. Reactor vessel water inventory is provided by the RCIC system or automatic depressurization system (ADS) and RHR as described in Section 7.4.1.4.2; and
- e. Emergency dc power is assumed to be available.
The RSS are required only during times of main control room inaccessibility when normal plant operating conditions exist, i.e., no transients or accidents are occurring. Following such an event the remote shutdown function is provided by two redundant systems: the RSS and the alternate RSS. 7.4.1.4.2 Operation
Some of the existing systems used for normal r eactor shutdown operation are also used in the remote shutdown capability to shut down the reactor from outside the main control room. The functions needed for remote shutdown control are provided with manual transfer switches that override controls from the main control room and transfer the c ontrols to the remote shutdown control panels. Remote shutdown control is not possible without actuation of the transfer C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.4-8 devices. Necessary power supplies and control logic are also transferred. Operation of the transfer switches causes an alarm in the main control room. During a main control room fire it has been postulated that high-to-low pressure interface valves RHR-V-8 and RHR-V-9 (ser ies isolation valves) can simu ltaneously open. This would result in a loss-of-coolant accident (LOCA) outside the primary containment with no mitigation; these valves cannot close against a 1000 psi differential. For this reason, during normal plant operation, power is removed from RHR-V-9. This precludes operation via spurious control circuit energizat ion. Access to the remote shutdown panel is administratively and procedurally controlled. All system equipment controls (for essential va lves and pumps) necessary for proper system lin eup and complete system control are located on the remote shutdown panels.
The remote shutdown function can be effected by one of two redundant systems. The primary (preferred) system uses the RHR system loop B (RHRB) while the secondary uses RHR loop A and is designated as the alternate RSS. The RCIC system is not required for reactor safe shutdown when using the minimum systems analyzed in GE document NEDO-24708A. Consequently, the mode of depressurization used for the alte rnate RSS is based on a rapid depressurization (ADS) in going from event initiation directly to cold shutdown where the low pressure system (RHR A) is used in the altern ate shutdown cooling mode. This flow path uses the suppression pool as a heat sink when the serv ice water system (SW loop A) is needed to bring the reactor to the cold low pressure condition.
When the RCIC system is available, then manual actuation of relief valves and the initiation of the RCIC system will maintain reactor water inventory and bring the reactor to a hot shutdown condition after scram. During this phase of shutdown, the s uppression pool will be cooled by operating the RHR system in the suppression pool cooling mode. Reac tor pressure will be controlled and core decay and se nsible heat rejected to the suppression pool by relieving steam pressure through the relief valves.
Manual operation of the relief va lves will cool the reactor and reduce its pressure at a controlled rate until reactor pressure becomes so low that the RCIC system is unable to sustain operation. The RHR system will then be operated in the shutdown cooling mode using the RHR system heat exchanger to cool reactor water and bring the reactor to the cold low pressure condition. Equipment/functions that have tr ansfer and control switches or indicators located on the remote shutdown and the alternate remote shutdown control panels are shown in the Licensee Controlled Specifications.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.4-9 7.4.1.5 Anticipated Transient Without Scram - Recirculation Pump Trip 7.4.1.5.1 Function
The ATWS-RPT function is to trip the reactor r ecirculation pumps in th e event of an abnormal operating occurrence in conjuncti on with failure of the reac tor protection system (RPS).
7.4.1.5.2 Operation
Schematic arrangement of system mechanical equipment is shown in Figure 5.4-6. The ATWS-RPT is automatically initiated by reactor vessel low water level (level 2) and/or reactor vessel high pressure. Instruments are listed in Table 7.4-2. The sensor logic configuration is "one-out-of-two-twice" for tripping the reactor recirculating pump feeder breakers. See Figure 7.4-3. The ATWS-RPT system is an energize-to-operate system. The sensor logic channels and the feeder breaker trip coil circuitry receive power from the 125-V dc batteries from Divisions 1 and 2. 7.4.1.6 Anticipated Transient Without Scram - Alternate Rod Insertion
7.4.1.6.1 Function
The ATWS-ARI function is to actuate valves in the scram air header to reduce the air pressure in the header allowing the scram inlet and disc harge valves to open pr oviding an alternate scram. The design is diverse and independe nt from the RPS.
7.4.1.6.2 Operation
Schematic arrangement of the system mechanical equipment is shown in Figure 4.6-5. Logic arrangement is shown in Figures 7.4-4 and 7.4-5. The ATWS-ARI is automatically initiated by reactor vessel low water level or reactor vessel high pressure. Instruments are listed in Table 7.4-3. The sensor logic configuration is "two-out-of-two" for either parameter input for ener gizing the scram air h eader exhaust solenoid valves to vent the header. The system can also be actuated manually. The ATWS-ARI is an energize-to-operate system. The sensor logic channels and sole noid valves receive power from the 125-V dc batteries fr om Divisions 1 and 2.
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 7.4-10 7.4.1.7 Design Basis The safe shutdown systems are designed to pr ovide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary (RCPB). Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The me thods of assessing barri er damage and radioac tive material releases, along with the methods by which abnormal ev ents are identified, are presented in Chapter 15. No design basis accident sha ll be considered for the RSS systems (including LOCA). Therefore, control of engineered safety feature (ESF) systems for protective action outside the main control room is not required.
7.4.1.7.1 Variables Monitored to Provide Protective Actions
All safe shutdown systems are initiated by opera tor actions, with the exception of ATWS-RPT and ATWS-ARI which are actuated by level and/or pressure sensor s and RCIC which is activated by low reactor vessel water level (level 2).
The plant conditions which require protective action involving sa fe shutdown are described in Chapter 15.
7.4.1.7.2 Location and Mini mum Number of Sensors
The Technical Specifications identify the minimum number of sensors required to monitor safety-related variables. There are no sensors in the safe shutdown systems which have a spatial dependence.
7.4.1.7.3 Prudent Operational Limits
Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious safe shut down system initiation is a voided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system proces s barrier, is kept within acceptable bounds.
7.4.1.7.4 Margin
The margin between operational limits and the al lowable values for safe shutdown systems are addressed for those para meters listed in the Technical Specifications. 7.4.1.7.5 Levels
Levels requiring protective action are esta blished in the Technical Specifications.
C OLUMBIA G ENERATING S TATION Amendment 57 F INAL S AFETY A NALYSIS R EPORT December 2003 LDC N-9 8-0 7 8 7.4-11 7.4.1.7.6 Range of Transient, Steady State, and Environmental Conditions
See Section 3.11 for environmental conditions. See Sections 8.2.1 and 8.3.1 for the maximum and minimum range of energy s upply to the safe shutdown systems instrumentation and controls. All safety-related instrumentation and controls are specified and purchased to withstand the effects of energy supply extremes.
The ATWS-RPT and ATWS-ARI systems are requi red to function only during an anticipated operational occurrence, not a de sign basis accident. Therefore, all the ATWS-RPT and ATWS-ARI equipment is locate d outside containment and is qualified for the temperature, pressure, humidity, and radia tion levels experienced during the anticipated operational occurrence.
7.4.1.7.7 Malfunctions, Accidents, and Other Unusual Ev ents Which Coul d Cause Damage to Safety Systems
Chapter 15 describes the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside c ontainment, and feedwater line break. Each of these events is discussed below for the safe shutdown systems.
7.4.1.7.7.1 Floods. The buildings containing safe shutdown system components have been designed to meet the probable maximum flood (P MF) at the site location. See Section 2.4. For a discussion of internal flooding protection see Sections 3.4 and 3.6. 7.4.1.7.7.2 Storms and Tornadoes. The buildings containing safe shutdown system components have been designed to withstand meteorological events described in Section 3.3. 7.4.1.7.7.3 Earthquakes. The structures containing safe shutdown system components have been seismically qualified (o r shown to maintain integrity) as described in Sections 3.7 and 3.8 and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumenta tion and electrical equipmen t is discussed in Section 3.10. 7.4.1.7.7.4 Fires. To protect the safe shutdown systems in the event of a postulated fire, the redundant portions of the safe shutdown systems are isolated by electrical separation barriers or physical distance. The use of separation and barriers ensure s that even though some portion of the systems may be affect ed, the safe shutdown systems will continue to provide the required protective action. A fi re detection system using heat detectors and product of combustion detectors is provided in power genera tion control complex (P GCC) floor sections and in panels containi ng safe shutdown system components mounted on these floor sections. A Halon fire suppression system is provided in the same areas. See Appendix F for a discussion of Appendix R fire protection.
C OLUMBIA G ENERATING S TATION Amendment58 F INAL S AFETY A NALYSIS R EPORT December2005 LDCN-03-076 7.4-12 7.4.1.7.7.5 Loss-of-Coolant Accident. The safe shutdown system s components located inside containment which are functionally required following a LOCA have been environmentally
qualified to remain functiona l as discussed in Section 3.11. 7.4.1.7.7.6 Pipe Break Outside Primary Containment. Protection is provided for safe shutdown system components, as required from the effect s of breaks outside primary containment. See Section 3.6. 7.4.1.7.7.7 Missiles. Protection for safe shutdown systems is described in Section 3.5. 7.4.1.7.8 Minimum Perf ormance Requirements
Minimum performance requirements for safe shutdown systems in strumentation and controls are provided in the Technical Specifications.
7.4.1.8 Final System Drawings
Functional and architectural design difference between the PSAR and FSAR are listed in Table 1.3-8.
7.4.2 ANALYSIS
The safe shutdown systems are desi gned such that loss of instrument air, a plant load rejection, or a turbine trip will not prevent the completion of the safety function. No abnormal operation is assumed for the RSS which, by itself, performs no safety-related function.
7.4.2.1 Conformance to 10 CFR 50 Appendix A - General Design Criteria
The following is a discussion of conformance to those genera l design criteria (GDC) which apply specifically to the safe shutdown systems. See Section 3.1 for a discussion of GDC which apply equally to all safety-related systems.
GDC 19 - Control Room
The RSS consists of equipment located outside the control room which is sufficient to provide and ensure safe shutdown of the reactor.
GDC 34 - Residual Heat Removal
Refer to Section 3.1.2.4.5. C OLUMBIA G ENERATING S TATION Amendment58 F INAL S AFETY A NALYSIS R EPORT December2005 LDCN-03-076 7.4-13 7.4.2.2 Conformance to IEEE Standards
The following is a discussion of conformance to IEEE 279-1971 which applies specifically to the safe shutdown systems. See Section 7.1.2.3 for a discussion of IEEE Standards which apply equally to all safety-related systems.
General Functional Re quirement (IEEE 279-197 1, paragraph 4.1)
Since the RSSs, by themselves, do not perform any safety-related function, they do not fall within the criteria set by IEEE 279. However, since certain RSS components interface with safety-related systems, such as RHR and RCIC, during normal operation, they are part of those systems and meet the design criteria for those systems. Remote shutdown is provided by two redunda nt systems: the Division 2 RSS and the Division 1 alternate RSS. Portions of these systems are electrically separated by the physical and spatial requirements described in Section 8.3.1.4. A design basis fire in the main control room that fails all components to their worst operati onal state is considered an incredible event. As such only the Division 2 power distribution system for the Division 2 remote shutdown is completely isolated from the effects of a main control room fire. Control room interaction that would result in the loss of power to the alternate RSS as well, is not considered credible per Columbia Generating Station (CGS) SSER commitments (licensing condition 12). The RSSs
consist of components that are qualified to Quality Cl ass I and Seismic Category I requirements. Operation of any RSS transfer switch is annuncia ted in the main control room.
The RCIC is automatically initiated when reactor vessel water level is determined to be below a predetermined limit.
The SLC system is initiated by the control room operator. Display instrumentation in the control room provides the operator with inform ation on reactor vessel water level, pressure, neutron flux level, control rod position, and sc ram valve status allowing assessment of the need for initiation of the SLC system.
The ATWS-RPT and ATWS-ARI are automatically initiated when reactor vessel low water level and/or reactor vessel high pressure predetermined limits are exceeded. ATWS-RPT and ATWS-ARI do not perform a safety-related func tion and do not fall within the criteria of IEEE 279. However, applicable paragraphs of IEEE 279 are addressed in the following paragraphs:
Single-Failure Criterion (IEEE 279-1971, pa ragraph 4.2)
The reactor shutdown cooling func tion is safety rela ted and required to comply with single failure requirements of IEEE 279 and GDC 34. However, the prefe rred RHR-SDC suction path uses a single loop of the RRC system th rough two series, redundant division, isolation C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 LDCN-03-076 7.4-14 valves RHR-V-8 and RHR-V-9 and is, therefore, not single failure proof. To meet the single failure requirements of IEEE 279 a nd GDC 34, a safety related, single failure proof design for this function is provided by the alternat e shutdown cooling m ode of RHR. See Section 5.4.7.1.1 and the notes to Figure 15.2-10 , Activity C1 or C2 fo r a complete discussion of the alternate shutdown cooling mode of RHR. The alternate shutdown cooling mode is safety related and single failu re proof in that two redundant divisions of equipment are available. Since the normal shutdown cooling mode is the preferred path, Energy Northwest will maintain all the preferred path compone nts as safety related, Quality Class I. The RCIC system alone is not required to meet the single-fa ilure criterion. The RCIC initiation and isolation initiati on sensors and associated l ogic do, however, meet the single-failure criterion for automatic system initiation or isolation. The single-failure criteria is met through physical and electr ical separation of equipment as described in Section 8.3.1.4. The SLC system serves as b ackup to the control rod drive (CRD) system for controlling reactivity if the CRD fails and is required for ATWS. It is not necessary for the SLC system to meet the single failure criterion.
The ATWS-RPT and ATWS-ARI are not required to meet the single failure criterion. However, with the exception of the electrical power and the final actuating equipment the system is designed to the single failure criterion.
Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
See Section 3.11 for safe shutdown syst em conformance. The ATWS-ARI components are selected to satisfy the quality requirements in Reference 7.4-1. Equipment Qualification (IEEE 279-1971, paragraph 4.4)
Vendor certification requires that the safe shutdown system se nsors, manual switches, and logic components perform in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the existing field experience with thes e components in this applicati on, will serve to qualify these components.
For a discussion of safe shutdown system equipment qualification see Sections 3.5 , 3.6 , 3.10 , and 3.11. Channel Integrity (IEEE 279-1971, paragraph 4.5)
For a discussion of RCIC and SL C system Channel Integrity unde r all extremes of conditions described in Sections 7.4.1.1 and 7.4.1.2, see Section 3.11. C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 7.4-15 Channel Independence (IEEE 279-1971, paragraph 4.6) Channel independence is maintain ed through application of the CGS separation criteria as described in Section 8.3.1.4. Control and Protection Interaction (IEEE 279-1971, paragraph 4.7)
The RCIC, SLC, ATWS-RPT, and ATWS-ARI systems have no inte raction with plant control systems. Derivation of Systems Inputs (IEEE 279-1971, paragraph 4.8)
All inputs to the RCIC system, RSS, RHR-SDC, ATWS-RPT, and ATWS-ARI that are essential to their operation are direct measures of appropriate variables.
The SLC system display instrumentation in the control room provides the operator with directly measured information on reactor vessel water level, pressure, neutron flux level, control rod position and valve stat us. Based on this information the operator can assess the need for the SLC system.
Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9)
See Section 7.4.2.3 , Regulatory Guide 1.22.
Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
See Section 7.4.2.3 , Regulatory Guide 1.22.
Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
Calibration of a sensor which introduces a single instrument channel trip will not cause a protective action without the coincident trip of a second channel. Rem oval of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning.
Operating Bypasses (IEEE 279-1971, paragraph 4.12) There are no operating bypasses with in the safe shutdown systems.
Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
For a discussion of bypass and inope rability indication see Section 7.1 , with the exception of ATWS-RPT and ATWS-ARI, which ar e under administrative control. C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 7.4-16 Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)
Access to means of bypassing any safety action or safety func tion is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with admi nistrative control of the access to keys, procedurally controlled equipmen t lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional met hods help to prevent inadvertent bypasses or to alert th e plant operators to safety f unction bypasses occurring either from equipment failures or from manually indu ced bypasses that result as part of testing, maintenance, or equipm ent repair activities.
Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is pr ocedurally controlled. When not in use, keys are under the administrative control of the control room supervis or/shift manager and stored in a key locker. The keys are audited once per day by the control room supervisor/shi ft manager. When operation of a key-locked control sw itch is required to be immediate, such as in the case of the reactor mode switch, the key may be left in the lock during normal pl ant operation to ensure timely actuation.
Multiple Set Points (IEEE 279-1971, paragraph 4.15)
There are no multiple setpoints wi thin the safe shutdown systems.
Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
The RCIC is automatically stoppe d on high vessel water level, system malf unction trip signals or if steam supply pressure drops below th at necessary to sustain turbine operation.
The SLC system explosive valves remain open once fired. The inje ction valves will not close, and discharge pump motors will continue to r un unless terminated by operator action. The ATWS-ARI system once initiated will actuate valves in the scra m air header thus providing an alternate method to scram. This action will c ontinue until the trip logic is cleared and the operator resets the system.
Manual Initiation (IEEE 279,1971, paragraph 4.17)
See Sections 7.4.1.1 , 7.4.1.2 , 7.4.1.3 , 7.4.1.4 , 7.4.1.5 , and 7.4.1.6 for a discussion of the manual initiation of RCIC, SLC, RHR-SDC, RSS, ATWS-RPT, and ATWS-ARI systems.
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 7.4-17 Access to Set Point Adjustment (IEEE 279-1971, paragraph 4.18) All access to setpoint adjustments for RHR-SDC, RCIC, ATWS-RPT, and ATWS-ARI are under administrative control of the control room supervisor /shift manager.
The operation of the SLC system is not dependent on or affected by any setpoint adjustment or calibration.
Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)
Automatic initiation of the RCIC system is annunciated in the control room.
The ATWS-RPT breaker trip is annunciated in the control room. The ATWS-ARI system
initiation is annunciated in the control room.
The explosive valve status of the SLC system, once fired, is indicated in the control room.
Information Readout (IEEE 279-1971, paragraph 4.20)
The RCIC, ATWS-RPT, and ATWS-ARI systems are designed to provide the operator with accurate and timely information pertinent to their status. They do not give anomalous indications confusi ng to the operator.
The SLC system discharge pressu re of the pumps and storage ta nk level is indicated in the control room.
System Repair (IEEE 279-1971, paragraph 4.21)
The RCIC, SLC, ATWS-RPT, a nd ATWS-ARI systems are designed to permit repair or replacement of components duri ng normal plant operation.
Recognition and location of a failed component will be accomplishe d during periodic testing or by annunciation in the control room.
Identification (IEEE 279-1971, paragraph 4.22)
Controls and instruments for RCIC, SLC, ATWS-RPT, and ATWS-ARI systems are located in the main control room and clearly identified by nameplates. Relays are located in separate panels for RCIC, SLC, ATWS-RPT , and ATWS-ARI systems use onl
- y. Relays a nd panels are identified by nameplates. All wiring and cabling is labeled to indicate its divisional assignment as well as its system assignment (see Section 8.3.1.3).
C OLUMBIA G ENERATING S TATION Amendment58 F INAL S AFETY A NALYSIS R EPORT December2005 7.4-18 7.4.2.3 Regulatory Gu ides Conformance Regulatory Guide conformance for remote shutdown control and instrumentation is provided in this chapter for each system whose instrumentation and controls interface with the RSS.
Conformance to Regulatory Guides for the RH R shutdown cooling mode is discussed in Section 7.3.2.
The following is a discussion of conformance to those Regulatory Guides which apply specifically to the RCIC, SLC, ATWS-RPT, and ATWS-ARI systems. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems. Regulatory Guide 1.22 - Periodic Testing of Protecti on System Actuation Functions
The RCIC system, with the ex ception of RCIC-V-13 (injection valve), is capable of being completely tested during normal pl ant operation to verify that each element of the system is capable of performing its intended safety function. RCIC-V-13 is operability tested during plant shutdown.
The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored and annunciated in the cont rol room. The remainder of the SLC system may be tested during normal plant operation to verify that each element is capable of performing its intended function.
Testing of RCIC, SLC, ATWS-RPT, and ATWS-ARI systems sensors during normal plant operation is accomplished by valving out each sensor from its process line and applying a test pressure source. This verifies the operability of the sensor, its ca libration range, and the operability of associated cont rol room logic components.
Also, the ATWS-RPT trip logic up to the breaker trip can be tested during plant operation. The ATWS-ARI trip logic can be tested up to the solenoid valves during plant operation.
Regulatory Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems
See Section 7.4.2.2 and IEEE 279, paragraph 4.2, fo r the RCIC, SLC, ATWS-RPT, and ATWS-ARI systems.
Regulatory Guide 1.62 - Manual Initiation of Protective Actions
The SLC system is actuated by two key-locked switches on the ma in control room console. Operating either switch starts one of the injection pumps, actuates both of the explosive valves, C OLUMBIA G ENERATING S TATION Amendment58 F INAL S AFETY A NALYSIS R EPORT December2005 7.4-19 opens both pump suction motor-operated valves , and closes the RWCU system outboard isolation valve.
The ATWS-RPT feeder breakers can be initiated manually from the main control room by actuation of the feeder breaker control switch.
The ATWS-ARI scram air header blowdown valv es can be manually initiated from the main control room.
The RCIC system can be manually in itiated for vessel wa ter level makeup. 7.
4.3 REFERENCES
7.4-1 NEDE-31096-P, Licensi ng Topical Report, Anticipated Transients Without Scram, response to NRC ATWS RULE 10 CFR 50.62, December 1985. C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.4-1 Reactor Co r e Iso l ation Cooling System Instrumentation Function Instrumen t a 7.4-21 Reactor ve s s el high wa t e r le vel (le v el 8) Level switch (B22-N024B, D) MS-LIS-24B, D Pump low suction pressure Pressure switch (E51-N006)
RCIC-PS-6 Reactor ve s s el low wa t e r le vel (l evel 2) Level switch (B22-N037A-D)
MS-LIS-37A-D Drywell high pressure Pressure switch (B22-N048A-D)
MS-PS-48A-D Condensate storage tanks l o w water level Level switch (E51-N015A, B) RCIC-LS-1 5 A, B a Instruments in parenthes e s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.4-2 ATWS-Recirculation Pump Trip
System Instrumentation Function Instrumen t a 7.4-22 Reactor ve s s el low wa t e r level (l evel 2) Level indicating switch MS-LIS-36A-D
(B22-N036)
Reactor vessel high pressure
Pressure switch MS-PS-45A-D
(B22-N045) a Instruments in parenthes e s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.4-3 ATWS-Alternate Rod Insertion
System Instrumentation Function Instrumen t a 7.4-23 Reactor ve s s el low wa t e r level (l evel 2) Level indicating switch MS-LIS-36A-D
(B22-N036)
Reactor ve s s el high pressure Pressure switch MS-PS-45A-D
(B22-N045) a Instruments in parenthes e s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 7.5-1 7.5 SAFETY-R ELATED DISPLAY I N STRUMENTATION 7.5.1 SUMM A RY DESCRIPTION
7.5.1.1 General
This section describes the instr u mentation that provides inform a tion to the operator to enable
him to asse s s the s t atus of sa f e ty-re l ated s y s t ems and the need to perfo r m required safety functions including a dis c ussion of conformance to Regulatory G u ide 1.97. The safety-rela t ed display i n strumentation is listed in Table 7.5-
- 1. It tabulates equipment
identified on the various f i gures located in Secti o ns 7.2 , 7.3 , 7.4 , and 7.6.
The instrumentation and ranges shown in Table 7.5-1 are selected on the basis of giving the reactor operator the neces s ary information to perform normal plant operations and yet the
capabil i ty to track process var i ables pertinent to safety f o llowing design-basis accidents (DBAs).
The follow i ng information is provided to t h e control room operat o r to monitor reactor conditions and allow assessment of saf e ty system status foll o wing a DBA.
The power sources to the instrumentation des c ribed in this section originate from the
Division 1, Division 2, or D i vision 3 safety-related emerg e ncy ac and/or dc buses unless
indicated otherwise.
7.5.1.1.1 Reactor Wa t e r Level Two divisionally separated ranges of water level instru mentation are provided: wide range and
fuel range.
Wide range water level is s e nsed by two divisionally sep a rated differential pressure
transmit t ers. The signa l s are disp l a yed in t h e control room on two r ecorders. Wide range instruments cover the level from +60 in. to -150 in.
Fuel range water level ove rlaps the wide range to provide wat e r level in the actual core region. Level is sensed by two divisionally separated d i fferential p r essure t r ansmitters. T h e level is displayed in the control room on a r ecorder a nd an indicator. The fuel range covers from -310 in. to -110 in.
The two ranges provide continuous l e vel indication from 60 in. above the bottom of the dryer skirt to 150 in. below the top of the active fue
- l. Both ranges have a common zero reference
point located 527.5 in. above the i n side bottom of the reactor vessel.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-98-116 7.5-2 In addition to the wide range and fuel zone range, the following are provided.
Upset range water level is sensed by a single channel to monitor from 0 in. to 180 in. and is recorded in the control room.
Shutdown range water level is sensed by a single channel to monitor from 0 in. to +400 in. and is indicated in the control room.
The combination of all fourranges monitor from just below the bo ttom of the activ e fuel to the top of the reactor head, a total span of -310 in. to +400 in. In response to NRC Bulletin 93-03 a continuous backfill capability was a dded for the reactor pressure vessel (RPV) level reference legs to ensure the level instrumentation system design is of high functional reliability fo r long-term operation by minimizi ng the transport of dissolved noncondensable gas down the re ference legs. The control r od drive (CRD) system is the source of backfill water as described in Section 4.6.1. 7.5.1.1.2 Reactor Pressure Reactor pressure is sensed by two divisionally separated pressure transmitters. These pressure transmitters are recorded in the control room. 7.5.1.2 Reactor Shutdown Indication The following information is provided to th e control room operato r to monitor reactor shutdown. a. Control rod status lamps indicating each rod fully inserted. Power is supplied from a highly reliable non-Class 1E uninterruptible power supply (UPS) system;
- b. Control rod scram pilo t valve position status lamp s indicating open valves;
- c. Neutron monitoring power range channels and recorders downscale. The power sources are from reactor protection system (RPS) motor-generator (MG) sets;
- d. Source range neutron mon itoring channels and recorder s on scale. When fully withdrawn from the core, the range covered is approxi mately 10% to 10
-3% power. When fully inserted, the range is 10 -3% to 7% power;
- e. Annunciators for RPS variables and trip logic in the tripped state. Power is supplied from a Class 1E power source;
- f. The computer work stations provide logging of trips and co ntrol rod position log and provides thermal hydraulic informa tion to the operator which is used to
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-15-033 7.5-3 keep the plant operating within Tec hnical Specifications limits. Power is supplied by a non-Class 1E UPS power source; and
- g. Reactor water sample analysis to determine soluble boron concentration via the postaccident sample station.
7.5.1.3 Primary Containment and Reactor Vessel Isolation Indication The following information is provid ed to the control room operato r to monitor th e integrity of the primary containment.
- a. Power operated primary containment is olation valve (excluding check valves) position indication is displayed (valve position indicating lamps) at valve controls in the control room which ar e Class 1E and is also displayed by a non-Class 1E transient data acquisi tion system (TDAS) (see Section 7.7). The non-Class 1E RPS MG sets provide an acceptable power supply in conjunction with the independently powered TDAS display. Although the hardened containment vent primary containment isol ation valves are pow er operated, their function is to operate in a beyond-design-basis event.
Position indication is provided at the controls in the control room. These valves are spring closed with the operating pneumatics isolated a nd locked requiring a manual action to place in service and therefore, are not powered from a Class 1 E supply.
- b. Main steam line flow indication;
- c. Annunciators for the primary containm ent and reactor vessel isolation system variables and trip logic in the tripped state. Power is supplied by Class 1E power; and
- d. Process computer logging of trips.
Power is from a non-Class 1E UPS power supply. 7.5.1.4 Emergency Core Cooling System and Reactor Core Isolation Cooling Indication The following information is prov ided to the control room operator to monitor emergency core cooling system (ECCS) and reactor core isolation cooling (RCIC) system status.
