ML18117A397
Text
TMI-1 UFSAR CHAPTER 07 7.0-1 REV. 18, APRIL 2006 7.0 INSTRUMENTATION AND CONTROL Instrumentation and control systems include the Reactor Protection System, the Engineered Safeguards Actuation System (ESAS), the Control Rod Drive System (CRDS), the Integrated Control System (ICS), the Nuclear Instrumentation System, the Non-Nuclear Instrumentation System (NNI), the Heat Sink Protection System (HSPS), and the Incore Monitoring System.
The Babcock and Wilcox designed control systems are the Integrated Control System (ICS),
the Non-Nuclear Instrumentation System, and the Control Rod Drive System. The ICS is responsible for automatic or manual control of the reactor (via the control rod drives), the steam generator main feedwater system, the turbine generator (via the turbine generator electrohydraulic control system), and the turbine bypass system, and is thus responsible for primary temperature control and steam generator water level control. In addition to providing visual indications and alarms, the NNI is responsible for automatic or manual control of the pressurizer heaters, pressurizer spray, and pressurizer level control valve, and is thus responsible for primary pressure and primary water level control.
TMI-1 UFSAR CHAPTER 07 7.1-1 REV. 24, APRIL 2018 7.1 PROTECTION SYSTEMS The protection systems, which consist of the Reactor Protection System (RPS), the Heat Sink Protection System (HSPS), and the Engineered Safeguards Actuation System (ESAS), perform important control and safety functions. The protection systems extend from the sensing instruments to the final actuating devices, such as circuit breakers and pump or valve motor contactors.
The RPS, a reactor protection logic system and a control rod drive system, was supplied by Babcock and Wilcox. Both normal and alternate flux, flow, and pressure control signals are supplied by the RPS. All of these outputs are buffered.
7.1.1 DESIGN BASIS The protection systems are designed to sense plant parameters and initiate safeguards actions in the event of abnormal plant parameter values. They meet the requirements of IEEE, Standard 279 (see 7.5, Reference 2).
The RPS is designed to meet all the requirements of the IEEE Standard 279 and the Appendix A General Design Criteria of 10CFR50.
7.1.1.1 Single Failure The protection systems meet the single failure criterion of the proposed IEEE, Standard 279 to the extent that:
- a.
No single component failure will prevent a protection system from fulfilling its protective functions when action is required.
- b.
No single component failure will initiate unnecessary protection system action where implementation does not conflict with the criterion above.
7.1.1.2 Redundancy All RPS functions are implemented by redundant sensors, measuring channels, logic, and actuation devices. These elements combine to form the protection channels as defined in the Technical Specifications.
7.1.1.3 Independence Redundant protection channels are electrically independent and packaged to provide physical separation.
TMI-1 UFSAR CHAPTER 07 7.1-2 REV. 24, APRIL 2018 7.1.1.4 Separation Protection channels are physically separated and are electrically isolated from regulating instrumentation. Only one string of instrumentation may be selected at a given time for use in a system control function, and electrical isolation is assured through the use of isolation amplifiers. Channel identification and separation are as described in Item h of Section 8.2.2.10.
7.1.1.5 Manual Trip Manual trip switches, independent of the automatic trip instrumentation, are provided.
7.1.1.6 Testing Manual testing facilities are built into the protection systems to provide for:
- a.
Precritical testing to give assurance that a protection system can fulfill its required protective functions.
- b.
Online testing to prove operability and to demonstrate reliability.
7.1.1.7 Environment Protection system detectors within the Reactor Building but outside the primary shield are designed for continuous operation in ambient conditions of 40F to 120F, 14.7 psia, and 100 percent humidity. Appendix 6B of theUFSAR addresses requirements for environmental qualification of protection system detectors.
Neutron detectors located in the Reactor Building, supplying flux level information to the RPS, are designed for continuous operation at 212F, 90 percent humidity, and 150 psig.
The reactor protection logic system located in the Control Building, is designed for continuous operation in ambient conditions of 110F and 80 percent humidity. Qualification testing has been completed on all its components. The specific tests conducted, the criteria for the tests, and the results of the tests are shown in Reference 1.
The Control Building heating, ventilation, and air conditioning systems (HVAC) as described in Section 9.8.1 are conservatively designed to provide a suitable environment for the control and electrical equipment.
The redundancy in HVAC equipment assures that no single failure of an active component will prevent proper environmental control.
In the unlikely event of complete loss of all HVAC, due to an Appendix R fire event the maximum ambient temperature expected 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> after the loss of HVAC is shown below for each area of the Control Building:
TMI-1 UFSAR CHAPTER 07 7.1-3 REV. 24, APRIL 2018 Mitigating Action Area Temperature Required CB-FA-2a (480V 1P Switchgear Room)
<120F None CB-FA-2b (480 V 1S Switchgear Room) 117F None CB-FA-2c (Remote Shutdown Panel Room) 91F None CB-FA-2d (1A, 1C, 1E Inverter Room) 115F Open door between Inverter Room and Battery Room within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after loss of HVAC.
CB-FA-2e (1B & 1D Inverter Room) 119F Open door between Inverter Room and Battery Room within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after loss of HVAC.
CB-FA-2f (A&C Battery Room) 99F None CB-FA-2g (B&D Battery Room) 90F None CB-FA-3a (4160V 1D Switchgear Room) 102F None CB-FA-3b (4160V 1E Switchgear Room) 104F None CB-FA-3c (ESAS Cabinet Room) 93F None CB-FA-3d (Relay Room) 103F None CB-FA-4b (Control Room) 102F Manually deenergize one half of the normal Control Room lighting within 1 hr after loss of HVAC.
The failure of control building ventilation during an Appendix R event does not adversely affect safe shutdown in the event of a fire. This has been determined by an evaluation of test data which confirms that the temperature rise in the control building during Appendix R shutdown operation is limited to equipment design limits except for CB-FA-2d, CB-FA-2e, and CB-FA-4b.
In CB-FA-2d, CB-FA-2e, and CB-FA-4b where equipment design temperature limits are exceeded, the compensating actions above limit temperature rises to acceptable levels.
Operators can be relieved as required. Emergency fire procedures identify these preventive actions and the compensatory measures taken. Each safe shutdown system in the Control Building has been reviewed for sensitivity to elevated temperatures and found to have appropriate ratings for the intended service. The loss of the control building ventilation will not challenge these ratings because the equipment total hottest spot temperature limits will not be allowed to be exceeded. However, exceeding these temperature ratings for electrical equipment on a short-term basis would not be expected to cause immediate degradation or failure of the equipment contained in these areas. The buildup of hydrogen gas in the battery rooms will not reach a combustible level during the loss of ventilation. Safe shutdown can be achieved without ventilation and under a concurrent loss-of-offsite-power event. A discussion of the temperature analysis performed is provided in Section 9.8.1.
TMI-1 UFSAR CHAPTER 07 7.1-4 REV. 24, APRIL 2018 7.1.1.8 Seismic The protection systems are designed to function normally both during and after the maximum hypothetical earthquake (MHE). The nuclear instrumentation detectors and all equipment mounted in the nuclear instrumentation reactor protection system cabinets have been dynamically tested and shown to operate normally during excitation in excess of the maximum predicted accelerations at their locations through the frequency range expected during the earthquake. The specific tests conducted, including the results of the tests, are included in Reference 1.
7.1.2 REACTOR PROTECTION SYSTEM The RPS monitors parameters related to safe operation and trips the reactor to protect the reactor core against fuel rod cladding damage. It also assists in protecting against Reactor Coolant System damage caused by high system pressure by limiting energy input to the system through reactor trip action.
7.1.2.1 Design Basis The RPS includes all design basis features of Section 7.1.1 with the following additions:
- a.
Loss of Power A loss of power to an RPS channel will cause the affected protection channel to trip.
- b.
Equipment Removal The RPS initiates a protection channel trip whenever a module or subassembly is removed from the equipment cabinet. Provisions are made in each protection channel to supply an input signal which leaves the channel in a untripped condition for testing and maintenance. It is not possible to place more than one channel in a nontripped state.
7.1.2.2
System Design
- a.
System Logic The system, as shown on Drawing B&W 32835F, consists of four identical protection channels, each terminating in a trip relay within a reactor trip (RT) module. In the normal untripped state, each protection channel functions as an AND gate, passing current to the terminating relay and holding it energized as long as all inputs are in the normal energized (untripped) state. Should any one or more inputs become deenergized (tripped), the terminating relay in that protective channel deenergizes (trips). Thus, for the trip signals, each protective channel becomes an OR gate.
Each of the four protection channels terminates in a channel trip relay within a reactor trip module. There are four such modules. Each protective channel trip relay has four contacts, each controlling a logic relay in one reactor trip module. Therefore, each reactor trip module has four logic relays controlled by the four protection channels. The
TMI-1 UFSAR CHAPTER 07 7.1-5 REV. 24, APRIL 2018 four logic relays combine to form a 2 out of 4 coincidence network in each reactor trip module. The coincidence logics in all reactor trip modules trip whenever any two of the four protection channels trip.
The reactor trip modules are given the same designation as the protection channel whose trip relay they contain and in whose cabinet they are physically located. Thus, the protection channel A reactor trip module is located in protection channel A cabinet, and so forth (see Drawing B&W 32835F). The coincidence logic in each reactor trip module controls one or more breakers in the control rod drive power system.
The coincidence logic contained in the RPS channel A RT module controls breaker A in the control rod drive system as shown on Drawing B&W 32835F, channel B RT module controls breaker B, channel C Reactor Trip (RT) module controls breaker C, and channel D RT module controls breaker D. Breakers A and C are placed in series in one parallel path, and breakers B and D are in series in the other parallel path. All the 3-phase primary power to the rod drives is via these parallel paths.
The control rod drive circuit breaker and contactor combinations that initiate a reactor trip can best be stated in logic notation as:
AB or AD or BC or CD This is a 1 out of 2 logic used twice and is referred to as a 1 out of 2 x 2 logic. When any 2 out of 4 protection channels trip, all reactor trip module logics trip, commanding all control rod drive breakers to trip.
The undervoltage coils of the control rod drive breakers receive their power from the protection channel associated with each breaker. The manual reactor trip switch is interposed in series between each RT module logic and the assigned breaker's undervoltage coil.
As a backup to the breaker's UV coil trip, the breaker's shunt trip coil is energized by action of a voltage sensing relay which operates when a trip is initiated via the RPS logic.
- b.
Summary of Protective Functions The four RPS protective channels are identical in their functions, which combine in the system logic to trip the reactor automatically and protect the reactor core for the following conditions:
- 1)
When the reactor power, as measured by neutron flux, exceeds a fixed maximum limit.
- 2)
When the reactor power, as measured by neutron flux, exceeds the limit set by the reactor coolant flow and power imbalance.
- 3)
When the reactor power exceeds the limit set by the number and combination of reactor coolant pumps in operation.
TMI-1 UFSAR CHAPTER 07 7.1-6 REV. 24, APRIL 2018
- 4)
When the reactor outlet temperature exceeds a fixed maximum limit.
- 5)
When a specified reactor pressure-outlet temperature relationship is exceeded.
- 6)
When the reactor pressure falls below a fixed minimum limit or exceeds a fixed maximum limit.
- 7)
When Reactor Building pressure exceeds a fixed maximum limit.
In addition to the above protective trips, an anticipatory trip has been added to the RPS to trip the reactor on loss of both main feedwater pumps or a main steam turbine trip.
The abnormal conditions that initiate a reactor trip are keyed to the above listing and tabulated in Table 7.1-1.
- c.
Description of Protection Channel Functions The functions of the RPS described below apply to each protection channel.
- 1)
Overpower The nuclear instrumentation provides a linear neutron flux signal in the power range as an indication of reactor power to a protection system bistable trip module.
When the neutron flux signal exceeds the trip point of the bistable, the bistable trips, deenergizing the associated protection channel trip relay.
- 2)
Power Imbalance/Flow Trip Neutron flux and the reactor coolant flow are continuously monitored. A linear neutron flux signal is received from the nuclear instrumentation and a total reactor coolant flow signal is received from the flow tubes. A power level trip setpoint is established for a bistable trip module as the percentage reactor coolant flow rate multiplied by 1.08 minus reduction due to imbalance such that the four pump power imbalance boundaries on Figure 7.1-2 are not exceeded.
Less than four pump power imbalance protection is provided by the power level trip setpoint decrease because of flow decrease. When the neutron flux signal exceeds the power level trip setpoint established by the total reactor coolant flow and the reactor power imbalance, the bistable trips, deenergizing the associated protection channel trip relay.
- 3)
Power/Reactor Coolant Pumps Trip The reactor coolant pump power is monitored to determine that the pumps are running. Loss of a single pump initiates four independent signals, one to each protection channel. This information is received by a pump monitor logic which counts the number of reactor coolant pumps in operation and identifies the coolant loop in which the pumps are operating. The pump monitor logic output
TMI-1 UFSAR CHAPTER 07 7.1-7 REV. 24, APRIL 2018 controls the trip point of a power/pump comparator and initiates a protection channel trip for the conditions in Table 7.1-1.
- 4)
Reactor Outlet Temperature Trip The reactor outlet temperature is measured by resistance elements. The bridge for each resistance element is considered a part of, and is located within, its associated protection system channel.
The reactor outlet temperature signal from the temperature bridge passes through a signal converter and then is applied to a bistable trip module. When the temperature exceeds the trip point of the bistable, the bistable trips, deenergizing the channel trip relay.
- 5)
Pressure-Temperature Trip Figure 7.1-3 shows the operating reactor coolant pressure-temperature boundaries formed by the combined reactor high temperature, high reactor coolant pressure, low reactor coolant pressure, and pressure temperature comparator trip settings. The pressure-temperature comparator bistable (variable low pressure trip setpoint) trips whenever the specified reactor pressure-outlet temperature relationship is exceeded. The comparator forms the boundary line A-B shown on Figure 7.1-3.
The variable low pressure trip (VLPT) illustrated in Figure 7.1-3 is the Limiting Safety System Setting (LSSS). The Nominal VLPT setpoint installed on the RPS hardware provides additional margin to the LSSS. The Nominal VLPT setpoint and associated as-found/as-left acceptance criteria for surveillance testing were developed in accordance with the methods described in Reference 20.
- 6)
Reactor Pressure Trip The reactor coolant pressure signal from the pressure transmitter is received by a buffer amplifier module in the associated protection channel. This module acts as a signal conditioner and isolation unit.
Pressure signals go to a high pressure bistable trip module and a low pressure trip module. When the pressure exceeds the trip point of the high pressure bistable, the bistable trips, deenergizing the protection channel trip relay.
The low pressure bistable trips when the pressure falls below the trip point, tripping the protection channel trip relay.
The RPS high pressure trip setpoint is 2355 psig. The basis for raising the setpoint from 2300 psig to 2355 psig is provided in Reference 14. The requirements for limiting the frequency of PORV openings and limiting the probability of a SBLOCA due to a stuck open PORV (NUREG-0737, II.K.3.7 and II.K.3.2) are maintained on the basis that even though raising the high pressure trip setpoint will result in a small increase in the probability of opening the PORV, the increase is insignificant compared to the total openings of the PORV from all
TMI-1 UFSAR CHAPTER 07 7.1-8 REV. 24, APRIL 2018 events. This setpoint change reduces the frequency of reactor trips and therefore contributes to overall plant safety as well as plant availability.
- 7)
Reactor Building Pressure Trip Each of the four protection channels receives Reactor Building pressure information from an independent pressure switch. A contact buffer in each protection channel continuously monitors the state of the associated pressure switch. When the state of the pressure switch changes to that corresponding to a Reactor Building pressure exceeding the trip point specified in Table 7.1-1, the contact buffer deenergizes the protection channel's trip relay.
- 8)
Anticipatory Trip (Turbine Trip or FW Pump Trip)
Redundant non nuclear safety related pressure switches have been installed in the hydraulic oil systems for the main turbine and feedwater pumps to provide signals for anticipatory trip of the reactor. These signals are connected through contact buffers to corresponding channels in the RPS to satisfy the 2-out-of-4 reactor trip logic. Redundancy of the pressure switches and isolation between the non nuclear safety related pressure switch circuits and the 1E RPS circuits provide for a nuclear safety related system (Reference 13).
- d.
Availability of Information The modules, logic, and analog equipment associated with a single protection channel are contained wholly within two RPS cabinets. Within these cabinets, there is a meter for every analog signal employed by the protection channel and a visual indication of the state of every logic system. At the top of one cabinet, and easily visible at all times, is a protection channel status panel. Lamps on this panel give a quick visual indication of the trip status of the particular protection channel and of the RT module associated with it. Additional lamps on the panel give visual indication of a bypass or fan failure. Lamps have also been installed at the top of the RPS cabinets to indicate the status of the bypass bistable for reactor trip on loss of main feedwater pumps or main turbine trip.
In addition to the visual indications and readouts within the protection channel cabinets, each trip function, power supply, and analog signal may be monitored by the plant computer. Trip actions are sequence-recorded in the plant computer. Such sequencing permits the operator to identify readily the protection channel trip actions. Process instrumentation including power, flow, temperature, and pressure is indicated on the main control console.
Plant annunciator windows provide the operator with immediate indications of changes in the status of the RPS. The following conditions are annunciated for each RPS channel:
- 1)
Channel trip
- 2)
Failure of power range detector power supply
- 3)
Shutdown bypass
- 4)
Channel bypass
TMI-1 UFSAR CHAPTER 07 7.1-9 REV. 24, APRIL 2018 7.1.2.3 System Evaluation
- a.
System Logic The RPS is a four channel, redundant system in which the four protection channels are brought together in four identical 2 out of 4 logic networks of the RT modules. A trip in any two of the four protection channels initiates a trip of all four logic networks. The system to this point has the reliability and advantages of a pure 2 out of 4 system.
Each of the reactor trip modules (2 out of 4 logic networks) controls a control rod drive breaker. Thus, a trip in any two of the four protection channels initiates a trip of all the breakers. The power breakers, however, are arranged in what is effectively a 1 out of 2 x 2 logic (see Drawing B&W 32835F). This system combines the advantages of the 2 out of 4 and the 1 out of 2 x 2 systems, while eliminating some of the disadvantages of the 1 out of 2 x 2 system alone. The combination results in a system that is considered superior to either of the basic systems alone.
In evaluating system performance, it is arbitrarily assumed that failure can either prevent a trip from occurring or initiate trip action.
The redundant RPS input operates in a true 2 out of 4 logic mode so that the failure of an input leaves the system in either a 2 out of 3 or a 1 out of 3 logic mode, with either state providing sufficient redundancy for reliable performance.
The system can tolerate several input function failures without a reduction in performance capability provided the failures occur in unlike variables in different protection channels, or are of a different mode in different protection channels, or all occur within one protection channel. When a single protection channel fails, the system is left in either a 2 out of 3 or 1 out of 3 logic mode, as explained below.
The protection channel trip relay of each channel is located in a reactor trip module associated with each channel. Within each reactor trip module is a logic relay for each protection channel. These combine in each module to form the 2 out of 4 logic. A failure mode and effects analysis of the reactor trip module has demonstrated that single failures within the module or in its interconnections can produce only the following effects:
- 1)
Trip the breaker associated with the module
- 2)
Place the system in a 2 out of 3 mode, as if the associated protection channel had suffered a cannot trip failure.
- 3)
Place the system in a 1 out of 3 mode, as if the associated protection channel had tripped.
The combination of reactor trip modules and control rod drive breakers form a 1 out of 2 x 2 logic. At this level the system will tolerate a cannot-trip type of failure of one reactor trip module, or of the breaker associated with one reactor trip module without degrading the system's ability to trip all control rods. The failure analysis demonstrates that no
TMI-1 UFSAR CHAPTER 07 7.1-10 REV. 24, APRIL 2018 single failure involving a reactor trip module will prevent its associated breakers from opening.
- b.
Redundancy The redundancy of the RPS could be demonstrated by physically removing all the components associated with a single protection channel. Doing so would have all the remaining components and protective channels operational in a 1 out of 3 system.
- c.
Electrical Isolation All signals leaving the RPS are isolated from the system either by the use of isolation amplifiers for analog signals or by relay contacts (in the case of digital signals). The effect of this isolation is to prevent faults occurring to signal lines outside the RPS cabinets from being reflected into more than one protection channel. The isolation thus provided also assures that two or more protection channels cannot interact through the cross-coupling or faulting of related signal lines.
Faults such as short, open, or grounded circuits and cross connections of analog output signals from two or more channels have no effect upon the protection channels or their functions.
- d.
Periodic Testing and Reliability The use of 2 out of 4 logic between protection channels permits a channel to be tested online without initiating a reactor trip. Maintenance to the extent of removing and replacing any module within a protection channel may also be accomplished in the online state without a reactor trip.
To prevent either the online testing or maintenance features from creating a means for unintentionally negating protection action, a system of interlocks initiates a protection channel trip whenever a module is placed in the test mode or is removed from the system. Provisions are made in each protection channel to supply an input signal which leaves the channel in a nontripped condition for testing or maintenance.
The test scheme for the RPS is based upon the use of comparative measurements between like variables in the four protection channels and the substitution of externally introduced digital and analog signals as required, together with measurements of actual protective function trip points. A digital voltmeter is provided for making accurate measurements of trip point and analog signal voltages.
Online testing may be performed at different intervals and levels within the system consistent with satisfactory system reliability characteristics. The reliability of the system for random failures has been assured by careful selection of components, failure testing of logic elements, environmental testing of the system's modules, and long term prototype proof-testing with the Babcock & Wilcox Test Reactor (B&WTR), as described in Reference 1.
The reliability of the system logic, primarily the relays and coincidence networks in the RT modules, has been made very high so as to eliminate the need for frequent tests of
TMI-1 UFSAR CHAPTER 07 7.1-11 REV. 24, APRIL 2018 the logic. The logic relays are of two classes: one class designed for high speed, light electrical loads, and more than 107 operations under load; and the other class for switching electrical loads of up to 10 amperes and more than 106 operations.
Confirmation tests of operational reliability of these two types of relays, operated under load as they are used in the RPS, have been performed with no sign of failure or wear to 5 x 106 and 1.2 x 106 operations, respectively.
The system test scheme includes frequent visual checks and comparisons within the system on a regular schedule in which all protection channels are checked at one time, together with less frequent electrical tests conducted on a rotational plan in which tests are conducted on different protection channels at different times.
A regular check of all RPS indications is required. The check includes comparing the value of the analog variables between protection channels and observing that the equipment status is normal. In addition, power-range protection channel readings are compared with a thermal calculation of reactor power.
These checks are designed to detect the majority of failures that might occur in the analog portions of the system as well as the self-annunciating type of failure in the digital portions of the system. The electrical tests are designed to detect more subtle failures that are not self-evident or self-annunciating and are detectable only by testing.
Electrical tests are conducted on a rotational basis, periodically, in accordance with the technical specifications.
Rotational testing has several advantages. It significantly reduces the probability of system failure as compared to testing all protective channels at one time. It also reduces the chance of systematic errors entering the system.
- e.
Physical Isolation The need for physical isolation has been met in the physical arrangement of the protective channels within separate cabinets and wiring within the cabinets separating power and signal wiring so as to reduce the possibility of some physical event impairing system functions. The systems sensors are separated from each other. There are four pressure taps for the reactor coolant pressure measurements to reduce the likelihood of a single event affecting more than one sensor. Outside the RPS cabinets, vital signals and wiring are separated and physically protected to preserve protection channel independence and maintain system redundancy against physical hazards.
Design criteria for physically locating instrumentation transmitters associated with the RPS or the ESAS are as follows:
- 1)
Redundant transmitters sensing reactor coolant pressure are located outside the secondary shield wall on opposite sides, resulting in a separation of at least 35 feet.
- 2)
No single physical event will result in the loss of both redundant transmitters.
Reactor coolant flow transmitters for each loop are also located outside the secondary shield, separated from the reactor coolant pressure transmitters by the operating floor.
TMI-1 UFSAR CHAPTER 07 7.1-12 REV. 24, APRIL 2018
- 3)
Reactor Building pressure transmitters and pressure switches associated with ESAS operation are located outside the Reactor Building, with separate sensing lines and building penetrations for each of the three devices.
- f.
Primary Power The primary source of 120 Vac power for the RPS comes from four vital buses, one for each protection channel, as described in Chapter 8.
- g.
Manual Trip Manual trip may be accomplished from the control console by a trip switch. This trip is independent of the automatic trip system. Power for the control rod drive breakers' undervoltage coils comes from the RT modules. The manual trip switches are between the reactor trip module output and the breaker undervoltage coils. Opening of the switches opens the lines to the breakers, tripping them. There is a separate switch in series with the output of each reactor trip module. All switches are actuated through a mechanical linkage from a single pushbutton.
- h.
Bypassing Each protection channel is provided with two key-operated bypass switches, a channel bypass switch and a shutdown bypass switch.
The channel bypass switch enables a protection channel to be bypassed for maintenance purposes. Actuation of the switch initiates a visual alarm on the main console which remains in effect during any channel bypass. The key switch will be used to bypass one protection channel during online testing. Thus, during online testing the system will operate in 2 out of 3 coincidence. The key switches are interlocked in such a way that if one is in the bypass position, placing another in its bypass position will have no effect.
An RPS channel that is rendered inoperable by an associated equipment failure is typically bypassed in order to remove that channel from service. This places the RPS in a 2-out-of-3 Iogic for reactor trip actuation. If the equipment failure cannot be repaired during power operations, the RPS may be required to operate in this configuration for an extended period of time. This requires that prior to performing testing on another RPS channel; the channel to be tested must be placed in a tripped condition while the inoperable channel remains bypassed. This places the RPS in a 1-out-of-2 logic. This approach to testing is allowed since the redundancy requirements of Technical Specifications Table 3.5-1 are maintained. In this configuration, the RPS can still perform its safety functions in the event of a single channel failure. This is consistent with NUREG-1430 (Standard Technical Specifications - Babcox and Wilcox Plants) and is acceptable per TMI-1 Technical Specifications Amendment #189 and the conclusions of the associated NRC Safety Evaluation Report (See Section 7.5, Reference 22).
Testing of the inoperable channel would normally continue to be performed with that channel bypassed.
TMI-1 UFSAR CHAPTER 07 7.1-13 REV. 24, APRIL 2018 The shutdown bypass switch enables the power imbalance/flow, power pump, low pressure, and pressure temperature trips to be bypassed, allowing control rod drive tests to be performed after the reactor has been shutdown and depressurized below the low reactor coolant pressure trip point. To prevent operation at normal operating pressure without the protection that could otherwise be bypassed by means of the shutdown bypass switches, an additional bistable is employed in the shutdown bypass circuitry for each protection channel. If the shutdown bypass switch in a protection channel is in the bypass position, the bistable will trip the channel if the reactor coolant pressure exceeds 1720 psig nominal. The initiation of a shutdown bypass requires that the associated trip bistable first be manually reset.
A bypass arrangement has been provided to allow for startup and normal shutdown of the main turbine. The main turbine trip bypass may be placed in effect when reactor power is less than 45 percent. The bypass will be removed when reactor power is increased above 45 percent.
A bypass arrangement has been provided to allow for startup and normal shutdown of the feedwater pumps. Bypass of the feedwater pump trip signal may be placed in effect when reactor power is less than 7 percent. The bypass will be removed when reactor power is raised above 7 percent. The bypass function is accomplished individually in each of the four channels by means of bistables which monitor the power range nuclear instrumentation. The additional modules required in the reactor protection system are the same safety grade equipment type used in the original system.
A lamp on each protection channel status panel indicates the bypass status of the associated protection channel (see Item d of Section 7.1.2.2).
7.1.3 ENGINEERED SAFEGUARDS ACTUATION SYSTEM The ESAS monitors parameters to detect loss of integrity in the Reactor Coolant System pressure boundary and initiates operation of the high and low pressure injection systems, the Reactor Building isolation, the Reactor Building Cooling, and the Reactor Building Spray System. In addition, the signal is used to start the Emergency Diesel Generators and to control load sequencing. The devices actuated by the ESAS are listed in Table 7.1-2.
