ML18334A136

From kanterella
Jump to navigation Jump to search
Revision 23 to Updated Final Safety Analysis Report, Section 7, Instrumentation and Controls
ML18334A136
Person / Time
Site: Hope Creek PSEG icon.png
Issue date: 11/12/2018
From:
Public Service Enterprise Group
To:
Office of Nuclear Reactor Regulation
Shared Package
ML18334A137 List:
References
LR-N18-0123
Download: ML18334A136 (679)
v  d  e


Text

SECTION 7 INSTRUMENTATION AND CONTROLS TABLE OF CONTENTS Section Title Page

7.1 INTRODUCTION

7.1-1 7.1.1 Identification of Systems Important to 7.1-1 Safety 7.1.1.1 General 7.1-1 7.1.1.2 Protection Systems 7.1-2 7.1.1.3 Engineered Safety Feature Systems 7.1-2 (Controls) 7.1.1.4 Systems Required for Safe Shutdown 7.1-4 7.1.1.5 Safety-Related Display Instrumentation 7.1-4 (Information Systems Important to Safety) 7.1.1.6 All Other Instrumentation Systems 7.1-5 Required for Safety (Interlock Systems Important to Safety) 7.1.1.7 Control Systems Not Required for Safety 7.1-6 7.1.2 Identification of Safety Criteria 7.1-6 7.1.2.1 Design Bases 7.1-7 7.1.2.2 Conformance to 10CFR50 Appendix A - 7.1-11 General Design Criteria (GDC) 7.1.2.3 Conformance to IEEE Standards 7.1-15 7.1.2.4 Conformance to Regulatory Guides 7.1-21 7.1.2.5 Independence of Safety-Related Systems 7.1-28 7.1.2.6 Instrument Errors 7.1-47 7.1.2.7 Conformance to ICSB Branch Technical 7.1-48 Position 7.1.2.8 Instrumentation and Control Systems 7.1-62 Power Supplies 7-i HCGS-UFSAR Revision 0 April 11, 1988 TABLE OF CONTENTS (Cont)

Section Title Page 7.2 REACTOR PROTECTION (TRIP) SYSTEM (RPS) 7.2-1 7.2.1 Description 7.2-1 7.2.1.1 RPS System Description 7.2-1 7.2.1.2 RPS System Testability 7.2-17 7.2.1.3 Design Bases 7.2-18 7.2.1.4 Final System Drawings 7.2-30 7.2.2 Analysis 7.2-30 7.2.2.1 Implementation of 10CFR50, Appendix A 7.2-30 General Design Criteria 7.2.2.2 Conformance to IEEE Standards 7.2-33 7.2.2.3 Conformance to NRC Regulatory Guides 7.2-41

7.3 ENGINEERED

SAFETY FEATURE SYSTEMS 7.3-1 7.3.1 Description 7.3-1 7.3.1.1 System Description 7.3-2 7.3.1.2 Design Bases 7.3-102 7.3.1.3 Final System Drawings 7.3-104 7.3.2 Analysis 7.3-105 7.3.2.1 ESF System - Instrumentation and Controls 7.3-105 for NSSS Systems 7.3.2.2 ESF Systems - Instrumentation and Controls 7.3-125 for Non-NSSS Systems

7.4 SYSTEMS

REQUIRED FOR SAFE SHUTDOWN 7.4-1 7.4.1 Description 7.4-1 7.4.1.1 Reactor Core Isolation Cooling System 7.4-1 7.4.1.2 Standby Liquid Control System 7.4-6 7.4.1.3 RHR/Reactor Shutdown Cooling Mode 7.4-10 7.4.1.4 Remote Shutdown Systems 7.4-10 7.4.1.5 Essential Auxiliary Supporting Systems 7.4-24 for Safe Shutdown Systems

7-ii HCGS-UFSAR Revision 23 November 12, 2018

TABLE OF CONTENTS (Cont) Section Title Page 7.4.1.6 Design Basis 7.4-25 7.4.2 Analysis 7.4-28 7.4.2.1 Reactor Core Isolation Cooling System 7.4-28 Instrumentation and Controls (Analysis) 7.4.2.2 Standby Liquid Control System 7.4-34 Instrumentation and Controls (Analysis) 7.4.2.3 RHR/Reactor Shutdown Cooling Mode 7.4-45 Instrumentation and Controls (Analysis) 7.4.2.4 Remote Shutdown Systems 7.4-45 7.4.2.5 Essential Auxiliary Supporting Systems 7.4-49 for Safe Shutdown Systems 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5-1 (INFORMATION SYSTEMS IMPORTANT TO SAFETY) 7.5.1 Description 7.5-1 7.5.1.1 General 7.5-1 7.5.1.2 Information Systems Identification 7.5-2 7.5.1.3 Information Systems Description 7.5-2 7.5.2 Analysis 7.5-24 7.5.2.1 Performance of Manual Safety Functions 7.5-24 7.5.2.2 Implementation of 10CFR50 Appendix A 7.5-24 General Design Criteria 7.5.2.3 Implementation of Regulatory Guides 7.5-25 7.5.2.4 Implementation of Branch Technical 7.5-26 Positions 7.5.2.5 Implementation of TMI Action Plan 7.5-27 Requirements 7.5.2.6 Analysis of IE Bulletin 79-27 7.5-27 7.5.3 References 7.5-29 7-iii HCGS-UFSAR Revision 0 April 11, 1988 TABLE OF CONTENTS (Cont) Section Title Page 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED 7.6-1 FOR SAFETY (INTERLOCK SYSTEMS IMPORTANT TO SAFETY) 7.6.1 Description 7.6-1 7.6.1.1 Process Radiation Monitoring System 7.6-2 7.6.1.2 High Pressure/Low Pressure System 7.6-2 Interlocks - Instrumentation and Controls 7.6.1.3 Leak Detection System - Instrumentation 7.6-5 and Controls 7.6.1.4 Neutron Monitoring System - 7.6-11 Instrumentation and Controls 7.6.1.5 Recirculation Pump Trip System - 7.6-18 Instrumentation and Controls 7.6.1.6 Main Steam Safety/Relief Valves - 7.6-18 Relief Function 7.6.1.7 Redundant Reactivity Control System (RRCS) 7.6-21 - Instrumentation and Controls 7.6.1.8 Safety System/Non-Safety System Isolation 7.6-24 (SSNSSI) 7.6.1.9 Design Bases 7.6-24 7.6.1.10 Final System Drawings 7.6-29 7.6.2 Analysis 7.6-29 7.6.2.1 Process Radiation Monitoring System - 7.6-29 (PRMS) Analysis 7.6.2.2 High Pressure/Low Pressure System 7.6-29 Interlocks - Analysis 7.6.2.3 Leak Detection System (Safety-Related) 7.6-37 Analysis 7.6.2.4 Neutron Monitoring System - Analysis 7.6-41 7.6.2.5 Recirculation Pump Trip (RPT) 7.6-52 System - Analysis 7-iv HCGS-UFSAR Revision 0 April 11, 1988 TABLE OF CONTENTS (Cont) Section Title Page 7.6.2.6 Main Steam Safety/Relief Valves - 7.6-61 Analysis 7.6.2.7 Redundant Reactivity Control System 7.6-61 7.6.2.8 Safety System/Nonsafety System Isolation 7.6-73 Analysis 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY 7.7-1 7.7.1 Description 7.7-1 7.7.1.1 Reactor Manual Control System (RMCS) 7.7-1 7.7.1.2 Recirculation Flow Control System (RFCS) 7.7-25 7.7.1.3 Feedwater Control System 7.7-34 7.7.1.4 Refueling Interlocks - Instrumentation 7.7-40 and Controls 7.7.1.5 Pressure Regulator and Turbine Generator 7.7-45 System (PRTGS) 7.7.1.6 Reactor Water Cleanup (RWCU) System 7.7-55 7.7.1.7 Area Radiation Monitoring Systems (ARMS) 7.7-55 7.7.1.8 Radwaste Systems 7.7-55 7.7.1.9 Fuel Pool Cooling and Cleanup System (FPCS) 7.7-55 7.7.1.10 Seismic Monitoring Instrumentation 7.7-55 7.7.1.11 Meteorological Monitoring Instrumentation 7.7-55a 7.7.1.12 Design Differences 7.7-55a 7.7.1.13 Traversing In-core Probe (TIP) System 7.7-55a 7.7.2 Analysis 7.7-55b 7.7.2.1 Rod Block Monitor 7.7-56 7.7.2.2 Reactor Manual Control System 7.7-57 7.7.2.3 Rod Sequence Control System 7.7-59 7.7.2.4 Common Power Source, Sensor or Sensor 7.7-60 Line Failure 7.7.2.5 High Energy Line Break/Control System 7.7-62 Failure 7.7.2.6 Anticipated Operational Occurrences 7.7-64 7.7.3 References 7.7-66 7-v HCGS-UFSAR Revision 16 May 15, 2008 LIST OF TABLES Table Title 7.1-1 Instrumentation Systems Identification 7.1-2 Codes and Standards Applicability Matrix for NSSS Control and Instrumentation Equipment 7.1-3 Codes and Standards Applicability Matrix for Non-NSSS Control and Instrumentation Equipment 7.1-4 Separation Requirements for Class 1E Panels, Instrument Racks and Control Boards 7.2-1 Reactor Protection System Instrumentation Ranges 7.2-2 Channels Used for Functional Performance of RPS 7.2-3 Reactor Protection System Response Times 7.3-1 High Pressure Coolant Injection System Instrumentation Ranges 7.3-2 Automatic Depressurization System Instrumentation Ranges 7.3-3 Core Spray Instrumentation Ranges 7.3-4 Low Pressure Coolant Injection Instrumentation Ranges 7.3-5 Primary Containment and Reactor Vessel Isolation Control System Instrument Ranges 7.3-6 Nuclear Steam Supply Shutoff System Isolation Valves/Signals 7-vi HCGS-UFSAR Revision 8 September 25, 1996 LIST OF TABLES (Cont) Table Title 7.3-7 RHR Containment Spray Cooling Mode System Instrumentation Ranges 7.3-8 RHR - Suppression Pool Cooling Mode Instrumentation Ranges 7.3-9 Containment Hydrogen Recombination System Instrumentation Ranges 7.3-10 Hydrogen/Oxygen Analyzer System Instrumentation Ranges 7.3-11 Not Used 7.3-12 Station Service Water System Instrumentation Ranges 7.3-13 Safety Auxiliaries Cooling System Instrumentation Ranges 7.3-14 Primary Containment Instrument Gas System Instrumentation Ranges *7.3-15 Variable Monitored Applicability Matrix for Systems Actuated to Provide Protective Actions 7.3-16 Isolation System Instrumentation Response Times 7.3-17 Emergency Core Cooling System Response Times 7.4-1 Reactor Core Isolation Cooling Instrument Ranges 7.4-2 Remote Shutdown Panel Instrumentation 7.4-3 Remote Shutdown Systems Redundant Instrumentation 7-vii HCGS-UFSAR Revision 12 May 3, 2002 LIST OF TABLES (Cont)

Table Title 7.5-1 Displayed Parameters Important to Safety

7.6-1 IRM System Trips

7.6-2 APRM System Trips

7.6-3 LPRM System Trips 7.6-4 High Pressure/Low Pressure System Interlocks Instrumentation Specifications

7.6-5 Leak Detection System Instrumentation Specifications

7.6-6 RRCS Trip Logic Response

7.6-7 Deleted 7.7-1 Design and Supply Responsibility of Plant Control Systems 7.7-2 Similarity to Licensed Reactors 7.7-3 Refueling Interlock Effectiveness

7.7-4 Seismic Monitoring Instrumentation and Surveillance Requirements

7.7-5 Meteorological Monitoring Instrumentation and Surveillance

Requirements

7-viii HCGS-UFSAR Revision 23 November 12, 2018

LIST OF FIGURES Figure Title 7.1-1 RPS Separation Concept 7.1-2 Nuclear Steam Supply Shut-off System 7.1-3 Emergency Core Cooling Systems (ECCS) Separation Scheme 7.1-4 Main Steam Line Isolation Separation Concept 7.1-5 RCIC Sensor Separation Scheme 7.1-6 Instrument Line Break Analysis, BOC; No HPCI; RCIC Available with ARI 7.1-7 Instrument Line Break Analysis, EOC; No HPCI; RCIC Available with ARI 7.1-8 Vessel Pressure Calculated From the Core - Heatup Analysis 7.1-9 Water level Calculated From the Core - Heatup Analysis 7.1-10 Peak Cladding Temperature Calculated From the Core - Heatup Analysis 7.2-1 Deleted: Refer to Vendor Technical Document PN1-C71-1010-0001 7.2-2 Trip Unit Calibration System 7.3-1 Deleted: Refer to Vendor Technical Document PN1-E41-1030-0064 7-ix HCGS-UFSAR Revision 20 May 9, 2014 LIST OF FIGURES (Cont) Figure Title 7.3-2 Deleted: Refer to Plant Drawing J-55-0 7.3-3 Deleted: Refer to Vendor Technical Document PN1-B21-1030-0021 7.3-4 Deleted: Refer to Plant Drawing J-41-0 7.3-5 Deleted: Refer to Vendor Technical Document PN1-E21-1030-0001 7.3-6 Deleted: Refer to Plant Drawing J-52-0 7.3-7 Deleted: Refer to Vendor Technical Document PN1-E11-1030-0020 7.3-8 Deleted: Refer to Plant Drawing J-51-0 7.3-9 Deleted: Refer to Vendor Technical Document PN1-G33-1020-0416 7.3-10 Deleted: Refer to Plant Drawing J-44-0 7.3-11 Isolation Control System for Main Steam Line Isolation Valves 7.3-12 Isolation Control System Using Motor-Operated Valves 7.3-13 Primary Containment Isolation System 7.3-14 Deleted: Refer to Plant Drawing J-57-0 7.3-15 Deleted: Refer to Plant Drawing J-58-0 7.3-16 Deleted: Refer to Plant Drawing H-89-0 7.3-17 Not Used 7-x HCGS-UFSAR Revision 20 May 9, 2014 LIST OF FIGURES (Cont) Figure Title 7.3-18 Deleted: Refer to Plant Drawing H-83-0 7.3-19 Deleted: Refer to Plant Drawing H-84-0 7.3-20 Deleted: Refer to Plant Drawing J-10-0 7.3-21 Deleted: Refer to Plant Drawing J-11-0 7.3-22 Deleted: Refer to Plant Drawing J-59-0 7.3-23 Deleted: Refer to Plant Drawing H-90-0 7.3-24 Deleted: Refer to Plant Drawing H-88-0 7.3-25 Deleted: Refer to Plant Drawing H-95-0 7.3-26 Deleted: Refer to Plant Drawing J-102-0 7.3-27 Deleted: Refer to Plant Drawing J-105-0 7.3-28 Deleted: Refer to Plant Drawing J-107-0 7.4-1 Deleted: Refer to Vendor Technical Document PN1-E51-1030-0061 7.4-2 Deleted: Refer to Plant Drawings J-49-0 and J-50-0 7.4-3 Deleted: Refer to Vendor Technical Document PN1-C41-1030-0043 7-xi HCGS-UFSAR Revision 20 May 9, 2014 LIST OF FIGURES (Cont) Figure Title 7.4-4 Deleted: Refer to Plant Drawing J-48-0 7.5-1 Deleted: Refer to Plant Drawing J-0600-0 7.5-2 Panel Space Allocation Main Control Area (Sheet 1 of 2). Sheet 2 of 2 deleted: Refer to Plant Drawing J-0602-0 7.5-3 DELETED 7.6-1 Ranges of Neutron Monitoring System 7.6-2 Deleted: Refer to Vendor Technical Document PN1-C51-1010-0028 7.6-3 Detector Drive System 7.6-4 Functional Block Diagram - IRM Channel 7.6-5 APRM Circuit Arrangement - Reactor Protection System Input 7.6-6 Power Range Monitor Detector Assembly Location 7.6-7 Deleted: Refer to Vendor Technical Document PN1-C51-1020-0029 7.6-8 Deleted: Refer to Vendor Technical Document PN1-C22-1030-0052 7.6-9 Final Safety Analysis Report HCGS Redundant Reactivity Control System ARI Valves 7.6-10 Electrical Protection Assemblies (EPAs) in the Power Range Neutron Monitoring System 7.6-11 Hope Creek LPCI Pressure Interlock 7-xii HCGS-UFSAR Revision 20 May 9, 2014 LIST OF FIGURES (Cont) Figure Title 7.6-12 (Deleted) 7.6-13 OPRM Locations and Channel Relationship 7.7-1 Deleted: Refer to Vendor Technical Document PN1-C11-1030-0183 7.7-2 Deleted: Refer to Vendor Technical Document PN1-C11-1050-0095 7.7-3 Reactor Manual Control System Operation 7.7-4 Reactor Manual Control Self-Test Provisions 7.7-5 Eleven-Wire Position Probe 7.7-6 Recirculation Flow Control 7.7-7 (Deleted) 7.7-8 Simplified Diagram Turbine Pressure & Speed Load Control Requirements 7-xiii HCGS-UFSAR Revision 20 May 9, 2014 SECTION 7 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

This section identifies and describes instrumentation and controls (I&C) of systems important to safety and I&C of auxiliary systems that support the systems important to safety. Safety criteria and design bases that are requirements of I&C systems important to safety are identified. Analysis is provided to demonstrate how the requirements are met. Also identified and described are those control systems used during normal plant operation to control processes that may affect plant safety. Descriptions of the systems, their mechanical aspects, and safety functions are provided in other sections. Section 1.7 provides listings of electrical schematics and instrument location drawings that show locations of local instrumentation. 7.1.1 Identification of Systems Important to Safety 7.1.1.1 General The I&C systems important to safety are identified below and addressed in detail in subsequent sections of Section 7. Table 7.1-1 tabulates I&C systems and designates those built by the Nuclear Steam Supply System (NSSS) supplier (GE) and those designed and built by others. Table 7.1-1 also indicates similarity of Hope Creek Generating Station (HCGS) I&C to other plants' systems that have applied for or received a construction permit or operating license. 7.1-1 HCGS-UFSAR Revision 0 April 11, 1988 7.1.1.2 Protection Systems Protection systems are those I&C systems that initiate safety actions to mitigate the consequences of a design basis accident (DBA). The protection systems include the Reactor Protection (trip) System (RPS) discussed in Section 7.2, and the initiation of the Engineered Safety Features (ESF) Systems discussed in Section 7.3. 7.1.1.3 Engineered Safety Feature Systems (Controls) The ESF control systems regulate the operation of ESF systems following their initiation by the protection system. These ESF systems are identified below and described in Section 7.3. NSSS ESF systems include the following: 1. Emergency Core Cooling System (ECCS) a. High Pressure Coolant Injection (HPCI) System b. Automatic Depressurization System (ADS) c. Core Spray System d. Low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System. 2. Primary Containment and Reactor Vessel Isolation Control Systems (PCRVICS) 3. Residual heat removal - containment spray cooling mode (CSCM) 4. Residual heat removal - suppression pool cooling mode (SPCM). 7.1-2 HCGS-UFSAR Revision 0 April 11, 1988 Non-NSSS ESF systems include the following: 1. Primary Containment Isolation System (PCIS) 2. Containment Atmosphere Control System (CACS) a. Vacuum Relief Valve System (VRVS). 3. Main Control Room Habitability and Isolation System (MCRHIS) 4. NOT USED 5. Filtration, Recirculation, and Ventilation System (FRVS) 6. Reactor Building Ventilation Isolation System (RBVIS) 7. The following essential auxiliary supporting systems (EASS) are necessary to support ESF systems operation: a. Station Service Water System (SSWS) b. Safety Auxiliaries Cooling System (SACS) c. Class 1E power systems d. Primary Containment Instrument Gas System (PCIGS) e. ESF Equipment Area Cooling System (ESF-EACS) f. Control Area Chilled Water System (CACWS). 7.1-3 HCGS-UFSAR Revision 15 October 27, 2006 7.1.1.4 Systems Required for Safe Shutdown The systems required for safe shutdown are those control systems that are used to achieve and maintain a safe shutdown condition of the plant. The systems and facilities required for safe shutdown are described in Section 7.4 and listed below: 1. Reactor Core Isolation Cooling (RCIC) System 2. Standby Liquid Control (SLC) System 3. Residual heat removal - reactor shutdown cooling mode (RHR-RSCM) 4. Remote Shutdown System (RSS) 5. EASS necessary to support safe shutdown system operation: a. SSWS b. SACS c. Class 1E power systems d. Safe Shutdown Equipment Area Ventilation Systems (SSEAVS). 7.1.1.5 Safety-Related Display Instrumentation (Information Systems Important to Safety) The safety-related display instrumentation (information systems important to safety) provides information for manual initiation and control of safety functions, indication that plant safety functions are being accomplished, and information from which appropriate actions can be taken to mitigate the consequences of anticipated operational occurrences and accidents. Information systems important to safety also include information on the bypassed or 7.1-4 HCGS-UFSAR Revision 0 April 11, 1988 inoperable status of safety systems. The information systems important to safety are identified below and are discussed in Section 7.5: 1. Control Rod Position Indication System (CRPIS) 2. Bypassed and Inoperable Status Indication System (BISIS) 3. Plant Computer Systems (PCS) 4. Post-Accident Monitoring Instrumentation (PAMI). 5. Startup and Transient Monitoring System (STMS) 6. Safety Relief Valve Position Indication System (SRVPIS) 7. DELETED 7.1.1.6 All Other Instrumentation Systems Required for Safety (Interlock Systems Important to Safety) All other instrumentation systems required for safety include interlock systems important to safety that operate to reduce the probability of occurrence of specific events or to maintain safety systems in a state to ensure their availability in an accident. These systems and other safety systems are listed below and discussed in Section 7.6: 1. Process Radiation Monitoring System (PRMS) 2. High Pressure/Low Pressure System Interlocks (HPLPSI) 3. Leak Detection System (LDS) 4. Neutron Monitoring System (NMS) 5. Recirculation pump trip (RPT) controls and instrumentation 7.1-5 HCGS-UFSAR Revision 14 July 26, 2005

