ML18117A096

From kanterella
Jump to navigation Jump to search
Updated Final Safety Analysis Report, Chapter 7, Instrument and Control
ML18117A096
Person / Time
Site: Turkey Point  NextEra Energy icon.png
Issue date: 04/26/2018
From:
Florida Power & Light Co
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18117A085 List:
References
L-2018-103
Download: ML18117A096 (291)
v  d  e


Text

TABLE OF CONTENTS

Section Title Page 7 INSTRUMENT AND CONTROL 7.1-1

7.1 General

Design Criteria 7.1-1 7.1.1 Instrumentation and Control Systems Criteria 7.1-1 Instrumentation and Control Systems 7.1-1 NUREG-0700 "Guidelines for Control Room Design Review" 7.1-1 Regulatory Guide 1.97, Revision 3, "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident" 7.1-1a 7.1.2 Related Criteria 7.1-2

7.1.3 References

7.1-3

7.2 Protective

Systems 7.2-1

7.2.1 Design

Bases 7.2-1 Core Protection Systems 7.2-1 Engineered Safety Features Protection Systems 7.2-2 Protection Systems Reliability 7.2-3 Protection Systems Redundancy and Independence 7.2-4 Protection Against Multiple Disability for Protection Systems 7.2-5 Demonstration of Functional Operability of Protection Systems 7.2-6 Protection System Failure Analysis Design 7.2-6 Redundancy of Reactivity Control 7.2-7 Reactivity Control Systems Malfunction 7.2-7 Principles of Design 7.2-7 Redundancy and Independence 7.2-7 Manual Actuation 7.2-8 Channel Bypass or Removal from Operation 7.2-8 Capability for Test and Calibration 7.2-8 Information Readout and Indication of By-pass or Removal from Operation 7.2-9 Vital Protective Functions and Functional Requirements 7.2-9 Completion of Protection Action 7.2-10 Multiple Trip Settings 7.2-10 Interlocks 7.2-10 Protective Actions 7.2-10 Indication 7.2-11 Annunciators 7.2-11 Digital Data Processing System (DDPS) 7.2-11 Distributed Control System (DCS) Safety Parameter Display System (SPDS)/ Emergency Response Data Acquisition & Display System (ERDADS) 7.2-12

7-i Revised 09/20/2016

TABLE OF CONTENTS (Continued)

Section Title Page

7.2.2 System

Design 7.2-13 Reactor Protection System Description 7.2-13 System Safety Features 7.2-13 Separation of Redundant Protection Channels 7.2-13 Loss of Power 7.2-14 Reactor Trip Signal Testing 7.2-15 Process Channel Testing 7.2-15 Logic Channel Testing 7.2-16 Primary Power Source 7.2-19 Protective Actions 7.2-19 Reactor Trip Description 7.2-19 Manual Trip 7.2-20 High Nuclear Flux (Power Range) Trip 7.2-20 High Nuclear Flux (Intermediate Range) Trip 7.2-20 High Nuclear Flux (Source Range) Trip 7.2-21 Overtemperature T Trip 7.2-21 Overpower T Trip 7.2-21 Low Pressurizer Pressure Trip 7.2-22 High Pressurizer Pressure Trip 7.2-22 High Pressurizer Water Level Trip 7.2-22 Low Reactor Coolant Flow Trip 7.2-23 Safety Injection System (SIS) Actuation Trip 7.2-23 Turbine Generator Trip 7.2-24 Steam/Feedwater Flow Mismatch Trip 7.2-24 Low-Low Steam Generator Water Level Trip 7.2-24 Rods Stops 7.2-24 Rod Drop Detection 7.2-25 Control Group Rod Insertion Monitor 7.2-26 Setpoint Methodology 7.2-26 7.2.3 System Evaluation 7.2-28 Reactor Protection System and DNB 7.2-28 Specific Control and Protection Interactions 7.2-29 Coolant Temperature 7.2-29 Pressurizer Pressure 7.2-30 Pressurizer Level 7.2-31 Steam Generator Water Level; Feedwater Flow 7.2-31 Steam Line Pressure (Hi Steam Line Flow) 7.2-34 Normal Operating Environment 7.2-34 7.2.4 ATWS Mitigating System Actuation Circuitry (AMSAC) 7.2-35

7.2.5 Steam

Generator Overfill Protection 7.2-37 7.2.6 Eagle 21 Protection System 7.2-38 7.2.7 References 7.2-40

7-ii Revised 08/17/2016

TABLE OF CONTENTS (Continued)

Section Title Page

7.3 Regulating

System 7.3-1 7.3.1 Design Basis 7.3-1 7.3.2 System Design 7.3-4 RCCA Arrangements 7.3-4 Con trol Group Rod Control 7.3-5 Shutdown Groups Control 7.3-6 Interlocks 7.3-7 Rod Drive Performance 7.3-8 Full Length RCCA Position Indication 7.3-8 Individual RCCA Position Indication 7.3-10 Demand Position Indication 7.3-10 Rod Deviation 7.3-10 Turbine By-pass 7.3-11 Feedwater Control 7.3-11 Pressure Control 7.3-12

7.3.3 System

Design Evaluation 7.3-13 Unit Stability 7.3-13 Step Load Changes Without Steam Dump 7.3-13 Loading and Unloading 7.3-14 Loss of Load With Turbine By-pass 7.3-15 Turbine-Generator Trip With Reactor Trip 7.3-15

7.4 Nuclear

Instrumentation 7.4-1 7.4.1 Design Bases 7.4-1 Fission Process Monitors and Controls 7.4-1 Primary Nuclear Instrumentation 7.4-1 Backup Nuclear Instrumentation 7.4-2

7.4.2 System

Design 7.4-2 Protection Philosophy 7.4-3 Source Range Instrumentation 7.4-4 Intermediate Range Instrumentation 7.4-5 Power Range Instrumentation 7.4-6 Equipment Design Basis 7.4-7

7.4.3 Detailed

Description 7.4-7 Detectors 7.4-7 Source Range 7.4-8a Source Range Auxiliary Equipment 7.4-12 Visual - Audio Count Rate 7.4-12 Remote Count Rate Meter 7.4-13 Remote Recorder 7.4-13 Start-up Rate Circuitry 7.4-13 Intermediate Range 7.4-14 Intermediate Range Auxiliary Equipment 7.4-16 Power Range 7.4-17 Power Range Auxiliary Equipment 7.4-21 Comparator 7.4-21 Remote Recorder 7.4-21

7-iii Revised 04/17/2013

TABLE OF CONTENTS (Continued)

Section Title Page

Remote Meter 7.4-22 Overpower Recorder 7.4-22 Remote Meter (Delta Flux) 7.4-22a Axial Flux Comparator 7.4-22a Flux Deviation and Miscellaneous Control and Indication Drawer 7.4-23 7.4.4 System Evaluation 7.4-23 Philosophy and Set Points 7.4-23 Reactor Trip Protection 7.4-24 Rod-Drop Protection 7.4-25 Control and Alarm Functions 7.4-26 Source Range 7.4-26 Intermediate Range 7.4-26 Power Range 7.4-27 Loss of Power 7.4-28 Safety Factors 7.4-28 7.4.5 Regulatory Guide 1.97, Revision 3 7.4-28

7.5 Engineered

Safety Features Instrumentation 7.5-1 7.5.1 Design Basis 7.5-1 Engineered Safety Features Protection Systems 7.5-1

7.5.2 System

Design 7.5-2 Engineered Safety Feature Actuation Instrumentation Description 7.5-2 Feedwater 7.5-3 Indication 7.5-3 Engineered Safety Features Instrumentation 7.5-3 Containment Pressure 7.5-3 Refueling Water Storage Tank Level 7.5-4 Safety Injection Safety Pumps Discharge Pressure 7.5-4 Safety Injection Pump Energization 7.5-4 Radioactivity 7.5-4 Valve Position 7.5-4 Emergency Containment Coolers 7.5-5 Containment Level Instrumentation 7.5-5 Miscellaneous Instrumentation 7.5-5 Alarms 7.5-6 Instrumentation Used During LOCA 7.5-6

7-iv Revised 04/17/2013

TABLE OF CONTENTS (Continued)

Section Title Page

7.5.3 System

Evaluation 7.5-7 Pressurizer Pressure 7.5-7 Steam Generator Level Control During Unit Cooldown 7.5-8 Environmental Capability 7.5-8 7.5.4 Regulatory Guide 1.97, Revision 3 7.5-8 7.5.4.1 Regulatory Guide 1.97 (Revision 3) Requirements 7.5-8 7.5.4.2 Evaluation Criteria 7.5-10 7.5.4.2.1 Environmental Qualification Criteria 7.5-10 7.5.4.2.2 Seismic Qualification Criteria 7.5-11 7.5.4.2.3 Redundance 7.5-12 7.5.4.2.4 Power Sources 7.5-13 7.5.4.2.5 Display and Recording 7.5-14 7.5.4.2.6 Range 7.5-15 7.5.4.3 Type A Variables 7.5-15 7.5.4.4 References 7.5-16 7.6 In-Core Instrumentation 7.6-1 7.6.1 Design Basis 7.6-1 7.6.2 System Design 7.6-1 Thermocouples 7.6-2 Movable Miniature Neutron Flux Detectors 7.6-2 Mechanical Configuration 7.6-2 Control and Readout Description 7.6-4 7.6.3 System Evaluation 7.6-5

7.6.4 Regulatory

Guide 1.97, Revision 3 7.6-5

7.7 Operating

Control Stations 7.7-1

7.7.1 Design

Basis 7.7-1 7.7.2 System Design 7.7-2 7.7.2.1 Control Room 7.7-2 7.7.2.2 Remote (Alternate) Shutdown Capabilities 7.7-3

7.7.3 System

Evaluation - Human Factors Engineering 7.7-4 7.7.3.1 HFE Program 7.7-4 7.7.3.2 Detailed Control Room Design Review Implementation 7.7-4 Technical Approach 7.7-5 Assessment 7.7-6 Implementation 7.7-6 7.7.3.3 DCRDR Implementation Evaluation 7.7-7

7.7.4 References

7.7-9

7-v Revised 04/17/2013

TABLE OF CONTENTS (Continued)

Section Title Page

7.8 Miscellaneous

Alarms 7.8-1 7.8.1 Design Basis 7.8-1 Loose Parts Detection System 7.8-1

7.8.2 System

Design 7.8-1 7.8.3 Alarm Indication 7.8-1

7.9 Leading

Edge Flow Meter (LEFM) 7.9-1 7.9.1 Design and Operation 7.9-1 7.9.2 Operational Restrictions 7.9-2 7.9.3 References 7.9-3

7-vi Revised 04/17/2013

APPENDICES Appendix 7A Distributed Control System (DCS) /Safety Assessment System (SAS) / Emergency Response Data Acquisition and Display System (ERDADS)

7-vii Revised 04/17/2013

LIST OF TABLES

Table Title

7.2-1 Reactor Trip List

7.2-2 Permissive Circuits

7.2-3 Rod Stops 7.4-1 Source Range

7.4-2 Intermediate Range

7.4-3 Power Range 7.5-1 Parameter Listing Summary Sheets Unit 3

7.5-2 Parameter Listing Summary Sheets Unit 4

7.9-1 LEFM Calorimetric Instrumentation 7.9-2 Reduced Power Limits Applicable to Inoperable LEFM Calorimetric Instrumentation 7A-1 DELETED 7A-2 DELETED

7-viii Revised 04/17/2013

LIST OF FIGURES Figure Title 7.2-1 Typical Illustration of High T ( T vs T avg) 7.2-2 Reactor Protection Systems

7.2-3A Reactor Protection System - Redundant Channel Separation Design Configuration 7.2-3B ESF Actuation System - Redundant Channel Separation Design Configuration

7.2-4 Reactor Protection System - Typical Process Channel Testing Configuration

7.2-5 Reactor Trip Signals

7.2-6a Reactor Protection System - Typical Logic Relay Testing Configuration

7.2-6b ESF Actuation System - Typical Logic Relay Testing Configuration 7.2-7 RPS Logic Channel Test Panels

7.2-8a Pressurizer Caused Reactor Trip and Safety Injection Logic Diagram 7.2-8b Steam Generator Caused Reactor Trip and Safety Injection Logic Diagram

7.2-8c Primary Coolant System - Reactor Trips and T avg Interlock Logic Diagram 7.2-8d Nuclear Instrumentation Trip Signals Logic Diagram 7.2-8e Safeguards Actuation and Steam Line Actuation Logic Diagram

7.2-8f Nuclear Instrumentation Permissives and Block Logic Diagram

7.2-8g Setpoint Relationships

7.2-9a Rod Control System - Control System Diagram 7.2-9b T avg Control and Insertion Limit Alarms - Control System Diagram 7.2-10 Index and Symbols for Logic Diagrams 7.2-11a Pressurizer Pressure Protection and Overpressure Mitigation System - Control System Diagram 7.2-11b Pressurizer Pressure Control - Control System Diagram

7.2-12 Pressurizer Level Control and Protection and Charging Pump Control - Control System Diagram 7.2-13 Steam Generator Level Control and Protection - Control System Diagram

7-ix Revised 04/17/2013

LIST OF FIGURES (Continued)

Figure Title

7.2-14a ATWS Mitigation System - Actuation Circuitry (AMSAC) - Logic Diagram (Unit 3) 7.2-14b ATWS Mitigation System - Annunciation Circuitry (AMSAC) - Logic Diagram (Unit 3) 7.3-1 Steam Dump to Condenser Logic Diagram

7.3-1a Steam Dump to Condenser Logic Diagram 7.4-1 Neutron Detectors and Range of Operation

7.4-2a Nuclear Instrumentation Trip Signals - Logic Diagram 7.4-2b Nuclear Instrumentation Permissives and Blocks Logic Diagrams

7.4-3 Plan View Indicating Detector Location Relative to Core 7.6-1 In-core Instrumentation Guide Tube Pressure Seals - Typical Configurations 7.7-1 Control Room Equipment Locations 7.7-2a Control Console Equipment Layout Sections 3C01

7.7-2b Control Console Front View Section 3C02 7.7-3 Vertical Panel "A" Front View Section 3C04 7.7-4 Vertical Panel "A" Front View Section 3C03

7.7-5 Vertical Panel "B" and "C" Front View Section 3C05

7.7-6 Vertical Panel "B" Front View Section 3C06 7.7-7 Control Console Front View Section 4C01 7.7-8 Control Console Front View Section 4C02

7.7-9 Vertical Panels "A" and "C" Front View Section 4CO4 7.7-10 Vertical Panel "A" Front View Section 4CO3

7.7-11 Vertical Panel "B" Front View Section 4CO5 7.7-12 Vertical Panel "B" Front View Section 4CO6

7.8-1 Loose Parts Monitoring System Units 3 & 4 7A-1 DCS(ERDADS) Cable Block Diagram

7-x Revised 04/17/2013

7. INSTRUMENTATION AND CONTROL Supervision of the operation of the nuclear and turbine-generator portions of each unit is accomplished by the instrumentation and control systems which provide the control room operator with required information to operate the units in a safe and efficient manner. The systems are designed to permit periodic on line tests to demonstrate the operability of the reactor protection system.

7.1 GENERAL

DESIGN CRITERIA

Criteria applying in common to all instrumentation and control systems are given in the following listing. Thereafter, criteria which are specified to any one of the instrumentation and control systems are discussed in that section in which the system is described.

7.1.1 INSTRUMENTATION

AND CONTROL SYSTEMS CRITERIA

Instrumentation and Control Systems Criterion: Instrumentation and controls shall be provided as required to monitor and maintain within prescribed operating ranges essential reactor facility operating variables. (GDC 12)

Instrumentation and controls are provided to monitor and maintain all operationally important reactor parameters within prescribed operating ranges as required by the stated criterion. Process variables which are required on a continuous basis for the startup, power operation and shutdown are indicated, recorded, and controlled from the control room which is a controlled access area. The quantity and types of instrumentation provided is adequate for safe and orderly operation of all systems and processes over the full operating range.

NUREG-0700 "Guidelines for Control Room Design Review" The control room design shall consider the control room workspace, instrumentation, controls, and other equipment from a Human Factors Engineering point of view that takes into account both system demands and operator capabilities.

7.1-1 Rev 6 7/88 Regulatory Guide 1.97, Revision 3, "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident" Regulatory Guide 1.97, Revision 3, divides all instrumentation used to monitor Post Accident variables into five functional types as defined in Subsection 7.5.4.1. The requirements for this instrumentation are listed in Table 1 of Regulatory Guide 1.97, Revision 3. The criteria are separated into three separate groups or categories that provide a graded approach to requirements depending on the importance to safety of the measurement of a specific variable. Category 1 provides the most stringent requirements and is intended for key variables. Category 2 provides less stringent requirements, and generally applies to instrumentation designated for indicating system operating status. Category 3 is intended to provide requirements that will ensure that high-quality off-the-shelf instrumentation is obtained and applies to backup and diagnostic instrumentation. It is also used where the state of the art will not support requirements for higher qualified instruments.

Subsection 7.5.4 provides an in depth description of Regulatory Guide 1.97, Revision 3.

7.1-1a Rev 6 7/88

7.1.2 RELATED

CRITERIA Several criteria are related to all instrumentation and control systems but are more specific to other features or systems. These are therefore discussed in other chapters or references, as listed.

Criterion Discussion Suppression of Power Oscillations(GDC-7) Section 3.1 Reactor Core Design (GDC-6) Section 3.1 Quality Standards (GDC-1) Section 4.1 Performance Standards (GDC-5) Section 4.1 Fire Protection (GDC-3) Reference 1 Missile Protection (GDC-4O) Section 5.1 Emergency Power (GDC-39) Section 8.1

7.

1.3 REFERENCES

1. STD-M-006, Engineering Guidelines for Fire Protection for Turkey Point Units 3 & 4.

7.1-2 Revised 09/20/2016

7.2 PROTECTIVE

SYSTEMS The protection systems consists of the control and instrumentation associated with the Engineered Safety Features and the Reactor Protection System. The Engineered Safety Features Instrumentation is discussed further in Section 7.5.

This section contains Figures 7.2-5, 7.2-8a, 7.2-8b, 7.2-8c, 7.2-8d, 7.2-8e, 7.2-8f and 7.2-8g which illustrate logic along with the nominal trip setpoints. The trip setpoint values are also contained in the Technical Specifications and Table 7.2-1.

7.2.1 DESIGN

BASES

Core Protection Systems

Criterion: Core protection systems, together with associated equipment, shall be designed to prevent or to suppress conditions that could result in exceeding acceptable fuel damage limits. (1967 Proposed GDC 14) If the reactor protection system receives signals which are indicative of an approach to unsafe operating conditions, the system actuates alarms, prevents control rod withdrawal, and/or opens the reactor trip breakers.

The basic reactor operating philosophy is to define an allowable region of power and coolant temperature conditions. This allowable range is defined by the primary tripping functions, the overpower T trip, the over-temperature T trip and the nuclear overpower trip. The operating region below these trip settings is designed so that no combination of power, temperatures and pressure could result in DNBR less than the safety analysis limit value with all reactor coolant pumps in operation. A complete list of tripping functions may be found in Table 7.2-1.

7.2-1 Revised 04/06/2018 RCCA (rod cluster control assemblies) withdrawal is prevented by a dropped RCCA signal to provide additional core protection. The dropped RCCA is indicated from individual RCCA position indicators, rod bottom bistables or by a rapid flux decrease on any of the power range nuclear channels.

Rod stops from nuclear overpower, overpower T and overtemperature T deviation are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by operator violation of administrative procedures. Automatic rod withdrawal by the reactor control system has been permanently disabled. The overpower T and overtemperature T rod stop setpoints are the same as the reactor trip setpoints, effectively negating these functions.

Engineered Safety Features Protection Systems

Criterion: Protection systems shall be provided for sensing accident situations and initiating the operation of necessary engineered safety features. (1967 Proposed GDC 15)

Instrumentation and controls provided for the protective systems are designed to trip the reactor, when necessary, to prevent or limit fission product release from the core and to limit energy release; to signal containment isolation; and to control the operation of engineered safety features equipment.

The engineered safety features systems are actuated by the engineered safety features actuation channels. Each coincidence network energizes an engineered safety features actuation device that operates the associated engineered safety features equipment, motor starters and valve operators.

The channels are designed to combine redundant sensors, and independent channel circuitry, coincident trip logic and different parameter measurements so that a safe and reliable system is provided in which a single failure will not defeat the channel function. The action initiating sensors, comparators and logic is shown in the figures included in the detailed

7.2-2 Revised 04/17/2013 Engineered Safety Features instrumentation description given in Section 7.5.2. The Engineered Safety Features instrumentation system actuates (depending on the severity of the condition) the Safety injection System, the Containment Isolation System, containment Emergency Containment Cooling System and Containment Spray System.

The passive accumulators of the Safety Injection System do not require signal or power sources to perform their function. A description of the actuation of the active portion of the Safety Injection System may be found in Table 7.2-1. Containment isolation is as tabulated in Table 7.2-1.

Protection Systems Reliability

Criterion: Protection system shall be designed for high functional reliability and in-service testability necessary to avoid undue risk to the health and safety of the public.(1967 Proposed GDC 19) Protection channels are designed with sufficient redundancy for individual channel calibration and test to be made during power operation without degrading the reactor protection. In general, removal of the channel for calibration/surveillance is accomplished by placing the channel in a partial-trip mode. For example, a two-out-of-three channel becomes a one-out-of-two channel. Testing will not cause a trip unless a trip condition exists in a concurrent channel. Channel bypass capability exists for Eagle 21 (overpower T, overtemperature T and Hi Pressurizer Level) and the Nuclear Instrumentation System (Source Range and Intermediate Range) utilizes channel bypass for calibration/surveillance.

Protection and operational reliability is achieved in part by providing redundant instrumentation channels for each protective function. These redundant channels are electrically independent and physically separated.

The channel design incorporates separate sensors, separate power supplies, separate rack and panel mounted equipment and separate relays for the actuation of the protective function. For protective functions where two-out-of-three or two-out-of-four redundant-coincident actuation is provided, a single channel failure will not impair the protective function nor will it cause an unnecessary unit shutdown.

7.2-3 Revised 08/17/2016 Two of the three high-high containment pressure channels are powered from the same source. However, loss of either power source will not impair the protective function nor will it cause an unnecessary actuation of containment spray.

Protection Systems Redundancy and Independence

Criterion: Redundancy and independence designed into protection systems shall be sufficient to assure that no single failure on removal from service of any component or channel of such a system will result in loss of the protection function. The redundancy provided shall include, as a minimum, two channels of protection for each protection function to be served. (1967 Proposed GDC

20)

The reactor protection system (for which credit is taken in the accident analyses), is designed so that the most probable modes of failure in each channel result in a signal calling for the protective trip. The protection system design combines redundant sensors and channel independence with coincident trip philosophy so that a safe and reliable system is provided, in which a single failure will not defeat the channel function, cause a spurious trip, or violate reactor protection criteria.

Channel independence is carried throughout the system, extending from the sensor to the relay actuating the protective function. The protective and control functions when combined are combined only at the sensor. The protective and control functions are fully isolated in the remaining part of the channel, control being derived from the primary protection signal path through an isolation device. A failure in the control circuit, therefore, does not affect the protection channel.

A discussion of Engineered Safety Features (ESF) instrumentation may be found under Section 7.5.1.

In the Reactor Protection System, two reactor trip breakers are provided to interrupt power to the RCCA drive mechanisms. The breaker main contacts are connected in series with each other and with the power supply so that opening either breaker interrupts power to all full length RCCA drive mechanisms permitting the RCCAs to free fall into the core.

7.2-4 Revised 04/17/2013 Further detail on redundancy is provided through the descriptions of the respective systems covered by the various subsections in this section.

Required continuous power supply for the protection systems is discussed in Section 8.

In summary, reactor protection is designed to meet all presently defined reactor protection criteria and is in accordance with the proposed IEEE 279 "Standard for Nuclear Plant Protection Systems" August 1968. The Eagle 21 instrumentation system is compliant with IEEE 279-1971 (see Section 7.2.6)

Protection Against Multiple Disability for Protection Systems

Criterion: The effects of adverse conditions to which redundant channels or protection systems might be exposed in common, either under normal conditions or those of an accident, shall not result in loss of the protection function or shall be tolerable on some other basis. (1967 Proposed GDC 23)

The components of the protection system are designed and laid out so that adverse environment accompanying an emergency situation, in which the components are required to function, does not interfere with that function.

Separation of redundant process protection channels originates at the process sensors and continues through the field wiring and containment penetrations to the process protection racks. Physical separation is used to the maximum practical extent to achieve separation of redundant transmitters. Separation of field wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant process equipment is separated by locating components in different protection racks. Each channel is energized from a separate instrument bus.

Two of the three high-high containment pressure channels are powered from the same source. However, loss of either power source will not result in loss of the protective function nor will it cause unnecessary actuation of containment spray.

Wiring between vital elements of the system outside of equipment housing is routed and protected so as to maintain the true redundancy of the systems with respect to physical hazards.

7.2-5 Revised 08/17/2016 Demonstration Of Functional Operability Of Protection Systems Criterion: Means shall be included for suitable testing of the active components of protection systems while the reactor is in operation to determine if failure or loss of redundancy has occurred. (1967 Proposed GDC 25)

The signal conditioning equipment of each protection channel in service at power is capable of being calibrated and tested independently by simulated analog input signals to verify its operation without tripping the reactor.

For the RPS, the logic testing scheme includes checking through the trip logic relays to the trip breakers. For the ESF, the logic testing scheme includes checking through the trip logic relays, but does not include the master and slave relays. The master and slave relays are tested during Engineered Safeguards Integrated Testing. Thus, the operability of each trip channel can be determined conveniently and without ambiguity.

Protection System Failure Analysis Design

Criterion: The protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electrical power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced. (1967 Proposed GDC 26)

Each reactor protection channel (for which credit is taken in the accident analyses), is designed on the "de-energize to operate" principle; an open channel or a loss of power causes that channel to go into its trip mode. The Turbine Emergency Trip Header Pressure (Low) is designed to energize the associated logic relays. A loss of DC control power to this relay matrix will still result in a reactor trip.

Reactor trip is implemented by simultaneously interrupting power to the magnetic latch mechanisms on each drive allowing the full length rod clusters to insert by free fall. The entire reactor protection system is thus inherently safe in the event of a loss of power.

Each engineered safety feature channel (Instrumentation and logic relay) is designed on the "de-energized to operate" principle; an open channel or a loss-of-power causes that channel to go into its actuate mode. To achieve ESF actuation, the master and slave relays for each ESF feature (e.g., SI, MSIS,AFW initiation, etc.) must energize to actuate that feature.

7.2-6 Revised 04/17/2013 The components of the protection system are designed and laid out so that adverse environment accompanying an emergency situation, in which the components are required to function, does not interfere with that function.

Refer to Appendix 8A for additional information pertaining to Environmental Qualification.

Redundancy of Reactivity Control

Criterion: Two independent control systems, preferably of different principles, shall be provided. (1967 Proposed GDC 27)

One of the two reactivity control systems employs rod cluster control assemblies to regulate the position of the neutron absorbers within the reactor core. The other reactivity control system employs the Chemical and Volume Control System to regulate the concentration of boric acid solution neutron absorber in the Reactor Coolant System. These systems are described in Sections 3.2 and 9.2, respectively.

Reactivity Control Systems Malfunction

Criterion: The reactor protection system shall be capable of protecting against any single malfunction of the reactivity control system, such as unplanned continuous withdrawal (not ejection or dropout) of a control rod, by limiting reactivity transients to avoid exceeding acceptable fuel damage limits. (1967 Proposed GDC 31)

Reactor shutdown with RCCA is completely independent of the normal control functions since the trip breakers interrupt the power to the full length rod mechanisms regardless of existing control signals. Effects of continuous withdrawal of a RCCA and of deboration are described in Sections 7.3, 9.2, and 14.1.

Principles of Design

Redundancy and Independence

The protective systems are redundant and independent for all vital inputs and functions. Each channel is functionally independent of every other channel and receives power from an independent source. Each train is functionally independent of the other train and receives power from an independent source.

Separation of redundant protection channels is described in further detail in Section 7.2.2.

7.2-7 Revised 04/17/2013 Manual Actuation Means are provided for manual initiation of protective system action.

Failure in the automatic system does not prevent the manual actuation of protective functions. Manual actuation is designed to require the operation of a minimum of equipment.

Channel Bypass or Removal from Operation

The system is designed to permit any one channel to be maintained, tested or calibrated during power operation without system trip. During such operation the active parts of the system continue to meet the single failure criterion, since the channel under test is either tripped or makes use of superimposed test signals which do not negate the process signal.

Channel bypass capability exists for Eagle 21 (overpower T, overtemperature T and Hi Pressurizer level) and the Nuclear Instrumentation System (Source Range and Intermediate Range).

The systems with bypass capability are permitted to violate the single failure criterion during channel bypass, since acceptable reliability has been demonstrated and bypass time interval is short.

Capability for Test and Calibration

The rack portions of the protective system (e.g., relays, comparators, etc.)

provide trip or actuation signals only after signals from process portions of the system reach preset values. Capability is provided for calibrating and testing the performance of the rack portion of protective channels and various combinations of the logic networks during reactor operation.

7.2-8 Revised 04/17/2013 The operational availability of each system input sensor, during reactor operation, is accomplished by cross checking between redundant channels or between channels which bear a known relationship to each other and which have readouts available. Provisions have been made for transmitter calibrations during normal power operation, if deemed necessary.

The design provides for administrative control for the purpose of removing the channels from service for test and calibration purposes and for adjustment. The design provides for administrative control of access to all trip settings, module calibration adjustments, test points, and signal injection points.

Information Readout and Indication of By-Pass or Removal from Operation

The protective system provides the operator with complete information pertinent to system status and safety.

Indication is provided by the annunciation system if some part of the system has been administratively bypassed or taken out of service.

Trips are indicated and identified down to the channel level.

Vital Protective Functions and Functional Requirements

The Reactor Protection System monitors all parameters related to safe operation of the reactor. The system is designed to trip the reactor so as to protect the core against fuel rod cladding damage caused by departure from nucleate boiling (DNB), and to protect the Reactor Coolant System against damage caused by over-pressure. The Engineered Safety Features Instrumentation System monitors parameters to detect failure of the Reactor Coolant System, and initiates Engineered Safety Features operation. The Engineered Safety Features Instrumentation System is described in 7.5.1.

7.2-9 Revised 04/17/2013 Completion of Protective Action Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are part of the protective system and are designed in accordance with the applicable criteria of this section.

The protective systems are so designed that, once initiated, a protective action goes to completion. Return to normal operation requires administrative action by the operator.