7.1.3.1 Design Basis The design basis for the system includes the items of Subsection 7.1.1 with the following additions:
- a.
Loss of Power
- 1)
The loss of vital bus power in the instrument strings will initiate a trip of that portion of the logic associated with the affected instrument string.
- 2)
The loss of any one vital bus which powers the system logic will not initiate system actuation. The loss of two of the three buses used, however, will actuate all engineered safeguards except the Reactor Building Spray Systems.
- b.
Equipment Removal
- 1)
Removing modules from an instrument string will initiate a trip in that portion of the logic associated with the affected instrument string.
TMI-1 UFSAR CHAPTER 07 7.1-14 REV. 24, APRIL 2018
- 2)
Removing logic modules from one protective channel does not prevent any other protective channel from initiating system action.
- c.
Environment
- 1)
All signal conditioning and bistable modules used in the ESAS are identical to the modules used in the RPS, and their environmental qualifications are described in Section 7.1.1.7.
- 2)
DC relays were tested to assure their operability in an ambient temperature of 140oF and 100 per percent relative humidity for a period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
- 3)
AC relays were tested to assure their operability in an ambient temperature of 120oF and 90 per percent relative humidity.
- d.
Seismic
- 1)
All signal conditioning and bistable modules used in the ESAS are identical to the modules used in the RPS, and their seismic qualifications are described in Section 7.1.1.8.
- 2)
The original fully assembled ESAS relay cabinets were seismically tested to ensure their operability during and after either a Safe Shutdown Earthquake (SSE) or a design earthquake. Subsequent modifications to the relay and actuation cabinets were evaluated analytically in accordance with the site-specific seismic response spectra provided in ES-022T and the guidance of the Generic Implementation Procedure (GIP).
- e.
Bypass/Defeat
- 1)
The ability to bypass Low RCS Pressure actuation prior to reaching the actuation set-point is provided in the control room for normal shutdown.
- 2)
Control of Emergency Core Cooling System, Reactor Building Emergency Cooling and Reactor Building Spray equipment following an actuation may be regained from the control room by bypassing or defeating the appropriate actuation signal.
7.1.3.2
System Design
- a.
System Logic The Reactor Coolant pressure and Reactor Building pressure have been selected as parameters to initiate engineered safeguards action. Pressure of 1600 psig or 500 psig in the Reactor Coolant System, and 4 psig or 30 psig in the Reactor Building are the levels at which core injection and engineered safeguards actuation are initiated. These are hereinafter referred to as levels of protection. Each parameter is measured by three sensors, except for the Reactor Building Spray System, which is described in Item c.4) of Subsection 7.1.3.2.
The output signal of each sensor is monitored for each level of protection by a bistable which has two output relays, one for each of two channels.
TMI-1 UFSAR CHAPTER 07 7.1-15 REV. 24, APRIL 2018 Typical channels are shown on Figure 7.1-4. The six channels of one level of protection are used to make two redundant actuation systems. Each actuation is made by combining the contacts of the output relays of three channels, having separate initiating bistables, in as many 2 out of 3 matrices as there are engineered safeguards auxiliaries required to operate at that level of protection.
- b.
Summary of Protective Action Actions initiated by the ESAS are summarized in Table 7.1-2.
- c.
Description of Protection Channels
- 1)
High Pressure Injection and Loading Sequence (See Figure 7.1-4.)
Referring to one of three transmitters, a signal proportional to the reactor coolant pressure is applied to a bistable (BT1) and to a bypass bistable (BT2). The design of engineered safeguards bistables is such that when the reactor coolant pressure is above the setpoint and control power is available, a bistable interposing relay is energized.
The bypass enabling contact of the bypass bistable, however, closes when the pressure is below its setpoint and control power is available. This permits manual bypass for normal shutdown.
High pressure injection is initiated by de-energizing the multiple contact output relays constituting loading sequence block 1, in two out of the three channels.
The multiple contact output relays can be de-energized by the manual actuation relay, by their related test contact, and by an "OR" function made up of contacts which open when the reactor coolant pressure is below 1600 psig, the Reactor Building pressure exceeds 4 psig, or the reactor coolant pressure is below 500 psig, respectively.
A similar "OR" function is used in an "AND" configuration with a contact from the corresponding safeguards 4160V bus 2 out of 3 undervoltage scheme to deenergize the timed output relays of blocks 2, 3, and 4.
De-energizing output relays of blocks 1, 2, 3, and 4 in two of the three channels will start, in sequence, the equipment indicated in Table 8.2-11.
Motor-driven Emergency Feedwater pumps are prevented from starting during a 4160V bus undervoltage. If an auto-start signal is present from HSPS, a time delay relay scheme starts them five seconds after bus voltage is regained if no ESAS signal is present. If an ESAS signal, and an HSPS auto-start is present, the Motor-driven Emergency Feedwater pumps are started five seconds after the completion of block 4. This load is referred to as block 5.
TMI-1 UFSAR CHAPTER 07 7.1-16 REV. 24, APRIL 2018 The sequence of automatically started equipment in response to a safeguards initiation is the same whether offsite power is available or not. However, with offsite power available, any automatically started equipment running prior to safeguards initiation is not load shed but continues to run as required. Also, with offsite power available, the sequencing of automatically started equipment is not delayed by the 10 seconds required for the diesel generator to come up to speed and voltage, but begins immediately. Refer to FSAR Section 8.2.3 for a more detailed description of Diesel Generator Loading.
- 2)
Low Pressure Injection The channels of low pressure injection are equipped with bistables similar to those used for high pressure injection but which are adjusted to actuate at a lower setpoint. The output of the bistables will deenergize the same output relay as the high pressure injection bistables at 500 psig.
- 3)
Reactor Building Isolation and Cooling The channels of Reactor Building isolation and cooling are similar in design to the channels of high pressure injection and loading sequence except for the bistable and bypass circuit. When the Reactor Building pressure is below setpoint and control power is available, the bistable interposing relay is energized to reset state by means of the bypass pushbutton. A subsequent loss of power or rise in Reactor Building pressure above setpoint will de-energize the relay.
A continuous bypass of a channel is possible only after a 2 out of 3 actuation.
De-energizing the output relays of two out of three channels initiates Reactor Building isolation, starts Reactor Building cooling, and opens valves required for Reactor Building spray.
a)
Reactor Building Isolation The TMI-1 restart report imposed additional requirements for Reactor Building isolation, to deal with events of a magnitude where the Reactor Building setpoint was not reached.
In order to cover a broader spectrum of events for which containment isolation is desirable, the reactor trip signal is used as a diverse containment isolation signal. Because a reactor trip signal occurs on low reactor coolant pressure (1900 psig), it is anticipatory of ESAS and occurs prior to ESAS initiation (1600 psig).
In addition, individual high radiation signals will be used to prevent releases outside of the containment from:
(1)
Reactor Building sump drain (2)
Reactor Coolant System letdown line (3)
Reactor coolant drain tank vent
TMI-1 UFSAR CHAPTER 07 7.1-17 REV. 24, APRIL 2018 (4)
Reactor Building purge (5)
Reactor coolant sample lines (6)
Steam Generator sample lines (7)
Reactor coolant pump seal return (alarm only)
(8)
Intermediate closed cooling water (alarm only)
(9)
Reactor coolant drain tank pump discharge Closure of these paths by a signal that is not dependent on building pressure assures that there will be no uncontrolled release of radioactivity from the containment for design basis events.
A system feature to detect a break of the Nuclear Services Closed Cooling or Intermediate Closed Cooling Water System and isolate this path independently of the 30 psig isolation was added.
b)
Isolation and Cooling System Configuration and Essential Features The system configuration is diverse, therefore the probability of containment isolation when needed is very high. Various actions, such as override, have been provided which require operator action. Operator action to reopen selected containment isolation valves will be required after the signal override has been accomplished. Key operated permissive switches, where required, indications, and alarms are provided in the Control Room in a consistent manner.
(1)
Reactor Building Partial Isolation on Reactor Trip Reactor trip signals from the RPS are used to actuate the ESAS to isolate specific valves.
These valves are actuated closed by either 4 psig signal or reactor trip signal. A defeat circuit is provided for the reactor trip signal to allow valve operation during plant shutdown. The defeat circuit is enabled after reactor trip.
(2)
Reactor Building Isolation and RB Spray Alignment Reactor Building isolation takes place at the 4 psig level of protection. This level initiates Reactor Building isolation, and opens all valves required for Reactor Building Spray.
TMI-1 UFSAR CHAPTER 07 7.1-18 REV. 24, APRIL 2018 (3)
Reactor Building Partial Isolation on 30 psig Selected valves serving the Reactor Coolant Pumps are to close on 30 psig Reactor Building pressure only.
(4)
Reactor Building Emergency Cooling A low reactor coolant pressure signal (1600 psig) or a 4 psig Reactor Building pressure signal will initiate automatic start of the Reactor Building emergency cooling system and isolation of the Industrial Water Cooling System water to RB normal cooling coils.
(5)
Reactor Building Partial Isolation on High Radiation Lines which could transfer high levels of radiation from either the Reactor Coolant System or the Reactor Building are individually monitored to detect high levels of radiation and initiate closure of the associated isolation valves. This isolation system is not part of the ESAS.
(6)
Partial Isolation on NSCCW and ICCW Line Break The fluid levels in the Nuclear Services Closed Cooling and Intermediate Closed Cooling surge tanks are monitored. A low surge tank level, coincident with high pressure injection actuation, will initiate closing of specific valves.
- 4)
Reactor Building Spray Reactor Building spray is initiated by starting the pumps at 30 psig in the Reactor Building. This is achieved by sensing the Reactor Building pressure with two sets of three pressure switches. Each set of three pressure switches, which are wired in a two out of three matrix, controls the closing coil of the circuit breaker of one spray pump.
- d.
Availability of Information All system analog signals are indicated at the system cabinets and are monitored by the unit computer. Indicating lights on the relay cabinets monitor normal status of each relay. Emergency status of the output relays is indicated on the Control Room safeguards panel. The status of all auxiliaries required during an emergency is monitored on the Control Room safeguards panel. Selected alarm conditions of safeguards equipment are indicated on the Control Room annunciator. Process information is displayed on the Control Room console.
Indicating lights located on the Control Room console provide the operator with the following information regarding the status of each channel of high pressure injection and loading sequence and each channel of low pressure injection:
TMI-1 UFSAR CHAPTER 07 7.1-19 REV. 24, APRIL 2018
- 1)
Channel bypass permit
- 2)
Bypass reset permit
- 3)
Channel bypassed
- 4)
Engineered safeguards bistable tripped
- 5)
Protective function fully enabled
- 6)
Bypass reset Similarly, the following information is available for each channel of Reactor Building isolation and cooling:
- 1)
Engineered safeguards bistable tripped
- 2)
Protective function fully enabled
- 3)
Channel protective function enabled
- 4)
Post actuation defeat permit
- 5)
Channel defeated 7.1.3.3 System Evaluation
- a.
System Logic The ESAS is a basic three channel redundant system employing 2 out of 3 coincidence between measured variables. It will tolerate the failure of one of the three channels without losing the ability to perform its assigned functions.
Diversity in measured variables is provided to actuate the Emergency Core Cooling System by using reactor coolant pressure and/or Reactor Building pressure.
The reliability of the 2 out of 3 logic is maintained by providing a separate 2 out of 3 matrix for each safeguards auxiliary.
The system will tolerate failure of one out of three variables in either the reactor coolant pressure measurements or the Reactor Building pressure measurements without losing its ability to perform in complete accordance with design. The two systems are independent and each will tolerate a single failure.
Provision has been made for test and bypass of each bistable independently as described in items d. and f., respectively, of Subsection 7.1.3.3. Testing of each bistable will be accomplished by analog signal insertion. It is not possible to test and bypass more than one bistable at a time without initiating an engineered safeguards actuation. No single failure in these circuits will cause any loss of system function.
Physical and electrical isolation is maintained between channels where single failure could cause loss of protection.
TMI-1 UFSAR CHAPTER 07 7.1-20 REV. 24, APRIL 2018
- b.
Electrical Isolation The use of isolation amplifiers will effectively prevent any faults (shorts, grounds, or cross connection of signals) on any analog signal leaving the system from being reflected into or propagating through the system. The direct connection of any analog signal to a source of electrical power can, at most, negate information from the measured variable involved. A deenergize to actuate design does not require an isolated power supply. To prevent false actuation because of a single power supply failure, each transmitter and its associated bistables and channels are connected to separate vital buses.
- c.
Physical Isolation Physical isolation is provided between transmitters and associated bistables monitoring the same parameter. Each of the six channels of a level of actuation is physically isolated from the others up to the point where the 2 out of 3 matrices are formed.
Complete separation exists between the 2 out of 3 matrices of different actuations.
- d.
Periodic Testing and Reliability The ESAS is designed to be tested any time during plant operation or shutdown without requiring any defeat of its protective functions and fully complies with the requirements of the IEEE Standard 279(see 7.5, Reference 2).
The pressure sensors are periodically checked by comparing their output signals with the output signal of similar sensors monitoring the same parameter.
The bistables may be tested one at a time by substitution of signals at the isolation amplifier, allowing accurate adjustment of the setpoint. The two channels originating from one bistable will be tripped each time their initiating bistable is tested, assuring that protective action cannot be defeated.
A test switch associated with each engineered safeguards bistable which will permit demonstrating the bistable's capability to trip its associated channels.
Testing of the matrices is accomplished by actuating the auxiliaries they control.
The ESAS equipment associated with each actuation which can be tested simultaneously during power operation is grouped in specified test groups. The actuation channels output relays, which control the ESAS equipment, are similarly grouped in specified test groups.
A test circuit is provided, with control on the Control Room safeguard panel, to allow deenergization of a preselected test group of output relays of two channels of the same level of protection and of the same actuation. It yields a true 2 out of 3 actuation in the control circuit of each of the auxiliaries controlled by the preselected output relays. All output relays may be deenergized in the same manner in order to test the complete ESAS.
TMI-1 UFSAR CHAPTER 07 7.1-21 REV. 24, APRIL 2018 The testing of the Reactor Building pressure switches is accomplished by solenoid valve actuation from the Control Room safeguard panel. Instrument air at 30 psig is injected into the sensing line to the switch being tested. In the sensing line between the pressure switch and Reactor Building atmosphere is an excess-flow check valve which permits free flow in the direction from the Reactor Building to the switch, but will check closed at a specified rate of reverse flow. Upon introduction of the instrument air into the sensing line, this device closes and the switch is pressurized and actuates.
Deenergizing the solenoid valve cuts off the air, and a calibrated leak rate through the excess-flow check valve permits the pressure on the switch to decay, thus allowing the pressure switch to reset.
Accelerated tests performed by the manufacturer of the ESAS actuation output DC relays resulted in one contact failure per 4 x 107 operations. ESAS AC relays have been qualified within the bounds of the remaining life of the plant.
Factory tests of components and of complete channels followed by online tests confirmed the reliability of the systems.
- e.
Manual Trip A manual trip pushbutton has been provided on the Control Room console for each of the levels of protection of each actuation. Operation of the pushbutton energizes relays whose contacts perform an "OR" function with the matrices of the automatic actuation except for the matrices which are part of the loading sequence. Manual actuation of the loading sequence is made by deenergizing the timed output relays as shown on Figure 7.1-4, sheet 1. The power supply for the manual trip relays is taken from the station batteries. Different batteries are used for the two actuations.
The manual trip is testable during power operation in a manner similar to that of testing of the automatic actuations.
- f.
Bypassing The trip functions of the high and low pressure injection actuation signals may be bypassed whenever the reactor is to be depressurized below the trip point of the bistables. Bypassing must be initiated manually for each channel within a fixed pressure band above the protective system bistable trip point. The high pressure actuation signal may be bypassed only when the reactor pressure is <1750 psig nominal, and the low pressure actuation signal may be bypassed only when the reactor pressure is <900 psig nominal. The high pressure injection and low pressure injection bypasses are automatically reset when the reactor exceeds 1775 and 925 psig nominal, respectively.
On a concurrent loss of offsite power and a loss of A train station DC, the A diesel generator fails due to a loss of excitation. This failure would de-energize the AC and DC power supplies to the 1A, 1C and 1E inverter. As a result, 120 VAC vital distribution panels VBA and VBC would be lost. Engineered Safeguards actuation system train A is made inoperable as a result of this event. Train B actuates due to loss of VBA, which actuates channel #1, and loss of VBC, which de-energizes the HPI and LPI actuation and bypass bistables for channel #3. Because the bypass bistables are de-
TMI-1 UFSAR CHAPTER 07 7.1-22 REV. 24, APRIL 2018 energized, they fail to a condition that would not allow bypass. Engineered safeguards has a VBC powered relay in the channel B3 actuation circuit which allows manual bypass of HPI and LPI actuation using the control room bypass pushbuttons after it has inadvertently actuated due to the combination of power losses.
A manual bypass reset switch is also provided for increased flexibility during testing and/or operation.
The trip functions of the Reactor Building isolation and cooling can only be bypassed after actuation (see Item c.3 of Section 7.1.3.2).
The overriding of any one type of isolation signal (radiation, reactor trips, high Reactor Building pressure) to a containment isolation valve will not block any of the other signals from performing their isolation function.
- g.
Reset The ESAS trip bistables are adjusted for a minimum deadband, thereby allowing automatic reset when the monitored variable goes below or above its predetermined setpoint. After a trip has occurred and the bistable has reset, the operator can reset the logic remotely by pressing a Control Room console mounted reset switch. Thus, the operator is not required to leave the Control Room to reset the bistable. Resetting the trip bistable and the logic does not reset ESAS-actuated equipment.
Remote reset capability is provided for all of the channels in high pressure injection, low pressure injection, and Reactor Building isolation actuation "A", and for all channels in high pressure injection, low pressure injection, and Reactor Building isolation actuation "B".
ESAS logic cannot be reset remotely if the trip signal is present.
7.1.4 EMERGENCY FEEDWATER SYSTEM 7.1.4.1 Design Basis The TMI-1 Emergency Feedwater System (EFW) is required to remove heat from the primary system when the main feedwater system is not available. It is capable of holding the plant at hot standby and also capable of cooling down the plant to the point where the normal decay heat removal system can operate.
The EFW system is configured to insure the addition of EFW to the OTSGs assuming a single active failure concurrent with loss of offsite power. In addition, the modified system is capable of providing controlled emergency feedwater flow to the OTSGs for at least two hours without relying on alternating current (AC) power (Station Blackout). The two hour analysis is based on a TMI-1 restart commitment. The TMI-1 Station Blackout (SBO) specified duration, however, is four hours. See Section 8.5 for the Station Blackout evaluation.
The EFW system is designed so that a single failure will not result in the loss of emergency feedwater system function during a LOCA. The EFW system, including pump, control valves and actuation system are testable.
TMI-1 UFSAR CHAPTER 07 7.1-23 REV. 24, APRIL 2018 7.1.4.2
System Design
- a.
General Description The TMI Unit No. 1 EFW System is designed so that:
- 1.
The turbine driven and both motor driven Emergency Feedwater (EFW) pumps automatically start upon loss of both main feedwater pumps, loss of all four (4) Reactor Coolant Pumps, low OTSG water level, or high RB pressure.
- 2.
The motor driven EFW pumps are automatically loaded on the diesel generator during loss of offsite power if an HSPS Auto start signal is present.
- 3.
Redundant indication is available in the Control Room of EFW flow to each steam generator.
- 4.
Manual control of the EFW flow to each steam generator is available to the operator in the Control Room.
- 5.
Control Room annunciation for all auto start conditions of the EFW system is available.
- 6.
The EFW control valves (EF-V30A, EF-V30B, EF-V30C, EF-30D) fail closed on loss of air/signal/power.
- 7.
A two hour backup emergency source of instrument air is available to control key EFW and main steam valves.
- b.
Emergency Feedwater Actuation Heat Sink Protection System (HSPS)
All of the EFW pumps receive an auto-start signal on loss of both main feedwater pumps, loss of all four Reactor Coolant (RC) Pumps, low OTSG water level or high RB pressure. This is accomplished by sensing FW pump turbine hydraulic oil pressure, utilizing contacts from the RC pump power monitors, OTSG water level transmitters, and RB pressure transmitters. The RC pump power monitoring system and the main feed pump pressure sensing system are considered safety grade for the accidents during which they are required to operate. The hydraulic oil pressure switches are located in the Turbine Building. The remaining system is Class 1E. All sensors and cable for both HSPS trains meet the separation criteria as specified in Section 8.
The actuation system is arranged into two trains. (See Figures 7.1-5 and 7.1-6 for logic diagrams).
Actuation train "A" will automatically start the "A" motor driven emergency feedwater pump and the turbine driven pump whenever one of the following occurs:
- 1.
Low Feedwater Pump turbine (FW-U-1A and FW-U-1B) hydraulic oil pressure (<75 psig) by PS-829 and PS-830, respectively.
TMI-1 UFSAR CHAPTER 07 7.1-24 REV. 24, APRIL 2018
- 2.
Power to all four reactor coolant pumps is lost as sensed by RC Pump Power Monitors 1 for Pumps A through D.
The "B" actuation train is set up to automatically start the "B" motor driven emergency feedwater pump and the turbine driven pump. The actuation logic is the same as discussed above except that the following redundant inputs are utilized.
- 1.
Loss of the feed pumps is sensed using PS-542 and PS-543.
- 2.
Loss of all 4 RC Pumps is sensed using RC Pump Power Monitor 2 for Pumps A through D.
Each Actuation Train monitors and activates its pump based on the following:
- 3.
2 out of 4 Level Loops (LT-1046, LT-1047, LT-1042, LT-1043 OTSG A; LT-1054, LT-1055, LT-1050, LT-1051 OTSG B) sensing low level.
- 4.
2 out of 4 Pressure Loops (PT-1186, PT-1187, PT-1188, PT-1189) sensing high RB pressure.
- c.
Steam Generator Control and Indication All three EFW pumps discharge into a common header. Off of this common header, a separate six inch line delivers water to each steam generator. Each of the two supply lines contains 2 air operated control valves (EF-V30s). Under normal operation, air for the control of these valves is supplied from the instrument air system. The emergency air supply for the EFW System is described in Section 7.3.2.2.c.16. To provide assurance that EFW can be controlled when required, the failure mode of control valves EF-V30s are such that on loss of air, the valves will fail in the closed position and remain in this position.
- 1.
Automatic Control of EFW Flow to OTSG:
The control system is of dual setpoint design with the setpoints dependent on whether or not the Reactor Coolant Pumps (RCP) are running.
On loss of all four (4) RCPs, the control system opens and controls the EFW flow control valves to maintain a higher OTSG water level setpoint as required to achieve reactor natural circulation cooling within the Reactor Coolant System (RCS). If at least one RCP is operating, the control system controls OTSG water level to a lower setpoint sufficient for forced circulation RCS cooling. The lower setpoint is 25 inches of the startup range. The higher setpoint is 50 percent of the operating range.
- 2.
Manual Control:
The HSPS permits manual control of the EFW control valves from the Control Room.
TMI-1 UFSAR CHAPTER 07 7.1-25 REV. 24, APRIL 2018 A manual loader station for each control valve is also available at the Remote Shutdown Panels.
- 3.
Level Indication:
Steam Generator Level Indication is provided by HSPS as shown in Drawing 302-032. In addition, a diverse means of monitoring OTSG level is provided.
This level indication is independent of the HSPS.
The level indication of each SG is redundant and meets single failure criterion.
The level indication signals are derived from the Remote Shutdown Panel (RSP) instrumentation such that the RSP instrumentation is isolated from the Control Room indicators.
The equipment and display are in continuous operation during all operating modes and accident conditions of the plant.
- 4.
Flow Indication:
Each of the two EFW supply lines is provided with one flow element that creates a differential pressure which is monitored by two differential pressure transmitters. Associated signal conditioning modules develop and transmit flow signals to the Control Room where meters are installed to read flow directly. The design of the flow indication meets safety grade design criteria.
- d.
EFW System Primary Water Supply Condensate Storage Tanks comprise the primary water supply for the EFW System as described in Section 7.3.2.2.c.9.
7.1.4.3 System Evaluation The motor driven EFW pumps auto-start circuits and the diesel block loading sequence ensures that a single failure shall not result in less than the minimum required pump capacity being available under all conditions including loss of off site power.
The TMI-1 EFW design provides an emergency feed line with control provisions in line to each steam generator. The design is such that the required quantity of water can be provided to both steam generators during all single failure conditions involving a LOCA or loss of normal feedwater. Under steam line or feed line break conditions, when both main and EFW may be isolated to the affected steam generator, the single failure criteria is met with the unaffected redundant EFW control valves. To provide further assurance that EFW can be delivered: a two hour backup instrument air system is provided, the failure mode of the control valves is closed, control stations are provided in the Control Room, and flow instruments provide information to the operator for regulating flow.
To insure the operator can prevent an overfill and overcooling condition, manual control stations for EF-V30A, EF-V30B, EF-V30C and EF-V30D, are located in the Control Room to backup the existing level control system and plant instrumentation systems. In addition, plant procedures provide guidance to the operator in recognizing overcooling incidents and for taking prompt
TMI-1 UFSAR CHAPTER 07 7.1-26 REV. 24, APRIL 2018 corrective action. The operators are trained in the requirements of these procedures as part of the Operator Training Program.
7.1.5 Diverse Scram System The DSS provides a protective type function, tripping the reactor (similar to the RPS).
However, the DSS is part of Anticipated Transient Without Scram (ATWS) systems in accordance with 10 CFR 50.62 (the ATWS Rule). The ATWS Rule provides unique requirements compared to IEEE Standard 279 discussed in Section 7.1.1. These unique requirements will be discussed in Section 7.1.5.1. The DSS design will be discussed in Section 7.1.5.2.
Also included in meeting the ATWS Rule is the Turbine Trip on FW Pump Trip (TTFWPT) interlock. TTFWPT design is discussed in Section 7.1.5.3. The HSPS low level EFW initiation meets other requirements of the ATWS Rule. The HSPS is described in Section 7.1.4.
Specific discussions of the HSPS relative to the ATWS Rule are discussed within Section 7.1.5.1.
The below discussion utilizes ATWS when referring to systems which meet the ATWS Rule; DSS, HSPS, TTFWPT when referring to specific TMI systems.
7.1.5.1 Design Basis of ATWS 7.1.5.1.1 Non applicable IEEE 279 Requirements Single Failure, Redundancy, Independence, Separation, Manual Trip, and Seismic requirements of IEEE 279 are not applicable to ATWS.
7.1.5.1.2 Independence from RPS ATWS cannot share RPS components or support systems except for sensors. DSS, HSPS, and TTFWPT do not share components, support systems or sensors with the RPS. The DSS manual trip switch is located in the main control console with the manual scram switch. Power sources are discussed in Section 7.1.5.1.7.
7.1.5.1.3 Environment ATWS equipment must be qualified for normal, non-accident environments. DSS utilizes sensors which are qualified for DBE environments. All other ATWS components are located in mild environments, and the components are designed for these mild environments.
7.1.5.1.4 Testing and Inadvertent Actuation ATWS systems must be testable at power up to but not including the final actuation device.
DSS, HSPS, and TTFWPT are testable at power.
ATWS systems must be designed to prevent inadvertent actuation. The DSS utilizes 2 out of 2 (2/2), HSPS utilizes 2/4, and TTFWPT utilizes 2/3 logic coincidence to limit inadvertent actuation.
TMI-1 UFSAR CHAPTER 07 7.1-27 REV. 24, APRIL 2018 The DSS and TTFWPT are completely bypassed when testing. As a 4 channel protection system the HSPS is not completely bypassed when tested. Only those portions being tested are bypassed.
7.1.5.1.5 Quality Assurance QA applied to ATWS systems for test, maintenance and surveillance shall meet GL 85-06's QA guidance for ATWS equipment that is not safety related. DSS and TTFWPT are tested and maintained per the TMI QA plan for augmented quality equipment. As ATWS systems are not covered by tech spec, the DSS and TTFWPT are not surveilled. DSS and TTFWPT are, however, tested on a refueling basis. As a safety related protection system, the HSPS is tested, maintained and surveilled per tech spec.