- a. Annunciators for high-pressure core spray (HPCS), low-pressure core spray (LPCS), residual heat removal (RHR), automatic depressurization system (ADS), and RCIC sensor initiation logic trips;
- b. Flow and/or pressure indications for each ECCS and RCIC are provided;
- c. ECCS and RCIC valve position indication;
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 LDCN-00-018 7.5-4 d. Process computer logging of trips in the ECCS and RCIC. Power is provided from the UPS, a highly reliable non-Class 1E power supply;
- e. Transient data acquisition system display of RCIC and ECCS functions. Power is provided from the UPS, a highly re liable non-Class 1E power supply; and
- f. Main steam safety/relief valve (SRV) position indication.
7.5.1.5 Containment Indications
The following information is pr ovided to the control room operator to monitor primary containment status.
7.5.1.5.1 Primary Containm ent Pressure Monitoring
There are two divisions of drywell pressure mon itoring instruments. Each division consists of three monitoring ranges. The narrow range is -5 to +3 psig; the intermediate range is 0 to 25 psig; and the high range is 0 to 180 psig. E ach range is recorded a nd the narrow range is indicated in the control room.
7.5.1.5.2 Primary Containment Temperature
Containment temperature is monito red continuously by a recorder in the control room. Points of measurement are as follows:
Points Description 4* Air inlet vicinity recirculation pump motors
5* Fan coil inlets
5 Fan coil outlets
3* RPV head flange area 6 Sacrificial shield annulus 3 CRD area
- Some of these points are summed to provide average drywell temperature information during normal operation and post accident conditions.
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 7.5-5 2 RPV head area 5 SRV area 3* Fan coil inlet minus annulus air
5 Upper drywell area return ducts
5 Miscellaneous areas 2 Suppression chamber air temperature
2 Suppression pool water temperature
Drywell average temperature and suppression chamber air temperatur e are recorded in the control room. Indication from all points is also available.
7.5.1.5.3 Primary Containment Radiation
The atmosphere of the primary containment is monitored for lo w levels (leak detection) and high levels [loss-of-coolant accide nt (LOCA)] of radioactivity and recorded in the control room on two redundant recorders.
The leak detection monitoring system consists of two identical divisionally separated offline samplers with racks located in the reactor building sample rooms. Each sample rack has a two-channel unit containing a pa rticulate and a noble gas scintilla tion detector. The detectors are of high sensitivity to detect the presence or increase of radioactiv ity in the atmosphere indicating small leaks in the reactor coolant pressure boundary (RCPB). The output signals from the detectors are sent to panels in the main control room , which contain count ratemeters, recorders, and controls.
An air sample is piped from the containment at mosphere to the local le ak detector racks and returned to containment. The control room operator has complete control of the operation and checking of the monitor system from the main control room. The leak detection channels described above are isolated when a LOCA occu rs because they would rapidly be saturated by the high levels of radioactivity.
The LOCA detection system provides a means to detect a r upture of the RCPB which has released large amounts of radioact ive material into primary cont ainment. The LOCA detection system consists of two divisionally separated re dundant systems. Each system contains an
- Some of these points are summed to provide average drywell temperature information during normal operation and post accident conditions.
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 7.5-6 ionization chamber type detector located inside the primary containment. The LOCA monitors provide signals to panels in the main cont rol room, which contain count ratemeters and recorders.
7.5.1.5.4 Primary Containment H ydrogen and Oxygen Concentration
Atmosphere samples from a minimum of two loca tions inside the primary containment and one location in the suppression chamber are sequentially monitored for hydrogen and oxygen percentage levels by each of tw o redundant analyzer systems (see Figure 9.4-8 ). Each gas analyzer system contains a hydrogen and an oxygen sensor with calibrated resistance temperature detectors (RTDs) and pressure tr ansducers that allow a microprocessor in the H 2-O 2 analyzer system to automatically compensate the measured H 2 or O 2 concentrations for changes in temperature and pre ssure. The microprocessor provi des for periodic calibration of the analyzers. All gases ar e pumped back to the primary containment at all times.
The analyzers are single range, i.e., 0 to 30% hydrogen and 0 to 30% oxygen. The output signal from each analyzer is se nt to a recorder in the main control room. Two redundant (divisional) recorders are provide
- d. Each analyzer has three adjustable alarm contacts which annunciate abnormal conditions (Hi H 2 , Hi O 2 , and Hi Hi O
- 2) in the main control room.
7.5.1.5.5 Suppression Chamber Pressure
Suppression chamber pressure is recorded in the control room from two separate pressure transmitter systems. Range of recording is from 0 to 100 psig.
7.5.1.5.6 Suppression Pool Temperature Monitoring
Postaccident suppression pool te mperature data is provided by four thermocouples, one per wetwell quadrant, which feed signals to a summer via millivolt to curr ent converters (MV/Is). The average suppression pool temperature is then recorded and displayed in the control room. Backup thermocouples are available for use in the monitoring scheme. See Section 7.6.1.7 for additional information.
7.5.1.5.7 Suppression Pool Water Level Monitoring
Both wide range and narrow ra nge suppression pool water level are monitored by two sets of redundant Class 1E sensors. Each sensor consists of one level transmitter which provides a signal to a recorder in the control room. The range of these sensors is +/-25 in. from normal water level in the pool for the narrow range and 2 ft to 52 ft for the wide range.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-07-001 7.5-7 7.5.1.6 Monitoring for Radioactive Release to the Environment
7.5.1.6.1 Building Effluent Gas Monitors
The effluent activity from th e reactor building ventilation e xhaust, the condenser offgas system, the condenser vacuum pump system, and the standby gas treatment system (SGTS) is monitored by using an on-line isotopic analysis system. This system uses three detectors to monitor the reactor building elevated release duct, providing both gross gamma and isotopic information. Two postaccident detectors, using collimators and shielding, monitor activity through the stack, and one dete ctor mounted in a well inside the stack monitors normal operational levels. Both the postaccident and normal operationa l data are reco rded in the control room and trended via computer work stations. The turbine building effluent release path is monitored using an isokinetic system. A sample is wit hdrawn from the duct through an array of isokinetic nozzles then through particulate and charcoal filters and into a low range and high range set of gas detectors. Each of these effluent stacks or ducts have a continuous vent flow rate monitoring syst em as described in Section 7.5.2.2.3. As described in Sections 11.5.2.2.1.5 and 11.5.2.2.1.6 , signals from these radiati on detectors are sent to a ratemeter and recorder located in the control ro om. Similar systems ar e installed to monitor the radwaste building ventilation rel ease path as described in Section 11.5.2.2.1.7 , except that flow rate monitoring is available on computer work stations ra ther than on a separate flow recorder. Even though flow monitoring is Category 2 which re quires environmental qualification, TDAS is not environmentally qualified. However, TDAS is located in the main control room (a mild environment) and is designed for this se rvice environment. If TDAS is unavailable, radwaste building effluent flow will be determined in accordance with the ODCM.
7.5.1.6.2 Meteorol ogical Conditions
The wind speed, wind directions, a nd stratified atmospheric temper ature information is sensed by the meteorological tower primary and backup in strumentation and is r ecorded in the control room. Indicated meteorological conditions are used to calculate doses downwind due to a radiation release. Wind speed and direction is monitored by separa te channels at the 33 ft and 245 ft elevations. Primary and backup channels provide the air temperature difference between 33 ft and 245 ft elevations.
7.5.1.7 Radiation Exposure (Postaccident) (See Section 12.3.4.2) High range area radiation monitors are located inside the reactor bu ilding to monitor the exposure rates at entry points to that building following an accident. These also serve to provide indication of any radioactive releases into the reactor building from the primary containment and provide trend monitoring during accident co nditions. Signals from the detectors are recorded in the control room.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.5-8 7.5.1.8 Postaccident Sampling System The postaccident sampling system provides a means for obtaining grab samples of highly radioactive liquid samples of prim ary coolant directly from the reactor vessel, the RHR loops, or the suppression pool and atmospheric samples of the drywell, wetwell, and reactor building. All samples may be transpor ted for analysis in the ons ite or offsite facilities.
7.5.1.9 Primary System Reli ef Valve Position Indication Two methods are available to monitor SRV position in the main control room:
- a. Direct indication: Uses linear variable differential transformers (LVDTs) mounted directly on the relief valves.
These sensors genera te a voltage signal proportional to valve lift which is processed to provide an OPEN/CLOSED indication and an nunciation; and
- b. Tail pipe thermocouples:
Uses thermocouples attach ed to the SRV tailpipes which monitor the temperature rise in the piping resulting fr om open or leaking relief valves. These signals are recorded and annunciated. 7.5.1.10 Power Supply Status Monitoring
Voltage indication for standby power buses of 4160-V ac and 480-V ac switchgear are provided in the control room. Voltage and ampe rage indication is also provided for batteries, battery chargers, inverters, and dc and UPS buses.
7.5.1.11 Primary Water Source Indication
The amount of feedwater flow to the reactor is detected by flow tran smitters located on the feedwater lines. The flow rate is recorded in the control room. The reserve of water available in the condensate storage tanks is monitored and transmitted to the control room for operator information.
7.5.1.12 Residual Heat Removal System Residual heat removal system loops A and B ma y function in several di fferent modes. The flow for each of these modes, except for the r eactor vessel head spray, is indicated by a single flow meter for each loop. The flow rate fo r each mode is dete rmined by observing both indicated flow and valve position. The head sp ray has its own individual flow meter. All flow information is displa yed in the control room. Residual heat removal system loop C functions only in one mode. The flow rate for this mode is also displayed in the control room. C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.5-9 Heat from the RHR loops A and B is removed via heat exchangers. Th e outlet temperature of the heat exchangers is recorded in the control room.
7.5.1.13 Standby Liqu id Control System
The standby liquid control (SLC) system flow into the reactor is monitored and displayed in the control room. Additionally, th e SLC system tank level is disp layed in the control room as a backup indication to the flow. 7.5.1.14 (DELETED)
7.5.1.15 High Levels in Radioactive Liquid Tanks
Each tank used to hold or collect radioactive liquids is equipped with a level indicating system. The level is recorded on local panels in the radwaste building.
7.5.1.16 Emergency Ventilati on Damper Position Indication
Damper position indication is provided in the control room for all dampers necessary to prevent release of radioactive gases to the environment or for the protection of operating personnel during accident conditions.
7.5.1.17 Standby Serv ice Water System
Flow rate in each loop is detected by a flow transmitter providing signals to indicators in the control room. The spray pond temperature is indicated in the control room. The spray pond provides the source of cooling water to engi neered safety feature (ESF) components.
7.5.1.18 Spent Fuel Pool Cooling System
The temperature of the spent fuel pool is monitored by instrumentation that provides indication and hi-alarms in the control room.
7.5.1.19 Main Control R oom Heating, Ventilati ng, and Air Conditioning
Redundant temperature indications are provided in the control r oom to monitor control room temperature.
7.5.1.20 Standby Gas Treatment System
Each division of the SGTS is provided with loop flow indication in the control room.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.5-10 7.5.1.21 Containment Instrument Air Each division of the containment instrument air (CIA), the common header and both ADS main steam relief valve trains, pr ovides system line pressure in dication in the control room. The sequence programmers for the backup nitrogen bottles on each train provide annunciator signals to the control room when the last bottles are connected to the train manifolds.
7.5.1.22 Safety Parameter Display 7.5.1.22.1 Description
The safety parameter display system (SPDS) design is ba sed on the emergency response information system (ERIS) con cept developed by the BWR Owner's Group. The ERIS control room information requirements are defined as a minimum by the Emergency Procedures Guidelines (EPG).
The purpose of the SPDS is to assist control room personnel in making quick assessments of plant safety status. The func tional criteria for the SPDS ar e described in NUREG-0696. These requirements are satisfied using human engineered hard-wired control room instrumentation. Additional support information that is useful for emergency response is
supplied by the Graphic Display System (GDS). The displays provide in formation related to the following plant functions:
- a. Reactivity control,
- b. Reactor core cooling and heat removal,
- c. Reactor coolant system integrity, d. Radioactivity control, and
- e. Containment integrity.
7.5.1.22.2 Conformance to NUREG-0696
The overall SPDS design consists of two display systems. The human engineered hard wired control room instrumentation needed to comp ly with Regulatory Guide 1.97 is the primary source of plant safety status. These displays are Class 1E and sufficiently concentrated to allow rapid safety assessment. (Additional information is contained in Appendix B, TMI Item I.D.1.)
The hard-wired control room disp lays afford continuous parameter status indi cation. Real time validation of critical parameters is accomplished by comparis on of signals from redundant divisions. Operating procedures and operat or training provide guidance resolution of unsuccessful data validation. Recorders indicate magnitude and trend of important parameters, and alarms provide audible notification of an unsafe operating condition. Redundant C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-15-039 7.5-11 divisionally separate instrume ntation provided for critical parameters ensures a very high degree of reliability during both plant operation and cold shutdown.
Additional support information is supplied by the GDS. The GDS consists of high performance human factored HMI displays of critical plant func tions. The GDS and Class 1E equipment are adequately isolated to meet IEEE 279-1974. Data is collected and processed by the control room real time data acquisition systems (see Section 7.7.1.15). Processed data of critical parameters is subseque ntly formatted and available fo r display in the control room automatically or on request. The HMI display of critical parameters is a dedicated function with form atted displays capable of indicating approaches to off normal conditions for critical plant parameters. Control room displays are available on a separate HMI on an "ON DEMAND" or "AUTOMATIC" basis as required. Power to the data acquisition system, computer pro cessor, and HMI displays is uninterruptible. All analysis and display hardware is located in the main control room, however, both the TSC and EOF have acces s to any event res ponse aid function.
The HMI displays provide continuo us indication of plant safety status. Where applicable, real time validation of each signal is accomplishe d by comparing redundant signals. Display formats were developed by the BWR Owners' Group based on critical parameters and the EPG. Displays are capable of showing the magnitude and tre nd of critical parameters and parameter vs. para meter displays needed to support EP G requirements. The hardware and software designs allow system e xpansion and flexibility in displa y formats. The use of highly reliable components ensures a ve ry high degree of reliability.
7.5.2 ANALYSIS
AND DESIGN BASIS
7.5.2.1 Design Basis
The safety-related display in strumentation is designed to provide the operator with all necessary information to assess the status of transients or accidents from their onset to a safe cold shutdown condition, to asse ss the status of safety-related systems us ed to mitigate the event, and to allow timely operator actions as necessary.
Chapter 15 identifies and evaluates events that jeopardize the fu el barrier and RCPB. The methods of assessing ba rrier damage and radioactive materi al releases, along with the methods by which abnormal events are id entified, are discussed in Chapter 15. Variables monitored are listed in Table 7.5-1. These variables have been selected using the methodology established in Regulatory Guide 1.97, NUREG-0737, and the EPG. C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.5-12 The safety-related disp lay instrumentation is categorized into types in accordance with Regulatory Guide 1.97, Revisi on 2 or 3, and according to the primary function during a transient or accident condition. These types are as follows: Type A Variables
Those variables to be monitored that provide the primary information required to permit the control room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for DBA events. Primary info rmation is information that is essential for the direct accomplishment of the specified safety functions; it does not include those variables that are associated with contingency actions that may also be id entified in written procedures.
A variable included as Type A does not preclude it from being included as Type B, C, D, or E or vice versa.
Type B Variables
Those variables that provide information to indicate whether plant safe ty functions are being accomplished.
Type C Variables
Those variables that provide information to indicate the poten tial for being breached or the actual breach of the barriers to fission product releases.
Type D Variables
Those variables that provide information to i ndicate the operation of individual safety systems and other systems important to safety. These variables are to help the operator make appropriate decisions in using the individual systems important to safety in mitigating the consequences of an accident.
Type E Variables Those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and continually assessi ng such releases. The instruments are further divi ded into categories by their im portance to the operator during and following an accident, and to the importance to safety of the specific measured variable. These categories are as follows:
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.5-13 Category 1 Category 1 provides the most stringent requirements for equipment qualification and pertains
to monitoring key variables.
Category 2
Category 2 display instruments require less stringent equipment qualification and generally applies to instrumentation designed fo r indicating system operating status.
Category 3
Category 3 display instruments are used as backup displays for Category 1 and Category 2 and to aid in diagnosing the type of transient or acc ident and determining the extent of damage, if any.
7.5.2.2 Analysis
The safety-related display instrumentation provides adequate information to allow the reactor operator to perform the necessary manual safety functions and to assess plant and system status during normal operation, transi ents, and accident conditions.
Normal Operation
The information channel ranges were selected on the basis of giving the reactor operator the necessary information to perform all the normal plant startup, steady state maneuvers, and to be able to track all the proce ss variables pertinent to safety.
Abnormal Transient Occurrences
The ranges of indicators and reco rders provided are capable of c overing the extreme of process variables and provide ade quate information for all abnormal transient events.
Accident Conditions Information readouts are designed to accommodate all credible accident s for operator actions, information, and event tracki ng requirements, and cover all other design basis events or incident requirements.
Postaccident monitoring instrumentation provides the operator w ith plant status information during and following an accident. The information is needed to follow the progress of an accident, assist the operator to safely shut down the reactor, assess the extent and type of C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.5-14 damage, if any, and to monitor critical parameters for extended periods of time if extensive damage has occurred.
7.5.2.2.1 Conformance To 10 CFR 50 A ppendix A, General Design Criteria
The following is a discussion of conformance to those General Design Criteria (GDC) that apply specifically to the safety-related display instrumentation. See Section 7.1.2.2 for a discussion of GDC which apply equally to all safety-related systems. GDC 13, Instrumentation and Control Instrumentation is provided to monitor variables and systems over their anticipated ranges for accident conditions as appropriate to ensure adequate safety.
GDC 19, Control Room
The safety-related instrumentation meets the requirements that a control r oom be provided from which actions can be take n to maintain the nuclear power unit in a safe condition under accident conditions, including LOCAs, and th at equipment, including the necessary instrumentation, at appropriate locations outside the control r oom be provided with a design capability for prompt hot shutdown of the reactor.
GDC 64, Monitoring Radi oactivity Releases
The safety-related instrument ation includes the capability of monitoring the reactor containment atmosphere, spaces containing components for recirculation of LOCA fluid, effluent discharge paths, and th e plant environs for radioactivity that may be released from postulated accidents.
7.5.2.2.2 Conforman ce To IEEE Standards
The following is a discussion of conformance to those IEEE Sta ndards which apply specifically to the safety-related display instrumentation. See Section 7.1.2.3 for a discussion of IEEE Standards which apply equally to all safety-related systems. 7.5.2.2.2.1 IEEE Standard 279-1971, Criteri a for Protection Systems for Nuclear Power Generating Stations. The safety-related display instrument ation is part of the protection systems and provides information to the reacto r operator during and af ter accident conditions, allowing assessment of reactor status, safety syst em status, and allowing the operator to control safety systems when necessary.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 LDCN-09-011 7.5-15 General Functiona l Requirements (IEEE 279-1971, paragraph 4.1)
The safety-related display instrumentation, in addition to providing the reactor operator the necessary information to perform normal plant operations, also provi des information that allows assessment of plant a nd safety system status during and after transients and DBAs.
Single Failure Criterion (IEEE 279-1971, pa ragraph 4.2) The safety-related display instrumentation that is recommended by Regulatory Guide 1.97, Revision 2, to be redundan t is designed to meet the single failure criterion. Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
For a discussion of the quality classifications and qualification of components and modules see
Sections 3.2 , 3.10 , and 3.11. Equipment Qualification (IEEE 279-1971, paragraph 4.4)
For a discussion of equipment qualification see Sections 7.5.2.2.2.2 (IEEE 323-1974), 3.10 , 3.11 , and 1.8.3 for conformance.
Channel Integrity (IEEE 279-1971, paragraph 4.5)
The safety-related display instrumentation is designed to provide informati on to the reactor operator under extreme c onditions. See Sections 3.10 , 3.11 , 8.2.1 , and 8.3.1. Channel Independence (IEEE 279-1971, paragraph 4.6)
Safety-related display instrumentation independence is maintained through the application of separation criteria as described in Section 8.3.1.4. Control and Protection System Interaction (IEEE 279-1971, paragraph 4.7)
There is no interaction between control systems and that safety-related display instrumentation which is part of the protection system.
Derivation of System Inputs (IEEE 279-1971, pa ragraph 4.8)
The safety-related displa y instrumentation, where feasible and practical, is a direct measure of the desired variable.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-16 Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9) The safety-related disp lay instrumentation input sensors can be either perturbed, inputs substituted, or cross checked for proper operability. See Regul atory Guide 1.22 compliance in each of the sections in this chapter for a discussion of sensor check capability.
Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
See the compliance discussion of Regulatory Guide 1.22 in each section of this chapter.
Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
Removal from service of sensors which provide inputs to the safety-related display
instrumentation is discussed in the respective system discussions in this chapter on compliance to IEEE 279.
Operating Bypasses (IEEE 279-1971, paragraph 4.12)
This paragraph does not apply as the safety-related display instrumentation does not incorporate operating bypasses.
Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
This paragraph does not apply as the safety-related display instrumentation does not incorporate bypasses.
Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)
Access to instrument valves is administratively controlled. Access to other means of bypassing are located in the control room and are also under administrative control.
Multiple Setpoints (IEEE 279-1971, pa ragraph 4.15)
This paragraph does not apply as the safety-related display instrumentation does not incorporate multiple setpoints. Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
This paragraph does not apply as the safety-related display instrumentation does not provide protective action.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-17 Manual Initiation (IEEE 279-1971, paragraph 4.17) This paragraph does not apply as the safety-related display instrumentation does not provide manual initiation.
Access to Setpoint Adjustments, Calibration, and Test Points (IEEE 279-1971, paragraph 4.18)
Access to calibration adjustments are under administrative control. Identification of Protective Actions (IEEE 279-1971, paragraph 4.19) Certain safety-related display instrumentation is specifically de signed to identify the need for operator-initiated protective ac tions while others only provide the reactor operator the necessary information to identify plant and safety system status.
Information Read-Out (IEEE 279-1971, paragraph 4.20)
The safety-related display instrumentation is designed to provide the operato r with accurate, complete, and timely information to determine plant status and avoids anomalous indications which could confuse the reactor operator.
System Repair (IEEE 279-1971, paragraph 4.21)
The operator can identify and repair most failed sensors, recorders, or indications during plant operation. However, there are sensors such as neutron monitoring [local power range monitor (LPRM) and intermediate range monitor (IRM)] wh ich cannot be replaced or repaired during plant operation and must be repaired or replaced durin g plant shutdown.
Identification (IEEE 279-1971, paragraph 4.22)
The safety-related displa y instrumentation is specifically identi fied on the control panels so that the operator can easily discer n that they are intended for use under accident conditions.
7.5.2.2.2.2 IEEE Standard 323-1974, Standard for Qualif ying Class 1E Equipment for Nuclear Power Generating Stations. Safety-related display instrumentation as recommended by Regulatory Guide 1.97, Re vision 2. See Section 3.11 for equipment requirements based on NUREG-0588, 10 CFR 50.49, and IEEE-323.
7.5.2.2.3 Regulatory Guide Conformance
Regulatory Guide 1.32. Safety-related display instrumentation as recomme nded by Regulatory Guide 1.97, Revision 2, is powered from vital buses and, if necessary , with battery backup where momentary interruption is intolerable; or as noted in text discussion (see Section 7.5.1). C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 LDCN-09-011 7.5-18 Regulatory Guide 1.75, Revision 1. Redundant or diverse channels are provided where necessary as recommended by Regulatory Guide 1.97, Revision 2. These channels are electrically independent and physically separated from each other as discussed in Section
8.3. Regulatory
Guide 1.89, Revision 1. Safety-related display in strumentation is qualified to Regulatory Guide 1.89, Revision 1 as recommended by Regulatory Guide 1.97, Revision 2 or Revision 3 as clarified in Section
1.8.3. Regulatory
Guide 1.100, Revision 1. Safety-related display in strumentation as recommended by Regulatory Guide 1.97, Revision 2 or Re vision 3, meets the seismic qualifications requirements of IEEE-344-1975 as clarified in Section 3.10.1.2 and is purchased to the requirements in Regulatory Guide 1.100 which states that instru mentation should continue to read within the required accuracy following, but not necessar ily during, a safe shutdown earthquake.
Regulatory Guide 1.97, Revision 2. Instruments meet the recommendations required by category and type as described in Revision 2 unless noted in th e text discussions as meeting Revision 3 requirements.
An item by item general di scussion of display instrumentatio n and the degree of conformance to Regulatory Guide 1.97 requirement s is provided below and in Section 7.5.1.1. See Table 7.5-1 for instrument ranges, Regulatory Guide 1.97 cate gory, and other specific information.
Neutron Flux (Table 7.5-1, item 3) The facility operating license re quired the installation of a neutron flux monitoring system in the form of ex-core wide range monitors that were in conformance w ith the requirements of Regulatory Guide 1.97. The required wide range monitoring syst em was installed in 1989. Authorization to delete the license condition and remove th e equipment was granted by the NRC in May 2000 (Amendment 162, Reference 7.5-4). The authorization was based on a demonstration that the wide range monitors were unnecessary because the originally installed neutron monitoring systems met the alternat e criteria described in NEDO-31558 for post-accident neutron flux monitoring systems (References 7.5-1 and 7.5-3). Two exceptions to this are that the APRM system ac curacy does not satisfy the NEDO-31558 require ments under all post accident conditions and that the NEDO-31558 requirement for an uninterruptible power source is not met. It was shown that alternate means are ava ilable to meet the intent of NEDO-31558 for both of these exceptions, and these alternate means were accepted by the NRC (References 7.5-3 and 7.5-4). The installed neutron monitoring system (NMS) consists of the source range, intermediate
range, and APRM/LPRM monitoring systems. The existing s ource range and intermediate C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.5-19 range detectors are powered from Class 1E power; the average power range instruments are powered from the reactor protection bus which is a highly reliable source backed up by a diesel generator. There are 43 strings of local power range detectors, 8 interm ediate range detectors and 4 source range detectors. These are divided into two redundant divisions. The source and intermediate range detectors are inserted or re tracted from the core by Quality Class 2 drive units; however, the drive units are supplied from reliable power supplies and failure of all drive units simultaneously is extremely remote even under accident cond itions. The drive units are only required to drive the detector into the core. Any failure after insertion is inconsequential. If all drive un its did fail and the source range monitors could not be inserted, the range of indicated power when withdrawn is sufficient to ensure that the reactor is subcritical since the source range instruments monitor a range of 10 -3% to 10% power even in the fully withdrawn position. Neutron flux level indication is provided by recorders in the control room.
In accordance with the NRC authorization described above, the ex-core wide range neutron monitoring (WRM) system has been deactivated. The two dete ctors located in the drywell between the reactor pressure vessel and the sacrificial shield wall and the two preamplifier assemblies located on the reactor building 522' elevation have been abandoned in place. The amplifiers, recorders, and other hardware located in the main control room have been removed. The associated electrical cables have been spared in place.
Coolant Level in the Reactor (Table 7.5-1, item 2) Regulatory Guide 1.97 recommends that reactor level be monitored from below the core support plate to the centerline of the main steam lines by Category 1 instruments.
There are two divisionally separa ted ranges of level instrumenta tion to cover the full range of reactor water level as discussed in Section 7.5.1.1.1. Additionally, a single channel (Category 3) of "upset" range (h igh) level and a single channel of shutdown range indication is also provided.
RCS Soluble Boron Concentration
Regulatory Guide 1.97 recommends measurement of the soluble boron concentration in the circulating primary coolant. Grab samples of the circulating primary coolant will be analyzed by either the onsite of offsite facilities for determination of so luble boron concentration. These facilities will have capability to analyze 0 to 1000 ppm of soluble boron concentration in RCS.
Boiling Water Reactor Core Thermocouples
Regulatory Guide 1.97 recommends the in stallation of in-core thermocouples. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-20 Columbia Generating Station (CGS) concurs with LRG and BWR Owners' Group that core thermocouples do not provide adeq uate indication of approach to or existence of inadequate core cooling. Energy Northwest's response to Generic Letter 84-23 closed this issue.