Multiple Trip Settings

For monitoring nuclear flux, multiple trip settings are used. When it is necessary to change to a more restrictive trip setting to provide adequate protection for a particular mode of operation or set of operating conditions, the design provides positive means of assuring that the more restrictive trip setting is used. The devices used to prevent improper use of less restrictive trip settings are considered a part of the protective system and are designed in accordance with the applicable criteria of this section.

Interlocks

Interlocks required to limit the consequences of fault conditions other than those specified as limits for the protective function comply with the applicable protective system criteria.

Protective Actions

The Reactor Protection System automatically trips the reactor when the applicable conditions listed in Table 7.2-1 exist. Interlocking functions of the Reactor Protection System prevent control rod withdrawal when certain specified parameters reach values less than the values at which reactor trip is initiated.

7.2-10 Revised 08/17/2016 For anticipated abnormal conditions, protective systems in conjunction with inherent characteristics and engineered safety features are designed to assure that limits for energy release to the containment and for radiation exposure (as in 10 CFR 50.67) are not exceeded.

Indication

All transmitted signals (flow, pressure, temperature, etc) which can lead to a reactor trip are indicated and/or recorded for every channel.

All nuclear flux power range currents (top detector, bottom detector and algebraic difference and average of bottom and top detector currents) are indicated and/or recorded.

Annunciators

Annunciators are also used to alert the operator of deviation from normal operating conditions so that he may take corrective action to avoid a reactor trip. Further, actuation of any rod stop or trip of any reactor trip channel will actuate an annunciator.

Digital Data Processing System (DDPS)

Various plant signals are connected to the Digital Data Processing System (DDPS), which is integrated in plant Distributed Control System (DCS).

Information is displayed at consoles provided for the reactor control operators in the control room.

The DDPS provides the following information:

1. Sequence of events.
2. Data collection and limited processing for:
a. Heat rate determination.
b. Calorimetric reactor output measurement.
c. Reactor core analysis.
d. Primary Coolant System Loose Parts Vibration.
e. Auxiliary Feedwater Pump Parameters 3. Data collection and storage for post trip review.

Information for sequence of events is printed on a printer, located in the control room.

7.2-11 Revised 04/17/2013

Distributed Control System / Safety Parameter Display System / Emergency Response Data Acquisition and Display System The Safety Parameter Display System (SPDS) / Emergency Response Data Acquisition and Display System (ERDADS), Which is integrated in the plant Distributed Control System (DCS), consists of plant process and environmental signals that provide an electronic display of plant parameters, from which the safety status of plant operation may be determined in the control room, Technical Support Center (TSC) and Emergency Operations Facility (EOF). The primary function of the Safety Parameter Display System (SPDS) is to aid operating personnel in the control room in making rapid assessments of the status of plant safety. Duplication of the SPDS / DCS displays in the Technical Support Center and Emergency Operating Facility improves the communication between these facilities and the control room and assists corporate and plant management in the recovery decision-making process.

The Emergency Response Data Acquisition and Display System (ERDADS), which includes the Safety Parameter Display System, is a real time computer based data acquisition and display system designed to assist control room personnel in evaluating the safety status of the plant. The ERDADS aids in the coordinated control of the reactor during upset conditions, while concurrently providing information of concern to the public. The SPDS includes a set of predetermined displays designed to yield relevant, timely, accurate, and unambiguous information to the control room operators, the technical support advisors, and the offsite public safety officials. The SPDS / DCS displays a small but critical subset of the parameters available in the control room, thus reducing the problems associated with information overload and parameter selection. At the same time, by preselecting and grouping critical parameters for each display, the SPDS / DCS facilitates comprehension of the prevailing plant and public safety conditions. This is achieved by presenting high-level displays which summarize plant safety function status, plant system performance, and radiological and meteorological data. Printers and plotters are available for hard copy reports. For details on ERDADS refer to Section 7.5.4.

7.2-12 Revised 04/17/2013

7.2.2 SYSTEM

DESIGN

Reactor Protection System Description

Figure 7.2-1 illustrates typical core limits and shows the maximum trip points which are used for the protection system. The solid lines indicate a typical locus of DNBR equal to the safety analysis limit value (in this example, 1.30) at four pressures, and the dashed lines indicate maximum permissible trip points for the overtemperature T reactor trip. Actual setpoints (the final setpoints will be given in the Technical Specifications) are lower to allow for measurement and instrumentation errors. The overpower T reactor trip limits the maximum core power independent of the DNBR.

Adequate margins exist between the maximum nominal steady state operating point (which includes allowances for temperature, calorimetric, and pressure errors) and required trip points to preclude a spurious trip during design transients.

A block diagram of the Reactor Protection System showing various reactor trip functions and interlocks is shown in Figure 7.2-2.

System Safety Features

Separation of Redundant Protection Channels

The Reactor Protection System is designed to achieve separation between redundant protection channels. The channel design is applied to the process and the logic portions of the protection system, and is shown in Figure 7.2-3A. Also shown in Figure 7.2-3B is the configuration for the Engineered Safety Features Actuation Logic. The reactor trip on loss of 4160V Bus voltage and underfrequency (Trip of RCP breaker) differs from the typical RPS scheme shown in Figure 7.2-3A. They are illustrated by Figure 7.2-8c.

Separation of redundant process channels originates at the process sensors and continues along the field wiring and through containment penetrations to the process protection racks. Isolation of field wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel.

7.2-13 Revised 04/17/2013 Process equipment is isolated by locating redundant components in different protection racks. Each channel is energized from a separate AC power feed.

Logic equipment separation is achieved by providing separate racks, each associated with individual trip breakers. Physical separation is provided between these racks.

The reactor trip comparators are mounted in the process protection racks and are the final operational component in a process protection channel. Each comparator drives two logic relays ("X-A" & "X-B"). The contacts from the "X-A" relays are interconnected to form the required actuation logic for Trip Breaker No. A. The transition from channel identity to logic identity is made at the logic relay coil/relay contact interface. As such, there is both electrical and physical separation between the process and the logic portions of the protection system. The above logic network is duplicated for Trip Breaker No. B using the contacts from the "X-B" relays. Therefore, the two redundant reactor trip logic channels will be physically separated and electrically isolated from one another. The Reactor Protection System is comprised of identifiable channels which are physically, electrically and functionally separated from one another.

Loss of Power

With the exception of Emergency Trip Header Pressure (low), a loss of AC power to any RPS logic relay (Reactor Trip Comparator Output) causes the affected channel to trip. Emergency Trip Header Pressure (low) is designed to energize the associated logic relays (to trip). A loss of DC control power to the RPS logic matrix results in a reactor trip.

A loss of AC power to any ESF logic relay causes the affected channel to trip. Availability of DC control power to the logic matrix is required for train operability. Availability of DC control power to the ESF logic matrix is continuously monitored and annunciated in the control room.

Containment pressure (High-High coincident with High) differs from any other ESF functions in that the channel and train relays may utilize common DC power sources. No single failure of the DC power sources will result in an inadvertent actuation or render the system inoperable. Availability of DC control to the CIS channels and logic matrix is continuously monitored and annunciated in the control room.

7.2-14 Revised 04/17/2013 Reactor Trip Signal Testing Provisions are made for process variables to manually place the output of the comparators in a tripped condition for "at power" testing of all portions of each trip circuit including the reactor trip breakers. Administrative procedure requires that the final element in a trip channel (required during power operation) is placed in the trip mode before that channel is taken out of service for repair or testing, so that the single failure criterion is met by the remaining channels. In the source and intermediate ranges where the trip logic is one-out-of-two for each range, bypasses are provided for this testing procedure.

Nuclear instrument power range channels are tested by superimposing a test signal on the sensor signal so that the reactor trip protection is not bypassed. Based upon coincident logic (2/4) this will not trip the reactor; however, a trip will occur if a reactor trip is required.

Channel bypass capability exists for Eagle 21 (overpower T, overtemperature T and Hi Pressurizer level).

Provision is made for the insertion of test signals in each process loop.

Verification of the rack component response is made by portable instruments at test points specifically provided for this purpose. This enables testing and calibration of meters and comparators. Redundant sensor readouts are checked against each other during normal power operation to monitor transmitter performance. Provisions have been made for transmitter calibrations using precision read-out equipment during normal power operation if deemed necessary.

Process Channel Testing

The basic elements of a process protection channel are shown in Figure 7.2-4.

Rack door alarms are arranged on a protection channel basis to annunciate entry to more than one redundant protection channel at any time. Each process protection rack includes a test panel containing those switches, test jacks and related equipment needed to test the channels contained in the rack. A hinged cover encloses the test panel. Opening the cover or placing the test-operate switch in the "TEST" position will initiate an alarm. The test panel cover is designed such that it cannot be closed (and the alarm cleared) unless the test signal plugs (described below) are removed.

7.2-15 Revised 04/17/2013 Closing the test panel cover will mechanically return the test switches to the "OPERATE" position. Each digital protection rack includes a test panel, which is used to interface with a portable Man Machine Interface (MMI) test cart.

Administrative procedures will require that the bistable trip switch, in the channel under test, be placed in the tripped mode prior to test. This places a proving lamp across the comparator output so that the comparator trip point can be checked during channel surveillances and calibration. The comparator trip switches must be manually reset after completion of a test. Closing the test panel cover will not restore these switches to the untripped mode.

However, the annunciator on the RTG board cannot be reset until these comparators are returned to the untripped mode.

Administrative procedures allow the nuclear instrumentation source range and intermediate range protection channels to be placed in bypass during periodic testing. Annunciation is provided whenever the NIS (Source Range and Intermediate Range) bypass selector switch is placed in bypass. Power range overpower protection is not disabled since this function is not affected by the testing of circuits. Channel bypass capability exists for Eagle 21 (overpower T, overtemperature T and Hi Pressurizer level). Annunciation is provided whenever any of the Eagle 21 trips are placed in bypass. Administrative procedures also allow the power range dropped-rod annunciation to be placed in bypass during testing. Annunciation is provided whenever the power range dropped rod and rod stop protection bypass selector switch is placed in bypass. In addition, the rod position system would provide indication and associated corrective actions for a dropped rod condition.

Channel calibration consists of inserting a test signal from an external source into the test signal injection point. Where applicable, the channel power supply will serve as a power source for the calibration, which permits verifying the output load capacity of the power supply. Test points, located in the process channel, provide independent means of measuring the output of the calibration components.

Logic Channel Testing

The general design features of the logic system are described below. The trip logic channels for typical two-out-of-three RPS and ESFAS trip functions are shown in Figures 7.2-3A and 7.2-3B. The typical RPS and ESFAS logic relay testing configurations are shown in Figure 7.2-6A and 7.3-6B. Each comparator drives two relays.

7.2-16 Revised 04/17/2013 Contacts from the Train "A" relays are arranged in a 2/3 or 2/4 trip matrix for Trip Breaker A. The above configuration is duplicated for Trip Breaker B using contacts from the Train "B" relays. A series configuration is used for the trip breakers since they are actuated (opened) by undervoltage coils and shunt trip relays. This approach is consistent with a de-energize-to-trip preferred failure mode. The logic system testing includes exercising the reactor trip breakers to demonstrate system integrity. By-pass breakers are provided for this purpose. During normal operation, these by-pass breakers are open. Administrative procedures will be used to minimize the amount of time these breakers are closed. An interlock is provided to preclude the closing of both bypass breakers (Train A and B). Indication of a closed condition of either by-pass breaker is provided locally on the test panel and is annunciated in the control room.

As shown in Figure 7.2-5, the trip signal from the logic network is simultaneously applied to the main trip breaker associated with the specific logic chain as well as the by-pass breaker associated with the alternate trip breaker. Should a valid trip signal occur while by-pass breaker (BYA)is by-passing reactor trip breaker (RTA), RTB will be opened through its associated logic train. The trip signal applied to RTB is simultaneously applied to BYA thereby opening the by-pass around BYA. BYA would either have been opened manually as part of the test or would be opened through its associated logic train which would be operational or tripped during a test.

An auxiliary relay is located in parallel with the undervoltage coils of the trip breakers. This relay is connected to ERDADS which can provide a sequence of events printout which is used to indicate transmission of a trip signal through the logic network during testing. Lights are also provided to indicate the status of the logic relays.

Two shunt trip relays are connected in parallel with the undervoltage coil.

These relays provide additional assurance for opening the trip breakers on an automatic trip signal by energizing the breaker trip coil (i.e., shunt trip attachment).

The following procedure illustrates the method used for testing Reactor Trip Breaker A and its associated logic network.

a. With the BYA in the test position, close and trip BYA to verify operation.

7.2-17 Revised 04/17/2013

b. Rack-in and close BYA. Test the undervoltage and shunt trips (independently) for RTA.
c. Sequentially de-energize the trip relays for each logic combination (1-2, 1-3,2-3). Verify that the logic network de-energizes the undervoltage coil on RTA for each logic combination. When the appropriate logic is actuated, the signal applied to the undervoltage coil is verified by use of the test panel test lights. (Note: operation of the shunt trip attachment is tested independently of the undervoltage coil).
d. Repeat "C" for every logic combination in each matrix.
e. Reset RTA. Trip and rack-out BYA.

In order to minimize the possibility of operational errors (such as tripping the reactor inadvertently or only partially checking all logic combinations) each logic network includes a logic channel test panel. This panel includes those switches, test lights and recorders needed to perform the logic system test. This arrangement is illustrated in Figure 7.2-7. The test switches used to de-energize the trip comparator relays operate through inter-posing relays as shown in Figure 7.2-4 and 7.2-6. This approach avoids violating the separation philosophy used in the process channel design. Thus, although test switches for redundant channels are conveniently grouped on a single panel to facilitate testing, physical and electrical separation of redundant protection channels are maintained by the inclusion of the interposing relay which is actuated by the logic test switches.

7.2-18 Revised 04/17/2013 Primary Power Source The primary power sources for the Reactor Protection System are the instrument buses described in Section 8. The source of electrical power for the sensors and the actuation of circuits in the engineered safety features instrumentation is also from these buses.

Protective Actions

Reactor Trip Description

Rapid reactivity shutdown is provided by the insertion of full length RCC assemblies by free fall. Duplicate series-connected reactor trip breakers maintain all power to the full length control rod drive mechanisms. The full length RCCA must be energized to remain withdrawn from the core. Automatic reactor trip occurs upon the loss of power to the full length control rods.

The reactor trip breakers are opened by the undervoltage coils on both breakers. The undervoltage coils (which are normally energized) become de-energized by any one of the several trip signals. In order to provide additional assurance of tripping the reactor trip breakers per NRC, Generic Letter 83-28 Item 4.3 (Reference 4), the reliability of the reactor protection system is enhanced by a design change to also use the shunt trip attachments to open the reactor trip breakers automatically. The automatic shunt trip function is considered safety related. The breaker closing circuit is electrically separated from the tripping circuit and is considered non-safety related.

The design of the devices providing signals to the reactor trip breaker undervoltage trip coils is such as to cause this coil to trip the breaker on a reactor trip signal or power loss.

Certain reactor trip channels are automatically bypassed at low power where they are not required for safety. Nuclear source range and intermediate range trips are specifically provided for protection at low power or subcritical operation, and at higher power operations they are bypassed by manual action.

7.2-19 Revised 04/17/2013

During power operation, a sufficient amount of rapid shutdown capability in the form of control rods is administratively maintained by means of the control rod insertion limit monitors. Administrative control requires that all shutdown group rods be in the fully withdrawn position during power operation.

A list of reactor trips, means of actuation, required setpoints, and the coincident circuit requirements is given in Table 7.2-1. The interlock circuits, referred to in Table 7.2-1, are listed in Table 7.2-2.

Manual Trip

The manual actuating devices are independent of the automatic trip circuitry, and are not subject to failures which make the automatic circuitry inoperable. Either of two manual trip devices located in the control room can initiate a reactor trip.

High Nuclear Flux (Power Range) Trip

This circuit trips the reactor when two of the four power range channels read above the trip set-point. There are two independent trip settings, a high and a low setting. The high trip setting provides protection during normal power operation. The low setting, which provides protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10% power (P10). Three out of the four channels below 10% automatically reinstates the trip function. The high setting is always active.

High Nuclear Flux (Intermediate Range) Trip

This circuit trips the reactor when one out of the two intermediate range channels reads above the trip set-point. This trip, which provides protection during reactor startup, can be manually bypassed if two out of four power range channels are above approximately 10% (P10): Three out of four channels below this value automatically reinstates the trip function.

The intermediate channels (including detectors) are separate from the power range channels.

7.2-20 Revised 04/17/2013 High Nuclear Flux (Source Range) Trip This circuit trips the reactor when one of the two source range channels reads above the trip set-point. This trip, which provides protection during reactor startup can be manually bypassed when one of two intermediate range channels reads above the P6 setpoint value and is automatically reinstated when both intermediate range channels decrease below this value (P6). This trip is also bypassed by two out of four high power range signals (P10). The trip function can also be reinstated below P10 by an administrative action requiring coincident manual actuation. The trip point is set between the administrative source range cutoff power level setpoint and the maximum source range power level.

Overtemperature T Trip The purpose of this trip is to protect the core against DNB. This trips the reactor on coincidence of two out of the three signals, with one set of temperature measurements per loop. The set point for this reactor trip is continuously calculated for each loop by solving the equation provided in Section 2.2 of the Technical Specifications.

Three of the four power range detectors provide input (one per channel) to the overtemperature T trip function. Thus, a single failure neither defeats the function nor causes a spurious trip. Changes in f (I) can only lead to a decrease in trip setpoint.

A rod stop is initiated when

T > T rod stop where

T rod stop = T setpoint - B p B P = a set point bias The setpoint bias is set to zero, effectively negating this rod stop.

Overpower T Trip The purpose of this trip is to protect against excessive power level (fuel rod rating protection). This trips the reactor on coincidence of two out of the three signals, with one set of temperature measurements per loop.

7.2-21 Revised 04/17/2013 The set point for this reactor trip is continuously calculated for each channel by solving equations provided in Section 2.2 of the Technical Specifications.

A similar rod stop function is provided for overpower protection. The setpoint bias is also set to zero, effectively negating this rod stop.

Low Pressurizer Pressure Trip

The purpose of this trip is to protect against excessive core steam voids which could lead to DNB. This trips the reactor on coincidence of two out of the three low pressurizer pressure signals. This trip is blocked when three of the four power range channels and two of two turbine inlet pressure channels read below approximately 10% power (P7).

High Pressurizer Pressure Trip

The purpose of this trip is to limit the range of required protection from the overtemperature T trip and to protect against Reactor Coolant System overpressure. The reactor is tripped on coincidence of two out of the three high pressurizer pressure signals.

High Pressurizer Water Level Trip

This trip is provided as a backup to the high pressurizer pressure trip. The coincidence of two out of the three high pressurizer water level signals trips the reactor. This trip is blocked when three of the four power range channels and two of two turbine inlet pressure channels read below approximately 10% power (P7).

7.2-22 Revised 04/17/2013 Low Reactor Coolant Flow Trip This trip protects the core from DNB following a low flow or loss of coolant flow. The means of sensing low flow and a loss of coolant flow accident are as follows:

a. Measured low flow in the reactor coolant piping.

The low reactor flow trip is actuated by the coincidence of 2/3 signals for any reactor coolant loop. The loss of flow in any two loops causes a reactor trip in the power range above approximately 10% (P7). Above approximately 45% power (P8), the loss of flow in any loop causes a reactor trip. The flow measurement utilizes an elbow tap which is discussed in Section 4.2.

b. Monitored electrical supply to the reactor coolant pumps

The voltage and frequency of the buses which supply power to the reactor coolant pumps is monitored. Under voltage on both buses on either Train A or B logic will cause a reactor trip above approximately 10% power (P-7). Under frequency will cause a pump breaker trip which then will cause a reactor trip as follows:

1)Above approximately 10% power a loss of 2 of the 3 pumps will cause a trip (P-7).

2) Above approximately 45% power a loss of 1 of the 3 pumps will cause a trip (P-8).

Safety Injection System (SIS) Actuation Trip

A reactor trip occurs when the safety injection system is actuated by signals as listed in Table 7.2-1.

7.2-23 Revised 04/17/2013 Turbine Generator Trip A turbine trip is sensed by two out of three signals from Emergency Trip Header pressure or 2/2 stop valves closed. A turbine trip causes a direct reactor trip above approximately 10% power (P7) and a controlled short term release of steam to the condenser which removes sensible heat from the reactor coolant system and thereby avoids steam generator safety valve actuation.

The turbine control system automatically trips the turbine generator under any of the following conditions:

a. Turbine overspeed
b. Generator lock-out
c. Low condenser vacuum
d. High thrust bearing wear e. Low bearing oil pressure
f. Reactor trip
g. Manual trip
h. AMSAC signal

i.High-High steam generator level j. Safeguards actuation

Steam/Feedwater Flow Mismatch Trip

This trip protects the reactor from a sudden loss of its heat sink. The trip is actuated by a steam/feedwater flow mismatch (1/2) in coincidence with low water level (1/2) in any steam generator.

Low-Low Steam Generator Water Level Trip

The purpose of this trip is to protect the steam generators in the case of a sustained steam/feedwater flow mismatch of insufficient magnitude to cause a flow mismatch reactor trip. The trip is actuated on two out of the three (2/3) low-low water level signals in any steam generator.

Rods Stops

Rod stops are added to prevent a reactor trip or prevent an abnormal condition from increasing in magnitude.

7.2-24 Revised 08/17/2016 A list of rod stops is given in Table 7.2-3. Some of these have been previously noted under permissive circuits, but are listed again for completeness.

Rod Drop Detection

Two independent systems are provided to sense a dropped rod, (1) rod position system rod bottom bistables and (2) nuclear instrumentation power range circuits which sense sudden reduction in out-of-core neutron flux. These systems are not reactor protection systems.

A dropped RCCA would be detected by the rod bottom signal derived for each rod from its individual position indication system. With the position indication system, initiation of action is not dependent on location, reactivity worth or power distribution changes.

Backup is provided by use of the out-of-core power range nuclear detectors and is particularly effective for larger nuclear flux reductions occurring in the region of the core adjacent to the detectors.

The rod drop detection circuit from nuclear flux consists basically of a comparison of each of the four ion chamber signals with the same signal taken through a first order lag network. Since a dropped RCC assembly will rapidly depress the local neutron flux, the decrease in flux will be detected by one or more of these circuits.

Such a sudden decrease in ion chamber current will be seen as a changed channel level. A negative signal output greater than a preset value (approximately 5 percent) from any one of the four power range channels will initiate the rod drop annunciation. Automatic rod withdrawal by the reactor control system has been permanently disabled. Manual rod withdrawal is not blocked by nuclear instrumentation system power range rod drop detection.

Figure 7.4-2b indicates schematically the Nuclear Instrumentation System, including the dropped RCCA alarm.

7.2-25 Revised 04/17/2013 Control Group Rod Insertion Monitor The control group rod insertion limits, Z LL, are calculated as a linear function of power and reactor coolant average temperature. The equation is:

Z LL = A (T)avg + B (T avg) + C where A, B are preset manually adjustable gains and C is a preset manually adjustable bias. The (T)avg and (T avg) are the average of the individual temperature differences and the coolant average temperatures respectively measured from the reactor coolant hot leg and the cold leg.

An insertion limit monitor with two alarm set points is provided for the control banks. A description of control and shutdown rod groups is provided in Section 7.3. The "Low" alarm alerts the operator of an approach to a reduced shutdown reactivity situation requiring boron addition by following procedures with the Chemical and Volume Control System. If the actuation of the "Low-Low" alarm occurs, the operator should take immediate action to add boron to the system.

Setpoint Methodology The nominal trip setpoints (NTS) for the reactor trip system and engineering safety features are provided in Table 7.2-1. The NTS values are the Limiting Safety System Setting (LSSS) values that are calculated based on limits derived from the safety analyses and process instrumentation and adjusted to account for the specific instrument uncertainties. The instrument uncertainties for the trip setpoints affected by the EPU are based on the methodology described in WCAP-17070P, Westinghouse Setpoint Methodology for Protection Systems Turkey Point Units 3 and 4 (Power Uprate to 2644 MWt - Core Power) (Reference 5). The guidance of Technical Specification Task Force (TSTF) No. 493, Rev. 4, Option A, "Clarify Application of Setpoint Methodology for LSSS Functions," (Reference 6) is applied to the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) setpoints and surveillance requirements impacted by EPU.

EPU impacted RTS functions include power range high neutron flux, Overtemperature AT, Overpower AT, reactor coolant low flow, steam generator low-low water level, steam/feedwater flow mismatch coincident with steam generator low water level, and turbine trip on emergency trip header pressure (Table 7.2-1 items 2, 3, 4, 8, 13, 12, & 11, respectively).

7.2-26 Revised 04/17/2013

EPU impacted ESFAS functions include safety injection on high steam line flow coincident with low steam generator pressure, steam line isolation on high steam line flow coincident with low steam generator pressure, feedwater isolation on high-high steam generator water level, and auxiliary feedwater actuation on low-low steam generator water level (Table 7.2-1 items 19e, 22, 26a, & 25a, respectively). The setpoint methodology establishes the NTS and Allowable Value (AV) for each of the affected functions. The AVs at Turkey Point are "performance based" and are determined by adding (or subtracting) the rack calibration accuracy (RCA) of the device tested during the Channel Operational Test (COT) to the NTS in the non-conservative direction, i.e., toward or closer to the Safety Analysis Limit (SAL) for the application. See Figure 7.2-8g for an illustration of setpoint relationships between SAL, Channel Statistical Allowance (GSA), RCA, As-Found Tolerance (AFT), and As-Left Tolerance (ALT) are shown and AFT=ALT=RCA where the RCA uncertainty term is based on equipment manufacturer's performance specifications.

Surveillance limits are established to verify that RTS and ESFAS instrumentation operates within the boundaries of applicable instrument uncertainty calculations. These limits are implemented in plant procedures in accordance with TS Notes (a) and (b) below which are consistent with the wording provided in TSTF-493 Rev 4. These notes specify operability criteria and require that out-of-tolerance conditions detected during surveillances be evaluated before returning the channel to service. The notes have been inserted into TS Table 4.3-1, RTS Instrumentation Surveillance Requirements and TS Table 4.3-2, ESFAS Instrumentation Surveillance Requirements. The methods used to determine the NTS and AV values and summaries of the associated calculations are described in WCAP-17070-P (Reference 5).

Note (a) states: "If the as-found channel setpoint is outside its predefined as-found tolerance, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service." Note (b) states: "The instrument channel setpoint shall be reset to a value that is within the as-left tolerance around the Nominal Trip Setpoint (NTS) at the completion of the surveillance; otherwise, the channel shall be declared inoperable. Setpoints more conservative than the NTS are acceptable provided that the as-found and as-left tolerances apply to the actual setpoint implemented in the surveillance procedures (field settings) to confirm channel performance. The NTS and methodologies used to determine the as-found and the as-left tolerances are specified in UFSAR Section 7.2." 7.2-27 Revised 04/17/2013

7.2.3 SYSTEM

EVALUATION

Reactor Protection System and DNB

The following is a description of how the reactor protection system prevents

DNB.

The variables affecting the DNB ratio are:

Thermal Power Coolant flow Coolant temperature Coolant pressure Core power distribution (hot channel factors)

Figure 7.2-1 illustrates the typical core safety limits for which DNBR for the hottest fuel rod is equal to the safety analysis limit value (in this example, 1.30) and shows the overpower and overtemperature T reactor trips locus as a function of T avg and pressure. This illustration is derived from the inlet temperature versus power relationships. Figure 7.2-9b illustrates

T avg control and insertion limit alarms and is typical for one reactor coolant loop. Figure 7.2-9a illustrates the rod control system.

Reactor trips for a fixed high pressurizer pressure and for a fixed low pressurizer pressure are provided to limit the pressure range over which core protection depends on the overpower and overtemperature T trips.

Reactor trips on nuclear overpower and low reactor coolant flow are provided for direct, immediate protection against rapid changes in these parameters.

However, for all cases in which the calculated DNBR approaches the safety analysis limit value, a reactor trip on overpower and/or overtemperature T would also be actuated.

The Reactor Protection System actuates a reactor trip for a set of conditions for which the calculated DNBR for the worst fuel rod approaches the safety analysis limit value. Because of the statistical nature of the DNB correlation used and the statistical makeup of a portion of the hot channel factors, there exists a finite probability of a few rods being in DNB for a calculated ratio equal to the safety analysis limit value for the worst fuel rod (Section 3.2.2).

7.2-28 Revised 04/17/2013

For the anticipated abnormal conditions, it is highly unlikely that the exact combination of conditions (reactor coolant pressure, temperature and core power, instrumentation inaccuracies, etc.) that cause a DNBR equal to the safety analysis limit value will be approached before a reactor trip. The simultaneous loss of power to all of the reactor coolant pumps is the accident condition most likely to approach the DNBR limit value for the calculated worst fuel rod. In any event the DNBR at the worst fuel rod is near the limit value for only a few seconds.

Typically, the hottest fuel rods are not adjacent to one another. They are located near the RCCA thimbles. Fuel rods located in the immediate vicinity of the hottest fuel rod have a DNBR higher than that rod.

In the event of a difference between the upper and lower power range detector signals that exceeds the desired range, automatic feedback signals are provided to reduce the overtemperature trip setpoint and block rod withdrawal.

Specific Control and Protection Interactions

Four power-range nuclear flux channels are provided for overpower protection.

Isolated output from one of these channels is used for automatic control rod regulation of power. If any channel fails in such a way as to produce a low output, that channel is incapable of proper overpower protection.

Two-out-of-four overpower trip logic will ensure an overpower trip, if needed, even with an independent failure in another channel.

A rapid decrease of any nuclear flux signal will annunciate rod drop. An overpower signal from any nuclear channel will block manual rod withdrawal.

The set point for this rod stop is below the reactor trip set point.

Coolant Temperature

Each overtemperature-overpower protection channel calculates T avg and T based on the temperature measurements from the associated RCS loop. The median T avg signal (of the three separate channels) is used for automatic control rod regulation of power and temperature. Two out of three (2/3) trip logic is used to ensure that a trip occurs, if needed, even with an independent failure in another channel.

7.2-29 Revised 04/17/2013 Manual rod withdrawal blocks will occur if any one of four nuclear channels indicates an overpower condition or if any two of three overtemperature or overpower channels exceed the trip setpoint.

Finally, as shown in Section 14.1, the combination of trips on nuclear overpower, high pressurizer water level, and high pressurizer pressure also serve to limit an excursion for any rate of reactivity insertion.

Pressurizer Pressure

Three pressure channels are used for high and low pressure protection and as part of overtemperature protection (See Figures 7.2-11a and 7.2-11b).