7.1.5.1.6 ATWS Power Sources ATWS power sources must be independent of reactor trip related power sources and not dependant on offsite power or meet other acceptable NRC design criteria as per Holahan (NRC) to Stalter (BWOG) letter of September 7, 1988. The DSS utilizes offsite power as loss of offsite power always results in reactor trip. The HSPS utilizes reactor trip system related power supplies because it is a 4 channel protection system. TTFWPT utilizes the security system 120VAC inverter supply.
7.1.5.1.7 ATWS Equipment/Component Diversity Requirements Equipment provided for ATWS shall be diverse from that utilized in the reactor trip systems in original design and throughout plant life.
The design of the ATWS systems meets diversity requirements of the ATWS rule.
Programmatic commitments to maintaining diversity include the computer based component maintenance system (Component Record List) references to diversity requirements which are described below in this section.
7.1.5.1.7.1 DSS Diversity Requirements Equipment/components of DSS shall be diverse from that of the reactor trip system. The affected equipment/components in the DSS consist of the PT 949/963 electronic modules and power supplies in the Signal Conditioning Cabinets; the electronic modules, relays, and power supplies in the DSS cabinet; and inputs to the DCRDCS.
7.1.5.1.7.2 HSPS Diversity Requirements Certain equipment/components of the HSPS shall be diverse from that of the reactor trip system. The affected equipment/components in the HSPS consist of electronic modules, relays and power supplies associated with OTSG startup level loops and low level EFW actuation logic.
7.1.5.1.7.3 TTFWPT Diversity Requirements Certain equipment/components of the TTFWPT shall be diverse from that of the reactor trip system. The affected equipment/components, consists of the security power system inverter
TMI-1 UFSAR CHAPTER 07 7.1-28 REV. 24, APRIL 2018 SED-INV-0001; and the relays and isolators associated with monitoring the FW pump turbine hydraulic oil pressure.
7.1.5.1.7.4 Reactor Trip System Diversity Requirements All components of the RPS cabinets and the AC circuit breakers of the CRDCS shall be diverse from the equipment/components identified above in Sections 7.1.5.1.7.1 through 7.3.
7.1.5.2 DSS Design The DSS monitors RC pressure with two channels of instrumentation. If both channels indicate RC pressure is above setpoint the DSS provides two digital inputs (one per channel) to the DCRDCS. Upon actuation of both channels of DSS, the DCRDCS will open a normally-closed solid-state relay contact in each of the 61 SRPSs. The result is deenergization of all control rods and reactor trip. Reference Gilbert/Commonwealth, Inc. Drawing 802-003 for a simplified logic presentation.
7.1.5.3 TTFWPT Design FW pump U-1A and U-1B turbine hydraulic oil pressure is monitored by pressure switches. If both turbines are tripped as evidenced by 2/3 pressure switches on each turbine, the EHC system will trip the turbine.
7.1.5.4 System Evaluation The DSS provides an independent method of automatically tripping the reactor in the event the RPS related reactor trip system fails. It is designed in accordance with the ATWS rule and, as such, its critical features are independence and diversity from the reactor trip system and emphasis on not failing in a tripped state.
The DSS and the TTFWPT designs emphasize decreasing the probability of inadvertent actuations without the complexity required of protection systems to provide high probability of correctly actuating when required. The HSPS initiation of EFW, while meeting ATWS requirements, also meets safety related requirements for automatic initiation of EFW, and as such, it is designed, maintained and surveilled as a IEEE 279 protection system.
TMI-1 UFSAR CHAPTER 07 7.1-29 REV. 18, APRIL 2006 TABLE 7.1-1 (Sheet 1 of 2)
SUMMARY
Trip Value Steady-State or Condition Trip Variable No. of Sensors Normal Range For Trip Overpower 4 two-section 2-100%
105.1% of rated flux sensors power.
Power based 4 two-section NA 1.08 times flow minus on imbalance flux sensors, reduction due to and flow 8 differential imbalance.
pressure flow transmitters, 2 flow nozzles Power/RC pumps 8 pump 2 to 4 pumps Reactor neutron power trip monitors exceeds 55% rated with 16 power with one pump contacts operating in each loop or, Loss of two operating reactor coolant pumps in same loop or, Loss of one or two reactor coolant pumps during two-pump operation.
High Reactor outlet 4 temperature 532-604F 618.8F temperature sensors
TMI-1 UFSAR CHAPTER 07 7.1-30 REV. 18, APRIL 2006 TABLE 7.1-1 (Sheet 2 of 2)
SUMMARY
Trip Value Steady-State or Condition Trip Variable No. of Sensors Normal Range For Trip Reactor Coolant 4 pressure 2090-2220(1) 2355(1)psig (high)
Pressure sensors psig 1900(1) psig (low)
High Reactor 4 pressure
-0.5 psig to 4 psig Building sensors 0.5 psig pressure Turbine/FW 12 pressure 2 FW pumps Loss of both FW pumps trip sensors and main pumps(2) or (4 pressure turbine not turbine trip(3) sensors each tripped unit)
(1) At pressure sensor taps (2) Automatically bypassed below 7% power. Reference 19.
(3) Operative above 45% power and automatically bypassed below 45% power
TMI-1 UFSAR CHAPTER 07 7.1-31 REV. 19, APRIL 2008 TABLE 7.1-2 (Sheet 1 of 2)
ENGINEERED SAFEGUARDS ACTUATED DEVICES Actuation A Actuation A or B Actuation B A. Emergency Core Cooling DH-P-1A DH-P-1B DH-V-4A DH-V-4B DH-V-5A DH-V-5B MU-P-1A MUP1B MU-P-1C MU-V-14A MU-V-14B MU-V-16A MU-V-16C MU-V-16B MU-V-16D MU-V-36 MU-V-18 MU-V-37 B. Reactor Building Cooling AH-E-1A AH-E-1C AH-E-1B BS-P-1A BS-P-1B BS-V-1A BS-V-1B BS-V-2A*
BS-V-2B*
BS-V-3A BS-V-3B RR-P-1A RR-P-1B RR-V-1A RR-V-1B RR-V-3A RR-V-3C RR-V-3B RR-V-4A RR-V-4B RR-V-4C RR-V-4D
- As a result of the conversion to Trisodium phosphate for the chemical buffer, Valves BS-V-2A and BS-V-2B are no longer required to open by the ESAS.
TMI-1 UFSAR CHAPTER 07 7.1-32 REV. 19, APRIL 2008 TABLE 7.1-2 (Sheet 2 of 2)
ENGINEERED SAFEGUARDS ACTUATED DEVICES Actuation A Actuation A or B Actuation B C. Reactor Building Isolation AH-V-1B AH-V-1A AH-V-1D AH-V-1C CA-V-2 CA-V-13 CA-V-4A CA-V-5A CA-V-5B CA-V-189 CA-V-4B CF-V-2A CF-V-19A CF-V-20A CF-V-2B CF-V-19B CF-V-20B CM-V-1 CM-V-2 CM-V-3 CM-V-4 IC-V-3 IC-V-4 IC-V-2 IC-V-6 MU-V-3 MU-V-2A&B MU-V-25 MU-V-26 NS-V-4 NS-V-15 NS-V-35 WDG-V-3 WDG-V-4 WDG-V-303 WDL-V-304 WDL-V-534 WDL-V-535 RB-V-7 RB-V-2A D. ECCS & RB Cooling Support AH-E-15A AH-E-15B AH-E-27A AH-E-27B DC-P-1A DC-P-1B DR-P-1A DR-P-1B NR-P-1A NR-P-1B NR-P-1C NR-V-4A NR-V-4B NS-P-1A NS-P-1B NS-P-1C E. Emergency Electrical Power EG-Y-1A EG-Y-1B Devices affected by ES Load Sequencing and Load Shedding are not comprehensively included in this Table.
TMI-1 UFSAR CHAPTER 07 7.1-33 REV. 18, APRIL 2006 TABLE 7.1-3 (Sheet 1 of 2)
ENGINEERED SAFEGUARDS ACTUATION SYSTEM SET POINTS (AND PERMISSIBLE BYPASSES)
Initiating Signal Function Set Point High Reactor Building Reactor Building spray 30 psig pressure(1)
Reactor Building isolation 30 psig High pressure injection 4 psig Low pressure injection 4 psig Start Reactor Building cooling and Reactor Building isolation 4 psig Low Reactor Coolant High pressure injection 1600(2) and System pressure 5003 psig Low pressure injection 16002 and 5003 psig Reactor Building isolation and Reactor Building cooling 1600 psig2 1 Cannot be bypassed.
2 May be bypassed below 1775 psig on decreasing pressure and is automatically reinstated above 1800 psig on increasing pressure.
3 May be bypassed below 925 psig or decreasing pressure and is automatically reinstated above 950 psig on increasing pressure.
Bases High Reactor Building Pressure The basis for the 30 and 4 psig set points for the high pressure signal is to establish a setting which would be reached in adequate time in the event of a LOCA, cover a spectrum of break sizes and yet be far enough above normal operation maximum internal pressure to prevent spurious initiation.
TMI-1 UFSAR CHAPTER 07 7.1-34 REV. 18, APRIL 2006 TABLE 7.1-3 (Sheet 2 of 2)
ENGINEERED SAFEGUARDS ACTUATION SYSTEM SET POINTS (AND PERMISSIBLE BYPASSES)
Low Reactor Coolant System Pressure The basis for the 1600 and 500 psig low reactor coolant pressure set points for high and low pressure injection initiation is to establish a value which is high enough such that protection is provided for the the entire spectrum of break sizes and is far enough below normal operating pressure to prevent spurious initiation. Bypass of HPI below 1750 psig, and LPI below 900 psig, prevents ECCS actuation during normal system cooldown.
TMI-1 UFSAR CHAPTER 07 7.2-1 REV. 23, APRIL 2016 7.2 REGULATION SYSTEMS 7.2.1 DESIGN BASES Reactor output is regulated by the use of movable control rod assemblies and soluble boron dissolved in the coolant. Control of relatively fast reactivity effects, including Doppler, xenon, and moderator temperature effects, is accomplished by the control rods. The control response speed is designed to overcome these reactivity effects. Relatively slow reactivity effects, such as fuel burnup, fission product buildup, Samarium buildup, hot to cold moderator reactivity deficit and integral absorber (gadolinium) burnup, are controlled by soluble boron.
Control rods are normally used for control of Xenon transients associated with normal reactor power changes. Chemical shim shall be used in conjunction with control rods to compensate for equilibrium Xenon conditions. Reactivity control may be exchanged between rods and soluble Boron consistent with limitations on power peaking. Reactor regulation is a composite function of the ICS and CRDS. Design data for these substations are given in the following subsections.
7.2.2 CONTROL ROD DRIVE SYSTEM The CRDS includes drive controls, power supplies, position indicators, operating panels and indicators, safety devices, and enclosures.
7.2.2.1 Design Basis The CRDS design bases are categorized into safety considerations, reactivity rate limits, startup considerations, and operational considerations.
- a.
Safety Considerations
- 1)
The Control Rod Assemblies (CRA) are inserted into the core upon receipt of protection system trip signals. Trip command has priority over all other commands.
- 2)
No single failure shall inhibit the protective action of the CRDS.
- b.
Reactivity Rate Limits The speed of the mechanism and group rod worth provide the reactivity change rates required. For design purposes, the maximum rate of change of reactivity that can be inserted by any group of rods has been set in Item b. of Section 14.1.2.2. The drive controls, i.e., the drive mechanism and rods combination, have an inherent speed limiting feature.
- c.
Startup Considerations The CRDS design bases for startup are as follows:
- 1)
Reactor regulation during startup is a manual operation.
TMI-1 UFSAR CHAPTER 07 7.2-2 REV. 23, APRIL 2016
- 2)
Control rod out motion is inhibited when a high startup rate (short period) in the source range or intermediate range is detected.
- d.
Operational Considerations For operation of the reactor, functional criteria related to the rod drive control system are:
- 1)
CRA Positioning The CRDS provides for controlled withdrawal, controlled insertion and holding of the CRAs, to establish and maintain the power level required for a given reactor coolant boron concentration.
- 2)
Position Indication Continuous rod position indication, as well as full-in and full-out position indication, is provided for each control rod drive.
- 3)
System Monitoring The CRDS design includes provisions for routinely monitoring conditions that are important to safety and reliability.
7.2.2.2
System Design
The CRDS provides for withdrawal and insertion of the CRAs to maintain the desired reactor output. This is achieved either through automatic control by the ICS, discussed in Section 7.2.3, or through manual control by the operator. As noted previously, this control compensates for short term reactivity changes. It is achieved through the positioning in the core of 61 CRAs.
The 61 rods are grouped for control and safety purposes into seven groups. Four groups function as safety rods, and three groups serve as regulating rods. The seven groups may be assigned from four to twelve CRAs.
Control rods are arranged into symmetric (by core quadrant) groups by utilizing the Engineering Work Station (EWS) to edit a database contained in the PLC software which defines desired rod group patterns. Twenty-nine rods are assigned to the regulating groups, and 32 rods are assigned to the safety rod groups. A typical rod grouping arrangement is shown below:
Safety Rods Regulating Rods Group 1 - 8 Group 5 - 12 Group 2 - 8 Group 6 - 8 Group 3 - 8 Group 7 - 9 Group 4 - 8
TMI-1 UFSAR CHAPTER 07 7.2-3 REV. 23, APRIL 2016 During startup, the safety rod groups are withdrawn first, enabling withdrawal of the regulating control groups. The sequence allows operation of only one regulating rod group at a time except where reactivity insertion rates are low (first and last 25 percent of stroke), at which time two adjacent groups are operated simultaneously in overlapped fashion. These insertion rates are shown on Figure 7.2-1.
As fuel is depleted, dilution of soluble boron in the reactor coolant is necessary. Interlocks from safety rod position are used to permit selection of continuous feed and bleed and to terminate this continuous cycle on rod insertion loss of Safety Rods Out signal. The dilution cycle is terminated when a preset volume has been added to the coolant. IEEE 279 standard (see 7.5, Reference 2) criteria were not used for these circuits because the function is time dependent and backup control elements consisting of a series valve, a pump control, and a pneumatic controller may be used to terminate the dilution cycle.
- a.
System Equipment The CRDS consists of three basic components: (1) control rod drive motor supplies, (2) system logic, and (3) trip breakers.
The power supplies consist of 61 Single Rod Power Supplies (SRPS), with two identical halves wired as a redundant pair and connected to each CRDM. Each SRPS uses a redundant 6 phase half wave rectifier design. In each half of a SRPS, rectification and switching of power are accomplished through the use of silicon controlled rectifiers (SCRs). This switching sequentially energizes first two, then three, then two of the six CRA motor stator windings in stepping motor fashion, to produce a rotating magnetic field for the CRA motor to position the CRA. Switching is achieved by gating the six SCRs on for the period each winding must be energized. Because each of the six windings uses SCRs to supply power, six gating signals are required.
Gating signals for the SRPS are generated by Programmable Logic Controller (PLC) using software containing logic to accept automatic commands from the ICS, or direct manual commands from the Operator Control Panel (OCP). These commands are converted to sequential digital outputs which cause the mechanism motor to step at the proper speed and direction to provide a 3-2 hold control, which ensures two coils are energized when there are no commands. If one coil becomes de-energized the control position will be maintained, but cannot be exercised.
The PLC is also known as a Triple Modular Redundant (TMR) Controller using a triplicate processor running in parallel, with redundant selection of the "good" signal in the event of failure or malfunction of the controlling "slice." An auctioneering network determines if any anomalies exist and selects the most credible (via a two-out-of-three voting network) of the three available signals. Each processor executes the application program simultaneously and independently. Redundant power supplies are used for all CRD mechanisms. Each is capable of carrying the full load and each is fed from separate power sources with a common SCR gating signal control source.
The system logic encompasses those functions which command control rod motion in the manual or automatic mode of operation, including CRD sequencing, safety and protection features, and the manual trip function. Major components of the system are
TMI-1 UFSAR CHAPTER 07 7.2-4 REV. 23, APRIL 2016 the RPS interface reactor trip breakers, Position Indication Panel (PIP), operator's control panel (OCP), TMR Controllers, Engineering Work Station (EWC), and the SRPS.
The EWS is used for software control inputs. In addition to the TMR controllers, a second PLC is devoted exclusively to processing absolute and relative control rod position indication signals.
Switches are provided at the operator's control panel for selection of the desired rod control mode. Control modes are: (1) automatic mode: where rod motion is commanded by the ICS and (2) manual mode: where rod motion is commanded by the operator. Manual control permits operation of a single rod or a group of rods. Alarm lamps on the rod drive control panel alert the operator to the system's status at all times.
The sequence section of the logic system utilizes rod position signals to generate control interlocks which regulate rod group withdrawal and insertion. Sequence logic applies in both automatic and manual modes of reactor control and controls the regulating groups only. Analog position signals are generated by the reed switch matrix on the CRA. When operating in the sequence mode, the PLC controls sequential withdrawal and insertion of numerically adjacent regulating groups. Two adjacent groups are enabled coincidentally within 25% overlap regions, in order to minimize effects of lower rod worth at their upper and lower extremes in travel.
The automatic sequencer circuit can control only rod groups 5, 6, and 7. The safety rod groups, groups 1 through 4, are controlled manually, one group at a time. In addition, the operator must select the safety group to be controlled and transfer it to the auxiliary power supply before control is possible. There is no way in which the automatic sequencer can affect the operations required to move the safety rods.
The selection of manual control mode and sequence bypass mode functions permit intentional out of sequence conditions. "Sequence" operation may be bypassed at any time if the manual control mode has been selected. If automatic control is selected, "sequence" operation cannot be bypassed. This condition is indicated to the operator.
"Sequence override" operation permits selection of any rod group or any single rod for control. It will not permit selection of more than one rod group at any given time. Motion of more than one group at any given time also is not possible when this operation is selected.
Inputs to the system logic from the RPS and the ICS provide interlock control over rod motion. These interlocks cause rod motion command lines and/or automatic control mode selection to be inhibited.
Under certain conditions the nuclear instrumentation generates an "out inhibit" signal.
When this signal is received by the CRD system, all out command circuits are disabled, thus preventing withdrawal of all rods in either automatic or manual control.
Automatic insertion of rods can only be commanded by the ICS when the CRD system is in the automatic mode. These commands can only affect rod groups 5, 6, and 7.
In the CRDS, two methods of position indication are provided: An absolute position indicator and a relative position indicator. The absolute position transducer consists of a
TMI-1 UFSAR CHAPTER 07 7.2-5 REV. 23, APRIL 2016 series of magnetically operated reed switches mounted in a tube parallel to the motor tube extension. Each switch is hermetically sealed. Switch contacts close when a permanent magnet mounted on the upper end of the lead screw extension comes in close proximity. As the lead screw (and the CRA) moves, the switches operate sequentially, producing an analog voltage proportional to position. Other reed switches included in the same tube with the position indicator matrix provide full-in and full-out limit indications.
The relative position indication is calculated by the TMR processor. The relative position indicators serve as a backup to the absolute position indication. Both absolute and relative rod positions are displayed to the control room operator.
CRDS trip breakers are provided to interrupt power to the control rod drive motors.
When power is removed, the roller nuts disengage from the lead screw and a gravity free-fall trip of the CRA occurs. Two series trip methods are provided for removal of power to the CRA motors. First, a trip is initiated when RPS logic interrupts power to the undervoltage (UV) coil of the main ac feeder breakers.
As a backup to the breaker's UV coil trip, the breaker's shunt trip coil is energized by action of a voltage sensing relay which operates when a trip is initiated via the RPS logic.
The ac power feed breakers are of the three pole, stored energy type and are equipped with instantaneous undervoltage and shunt trip coils. Each of the four ac feed breakers is housed in a separate metal clad enclosure.
All breakers are electrically operated to provide remote reset capability. Each breaker undervoltage trip coil is operated from the RPS.
7.2.2.3 System Evaluation
- a.
Safety Considerations A reactor trip occurs whenever power has been removed from the rod drive motors.
The design provides two stored-energy breakers, which do not require power to interrupt the electrical feeds to rod drive control power supplies. All devices have interrupting capacity of sufficient rating to open under any group load configuration. Reactor trip is further assured by providing series trip devices, split buses, and provisions for periodic testing. Trip redundancy is provided by series breakers, while availability and testability are provided through dual power sources. Redundant power supplies permit testing of the trip action of each breaker without loss of plant availability.
The direct current must be greater than 3 Amperes per coil (2-coil "hold mode") in order to hold a drive in the withdrawn position. The probability of an external dc source being applied to the control rod drive mechanisms downstream from the reactor trip points such that the CRAs are held in their withdrawn positions after a trip, is not considered credible for the following reasons:
- 1)
The trip devices in the control rod drive system remove all dc power from the drives.
TMI-1 UFSAR CHAPTER 07 7.2-6 REV. 23, APRIL 2016
- 2)
Control rod drive power cables are terminated at only three points between the control rod drive cabinets and the drive mechanisms.
Two of these terminations are made outside and inside the Reactor Building electrical penetrations inside junction boxes containing only control rod drive power cables. The third termination is made in inline connectors (one per drive) in the area of the reactor. The only other cables terminated in this area are the control rod drive instrumentation cables. The instrumentation cables are terminated to inline connectors of a different size and configuration; therefore, mismating of connectors could not be accomplished.
- 3)
No cable splices are permitted between termination points described.
- 4)
The dc systems from the batteries at TMI-1 are not grounded and are equipped with ground detecting circuitry.
In summary, series redundant trip devices having adequate rating, testability, and a split-bus arrangement ensure safety of reactor trip circuits.
- b.
Reactivity Rate Limits The desired rate of change of CRA reactivity insertion and uniform reactivity distribution over the core are provided for by the control rod drive and power supply design and the selection of rods in a group. The motor, lead screw, and power supply designs are fixed to provide a uniform rate of speed of 30 inches per minute. The speed is controlled digitally by the PLC. The reactivity change is then controlled by the rod group size. To insure flexibility in this area, rod group assignments are entered off-line at the EWS into password-protected software. This determines desired rod group worth distribution to coordinate with varying core reload design. Any rod may be assigned to any group, so long as the same group pattern exists in each core quadrant.
A linear reactivity insertion rate is provided for by the withdraw-insert sequence of rod groups. As described in Item a. of Subsection 7.2.2.2, the sequencer provides for the sequencing of groups 5, 6, and 7. These control interlocks do not conform to IEEE, Standard 279 1971 (see 7.5, Reference 2) requirements because protection against the total rod withdrawal accident is provided by the RPS as analyzed in Section 14.1.2.2.
Uniform and symmetrical reactivity addition rate is provided by synchronous withdrawal of all rods to that group. All rods in anyone group will have the same CRD motor stator windings simultaneously energized. Such synchronous withdrawal is achieved by duplication in design of the Pulse Generator/Monitor (PG/M) module within the TMR Controller. The TMR architecture employs a highly synchronous triplicate processor set running in parallel. Each processor "slice" executes the application program simultaneously and independently, verifying data, control, clock, and synchronization signals. These signals are partitioned and down loaded in such a manner as to optimize execution times of the algorithms controlling synchronous motion of the design.
Each control rod is provided with a rod position indication monitor (see Item d. below) to sense asymmetric rod patterns by comparing the individual rod position with its group
TMI-1 UFSAR CHAPTER 07 7.2-7 REV. 23, APRIL 2016 average position. When the rod moves out of step from its group by a preset amount, the monitor alarms the condition to the operator, computer, and ICS. Depending on the power setting and the control mode, action is initiated by the ICS to insert rods and reduce power.
- c.
Startup Considerations The rod drive controls receive interlock signals from the ICS and nuclear instrumentation (NI). These inputs are used to inhibit automatic mode selection if large errors exist in the ICS reactor controls and to inhibit out motion for high startup rates, respectively.
In addition to the startup considerations, dilution controls, to permit removal of reactor shutdown concentrations of boron in the reactor coolant, are provided. This control bypasses the normal reactor coolant dilution controls, described in Section 7.2.2.2, providing all safety rods are withdrawn from the core and the operator initiates a continuous feed and bleed cycle.
- d.
Operational Considerations The CRA positioning system provides the ability to move any rod to any position required consistent with reactor safety. As noted in Item b. above, a uniform speed is provided by the drive system. A fixed rod position when motion is not required is obtained by the power supply ability to energize two adjacent windings of the CRA motor stator. This static energizing of the windings maintains a latched stator and fixed rod position.
- 1)
Position Indication As previously described, two separate position indication signals are provided.
The absolute position sensing system produces signals proportional to CRA position from the reed switch matrix located on each CRA mechanism. The relative position indication system produces a signal proportional to the number of electrical pulses sent to the CRD motor stator windings, as determined through processing of these signals by a TMR PLC whose function is to process the absolute and relative position indication signals.
Position indication is provided for all 61 control rods by the Position Indication Panel (PIP) on the vertical board. Absolute and relative position indication is provided for each control rod. The arithmetic averages of the absolute position signals of all CRAs in each group are displayed.
Indication is provided on the PIP to indicate when each rod is: (1) fully inserted, (2) fully withdrawn, (3) under control, and (4) whether a fault is present.
Indicators on the operator's console show full insertion, full withdrawal, under control, and fault indication for each of the seven control rod groups.
Failures which could result in unplanned control rod withdrawal are continuously monitored by fault detection circuits. When failures are detected, indicator lights and alarms on the panel alert the operator. Fault indicator lights remain on until the fault condition is cleared by the operator. A list of indicated faults is shown below:
TMI-1 UFSAR CHAPTER 07 7.2-8 REV. 23, APRIL 2016 a)
Asymmetric rod patterns (indicate and alarm) b)
Sequence faults (indicator and alarm) c)
Rod position sensor faults d)
Safety rods not withdrawn (indicator only)
Faults serious enough to warrant immediate action produce automatic correction commands from the fault detection circuits. Status indicators on the operator's console provide monitoring of control modes.
- 2)
Description of Each Fault Detector a)
Asymmetric Rod Monitoring (1)
Design Basis - To detect and alarm if any rod deviates from its group reference position by more than a maximum of 13 inches true position.
(2)
DCRDCS Logic Operation - For each control rod, the TMR controller continuously compares the individual rod absolute position signal with the absolute group reference (average) signal.
The absolute value of the difference between the two signals is computed, and if this difference is less than the set point, no output results. If, however, the difference is greater than the set point, the TMR PLC alarms the asymmetric condition. Two alarm channels are provided. The first is at a 7 inch signal differential between individual rod position and group average position (maximum 11 inch true position separation. The second alarm set point is at 9 inch signal differential (maximum 13 inch true position separation) and initiates the action described below.
(3)
Corrective Action - Action taken upon detection of an asymmetric rod fault depends upon the control mode and the power level in effect at the time the fault is detected. Corrective action is the same for any asymmetric condition including "stuck-in,"
"stuck-out," or dropped control rods.
Detection of a 7 inch signal differential is defined as an asymmetric rods alarm. Actuation of this alarm causes an asymmetric rod alarm to be displayed for that rod on the position indication panel and an alarm signal to be sent to the plant computer and annunciator.
If the condition is not corrected and the separation increases to a 9 inch signal difference, the following actions occur:
TMI-1 UFSAR CHAPTER 07 7.2-9 REV. 23, APRIL 2016 (a)
"Asymmetric fault" lamp on the operator's console is energized. If operation is in the manual control mode, operation action is required by administrative control.
(b)
If the ICS is in automatic and the fault is in connection with a dropped rod, a "runback fault" signal is sent to the ICS.
The ICS will impose a asymmetric rod withdrawal High Load Limit. Additionally, the control rod drive system generates an "Out Inhibit" signal which disables the "Out" command circuits to all drives when Reactor power is greater then 60%. "Out Inhibit" signals are sent to the ICS, plant annunciator, and plant computer.
Reactor power remains limited to 60 percent maximum in automatic control until the fault is corrected.