Primary System Pressure (Table 7.5-1, item 1) Regulatory Guide 1.97 recommends th at primary system pressure be monitored from 15 psia to 1500 psig by Category 1 instruments.
Redundant Class 1E pressure i ndicators with a range of 0 to 1500 psig are provided.
Control Rod Position Indication (Table 7.5-1, item 39) Regulatory Guide 1.97 recommends that Category 3 indication be provided to indicate when a rod is in or not in.
A rod position display of full-in and full-out position provides th is information.
Drywell Pressure (Table 7.5-1, item 37) Regulatory 1.97 recommends Category 1 redundant instruments covering a range from 10 psia to three times design pressure.
Redundant channels are recorded, each having three ranges, a narro w range for -5 to +3 psig, an intermediate range for 0 to 25 ps ig, and a high range for 0 to 180 psig.
Drywell Sump Level
Regulatory Guide recommends that the drywe ll sump level be measured by Category 1 instruments.
The drywell equipment and floor drain sump s drain by gravity to the reactor building equipment drain sump and reactor building floor drain sumps respectively. On a LOCA, the containment isolation valves from these drywell sumps flange lines close, isolating the sumps. Any major drywell flooding at this time will overflow thes e sumps and spill into the suppression pool via the downcomers.
When a LOCA isolation signal is not present th e drywell sump drains to the reactor building sump where flow and sump level are continuously monitored in the control room.
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 7.5-21 Primary Containment Valve Position Indication (Table 7.5-1, item 40) Regulatory Guide 1.97 recommends Category 1, closed-not closed indication on power operated primary containm ent isolation valves.
Valve position for each applicable containment isolation valve is provided at the valve controls in the control room.
Redundancy requirements are met by the two valve criteria required for co ntainment isolation. Radioactivity Concentration or Radiati on Level in Circulating Primary Coolant
Regulatory Guide 1.97 recommends that Category 1 redun dant detection systems be installed to measure this parameter. The recommended range is one-hal f Technical Specifications limit to 100 times Technical Specifications limit in R per hour.
There is presently no instrument available which will accomplish th is task. Prior to isolation of main steam lines, the condenser offgas ssystem and the main steam line radiation monitors will give immediate warning of fuel failure. The postaccident sampling system (see
Section 11.6) provides monitoring and a measure of primary coolant activity after an accident. For details about offgas syst em and main steam line radi ation monitors, see Section 11.5. Analysis of Primary Coolant
Regulatory Guide 1.97 recommends provisions be made to anal yze the primar y coolant to determine the extent of core dama ge. This is a Category 3 system.
A postaccident sampling system (see Section 11.6) providing for grab samples of the primary coolant, suppression pool wate r, drywell atmosphere, wetw ell atmosphere, and reactor building atmosphere is provided. Grab samples will be an alyzed in onsite or offsite facilities. Grab samples of the reactor building equipment and floor drain sumps may also be taken with the same equipment.
Primary Containment Area Radiation (Table 7.5-1, item 8) Regulatory Guide 1.97 recommends that the radiation levels in the primary containment be monitored by redundant Category 1 instruments.
Two detectors are located inside containment that have a range 10 0 R/hr to 10 7 R/hr. These monitors respond to gamma ra diation of 60 KeV as required by Regulatory Guide 1.97 to detect the 133Xe gases. These radiation monitors display on recorders located in the control room. ~ !"~#$!~%&'(~!)*+~~"~!!!()$,!(#-&-~.,/-!"!~~"~
!.!.!(!"! ).~~0)(!12)(!#$!~%!& 3+!"(,!,)(!.,!()45!!2)(!.,!()5!-'(~!)*+'!(,~46-,)(!6-2)(!,5!!~-!(-!(
01!!~)7!".,!(-46-,(!!!!!~-!(-!($,01~"~!,~ ~*!/--~'!!")8#$!~%& $!!"~(!",!,%'(~!)*+--~!~()!!!"(!()!~~~( 2,!.,~!!)$,().~!().,!(-m9 4!,(,-.4!m9 4(,~!$,!~(~"!~!),"~!(~.%!% !,(,!($,!!,(,!("!%)/!%!()!!%!((-3232m9 4%"((-!~~!!.!1:;,~.!(-,18~)$,!!,(,!(!!~ !~!"'(~!)*+%)/%!()4!! (-(!~!%,!~(~!!~(!!)" -!'!!/2'!#$!~%& '(~!)*+#-$)/&,!!!!!"!!<~!-,!)!
$,!,~!!-!~()!, ~(",5"!($,),!"!!(-'9,%!!()4%!!,~
C OLUMBIA G ENERATING S TATION Amendment 58 F INAL S AFETY A NALYSIS R EPORT December 2005 7.5-23 These monitors provide coverage for these areas described by Regulatory Guide 1.97. Additionally, grab samples of the reactor building atmosphere may be obtained from the postaccident sample system. These high range area monitors provide coverage for personnel access and long-term surveilla nce (see Reactor Building or Secondary Containment Area Radiation below).
Main Feedwater Flow Rate (Table 7.5-1, item 23) Regulatory Guide 1.97 recommends a Category 3 indicator to displa y the feedwater flow rate. Feedwater flow indication is pr ovided in the control room.
Condensate Storage Tank Level (Table 7.5-1, item 24) Regulatory Guide 1.97 recommends that the condensate storage tank levels be indicated on Category 3 instruments.
Instrumentation is provided for this parameter with display in the control room.
Suppression Chamber Pressure (Table 7.5-1, item 12) Regulatory Guide 1.97 recommends that a Category 2 flow instrument be provided to indicate suppression pool spray flow. Suppr ession pool pressure is the ke y variable and pressure will indicate whether or not spray flow has been es tablished. Knowing th e actual amount of spray flow in gpm is of no value. However, va lve position, RHR pump running indication, RHR system flow (all indicated in the control room), and suppression chamber pressure will indicate the presence or absence of spray flow. Suppre ssion chamber pressure w ill also be a basis for whether or not drywell spray initiation will be required, given a high drywell pressure condition.
Suppression Pool Water Temperature (Table 7.5-1, item 13) Regulatory Guide 1.97 recommends temperature indication of the suppression pool water. This indication would be Cate gory 2 and have a ra nge of 30°F to 230°F. See Section 7.6.1.7 for the CGS design.
Drywell Atmosphere Temperature (Table 7.5-1, item 7) Regulatory Guide 1.97 recommends that the drywell atmosphere temperature be monitored with a range of 40°F to 440°F on Category 2 in struments. CGS has provided instrumentation monitoring a 50 °F to 400°F range. Postaccident drywell temperature data is provided by four thermocouples located in the drywell area. These thermocoup les feed signals to a summer via MV/Is. The average drywell C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-05-009 7.5-24 temperature is then recorded and displayed in the control room. Backup thermocouples are available for use in the monitoring scheme.
Drywell Spray Flow (Table 7.5-1, item 25) Regulatory Guide 1.97 recommends a drywell spray flow instru ment capable of monitoring flow from 0 to 110% of flow. This instrument should be Category 2.
Drywell spray flow is provide d by RHR pump flow indication. Valve position indication and drywell pressure will indicate proper flow path. Residual heat removal flow is indicated in the control room.
Primary System Safety/Relief Valve Position (Table 7.5-1, item 21) Regulatory Guide 1.97 recommends monitoring the SRV position, closed or not closed, with Category 2 instruments.
Monitoring the SRV position is prov ided as discussed in Section 7.5.1.9. This is also backed up by the suppression pool temperature and level instrumentation.
Reactor Core Isolation Cooling Flow Rate (Table 7.5-1, item 4) Regulatory Guide 1.97 recommends RCIC be monitored from 0 to 110% of design flow with Category 2 instruments.
Reactor core isolation cooling pump discharge flow monitoring is provided. This, in conjunction with verifica tion of RCIC system valve lineup, provides indication of system operability. Flow indication and valve position are displayed in the control room.
High-Pressure Core Spray Flow Rate (Table 7.5-1, item 5) Regulatory Guide 1.97 recommends that HPCS flow be monitored from 0 to 110% of design flow with Category 2 instruments.
High-pressure core spray pump discharge flow monitoring is provided. This in conjunction with verification of HPCS system valve lineup provides indication of system operability. Flow indication and valve position are displayed in the control room. Low-Pressure Core Injection Flow Rate (Table 7.5-1, item 25) Regulatory Guide 1.97 recommends that low-pressure coolant injection (LPCI) flow be monitored from 0 to 110% of design flow with Category 2 instruments. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-25 Residual heat removal (LPCI) pump discharge flow monitoring is provided. This in conjunction with verifi cation of RHR system valve lineup provides indication of system operability. Flow indication and valve position are displayed in the control room.
Low-Pressure Core Spray Flow Rate (Table 7.5-1, item 6) Regulatory Guide 1.97 recommends that LPCS flow be monitored from 0 to 110% of design flow with Category 2 instruments. Low-pressure core spray pump discharge flow m onitoring is provided. This, in conjunction with verification of LPCS system valve line up, provides indication of system operability. Flow indication and valve position ar e displayed in the control room.
Standby Liquid Control System Flow (Table 7.5-1, item 27) Regulatory Guide 1.97 recommends that the flow rate in the SLC system be monitored by Category 2 instruments.
Standby liquid control system flow monitoring is provided. Display is provided in the control room.
Standby Liquid Control System Tank Level (Table 7.5-1, item 28) Regulatory Guide 1.97 recomme nds SLC system tank level indication be monitored by Category 2 instruments.
The SLC system tank level instruments are provided as Cate gory 3. Level indication is provided in the control room.
Residual Heat Removal System Flow Rate (Table 7.5-1, item 25) Regulatory Guide 1.97 recommends that RHR system flow be monitored from 0 to 110% of design flow with Category 2 instruments.
Residual heat removal pump discharge flow monito ring is provided. This in conjunction with RHR pump suction and discharg e pressures and verification of RHR system valve lineup provides indication of system operability. Flow indication and va lve position are displayed in the control room.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-26 Residual Heat Removal Heat Exchanger Outlet Temperature (Table 7.5-1, item 26) Regulatory Guide 1.97 recommends that the RHR heat exchanger outlet temperature be monitored by Category 2 instruments with a range of 32°F to 350°F.
Columbia Generating Station considers this instrumentation to be backup to RHR/service water (SW) flow indications. For th is reason Category 3 (Class 1E powered) instrumentation is provided.
Existing instrumentation is not Class 1E but is adequate for monitoring this parameter. Indication is provided in the control room since other Class 1E indication of system performance such as RHR flow and standby se rvice water flow to heat exchanger are provided.
Cooling Water Temperature to ESF System Components (Table 7.5-1, item 31) Regulatory Guide 1.97 recommends Category 2 instruments with a range of 32°F to 200°F.
Present instruments measure water temperature of the spray pond. This is the source of water for the ESF systems. The range of these instruments is 0°F to 200°F.
Further temperature indication is provided on the outlet of each individual heat exchanger in the ESF systems. There is su fficient indication available to verify proper operation of the system.
Cooling Water Flow to ESF System Components (Table 7.5-1, items 29 and 30) Regulatory Guide 1.97 recommends Category 2 flow instruments to monitor flow in the ESF cooling system.
The SW return lines to the spray ponds are monitored by flow transmitters providing signals to indication in the control room for service wa ter loop A and B. The HP CS service water loop status is detected by a pressure transmitter pr oviding a signal to an indicator in the control room. High Radioactivity Liquid Tank Level (Table 7.5-1, item 36) Regulatory Guide 1.97 recommends that all tanks containing radioactive liquids be provided with tank level indication (Category 3 instruments).
All tanks designed to handle radi oactive liquids are equipped w ith remote reading tank level instruments. The indicators ar e located in the radwaste build ing which is accessible following a DBA. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-27 Emergency Ventilation Damper Position (Table 7.5-1, item 38) Regulatory Guide 1.97 recommends Category 2 indication for the open-closed position of emergency ventilation dampers.
The position status on all emergency ventilation dampers is displayed in the control room.
Status of Standby Power and Other Energy Sources Important to Safety (Table 7.5-1, items 16 and 22) Regulatory Guide 1.97 recommends that status information be provided for all standby power and other energy sources such as pneumatic or hydraulic power.
Voltage indication for standby elect rical buses of 4.16-kV is disp layed in the control room. Additionally, all vital 480-V switchgear voltage readout is provided along with all battery, battery charger, and inverter voltage and amperage. The pneu matic pressure for the CIA is also displayed in the control room.
Reactor Building or Secondary Containment Area Radiation (Table 7.5-1, item 20) Regulatory Guide 1.97, Revision 3 (for Type E) recommends that area radiation monitors be placed inside buildings or areas where access is required to se rvice equipment important to safety and in the reactor building. This is to monitor for significant releases, for release assessment, and for lo ng-term surveillance.
Three high range area monitors with a range of 10 -1 R/hr to 10 4 R/hr are located in the reactor building. They are located to monitor specific entry points to the building (to e1. 471 ft via door R202, e1. 501 ft via door R305, and e1. 606 ft via door R702). These are the same monitors discussed above in the item on radia tion exposure rate. Portable equipment will be used whenever personnel enter a radia tion area as required by entry procedures.
Airborne Particulate and Halogen Materials Released from Plant (Table 7.5-1, item 15) Regulatory Guide 1.97 recommends th at particulates and halogens be sampled at the identified plant release points. Onsite analysis capab ilities are required. This sampling equipment should be Category 3 equipment. Off-line monitoring systems with low range and
intermediate detectors are provided. These systems are prov ided for the turbine building exhaust and the radwas te building exhaust.
Particulates and ha logens, as well as noble gases, are monitored and recorded by the on-line gamma spectroscopy system for the reactor building elevated release duct.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-28 Radiation Exposure Meters at Va rious Locations Around the Plant Regulatory Guide 1.97 recommends that continuously monitori ng samplers be located at various locations around the plant to assess releases from the plant.
Adequate release information is already available through ven tilation release point monitoring and atmospheric conditions information available from the mete orologic conditions information center located onsite. Backup monitoring facilities are read ily available on the Hanford Reservation from fixed and mobile units. Airborne Radiohalogens a nd Particulates (Portable)
Regulatory Guide 1.97 recommends portable sampling with onsite analysis capability for airborne halogens and particulates.
Portable air samples and a radi oanalytical laboratory are mainta ined by the plant health physics group capable of measuri ng concentrations from 10 -9 µCi/cm 3 to 10-3 µCi/cm 3. Plant and Environs Radiation (portable)
Regulatory Guide 1.97 recommends portable monitoring instrumentation capable of measuring gamma and beta dose rates from 10 -3 R/hr to 10 4 R/hr. The plant health physics personnel mainta in such portable in struments onsite.
Plant and Environs Radioactivity
Contrary to the Regulatory Guide 1.97 recommenda tion regarding the ava ilability of a portable multichannel gamma ray spectrometer, alternative, equivalent me thods are used to meet the intent of Regulatory Guide 1. 97, Revision 2, Table 2, Plan t and Environs Radioactivity (portable instrumentation).
Computerized dose projection ca pability is provided in certain emergency centers, with the capability to back fit fi eld team sample results to verify initial dose projection calculations. Detection of fission prod ucts in the accident effluent stream is indicated by the presence of iodine. Field team air sample results are obtained by purging noble gasses from a silver zeolite cartridge and measuring the rema ining radioactivity, which is conservatively assumed to be iodine until proven otherwise by a detailed analysis. Determinati on of the presence of iodine in the air sample indicates a degree of fa iled fuel cladding and fission product barrier breakdown. Onsite radiological analytical capability exists within the plant to perform detailed analysis. Near site capability is also available at the Emergency Opera tions Facility to perform detailed C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-29 analysis of field team samples. Additi onally, agreements exis t through Washington and Oregon analytical laboratories fo r analysis of field team samp les by their respective emergency plans. This analytical and release assessment capability me ets the intent of Regulatory Guide 1.97 without the need to maintain portable multichannel gamma-ray spectrometers. Wind Direction and Speed (Table 7.5-1, items 17 and 18) Regulatory Guide 1.97 recommends that wind speed and directi on be availabl e on Category 3 instruments. Wind speed should be monitored from 0 to 67 mph and the direction from 0° to 360°.
Wind speed and direction is determined by instruments located on the meteorological tower and transmitted to the meteorological information center. This informati on is recorded in the control room.
Estimation of Atmospheric Stability (Table 7.5-1, item 19) Regulatory Guide 1.97, based on vertical temperature differences spaced at set intervals down the meteorological tower, recommends that atmos pheric stability (tempera ture inversion) be detected.
Vertical temperature stratification inform ation is recorded in the control room.
Postaccident Sampling System (See Section 11.6) Onsite and/or offsite facilities are provided to analyze pr imary coolant and containment air grab samples for variables and ranges listed in Regulatory Guide 1.97.
Reactor Building Pressure (Table 7.5-1, item 41) Reactor building pressure is th e controlling variable for the SG TS during accident conditions. Flow through the SGTS is automatically regulated to maintain the reactor building at minus 0.25 in. water column to prevent outleakage of potentially radioactive gases.
Emergency Core Cooling System Pump Room Flood Level (Table 7.5-1, item 42) One level switch is provided in each of the ECCS and the RCIC pump rooms to monitor room flood conditions (due to breaks and/ or leaks) in the rooms. A nnunciators and safety-related indications are activated in th e control room if flood levels reach 6 in. above the floor.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-30 Fuel Pool Cooling Flow (Table 7.5-1, item 43) Two redundant flow transmitters (one for each loop) monitor loop flows and send signals to control room indicators.
Fuel Pool Temperature (Table 7.5-1, item 44) Two redundant temperature elements monitor fuel pool water temperature and send signals to
control room indicators. Standby Service Water Radiation (Table 7.5-1, item 45) For a short period of time during RHR shutdown cooling mode operation the RHR system pressure may exceed that of the SW system. If any RHR heat exchanger tube leaks have developed, it is possible, during accident conditions, to bypass secondary containment radioactivity release processing. To ensure that releases are monitored and appropriate actions taken as required, each of th e SW Division 1 and Division 2 loops is provided with a radioactivity monitor providing input to a conti nuous indication located on a control room back panel. In addition, high radi oactivity levels are annunciated in the control room and also recorded on a panel recorder.
Radioactive Gaseous Effluent Release Path Vent Flow Rate (Table 7.5-1, item 9) Regulatory Guide 1.97 (for Type E) recommends that all effluent release paths from the plant be monitored from 0 to 110% of design flow, for the purpose of release asse ssment. The three release paths for CG S are via the reactor, turbine, and radwaste buildings. All three are monitored and trended on the plant TDAS system. Additionally the reactor building vent flow is recorded in the control room and the turb ine building vent flow is recorded locally.
7.
5.3 REFERENCES
7.5-1 Letter from B. A. Boger, NRC, to C. L. Tully, BWROG,
Subject:
NRC Evaluation of BWR Owner's Group Topical Report NEDO-31558, Position on
NRC Regulatory Guide 1.97, Revision 3, Requirements for Post-Accident Neutron Monitoring System (TAC M7 7660), dated January 13, 1993.
7.5-2 Letter GO2-99-142 from R. L. Webring, Supply System, to NRC,
Subject:
WNP-2 Operating License NPF-21 Request for Amendment, Post-Accident Neutron Flux Monitoring, License Condition 2.C.(16), Attachment 2, Item 3(b), dated July 29, 1999.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.5-31 7.5-3 Letter GO2-00-037 from D. W. Coleman, Supply System, to NRC,
Subject:
WNP-2 Operating License NPF-21 Request for Amendment, Post-Accident Neutron Flux Monitoring, License Conditi on 2.C.(16), Attachment 2, Item 3(b) (Additional Information), da ted February 28, 2000. 7.5-4 Letter GI2-00-088 from J. Cushing, NRC, to J. V. Parrish, Energy Northwest,
Subject:
WNP Issuance of Amendmen t re: Wide Range Neutron Monitoring System (TAC NO. MA6165 ), dated May 18, 2000.
C OLUMBIA G ENERATING S TATION Amendment 57 F INAL S AFETY A NALYSIS R EPORT December 2003 Table 7.5-1 Safety-Re l a t ed Display I n strumentat i on Design Criteria
Type Readout Number of Channels Range Type and Category a Location LDC N-0 0-0 9 3 7.5-33 1. Reactor vessel pressure Recorder MS-LR/PR-623A,B b 2 0 to 1500 psig A,1 CR 2. Reactor vessel water level Recorder MS-LR/PR-623A,B b 2 -150 in./0/+60 in. A,1 CR Indicator MS-LI-610 b 1 -110 in. to
-3 1 0 in. A,1 CR Recorder MS-LR-615 b 1 -110 in. to -3 1 0 in. A,1 CR Indicator MS-LI-605 1 0 in. to 400 i
- n. B,3 CR Recorder RFW-LR-608 1 0 in. to 180 i
- n. B,3 CR 3. Neutron Flux Recor d ers SRM SRM-LR-60 2 A/B* 2 10-3 to 10% power (10-1 to 10 6 cps ) B,1 CR IRM/APRM IRM-LR-603A/B
- 2 0 to 125% power B,1 CR 4. RCIC flow Indicator RCIC-FI-600/1 1 0 to 700 gpm D,2 CR 5. HPCS flow Indicator HPCS-FI-603 1 0 to 8000 gpm D,2 CR 6. LPCS flow Indicator LPCS-FI-600 1 0 to 8500 gpm D,2 CR 7.a. Drywell atmosphere temperature Recorder CMS-TR-5 1 50 to 400 F D,2 CR b. Suppression pool atmosphere temperat u r e Recorder CMS-TR-5 1 50 to 400 F D,2 CR c. Drywell a t mosphere temperat u r e Indicator
CMS-TI-5 1 50 to 400 F D,2 CR
- See FS A R Section 7.5.2.2.3.
~ !"#! $%# ! & !#' %#%! (!!(#&)*!!'%'%!!!+,"~ !#,~-$!.'-/#+,"~ !#,~0$!.'1! %%! !2! +,0!/-/# %%! !2!)1/-/2 %2 %%! !2!/-/#!'!% !!!
- ,34/!)5#/)#!!6%!!!
- ,34/!)5#/# !!!' !
- ,+)/!%/7/#) !!!2 !
- ,!°0#~!,~!°0# !!!28!"$
- ,()/9!9:!
!#/# C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 Table 7.5-1 Safety-Related Display In strumentation (Continued) Design Criteria
Type Readout Number of Channels Range Type and Category a Location LDCN-06-051, 07-001, 15-026 7.5-35 15. Building gaseous release
monitor Recorder
PRM-RR-3 a CR Low range TEA-RIS-13 WEA-RIS-14 2 1 x 10-7 to 1 x 10-1 µCi/cc 1 x 10-6 to 1 x 10-1 µCi/cc E,C,2 Intermediate range PRM-LCRM-1B 2 10 1 to 10 6 cps E,C,2 High range PRM-LCRM-1C PRM-COMP-1 TEA-RIS-13 WEA-RIS-14 2 10 1 to 10 6 cps Isotopic 1 x 10-3 to 1 x 10+3 µCi/cc 1 x 10-3 to 1 x 10+3 µCi/cc E,C,2 E,3 16. Containment instrument air Indicator CIA-PI-21A,B 2 0 to 300 psig D,2 CR 17. Wind speed Recorder MET-WSR-4 1 0 to 90 mph E,3 CR 18. Wind direction Recorder MET-WDR-4 1 0 to 540 E,3 CR 19. Temperature differential Recorder MET-TR-1 1 15 F E,3 CR 20. Radiation exposure rate and reactor building or
secondary
containment area radiation Recorder ARM-RR-32 3 10-1 to 10 4 R/hr E,3 CR 21. SRV position indication Direct indication
MS-VPI-LVDT-1A through LVDT/5C 18 Closed or not closed D,2 CR Recorder MS-TR-614 18 0 to 600 F D,3 CR C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 Table 7.5-1 Safety-Related Display In strumentation (Continued) Design Criteria
Type Readout Number of Channels Range Type and Category a Location LDCN-12-020 7.5-36 22. Power supply monitoring Voltmeter/ammeter Various D,2 CR Voltmeters 0 to 5.25 kV ac HPCS-VM-R610 DG-VM-DG1/A DG-VM-DG1/B DG-VM-DG1/C DG-VM-DG2/A DG-VM-DG2/B DG-VM-DG2/C E-VM-SM/7 E-VM-SM/8 Various D,2 CR Voltmeters 0 to 600 V ac E-VM-SL71 E-VM-SL73 E-VM-SL81 E-VM-SL83 Various D,2 CR Voltmeters 0 to 300 V ac E-VM-PP7AA E-VM-PP8AA Various D,2 CR Voltmeters 0 to 300 V dc E-VM-DPS2/1 Various D,2 CR Voltmeters 0 to 150 V dc HPCS-VM-R618 E-VM-DPS1/1
E-VM-DPS1/2 Various D,2 CR Voltmeters 0 to 30 V dc E-VM-DP/S0/A E-VM-DP/S0/B Various D,2 CR C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 Table 7.5-1 Safety-Related Display In strumentation (Continued) Design Criteria
Type Readout Number of Channels Range Type and Category a Location LDCN-12-020 7.5-37 Ammeters Various D,2 CR
- 22. Power supply monitoring (continued)
HPCS-AM-B1 HPCS-AM-C1 E-AM-C0/1A/1B E-AM-C0/2A/2B E-AM-B0/1A/1B E-AM-B0/2A/2B E-AM-C1/1
E-AM-C1/2
E-AM-C2/1 E-AM-B1/1
E-AM-B1/2 E-AM-B2/1 E-AM-IN2/A E-AM-IN2/B E-AM-IN3/A E-AM-IN3/B E-AM-7/71 E-AM-7/73 E-AM-8/81 E-AM-8/83 DG-AM-DG1 DG-AM-DG2 HPCS-AM-R607
- 23. Feedwater flow Indicator RFW-FI-604A,B 2 0 to 8.5 x 10 6 #/hr D,3 CR 24. CST level indicator Indicator COND-LI-40A,B 2 0 to 35 ft D,3 CR 25. RHR flow (LPCI and shutdown
cooling) (drywell spray) Indicator
RHR-FI-603A,B,C 3 0 to 10,000 gpm D,2 CR 26. RHR heat exchanger outlet temperature Recorder (2 pen) RHR-TRS-601 2 0 to 500 F D,3 CR 27. SLCS flow rate Indicator SLC-FI-1 1 0 to 100 gpm D,2 CR 28. SLCS tank level Indicator SLC-LI-601 1 0 to 5000 gal D,3 CR
~ !"#! $%# ! & !#' %#%! (!!(#&)*+,-#.'% ~!.-~!%#).!0~!.1~+/2!/%#).!0 ~! .~!°1#)3!0!31// 2/2!4/#))(44)(44)(44)!565!!7)0 %~!!7)0 %)! !
- 8-//!9)%/!%)/!*%/2//2/
/2/##
- )*4%5!!!~!:!!#)+#!!!!!~!1 !! 2/)#!!!55!!~!#!!!!2/#! %!'
"$! 4/2)!9.##4##;#~# !!!!5~%%' 1(~!";!!$!/# C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.5-1 Safety-Related Display In strumentation (Continued) Design Criteria
Type Readout Number of Channels Range Type and Category a Location 7.5-39 43. FPC flow Indicator FPC-FI-16,17 2 0 to 1200 gpm D,2 CR
- 44. Fuel pool temperature Indicator FPC-TI-7,8 2 0 to 225°F D,2 CR 45. SW radiation monitor Indicator SW-RIS-604, SW-RIS-605 2 10-1 to 10 6 cps E,C,2 CR a The instruments meet the recommendations required by the category type as described in Regulatory Guide 1.97, Revision 2, unless otherwise noted in text discussion.
b These instruments are Technical Specifications postaccident monitoring instrumentation. C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 1 6 7.6-1 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY
7.
6.1 DESCRIPTION
The instrumentation and control systems required for safety not discussed in other sections include the following:
- a. Process radiation monitoring system,
- b. High-pressure/low-pressure systems interlocks, c. Leak detection system (LDS), d. Neutron monitoring system (NMS),
- e. Recirculation pump trip (RPT) system, f. Spent fuel pool cooling and cleanup (FPC) system, and g. Suppression pool temperatur e monitoring (SPTM) system.