Pressure control is accomplished by spray, power-operated relief valves, and heaters which are controlled by output signals from two separate pressure control channels. The pressurizer safety valves are adequately sized to prevent system overpressure.

a) Low Pressure

A spurious high pressure signal from the control channel can cause low RCS pressure by spurious actuation of spray and/or a relief valve. Additional redundancy is provided in the protection system to ensure underpressure protection, i.e., two-out-of-three low pressurizer pressure reactor trip logic and two-out-of-three low pressurizer pressure safety injection logic.

b) High Pressure

The pressurizer heaters are incapable of overpressurizing the reactor coolant system. Maximum steam generation rate with heaters is about 13,000 lbs/hr., compared with a total capacity of 941,478 lbs/hr. for the three safety valves and a total capacity of 420,000 lbs/hr. for the two power-operated relief valves. Therefore, additional redundancy for overpressure protection is not required for a pressure control failure. Two-out-of-three high pressurizer pressure trip logic is therefore used.

In addition, either of the two relief valves can easily maintain pressure below the high pressure trip point. The two relief valves are controlled by independent pressure channels, one of which is independent of the pressure channel used for heater control.

Finally, the rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available for operator action.

7.2-30 Revised 04/17/2013

Pressurizer Level Three pressurizer level channels in a two-out-of-three logic (2/3) for high pressurizer level are used for reactor trip. This function is not relied upon as a primary trip function in the plant safety analysis. It may perform as a backup trip for any significant heatup transient which results in a large specific volume change for the RCS primary coolant. Isolated output signals from these channels are used for volume control, increasing or decreasing water level.

A level control failure could fill or empty the pressurizer at a slow rate (on the order of half an hour or more). Therefore, ample time and alarms exist for operator action in the event of increasing or decreasing water level in the pressurizer. (See Figure 7.2-12).

(a) High Level

A reactor trip on pressurizer high level is provided to prevent rapid thermal expansions of reactor coolant fluid from filling the pressurizer: the rapid change from high rates of steam relief to water relief can be damaging to the safety valves and the relief piping and pressure relief tank. However, a level control failure cannot actuate the safety valves because the high pressure reactor trip is set below the safety valve set pressure. With the slow rate of charging available, overshoot in pressure before the trip is effective is much less than the difference between reactor trip and safety valve set pressures. Therefore, a control failure does not require protection system action.

In addition, ample time and alarms are available for operator action.

(b) Low Level

Ample time and alarms exist for operator action in the event of a decreasing water level in the pressurizer.

Steam Generator Water Level; Feedwater Flow

Before describing control and protection interaction for these channels, it is beneficial to review the protection system basis for this instrumentation.

(See Figure 7.2-13).

7.2-31 Revised 04/17/2013 The basic function of the reactor protection circuits associated with low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long term residual heat. Should a complete loss of feedwater occur with no protective action, the steam generators would boil dry. and cause an overtemperature-overpressure excursion in the reactor coolant. Reactor trips on temperature and pressure will trip the unit before there is any damage to the core or reactor coolant system. Residual heat would cause thermal expansion after trip and discharge of the reactor coolant to the pressurizer relief tank through the pressurizer relief valves.

Redundant auxiliary feedwater pumps are provided to prevent this. Reactor trips act before the steam generators are dry to reduce the required capacity and starting time requirements of these pumps and to minimize the thermal transient on the reactor coolant system and steam generators. Independent trip circuits are provided for each steam generator for the following reasons:

1. Should severe mechanical damage occur to the feedwater line to one steam generator, it is difficult to ensure the functional integrity of level and flow instrumentation for that unit. For instance, a major pipe break between the feedwater flow element and the steam generator would cause high flow through the flow element. The rapid depressurization of the steam generator would drastically affect the relation between downcomer water level and steam generator water inventory.
2. It is desirable to minimize thermal transient on a steam generator for credible loss of feedwater accidents.

It should be noted that controller malfunctions caused by a protection system failure affect only one steam generator. Also, they do not impair the capability of the main feedwater system under either manual control or automatic control. Hence, these failures are far from being the worst case with respect to decay heat removal with the steam generators.

(1) Feedwater Flow

The feedwater flow signal is monitored by the control system for sudden changes such that a spurious high signal from the feedwater flow channel being used for control would not cause a significant reduction in feedwater flow. The feedwater controller will reject to MANUAL when the spurious signal is detected.

7.2-32 Revised 04/17/2013 This condition is alarmed such that the failure is promptly detected. The spurious high signal will prevent that channel from tripping from steam/feedwater flow mismatch coincident with low steam generator level. A reactor trip on steam generator low-low water level, independent of indicated feedwater flow, will ensure a reactor trip if needed.

In addition, the three-element feedwater controller incorporates reset on level, such that with expected controller settings a rapid increase in the flow signal would cause only a small decrease in level before the controller re-opened the feedwater valve. A slow increase in the feedwater signal would have no effect at all.

(2) Steam Flow

A spurious low steam flow signal would have the same effect as a high feedwater signal, discussed above.

(3) Level

The level signal is monitored by the control system for sudden changes such that a spurious high water level signal from the protection channel used for control will not close the feedwater control valve; instead, the feedwater controller will reject to MANUAL when the spurious signal is detected. This condition is alarmed such that failure is promptly detected. This level channel is independent of the level channels used for reactor trip on steam/feedwater flow mismatch coincident with low steam generator level.

a) A rapid increase in the level signal will reject the feedwater controller to MANUAL and generate an alarm. If the alarm is not properly responded to this will lead to an actuation of a reactor trip on steam/feedwater flow mismatch coincident with low level.

b) A slow increase in the level signal may not actuate a low feedwater signal. Since the resulting level decrease is slow, the operator has time to respond to low level alarms. Since only one steam generator is affected, automatic protection is not mandatory and reactor trip on two-out-of-three low-low level is acceptable.

7.2-33 Revised 04/17/2013

(4) Median T avg is used as an index to select gain and reset tuning parameters for feedwater control at low power levels. A spurious change to T avg from a protection channel will cause the T avg median signal selector to select the median channel and a small change in T avg. Small changes in T avg will have minimal impact on tuning parameters and no adverse effects on feedwater control.

Steam Line Pressure (Hi Steam Line Flow)

High steam flow in 2 out of 3 steam generators coincident with low steam line pressure in 2 out of 3 steam lines or Lo-T avg in 2 out of 3 loops will actuate safety injection and close the main steam isolation valves (steam break protection).

Normal Operating Environment

The control room is maintained at the personnel comfort level of (70 + 10) oF. Protective equipment inside the room is designed to operate within design tolerance over this temperature range and will perform its protective function in an ambient of 120 oF and 95% relative humidity (i.e., there will be no loss-of-function in an ambient temperature of 120 o F).

The operating environment for equipment within the containment will normally be controlled to less than 120 oF. Operation with elevated normal bulk containment temperatures up to 125 oF for short periods of time during the summer months has been evaluated and is acceptable; refer to Section 14.0.

The Reactor Protective System instrumentation within the containment is designed for continuous operation. The temperature of the out-of-core neutron detectors is maintained at or below 135 oF by the normal containment air cooling system. The detectors are designed for continuous operation at 135 oF and will withstand operation at 175 oF for short durations.

Typical test data (or reasonable engineering extrapolation based on test data) will be used to verify that protection systems equipment will meet, on a continuing basis, the functional requirements under the anticipated normal ambient conditions.

7.2-34 Revised 04/17/2013

7.2.4 ATWS MITIGATING SYSTEM ACTUATION CIRCUITRY (AMSAC)

An Anticipated Transient Without Scram (ATWS) event is an operational transient (e.g., loss of load, loss of feedwater, loss of off-site power) followed by a failure of the Reactor Protection System (RPS) to shutdown the reactor. Title 10 CFR 50.62 requires that all pressurized water reactors have backup equipment, diverse from the RPS, to automatically initiate the Auxiliary Feedwater System and turbine trip under conditions indicative of an ATWS event.

This requirement has been satisfied by the addition of ATWS Mitigating System Actuating Circuitry (AMSAC), which in addition to the requirements of 10 CFR 50.62 to automatically initiate the Auxiliary Feedwater System and trip the turbine, will trip the control rod MG set output breakers which will trip the reactor. AMSAC serves as a non-safety related backup protective system to the RPS by preventing overpressurization of the Reactor Coolant System, conservation of steam generator inventory, and insertion of the reactor control rods following an ATWS event. AMSAC actuation logic is shown in Figure 7.2-14a.

AMSAC is initiated when low steam generator level is sensed and the RPS fails to respond with an automatic reactor trip. The AMSAC nominal trip setpoint is based on the low steam generator level RPS safety analysis limit (4%) plus an allowance for the total loop uncertainty of the AMSAC steam generator level input signals. A low level on two of three steam generators for both Channels I and II with turbine power greater than 40% (minus an allowance for the total loop uncertainty), as indicated by turbine inlet pressure, is required for AMSAC to initiate. The 1-5 volt input signals to AMSAC are obtained from the voltage drop across the existing 250 ohm test point resistors in the 4-20 milliampere secondary loops for Channels I and II steam generator level and Channels III and IV turbine inlet pressure. Qualified isolators are used in addition to the existing secondary loop isolators to provide for electrical isolation between AMSAC and RPS circuitry in accordance with the requirements for the Safety Evaluation Report for the Westinghouse Owners Group Topical Report WCAP-10858 "AMSAC Generic Design Package".

The logic for AMSAC is developed using two microprocessors (A & B) with Channel I steam generator level input signals aligned to Microprocessor A and Channel II steam generator level input signals aligned to Microprocessor B.

7.2-35 Revised 04/17/2013 The inlet turbine pressure input signals are aligned to both microprocessors. Normally, both microprocessors must be in service for AMSAC to be operational; however, a "processor selector switch" is provided on the AMSAC panel that allows for a single microprocessor mode of operation to facilitate microprocessor maintenance without loss of AMSAC. In addition, AMSAC can be completely bypassed by placing the "normal/bypass switch", located on the AMSAC panel, into the bypass position. The microprocessors perform periodic, self-diagnostic testing to enhance the overall reliability of the system and are designed in a fault-tolerant configuration that reduces the possibility of inadvertent actuation.

The input isolators are powered from a vital uninterruptible instrumentation power source, either 3P08 (Unit 3) or 4P08 (Unit 4). The microprocessors are powered from a non-vital uninterruptible instrumentation power source, either 3P31 (Unit 3) or 4P31 (Unit 4). A loss of power to the isolators, the microprocessors, or the input signal loops will disable AMSAC.

The output signals from AMSAC generate turbine trip, reactor trip and auxiliary feedwater initiation. The AMSAC signal energizes the auxiliary feedwater auto-start relays, which open the steam supply motor operated valves to admit steam to the auxiliary feedwater pump steam turbines, open the auxiliary feedwater trip and throttle valves (if electrically closed), and close the steam generator blowdown and sampling isolation valves.

Qualified relays are used as isolation devices between the non-safety related AMSAC output modules and the safety related auxiliary feedwater auto-start relays. The AMSAC signal energizes the turbine trip solenoids to generate a turbine trip. In addition, the AMSAC signal energizes the control rod MG set output breakers trip coil. Tripping the breakers causes a loss of power to the control rod drive mechanisms causing insertion of the control rods. Since the turbine trip solenoid circuits and control rod MG set output breaker circuits are non-safety related, electrical isolation from AMSAC is not required.

There is no manual initiation capability available for AMSAC, since manual initiation of turbine trip, auxiliary feedwater and reactor trip is currently available. The AMSAC signal can be reset from both the main control room at panels, 3C04 (Unit 3) and 4C04 (Unit 4), and the AMSAC panels, 3C391 (Unit 3) and 4C391 (Unit 4). Main control room indication is provided for AMSAC actuation, AMSAC signal and dual microprocessor mode of operation, and AMSAC bypass.

7.2-36 Revised 04/17/2013 A single annunciator window is provided for alarm of any of the following signals: (1) Low of Voltage (input signal loops, isolators, or processor);

(2) AMSAC Actuated; (3) AMSAC Bypass; or (4) Processor A/B Trouble. Input to the plant computer (DDPS) for Microprocessor A and/or B actuation is also provided. Local indication and digital readout is provided to give specific AMSAC status. The Units 3 and 4 AMSAC panels are located in the Cable Spreading Room and are seismically qualified and mounted to preclude adverse affects on safety related components and circuits due to a postulated seismic event. AMSAC annunciation logic is shown in Figure 7.2-14b.

7.2.5 STEAM

GENERATOR OVERFILL PROTECTION

As a result of the technical resolution of the Unresolved Safety Issue (USI)

A-47,"Safety Implication of Control Systems in LWR Nuclear Power Plants," the NRC concluded that protection should be provided for certain control system failures and that selected emergency procedures should be modified to assure that plant transients resulting from control system failures do not compromise plant safety. The NRC concluded that all PWR plants should provide automatic steam generator overfill protection, and that plant procedures and Technical Specifications should include provisions to periodically verify the operability of the overfill protection and to assure that automatic overfill protection is available to mitigate main feedwater overfill events during reactor power operation.

In response to these conclusions, the NRC issued Generic Letter 89-19 (Reference 1),"Request for Action Related to Resolution of Unresolved Safety Issue A-47...," which requested that licensees incorporate features of the steam generator overfill protection into plant procedures and plant Technical Specifications.

In response to NRC Generic Letter 89-19, FPL submitted a proposed license amendment to the NRC (Reference 2), which addressed the recommendations from the Generic Letter and revised the Technical Specifications to include appropriate limiting condition of operation (LCO) and surveillance requirements for steam generator overfill protection. The NRC approved Technical Specification changes (Reference 3) implemented the requested improvements and included the addition of SG high-high level feedwater isolation signals to Technical Specification Tables 3.3-2, 3.3-3 and 4.3-2 under the heading of "SG Water Level - High-High" along with a corresponding discussion for Section 4.3 of Technical Specification Bases.

7.2-37 Revised 04/17/2013

Steam generator overfill protection is achieved by utilizing the existing steam generator level high-high signal. The high-high signal is actuated when the level in any steam generator exceeds the high-high setpoint and isolates feedwater by closing the feedwater valves and initiates other associated actions. The instrumentation, setpoints and surveillances already exist, however, they were used for equipment protection.

The steam generator level Protection Channels I, II, and III are designed to combine redundant sensors, independent channel circuitry, coincident trip logic of 2 out of 3, and varied parameter measurement to ensure that a safe and reliable system is provided.

The steam generator overfill protection function is not part of the Engineered Safety Features Actuation System (ESFAS), but was added to the ESFAS Technical Specification tables without modification of the existing design. This function was specifically developed to meet commitments to the NRC criteria contained in Generic Letter 89-19. Although the steam generator overfill protection feature uses much of the same instrumentation as the steam generator low-low trip (reactor trip circuitry), portions of the circuitry for steam generator high-high level overfill protection may not meet all the criteria which apply to ESFAS functions. This is because the steam generator high-high level function was not originally designed to be part of the ESFAS system.

7.2.6 EAGLE

21 PROTECTION SYSTEM Prior to a modification (References 7 and 8) performed on each unit in the early 1990s, reactor coolant temperature measurements used for reactor protection and control were made by Resistance Temperature Detectors (RTD) located in reactor coolant loop bypass manifolds. Due to maintenance and radiation exposure problems associated with the bypass manifolds, a temperature measurement modification was implemented that eliminated the manifold piping and valves and that uses three dual element RTDs mounted in thermowells in each coolant loop.

The modification also included the removal of the analog protection modules and circuits used in the T avg, Delta T, and Pressurizer Level protection functions and replaced them with a digital system (Eagle 21). The Eagle 21 Protection System provides the reactor trip functions of Overpower T, Overtemperature T, and Pressurizer Water Level - High, and the same redundancy as it replaced the analog protection channels on a one-for-one basis. The Pressurizer Water Level - High instrumentation was included in the Eagle 21 modification because two channels were located in the same instrument racks associated with the RTD bypass elimination modification.

7.2-38 Revised 08/17/2016

The Eagle 21 Protection System meets the requirements of IEEE-279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE-323-1974, "IEEE Standard for Qualifying Class IE Equipment for Nuclear Power Generating Stations," for normal and accident environments. The design verification and validation process is in accordance with Westinghouse Design Standard 408A47, Replacement Hardware Design, Verification and Validation Plan, Revision 3, which is modeled after the guidance in Regulatory Guide 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems in Nuclear Plants," November 1985 and IEEE/ANSI 7-4.3.2-1982, "Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations". WCAP-12632, Revision 1 (Reference 9), describes the application of the Eagle 21 Protection System to the Turkey Point units. WCAP-12374, Revision 1 (Reference 10), is the generic topical report for the Eagle 21 Protection System which provides a more detailed discussion of system design including applicable codes and standards.

7.2-39 Revised 08/17/2016

7.

2.7 REFERENCES

1. NRC Generic Letter 89-19,"Request for Action Related to Resolution of Unresolved Safety Issue A-47,`Safety Implication of Control Systems in LWR Nuclear Power Plants' Pursuant to 10 CFR 50.54(f)," dated September 20, 1989.
2. FPL letter to the NRC L-93-276,"Proposed License Amendment - Steam Generator Overfill Protection (Generic Letter 89-19)," dated December 28, 1993.
3. NRC letter to FPL,"Issuance of Amendments RE: Steam Generator Overfill Protection (TAC NO.s M88560 and M88561)," dated April 28, 1994.
4. NRC Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Events," July 8, 1983.
5. WCAP-17070-P, Rev.1, "Westinghouse Setpoint Methodology for Protection Systems Turkey Point Units 3 and 4 (Power Uprate to 2644 Mwt - Core Power)" January 2011.
6. Technical Specification Task Force (TSTF) No. 493, Rev. 4, "Clarify Application of Setpoint Methodology for LSSS Functions," July 2009.
7. Unit 3 PC/M No.90-220, RTD Bypass Elimination Modification and Eagle 21 Installation, (EC 244881).
8. Unit 4 PC/M No.90-221, RTD Bypass Elimination Modification and Eagle 21 Installation, (EC 244882).
9. WCAP-12632, RTD Bypass Elimination Licensing Report for Turkey Point Units 3 and 4, Revision 1, November 1990.
10. WCAP-12374, Topical Report Eagle-21 Microprocessor-based Process Protection System, Revision 1, December 1991.

7.2-40 Revised 08/17/2016 TABLE 7.2-1 Sheet 1 of 8 LIST OF REACTOR TRIPS & CAUSES OF ACTUATION OF: ENGINEERED SAFETY FEATURES, CONTAINMENT ISOLATION AND STEAM LINE ISOLATION & AUXILIARY FEEDWATER ACTUATION

REACTOR TRIP TRIP SETPOINT COINCIDENCE CIRCUITRY AND INTERLOCKS COMMENTS

1. Manual NA 1/2, no interlocks
2. Power Range 108% RTP* 2/4, no interlocks High and low settings; High Neutron Flux 25% RTP* 2/4, manual block manual block and automatic permitted by permissive P-10 reset of low setting b y P-10, Table 7.2-2.
3. Overtemperature T Note 1 2/3, no interlocks Note 2
4. Overpower T Note 3 2/3, no interlocks Note 4
5. Low Pressurizer Pressure >1835 psig 2/3, interlocked with P-7 (fixed set point)
6. High Pressurizer Pressure <2385 psig 2/3, no interlocks (fixed set point)
7. High Pressurizer Water Level <92% of instrument 2/3, interlocked with P-7 span
8. Low Reactor Coolant Flow 90% of loop thermal 2/3, per loop, interlocked with Low flow in 2 loops design flow** P-7, and P-8 permitted below P-7. Low flow in 1 loop permitted below P-8. 9. Monitored Electrical Supply to Reactor Coolant Pumps:

9a. Undervoltage - 4.16 KV >70% bus voltage 1/2, on both buses, interlocked with P-7 Buses A and B

9b. Underfrequency - Trip of Reactor >56.1 HZ Under frequency on 1 out of 2 on Under frequency on any Coolant Pump Breaker(s) Open either bus bus will trip minimum of one reactor coolant pump and consequently cause a reactor trip; reactor trip interlocked with P-7 and P-8

  • RTP = Rated Thermal Power ** Loop thermal design flow = 86,900 gpm

Revised 04/17/2013

TABLE 7.2-1 (Continued)

Sheet 2 of 8

REACTOR TRIP TRIP SETPOINT COINCIDENCE CIRCUITRY AND INTERLOCKS COMMENTS

9c. Reactor Coolant Pump Breakers NA interlocked with P-7 and P-8

10. Safety Injection Signal NA (Actuation) See Item 19
11. Turbine-Generator Trip 2/3, low Emergency Trip Header Pressure interlocked with P-7, or 2/2 stop Emergency Trip Header Pressure 1000 psig valve closure indication (interlocked with P-7) Turbine Stop Valve Fully closed***
12. Steam/Feedwater Flow Mismatch, Feed flow <20% 1/2, steam/feedwater flow mismatch coincident with : below steam flow in coincidence with 1/2 low steam generator water level per loop Low Steam Generator Water Level 16% of narrow range instrument span
13. Low-Low Steam Generator Water 16% of narrow range 2/3, per loop Level instrument span
14. Intermediate Range Neutron Flux <25% of RTP* 1/2, manual block permitted by P-10 Manual block and automatic reset
15. Source Range Neutron Flux <10 5 CPS 1/2, manual block permitted by P-6, Manual block and automatic interlocked with P-10 reset by P-6, automatic block by P-10
16. Phase A - Safety Injection Signal NA See Item 19 (except manual isolation); Actuates all non-essential service containment isolation trip valves. Manual Initiation 2 momentary push buttons, pressing of either push button (1/2) will actuate.
  • RTP = Rated Thermal Power *** Limit switch is set when turbine stop valves are fully closed.

Revised 04/17/2013

TABLE 7.2-1 (Continued) Sheet 3 of 8 CONTAINMENT ISOLATION ACTUATION TRIP SETPOINT COINCIDENCE CIRCUITRY AND INTERLOCKS COMMENTS

17. Phase B - Containment Pressure 2/3 high containment in coincidence Actuates all essential High High Coincident with 20 psig with 2/3 high-high pressure service containment Containment Pressure High 4 psig isolation trip valves Manual Initiation NA 2/2, No Interlocks CONTAINMENT VENTILATION ISOLATION

18a. High Containment Activity Note 5 High activity signal, from air This additional signal particulate detector or radiogas closes containment purge detector. (1/2) supply and exhaust valves.

18b. Phase A Containment Isolation Manual 18c. Phase B Containment Isolation Manual 18d. Safety Injection See Item 19 ENGINEERED SAFETY FEATURES ACTUATION

19. Safety Injection Signal (A) See Item 10
a. Manual Initiation NA 1/2, no interlocks b. Containment Pressure - High <4 psig 2/3, no interlocks c. Pressurizer Pressure - Low >1730 psig 2000 psig (Pzr Press) d. High Differential Pressure <100 psid 2/3, manual block permitted below 2000 psig Between the Steam Line (pressurizer pressure)

Header and any Steam Line e. Steam Line Flow - High A function defined as 1/2 in 2/3 steam generators, manual follows: A p corres- block permitted below 543

ûF(Tavg Temp) ponding to 40% steam flow at 0% load increasing linearly from 20% load to a value corresponding to 114% steam flow at full load. coincident with: Steam Generator 614 psig 2/3, manual block permitted below 543 oF (Tavg Temp) Pressure - Low, or Tavg - Low >543 oF 2/3, manual block permitted below 543 oF (Tavg Temp) 20. Containment Spray Signal (P)

Containment Pressure - <20.0 psig 2/3 high containment pressure in High - High coincident with: coincidence with 2/3 High-High Containment Containment Pressure - High <4.0 psig pressure

21. Emergency Containment Cooling NA Safety injection signal initiates the start of two of three ECCs in accordance with the Safety Injection Starting Sequence. The third swing ECC will automatically start upon failure of either of the other two ECCs to start.

Revised 04/17/2015

TABLE 7.2-1 (Continued)

Sheet 4 of 8 STEAM LINES ISOLATION ACTUATION TRIP SETPOINT COINCIDENCE CIRCUITRY AND INTERLOCKS COMMENTS

22. Steam Flow 1/2 High steam line flow in 2 out of 3 loops coincident with either low Tavg Steam Line Flow - High A function defined as in 2 out of 3 loops or low steam line follows: A p corres- pressure in 2 out of 3 loops ponding to 40% steam Manual block is permitted below 543

ûF flow at 0% load increasing (Tavg Temp) linearly from 20% load to a value corresponding to 114% steam flow at full load.

coincident with: Steam Line 614 psig Pressure - Low or Tavg - Low >543 o F

23. Containment Pressure 2/3 high containment pressure signal in coincidence with 2/3 high-high High <4.0 psig containment pressure High - High <20.0 psig
24. Manual per Steam Loop NA 1/1 per steam line

AUXILIARY FEEDWATER ACTUATION

25a. Low-Low Steam Generator Level 16% NRS 2/3 per loop, no interlocks b. Safety Injection Signal N/A See Item 19 c. Feedwater Pump Trip N/A Trip of all operating feed pumps d. Bus stripping N/A e. AMSAC 8.65% 2/3 Low Steam Generator Level, for Both channels, with turbine power greater than 40% (minus an allowance for instrument uncertainty)

MAIN FEEDWATER ISOLATION

26a. Close Main Feedwater Control Actuated by: This function is related to Valves (fast closure) 1. Safety injection (see #19) the Steam Generator Overfill 2. 2/3 high-high level Protection function; (80%) in steam generator

3. Reactor trip coincident with low Tavg (slow closure) 26b. Close Bypass Feedwater 1. Safety injection (see item 19) Control Valves 2. 2/3 high-high level(80%) in any steam generator 26c. Close Backup Feedwater Isolation Valves Safety injection signal (See Item 19)
27. a) Trip Steam Generator Feed Pumps Safety injection signal (See Item 19)

b) Turbine Trip 2/3 high-high level (80%) in any steam generator Revised 04/06/2018

TABLE 7.2-1 (Continued)

Sheet 5 of 8 TABLE NOTATIONS NOTE 1: OVERTEMPERATURE T Those values denoted with [*] are specified in the COLR (Chapter 14, Appendix A)

Where: T = Measured T by RTD Instrumentation 1 + 1 S = Lead/Lag compensator on measured T; 1 = [*]s, 2 = [*]s 1 + 2 S 1 = Lag compensator on measured T; 3 = [*]s 1 + 3 S T o = Indicated T at RATED THERMAL POWER K

1 = [*] K 2 = [*]/o F; 1 + 4 S = The function generated by the lead-lag compensator for Tavg 1 + 5 S dynamic compensation; 4 , 5 = Time constants utilized in the lead-lag compensator for T avg , 4 = [*]s, 5 = [*]s; T = Average temperature, o F; 1 = Lag compensator on measured Tavg; 6 = [*]s 1 + 6 S T' < [*]

oF (Indicated Loop Tavg at RATED THERMAL POWER);

K 3 = [*]/psi;

Revised 04/17/2013

()()()()+++++++

TABLE 7.2-1 (Continued)

Sheet 6 of 8 TABLE NOTATIONS (Continued)

NOTE 1: (Continued)

P = Pressurizer pressure, psig;

P' > [*] psig (Nominal RCS operating pressure);

S = Laplace transform operator, s-1; and f 1 (I) is a function of the indicated difference between top and bottom detectors of the power-range neutron ion chambers; with gains to be selected based on measured instrument response during plant startup tests such that:

(1) For q t - q b between -[*]% and [*]%, f 1 (I) = 0, where q t and q b are percent RATED THERMAL POWER in the top and bottom halves of the core respectively, and q t + q b is total THERMAL POWER in percent of RATED THERMAL POWER; (2) For each percent that the magnitude of q t - q b exceeds -[*]%, the T Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER; and (3) For each percent that the magnitude of q t - q b exceeds [*]%, the T Trip Setpoint shall be automatically reduced by [*]% of its value at RATED THERMAL POWER.

NOTE 2: The Overtemperature T function Allowable Value shall not exceed the nominrl trip setpoint by more than 0.5% T span for the T channel; 0.2% T span for the Pressurizer Pressure Channel; and 0.4% T span for the F(I) channel. No separate Allowable Value is provided for T avg because this function is part of the T value.

Revised 04/17/2013

TABLE 7.2-1 (Continued)

Sheet 7 of 8 TABLE NOTATIONS (Continued)

NOTE 3: OVERPOWER T Those values denoted with [*] are specified in the COLR (Chapter 14, Appendix A)

Where: T = As defined in Note 1; 1 + 1 S = As defined in Note 1; 1 + 2 S 1 = As defined in Note 1; 1 + 3 S T o = As defined in Note 1;

K 4 = [*];

K 5 > [*]/oF for increasing average temperature and [*]/

oF for decreasing average temperature;

7S = The function generated by the lead-lag compensator for Tavg dynamic 1 + 7 S compensation; 7 = Time constants utilized in the lead-lag compensator for Tavg , 7 > [*]s, 1 = As defined in Note 1; 1 + 6 S

Revised 04/06/2018

()()()()()++++++

TABLE 7.2-1 (Continued)

Sheet 8 of 8 TABLE NOTATIONS (Continued)

NOTE 3: (Continued)

K 6 = [*]/oF for T > T" and K 6 = [*] for T < T" ;

T = As defined in Note 1; T" < [*]

oF (Indicated Loop Tavg at RATED THERMAL POWER);

S = As defined in Note 1, and f

2 (I) = [*]

NOTE 4: The Overpower T function Allowable Value shall not exceed the nominal trip setpoint by more than 0.5% T span for the channel. No separate Allowable Value is provided for Tavg because this function is part of the T value. NOTE 5: Particulate (R-11) <6.1 x 10 5 CPM Gaseous (R-12)

Containment Gaseous Monitor Setpoint = (3.2 x 10 4) CPM, ( F )

Containment Gaseous Monitor Allowable Value = (3.5 x 10 4) CPM, ( F )

where F = Actual Purge Flow Design Purge Flow (35,000 CFM)

Setpoint may vary according to current plant conditions provided that the release rate does not exceed allowable limits provided in the Offsite Dose Calculation Manual.

Revised 04/17/2013

TABLE 7.2-2

PERMISSIVE CIRCUITS

Number Function Required input

1 Prevent rod withdrawal 1/4 high nuclear flux (power range) or on overpower 1/2 high nuclear flux (intermediate range) or 2/3 overtemperature T or 2/3 overpower T. 2*

3*

4*

5 Steam dump to condenser Rapid decrease of MWe load signal permissive, fast load drop (turbine inlet pressure) arms system

6 Manual block of source 1/2 high intermediate range flux range trip allows manual block, 2/2 low intermediate range defeats block.

7 Permissive power (block 2/4 high nuclear flux (power range) various trips). Required or 1/2 high turbine power (inlet only at power. pressure) enables trips.