(c)
The TMR controller removes ant rod with an asymmetric rod fault from the API and RPI group averages to prevent sequence faults during a Runback condition.
b)
Sequence Monitoring (1)
Design Basis - To detect any motion of the regulating rod groups outside the predetermined automatic sequence patterns and to alert the operator of the sequence fault so that manual corrective action may be taken.
(2)
DCRDCS Logic Operation - The TMR controller continuously compares the relative group average (reference) signals for each regulating rod group with the allowable sequence patterns.
(3)
Corrective Action - When an out of sequence condition is detected control panel alarm lamps, as well as annunciator and plant computer alarms, alert the operator to the malfunction.
Operator action is required by administrative control.
c)
Rod Position Sensor Faults All rod position sensor faults lead to false asymmetric, stuck, or dropped rod symptoms which are acted upon by the asymmetric rod monitor described in Item a) above.
d)
Safety Rods Not Withdrawn (1)
Design Basis - To prevent, on plant start, withdrawal of the regulating rods until the safety rods are fully withdrawn.
(2)
Circuit Operation - The circuit continuously monitors the group "out" limit for the four safety rod groups. When the four groups are all fully withdrawn, automatic control is permitted.
(3)
Corrective Action - Alarms are provided.
TMI-1 UFSAR CHAPTER 07 7.2-10 REV. 23, APRIL 2016 7.2.3 INTEGRATED CONTROL SYSTEM 7.2.3.1 Design Basis The ICS provides the proper coordination of the reactor, steam generator feedwater control, and turbine under all operating conditions. Proper coordination consists of producing the best load response to the unit load demand while recognizing the capabilities and limitations of the reactor, steam generator feedwater system, and turbine. When any single portion of the plant is at an operating limit or control section is on manual, the ICS design uses the limited or manual section as a load reference.
The ICS maintains constant average reactor coolant temperature between 22 and 100 percent rated power and constant steam pressure at all loads. Optimum unit performance is maintained by limiting steam pressure variations; by limiting the unbalance between the steam generator, turbine, and the reactor; and by limiting the total unit load demand upon loss of capability of the steam generator feed system, the reactor, or the turbine generator. The control system provides limiting actions to assure proper relationships between the generated load, turbine valves, feedwater flow, and reactor power.
7.2.3.2
System Design
- a.
General Description The ICS includes four subsystems as shown on 1D-621-41-1000. The four subsystems are the unit load demand, the integrated master control, the steam generator control, and the reactor control.
The system philosophy is that control of the plant is achieved through feed-forward control from the unit load demand (ULD). The ULD produces demands for parallel control of the turbine, reactor, and steam generator feedwater system through respective subsystems.
The steam generator control is capable of automatic or manual feedwater control from startup to full output. The integrated master control is capable of automatic or manual turbine valve control from minimum turbine load to full output and of manual control below minimum turbine load. The reactor control is designed for automatic or manual operation above 22% RP output, and for manual operation below 22% RP.
The basic function of the ICS is matching megawatt generation to ULD. The ICS does this by coordinating the steam flow to the turbine with the rate of steam generation. To accomplish this efficiently, the following basic reactor/steam generator requirements are satisfied:
- 1)
The ratios of feedwater flow and Btu input to the steam generator are balanced as required to obtain desired steam conditions.
- 2)
BTU input and feedwater flow are controlled:
TMI-1 UFSAR CHAPTER 07 7.2-11 REV. 23, APRIL 2016 a)
To compensate for changes in fluid and energy inventory requirements at each load.
b)
To compensate for temporary deviations in feedwater temperature resulting from load change, feedwater heating system upsets, or final steam pressure changes.
- b.
Unit Load Demand The ULD is designed to accomplish two objectives related to the operation of the plant.
First, the ULD conditions the load demand signal to make it compatible with the power level of the plant and its ability to change load. Second, the ULD initiates load limiting and runback functions to restrict operation within prescribed limits. Drawing 1D-621 1000 illustrates the functions incorporated in the subsystem.
When in full automatic mode, Unit Load Demand may be controlled automatically to maintain ULD within a control band by comparison to a calculated Core Thermal Power input from the Plant Process Computer; or manually as set by the operator. Provisions are made to transfer the ULD control to manual operation in the event of failure of the automatic feature.
The load demand is restrained by a maximum load limiter, a minimum load limiter, a rate limiter, and a runback limiter.
Rate limiting is designed as a function of load, so transients are limited, as shown in Table 7.2-1.
The runback limiter acts to run back and/or limit the load demand such that the following conditions will be met:
- 1)
Loss of one or more reactor coolant pumps results in a runback to the power corresponding to the remaining pumps capability and at a rate that will maintain a continuous rod insertion demand.
- 2)
Reduction of reactor coolant flow; results in a runback to the power corresponding to the available flow and at a rate that will maintain the system heat balance.
- 3)
Loss of one feed pump results in a runback to the power corresponding to the remaining pump capability and at a rate that will maintain a continuous rod insertion demand.
- 4)
When an asymmetric rod withdrawal pattern exists, the ICS will runback thermal power to a level that will limit the increase in local linear heat rate in the fuel that is induced by the dropped rod.
The output of the limiters is a megawatt demand signal which is applied to the turbine control, steam generator feedwater control, and reactor control in parallel.
TMI-1 UFSAR CHAPTER 07 7.2-12 REV. 23, APRIL 2016 The controlling subsystems of the ICS (turbine control, steam generator feedwater control, and reactor control) normally operate in the automatic mode in response to a demand signal from the ULD. The subsystems control function is kept within preestablished bounds under other than normal automatic operation by a load-tracking feature built into the ICS. The system will switch to the load tracking mode if any of the following conditions exists:
- 1)
Reactor Subsystem under manual control ("Bailey" or "Diamond" control station.
- 2)
Errors greater than preset limits develop between the demand and the variable in feedwater control, or the reactor control.
- 3)
A reactor trip occurs.
- 4)
Both feedwater loop master controllers to manual.
- 5)
The turbine control station is in manual (including turbine trip).
- 6)
Both main generator output (230 kV) breakers open.
- 7)
The steam generator/reactor master control station is in manual.
In this mode, the load demand is made to follow the manual or limited control subsystem by using the actual generator output as the demand input to the ULD. Load tracking continues until the limiting condition is brought back to within the preestablished deadband or the subsystem is returned to automatic operation, at which time the ULD returns to the manual mode.
- c.
Integrated Master The integrated master has been designed to receive the megawatt demand signal from the ULD subsystem and convert this signal into a demand for the feedwater, turbine, and reactor control. A functional diagram of the integrated master control is shown on Drawing 1D-621-41-1000. The megawatt demand is compared with the generator megawatt output, and the resulting megawatt error signal is used to change the steam pressure set point. The turbine valves then change position to control steam pressure.
As the megawatt error reduces to zero, the steam pressure set point is returned to the steady-state value. By limiting the effect of megawatt error on the steam pressure set point, the system can be adjusted to permit controlled variations in steam pressure to achieve the desired rate of turbine response to megawatt demand.
ULD is also used as the feed-forward demand to the steam generator and reactor while operating in the integrated control mode. This demand is compensated for deviations in the steam header pressure from its set point. The pressure error increases the steam generator and reactor demands if the pressure is low. It decreases the steam generator and reactor demands if the pressure is high.
The turbine bypass system operates from the OTSG pressure error of individual steam generator pressures as an overpressure relief for the turbine header.
TMI-1 UFSAR CHAPTER 07 7.2-13 REV. 23, APRIL 2016
- d.
Steam Generator Control Control of the steam generator is based on matching feedwater flow to the feedwater demand produced in the integrated master control. Drawing 1D-621-41-1000 illustrates the steam generator feedwater controls.
The basic control actions for parallel steam generator operation are:
- 1)
Steam pressure compared to set pressure, and the pressure error applied to megawatt demand.
- 2)
Megawatt demand converted to feedwater demand.
- 3)
Total feedwater flow demand split into feedwater flow demand for each steam generator.
- 4)
Feedwater demand compared to feedwater flow for each steam generator. The resulting error signals position the feedwater flow controls to match feedwater flow to feedwater demand for each steam generator.
For operation below 22 percent load, the steam generator control acts to maintain a preset minimum water level. The conversion to level control is automatic and is introduced into the feedwater control train through an auctioneer. (At electrical loads below 22% RP, the turbine bypass valves will operate to control steam pressure rise.)
The steam generator control also provides ratio, limit, and runback actions, as shown on Drawing 1D-621-41-1000, which include:
- 1)
Steam Generator Load Ratio Control Under normal conditions, the steam generators will each produce one half of the total load. Steam generator load ratio control is provided to balance reactor inlet coolant temperatures during operation with more reactor coolant pumps in one loop than in the other.
- 2)
Water Level Limits A maximum water level limit prevents overpumping of feedwater to preclude flooding the OTSG nozzles and the subsequent loss of aspirating steam.
A minimum water limit is provided for below 22% RP low load control.
- 3)
Reactor Coolant Flow Limiters These limiters restrict feedwater demand to match reactor coolant pumping capability.
- 4)
Reactor Outlet and Feedwater Low Temperature Limits These limiters reduce feedwater demand when the reactor outlet temperature or the feedwater temperature is low.
TMI-1 UFSAR CHAPTER 07 7.2-14 REV. 23, APRIL 2016
- 5)
Feedwater Cross Limits A feedwater demand signal is limited to maintain the feedwater demand always within 5 percent of the reactor power. Feedwater demand is limited to within about 5 percent of the reactor power demand both in the increase and decrease feedwater demand directions.
- 6)
Steam Generator Pressure Limit Individual steam generator pressure limits respective feedwater demands whenever pressure increases in the steam generators.
- 7)
Feedwater Valve Control Valve position demand for each steam generator is applied to both the startup and the main feedwater valves, through control stations. These valves are sequenced into operation so that the startup valve opens first (at low load) followed by the main feedwater valve as load is increased. Overlap exists between the end of startup valve stroke and the beginning of main valve stroke.
- 8)
Feedwater Pump Control The coarse demand for the feedwater pumps is derived from the total feedwater demand signal. Feedwater pump speed is then fine tuned to maintain a constant differential pressure drop across feedwater valves.
- e.
Reactor Control The reactor control is designed to maintain a constant average reactor coolant temperature over the load range from 22 to 100 percent of rated power. The steam system operates on constant pressure at all loads. The average reactor coolant temperature decreases over the range from 22 percent to zero load. Figure 7.2-8 shows the reactor coolant and steam temperatures and the steam pressure over the entire load range.
The reactor control consists of analog computing equipment with inputs of megawatt demand, core power, and reactor coolant average temperature. The output of the controller is an error signal that causes the control rod drive to be positioned until the error signal is within a deadband. A block diagram of the reactor control is shown on Drawing 1D-621-41-1000.
First, reactor power level demand (Nd) is computed as a function of the megawatt demand (MWd) and the reactor coolant system average temperature deviation
from the set point, according to the following equation:
dt 1
K MW K
N 2
d 1
d
TMI-1 UFSAR CHAPTER 07 7.2-15 REV. 23, APRIL 2016 Megawatt demand is introduced as a part of the demand signal through a proportional unit having an adjustable gain factor (K1). The temperature deviation is introduced as a part of the demand signal after proportional plus reset (integral) action is applied. For the temperature deviation, K2 is the adjustable gain and is the adjustable integration factor.
The reactor power level demand is then compared with the reactor power level signal, which is derived from the nuclear instrumentation. The resultant error signal is the reactor power level error signal.
When the reactor power level error signal exceeds the deadband settings, the control rod drive receives a command that withdraws or inserts rods depending upon the polarity of the power error signal.
The following additional features are provided with the reactor power controller:
- 1)
A high limit on reactor power level demand.
- 2)
An adjustable low limit on reactor power level demand.
- 3)
A megawatt demand limit imposed by lack of feedwater flow capability from the steam generator controls.
The ICS reactor controls incorporate automatic or manual control of Reactor Demand above 22% RP and manual control of Reactor Demand below 22% RP.
The reactor control subsystem also generates the following interlock signals:
- 1)
A signal to the CRDS to prevent placing the rod drive controls in the automatic mode if a large error exists in the ICS.
- 2)
A signal to the CRDS to cause the rod drive controls to revert to the manual mode if power for automatic operation of the ICS is lost.
- 3)
A signal to the CRDS indicating that reactor power is greater than 60 percent, which is used to generate the "out inhibit" signal.
- 4)
A signal to the reactor coolant pump motor controls which prevents starting an idle pump when reactor power is greater than 30 percent.
7.2.3.3 System Evaluation
- a.
System Failure Considerations
- 1)
Redundant sensors for major system parameters are available to the ICS. Either redundant sensor is selectable by the operator or automatically by signal verification hardware in the event of a sensor failure.
- 2)
A loss of either of the two main power feeds (ICS-Auto and ICS-Hand) or any of the subfeeds will actuate an annunciator in the Control Room. Indicator lights
TMI-1 UFSAR CHAPTER 07 7.2-16 REV. 23, APRIL 2016 located in the Control Room provide indication of a loss of either of the two main power feeds and any of the auto or hand subfeeds.
- 3)
Manual reactivity control is available at all power levels. Loss of electrical power to automatic control reverts the control system to manual. Power is fed to individual ICS components such that ICS control will not become inoperative upon loss of either one of the main power supplies.
- 4)
Upon loss of all internal power to the ICS/NNI power, Safety Grade Plant Variables (described in Section 7.3.2.2.c.13) a Class 1E Group, whose signal source is obtained from the Safety Grade Remote Shutdown Signal Conditioning cabinets via isolated outputs, provides the operator with essential plant information required to achieve cold shutdown.
- 5)
Upon a failure of the ULD STAR module (loss of power, algorithm stops running, or analog output fails) the Steam Generator / Reactor Master control station will automatically be transferred to Hand.
- b.
System Limits Maximum and minimum limits on the reactor power level demand signal (Nd) prevent the automatic reactor controls from initiating undesired power excursions. Maximum and minimum levels on the megawatt demand signal (MWd) prevent the reactor controls from initiating undesired power excursions.
Cross limiting between the steam generators and the reactor prevents reactor power excursions that may result in a reactor trip from reactor coolant pressure or temperature.
- c.
Modes of Control The ICS is designed to revert to a "Load Tracking" mode of control to tie the unit to the subsystem on manual or to the subsystem being limited.
In startup control mode, the controls are arranged so that the steam system follows reactor power rather than turbine system power demand. The controls will limit steam bypass to the condenser when condenser vacuum is inadequate.
- d.
Loss of Load Considerations The nuclear unit is designed to accept 10 percent step load rejection without MS safety valve action or turbine bypass valve action. The PORV lift setpoint was reset to a value greater than the high reactor trip setpoint, significantly decreasing the likelihood that the plant could be successfully run back without the reactor tripping following a loss of load.
The combined actions of the control system and the turbine bypass system was designed to permit a load rejection without safety valve action equal to the capacity of the turbine bypass system. The controls will limit steam dump to the condenser when condenser vacuum is inadequate, in which case the safety valves may operate.
TMI-1 UFSAR CHAPTER 07 7.2-17 REV. 23, APRIL 2016 The features that permit continued operation under load rejection conditions include:
- 1)
Integrated Control System During normal operation, the ICS controls the unit load in response to load demand from the operator. During normal load changes and small turbine speed changes, turbine control is through the EHC system to maintain constant steam pressure.
During large load and speed upsets, the turbine EHC system takes control to regulate speed.
- 2) 100 percent Relief Capacity in the Steam System This provision acts to reduce the effect of large load drops on the reactor system. TMI-1 presently cannot accommodate a loss of load condition without a reactor trip.
Consider, for example, a sudden load rejection greater than 10 percent. When the turbine generator starts accelerating, the governor valves and the intercept valves begin to close to maintain speed. At the same time, the megawatt demand signal is reduced, which reduces EHC demand, feedwater flow demand, and reactor power level demand. As the governor valves close, the steam pressure rises and acts through the control system to reinforce the feedwater flow demand reduction already initiated by the reduced megawatt demand signal. In addition, when the load rejection is of sufficient magnitude, the turbine bypass valves open to reject excess steam to the condenser, and the safety valves open to exhaust steam to the atmosphere. The rise in steam pressure and the reduction in feedwater flow cause the average reactor coolant temperature to rise, which reinforces the reactor power level demand reduction, already established by reduced megawatt demand, to restore reactor coolant temperature to set value.
As the turbine generator returns to set speed, the turbine controls revert to steam pressure control rather than speed control. This feature holds steam pressure within relatively narrow limits and prevents further large steam pressure changes.
TMI-1 UFSAR CHAPTER 07 7.2-18 REV. 18, APRIL 2006 TABLE 7.2-1 (Sheet 1 of 1)
INTEGRATED CONTROL SYSTEM TRANSIENT LIMITS Power Range Ramp Input Limit Step Input Limit Transient
(% Full Power) (% Power/min) (% Power)
Power increase 0 - 15 NA NA 15 - 20 5
0 20 - 90 10 10 90 - 100 5
0 Power decrease 100 - 20 10 10 20 - 15 5
0 15 - 0 NA NA
TMI-1 UFSAR CHAPTER 07 7.3-1 REV. 23, APRIL 2016 7.3 INSTRUMENTATION 7.3.1 NUCLEAR INSTRUMENTATION The nuclear instrumentation system is shown on Figure 7.3-1. The system meets the intent of the proposed Reference 2.
7.3.1.1 Design Basis The nuclear instrumentation (NI) system is designed to supply the reactor operator with neutron information over the full operating range of the reactor and to supply reactor power information to the RPS and to the ICS.
The system sensors and instrument strings are redundant in each range of measurement.
Measurement ranges are designed to overlap to provide complete and continuous information over the full operating range of the reactor.
7.3.1.2
System Design
The nuclear instrumentation has 10 channels of neutron information. Two channels are wide range (10-8 to 100 percent full power). The remaining eight channels consist of three ranges of sensitivity (source range, intermediate range and power range) which combine to give a continuous measurement of reactor power from source level to approximately 125 percent of rated power or ten decades of information. A minimum of one decade of overlapping information is provided between successive higher ranges of instrumentation. The relationship between instrument ranges is shown on Figure 7.3-2.
The source range instrumentation has two redundant count rate channels. These channels are used over a counting range of 0.1 to 106 count/sec and are displayed on the operator's control console in terms of log count rate. The channels also measure the rate of change of the neutron level as displayed for the operator in terms of startup rate from -0.5 to +5 decades per minute. An interlock is provided, i.e., a control rod withdraw "inhibit" on a high startup rate of
+2 decade/min in either channel.
The intermediate range instrumentation has two identical log channels originating in two electrically adjustable gamma compensated ion chambers. Each channel provides eight decades of flux level information in terms of the log of ion chamber current and startup rate.
The ion chamber measuring range is from 10-11 to 10-3 ampere. The startup rate range is from
-0.5 to +5 decades per minute. A high startup rate of +3 decades per minute in either channel will initiate a control rod withdraw inhibit.
The power range instrumentation has four linear level channels originating in four composite uncompensated ion chambers. The channel output is directly proportional to reactor power and covers the range from 0 to 125 percent of rated power. The gain of each channel is adjustable, providing a means of calibrating the output against a reactor heat balance.
Dual indicators on the control console provide the operator with both total reactor power information and reactor power imbalance information from each of the four channels. The method of obtaining power and imbalance is described in the following section.
TMI-1 UFSAR CHAPTER 07 7.3-2 REV. 23, APRIL 2016 One of two power range channels may be selected to provide reactor power information to the ICS. While the selected channel is the normal source of reactor power information for control, the operator may substitute the information from the other channel. The four power range channels, NI-5, 6, 7 and 8, supply reactor power level information continuously to the RPS.
Isolation amplifiers are used to buffer every signal leaving the system cabinets. The isolation amplifiers prevent the reflection of faults on external signal lines back into the system (see Item
- c. of Section 7.1.2.3).
The wide range instrumentation has two redundant safety grade channels and two backup redundant safety grade channels, each originating in a dual element fission chamber detector.
Wide range power is displayed on two indicators on Panel PC in the Control Room. One indicator is connected to either NI-11 or 11A. The other is connected to either NI-12 or 12A.
- a.
Neutron Detectors The intermediate range compensated ion chambers are of the electrically adjustable gamma-compensating type. Each detector has a separate adjustable high voltage power supply and an adjustable compensating voltage supply.
Uncompensated ion chambers are used in the power range channels. Each power range detector consists of two 72 inch sections with a single high voltage connection and two separate signal connections. The outputs of the two sections are summed and amplified by the linear amplifiers in the associated power range channel to obtain a signal proportional to total reactor power. A signal proportional to the difference in percent full power between the top and bottom halves of the core, the reactor power imbalance is derived from the difference in currents from the top and bottom sections of the detector. The difference signal is displayed on the control console to permit the operator to maintain proper axial power distribution. The manual test and calibration facilities provide a means for reading the output of the individual sections of the detector. Each detector has a combined sensitive volume extending approximately from the bottom to the top of the reactor core.
Dual element fission chamber detectors are used in the source range and wide range channels. Each detector, approximately 58 inches long, is connected via special Class 1E qualified cable to an amplifier assembly outside the Reactor Building. Connected to each amplifier is a signal processing unit that provides the output to the Control Room indicator.
The physical locations of the neutron detectors are shown on Figure 7.3-3. A power range detector is located external to each quadrant of the core.
The two intermediate range detectors are located on opposite sides of the core but rotated approximately 55 degrees from the source range detectors.
- b.
Test and Calibration Test and calibration facilities are built into the system. The facilities permit an accurate calibration of the system and the detection of system failures in accordance with the
TMI-1 UFSAR CHAPTER 07 7.3-3 REV. 23, APRIL 2016 requirements of the reactor protective system design and IEEE Standard 279(see 7.5, Reference 2).
7.3.1.3 System Evaluation The nuclear instrumentation will monitor the reactor over a minimum 10 decade range from source to 125 percent of rated power. The full-power neutron flux level at the power range detectors will be approximately 3.2 x 109 nv. The detectors employed will provide a linear response up to 2.5 x 1010 nv.
The intermediate range channels overlap the source range and the power range channels as shown on Figure 7.3-2, providing the continuity of information needed during startup.
The steady-state radial flux distribution within the reactor core will be measured by the incore neutron detectors (see Section 7.3.3). Both out-of-core and incore detectors will be used to obtain the axial power distribution. The sum of the outputs from the two sections of each (out-of-core) power range detector will be calibrated to a heat balance. The sum will be recalibrated whenever it is determined that the heat balance exceeds the sum by 2 percent or more. The signals from the two sections of the detector may be individually read and compared independent of the sum of the outputs. The operator, therefore, may correlate the difference between the core power distribution obtained from the out of core signal against the core power distribution obtained from the incore system.
- a.
Primary Power The nuclear instrumentation draws its primary power from the vital buses as described in Section 8.2. Redundant channels are supplied by different vital buses.
- b.
Reliability and Component Failure The requirements established for the RPS apply to the nuclear instrumentation. All channel functions are independent of every other channel, and where signals are used for safety and/or control, electrical isolation is employed to meet the criteria of Section 7.1.1.
- c.
Relationship to Reactor Protective System The relation of the nuclear instrumentation to the RPS is described in Section 7.1. Each power range channel provides level information to a different RPS channel. Either channel NI-5 or channel NI-6 may be selected to supply power level information to the ICS.
7.3.2 NON-NUCLEAR INSTRUMENTATION 7.3.2.1 Design Basis The non-nuclear instrumentation provides the required input signals of process variables for the Reactor Protection, regulating, and auxiliary systems. It performs the required process control functions in response to those systems and provides instrumentation for startup, operation, and shutdown of the reactor system under normal and emergency conditions.
TMI-1 UFSAR CHAPTER 07 7.3-4 REV. 23, APRIL 2016 7.3.2.2
System Design
The non-nuclear instrumentation provides measurements used to indicate, record, alarm, interlock, and control process variables such as pressure, temperature, level, and flow in the Reactor Coolant System, secondary system, and auxiliary reactor systems as shown on Drawings C-302-650 and C-302-081.
Process variables required on a continuous basis for the startup, operation and shutdown of the unit are indicated, recorded, and controlled at the Control Room.
Response time and accuracy of measurements are adequate for reactor protection and regulating systems and other control functions to be performed.
Instrumentation in the protection systems is provided to operate as required under the environmental conditions specified in Section 7.1.
- a.
Non-Nuclear Instrumentation in Protection Systems Four independent measurement channels are provided for each process parameter for input to the RPS.
Three independent measurement channels are provided for each process parameter for input to the ESAS.
- 1)
Reactor Outlet Temperature Reactor outlet temperature inputs to the RPS are provided by two fast-response resistance elements and associated transmitters in each loop.
- 2)
Reactor Coolant Flow Reactor coolant flow inputs to the RPS are provided by eight high-accuracy differential pressure transmitters which measure flow through calibrated flow tubes. Operation of each reactor coolant pump breaker is also monitored as an indication of flow.*
One differential pressure transmitter signal for each loop is utilized as the normal flow measurement providing input to the ICS.
- Note: In addition, Refueling Procedure 1550-01 provides an indirect determination of actual total Reactor Coolant System flow rate by a comparison of plant heat balance against measured flow rates. This procedure is performed once each cycle and within 90 days of resumption of power operation following a refueling.
- 3)
Reactor Coolant Pressure RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each loop. One pressure transmitter signal is utilized for pressurizer pressure control.
TMI-1 UFSAR CHAPTER 07 7.3-5 REV. 23, APRIL 2016 ESAS inputs of reactor coolant pressure in each loop are provided by redundant pressure transmitters. Pressure signals are utilized for recording, low pressure alarm, interlock to decay heat removal return flow valves, pressure versus core flooding valves position alarm (for erroneous valve position), essential indication of reactor coolant pressure, and alarm of system pressure versus ESAS bistable conditions.
- 4)
Reactor Building Pressure Reactor building pressure inputs to the Engineered Safeguards Actuation System are provided by three absolute pressure transmitters which are located outside the Reactor Building. These provide inputs for initiation of Reactor Building isolation, high pressure injection, low pressure injection, and Reactor Building emergency cooling. Reactor Building sprays are initiated by two sets of three pressure switches.
- b.
Non-Nuclear Instrumentation in Regulating Systems Selective redundant measurements and input signals are provided for the process variables required for critical control functions.
The following inputs to the ICS are provided:
- 1)
Reactor Outlet Temperature Selected loop or unit average outlet temperature input is provided in each loop by two resistance temperature detector elements and associated transmitters.
The redundant process signals are also monitored by the Smart Automatic Signal Selector (SASS) for signal mismatch and/or the failure of an input signal.
- 2)
Reactor Inlet Temperature Selected loop or unit average inlet temperature input is provided in each loop by two resistance temperature detector elements and associated transmitters. The redundant process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
- 3)
Reactor Average Temperature Two sets of selected reactor inlet/outlet temperatures are summed and averaged, as necessary, to provide average RCS A loop, B loop, and unit temperatures.
- 4)
Reactor Inlet Differential Temperature Reactor inlet differential temperature is indicated and provided for input to the ICS.
TMI-1 UFSAR CHAPTER 07 7.3-6 REV. 23, APRIL 2016
- 5)
Reactor Coolant Flow Reactor coolant flow signals are provided for each loop and summed for total flow. Total flow is recorded and "low" total flow is alarmed. Selective redundant measurement of flow in each loop by either of two loop flow transmitters is provided from the RPS. The redundant process signals from the RPS are also monitored by SASS for signal mismatch and/or the failure of an input signal.
Loop "low" flow signals provide the logic for automatic selection of reactor controlling average temperature. Contacts from reactor coolant pump motor breakers provide fast indication to the ICS that a pump has tripped.
- 6)
Feedwater Temperature Feedwater temperature input is provided by a dual element resistance temperature detector and associated transmitters for feedwater flow temperature compensation. The selected input provides signals for indication and ICS feedwater control. The redundant process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
- 7)
Feedwater Flow Feedwater flow input is provided from startup and redundant main feedwater flow transmitters for each loop. The main feedwater flow measurement in each loop is provided by redundant differential pressure transmitters that measure flow through a flow nozzle. The redundant main feedwater process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
Startup feedwater flow measurement in each loop is provided by a differential pressure transmitter that measures flow through a flow nozzle. Startup and selected main feedwater signals are indicated and the full range flow signal from the ICS is recorded for each loop.