6. Main steam safety/relief valves (SRVs) - relief function 7. Redundant Reactivity Control System (RRCS) 8. Safety System/Nonsafety System Isolation (SSNSSI). 7.1.1.7 Control Systems Not Required for Safety The control systems not required for safety are those used during normal operation and are not relied upon to perform safety functions following anticipated operational occurrences or accidents. These control systems are listed below and discussed in Section 7.7: 1. Reactor Manual Control System (RMCS) 2. Recirculation Flow Control System (RFCS) 3. Feedwater Control System (FCS) 4. Refueling interlocks 5. Pressure Regulator and Turbine Generator System (PRTGS) 6. Reactor Water Cleanup (RWCU) System 7. Area Radiation Monitoring Systems (ARMS) 8. Radwaste systems 9. Fuel Pool Cooling and Cleanup System (FPCS). 7.1.2 Identification of Safety Criteria This section identifies safety criteria for I&C systems important to safety. These criteria establish the design, fabrication, construction, testing, and performance requirements. Safety 7.1-6 HCGS-UFSAR Revision 0 April 11, 1988 criteria include design bases, general design criteria (GDC) from 10CFR50, Appendix A, and guidelines. The criteria and guidelines considered in the design of HCGS NSSS furnished I&C systems important to safety are listed in Table 7.1-2. The GDC and the Regulatory Guides considered in the design of HCGS non-NSSS furnished I&C systems important to safety are listed in Table 7.1-3. See Section 1.10 for discussion of compliance with TMI Action Plan (NUREG 0737 and 0694) requirements for I&C systems. All HCGS safety-related instrumentation and controls equipment used in safety-related systems are subject to 10CFR50, Appendix B, as shown in Table 3.2-1. Note 7 to Table 3.2-1 specifically identifies this requirement. All safety-related instrumentation and controls furnished under GE scope of supply meet the quality assurance requirements of 10CFR50, Appendix B, in accordance with GE's QA program. This program is outlined in GE's document NEDO-11209 and has been accepted by the NRC. Periodic audits conducted by NRC, PSE&G, and GE's internal audit system have provided assurance that the QA program has been properly implemented. All safety-related controls and instrumentation have been identified and documented for traceability under the approved QA program. Necessary QA documentation has been maintained, including certifications and/or reports pertaining to all safety-related devices. NSSS records are proprietary items and can be made available for inspection on a specific request basis. 7.1.2.1 Design Bases Refer to Sections 7.2 through 7.6 for discussion of design bases for each system important to safety. 7.1-7 HCGS-UFSAR Revision 0 April 11, 1988 7.1.2.1.1 Single Failures of Passive Electrical Components Single failures of passive components in electrical systems are assumed in the design of HCGS safety systems. Refer to Sections 7.1, 7.2, 7.3, 7.4, and 7.6 for further discussions. Passive electrical failures will not impair the proper functioning of safety systems; such failures have been included in the analyses described in Section 15. 7.1-8 HCGS-UFSAR Revision 7 December 29, 1995 Page intentionally Blank 7.1-9 HCGS-UFSAR Revision 7 December 29, 1995 Page intentionally Blank 7.1-10 HCGS-UFSAR Revision 7 December 29, 1995 7.1.2.2 Conformance to 10CFR50 Appendix A - General Design Criteria (GDC) General conformance to General Design Criteria (GDC) for Nonnuclear Steam Supply System (NSSS) safety-related control and instrumentation systems is addressed in Section 3.1. GDC that apply to safety-related systems are discussed in detail in the analysis portions of Sections 7.2, 7.3, 7.4, 7.5, and 7.6. The following is a general discussion of those GDC that apply to NSSS safety-related control and instrumentation (I&C) systems: 1. GDC 1, Quality Standards and Records - All systems required for safety are designed and built in accordance with an established quality assurance program. 2. GDC 2, Design Bases for Protection Against Natural Phenomena - All systems required for safety are designed to withstand the effects of natural phenomena without loss of capability to perform their safety functions. 3. GDC 3, Fire Protection - All systems and components required for safety are designed and located to minimize the probability and effect of fires and explosions. Materials that are heat-resistant and noncombustible have been chosen wherever practicable. 4. GDC 4, Environmental and Missile Design Basis - Systems and components required for safety are designed to accommodate the effects of and be compatible with the environmental conditions associated with normal operations, maintenance, testing, and postulated accidents, including LOCAs. These systems and components are appropriately protected against dynamic events such as missiles and pipe whipping. 7.1-11 HCGS-UFSAR Revision 0 April 11, 1988
5. GDC 5, Sharing of Structures, Systems, and Components - Systems and components required for safety are not shared with any other nuclear power unit. 6. GDC 10, Reactor Design - The reactor core and associated coolant, control, and protection systems are designed with appropriate margins to ensure that specified acceptable fuel design limits will not be exceeded during any condition of normal operation, including the effects of anticipated operational occurrences. 7. GDC 12, Suppression of Reactor Power Oscillations - The instrumentation and control systems are designed to readily detect and initiate action to suppress reactor power oscillations. 8. GDC 13, Instrumentation and Control - Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions, and to control these variables and systems to ensure adequate safety. 9. GDC 15, Reactor Coolant System Design - The Reactor Coolant System I&C systems are designed to ensure that the design conditions of the reactor coolant pressure boundary (RCPB) are not exceeded. 10. GDC 19, Control Room - Controls and instrumentation are provided within the main control room complex for all safety-related systems. The reactor can also be shut down in an orderly manner from outside the control room as described in Section 7.4.1.4. 11. GDC 20, Protection System Functions - The protection systems are designed to sense accident conditions and 7.1-12 HCGS-UFSAR Revision 0 April 11, 1988 automatically initiate the operation of appropriate systems important to safety to ensure that specified fuel design limits are not exceeded. 12. GDC 21, Protection System Reliability and Testability - The high reliability relay and switch devices are arranged in two redundant divisions and maintained separately. Testing is covered in the discussion on conformance to Regulatory Guide 1.22. 13. GDC 22, Protection System Independence - The protection systems are designed with independence through redundancy or functional diversity to prevent loss of the protection function. 14. GDC 23, Protection System Failure Modes - The protection systems are designed to fail in a safe direction during anticipated operational occurrences including postulated adverse environments. No single credible event can cause any protection system to fail in an unsafe direction. 15. GDC 24, Separation of Protection and Control Systems - The protection systems are separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to both, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. 16. GDC 25, Protection System Requirements for Reactivity Control Malfunctions - The Reactor Protection System (RPS) is designed so that fuel design limits are not exceeded even with any single malfunction of the reactivity control system. 7.1-13 HCGS-UFSAR Revision 0 April 11, 1988
17. GDC 29, Protection Against Anticipated Operational Occurrences - The protection and reactivity control systems are designed to ensure an extremely high probability of accomplishing their safety function in the event of an anticipated operational occurrence. 18. GDC 30, Quality of Reactor Coolant Pressure Boundary - Pressure, level, and flow sensors that penetrate the RCPB have the highest practical quality standards. 19. GDC 33, Reactor Coolant Makeup - Reactor coolant makeup is provided to ensure that specified acceptable fuel design limits are not exceeded because of reactor coolant losses. 20. GDC 34, Residual Heat Removal - The Residual Heat Removal (RHR) System is provided to remove reactor residual heat to ensure that the specified acceptable fuel design limits are not exceeded even assuming a single failure. 21. GDC 35, Emergency Core Cooling - An Emergency Core Cooling System (ECCS) is provided to ensure cooling of the reactor following any loss of reactor coolant at undesirable rates even assuming a single failure. Appropriate isolation and leak detection systems are also provided. 22. GDC 37, Testing of Emergency Core Cooling System - The ECCS is designed to permit appropriate periodic pressure and functional testing including the controls that bring the system into operation. Appropriate isolation and display instrumentation systems are also provided. 23. GDC 38, Containment Heat Removal - Containment spray and suppression pool cooling systems are provided to ensure heat removal from the reactor containment following any loss-of-coolant accident (LOCA) even assuming a single failure. 7.1-14 HCGS-UFSAR Revision 0 April 11, 1988
24. GDC 40, Testing of Containment Heat Removal System - The containment spray, suppression pool cooling, and display instrumentation are designed to permit appropriate periodic and functional testing including the controls that bring the system into operation. 25. GDC 54, Piping Systems Penetrating Containment - Leak detection is provided for reactor core isolation cooling (RCIC), ECCS, main steam lines, and reactor water cleanup (RWCU) lines penetrating the containment. 26. GDC 60, Control of Releases of Radioactive Materials to the Environment - The nuclear power unit is designed to control the release of radioactive material from gaseous, liquid, and solid effluents to within prescribed limits through monitoring the release points and processing of effluents. 7.1.2.3 Conformance to IEEE Standards Conformance to IEEE standards (other than IEEE 279-1971) for non-NSSS safety-related I&C systems is addressed by the regulatory guides that endorse them, as discussed in Section 7.1.2.4. The following is a discussion of those IEEE standards that apply to NSSS safety-related systems described in Chapter 7: IEEE standards that apply to NSSS safety-related systems are also discussed in the applicable analysis portions of Sections 7.2, 7.3, 7.4, and 7.6. 1. Conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations - Conformance to IEEE 279-1971 is presented on a system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6. As required by IEEE Standard 279, capability for at power testing has been provided in the design of the HCGS safety 7.1-15 HCGS-UFSAR Revision 0 April 11, 1988 systems. Conformance to the guidance specified in regulatory Guide 1.118 and correspondingly, IEEE Standard 338, is as stated in Section 1.8.1.118. The analysis portions of the various system descriptions in Section 7 describe the methods by which the safety system designs satisfy the testability requirements of IEEE Standard 279. The specific sections covering the testability of these systems are listed below: RPS - 7.2.1.2 ECCS - HPCI 7.3.1.1.1.1(3) - ADS 7.3.1.1.1.2(3) - CORE SPRAY 7.3.1.1.1.3(3) - RHR-LPCI 7.3.1.1.1.4(3) PCRVICS 7.3.1.1.2(4) RHR-CSCM 7.3.1.1.3(3) RHR-SPCM 7.3.1.1.4(3) PCIS 7.3.1.1.5(10) CACS - Supp. Chamber to 7.3.1.1.6.1(3) Drywell Press. Relief - RB to Supp. Chamber 7.3.1.1.6.2(3) Press. Relief Sys. - HOAS 7.3.1.1.6.3(3) - CHRS 7.3.1.1.6.4(3) MCRHIS 7.3.1.1.7(10) FRVS 7.3.1.1.9 RBVIS 7.3.1.1.10(8) EAS - SSWS 7.3.1.1.11.1(3) - SACS 7.3.1.1.11.2(3) PCIGS 7.3.1.1.1.11.4(3) CACWS 7.3.1.1.1.11.5(3) EACS - RBEAC 7.3.1.1.11.6.1(3) - ABDA 7.3.1.1.11.6.2(3) - ABCA 7.3.1.1.11.6.3(3) - SWIS 7.3.1.1.11.6.4(3) 7.1-16 HCGS-UFSAR Revision 12 May 3, 2002 RCIC 7.4.1.1.3 SLC 7.4.1.2.3 RRCS 7.6.2.7.2(2) 7.6.2.7.2(14) 7.6.2.7.4.1 Design drawings in the form of elementary diagrams, P&IDs, logic diagrams, instrument location drawings, and electrical drawings that describe this capability are listed in Tables 1.7-1, 1.7-2, and 1.7-3. In response to the NRC's request for additional information during the meeting of January 11, 1984, review of the systems identified above, with the exception of the Reactor Protection System (RPS), Reactor Core Isolation Cooling (RCIC) System, Standby Liquid Control (SLC) System, and Redundant Reactivity Control System (RRCS) was performed. The review examined the capability for the at power testing of all circuits and sensors used in these systems. All actuated contacts and devices were considered. The review did not identify any device or circuit bypassing methods, other than those specifically permitted by position C6 of Regulatory Guide 1.118, needed for ESF at power testing. Built-in test jacks, which provide connections for plug in test switches, built-in test switches, and normal operational equipment provide this testing capability as shown on the system elementary diagrams. During testing, redundant channels or systems are available to provide the safety function. During the review, the at power testability of an item was established if an affirmative response could be verified for the following three questions: 7.1-17 HCGS-UFSAR Revision 1 April 11, 1989
a. Is the item sufficiently accessible to conduct the test during normal operation? b. Is the item sufficiently isolable to permit its safety elated function to be verified or is a safety elated system or subsystem encompassing the item isolable and testable? c. Does any bypassing method that must be used to accomplish the test conform to position C6 of Regulatory Guide 1.118? By these criteria, for the NSSS safety systems reviewed two items were judged to be untestable at power, the ADS SRVs, which would cause depressurization if tested, and the steam tunnel temperature elements, which are inaccessible. The reliability and redundancy of the ADS instrumentation, logic, and actuation devices and the multiplicity of the SRVs adequately justify the lack of ADS at power testability. Adequate element multiplicity and comparison tests of at power output signals and electrical characteristics preclude the need for change of state testability of the steam tunnel temperature elements. By these criteria, for the non-NSSS safety systems reviewed the following items were judged to be untestable at power: a. PCIS - the LOCA signals of reactor low level (level 1), drywell high pressure, or manual initiation originating from core spray system relays K18A-D do not satisfy the criteria of question b above. This affects actuation signals to close 43 containment isolation valves, to trip 16 MCC breakers, and to initiate control room isolation. The affected equipment 7.1-18 HCGS-UFSAR Revision 0 April 11, 1988 is identified on Plant Drawing J-102-0 (Sheets 3 through 6) and Plant Drawing J-105-0 (Sheets 3 and 4). All other methods for actuation of this equipment can be verified at power; only this particular actuation signal can not be tested. b. PCIS - the coincidence circuitry for the Reactor Building area and refueling floor area high-high radiation signals do not satisfy the criteria of question b above. The individual high-high radiation signals can be verified up to the input buffers of the logic modules but must be tested one at a time since each signal is transmitted (through isolation devices) to all 4 channels of the PCIS simultaneously. See Plant Drawing J-102-0 (Sheets 6 through 9). This only affects the logic circuitry of the PCIS itself and does not inhibit the testing of the actual actuation signals from the PCIS to the individual actuated components. PSE&G plans to conduct that at power surveillance testing prescribed by the BWR 4 version of the NRC's Standard Technical Specifications. As surveillance procedures have become available and implemented, subsequent reviews have identified the need to utilize temporary alterations required for the proper performance of certain at power surveillance tests. When temporary alterations are utilized, they are strictly controlled by an administrative program which has been designed to implement the applicable recommendations of IE Information Notice 84-37. 2. Assessment to IEEE 323-1971, Qualifying Class 1E Equipment for Nuclear Power Generating Stations - Written procedures and responsibilities are developed for the design and 7.1-19 HCGS-UFSAR Revision 20 May 9, 2014 qualification of all Class 1E equipment. This includes preparation of specifications, qualification procedures, and documentation. NSSS qualification testing or analysis is accomplished prior to release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. Refer to Section 17 and Sections 3.10 and 3.11 for a complete description of conformance, including a discussion of the environmental qualification program. 3. Assessment to IEEE 338-1971, Periodic Testing of Nuclear Power Generating Stations - Assessment to IEEE 338 is presented on a system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6 as part of the discussion of Regulatory Guide 1.22 compliance. 4. Assessment to IEEE 344-1971, Seismic Qualification of Class 1E Equipment - Although not a design basis, all safety-related I&C equipment is classified as Seismic Category I, designed to withstand the effects of a safe shutdown earthquake (SSE) and remain functional during normal and accident conditions. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10 and Table 3.2-1. 5. Conformance to IEEE 379-1972, Application of Single-Failure Criterion to Nuclear Power Generating Stations - Conformance to IEEE 379 is covered for each system in the analysis of IEEE 279, Paragraph 4.2, in Sections 7.2, 7.3, 7.4, and 7.6. 6. An assessment to IEEE 384-1974, Independence of Class 1E Equipment and Circuits - The safety-related systems described in Sections 7.2, 7.3, 7.4, and 7.6 follow the 7.1-20 HCGS-UFSAR Revision 0 April 11, 1988 independence and separation criteria for redundant systems in accordance with IEEE 279, Paragraph 4.6. The electrical power supply, instrumentation, and control wiring for redundant safety-related circuits are physically separated to preserve redundancy and ensure that no single credible event prevents completion of the protective function. Credible events include, but are not limited to, the effects of short circuits, pipe rupture, pipe whip, high pressure jets, missiles, fire, earthquake, and falling objects, and are considered in the basic plant design. The independence of tubing, piping, and control devices for safety-related I&C is achieved by physical space or barriers between separation groups of the same protective function. The criteria and bases for the independence of safety-related I&C, electrical equipment, cable, cable routing marking, and cable derating, are discussed in Sections 8.1.4.14 and 8.3.1. Fire detection and protection in the areas where wiring is installed is described in Section 9.5.1. 7.1.2.4 Conformance to Regulatory Guides Conformance to regulatory guides for non-NSSS systems is addressed in Section 1.8. The applicability of regulatory guides to each non-NSSS system is found in Table 7.1-3. Any differences in implementation of regulatory guides among systems are discussed in the sections in which specific systems are addressed. The statements on the degree of conformance to various regulatory guides which follow are intended to demonstrate an overall safety system level of compliance for NSSS systems. The applicability of 7.1-21 HCGS-UFSAR Revision 0 April 11, 1988 the conformance statements to each system is found in Table 7.1-2. Each individual system analysis discussion defines any difference in the degree of conformance to a particular regulatory guide. 1. Assessment to Regulatory Guide 1.11, Instrument Lines Penetrating Containment, February 1972 - All instrument lines penetrating or connected directly to the primary containment atmosphere, which are part of safety-related systems, follow the requirements of Regulatory Position C.1. This is accomplished by the following: a. Redundance b. Independence c. Allowing for safety system testability d. Line orificing or sizing e. Including automatic line shutoff capability if line integrity is lost. Refer also to Section 6.2.4. 2. Assessment to Regulatory Guide 1.21, Measuring Radioactive Effluents, June 1974 - The process radiation monitoring system is designed for measurement and evaluation of radioactive material releases. 3. Conformance to Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions, February 1972 - With respect to Paragraph D.3 of Regulatory Guide 1.22, administrative controls are considered "positive means" to limit the expansion of a bypass to redundant or diverse systems. Collective annunciation of bypassing by manual means is considered to satisfy the guidelines. System descriptions for each system are provided in Sections 7.2, 7.3, 7.4, and 7.6. 7.1-22 HCGS-UFSAR Revision 0 April 11, 1988
4. Conformance to Regulatory Guide 1.29, Seismic Design Classification, September 1978 - All NSSS safety-related instrumentation and control equipment is classified as Seismic Category I and is designed to withstand the effects of an SSE and remain functional during normal and accident conditions. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10 and Table 3.2-1. 5. Assessment to Regulatory Guide 1.30-August 1972, Quality Assurance Requirements for Instrumentation and Electrical Equipment - While not a design basis, the quality assurance requirements are applied during the plant design and construction phases and will also be implemented as an operational quality assurance program during plant operation in meeting the intent of Regulatory Guide 1.30. The specific requirements of Regulatory Guide 1.30 are met as discussed in Section 17. 6. Assessment to Regulatory Guide 1.45, Reactor Coolant Pressure Boundary Leakage Detection Systems, May 1973 - The RCPB leakage detection systems are provided to detect and, to the extent practical, identify the location(s) of the source of reactor coolant leakage. Further discussion is provided in Section 5.2.5. 7. Conformance to Regulatory Guide 1.47, Bypass and Inoperable Status Indication for Nuclear Power Plant Safety Systems, May 1973 - Each safety-related system described in Sections 7.2, 7.3, 7.4, and 7.6 is provided with an automatic or operator initiated system level bypass or inoperability annunciator type of display. Bypassed and inoperable status indication has been provided on a system level basis for all HCGS safety-related systems meeting the criteria established by 7.1-23 HCGS-UFSAR Revision 7 December 29, 1995 Section B of Regulatory Guide 1.47. The Bypassed and Inoperable Status Indication System (BISIS), discussed in revised Section 7.5.1.3.2, is the result of the application of the regulatory positions set forth in Section C of Regulatory Guide 1.47 to the HCGS safety-related systems. The BISIS is a collection of indicating lights from the various safety-related systems (listed in Section 7.5.1.3.2) for which bypassed and inoperable status indication is required by Regulatory Guide 1.47. These systems are designed in accordance with the specific requirements of Regulatory Guide 1.22 (including D.3a and 3b) to the degree stated in Section 1.8.1.22. System design drawings showing conformance to Regulatory Guides 1.22 and 1.47 have been provided to the NRC under separate cover and are listed on Tables 1.7-1, 1.7-2, and 1.7-3. The BISIS associated indications are included in Table 7.5-1. 8. Conformance to Regulatory Guide 1.53, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems, June 1973 - Hope Creek Generating Station (HCGS) is in conformance with this guide which provides that protection systems meet Section 4.2 of IEEE 279-1971, in that any single failure within the protection systems does not prevent proper protective action at the system level when required. Conformance is achieved by specifying, designing, and constructing the engineered safety features (ESFs) to meet the single failure criterion, Section 4.2 of IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, and IEEE 379-1972, IEEE Trial-Use Guide for the Application of the Single-Failure 7.1-24 HCGS-UFSAR Revision 0 April 11, 1988 Criterion to Nuclear Power Generating Station Protection System. See the System Descriptions heading in Sections 7.2, 7.3, 7.4, and 7.6 for a discussion of details for each system. 9. Conformance to Regulatory Guide 1.62, Manual Initiation of Protective Actions, October 1973 - HCGS is in conformance with this guide which provides that manual initiation of each protective action at the system level be provided, that such initiation accomplish all actions performed by automatic initiation, and that protective action at the system level goes to completion once manually initiated. In addition, manual initiation is by switches readily accessible in the control room, and a minimum of equipment is used in common with automatically initiated protective action. Minimization of shared circuits is achieved by actuation as close to final devices as possible. Means are provided for manual initiation of the primary containment and reactor vessel isolation control system, the ECCSs, and for the Reactor Protection System (RPS) scram at the system level through the use of armed push buttons. Once initiated, the manual protective action goes to completion. 10. Conformance to Regulatory Guide 1.63, Electric Penetration Assemblies in Containment Structures for Light Water Cooled Nuclear Power Plants, October 1973 - See Section 1.8. 11. Assessment to Regulatory Guide 1.68, Preoperational and Initial Startup Test Programs for Water Cooled Power Reactors, November 1973 - Assessment to Regulatory Guide 1.68 is discussed in Section 1.8. 12. Assessment to Regulatory Guide 1.73, Qualification Tests of Electric Valve Operators Installed Inside the 7.1-25 HCGS-UFSAR Revision 0 April 11, 1988 Containment of Nuclear Power Plants, January 1974 - Assessment to Regulatory Guide 1.73 is discussed in Section 3.11.2. 13. Conformance to Regulatory Guide 1.75, Physical Independence of Electric Systems, January 1975 - A complete description of physical and electrical separation criteria is presented in Section 8.1.4.14. The extent of implementation of the requirements of Regulatory Guide 1.75 covers physical separation between divisions of essential systems and between essential systems and essential circuits being maintained for all essential NSSS systems except the Neutron Monitoring System (NMS) and the Process Radiation Monitoring System (PRMS), which are justified by analysis. 14. Assessment to Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants, November 1974 - Regulatory Guide 1.89 is not a design basis for HCGS; however, equipment is qualified following the guidelines of IEEE 323-1971 as discussed in Section 3.11.2. Also refer to Section 3.11 for discussion of the environmental qualification program. 15. Assessment to Regulatory Guide 1.100, Seismic Qualifications of Electrical Equipment for Nuclear Power Plants, March 1976 - While not a design basis, the extent of conformance to Regulatory Guide 1.100 is discussed in Section 3.10. 16. Assessment to Regulatory Guide 1.105, Instrument Setpoints, November 1975 - While not a design basis, the design supplied includes the trip setpoint (Instrument Setpoint), allowable value (Technical Specification Limit). The analytical limit (design basis limit), Technical Specifications Limit and nominal setpoint are all appropriately separated from each other based upon 7.1-26 HCGS-UFSAR Revision 0 April 11, 1988 instrument accuracy, calibration capability, and design drift data. The setpoints are within the instrument accuracy range. The established setpoints provide margin to satisfy both safety requirements and plant availability objectives. 17. Assessment to Regulatory Guide 1.118, Periodic Testing of Electrical Power and Protection Systems, June 1978 - This regulatory guide, which endorses modified IEEE 338-1977, is not part of the design basis for HCGS. Discussion of IEEE 338 is presented on a system by system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6. In a letter dated February 24, 1986 (C. A. McNeill, PSE&G, to E. Adensam, NRC), PSE&G identified the need to utilize lifted leads and jumpers for certain at power surveillance testing. With these certain exceptions, related to the use of temporary alterations during the performance of required at power surveillance tests, the Hope Creek design is in compliance with RG 1.118. For each exception where temporary alterations are required (e.g., lifting leads and jumpers), PSE&G committed to follow the guidance in Office of Inspection and Enforcement (IE) Information Notice 84-37, "Use of Lifted Leads and Jumpers During Maintenance or Surveillance Testing" which recommends a combination of administrative controls and functional tests to verify the restoration of proper system configuration following surveillance tests. This will provide reasonable assurance that the instrumentation will be restored to the correct configuration following surveillance testing where lifted leads and jumpers are needed. 7.1-27 HCGS-UFSAR Revision 0 April 11, 1988 7.1.2.5 Independence of Safety-Related Systems The safety-related I&C required to provide protective actions are physically arranged and separated to retain the minimum required equipment functional capability following a design basis accident (DBA). Figure 7.1-1 shows the RPS separation concept. The Nuclear Steam Supply Shutoff System (NSSSS) separation concept is shown on Figure 7.1-2. The ECCS separation scheme is shown on Figure 7.1-3. Figure 7.1-4 shows the main steam line isolation separation concept. Figure 7.1-5 is a layout of the RCIC sensor separation scheme. 7.1.2.5.1 Physical Separation The HCGS RPS cabinets (10C609, 10C611, 10C622 and 10C623) meet the requirements of IEEE Standard 384 as modified and endorsed by Regulatory Guide 1.75, as stated in Section 1.8.1.75. Cabinet lighting and receptacle power circuits are physically separated from RPS circuits by being routed in metallic conduit or by structural steel barriers. Physical separation between non-Class 1E and Class 1E instrumentation and control circuits is provided in panels, instrument racks and control boards in accordance with IEEE Standard 384, as modified and endorsed by Regulatory Guide 1.75 as stated in Section 1.8.1.75. Table 7.1-4 provides a listing of Class 1E panels, instrument racks and control boards reviewed for the separation requirements of IEEE Standard 384. Instrument racks are separated into channels. No two redundant piped or tubed safety-related instruments are located on the same rack. Where a 6-inch air space cannot be maintained between instrumentation and control circuits of different channels (both 7.1-28 HCGS-UFSAR Revision 0 April 11, 1988 Class 1E to Class 1E and Class 1E to non-Class 1E), barriers are provided in accordance with IEEE Standard 384. These barriers are metallic conduit, structural steel barriers, or non-metallic wrap (Havey Industries Siltemp Sleeving Type S or Siltemp Woven Tape Type WT65). The metallic conduit and structural steel barriers are noncombustible materials. The nonmetallic wrap (Siltemp) was successfully tested for use as an isolation barrier (reference Wyle Laboratories Test Report Number 56669). At HCGS, three isolation devices are used which do not satisfy the 6 inch air space requirement and, by design, barriers of the type identified above are not feasible. The 6 inch air space requirement is maintained for wiring associated with these devices except at the device itself where the separation is maintained not less than the physical distance between the input and output terminals of the isolation device. These devices are: 1. Analog isolator, model 156 - provides Class 1E to non-Class 1E isolation for low level analog inputs to the plant computer, 2. Struthers Dunn type 219 relay - provides Class 1E to non-Class 1E isolation for inputs to the plant annunciator (125 V dc contact interrogation voltage is used by the plant annunciator), 3. Allen Bradley model 700-200A12P relay - provides Class 1E to non-Class 1E isolation for inputs to the plant annunciator. These devices are fully qualified for their application as described in Section 7.1.2.5.2. Single failure analyses were performed to support air spaces less than 6 inches for the Neutron Monitoring System Panel (1OC608) and the Process Radiation Monitoring System Panels (1OC635 and 1OC636). This report was submitted under separate cover (R. L. Mittl to A. 7.1-29 HCGS-UFSAR Revision 0 April 11, 1988 Schwencer dated September 7, 1984). Subsequently, this report was revised and submitted in the following letters, R. L. Mittl to W. Butler, dated October 30, 1985 and C. A. McNeill to E. Adensam dated December 16, 1985. These letters confirmed that all safety-related cables within the NMS and PRMS panels either conformed to the criteria of RG 1.75 or were wrapped in the previously approved Sil-Temp tape with the following exception. The NMS input leads to the Redundant Reactivity Control System (RRCS) within these panels do not conform to the separation criteria discussed above. However, the NRC has reviewed the pertinent information regarding the RRCS and its divisional separation criteria and concludes that the failure RRCS (and its subsystems) will not adversely affect any safety system. Therefore, the separation criteria used within the NMS and PRMS panels are acceptable. It should be noted that the RRCS as an anticipated transient without scram (ATWS) prevention and mitigation design is subject to the requirements of a recently published rule (10CFR50.62) on this subject. No associated circuits have been identified in the non-NSSS panels, instrument racks, or control boards. Internal wiring identification is done using color code insulation or insulation marked with color coded tape. For panel sections of one channel only, internal wiring identification may not be done. Where common terminations are used, the requirements of IEEE Standard 384 are satisfied as stated above. Electrical equipment and wiring for the Reactor Protection System (RPS), the Nuclear Steam Supply Shutoff Systems (NSSSS) and the Engineered Safeguards Subsystems (ESS) are segregated into separate divisions designated I and II, etc., such that no single credible event is capable of disabling sufficient equipment to prevent reactor shutdown, removal of decay heat from the core, or closure of the NSSSS valves in the event of a design basis accident. No single control panel section (or local panel section or instrument rack) includes wiring essential to the protective 7.1-30 HCGS-UFSAR Revision 0 April 11, 1988 function of two systems that are backups for each other (Division I and Division II) except as allowed below: 1. If two panels containing circuits of different separation divisions are less than 3 feet apart, there shall be a steel barrier between the two panels. Panel ends closed by steel end plates are considered to be acceptable barriers provided that terminal boards and wireways are spaced a minimum of one inch from the end plate. 2. Floor-to-panel fire proof barriers must be provided between adjacent panels having closed ends. 3. Penetration of separation barriers within a subdivided panel is permitted, provided that such penetrations are sealed or otherwise treated so that an electrical fire could not reasonable propagate from one section to the other and destroy the protective function. 4. Where, for operational reasons, locating manual control switches on separate panels is considered to be prohibitively (or unduly) restrictive to normal functioning of equipment, then the switches may be located on the same panel provided no single event in the panel can defeat the automatic operation of the equipment. With the exception of panels 10C608, 10C635 and 10C636, internal wiring of the NSSS panels and racks has color coded insulation. Associated circuits are treated within a panel or rack in the same manner as the essential circuits. Where common terminations are used, the requirements of IEEE Standard 384 are satisfied. Electrical protection assemblies have been added between the power range NMS panel (10C608) and its two 120 V ac UPS power feeders as described in Section 7.6.1.4.2. 7.1-31 HCGS-UFSAR Revision 0 April 11, 1988 7.1.2.5.2 Electrical Isolation Isolator qualification included testing to demonstrate the capability of the isolator to perform its intended function (isolation) when subjected to conditions of maximum credible "hot short" voltage or short circuit current (where applicable) unless it could be demonstrated that the physical layout of the isolation system precluded this event from happening. Further, the maximum credible "hot short" voltage or short circuit current was applied in the transverse mode (signal to return) when testing. The methodology used in calculating the maximum credible "hot short" voltage and short circuit current values is described by the following: A. Assumptions: 1. Maximum "hot short" voltage conditions occur when the phase conductors of one cable become faulted with the phase conductors of a higher voltage cable without shorting to ground. 2. Maximum "hot short" voltage conditions and short circuits (to ground) do not occur simultaneously. 3. Maximum short circuit current is based on maximum connected source voltage and cable impedance. 4. None of the non-Class 1E electrical protection devices (i.e., fuses, circuit breakers, etc.) function to remove the fault identified in Assumption 3. 5. Cable impedance is based on temperature at 10C for conservatism. Actual temperature is expected to be higher, which would result in lower short circuit currents than those calculated at 10C. 7.1-32 HCGS-UFSAR Revision 0 April 11, 1988 B. Maximum credible "hot short" voltage calculation methodology: 1. The adjacent cable with the highest voltage potential that could be shorted to the cable of concern is determined from engineering drawings. 2. A 10 percent factor representing nominal voltage fluctuations is then added to the voltage potential of the cable identified in Step 1. 3. The maximum credible "hot short" voltage is then calculated by adding the fault voltage obtained in Step 2 to the nominal voltage of the cable of concern. C. Maximum credible short circuit current calculation methodology: 1. Calculate the maximum voltage from the normal source by summing the rated voltage, the voltage due to nominal voltage fluctuations, and where applicable, the voltage due to transformer tap fluctuations. 2. Calculate the cable impedance by multiplying the length of the cable of concern (actual constructed length or 95 percent of engineered length if actual constructed length is not available) by the impedance per length value (based on 10C) obtained from the manufacturer's specifications for the particular cable type and size. 3. The maximum credible short circuit current is then calculated by dividing the maximum voltage value obtained in Step 1 by the cable impedance value obtained in Step 2. 7.1-33 HCGS-UFSAR Revision 0 April 11, 1988 The test report for each isolation device identifies that the device was tested to the calculated (or higher) fault values. Testing performed on the isolation devices had the basic pass/fail criteria that no fault, including the maximum credible "hot short" voltage or short circuit current, on the non-Class 1E side of the isolation device could cause any misoperations or degradation of operation on the Class 1E side of the device. (This is interpreted as across divisional boundaries for isolation devices used in Class 1E to Class 1E applications). Electrical isolation between redundant non-NSSS safety-related circuits and between non-NSSS safety-related circuits and non-safety-related circuits is provided by the following: a. Bailey Solid State Interposing Logic System (SSILS) and Analog Instrumentation System (AIS) - These two systems utilize the Bailey 890 System for 1E to non-1E, and non-1E to 1E isolation. The basic components of the 890 System are input/output multiplexing modules and transmitter/receiver modules. Transmission is by fiberoptic cable. The transmitter module provides 1E to non-1E isolation; the receiver module provides non-1E to 1E isolation. The fiberoptic cable provides additional electrical isolation although it itself is not formally qualified. Seismic qualification for this isolation system is in accordance with qualification procedures and acceptance criteria defined in IEEE Standard 344-1975, and implemented by Regulatory Guide 1.100, Revision 1. This isolation system is located in and qualified for a mild environment as defined in Sections 3.11.2.4 and 3.11.2.5. The specified environmental conditions in which this isolation system is expected to operate are as follows: 7.1-34 HCGS-UFSAR Revision 8 September 25, 1996 Pressure: Atmospheric plus fractional inch of H2O Temperature: 104F maximum these conditions may 40F minimum exist 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per year 83F +/- 2F Relative Humidity: 90 percent maximum 20 percent minimum Nuclear Radiation: 175 Rads Carbon (40 year TID) 88 Rads Carbon - Beta (180 day TID) 2.5 Rads Carbon - Gamma (180 day TID) (TID = Total Integrated Dose) Testing performed in accordance with SAMA Standard PMC 33.1-1978 ensures that this isolation system is adequately protected against the effects of electromagnetic interference (EMI). Testing performed in accordance with IEEE Standard 472-1974 ensures that this isolation system is adequately protected against the effects of voltage surges. "Hot short" fault testing was not performed on the Bailey 890 System. The Bailey 890 System provides physical separation of system components and fiberoptic signal transmission to virtually eliminate any possibility of a hot short propagating across divisional boundaries. The optical transmitter modules and optical receiver modules are physically located in separate cabinets. Signal transmission between the transmitter and receiver modules is by nonconductive fiberoptic cable. The fiberoptic cables are routed in dedicated raceways or inside protective flexible conduit in low voltage instrument cable raceways. 7.1-35 HCGS-UFSAR Revision 8 September 25, 1996 The Bailey 890 System qualification report, Bailey Controls Company Report Number QR-3102A-E14-10, was submitted to the NRC by letter dated November 22, 1985 (R. L. Mittl, PSE&G to W. Butler, NRC). b. Scientech - The Safety Parameter Display System (SPDS) and Startup Transient Monitoring System (STMS, also called GETARS) at HCGS are part of the Control Room Integrated Display System (CRIDS). This system consists of non-1E servers, non-1E desktop computers, and 1E and non-1E multiplexors. Communication between all multiplexors and the computers is via fiberoptic cable. Interface between the multiplexor/computer data buses and the fiberoptic cable is through the use of Ethernet-to-fiber media converters. The fiberoptic cable acts as the 1E to non-1E separation device. Seismic qualification for this isolation system is in accordance with qualification procedures and acceptance criteria defined in IEEE Standard 344-1975, and implemented by Regulatory Guide 1.100, Revision 1. This isolation system is located in and qualified for a mild environment as defined in Sections 3.11.2.4 and 3.11.2.5. The specified environmental conditions in which this isolation system is expected to operate are as follows: Pressure: Atmospheric plus fractional inch of H2O Temperature: 104F maximum these conditions may 40F minimum exist 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> per year 83F +/- 2F 7.1-36 HCGS-UFSAR Revision 18 May 10, 2011 Relative Humidity: 90 percent maximum 20 percent minimum Nuclear Radiation: 175 Rads Carbon (40 year TID) 88 Rads Carbon - Beta (180 day TID) 2.5 Rads Carbon - Gamma (180 day TID) Testing performed in accordance with EPRI TR-102323 Rev. 3 ensures that this isolation system is adequately protected against the effects of electromagnetic interference (EMI) and voltage surges. c. General Atomic (GA) Radiation Monitoring System (RMS) - This system utilizes two separate isolation methods depending upon the type of isolation required: 1) GA communications isolation device, GA Part Number 0357-5200, for 1E to 1E, 1E to non-1E and non-1E to 7.1-37 HCGS-UFSAR Revision 18 May 10, 2011 1E data transmission in a communications loop. Electrical isolation is provided by optically coupled isolators consisting of a 3-inch light pipe between an infrared LED and a silicon phototransistor. 2) OPTO 22, Model ODC-24, optical isolation device for 1E to non-1E and 1E to 1E digital applications - Electrical isolation is provided by a phototransistor and amplifier assembly contained within a sealed module. Seismic qualification for these isolation devices is in accordance with qualification procedures and acceptance criteria defined in IEEE Standard 344-1975, and implemented by Regulatory Guide 1.100, Revision 1. These isolation devices are located in and qualified for a mild environment as defined in Sections 3.11.2.4 and 3.11.2.5. The specified environmental conditions in which these isolation systems are expected to operate are as follows: 1) Communications isolation device Temperature: 104F maximum 40F minimum 85F average Relative humidity: 90 percent maximum 20 percent minimum 2) OPTO 22 Model ODC-24 Temperature: 78F maximum 66F minimum 72F average 7.1-38 HCGS-UFSAR Revision 8 September 25, 1996 Relative humidity: 60 percent maximum 20 percent minimum Testing performed in accordance with IEEE Standard 472-1974 ensures that these isolation devices are adequately protected against the effects of voltage surges. Testing performed in accordance with SAMA Standard PMC 33.1-1978 on a GA Model RM80 microprocessor containing optical isolators identical to those used in the communications isolation device verifies that the communications isolation device is adequately protected against the effects of EMI. No EMI susceptibility testing was performed on the OPTO 22 Model ODC-24 optical isolation device. The ODC-24 is a sealed module that plugs into a mounting rack leaving no exposed leads to act as antennae. All ODC-24 modules are mounted inside the same multi-bay control panel (1OC604) located in the main control room (which has been designated a (portable) radio free zone). The ODC-24 remains in an "off" state until ordered "on" by a change in state of an RM80 transistor switch output. As identified in the preceding paragraph, the RM80 was verified by test to be adequately protected against the effects of EMI. Based on the design, location and operation of the ODC-24 it should be immune from the effects of EMI. Testing was performed on the GA communications isolation device and the OPTO 22 Model ODC-24 optical isolation device to demonstrate their capability to function as isolation devices when subjected to the maximum credible "hot short" voltage with the fault applied in the transverse mode. The calculated maximum credible "hot short" voltage fault values for testing purposes were as follows: 7.1-39 HCGS-UFSAR Revision 13 November 14, 2003 Communications isolation device: 140 V ac OPTO 22 Model ODC-24: 162 V ac Based on the construction and function of the GA isolation devices, and with the concurrence of the NRC staff, short circuit current testing was deemed unnecessary and was not performed. The GA test report, GA Number E-255-1333, was submitted to the NRC by letter dated November 22, 1985 (R. L. Mittl, PSE&G to W. Butler, NRC). d. Remote control panels - Two isolation methods are provided for remote control panels requiring 1E to non-1E isolation. 1) Digital 1E to non-1E isolation - for this type of isolation and Struthers Dunn Type 219 and Allen Bradley Model 700-200A12P isolation relays are used. Relay coil to contact separation provides the isolation. 2) Analog 1E to non-1E isolation - for this type of isolation, TEC analog isolators, model 156, are used. Transformer coupling is used to provide the isolation. Seismic qualification for these isolation systems is in accordance with qualification procedures and acceptance criteria defined in IEEE Standard 344-1975, and implemented by Regulatory Guide 1.100, Revision 1. The Struthers Dunn Type 219 isolation relays are located in and qualified for a mild environment as defined in Sections 3.11.2.4 and 3.11.2.5. The specified environmental conditions in which these isolation relays are expected to operate are as follows: 7.1-40 HCGS-UFSAR Revision 8 September 25, 1996 Temperature: 104F +/- 2F maximum 40F +/- 2F minimum Relative Humidity: 90 percent maximum 20 percent minimum Nuclear Radiation: 200 Rads (40 year TID) Environmental qualification as defined in IEEE Standard 323-1974, and implemented by Regulatory Guide 1.89, Revision 0, is required for the Allen Bradley Model 700P-200A12P isolation relay. The specified environmental conditions in which this isolation relay is expected to operate are as follows: Normal Abnormal Accident Temperature, Minimum 40F 110F 148F Maximum 80F Average 69F Pressure, Minimum -0.25 in. H2O -3 psig Maximum 1.0 in. H2O 0 psig 1.0 in. H2O Relative Minimum 20 percent Humidity, Maximum 90 percent 100 100 percent percent Radiation, Total 8.8x102 rads 1.7x105 dose rads gamma Duration 40 yr 180 days The TEC Model 156 analog isolators are located in and qualified for a mild environment as defined in Sections 3.11.2.4 and 3.11.2.5. The specified environmental conditions in which these isolators are expected to operate are as follows: 7.1-41 HCGS-UFSAR Revision 8 September 25, 1996 Temperature: 104F +/-2F maximum 40F +/-2F minimum Relative humidity: 90 percent maximum 20 percent minimum Nuclear radiation: 200 Rads (40 year TID) No testing was conducted on the effects of EMI on the Struthers Dunn Type 219 or Allen Bradley Model 700-200A12P isolation relays. By design, these relays should be immune to the effects of EMI. Generic EMI susceptibility and emissions test were conducted on the TEC Model 156 analog isolators following Procedure 156-QP-04, "Electromagnetic Interference (EMI) Test for TEC Model 156 Analog Signal Isolator Module," which is Appendix B to Test Report 31041-QP-01, "Qualification Test Report for Environmental and Seismic Testing of the TEC Model 158 Analog Isolation System." Testing performed in accordance with IEEE Standard 472-1974 ensures that the Struthers Dunn Type 219 and Allen Bradley Model 700-200A12P isolation relays are adequately protected against the effects of voltage surges. Testing performed in accordance with IEEE Standard 472-1974 ensures that the TEC Model 156 analog isolators are adequately protected against the effects of voltage surges. Testing was performed on the Struthers Dunn Type 219 and Allen-Bradley Model 700-200A12P isolation relays to demonstrate their capability to function as isolators when subjected to the maximum credible "hot short" voltage or short circuit current with the fault applied in the 7.1-42 HCGS-UFSAR Revision 0 April 11, 1988 transverse mode. The calculated fault values for testing purposes were as follows: 1) Struthers Dunn Type 219 isolation relay "Hot short" voltage: 140 V ac Short circuit current: 350A 2) Allen-Bradley Model 700-200A12P isolation relay "Hot short" voltage: 650 V ac Short circuit current: 1300A Testing was performed on the TEC Model 156 analog isolators to demonstrate their capability to function as an isolator when subjected to the maximum credible "hot short" voltage with the fault applied in the transverse mode. The calculated "hot short" voltage for testing purposes was 170 V ac. Based on the output impedance characteristics of the TEC Model 156 analog isolator, short circuit current testing was deemed unnecessary and was not performed. Wyle Laboratories Test Report Number 47950-01 (for Struthers Dunn Type 219 isolation relays and TEC Model 156 analog isolators) was submitted to the NRC by letter dated November 22, 1985 (R. L. Mittl, PSE&G to W. Butler, NRC). Wyle Laboratories Test Report Number 47679-01 (for Allen-Bradley Model 700-200A12P isolation relays) was submitted to the NRC by letter dated November 22, 1985 (R. L. Mittl, PSE&G to W. Butler, NRC). e. Equipment Air Lock Isolation Dampers HD-9450A and B interlock with Receiving Bay Door #4323A - Potter Brumfield Model MDR-4134-1 isolation relays are utilized to provide both non-1E to 1E and 1E to non-1E isolation as shown below: 7.1-43 HCGS-UFSAR Revision 0 April 11, 1988
1) Non-1E to 1E - Receiving Bay Door #4323A (non-1E coil) permissive to Equipment Air Lock Isolation Dampers HD-9450A and B (1E contact) 2) 1E to non-1E - Equipment Air Lock Isolation Dampers HD-9450A and B (1E coil) permissive to Receiving Bay Door #4323A (non-1E contact) These two relays were purchased as qualified devices from General Electric. No EMI susceptibility testing was performed on the Potter Brumfield MDR relays. By design these relays should be immune to the effects of EMI. Testing was performed on the Potter Brumfield MDR relays to demonstrate their capability to function as an isolator when subjected to the maximum credible "hot short" voltage or short circuit current with the fault applied in the transverse mode. The calculated fault values for testing purposes were as follows: "Hot short" voltage: 650 V ac Short circuit current: 300 A Wyle Laboratories Test Report Number 47679-01 (for the Potter Flumfield MDR relay) was submitted to the NRC by letter dated November 22, 1985 (R. L. Mittl, PSE&G to W. Butler, NRC). 7.1-44 HCGS-UFSAR Revision 18 May 10, 2011 The isolation devices used to electrically separate nonessential and essential circuits are pursuant to the guidelines of IEEE Standard 384. Both relay and optical isolation devices are employed. The optical isolators utilize a fiber optic light pipe to electrically separate the input from the output. For example, an essential logic signal activates a light emitting diode, the light is transmitted through the light pipe to a photo switch and the switch changes state on receipt of the light signal and either blocks or transmits. The relay isolation devices provide the same degree of separation and are used typically for control voltage separation applications, i.e., 120 V ac and 125 V dc essential to nonessential and redundant essential circuits. The relays are mounted so that a metal barrier separates the coil from the contacts with a minimum distance of one inch between the coil and barrier and between the contact and barrier. Additionally, the Redundant Reactivity Control System (RRCS) uses isolated lamp drivers (card-mounted relays) to isolate Class 1E signals from certain non-Class 1E loads (e.g., indicators). The RRCS panel qualification used a 200 V dc line-to-line test across the output contacts to verify no degradation could be propagated back to the input circuit on the card. Summary of Purchase Specification: a. RELAY b. ISOLATOR 1. Design Specification 1. Application data specification a) MIL-R-19523 b) Contact Specification c) Coil Specification d) Insulation Specification e) Design Life f) Reliability 7.1-45 HCGS-UFSAR Revision 0 April 11, 1988
2. Class 1E Safety Function 2. Performance specification a) Functional Specification b) Reliability 3. Qualification Testing 3. Qualification Testing a) Ambient and Design Environments a) Tested as a panel b) Application Configuration subassembly Both isolation devices satisfy the concern of susceptibility to noise, shorts, surges, and faults. Adverse conditions affecting the coil or the semiconductor device cannot propagate through the isolation barrier (i.e., metal enclosure or fiber optic light pipe). Conversely, adverse conditions affecting the contacts or receiving semiconductor cannot propagate through the isolation barrier and affect the coil or transmitting semiconductor. Therefore, essential systems or circuits are electrically isolated from nonessential and/or redundant systems or circuits. Where the isolation/separation between divisional circuits and between divisional and nondivisional circuits is achieved with optical isolators, the input and output cards are comprised of semiconductors, resistors, and capacitors and are separated by a 1-inch-long quartz rod through a metal barrier. The optical isolators for the RRCS also have current-limiting resistors on the input circuits. The enclosures for both types of isolators are designed to hold either four or eight isolator cards; only cards for circuits from the same division are contained in the same enclosure. A worst case failure would cause loss of function to only one division; safety 7.1-46 HCGS-UFSAR Revision 0 April 11, 1988 function would not be lost because of the redundance of the other divisions. Specifications control the type of testing and qualification for the isolators. Line to line tests (140 V dc for two minutes and 400 V, one-millisecond pulses) have been successfully performed on the RRCS isolators. A successful 5-kV line to ground test was performed on the input circuit of the non-RRCS isolators. No degradation of the card on the other side of the barrier was used as a criterion for a successful test. Since the same type of enclosures are used for both types of isolators and since 5-kV far exceeds both the voltage of the RRCS isolator tests and the maximum postulated credible "hot short" voltage for all NSSS applications, the 5-kV test confirmed the capabilities of the barrier and enclosure to prohibit any detrimental effects to the cards on the other side of the barrier. An additional test of the optical isolators to verify that they can withstand the maximum credible fault current/voltage applied in the transverse mode has been performed. This test demonstrated that the maximum credible voltage applied to the optical isolators in the transverse mode will not be propagated through the quartz barrier to the other side of the device. The test plans, procedures, and reports are available on file for audit at GE. The optical isolator test report number is NEDE-30977. 7.1.2.6 Instrument Errors In the selection of I&C, the design of each system important to safety considers instrument drift, setability, and repeatability in the determination of setpoints. An adequate margin between safety limits and instrument setpoints is provided to allow for instrument error. The safety limits and setpoints are listed in the Technical Specifications. The amount of instrument error is determined by 7.1-47 HCGS-UFSAR Revision 0 April 11, 1988 test and experience. Setpoint selection is based on the known error. Test frequency is greater on instrumentation that demonstrates a tendency to drift. 7.1.2.7 Conformance to ICSB Branch Technical Positions The HCGS design incorporates the guidance of ICSB Branch Technical Positions (BTPs) 3, 21, 22, and 26 as listed on SRP Table 7.1. BTPs 4, 12, 13, 14, and 20 are not applicable to HCGS. Per Appendix 7-A to Chapter 7 of the SRP, BTP 16 has been deleted. The Branch Technical Positions (BTPs) that relate to Hope Creek control and instrumentation systems are BTPs 3, 21, 22 and 26. Information pertaining to BTP 21 and 22 are contained in Sections 7.1.2.9 and 7.5.1.3.2. Information pertaining to BTP 26 is contained in Section 7.2.1.3.6. Information related to BTP 22 is contained in the testability and analysis portions of Sections 7.2, 7.3, 7.4, and 7.6 for individual systems. The NSSS design allows for the functional testing of systems during plant operation. However, in order to prevent unwarranted reactor perturbations, certain equipment is tested only during shutdown, per the provisions of Regulatory Guide 1.22. a. ADS The system is designed such that there is no isolation between the reactor pressure vessel (RPV) and the ADS valves. The ADS uses safety-grade instrumentation and control equipment. All parts of the system except the valves can be checked during operation. The entire system can be tested during shutdown. 7.1-48 HCGS-UFSAR Revision 0 April 11, 1988
b. SLCS For positive rapid operation, the system design uses squib valves which cannot be tested during operation without injecting sodium pentaborate. The continuity of the squib valves is continuously monitored and indicated in the control room to ensure that the dual squibs in each valve are available. The explosive valves may be tested during shutdown. Several systems identified on Table 7.1-3 differ from SRP Table 7-1. These differences and justifications for the differences are identified below on a system by system basis. a. Primary containment isolation system (PCIS) - 1. Difference - The applicability of Regulatory Guide 1.47. to the PCIS. 2. Justification - The PCIS does not fall under the guidelines established in Regulatory Guide 1.47, Section B, for which automatic bypassed and inoperable status indication on a system level basis must be provided. The PCIS, described in Section 7.3.1.1.5, is not capable of being manually bypassed or placed out of service at the system level. Further, there are no operational bypasses associated with the PCIS. Certain valves actuated by the PCIS are provided with isolation override capabilities which allows for reopening of these valves after they have traveled to their isolated position. This override condition is specifically indicated in the main control room on a 7.1-49 HCGS-UFSAR Revision 0 April 11, 1988 component (valve) level. It is automatically removed when the PCIS initiating signal clears. See Section 7.3.1.1.5, part f. b. Engineered safety features (ESF) equipment area cooling system - 1. Difference - The applicability of Regulatory Guide 1.47 to the ESF equipment area cooling system. 2. Justification - The ESF equipment area cooling system consists of the following subsystems: (a) Reactor Building Equipment Area Cooling System (See Section 9.4.2) (b) Auxiliary Building Diesel Area Heating, Ventilation, and Air Conditioning (ABDA-HVAC) System (See Section 9.4.6) (1) diesel generator room recirculation (2) switchgear room cooling (3) diesel area battery room exhaust (4) diesel area 1E panel room supply (c) auxiliary building control area HVAC (ABCA-HVAC) (See Section 9.4.1) (1) control area battery exhaust (2) control equipment room supply (d) service water intake structure HVAC (See Section 9.4.7). 7.1-50 HCGS-UFSAR Revision 0 April 11, 1988 The design of the ESF equipment area cooling subsystems precludes the necessity for strict compliance with Regulatory Guide 1.47 since the criteria of Position 3 of the regulatory guide are not satisfied in any case. However, the ESF equipment area cooling systems do satisfy the intent of Regulatory Guide 1.47 as described in the following paragraphs: 1) Reactor Building equipment area cooling system: (a) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever the control switches (on the remote control panel) for an ECCS or SACS pump room cooler pair are in other than the normal configuration of "AUTO LEAD" and "AUTO." Individual alarms are provided on the remote control panel annunciator. (b) manual out of service indication - manual out of service switches and indicators are provided as an administrative control for use whenever an ECCS or SACS pump room cooler or pair of coolers must be placed out of service. This indication is provided on a per 1E channel basis and is also illuminated automatically whenever the associated standby diesel generator manual out of service switch is actuated. Actuation of a manual out of service switch also causes actuation of a "BOP Safety System Out-Of-Service" annunciator in the main control room. 7.1-51 HCGS-UFSAR Revision 0 April 11, 1988 (c) computer monitoring: i) low flow on an operating unit cooler (digital) ii) ECCS and SACS pump rooms temperature (analog) 2) (ABDA-HVAC) diesel generator room recirculation (a) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever a low flow condition is sensed on a running recirculation unit. This alarm condition does not occur when the recirculation unit control switch (at the remote control panel) is in the "STOP" position. this condition is individually alarmed on the remote control panel annunciator. (b) manual out of service indication - manual out of service switches and indicators are provided in the main control room as an administrative control for use whenever a recirculation unit must be placed out of service. This indication is provided on a per 1E channel basis and is also illuminated automatically whenever the associated standby diesel generator manual out of service switch is actuated. Actuation of a manual out of service switch also causes actuation of a "BOP System Out-Of-Service" annunciator in the main control room. 7.1-52 HCGS-UFSAR Revision 0 April 11, 1988 (3) computer monitoring: i) diesel generator room temperature (analog). (c) (ABDA-HVAC) switchgear room cooling (1) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever either of the following conditions exist on an operating switchgear room unit cooler: i) low flow - does not occur when the switchgear room unit cooler control switch (at the remote control panel) is in the "STOP" position. ii) unit cooler filter differential pressure high These alarms are individually indicated on the remote control panel annunciator. (2) main control room alarm/status lights - the following status lights are provided in the main control room for each switchgear room unit cooler: I) running (status) ii) stopped (status) iii) low flow (alarm) 7.1-53 HCGS-UFSAR Revision 0 April 11, 1988 (3) manual out of service indication - manual out of service switches and indicators are provided in the main control room as an administrative control for use whenever a switchgear room unit cooler must be placed out of service. This indication is provided on a per 1E channel basis and is also illuminated automatically whenever the associated standby diesel generator manual out of service switch is actuated. Actuation of a manual out of service switch also causes actuation of a "BOP Safety System Out-Of-Service" annunciator in the main control room. (4) computer monitoring: i) switchgear room exhaust temperature (analog). (d) (ABDA-HVAC) diesel area battery room exhaust (el. 148 ft.) (1) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever either of the following conditions exist: i) low flow - this alarm does not occur when the exhaust fan control switch (at the remote control panel) is in the "STOP" position. ii) exhaust fan not running These alarms are individually indicated at the remote control panel annunciator. 7.1-54 HCGS-UFSAR Revision 0 April 11, 1988 (2) computer monitoring: i) exhaust fan low flow (digital) ii) battery room exhaust temperature (analog). (e) (ABDA-HVAC) diesel area battery room exhaust (el. 163 ft-6in.) (1) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever a low flow condition exists on the running battery exhaust fan. This alarm does not occur if the exhaust fan control switch (at the remote control panel) is in the "STOP" position. The low flow alarms are individually indicated on the remote control panel annunciator. (2) computer monitoring: i) exhaust fan low flow (digital). (f) (ABDA-HVAC) diesel area 1E panel room supply (1) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever any of the following conditions exist: i) low flow - this alarm does not occur if the unit cooler control switch (at the remote control panel) is in the "STOP" position. 7.1-55 HCGS-UFSAR Revision 0 April 11, 1988 ii) unit cooler discharge temperature high or low iii) unit cooler filter differential pressure high These alarms are individually indicated on the remote control panel annunciator. (2) computer monitoring: i) unit cooler suction temperature (digital) - combined exhaust from the 1E panel rooms. (g) (ABCA-HVAC) control area battery exhaust (1) remote control panel trouble alarm - a summary alarm in the main control room that alarms whenever any of the following conditions exist: i) exhaust fan discharge low flow - this alarm does not occur if the battery exhaust fan control switch (at the remote control panel) is in the "STOP" position. ii) battery room exhaust flow low - for each control area battery room. These alarms are individually indicated on the remote control panel annunciator. (h) (ABCA-HVAC) control equipment room supply (1) control area HVAC trouble alarm - an annunciator in the main control room that 7.1-56 HCGS-UFSAR Revision 0 April 11, 1988 is actuated whenever any of the following conditions exist on the control equipment room supply system: I) cooler unit motor malfunction ii) cooler unit circuit breaker malfunction iii) control equipment room supply temperature high or low. (2) main control room status lights - the following status/alarm lights are provided in the main control room for each control equipment room supply cooler unit: i) overload/power failure (alarm) ii) inoperative (status) iii) low flow (alarm) iv) high filter differential pressure (alarm) v) high/low supply air temperature (alarm) vi) lockout (status) vii) auto (status) viii) start (status) ix) stop (status) 7.1-57 HCGS-UFSAR Revision 0 April 11, 1988 (3) out of service indication - the following conditions will actuate an auxiliary building control area HVAC out of service status light in the main control room: i) manual out of service ii) associated standby diesel generator manual out of service iii) associated channel of control area chilled water system out of service iv) control equipment room supply unit cooler locked out. Actuation of this out of service indication also causes actuation of a "BOP Safety System Out-Of-Service" annunciator in the main control room. (i) service water intake structure (1) remote control panel trouble alarm - a summary alarm is provided in the main control room that alarms whenever any of the following conditions exist: i) service water pump room supply fan low flow - this alarm will not occur if the supply fan control switch (at the remote control panel) is in the "STOP" position. ii) service water pump room exhaust fan low flow - this alarm will not occur if the exhaust fan control switch (at 7.1-58 HCGS-UFSAR Revision 0 April 11, 1988 the remote control panel) is in the "STOP" position. iii) traveling screen motor room supply fan low flow - this alarm will not occur if the supply fan control switch (at the remote control panel) is in the "STOP" position. iv) service water pump room temperature high or low v) traveling screen motor room temperature high or low. These alarms are all individually indicated on the remote control panel annunciator. (2) manual out of service indication - manual out of service switches and indicators are provided in the main control room as an administrative control for use whenever a service water pump room supply or exhaust fan or a traveling screen motor room supply fan is placed out of service. This indication is provided on a per 1E channel basis and is also illuminated automatically whenever the associated standby diesel generator manual out of service switch is actuated. Actuation of a manual out of service switch also causes actuation of a "BOP" Safety System Out-Of-Service" annunciator in the main control room. 7.1-59 HCGS-UFSAR Revision 0 April 11, 1988
c. Safe shutdown equipment area ventilation system (SSEAVS). The SSEAVS consists of two subsystems: 1. The Reactor Building equipment area cooling system (described in Section 9.4.2) which is also part of the ESF equipment area cooling system and is designed to the criteria applicable to that system. See part (b) of this response. 2. The remote shutdown panel (RSP) room HVAC system (described in Section 9.4.2). (a) Differences - the applicability of the following NRC regulatory positions to the RSP room HVAC system: (1) GDC 19 (2) IEEE Standard 279-1971 (3) Regulatory Guide 1.22 (4) Regulatory Guide 1.47 (5) Regulatory Guide 1.53 (6) Regulatory Guide 1.62 (7) Regulatory Guide 1.75 (8) Regulatory Guide 1.105 (9) Regulatory Guide 1.118 (b) Justification - The RSP room HVAC system, as described in Section 9.4.3, is not safety 7.1-60 HCGS-UFSAR Revision 0 April 11, 1988 related. The system design bases are specifically identified in Section 9.4.3.1.3. The above listed regulatory positions are applicable to safety systems. Since the instrumentation and controls of the RSP room HVAC system are not safety-related, strict compliance with these regulatory positions is not required for this system. Plant Computer Systems 1. Differences - The applicability of the following NRC regulatory positions to the plant computer systems: (a) GDC 1 (b) GDC 2 (c) GDC 4 (d) IEEE Standard 279-1971 (e) Regulatory Guide 1.22 (f) Regulatory Guide 1.47 (g) Regulatory Guide 1.53 (h) Regulatory Guide 1.75 (i) Regulatory Guide 1.105 (j) Regulatory Guide 1.118 2. Justification - The plant computer systems, as identified in Section 7.5.1.3.3, are nonsafety 7.1-61 HCGS-UFSAR Revision 0 April 11, 1988 related systems that provide information to operating personnel in the form of graphic displays and alarming functions. The listed NRC regulatory positions are applicable to protection systems and other systems important to safety. The plant computer systems do not fall under either of these categories and therefore do not fall under the applicability of these regulatory positions. 7.1.2.8 Instrumentation and Control Systems Power Supplies AC power is available from three subsystems - RPS motor generator sets, uninterruptible supplies and instrument/control power supplies. All of these subsystems provide nominal 120 volt, ac, 60 Hz at their distribution buses or panels. RPS power supply and distribution system are shown on Vendor Technical Document PN1-C71-1010-0001, Sheet 1 and are described in Section 8.3.1.5. There are two RPS motor generator sets and distribution panels. Uninterruptible ac power supplies (UPS) consist of Class 1E and non-Class 1E subsystems and are basically static inverter systems with provision for automatic transfer of power sources to alternate feeders. Section 8.3 and Plant Drawing E-0012-1 provide detailed information on the UPS subsystem. The UPS subsystem has eight Class 1E distribution panels, two per channel, and sixteen non-Class 1E distribution panels (see Plant Drawing E-0012-1). The instrument/control power subsystem is comprised of Class 1E and non-Class 1E distribution panels which are supplied from transformers in motor control centers to convert 480 volt to 120 volt, single phase. Plant Drawing E-1405-1, listed in Section 1.7, shows the Class 1E distribution panels, and the non-Class 1E, when used, are referenced in the schematic diagrams furnished as part of Section 1.7. DC power is available from two subsystems - 125 volt and +/-24 volt supplies. The nominal 125 volt supplies has Class 1E and non-Class 1E distribution systems; Section 8.3.2 and Plant Drawing E-0009-1 7.1-62 HCGS-UFSAR Revision 20 May 9, 2014 provide description of this subsystem. The non-Class 1E +/-24 volt subsystem is described in Section 8.3.2 and Plant Drawing E-0010-0. The instrumentation and control power supplies used for the systems of this section are referenced within the text and system drawings that are included in this section or Section 1.7. 7.1.2.9.1 NSSS Safety-Related Systems There are no "first of kind" instruments used in or providing inputs to NSSS safety-related systems. Microprocessors are used in the Redundant Reactivity Control System (RRCS). While the RRCS does not perform any reactor control functions, it does provide signals to trip the recirculation system, to runback the feedwater system, to initiate the standby liquid control system, and to initiate alternate rod insertion for mitigation of an ATWS event (see Section 15.8). The Performance Monitoring System (PMS) is non-safety-related, and isolation of safety related inputs to the PMS is shown functionally in the logic diagrams and elementary diagrams provided to the NRC and listed in Table 1.7-3. 7.1.2.9.2 Non-NSSS Safety Related Systems The non NSSS safety related, "first-of-kind" equipment used at HCGS consists of the following: 1. Bailey 862 Logic System - solid state logic modules - provide common signal levels, interfaces, and common logic arrays to provide the interface between the engineered safety features (ESF) systems (identified in Section 7.3) and the main control room controls and displays (identified in Section 7.5). High system reliability is achieved through the use of auctioneered redundant power supplies for the three different dc voltages utilized by the 862 logic modules: 7.1-63 HCGS-UFSAR Revision 20 May 9, 2014 a) 125 V dc for interrogation of field contacts b) 24 V dc for interrogation of main control room controls; for powering main control room status lights; for powering output driver relays c) 9 V dc for powering the 862 logic modules (onboard voltage regulators control this at 5 V dc for the logic and buffer circuitry). The integrity of each power supply is continuously monitored and any failure is annunciated in the main control room and indicated at the summary alarm panel of the affected logic assembly (cabinet). This summary alarm panel also provides indication of fuse module fuse failure, cooling fan failure, and in which bay (of the 12 bay assembly) the failure occurred. A digital logic assembly trouble summary alarm is annunciated in the main control room whenever any of the following conditions exist in a Class 1E logic assembly: a) Door open b) Fuse module fuse failure c) Fuse module interlock (fuse module withdrawn) d) Power bus failure e) Power supply failure f) Cooling fan failure g) Optic link failure (optical isolation system trouble). 7.1-64 HCGS-UFSAR Revision 0 April 11, 1988 High system reliability is achieved by segregating control of field devices (e.g., switchgear, MCC, etc.) into different circuits within a logic assembly. Each circuit is composed of a single fuse module and as many logic modules and output driver relays as required to control a field device. Several related field devices may be controlled from the same circuit. The fuse module protects the logic assembly power supplies from individual circuit faults. Testing of a system circuit may be performed from its control switch through the output(s) of the associated logic modules using a switch on the fuse module which, when operated, disables the output drive relays. This disabling is continuously indicated in the main control room. Light emitting diodes on the face of the logic module indicate the presence or lack of input signals from the associated control switch and the presence or lack of signals to the output driver relays. Modules are tested by first performing a bench test using test equipment to simulate input combinations at the required voltage level and verifying the appropriate outputs respond according to the design logic diagram. After installation in the control cabinet, input and output LEDs are checked for appropriate indications and at least one function is tested. If applicable, a surveillance test would be performed to verify required functions. 7.1-65 HCGS-UFSAR Revision 15 October 27, 2006 Although there is no in-service testing of the module, some failures are self-evident. As an example, the failure of an output buffer in indicating application would result in the loss of the indication at the main control console. In addition, during operation logic module LEDS can be observed to check module functionality and memory status. 7.1-66 HCGS-UFSAR Revision 17 June 23, 2009 In order to assure the NRC staff that, in addition to the above detailed discussion, the Bailey 862 SSLMs are reliable devices, the following commitments were made: I. Zone the lower equipment room on the 102 ft level so that the use of portable radios is prohibited during plant operation. II. The welder cables should be run close together from the welding unit to a point no further than 5 ft from the control system panels or cables before attaching the ground loop to prevent the formation of a loop antenna and avoid induced voltages getting into sensitive equipment. III. Designate as portable radio free areas the upper and lower equipment rooms and main control room in addition to the cable spreading rooms and the inverter rooms. IV. Conduct logic functional tests on the SSLMs on an 18 month frequency as is required in the Standard Technical Specifications. The Bailey 862 equipment is functionally described in the logic diagrams provided to the NRC and listed in Table 1.7-3. Equipment qualification reports are referenced in Sections 3.10 and 3.11. 2. Bailey 890 system - provides the interface and isolation between the main control room, safety-related instrumentation and the plant computer (control room integrated display system), and the plant annunciator system. The Bailey 890 system is also used to provide isolation between the Class 1E indicating lamp circuits and initiating logic circuits provided for lamp test. 7.1-67 HCGS-UFSAR Revision 15 October 27, 2006 The equipment is functionally described in the logic diagrams provided to the NRC and listed in Table 1.7-3. Equipment qualification reports are referenced in Sections 3.10 and 3.11. The Bailey 890 system isolation capabilities are discussed in Sections 7.1.2.5.1 and 7.1.2.5.2. 7.1.2.9.3 Non-NSSS System Interface with Safety-Related Systems The following non-NSSS systems at HCGS interface with safety-related systems using microprocessors, multiplexers, or computers: 1. Radiation Monitoring Systems (RMSs) - discussed in Sections 11.5.2.1.3 and 11.5.2.1.2, the Class 1E reactor building exhaust and refueling floor exhaust RMSs utilize RM 80 radiation processors manufactured by Sorrento Electronics Division of General Atomic (GA) Technologies Inc. to provide radiation monitoring. 7.1-68 HCGS-UFSAR Revision 15 October 27, 2006 The RM-80 is a microprocessor based device using the Intel 8085A microprocessor to provide data acquisition and signal processing. GA communications isolation device and OPTO 22 ODC-24 (digital) optical isolators are used to provide isolation where required. See Section 7.1.2.5.2 for a discussion of these isolation devices. 2. Suppression pool temperature monitoring system (SPTMS) - discussed in Section 6.2.1.1.10.3, the SPTMS utilizes the GA RM-80 radiation processor (see part 2.a above) to provide reliable indication of bulk suppression pool temperature to meet the requirements of a Regulatory Guide 1.97 Type A, Category I variable. Two independent RM 80s equipped with a new circuit board designed to perform this function are used to provide two channels of indication. The new circuit board uses previously qualified circuits in a new physical arrangement. The same isolation devices identified in Section a are used where isolation is required. 3. Control Room Integrated Display System (CRIDS) - part of the plant computer systems discussed in Section 7.5.1.3.3, the CRIDS computer interfaces with safety-related systems to provide information to the control room operator in the form of graphic displays and alarming functions. The CRIDS computer is also used to meet emergency response facility requirements (see Section 7.5.1.3.3). 7.1-69 HCGS-UFSAR Revision 15 October 27, 2006 The CRIDS is nonsafety-related and isolation of safety-related inputs is shown functionally in the logic diagrams and elementary diagrams provided to the NRC and listed in Table 1.7-3. See Sections 7.1.2.9.2 and 7.1.2.5.2 which discuss isolation capabilities of the Bailey 890 system. 4. Emergency Response Facility Data Acquisition System (ERFDAS) - the data acquisition system for the HCGS emergency response facilities (ERF). The CRIDS computer is used to process this information as discussed in Section 7.5.1.3.3. The ERFDAS uses the "Real Time Peripheral" (RTP) system supplied by Computer Products Inc. (CPI). The RTP uses multiplexers to provide data acquisition and signal isolation. The CPI RTP system isolation capabilities are discussed in Section 7.1.2.5.2. 5. Startup Transient Monitoring System (STMS) - discussed in Section 7.5.1.3.5, the STMS uses Validyne Model MC370AD-Q2 remote multiplexers to provide data acquisition and signal isolation of those safety-related signals needed to support plant startup testing. 7.1-70 HCGS-UFSAR Revision 0 April 11, 1988 system Reactor Trip System Engineered Safety Feature Systems Emergency Core Cooling System Primary Containment and Reactor Vessel Isolation Control System Residual heat removal -containment spray cooling mode Residual heat removal -suppression pool cooling mode Primary Containment Isolation System Containment Atmosphere Control System Main Control Room Habitability and Isolation System Filtration, Recirculation, and Ventilation System Reactor Building Ventilation Isolation System Station Service Water System Safety Auxiliaries Cooling System Class lE Power System Primary Containment Instrument Gas System ESF Equipment Area Cooling System Control Area Chilled Water System HCGS-UFSAR GE Design X X X X X TABLE 7.1-1 INSTRUMENTATION SYSTEMS IDENTIFICATION Design and Supply Responsibility GE Other Plant Similarity Others Plant Identification Degree of Similarity X Limerick (1) (1) X X Limerick (1) X X Limerick (1} X Limerick {1) X Limerick X None {2) X Limerick X None X None X None X None X None (3) X Limerick X None X None X None 1 of 3 Revision 12 May 3, 2002 I S stem Systems Reguired for Safe Shutdown Reactor Core Isolation Cooling System Standby Liquid Control System Residual heat removal Remote Shutdown System Remote Shutdown Panel Room HVAC System Safety-Related Diselay Instrumentation Rod Position Indication System and Inoperable Systems RMS ERFDAS Post-accident monitoring instrumentation Startup and Transient Monitoring System Relief Valve Position System All Other Instrumentation Systems Reguired Process Radiation Monitoring (main steam line monitor) HCGS-UFSAR TABLE 7.1-1 (Cant) Design Others X X X X X X X X X X X X X X X X X X X X for Safety X X 2 of 3 Limerick Limerick None None Limerick None Susquehanna, None None Susquehanna, Limerick None Limerick None Zimmer 1 (1) ( 4) (1) (1) Clinton Similar Clinton Similar Similar (6) (5) Revision 19 November 5, 2012 I TABLE 7.1-1 (Cont) Design and Supply Responsibility GE GE Other Plant Similarity System Design Supply Others Plant Identification Degree of Similarity

Process Radiation Monitoring System X Limerick Similar (other Class 1E monitors)

High Pressure/Low Pressure System interlocks X X Limerick (1)

Leak Detection System (NSSS)

X X Limerick (1) Leak Detection System (non

-NSSS) X None Neutron Monitoring System X X Nine Mile Point 2 Identical Recirculation Pump Trip system X X Limerick Identical Main steam safety/relief valves - relief X X Limerick Identical function Redundant Reactivity Control System X X None Safety system/nonsafety system isolation X None Suppression pool temperature monitoring X None

_______________________

(1) These systems are similar except that HCGS uses optical isolation, and the separation schemes and division assignments are different, as indicated by Figures 7.1-1 through 7.1

-5. (2) The HCGS Hydrogen/Oxygen Analyzer System (HOAS) is used only after a LOCA and for weekly oxygen concentration verification. Limerick HOAS is an on

-line system. The number of sampling points for the HCGS HOAS is different from the Limerick HOAS. HCGS originally had a positive pressure MSIV

sealing system that was subsequently removed.

(3) Four diesel generators are used in the HCGS design. Limerick has eight diesel generators for two units. Each of the Limerick units and HCGS have four independent Class 1E electric power buses. Each bus has a dedicated SDG unit. Any combination of three out of four Class 1E buses is adequat e to satisfy minimum Class 1E load demand caused by LOCA and/or LOP.

Each of Limerick SDGs is rated at 2850 kW continuous. Each of the HCGS SDGs is rated at 4430 kW continuous.

(4) Two SLC pumps are used in the HCGS design rather than three SLC pumps Limerick provides.

(5) Reactor vessel narrow range water level is measured by three identical, independent sensing systems in the HCGS design.

(6) Limerick uses redundant sensors, channel operation is identical to HCGS.

3 of 3 HCGS-UFSAR Revision 23 November 12, 2018

( 1 2 3 4 REACTOR X )( X X PROTECTION SYSTEM EMERGENCY CORE X X X X COOLING SYSTEM PRIMARY X X X X CONTAINMENT AND REACTOR VESSEL ISO SYS RHR CONTAINMENT )( X X X SPRAY COOLING RHR SUPPRESSION )( X X X POOL COOLING REACTOR CORE )( X X X ISOLATION COOLING STANDBY LIQUID X X X X CONTROL RHR REACTOR SHUTDOWN COOLING SAFETY-RELATED DISPLAY INSTRUMENTATION CONTROL ROD POSITION INDICATING SYSTEM HCGS-UFSAR ( TABLE 7.1-2 CODES AND STANDARDS APPLICABlllTY MATRIX FOR NSSS CONTROL AND INSTRUMENTATION EQUIPMENT (1) (2) GDC NUMBER 5 10 12 13 15 17 18 19 20 21 22 23 24 25 26 27 28 29 30 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X )( X X )( X X X X X X X X X X X X X )( X X X X X X X X )( X X C41 X X X X X X X X X X X 1 of 6 ( 33 34 35 37 X X X X X X X X X Revision 8 Septenfler 25, 1996 38 40 41 X X X X TABLE 7.1-2 CODES AND STANDARDS APPLICABILITY MATRIX FOR NSSS CONTROL AND INSTRUMENTATION EQUIPMENT (1) (2)

GDC NUMBER 1 2 3 4 5 10 12 13 15 17 18 19 20 21 22 23 24 25 26 27 28 29 30 33 34 35 37 38 40 41 PROCESS RADIATION MONITORING SYSTEM X X X X X X X X X X X X X X X HIGH PRESS/

LOW PRESS SYSTEM INTERLOCKS X X X X X X X X LEAK DETECTION S YSTEM X X X X X X X X X X X X X X X X NEUTRON MONITORING SYSTEM (8) X X X X X X X X X X X X X X X X X RECIRCULATION PUMP TRIP (3)

X X X X X X X X X X X X X X SAFETY RELIEF VALVES - RELIEF FUNCTION REDUNDANT REACTIVITY CONTROL SYSTEM (7) X X X X X X X X X X X X

2 of 6 HCGS-UFSAR Revision 23 November 12, 2018

( 43 44 REACTOR PROTECTION SYSTEM EMERGENCY CORE COOLING SYSTEM PRIMARY CONTAINMENT AND REACTOR VESSEL ISO SYS RHR CONTAINMENT SPRAY COOLING RHR SUPPRESSION POOL COOLING REACTOR CORE ISOLATION COOLING STANDBY LIQUID CONTROL RHR REACTOR SHUTDO\.IN COOLING SAfETY*RELATED DISPLAY INSTRUMENTATION CONTROL ROO POSITION INDICATING SYSTEM HCGS-UfSAR ( ( TABLE 7.1-2 CODES AND STANDARDS APPllCABlllTY MATRIX FOR NSSS CONTROL AND INSTRUMENTATION EQUIPMENT (1) (2) GOC NUMBER 46 54 55 57 60 61 63 64 279-1971 317-1972 (5) X X 8 X B X X X B X X 8 3 of 6 IEEE NUMBER 323-1971 338-1971 A A A A A A A A A A A A A A A A A 344-1971 379-1972 A A A A A A A A A X X X X X X X X Revision 8 September 25, 1996 384-1974 A A A A A A A A TABLE 7.1-2 CODES AND STANDARDS APPLICABILITY MATRIX FOR NSSS CONTROL AND INSTRUMENTATION EQUIPMENT (1) (2)

GDC NUMBER IEEE NUMBER 43 44 46 54 55 57 60 61 63 64 279-1971 317-1972 (5) 323-1971 338-1971 344-1971 379-1972 384-1974 PROCESS RADIATION MONITORING SYSTEM X X X A A A X A HIGH PRESS/

LOW PRESS SYSTEM INTERLOCKS X A A A X A LEAK DETECTION SYSTEM X X B A A A X A NEUTRON MONITORING SYSTEM (8) X B A A A X A RECIRCULATION PUMP TRIP (3)

X B A A A X A SAFETY RELIEF VALVES - RELIEF FUNCTION REDUNDANT REACTIVITY CONTROL SYSTEM (7) X X X X X X

4 of 6 HCGS-UFSAR Revision 23 November 12, 2018

( 1 .. 11 2!72 REACTOR A PROTECTION SYSTEM EMERGENCY CORE A COOLING SYSTEM PRIMARY A CONTAINMENT AND REACTOR VESSEL ISO SYS RHR CONTAINMENT A SPRAY COOLING RHR SUPPRESSION A POOL COOLING REACTOR CORE A ISOLATION COOLING STANDBY LIQUID A CONTROL RHR REACTOR A SHUTDOWN COOLING SAFETY-RELATED DISPLAY INSTRUMENTATION CONTROL ROD POSITION INDICATING SYSTEM HCGS-UFSAR ( TABLE 7.1-Z CODES AND STANDARDS APPLICABILITY MATRIX FOR NSSS CONTROL AND INSTRUMENTATION EQUIPMENT (1) (2) 1.21 1.22 1.29 1.30 1.45 1.47 , .53 1.62 6/74 2/72 9/78 8/72 5!73 5!73 6/73 10/73 X X A X X X X X A X X X X X A X X X X X A X X X X X A X X X X X A X X X X X A X X X X X A X X X 5 of 6 RG NUMBER 1.63 1.68 1 .. 73 1.75 10/73 (5) 11/73 1174 1/75 (6) A X 8 A A X 8 A A X A A X A A X B A A X A A X B A A X 1.89 1.100 1.105 11/74 3!76 11!75 A A A A A A A A A A A A A A A A A A A A A A A A A Revision 8 September 25, 1996 ( 1 .. 118 6/78 A A A A A A A A TABLE 7.1-2 CODES AND STANDARDS APPLICABILITY MATRIX FOR NSSS CONTROL AND INSTRUMENTATION EQUIPMENT (1) (2)

RG NUMBER 1.11 2/72 1.21 6/74 1.22 2/72 1.29 9/78 1.30 8/72 1.45 5/73 1.47 5/73 1.53 6/73 1.62 10/73 1.63 10/73 (5) 1.68 11/73 1.73 1/74 1.75 1/75 (6) 1.89 11/74 1.100 3/76 1.105 11/75 1.118 6/78 PROCESS RADIATION MONITORING SYSTEM A X X A X X A X A A A A HIGH PRESS/

LOW P RESS SYSTEM INTERLOCKS X X A X A X A A A A LEAK DETECTION SYSTEM X X A A X X B A X A A A A NEUTRON MONITORING SYSTEM (8) X X A X X B A X A A A A RECIRCULATION PUMP TRIP (3) X X A X X X B A X A A A A SAFETY RELIEF VALVES - RELIEF FU NCTION REDUNDANT REACTIVITY CONTROL SYSTEM (7)

X X X X X X X X X X X X X NOTES:

(1) All General Design Criteria, selected IEEE standards and Regulatory Guides 1.1 through 1.118 are included in th e plant design bases as indicated for each NSSS system.

(2) The letter X on the table indicates a system requirement and the letter A indicates that the code or standard is not a design basis, but the text provides a description of the extent of design agr eement. (3) The recirculation pump trip is related to the RPS trip. It is not assessed as the ATWS trip.

(4) Alternate reactivity control systems do not include SLCS for BWRs, only reactor manual control and recirculation flow control

. (5) Electric penetr ation assemblies are BOP scope, therefore IEEE 317 and Regulatory Guide 1.63 are not a NSSS design basis. See Table 7.1

-3 note. The letter B indicates NSSS systems requiring electrical penetrations.

(6) The extent of implementation for the requirements o f Regulatory Guide 1.75 Revision 1 are as follows: Physical separation between divisions of essential systems and between essential systems and essential circuits must be maintained for all essential NSSS systems except the neu tron monitoring system and t he process radiation monitoring system, which shall be justified by analysis.

(7) The appropriate editions of the referenced IEEE standards applicable to ATWS are IEEE 308

-1974, IEEE 323

-1974, IEEE 338

-1974, IEEE 344

-1975. (8) The appropriate editions of the referenced IEEE Standards for the NMS power range are I E EE 323-2003, IEEE 344

-2004, IEEE 7

-4.3.2-2003, and IEEE 379

-2000. The appropriate versions of the referenced Regulatory Guides for the NMS power range are RG 1.209 (3/07), RG 1.100 R3 (9/09), RG 1.75 R3, RG 1.152 R2 and RG 1.53 R2.