3/4 low nuclear flux (power range) and 2/2 low turbine power (inlet pressure) blocks trips.

8 Block single primary loop 2/4 high nuclear flux (power range) loss of flow trip blocks trip.

9*

10 Manual block of low power 2/4 high nuclear flux (power range) range trip and high allows manual block, intermediate range trip 3/4 low nuclear flux (power range) defeats manual block.

Manual block of safety 2/3 low pressurizer pressure, injection 2/3 low T avg temperature

  • Not applicable to this plant.

Revised 04/17/2013

Revised 10/23/2006

7.3 REGULATING

SYSTEM

7.3.1 DESIGN

BASIS

The reactor automatic control system is designed to respond to a rapid change in indicated nuclear flux versus steam demand (0/N-QT) through automatic rod insertion only. This system does not have the capability for automatic rod withdrawal. Overall reactivity control is achieved by the combination of chemical shim and Rod Cluster Control Assemblies (RCCA). Long-term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short-term reactivity control for power changes or reactor trip is accomplished by moving RCCAs.

The function of the Reactor Control System is to provide automatic control of the RCCAs (rod insertion only) during power operation of the reactor. The system uses input signals including coolant temperature and turbine load.

The Chemical and Volume Control System (Section 9) supplements the reactor control system by the addition and removal of varying amounts of boric acid solution.

There is no provision for a direct continuous visual display of primary coolant boron concentration. When the reactor is critical, the best indication of reactivity status in the core is the position of the control group in relation to power and average coolant temperature. There is a direct relationship between control rod position and power and it is this relationship which establishes the lower insertion limit calculated by the rod insertion limit monitor. There are two alarm setpoints to alert the operator to take corrective action in the event a control group approaches or reaches its lower limit.

7.3-1 Rev. 16 10/99 Any unexpected change in the position (insertion) of the control group under automatic control or a change in coolant temperature under manual control provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, periodic samples are taken for determination of the coolant boron concentration. The variation in concentration during core life provides a further check on the reactivity status of the reactor including core depletion.

The Reactor Control System is designed to enable the reactor to follow load reductions automatically when the output is above 15% of nominal power.

Control rod positioning (insertion) may be performed automatically when output is above this value. Control rod positioning may be performed manually at any time.

The operator is able to select any single bank of rods for manual operation.

This is accomplished with a multiposition switch so that he may not select more than one bank. He may also select automatic or manual reactor control, in either case, however, the control banks can be moved only in their normal sequence with some overlap as one bank reaches its full withdrawal position and the next bank begins to withdraw. Relay interlocks, designed to meet the single failure criterion, are provided to preclude simultaneous withdrawal of more than one bank of control and shutdown rods except in overlap regions.

The system enables the nuclear units to accept a step load reduction of 10%

and a ramp reduction of 5% per minute within the load range of 100% to 15%

without reactor trip subject to possible xenon limitations. With automatic rod withdrawal disabled, ramp load increase to 5% per minute is performed manually. Manual rod withdrawal will be needed to bring the reactor coolant average temperature to the programmed value following a 10% load increase transient.

The control system is capable of restoring coolant average temperature following a scheduled or transient reduction in load.

7.3-2 Revised 04/17/2013 The pressurizer water level is programmed to be a function of the average coolant temperature. This is to minimize the requirements on the Chemical and Volume Control and Waste Disposal System resulting from coolant density changes during loading and unloading from full power to zero power.

Following a reactor and turbine trip, sensible heat stored in the reactor coolant is removed without actuating the steam generator safety valves by means of controlled steam bypass to the condenser and by injection of feedwater to the steam generators. Reactor coolant system temperature is reduced to the no load condition. This no load coolant temperature is maintained by steam bypass to the condensers which removes residual heat.

The control system is designed to operate the system over the full range of automatic control throughout core life.

7.3-3 Rev. 12 5/95

7.3.2 SYSTEM

DESIGN

The Power Regulating System can be broken down into two subsystems as follows: 1. Rod Control System

a. Rod Drive Programmer
b. Rod Position Indication (1) Individual (2) Group A control diagram of the Rod Control System is shown in Figure 7.2-9a.
2. Steam Dump Control Control logic for steam dump to condenser is shown in Figure 7.3-1 and Figure 7.3-1a.

RCCA Arrangements

There are 45 total RCCAs. The rods are divided into (1) a shutdown group comprising two shutdown banks of 8 rod clusters each, (2) a control group comprising 4 control banks containing 8, 8, 8, and 5 rod clusters. Figure 3.2.1-1 shows the location of RCCAs within the core. The four banks of the control group are the only rods that can be manipulated under

7.3-4 Rev. 16 10/99 automatic control. The banks are divided into subgroups to obtain smaller incremental reactivity changes. All RCCAs in a subgroup are electrically paralleled to move simultaneously. There is individual position indication for each RCCA. The drive mechanism for the RCCAs is described in Section

3.2.3. Control

Group Rod Control

The reactor control system is capable of restoring programmed average temperature following a reduction in load. The coolant average temperature increases linearly from zero to full power.

Reactivity changes caused by fuel depletion and/or xenon transients are initially compensated through manual rod control. Final compensation for these two effects is made by adjusting the boron concentration. The control system may then readjust (insert) the control group rods to respond to changes in coolant average temperature resulting from changes in boron concentration.

The coolant temperatures are measured by the hot leg and the cold leg resistance temperature detectors. There is one average temperature per loop.

The median of three loop average temperatures is the main control signal.

This signal is sent to the control group rod programmer through a lead/lag compensation unit. The control group rod programmer determines the direction and speed of control group rod motion.

The RCCAs are divided into six main banks, and each bank into two subgroups, to follow load changes over the full range of power operation.

Each subgroup in a bank is driven by the same variable speed rod drive control unit which moves the subgroups sequentially one step at a time. The sequence of motion is reversible; that is, a withdrawal sequence is the reverse of the insertion sequence. The variable speed sequential rod control affords the ability to insert a small amount of reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband.

7.3-5 Rev. 16 10/99 Manual control is provided to move a control bank in or out at a preselected fixed speed.

Proper sequencing of the RCCA is assured first, by fixed programming equipment in the Rod Control System, and second, through administrative control of the reactor operator. Startup is accomplished by first manually withdrawing the shutdown rods to the full out position. This action requires that the operator select the SHUTDOWN BANK position on a control board mounted selector switch and then position the IN-HOLD-OUT lever (which is spring return to the HOLD position) to the out position.

RCCA are then withdrawn under manual control of the operator by positioning the IN-HOLD-OUT lever to the OUT position. In the MANUAL selector switch position, the rods are withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming equipment.

Programming is set so that as the first bank out reaches a preset position near the top of the core, the second bank out begins to move out simultaneously with the first bank. This staggered withdrawal sequence continues until the unit reaches the desired power level. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank out is the first control bank in.

With the simplicity of the rod program, the minimal amount of operator selection, and two separate direct position indications available to the operator, there is very little possibility that rearrangement of the control rod sequencing could be made.

Shutdown Groups Control

The shutdown groups of control rods together with the control groups are capable of shutting the reactor down. They are used in conjunction with the adjustment of chemical shim and the control groups to provide shutdown margin of at least one per cent following reactor trip with the most reactive control rod in the fully withdrawn position for all normal operating conditions.

7.3-6 Rev. 4 7/86 The shutdown groups are manually controlled during normal operation and are moved at a constant speed. Any reactor trip signal causes them to fall into the core. They are fully withdrawn during power operation and are withdrawn first during startup. Criticality is always approached with the control groups after withdrawal of the shutdown groups.

Interlocks The manual controls are interlocked with measurements of T and rod position system rod bottom bistables to prevent approach to an overpower condition.

7.3-7 Revised 04/27/2010 Rod Drive Performance The control is driven by a sequencing, variable speed rod drive programmer.

In the control group of RCC assemblies, control subgroups (each containing a small number of RCC assemblies) are moved sequentially in a cycle such that all subgroups within a group are maintained within one step of each other.

The sequence of motion is reversible, that is, withdrawal sequence is the reverse of the insertion sequence. The sequencing speed for rod insertion is proportional to the control signal from the Reactor Control System. This provides control group speed control proportional to the demand signal from the control system.

A rod drive mechanism control center is provided to receive sequenced signals from the programmer and to actuate SCRs in series with the coils of the rod drive mechanisms. Two reactor trip breakers are placed in series with the supply for these coils. To permit on-line testing, a bypass breaker is provided across each of the two trip breakers.

Full Length RCCA Position Indication Two separate systems are provided to sense and display control rod position as described below:

a) Analog System - An analog signal is produced for each RCCA by a linear position transmitter.

7.3-8 Rev 16 10/99 An electrical coil stack is placed above the stepping mechanisms of the control rod magnetic jacks external to the pressure housing. When the associated control rod is at the bottom of the core, the magnetic coupling between a primary and secondary is small and there is a small voltage induced in the secondary. As the control rod is raised by the magnetic jacks, the relatively high permeability of the lift rod causes an increase in magnetic coupling. Thus, an analog signal proportional to rod position is derived.

Direct, continuous readout of every RCC assembly position is presented to the operator by individual meter indications, without need for operator selection or switching to determine rod position.

Lights are provided for rod bottom positions for each rod. The lights are operated by bistable devices in the analog system.

b) Digital System - The digital system counts pulses generated in the rod drive control system. One counter is associated with each group (or subgroups) of RCCAs. Readout of the digital system is in the form of add-subtract counters reading the number of steps of rod withdrawal with one display for each group or subgroup. These readouts are mounted on the control panel.

The digital and analog systems are separate systems; each serves as backup for the other. Operating procedures require the reactor operator to compare the digital and analog readings upon recognition of any apparent malfunction.

Therefore, a single failure in rod position indication does not in itself lead the operator to take erroneous action in the operation of the reactor.

A detailed description of the solid state rod control power supply will be available in a WCAP report.

7.3-9 Rev 16 10/99 Individual RCCA Position Indication This system derives the position signal directly from measurements of the drive rod position utilizing a linear variable differential transformer (LVDT) as a detector. The drive shaft varies the amount of coupling between the primary and secondary windings of the coils which generates an analog signal proportional to rod position. The LVDT signal is conditioned and displayed on individual meters mounted on the operating console.

Demand Position Indication The bank demand position signal is derived from the programmer and is displayed on an add-subtract pulse counter mounted in the control console.

Rod Deviation Control rods - The actual rod position signals are monitored by rod deviation monitoring equipment which provides an alarm whenever an individual rod position signal deviates from any other rod in a bank by a preset limit.

Shutdown rods - An alarm is generated whenever any shutdown rod is inserted a preset amount from the fully withdrawn position.

7.3-10 Turbine By-Pass A turbine by-pass system is provided to accommodate a reactor trip with turbine trip, or 50% loss of load without reactor and turbine trip. The turbine by-pass system removes steam to reduce the transient imposed upon the reactor coolant system. The control rod system can then reduce the reactor power to a new equilibrium value without causing overtemperature and/or overpressure conditions.

The turbine by-pass is actuated when the median average coolant temperature exceeds the programmed value by a given value and the turbine inlet pressure decrease is greater than a given value. All the turbine by-pass valves stroke to full open immediately upon receiving the maximum by-pass signal.

The by-pass valves are modulated after they are full open by the median coolant average temperature signal. The turbine bypass flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value.

The turbine by-pass steam capacity varies from approximately 27.2 to 34.4 percent of full load steam flow based on the full power average temperature and steam pressure operating window.

Feedwater Control

Each steam generator is equipped with a three-element feedwater controller (see Figure 7.2-13) which maintains a programmed water level as a function of load on the secondary side of the steam generator. The three-element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the water level signal and the steam flow signal which is compensated by a steam pressure signal. The feedwater controller gain and reset tuning parameters are adjusted as a function of steam flow, feed flow, or T avg to provide optimal controller performance over the entire operating range. The steam generators are operated in parallel, both on the feedwater and on the steam side.

7.3-11 Revised 04/17/2013 Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor coolant following a reactor trip and turbine trip. An override signal closes the feedwater valves when the average coolant temperature is below a given temperature or when the respective steam generator level rises to a given value. Manual override of the feedwater control systems is also provided.

Pressure Control

The reactor coolant system pressure is maintained at constant value by using either the heaters (in the water region) or the spray (in the steam region of the pressurizer). The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater groups are proportional heaters which are used to control small pressure variations. These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are turned on when the pressurizer pressure controller signal is below a given value.

The spray nozzle is located at the top of the pressurizer. Spray is initiated when the pressure controller signal is above a given set point.

The spray rate increases proportionally with increasing pressure until it reaches a maximum value. Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer.

Two power operated relief valves limit system pressure to 2350 psia for large load reduction transients.

Three spring-loaded safety valves limit system pressure to 2750 psia following a complete loss of load without direct reactor trip or turbine by-pass.

7.3-12 Revised 04/17/2013

7.3.3 SYSTEM

DESIGN EVALUATION

Unit Stability

The Rod Control System is designed to maintain coolant average temperature about the control system set point within acceptable values. Because stability is more difficult to maintain, at low power under automatic control, no provision is made to provide automatic control below 15 percent of full power.

Step Load Changes Without Steam Dump

A typical power control requirement is to restore equilibrium conditions, without a trip, following a minus 10 percent step change in load demand, over the 15 to 100 percent power range for automatic control. The design must necessarily be based on conservative conditions and a greater transient capability is expected for actual operating conditions. A load demand greater than full power is prohibited by the Turbine Control System (TCS) load limiting software.

The function of the control system is to minimize the reactor average coolant temperature deviation during the transient within a given value. Excessive pressurizer pressure variations are prevented by using spray and heaters in the pressurizer.

7.3-13 Revised 08/17/2016 The margin between over-temperature T set-point and the measured T is of primary concern for the step load changes. This margin is influenced by nuclear flux, pressurizer pressure, average reactor coolant temperature, and temperature rise across the core.

Loading and Unloading Ramp loading and unloading is performed under manual control. The function of the control system is to respond to a rapid change in indicated nuclear flux versus steam demand (0/N-QT). The minimum control rod speed provides a sufficient reactivity rate to compensate the reactivity changes resulting from the moderator and fuel temperature changes.

The average coolant temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase. Conversely as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The heaters limit the resulting system pressure decrease. The pressurizer level is programmed such that the water level is above the setpoint at which the heaters cut out during the loading and unloading transients.

The primary concern for the loading is to limit the overshoot in average coolant temperature so that a margin is provided for the over-temperature T set point.

The automatic load controls are designed to safely adjust the unit generation to match load requirements within the limits of the unit capability and licensed rating.

7.3-14 Rev 4 7/86 Loss of Load With Turbine By-Pass The reactor control system is designed to accept 50% loss of electrical load.

No reactor trip or turbine trip should be actuated. The automatic turbine by-pass steam capacity varies from approximately 27.2 to 34.4 percent of full load steam flow based on the full power average temperature and steam pressure operating window. The turbine by-pass system is actuated during a load rejection transient to reduce the effects that the transient imposes upon the reactor coolant system. The reactor power is reduced at a rate consistent with the capability of the rod control system. Reduction of the reactor power is automatic down to 15 percent of full power, at which point the operator places the rod motion control selector switch to MANUAL. The by-pass flow reduction is as fast as RCCAs are capable of inserting negative reactivity.

The pressurizer relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the minimum incremental rod worth. The relief capacity of the power operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above conditions.

Turbine - Generator Trip With Reactor Trip

Whenever the turbine-generator unit trips at an operating level above 10%

power, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the saturation temperature corresponding to the steam generator pressure at the safety valve set point.

The thermal capacity of the reactor coolant system is greater than that of the secondary system, and because the full load average temperature is greater than the no load steam temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for this trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of cold feedwater to the steam generators.

7.3-15 Revised 04/17/2013 The turbine by-pass system is controlled from the reactor average coolant temperature signal whose set point values are reset upon trip to the no load value. Actuation of the turbine by-pass must be rapid to prevent actuation of the steam generator safety valves. With the by-pass valves open the average coolant temperature starts to reduce quickly to the no load set point. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is by-passed.

Following the turbine trip, the steam voids in the steam generators will collapse and the fully opened feedwater valves will provide sufficient feedwater flow to restore water level in the downcomer. The feedwater flow is cut off when the average coolant temperature decreases below a given temperature value or when the steam generator water level reaches a given high level.

Additional feedwater makeup is then controlled manually to restore and maintain steam generator level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates the same bypass valves to the condensers which are used during the initial transient following turbine and reactor trip.

The pressurizer pressure and level fall rapidly during the transient because of coolant contraction. If heaters become uncovered following the trip, the Chemical and Volume Control System will provide full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal.

The turbine by-pass and feedwater control systems are designed to prevent the average coolant temperature falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin.

7.3-16 Rev 16 10/99

7.4 NUCLEAR

INSTRUMENTATION

7.4.1 DESIGN

BASES

Fission Process Monitors and Controls

Criterion: Means shall be provided for monitoring or otherwise measuring and maintaining control over the fission process throughout core life under all conditions that can reasonably be anticipated to cause variations in reactivity of the core. (1967 Proposed GDC 13)

Primary Nuclear Instrumentation

The Primary Nuclear Instrumentation is utilized primarily for reactor protection by permitting monitoring of neutron flux and by generating appropriate trip and alarm functions for various phases of reactor operating and shutdown conditions (including accidental criticality monitoring). It also provides a secondary control function and indicates reactor status during startup and power operation. The Primary Nuclear Instrumentation System utilizes information from three separate types of instrumentation channels to provide three discrete protection levels. Each range of Primary Instrumentation (source, intermediate and power) provides the necessary overpower reactor trip protection required during operation in that range.

The overlap of instrument ranges provides reliable continuous protection from source to intermediate and low power ranges. As the reactor power increases, the overpower protection level is increased administratively after satisfactory higher range instrumentation operation is obtained. Automatic reset to more restrictive trip protection is provided when reducing power.

Various types of neutron detectors, with appropriate solid state electronic circuitry, are used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power. The power range channels are capable of recording overpower excursions up to 200 percent of full power.

7.4-1 Rev. 16 10/99 The neutron flux covers a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation is necessary. The lowest range ("source range") covers six decades of leakage neutron flux.

The lowest observed count rate depends on the strength of the residual neutron source in the reloaded fuel and the primary and/or secondary neutron source(s)

(if installed) in the core and the core multiplication associated with the shutdown reactivity. This is generally greater than one count per second.

The next range ("intermediate" range) covers eight decades. Detectors and instrumentation are chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation ("power" range) covers slightly more than two decades of the total instrumentation range. This is a linear range that overlaps with the higher portion of the intermediate range. The overlap for all ranges is shown in Figure 7.4-1 in terms of leakage neutron flux for a typical PWR plant. Start-up-rate indication for the source and intermediate range channels is provided at the control console and nuclear instrumentation panel.

7.4-1a Rev. 16 10/99 The system described above provides control room indication and recording of reactor neutron flux during core-loading, shutdown, start-up and power operation as well as during subsequent refueling. Reactor trip and rod-stop control and alarm signals are provided by this system for safe operation.

Control and permissive signals are transmitted to the Reactor Control and Protection System for automatic control. Equipment failures and test status information are annunciated in the control room.

Backup Nuclear Instrumentation

The Backup Nuclear Instrumentation is utilized for providing additional independent neutron flux indication in the control room, on the alternate shutdown panel and on the DCS / SPDS. This instrumentation does not interface with the reactor trip protection circuitry, and does not perform any control functions. It meets the requirements of Regulatory Guide 1.97, Rev. 3, and 10 CFR 50.48(c), NFPA 805.

The Backup Nuclear Instrumentation also provides alarms in the control room for system trouble and high flux at shutdown, and interfaces with the containment evacuation alarm system.

This system utilizes fission chambers to monitor the leakage neutron flux from a completely shutdown condition to 200 percent of full power which exceeds the range requirements of Regulatory Guide 1.97, Rev. 3.

7.4.2 SYSTEM

DESIGN

The nuclear instrumentation system (Figures 7.4-2a and 7.4-2b) consists of ten independent channels: two of these being source range, two the intermediate range, four the power range channels and two wide range channels.

In addition, there are three auxiliary channels, the visual-audio count rate channel, the comparator channel, and the startup rate channel. The various detectors associated with the ten channels are shown in relative position with respect to the core configuration on Figure 7.4-3.

7.4-2 Revised 09/20/2016 Protection Philosophy Nuclear protection assurance is obtained from the three ranges of out-of-core nuclear instrumentation. Separation of redundant protective channels is maintained from the neutron sensor with its associated cables to the signal conditioning equipment in the control room with its associated output wiring, indicating or recording devices and protective devices. Where redundant protective channels are combined to provide non-protective functions, the required signals are derived through isolation amplifiers. These devices are designed so that open or short circuit conditions as well as the application of 120 VAC or 140 VDC to the isolated side of the circuit will have no effect on the input or protection side of the circuit. As such, failures on the non-protective side of the system will not affect the individual protection channels. Redundant channels are powered from independent power sources, each channel being provided with the necessary power supplies for its detectors, signal conditioning equipment, trip bistables and associated trip relays. The nuclear instrumentation channels are mounted in four separate racks to provide the necessary physical separation between redundant channels.

The overpower protection provided by the out-of-core nuclear instrumentation consists of three discrete levels. Continuation of start-up operation or power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator.

A one-of-two intermediate range permissive signal (P6) is required prior to source range level trip blocking and detector high voltage cutoff. Source range level trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P6) level. There are provisions for administratively reactivating the source range level trip and detector high voltage if required. Source

7.4-3

range level trip block and high voltage cutoff are automatically maintained by the power range permissive (P10).

The intermediate range level trip and low-range, power-range level trip can only be blocked after satisfactory operation and permissive information are obtained from two-of-four power range channels. Individual blocking switches are provided so that the low-range, power-range trip and intermediate range trip can be independently blocked. These trips are automatically reactivated when any three of the four power range channels are below the permissive (P10) level, thus ensuring automatic activation of more restrictive trip protection.

Blocking of any reactor trip function is indicated by the control board status lights. Channels which provide reactor protection through one-of-two or one-of-four logic matrices are equipped with positive detent type trip-bypass switches to enable channel testing. The trip-bypass condition for individual channels is indicated at the control board and at the nuclear instrumentation racks. The reactor protection afforded by the high-range, power-range trip is never blocked or bypassed.

Source Range Instrumentation Two independent source range channels are provided. Each receives pulse-type signals from a proportional counter. The preamplified detector signal is received by the source range instrumentation conditioning equipment located in the control room racks. The detector signal, which is a random count rate proportional to leakage neutron flux, is conditioned for conversion to an analog signal proportional to the logarithm of the neutron flux count rate.

The isolated analog signals from each channel are sent to various recording and indicating devices to provide the operator with necessary startup information. Bistable units also located in the racks, are used to

7.4-4 generate alarms and reactor trip signals. Trip signals from the bistables are transmitted to relays in the protection relay racks where the necessary logic involved in generating reactor trip signals is performed.

An isolated count rate signal derived from either channel is connected to a scaler-timer. This same signal also feeds the audio count rate channel which provides an audible count rate signal, proportional to the neutron flux.

Speakers are provided both in the containment and in the control room.

Start-up rate indication is also provided for each source range channel. These signals are generated from the isolation amplifier output since there is no protection function involved.

Two additional wide range channels are also provided. Each receives signals from dual fission chambers. The signal is received by the backup NIS instrumentation conditioning equipment located in the rod drive rooms. The signals are conditioned for conversion to an analog signal proportional to the logarithm of the neutron flux count rate.

The isolated analog signals from each channel are sent to remote meters to provide the operator with additional start-up information. Bistable units are also provided to generate alarms only.

Intermediate Range Instrumentation

Two independent compensated ionization chambers provide extended flux coverage from the upper end of the source range to approximately rated power. The equipment for each channel, including the high voltage and compensating voltage power supplies are located in separate drawers. To maintain separation between these redundant channels, the drawers are mounted in separate racks. The signal conditioning equipment furnishes an analog output voltage proportional to the logarithm of the neutron flux spectrum. Each channel covers approximately 8 decades of leakage flux. Isolation amplifiers (for start-up-rate circuits, remote recording, remote indication, etc) and bistable devices (for permissives, rod-stop and reactor trip) use this analog voltage to indicate status and provide the necessary protection functions.

All relays associated with control or protection are located in the reactor protection or auxiliary relay racks.

7.4-5 Rev. 16 10/99 Power Range Instrumentation Four dual section, uncompensated ionization chambers are used for power range flux detection. Each chamber provides two current signal outputs (one from each section) to signal conditioning equipment in the control room nuclear instrumentation racks. Each power range channel has an independent high voltage power supply. The individual current signals obtained from each section of the detector are proportional to upper core and lower core neutron flux respectively. These provide core flux status information at the instrument racks and through isolation amplifiers the same information at the control console. A separate output furnishes bias signals used in the overpower and overtemperature T reactor trip functions. The individual current signals are combined to provide an average signal proportional to average core flux in the associated core quadrant. This average signal is conditioned to provide an analog voltage signal for use in permissive and protection bistable amplifiers.

Isolation amplifiers, which provide remote control signals and core power status information to the operator, also utilize the average power analog signal. The four power range channels are operated from separate AC sources and are housed in separate racks so that a single failure will not cause loss of protection functions. Redundant relays for the protection functions are located in the logic portion of the protection system.

Isolated analog outputs from each power range channel are compared in a separate auxiliary channel drawer. This comparator provides the operator with annunciation of deviations in average power between the four power range channels. Switches are provided to defeat this comparison for a failed channel so that subsequent deviations or failures among the three remaining channels are annunciated.

Two additional dual fission chamber detector assemblies are used for wide range neutron flux detection. Each assembly provides signal outputs to the backup NIS signal conditioning equipment in the rod drive rooms. Each channel has an independent power supply.

Isolated wide range outputs provide remote indication of percent full power in the control room, the Alternate Shutdown Panel (channel B only), and the SPDS.

7.4-6 Rev 16 10/99 Equipment Design Basis The out-of-core nuclear instrumentation system consists of various plug-in type modules which perform the functions indicated on Figure 7.4-2 for the source, intermediate and power ranges. Components designed to military specifications are used, where possible, in conjunction with a conservative design stressing reliability, derating of components and circuits, and the use of field-proven circuits. On-line testing and calibration features are provided for each channel. The source and power range test signals can be superimposed on the normal sensor signal during operation.

The backup NIS components are qualified to IEEE standards. The backup NIS provides indication and alarm functions only and is completely independent of the primary NIS subsystem.

7.4.3 DETAILED

DESCRIPTION

Detectors

The primary nuclear instrumentation system employs six detector radial locations containing a total of eight detectors (two proportional counters, two compensated ionization chambers and four, dual section uncompensated ionization chamber assemblies) installed around the reactor in the primary shield. Windows in the primary shield minimize leakage flux attenuation and distortion.

BF 3 proportional counters having a nominal thermal neutron sensitivity of ten counts per neutron per square centimeter per second (cps/nv), provide pulse signals to the source range channels. These detectors are installed on opposite "flat" portions of the core at an elevation approximating the quarter core height.

7.4-7 Rev 16 10/99 Compensated ionization chambers serve as neutron sensors for the intermediate range channels and are located in the same instrument wells and detector assemblies as the source range detectors. These detectors have a nominal thermal neutron sensitivity of 7.6 x 10-14 amperes per neutron per square centimeter per second. Gamma sensitivity is less than 3 x 10

-11 amperes per Roentgen per hour when operated uncompensated, and is reduced to approximately

3 x 10-13 amperes/R/hr in compensated operation. The detectors are positioned at an elevation corresponding to the center mid core height.

The detector assemblies containing one each of the above mentioned detectors use aluminum enclosures. High density polyethylene, used as a moderator- insulator within the detector assemblies, will be confined at temperatures associated with the loss-of-coolant accident. The detectors are connected to the junction box at the top of the detector well by special high temperature, radiation resistant cables.

The remaining four detector assemblies contain the power range ionization chambers. Each provides two current signals corresponding to the neutron flux in the upper and lower sections of a core quadrant. These detectors have a total neutron sensitive length of ten feet and a nominal thermal neutron sensitivity for each section of 3.1 x 10

-13 amperes per neutron per square centimeter per second. Gamma sensitivity of each section is approximately

10-10 amperes per Roentgen per hour.

The detector assemblies for power range operation are installed vertically and located equidistant from the reactor vessel at all points, and, to minimize neutron flux pattern distortions, within one foot of the reactor vessel.

Cabling from individual detector wells to the containment penetrations and to the instrument racks in the control room are routed in individual conduits, with physical separation between the penetrations and conduits associated with redundant protective channels.

7.4-8 Rev 16 10/99

The Backup Nuclear Instrumentation System employs two detector radial locations, each containing one detector assembly (2 fission chambers) installed around the reactor within the primary shield.

These detector assemblies have a nominal thermal neutron sensitivity of 25 counts per second per neutron per square centimeter per second (cps/nv). Each of these detectors provides neutron flux indication over the range of 10

-8 to 200 percent full power. These detector assemblies are installed on opposite

`flat' portions of the core with the sensitive center line of the detector assembly aligned with the center line of the reactor.

These detectors and associated components are qualified to IEEE Standards 323-1974 and 344-1975 and are designed to function during and after a design basis accident.

Cabling from these detector assemblies to the containment penetrations to the signal processing equipment in the rod drive rooms is routed in dedicated conduit and safety related qualified cable trays.

Source Range The source range output information is tabulated in Table 7.4-1. The detector for each source range channel is a BF 3 proportional counter, except for the backup detectors. The signal received from the counter has a range of 1 to

10 6 cps.

7.4-8a Rev 16 10/99 pulses per second randomly generated and is received through a variable gain pulse preamplifier located outside the containment. The preamplifier optimizes the signal-to-noise ratio and also furnishes high voltage coupling to the detector.

The preamp has internal provisions for generating self-test frequencies of 10counts per second (CPS) and 10.24 x 10 3 CPS. These test oscillator circuits are energized by a switch located on the associated source range drawer. The source range channel power supplies furnish low voltage for preamp operation as well as low voltage for the drawer-mounted modules. The preamp is solid state in design with discrete components and includes an impedance matching network between the preamp output and the 75-ohm triaxial cable.

The preamp output is received at the amplifier located on the source range drawer. This module provides amplification and discrimination, both of which are adjustable. Discrimination is provided between neutron flux pulses and combined noise and gamma-generated pulses. The discriminator supplies two outputs: one output (isolated) to a scaler-timer unit on the visual-audio channel drawer (see source range auxiliary equipment); and the other to a pulse shaper (transistorized flip-flop circuit) which supplies a constant amplitude pulse to the log integrator module within the source range drawer.