- 8)
Feedwater Control Valves Differential Pressure Pressure drop measurement across the valves is provided for input by redundant differential pressure transmitters. The selected input signal is also indicated.
The redundant process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
- 9)
Steam Generator Level Two "Startup" level and "operate" level inputs are provided from each steam generator via HSPS.
The "operate" level input is monitored and used to limit feedwater on "high" level limit. The "startup" level input is monitored and used to control feedwater on "low" level limit. The operate and startup level process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
TMI-1 UFSAR CHAPTER 07 7.3-7 REV. 23, APRIL 2016
- 10)
Steam Generator Outlet Pressure Selected outlet pressure input is provided from each steam generator.
Measurement is made by pressure transmitters in both outlet lines of each steam generator. The selected input is also indicated. The redundant process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
- 11)
Turbine Header Pressure Turbine header pressure measurement is provided for input by a pressure transmitter in each header line from the steam generators. The selected pressure signal is also recorded and high and low pressures alarmed. The redundant process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
- 12)
Generated Megawatts Generated Megawatts measurement is provided for input by two megawatt transducers connected to potential and current transformers that are monitoring the generator output. Both megawatt signals are recorded and the selected input is indicated. The redundant process signals are also monitored by SASS for signal mismatch and/or the failure of an input signal.
- c.
Other Non-Nuclear Instrumentation The following instrumentation is provided for measurement and control of process variables necessary for proper reactor operation or for monitoring or controlling postaccident conditions:
- 1)
Pressurizer Temperature Pressurizer temperature is measured by a dual element resistance temperature detector and its associated transmitters. The selected output signal is indicated and supplies input for pressurizer level temperature compensation.
- 2)
Pressurizer Level Control Pressurizer level is measured by three differential pressure transmitters. From the first and second transmitters, one signal is selected for temperature compensation and output for recording, level control, alarms, and interlock to deenergize the pressurizer electric heaters on low level. The level controller output positions the makeup control valve in the Makeup and Purification System to maintain an operator selected level. Pressurizer level is lowered by reactor coolant letdown by manual control at the Control Room. Two pressurizer d/p signals are provided to the computer. A third level indication (independent of the ICS) is provided on the remote shutdown panel and in the Main Control Room.
TMI-1 UFSAR CHAPTER 07 7.3-8 REV. 23, APRIL 2016
- 3)
Reactor Coolant Pressure Control The reactor pressure signal used for pressure control is manually or automatically selected from one of two pressure transmitters used in the RPS.
The signal selected is used as input for automatic control of:
a)
Pressurizer electric heaters.
b)
Pressurizer spray control valve.
c)
Pressurizer PORV.
The heaters are grouped in banks which are energized below preset pressures.
The spray and relief valves are opened above preset pressures. The selected signal also provides input to a pressure controller which automatically modulates the output of three banks of heaters to maintain a preset pressure.
One pressure transmitter signal is recorded and high and low pressure alarmed for each loop.
Redundant pressure transmitters are provided for wide range reactor coolant pressure which provide indication in the Main Control Room and on the remote shutdown panel.
- 4)
Reactor Coolant Pump Interlocks Interlock signals are provided to the reactor coolant pump switching logics to prevent starting a pump: (1) without seal injection flow and (2) without cooling water. Interlocks are also provided to prevent starting the fourth pump until a preset reactor coolant inlet temperature is reached.
- 5)
Feed and Bleed Control The feed and bleed control instrumentation in the Makeup and Purification System provides control and interlocks to permit continuous letdown of reactor coolant and makeup to the system to adjust the reactor coolant boron concentration.
- 6)
Position Indication for Pressurizer PORV and Safety Valves In the event the Pilot Operated Relief Valve (PORV) or one of the Code Safety Valves (RC-RV1A and RC-RV1B) is actuated, it is necessary to detect it has opened and to verify it has reseated. Position indication in the Control Room is based on discharge flow as measured by differential pressure transmitters connected across elbow taps downstream of each of the valves. In addition, the PORV is monitored by accelerometers mounted on the valve.
A backup monitoring system measures valve position by monitoring the heatup and cooldown rates of the individual relief valve discharge lines. Differentially connected thermocouples compare the discharge line temperature of each valve
TMI-1 UFSAR CHAPTER 07 7.3-9 REV. 23, APRIL 2016 relative to the local ambient temperature. Curves plotted by the operators enable determination of cooldown rate, which is indicative of valve degree of closure when compared to proceduralized curves showing expected response of a closed/seated valve.
The thermocouple output is also input to the computer for data logging, trending and display of PORV tailpipe differential temperature in the Control Room. The plant computer provides a Control Room alarm to indicate a high temperature condition. Plant procedures direct the operator to observe RCDT instrumentation and PORV tailpipe temperatures to confirm valve closure after a valve cycle.
- 7)
Emergency Power Supply for PORV, Block Valve, and Pressurizer Level Indication a)
Pilot Operated Relief Valve (PORV) and Block Valve The plant design is such that emergency diesel generator power is supplied to the PORV (RC-RV2) and block valve (RC-V2) upon loss of offsite power.
b)
Pressurizer Level Instrumentation Backup electric power is supplied to the pressurizer level instrumentation power supplies upon loss of offsite power. The pressurizer level instrumentation is normally powered from the ICS/NNI system and from the Green vital bus (VBB). The station diesel generator and the station battery provide backup power sources for vital bus loads.
- 8)
Switchover from Injection Phase to Recirculation Phase The switchover of the Emergency Core Cooling System (ECCS) suction supply from the borated water storage tank (BWST) is accomplished by operator action as described in Section 6.1.
- 9)
Emergency Feedwater System Primary Water Supply (Condensate Storage Tank)
The function of the Condensate Storage Tank Low-Low level alarm is to alert the operator that a minimum of 50 minutes remains before the tank is emptied (assuming only one tank is available) [Reference 10]. Thus, the operator will have time to realign the Emergency FW Pumps to an alternate source of water.
Each of the two tanks has safety grade level indication and provides a low-low level alarm to the Control Room annunciator. The alarm modules are normally energized and alarm on either low-low level or loss of power. In addition, a local level indicator provides a means of reading tank level in case of loss of power or failure of the remote indicators.
TMI-1 UFSAR CHAPTER 07 7.3-10 REV. 23, APRIL 2016
- 10)
Instrumentation to Detect Inadequate Core Cooling The instrumentation required to detect Inadequate Core Cooling is provided as follows:
a)
Tsat Margin Monitoring and Alarm The Tsat meter displays, in the Control Room, the margin between the actual reactor coolant system temperature and the saturation temperature for the existing reactor coolant system pressure. An alarm is initiated if the margin should decrease below a preset value. Reactor coolant system temperature sensors that provide temperature inputs for the saturation margin computations are located in the RC system hot legs. Reactor coolant system pressure signals for Tsat computations are derived from RCS pressure transmitters. The Tsat computation equipment provides further isolation to the pressure and temperature signals through the use of isolation devices at the signal inputs.
The Tsat outputs to the annunciator system and to the computer utilize isolation devices to minimize potential hazardous effects from those systems. The Tsat computation equipment is seismically qualified and is mounted in Signal Processing Channel A (red) and in Signal Processing Channel B (green).
The Tsat Margin Monitor information is displayed on digital indicators on the Control Room back panel. The indicators display Tsat margin for RC Loop "A" and Loop "B". The Tsat margin monitors also provide isolated outputs to the plant computer and an isolated, "low Tsat margin" contact to the annunciation system for alarm annunciation, should Tsat margin be less than set point. The outputs to the plant computer provide trending and status monitoring information.
The two Tsat Margin Monitors are designed for continuous operation, and display. The plant procedures dictate that when forced or natural RC circulation is not provided, the operator shall use core exit thermocouples to determine subcooling margin.
b)
Core Exit Thermocouples 50 of 52 of the core exit thermocouples are brought to the computer. This provides considerable redundancy because the operators can assess postaccident core conditions adequately with a few of the installed thermocouples available. The temperatures are displayed on the plant computer which is powered from non-class 1E power with battery back-up power.
c)
Backup Incore Thermocouple Readout (BIRO)
The BIRO is a diverse readout system, redundant to the computer, for monitoring core exit thermocouple temperatures. Sixteen (16) of the 50 core exit thermocouples monitored by the (primary) computer readout system are also monitored by the BIRO system. The selected 16 core exit thermocouples are comprised of four from each core quadrant. These inputs to the BIRO system are electrically isolated from the computer system and are not dependent upon the operational status of the computer system. The Control Room operator has
TMI-1 UFSAR CHAPTER 07 7.3-11 REV. 23, APRIL 2016 the capability of switching any of the 16 core exit thermocouples, one at a time, from the computer system to the BIRO system for display on the indicator that is part of the BIRO system.
The BIRO system is powered from a class 1E source independent of the plant computer: if the plant computer power source is lost, the BIRO is still operable. The BIRO is powered by an inverter fed from the vital instrument bus. The BIRO affords the operator the capability of reading 16 thermocouples in a period of 6 minutes or less.
The operator can, via the selector switch in the Control Room, select the temperature thermocouple-of-interest for readout on the digital indicator. The switch and the indicator are located in the Control Room.
The primary (computer) and backup (BIRO) display channels are electrically independent. BIRO system and its associated hardware are Class 1E.
Physical separation of the temperature thermocouple channels is provided in accordance with Regulatory Guide 1.75, in that Regulatory Guide 1.75 requires a degree of separation commensurate with the damage potential of the hazard such that the independence of redundant electrical systems is maintained at an acceptable level.
At the location of the temperature thermocouple channel raceways inside the Reactor Building, the damage potential is limited to failures or faults internal to the electrical equipment or circuits. The incore detector cabling is self powered with extremely low electrical current capacity and voltage, and the individual temperature thermocouple cable jackets provide adequate separation inside the Reactor Building to prevent internal cable faults, which satisfies Regulatory Guide 1.75.
d)
Reactor Coolant Inventory Trending System (RCITS)
The RCITS provides a means for the Control Room operator to monitor the void content of the reactor coolant system (RCS) when the reactor coolant pumps (RCP) are running, and the water inventory of the RCS when the RCPs are off.
The RCS void fraction is calculated by the plant computer from RCP power using an empirical algorithm which was developed to yield the desired relationship between RCP power and RCS void fraction at the pump suction. The void fraction is calculated for each of the four RCPs displayed in the Control Room via the plant computer. The water level trending subsystem consists of two independent instrument loops to measure water level in the hot leg "candy canes" and two identical instrument loops to measure water level in the reactor vessel head above the RCS hot legs. The water level measurements are accomplished using differential pressure transmitters and are displayed via the plant computer.
Electrical components of the water level trending subsystem are class 1E qualified. The plant computer and associated wiring is non-class 1E, however.
The void fraction trending subsystem is also non-class 1E.
The Control Room operators take no action during or following any accident based on RCITS indication. The RCITS system improves the ability of the operators to diagnose the approach of inadequate core cooling and to assess the adequacy of responses taken to restore core cooling, i.e. additional confirmatory information.
TMI-1 UFSAR CHAPTER 07 7.3-12 REV. 23, APRIL 2016 e)
Other Instrumentation that Enables Recognition of Inadequate Core Cooling The following instrumentation is also considered for the recognition of inadequate core cooling:
(1)
Narrow range reactor coolant inlet temperature (2)
Narrow range reactor coolant average temperature (3)
Reactor coolant outlet temperature (hot leg)
(4)
RCS flow (5)
Narrow and wide range reactor coolant pressure (6)
Reactor coolant pump motor current (7)
Source range nuclear instrumentation (8)
Main steam pressure
- 11)
Postaccident Monitoring Postaccident monitoring instrumentation is provided to assess plant and environs conditions during and following an accident. Regulatory Guide 1.97 variables are classified as one of the following types:
A. Type A -
Variables to be monitored that provide the primary information required to permit the Control Room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design basis accident events.
B. Type B -
Variables that provide information to indicate whether plant safety functions are being accomplished. Plant safety functions are:
(1) reactivity control; (2) core cooling; (3) maintaining reactor coolant system integrity and, (4) maintaining containment integrity (including radioactive effluent control).
C. Type C -
Variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission product releases.
D. Type D -
Variables that provide information to indicate the operation of individual safety systems and other systems important to safety.
E. Type E -
Variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and continually assessing such releases.
TMI-1 UFSAR CHAPTER 07 7.3-13 REV. 23, APRIL 2016 Table 7.3-2 provides a summary of the TMI-1 design to the recommendations of Regulatory Guide 1.97, Revision 3. The following discussion summarizes the TMI-1 design bases as they pertain to the recommendations of Regulatory Guide 1.97, Revision 3.
CATEGORY 1 INSTRUMENTS
- 1.
Environmental Qualification Table 7.3-2 identifies the environment in which the instrumentation is located. The field sensors (i.e., transmitters eg. LT, FT, TE) are located in various plant areas, whereas, the secondary loop components such as indicators, recorders are located in the Control Room. For the line which shows the environment, the use of the term "Harsh" indicates that part of the loop (eg, field sensors) are located in a harsh environment; and "Mild" indicates that all components within the loop are located in a mild environment.
Equipment located in a harsh environment is in the TMI-1 EQ Master List. If the instrument loop components including field sensors are located in a mild area, they are not subject to the environmental qualification requirement.
Equipment installed in the plant prior to February 22, 1983 was qualified to NUREG 0588 Category 1 or DOR Guidelines and equipment installed after February 22, 1983 was qualified to NUREG 0588 Category 1.
- 2.
Seismic Qualification Sensors and their related accessories which are mounted locally are seismically qualified to the appropriate response spectra. The displayed devices, such as indicators, recorders, etc., which are located on panels in the Control Room, have been previously qualified to generic envelope spectra. Control Panels in the Control Room were procured based upon seismic requirements.
Control Panels in the Control Room were reviewed to insure the qualification basis is satisfactory and to insure the envelope spectra used for displayed devices bound the appropriate panel response spectra. Control Room panels and new and existing instrumentation installed on the panels are qualified utilizing seismic experience data and the methodology of Generic Letter 87-02.
- 3.
Channel Availability The instrumentation channel will be available prior to an accident except as provided in Paragraph 4.11, "Exception," as defined in IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Station," or as specified in the technical specifications. This availability applies only to the qualified portions of the channels.
This complies with the requirements in Regulatory Guide 1.97.
- 4.
Quality Assurance If the equipment is classified as 1E, it has been designed, procured, installed and maintained in accordance with the TMI-1 QA Program at the time of installation.
TMI-1 UFSAR CHAPTER 07 7.3-14 REV. 23, APRIL 2016
- 5.
Interfaces Category 1 instrument channels are electrically isolated from non-qualified portions of the instrument loop up to and including the isolation device.
- 6.
Servicing, Testing and Calibration Category 1 instrumentation is part of the planned maintenance program. As described in Chapter 13 of FSAR and Technical Specifications, testing is performed on instrument strings on a regular basis. The testpoints for the instrument strings are under administrative control to prevent unplanned testing. The isolators for the instrument strings are accessible during and following a design basis event (considering posted radiation fields). Normal calibration of instrumentation located inside containment is on a refueling cycle basis.
- 7.
Human Factors The Human Factors Evaluation has been completed as part of the Control Room Design Review Process. Human factors analysis recommendations were part of the CRDR submittal (per Letter No. 5211-84-2153, dated 6/29/84). RG 1.97 TYPE A, B & C variables are not designated as such by labels on the control room room panels.
Identification as recommended in RG 1.97 was considered a potential detriment to the quality and presentation of critical accident monitoring information.
- 8.
Direct Measurement To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables.
CATEGORY 2 INSTRUMENTS
- 9.
Environmental Qualification Same as Category 1 Instruments.
- 10.
Channel Availability The out-of-service interval is based on normal technical specification requirements for the system it serves, where applicable, or by other requirements.
- 11.
Quality Assurance Same as Category 1 Instruments.
- 12.
Interfaces 1E Qualified instrument channels are electrically isolated from non qualified portions of the instruments loop up to and including the isolation device.
TMI-1 UFSAR CHAPTER 07 7.3-15 REV. 23, APRIL 2016
- 13.
Servicing, Testing and Calibration Same as Category 1 Instruments.
- 14.
Human Factors Same as Category 1 Instruments.
15 Direct Measurement To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables.
CATEGORY 3 INSTRUMENTS
- 16.
Quality Assurance The instrumentation is of high quality commercial grade and is selected to withstand normal power plant service environment.
- 17.
Servicing, Testing and Calibration Instrumentation is part of the planned maintenance program. As described in Chapter 13 of FSAR and Technical Specifications, testing is performed on instrument strings on a regular basis. The test points for the instrument strings are under administrative control to prevent unplanned testing.
- 18.
Human Factors The Human Factors Evaluation has been completed as part of the Control Room Design Review Process. Human factors analysis recommendations were part of the CRDR submittal (Letter No. 5211-84-2153, dated 6/29/84).
- 19.
Direct Measurement To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables.
POSTACCIDENT MONITORING PROVISIONS INSTALLED PRIOR TO RG 1.97 RECOMMENDATIONS ARE DISCUSSED BELOW:
a)
Deleted b)
Reactor Building Level and Sump Level Instrumentation The reactor building sump level instruments and reactor building level instruments continuously display, in the Control Room, the level of fluids in the bottom of the reactor building and sump. The levels are recorded via the Plant Computer and an alarm will be initiated should such levels exceed a pre set value.
TMI-1 UFSAR CHAPTER 07 7.3-16 REV. 23, APRIL 2016 Four safety grade level transmitters are installed in the Reactor Building sump to monitor fluid levels in the sump. Transmitters have an indicating length of 0-144 inches. Two safety grade, float type, flood level transmitters are provided to monitor fluid levels under flooding conditions in the bottom of the reactor building.
Channel "C" includes two sump level transmitters and one flood type transmitter.
The remaining sump level and flood level transmitters are in Channel "D".
Channel "C" receives power from Vital Bus "C". Channel "D" receives power from Vital Bus "D".
Each flood transmitter sends its level signal to a dedicated receiver, which contains a level indicating meter, system controls, and a regulated dc power supply. The receivers also contain relays which work independently to initiate high, low, or intermediate level alarms. Alarm set points are adjustable and the alarm units are filter protected against false actuation by transient voltages.
Reactor Building Sump level transmitters send level signals to Foxboro signal conditioning units. The signal conditioning units also contain relay modules to provide High and High-High level alarms in the Control Room. Alarm setpoints on the signal conditioning modules are adjustable.
The isolated analog voltage outputs of the signal conditioning equipment is sent to the plant computer, to level indicators in the main Control Room and level signals are continuously monitored via the Plant Computer. The isolated output from the "C" sump level channel is also sent to a setpoint module for valve interlock functions.
The level transmitters are designed to withstand a pressure of 59 psig and a temperature of 286F. Also, the transmitters are designed and mounted to be operative after a SSE.
c)
Containment Hydrogen Indication - Safety grade continuous indication of containment hydrogen is available in the Control Room. Although Hydrogen monitors are available, the monitors are not in service during normal operations.
The range of indication will be 0 to 10 percent concentration.
d)
High Range Containment Radiation Monitor - Two safety grade containment radiation monitors that are physically separated are provided with continuous indicator presentation in the Control Room.
e)
High Range Effluent Monitor - High range effluent monitors are provided for each normal gas release point. See Section 11.4.
The high range effluent monitors have the range requirements of Reg. Guide 1.97, Rev.2. Vital bus power is employed for each system's modular assembly with the normal power supplying the monitor pumps with diesel generators as backups.
Postaccident iodine and particulate sample systems are provided as described in Sections 9.2.2 and 11.4.
TMI-1 UFSAR CHAPTER 07 7.3-17 REV. 23, APRIL 2016 Periodic testing and inspection is provided for the above variables and for R.G. 1.97 Category 1 variables as described in the Technical Specifications. Instrumentation for Coolant Inventory and Containment Isolation Valve Position is not included in Technical Specifications as these variables do not meet the criteria delineated in NRC Proposed Policy Statement on Technical Specification Improvements.
- 12)
Deleted
- 13)
Safety Grade Plant Variables Independent of ICS/NNI Displays The function of the Safety Grade Plant Variables in the Control Room is to provide the operator with indication of vital information in the event that all power internal to the NNI/ICS is lost. This design is designated as Nuclear Safety Related, Class 1E.
The signal sources are from the Safety Grade Remote Shutdown Signal Conditioning cabinets and Heat Sink Projection System cabinets via isolated outputs.
The indicators do not share power or unbuffered signals with the ICS/NNI equipment. The equipment and indicators are in continuous operation during all operating modes and accident conditions of the plant.
Listed in Table 7.3-1 are each of the plant variables displayed and its associated indicator tag numbers, panel location, power source, and range of readout in engineering units.
- 14)
Vibration and Loose Parts Monitoring System The system has eight (8) channels dedicated to loose parts detection: two (2) on the upper reactor vessel shroud; two (2) each at the "A" and "B" OTSG upper tubesheets; and, one (1) each on the No. 5 and No. 13 incore instrumentation guide piping. Detection of a loose part would trigger an alarm in the Control Room. The operator would then check the VLPM monitor to determine the specific channel that detected the loose part. Audio monitoring capability is available both in the Control Room and at the VLPM console. A personal computer and diagnostic software are available for online diagnostics.
The eight sensors channels of the VLPM are monitored at least once per shift by operations personnel. Each channel is listened to for unusual noises characteristic of loose parts.
The Decay Heat Removal Pump Vibration Monitoring System (Non-class 1E) is designed to detect incipient pump or motor degradation, particularly in the bearings of decay heat removal pumps, and to detect the presence of loose parts in the decay heat fluid system in the area of the heat exchanger inlet tube sheets. The Decay Heat Removal Pump Vibration Monitoring System consists of seismic pickups (6 total) and interface modules (6 total) which provide pump and heat exchanger vibration indication to a vibration monitoring panel located in the relay room. This system also includes thermocouples (6 total) which provide
TMI-1 UFSAR CHAPTER 07 7.3-18 REV. 23, APRIL 2016 pump and motor bearing temperature indication. The alert alarm of each of the six acceleration monitors is wired to a common annunciator in the Control Room.
Pump and motor bearing temperatures readout on the data logging computer.
- 15)
Reactor Coolant System Venting The reactor coolant highpoint vent system is controlled from panel "PC" in the Main Control Room. The panel includes open and close switches and "open/closed" position indicating lights. Each vent line is equipped with a differential pressure flow orifice. Each orifice feeds a differential pressure transmitter which provides a "flow/no flow" signal which is indicated by indicating lights on panel center (PC) in the main Control Room. During normal plant operation, the power sources are isolated from the solenoid operated vent valves by open contacts on each of the manually operated switches which are administratively controlled. In the event that the RCS requires venting of noncondensable gases, the vent valves are energized by the Control Room operator by manually setting the switch to the open valve position (contact closed). The circuit satisfies the single failure criteria. Should power be lost to the solenoid coil the valve will fail to closed. The switches are fully qualified as Class 1E. The high point vents do not fall within the scope of 10CFR50.49.
Reference FSAR Section 4.2.3.9 for a detailed discussion of reactor coolant system venting.
- 16)
Two-Hour Air Supply for Main Steam, Emergency Feedwater, and Reactor Building Emergency Cooling Controls.
A two hour backup air supply for Main Steam (MS), Emergency Feedwater (EF),
and Reactor Building Emergency Cooling (RR) system controls provides the motive force air for the MS-V4A, MS-V4B, MS-V6, EF-V30A, EF-V30B, EF-V30C, EF-V30D, and RR-V-6 should the normal plant instrument air be lost due to a total loss of AC power sources except the uninterrupted (Battery backed) power sources (Station Blackout). The backup air system is sized so that the bottled air supply will last for two hours assuming worst case cycling of the valves serviced. Provisions exist in the system to provide additional air should the two hour limit be exceeded. Refer to Section 9.10.3.2. The two hour analysis is based on a TMI-1 restart commitment. The TMI-1 Station Blackout (SBO) specified duration, however, is four hours.
The two hour air supply system consists of two trains (A&B) of 100 percent capacity each that can supply 90 psig air to the associated air operated devices for a 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> period. Each train includes high pressure air storage, pressure-reducing valves that provide a low pressure (90 psig) regulated air supply, instrumentation, automatic switching valves that select predetermined source of air, and low pressure distribution headers.
TMI-1 UFSAR CHAPTER 07 7.3-19 REV. 23, APRIL 2016 7.3.2.3 System Evaluation The quantity and types of process instrumentation have been selected to provide assurance of safe and orderly operation of all systems and processes over the full operating range of the plant. Some of the criteria for design are:
- a.
Separate instrumentation has provided for the protective systems and vital control circuits.
- b.
Time of response and accuracy of measurements are adequate for protective and control functions to be performed.
- c.
Where wide process variable ranges are required and precise control is involved, both wide range and narrow range instrumentation is provided.
- d.
All electrical and electronic instrumentation required for operation is supplied from vital or regulated instrumentation buses.
7.3.3 INCORE MONITORING SYSTEM 7.3.3.1 Design Basis The Incore Monitoring System provides neutron flux detectors to monitor core performance.
Incore, self-powered neutron detectors measure the neutron flux in the core to provide a history of power distributions and fuel burnup data to assist in fuel decisions. The plant computer provides normal system readout and a backup readout system is provided for selected detectors.
7.3.3.2
System Design
- a.
System Description
The Incore Monitoring System consists of assemblies of self-powered neutron detectors located at 52 positions within the core. The incore detector locations are shown on Figure 7.3-6. In this arrangement, an incore detector assembly, consisting of seven local flux detectors and one background detector, is installed in the instrumentation tube of each of 52 fuel assemblies as shown on Figure 3.2-49. The local detectors are positioned at seven different axial elevations to provide the axial flux gradient. The outputs of the local flux detectors are referenced to the background detector output so that the differential signal is a true measure of neutron flux.
Readout for the incore detectors is performed by the plant computer. Multipoint recorder readouts of selected detectors are provided independent of the computer.
When the reactor is depressurized, the in core detector assemblies can be inserted or withdrawn through guide tubes which originate at a shielded area in the Reactor Building, as shown on Figure 7.3-7. These guide tubes enter the bottom head of the reactor vessel where internal guides extend up to the instrumentation tube of 52 selected fuel assemblies. The instrumentation tube serves as the guide for the incore detector assembly. During refueling operations, the incore detector assemblies are
TMI-1 UFSAR CHAPTER 07 7.3-20 REV. 23, APRIL 2016 withdrawn approximately 13 feet to allow free transfer of the fuel assemblies. After the fuel assemblies are placed in their new locations, the incore detector assemblies are returned to their fully inserted positions.
- b.
Calibration Techniques The nature of the detectors permits the manufacture of nearly identical detectors which produces a high relative accuracy between individual detectors. The detector signals are compensated continuously for burnup of the neutron-sensitive material.
Calibration of detectors is not required. The incore self powered detectors are controlled to precise levels of initial sensitivity by quality control during the manufacturing stage. The sensitivity of the detector changes over its lifetime because of such factors as detector burnup, control rod positions, and fuel burnup. The results of experimental programs to determine the magnitude of these factors have been incorporated into calculations and will be used to correct the output of the incore detectors for these factors. Operation of detectors in both power and test reactors has demonstrated that this compensation program, when coupled with the initial sensitivity, provides detector readout accuracies sufficient to eliminate the need for a calibration system.
7.3.3.3 System Evaluation
- a.
Operating Experience Self powered incore neutron detectors have been operated since 1962. Such detectors have been assembled and irradiated in a B&W development program that began in 1964.
The B&W development program included these tests:
- 1)
Parametric studies of the self-powered detector.
- 2)
Detector ability to withstand PWR environment.
- 3)
Multiple detector assembly irradiation test.
- 4)
Background effects.
- 5)
Readout system tests.
- 6)
Mechanical withdrawal-insertion tests.
- 7)
Mechanical high pressure seal tests.