6 of 6 HCGS-UFSAR Revision 23 November 12, 2018

TABLE 7.1-3 CODES AND STANDARDS APPLICABILITY MATRIX f'OR NON-NSSS 1 2 4 13 19 20 21 22 PRIMARY CONTAINMENT ISOLATION X X X X X X X X SYSTEM CONTAINMENT ATMOSPHERIC CONTROL X X X X X X X X SYSTEM MAIN CONTROL ROOM HABITABILITY X X X X X X X X AND ISO SYSTEM FILTRATION, RECIRCULATION, AND X X X X X X X X VENTILATION SYSTEM REACTOR BUILDING VENTILATION ISOLATION SYSTEM (9) STATION SERVICE WATER SYSTEM X X X X X X X X SAFETY AUXILIARIES COOLING X X X X X X X X SYSTEM CLASS lE POWER {3) PRIMARY CONTAINMENT INSTRUMENT X X X X X X X X GAS SYSTEM CONTROL AREA CHILLED WATER X X X X X X X X SYSTEM ESF EQUIPMENT AREA COOLING X X X X X X X X SYSTEMS REMOTE SHUTDOWN SYSTEMS X X X X X SAFE SHUTDOWN EQUIPMENT AREA X X X X VENTILATION SYS. {12) 1 of 5 HCGS-UFSAR CONTROL AND INSTRUMENTATION GDC NUMBER 23 24 29 34 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X EQUIPMENT { 1 ) 35 41 X X X IEEE NUMBER 279-1971 X X X X X X X X X X Revision 12 May 3, 2002 I

  • TABLE 7-1-3 CODES AND STANDARDS APPLICABILITY MATRIX FOR NON-NSSS 1 2 4 13 19 20 21 BYPASSED AND INOPERABLE STATUS X X X X X INDICATION SYSTEM PLANT COMPUTER SYSTEMS {8) X X POST ACCIDENT MONITORING X X X X X INSTRUMENTATION STARTUP AND TRANSIENT MONITORING X (10) X (10) X (10} X SYSTEM SAFETY RELIEF VALVE POSITION X X INDICATION SYSTEM PROCESS RADIATION MONITORING X X X X X X X SYSTEM SAFETY SYSTEM/NON SAFETY SYSTEM ISOLATION {9) 2 of 5 HCGS-UFSAR CONTROL AND INSTRUMENTATION EQUIPMENT (1) GDC NUMBER 22 23 24 29 34 35 X X X X IEEE NUMBER 41 279-1971 X {11) X X Revision 14 July 26, 2005
  • I CODES AND STANDARDS APPLICABILITY MATRIX 1.11 1.22 1. 29 1. 30 1.40 1.47 (7) {2) PRIMARY CONTAINMENT ISOLATION X X SYSTEM CONTAINMENT ATMOSPHERIC CONTROL X X X X SYSTEM MAIN CONTROL ROOM HABITABILITY X X X ll.llD ISO SYSTEM FILTRATION, RECIRCULJl.,TION, AND X X X VENTILATION SYSTEM REACTOR BUILDING VENTII.Jl..TION ISOLATION SYSTEM (9) STATION SERVICE WATER SYSTEM X X X SAFETY AUXILIARIES COOLING X X X SYSTEM CLASS lE POWER (3) PRIMARY CONTAINMENT INSTRUMENT X X X X GAS SYSTEM CONTROL AREA CHILLED WATER X X X SYSTEM ESF EQUIPMENT AREA COOLING X X SYSTEMS REMOTE SHUTDOWN SYSTEMS X X X SAFE SHUTDOWN EQUIPMENT AREA VENTILATION SYS. ( 12} 3 of HCGS-UFSAR TABLE 7.1-3 FOR NON-NSSS CONTROL AND INSTRUMENTATION RG NUMBER 1. 53 1. 62 1.63 1. 68 1. 73 1. 75 ( 4) (5) (6) X X X X X X X X X X X X X X X X X X X X X X X EQUIPMENT{ll 1.80 (5) 1.89 X X X Revision May 3, 2002 1. 97 1.100 1.105 1.118 X X X X X X X X X X X X I X
  • *
  • TABLE 7.1-3 CODES AND STANDARDS APPLICABILITY MATRIX FOR NON-NSSS CONTROL AND INSTRUMENTATION EQUIPMENT(1} RG NUMBER 1.11 1.22 1-29 1.30 1.40 1.47 1.53 1.62 1.63 1.68 1. 73 1 .. 75 LBO 1.89 1.97 LlOO 1.105 {7} {2} (4) {5) {6} {5) BYPASSED AND INOPERABLE X X X X X X STATUS INDICATION SYSTEM PLANT COMPUTER SYSTEMS {B) X POST ACCIDENT MONITORING X X X X X X INSTRUMENTATION STARTUP AND TRANSIENT X X X MONITORING SYSTEM {10) {10} {10) SAFETY RELIEF VALVE X POSITION INDICATION SYSTEM PROCESS RADIATION X X X X X X X X X X X MONITORING SYSTEM SAFETY SYSTEM/NON SAFETY SYSTEM ISOLATION (9) NOTES: {1) The letter X on the table indicates the applicability of a code or standard to a system described in subsequent sections of Chapter 7. The extent to which HCGS design conforms is as stated in Section 1.8 for Regulatory Guides and Section 3.1.2 for GDCs. {2} Regulatory Guide 1.40 is not applicable to HCGS. see Section 1.8. (3} Refer to Section 8.1 for Class lE power codes and standards applicability. (4} Electrical penetrations are non-NSSS design responsibility. See Table 7.1-2 (RG 1.63} for NSSS systems requiring electrical penetrations. (5} see (6) See (7) See HCGS-UFSAR Section 14.2 for applicability of Regulatory Guide 1.68, 1.80. Sections 3.10/3.11 for applicability of Regulatory Guide 1.73. sections 17.1/17.2 for applicability of Regulatory Guide 1.30. 4 of s Revision 14 July 26, 2005 1.118 X X I X the TABLE 7.1-3 CODES AND STANDARDS APPLICABILITY MATRIX FOR NON-NSSS CONTROL AND INSTRUMENTATION EQUIPMENT(1) NOTES: (Cont) (8) The safety parameters display system and emergency response facilities information systems are provided by the plant computer systems. (9) Subsystem of the primary containment isolation system. (10) Applies only to the qualif;ed port;ons of the startup and transient monitoring system (see Section 7.5.1.3.5). (11) Bypassed and inoperable status indication system meets the requirements of IEEE Standard 279-1971 with the exceptfon that the indicators themselves are not seismically qualified. (12) The SSEAVS consists of the RSP room HVAC System and the RBEACS. The RBEACS is also part of the ESF Equipment Area Cooling System and satisfies the design requirements of that system. 5 of 5 HCGS-UFSAR Revision 8 September 25, 1996
  • *
  • Panels 1AC200 1BC200 1CC200 1DC200 1AC201 1BC201 1CC201 1DC201 lOC202 1AC213 1BC213 1AC215 1BC215 1AC281 1BC281 1CC281 1DC281 1AC285 1BC285 1CC285 1DC285 10C286 lOC399 10C401 lOC402 1AC420 1BC420 1CC420 1DC420 1AC421 TABLE 7.1-4 SEPARATION REQUIREMENTS FOR CLASS lE PANELS, INSTRUMENT RACKS AND CONTROL BOARDS H2;o2 Analyzer A Panel H2;o2 Analyzer B Panel H2;o2 Analyzer Heat Trace Panel H2;o2 Analyzer Heat Trace Panel SACS Control Panel A SACS Control Panel B SACS Control Panel C SACS Control Panel D RACS Heat Exchanger and Pumps Control Panel Instrument Gas Compressor A Control Panel Instrument Gas Compressor B Control Panel H2 A Power Distribution Panel H2 Recombiner B Power Distribution Panel Reactor Building Unit Cooler Control Panel Reactor Building Unit Cooler Control Panel Reactor Building Unit Cooler Control Panel Reactor Building Unit Cooler Control Panel Reactor Building FRVS Control Panel Reactor Building FRVS Control_ Panel Reactor Building FRVS Control Panel Reactor Building FRVS Control Panel Reactor Building Equipment Lock Ventilation Remote Shutdown Panel Diesel Generator Area Battery Room Panel Diesel Generator Area Battery Room Panel Diesel Generator A Exciter Panel Diesel Generator B Exciter Panel Diesel Generator C Exciter Panel Diesel Generator D Exciter Panel Diesel Generator A Local Engine Control Panel 1 of 5 HCGS*UFSAR Revision 0 April 11, 1988
  • *
  • Panels 1BC421 1CC421 1DC421 1AC422 1BC422 1CC422 1DC422 1AC423 1BC423 1CC423 1DC423 1AC428 1BC428 1CC428 1DC428 1AC482 1BC482 1AC483 1BC483 1CC483 1DC483 1AC485 1BC485 1AC486 1BC486 1AC487 1BC487 1AC488 1BC488 1AC489 1BC489 lAC490 TABLE 7.1-4 (Cont) Diesel Generator B Local Engine Control Panel Diesel Generator C Local Engine Control Panel Diesel Generator D Local Engine Control Panel Diesel Generator A Remote Control Generator Panel Diesel Generator B Remote Control Generator Panel Diesel Generator C Remote Control Generator Panel Diesel Generator D Remote Control Generator Panel Diesel Generator A Remote Engine Control Panel Diesel Generator B Remote Engine Control Panel Diesel Generator C Remote Engine Control Panel Diesel Generator D Remote Engine Control Panel Diesel Generator A Load Panel Diesel Generator B Load Sequencer Panel Diesel Generator C Load Sequencer Panel Diesel Generator D Load Sequencer Panel Electric Heater Control Panel 1AVH403 Electric Heater Control Panel 1BVH403 Diesel Area HVAC Control Panel Diesel Area HVAC Control Panel Diesel Area HVAC Control Panel Diesel Area HVAC Control Panel Control Area HVAC Control Panel Control Area HVAC Control Panel Diesel Area Panel Room Supply System Diesel Area Panel Room Supply System Water Chiller Panel Water Chiller Panel Chiller AK403 Power Panel Chiller BK403 Power Panel Electric Heater Control Panel 1AVH407 Electric Heater Control Panel 1BVH407 Yater Chiller A Control Panel 2 of 5 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • Panels 1BC490 1AC491 1BC491 1AC492 1BC492 1AC493 1AC494 1AC495 1BC495 1CC495 1DC495 1AC515 lBCSlS 1CC515 1DC515 1AC516 1BC516 1CC516 1DC516 1AC581 1BC581 1CC581 1DC581 lOC601 lOC602 lOC604 10C617 10C618 10C620 lOC621 lOC622 lOC623 TABLE 7.1-4 (Cont) Water Chiller B Control Panel Water Chiller A Power Panel Water Chiller B Power Panel Electric Heater Control Panel Electric Heater Control Panel Control Panel -Auxiliary Building Diesel Control Panel -Auxiliary Building Diesel Control Panel -Auxiliary Building Diesel Control Panel -Auxiliary Building Diesel Control Panel -Auxiliary Building Diesel Control Panel -Auxiliary Building Diesel Traveling Screen Control Panel Traveling Screen Control Panel Traveling Screen Control Panel Screen Control Panel Service Water Pump Panel Service Water Pump Panel Service Water Pump Panel Service Yater Pump Panel Intake Structure HVAC Control Panel Intake Structure HVAC Control Panel Intake Structure HVAC Control Panel Intake Structure HVAC Control Panel RRCS Division 1 Panel RRCS Division 2 Panel Class lE Radiation Monitoring Instrumentation Cabinet Division 1 RHR and Core Spray Relay Vertical Board Division 2 RHR and Core Spray Relay Vertical Board HPCI Relay Vertical Board RCIC Relay Vertical Board Inboard Isolation Valve Relay Vertical Board Outboard Isolation Valve Relay Vertical Board 3 of 5 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • Panels 10C628 lOC631 1AC633 1BC633 10C640 10C641 10C650 lOC651 1AC652 1BC652 1CC652 1DC654 1AC655 1BC655 1CC655 1DC655 1AC657 1BC657 1CC657 1DC657 1AC680 1BC680 1CC680 1DC680 TABLE 7.1-4 (Cont) ADS Division 2 Relay Vertical Board ADS Division 4 Relay Vertical Board Post LOCA H2 Recombiner A Control Cabinet Post LOCA H2 Recombiner B Control Cabinet Division 4 RHR and Core Spray Relay Vertical Board Division 3 RHR and Core Spray Relay Vertical Board Main Control Room Vertical Board Unit Operators Console lE Solid State Logic Cabinet Channel A lE Solid State Logic Cabinet Channel B lE Solid State Logic Cabinet Channel c lE Solid State Logic Cabinet Channel D lE Analog Logic Cabinet Channel A lE Analog Logic Cabinet Channel B lE Analog Logic Cabinet Channel c lE Analog Logic Cabinet Channel D lE Digital Termination Cabinet Channel lE Digital Termination Cabinet Channel lE Digital Termination Cabinet Channel lE Digital Termination Cabinet Channel A B c D lE Electrical Auxiliary Cabinet Channel A lE Electrical Auxiliary Cabinet Channel B lE Electrical Auxiliary Cabinet Channel c lE Electrical Auxiliary Cabinet Channel D Instrument Racks 10C002 Reactor Water Clean-up Rack 10C004 Reactor Vessel Level and Pressure A Rack lOCOOS Reactor Vessel Level and Pressure C Rack lOC009 Jet Pump Rack A 10C014 HPCI AjHPCI Leak Detection A Rack 4 of 5 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • TABLE 7.1-4 (Cont) Instrument Racks lOC015 lOC018 lOC021 lOC025 10C026 lOC027 lOC037 lOC041 lOC042 10C069 lOC208A lOC211 10C212 Main Steam C/D and Recirc A Flow Rack RHR A and ADS Rack RHR B and ADS Rack Main Steam C/D and Recirc A Flow Rack Reactor Vessel Level and Pressure D Rack Reactor Vessel Level and Pressure B Rack RCIC DfRCIC Leak Detection D Rack Main Steam A/B and Recirc B Flow Rack Main Steam A/B and Recirc B Flow Rack RHR D and ADS Rack RCIC/Reactor Cooling RCIC Pump RCIC Pump 5 of 5 HCGS*UFSAR Revision 0 April 11, 1988 C 2000 PS E G N u c l ea r , LL C. A ll R i gh t s R e s e r v e d.Upd a t e d FS A R PS E G N u c lea r, LL C Hop e C ree k N u c lea r G e n e r ating S t ation HO P E CREE K NU CLE A R G E N E R A T I NG S T A T ION R PS S E P A R A T ION CON C E P T F igu r e 7.1-1 A A P R M D A P R M R e v i s ion 23, NOV 12, 2018
  • * * "RP511 SENSORS NOTE 1 (Ty*p) RPS PANEL.S DIV t POWER CAC) I TRIP LOGIC A, DlV l AUX RELAYS INBOARD .. VALVES M.O. OR SOL. c ISOLATION DEVICE NOTE 1 OIV 1 =CHANNEL W DIV 2 =CHANNEL X OtV 3 =CHANNEL Y DlV 4 =CHANNEL Z FROM PROCESS TAPS I I TYPICAl ISOLATED LOGIC OR l"NFORMATION SIGNAl MANUAl SWITCHES I MANUAl SWlrCHES MOTOR STARTE;RS (WHERE USED) I TRIP TRIP LOGIC LOGIC 81 82 NON.RPS.SENSORS DlV 4 AUX RELAYS OUTBOARD VALVES M.O. OR SOL D D1V II WIRE.VAY DIV 4 POWER (AC &!OR DCl REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION NUCLEAR STEAM SUPPLY SHUT-OFF SYSTEM UPDATED FSAR FIGURE 7.1-2
  • *
  • CS 11 : RHR & CS RHR & CS *A** 1 : *>>" PUMPS I" t I DfV 1 : OIV 1 DIV 4 I DIV 4 OIV 2 BATT BAT'l' 1\ BATT BATT I FROM I FROM I 1 i-I -=-BATT BATT -=-.(TYP) T, I rT... I I . :, i l I I I ! , I ! ! ! ...,.L.o----,, ___ _.__ """_......___,. ,..-. ....................... ---"'* .-....-....-.. , .,._...._ ....... $ : I AOS LOGIC "nu I I ADS LOGtC "I" I I ICCS LOGIC SDG $ f ISOL LOGIC C622> SWGR & MCC SWGR & MCC ., P,:' "C NOTES:----REPRESENT SE9ARATION BARR IE RS BETWEEN REDUNDANT DIVISIONS. (NOT ACTUAl PANEL LAYOUT) SDG
  • DIESEL GENERATOR NOTE 1: DIV 1 =CHANNEL A DIV 2 =CHANNEL B DIV 3 = CHANNEL C DIV 4 =CHANNEL D I I ISOL LOGIC 1623} SDG $ I ECCS LOGIC "1)" SWGR& MCC D I I Ices LOGIC "! SDG $ I SWGR& MCC B REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION EMERGENCY CORE COOLING SYSTEMS (ECCS) SEPARATION SCHEME UPDATED FSAR FIGURE 7.1-3
  • -*
  • SENSORS RPS PANELS AILSA FE LOGIC NOTES: PROCESS TAP r-DIV 1 CONDUIT* PF10CESS TAP --, TRIP LOGIC A TRIP LOGIC C DIV II CONDUIT TRIP LOGIC D I TRIP LOGIC B AUXILIARY RELAYS INBOARD VALVES ANUAL SWITCH I I I MANUAL SWITCH I I NOTE 2 COMMON RACEWAY ,_......&.....__,._.....__, I (J) C/) _I _I 0 0 (J) (J) <( CD INBOARD VALVE I I I I .. INTERCONNECTING CONDUITS USED FOR MAIN STEAM ISOLATION VALVE LOGIC ONLY AUXILIARY RELAYS OUTBOARD VALVES (J) (J) _I _I 0 0 en (J) <( CD OUTBOARD VALVE REVISION 0 APRIL*11. 1988 1) SEE FIGURE 7.1*1 2) 2 INDIVIDUAL CABLES IN A SINGLE RACEWAY PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION MAIN STEAMLINE ISOLATION SEPARATION CONCEPT UPDATED FSAR FIGURE 7.1-4 c: t3 c )> :a ., G') c :D m :""" ... 0.. * (I) m ., l>:u :tin )>--In -(I) Om zz ::E:::tl m s: m MULTIPLE CIRCUIT REACTOR VESSEL LEVEL SENSORS 8 _L_L ---* OTHER
  • F _j_ _j_ __,..._ -r-* D H -L _L _L --r---_,_ I NOTE 1 (TYP.) ... DIV 2 OTHER DIV2 INPUT ::z::"'CCI oc -a= mr-nn mm m:a ::-::< zn em NOTES: INPUT CONTAINING DIV 2 DIV 2 I RCIC CONTROL DIV 4 TERMINAL BOX J TO DIV 4 EQUIPMENT DIV4 CABINET
  • I I
  • I I -_J I PANEL DIV2 nm ........ mm ,.n 1) DIVISIONS SHOULD CORRESPOND TO CHANNELS 8 AND D *SEE NOTE 1 ON FIGURE 7.1*3. :a-t m:a mn z,_ mz :::!m z,. men ,.!I: :::!i: Oz 2-< :a< ;:;; -'0 -""Z -'0 II 2) CIRCUilS FOR RCIC INITIATIONS UTILIZE CONTACTS ELECTRICALLY SEPARATE FROM THOSE USED FOR OTHER DIV 4 INPUTS.
  • _l_ ---I SEE NOTE DIV 4 WIREWAY
  • c: ""0 c )> -i m c ., :::1:1)>-(I) )> 0)> :::1:1 J>r:::l:l <-<C: >sas:: -C/)m r .. z l>tD-t 0-m ... z :ezm ., -Ot'D -l:z::o C) :z:"ttm c )>0)> :lJ m :""" _, I en :-al Clc -.,ca m!: """" :a en mm m:a ::111:< zn c:m ""m .-,.. mm >n ::10-i C'JI:a mn z,.. mz :r.ICJ _m i!;l: -* Clz 2< IIQ I g I( a: )I> ::a "'m :a< --r-cn ""'0 .. ""'z ;;o I
  • I COM£ PAE9SlR 2 l.lf lq I . t. PI J ¥ V '! IV 'l VI I 0.14, o.e 1.2 1 TIME (S£C1 x 10"' t .S..O" 120.1 I I r \.o:t J;;c tLlMIT..J lfi:EfMINGI81UILBl eo. tltA I I I -*a. o.q 0.8 1.2 ! TIME l SEC I X 10" 1.6 i tfs N ii5 ,
  • 1 rr srr-SKIRTJ 2 H lfVEL lfll ----t----1----1;_1 Nfl ftr*fiC IVIIl ttl II 10. 5 *10.11 """'c:: I *A::::::J .A ,,.......... I I 0.8 1.2 'S TIHE CSECI X 10 .. 1.6 !20.1 I I H'ts FLLIJ z o: AATED rw -*o. 0.1.1 o.a--*--*--* 1.6
  • * * "' 0 --' ID::' J tl I ,. . ... * . -.!: ; .fl"" 2
  • c --J '! --CD a
  • 0 : ": : t .* . . .,_ ... =:tw* r .. _,..,.., -_I " -fir. : 1 .. ., c ft .J .c 0 ., i -i REVISION 0 APRIL' 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION INSTRUMENT LINE BREAK ANALYSIS, EOC; NO HPCI; RCIC AVAILABLE WITH ARI UPDATED FSAR FIGURE 7.1-7
  • -!! a
  • 0 200 400 600
  • BOO TtME tsl 1000 1200 1400 1600 REVISION 0 APRIL 11. 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION VESSEL PRESSURE CALCULATED FROM THE CORE* HEATUP ANALYSIS UPDATED FSAR FIGURE 7.1*8
  • .. -.J w >. w _, a: w ::: *
  • 60 40 30 __ _. ____ ____ ._ __ 0 200 400 600 TIME (s} 800 1000 1200 REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION WATER LEVEL CALCULATED FROM THE CORE* HEATUPANALYSIS UPDATED FSAR FIGURE 7.1-9
  • *
  • t w lr <( lr w CL 2 w .... C) z 0 0 <( ..J 0 500 <( w CL. 0 200 400 TIME (s) 600 800 1000 REVISION 0 APRIL 11. 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION PEAK CLADDING TEMPERATURE CALCULATED FROM THE CORE* HEATUP ANALYSIS UPDATED FSAR

7.2 REACTOR

PROTECTION (TRIP) SYSTEM (RPS) 7.2.1 Description 7.2.1.1 RPS System Description The Reactor Protection (trip) System (RPS) is a dual trip electrical alarm and actuating system designed to prevent the reactor from operating under unsafe or potentially unsafe conditions. The RPS is designed to cause rapid insertion of control rods (scram) to shut down the reactor when specific variables exceed predetermined limits. A completely separate and diverse system, the Redundant Reactivity Control System (RRCS), is provided to mitigate anticipated transients without scram (ATWS) events. See Section 7.6.1.7 for more information. Schematic arrangements of RPS mechanical equipment and information displayed to the operator are shown on Vendor Technical Document PN1-C71-1010-0001, RPS instrument engineering diagram (IED). The RPS instrumentation and sensor channel arrangements are shown in Table 7.2-1 and on Vendor Technical Document PN1-C71-1010-0001, respectively. RPS elementary diagrams and instrument location drawings are listed in Section 1.7. The RPS power supply is discussed in 8.3.1.5. The RPS instrumentation is divided into trip logic channels, trip logics, and trip actuator logics. During normal operation, all trip logic channel relays essential to safety are energized, i.e., logics, and actuators are energized. The RPS design is based on two separate (A and B) trip systems. Each of the trip systems has two independent trip logic channels (A1, A2, and B1, B2). Each trip logic channel is associated with the trip logics of the same designation. 7.2-1 HCGS-UFSAR Revision 20 May 9, 2014 Trip logic channels A1 and A2 (trip system A) outputs are combined in a one out of two logic arrangement to control the "A" pilot scram valve solenoid in each of the four rod groups (a rod group consists of approximately 25 percent of the total control rods). Trip logic channels B1 and B2 (trip system B) outputs are combined in a one out of two logic arrangement to control the "B" pilot scram valve solenoids in each of the four rod groups. When a trip logic channel contact opens, the trip logic deenergizes the trip actuator logic which deenergizes the pilot scram valve solenoids associated with that trip actuator logic. However, the other pilot scram valve solenoid for each rod must also be deenergized before the scram valves provide a reactor scram. There is one dual coil pilot scram valve and two scram valves for each control rod. The pilot scram valve is solenoid operated, with the solenoids normally energized. The pilot scram valves control the air supply to the scram valves for each control rod. With either pilot scram valve solenoid coil energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive (CRD) water. When RPS trip logic channels A1 or A2 and B1 or B2 are tripped, the pilot scram valve solenoids are deenergized and air is vented from the scram valves, allowing CRD water to act on the CRD piston of each control rod, and all control rods are driven into the core. The water displaced by the movement of each rod piston is exhausted into a scram discharge volume. To restore the RPS to normal operation following any single actuator logic trip or a scram, each trip actuator must be manually reset. Once the condition that caused the actuator logic trip or the scram has cleared, the reset may be accomplished after a 10 second delay following a scram, but may be accomplished immediately following a trip of one or two unrelated trip actuators. The trip actuators are reset by operating switches in the main control room. Four reset switches (one per trip logic channel) are provided. 7.2-2 HCGS-UFSAR Revision 0 April 11, 1988 There are two 125 V dc solenoid operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. Electrical independence and diversity from the ac operated, dual coil, pilot scram solenoid valves are achieved using two separate, Class 1E, 125 V dc buses (Division I and Division II) for the backup scram solenoids. Valve position is not indicated in the control room because such indication is not required for backup valves. The backup scram valves will not be tested periodically, but each will be independently tested during refueling outages. Circuit details are shown on elementary diagram 791E414AC. When the solenoid for either backup scram valve is energized, the associated backup scram valve vents the air supply for the scram valves. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valves solenoids are energized (initiate scram) when trip logic channels A1 or A2 and B1 or B2 are both tripped. The trip units used at the HCGS are those described in the General Electric Topical Report NEDO-21617, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Trip Input". The trip unit/calibration system is all solid state and is designed to provide stable and accurate monitoring of process parameters. The system consists of master trip assemblies, slave trip assemblies, calibration units, card file assemblies, and other accessories. The master trip unit interfaces with a 4- to 20- milliampere (mA) transmitter or a three wire, resistance temperature detector (RTD), located at some remote location within the power plant installation. The slave trip unit is driven from the analog output of a master trip unit. The calibration unit has the capability of providing either a stable or transient calibration current that can be routed by a switch to any master trip unit. A drawing of the application is shown in Figure 7.2-2. 7.2-3 HCGS-UFSAR Revision 0 April 11, 1988 Test jacks are provided on the face of the master trip unit for precision measurement of actual parameter values. A two position logic inversion switch, internal to each trip unit, allows for the selection of either a high trip or low trip, thereby allowing the trip relays to be either energized or de-energized during normal operation. The system requirements dictate the position of the logic inversion switch. The master trip unit is a plug in, printed wire assembly designed to accept a 4- to 20- mA signal from the remote transmitter or to accept the input of a three wire RTD. The trip unit contains the circuitry necessary to condition these inputs and to provide the desired switching functions and analog output signals. The master trip unit provides an output to energize a trip relay at any point within the 4- to 20- mA range or within the resistance input signal range. It also contains an isolated panel meter that displays the value of the measured parameters, which can be scaled in the units of the process variable. The slave trip units are used in conjunction with master trip units when it is desirable to have different setpoints from a common transmitter. The slaves obtain their input from an analog output signal of the master trip unit. Up to seven slaves can be driven by a single master trip unit, thus allowing a possible eight different setpoints from a single measured parameter. Unlike the master, there is neither a direct connection of the slave to a transmitter nor are any analog signals generated by the slave. However, each slave has its own output logic switching function, which is independent of its master or other parallel slaves, for either a high or a low trip. These outputs may be used to supply "independent" sensor logic to any system or combination of systems within the same engineered safeguard division. Each master or slave trip unit is capable of supplying trip relay loads up to 1 amp at a nominal 24 V dc. Contacts from these relays provide the necessary logic function for the process variable input. The trip units are designed with output diode "isolation," which 7.2-4 HCGS-UFSAR Revision 0 April 11, 1988 allows parallel output connections of several trip units into one relay. The trip units are designed with individual power regulation circuits so that main power supply voltages need not be precisely regulated. This allows the use of a highly reliable, ferroresonant type power supply, which is not likely to fail in such a way as to introduce a high voltage to the system. This feature precludes catastrophic failure of all trip units on a single bus due to power supply failure. The power supplies are designed with built in diode "isolation" at the output so they may be connected in parallel for load sharing and/or bumpless transfer, given a single power supply failure. Power leads bypassing the diodes are also available for single unit applications or for individual unit voltage sensing when several power supplies are operated in parallel. The function of the calibration unit is to furnish the means by which an in-place calibration check of the master and slave trip units can be performed. The calibrator contains both a stable and transient current source. the normal use of the stable current is for verification of the calibration point of any given channel. The transient current source is used to provide a step current input into a selected channel such that the response time of that channel can be determined from the trip unit input to any point downstream in the logic to and including the final element. The readout assembly is a portable measurement and display device, which is inserted in the front of any calibration unit. It has two four digit displays with track applied calibration currents for any trip unit within the card file, as selected by a rotating switch on the front of the calibrator. The lower display, designated the calibration current display, continuously shows the total calibration current (stable current only, or stable and transient currents) generated by the calibration unit. The upper display, designated the trip current display, tracks the stable calibration current shown on the lower display until the trip output of the 7.2-5 HCGS-UFSAR Revision 8 September 25, 1996 master or slave trip unit being calibrated changes state. The calibration current reading at that point is latched on the trip current display by the trip status signal from the master or slave trip unit. The portability of this device yields two important advantages: 1. Only one readout assembly is required to calibrate all the trip units of this design used in the power plant; however, three readout assemblies are provided to give maximum availability of calibration hardware. 2. The unit is easily removed and calibrated against the laboratory bench standard to confirm its accuracy. then the standardized readout assembly is used to calibrate all the trip units, thus assuring maximum precision and consistency of process trip setpoints. The card file contains 13 slots, 12 of which may be used for any combination of master or slave trip units or blank fronts. The thirteenth is a double width slot designed for the calibrator only. Each card file is furnished with its own calibration unit regardless of the quantity of trip units within the file. The files are installed in standard 19-inch relay racks in quantities as required within each division cabinet. In essential safety systems incorporating multichannel logic design, cards can be configured within the files such that it is only possible to calibrate or test one channel at a time. This feature precludes inadvertent system activation because of erroneous test procedures. Bench Test Facility A power-up device is available for standardization and trouble shooting the components that comprise the trip unit/calibration system. The functions of the bench test unit are to provide: 7.2-6 HCGS-UFSAR Revision 8 September 25, 1996

1. A means to standardize the readout assembly to an onsite standard;
2. The capability to troubleshoot a failed trip unit; and
3. A means to perform a functional test procedure on a trip unit that is equivalent to the acceptance test procedure originally performed on the trip unit when it left the factory. This procedure will be

performed any time a trip unit is repaired.

Sensor logic trip channel inputs to the RPS, causing reactor scram, are

discussed in the following paragraphs.

7.2.1.1.1 Neutron Monitoring System

Neutron flux is monitored to initiate a reactor scram when predetermined limits

are exceeded.

Neutron Monitoring System (NMS) instrumentation is described in Section 7.6.

The NMS sensor channels are part of the NMS and not the RPS; however, the NMS logics are part of the RPS. Each NMS intermediate range monitor (IRM) logic receives its signal from one IRM channel and each average power range monitor (APRM) logic receives its signal from one APRM channel. The output logics of the APRM and IRM are combined to actuate a logic of one of the four RPS trip logic channels.

The NMS logics are arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux trip or simulated thermal power trip. There are eight NMS logics associated with the RPS. Each RPS trip logic channel

receives inputs from two NMS logics.

The RPS circuitry can be configured to provide an additional level of protection by allowing for a reactor scram from a single source range monitor (SRM), IRM, or APRM. These noncoincident neutron monitoring trips are normally bypassed and are only required during certain control rod withdrawals when adequate shutdown margin has not been demonstrated. They are bypassed by installing shorting links in the RPS circuitry. With these shorting links

installed, SRMs are not capable of initiating a reactor scram while the IRMs and APRMs are capable of initiating a reactor scram based on coincident RPS

logic.

7.2-7 HCGS-UFSAR Revision 23 November 12, 2018

The NMS trip logic contacts for IRM and APRM can be bypassed by selector switches located in the main control room. APRM channels A, B, C, and D bypasses are controlled by one selector switch that will bypass only one APRM channel at any time. IRM channels A, C, E, and G bypasses are controlled by one selector switch and channels B, D, F, and H bypasses are controlled by a second selector switch. Bypassing either an APRM or an IRM channel will not

inhibit the NMS from providing protective action where required.

7.2.1.1.1.1 Intermediate Range Monitors The IRMs monitor neutron flux between the upper portion of the SRM range to the lower portion of the APRM range. The IRM detectors are positioned in the core by remote control from the main control room. The IRM is divided into two groups with four IRM channels in each group. Two IRM channels are associated with each of the trip channels of the RPS. The arrangement of IRM channels allows one IRM channel in each group to be bypassed.

Each IRM channel includes four trip circuits. One trip circuit is used as an instrument trouble trip. It operates on one of the three following conditions:

1. When the high voltage drops below a preset level
2. When one of the modules is not plugged in
3. When the operate calibrate switch is not in the "operate" position.

Each of the other trip circuits is specified to trip when preset downscale or N eutron F lux U pscale (reactor power) levels are reached.

The trip functions actuated by the IRM trips are indicated in Table 7.6-1. The reactor mode switch determines whether IRM trips are effective in initiating a reactor scram. With the reactor mode switch in "refuel" or "startup," an IRM upscale or inoperative trip signal actuates a NMS trip of the RPS. Only one of the IRM channels must trip to initiate a NMS trip of the associated RPS trip

channel.

7.2.1.1.1.2 Average Power Range Monitors There are four APRM channels. Each APRM channel consists of an APRM instrument, 2/4 logic module, quad low voltage power supply, LPRM instrument, and a calibration/monitoring panel.

The APRM channels receive and average input signals from the local power range monitor (LPRM) detectors and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power.

7.2-8 HCGS-UFSAR Revision 23 November 12, 2018

The APRMs supply trip signals to the RPS and to the RRCS. Table 7.6-2 lists the APRM trip functions. Each APRM channel receives an independent flow signal input from each of the two recirculation loops and determines the tot al recirculation driving flow by summing these loop flow inputs. A total of eight loop flow signals are sensed from four pairs of elbow taps, two in each recirculation loop.

The outputs from all four APRM channel instruments go to each 2-out-of-4 voter (logic) module.

Each of the 2-out-of-4 voter logic modules interfaces to one of the four RPS input channels (A1, A2, B1, and B2). The trip outputs from all four APRMs are sent to each 2-out-of-4 voter logic module, such that each trip output sent to RPS is a voted result of all four APRMs. A trip output to RPS is provided when two of the same type of trip signals is in a tripped state for at least two non

-bypassed APRMs. APRM channel instrumentation trip inputs to the 2-out-of-4 voter logic modules can be b ypassed by a single fiber optic selector switch in the main control room. Only one APRM channel may be bypassed at any time. Each 2

-out-of-4 voter logic module is designed to receive one fiber optic bypass signal from the APRM bypass switch. The state of that bypass signal is retransmitted to the other 2-

out-of-4 logic modules in an isolated manner. Each 2-out-of-4 logic module will provide trip outputs to RPS as a voted result of the three un-bypassed APRMs when one channel is bypassed, resulting in a 2

-out-of-3 logic configuration. Bypassing an APRM channel will not inhibit NMS from providing a protective action when required. If a bypass indication from more than one APRM channel is received, none of the inputs to the 2

-out-of-4 voter logic modules are bypassed

At least two unbypassed APRM channels must be in the APRM upscale trip or inoperative trip state to cause an APRM Upscale/Inop RPS trip output from the APRM 2-out-of-4 voter channels. Similarly, at least two unbypassed APRM channels must be in the OPRM upscale trip state or inoperative state to cause an OPRM Upscale RPS trip output from the APRM 2-out-of-4 voter channels. The APRM Upscale/Inop and OPRM/Inop trips are combined and input to the 2-out-of-4 voter channels. All four voter channels will provide an RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each of the four APRM 2-out-of-4 voter channels will have a half-trip, but no trip signals will be sent to the RPS.

Removing voltage to a relay coil transmits trip outputs to the RPS, therefore loss of power results in actuating the RPS trips. Loss of a 2-out-of- 4 voter channel results in an RPS half-scram.

7.2-9 HCGS-UFSAR Revision 23 November 12, 2018

Total recirculation flow rate is calculated by each APRM chassis by adding the flow values for each loop to obtain total flow. The total flow value is used to produce flow-biased APRM scram and rod block setpoint values. The total recirculation flow is also used in the OPRM enable logic.

The LPRM signals are averaged to achieve an APRM flux value, which is then adjusted by either a manually entered or digitally transferred factor to allow calibration of the APRM to be APRM power. The APRM power is processed through a first order filter with a six second time constant to calculate simulated thermal power. Each APRM channel also calculates a flow signal that is used to -biased rod block and scram setpoints. The APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slopes of the upscale rod block and scram trip response curves are set to track the required trip setpoint with recirculation flow changes. These calculations are all performed by the digital processor and result in a digital representation of APRM and

simulated thermal power, and of the flow

-biased rod block and scram setpoints.

Each APRM also includes an OPRM Upscale Function. The OPRM Upscale Function receives input signals from the LPRMs within the reactor core, which are

7.6.1.4.4)

In addition to the IRM upscale trip, instantaneous APRM trip function with a setpoint of 17 percent power is active when the reactor mode switch is in the "startup" position.

Diversity of trip initiation for excursions in reactor power is provided by the NMS trip signals and reactor vessel high pressure trip signals. An increase in reactor power will initiate protective action from the NMS as discussed in the

above paragraphs.

This increase in power results in a reactor pressure increase due to a higher rate of steam generation. The turbine control valve will stay open until the load limit of the turbine generator occurs. Once the pressure control limits are reached, reactor pressure will increase until the reactor vessel high pressure trip results. These variables are independent of one another and provide diverse protective action for this condition.

7.2.1.1.1.3 Oscillation Power range Monitor (OPRM)

Each APRM includes an OPRM Upscale Function. The OPRM Upscale Function receives input signals from the local power range monitor (LPRM) detectors within the reactor core, which are combined into cells for evaluation by the OPRM algorithms.

7.2-10 HCGS-UFSAR Revision 23 November 12, 2018

An OPRM Upscale trip is issued from an OPRM channel when the Confirmation Density Algorithm (CDA) in that channel detects oscillatory changes in the neutron flux as indicated by Period Confirmations and amplitude exceeding the specified setpoints for a specified number of OPRM cells in the channel. The CDA is credited in the Licensing Analysis for OPRM. An OPRM Upscale trip is also issued from the channel if any of the Defense-in-Depth Algorithms (DIDA) (Period Based Detection Algorithm (PBDA),Amplitude Based Algorithm (ABA), Growth Rate Algorithm (GRA)) exceed their trip condition for one or more cells in that channel. The PBDA, GRA, and ABA are not credited in the Licensing Analysis for the OPRM and are provided for defense

-in-depth only.

The OPRM Upscale Function is automatically trip

-enabled when thermal power, as indicated by the APRM Simulated Thermal Power, is greater than the licensing basis power setpoint and reactor recirculation drive flow is less than a licensing basis flow setpoint.

Three of the four channels are required to be operable. Each channel is capable of detecting thermal

-hydraulic instabilities by detecting the related neutron flux oscillations, and issuing a trip signal before the MCPR safety limit is exceeded.

7.2.1.1.2 Reactor Vessel High Pressure A reactor vessel pressure increase during reactor operation compresses the steam voids and results in increased reactivity, causing increased core heat generation that could lead to fuel cladding failure and reactor overpressurization. A reactor scram counteracts a pressure increase by rapidly inserting negative reactivity with the control rods, subsequently reducing core fission heat generation. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable design pressure. The reactor vessel high pressure trip setting also protects the core from exceeding thermal and/or hydraulic limits that result from pressure increases during events that occur

when the reactor is operating below rated power and flow.

Reactor pressure is monitored by four redundant pressure transmitters, each of which provides a reactor high pressure signal input to its corresponding RPS trip logic channel.

Diversity is provided by monitoring different sets of independent reactor vessel variables, i.e., main steam isolation valve (MSIV) closure, main stop valve closure, and turbine control valve fast closure.

7.2-11 HCGS-UFSAR Revision 23 November 12, 2018

7.2.1.1.3 Reactor Vessel Low Water Level Decreasing water level while the reactor is operating at power decreases the reactor coolant inventory. If excessive water level decrease occurs, fuel damage could result as steam voids form around fuel rods. A reactor scram

reduces the fission heat generation within the core.

Reactor vessel water level is monitored by four redundant differential pressure transmitters, each of which provides a reactor vessel low water level signal input to its corresponding RPS trip logic channel at reactor vessel reference

level 3, as shown on Plant Drawing M 1.

Diversity of reactor scram initiation for breaks in the reactor coolant pressure boundary (RCPB) is provided by high drywell pressure trip signals.

7.2.1.1.4 Main Stop Valve Position

A turbine trip initiates closure of the main stop valve, which can result in a

significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The main stop valve closure trip initiates a reactor scram earlier than either the NMS trip or reactor vessel high pressure trip to provide the required safety margin below core thermal hydraulic limits for this abnormal operational transient. The reactor scram counteracts the addition of positive reactivity caused by the increasing pressure by rapidly inserting negative reactivity with the control rods.

Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the main stop valve closure scram provides additional safety margin to

the reactor vessel pressure limit.

Main stop valve closure inputs to the RPS originate from eight redundant valve stem position switches mounted on the four main stop valves. Each switch opens before the valve is closed more than specified in the Technical Sp ecifications and provides positive indication of closure. Each switch provides an input signal to one of the four RPS trip logic channels. The logic is arranged so that closure of three or more valves is required to initiate a reactor scram.

The switches are arranged so that no single failure can prevent a main stop

valve closure scram.

7.2-12 HCGS-UFSAR Revision 23 November 12, 2018

Diversity of reactor scram initiation for increases in reactor vessel pressure due to termination of steam flow by main stop valve or turbine control valve closure is provided by reactor vessel high pressure trip and NMS trip signals.

The main stop valve closure scram trip is automatically bypassed if the turbine first stage pressure, as sensed by four pressure transmitters, is less than that corresponding to about 24 percent of rated reactor power. The bypass is automatically removed above about 24 percent of rated reactor power.

7.2.1.1.5 Turbine Control Valve Position

Generator load rejection with reactor power above approximately 24 percent or a turbine trip automatically initiates a fast closure of the turbine control valves, which results in a significant addition of positive reactivity to the core as nuclear reactor vessel steam pressure rise causes steam voids to collapse. The turbine control valve fast closure trip initiates a reactor scram earlier than either the NMS trip or nuclear system high pressure trip to provide the required safety margin below core thermal hydraulic limits for this abnormal operational transient. The reactor scram counteracts the addition of positive reactivity resulting from increasing pressure by rapidly inserting negative reactivity with the control rods. Although the nuclear system high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit. The turbine control valve fast closure trip setting is selected to provide timely indication of control valve fast closure.

Turbine control valve fast closure inputs to the RPS originate from oil line pressure switches on each of four fast acting control valve hydraulic mechanisms. Each pressure switch provides an input signal to one of the four RPS trip logic channels. If hydraulic oil line pressure is lost, a turbine control valve fast closure will initiate a reactor scram.

Automatic turbine control valve fast closure scram bypass is the same as provided for the main stop valve closure.

Diversity is provided by monitoring different sets of independent variables, i.e., MSIV closure, main stop valve closure, and turbine control valve fast closure, which are anticipatory of reactor high pressure and high power.

7.2.1.1.6 Main Steam Isolation Valves Position The MSIV closure can result in a significant addition of positive reactivity to the core as nuclear system pressure rises.

7.2-13 HCGS-UFSAR Revision 23 November 12, 2018

A single position switch with two independent contacts mounted on each of the eight MSIVs provides a MSIV closure signal to two separate channels of the RPS. Each switch is arranged to open before the valve is closed more than the setpoint, as specified in the Technical Specifications, to provide the earliest possible positive indication of closure. Either of the two RPS channels sensing isolation valve position can signal valve closure. Each RPS trip logic channel receives signals from the MSIVs associated with two main steam lines. The arrangement of signals within each logic requires the closing of at least one valve in each of the two main steam lines associated with that logic to cause a trip of that logic channel. Closure of at least one valve in three or more main steam lines is required to initiate a reactor scram. At plant shutdown and during plant startup, the MSIV closure scram must be bypassed in order to reset the RPS. This bypass is in effect when the mode switch is in the "shutdown," "refuel," or "startup" position. The bypass allows plant operation when the MSIVs are closed during low power operation. The bypass is removed when the mode switch is placed in "run". Diversity of reactor scram initiation due to MSIV closure is provided by reactor vessel high pressure trip and NMS trip signals. 7.2.1.1.7 Scram Discharge Volume Water Level Water displaced by the CRD pistons during a reactor scram is discharged to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced by a reactor scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the discharge volume can accommodate the water displaced during a scram. 7.2-14 HCGS-UFSAR Revision 12 May 3, 2002 Four nonindicating level switches (one for each channel) provide scram discharge volume (SDV) high water level inputs to the four RPS channels. An additional level indicating switch (trip unit), with transmitter, in each channel provides redundancy with the level switch in that channel. This arrangement provides diversity, as well as redundancy, to ensure that no single event could prevent a scram caused by SDV high water level. The scram discharge volume high water level trip bypass is controlled by the manual operation of two keylocked switches; a bypass switch and the mode switch. The mode switch must be in the "shutdown" or "refuel" position to allow manual bypass of this trip. This bypass allows the operator to reset the RPS trip relays so that the scram discharge volume may be drained. Resetting the trip actuators opens the scram discharge volume vent and drain valves. An annunciator in the main control room indicates the bypass condition. 7.2.1.1.8 Drywell Pressure High pressure inside the drywell may indicate a break in the RCPB. Reactor scram is initiated to minimize the possibility of fuel damage. Drywell pressure is monitored by four pressure transmitters. Each of the four transmitters provides an input to its corresponding RPS trip logic channel. Diversity is provided by monitoring reactor low water level. 7.2.1.1.9 Main Steam Line Radiation Monitors High radiation in the vicinity of the main steam lines may indicate a gross fuel element failure in the core. 7.2-15 HCGS-UFSAR Revision 12 May 3, 2002 Main steam line radiation is monitored by four redundant radiation monitors located in the steam tunnel. The four monitors provide Main Control Room annunciation when high gamma radiation is detected in the vicinity of the main steam lines. 7.2.1.1.10 Manual Scram Scram can be initiated manually. There are four manual scram pushbutton switches, one for each of the four RPS trip logic channels. Actuating the manual scram switch for trip logic channel A1 or A2 will deenergize the "A" scram pilot valve solenoid for all control rods. Actuating the manual scram switch for trip logic channel B1 or B2 will deenergize the "B" scram pilot valve solenoid for all control rods. To manually initiate a reactor scram, the manual reactor scram switches from trip logic channels A1 or A2 and B1 or B2 must be actuated. Manual reactor scram is diverse to all automatic reactor trip signals. 7.2.1.1.11 Reactor Mode Switch Manual Scram Even though the action is not a safety function, reactor scram can be initiated by placing the mode switch in the "shutdown" position. The mode switch consists of four independent banks of contacts. A "shutdown" position contact from each of the four contact blocks provides an input to its corresponding RPS trip logic channel. 7.2-16 HCGS-UFSAR Revision 12 May 3, 2002 The reactor scram signal, initiated by placing the mode switch in "shutdown", is automatically bypassed after a preset time delay has timed out. This allows the CRD hydraulic system valve lineup to be restored to normal, which must occur before the main control room operator can reset the RPS trip logic. 7.2.1.2 RPS System Testability The RPS can be tested during reactor operation by the methods described in the following paragraphs. The manual scram test involves depressing the manual scram switch for one trip logic channel, which deenergizes the actuators, opening contacts in the actuator output logic. After the first trip logic channel is reset, the second trip logic channel is tripped manually, and so forth for the four manual scram switches. The total test verifies the ability to deenergize all eight groups of scram pilot valve solenoids by using the manual reactor scram pushbutton switches. In addition to main control room and computer printout indications, pilot scram valve solenoid group indicator lights deenergize to verify that the actuator contacts have opened. The calibration test of the NMS is accomplished by means of simulated inputs from calibration signal units. Calibration and test controls for the NMS are located in the main control room. Their physical location places them under direct physical control of the control room operator. The single rod scram test verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular CRD. Timing traces can be made for each rod scrammed. Prior to the test, a physics review must be conducted to ensure that the rod pattern during scram testing will not create a rod of excessive reactivity worth. The sensor test involves applying a test signal to each RPS sensor trip circuit, in turn, and observing that a logic trip results. 7.2-17 HCGS-UFSAR Revision 0 April 11, 1988 This test also verifies the electrical independence of the trip logic channel circuitry. The test signals can be applied to the process type sensing instruments (pressure and differential pressure) through calibration taps. To gain access to the setting controls on each transmitter, a cover plate or sealing device must be removed. Only properly qualified plant personnel are granted access for the purpose of testing or calibration adjustments. Proper transmitter operation will be evaluated during plant operation by comparison of the analog output meters on the individual channel trip units. Any deviation of a reading from the norm (other units) would indicate a malfunction. The alarm log provided with the process computer allows verification of the correct operation of many sensors during plant startup and shutdown. MSIV position and main stop valve position can be checked in this manner. The verification provided on the alarm log is not considered in the selection of test and calibration frequencies and is not required for plant safety. The overall RPS response time is verified during preoperational testing from sensor trip to trip logic channel relay deenergization and actuator logic deenergization, and can be verified thereafter by similar testing. 7.2.1.3 Design Bases The RPS is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel cladding and the RCPB. Section 15 identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are presented in Section 15. 7.2-18 HCGS-UFSAR Revision 19 November 5, 2012 Variables monitored in order to provide protective actions to the RPS indicating the need for reactor scram are as follows: 1. Neutron flux 2. Reactor vessel high pressure 3. Reactor vessel low water level 4. Main stop valve closure 5. Turbine control valve fast closure 6. Main steam isolation valve closure 7. Scram discharge volume high level 8. Drywell high pressure The plant conditions that require protective action by the RPS are described in Section 15. 7.2.1.3.1 Location and Minimum Number of Sensors Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the RPS. The basis for the number and location of NMS detectors is discussed below. The other requirements are fulfilled through the combination of logic arrangement. The minimum number and physical location of required LPRMs for each APRM is determined by using the following two transient analyses: 1. The first analysis is performed with operating conditions of 100 percent reactor power and 100 percent reactor 7.2-19 HCGS-UFSAR Revision 7 December 29, 1995 recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this

condition.

2. The second analysis is performed with operating conditions of 100 percent reactor power and 100 percent reactor recirculation flow using a reduction of recirculation flow at a fixed design rate. Again, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

The number of LPRM detector signals available as inputs to an APRM channel shall satisfy the following criteria:

a) The number of operable LPRM detector inputs shall be at least 20. The

APRM automatically enforces this requirement.

b) The number of operable LPRM detector inputs per core axial level (A, B, C, or D) shall be at least 3. The APRM automatically enforces this

requirement.

7.2.1.3.2 Prudent Operational Limits Prudent operational limits for each safety

-related variable trip setting are selected with sufficient margin to avoid spurious reactor scrams. It is then verified by analysis that the release of radioactive material, following postulated gross failures of the fuel or the RCPB, is kept within acceptable

bounds. Design basis operational limits, listed in the Technical Specifications, are based on operating experience and constrained by the safety

design basis and the safety analysis.

7.2.1.3.3 Margin The margin between allowable values and the nominal sensor trip setpoints for the RPS are those parameters listed in the Technical Specifications. The

margin includes the response times and sensor

7.2-20 HCGS-UFSAR Revision 23 November 12, 2018

setpoint drift. Annunciators are provided at the setpoints for the functions listed in the Technical Specifications to alert the control room operator to the cause of the unsafe condition. Response times for the Reactor Protection System appear in Table 7.2-3. 7.2.1.3.4 Levels Levels requiring protective action are provided in the Technical Specifications. 7.2.1.3.5 Range of Transient, Steady State, and Environmental Conditions Environmental conditions maintained for proper operation of the RPS components are discussed in Section 3.11. The RPS power supply ranges for steady state and transient conditions are provided in Section 8.3.1.5. 7.2.1.3.6 Malfunctions, Accidents, and Other Unusual Events That Could Cause Damage to Safety Systems Unusual events are defined as malfunctions, accidents, and other events that could cause damage to safety systems. Chapter 15 describes the following credible accidents and events: floods, storms, tornados, earthquakes, fires, loss-of-coolant accident (LOCA), pipe break outside containment, feedwater line break, and missiles. Each of these events is discussed below for the RPS. All components essential to the operation of the RPS are designed, fabricated, and mounted into appropriate seismically qualified structures. The sensors that monitor main stop valve position and turbine control valve fast closure for initiating reactor scram are designed and purchased to Seismic Category I. However, they are physically mounted on equipment that is not Seismic Category I, and are located in the Turbine Building, which is not a Seismic Category I structure. For this reason, other diverse variables (reactor pressure and NMS trips) may be relied upon for reactor scram, if components in the Turbine Building fail. 7.2-21 HCGS-UFSAR Revision 8 September 25, 1996 The cables for the main (turbine) stop valve closure and turbine control valve fast closure trip signals are run in protective conduit from the sensors to the RPS control panels in the main control complex. Each channel is run in its own conduit to maintain separation. Drawings showing the cable routing for these trip signals have been previously submitted to the NRC and are listed on revised Table 1.7-1. The specific drawings of concern are as follows: 1. E-1652-1, sheet 1 2. E-1653-1 3. E-1663-1 4. E-1664-1, sheet 4 5. E-1730-0 6. E-1750-0, sheet 1 7. E-1853-1, sheet 1 8. E-1863-1, sheet 1 9. E-1903-1, sheet 1 The specific sensors of concern are as follows: Sensor Function Location SB-ZS-N006A Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006B Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006C Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006D Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006E Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006F Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006G Main (Turbine) Stop Valve Closure Turbine Building SB-ZS-N006H Main (Turbine) Stop Valve Closure Turbine Building SB-PS-N005A Turbine Control Valve Fast Closure Turbine Building SB-PS-N005B Turbine Control Valve Fast Closure Turbine Building SB-PS-N005C Turbine Control Valve Fast Closure Turbine Building SB-PS-N005D Turbine Control Valve Fast Closure Turbine Building 7.2-22 HCGS-UFSAR Revision 0 April 11, 1988 The routing of the cables is such that each channel is routed in its own conduit with a minimum separation of at least 1 inch between redundant channel conduits. The only credible failures that could challenge the system are: 1) a safe shutdown earthquake, 2) a turbine missile, or 3) a high energy line break. The expected failure mode caused by these events would be loss of the sensor due to loss of continuity (i.e., wire broken or cable severed), which would result in a reactor trip signal being generated. If the trip sensor failed closed or shorted due to the fault, the high reactor pressure and high reactor power trips, which are diverse (see Sections 7.2.1.1.4 and 7.2.1.1.5), would still function providing adequate reactor protection. Further, shorting of a single sensor would not prevent protective action by the other related sensors. Each sensor input to the RPS logic is isolated from other sensor inputs by the use of interposing relays. This prevents a fault on a particular sensor cable causing an entire trip logic channel to be disabled. The following table lists other RPS powered sensors located in non-seismically qualified structures: Sensor Function Location SB-PT-N052A Main (Turbine) Stop Valve Closure Turbine Building and Turbine Control Valve Fast Closure Trips Bypass SB-PT-N052B Main (Turbine) Stop Valve Closure Turbine Building and Turbine Control Valve Fast Closure Trips Bypass SB-PT-N052C Main (Turbine) Stop Valve Closure Turbine Building and Turbine Control Valve Fast Closure Trips Bypass 7.2-23 HCGS-UFSAR Revision 0 April 11, 1988 Sensor Function Location SB-PT-N052D Main (Turbine) Stop Valve Closure Turbine Building and Turbine Control Valve Fast Closure Trips Bypass SM-PT-N076A MSIV*-Low Steam Line Pressure Turbine Building Trip (PCRVICS)** SM-PT-N076B MSIV*-Low Steam Line Pressure Turbine Building Trip (PCRVICS)** SM-PT-N076C MSIV*-Low Steam Line Pressure Turbine Building Trip (PCRVICS)** SM-PT-N076D MSIV*-Low Steam Line Pressure Turbine Building Trip (PCRVICS)** SM-PT-N075A MSIV*-Low Condenser Vacuum Trip Turbine Building (PCRVICS)** SM-PT-N075B MSIV*-Low Condenser Vacuum Trip Turbine Building (PCRVICS)** SM-PT-N075C MSIV*-Low Condenser Vacuum Trip Turbine Building (PCRVICS)** SM-PT-N075D MSIV*-Low Condenser Vacuum Trip Turbine Building (PCRVICS)**

  • MSIV - Main Steam Isolation Valve ** PCRVICS - Primary Containment and Reactor Vessel Isolation Control System Conformance to the requirements of IEEE Standard 279 and associated standards are discussed in Sections 7.2.2.2.1 (RPS Sensors) and 7.3.2.1.2 (PCRVICS sensors). 7.2-24 HCGS-UFSAR Revision 8 September 25, 1996 The cables for the trip signals from the RPS powered sensors listed above (i.e., the later table) are run in protective conduit from the sensors to the RPS control panels in the main control complex. Each channel is routed in its own embedded conduit with a minimum separation of at least 1 inch between redundant channel conduits. The cable routing for these signals is shown on the following drawings (listed on Table 1.7-1): 1. E-1804-1, sheet 2. E-1854-1 3. E-1865-1 4. E-1875-1 The expected failures, as described above would cause loss of the sensor(s) due to loss of continuity (i.e., wire broken or cable severed). This condition would cause no adverse affects on the RPS if the plant was operating at power since the normal condition of sensors SB-PT-N052 (A-D) is deenergized. The open condition on the PCRVICS sensor (SM-PT-N075 (A-D) and SM-PT-N076 (A-D)) circuits could result in a reactor scram, due to main steam isolation valve closure, if an open existed on at least one sensor circuit in each of the two NSSS trip systems. If the two RPS sensor circuits in the same RPS trip system (SB-PT-N052A and C or SB-PT-N052B and D) were to fail closed, due to the event, the main stop valve closure and turbine control valve fast closure scrams would be rendered inoperable. However, automatic reactor scram would still be provided by the diverse trip signal of reactor high pressure. Manual reactor scram is also available. Should the event result in the worst case condition of a short circuit (failed closed) condition of all the PCRVICS sensor circuits (SM-PT-N075 (A-D) and SM-PT-N076 (A-D)) in one or both NSSSS trip 7.2-25 HCGS-UFSAR Revision 0 April 11, 1988 systems, automatic isolation would still be provided by the diverse trip signal of reactor vessel low water level (level 1). Manual isolation is also available. Each sensor input to the RPS or NSSS logic is isolated from other sensor inputs by the use of interposing relays. This prevents a fault on a particular sensor cable causing an entire trip logic channel to be disabled. 7.2.1.3.6.1 Floods The buildings containing RPS components have been designed to meet the probable maximum flood (PMF) at the site location. This ensures that the buildings will remain watertight under PMF conditions including wind generated wave action and wave runup as described in Section 3.4. 7.2.1.3.6.2 Storms and Tornadoes The buildings containing RPS components, except for the turbine building, have been designed to withstand all credible meteorological events and tornados as described in Section 3.3. 7.2.1.3.6.3 Earthquakes The structures containing RPS components, except for the turbine building, have been seismically qualified, as described in Section 3.7, and will remain functional during and following a safe shutdown earthquake (SSE). 7.2.1.3.6.4 Fires To protect the RPS in the event of a fire or other hazard, the RPS trip logics have been divided into four separate sections within two separate RPS panels. The sections within a panel are separated by 7.2-26 HCGS-UFSAR Revision 0 April 11, 1988 barriers. The use of separation and barriers ensures that, even though some portion of the system may be affected by a hazard, the RPS will continue to provide the required protective actions. 7.2.1.3.6.5 LOCA The following RPS system components are located inside the drywell and would be subjected to the effects of a design basis LOCA: 1. NMS cabling from the detectors to the main control room 2. MSIV (inboard) position switches 3. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines 4. Drywell pressure instrument taps. 7.2.1.3.6.6 Pipe Break Outside Containment This condition will not affect the reliability of the RPS. 7.2.1.3.6.7 Feedwater Line Break This condition will not affect the reliability of the RPS. 7.2.1.3.6.8 Missiles See Section 3.5, Missile Protection. 7.2.1.3.6.9 Minimum Performance Requirements See the Technical Specifications. 7.2-27 HCGS-UFSAR Revision 0 April 11, 1988 7.2.1.3.7 Single Failure For non-NSSS, the ESF and EAS systems are designed such that no two protection channels of the same system have sensors which share a common instrument line or tap. Therefore, no single failure of an instrument line or tap can cause a loss of required protection system redundancy for any non-NSSS ESF or EAS system. A walkdown will be performed to verify that installation is in accordance with the design. For NSSS, there are three cases where sensors share common instrument lines, two in the Reactor Protection System (RPS) and one in the Nuclear Steam Supply Shutoff System (NSSSS). RPS As shown on Figure 7.1-1, it is permissible for the RPS sensors A and B or C and D to share common instrument lines because of the use of one out of two twice, fail safe logic and the manner of allocating the related relays to the RPS logic channels ensures that no single line failure would prevent the RPS from functioning. RPS Case 1. Four pressure transmitters (C71-N052 A through D) at the first stage of the main steam turbine provide interlocks for the scram trip functions of the main stop valve and the control valve and for the end of cycle recirculation pump trip (RPT). See Section 7.6.1.5. The scram trip and the RPT are prevented when the first stage turbine pressure is below the setpoint. In this case, an instrument line fault would not prevent the scram function because of the one out of two twice logic arrangement. An instrument line fault could disable one of the two RPT systems, but the other would function normally to trip both recirculation pumps. Diversity for the scram trip functions of the main stop and control valves is provided by high reactor pressure sensed by four pressure 7.2-28 HCGS-UFSAR Revision 0 April 11, 1988 transmitters. Redundancy for the RPT function is provided by the ATWS RPT initiated by the redundant reactivity control system. See Section 7.6.1.7.2.