Logarithmic integration of the pulse signal is performed in another modular unit to obtain an analog DC signal. The log signal is then amplified for local indication on the front panel of the source range drawer, and is also delivered through a parallel run to the source range level bistables and isolation amplifier. The analog output signal is proportional to the logarithm of the count rate being received from the sensor and is displayed by the front panel meter on a scale calibrated logarithmically from 10 0 to 10 6 counts per second. The solid state isolation amplifier provides analog outputs, all of which are adjustable through attenuator controls. The outputs are used as follows: as remote indication (0-1 ma); as

7.4-9 Rev 16 10/99 remote recording (0-37.5 mv DC). A 0-10 VDC output is used by the start-up-rate amplifier to produce a start-up rate indication at the main control board. A spare output (0-5 DC) is available.

All bistables will employ a basic plug-in module with the external wiring determining the mode of operation (latching or non-latching and direction of output change with rising power). Bistables will have two adjustments "Trip Level" and "Differential". The first adjustment determines the trip point of the bistable, while the second determines the "dead zone" difference between the trip and release points of the bistable. The bistable module card will include a relay driver circuit made up of a silicon controlled rectifier (SCR) and full-wave bridge configuration. The bistable output will control the SCR gate which, in turn, controls conduction of the full-wave bridge supplying the power to drive up to four 115 VAC Westinghouse BF relays. All relays are located remote from the NIS racks.

Of the three bistables monitoring the source range level amplifier signal, one is a spare, one is used to monitor shutdown flux level only, and the third monitors source range operation during shutdown and start-up operation and provides a reactor trip on high flux level. The reactivity of the core during shutdown is monitored by a bistable to ensure protection of plant personnel working in the containment. Bistable tripping will initiate local visual and audible annunciation and remote audible annunciation of any abnormal increase in core activity. Visual annunciation occurs at the NIS rack and on the main control board. Audible annunciation is handled by the annunciator located in the control room, and the evacuation horn located in the containment.

These annunciators ensure that plant personnel will be alerted to any potentially unsafe condition. This bistable action will be manually blocked by deliberate operator action during start up. Blocking

7.4-10 Rev 16 10/99 is continuously annunciated at the control board during source range operation and is automatically blocked above permissive P10. The bistable trip point is approximately one-half decade above the flux level recorded during full shutdown.

The source range level bistable monitors the core activity during the full span of source range operation until such time as the intermediate range channels assume control of that portion of the reactor protection which is being supplied by nuclear instrumentation. At that time, when the intermediate range permissive P6 is available, the source range reactor trip bistable may be manually blocked and high voltage removed from the BF 3 detector by the operator actuating two momentary-contact switches located on the main control board.

A fourth bistable-relay driver unit is used as a high voltage failure monitor.

Loss of this voltage actuates the bistable, the relay driver and then the associated relay. The relay provides control board annunciation through a one of two matrix formed with a similar relay controlled by the other source range. Failure of either source range high voltage actuates this common annunciator on the main control board. During normal operation the source range high voltage will be cut off (mentioned above) when manual block of the source range trips is initiated. In this instance, loss of high voltage annunciation will be intentionally defeated to prevent the alarming of a condition which is not abnormal.

A test-calibrate module is also included in each source range drawer for self check of that particular channel. A multi-position switch on the source range front panel controls this module and also the operation of the built-in oscillator circuits in the preamp. The module is capable of injecting test signals of either 60, 10 3 , 10 5 and 10 6 counts per second at the input to the pulse amplifier, 10 or 10.24 x 10 3 counts per second to the preamplifier, or a variable d.c. voltage corresponding to 1 to 10 6 counts per second at the input to the level amplifier. An interlock

7.4-11 Rev 16 10/99 between the trip bypass switch and the test-calibrate switch will prevent inadvertent actuation of the reactor trip circuits, (i.e., the channel cannot be put in the test mode unless the trip is defeated). Trip bypass will be annunciated on the source range drawer and on the control board. Operation of the test-calibrate module will be annunciated on the control board as "NIS Channel Test." This common annunciator for all NIS channels will be alarmed when any channel is placed in the test position and will alert the operator that a test is being performed at the NIS racks.

Source Range Auxiliary Equipment

a. Visual-Audio Count Rate

The visual-audio count rate receives a signal from each of the source range channels. This isolated signal originates at the discriminator output in each source range. A switch on the audio count rate drawer selects either source range channel for monitoring. The selected signal is fed to a scaler-timer unit which permits count accumulation in the preset time or preset count mode. A visual display to five decimal places is presented through counting strips located on the front of the audio count rate drawer.

A "Scale Factor" switch permits division of the scaler output signal by 10, 100, 1000, or 10000. This signal, derived from the binary coded decimal output of the scaler, is conditioned and sent to two of the audio amplifiers which power two speakers: one speaker located in the control room, and the other in the containment. These speakers give plant personnel an audible indication of the count rate. Since the audio amp signal is taken from the coded scaler output, adjustment of the scale factor switch will alter only the audible count rate. This enables the operator to maintain the audible count rate at a distinguishable level.

7.4-12 Rev 16 10/99

b. Remote Count Rate Meter

The remote meter indication is an analog signal proportional to the count rate being received, and is obtained from the 0-1 ma isolation amplifier output.

The meter is mounted on the control board and calibrated logarithmically from 10 0 to 10 6 cps. This meter gives the same indication at the control board as is displayed by the local meter on the corresponding source range drawer.

The Backup NIS remote meter indication is an analog signal proportional to the count rate being received, and is obtained from a 4-20ma DC isolated output from the signal processor. This meter is mounted on the control console and calibrated logarithmically from 0.1 to 10 5 counts per second.

c. Remote Recorder

These multi-channel recorders are capable of recording all NIS channels. Each NIS signal is directly connected to both recorders. The operator selects the signals to be displayed. In the case of the source range channels, 0-50 mVDC signals that are proportional to the count rate range of 10 0 to 10 6 CPS are supplied from isolation amplifiers for recording during source range operation.

d. Start-up Rate Circuitry

The start-up rate drawer receives four input signals (0-10VDC) one from each of the primary source and intermediate range channels. Four rate amplifier modules condition these signals and output four rate signals to the respective control room S.U.R. meters (-.5 to 5 decades/minute).

A test module is provided which can inject a test signal into any one of the rate circuits and can be monitored on a test meter mounted on the front panel of this drawer. Two power supplies are provided to assure rate indication from at least one Primary Source and intermediate Range channel pair.

7.4-13 Revised 06/06/2005 Intermediate Range Intermediate Range output information is tabulated in Table 7.4-2. Each intermediate range channel receives a direct current signal from a compensated ion chamber and supplies positive high voltage and compensating (negative) high voltage to its respective detector. The compensating high voltage is used to cancel the effects of gamma radiation on the signal current being delivered to the intermediate range channel. Both high voltage supplies will be adjustable through controls located inside the channel drawer. The detector signal is received by the intermediate range logarithmic amplifier.

The modular unit, comprised of several operational amplifiers and associated discrete solid state components, produces an analog voltage output signal which is proportional to the logarithm of the input current. This signal is used for local indication and it is monitored by the isolation amplifier and the various bistable relay-driver modules within the intermediate range drawer. A 10

-11 ampere signal is continuously inserted and serves as a reference during gamma compensation. Local indication is provided by a meter mounted on the front panel of the drawer which has a logarithmic scale calibration of 10

-11 to 10 3 amperes. The isolation amplifier is the same solid state module that is used in the source range; it supplies the same outputs and for the same usage. Six bistable relay-driver units are used in the intermediate range drawer to provide the following functions:

One monitors the positive high voltage One monitors the compensating high voltage One provides the permissive P6 One provides rod-stop (blocks rod withdrawal) One provides reactor trip One serves as a spare

7.4-14 Rev 16 10/99 The intermediate range permissive P-6 bistable drives two Westinghouse BF relays (for redundancy) and the relays from each channel are combined in 1 of 2 matrices to provide the permissive function and control board annunciation of permissive availability. Permissive P-6 permits simultaneous manual blocking of the source range trips and removal of the source range detector high voltage. Once source range blocking has been performed, the operator may, through administrative action, defeat permissive P-6 and reactivate the source range high voltage and trip functions if required. This defeat is accomplished by the coincident operation of two control board mounted, momentary-contact switches. This provision, however, is only operational below permissive P-10 which is supplied by the power range channels. Above P-10, the defeat circuit is automatically bypassed and permissive P-6 is maintained which, in effect, maintains source range cutoff. The level bistable relay-driver unit which provides the intermediate range rod-stop function also drives two Westinghouse BF relays. Again, 1 of 2 matrices formed by the relays from the two intermediate range channels supply the rod-stop function and control board annunciation. Blocking of the outputs of these matrices is administratively performed when nuclear power is above permissive P-10 and can only be accomplished by deliberate operator action on two control board mounted switches.

The intermediate range reactor trip function is provided by a similar circuit arrangement, the only difference being the trip point of the bistable units.

The same control board switches which control blocking of the rod stop matrices also provide blocking action for the reactor trip matrices. These blocks are manually inserted when the power range of instrumentation indicates proper operation through activation of the P-10 permissive function. On decreasing power, however, the more restrictive intermediate range trip functions are automatically reinserted in the protective system. While these trips are blocked, there will be continuous illumination on the main control board of "Intermediate Range Trip Blocked." The high voltage failure monitors provide both local and remote annunciation upon failure of the respective high voltage supplies. A common "Intermediate Range Loss of Detector Voltage" and separate "Intermediate Range Loss of Compensate Voltage" are provided as control board annunciators for the intermediate ranges.

7.4-15 Rev 16 10/99 Administrative testing of each intermediate range channel is provided by a built-in test-calibrate module which injects a test signal at the input to the log amplifier. The signal is controlled by a multi-position switch on the front of each intermediate range drawer. A fixed 10

-11 through 10

-3 ampere signal is available along with a variable 10

-10 through 10

-3 signal, selectable in decade increments.

As in source range testing, the test switch on the intermediate range must be operated in coincidence with a trip bypass on the drawer. An interlock between these switches prevents injection of a test signal, until the trip bypass is in operation. Removal of the trip bypass also removes the test signal.

Intermediate Range Auxiliary Equipment

a. Remote Meter

The remote meter indication is in the form of an analog signal (0-1 ma) proportional to the ion chamber current. The isolation amplifier in each channel supplies this output to a separate meter. Meter calibration is 10

-11 to 10-3 amperes.

b. Remote Recorder

These multi-channel recorders are capable of recording all NIS channels. Each NIS signal is directly connected to both recorders. The operator selects the signals to be displayed. In the case of the intermediate range channels, 0

-50 mVDC signals that are proportional to the ion chamber current range of 10

-11 to 10-3 amperes are supplied from isolation amplifiers for recording during intermediate range operation.

7.4-16 Revised 06/06/2005

c. Start-Up-Rate Circuitry The start-up rate drawer receives four input signals (0-10VDC) one from each of the source and intermediate range channels. Four rate amplifier modules condition these signals and output four rate signals to the respective control room S.U.R. meters (-.5 to 5 decades/minute). A test module is provided which can inject a test signal into any one of the rate circuits and can be monitored on a test meter mounted on the front panel of this drawer. Two power supplies are provided to assure rate indication from at least one Source and Intermediate Range channel pair. Power Range The power range output information is tabulated in Table 7.4-3. The power range detector is a long uncompensated ion chamber assembly which is comprised of two separate neutron sensitive sections. Each section supplies a current signal to the associated power range. There is one high voltage power supply per channel and it supplies voltage to both sections of the associated detector. The two signals are received at the channel input and handled through separate ammeter-shunt assemblies. Four full-scale ranges can be selected for each ammeter through switches located on the front panel of the power range drawer, 100 ua, 500 ua, 1 ma, and 5 ma D. C. The switch selects shunt resistors for the meter but never interrupts the ion chamber signal to the power range channel. The circuit is so designed that a failure of the meter or switch will not interrupt the signal to the average power circuitry.

The individual currents are displayed on the two front panel ion chamber current meters and are then sent to separate isolation amplifiers. There are two isolation amplifiers monitoring each of the two individual current signals. The unit feeding the T protection function is being used for its impedance matching characteristics rather than isolation. All of the isolation amplifiers are capable of providing the same output ranges as the isolation amplifiers previously described in relation to the source

7.4-17 and intermediate ranges. Two of the isolation amplifiers, one monitoring each of the currents, supply signals to the T setpoint program. The other two isolation amplifiers provide output for the remote meter, axial deviation comparators, and upper and lower section comparators. The individual current signals are summed and then sent to a summing amplifier module which outputs a linear 0-10V D. C. signal proportional to reactor power. The summing and level amplifier has two controls: one is a "Zero" adjust located on the module itself, while the other is a "Gain" adjust with a calibrated dial located on the drawer's front panel. The output signal from this unit corresponds to 0 to 120 percent of full power and is displayed on a percent full power meter on the front panel of the power range drawer. This same signal is delivered directly to three isolation amplifiers, a dropped rod sensing assembly, and six bistable relay-driver modules. These isolation amplifiers are identical to those previously described and the outputs are the same in number and range but are used in different functions. (Specific outputs from the amplifiers are discussed in the auxiliary equipment section which follows.)

The dropped-rod sensor assembly is an operational amplifier unit which incorporates an adjustable lag network at one input and a non-delayed signal on the other. The unit compares the actual power signal with the delayed power signal received through the lag network and amplifies the difference.

This amplified differential signal is delivered to a bistable relay-driver unit which trips when the level of this signal exceeds a preset amount.

Tripping of this unit indicates a power level change over the lag period which would be indicative of a dropped rod. This bistable unit is a latching type, ensuring that the necessary action will be initiated and carried to completion. Specifically, the unit controls dual Westinghouse NBF relays which, in 1 of 4 logic matrices provide a control board annunciation signal and a spare input signal. Automatic rod withdrawal by the reactor control system has been permanently disabled. Manual rod withdrawal is not blocked by nuclear instrumentation system power range rod drop detection. A reset switch on the associated power range drawer must be operated manually to remove the trip functions and reset the bistable.

7.4-18 Revised 04/27/2010 The bistable units which sense the power level signal as derived by the linear amplifier are non-latching and perform the following functions: 1) overpower rod-stop (blocks manual rod withdrawal); 2) permissive functions (provisions for three are incorporated in the design but are not required on all plants);

3) low-range reactor trip; and 4) high-range reactor trip.

The overpower rod-stop and permissive bistables are units which trip on high power level and control Westinghouse NBF relays in the remote relay racks.

The rod-stop relay matrices (1 of 4) provide a rod-stop function to the rod control system and a main control board annunciation. Two-of-four logic, developed by relays controlled through the respective power range bistables, provide the signals required for the permissive functions. One set of relays provide permissive P-10, as was previously discussed with regard to its use in the source range and intermediate range. Two other groups of relays are available to provide inputs to two additional permissive functions when required. These bistable functions, when used, provide permissive P-8.

Permissive P-8 and P-10 are supplied solely by nuclear instrumentation.

For this reason, the nuclear instrumentation design provides for status light indication of P-8 and P-10 availability. Permissive P-10 is used in all three ranges of nuclear instrumentation while P-8 is provided by nuclear instrumentation for use in the reactor protection system.

The low range trip bistable actuates two Westinghouse NBF relays in the logic system. The two relays provide redundancy within the logic portion of the protection system. Each relay is used in a separate matrix with the relays from the other power range channels to continue the redundancy. The logic circuitry formed by the contacts on these relays provide for 1 of 4 and 2 of 4 logic outputs. The low range trip relays provide the following functions: 1) spare input ;2) low range trip annunciation (2 of 4 coincidence); 3) reactor-trip signal to reactor protection system (2 of 4 conicidence); and 4) annunciation of "Single Channel Low Range Trip" (1 of 4).

7.4-19 Revised 04/27/2010 Provisions for manually blocking these functions become available when 2 of 4 power ranges exceed the permissive P-10 level. Operator action on two control board mounted momentary-contact switches then initiates the blocking action.

A control board permissive status light, "Power Range Low Range Trip Blocked",

will be illuminated continuously when the trip function is blocked. On decreasing power, 3 of 4 power ranges below the P-10 power level will automatically reactivate the low range trip.

The high range reactor trip logic circuitry is developed identical to the low range reactor trip circuitry, but no provision for blocking is included.

The high range trip remains active at all times to prevent any continuation of an overpower condition.

An additional bistable unit monitors the high voltage power supply in the power range. Operation of this unit is identical to that for the source and intermediate ranges. The bistable provides relay actuation in the remote relay racks on failure of power range high voltage. While there is a separate relay for each power range, they control a common "Power Range Loss of Detector Voltage" annunciator on the main control board. Separate local indication of high voltage failure is provided on the power range drawers.

The test-calibrate module which is provided on each power range is capable of injecting test signals at several points in the channel. In all cases, the test signals are superimposed on the normal signal. An interlock between the bypass switch and channel test switch is provided as was done in the source and intermediate ranges. The bypass switch from each power range will activate a common annunciator,

7.4-20 Rev. 13 10/96

"NIS Trip Bypass," but individual bypass status lights will identify the particular channel. The remaining bistables which will be affected during channel test do not require bypasses since they operate in 2 of 4 logic.

Test signals can be injected independently or simultaneously at the input of either ammeter-shunt assembly to appear as the individual ion chamber currents. Operation of the test-calibrate switch on any power range will cause the "Channel Test" annunciator to be alarmed on the control board.

Power Range Auxiliary Equipment

a. Comparator

The comparator received an isolated signal from each of the four power ranges. These signals are conditioned in separate operational amplifier circuits and then compared with one another to determine if a preset amount of deviation of power levels has occurred between any two power ranges. Should such a deviation occur, the comparator output will operate a remote relay to actuate the control board annunciator, "Power Range Channel Deviation". This alarm will alert the operator to either a power unbalance being monitored by the power ranges or to a channel failure. Through other indicators, the operator can then determine the deviating channel(s) and take corrective action. Should correction of the situation not be immediately possible (e.g., a channel failure, rather than reactor condition), provisions are available to eliminate the failed channel from the comparison function. The comparator can then continue to monitor the active channels.

b. Remote Recorder

These multi-channel recorders are capable of recording all NIS channels. Each NIS signal is directly connected to both recorders. The operator selects the signals to be displayed. In the case of the power range channels, 0-50 mVDC signals that are proportional to 0-120% full power are supplied from isolation amplifiers to allow continuous monitoring during power range operation.

7.4-21 Revised 06/06/2005 A signal input is also provided to the Safety Parameter Display System (DCS / SPDS) for display and recording the power range flux.

c. Remote Meter

The Primary NIS remote meters receive the 0-1 ma isolated output that is available from each power range. This indication corresponds to that shown on the power range drawer. The signal is displayed on a meter scale calibrated from 0 to 120 percent of full power. The backup NIS remote meters receive a 4-20 ma DC isolated output that is available from each channel. The meter scales are calibrated from 10

-8 to 200 percent of full power.

d. Overpower Recorder

Inputs routed to vertical panel recorders monitor the individual average power indications from the four primary power ranges, capable of displaying overpower excursions up to 200 percent of full power. A power range isolated output of 0-50 mVDC will correspond to the range of zero percent to 200 percent of full power.

7.4-22 Revised 01/31/2013

e. Remote Meter (Delta Flux) Four control board mounted meters display the flux difference between the upper and lower ion chambers directly for each of the primary power range detectors.
f. Axial Flux Comparator The axial flux monitoring system contains four comparators, each of which receives an upper and lower section signal from one primary power range. If the axial flux difference for any primary channel exceeds setpoint, an alarm is actuated.

7.4-22a Rev 16 10/99 Flux Deviation and Miscellaneous Control and Indication Drawer Indicating lights (one per power range channel) are provided on this drawer to be used during test of the dropped rod annunciation. Illumination of one of the lights indicates completion of the relay tripping function, for the channel under test.

Switches are also provided on this drawer to permit a failed power range channel's overpower-rod stop function to be bypassed. Upper and lower section comparators are provided. The upper section comparator actuates an alarm when any upper section signal deviates from the average of the upper section signals by a preset amount. The lower section comparator performs in a similar manner. Switches are provided to bypass a failed channel.

7.4.4 SYSTEM

EVALUATION

Philosophy and Set Points During shutdown and operation, three discrete independent levels of nuclear protection are provided from the three ranges of out-of-core nuclear instrumentation. The basic protection philosophy is that the level protection is present in all three ranges to provide a reliable, rapid and restrictive protection system which is not dependent upon operation of higher range instrumentation.

Reliability is obtained by providing redundant channels which are physically and electrically separated. Fast trip response is an inherent advantage of using level trip protection in lieu of start-up rate protection (with a long time constant) during start-up. More restrictive operation is an inherent feature since an increase in power cannot be performed

7.4-23 Revised 04/27/2010 until satisfactory operation is obtained from higher range instrumentation which permits administrative bypass of the lower range instrumentation. On decreasing power level, protection is automatically made more restrictive.

Startup accidents while in the source range are rapidly terminated without significant increases in nuclear flux and with essentially no power generation or reactor coolant temperature increase.

The indications and administrative actions required by this protection system are readily available to the operator and should result in a safe, uncomplicated increase of power.

Reactor Trip Protection During reactor start-up the operator will be made aware of satisfactory operation of one or more intermediate range channels by annunciation (audible and visual) at the control board. The source and intermediate range flux level information is also readily available on recorders and indicators at the control console. At this time, if both intermediate range channels are functioning properly, the operator would depress the two manual block switches associated with the source range logic circuitry, thus causing cutoff of source range detector voltages and blocking the trip logic outputs.

The manual block should not be initiated, however, until at least one decade of satisfactory intermediate range operation is obtained. If one intermediate range channel is not functioning, normal power increase could be performed if desired. The permissive P6 annunciation is continuously displayed by the control board status lights.

Continuation of the start-up procedure in the intermediate range would result in a normal power increase and the receipt of a permissive signal from the power range channels when two-of-four channels exceed 10 percent of full power. The operator would be alerted to this condition by a control board permissive status light. Indicators (one per channel) and a recorder also indicate unit status in terms of percent full power. If the operator does not block the I.R. trip and continues the power increase,

7.4-24 a rod stop will automatically occur from either of the intermediate range channels. The operator should then depress the momentary "Manual Block" push buttons associated with the intermediate range rod stop and reactor trip logic. This would transfer protection to the low-range trips for the four power range channels. The permissive P-10 status light would be continuously displayed as was P-6. The low-range manual block switches (two) must be depressed to initiate blocking prior to continuation of the power increase.

The permissive functions associated with administrative trip blocking and automatic reactivation are provided with the same separation and redundancy as the trip functions.

When decreasing power operation to lower levels, more restrictive trip protection is automatically afforded when 3 of 4 power range channels are below P-10 permissive and when 2 of 2 intermediate range channels are below the permissive P6.

Rod-Drop Protection Rod drop annunciation is provided by the power range instrumentation. Rod position system rod bottom bistables provide rod drop annunciation and the protective function of manual rod withdrawal block. The nuclear instrumentation rod-drop annunciation is provided by comparison of the average nuclear power signal with the same signal which is conditioned by an adjustable lag network. This method provides a response to dynamic signal changes associated with a dropped rod condition, but does not respond to the slower signal changes associated with normal operation. Annunciation from at least one of the four power range channels will occur for any dropped rod condition.

7.4-25 Revised 04/27/2010 Control and Alarm Functions Various control and alarm functions are obtained from the three ranges of out-of-core primary nuclear instrumentation during shutdown, startup and power operation. These functions are used to alert the operator of conditions which require administrative action and alert personnel of unsafe reactor conditions. The power and intermediate ranges provide manual withdrawal block signals to the rod control system to avoid unnecessary reactor trips; auto rod withdrawal signals are permanently disabled.

a. Source Range

No control functions are obtained from the source range channels. Alarm functions are provided, however, to alert the operator of any inadvertent changes in shutdown reactivity. Visual annunciation of this condition is at the control board, with audible annunciation performed in the containment and control room. This alarm can either be blocked prior to startup or can serve as the startup alarm in conjunction with administrative procedures.

The backup nuclear instrumentation system provides visual and audible annunciation in the control room and audible annunciation in the containment for hi-flux at shutdown.

b. Intermediate Range

Both alarm and control functions are supplied by the primary NIS intermediate range channels. Blocking of rod withdrawal is initiated by either intermediate range on high flux level. This condition is alarmed at the control board to alert the operator that rod-stop has been initiated. In addition, the primary NIS intermediate ranges provide status light indication when either channel exceeds the P-6 permissive level. This alerts the operator to the fact that he must take administrative action to manually block the source range trips to prevent an inadvertent trip during normal power increase.

The backup nuclear instrumentation system does not provide any control or alarm functions for the intermediate range.

7.4-26 Revised 04/27/2010

c. Power Range

The primary NIS power ranges provide alarm and control functions similar to those in the primary NIS intermediate ranges. An overpower rod-stop function from any of the four power range channels inhibits manual rod withdrawal and is alarmed at the control board. The power ranges also provide status light indication when 2 of 4 channels exceed permissive P-10 level. As in the case of P-6 in the intermediate range, this alerts the operating personnel that administrative action (namely, blocking of intermediate and low range trips) is required before any further power increase may take place.

The primary NIS power ranges also have provision for an additional permissive function P-8. A permissive status light is provided for P-8, "Single Loop Flow Trip Blocked". The extinguishing of the P-8 permissive status light alerts the operator that the low flow trips and "pump breaker open" trips are now active. These trips are blocked while the status light is alarmed. Additional functions are provided in the power range of operation. A dropped control rod will be sensed by one or more of the power range channels, and this condition will annunciate.

Another function of the primary NIS is a power range channel deviation alarm. This alarm is furnished by the comparator channel through a comparison of the average power level signals being supplied by the power ranges. Actuation of this alarm alerts the operator to a power unbalance between the channels so that corrective action can be taken.

Finally, two signals, one signal from each ion chamber isolation amplifier, are supplied by power ranges 1, 2, and 3 to the reactor protection system.

The backup nuclear instrumentation system does not provide any control or alarm functions for the power range.

7.4-27 Revised 04/27/2010 Loss of Power The nuclear instrumentation draws its primary power from the vital instrument buses whose reliability is discussed in Section 8. Redundant NIS channels are powered from separate buses. Loss of a single vital instrument bus would result in the initiation of all reactor trips associated with the primary NIS channels deriving power from that source. During power operation, the loss of a single bus would not result in a reactor trip since the power range reactor trip function operates from a 2-of-4 logic. If the bus failure occurred during source or intermediate range operation (1-of-2 logic) a reactor trip condition would result.

The backup nuclear instrumentation system does not perform any protective or control functions.

Safety Factors

The relation of the power range channels to the Reactor Protective System has been described in Section 7.2. To maintain the desired accuracy in trip action, the total error from drift in the primary NIS Power range channels will be held to

+/- 1.0 percent at full power (0.5% for Power Range Neutron Flux - High Setpoint). Routine tests and recalibration will ensure that this degree of deviation is not exceeded. Bistable trip set points of the primary NIS power range channels will also be held to an accuracy of

+/- 0.5 percent of full power.

7.4.5 REGULATORY

GUIDE 1.97, REVISION 3

A review of Turkey Point Units 3 and 4 accident monitoring instrumentation and control systems was conducted against the requirements of Regulatory Guide 1.97, Revision 3. Section 7.5.4 presents the requirements of Regulatory Guide 1.97, and the results of the conducted review.