- 8)
Relationship of flux measurement to power distribution experiments.
Conclusions drawn from the results of the test programs are as follows:
- 1)
The detector sensitivity, resistivity, and temperature effects are satisfactory for use.
TMI-1 UFSAR CHAPTER 07 7.3-21 REV. 23, APRIL 2016
- 2)
A multiple detector assembly can provide axial flux data in a single channel and can withstand reactor environment.
- 3)
Background effects will not prevent satisfactory operation in a PWR environment.
- 4)
Plant computer systems are successful as readout system for incore monitors.
For Incore Monitoring System development program results and conclusions, refer to Reference 4.
- b.
Detection of Power Distribution Under normal operating conditions, the incore detectors supply information to the operator in the Control Room.
Each individual detector measures the neutron flux at its vicinity and is used to determine the local power density. The individual power densities are then averaged and a peak to average power ratio calculated. This information can be used to indicate possible power oscillations. (See Section 3.2.2.2.1.3)
The application of this system for detection of power distribution and its minimum sensitivity was examined through the analysis of experimental data. A series of Physics Verification Program Reports were developed to demonstrate performance capability.
See Reference 5. Much of the data compiled was taken by self powered detectors and shows the performance capabilities of the detectors. Upon initial installation, the self powered detector has the capability to measure the relative flux with an accuracy of 5 percent of the flux when used in conjunction with an adjacent background detector. The sensitivity of the detector will decrease with exposure to neutron flux due to transmutation of the emitter in the detector. However, by use of integrated current inventories, it is felt that the additional inaccuracies shall be no more than 1 percent per year for the average flux conditions.
7.3.4 SAFETY PARAMETER DISPLAY SYSTEM 7.3.4.1 Design Basis The Safety Parameter Display System (SPDS) has been developed as an aid to the Control Room personnel in diagnosing abnormal conditions and determining if the actions taken by the operators have brought the plant to a stable and safe condition. The SPDS provides the user with concise and unambiguous information relating to the safety status of the plant. The SPDS is not meant to be the sole or even the primary means for the Control Room personnel to obtain this information. The primary means of determining the safety status of the plant is by using the information provided on the operating consoles located in the Control Room. The SPDS does provide a secondary station where the parameters required for determining the plant safety status have been gathered in one location. Since the SPDS is a very broad based diagnostic tool, it is designed for use by the Control Room personnel who are trying to grasp and maintain an overview of the plant safety status. Thus the primary users of the SPDS will be the Shift Technical Advisor (STA) and the Shift Manager (SM). These personnel can use the
TMI-1 UFSAR CHAPTER 07 7.3-22 REV. 23, APRIL 2016 SPDS to evaluate plant safety status, to analyze actions which should be taken, and to evaluate actions taken by the crew and their effects on the plant. Due to the intent and design of the SPDS the Control Room operator at the controls should rely on his operating console indication for plant control.
The approach used in designing the SPDS was to define the objectives of the SPDS and then select a set of Critical Safety Functions (CSF) which would describe the safety status of the plant. A detailed description of the SPDS objectives and CSF selection and verification is provided in Reference 15. NUREG 0737, Supplement 1, required information to be provided to the operator on:
- 1.
Reactivity Control
- 2.
Reactor Core Cooling and Heat Removal from the Primary System
- 3.
Reactor Coolant System Integrity
- 4.
Radiation Control
- 5.
Containment Conditions A verification and validation program was developed and implemented to provide an independent technical review and evaluation of SPDS software. The final verification and validation report is described in Reference 16.
7.3.4.2 Electrical Isolation The interface between safety related instrumentation and the nonsafety SPDS (plant computer) is provided via different types of isolators which are part of the design features of the safety related system.
7.3.4.3 Human Factors Program The Safety Parameter Display System (SPDS) is an aid to the Control Room personnel in determining overall plant safety status during power operation, post trip, and cold/refueling shutdown along with identifying abnormal conditions. Since the SPDS provides an overview of the plant safety status, the primary users have been identified to be the Shift Manager and Shift Technical Advisor. The SPDS allows the user to obtain a minimum set of important parameters at one location. These parameters are organized into five (5) Critical Safety Functions and displayed to allow for easy and unambiguous interpretation of the information.
The user interacts with the SPDS by means of the Plant Process Computer System. The computer alarm processor and the alarm CRT are used to alert the user of an abnormal condition identified by the SPDS logic. The user responds to SPDS alarms using the same human communication system and methods as all other process computer alarms.
The SPDS displays use CRT hardware and work stations in the TMI-1 Control Room. Users may select SPDS display from the SPDS menu and subsequent displays. If a CSF is in alarm, the SPDS menu will show the alarming CSF by backlighting the CSF item on the menu.
Once the user receives an alarm on the plant computer alarm CRT the user goes to the specific display for the critical safety function in alarm. When the user selects the alarming CSF display from the menu the actual plant parameter in alarm will show up backlit.
TMI-1 UFSAR CHAPTER 07 7.3-23 REV. 23, APRIL 2016 Each Critical Safety Function has two levels of alarm associated with it. Each level is signified by a different backlit color.
A hard copy of any display can be obtained upon request by the user.
The Human Factors Program resulted in a consolidation of the number of displays, with a consistent formatting in terms of use of color, labels, and standardization of method of presentation. Principles of NUREG-0700, Section 6.7, Process Computers have been followed, including the principles of grouping, ordering and usability. Structuring and organization of displays is logical and consistent with its intended use. The minimum information available on SPDS is listed on Table 7.3-3. Additional information is available on selected screens for the convenience of the user.
All the Control Room users are trained in the philosophy and use of the SPDS. The training allows the user to utilize the SPDS in determining whether the plant is responding in normal or abnormal manner. It also allows the user to interpret the adequacy of the actions taken by the operators.
TMI-1 UFSAR CHAPTER 07 7.3-24 REV. 18, APRIL 2006 TABLE 7.3-1 (Sheet 1 of 2)
SAFETY-GRADE PLANT VARIABLES (Independent of ICS/NNI Displays)
Power Plant Tag Panel Inv Inv Variable Number Loc Range 1A 1B OTSG Press. Loop A PI 950A PCL 0-1200 PSI X
OTSG Press. Loop B PI 951A PCL 0-1200 PSI X
RC Press. (wide) Loop A1 N/A N/A 0-3000 PSI X
RC Press. (wide) Loop B PI 949A PCL 0-3000 PSI X
OTSG-A S/U Level LR 1083 CC 0-100 IN X
LI 1104 CL 0-388 IN X
OSTG-B S/U Level LR 1083 CC 0-100 IN X
OSTG-A OP Level LR 1084 CC 0-100 X
LR 1107 CC 0-100 X
OSTG-B OP Level LR 1084 CC 0-100 X
LR 1107 CC 0-100 X
Makeup Tank Level LI 778A CC 0-100 IN X
Condensate Storage LI 1060 PLF 0-20 FT X
Tank A Level LI 1061 CC 0-20 FT X
Condensate Storage LI 1062 PLF 0-20 FT X
Tank B Level LI 1063 CC 0-20 FT X
Comp. Press. Level LV1 LI 777A CC 0-400 IN X
RC Hot Leg Temp Loop A TI 958A PCL 120-920 F X
RC Hot Leg Temp Loop B TI 960A PCL 120-920 F X
RC Cold Leg Temp Loop A TI 959A PCL 50-650 F
X RC Cold Leg Temp Loop B TI 961A PCL 50-650 F
X
TMI-1 UFSAR CHAPTER 07 7.3-25 REV. 18, APRIL 2006 TABLE 7.3-1 (Sheet 2 of 2)
SAFETY-GRADE PLANT VARIABLES (Independent of ICS/NNI Displays) 1 Transmitter PT 963 has computer point only, no Control Room PCL or CC indication exists.
PLF = Panel Left Front PCL = Panel Center Left CC = Center Console CL = Console Left
TMI-1 UFSAR CHAPTER 07 7.3-26 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 1 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 1.
Neutron Flux 1
1 10-6 Harsh NI-YE-11, NI-YE-12 B
to 100% full (NI-YE-11, NI-YI-11, NI-YI-12 power NI-YE-12, NI-YE-11A*, NI-YE-12A*
NI-YE-11A*,
NI-YE-12A*)
Comments:
TMI-1 range is 10-8 to 100% full power.
Power sources for NI-11 and NI-12 are VBA and VBB, respectively. Continuous recording and on-demand display capability for NI-11 and NI-12 is provided by plant computer. Control Room Display is NI-YI-11 and NI-YI-12 on Panel Center (PC).
- Backup Redundant Safety Grade Channels
- 2.
RCS Cold Leg 1
1 50F to 700F Harsh Water Temperature A, B (RC-TE-959, RC-TE-959, 961 961)
TI-959A, 961A Comments:
TMI-1 range is 50F to 650F. This is considered sufficient based on the fact that at maximum steam generator pressure of 1200 psig, saturation temperature is 600F. Thus, T-cold would at all times be less than or equal to this value. This is a B&W Owners Group generic position.
Computer input for recording moved to a qualified loop. Continuous recording and on-demand display capability is provided by plant computer. Control Room Display RC-TI-0959A, RC-TI-0961A (PCL).
- 3.
RCS Hot Leg 1
1 50F to 700F Harsh Water B
(RC-TE-958, Temperature 960)
RC-TE-958, 960 TI-958A, 960A Comments:
TMI-1 range is 120F to 920F. At temperatures less than 300F the plant will be in the decay heat removal mode at cold shutdown, and hot leg water temperature indication is not required.
Therefore, the existing range is considered sufficient. The decay heat removal system has additional temperature instrumentation to monitor the RCS in this
TMI-1 UFSAR CHAPTER 07 7.3-27 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 2 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 3. Con't.
temperature range. Category 1 core exit thermocouples also provide information below 120F.
Computer input for recording moved to a qualified loop. Continuous recording on-demand display capability to be provided by plant computer. Control Room Display RC-TI-958A, RC-TI-O960A (PCL).
- 4.
RCS Pressure 1
1 0 to 3000 psig Harsh RC-PT-949, 963 A,B,C (RC-PT-949, PI-949A 963)
Comments:
Redundancy is provided except for Control Room Display, for which one channel only provides 1E continuous indication. Qualified redundant display is provided on the remote shutdown panel. Computer input for recording moved to a qualified loop. Continuous recording and on-demand display capability is provided by the plant computer. Control Room Display RC-PI-949A (PCL).
- 5.
Core Exit 1
1 200F to 2300F Harsh Temperature A,B,C (Cables and IM-SPND 3,4,5,9, Connectors) 12,13,17,21,24,31, 34,38,42,48,49,52 Control Room Display RC-TI-0952 (PLF).
Continuous recording and on-demand display capability is provided by the plant computer.
- 6.
Coolant 1
1 Bottom of Hot Harsh Inventory B
Leg to Top (RC-LT-RC-LT-1033, 1034, of Vessel 1033, 1034, 1035,1036, 1035, 1036, RC-TE-1033, 1034 RC-TE-1033, 1052,1053,1054,1055 1034,1052, 1053,1054, 1055)
Control Room Display Computer Points only.
TMI-1 UFSAR CHAPTER 07 7.3-28 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 3 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 7.
Degrees of 1
1 200F Subcool Harsh Subcooling A,B to 35F (RC-TE-958, RC-TE-958, 960 Superheat 960 TI-977, 978 RC-PT-949, RC-PT-949, 963 963)
Control Room Display RC-TI-0977, RC-TI-0978 (CR).
- 8.
Containment Flood 1
1 Plant Harsh Water Level B,C Specific (WDL-LT-806, (Wide Range) 807)
WDL-LT-806, 807 LI-806, 807 RB ECCS 1
1 Plant Harsh Sump Water B,C Specific (DH-LT-810, 811)
Level DH-LT-810, 811 LI-810, 811 Comments:
Recording capability is by means of the plant computer. Control Room Display WDL-LI-0806, WDL-LI-0807, (CC, CR).
- 9.
Containment 1
1
-5 psig to 3 Harsh Pressure B,C times design (BS-PT-981A, BS-PT-981A, pressure 982A, 982B, 1186, 1187 982A, PR-981, 982 982B, 1186, 1197 BS-PI-981A, 982A, 982B, RB-PI-1186 Control Room display is by means of PI-981A, 982A, 982B and 1186. On-demand recording is available via Plant Process Computer points from PT-981 and 982A (0 - 175 psig) and from PT-1186 and 1187 (-5 to +15 psig).
- 10.
Containment 1
1 Closed/Not Harsh Isolation Valve B
Closed Position All remote operated containment isolation valves (see Table 5.3-2) have position indication in the Control Room.
Control Room Display Indicating Lights (PCR, CC, CR, PL, PC).
NOTE: MU-V-2A/B, IC-V-2 will continue to provide containment isolation but continuous position indication may be lost if the valve becomes submerged following LOCA. In this case, Control
TMI-1 UFSAR CHAPTER 07 7.3-29 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 4 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif. Range Environment Room personnel would normally have verified the valves in their closed positions, which is an operator follow-up action to a LOCA, prior to the possible loss of indication. However, the other containment isolation valve on each of the affected penetrations would maintain its position indication in the Control Room. This assures continuous indication of the RG 1.97 parameter, containment isolation.
- 11.
Containment Area 1
1 1 to 107R/hr Harsh Radiation-High C,E (RM-G22, Range G23)
RM-G22, G23 Control Room Display/Indicators on PRF.
Continuous Recording is provided by the Plant Computer.
- 12.
Containment Hydrogen 1
3 0 to 10 vol %
Mild Concentration C
HM-AE-42A, 42B HM-AR-42A, 42B Control Room Display HM-AR-42A and 42B on panel PL
- 13.
LPI/Decay Heat 1
1 0 to 100%
Harsh Removal System A,D design (DH-DPT, 802 Flow flow DH-DPT, 803)
DH-DPT-802, 803 FI-802A, 803A Comments:
Continuous recording and on-demand display capability is provided by the plant computer.
Control Room Display DH-FI-0802A (CC), DH-FI-0803A (CR).
- 14.
Flow in HPI System 1
1 0 to 110%
Harsh (Makeup Flow-in)
A,D design flow (MU-FT-1126, MU-FT-1126, 1127, 1127, 1128,
-1128, 1129 1129)
FI-1126, 1127 1128, 1129
TMI-1 UFSAR CHAPTER 07 7.3-30 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 5 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif. Range Environment Comments:
Continuous recording and on-demand display capability is provided by the plant computer.
Control Room Display MU-FI-1126 (CC), MU-FI-1127 (CC), MU-FI-1128 (CR), MU-FI-1129 (CR).
- 15.
Refueling Water 1
1 Top to Bottom Mild Storage Tank A,D Level (Borated Water Storage Tank)
LT-808, 809 LI-808A, 809A Comments:
Continuous recording and on-demand display capability is provided by the plant computer.
Control Room Display DH-LI-0808A (CC), DH-LI-0809A (CR).
- 16.
1 From tube Harsh Level A,D sheet to (FW-LT-775, FW-LT-775, 776, 788 separators 776, 788, 789 789)
Comments:
TMI-1 OTSGs do not have separators. Each OTSG has redundant, Category 1 qualified OTSG full range level indicators with a range of 0 to 640 inches, which satisfies the requirements of RG 1.97. Zero inches equals six inches above the lower tube sheet and the lower surface of the upper tube sheet is at 625 inches. This range is useful for normal heatups and cooldowns, and would be utilized should the startup range level indication go off-scale high; however this information need not be trended. During design basis accidents, the range of interest is up to the aspirating port (376 inches above lower tube sheet). This is a B&W Owner's Group position for 177FA lowered loop plants. To satisfy RG 1.97 recording requirements for steam generator level computer indication of start up level instruments (0-388") or Plant Computer Points from LT-788, 789 will be utilized. Control Room Display FW-LI-0775B, FW-LI-0776B, FW-LI-0788B, FW-LI-0789B (PLF).
TMI-1 UFSAR CHAPTER 07 7.3-31 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 6 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif. Range Environment
- 17.
1 From atmos-Harsh Pressure A,D pheric press.
(PT-950, PT-950,951,1180,1184 to 15% above 951,1180, PI-950A,951A the lowest 1184)
PI-1180, 1184 safety valve setting Comments:
Continuous recording (on-demand capability) is provided by plant computer. Control Room Display MS-PI-0950A, MS-PI-0951A (PCL), MS-PI-1180, MS-PI-1184 (PCL).
The loss of electric load transient presented in the TMI-1 FSAR Chapter 14 does not report the resulting steam pressures. However, a turbine trip analysis was performed to support replacement of the original OTSGs with replacement OTSGs (reference 21). The turbine trip event represents the limiting event with respect to secondary side overpressure. For this event, peak pressures of 2557 psig, 1138 psig, and 1123 psig were calculated in the RCS (lower RV),
lower SG, and in the steam lines, respectively. Normal TMI-1 post trip steam pressures have been in the range of approximately 1060 psig to 1080 psig.
The main steam lines are provided with safety relief valves, atmospheric dump valves (ADV) and turbine bypass valves (TBV) to prevent overpressurization of the lines, in accordance with ASME Code Section III requirements. Operability of the main steam safety valves ensures that the secondary system pressure will be limited to within code allowable pressure during the most severe anticipated system operating transient. The highest main steam safety valve setpoint is 4 percent above design. With a 3 percent accumulation to achieve full lift and
TMI-1 UFSAR CHAPTER 07 7.3-32 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 7 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 17. Con't.
full flow, the maximum pressure while the main steam safety valves are relieving will be 7 percent above the design pressure (1050 psig) which is less than 10 percent above the steam line design pressure, as specified by the ASME Code. This range is well within the indicated and accurate range for the TMI-1 steam generator pressure instrumentation. TMI-1 valve settings are indicated in TMI-1 FSAR Section 10.7.4.
TMI-1 has approximately 22 percent excess steam relief capacity when the plant is operating at 100 percent Full Power and all main steam safety valves are operable (without credit for the ADVs or TBVs). TMI-1 also has a main steam safety valve Technical Specification which limits the maximum allowable reactor power and thus steam flow, based on main steam safety valve operability. This will maintain that excess relief capacity.
Therefore, based on the fact that the highest safety valve setting is approximately 1092 psig, the steam relief capacity is approximately 22 percent above the expected steam flow rate, and the most limiting analysis indicates a maximum steam line pressure of about 1123 psig, it is concluded that the existing range of 0-1200 psig is sufficient.
The justification for this deviation from the instrument range requirements of Regulatory Guide 1.97, as described above, is consistent with the B&W Owner's Group Task Force evaluation of Regulatory Guide 1.97 variables as adopted by other B&W plants.
TMI-1 UFSAR CHAPTER 07 7.3-33 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 8 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 1 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 18.
Auxiliary or 1
1 0 to 110%
Harsh Emergency Feedwater A,D design flow (EF-FT-782, Flow 788, 791, FI-779, 782, 788 779) 791 EF-FT-782, 788, 791, 779 Comments:
Continuous recording, (on-demand display) capability is provided by plant computer. Control Room Display EF-FI-0779, EF-FI-0782, EF-FI-0788, EF-FI-0791 (CC).
- 19.
Condensate Storage 1
1 Plant Harsh Tank Water Level A,D Specific (CO-LT-1060, CO-LT-1060, 1061, 1062, 1063 1061,1062,1063)
CO-LI-1060, 1061, 1062, 1063 Comments:
Control Room Display CO-LI-1060, 1062 (PLF), CO-LI-1061, 1063 (CC).
TMI-1 UFSAR CHAPTER 07 7.3-34 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 9 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 1.
Containment 2
2 Plant Harsh Sump B,C Specific WDL-LT-804, 805 0811 Water Level (Narrow Range)
WDL-LT-804, 805 LI-804, 805 Comments:
The Plant Computer is used for Level Recording.
- 2.
Effluent Radio-2 2
10-6 to Mild activity-Noble C,E 105 ûCi/cc Gas Effluent 0-110% vent from Condenser design flow Air Removal RM-A5 Lo and Hi RM-G25 Comments:
Range is achieved by overlapping RM-A5 hi and lo and RM-G25.
Plant computer can record parameters, as required.
- 3.
Containment 2
2 10-6 to Mild Effluent Radio-C,E 10-2 ûCi/cc activity - Noble 0 to 110% vent Field Release Points design flow RM-A9 Lo and Hi RM-G24 Comments:
Range is achieved by overlapping RM-A9 hi and lo and RM-G24.
Plant computer can record parameters, as required.
- 4.
Effluent Radio-2 2
10-6 to Mild activity - Noble C,E 103 to ûCi/cc Gases from Auxiliary 0 to 110% vent Building design flow RM-A8 Lo and Hi
TMI-1 UFSAR CHAPTER 07 7.3-35 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 10 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 4. Con't.
Comments:
Range is achieved by overlapping RM-A8 hi and lo.
Plant computer can record parameters, as required.
- 5.
Decay Heat 2
2 40F to 350F Harsh Exchanger Out-D (DH2-TE1, let Temperature TE2)
DH2-TE1, 2 DH2-TI1, 2 Comments:
This instrument is part of the original plant installation. It was procured and installed as high quality commercial grade equipment. Over the years of operation it has demonstrated reliability and minimal maintenance. All future activities relative to this component will be subject to applicable QA requirements.
TMI-1 range is 0-300F. Decay heat removal operation is initiated when the RCS temperature is less than 300F (see FSAR Table 9.5-1). Therefore, the plant specific range of 0-300F is considered sufficient to cover all post accident conditions. Control Room Display DH-2-TI-1, DH-2-TI-2 (CC).
- 6.
Primary System 2
2 Closed/
Harsh Safety Relief D
Not Closed (DPT-921, Valve Positions or 922, Flow through or 923)
Pressure in Relief Valve VMS-ACC1, 2 RC-DPT-921, 922, 923 Control Room Display RC-DPI-921, RC-DPI-922, RC-DPI-923 (CC).
TMI-1 UFSAR CHAPTER 07 7.3-36 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 11 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 7.
Pressurizer Level 1
2 Top to Bottom Harsh RC1-LT1, 3 D
(RC1-LT, MU14 / RC1-LR 1,3 CH-2 LT-777 LT-777)
LI-777A RC2-TE1/2 Comments:
Level transmitter LT-777 is a Class 1E qualified instrument while level transmitters RC-LT-1, 3 are also environmentally qualified and are associated with the ICS which utilizes Class 1E power sources (EDG backed vital power). Two RTD temperature elements are located in one thermowell. Temperature element RC2-TE2 is used to compensate LT-777. Temperature elements RC2-TE1 and RC2-TE2 are selectable, provide an input to ICS, and are used to compensate RC-LT-1, 3. Level transmitter LT-777 is displayed in the Control Room on a digital indicator. RC-LT-1 or 3 is selected for display in the Control Room on a strip chart recorder.
LT-777 is not recorded. All three transmitters are environmentally qualified. The RTD elements (RC2-TE1 and RC2-TE2) used for temperature compensation for LT-777 and RC-LT-1 or 3 are environmentally qualified. Technical specifications require that at least one of the pressurizer level channels be operable during startup/power operation and hot standby. The pressurizer level indication design in conjunction with environmental qualification of the RTD elements used for temperature compensation, provides a highly reliable source of instrumentation for postaccident monitoring. Control Room Display RC-LI-0777A, MU14 / RC1-LR (CC).
- 8.
2 0 to 110%
Harsh Flow D
design (BS1-DPT1, BS1-DPT1, 2
- 2)
BS1-FI1, 2 BS1-FT-1 Comments:
Equipment which was part of the original plant installation was procured and installed as high quality commercial grade equipment. Over the years of operation it has demonstrated reliability and minimal maintenance. Recent activities relative to this component have been subject to applicable QA requirements, as will all future activities. Control Room Display BS-1-FI-1 (CC),
BS-1-FI-2 (CR).
TMI-1 UFSAR CHAPTER 07 7.3-37 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 12 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 8. Con't.
The failure of the building spray flow instrument would not prevent the building spray system from accomplishing its safety function for a design basis accident. This instrument is used to provide information on the operation of a safety system. Therefore, this instrument is classified as Type D, Category 2.
- 9. This item moved to Item 35 of this table.
TMI-1 UFSAR CHAPTER 07 7.3-38 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 13 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 10.
Make-up Flow-in 2
2 0 to 110% design Mild MU24 A/B FT MU24 A/B FI D
flow Comments:
This is the emergency boration path for reactivity transients and is not needed for events producing harsh environments.
This indication was provided as part of the original plant instrumentation, with portions replaced during the TMI-1 shutdown following the TMI-2 accident. It was procured and installed originally as high quality commercial grade equipment.
More recent activities relative to this indication have been subject to applicable QA requirements, as will all future activities. Control Room Display MU-24 A/B-FI (CC).
TMI-1 UFSAR CHAPTER 07 7.3-39 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 14 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 11.
Volume Control 2
2 Top to Mild Tank Level (Make-D Bottom up Tank Level)
LT-778 MU14 / RC1-LR CH-1 LI-778A MU-14LT Control Room Display MU-LI-0778A (CC).
- 12.
Nuclear Services Closed 2
2 40F to 200F Mild Cooling Water and D
Decay Closed Cooling Water Heat Exchanger Outlet Temperature NS-TE-229 DC-TE-250 and DC-TE-251 Comments:
These instruments are part of the original plant installation. They were procured and installed as high quality commercial grade equipment. Over the years of operation they have demonstrated reliability and minimal maintenance. All future activities relative to this component will be subject to applicable QA requirements.
Control Room display is by plant computer.
- 13.
Emergency Venti-2 2
Open/Closed Mild lation Damper D
Position (Control Room)
D28 and D617 Comments:
H&V Control Panel Display for AH-D-28 and AH-D-617. AH-D-37 was changed from an automatic control/isolation damper to a failed closed damper with no automatic or remote control. AH-D-39 was changed from a control/isolation damper to a manual balancing damper.
AH-D-36 was removed from the duct. AH-D-28 has a redundant damper AH-D-617 installed (First Floor Isolation for Control Building Envelop). AH-D-617 was added to the ESAS status panel in the main control room.
TMI-1 UFSAR CHAPTER 07 7.3-40 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 15 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 2 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 14.
Status of Standby 2
2 Plant Specific Mild Power and Other D
Energy Sources Comments:
IA-PT-222, IA-PI-222 measure and display instrument air pressure.
EG-W/VT-1A/B, EG-WM-1A/B measure diesel generator watts.
Annunciators A-3-7, A-3-8 indicate inverter faults.
- 15.
Vent from Steam 2
2 10-1 to Mild Generator Safety E
103 ûCi/cc; RV or Atmospheric (Duration of Dump Valves - Noble Release in Gases and Vent Flow Seconds and Rate Mass of Steam RM-G26, G27 per Unit Time)
Comments:
TMI-1 range is 3.96x10-2 to 980/947 ûCi/cc. The range of existing radiation monitors for vent from atmospheric dump valves is 3.96 x 10-2 to 980 ûCi/cc, which is taken from a test result conducted by Battelle. This does not envelope the recommended range of 10-1-103 ûCi/cc.
The upper range of 980 ûCi/cc is considered sufficient. These monitors were procured, installed and maintained in accordance with the Operational QA program, and represented the state of the art for this type of equipment at the time of purchase.
- 16.
Reactor Coolant None 2
None Harsh Pump Seal D
(MU42-DPT)
Injection Flow MU42-DPT MU42-FI TMI-1 range is 0-80 gpm. Seal injection flow indication is used to ensure RCP availability and to monitor total MU pump flow to ensure pump runout is not exceeded.
TMI-1 UFSAR CHAPTER 07 7.3-41 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 16 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 1.
3 Full in/
Position B
Not full in Comments:
Continuous rod position indication, as well as full-in or full-out indication are provided for each control rod drive. Alarm lamps on the CRD panel alert the operator to the system's status at all times. Control Room Display PI-1.
- 2.
Radioactivity 1
3 1/2 Tech. Spec.
Concentration or C
Limit to 100 times Radiation Level TSL in Circulating Primary Coolant Comments:
Currently, no state of the art instrumentation exists to adequately measure this variable on line.