The sources which supply power to the safety-related systems described in this section originate from onsite ac and/or dc safety-related buses or, as in the case of the fail-safe NMS logic and portions of the LDS, from the non-sa fety-related reactor pr otection system (RPS) motor-generator (MG) sets. See Chapter 8 for a complete description of the safety-related systems power sources.
7.6.1.1 Process Radiation Monitoring System
The safety-related portions of the process radiation monitoring system are described in Section 7.3.1.1.2. 7.6.1.2 High-Pressure/Low-Pressure Systems Interlocks and Alarms
7.6.1.2.1 Function
Instrumentation and controls are provided to prevent overpressuri zation of low-pr essure piping which interface with the reactor coolant pressure boundary (RCPB).
7.6.1.2.2 Operation
Flow diagrams for the systems involved are shown in Figures 5.4-11 , 5.4-15 and 6.3-4. Component control log i c and alarms f o r the systems involved are shown in Figures 7.3-7 , 7.3-9 , 7.3-10 and 7.4-1. Instruments are l is t ed i n Table 7.6-
- 1.
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 1 6 7.6-2 High-pressure/low-pressure interl ocks are provided to sense react or pressure and prevent the following valves from opening until reactor pr essure is below system design pressure: Interlocked Process Line Type Valve Residual heat removal (RHR)
shutdown cooling suction MO RHR-V-9 (F009) RHR-V-8 (F008) RHR shutdown cooling return MO RHR-V-53A RHR-V-53B (F053) RHR head spray MO RHR-V-23 (F023) LPCI injection MO RHR-V-42A,B,C (F042) LPCS injection MO LPCS-V-5 (F005) The interlock for RHR-V-9, suction valve inside the primary containment is redundant and diverse from the interlock for RHR-V-8, suction valve outside the primary containment to ensure that at least one of two valves in series will always isol ate when required. Diversity is provided by selecting pressure sensors from two different manufacturers.
Each sub-system process line listed below is provided with an overp ressure switch. The pressure switch activates an alarm in the control room to alert the operator to an intersystem leakage situation where a leaking shutoff valve may result in the sub-system pressure exceeding design limits.
The associated pressure switc hes are shown on the respective system flow diagrams.
- a. RHR shutdown cooling suction, b. RHR A, B, and C pump discharge,
- c. Low-pressure core spray system (LPCS) pump discharge,
- d. High-pressure core spray (HPCS) pump suction, and e. Reactor core isolation cooling (RCIC) pump suction.
7.6.1.3 Leak Detection System The safety-related portions of the LDS are as follows:
- a. Main steam line leak detection, b. RCIC system leak detection, C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-11-005 7.6-3 c. RHR system leak detection,
- d. Reactor water cleanup (RWCU) system leak detection,
- e. Drywell/reactor build ing leak detection, f. Auxiliary steam line leak detection, g. ECCS pump room flooding detection.
7.6.1.3.1 Function
The LDS instrumentation and controls are desi gned to monitor leakage from the RCPB plus other specific leakage wi thin the Reactor Building and initiate alarms and/or isolation when predetermined limits are exceeded. See Sections 5.2.5 , 3.6.1.15.3 and 9.3.3.2.2.1. 7.6.1.3.2 Operation
LDS instrument arrangement draw ings which contain operator in formation displays are shown in Figures 7.6-1 and 7.6-2. Instruments are listed in Table 7.6-2. Systems or parts of systems that are in direct communication with the reactor vessel are provided with leakage detection systems.
The required leakage detection system inside the primary containment is designed with a capability to detect leakage less than established leakage ra te limits. See the Technical Specifications for the specific values.
Major components within the primary containment that by nature of thei r design are sources of leakage (e.g., pump seals, equipment warming drains), are collected ultimately in an equipment drain sump located in the reactor building and thereby identified.
Equipment associated with systems within the primary contai nment (e.g., vessels, piping, fittings) share a common volume. Steam or wate r leaks from such e quipment are collected ultimately in the floor drain sumps located in the reactor build ing and identified if possible.
Each of the sumps is protected against overflowing to prevent leaks of an identified source from masking those from unidentified sources.
Outside the primary containment, the piping within each syst em monitored for leakage is in compartments or rooms separate from other systems as feasible so that leakage may be detected by sump or room level, ambient or differential area temperature, or high process flow.
Sensors, wiring, and associated equipment of the LDS that are associated with the isolation valve logic are designed to with stand the conditions that follow a design-basis loss-of-coolant accident (LOCA) (see Section 3.11). C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 1 6 7.6-4 The operator is kept aware of th e status of the LDS variables th rough displays or recorders that indicate the measured variable s in the control room. If a trip occurs, the condition is annunciated in the control room.
7.6.1.3.3 Main Steam Line Leak Detection
The safety-related portions of the main steam line LDS are described in Section 7.3.1.1.2. 7.6.1.3.4 Reactor Core Isolation Cooling System Leak Detection
The steam lines of the RCIC sy stem are monitored for leaks by the LDS. Leaks from the RCIC will cause a change in at least one of the following monitored parameters. The RCIC LDS consists of the following:
- a. Equipment area and pipe routing area high ambient and equipment area differential temperature, b. High flow rate (differential pressure) through the steam line,
- c. The turbine exhaust dia phragm high pressure, and d. Low steam line inlet pressure.
If the monitored variables indicate that a leak ma y exist, the detection system initiates an RCIC isolation signal (after an approximate 3 sec delay for RCIC high flow).
The following sections desc ribe each of the RCIC le ak detection methods.
7.6.1.3.4.1 Reactor Core Isolation Cooling Area Temperature Monitoring. The RCIC area ambient and differential temperature monitoring circuits are simi lar to those described for the main steam line tunnel temperature monitoring system (see Section 7.3.1.1.2). Two redundant temperature monitoring channels are provided. Each redundant instrument provides input to one of two logi c channels (Division 1 or 2).
Using 1 out of 2 logic, any RCIC equipment area or pipe routing area high ambient or equipment area high differential temperature in itiates an isolation of the RCIC system.
A bypass/test switch is provided in each logi c channel for the purpo se of testing the temperature monitor without initia ting RCIC system isolation.
Diversity is provided by RCIC steam line flow and pressure monitoring.
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 1 6 7.6-5 7.6.1.3.4.2 Reactor Core Isolation Cooling Steam Flow Rate Monitoring. The steam line flow rate from the reactor vessel to the RCIC turbine is monitored by redundant differential pressure switches. In the presence of a leak, the flow rate monitor responds by generating the auto-isolation signal. A time delay in each logic division prevents inadvertent system isolations due to pressure spikes. See Section 7.4.1.1.2. Diversity is provided by ambien t temperature, differential temperature, and RCIC steam line pressure monitoring.
7.6.1.3.4.3 Reactor Core Isol ation Cooling Turbine Exhaust Diaphragm Pressure Monitoring. The RCIC turbine exhaust diaphragm pressure is monitored by four redundant pressure switches. In the presence of a leak, the RCIC system res ponds by generating the isolation signal. See Section 7.4.1.1.2. Using 2 out of 2 logic high turbine exhaust diaphragm pressure initiates isolation of the RCIC system.
Diversity is provided by ambient temperature and differential temperature.
7.6.1.3.4.4 Reactor Core Isola tion Cooling Pressure Monitoring. The steam line pressure from the reactor vessel leading to the RCIC tu rbine is monitored by four redundant pressure switches. In the presence of a leak, the RCIC system responds by generating the auto-isolation signal. See Section 7.4.1.1.2. Using 2 out of 2 logic low pressure in the stea m line initiates isolati on of the RCIC system.
Diversity is provided by ambien t temperature, differential temperature, and RCIC steam line flow monitoring.
7.6.1.3.5 Residual Heat Removal System Leak Detection
Leaks from the RHR system are detected by equipment area ambient or differential temperature monitoring and by the shutdown co oling suction flow rate. If the monitored parameters indicate that a leak exists, the LDS initiates an RHR isolation signal. The RHR LDS consists of the following:
- a. Equipment area high ambient or high differential temperature,
- b. Shutdown cooling suc tion line high flow rate.
Outputs from both circuits are used to generate the RHR auto-isolation signal (one for each division) to isolate the inboard and outboard isolation valves. C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 1 6 7.6-6 The following is a description of each RHR leak detection method.
7.6.1.3.5.1 Residual Heat Removal Area Temperature Monitoring. The RHR area temperature monitoring circuit is similar to the one describe d for the main steam line tunnel temperature monitoring system (see Section 7.3.1.1.2). Two redundant temperature monitoring channels are provided. Each redundant instrument provides input to one of two logi c channels (Division 1 or 2). Using 1 out of 2 logic, high RHR area ambient or differential temperature initiates an RHR isolation signal closing the RHR inbo ard and outboard isolation valves.
A bypass/test switch is provided in each logi c channel for the purpo se of testing the temperature monitor without initiating RHR system isolation.
7.6.1.3.5.2 Residual Heat Re moval Flow Rate Monitoring. Flow rate monitoring is provided on the RHR shutdown cooling suction line by redundant differential pressure switches.
Flow rates in excess of predetermine d limits indicate a line leak or break.
Two redundant differential pressure switches mon itor flow and each provides an input to one of the two logic channels (Division 1 or 2).
Using 1 out of 2 logic, the high flow rate in itiates an isolation of the RHR inboard and outboard isolation valves.
Diversity is provided by ambient and differential temperature monitoring.
7.6.1.3.6 Reactor Water Cleanup System Leak Detection
The RWCU LDS monitors differential flow, blowdown flow, and temperature. Automatic isolation of the RWCU system isolation valves is initiated when hi gh differential flow, high blowdown flow, or high temperature exists. The RWCU LDS consists of the following:
- a. Leakage monitoring by the flow comp arison of RWCU system water inlet and outlet flow rate,
- b. Ambient and differential temperature monitoring, and
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDCN-98-116 7.6-7 c. Monitoring the RWCU blow down line to the main condenser for high flow to mitigate a high energy line break.
The following is a description of each RWCU leak detection method:
7.6.1.3.6.1 Reactor Water Cleanup Differential Flow Monitoring. The RWCU system inlet flow is compared to RWCU outlet flow to th e feedwater lines or to the main condenser. A flow element, flow transmitte r, and square root converter for each of these three lines provides signals to a common flow summer which trips two differential flow alarm units on a high differential flow condition. The high differential flow rate initiates a 45-sec time delay which bypasses the isolation signal during the normal operational system surges, i.e., pump startup or valving changes. If the high differential flow cond itions still exists after the time delay, then isolation is initiated. Flow and differential flow indications are provided in the main control room.
Using 1 out of 2 logic in each logic channel (Division 1 or 2), the RWCU flow comparison monitoring initiates RWCU isolation signal. The signal closes the inboard and outboard isolation valves, after a time delay, when the flow rate difference exceeds a preset limit.
Diversity is provided by ambien t and differential temperature.
7.6.1.3.6.2 Reactor Water Cleanup Area Temperature Monitoring. See Section 7.3.1.1.2. 7.6.1.3.6.3 Condenser Blow down Line Flow Monitoring. The RWCU blowdown line to the main condenser is monitored to detect a high energy line break. Two redundant flow transmitters provide flow signals to two flow alarm units in the main control room. The Division 2 signal closes the i nboard isolation valve and the Division 1 signal closes the outboard isolation valve when blowdown flow exceeds a preset limit after a specified time delay.
7.6.1.3.7 Drywell Floor Drain Leak Detection
The drywell floor drain sump collects unidentified leakage within the drywell. The leakage is gravity fed to the Reactor Building floor drain sump. The flow is monitored and leakage in excess of the acceptable limit is annunciated in the control room.
7.6.1.3.8 Drywell Equipment Drain Leak Detection
The drywell equipment drain sump collects identified leakage within the drywell. The leakage is gravity fed to the Reactor Building equipment drain sump. The flow is monitored and leakage in excess of the acc eptable limit is annunciat ed in the control room.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 LDCN-06-048 7.6-8 7.6.1.3.9 Reactor Building Fl oor Drain and Equipment Drain Sumps Leak Detection
The floor drain sumps leak detection instrumentation is designed to detect leakage from unidentified sources. The equipment drain sump leak detection instrumentation is designed to
detect leakage from identified sources.
A level switch is mounted in each sump and cont rols the associated su mp pump. The sump pump starts when the upper sump level is exceeded and turns off when the level in the sump reaches the lower setpoint. A timer is starte d and stopped by the upper and lower sump level switches respectively. If the tim er exceeds a predetermined setpoi nt, high flow is annunciated. The timer resets to read when the sump pump stops. A second timer starts timing when the sump pump stops. If the sump pump starts before the second timer r eaches a predetermined
setpoint, high flow rate is annunciated. The timer is reset to read when the su mp pump starts.
A level switch is provided for each sump for high sump water level annunciation purposes. The alarm setpoint is set above the pump start se tpoint and will actuate an alarm in the main control room in the event the sump water level exceeds the switch setpoint.
In addition, the ECCS pump room floor drain su mps are provided with a drain header shutoff valve. This valve will isolate the sump from another connect ed pump room in the event the sump water level exceeds the valve control level switch set point, thus minimizing common mode flooding of more than a single pump room (see Figure 9.3-12 ). See Section 3.6.1.5.2 for the RCIC/CRD pump rooms.
7.6.1.3.10 Emergency Co re Cooling Systems Pump Room Flooding Detection
A Class 1E level switch is provided for each of the RHR-A, RHR-B, RHR-C, RCIC, LPCS, and HPCS pump room area. Each level switch is set 6 in. above the pump room floor and will activate an alarm in the main control room in the event the pump room water level exceeds the level switch setpoint (see Figure 7.6-2 ). See Section 9.3.3.2.2.1. 7.6.1.3.11 Drywell Atmosphere Radiation Monitoring System
The drywell atmosphere is continuously monitored for gaseous and partic ulate radioactivity by redundant sampling systems. In each system the sample is drawn into the sample system by its vacuum pump. Flow control is provided to ensure proper sample flow. The sample flow path
is from the sample point inside the primary containment, throug h the inlet isolation valve to the particulate monitor chamber. Here the sa mple is passed through a fixed filter where the particulate matter is deposited while allowing the noble gases to pass through.
After removal of any particulate matter as described above, the gaseous sample passes into a volume chamber where a second scintillation detector checks for noble gas activity.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-9 The sample gas then proceeds through the flow control devi ce, vacuum pump, return line isolation valve, and is discharged back into the primary containment.
7.6.1.3.12 Auxiliary Steam Line Leak Detection
Auxiliary steam line leak detec tion consists of redundant temperature sensors, temperature monitor with alarm/isolation output function, and the isolation valves (see Section 3.6.1.15.3 ). When any one of the four temperature elements detects abnormally high temperature, the logic circuit actuates the closure of auxiliary steam line isolation valves (AS-V-68A or AS-V-68B) and provides audible alarm in the main control room.
Auxiliary steam line leak detection instru mentation provides test able features for motor-operated valve (MOV) closure tests.
7.6.1.4 Neutron Monitoring System
The safety-related portions of the NMS include the intermediate range monitor (IRM), local power range monitor (LPRM), average power ra nge monitor (APRM), and oscillation power range monitor (OPRM).
The NMS instrumentation and controls are desi gned to monitor reactor power (neutron flux) from startup through full power operation.
The NMS uses in-core detector s, either fixed (LPRM) or removable (IRM), to determine neutron flux levels.
The NMS will initiate a scram when predetermined limits ar e exceeded and provide operator information during and af ter accident conditions.
The NMS component contro l logic is shown in Figure 7.6-3. 7.6.1.4.1 Intermedia te Range Monitor
7.6.1.4.1.1 Function. The IRM monitors neutron flux from the upper portion of the source range monitor (SRM) to the lower portion of the power range monitor (APRM) as shown in
Figure 7.6-4. 7.6.1.4.1.2 Operation. The IRM has eight channels, each of which includes one detector that can be positioned in the core by remote control. See Figures 7.6-5 and 7.6-6. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is pla ced in the RUN position.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-10 Each detector assembly consists of a fission chamber attached to a low-loss, quartz-fiber-insulated transmission cable. When coupled to the signal conditioning equipment, the detector produces a reading of full scal e on the six most sensitive rang es (8 KHz 16 KHZ flux level bandwidth). The detector cable is connected underneath the vesse l to a triple-shielded cable that is connected to the preamplifier.
The preamplifier converts current pulses to volta ge pulses, modifies th e voltage signal, and provides impedance matching. Th e preamplifier output signal is then sent to the IRM signal conditioning elec tronics (see Figure 7.6-7 ). Each IRM channel input signal from the preamp lifier can be amplified and attenuated. The IRM preamplification is selected by a remote range switch that provides 10 ranges of increasing attenuation (the first six called low range and the last four called hi gh range). As the neutron flux of the reactor core increases the signal from the fission chambe r is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter, a remote me ter and recorder.
The IRM scram trip functions are discussed in Section 7.2.1.1. The IRM setpoints are listed in the Technical Specifications.
The IRM range switches must be up-ranged or down-ranged to follow increases and decreases in power within the range of the IRM to prevent either a scram or a rod block. The IRM detectors must be inserted into the core whenever these channels are ne eded and withdrawn from the core, when permitted, to prevent unnecessary burnup.
7.6.1.4.2 Local Po wer Range Monitor
7.6.1.4.2.1 Function. The LPRMs provide localized neutron flux detection over the full power range for input to the APRM.
7.6.1.4.2.2 Operation. The LPRM includes 43 detector st rings having detectors located at different axial heights in the core; each detector string contains four fission chambers. Figure 7.6-8 shows the LPRM detector radial layout scheme. The LPRM assembly consists of four neutron detector (ion cham bers) permanently installed in a housing (see Figure 7.6-9), each with an associated solid sheath cable. The chambers are vertically spaced in the LPRM detector assemblies in a way that gives adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies.
Each chamber consists of two c oncentric cylinders, that act as electrodes. The inner cylinder (the collector) is mounted on insulators and is separated from the outer cylinder by a small C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-11 gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated outer electrode. The chamber is operated at a polarizing potential of approxim ately 100-V dc. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is th en independent of operating voltage. Each assembly also contains a calibration tube for a traversing in-core probe. The enclosing tube around the entire assembly c ontains holes that allow circul ation of the reactor coolant water to cool the ion chambers. Numerous tests have been performed on the chamber
assemblies including tests of linearity, life time, gamma sensitivity , and cable effects (Reference 7.6-1). A modified LPRM assembly is used for measurement of electro-chemical corrosion potential (ECP). The modified assembly contains three ECP sensor strings, in
addition to the neutron detectors. LPRM operati on in the modified assembly is not affected by the ECP electrodes.
The current signals from the LPRM detectors are transmitted through coaxial cable to the LPRM amplifiers in the control room. The amplifier is a linear current amplifier whose voltage output is proportional to the current input and therefore proportional to the magnitude of the neutron flux. Low-level output signals are provided that ar e suitable as an input to the computer, recorders, etc. The output of each LPRM amplifier is isolated to prevent interference of the signal by inadvertent grounding or application of stray voltage at the signal terminal point.
When a central control rod is selected for movement, the output signals from the amplifiers associated with the nearest 16 LPRM detectors are displayed on reactor control panel meters. The four LPRM detector signals from each of the four LPRM assemblies are displayed on
16 separate meters. Th e operator can readily obtain readings of all the LPRM amplifiers by selecting the control rods in order.
The trip circuits for th e LPRM provide trip signals to acti vate lights, instrument inoperative signals, and annunciators. See Table 7.6-3. These trip circuits are powered from the 24-V dc power supply and are set to trip on loss of power. They also trip when power is not available for the LPRM amplifiers. The trip levels can be adjusted from 2% to 100% of full-scale deflection and are accurate to +/-1% of full-scale deflection in the normal operating environment.
Each LPRM channel may be individually bypa ssed. When the maxi mum number of bypassed LPRMs associated with any APRM channel has been exceeded, an inopera tive trip is generated by that APRM.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.6-12 Each individual detector chamber of the assembly is a moisture-proof, pressure-sealed unit. The detector assemblies are designed to operate up to 600°F and 1250 psig. The wiring, cables, and connectors located within the drywell are designe d for continuous duty up to 165°F, 55% relative humidity and a 3-hr single exposure rating of 340°F at 100% relative humidity.
Power for the LPRM system is supplied by the two RPS buses. The PRNM equipment receives power from 120 Vac 50/60 Hz. Ea ch PRNM chassis (LP RM) is powered by redundant Low Voltage Power S upply (LVPS) modules containe d with a single Quad Low Voltage Power Supply (QLVPS) chas sis. One LVPS module is c onnected to RPS power bus A and the other LVPS module connected to RPS power bus B. For maximum variation in the input voltage or line frequency, the overextended ranges of temperature and humidity, the output voltage varies no more than 2 V.
7.6.1.4.3 Average Power Range Monitor
7.6.1.4.3.1 Function. The function of the APRM is to aver age signals from the LPRMs and provide a continuous indication of average reacto r power from a few per cent to greater than rated reactor power. The APRM also provides signals to the OPRM which are used to detect thermal hydraulic oscillations.
7.6.1.4.3.2 Operation. The APRM has four redundant channe ls. Each channel uses input signals from a number of LPRM detectors.
The APRM compares corrected LPRM values to high and low trip points and averages the filtered readings to obtain a value for the reactor average instantaneous neutron flux value (readings from bypassed LPRMs are automatically excluded from the average). Each APRM channel can average the output signals from as many as 43 LPRMs. Assignment of LPRMs to an APRM follows the pattern shown in Figure 7.6-10. Position A is the bottom position, Positions B and C are above Po sition A, and Position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions.
The APRM gain is adjusted using the instrume nt's front panel display or accepting the APRM gain calculated from the Percent Core Thermal Power (%CTP) downloaded from the core monitoring system. Each APRM instrument is designed to provide automatic periodic testing of the replaceable hardware modules in an AP RM Channel at least ev ery 15 minutes. The APRM firmware (or software) shall continuously cycle through a series of tests when the instrument keylock switch is in the "OPER" posi tion. When the instrument keylock switch is in the "INOP" position, the module tests shall be performed under user control.
See Section 7.2.1.1 for a description of the APRM inputs to the RPS.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.6-13 The APRM system allowable values are listed in the Technical Specifications. The APRM circuit arrangement for RPS trip input is shown in Figure 7.6-11 . APRM may be bypassed at any time. Each APRM provides a rod block output whenever the minimum number of LPRM inputs to it is not met. The PRNM equipment receives power from 120 Vac 50/60 Hz. Each PRNM chassis (APRM or RBM chassis) is powered by redundant Low Voltage Power Supply (LVPS) modules contained with a single Quad Low Voltage Power Supply (QLVPS) ch assis. One LVPS module is connected to RPS power bus A and the other LVPS module connected to RPS power bus B. Thus, APRM Channels 1, 2, 3, and 4 are powered from the bus used for trip system A and B of the RPS. The AC buses that power an APRM channel also supply power to its associated LPRMs. 7.6.1.4.4 Oscillation Power Range Monitor 7.6.1.4.4.1 Function. The digital-based OPRM detects and suppresses reactor core power instabilities using the Option III approach described in NEDO -31960. The OPRM provides independent oscilla tion trip signals to the RPS when one of the instability algorithms (Period based, Amplitude based, or Growth based) for an operable OPRM cell has detected an instability condition.
7.6.1.4.4.2 Operation. The OPRM upscale function monitors LPRMs combined into "cells" of 4 LPRMs each. The OPRM system consists of four independent channels capable of detecting thermal hydraulic instability by monitoring the neutron flux within the reactor core. The OPRM function combines the signals from each LPRM in an OP RM cell and evaluates that combined cell signal using the OPRM algorithms to detect thermal-hydraulic instabilities. An OPRM upscale trip output is generated from an APRM ch annel when the period based detection algorithm in that channe l detects oscillatory changes in the neutron flux, indicated by the combined signals for the LPRM detectors in a cell, with the period confirmations and relative cell amplitude exceeding specific setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM upscale trip is also issued from any APRM channel is either the growth rate or amplitude ba sed algorithms detect growing oscillatory changes in the neutron flux from one or more cells in that channel. The OPRM upscale trip output is automatica lly enabled (not-bypassed) when the APRM Simulated Thermal Power is equal to or above the OPRM auto-enable power setpoint and recirculation flow is equal to or below the OPRM auto-enable flow setpoint. The OPRM upscale trip output is automatically bypassed when Simu lated Thermal Power and recirc ulation flow are not within the OPRM trip enabled region. The OPRM upscal e trip is active only wh en the reactor mode switch is in the RUN position. At least two unbypassed APRM cha nnels must be in the APRM ups cale trip or inoperative trip state to cause an APRM/Inop RPS trip output fr om the ARPM 2-Out-of-4-Voter channels. Similarly, at least two unbypasse d APRM channels must be in the OPRM upscale trip state or C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.6-14 inoperative state to cause an OP RM Upscale RPS trip output from the ARPM 2-Out-of-4-Voter channels. The APRM Upscale/Inop and OPRM Upscale/Inop trips are combined and input to the 2-Out-of-4-Voter channels. All four voter channels will provide RPS trip output, two to each RPS trip system. If only one unbypassed AP RM channel is providing a trip output, each the four APRM 2-Out-of-4-Voter channels will ha ve a half-trip, but no tr ip signals will be sent to the RPS. Removing voltage to a relay coil transmits trip outputs to RPS, so loss of power results in actuating the RPS trips. Loss of a 2-Out-of-4-Voter channel results in an RPS half-scram. The OPRM protection system provides the followi ng control board annunc iator outputs to the control room operator: OPRM TRIP ENABLED (reactor has reached the operating region where instability can occur and oscillation trip output has been enabled), OPRM ALARM (when one of the instability algorithms (Period based, Amplitude based, or Growth based) for an operable OPRM cell has exceeded user defined setpoints), OPRM TRIP (provides trip signal to RPS wh en one of the instab ility algorithms (Period based, Amplitude based, or Growth based) for an operable cell has detected an instability condition), and OPRM INOP (when the quantity of operable OP RM cells is less th an the required 25 out of 30 OPRM cells for each of the four OPRM channels. C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.6-15 7.6.1.5 Recirculation Pump Trip System
7.6.1.5.1 Function
The function of the RPT is to mitigate the th ermal consequences of the turbine trip and generator trip transients by tripping the recirculation pumps early in the event, producing rapid pump flow coastdown and additional core voiding, which results in a core reactivity reduction. This system is linked to the RPS such that both a scram and a pump trip occur when the turbine stop valves start to close and when turbine governor valv e fast closure occurs. Both scram and RPT are bypassed at low thermal power levels.
The RPT system is required to trip both recirculation pumps from their normal power source within 200 msec after a turbine/gene rator trip or load rejection ev ent occurs with reactor power level greater than 29.5% of rated thermal power. This trip cannot be prevented or caused by any single component failure in the system.
7.6.1.5.2 Operation
The RPT logic is derived from relays in the RPS which are activated by turbine stop valve limit switches and turbine control valve oil pressure switches. Contacts from these relays are arranged in a logic scheme so that deenergi zing various combinations of the relays will energize the RPT trip coil in ea ch of two main power source ci rcuit breakers provided for each recirculation pump (see Figures 7.6-12 and 7.6-13). C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.6-16 Each main circuit breaker has two trip coils. One trip coil is activated by an RPT signal only. The other trip coil is act ivated by all other breaker trip func tions. The dual trip coils serve to separate the breaker safety function from its non-safety functions.
Turbine governor valve fast closure signals to the RPT system from the RPS are derived from oil line pressure switches lo cated on each of the four fast-acting control valve hydraulic mechanisms (see Figure 7.6-14 ). Turbine stop valve closure signals to the RPT system from the RPS are derived from valve stem position switches mounted on the four turbine stop valves. The switches open before the valve is more than 10% closed to provide the earliest positive indication of valve closure (see Figure 7.6-15 ). Turbine first-stage pressure signals to the RP T system from the RPS are derived from four pressure switches. The pressu re switches trip at a pressure setpoint corresponding to 29.5% power to bypass the turbine stop valve and turbine control valve fast closure trips below this value (see Figure 7.6-14 ). The RPT, when initiated, complete s the recirculation pumps circu it breakers trip. Restarting the pumps for normal power operation requires deliberate operator actions.