7.4-28 Revised 04/17/2013 TABLE 7.4-1

SOURCE RANGE

Signal and Source Destination and/or Function

1. Isolation Amplifier
a. 0-10VDC Auxiliary Channel (S.U.R.)/DDPS
b. O-5VDC Spare
c. O-5VDC SPDS/SAS/DCS
d. 0-1 mADC Remote Meter (CPS)
e. 0-50 mVDC Remote Recorder
2. Bistable Amplifiers
a. 115VAC Misc. Proc. Relay Rack (Spare)
b. 115VAC Misc. Proc. Relay Rack

(Hi Flux Level @ Shutdown)

c. 115VAC Reac. Prot. Relay Rack

(Source Range Reactor.Trip)

d. 115VAC Misc. Proc. Relay Rack

(Annunciate "Source Range Loss

of Detector Voltage")

3. Manual Block (115 VAC) Misc. Proc. Relay Rack

(Block Hi Flux Level @ Shutdown)

4. Trip Bypass (115VAC) Reac. Prot. Relay Rack

(Block of S. R. Reactor Trip)

5. Test-Calibrate (115VAC) Misc. Proc. Relay Rack

("NIS Channel Test" - CB)

6. Discriminator (1-10E 6 Cps) Source Range Auxiliary Channel

(Visual-Audio)

BACKUP NIS SOURCE RANGE

1. Isolator
a. 4-20 mADC Control Room Meter (CPS)
b. 4-20 mADC Alternate Shutdown Panel Meter (CPS) Ch B Only
c. 4-20 mADC SPDS
2. Bistable
a. N.O. Contact Vertical Panel Annunciator

(Hi Flux Level @ Shutdown)

Communications Box

(CTMT Evacuation Alarm)

Revised 01/31/2013 TABLE 7.4-2

INTERMEDIATE RANGE

Signal and Source Destination and/or Function

1. Isolation Amplifier
a. 0-10 VDC Auxiliary Channel (S.U.R.)/DDPS
b. 0-1 mADC Remote Meter (Ampere)

C. O-5O mVDC Remote Recorder

d. 0-5 VDC SPDS/SAS/DCS
e. 0-5 VDC Spare
2. Bistable Amplifiers
a. 115 VAC Relay Rack (Spare)
b. 115 VAC Reac. Prot. Relay Rack

(Intermediate Range Permissive P-6)

C. 115 VAC Misc. Proc. Relay Rack

(Intermediate Range Rod-Stop)

d. 115 VAC Reac. Prot. Relay Rack

(Intermediate Range Reactor Trip)

e. 115 VAC Misc. Proc. Relay Rack

(Annunciate "I.R. Loss of Detector

Voltage")

f. 115 VAC Misc. Proc. Relay Rack

(Annunciate "I.R. Loss of Compensating

voltage")

3. Trip Bypass (115 VAC) Reac. Prot. Relay Rack

(Block of Rod-Stop and Reactor

Trip)

4. Test-Calibrate (115 VAC) Misc. Proc. Relay Rack

("NIS Channel Test" - CB)

Revised 01/31/2013 TABLE 7.4-3 SHEET 1 of 3 POWER RANGE

Signal and Source Destination and/or Function

1. Isolation Amplifier (Ion

Chamber A)

a. 0-10 VDC Upper Section Comparator/DDPS
b. 0-5 VDC Axial Flux Deviation Panel
c. 0-1 mADC Remote Meter (Delta Flux)
d. 0-5 VDC SPDS/SAS/DCS
e. 0-50 mVDC Spare
2. Isolation Amplifier

(Ion Chamber A)

a. 0-10 VDC Overpower-Overtemperature T (Power ranges Compensation 1, 2 & 3 only)
b. 0-5 VDC Spare
c. 0-1 mADC Spare
d. 0-5 VDC Spare
e. 0-50 mVDC Spare
3. Isolation Amplifier (Ion

Chamber B)

a. 0-10 VDC Lower Section Comparator/DDPS
b. 0-5 VDC Axial Flux Deviation Panel

C. 0-1 mADC Remote Meter (Delta Flux)

d. 0-5 VDC SPDS/SAS/DCS
e. 0-50 mVDC Console Recorder (Delta Flux)
4. Isolation Amplifier (Ion Chamber B)
a. 0-10 VDC Overpower-Overtemperature T (Power ranges Compensation 1,2 & 3 only)
b. 0-5 VDC Spare
c. 0-1 mADC Spare
d. 0-5 VDC Spare
e. 0-50 mVDC Spare

Revised 01/31/2013 TABLE 7.4-3 (cont'd)

SHEET 2 of 3

Signal and Source Destination and/or Function

5. Isolation Amplifier

(Average Power)

a. 0-10 VDC DDPS
b. 0-5 VDC Spare
c. 0-1 mADC Remote Meter (Percent Full Power)
d. 0-50 mVDC Remote Recorder
e. O-5 VDC SPDS/SAS/DCS
6. Isolation Amplifier (Average Power)
a. 0-10 VDC Power Mismatch (Power Range 4 only)
b. 0-5 VDC Spare
c. 0-1 mADC Spare
d. 0-50 mADC Spare
e. 0-5 VDC Spare
7. Isolation Amplifier (Average Power)
a. 0-10 VDC Comparator
b. 0-5 VDC Spare
c. 0-1 mADC Spare
d. 0-50 mVDC Overpower Recorder
e. 0-5 VDC Spare
8. Bistable Amplifiers
a. 115 VAC Reac. Prot. Relay Rack

Annunciation ERDADS

b. 115 VAC Misc. Proc. Relay Rack

(Overpower Rod Stop)

c. 115 VAC Reac. Prot. Relay Rack

(Permissive P-8)

Revised 01/31/2013 TABLE 7.4-3 (cont'd)

SHEET 3 of 3

Signal and Source Destination and/or Function

d. 115 VAC Reac. Prot. Relay Rack

(Permissive P-10)

e. 115 VAC Reac. Prot Relay Rack

(Spare Permissive)

f. 115 VAC Reac. Prot. Relay Rack

(Low Range Reactor Trip)

g. 115 VAC Reac. Prot. Relay Rack

(High Range Reactor Trip)

h. 115 VAC Misc. Proc. Relay Rack

(Annunciate "Power Range Loss of

Detector Voltage")

9. Test-Calibrate (115 VAC) Misc. Proc. Relay Rack

(NIS Channel Test-CB)

10. Block Rod Drop (115 VAC) Reac. Prot. Relay Rack

Detection (Block of Rod-Drop Circuit)

BACKUP NIS POWER RANGE

1. Isolator
a. 4-20 mADC Control Room Meter (Percent Full Power)
b. 4-20 mADC Alternate Shutdown Panel Meter (Percent Full Power) CH-B only
c. 4-20 mADC SPDS/DCS
2. Bistable
a. N.O. Contact Vertical Panel Annuciator (System Trouble)

Revised 01/31/2013

7.5 ENGINEERED

SAFETY FEATURES INSTRUMENTATION

7.5.1 DESIGN

BASIS

The engineered safety features instrumentation measures temperatures, pressures, flows, and levels in the reactor coolant system, steam system, reactor containment and auxiliary systems, actuates the engineered safety

features, and monitors their operation. Process variables required on a

continuous basis for the startup, operation, and shutdown of the unit are

indicated, recorded and controlled from the control room. The quantity and

types of process instrumentation provided ensures safe and orderly operation of

all systems and processes over the full operating range of the units.

Certain controls and indicators which require a minimum of operator attention, or are only in use intermittently, are located on local control panels near the

equipment to be controlled. Monitoring of the alarms of such control systems

is provided in the control room.

Engineered Safety Features Protection Systems

Criterion: Protection systems shall be provided for sensing accident situations and initiating the operation of necessary engineered

safety features. (1967 Proposed GDC 15)

Instrumentation and controls provided for the protective systems are designed

to trip the reactor, when necessary, to prevent or limit fission product

release from the core and to limit energy release; and to control the operation

of Engineered Safety Features equipment.

The engineered safety features systems are actuated by the engineered safety

features actuation channels. Each coincidence network energizes an engineered

safety features actuation device that operates the associated engineered safety features equipment, motor starters and valve operators. The channels are

designed to combine redundant sensors, independent channel circuitry, coincident trip logic and different parameter measurements so that a safe and

reliable system is provided in which a single failure will not defeat the

protective function. The action initiating sensors, bistables and logic are

shown in the figures included in the detailed Engineered Safety Features

Instrumentation Description given in the System Design section. The

Engineered Safety Features instrumentation system actuates (depending on the

severity of the condition) the Safety Injection System, containment

isolation, the Emergency Containment Cooling System and the Containment Spray

System.

7.5-1 Revised 04/17/2013 Availability of DC control power to the logic matrix is required for train

operability. Availability of DC control power is continuously monitored and

annunciated in the control room. The loss of instrument power to an

engineered safety features instrument channel (comparator and logic relay),

places that channel in the trip mode.

The passive accumulators of the Safety Injection System do not require signal

or power sources to perform their function. The actuation of the active

portion of the Safety Injection System is obtained from low pressurizer

pressure, high containment pressure, high differential steam line pressure or

high steam line flow in coincidence with low steam generator pressure or low

Tavg.

The Containment Emergency Cooling System is in the automatic sequence which

actuates the Engineered Safety Features upon receiving the necessary signals

indicative of an accident condition.

Containment spray is actuated by 2/3 High coincident with 2/3 High-High

containment pressure signals as noted in Table 7.2-1.

The containment isolation signals provide the means of isolating the various

pipes passing through the containment walls as required to prevent the

release of radioactivity to the outside environment in the event of a loss-

of-coolant accident. The actuation of the containment isolation may be found

in Table 7.2-1 or in Figure 7.2-8e.

7.5.2 SYSTEM

DESIGN

Engineered Safety Features Actuation Instrumentation Description

Figures 7.2-8a, 7.2-8b, 7.2-8c and 7.2-8e show the actuation logic for the

engineered safety features.

The same channel isolation and separation criteria as described for the

reactor protection circuits are applied to the engineered safety features

actuation circuits.

The Engineered Safety Features actuation instrumentation automatically

commences the protective actions as noted on Table 7.2-1.

7.5-2 Revised 04/17/2013 Feedwater

Any safety injection signal will isolate the main feedwater lines by closing

all control valves (main and bypass valves), tripping the main feedwater

pumps and thereby closing the pump discharge valves, and all backup feedwater

isolation valves. The auxiliary feedwater system is actuated by the safety

injection signal.

Indication

All transmitted signals (flow, pressure, temperature, etc.) which can cause

actuation of the engineered safety features are either indicated or recorded

for every channel.

The d-c control supply associated with the engineered safety features is

designed to meet the single failure criterion such that one failure will not

prevent actuation of sufficient engineered safety features, to meet the core

and containment cooling criterion.

Engineered Safety Features Instrumentation

The following instrumentation ensures monitoring of the effective operation

of the Engineered Safety Features.

Containment Pressure

Two containment pressure channels derived from pressure taps reflect the

effectiveness of the containment and cooling systems and other Engineered

Safety Features. Redundant pressure transmitters are provided for the narrow

range (-6 to +18 psig), and additional redundant pressure transmitters cover

the wide range of 0-180 psig. High pressure indicates high temperatures and

reduced pressure indicates reduced temperatures. Indicators and alarms are

provided in the control room to inform the operator of system status and to

guide actions taken during recovery operations. Containment pressure

indication will be used to distinguish between various incidents.

2/3 High coincident with 2/3 High-High containment pressure signals are

required to completely isolate the containment. Each train of containment

pressure switches (located in the cable penetration room) have their own

connection to the containment. Each switch provides input to annunciation in

the control room.

7.5-3 Revised 04/17/2013 Refueling Water Storage Tank Level

Level instrumentation for the refueling water storage tank consists of two

independent channels. Each channel provides remote indication (on the main

control board). Each channel provides annunciation for the technical

specification minimum level, in addition to high, low, and low-low level

alarms.

Safety Injection System Pumps Discharge Pressure

A Discharge pressure channel clearly shows that the Safety Injection System

pumps are operating. A post-accident flow channel is provided for safety

injection flow indication. These transmitters are outside the containment.

Safety Injection Pump Energization

Safety Injection pump motor power feed breakers indicate that they have

closed by energizing indicating lights on the control board.

Radioactivity

Means are provided to measure the radioactivity in the containment atmosphere

after the incident, since this information will be required for any

subsequent entry into the containment following a LOCA. The containment

system particulate and gaseous monitoring equipment could provide information

useful in post-accident recovery operations, providing containment pressure

is below 5 psig.

Valve Position

All Engineered Safety Features remote-operated valves have position

indication on the control board to show proper positioning of the valves.

Air-operated and solenoid-operated valves move in a preferred direction with

the loss of air or power. After a loss of power to the motors, motor-operated valves remain in the same position as they were prior to the

loss of power.

7.5-4 Revised 04/17/2013 Emergency Containment Coolers

The total cooling water discharge flow is indicated, and the exit temperature

of each of the coolers is recorded in the control room. In addition, each

CCW return header is monitored for radiation and alarmed in the control room

if high radiation should occur. These monitors are common to each CCW return

header and the faulty cooler can be located by remote valving.

Containment Level Instrumentation

The containment level instrumentation consists of two sub-systems: (1)

containment sump (narrow range), and (2) containment level (wide range).

Both the containment sump and containment level instrumentation consist of

redundant level transmitters designed to operate in a post-accident

environment. The signal receivers are located outside containment, remote

from the sensing elements. Indication and recording are provided in the

control room.

The containment sump level transmitter is a multi-element system with a

36-inch unit at the bottom of the sump and four 90-inch units, which extend

up to just below the containment 14'-0" elevation slab. Adjacent units

overlap for continuous level indication.

The containment level transmitter is a single-element device (90-inch unit),

which provides a range from just above the 14'-0" elevation to approximately

21'- 6" elevation.

Miscellaneous Instrumentation

In addition to the above, the following local instrumentation is available.

a. Residual heat removal pumps discharge pressure b. Residual heat exchanger exit temperatures
c. Containment spray test lines total flow
d. Safety injection test line pressure and flow

7.5-5 Revised 04/17/2013 Alarms Visual and audible alarms are provided to call attention to abnormal

conditions. The alarms are of the individual acknowledgement type. That is, the operator must recognize and acknowledge the alarm for each alarm point.

Operators have the means to silence the alarms with a timed auditory silence

for use during transient conditions coincident with high alarm conditions.

Instrumentation Used During Loss-of-Coolant Accident

Instruments to be provided and designed to function following a major loss-

of-coolant accident are those which initiate or otherwise govern the

operation of engineered safety features. Pressurizer pressure and level, and steam generator level and main steam flow are typical examples of sensors

that are located inside the containment because an equivalent signal cannot

be obtained from a sensor location outside containment.

It should be emphasized, however, that for a large loss-of-coolant accident

the initial suppression of the transient is independent of any detection or

actuation signal. That is, the passive accumulators begin the rapid

reflooding of the core. Complete reflood of the core is dependent upon the

pumped water ejected from the ECCS pumps initiated via the SI actuation

signal.

All pumps used for safety injection, emergency containment cooling and

containment spray and associated instrumentation are located outside the

containment. The emergency containment cooler fans and associated

instrumentation are located inside containment and have been environmentally

qualified accordingly. The operation of the equipment can be verified by

instrumentation that reads in the control room.

Depending upon the magnitude of the loss-of-coolant incident, information

relative to the pressure of the Reactor Coolant System will be required to

determine which pumps will be used for recirculation. Wide range RCS

pressure instrumentation will be used to decide when the charging pumps can

be used, if available, for make-up water, such as for a relatively small

loss-of-coolant accident. Otherwise, the discharge pressure of the charging

pumps as read on instrumentation outside the containment, will be sufficient.

In conjunction with the available accumulator instrumentation, a full range

of system pressure can be determined.

7.5-6 Revised 04/17/2013 Core recirculation and containment spray recirculation (if necessary) will be

manually accomplished when the containment level provides sufficient NPSH and

the refueling water storage tank reaches the low-low alarm setpoint.

Considerations have been given to all the instrumentation and information

that will be necessary for the recovery time following a loss-of-coolant

accident. Instrumentation external to the containment; such as radioactivity

monitoring

equipment, will not be affected by this postulated incident and will be

available to the operator.

7.5.3 SYSTEM

EVALUATION

Redundant instrumentation has been provided for all inputs to the protective

systems and vital control circuits.

Where wide process variable ranges and precise control are required, both

wide range and narrow range instrumentation is provided.

Instrumentation components were originally selected from standard

commercially available products with proven operating reliability.

Replacements are upgraded (whenever practical) with nuclear grade components

when required.

All electrical and electronic instrumentation required for safe and reliable

operation is supplied from the vital instrumentation buses.

Pressurizer Pressure

Low pressurizer pressure provides primary input for the actuation of

emergency core cooling. Two-out-of-three logic will prevent false actuation

of the SIS in the event of a spurious pressure signal. Figure 7.2-8e

provides additional details concerning the initiation of safety injection.

A safety injection block switch is provided to permit the Reactor Coolant

System to be depressurized for maintenance and refueling operations without

actuation of the Safety Injection System.

7.5-7 Revised 04/17/2013 This manual block switch will be interlocked with pressurizer pressure in such a way that the blocking action will automatically be removed above a

preset pressure as operating pressure is approached. If two-out-of-three

pressure signals are above this preset pressure, blocking action cannot be

initiated. The block condition will be indicated by status lights on

vertical panel A.

Steam Generator Level Control During Unit Cooldown

The successful operation of the engineered safety features involves only

actuation functions, with one exception. This exception is the steam

generator level control function associated with cooldown using the auxiliary

feedwater pumps. This level control system involves remote manual

positioning of feedwater flow and auxiliary feedwater control valves in order

to maintain proper steam generator water level. Steam generator water level

indication and controls are located in the control room and locally.

Environmental Capability

The components of the ESFAS are designed and laid out so that adverse

environments accompanying an emergency situation, in which components are

required to function, do not interfere with that function. Refer to Appendix

8A for additional information pertaining to Environmental Qualification.

7.5.4 REGULATORY

GUIDE 1.97, REVISION 3

A review of Turkey Point Units 3 and 4 instrumentation was conducted against

Regulatory Guide 1.97, Revision 3, "Instrumentation for Light-Water Cooled

Nuclear Power Plants to Assess Plant and Environs Conditions During and

Following an Accident." The references listed in Section 7.5.4.4 identify

related correspondence between FPL and NRC.

7.5.4.1 REGULATORY GUIDE 1.97 (REVISION 3) REQUIREMENTS

Regulatory Guide 1.97, Revision 3, divides all instrumentation used for Post Accident Monitoring into five functional types as defined below:

Type A Variables: Those variables to be monitored that provide the primary information required to permit the control room operator to take specific

manually controlled actions for which no automatic control is provided and

that are required for safety systems to accomplish their safety function for

design basis accident events.

7.5-8 Revised 04/17/2013 Primary information is information that is essential for the direct accomplishment of the specified safety functions; it does not include those

variables that are associated with contingency actions that may also be

identified in written procedures.

Type B Variables: Those variables that provide information to indicate whether plant safety functions are being accomplished. Plant safety

functions are (1) reactivity control, (2) core cooling, (3) maintaining

reactor coolant system integrity, and (4) maintaining containment integrity (including radioactive effluent control).

Type C Variables: Those variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission

product releases. The barriers are (1) fuel cladding, (2) primary coolant

pressure boundary, and (3) containment.

Type D Variables: Those variables that provide information to indicate the operation of individual safety systems and other systems important to safety.

These variables are to help the operator make appropriate decisions in using

the individual systems important to safety in mitigating the consequences of

an accident.

Type E Variables: Those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and

continually assessing such releases.

Table 1 of Regulatory Guide 1.97, Revision 3 provides design and

qualification criteria for Post Accident Monitoring Instrumentation used to

measure the various variables identified in Table 3 (for PWRs). The criteria

are divided into three categories depending on the importance to safety of

the specific variable.

In general, Category 1 provides for full qualification, redundancy, and

continuous realtime display and requires onsite (standby) power. Category 2

provides for qualification but is less stringent in that it does not (of

itself) include seismic qualification, redundancy, or continuous display and

requires only a high-reliability power source (not necessarily standby

power). Category 3 is the least stringent. It provides for high-quality

commercial grade equipment that requires only offsite power.

7.5-9 Revised 04/17/2013 7.5.4.2 EVALUATION CRITERIA

The Regulatory Guide 1.97, Revision 3, requirements cover the requirements of

10 CFR 50.49, NUREG-0737, and Generic Letter 82-33.

The following is the evaluation criteria used to develop the parameter

listing summary sheets presented in Tables 7.5-1 and 7.5-2. The information

provided in these tables was developed in response to Regulatory Guide 1.97, Revision 3, and Generic Letter 82-33.

7.5.4.2.1 ENVIRONMENTAL QUALIFICATION CRITERIA

1. Category 1 Instrumentation
a. Instrumentation located in harsh environments should comply with the requirements of 10 CFR 50.49. An entry of "Comply" in the

column headed "Environ Qual" of the parameter listing summary

sheets indicates that the instrumentation is required to meet the

requirements of 10 CFR 50.49 and is included in the Turkey Point

Environmental Qualification Program.

b. Instrumentation located in mild environments are not required to be environmentally qualified. This is denoted in the parameter

listing summary sheets by an entry of "N/A"in the column headed "Environ Qual."

2. Category 2 Instrumentation

For Category 2 instrumentation the same criteria are used as for Category 1 instrumentation.

3. Category 3 Instrumentation

Environmental qualification of Category 3 instrumentation is not required. This is denoted in the parameter listing summary sheets by

an entry of "N/A" in the column headed "Environ Qual."

7.5-10 Revised 04/17/2013 7.5.4.2.2 SEISMIC QUALIFICATION CRITERIA

1. Category 1 Instrumentation

The original plant licensing basis for Turkey Point did not include any commitment to seismically qualify plant equipment to the requirements

of IEEE Standard 344-1975 (Regulatory Guide 1.100). "Original

equipment" complies with the seismic qualification approach which was

the basis for plant licensing. Original mechanical and electrical

equipment was purchased under specifications that included a

description of the seismic design criteria for the plant. However, no

seismic specifications were employed in the original instrumentation

purchase orders. Type testing documented in Westinghouse's WCAP 7397-1

provides verification of the seismic design objective for

instrumentation.

For new/replacement instrumentation, qualification to IEEE Standard 344-1975 is implemented whenever practicable. As a minimum, such

equipment must meet the seismic criteria for original equipment.

Based on the above, the entry of "Comply" in the column headed "Seismic Qual" associated with the parameter listing summary sheets is only

intended to denote that seismic qualification is required.

2. Category 2 and 3 Instrumentation Regulatory Guide 1.97, Revision 3, does not identify any specific provisions for Category 2 and 3 instrumentation. Therefore, an entry

of "N/A" in the column headed "Seismic Qual" of the parameter listing

summary sheets indicates that there is no requirement for seismic

qualification.

7.5-11 Revised 04/17/2013 7.5.4.2.3 REDUNDANCE

1. Category 1 Instrumentation

Table 1, Design and Qualification Criteria for Instrumentation of Regulatory Guide 1.97, Revision 3 identifies specific provisions for

redundancy including physical independence of instrument channels in

accordance with Regulatory Guide 1.75. Turkey Point's licensing basis

does not include any commitment to the requirements of Regulatory Guide

1.75. However, electrical and physical separation of Post-Accident

Monitoring circuits is provided.

For category 1 variables, separation of redundant channels is used, to the maximum practical extent, beginning at the process sensors.

Separation of redundant channels of field wiring continues through

containment penetrations to the analog protection racks. Physical

separation of field wiring for category 1 variables is achieved using

separate raceway and containment penetrations for each redundant

channel. Such separation ensures that physical damage affecting one

channel will not affect its redundant channel. Isolation devices are

provided for SPDS/ERDADS/DCS computer interfaces in accordance with

Regulatory Guide 1.75.

The entry in the column headed "Redundance" of the parameter listing summary sheets identifies the redundant component(s) credited for

compliance to the regulatory guide. In most instances, where

components under the column headed "Tag No." are credited for recording

function, an entry of "N/A" has been used to indicate that redundance

is not required by the regulatory guide. "N/A" has also been entered

in the "Redundance" column associated with Containment Isolation Valve

Position Indication (i.e., item no. B15). This denotes that redundant

valve position indication is not required. However, an evaluation has

been performed to demonstrate the capability of the Control Room

operator to verify isolation of containment penetrations.

2. Category 2 and 3 Instrumentation

For category 2 and 3 instrumentation, Regulatory Guide 1.97, Rev. 3 identifies no specific provision for redundancy. An entry of "N/A" in

the column headed "Redundance" associated with the parameter listing

summary sheets denotes that redundance is not required.

7.5-12 Revised 04/17/2013 7.5.4.2.4 POWER SOURCES

1. Category 1 Instrumentation

Category 1 instrumentation should be powered from one of the following Class 1E power sources:

a. 120 VAC uninterruptable power supply (inverters)
b. 120 VAC power backed up by the Emergency Diesel Generators
c. 125 VDC safety-related batteries

The column headed "Power Supply" associated with the parameter listing summary sheets contains a reference to a note identifying which of the

above power sources is used to power the main instrument loop providing

Post-Accident Monitoring.

2. Category 2 Instrumentation

Category 2 instrumentation should be supplied from a high reliability power source which can be either from:

a. 120 VAC safety-related or nonsafety-related uninterruptable power supply, or b. 120 VAC power backed up by an Emergency Diesel Generator, or
c. 125 VDC safety-related battery, or
d. 125 VDC nonsafety-related battery

The column headed "Power Supply" associated with the parameter listing summary sheets contains a reference to a note identifying which of the

above power sources is used to supply the main instrument loop

providing Post-Accident Monitoring.

3. Category 3 Instrumentation

Regulatory Guide 1.97, Revision 3, does not identify any specific provisions for Category 3 instrumentation. Therefore, an entry of "N/A" in the column headed "Power Supply" of the parameter listing

summary sheets indicates that there are no power supply requirements.

7.5-13 Revised 04/17/2013 7.5.4.2.5 DISPLAY AND RECORDING

1. Category 1 Instrumentation

Category 1 instrumentation should be displayed on a real-time display.

The indicator may be on a dial, digital display, electronic display or

strip chart recorder.

Recording of instrumentation readout should be provided for at least one redundant channel. Where dedicated strip chart recorder is not

provided, recording should be updated and sorted in computer memory and

displayed on demand.

2. Category 2 Instrumentation

Category 2 instrumentation should be displayed on an individual instrument or it may be processed for display on demand. Signal from

effluent radioactivity and area monitors should be recorded.

3. Category 3 Instrumentation

For Category 3 Instrumentation the same criteria are used as for Category 2 instrumentation except that signals from effluent

radioactivity, area and meteorology monitors should be recorded.

In general, instrumentation located on Main Control Room Boards and panels

are credited for Post-Accident Monitoring and are identified on the Parameter

Listing Summary Sheets in the column headed "Tag No." However, for various

Regulatory Guide 1.97 variables, the SPDS/ERDADS/DCS has been credited for

indication and/or recording capability. In these instances, SPDS or ERDADS

is identified on the parameter listing summary sheets in the column headed "CR (Control Room) Display Location." SPDS or ERDADS is indicated only when

computer capability is required in order to comply with the minimum

requirements of Regulatory Guide 1.97.

7.5-14 Revised 04/17/2013 7.5.4.2.6 RANGE

Control Room instrumentation should meet the range specified for the variable

in Regulatory Guide 1.97. In general, if two or more instruments are

required to cover a particular range, overlapping of instrument span shall be

provided. The parameter listing summary sheets in the column headed "Existing

Instrument Range." identifies the instrument range associated with a variable

as provided by Control Room indication. The column headed "Required

Instrument Range" identifies the range required by Table 3 "PWR Variables" of

Regulatory Guide 1.97 Revision 3.

7.5.4.3 TYPE A VARIABLES

Regulatory Guide 1.97, Revision 3, states that Type A variables are plant

specific. In order to identify the Type A variables which are specific to a

plant, a review must be performed of those EOP's which are pertinent to a

design basis accident event (i.e., anticipated operational occurrences or

serious events outside the design basis are not considered). A review was

conducted against the EOPs and the following parameters were designated as

Type A variables:

1. RCS Pressure
2. RCS Hot Leg Temperature
3. RCS Cold Leg Temperature
4. Steam Generator Level Narrow Range
5. Refueling Water Storage Tank Level
6. Pressurizer Level
7. Core Exit Temperature
8. Steam Generator Pressure
9. Containment Sump Water Level Wide Range
10. Safety Injection Pump Status
11. EDG Output (KW)
12. 4KV Bus Voltage

The assumptions, methodology and results of the EOP review are documented in

Reference 4.

7.5-15 Revised 04/17/2013 7.5.

4.4 REFERENCES

1. Letter L-84-20, J W Williams, Jr. (FPL) to D G Eisenhut (NRC), dated January 26, 1984.
2. Letter L-85-176A, J W Williams, Jr (FPL) to S A Varga (NRC), dated May 10, 1985.
3. Letter, "Instrumentation to Follow the Course of an Accident -

Conformance to Regulatory Guide 1.97, Revision 3," D G McDonald (NRC) to

C O Woody (FPL), dated March 20, 1986.

4. Regulatory Guide 1.97 Emergency Operating Procedure dated September 1990 prepared by Engineering Planning and Management, Inc. (EPM) (Attachment 5 of PC/M 90-391).
5. EPM Letter No. EL06090-158, dated October 1, 1990, "Supporting Documentation Associated with the FSAR Revision of Regulatory Guide 1.97

Commitments."

6. Letter L-88-290, FPL to the NRC, dated July 21, 1988.
7. NRC Letter to FPL, dated April 13, 1992, Docket Nos. 50-250 and 50-251.

This letter provides justification to downgrade the SI accumulator

instrumentation from RG 1.97 Category 2 to Category 3.

8. Letter L-2011-046, "License Amendment Request No. 214, Accident Monitoring Instrumentation Technical Specification Changes Regarding High Range - Noble Gas Effluent Monitors - Main steam Lines Accident Monitoring Instrumentation," August 17, 2011.

7.5-16 Revised 04/17/2013

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018 NOTES FOR TABLE 7.5-1 TURKEY POINT UNIT 3 Sheet 1 OF 9

For Tag No. Column

(LS) = Limit Switch Associated with Valve

For Existing Instrument Range Column

1. Portable sampling with onsite analysis capability is capable of providing a range from less than 1E-9 micro Ci/CC to greater than 1E-3

micro Ci/CC.

2. Portable instrumentation provides a range of:

A. 1E-3 R/HR to values greater than 1E4 R/HR photons; and

B. 1E-3 R/HR to values greater than 1E4 R/HR beta and low-energy photons 3.Existing range monitors up to 7.4E-2 micro Ci/CC. Plant specific analysis justifies smaller range. Particulates and halogens collected

on filter cartridge and monitored in lab after sample collection period

(30 minutes design for accident situations).

4.No instrument is provided for this variable. Elimination of the need to provide on-site analysis capability for this variable has been accepted by the NRC in their safety analysis report related to technical specification amendments 211/205, dated 1/31/2001.

For Required Instrument Range Column

1. RG 1.97 requires the following ranges:

A. 1E-3 R/HR to 1E4 R/HR photons; and

B. 1E-3 R/HR to 1E4 R/HR beta and low-energy photons

For Environmental Qualification Column

1. The Safety Injection Accumulator Discharge Valves MOV-865A, B and C are administratively controlled and are required to be in the open position

during normal operation. These valves are not required to change

position under accident conditions. Administrative control is

accomplished by locking open the associated motor control center circuit

breakers. Since administrative control via electrical de-energization

of the valves ensures that the valves will be in their safe position

during 06/18/2001 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 2 OF 9

an accident, environmental qualification of the limit switches providing position indication is not required.

For Power Supply Column

Power source is identified as:

1. Class 1E, 120 VAC uninterruptable power supply (inverters)
2. Class 1E, 120 VAC power backed up by the Emergency Diesel Generator
3. Class 1E, 125 VDC safety-related battery
4. Non-Class 1E, 120 VAC uninterruptable power supply
5. Indication is powered from the circuits being monitored via PTs, CTs, etc.
6. Transducers internal to the inverter providing computer display signals for inverter current and voltage are powered by the inverter internals.
7. The SPING monitors communicate with both primary and backup control terminals which are powered from plant inverters and backed up by the

safety-related batteries. SPING Monitors RAD-3(4)-6417 are powered from

non-vital lighting panels capable of being powered from the emergency

diesel generators. SPING Monitors RAD-3-6418, RAD-6426, and RAD-6304

are powered from a vital AC power panel which is automatically backed up

by an emergency diesel generator.

For Display Location

1. Control Room metering is credited for primary indication of Emergency Diesel Generator Output (MW). Recording capability for this variable is

also available via DCS/ERDADS.

For Schedule/Justification Column

1. The following notes referenced under the "Schedule/Just" column of the

Revised 04/17/2013 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 3 OF 9

Parameter Listing Summary Sheets correspond to the technical justifications identified below:

A. This justification demonstrates the acceptability of the existing uninterruptable power source (UPS) associated with the DCS (SPDS/ERDADS) for the monitoring of Category 1 variables. This

acceptability is based upon the existing UPS allowing the DCS (SPDS/ERDADS) to perform its credited RG 1.97 functions:

(1) Recording of Category 1 Variables -

Control Room indication is normally used to provide trending while DCS (SPDS/ERDADS) is used only as a backup to those

instruments. In those cases where DCS (SPDS/ERDADS) is

being used to trend Category 1 variables, either the

trending is not necessary to the Control Room operator's

decisions or the operator can obtain the real time

information via the monitoring of Control Room indication.

(2) Indication of Category 1 Variables -

DCS (SPDS/ERDADS) is only used as a backup means of indication for certain containment isolation valves but is

not credited for RG 1.97 indication for any other Category 1

variable.