The discussion of this variable is in the EGG report EE-6154, "Assessment of Generic Instrumentation System Used to Meet the Provisions of Regulatory Guide 1.97." This provides an excellent overview of the problem related to this measurement.
Existing letdown line radiation monitors can be used to provide indication of fuel failure during normal operation. However, this variable cannot be monitored after a LOCA, since the letdown line is isolated on low RCS pressure.
TMI-1 UFSAR CHAPTER 07 7.3-42 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 17 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 2. Con't.
for long term measurement. The letdown line radiation monitor is used as the initiator for sampling during normal operation and as a backup indication. Therefore, this is considered a Category 3 parameter. This is a B&W Owners Group generic position.
Note: Technical Specifications Amendment #253 eliminated the requirements to maintain a Post Accident Sampling System. The Post Accident Sampling System will be maintained for contingency actions and long-term post accident recovery operations.
- 3.
Accumulator Tank 2
3 10 to 90% Volume Level (Core Flood D
Tank Level)
CF2-LT1, 2, 3, 4 CF2-LI1, 2, 3, 4 Comments:
Core flood tank level indication is provided in the Control Room. This instrument provides the operator information pertaining to tank status during normal operation. However, since the core flooding system is totally passive, no monitoring of this parameter is required for any manual actions to mitigate the consequences of an accident. Therefore, this is considered a Category 3 parameter. This is a B&W Owners Group generic position.
NRC letter to GPUN, dated March 31, 1993 (Reference 17), concludes that Category 3 qualification of this instrumentation is acceptable. Control Room Display CF2LI1, CF2LI2, CF2LI3, CF2LI4 (CC-345, CC-347).
- 4.
Accumulator Tank 2
3 0 to 750 psig Pressure (Core D
Flood Tank Pressure)
CF1-PT 1, 2, 3, 4 CF1-PI 1, 2, 3, 4 Comments:
Core flood tank pressure indication is provided in the Control Room with a range of 0-800 psig.
This instrument provides the operator
TMI-1 UFSAR CHAPTER 07 7.3-43 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 18 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif. Range Environment
- 4. Con't.
information pertaining to tank status during normal operation. However, since the core flooding system is totally passive, no monitoring of this parameter is required for any manual actions to mitigate the consequences of an accident. Therefore, this is considered a Category 3 parameter. This is a B&W Owners Group generic position.
NRC letter to GPUN, dated March 31, 1993 (Reference 17), concludes that Category 3 qualification of this instrumentation is acceptable. Control Room Display CF1PI 1, CF1PI CF1PI 2, CF1PI 3, CF1PI 4 (CC-346, CC-348).
- 5.
3 Closed or Open Isolation Valve D
Position CF-V1A, B Comments:
These position indicators are associated with motor operated valves whose circuit breakers are opened (de-energized) when the reactor is critical. The CF system is designed to inject borated water into the reactor core during a LOCA. Operation of CF-V-1A/B after the event occurs is not required to satisfy the ECCS performance criteria or mitigate the consequences of an accident. Therefore, this is considered a Category 3 parameter. Control Room Display Panel CC.
- 6.
3 Motor Current Pump Status D
RC-P-1A, B, C, D
- 7.
Pressurizer Heater 2
3 0-700 Status D
RC2 TE1/2 RC2 TI
TMI-1 UFSAR CHAPTER 07 7.3-44 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 19 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 7. Con't.
Comments:
Pressurizer heater status is provided at TMI-1 by Category 2 indication of heater breaker status (on/off) displayed in the Control Room. In addition, Category 2 pressurizer temperature indication is displayed in the Control Room. Indication of pressurizer temperature provides another indication of heater function in addition to RCS pressure by indicating that the pressurizer fluid is saturated. The number of operating pressurizer heater banks is not essential information for the operator to prevent overloading a diesel generator. Diesel generator current can be monitored with the diesel generator ammeters, enabling the operator to determine (based on the known power consumption of the heaters) whether the heaters can be energized without overloading the diesel generators. The combination of pressurizer temperature, RCS pressure and heater breaker status gives the operator the information required to determine the effect on RCS pressure and the determination of whether the heaters are operating. Control Room Display RC2TI (CC 296).
- 8.
Quench Tank Level 3
3 Top to Bottom (RC Drain Tank D
Level)
LT-115 LR-115 Control Room Display WDL-LR-0115 (LWDS).
- 9.
Quench Tank 3
3 50F to 750F Temperature (RC D
Drain Tank Temperature)
TE-605, TT-605.
TI-605A/B Comments:
The RC drain tank is isolated upon reactor trip. RC drain tank temperature range is 50F to 400F. The RCDT has a relief valve set at 40 psig so that the tank temperature normally would not go above 287F. The RCDT has a rupture disk set at 55 +/-6 psig.
TMI-1 UFSAR CHAPTER 07 7.3-45 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 20 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 9. Con't.
Therefore, the bulk temperature can never go above 308F. In order for the tank pressure to increase above 40 psig, the PORV or safety valve would have to open, in which case the pressure would increase above 55 psig rapidly. The RCDT would be between 287F and 308F for a very short period of time only. RCDT pressure is indicated and has a range of 0 to 100 psig. Control Room Display WDL-TI-0605 A & B (LWDS).
- 10.
Quench Tank 3
3 0 to design Pressure (RC D
Pressure Drain Tank Pressure)
PT-323 PI-323 Control Room Display WDL-PI-0323 (LWDS).
- 11.
Deleted
- 12.
Main Feedwater Flow 3
3 0 to 110% Design FE-7A, 7B, 8A, 8B D
Flow FT-7, 8 FI-7A, 7B, 8A, 8B Control Room Display SP7A/B FI (CC # 46), SP 8A/B FI (CC # 41, 42, 47).
TMI-1 UFSAR CHAPTER 07 7.3-46 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 21 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 13.
Containment Atmos-2 3
40F to 400F phere Temperature D
(TE-655 A, I, K, & W)
Comments:
The purpose of the Containment Atmosphere Temperature indication as defined in RG 1.97 is to provide indication that the Reactor Building Cooling and/or Spray System is accomplishing its design objective, i.e. to cool the Reactor Building atmosphere and maintain it below its designated temperature limit following any postulated design basis accident. This objective is primarily confirmed by observation that the Category I qualified Containment Pressure indications are decreasing. These have a range to three times design pressure which will cover the complete spectrum of postulated accidents that challenge these systems. Accordingly, Containment Atmosphere Temperature indications provide a backup to the pressure indicators.
Therefore, this is considered a Category 3 parameter. This is a B&W Owners Group generic position.
The TMI-1 design basis accident containment analyses are provided in the updated FSAR Chapter 6. The presently installed 0 to 297F containment temperature indication provides sufficient range to monitor via computer display the entire spectrum of containment temperature transients as analyzed in the FSAR. The containment temperature will be the saturation temperature for indicated containment pressure during loss of coolant accidents and for any event in which building spray has been initiated. Based on these considerations the existing TMI-1 range is considered sufficient.
TMI-1 UFSAR CHAPTER 07 7.3-47 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 22 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 14.
Containment Sump 2
3 50F to 250F Water Temperature D
DH6-TE1, 2 Comments:
The minimum available NPSH for the decay heat removal and building spray pumps can be confirmed independent of sump temperature and NPSH is greater than required in the limiting design basis conditions. No automatic or manual actions are initiated based on this temperature. Therefore this is considered a Category 3 parameter.
Control Room Display DH6TI1, 2 (CC #406).
- 15.
Letdown Flow-Out 2
3 0 to 110%
MU4FT Design Flow Comments:
During design basis events such as LOCA's the Make-Up and Purification System is isolated.
Letdown flow indication is a backup variable to the makeup tank level for certain accidents.
Letdown flow rate can be estimated, if necessary, based pressurizer level. Therefore, this is considered a Category 3 parameter. Control Room Display MU4FI (CC #333).
- 16.
High-Level Radio-3 3
Top to Bottom active Liquid D
Tank Level LT-118A, 118B LI-118, WDL-LR-115
TMI-1 UFSAR CHAPTER 07 7.3-48 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 23 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 17.
Radiation Exposure 3
3 10-1 to Rate E
104R/hr RM-G-0001-0015,
- 18.
All Identified 3
3 10-3 to Plant Release Points -
E 102 ûCi/cc Sampling Particulates 0-110% Vent and Halogens Design Flow RM-A5, A8, A9 Comments:
Sample collected on silver zeolite and carbon. Onsite analysis capability exists.
- 19.
Airborne Radio-3 3
10-9 to halogens and Par-E 10-3 ûCi/cc ticulates from Various Locations (Portable)
- 20.
Plant and Environs 3
3 10-3 to Radiation (Portable E
104 R/hr Instrumentation)
(photons)
E-140, RO-2A, RO-7 10-3 to 104 rad/hr (beta)
TMI-1 UFSAR CHAPTER 07 7.3-49 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 24 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif. Range Environment
- 21.
Plant and Environs 3
3 Isotopic Radioactivity E
Analysis (Portable)
Comments:
Portable sampling capability; onsite laboratory analysis capability exists.
- 22.
Wind Direction 3
3 0-360 (+/-5 accuracy WW-WD-100A/B, 150 E
accuracy with a deflection of 10)
NWS-R-501 Starting speed less WW-DL-A than 0.4 mps (1.0 mph) Damping ratio greater than or equal to 0.4, delay distance less than or equal to 2 meters.
- 23.
Wind Speed 3
3 0-22 mps (50 mph).
WW-WS-100A, B E
+/-0.2 mps (0.5 mph)
WW-R-100A, B accuracy for speeds NWS-R-501 less than 2 mps (5 mph), 10% for speeds WW-DL-A in excess of 2 mps (5 mph), with a starting threshold of less than 0.4 mps (1.0 mph) and a distance constant not to exceed 2 meters.
TMI-1 UFSAR CHAPTER 07 7.3-50 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 25 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 24.
Estimation 3
3 Based on vertical of Atmospheric E
temperature difference Stability from primary meteorological system -5C to 10C, (-9F to 18F), and +/-0.15C WW-ASP-A, B accuracy per 50 meter WW-TE-33A, 150A intervals (+/-0.3F WW-TR-33B, 150B accuracy per 164 foot NWS-R-501 intervals) or analogous range WW-DL-A for alternate stability estimates.
- 25.
Primary Coolant 3
3 1 ûCi/ml and Sump Gross E
to 10Ci/ml Activity (Grab Sample)
Comment:
- Onsite analysis capability exists.
- 26.
Primary Coolant 3
3 Isotopic and Sump Gamma E
Analysis Spectrum (Grab Sample)
Comment:
- Onsite analysis capability exists.
TMI-1 UFSAR CHAPTER 07 7.3-51 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 26 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 27.
Primary Coolant 3
3 0 to 6000 ppm and Sump Boron E
Content (Grab Sample)
Comment:
- Onsite analysis capability exists.
- 28.
Primary Coolant 3
3 0 to 20 ppm and Sump Chloride E
Content (Grab Sample)
Comment:
- Onsite analysis capability exists.
- 29.
Primary Coolant 3
3 0 to 2000 cc and Sump Dissolved E
(STP)/kg Hydrogen or Total Gas (Grab Sample)
Comment:
- Onsite analysis capability exists.
- 30.
Primary Coolant 3
3 0 to 20 ppm and Sump Dissolved E
Comment:
- Onsite analysis capability exists.
TMI-1 UFSAR CHAPTER 07 7.3-52 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 27 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 31.
Primary Coolant 3
3 1-13 and Sump pH E
Comment:
- Onsite analysis capability exists.
- 32.
Containment Air 3
3 0 to 10 vol. %
Hydrogen Content E
Comment:
- Onsite analysis capability exists.
- 33.
Containment Air 3
3 0 to 30 vol. %
Oxygen Content E
Comment:
- Onsite analysis capability exists.
- 34.
Containment Air 3
3 Isotopic Gamma Spectrum E
Analysis (Grab Sample)
Comment:
- Onsite analysis capability exists.
- Note: Technical Specifications Amendment #253 eliminated the requirement to maintain a Post Accident Sampling System. The Post Accident Sampling System will be maintained for contingency actions and long-term post accident recovery operations (see Section 1.3.2.10 Postaccident Sampling).
TMI-1 UFSAR CHAPTER 07 7.3-53 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 28 of 31)
Evaluation of TMI-1 Compliance with Regulatory Guide 1.97 Requirements (RG 1.97) Category 3 Parameters RG 1.97 TMI-1 RG 1.97 Variable Classif.
Classif.
Range Environment
- 35.
Heat Removal by the Containment Fan Heat Removal System (CFHRS)
RR-PT-224, 225, 226 &
2 3
0-110% Design Harsh RR-PI-224, 225, 226 D
RR-FT-23,24,25 2
3 0-180% Design Harsh D
Comments:
The CFHRS is made up of the Reactor Building Emergency Cooling Water System (RR) and the Reactor Building Recirculation Fan Cooling System. The purpose of these systems is to provide a method of removing heat from the Reactor Building (RB) to keep the RB pressure below its design pressure limit in the event of a loss of coolant accident (LOCA). Primary indication of containment heat removal by the CFHRS is by RG 1.97 Category 1 containment pressure indication (listed above in this table). Additional monitoring is accomplished by fan cooler coil outlet water pressure (RR-PT/PI-224,225,226), river water pump motor breaker status, reactor building fan motor breaker status, RG 1.97 Category 3 containment temperature, river water cooler outlet flow on each cooler (RR-FT-23,24,25) as indicated on the plant computer. Also, available on the plant computer is river water inlet temperature. Outside the Control Room river water cooler outlet temperatures are available on each cooler.
If the primary indication suggests that cooling is not being accomplished then a more detailed evaluation of CFHR capability could be performed from these additional indications.
Appropriate emergency procedures verify proper cooler outlet river water backpressure control, proper individual river water cooler outlet flow and monitor containment pressure / temperature to verify the effectiveness of the fan coolers.
Fan cooler operability has a small effect on building pressure until the ECCS systems switch to the recirculation mode. Then, the fan coolers only have a gradual effect on containment response. They are only required to limit containment pressure until the RCS is being cooled by heat removal through OTSGs or by the Decay Heat Removal System. Appropriate Control Room indication to determine fan cooler operability is provided, ample time is available to determine the fan cooler heat removal capability if there is indication of problems in fan cooler operation, and there is a relatively small effect of containment fan coolers on containment pressure. Therefore, the existing combination of TMI-1 instruments provides an acceptable alternative equivalent to RG 1.97 recommendations.
Indication of RBEC Cooler Outlet pressure (RR-PI-224, 225, 226) is used to detect a failure of RR-V-6 which requires opening RR-V-5. If valid indication of RBEC cooler outlet pressure is not available, then RR-V-5 will be opened to ensure adequate RB cooling.
TMI-1 UFSAR CHAPTER 07 7.3-54 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 29 of 31)
Evaluation of TMI-1 Compliance with RG 1.97 Requirements (Parameters Not Applicable to TMI-1)
RG 1.97 Variable Classif.
Comments
- 1.
RCS Soluble 3
No online facility exists to Boron Concentration measure RCS soluble boron content (boron-meter). Off-line facility is utilized.
For TMI-1 the determination of Reactor Coolant Boron Concentration is by normal or post accident sampling. RCS boron need not be constantly monitored because the loss of negative reactivity due to xenon decay is sufficiently slow that the Control Room operator need not know instantaneously or constantly the boron concentration in the RCS. Therefore, TMI-1 sampling is considered sufficient for this parameter.
See item 27 of Category 3.
- 2.
Analysis of Primary 3
Postaccident sampling system Coolant (Gamma Spectra) covers this requirement. See items 26 and 25 of Category 3.
- 3.
Boric Acid Charging 2
Boric acid charging pump flow Flow is "not applicable" to B&W plants. The B&W designed NSSS does not include a charging system as part of the Emergency Core Cooling System (ECCS). Flow paths from the ECCS to the RCS include high pressure injection (HPI) and low pressure injection (LPI) with the BWST or the RB sump as
TMI-1 UFSAR CHAPTER 07 7.3-55 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 30 of 31)
Evaluation of TMI-1 Compliance with RG 1.97 Requirements (Parameters Not Applicable to TMI-1)
RG 1.97 Variable Classif.
Comments
- 3. Cont'd.
the suction source, and the core flood tank injection.
HPI and LPI flow rates and BWST, RB Sump, and Core Flood Tank levels are monitored (see items 8, 13, 14 and 15 of Category 1, item 1 of Category 2, and item 3 of Category 3). Therefore, Boric BA acid Charging Flow does not need Charging to be monitored as a Type D Flow variable to monitor the operation of the ECCS. This is a B&W Owners B&W Owners Group generic position.
- 4.
Component Cooling 2
Water Flow to ESF System Since all decay heat and nuclear services closed cycle cooling systems component cooling water valves are manual valves which are normally open, pump status and system temperature provide sufficient indication for system operation (except NSV 52 and 53, where valve position indication is provided). These indications are considered to meet the requirements of Reg. Guide 1.97.
TMI-1 UFSAR CHAPTER 07 7.3-56 REV. 23, APRIL 2016 TABLE 7.3-2 (Sheet 31 of 31)
Evaluation of TMI-1 Compliance with RG 1.97 Requirements (Parameters Not Applicable to TMI-1)
RG 1.97 Variable Classif. Comments
- 5.
Radioactive 3
The design pressure for these tanks is Gas Holdup 150 psig. When the pressure reaches Tank Pressure 82 psig, it initiates a local high pressure alarm. Also, this can be indicated on a local indicator or demand.
At 85 psig, the relief valve opens and discharges to the Auxiliary Building, where it will be detected and indicated by the Auxiliary Building radiation monitor.
Moreover, when the relief valve opens, it will annunciate in the common panel in the Control Room.
Based on these considerations, the existing indications and alarms are considered sufficient.
- 6.
Common Plant 2
TMI does not have a common plant vent.
Vent or Multi-purpose Vent -
Noble Gases and Vent Flow Rate.
- 7.
Reactor Shield 2
Not applicable, not in design for TMI.
Building Annulus (if in design) -
Noble Gases and Vent Flow Rate.
TMI-1 UFSAR CHAPTER 07 7.3-57 REV. 19, APRIL 2008 TABLE 7.3-3 (Sheet 1 of 2)
TMI-1 SAFETY PARAMETER DISPLAY SYSTEM PARAMETERS Critical Safety Functions PARAMETERS 1
2 3
4 5
REACTOR TRIP SIGNAL X
X X
X CORE POWER (HEAT BALANCE)
X X
POWER RANGE POWER X
POWER RANGE IMBALANCE X
SOURCE RANGE START UP RATE X
INTERMEDIATE RANGE START UP X
RATE RCS WIDE RANGE PRESSURE X
STEAM GENERATOR PRESSURE X
REACTOR BUILDING PRESSURE X
RC SATURATION TEMPERATURE X
MARGIN RCS WIDE RANGE COLD LEG X
X X
TEMPERATURE RCS WIDE RANGE HOT LEG X
INCORE THERMOCOUPLE X
TEMPERATURE REACTOR BUILDING TEMPERATURE X
HEATUP/COOLDOWN RATE X
X REACTOR BUILDING SUMP LEVEL X
X REACTOR BUILDING FLOOD LEVEL X
X HOT LEG WATER LEVEL X
PRESSURIZER LEVEL X
RCS TOTAL FLOW X
RCS LETDOWN FLOW X
RCS MAKEUP FLOW X
HIGH PRESSURE INJECTION FLOW X
MAIN FEEDWATER FLOW X
REACTOR COOLANT PUMP STATUS X
X X
VOID FRACTION X
RM-L1 LO (Letdown)
X RM-L2 (A Loop Decay Heat Closed)
X RM-L3 (B Loop Decay Heat Closed)
X
TMI-1 UFSAR CHAPTER 07 7.3-58 REV. 19, APRIL 2008 TABLE 7.3-3 (Sheet 2 of 2)
TMI-1 SAFETY PARAMETER DISPLAY SYSTEM PARAMETERS Critical Safety Functions PARAMETERS 1
2 3
4 5
RM-L9 (Intermediate Closed)
X RM-A2-GAS (RB Atmosphere)
X RM-A4-GAS (FHB Atmosphere)
X RM-A5 (Condenser Exhaust)
X RM-A6 GAS (Aux Bldg Atm)
X RM-A8 GAS (Plant Stack)
X RM-A9 GAS (RB Stack)
X RM-G22 (RB Hi Range)
X RM-G25 (Condenser Exhaust)
X RM-G26 (A Loop Steam Relief)
X RM-G27 (B Loop Steam Relief)
X CRITICAL SAFETY FUNCTIONS
- 1. Reactivity/Power Distribution
- 2. Primary Side Heat Removal
- 3. Reactor Coolant System Integrity
- 4. Radiation Control
- 5. Containment Conditions
TMI-1 UFSAR CHAPTER 07 7.4-1 REV. 24, APRIL 2018 7.4 OPERATING CONTROL STATIONS Following proven power station design philosophy, and human factors engineering principles, all control stations, switches, controllers, and indicators necessary to start up, operate, and shutdown the nuclear unit are located in the Control Room. Control functions necessary to maintain safe conditions after a LOCA are initiated from the Control Room. Controls for certain auxiliary systems are located at remote control stations when the system controlled does not involve power generation control or emergency functions.
7.4.1 GENERAL LAYOUT Following human engineering principles, the Control Room will provide, in a convenient manner, those controls and displays which are needed for normal planned plant evolutions, steady-state operation, and off-normal conditions. The Control Room is arranged to include an operating console to house frequently used and emergency indicators and controllers in close proximity and visible to the operator. Vertical panel boards house less frequently used controllers and information-type displays. The control board is formed by straight sections of benchboards arranged to form a semicircular operating console that allows the operator easy access to each section.
7.4.1.1 Safety Features Control Room consoles provide the necessary controls to start, operate, and shutdown the units with sufficient information display and alarm monitoring to insure safe and reliable operation under normal, abnormal, and accident conditions. Special emphasis is given to maintaining control during abnormal conditions. Information is displayed in the Control Room to indicate conditions within containment subsequent to an accident. The layout of the engineered safeguards section of the control board is designed to minimize the time required for the operator to evaluate the system performance under accident conditions.
7.4.2 INFORMATION DISPLAY AND CONTROL FUNCTION The necessary information for routine monitoring of the unit is displayed on the Control Room console or on visible panel boards in the immediate vicinity of the operator. Information display and control equipment frequently employed on a routine basis, or protective equipment quickly needed in case of an emergency, is mounted on the operating console. Recorders and radiation monitoring equipment are mounted on vertical panels in the Control Room.
Infrequently used equipment, such as indicators and controllers used primarily during startup or shutdown, are mounted on adjacent side panel boards.
The operating console is U-shaped with the inclined benchboard surface mounted with controllers and combination controllers with indicators. Behind each section of benchboard are located vertical boards having indicators and recorders associated with the respective section of benchboard; those items necessary for efficient operation are mounted high on the vertical board in full view of the operator. Less essential functions are displayed lower on the vertical boards. The center section of the operator's console will house the more important operating controls.
TMI-1 UFSAR CHAPTER 07 7.4-2 REV. 24, APRIL 2018 A computer is available in the Control Room for alarm monitoring, performance monitoring CRT Display, and data logging. On-demand printout is available to the operator at his discretion in addition to the computer periodic logging of the unit variables.
7.4.2.1 Console And Panel Layout Control consoles and panels were arranged to provide ready accessibility to those control functions requiring the most frequent attention, grouping of control and readout devices in relation to their function, and maintaining physical separation between redundant engineered safeguards system control and indication.
Control Room arrangement and panel designation are as shown on Drawing IE-155-02-003.
Section CC of the console contains those items normally required for routine station operation.
In the center of this section are control rod drive controls, ICS stations, reactor power indications, EFW, and data on reactor coolant and steam feedwater conditions. Also in this section are controls for reactor trip and manual initiation of ESAS. The controls for one half of the redundant emergency high pressure and low pressure injection systems, Reactor Building spray and cooling systems, and Decay Heat Removal Systems are at the right end of Section CC. The remaining half (injection and engineered safeguards auxiliary system controls) is on Section CR.
Section CL contains control and indication of the power generating portion of the unit, and includes the turbine generator control, feedwater, condensate and condensate booster pumps, and conventional plant cooling systems.
Panelboard section PC contains the control rod Position Indication Panel (PIP). For each individual control rod, visual indication is provided for rod position, asymmetric fault and alarm, and inserted and withdrawn position limit. Inverter backed LEDs are provided for verification of rod insertion in event of Station Blackout. This section is directly in front of the control rod control panel and is easily visible to the operator.
Panel section PCR contains indication of the status of engineered safeguards related equipment, arranged such that the operator can readily detect if a device fails to respond in the event of an engineered safeguards actuation. Also located on this panel are manual control for certain block valves not associated with normal unit operation and facilities for testing the engineered safeguards actuation channels.
Panel PCL contains electrical metering and recording equipment, saturation margin meters, and backup readout devices required for cold shutdown. Panel PLF contains turbine generator and feed pump turbine supervisory recorders and auxiliary equipment control, and panel PL contains spent fuel system control and indication, Reactor Building Purge Control and indication, and service/instrument air control and indication. Panel PR contains station 6900V, 4160V, and 480V electrical distribution system control. Panel PRF contains station radiation monitoring equipment.
Panel LWDS, near the Control Room north wall (west side), contains control portions of the Liquid Waste System associated with a change in reactor coolant boron concentration. Panel SS-1 contains electrical substation control and indication.
TMI-1 UFSAR CHAPTER 07 7.4-3 REV. 24, APRIL 2018 Panel H&V, against the Control Room north wall (east side), contains essential ventilation and air conditioning controls.
Computer consoles CCL and CCR contain an alarm status CRT, and utility CRTs with keyboards for supervisory personnel selected displays, along with a utility printer to obtain hardcopies of video displays. These consoles also provide a location for operators procedures, and communications and paging equipment.
7.4.2.2 Man-Machine Relationship In order to verify or further optimize the man-machine interface obtained in the design of the Control Room and control boards, a human factors engineering review has been conducted using a full scale mockup of the Control Room and control boards. The actual Control Room was used in determining ergonomic conditions relating to temperature, humidity, noise, and lighting. The review was performed by a team made up of GPU engineering staff, operating personnel, outside consultants, and human factors engineering specialists. The findings of this and other ongoing reviews were factored into the final Control Room for adherence to human factors criteria. Areas included in the study were:
- a.
Annunciator prioritization, location, and alarm acknowledge requirements.
- b.
Sufficient computer capability, CRT display, and printout hardware to provide adequate operator assistance.
- c.
Consistency of equipment labeling, demarcation, color coding, legend legibility, glare, parallax, and use of system mimic.
7.4.3
SUMMARY
OF ALARMS Visible and audible alarm units are incorporated into the Control Room to warn the operator if abnormal conditions are approached by any system. An audible Reactor Building evacuation alarm is initiated from the source range neutron detectors. Audible alarms are sounded in appropriate areas throughout the unit if high radiation conditions are present.
7.4.4 COMMUNICATION A Telephone System is provided utilizing handsets in the Control Room and in various areas in the Control Building and Service Building. Paging handsets and speakers have been provided for complete unit coverage. A redundant paging system including power supplies has been provided in areas where reactor shutdown and safeguards auxiliaries and equipment are located. All paging handsets are designed for acoustical noise rejection.
Non-emergency communication outside the plant is through the full period leased lines of the Bell Telephone Company of Pennsylvania and the licensees mobile radiotelephone system.
For emergencies, the communication system includes a dedicated telephone system that connects TMI with NRC headquarters, identified as the Emergency Notification System (ENS) that is used for reporting emergencies reliably to the NRC. For more details, see the "TMI-1 Emergency Plan."