Channel and logic relays are fast-response, high-reliability relays from the RPS. The relays are selected so that the conti nuous load will not exceed 50% of the continuous duty rating. The total response time from start of the turbine control valve fast closure signal or the turbine stop valve closure signal to complete suppressi on of the electric arc between the fully open contacts of the pump motor circuit breaker is le ss than 200 msec on a 60 Hz basis. With the adjustable speed drive (ASD) installation, this time dela y varies from 185 to 200 msec.
The RPT logic is illustrated in Figure 7.6-13. The system is arra nged as two separately powered trip systems. Each logic trip system has at least two channels of the monitored variable. Either of the two au tomatic trip systems will trip both of the two recirculation pump motors.
Table 7.6-4 provides a summary of the recirculati on system trip functions and actions. 7.6.1.5.2.1 Bypasses and Inte rlocks. With the reactor pow er under 29.5%, the RPT is automatically bypassed by four pressure switches associated with the turbine first stage. Any one of the four channels in a bypass state initiates main control room annunciation. A manual key-locked bypass switch is provided for each of the two RPT systems, located on the relay panels, for logic testing. Pl acing the manual switch in bypass position initiates a control room annunciator. The RPT is not inhibited, since the redundant system is operable.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-17 The RPT system initiation logic is composed of contact from th e RPS sensor channel relays. The interlock is performed using separate relay contacts so that no failure in the RPT system can prevent an RPS scram.
7.6.1.5.2.2 Redundancy. The RPT is divided into two divi sions. Each division duplicates the function of the other to the extent that eith er system performs th e pump motor power supply trip regardless of the state of operation or failure of the other trip system. The turbine stop valve closure and turbine governor fast valve closure signals ar e diverse inputs to the RPT for pump motor trip. Each pump motor is provided with two circuit breakers in series tripped from redundant division logic.
7.6.1.5.2.3 Testability. The RPT system logic can be tested during reactor operation without pumps trip and without inhibiting the pum ps trip function by the redundant system.
A key-locked bypass switch for syst em circuit testing is provided for each system located at the RPS relay cabinets.
Since the RPT system logic consists of relay co ntacts actuated in the RP S, the RPS surveillance tests will include the testing of the RPT logic system. See Section 7.2 for RPS testing.
7.6.1.5.2.4 Environmental Considerations. The electrical equipment and devices of the RPT system are located in the control building and in the electrical equipmen t rooms. These areas have a controlled environment isolated from an accident environment ensuring reliable operation. The logic channel sensors located at the turbin e-generator are discussed in Section 7.2. 7.6.1.5.2.5 Opera tional Considerations. The sensor channel logic relays are normally energized with contacts open in the RPT system logic. Loss of both RPS MG buses or sensor variables out of tolerance will cause RPT.
The RPT system has no manual trip feature. The pump motor power supply circuit breakers have their normal manual control switches at the control room panels for normal pump start and stop operation. These controls are isolated from the RP T circuits. Circuit breaker status indications for the operator cons ist of a green pilot light for breaker open position and one red pilot light for breaker closed. 7.6.1.6 Spent Fuel Pool Cooling and Cleanup System
7.6.1.6.1 Function
The function of the FPC system is to remove decay heat from the spent fuel storage pool to ensure adequate cooling of irradiated stored fuel assemblies. The FPC system also purifies the C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-049 7.6-18 storage pool water, maintains water clarity for fu el handling operations, a nd fills and drains the fuel transfer canal. See Section 9.1.3. 7.6.1.6.2 Operation
Schematic arrangement of the FPC system mechanical equipment is shown in Figure 9.1-5. The FPC system component control logic is shown in Figures 7.6-16 through 7.6-26. Instruments are listed in Table 7.6-5. Operator information displays are shown in Figure 9.1-5 and Figures 7.6-16 through 7.6-26. The FPC system consists of two redundant cooling loops. Syst em operation is discussed in Section 8.1.3.
Instrumentation is provided to monitor the pool temperature, pool level, pump discharge pressures, and water conductivity to allow the control room operator to assess system operation. Channels provided versus channels required for protectiv e action completion are listed in Table 7.6-6. 7.6.1.7 Suppression Pool Temperature Monitoring System
7.6.1.7.1 Function
The SPTM system is designed to monitor suppression pool wa ter temperature and alert the plant operator to the potentially hazardous co ndition of elevated pool water temperature.
The instrumentation for the SPTM system is shown in Figure 5.4-12. Instruments are identified in Table 7.6-7. 7.6.1.7.2 Operation
The SPTM system consists of tw o separate divisions, each with 12 dual element thermocouples and multipoint recorder. The 24 channels are at eight locations evenly spaced around the perimeter of the pool. Sixteen ch annels are arranged in an uppe r ring at el. 465 ft 5.75 in. The remaining eight channels are mounted at el. 447 ft 10.25 in. E ach quadrant contains four upper level and two lower level thermocouples. This a rrangement was chosen to track stratification. Average suppression pool temperature is recorded in the control room using data from eight channels, one per division per quadrant. Te mperature indication from all 24 channels is available at the control room. Additionally, a separate indicator is available for direct readout of suppression pool av erage temperature (Division 1 only).
The time constant for the thermocouples is no greater than 15 s ec. The time from thermocouple signal input to initiation of alarm is no greater than 60 sec.
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-19 Each division of the SPTM system is provi ded with a multipen reco rder for individual thermocouple temperature recording, a micropro cessor for averaging the thermocouple outputs of both divisions and providing an average bulk suppression pool temperature, a recorder for recording the average bulk temperature, and audiovisual annunciators which alarm on abnormally high suppression pool temperature outputs of each division and of the bulk temperature averaging system.
7.6.1.8 Design Basis The safety-related systems described in this section are designed to provid e timely protective action inputs to other safety systems to protect against the onset and cons equences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. Th e methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in Chapter 15. The station conditions which require protective actions are described in Chapter 15. 7.6.1.8.1 Variables Monitored to Provide Protective Actions The following variables are monitored to provide protective action inputs:
- a. High pressure/low pressure system interlocks - reactor pressure;
- b. LDS 1. RCIC area temperatures - differential and ambient, 2. RCIC steam line flow rate, 3. RCIC turbine exhaust diaphragm pressure, 4. RCIC steam line pressure, 5. RHR area temperatures - differential and ambient, 6. RHR shutdown cooling suction fl ow (not credited in the Columbia Generating Station [CGS] accident analysis), 7. RWCU area temperatures - differential and ambient, 8. RWCU differential flow (not credited in the CGS accident analysis), 9. RWCU blowdown line flow, C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-20 10. Identified and unidentified leakage from the drywell floor and equipment drain sumps, 11. Drywell atmosphere radiation monitor, 12. Main steam pipe tunnel area temperatures - differential and ambient, 13. Auxiliary steam line area temperature, 14. Reactor building floor drain and equipment drain sumps level, 15. Emergency core cooling sy stems (ECCS) pump room level;
- c. NMS 1. IRM neutron flux,
- 2. APRM neutron flux;
- d. RPT system
- 1. Turbine throttle valve closure,
- 2. Turbine governor valve fast closure;
- e. Spent FPC system; and
- f. Suppression pool temperature monitoring system
The plant conditions which require protective action involving the sa fety-related systems discussed in this sec tion are described in Chapter 15. 7.6.1.8.2 Location and Mini mum Number of Sensors
See the Technical Specifications for the minimum number of sensors required to monitor safety-related variables. The IRM and LPRM detectors are the only sensors which have spatial dependence.
7.6.1.8.3 Prudent Operational Limits
Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious safety system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-21 postulated gross failures of the fuel or nuclear system process barrier, is kept within acceptable bounds. 7.6.1.8.4 Margin
The margin between operational limits and the limiting conditions of operation of the safety-related systems are addresse d in the Technical Specifications.
7.6.1.8.5 Levels Levels requiring protective action are esta blished in the Technical Specifications.
7.6.1.8.6 Range of Transient, Steady State, and Environmental Conditions
See Section 3.11 for environmental conditions. See Sections 8.2.1 and 8.3.1 for the maximum and minimum range of ener gy supply to the safety-related instrumentation and controls of the systems described in this section. All safety-related instrumentation and controls are specified and purchased to withstand the effects of ener gy supply ranges.
Environmental conditions for proper operation of the systems described in this section are discussed in Sections 3.10 and 3.11. 7.6.1.8.7 Malfunctions, Accidents, and Other Unusual Ev ents Which Coul d Cause Damage to Safety Systems
Chapters 3 , 6 , 9 , 15 , and Appendix F describe the following credib le accidents and events: floods, storms, tornadoes, eart hquakes, fires, LOCA, pipe br eak outside containment, and missiles.
7.6.1.8.7.1 Floods. The buildings containing safety-rel ated components have been designed to meet the probable maximum flood (PMF) at the site location. See Section 2.4. Therefore, none of the functions are affected by external flooding. For a discus sion of internal flooding
protection see Sections 3.4 and 3.6. 7.6.1.8.7.2 Storms and Tornadoes. The buildings containing sa fety-related components have been designed to withstand all credible meteorological events and torn adoes as described in Section 3.3. 7.6.1.8.7.3 Earthquakes. The structures containing safety-related system components have been seismically qualified as described in Sections 3.7 and 3.8 and will remain functional during and following a safe shutdown earthquake (SSE).
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 7.6-22 7.6.1.8.7.4 Fires. To protect the safety systems in the event of a postulated fire, the components have been separate d by distance, electrical separation barriers, and/or fire barriers. The use of separation and barriers ensures that even though some portion of the system may be affected the safety function will not be prevented. Within the control room power generation cont rol complex (PGCC) (unde rfloor cable routing ducts) heat detectors and products of combustion detectors ar e provided to initiate a Halon fire suppression system.
7.6.1.8.7.5 Loss-of-Coolant Accident. The safety-related syst ems components described in this section and functionally required during and/or following a LOCA have been environmentally qualified to remain functional as disc ussed in Section 3.11. 7.6.1.8.7.6 Pipe Brea k Outside Containment. Protection for these comp onents is described in Section 3.6. 7.6.1.8.7.7 Missiles. Protection for safety-related components is described in Section 3.5. 7.6.1.8.8 Minimum Perf ormance Requirements
Minimum performance requirements for safety-related systems instrumentation and controls are provided in the Technical Specifications an d the Licensee Controlled Specifications (LCS).
7.6.1.9 Final System Drawings
Functional and architectural design difference between the PSAR and FSAR are listed in Table 1.3-8.
7.6.2 ANALYSIS
7.6.2.1 Safety-Related Systems - Instrumentation and Controls
Chapter 15 evaluates the individual and combined cap abilities of the safety-related systems described in this section.
The safety-related systems describe d in this section are designed such that a loss of instrument air, a plant load rejection, or a turbine trip will not prevent the comple tion of the safety function.
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 7.6-23 7.6.2.2 Conformance to 10 CFR 50, Appendix A - General Design Criteria
The following is a discussion of conformance to those General Design Criteria (GDC) which apply specifically to the safety-related systems described in this section. See Section 3.1 for a discussion of GDC which apply equally to all safety-related systems.
The GDC for the NMS and process radiati on monitoring system are discussed in Sections 7.2.2.1 and 7.3.2.1.1. GDC 12 - Suppression of R eactor Power Oscillations
The NMS provides protective actions to the RPS to ensure that fuel design limits are not exceeded.
GDC 13 - Instrumentation and Control
The safety-related instrumentation and controls monitor variables over their anticipated ranges for normal operation, anticipated occurrences, and accident cond itions and initiate protective actions to limit or prevent fuel damage and main tain the integrity of the RCPB and the primary containment.
GDC 15 - Reactor Coolant System Design
The safety-related systems provide sufficient margin to ensure that the design conditions of the RCPB are not exceeded during any condition of normal operation, including anticipated operational occurrences. If the monitored variables exceed th eir predetermined settings, automatic safety ac tions are provided.
GDC 30, 34, 35, 38, and 40
The LDS provides means for detecting the source of reactor coolant leakage.
GDC 61, 62, and 63 The FPC system provides reliab le fuel pool RHR capability. 7.6.2.3 Conformance to IEEE Standards
The following is a discussion of conforman ce to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Genera ting Stations, that applies specifically to the safety-related systems described in this section. See Section 7.1.2.3 for a discussion of IEEE standards which apply equally to all safety-related systems. C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 7.6-24 General Functional Requirement (IEEE 279-1971, paragraph 4.1)
The safety-related systems descri bed in this section automatically initiate protective actions or provide information to the operator when a condition monitored reaches a preset level for all conditions descri bed in Section 7.6.1. For example, the LDS initia tes containment isolation by closure of containment isolation valves when area temperatures exceed preset limits.
Single Failure Criterion (IEEE 279-1971, pa ragraph 4.2)
The safety-related systems described in this section ar e not required to m eet single failure criteria on an individual system basis. Howeve r, on a network basis, the single failure criteria does apply to ensure the completion of a prot ective function. Redundant sensors, wiring, logic, and actuated devices are physically and electrically separa ted such that a single failure will not prevent the protectiv e function. See Section 8.3.1.4 for a discussion of the CGS separation criteria.
The RPT meets the single failure criterion. Se nsors are electrically a nd physically separated with conduit provided to the RPS cabinets. The RPT signals to r ecirculation pump motor circuit breaker trip coils are separated into Divisi on 1 and Division 2 and circuit breaker to pump motors are divisionally separated.
Quality of Components and Modules (IEEE 279-1971, paragraph 4.3)
See Section 3.11 for a discussion of safety system component quality. Equipment Qualification (IEEE 279-1971, paragraph 4.4)
Vendor certification verifies that the sensors associated with each of the systems required for safety trip variables, manual sw itches, and trip logic components located in mild environments perform in accordance with the requirements listed on the purchase specifi cation as well as in the intended application. This certification, in conjunction with the existing field experience with these components in this application, will se rve to qualify these components.
See Sections 3.10 and 3.11 for a discussion of seismic a nd harsh environment structure, system, and compone nt qualification.
For a complete discussion of equi pment qualification for the safety-related systems described in this section, see Sections 3.5 , 3.6 , 3.10 , and 3.11. C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 7.6-25 Channel Integrity (IEEE 279-1971, paragraph 4.5) For a discussion of channel integrity for the safety-related systems described in this section under all extremes of conditi ons described in Section 7.6.1.8.6 see Sections 3.10 , 3.11 , 8.2.1 , and 8.3.1. Channel Independence (IEEE 279-1971, paragraph 4.6)
System channel independence is maintained by a pplication of the CGS separation criteria as described in Section 8.3.1.4. Control and Protection System Interaction (IEEE 279-1971, paragraph 4.7)
There are no control and protection system interactions for the system s described in this section. Derivation of System Inputs (IEEE 279-1971, pa ragraph 4.8) The variables discussed in this section are direct measures of the desired variables indicating the need for protective action.
Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9)
For a discussion of sensor checks for the safety-related systems described in this section, see Regulatory Guide 1.22 in Section 7.6.2.4. Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)
For a discussion of the test and calibration capability of the safety-related systems described in this section, see Regulatory Guide 1.22 in Section 7.6.2.4. Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)
During periodic testing, any one sensor of the safety-related sy stems described in this section may be valved-out-of-service and returned-to-service under administrative control procedures. Since only one sensor is valv ed-out-of-service at any given time during the test interval, protective action capability for the safety-related variables is maintained through the remaining redundant instrument channels.
A sufficient number of IRM channels has been provided to permit any one IRM channel in a given trip system to be manua lly bypassed and still ensure that the remaining operable IRM channels comply with the single failure criterion.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.6-26 One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch perm it only one of the four IRM channels of that trip system to be bypassed at any time. To accomm odate a single failure of this bypass switch, electrical interlocks have also been inco rporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. C onsequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the protection system requirements. The APRM system is designed so that only one APRM may be bypassed at any given time. The bypass switch is a five-positi on center locking joystick that mechanically switches four fiber optic signals. The bypass switch is optically isolated. When the sw itch is in one of the four bypass positions, light from only one of th e four fiber optic signa ls (corresponding to the switch position) shall be allowed to pass through the sw itch. With an APRM bypassed, a trip of two or more APRM channels out of three will result in a trip output from all four-voter channels. The voter cha nnels cannot be bypassed.
The LDS logic is provided with a bypass/test sw itch for the purpose of testing temperature sensors without initiating associated system isolation. Operati on of one switch at a time will not prevent the remaining redundant isolation logic from providing system isolation if required.
The RPT system meets this design re quirement as desc ribed in Section 7.6.1.5.2.1. Operating Bypasses (IEEE 279-1971, paragraph 4.12)
There are no operating bypasses for any of the safety-rel ated systems describe d in this section except for the RPT system.
The recirculation pump motors are not required to trip below 29.5% of rated power. The trip operating bypasses are automatically reinstated above 29.5% power.
Indication of Bypasses (IEEE 279-1971, paragraph 4.13)
For a discussion of automatic bypass indication for the safety-related systems described in this section see Section 7.1.2.4, Regulatory Guide 1.47.
Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14) Access to means for bypassing any safety action or safety func tion is under the administrative control of the control room supervisor/shift manager. Other approved methods of controlling access to bypasses are also used. These include key locks with admi nistrative control of the access to keys, procedurally controlled equipmen t lineups, e.g., locked valve checklists, and the use of mechanical locking devices and annunciators and other indications, e.g., BISI (Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, described in Section 7.1.2.4). These additional met hods help to prevent inadvertent bypasses or to alert th e plant operators to safety f unction bypasses occurring either C OLUMBIA G ENERATING S TATION Amendment 57 F INAL S AFETY A NALYSIS R EPORT December 2003 7.6-27 from equipment failures or from manually indu ced bypasses that result as part of testing, maintenance, or equipm ent repair activities. Key-locked control switches that provide a means of controlling the access to a safety function bypass are designed to allow key removal only in the "safe" or "accident" positions. Access to the associated keys is pr ocedurally controlled. When not in use, keys are under the administrative control of the control room supervis or/shift manager and stored in a key locker. The keys are audited once per day by the control room supervisor/shi ft manager. When operation of a key-locked control sw itch is required to be immediate, such as in the case of the reactor mode switch, the key may be left in the lock during normal pl ant operation to ensure timely actuation.
Multiple Set Points (IEEE 279-1971, paragraph 4.15)
There are no multiple setpoints within the safety-related systems descri bed in this section.
Completion of Protective Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)
Initiation control logic for the sa fety-related systems describe d in this section seals in electrically and remains energized or deenergized. After ini tial conditions return to normal deliberate operator action is required to return (reset) the safety system logic to normal.
The FPC system is initiated ma nually for continuous pool cooling when the pool contains spent fuel.
Manual Initiation (IEEE 279-1971, paragraph 4.17)
For a discussion of the manual in itiation capability for the safety-related systems described in this section, see Regulatory Guide 1.62 in Section 7.6.2.4. Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279-1971, paragraph 4.18)
During reactor operation access to setpoint adjustments, calibration controls, and test points for the safety-related sy stems variables described in this section is under administ rative control of the control room operator.
Identification of Protective Actions (IEEE 2791971, paragraph 4.19)
When a safety-related system protective action sensor described in this section exceeds its predetermined setpoint, a control room annunciator is initiated to identify that variable and a typed record is available from the process computer and tran sient data acquisition system.
C OLUMBIA G ENERATING S TATION Amendment 57 F INAL S AFETY A NALYSIS R EPORT December 2003 7.6-28 Information Readout (IEEE 279-1971, paragraph 4.20) The safety-related systems descri bed in this section are designe d to provide the operator with accurate and timely information pertinent to their status. This information does not give anomalous indications conf using to the operator.
System Repair (IEEE 279-1971, paragraph 4.21)
During periodic testing of the safety-related systems described in this section (except as noted) the operator can determine defective components and replace them during plant operation.
Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation by appropriate bypassing of the defectiv e instrument channel. The de sign of the syst em facilitates rapid diagnosis and repair.
The RPT system componen ts are designed to facilitate maintenance with the exception of the turbine stop valve limit switches. The redundancy of the eight switches permits plant operation with a defective switch un til access can be gained to the switches for repair.
Identification of Protection Systems (IEEE 279-1971, paragraph 4.22)
Each cabinet containing safety system component s is labeled with the system designation and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as belonging to a particular safety system. See Section 8.3.1.3. Redundant racks are identified by the identification marker plates.
7.6.2.4 Conformance to Regulatory Guides
The following is a discussion of conformance to those Regulatory Guides which apply
specifically to the safety-related systems discussed in this section. See Section 7.1.2.4 for a discussion of Regulatory Guides which apply equally to all safety-related systems.
Regulatory Guide 1.22 (February 1972) The APRMs are calibrated to reactor power by using reactor heat balance and the traversing in-core probe (TIP) system to establish the relative local fl ux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined. The gain-adjustment-factors for the LPRMs are produced as a re sult of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These C OLUMBIA G ENERATING S TATION Amendment 57 F INAL S AFETY A NALYSIS R EPORT December 2003 7.6-29 adjustments when incorpor ated into the LPRMs pe rmit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power. The IRMs are calibrated by co mparison with the APRMs.
The proper operation of the sensors and the logic associated with the LDS is verified during the LDS surveillance tests that are provided for the various com ponents during plant operation. Each temperature monitor channel, for both am bient and differential which provide isolation signals, is connected to one el ement of a dual thermocouple(s).
Each temperature monitor indicates when the temperature exceeds the setpoint. To verify the thermocouple (sensor) input, a comparison of the redundant sensor readings, one from the trip channel, and the recorded channe l is made. The recorded channel monitors the second element of the dual thermocouple. The firs t element is part of the trip ch annel. To test the temperature trips a simulated trip level signa l is inputed to the monitor fr om an external source. In addition, key lock test switches are provided so that instrume nt and logic ch annels can be tested without sending an isola tion signal to the system involve
- d. Thus, a complete system check can be confirmed by check ing actuation of the trip logic relay associated with each temperature monitor.
The RWCU differential flow leak detection alarm units are tested by inputting an electrical
signal to simulate a high differential flow. Alarm and indicator lights mon itor the status of the trip circuit.
The RPT system is testable up to but not in cluding actual RPT circuit breaker during periodic testing of the sensor channels and logic system
- s. The pump trip circuit breaker testing is performed during the refueling outage.
The turbine stop valves are tested individually by closing a stop valve and ve rifying RPT relay operation before the control room lights indicate the valve is cl osed. Calibration of the limit switches is possible only during shutdown and by physical observation. The turbine governor valve closure pressure switches may be valved out, tested, and calibrated during periodic testing.
All other system instrumentation is tested and calibrated during norm al reactor operation by valving out the instrume ntation and supplying a te st pressure source.
Regulatory Guide 1.45 (May 1973)
The leakage to the primary reactor containment from identified sources such as recirculation pump seal, fuel storage pool, head seal, etc., is sepa rated so that flow rates are monitored separately from unidentified leak age and total flow rate can be established and monitored. The leakage from the main steam line safety/relief valves (SRVs) is identified leakage because of C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-11-005, 11-024 7.6-30 the location of the sensors which detect this leakage, but the leakage is not completely separated from unidentified sources.
Separation of this leakage is not required since any leak from the main steam line SRVs would not be from a crack or break in the line so there would be no identified leakage from the SRV lines during plant operation which necessitates separation from unidentified leakage. The leakage to the reactor c ontainment from unidentified sources is collected and this flow rate is monitored with an accuracy of better than 1 gal/minute. The leak detection methods us ed to monitor unidentified leakage include sump flow monitoring, airborne particulate radioactivity monitoring, and airborne gaseous radioactivity monitoring.
Provisions are made to monitor systems connect ed to the RCPB for signs of intersystem leakage, including radioactivity monitoring of process fluids (process radiation system) and reactor vessel water level monitoring [nuclear steam supply system (NSSS)].
The sensitivity and response time of each system for detection of unidentified leakage is 1 gal/minute in less than 1 hr, except for the airborne particul ate radioactivity and airborne gaseous activity monitoring cha nnels, which have sensitivities of 1E-9 microcuries/cc and 1E-6 microcuries/cc respectively, which are consistent with the sensitivities suggested for these channels by Regulatory Guide 1.45. Design calculations demonstrate that the particulate monitors are capable of detecting a 1 gpm leak in 1 hour or gaseous m onitors are capable of detecting 1 gpm leak in 10 hours against a background of design leakage. The specific conditions in the design calculations under which the stated capabilities can be met are as follows: Variable Particulate Monitors Gaseous Monitors Radioisotope concentration in reactor coolant Table 5 of ANS-18.1, Source Term Specification N237, reduced by a factor of 100 GE Specification 22A2703F Rev. 3 Background leakage rate 2.1 gpm and 5.5 gpm 2.1 gpm Duration of background leakage 1 day and 100 days 1 day The leakage detection system instruments listed in Table 7.6-2 have been evaluated and shown to be available for operation following an opera ting basis earthquake (OBE). The particulate radioactivity monitoring channel is available for operation following an SSE.
C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 7.6-31 The drywell floor drain and equipment drain sump s, piping to the sumps, and the equipment drain cooler are seismically supported such that they will continue to pass leakage flow following an OBE.
The level switches are used to monitor leakage from reactor building drains to the respective sumps.
Indicators and alarms for each leak age detection system are provided in the main control room. At the site, procedures for converting various indications (e.g., temperature, t, and pressure) to a flow rate measurement will be provided by means of conversi on curves whenever meaningful.
Major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals) are contained and piped to an equipment drain sump and thereby identified.
Equipment associated with system s within the drywell (e.g., vessels, piping, fittings) share a common free volume, therefore, their leakage de tection systems are comm on. Steam or water leaks from such equipment are collected ultimately in an area drain sump.
Each of the sumps are protected against overflowing leaks from one source masking those from another.
As added backup to the unidentif ied leakage drain sy stem, the main stea m lines within the steam tunnel are monitored by temperat ure detectors within the tunnel.
Regulatory Guide 1.53 (June 1973)
See Section 7.6.2.3 (IEEE 279-1971, paragraph 4.2).
Regulatory Guide 1.62 (October 1973)
The FPC system is manually in itiated from the main control room by actuation of system pump and valve controls.
7.
6.3 REFERENCES
7.6-1 Morgan, W. R., "In-Core Neutron M onitoring System for General Electric Boiling Water Reactors," APED-5706, November 1968 (Rev. April 1969).