RPS Case 2. Eight differential pressure transmitters, four for each recirculation pump, provide recirculation suction flow input to the four APRMs

in the neutron monitoring system (NMS). These transmitters (B31-N014 A through D and B31-N024 A through D) provide input to the APRM channels, biasing the trip setpoints according to the drive flow rate. Diversity for the APRM (NMS) fixed flux scram trips is provided by high reactor pressure sensed by four pressure transmitters.

NSSSS Sixteen differential pressure transmitters, four in each main steam line, would identify a line break by sensing high flow. As for RPS, it is permissible for the A and B sensor and the C and D sensors to share instrument lines because of the one out of two twice, fail safe logic arrangement. Redundancy and diversity for the isolation trip function of these transmitters (B21-N086 A through D, B21-N087 A through D, B21-N088 A through D, and B21-N089 A through D) is provided by four temperature sensors for each steam line that would sense high temperature in the main steam tunnel and by four pressure sensors that would

sense low pressure at the input to the main stop valve.

For the remaining NSSS sensors, ESF and RPS systems are designed such that no two protective channels of the same system in separate divisions have sensors that share a common instrument line or tap. Therefore, no single failure of an instrument line or tap can cause a loss of required protection system redundancy for any NSSS, ESF, or RPS System.

7.2-29 HCGS-UFSAR Revision 23 November 12, 2018

7.2.1.4 Final System Drawings The instrument engineering diagrams (IEDs) have been provided for the RPS on Vendor Technical Document PN1-C71-1010-0001. RPS electrical schematics and instrument location drawings are listed in Table 1.7-3. Functional and architectural design differences between the Preliminary Safety Analysis Report (PSAR) and Final Safety Analysis Report (FSAR) are listed in Table 1.3-8. 7.2.2 Analysis The Reactor Protection (trip) System (RPS) is designed such that loss of plant instrument air, a plant load rejection, or a turbine trip will not prevent the completion of any required safety function. 7.2.2.1 Implementation of 10CFR50, Appendix A - General Design Criteria The following is a discussion of implementation of those General Design Criteria (GDC) that apply specifically to the RPS. 7.2.2.1.1 General Design Criterion 1, 2, 3, 4, and 5 For discussion of GDC 1, 2, 3, 4, and 5, see Section 7.1.2.2. 7.2.2.1.2 GDC 10, Reactor Design The RPS is designed to monitor certain reactor parameters, sense abnormalities, and, when trip points are exceeded, to scram the reactor to prevent fuel design limits from being exceeded. Scram trip setpoints are selected based on operating experience and the 7.2-30 HCGS-UFSAR Revision 20 May 9, 2014 safety design basis. There is no case in which the scram trip setpoints allow the core to exceed thermal or hydraulic safety limits. The RPS is designed to ensure that specified fuel design limits are not exceeded during conditions of normal or abnormal operation. 7.2.2.1.3 GDC 12, Suppression of Reactor Power Oscillations The system design provides protection from excessive fuel cladding temperatures and protects the reactor coolant pressure boundary (RCPB) from excessive pressures that threaten the integrity of the system. Abnormalities are sensed, and, if RPS limits are reached, corrective action is initiated through the automatic scram. 7.2.2.1.4 GDC 13, Instrumentation and Control For discussion on GDC 13, see Section 7.1.2.2. 7.2.2.1.5 GDC 15, Reactor Coolant System Design For discussion on GDC 15, see Section 7.1.2.2. 7.2.2.1.6 GDC 19, Control Room Control and instrumentation are provided in the main control room. The reactor can also be shut down in an orderly manner from outside the main control room as described in Section 7.4.1.4. 7.2.2.1.7 GDC 20, Protection System Functions The RPS monitors the appropriate plant variables to maintain the integrity of the fuel barrier and RCPB and initiates a reactor scram automatically when the variables exceed predetermined limits. 7.2-31 HCGS-UFSAR Revision 0 April 11, 1988 7.2.2.1.8 GDC 21, Protection System Reliability The RPS is designed with two groups of redundant sensor channels and four independent and separated output trip logic channels. No single failure can prevent a reactor scram, and removal from service of any component or channel will not result in loss of required minimum redundancy. 7.2.2.1.9 GDC 22, Protection System Independence The redundant portions of the RPS are separated such that no single failure or credible natural disaster can prevent a reactor scram. The turbine related reactor scram inputs originate from the non-Seismic Category I Turbine Building. The RPS is a fail safe design, and proper separation of turbine related reactor scram signals provide sufficient reliability. Reactor pressure and reactor power are diverse to the turbine related reactor scram variables. In addition, drywell pressure and reactor vessel water level are diverse variables. 7.2.2.1.10 GDC 23, Protection System Failure Modes The RPS is designed (including logic and actuated devices) to be fail-safe. A loss of electrical power or air supply will not prevent a reactor scram. Postulated adverse environments will not prevent a reactor scram. 7.2.2.1.11 GDC 24, Separation of Protection and Control Systems The RPS has no direct interaction with any plant control system. However, the RPS does receive inputs from the reactor mode switch and the Neutron Monitoring System (NMS), which also provide inputs to plant control systems through isolation devices. 7.2-32 HCGS-UFSAR Revision 0 April 11, 1988 7.2.2.1.12 GDC 25, Protection System Requirements for Reactivity The RPS provides protection against the onset and consequences of conditions that threaten the integrity of the fuel cladding and the RCPB. Any monitored variable that exceeds the reactor scram setpoint will initiate an automatic reactor scram and not impair the remaining variables from being monitored, and

if one channel fails, the remaining portions of the RPS will function.

7.2.2.1.13 GDC 29, Protection Against Anticipated Operational Occurrences

The RPS is highly reliable and will provide a reactor scram in the event of

anticipated operational occurrences.

7.2.2.2 Conformance to IEEE Standards

7.2.2.2.1 IEEE 279-1971 - Criteria for Protection Systems for Nuclear Power Generating Stations The Neutron Monitoring APRM and OPRM sub-systems meet the requirements of IEEE 603-1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations. See Vendor Technical Document 432598 Vol. 16 for compliance review.

1. General Functional Requirement, Paragraph 4.1 - The RPS automatically initiates the appropriate protective actions, whenever the conditions described in Section 7.2.1.1 reach predetermined limits, with precision and reliability assuming the full range of conditions and performance discussed in Section 7.2.1.2.
2. Single Failure Criterion, Paragraph 4.2 - Each of the conditions (variables) described in Section 7.2.1.1 is monitored by redundant sensors supplying input signals to redundant trip logics. Independence of redundant RPS equipment, cables, instrument tubing, etc, is maintained and single failure criteria is preserved through the application of the separation criteria as described in Section 8.1.4.14 to ensure that no single credible event can prevent the RPS from accomplishing its safety function.

7.2-33 HCGS-UFSAR Revision 23 November 12, 2018

3. Quality of Components and Modules, Paragraph 4.3 - For a discussion of the quality of RPS components and modules, refer to Section 3.2. 4. Equipment Qualification, Paragraph 4.4 - All safety-related equipment as defined in Tables 3.10-1 and 3.10-2 is designed to meet its performance requirements under the postulated range of operational and environmental constraints. Detailed discussion of qualification is contained in Sections 3.10 and 3.11. 5. Channel Integrity, Paragraph 4.5 - For a discussion of RPS channel integrity under all extremes of conditions described in Section 7.2.1.3, refer to Sections 3.10 and 3.11. 6. Channel Independence, Paragraph 4.6 - RPS channel independence is maintained through the application of the separation criteria as described in Section 8.1.4.14. 7. Control and Protection System Interaction, Paragraph 4.7 - See Section 7.2.2.1, Compliance to GDC-24. 8. Derivation of System Inputs, Paragraph 4.8 - The RPS trip variables are direct measures of reactor overpressure, or reactor overpower, except when, due to the normal throttling action of the turbine governor valves with changes in the plant power level, measurement of control valve position is not an appropriate variable from which to infer the desired variable, which is "rapid loss of the reactor heat sink." Consequently, a measurement of a control valve fast closure trip is used, as the trip signal (indicative of load reject). 7.2-34 HCGS-UFSAR Revision 12 May 3, 2002
9. Capability for Sensor Checks, Paragraph 4.9 - Refer to Regulatory Guide 1.22 in Section 7.2.2.3. 10. Capability for Test and Calibration, Paragraph 4.10 - Refer to Regulatory Guide 1.22 in Section 7.2.2.3. 11. Channel Bypass or Removal from Operation, Paragraph 4.11 - The following RPS trip variables have no provision for sensor removal from service because of the use of valve position limit switches as the channel sensor: a. MSIV closure trip b. Main stop valve closure trip. During periodic testing of any one trip channel, a sensor may be valved out of service and returned to service under administrative control procedures. Since only one sensor is valved out of service at any given time during the test interval, protective action capability for RPS automatic initiation is maintained through the remaining redundant instrument channels. A sufficient number of intermediate range monitor (IRM) channels have been provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE 279 single failure design requirements. One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be bypassed at any time. To accommodate a single failure of this bypass switch, electrical interlocks have also been incorporated into the bypass logic to prevent bypassing of more than one IRM in that 7.2-35 HCGS-UFSAR Revision 0 April 11, 1988 trip system at any time. Consequently, with any IRM bypassed in a given trip system, three IRM channels remain in operation to satisfy the RPS requirements.

A single manual APRM bypass switch is provided for all four APRM channels. This is a mechanical/optical switch that allows only one APRM channel to be bypassed at any time. This interlock is accomplished independently in each of the APRM/OPRM 2

-out-of-4 Voter channels. With any one APRM channel bypassed, the three remaining operating channels provide the necessary protection of the reactor.

Bypassing an APRM channel bypasses both the APRM and OPRM trips from that channel. None of the APRM/OPRM 2-out-of-4 Voter channels can be bypassed.

The mode switch produces operating bypasses, which need not be annunciated because they are removed by normal reactor operating sequence.

12. Operating Bypasses, Paragraph 4.12 - For a discussion of RPS operating bypasses, refer to Section 7.2.1.1.
13. Indication of Bypasses, Paragraph 4.13 - Indication has been provided in the main control room to show when any part of the RPS has been

bypassed or deliberately rendered inoperable.

For a discussion of bypass and inoperability indication, refer to Section 7.5.1.3.

14. Access to Means for Bypassing, Paragraph 4.14 - Access to means for bypassing any safety action or function for the RPS is under administrative control.

Control switches that allow safety system bypasses are keylocked. All keylock emergency switches in the main control room are designed such that their key can only be removed when the switch is in the "normal" position. All

7.2-36 HCGS-UFSAR Revision 23 November 12, 2018

keys will normally be removed from their respective switches during operation and maintained under administrative control. If a key is required, it will be obtained from the Shift Manager/control room supervisor via approved key control procedures.

15. Multiple Setpoints, Paragraph 4.15 - The reactor mode switch implements more restrictive reactor trip setpoints when it is shifted from "run" to "startup". As the mode switch is moved to "startup":
a. The average power range monitor (APRM) Neutron Flux - U pscale scram trip is replaced by the more restrictive APRM setdown

reactor trip set at 17 percent reactor power.

b. The intermediate range monitor (IRM) range switch dependent reactor trips are enabled.

In addition to the mode switch dependent multiple setpoints, the flow channels that supply control and reference signals for the APRM

simulated thermal power scram continually vary the reactor trip setpoint as flow changes. A sensed reduction in flow results in more

restrictive scram trip setpoints.

The devices used to prevent improper use of the less restrictive setpoints, i.e., the mode switch, IRM range switches, the IRM and APRM signal conditioning equipment, and the flow channels, are designed in accordance with criteria regarding the performance and

reliability of the RPS.

16. Completion of Protective Action Once It Is Initiated, Paragraph 4.16 -Once the RPS trip logic has been deenergized as a result of a sensor trip channel becoming tripped, or the depressing of a manual scram

pushbutton,

7.2-37 HCGS-UFSAR Revision 23 November 12, 2018

the scram contactor seal-in contact opens and completion of protective action is achieved without regard to the state of the initiating sensor trip channel. After initial conditions, i.e., variable trip and logic deenergization, return to normal, deliberate operator action is required to return (reset) the RPS logic to normal (energized). 17. Manual Initiation, Paragraph 4.17 - Refer to the discussion of the Regulatory Guide 1.62 in Section 7.2.2.3. 18. Access to Setpoint Adjustments, Calibration, and Test Points, Paragraph 4.18 - During reactor operation, access to setpoint or calibration controls is not possible for the following RPS trip variables: a. Scram discharge volume high water level trip, except for the redundant level transmitter trip b. MSIV closure trip c. Main stop valve closure trip. Access to setpoint adjustments, calibration controls, and test points for all other RPS trip variables are under the administrative control of the control room operator. 19. Identification of Protective Actions, Paragraph 4.19 - When any one of the redundant RPS trip sensors exceeds its setpoint value, a main control room annunciator is actuated to identify that variable and a digital alarm log is available from the process computer. 7.2-38 HCGS-UFSAR Revision 19 November 5, 2012

20. Information Readout, Paragraph 4.20 - The RPS is designed to provide the control room operator with accurate and timely information pertinent to its status. It does not give anomalous indications confusing to the control room operator. 21. System Repair, Paragraph 4.21 - During periodic testing of the RPS sensor channels (except as noted below) the control room operator can determine defective components and replace them during plant operation. During reactor operation, the control room operator is able to determine failed sensors for the following RPS trip variables, but subsequent repair can only be accomplished during reactor shutdown: a. MSIV closure trip b. Main stop valve closure trip c. NMS (APRM) trip d. NMS (IRM) trip Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the NMS may be accomplished during plant operation after appropriate bypassing of the defective instrument channel. The design of the systems facilitates rapid diagnosis and repair. 22. Identification of Protection Systems, Paragraph 4.22 - The identification scheme for the RPS is discussed in Section 8.1.4.14. 7.2-39 HCGS-UFSAR Revision 0 April 11, 1988 7.2.2.2.2 IEEE 308-1971 - Class 1E Power Systems for Nuclear Power Generating Stations See Section 8.3. 7.2.2.2.3 IEEE 323-1971 - Qualifying Class 1E Equipment for Nuclear Power Generating Stations See Section 7.1.2.3 for an assessment. 7.2.2.2.4 IEEE 338-1971 - Periodic Testing of Nuclear Power Generating Stations Periodic testing of RPSs is accomplished by testing from sensors to final actuators. This testing can be performed at any time during plant operation in overlapping portions. See Section 16, Technical Specifications, for further details. 7.2.2.2.5 IEEE 344-1971 - Seismic Qualification of Class 1E Equipment Seismic qualification of Class 1E electric equipment requirements is satisfied by all RPS equipment as described in Section 7.1.2.3. 7.2.2.2.6 IEEE 379-1972 - Application of Single Failure Criterion to Nuclear Power Generating Stations The RPS satisfies the requirement of this criterion by consideration of the different types of failure and the elimination of all potential violations of the single failure criterion from the system design. 7.2.2.2.7 IEEE 384-1974 - Independence of Class 1E Equipment and Circuits See Section 7.1.2.3 for an assessment. 7.2-40 HCGS-UFSAR Revision 0 April 11, 1988 7.2.2.3 Conformance to NRC Regulatory Guides The following is a discussion of conformance to those Regulatory Guides that apply specifically to the RPS. 7.2.2.3.1 Regulatory Guide 1.11 - Instrument Lines Penetrating Primary Reactor Containment See Section 7.1.2.4 for an assessment. 7.2.2.3.2 Regulatory Guide 1.22 - Periodic Testing of Protection System Actuation Function The system is designed so that it can be tested during plant operation from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing. 7.2.2.3.3 Regulatory Guide 1.29 - Seismic Design Classification See Section 7.1.2.4 for conformance. 7.2.2.3.4 Regulatory Guide 1.30 - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment See Section 7.1.2.4 for an assessment. 7.2.2.3.5 Regulatory Guide 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems See Section 7.1.2.4 for conformance. 7.2.2.3.6 Regulatory Guide 1.53 - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems 7.2-41 HCGS-UFSAR Revision 0 April 11, 1988 See IEEE 279-1971, Paragraph 4.2, in Section 7.2.2.2 for conformance. 7.2.2.3.7 Regulatory Guide 1.62 - Manual Initiation of Protective Actions Conformance Means are provided for manual initiation of the RPS at the system level through the use of four armed pushbutton switches located on the main control room operator's console. Operation of two switches (one in each trip system) accomplishes the initiation of all actions performed by the automatic initiation circuitry. Placing the reactor mode switch in the "shutdown" position will also cause a system level initiation. 7.2.2.3.8 Regulatory Guide 1.68 - Initial Test Programs for Water Cooled Nuclear Power Plants See Section 14.2 for an assessment. 7.2.2.3.9 Regulatory Guide 1.75 - Physical Independence of Electric Systems See Section 8.1.4.14 for conformance. 7.2.2.3.10 Regulatory Guide 1.89 - Qualification of Class 1E Equipment for Nuclear Power Plants See Section 7.1.2.4 for an assessment. 7.2.2.3.11 Regulatory Guide 1.100 - Seismic Qualification of Electric Equipment for Nuclear Power Plants See Section 7.1.2.4 for an assessment. 7.2-42 HCGS-UFSAR Revision 0 April 11, 1988 7.2.2.3.12 Regulatory Guide 1.105 - Instrument Setpoints See Section 7.1.2.4 for an assessment. 7.2.2.3.13 Regulatory Guide 1.118 - Periodic Testing of Electric Power and Protection Systems See Section 7.1.2.4 for an assessment. 7.2-43 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • TABLE 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION RANGES{l) Function Reactor vessel high pressure Drywell high pressure Reactor vessel low water level (level 3) Scram discharge volume high water level Main stop valve closure Turbine control valve fast closure Main steam isolation valve closure Neutron Monitoring System HCGS-UFSAR Instrument Pressure transmitter Pressure transmitter Level transmitter Level switch Level transmitter Position limit switch Pressure switch Position limit switch See Section 7.6.1.4 1 of 2 Instrument Range 0 to 1500 psig 0 to 10 psig 0 to 60.. H 0 2 NA 0 to 100 in.w.g. Fully open to fully closed 250 to 3000 psi Fully open to fully closed Revision 7 December 29, 1995
  • *
  • Function Bypass Main stop valve and turbine control valve fast closure trip bypass Main steam isolation valve closure scram bypass TABLE 7.2-1 (Cont) Instrument Instrument Range Pressure transmitter 0 to 696.8 psig Mode switch NA (1) See the HCGS Technical Specifications, for instrument setpoints and allowable values. The range for safety-related instrumentation is selected to exceed the expected range of the process variable being monitored . 2 of 2 HCGS-UFSAR Revision 0 April 11, 1988 TABLE 7.2-2 CHANNELS USED FOR FUNCTIONAL PERFORMANCE OF RPS This table shows the normal number of channels used for the functional

performance of the RPS with the mode switch in the "run" position.

Channel Description Normal Neutron Monitoring System (APRM) 4 Neutron Monitoring System (IRM)

(1) 8 Neutron Monitoring System (OPRM) 4 Reactor vessel high pressure 4 Containment (drywell) high pressure 4 Reactor vessel low water level 4 (trip level 3)

Scram discharge volume high 4 water level

Manual scram 4 Main steam isolation valve position 2/valve Main stop valve position 2/valve Turbine control valve fast closure 4 Turbine first stage pressure 4 (bypass)

_________________________

(1) In all modes except run.

1 of 1 HCGS-UFSAR Revision 23 November 12, 2018

Table 7.2-3 REACTOR PROTECTION SYSTEM RESPONSE TIMES Response Time Functional Unit (Seconds)

1. Intermediate Range Monitors:
a. Neutron Flux - High NA b. Inoperative NA
2. Average Power Range Monitor (1):
a. Neutron Flux High (Setdown) NA b. Simulated Thermal Power High 0.09 (2)(5)
c. Neutron Flux High 0.09 (5) d. Inoperative NA e. 2-Out-Of-4 Voter 0.05(6) f. OPRM Upscale 0.40(7) 3. Reactor Vessel Steam Dome Pressure - High 0.55 (3) 4. Reactor Vessel Water Level - Low, Level 3 1.05 (3)
5. Main Steam Line Isolation Valve - Closure 0.06 6. This item intentionally blank
7. Drywell Pressure - High NA
8. Scram Discharge Volume Water Level - High NA a. Float Switch NA b. Level Transmitter/Trip Unit NA 9. Turbine Stop Valve - Closure 0.06 10. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low 0.08 (4) 11. Reactor Mode Switch Shutdown Position NA
12. Manual Scram NA Notes:

(1) Neutron detectors are exempt from response time testing. Response time shall be measured from the detector output or from the input of the first

electronic component in the channel.

(2) Not including simulated thermal power time constant, 6 +/- 0.6 seconds.

(3) Sensor is eliminated from response time testing for RPS circuits. Response time testing and conformance to the administrative limits for the remaining channel including trip unit and relay logic are required.

(4) Measured from start of turbine control valve fast closure.

(5) 0.09 second response tome includes 0.04 seconds for response time of PRNM system + 0.05 seconds for RPS logic.

(6) 2-Out-Of-4 Voter response time is measured from the input to the final relay. (7) OPRM Upscale response time includes the response time of the PRNM system up until the final PRNM relay output.

1 of 1 HCGS-UFSAR Revision 23 November 12, 2018

Figure F7.2-1 SH 1-5 intentionally deleted. Refer to Vendor Technical Document PN1-C71-1010-0001 for all sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014

  • * ,RESSURE TRANIMinER o* -o ( ) . , ,. 15 MASTER TAtlt UNIT 2
  • t 10 ,, PRESSURE TRANSMITTER ( * -< ....---n:== ... ) , ,. 15 MASTER TRIP UNIT I t 10 11 rcr-cpt,,., ,RESIURE TRANSMITTER o* -c
  • 0 , c) * *-------* , ,. 15 MASTER TRIP' UNIT SLAVE TftiP UNIT I I 10 11 12 4 4 12 I t 10 1 1 rc-), II DRYWELL PREDURE TRIP LEVEL 1 TR" LEVEL 2 TRIP K3 *IN CALiaftATION, OR GROSS FAILURE RELAY LEVEL 1 TRIP K4 *CARD OUT OF III'ILE,OA POWIA FAILURE RELAY PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK GENERATING STATION TRIP UNIT CALIBRATION SYSTEM UPDATED FSAR REVISION 1, APRfl11, 1989 FIGURE 7.2-2

7.3 ENGINEERED

SAFETY FEATURE SYSTEMS This section describes and analyzes the instrumentation and controls used to initiate and control the operation of the Engineered Safety Feature (ESF) Systems and Essential Auxiliary Supporting (EAS) Systems. The I&Cs include both automatic and manual initiation and control of the ESF and EAS systems. The controls regulate the operation of ESF systems following their initiation. 7.3.1 Description Nuclear Steam Supply System (NSSS) ESF systems include the following: 1. Emergency Core Cooling Systems (ECCS) 2. Primary Containment and Reactor Vessel Isolation Control Systems (PCRVICS) 3. Residual heat removal (RHR)/containment spray cooling mode (CSCM) 4. RHR/suppression pool cooling mode (SPCM) Non-NSSS ESF systems include the following: 1. Primary Containment Isolation System (PCIS) 2. Containment Atmosphere Control System (CACS) 3. Main Control Room Habitability and Isolation System (MCRHIS) 4. Not Used 5. Filtration, Recirculation, and Ventilation System (FRVS) 7.3-1 HCGS-UFSAR Revision 12 May 3, 2002