(3) Containment Isolation Valve Indication -

In the few instances where DCS (SPDS/ERDADS) is credited for backup indication associated with containment isolation

valves, computer power will be available from the UPS

battery for at least the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of the accident.

This period of operability is sufficient to allow the

completion of containment isolation.

B. This justification demonstrates that the DCS (SPDS/ERDADS), although classified as non-nuclear safety-related, is capable of

Revised 01/31/2013 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 4 OF 9

providing the necessary Regulatory Guide functions for which it is credited.

(1) The DCS (SPDS/ERDADS) is not essential to the monitoring of Category 1 variables. The computer is credited only for

backup indication of a few containment isolation valves (i.e., valve position indication) but is not credited for

either primary or backup indication for any other Category 1

variables.

(2) The DCS (SPDS/ERDADS) is not essential in providing the Control Room operators with vital trending or recording

information. Control Room indication is normally used to

provide trending while DCS (SPDS/ERDADS) is used only as a

backup to those instruments. In those cases where DCS (SPDS/ERDADS) is being used to trend Category 1 variables, either the trending is not necessary to the operator's

decisions or the operator can obtain the real time

information via the monitoring of Control Room indication.

(3) The DCS (SPDS/ERDADS) provides primary indication of certain Category 2 and 3 variables. In general, the DCS (SPDS/ERDADS) complies with the Category 2 and 3 design and

qualification criteria identified in Table 1 of RG 1.97.

(4) The DCS (SPDS/ERDADS) does not diminish the capability of the Control Room operators to obtain the necessary post-

accident monitoring information or in achieving the safe

shutdown of the plant. Based upon conclusions (1) and (2)

above, it can be further concluded that the DCS (SPDS/ERDADS) does not perform an essential function with

respect to Category 1 post-accident monitoring.

C. This justification demonstrates that the lack of overlap between the ranges of Containment Sump Water Level narrow and wide range

instrumentation does not jeopardize the capability of providing the

Control Room operators the critical information required during

Revised 01/31/2013 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 5 OF 9

plant accident conditions. This is based on an analysis which provides the following:

(1) The deadband in Containment Sump Water Level indication between 369" and 397" causes less than 6% error in indication.

(2) The resulting error in indication is introduced in a non-critical range of the required indication. Thus the deadband does not

prevent the operator from obtaining the required information:

(a) Low level (narrow range) indication of the initial ingress of water into the sump to allow the assessment of water

source and rate.

(b) High level (wide range) indication for operator response to containment flooding.

(c) Determination of the ability to transfer to cold leg recirculation in the event of loss of reactor or secondary

coolant based upon having achieved minimum pump NPSH.

D. This justification clarifies the inconsistency between the Accumulator Tank Level ranges identified in the previous FPL RG 1.97 submittals of

January 26, 1984 and May 10, 1985, and the existing Control Room instrumentation range of 6,400 to 6,870 gals. The existing Control Room range of 6,400 to 6,870 gals. uses the same basis for justification as identified and approved by NRC in its Safety Evaluation dated March 20, 1986. Accumulator tank pressure is also credited for determining

accumulator tank level. As pressure drops in the accumulators, application of the Ideal-Gas state equation provides indication of how

much water remains in the accumulator following actuation. As an

operator aid, a curve has been made available to the operator which

correlates accumulator pressure to accumulator level. The accumulator

instrumentation have been down graded, per NRC letter dated April 13, 1992 Docket Nos. 50-250 and 50-251, from R.G. 1.97 Category 2 to

Category 3.

Revised 04/06/2018 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 6 OF 9 E. This justification clarifies the use of flow meters integral to hand indicating controllers as a means of providing valve position

indication. The integral flow meters provide "closed" position

indication by indicating zero flow and "not closed" position

indication by indicating higher than zero flow.

F. This justification identifies alternative instrumentation being credited for the monitoring of Containment Spray Flow. An

alternative method of monitoring this variable was identified in to FPL RG 1.97 submittal dated May 10, 1985. The

alternative instrumentation provides monitoring of the operation of

the Containment Spray System, as intended by RG 1.97. This is

accomplished by monitoring the proper alignment of Containment

Spray valves and operation of the Containment Spray pumps. In

addition, the monitoring of containment temperature and pressure

assures that containment cooling systems are performing their

required function. Monitoring of RWST level provides indirect

indication of the Containment Spray flow function.

G. This justification identifies alternative instrumentation being credited for the monitoring of Containment Fan Heat Removal. An

alternative method of monitoring this variable was identified in to FPL RG 1.97 submittal dated May 10, 1985. The

method used to address this variable monitors the operation of the

Emergency Containment Cooling (ECC) fans and verifies that

Component Cooling Water (CCW) flow has been established to the ECC

coolers. In addition, the monitoring of containment pressure and

temperature provides indirect indication of the Containment Fan

Heat Removal function.

H. This justification provides the rationale for not recording containment isolation valve position (Category 1 variable).

Recording of containment isolation valve position is not essential

for operator action. Containment valve position is available to

the operators via Control Room indicating lights. The operators

depend on the real time information provided by indicating lights

to verify containment isolation. Thus the operators do not need

trending of valve position to verify isolation.

Rev. 10 7/92 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 7 OF 9 I. This justification provides the basis for the acceptability of the existing range for Containment Sump Water Level narrow range indication. The existing range of LI-6308A&B includes a 0-5 inch deadband (i.e., no specific reading can be obtained). However, since the 0-5 inch deadband is outside of the loop measurement range and insignificant compared to the span of 364 inches, the lower limit of the indicator scale of 0-5 inches is acceptable.

J. This justification provides the basis for the acceptability of the existing range for Containment Sump Water Level narrow range recording. The existing range of LR-6308A&B includes a 0-5 inch deadband (i.e., no specific reading can be obtained). However, since the 0-5 inch deadband is insignificant compared to the span of 364 inches, the lower limit of the recorder scale of 0-5 inches is acceptable.

K. This justification demonstrates that the lack of units of measure (i.e., inches) associated with the Control Room indication for Containment Sump Water Level wide range, LI-6309A&B, will not mislead the Control Room operators. This is based on the operators being familiar with the applicable units of measure via training.

L. Wide range monitoring for Steam Generator Level is provided via a single non-Class 1E wide range level loop. This justification demonstrates that, although wide range monitoring may not be available during an accident scenario, the Control Room operator will have sufficient information to identify and mitigate an accident and to determine the availability of the steam generators as heat sinks. This is based upon the following:

(1) Steam generator level will either remain within narrow range level indication or, if steam generator level has fallen below narrow range indication, that Auxiliary Feedwater has been initiated and will result in the recovery of steam generator level to within narrow range limits. This is accomplished via the associated emergency operating procedures.

Rev. 10 7/92 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 8 OF 9 (2) RCS temperature (i.e., hot and cold leg water temperature) and pressure are available to determine the effectiveness of the steam generators as heat sinks.

2. Since the original containment isolation design for Turkey Point was not required to provide redundant valve position indication, the redundancy criteria of RG 1.97 are not applicable to the existing plant design. As a result, in order to address the RG 1.97 concern for ensuring Control Room capability to verify isolation status, an RG 1.97 Containment Isolation Valve Evaluation was performed. The evaluation considers the effects of single failure of valve indication and demonstrates the capability for the Control Room operator to verify isolation of Containment penetrations.
3. An exception to this variable has been accepted by NRC in its Safety Evaluation Report dated March 20, 1986.
4. All 24 channels of the Area Radiation Monitoring System (ARMS) have been replaced by PC/M 89-462 to comply with commitments made to the NRC in FPL letter L-88-290 (Reference 6). L-88-290 commitments require the use of instrumentation with a range of 10

-3 R/hr to 10 2 R/hr. Instrumentation installed under PC/M 89-462 has a range of 10

-4 R/hr to 10 4 R/hr, which exceeeds both Regulatory Guide 1.97 recommendations and L-88-290 commitments.

5. No instrumentation has been provided since effluent discharge is through a common plant vent.
6. No recording capability exists for 4KV Bus Voltage (Category 1 variable). The emergency operating procedures presently credit the monitoring of 4KV Bus Voltage to allow the Control Room operator to determine the loss of power to a 4KV bus. Control Room meter indication of 4KV bus voltage is available and is adequate to allow the operator to identify the loss of bus voltage on a realtime basis. Trending of bus voltage is not necessary. Therefore, recording of the variable is not essential.

Rev. 10 7/92 NOTES FOR TABLE 7.5-1 (Continued)

Sheet 9 OF 9

7. NOT USED
8. NOT USED
9. The original plant design included 51 core exit thermocouples. Due to the potential for individual sensor failures, the actual number of

operable thermocouples may be reduced below this value.

10.NOT USED 11.Existing instrument range of "OPEN/CLOSED" is derived from a single limit switch contact. The contact provides CLOSED/NOT CLOSED position

to ERDADS which then defines and displays the position as OPEN or CLOSED

at the CR, TSC and EOF consoles.

12.On-site analysis capability for this variable has been eliminated in favor of grab samples and offsite analysis. This change is consistent

with commitments documented in NRC safety evaluation for technical

specification amendments 211/205, dated 1/31/2001.

Revised 04/17/2013

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018

Revised 04/06/2018 NOTES FOR TABLE 7.5-2 TURKEY POINT UNIT 4 Sheet 1 OF 9

For Tag No. Column

(LS) = Limit Switch Associated with Valve

For Existing Instrument Range Column

1. Portable sampling with onsite analysis capability is capable of providing a range from less than 1E-9 micro Ci/CC to greater than 1E-3

micro Ci/CC.

2. Portable instrumentation provides a range of:

A. 1E-3 R/HR to values greater than 1E4 R/HR photons; and

B. 1E-3 R/HR to values greater than 1E4 R/HR beta and low-energy photons 3.Existing range monitors up to 7.4E-2 micro Ci/CC. Plant specific analysis justifies smaller range. Particulates and halogens collected

on filter cartridge and monitored in lab after sample collection period

(30 minutes design for accident situations).

4.No instrument is provided for this variable. Elimination of the need to provide on-site analysis capability for this variable has been accepted by the NRC in their safety analysis report related to technical specification amendments 211/205, dated 1/31/2001.

For Required Instrument Range Column

1. RG 1.97 requires the following ranges:

A. 1E-3 R/HR to 1E4 R/HR photons; and

B. 1E-3 R/HR to 1E4 R/HR beta and low-energy photons

For Environmental Qualification Column

1. The Safety Injection Accumulator Discharge Valves MOV-865A, B and C are administratively controlled and are required to be in the open position

during normal operation. These valves are not required to change

position under accident conditions. Administrative control is

accomplished by locking open the associated motor control center circuit

breakers. Since administrative control via electrical de-energization

of the valves ensures that the valves will be in their safe position

during 06/18/2001 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 2 OF 9

an accident, environmental qualification of the limit switches providing position indication is not required.

For Power Supply Column

Power source is identified as:

1. Class 1E, 120 VAC uninterruptable power supply (inverters)
2. Class 1E, 120 VAC power backed up by the Emergency Diesel Generator
3. Class 1E, 125 VDC safety-related battery
4. Non-Class 1E, 120 VAC uninterruptable power supply
5. Indication is powered from the circuits being monitored via PTs, CTs, etc.
6. Transducers internal to the inverter providing computer display signals for inverter current and voltage are powered by the inverter internals.
7. The SPING monitors communicate with both primary and backup control terminals which are powered from plant inverters and backed up by the

safety-related batteries. SPING Monitors RAD-3(4)-6417 are powered from

non-vital lighting panels capable of being powered from the emergency

diesel generators. SPING Monitor RAD-6304 and steam line monitor RAD-

6426 are powered from vital AC power panels which are automatically

backed up by an emergency diesel generator.

For Display Location

1. Control Room metering is credited for primary indication of Emergency Diesel Generator Output (MW). Recording capability for this variable is

also available via DCS/ERDADS.

For Schedule/Justification Column

1. The following notes referenced under the "Schedule/Just" column of the

Revised 04/17/2013 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 3 OF 9

Parameter Listing Summary Sheets correspond to the technical justifications identified below:

A. This justification demonstrates the acceptability of the existing uninterruptable power source (UPS) associated with the

DCS/SPDS/ERDADS computer for the monitoring of Category 1

variables. This acceptability is based upon the existing UPS

allowing the DCS/SPDS/ERDADS computer to perform its credited

RG 1.97 functions:

(1) Recording of Category 1 Variables -

Control Room indication is normally used to provide trending while DCS/SPDS/ERDADS is used only as a backup to those

instruments. In those cases where DCS/SPDS/ERDADS is being

used to trend Category 1 variables, either the trending is

not necessary to the Control Room operator's decisions or

the operator can obtain the real time information via the

monitoring of Control Room indication.

(2) Indication of Category 1 Variables -

DCS/SPDS/ERDADS is only used as a backup means of indication for certain containment isolation valves but is not credited

for RG 1.97 indication for any other Category 1 variable.

(3) Containment Isolation Valve Indication -

In the few instances where DCS/SPDS/ERDADS is credited for backup indication associated with containment isolation

valves, computer power will be available from the UPS

battery for at least the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of the accident.

This period of operability is sufficient to allow the

completion of containment isolation.

B. This justification demonstrates that the DCS/SPDS/ERDADS computer, although classified as non-nuclear safety-related, is capable of

Revised 04/17/2013 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 4 OF 9

providing the necessary Regulatory Guide functions for which it is credited.

(1) The DCS/SPDS/ERDADS computer is not essential to the monitoring of Category 1 variables. The computer is

credited only for backup indication of a few containment

isolation valves (i.e., valve position indication) but is

not credited for either primary or backup indication for any

other Category 1 variables.

(2) The DCS/SPDS/ERDADS computer is not essential in providing the Control Room operators with vital trending or recording

information. Control Room indication is normally used to

provide trending while DCS/SPDS/ERDADS is used only as a

backup to those instruments. In those cases where

DCS/SPDS/ERDADS is being used to trend Category 1 variables, either the trending is not necessary to the operator's

decisions or the operator can obtain the real time

information via the monitoring of Control Room indication.

(3) The DCS/SPDS/ERDADS computer provides primary indication of certain Category 2 and 3 variables. In general, the

DCS/SPDS/ERDADS computer complies with the Category 2 and 3

design and qualification criteria identified in Table 1 of

RG 1.97.

(4) The DCS/SPDS/ERDADS computer does not diminish the capability of the Control Room operators to obtain the

necessary post-accident monitoring information or in

achieving the safe shutdown of the plant. Based upon

conclusions (1) and (2) above, it can be further concluded

that the DCS/SPDS/ERDADS computer does not perform an

essential function with respect to Category 1 post-accident

monitoring.

C. This justification demonstrates that the lack of overlap between the ranges of Containment Sump Water Level narrow and wide range

instrumentation does not jeopardize the capability of providing the

Control Room operators the critical information required during

Revised 04/17/2013 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 5 OF 9

plant accident conditions. This is based on an analysis which provides the following:

(1) The deadband in Containment Sump Water Level indication between 369" and 397" causes less than 6% error in

indication.

(2) The resulting error in indication is introduced in a non-critical range of the required indication. Thus the

deadband does not prevent the operator from obtaining the

required information:

(a) Low level (narrow range) indication of the initial ingress of water into the sump to allow the

assessment of water source and rate.

(b) High level (wide range) indication for operator response to containment flooding.

(c) Determination of the ability to transfer to cold leg recirculation in the event of loss of reactor or

secondary coolant based upon having achieved minimum

pump NPSH.

D. This justification clarifies the inconsistency between the Accumulator Tank Level ranges identified in the previous FPL

RG 1.97 submittals of January 26, 1984 and May 10, 1985, and the existing Control Room instrumentation range of 6,400 to 6,870 gals.

The existing Control Room range of 6,400 to 6,870 gals. uses the same basis for justification as identified and approved by NRC in its Safety Evaluation dated March 20, 1986. Accumulator tank

pressure is also credited for determining accumulator tank level.

As pressure drops in the accumulators, application of the Ideal-Gas

state equation provides indication of how much water remains in the

accumulator following actuation. As an operator aid, a curve has

been made available to the operator which correlates accumulator

pressure to accumulator level. The accumulator instrumentation

have been downgraded, per NRC letter dated April 13, 1992, Docket

Nos. 50-250 and 50-251, from R.G. 1.97 Category 2 to Category 3.

Revised 04/06/2018 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 6 OF 9

E. This justification clarifies the use of flow meters integral to hand indicating controllers as a means of providing valve position

indication. The integral flow meters provide "closed" position

indication by indicating zero flow and "not closed" position

indication by indicating higher than zero flow.

F. This justification identifies alternative instrumentation being credited for the monitoring of Containment Spray Flow. An

alternative method of monitoring this variable was identified in to FPL RG 1.97 submittal dated May 10, 1985. The

alternative instrumentation provides monitoring of the operation of

the Containment Spray System, as intended by RG 1.97. This is

accomplished by monitoring the proper alignment of Containment

Spray valves and operation of the Containment Spray pumps. In

addition, the monitoring of containment temperature and pressure

assures that containment cooling systems are performing their

required function. Monitoring of RWST level provides indirect

indication of the Containment Spray flow function.

G. This justification identifies alternative instrumentation being credited for the monitoring of Containment Fan Heat Removal. An

alternative method of monitoring this variable was identified in to FPL RG 1.97 submittal dated May 10, 1985. The

method used to address this variable monitors the operation of the

Emergency Containment Cooling (ECC) fans and verifies that

Component Cooling Water (CCW) flow has been established to the ECC

coolers. In addition, the monitoring of containment pressure and

temperature provides indirect indication of the Containment Fan

Heat Removal function.

H. This justification provides the rationale for not recording containment isolation valve position (Category 1 variable).

Recording of containment isolation valve position is not essential

for operator action. Containment valve position is available to

the operators via Control Room indicating lights. The operators

depend on the real time information provided by indicating lights

to verify containment isolation. Thus the operators do not need

trending of valve position to verify isolation.

Rev. 15 4/98 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 7 OF 9

I. This justification provides the basis for the acceptability of the existing range for Containment Sump Water Level narrow range

indication. The existing range of LI-6308A&B includes a 0-5 inch

deadband (i.e., no specific reading can be obtained). However, since the 0-5 inch deadband is outside of the loop measurement

range and insignificant compared to the span of 364 inches, the

lower limit of the indicator scale of 0-5 inches is acceptable.

J. This justification provides the basis for the acceptability of the existing range for Containment Sump Water Level narrow range

recording. The existing range of LR-6308A&B includes a 0-5 inch

deadband (i.e., no specific reading can be obtained). However, since the 0-5 inch deadband is insignificant compared to the span

of 364 inches, the lower limit of the recorder scale of 0-5 inches

is acceptable.

K.This justification demonstrates that the lack of units of measure (i.e., inches) associated with the Control Room indication for Containment Sump Water Level wide range, LI-6309A&B, will not mislead the Control Room operators. This is based on the operators being familiar with the applicable units of measure via training.

L. Wide range monitoring for Steam Generator Level is provided via a single non-Class 1E wide range level loop. This justification

demonstrates that, although wide range monitoring may not be

available during an accident scenario, the Control Room operator

will have sufficient information to identify and mitigate an

accident and to determine the availability of the steam generators

as heat sinks. This is based upon the following:

(1) Steam generator level will either remain within narrow range level indication or, if steam generator level has fallen

below narrow range indication, that Auxiliary Feedwater has

been initiated and will result in the recovery of steam

generator level to within narrow range limits. This is

accomplished via the associated emergency operating

procedures.

(2) RCS temperature (i.e., hot and cold leg water temperature) and pressure are available to determine the effectiveness of

the steam generators as heat sinks.

2. Since the original containment isolation design for Turkey Point was not required to provide redundant valve position indication, the redundancy

Rev. 16 10/99 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 8 OF 9 criteria of RG 1.97 are not applicable to the existing plant design. As a result, in order to address the RG 1.97 concern for ensuring Control

Room capability to verify isolation status, an RG 1.97 Containment

Isolation Valve Evaluation was performed. The evaluation considers the

effects of single failure of valve indication and demonstrates the

capability for the Control Room operator to verify isolation of

Containment penetrations.

3. An exception to this variable has been accepted by NRC in its Safety Evaluation Report dated March 20, 1986.
4. All 24 channels of the Area Radiation Monitoring System (ARMS) have been replaced by PC/M 89-462 to comply with commitments made to the NRC in

FPL letter L-88-290 (Reference 6). L-88-290 commitments require the use

of instrumentation with a range of 10

-3 R/hr to 10 2 R/hr. Instrumentation installed under PC/M 89-462 has a range of 10

-4 R/hr to 10 4 R/hr, which exceeeds both Regulatory Guide 1.97 recommendations and L-88-290 commitments.

5. No instrumentation has been provided since effluent discharge is through a common plant vent.
6. No recording capability exists for 4KV Bus Voltage (Category 1 variable). The emergency operating procedures presently credit the

monitoring of 4KV Bus Voltage to allow the Control Room operator to

determine the loss of power to a 4KV bus. Control Room meter indication

of 4KV bus voltage is available and is adequate to allow the operator to

identify the loss of bus voltage on a realtime basis. Trending of bus

voltage is not necessary to ensure accomplishment of this manual action.

Therefore, recording of the variable is not essential.

7. NOT USED
8. NOT USED

Revised 04/17/2013 NOTES FOR TABLE 7.5-2 (Continued)

Sheet 9 OF 9 9.The original plant design included 51 core exit thermocouples. Due to the potential for individual sensor failures, the actual number of

operable thermocouples may be reduced below this value.

10.NOT USED 11.Existing instrument range of "OPEN/CLOSED" is derived from a single limit switch contact. The contact provides CLOSED/NOT CLOSED position

to ERDADS which then defines and displays the position as OPEN or CLOSED

at the CR, TSC and EOF consoles.

12. On-site analysis capability for this variable has been eliminated in favor of grab samples and offsite analysis. This change is consistent

with commitments documented in NRC safety evaluation for technical

specification amendments 211/205, dated 1/31/2001.

Revised 01/27/2013 7.6 IN-CORE INSTRUMENTATION

7.6.1 DESIGN

BASIS

The in-core instrumentation is designed to yield information on the neutron flux distribution and fuel assembly outlet temperatures at selected core locations.

Using the information obtained from the in-core instrumentation system, it is possible to confirm the reactor core design power distribution parameters and calculated hot channel factors. The system provides means for acquiring data and performs no operational control.

7.6.2 SYSTEM

DESIGN

The in-core instrumentation system consists of the Inadequate Core Cooling System (ICCS) and flux thimbles, which run the length of selected fuel assemblies to facilitate measurement of the neutron flux distribution within the reactor core.

The measured data obtained from the ICCS in-core temperature thermolcouples and flux distribution instrumentation system, in conjunction with previously determined analytical information, can be used to determine the fission power distribution in the core at any time throughout core life. This method is more accurate than using calculations alone.

Once the fission power distribution has been established, the maximum power output is primarily determined by thermal power distribution and the thermal and hydraulic limitations determine the maximum core capability.

The in-core instrumentation provides information which may be used to calculate the coolant enthalpy distribution, the fuel burnup distribution, and an estimate of the coolant flow distribution.

Both radial and azimuthal symmetry of power may be evaluated by combining the detector and thermocouple information from the one quadrant with similar data obtained from the other three quadrants.

The ICCS consists of three systems:

1. Core Exit Thermocouples System (CET)
2. Heated Junction Thermocouples System (HJTC)
3. Subcooled Margin Monitoring System (SMM)

7.6-1 Revised 09/18/2007 These three systems are briefly discussed below:

1. Core-Exit Thermocouples System This system originally included 51 thermocouples positioned to measure fuel assembly coolant outlet temperature at preselected locations; some thermocouples have been abandoned in accordance with plant procedures.

The temperature measurement signals from these thermocouples are carried through silicon-rubber insulated cables with stainless steel protective jackets routed in redundant channels. The thermocouples for the two channels have been selected in such a way that each channel indicates the temperature of the whole core. The thermocouple outputs are recorded in the computer room and indicated in the control room.

2. Heated Junction Thermocouple System This system includes eight pairs of heated/unheated thermocouples located axially in a probe assembly; some probes have had pairs of heated/ unheated thermocouples abandoned in accordance with plant procedures. There are two identical probe assemblies in the reactor vessel. The measurements from these thermocouples are carried through silicon-rubber insulated cables with stainless steel protective jackets routed in two redundant channels. Two pairs of thermocouples are located in the upper head region above the upper support plate and six pairs are located in the upper plenum region between core alignment and support plates. These thermocouples provide information regarding reactor coolant inventory. The outputs from these thermocouples are processed in the computer room and indicated in the control room.
3. Subcooled Margin Monitoring System This system includes two pressure transmitters to measure RCS pressure and one dual RTD in each hot and cold leg to measure RCS temperature. Reactor coolant system hot leg temperature (1 per loop per QSPDS channel), cold leg temperature (1 per loop per QSPDS channel) and RCS pressure (1 per QSPDS channel) are routed in two redundant channels to the computer room for saturation margin calculations.

In the computer room, the signals for these systems are processed by a computer installed in a seismically qualified cabinet for each channel. A display unit for each channel is installed in the control room for indication of processed parameters and these are connected to the computer with a fiber optic data link. Each ICCS (QSPDS) Channel is powered from a station vital power supply.

7.6-1a Revised 08/17/2016

Thermocouples Chromel-alumel thermocouples are threaded into guide tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with two primary seals, using high pressure screwed fittings from conduit to head. The thermocouple column to vessel seal consists of grafoil packing rings which are compressed by a drive sleeve to seal the annulus between the thermocouple column and the head port adapter. The head port adapter is threaded and seal welded onto the nozzle penetrating the vessel head. (See Figure 7.6.1.) The thermocouples are enclosed in stainless steel sheaths within the above tubes to allow replacement if necessary. Thermocouple outputs are recorded in the computer room and displayed in the control room. The support of the thermocouple guide tubes in the upper core support assembly is described in Section 3.

Movable Miniature Neutron Flux Detectors

Mechanical Configuration

Five fission chamber detectors (employing U 3 O 8 which is 90 percent enriched in U 235) can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. Maximum chamber dimensions are 0.188-inch in diameter and 2.10 inches in length. The stainless steel detector shell is welded to the leading end of the helical wrap drive cable and the stainless steel sheathed coaxial cable. Each detector is designed to have a minimum thermal neutron sensitivity of 1.0 x 10

-17 amps/nv and a maximum gamma sensitivity of 3 x 10

-14 amps/R/hr. Operating thermal neutron flux range for these detectors is 1 x 10 10 to 8.7 x 10 13 nv. Other miniature detectors, such as gamma ionization chambers and boron-lined neutron detectors, can also be used in the system. Retractable thimbles into which the miniature detectors are driven are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal zone.

7.6-2 Revised 01/14/2010

The thimbles which are dry inside are closed at the leading ends, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal table.

During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal table is provided for the retraction operation.

The drive system for the insertion of the miniature detectors consists basically of five drive assemblies, five path group selector assemblies and five rotary selector assemblies. The drive system pushes hollow helical-wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the trailing ends of the drive cables. Each drive assembly generally consists of a gear motor which pushes a helical-wrap drive cable and detector through a selected thimble path by means of a special drive box and includes a storage device that accommodates the total drive cable length.

Further information on mechanical design and support is described in Section

3.2.3. During

the Unit 4 Cycle 27 refueling outage, the following twenty two thimble tubes were replaced/installed: C-12, E-11, G-14, H-1, M-3, J-3, L-11, N-12, F-2, L-5, J-7, G-9, F-13, F-8, F-6, H-4, N-5, C-8, L-9, J-5, L-4, AND N-7. Thimble tubes H-1 AND M-3 were capped due to not having their isolation valves, casings, fittings, and supporting frame within each respective tube. During the Unit 4 Cycle 29 refueling outage, thimble tubes H-1 and M-3 previously capped during the Cycle 27 refueling outage, were restored to operational status. Therefore, following the Cycle 29 refueling outage, all thimble locations are available in Unit 4 for flux mapping. Capped thimble tubes are periodically repositioned to minimize tube wall wear. While inspections may result in capping at additional thimble tube locations, the remaining number of detector thimbles will not decrease below the number of required thimbles available for peaking factor verification.

During Unit 3 cycle 24 refueling outage, F-13, G-7, H-3, L-4, L-9, N-5, N-8, H-13, M-3 and J-12 thimble tube core locations were replaced. During the Unit 3 Cycle 27 refueling outage, D-12, E-11, N-10, B-7, D-10, J-10 and G-9 thimble tube core locations were replaced. While future ECT inspections may result in capping thimble tube locations, the remaining number of detector thimbles will not decrease below the number of required thimbles available for peaking factor verification.

7.6-3 Revised 06/23/2016

Control and Readout Description The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors at a selected speed while plotting a level of induced radioactivity versus detector position. Each detector can be driven in or out at speeds of 72 feet per minute or 12 feet per minute. In normal operation, the detectors would move at a speed of 72 feet per minute outside the reactor core and 12 feet per minute when scanning the neutron flux. The average path length external to the core is 120 feet.

Up to five separate fuel assemblies can be scanned simultaneously. A full core map can be read in one hour. The control system consists of two sections, one physically mounted with the drive units, and the other contained in the control room. Limit switches in each drive conduit provide means for pre-recording detector and cable positioning in preparation for a flux mapping operation. Each gear box drives an encoder for positional data plotting. One group path selector (5 path) is provided for each drive unit to route the detector into one of the flux thimble groups. A rotary transfer assembly is a transfer device that is used to route a detector into any one of up to ten selectable paths. Fifty manually operated isolation valves allow free passage of the detector and drive cable when open, and prevents leakage of coolant in case of a thimble rupture, when closed. A path common to each group of flux thimbles is provided to permit cross calibration of the detectors.

The control room contains the necessary equipment for control, position indication, and flux recording. Panels are provided to indicate the core position of the detectors, and for plotting the flux level versus the detector position. Additional panels are provided for such features as drive motor controls, core path selector switches, plotting and gain controls. A "flux-mapping" consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven or inserted to the top of the core and stopped automatically or manually.

An x-y plot (position vs flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner other core locations are selected and plotted.

Each detector provides axial flux distribution data along the center of a fuel assembly. Data from selected fuel assemblies are then compared to obtain a flux map of the core.

7.6-4 Revised 06/23/2016

7.6.3 SYSTEM

EVALUATION

The thimbles are distributed nearly uniformly over the core with about the same number of thimbles in each quadrant. The number and location of thimbles have been chosen to permit measurement of local to average peaking factors to an accuracy of

+/-10% (95% confidence). Measured nuclear peaking factors will be increased to allow for possible instrument error. The maximum measured hot channel factor will be compared to the hot channel factors in the core operating limits. If the measured hot channel factor is larger than expected, reduced power capability will be indicated.