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-1 High to Low Pressure System
Interlocks Instrumentation Function Instrumen t a 7.6-33 RHR shutdown cooling v a lves isolation Press u re switch (B35-N 018A, B) RRC-PS-18A, B LPCI injection valve pe r m issive Pressure switch (B22-N 413A, B, D) MS-PS-413A, B, D LPCS injection valve permiss i ve Pressure switch (B22-N 413C) MS-PS-413C a Instruments in parenthes e s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-2 Leak Detection System Instrumentation
Function Instrumen t a 7.6-34 Reactor core isolation cooling steam
supply pressure low Pressure switch (E31-N022A-D)
RCIC-PS-2 2 A-D Reactor co r e iso l ation cooling steam supply high flow Different i a l pressure sw itch (E31-N007B)
RCIC-D P I S-7B (E31-N013A, B)
RCIC-D P I S-13A, B Reactor core isolation cooling turbine
exhaust pressure high Pressure switch (E31-N012A-D)
RCIC-PS-1 2 A-D Reactor core isolation cooling equipment
room high differen tial temperature Temperatu r e monitor
LD-MON-1A
LD-MON-1B Reactor core isolation cooling equipment room high temperature Temperature monitor
LD-MON-1A
LD-MON-1B Reactor water cleanup/RCIC steam line
routing area temperature high Temperatu r e monitor
LD-MON-1A
LD-MON-1B Main steam line tunnel tempera t ure high Temperature monitor LD-MON-2A
LD-MON-2B Main steam line tunnel differential
temperature high Temperatu r e monitor
LD-MON-2A
LD-MON-2B C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-2 Leak Detection System Instrumentation (Continued) Function Instrument a 7.6-35 Residual heat removal equipment area
temperature high Temperature monitor
LD-MON-2A
LD-MON-2B Residual heat removal equipment area
differential temperature high Temperature monitor
LD-MON-2A
LD-MON-2B Residual heat removal shutdown cooling
suction flow rate - high Differential pressure switch (E31-N012A, B)
RHR-DPIS-12A, B Residual heat remova l heat exchanger area temperature - high Room 606 Room 507 Room 605 Room 505 Temperature monitor
LD-MON-2A
LD-MON-2B Main steam line high flow Differential pressure switch (E31-N008A-D through E31-N011A-D)
MS-DPIS-8A-D, 9A-D, 810A-D, 11A-D Reactor building equipment drain sump
level high Level switch (G11-N014A, B)
EDR-LS-14A, B
C OLUMBIA G ENERATING S TATION Amendment 60 F INAL S AFETY A NALYSIS R EPORT December 2009 Table 7.6-2 Leak Detection System Instrumentation (Continued) Function Instrument a LDCN-06-048 7.6-36 Reactor building floor drain sumps
level high Level switch (G11-N006A, B) (G11-N005A, B) FDR-LS-6A, B FDR-LS-5A, B Drywell floor drain flow high
Drywell equipment drain flow high Flow recorder switch
EDR-FRS-623 Drywell atmosphere particulate monitor Radiation monitor CMS-RIS-12A, 12B Drywell atmosphere noble rad gas
monitor Radiation monitor CMS-RIS-12A, 12B Reactor water cleanup flow - high Flow switch (E31-N605A, B)
LD-FS-605A, B Reactor water cleanup blowdown line flow - high Flow switch
LD-FS-15, 16 Reactor water clea nup heat exchanger area temperature - high Temperature monitor
LD-MON-1A
LD-MON-1B Reactor water clea nup heat exchanger area temperature high Temperature monitor
LD-MON-1A
LD-MON-1B Reactor water cleanup pump area
temperature - high Pump room A
Pump room B Temperature monitor LD-MON-1A LD-MON-1B
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-2 Leak De t ec t ion System Instrumentation (Continued)
Function Instrumen t a 7.6-37 Reactor water cleanup pump area temperature high Pump room A Pump room B Temperatu r e monitor LD-MON-1A LD-MON-1B Reactor water cleanup line routing a r ea temperature - high Room 509 Room 511 Room 408 Room 409 Temperatu r e monitor
LD-MON-1A
LD-MON-1B Auxiliary steam line area temperature -
high Temperatu r e monitor
LD-MON-1A
LD-MON-1B ECCS pump rooms water level - high (See Figure 7.6-2 for a table of each
room and level switch) a Instruments in parenthese s are the GE designation.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 Table 7.6-3 LPRM System Trips Trip Function Trip Action Trip Setpoint Trip Action LDCN-17-001 7.6-38 LPRM downscale 2% to full s cale 3% ODA and annunciator LPRM upscale 2% to full scale 100% ODA and annunciator LPRM bypass Manual switch ODA and APRM averaging compensation
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-4 Recirculation System Trip Functions
Action Event A B C D E 7.6-39 1 X 2 X 3 X X 4 X 5 X 6 X 7 X 8 X 9 X 10 X Events
- 1. Suction or discharge blo c k valve less than 90% open.
- 2. Loss of one ASD channel.
- 3. Turbine control valve fast closure or stop valve <90% open.
- 4. Trip of one or two ope r ating recirculation pu m ps. 5. Trip of both opera ting r ecirculation pumps.
- 6. Loss of one feedwater pu m p plus v e ssel low level (L4).
- 7. Temperatu r e dif f erence between the s t eam dome and the recirculation pump suction temperature less than 10.
7 F. 8. Pump motor electrical pr otection logic is activated.
- 9. Ves s el low l e vel (l evel 3). 10. Vessel low-low level (level
- 2) or vessel high p r essure (ATWS).
Actions A. Trip of pu m p mot o r 6.9-kV power supply.
B. "Runback" to 15 Hz. C. "Runback" or limit speed of impac t ed loop to single channel capability. D. "Runback" or limit speed to a speed deter m ined within the capa b ility of the remaini n g feed pump. E. Trip of RPT breakers (ASD output). C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-5 Spent Fuel Pool Cooling and Cleanup System
Instrumentation Specifications Function Instrumen t a Instrument Range 7.6-40 Fuel pool level alarm high L e vel switch LS-4, 5 6-1/8 in. Fuel pool level alarm low/cooling/cleaning isolation Level switch LS-4, 5 6-1/8 in. Fuel pool temperature indicator Temperature indicator TI-7 and TI-88 0-225 F Surge tank high level alarm Level indicating switch LIS-1A, LIS-1B 0-400 in. H 2 O Surge tank low level alarm pump shutoff Level indicating switch
LIS-3A2, LIS-3B2 0-400 in. H 2 O Surge tank makeup control
valve open Level indicating switch
LIS-3A1, LIS-3B1 0-400 in. H 2 O Surge tank makeup control
valve shut Level indicating switch
LIS-2A, LIS-2B 0-400 in. H 2 O Pool return flow indicator Flow indicator FI-16, FI-17 0-1200 gpm Pool return water temperature indicator Temperatu r e indicator TI-6 0-225 F Pump suction pressure low shutoff Pressure switch PS-6A, PS-6B 4-75 psig Pump discharge pressure low alarm/standby pump start Pressure switch PS-9A, PS-9B 20-180 psig Return flow to pool controller Differential pressure indicator
controller DPIC-1 0-100 psid F/D bypass AOV control Different ial pressure indicator controller DPIC-11 0-130 psid F/D bypass MOV control Differe ntial pressure indicating switch DPIS-12 0-130 psig Fuel pool high temperature
alarm Temperatu r e swi t ch T S-7, TS-8 0-225 F a All instruments prefixed - FPC C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 7.6-41 Table 7.6-6 Channels Required for Prote c ti v e Action Completion for the
Spent Fuel Pool Cooling and Cleanup System
Instrument Channel Channels Provided Minimum Channels Required Fuel pool level alarm - high 2 1 Fuel pool level alarm - low 2 1 Fuel pool temperature high alarm/indicator 2 1 Surge tank level high 2 1 Surge tank level low 2 1 Fuel pool return flow indicator 2 1 FPC Recirculation pump suction pressure low/pump s hut off 1 per pump 1 per pump FPC Recirculation pu m p discharge pressure
low alarm/standby pump start 1 per pump 1 per pump
C OLUMBIA G ENERATING S TATION Amendment 56 F INAL S AFETY A NALYSIS R EPORT December 2001 Table 7.6-7 Suppression Pool Temperature
Monitoring Instrumentation Function Instrument 7.6-42 Monitor suppression pool temperat u re Thermocouple SPTM-TE-1A, 1B through 8A, 8B; 9 through 16 Temperatu r e recorder Multipen recorder CMS-TR-5, CMS-TR-6 Average temperature indicator SPTM-T I-5
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-004 7.7-1 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY
7.
7.1 DESCRIPTION
This section describes instrume ntation and controls of majo r plant control systems whose functions are not essential for the safety of the plant. This section also describes instrumentation and controls not e ssential for the safety of the pl ant, which are not discussed in any other FSAR section. The systems include
- a. Reactor vessel instrumentation,
- b. Reactor manual control system (RMCS),
- c. Recirculation flow control system,
- d. Feedwater control system,
- e. Digital Electro-Hydraulic (DEH) control system,
- f. Neutron monitoring system (NMS) -
traversing in-core probe (TIP), source range monitor (SRM), rod block monitor (RBM),
- g. Process computer system and rod worth minimizer function (RWM),
- h. Loose parts detection system (LPDS), Retired
- i. Refueling interlocks,
- j. Safety/relief valve (S RV) relief function, and
- k. Transient data acquisition system (TDAS).
See Tables 7.7-1 and 7.7-2 for system design and supply re sponsibility and similarity to licensed reactors, respectively.
7.7.1.1 Reactor Vessel Figure 10.3-2 shows the arrangements of the sensors and sensing equipment used to monitor reactor vessel conditions.
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDCN-98-104, 98-117 7.7-2 7.7.1.1.1 Function
The purpose of the reactor vessel instrumentation is to monitor key react or vessel variables to provide the operator with information during normal plant operation, st artup, and shutdown.
7.7.1.1.2 Operation
The following is a discussion of each reactor vessel variable monitored: 7.7.1.1.2.1 Reactor Vessel Temperature. The reactor vessel temperature is determined on the basis of reactor coolant temperature. Temperatures needed for operation and for compliance with the Technical Specifications operating limits are obtained from one of several sources, depending on the operating condition. During normal opera tion, either reactor pressure and/or the inlet temperature of the coolant in the reci rculation loops can be used to determine the vessel temperature. The recirc ulation suction temperature (via thermocouples) is the primary temperature measurement when less than 100 psig. When greater than 100 psig, vessel pressure converted to saturation temperature is the primary measurement. During normal operation, vessel thermal transients are limited via operational constraints on parameters other than temperature.
7.7.1.1.2.2 Reactor Vessel Water Level. Figure 7.7-1 shows the water level range and the reactor vessel tap location for each water level range. The instruments that sense the water level are differential pressure devices with a condensate referen ce leg calibrated to be accurate at a specific vessel pressure and liquid temperature condition. During operati on, a continuous flow of gas-free water at a flow rate of about 0.12 to 0.48 gal/hr is also maintained through each reference leg to the reference leg conde nsing chamber to minimize the transport of dissolved noncondensable gases down the reference leg. The following is a description of each water level range shown in Figure 7.7-1
- a. Shutdown water level range: This range is used to monitor the reactor water level during reactor shutdown conditions when the reactor system is flooded for maintenance and head removal. The ve ssel pressure and temperature conditions that are used for the calibration are 0 ps ig and 120°F water in the vessel. The two vessel instrument tap elevations used for this water level measurement are located at the top of the reactor vessel head and the instrument tap just below the bottom of the dryer skirt.
- b. Upset water level range: This range is used to monitor the reactor water level above the narrow range scale (see item c below). The design and vessel taps are the same as outlined above.
The vessel pressure a nd temperature condition for accurate indication is at the normal power operating point. The upset water level is continuously indicated by a recorder in the control room. The upset range upper limit is higher than the narro w range upper limit. Therefore, when C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 0 4 7.7-3 the indication is upscale on the narrow ra nge recorder, water level indication may be read immediately from the upset range recorder. See Section 7.7.1.4.
- c. Narrow water level range: This range uses reactor vessel taps at the elevation near the top of the dryer skirt and the taps at an elevation n ear the bottom of the dryer skirt. The zero of the instrument is the bottom of the dryer skirt and the instruments are calibrated to be accurate at the normal power operating point. The feedwater control system uses this range for its water level control and indication inputs. See Section 7.7.1.4.
- d. Wide water level range:
This range uses reactor vessel taps at the elevation near the top of the dryer skirt and the ta ps at an elevation near the top of the active fuel. The zero of the instrument is the bottom of the dryer skirt (527.5 in. above the vessel bottom inside) and the instruments are calibrated to be accurate at the normal power operating point. See Section 7.5 for the safety-related features of this range.
- e. Fuel zone water level range
- This range uses reactor vessel taps at the elevation near the top of the dryer skirt and the ta ps at the jet pump diffuser skirt. The zero of the instrument is the bottom of the dryer skirt (527.5 in. above the vessel bottom inside) and the instruments ar e calibrated to be accurate at 0 psig and saturated conditions. See Section 7.5 for the safety-related features of this range. To decouple the change in meas ured water level with changes in drywell temperature, the elevation drop from reactor vessel penetration to the drywell penetration remains uniform for the narrow-range and wide-range water level instrument lines.
7.7.1.1.2.3 Reactor Core Hydraulics. A differential pressure transmitter indicates core plate pressure drop by measuring the pressure diffe rence between the core inlet plenum and the
space just above the core support assembly. The instrument sens ing line used to determine the pressure below the core support assembly att aches to the reactor ve ssel nozzle N-11. An instrument sensing line is provided for measuring pressure above the core support assembly. The differential pressure of the core plate is recorded in the main control room. Another differential pressure device indicates the jet pump developed head by measuring the pressure difference between the pr essure above the core and the pressure below the core plate. This is indicated locally a nd in the main control room. 7.7.1.1.2.4 Reactor Vessel Pressure. Pressure switches, indicat ors, and transmitters detect reactor vessel internal pressure from the same instrument lines used for measuring reactor vessel water level.
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 0 4 7.7-4 7.7.1.2 Reactor Manual Control System
7.7.1.2.1 Function
The RMCS provides the operator with the means to make change s in nuclear reactivity by the operator manipulating cont rol rods so that reactor power level and power distribution can be controlled.
This system includes th e interlocks that inhibit rod movement (rod block) under certain conditions. The RMCS does not include any of th e circuitry or devices used to automatically or manually scram the reactor; thes e devices are discussed in Section 7.2. In addition, the mechanical devices of the control rod drives (CRD) and the CRD hydraulic system are not included in the RMCS. The latter mechanical component s are described in Section 4.1.3. 7.7.1.2.2 Operation
The RMCS includes the following:
- a. Rod drive control system, b. Rod block trip system,
- c. Rod position probes, and
- d. Position indication electronics.
Figure 4.6-5 show the layout of the CRD hydraulic system. Figure 7.7-2 shows the functional arrangement of devices for the control of co mponents in the CRD hydraulic system. The logic diagram for the RMCS is shown in Figure 7.7-3. Although the figure also shows the arrangement of scram devices, these devices are not part of the RMCS. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish these actions.
7.7.1.2.2.1 Rod Drive Control System. When the operator selects a control rod for motion and operates the rod insert or withdraw control switch, independent messages are formulated in the A and B portions of the rod drive control sy stem (RDCS). A comparison test is made of these two messages, and identical results confirmed; then a se rial message in the form of electrical pulses is transmitted to all hydraulic control units (HCU). The message contains two portions: (1) the identity or "address" of the selected HCU and (2) operation data on the action to be executed. Only one HCU responds to this messag e and it proceeds to execute the rod movement commands.
On receipt of the transmitted signal the responding HCU transmits three portions of a message back to the control room for comp arison with the original message:
- a. Hard-wire id entity "address,"
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 0 4 7.7-5
- b. Operations currently being executed, and
- c. Status indications of valve positions, accumulator conditions, and test switch positions.
In either rod motion direction, the A and B messages are formulat ed and compared each millisecond and, if they agree, the A message is transmitted to the HCU selected by the operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are ac coupled. The system must operate in a dynamic manner to effect rod motion.
Any disagreement between the A and B formulat ed messages or the responding echo message will prevent rod motion. Electrical noise di sruptions will have only a momentary effect on system operation. Correct operation of the syst em will resume when the noise source ceases.
In Figure 7.7-4 , the three modes of the solid-state RMCS are shown:
- a. Operator control mode: This mode (0.0002-sec duration) se rvices the control rod selected by the operator to transm it action commands a nd receive status indications, i.e., pres ence of rod blocks.
- b. Scan mode: This mode (0.045-sec duration) continuously monitors the other control rods in the reactor, one at a time, to update their status display.
- c. Self test mode: This mode (on the order of 20 to 100-sec duration) automatically exercises one HCU at a time to ensure correct execution of actions commanded. This provides for a continuous, periodic self-t est of the entire RMCS.
In the event that any discrepanc y is detected in one of these three modes of operation, a rod motion inhibit is applied. This situation is alarmed and annunciated on the reactor control console as an "activity disagr ee" condition. The CRD control system is also designed to produce a rod motion inhibit condition should any failure of the system occur.
The cause of the discrepancy or failure must be corrected before rod movement can proceed. Note, however, that this syst em cannot affect normal shutdown capability via the reactor protection system (RPS).
The rod selection circuitry is a rranged so that a rod selection is sustained until either another rod is selected or separate acti on is taken to revert the selection circuitry to a no-rod selection
C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDC N-9 8-1 0 4 7.7-6 condition. Initiating movement of the selected rod prev ents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.
The direction in which the selected rod moves is determined by the position of four switches located on the reactor control panel. These four switches, "insert," "withdraw," "continuous insert," and "continuous withdr aw" are push buttons which retu rn by spring action to an off position. The following is a description of the operation of the RMCS during an insert cycle. The cycle is described in terms of the insert, wit hdraw, and settle commands from the RMCS. With a control rod selected for moveme nt, depressing the "insert" switch and then releasing the switch en ergizes the insert command fo r a limited time. Just as the insert command is removed, the settle command is automatically energized and remains energized for a limited time. The insert command time
setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-in.) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the "insert" switch.
A second switch can be used to aff ect insertion of a selected control rod. This switch is the "continuous insert" switch. By holding this switch "in," the unit maintains the insert command in a continuous, energize d state to cause continuous inse rtion of the selected control rod. When released, the "insert valves" close immediately and no settle function is available so rod motion stops via leakage past the seals.
The following is a description of the operation of the RMCS during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle commands. With a control rod selected for move ment, depressing the "withdrawal" switch energizes the insert valves at the beginning of the withdrawal cycle to allow the collet fingers to disengage the index tube. When the insert valves are deenergized, the withdraw and settle valves are energized for a controlled period of time. The withdraw valve is deenergized before motion is complete; the drive then settles until the collet fingers engage. The settle valve is then deenergized, completing the withdraw cycle. This withdraw cycle is the same whether the withdraw switch is held continuously or momentarily depressed position. The timers that control the withdraw cycle are se t so that the rod travels one notch (6-in.) per cycle. Pr ovisions are included to prevent further control rod motion in the event of timer failure.
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-14-003 7.7-7 A selected control rod can be continuous ly withdrawn if the "withdraw" switch is held in the depressed position at the same time that the "continuous withdraw" switch is held in the depresse d position. With both switches held in
these positions, the insert valves ener gize momentarily and then the withdraw valves are continuously energized. Upon releasing the switches the settle function will start.
7.7.1.2.2.2 Rod Block Trip System. This portion of the RMCS on receipt of input signals from other systems inhibits movement or selection of control rods.
- a. Grouping of channels
The same grouping of neutron monitori ng equipment [SRM, intermediate range monitor (IRM), average power range monitor (APRM), and RBM] that is used in the RPS is also used in the rod block circuitry.
Half of the total monitors [SRM, IRM, APRM, RBM, reactor recirculation control (RRC) flow units, flow compar ator, and scram discharge volume high level] provide inputs to one of the RMCS rod block logic circuits and the remaining half provide inputs to the other RMCS rod bloc k logic circuit.
The rod withdrawal block from the RWM trip affects only one RMCS rod block
logic. The rod insert block from the RWM function prevents both notch insertion and continuous insertion.
The APRM and RBM (see Section 7.7.1.8) rod block settings are varied as a function of recirculation flow. Analyses show that the selected settings are
sufficient to avoid both RPS action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the pos ition signals used to indicate that a detector is not fully inserted. A dditional discussion of the NMS is in Sections 7.7.1.6 , 7.7.1.7 , and 7.7.1.8. The rod block from scram discharge volume high water level uses two nonindicating transmitter/level switches installed on the scram discharge volume. These two transmitter/level switches provide a control room annu nciation of increasing level below the level at which a rod block occurs.
- b. Rod block functions
The following discussion describes the various rod block functi ons and explains the intent of each function. The instru ments used to sense the conditions for which a rod block is provided are discus sed in the following sections. The rod
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT April 2015 LDCN-14-004 7.7-8 Figures 7.7-3 and 7.6-3 show the rod block interl ocks used in the RMCS. Figure 7.7-3 shows the general functional arra ngement of the interlocks, and Figure 7.6-3 shows the rod blocking functions that originate in the NMS.
- 1. With the mode switch in the S HUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode. 2. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:
(a) Any APRM upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed.
The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.
(b) Any APRM inoperative alarm. This ensures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in se rvice or correctly bypassed.
(c) Scram discharge volume high wate r level. This ensures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram disc harge volume high water level.
(d) Scram discharge volume high wa ter level scram trip bypassed. This ensures that no control rod is withdrawn while the scram
discharge volume high water level scram f unction is out of service. (e) The RWM can initiate a rod inse rt block and a rod withdrawal block. The purpose of these func tions is to reinforce procedural controls that limit the reactivity worth of control r ods under lower power conditions. The rod block trip settings are based on the
allowable control rod worth limits establishe d for the design basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is
observed. C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT April 2015 LDCN-14-004 7.7-9 Additional information on the RWM function is in Section 7.7.1.10. (f) Rod position information syst em (RPIS) malfunction. This ensures that no control rod can be withdrawn unless the RPIS is in service.
(g) Either RBM upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result. Although local fu el damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.
(h) Either RBM inoperative alarm. This ensures that no control rod is withdrawn unless the RBM channels are in service or correctly bypassed.
- 3. With the reactor mode switch in the RUN position, any of the following conditions initiates a rod block.
(a) Any APRM downscale alarm. This ensures that no control rod will be withdrawn during power range operation unless the
average power range neutron mo nitoring channels are operating correctly or are correctly by passed. All unbypassed APRMs
must be on scale during reactor operations in the RUN mode.
(b) Either RBM downscale alarm. This ensures that no control rod is withdrawn during power range operation unless the RBM channels are operating correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the RUN mode.
(c) Any recirculation flow unit ups cale, inoperative, or comparator alarm. This ensures that no control rod is withdrawn unless the flow channels are operable, the difference between flow units is within limits, and the flow rate is not unusually high.
- 4. With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiates a rod block:
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT November 2015 7.7-10 (a) Any SRM detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This ensures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information.
(b) Any SRM upscale level alarm. This ensures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the
upper end of the range over which the SRM is designed to detect and measure neutron flux.
(c) Any SRM downscale alarm. This ensures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.
(d) Any SRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available.
(e) Any IRM detector not fully inserted into the core. This ensures that no control rod is withdrawn during low neutron flux level operations unless proper neut ron monitoring capability is available.
(f) Any IRM upscale alarm. This ensures that no control rod is withdrawn unless the intermedia te range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provided a means to stop rod withdrawal in time to avoid conditions requiri ng RPS action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
(g) Any IRM downscale alarm except when range switch is on the lowest range. This ensures th at no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM
too far for the existing flux level. Thus, the rod block ensures that the IRM is on scale if cont rol rods are to be withdrawn. C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT November 2015 LDCN-14-004, 10-004 7.7-11 (h) Any IRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available.
- c. Rod block bypasses
To permit continued power operation duri ng repair or calibra tion of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are pe rmitted as follows:
- 1. One SRM channel,
- 2. Two IRM channels (1 on e ither RPS bus A or bus B), 3. One APRM channel, and 4. One RBM channel.
The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is main tained with one channel bypassed in each group. These bypasses are affect ed by positioning switches in the control room. A light in the control room indicates the bypassed condition.
An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset lo w level on the SRM instrumentation. The bypass allows the detectors to be pa rtially or complete ly withdrawn as a reactor startup is continued.
An automatic bypass of the RBM rod block occurs wh en the power level is below a preselected level (less than 30% power) or when a peripheral control rod is selected. Either condition indicates that lo cal fuel damage is not threatened and that RBM action is not required.
The RWM rod block function is automa tically bypassed when reactor power increases above a preselected value in the power range. The RWM can be manually bypassed for maintenance when not required by procedure. C OLUMBIA G ENERATING S TATION Amendment 54 F INAL S AFETY A NALYSIS R EPORT April 2000 LDCN 9 8-1 0 4 7.7-12 7.7.1.2.2.3 Rod Position Probes. The position probe is a long cylindrical assembly that fits inside the CRD. It includes 53 magnetically ope rated reed switches, located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic
drive mechanism. As the drive, and with it the control rod bl ade, moves along its length, the magnet causes reed switches to close as it pass es over the switch locations. The particular switch closed then indicates where the CR D, and hence the rod itself is positioned.
The switches are located as follows: one at each of 25 notch (even) positions, one at each of 24 mid-notch (odd) positions, one at the fully inserted position (approximately the same location as the "00" notch), one at the fully withdrawn position (appr oximately the same location as the "48" notch pos ition), one at the overtravel fu ll out (decoupled position), and one at the overtravel full in position.
All of the mid-notch or odd switches are wired in parallel and treated as one switch (for purposes of external connections), and the fully inserted and overtravel full-in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5 x 6 array (the switches short the intersections) and routed out in an 11-wire cable to the processing electronics (the probe also includes a thermocouple which is wired out separate from the 5 x 6 array). See Figure 7.7-5. 7.7.1.2.2.4 Position Indication Electronics. The electronics cons ist of a set of probe multiplexer cards (one per four-r od group where the four-rod group is the same as the display grouping described later in this section), a set of file cont rol cards (one per 11 multiplexer cards), and one set of master control and processing cards serving the whole system. All
probe multiplexer cards are the same except that each has a pa ir of plug-in daughter cards containing the identity code of one four-rod group (the probes for the corresponding four rods are connected to the probe multiplexer card). The system op erates on a con tinuous scanning basis with a complete cycle every 45 msec.
The control logic generates the identity code of one rod in th e set and transmits it using time multiplexing to all of the file control cards. These in turn transmit the identity with timing signals to all of the probe multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the raw probe data for that rod back through the file control card to the master control and processing logic. The processing logic does several checks on the returning data. First a check is made to verify that an answer was received. Next the identity of the answering data is checked against that which was sent. Finally the format of the data is checked for legitimacy. On ly a single even position or, full-in plus position "00," or full-out plus position "48," or odd, or overtravel, or blank (no switch closed) are legitimate. Any other combination of swit ches is flagged as a fault.
If the data passes all of these tests, it is (a) decoded and tran smitted in multiplexed form to the displays in the main control panel and (b) loaded into a memory to be read by the computer as required. C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-17-001 7.7-13 As soon as data for one rod is processed, the identity for th e next rod is generated and processed and so on for all of the rods. When data for all r ods has been gathered, the cycle repeats. A rod information display on the reactor control panel is patterned after a top view of the reactor core. The display allows the operato r to acquire informa tion rapidly by scanning. Colored windows provide an overa ll indication of rod pa ttern and allow the operator to quickly identify an abnormal indication. The following in formation for each control rod is presented in the display:
- a. Rod fully inserted (green),
- b. Rod fully withdrawn (red),
- c. Selected rod identificati on (coordinate pos ition, white), d. Accumulator trouble (amber),
- e. Rod scram (blue), and
- f. Rod drift (red).
LPRM low flux levels and LPRM high flux levels are displa yed on the Operator Display Assemblies (ODA) locat ed below the display. Another display shows the positions of the control rod selected for movement and the other rods in the rod group. For display purposes th e control rods are cons idered in groups of four adjacent rods (a four-rod group) cente red around a common core volume monitored by four LPRM strings. Rod groups at the periphery of the core ma y have less than four rods. The four-rod display shows the positions, in digital form, of the rods in the group to which the selected rod belongs. A lighted background on the digital di splay indicates which of the four rods is selected for movement. The four-rod display allows the operator to fo cus attention on the portion of the core where rod motion is occurring. A full core rod pos ition display would tend to be confusing and difficult to read. The ODA's permit the opera tor to monitor the core reactivity during rod motion. In addition, on dema nd by the operator, the process co mputer will provide a print out of all rod positions. During startup or shutdown all rods of a give n sequence are either fu lly withdrawn or fully inserted. These patterns are indicated on the full co re display with the full-in or full-out lights. In addition to the whole core display, a drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer. An indication is also provided for rod trend beyond the limits of normal rod movement. If the rod drive piston moves to the overtravel position, an alarm is sounded in the control room. The overtravel alarm provides a means to verify th at the drive-to-rod coupling is intact because C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-17-001 7.7-14 with the coupling in its normal condition the drive cannot be physica lly withdrawn to the overtravel position. Coupling inte grity can be checked by attempti ng to withdraw the drive to the overtravel position. For the displays above the se lected rod identification, accumulator trouble and rod scram indicators are provided by the RDCS. The OD A LPRM high and low flux level readings are provided by the power range monitor system. Th e remaining information to the displays and the position information for the process comput er (via the RWM) are provided by the rod position information subsystem. The following main control room lights are pr ovided to allow the operator to know the conditions of the CRD hydraulic sy stem and the control circuitry:
- a. Stabilizer valve se lector switch position, b. Insert command energized,
- c. Withdraw command energized,
- d. Settle command energized,
- e. Withdrawal not permissive,
- f. Continuous withdrawal,
- g. Pressure control valve position,
- h. Flow control valve position,
- i. Drive water pump low suction pr essure (alarm and pump trip), j. Drive water filter high diffe rential pressure (alarm only), k. Charging water (to accumulator) high pressure (alarm only),
- l. Scram discharge volume not drained (alarm only), and m. Scram valve pilot air header high/low pressure (alarm only).
