ML18017A402

5 to Updated Safety Analysis Report, Section 7, Plant Instrumentation and Control System
Site: Monticello
Issue date: 01/11/2018
From: Xcel Energy, Northern States Power Co
To: Office of Nuclear Reactor Regulation
Shared Package: ML18017A380
References: L-MT-17-075


Text

MONTICELLO UPDATED SAFETY ANALYSIS REPORT
USAR-07 SECTION 7 PLANT INSTRUMENTATION AND CONTROL SYSTEMS
Revision 35

TABLE OF CONTENTS

7.1 Summary Description
7.1.1 Monticello Conformance to IEEE 279
7.1.1.1 Monticello Design
7.1.1.2 Adequacy of the Monticello Emergency Core Cooling Systems (ECCS)
7.1.1.2.1 Low-Pressure Core Cooling Protective Function
7.1.1.2.1.1 Core Spray Subsystems
7.1.1.2.1.2 LPCI mode of RHR
7.1.1.2.2 High-Pressure Core Cooling Protective Function
7.1.1.2.2.1 Auto Depressurization System (ADS)
7.1.1.2.2.2 HPCI System
7.1.2 NRC Bulletin 90-01, Supplement 1, Loss of Fill-oil in Transmitters Manufactured By Rosemount
7.1.2.1 Introduction
7.1.2.2 Discussion and Evaluation
7.2 Reactor Control Systems
7.2.1 Reactor Manual Control System
7.2.1.1 Design Basis
7.2.1.1.1 Identification
7.2.1.1.2 Operational Objective
7.2.1.1.3 Safety Design Basis
7.2.1.1.4 Operational Design Basis
7.2.1.2 Control Rod Adjustment Control
7.2.1.2.1 General
7.2.1.2.2 Control Rod Operating Logic
7.2.1.2.2.1 Description
7.2.1.2.2.2 Justification
7.2.1.2.3 Performance Analysis
7.2.1.2.4 Inspection and Testing
7.2.2 Recirculation Flow Control System
7.2.2.1 Description
7.2.2.2 Performance Analysis


7.3 Nuclear Instrumentation System
7.3.1 Design Basis
7.3.2 General Description
7.3.3 Source Range Monitoring Subsystem
7.3.3.1 Design Basis
7.3.3.2 Description
7.3.3.3 Inspection and Testing
7.3.4 Intermediate Range Monitoring Subsystem (IRM)
7.3.4.1 Design Basis
7.3.4.2 Description
7.3.4.3 Performance Analysis
7.3.4.4 Inspection and Testing
7.3.5 Power Range Instruments
7.3.5.1 Local Power Range Monitoring Subsystem (LPRM)
7.3.5.1.1 Design Basis
7.3.5.1.2 Description
7.3.5.1.3 Performance Analysis
7.3.5.2 Average Power Range Monitoring Subsystem (APRM)
7.3.5.2.1 Design Basis
7.3.5.2.2 Description
7.3.5.2.3 Performance Analysis
7.3.5.3 Rod Block Monitor (RBM)
7.3.5.3.1 Design Basis
7.3.5.3.2 Description
7.3.5.3.3 Performance Analysis
7.3.5.4 Traversing In-Core Probe (TIP)
7.3.5.5 Inspection and Testing
7.4 Reactor Vessel Instrumentation
7.4.1 Design Basis
7.4.2 Description
7.4.2.1 Reactor Vessel Temperature


7.4.2.2 Reactor Vessel Pressure
7.4.2.3 Reactor Vessel Water Level
7.4.2.4 Reactor Feedwater Flow
7.4.2.5 Reactor Steam Flow
7.4.2.6 Reactor Vessel Flange Leak Detection
7.4.2.7 Design Evaluation
7.4.3 Inspection and Testing
7.5 Plant Radiation Monitoring Systems
7.5.1 Design Basis
7.5.2 Process Radiation Monitoring System
7.5.2.1 General
7.5.2.2 Off-Gas Pretreatment Monitoring Subsystem
7.5.2.2.1 Design Basis
7.5.2.2.2 Description
7.5.2.2.3 Performance Analysis
7.5.2.3 Radioactive Stack Wide Range Gas Monitoring Subsystem
7.5.2.3.1 Design Bases
7.5.2.3.2 Description
7.5.2.3.3 Performance Analysis
7.5.2.4 Main Steam Line Monitoring Subsystem
7.5.2.4.1 Design Basis
7.5.2.4.2 Description
7.5.2.4.3 Performance Analysis
7.5.2.5 Process Liquid Monitoring Subsystem
7.5.2.5.1 Design Basis
7.5.2.5.2 Description
7.5.2.5.3 Performance Analysis
7.5.2.6 Reactor Building Exhaust Air Monitoring Subsystem
7.5.2.6.1 Design Basis
7.5.2.6.2 Description
7.5.2.6.3 Performance Analysis


7.5.2.7 Fuel Pool High Radiation Monitor
7.5.2.7.1 Design Basis
7.5.2.7.2 Description
7.5.2.7.3 Performance Analysis
7.5.2.8 Control Room Ventilation Inlet Air Radiation Monitor
7.5.2.8.1 Design Basis
7.5.2.8.2 Description
7.5.2.8.3 Performance Analysis
7.5.2.9 Reactor Building Vent Wide Range Gas Monitoring Subsystem
7.5.2.9.1 Design Basis
7.5.2.9.2 Description
7.5.2.9.3 Performance Analysis
7.5.3 Area Radiation Monitoring System
7.5.3.1 Design Basis
7.5.3.2 Description
7.5.3.2.1 Technical Support Center Radiation Monitoring
7.5.3.2.2 Containment High Range Radiation Monitoring System
7.5.3.3 Performance Analysis
7.5.4 Health Physics and Laboratory Radiation Measuring Instruments
7.5.4.1 Design Basis
7.5.4.2 Description
7.5.4.3 Inspection and Testing
Table 7.5-1 Process Radiation Monitoring System-Principal Design Parameters
Table 7.5-2 Area Radiation Monitoring System
7.6 Plant Protection System
7.6.1 Reactor Protection System
7.6.1.1 Design Basis
7.6.1.2 Description
7.6.1.2.1 Identification
7.6.1.2.2 Power Supply
7.6.1.2.3 Physical Arrangement
7.6.1.2.4 Logic


7.6.1.2.5 Operation
7.6.1.2.6 Scram Functions and Settings
7.6.1.2.7 Mode Switch
7.6.1.2.8 Scram Bypasses
7.6.1.2.9 Instrumentation
7.6.1.2.10 Wiring
7.6.1.3 Performance Analysis
7.6.1.4 Inspection and Testing
7.6.2 ATWS System
7.6.2.1 Design Basis
7.6.2.2 General Description
7.6.2.3 Performance Evaluation
7.6.3 Primary Containment Isolation System
7.6.3.1 Design Basis
7.6.3.2 Description
7.6.3.2.1 Definitions
7.6.3.2.2 Identification
7.6.3.2.3 Physical Arrangement
7.6.3.2.4 Description
7.6.3.2.5 Instrumentation
7.6.3.3 Performance Analysis
7.6.3.3.1 General
7.6.3.3.2 RCIC-HPCI Steamline Break Isolation
7.6.3.4 Inspection and Testing
7.6.3.4.1 General
7.6.3.4.2 RCIC and HPCI Steam Flow
7.6.3.4.3 Reactor Building Ventilation Exhaust System
Table 7.6-1 Typical Reactor Protection Systems Scram Setpoints
Table 7.6-2 Primary Containment Isolation System
7.7 Turbine-Generator System Instrumentation and Control
7.7.1 General


7.7.2 Turbine-Generator Control
7.7.2.1 Design Basis
7.7.2.2 Description
7.7.2.3 Performance Analysis
7.7.3 Main Condenser, Condensate, Heater Drains, and Condensate Demineralizer System Instrumentation and Control
7.7.3.1 Design Basis
7.7.3.2 Description
7.7.3.3 Performance Analysis
7.7.4 Reactor Feedwater System Instrumentation and Control
7.7.4.1 Design Basis
7.7.4.2 Description
7.7.4.3 Performance Analysis
7.8 NUMAC Rod Worth Minimizer and Plant Process Computer
7.8.1 Introduction
7.8.2 Rod Worth Minimizer
7.8.2.1 Design Basis
7.8.2.2 Description and Definitions
7.8.2.2.1 Rod Group
7.8.2.2.2 Rod Subgroup
7.8.2.2.3 Operating Sequence
7.8.2.2.4 Shutdown Margin Test Sequence
7.8.2.2.5 Selected Sequence
7.8.2.2.6 Selection Error
7.8.2.2.7 Insertion Error
7.8.2.2.8 Withdrawal Error
7.8.2.2.9 Power Level Set Point
7.8.2.2.10 Description
7.8.2.2.11 Arrangement
7.8.2.3 Performance Analysis
7.8.2.4 Surveillance and Testing
7.8.3 Process Computer
7.8.3.1 Design Basis


7.8.3.2 Description of Process Computer Functions
7.8.3.3 Description of Core Calculation Computer Functions
7.8.3.4 Effects of Computer on Instrument System
7.8.3.5 Surveillance and Testing
7.9 Other Systems Control and Instrumentation
7.9.1 Reference to Control and Instrumentation Systems Discussed in Further Detail in Other Sections
7.9.2 Toxic Substance Monitors
7.9.2.1 Design Basis
7.9.3 Accident Monitoring Instrumentation
7.9.3.1 Design Basis
7.9.3.2 Description
7.9.3.3 Performance Analysis
7.9.3.4 Testing and Inspection
7.10 Seismic and Transient Performance Instrumentation Systems
7.10.1 Nuclear Boiler Instrument Systems - Initial Seismic Test Program
7.10.1.1 Introduction
7.10.1.2 Systems
7.10.1.3 Design Criteria
7.10.1.4 Evaluation
7.10.1.5 Acceptance
7.10.2 Transient Performance
7.10.3 Balance of Plant Control Systems - Seismic Information Program
7.11 Reactor Shutdown Capability
7.11.1 Shutdown from Outside the Control Room
7.11.1.1 Conditions and Assumptions
7.11.1.2 Performance Evaluation
7.12 Detailed Control Room Design Review


7.13 Safety Parameter Display System
7.13.1 Design Basis
7.13.2 Description
7.13.3 Performance Analysis
7.13.4 Certification
7.14 References

FIGURES

Figure 7.2-2 Block Diagram - Single Cycle BWR Flow Control
Figure 7.3-1 Block Diagram - Nuclear Instrumentation System
Figure 7.3-2 Source Range Monitor System - Detector Locations
Figure 7.3-3 Intermediate Range Monitor System - Detection Locations
Figure 7.3-6 LPRM Detector Location
Figure 7.3-7 LPRM Equivalent Locations
Figure 7.3-8 APRM - LPRM Assignments
Figure 7.3-12 RBM - LPRM Input Assignments
Figure 7.3-13 RBM Trip Setpoints as a Function of Power
Figure 7.6-1 Reactor Protection System-Schematic Diagram
Figure 7.6-2 Reactor Protection System Scram Functions
Figure 7.6-4 Block Diagram - Primary Containment Isolation
Figure 7.6-5 RCIC - HPCI Isolation System Schematic
Figure 7.8-1 NUMAC Rod Worth Minimizer Block Diagram
Figure 7.8-2 NUMAC Rod Worth Minimizer Operator Display and Instrument Chassis

7.1 Summary Description

Instrumentation and controls have been provided to perform protective and regulating functions.

The protective systems, which consist of the reactor protective circuitry and the instrumentation and control for engineered safeguards, normally perform the most important of the instrumentation and control safety functions.

The regulating systems provide the ability to regulate the plant from shutdown to full power and to monitor and maintain key unit variables, such as reactor power, flow, temperature, and radioactivity levels within predetermined limits at both steady state and during normal plant transients.

The inputs to the protective and regulating systems are provided by a diversity of instruments. Description of instrumentation systems and major components, evaluation of adequacy of the provisions, and analyses from both a functional and reliability viewpoint are included in the following subsections.

7.1.1 Monticello Conformance to IEEE 279

7.1.1.1 Monticello Design

The integrated Emergency Core Cooling System (ECCS) fully meets the single failure criterion of IEEE 279 (Reference 18).

Although each of the various ECCS subsystems can tolerate failure of a sensor or sensor relay without impairment of correct operation, the designs do not generally carry this single failure tolerance beyond the sensor logic except for the Automatic Depressurization System (ADS). The ECCS subsystems are redundant between themselves (i.e. HPCI and ADS systems provide high pressure cooling and depressurization and the two Low Pressure Coolant Injection (LPCI) and two Core Spray Systems provide multiple redundant low pressure cooling). Each individual system (except ADS) is considered to be inoperable upon failure of any one of several single components, such as: core spray pump, core spray injection valve, core spray control relay; LPCI loop selection circuit, LPCI injection valve, LPCI control relay; HPCI turbine, HPCI pump, HPCI flow control valve; etc. The ADS can tolerate any single component failure (including single short and single open circuits) but could not tolerate a single event such as destruction of the entire control cabinet.

The Reactor Protection System (RPS, Section 7.6.1) and the Primary Containment Isolation System (PCIS, Section 7.6.3) were designed to meet a single failure criterion, including single short circuits and single open circuits, which was later embodied in IEEE 279. These systems fully meet the single failure requirements of the IEEE 279 criteria, including the single component failure definition in paragraph 4.2 of IEEE 279.

The criteria are clearly applicable to functions such as emergency core cooling or reactor protection, etc., and are not intended for individual elements of such functions. The acceleration relay pressure switch input to the RPS was noted by the AEC staff (November 4 and 5, 1969) as representing an exception to paragraph 4.10 (lack of testability) as well as AEC interpretation of paragraph 4.6 (separation requirements). Valving provides testability for the acceleration relay pressure switch input to the RPS and physical separation is maintained by the location of two of the four switches. Restricted orifice valves are provided in the bleed valve location in order to assure that a single operator error does not inadvertently bleed pressure off the turbine control valve hydraulic pressure source. Complete separation of the oil lines to these switches is not considered practical since the oil lines stem from a common source of hydraulic pressure and the incremental increase in safety that would be provided by separate routing is negligible.

The Standby Gas Treatment System (SGTS) is designed electrically to provide testability and single failure tolerance as defined in paragraph 4.2 of IEEE 279.

As indicated in Section 5.3, certain components (HEPA filters, charcoal filters) in the two trains of this system are separated physically by concrete partitions and separation of the controls is provided by a steel barrier in the control panel. Electrical wiring is channeled by different routes.

7.1.1.2 Adequacy of the Monticello Emergency Core Cooling Systems (ECCS)

The Emergency Core Cooling Systems (ECCS) are made up of several subsystems.

These subsystems are intended to provide two protective functions. One protective function is for large primary system breaks, where core spraying or core flooding is to be accomplished to adequately cool the core. The Core Spray Systems and the LPCI Subsystem each independently provide this protective function. This is referred to as the low-pressure core cooling protective function. The other protective function is for small primary system breaks. In this case, the protective function occurs in two steps: the first is the depressurization of the primary system followed by the second which is spraying or flooding as in the large break case. The depressurization can be performed rapidly by use of the Auto Depressurization System (ADS), or slowly by the HPCI System while also making up coolant inventory. The ADS and HPCI are each, independently, capable of providing the first step in the small break protective function. This is known as the high-pressure core cooling protective function.

In other words, either the LPCI Subsystem or either one of the two Core Spray Systems loops perform a low-pressure core cooling function and either the HPCI or the ADS perform a high-pressure core cooling function.

Each of the two protective (low-and high-pressure core cooling) functions described above are accomplished by the use of one of two subsystems. These protective functions are redundant and independent in themselves, but are collectively designed so that each protective function is achieved with a combined systems design which meets the single failure requirements of IEEE 279 in both initiation and control. A discussion of each subsystem is given below in order to clarify the applicability of IEEE 279 to each protective function and the capability of each subsystem making up the protective function in itself to meet the IEEE 279 requirements.

7.1.1.2.1 Low-Pressure Core Cooling Protective Function

7.1.1.2.1.1 Core Spray Subsystems

There are two completely independent, redundant, physically separated Core Spray System loops. The initiation logic for these two subsystems meets the requirements of IEEE 279. Once initiated, there is no proportioning control function served by this subsystem, (i.e. upon initiation, the subsystem maintains its state and operates continuously at rated conditions). Each subsystem loop is not required to meet IEEE 279, but the two subsystems together are designed to meet the IEEE 279 single failure requirements.

7.1.1.2.1.2 LPCI mode of RHR

The initiation logic (sensors and sensor relays) for the LPCI System meets the requirements of IEEE 279. The loop selection logic meets the single active component failure criterion (i.e., failure of a component to operate upon demand), but does not fully meet the single failure requirements of IEEE 279 regarding a single short circuit. The protective function performed by LPCI System is redundant to and can be performed alternately by the Core Spray Systems described above. Thus, there are two independent and fully redundant systems to provide the large break protective function. These two systems collectively meet the single failure requirements of IEEE 279.

The LPCI mode of the RHR has no automatic proportioning control circuitry associated with it. Like the core spray systems, the LPCI upon initiation maintains its state and operates continuously at rated conditions. Subsequent to reflooding the core after an accident, the LPCI System can be switched to manual control and flow reduced to only that required to make up system leakage. This manual control circuitry is not required for the protective function and need not meet the IEEE 279 requirements.

The flow path used by the LPCI for injecting water into the reactor vessel utilizes a single injection valve and flow path into each recirculation loop. There are two separate LPCI Injection paths (FIGURE 6.2-5). The circuitry which operates this single valve can be disabled by a single failure.

The shutdown cooling function of the RHR is normally isolated during reactor operation by use of two closed valves. This portion of the RHR does not provide any safety or protective function and therefore need not be designed to meet the requirements of IEEE 279.

7.1.1.2.2 High-Pressure Core Cooling Protective Function

7.1.1.2.2.1 Auto Depressurization System (ADS)

The Auto Depressurization System initiation logic meets the single failure requirements of paragraph 4.2 of IEEE 279. The automatic control of the valving meets the single active component failure criterion, but does not meet strict interpretation of the separation requirements of IEEE 279. The protective function of the ADS is redundant to and can be performed alternately by the HPCI System described below. Thus, there are two independent and fully redundant systems to provide high-pressure core cooling protective function.

The ADS valves, when actuated, open and remain open with no further automatic control. The valves are powered by independent circuits each of which automatically transfers to a backup source upon loss of power. The manual control of the valving does meet the single component failure criterion, as defined in paragraph 4.2 of the IEEE 279, but does not meet our interpretation of the separation requirements of IEEE 279.

7.1.1.2.2.2 HPCI System

The initiation logic of the HPCI System meets the single failure requirements of IEEE 279. This system has a steam turbine that is automatically controlled to operate under a wide range of driving steam conditions from as low as 150 psig to 1120 psig.

The protective function served by the HPCI System is redundant to and can be performed alternately by the ADS System described above. The initiation and control circuitry of these two systems which perform the depressurization (high pressure) protective function, when viewed together are designed to meet the single failure requirements of IEEE 279.
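The single-failure argument of Section 7.1.1.2 can be checked mechanically. The following is an added illustration, not part of the USAR or any plant software: a simplified success-path model in which a protective function is available if at least one of its subsystems has all of its components working. The component lists follow the examples given in the text; the "A"/"B" loop labels and the representation of the ADS by a single whole-cabinet event are modeling assumptions.

```python
from itertools import combinations

# Components whose failure makes each subsystem inoperable. Names follow the
# examples in the text; the "A"/"B" loop labels and the single ADS entry
# (the whole-cabinet event the text says ADS cannot tolerate) are assumptions.
SUBSYSTEMS = {
    "Core Spray A": ("CS-A pump", "CS-A injection valve", "CS-A control relay"),
    "Core Spray B": ("CS-B pump", "CS-B injection valve", "CS-B control relay"),
    "LPCI": ("LPCI loop selection circuit", "LPCI injection valve",
             "LPCI control relay"),
    "HPCI": ("HPCI turbine", "HPCI pump", "HPCI flow control valve"),
    "ADS": ("ADS control cabinet (whole-cabinet event)",),
}

# Each protective function succeeds if any one of its subsystems is operable.
FUNCTIONS = {
    "low-pressure core cooling": ("Core Spray A", "Core Spray B", "LPCI"),
    "high-pressure core cooling": ("HPCI", "ADS"),
}

ALL_COMPONENTS = sorted(c for comps in SUBSYSTEMS.values() for c in comps)


def subsystem_operable(subsystem, failed):
    """A subsystem is operable only if none of its components has failed."""
    return not any(c in failed for c in SUBSYSTEMS[subsystem])


def function_available(function, failed):
    """A protective function is available if any redundant subsystem is operable."""
    return any(subsystem_operable(s, failed) for s in FUNCTIONS[function])


def single_failure_effects():
    """Map each component to (subsystems lost, functions lost) when it alone fails."""
    effects = {}
    for comp in ALL_COMPONENTS:
        failed = {comp}
        lost_subsystems = [s for s in SUBSYSTEMS if not subsystem_operable(s, failed)]
        lost_functions = [f for f in FUNCTIONS if not function_available(f, failed)]
        effects[comp] = (lost_subsystems, lost_functions)
    return effects


def minimal_cut_sets(function, max_order=3):
    """Smallest sets of failed components that defeat a protective function."""
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(ALL_COMPONENTS, order):
            failed = frozenset(combo)
            if any(cs <= failed for cs in found):
                continue  # a smaller cut set is already contained in this one
            if not function_available(function, failed):
                found.append(failed)
    return found


if __name__ == "__main__":
    for comp, (subs, funcs) in single_failure_effects().items():
        print(f"{comp}: loses {subs}, functions lost: {funcs or 'none'}")
    for fn in FUNCTIONS:
        cuts = minimal_cut_sets(fn)
        print(f"{fn}: {len(cuts)} minimal cut sets, "
              f"smallest order {min(len(c) for c in cuts)}")
```

In this model every single failure removes exactly one subsystem and no protective function; the smallest combinations that defeat a function are of order 2 for high-pressure core cooling and order 3 for low-pressure core cooling.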

7.1.2 NRC Bulletin 90-01, Supplement 1, Loss of Fill-oil in Transmitters Manufactured By Rosemount

7.1.2.1 Introduction

NRC Bulletin 90-01, Supplement 1, was issued by the NRC on December 22, 1992 (Reference 19), to inform addressees of activities taken by the NRC staff and the industry in evaluating Rosemount transmitters and to request licensees to take actions to resolve this issue. The Supplement requested utilities to review the information for applicability, perform testing on the transmitter commensurate with its importance to safety and demonstrated failure rate, and modify, as appropriate, their actions and enhanced surveillance programs.

7.1.2.2 Discussion and Evaluation

Monticello responded to NRC Bulletin 90-01, Supplement 1, in submittals dated March 1, 1993 and April 29, 1994 (References 21, 22). The requested actions delineated in Supplement 1 asked that licensees review plant records and identify any Rosemount 1153 Series B, Model 1153 Series D, and Model 1154, transmitters manufactured before July 11, 1989 that are used or may be used in the future in either safety-related systems or systems installed in accordance with 10 CFR 50.62 (the ATWS rule). Additionally, the bulletin supplement requested that enhanced surveillance monitoring be established for transmitters which satisfied criteria for normal operating pressures and time in service criteria.

Monticello's actions included replacement of the sensing module of potentially affected transmitters or demonstration that the potentially affected transmitter satisfied the psi-month threshold criteria for not requiring enhanced surveillance monitoring. Therefore, enhanced surveillance monitoring is not required.

The NRC staff reviewed Monticello's responses to NRC Bulletin 90-01, Supplement 1, and provided a Safety Evaluation by NRC letter dated February 28, 1995 (Reference 23). The NRC staff safety evaluation concluded that the actions taken by Monticello in response to the bulletin conform to the Requested Action of NRC Bulletin 90-01, Supplement 1, and that Monticello has completed the reporting actions.

Monticello is committed to the GE Setpoint Methodology for instrument Setpoint calculations associated with safety limits and Technical Specifications (See Reference 48).

7.2 Reactor Control Systems

7.2.1 Reactor Manual Control System

7.2.1.1 Design Basis

The reactor manual control system is designed to:

a. Provide methods to control reactor power level.

b. Provide methods to balance the power distribution within the reactor core.

c. Prevent a single component malfunction or single operator error from causing damage to the reactor coolant system.

d. Prevent a malfunction from interfering with reactor protective functions.

e. Provide a capability to satisfy the boundaries for fuel damage by meeting the specific core characteristics, parameters, and limitations listed and described in Section 3.2.

Based on these design bases the reactor manual control system can be described in such manner as to separate the system into both safety and operational design bases and objectives. It is upon these objectives and design bases and their ultimate mission cited in Sections 3.2.1 and 3.2.2, that the following sections are justified and discussed.

7.2.1.1.1 Identification

The reactor manual control system consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The reactor manual control system does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in the Reactor Protection System, Section 7.6.1. Neither are the mechanical devices of the control rod drives and the control rod drive hydraulic system included in the reactor manual control system. These mechanical components are described in Section 3.5, Reactivity Control Mechanical Characteristics.

7.2.1.1.2 Operational Objective

The objective of the reactor manual control system is to provide the operator with the means to make changes in core reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

7.2.1.1.3 Safety Design Basis

a. The circuitry provided for the manipulation of control rods is designed so that no single failure can negate the effectiveness of a reactor scram.

b. Repair, replacement, or adjustment of any failed or malfunctioning component does not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

7.2.1.1.4 Operational Design Basis

a. The reactor manual control system is designed to inhibit control rod withdrawal following erroneous control rod manipulations so that reactor protection system action (scram) is not required.

b. The reactor manual control system is designed to inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation.

c. The reactor manual control system is designed to inhibit rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation is incapable of monitoring the core response to rod movement.

d. To limit the potential for inadvertent rod withdrawals leading to reactor protection system action, the reactor manual control system is designed in such a way that deliberate operator action is required to effect a continuous rod withdrawal.

e. To provide the operator with the means to achieve prescribed control rod patterns, information pertinent to the position and motion of the control rods is available in the control room.

7.2.1.2 Control Rod Adjustment Control

7.2.1.2.1 General

Withdrawing a control rod increases core reactivity causing reactor power to increase until the increased boiling, void formation, and fuel temperature balance the change in reactivity caused by the rod withdrawal. Increase in boiling rate tends to raise reactor vessel pressure, causing the initial pressure regulator to open the main turbine control or bypass valves to maintain a constant turbine inlet pressure. When a control rod is inserted, the converse effect takes place.

The hydraulic portion of the control rod drive system is described and evaluated in Section 3.5.3. Each control rod has its own drive, including separate control and scram devices. Each rod is electrically and hydraulically independent of the others, except that a common hydraulic pressure source is used for normal operation. The east hydraulic control unit groups use the east scram discharge volume and the west hydraulic control unit groups use the west scram discharge volume for the scram operation. Each rod has an individual pressure source for scram operation. Rod position is mechanically controlled by the design of the rod drive piston and collet assembly.

Scram operation of all rods is completely independent of the circuitry involved in rod positioning during normal operation. Scram operation is described in Section 7.6.1.2.

Electrical power for the control rod drive control system is received from an instrument bus and the a-c bus. The rod drive system is actuated, for normal operation, by energizing solenoid operated valves which direct the drive water to insert or withdraw the rod.

Control rods are operated one at a time and are withdrawn in preplanned sequences conforming to the Banked Position Withdrawal Sequence (BPWS). See Section 7.8.2 for additional discussion of the BPWS. The rod selected for movement is electrically controlled so that movement is not more than six inches (one notch) at a time, except that the one notch withdrawal movement restriction can be overridden by the operator by simultaneously manipulating two switches. Insertion requires operation of only one switch. Protection is afforded to prevent inadvertent withdrawal, insertion and selection of the control rods. This protection prevents control rod movement (rod block). To permit continued power operation during the repair or calibration of equipment for selected functions which provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1 SRM channel
2 IRM channels (1 on either bus)
1 APRM channel
1 RBM channel

The permissible IRM and APRM bypasses are arranged in the same way as in the reactor protection system. The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The arrangement allows the bypassing of one IRM in each rod block logic circuit. Only one of the 4 APRM channels can be bypassed at a time. Only one rod block circuit can be affected by the APRM bypass function. These bypasses are enabled by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is enabled as the neutron flux increases beyond a preset low level on the SRM instrumentation. The bypass allows the detector to be partially or completely withdrawn as a reactor startup is continued.

An automatic bypass of the RBM rod block occurs whenever the power level is below a preselected level or whenever a peripheral control rod is selected. Either of these two conditions indicates that local fuel damage is not threatened and the RBM action is not required.

The rod worth minimizer rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. It may be manually bypassed for maintenance at any time.

The same grouping of neutron monitoring equipment (APRM, IRM, SRM, and RBM) that is used in the reactor protection system is also used in the rod block circuitry.

One half of the total numbers of APRMs, IRMs, SRMs, and RBMs provides inputs to one of the rod block logic circuits, and the remaining half provides inputs to the other logic circuit. Both RBM trip channels provide input signals into a separate inhibit circuit for the nonannunciating rod block control. Scram discharge volume high water level signals are provided as inputs into one of the two rod block logic circuits.

Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed. The rod withdrawal block from the rod worth minimizer trip affects a separate circuit that trips the nonannunciating rod block control. The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion.

The APRM rod block settings are varied as a function of recirculation flow. Analyses show that the settings selected are sufficient to avoid both reactor protection system action and local fuel damage as a result of a single control rod withdrawal error.

Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional detail on all the neutron monitoring system trip channels is available in Section 7.3.

The rod block from scram discharge volume high water level utilizes two thermally activated switches, one installed on each scram discharge volume. Control rod position information is obtained from reed switches in the control rod drive that open or close as a magnet attached to the rod drive piston passes during rod movement.

Reed switches are provided at each 3 inch increment of piston travel. Since a notch is 6 inches, indication is available for each half-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift.

A drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer and the rod worth minimizer.

Reed switches are also provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves to these over-travel positions, an alarm is sounded in the control room. The over-travel alarm provides a means to verify that the drive-to-rod coupling is intact, because with the coupling in its normal condition, the drive cannot be physically withdrawn to the over-travel position. Coupling integrity can be checked by attempting to withdraw the drive to the over-travel position.

The following control room lights are provided to allow the operator to know the status of the control rod system and the control circuitry:

Rod position
Withdraw bus energized
Insert bus energized
Withdrawal not permissive
Rod drift
Notch override
Settle bus energized
Rod drive flow control valves position
Rod drive water pressure control valve position
Drive water pump low suction pressure (alarm only)
Charging water (to accumulator) low pressure (alarm only)
Control rod drive high temperature alarm
Scram discharge volume not drained (alarm only)
Scram valve pilot air header low pressure (alarm only)
Rod worth minimizer conditions are displayed (Section 7.8)
Nuclear instrumentation system trips are displayed (Section 7.3)

7.2.1.2.2 Control Rod Operating Logic

7.2.1.2.2.1 Description

The control rod operating logic is shown in block form on Section 15 Drawings NX-7865-7-1 and NX-7865-7-2, and is described below:

a. With the mode switch in SHUTDOWN, no control rod can be withdrawn. This enforces compliance with the intent of the SHUTDOWN mode.

b. The circuitry is arranged to initiate a rod block which prevents rod withdrawal regardless of the position of the mode switch for the following conditions:

1. Any average power range monitor (APRM STP) upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require reactor protection system action if allowed to proceed. The APRM STP upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.

2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or properly bypassed.

3. Either rod block monitor (RBM) upscale alarm. This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear steam supply system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation.

4. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or properly bypassed.

5. APRM flow upscale alarm rod block. This assures that no control rod is withdrawn unless the recirculation flow inputs to the APRMs are operable.

6. The reduction of LPRM inputs for any APRM channel below a preset number gives a trouble alarm.

7. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in either scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block no later than the scram that is initiated on scram discharge volume high water level.

8. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service.

9. The rod worth minimizer (RWM) can initiate a rod insert block, a rod withdrawal block, or a rod select block. The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed.

10. Rod select switch off position is necessary to assure compliance with the intent of the off position.

11. Rod movement timer malfunction prevents rod motion if the timer in the control rod withdraw circuitry is not functioning properly.

12. Rod position information system malfunction. A rod block occurs whenever the rod position information system clock oscillator malfunctions or whenever a control rod probe buffer printer circuit card is removed from its card holder. This circuitry assures that all control rod positions are being properly monitored.

c. With the mode switch in RUN the following conditions initiate a rod block:

1. Any APRM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the average power range neutron monitoring channels are operating properly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.

2. Either RBM downscale. This assures that the RBM is in an operating range and is automatically bypassed at low power by a low APRM signal.

3. Any APRM Simulated Thermal Power (STP) - High in RUN. The APRM-STP rod block trip prevents operation significantly above the licensing basis power level especially during operation at reduced flow. The APRM-STP rod block provides gross core protection; i.e., limits the gross core power increase from withdrawal of control rods in the normal withdrawal sequence.

d. With the mode switch in STARTUP or REFUEL the following conditions initiate a rod block:

1. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are properly inserted when they must be relied upon to provide the operator with neutron flux level information.

2. Any SRM upscale level alarm. This assures that no control rod is withdrawn unless the SRM detectors are properly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.

3. Any SRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all SRM channels are in service or properly bypassed.

4. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM detectors are properly located.

5. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is properly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring reactor protection system action (scram) in the event that a rod withdrawal error is made during low neutron flux level operation.

6. Any IRM downscale alarm except when the range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being properly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level; thus, the rod block ensures that the intermediate range monitor is on scale if control rods are to be withdrawn.

7. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM channels are in service or properly bypassed.

8. Fuel loaded on service platform hoist. This prevents rod movement while this hoist is loaded.

9. Refuel platform is near or over reactor core and the fuel grapple, frame mounted hoist, or trolley mounted hoist is loaded. This feature prevents rod movement while any of these hoists are loaded.

e. With the mode switch in REFUEL position:

1. One rod permissive not energized - provides a bypass to permit single rod withdrawal without nuclear instrumentation permissives.

f. With mode switch in STARTUP position:

1. Refuel platform near or over reactor core - prevents rod motion for startup if the refueling platform is near or over the core.

2. APRM STP - High (Setdown) in STARTUP. For operation at low power (i.e. Mode 2), the APRM STP - High (Setdown) Function generates a rod block to prevent fuel damage resulting from abnormal operating transients in this power range.
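The mode-dependent logic of items a through f can be written as one evaluation function. This is an added illustration, not plant software or part of the USAR: the alarm and field names are hypothetical, alarms are assumed to be passed in only when active and not manually bypassed, and items b6, e1 and the RWM insert and select blocks are left out.

```python
from dataclasses import dataclass, field

# Alarm name -> item label, grouped by the mode-switch positions in which the
# item applies. Alarm names are hypothetical; labels follow the list above.
ALARM_BLOCKS = {
    ("SHUTDOWN", "REFUEL", "STARTUP", "RUN"): {
        "aprm_stp_upscale": "b1", "aprm_inop": "b2", "rbm_upscale": "b3",
        "rbm_inop": "b4", "aprm_flow_upscale": "b5", "sdv_high_level": "b7",
        "sdv_scram_trip_bypassed": "b8", "rwm_withdraw_block": "b9",
        "rod_select_off": "b10", "rod_timer_malfunction": "b11",
        "rpis_malfunction": "b12",
    },
    ("RUN",): {"aprm_downscale": "c1", "rbm_downscale": "c2",
               "aprm_stp_high": "c3"},
    ("STARTUP", "REFUEL"): {
        "srm_upscale": "d2", "srm_inop": "d3", "irm_upscale": "d5",
        "irm_inop": "d7", "service_platform_hoist_loaded": "d8",
    },
    ("STARTUP",): {"aprm_stp_high_setdown": "f2"},
}
RBM_ITEMS = {"b3", "b4", "c2"}  # removed by the automatic RBM bypass


@dataclass
class IrmChannel:
    downscale: bool = False
    on_lowest_range: bool = False


@dataclass
class PlantState:
    mode: str                                   # SHUTDOWN, REFUEL, STARTUP or RUN
    alarms: set = field(default_factory=set)    # active, unbypassed alarms
    srm_detectors_fully_inserted: bool = True
    srm_count_below_retract_permit: bool = False
    irm_on_two_lowest_ranges: bool = False
    irm_detectors_fully_inserted: bool = True
    irm_channels: list = field(default_factory=list)
    power_below_rbm_level: bool = False         # RBM automatic bypass condition
    peripheral_rod_selected: bool = False       # RBM automatic bypass condition
    refuel_platform_over_core: bool = False
    refuel_hoist_loaded: bool = False           # grapple, frame or trolley hoist


def withdrawal_blocks(s):
    """Return the sorted item labels of every asserted rod withdrawal block."""
    blocks = {"a"} if s.mode == "SHUTDOWN" else set()
    for modes, table in ALARM_BLOCKS.items():
        if s.mode in modes:
            blocks.update(lbl for alarm, lbl in table.items() if alarm in s.alarms)
    # RBM rod blocks are bypassed at low power or with a peripheral rod selected.
    if s.power_below_rbm_level or s.peripheral_rod_selected:
        blocks -= RBM_ITEMS
    if s.mode in ("STARTUP", "REFUEL"):
        # d1 needs all three conditions: detector out, low counts, low IRM range.
        if (not s.srm_detectors_fully_inserted
                and s.srm_count_below_retract_permit
                and s.irm_on_two_lowest_ranges):
            blocks.add("d1")
        if not s.irm_detectors_fully_inserted:
            blocks.add("d4")
        # d6: IRM downscale does not block while that channel is on its lowest range.
        if any(ch.downscale and not ch.on_lowest_range for ch in s.irm_channels):
            blocks.add("d6")
        if s.refuel_platform_over_core and s.refuel_hoist_loaded:
            blocks.add("d9")
    if s.mode == "STARTUP" and s.refuel_platform_over_core:
        blocks.add("f1")
    return sorted(blocks)


def withdrawal_permitted(s):
    return not withdrawal_blocks(s)
```
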

7.2.1.2.2.2 Justification

The rod block functions listed above can be divided into three primary categories: 1) those associated with the neutron monitoring system; 2) those associated with preventing control rod withdrawal due to malfunctions within the control rod control system; 3) those associated with the refueling interlock system. Although considerable redundancy has been provided in these systems, they are not part of the plant protection system and, therefore, are not designed to meet IEEE 279 Criteria for Nuclear Power Plant Protection Systems (Reference 18). As stated in Section 7.1.1, they are designed to prevent a single malfunction or single operator error from causing damage to the reactor or the reactor coolant system.

Of the rod block functions listed, item a needs no justification, since it is provided to enforce the intent of the shutdown and control rod select off position and is necessary to assure that the operator can lock the control rods when the plant is shutdown.

Functions b1, b2, b3, b4, b5, b9, c1, c2 are part of the neutron monitoring system.

Functions d1, d2, d3, d4, d5, d6, d7 and f2 are also neutron monitoring system inputs under some conditions as described below. A description of the neutron monitoring system is contained in Reference 1 and Section 7.3. It is indicated in these documents that the neutron monitoring system is designed such that it is adequate to block withdrawal when required.

There are two rod block logic circuits and one half of the total numbers of APRMs, IRMs, SRMs, and RBMs provides inputs to one of the rod block logic circuits. The remaining half provides inputs to the other logic circuit. In addition to the arrangement just described, both RBM channels provide input signals into a separate inhibit circuit for the nonannunciating rod block control.

The rod withdrawal block from the rod worth minimizer trip affects a separate circuit that trips the nonannunciating rod block control. The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion.

The RBM rod block alarm settings are varied as a function of reactor power.

Analysis shows that the settings selected are sufficient to avoid local fuel damage as a result of a single control rod withdrawal error. This analysis is discussed in Section 7.3.5.3.3. Thus, although the system may not meet the IEEE 279 criteria, considerable redundancy is provided.

The rod block monitor (RBM) is installed in the boiling water reactor to provide, in addition to stated operating procedures, equipment as an operating aid in the event of a single equipment malfunction or a single operator error, so that thermal margins are maintained. As explained above, if the most adverse control rod pattern were to be established by the operator it is possible there would exist a control rod, which if fully withdrawn, could result in reduced thermal margins. In order for the operator to withdraw such a rod it is necessary that, besides committing a procedural error of beginning the withdrawal of the wrong rod, he must ignore several alarms (or have failures of such alarms) and simultaneously have a failure of the RBM system. Thus, it has been analyzed that even if it is assumed that: 1) one operator error AND one equipment malfunction, or 2) one operator error plus a second operator error AND one or more equipment malfunctions occur, the possible off-site effects are within the limitations of 10CFR20. Therefore, safety-grade equipment status has not been assigned to the RBM.

If it is assumed that sufficient operator errors and equipment failures occur to exceed thermal limits and if exceeding these thermal limits causes fuel perforations, no off-site doses in excess of 10CFR20 limits would occur due to the protective action of such equipment as the air ejector isolation of the off-gas or the stack gas alarm which would alert the operator to isolate the off-gas.

Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. These switches help assure proper utilization of the SRM and IRM systems during refueling and startup conditions.

Functions b7, b8, b11, b12 are associated with possible malfunctions within the control rod control system. These are desirable in order to prevent control rod withdrawal when there is a known malfunction in the control rod system. Such a rod block forces immediate repair or adjustment as indicated by the corresponding alarms before control rod withdrawal can be resumed.

Functions d1, d2, d3, d4, d5, d6, d7, d8, d9, e1, f1, and f2 permit refueling the reactor, checking reactivity during fueling operations, and testing individual control rod drives, while helping to assure that refueling is not attempted when the control room operator does not intend such action and that reactor startup is not undertaken while refueling operations are progressing. As described above, outputs from the IRM and SRM systems are inputs to the two rod block logic circuits, with one half of the instrument channels feeding each rod block logic circuit. These outputs are arranged to ensure that the low range neutron monitors are operating (or properly bypassed) when fuel is being moved.

In addition to assuring that the neutron monitors are in operation, refueling interlocks are provided which include circuitry to sense the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated which prevent the movement of the refueling equipment or withdrawal of control rods (rod block).

7.2.1.2.3 Performance Analysis

The reactor manual control system is used to manipulate individual control rods during plant operation, and is a distinctly separate system (both electrically and physically) from the reactor protection system (RPS) which is used to scram all control rods when required for protection of the reactor. The scram circuitry of the reactor protection system is discussed in Section 7.6. The independence and separation of these two systems assures that any single failure of the manual control system cannot prevent a reactor scram when such action is required.

Both of these systems are designed to control individual control rods; however, the manual control system accomplishes its function by means of four directional control solenoids and valves, whereas the RPS accomplishes its function using the two scram pilot valves and solenoids of each control rod. Even if a given control rod is being withdrawn with the manual control system, the action of the scram valves on that rod results in the rod being inserted to its full-in position. Hence, it is concluded that the RPS protective action is applicable to all control rods regardless of the state of the reactor manual control system.

The design features of the reactor manual control system to prevent simultaneous withdrawal of more than one control rod are as follows:

a. A single pushbutton is used to select an individual control rod. Wiring is used from the pushbutton contacts to the control rod select relays associated with the chosen control rod.

b. The logic of the control rod select pushbutton contacts is arranged with a set of contacts in the hot side of the power line and another set of contacts in the neutral side of the power line. The rod select relay for any selected rod is automatically de-energized by this logic arrangement prior to energization of the next control rod selected by the operator.

This configuration assures that only one control rod is selected at any given time.

Therefore it is concluded that the reactor manual control system contains adequate provisions to prevent simultaneous withdrawal of more than one control rod.

The system has inherent design features which provide additional protective and operational capabilities which are not necessary for safety criteria purposes. Even if multiple component failures are assumed, the rod block monitor (RBM) would prevent control rod withdrawal due to the fact it would receive double the normal analog voltage input from two rods being selected by the multiple failure. Below 10% power the rod worth minimizer (RWM) may also detect erroneous selection of more than one rod since the selected rod input information from each rod is added together by Boolean addition. Moreover, if such multiple component failures caused multiple rod selection the reactor operator would be presented with the control rod selection pushbutton display having more than one pushbutton illuminated. Such an indication would warn the reactor operator that multiple failures had occurred.

An evaluation of the control rod position detection and indication system shows that there is no specific number of switch failures that requires restricting the control system. Formal criteria or procedures are not considered necessary to properly operate the plant under conditions of one or more rod position indication or detection failures. For such failures, it is necessary that operating personnel exercise good judgment based upon the particular circumstances. As indicated below, the operator is generally able to deduce the position of the control rod. This approach is illustrated by the following examples:

a. One open reed switch on one control rod. At this particular rod position, no indication of rod position would be provided to the operator or the process computer. It is expected that the operator would move this control rod to an adjacent position having proper rod position indication.

b. One continuously closed reed switch on one control rod. At various positions, indications would be provided. The operator is generally able to properly deduce the correct position, but the process computer may be unable to do so. It is expected that the operator would not need to move the rod since he would be highly confident of its position and the computer program would automatically assume a predetermined position to eliminate the ambiguity.

c. Loss of all rod position information for one rod. The operator indication and computer input would indicate absence of data, blank display and logic 0 inputs to the computer. It is expected that the operator would either place the rod at its full-in position and valve it out of service, or he may attempt to locate it using the TIP system to scan the core flux distribution at the guide tube nearest the control rod in question. If the rod position information system (RPIS) electronics board has caused the failure, the board would be replaced to correct the fault.

d. Loss of rod position information for all rods. A malfunction of the RPIS internal clock oscillator or loss of AC power to the RPIS results in rod selection, rod insertion and rod withdrawal blocks by direct interlocks in the control rod adjustment control system, and by indirect means with the rod worth minimizer function of the process computer below 10% power levels. Repair of the fault would be anticipated in these circumstances.

Many combinations of similar failures could be postulated and analyzed. However, the above four examples illustrate the importance of operator judgment in assessing the situation and determining a proper course of action.

7.2.1.2.4 Inspection and Testing

The reactor manual control system is routinely checked for proper operation by manipulating control rods using the various methods of control. Detailed testing and calibration is performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

7.2.2 Recirculation Flow Control System

7.2.2.1 Description

Reactor power may be varied over a range of approximately 30% by varying recirculation flow rate. As recirculation flow rate is increased, steam is removed from the core faster, thus reducing the existing void accumulation. A positive reactivity insertion is effected by increased moderation of neutrons, and reactor power increases. The positive reactivity input is balanced by the negative reactivity effects of high temperature and new void formation.

Speed of the reactor recirculation pumps is varied to change the recirculation flow. A block diagram of the recirculation flow control system is shown in Figure 7.2-2.

Motor-generator sets with adjustable speed couplings vary the frequency of the voltage supply to the pump motors to give the desired pump speed. To change reactor power, an input from the reactor operator is applied to one of the Pump Speed Control Switches. A signal from each Control Switch directs the Programmable Logic Controller (PLC) to control the time rate of change of pump speed. It is the signal from this device that directly controls the actuators that vary the adjustable speed couplings of the motor-generator sets.

The recirculating pump motor adjusts its speed in accordance with the frequency of the motor-generator (MG) set output voltage.

A scoop tube lock-up system installed at Monticello improves the reliability of the recirculation flow control system. Protective logic functions monitor each recirculation flow control loop and lock the actuator in position if abnormal conditions are sensed.

7.2.2.2 Performance Analysis

The recirculation flow control arrangement contributes to the stable response of the reactor. Malfunction of the flow controls is discussed in Section 14.5 of the FSAR.

Section 3 describes reactor margins under the flow control mode.

7.3 Nuclear Instrumentation System

7.3.1 Design Basis

The neutron monitoring system is designed to:

a. Provide the reactor operator with the information required for optimum, safe operation of the reactor core.

b. Provide inputs to the reactor protection system and the rod block circuitry to assure that the local power density and bulk power level do not exceed preset limits.

In order to meet the design requirements, the nuclear instrumentation system must:

c. Detect and measure neutron flux from the source range level through the power range level.

d. Annunciate an alarm on component failures.

In addition, both local and average neutron flux must be measured and indicated in the power range.

Also included in the neutron monitoring system is the Oscillation Power Range Monitor (OPRM), which is used to detect thermal hydraulic oscillations.

Specific design requirements are listed for each nuclear instrumentation sub-system.

7.3.2 General Description

The nuclear instrumentation system uses three types of neutron monitors. The neutron flux level for operation in the region of subcritical to an intermediate flux level and refueling operations is monitored by the source range monitor (SRM). From a neutron flux level of just above criticality to approximately ten percent full power the intermediate range monitor (IRM) is used. From about 3% power to full power operation the local power range monitor (LPRM) is used. The detectors for the SRM and IRM subsystems are withdrawn from the core during power range operation. The detectors for the power range are fixed in place.

During operation in the power range, the LPRM signals are used in three separate systems:

a. LPRM flux level is indicated, and a high flux alarm is annunciated if the level reaches a preselected point.

b. The average power range monitors (APRM) average the outputs of selected LPRMs in such a manner that indication of average reactor power is provided. High average neutron flux or high Simulated Thermal Power is used as an indication of an overpower condition requiring shutdown by reactor scram signals to the RPS.

c. During control rod motion, the average of a set of LPRMs adjacent to the selected control rod is used by the rod block monitor (RBM) to limit increases in local power.

d. The Oscillation Power Range Monitor determines the magnitude and period of neutron flux oscillations. These oscillations are indicative of reactor instability and if oscillations exceed predetermined levels a RPS scram will be triggered to eliminate the oscillations.

Figure 7.3-1 presents a block diagram of the various neutron monitoring system channels as they are functionally assembled in one of two similar groups.

A traversing in-core probe (TIP) is supplied which may be inserted in the core to obtain axial neutron flux profile data at each LPRM detector assembly location. The information obtained from the TIP is used to calibrate the LPRM system.

7.3.3 Source Range Monitoring Subsystem

7.3.3.1 Design Basis

In order to meet the general design requirement to provide the nuclear information needed for knowledgeable and efficient reactor startup and low flux level operation, the source range monitor must:

a. Provide a minimum signal-to-noise count ratio of 3:1 and a minimum count rate of 3 counts per second with all control rods inserted prior to initial power operation (includes contribution of neutron-emitting sources).

b. Show a measurable increase in output signal (10%) from at least one detector before the reactor period is less than 20 seconds during the worst physically possible startup control rod withdrawal condition.

c. Provide for signal overlap with the IRM signal when the SRM detectors are in the fully inserted position.

7.3.3.2 Description

The source range monitoring system is used to provide the necessary information for reactor start-up from subcritical to an intermediate flux level and for refueling operations. The SRM system consists of four miniature fission chambers which are operated in the pulse counting mode. These detectors have a nominal sensitivity of 1.2 x 10^-3 counts per second per nv and are located radially in the core as shown in Figure 7.3-2. The detectors are attached to drive mechanisms which can position the chambers from the full in location (approximately 2 feet above core centerline) to a position approximately two feet below the reactor core.

The detector drive system consists of a detector drive, a flexible drive shaft, a motor module, and a drive tube for each detector. The drive is mounted through an adapter to the instrumentation nozzle well below the vessel in a location that does not interfere with control rod operation and maintenance. The drive tube is a long hollow tube which acts as a rack. A long, slender shuttle tube is mounted on the upper end of the drive tube. This combination tube, housing the fission chamber detector assembly, is driven up and down inside the dry tube.

A flexible drive shaft transmits power to the gear box of the detector drive assembly from the motor module located approximately 20 feet away. Four limit switches provide detector position information and also interlock the motor power circuits to establish insert and retract limits.

The detector assembly consists of a fission counter attached to a low loss quartz fiber insulated transmission cable terminated with a connector. The detector cable is connected below the reactor vessel to a triple-shielded cable which carries the detector electrical output to the monitor circuitry. The output of each of the four SRM detectors is amplified and the signal conditioned. The resulting signal, proportional to the logarithm of the counts per second occurring in the detector, is continuously displayed to the reactor operator on log count rate meters. The time derivative of this signal is formed and displayed to the reactor operator on four reactor period meters.

A recorder is available to the operator to allow recording of the four log count rate signals. Annunciators are activated by various conditions such as short reactor period or high count rate.

Each of the four SRM channels initiates a rod block with the mode switch in STARTUP or REFUEL under the following conditions:

a. SRM detectors not fully inserted into the reactor core with the SRM count level below 100 cps, IRM on the lowest two range positions.

b. SRM upscale.

c. SRM channel inoperative.

d. SRM low count rate.

e. SRM downscale.

The SRM detector position rod block is actuated by a position indicator on the retract mechanism. The SRM channel inoperative rod block is effective whenever the SRM detector high voltage supply drops below a preset level, one of the SRM channel modules is not plugged in, or the SRM channel is not in its operate mode. A rod block trip signal from any one of the four channels prevents rod withdrawal.

Any one of the four SRM channels may be bypassed by operation of a bypass switch on the control panel. An automatic bypass of the SRM channel detector position rod block occurs when the count level is greater than 100 cps or when the IRM range switch is on range three or above.
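The SRM rod block and bypass rules described above can be written out as a small truth-table model. This is an added example, not code from the USAR or the plant; it covers conditions a, b and c only (the page gives no set points for low count rate or downscale), and the channel labels, the integer encoding of the IRM range switch, and the choice to treat exactly 100 cps as "not below 100 cps" are assumptions.

```python
from dataclasses import dataclass, replace
from enum import Enum

RETRACT_PERMIT_CPS = 100.0  # page: low level (100 cps) rod block set point
UPSCALE_CPS = 9.07e4        # page: high level rod block set point


class Mode(Enum):
    REFUEL = "REFUEL"
    STARTUP = "STARTUP"
    RUN = "RUN"


@dataclass(frozen=True)
class SrmChannel:
    name: str                 # constructed label, not a plant tag
    count_rate_cps: float
    fully_inserted: bool
    irm_range: int            # assumed encoding: 1 = lowest range position
    hv_ok: bool = True        # detector high voltage above its preset level
    modules_plugged_in: bool = True
    in_operate_mode: bool = True
    bypassed: bool = False    # manual bypass switch selects this channel


def channel_trips(ch):
    """Return the rod block conditions (a, b, c in the list above) active on one channel."""
    trips = []
    if not (ch.hv_ok and ch.modules_plugged_in and ch.in_operate_mode):
        trips.append("inoperative")
    if ch.count_rate_cps >= UPSCALE_CPS:
        trips.append("upscale")
    # Automatic bypass of the detector position block: enough counts, or IRM on range 3+.
    auto_bypass = ch.count_rate_cps >= RETRACT_PERMIT_CPS or ch.irm_range >= 3
    if not ch.fully_inserted and not auto_bypass:
        trips.append("detector_not_full_in")
    return trips


def srm_rod_block(mode, channels):
    """Map each blocking channel to its active trips; an empty dict means no SRM rod block."""
    if sum(ch.bypassed for ch in channels) > 1:
        raise ValueError("bypass switch arrangement permits only one SRM channel bypass")
    if mode not in (Mode.STARTUP, Mode.REFUEL):
        return {}  # SRM rod blocks act only with the mode switch in STARTUP or REFUEL
    blocking = {}
    for ch in channels:
        trips = channel_trips(ch)
        if trips and not ch.bypassed:
            blocking[ch.name] = trips  # any one un-bypassed channel is enough to block
    return blocking


def constructed_channels(**changes_to_b):
    """Four constructed channels at 50 cps, fully inserted; keyword changes apply to SRM-B."""
    base = [SrmChannel(f"SRM-{c}", 50.0, True, 1) for c in "ABCD"]
    base[1] = replace(base[1], **changes_to_b)
    return base


if __name__ == "__main__":
    cases = {
        "all inserted, 50 cps": constructed_channels(),
        "B retracted at 50 cps": constructed_channels(fully_inserted=False),
        "B retracted at 500 cps": constructed_channels(fully_inserted=False, count_rate_cps=500.0),
        "B high voltage lost": constructed_channels(hv_ok=False),
        "B high voltage lost, bypassed": constructed_channels(hv_ok=False, bypassed=True),
    }
    for label, chans in cases.items():
        print(f"{label:32s} -> {srm_rod_block(Mode.STARTUP, chans) or 'no rod block'}")
```

The model shows why the single-bypass limit matters: a bypassed channel contributes nothing to the rod block, so the remaining three channels carry the whole detection function.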

Reactor startup is begun with the un-bypassed SRM chambers fully inserted. Withdrawal of control rods increases the reactivity of the reactor core and hence the multiplication of source neutrons. Although the removal of a given individual control rod may not show as a measurable increase on all chambers, the approach to criticality through distributed control rod withdrawal is indicated by an appreciable increase in the count rate indicated. Both the log count rate meters and the period meters provide an indication as the reactor approaches criticality, becomes critical, and, with further withdrawal of control rods, becomes supercritical. After sufficient rod withdrawal to obtain a useful reactor period (on the order of sixty seconds) the reactor power is allowed to increase exponentially.

The SRM chambers may be withdrawn from the fully inserted position any time the count rate is 100 counts per second or greater on the chamber to be withdrawn. To continue the reactor startup, withdrawal of the SRM detectors must be gradual, and the SRM count levels must be maintained between the low level (100 cps) rod block and the high level (9.07 x 10^4 cps) rod block set points. Each SRM chamber is withdrawn individually, and it may be stopped at any intermediate point in its travel.

The useful range of the SRM channels is from 10^1 cps to 10^6 cps, which corresponds to flux range of 5 x 10^1 to 5 x 10^8 neutrons per square centimeter per second.

The primary function of the SRM system is to verify that an adequate neutron flux background exists during an approach to criticality. The minimum required source range monitor count rate of 3 cps is maintained by the irradiated fuel with refueling procedures. The number of SRM channels was selected to permit positive detection of an approach to criticality performed by withdrawing control rods in the region most remote from chambers. In this worst case, the nearest un-bypassed SRM channel would show a factor of 1.1 signal increase at the time criticality is achieved.

The minimum source range count rate of 3 cps is required to assure the presence of neutrons in the core, assure the operability of the analog portion of the SRM detectors, and assure that the SRM detectors are close enough to fuel assemblies to monitor core flux levels. When only a small number of assemblies are present in the core, the SRM count rate will drop below the 3 cps requirement due to the small number of neutrons being produced and the attenuation of these neutrons in the water surrounding these assemblies. Fuel movement is allowed, with less than 3 cps, as long as 1) there are no more than two fuel bundles present in the core quadrant associated with the SRM and 2) while in the core these assemblies are in locations adjacent to that SRM (Reference 4). This exception to the 3 cps requirement is allowed since there is no possibility of achieving criticality with 8 bundles in the specified geometry. This exception allows core offload and reload.

Once the 8 bundles are reloaded, the 3 cps requirement must be met. Following this, the rest of the core is reloaded. (See Reference 5 for a discussion of core offload and reload.)

Since the SRM detectors can be retracted as a reactor startup is continued, a large overlap of indication is possible during transition from the SRM to the IRM. Even with the SRM detectors fully inserted, an overlap is provided. The overlap in range reduces the neutron measurement uncertainty resulting from the SRM to IRM transition to an insignificant level.

SRM component or power supply failure is annunciated. Downscale and upscale failure of any SRM channel during low flux operations with the mode switch in REFUEL or STARTUP initiates a rod block, thus preventing reactivity insertion. The bypass switch arrangement permits only one SRM channel bypass, guaranteeing the required detection capability during source range reactor operation.

The SRM detector position rod block assures that reactivity insertion is not made under very low flux level conditions unless the SRM detectors are inserted to the optimum position for flux detection.

7.3.3.3 Inspection and Testing

SRM failures are annunciated. The SRM circuitry is calibrated using built-in calibration equipment.

7.3.4 Intermediate Range Monitoring Subsystem (IRM)

7.3.4.1 Design Basis

The intermediate range monitor is designed to:

a. Detect and indicate neutron flux level in a range between the SRM detection capability and the power range instrumentation capability (approximately 10^8 nv to approximately 10^13 nv).

b. Generate trip signals to prevent fuel damage from single operator errors or single equipment malfunctions.

7.3.4.2 Description

The IRM subsystem is composed of eight miniature fission chambers located radially in the core as shown in Figure 7.3-3. The figure also shows the assignment of IRM detectors to each reactor protection system logic channel. The assignment is made to provide coverage of each quadrant of the reactor core with one detector in each channel bypassed. The detectors are attached to drive mechanisms which can position them from the full in location (approximately core center) to a position approximately two feet below the reactor core. The detectors are similar, and the drive systems are identical to those used in the SRM subsystem. The detectors are not withdrawn from their fully inserted position until the reactor mode switch has been turned to the RUN position.

The outputs of the fission chambers are routed through wide band amplifiers to a voltage variance circuit (Campbelling or root mean square technique, see Reference 2) and a signal conditioner to produce an output which is proportional to the reaction rate in the chamber. This output is used to drive four recorders and trip units.

The IRM subsystem can detect flux levels from the upper end of the SRM range to approximately 1 x 10^13 nv.

A neutron flux of 5 x 10^7 nv (upper source range) provides a signal of approximately 0.1 full scale on the most sensitive IRM range.

In order to handle the wide range of IRM detection, the IRM equipment is provided with a remote range switch which selects various ranges of attenuation of the detector signal. As the neutron flux level changes during reactor startup, the operator manually upranges the system.

The IRM subsystem provides trip signals for both the reactor protection system and the rod block circuitry; the trips are required to be operable when the reactor is in the STARTUP or the REFUEL modes.

Each IRM channel provides a trip signal to the reactor protection system scram logic circuitry under the following conditions:

a. IRM upscale (high flux level)

b. IRM channel inoperative

In order for a scram to occur, a scram trip signal must be received in both reactor protection system logic channels. The scram-initiating high level trips provide automatic shutdown capability for operation from just critical to the lower portion of the power range. The IRM scrams are automatically bypassed when the mode selector switch is in the RUN position if the APRMs are above their downscale trip points.

The IRM subsystem provides a rod block trip signal to the rod block circuitry under the following conditions:

a. IRM upscale (high flux level)

b. IRM inoperative

c. IRM downscale on any range but the lowest

d. IRM detectors not fully inserted into the core

A rod block trip on any one of the eight IRM channels produces a rod block.

Any one IRM channel in each reactor protection system logic channel may be manually bypassed, making ineffective the scram and rod block trips associated with that individual IRM channel. The IRM rod blocks are automatically bypassed when in the RUN mode.

7.3.4.3 Performance Analysis

The number and location of the IRM detectors have been analytically and experimentally determined to provide sufficient intermediate range flux level information under the worst permitted bypass and chamber failure conditions. The ability of the monitor output to provide an accurate measurement of the detector reaction rate over the flux range of interest has been verified by experimentation with the root mean square technique. IRM channel redundancy provides a margin for component failure, and allows continued reactor operation with one IRM bypassed in each reactor protection system logic channel.

For reactor pressure of 800 psia or core flows of 10% of rated, Technical Specifications establish the APRM Mode 2 setdown trip at 20% of rated neutron flux to ensure that power does not exceed 25% of rated core thermal power beyond which thermal limit monitoring is required. During plant startup, normal operating practice is to select the IRM indicating scale at which the monitored reactor power level is within mid range. This practice and the scaling arrangement in the IRM subsystem assures that for all un-bypassed IRM channels, the scram and rod block trips are no more than a factor of 10 above the current IRM reading. This assures that, should scram or rod block action be needed due to rapid or unintentional neutron flux increases, the trip signal is generated before the flux increases by a factor greater than ten, providing a conservative margin to fuel damage.

A Rod Withdrawal Error (RWE) analysis at full power conditions was performed and is discussed in USAR section 14.4.3. An RWE analysis at startup conditions was also performed and is based on a generic study, NEDO-23842, "Continuous Control Rod Withdrawal Transient in the Startup Range," April 1978 (Reference 53). For this event, the reactor is assumed to be critical and operating in the startup range. An out of sequence control rod is withdrawn at the maximum normal drive speed. The furthest possible distance between the control rod and the scram-initiating IRM detector is used in the analysis. The licensing basis for a RWE during startup relies on the IRM trips and the APRM setdown trip. The IRMs provide scrams based upon reactivity insertions during the RWE and the APRM setdown provides a scram if the reactor leaves the IRM protection while in the startup mode. No change in peak fuel enthalpy is expected due to Extended Power Uprate (EPU) to 2004 MWt since this is a localized low-power event, but it was increased conservatively by a factor of 1.2. This results in a peak fuel enthalpy of 72 cal/gm which is well below the limit of 170 cal/gm (References 54 and 56).

The overlap between the IRM and the power range monitoring subsystem is sufficient to guarantee a safe transition between the instrumentation ranges. Overlap between the SRM and IRM ranges is discussed in Section 7.3.3.

The IRM detector position rod block is effective in preventing rod withdrawal during periods of reactor operation when the IRM is required for flux level indication unless the detectors are fully inserted.

The IRM detectors are chosen with characteristics which permit reliable performance in the reactor environment.

IRM upscale failures are annunciated, and, during low flux level reactor operation, result in a reactor protection system single logic channel trip and rod block. Thus, further insertion of reactivity is prevented, and a reactor scram would be initiated by any condition resulting in a trip of the other reactor protection system logic channel.

7.3.4.4 Inspection and Testing

IRM component or power supply failures are annunciated in the control room. Built-in calibration equipment is provided to periodically check and reset the IRM equipment.

7.3.5 Power Range Instruments

7.3.5.1 Local Power Range Monitoring Subsystem (LPRM)

7.3.5.1.1 Design Basis

In order that the power range instrumentation meets the general design requirements for power range local flux monitoring and prevention of excessive local and bulk power densities, the LPRM subsystem must:

a. Continuously monitor local neutron flux and alarm on excessive conditions.

b. Permit evaluation of the critical core parameters (minimum critical power ratio) to an accuracy consistent with core design and established limits.

c. Permit demonstration of compliance with the critical core parameters (minimum critical power ratio) with a speed and ease consistent with efficient operation of the plant.

7.3.5.1.2 Description

The Local Power Range Monitoring Subsystem (LPRM) output signals are used to demonstrate that the core is operating within the established thermal limits. In addition, this system provides the information needed for evaluating the detailed characteristics of the power distribution, for other technical evaluations, and provides input to the average power range monitoring subsystem and rod block monitor subsystem which are described below.

The LPRM subsystem, which uses DC measurement techniques, consists of miniature fission chambers located within the reactor core and electronic signal conditioning equipment located in the control room.

Each LPRM has an upscale (high neutron flux) level alarm and a common annunciator located on the control board.

Figure 7.3-6 indicates the core location of the LPRM detector assemblies. Each LPRM detector assembly consists of four miniature fission chambers which are spaced vertically at three foot intervals. The top and bottom chambers are located 1.5 feet from the core boundaries thereby providing uniform core coverage in the axial direction. Also included in each detector assembly is a calibration tube which accepts the traversing in-core probe used to measure the axial flux distribution and calibrate the LPRM subsystem. Figure 7.3-7 illustrates that, due to the equivalence of locations resulting from symmetry, the LPRM subsystem monitors all unique locations within the central region of the core when the core is operated with quadrant symmetric control rod patterns. Current core monitoring software is capable of satisfactorily monitoring thermal margins for fuel operating with both symmetric and asymmetric control rod patterns (Reference 40).

The LPRMs are calibrated using data from the TIP calibration system, heat balance data and some analytical data. The basic process is:

a. adjust the LPRM gain until display readings are proportional to heat flux,
b. run TIP system and accumulate axial profile data,
c. normalize axial profile data, and
d. determine absolute heat flux in four adjacent fuel rods at detector elevations.

This technique can be performed by hand calculations using the analog traces produced by the system, although use of the process computer is preferred due to greater speed, accuracy, convenience and reliability. The TIP flux profile information is directly input to the computer as digitized data. When these adjustments have been made, the LPRM output signals are proportional to the average heat flux in the four adjacent fuel rods at the detector elevation. The 16 LPRM signals adjacent to a selected control rod are displayed to the reactor operator on centrally located displays. This directs the attention of the operator to the local power level prior to and during rod motion. A selected subset of these 16 signals is also used by the rod block monitor. When rods on the edge of the core are selected, fewer than four detector strings may be used. In this case, the readings are zeroed on the displays corresponding to the LPRMs that are not present. The operator may view any desired region of the core by selection of the control rod in the area of interest. A selected set of LPRM signals is used to drive each of the four APRM channels.

7.3.5.1.3 Performance Analysis

The number and location of LPRM detectors provides the capability of determining local heat flux in all unique locations in the central region of the core. Although each unique location in each core quadrant is not specifically monitored, the quadrant symmetry illustrated in Figure 7.3-7 effectively provides knowledge of the flux level throughout the core. The previously discussed method of calibration using the traversing in-core probe (TIP) provides a method of correlating LPRM measurements with local thermal conditions; thus, the LPRM measurements are a valid representation of local thermal conditions.

Each individual LPRM signal annunciates an alarm via the APRM, upon detection of a flux level exceeding a preset limit. Thus the operator receives warning of local high flux conditions. LPRM component failure is also annunciated.

The LPRM detectors are selected for characteristics which guarantee reliable operation in the reactor environment: reactor temperature, pressure, neutron and gamma flux. The detector electrical requirements were also considered in detector selection.

The use of the LPRM signals in the rod block monitor provides a positive assurance that local thermal peaks which would cause fuel damage are prevented.

7.3.5.2 Average Power Range Monitoring Subsystem (APRM)

7.3.5.2.1 Design Basis

The APRM subsystem must continuously indicate core average flux level and initiate trips to prevent excessive average power density. In order to fulfill its design requirement, the APRM subsystem must:

a. Initiate trip signals which scram the reactor automatically before the neutron flux level exceeds specified values.
b. Initiate a rod block trip signal, thereby preventing core average power increases to excessive levels with reduced recirculation flow. The rod block trip setpoint is lower than the scram setpoint (actual setting is selected on the basis of operational considerations).
c. Provide a continuous indication and record of the bulk thermal power of the reactor in the power range.
d. For the worst permitted bypass and chamber failure conditions, be capable of generating a scram trip signal during bulk neutron flux level transients before the actual bulk neutron flux level exceeds the value which provides an adequate margin to fuel damage.
e. Continue to perform its function following single component failure within the subsystem. In order that the APRM satisfy this requirement, there must be three operable APRMs in the reactor protection system. Each of the four APRM channels provides input to four 2-out-of-4 voter channels. Two of the voter channels are associated with each of the trip systems of the Reactor Protection System. This permits one APRM Channel to be bypassed.

7.3.5.2.2 Description

The APRM subsystem consists of electronic equipment that averages the output signals from selected groups of LPRM signals. The APRM subsystem is part of the Power Range Neutron Monitoring System (PRNMS) installed as an upgrade to the original APRM subsystem (References 48, 49, 50, and 51). Figure 7.3-8 illustrates the LPRM assignments for the APRM subsystem. As shown on the figure, the system consists of four channels. Each of the four APRM channels provides input to four 2-out-of-4 voter channels. Two of the voter channels are associated with each of the trip systems of the Reactor Protection System. The design of the APRM subsystem shall be such that for the worst permitted input LPRM bypass and failure conditions, the APRM shall be capable of generating a scram trip signal in response to local neutron flux oscillations resulting from a thermal-hydraulic instability in time to prevent fuel damage. Each voter provides a scram trip signal to the reactor protection system under the following conditions:

a. APRM Neutron Flux - High (Setdown) in the startup mode
b. Simulated Thermal Power (STP) - High
c. APRM Neutron Flux - High
d. Inop
e. Oscillation Power Range Monitor (OPRM) Upscale

The LPRM signals are averaged to achieve an APRM flux value, which is then adjusted by either a manually entered or digitally transferred factor to allow calibration of the APRM to represent APRM power. The APRM power is processed through a first order filter with a six second time constant to calculate simulated thermal power. Each APRM channel also calculates a flow signal that is used to determine the APRM's flow-biased rod block and scram setpoints. The APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip setpoint with recirculation flow changes. These calculations are all performed by the digital processor and result in a digital representation of APRM and simulated thermal power, and of the flow-biased rod block and scram setpoints.

A recirculation flow signal automatically varies the scram setting for all four APRM channels. Each flow signal used in the APRM is determined by summing the flow signals from the two recirculation loops. These signals are sensed from two flow elements, one in each recirculation loop. The differential pressure from each flow element is routed to four differential pressure transducers (eight total). The signals from two differential pressure transducers, one from each flow element, are routed to two inputs in each APRM chassis.

The APRM trip functions are performed by digital comparisons within APRM electronics. For each RPS trip and rod block alarm, the APRM average neutron flux or simulated thermal power, as applicable, is compared to the associated setpoint. If the signal value exceeds the setpoint, the applicable trip is issued.

Each APRM also includes an OPRM Upscale Function. The OPRM upscale function monitors LPRMs combined into cells of 3 or 4 LPRMs each. The OPRM function combines the signals from each LPRM in an OPRM cell and evaluates that combined cell signal using the OPRM algorithms to detect thermal-hydraulic instabilities. An OPRM upscale trip output is generated from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals for the LPRM detectors in a cell, with the period confirmations and relative cell amplitude exceeding specific setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM upscale trip is also issued from any APRM channel if either the growth rate or amplitude based algorithms detect growing oscillatory changes in the neutron flux from one or more cells in that channel. The OPRM upscale trip output is automatically enabled (not-bypassed) when the APRM Simulated Thermal Power is equal to or above the OPRM auto-enable power setpoint and recirculation flow is equal to or below the OPRM auto-enable flow setpoint. The OPRM upscale trip output is automatically bypassed when Simulated Thermal Power and recirculation flow are not within the OPRM trip enabled region. The OPRM upscale trip is active only when the reactor mode switch is in the RUN position.
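The per-channel processing described above (six second first order filter, flow-biased setpoints, digital comparisons, OPRM auto-enable region) can be modeled as follows. This is an added illustration, not plant or vendor code; the class and field names are hypothetical and every setpoint value is a constructed placeholder, since the text gives none.

```python
import math
from dataclasses import dataclass

STP_TIME_CONSTANT_S = 6.0   # from the text: first order filter, six second time constant

# Constructed placeholder setpoints in % of rated; NOT plant values (the text gives none).
FLUX_HIGH_SCRAM_PCT = 120.0    # fixed APRM Neutron Flux - High setpoint
STP_SCRAM_SLOPE = 0.6          # % power per % recirculation flow
STP_SCRAM_OFFSET_PCT = 60.0
STP_SCRAM_CLAMP_PCT = 115.0    # upper clamp on the flow-biased scram setpoint
ROD_BLOCK_MARGIN_PCT = 8.0     # rod block setpoint sits below the scram setpoint
OPRM_ENABLE_POWER_PCT = 25.0   # OPRM auto-enable power setpoint
OPRM_ENABLE_FLOW_PCT = 60.0    # OPRM auto-enable flow setpoint


@dataclass
class ChannelOutputs:
    stp_pct: float
    scram_setpoint_pct: float
    rod_block_setpoint_pct: float
    flux_high_trip: bool
    stp_high_trip: bool
    rod_block: bool
    oprm_enabled: bool
    oprm_trip: bool


class AprmChannel:
    """Hypothetical model of one APRM channel's digital comparisons."""

    def __init__(self, initial_power_pct: float) -> None:
        self.stp_pct = initial_power_pct  # filter state (simulated thermal power)

    def step(self, aprm_power_pct: float, loop_a_flow_pct: float,
             loop_b_flow_pct: float, dt_s: float, mode_switch_run: bool = True,
             oprm_algorithm_trip: bool = False) -> ChannelOutputs:
        # First order lag, discretized exactly for an input held constant over dt_s.
        alpha = 1.0 - math.exp(-dt_s / STP_TIME_CONSTANT_S)
        self.stp_pct += alpha * (aprm_power_pct - self.stp_pct)

        # Flow signal is the sum of the two recirculation loop flow signals.
        flow_pct = loop_a_flow_pct + loop_b_flow_pct

        # Flow-biased scram setpoint, clamped; rod block setpoint is always lower.
        scram_sp = min(STP_SCRAM_SLOPE * flow_pct + STP_SCRAM_OFFSET_PCT,
                       STP_SCRAM_CLAMP_PCT)
        rod_block_sp = scram_sp - ROD_BLOCK_MARGIN_PCT

        # OPRM trip output is enabled only at high power AND low flow, in RUN.
        oprm_enabled = (mode_switch_run
                        and self.stp_pct >= OPRM_ENABLE_POWER_PCT
                        and flow_pct <= OPRM_ENABLE_FLOW_PCT)

        return ChannelOutputs(
            stp_pct=self.stp_pct,
            scram_setpoint_pct=scram_sp,
            rod_block_setpoint_pct=rod_block_sp,
            flux_high_trip=aprm_power_pct > FLUX_HIGH_SCRAM_PCT,  # unfiltered flux
            stp_high_trip=self.stp_pct > scram_sp,                # filtered power
            rod_block=self.stp_pct > rod_block_sp,
            oprm_enabled=oprm_enabled,
            oprm_trip=oprm_enabled and oprm_algorithm_trip,
        )


if __name__ == "__main__":
    # Constructed transient: flux steps from 50% to 125% at rated flow.
    channel = AprmChannel(50.0)
    for k in range(1, 6):
        out = channel.step(125.0, 50.0, 50.0, dt_s=1.0)
        print(f"t={k}s STP={out.stp_pct:6.2f}% flux_high={out.flux_high_trip} "
              f"stp_high={out.stp_high_trip}")
```

The constructed transient shows why both comparisons exist: the unfiltered flux trip responds on the first sample, while the filtered simulated thermal power lags the flux with the six second time constant.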

At least two unbypassed APRM channels must be in the APRM upscale trip or inoperative trip state to cause an APRM/Inop RPS trip output from the APRM 2-out-of-4 voter channels. Similarly, at least two unbypassed APRM channels must be in the OPRM upscale trip or APRM Inoperative trip state to cause an OPRM RPS trip output from the APRM 2-out-of-4 voter channels. Additionally, in a deviation from the Licensing Topical Report for Power Range Neutron Monitoring System, the OPRM upscale and APRM Inoperative Trips are voted in parallel so that one OPRM upscale and one APRM Inoperative Trip will cause an RPS Trip output from the APRM 2-out-of-4 voter channels. The APRM/Inop and OPRM/Inop trips are input to the 2-out-of-4 voter channels. All four voter channels will provide an RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each of the four APRM 2-out-of-4 voter channels will have a half-trip, but no trip signals will be sent to the RPS. Removing voltage to a relay coil transmits trip outputs to the RPS, so loss of power results in actuating the RPS trips. Loss of a 2-out-of-4 voter channel results in an RPS half-scram.

Trip signals from each APRM channel are provided via APRM interface hardware directly to the Reactor Manual Control System, and via the 2-out-of-4 voter channels to the Reactor Protection System (RPS).

The trips from one APRM can be bypassed by operator action in the control room, which bypasses both the APRM/Inop and OPRM/Inop trips from that APRM channel.

One of the four APRM channels can be bypassed at any time. None of the APRM 2-out-of-4 voter channels can be bypassed. An interlock circuit provides an APRM alarm and rod block whenever the number of LPRM inputs to an APRM is less than the required minimum.
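The voting, bypass and de-energize-to-trip behavior described in the preceding paragraphs can be checked with a small model. This is an added illustration, not plant or vendor code; all names are hypothetical, and the mapping of voters 1 and 2 to one trip system and 3 and 4 to the other, with a full scram requiring both trip systems, is an assumption not stated in this section.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass
class AprmChannelState:
    aprm_upscale: bool = False   # APRM Neutron Flux - High or STP - High
    inop: bool = False           # APRM Inoperative
    oprm_upscale: bool = False   # OPRM Upscale
    bypassed: bool = False       # operator bypass (covers APRM/Inop and OPRM/Inop)


@dataclass
class VoteResult:
    aprm_inop_trip: bool   # 2-out-of-4 on (APRM upscale OR Inop)
    oprm_inop_trip: bool   # 2-out-of-4 on (OPRM upscale OR Inop)
    half_trip: bool        # a trip vote is present but no function reaches two
    trip: bool


def vote(channels: Sequence[AprmChannelState]) -> VoteResult:
    """2-out-of-4 vote as described in the text; each voter sees all four channels."""
    if len(channels) != 4:
        raise ValueError("exactly four APRM channels are expected")
    if sum(c.bypassed for c in channels) > 1:
        raise ValueError("only one APRM channel may be bypassed at a time")

    active = [c for c in channels if not c.bypassed]
    # Inop counts toward both functions, so one OPRM upscale on one channel
    # plus one Inop on another channel reaches the two-vote threshold.
    aprm_votes = sum(c.aprm_upscale or c.inop for c in active)
    oprm_votes = sum(c.oprm_upscale or c.inop for c in active)

    aprm_trip = aprm_votes >= 2
    oprm_trip = oprm_votes >= 2
    trip = aprm_trip or oprm_trip
    half_trip = (not trip) and (aprm_votes >= 1 or oprm_votes >= 1)
    return VoteResult(aprm_trip, oprm_trip, half_trip, trip)


def relay_energized(channels: Sequence[AprmChannelState],
                    voter_powered: bool = True) -> bool:
    """Output relay stays energized only while powered and not tripped.

    Removing voltage from the coil is what transmits the trip, so a voter
    that loses power produces a trip output without any vote.
    """
    return voter_powered and not vote(channels).trip


def rps_state(channels: Sequence[AprmChannelState],
              voter_power: Sequence[bool] = (True, True, True, True)) -> str:
    """Assumed arrangement: voters 0,1 feed trip system A and voters 2,3 feed B."""
    relays = [relay_energized(channels, powered) for powered in voter_power]
    system_a_tripped = not (relays[0] and relays[1])
    system_b_tripped = not (relays[2] and relays[3])
    if system_a_tripped and system_b_tripped:
        return "scram"
    if system_a_tripped or system_b_tripped:
        return "half-scram"
    return "normal"


if __name__ == "__main__":
    # Constructed case: OPRM upscale on one channel, Inop on another.
    state = [AprmChannelState(oprm_upscale=True), AprmChannelState(inop=True),
             AprmChannelState(), AprmChannelState()]
    print(vote(state), rps_state(state))
```

One case worth noting from the text's wording: an APRM upscale on one channel and an OPRM upscale on a different channel give each function a single vote, so the voters show a half-trip and no RPS trip is sent.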

7.3.5.2.3 Performance Analysis

As shown in Figure 7.3-8, the LPRM inputs to the APRM channels provide a wide sampling of local flux levels on which to base an average power level measurement.

The fact that all four of the APRM channels are provided for each reactor protection system logic channel assures that at least three independent average power measurements are available under the worst permitted bypass or failure conditions.

The four APRM channels provide continuous indications of core average power level based on different samplings of local flux levels. That the APRM provides valid average power measurements during a typical rod or flow induced power level change has been shown by three dimensional analyses. These analyses indicate tracking accuracies of approximately 5% over a wide range of power levels.

The effectiveness of the APRM high flux scram signals in preventing fuel damage following single component failures or single operational errors is demonstrated in the transient analyses contained in Section 14.5 of the FSAR. In all such failures, no fuel damage occurs. Since only three APRM channels in each reactor protection system logic channel are required for effective detection of bulk power level transients, the same effectiveness is attained even under the worst permitted bypass conditions. These analyses assumed a scram at the power corresponding to the scram clamp regardless of the starting point; however, the flow referenced scram circuitry would cause a scram at the clamped value or lower power due to the flow biasing effect.

The APRM rod block setpoint is set lower than the scram setpoint. Thus, reactivity insertions due to rod withdrawal errors are terminated well before fuel damage limits are approached. To account for the decreasing margin to fuel damage at a given power level with reduced recirculation flow, the APRM rod block setpoint is varied with flow.

APRM component failures are annunciated. The reduction of LPRM inputs for any APRM channel below a preset number gives an APRM trouble alarm and rod block.

These arrangements warn of loss of APRM capability.

7.3.5.3 Rod Block Monitor (RBM)

7.3.5.3.1 Design Basis

The RBM system is designed as an operational aid to assist the reactor operator by initiating a rod block to prevent violation of the fuel integrity safety criteria during withdrawal of a single control rod and by providing a local relative power signal for operator evaluation during control rod movement. The two RBM channels provide a redundant set of rod block signals because each channel monitors the local power in the vicinity of the control rod being withdrawn with a different set of detectors. Therefore either RBM channel can provide the appropriate signal to block rod withdrawal. Because of this inherent redundancy, one RBM channel can be manually bypassed by the reactor operator and tested with the front panel mounted test features. The two RBM channels share control rod selected status input signals from the reactor manual control system, one of which provides for automatic bypass if a peripheral control rod is selected. To provide the indication of local power change, the RBM uses a subset of the same LPRMs that are currently displayed to the operator on rod selection. There are two RBM circuits. Each of the RBMs averages the signal from a set of LPRM detectors at various core heights. The assignment scheme is intended to provide similar responses between the two RBMs, to provide a high response to rod motion and to provide high availability. The specific assignment scheme is described in NEDC-30492-P (Reference 24). Thus, eight inputs are retained per circuit for a typical central region control blade. The two RBMs are in one bay of the power range neutron monitoring panel, thus providing for direct routing of these interconnections. The RBMs furnish signals to the control rod block portion of the reactor manual control system and the signals are routed together to this panel. Although redundant RBM units are supplied, they are not designed to meet the intent of Criteria for Nuclear Power Plant Protection Systems, IEEE 279 (Reference 18).

The components used in the RBM are of the same quality and are qualified to the same level of operability, duty and performance requirements as those of the APRM system.

7.3.5.3.2 Description

The system uses the signals from the four LPRM detector assemblies adjacent to the selected control rod (Figure 7.3-12). The RBM computes the average of all un-bypassed LPRMs assigned, much in the same manner as the average power range monitor (APRM). Whenever a control rod is selected, the average of the input chambers is filtered to reduce signal noise and then is automatically calibrated to match a reference source signal by a gain adjustment in the RBM. This gain is held until a new control rod is selected. The RBM automatically limits the local power change by allowing the local average neutron flux indications to increase by a controlled amount. If the change is too great, the rod withdrawal permissive is removed. The RBM is further described in APED-5706 Rev 1, April 1969 In Core Neutron Monitoring System for G. E. BWRs (Reference 1), NEDC-30492-P, April, 1984 General Electric Licensing Report: Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvement (ARTS) Program for Monticello Nuclear Generating Plant (Reference 24) and NEDC 32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995 (Reference 49).

Two RBM channels are provided. Either channel, independently, prevents rod withdrawal under the following conditions:

a. Upscale (high flux) trip
b. One of the two channels inoperative
c. Downscale trip with the mode switch in Run

One of the two RBM channels may be manually bypassed.

The RBM trip varies with reactor power (Figure 7.3-13).

7.3.5.3.3 Performance Analysis

Since the rod block monitor utilizes the signals from the LPRMs, it is capable of determining the approach of local thermal flux conditions which could result in local fuel damage. The fact that either RBM channel can, independently, initiate a rod block, provides assurance that rod withdrawal error is terminated even with one RBM channel bypassed.

The effectiveness of the RBM to prevent local fuel damage as a result of a single rod withdrawal error is reanalyzed for every core reload. A description of the rod withdrawal error analysis is presented in Section 14.4.3. The results for the current reload cycle are presented in Section 14A.

7.3.5.4 Traversing In-Core Probe (TIP)

The TIP calibration system is designed to permit rapid and accurate calibration of the LPRM system. The TIP system consists of miniature fission chambers similar to the detectors used in the LPRM system, signal conditioning equipment, read out equipment, and detector driving indexing equipment. Each of these detectors can be used to obtain axial flux profile data for a selected set of LPRM detector assembly locations.

The output of the TIP amplifiers is used to drive x-y recorders to produce an analog plot of the axial flux at each of the 24 in-core strings. The TIP profile data is then used in the calculation of power distribution by either a manual method or by the preferred, automated process computer method. The process computer does not utilize hard copy analog plots since electronic TIP profile information is sent directly to it as digitized data.

7.3.5.5 Inspection and Testing

Power range neutron monitoring system failures are annunciated. Monitor circuitry is arranged to facilitate testing with simulated signals. The TIP system provides information used to periodically calibrate the system.

7.4 Reactor Vessel Instrumentation

7.4.1 Design Basis

The reactor vessel instrumentation is designed to fulfill a number of requirements pertaining to the vessel itself or the reactor core; the instrumentation must:

a. Provide the operator with sufficient information in the control room to protect the vessel from undue stresses.
b. Provide information which can be used to assure that the reactor core remains covered with water and that the separators are not flooded.
c. Provide redundant, reliable inputs to the reactor protection system to shut the reactor down when fuel damage limits are approached.
d. Provide a method of detecting leakage from the reactor vessel head flange.

7.4.2 Description

Refer to Section 15 Drawing NH-36242, NH-36242-1 and NH-36242-2, for the following description of reactor vessel instrumentation.

7.4.2.1 Reactor Vessel Temperature

Thermocouples are attached to the reactor vessel to measure the temperature at a number of points, chosen to provide data representative of thick, thin, and transitional sections of the vessel. The data obtained from such instrumentation provides the basis for controlling the rate of heating or cooling the vessel so that the stress set up between sections of the reactor vessel is held to an allowable limit. The temperatures are recorded on a multi-point recorder. The thermocouples are copper constantan, insulated with braided glass, and clad with stainless steel. They are positioned under pads welded to or magnetically fastened to the reactor vessel.

Two thermocouples located near the vessel flange are recorded as differential temperature on a separate recorder. The two thermocouples used for differential temperature are on or near the same vessel azimuth.

7.4.2.2 Reactor Vessel Pressure

Pressure is both indicated and recorded in the control room; these sensors are different from the reactor protection system sensors.

The reactor pressure inputs to the reactor protection system are from local non-indicating type pressure switches. The pressure is tapped off the vessel through two sensor lines on opposite sides of the reactor vessel. The sensor lines are extended outside the drywell to separate instrument racks. The pressure switches are grouped on the two independent sensing lines so that no single event jeopardizes the protection system's ability to scram.

7.4.2.3 Reactor Vessel Water Level

Reactor vessel water level is indicated and recorded in the control room. Level is measured by differential pressure transmitters. The instrument sensing lines which tap off the condensing chambers also serve as reference columns. The reference columns are located outside the drywell to prevent exposing the reference columns to the high drywell temperatures of a post-LOCA environment. This cold reference leg design will minimize the indicated level errors due to temperature changes of the reference columns. Two sets of sensing lines on opposite sides of the reactor vessel are extended outside the drywell to separate instrument racks and the transmitters are grouped so that no single event jeopardizes the reactor protection system's ability to scram. The level of the water in the reactor is controlled by a reactor feedwater control system which receives inputs from water level, steam flow, and feedwater measurements. The water level is monitored by level transmitters coupled to sensing lines from the reactor vessel and is indicated in the control room.

On June 30, 1989, the NRC Staff issued Generic Letter 89-11: Resolution of Generic Issue 101 Boiling Water Reactor Water Level Redundancy (Reference 25). The Generic Issue 101 concern is that a leak or break in the instrument sensing line that is connected to the constant head condensing chamber could cause the reference water leg level to decrease. The decrease in the reference water leg level could cause all the differential pressure instruments connected to that line to indicate a false high reactor water level. Under these conditions, the feedwater system may automatically reduce the feedwater flow into the reactor vessel, causing the actual reactor water level to decrease. Generic Letter 89-11 stated that the NRC Staff has concluded that all BWR designs, in conjunction with operator training and procedures, provide adequate protection in the event of an instrument line break in any of the reactor vessel water-level instrument systems. The technical basis for the Staff's conclusion is documented in NUREG/CR-5112, Evaluation of Boiling Water Reactor Water-Level Sensing Line Break and Single Failure (Reference 26).

NRC Bulletin 93-03: Resolution of Issues Related to Reactor Vessel Water Level Instruments was issued in May, 1993 (Reference 27). The concern is that noncondensible gases may become dissolved in the reference leg of BWR water level instrumentation and lead to a false high level indication during RPV depressurization when the noncondensibles could come out of solution. Each licensee was requested to implement hardware modifications necessary to ensure the level instrumentation design is of high functional reliability for long-term operation.

Monticello has installed a backfill system which provides a backfill of water from the CRD charging water header to the safeguards and feedwater instrument reference legs. Backfilling the instrument lines prevents water in the reference legs from being saturated with noncondensible gases and thus, enhances the vessel level instrumentation system to ensure a high functional reliability system.

7.4.2.4 Reactor Feedwater Flow

Reactor feedwater flow is monitored by flow transmitters coupled to flow nozzles in the feedwater lines. Feedwater flow instrumentation is shown on the feedwater system P&ID, Section 15 Drawings NH-36036 and NH-36037.

7.4.2.5 Reactor Steam Flow

Reactor steam flow is monitored by flow transmitters coupled to the flow restrictors in each main steam line. The total steam flow is obtained by summing the flow signal from each main steam line.

7.4.2.6 Reactor Vessel Flange Leak Detection

Integrity of the seal between the reactor vessel body and head is continuously monitored at the drain line connected to the flange face between the two large concentric O-rings. Leakage from the reactor vessel through the inner O-ring collects in a level-switch chamber and annunciates an alarm. Pressure buildup is also annunciated. A solenoid operated valve permits draining the leak system piping so a measurement of the severity of this leak can be made as the chamber refills.

7.4.2.7 Design Evaluation

Reactor vessel temperature and pressure are sensed and indicated in the control room to provide the operator with the knowledge required to prevent excessive vessel stresses. Sufficient vessel temperature sensors and pressure sensors are provided in quantities to allow margin for sensor failures.

Thermocouples on the reactor vessel are particularly important during the first few cycles of heating and cooling of the reactor vessel. Once a good record is obtained and analyzed, the limiting rates of temperature change can be related to the temperature observations from a relatively few thermocouples. Redundant thermocouples are installed to ensure that the operator always has adequate information to operate the reactor safely. The thermocouples meet the requirements of ASA-C96.1 (Reference 28).

Reactor vessel water level is measured to provide information which can be used to assure that the core is covered and that the separators are not flooded. The use of the level signals in the reactor protection system and the feedwater control system assures that the reactor is shut down automatically if the proper level is not maintained.

Redundant analog trip units and transmitters are provided as required by NUREG-0737 (Reference 41) Item II.F.2, and there are a sufficient number of sensing lines so that plugging of a line does not cause a failure to scram. The arrangement provides assurance that vital protection functions occur as required in spite of system failures.

Other than common taps, the feedwater control system level sensors are independent of the reactor protection system level sensors. A failure in the level control which causes the water level to exceed limits in no way influences the level signals feeding the reactor protection system. Feedwater control system failures are discussed in Section 14.4.

Reactor vessel level and pressure are sensed for core protection purposes. A damaging core power transient resulting from a reactor vessel pressure rise is prevented through the use of the pressure signal. The four pressure sensors used by the reactor protection system are arranged so that a plugged line or any other single failure does not prevent a reactor scram due to high pressure.

The reactor vessel flange leak detection system gives immediate qualitative information about a leak sensed by a pressure buildup. This signal has a sensitivity such that degradation of the seal is noted long before excessive leakage occurs.

Quantitative leak rate information provides the information necessary for a decision regarding repair.

7.4.3 Inspection and Testing

All reactor vessel instrumentation inputs to the reactor protection system operate on a pressure or differential pressure signal. These devices are piped so that they may be individually actuated with a known signal during shutdown or operation to initiate a protection system single logic channel trip. The level switches have indicators so that the readings can be compared to check for nonconformity.

During equilibrium conditions, either hot or cold, thermocouples monitor an approximately constant temperature; this fact is used to detect abnormalities.

The reactor feedwater system control scheme is a dynamic system and malfunctions become self-evident. The system can at all times be cross-compared with other level instruments.

7.5 Plant Radiation Monitoring Systems

7.5.1 Design Basis

The design bases are:

a. To provide indication of radiation levels or releases of radioactive material;
b. To give warning when radiation equipment malfunctions;
c. To provide an alarm when radiation levels or releases exceed preselected levels.

Table 7.5-1 gives the principal design parameters for the radiation monitoring systems.

Additional, specific design bases are stated for each subsystem as they apply.

7.5.2 Process Radiation Monitoring System

7.5.2.1 General

The process radiation monitoring system consists of several individual process subsystems:

a. Off-gas pretreatment monitoring subsystem
b. Radioactive stack gas monitoring subsystem
c. Main steam line monitoring subsystem
d. Process liquid monitoring subsystem
e. Reactor building exhaust air monitoring subsystem
f. Fuel pool radiation monitor
g. Control room ventilation inlet air radiation monitor

All monitors give an alarm when downscale or de-energized. Alarms are also provided to give warning if the monitor's sampling system malfunctions. All monitors are capable of operational verification by means of test signals or radioactive check sources.

All monitoring systems provide indication in the main control room. As a general requirement, the various process monitors are capable of initiating alarms and actuating control equipment to assure containment of radioactive materials, if pre-established limits are approached. All monitoring systems are non-saturating.

7.5.2.2 Off-Gas Pretreatment Monitoring Subsystem

7.5.2.2.1 Design Basis

The off-gas pretreatment monitors are designed:

a. To monitor, indicate, and record the radioactivity level of the off-gas removed from the main condenser prior to entry into the 42-inch delay pipe enroute to the stack.
b. To alarm when the radiation level in the effluent gases from the main condenser air ejector off-gas system exceeds an established limit.
c. To terminate (after time delay) off-gas flow when the radiation level in the off-gas system exceeds a prescribed limit.

7.5.2.2.2 Description

The monitoring system (Section 15 Drawing NX-7993-1-1) incorporates two identical channels of logarithmic instrumentation and one linear channel. Each log channel consists of:

a. A gamma sensitive ionization chamber.
b. A log radiation monitor complete with fail-safe operational alarms, appropriate high and low voltage power supplies, and control and alarm-trip contacts.
c. A trend recorder, complete with alarm-trip contacts.

The linear channel consists of a gamma sensitive ion chamber, a linear radiation monitor amplifier and a single pen recorder. No control functions are performed by the linear monitor.

The noncondensible sample gases for the Off-Gas Pretreatment Monitoring System are drawn from the main condenser by the steam-jet air ejector and are discharged back to the main condenser. The radioactive gas is measured by detectors which are located near the off-gas sample chamber which is an internally polished section of 4-inch stainless steel pipe. The radioactivity level is indicated and recorded in the control room on a trend recorder.

The radioactivity levels of N-16 and O-19 in the main steam lines are normally relatively high, but quickly decay due to their short half-lives. Therefore, to obtain a more accurate indication of the activity levels of radioisotopes which affect the gas discharge limits through the stack release point, the air ejector off-gas sample is monitored after a transportation time delay of at least two minutes.

When the activity of the off-gas from the main condenser approaches a value equivalent to the short-term stack release limit, a signal is initiated to close the recombiner inlet valves after a time delay of 30 minutes in which the reactor operator may take corrective action. The time delay allows time for the reactor operator to evaluate the data and prevent an unwarranted valve closure or reactor shutdown if the signal is false. There is a 50 hour minimum delay enroute to the stack discharge point when the off-gas holdup system is in use and a 30 minute minimum delay when it is bypassed. The two log channels are arranged so that they operate independently of each other. The logic is arranged so that a trip of the recombiners is initiated by two upscale trip signals, two downscale trip signals, or one upscale and one downscale trip signal, following a time delay.

The third channel using a linear count rate meter is provided to give a more sensitive indication when flux tilting is being used to assist in locating leaking fuel assemblies.

Provisions are made for collecting grab samples of air ejector off-gas for more sensitive and quantitative laboratory analyses.

7.5.2.2.3 Performance Analysis

As indicated by Table 7.5-1, the off-gas pretreatment monitors are of sufficient range and accuracy to detect an increase in off-gas radiation level. Functional testing and calibration of the off-gas pretreatment monitors are controlled by the Off-Site Dose Calculation Manual. The air ejector monitors are calibrated by the use of a solid radioactive source of known activity. The results of a multi-channel analyzer analysis of a grab sample are used for setpoint determination and to establish a relationship between concentration in ci/sec and the monitor reading in mR/hr.

Since the radioactivity levels of N-16 and O-19 in the main steam are normally relatively high, the transportation time delay to the air ejector off-gas monitor location allows for the rapid decay of the short-lived gases. The delay permits a more accurate indication of activity levels of the longer-lived gases.

7.5.2.3 Radioactive Stack Wide Range Gas Monitoring Subsystem

7.5.2.3.1 Design Bases

In order that the reactor operator and the Plant Chemistry Group be aware of activity being released from the plant, the stack wide range gas monitoring system is designed as required by NUREG-0737 (Reference 41) Items II.F.1.1 and II.F.1.2:

a. To monitor, indicate and record the noble gas radioactivity level of the effluent gases discharged from the stack to the atmosphere.

b. To alarm and automatically terminate stack releases from the air ejector and off-gas storage system prior to the point at which the radiation level of the effluent gases being discharged exceeds the limits defined by Technical Specifications.

c. To provide a means of collecting iodine and particulate samples of the stack effluent.

d. To provide the plant operator and Emergency Planning agencies with information on plant releases of noble gases during and following an accident.

7.5.2.3.2 Description

The radioactive stack wide range gas monitoring subsystem incorporates two trains of instrumentation each of which includes:

a. A sample conditioning unit with particulate and iodine filters,

b. A sample detection unit with noble gas activity sensors and sample pumps,

c. A microprocessor and electronic hardware unit.

d. An isokinetic sampling probe assembly,

e. A communications and control unit in the control room.

The effluent gas is monitored and the levels of noble gas radioactivity are indicated and recorded in the control room. The Off-Gas stack gas monitor channel A is shown in Section 15, drawing NH-36159-2.

A representative sample is drawn from the stack by an isokinetic sample probe.

Isokinetic sampling is assured by microprocessor control of sample flow in response to the stack flow sensed by these monitors. The sample flow rate is adjusted to result in a sample tip velocity consistent with the stack stream velocity for the higher flow in the stack. Flow of gas through the system is indicated and alarmed on low-flow to indicate failure of the pump or blockage of the filters in the system. The entire probe/filter assembly is located inside the concrete stack thereby preventing temperature transients which might affect possible plate out of halogens in the line.

The frequency of removing the stack sampler filter and charcoal filters and the type of analysis to be performed are specified in the Offsite Dose Calculation Manual (ODCM).

Operating experience and analysis show that the stack emission rate limit for noble gases exceeds that for the halogens and particulates if both are established on the same rational basis. There is a positive relationship between noble gas, daughter particle, and halogen emission rate; thus the noble gas rate which is continually monitored also reflects the emission of particles and halogens. Therefore, increases in the noble gas release rate will trigger more frequent removal and analysis of the particulate and halogen filters.

Readout for each channel consists of a digital display as well as a recorder for activity and effluent levels. Three trips are included in each channel, one inoperable and two upscale. The monitor initiates each of the three signals, which actuate the two high alarms and the one inoperable alarm.

The trip logic is arranged such that two High-High alarms, two INOP alarms or a High-High alarm combined with an INOP alarm in the opposite channel will isolate the off-gas discharge line from the compressed storage tanks, the air ejector off-gas filter and the stack drain line.

7.5.2.3.3 Performance Analysis

The stack gas radioactivity monitoring system provides indication and recording of plant stack noble gas activity. The sensitivity and range of the stack gas monitor (Table 7.5-1) are such that the equipment is capable of detecting activity levels from stack background levels to levels in excess of the release limit.

Check sources are included in each monitoring unit to conveniently check functional operation of all detection ranges.

The monitor is periodically calibrated by testing monitor response to known sources.

Source checking, functional testing and calibration are controlled by plant ODCM or Technical Requirements Manual (TRM), as applicable.

7.5.2.4 Main Steam Line Monitoring Subsystem

7.5.2.4.1 Design Basis

The main steam line monitoring subsystem is designed to continuously monitor the radiation from the main steam lines to permit the prompt indication of gross release of fission products from the fuel to the reactor primary coolant system and subsequently to the turbine-generator system.

The monitoring system alarms in the Control Room, and operators can close MSIVs if activity levels in the main steam lines indicate that such action is required. The monitoring system also turns off the mechanical vacuum pump and initiates closure of the mechanical vacuum pump line valves, if in operation at that time.

7.5.2.4.2 Description

Four gamma-sensitive instrumentation channels monitor the gross gamma radiation from the main steam lines. The detectors are physically located near the main steam lines just downstream of the outboard main steam line isolation valves in the space between the primary containment and secondary containment walls. The detectors are geometrically arranged so that the system is capable of detecting significant increases in radiation level for any number of main steam lines in operation. Their location along the main steam lines allows the earliest practical detection of a gross fuel failure. Trip logic for two of the channels (A1 and A2) is powered from RPS, Channel A, and the trip logic for the other two channels (B1 and B2) is powered from uninterruptible AC bus Y80.

When a significant increase in the main steam line radiation level is detected, trip signals are transmitted to the condenser vacuum pump, vacuum pump recirculation seal pump, and vacuum pump suction isolation valves SV-1825A and SV-1825B.

The radiation trip setting is selected so that a high radiation trip results from the fission products released in the postulated design basis control rod drop accident.

The setting selected is high enough above the background radiation levels in the vicinity of the main steam lines that spurious trips are avoided at rated power. Yet, the setting is low enough that the monitors can respond to the fission products released during the design basis control rod drop accident, which occurs at a low steam flow condition.

Four instrumentation channels are used to decrease the possibility of an inadvertent pump trip as a result of instrumentation malfunctions. The output trip signals of each monitoring channel are combined in such a way that at least two channels must signal high radiation to initiate a pump trip. Thus, failure of any one monitoring channel does not result in inadvertent action.

Each monitoring channel consists of a gamma-sensitive ion chamber and log radiation monitor. Capabilities of the monitoring channel are listed in Table 7.5-1.

Each log radiation monitor has two trip circuits. One trip circuit is the upscale trip setting that is used to initiate a vacuum pump trip. The other trip circuit is a downscale trip that actuates an instrument trouble alarm in the control room. The output from each radiation monitor is sent to a digital display in the control room.

Each monitor has an output to a trend recorder with an upscale alarm.

The trip circuits for each monitoring channel operate normally energized, so that failures in which power to monitoring components is interrupted result in a trip signal.

The environmental capabilities of the components of each monitoring channel are selected in consideration of the locations in which the components are to be placed.

7.5.2.4.3 Performance Analysis

The main steam line monitors are located such that they are in the radiation field of the four main steam lines. The range and sensitivity of the monitors (Table 7.5-1) have been chosen such that the monitors are capable of detecting, in the environment of the area near the main steam lines, increases of radiation due to the activity release following gross fuel failure.

Continuous recording of the main steam line radiation levels is available to the operator. Abnormal radiation levels initiate an isolation of the Mechanical Vacuum Pump (MVP), and are annunciated in the control room.

The MVP isolation mitigates the consequences of fuel damaging events that do not result in a Group I isolation. The Control Rod Drop Accident is the limiting accident of that type and is described in Section 14.7.1.

By License Amendment 83 (Reference 42), the NRC approved removal of the Main Steam Line Radiation Monitor scram/isolation function. This change was based on NEDO-31400A, Safety Evaluation for Eliminating the Boiling Water Reactor Main Steam Line Isolation Valve Closure Function and Scram Function of the Main Steam Line Radiation Monitor (Reference 29). In the Monticello submittal (dated February 14, 1992) (Reference 30) of the information supporting approval of License Amendment 83 it was demonstrated that NEDO-31400A is applicable to the Monticello plant. With the removal of the scram/isolation function for main steam line radiation monitor, the accident consequences remain within the dose limits of 10CFR50.67. Operator actions taken in response to a main steam line radiation monitor alarm ensure that significant levels of radioactivity in the main steam lines will be controlled expeditiously to limit occupational doses and environmental releases. Monticello utilizes hydrogen water chemistry which has a significant effect on main steam line background radiation levels. The alarm setpoint for the main steam line radiation monitors is not to exceed a setting of 1.5 times the nominal full power hydrogen water chemistry background dose rate. This setpoint provides assurance that the above goal of limiting occupational doses and environmental releases can be met.

7.5.2.5 Process Liquid Monitoring Subsystem

7.5.2.5.1 Design Basis

The process liquid monitoring subsystem measures, indicates, and records the radioactivity concentration levels of major process system streams. The monitors alarm when the radiation level in these streams either:

a. approaches limitation for plant discharge, or

b. indicates failure of the process system to retain radioactive fluids.

7.5.2.5.2 Description

The following process liquid streams are monitored and the radioactivity concentration levels are indicated, recorded and alarmed:

a. reactor building closed cooling water system (one channel).

b. plant service water system effluent (one channel).

c. radioactive waste effluent (one channel).

d. discharge canal sample monitor (two channels).

e. turbine building normal waste sump (two channels).

Each process liquid monitor incorporates one channel of instrumentation consisting of:

a. a scintillation crystal-photomultiplier tube,

b. a pulse preamplifier,

c. a log count rate meter,

d. trend recorder,

e. trip auxiliaries (shared)

At each mounting installation (except the turbine building sump), a scintillation detector is located in a shielded sampler which is positioned to minimize background radiation level due to plate out. The turbine building sump monitor is installed in a dry tube in the sump. The service water system monitor uses a side stream sample system. As shown in Section 15 Drawing NX-7993-1-1, the system contains a process radiation monitor which counts the pulses produced by the scintillation detector.

Trip circuits are also included to indicate off-normal concentrations of fission and radioactive corrosion products so that action can be taken to prevent the accidental release or transfer of highly radioactive materials. Monitoring of these systems can also be utilized as an operational tool to detect failures or leaks in other plant process systems.

The service water is used to cool normally nonradioactive areas such as the air compressor, turbine auxiliary systems, pump bearings, etc., and the reactor building closed cooling water system via a heat exchanger. A significant increase in the radiation level (1-2 decades) may indicate that a major leak in the system has occurred.

The reactor building closed cooling water system is a system primarily utilized to provide cooling to equipment in potentially contaminated areas. The system normally contains activity due to activation of added corrosion inhibitors and the use of contaminated condensate as makeup water. Changes in the normal radiation levels could signify the presence of leaks of radioactive water into the system.

Readout from each channel consists of a seven decade meter (five decades for sump monitor) display. All monitor channels are recorded.

7.5.2.5.3 Performance Analysis

The control of the radioactivity concentration in liquid wastes which are processed in the plant or released to the circulating water system discharge canal is achieved by analyses of samples from individual batches of waste liquids. The monitors provide an additional check to ensure that deviations do not occur as processing is performed. To assure monitor accuracy, periodic source checks, functional tests and instrument calibration are specified in the ODCM. Table 7.5-1 lists specific data pertaining to the sensitivities of the monitoring equipment.

The radioactive waste effluent radiation monitor was installed for use during release of liquid radioactive waste to the discharge canal. Historically the use of this discharge path has not been required due to the design of the radioactive waste system. The liquid radwaste effluent radiation monitor has received reduced maintenance and calibration but remains available. Prior to use of this discharge path the ODCM requirements for the radiation monitoring equipment must be met.

7.5.2.6 Reactor Building Exhaust Air Monitoring Subsystem

7.5.2.6.1 Design Basis

The air monitoring subsystem is designed to provide automatic initiation of the Standby Gas Treatment System and the Control Room Emergency Filtration System, shutdown of the normal reactor building ventilation system, and closure of select Group 2 primary containment valves (see Section 7.6.3.2.4, Part 12) when the concentration of radioactive materials in the ventilation exhaust plenum exceeds prescribed levels.

7.5.2.6.2 Description

The reactor building air monitoring subsystem measures the radioactivity in the combined exhaust from the Reactor Building, Radwaste Building, Turbine Building, Recombiner Building and Chemistry Laboratory ventilation systems. Provision is made for indication and recording in the main control room and for automatic alarm when radioactivity reaches prescribed levels.

Two monitoring channels are provided for the reactor building ventilation plenum, each consisting of a GM detector and an indicator and trip unit. These channels share power supplies with the fuel pool radiation monitors.

Both channels of the system are recorded. Table 7.5-1 lists the characteristics of the monitors.

Each channel provides a trip on high radiation level and low radiation level. The low radiation level is indicative of instrument trouble. The trip outputs from the two monitoring channels are combined such that one upscale trip or two downscale trips initiate reactor building ventilation system shutdown and startup of the standby gas treatment system and close select Group 2 primary containment valves (see Section 7.6.3.2.4, Part 12). One downscale trip initiates an alarm only.

Additional monitoring of the reactor building ventilation system is provided by the Reactor Building Vent Wide Range Gas Monitor (see Section 7.5.2.9). The monitor is designed to alarm in the control room upon detection of an elevated release rate in the reactor building vent. Control room operators can initiate prompt isolation of secondary containment and actuation of the Standby Gas Treatment System to terminate a release which could result in exceeding the limits of 10CFR50, Appendix I.

7.5.2.6.3 Performance Analysis

The refueling accident offers the greatest potential for radioactive release via the reactor building ventilation exhaust. To mitigate the consequences of this accident, the reactor building plenum monitoring subsystem is set to isolate the reactor building ventilation, start the Standby Gas Treatment System and the Control Room Emergency Filtration System (EFT), and isolate secondary containment upon detection of abnormal radiation levels. The high level setpoint is chosen sufficiently above the refueling operations background radiation level to avoid spurious trips, but low enough to detect and initiate a trip from the radiation level resulting from the design basis refueling accident.

For the design basis refueling accident, analysis using Alternative Source Term methodology has demonstrated that accident doses remain below regulatory limits even without isolation of secondary containment, operation of SBGT, operation of the EFT, and isolation of the reactor building ventilation.

Failure of a monitor which results in a downscale trip does not prevent isolation of the reactor building ventilation and initiation of the standby gas treatment system when the other monitor detects a high radiation level.

The sensitivity, accuracy, and range capability of the reactor building air monitors permit the monitor to detect radioactivity increases in the reactor building ventilation.

The monitors are selected with physical and electrical characteristics permitting them to function in the reactor building ventilation environment.

Calibration and testing of the monitor are performed periodically.

7.5.2.7 Fuel Pool High Radiation Monitor

7.5.2.7.1 Design Basis

The fuel pool monitor is designed to provide automatic initiation of the standby gas treatment system and the Control Room Emergency Filtration System (EFT), shutdown of the normal reactor building ventilation system, and closing of select Group 2 primary containment valves (see Section 7.6.3.2.4, Part 12) when the dose rate at the fuel pool/reactor pool area exceeds a preset level.

7.5.2.7.2 Description

The fuel pool radiation monitor subsystem indicates the radioactivity levels at the operating floor in the vicinity of the fuel pool and the reactor pool cavity.

Two channels are provided, each consisting of a GM detector and an indicator/trip unit. Power supplies for these units are shared with the reactor building exhaust air monitors in order to provide redundancy. Table 7.5-1 lists the characteristics of the monitors.

Each channel provides a trip on high radiation level and low radiation level. The low radiation level is indicative of instrument trouble. The trip outputs from the two monitoring channels are combined such that one upscale trip or two downscale trips initiate reactor building ventilation system shutdown and startup of the Standby Gas Treatment System and EFT and close select Group 2 primary containment valves (see Section 7.6.3.2.4, Part 12). One downscale trip initiates an alarm only.

7.5.2.7.3 Performance Analysis

The refueling accident offers the greatest potential for radioactive release via the Reactor Building ventilation exhaust. To mitigate the consequences of this accident, the fuel pool high radiation monitor subsystem is set to isolate the reactor building ventilation, start the Standby Gas Treatment System and EFT, and close select Group 2 primary containment valves (see Section 7.6.3.2.4, Part 12) upon detection of abnormal radiation levels. The high level setpoint is chosen sufficiently above refueling operations background radiation level to avoid spurious trips, but low enough to detect and initiate a trip from the radiation level resulting from a postulated refueling accident which uses the conservative NRC assumptions.

This system detects the release of radioactive gases when bubbles emerge from the reactor cavity pool surface. This system in conjunction with fast-acting ventilation valves results in isolating the Reactor Building prior to releasing the postulated radioactive gases. Reactor Building effluent thereafter is released via the standby gas treatment system and the off-gas stack.

For the design basis refueling accident, analysis using Alternative Source Term methodology has demonstrated that accident doses remain below regulatory limits even without isolation of secondary containment, operation of SBGT or the EFT, and isolation of the reactor building ventilation.

Calibration and testing of the monitor are provided by portable radioactive sources, and are controlled by plant technical specifications.

7.5.2.8 Control Room Ventilation Inlet Air Radiation Monitor

7.5.2.8.1 Design Basis

The main control room ventilation air radiation inlet monitors are designed to automatically prevent the injection of radiologically contaminated air into the control room.

7.5.2.8.2 Description

The radiation detectors are sufficiently sensitive to transfer the air handling system to the filtration/pressurization mode before radiation levels in the control room become excessive. The filtration units have HEPA filters and charcoal adsorbers providing make-up air for establishing positive pressure in the control room.

Two detectors arranged in a one-out-of-two logic scheme are provided for redundancy. Due to the close proximity of the radiation detectors and their associated signal cables, the radiation monitor system has been modified so that the CRV-EFT system will trip into the high radiation mode if a radiation monitor failure signal is received.
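The two-channel trip logic of Sections 7.5.2.2.2, 7.5.2.3.2, 7.5.2.6.2, 7.5.2.7.2 and this section, written out as an added Python example (not part of the USAR or of any plant software) so that the effect of a single failed channel under each scheme can be checked by enumeration. The function names, the Ch and Action enums and the setpoint values are assumptions for illustration; the off-gas time delay and the stack monitor's lower High alarm are not modelled.

```python
"""Added example: two-channel trip logic from Sections 7.5.2.2 to 7.5.2.8.
All names and setpoint values are illustrative, not plant identifiers."""
from enum import Enum
from itertools import product


class Ch(Enum):
    NORMAL = "normal"
    UPSCALE = "upscale"      # high radiation (High-High on the stack monitor)
    DOWNSCALE = "downscale"  # downscale, INOP, or monitor failure signal


class Action(Enum):
    NONE = "none"
    ALARM = "alarm only"
    ACTUATE = "actuate"


def channel_state(reading, low_trip, high_trip, powered=True):
    """Map one channel to a trip state. A de-energized channel reads as
    DOWNSCALE, matching 'alarm when downscale or de-energized'."""
    if not powered or reading <= low_trip:
        return Ch.DOWNSCALE
    return Ch.UPSCALE if reading >= high_trip else Ch.NORMAL


def both_channels_tripped(a, b):
    """Off-gas pretreatment and stack monitors: two upscale, two
    downscale/INOP, or one of each. One tripped channel only alarms."""
    tripped = sum(c is not Ch.NORMAL for c in (a, b))
    return (Action.NONE, Action.ALARM, Action.ACTUATE)[tripped]


def one_up_or_two_down(a, b):
    """Reactor building exhaust and fuel pool monitors: one upscale or two
    downscale trips actuate; one downscale trip initiates an alarm only."""
    if Ch.UPSCALE in (a, b) or (a, b) == (Ch.DOWNSCALE, Ch.DOWNSCALE):
        return Action.ACTUATE
    return Action.ALARM if Ch.DOWNSCALE in (a, b) else Action.NONE


def one_of_two_fail_to_trip(a, b):
    """Control room inlet monitors: one-out-of-two on high radiation, and a
    monitor failure signal also trips into the high radiation mode."""
    return Action.NONE if (a, b) == (Ch.NORMAL, Ch.NORMAL) else Action.ACTUATE


SCHEMES = {
    "off-gas pretreatment / stack": both_channels_tripped,
    "reactor bldg exhaust / fuel pool": one_up_or_two_down,
    "control room inlet": one_of_two_fail_to_trip,
}


def single_channel_effects(logic):
    """Report what one channel does on its own or against its partner."""
    def both_orders(x, y):
        return {logic(x, y), logic(y, x)}
    return {
        # one failed channel, partner normal: does the system actuate?
        "failure_alone_actuates":
            both_orders(Ch.DOWNSCALE, Ch.NORMAL) == {Action.ACTUATE},
        # one failed channel, partner upscale: is the real trip lost?
        "failure_blocks_trip":
            both_orders(Ch.DOWNSCALE, Ch.UPSCALE) != {Action.ACTUATE},
        # one upscale channel, partner normal: does the system actuate?
        "one_upscale_actuates":
            both_orders(Ch.UPSCALE, Ch.NORMAL) == {Action.ACTUATE},
    }


def truth_table(logic):
    """All nine channel-state pairs and the resulting action."""
    return {(a, b): logic(a, b) for a, b in product(Ch, repeat=2)}


if __name__ == "__main__":
    # Constructed readings in mR/hr against constructed setpoints.
    a = channel_state(120.0, low_trip=0.1, high_trip=50.0)
    b = channel_state(None, low_trip=0.1, high_trip=50.0, powered=False)
    for name, logic in SCHEMES.items():
        print(f"{name}: A={a.value}, B={b.value} -> {logic(a, b).value}")
        print("   ", single_channel_effects(logic))
```

In every scheme a failed channel paired with a genuinely upscale channel still actuates; the schemes differ in whether one channel alone is enough, which is the trade between spurious actuation and coincidence that the text describes.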

7.5.2.8.3 Performance Analysis

Activation of the EFT system High Radiation Mode by the control room air intake radiation monitors is not credited in any radiological safety analyses (see USAR Section 14.7).

7.5.2.9 Reactor Building Vent Wide Range Gas Monitoring Subsystem

7.5.2.9.1 Design Basis

In order that the reactor operator and the Plant Chemistry Group be aware of activity being released from the plant, the reactor building vent wide range gas monitoring system is designed as required by NUREG-0737 (Reference 41) Items II.F.1.1 and II.F.1.2:

a. To monitor, indicate and record the noble gas radioactivity level of the effluent gases discharged from the reactor building to the atmosphere.

b. To alarm for reactor building vent releases prior to the point at which the radiation level of the effluent gases being discharged exceeds the limits defined by Technical Specifications.

c. To provide a means of collecting iodine and particulate samples of the reactor building vent effluent.

d. To provide the plant operator and Emergency Planning agencies with information on plant releases of noble gases during and following an accident.

7.5.2.9.2 Description

The reactor building vent wide range gas monitoring subsystem incorporates two trains of instrumentation each of which includes:

a. A sample conditioning unit with particulate and iodine filters,

b. A sample detection unit with noble gas activity sensors and sample pumps,

c. A microprocessor and electronic hardware unit.

d. An isokinetic sampling probe assembly,

e. A communications and control unit in the control room.

The effluent gas is monitored and the levels of noble gas radioactivity are indicated and recorded in the control room.

Each train is capable of sampling effluent releases from one of the three reactor building vent ducts. A representative sample is drawn from the vent duct by an isokinetic sample probe. Isokinetic sampling is assured by microprocessor control of sample flow in response to the vent flow sensed by these monitors. The sample flow rate is adjusted to result in a sample tip velocity consistent with the vent duct stream velocity. Flow of gas through the system is indicated and alarmed on low-flow to indicate failure of the pump, flow control valve, or blockage of the filters in the system. The entire system is located inside the reactor building thereby preventing temperature transients which might affect possible plate out of halogens in the line.

The frequency of removing the reactor building vent sampler filter and charcoal filters and the type of analysis to be performed are specified in the Offsite Dose Calculation Manual (ODCM).

Readout for each channel consists of a digital display as well as a recorder for activity and effluent levels. Three alarms are included in each channel, one inoperable and two upscale. The monitor initiates each of the three signals, which actuate the two high alarms and the one inoperable alarm.

7.5.2.9.3 Performance Analysis

The reactor building vent wide range gas monitoring system provides indication and recording of reactor building vent noble gas activity. The sensitivity and range of the reactor building vent gas monitor (Table 7.5-1) are such that the equipment is capable of detecting activity levels consistent with the Lower Limit of Detection (LLD) requirements as specified in the ODCM. The monitor is designed to alarm in the control room upon detection of elevated release rates approaching the release limits prescribed by Technical Specification 5.5.3 during normal operation. Control room operators can initiate prompt isolation of secondary containment and actuation of the Standby Gas Treatment System to terminate a release which could result in exceeding the limits of 10CFR50, Appendix I.

Check sources are included in each monitoring unit to conveniently check functional operation of all detection ranges.

The monitor is periodically calibrated by testing monitor response to known sources.

Source checking, functional testing, and calibration are controlled by the ODCM or TRM, as applicable.

7.5.3 Area Radiation Monitoring System

7.5.3.1 Design Basis

The Area Radiation Monitoring System is designed to:

a. Warn of excessive gamma radiation levels in areas where nuclear fuel is stored or handled.

b. Provide operating personnel with a continuous indication in the main control room of gamma radiation levels at selected locations within the various plant buildings.

c. Contribute plant dose rate information to the control room so that correct decisions may be made with respect to deployment of personnel in the event of a radiation incident.

d. Assist in the detection of unauthorized or inadvertent movement of radioactive material in the plant, including the radwaste area.

e. Supplement other systems, including Process Radiation Monitoring, leak detection, etc., in detecting abnormal migrations of radioactive material in or from the process streams.

f. Provide local alarms at key points where a substantial change in radiation level might be of immediate importance to personnel frequenting the area.

g. Maintain a permanent record of the radiation levels in the areas being monitored.

7.5.3.2 Description

The Area Radiation Monitoring System provides operating personnel with a record of gamma radiation levels at detector locations within the various structures or buildings. All monitors provide continuous indication, intermittent record, and alarm in the control room, when radiation levels exceed preselected values or when the monitor has experienced an operational failure. Some monitors also alarm at the detector location. Table 7.5-2 lists detector locations.

A basic ARM channel consists of a sensor and converter unit, indicator and trip unit, and power supply. As an option, an ARM auxiliary unit may be inserted between the sensor and converter unit and the indicator and trip unit for remote indication and alarm. Table 7.5-2 indicates which of the ARM channels are provided with ARM Auxiliary Units.

Each sensor and converter unit contains a GM tube detector and the circuitry required to produce a direct current output signal that is a measure of gamma radiation intensity. The unit converts pulses produced in the GM tube to a DC current output signal which is proportional to radiation intensity. The DC current signal is applied to the associated channel trip and indicator unit.

The direct current output signal of the sensor and converter unit serves as the input to an indicator and trip unit located in control room panels. This input current is converted to a voltage by a DC amplifier, which supplies signals to two trip circuits, a meter, and one of the recorders. The meter provides a front panel indication of the radiation level in units of mR/hr.

The auxiliary unit is primarily used to provide local indication of radiation levels. However, it is also used to actuate local alarms in some instances. It is installed electrically between the sensor and converter unit and the corresponding indicator and trip unit. A meter on the front panel indicates the radiation level at the sensor.

When a high level trip occurs, operating current is supplied to a relay whose contacts are used to control a local klaxon horn, when used as a horn actuating device. An amber lamp on the auxiliary unit lights when the relay operates.

An area radiation monitor portable calibration unit, which provides several gamma radiation levels, is used in the adjustment procedure for ARM sensors and converters.

Area radiation monitor power supply units located in the control room provide the necessary regulated and unregulated voltages, including detector high voltage. Each power supply unit contains an adjustable test current source which can be applied to any of up to ten ARM channels connected to it.

Primary power to the ARM power supply units and the multi-point recorder is obtained from the 120 V, 60 Hz Instrument Bus. Power to the local alarm units (Klaxon horns) is obtained from local lighting circuits.

7.5.3.2.1 Technical Support Center Radiation Monitoring

To ensure adequate radiological protection of TSC personnel under accident conditions, TSC radiation monitoring systems are provided. These systems are composed of either installed monitors or portable monitoring equipment dedicated to the TSC. While in use during an emergency, these systems will continuously indicate radiation dose inside the TSC. These monitoring systems include local alarms with trip levels set to provide TSC personnel with early warning of adverse conditions that may affect habitability of the TSC.

7.5.3.2.2 Containment High Range Radiation Monitoring System

The Containment High Radiation Monitoring System complies with the requirements of NUREG-0737 (Reference 41), Item II.F.1.3. The sensor units for this system are located in the drywell at approximately 944 foot and 0° Azimuth for Channel B and 180° Azimuth for Channel A. Each sensor is an ionization chamber with an internal U-234 source, which gives approximately 1 R/hr reading for operation verification.

Increasing gamma radiation increases the rate of ionization with proportional increases in the signal current outputs to the readout module.

The readout modules convert the output current from the detectors to a readout of radiation from 10^0 R/hr to 10^8 R/hr. There are two trip points on each unit, indicating Hi Radiation and Hi Hi Radiation. Both readout modules alarm to an annunciator and drive recorders.

7.5.3.3 Performance Analysis

Area radiation monitor detectors are distributed (see Table 7.5-2) in such a way that radiation detection coverage is provided in any areas where personnel may be required to work for extended periods. Increases in radiation above some preselected level annunciate an alarm. The ranges and sensitivities of the equipment (Table 7.5-1) are sufficient to detect increases in radiation level above background level. All monitors annunciate an alarm on failure.

7.5.4 Health Physics and Laboratory Radiation Measuring Instruments

7.5.4.1 Design Basis

Portable radiation survey instruments are available for the measurement of the alpha, beta, gamma and neutron radiation expected in normal operation and emergencies.

Appropriate instruments and auxiliary equipment are available to detect and measure radioactive contamination on surfaces, in air, and in liquids.

7.5.4.2 Description

Various survey meters, particulate sample counters and associated analytical equipment are furnished in order for health physics technicians to monitor working conditions and make special radioactivity surveys. Personnel monitoring is provided to detect radioactive contamination upon exit from contaminated or potentially contaminated areas.

Personnel dosimeters are provided to and worn by persons in those areas where required by 10CFR20 regulations.

Laboratory radiation measuring instruments are provided for alpha, beta, and gamma radiation, and for gaseous, liquid, and solid samples.

Secondary calibration sources and check-test sources for the various instruments are provided.

7.5.4.3 Inspection and Testing

Proper operation of all radiation monitoring instruments is checked with built-in testing circuits and/or radiation sources. All measuring instruments are periodically calibrated with radioactive or electronic calibration sources.

Table 7.5-1 Process Radiation Monitoring System - Principal Design Parameters (Page 1 of 6)

Columns: Off-Gas Pretreatment | Radioactive Effluent Stack WRGM (3 ranges: L = Low, M = Mid, H = High) | Main Steam Line | Process Liquid | Reactor Building Vent WRGM (3 ranges: L = Low, M = Mid, H = High)

GENERAL
Monitoring Type: Linear | Log | Air Particulate Radioactive Gas | Area | Liquid Effluent | Air Particulate Radioactive gas
Number of Channels: 1 | 2 | 2L, 2M, 2H | 4 | 7 | 2L, 2M, 2H

DETECTING
Type:
  Solid State Cd Te: M & H | M & H
  Ionization Chamber: X | X | X
  G-M Tube: -
  Scintillation: L | X | L
Radiation Detection:
  Alpha: -
  Beta: L, M, H | L, M, H
  Gamma: X | X | M & H | X | X | M & H
  Neutron: -
Detector Sensitivity Minimum: 2×10^-10 amps/R/h | 100 uc/sec | 2×10^-10 amps/R/h | 10^-5 uc/cc | 100 uc/sec
Physicals:
  Temperature (°F Max): 140 | 131 | 140 | 140 | 131
  Relative Humidity (% Max): 98 | 95 | 98 | 98 | 95
Check Source:
  Built-in Radiation: X | X
  Manual Radiation: -
Energy Resp. / Energy Range / Reference Source: -

Table 7.5-1 Process Radiation Monitoring System - Principal Design Parameters (Page 2 of 6)

Columns: Reactor Building Plenum | Fuel Pool High Radiation | Area Radiation Monitoring System (34 Channels) All Channels | Control Room H&V and EFT Monitor

GENERAL
Monitoring Type: Area | Area | Area | Area
Number of Channels: 2 | 2 | 34 | 2

DETECTING
Type:
  Solid State Cd Te: -
  Ionization Chamber: -
  G-M Tube: X | X | X
  Scintillation: -
Radiation Detection:
  Alpha: -
  Beta: -
  Gamma: X | X | X | X
  Neutron: -
Detector Sensitivity Minimum: 0.01 mR/h | 0.1 mR/h | 10^-2, 10^-1, 10^0, 10^2 mR/h | 0.1 mR/h
Physicals:
  Temperature (°F Max): 140 | 140 | 140 | 130
  Relative Humidity (% Max): 98 | 98 | 98 | 100
Check Source:
  Built-in Radiation: -
  Manual Radiation: X | X | X | X
Energy Resp. / Energy Range / Reference Source: 80 kev/7 mev | 80 kev/7 mev | 80 kev/7 mev | 80 kev 2.5 mev

Table 7.5-1 Process Radiation Monitoring System - Principal Design Parameters (Page 3 of 6)

Columns: Off-Gas Pretreatment | Radioactive Effluent Stack WRGM | Main Steam Line | Process Liquid | Reactor Building Vent WRGM

INDICATING
Type:
  Count Rate Meter: X
  Picoammeter: X | X
Scale:
  Digital: X | X
  Log: X | X | X | X
  Linear: -
Range: 3×10^-2 to 3×10^4 R/h | 10^-3 to 10^3 R/h | 10^-7 to 10^5 uCi/ml | 10^-3 to 10^3 R/h | 10^-1 to 10^6 cps | 10^-7 to 10^5 uCi/ml
Channel Accuracy (% Range): +/- 10% | +/- 3% | +/- 10% | +/- 3% | +/- 10% | +/- 10%
Power:
  Station Supplied: X | X | X | X | X
  Battery Operated: -
Location:
  Local @ Detector: -
  Remote @ Control Room: X | X | X | X | X

ANNUNCIATING
Type:
  Visual: X | X | X | X | X
  Audio: X | X | X | X | X
  Recorded: -
Location:
  Local @ Detector: -
  Remote @ Control Room: X | X | X | X | X
Radiation Alarm:
  Hi: X | X | X | X | X
  Hi-Hi: X
Trouble Alarm:
  Hi: X | X | X
  Low: X | X | X
  Inop: X | X
Trip Bypass Alarm: X

Table 7.5-1 Process Radiation Monitoring System - Principal Design Parameters (Page 4 of 6)

Columns: Reactor Building Plenum | Fuel Pool High Radiation | Area Radiation Monitoring System (34 channels) All 34 channels | Control Room H&V and EFT Monitor

INDICATING
Type:
  Count Rate Meter: X | X | X | X
  Picoammeter: -
Scale:
  Digital: -
  Log: X | X | X | X
  Linear: -
Range: 0.01 - 10^2 mR/h | 0.1 - 10^3 mR/h | 10^-2 - 10^2, 10^-1 - 10^3, 10^0 - 10^4, 10^2 - 10^6 mR/h | 0.1 - 10^4 mR/h
Channel Accuracy (% Range): +/- 9.5% | +/- 9.5% | +/- 9.5% | +/- 15%
Power:
  Station Supplied: X | X | X | X
  Battery Operated: -
Location:
  Local @ Detector: X
  Remote @ Control Room: X | X | X | X

ANNUNCIATING
Type:
  Visual: X | X | X | X
  Audio: X | X | X | X
  Recorded: X | X
Location:
  Local @ Detector: X
  Remote @ Control Room: X | X | X | X
Radiation Alarm:
  Hi: X | X | X | X
  Hi-Hi: X
Trouble Alarm:
  Hi: X
  Low: X | X | X
  Inop: -
Trip Bypass Alarm: X | X

Table 7.5-1 Process Radiation Monitoring System - Principal Design Parameters (Page 5 of 6)

Columns: Off-Gas Pretreatment | Radioactive Effluent Stack WRGM | Main Steam Line | Process Liquid | Reactor Building Vent WRGM

RECORDING
Channels: 1 | 2 | 2 ch | 4 | 7 | 2 ch
Scale:
  Log: X | X | X | X | X
  Linear: X
Range: 6 decades | 12 decades | 6 decades | 7 decades | 12 decades

SAMPLING
Location:
  In-line: X | X
  Off-line: X | X | X | X
Meas. Medium:
  Air - Steam: X | X | X | X
  Water: X
Shielded: X | X

CONTROLLING
Initiates SCRAM: -
Initiates Off-gas Stack Isolation Valve Closure: X
Initiates Emergency Ventilation System: -
Trips Recombiners (after time delay): X
Turn Off Mech Vacuum Pump & Close M.V. Valve: X

REMARKS
Filter paper analyzed later | Filter paper analyzed later

Table 7.5-1 Process Radiation Monitoring System - Principal Design Parameters (Page 6 of 6)

Columns: Reactor Building Plenum | Fuel Pool High Radiation | Area Radiation Monitoring System (34 channels) all 34 channels | Control Room H&V and EFT Monitor

RECORDING
Type Trend: X | X (not F-2)
Scale:
  Log: X | X
  Linear: -
Range: 4 decades | 4 decades

SAMPLING
Location:
  In-line: X | X
  Off-line: -
Meas. Medium:
  Air - Steam: X | X | X
  Water: -
Shielded: -

CONTROLLING
Initiates SCRAM: -
Initiates Isolation Valve Closure: X | X
Initiates Emergency Ventilation System: X | X | X
Initiates Off-gas Isolation Valve: -
Turn Off Mech Vacuum Pump & Close M.V. Valves (Trip upon SGTS initiation): X | X

REMARKS
Several are also indicated and annunciated locally

Table 7.5-2 Area Radiation Monitoring System

Channel Designation | Location | Range (mR/hr)
A-1* | Refueling Floor Low Range | 0.1-1000
A-2 | Refueling Floor High Range | 1-10,000
A-3* | Refueling Floor Stairway (Decontamination Area) | 0.1-1000
A-4 | 1001 Source Storage | 0.1-1000
A-5 | Fuel Pool Skimmer Tank | 0.1-1000
A-6 | 1001 Decon Area | 0.1-1000
A-7 | 985 Sample Hood | 0.1-1000
A-8 | Reactor Clean Up Demineralizer Area | 0.1-1000
A-9 | 962 Tool Crib | 0.1-1000
A-10 | East CRD Module Area | 0.1-1000
A-11 | West CRD Module Area | 0.1-1000
A-12* | TIP Drive Room | 0.1-1000
A-13 | TIP Cubicle | 1-10,000
A-14* | HPCI Turbine Area | 0.1-1000
A-15 | 896 Radwaste Drain Tank Room | 0.1-1000
A-16 | RCIC Equipment Area | 0.1-1000
A-17 | East (A) RHR Area | 0.1-1000
A-18 | West (B) RHR Area | 0.1-1000
A-19 | Chemistry Lab | 0.1-1000
A-20 | Control Room - Low Range | 0.01-100
A-21 | Control Room - High Range | 1-10,000
B-1 | Turbine Floor (North Wall) | 1-10,000
B-2* | Turbine Shield Wall | 0.1-1000
B-3* | Condensate Demin. Operating Area | 0.1-1000
B-4* | MVP Room | 0.1-1000
B-5 | Feedwater Pump Area | 0.1-1000
C-1* | Radwaste Control Room | 0.1-1000
C-2* | 947 Sample Tank Area | 0.1-1000
C-3* | Conveyor Operating Aisle | 0.1-1000
D-1* | 13.8 KV Switchgear Room | 0.1-1000
E-1 | Recombiner Bldg Inst. Room | 0.1-1000
E-2 | Recombiner Bldg Pump Room | 0.1-1000
F-1* | Off-Gas Stg Bldg Foyer (Low Range) | 0.1-1000
F-2 | Off-Gas Stg Foyer (Hi Range) | 100-1,000,000

* Provided with ARM auxiliary units.

7.6 Plant Protection System

7.6.1 Reactor Protection System

7.6.1.1 Design Basis

The reactor protection system is designed to:

a. Prevent, in conjunction with the containment and containment isolation system, the release of radioactive materials in excess of the limits of 10CFR50.67 as a consequence of any of the design basis accidents (Section 14.7).

b. Prevent fuel damage following any single equipment malfunction or single operator error.

c. Function independently of other plant controls and instrumentation and prevent the reactor from operating under any unsafe or potentially unsafe condition.

d. Function safely following any single component malfunction failure and yet provide the highest continuity of service.

In order to meet its design requirements, the reactor protection system, under various conditions, automatically initiates reactor scram. It is also possible for the operator to manually scram the reactor from the control room.

The following bases provide assurance that the reactor protection system is designed with sufficient reliability and versatility to fulfill the above design bases.

a. Any one failure, intentional bypass, maintenance operation, calibration operation, or test to verify operational availability does not impair the functional ability of the reactor protection system to respond correctly.

b. The system is designed for a high probability that when any monitored variable exceeds the scram setpoint, the event either results in an automatic scram or does not impair the ability of the system to scram as other monitored variables exceed their scram trip points.

c. Where a plant condition that requires a reactor scram can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more reactor protection system channels designed to provide protection against the unsafe condition, the remaining portions of the reactor protection system meet the requirements of the above design basis.

d. The power supply for the reactor protection system is arranged so that loss of one supply neither causes a reactor scram nor prevents an orderly plant shutdown.

e. The system is designed so that, once initiated, a reactor protection system action goes to completion. Return to normal operation after reactor protection system action requires deliberate operator action.

f. There is sufficient electrical and physical separation between trip channels and between trip logics monitoring the same variable to prevent credible environmental factors, electrical transients, and physical events from impairing the ability of the system to respond correctly.

g. Earthquake ground motions do not impair the ability of the reactor protection system to initiate a reactor scram.

h. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables is under the physical control of supervision or of the control room operator.

i. The means for manually bypassing trip logics, trip channels, or system components are under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously annunciated in the control room. One or more channel trips cause a single annunciation of the particular variable and one additional annunciation of the RPS trip system containing the channel. Identification of individual channel trips is accomplished by process computer printout or visual inspection of the channel relays.

j. The reactor protection system is designed to provide the operator with information pertinent to the operational status of the protection system and means are provided for prompt identification of trip channel and trip system responses.

k. It is possible to check the operational availability of each trip channel and trip logic during reactor operation.

The reactor protection system, including the inputs and the related instrumentation, has been designed to the above listed design bases. This design meets and satisfies the intent of the requirements of the proposed IEEE 279 criteria, dated August 28, 1968 (Reference 18).

7.6.1.2 Description

7.6.1.2.1 Identification

The Reactor Protection System includes the motor-generator power supplies, associated control and indicating equipment, sensors, relays, bypass circuitry and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the Process Computer System and annunciators. The Process Computer System and annunciators are not part of the Reactor Protection System. Although scram signals are received from the Nuclear Instrumentation System, the system is treated as a separate nuclear safety system elsewhere in the report. (See Section 7.3)

7.6.1.2.2 Power Supply

Power to each of the two reactor protection trip systems is supplied, via a separate bus, by its own high inertia AC motor-generator set (see Figure 7.6-1). Each generator has a voltage regulator which is designed to respond to a step load change of 50% of rated load with an output voltage change of not greater than 15%.

High inertia is provided by a flywheel. The inertia is sufficient to maintain voltage and frequency within 5% of rated values for at least 1.0 second following a total loss of power to the drive motor. Protective source tripping is provided by redundant electrical protection assemblies on sensing overvoltage, undervoltage, or under frequency (See Section 8.6).

An alternate power source is available to either Reactor Protection System (RPS) bus. Manual circuit breakers, with a mechanical interlock, prevent the simultaneous feeding of both RPS busses from the alternate power source and prevent paralleling a motor-generator set with the alternate power source.

The reactor water level differential transmitter trip units, Panels C304 A-D, are also supplied from the class 1E UPS. The trip unit power supplies are configured such that the loss of any one power source will not cause the loss of a trip unit.

7.6.1.2.3 Physical Arrangement

Instrument piping that taps into the reactor vessel is routed through the drywell wall and terminates inside the secondary containment (Reactor Building). Reactor vessel pressure and water level information is sensed from this piping by instruments mounted on instrument racks in the reactor building. Valve position switches are mounted on valves from which position information is required. The sensors for Reactor Protection System signals from equipment in the turbine building are mounted locally in the turbine building. The two motor-generator sets that supply power for the Reactor Protection System are located in the reactor building in an area where they can be serviced during reactor operations. Cables from sensors and power cables are routed to two reactor protection system cabinets in the control room, where the logic circuitry of the system is formed. One cabinet is used for each of the two trip systems. The trip logics of each trip system are isolated in separate bays in each cabinet. The Reactor Protection System is designed as Class I equipment to assure a safe reactor shutdown during and after seismic disturbances (See Section 7.6.1).

7.6.1.2.4 Logic

The Reactor Protection System is arranged as two separately powered trip systems. Each trip system has three trip logics, two of which are used to produce automatic trip signals. The remaining trip logic is used for a manual trip signal. Each of the two trip logics used for automatic trip signals receives input signals from at least one trip channel for each monitored variable. Thus, two trip channels are required for each monitored variable to provide independent inputs to the trip logics of one trip system. At least four trip channels for each monitored variable are required for the trip logics of both trip systems.

The trip actuators associated with one trip logic provide inputs into each of the trip actuator logics for the associated trip system. Thus, either of the two automatic trip logics associated with one trip system can produce a trip system trip. The logic is a 1-out-of-2 arrangement. To produce a scram, the trip actuator logics of both trip systems must be tripped. The overall logic of the Reactor Protection System is termed 1-out-of-2 taken twice.

7.6.1.2.5 Operation

To facilitate the description of the Reactor Protection System, the two trip systems are called trip system A and trip system B. The automatic trip logics of trip system A are trip logics A1 and A2; the manual trip logic of trip system A is trip logic A3. Similarly, the trip logics for trip system B are trip logics B1, B2, and B3. The trip actuators associated with any particular trip logic are identified by the trip logic identity (such as trip actuators B2). The trip actuator logics associated with a trip system are identified with the trip system identity (such as trip actuator logics A). Trip channels are identified by the name of the monitored variable and the trip logic identity, with which the channel is associated (such as reactor vessel high pressure trip channel B1).

During operation all sensor and trip contacts essential to safety are closed; trip channels, trip logics, and trip actuators are normally energized.

There are two scram pilot valves and two scram valves for each control rod, arranged functionally as shown in Figure 7.6-1. Each scram pilot valve is solenoid operated. The solenoids are normally energized. The two scram pilot valves associated with a control rod control the air supply to both scram valves for that rod. With either scram pilot valve energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for water to the control rod drives. One of the scram pilot valves for each control rod is controlled by trip actuator logics A, the other valve by trip actuator logics B. There are two DC solenoid-operated backup scram valves which provide a second means of controlling the air supply to the scram valves for all control rods. The DC solenoid for each backup scram valve is normally deenergized. The backup scram valves are energized (initiate scram) when both trip system A and trip system B are tripped.

Whenever a trip channel sensor contact opens, its auxiliary relay deenergizes, causing contacts in the trip logic to open. The opening of contacts in the trip logic deenergizes its trip actuators. When deenergized, the trip actuators open contacts in all the trip actuator logics for that trip system. This action results in deenergizing the scram pilot solenoids associated with that trip system (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve solenoid for each rod is deenergized, the rods are not scrammed. If a trip then occurs in any of the trip logics of the other trip system, the remaining scram pilot valve solenoid for each rod is deenergized, venting the air pressure from the scram valves, and allowing water to the control rod drives to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of the east rod pistons is vented into the east scram discharge volume, and the water displaced by the movement of the west rod pistons is vented into the west scram discharge volume. Figure 7.6-1 shows that when the solenoid for either backup scram valve is energized, the backup scram valve vents the air supply for the scram valves; this action initiates insertion of every control rod regardless of the action of the scram pilot valves.

Two additional scram solenoid valves were installed in the scram pilot air header for the Alternate Rod Insertion (ARI) portion of the ATWS system, see Figure 7.6-1. ARI is a means of diverse control blade injection which is motivated mechanically by the normal hydraulic control units and control rod drives, but which utilizes totally separate and diverse logic. For additional discussion of the ATWS System refer to Section 7.6.2.

A scram can be manually initiated. There are two scram buttons, one for trip logic A3 and one for trip logic B3. Depressing the scram button on trip logic A3 deenergizes trip actuators A3 and opens corresponding contacts in trip actuator logics A. A single trip system trip is the result. To effect a manual scram, the buttons for both trip logic A3 and trip logic B3 must be depressed. By operating the manual scram button for one trip logic at a time, followed by reset of that trip logic, each trip system can be tested for manual scram capability. It is also possible for the control room operator to scram the reactor by interrupting power to the Reactor Protection System. This can be done by operating power supply breakers in the control room.
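The 1-out-of-2-taken-twice arrangement and the de-energize-to-trip operation described in 7.6.1.2.4 and 7.6.1.2.5 can be checked with a small model. The following is an added example, not part of the USAR or of any plant software; the class and function names are hypothetical, and relays, contacts and solenoids are reduced to booleans with one trip channel per monitored variable per automatic trip logic.

```python
from itertools import product

AUTO_LOGICS = ("A1", "A2", "B1", "B2")   # automatic trip logics
MANUAL_LOGICS = ("A3", "B3")             # manual trip logics (scram buttons)


class ReactorProtectionModel:
    """Hypothetical de-energize-to-trip model; True = contact closed / energized."""

    def __init__(self, variables):
        # One trip channel per monitored variable per automatic trip logic.
        self.channel_closed = {(v, l): True for v in variables for l in AUTO_LOGICS}
        self.button_pressed = {l: False for l in MANUAL_LOGICS}
        self.bus_powered = {"A": True, "B": True}  # one RPS bus per trip system

    def trip_logic_tripped(self, logic):
        """A trip logic trips on loss of its bus or when any input contact opens."""
        if not self.bus_powered[logic[0]]:
            return True
        if logic in MANUAL_LOGICS:
            return self.button_pressed[logic]
        return any(not closed
                   for (_, l), closed in self.channel_closed.items() if l == logic)

    def trip_system_tripped(self, system):
        """1-out-of-2: any trip logic of the system (1, 2 or manual 3) trips it."""
        return any(self.trip_logic_tripped(system + n) for n in "123")

    def scram(self):
        """Rods insert only when the A and B pilot solenoids are both de-energized."""
        return self.trip_system_tripped("A") and self.trip_system_tripped("B")

    def backup_scram_valves_energized(self):
        """Backup valves are normally de-energized; both trip systems energize them."""
        return self.trip_system_tripped("A") and self.trip_system_tripped("B")


def scram_truth_table(variable="reactor vessel high pressure"):
    """Map each set of opened channels (of 16 combinations) to the scram result."""
    table = {}
    for states in product((True, False), repeat=len(AUTO_LOGICS)):
        rps = ReactorProtectionModel([variable])
        for logic, closed in zip(AUTO_LOGICS, states):
            rps.channel_closed[(variable, logic)] = closed
        opened = frozenset(l for l, c in zip(AUTO_LOGICS, states) if not c)
        table[opened] = rps.scram()
    return table


def demand_survives_single_failure(variable="reactor vessel low water level"):
    """With any one channel stuck closed (failed to trip), a real demand still scrams."""
    for stuck in AUTO_LOGICS:
        rps = ReactorProtectionModel([variable])
        for logic in AUTO_LOGICS:
            rps.channel_closed[(variable, logic)] = (logic == stuck)
        if not rps.scram():
            return False
    return True


def no_scram_from_single_event(variable="primary containment high pressure"):
    """No single spurious channel trip, single button, or single bus loss scrams."""
    events = [("channel", l) for l in AUTO_LOGICS]
    events += [("button", l) for l in MANUAL_LOGICS] + [("bus", s) for s in "AB"]
    for kind, name in events:
        rps = ReactorProtectionModel([variable])
        if kind == "channel":
            rps.channel_closed[(variable, name)] = False
        elif kind == "button":
            rps.button_pressed[name] = True
        else:
            rps.bus_powered[name] = False
        if rps.scram():
            return False
    return True


if __name__ == "__main__":
    for opened, scrammed in sorted(scram_truth_table().items(),
                                   key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        label = ",".join(sorted(opened)) or "none"
        print(f"open channels: {label:<12} scram: {scrammed}")
    print("single stuck channel tolerated:", demand_survives_single_failure())
    print("single spurious event tolerated:", no_scram_from_single_event())
```

Nine of the sixteen channel combinations produce a scram: exactly those with at least one open channel in each trip system.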

To restore the Reactor Protection System to normal operation following any single trip system trip or scram, the trip actuators must be manually reset. Reset is possible only if the conditions that caused the trip or scram have been cleared and is accomplished by operating switches in the control room.

Whenever a Reactor Protection System sensor trips, it lights an annunciator common to all four trip channels for that variable, on the reactor control panel in the control room to indicate the out-of-limit variable. A Reactor Protection System trip channel trip also sounds an audible alarm, which can be silenced by the operator. The annunciator lights latch in until manually reset; reset is not possible until the condition causing the trip has been cleared. The physical positions of Reactor Protection System relays are used to identify the individual sensor that tripped in a group of sensors monitoring the same variable. The location of annunciators provides the operator with the means to quickly identify the cause of Reactor Protection System trips.

To provide the operator with the ability to analyze an abnormal transient during which events occur too rapidly for direct operator comprehension, all Reactor Protection System trips are recorded by the Plant Process Computer Systems Trek List View Alarm/SOE (Sequence of Events) function. All trip events are recorded with a resolution of 2 milliseconds. Use of the Computer Alarm/SOE function is not required for plant safety, and information provided is in addition to that immediately available from other annunciators and data displays. The logging of trips is of particular usefulness in routinely verifying the proper operation of pressure, level, and valve position switches as trip points are passed during startups, shutdowns and maintenance operations.

Reactor Protection System inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the system. Signals directly from the Reactor Protection System sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output.

7.6.1.2.6 Scram Functions and Settings

The following discussion covers the functional considerations for the variables or conditions monitored by the Reactor Protection System. Table 7.6-1 lists the trip settings for instruments providing signals for the system. Figure 7.6-2 shows the scram functions in block form. Scrams result from:

a. Neutron monitoring system trip

To provide protection for the fuel against abnormally high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The Neutron Monitoring System setpoints are given. They are discussed in the Nuclear Instrumentation System (Section 7.3).

b. Reactor high pressure

High pressure within the reactor vessel poses a direct threat of rupture to the nuclear system process barrier. A nuclear system pressure increase while the reactor is operating compresses the steam voids and results in a positive reactivity insertion causing increased core heat generation that could lead to a violation of the core thermal-hydraulic safety limit. A scram counteracts a pressure increase by quickly reducing the core fission heat generation.

The nuclear system high pressure scram setting is chosen slightly above the reactor vessel maximum normal operating pressure to permit normal operation without spurious scrams yet provide a wide margin to the nuclear system pressure safety limit. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high pressure scram setting. The nuclear system high pressure scram works in conjunction with the Pressure Relief System in preventing nuclear system pressure from exceeding the pressure safety limit.

c. Reactor vessel low water level

A low water level in the reactor vessel indicates that the reactor core is in danger of being inadequately cooled. The effect of a decreasing water level while the reactor is operating at power is to decrease the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as level becomes inadequate. A reactor scram protects the fuel by reducing the fission heat generation within the core.

The reactor vessel low water level scram setting was selected to prevent fuel damage following those abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. Specifically, the scram setting is chosen far enough below normal operational levels to avoid spurious scrams but high enough above the top of the active fuel to assure that enough water is available to account for evaporation losses and displacements of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting is used in the development of the thermal-hydraulic safety limit, which sets a limit on thermal power level for various coolant flow rates.

If reactor water level drops below the level of the steam dryer skirt, then steam could flow under the skirt and bypass the dryer. This bypass steam flows past the variable leg of the reactor water level instrument tap and creates a Bernoulli effect pressure reduction, which results in a non-conservative indicated increase in reactor water level. The potential for skirt uncovery is assessed at the analytical limit for the low water level scram setpoint. The analytical limit for this setpoint conservatively includes a bias to compensate for the assumption that a Bernoulli effect will exist at the low level scram setpoint (References 55 and 57).

d. Primary Containment high pressure

A high pressure inside the Primary Containment could indicate a break in the primary system process barrier. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce the addition of energy from the core to the coolant. The reactor vessel low water level scram also acts to scram the reactor for loss-of-coolant accidents. The Primary Containment high pressure scram setting is selected to be as low as possible without inducing spurious scrams.

e. Main condenser low vacuum

This scram signal anticipates loss of the main heat sink which would result in a reactor vessel pressure rise as the condenser is isolated to protect it from overpressure. The effects of increased reactor pressure are discussed in item b.

f. Scram discharge volume high water level

The east scram discharge volume receives the water displaced by the motion of the east control rod drive pistons and the west scram discharge volume receives the water displaced by the motion of the west control rod drive pistons during a scram. Should either scram discharge volume fill up with water to the point where not enough space remains for the water displaced during a scram, control rod movement would be hindered in the event a scram were required.

To prevent this situation the reactor is scrammed when the water level in either discharge volume attains a value high enough to verify that the volume is filling up yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.

g. Turbine control valve fast closure

With the reactor and turbine-generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram, which initiates a scram earlier than either the Nuclear Instrumentation System or nuclear system high pressure, is required to provide a satisfactory margin to the core thermal-hydraulic safety limit for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the primary system high pressure scram, in conjunction with the Automatic Depressurization System, is adequate to preclude overpressurizing the primary system, the turbine control valve fast closure scram provides additional margin to the primary system pressure safety limit.

The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure. The trip logic was chosen to identify those situations in which a reactor scram is required for fuel protection.

h. Turbine stop valve closure

Closure of the turbine stop valves with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise collapses steam voids. The turbine stop valve closure scram, which initiates a scram earlier than either the nuclear instrumentation system or primary system high pressure, is required to provide a satisfactory margin below the core thermal hydraulic safety limit for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the nuclear system high pressure scram, in conjunction with the Automatic Pressure Relief System, is adequate to preclude overpressurizing the primary system, the turbine stop valve closure scram provides additional margin to the primary system pressure limit.

The turbine stop valve closure scram setting is selected to provide the earliest positive indication of valve closure. The trip logic was chosen both to identify those situations in which a reactor scram is required for fuel protection and to allow functional testing of this scram function.

i. Main steam line isolation valve closure

The main steam line isolation valve closure scram is provided to limit the release of fission products from the nuclear system. Automatic closure of the main steam line isolation valves is initiated upon conditions indicative of a steam line break. The scram initiated by valve closure anticipates a reactor vessel low water level scram.

Various steam line and nuclear system malfunctions, or operator actions, can initiate main steam line isolation valve closure. Although credit is not taken for this scram to show vessel pressure ASME Code compliance (Section 14.5), the main steam line isolation valve closure scram will anticipate and reduce in magnitude the pressure transient following spurious main steam line isolation.

The main steam line isolation valve closure scram setting is selected to give the earliest positive indication of valve closure. The trip logic allows functional testing of valve closure trip channels with one steam line isolated.

j. Manual scram

To provide the operator with means to shut down the reactor independent of the automatic functioning of the Reactor Protection System, push buttons are located in the control room that initiate a scram when actuated by the operator.

k. Mode switch in SHUTDOWN

The mode switch provides appropriate protective functions for the condition in which the reactor is to be operated. The reactor is to be shut down with all control rods inserted when the mode switch is in SHUTDOWN. To enforce the condition defined for the SHUTDOWN position, placing the mode switch in the SHUTDOWN position initiates a reactor scram. This scram is not required to protect the fuel or primary system process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short time delay, permitting a scram reset which restores the normal valve lineup in the control rod drive hydraulic system.

7.6.1.2.7 Mode Switch

A conveniently located, multi-position, keylock mode switch is provided which selects the necessary scram functions for various plant operating modes. In addition to selecting scram functions from the proper sensors, the mode switch provides appropriate bypasses. The mode switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the Reactor Protection System. The switch itself is designed to provide separation between the two trip systems. The mode switch positions and their related scram functions are as follows:

a. SHUTDOWN - Initiates a reactor scram; bypasses main steam line isolation valve closure and condenser low vacuum scram if primary system pressure is below 600 psig.

b. REFUEL - Selects neutron monitoring system scram for low neutron flux level operation (see Section 7.3); bypasses main steam line isolation valve closure and condenser low vacuum scram if nuclear system pressure is below 600 psig.

c. STARTUP - Selects neutron monitoring system scram for low neutron flux level operation (see Section 7.3); bypasses main steam line isolation valve closure and condenser low vacuum scram if primary system pressure is below 600 psig.

d. RUN - Selects neutron monitoring system scram for power range operation (see Section 7.3).

7.6.1.2.8 Scram Bypasses

A number of scram bypasses are provided to account for the varying protection requirements depending on reactor conditions and to allow for instrument service during reactor operations. Some bypasses are automatic, others are manual. All manual bypass switches are in the control room, under the direct control of the control room operator. If the ability to trip some part of the system has been bypassed, this fact is continuously indicated in the control room.

Automatic bypass of the scram trip from main steam isolation valve closure or condenser low vacuum is provided when both of the following conditions exist concurrently:

a. Mode switch not in RUN.

b. Primary system pressure less than 600 psig.

The bypass allows reactor operations at low power with the main steam lines isolated. These conditions exist during startups and certain reactivity tests during refueling.

The scram is initiated by placing the mode switch in SHUTDOWN and is then automatically bypassed after a time delay of two seconds. The bypass is provided to restore the control rod drive hydraulic system valve lineup to normal. An annunciator in the control room indicates the bypassed condition.

An automatic bypass of the turbine control valve fast closure scram and turbine stop valve closure scram is enabled below 26.6% thermal power as indicated by the turbine first stage pressure (Reference 58). Closure of these valves from such a low initial power level does not constitute a threat to the integrity of any barrier to the release of radioactive material. Bypasses for the Neutron Monitoring System channels are described in Section 7.3. A manual keylock switch located in the control room permits the operator to bypass the scram discharge volume high level scram trip if the mode switch is in SHUTDOWN or REFUEL. This bypass allows the operator to reset the protection system, so that the system is restored to operation while the operator drains the scram discharge volumes. In addition to allowing the scram relays to be reset, actuating the bypass initiates a control rod block. Resetting the trip actuators opens the scram discharge volume vent and drain valves. An annunciator in the control room indicates the bypass condition.

7.6.1.2.9 Instrumentation

Trip channels providing inputs to the Reactor Protection System are separated. The Reactor Protection System instrumentation, shown on Section 15 Drawing NX-7834-2-2, is discussed as follows:

a. Nuclear Instrumentation System instrumentation is described in Section 7.3.

b. Reactor pressure is tapped from the reactor vessel at two separate locations. A pipe from each tap is led outside the primary containment and terminates in the reactor building. Two locally mounted, non-indicating pressure switches monitor the pressure in each pipe. Cables from these switches are routed to the control room. The two pairs of switches are physically separated. Each switch provides a high pressure signal to one trip channel. The switches are arranged so that each pair provides an input to trip system A and trip system B.

The physical separation and the signal arrangement assure that no single physical event can prevent a scram due to nuclear system high pressure.

c. Reactor vessel low water level signals are initiated from differential pressure transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The transmitters are arranged in pairs in the same way as the nuclear system high pressure switches. Two instrument pipe lines attached to taps, one above and one below the water level, on the reactor vessel are required for the differential pressure measurement for each pair of transmitters.

The two pairs of pipe lines terminate outside the Primary Containment and inside the Reactor Building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The Reactor Protection System transmitters, as well as instruments for other systems sense pressure and level from these same pipes. The power requirements for the reactor water level differential transmitter trip units, Panels C304 A-D, are supplied by the class 1E UPS and the RPS MG-sets. The trip unit power supplies are configured such that the loss of any one power source will not cause the loss of a trip unit. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level.

Cold reference legs are used to increase the accuracy of the level measurements during LOCA conditions.

d. The turbine stop valves are physically separated by approximately 5 feet from each other, and each stop valve has a National Acme, or equivalent, limit switch mechanically linked to the valve stem. Two contacts of the four available contacts on each switch are used in the RPS logic; one contact serves as a channel input to the A trip system and the other contact serves as a channel input to the B trip system. Each contact input to the RPS opens whenever the stop valve is 10% closed, and the RPS trip logic is designed to produce a scram trip when 3 out of 4 stop valves have reached or exceeded the 10% closure setpoint. This provision permits frequent testing of the stop valves without causing RPS trips.

e. Loss of oil pressure at the acceleration relay is used to indicate imminent rapid closure of the turbine control valves. Pressure switches A and B are mounted on one pressure tap and are separated as much as possible from the other pressure tap containing pressure switches C and D. The physical separation and signal arrangement assure that no single event can prevent a scram due to fast closure of the turbine control valves (acceleration relay trip). Each pressure switch provides a contact opening on loss of oil pressure which is used in the 1-out-of-2-twice trip logic of the RPS.

f. Main steam line isolation valve closure inputs to the Reactor Protection System are from valve stem position switches mounted on the eight main steam line isolation valves. Each of the double pole, single throw switches is arranged to open before the valve is more than 10% closed to provide the earliest positive indication of closure. Either of the two trip channels associated with one isolation valve can signal valve closure. The main steam line isolation valve closure trip is arranged so that any one steam line may be isolated by full closure of its isolation valves and the isolation valve for any one other steam line may also be closed without causing a scram.

g. The Scram discharge volume high water level inputs to the Reactor Protection System are from four non-indicating switches (two thermally activated and two float type) installed on each volume. Each switch provides an input into one trip channel. The switches are arranged in pairs so that no single event can prevent a reactor scram due to high water level in either scram discharge volume. The trip point for these switches cannot be adjusted without unbolting the switch and rewelding the flange location. With the scram setting as listed in Table 7.6-1, a scram is initiated before insufficient capacity remains in either tank to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting.

h. Primary containment pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the drywell in the reactor building. Cables are routed from the switches to the control room. Each switch provides an input to one trip channel. Pipes that terminate in the secondary containment (Reactor Building) connect the switches with the drywell interior. The switches are grouped in pairs, physically separated, and electrically connected to the reactor protection system so that no single event can prevent a scram due to primary containment high pressure.

i. Four reactor pressure switches are interlocked with the mode switch to provide the automatic bypass of the main steam line isolation valve closure and condenser low vacuum trips when nuclear system pressure is below 600 psig. The switches are mounted outside the drywell on two instrument racks that are physically separated. The switches sense pressure from the same pipe lines that are used for the primary system high pressure scram switches. The arrangement of switches is such that no single failure can prevent a scram due to main steam line isolation valve closure.

j. Four pressure switches each provide a contact closure to the RPS trip logic whenever the turbine first stage pressure corresponds to less than 26.6% of rated power. These contact inputs are used in the 1-out-of-2-twice logic of the RPS to produce an automatic bypass of the turbine trip scram (stop valve closure) and the generator trip scram (control valve fast closure) below 26.6% of rated power as indicated by turbine first stage pressure. This ensures that reactor thermal power is less than 40% of its rated value even if 11.5% power is being passed directly to the condenser through the bypass valves. The two pressure taps are separated as much as possible from each other to provide physical isolation.

k. The condenser low vacuum switches initiate reactor scram in anticipation of turbine stop valve closure from loss of vacuum. The safety grade low vacuum scram switches in combination with the non-safety related turbine logic to close the turbine stop valves are sufficient to protect the condenser from overpressure as described in 7.6.1.2.6.e above. The four switches are installed at two pressure taps and are used in the 1-out-of-2-twice trip logic of the RPS. The two pressure taps are located with one on each of the two sections of the condenser. The switches are mounted on separate panels and are separated by at least five feet.

Sensor trip channel and trip logic relays are fast response, high reliability relays. Power relays for interrupting the scram pilot valve solenoids are magnetic contactors. All reactor protection system relays are selected so that the continuous load does not exceed 50% of the continuous duty rating. Component electrical characteristics are selected so that the system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts is less than 50 milliseconds.

Sensing elements are equipped with enclosures so that they can withstand conditions that may result from a steam or water line break long enough to perform satisfactorily.

Access to calibration and trip setting controls that are located outside the control room is limited to authorized personnel by maintaining cover plates, access plugs, or sealing devices.

7.6.1.2.10 Wiring

Wiring and cables for reactor protection system instrumentation are selected to avoid excessive deterioration due to temperature and humidity during the design life of the plant. Cables and connectors used inside the primary containment are designed for continuous operation at an ambient temperature of 150°F and a relative humidity of 99%.

Cables required to carry low level signal-currents of less than 1 milliampere, or voltages of less than 100 millivolts, are designed and installed to eliminate, insofar as practical, electrostatic and electromagnetic pick-up from power cables and other AC or DC fields; ferromagnetic conduits or totally enclosed ferromagnetic trays are used.

Low level signal cables are routed separately from all power cables with a minimum separation of 3 feet. Where the low level signal cable runs at right angles to a power cable, a separation distance of less than three feet may be used, based upon the probable noise pickup relative to the allowable signal-to-noise ratio.

Wiring for the reactor protection system outside of the enclosures in the control room is run in rigid or flexible metallic conduits used for no other wiring. The wires from duplicate sensors on a common process tap are run in separate conduits. Wires for sensors of different variables in the same reactor protection system trip logic may be run in the same conduit.

The instrument ac powering the reactor water level differential transmitter trip units, Panels C304 A-D, does not run in dedicated raceway. The water level input signals and the trip unit outputs do run in dedicated raceway.

The scram pilot valve solenoids are powered from 8 trip actuator logic circuits, i.e., 4 circuits from trip system A and 4 from trip system B. The 4 circuits associated with any one trip system are run in separate conduits. One trip actuator logic circuit from each trip system may run in the same conduit; wiring for the two solenoids associated with any one control rod may run in the same conduit.

Electric panels, junction boxes, and components of the reactor protection system are prominently identified by nameplate. Circuits entering junction boxes or pull boxes are conspicuously marked inside the boxes. Wiring and cabling outside cabinets and panels are identified by color, tag or other conspicuous means.

7.6.1.3 Performance Analysis

The Reactor Protection System is designed to provide protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the nuclear system process barrier (reactor primary system).

Trip settings were selected such that they are far enough above or below normal operating levels that spurious scrams and operating inconvenience are avoided; it was also verified by analysis that the reactor fuel and nuclear system process barrier were protected as required by the basic objective. In all cases, the specific scram trip point selected is not the only value of the trip point which results in no damage to the fuel or nuclear system process barrier; trip setting selection is based on operating experience and constrained by the safety design basis.

The scrams initiated by neutron monitoring system variables, turbine stop valve closure, turbine control valve fast closure, and reactor vessel low water level are sufficient to prevent fuel damage following abnormal operational transients. Specifically, these scram functions initiate a scram in time to prevent the core from exceeding the thermal-hydraulic safety limit during abnormal operational transients.

The evaluation of the scram function provided by the Neutron Monitoring System is presented in Section 7.3.

The scram initiated by reactor high pressure, in conjunction with the Automatic Pressure Relief System, is sufficient to prevent damage to the nuclear system process barrier as a result of internal pressure. For turbine-generator trips, the turbine stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the reactor primary pressure safety limit than the high pressure scram.

The scrams initiated by the Nuclear Instrumentation System, main steam isolation valve closure, and reactor vessel low water level satisfactorily limit the radiological consequences of gross failure of the fuel or nuclear system process barriers.

Section 14.7 evaluates failures of the fuel.

In terms of protection system nomenclature, the Reactor Protection System is a one-out-of-two system used twice (1 of 2 x 2). Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, since the differences are slight, they can, in a practical sense, be neglected. The advantage of the dual trip system arrangement is that it can be tested thoroughly during reactor operation without causing a scram. This capability for a thorough testing program, which contributes significantly to increased reliability, is not possible for a one-out-of-two system.

The use of an independent trip channel for each trip logic allows the system to sustain any trip channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or trip channel failure causes a single trip system trip and actuates alarms that identify the trip. The failure of two or more sensors or trip channels would cause either a single trip system trip, if the failures were confined to one trip system, or a reactor scram, if the failures occurred in different trip systems. Any intentional bypass, maintenance operation, calibration operation, or test, any of which may result in a single trip system trip, leaves at least two trip channels per monitored variable capable of initiating a scram by causing a trip of the remaining trip system. The resistance to spurious scrams contributes to plant safety, because unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure.

Any actual condition in which an essential monitored variable exceeds its scram trip point is sensed by at least two independent sensors in each trip system. Because only one trip channel must trip in each trip system to initiate a scram, the arrangement of two trip channels per monitored variable trip system provides assurance that a scram occurs as any monitored variable exceeds its scram setting.
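The single-failure behaviour described in the preceding paragraphs can be checked exhaustively. The following Python model of the one-out-of-two-twice arrangement is an added example, not part of the USAR; the channel names A1, A2, B1, B2 and the "stuck" (cannot trip) fault mode are assumptions of the model.

```python
from itertools import combinations

# Assumed channel names: two trip channels in each of trip systems A and B.
CHANNELS = ("A1", "A2", "B1", "B2")


def channel_tripped(name, demand, faults):
    """Return True if the channel output is in the tripped (deenergized) state."""
    fault = faults.get(name)
    if fault == "tripped":   # channel failed in the safe direction
        return True
    if fault == "stuck":     # modelling assumption: channel cannot trip
        return False
    return demand            # healthy channel follows the monitored variable


def trip_systems(demand, faults):
    """One-out-of-two inside each trip system."""
    s = {c: channel_tripped(c, demand, faults) for c in CHANNELS}
    return (s["A1"] or s["A2"], s["B1"] or s["B2"])


def scram(demand, faults=None):
    """Both trip systems must trip ("used twice") to produce a scram."""
    a, b = trip_systems(demand, faults or {})
    return a and b


def half_scram(demand, faults=None):
    """Exactly one trip system tripped: single trip system trip, no scram."""
    a, b = trip_systems(demand, faults or {})
    return a != b


def fault_sets(n, kind):
    """Every way of putting the same fault on n distinct channels."""
    return [dict.fromkeys(combo, kind) for combo in combinations(CHANNELS, n)]


def single_failure_results():
    """Single faults: missed scrams on demand, spurious scrams, half scrams."""
    missed = [f for f in fault_sets(1, "stuck") if not scram(True, f)]
    spurious = [f for f in fault_sets(1, "tripped") if scram(False, f)]
    half = [f for f in fault_sets(1, "tripped") if half_scram(False, f)]
    return missed, spurious, half


def double_failure_results():
    """Double faults: channel pairs that defeat a scram or cause a spurious one."""
    missed = [tuple(f) for f in fault_sets(2, "stuck") if not scram(True, f)]
    spurious = [tuple(f) for f in fault_sets(2, "tripped") if scram(False, f)]
    return missed, spurious


if __name__ == "__main__":
    missed1, spurious1, half1 = single_failure_results()
    missed2, spurious2 = double_failure_results()
    print("single stuck channel defeats scram:", missed1)
    print("single tripped channel causes scram:", spurious1)
    print("single tripped channel causes half scram:", len(half1), "of 4")
    print("stuck pairs that defeat scram:", missed2)
    print("tripped pairs that cause scram:", spurious2)
```

Under the assumed "stuck" fault mode, only two failures inside the same trip system defeat the function, which is the case the minimum operable channel requirement for an untripped trip system addresses.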

Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot valve solenoid for any control rod fails to deenergize when a scram is required.

Sensors, trip channels, and trip logics of the Reactor Protection System are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system.

Failure of either reactor protection system motor generator set would result, at worst, in a single logic channel trip. Alternate power is available to the reactor protection system busses. A complete, sustained loss of electrical power to both busses would result in a scram, delayed by the motor-generator set flywheel inertia, in about three seconds.

The environmental condition in which the instruments and equipment of the Reactor Protection System must operate was considered. Components which serve the Reactor Protection System that are located inside the primary containment and which must function in the environment resulting from a break of the nuclear system process barrier inside the Primary Containment are the condensing chambers and portions of the instrument columns. Special precautions are taken to ensure satisfactory operability after the accident.

Safe shutdown of the reactor during earthquake ground motion is assured by the design of a system as a Class I system and the failsafe characteristics of the system. The system only fails in a direction that causes a reactor scram when subjected to extremes of vibration and shock.

To ensure that the Reactor Protection System remains functional, the number of operable trip channels for the essential monitored variables should be maintained at or above the minimum value given in the Technical Specifications. The minimums apply to any untripped trip system; a tripped trip system may have any number of inoperative trip channels.

Calibration and test controls for the Nuclear Instrumentation System are located in the control room and are, because of their physical location, under the direct physical control of the control room operator. Calibration and test controls for pressure switches, level switches, and valve position switches are located on the switches themselves. These switches are located in the Turbine Building, Reactor Building, and Primary Containment. To gain access to the setting controls on each switch, a cover plate or sealing device must be removed. The control room operator is responsible for granting access to the setting controls to properly qualified plant personnel for the purpose of testing or calibration adjustments.

7.6.1.4 Inspection and Testing

The Reactor Protection System can be tested during reactor operation by five separate tests. The first of these is the manual trip actuator test. By depressing the manual scram button for one trip system, the manual trip logic actuators are deenergized, opening contacts in the trip actuator logics. After resetting the first trip system tested, the second trip system is tripped with the other manual scram button.

The total test verifies the ability to deenergize all 8 groups of scram pilot valve solenoids by using the manual scram push button switches. Scram group indicator lights verify that the trip actuator contacts have opened.

The second test is the automatic trip actuator test which is accomplished by operating, one at a time, the keylocked test switches for each automatic trip logic. The switch deenergizes the trip actuators for that trip logic, causing the associated trip actuator contacts to open. The test verifies the ability of each trip logic to deenergize the actuator logics associated with the parent trip system. The actuator and contact action can be verified by observing the physical position of these devices.

The third test includes calibration of nuclear instrumentation system by means of simulated inputs from calibration signal units.

The fourth test is the single rod scram test which verifies capability of each rod to scram. It is accomplished by operation of toggle switches on the protection system operations panel. Scram times can be obtained from the rod worth minimizer for each rod scrammed.

The fifth test involves applying a test signal to each reactor protection system trip channel in turn and observing that a trip channel trip or a trip logic trip results. This test also verifies the electrical independence of the trip channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps. The test is conducted as follows:

a. The seal on the instrument shutoff valves to a specific instrument is removed by authorized personnel.

b. The instrument is isolated using the instrument valve (or instrument manifold valve) and a calibration set is attached to the instrument calibration taps which are arranged to avoid spilling of water (if the instruments are normally filled).

c. A calibration signal sufficient to actuate the sensor contacts is applied while reading the value of applied pressure on a calibrated test gage.

d. The trip points and reset point are compared to the required set point and the value is logged.

e. Adjustments are made to the trip setting if necessary; adjustments are logged.

f. Communication with the control room is maintained during the test to verify the trip point as registered on control room instruments. The trip value is logged.

g. Proper protective relay operation is also verified by observation.

h. The calibration signal is then reduced to zero, the test set is removed, the calibration taps are plugged, the sensors are valved into service, and the valves are sealed or locked in their operating positions.

i. The final state of the system valving and indication is verified by reactor authorized personnel, and the test is logged as complete.

Reactor protection system response times were first verified during preoperational testing and are verified periodically by similar tests. The elapsed time from sensor trip to each of the following events is measured:

1. Trip channel relay deenergized.

2. Trip actuators deenergized.

7.6.2 ATWS System

7.6.2.1 Design Basis

The Anticipated Transient Without Scram (ATWS) system is designed to mitigate the consequences of the extremely unlikely failure of the Reactor Protection System to effect reactor shutdown when required. The system will limit the following parameters to the specified values (References 59 and 62):

a. Reactor vessel pressure less than 1500 psig.

b. Peak clad temperature below the 10 CFR 50.46 limit of 2200°F.

c. Peak suppression pool temperature below the design limit of 281°F.

d. Peak containment pressure below the design pressure of 56 psig.

e. Fuel local cladding oxidation below the 10 CFR 50.46 limit of 17% of total clad thickness.

See Section 14.8 for more detailed information on ATWS design basis.

7.6.2.2 General Description

The ATWS system consists of two separately powered trip systems, Channel A and Channel B, each made up of two sub-channels. Each sub-channel receives an input from an independent sensor monitoring each of the ATWS trip parameters. A trip occurring in both sub-channels of logic Channel A or a trip occurring in both sub-channels of logic Channel B will cause an ATWS trip which opens both recirc MG set generator field breakers and causes control rod insertion by venting the scram air header. Each field breaker is equipped with two trip coils, one connected to logic Channel A and the other to Channel B. Either trip coil can trip the breaker. Two solenoid valves, SV 3-142 A and SV 3-142 B, are installed in the scram air header upstream of the hydraulic control units. Energizing either of the valves will vent the header and cause control rod insertion (if a common-mode failure has not disabled the drives) when the scram valves fail open on low air pressure.

Each ATWS system logic channel is made up of two sub-channels designated A and C for Channel A and B and D for Channel B. For each input parameter, there is one independent sensor for each of the sub-channels.

The inputs to the ATWS system are:

a. Reactor Vessel Low-Low Water Level

Low-low water level in the reactor vessel may indicate that an ATWS event has occurred. Accordingly, an ATWS system trip is initiated when the level reaches -47 inches.

Level is sensed by four level transmitters. The transmitter output is fed to four analog trip units which energize their respective sensor relays when the transmitter output reaches the trip unit setpoint.

To prevent the ATWS trip on low-low water level from affecting the ECCS system performance, a time delay of >= 6 seconds and <= 8.6 seconds is provided for this trip. If the low-low level condition clears before the time delay relay times out, the relay will reset and the ATWS trip will not occur.

b. Reactor Vessel High Pressure

Reactor vessel pressure significantly higher than the high pressure scram setting is the primary indication of an ATWS event. Therefore, an ATWS trip is initiated when reactor pressure reaches 1135 psig.

Pressure is sensed by four pressure transmitters. The transmitter output is fed to four analog trip units, which energize their respective sensor relays when the transmitter output reaches the trip unit setpoint.

c. Manual Initiation

A manual initiation feature is included in the system to provide a means of tripping the recirc pumps and initiating ARI if the operator should detect an ATWS event prior to the instrumentation sensing it.

The ATWS system analog trip units, logic relays, and power supplies are located in two cabinets on the second floor of the reactor building.

Each analog trip unit contains a meter that indicates the transmitter output and is used for daily sensor checks. A GROSS FAIL indicator located above the meter will be lighted if the transmitter output fails upscale or downscale. After correcting the problem, the indicator may be reset by means of the RESET switch located next to it.

Six indicating lights at the top of the cabinet monitor continuity through the trip output logic, the field breaker trip coils and ARI solenoid valves. These lights are only used during surveillance testing and do not provide meaningful information under other conditions.

Control room annunciators are initiated when a logic sub-channel trip occurs. ATWS CH A TRIP annunciator is initiated when either Channel A or Channel C is tripped. ATWS CH B TRIP annunciator is initiated when either Channel B or Channel D is tripped. Note that with this arrangement and the 2-out-of-2-once logic, only one annunciator would be received for a complete trip in one trip system.
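The ATWS voting, level time delay and annunciator behavior described above can be exercised with a small model. This is an added Python example, not code from the USAR or the plant; the 7.0 s delay (a value inside the stated band), the per-sub-channel timer, the non-latching sub-channel outputs and the "normal" sample readings are assumptions made for illustration.

```python
"""Simplified model of the ATWS trip logic (added illustration, not plant code)."""
from dataclasses import dataclass

LEVEL_TRIP_IN = -47.0         # low-low water level setpoint from the text, inches
PRESSURE_TRIP_PSIG = 1135.0   # high pressure setpoint from the text, psig
LEVEL_DELAY_S = 7.0           # assumed value inside the stated 6 to 8.6 s band

# Sub-channels A and C make up logic Channel A; B and D make up Channel B.
CHANNELS = {"A": ("A", "C"), "B": ("B", "D")}


@dataclass
class SubChannel:
    level_timer_s: float = 0.0   # how long the low-low level condition has persisted

    def update(self, level_in, pressure_psig, dt_s):
        """Advance one time step; return True if this sub-channel is tripped."""
        if level_in <= LEVEL_TRIP_IN:
            self.level_timer_s += dt_s
        else:
            self.level_timer_s = 0.0          # condition cleared: delay relay resets
        level_trip = self.level_timer_s >= LEVEL_DELAY_S
        pressure_trip = pressure_psig >= PRESSURE_TRIP_PSIG   # no delay on pressure
        return level_trip or pressure_trip


class AtwsLogic:
    def __init__(self):
        self.sub = {n: SubChannel() for pair in CHANNELS.values() for n in pair}

    def step(self, readings, dt_s):
        """readings maps sub-channel name to (level_in, pressure_psig)."""
        tripped = {n: sc.update(*readings[n], dt_s) for n, sc in self.sub.items()}
        # Both sub-channels of a channel must trip to complete that channel.
        channel = {c: all(tripped[n] for n in pair) for c, pair in CHANNELS.items()}
        # The CH A / CH B TRIP annunciators alarm on either sub-channel.
        annunciator = {c: any(tripped[n] for n in pair) for c, pair in CHANNELS.items()}
        # Either completed channel opens the field breakers and vents the header.
        return {"channel": channel, "annunciator": annunciator,
                "atws_trip": any(channel.values())}


def uniform(level_in, pressure_psig):
    """Same reading on all four sensors."""
    return {n: (level_in, pressure_psig) for n in "ABCD"}


def first_trip_time(trace, dt_s=0.5):
    """Run a list of per-step readings; return seconds to ATWS trip, or None."""
    logic = AtwsLogic()
    for i, readings in enumerate(trace, start=1):
        if logic.step(readings, dt_s)["atws_trip"]:
            return i * dt_s
    return None


# Constructed sample values (not plant data): 30 in and 1000 psig as "normal".
NORMAL = uniform(30.0, 1000.0)
LOW_LEVEL = uniform(-50.0, 1000.0)


def pressure_on(names):
    """High pressure seen only by the named sub-channels, for one time step."""
    readings = dict(NORMAL)
    for n in names:
        readings[n] = (30.0, 1140.0)
    return AtwsLogic().step(readings, 0.5)


if __name__ == "__main__":
    print("5 s level dip:", first_trip_time([LOW_LEVEL] * 10 + [NORMAL] * 10))
    print("sustained low level:", first_trip_time([LOW_LEVEL] * 20))
    print("pressure on A and C:", pressure_on("AC"))
    print("pressure on A and B:", pressure_on("AB"))
```

High pressure on sub-channels A and B alone raises both annunciators without an ATWS trip, while A and C alone complete Channel A and raise only the CH A annunciator.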

ATWS CABINET TROUBLE annunciators are initiated for the following conditions:

a. Transmitter gross failure

b. Trip unit removed from card file

c. Cabinet power supply failure

Pushbuttons at the cabinets permit testing of the alarm relays for conditions b. and c. above.

Power for each channel of the ATWS system logic is provided from two 24 Vdc power supplies. The source for one of these 24 Vdc power supplies is 120 Vac from an Uninterruptible AC system. The source for the other 24 Vdc power supply is 120 Vac from a 125 Vdc/120 Vac inverter located in the associated battery room.

Power for the ARI solenoid valves is supplied from 125 Vdc distribution panels D11 Circuit 5 (SV 3-142A) and D21 Circuit 6 (SV 3-142B).

7.6.2.3 Performance Evaluation

The ATWS - ARI system is designed such that no single failure of the ATWS - ARI system can cause an inadvertent reactor scram. If, however, this unlikely event should occur, it would be no different than an inadvertent actuation of the existing backup scram valves; the result would be a reactor scram by means of venting the scram air header.

The arrangement of the ARI solenoid valves and check valve precludes a single failure of these valves preventing the backup scram valves from performing their function.

7.6.3 Primary Containment Isolation System

7.6.3.1 Design Basis

The objective of the Primary Containment Isolation System (PCIS) is to provide protection against the onset and consequences of accidents involving the gross release of radioactive materials from the Primary Containment. This protection is the automatic isolation of appropriate pipelines which penetrate the primary containment whenever certain monitored variables exceed their preselected operational limit. To accomplish this objective the containment isolation system was designed using the following bases:

a. To prevent the release of radioactive materials in excess of the limits of 10CFR50.67 as a result of the design basis accidents.

b. To function safely following any single component malfunction.

c. To function independently of other plant controls and instrumentation.

The isolation system is designed in accordance with IEEE-279 (Reference 18) for nuclear power plant protection systems as described in Section 7.1.1.

7.6.3.2 Description

7.6.3.2.1 Definitions

Class A isolation valves are in pipelines that communicate directly with the reactor vessel and penetrate the Primary Containment. These lines generally have two isolation valves in series - one inside the primary containment and one outside the primary containment.

Class B isolation valves are in pipelines that do not communicate directly with the reactor vessel, but penetrate the Primary Containment and communicate with the primary containment free space. These pipelines generally have two isolation valves in series, both of them outside the Primary Containment, except that on water-sealed lines one isolation valve in addition to the water seal is adequate to meet isolation requirements.

Class C isolation valves are in pipelines that penetrate the Primary Containment but do not communicate directly with the reactor vessel, the primary containment free space, or the environs. These lines require one isolation valve located outside the Primary Containment. In addition, current NRC requirements would require these systems to be protected against the dynamic effects of a high energy line break outside of containment and be designed to Seismic Category I requirements. The Reactor Building Closed Cooling Water System was not designed to meet these requirements; however, redundant remote manual isolation valves are provided in the Primary Containment supply and return lines to permit valve leakage tests and to increase reliability (see References 43 and 44).

7.6.3.2.2 Identification

The Primary Containment and reactor vessel isolation control system includes the sensors, trip channels, switches, and remotely activated valve closing mechanisms associated with the valves, which, when closed, effect isolation of the Primary Containment or reactor vessel, or both. It should be noted that the control systems for those class A and class B isolation valves which close by automatic action pursuant to the design bases are the main subjects of this section. However, class C remotely operated isolation valves are included because they add to the operator's ability to effect manual isolation. Testable check valves are also included because they provide the operator with an ability to verify that the check valve disc can respond to reverse flow.

7.6.3.2.3 Physical Arrangement

Pipelines that penetrate the Primary Containment and are in direct communication with the reactor vessel generally have two class A isolation valves, one inside the Primary Containment and one outside the Primary Containment. Pipelines that penetrate the Primary Containment and communicate with the primary containment free space, but do not communicate directly with the reactor vessel, generally have two class B isolation valves located outside the Primary Containment. Class A and class B automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the primary system barriers. Process pipelines that penetrate the Primary Containment but do not communicate directly with the reactor vessel, the primary containment free space, or the environs, have at least one class C isolation valve located outside the Primary Containment that may close either by process action (reverse flow) or by remote manual operation. The controls for the automatic isolation valves are discussed in this section.

Power cables are routed in cable trays and/or conduits from the electrical sources to the motor or solenoid involved in the operation of each isolation valve. Pressure and water level sensors are mounted on instrument racks as near as practical to the pressure source monitored. Valve position switches are mounted on the valve for which position is to be indicated. Switches are enclosed in cases to protect them from environmental conditions. Cables from each sensor are routed in conduits and cable trays to the control room with particular attention to routing in order to maintain independence. All signals transmitted to the main control room are electrical; no pipe from the nuclear system or the primary containment penetrates the control room. Pipes used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment (Reactor Building). The sensor cables and power supply cables are routed to cabinets in the control room where the logic arrangements of the system are formed.

To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of class A and class B valves are designed as Class I equipment as described in Section 12.

7.6.3.2.4 Description

The power supply for the PCIS trip systems and trip logics is fed from the Reactor Protection System power supply, the uninterruptible AC System, and/or the 125 Vdc battery systems.

Power for the operation of two valves in a pipeline is fed from different sources. One valve is powered from a reliable AC bus of appropriate voltage, and the other valve is powered by DC from the plant batteries. Automatic controls for the two valves are mounted in separate panels. The Main Steam Isolation Valves (MSIVs), which are described in Section 5.2.2, use AC, DC, and pneumatic pressure in the control scheme. The control arrangement for the main steam line isolation valves includes a pneumatic cylinder. Pneumatic pressure is used to hold the valve open against large springs. On receipt of an isolation signal, the inboard MSIV pneumatic pressure is shifted to close the valves with aid from the springs whereas for the outboard MSIVs, pneumatic pressure is vented from the air cylinder allowing the stored energy in the springs alone to close the valve.

The primary containment isolation system logic is arranged as a dual logic channel system, similar to that of the Reactor Protection System (as described in Section 7.6.1). The overall logic of the system is one-out-of-two-taken twice. This includes trip systems arranged in one-out-of-two-once logic where coincident tripping of two trip systems is required for the desired isolation to occur. Exceptions to this basic logic arrangement are made in several instances.

There are four exceptions to the one-out-of-two-twice logic arrangement: (1) reactor building ventilation exhaust high radiation isolation logic, (2) fuel pool high radiation, (3) RCIC high steam flow isolation logic, and (4) HPCI high steam flow isolation logic.

In these cases, a single logic channel trip initiates isolation. The reactor building ventilation exhaust high radiation trip or the fuel pool high radiation trip causes closure of a number of class B isolation valves which, if inadvertently closed, would neither adversely affect plant safety nor interfere significantly with plant operations.

A failure of the RCIC or HPCI high flow sensors could result in an inadvertent isolation of the steam supply line to the RCIC or HPCI turbine. With respect to the release of radioactive material from the nuclear system process barrier, such a failure is in the safe direction. Because of the redundancy in core standby cooling systems and methods, the inadvertent isolation of either the RCIC or HPCI steam line does not adversely affect the effectiveness of the core cooling systems to such an extent that a more complex logic arrangement is warranted.

During normal operation of the isolation control system, when isolation is not required, sensor and trip contacts essential to safety are closed; trip channels, trip logics, and trip actuators are normally energized. Whenever a trip channel sensor contact opens, its auxiliary relay deenergizes, causing contacts in the trip logic to open. The opening of contacts in the trip logic deenergizes its trip actuators. When deenergized, the trip actuators open contacts in all the trip actuator logics for that trip system. If a trip then occurs in any of the trip logics of the other trip system, the trip actuator logics for the other trip system are deenergized. With both trip systems tripped, the valve control circuitry actuates the valve closing mechanism. Automatic isolation valves that are normally closed receive the isolation signal as well as those valves that are open. Once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate switches in the main control room to reopen a valve which has been automatically closed. Interlocks are provided that prevent automatic reopening of the isolation valve upon isolation logic reset. The interlock requires the valve hand switches to be returned to the close position, and then placed in the auto/open position to open the valves following reset of the isolation logic.
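The one-out-of-two-taken-twice arrangement, the seal-in and the reopen interlock described above can be checked exhaustively against stuck-channel faults. The following Python model is an added example, not code from the USAR or the plant; the channel names A1, A2, B1, B2, the two fault kinds, and the rules that a reset has no effect while the isolation signal persists and that the hand switch must be cycled after the reset are assumptions made for illustration.

```python
"""One-out-of-two-taken-twice isolation logic with seal-in (added illustration)."""
from itertools import combinations, product

CHANNELS = ("A1", "A2", "B1", "B2")       # assumed names: two channels per trip system
STUCK_ENERGIZED = "stuck energized"       # channel can no longer trip
STUCK_DEENERGIZED = "stuck deenergized"   # channel reads tripped all the time


def channel_energized(fault, process_demand):
    """Deenergize-to-trip: a healthy channel drops out when the process demands it."""
    if fault == STUCK_ENERGIZED:
        return True
    if fault == STUCK_DEENERGIZED:
        return False
    return not process_demand


def isolation_signal(faults, process_demand):
    """faults maps channel name to a fault kind; unlisted channels are healthy."""
    e = {c: channel_energized(faults.get(c), process_demand) for c in CHANNELS}
    system_a = not (e["A1"] and e["A2"])   # one-out-of-two-once
    system_b = not (e["B1"] and e["B2"])   # one-out-of-two-once
    return system_a and system_b           # coincident trip of both trip systems


def findings(n_faults):
    """Enumerate every combination of n_faults stuck channels.

    Returns (spurious, blocked): fault sets that isolate with no demand, and
    fault sets that fail to isolate on a real demand.
    """
    spurious, blocked = [], []
    for chans in combinations(CHANNELS, n_faults):
        for kinds in product((STUCK_ENERGIZED, STUCK_DEENERGIZED), repeat=n_faults):
            faults = dict(zip(chans, kinds))
            if isolation_signal(faults, process_demand=False):
                spurious.append(faults)
            if not isolation_signal(faults, process_demand=True):
                blocked.append(faults)
    return spurious, blocked


class IsolationValve:
    """Seal-in and reopen interlock for one automatic isolation valve."""

    def __init__(self):
        self.sealed_in = False           # isolation logic latched
        self.handswitch = "AUTO/OPEN"
        self.reopen_permitted = True     # cleared by isolation, restored via CLOSE

    def apply_signal(self, isolation):
        if isolation:
            self.sealed_in = True        # stays set after the condition clears
            self.reopen_permitted = False

    def reset_logic(self, isolation):
        if not isolation:                # assumption: reset is blocked while tripped
            self.sealed_in = False

    def set_handswitch(self, position):
        self.handswitch = position
        if position == "CLOSE" and not self.sealed_in:
            self.reopen_permitted = True  # assumption: must follow the logic reset

    @property
    def is_open(self):
        return (not self.sealed_in and self.reopen_permitted
                and self.handswitch == "AUTO/OPEN")


def reopen_sequence():
    """Valve state at the start and after each step of the sequence in the text."""
    v = IsolationValve()
    states = [v.is_open]
    v.apply_signal(isolation_signal({}, process_demand=True))    # isolation occurs
    states.append(v.is_open)
    v.apply_signal(isolation_signal({}, process_demand=False))   # condition clears
    states.append(v.is_open)
    v.reset_logic(isolation=False)                               # logic reset only
    states.append(v.is_open)
    v.set_handswitch("CLOSE")
    states.append(v.is_open)
    v.set_handswitch("AUTO/OPEN")
    states.append(v.is_open)
    return states


if __name__ == "__main__":
    print("single faults (spurious, blocked):", findings(1))
    print("double faults:", [len(x) for x in findings(2)])
    print("reopen sequence:", reopen_sequence())
```

No single stuck channel causes a spurious isolation or blocks a demanded one; in this model it takes two faults, and the valve reopens only after the logic reset and a CLOSE then AUTO/OPEN hand switch cycle.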

Primary containment isolation functions are initiated by groups, according to the common sub-channel logic selected for each group. Additionally, manual switches on the control panel in the control room are available to backup all trip signals.

Figure 7.6-4 displays the various functions of the system and the signals which place them into effect.

A list of all the primary containment automatic isolation valves and their isolation groups is shown in Table 5.2-3b. The isolation signals and setpoints that close the applicable group of isolation valves are shown in Table 7.6-2.

The isolation functions and trip settings used for the electrical control of isolation valves are discussed in the following paragraphs.

1. Reactor vessel low water level

A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the nuclear system process barrier and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Two reactor vessel low water isolation trip settings are used to complete the isolation of the Primary Containment and the reactor vessel. The first reactor vessel low water isolation trip setting, which occurs at a higher water level than the second setting, initiates closure of all group 2 valves in major process pipelines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core. The second and lower reactor vessel low water level isolation trip setting completes the isolation of the primary containment and reactor vessel by initiating closure of the group 1 and group 3 isolation valves and any other group 2 valves that must be shut to isolate minor process lines.

The first low water level setting, which is coincidentally the same as the reactor vessel low water level scram setting, was selected to initiate isolation at the earliest indication of a possible breach in the nuclear system process barrier yet far enough below normal operational levels to avoid spurious isolation. The second and lower of the reactor vessel low water level isolation settings, which is coincidentally the same water level setting at which the RCIC System is placed into operation, was selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram and high enough to complete isolation in time for the operation of the Emergency Core Cooling System in the event of a large break in the nuclear system process barrier.

The second setting is also credited in the Feedwater/Condensate Break HELB analysis, which relies on the MSIV isolation to reduce extraction steam flow, thereby limiting break energy.

The logic for each of the two isolation settings described above is similar. For each, the outputs of two of four trip units (channels) are arranged in one-out-of-two-once logic to form a trip system. The four trip units comprise two separate trip systems. Coincident tripping of both trip systems is required for isolation initiation.

2. Main steam line space high temperature

High temperature in the space in which the main steam lines are located outside of the Primary Containment could indicate a breach in a main steam line. The automatic closure of the group 1 valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.

The main steamline space high temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

Sixteen temperature detectors (channels) are grouped in four sets of four detectors. Each set is arranged in one-out-of-four-once logic. The outputs of two sets are arranged in one-out-of-two-once logic to form a trip system. These four sets comprise two separate trip systems. Coincident tripping of both trip systems is required for isolation initiation.

3. Main steam line high flow

Main steam line high flow could indicate a break in a main steam line. The automatic closure of the group 1 valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. The main steam line high flow trip setting was selected high enough to avoid spurious isolation of a steam line yet low enough to permit early detection of a steam line break.

High steam flow signals are derived from sixteen differential pressure switches (channels) which are grouped in four sets of four switches. Each set is arranged in one-out-of-four-once logic. The outputs of two sets are arranged in one-out-of-two-once logic to form a trip system. The four sets comprise two separate trip systems. Coincident tripping of both trip systems is required for isolation initiation.

4. Low steam pressure at turbine inlet

Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the reactor pressure regulator in which the turbine control valves or turbine bypass valves open fully. This action causes rapid depressurization of the reactor. The rate of decrease of the reactor saturation temperature corresponding to the decreasing pressure could exceed the allowable rate of change of vessel temperature. The steam pressure at the turbine inlet is monitored and upon falling below a pre-selected value with the reactor in the RUN mode initiates isolation of the Group 1 pipelines. This function assures that the reactor pressure vessel temperature change limit is not reached and thermal limits are not exceeded. In order to ensure that the Minimum Critical Power Ratio is not violated during the depressurization, analysis must demonstrate that reactor operation stays within the approved ranges of the critical power correlation while power is above the thermal limit monitoring threshold. For GE14 fuel which is analyzed by AREVA, the specific version of the SPCB critical power correlation (Siemens Power Correlation B) provides a sufficiently low pressure limit to ensure that reactor pressure and flow remain within the approved pressure and flow ranges while power is above the thermal limit monitoring threshold (References 65 and 66). ATRIUM 10XM fuel is analyzed with the AREVA ACE/ATRIUM 10XM critical power correlation which provides a sufficiently low pressure limit to ensure that reactor pressure and flow remain within the approved pressure and flow ranges while power is above the thermal limit monitoring threshold (Reference 66).

The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.

Main Steam line low pressure is sensed by four pressure switches. The outputs of two of four switches (channels) are arranged in one-out-of-two-once logic to form a trip system. The four switches comprise two separate trip systems. Coincident tripping of both systems is required for isolation.

5. Primary Containment (drywell) high pressure

High pressure in the drywell could indicate a breach of the nuclear system barriers inside the drywell. The automatic closure of various valves of groups 2 and 3 prevents the release of significant amounts of radioactive material from the Primary Containment. The Primary Containment high pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.

Primary Containment pressure is sensed by four pressure switches. The outputs of two of four switches (channels) are arranged in one-out-of-two-once logic to form a trip system. The four switches comprise two separate trip systems. Coincident tripping of both systems is required for isolation initiation.

6. RCIC turbine steam line space high temperature

High temperature in the vicinity of the RCIC turbine steam line outside the primary containment could indicate a break in the RCIC steam line. The automatic closure of the RCIC isolation valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. The high temperature isolation setting was selected far enough above anticipated normal RCIC System operational levels to avoid spurious operation but low enough to provide timely detection of RCIC turbine steam line break.

Sixteen temperature detectors (channels) in the vicinity of the RCIC turbine steam line outside the primary containment are grouped in four sets of four detectors. Each set is arranged in one-out-of-two-twice logic. The output of each set provides trip signals to each of two separate isolation trip systems.

Each trip system is able, by itself, to initiate isolation.

7. RCIC turbine high steam flow

RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of the RCIC isolation valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RCIC turbine high steam flow the RCIC turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation yet low enough to provide timely detection of a RCIC turbine steam line break.

High steam flow signals are derived from two differential flow switches. Each flow switch provides a trip signal to each of two separate trip systems. Each trip system is able, by itself, to initiate isolation.

To avoid spurious isolation during the initial startup transient, a time delay of approximately 7 seconds was added in the break detection logic. The timer is started when the flow rate sensed by the elbow flow meters exceeds the trip setpoint. At the end of the timer period, system isolation only occurs if the flow meters are still reading at or above the trip setpoint.

8. RCIC Low Steam Pressure

Low pressure signals are used to automatically close the two RCIC isolation valves so that steam and possible accompanying radioactive gases do not escape from the turbine shaft seals when the reactor pressure has decreased below the pressure at which the RCIC can effectively operate.

Four pressure switches are arranged in one-out-of-two-twice logic. The output of the logic provides a trip signal to each of two separate trip systems. Each trip system is able, by itself, to initiate RCIC isolation.

9. HPCI turbine steam line space high temperature

High temperature in the vicinity of the HPCI turbine steam line outside the primary containment could indicate a break in the HPCI turbine steam line. The automatic closure of the HPCI isolation valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs in the HPCI turbine steam line space, the HPCI turbine steam supply line is isolated.

The high temperature isolation setting was selected far enough above anticipated normal HPCI System operational levels, but low enough to provide timely detection of a HPCI turbine steam line break.

Sixteen temperature detectors (channels) in the vicinity of the HPCI turbine steam line outside the primary containment are grouped in four sets of four detectors. Each set is arranged in one-out-of-two-twice logic. The output of each set provides trip signals to each of two separate isolation trip systems.

Each trip system is able, by itself, to initiate isolation.

10. HPCI turbine high steam flow

HPCI turbine high steam flow could indicate a break in the HPCI steam line. The automatic closure of the HPCI isolation valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of HPCI turbine high steam flow the HPCI turbine steam line is isolated.

Two differential pressure switches are arranged to provide two channels with time-delay trips at 300,000 lbm/hr steam flow (see Table 7.6-2). The time delay is set to meet Technical Specification requirements of 5.58 seconds and is intended to prevent short term flow peaks from initiating a system isolation.

Each channel provides a trip signal to each of two separate trip systems. Each trip system is able, by itself, to initiate isolation.

11. HPCI Low Steam Pressure

Low pressure signals are used to automatically close the two HPCI isolation valves so that steam and possible accompanying radioactive gases do not escape from the turbine shaft seals when the reactor pressure has decreased below the pressure at which the HPCI can effectively operate.

Four pressure switches are arranged in one-out-of-two-twice logic. The output of the logic provides a trip signal to a single trip system for HPCI isolation.

12. Reactor building ventilation exhaust high radiation High Radiation in the reactor building ventilation exhaust could indicate a breach of the nuclear system process barrier inside the Primary Containment which would result in increased airborne radioactivity levels in the primary containment exhaust to the Secondary Containment. The automatic closure of certain group 2 valves acts to close off release routes for radioactive material from the Primary Containment into the Secondary Containment (Reactor Building).

Reactor building ventilation exhaust high radiation initiates isolation of the following:

Primary Containment Atmospheric Control System (includes Oxygen Analyzing)

Hydrogen - Oxygen Analyzing System

Post Accident Sampling Station

The high radiation trip setting selected is equivalent to the 10CFR Part 20 reactor building vent release rate limit. Because the primary containment high pressure isolation function and the reactor vessel low water level isolation function are adequate in effecting appropriate isolation of the above pipelines for gross breaks, the reactor building ventilation exhaust high radiation isolation function is provided as a third redundant method of detecting breaks in the nuclear system process barrier significant enough to require automatic isolation. Two radiation monitors are arranged in one-out-of-two-once logic to initiate isolation. In addition to causing the isolation of the lines listed above, a trip of this system initiates isolation of Secondary Containment and operation of the Standby Gas Treatment System, as well as initiation of the Control Room Emergency Filtration System emergency mode.

13. Fuel Pool High Radiation

Two area monitors are provided to monitor the refueling floor area for possible high radiation. In the event of a release of radioactivity in or around the fuel storage pool and the refueling pool, these monitors detect the activity before it enters the ventilation duct, thereby providing an early isolation signal. The two radiation monitors are arranged in one-out-of-two-once logic to initiate isolation. This signal affects the same lines and equipment as the reactor building ventilation plenum monitor above.

14. RWCU High Flow

RWCU high flow could indicate a break in a RWCU line. The automatic closure of the RWCU isolation valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RWCU high flow, the RWCU system is isolated.

To avoid spurious system isolation during momentary system flow disturbances, a time delay is provided in the isolation logic. To protect against an instrument line failure disabling the high flow protection, a trip on negative differential pressure is also provided.

Flow is sensed using four flow transmitters to provide four channels. The outputs of two of four channels are arranged in one-out-of-two-once logic to form a trip system. The four channels comprise two separate trip systems.

Coincident tripping of both trip systems is required for isolation initiation.
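
The RWCU high-flow voting described above, as an added example that is not part of the USAR or the plant's own logic: a simplified Python model of four channels feeding two one-out-of-two trip systems whose coincident trip, held for the time delay, initiates isolation, plus an exhaustive single-stuck-channel check. The 500 gpm and 11.4 second values are from Table 7.6-2; the negative-differential setpoint, the channel pairing, where the delay is applied, and all names and sample readings are assumptions.

```python
"""Simplified model of the RWCU high-flow isolation voting (added example)."""

HIGH_FLOW_GPM = 500.0    # Table 7.6-2 allowable value
TIME_DELAY_MS = 11_400   # Table 7.6-2 time delay (11.4 s)
NEG_DP_TRIP = -50.0      # ASSUMED placeholder: the page gives no negative-dP setpoint

HEALTHY = "healthy"
STUCK_TRIPPED = "stuck_tripped"
STUCK_UNTRIPPED = "stuck_untripped"
ALL_HEALTHY = (HEALTHY,) * 4


def channel_tripped(reading, state=HEALTHY):
    """One channel: trips on high flow or on negative differential pressure.

    `reading` is indicated flow in gpm; a negative value stands for a negative
    differential across the flow element (modelling convention assumed here).
    """
    if state == STUCK_TRIPPED:
        return True
    if state == STUCK_UNTRIPPED:
        return False
    return reading >= HIGH_FLOW_GPM or reading <= NEG_DP_TRIP


def trip_systems(readings, states=ALL_HEALTHY):
    """Channels 0,1 feed trip system 1 and channels 2,3 feed trip system 2
    (pairing assumed); each trip system is one-out-of-two-once."""
    ch = [channel_tripped(r, s) for r, s in zip(readings, states)]
    return (ch[0] or ch[1], ch[2] or ch[3])


def coincident_trip(readings, states=ALL_HEALTHY):
    """Isolation logic input: both trip systems must be tripped together."""
    sys1, sys2 = trip_systems(readings, states)
    return sys1 and sys2


def isolation_time_ms(samples, dt_ms, states=ALL_HEALTHY):
    """Return the time (ms) at which isolation is initiated, or None.

    `samples` is a sequence of 4-tuples taken every `dt_ms`. The delay is
    applied to the coincident output and restarts when it clears (assumed).
    """
    started = None
    for i, readings in enumerate(samples):
        now = i * dt_ms
        if coincident_trip(readings, states):
            if started is None:
                started = now
            if now - started >= TIME_DELAY_MS:
                return now
        else:
            started = None
    return None


def single_failure_table(break_readings, normal_readings):
    """For every single stuck channel, report
    (isolates_on_break, spurious_isolation_on_normal)."""
    table = {}
    for idx in range(4):
        for mode in (STUCK_TRIPPED, STUCK_UNTRIPPED):
            states = [HEALTHY] * 4
            states[idx] = mode
            table[(idx, mode)] = (
                coincident_trip(break_readings, states),
                coincident_trip(normal_readings, states),
            )
    return table


# Constructed sample inputs (not plant data), sampled every 100 ms.
NORMAL = (300.0,) * 4
LINE_BREAK = (650.0,) * 4
HIGH_SIDE_LINE_FAILED = (-200.0,) * 4   # shared high-side instrument line lost

if __name__ == "__main__":
    sustained = [LINE_BREAK] * 200
    disturbance = [LINE_BREAK] * 50 + [NORMAL] * 150
    print("sustained break ->", isolation_time_ms(sustained, 100))
    print("5 s disturbance ->", isolation_time_ms(disturbance, 100))
    print("instrument line ->", isolation_time_ms([HIGH_SIDE_LINE_FAILED] * 200, 100))
    for key, result in single_failure_table(LINE_BREAK, NORMAL).items():
        print(key, result)
```

In this model every single stuck channel still isolates on the break and never isolates on normal flow; two channels stuck untripped in the same trip system defeat the high-flow function, which is the case the performance analysis covers through the other monitored variables.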

15. RWCU High Room Temperature

High temperature in the RWCU room could indicate a break in a RWCU line. The automatic closure of the RWCU line prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. The high temperature isolation setting was selected far enough above anticipated normal RWCU operational levels to avoid spurious operation but low enough to provide timely detection of RWCU line breaks.

Temperature is sensed using four temperature detectors to provide four channels. The outputs of two of four channels are arranged in one-out-of-two-once logic to form a trip system. The four channels comprise two separate trip systems. Coincident tripping of both trip systems is required for isolation initiation.

7.6.3.2.5 Instrumentation

Sensors providing inputs to the Primary Containment and reactor vessel isolation control system are not used for the automatic control of process systems. Trip channels are physically and electrically separated to reduce the probability that a single physical event could prevent isolation. Trip channels for one monitored variable that are grouped near each other provide inputs to different isolation trip systems. The sensors are described in the following paragraphs.

a. Reactor vessel low water level signals are initiated from 4 differential pressure transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. These transmitters are connected to trip units which provide isolation signals to different trip systems at the low water level and low-low water level setpoints. Two pipelines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for the transmitters. The two pairs of pipelines terminate outside the primary containment and inside the reactor building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The reactor vessel low water level transmitters sense level from these pipes. This arrangement assures that no single physical event can prevent isolation, if required. Cables from the level sensors are routed to the control room. Cold reference legs are used to increase the accuracy of the level measurements during LOCA conditions.

b. High temperature in the vicinity of the main steam lines is detected by 16 bimetallic temperature switches located along the main steam lines in the steam tunnel between the drywell wall and the turbine building. The detectors are positioned so that they are sensitive to air temperature and not the radiated heat from hot equipment. A temperature sensor is located near each main steam line for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature and upon loss of power to give the alarm condition. The main steam line space temperature detection instrumentation is designed to have a minimum leak detection capability of 5 to 10 gpm.

c. High flow in each main steam line is sensed by four indicating type differential pressure switches which sense the pressure difference across the flow restrictor in that line.

d. Main steam line low pressure is sensed by four pressure switches which sense pressure downstream of the outboard main steam isolation valves. The sensing point is located as close to the turbine stop valves as possible.

e. Primary Containment pressure is monitored by four non-indicating pressure switches which are mounted on instrument racks outside the drywell. Pipes that terminate in the reactor building connect the switches with the drywell interior. Cables are routed from the switches to the control room. The switches are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event can prevent isolation due to primary containment high pressure.

f. High temperature in the vicinity of the RCIC turbine steam line outside the primary containment is sensed by four sets of 4 bimetallic temperature switches.

g. High flow in the RCIC turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply pipeline.

h. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves and fed from two separate pressure taps.

i. High temperature in the vicinity of the HPCI turbine steam line outside the primary containment is sensed by four sets of 4 bimetallic temperature switches.

j. High flow in the HPCI turbine steam line is sensed by two differential pressure switches which monitor the differential pressure across a venturi tube installed in the HPCI turbine steam pipeline.

k. Low pressure in the HPCI turbine steam line is sensed by four pressure switches from the HPCI turbine steam line upstream of the isolation valves and fed from two separate pressure taps.

l. Reactor building ventilation exhaust radiation is monitored by two reactor building ventilation exhaust monitors, which are described in Section 7.5.

m. Fuel pool area radiation is monitored by two fuel pool monitors, which are described in Section 7.5.

n. High temperature in the spaces occupied by the reactor shutdown cooling system piping and the piping outside the Primary Containment is sensed by temperature switches that activate alarms only, indicating possible pipe breaks. Automatic isolation on high temperature is not required since the reactor vessel low water level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event that this system suffers a breach.

o. RWCU high flow signals are initiated from four differential pressure transmitters which sense the pressure difference across the flow element in the line. Since the four transmitters share a common flow element and instrument lines, a single failure of the high side instrument line could prevent the transmitters from detecting a high flow condition. Therefore, the trip on negative differential is provided to ensure that no single physical event can prevent isolation.

p. High temperature in the RWCU room is sensed by four RTDs. The RTDs are located to detect breaks throughout the RWCU room.

Sensor trip channel and trip logic relays are high-reliability General Electric type HFA relays or their equivalent. The relays are selected so that the continuous load does not exceed 50% of their continuous-duty rating.

The physical and electrical arrangement of the Primary Containment and reactor vessel isolation control system was selected so that no single physical event can prevent isolation. The location of class 1 and 2 valves inside and outside the Primary Containment provides assurance that the control system for at least one valve on any pipeline penetrating the primary containment remains capable of automatic isolation. Electrical cables for isolation valves in the same pipeline are routed separately. Motor operators for the valves are enclosed for protection from environmental conditions.

All cables and motor or valve operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection of equipment for the system. Cables used in high radiation areas have radiation-resistant insulation.

Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration was given to isolation requirements during a loss of coolant accident inside the drywell. Components of the Primary Containment Isolation System that are located inside the Primary Containment and that must operate during a loss of coolant accident are the cables, control mechanisms, and valve operators for isolation valves inside the drywell. These isolation components are required to be functional in a loss of coolant accident environment. Electrical cables were selected with insulation designed for this service. Closing mechanisms and valve operators were considered satisfactory for use in the isolation control system only after completion of environmental testing under design basis loss-of-coolant accident conditions or submission of evidence from the manufacturer describing the results of suitable prior tests. The environmental qualification program is discussed in Section 8.9.

7.6.3.3 Performance Analysis

7.6.3.3.1 General

The Primary Containment Isolation System, in conjunction with other safety systems, is designed to provide protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and primary system barriers. The consequences of such gross failures are described and evaluated in Section 14.7.

Design procedure has been to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconvenience are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds. Trip setting selection is based on operating experiences and constrained by the design basis and the safety analyses.

Section 14 shows that the results of actions initiated by the Primary Containment Isolation System, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the guide values of published regulations.

Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the Primary Containment Isolation System. The large number of temperature sensors and their dispersed arrangement near the steam lines requiring break protection provides assurance that a significant break is detected rapidly and accurately, regardless of leak location in that space.

A gross breach in a main steam line outside the primary containment during operation at rated power is evaluated in Section 14.7. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of the guide values of published regulations and to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed.

The shortest closure time of which the main steam valves are capable is 3 seconds.

The pressure transient resulting from a simultaneous closure of all main steam isolation valves in 3 seconds during reactor operation at rated power with position scram is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in approximately 0.1 seconds) coincident with failure of the turbine bypass system. This latter transient has been analyzed and a discussion of it is included in Section 14.4.

Because essential variables are monitored by four trip channels arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from initiating valve closure. An analysis of the isolation control system shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, grounds, and open circuits. A single trip system trip is the result of these failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a pipeline. With respect to the release of radioactive material from the primary system process barrier, such inadvertent valve closures are in the safe direction and do not pose safety problems.

The redundancy of trip channels provided for all essential variables provides a high probability that whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all trip channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings.

The sensors, circuitry, and logic channels used in the Primary Containment Isolation System are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the isolation control system.

The wall of the Primary Containment effectively separates adverse environmental conditions which might otherwise affect both isolation valves in a pipeline. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given pipeline. The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant detrimental effect on the functioning of the isolation control system.

Calibration and test controls for pressure and level switches are located on the switches themselves. These switches are located in the turbine building and reactor building. Access to the setting controls on each switch is limited to authorized personnel by maintaining cover plates, access plugs, or sealing devices. The location of calibration and test controls in areas under the control of supervision or of the control room operator reduces the probability that operational reliability may be degraded by operator error.

The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be accomplished in spite of power failures. If all AC power for valves inside the Primary Containment is lost, DC power is available for operation of valves outside the Primary Containment. The main steam isolation valve control arrangement is resistant to both AC and DC power failures. Because both solenoid operated pilot valves must be deenergized, loss of a single power supply neither causes inadvertent isolation nor prevents isolation if required. The logic circuitry for each trip system is powered from separate sources. A loss-of-power here results in a single trip system trip. In no case does a loss of a single power supply prevent isolation.

The following instrumentation and electrical equipment located within the primary containment are required to mitigate the effects of a loss-of-coolant accident.

a. Main steam isolation valve air control solenoid valve

b. Main steam safety/relief valve actuator solenoid valve

c. Recirculation sample valve air control solenoid valve

d. Motor operators for the following valves:

   1. Recirculation pump discharge valve

   2. RHR Intertie Return Line Isolation Valves (Technical Specifications SR 3.5.1.4 requires the valves to be closed or capable of being closed when in MODE 1)

   3. Reactor Water Cleanup System suction line isolation valve

   4. HPCI steam isolation valve

   5. RHR shutdown cooling suction line isolation valve

   6. RCIC steam isolation valve

   7. Main steam line drain isolation valve

Environmental qualification and testing of the above equipment are included in the Nuclear Equipment Qualification Central File (see Section 8.9).

7.6.3.3.2 RCIC-HPCI Steamline Break Isolation

The isolation of the RCIC and the HPCI is part of the primary containment isolation system. The RCIC-HPCI portion of the system includes three detection subsystems.

Subsystem A (refer to Section 15 Drawings NH-36249, NH-36250, NH-36251, and NH-36252) detects, identifies, and isolates system pipe breaks which result in steam flows greater than 300% of rated steam flow. The RCIC and the HPCI each have a flow element (a tap in a pipe elbow for RCIC & venturi for HPCI) in their respective steam feedlines. The elements are situated inside the Primary Containment. Upon high steam flow HPCI isolates after a 5.58 second time delay and RCIC isolates after a 7.16 second time delay provided to eliminate spurious isolation from the elbow tap sensor location. Refer to Figure 7.6-5. Since each system is independent of the other, the RCIC and HPCI control action does not affect the other system.

Subsystem B (refer to Section 15 Drawings NH-36249, NH-36250, NH-36251 and NH-36252) detects, identifies, and isolates system pipe breaks which result in steam flows less than 300% of rated steam flow. This subsystem monitors the individual turbine-pump component areas of the RCIC and the HPCI. Logic matrixed temperature elements initiate the necessary control actions. Again the RCIC and the HPCI control and actuations are independent and non-conflicting.

Subsystem C (refer to Section 15, Drawings NH-36249, NH-36250, NH-36251, and NH-36252) detects, identifies, and isolates system pipe breaks which result in steam flows less than 300% of rated steam flow, in areas where the RCIC and HPCI share residence. This is done in such a manner and during a time duration that neither the RCIC nor the HPCI control actions negate the functioning of the other system when the design basis ECCS and/or operator actions are taken.

The only shared area for the two systems' temperature elements is a portion of the torus area where the two lines are near each other. Two sets of temperature elements from each system monitor this common area; therefore, a failure in one system pipe could influence the other system control action, causing both systems to isolate. An evaluation of the events follows:

Refer to Figure 7.6-5. This scheme is based on the fact that there is a mutual, acceptable pipe break control action (both systems are isolated) upon high temperature in the shared area.

a. Assuming the special conditions of:

   1. No loss of AC power (Feedwater continues)

   2. Loss of coolant event (RCIC pipe break)

Upon detection of the RCIC break in the monitored area both the RCIC and the HPCI are automatically isolated. The operator determines that the RCIC is the faulty piping system by observing the pipe line pressure drop and the reactor water level recovery from the control room instrumentation. The temperature monitor resets after the RCIC is allowed to remain isolated. The HPCI isolation is removed and the system is returned to its ECCS or decay heat removal service function. In the event cited, the AC power provides feedwater flow during the event and thus core cooling and vessel water level are maintained.

b. It is emphasized that the system described above is also available for the following circumstances:

   1. Loss of all offsite AC power simultaneously with (a) above;

   2. Loss-of-coolant event (the RCIC pipe break cited above in the comment).

The RCIC and the HPCI are both immediately isolated. The operator has about 1 hour to open the HPCI valve and initiate its service or provide other actions as necessary during this same period of time.

c. The above design is also effective for:

   1. Loss of all off-site AC power simultaneously with (a) above;

   2. Loss-of-coolant event (HPCI pipe break).

In this situation both the RCIC and the HPCI are isolated. The operator determines which line is broken, from the control room, by observing pipe line pressure and reactor water level recovery. If the break is identified as an HPCI pipe the operator then initiates the auto depressurization system to provide for actuation (injection) of the low pressure coolant systems (LPCI and core spray cooling system). Analysis indicates that at least 10 minutes are available for the operator to take action to establish the low pressure cooling systems.

d. In all of the above situations the radiological consequences are far less than those of the design basis main steam line break accident which are less than the limits specified in 10CFR50.67.

7.6.3.4 Inspection and Testing

7.6.3.4.1 General

Most parts of the Primary Containment Isolation System are testable during reactor operation. Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects. Testable check valves are arranged to verify that the valve disk is free to open and close during cold shutdown. The trip channel and trip system responses can be functionally tested by applying test signals to each trip channel in turn and observing that a trip channel trip or a trip logic trip results.

Testing of the main steam line isolation valves is discussed in Section 5.2.

7.6.3.4.2 RCIC and HPCI Steam Flow

Testing the RCIC and HPCI isolation trips requires the closure of electrical contacts in one of the flow sensors in each steam line.

Each sensor may be taken out of service and tested or calibrated by connecting a manometer or other secondary standard differential pressure measuring device and differential pressure producing device in parallel with the sensor to be tested. A simulated high flow signal can be generated by increasing the differential pressure to cause the tested device and the parallel standard to run up scale. A comparison of the reading on the two devices verifies calibration of the scale. Trip point verification can be determined by observing that the switching contacts close at the specified differential pressure. The calibration procedure causes the steam line isolation valves to close so that this function can be tested at the same time. The RCIC and HPCI systems are not running during normal operation except under emergency conditions so the test may be conducted any time except during emergency conditions. Procedures provide assurance that the steam supply isolation valves are returned to their normal open position following testing or calibration.

Should the plant operator desire to bypass the isolation function during testing, he may do so by disconnecting the sensor switch. The isolation function cannot be initiated by the sensor under test. Only actual high flow or switch failure in the other sensor initiates isolation.

7.6.3.4.3 Reactor Building Ventilation Exhaust System

The reactor building ventilation exhaust monitors and fuel pool area monitors and their isolation systems may be checked by using simulated signals and portable gamma sources held near the Geiger-Muller detectors. The drywell systems that are isolated by the high radiation signal are all normally closed during reactor operation so that their inadvertent closure at any time has no safety implications.

The inadvertent closure of the reactor building ventilation ducts and initiation of the standby gas treatment system and Control Room Emergency Filtration System also have no safety implication.

Table 7.6-1 Typical Reactor Protection Systems Scram Setpoints

| Signal | Alarm Setpoint | Scram Allowable Value | Instrumentation Grouping |
|---|---|---|---|
| Reactor High Neutron Flux: APRM | 108% of rated power | 122% of rated power | B |
| Reactor High Neutron Flux: IRM | 108/125% of full scale | 122/125% of full scale | B |
| Reactor High Pressure | 1040 psia | 1075 psig | A |
| Reactor Low Water Level (Note 1) | 10 inches above trip setpoint | 7 (in the annulus) | B |
| Primary containment High Pressure (Note 2) | 1.5 psig | 2.0 psig | A |
| Condenser Low Vacuum | 6 inHgA | 21.25 Hg vacuum | A |
| Scram Discharge Volume High Level | less than or equal to 28 gallons | 56 gallons | A or B |
| Turbine Control Valve Fast Closure, Acceleration Oil Pressure-Low | | 167.8 psig (Note 3) | A |
| Turbine Stop Valve Closure | | 10% closure (Note 3) | A |
| Main Steam Line Isolation Valve Closure | | 10% closure (Note 4) | A |

Notes:

1. Provides input to the Primary Containment Isolation System Reactor Low Water Level Signal.
2. Provides input to the Primary Containment Isolation System Primary Containment High Pressure Signal.

Instrumentation Grouping:

A. Passive type devices.

B. Vacuum tube or semiconductor devices and detectors that drift and lose sensitivity.

3. Turbine 1st Stage Pressure Corresponding to >26.6% Rx Power (adjusted down from 40% Rx Power to account for turbine bypass valves allowing 11.5% reactor power to pass to the condenser).
4. Mode Switch in RUN Position or Reactor Pressure >600 psig.
5. The low vacuum scram can have a nominal set point as low as coincident with the low vacuum turbine trip. An allowable value is provided to demonstrate an anticipatory trip of low vacuum logic as compared to the low vacuum turbine trip for conservatism.

Table 7.6-2 Primary Containment Isolation System

| Signal | Group Closed | Allowable Value |
|---|---|---|
| Reactor Low Water Level | Group 2 | +7 inches |
| Reactor Low-Low Water Level | Groups 1, 3 | -48 inches |
| Primary Containment High Pressure | Group 2, 3 | 2 psig |
| Main Steam Line High Flow | Group 1 | 116.9% of rated flow |
| Main Steam Line High Temperature | Group 1 | 209°F |
| Main Steam Line Low Pressure | Group 1 | 815 psig |
| RCIC Steam Line High Temperature | Group 5 | 196°F |
| RCIC Steam Line High Flow | Group 5 | 45,903 lb/hr with <=7.16 second time delay |
| RCIC Steam Line Low Pressure | Group 5 | 54 psig |
| HPCI Steam Line High Temperature | Group 4 | 196°F |
| HPCI High Steam Flow | Group 4 | 300,000 lb/hr; 5.58 second time delay |
| HPCI Steam Line Low Pressure | Group 4 | 95.5 psig |
| Reactor Building Ventilation Exhaust High Radiation | Group 2 (Note 1) | 100 mR/hr on Reactor Building Plenum Radiation Monitors |
| Fuel Pool High Radiation | Group 2 (Note 1) | 100 mR/hr on Refueling Floor (Fuel Pool) Radiation Monitors |
| RWCU High Flow | Group 3 | 500 gpm with 11.4 second time delay |
| RWCU High Room Temperature | Group 3 | 188°F |

Notes:

1. Includes only select primary containment valves. (See Section 7.6.3.2.4, Part 12)

7.7 Turbine-Generator System Instrumentation and Control

7.7.1 General

The turbine-generator system control and instrumentation controls steam flow to the turbine and protects the turbine-generator from overpressure or excessive speed.

Feedwater flow to the reactor is controlled by a three-element control system matching the feedwater flow to the steam flow with reactor water level as a bias to maintain reactor water level at the desired set point.

7.7.2 Turbine-Generator Control

7.7.2.1 Design Basis

The pressure regulators and turbine-generator controls are integrally connected to accomplish the functions of controlling reactor pressure and turbine speed.

Specifically, reactor pressure must be prevented from increasing to too high a value during load maneuvers, and turbine speed must be maintained below design limitations. The system must result in stable response for all anticipated maneuvering rates.

7.7.2.2 Description

Control and supervisory equipment for the turbine-generator are conventional and are arranged for remote operation from the turbine-generator control panel board or console in the control room. In addition, turbine oil pressure and steam extraction pressure are transmitted to receivers on the panel board. Normally, the Electronic Pressure Regulator (EPR) controls the turbine control valve position, which admits steam to the turbine while controlling reactor pressure. A second pressure regulator, the Mechanical Pressure Regulator (MPR), is normally used as a backup to the EPR at higher power levels. The MPR has a larger pressure operating range used during startup and shutdowns; however, it can be used as the primary pressure regulator with the EPR in backup, if necessary. The ability of the plant to follow system load is accomplished by adjusting the reactor power level, either by regulating the reactor coolant recirculation flow or by moving control rods. However, the turbine speed governor, or the load limit, can override the pressure regulator(s) and close the control valves. The speed governor closes the control valves in response to an increase in turbine speed (typically due to a load reject). Manual operator actuation of the load limit or the governor control device (speed-load changer) can also close the control valves. In the event that the reactor is delivering more steam than the control valves can pass due to governor control override, load limit override, or if the turbine is tripped, the pressure regulator(s) will open the bypass valves to continue to control reactor pressure, which directs the steam to the main condenser. If the capacity of the bypass valves is exceeded, system pressure rises and scrams the reactor.


The total capacity of the main turbine bypass system is 11.5% of the 2004 MWt reactor steam flow (Reference 60). Load rejection in excess of the bypass valves' capacity which occurs due to generator or tie line breaker trips causes the reactor to scram. The bypass system can also be utilized as an overpressure relief system to prevent relief valve operation provided the main condenser is not isolated.

The Electronic Pressure Regulator (EPR) and Mechanical Pressure Regulator (MPR) are used to control both the turbine control valves and the turbine bypass valves. The operation of the two groups of valves is coordinated to satisfy the system control requirements.

Normally, the main turbine bypass valves are closed and the pressure regulator positions the turbine control valves, utilizing all the steam production to generate electrical power. A reactor flow limit device is provided to limit the total steam flow through the turbine control valves and the bypass valves to between 108% and 113% of reactor rated steam flow (Reference 61). The pressure regulator controls system pressure by operating the bypass valves whenever the turbine cannot absorb all of the generated steam, such as during startup or a sudden change in load. If the capacity of the bypass valves is exceeded when the governor or load limit reduces the steam flow to the turbine, system pressure rises and scrams the reactor. A rapid reduction of electrical load initiates a reactor scram.

The reactor flow limit device is installed to implement the Maximum Combined Flow Limit (MCFL). The turbine steam path passes 113% of reactor rated steam flow at valves wide open (all four control valves and two bypass valves 100% open), per Reference 61. Thus the reactor flow limit is set such that the control and bypass valves will fully open in response to the control system. This meets MCFL requirements in the analysis. A failure of the turbine pressure regulator open (PRFO) could cause the turbine control and bypass valves to go full open resulting in an unacceptable plant cool down rate, thus a maximum setting of the MCFL addresses this transient covered by SIL 502.

The second, or backup, pressure regulator is provided to take over control of pressure in the event that the lead regulator fails. The set point of the backup pressure regulator is a few psi above the set point of the lead pressure regulator.

The turbine stop valves are equipped with limit switches which open before the valve has moved greater than 10% from its fully opened position. These switches provide a scram signal to the reactor protection system, anticipating the resulting reactor high pressure condition.

To protect the main turbine, the following conditions initiate closure of the four turbine stop valves:

a. High reactor vessel water level

b. Turbine low control oil or bearing oil pressure

c. Turbine speed governor malfunction

d. Turbine overspeed (two devices provided)

e. Turbine generator excessive thrust bearing wear

f. Main generator electrical malfunctions

g. Main power transformer malfunctions

h. Low condenser vacuum

i. Moisture separator high level

j. Automatic Function removed per Modification EC-725

Upon a sudden loss of turbine load the turbine would tend to overspeed with an accompanying closure of the turbine control valve. A loss of pressure on the acceleration relay, which precedes closure of the control valves, causes a scram.

7.7.2.3 Performance Analysis

The pressure regulators and turbine-generator system design is such that the system provides a stable response to normal maneuvering transients.

The main turbine bypass valves are capable of responding to the maximum closure rate of the turbine admission valves such that reactor steam flow is not significantly affected until the magnitude of the load rejection exceeds the capacity of the bypass valves. Load rejections in excess of bypass valve capacity may cause the reactor to scram due to high pressure, high neutron flux, or rapid loss of acceleration relay pressure as a result of loss of electrical load. Any condition causing the turbine stop valves to close directly initiates a scram before reactor pressure or neutron flux have risen to the trip level. Turbine valve closure transients have been considered in Section 14A.

The pressure regulators can be assumed to fail in either of two ways: Opening the turbine control valves or the turbine bypass system valves, or closing them. In neither case does fuel damage occur. The backup pressure regulator reduces the probability that pressure regulator malfunction will cause operational problems. Malfunctions of the pressure regulator system have been analyzed and are discussed in Section 14.4. The Core Operating Limits Report describes any adjustments to thermal margin monitoring that are required if one pressure regulator is not operational.

7.7.3 Main Condenser, Condensate, Heater Drains, and Condensate Demineralizer System Instrumentation and Control

7.7.3.1 Design Basis

Instrumentation in conjunction with the main condenser, condensate, and condensate demineralizer systems control is designed to provide indication of system trouble. Several main condenser sensors must provide inputs to the Reactor Protection System to anticipate loss of the main heat sink and to protect against condenser overpressure. The condensate recirculation system controls ensure minimum flow for the condensate pumps and cooling to the condenser air ejectors, and gland steam condenser. Controls for the condensate demineralizer system assure adequate condensate cleanup prior to its return to the reactor primary system.

7.7.3.2 Description

The condensate pumps discharge, without throttling, to the suction of the reactor feedwater system pumps. Discharge pressure of the condensate pumps is indicated in the control room. A modulating control valve, located downstream of the gland seal condenser and steam jet air-ejector inter-condenser, and before the demineralizers, recirculates condensate back to the condenser on low loads. This maintains a minimum cooling flow through the condensate system pumps, air ejector condensers, and gland seal condenser. Conductivity of condensate both upstream and downstream of the demineralizer is measured and recorded, and high conductivity actuates an alarm.

Main condenser hotwell level is indicated in the control room and is automatically controlled by either making up or returning condensate from the condensate storage tank. Vacuum switches monitoring condenser vacuum provide scram signals to protect the reactor from loss of the main heat sink; protection for the condenser itself is assured by closure of the turbine and bypass valves as vacuum decreases below some preset low level and by the turbine rupture diaphragms.

7.7.3.3 Performance Analysis

Indication of key parameters from the main condenser, condensate system, heater drains and condensate demineralizer systems is provided in the control room; the reactor operator is kept fully cognizant of the conditions of the system. Abnormal conditions are annunciated, so that the reactor operator may take appropriate action.

The reactor is protected from loss of the main heat sink by scramming from turbine trip or main condenser low vacuum trip signals. The vacuum sensors meet the design requirements established for all Reactor Protection System functions. To protect the main condenser from overpressure, continued decrease of condenser vacuum below the non-safety related turbine low vacuum trip set point initiates closure of the turbine bypass system valves.

The condensate recirculation arrangement provides minimum flow protection for the condensate pumps and cooling for the air ejector and gland seal condensers under low condensate demand conditions.

7.7.4 Reactor Feedwater System Instrumentation and Control

7.7.4.1 Design Basis

The Reactor Feedwater System control is designed to regulate the Reactor Feedwater System in supplying water to the reactor primary vessel such that proper reactor vessel water level is maintained.

7.7.4.2 Description

The level of the water in the reactor is controlled by a feedwater controller which receives inputs from reactor vessel water level, steam flow, and feedwater flow transmitters. The water level is monitored by three level transmitters coupled to three separate condensing chambers. One feedwater level chamber and the safeguards level chamber share one variable sensing line while the second feedwater level chamber connects to a separate variable sensing line. The controlling level signal can be selected from either of the feedwater level signals or the median (middle) value of the three level signals. Each level is indicated and the selected level is recorded in the control room.

Reactor feedwater flow is monitored by flow transmitters FT-6-50A and FT-6-50B coupled to flow nozzles FE-6-11A and FE-6-11B in the feedwater lines. The total feedwater flow is the summation of the signals from all the feedwater lines.

Steam flow is monitored by four flow transmitters coupled to four flow restrictors in the main steam lines. The total steam flow is the summation of the signals from the four main steam lines.

The main steam line high-flow instrumentation is separate and independent (electrically and physically except for the flow nozzle taps used for the measurement of steam flow in each main steam line) from other instrumentation which provides inputs to the reactor feedwater system-control system.

The sharing of the steam flow measurement in this design is identical to the sharing of the reactor primary vessel level and pressure measurements shown in Section 15 Drawings NH-36242 and NH-36242-1.

The arrangement of the subject instrumentation systems is shown in Drawing NH-36241, Section 15. Each common shared measurements line (one on each main steam line) has one root valve and one excess flow check valve to be used for line isolation in the event that instrument line or instrumentation equipment maintenance is necessary.

It should be noted that in this design there is complete electrical and physical separation and independence between the protective and control systems as required by and in conformance with the General Design Criteria.

The Reactor Feedwater System control is independent of the level scram function. A failure in the level control which causes the water level to go out of limits in no way influences the reliability of the level signals into the Reactor Protection System.

Water flow to the reactor vessel is controlled by a three element control system. This system uses the total feedwater flow signal, the total main steam flow from the reactor signal, and the reactor water level signal to modulate the feedwater control valve to maintain a water supply to the reactor which matches the steam output from the reactor. In addition to the three element level controller, the single element mode, which is normally used to control level at power levels less than 30%, is available as a backup at full power.

Reactor vessel water level, feedwater flow, and steam flow are recorded in the control room. High and low reactor vessel water level are annunciated in the control room.

The desired level in the reactor is programmed as a function of steam flow. At high steam flow (high power), the level is lowered in order to minimize the carryover of moisture in the steam to the turbine.

The reactor feedwater flow regulating valves fail as is, and the valves may be switched to manual control in the event of failure.

Each reactor feedwater system pump has conventional modulating recirculation controls which pass feedwater back to the condenser when individual feed pump flow is below minimum flow requirements. The reactor feedwater recirculation valves fail open on loss of air supply and closed on loss of control signal or loss of power.

Each reactor feedwater pump is shut down automatically on low suction pressure, motor fault, low lube oil pressure, or low suction flow (with time delay).

Automatic trip of both feedwater pumps on high reactor water level, following a transient, is also provided.

7.7.4.3 Performance Analysis

Key reactor feedwater system parameters are recorded and, upon abnormal conditions, annunciated in the control room; the reactor operator can monitor system operation continuously.

Feedwater level control signals are redundant, providing assurance that malfunctions do not result in operational difficulties.

Reactor feedwater system control malfunctions could result in maximum or zero feedwater flow. In neither case does fuel failure occur. The maximum feedwater control malfunction has been analyzed and the effects discussed in Section 14.4.

The instrumentation for the reactor feedwater system is separate from reactor protection system instrumentation, thereby preventing control system failure from affecting the operation of the protection system.

The following discussion is provided in order to assure that the design meets the single active component failure criterion and to demonstrate its inherent capability to withstand an unrequired further degradation (that is, an instrument line failure at the time of a postulated design basis main steam line break) at the same time that it performs its intended function of initiating main steam line valve closure or high main steam line flow. Single active component is defined as a device characterized by an expected significant change of state or discernible mechanical motion in response to an imposed design basis load demand upon the system. Examples are: switches, relays, valve motion, pressure switches, turbines, motors, dampers, pumps, transistors, analog meters, etc.

a. Main Steam Line Break Effects on Subject Equipment

The instrumentation's ability to perform its intended function (initiate MSL valve closure) immediately after the DBA - Main Steam Line Break Accident is cited below:

1. The instrument line penetrations are located at an azimuth of 90° from the main steam line penetrations and any postulated steam line break outside the containment would not cause damage to the instrument lines or instrument racks.

2. If the instrument lines or racks were damaged by some other failure and a steam line break occurred outside the containment, a backup isolation signal would be obtained from high steam line tunnel temperature.

3. If a steam line break occurred inside the containment the valves would be isolated by low reactor water level if the instrument lines were failed or the break occurred upstream of the main steam line flow restrictors.

b. Single Electronic Component Failure

Refer to Section 7.6.2. The trip logic design basis, description, and performance evaluation demonstrate that the subject system's function is not negated by any single active component failure.

c. Capability for Single Passive Component Failure

1. Assume an instrument failure in the sensing line to the upstream side of the flow nozzle. This results in a zero or low flow signal on only that permissive set. Flow instrumentation on the other steam lines would be unaffected. The reactor water level, main steam tunnel temperature, and mode switch devices are still capable of monitoring and initiating control action service on all steam lines.

2. Assume an instrument failure in the sensing line to the downstream side of the flow nozzle. This results in an indicated high flow situation at the monitors which results in main steam isolation valve closure.

d. Reactor Feedwater System Control Effects

Electronic effects on the reactor feedwater system as a result of the loss of steam flow or pressure measurement input are not a safety concern but are operationally adjusted for by the system instrumentation. Such failures may cause partial errors in the feedwater flow control tending to cause gradual changing of the reactor water level which might ultimately cause water level initiated isolation. Electronic failures in this system cannot impede operation of the main steam line isolation valves.

e. Conclusion

No effects of influences in either subject system can negate the functional capacity of the other system.

7.8 NUMAC Rod Worth Minimizer and Plant Process Computer

7.8.1 Introduction

Two digital computer devices are provided to aid in controlling the reactor. Both the control rod worth minimizer and the plant process computer are considered operating conveniences. While they assist the operator in knowing the complete status of the reactor core, they are not required for safe operation of the plant. The control rod worth minimizer is connected to the rod block functions as described in Section 7.3 but may be bypassed by use of a key lock switch. The process computer is isolated from the reactor manual control and reactor protection systems.

7.8.2 Rod Worth Minimizer

7.8.2.1 Design Basis

The NUMAC RWM is an interlock and display system used to assist the operator in effecting rod pattern control. The principal function of the RWM is to limit rod motion such that high worth rods are not created, thereby limiting the maximum reactivity increase due to a CRDA. This is the only function the RWM must perform to satisfy all licensing and design basis requirements. However, the NUMAC RWM also limits rod motion so that rods cannot be withdrawn to the extent of generating excessive heat flux in the fuel or causing premature criticality. It displays information relevant to the movement of control rods used to shape both the axial and radial flux profiles for achieving optimum core performance and fuel utilization. The system imposes operating restrictions by limiting the movement of control rods to prescribed sequences, thereby minimizing the effect of a CRDA, should it occur. The NUMAC RWM System also imposes restrictions on which rod motions the operator can effect under various system states that result during testing and in achieving special functions. The NUMAC RWM includes options such as providing an optimal rod insertion sequence for rapid power reduction according to a permanently stored algorithm, and identification of rod movements required to align to the loaded sequence during reactor shutdown.

The RWM is programmed to follow the Banked Position Withdrawal Sequences (BPWS). The banked positions are established to minimize the maximum incremental control rod worth without being overly restrictive during normal plant operation. Generic analysis of the BPWS (References 20 and 46) has demonstrated that the fuel damage limit will not be violated during a Control Rod Drop Accident while following the BPWS mode of operation. This analysis also included an evaluation of the effect of fully inserted, inoperable control rods. It determined that it is acceptable to start up or operate with asymmetric control rod patterns so long as requirements of the BPWS are satisfied and the effect of any resulting asymmetric power distribution does not affect compliance with all thermal margin requirements.

7.8.2.2 Description and Definitions

7.8.2.2.1 Rod Group

A rod step consists of a group of one or more consecutive rods scheduled for individual withdrawal by normal operating procedures. Groups are specified by control rod identification and steps by minimum and maximum notch position of a rod group. For example, a specified step may be considered complete when a group of rods are all at some intermediate axial position. Certain rods may be included in more than one step as rod patterns are changed.

Steps and groups are selected such that the order of withdrawal or insertion within a given group minimizes rod worth. In general, the number of rods within a given group and the range of axial positions included in a step is maximized, consistent with the RWM objectives.

7.8.2.2.2 Rod Subgroup

A rod subgroup is a subset of rods within a rod group. They are defined for operational convenience and their movement within a step will be enforced by the RWM. Rod subgroups may be any set of rods within a rod group. They are typically only used in the high power rod groups near the end of the withdrawal sequence steps.

7.8.2.2.3 Operating Sequence

An operating sequence is defined as a series of rod steps controlled by the RWM.

Steps are ordered within an operating sequence such that rod withdrawal by normal operating procedures corresponds to the series of groups. A complete operating sequence of rod groups includes all control rods in the system from the full in to the full out positions.

7.8.2.2.4 Shutdown Margin Test Sequence

The shutdown margin test sequence consists of any group of any two control rods.

One rod of the group may be fully withdrawn and the other has a specified axial position limit. The order of withdrawal is unrestricted. For example, if the first rod is withdrawn to less than the axial position limit referred to above, the second rod may be fully withdrawn. However, if the first rod is withdrawn beyond the axial position limit, the second rod is automatically stopped at that limit.

7.8.2.2.5 Selected Sequence

The RWM can store four operating sequences, one special test sequence and the shutdown margin test sequence. A selected sequence is the particular one being enforced by the RWM.

7.8.2.2.6 Selection Error

A selection error is defined as the selection of a control rod inconsistent with the selected sequence.

7.8.2.2.7 Insertion Error

An insertion error is defined as the insertion of a control rod inconsistent with the selected operation sequence. For example, if the operator is withdrawing control rods exactly according to procedures and has withdrawn several of the rods which are defined to be in a particular group, the insertion of any withdrawn rod of that group is not considered an insertion error even though it may be a deviation from planned procedures. However, if the operator were to attempt to insert a rod which is defined in an earlier sequenced group, that action is inconsistent with the operating sequence and would be blocked. This definition is independent of how far the rod is inserted.

7.8.2.2.8 Withdrawal Error

A withdrawal error is defined similarly to an insertion error. For example, if several rods in a group are not withdrawn, the withdrawal of a rod from any group sequenced for subsequent withdrawal is a withdrawal error, regardless of how far the rod is moved.

7.8.2.2.9 Power Level Set Point

Above 10% power, the objectives of the RWM are satisfied with no constraints on rod patterns. This is due largely to the advantageous effects of high initial power level on the consequences of a reactivity insertion accident. Therefore, sensed core average power level is used to remove RWM constraints above 10% power.

7.8.2.2.10 Description

The operation of the NUMAC RWM System and its interaction with other major systems in the BWR is described with the aid of the system block diagrams of Figure 7.8-1. The NUMAC RWM chassis and the Operator's Display (OD) constitute the NUMAC RWM System. It is convenient to begin by examining in detail the system shown in Figure 7.8-1 and Figure 7.8-2.

The NUMAC RWM chassis receives input from the Rod Position Information System (RPIS), Reactor Manual Control System (RMCS), Plant Power Level Indication - based on Steam Flow from the Digital Feedwater Control System (DFCS), and the Process Computer System (PCS). The RWM OD provides an improved operator interface for control and information. The RWM outputs include rod motion interlocks to the RMCS relay logic, operator annunciation, error message display via the PCS, and information to the PCS. A keylock switch on the RWM OD provides rod block and annunciate bypass capability. Display, controls and a keylock switch on the RWM chassis provide maintenance and setup capability under procedural control.

Rod Motion permissive interlocks connect to the RMCS to assure that rod motions conform to a planned rod motion sequence. Four alternate sequences can be simultaneously stored. A particular sequence is selected under keylock control when the RWM is in the INOP mode.

The operator must withdraw control rods from the reactor core according to the selected sequence. The sequence is divided into steps which identify a group or subgroup of rods which can be moved between insert and withdraw limits. Rod groups are identified by the BPWS criteria. A subgroup is a subset of a rod group.

The operator selects and withdraws each rod to the withdraw limit. Each step is completed in order.

Control of the sequence of rod motions within the step is available as an optional feature, but is not required. The sequence is continued by step until the Low Power Set Point (LPSP) is reached, at which time the RWM rod block and annunciator function is automatically bypassed. The RWM continues to follow rod motion and display any deviation from the selected sequence in an advisory capacity until the RWM OD is manually shut off.

The RWM remains operable during reactor operation, but performs only the RPIS interface functions to the PCS. The Internal Self-Test system continually monitors the RWM hardware and annunciates in the event of hardware failure.

During reactor shutdown, the RWM OD is turned on when the Low Power Alarm Point (LPAP) is reached, if not turned on by the operator. If rod positions do not conform to the selected sequence when the LPAP is reached, annunciation occurs and insert/withdraw errors are identified to the operator.

If the control rod configuration does not conform to the selected sequence when the LPSP is reached, rod insert and withdraw blocks are applied. The optional sequence alignment function aids the operator to assure against this condition.

Rod motions, on power descent, conform to the selected BPWS sequence in the reverse order of the selected BPWS sequence.

7.8.2.2.11 Arrangement

The major elements constituting the RWM System are shown in Figure 7.8-1. The system includes the NUMAC RWM Computer and the NUMAC Operator's Display (OD) subsystems as well as portions of the plant's process computer, the General Electric Data Acquisition and Control (GEDAC) System, the Rod Position and Information System (RPIS) and Reactor Manual Control System (RMCS).

Control rod motion sequences are designed to assure rod worth minimization, and are normally developed and updated on or using the process computer and stored in its memory. The process computer program validates the control rod sequences by checking against a variety of sequence constraints. Validated sequences of control rod motion, both for normal operation and operation under test conditions or emergency shutdown (optional), are stored in the plant computer system. This data is downloaded from the plant computer system and is transmitted through a GEDAC formatter (a buffering and formatting device) to the RWM Computer over a serial data link. Any RWM sequence which is downloaded to the RWM Computer is tested to the BPWS criteria stored in the functional computer ROM while the RWM Computer is in the INOP mode of operation. Acceptance of the downloaded data results in the storage of validated, downloaded sequence information in memory within the RWM Computer. The RWM Computer can then be placed in its OPERATE mode in which it performs its sequence enforcement function without the aid of the process computer.

The Rod Position Information System contains an on-board enhancement card which serves as a data acquisition system. The enhanced RPIS uses a fixed program stored in ROM and has its own internal clock which drives a program counter; and the program counter drives a micro-programmed ROM. The outputs of the ROM are decoded to simultaneously select four channels of rod position and rod identification data. A parallel to serial conversion presents data from each channel of the rod position and identification data in a form suitable for transmission over four balanced lines to the RWM Computer. Four channels of rod position and identification data are transmitted during each scan period. The data acquisition and output multiplexer portion of the RPIS transmits a complete scan of 37 scan periods in 2.4 milliseconds.

The four data streams from the RPIS are converted from serial to parallel format in the RWM Computer and stored sequentially in memory for subsequent processing.

Output data, in the form of contact closures (or voltage levels), from the RMCS are applied directly to the RWM Computer. The input data from the RWM Computer are assembled into words and stored in memory for subsequent processing. Stored rod position data and alarm messages (RWM status data) are transmitted from the RWM Computer to the process computer via the GEDAC multiplexer (MUX) and the GEDAC formatters.

When an operator selects a rod, the RWM Computer will perform an evaluation based on the power level, the rod motion sequence position, the selected rod's identification and position and the operating step. The RWM computer checks its own state and the state of the NUMAC OD, as well as the input information from the Rod Position Information System (RPIS), the Plant Power Level Monitor and the Reactor Manual Control System (RMCS) to arrive at a decision whether or not to transmit a permissive signal to the RMCS. The RMCS receives its command inputs from the reactor operator's console as a result of manual inputs by the reactor operator. Comparison by the RWM Computer of the command inputs and the permitted sequence of commanded rod motions determines whether the RWM Computer issues a permissive signal to the RMCS.

If movement of the selected rod is not permitted, the RWM Computer will block the rod motion by removing the permissive; that is, the RWM provides an interlock function for relay logic circuits in the RMCS when an out of sequence rod selection or a rod motion is requested. The operator is prevented from causing an out of sequence rod motion unless he bypasses the RWM. The interlock function of the RWM System can be bypassed and the RWM annunciator signal deactivated only by setting a keylock switch on the front panel of the OD in the BYPASS position.
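The permissive decision described above, together with the error definitions of Sections 7.8.2.2.6 through 7.8.2.2.9, is modeled in the Python example below. It is an added illustration, not part of the USAR and not NUMAC RWM code; the rod IDs, notch limits, class and method names, the reason strings, and the use of 10% as the low power set point are assumptions.

```python
from dataclasses import dataclass

LPSP_PERCENT = 10.0  # assumption: set point taken as the 10% of Section 7.8.2.2.9


@dataclass(frozen=True)
class Step:
    rods: frozenset      # rod IDs in this step's group (constructed IDs)
    insert_limit: int    # minimum notch position for the step
    withdraw_limit: int  # maximum notch position for the step


class SequenceInterlock:
    """Grants or removes the rod motion permissive for one selected sequence."""

    def __init__(self, sequence, positions):
        self.sequence = list(sequence)
        self.positions = dict(positions)
        self.keylock_bypass = False  # models the BYPASS keylock position

    def _withdraw_step(self):
        # First step that is not complete: some rod is below the withdraw limit.
        for i, s in enumerate(self.sequence):
            if any(self.positions[r] < s.withdraw_limit for r in s.rods):
                return i
        return None

    def _insert_step(self):
        # Latest step in which some rod is above the insert limit.
        for i in range(len(self.sequence) - 1, -1, -1):
            s = self.sequence[i]
            if any(self.positions[r] > s.insert_limit for r in s.rods):
                return i
        return None

    def _check_withdraw(self, rod, target):
        k = self._withdraw_step()
        if k is not None and rod in self.sequence[k].rods:
            if target <= self.sequence[k].withdraw_limit:
                return True, "ok"
            return False, "withdraw limit"
        # Rod belongs to a group sequenced for subsequent withdrawal.
        if k is not None and any(rod in s.rods for s in self.sequence[k + 1:]):
            return False, "withdrawal error"
        return False, "selection error"

    def _check_insert(self, rod, target):
        k = self._insert_step()
        if k is not None and rod in self.sequence[k].rods:
            if target >= self.sequence[k].insert_limit:
                return True, "ok"
            return False, "insert limit"
        # Rod belongs to an earlier sequenced group.
        if k is not None and any(rod in s.rods for s in self.sequence[:k]):
            return False, "insertion error"
        return False, "selection error"

    def evaluate(self, rod, target, power_pct):
        """Return (permissive, reason) for moving `rod` to notch `target`."""
        if self.keylock_bypass:
            return True, "bypassed by keylock"
        if power_pct > LPSP_PERCENT:
            return True, "above low power set point"
        pos = self.positions[rod]
        if target > pos:
            return self._check_withdraw(rod, target)
        if target < pos:
            return self._check_insert(rod, target)
        return True, "no motion"

    def request(self, rod, target, power_pct):
        # The rod moves only when the permissive is present.
        permit, reason = self.evaluate(rod, target, power_pct)
        if permit:
            self.positions[rod] = target
        return permit, reason


def demo():
    # Constructed banked sequence: group A to notch 4, group B to 4, A to 12.
    seq = [Step(frozenset({"A1", "A2"}), 0, 4),
           Step(frozenset({"B1", "B2"}), 0, 4),
           Step(frozenset({"A1", "A2"}), 4, 12)]
    rwm = SequenceInterlock(seq, {"A1": 0, "A2": 0, "B1": 0, "B2": 0})
    return [
        rwm.request("A1", 4, 2.0),   # in sequence
        rwm.request("B1", 4, 2.0),   # group B while A2 is still in: blocked
        rwm.request("A2", 4, 2.0),   # completes the first step
        rwm.request("B1", 2, 2.0),   # second step now permitted
        rwm.request("A1", 0, 2.0),   # earlier sequenced group: blocked
        rwm.request("B1", 0, 2.0),   # withdrawn rod of the current group
        rwm.request("B2", 4, 15.0),  # above the set point: no constraint
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The bypass flag and the power check sit ahead of every sequence check, which is why the keylock and the power input are the two conditions under which an out of sequence motion is not blocked.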

7.8.2.3 Performance Analysis

During normal operation in any of the sequences, with the operator withdrawing and inserting control rods according to the pre-determined procedures, the RWM neither blocks nor noticeably delays such procedures. During such operation there are no alarms except for equipment malfunctions, i.e., control rod drift, RWM computer error, or RWM input/output error. If the core power level exceeds the low power alarm point, the RWM neither inhibits nor alarms the selection, insertion, or withdrawal of any control rod.

All operator selection errors are indicated by the RWM except during operation above the low power alarm point.

Assuming normal operation in any rod sequence, with permissives in the applicable group below the low power set point, the RWM does not permit any errors to occur. If an error exists due to equipment failure, the RWM does not allow further rod motion unless it is to correct the error. The operator's display indicates an operator select error and, if applicable, any insert or withdrawal errors.
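The permissive decision described in this section can be written out as a small interlock model. This is an added example, not plant or vendor software; the sequence representation, the rod names, the 10% low power alarm point and the choice to withhold the permissive when a self-check fails are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Motion(Enum):
    INSERT = "insert"
    WITHDRAW = "withdraw"


@dataclass(frozen=True)
class Step:
    """One step of the permitted sequence (representation assumed for this model)."""
    rods: frozenset
    insert_limit: int
    withdraw_limit: int


@dataclass(frozen=True)
class Decision:
    permissive: bool   # True: permissive signal is sent to the RMCS
    alarm: bool        # True: an error is indicated to the operator
    reason: str


@dataclass
class RwmState:
    sequence: list                 # ordered list of Step
    step: int                      # index of the current operating step
    positions: dict                # rod id -> position reported by the RPIS
    power_pct: float               # from the plant power level monitor
    low_power_alarm_pct: float     # low power alarm point (constructed value below)
    healthy: bool = True           # RWM self-check and input/output checks passed
    keylock_bypass: bool = False   # keylock switch on the OD set to BYPASS


def allowed_range(state, rod):
    """Position band a rod may occupy given the current step (model assumption)."""
    for index, step in enumerate(state.sequence):
        if rod in step.rods:
            if index < state.step:      # earlier steps are complete
                return step.withdraw_limit, step.withdraw_limit
            if index > state.step:      # later steps have not started
                return step.insert_limit, step.insert_limit
            return step.insert_limit, step.withdraw_limit
    raise KeyError(f"rod {rod!r} is not in the loaded sequence")


def rod_errors(state):
    """Map each out-of-sequence rod to the motion that would correct it."""
    errors = {}
    for rod, pos in state.positions.items():
        low, high = allowed_range(state, rod)
        if pos > high:
            errors[rod] = Motion.INSERT      # withdraw error
        elif pos < low:
            errors[rod] = Motion.WITHDRAW    # insert error
    return errors


def evaluate(state, rod, motion):
    """Decide whether the permissive is issued for the selected rod and motion."""
    if state.keylock_bypass:
        return Decision(True, False, "keylock in BYPASS")
    if state.power_pct > state.low_power_alarm_pct:
        return Decision(True, False, "above low power alarm point")
    if not state.healthy:
        # Assumption: this model withholds the permissive on a failed self-check.
        return Decision(False, True, "RWM computer or input/output error")
    errors = rod_errors(state)
    if errors:
        # With an existing error, only motion that corrects it is permitted.
        if errors.get(rod) is motion:
            return Decision(True, True, "corrective motion")
        return Decision(False, True, "existing error must be corrected first")
    current = state.sequence[state.step]
    if rod not in current.rods:
        return Decision(False, True, "select error")
    pos = state.positions[rod]
    if motion is Motion.WITHDRAW and pos >= current.withdraw_limit:
        return Decision(False, True, "withdraw block")
    if motion is Motion.INSERT and pos <= current.insert_limit:
        return Decision(False, True, "insert block")
    return Decision(True, False, "in sequence")


# Constructed sample: two-step sequence, four rods, 10% low power alarm point.
SAMPLE_SEQUENCE = [
    Step(frozenset({"A", "B"}), insert_limit=0, withdraw_limit=48),
    Step(frozenset({"C", "D"}), insert_limit=0, withdraw_limit=12),
]


def sample_state(**overrides):
    fields = dict(sequence=SAMPLE_SEQUENCE, step=0, power_pct=5.0,
                  positions={"A": 0, "B": 0, "C": 0, "D": 0}, low_power_alarm_pct=10.0)
    fields.update(overrides)
    return RwmState(**fields)
```

Calling `evaluate(sample_state(positions={"A": 0, "B": 0, "C": 4, "D": 0}), "C", Motion.INSERT)` shows the corrective-motion case: rod C is out of sequence, so only its insertion is permitted.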

7.8.2.4 Surveillance and Testing

Continuously running system diagnostic routines are provided to test the computer and the control rod interlock networks.

7.8.3 Process Computer

The purpose of the Process Computer System (PCS) is to aid the operator in timely determination of plant operability status during all plant conditions by providing a real time presentation of operational data pertaining to the reactor core and other plant equipment. The PCS also records plant operational data which can be recalled for evaluation of abnormal and unusual events.

7.8.3.1 Design Basis

The objective of the Process Computer System (PCS) is to provide the process monitoring, calculations and data presentation necessary for effective evaluation of normal and emergency plant operation.

The following basis for design was used to accomplish the intended design objectives:

a. The PCS provides the capability for periodically determining the three dimensional power density distribution for the reactor core and providing the operator with operational data output with which an accurate assessment of core thermal performance can be attained.

b. The PCS provides the capability for continuous monitoring and alarming of the core operating level with respect to the established core operating limits. This capability aids in assuring that the core is operating within acceptable limits at all times, including periods of maneuvering.

c. The PCS includes the capability for providing isotopic concentration data for each fuel bundle in the core.

d. The PCS has no direct protective or safety significance and functions only as an operating aid by enhancing established manual operating procedures.

e. The PCS provides the capability to perform certain Balance of Plant calculations to aid in maintaining efficiency of operation.

7.8.3.2 Description of Process Computer Functions

The PCS is an integrated system designed for monitoring, analysis and display of plant process parameters obtained from instrumentation connected to plant equipment and systems. Data is collected via an interface with the Data Acquisition System (DAS). The PCS processes the data (analog, digital and pulse) and provides meaningful displays, logs and plots of historical, current and predicted plant performance. The PCS provides the following functions:

a. The Safety Parameter Display System (SPDS) provides displays of critical plant parameters to aid control room operator personnel and system engineers in the determination of safety status of the plant during abnormal and emergency conditions.

b. The Transient Recording and Analysis (TRA) System provides recording and analysis functions of real time and historical plant data.

c. The Point Log and Alarm (PLA) provides point data processing and an operator interface for controlling point processing, data alarming, display and logging.

d. The Gardel Core Monitoring System is provided the necessary data by the PCS. The PCS provides interfaces to interact with the Rod Worth Minimizer (RWM) and the Traversing Incore Probe (TIP) system for the transfer of data.

e. The Sequence of Events (SOE) function provides data recording and event recall for system disturbance evaluation.

f. The collection and recording of balance of plant (BOP) data provides for BOP performance monitoring.

g. The PCS receives data from the CROSSFLOW system, which may be applied to correct for the effects of flow nozzle fouling on the calculated feedwater flow rate. When the CROSSFLOW system is enabled, this data is utilized in the PCS Core Thermal Power calculation.

7.8.3.3 Description of Core Calculation Computer Functions

The nuclear core calculation functions provide the operator with the following information:

a. Reactor core performance and power distribution evaluations.

b. Rapid core monitoring.

c. Fuel exposure evaluations.

d. Control rod exposure evaluations.

e. LPRM calibration and accumulated chamber exposure.

f. Isotopic composition of the fuel.

7.8.3.4 Effects of Computer on Instrument System

The plant can operate independently of the PCS and failure of the PCS will not affect the function of any safety system. However, the PCS monitors a number of plant protection circuits. The two types of signals monitored, and the method of preventing undesirable interference from these signals, are:

a. Analog signals

Analog neutron monitoring signals are read into the plant process computer using an analog-to-digital converter to convert the output DC signal to digital information. The DC voltage scanned by the computer is developed across a small precision resistor in series with an isolation resistor from the amplifier output.

The small precision resistor added to accommodate the computer is sized so that its failure does not affect the neutron monitoring channel output signal.

Typical values of the voltages (relative to ground) are:

Neutron Monitoring Amplifier Output    0 - 10 Vdc
Computer Input                         0 - 160 milli-Vdc

If the computer resistor shorts to ground, the neutron monitoring amplifier output signal remains constant and the circuit current increases by an insignificant amount. Addition of the special resistor for the computer does not increase the probability of other neutron monitoring circuit failures. The neutron monitoring circuit is protected from a voltage feeding back from the computer by an inline fuse of low milliamp capacity.

b. Digital signals

Reactor protection signals are read into the plant process computer from isolated relay or switch contacts in the protection circuitry. Where an isolated set of contacts is not available for computer use, an interposing relay is added.

Data acquisition modules have been connected to safety systems to support the Safety Parameter Display System. These devices are Class 1E analog to digital converters and serve as qualified isolators to assure that failures on the computer side of the device will not affect the safety system. Separation criteria specified in the original plant design have been maintained. Loss of power to these modules does not affect the circuits within the safety system.

7.8.3.5 Surveillance and Testing

The process computer system is self-checking. It performs diagnostic checks to determine the operability of certain portions of the system hardware, and performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.

7.9 Other Systems Control and Instrumentation

7.9.1 Reference to Control and Instrumentation Systems Discussed in Further Detail in Other Sections

Controls and Instrumentation for each of the following systems are described in the sections of the text describing the system itself:

Secondary Containment System                        Section 5.3
Reactor Cleanup Demineralizer System                Section 10.2
Reactor Core Isolation Cooling System               Section 10.2
Emergency Core Cooling System                       Section 6.2
Fire Protection System                              Section 10.3
Reactor Feedwater System                            Section 11.8
Plant Service Water System                          Section 10.4
Makeup Water System                                 Section 10.3
Service and Instrument Air Systems                  Section 10.3
Communications System                               Section 10.3
Fuel Storage Pool Filtering and Cooling System      Section 10.2
Reactor Shutdown Cooling System                     Section 10.2
Standby Liquid Control System                       Section 6.6
Refueling Equipment                                 Section 10.2
Containment Monitors                                Section 5.2.2.5.5
Post Accident Sampling                              Section 10.3.10
SRV Low-Low Set System                              Section 4.4.2.3

7.9.2 Toxic Substance Monitors

7.9.2.1 Design Basis

The toxic substance monitors were eliminated in 1994. See USAR Section 2.9.1.

7.9.3 Accident Monitoring Instrumentation

7.9.3.1 Design Basis

In Supplement 1 to NUREG-0737 (NRC Generic Letter 82-33) (Reference 31), the NRC specified the requirements for accident monitoring instrumentation. The guidelines of Regulatory Guide 1.97, Revision 2, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident (Reference 32) were reviewed, and a number of additional instruments were identified. A number of exceptions to the Regulatory Guide were also taken (References 3, 14, 15, and 16).

7.9.3.2 Description

Regulatory Guide 1.97, Revision 2 (Reference 32) provides NRC guidance on design criteria for accident monitoring instrumentation used by control room operating personnel. The guide delineates design and qualification criteria for the instrumentation used to measure variables that provide accident monitoring information.

The NRC reviewed Monticello's responses with respect to conformance to Regulatory Guide 1.97, Revision 2 as specified in NRC Generic Letter 82-33 (Reference 31), and issued a letter and Safety Evaluation Report (SER) (Reference 16). The report concluded that Monticello either conformed to or provided acceptable justification for deviations from the guidance of Regulatory Guide 1.97 for each post-accident monitoring variable. These documents form the basis for the plant specific compliance method for Regulatory Guide 1.97.

A site program provides instructions to assure continued compliance with the approved method of implementing the applicable Regulatory Guide 1.97 criteria at Monticello. The program provides for a detailed and current database of the accident monitoring channels and associated equipment. The database includes the Regulatory Guide 1.97 category and type classifications for each channel and the plant specific design and qualification criteria that are based on these classifications.

The program also identifies the documentation and the site administrative processes that support ongoing compliance with the Regulatory Guide 1.97 criteria.

7.9.3.3 Performance Analysis

Instrumentation is provided to assess plant and environs conditions during and following an accident following the guidance provided in Regulatory Guide 1.97, Revision 2.

7.9.3.4 Testing and Inspection

Instrumentation is periodically sensor checked, functionally tested, and calibrated in accordance with the requirements of the Technical Specifications and the Monticello instrument calibration program.

7.10 Seismic and Transient Performance Instrumentation Systems

7.10.1 Nuclear Boiler Instrument Systems - Initial Seismic Test Program

7.10.1.1 Introduction

The following describes the program which was used for assuring Class I instrumentation meets the seismic requirements at the time Monticello was going through the license application review process.

7.10.1.2 Systems

Representative samples of the Class I instruments for the following essential systems were designed, analyzed and tested by General Electric or other vendors to ensure performance of their primary functions without spurious response during and after an earthquake:

Reactor Protection System
Nuclear Boiler System
CRD Hydraulic System
Standby Liquid Control System
Neutron Monitoring System
Emergency Core Cooling Systems
Process Radiation Monitoring Systems

7.10.1.3 Design Criteria

a. Design Basis Earthquake

For the Design Basis Earthquake for rigid body calculations, the seismic force assumed to act on the equipment's center of mass had the following components:

Horizontal    1.5 times the weight
Vertical      0.14 times the weight

b. Operational Basis Earthquake

The maximum stresses from combined seismic and normal loads did not exceed allowable stresses without the usual one-third increase of allowable stress for short term loading. The seismic loads for such analyses were:

Horizontal    0.75 times the weight
Vertical      0.07 times the weight

7.10.1.4 Evaluation

a. Devices

All types of Class I devices (relays, switches, amplifiers, power supplies, sensors, etc.) which make up the Class I systems were tested for proper performance under the simulated seismic accelerations of the Design Basis Earthquake. Each device tested is energized and, as applicable, has a simulated input signal applied; and has its output monitored during and after the test.

The test consists of vibrating the devices to the DBE accelerations over the DBE frequency range on each of the device's three rectilinear axes.

b. Racks and Panels

Class I racks and panels complete with all internal wiring and devices mounted were vibrated at low accelerations over the DBE frequency range and measurements made to determine the presence of resonances. If resonances were present which affect Class I devices, steps were taken to shift their frequencies out of the band of interest or dampen them to an acceptable level. Once this was accomplished, the panel could be considered a rigid body and analyzed statically.

c. Code devices

All instrument devices required to conform to ASME Boiler Code requirements were analyzed as required by the applicable code. In general, these devices are large, strong structural or pressure bearing instruments which would not be noticeably stressed at the low seismic accelerations but, rather, should be analyzed at the combined loading of their in situ forces plus the seismic loads.

7.10.1.5 Acceptance

The product being evaluated was required to perform its prescribed functions without failure or unacceptable response during and after the application of seismic forces.

Addition of new systems or re-evaluation of existing systems is done using current methods of analysis and component qualification. See Section 12.2.1.10.

7.10.2 Transient Performance

Tests were performed to determine the stability of the original vessel level instrumentation in the presence of rapidly decaying pressures. These tests were conducted at 1500 psig on a standard temperature compensated head chamber and verified that the level instrumentation equipment used for Monticello would withstand a depressurization rate of 200 psig/sec for the first three seconds. Thereafter the rate was 100 psig/sec. During the most rapid depressurization transient the calculated pressure decay rate is approximately 100 psig/sec (200 psig/sec is not expected).

There is nothing to imply that the pressure sensors used would be required to follow such a transient. The pressure switches used to supply signals for actuation of ECCS equipment have a response time on the order of milliseconds. This response is fast enough to assure that pressure switch response does not affect ECCS equipment operation.

7.10.3 Balance of Plant Control Systems - Seismic Information Program

The original seismic qualification of critical items of the following Balance of Plant equipment was performed by the equipment manufacturers using methods acceptable at the time.

4160 Volt AC Switchgear
480 Volt AC Load Centers
480 Volt AC Motor Control Centers
250 Volt DC Motor Control Center
Electrical Penetration Assemblies
Control Boards
Batteries and Battery Racks
Diesel-Generator System
Standby Gas Treatment System
RHR Service Water System
Emergency Service Water System

7.11 Reactor Shutdown Capability

7.11.1 Shutdown from Outside the Control Room

7.11.1.1 Conditions and Assumptions

The ability to safely shut down the reactor, should access be lost to the control room, was evaluated using the following conditions and assumptions:

a. Conditions

   1. The plant was operating initially at or less than design power.

   2. Loss of offsite AC power was not considered.

   3. Simultaneous or subsequent accidents were not considered.

b. Assumptions

   1. The control room becomes uninhabitable.

   2. Plant personnel evacuate the control room.

   3. Access to the control room continues to be completely denied.

7.11.1.2 Performance Evaluation

It is extremely improbable that the control room would become totally inaccessible. However, the plant design makes provision for, and does not preclude, bringing the plant to a safe and orderly hot shutdown condition and ultimately to a cold shutdown condition from outside the control room.

There are a number of automatic features incorporated in the plant design which would allow the reactor to come to a safe shutdown condition, in terms of core cooling, independent of any operator action. From an operating standpoint, however, it is desirable that operator action be taken to supplement these automatic features so that the plant outage time would be kept to a minimum following the re-establishment of control room access.

Before the control room operator is forced from the control room, he would attempt to bring the plant to a safe shutdown condition. If this cannot be accomplished before leaving, cold shutdown is achieved from the Alternate Shutdown System (ASDS) panel. ASDS is discussed in Section 10.3.1.5.4. During the entire shutdown process described in Section 10.3.1.5.4, no reliance has been placed on regaining entry into the control room.

7.12 Detailed Control Room Design Review

The plant is equipped with a single control room which contains controls and instrumentation necessary for safe operation of the unit, including the reactor and the turbine generator, under normal and accident conditions. A Detailed Control Room Design Review (DCRDR) program has been conducted. A DCRDR summary report which fulfills the guidance contained in NUREG-0700 (Reference 34) and NUREG-0800 (Reference 35) has been submitted to the NRC Staff for review and approval (Reference 6). The NRC staff issued a Safety Evaluation (Reference 10) pertaining to the Detailed Control Room Design Review (DCRDR) Program Plan.

The objective of the control room design review was to improve the ability of nuclear power plant control room operators to prevent accidents or cope with accidents if they occur by improving the information provided to them. The design review plan describes activities for Monticello's control room review, emergency operating procedures development, safety parameter display system development and training plans.

The design review was set up to identify modifications to the control room that significantly reduce the probability of operator error through changes in control room design or related areas of training or procedures.

This design review included a control room survey to identify deviation from accepted human factor principles, and identification and initiation of the necessary control room changes and a human factors review of these modifications.

The design review concluded that there is a high likelihood of long-term improvements in operator performance and reduction of errors under both normal and emergency operating procedures.

7.13 Safety Parameter Display System

7.13.1 Design Basis

The purpose of the Safety Parameter Display System (SPDS) is to provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant (References 7, 8 and 9).

7.13.2 Description

The Monticello SPDS consists of three primary displays that are designed to support the information needs of the Emergency Procedure Guidelines (EPGs). These displays, RPV Control Display, Containment Control Display, and Critical Plant Variables Display, are elaborated in special function displays. The special function displays provide: 1) two-dimensional plots of the limiting conditions defined in the Emergency Operating Procedures (EOPs), e.g., Drywell Design Pressure Curve; 2) trend plots of all control parameters, showing data from the most recent 30 minutes; 3) the validation status of SPDS input data, and 4) radiation monitoring displays.

Design of the SPDS was developed based on human factor engineering principles, then reviewed to assure that those principles had been properly implemented. The human factors engineering program provides reasonable assurance that the information provided by SPDS will be readily perceived and comprehended.

7.13.3 Performance Analysis

The Monticello SPDS meets the requirements of NUREG-0737, Supplement 1 (Reference 31). Section 4.1f of Supplement 1 to NUREG-0737 states that:

The minimum information to be provided shall be sufficient to provide information to plant operators about:

(1) Reactivity Control
(2) Reactor core cooling and heat removal from the primary system
(3) Reactor coolant system integrity
(4) Radioactivity control
(5) Containment conditions

The SPDS was added as an aid to plant operators. It is not intended as a substitute for other safety-related equipment or instrumentation, but rather as an adjunct to such equipment. The SPDS is not essential to the safe operation of the plant, it is not essential to the prevention of events that endanger the public health and safety, nor is it essential to the mitigation of the consequences of an accident.

7.13.4 Certification

NRC Generic Letter 89-06, dated April 12, 1989 (Reference 36), requested certification regarding the implementation of a Safety Parameter Display System (SPDS). The Generic Letter and its attachment, NUREG-1342, provided clarification of the requirements for an acceptable SPDS as originally defined in NUREG 0737, Supplement 1.

On July 11, 1989, NSP certified that the SPDS at Monticello (Reference 37) fully meets the requirements of NUREG-0737, Supplement 1, taking into account the information provided in NUREG-1342 (Reference 38). Based upon this certification, the NRC staff concluded in a letter dated April 25, 1990 (Reference 39) that the SPDS has satisfactorily met all the requirements specified in NUREG-0737, Supplement 1.

Therefore, staff review and licensee implementation of the SPDS are considered complete for Monticello.

7.14 References

1. General Electric report APED-5706, In Core Neutron Monitoring System for General Electric Boiling Water Reactors, April 1969.
2. General Electric report GEAP-4900, Reactor Control Systems Based on Counting and Campbelling Techniques, Full Range Instrumentation Development Program, Final Progress Report, R A DuBride, et al., July 1975.
3. NSP (D Musolf), letter to the NRC, NUREG-0737 Supplement 1 - Generic Letter 82-33, Regulatory Guide 1.97 - Application to Emergency Response Facilities, dated December 30, 1983.
4. NRC (H Nicolaras) letter to NSP (D M Musolf) Approval of Amendment 20, SRM Count Rate, dated January 16, 1984.
5. NSP (T M Parker) letter to the NRC, Revised Submittal on Modification of Commitment for Core Unload and Reload Pattern for Full Core Discharges, dated March 15, 1993.
6. NSP (D M Musolf) letter to the NRC, Supplement 1 to NUREG-0737, Generic Letter 82-33, Detailed Control Room Design Review Summary Report, dated December 30, 1986.
7. NSP (D M Musolf) letter to the NRC, Safety Parameter Display System (SPDS), Safety Analysis Report, dated December 26, 1984.
8. NRC (J A Zwolinski) letter to NSP (D M Musolf) Safety Parameter Display System (SPDS), Safety Evaluation, dated December 12, 1985.
9. General Electric report, NEDC-30806P, Safety Analysis Report for Monticello Nuclear Generating Plant Safety Parameter Display System, December 1984.
10. NRC (J J Stefano) letter to NSP (T M Parker), NRC Safety Evaluation Report for the Monticello Nuclear Generating Plant Detailed Control Room Design Review (TAC No. 56140), dated June 7, 1989.
11. Deleted.
12. Deleted.
13. Deleted.
14. NRC (D B Vassallo) letter to NSP (D M Musolf), Emergency Response Capability - Conformance to Regulatory Guide 1.97, Rev 2, dated February 11, 1985.
15. NSP (D M Musolf) letter to the NRC, Additional Information Related to Conformance with Regulatory Guide 1.97, Rev 2, dated April 22, 1985.
16. NRC (D B Vassallo) letter to NSP (D M Musolf), Emergency Response Capability - Conformance to Regulatory Guide 1.97, dated November 18, 1985.
17. NRC (B A Wetzel) letter to NSP (R O Anderson), Regulatory Guide 1.97 - Boiling Water Reactor Neutron Flux Monitoring - Monticello Nuclear Generation Plant (TAC No. M51108), dated February 24, 1994.
18. ANSI/IEEE 279, Proposed Criteria for Protection Systems for Nuclear Power Generating Stations, dated August 30, 1968.
19. NRC Bulletin, NRCB 90-01, Supplement 1, Loss of Fill-Oil in Transmitters Manufactured by Rosemount, dated December 22, 1992.
20. General Electric report, NEDO-21231, Banked Position Withdrawal Sequence, C J Paone, January 1977.
21. NSP (T M Parker) letter to the NRC, Response to NRC Bulletin No. 90-01, Supplement 1 - Loss of Fill Oil in Transmitters Manufactured by Rosemount, dated March 1, 1993.
22. NSP (R O Anderson) letter to the NRC, Additional Information Related to Response to NRC Bulletin No. 90-01, Supplement 1 - Loss of Fill Oil in Transmitters Manufactured by Rosemount, dated April 29, 1994.
23. NRC (B A Wetzel) letter to NSP (R O Anderson), Closeout of Bulletin No. 90-01, Supplement 1 - Loss of Fill Oil in Transmitters Manufactured by Rosemount (TAC M85411), dated February 28, 1995.
24. General Electric report, NEDC-30492-P, Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvement (ARTS) Program for Monticello Nuclear Generating Plant, April 1984.
25. NRC (J G Partlow) Generic Letter 89-11, Resolution of Generic Issue 101 - Boiling Water Reactor Water Level Redundancy, dated June 30, 1989.
26. NUREG/CR-5112, Evaluation of Boiling Water Reactor Water-Level Sensing Line Break and Single Failure, published March 1989.
27. NRC Bulletin, NRCB 93-03, Resolution of Issues Related to Reactor Vessel Water Level Instrumentation in BWRs, May 28, 1993.
28. ASA C96.1-1964, American Standard for Temperature Measurement Thermocouples, Approved June 9, 1964.
29. General Electric report, NEDO-31400A, Safety Evaluation for Eliminating the Boiling Water Reactor Main Steam Line Isolation Valve Closure Function and Scram Function of the Main Steam Line Radiation Monitor, October 1992.
30. NSP (T M Parker) letter to the NRC, License Amendment Request - Revision to Reactor Protection System Technical Specification, dated February 14, 1992.

31. NRC (D G Eisenhut) Generic Letter 82-33, Supplement 1 to NUREG-0737, Requirements for Emergency Response Capability, dated December 17, 1982.
32. NRC Regulatory Guide 1.97, Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, Revision 2, December 1980.
33. NRC (B A Boger) letter to the Chairman of the BWR Owners Group (C L Tully), NRC Evaluation of BWR Owners Group Topical Report NEDO-31558 - Position on NRC Regulatory Guide 1.97, Revision 3, Requirements for Post-Accident Neutron Flux Monitoring System (TAC M77660), dated January 13, 1993.
34. NUREG-0700, Guidelines for Control Room Design Reviews.
35. NUREG-0800, Standard Review Plan, Section 18.1, Appendix A, Evaluation Criteria for Detailed Control Room Design Review (DCRDR), September 1984.
36. NRC (J G Partlow) Generic Letter 89-06, Task Action Plan Item I.D.2 - Safety Parameter Display System - 10CFR50.54(f), dated April 12, 1989.
37. NSP (T M Parker) letter to the NRC, Response to NRC Generic Letter 89-06, Safety Parameter Display Systems, dated July 11, 1989.
38. NUREG-1342, A Status Report Regarding Industry Implementation of Safety Parameter Display Systems, published April 1989.
39. NRC (W O Long) letter to NSP (T M Parker), Response to NRC Generic Letter 89-06 on the Safety Parameter Display System for MNGP (TAC No. 73677), dated April 25, 1990.
40. Deleted.
41. NUREG-0737, Clarification of TMI Action Plan Requirements, November, 1980.
42. NRC (W O Long) letter to NSP (T M Parker), Amendment 83 to Facility Operating License No. DRP-22 (TAC No. M82783), dated August 18, 1992.
43. NSP (T M Parker) letter to NRC, Design Basis and Criteria for the Reactor Building Closed Cooling Water System and Its Isolation Provisions, dated July 14, 1989.
44. NRC (W O Long) letter to NSP (T M Parker), Monticello - Safety Evaluation, Reactor Building Closed Cooling Water System Containment Isolation Valves (TAC Nos. 67160 and 71866), dated April 27, 1990.
45. NRC letter to MNGP (Dave Wilson), Monticello Nuclear Generating Plant - Issuance of Amendment RE: Elimination of Requirements for Post Accident Sampling System (TAC No. MB80630), dated June 17, 2003.
46. General Electric Report NEDO-33091-A, Improved BPWS Control Rod Insertion Process, J. Tuttle, July, 2004.

47. SSP-04/405, Gardel - Monticello NPP Thermal Margins Uncertainties, Alejandro Noel, February 2004.
48. NRC Commitment M87051A.
49. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.
50. NEDC-32410P-A, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, November 1997.
51. NMC (T O'Connor) letter to NRC, License Amendment Request: Power Range Neutron Monitoring System Upgrade, dated February 6, 2008.
52. NRC (P Tam) letter to NSPM, Issuance of Amendment Regarding the Power Range Neutron Monitoring System (TAC NO. MD8064), dated January 30, 2009.
53. General Electric report NEDO-23842, "Continuous Control Rod Withdrawal Transient in the Startup Range", April 1978.
54. GE Hitachi EPU Project Task Report GE-NE-0000-0062-6960-TR-R1, Revision 1, "Task T0904: Accident Performance Analysis (not ECCS-LOCA and dose)," May 2008 (Monticello calculation number 11-251).
55. EC16317, Revision 0, "EPU Replacement Steam Dryer Impact."
56. GE Hitachi Report NEDC-33322P, Revision 3, "Safety Analysis Report for Monticello Constant Pressure Power Uprate," October 2008.
57. GE Hitachi EPU Project Task Report GE-NE-0000-0062-2954-TR-R0, Revision 0, "Task T0900: Transient Analysis," December 2007 (Monticello calculation number 11-250).
58. Deleted.
59. GE Hitachi EPU Project Task Report GE-NE-0000-0061-7821-TR-R0, Revision 0, "Task T0902: Anticipated Transients Without Scram," January 2008 (Monticello calculation number 11-183).
60. Monticello calculation 09-239, Revision 0A, "Turbine Bypass Valve Capacity for EPU."
61. Monticello calculation 98-282, Revision 3, "Change Reactor Flow Limit Setting to Support Rerate."
62. NRC (T A Beltz) letter to NSPM (K D Fili), "Monticello Nuclear Generating Plant - Issuance of Amendment No. 176 to Renewed Facility Operating License Regarding Extended Power Uprate (TAC No. MD9990)," dated December 9, 2013.

63. Deleted.
64. NRC (T Beltz) letter to NSPM, Issuance of Amendment to Reduce the Reactor Steam Dome Pressure Specified in the Reactor Core Safety Limits, dated November 25, 2014. (ADAMS Accession No. ML14281A318)
65. NRC (T. Beltz) letter to NSPM (P. Gardner), "Monticello Nuclear Generating Plant - Issuance of Amendment to Transition to AREVA ATRIUM 10XM Fuel and AREVA Safety Analysis Methods (TAC No. MF2479)" (Am. 188), June 5, 2015.

66. ANP-3224P Revision 2, Applicability of AREVA NP BWR Methods to Monticello, June 2013.

FIGURES

Figure 7.2-2 Block Diagram - Single Cycle BWR Flow Control

Figure 7.3-1 Block Diagram - Nuclear Instrumentation System

Figure 7.3-2 Source Range Monitor System - Detector Locations

Figure 7.3-3 Intermediate Range Monitor System - Detection Locations

Figure 7.3-6 LPRM Detector Location

Figure 7.3-7 LPRM Equivalent Locations

Figure 7.3-8 APRM - LPRM Assignments

Figure 7.3-12 RBM - LPRM Input Assignments

Figure 7.3-13 RBM Trip Setpoints as a Function of Power

Figure 7.6-1 Reactor Protection System - Schematic Diagram

Figure 7.6-2 Reactor Protection System Scram Functions

Figure 7.6-4 Block Diagram - Primary Containment Isolation

Figure 7.6-5 RCIC - HPCI Isolation System Schematic

Figure 7.8-1 NUMAC Rod Worth Minimizer Block Diagram

Figure 7.8-2 NUMAC Rod Worth Minimizer Operator Display and Instrument Chassis