6. Reactor Building Ventilation Isolation System (RBVIS) 7. EAS systems a. Station Service Water System (SSWS) b. Safety Auxiliaries Cooling System (SACS) c. Class 1E power systems d. Primary Containment Instrument Gas System (PCIGS) e. Control Area Chilled Water Systems (CACWS) f. ESF Equipment Area Cooling Systems (EACS). The buses that supply power to the ESF systems originate from onsite ac and/or safety-related dc sources or, in the case of the PCRVICS fail safe logic, from the nonsafety-related RPS interruptible power supply. By letter dated December 4, 1985 (C. A. McNeill, Jr., PSE&G, to E. Adensam, NRC), PSE&G committed to perform tests to verify that the safety equipment remains in the emergency mode when the ESF logics are reset. Refer to Section 8 for a complete discussion of the ESF systems power sources. 7.3.1.1 System Description 7.3.1.1.1 Emergency Core Cooling Systems The ECCS is a network of the following subsystems: 1. High pressure coolant injection (HPCI) 7.3-2 HCGS-UFSAR Revision 0 April 11, 1988
2. Automatic Depressurization System (ADS) 3. Core Spray System 4. Low pressure coolant injection (LPCI) mode of the RHR system. The purpose of the ECCS network is to protect the reactor core against fuel cladding damage in the unlikely event of a loss-of-coolant accident (LOCA). Protection is provided for any primary steam line break up to and including the double ended break of the largest line. See also Sections 6.3.1 and 6.3.2. The ECCS instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response. Included in this section is a discussion of protective considerations that are taken between the reactor coolant system (RCS) at high pressure and the low pressure ECCS. The high pressure/low pressure interlocks are examined in Section 7.6.1.2. The following plant variables are monitored and provide automatic initiation of the ECCS when these variables exceed predetermined limits: 1. Reactor vessel water level - A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary (RCPB) and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Refer to Plant Drawing M-42-1, Nuclear Boiler Vessel Instrumentation P&ID, for a schematic arrangement of reactor vessel instrumentation. 7.3-3 HCGS-UFSAR Revision 20 May 9, 2014
2. Drywell pressure - High pressure in the drywell could indicate a breach of the RCPB inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes. 7.3.1.1.1.1 High Pressure Coolant Injection System 1. HPCI function - The HPCI system supplies makeup water to the reactor core in the event of a LOCA or reactor isolation and failure of the RCIC system. The HPCI system is capable of starting and delivering cooling water at rated flow into the reactor vessel within 35 seconds following receipt of the initiation signal. 2. HPCI operation - Schematic arrangements of system mechanical equipment are shown on Figure 6.3-1, HPCI P&ID. HPCI system control logic is shown on Figures 7.3-1, HPCI Functional Control Diagram (FCD), and 7.3-2, HPCI Logic Diagram. Instrument specifications are listed in Tables 7.3-1 and Section 16, Technical Specifications. Instrument location drawings and electrical schematics are identified in Section 1.7. Operator information displays are shown on Figures 6.3-1, HPCI P&ID, and 7.3-1, HPCI FCD. When actuated, the HPCI system pumps water from either the condensate storage tank (CST) or the suppression pool to the reactor vessel via the feedwater system and core spray system. The HPCI system includes the turbine driven pump, dc motor driven auxiliary oil pump, gland seal condenser dc condensate pump, gland seal condenser dc vacuum pump, automatic valves, control devices for this equipment, sensors, trip channels, and logic circuitry. 7.3-4 HCGS-UFSAR Revision 9 June 13, 1998 The HPCI is initiated automatically by either reactor vessel low water level (L2) and/or drywell high pressure, as shown on Figure 5.1-4, Nuclear Boiler Vessel Instrumentation P&ID. Reactor vessel water level (L2) is monitored by four redundant level transmitters. Each transmitter provides an input to a trip unit. The associated trip unit relay contacts are arranged in a one out of two twice logic arrangement to ensure that no single failure can cause or prevent the initiation of the HPCI system. Initiation diversity is provided by drywell high pressure, which is monitored by four redundant pressure transmitters. The associated trip unit relay contacts are electrically connected in a one-out-of-two twice logic arrangement to ensure that no single instrument failure can cause or prevent the initiation of the HPCI system. Upon receipt of an initiation signal, reactor steam is automatically admitted to the HPCI turbine by opening the HPCI turbine steam supply valve. The HPCI pump discharge injection valves are signaled to open, initiating makeup water flow to the reactor vessel. The HPCI pump discharge flow and pressure are monitored by a flow transmitter, a pressure transmitter, and associated trip units. If pump discharge pressure is normal but discharge flow is low enough that pump overheating may occur, the minimum flow return line valve is signaled to open. The valve is automatically closed if flow is normal. If the water level in the CST falls below a predetermined level, the suppression pool suction valve automatically opens. When the suppression pool suction valve is fully open, the CST suction valve automatically closes. Two 7.3-5 HCGS-UFSAR Revision 10 September 30, 1999 level transmitters are used to detect low water level in the CST. Either transmitter can automatically cause suction transfer. The suppression pool suction valve also automatically opens if high water level is detected in the suppression pool. Two level transmitters monitor suppression pool water level, and either transmitter can initiate opening of the suppression pool suction valve. To prevent losing suction to the pump, the two suction valves are interlocked so that one suction path must be open before the other closes. See Plant Drawing J-55-0, Sheet 4 for valve operation logic. The HPCI provides makeup water to the reactor until the vessel water level reaches the high level trip (L8), at which time the HPCI turbine stop valve is tripped and the injection valves are automatically closed. If vessel level again drops to the low level (L2) initiation point, as shown on Plant Drawing M-42-1, Nuclear Boiler Vessel Instrumentation P&ID, the HPCI turbine stop valve automatically resets and reopens, and the injection valves reopen to initiate HPCI flow into the reactor vessel. To allow testing of the HPCI system at low reactor pressures, the level 8 trip can be bypassed with a keylocked switch. This switch is located in the lower control equipment room on the HPCI relay panel. Continuous indication of this bypass is provided in the main control room. The HPCI turbine is functionally controlled, as shown on Vendor Technical Document PN1-E41-1030-0064, HPCI FCD. The turbine governor limits the turbine speed and adjusts the turbine steam control valve so that design pump discharge flow rate is obtained. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the HPCI system pump discharge line. 7.3-6 HCGS-UFSAR Revision 20 May 9, 2014 Manual positioning of the flow controller is available to permit the control room operator to manually control the system following initiation. The turbine is automatically shut down by closing the turbine trip and throttle valve if any of the following conditions are detected: a. Turbine overspeed b. High turbine exhaust pressure c. High water level in the reactor vessel (L8) d. Low pump suction pressure e. Auto-isolation signal. In the event that the main control room becomes uninhabitable, reactor vessel water level would normally be maintained by operation of the RCIC system from the remote shutdown panel (RSP). Should RCIC operation be disrupted due to some failure at the RSP, the HPCI system would still function to maintain reactor vessel water level by automatically cycling on and off at L2 and L8 respectively (see Section 7.4.1.4). 3. HPCI testability - The HPCI instrumentation and control system is capable of being tested during normal unit operation to verify the operability of each system component. Testing of the initiation transmitters, which are located outside the drywell, is accomplished by isolating each transmitter, one at a time, and applying a test pressure or differential pressure source. This verifies the operability of the transmitters. Trip units 7.3-7 HCGS-UFSAR Revision 0 April 11, 1988 located in the control equipment room are calibrated individually by a calibration source with verification of setpoint by a digital readout located on the calibration module. Adequate control room indications are provided. Testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single trip unit tests. Availability of other control equipment is verified during manual testing of the system with the HPCI pump discharge returning to the CST. Water is not injected into the reactor vessel by the HPCI system during periodic testing when the plant is at power. With the following exceptions, test controls are arranged so that the system can automatically fulfill its safety functions. a. Flow controller in manual mode b. Operator initiated closure of either or both inboard/outboard isolation valves (an alarm sounds when the valves are in any position other than fully open) c. Test plug inserted and test switch in position to interlock discharge valves (out of service annunciator alarms in the main control room to indicate HPCI in test mode). 7.3.1.1.1.2 Automatic Depressurization System 1. ADS function - The ADS is designed to provide automatic depressurization of the reactor vessel by actuating five main steam safety/relief valves (SRVs). These valves vent steam to the suppression pool in the event that the HPCI 7.3-8 HCGS-UFSAR Revision 0 April 11, 1988 cannot maintain the reactor water level following a LOCA. The ADS reduces the reactor pressure so that flow from the low pressure ECCS (LPCI and core spray systems) can inject into the reactor vessel in time to cool the core and maintain fuel cladding temperature within allowable limits. 2. ADS operation - Schematic arrangements of system mechanical equipment is shown on Plant Drawing M041-1, Nuclear Boiler P&ID. ADS control logic is shown on Vendor Technical Document PN1-B21-1030-0021, Nuclear Boiler System FCD, and Plant Drawing J-41-0, Nuclear Boiler Logic Diagram. Instrumentation specifications are listed in Table 7.3-2 and Section 16. Instrument location drawings and electrical schematics are identified in Section 1.7. Operator information displays are shown on Plant Drawing M-41-1, Nuclear Boiler P&ID, and Vendor Technical Document PN1-B21-1030-0021, Nuclear Boiler System FCD. To prevent inadvertent actuation of the ADS, two channels of logic for each ADS trip system (B and D) are used. Both channels must function to actuate an ADS trip system. Refer to Vendor Technical Document PN1-B21-1030-0021 for a schematic representation of the ADS initiation logic. Each channel contains a single input from a drywell high pressure sensor. In addition, one channel includes two differential pressure sensor inputs monitoring reactor vessel low water level (L3 and L1). The second low water level trip (L3) provides confirmation of a reactor vessel low water level condition. The other channel, in addition to drywell high pressure, includes a single reactor vessel low water level (L1) input. Two initiation signals and one permissive signal are used for the ADS. These signals are reactor vessel low water level, high drywell pressure, and RHR and/or core spray pumps running. If all these signals are present, the ADS safety/relief valves will open after the ADS timer runs 7.3-9 HCGS-UFSAR Revision 20 May 9, 2014 out; but if the high drywell pressure signal is not present, the ADS safety/relief valves will open after the high drywell pressure bypass timer and the ADS timer run out. In the automatic initiation logic, each logic channel includes a pump discharge pressure permissive signal indicating LPCI and/or Core Spray System availability for providing reactor vessel makeup water. The automatic ADS logic trip system B requires the following ECCS pump running configurations to function: RHR pump B or D or core spray pump B, and RHR pump B or D or core spray pump D. The automatic ADS logic trip system D requires the following ECCS pump running configurations to function: RHR pump A or C or core spray pump A, and RHR pump A or C or core spray pump C. The automatic depressurization system (ADS), including the sensors and logic circuitry, is in Channel B and Channel D. Channels A and C are not used for ADS. The ADS logic provides the pump-available permissive signals to the initiation logic. The sensors for the B and D core spray pumps and the B and D RHR pumps provide input to the ADS trip system B using only Channel B. Sensors for the A and C core spray pumps and the A and C RHR pumps provide input to the ADS trip system D, using only Channel D. There are no cross connections between any channels in this permissive logic circuitry; hence there is conformance to separation requirements. The ADS elementary diagram (791E403AC) provides details of the design. 7.3-10 HCGS-UFSAR Revision 0 April 11, 1988 After receipt of the initiation signals and after a delay provided by time delay relays, each of the two solenoid pilot air valves for all ADS valves are energized. This allows pneumatic pressure from each ADS valve accumulator to act on the air cylinder operator of its respective ADS valve. Each ADS trip system timer can be reset manually to delay system initiation. If reactor vessel water level is restored by the HPCI system prior to the end of the time delay, ADS initiation will be prevented. A manual inhibit switch is provided in each division of the ADS initiation logic. By placing this switch in the inhibit position, the operator will inhibit automatic depressurization. This will be indicated by a white status light and an annunciator window in the main control room. If the ADS has already begun and the initiation signal is sealed in, the inhibit switch will not break the seal-in, and the operation of the ADS will not be terminated. The ADS trip system B actuates the A solenoid pilot valve on each ADS valve. Similarly, the ADS trip system D actuates the B solenoid pilot valve on each ADS valve. Actuation of either solenoid pilot valve causes the ADS valve to open to provide depressurization. Manual initiation of the ADS trip systems or individual ADS valves is possible from the main control room. To manually initiate an ADS trip system, the control room operator must actuate two armed pushbutton switches, one for each of the logic channels associated with that trip system. Manual initiation bypasses the ADS trip system time delay and all the trip logic. The control room operator can manually open an individual ADS valve by depressing one of the two pushbutton switches (one for each pilot solenoid) that will bypass the trip logic and energize the associated pilot solenoid allowing air to 7.3-11 HCGS-UFSAR Revision 0 April 11, 1988 open the valve. In addition, controlled access (key lock) hand switches provide local manual control for certain ADS valves. 3. ADS testability - The ADS has two complete trip systems, one in trip system B and one in trip system D. Each trip system has two channels, both of which must operate to initiate ADS. One channel contains two time delay relays, one to delay ADS and give the HPCI system an opportunity to restore reactor vessel level and the second to bypass the high drywell pressure trip. Four test jacks are provided, one for each channel. To prevent spurious actuation of ADS during testing, only one channel will be tested at a time. An annunciator is provided in the main control room to indicate that a test plug is inserted in both channels of a trip system at the same time. Operation of the test plug switch and the permissive contacts will close one of the two series relay contacts in the ADS valve solenoid circuit. This will cause a panel light to extinguish indicating proper channel operation and also continuity of the solenoid electrical circuit. Testing of the other channel is similar. Annunciation is provided in the main control room whenever a test plug is inserted into a test jack to indicate to the operator that the ADS is in a test status. Testing of the ADS does not interfere with automatic operation if required by an initiation signal. 7.3.1.1.1.3 Core Spray System 1. Function - The Core Spray System is designed to deliver sufficient water spray to the reactor core in the event of a LOCA. The system includes two spray loops, each physically and electrically separated so that no single event will render both loops inoperable. Each loop includes two core spray pumps, appropriate valves, the 7.3-12 HCGS-UFSAR Revision 0 April 11, 1988 piping to route water from the suppression pool to the reactor vessel, a spray sparger, and the necessary controls and instrumentation to start, operate, and test the system. 2. Operation - The schematic arrangement of system mechanical equipment is shown on Plant Drawing M-52-1, Core Spray P&ID. Component control logic is shown on Vendor Technical Document PN1-E21-1030-0001, Core Spray FCD. Instrument specifications are shown in Table 7.3-3 and Section 16. Instrument location drawings and electrical schematics are identified in Section 1.7. Operator information displays are shown on Figure 6.3-6 and Vendor Technical Document PN1-E21-1030-0001. There are four completely separate core spray control circuits, one for each pump, C001A, B, C, and D. The control circuit for pump A also controls valves in loop A as required to direct pump discharge flow to the reactor vessel. In a similar manner, the controls for pump B also control loop B valves. The control circuits for pumps C and D control the pumps only. If offsite ac power is available, the core spray pumps in loop A (pumps C001A and C001C) and the core spray pumps in loop B (pumps C001B and C001D) start after a 10-second delay. If offsite ac power is not available, the core spray pumps in both spray loops start 6 seconds after the standby diesel generators (SDGs) become available for loading. The pump discharge lines are provided with minimum flow bypass valves to protect the core spray pumps from overheating when system operation is required, but reactor vessel pressure is still too high to allow the inboard and outboard injection valves to open. When flow in the discharge line is sensed below the open setpoint and the 7.3-13 HCGS-UFSAR Revision 20 May 9, 2014 pumps are running, the motor operated minimum flow bypass valve is signaled open to direct pump discharge flow back to the suppression pool. When the sensed discharge flow is greater than the close setpoint, the bypass valves are signaled closed to conserve pumping capacity. The close setpoint is at a higher flow than the open setpoint, to prevent excessive cycling of the minimum flow bypass valve. The Core Spray System pumps are initiated by two variables, reactor vessel low water level (L1) and drywell high pressure, arranged in a one out of two twice logic. Additionally, a reactor low pressure permissive is provided in one out of two twice logic before the injection valves are signaled open. Manual initiation is provided for the core spray system, which bypasses the initiation logic except that the reactor low pressure permissive must be present to open the injection valves. Once the core spray system is initiated, the signals are sealed in until manually reset. For the control scheme, see Vendor Technical Document PN1-E21-1030-0001, Core Spray FCD. Core spray control logic is shown in Plant Drawing J-52-0, Core Spray Logic Diagram. Reactor vessel low water level is monitored by eight level sensors, two for each core spray pump initiation logic circuit. Each level sensor provides an input to a trip unit located in the control equipment room. The eight level sensors are located in the Reactor Building outside of the primary containment for accessibility. Only the sensing lines penetrate the primary containment. Drywell pressure is monitored by eight sensors mounted on instrument racks in the Reactor Building outside of the primary containment. Four pressure sensing lines penetrate the primary containment to allow the sensors to 7.3-14 HCGS-UFSAR Revision 20 May 9, 2014 monitor drywell pressure. Each drywell high pressure sensor provides an input to a trip unit located in the control equipment room. Reactor pressure is monitored by eight pressure sensors mounted on racks in the Reactor Building. Two pressure sensing lines penetrate the primary containment to allow the sensors to monitor reactor vessel pressure. Each pressure sensor provides an input to a trip unit located in the control equipment room. 3. Core Spray System testability - The Core Spray System is capable of being tested during normal operation. Drywell pressure and low water level initiation transmitters are individually isolated and subjected to a test pressure. This verifies the operability of the transmitter as well as the calibration range. The trip units mounted in the control equipment room are calibrated individually by a calibration source with verification of setpoint by a digital readout located on the calibration module. Other control equipment is functionally tested during manual testing of each loop. Adequate indications in the form of panel indicating lights, annunciators, and printed computer output are provided in the main control room. 7.3.1.1.1.4 RHR - Low Pressure Coolant Injection Mode 1. LPCI function - LPCI is an operating mode of the RHR system. The purpose of the LPCI mode is to provide low pressure reactor vessel coolant makeup following a LOCA when the vessel has been depressurized and vessel water level can not be maintained by the HPCI system. 7.3-15 HCGS-UFSAR Revision 0 April 11, 1988
2. LPCI operation - Schematic arrangements of system mechanical equipment is shown on Plant Drawing M-51-1, RHR P&ID. LPCI component control logic is shown on Vendor Technical Document PN1-E11-1030-0020, RHR FCD, and Plant Drawing J-51-0, RHR Logic Diagram. Instrument specifications are listed in Table 7.3-4 and Section 16. Instrument location drawings and electrical schematics are identified in Section 1.7. Operator information displays are shown on Plant Drawing M-51-1, RHR P&ID, and Vendor Technical Document PN1-E11-1030-0020, RHR FCD. The LPCI system is initiated automatically by either reactor vessel low water level and/or drywell high pressure connected in an one out of two twice logic arrangement. The system is designed to operate automatically without any actions by the control room operator. Once initiated, the LPCI logic seals-in and can be reset by the control room operator when initiating conditions return to normal. Refer to Vendor Technical Document PN1-E11-1030-0020 for a representation of the LPCI A, B, C, and D initiation logic. The loop A components are controlled from channel A logic, loop B from channel B, loop C from channel C, and loop D from channel D. The LPCI system components respond to an automatic initiation signal simultaneously (or sequentially as noted). a. If normal auxiliary (offsite) power is available at the pump motor buses, the LPCI loop A and B pumps are signaled to start. After a preset time delay (5 seconds), LPCI loop C and D pumps are signaled to start. If offsite power is not available and the SDGs are supplying power to the pump motor buses, all four loops A, B, C, and D start simultaneously. 7.3-16 HCGS-UFSAR Revision 20 May 9, 2014
b. A pressure switch monitors the pressure downstream of each LPCI injection valve. When the pressure is low enough and power is available at the associated pump motor bus, the injection valve is signalled to open. c. The following normally closed valves are signaled closed to ensure proper system lineup: (1) The RHR heat exchanger flush to suppression pool valves (2) The test return line to the suppression pool valves (3) The suppression chamber spray valves d. The normally open heat exchanger bypass valves are signaled open. The open signal is automatically removed 3 minutes after system initiation to allow the operator to close the valve and initiate use of the heat exchanger. The flow in each LPCI pump discharge line is monitored by a differential pressure transmitter. Whenever the flow is less than a predetermined low flow setpoint and the LPCI pump is running, the minimum flow return line valve opens automatically after a 10-second time delay to bypass sufficient flow back to the suppression pool to prevent the LPCI pump from overheating. The minimum flow return line valve closes automatically after an initial 6-second time delay following a LPCI pump start, whenever the LPCI pump discharge line flow is greater than the low flow setpoint. The four valves on the RHR pump suctions from the suppression pool have their control switches keylocked in the "open" position, and thus require no automatic open signal for system initiation. 7.3-17 HCGS-UFSAR Revision 17 June 23, 2009 The two series service water crosstie valves have their control switches keylocked in the close position, and thus require no automatic close signal for system initiation. The two series containment spray valves, the two series RHR heat exchanger vent valves, and the RHR shutdown cooling mode suction valves are all normally closed and thus require no automatic close signal for system initiation. The LPCI pump motors and injection valves are provided with manual override controls. These controls permit the operator to manually control the system subsequent to automatic initiation. 3. LPCI testability - The LPCI is capable of being tested during normal operation. Drywell high pressure and reactor vessel low water level initiation transmitters are individually isolated and subjected to a test pressure. This verifies the operability of the transmitters as well as the calibration range. Trip units mounted in control equipment room panels are calibrated individually by introducing a calibration source and verifying the setpoint by a digital readout located on the calibration module. Other control equipment is functionally tested during manual testing of each loop. Adequate indications in the form of panel indicating lights and annunciators are provided in the main control room. 7.3.1.1.2 Primary Containment and Reactor Vessel Isolation Control Systems 1. PCRVICS function - PCRVICS provides the means to automatically isolate the primary containment and/or reactor vessel by closing the inboard and outboard isolation valves of the main steam lines and of the process lines of other systems. 7.3-18 HCGS-UFSAR Revision 8 September 25, 1996 Isolation of these systems reduces the possibility of uncovering the reactor core and limits the release to the environment of radioactive materials from other systems that may incur leaks or breaks. Leaks are detected by monitoring and sensing high temperatures, abnormal pressures, abnormal flow rates, low water levels, and high radiation levels. PCRVICS encompasses sensors, instrumentation, and trip logic from the Nuclear Steam Supply Shutoff System (NSSSS), nuclear boiler Leak Detection System (LDS), Process Radiation Monitoring System (PRMS), and all other systems that provide sensing or require isolation. See Section 6.2.4 for a complete description of primary containment and reactor vessel process lines and the isolation signals applied to each. 2. PCRVICS interface - PCRVICS incorporates the isolation functions of all systems penetrating the primary containment boundary. The NSSS control system interfaces are shown in the following references: Interface System Document Plant Drawing/Vendor Technical Document Containment isolation Nuclear Boiler P&ID M-41-1 valves and other RHR P&ID M-51-1 initiated components Nuclear Boiler System FCD PN1-B21-1030-0021 RWCU P&ID M-44-1 Reactor Recirculation P&ID M-43-1 Equipment Drain Flow Diagram (P&ID) M-61-0 Floor Drain Flow Diagram (P&ID) M-61-1 7.3-19 HCGS-UFSAR Revision 20 May 9, 2014 Interface System Document Plant Drawing/Vendor Technical Document FRVS Flow Diagram M-83-1 (P&ID) M-84-1 Component control logic Nuclear Boiler System FCD PN1-B21-1030-0021 RHR FCD PN1-E11-1030-0020 RWCU FCD PN1-G33-1020-0416 Instrument Table 7.3-5 specifications NSSSS isolation Table 7.3-6 valves/signals Operator information Nuclear Boiler PN1-B21-1030-0021 displays System FCD Instrument location drawings and electrical schematics are identified in Section 1.7. 3. PCRVICS operation - During normal plant operation, the isolation control system sensors and trip logic relays that are essential to safety are energized. When abnormal conditions are sensed, instrument contacts open and deenergize the trip logic relays and thereby initiate isolation. Once initiated the PCRVICS trip logics seal-in and may be reset by the operator only when conditions return to normal. See Table 7.3-6 for PCRVICS isolation valves/signals. Each main steam isolation valve (MSIV) has two control solenoids. Each solenoid receives inputs from two redundant logics. A signal from either logic will deenergize one solenoid. For any one valve to close automatically, both of its solenoids must be deenergized. 7.3-20 HCGS-UFSAR Revision 20 May 9, 2014 The MSIV logic has a minimum of four redundant instrument channels for each measured variable. One channel of each variable is connected to one trip logic. One group of redundant logics (A,C) is used to control one solenoid of both inboard and outboard valves of all four main steam lines, and the other group of redundant logics (B,D) is used to control the other solenoid of both inboard and outboard valves. The four PCRVICS trip logics are arranged in a one out of two twice logic combination (trip logic A or C and B or D). Refer to Figure 7.3-11. The main steam line drain valves, reactor water sample valves, and RHR system isolation valves also operate in pairs. The inboard valves close if isolation logics A and B are tripped, and the outboard valves close if logics C and D are tripped (refer to Figure 7.3-12). The Reactor Water Cleanup (RWCU) System isolation valves close upon single logic trip (A for inboard and B for outboard). Refer to Plant Drawing J-44-0. The PCRVICS actuation also provides (via PCIS) isolation signals to the FRVS, signals to remove nonessential loads from essential buses, and signals to isolate the Reactor Building Ventilation System (RBVS). The following variables provide inputs to the PCRVICS logics for initiation of reactor vessel and containment isolation, as well as the initiation or trip of other plant functions when predetermined limits are exceeded. Combinations of these variables, as necessary, provide initiation of various isolating and initiating functions as described in Table 6.2-16 and below: a. Reactor vessel low water level - A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the RCPB 7.3-21 HCGS-UFSAR Revision 20 May 9, 2014 and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach of the RCPB, conserve reactor coolant by closing off process lines, and limit the release of radioactive materials from the primary containment through process lines that communicate with the RCPB or primary containment. Three reactor vessel low water level isolation trip settings are used to complete the isolation of the primary containment and the reactor vessel. The first (and highest) reactor vessel low water level isolation trip (L3) initiates closure of the RHR shutdown cooling system isolation valves. The main steam lines are left open to allow the removal of heat from the reactor core. The second (and lower) reactor vessel low water level isolation trip (L2) initiates the RCIC and HPCI cooling systems, closes primary containment isolation valves, trips recirculation pumps, initiates alternate rod insertion (ARI) and contributes to Standby Liquid Control (SLC) System logic. The third (and lowest) reactor low water level isolation trip (L1) initiates RHR and core spray cooling systems, closes MSIVs, contributes a signal to ADS logic, starts the SDG and isolates the drywell coolers. Reactor vessel low water L2 and L3 are monitored by two sets of four redundant level transmitters, associated trip units, and logic. Each set of four is distributed among the four logic channels. One 7.3-22 HCGS-UFSAR Revision 12 May 3, 2002 set of four level transmitters, located in the NSSSS, monitors reactor vessel water level and provides the L2 trip signal. The other set of four level transmitters, located in the Reactor Protection System (RPS), monitors reactor vessel water level, and provides the L3 trip signal. Relay contacts for water L3 logic are provided from the RPS for use by the NSSSS. Diversity of trip initiation for pipe breaks inside of primary containment is provided by monitoring drywell high pressure. b. Drywell high pressure - High pressure in the drywell could indicate a breach of the RCPB inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes. High drywell pressure is monitored by one set of four redundant differential pressure transmitters, associated trip units, and logic. This set of instruments is located in the RPS and is distributed among the four logic channels. Relay contacts for high drywell pressure are provided from RPS for use by the NSSSS. c. Main steam line high radiation - The main steam line radiation monitoring system senses the gross release of fission products from the fuel and initiates appropriate actions to limit fuel damage and contain the released fission products. Four detectors, one for each main steam line, monitor the gross gamma radiation. Each detector provides an input to one of the four PCRVICS trip logic channels. 7.3-23 HCGS-UFSAR Revision 0 April 11, 1988 Each monitoring channel consists of a gamma-sensitive ion chamber and a log radiation monitor. Each radiation channel has four trip circuits. The high-high and inoperative trip circuits are combined in an "or" configuration and interlock to the RPS in the form of relay contacts. The RPS in turn interlocks this signal to PCRVICS with relay contacts to initiate Reactor Water Sample Valve closure and mechanical vacuum pump trip on a main steam line radiation monitor inoperative trip or a high-high trip. The four trip outputs high-high, NOP, high and low are used to initiate alarms or are used in the balance of plant (BOP). A fifth signal, proportional to radiation from each radiation monitor, is an analog signal processed by the Radiation Monitoring System (RMS) through a local radiation processor. The readout of the four MSL-RMS radiation values is located in the main control room. The RMS provides data logging and display of the RMS CRT. All readout equipment is located in the main control room. The MSL-RMS analog values are connected through isolation circuits to a non-Class 1E computer for control room display and data logging (see Section 11.5). When the main steam line radiation value exceeds a predetermined setpoint, the PCRVICS initiates closure of reactor water sample valves. d. Main steam line tunnel high ambient temperature - High ambient temperature in the main steam line tunnel in which the main steam lines are located could indicate a leak in 7.3-24 HCGS-UFSAR Revision 7 December 29, 1995 a main steam line. The automatic closure of the MSIVs will prevent excessive loss of reactor coolant and the release of a significant amount of radioactive material from the RCPB. Four redundant main steam line high ambient temperature sensors for each main steam line are provided in the main steam tunnel. Each main steam line isolation trip logic channel is deenergized by high ambient temperature in the main steam line tunnel as indicated by any of the four temperature sensors associated with that logic channel. One group of redundant logic channels (A, C) is used to control one solenoid of both inboard and outboard valves of all four main steam lines, and the other group of redundant logic channels (B, D) is used to control the other solenoid of both inboard and outboard valves. The four trip logic channels are arranged in a one out of two twice logic combination (trip logic A or C and B or D) in order to produce an isolation signal. Functional operability of all temperature sensors/monitors can be verified by readout comparisons, continuity test, or applying a heat source to the locally mounted temperature-sensing elements. Functional operability of each trip logic channel can be tested independently during normal operation. An indicator light in the control room verifies the operability of each trip logic channel. When a predetermined increase in main steam line tunnel ambient is detected, trip signals initiate 7.3-25 HCGS-UFSAR Revision 4 April 11, 1992 closure of all main steam line isolation and drain valves. Diversity of trip initiation signals for high main steam line tunnel ambient temperature is provided by main steam line high flow, and steam line low pressure instrumentation. e. Main steam line high flow - Main steam line high flow could indicate a breach in a main steam line. Automatic closure of MSIVs prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the RCPB. Each of the four trip logic channels receives inputs of main steam line flow from each main steam line. This flow signal is provided by redundant differential pressure transmitters and their associated trip units. When a significant increase in main steam line flow is detected by both trip systems (A and B), trip signals initiate closure of all main steam line isolation and drain valves. f. Main turbine inlet low steam pressure - Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves become fully open, and causes rapid depressurization of the reactor vessel. Four redundant pressure transmitters and associated trip units monitor steam line pressure. Each trip unit provides input to one of 7.3-26 HCGS-UFSAR Revision 17 June 23, 2009 the four trip logic channels. When low pressure is detected in each trip system, the PCRVICS initiates closure of all main steam isolation and drain valves. g. Reactor Building Ventilation Radiation Monitoring System - See Section 7.3.1.1.5, Balance of Plant Primary Containment Isolation System. h. RWCU system high differential flow - High differential flow in the RWCU system could indicate a breach of the RWCU system. The RWCU outlet flow and the discharge flow to the condenser are compared to the RWCU inlet flow and the Crack Monitoring System inlet flow to the RWCU system. Density of the RWCU system water at the flow monitoring regions will be used in determining differential flow to maintain accurate indication under all RWCU operating conditions. Two redundant differential flow sensing channels compare the RWCU system inlet outlet flow. Each of the flow sensing channels provides an input to one of the two (inboard or outboard) logic trip channels. When an increase in RWCU system differential flow is detected, the PCRVICS initiates closure of all RWCU system isolation valves. Diversity of trip initiation signals for RWCU system line break is provided by instrumentation for reactor low water level, differential flow, and high ambient or differential temperature in RWCU equipment areas. 7.3-27 HCGS-UFSAR Revision 4 April 11, 1992 The RWCU system high differential flow trip is bypassed by an automatic timing circuit during normal RWCU system surges. This time delay bypass prevents inadvertent system isolations during system operational changes. i. RWCU system area high ambient temperature and differential temperature - High temperature in the 7.3-27a HCGS-UFSAR Revision 4 April 11, 1992 THIS PAGE LEFT INTENTIONALLY BLANK 7.3-27b HCGS-UFSAR Revision 4 April 11, 1992 equipment room areas of the RWCU system could indicate a breach in the RWCU system. Twelve differential temperature sensor/monitors monitor the RWCU equipment room ventilation inlet/outlet ducts. Twelve ambient temperature sensor/monitors monitor the RWCU equipment room. Six of the twelve ambient and six of the twelve differential temperature sensor/monitors are associated with each of two (channel A and channel D) trip logics. When a predetermined increase in RWCU system area ambient or differential temperature is detected by any one or more of the twelve temperature sensor/monitors within channel A, the RWCU inboard isolation valve is signaled to close. A similar predetermined temperature increase detected by any one or more of the twelve channel D temperature sensor/monitors will signal the outboard RWCU isolation valve to close. The RWCU system's inboard or outboard isolation valves close upon a single logic trip. Each inboard and outboard isolation valve has an indicator light, which gives the operator an indication of the valve closure. The functional operability of the temperature sensor/monitors may be verified independently as discussed for the MSIVs in Section 7.3.1.1.2. Each logic channel is provided with a test switch with which the functional operability of each logic channel can be tested independently during normal operation. Diversity of trip initiation signals for RWCU area high ambient temperature or high differential 7.3-28 HCGS-UFSAR Revision 17 June 23, 2009 temperature is provided by reactor low water level trip, and RWCU system high differential flow. j. RWCU SLC system actuation - Actuation of the SLC system will initiate isolation of RWCU by closing the RWCU, inboard and/or outboard isolation valve. Diversity is provided for this trip initiation signal from the Redundant Reactivity Control System (RRCS). k. RWCU high temperature at outlet of non-regenerative heat exchanger - A predetermined increase in temperature at the outlet of the non-regenerative heat exchanger will initiate isolation of the RWCU system by closing the RWCU outboard isolation valve only. No diversity is provided for this trip initiation signal. Two redundant differential pressure transmitters, one for each trip logic, monitor the RHR shutdown cooling mode suction line. The output trip signal of each sensor initiates a logic trip and closure of either the inboard or outboard RHR system isolation valve. l. Main condenser vacuum trip - The main condenser low vacuum signal could indicate a leak in the condenser. Initiation of automatic closure of the MSIVs and steam line drain valves will prevent excessive loss of reactor coolant and the release of significant amounts of radioactive material to the environment. Four redundant pressure transmitters and associated trip units monitor the main condenser vacuum. Each trip unit (low vacuum switch) provides an input to one of the four trip logic channels. 7.3-29 HCGS-UFSAR Revision 0 April 11, 1988 When a significant decrease in main condenser vacuum is detected by each trip system (A and B), the PCRVICS initiates closure of all main steam line isolation and drain valves. The main condenser low vacuum trip can be bypassed manually when the main stop valve is less than 90 percent open to allow for starting up the plant. No diversity is provided for the main condenser low vacuum trip. 4. PCRVICS testability - The operation of each subsystem up to and including the actuators can be independently verified during normal plant operation. Instrument setpoints are tested by simulated signals of sufficient magnitude to verify the alarm points. 7.3.1.1.3 RHR-Containment Spray Cooling Mode 1. Containment spray cooling mode function - The containment spray cooling mode is an operating mode of the RHR system. It is designed to condense steam in the suppression chamber air volume and/or the drywell atmosphere following a LOCA. See Section 6.2.2 and Table 7.3-7. 2. Containment spray cooling mode operation - The containment spray cooling mode is initiated by the control room operator by diverting LPCI flow to either the suppression chamber or the drywell by opening the containment spray valves or by closing the LPCI injection valve and opening the selected containment spray valves. Containment spray will operate upon a permissive signal from the high drywell pressure interlock. The following conditions must exist before the operator can initiate a containment spray cooling loop: 7.3-30 HCGS-UFSAR Revision 0 April 11, 1988
a. The LPCI initiation signal (either manual or automatically from a LOCA signal) must exist. b. Drywell high pressure is monitored by two redundant pressure transmitters. One of the two must indicate high pressure. See Table 7.3-7. c. The operator must close the LPCI injection valve. The LPCI mode of operation can be overridden; but only by conscious operator action; that is, several remote manual switches must be operated to bring valves into proper alignment for operation in other modes. The LPCI mode cannot be overridden by any automatic action. Once the LPCI mode is in operation, operator action is required to place the RHR system in any other condition. 3. Containment spray cooling mode testability - Two full flow test lines are provided to route RHR pump discharge flow to the suppression pool. Flow is capable of being diverted into these test lines to test operations of pumps and major parts of control systems during reactor operation. Other control equipment is functionally tested during manual testing of each loop. Adequate indication in the form of panel indicating lights and annunciators are provided in the main control room. 7.3-31 HCGS-UFSAR Revision 12 May 3, 2002 7.3.1.1.4 RHR Suppression Pool Cooling Mode 1. RHR suppression pool cooling mode function - The SPCM is an operating mode of the RHR system. It is designed to prevent suppression pool water temperature from exceeding predetermined limits following a reactor blowdown by the ADS or SRVs. 2. RHR SPCM operation - The RHR-SPCM is initiated by the control room operator either during normal plant operation or following a LOCA, when the Suppression Pool Water Temperature Monitoring System, as discussed in Section 7.6, indicates that suppression pool water temperature may exceed a predetermined limit. Suppression pool cooling is commenced by initiating SACS flow to the RHR heat exchanger, starting the RHR pump, opening the suppression pool return valve, and closing the heat exchanger bypass valve. If RHR has initiated in the LPCI mode, the RHR pump will already be running; the LPCI injection valve and suppression pool return valve must be overridden. 7.3-32 HCGS-UFSAR Revision 12 May 3, 2002 In the event that the main control room becomes uninhabitable, RHR-SPCM loop B can also be initiated from the remote shutdown panel (RSP) (see Section 7.4.1.4). Operation from the RSP is totally operator controlled and all RHR loop B automatic initiation signals are disabled when the Channel B RSP transfer switch is placed in the "Emergency" position. The RHR-SPCM can be manually initiated locally on RHR loop A as a backup to operation of RHR loop B from the RSP. The RHR loop A local pump and valve controls are identified on Table 7.4-3. 3. RHR-SPCM testability - The RHR-SPCM is capable of being tested during normal operation. Testing for functional operability can be accomplished by manual testing of each loop. Adequate indication in the form of panel indicator lights and annunciators is provided in the main control room. 7.3.1.1.5 Primary Containment Isolation System 1. PCIS function - The PCIS is designed to ensure primary containment integrity by initiating closure of non-NSSS 7.3-33 HCGS-UFSAR Revision 12 May 3, 2002 primary containment isolation valves following a design basis accident (DBA). Each channel of the PCIS is actuated by the following input signals as shown on Plant Drawing J-102-0: a. Reactor vessel water level low (L2) (For definition of reactor vessel water level trip functions, see Plant Drawing M-42-1) b. Reactor vessel water level low (L1) c. Drywell pressure high d. Reactor Building radiation high e. Refueling floor area radiation high f. Manual initiation. A block diagram of the PCIS is shown on Figure 7.3-13. A specific identification of primary containment isolation is provided in Section 6.2.4. 2. PCIS operation - The PCIS initiates isolation of the following lines penetrating the primary containment: a. Reactor Auxiliaries Cooling System (RACS) cooling water supply and return b. RCPB Leak Detection system gas sampling and return c. Torus Water Cleanup System supply and return d. Primary containment purge supply and exhaust e. Hydrogen/oxygen analyzer sampling and return 7.3-34 HCGS-UFSAR Revision 20 May 9, 2014
f. Hydrogen recombiner supply and return g. Primary containment instrument gas supply and return h. Drywell floor drain sump discharge to radwaste i. Drywell equipment drain sump discharge to radwaste j. Drywell coolers chilled water supply and return. The PCIS also provides the initiating circuitry for the following two subsystems: a. The Reactor Building Ventilation Isolation System (RBVIS) - described in Section 7.3.1.1.10. b. The Safety System/Non-Safety System Isolation (SSNSSI) System - described in Section 7.6.1.8. The PCIS is capable of both automatic and manual initiation. Pushbutton switches are provided in the main control room to enable the operator to manually initiate the PCIS. 3. PCIS power sources - Each PCIS channel is provided power from its associated Class 1E bus. Figure 7.3-13 identifies those portions of the PCIS requiring Class 1E (ESF) power. 4. PCIS initiating circuits - The following three systems provide initiating signals to each PCIS channel: 7.3-35 HCGS-UFSAR Revision 12 May 3, 2002
a. Radiation Monitoring System (RMS) - (1) Reactor Building high radiation (2) Refueling floor area high radiation b. Primary Containment and Reactor Vessel Isolation Control System (PCRVICS) - (1) Reactor vessel water level low (L2), or drywell pressure high, or manual initiation from the Nuclear Steam Supply Shutoff System (NSSSS) c. Core Spray System - (1) Reactor vessel water level low (L2) (2) Drywell pressure high (3) Reactor vessel water level low (L1) and/or drywell pressure high or manual initiation (routed through the associated Class 1E channel emergency load sequencer (ELS)). Capability for manual initiation of each PCIS channel has been provided by four switches, one for each PCIS channel, located in the main control room. These switches are of the armed pushbutton type wherein the operator must first rotate the switch collar to "arm" the pushbutton and then depress the pushbutton to actuate the isolation circuitry. 5. PCIS logic and sequencing - No sequencing is required for the PCIS. Plant Drawing J-102-0 shows the PCIS logic and isolation signal fanout. Plant Drawing J-107-0 shows the ELS logic and Plant Drawing J-105-0 shows the ELS signal fanout. 7.3-36 HCGS-UFSAR Revision 20 May 9, 2014 The PCIS initiation signals are logically combined as described below to initiate the PCRVICS, and the core spray system are logically combined as described below to initiate closure of the non-NSSS primary containment isolation valves. These isolation valves can be broken down into two actuation groups: a. Valves that close upon reactor vessel water level low (L2), drywell pressure high, Reactor Building radiation high, or manual initiation. Each PCIS channel will cause isolation of its associated valves whenever any of the following combinations of initiating signals exist: (1) PCIS manual initiation (2) Reactor vessel water level low (L2), drywell pressure high, or manual initiation signal from the PCRVICS in conjunction with a reactor vessel water level low (L2) or drywell pressure high signal from the core spray system (3) Reactor building radiation high signals from 2 out of 3 reactor building radiation monitoring channels b. Valves that close on reactor vessel water level low (L1), drywell pressure high, or manual initiation. Each PCIS channel will cause isolation of its associated valves upon receipt of a signal from the 7.3-37 HCGS-UFSAR Revision 13 November 14, 2003 associated core spray channel indicating LOCA conditions of reactor vessel water level low (L1) and/or drywell pressure high or upon core spray manual initiation. This signal is routed through the associated Class 1E channel ELS (for LOCA sequencing) to the PCIS. 6. PCIS bypasses and interlocks - The capability to override the PCIS isolation signal to certain valves is provided due to operational requirements of the systems with which these valves are associated. For example, the drywell atmosphere hydrogen/oxygen analyzer primary containment isolation valves are closed following a LOCA. Override of the isolation signal is necessary to allow reopening of the system isolation valves so that a sample of the drywell atmosphere can be obtained to determine hydrogen and oxygen percentages. The override can not be effected unless a PCIS isolation signal exists and the affected valve has attained its isolated position. Each override is instituted at the component (valve) level by a pushbutton switch in the main control room which, when depressed, restores normal control of the valve to the control room operator. Each override condition is specifically identified in the main control room and is automatically removed when the PCIS initiating signal clears. Those primary containment isolation valves that have override capability are identified on Table 6.2-16. Operation of the PCIS is not interlocked with any other systems. 7. PCIS redundancy and diversity - The PCIS consists of four redundant initiating channels as shown on Plant Drawing J-102-0. 7.3-38 HCGS-UFSAR Revision 20 May 9, 2014 In addition to manual initiation, diverse initiating signals of reactor low level (L2 and L1), drywell high pressure, Reactor Building high radiation, and refueling floor area high radiation are provided to each PCIS initiation channel. 8. PCIS actuated devices - Table 6.2-16 lists all valves actuated by the PCIS. Plant Drawing J-102-0 shows the PCIS initiation logic and isolation signal fanout. 9. PCIS separation - Separation is maintained between redundant portions of the PCIS by using physical distance and electrical separation barriers in accordance with the requirements of Regulatory Guide 1.75. The redundant portions of the PCIS are assigned to separate Class 1E electrical channels. 10. PCIS testability - The three systems providing inputs to the PCIS have testability as described in the following sections: a. PCRVICS - refer to Section 7.3.1.1.2 b. RMS - refer to Section 11.5.2.1 c. Core spray controls and instrumentation - refer to Section 7.3.1.1.1.3. The PCIS controls and instrumentation are capable of being tested, from the sensor through actuated devices by the overlap method during normal power operation. The sensors (transmitters) can be valved out of service, one at a time, and functionally tested using an appropriate test source. This test will verify proper circuit operation from the sensor to the input of the actuation device. 7.3-39 HCGS-UFSAR Revision 20 May 9, 2014 The PCRVICS and core spray trip units can be tested by providing an input signal from a calibration device. This test will verify circuit function from the channel trip unit to the input of the actuation device. Actuated devices can be individually tested from the main control room by manual operation of control switches. Each PCIS actuation channel and its associated actuated devices can be functionally tested as follows: (1) Operation of the PCIS manual initiation switch. (2) Simultaneous insertion of test signals into the PCRVICS and core spray systems to simulate conditions of reactor vessel water level low (L2) or drywell pressure high. (3) Manual actuation of the reactor building high radiation trips at the local radiation processors (LRPs). (4) Manual actuation of the refueling floor area high radiation trips at the LRPs (tests the RBVIS function). (5) Insertion of test signals into the core spray system to simulate LOCA conditions of reactor vessel water level low (L1) and/or drywell pressure high (tests the LOCA (L1) isolation function). (6) Operation of the core spray manual initiation switch. 7.3-40 HCGS-UFSAR Revision 15 October 27, 2006
11. PCIS environmental considerations - The instrumentation and controls of the PCIS are qualified as Class 1E equipment. The sensors are mounted locally or on local instrument racks. The actuation circuitry is located in instrumentation panels in the control equipment room and the main control room. All equipment is qualified for the appropriate environmental conditions. Refer to Section 3.11 for details of the qualification testing. 12. Main control room displays - The status of each valve actuated by the PCIS is indicated in the main control room. The PCIS process variable inputs of drywell pressure, reactor vessel water level, and radiation levels are displayed in the main control room. 13. PCIS setpoints - Refer to Section 16, Technical Specifications, for a listing of the PCIS setpoints. 7.3.1.1.6 Containment Atmosphere Control System The CACS incorporates features for accomplishing the following functions: 1. Removing radioactive contaminants from all primary containment gas prior to its release to the environment 2. Inerting and purging the primary containment 3. Limiting differential pressure between the drywell and the suppression chamber 4. Limiting differential pressure between the reactor building and the primary containment 7.3-41 HCGS-UFSAR Revision 15 October 27, 2006
5. Monitoring hydrogen and oxygen concentrations in the primary containment 6. Controlling hydrogen concentration in the primary containment after a LOCA 7. Monitoring the temperature and pressure of the drywell and the suppression chamber. The CACS system serves the drywell and suppression chamber in various modes during normal reactor operation, reactor shutdown, and post-accident conditions. Portions of the system are nonsafety-related. Only safety-related portions of the CACS are described in this section. The nonsafety-related systems, which are discussed in Section 6, are as follows: 1. Containment Inerting and Purge System (CIPS) 2. Containment Prepurge Cleanup System (CPCS). 7.3.1.1.6.1 Suppression Chamber to Drywell Pressure Relief System 1. Suppression Chamber to Drywell Pressure Relief (SCDPR) System function - The purpose of the SCDPR system is to limit the differential pressure between the suppression chamber and the drywell. See Section 6.2.5 for description of the mechanical system equipment. 2. SCDPR System Operation - The SCDPR system consists of 8 vacuum relief valves. The valves are of a swing check valve type design. They are located on the vent header of the drywell to suppression chamber vent system to prevent the drywell pressure from falling 2.5 psid below the suppression chamber pressure. The vacuum relief valves reach their full-open position when a 0.25 psid pressure 7.3-42 HCGS-UFSAR Revision 0 April 11, 1988 differential exists, allowing the venting of noncondensibles from the suppression chamber to the drywell. Four position switches are provided with each vacuum relief valve. Two provide fully open valve position signals and two provide fully closed valve position signals. Each position switch signal provides an input to an indicating light in the main control room, which indicates the status of the vacuum relief valve (fully open, fully closed). The same fully open and fully closed valve position signals are input to logic that will provide outputs to two indicating lights in the main control room. These indicating lights are both illuminated whenever the vacuum relief valve is in a partially open condition. See Plant Drawing J-57-0. An input to the computer is provided when either of the fully closed position signals is not present. See Plant Drawing J-57-0. 3. SCDPR system testability - Each relief valve in the SCDPR system can be tested during normal plant operation from the main control room. Each relief valve has a test pushbutton switch and a solenoid valve associated with it. Depressing the test pushbutton switch energizes the solenoid valve which directs gas from the PCIGS to open the vacuum relief valve. When the test pushbutton is released, the solenoid valve deenergizes, and the relief valve returns to normal operation depending on the primary containment conditions. This test verifies the proper operation of the vacuum relief valve, status lights, and computer input. 7.3-43 HCGS-UFSAR Revision 20 May 9, 2014 7.3.1.1.6.2 Reactor Building to Suppression Chamber Pressure Relief System 1. Reactor Building to suppression chamber pressure relief (RBSCPR) function - The purpose of the RBSCPR system is to limit the differential pressure between the reactor building and the suppression chamber. See Section 6.2.5 for a description of the mechanical system equipment. 2. RBSCPR operation - The RBSCPR system consists of two vacuum relief assemblies, each providing a ventilation path from the reactor building to the suppression chamber. Each RBSCPR system assembly consists of a check valve and a normally closed butterfly valve. A differential pressure transmitter senses the pressure differential between the reactor building and the suppression chamber. When this differential reaches a specified limit, a pressure differential switch provides an input signal to a solenoid valve, associated with the butterfly valve, which energizes and directs gas from the PCIGS to open the butterfly valve. This allows the Reactor Building atmosphere to enter the suppression chamber and equalize the pressure difference. The suppression chamber to drywell pressure differential is equalized through the SCDPR system discussed in Section 7.3.1.1.6.1. When the differential pressure is reduced to a specified level, the solenoid valve deenergizes and the butterfly valve returns to the closed position. The check valve prevents the suppression chamber atmosphere from venting into the Reactor Building should the butterfly valve fail to close after the differential has been reduced. Valve position switch contacts are monitored on each butterfly valve and each check valve providing fully open and fully closed valve position signals to illuminate valve position indicating 7.3-44 HCGS-UFSAR Revision 0 April 11, 1988 lights in the main control room. An input is provided to the computer whenever the butterfly valve is not 100 percent closed. 3. RBSCPR system testability - The RBSCPR system controls and instrumentation are capable of being tested from sensors through actuated devices during normal power operation. Each sensor (transmitter) can be valved out of service and functionally tested using an appropriate test source. This test will verify proper circuit operation from the sensor input through the actuated device. The calibration of the alarm units (differential pressure switches) can be checked from the appropriate cabinet in the control equipment room without initiating operation of the actuated device. When an alarm unit is placed "in test" an output is provided to illuminate an indicating light in the main control room to advise the control room operator of the "in test" status. This indicating light is automatically extinguished when the alarm unit is placed back in operation. See Plant Drawing J-57-0. Each check valve and butterfly valve in the RBSCPR system can be individually tested from the main control room by the operation of an associated pushbutton test switch. When the pushbutton test switch is depressed, the associated solenoid valve of the valve being tested is energized and directs gas from the PCIGS to open the butterfly or check valve. When the pushbutton test switch is released, the solenoid valve deenergizes and the valve under test returns to its normal operating status. Satisfactory operation is determined by observation of the expected valve position indicating light patterns during the test. 7.3-45 HCGS-UFSAR Revision 20 May 9, 2014 7.3.1.1.6.3 Hydrogen/Oxygen Analyzer System (HOAS) 1. HOAS function - The purpose of the HOAS is to measure the percentage of hydrogen and oxygen in the primary containment atmosphere. See Section 6.2.5 for the arrangement of the mechanical system equipment. 2. HOAS operation - The HOAS consists of two redundant hydrogen oxygen analyzers (HOAs). Each HOA can sample the primary containment atmosphere from three points: one from the drywell proper, one from the drywell dome, and one from the suppression chamber. The HOA takes suction from the selected sample line, analyzes the containment atmosphere sample for percent oxygen and percent hydrogen content, and exhausts the sample to the suppression chamber through a return line. Bottled gas is provided for calibrating and operating the HOAS using 5 percent hydrogen in nitrogen and 5 percent oxygen in nitrogen, for the calibration of the hydrogen and oxygen analyzer cells, respectively, in each HOA. Each HOA sample and return line is provided with an inboard and outboard containment isolation valve. See Section 6.2.4. These containment isolation valves are signaled closed by containment isolation signals from the PCIS. Once closed, an override capability has been provided to allow reopening of the valves to permit sampling of primary containment atmosphere for hydrogen and oxygen following a LOCA. Four containment isolation override pushbutton switches, two for each HOA, have been provided in the main control room for accomplishing the override function. One override switch, when depressed, initiates override of the PCCS containment isolation signals to its respective HOA sample and return line inboard containment isolation valves. The other override 7.3-46 HCGS-UFSAR Revision 8 September 25, 1996 switch associated with the same HOA, when depressed, initiates override of the PCIS containment isolation signals to the HOAS sample and return line outboard containment isolation valves. The override signal also illuminates an indicating light (one for each override switch) in the main control room to advise the control room operator of the override condition. The override is automatically removed and the indicating light extinguished when the PCIS containment isolation signal clears. Each containment isolation valve provides an input to the computer whenever it is not 100 percent closed. See Plant Drawing J-57-0. Each HOA has a subpanel mounted in a main control room panel section and a remote control cabinet. Control switches and status indicating lights are provided to allow HOA calibration and operation from either location. Percent oxygen and percent hydrogen are indicated on meters at each location for use during calibration and operation. Percent oxygen is repeated on indicating meters located near the drywell equipment hatches. However, the HOA sample and return line containment isolation valves cannot be operated from the remote control cabinet. A three pen recorder for each HOA allows a permanent record to be maintained. One pen identifies which sample stream the HOA is analyzing, one pen records the percent oxygen in the sample, and one pen records the percent hydrogen in the sample. Signals from each of the inboard containment isolation valves in the HOA sample lines are interlocked in logic which prevents the sample stream identifying pen from recording an erroneous stream identification should two or more sample lines be open. See Plant Drawing J-57-0. 7.3-47 HCGS-UFSAR Revision 20 May 9, 2014 The three sample lines for each local HOA panel are individually Class-1E electrically heat traced. Channel C power is provided to the heat tracing for HOA "A," channel D power for HOA "B" heat tracing. The return lines are not heat traced. Individual temperature controllers located adjacent to the respective local HOA panel maintain their sample lines temperature between 250°F and 270°F to prevent condensation formation. Thermocouples are mounted along each sample line to provide input to that sample line's temperature controller. The following heat tracing system failures are individually indicated at each heat tracing panel and provided as a common trouble alarm for both panels in the main control room: 1. Current failure/low temperature 2. Power failure - with the exception of low temperature on lines that are shared (common) with the HOAS and CACS used for nitrogen makeup to the drywell. The common trouble alarm from each heat tracing panel is repeated from the plant annunciator system to the plant computer system for logging purposes and alarm identification via the main control room CRTs. The following system failures are annunciated at the local control panel and are repeated in the form of a common system trouble alarm in the main control room: a. HOA pump enclosure pressure high/low, b. HOA calibration and reagent gas pressure low, c. HOA hot box temperature high/low, 7.3-48 HCGS-UFSAR Revision 15 October 27, 2006
d. HOA cell failure. The HOA common system trouble alarm in the main control room is also annunciated whenever predetermined levels of hydrogen or oxygen are detected. 3. HOAS testability - Each HOA in the HOAS is capable of being tested during normal plant operation. With the HOA warmed up (a minimum six hour warm-up is required prior to any testing or calibration) and operating in the standby mode, system flow rates can be checked by placing the main power switch (located on the analyzer sub-panel in the main control room) in the "analyze" position and observing the flow meters on the remote analyzer panel. Needle valves are provided for adjusting the system flows as necessary. Once proper flow rates are established, the operator can check zero and span calibration by operation of the function selector switch (located on the analyzer sub-panel in the main control room) first to the "zero" position and then to the "span" position. In the "zero" position, the operator should observe 0 percent readings on the percent H2 and O2 indicators located on the analyzer sub-panel in the main control room and on the remote analyzer panel. In the "span" position, the operator should observe readings on the percent H2 and O2 indicators corresponding to the calibration gas percentage supplied to the analyzer. Calibration gases of 5% H2 in N2 and 5 percent O2 in N2 are provided for initial calibration of the HOAs and for verifying calibration during system operation. A heated compartment, "hot box", is provided in each HOA to maintain the temperatures of the incoming sample and analyzer cells sufficiently high to prevent condensation 7.3-49 HCGS-UFSAR Revision 0 April 11, 1988 of the gases in the system. Proper hot box operation can be verified by removing the hot box cover and measuring the internal temperature with a suitable temperature monitoring device (i.e., calibrated pyrometer). Proper operation of the HOA sample pump (located in the remote analyzer panel) can be verified by attaching a pressure gauge to the test tee provided at the pump discharge and observing the discharge pressure with the pump running. 7.3.1.1.6.4 Containment Hydrogen Recombination System (CHRS) 1. Containment Hydrogen Recombination System (CHRS) function - The function of the CHRS is to reduce the hydrogen concentration of the primary containment atmosphere following a beyond design basis accident. See Section 6.2.5 for the arrangement of the mechanical system equipment. Instrument specifications are listed in Table 7.3-9. 2. CHRS operation - The CHRS consists of two hydrogen recombiners located in the Reactor Building outside of the primary containment. Each recombiner takes a suction from the drywell atmosphere. The CHRS thermally recombines the hydrogen and contained oxygen in the drywell gas. The recombined gas is cooled by spray water from the RHR system. The cooled effluent returns to the suppression chamber through the CPCS line. Primary containment temperature and pressure are measured to provide the control room operator with information necessary for the proper operation of the CHRS. The drywell atmosphere inlet line and the suppression chamber return line for each hydrogen recombiner are provided with two isolation valves outside primary containment. See Section 6.2.4. The cooling water line 7.3-50 HCGS-UFSAR Revision 15 October 27, 2006 from the RHR system to each hydrogen recombiner is provided with two system isolation valves. These containment and system isolation valves are signaled closed by containment isolation signals from the PCIS. Once closed, an override capability has been provided to allow reopening of the valves so that the CHRS can be placed in operation following a LOCA. Four containment isolation override pushbutton switches, two for each hydrogen recombiner, have been provided in the main control room for accomplishing the override function. One override switch, when depressed, initiates override of the PCIS containment isolation signals to its respective hydrogen recombiner atmosphere inlet, suppression chamber return, and cooling water from RHR line first isolation valves. The other override switch associated with the same hydrogen recombiner, when depressed, initiates override of the PCIS containment isolation signals to the hydrogen recombiner atmosphere inlet, suppression chamber return, and cooling water from RHR line second isolation valves. The override signal also illuminates an indicating light (one for each override switch) in the main control room to advise the control room operator of the override condition. The override is automatically removed and the indicating light extinguished when the PCIS containment isolation signal clears. Each primary containment isolation valve provides an input to the computer whenever it is not 100 percent closed. See Plant Drawing J-58-0. Each hydrogen recombiner has a main control panel located in the control room. Control switches, process indicators, and status indicating lights are provided on the control panel, allowing hydrogen recombiner operation from the main control room. The CHRS system is designed for manual initiation, operation, and shutdown from the 7.3-51 HCGS-UFSAR Revision 20 May 9, 2014 main control room. However, the hydrogen recombiners are tripped automatically by any of the following conditions: a. Heater wall temperature high-high b. Reaction chamber shell temperature high-high c. Return gas temperature high. An alarm is annunciated (audible and/or visual) at the CHRS control panel whenever any of the following conditions exist during CHRS operation: a. Heater wall temperature high b. Reaction chamber wall temperature high c. Reaction chamber gas temperature low d. Return gas temperature high e. Through gas flow low. f. Heater gas temperature 2/3 through heater (high) g. Heater outlet gas temperature high Any alarm at the CHRS control panel will also annunciate a common alarm on the main annunciator panel in the main control room. 3. CHRS testability - The CHRS is capable of being tested during normal plant operations. Control and instrumentation is tested along with the remainder of components in an integrated system test. 7.3.1.1.7 Main Control Room Habitability and Isolation System (MCRHIS) 1. MCRHIS function - The MCRHIS provides means to isolate the main control room from airborne radioactive contamination 7.3-52 HCGS-UFSAR Revision 13 November 14, 2003 or smoke entering through the main control room ventilation system and maintains habitability in the main control room. The Control Room Emergency Filter (CREF) System provides a means of pressurizing the main control room during isolation. The main control room Heating, Ventilation, and Air Conditioning (HVAC) System including the control room supply (CRS) units and the control room return air (CRRA) fans, provides the proper environment for the main control room and adjacent areas. For description and operation, see Sections 9.4.1 and 6.4. 2. MCRHIS power sources - Power for the I&C associated with the MCRHIS is supplied from the Class IE 120 V ac, and 125 V dc systems. See Section 8 for a description of the electrical system. 3. MCRHIS equipment design - Equipment design is described in Sections 6.4 and 9.4.1. 4. MCRHIS initiating circuits - The MCRHIS is initiated automatically by outside air high radiation, discussed in Section 11.5, reactor vessel low water level (L1), or drywell high pressure. Operating and standby fans for main CRS and control area exhaust (CAE) are determined manually. An operating fan low flow signal will start a standby fan. The Control Room Emergency Filtering (CREF) System is initiated by the isolation signals from the MCRHIS. 5. MCRHIS logic and sequencing - Two modes of isolation and MCREF system operation are provided: a. Complete intake and exhaust isolation of the main control room and total CREF recirculation b. Intake air is diverted through the CREF along with recirculation air. See Sections 9.4.1 and 6.4 for 7.3-53 HCGS-UFSAR Revision 13 November 14, 2003 details. See Plant Drawing H-89-0 for the MCRHIS control logic diagram. 6. MCRHIS bypasses and interlocks - The handswitch of each fan in the CREF system and the main control room HVAC system, when in the "lockout" position, provides inputs to a control room out of service display. The isolation system is interlocked with the CREF system to maintain ventilation within the main control room during isolation. The CRS fans are interlocked with the CRRA fans and the chilled water pumps. 7. MCRHIS redundancy and diversity - To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve. Diversity is not applicable. 8. MCRHIS actuated devices - The MCRHIS does not actuate any other devices. 9. MCRHIS separation - The controls, instrumentation, and power supplies of the MCRHIS are physically separated and electrically independent for each of the redundant trip channels. See Section 8.1.4.14 for a discussion of the electrical system separation. 10. MCRHIS testability - The operability of the isolation initiating circuits of the MCRHIS may be verified by tripping the individual radiation monitor circuits or by manually initiating the channels using handswitches located in the main control room. Operability of the initiating circuits of the CREF system may be verified by putting each CREF fan in the "auto" mode and tripping the respective isolation channel. 7.3-54 HCGS-UFSAR Revision 20 May 9, 2014 Operability of the initiating circuits of the main control room HVAC fans may be verified by alternately placing each fan in the "auto" mode while the other fan of the pair is shut down. In addition, all fans may be manually tested by handswitches located in the main control room. 11. MCRHIS environmental consideration - The I&C for the MCRHIS are located in the main control complex. The environmental considerations for this area are discussed in Section 3.11. 12. MCRHIS operational considerations a. MCRHIS general information - The main control room HVAC system is required for normal operation of the main control room. The MCRHIS and the MCREF system are required for emergency operation of the main control room. b. MCRHIS control room operator information - The control room operator is provided with an isolation initiation alarm and an isolation incomplete alarm in the main control room for each of the two isolation channels. In addition, a common system trouble alarm is provided in the main control room. The control room operator is provided with the following indications or alarms for the CRS system: (1) Fan motor status (2) System flow rate indication and low flow alarm (3) Low inlet pressure alarm (4) High filter differential pressure alarm 7.3-55 HCGS-UFSAR Revision 0 April 11, 1988 (5) High and low supply air temperature alarm.

The following safety-related information is provided for the CREF system:

(1) Fan motor status and damper position status

(2) System mode - "outside air" or "recirculation" (3) First HEPA filter differential pressure indication and high alarm

(4) Low system flow alarm

(5) Charcoal filter entering air high humidity alarm

13. MCRHIS setpoints - For setpoints, see Section 16, Technical Specifications

7.3.1.1.8 Not Used

7.3-56 HCGS-UFSAR Revision 22 May 9, 2017

THIS PAGE INTENTIONALLY BLANK 7.3-57 HCGS-UFSAR Revision 12 May 3, 2002 THIS PAGE INTENTIONALLY BLANK 7.3-58 HCGS-UFSAR Revision 12 May 3, 2002 THIS PAGE INTENTIONALLY BLANK 7.3-59 HCGS-UFSAR Revision 12 May 3, 2002 THIS PAGE INTENTIONALLY BLANK 7.3-60 HCGS-UFSAR Revision 12 May 3, 2002 THIS PAGE INTENTIONALLY BLANK 7.3-61 HCGS-UFSAR Revision 12 May 3, 2002 7.3.1.1.9 Filtration, Recirculation, and Ventilation System (FRVS) 1. FRVS function - During an isolation of the Reactor Building, the FRVS Recirculation System recirculates and filters air in the Reactor Building to reduce the concentration of potentially present radioactive halogens and particulates. The FRVS Ventilation System controls the Reactor Building at a negative pressure with reference to outside atmosphere and further filters the atmosphere to limit offsite doses. For description and operation of the FRVS, see Section 6.8. 2. FRVS power sources - The instruments and controls associated with the FRVS are supplied from Class 1E power sources. 3. FRVS equipment design - Equipment design is described in Section 6.8. 4. FRVS operation - The FRVS is initiated automatically by the RBVIS following a LOCA or refueling area accident. RBVIS initiation is described in Section 7.3.1.1.10. When actuated, the RBVIS will initiate the automatic start of all six FRVS recirculation units. Two units designated for standby will be manually stopped and re-aligned to "auto" mode and will start automatically if any one of the four operating units fails upon low flow. The FRVS recirculation units can be manually test-started from the main control room. Unit low flow, high differential filters pressure and high efficiency particulate air (HEPA) filter high differential pressure are alarmed in the main control room. See Plant Drawing H-83-0, Reactor Building Supply and FRVS Recirculation Logic Diagram. 7.3-62 HCGS-UFSAR Revision 20 May 9, 2014 The following indications are also provided in the main control room for each FRVS recirculation unit: a. Charcoal filter upstream air temperature b. Filter unit exhaust air temperature c. HEPA filter differential pressure d. Recirculation unit airflow. Upon initiation of the FRVS, the FRVS vent system will automatically start to provide another degree of iodine removal capability. The relatively small quantity of air (approximately 9000 cfm or 3/40 of the recirculated flow maximum to about 250 cfm or 1/400 or the recirculation rate for steady-state conditions) extracted from the FRVS recirculation system is released to the atmosphere through a vent at the top of the Reactor Building to maintain the building at a negative pressure. The building outside reference pressure sensors are located on the Reactor Building lower roof, El. 132 ft. Noble gas offline radiation monitors sample the duct downstream of the FRVS vent filter units. These monitors provide the control room operator with information on the radioactivity concentration of the FRVS effluents. This information is used to evaluate the quantity of radioactivity being released to the environment and the effectiveness of the filtration system. Sampling filters are provided for onsite iodine particulate analysis. See also Section 11.5. One of two FRVS vent system units will be operated with the other one on standby. The standby unit will start automatically if the one in operation fails on low flow. 7.3-63 HCGS-UFSAR Revision 0 April 11, 1988 The FRVS vent units can be manually test started from the main control room. Unit low flow, and combined HEPA filter and charcoal bank differential pressure are alarmed at the main control room. See Plant Drawing H-84-0, Reactor Building Exhaust and FRVS Vent Logic Diagram. The following indications are also provided in the main control room for each FRVS vent unit: a. Charcoal filter upstream air temperature b. Filter unit differential pressure c. Filter unit inlet air flow d. Reactor Building/outside differential pressure. 5. FRVS bypasses and interlocks - The FRVS is interlocked with the Reactor Building Isolation System. 6. FRVS redundancy and diversity - Controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve to maintain the redundancy of the equipment. Diversity is not applicable. 7. FRVS actuated devices - No additional devices or systems are actuated by the FRVS. 8. FRVS separation - Separation is maintained for the redundant controls, instrumentation, and power sources of the FRVS by physical barriers and spatial distance. See Section 8.1.4.14 for a discussion of electrical system separation. 7.3-64 HCGS-UFSAR Revision 20 May 9, 2014