7.7.1.3 Recirculation Flow Control System 7.7.1.3.1 Function The recirculation flow control function is to control reactor power level, over a limited range, by controlling the flow rate of the reactor reci rculating water using r ecirculation pump speed. The recirculation flow control system is not required for safety purposes, nor required to operate during or after the desi gn-basis accident. The system is required to operate in the normal plant environment for power-generation purposes only. C OLUMBIA G ENERATING S TATION Amendment 53 F INAL S AFETY A NALYSIS R EPORT November 1998 7.7-15 7.7.1.3.2 Operation
Reactor circulation flow is varied by controlling the recircula tion pump speed. By adjusting recirculation pump speed the change in recirculation flow will automatically change the reactor power level. Each recirculation pump has its individual manual control system as well as the capability of being controlled in unison or ganged by the master setpoint station.
Figure 7.7-6 shows a simplified control scheme for the reactor recirculation flow control system and its relationship to other nuclear steam supply sy stem (NSSS) control schemes.
The reactor power change resulting from change in recirculation flow caus es the turbine digital electrohydraulic (DEH) control system to repositi on the turbine control valves. The turbine responds to the change in react or power level by adjusting the control valves, and hence its power output, until the lo ad/speed error signal is reduced to zero.
Operator Information
Indication and alarms are provided to keep the ope rator informed of the status of the system and equipment and allow the operator to quic kly determine the location of malfunctioning equipment.
Instrumentation provides loop flow, pump speed , and controller output and input deviation meters. Alarms are provided to alert the operator of malfunctioning control signals and increasing temperatures of coo ling water. In most cases, alarms are supplemented by light indicators to more closely define the problem area.
Indicating lights are provided to indicate the status of the pump/motor control breakers. Alarms are provided to alert th e operator of automatic trips a nd transfers of the pump/motor, malfunctions, and availability of automatic control circuitry.
The GE-FANUC reactor flow control system (RFCS) provides manual control of the RRC pump speed. The GE-FANUC is a programmable logic controller (PLC) located in panel H13-P634 in the main control room. It consists of digital control design which provides operator manual control for the RRC pump speed demand, permissive logic for starting the RRC pump motor, and runback limiter logic functions.
The operator sets the RRC pump speed from a manual ganged or in dividual loop control setpoint station located in panel H13-P602 in the main control room. The control station provides an adjustable speed dr ive (ASD) speed reference dema nd signal to adjust the supply frequency over the range 15 Hz to 63 Hz, wh ich adjusts the speed of the RRC pump drive motors over the range 25% to 105% and in tu rn controls the recirculation flow rate.
Figure 7.7-7 shows a simplified version of the contro l system major functions. The individual
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT November 2015 LDCN-10-004 7.7-16 loop manual setpoint/bias station also has the ability to trim (bias) each loop speed to allow for dissimilarities in performance of the pumps. The GE-FANUC PLC consists of redundant cen tral processing units (CPU) redundant data communication buses, and redundant genius input/output, (I/O) blocks. A single video display terminal (VDT) is located on the control benchboard, H13-P602, to provide operating status. Major component gr oup alarms are also pr ovided via the backlit annunciator windows located on the vertical section of H13-P602. The ASD speed demand reference signal is set by the operator. The GE-FANUC PLC conditions the speed demand signal for each loop for an acceptable ramp rate and for runback limiters, where required. The sp eed demand reference si gnal is routed from the control room to the ASD local communication panel via redundant data communi cation buses. At the ASD local communication pane l, redundant genius I/ O blocks transmit the speed demand reference signals (2-10-V dc) to the appropriate ASD loop/ channel controls. The operator monitors the performance of the RRC using the indicators located on the vertical sect ion of the benchboard H13-P602. The ASD runs at the lowest speed demand of either the limiter signal or the speed demand
setpoint signal. On initiation of a limiter or development of an alarm or fault in the RFCS or ASD channel, a main control ro om annunciator alarms and the individual loop setpoint bias stations at H13-P602 are transferred from the ganged control to the individual loop control. Recirculation Pump Flow Measurement The recirculation loop elbow tap differential pressu re is used to provid e indirect core flow indication for the flow-biased simulated thermal power scram and to indicate pump performance and jet pump drive flow. In general these functions do not require high measurement accuracy, although re peatability is required. The flow-biased simulated thermal power scram requires a signal that is proportional to pump flow. The signal is used as an indicator of core flow. The proportionality c onstant (calibration coefficient - pressure drop versus flow) is unimportant as long as that constant does not ch ange; that is, the element is repeatable. Control Interlocks Operating conditions have been identified that could result in cavitation of the recirculation pumps and/or jet pumps. Operating procedures require the plant operator to avoid these conditions. In the event that due to operator error these conditi ons are not avoided, automatic interlocks exist which will prev ent operation at these conditions. C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT November 2015 LDCN-10-004 7.7-17 Cavitation Protection
The cavitation characteristics (thermal power level at whic h cavitation will occur for a given flow) of the jet pumps and recirculation pump are similar to a BWR/3 and BWR/4 except that jet pump cavitation occurs at higher thermal power levels. Protection is provided by measuring the available subcooling and reducing the pumps to 25% speed when there is inadequate subcooling. Temp erature elements in the loop suction line and steam dome pressure transmitters measure the amount of subcooling available to the system. For the pump suction temperature an RTD is us ed. For the discharge measurement, steam dome pressure is used. With GE-FANUC digital capability a programmed "look up" table converts pressure to temperature and hence a differential temperature in terlock is provided for the measurement of subcooling. If the minimum differential temperature becomes less than a predetermined value, the control logic will pr ovide a time delayed co mmand and run its output down to 15 Hz; hence the dual channel ASD output will reduce to 15 Hz and each recirculation pump motor will run back to 25% speed.
Feedwater Pump Trip Runback
The recirculation pump(s) will runback to a sp ecific speed setpoint in response to the combination of a feedwater turb ine trip and a low reactor pressure vessel (RPV) water level (L4). If the recirculation pump(s) were operating at or below the specified speed setpoint, a change in speed will not incur. This runback feature prevents a scram from a low level condition caused by one feedwater pump trip from rated conditions base d on testing results.
High Loop Flow Mismatch
Mismatch of the flow in one loop to the othe r loop of greater than 50% is known to create abnormal conditions in the jet pumps having the lower flow. Such operation is normally precluded by operating procedures. Following a trip of one of two operating pumps, the tripped pump coasts down to zero.
Loop Suction and Discharge Isolation Valve Position
The pump is tripped at less than 90% open position of either valve to prevent pump damage from no flow if isolation valve closure is initiated while the pumps are running.
Trip to 25% Speed
The pumps are tripped to 25% speed in specific cases to avoid scram re covery delays due to vessel bottom head fl uid stratification.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.7-18 Startup Interlocks
Interlocks ensure that the following conditions are established before the recirculation pump will start:
- a. The ASD is ready for operation,
- b. The suction and discharge block valves are greater than 90% open, c. The electrical protection "lock out" relay is reset, d. The pump motor breakers, end-of-cycle recirculation pump trip (EOC-RPT) breakers, and ASD source and load breakers are racked in place and closed,
- e. The RPT function is reset, and
- f. The operator manual control station is set to minimum pump speed demand.
The flow control system has been designed to limit the maximum demand signal to the ASD at
a rate of less than 10% of ra ted pump speed/sec. This is to ensure that the RPS will not initiate scram. Interlocks are installed to ensure that this limit is not exceeded.
Recirculation Pump Speed Rate of Change
Single failures can result in a recirculati on pump speed maximum rate of change in both recirculation pumps of 10% of rated pump speed /sec, which may result in RPS activation. This value is the average con tinuous rate used in the transi ent analysis for the two loop controller failure event. For a one loop controller failure even t, a higher than maximum rate of 25%/sec was assumed in the analysis.
The worst single failure would be an ASD control circuit failure which provides a high voltage/frequency power source to the motor.
Scram Avoidance Provisions
- a. One pump trip-pump inertia is greater than 21,500 lb m-ft 2 to allow coastdown without an RPS trip,
- b. Recirculation pump speed runback if th ere is a trip of one feedwater pump and vessel low level from rated cond itions based on testing results.
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 LDC N-0 0-0 5 8 7.7-19 Reliability
The reliability of the ASD system and its GE-FANUC contro ls have been evaluated in NEDC-32232-P, "WNP-2 Reactor Recirculation Adjustable Speed Drive (ASD) System Reliability Analysis," August 1993. This reliability eval uation concludes that no credible failure modes were found that c ould affect safety assumptions for the loss-of-coolant (LOCA), anticipated transient without scram (ATW S), transient, and stability analyses. 7.7.1.4 Feedwater Control System
7.7.1.4.1 Function
The feedwater control system controls the flow of feedwater into the reactor vessel to maintain the vessel water level within predetermined limits during all normal pl ant operating modes. The range of water level is ba sed on the requirements of the steam separators. The feedwater control system uses vessel water level, steam flow, and feedwater flow as a three-element control.
Normally, the signal from the feedwater flow is approximately equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will resu lt from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly. Single-element control is also av ailable based on water level only.
7.7.1.4.2 Operation
During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel. The system can also be manually operated (see Figure 7.7-8 ). The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel.
The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators lim it water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. The water level in the reactor vessel is maintained within +/-2 in. of the setpoint value during normal operation and within the high and low level trip setpoints during normal plant maneuvering transients. This control capability is achieved during plan t load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow is regulated by controlling the speed of the turbine-driven feed water pumps to deliver the required flow to the reactor vessel.
C OLUMBIA G ENERATING S TATION Amendment 55 F INAL S AFETY A NALYSIS R EPORT May 2001 7.7-20 The following is a discussi on of the variables sensed for system operation. 7.7.1.4.2.1 Reactor Vessel Water Level. Reactor vessel narrow range water level is measured by three identical, independent sensing systems. For each channel, a differential
pressure transmitter senses the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the reactor vessel. The differential pressure transmitter is installed on lines that serve other systems (see Section 7.7.1.1). Two of the differential pressure signa ls are used for i ndication and control and the third for indication only. The narrow-ra nge level signal from one of the two control channels can be selected by the operator as the signal to be used for fe edwater flow control. A third-narrow range level sensing channel is used in conjunction with the two control channels to provide high water level trips of the main turbine and feed pump turbines. All three narrow-range reactor level signals and reactor pressure are indicated in the main control room. A fourth level sensing system (upset range) provides level info rmation beyond the span of the narrow range devices. The selected narrow-range wate r level and upset range water level signals are continually reco rded in the main control room.
7.7.1.4.2.2 Main St eam Line Steam Flow. Steam flow is sensed at each main steam line flow restrictor by a differential pressure transmitter. A signal pro portional to the true mass steam flow rate is linearized and i ndicated in the main control room. The signals are summed to produce a total steam flow signal for indication and feedwater flow control. The total steam flow signal is recorded in the main control room.
Alarms on steam flow are provided for use in the RWM logic. Interlocks from steam flow and feedwater flow are used to initiate insertion of the RWM block. An alarm on low steam flow
indicates that the above RWM in sertion interlock setpoint is being approached. Alarms are also provided for (1) high and low water level and (2) reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in event of reactor high water level.
7.7.1.4.2.3 Feedwater Flow. Feedwater is delivered to the reactor vessel through turbine-driven feedwater pumps, which are arranged in parallel. The feedwater control system sends a flow demand signal to the master level setpoint station and to the tu rbine governor control system. The turbine governor control system converts the fl ow demand signal to a turbine speed signal. On either system failure, the turbine speed sign al is maintained at the steady value by each turbine operator control station, until the operator takes manual control. Both systems share data via a communications bus, and any transfer of control signal is bumpless. On reactor SCRAM, level setpoint setdown is performed in the feedwater control system. This immediately demands a low flow value, thus rapidly re ducing feedwater flow and the likelihood of carryover.
Feedwater flow is sensed at a flow element in each feedwater line by differential pressure transmitters. Each feedwater signal is linearized and then summed to provide a total mass flow signal which is sent to the fe edwater control system and r ecorded in the control room. C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.7-21 Three modes of feedwater flow control and thus level cont rol are provided.
- a. Startup automatic level control,
- b. Run mode automatic flow control, and
- c. Manual control.
Four level controllers are provided for startup va lve control and automatic feed pump control. The master level setpoint stati on and startup valve control stati on contain, as a minimum, level setpoint digital display, si gnal output display, manual output control, manual/automatic switching capability, and manual setpoint adjustment. The two feed pump operator control
stations contain turbine speed and pump disc harge pressure displays, pump speed bias and signal output displays, manual output control, and manual/automatic switching capability. Each of these manual/automatic stations are soft ware configured for its specific function. In the startup level control mode, measured level is compared to level setpoint within the controller. The resulting signal is conditioned by the proportional plus integral controller circuits and transmitted to th e startup level control valves.
During normal operation three element automatic control is provide
- d. The total steam flow/feed flow signal, modified by the conditi oned level error signal, provides a flow demand signal to the feedwater flow c ontrol loop. The demanded flow is converted to a speed demand which is compared to actual speed for each active pump.
The resulting speed error signal changes the turbine speed, zeroing the error signal.
Manual control is available by selecting manual on the controlle r manual/automatic stations. Flow change is accomplished by depressing the raise button or lower button depending on the desired flow change.
The level control system also pr ovides interlocks and control functions to other systems. If the recirculation pumps are running at a speed great er than the single fe ed turbine capability setpoint, loss of one of the reactor feed pumps and coincident or subsequent low water level, recirculation flow is reduced to within the power capabilities of the remaining reactor feed pump. This reduction aids in avoiding a low level scram by re ducing the steaming rate from rated conditions base d on testing results. 7.7.1.5 Digital Electro-Hydraulic Control System 7.7.1.5.1 Function
The function of turbine pressure regulation and control is performed by the DEH system. As a direct cycle boiling water reactor the turbine is slaved to the reactor in that all (except steam to the moisture separator reheaters) steam generated by the reactor is normally accepted by the turbine. The operation of the reactor requires pressure regulation to maintain a constant
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-057 7.7-22 (within the range of the DEH proportional contro ller setting) turbine inle t pressure with load following ability accomplished by variation of reactor power.
The DEH control system normally controls the turbine governor valves to maintain this constant turbine inlet pressure. In addition, the DEH control system also operates the steam bypass valves such that a porti on of nuclear boiler flow can be bypassed when operating at steam generation levels that exceed the turb ine load limits as well as during the startup and shutdown phase.
The overall turbine DEH control system accomplishes the following:
- a. Control turbine speed and turbine acceleration, b. Control the steam bypass system to k eep reactor pressure within limits, and avoid large power transients, and
- c. Control turbine inlet pr essure within the DEH pr oportional controller range.
7.7.1.5.2 Operation
Pressure control is accomplishe d by controlling main steam pressure imme diately upstream of the main turbine throttle and governor valves through modulation of th e turbine-governor or steam bypass valves. Command signals to thes e valves are generate d by the DEH control system which receives input from three redundant turbine inlet pressure sensors, as shown in Figure 7.7-9. For normal operation, the turbine governor valves regulate st eam pressure. The plant ability to change turbine generator output is enabled by adjusting reactor power level, by varying reactor recirculation flow and by manua lly moving control rods. In response to the resulting steam production change s, the DEH control system adjusts the turbine governor valves to accept the steam output change, th ereby regulating steam pressure and changing turbine generator power output.
7.7.1.5.2.1 Steam Pressure Control. During normal plant opera tion, steam pressure is controlled by the main turbine governor valves, positi oned in response to the pressure demand signal (see Figure 7.7-9 ). The steam bypass valves are normally closed. The DEH control system selects from three redundant pressure transmitters to control steam pressure. Separate pressure taps for each transmitter are provided at the turbine inlet. A median selector is used by the DEH control system to determine which throttle pressure transmitter is controlling. In addition, if one throttle pressure tran smitter fails, the DEH control system will automatically select the hi gher value of the two re maining transmitters for control. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-057 7.7-23 The total steam flow (pressure demand) signal is limited, after passage through the low value gate (as shown in Figure 7.7-9 ), to that required for full power operation of the turbine (plus a deadband) or the load setpoint. Thus, if the DEH control system senses additional steam flow is needed to control reactor pressure when the governor valves have reached the load setpoint (plus a deadband) or the governor valve (position) demand limit, the control signal error to the bypass valves will increase a nd cause bypass valve actuation.
Control for the turbine governor valves is desi gned so that the valves will close upon loss of control system electric power or loss of hydraulic system pressure.
7.7.1.5.2.2 Steam Bypass System. The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements su ch as during startup (pressure control, speed rampi ng, and synchronizing), sudden load reduction, and shutdown.
The bypass capacity of the system is approximately 25% of NSSS rated st eam flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated without reactor scram.
Normally, the bypass valves are he ld closed and the DEH control system controls the turbine governor valves, directing all steam flow to the turbine. If the speed/load demand limiter restricts steam flow to the turbine, the DE H controls system pre ssure by opening the bypass valves. If the capacity of the bypass valves is exceeded wh ile the turbine cannot accept an increase in steam flow, the main steam pressu re will rise and RPS act ion will cause shutdown of the reactor.
The bypass valves are an automatically operated, regulating type which are proportionally controlled by the turbine DEH control system.
The turbine DEH control system provides a signa l to the bypass valves corresponding to the error between the turbine governor valve ope ning required by the pre ssure demand signal by the output of the low value gate circuit and th e turbine governor valv e position flow limit (see Figure 7.7-9 ). A bias signal is provided to mainta in the bypass valves cl osed for momentary differences during normal operational transients.
7.7.1.5.2.3 Turbine Control System Variables. The turbine DEH control system is designed to receive input parameters of turbine throttle inlet pre ssure, governor and bypass valve position, and turbine speed to process the following signals in turbine modes 3 and 4:
- a. The pressure setpoint signal varies the turbine inlet pressure operating point, b. The pressure demand signal varies governor valve position corresponding to a steam flow from 0% to 100%,
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-16-005 7.7-24
- c. The combined turbine and bypass valve steam flow limite r signal range adjusts valve position limits to limit steam flow from 90% to 150%; however it is set equal to or less than 130% of 15.013 Mlb/hr steam flow, which is the fu el analysis limit, and
- d. The governor valve position (l oad) demand signal va ries to close or open the valves. The governor valve position limiter limits the governor valve position demand signal so that it does not exceed the value corresponding to valves fully open. The load demand and pressure demand signals are compared and the bypass va lves are opened when high steam pressure causes the pressure demand si gnal to be higher than the load demand signal.
7.7.1.5.2.4 Turbine Speed /Load Control Interfaces.
- a. Normal control functions The DEH control system performs three major functions: a monitoring function (Tricon 1 module), a control function (Tr icon 3 module), and a trip function (Tricon 2 module). The control function can also initiate a turbine overspeed trip through the Tricon 2 module.
- b. Normal modes of operation
The DEH control system (Tricon 3) has fi ve turbine control modes. The modes are based on a system of steps that cont rol the operation of the turbine. These modes are normally automatically entered depending on the current operating conditions. Each mode is tightly interloc ked, so the next mode is only entered when the conditions are co rrect. This ensures an orderly progression through the steps and appropriate actions in the event of malfunctions. The five modes are Reactor Start, Speed Control, Load Control, Turbine Follow Reactor and Overspeed Test (numbered Mode 1 through Mode 5, respectively).
- 1. Turbine Mode 1: Reactor start
In Mode 1, the turbine throttle and bypass valves are controlled to allow the turbine to be latched and pro ceed to the speed control mode. Throttle pressure controller output demand selection only allows for control of the bypass valves to maintain throttle pressure. After a successful latch of the tu rbine, the sequence automatically enters Speed Control (Mode 2). C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-057 7.7-25 2. Turbine Mode 2: Speed control
In Mode 2, the turbine speed is ramped up to n ear synchronous speed by using the turbine throttle valves to control turbine speed and the bypass valves to control reactor pressure. The turbine valve control is transferred from the throttle valves to the governor valves when near synchronous speed. When speed measurement reaches approximately 20 rpm below target, the throttle va lve minimum limit is ramped to 100%, opening the valves fully. As the throttle valves open, the governor valve speed controller is enabled to control speed. Overspeed Protection Controller (OPC) l ogic is active in this mode. If nominal turbine speed is 103% speed, the OPC sole noids are energized which will close the governor and inte rcept valves. Wh en turbine speed is reduced to less than 101%, the OPC solenoids close and return the DEH control system to Speed Control Mode. The sequence will proceed to Load C ontrol (Mode 3) if the generator breaker is detected closed or Overspeed Test (Mode 5) if Overspeed Test is selected.
- 3. Turbine Mode 3: Load (limit) control Mode 3 is entered from Speed Control (Mode 2) when control is transferred to the governor valves and the generator output breaker is closed upon synchronizing with the grid. Mode 3 is also entered from Turbine Follow Reactor (Mode 4), when the throttle pressure controller output demand is equal to the govern or valve load demand signal and when throttle pressure controller out put demand is equa l to the scaled valve position limit signal. See Figure 7.7-9. When entering this mode, a load reference is set along with a ramp rate providing an initial electrical load on the generator by ramping the governor valves open increasing measur ed electrical load. During this initial operating condition, any increase or decrease in throttle pressure results in the bypass valves ope rating to maintain pressure.
During Mode 3, OPC remains enabled.
- 4. Turbine Mode 4:
Turbine follow reactor Mode 4 is entered from Load C ontrol (Mode 3) when the throttle pressure controller output demand is lower than the governor valve load C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-057 7.7-26 demand signal. This is an indication that the throttle pressure controller is controlling pressure by modulati ng the governor valves. During Mode 4, as in the Load Control Mode, a load reference is set and the throttle pressure controller sets the governor and bypass valve flow demands, provided the demand is not restrained by the flow, load, or valve position limiters. Sequential and Optimized valve management may also be selected in this Mode. In Sequential valve operation, governor valves two and three are modulated together following the same demand vs. position schedule; similarly, valves one and four are modulated together following a different schedule. Se quential valve selection is the only available selection during turbine startup and when operating below 95% electrical measured load. Optimized valve selection can only be entered if operating 95% electrical load. In Optimized valve operation, governor valves two and three follow the sa me schedule as if operating in Sequential valve. Valves one and four each have their own schedule. This mode allows testing the throttle valves, governor valves, reheat/intercept valve pairs, and bypass valves to meet technical specification surveillance requirements. Only one valve may be tested at a time in this mode.
- 5. Turbine Mode 5: Overspeed/OPC test The sequence enters Mode 5 from M ode 2, Speed Control, when the Overspeed Test Mode is selected.
This Mode allows for the overspeed logic in the Control Tricon, the Trip Tricon, and each of the OPC solenoids to be tested without overspeeding the turbine. This is accomplished by ramping down the trip point to the operating speed range to initiate a trip. When the Overspeed Test select is returned to normal, the trip point automatically returns to its original setting.
- c. Turbine shutdown or turbine generator trip
During turbine shutdown or turbine gene rator trip conditions, the main turbine throttle valves and governor valves are or will be closed. Reactor steam flow will then be passed through the stea m bypass valves under steam pressure control, and through the reactor SRVs, as needed. See Section 10.2.2 for a complete description of the turbine generator protective a nd overspeed trips.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-057 7.7-27 d. Steam bypass operation The main turbine bypass system is de signed to control steam pressure when reactor steam generation exceeds turbin e requirements during plant startup, sudden load reduction, and cooldown. It allows ex cess steam flow from the reactor to the condenser without going through the turbine. The technical specifications require the main turbine bypass system to be operable at greater than or equal to 25% reactor thermal power (RTP). To ensure this limit is met, the bypass va lve logic is set to be armed based on generator load when the reactor is approximately 20% RTP during plant startup. This accounts for any thermal losses from the reactor and the turbine generator. Fast opening of the steam bypass valves dur ing a turbine trip, a generator load rejection, or an OPC actuation requires coordinate d action with the turbine control system. When the turbine governor valves are under pressure control, no bypass steam flow is demanded. During turbine or generator trip events, fast-closure of the turbine throttle or governor valves occurs. The bypass valves fully open until load drops below 20% lo ad, plus a 3-5 sec delay and then modulate under pressure control. Th e turbine governor valve demand is immediately tripped to zero as an anticipatory response, causing the bypass steam flow demand to equal th e pressure regulation demand.
During an OPC actuation, fast closur e of the governor an d intercept valves occurs. If operating at or above ap proximately 20% RTP, the bypass valves will fast open.
- e. Loss of turbine control system power
Turbine controls and valves are desi gned so that the turbine throttle and governor valves will close on loss of control system power or hydraulic pressure.
- f. Operator information The control interface and indications fo r the DEH control system are via soft control on two touch screen monitors mounted on the turbine generator section of the main control board. All contro ls and indications for the DEH control system during the various turbine generator operational modes (such as reactor start, speed control, load control, turb ine follow reactor, or overspeed/OPC test) are available to the operator from th e two Human Machin e Interface (HMI) touch screens.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 LDCN-06-057 7.7-28 The DEH control system is self-dia gnostic, therefore in the event of a component or control malfunc tion, an alarm will activat e to indicate the failure to the operator. Also, the DEH control system is fault tole rant and redundant, so any single failed active component can be replaced on-line without impact to power operations.
The DEH control system (load demand) receives input from three independent pressure transmitters in the main steam line upstream of the main turbine throttle valves. The pressure setpoint can be set by the operator from the HMI stations. The DEH control system has the following controls and information displayed in the main control room from the HMI stations:
- 1. Main steam throttle pr essure transmitter A, 2. Main steam throttle pr essure transmitter B, 3. Main steam throttle pr essure transmitter C, 4. Main steam pressure setpoint, 5. Bypass valve position indication and controls, and 6. Main steam throttle, governor, reh eat stop, and intercept valve position indication, and controls.
- g. Protection system interface The DEH control system is designed as a fail-safe, fault tolerant, redundant digital electro-hydraulic cont rol system. The control sy stem is designed to fail in a manner that is within the protection system capability for coping. See Section 3.5.1.3 for turbine missile protection and Section 10.2 for overspeed protection features.
7.7.1.6 Neutron Monitoring System - Traversing In-Core Probe
7.7.1.6.1 Function
Flux readings along the axial length of the core are obtained by fully inserting the traversing ion chamber into one of the ca libration guide tubes, then taking data as the chamber is withdrawn. The analog data is available for driving a recorder and for use by the process computer. One traversing ion chamber and its associated drive mechanism is provided for each group of seven to nine fixed in-core assemblies.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-29 7.7.1.6.2 Operation
The number of TIP machines is indicated in Figure 7.6-10. The TIP machines have the following components:
- a. One TIP detector,
- b. One drive mechanism,
- c. One indexing mechanism, and
- d. Up to 10 in-core guide tubes.
The system allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine.
A TIP drive mechanism uses a fission cham ber attached to a flexible drive cable (Figure 7.7-11 ). The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contai ned by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. The indexing mechanism allows the use of a single
detector in any one of 10 different tube paths. The tenth tube is used for TIP cross calibration with the other TIP machines. The control system provides for both manual and semiautomatic operation. Electronics of the TIP panel amplify and provide the TIP signal. Core position versus neutron flux may be recorded on the X-Y recorder in the main control room and is provided to the process computer. A block diagram of the drive system is shown in Figure 7.6-10. Actual operating experience has s hown the system to reproduce within approximately 1.0% of full scale in a sequence of tests.