During the Unit 4 Cycle 20 refueling outage, two of the core mapping thimble tubes at H-1 and M-3 were modified by the insertion of a thermocouple cable.

During Unit 3 Cycle 24 refueling outage, F-13, G-7, H-3, L-4, L-9, N-5, N-8, H-13, M-3 and J-12 thimble tube core locations were replaced. During the Unit 3 Cycle 27 refueling outage, D-12, E-11, N-10, B-7, D-10, J-10 and G-9 thimble tube core locations were replaced. During the Unit 4 Cycle 22 refueling outage, two core mapping thimble tubes at locations E-11 and G-14 were removed from service by capping at their respective seal table high pressure fitting. However, since the minimum complement of thimbles are expected to remain available, there is no impact on the uncertainties assumed in the surveillance of incore peaking factors. During RFO 4-25 CET, H-1 and M-3 thimble tubes have been disconnected, spared repositioned and abandoned in place. During the Unit 4 Cycle 29 refueling outage, thimble tubes H-1 and M-3 previously capped during the Cycle 27 refueling outage, were restored back to operational status. While future ECT inspections may result in capping thimble tube locations, the remaining number of detector thimbles will not decrease below the number of required thimbles available for peaking factor verification. Capped thimble tubes are periodically repositioned to minimize tube wall wear.

7.6.4 REGULATORY

GUIDE 1.97, REVISION 3

A review of Turkey Point Units 3 and 4 accident monitoring instrumentation and control systems was conducted against the requirements of Regulatory Guide 1.97, Revision 3. Subsection 7.5.4 presents the requirements of Regulatory Guide 1.97, Revision 3, and the results of the conducted review.

7.6-5 Revised 06/23/2016

7.7 OPERATING

CONTROL STATIONS

7.7.1 DESIGN

BASIS

Criterion: The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access even under accident conditions to equipment in the control room or other areas as necessary to shutdown and maintain safe control of the facility without excessive radiation exposures of personnel (1967 proposed GDC 11).

NUREG-0737, "Clarification of TMI Action Plan Requirements", published in October 1980, provided a comprehensive and integrated plan to improve safety at power reactors. Clarification item I.D.1, "Control Room Design Reviews," required all licensees and applicants for operating licenses to develop a Detailed Control Room Design Review (DCRDR) to identify and correct design deficiencies. This review includes an assessment of the control room layout for human factors considerations that have an impact on operating effectiveness.

Draft NUREG-0801, "Evaluation Criteria for Detailed Control Room Design Review," provides the guidelines in determining the acceptability of the DCRDR and resultant control room improvements. Subsection 7.7.3 provides a description of the DCRDR for Turkey Point Units 3 and 4.

Clarification item III.D.3.4, "Control Room Habitability Requirements," of NUREG 0737 required all licensees to assure that control room operators would be adequately protected against the effects of an accidental release of toxic or radioactive gases, such that the unit(s) could be safely operated or shutdown if required.

To satisfy these design bases, the units are equipped with a control room which contains the controls and instrumentation necessary for operation of the reactor and turbine generator under normal, abnormal, and accident conditions. The units are also equipped with remote shutdown capability to which allow safe shutdown of the plant from outside the control room if control room evacuation is required.

7.7-1 09/14/2001 Sufficient shielding, distance, and containment integrity are provided to assure that control room personnel radiation exposure under MHA conditions does not exceed 10CFR50 Appendix A, GDC 19 limits during occupancy of, ingress to and egress from the control room. Multiple self-contained breathing apparatus units are in and near the control room for use by the control room personnel during accidental release of toxic gases. The control room ventilation consists of a system having a large percentage of recirculated air. The fresh air intake is automatically closed to control the intake of airborne activity upon Containment Isolation Actuation Signal.

To ensure that the control Room operators are not impaired by an ammonia storage tank spill at Turkey Point Unit 5, a layer of floating (special surface blanketing) balls has been installed in the impoundment basin below the ammonia storage tanks. These balls will automatically arrange themselves into a close packed formation if a spill occurs and reduce the release of ammonia to the atmosphere.

Consequence modeling demonstrates that the concentration of ammonia in the control room will remain below the Occupational Safety and Health Administration Permissible Exposure Levels (OSHA-PEL) without operator action. 7.7.2 SYSTEM DESIGN 7.7.2.1 Control Room The principal criterion of control station design and layout is that all controls, instrumentation displays and alarms required for the safe operation and shutdown of the unit are readily available to the operators in the Control Room.

The Control Room arrangement provides a north-south separation. The alarms for the two units are in opposite ends of the room and have different tones to make them distinguishable to the operator.

The control room Control Board has been designed to minimize the operators surveillance area. Control stations on the boards are grouped according to function so as to minimize the possibility of operator error.

The Control Room control boards consist of console and adjacent vertical panels arranged as shown on Figure 7.7-1. The console contains those switches and control stations which are most frequently employed during normal unit operation. The vertical panels contain those control stations used less frequently (e.g. start-up or shut-down). 7.7-2 Revised 04/25/2007

Indicators and trend recorders are located on both the console and vertical panels. Those located on the vertical panels are positioned to be in front of that section of the console which contains functionally related control stations and indicators.

The Unit 3 detailed control board layout drawings are as follows: Figures 7.7-2a, 7.7-2b, 7.7-3, through 7.7-6. The Unit 4 detailed control board layout drawings are as follows: Figures 7.7-7, through 7.7-12.

7.7.2.2 Remote (Alternate) Shutdown Capabilities

Provisions have been made so that the operators can maintain the units in a safe hot standby condition by means of controls located outside the control room. Refer to Engineering Guidelines for Fire Protection for Turkey Point Units 3 & 4 (Reference 12) for a description of the remote (alternate) shutdown capabilities provided for at Turkey Point.

7.7-3 Revised 09/20/2016

7.7.3 SYSTEM

EVALUATION - HUMAN FACTORS ENGINEERING

7.7.3.1 HFE Program

In response to the requirement of NUREG-0737, Clarificaton item I.D.1 "Control Room Design Review", and supplement 1 to NUREG-0737, FPL established and maintains a Human Factors Engineering program to review the design of the control room and remote shutdown capabilities to identify and correct design deficiencies. The design review was performed following the guidelines of NUREG-0700, "Guidelines for Control Room Design Review" and NUREG-0801, "Evaluation Criteria for Detail Control Room Design Review".

7.7.3.2 Detail Control Room Design Review Implementation

A summary report which outlined the activities performed for the implementation of the Detailed Control Room Design Review was issued on November 1, 1983. This report was prepared following the outline recommended in Section 5.2 of NUREG-0700. This report discusses:

a) The Detailed Control Room Design Review phases.

b) The technical activities.

c) Method of assessments of discrepancies.

d) Method of identification and selection of enhancement and design solutions.

e) Review results of Human Engineering Discrepancies, Human Engineering Discrepancy Assessment, and the selected enhancement and design solutions.

f) Improvements to be made.

g) Schedule of implementation.

7.7-4 Revised 09/20/2016 An overview of the major activities and methods utilized in the Detail Control Room Design Review is presented below:

Technical Approach

The technical approach utilized in the DCRDR included those activities listed below. A detailed discussion of the methodologies and a discussion of the finding, of each of the surveys is included in Section 2.0 of the DCRDR report. o Review of operating experience o Assembly of control room documentation o Review of system functions and task analysis o Surveys - noise - lighting - control room environment - design conventions - controls and displays

- computers - emergency garmets - labeling - annunciators - anthropometrics - force/torque - communications - maintainability o Verification of task performance capability o Validation of control room functions o Assessment of discrepancies.

Each survey report addresses: o Task Objectives - The type of data to be collected or human performance variables under analysis. o Review Team - The personnel required to conduct the task. o Criteria - Generally, the review guidelines appropriate to the evaluation being conducted. o Task Definition - Steps or procedures followed in the conduct of the task.

o Outputs and Results - Task results. These are Human Engineering Discrepancies which may be drawn upon by subsequent tasks (e.g., Task Analysis).

7.7-5 Revised 09/20/2016

Assessment The surveys identified Human Engineering Discrepancies (HEDs). These HEDs were assessed for error inducing potential and the system consequences of the potential error. The means of resolving the HEDs were also reviewed.

The basic assessment process was divided into four steps as follows:

o Assess extent of deviation from NUREG-0700 guidelines o Assess Human Engineering Discrepancy impact on error occurrence o Assess potential consequences of error occurrence o Assign Human Engineering Discrepancy scheduling priority.

Based on the assessment of the HEDs probability of inducing errors a priority for correction was assigned. The HED priority was utilized in the establishment of a backfit schedule.

Implementation

The backfit schedule program for the correction of the HEDs was established based on the following functions: o Human engineering discrepancy priority o Engineering and procurement lead time requirements and constraints o Overall plant outage schedules.

The design solutions and/or enhancements selected for the correction of the HEDs were based on the recommendations of NUREG-0700. o Analysis of correction by enhancement o Analysis of correction by design alternatives o Assess extent of correction.

7.7-6 Revised 09/20/2016 As part of the correction of HEDs several backfit activities, plant change modifications, were implemented. These activities' objectives were to reduce the potential of human errors. Examples of these activities are: the Performance Enhancement Program (PEP) which has improved training drawings and installed more-legible Fiberglass tags on valves, the Visual Instructive Plan which has installed tags throughout the plant which have improved legibility. Panels, 4KV, 480V load center, 480V motor control center, lighting panel, and field component labeling have been modified to include unit color-code information. Additionally the appropriate unit number (i.e. 3 or 4) is used as the first character in the component number.

Emergency Operating Procedures (EOPs) and Off-Normal Operating Procedures (ONOPs) have been reviewed and changed to a new format that will reduce the potential for human error (References 1 to 11). In the new format, procedures are required to be written to the entry-level person, and have less print per page, one action per step, and cautions and warnings before, rather than after the applicable steps. A review also has been made of normal operating procedures (non-emergency) ,

maintenance procedures, health physics, and chemistry procedures, etc, with the intention of making them "user-friendly".

7.7.3.3 DCRDR Implementation Evaluation

The Turkey Point Detailed Control Room Design Review (DCRDR) Program Plan was submitted to the NRC on May 20, 1983. The program plan utilized Supplement 1 to NUREG-0737, NUREG-0700, and NUREG-0801 as the bases for the program development. The Turkey Point DCRDR Summary Report was then submitted on November 1, 1983.

7.7-7 Revised 09/20/2016 The NRC reviewed these reports and provided FPL with a draft Safety Evaluation and Technical Report of the Turkey Point DCRDR on February 2, 1984. This report indicated that a pre-implementation audit would be necessary to resolve the open or confirmatory items identified in the Safety Evaluation. The NRC then conducted the pre-implementation audit of the DCRDR program at Turkey Point on April 2 through 6, 1984.

The results of the NRC audit identified the resolved items and those items requiring additional information. The NRC stated that a meeting would be appropriate to discuss FPL plans, methods, and schedules for submittal of a supplement to the Turkey Point DCRDR Summary Report.

FPL reviewed the requirements of NUREG-0737, Supplement 1 and the operating experience review problems identified and established programs to review and resolve the open or confirmatory items. The Supplemental Summary Report, issued on April 1, 1986 describes the review process. The ten items contained in the supplementary summary report are lised below:

1. Operating Experience Review Problems.
2. LER Review.
3. Task Analysis.
4. HFE Review of Post Control Room Changes.
5. Additional HED Justification.
6. Reverification of Control Room Changes.
7. Reverification of Control Room Changes to Ensure No New HEDs.
8. Future Control Room Changes.
9. Supplemental Summary Report.
10. Integration Into Other Programs.

The methodology utilized in the review and resolution of the open or confirmatory items is contained in the DCRDR Supplemental Summary Report.

7.7-8 Revised 09/20/2016 On April 1, 1986, FPL submitted the Supplemental Summary Report on Turkey Point 3 and 4 DCRDR. A preliminary evaluation of the Supplemental Summary Report by NRC resulted in the identification of concerns regarding completion schedules for proposed DCRDR modifications. FPL responded with a September 3, 1986, submittal outlining the schedule for completion of DCRDR modifications. On December 15, 1986, the NRC transmitted a letter along with the Safety Evaluation of the Supplemental DCRDR report. The NRC concluded that FPL had conducted a comprehensive DCRDR program for Plant Turkey Point which satisfied the requirements of Supplement 1 to the NUREG-0737, item I.D.1.

7.

7.4 REFERENCES

1. NRC Generic Letter 82-33, NUREG-0737 Supplement 1,"Requirements for Emergency Response Capability," dated December 17, 1982.
2. FPL letter to the NRC L-83-237,"Supplement 1 to NUREG 0737 - Generic Letter 82-33," dated, April 15, 1983.
3. NRC Generic Letter 83-22,"Safety Evaluation of `Emergency Response Guidelines'," dated June 3, 1983.
4. NRC Confirmatory Order, "Order Confirming Commitments on Emergency Response Capability," dated February 23, 1984.
5. FPL letter to the NRC L-84-270,"Upgrade Emergency Operating Procedures (EOPs) - Procedures Generation Package," dated October 1, 1984.
6. FPL letter to the NRC L-85-472,"Emergency Operating Procedures Upgrade," dated December 23, 1985.
7. NRC (Office of NRR) letter to FPL, "Modification of Commission Order Dated February 23, 1984," dated December 24, 1985.
8. NRC (Office of NRR) letter to Westinghouse Owner's Group, "Supplemental Safety Evaluation Report by the Office of NRR in the Matter of the Westinghouse Owner's Group Emergency Response Guidelines," dated December 26, 1985.
9. NRC (Div. of Reactor Safety) letter to FPL, "Emergency Operating Procedure (EOP) Inspection Program," dated November 3, 1989.

7.7-9 Revised 09/20/2016

10. NRC (Div. of Reactor Projects) letter to FPL, "Turkey Point Units 3 and 4 - Procedures Generation Package - TMI Action Plan Items I.C.1.2 and I.C.1.3," dated December 15, 1989.
11. NRC Inspection Report No.s 50-250/89-53 and 50-250/89-53, dated March 14, 1990.
12. STD-M-006, Engineering Guidelines for Fire Protection for Turkey Point Units 3 & 4.

7.7-10 Revised 09/20/2016

7.8 MISCELLANEOUS

ALARMS

7.8.1 Design

Basis

Loose Parts Detection System

The loose parts monitor is a non-safety system used to detect unusually high

vibration levels in the primary reactor coolant system. This system will be

utilized to give indication of a possible loose metal part which might

accumulate in one of the steam generators or in the reactor vessel. This

system is strictly for surveillance and performs no safety function. (See

figure 7.8-1)

7.8.2 System

Design

The loose parts metal impact system is comprised of thirteen active and two

spare accelerometers strategically located inside containment: two on the

reactor vessel upper head, two active and two spare at the lower area of the

reactor vessel, two just above the tube sheet on each steam generator, and

one near the feedwater inlet on each steam generator (this accelerometer

monitors the secondary side of the steam generator). Each of these locations

is a natural collection region for a potential loose part. Cable routings for

each pair of sensors monitoring the same general area are physically

separated from each other from the sensor to the control room to provide

redundancy.

7.8.3 Alarm

Indication

Overall system alarm indication is provided by an annunciator window in Panel "G" in 3C06 for Unit 3 and 4C06 for Unit 4. Specific sensor alarm is

indicated at the process rack. The overall system alarm is also input to the

Digital data Processing System.

7.8-1 Rev 4 7/86

7.9 Leading

Edge Flow Meter

7.9.1 Design

and Operation The Turkey Point Extended Power Uprate (EPU) raised the licensed maximum power level to 2644 MWt. The EPU change to the maximum rated thermal power (RTP) included a 1.7% Measurement Uncertainty Recapture (MUR). Modifications required for the MUR portion of the EPU included installation of the Cameron Leading Edge Flow Meter (LEFM) Check Plus system. The use of LEFM for determination of Feedwater (FW) temperature and FW mass flow, results in an overall calorimetric uncertainty of 0.30%. The MUR uprate of 1.7% results from the difference between the original 2% power determination uncertainty (required by 10CFR50 Appendix K) and the LEFM based calorimetric uncertainty of 0.30%. The MUR is based on the following Cameron Topical Reports:

1) ER-80P, "Improving Thermal Power Accuracy and Plant Safety While Increasing Operating Power Level Using the LEFM Check System," dated March 1997 (NRC SER dated March 8, 1999) (Reference 1).
2) ER-160P, "Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check System," dated May 2000 (NRC SER, dated January 19, 2001) (Reference 2).
3) ER-157P, "Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check or Check Plus System," dated October 2001 (NRC SER, dated December 20, 2001) (Reference 3).

The LEFM feedwater flow measurement system is a ultrasonic 8-path transit time flow meter. The LEFM Check Plus system consists of one flow element (meter) installed in each of the three FW flow headers. Each meter has two transit planes which consist of four transit paths. The individual LEFM Check Plus flow elements have been calibrated in a site-specific model test at Alden Research Laboratories with traceability to National Standards. The LEFM flow elements (meters) are installed at specific locations upstream from the existing FW venture nozzles. The resulting piping configurations were explicitly modeled as part of the LEFM meter factor and accuracy assessment testing performed at Alden Research Laboratories. Test data and results for the flow elements are documented in Cameron Engineering Reports ER-748 and ER-752, "Meter Factor Calculation and Accuracy Assessment for Turkey Point 3 and 4 Nuclear Power Plant". (Reference 4).

7.9-1 Revised 04/17/2013 The Calibration factor (also know as the meter factor) and the uncertainty in the calibration factor for the LEFM Check Plus system is based on these Cameron engineering reports.

The LEFM Check Plus system is used for continuous calorimetric power determination by providing FW mass flow and FW temperature input data to the distributed control system (DCS), which is the computer system used for automated performance of the calorimetric power calculations. The LEFM system communicates with the DCS via redundant digital communication links. Individual Steam Generator Heat Rates are calculated in the DCS using the LEFM flow and temperature data along side an independent calculation using the conventional instruments (Feedwater Flow Venturis and Temperatures). The LEFM based Heat Rate data is integrated into appropriate DCS calorimetric display screens to facilitate side-by-side comparison with Heat Rate data based on the conventional instruments. For each steam generator, a correction factor is established to allow operation during a 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> allowed outage time during which the LEFM condition can be corrected. The plant may remain at 100% power using the correction factor times the conventional instrument heat rates (Ventrui Corrected value).

The LEFM Check Plus system incorporates self-verification features to ensure that hydraulic profile and signal processing requirements are met within the site-specific design basis uncertainty analysis contained in the Cameron Report ER-783, "Bounding Uncertainty Analysis for Thermal Power Determination at Turkey Point Units 3 & 4 Using the LEFM Check Plus System." (Reference 5). Critical performance parameters are continually monitored for every individual meter path with alarm set points established to ensure corresponding assumptions in the uncertainty analysis remain bounding. A main control room annunciator is provided for operator notification of LEFM degraded system performance or system failure.

Operability of the LEFM instrumentation is required to support an overall calorimetric uncertainty of 0.30%. Operability requirements and associated action statements are identified below.

7.9.2 Operational

Restrictions Operability of the LEFM instrumentation is required to support an overall calorimetric uncertainty of 0.30%.

7.9-2 Revised 04/17/2013 Limiting Condition for Operation The LEFM instrumentation shown in Table 7.9-1 shall be OPERABLE Applicability: MODE 1 Action: a) With the number of OPERABLE LEFM / Calorimetric instrument channels less than the minimum required by Table 7.9-1, restore the inoperable channels to OPERABLE status or be in compliance with the reduced power limits of Table 7.9-2 within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.

Operation at 2644 MWT may continue within the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> window provided the Venturi Corrected value is selected.

b) If the plant experiences a power change of greater than 2% during the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> period, then power level will be restricted to less than or equal to 2599.0 MWt until the LEFM system is fully OPERABLE.

7.

9.3 REFERENCES

1. Engineering Report, ER-80P, "Improving Thermal Power Accuracy and Plant Safety While Increasing Operating Power Level Using the LEFM Check System," dated March 1997 (NRC SER dated March 8, 1999).
2. Engineering Report, ER-160P, "Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check System," dated May 2000 (NRC SER, dated January 19, 2001).
3. Engineering Report, ER-157P, "Supplement to Topical Report ER-80P: Basis for a Power Uprate with the LEFM Check or Check Plus System," dated October 2001 (NRC SER, dated December 20, 2001).
4. Engineering Reports, Cameron ER-748 and ER-752, "Meter Factor Calculation and Accuracy Assessment for Turkey Point 3 & 4 Nuclear Power Plant," June 2010.
5. Engineering Report, Cameron Report ER-783, "Bounding Uncertainty Analysis for Thermal Power Determination at Turkey Point 3 & 4 Using the LEFM Check Plus System." June 2010.

7.9-3 Revised 04/17/2013 TABLE 7.9-1 LEFM CALORIMETRIC INSTRUMANTATION

Functional Unit Total No. of Channels Minimum Channels Operable LEFM CPU 2 1 LEFM Meter Section (Path 1-4, 5-8) 6 6 Calorimetric portion of DCS 1 1

Revised 04/17/2013 TABLE 7.9-2 REDUCED POWER LIMITS APPLICABLE to INOPERABLE LEFM CALORIMETRIC INSTRUMANTATION Maximum MWt Maximum Power Total Power uncertaintySelected Calorimetric Mode of Operation Description of Inoperable LEFM Calorimetric Instrument 2638.7 99.8% 0.50% LEFM One meter Section (Plane) in any LEFM in "Check Mode" (Level 2 LEFM System Status) 2599.0 98.3% 2.0% Venturi Any LEFM Meter in "Fail Mode" (Level 3 LEFM System Status) or Loss of communication with both LEFM CPUs. 2599.0 98.3% 2.0% ------ Calorimetric Portion of DCS is OOS

Revised 04/17/2013 APPENDIX 7A DISTRIBUTED CONTROL SYSTEM / SAFETY ASSESSMENT SYSTEM /

EMERGENCY RESPONSE DATA ACQUISITION AND DISPLAY SYSTEM The Safety Assessment System (SAS)/Emergency Response Data Acquisition and

Display System (ERDADS), which is implemented in the plant Distributed

Control System (DCS), has been designed to meet the requirements of NUREG-

0696, "Functional Criteria for Emergency Response Facilities," including the

requirements for the Safety Parameter Display System (SPDS). This system

also meets the requirements of NUREG-1394, "Emergency Response Data System (ERDS) implementation."

1.0 DESIGN

BASES

Due to the requirement for obtaining many signals from various safety

systems, the isolation/termination cabinets and the processing cabinets are

seismically qualified to IEEE 344-1975.

The remaining computer and display equipment is not required to be qualified;

and, as it is not part of any safety related system, it is not safety grade.

All equipment located in the control room is mounted to sufficiently restrain

it from affecting any other equipment in the event of an earthquake.

Although not a safety-related system, redundant computer systems are utilized

to meet the reliability requirement in NUREG-0696, "Functional Criteria for

Emergency Response Facilities."

2.0 GENERAL

DESCRIPTION

The Safety Assessment System (SAS)/Emergency Response Data Acquisition and

Display System (ERDADS) which includes the Safety Parameter Display System (SPDS) is a real time computer based Distributed Control System (DCS)

designed to assist control room personnel in evaluating the safety status of

the plant. The SAS/ERDADS aids in the coordinated control of the reactor

during upset conditions while concurrently providing information of concern

to the public. The SPDS includes a set of predetermined electronic displays

designed to yield relevant, timely, accurate, and unambiguous information to

the control room operators, the technical support advisors, and the offsite

public safety officials. The SPDS displays a small but critical subset of

the parameters available in the control room, thus reducing the problems

associated with

7A-1 Revised 01/31/2013 information overload and parameter selection. At the same time, by preselecting and grouping critical parameters for each display, the SPDS

facilitates comprehension of the prevailing plant and public safety

conditions. This is achieved by presenting high-level displays which

summarize plant safety function status, plant system performance, and

radiological and meteorological data. However, detailed information is not

sacrificed. Each display may be examined at an intermediate or subsystem

level as well as at the individual signal level if detailed information is

desired. Finally, the DCS/SAS/ERDADS is also designed to be useful for

normal operations, allowing the operators to become familiar with the

functions during day-to-day operation. By sharing common, near real-time

displays and pre-selected information, operators, technical support staff, and members of the emergency operations facility staff may cooperate

effectively to bring the plant to a safe condition and to assess the

potential impact on public safety.

3.0 SYSTEM

OPERATION

The system consists of six major elements:

1) Plant Process Parameters
2) Signal Isolation and DCS (ERDADS) Input Signal Processing 3) DCS (ERDADS) Data Processing 4) Plant Data Network 5) Data Link Processing 6) Graphic Display/Readout Equipment

See Figure 7A-1 for the Typical DCS/SAS/ERDADS System Configuration.

7A-2 Revised 01/31/2013

4.0 PLANT

PROCESS PARAMETERS The plant process parameters consist of a preselected set of analog and

digital plant signals that are required to assess the plant's overall

condition. The majority of these signals originate from the plant's existing

instrument loops; however, some dedicated instrument loops have been

provided.

Input parameter validation consists of two types of reasonability checks.

First all signals are compared with the sensor range limits. Secondly, whenever redundant input signals are available for a single parameter, cross

checking is performed to identify significant differences between redundant

signals. The presence of suspect input signals are indicated on all displays

containing parameters derived from those signals.

5.0 SIGNAL

ISOLATION

The DCS ERDADS safety related (SR) signals provided for ERDADS use are supplied with SR Foxboro DCS TAs(Termination Assemblies), FBMs (Field Bus Modules), cables and baseplates (qualified for Class 1E service).

6.0 DCS (ERDADS) DATA PROCESSING The Unit 3 and Unit 4 DCS (ERDADS) are completely separate and independent from each other. Redundant pairs of DCS (ERDADS) control processors (CP) are provided for each unit. The CP pairs act in a redundant fashion to provide bumpless transfer to the backup CP upon detection of failure in the master CP. Each CP processes the input data from the associated DCS field input signal modules (analog, digital and pulse), and performs the programmed logic functions to support the graphical displays. The DCS CP pairs communicate in peer-to-peer fashion with each other and with the graphic display workstations via the Plant Data Network.

7A-3 Revised 01/31/2013

7.0 PLANT

DATA NETWORK The Plant Data Network (PDN) is a redundant and diverse Ethernet switched network. It functions as a communication backbone for the plant DCS (ERDADS), allowing peer-to-peer communication between various DCS control processors, workstations, and archiving historians. The PDN network switches are powered from diverse station inverters to avoid single failure impacts.

A SR inverter provides backup power to the Control Room PDN switches.

Isolating fuses provide the SR to NNS boundary. The Unit 3 and Unit 4 PDNs are isolated from each other.

8.0 DATA LINK PROCESSING

SAS/ERDADS has data interface links to communicate with the Eberline

Computer, the Digital Data Processing System (DDPS), Kaye generator monitors, and Inadequate Core Cooling System (QSPDS) computer. These data interface

links are considered as non-nuclear safety related, with the exception of the

qualified fiber optic link/isolation provided between SAS/ERDADS and QSPDS.

In addition to the fiber optic link, several QSPDS inputs are hard wired to

the SAS isolation cabinets. In accordance with the requirements of NUREG-

1394, unit specific data links are provided between the ERDADS computer

output communication server and the NRC Operations Center. This data link, which would be activated during a site emergency, provides a direct near-

real- time transfer of critical data. The Emergency Response Data System (ERDS) data link has been designed to provide the following data which is

necessary to assess the severity of the accident and the potential public

impact: (1) core and reactor coolant system conditions, (2) conditions

inside containment, (3) radioactivity release rates and (4) meteorological

data. The DCS platform is unit specific system architecture. The only

common system interface with the DCS platform will occur at the Technical

Support Center, Operational Support Center and the Emergency Operations

Facility. This is required since the facilities are shared between the units

for the plant emergency plan.

Various data links provide data to the DCS (ERDADS) processor to support information displays and application programs. These data links are comprised of data/information interface for the NRC for the Emergency Response Data System (ERDS), Eberline Computer (Radiation Monitoring), Kaye Generator Monitors, The Qualified Safety Parameters Display System (QSPDS), Data Link Health Status, Annuciator Alarms and the Metrological Data Link which is transmitted serially by fiber optic modems to the computer room DCS (ERDADS).

7A-4 Revised 01/31/2013

9.0 GRAPHIC

DISPLAY/READOUT EQUIPMENT General purpose displays located in the control room, the computer room, the Technical Support Center and the Emergency Operating Facility, provide access to a comprehensive set of system-oriented mimic, tabular and trend displays.

In addition specific user-defined display capability is available. The DCS (ERDADS) and the DCS (SPDS) graphics are displayed on workstation and flat panel display. A continuous calorimetric flat panel display is also provided in the control room. A DCS (SPDS) touch screen display is used as a SPDS graphics navigation tool. The DCS operator workstations display ERDADS information in the Control Room. QSPDS display 3B is mounted in the Operator Console (3C256).

10.0 SYSTEM POWER Power is supplied to the DCS/SAS/ERDADS through four Uninterruptible Power Systems (UPS), which provide redundant supplies to the computer. Each UPS is

comprised of a distribution panel, a static transfer switch, a static

inverter, and a regulating transformer. The UPS ensures that the

DCS/SAS/ERDADS computer installation is not operationally impaired by power

fluctuations or failures.

Single phase, 120 volt, 60 Hz power is supplied to the distribution panels

through primary or alternate feeds by means of static transfer switches. The

primary feeds are two - 20 kVA and two - 10 kVA static inverters that are

powered by the auxiliary power upgrade 125V DC buses. In the event of a

failure in the primary feed, static transfer to the alternate feed is

accomplished. Manual switching is provided for maintenance purposes. The

alternate feeds are from the Condensate Polishing System Motor Control

Center via 480/120 volt, single phase, regulating transformers (two - 10 kVA

and two - 25 kVA). These power supplies are non-safety related.

The DCS ERDADS and PDN systems are powered from sources that collectively provide a robust power supply capable of withstanding a short duration

(<2hours) Loss of Offsite Power (LOOP) coincident with loss of any single panel, inverter, battery, or AC power feed without the interruption of service. This is accomplished by employing NNS station inverters for powering DCS and PDN equipment. Critical components are provided with redundant power feeds and are designed to automatically switch to the redundant source upon loss of one of the power sources. One of the redundant feeds to each of the PDN Zone switches in the Control Room is provided from a Safety Related inverter to provide PDN functionality during an extended LOOP.

Extended LOOP is that period of time after which the NNS batteries have discharged (approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />). This will provide additional DCS (ERDADS) functional capability by having one safety related source powering the PDN Zone switches.

7A-5 Revised 01/31/2013

Retrieved from "https://kanterella.com/w/index.php?title=ML18117A096&oldid=1380735"