9. FRVS testability - The FRVS can be fully tested during normal power operation. All FRVS recirculation and vent system fans can be manually started from the main control room or the entire system can be functionally tested by manually actuating the refueling area radiation monitoring system high-high radiation trips. See Plant Drawings H-83-0 and H-84-0. 10. FRVS environmental consideration - All instrumentation and controls are selected to meet the normal, accident, and post-accident conditions of pressure, humidity, temperature, radiation, and vibrations expected at their respective locations. See Section 3.11. 11. FRVS setpoints - For setpoints, see Section 16, Technical Specifications. 7.3.1.1.10 Reactor Building Ventilation Isolation System 1. RBVIS function - The RBVIS, a subsystem of the PCIS, isolates the Reactor Building following a LOCA or refueling area accident so that potentially radioactive halogens and particulates within the Reactor Building may be controlled by the FRVS. The supply isolation valves are part of the Reactor Building Supply System. A schematic diagram (P&ID) of the reactor building supply system is shown on Plant Drawing M-83-1. The exhaust isolation valves are part of the Reactor Building Exhaust System. A P&ID of that system is shown in Plant Drawing M-84-1. 2. RBVIS power sources - The RBVIS is powered from the Class 1E power system discussed in Section 8.3. 3. RBVIS equipment design - Equipment design is described in Section 9.4.2. 7.3-65 HCGS-UFSAR Revision 20 May 9, 2014
4. RBVIS initiating circuits - The RBVIS initiates reactor building isolation automatically upon receipt of any of the following: a. PCIS manual initiation. b. Drywell high pressure, reactor vessel low water level (L2), or manual initiation signal originating from the NSSSS, in conjunction with drywell high pressure, or reactor vessel low water level (L2) signal originating from the Core Spray System. c. Refueling floor area high radiation signals from two out of three refueling floor exhaust radiation monitoring channels. d. Reactor Building high radiation signals from two out of three reactor building exhaust radiation monitoring channels. RBVIS initiation logic seals in and can only be reset when all initiation signals have cleared. See Plant Drawing H-83-0 for the Reactor Building supply isolation logic, and Plant Drawing H-84-0 for the Reactor Building exhaust isolation logic. The PCIS is discussed in Section 7.3.1.1.5. PCIS Initiation logic and isolation signal fanout are shown on Plant Drawing J-102-0. 5. RBVIS redundancy and diversity - See the discussion of redundancy and diversity for the PCIS in Section 7.3.1.1.5. 6. RBVIS actuated devices - The FRVS is actuated by the RBVIS. 7.3-66 HCGS-UFSAR Revision 20 May 9, 2014
7. RBVIS separation - The controls, instruments, and power supplies of the isolation system are physically separated and electrically independent for each of the redundant trip channels. See Section 8.1.4.14 for a discussion of electrical system separation. See the discussion of separation for the PCIS in Section 7.3.1.1.5. 8. RBVIS testability - The RBVIS can be fully tested during normal power operation. The isolation dampers operated by the RBVIS can be individually tested from the main control room, or the entire system can be functionally tested by manually actuating the Reactor Building Radiation Monitoring System high-high radiation trips. See Plant Drawings H-83-0 and H-84-0. 9. RBVIS environmental considerations - The controls and instrumentation for the RBVIS are located in the reactor building and the main control complex. The environmental considerations for these areas are discussed in Section 3.11. 10. RBVIS setpoints - See Section 16, Technical Specifications, for setpoints. 7.3.1.1.11 Essential Auxiliary Supporting Systems 7.3.1.1.11.1 Station Service Water System (SSWS) 1. SSWS function - The SSWS is described in Section 9.2.1. This system provides cooling water to the SACS and the RACS from the Delaware River. The SSWS P&ID is shown on Plant Drawing M-10-1. 2. SSWS operation - During normal station operation, the SSWS supplies cooling water to both SACS and RACS heat exchangers. Following a LOCA or a RACS pump room flooded signal, 7.3-67 HCGS-UFSAR Revision 20 May 9, 2014 the SSWS provides cooling water only to the SACS heat exchangers. The SSWS is also capable of providing an alternate source of makeup water to the RHR system for flooding the drywell and the fuel pool cooling system. The SSWS consists of two redundant loops, each divided into two portions. The first portion of each loop draws river water through a parallel series of equipment: traveling water screens (TWSs), station service water (SSW) pumps, and SSW strainers. The two SSW pumps discharge into a common header, which is considered the end of the first portion of an SSWS loop. The second portion supplies cooling water to RACS and SACS heat exchangers, emergency makeup water to RHR, fuel pool cooling, and SACS. Station service water passes through the RACS and SACS heat exchangers and empties into a common header which is routed to the cooling tower to supply circulating water system makeup. The instrumentation associated with these two portions is described below and listed in Table 7.3-12. a. The first portion of an SSWS loop (1) TWS (a) TWS function - River water entering the intake structure passes through the TWS enroute to the SSW pump pits. The TWS prevents large debris from entering the SSWS. (b) TWS operation - The TWS can be controlled manually from the remote control cabinet, or will run in low speed anytime the SSW pump is in service. The TWS will switch to high speed when the differential level across the TWS exceeds the level sepoint. In normal operation, the TWS runs on low speed when the associated SSW pump and booster spray pump are running. 7.3-68 HCGS-UFSAR Revision 12 May 3, 2002 The control room integrated display system (CRIDS) computer monitors the TWS differential water level and generates an alarm in the main control room. TWS zero speed, low speed, and high speed status indications are available in the CRIDS computer. A spray water booster pump and its associated motor-operated valve admit water for spraying down the TWS. The booster pump running is the permissive for running the TWS. If the booster spray pump trips, the TWS will stop running. The TWS is also stopped by screen drive overload or phase overcurrent signals. (2) SSW pumps (a) SSW pump function - The SSW pumps provide the motive force for routing the river water from the intake structure to the various components served by the SSWS. 7.3-69 HCGS-UFSAR Revision 12 May 3, 2002 (b) SSW pump operation - The SSW pumps are normally operated with one pump running in each SSWS loop with control from the main control room. The SSW pumps can also be started and stopped from their respective SSWS remote control cabinet located in the intake structure. Starting an SSW pump from its remote control cabinet requires a permissive signal from the main control room. The control room operator satisfies this permissive by placing the SSW pump control in manual and then depressing a remote permissive pushbutton switch. Stopping an SSW pump from its remote control cabinet requires no permissive signal and can be done at any time. SSW pumps can be manually started from the main control room but are normally maintained in automatic control. In this mode, any of the following signals will start a nonoperating SSW pump: 1) LOCA signal consisting of reactor vessel low water level (L2), drywell high pressure, or manual initiation signals originating from the NSSSS system and the Core Spray System. 2) High-high radiation signals from two out of three refueling floor area radiation monitoring system channels. 3) High-high radiation signals from two out of three reactor building radiation monitoring system channels. 7.3-70 HCGS-UFSAR Revision 0 April 11, 1988
4) "High radiation" manual initiation signal. 5) Low flow signal from the running SSW pump in the same loop as detected by a high differential pressure across that pump's strainer. If a LOP occurs, with or without a LOCA, all running SSW pumps stop and then all four SSW pumps start automatically when signaled to start by the emergency load sequencer. See Plant Drawing J-10-0. An SSW pump start initiates open signals to that pump's associated discharge valve, strainer main backwash valve, and SACS heat exchanger outlet valve which will then open following preset time delays. This establishes SSW flow through the SACS heat exchangers. When the SSW pump is secured, these valves are automatically signaled to close. The SSW pumps must be manually secured when they are no longer needed. This can be done from the main control room or the remote control cabinet. The only automatic pump breaker trips are provided by protective relaying identified on Plant Drawing E-0006-1. (3) SSW strainers and main backwash valves 7.3-71 HCGS-UFSAR Revision 20 May 9, 2014 (a) SSW strainers and main backwash valves function - The SSW strainers remove particulate matter from the SSW pump discharge water to minimize contaminants in the system that could cause a reduction in the cooling capabilities of the SSWS. One SSW strainer is provided for each SSW pump. The SSW strainers are self-cleaning and use strained effluent as a backwashing medium. For the SSW pumps, 10 seconds after a pump starts, the associated strainer main backwash valve opens and remains open until the pump is stopped to supply a larger amount of water for backwashing the strainer. (b) SSW strainers and main backwash valves operation - Each SSW strainer is rotated by a drive motor that is energized whenever the strainer's associated SSW pump is running. The strainer motor deenergizes when the SSW pump is secured. SSW strainer main backwash valves are controlled from the main control room. Each main backwash valve opens with a pump running signal from the associated SSW pump and closes when the pump running signal is removed. 7.3-72 HCGS-UFSAR Revision 12 May 3, 2002 High-high SSW strainer differential pressure is alarmed in the main control room. The SSW strainer main backwash valves can also be manually opened or closed from the main control room. If SSW strainer main backwash valve control is taken out of automatic, a valve close signal is initiated and locked in and a common loop trouble alarm for the associated SSWS loop is annunciated in the main control room. SSW strainer main backwash valve motor and SSW strainer drive motor conditions of overload or control power failure are also alarmed in the main control room. See Plant Drawing J-10-0, SSWS Logic Diagram. (4) Deleted 7.3-73 HCGS-UFSAR Revision 20 May 9, 2014
b. The second portion of an SSWS loop (1) Emergency makeup loop (a) Emergency makeup loop function - The emergency makeup loops provide a path for SSWS water to reach the RHR, fuel pool 7.3-74 HCGS-UFSAR Revision 16 May 15, 2008 cooling, or SACS systems in the event that SSWS water is needed as an emergency supply to any or all of these systems. (b) Emergency makeup loops operation - Each of the two emergency makeup loop is normally isolated from the rest of the SSWS by two normally closed motor operated butterfly valves, which are manually operated from the main control room using keylocked switches. The isolation valves for fuel pool makeup and SACS expansion tank makeup are also manually operated from the main control room. The pressure between the two isolation valves on each emergency makeup loop is monitored. A pressure switch is actuated upon high pressure, which would indicate significant leakage past the first isolation valve. The pressure switch provides an output to actuate a system trouble alarm in the main control room for the affected loop. Emergency makeup loop isolation valve conditions of motor overload or control power failure are also annunciated in the main control room. Each emergency makeup loop isolation valve has a normally open air operated leakage drain valve associated with it. The leakage drain valve is signaled to close when its associated isolation valve starts to open. 7.3-75 HCGS-UFSAR Revision 16 May 15, 2008 Each of the emergency makeup loops can supply emergency makeup water to the SACS and fuel pool cooling systems. However, only loop B is capable of providing makeup water to the RHR system; there is no crossover to the RHR system from loop A. (2) SACS loop (a) SACS loop function - Two independent loops are provided to supply water to all SACS heat exchangers (tube side) to remove the heat generated by the components in the SACS. (b) SACS loop operation - On each SACS heat exchanger, there is a manual inlet valve and a motor operated outlet valve. The inlet valve is equipped with a position switch to annunciate common system trouble and out of service alarms for the affected SSWS loop in the main control room when the valve is not fully open. A differential pressure switch across the tube side of each SACS heat exchanger actuates upon low differential pressure, indicating a low SSWS flow condition through the heat exchanger. The low flow condition is alarmed in the main control room. The SACS heat exchanger motor operated outlet valves can be manually opened or closed from the main control room but are normally maintained in automatic control. When in automatic, each SACS heat exchanger outlet valve will open following any start of its associated SSW 7.3-76 HCGS-UFSAR Revision 0 April 11, 1988 pump once a preset time delay is satisfied. An additional open permissive signal from the emergency load sequencer is required following a LOP. Each SACS heat exchanger outlet valve will automatically close upon receipt of a pump stopped signal from its associated SSW pump unless the pump was stopped by a bus power failure. Manual control of the SACS heat exchanger outlet valves is provided so that the SACS heat exchanger lineup can be shifted as necessary to satisfy any SACS cooling requirements. A motor overload or control power failure condition on any SACS heat exchanger outlet valve is alarmed in the main control room. The parallel SACS heat exchangers in each SACS loop discharge into a common line that passes through a motor operated SACS loop outlet valve enroute to the cooling tower. This valve is manually operated from the main control room and has no automatic functions. Conditions of motor overload or control power failure for this valve are alarmed in the main control room. The yard dump valve is normally closed and is controlled from the main control room by a keylock switch. During normal operation, the dump valve in each SACS loop will be closed unless there is a restricted SACS loop outlet flow situation as indicated by a high pressure buildup sensed at the SACS loop heat exchanger common discharge. If two out of three high pressure switches 7.3-77 HCGS-UFSAR Revision 0 April 11, 1988 actuate, the dump valve is signaled to open. The control switch for each dump valve has a lockout feature that inhibits the valve from opening upon the above process condition by initiating a locked in close signal to this valve. Any of the following conditions will actuate an out of service alarm in the main control room for the affected SACS cooling loop: SACS heat exchanger inlet valve not fully open, SACS heat exchanger outlet valve overload/power failure, SSWS to cooling tower MOV overload/power failure, yard dump valve overload/power failure, or any yard dump valve high pressure switch in test. See Section 7.5. Any of the following conditions will actuate a system trouble alarm: high pressure at SACS heat exchangers common discharge, SACS heat exchanger low flow, yard dump valve locked closed, SACS heat exchanger outlet valve overload/power failure, SACS heat exchanger inlet valve not fully open, or SACS loop outlet valve to cooling tower overload/power failure. See Plant Drawing J-10-0, SSWS Logic Diagram. (3) RACS loop (a) RACS loop function - The RACS loop supplies water to the tube sides of the RACS heat exchangers to remove the heat generated by the RACS components. 7.3-78 HCGS-UFSAR Revision 20 May 9, 2014 (b) The RACS loop operation - RACS heat exchangers are cooled by station service water from SSWS loops A and B. Water from each SSWS loop passes through its respective RACS cooling loop supply valve into a common line and then passes through the RACS cooling loop supply isolation valve, the tube sides of the parallel RACS heat exchangers, and the RACS cooling loop outlet isolation valve to the cooling tower. The RACS cooling loops A and B supply valves, and the RACS cooling loop inlet and outlet isolation valves are Class 1E and safety-related. The remaining portion of the RACS cooling loop is not safety-related. The RACS cooling loops A and B supply valves, and the RACS cooling loops inlet and outlet isolation valves are opened manually from the main control room. Upon receipt of a LOCA signal, consisting of reactor vessel low water level (L1) or drywell high pressure signals from the core spray system, or a RACS pump room flooded signal, the RACS cooling loops A and B supply valves and RACS cooling loop inlet and outlet isolation valves are automatically closed to isolate the RACS cooling loop from the SSWS. An overload or control power failure condition of any of the RACS cooling loop Class 1E valves is alarmed in the main control room. 7.3-79 HCGS-UFSAR Revision 0 April 11, 1988 In the event that the main control room becomes uninhabitable, SSWS loop B can also be initiated from the remote shutdown panel (RSP) (see Section 7.4.1.4). Operation from the RSP is totally operator controlled and all SSWS loop B automatic initiation signals are disabled when the Channel B RSP transfer switch is placed in the "Emergency" position. SSWS loop A can be manually initiated locally as a backup to operation of SSWS loop B from the RSP. SSWS loop A local pump and valve controls are identified on Table 7.4-3. 3. SSWS testability - The SSWS is fully testable during normal power operation. System redundancy is such that an entire loop can be placed out of service for testing without disrupting normal plant operation. All safety-related alarm or switch units are supplied with on line testability and when placed in test, signals are provided to the main control room to indicate the in-test status and, where applicable, that a protective interlock has been bypassed. All system setpoints can be checked by insertion of simulated signals of sufficient magnitude to verify accuracy. All SSW pump/valve interlocks can be verified by normal plant operations such as starting up and securing the system. 7.3.1.1.11.2 Safety Auxiliaries Cooling System 1. SACS function - The purpose of the SACS system is to provide a heat sink for the ESF equipment by circulating demineralized water in a closed loop system. The system is designed with sufficient heat removal capacity to bring the nuclear boiler to cold shutdown condition in the required amount of time. The system also provides for protection of the SACS system from a pipe break in the Turbine Auxiliaries Cooling System (TACS). 7.3-80 HCGS-UFSAR Revision 0 April 11, 1988
2. SACS operation - Schematic arrangements of system mechanical equipment are shown on Plant Drawing M-11-1. SACS control logic is shown on Plant Drawing J-11-0. Instrument specifications are listed in Table 7.3-13 and Section 16, Technical Specifications. Instrument location drawings and electrical schematics are identified in Section 1.7. The SACS is normally maintained in automatic operation with both SACS pumps operating in one loop, supplying all normal SACS loads and the TACS cooling loop. The other loop is maintained in standby. Controls have been provided in the main control room that allow the control room operator to manually shift the SACS lineup as necessary to maintain proper system operation during periods of abnormal heat loads or unusually high SSWS injection temperatures. The SACS is monitored continuously to detect inleakage of radioactively contaminated water from the reactor associated components. Sample points are provided at selected equipment to facilitate leak location. Any inleakage will be contained in the SACS expansion tanks. Expansion tank overflow is routed to the liquid radwaste system for processing. In case of water losses due to small leakage from the SACS, a low level switch in the expansion tank will signal open the demineralized water makeup supply valve. If the makeup supply is not sufficient to compensate for water losses, then a low-low level switch will actuate an individual head tank low-low level alarm and annunciate a SACS loop system trouble alarm in the main control room. The SACS may then be manually shifted to the standby loop. In the event the small break occurs in the TACS loop, low-low-low head tank level in the SACS loop will isolate the TACS completely. 7.3-81 HCGS-UFSAR Revision 20 May 9, 2014 The SACS pump differential pressure is monitored by a differential pressure transmitter. The SACS loop flow is monitored by a flow transmitter. If an operating SACS pump differential pressure is low, that pump will trip automatically. This will result in a low flow condition in the operating loop, which will signal the standby SACS pumps to start and transfer TACS cooling to the standby SACS loop. LOCA signals of reactor vessel low water level (L1) and/or drywell high pressure from the core spray system or a LOP will initiate operation of all four SACS pumps and all four associated SACS heat exchangers. The SACS will operate as two isolated, redundant loops to provide cooling water to equipment identified in Section 9.2.2. The same signals of LOCA and/or LOP will also initiate closure of the following SACS valves: a. TACS supply and return isolation valves b. Fuel pool cooling heat exchanger cross connecting valves c. PCIGS compressor cooler cross connecting valves. The valves supplying cooling water to the RHR pump seal and motor bearing coolers will open upon RHR pump start. Since the RHR heat exchangers do not require cooling water for at least 10 minutes, cooling to the heat exchangers is initiated manually. The SSWS has interties to the SACS to provide emergency makeup water during conditions where makeup water is needed with loss of makeup and the normal supply from the demineralized water system is unavailable. To prevent inadvertent admission of seawater to the SACS, each emergency makeup loop is isolated from the SSWS by two normally closed, keylocked, motor operated butterfly valves. 7.3-82 HCGS-UFSAR Revision 20 May 9, 2014 The pipe between the butterfly valves is normally empty and is continuously drained. In addition, the pipe between the butterfly valves is equipped with a high pressure switch that detects the presence of water resulting from leaks or inadvertent operation of an outboard butterfly valve and alarms this condition in the main control room. The SACS system is protected against the effects of guillotine pipe breaks in the TACS. Two hydropneumatic accumulators are provided at the SACS/TACS supply and return headers. These accumulators are currently analyzed to operate water-solid. The pressure wave from TACS to SACS resulting from a guillotine break in the TACS is dampened to below the allowable pressure limits of SACS. The response of the TACS isolation valves 1EGHV-2522A/C or 1EGHV-2522B/D following a TACS piping break are adequate to maintain the operability of the affected SACS loop. In the event that the main control room becomes uninhabitable, SACS loop B can also be initiated from the remote shutdown panel (RSP) (see Section 7.4.1.4). Operation from the RSP is totally operator controlled and all SACS loop B automatic initiation signals are disabled when the Channel B RSP transfer switch is placed in the "Emergency" position. SACS loop A can be manually initiated locally as a backup to operation of SACS loop B from the RSP. SACS loop A local pump and valve controls are identified on Table 7.4-3. 7.3-83 HCGS-UFSAR Revision 19 November 5, 2012
3. SACS testability - The SACS is fully testable during normal power operation. System redundancy is such that an entire loop can be placed out of service for testing without disrupting normal plant operation. All safety-related alarm or switch units are supplied with on-line testability and when placed in test, signals are provided to the main control room to indicate the in-test status and, where applicable, that a protective interlock has been bypassed. All system setpoints can be checked by insertion of simulated signals of sufficient magnitude to verify accuracy. Total system functional operation can be verified by shifting the system lineup as necessary to observe proper operation of all SACS components. 7.3.1.1.11.3 Class 1E Power Systems Refer to Section 8 for a complete discussion of ESF Class 1E power systems. 7.3.1.1.11.4 Primary Containment Instrument Gas System 1. PCIGS function - The normal function of the PCIGS is to provide compressed gas from the primary containment to operate pneumatic devices. In the event of a DBA, the PCIGS will provide makeup instrument gas from outside the drywell to the ADS valve actuators inside the primary containment. Many of the normal gas users will be isolated. See Section 9.3.6 for further information. 2. PCIGS operation - Manual control of the PCIGS compressors is either from the main control room or from a panel located adjacent to the PCIGS compressors. Control of all PCIGS valves is from the main control room at all times. PCIGS system control logic is shown on Plant Drawing J-59-0. 7.3-84 HCGS-UFSAR Revision 20 May 9, 2014
a. Main control room operation of the PCIGS compressors is by means of a switch having the following functions: (1) "Remote" - The "start" switch on the local panel is interlocked with this switch so that starting is allowed only when the "remote" switch contact is closed. (2) "Manual" - Closure of this switch allows the control room "start" switch to be operative. (3) "Auto-lead" - The compressor starts automatically when the instrument gas receiver pressure drops to the low trip setpoint and stops when normal pressure is reached. (4) "Auto" - The compressor starts automatically when the instrument gas receiver pressure reaches the low-low trip setpoint and stops when the normal pressure is reached. (5) "Start" - The compressor will run continuously unless protective shutdown is initiated by primary containment isolation signal trip, LOCA trip or compressor protection circuitry. (6) "Stop" - This switch causes the compressor to stop immediately. (7) "Stop/start" - switches are provided on the remote control panel and/or the compressor skid. b. The following protective signals are provided to shut down the PCIGS compressors: (1) Low lubricating oil pressure (2) High lubricating oil temperature (3) High discharge gas temperature 7.3-85 HCGS-UFSAR Revision 12 May 3, 2002 (4) High cooling water temperature (5) High inlet gas temperature (6) Low cooling water flow (7) High discharge gas pressure (8) Low suction pressure (9) High receiver pressure. The PCIGS compressor is also automatically shut down upon receipt of a primary containment isolation signal. A containment isolation signal, which trips the PCIG compressor, is initiated whenever any of the following combinations of initiating signals is present: (1) Drywell high pressure, reactor vessel low water level (L1), or manual initiation signal from the Core Spray System (2) Two out of three high radiation signals from the Reactor Building Radiation Monitoring System (3) "High radiation" manual initiation. The primary containment isolation signal also initiates closure of the following PCIGS valves: (1) PCIGS instrument gas header inboard and outboard containment isolation valves (2) PCIGS compressor suction inboard and outboard containment isolation valves (3) PCIGS containment instrument gas supply header shutoff valves A primary containment isolation signal is also initiated whenever any of the following combinations of initiating signals is present: 7.3-86 HCGS-UFSAR Revision 12 May 3, 2002 (1) Drywell high pressure, reactor vessel low water level (L2), or manual initiation signal from the NSSSS (2) Two out of three high radiation signals from the Reactor Building Radiation Monitoring System (3) "High Radiation" manual initiation. The primary containment isolation signal described in the preceding paragraph also initiates closure of the following PCIGS valves: (1) PCIGS supply header cross-connecting valves (2) PCIGS supply to suppression chamber vacuum relief valves inboard and outboard containment isolation valves (3) PCIGS supply to traversing in-core probe (TIP) purge equipment containment isolation valve (4) PCIGS to CACS emergency pneumatic supply valves. An isolation override capability has been provided for the PCIGS compressor start circuitry and the PCIGS instrument gas inboard and outboard containment isolation valves to allow restarting the system following primary containment isolation and to enable the system to supply instrument gas to the SRVs. All other PCIGS valves, except PCIGS to CACS emergency pneumatic supply valves that were closed by the primary containment isolation signal remain closed and cannot be reopened until the isolation initiation signals have cleared and the initiation logic has been reset. The PCIGS to CACS emergency pneumatic supply valves are also provided with the isolation override capability and can be aligned to operate from the PCIGS as backup upon loss of instrument air. The PCIGS compressor suction is manually shifted to the reactor building atmosphere following primary containment isolation and both PCIGS trains are operated in the auto-lead mode. 7.3-87 HCGS-UFSAR Revision 12 May 3, 2002 Any condition of motor overload or control power failure on any PCIGS valve is alarmed individually and annunciated by a common system trouble alarm in the main control room. Any alarm condition at the remote control panel is annunciated in the main control room by a remote control panel trouble alarm. 3. PCIGS testability - The PCIGS is fully testable during normal operation. Each PCIGS compressor train is capable of supplying the entire PCIGS load requirement. This allows for securing one entire train for maintenance. All system setpoints can be checked by inserting simulated signals of sufficient magnitude to verify accuracy. PCIGS valve and compressor train functional operation can be verified by startup and normal operation of the system. 7.3.1.1.11.5 Control Area Chilled Water System - Instrument and Controls 1. CACWS function - The CACWS provides a means of cooling the air supplied to parts of the auxiliary control area. The primary function of CACWS is to provide chilled water to the main control room and control equipment room air conditioning units. The CACWS also provides chilled water to the switchgear room and the Reactor Building SACS room cooling units. A separate subsystem, the safety-related panel room chilled water system, provides chilled water to the Class 1E panel room and technical support center (TSC) air conditioning units, and the remote shutdown panel (RSP) room cooling units. 2. CACWS operation - The power for the instruments and controls associated with the CACWS is supplied from the Class 1E power system. See Section 8 for a description of the electrical systems. 7.3-88 HCGS-UFSAR Revision 8 September 25, 1996 Equipment design is described in Section 9.2.7. The CACWS is normally controlled from the main control room. However, the CACWS chillers can be placed in an auto-start condition from their respective remote control panel when a permissive signal from the main control room is present. One chilled circulating water pump and its associated chiller for each CACWS subsystem are started manually from the main control room to correspond with the cooling coils intended for use. The other chilled water circulating pump and chiller for each CACWS subsystem are put in "auto" and "on" respectively. If an associated fan unit fails or is shut down, it sends a "stop" signal to its corresponding chilled water circulating pump and chiller. If a circulating water pump or chiller shuts down, the corresponding fan units shut down and the resulting low chilled water flow in the loop signals the standby circulating water pump and chiller to start. The standby fan units start after chilled water flow is established. The chillers and chilled water circulating pumps stop upon a LOP. The chilled water circulating pump in the run mode is restarted by a signal from the emergency load sequencer after power has been restored to the bus. The associated chiller also receives a start permissive signal from the emergency load sequencer. The starting of a CACWS chilled water circulating pump initiates an "auto-start" signal to the appropriate SACS pump to ensure that sufficient heat removal capacity is provided for the SACS loop that provides cooling to the CACWS chiller associated with that chilled water circulating pump. Any CACWS chiller motor or chilled water circulating pump motor malfunction is annunciated in the main control room by a common system trouble alarm. Any alarm on a CACWS 7.3-89 HCGS-UFSAR Revision 12 May 3, 2002 remote control panel is annunciated in the main control room by a remote panel trouble alarm. The controls, instrumentation, and power supplies of the CACWS are physically and electrically separated for each of the redundant systems. See Section 8.1.4.1.4 for the electrical system separation. To maintain the redundancy of the mechanical equipment, the controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve. See Plant Drawing H-90-0, Auxiliary Building CACWS Logic Diagram. The controls for the CACWS are located in the control enclosure; the environmental consideration for this area and control qualification summary is provided in Section 3.11. In the event that the main control room becomes uninhabitable, CACWS loop B can also be initiated from the remote shutdown panel (RSP) (see Section 7.4.1.4). Operation from the RSP is totally operator controlled and all CACWS loop B automatic initiation signals are disabled when the Channel B RSP transfer switch is placed in the "Emergency" position. CACWS loop A can be manually initiated locally as a backup to operation of CACWS loop B from the RSP. CACWS loop A local pump and chiller controls are identified on Table 7.4-3. 3. CACWS testability - The CACWS is fully testable during normal power operation. Operability of initiating circuits can be verified by manual testing of the pumps and chillers as follows: a. Manually start and stop pumps and chillers using handswitches located in the main control room 7.3-90 HCGS-UFSAR Revision 20 May 9, 2014
b. With the system in a normal operating lineup, stop one of the fan units associated with the running chiller and chilled water circulating pump pair and observe that the standby chiller and chilled water circulating pump pair and its associated fan units start. All CACWS setpoints can be checked by insertion of simulated signals of sufficient magnitude to verify accuracy. All CACWS alarm and/or switch units are provided with on-line testability and when placed in test provide a signal to the main control room to indicate the in-test status and also provide an input, where necessary, to indicate that a protective interlock is in test. See Plant Drawing H-90-0. 7.3.1.1.11.6 ESF Equipment Area Cooling System The ESF Equipment Area Cooling System comprises the following subsystems: 1. Reactor Building Equipment Area Cooling (RBEAC) System 2. Auxiliary Building diesel area HVAC (ABDA-HVAC) 3. Auxiliary Building control area HVAC (ABCA-HVAC) 4. Service water intake structure HVAC (SWIS-HVAC). The purpose of the ESF Equipment Area Cooling System is to provide adequate cooling of ESF equipment by maintaining a suitable ESF equipment ambient temperature environment during normal and abnormal plant operation. 7.3-91 HCGS-UFSAR Revision 20 May 9, 2014 7.3.1.1.11.6.1 Reactor Building Equipment Area Cooling Instrumentation and Control 1. RBEAC function - The RBEAC system consists of unit cooler pairs providing cooling to the RCIC, HPCI, RHR, core spray, and SACS pump rooms. For description and operation, see Section 9.4.2. The RBEAC unit coolers are not required for normal cooling of these ESF areas, and they operate only when the room temperature is high. 2. RBEAC operation - The power for the instruments and controls associated with the RBEAC pump compartment unit coolers is supplied from the Class 1E power system. Equipment design is described in Section 9.4.2. Each pair of unit coolers serving all but the SACS pump rooms is set up in a lead-lag mode. Automatic start is initiated under the following conditions: a. When the area temperature exceeds the first stage temperature setpoint, the auto-lead fan will start. b. When the area temperature exceeds the second-stage temperature setpoint, the auto fan will start. c. If the auto-lead fan fails, the auto fan will start upon an auto-lead fan low flow switch signal. Each pair of unit coolers serving the SACS pump rooms is set up in a "lead-lag" mode. Automatic start is initiated under the following conditions: a. When the area temperature exceeds the setpoint, the auto-lead fan will start. 7.3-92 HCGS-UFSAR Revision 0 April 11, 1988
b. If the auto-lead fan fails, the associated control area chilled water circulating pump will stop. When the standby control area chilled water circulating pump starts, the unit cooler in the auto mode will start. The unit cooler fans serving the RCIC, HPCI, RHR, and core spray pump rooms are interlocked with and close SACS cooling water valves when in the "stop" position. Individual unit cooler trouble is annunciated at a remote control panel. Any alarm on the remote control panel is annunciated in the main control room by a summary unit cooler trouble alarm. To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve. The controls, instrumentation, and power supplies are physically and electrically separated for each of the RBEAC unit coolers. See Section 8.1.4.14 for a discussion of the electrical system separation. The controls for the subject equipment are located in the reactor enclosure. The environmental consideration for this area and the control qualification summary is provided in Section 3.11. See Plant Drawing H-83-0, Reactor Building Supply Logic Diagram. 3. RBEAC testability - The RBEAC system is fully testable during normal power operation. Operability of initiation circuits may be verified when the applicable unit cooler fans are operationally tested. The units may be manually tested using handswitches located on remote control 7.3-93 HCGS-UFSAR Revision 20 May 9, 2014 panels. RBEAC system setpoints can be checked by insertion of simulated signals of sufficient magnitude to verify accuracy. 7.3.1.1.11.6.2 Auxiliary Building Diesel Area HVAC Instrumentation and Controls 1. ABDA-HVAC function - The Auxiliary Building Diesel Area HVAC System provides cooling and ventilation to the diesel generator cells, diesel area switchgear rooms, diesel area battery rooms, and diesel area Class 1E panel rooms. The ABDA-HVAC system is required for normal operation and testing of the diesel generators when the plant is in operation. For description and operation, see Section 9.4.6. 2. ABDA-HVAC operation - The power for the instruments and controls associated with the ESF portions of the Auxiliary Building Diesel Generator Ventilation System is supplied from the Class 1E power system. Equipment design is described in Section 9.4.6. Each of the four SDGs has its own corresponding Diesel Generator Room Recirculation (DRR) Ventilation System. When an SDG is running or the SDG room temperature exceeds the setpoint, the corresponding DRR fan in the "auto-lead" mode starts and continues to run 45 minutes after the SDG stops and the cell temperature drops below the setpoint. If the DRR auto-lead fan fails or the cell temperature does not drop below the setpoint while the auto-lead fan is operating, the DRR auto fan starts. Each DRR is backed by its respective SDG and is initiated by a signal from the emergency load sequencer upon LOP. The DRR fans are interlocked with the SACS water valves serving the diesel generator room cooling coils. 7.3-94 HCGS-UFSAR Revision 0 April 11, 1988 Each of the four SDG switchgear rooms are cooled by a corresponding switchgear room unit cooler (SRC), which must be manually initiated from a remote control panel. Each of the four diesel area battery room exhaust fans (DABE) serving battery rooms at Elevation 146 feet 0 inches must be manually initiated from a remote control panel. The SRC units and DABE fans for elevation 146 feet are deenergized upon a low air flow signal from a local flow switch. Each SRC unit and DABE fan is backed by its respective SDG and is initiated by a signal from the emergency load sequencer upon LOP. One of the two DABE fans for Elevation 163 feet 6 inches is manually started and continuously operates in the "run" mode. The second DABE fan will start in the "auto" mode upon a low air flow signal from a flow switch monitoring the running fan. The fan in trouble will be deenergized. The diesel area Class 1E panel rooms are cooled and ventilated by two diesel area panel room supply (DAPRS) units. One of the two DAPRS units is manually started and continuously operates in the "run" mode. The second DAPRS unit will start in the "auto" mode upon a low air flow signal from a flow switch monitoring the running unit. The unit in trouble will be deenergized. Each DAPRS unit is diesel generator backed and is initiated through the diesel generator sequencer panel upon LOP. To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve. 7.3-95 HCGS-UFSAR Revision 0 April 11, 1988 The controls, instrumentation, and power supplies of the Auxiliary Building diesel generator area ventilation fans are physically and electrically separated for each of the fan systems. See Section 8.1.4.14 for a discussion of electrical system separation. The operator is provided with system trouble alarms for each system at a remote control panel. A system summary trouble alarm is provided in the main control room. The controls for the subject equipment are located in the auxiliary building diesel generator area. The environmental consideration for these areas and a control qualification summary is provided in Section 3.11. See Plant Drawing H-88-0, Auxiliary Building Diesel Area HVAC Logic. 3. ABDA-HVAC testability - The ABDA-HVAC is fully testable during normal power operation. Operability of the DRR initiating circuits may be verified as follows: a. By manually testing the fans using handswitches from the associated remote control panel. b. In the "auto-lead" mode, by tripping the diesel start signal or cell high temperature switch and observing the auto-lead fan start. c. In the "auto" mode, by tripping the diesel startup signal and cell high temperature switch and observing that the auto fan starts. d. In the "auto" mode, by tripping the low flow switch for the auto-lead fan and observing that the "auto" fan starts and the "auto lead" fan secures. 7.3-96 HCGS-UFSAR Revision 20 May 9, 2014 Operability of the SRC and DABE fans for Elevation 146 feet 0 inches may be verified by observation of normal operation of those units. The units may be tested using handswitches located on remote control panels. Verification of the operability of the DABE fans for elevation 163 feet 6 inches and the DAPRS units may be made by tripping the low flow switch of an operating unit and verifying that the standby unit starts and the operating unit secures. 7.3.1.1.11.6.3 Auxiliary Building Control Area HVAC (ABCA-HVAC) 1. ABCA-HVAC function - The ABCA-HVAC system provides cooling and ventilation to the control area HVAC equipment room and control area battery and electrical equipment rooms. The ABCA-HVAC system is required for normal operation of its service area. For description and operation, see Section 9.4.1. 2. ABCA-HVAC operation - The power for the instruments and controls associated with the ESF portions of the Auxiliary Building Control Area Ventilation System is supplied from the Class 1E power system. Equipment design is described in Section 9.4.1. The two control area battery exhaust (CABE) fans may be initiated manually from the remote control panel or by CABE lead fan air low flow. The two control equipment room supply (CERS) units are controlled from the main control room. One of the two CERS units is manually started, provided the associated chilled water circulating pump serving the unit is running. The CERS unit in the operate mode operates continuously. The second CERS unit is maintained in an 7.3-97 HCGS-UFSAR Revision 0 April 11, 1988 auto-standby mode and will start upon the following sequence of events: upon failure of the operating CERS unit, the low flow switch monitoring the unit will trip the unit and the associated chilled water circulating pump. The standby chilled water circulating pump will start and initiate the standby CERS unit. The following information for the CERS units is provided in the main control room: a. Fan running status and system operating mode b. System inoperability, overload, or power failure alarms c. Unit low flow alarm d. Unit filter high differential pressure alarm e. Supply air high or low temperature alarm. On a LOP, all CERS fans will stop. The operating unit fan will restart upon receipt of a permissive signal from the emergency load sequencer after the associated chilled water circulating pump restarts. The two control area battery exhaust (CABE) are controlled from their respective remote control panel. One of the two CABE fans is manually started and operates continuously in the "run" mode. The second CABE fan is maintained in an auto standby mode and will start upon a low air flow signal from a flow switch monitoring the running fan. The fan in trouble is deenergized by the low flow signal. 7.3-98 HCGS-UFSAR Revision 0 April 11, 1988 For each CABE fan, a low flow alarm is indicated at a remote control panel. Any alarm at the remote control panel is annunciated in the main control room by a system summary trouble alarm. On a LOP, both CABE fans will stop. The fan in the run mode will restart upon receipt of a permissive signal from the emergency load sequencer. To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve. The controls, instrumentation, and power supplies for the control area HVAC units are physically and electrically separated for each of the systems. See Section 8.1.4.14 for a discussion of electrical system separation. The controls for the ABCA-HVAC equipment are located in the auxiliary building control area and diesel generator area. The environmental consideration for these areas is provided in Section 3.11. See Plant Drawing H-089-0, Auxiliary Building Control Area Logic Diagram. 3. ABCA-HVAC testability - The ABCA-HVAC is fully testable during normal power operation. Operability of the CERS fans and the CABE fans may be verified by tripping the low flow switch of an operating unit and verifying that the standby unit starts and the operating unit secures. Setpoints may be checked by insertion of simulated signals of sufficient magnitude to verify accuracy. 7.3-99 HCGS-UFSAR Revision 20 May 9, 2014 7.3.1.1.11.6.4 Service Water Intake Structure HVAC 1. SWIS-HVAC system function - The SWIS-HVAC system provides ventilation and heating for the ESF pumps located in the intake structure. The SWIS-HVAC ventilation system is required for normal heating and cooling of the pump structure as well as for safeguard cooling of the pumps enclosed therein. For description and operation, see Section 9.4.7. b. SWIS-HVAC operation - The power for the instruments and controls associated with the SWIS ventilation system is supplied from the Class 1E power system. Equipment design is described in Section 9.4.7. Each of the SWIS-HVAC supply fans is operated in the "auto" mode, which allows the fan to start when the room temperature exceeds the setpoint of the room thermostat. Each SWIS exhaust fan is operated in the "auto" mode and will start when its associated supply fan is running. Each fan pair continues to run until the room space temperature drops below the room thermostat setpoint. If a running fan fails, a low airflow switch deenergizes the troubled fan. If a running supply fan is deenergized, its associated exhaust fan is deenergized by the loss of the supply fan running permissive signal. One of the two traveling screen motor room fans is manually started from its associated remote control panel and runs continuously. The standby fan, placed in the "auto" mode, starts upon a low air flow signal from the running fan. SWIS room high or low temperature and SWIS-HVAC fan low flow are alarmed at a remote control panel. Any alarm at 7.3-100 HCGS-UFSAR Revision 0 April 11, 1988 the remote control panel is annunciated in the main control room by a common system trouble alarm. To maintain the redundancy of the mechanical equipment, controls and instrumentation are provided on a one to one basis with the mechanical equipment they serve. The controls for the SWIS-HVAC equipment are located in the service water intake structure. The environmental consideration for these areas is provided in Section 3.11. The controls, instrumentation, and power supplies for the SWIS-HVAC fans are physically and electrically separated for each of the fan systems. See Section 8.1.4.14 for a discussion of the electrical system separation. See Plant Drawing H-95-0, Service Water Intake Structure and Miscellaneous Buildings Logic Diagram. 3. SWIS-HVAC testability - The SWIS-HVAC system is fully testable during normal power operation. Operability of the SWIS-HVAC supply fans may be verified by tripping the room thermostat, thus simulating high room temperature and observing that the SWIS-HVAC supply fan starts automatically. Operability of each SWIS-HVAC exhaust fan may be verified by starting the associated SWIS-HVAC supply fan and observing that the SWIS-HVAC exhaust fan starts automatically subsequent to the start of the supply fan. Verification of the operability of the traveling screen motor room fans may be made by tripping the low air flow switch of a running fan and observing that the standby fan starts automatically. 7.3-101 HCGS-UFSAR Revision 20 May 9, 2014 All system setpoints can be checked by insertion of simulated signals of sufficient magnitude to verify accuracy. 7.3.1.2 Design Bases The ESF systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and/or the RCPB. Section 15 identifies and evaluates events that jeopardize the fuel barrier and/or RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified are presented in Section 15. Design bases are as follows: 1. Variables monitored to provide protective action - Variables monitored to initiate required protective actions by the ESF systems are summarized in Table 7.3-15. The plant conditions that require protective action involving the ESF systems are described in Section 15. 2. Location and minimum number of sensors - See the Technical Specifications for the minimum number of sensors required to monitor safety-related variables. There are no sensors in the ESF systems that have a spatial dependence. 3. Prudent operational limits - Operational limits for each safety-related variable trip setting are selected with sufficient margin to prevent spurious ESF system initiation. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel cladding or the RCPB, is kept within established limits. 7.3-102 HCGS-UFSAR Revision 0 April 11, 1988
4. Margin - The margin between operational limits and the limiting conditions of operation of ESF systems are listed, and the bases for those limits are stated in the Technical Specifications. 5. Levels - Levels requiring protective action are established in the Technical Specifications. 6. Range of transient, steady state, and environmental conditions - Refer to Table 3.11-3, "Environmental Design Criteria" Document No. D7.5, "Environmental Qualification Summary Report", Report No. ESQR-01, and Sections 3.11 and 3.1.2.1.4.1 for environmental conditions. Refer to Section 8.3 for the maximum and minimum range of energy supply to ESF instrumentation and controls. All ESF instrumentation and control equipment is specified and purchased to withstand the effects of energy supply extremes. 7. Malfunctions, accidents, and other unusual events that could cause damage to safety systems - Floods, storms, tornadoes, earthquakes, fires, pipe breaks outside containment, and LOCA events are discussed below for the ESF system: a. Floods - The buildings containing ESF systems components have been designed to meet the probable maximum flood (PMF) at the site location. This ensures that the buildings will remain watertight under PMF conditions including wind generated wave action and wave run-up. For a discussion of internal flooding protection, refer to Sections 3.4 and 3.6. b. Storms and tornadoes - The buildings containing ESF systems components have been designed to withstand meteorological events described in Section 3.3. 7.3-103 HCGS-UFSAR Revision 12 May 3, 2002
c. Earthquakes - The structures containing ESF systems components have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10. d. Fires - Fire protection is discussed in Section 9.5.1. e. LOCA - The ESF systems components located inside the drywell and functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11. LOCA events are discussed in Chapters 6 and 15. f. Pipe break outside containment - This condition will not affect the ESF systems. Refer to Section 3.6. g. Missiles - Protection for safety-related components is described in Section 3.5. 8. Minimum performance requirements - Minimum performance requirements for ESF instrumentation and controls are provided in the Technical Specifications. Instrumentation response times for the Isolation System and the Emergency Core Cooling Systems appear in Tables 7.3-16 and 7.3-17, respectively. 7.3.1.3 Final System Drawings The following final system drawings have been provided for the ESF systems in this section or as indicated here or in the text: 1. Piping and instrumentation diagrams (P&IDs)/flow diagrams 2. Functional control diagrams (FCDs)/control logic diagrams 7.3-104 HCGS-UFSAR Revision 8 September 25, 1996
3. ESF systems electrical interconnection and schematic diagrams, identified in Section 1.7 4. Functional and architectural design differences between the Preliminary Safety Analysis Report (PSAR) and Final Safety Analysis Report (FSAR) listed in Table 1.3-8. 7.3.2 Analysis 7.3.2.1 ESF Systems - Instrumentation and Controls for NSSS Systems Sections 15 and 6 evaluate the individual and combined capabilities of the ESF systems. The ESF systems are designed such that a loss of instrument air, a plant load rejection, or a turbine trip will not prevent the completion of the safety function. 7.3.2.1.1 Conformance to 10CFR50 Appendix A The following is a discussion of conformance to those general design criteria (GDC) that apply specifically to the Nuclear Steam Supply System (NSSS) ESF systems. 1. GDC 1, 2, 3, 4, 5, 10, 13, and 15 - See Sections 7.1.2.2. 2. GDC 19, 20, 21, 22, 23, 24, and 29 - Conformance to these criteria are discussed in Sections 7.3.1.1.1.1 through 7.3.1.1.1.4. 3. GDC 30 - Pressure, level, and flow sensors that penetrate the reactor coolant pressure boundary (RCPB) have been designed, constructed, and tested to the highest practical quality standards. 4. GDC 33 - See Section 7.3.1.1.1, high pressure coolant injection (HPCI). 7.3-105 HCGS-UFSAR Revision 0 April 11, 1988
5. GDC 35 - See Section 7.3.1.1.1, Emergency Core Cooling System (ECCS) for conformance to GDC 35. 6. GDC 37 and 40 - See Section 7.3.2.1.3, Regulatory Guide 1.22. 7. GDC 38 - See Sections 7.3.1.1.3, Residual Heat Removal - Containment Spray Cooling Mode (RHR-CSCM) and 7.3.1.1,4 RHR-Suppression Pool Cooling Mode (RHR-SPCM). 7.3.2.1.2 Conformance to IEEE Standards 1. IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations a. General Functional Requirement, Paragraph 4.1 - The ESF systems automatically initiate the appropriate protective actions, whenever the parameters described in Section 7.3.1.2 reach predetermined limits, with precision and reliability assuming the full range of conditions and performance discussed in Section 7.3.1.2. b. Single Failure Criterion, Paragraph 4.2 - ESF systems are not required to meet single failure criteria on an individual channel basis. However, on a network basis, the single failure criterion does apply to ensure the completion of a protective function. Redundant sensors, wiring, logic, and actuated devices are physically and electrically separated such that a single failure will not prevent the required protective function from occurring. Refer to Section 8.1.4.14 for complete description of the Hope Creek Generating Station (HCGS) separation criteria. 7.3-106 HCGS-UFSAR Revision 0 April 11, 1988
c. Quality of Components and Modules, Paragraph 4.3 - For a discussion of the quality of ESF system components and modules, refer to Section 3.2. d. Equipment Qualification, Paragraph 4.4 - For a complete discussion of ESF equipment qualification, refer to Sections 3.5, 3.6, 3.10, and 3.11. e. Channel Integrity, Paragraph 4.5 - For discussion of ESF systems channel integrity under all extremes of conditions described in Sections 3.10 and 3.11, refer to Sections 7.3.1.2 and 8.3. f. Channel Independence, Paragraph 4.6 - ESF systems channel independence is maintained through the application of the HCGS separation criteria, as described in Section 8.1.4.14. g. Control and Protection Interaction, Paragraph 4.7 - There are no ESF system and control system interactions. h. Derivation of System Inputs, Paragraph 4.8 - The ESF variables are direct measures of the desired variables requiring protective actions. Refer to Sections 7.3.1.1.1 through 7.3.1.1.4 for NSSS systems. See Sections 7.3.1.1.5 through 7.3.1.1.11 for non-NSSS systems. i. Capability for Sensor Checks, Paragraph 4.8 - Refer to Section 7.3.2.1.3, Regulatory Guide 1.22, for NSSS systems. See Sections 7.3.1.1.5 through 7.3.1.1.11 for non-NSSS systems. 7.3-107 HCGS-UFSAR Revision 0 April 11, 1988
j. Capability for Test and Calibration, Paragraph 4.10 - Refer to Section 7.3.2.1.3, Regulatory Guide 1.22 for NSSS systems. See Sections 7.3.1.1.5 through 7.3.1.1.11 for non-NSSS systems. k. Channel Bypass or Removal from Operation, Paragraph 4.11 - During periodic testing of any one ESF system channel, a sensor may be isolated, tested, and returned to service under administrative control procedures. Since only one sensor that may be common to more than one system is isolated at any given time during the test interval, protective action capability for ESF system automatic initiation is maintained through the remaining redundant instrument channels. l. Operating Bypasses, Paragraph 4.12 - The ESF system contains the following operating bypasses. The Primary Containment and Reactor Vessel Isolation Control System (PCRVICS) has two operating bypasses: (1) The first is the main steam line low pressure operating bypass, which is imposed by means of the reactor mode switch. The reactor mode switch cannot be left in any position except "run", above 10 percent of rated reactor power, without initiating a reactor trip. Therefore, the bypass is removed by the normal reactor operating sequence. (2) The second is the low condenser vacuum bypass, which is imposed by means of a manual bypass switch in conjunction with closure of the main stop valves. Bypass removal is accomplished 7.3-108 HCGS-UFSAR Revision 0 April 11, 1988 automatically by the opening of the main stop valves or manually by placing the bypass switch in the "normal" position. Each trip logic channel of the Automatic Depressurization System (ADS) has a high drywell pressure trip bypass. When the high drywell pressure bypass timer runs out, the high drywell pressure trip will be bypassed, allowing the ADS to initiate under low water level conditions caused by a pipe break outside containment. A bypass is provided for the L8 trip circuit of the HPCI system to enable testing during low reactor pressures. Under these conditions, false trips can be generated due to the level instruments being out of calibration and indicating high reactor water level. A keylocked switch is provided at the HPCI relay panel in the lower control equipment room to engage the trip bypass. Continuous indication is provided in the main control room while in the bypass mode. m. Indication of Bypasses, Paragraph 4.13 - For a discussion of bypass and inoperability indication refer to Section 7.1.2.4, Regulatory Guide 1.47, for NSSS systems. See Sections 7.3.1.1.5 through 7.3.1.1.11 for non-NSSS systems. n. Access to Means for Bypassing, Paragraph 4.14 - Access to means of bypassing any safety action or function for the ESF systems is under the administrative control of the control room operator. The control room operator is alerted to bypasses as described in Section 7.1.2.4, Regulatory Guide 1.47, 7.3-109 HCGS-UFSAR Revision 0 April 11, 1988 for NSSS systems. See Sections 7.3.1.1.5 through 7.3.1.1.11 for non-NSSS systems. Control switches that allow safety system bypasses are keylocked, with the exception of the low pressure coolant injection (LPCI) injection valve manual override switches, which are pushbutton. All (except one) keylock switches in the main control room are designed such that their key can only be removed when the switch is in the "normal" position. The control switch for the CRD Scram Discharge Volume High Water Level Trip Bypass is the exception. The key associated with this switch can be removed in any of its positions (Normal and Bypass are the used positions). For details associated with the switch function, see Section 7.2.1.1.7. Keys for keylock control switches are individual labeled according to their own unique control switch function. They are affixed to the control room panels with magnetic strips. At the end of each shift, the reactor operator/plant operator (RO/PO) will audit the placement of these keys. A key must be either on the panel or inserted in the keylock switch. The RO/PO will report any problems to the CRS and make note of the audit in the appropriate NBU administrative procedure(s). o. Multiple Setpoints, Paragraph 4.15 - There are no multiple setpoints within the ESF systems. p. Completion of Protective Action Once Initiated, Paragraph 4.16 - Each of the automatically initiated ESF system control logics seal in electrically and remain energized after initial conditions return to normal. Deliberate operator action is required to return (reset) an ESF system logic to normal. q. Manual Initiation, Paragraph 4.17 - Refer to the discussion of Regulatory Guide 1.62 in 7.3-110 HCGS-UFSAR Revision 12 May 3, 2002 Section 7.3.2.1.3 for NSSS systems. See Sections 7.3.1.1.5 through 7.3.1.1.11 for non-NSSS systems. r. Access to Setpoint Adjustments, Calibration, and Test Points, Paragraph 4.18 - All access to ESF system setpoint adjustments, calibration controls, and test points are under the administrative control of the control room operator. s. Identification of Protective Actions, Paragraph 4.19 - ESF protection actions are directly indicated and identified by annunciators located in the main control room, and a digital alarm log is available from the process computer. t. Information Readout, Paragraph 4.20 - The ESF systems are designed to provide the operator with accurate and timely information pertinent to their status. They do not introduce signals that could cause anomalous indications confusing to the operator. u. System Repair, Paragraph 4.21 - The ESF systems are designed to permit repair or replacement of components. Recognition and location of a failed component will be accomplished during periodic testing or by annunciation in the main control room. v. Identification, Paragraph 4.22 - The ESF panels are identified by colored nameplates. The nameplate shows the channel to which each panel or rack is assigned, and also identifies the function in the system of each item of the control panel. The system to which each relay belongs is identified on the relay panels. 7.3-111 HCGS-UFSAR Revision 19 November 5, 2012 All cabling outside of panels are labeled to indicate channel assignment. 2. IEEE 323-1971, Qualifying Class 1E Equipment for Nuclear Power Generating Stations - For an assessment of equipment qualification, see Section 3.11.2. 3. IEEE 338-1971, Periodic Testing of Nuclear Power Generating Stations - Although not a design basis, the ESF systems are fully testable during normal operation. For further discussion of how the system designs conform, refer to Sections 7.3.1.1.1, 7.3.1.1.2, 7.3.1.1.3, and 7.3.1.1.4. Operation of each instrument channel is testable from the sensor to final logic relay. The sensor may be isolated and test pressure applied to the sensor to check operation of the complete instrument channel, sensor to trip unit. The channels monitoring the same variable may be cross compared. A calibration module may be used to test the trip unit of each channel. These tests will not interfere with automatic operation of the system if required by an initiation signal. Periodic testing is performed in accordance with plant maintenance procedures. These procedures establish the administrative control for removing from service only one instrument channel at a time. Plant maintenance procedures establish the frequency, schedule, and documentation required for the testing. The testing is performed at intervals such that credible failure may be detected and repaired before it would reduce reliability of the system. 4. IEEE 344-1971, Seismic Qualifications of Class 1E Equipment - For an assessment of IEEE 344-1971, see Section 3.10. 7.3-112 HCGS-UFSAR Revision 0 April 11, 1988
5. IEEE 379-1972, Application of Single-Failure Criterion to Nuclear Power Generating Stations - For an assessment, see the discussion of IEEE 279-1971, Paragraph 4.2, in Section 7.3.2.1.2. 6. IEEE 384-1974, Independence of Class 1E Equipment and Circuits - Although not a design basis, the criteria for independence in IEEE 279-1971, Paragraph 4.6, as further defined in IEEE 384-1974, are met as described in Section 8.3.1.4. 7.3.2.1.3 Regulatory Guide Assessments See Table 1.8-1 for commitments, revision numbers, and scope of Regulatory Guides. 1. Regulatory Guide 1.11, Instrument Lines Penetrating Primary Reactor Containment - Refer to Section 7.1.2.4 for assessment. 2. Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions - Conformance with Regulatory Guide 1.22 is as follows: The ESF systems instrumentation and controls are capable of being tested during normal plant operation to verify the operability of each system component unless that testing is detrimental to plant availability. Testing of safety-related sensors is accomplished by isolating each sensor, one at a time, and applying a test pressure or differential pressure source. In the case of the main steam line radiation sensors, the sensors may be removed and test sources applied. This verifies the operability of the sensor contacts, the sensor setpoint, and the associated logic components in the main control room. Functional operability of temperature sensors may be verified by readout comparisons, applying a heat source to the locally mounted temperature sensing elements or by continuity testing. 7.3-113 HCGS-UFSAR Revision 0 April 11, 1988 For the HPCI, core spray, and LPCI, testing for functional operability of the control logic relays can be accomplished by use of plug in test jacks and switches in conjunction with single sensor tests. Four test jacks are provided to allow Automatic Depressurization System (ADS) logic testing, one for each logic channel. During testing, only one logic should be actuated at a time. However, when the test plug is plugged into one channel, the complement channel of that trip system is automatically rendered inoperative. Therefore, inadvertent ADS actuation cannot occur even if both channels are placed in the test mode simultaneously. An annunciator is provided in the main control room to indicate if test plugs have been inserted in both channels in a division at the same time. Operation of the test plug switch and the permissive contacts will close one of the two series relay contacts in the ADS valve solenoid circuit. This will cause a panel light to extinguish, indicating proper channel operation and continuity of the solenoid electrical circuit. Annunciation is provided in the main control room whenever a test plug is inserted in a jack to indicate to the operator that an ECCS is in a test status. Operability of air operated, solenoid operated, and motor operated valves is verified by actuating the valve control switches and monitoring the position change by position-indicating lights at the control switch. ADS/SRVs are tested in accordance with Hope Creek Technical Specifications. 7.3-114 HCGS-UFSAR Revision 10 September 30, 1999 The ESF systems are provided with indications, status displays, annunciation, and computer printouts that aid the control room operator during periodic system tests to verify component operability and status. 3. Regulatory Guide 1.29, Seismic Design Classification - See Section 7.1.2.4 for conformance. 4. Regulatory Guide 1.30, Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment - See Section 7.1.2.4 for an assessment. 5. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - See Section 7.1.2.4 for conformance. 6. Regulatory Guide 1.53, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems - Refer to the discussion of IEEE 279, Paragraph 4.2, in Section 7.3.2.1.2 for conformance. 7. Regulatory Guide 1.62, Manual Initiation of Protective Actions-Conformance - The ADS and the PCRVICS are manually initiated at the system level from the main control room by actuation of two armed pushbuttons (one for each logic channel). The RHR containment spray cooling mode is manually initiated from the main control room at the system level by actuation of the RHR pump start control switch and by opening the containment spray or suppression chamber spray valves. The RHR suppression pool cooling mode is manually initiated from the main control room by initiation of system pump and valve controls. 7.3-115 HCGS-UFSAR Revision 0 April 11, 1988 The actuation of the system level manual initiation switches simulates all the actions of automatic or manual (individual equipment initiation) system actuation. Non-NSSS: The HCGS non-NSSS ESF systems (as defined in Section 7.3.1) are as follows: a. Primary Containment Isolation System (PCIS) b. Containment Atmosphere Control System (CACS) c. Main Control Room Habitability and Isolation System (MCRHIS) d. Not Used e. Filtration, Recirculation, and Ventilation System (FRVS) f. Reactor Building Ventilation Isolation System (RBVIS). Of the five systems, only the PCIS, MCRHIS, FRVS, and RBVIS are initiated automatically with the PCIS generating the initiation signals for the FRVS and RBVIS. The MCRHIS can be automatically initiated via a PCIS isolation signal (see Section 7.3.1.1.5 for a discussion on the PCIS operation), but can also be automatically initiated by an isolation signal from CRV-RMS (see Section 7.3.1.1.7 for a discussion on the MCRHIS operation). Therefore the PCIS and MCRHIS are the only two non-NSSS ESF systems receiving automatic initiation signals. Manual initiation at the system level has been provided for the PCIS and MCRHIS, which duplicate the actions of the automatic initiation signals. Manual initiation is not dependent on the automatic initiation signals. 7.3-116 HCGS-UFSAR Revision 12 May 3, 2002 Conformance to the six positions of Regulatory Guide 1.62 is as follows: Position 1 - means have been provided for the manual initiation of the PCIS and the MCRHIS at the system level. Means have also been provided for manual initiation at the component level for all components (valves, pumps) actuated by the PCIS, MCRHIS, FRVS, and RBVIS. Position 2 - manual initiation of the PCIS and the MCRHIS performs all action performed by automatic initiation. Position 3 - the PCIS and the MCRHIS manual initiation switches are located on Section C and Section E respectively, of the operator's console in the main control room and are also easily accessible to the operator. The PCIS switches are of the armed pushbutton type similar to those used for NSSSS manual initiation. The switch collar must first be rotated to "arm" the pushbutton and then it can be depressed to provide the PCIS actuation. The arming feature prevents the inadvertent actuation of the PCIS. The MCRHIS switches are standard Bailey type RZ momentary pushbutton and lamp modules. Position 4 - the amount of equipment common to both manual and automatic initiation has been kept to a minimum. Equipment is common from the Bailey 862 logic modules, where the automatic and manual initiation signals are logically combined, as shown on Plant Drawings H-89-0 (MCRHIS) and J-102-0 (PCIS), through the actuation devices. Manual initiation is not dependent on any permissive signal common with automatic initiation logic. No single failure within the manual, automatic, or common portions of a PCIS or MCRHIS channel will prevent the manual or automatic initiation of the redundant PCIS or MCRHIS channels. 7.3-117 HCGS-UFSAR Revision 20 May 9, 2014 Further, the only single failure that could affect an entire PCIS or MCRHIS channel on a system and component level basis would be a loss of the Class 1E power supply to that channel. More information on the Bailey 862 logic modules is provided in Section 7.1.2.9. Position 5 - manual initiation of the PCIS and the MCRHIS at the system level requires the operation of a minimal amount of equipment as shown on Plant Drawings H-89-0 (MCRHIS) and J-102-0 (PCIS). Position 6 - manual initiation of the PCIS and the MCRHIS at the system level is designed such that once initiated the protective action goes to completion in conformance with the requirements of Section 4.16 of IEEE Standard 279-1971. NSSS: a. ECCS Each individual subsystem of the emergency core cooling systems (HPCI, ADS, Core Spray, and LPCI) has a provision for its own manual initiation. In addition, no single failure in the initiation portion of the network of systems will prevent manual or automatic initiation of redundant portions of the network. 1. HPCI The HPCI system is initiated automatically by a LOCA signal (low reactor water level and/or high drywell pressure) or by a system level remote manual switch. The subsystem can also be initiated by use of an individual remote manual switch for each valve including the turbine 7.3-118 HCGS-UFSAR Revision 20 May 9, 2014 driven pump. In all initiation modes, the system is prevented from operating by high water level (Level 8) using one out of two twice logic circuitry. 2. ADS The ADS function is initiated automatically by a LOCA signal (low reactor water level and high 7.3-118a HCGS-UFSAR Revision 5 May 11, 1993 THIS PAGE INTENTIONALLY BLANK 7.3-118b HCGS-UFSAR Revision 5 May 11, 1993 drywell pressure) or by system level remote manual switches. When initiated automatically, the ADS valves are prevented from opening unless both pumps in either of the two core spray loops, or any of the four RHR pumps, are running. If ADS is initiated by the system level manual switches, the LOCA signal and core spray/RHR pump running permissives are bypassed. In addition, each individual ADS valve can be opened manually without restriction from permissive sensors. 3. LPCI and Core Spray Low Pressure Coolant Injection (LPCI), an operating mode of the Residual Heat Removal (RHR) System, consists of four independent and redundant loops. Each loop contains a separate suction path from the suppression pool, a motor drive pump, necessary control and instrumentation devices and valves, and a separate injection path that discharges directly into the reactor. Each loop is assigned to a separate electrical safety division. Logic and motive power for each division is supplied from safeguarded power sources within that division. Each safety division is fully separated (including instrumentation, controls, and power cables) from each of the other safety divisions as required by the HCGS electrical separation criteria. Each LPCI pump will supply 100 percent of the loop's design flow. The following discussion describes the initiation and operation of the A LPCI loop only. The three remaining loops are initiated and operated similarly, and each loop is initiated and operated independently of the other loops. The A LPCI loop is automatically initiated when a LOCA condition (reactor vessel 7.3-119 HCGS-UFSAR Revision 12 May 3, 2002 low level or containment high pressure coincident with reactor low pressure) exists. LPCI can be manually initiated from the control room by arming and depressing the loop initiation switch. Upon receipt of the LOCA or manual initiation signal, the A RHR pump is automatically started. The necessary valves required to isolate non-LPCI portions of the RHR system from the LPCI flow path are automatically closed. A signal to open the A LPCI injection valve is initiated; however, the valve is interlocked to prevent opening if the pressure is greater than the RHR piping design maximum pressure (determined by monitoring the differential pressure across the injection valve), or if power is not available at the 4 kV bus to which the A RHR pump motor is connected. When the 4 kV bus is energized and reactor pressure has decreased to below the RHR piping design maximum pressure, the injection valve will automatically open and allow low-pressure coolant injection. Each of the components in the LPCI flowpath can also be manually operated from the control room by means of each component's individual control switch. Again, the LPCI valve is interlocked to prevent opening if reactor pressure is greater than the RHR piping design maximum pressure. The interlocks and control devices used in this manner are the same as those used for automatic operation. The core spray system consists of two independent and redundant loops. Each loop contains two motor driven pumps each with a 7.3-120 HCGS-UFSAR Revision 0 April 11, 1988 separate suction path from the suppression pool, necessary control and instrumentation devices and valves, and a discharge path that is common to both pumps and is connected directly to the reactor. Each pump supplies 50 percent of the required core spray flow so either loop can satisfy 100 percent of the core spray design requirements. Each pump, associated suction valve, instrumentation, controls, and motion devices are assigned to separate electrical safety divisions. Each division is fully separated (including instrumentation, controls, and power cables) from each of the other divisions, as required by the HCGS electrical separation criteria. Logic and motive power for each division is supplied from safeguarded power sources within that division. The remaining devices and valves in each loop are assigned to the same safety divisions as the pumps in that loop to provide adequate separation between the redundant loops. The following discussion describes the initiation and operation of the A core spray loop. The B loop is initiated and operated similarly and independently of the A loop. The A loop is automatically initiated when a LOCA condition (low reactor vessel level or high drywell pressure coincident with low reactor vessel pressure) exists. The A core spray loop can also be manually initiated by arming and depressing the A and C core spray initiation switches (B and D switches for the B loop). 7.3-121 HCGS-UFSAR Revision 0 April 11, 1988 Upon receipt of either the above loop initiation signals in their respective divisions of initiation logic, the A and C core spray pumps start automatically, the core spray test return lines to the suppression pool are automatically isolated, and a signal to open the inboard and outboard loop injection valves is initiated. However, the inboard and outboard injection valves are interlocked to prevent opening if reactor pressure is greater than the core spray piping design maximum pressure (determined by monitoring reactor pressure) or if power is not available at the 4 kV bus to which the A core spray pump is connected. When the 4 kV bus is energized and reactor pressure has decreased to below the core spray piping design maximum pressure, the injection valves will automatically open. Each of the components in the core spray flow path can also be manually operated from the control room by means of the component's individual control switch. Again, the injection valves are interlocked to prevent opening if reactor pressure is greater than core spray piping design maximum pressure. The interlocks and control devices used in this manner are the same as those used for automatic operation. Each loop of either core spray or LPCI in itself is not designed to sustain a single failure and still perform its design functions. Single failures such as loss of one division of safeguarded power, logic circuitry failure in one division, or an instrument failure in one division can disable one loop of core spray 7.3-122 HCGS-UFSAR Revision 0 April 11, 1988 and/or one loop of LPCI, including the manual and automatic operation of these loops. For a design basis accident coincident with a worst case single failure, the most demanding and limiting scenarios for low pressure ECCS are: 1. A pipe break that is not part of the low pressure ECCS and a single diesel generator failure. Three LPCI loops and one core spray loop would remain. 2. A low pressure ECCS pipe break and a single diesel generator failure. If the pipe break were in the core spray system, three LPCI loops would remain. If the pipe break were in LPCI, one core spray loop and two LPCI loops would remain. For either scenario, the remaining low pressure ECCS loops are more than sufficient to satisfy the low pressure coolant flow requirements to reactor. The above scenarios are more demanding of the low pressure ECCS than the failure of any one core spray or LPCI instrument. Hence, the consequences of a single core spray or LPCI instrument failure are bounded by the consequences for the above scenarios. Because the low pressure ECCS is designed with sufficient redundancy and separation to perform its design functions with the worst case single failure scenarios, no design changes are needed to reduce the consequences of a single failure of a core spray or LPCI instrument. 7.3-123 HCGS-UFSAR Revision 0 April 11, 1988
b. PCRVICS There are no interlocks involved in manual operation of the PCRVICS. c. Containment Spray Mode (RHR) and Suppression Pool Cooling Mode (RHR) These two modes of the RHR system are only initiated manually (no automatic initiation). d. CONCLUSION Of the ESF systems, only the HPCI, ADS, CS, and LPCI systems of the ECCS share permissive logic circuitry between the automatic and system level manual initiation logic circuitries. The design is acceptable because the individual subsystems of the ECCS are not required to meet the single failure criterion. The ECCS function will be achieved with any one of its subsystems inoperative. 8. Regulatory Guide 1.68, Initial Test Programs for Water-Cooled Nuclear Power Plants - See Section 1.8 for an assessment. 9. Regulatory Guide 1.73, Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants - See Sections 3.10 and 3.11 for an assessment. 10. Regulatory Guide 1.75, Physical Independence of Electric Systems - See Section 7.1.2.4 for conformance. 7.3-124 HCGS-UFSAR Revision 0 April 11, 1988
11. Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants - See Section 7.1.2.4 for an assessment. 12. Regulatory Guide 1.100, Seismic Qualification of Electric Equipment for Nuclear Power Plants - See Section 7.1.2.4 for an assessment. 13. Regulatory Guide 1.105, Instrument Setpoints - See Section 7.1.2.4 for an assessment. 14. Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems - See Section 7.1.2.4 for an assessment. 7.3.2.2 ESF Systems - Instrumentation and Controls for Non-NSSS Systems The non-NSSS ESF systems are designed such that a loss of instrument air, a loss of cooling water to vital equipment, a plant load rejection, or a turbine trip will not prevent the initiation or completion of any required safety function. The non-NSSS ESF and EAS systems are designed such that following system initiation the associated ESF/EAS safety-related equipment remains in its emergency mode even after automatic or manual reset of the actuation signals. Deliberate operator action is required to return the system to its normal operating lineup. 7.3.2.2.1 Conformance to 10CFR50, Appendix A The following is a discussion of conformance to those general design criteria (GDC) that apply specifically to the non-NSSS ESF systems with the exception of the Class 1E power systems, which are discussed in Section 8. 7.3-125 HCGS-UFSAR Revision 0 April 11, 1988
1. GDC 2 - The non-NSSS ESF systems are designed to withstand the effects of natural phenomenon. For further discussion, see Section 3.1. 2. GDC 4 - The non-NSSS ESF systems are designed to accommodate the effects of, and be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents (LOCAs). For further discussion, see Section 3.1. 3. GDC 13 - The non-NSS ESF systems are designed with sufficient instrumentation and controls to monitor and control system variables over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions. See Sections 7.3.1.1.5 through 7.3.1.1.11. 4. GDC 19 - For a discussion of conformance to GDC 19, see Sections 3.1 and 7.4.1.4. 5. GDC 20, 21, 22, 23, 24, and 25 - For a discussion of conformance to these GDC, see Section 3.1 and Sections 7.3.1.1.5 through 7.3.1.1.11. 6. GDC 29 - The non-NSSS ESF systems are designed to ensure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences. See Sections 7.3.1.1.5 through 7.3.1.1.11. 7. GDC 34, 35 - GDC 34 and 35 apply only to the SSWS and SACS. For a discussion of conformance to these GDC, see Sections 3.1 and 7.3.1.1.11. 8. GDC 41 - GDC 41 applies only to the containment atmosphere control system (CACS). For a discussion of conformance to GDC 41, see Section 7.3.1.1.6. 7.3-126 HCGS-UFSAR Revision 0 April 11, 1988 7.3.2.2.2 Conformance to IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations See Section 7.3.1.2. Conformance to IEEE 279-1971 is the same for non-NSSS and NSSS ESF systems except where specifically noted in Section 7.3.1.2. 7.3.2.2.3 Conformance to Regulatory Guides 1. Regulatory Guide 1.11, Revision O, Instrument Lines Penetrating Primary Reactor Containment - Regulatory Guide 1.11 applies only to the CACS and the Primary Containment Instrument Gas System (PCIGS). See Section 1.8.1.11 for a discussion of conformance to Regulatory Guide 1.11. 2. Regulatory Guide 1.22, Revision O, Periodic Testing of Protection System Actuation Functions - The non-NSSS ESF systems are capable of being tested during normal operation, as described in the testability portions of the individual system discussions in Sections 7.3.1.1.5 through 7.3.1.1.11. A general conformance discussion is provided in Section 1.8.1.22. 3. Regulatory Guide 1.29, Revision 3, Seismic Design Classification - See Section 1.8.1.29 for a discussion of conformance to Regulatory Guide 1.29. 4. Regulatory Guide 1.47, Revision O, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - Bypassed and inoperable status indications for non-NSSS ESF and EAS systems are provided in the main control room in conformance with Regulatory Guide 1.47. For further discussion, see Sections 7.5.1.3.2 and 1.8.1.47. 7.3-127 HCGS-UFSAR Revision 0 April 11, 1988
5. Regulatory Guide 1.53, Revision O, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems - See Section 1.8.1.53 for a discussion of conformance to Regulatory Guide 1.53. 6. Regulatory Guide 1.62, Revision O, Manual Initiation of Protective Actions - The non-NSSS ESF systems are designed to allow manual initiation from the main control room in conformance with Regulatory Guide 1.62. For further discussion, see Sections 7.3.1.1.5 through 7.3.1.1.11. 7. Regulatory Guide 1.63, Revision 2, Electric Penetration Assemblies in Containment Structures for Light Water Cooled Nuclear Power Plants - See Section 1.8.1.63 for a discussion of conformance to Regulatory Guide 1.63. 8. Regulatory Guide 1.75, Revision 2, Physical Independence of Electric Systems - See Sections 8.1.4.14 and 1.8.1.75 for a discussion of conformance to Regulatory Guide 1.75. 9. Regulatory Guide 1.89, Revision O, Qualification of Class 1E Equipment for Nuclear Power Plants - See Section 1.8.1.89 for a discussion of conformance to Regulatory Guide 1.89. 10. Regulatory Guide 1.100, Revision 1, Seismic Qualification of Electric Equipment for Nuclear Power Plants - See Sections 3.10 and 1.8.1.100 for a discussion of conformance to Regulatory Guide 1.100. 11. Regulatory Guide 1.105, Revision 1, Instrument Setpoints - See Section 1.8.1.105 for a discussion of conformance. 12. Regulatory Guide 1.118, Revision 2, Periodic Testing of Electric Power and Protection Systems - See 7.3-128 HCGS-UFSAR Revision 0 April 11, 1988 Section 1.8.1.118 for a discussion of conformance to Regulatory Guide 1.118. 7.3.2.2.4 Testability of BOP Instrumentation The at-power testability of a BOP instrument was established if an affirmative response could be verified for the following three questions: (1) Is the item sufficiently accessible to conduct the test during normal operation? (2) Is the item sufficiently isolatable to permit its safety related function to be verified, or is a safety related system or subsystem encompassing the item isolatable and testable? (3) Does any bypassing method that must be used to accomplish the test conform to Position C.6 of RG 1.118? Using the above criteria, the following safety systems items not related to the nuclear steam supply system were determined to be untestable at power. Primary Containment Isolation System (PCIS) (1) The loss of coolant accident (LOCA) signals of reactor low level (level 1), drywell high pressure, or manual initiation originating from core spray system relay K18A-D cannot be completely isolated for testing at power. This affects actuation signals to close their associated containment isolation valves, to trip 16 motor control center breakers, and to initiate control room isolation. However, all other methods for actuation of this equipment can be verified at power. The LOCA signals and manual initiation are tested at least once every 18 months (550 days). 7.3-129 HCGS-UFSAR Revision 0 April 11, 1988 (2) The coincidence circuitry for the reactor building area and refueling floor area high-high radiation signals cannot be completely isolated for testing at power. The individual high-high radiation signals can be verified up to the input buffers of the logic modules but must be tested one at a time because each signal is transmitted through isolation devices to all four channels of the PCIS simultaneously. This only affects the logic circuitry of the PCIS itself and does not inhibit the testing of the actual actuation signals from the PCIS to the individual actuation components. The coincidence circuitry for these two signals is tested at least once every 18 months (550 days). On the basis of the above information, the BOP portion of the Hope Creek design has provided adequate on-line testing capability for the actuation instrumentation channels, logic, and actuation devices of safety systems. 7.3-130 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • TABLE 7.3-1 HIGH PRESSURE COOLANT INJECTION SYSTEM INSTRUMENTATION RANGES Trip Function Reactor vessel high water level HPCI turbine HPCI turbine exhaust high pressure HPCI system pump high/low suction pressure Reactor vessel low water level Primary containment (drywell) high pressure HPCI pump minimum flow HPCI system steam supply low pressure HPCI pump discharge flow controller Condensate storage tank low level Suppression pool high water level Turbine overspeed HPCI turbine exhaust diaphragm high pressure HCGS-UFSAR Sensor Instrument Level transmitter Pressure transmitter Pressure transmitter Level transmitter Pressure transmitter Sensor Instrument Range -150 to +60 in. w.g. 0 to 200 psig 30" Hg Vac to 85 psig/ 30" Hg Vac to 0 psig -150 to +60 in. w.g. 0 to 10 psig Flow transmitter 0 to 700 gpm Pressure 0 to 200 psig transmitter Flow indicator 0 to 6000 gpm controller Level transmitter 0 to 20 +/- 10 in. w.g. Level transmitter 0 to 20 +/- 10 in. w. g. Electronic NA turbine governor controller Pressure trans-mitter 1 of 1 0 to 30 psig Revision 0 April 11, 1988 TABLE 7.3-2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENTATION RANGES ADS Functions Reactor vessel low water level (L1) Reactor vessel low water level (L3) Drywall high pressure Core spray permissive RHR permissive ADS time delay High drywell pressure bypass time delay HCGS-UFSAR Instrument Instrument Range Level transmitter -150 to +60 in. w.g. Level transmitter o to +60 in. w.g. Pressure transmitter 0 to 10 psig Pressure transmitter 0-500 psig Pressure transmitter 0-500 psig Time-delay relay 12-120 seconds Time-delay relay 1-30 minutes 1 of l Revision 13 November 14, 2003
  • *
  • TABLE 7.3-3 CORE SPRAY INSTRUMENTATION RANGES Function Reactor vessel low water level (Ll) Drywell high pressure Injection lines differential pressure Pump minimum flow bypass Injection valve pressure HCGS-UFSAR Instrument Level transmitter Pressure transmitter Instrument Range -150 to +60 in. w.g. 0 to 10 psig Differential -10 to +10 psid pressure transmitter Flow 0 to 1000 gpm transmitter Pressure transmitter 0-1200 psig 1 of 1 Revision 0 April 11, 1988 LPCI Function Reactor vessel low water level (Ll) Drywall high pressure LPCI pump delay (normal power available -pumps C & D only) Injection valve pressure Pump minimum flow bypass HCGS-UFSAR TABLE 7.3-4 LOW PRESSURE COOLANT INJECTION INSTRUMENTATION RANGES Instrument Level transmitter Pressure transmitter Timer Pressure transmitter Flow transmitter 1 of 1 Instrument Range -150 to +60 in. w.g. o to 10 psig 0.55 -15 seconds o to 1000 psig o to 3045 gpm Revision 13 November 14, 2003 TABLE 7.3-5 PRIMARY CONTAINMENT AND REACTOR VESSSEL ISOLATION CONTROL SYSTEM INSTRUMENT RANGES PCRVICS Function Reactor vessel low water level (L2) Main steam line tunnel high temperature Main steam line high flow Main steam line high radiation Main turbine inlet, low steam pressure {run mode) Reactor vessel low water level (L1) High drywall pressure Reactor vessel pressure RWCU high differential flow HCGS-UFSAR Instrument Level transmitter Temperature switch Differential pres-sure transmitter Radiation monitor Pressure transmitter Level transmitter Pressure transmitter Pressure transmitter Differential flow comparator and alarm unit l of 2 Instrument Range -150 to +60 in. w.g. 0-150 paid l to 106 mR/h 0-1200 psig -150 to +60 in. w.g. 0 to 1.0 psig o to 1500 psig o to 450 gpm Revision 13 November 14, 2003 I PCRVICS Function . RWCU system area high temperature RWCU system area high differential temper-ature, inlet/outlet vents RWCU system non-regenerative heat exchanger outlet temperature SLCS initiated Reactor Building
  • ventilation high radiation Low main condenser vacuum trip TABLE 7.3-5 (Cant) Instrument Temperature switch Temperature switch Temperature switch Manual switch or RRCS initiation signal Radiation monitor Pressure transmitter
  • Instrumentation is part of PCIS, not PCRVICS. 2 of 2 HCGS-UFSAR Instrument Range NA 4.50 E-04 -l.20E-03J.LCi/cc o to 3.0 in. Hg abs Revision 13 November 14, 2003 I
  • * ** TABLE 7.3-6 NUCLEAR STEAM SUPPLY SHUTOFF SYSTEM ISOLATION VALVES/SIGNALS Isolation Auto Controlled Line Valves Isolation Si9nals ( 1} Main steam Main steam drain Reactor water sample TIP guide tube RHR suction shutdown cooling RHR return shutdown cooling RHR to radwaste RHR sample RWCU Balance of Plant Inbd Outbd -----X X X X X X X X X X X X X X X X X X 1 2 3 4 5 6 7 8 9 -------X X X X X X X X
  • X . X *.*** . X ***.* X * ** X *.*** X ** X *.*** X X X X X X X X X (l)Signal definitions are as follows: 1. Reactor vessel low water level (L1) 2. Reactor vessel low water level (L2} 1 of 2 HCGS-UFSAR 10 11 12 ---X X X X 13 14 15 16 ----X X X Revision 14 July 261 2005
  • *
  • *
  • TABLE 7.3-7 RHR CONTAINMENT SPRAY COOLING MODE SYSTEM INSTRUMENTATION RANGES Function Instrument Drywe11 high pressure Pressure transmitter 1 of 1 HCGS-UFSAR Instrument Range 0 to 10 psig Revision 0 April 11, 1988 Function TABLE 7.3-8 RHR-SUPPRESSION POOL COOLING MODE INSTRUMENTATION RANGES Instrument Instrument Range Reactor vessel low water Level transmitter -150 to +60 level (L1) Drywell high pressure Suppression pool temperature high HCGS-UFSAR Pressure trans-mitter Temperature recorder 1 of 1 in. w.g. 0 to 10 psig Revision 13 November 14, 2003 I CHRS Function Gas inlet flow Total gas flow Low total gas flow Gas inlet pres-sure High gas inlet pressure Blower inlet temperature High blower inlet temperature Gas inlet temperature Heater outlet gas temperature High heater outlet gas temperature HCGS-UFSAR TABLE 7.3-9 CONTAINMENT HYDROGEN RECOMBINATION SYSTEM INSTRUMENTATION RANGES Instrument Flow transmitter Flow transmitter Flow switch Pressure trans-mitter Pressure trans-mitter Thermocouple Temperature amplifier Thermocouple Thermocouple Instrument Range 0-20 in. w.g. 0-20 in. w.g. 0-20 in. w.g. 0-100 psia 0-100 psia 75-2200°F (Max.) 75-2200°F {Max.) Temperature switch 1289.5-1310.5°F 1 of 3 Revision 13 November 14, 2003 I CHRS Function. Heater gas temperature High heater gas temperature Low-low total gas flow Heater wall temperature High heater wall temperature High-high heater wall temperature Reaction chamber shell temperature High reaction chamber shell temperature High-high reaction chamber shell temperature Maintain reaction chamber gas temperature HCGS-UFSAR TABLE 7.3-9 (Cent) Instrument Instrument Range Thermocouple Temperature switch 1189.5-1210. 5°F Flow switch 0-20 in. w.g. Thermocouple Temperature switch 1382.5-1403. 5°F Temperature switch 1407-l437°F Thermocouple Temperature switch 1382 5-140.3. '5°F Temperature switch l407-l437°F Temperature indicating controller 2 of 3 Revision 13 November 14, 2003 CHRS Function Reaction chamber gas temperature Low reaction chamber gas temperature Return gas temperature High return gas temperature Drywall temperature Suppression chamber temperature Drywall pressure Suppression chamber pressure HCGS-UFSAR TABLE 7.3-9 (Cont) Instrument Instrument Range Thermocouple Temperature switch 75-2200°F Thermocouple 75-2200°F (Max.) Temperature switch 240-260°F RTD RTD Pressure -5 to 250 psig transmitter Pressure -5 to 250 psig transmitter 3 of 3 Revision 13 November 14, 2003 HOAS Function H2 analyzer calibration gas pressure low o2 analyzer calibration gas pressure low H2 analyzer reagent gas pressure low o2 analyzer reagent gas pressure low H2 analyzer calibration gas flow 02 analyzer calibration gas flow H2 analyzer reagent gas flow o2 analyzer reagent gas flow HCGS-UFSAR TABLE 7.3-10 HYDROGEN/OXYGEN ANALYZER SYSTEM INSTRUMENTATION RANGES Instrument Instrument Pressure switch 4-100 psig Pressure switch 4-100 psig Pressure switch 4-100 psig Pressure switch 4-100 psig Flow indicating 20-250 cern controller Flow indicating 20-250 cern controller Flow indicating 0-60 cern controller Flow indicating 0-60 cern controller 1 of 3 Range Revision 13 November 141 2003 HOAS Function H2 analysis o2 analysis High H2 in analyzer High o2 in analyzer High hot box temperature Low hot box temperature Low o2 Low H2 High sealed volume pressure Low sealed volume pressure Sample inlet pressure HCGS-UFSAR TABLE 7.3-10 {Cant) Instrument Instrument Range Analysis indicatig 0-10 percent ( 1) transmitter 0-30 percent ( l) Analysis indicating 0-10 percent (1) transmitter 0-30 percent (l) Analyzer switch 0-10 percent Analyzer switch 0-10 percent Temperature switch 100-300°F Temperature switch l00-300°F Flow switch 2.5-8 psid Flow switch 2.5-8 psid Pressure switch 30 in. Hg vac -140 in. Hg abs Pressure switch A 30 in. Hg vac -140 in. Hg abs Pressure switch B 15 in. Hg vac -15 in. Hg abs Pressure indicator 0-100 psi 2 of 3 Revision 13 November 14, 2003 I HOAS Function Unused sample gas flow Analyzed H2 flow Analyzed o2 flow ( 1) Dual range . HCGS-UFSAR TABLE 7.3-10 Instrument Flow indicator Flow indicator Flow indicator 3 of 3 (Cent) Instrument Range 5-45 cfh air 20-250 cern 20-250 cern Revision 13 November 14, 2003 TABLE 7.3-11 THIS TABLE IS DELETED 1 of 1 HCGS-UFSAR Revision 12 May 3, 2002 TABLE 7.3-12 STATION SERVICE WATER SYSTEM INSTRUMENTATION RANGES SSWS Function Station service water pump flow Station service water pump lube water pressure Station service water strainer high differential pressure SACS common discharge high pressure HCGS-UFSAR Instrument Differential pressure transmitter Pressure transmitter Differential pressure transmitter Pressure transmitter 1 of 1 Instrument Range 0-200 in. w.g. 0-20 psig 0-200 in. w.c. 0-20 psig Revision 13 November 14, 2003 I I SACS Function SACS expansion tank level SACS pump differential pressure SACS loop flow SACS supply, return side accumulator pressure HCGS-UFSAR TABLE 7.3-13 SAFETY AUXILIARIES COOLING SYSTEM INSTRUMENTATION RANGES Instrument Instrument Range Level transmitter Differential pressure transmitter Differential pressure transmitter Pressure transmitter 1 of 1 0-60 in w.g. 0-100 psid 0-627 in. w.c. 0-170 psig Revision 13 November 14, 2003 I PCIGS Function Instrument gas receiver low-low pressure Low lube oil pressure High lube oil temperature High compressor discharge temperature High cooling water temperature Low cooling water flow High discharge gas pressure Low suction pressure Instrument gas receiver high pressure HCGS-UFSAR TABLE 7.3-14 PRIMARY CONTAINMENT INSTRUMENT GAS SYSTEM INSTRUMENTATION RANGES Instrument Instrument Range Pressure switch Pressure switch Temperature switch Temperature switch Temperature switch Pressure switch Pressure switch Pressure switch Pressure switch 1 of 2 6-200 psig 1. 5-36 psig 3-100 psig 6-200 psig 0-30 in. Hg Abs 6-200 psig Revision 13 November 14, 2003 PCIGS Function Instrument gas receiver low pressure Compressor first stage discharge temperature Instrument gas receiver pressure HCGS-UFSAR TABLE 7.3-14 (Cant) Instrument Pressure switch Temperature switch Pressure transmitter 2 of 2 Instrument Range 6-200 psig 0-150 psig Revision 13 November 14, 2003 Reactor vessel low water level (l 1) Reactor vessel low water level (l 2) Reactor vessel low water level (L 3) Drywell high pressure Reactor vessel pressure Injection valve pressure (LPCJ) Main turbine inlet low steam pressure (run mode) Core spray pump discharge line flow RHR pump discharge line flow Main steam line high flow Main steam line high radiation Main steam line tunnel high Main steam line high pressure RWCU area high differential tenperature RWCU system high differential flow RWCU area high temperature Main control room air inlet plenun hfgh-hfgh radiation HCGS-UFSAR ( TABLE 7.3*15 VARIABLE MONITORED APPLICABILITY MATRIX FOR SYSTEM ACTUATED TO PROVIDE PROTECTIVE ACTIONS ECCS*CORE ECCS-HPCI ECCS-ADS SPRAY SYSTEM ECCS-LPCI PCRVICS CSCM SPCM PCIS CACS X X X X X X X X X X X X (8) X X X X X X (8) X X X X X X X X X X 1 of 2 Revision 8 septenmer 25, 1996 (