A valve system is provided with a valve on each guide tube entering the drywell. A ball valve and a cable shearing valve are mounted in the gui de tubing just outside the drywell. The ball valves are closed excep t when the TIP is in operation. They maintain the leaktightness integrity of the drywell. A va lve is also provided for a nitrogen gas purge line to the indexing mechanisms. A guide tube ball valve opens only when the TIP is being inserted. The shear valve is used only if containment isolation is required and the ball valve cannot be isolated. The shear valve, which is controlled by a manually operated key lock switch, can cut the cable and close off the guide tube. The shear valves are act uated by explosive squibs. The continuity of the squib circuits is monitored by indicator lights in th e main control room. On receipt of containment is olation command from the NSSS, all detectors which are not withdrawn into the shield are withdrawn at full speed, removing the TIP detector from the containment and allowing the ball valv es to close. The purge valve is also closed at this time.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-30 7.7.1.7 Neutron Monitoring Sy stem - Source Range Monitor 7.7.1.7.1 Function
The SRM provides neutron flux information during reactor startup and low flux level
operations.
7.7.1.7.2 Operation
There are four SRM channels. Each includes one detector that can be physically positioned in the core from the control room (see Figures 7.6-8 and 7.7-10). The detectors are inserted into the core for a reactor startup. They can be withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above (see Figure 7.6-10 ). During initial fuel load neutron flux was monitored by source range neutron monitoring channels, providing a scram signal when the preset flux level of any channel has been reached. The logic was removed from the scram circuitry after initial fueling by the installation of "shorting links."
The "shorting links" may be peri odically removed from the RPS circuitry during control rod withdrawal to perform a shutdown ma rgin demonstration. See Section 7.2.1.1 for the verification requirement fo r "shorting links" removal.
Each detector assembly consists of a miniat ure fission chamber and a low-noise, quartz-fiber-insulated transmission cable. The se nsitivity of the detector is 1.2 x 10 -3 cps/nv nominal, 5.0 x 10-4 cps/nv minimum, and 2.5 x 10-3 cps/nv maximum. The detector cable is connected underneath the reactor vessel to the multiple-shielded coaxial cable. This shielded cable carries the pulses of a pulse current preamplifier locat ed outside the drywell.
The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote controlled detector drive system moves the detector along the dry tube. Vertical positioning of the chamber is possible from above the centerline of the active length of fuel to 30 in. below the reactor fuel region (see Figures 7.6-6 and 7.6-5). When a detector arrives at a travel end point, detector motion is automatically stopped. The SRM/IRM drive control arrangement and logic are presented in Figures 7.6-6 and 7.6-3. The electronics for the SRMs, their trips, and thei r bypasses are located in four cabinets. Source range signal conditioning equipment is designed so that it can also be used for open vessel experiments.
A current pulse preamplifier provides amplific ation and impedance ma tching for the signal conditioning electronics (Figure 7.7-10 ). C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.7-31 The signal conditioning equipmen t converts the current pulses to analog dc currents and voltages that correspond to the l ogarithm of the count rate (LCR ). The equipment also derives the period. The output is disp layed on front panel meters and is provided to remote meters and recorders. The LCR meter displays the rate of occurrence of the input current pulses. The period meter displays the time in seconds for the count rate to change by a fact or of 2.7. In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits. The trip outputs of the SRM operate in the fail-safe mode. Loss of pow er to the SRM causes the associated outputs to become tripped.
The SRM provides signals indicating SRM ups cale, downscale, inopera tive, and incorrect detector position to the RMCS to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. These rod blocking functions are discussed in Section 7.7.1.2.2. One of the four SRM channels can be bypassed at any one time by the operation of a switch on the operator's control panel.
Inspection and testing are performed as required on the SRM detector drive mechanism; the
mechanism can be checked fo r full insertion and retracti on capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.
7.7.1.8 Neutron Monitoring Sy stem - Rod Block Monitor
7.7.1.8.1 Function
The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during operator contro l rod manipulations.
7.7.1.8.2 Operation
The RBM has two channels. E ach channel uses input signa ls from a number of LPRM channels. A trip signal from either RBM channel initiates a rod block. One RBM channel can be bypassed at any time without loss of subsystem function. The minimum number of LPRM inputs required for each RBM channel to prevent an instrument inoperative alarm is four when using four LPRM assemblies, three when using three LPRM as semblies, and two when using two LPRM assemblies, see Figures 7.7-12 and 7.6-3. The RBM signal is generated by averaging a set of LPRM signals. The LPRM signals used depends on the control rod selected. Upon selection of a rod for withdrawal or insertion, the
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-10-004 7.7-32 conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels. For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-level and D-le vel detectors, and all four of the C-level detect ors. A-level LPRM detectors are not included in the RBM averages, but are displayed to the operator. If a detector has been bypassed in the LPRM system, th at detector is automatic ally deleted from the RBM processing and the averaging logic is adju sted to average only the remaining unbypassed detectors. After selection of a control rod, each RBM channel calculates the average of the related LPRM detectors and calculates a gain fa ctor that adjusts the average to 100. Thereafter, until another rod is selected, the gain factor is applied to the LPRM aver age to obtain the RBM signal value. The RBM signal value is compar ed to RBM trip setpoints. When a peripheral rod is selected or the RBMs associated Reference APRM power signal is below the automatic bypass level, the RBM function is automatically bypassed, the rod block outputs are set to "permissive", and the RBM average is set to zero. If the Reference APRM is bypassed, the APRM power signal is automatically provided by a second APRM. In the operating range, the RBM signal is accurate to approximately 1% of full-scale. The RBM has three upscale trip levels and one downscale trip level. Figure 7.7-17 illustrates the trip setpoints. The percen t rated power input used to auto matically select the applicable RBM trip is provided in the form of simulated thermal power from the RBM channel's Reference APRM. With increasing or decreasing power, the RBM set point automatically changes to the higher or lower rod block setpoint line ba sed on the APRM simulated thermal power input. No operator action is required.
7.7.1.9 Process Computer System
7.7.1.9.1 Function
The function of the process computer is to provide a real time pl ant data collection, processing, and output system that is desi gned to support the following:
- a. Input of real time plant data si multaneously from both TDAS and PPCRS multiple sources,
- b. Processing of plant input data parameters to produce results in "engineering units,"
C OLUMBIA G ENERATING S TATION Amendment 64 F INAL S AFETY A NALYSIS R EPORT December 2017 LDCN-15-039 7.7-33 c. Compare plant inputs against alarm ranges,
- d. Output alarm informati on and other pertinent information to the real time HMI displays,
- e. Historical archiving of monitore d plant data to circular files.
7.7.1.9.2 Operation The process computer is half of an integrated dual processor telemetry processing system that provides redundant PPCRS and TDAS functions. With the excep tion of the data acquisition hardware, the software and hardware is identical between the PPCRS and TDAS system. This duplication provides manual failover capability in the event of a failure on either system. The configuration of the process computer, since redundant to TDAS, is described in Section 7.7.1.15.3 and shown in Figure 7.7-16 . The Human Machine Interface (H MI) is provided through redundant computer work stations. These workstations, as shown in Figure 7.7-16, consist of a Data Ac quisition Control Module, Calculation Module and Real Time Display Module. The us er (Control Room personnel) accesses these modules by a menu system. The Data Acquisition Control M odule provides the user the capability of stopping and starting the receipt of data from different sources and the transmissi on of data to other receiving processes. Each source deposits its specific da ta in the Current Value Table (CVT) for use by other modules. These sources include the RWM, TIP, Alarm, Core Mon itoring System Code, and the data acquisition preprocesso
- r. Data can only be sent to PDIS. Sending data to PDIS can be started or stopped by the Data Acquisition Control Module. Screens are provided to monitor the health/status of each function.
The Calculation Module derives information (Plant Data) from the CVT, performs predefined calculations and deposits the resu lts back into the CVT at prescribed frequencies. These calculations include core thermal power, corrected flows, and time averages. The results are then available in the CVT and to the Real Time Display Module. The Real Time Display Module provides the capability to exam ine data from all the data sources via the CVT and present them in various formats. These displays are in the form of strip charts, alphanumeric scrolling, and non-scrolling a nd mimic displays.
The process computer monitors and alarm checks each analog variable at a selectable rate of up to 20 times/sec. Each digital plant input to the process computer can be monitored and alarm checked at up to 250 times/sec. For a ll analog inputs two types of limit checking and alarming are available: process alarm high/low limits and high/low instru ment range limits. Both printed and historical disk storage are provided for analog and digital system alarms. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-34 All alarms logs are printed on the alarm printing device informing the control room personnel of computer system malfunctions, system operation exceeding acceptable limits, and potential unreasonable, off normal, or failed input sensors.
7.7.1.10 Rod Worth Minimizer Function
7.7.1.10.1 Function
The RWM functions to assist a nd supplement the operator with an effective backup control rod monitoring routine that enforces adherence to establishe d startup, shutdow n, and low power level control rod sequences. The RWM comput er prevents the operator from establishing control rod patterns that are not consistent with the pre-stored RWM sequence by initiating appropriate rod withdrawal bloc k, and rod insert block interl ock signals to the RMCS rod block circuitry (see Figure 7.7-3). The RWM sequence stored in the computer memory are based on control rod withdrawal procedures designed to limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis rod drop accident.
7.7.1.10.2 Operation
The RWM function does not interfere with norma l reactor operation, and in the event of a failure does not itself cause rod patterns to be established. The RWM will not function on loss of offsite power. The RWM function can be by passed and its block func tion can be disabled only by specific procedural c ontrol initiated by the operator.
For the operator to bypass the RWM
- a. Plant management approval is required,
- b. A second operator or technically qualified plant staff member, with no other duties, is required to verify the first operator's actions while the first operator is performing rod movements,
- c. The startup and shutdown sequences with their respective signoff sheets are provided to the second operator for verification of each step rod movement
made by the first operator, and
- d. The startup and shutdown sequences fo llow the same control rod patterns that the RWM enforces if it were not bypassed.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-35 The following operator and sensor inputs are used by the RWM:
- a. Rod test. In selecting this input, the operator is permitted to withdraw and reinsert one control rod at a time while all other control rods are maintained in the fully inserted position;
- b. Normal/bypass mode. A key lock switch permits the operator to apply permissives to RWM rod block functions at any tim e during plant operation;
- c. System start/reset. This input is in itiated by the operator to start or restart the RWM programs and system at a ny time during plant operation;
- d. Control rod select. Binary coded identification of the control rod selected by the operator;
- e. Control rod position. Binary coded identification of the selected control rod position;
- f. Control rod drive selected and driving. The RWM prog ram uses this input as a logic diagnostic verification of the in tegrity of the rod select input data;
- g. Control rod drift. The RWM program recognizes a position change of any control rod using the control rod drift signal input;
- h. Reactor power level. Flow signals ar e used to implement two digital inputs to permit program control of the RWM functi on. These two inputs, the low power setpoint (LPSP) and the low power alarm setpoint, are used to disable/alarm the RWM function at power levels above th e intended service range of the RWM function;
- i. Permissive echoes. Rod withdraw and rod insert permissive echo inputs are used by the RWM as a verification "echo" feedback to the system hardware to ensure proper response of an RWM output; and
- j. Diagnostic inputs. The RWM uses selected diagnostic inputs to verify the integrity and performance of the processor.
Isolated contact outputs to plant instrumentation provide RW M rod block functions to the RMCS to permit or inhibit withdrawal or insertion of a control rod. These actions do not
affect any normal instrumentation displays associated with the selection of a control rod.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-004 7.7-36 The RWM control panel provide s the following indication:
- a. Insert error. Control rod coordinate identification for as many as two insert errors;
- b. Withdrawal error. Control rod coordinate identification for one withdrawal error; c. Latch group identification of the RWM sequence group number currently enforced by the computer;
- d. Rod test select indicates that the rod test function test selected by the operator was honored by the RWM Program;
- e. RWM bypass - indicates that the RWM is manually bypassed;
- f. Select error - indicates a control rod selection error;
- g. Rod blocks - indication that a withdrawal block or insertion block is in effect for all control rods;
- h. Out of sequence indication that the ac tual rod patterns is out of sequence;
- i. Below LPSP. Indication that the reactor core power is below the LPSP;
- j. Below low power alarm point (LPAP). Indication that the reactor core power is below the LPAP; and
- k. Rod drift. Indication that a rod drift condition is detected.
C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-004 7.7-37
DELETED C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-004 7.7-38
DELETED C OLUMBIA G ENERATING S TATION Amendment 63 F INAL S AFETY A NALYSIS R EPORT December 2015 LDCN-14-004 7.7-39 7.7.1.12 Loose Parts Detection System The LPDS has been deactivated and spared-in-place (retired). The System mainframe panel (LPDS-PNL-1) remains installe d on the 522 ft. level of the Reactor Building. The accelerometer charge-converters (pre-amps) remain installed inside containment, except those posing interference. All power to the system has been disconnected a nd the cables "spared."
7.7.1.13 Refue ling Interlocks 7.7.1.13.1 Function The purpose of the refueling interlocks is to re strict the movement of control rods and the operation of the refueling platform. Refueling interlocks are shown in Table 7.7-3. This reinforces operational procedures that prev ent the reactor from becoming critical during refueling operations. 7.7.1.13.2 Operation The refueling interlocks circuitry senses the c ondition of the refueling platform and the control rods to prevent the movement of the refueling platform or withdrawal of control rods (rod block). Redundant circuitry is provi ded to sense the following conditions:
- a. All rods inserted, b. Refueling platform positi oned near or over the core, c. Refueling platform hoists fuel loaded (main - fuel grapple, auxiliary - frame mounted hoist, monorail - trolley mounted hoist), and
- d. Reactor mode switch in "refuel" position.
C OLUMBIA G ENERATING S TATION Amendment 62 F INAL S AFETY A NALYSIS R EPORT December 2013 LDCN-11-031 7.7-40 d. Reactor mode switch in "refuel" position.
The indicated conditions are combined in logic ci rcuits to satisfy all re strictions on refueling equipment operations and control rod movement (Figure 7.7-2). The rod-in condition for each rod is established by the closur e of a magnetically operated reed switch in the rod position indicator probe.
The rod-in switch must be closed for each rod before the all-rods-in signal is generated. Loss of "all-rods-in" signal will remove grapple control power, if the refueling platform is over the core.
During refueling operations, no more than one control rod is permitted to be withdrawn; this is enforced by a redundant logic circ uit that uses the all-rods-in signal and a rod selection signal from the RMCS to prevent the selection of a second rod for movement. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select push buttons. With the mode switch in the refuel position, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.
Operation of refueling equipment is preven ted by interrupting the power supply to the equipment. The refueling platfo rm is provided with two mechanical switches attached to the platform, which are tripped open by a long, stati onary ramp mounted adj acent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel to indicate the approach of the platform toward its position over the core.
In addition to the non-safety-related rod bloc k interlocks provided by the RMCS, and as a safety-related backup, the IRMs provide a rod scram signal during refue ling when neutron flux exceeds a preset flux level. The scram signal w ill provide a control room alarm and will insert any control rod that is withdrawn. The IRMs are required to be ope rable anytime a control rod is withdrawn in a fueled cell during refueling operations.
Load cell readout is provided for all hoists. The main hoist load is displayed on the flat panel display on the main trolley. The auxiliary frame hoist and the m onorail hoist load displays are on the frame pendant and monorail pendant, respectively. Load sensing is via electronic load cells and strain gauge transmitter
- s. The load for the main hoist and frame hoist are inputs to the PLC in the control center on th e main trolley. Associated interlock a nd load functions for the main hoist and auxiliary frame hoist are perf ormed by the PLC. Setpoint modules provide associated interlock and load functions for the monorail hoist.
The three hoists on the refueling platform are provided with sw itches that open when the hoists are fuel loaded. The switches open at a load weight that is lighter than that of a single fuel assembly. This indicates when fuel is loaded on any hoist. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-41 A bypass plug for the previously installed servi ce platform hoist load interlock is provided which completes the circuit, prev enting a false indication that th e nonexistent hoist is loaded. Loaded hoist indication prevents control rod withdrawal with the mode switch in the startup or refuel positions. The bypass plug allows control rod movement in this situation. The bypass plug is physically arranged to prevent the connection of any power plug unless the bypass plug is removed.
The rod block interlocks and refu eling platform interlocks provide two independe nt levels of interlock action. The interlocks which restrict operation of th e refueling platform hoist and grapple provide a third level of interlock acti on since they would be required only after a failure of a rod bl ock and refueling pl atform interlock.
In the refueling mode, the control room operator has an indi cator light for "refueling mode select permissive" whenever all control rods are fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core status display. Whenever a control rod withdrawal block situat ion occurs, the operator receives annunciation and computer logs of the rod block. The operator can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal in terlocks must agree that permissive conditions exist to move control rods; otherwise, a control rod withdrawal block occurs. Failure of one channel may initiate a rod withdrawal block, and will not prevent application of a valid control rod withdrawal block from the remaining operable channel (see Figure 7.7-2 ). Refueling platform interlock indi cation and main hoist load are displayed to the operator on the flat panel display mounted on the trolley cable. In addition, the bridge, trolley, and main hoist positions displays are on the flat panel display.
The auxiliary frame hoist load and the monorail hoist load are displaye d on digital displays on the frame pendant and monorail pendant, resp ectively. Individual push button and control switches are provided for local control of the pl atform and its hoists. The platform operator
can immediately determine whether the platfo rm and hoists are responding to his local instructions, and can, in conjunc tion with the control room oper ator, verify proper operation of each of the three categories of interlocks listed previously. 7.7.1.14 Safety/Relief Valves - Relief Function 7.7.1.14.1 Function
The relief function of the SRVs is to relieve high pressure conditi ons in the nuclear system that could lead to the failure of the RCPB. The system activates the SRVs to vent steam to the suppression pool and re duce reactor pressure. See Section 5.2.2. Also, see Section 7.3.1.1.1.2 for the ADS function of selected SRVs. C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-09-040 7.7-42 7.7.1.14.2 Operation
Schematic arrangement of system mechanical equipment is shown in Figure 10.3-2. The SRV component control logic is shown in Figure 7.3-8. The relief function of the SRVs is initiated by pr essure switches, one per relief valve. These pressure switches are set to ener gize the relief valve solenoids in five groups at five respective trip settings. The reli ef valves will open in groups, the lo west setpoint grou p first, followed by groups of SRVs at progressively higher setpoints. This feature automatically adjusts the relief capacity to the magnitude of the over pressure condition. The reclose pressure for each SRV is based on the deadband (reset) of the associated pressure switche
- s. Adequate deadband is provided to eliminate ra pid open/close operation and minimize system stresses.
To manually open each SRV, remote manual switches are installed in the control room. Lights on the control room panel indicate when the SRVs are open. This monitoring is in accordance with NUREG-0737, It em II.D.3 (see Section 7.5.1.9). 7.7.1.15 Transient Data Acquisition System
To meet the data acquisition and analysis need s during the operation of Columbia Generating Station, and to support emergenc y response facility functions, a pl ant data center, referred to as the Plant Data Information System (PDIS), is installed at Columbia Generating Station. The PDIS configuration is shown in Figure 7.7-16. The TDAS, the front e nd of PDIS, collects and multiplexes plant analog and digital data to a central location for storage and emergency response facility functions such as the graphic display system (GDS) described in
Section 7.5.1.22 , and the emergency res ponse data system (ERDS), which provides direct electronic data transmission of the required plant parameters from the TDAS computer to the NRC Operations Center. The plant ERDS computer receives data from the TDAS and the
process computer system described in Section 7.7.1.9 and transmits it to the Operations Center via secure Internet-based communication protoc ol. The ERDS was added in response to Generic Letter 89-15, Emerge ncy Response Data System.
7.7.1.15.1 Function
The purpose of the TDAS is to provide a data control center for the ac quisition, monitoring, recording, and transfer of data to a com puter for analysis and presentation for plant monitoring, testing and emergency response faci lity functions for select ed plant parameters.
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-43 7.7.1.15.2 Description
The basis and criteri a for the TDAS input signal selection is as follows: Basis Criteria Startup testing requireme nt Regulatory Guide 1.68 SRP Section 3.9.2 FSAR Section 3.9.2 Emergency response facility Regulatory Guide 1.23 requirement Regulatory Guide 1.97 NUREG-0737, Supplement 1 FSAR Section 7.1.1 Signals monitored may be either analog or digital (bilevel). The majority of the signals originate from existing equipment in the cont rol room. Signals are hard-wired from the control room to TDAS remote modules (multiplexers). Th e remote modules provide the following:
- a. Electrical isolation,
- b. Signal conditioning,
- c. Analog to digital conversion,
- d. Multiplexing of the input data, and
- e. Interface to fi ber-optic cables.
The signal output from the remote modules is transmitted through fiber-optic cables to the TDAS central control unit (CCU). The fiber-optic cabl es provide electrical separation between remote module output signals.
The TDAS CCU controls the monitoring, recording, engineering unit conversion, alarming, and transfer functions. Discs are used for high speed st orage of historical data.
Data is transferred from the TDAS CCU to a computer for data reduction, analysis, and
display. A system console conn ected directly to TDAS is pr ovided for operator interface.
7.7.1.15.3 Operation
TDAS automatically records data from all inpu t points on disc. Data is continuously overlaid on the disc such that in excess of three days of data exists at all times.
A secondary file can be created and archived from the history disk to preserve the data. The data contained in the seconda ry file can subsequently be displayed and printed. C OLUMBIA G ENERATING S TATION Amendment 61 F INAL S AFETY A NALYSIS R EPORT December 2011 LDCN-09-040 7.7-44 Three data transfer interfaces are provided by the TDAS CCU. One link is dedicated for the transfer of data to the com puter to support the control room GDS displays. The second link transfers TDAS real time data to the Process Computer work stations as user interface. The third link transfers data to th e corporate network for use in ERDS and other data reporting services. As noted in Section 7.7.1.9.2, the TDAS hardware (exc luding signal interface) software is identical in func tion and configuration to the Pr ocess Computer. This provides total computer redundancy.
7.7.1.15.4 Conformance to NRC Regulatory Guides
7.7.1.15.4.1 Regulatory Guide 1. 75, Revision 2, Physi cal Independence of Electric Systems. Regulatory Guide 1.75 is not applicable to Columbia Generating Station. However, based on commitment to the NRC the TDAS isolator design used the guidance provided in Regulatory Guide 1.75, Revision 2.
The TDAS is a non-safety-rel ated, non-Class 1E system which interfaces with many safety-related components. To ensure that the safe ty-related components are protected from TDAS equipment failures, the following was implemented in the TDAS design:
- a. All TDAS input circuits within racewa ys are identified and routed to Class 1E requirements up to a remote isolation device. From the isolation device to the
remote multiplexer the circuits ar e considered to be non-Class 1E;
- b. Remote multiplexer outputs are transmitted to the computer via a fiber optic cable which is inherently an isolation device. The fiber optic cable, therefore, can be routed in any raceway without regard to separa tion criteria; and
- c. Transient data acquisitio n system Class 1E input is olators are supplied from non-Class 1E 24-V dc current limiting power supplies. The power source to these power supplies is Class 1E and is provided with a Class 1E current interrupting device. The circuit to the power supply is routed as prime (see Section 8.3.1.4) for Division 1 and 2 isolator s and as Class 1E for the Division 3 isolator. The power supply sec tion of the isolator unit is internally isolated from the Class 1E signal input circuit. Downstream of the power supply, the circuits are treated as non-Class 1E.
All Class 1E components of the TDAS are qualified according to the requirements of Regulatory Guide 1.100 as clarified in Section 1.8.3. All components which interface with Class 1E circuitry (isolation devices) to extract signals are qualified (if applicable) acco rding to the require ments of Regulatory Guide 1.89, Revision 1 as clarified in Section 1.8.3. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 7.7-45 7.7.1.15.4.2 NUREG-0737, Supplement 1, Clarification of TMI Action Plan Requirements: Requirements for Emergency Response Capabilities. Parameters identified in Regulatory Guide 1.97, Revision 2, and Re gulatory Guide 1.23 are hard-wir ed to the TDAS. The TDAS components are designed in a modular fashion with spare capacity. The system design allows the capability to expand. Physi cal separation or isol ation devices prevent failures in the TDAS from interfering with safety-related or sensitive control functions. The TDAS components are powered from a highly reliable uninterruptible power source to ensure sy stem availability and that power fluctuations will not result in the loss of software or stored data. The TDAS provides the equipment needed to ga ther, store, and transfer data helpful in assessing plant conditions. The system provides in excess of three days of pre-event data and the capability of recording post-e vent data. Data storage and re trieval functions are performed without interrupting real time data transfer. Data scan rates are more than sufficient to record transient events and determine the sequence of events. The TDAS has been designed to provide a high degree of reliability and redundancy with the Process Computer. Emergency a nd preventive maintenance procedur es have been established. Spare parts or redundant proce ssing is provided for critical com ponents. Tests are performed to verify that the hardware and software me et performance requireme nts. Hardware and software modifications are performed in accordance with applicable procedures.
7.7.1.16 Design Differences
See Table 7.7-2 for a list of system designs and their similarity of designs of other nuclear power plants.
7.7.2 ANALYSIS
See the safety evaluations in Chapter 15. Chapter 15 shows that the system s described in this section are not used to provide any design basis accident safety f unction. Safety functions are provided by other systems.
Chapter 15 also evaluates all credible control system failure modes, the effects of those failures on plant functions, and the response of various safety-related systems to those failures. The major plant control systems described above have no direct interface with any safety-related systems and, thus control system failures ot her than those described in Chapter 15 have no effect on the safety-related systems. C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.7-1 Design and Supply Responsibility of Plant Control Systems
System GE Design GE Supply B&R Design Others Supply 7.7-47 Reactor vessel instrumentation X X Reactor manual control X X Recirculation flow control X X Feedwater control X X X Pressure regulator and turbine generator X X Neutron monitoring Source range monitor X X Rod block monitor X X Transversing in-core probe X X Process computer and RWM X Rod sequence control X X Loose parts detection (Retired) Refueling interlocks X X Safety/relief valve X X Transient data acquisition X X
C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORT December 2007 Table 7.7-2 Similarity to Licensed Reactors
Instrumentation and Controls System Plants Applying for or Having Construction Permit or Operating License Similarity of Design LDCN-06-057 7.7-48 Neutron monitoring (TIP, SRM, RBM) LaSalle Identical Refueling interlocks LaSalle Identical Reactor manual control Zimmer-1 Identical Reactor vessel - instrumentation Zimmer-1 Identical Recirculation flow - control None -- Feedwater control None -- Pressure regulator and turbine-generator None None Rod sequence control Zimmer-1 Identical Refueling interlocks Zimmer-1 Identical Process computer and RWM None None Loose parts detection (Retired) Safety/relief valve - relief function Zimmer-1 Identical Transient data acquisition None -- Table 7.7-3 Refueling Interlocks Refueling Platform Position Refueling TMH a Platform FMH a Hoist FG a Control Rods Mode Switch Attempts Results C OLUMBIA G ENERATING S TATION Amendment59 F INAL S AFETY A NALYSIS R EPORTDecember 2007 7.7-49 Not near core UL UL UL All rods in Refuel Move refueling platform over core No restrictions Not near core UL UL UL All rods in Refuel W ithdraw rods Cannot withdraw more than one rod Not near core UL UL UL One rod withdrawn Refuel Move refueling platform over core No restrictions Not near core Any hoist loaded One rod withdrawn Refuel Move refueling platform over core Platform stopped
before over core Over core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more
than one rod Over core Any hoist loaded All rods in Refuel Withdraw rods Rod block Not near core UL UL UL All rods in Startup Move refueling platform over core Platform stopped
before over core Not near core UL UL UL All rods in Startup Withdraw rods No restrictions Over core UL UL UL All rods in Startup Withdraw rods Rod block Table 7.7-3 Refueling Interlocks (Continued) C OLUMBIA G ENERATING S TATION Amendment 59 F INAL S AFETY A NALYSIS R EPORTDecember 2007 7.7-50 a Legend TMH - Trolley Mounted Hoist (Monorail) FMH - Frame Mounted Hoist (Auxiliary) FG - Fuel Grapple (Main Hoist) UL - Unloaded L - Fuel Loaded}}