TMI-1 UFSAR CHAPTER 07 7.4-4 REV. 24, APRIL 2018 7.4.5 HABITABILITY Habitability of the Control Room during abnormal conditions has been provided for in the design to ensure that Control Room operators can remain in the Control Room and take actions to operate and maintain the plant in a safe condition under accident conditions as required by GDC 19 of 10CFR50 Appendix A, and NUREG 0737, Item III. D.3.4. The Control Room, which is part of the Control Building Envelope (CBE), is located in the Control Building Elevation 355'-0". The Control Building is a Class I structure which is designed for the hypothetical aircraft incident. Adequate shielding has been provided to maintain tolerable radiation levels in the Control Room even in the event of a maximum hypothetical accident. The Control Building Ventilation System (CBVS), which serves the Control Building, has redundant fans and chillers and is provided with radiation detectors, and smoke detectors with appropriate alarms and interlocks. Provisions have been made for the Control Building air to be recirculated and to isolate the Control Building Envelope (CBE), in case of Engineered Safeguard Signal, Tunnel detection or Control Building high radiation signals. During Control Building High Radiation Signal the air is recirculated through HEPA and charcoal filters. Fresh air is drawn through an underground ventilation tunnel which has been provided with protection against combustible vapors, incipient explosions, and fires.
The Air Intake tunnel, 455 feet long provides a long residence time for any gas entering the Air Intake Structure. Coupling this feature with the bends and louvers in the openings on all sides of the Air Intake Structure, any released gases will have to traverse a long and winding course, and is subject to resistant wind forces during system isolation.
Due to the geometric arrangement of the Control Building, Air Intake Structure, and radiation source, the arrival of radioactive gas at these points at the same time is precluded. The Control Building and Air Intake Structure are approximately 350 feet and 70 azimuthally apart. The tunnel is also designed for the hypothetical aircraft incident.
7.4.5.1 Protection Against Fire The potential magnitude of a fire in the Control Room is small and is detailed in the TMI-1 Fire Hazards Analysis Report discussed in FSAR Section 9.9.
Control Room habitability could be challenged by smoke. To ensure Control Room habitability, the Control Building Ventilation System design includes isolation features which limit the spread of smoke for both internal and external (Air Intake Tunnel) events. The Fire Protection Program ensures that fire suppression and smoke removal activities maintain Control Room habitability.
7.4.5.2 Protection Against Radiological Releases A bounding analysis (Reference 14.3.103) of integrated 30-day control room Operator dose in the event of a LOCA demonstrates the dose will be less 10CFR50.67 guidelines (5 Rem). This analysis is based on the MHA containment and ES system leakage, shine from activity on CBHV filters and CBE unfiltered in-leakage. The conclusion is based on maintaining CBE unfiltered in-leakage below 1,000 CFM and ensuring the emergency control building ventilation system is established by Operator action within 30 minutes after a LOCA.
The use of an alternate source term and 10CFR50.67 guidelines was approved for CR
TMI-1 UFSAR CHAPTER 07 7.4-5 REV. 24, APRIL 2018 habitability analysis at TMI (Reference 14.3.142) 7.4.5.2.1 Design Basis The Control Building Envelope (CBE) includes Control Building Elevations 380-0 (Mechanical Equipment Rooms), 355'-0" (Main Control Room), 338'-6" and 322'-0", excluding Stairwell and Control Building Hallway (patio). These areas are shown on Figure 7.4-2 and the boundary is also shown on Figure 7.4-3.
While the CBVS is in the Emergency Recirculation mode of operation, the Main Control Room (CBE Elevation 355 - 0) is maintained at a positive pressure of 0.10 inches w.g. with respect to areas outside the CBE. Provisions have been incorporated as necessary into applicable procedures to account for single active component failures, and maintain the required positive pressure.
A positive pressure of 0.10 inches w.g. is not a criterion for the entire CBE. The pressure requirement in the cubicles of the CBE, other than the Main Control Room, is that they are maintained at a positive pressure with respect to the areas outside the CBE.
Radiological dose criteria used to establish habitability are referred to in Reference 6:
7.4.5.2.2 Control Building Envelope (CBE) System Design 7.4.5.2.2.1 Definition of Control Building Envelope (CBE)
The Control Building Envelope (CBE) consists of all areas served by the Control Building Emergency Ventilation System. The Control Building Envelope is defined in Section 7.4.5.2.1.
These areas are on four levels of the TMI-1 Control Tower which communicate directly with each other.
7.4.5.2.2.2 Ventilation System Design The TMI-1 Control Building Ventilation System (CBVS) during normal mode of operation serves the Control Building Envelope (CBE) and the Controlled Access Area (Elevation 306'-0" excluding the Hot Tool Room).
In the emergency mode the Control Building Ventilation System recirculates air conditioned, filtered air to the Control Building Envelope only. A schematic of the Control Building Ventilation System for emergency mode of operation is shown in Figure 7.4-3. The emergency recirculation mode of operation of the Control Building Ventilation System is initiated by high radiation in the Control Room, an engineered safeguard signal, or by an air intake tunnel device signal.
The TMI-1 Control Building Ventilation System has unique features that quantitatively and qualitatively enhance the protection of Control Room operators. Elevation 306'-0" Supply Dampers (AH-D-28 & AH-D-617) fail in the closed position to assure the isolation/ recirculation mode of the Control Building Ventilation System.
The Control Building Ventilation System is monitored via the H&V control panel in the Control
TMI-1 UFSAR CHAPTER 07 7.4-6 REV. 24, APRIL 2018 Room. Each of the Normal Supply Fans (AH-E-17A/B), Emergency Supply Fans (AH-E-18A/B) and Return Air Fans (AH-E-19A/B) has an indicator of the operational status. Elevation 306 Supply Dampers (AH-D-28 & AH-D-617) are monitored for status (open/closed indicated on the ESAS panel in the Control Room).
7.4.5.3 Toxic Gas Protection All chlorine containers in excess of 150 lbs. have been removed from the TMI-1 site.
Administrative controls prohibit the purchase, ordering and delivery onsite of containers greater than 150 lbs. Therefore, the chlorine detection system is no longer required to be operable and has been physically removed during the 10R outage (Regulatory Guide 1.95, Revision 1).
A spill of two (2), 55 gallon drums containing 370 pounds of morpholine (as a 40 percent solution) in the turbine building would result in a maximum of 0.107 weight ppm morpholine in the Control Room atmosphere. The threshold limit value for morpholine is 20 ppm. A spill of 69,000 pounds of morpholine (370 OBS x [20/0.107]) or 20,500 gallons as 40 percent solution, would just approach the acceptability limit. On this basis, it is concluded that the actual plant inventory of morpholine has no impact on Control Room habitability.
The evaporation rate of pure ethanolamine (ETA) is not available. Morpholine's evaporation rate is 0.9 percent by volume within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Since ETA is much less volatile than morpholine, it is safe and conservative to assume the evaporation rate of ETA is the same as morpholine's.
Therefore, if there is a chemical spill of 40% ETA from the 300-gallon liquid bin and using the evaporation rate of 0.9% (vol.) in 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and the turbine building ventilation rate of 798,000 cubic feet per minute (cfm), the ETA concentration in air after 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> would be 0.30 ppm. This is much lower than the 3 ppm TLV limit, thus, there will be no adverse effect on personnel safety around the chemical feed area and in the control room.
There is no established threshold limit value (TLV) or permissible exposure limit (PEL) for methoxypropylamine (MPA) in accordance with the American Conference of Governmental Industrial Hygienists (ACGIH) and the Occupational Safety and Health Administration.
Therefore, there is no value or limit upon which personnel safety resulting from airborne contaminants can be evaluated.
Storage of bulk hydrogen peroxide at the chemical cleaning building and chemical storage building will not adversely affect control room habitability. (Ref 23)
Protection from hazardous chemical releases is provided by administrative controls. On-site hazardous chemicals are controlled by the Controlled Materials and Hazard Communication Program. New chemicals are evaluated by the Controlled Materials Evaluation process.
The probability that an offsite chemical release would adversely impact the control room habitability and cause a radiation release is excess of 10 CFR 100 limits is periodically evaluated. Based on the most recent survey and analysis (Reference 24), the probability of such an event is less than the NUREG-0800 Section 2.2.3 threshold (1 x 10-7 / year) for considering potential accidents as design basis events. The licensing basis for the potential of a toxic gas hazard to impact control room habitability was established in response to NUREG-0737 Iitem III.D.3.4 (Reference 25).
TMI-1 UFSAR CHAPTER 07 7.4-7 REV. 24, APRIL 2018 7.4.5.4 Testing and Inspection The Emergency Control Room Air Treatment System is tested on a periodic basis as specified in Technical Specification Sections 3.15.1 and 4.12.1. This testing and inspection provides reasonable assurance of system operation.
The Control Building Envelope is tested on a periodic basis as specified in Technical Specification sections 6.20.c and 6.20.d. Testing of unfiltered air in-leakage into the CBE is performed in accordance with the testing methods and at the frequencies specified in Sections C.1 and C.2 of Regulatory Guide 1.197 Revision 0. Periodic assessment of Control Room habitability is performed at the frequency specified in Sections C.1 and C.2 of Regulatory Guide 1.197 Revision 0. Measurement, at designated locations, of the CBE pressure relative to external areas adjacent to the CBE boundary during Emergency Recirculation operation is performed on a 24-month interval. The results are trended and used as part of the periodic assessment of the CRE boundary.
7.4.6 REMOTE SHUTDOWN SYSTEM The remote shutdown (RSD) system provides the capability to place and maintain the unit in hot shutdown from a location other than the control room as required by 10 CFR 50 Appendix A, General Design Criteria 19. The reactor is automatically shutdown or manually shutdown prior to leaving the control room.
The RSD component control functions and monitoring capability are described in Table 7.4-1.
The table lists functions available from remote shutdown stations and other facilities outside of the control room, which are normally performed in the control room. The list includes the function and location and identifies which remote control and monitoring functions can be isolated from circuits in the control room, relay room, and ESAS rooms.
The remote shutdown system is relied upon for alternate shutdown capability in event a fire requires control room evacuation. Those functions necessary for safe hot shutdown after a fire have facilities to isolate the controls from potentially damaged circuits in the ESAS, relay room, or control room. The Fire Hazards Analysis Report (FHAR) describes the equipment design and operating response relied upon in such an event.
There are three Remote Shutdown Panels (RSP-A, RSP-B and Aux. RSP-B) located in the control building on the 322 elevation and three remote shutdown transfer switch panels (RSTSP-A, RSTSP-B, and RSTSP-C). Additional local control equipment is mounted on motor control centers and switchgear. The Remote Shutdown Panels (RSP*A, RSP-B, Aux. RSP-B) consist of three adjoining but physically separate safety grade panels. The separation between the panels is such that adequate physical and electrical separation is provided while still providing operator capability for comparison of plant variables between RSP-A and B. The Remote Shutdown Transfer Switch Panels (RSTSP) also consist of three separate safety grade panels. The safety function of the transfer switch panels applies only to the circuit isolation transfer switches and auxiliary relays which connect directly with safety grade equipment when the switches are in the normal mode. All the circuit isolation devices that interface with the safety system components are new class 1E qualified devices and designed so as not to degrade the existing safety functions. Separate sets of fuses are provided for the alternate shutdown circuits. These fuses are isolated by the transfer switches to preclude the deficiency described in Information Notice 85-09. With the circuit isolation devices set in the "normal"
TMI-1 UFSAR CHAPTER 07 7.4-8 REV. 24, APRIL 2018 mode, the remote shutdown system will not have any control interface or effect upon the plant safety functions. If "emergency" mode is selected, then it is annunciated in the control room.
Remote shutdown instrumentation and control capabilities (Table 7.4-1) are tested as required by Technical Specifications. The remote shutdown system instrumentation and controls not covered by TS 4.1.4 but required to satisfy a fire safe shutdown function per the FHAR, will be tested periodically as described in AP 1038.
7.4.7 EMERGENCY FACILITIES AND EQUIPMENT This Subsection describes the equipment and facilities that are used to:
A.
Assess the extent of accident hazards.
B.
Mobilize the resources required to mitigate the consequences of an accident.
C.
Provide protection to plant personnel.
D.
Support accident mitigation operations.
Emergency Facilities and their relation to each other are discussed in the Emergency Plan for Three Mile Island. Many of the facilities and much of the equipment are normally used for routine plant operations. Other items are reserved for use only on an "as needed" basis.
TMI-1 UFSAR CHAPTER 07 7.4-9 REV. 22, APRIL 2014 TABLE 7.4-1 (Sheet 1 of 6)
REMOTE SHUTDOWN SYSTEM CONTROL AND MONITORING FACILITIES A.
RSP-A Instrumentation Monitored Parameter Instrument No.
Range RCS T HOT LOOP A RC-TI-958 120 - 920 oF RCS T COLD LOOP A RC-TI-959 50 - 650 oF RCS Pressure (A Hot leg)
RC-PI-963 0 - 3000 psig OTSG A Pressure MS-PI-950 0 - 1200 psig OTSG A full range level FW-LI-775A 0 - 640 in OTSG B full range level FW-LI-788A 0 - 640 in EFW Flow to OTSG A EF-FI-779A 0 - 800 gpm EFW Flow to OTSG B EF-FI-791A 0 - 800 gpm DH A Cooler Outlet Temperature DH-TI-981 0 - 300 oF DH A Pump Inlet Temperature DH-TI-979 0 - 300 oF DH Loop A Flow DH-FI-802 0 - 5000 gpm B.
RSP-B Instrumentation Monitored Parameter Instrument No.
Range Reactor Source Range Flux NIYI12-1 10 106 lcps RCS T HOT LOOP B RC-TI-960 120 - 920 oF RCS T COLD LOOP B RC-TI-961 50 - 650 oF RCS Pressure (B Hot leg)
RC-PI-949 0 - 3000 psig Pressurizer Level RC-LI-777 0 - 400 in OTSG B Pressure MS-PI-951 0 - 1200 psig OTSG A full range level FW-LI-789A 0 - 640 in OTSG B full range level FW-LI-776A 0 - 640 in EFW Flow to OTSG A EF-FI-788A 0 - 800 gpm EFW Flow to OTSG B EF-FI-782A 0 - 800 gpm Makeup Tank Level MU-LI-778 0 - 100 in BWST Level DH-LI-809 0 - 60 ft DH B Cooler Outlet Temperature DH-TI-982 0 - 300 oF DH B Pump Inlet Temperature DH-TI-980 0 - 300 oF DH Loop B Flow DH-FI-803 0 - 5000 gpm
TMI-1 UFSAR CHAPTER 07 7.4-10 REV. 22, APRIL 2014 TABLE 7.4-1 (Sheet 2 of 6)
REMOTE SHUTDOWN SYSTEM CONTROL AND MONITORING FACILITIES C.
OTHER Indications on RSP-B and AUX RSP-B Panels Description Panel Seal lnjection Flow "Adeauate" / "Inadequate" RSP-B EG-Y-1B "operating" / "shutdown" lights RSP-B 1E 4160V Bus "energized" Iight RSP-B 1S 480V Bus "energized" Iight RSP-B 1T 480V Bus "energized" Iight RSP-B 1B ES MCC "energized" Iight RSP-B 1B ESV MCC "energized" Iight RSP-B 1B ES SH MCC "energized" Iight RSP-B 1C ESV MCC "energized" Iight RSP-B MU-P-3C "operating" / "shutdown" lights RSP-B MU-P-3B "operating" / "shutdown" lights RSP-B MU-V-8 BLEED/THRU position status lights RSP-B IA-P-1B "operating" / "shutdown" Iights RSP-B Communications "Gray Page Transferred" light "M&I system Transferred" light AUX RSP-B D.
RSP-A Controls Control of these components is transferred to RSD panel A and isolated from control room, relay room, and ESAS room circuits by switches in the A RSTSP (CB 338: ESAS Room).
Status indication is also provided for all components.
Component Function MS-V-4A Manual variable adjustment OTSG A Atmospheric dump valve EF-V-30A and EF-V-30C Manual variable adjustment Emergency feedwater flow control to OTSG A and B MU-V-3 Open or close Letdown isolation valve MU-V-14A Open (or close)
Train A MU pump suction valve from BWST MU-V-36 Open (or close)
Train A MU pump recirculation isolation valve IC-V-3 Open (or close)
ICCW reactor building isolation valve
TMI-1 UFSAR CHAPTER 07 7.4-11 REV. 22, APRIL 2014 TABLE 7.4-1 (Sheet 3 of 6)
REMOTE SHUTDOWN SYSTEM CONTROL AND MONITORING FACILITIES E.
RSP-B and AUX RSP-B Controls Control of these components is transferred to RSD panel B (or Aux RSD Panel B) and isolated from control room, relay room and ESAS room circuits by switches in the B RSTSP (CB 322:
1S 480V SWGR Room) or C RSTSP (CB 322: RSD Area). Status indication is also provided for all components.
Component Function Panel 1T Unit 4C TRIP or CLOSE 480V Feeder breaker (on 1T Bus) for 1B ES Screen House MCC AUX RSP-B 1T-02 TRIP or CLOSE 480V Feeder breaker (on 1T bus) for 1T 480V BUS AUX RSP-B Communications M/l Phones No control involved Transfer switch isolates circuits onIy RSTSP-B Communications Grey Page No control involved Transfer switch isolates circuits only RSTSP-B DC-P-1B Start or Stop Train B Decay Closed Cooling Water Pump AUX RSP-B DR-P-1B Start or Stop Train B Decay River Water Pump AUX RSP-B DR-V-1B Open or Close DR-P-1 B Discharge Valve AUX RSP-B EF-V-30B and EF-V-30D Manual variable adjustment Emergency feedwater flow control valve to OTSG A and B RSP-B IC-P-1B Start or Stop Train B Intermediate Closed Cooling Water Pump AUX RSP-B IC-V-2 Open (or close) ICCW reactor building isolation valve AUX RSP-B IC-V-4 Open (or close) ICCW reactor building isolation valve AUX RSP-B MS-V-4B Manual variable adjustment OTSG B Atmospheric dump valve RSP-B MS-V-8A and MS-V-8B CLOSE (or OPEN) Turbine Bypass Header Isolation Valves on OTSG A and B RSP-B MU-P-1B MU-P-3B Start or Stop Make Up Pump 1B MU-P-1B Main Oil Pump runs continuously RSP-B (MU-P-1B Transfers from RSTSP-C)
MU-P-1C MU-P-3C Start or Stop Make Up Pump 1C MU-P-1C Main Oil Pump runs continuously RSP-B
TMI-1 UFSAR CHAPTER 07 7.4-12 REV. 22, APRIL 2014 TABLE 7.4-1 (Sheet 4 of 6)
REMOTE SHUTDOWN SYSTEM CONTROL AND MONITORING FACILITIES Component Function Panel MU-V-14B OPEN (or CLOSE)
Train B MU Pump Suction Valve from BWST RSP-B MU-V-16C and MU-V-16D OPEN/STOP/CLOSE Train B High Pressure Injection Control Valves RSP-B MU-V-18 OPEN or CLOSE Normal RCS Makeup Isolation Valve RSP-B MU-V-20 CLOSE or OPEN Seal Injection Isolation Valve RSP-B MU-V-2A and MU-V-2B OPEN or CLOSE Letdown Cooler A & B Outlet Isolation Valves RSP-B MU-V-37 OPEN or CLOSE Train B MU Pump Recirculation Isolation Valve RSP-B NR-P-1C Start or Stop Train B Nuclear River Water Pump AUX RSP-B NR-V-1C Open or Close NR-P-1C Discharge Valve AUX RSP-B NR-V-15B JOG OPEN /CLOSED NR Flow through ICCW Cooler B AUX RSP-B NR-V-18 THROTTLED/BREAKER OPEN NR system return flow to MDCT Remote Control not used AUX RSP-B NS-P-1C Start or Stop Train B Nuclear Closed Cooling Water Pump AUX RSP-B RC-V-2 CLOSE (or OPEN)
PORV Block Valve RSP-B RC-V-3 CLOSE (or OPEN)
Spray Block Valve RSP-B RR-V-1B Open or Close Reactor Building Emergency Cooling River Water Pump Train B AUX RSP-B
TMI-1 UFSAR CHAPTER 07 7.4-13 REV. 22, APRIL 2014 TABLE 7.4-1 (Sheet 5 of 6)
REMOTE SHUTDOWN SYSTEM CONTROL AND MONITORING FACILITIES F.
OTHER RSD Controls Control of these components can be established outside of the control room (location is described) and isolated from control room, relay room and ESAS room circuits by switches described (and location). Status indication is also provided for all components.
Control(s)
Switch (Location)
Control Function Transfer Switch (Location) 1C ESV MCC ATS (CB 322: RSD Area)
USE Test switches to select 1P or 1S 480V power source to 1C ESV MCC NORM / EMERG (CB 322: In box to right of 1C ESV MCC ATS) 1S Unit 1C (CB 322: 1S 480V SWGR Room)
TRIP / CLOSE 480V Feeder Breaker (on 1S Bus) to 1B ES MCC NORM / EMERG / BYPASS (CB 322: 1S 480V SWGR Room) 1S-02 (CB 322: 1S 480V SWGR Room)
TRIP / CLOSE 480V feeder breaker (on 1S bus) to 1S 480V BUS NORM / EMERG / BYPASS (CB 322: 1S 480V SWGR Room) 1SA-E2 (CB 338: 1E 4160V SWGR Room)
TRIP / CLOSE 1E 4160V bus feeder breaker from 1A Aux XFMR NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room) 1SB-E2 (CB 338: 1E 4160V SWGR Room)
TRIP / CLOSE 1E 4160V bus feeder breaker from 1B Aux XFMR NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
AH-C-4B (CB 285: On York Control Panel)
START /STOP Train B Control Building Chiller NORM / EMERG (CB 285: On York Control Panel)
AH-P-3B (CB 322: on 1B ES MCC)
START /STOP Train B Control Building Chilled Water Pump NORM / EMERG (CB 322: 1B ES MCC)
DH-P-1B (CB 338: 1E 4160V SWGR Room)
TRIP / CLOSE START or STOP Train B Decay Heat Pump NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
OPEN / CLOSE DH-P-1A Suction from RB Sump Isolation Valve NORM / EMERG (AB 305: 1A ESV MCC)
OPEN / CLOSE DH-P-1B Suction from RB Sump Isolation Valve NORM / EMERG (AB 305: 1B ESV MCC)
EF-P-2B (CB 338: 1E 4160V SWGR Room)
TRIP / CLOSE START or STOP Train B Emergency Feedwater Pump NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
TMI-1 UFSAR CHAPTER 07 7.4-14 REV. 22, APRIL 2014 TABLE 7.4-1 (Sheet 6 of 6)
REMOTE SHUTDOWN SYSTEM CONTROL AND MONITORING FACILITIES Control(s)
Switch (Location)
Control Function Transfer Switch (Location)
EG-Y-1 B control panel (CB 338: 1E 4160V SWGR Room)
START PB, STOP PB "Cranking" Light, "Running" Light "Ready to load" Light 1E 4160V Bus Load (Watts) 1E 4160V Bus Voltage, Voltmeter NORM / EMERG (CB 338: on G11-02 on 1E 4160V SWGR)
G11-02 (CB 338: 1E 4160V SWGR Room)
TRIP I CLOSE EG-Y-1 B Output Breaker on 1E 4160V Bus NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
IA-P-1B (CB 322: on 1B ES MCC)
START / STOP Instrument Air Compressor B NORM / EMERG (CB 322: on 1B ES MCC)
Pressurizer Heater Group 9 (CB 322: 1S 480V SWGR Room: left of S2-ALT cab)
TRIP I CLOSE Energize or de-energize pressurizer heater group 9 from 1S 480V Bus Kirk-key controlled power transfer process AND isolation switch "Press HTR Group 9" NORMAL /
EMERG (CB 322: 1S 480V bus relay panel)
RC-P-1A (TB 322: 1A 6900V SWGR)
TRIP I CLOSE Breaker NORM / EMERG / BYPASS (TB 322: SWGR Room)
Isolated in EMERG RC-P-1B (TB 322: 1B 6900V SWGR)
TRIP I CLOSE Breaker NORM / EMERG / BYPASS (TB 322: SWGR Room)
Isolated in EMERG RC-P-1C (TB 322: 1A 6900V SWGR)
TRIP I CLOSE Breaker NORM / EMERG / BYPASS (TB 322: SWGR Room)
Isolated in EMERG RC-P-1D (TB 322: 1B 6900V SWGR)
TRIP I CLOSE Breaker NORM / EMERG / BYPASS (TB 322: SWGR Room)
Isolated in EMERG RR-P-1B (CB 338: 1E 4160V SWGR Room)
TRIP I CLOSE Breaker NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
S1-02 (CB 338: 1E 4160V SWGR Room)
TRIP /CLOSE 4160V feeder breaker (on 1E bus) to 1S 480V BUS NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
T1-02 (CB 338: 1E 4160V SWGR Room)
TRIP/CLOSE 4160V feeder breaker (on 1E bus) to 1T 480V BUS NORM / EMERG / BYPASS (CB 338: 1E 4160V SWGR Room)
T1-E2 (CB 338: 1E 4160V SWGR Room)
TRIP I CLOSE 1E 4160V bus tie breaker to 4160V 1C-1D-1E cross tie NORM / EMERG (CB 338: 1E 4160V SWGR Room)
TMI-1 UFSAR CHAPTER 07 7.5-1 REV. 24, APRIL 2018 7.5 References
- 1.
B&W-10003, Rev. 2, "Qualification Testing of Protection System Instrumentation."
- 2.
IEEE Standard 279, "Proposed Criteria for Nuclear Power Plant Protection Systems,"
dated August, 1968.
- 3.
Regulatory Guide 1.89 and NUREG-0578, Category 1.
- 4.
B&W Topical Report BAW-10001-A, "Incore Instrumentation Test Program".
- 5.
BAW-3647-7, Physics Verification Program Part II, Final Report, dated April 1968.
- 6.
Deleted.
- 7.
Deleted.
- 8.
Deleted.
- 9.
Pickard, Lowe, and Garrick Inc. Report, "TMI Control Room Habitability Study: Analysis of Hazards Posed by Postulated Accident Releasing Radioactivity, Ammonia, or Chlorine Onsite," dated May 1, 1984.
- 10.
GPUN Calc. No. C-1101-424-5360-035, Rev 0, "Time Value of Emergency Feedwater (EFW) Left in Condensate Storage Tanks at Lo-Lo Level Alarm".
- 11.
Deleted.
- 12.
Deleted
- 13.
"Basis for Raising Arming Threshold for Anticipatory Reactor Trip on Turbine Trip" BAW-1893, Rev. 0, October 1985.
- 14.
"Justification for Raising Setpoint for Reactor Trip on High Pressure", BAW-1890, September 1985.
- 15.
GPUN Topical Report No. 018, "TMI-1 Safety Parameter Display System Safety Analysis", April 24, 1984.
- 16.
GPUN Topical Report No. 027, "Final Verification and Validation Report on TMI-1 Safety Parameter Display System", December 30, 1985.
TMI-1 UFSAR CHAPTER 07 7.5-2 REV. 24, APRIL 2018
- 17.
NRC Letter, "Three Mile Island Unit 1 - Instrumentation to Follow the Course of an Accident Required by Regulatory Guide 1.97 (TAC No. M51361)," dated March 31, 1993.
- 18.
Pickard, Lowe and Garrick, Inc. Report PLG-0370, "Probabilistic Risk Assessment of Offsite Releases Initiated by a Toxic Chemical Release", dated July 30, 1984.
- 19.
TDR 246, Study of the Reactor Trip Bypass Upon Loss of Feedwater at Low Power for TMI-1.
- 20.
AREVA Calculation, 32-9048637-000, TMI Variable Low Pressure Trip Calculation, May 16, 2007.
- 21.
AREVA NP Inc. Document 51-9007385-004, "TMI-1 EOTSG Non-LOCA Event Evaluation and Summary Report."
- 22.
TMI-1 Technical Specifications Amendment #189, dated July 25, 1994.
- 23.
C-1101-826-E410-032, "TMI-1: CR Habitability Analysis for Hydrogen Peroxide Stored On-Site."
- 24.
C-1101-826-E410-033, "Control Room Habitability for Offsite Hazardous Chemical Releases."
- 25.
GPUN Letter 5211-84-2199, "Control Room Habitability (III.D.3.4., NUREG-0737)" and attached PLG-0370, August 8, 1984.