Reactor vessel low water level (L 1} Reactor vessel low water level (L 2) Reactor vessel low water level (L 3) Drywell high pressure Reactor vessel pressure Injection valve pressure {LPCIJ Main turbine inlet low steam pressure (run mode) Core spray pump discharge line flow RHR pump discharge line flow Main steam line high flow Main steam line high radiation Main steam line tunnel high temperature Main steam line high pressure RWCU area high differential temperature RWCU system high differential flow RWCU area high temperature Main control room air inlet plenum high-high radiation HCGS-UFSAR MCRHIS X X X TABLE 7.3-15 VARIABLE MONITORED APPLICABILITY MATRIX FOR SYSTEM ACTUATED TO PROVIDE PROTECTIVE ACTIONS FRVS/RBIS EASS-SSWS X X X X X la of 2 EASS-SACS X X X EASS-CLASS 1E {3) POWER SYSTEMS HPCI/RCIC ISOLATION {10) X I I I Revision 12 May 3, 2002 Reactor building high radiation SLC system actuation Non-regenerative heat exchanger high outlet temperature Main condenser low vacuum (trip) Reactor chamber Suppression chamber/drywell high differential pressure SSWS pump low flow SACS loop low flow Control area chilled water pump auto start signal ECCS-HPCI abbreviations: ECCS-ADS TABLE 7.3-15 VARIABLE MONITORED APPLICABILITY MATRIX FOR SYSTEM ACTUATED TO PROVIDE PROTECTIVE ACTIONS ECCS-CORE SPRAY SYSTEM ECCS-LPCI PCRVICS (4) X (4) (9) X X CSCM SPCM emergency core cooling system -high pressure coolant injection emergency core cooling system -automatic depressurization system PCIS X CACS (5) X { 6) X ECCS-HPCI ECCS-ADS ECCS-LPCI PCRVICS CSCM SPCM emergency core cooling system low coolant injection mode (of the residual heat removal system) PCIS CACS MCRHIS primary containment and reactor isolation control systems (residual heat removal} containment spray cooling mode (residual heat removal) suppression pool cooling mode primary containment isolation systems containment atmosphere control system main control room habitability and isolation systems FRVS/RBVIS filtration, recirculation, and ventilation system/reactor building ventilation, isolation system EASS-SSWS essential auxiliary supporting system -station service water system EASS-SACS essential auxiliary supporting system -safety auxiliary cooling system PCIGS primary containment instrument gas system EACS {engineered safety feature systems) equipment area cooling system (2) Deleted. (3} See chapter 8 for identification of variable monitored. (4) RWCU system only. {5) See Section 7.3.1.1.6.2 for system description. (6) See Section 7.3.1.1.6.1 for system description. (7) Manual initiations are not included in this table. (81 Permissive. (9} Not to be considered an ESF actuation unless in conjunction with associated accident condition signals (10) Turbine Exhaust Vacuum Breaker Isolation Only, with Low Steam Supply Pressure Signal 2 of 2 HCGS-UFSAR Revision 17 June 23, 2009 I Reactor building high radiation SLC system actuation Non-regenerative heat exchanger high outlet temperature Main condenser low vacuum (trip) Refueling floor area high radiation SSWS pump low flow SACS loop low flow Control area chilled water pump auto start signal HPCI/RCIC high Turbine Exhaust Diaphragm Pressure HPCI/RCIC high Area Differential Temperature HPCI/RCIC high Area Temperature HPCI/RCIC high Steam Flow HPCI/RCIC low Steam Supply Pressure HCGS-UFSAR MCRHIS TABLE 7.3-15 VARIABLE MONITORED APPLICABILITY MATRIX FOR SYSTEM ACTUATED TO PROVIDE PROTECTIVE ACTIONS FRVS/RBIS X X EASS-SSWS X X (9) X EASS-SACS X X ( 9) X {9) X 2a of 2 EASS-CLASS lE (3) POWER SYSTEMS HPCI/RCIC ISOLATION (9) X (9) X (9} X (9) X (9) X I Revision 17 June 23, 2009 Table 7.3-16 ISOLATION SYSTEM INSTRUMENTATION RESPONSE TIME Trip Function 1. Primary Containment Isolation a. Reactor Vessel Water Level 1) Low Low, Level 2 2) Low Low Low, Level 1 b. Drywall Pressure -High c. Reactor Building Exhaust Radiation -High d. Manual Initiation 2. secondary containment Isolation a. Reactor Vessel Water Level -Low Low, Level 2 b. Drywell Pressure -High c. Refueling Floor Exhaust Radiation -High (2) d. Reactor Building Exhaust Radiation -High (2) e. Manual Initiation 3. Main Steam Line Isolation Response Time <Seconds> tl} NA NA NA NA NA NA NA .:S 4.0 .:S 4.0 NA a. Reactor Vessel Water Level -Low Low Low, Level 1 s 1.0 (3} (4) NA b. Main Steam Line Radiation -High, High c. Main steam Line Pressure -Low d. Main Steam Line Flow -High e. Condenser Vacuum -Low f. Main Steam Line Tunnel Temperature -High g. Manual Initiation 4. Reactor Water Cleanup System Isolation a. RWCU A Flow -High b. RWCU A Flow -High, Timer c. RWCU Area Temperature -High d. RWCU Area Ventilation A Temperature -High e. SLCS Initiation f. Reactor Vessel Water Level -Low Low, Level 2 g. Manual Initiation s. Reactor Core Isolation Cooling System Isolation a. RCIC Steam Line A Pressure (Flow) -High b. RCIC Steam Line A Pressure (Flow) -High, Timer c. RCIC Steam Supply Pressure -Low d. RCIC Turbine Exhaust Diaphragm Pressure -High e. RCIC Pump Room Temperature -High f. RCIC Pump Room Ventilation Ducts A Temperature -High g. RCIC Pipe Routing Area Temperature High h. RCIC Torus Compartment Temperature -High i. Drywall Pressure -High j. Manual Initiation 1 of 2 HCGS-UFSAR .:S 1.0 (3) (4) .:S 0.5 (3) (4) NA NA NA NA NA NA NA NA NA NA HA NA RA NA NA NA NA NA NA NA Revision 8 September 25, 1996 Table 7.3-16 (Continued)

ISOLATION SYSTEM INSTRUMENTATION RESPONSE TIME Response Time Trip Function (Seconds) (1)

6. High Pressure Coolant Injection System Isolation
a. HPCI Steam Line Pressure (Flow) - High NA b. HPCI Steam Line Pressure (Flow) - High, Timer NA c. HPCI Steam Supply Pressure - Low NA d. HPCI Turbine Exhaust Diaphragm Pressure - High NA e. HPCI Pump Room Temperature - High NA f. HPCI Pump Room Ventilation Ducts Temperature

- High NA g. HPCI Pipe Routing Area Temperature - High NA h. HPCI Torus Compartment Temperature - High NA i. Drywell Pressure - High NA j. Manual Initiation NA 7. RHR Shutdown Cooling Mode Isolation

a. Reactor Vessel Water Level - Low, Level 3 NA b. Reactor Vessel (RHR Cut

-in Permissive)

Pressure - High NA c. Manual Initiation NA Notes:

(1) Isolation system instrumentation response time specified for the Trip Function actuating each valve group shall be added to isolation time shown in Technical Specification Table 3.6.5.2-1 for valves in each valve group to obtain ISOLATION SYSTEM RESPONSE TIME for each valve.

(2) Radiation detectors are exempt from response time testing. Response time shall be measured from detector output or the input of the first electronic component in the channel.

(3) Isolation system instrumentation response time for MSIVs only. No diesel

generator delays assumed for MSIVs.

(4) Sensor is eliminated from response time testing for MSIV actuation logic circuits. Response time testing and conformance to the administrative limits for the remaining channel including trip units and relay logic are

required.

2 of 2 HCGS-UFSAR Revision 22 May 9, 2017

Table 7.3-17 EMERGENCY CORE COOLING SYSTEM RESPONSE TIMES (1) Response Time fSecondsl 1. core Spray System s 2 7 ( 2) 2. Low Pressure Coolant Injection Mode of RHR System s 40 (2) 3. Automatic Depressurization System NA 4. High Pressure Coolant Injection System s 35 (2) 5. Loss of Power NA Notes: ( 1) The time delay relays in the Response Time Test loops require response verification through calibration. (2) ECCS actuation instrumentation is from response testing. 1 of 1 HCGS-UFSAR Revision 8 September 25, 1996 Figure F7.3-1 intentionally deleted. Refer to Vendor Technical Document PN1-E41-1030-0064 for all sheets in DCRMS HCGS-UFSARRevision20May 9, 2014 Figure F7.3-2 SH 1-6 intentionally deleted. Refer to Plant Drawing J-55-0 sheets 2, 4, 4A, 5, 6, and 7 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-3 SH 1-4 intentionally deleted. Refer to Vendor Technical Document PN1-B21-1030-0021 for all sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-4 SH 1-3 intentionally deleted. Refer to Plant Drawing J-41-0 sheets 6, 11 and 12 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-5 SH 1-2 intentionally deleted. Refer to Vendor Technical Document PN1-E21-1030-0001 for both sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-6 SH 1-3 intentionally deleted. Refer to Plant Drawing J-52-0 sheets 3, 4 and 10 in DCRMS HCGS-UFSARRevision20May 9, 2014 Figure F7.3-7 SH 1-4 intentionally deleted. Refer to Vendor Technical Document PN1-E11-1030-0020 for all sheets in DCRMS HCGS-UFSARRevision20May 9, 2014 Figure F7.3-8 SH 1-13 intentionally deleted. Refer to Plant Drawing J-51-0 sheets 3, 3A, 4, 4A, 7, 7A, 10, 10A, 11, 11A, 12, 12A and 25 in DCRMS HCGS-UFSARRevision20May201 49, Figure F7.3-9 SH 1 intentionally deleted. Refer to Vendor Technical Document PN1-G33-1020-0416 in DCRMS HCGS-UFSARRevision20May 9, 2014 Figure F7.3-10 intentionally deleted. Refer to Plant Drawing J-44-0 SH 5 in DCRMS HCGS-UFSARRevision20May 9, 2014 ISOLATION TRIP SYSTEM A L CHANNEL A A-C POWER !REACTOR PROTECTION SYSTEM BUS A OR INST. A-C BUS A) .iA __ -,-__ ....J.... I --I--6 LOGIC A1 I I I _j CHANNEL C _ic I INSTRUMENT CHANNELS l --I-I . } INPUTS FROM { OTHER I INST. CHANNELS --::r:::-LOGIC A2 1 ISOLATION LOGICS I ISOLATION ACTUATORS I 1 ISOLATION TRIP SYSTEM B r L _J CHANNEL B --, I o I _j CHANNEL 0 A-C POWER (REACTOR PROTECTION SYSTEM BUS B OR INST. A-C BUS B) _io ---I--I I -I----I--6 6 LOGIC Bl LOGIC 82 FROM AC POWER RPS MG SET A FROM AC POWER RPS MG SET B FROM AC POWER RPS MG SET A FROM AC POWER RPS MG SET B j_A1 IA2 J INBOARD VALVES (OIV. 1) j_} 81 TRIP I ACTUATOR JB2 LOGICS j_A1 IA2 J OUTBOARD VALVES (DIV.2) _.L IB2}TRIP ACTUATOR JBl LOGICS REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION ISOLATION CONTROL SYSTEM FOR MAIN STEAM LINE ISOLATION VALVES UPDATED FSAR FIGURE 7.3-11 r I I L CHANNEL A A-c POWER I REACTOR PROTECTION SYSTEM BUS A OR A*C POWER) .:LA --I--_j CHANNEL C J:.c --I-I I --I----::r::-6 6 LOGIC A1 LOGIC A2 INBOARD VALVES VALVE CONTROL POWER I \ I I I I CHANNELS I r L CHANNEL B lB } INPUTJ FROM { -I-OTHER ::r: TRIP CHANNELS -I-_ ISOLATJN LOGICS 6 I LOGIC 81 L...i!--J _j CHANNEL D A*C POWER (REACTOR PROTECTION SYSTEM BUS B OR A-C POWER) --:E--I --I--6 LOGIC 82 l VALVECONTROLPOWER ,---, ,---, I T1 I I I T2 I I I K1 I MOTOR CONTROLLERS I I I L ___ _j L ___ _l MOTOR CONTROLLER l MOTOR CONTROLLER PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION ISOLATION CONTROL SYSTEM USING MOTOR-OPERATED VALVES UPDATED FSAR FIGURE 7.3-12

-. . . . . -IF .. . i . i . l ' i -..-. .. aa & ... a &!k .. -.a--. .. -rftfft'IAft I' I I fttACTOR VESSEl AA"-1 .& ... A.ft.IILt .. ftiJII!Ii.1 .... ._. *aLIL.._ I Wt..JIIW .............., I ftLJL aT 3: I 11!""---------_. .. _.,._ .. ;;F __ _. .. ",..,.. ... -... --1 ' ... -. *--* .. -*-**ilL ... IIi .. _ a.11t:nu va.* """.,.. *--.. *-....... ...-.---***-** ..... --....... ____ _ ........ .. ,., .. SENSED ----...... .... .i .i 1 _I 1 ENGINEERED SAFETY FEATURES ,." .. ..-n,...l r A ........... ft. A I nvb-* nU"rn!;,. I"' J IYn!! . . . . . . . . . . . . . . . = I ! 11DP!RVL1 I ' . -. *------...._ ......... , ............ .. ._ ._ .... . _......._ __ _____ ...._ ... ...._ ...... ...._ _ __. -L ATI .... LaJ ** .. t-r.. t .._, ... ._...., .,... .. ..,,. ** . . . . . . ' -------___ ....__&___ ____ ....:__ _____ ............... __ JI. ______________ ......__...._ ___ _, _ _. _________ ._.., ______ __.-;11 _________________ .._ ___ _ ---. . . . . . ........ POWER . . . . . RAO!AT!C-N . . RiiRHiAFRH!HDPlRVL2 .-. . . . . I i -.. . ESF . . r ....... l:"n * ---_--------* . . . . . TO REACTOR &U!LD!HG ---.. ail II .aT,,...., g .,...,.,.,._.,.....' ,.._....., .. .., ................... .. --. ------...... ___ _.._ ---... -----* ....... ..,Ia&-.._...__.. I"E .... I ..... _. ............ ',... ..... lr"Y ................ ...,.. ... ** ...,. ** ._, .. t W_..L.WI!:. £SF ... _.,=, . . . . . . ... -. ----. . . . -. ,.-. . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . t t t .. ,.... t .. 1 r--fSF LOGIC l nL>r tn YL'

  • EME r I'OWEP. .. ............. .. ........ ,_,. . .. .. I :=.*=.: t . . . J ' ___ --.. . I f1L1t'/HVL1 .I . . . J --___ ., __ -. .. I" II f ...... , . --"""** .... ..,._ OF ISCLATIOP..J SIGrJAL ABBREViATiONS --_ ....... .-.---* .. _ .................... 1 L.J: A Ll"l II I I ll.lt.l * .;;; W' .0...1 II 0. I I I IRI .. I .. ... 1 "'11 .,..U' ..... ..., .... -w-* .,.... ....... r---. * * -* .. * ** -* * -----_________ ...... -.. ftPft&..J ftr"rllrl lll.ll':! t:::l .,,-,g Dl'\.1,11\ I 1*11U .......... .... .-.,,.,"".,.... * '""" ...... ..,,._. * -------------.-.. ..... --... ----'._ ....... _. :1 .... W'-11 IN VI-':."IL ..... r-1 I. rvrt *&. --... -** ... --------......... -.... -.... .... fl __ _ ..... .RW .. JIII:!I'IIo.!ltio....111111t. *--** ---__ .. _____ _ .... ......::: .. v.. -* IIIII!". _ .. ._... 0 A.DftiL 11, 1985 **1n1 1.1'1 L'tr.'ftl .. tn.r Pa .. .,..,...,._.,... * .. .., A ** --**-* ..... ,. rUDLtl .... .a1:.n Vllal: 1:1 1:"1 .. 1 ftal .. A-li.l 1*&.!'11111. *:11-*.a* W . -----------------* ........ ._ .. .,. .... _ ._ .... ._ ---**** r"lll** * , ____ ----** -***-----------.... _____ --------,.. ...... .... *111 ... 1 Ja.AU ........ &.III.TI-1.: .. ** _,_ -**--*' **-* .. .. l.,.l'*qv YI"IIU,. ......... ............................. _ ... __ ............ " ... .., *** n.:l ...... ft.ll * , ... III"II I """"I"'W I ,...._IIWIWI ... t* I ... _ ... --*--* -**----.. L1 I It: .... I._,.,. * ._,-, I I,...... ** ._. ' ""' I ._, .. , I R......_._ A ...... P"' ..... -ft & .... I r"ll ....,..,... *r..r-... ,.. ........ Plt*&*...-r I .'11..1_._ ---.,...,...... .... -.,...,...,.,...... . *--* *-...... *-

Figure F7.3-14 SH 1-5 intentionally deleted. Refer to Plant Drawing J-57-0 sheets 3, 4, 6, 7 and 8 in DCRMS HCGS-UFSARRevision20May 9, 2014 Figure F7.3-15 SH 1-2 intentionally deleted. Refer to Plant Drawing J-58-0 sheets 3 and 4 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-16 SH 1-10 intentionally deleted. Refer to Plant Drawing H-89-0 sheets 2, 3, 5, 6, 7, 10, 11, 12, 14, and 15 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 THIS FIGURE HAS BEEN DELETED PSEG NUCLEAR L.L.C. HOPE CREEK GENERATING STATION HOPE CREEK UFSAR -REV 12 SHEET 1 OF 1 May 3, 2002 F7.3-17 Figure F7.3-18 SH 1-7 intentionally deleted. Refer to Plant Drawing H-83-0 sheets 4, 5, 6, 8, 11, 13 and 14 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-19 SH 1-3 intentionally deleted. Refer to Plant Drawing H-84-0 sheets 3, 4 and 7 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-20 SH 1-17 intentionally deleted. Refer to Plant Drawing J-10-0 sheets 2-11, 13, 15, 18, 19, 20, 25 and 28 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-21 SH 1-12 intentionally deleted. Refer to Plant Drawing J-11-0 sheets 2-9, 14, 15, 26 and 33 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-22 SH 1-3 intentionally deleted. Refer to Plant Drawing J-59-0 sheets 2, 5 and 6 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-23 SH 1-6 intentionally deleted. Refer to Plant Drawing H-90-0 sheets 2-7 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-24 SH 1-5 intentionally deleted. Refer to Plant Drawing H-88-0 sheets 4, 5, 6, 9 and 10 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-25 SH 1-3 intentionally deleted. Refer to Plant Drawing H-95-0 sheets 2, 3 and 9 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-26 SH 1-8 intentionally deleted. Refer to Plant Drawing J-102-0 sheets 2-9 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-27 SH 1-10 intentionally deleted. Refer to Plant Drawing J-105-0 sheets 2-11 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.3-28 SH 1-3 intentionally deleted. Refer to Plant Drawing J-107-0 sheets 2, 3 and 4 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014

7.4 SYSTEMS

REQUIRED FOR SAFE SHUTDOWN 7.4.1 Description This section describes instrumentation and control systems associated with systems used to achieve and maintain a safe shutdown condition of the plant. The description is limited to those features that are unique to safe shutdown and not directly related to accident mitigation. The section discusses the instrumentation and controls of the following systems: 1. Reactor Core Isolation Cooling (RCIC) System 2. Standby Liquid Control (SLC) System 3. Residual heat removal reactor shutdown cooling mode (RHR-RSCM) 4. Remote shutdown facility (RSF) 5. Essential Auxiliary Supporting (EAS) System. The sources that supply power to the safe shutdown systems originate from onsite ac/dc safety-related buses. Refer to Section 8 for a complete discussion of the safety-related power sources. 7.4.1.1 Reactor Core Isolation Cooling System 7.4.1.1.1 Function The RCIC system consists of a turbine, pump, piping, valves, accessories, and instrumentation designed to ensure that sufficient reactor water inventory is maintained in the reactor vessel, thus ensuring continuity of core cooling. Reactor vessel water is 7.4-1 HCGS-UFSAR Revision 0 April 11, 1988 maintained or supplemented by the RCIC system during the following conditions: 1. When the reactor vessel is isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system. 2. When a complete plant shutdown under conditions of loss of normal feedwater system is started before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation. On a network basis, the high pressure coolant injection (HPCI) is a backup to RCIC for the safe shutdown function. RCIC, as a system by itself, is not required to be redundant, although the instrument channels are redundant for operational availability purposes. While no initiating signal diversity exists within the RCIC system, there does exist system level diversity with the HPCI system for plant conditions identified in Section 15. 7.4.1.1.2 Operation When actuated, the RCIC system pumps water from either the condensate storage tank (CST) or the suppression pool to the reactor vessel. The RCIC system includes one turbine, one turbine driven pump, one barometric condenser, one gland seal system dc powered vacuum pump, one dc powered vacuum tank condensate pump, automatic valves, control devices for this equipment, sensors, and logic circuitry. A schematic arrangement of equipment and control devices is shown on the RCIC piping and instrumentation diagram (P&ID), Plant Drawings M-49-1 and M-50-1. The RCIC system is initiated automatically after the receipt of a reactor vessel low-water level (L2) signal and produces the design flow rate within 30 seconds. The system then functions to provide design makeup water flow to the reactor vessel until the amount of 7.4-2 HCGS-UFSAR Revision 20 May 9, 2014 water delivered to the vessel is sufficient to restore vessel level, at which time (at L8 level) the RCIC system automatically shuts down. The controls are arranged to allow remote manual startup, operation, flow control, and shutdown. Reactor vessel low-water level is monitored by four level transmitters that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the reactor vessel. Each transmitter supplies a signal to trip units (an electronic switch that may be set to trip at various signal levels) that energize relays for control logic arranged in a one out of two twice logic. High water level in the reactor vessel indicates that the RCIC system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in gross carryover of moisture. The Terry turbine is capable of receiving water carryover from its steam supply line without sustaining damage; however, operating experience has demonstrated that water carryover transients and steam condensing transients have resulted in loss of system operability due to control system problems and turbine overspeed trips. To prevent this, a high water level trip is used to initiate closure of the RCIC steam supply valve to shut off the steam to the turbine and stop RCIC operation. The system will automatically reinitiate when the water level decreases to the reactor water level trip point. Four level transmitters and trip units that sense differential pressure are arranged in a one out of two twice logic to initiate a turbine shutdown. To allow testing of the RCIC system at low reactor pressures, the Level 8 trip can be bypassed with a keylocked switch. This switch is located in the lower control equipment room on the RCIC relay panel. Continuous indication of this bypass is provided in the main control room. Level transmitters used for the initiation of the RCIC system are located on instrument racks outside the drywell but inside the Reactor Building. The only operating components of the RCIC system that are located inside the drywell are the inboard steam line isolation valve and the steam line warm-up line isolation valve. 7.4-3 HCGS-UFSAR Revision 16 May 15, 2008 Trip units are located in the control equipment room. The sensing lines for the transmitters are physically separated from each other and tap off the reactor vessel at widely separated points. If the water level in the CST falls below a predetermined level, the suppression pool suction valve automatically opens. When the suppression pool suction valve is fully open, the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can automatically cause suction transfer. To prevent losing suction to the pump, the two suction valves are interlocked so that one suction path must be open before the other closes. See Plant Drawing J-49-0, Sheets 5, 5A, and 6 for valve operation logic. The only heat tracing required to be installed on safety-related instrument sensing lines at HCGS for the purpose of protecting the sensing line from freezing in cold weather is that heat tracing installed on the level sensing line from the condensate storage tank to the reactor building. This heat tracing is powered from a highly reliable standby diesel generator backed non-1E power source and is equipped with an alarm monitoring circuit which detects loss of power to the heat tracing or loss of thermostat. The non-1E battery-backed power supply for the alarm circuit is separate from the heat tracing power supply. The sensing line will also be supplied with an RTD to monitor the temperature of the process fluid in the sensing line where the sensing line is exposed to the severe weather conditions. This temperature indication and associated alarm will be available in the main control room via the plant computer. In the unlikely event that the analog output of the installed RTD becomes unavailable, administrative procedures will provide for verification that the sensing line is not in danger of freezing. Administrative controls will include requirements for verifying operability of the environmental control and monitoring systems at least once per year prior to the onset of freezing weather. 7.4-4 HCGS-UFSAR Revision 20 May 9, 2014 Heaters are not used in any HCGS safety-related panel to control humidity and/or temperature. One of the RCIC pump suction automatic switchover level switches is also used to provide CST low-low level indication at the remote shutdown panel (See Section 7.4.1.4.5.2) The RCIC turbine is functionally controlled as shown on the RCIC functional control diagram (FCD), Vendor Technical Document PN1-E51-1030-0061. The Turbine Governor Control System limits the turbine speed and adjusts the turbine steam control valve so that design pump discharge flow rate is obtained. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the RCIC system pump discharge line. The turbine is automatically tripped and the throttle valve closed if any of the following conditions are detected: 1. Turbine overspeed 2. High turbine exhaust pressure 3. Low pump suction pressure 4. Auto-isolation signal a. High area temperature b. Steam line high differential pressure or instrument line break c. Steam supply pressure low d. Exhaust diaphragm high pressure. 5. Reactor vessel high water level 7.4-5 HCGS-UFSAR Revision 20 May 9, 2014 Instrument ranges for the RCIC system controls and instrumentation are listed in Table 7.4-1. 7.4.1.1.3 Testability A design flow functional test of the RCIC system may be performed during normal plant operation by drawing suction from the CST and discharging through a full flow test return line to the CST. The discharge valve to the reactor vessel remains closed during the test, and reactor operation remains undisturbed. All components of the RCIC system are capable of individual functional testing during normal plant operation. Control system design provides automatic return from the test mode to operating mode if system initiation is required during testing. With the following exceptions, test controls are arranged so that the system can automatically fulfill its safety functions: 1. Flow controller in manual mode 2. Operator initiated closure of either or both inboard/outboard isolation valves. An alarm sounds when the valves are in any position other than fully open 3. Test plug inserted and test switch in position to interlock discharge valves. Out-of-service annunciator alarms in the main control room to indicate system in "test" mode. 7.4.1.2 Standby Liquid Control System 7.4.1.2.1 Function The Standby Liquid Control (SLC) System is an independent backup system for the control rod drive system. The SLC system is capable of shutting down the reactor from a full power condition, and maintaining it subcritical until the cold shutdown condition is 7.4-6 HCGS-UFSAR Revision 0 April 11, 1988 achieved, without control rod movement. The SLC system is not required to scram the reactor or operate when the reactor has been shut down by the control rod drive system. In the event of an ATWS, injection of the sodium pentaborate solution can be initiated manually by the operator or it is initiated automatically by the redundant reactivity control system (RRCS). The instrumentation and controls for the SLC system are designed to initiate and continue injection of a liquid neutron absorber into the reactor when manually and/or automatically called upon to do so. This equipment also provides the necessary controls to maintain this liquid chemical solution well above saturation temperature in readiness for injection. The SLC system process equipment, instrumentation, and controls essential for injection of the neutron absorber (sodium pentaborate solution) into the reactor is designed to withstand Seismic Category I earthquake loads. Any nondirect process equipment, instrumentation, and controls of the system, e.g., ventilation and drain lines, test piping, and test tank, are not required to meet Seismic Category I requirements; however, the local and main control room mounted equipment is located in seismically qualified panels. The SLC system is designed such that loss of plant instrument air, a plant load rejection, or a main turbine trip will not prevent the completion of any required safety function. 7.4.1.2.2 Operation The SLC system is a special event plant shutdown system. No single active component failure (SACF) of any plant system or component would necessitate the need for the operational function of the SLC system. It is included for a number of special consideration events: 1. Plant capability to shut down the reactor from normal operation without control rods, Section 15 7.4-7 HCGS-UFSAR Revision 0 April 11, 1988

2. Plant capability to shut down the reactor from a transient incident without control rods, Section 15 Although this system has been designed to a high degree of reliability with many safety system features, it is not required to meet the safety design requirements of the safety systems. The SLC system is not designed for use as a safety system because of the large number of independent control rods available to shutdown the reactor which provide adequate redundancy. See Sections 9.3.5 and 15.8 for additional system information not contained in Chapter 7. While the injection portions of the SLC systems have been designed electrically as a Class 1E, redundant system, certain safety system design bases are not required and have not been incorporated in the design (e.g., there is no system level redundancy; that is, there is only one tank and one injection point and the heaters are nonredundant and are not Class 1E). The controls and instrumentation required to perform the injection function are redundant and the logic circuitry and instrumentation are separated into Channels A and B so that the failure of any single electrical component will not prevent injection. The injection logic circuitry including the initiation switches, pumps, and squib valves as well as inputs from RRCS are redundant, Class 1E, and electrically and physically separated. Details of the electrical design are contained in the SLC system elementary diagram (791E409AC). A schematic arrangement of equipment and control devices is shown on the SLC system P&ID, Plant Drawing M-48-1. SLC system control logic is shown on Plant Drawing M-49-0. Each redundant portion of the SLC system is initiated from the main control room in the same fashion. A keylocked switch is turned clockwise to the "on" position and an interlocked "start" pushbutton switch is depressed. Both loops of the SLC system are automatically initiated by the Redundant Reactivity Control System (RRCS) after a time delay, 7.4-8 HCGS-UFSAR Revision 20 May 9, 2014 provided that APRM power is not downscale. This automatic initiation signal will override the manually initiated pushbutton control switch; however, the manual shutoff signal will override the automatic initiation signal. Section 7.6.1.7 describes the automatic initiation of SLC system by the RRCS. When either SLC system switch is actuated to inject liquid neutron absorber into the reactor, the following devices are actuated: 1. One of the two explosive valves is fired 2. Either the inboard or outboard reactor water cleanup (RWCU) isolation valve closes 3. One of the two injection pumps is started 4. The pressure sensing equipment indicates that the SLC system is pumping liquid into the reactor. The SLC system is separated both physically and electrically from the Control Rod Drive (CRD) System. The SLC system instrument channels are separated in accordance with the requirements of Regulatory Guide 1.75. The redundant active components of the SLC system are physically and electrically separated. 7.4.1.2.3 Testability The SLC system is fully testable, with the exception of the explosive valves, during normal operation. Full system testing, by injection of demineralized water into the reactor pressure vessel (RPV), is performed during shutdown or refueling operations. 7.4-9 HCGS-UFSAR Revision 9 June 13, 1998 7.4.1.3 RHR/Reactor Shutdown Cooling Mode 7.4.1.3.1 RHR-RSCM Function The RHR-RSCM, discussed in Section 5.4.7.2, is used during a normal reactor shutdown or for long term cooling after vessel water level has been restored and pressure reduced following accident conditions. The RHR-RSCM consists of equipment designed to provide decay heat removal capability for the core by accomplishing the following: 1. Reactor cooling during shutdown operation after the vessel pressure is reduced to approximately 100 psig. 2. Cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished. 7.4.1.3.2 RHR-RSCM Operation See Section 5.4.7 for a complete description of the RHR-RSCM operation. 7.4.1.4 Remote Shutdown System 7.4.1.4.1 Remote Shutdown System Function The Remote Shutdown System (RSS) provides the means for achieving and maintaining safe shutdown conditions from outside the main control room in the unlikely event the main control room becomes uninhabitable. 7.4-10 HCGS-UFSAR Revision 14 July 26, 2005 The primary control station for the RSS is the remote shutdown panel (RSP). In the event of a failure at the RSP, sufficient redundant safety grade instrumentation and controls are available remote from both the main control room and the RSP to ensure that safe shutdown of the reactor can be achieved. The systems for which the RSP provides remote instrumentation and controls to accomplish this function are as follows: 1. RCIC - See Section 7.4.1.1. 2. RHR system (loop B) - See Sections 7.3.1.1.4 and 7.4.1.3. 3. Safety Auxiliaries Cooling System (SACS) (loop B) - See Section 7.3.1.1.11.2. 4. Station Service Water System (SSWS) (loop B) - See Section 7.3.1.1.11.1 5. Reactor Building Ventilation Systems (RBVS) (non-Class 1E) - See Section 7.3.1.1.11.6.1 6. Control Area Chilled Water System (CACWS) (loop B) - See Section 7.3.1.1.11.5 7. Nuclear boiler instrumentation - See Plant Drawings M-41-1, M-42-1 and M-55-1, and Table 7.4-2 8. Portions of the Fuel Pool Cooling System (FPCS) - See Section 9.1.3. 9. Main steam line safety/relief valves (manual actuation) - see Section 5.2.2. 7.4-11 HCGS-UFSAR Revision 20 May 9, 2014 Should operation of any of these systems become unavailable at the RSP due to some equipment fault or failure, the following systems can be utilized to effect safe reactor shutdown remote from the main control room: 1. HPCI - See Section 7.3.1.1.1.1. 2. RHR System (loop A) - See Sections 7.3.1.1.4 and 7.4.1.3 3. SACS (loop A) - See Section 7.3.1.1.11.2 4. SSWS (loop A) - See Section 7.3.1.1.11.1 5. CACWS (loop A) - See Section 7.3.1.1.11.5 6. Nuclear boiler instrumentation - See Plant Drawings M-41-1, M-42-1 and M-55-1, and Table 7.4-3. 7. Main steam line safety/relief valves (manual actuation - See Section 5.2.2. 7.4.1.4.2 RSS Power Sources Essential RSS instrumentation and controls are supplied power from the Class 1E buses which are backed by the standby diesel generators (SDGS) 7.4.1.4.3 RSS Equipment Design 7.4.1.4.3.1 General The design of the RSF is in accordance with seismic qualification requirements for Seismic Category I. The divisionalization and separation of safety-related systems and their components is provided for by the design of the panel in accordance with the requirements of Regulatory Guide 1.75. 7.4-12 HCGS-UFSAR Revision 20 May 9, 2014 The RSP itself is not designed to be single failure proof; however, sufficient accessible redundant safety grade indications and controls are available remote from the main control room to safely bring the reactor to the cold shutdown condition. This redundant instrumentation is identified in Table 7.4-3. A loss of offsite power (LOP) concurrent with the evacuation of the main control room has been considered in the RSS design and will not inhibit the ability to achieve cold shutdown remote from the main control room. 7.4.1.4.3.2 RSS Circuit Description For detailed circuit description, refer to the discussions of the individual systems identified in Section 7.4.1.4.1. 7.4.1.4.3.3 RSS Logic and Sequencing For further discussion of logic and sequencing, refer to individual systems identified in Section 7.4.1.4.1. 7.4.1.4.3.4 RSF Bypasses and Interlocks To prevent inadvertent breach of the high pressure/low pressure boundary between the reactor vessel at operating pressure and the RHR system, three valves are interlocked by pressure switches to prevent their opening when reactor pressure is above RHR system design pressure. These valves are: 1. E11-HV-F008, outboard shutdown isolation 2. E11-HV-F009, inboard shutdown isolation 3. E11-HV-F015B, shutdown cooling injection 7.4-13 HCGS-UFSAR Revision 14 July 26, 2005 For other bypasses and interlocks, see individual systems identified in Section 7.4.1.4.1. 7.4.1.4.3.5 RSS Redundancy and Diversity The instrumentation and controls on the RSP are redundant to one train of safe shutdown systems in the main control room. Operation of the transfer switches on the RSP to the emergency position isolates only this train of safe shutdown systems from the main control room. Sufficient instrumentation and controls redundant to those at the RSP are available at the switchgear panels (shown on Plant Drawing P-0054-0) and the control equipment room (shown on Plant Drawing P-0053-0) such that no postulated single failure at the RSP can prevent achieving and maintaining (verifying) the reactor plant in a safe shutdown condition when the main control room is uninhabitable. No jumpering, rewiring, or disconnection of circuits will be required to accomplish this. The capability for local manual or remote manual operation of valves which must be repositioned to achieve cold shutdown has been provided. This ensures cold shutdown capability in the event of a failure to a valve remote control circuit in accordance with the requirements of GDC 19. In the event that the RSP is lost, the design provides for separate equipment independent of that in the RSP. This equipment is presented in Table 7.4-3 and all is designed in accordance with Class 1E requirements. 7.4-14 HCGS-UFSAR Revision 20 May 9, 2014 7.4.1.4.3.6 RSS Actuated Devices Operation of the RSP transfer switches to the emergency position will initiate signals to close or open certain valves to facilitate safe shutdown. These valves and their after transfer positions are identified on Table 7.4-2. ECCS jockey pumps DR-228 (RHR loop B) and BP-228 (RCIC) are signaled to run on RSP transfer. Operation of the RSS equipment identified in Table 7.4-3 as being redundant to the equipment provided on the RSP is independent of the RSP transfer switches. 7.4.1.4.3.7 RSS Separation The RSS maintain full Regulatory Guide 1.75 separation criteria inside the RSP and conforms to both Regulatory Guide 1.75 and 10CFR50, Appendix R separation criteria outside of the RSP. 7.4.1.4.3.8 RSS Testability The RSS are designed to be operationally testable in accordance with the requirements of Regulatory Guide 1.68.2. Refer to Section 14 for the startup test program. 7.4.1.4.4 RSS Environmental Considerations Adequate environmental control capability is provided at the RSP room to produce a mild environment similar to that of the main control room. A description of the RSP-HVAC is provided in Section 9.4.3. 7.4-15 HCGS-UFSAR Revision 17 June 23, 2009 7.4.1.4.5 RSS Operational Considerations 7.4.1.4.5.1 RSS Description The RSS provides for remote control of the reactor systems needed to carry out the shutdown function from outside the main control room and bring the reactor to the cold shutdown condition in an orderly fashion. Those systems that are necessary to accomplish this function and for which controls and instrumentation are provided on the RSP are listed in Section 7.4.1.4.1 and are further defined here: 1. RCIC system to maintain reactor water level. 2. Safety relief valves and reactor pressure vessel (RPV) instrumentation to lower and monitor reactor vessel pressure, respectively. 3. RHR loop B for suppression pool cooling and shutdown cooling. 4. SACS loop B to supply cooling water to the RHR (B) heat exchanger, RCIC and RHR pump room coolers, RHR (B) motor oil and seal coolers, the SDG cooling loads, and other necessary loads. 5. SSWS loop B to supply cooling water to the SACS loop B heat exchangers. 6. Reactor containment and suppression pool monitoring instrumentation. 7. Control area chiller B for cooling various ESF equipment rooms and the main control room. 7.4-16 HCGS-UFSAR Revision 17 June 23, 2009
8. Safety-related panel chiller B for cooling the technical support center (TSC), RSP room, and the upper control equipment room. Table 7.4-2 is a listing of control and indicating devices on the RSP. The systems that might be needed to achieve safe shutdown remote from the main control room (in the event of a failure at the RSP) are identified in Section 7.4.1.4.1 and are further defined here: 1. HPCI system to maintain reactor water level. 2. Safety relief valves and reactor pressure vessel instrumentation to lower and monitor reactor vessel pressure, respectively. 3. RHR loop A for suppression pool cooling and shutdown cooling. 4. SACS loop A to supply cooling water to the RHR A Heat exchanger, HPCI and RHR pump room coolers, RHR A motor oil and seal coolers, the SDG cooling loads, and other necessary loads. 5. SSWS loop A to supply cooling water to the SACS loop A heat exchangers. 6. Alternate reactor containment and suppression pool monitoring instrumentation. 7. Control area chiller A for cooling various ESF equipment rooms and the main control room. 8. Safety-related panel chiller A for cooling the technical support center (TSC), RSP room, and the upper control equipment room. 7.4-17 HCGS-UFSAR Revision 0 April 11, 1988 Table 7.4-3 is a listing of alternative control and indicating devices (redundant to those provided at the RSP) available for achieving safe shutdown remote from the main control room in the event of a failure at the RSP. See Section 9.5.2.2.4 for a discussion of communications systems available for use at the RSF. Postulated conditions assumed to exist when the main control room becomes uninhabitable are as follows: 1. The plant is operating initially at or less than design power. 2. The plant is not experiencing or recovering from, any transient situations. The loss of offsite ac power is considered unlikely but credible; therefore, the RSP is powered from Class 1E power system buses and backup ac power will be automatically supplied by the SDGs. Manual controls for the SDGs are available in the Auxiliary Building at Elevation 130 feet (See Plant Drawing P-0054-0). 3. The plant is not experiencing any accident situations or seismic events. No design basis accident, including a loss-of-coolant accident, is assumed. 4. Specific circumstances that might actually lead to evacuation of the main control room are undefined. Examples of such hazards are fires and toxic gas releases. 5. All plant personnel have evacuated the main control room. 6. The cause of the evacuation is of such a nature that the control room operating personnel will have sufficient time to manually scram the reactor before leaving the main control room. As a backup procedure, manual trip of the circuit breakers for the Reactor Protection System (RPS) 7.4-18 HCGS-UFSAR Revision 20 May 9, 2014 logic provides the operator with the ability to scram the reactor from outside the main control room. 7. The event causing the main control room to be uninhabitable will not prevent access to the RSP room or other essential equipment areas that may have to be accessed. Further, any such event (other than a fire) would not result in consequential damage to or unavailability of systems required for safe shutdown. 8. If the reactor is not scrammed before leaving the control room and the MSIVs are still open, then the Feedwater system and the Turbine Bypass Valves may be regulating reactor level and pressure. The main turbine pressure regulator may be controlling reactor pressure via the bypass valves, however, the worst case is assumed and this function is considered not available. Therefore, main steam line isolation could occur at a specified low turbine inlet pressure or the operator may close the MSIVs by opening circuit breakers at the RPS panels (10C410 and 10C411). Reactor pressure is maintained below design pressure by the automatic cycling of the safety/relief valves which discharge to the suppression pool. The feedwater control system is also assumed to be unavailable and reactor water level must be maintained by operation of the RCIC system. In the event of a RCIC system failure, reactor water level will be maintained by the automatic operation of the HPCI system. 7.4.1.4.5.2 Procedure for Reactor Shutdown from Outside the Main Control Room The procedure shown in this section is solely for the purpose of demonstrating that the RSS are adequately designed to allow taking the reactor to a cold shutdown condition remote from the main control room. This procedure further assumes that all equipment installed at the RSP operates as designed. The plant operators will have detailed procedures to follow when actually performing a remote shutdown. These procedures will identify normal and alternate (redundant) means of achieving and maintaining (verifying) hot shutdown conditions, and ultimately 7.4-19 HCGS-UFSAR Revision 18 May 10, 2011 taking the reactor to a cold shutdown condition in accordance with the requirements of GDC 19. Upon determination of the need for main control room evacuation, the operator manually scrams the reactor from the unit operator's console prior to leaving the main control room. If time permits, prior to evacuating the main control room the operator should verify nuclear shutdown by scanning the rod position indication display for indication that the control rods have been inserted into the core and by observing downscale readings on the power and intermediate range Neutron Monitoring System recorders. Nuclear shutdown can be verified remote from the main control room by: 1. Observing the local nitrogen side pressure indicator for each hydraulic control unit scram accumulator for a low (post scram) pressure indication, or 2. By manually cycling a safety/relief valve from the RSP (after RSP takeover) and observing an appropriate cooldown as indicated by a reduction in steady state reactor pressure following the steam discharge. Pressure indication can be used since pressure and temperature are directly related in a saturated system. If the reactor were critical, pressure and, correspondingly, temperature would return to approximately their initial values since the reactor would see this evolution as a power transient. If the reactor was not scrammed and the MSIVs are still open, then opening the output breakers on feeders from RPS buses A and B located in the Auxiliary Building at the 54-foot elevation can be used to de-energize the reactor protection trip systems A and B as a backup means of scramming the reactor and closing the MSIVs. The operators will proceed to the RSP room, located approximately 48 yards from the main control room on the 137-foot level of the 7.4-20 HCGS-UFSAR Revision 16 May 15, 2008 Auxiliary Building, approximately a 2 minute walk. Access to the room is obtained by use of the security system card reader. Upon gaining access, the operator will determine the status of the reactor plant by observing the instrumentation displays provided on the RSP. Once the operator has ascertained current reactor plant conditions, (s)he may then transfer control of the equipment to the RSP. The four Class 1E safety channels and non-Class 1E channel are individually transferred with dedicated transfer switches. Transfer to the RSP will initiate a hot shutdown lineup with protective isolation. The transferred circuits will become inoperable from the main control room. RSP transfer is alarmed in the main control room to alert the operator in the event of an inadvertent or unauthorized RSP takeover. In addition to the five channelized transfer switches, there are dedicated transfer switches for each of the large pumps and compressors. These transfer switches may be used to manually sequence the loading of the SDGs from the RSP, in the event of the emergency load sequencer. If reactor water level dropped sufficiently to cause an automatic startup of the RCIC system prior to RSP takeover, the operator should verify proper operation of the system. If the RCIC system is not operating, the operator will manually start up the RCIC system and place it in operation. The operator will maintain reactor water level between the normal high and low alarm levels with the RCIC system. The reactor is now in a stable, hot shutdown condition with reactor pressure being maintained by manual or automatic cycling of safety/ relief valves (which discharge to the suppression pool) and reactor level being maintained by the RCIC system. From this condition, taking the reactor to cold shutdown involves manual cycling of the safety/relief valves to cool the reactor by discharging reactor steam to the suppression pool, thereby removing the decay heat generated by the reactor core. 7.4-21 HCGS-UFSAR Revision 8 September 25, 1996 The RCIC system is used to make up for reactor water inventory loss due to cooldown until steam pressure is too low to maintain the RCIC turbine in operation. The operator has sufficient instrumentation available to monitor the cooldown rate and will perform the cooldown at a rate not to exceed the maximum allowable cooldown rate for the reactor vessel. A 135,000 gallon reserve capacity is maintained in the CST for HPCI and RCIC use (see Section 9.2.6.2.1). This reserve will allow over 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> of RCIC operation at the design flow rate of 600 gpm. Three hours of RCIC operation is adequate to cool the reactor from the operating temperature to the RHR shutdown cooling initiation temperature, assuming a maximum cooldown rate of 100F/h. CST low-low level is displayed at the RSP by the illumination of an indicating lamp. The signal for this lamp originates from one of the two low-low level switches used to provide automatic RCIC pump suction switchover to the suppression pool in the event of a low CST level during normal operation (see Section 7.4.1.1.2). Automatic RCIC pump suction switchover is not provided when operating from the RSP and if further RCIC operation is desired, RCIC pump suction must be manually shifted to the suppression pool. The RHR system can be used in the suppression pool cooling mode to control temperature of the suppression pool water. Once reactor pressure has been lowered to the point where the RCIC turbine can no longer maintain operation (approximately 100 psig), the RHR system (Loop B) will be shifted from the suppression pool cooling mode to the shutdown cooling mode. This places the RHR heat exchanger directly into the reactor coolant flow loop. Reactor temperature is now maintained by controlling the amount of reactor coolant flow that passes through the RHR heat exchanger by adjusting the bypass flow around the heat exchanger. See Section 5.4.7.2.6. If offsite power is not available, the above procedure is modified as follows: Once reactor pressure has been lowered to the point where the RCIC turbine can no longer maintain operation (approximately 100 psig) the alternate shutdown cooling mode described in Section 15.2.9 is used. The alternate shutdown cooling mode in lieu of RHR B shutdown cooling mode uses the LPCI mode of RHR or Core Spray to fill up the reactor until the steam lines are flooded. One or more SRVs are opened so water flows out the relief valve and back to the suppression pool. 7.4-22 HCGS-UFSAR Revision 11 November 24, 2000 Monitoring and control of the SACS is provided to ensure that sufficient cooling water is provided to the RHR heat exchangers, RHR and RCIC room coolers, switchgear room coolers, and the SDGs. Monitoring and control of the SSWS is provided to ensure sufficient cooling water is provided to the SACS. The reactor plant is now in the cold shutdown condition and can be maintained in this condition as long as it is necessary or desired. 7.4.1.4.5.3 Main Control Room - RSS Interconnection Design Considerations Some of the existing systems used for normal reactor shutdown operation are also used in the RSS to shut down the reactor from outside the main control room. The RSS is designed to control the required shutdown systems from outside the main control room irrespective of shorts, opens, or grounds in the main control room control circuits that may have resulted from any event causing an evacuation. The functions needed for remote shutdown control from the RSP are provided with manual transfer devices that disconnect controls from the main control room and transfer them to the RSP. All necessary power supplies are also transferred. Operation of the transfer devices initiates an alarm in the main control room. The RSP is located outside the control complex. Access to this panel is administratively and procedurally controlled. 7.4.1.4.5.4 RSS Setpoints There is only one specific setpoint in the RSS: high-low pressure interlocks described in Section 7.4.1.4.3.4 7.4-23 HCGS-UFSAR Revision 8 September 25, 1996 7.4.1.5 Essential Auxiliary Supporting Systems for Safe Shutdown Systems 7.4.1.5.1 Station Service Water System Instrumentation and Controls The SSWS is essential for the operation of the shutdown cooling mode of the RHR system. Section 7.3.1.1 describes SSWS instrumentation and controls. Section 9.2.1 describes SACS equipment design. 7.4.1.5.2 Safety Auxiliaries Cooling System Instrumentation and Controls The SACS is essential for the operation of the shutdown cooling mode of the RHR system. Section 7.3.1.1 describes SACS instrumentation and controls. Section 9.2.2 describes SACS equipment design. 7.4.1.5.3 Class 1E Power Systems Class 1E power systems are essential for the operation of all safe shutdown systems. Portions of these power systems that feed each safe shutdown system are described in Power Sources in the description of each safe shutdown system in this section. Sections 8.3.1 and 8.3.2 describe the onsite Class 1E ac power system and the onsite Class 1E dc power system, respectively. 7.4.1.5.4 Safe Shutdown Ventilation Systems 7.4.1.5.4.1 Reactor Building Equipment Area Cooling System The Reactor Building Equipment Area Cooling (RBEAC) System provides cooling for all areas in which the RCIC, SLC system, RHR-RSCM, and other required systems are located. Section 7.3 describes the system's instrumentation and controls. Section 9.4.2 describes RBEAC system equipment design. 7.4.1.5.4.2 Remote Shutdown Panel Room HVAC System Section 9.4.3 describes the RSF-HVAC equipment and design. 7.4-24 HCGS-UFSAR Revision 0 April 11, 1988 7.4.1.6 Design Basis The safe shutdown systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary (RCPB). Section 15, Accident Analysis, identifies and evaluates events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified are presented in this section. 7.4.1.6.1 Variables Monitored to Provide Protective Actions RCIC - Reactor vessel low water level (L2) is monitored in order to provide protective actions to the safe shutdown systems. All other safe shutdown systems are initiated by operator actions. The plant conditions that require protective action involving the safe shutdown are described in Section 15 and Appendix 15A. 7.4.1.6.2 Location and Minimum Number of Sensors See the Technical Specifications for the minimum number of sensors required to monitor safety-related variables. There are no sensors in the safe shutdown systems that have a spatial dependence. 7.4.1.6.3 Prudent Operational Limits Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious safe shutdown system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or nuclear system process barrier, is kept within acceptable bounds. 7.4-25 HCGS-UFSAR Revision 0 April 11, 1988 7.4.1.6.4 Margin The margin between operational limits and the limiting conditions of operation of safe shutdown systems are those parameters listed in the Technical Specifications. 7.4.1.6.5 Levels Levels requiring protective action are established in the Technical Specifications. 7.4.1.6.6 Range of Transient, Steady State, and Environmental Conditions Refer to Sections 3.11 and 3.1.2 for environmental conditions. Refer to Section 8.3 for the maximum and minimum range of energy supply to the safe shutdown systems instrumentation and controls. All safety-related instrumentation and controls are specified and purchased to withstand the effects of energy supply extremes. 7.4.1.6.7 Malfunctions, Accidents, and Other Unusual Events that Could Cause Damage to Safety System Section 15, Accident Analysis, describes the following credible accidents and events: floods, storms, tornados, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the safe shutdown systems: 1. Floods - The buildings containing safe shutdown system components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain watertight under PMF conditions including wind generated wave action and wave run-up. For a discussion of internal flooding protection refer to Sections 3.4 and 3.6. 7.4-26 HCGS-UFSAR Revision 0 April 11, 1988
2. Storms and tornados - The buildings containing safe shutdown system components have been designed to withstand meteorological events described in Section 3.3. 3. Earthquakes - The structures containing safe shutdown systems components have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10. 4. Fires - To protect the safe shutdown systems in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers or physical distance. The use of separation and fire barriers ensures that even though some portion of the systems may be affected, the safe shutdown systems will continue to provide the required protective action. 5. LOCA - The safe shutdown systems components located inside the drywell that are functionally required following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11. 6. Pipe break outside secondary containment - This condition will not affect the safe shutdown systems. Refer to Section 3.6. 7. Missiles - Protection for safe shutdown systems is described in Section 3.5. 7.4.1.6.8 Minimum Performance Requirements Minimum performance requirements for safe shutdown systems instrumentation and controls are provided in Section 16, Technical Specifications. 7.4-27 HCGS-UFSAR Revision 0 April 11, 1988

7.4.2 Analysis

7.4.2.1 Reactor Core Isolation Cooling System Instrumentation and Controls (Analysis) 7.4.2.1.1 Implementation of General Requirements For events other than pipe breaks, such as reactor coolant pressure boundary (RCPB) isolations, the Reactor Core Isolation Cooling (RCIC) System has a makeup capacity sufficient to prevent the reactor vessel water level from decreasing to the level where the core is uncovered. To provide a high degree of assurance that the RCIC system will operate when necessary and in time to provide adequate inventory makeup, the power supply for the system is taken from energy sources of high reliability that are immediately available. No failure of a single initiating sensor either prevents or falsely starts the system. The RCIC system is designed such that loss of plant instrument air, a plant load rejection, or a main turbine trip will not prevent the completion of any required safety function. A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the condensate storage tank (CST) and discharging through the full flow test return line back to the CST. During the test, the discharge valve to the reactor vessel remains closed and the reactor operation is not disturbed. Control system design provides automatic return from the test mode to the operating mode if initiation is required during testing. 7.4-28 HCGS-UFSAR Revision 0 April 11, 1988 7.4.2.1.2 Implementation of 10CFR50 Appendix A - General Design Criteria The following general design criteria (GDC) apply specifically to RCIC. 1. GDC 1, 2, 3, 4, 5, 10, 13, and 15 - RCIC compliance is discussed in Section 7.1.2.2. 2. GDC 19, Control Room - RCIC controls and instrumentation are provided in the control room. The reactor can also be shut down in an orderly manner from outside the main control room as described in Section 7.4.2.4. 3. GDC 20, Protection System Functions - The RCIC system constantly monitors the water level in the reactor vessel and is automatically initiated when the level drops below the preestablished setpoint. 4. GDC 21, Protection System Reliability and Testability - The RCIC is fully testable from sensor to actuated device during normal operation. 5. GDC 22, Protection System Independence - The RCIC system is independent of the High Pressure Coolant Injection (HPCI) System to ensure that the safe shutdown function can be accomplished. 6. GDC 23, Protection System Failure Modes - Failure of the system to operate will not affect plant safety. 7. GDC 24, Separation of Protection and Control Systems - The RCIC system is completely independent of control systems so that no single control system failure can affect RCIC operation. 7.4-29 HCGS-UFSAR Revision 0 April 11, 1988

8. GDC 29, Protection Against Anticipated Operational Occurrences - The RCIC maintains the reactor vessel water level by providing makeup water if the reactor becomes isolated from the main condenser during normal operation. 9. GDC 30, Quality of Reactor Coolant Pressure Boundary - Instruments directly connected to the RCPB have the highest practical quality standards. 7.4.2.1.3 Conformance to IEEE Standards The following is a discussion of conformance to those IEEE standards that apply specifically to the RCIC. 1. IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations a. General Functional Requirements, Paragraph 4.1 - The RCIC is automatically initiated by reactor low water level and operates with precision and reliability, assuming the full range of conditions and performance discussed in Section 5.4.6. b. Single Failure Criterion, Paragraph 4.2 - The RCIC system is not required to meet the single failure criterion. The RCIC initiation sensors and associated logic do, however, meet the single failure criterion for automatic system initiation. The single failure criterion is met through physical and electrical separation. c. Quality of Components and Modules, Paragraph 4.3 - The components and modules of the RCIC instrumentation and control are the same high quality as the Emergency Core Cooling Systems (ECCS). The safety-related portion of the RCIC control and instrumentation components and modules is seismically 7.4-30 HCGS-UFSAR Revision 0 April 11, 1988 qualified to remain functional following a safe shutdown earthquake (SSE). d. Equipment Qualification, Paragraph 4.4 - All safety-related equipment as defined in Tables 3.10-1 and 3.10-2 is designed to meet its performance requirements under the postulated range of operational and environmental constraints. Detailed discussion of qualification is contained in Sections 3.10 and 3.11. e. Channel Integrity, Paragraph 4.5 - Channel integrity is maintained through the use of qualified components. Refer to Sections 3.10 and 3.11 for a discussion of component qualification. f. Channel Independence, Paragraph 4.6 - Channel independence for initiation sensors is provided by electrical and mechanical separation. g. Control and Protection Interaction, Paragraph 4.7 - The RCIC system has no interaction with other plant control systems. h. Derivation of System Inputs, Paragraph 4.8 - All inputs to the RCIC system that are essential to its operation are direct measures of appropriate variables. i. Capability for Sensor Checks, Paragraph 4.9 - All sensors are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown. 7.4-31 HCGS-UFSAR Revision 0 April 11, 1988
j. Capability for Test and Calibration, Paragraph 4.10 - The RCIC system is capable of being completely tested during normal plant operation to verify that each element of the system, whether active or inactive, is capable of performing its intended function. k. Channel Bypass or Removal from Operation, Paragraph 4.11 - Calibration of a sensor that introduces a single instrument channel trip will not cause a protective action without the coincident trip of a second channel. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning. l. Operating Bypasses, Paragraph 4.14 - a bypass is provided for the Level 8 trip circuit of the RCIC system to enable testing during low reactor pressures. Under these conditions, false trips can be generated due to the level instruments being out of calibration and indicating high reactor water levels. A keylocked switch is provided at the RCIC relay panel in the lower control equipment room to engage the trip bypass. Continuous indication is provided in the main control room while in the bypass mode. m. Indication of Bypasses, Paragraph 4.13 - For discussion of bypass and inoperability indication refer to Section 7.1.2.4. n. Access to Means for Bypassing, Paragraph 4.14 - Access to means for bypassing any safety action or function for RCIC is under administrative control of the control room operator. The operator is alerted to bypasses as described in Section 7.1.2.4. 7.4-32 HCGS-UFSAR Revision 0 April 11, 1988
o. Multiple Setpoints, Paragraph 4.15 - There are no multiple setpoints within the RCIC system. p. Completion of Protective Action Once It Is Initiated, Paragraph 4.16 - Once RCIC is initiated by reactor low water level, the logic seals in and system operation must go to completion until terminated by deliberate operator action or automatically stopped upon high vessel water level or system malfunction trip signal. q. Manual Initiation, Paragraph 4.17 - Each piece of RCIC actuation equipment required to operate pumps and valves is capable of manual initiation from the main control room. Failure of logic circuitry to initiate the RCIC system will not affect manual control of equipment. r. Access to Setpoint Adjustment, Paragraph 4.18 - All access to setpoint adjustments for RCIC is under administrative control of the control room operator. s. Identification of Protective Actions, Paragraph 4.19 - Protective actions are directly indicated and identified by annunciators located in the main control room, and a digital alarm log is available from the process computer. t. Information Readout, Paragraph 4.20 - The RCIC system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. 7.4-33 HCGS-UFSAR Revision 19 November 5, 2012
u. System Repair, Paragraph 4.21 - The RCIC system is designed to permit repair or replacement of components during normal plant operation. Recognition and location of a failed component will be accomplished during periodic testing or by annunciation in the main control room. v. Identification, Paragraph 4.22 - All controls and instruments are located in one section of the main control room panel and clearly identified by nameplates and functional mimics. Relays are located in one panel for RCIC use only. Relays and panels are identified by nameplates. 2. IEEE 308-1971, Class 1E Power Systems for Nuclear Power Generating Stations - For an assessment of IEEE 308-1971, see Section 8.3. 3. IEEE 323-1971 - Qualifying Class 1E Equipment for Nuclear Power Generating Stations - An assessment for IEEE 323-1971 is described in Section 7.1.2.3. 4. IEEE 338-1971 Periodic Testing of Nuclear Power Generating Stations - An assessment for IEEE 338-1971 is discussed in Section 7.1.2.3 and Regulatory Guide 1.22. 5. IEEE 344-1971 Seismic Qualification of Class 1E Equipment - An assessment for IEEE 344-1971 is discussed in Section 7.1.2.3. 6. IEEE 379-1972 Trial Use Guide for Application of the Single Failure Criterion to Nuclear Power Generating Stations - See IEEE 279-1971, Sections 7.4.2.1.4.a.2. 7. IEEE 384-1971 Independence of Class 1E Equipment and Circuits - An assessment for IEEE 384-1971 is discussed in Section 7.1.2.3. 7.4-34 HCGS-UFSAR Revision 0 April 11, 1988 7.4.2.1.4 Implementation of NRC Regulatory Guides The following is a discussion of implementation of those regulatory guides that apply specifically to RCIC. See Table 1.8-1 for commitments, revision numbers, and scope. 1. Regulatory Guide 1.11, Instrument Lines Penetrating Primary Reactor Containment - An assessment is provided in Section 7.1.2.4. 2. Regulatory Guide 1.22, Period Testing of Protection System Actuation Functions - RCIC is fully testable from initiating sensors to actuated devices during full power operation. 3. Regulatory Guide 1.29, Seismic Design Classification - The safety-related portion of RCIC instrumentation and control is classified as Seismic Category I and is qualified to remain functional following an SSE. 4. Regulatory Guide 1.30, Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electrical Equipment - The post-operation Quality Assurance program is discussed in Chapter 17. 5. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System - The RCIC system is included in the bypassed and inoperable status indication, which meets the requirements of Regulatory Guide 1.47 as stated in Section 7.5. 7.4-35 HCGS-UFSAR Revision 0 April 11, 1988
6. Regulatory Guide 1.62, Manual Initiation of Protective Actions Conformance - The RCIC may be automatically or manually initiated from the main control room or manually from the remote shutdown panel outside the main control room. 7. Regulatory Guide 1.68, Initial Test Program for Water-Cooled Reactor Power Plants - This guide is not part of the design basis for Hope Creek Generating Station (HCGS), but is included for assessment of the design in Section 1.8. 8. Regulatory Guide 1.75, Physical Independence of Electric Systems - A complete description of physical and electrical separation criteria is presented in Section 8.3.1.4. The extent of compliance to the requirements of Regulatory Guide 1.75 is as follows: a. Isolators or physical separation are provided without affecting building or control/equipment room arrangements. b. Physical separation between Class 1E channels of essential systems and between essential systems and essential circuits is maintained for all essential Nuclear Steam Supply System (NSSS) systems except the Neutron Monitoring System (NMS) and the Process Radiation Monitoring System (PRMS), which are justified by analysis. 9. Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants - Qualification of Class 1E equipment is discussed in Section 3.11. 10. Regulatory Guide 1.100, Seismic Qualification of Electric Equipment for Nuclear Power Plants - Seismic qualification 7.4-36 HCGS-UFSAR Revision 0 April 11, 1988 of Class 1E equipment is discussed in Section 3.10. However, this guide is not part of the NSSS design basis for HCGS, but is included for assessment of the design. 11. Regulatory Guide 1.105, Instrument Setpoints - See Section 7.1.2.4. 12. Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems - See Section 7.1.2.4. 7.4.2.2 Standby Liquid Control System Instrumentation and Controls (Analysis) 7.4.2.2.1 Implementation of General Requirements Redundant positive displacement pumps, explosive valves, primary containment isolation valves, and control circuits for the Standby Liquid Control (SLC) System have been provided as described in Section 7.4.1.2. This constitutes all of the active equipment required for injection of the liquid neutron absorber, sodium pentaborate solution. Continuity relays provide monitoring of the explosive valves, and indicator lights provide indication on the operators console in the main control room of system status. The SLC system is automatically initiated by the RRCS. This initiation will override the manually initiated pushbutton control switch, but the automatic initiation can be overridden by the manual stop signal. The SLC system will be automatically shut off when the sodium pentaborate solution falls to a prescribed low level in the SLC system storage tank. Two out of two, Class 1E, sensor logic is used. See Section 7.6.1.7 for a description of the RRCS. 7.4.2.2.2 Implementation of 10CFR50 Appendix A - General Design Criteria The following is a discussion of implementation of those GDC that apply specifically to the SLC system. 7.4-37 HCGS-UFSAR Revision 0 April 11, 1988
1. GDC 1, 2, 3, 4, 5, 13, and 19 - SLC system compliance is shown in Section 7.1.2.2. 2. GDC 30, Quality of the Reactor Coolant Pressure Boundary - Instruments directly connected to the RCPB have the highest practical quality standards. 7.4.2.2.3 Implementation of NRC Regulatory Guides The following is a discussion of implementation of those Regulatory Guides that apply specifically to the SLC system. See Table 1.8-1 for commitments, revision numbers, and scope. 1. Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions - The SLC system is fully testable, with the exception of the explosive valves, during normal operation. Full system testing, by injection of demineralized water into the reactor pressure vessel (RPV), is performed during shutdown or refueling operations. 2. Regulatory Guide 1.29, Seismic Design Classification - The control and instrumentation of the SLC system is classified as Seismic Category I and is qualified to remain functional following an SSE. 3. Regulatory Guide 1.30, Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment - The post-operation quality assurance program is discussed in Section 17. 4. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System Conformance - The continuity of the explosive valve circuits is continuously monitored and is annunciated in the main control room. The level and temperature of the 7.4-38 HCGS-UFSAR Revision 0 April 11, 1988 sodium pentaborate are monitored with the high and low levels and high and low temperature conditions annunciated in the main control room. The removal of all other equipment for servicing is administratively controlled by the control room operator. 5. Regulatory Guide 1.53, Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems - See Section 7.4.2.1.4, IEEE 279 - 1971, for degree of conformance. 6. Regulatory Guide 1.62, Manual Initiation of Protective Action Conformance - The SLC system may be manually initiated from the control room. The timing associated with the need for SLC system injection is large compared to 10 minutes so that the operator will have sufficient time to initiate the SLC system if necessary. 7. Regulatory Guide 1.68, Initial Test Programs for Water-Cooled Reactor Power Plants - An assessment of the plant preoperational and initial startup test program requirements is discussed in Section 1.8. This guide is not part of the design basis for HCGS, but is included for assessment of the design. 8. Regulatory Guide 1.75, Physical Independence of Electric System - See Sections 7.1.2.4. and 8.3.1.4 for conformance. 9. Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants - Regulatory Guide 1.89 is not part of the design basis for HCGS; however, for an assessment of the design, see the discussion in Sections 7.1.2.4 and 3.11.2. 7.4-39 HCGS-UFSAR Revision 0 April 11, 1988
10. Regulatory Guide 1.100, Seismic Qualification of Electric Equipment for Nuclear Power Plants - Seismic qualification of Class 1E equipment is discussed in Section 3.10. However, this guide is not part of the design basis for HCGS, but is included for assessment of the design. 11. Regulatory Guide 1.118, Periodic Testing - See Section 7.1.2.4 for an assessment. 7.4.2.2.4 Conformance to IEEE Standards The following is a discussion of conformance to those IEEE standards that apply specifically to the SLC system. 1. IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations a. General Functional Requirements, Paragraph 4.1 - The SLC system is manually initiated by operator action and/or automatically initiated by the RRCS. Display instrumentation in the main control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status. b. Single Failure Criterion, Paragraph 4.2 - The SLC system is a backup method of manually shutting down the reactor. It is not necessary for the SLC system to meet the single failure criterion. However, the control circuits, pumps, pump motors, and the explosive valves are redundant so that no single failure in these components will cause or prevent initiation of the SLC system. c. Quality of Components and Modules, Paragraph 4.3 - For discussion of the quality of SLC system components, refer to Sections 3.2, 3.10, and 3.11. 7.4-40 HCGS-UFSAR Revision 0 April 11, 1988
d. Equipment Qualification, Paragraph 4.4 - No components of the SLC system are required to operate in the drywell environment. A maintenance valve is the only component located inside the drywell and is normally locked open. Other SLC system equipment is located in the Control Building or Reactor Building and is capable of operation following an SSE. e. Channel Integrity, Paragraph 4.5 - The SLC system is not required to operate during a design basis accident (DBA). It is designed to remain functional following an SSE. f. Channel Independence, Paragraph 4.6 - There are two channels of control circuits, discharge pumps, motors, and explosive valves. These two channels are independent of each other. Failure in one channel will not prevent the other from operating. g. Control and Protection Interaction, Paragraph 4.7 - The SLC system has no interaction with plant control systems. It has no function during normal plant operation. It is designed as a protection system, completely independent of control systems and other safety systems. h. Derivation of System Inputs, Paragraph 4.8 - The SLC system is initiated manually by the operator or automatically by the RRCS. Display instrumentation in the main control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status. Based on this information, the operator decides whether or not to initiate SLC system. 7.4-41 HCGS-UFSAR Revision 0 April 11, 1988
i. Capability of Sensor Checks, Paragraph 4.9 - The operational availability is checked for by the operator. The sensor checks are made by operator observations of analog indicators, indicating lamps, annunciators, and status lights located in the main control room and locally at the equipment. j. Capability for Test and Calibration, Paragraph 4.10 - The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored, and loss of continuity is annunciated in the main control room. The remainder of the SLC system may be tested during normal operation to verify that each element is capable of performing its function. k. Channel Bypass or Removal From Operation, Paragraph 4.11 - The discharge pumps and pump motors are redundant so that one pump may be removed from service during normal plant operation. l. Operating Bypass, Paragraph 4.12 - The SLC system has no function during normal plant operation. m. Indication of Bypass, Paragraph 4.13 - Removal of components from service is annunciated in the main control room. n. Access to Means for Bypass, Paragraph 4.14 - Removal of components from service during normal plant operation is under administrative control of the control room operator. o. Multiple Setpoints, Paragraph 4.15 - There are no multiple setpoints. 7.4-42 HCGS-UFSAR Revision 0 April 11, 1988
p. Completion of Protective Action Once Initiated, Paragraph 4.16 - The explosive valves remain open once fired and the injection will continue unless terminated by operator action. q. Manual Initiation, Paragraph 4.17 - The SLC system can be manually initiated by operator action, and is automatically initiated by the RRCS. No single electrical failure (see Section 7.4.2.2.4.a.2) within the manual, automatic, or common portions of the SLC system instrumentation could prevent the initiation of the SLC system. Manual initiation is dependent upon the operation of a minimum of equipment. r. Access to Setpoints Adjustment Calibration and Test Points, Paragraph 4.18 - The control circuits, injection pump, pump motors, and motor operated valves are accessible for test and service. s. Identification of Protective Actions, Paragraph 4.19 - The explosive valve status, once fired, is indicated in the main control room. t. Information Readout, Paragraph 4.20 - The discharge pressure of the SLC injection pump (sodium pentaborate solution), storage tank level, and motor operated valve and explosive valve status is indicated in the main control room. u. System Repair, Paragraph 4.21 - The control circuits, pumps, and pump motors may be repaired or replaced during normal plant operation. v. Identification, Paragraph 4.22 - All controls and instrumentation are clearly identified by nameplates and mimics. 7.4-43 HCGS-UFSAR Revision 0 April 11, 1988
2. IEEE 308-1971, Criteria for Class 1E Power Systems for Nuclear Power Generating Stations - See Section 7.1.2.3 for conformance. 3. IEEE 323-1971, Qualifying Class 1E Equipment for Nuclear Power Generating Stations - An assessment of IEEE 323-1971 is included in Section 7.1.2.3. 4. IEEE 338-1971, Periodic Testing of Nuclear Power Generating Station - Although not a design basis, the design of the SLC system permits periodic testing of the system from initiation to actuated devices except explosive valves. The explosive valve control circuit is continuously monitored and annunciated in main control room. 5. IEEE 344-1971, Seismic Qualification of Class 1E Equipment - Although not a design basis, the control and instrumentation of the SLC system is classified as Seismic Category I and will remain functional following an SSE. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in Section 3.10. 6. IEEE 379-1972, Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Stations - See IEEE 279-1971, Section 7.4.2.1.4, for degree conformance. 7. IEEE 384-1974, Independence of Class 1E Equipment and Circuits - An assessment for IEEE 384-1974 is given in Section 7.1.2.3. 7.4-44 HCGS-UFSAR Revision 0 April 11, 1988 7.4.2.3 RHR/Reactor Shutdown Cooling Mode Instrumentation and Controls (Analysis) The residual heat removal reactor shutdown cooling mode (RHR-RSCM) uses the same equipment used by the low pressure coolant injection (LPCI) mode. Refer to Section 7.3.2 for reactor shutdown cooling mode (RSCM) standards and regulatory compliance. 7.4.2.4 Remote Shutdown System The normal operation of the Remote Shutdown System (RSS) does not require consideration of the effects of a loss of plant air systems, loss of cooling water to vital equipment, plant load rejection, or turbine trip. A discussion of these effects is included elsewhere in the FSAR in the sections describing the individual systems that make up the RSF. 7.4.2.4.1 RSS Conformance to Safety Design Bases For remote shutdown operation, no recovery from plant transients or emergency operation is assumed. The RSS interface with safety-related systems, such as residual heat removal (RHR) and RCIC, and during normal operation becomes part of, and meets the design criteria for, those systems. The capability to remotely shut down the reactor is based on the following functional criteria: 1. Sufficient instrumentation and controls are provided outside the main control room to allow prompt hot shutdown of the reactor and to enable achieving and maintaining cold shutdown conditions within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. 2. Suitable procedures are provided to the operator to ensure the accomplishments of criteria 1. 7.4-45 HCGS-UFSAR Revision 0 April 11, 1988 Section 15.9 contains a plant nuclear safety operational analysis. Section 15.9.6.6.3(3) contains an evaluation of reactor shutdown from outside the main control room. 7.4.2.4.2 RSS Implementation of 10CFR50, Appendix A, GDC 7.4.2.4.2.1 GDC 2, Design Bases for Protection Against Natural Phenomena Refer to Section 3.1 for a discussion of this GDC. 7.4.2.4.2.2 GDC 4, Environmental and Missile Design Bases Refer to Section 3.1 for a discussion of this GDC. 7.4.2.4.2.3 GDC 13, Instrumentation and Control Instrumentation and controls are provided to monitor variables and systems for remote shutdown conditions. Refer to Section 3.1 for a general discussion of this GDC. 7.4.2.4.2.4 GDC 19, Control Room The RSS consist of equipment at appropriate locations outside the main control room that is sufficient to provide and ensure prompt hot shutdown of the reactor and to maintain safe conditions during hot shutdown. The equipment also provides the capability for subsequent cold shutdown of the reactor. 7.4.2.2.5 GDC 34, Residual Heat Removal The RSS has control of the B train of the RHR system and therefore meets GDC 34. The other RHR trains can be operated locally with RHR train A designated as the alternate train for remote shutdown in the event of a failure to RHR train B. 7.4-46 HCGS-UFSAR Revision 0 April 11, 1988 Refer to Section 3.1 for a discussion of this GDC. 7.4.2.4.3 RSs Implementation of 10CFR50, 50.55a(h) - IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations The RSS are designed in conformance with the requirements of IEEE Standard 279-1971. The individual systems of which the RSS are comprised, meet the requirements of IEEE Standard 279-1971 as described in the individual system descriptions elsewhere in this section. 7.4.2.4.4 RSS Implementation of 10CFR50, Appendix R, Fire Protection Program The RSS are designed to ensure an alternative safe shutdown capability, in the event of a fire in the control complex, or any other event that may require main control room evacuation, thereby exempting the main control room from the physical fire protection separation requirements of Appendix R. In this alternative, dedicated safe shutdown capability is provided by the RSP. Once control has been transferred to the RSF from the main control room, the RSF is independent of the main control room and fully capable of performing a safe reactor shutdown to a hot, and ultimately, a cold condition. In the event that main control room evacuation is necessitated by some cause, other than a fire, sufficient redundant, safety-grade instrumentation and controls (identified in Table 7.4-3) are available remote from the main control room to ensure that cold shutdown conditions can be achieved even with a single failure at the RSP. Communications available for the RSS are discussed in Section 9.5.2.2.5. 7.4-47 HCGS-UFSAR Revision 0 April 11, 1988 The RSS room is provided with a nonsafety-related Heating, Ventilating, and Air Conditioning (HVAC) System that provides an environment similar to that of the main control room (see Section 9.4.3). No common failure exists, including smoke and toxic fumes that could cause the main control room and the RSP room to be uninhabitable at the same time. Additionally, the systems required for safe shutdown are sufficiently divided between the RSS and main control room so that, in the event of a fire destroying the RSP, there are sufficient controls and instrumentation available to bring the reactor to a safe and orderly shutdown from the main control room. 7.4.2.4.5 RSS Implementation of Regulatory Guides 7.4.2.4.5.1 Regulatory Guide 1.29 - Seismic Design Classification See Sections 7.4.1.4.3.1 and 1.8.1.29. 7.4.2.4.5.2 Regulatory Guide 1.53, - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems Refer to Sections 7.4.1.4.3.1 and 1.8.1.53. 7.4.2.4.5.3 Regulatory Guide 1.75 - Physical Independence of Electrical Systems See Sections 7.4.1.4.3.7 and 1.8.1.75. 7.4.2.4.5.4 Regulatory Guide 1.89 - Qualification of Class 1E Equipment for Nuclear Power Plants See Section 1.8.1.89. 7.4-48 HCGS-UFSAR Revision 6 October 22, 1994 7.4.2.4.5.5 Regulatory Guide 1.100 - Seismic Qualification of Electric Equipment for Nuclear Power Plants See Section 1.8.1.100. 7.4.2.4.5.6 Regulatory Guide 1.105 - Instrument Spans and Setpoints The range for each process variable monitored on the RSS is selected to encompass the expected operating range of the process variable being monitored during remote shutdown operation. The RSS includes instrumentation with setpoints that are established consistent with Regulatory Guide 1.105, as discussed in Section 1.8.1.105. 7.4.2.5 Essential Auxiliary Supporting Systems for Safe Shutdown Systems 7.4.2.5.1 Station Service Water System Instrumentation and Controls See Section 7.3.2 for analysis of the Station Service Water System (SSWS). 7.4.2.5.2 Safety Auxiliaries Cooling System Instrumentation and Controls See Section 7.3.2 for analysis of the Safety Auxiliaries Cooling System (SACS). 7.4.2.5.3 Class 1E Power Systems See Sections 8.3.1.2 and 8.3.2.2 for analysis of Class 1E power systems. 7.4.2.5.4 Safe Shutdown Equipment Area Ventilation Systems See Sections 9.4.2 and 9.4.3 for analysis of ventilation systems. 7.4-49 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • TABLE 7.4-1 REACTOR CORE ISOLATION COOLING INSTRUMENT RANGES RCIC Function Instrument Turbine exhaust diaphragm Pressure high pressure RCIC system pump high/ low suction pressure Reactor vessel high/low water level RCIC system steam supply low pressure Turbine overspeed RCIC system pump discharge pressure high RCIC minimum flow Turbine exhaust high pressure Condensate storage tank low-low level Flow transmitter Pressure transmitter Level transmitter Pressure transmitter Centrifugal device Pressure transmitter Flow trans-mitter Pressure transmitter Level switch Flow transmitter Range 0 -30 psig (High) 30" Hg vac to 85 psig (Low) 0 to 30" Hg Ab. {High)-150/0/+60 inches(l) 0-60 psig (Low)-150/0/+60 inches 0 -200 psig 0 -1500 psig 0 -200 gpm 0 -200 psig NA 0 -700 gpm (1) With zero reference 527.5 inches above vessel zero . 1 of 1 HCGS-UFSAR Revision 0 April 11, 1988
  • Channel Transfer Switches HSS-4410A HSS-44109 HSS-4410C HSS-4410D HSS-4410N RCIC System HV-4282 HV-F045 HV-FOOS HV-F007 HV-F031 HV-FOlO SV-F019 HV-F046 HV-F013 HV-F076 OP220 OP219 SI-4280-2 FIC-4158 ZA-4275 PAL-4276 TAIJ-4277 TAH-4278 LALL-N061 HV-F012(l) HV-F022(l) HV-F059(l) HV-F060(l) HV-F062(l) HV-F084(l) HV-F025(l) HV-F004(l) BP228(5) HCGS-UFSAR Hot Cold Shutdown Shutdown X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X
  • TABLE 7.4-2 REM:1I'E Sflt!I'IX)WN PANEL INS'I'RtJ1BNTATION Description Transfer switch Class lE Channel A Transfer switch Class lE Channel B Transfer switch Class lB Channel C Transfer switch Class lE Channel D Transfer switch Non-class IE Control -RCIC turbine trip/throttle Control -RCIC turbine shutoff valve Control -RCIC steam supply outboard isolation valve Control -RCIC steam supply inboard isolation valve Control -Suppression pool to RCIC pump suction valve .COntrol -Condensate storage tank to RCIC pump suction valve Control -RCIC pump discharge minimum flow valve Control -RCIC turbine cooling water supply valve Control -RCIC pump discharge to feedwater line isolation valve Control -RCIC steam line inboard isolation valve bypass valve Control -RCIC vacwm tank condensate pump Control -RCIC gland seal condenser vacuum pump Indication -RCIC turbine speed Control/Indication -RCIC pump injection flow Indicator -RCIC turbine trip Indication (Alarm) -RCIC turbine bearing oil pressure low Indication (Alarm) -RCIC High pressure turbine bearing temperature high Indication (Alarm) -RCIC low pressure turbine bearing temperature high Indication (Alarm) -Condensate storage tank level low-low Indication RCIC pump disch valve (open) Indication Test return valve to condensate storage tank (closed) Indication RCIC turb exh to suppr pool valve (open) Indication RCIC condenser vac pump disch valve (open) Indication RCIC turb exh outboard vac breaker isolation valve (open) Indication RCIC turb exh inboard vac breaker isolation valve (open) Indication RCIC cond pot drain to main cond valve (closed)
  • Indication RCIC vaculiD tank condensate pump discharge to clean ra.ct.mste valve (closed) Indication ECCS (RC!C) jockey pump (run) 1 of 5 Revision 0 April 11, 1988 Hot Cold Shutdown Shutdown Nuclear Boiler System PR-7853D X X LR-7854 X X PSV-F013F X X PSV-F013H X X PSV-F013M X X Reactor Recirculation System HV-F031B(IS> X X Suppression Pool Monitoring System LR-4805-2 X X TR-3647J X X TR-3647M X X RHR System HV-F006B X X HV-F004B X X HV-F007B X X HV-F048B X X HV-F015B X HV-F009 X HV-F008 X HV-F122B X X HV-4439 X X HV-F024B X X HV-F047B X X HV-F003B X X HV-F040 X X HV-F049 X HSS-44168 X X BP-202 X X TI-4401 X FI-4435 X X HV-F006A(2l X HV-F010B(2l X X HCGS-UFSAR TABLE 7.4-2 (Cant) Description Indication/recording reactor vessel pressure Indication/recording reactor vessel water level Control -main steam line B valve Control -main steam lineD valve Control -Main steam line A valve Indication -Reactor recirculation pump BP201 discharge valve (closed) Indication/recording suppression pool level Indication/recording -suppression pool temperature Indication/recording -suppression pool temperature Control Control control Control Control -RHR pump BP202 suction from recirc line valve -RHR pump BP202 suction from pool valve RHR pump BP202 min flow valve suppression pool -RHR loop B heat bypass valve -RHR loop B shutdown return valve Control RHR shutdown cooling suction from recirc line inboard isolation valve Control RHR shutdown cooling suction from recirc line outboard isolation valve Control -RHR loop B shutdown injection check valve bypass valve Control RHR disch to liquid bldg isolation valve Control RHR pump BP202 test return valve to suppression pool Control -RHR loop B heat exchanger shell side inlet valve Control RHR loop B heat exchanger shell side outlet valve Control -RHR disch to LRW outboard isolation valve Control -RHR disch to LRW inboard isolation valve Transfer switch RHR pump BP202 Control -RHR pump BP202 Indication -RHR disch temp,er*at:ul:e to liquid radwaste Indication -RHR loop B Indication RHR pump AP202 suction from recirc line valve (closed) Indication -RHR pump DP202 test return valve to suppression pool {closed) 2 of 5 Revision 17 June 23, 2009 I I
  • IN-F016B(2) HV-F027B(Z) HV-F017B(Z) HV-F004D(Z) HV-F021A(Z) HV-F0218(Z) DP-228(5) SACS HV-25228{7) HV-24968 HV-25128 IN-24918 HV-24948(9) HV-25208 8P210 HSS-24858 DP210 HSS-2485D TI-253582 FI-254983 IN-2314A HV-23148 HV-7921A HV-79218 HV-2317A . HV-23178 HV-7922A HV-79228 ssws HV-2204 HOOS-UFSAR Hot ShuWown X X X X X X X X X X X X X X X X X X X X X X Cold ShuWown X X X X X X X X X X X X X X X X X X X X X X
  • TABLE 7.4-2 (Cont) Description Indication -RHR loop 8 containment spray outboard isolation valve (closed) Indication RHR loop B suppression pool spray line isolation valve (closed) Indication -RHR low pressure coolant injection (LPCI) loop B injection valve (closed} Indication -RHR pump DP202 suction from suppression pool valve (open)
  • Indication -RHR loop A containment spray inboard isolation valve {closed) Indication -RHR loop 8 containment spray inboard isolation valve (closed) ECCS {RHR 8) jockey pump (run) Control -SACS loop 8 to Turbine Auxiliaries Cooling System {TACS) inboard supply/return valves Control -SACS loop 8 to TACS outboard supply/return valves Control -RHR loop B heat exchanger tube side outlet valve Control -SACS loop 8 heat exchanger B1E201 inlet valve Control -SACS loop B heat exchanger 82E201 inlet valve Indication -RHR pump 8P202 seal and motor bearing coolers cooling water supply valve (open) Control -SACS loop B punp BP210 Transfer switch -SACS loop 8 pump 8P210 Control -SACS loop 8 pump DP210 Transfer switch -SACS loop B pump DP210 Indication -SACS loop B heat exchanger outlet temperature Indication -SACS loop B pumps discharge flow Control -Fuel Pool Cooling System (FPCS) heat exchanger AE202 cooling water inlet valve . Control -FPCS heat exchanger BE202 cooling water inlet valve Control -FPCS heat exchanger AE202 cooling water outlet valve Control -FPCS heat exchanger BE202 cooling water outlet valve Control -FPCS heat exchanger cooling water inlet cross-connect valve Control -FPCS heat exchanger cooling water inlet cross-connect valve Control -FPCS heat exchanger cooling water outlet cross-connect valve Control -FPCS heat exchanger cooling water outlet cross-connect valve Control -Reactor Auxiliaries Cooling System heat exchanger supply valve (from SACS loop 8} 3 of 5
  • Revision 0 April 11, 1988
  • HV-2355B HV-2371B HV-23578 HV-2198B HV-21980 HV-2197B HV-21970 BP502 HSS-22198 DP502 HSS-22190 Standby Diesel Generator AG400 BG400 CG400 00400 Hot Shutdown X X X X X X X X X X X X X X X Ventilation and Cooling Sygtems{J) RBVS HD-9370A HD-93708 HD-9414A HD-9414B Switchgear Room Coolers XIL-9549A XIL-9549B XIL-9549C XIL-95490 X X X X X X X X Control Area Chilled Water System BK400 HSS-9652B BP400 HSS-966684 BP414 X X X X X X HCGS-UFSAR Cold Shutdown X X X X X X X X X X X X X X X X X X X X X X X X X X X X X
  • TABLE 7.4-2 (Cont) Description Control -SACS loop B heat exchanger B2E201 outlet valve Control -SACS loop B heat exchanger B1E201 outlet valve Control -SACS loop B to cooling tower valve Control -SSWS pump BP 502 discharge valve Control -SSWS pump DP502 discharge valve Control -SSWS strainer BF509 main backwash valve Control -SffivS strainer OF509 main backwash valve Control -SSWS pump BP505 Transfer switch -SSWS pump BP502 Control -SSWS pump DP502 Transfer switch -SSWS pump OP502 Indication -standby diesel generator AG400 circuit breaker Indication -standby diesel generator BG400 circuit breaker Indication -standby diesel generator CG400 circuit breaker Indication -standby diesel generator DG400 circuit breaker Indication -Reactor bldg supply isolation damper Indication -Reactor bldg supply isolation damper Indication -Reactor bldg exhaust isolation damper Indication -Reactor bldg exhaust isolation damper Indication -switchgear room (No. 5417) cooler AVH401 Indication -switchgear room (No. 5413) cooler BVH40l Indication -switchgear room (No. 5415) cooler CVH401 Indication -switchgear room (No. 5411) cooler DVH401 Control -control area chiller BK400 Transfer switch -control area chiller BK400 Control -control area chilled water circulating punp BP400 Control -safety-related panel room chiller BK403 Transfer switch -safety-related panel room chiller BK403
  • Cuntrol -safety-related panel room chilled water circulating pump BP414 4 of 5 Revision 0 April 11 , 1988 Hot Cold Shutdown Fuel Pool Cooling System!41 TABLE 7.4-2 (Cont) Control fuel pool filter demineralizer valve Control -fuel pool cooling pump AP211 Control -fuel pool cooling pump BP2ll HV-46898 AP211 BP211 TI-4683 Indication Fuel pool cooling pump discharge temperature (1) Valves of the RCIC system which travel to the noted position on RSP takeover. (2) Valves of the RHR system which travel to the noted position on RSP takeover. (3) All fans and coolers servicing reactor building pump rooms (RCIC, RHR, SACS) continue (4) The FPCS is not required for safe shutdown. Controls are provided to cover the uninhabitable. (5) ECCS (RCIC and RHR B) jockey pumps are signaled to run on RSP takeover. (6) Reactor recirculation valve HV-F031B is signaled to close on RSP takeover. (7) Operation of SACS valve HV-2496B is ganged to operation of SACS valve HV-2522B. (8) Operation of SACS valve HV-24960 is to operation of SACS valve HV-25220. (9) Valve of the SACS which travels to noted position on RSP takeover 5 of 5 HCGS-UFSAR during RSP takeover. of an extended period of main control room becoming Revision 17 June 23, 2009 I
  • TABLE 7.4-3 REMOTE SHUTDOWN SYSTEMS REDUNDANT INSTRUMENTATION RSP Device RCIC SYSTEM See Table 7.4-2 NUCLEAR BOILER SYSTEM PR-7853D LR-7854 PSV-F013F PSV-F013H PSV-F013M Primary Alternative Device HPCI System PIS-690 A, E, J, & N LIS-N691 A & E PSV-F013A PSV-F013E REACTOR RECIRCULATION SYSTEM HV-F031B None SUPPRESSION POOL MONITORING SYSTEM LR .. 4805-2 LI-4801-1 HCGS-UFSAR Alternative Device Description See remarks Indicating -trip units reactor vessel pressure Indicating -trip units reactor vessel level Control -main steam line A safety/relief valve Control -main steam line A safety/relief valve N/A Indication -suppression pool level 1 of 9 Remarks The HPCI system will function as a backup to the RSP -controlled RCIC system. The BPCI system will automatically cycle on reactor vessel level. Section 7.3.1.1.1.1 describes the HPCI system and its operation. Channel A instruments are located on GK panel 10C617 at Elevation 102 ft. of the Auxiliary Building control and diesel generator area. Channel A instruments are located on GE panel 10C617 at Elevation 102 ft. of the Auxiliary* Building control and diesel generator area. Local controls are provided at panel 10C631 for two Channel D safety/relief valves to meet GDC-19 requirements for remote shutdown. Panel 10C631 is located at Elevation 102 ft. of the Auxiliary Building control and diesel generator area. Position indication of this valve is not required for achieving safe shutdown. A Channel C local indicator mounted in a wallbox (1CTB4508) is located near panel 1CC655 at Elevation 163 ft. of the Auxiliary Building control and diesel generator area.
  • Revision 0 April 11. 1988
  • RSP Device TR-3647J TR-3647H RHR SYSTEM HV-F006B HV-F004B BP202 HV-F007B HV-F048B HV-F015B HCGS-UFSAR Primary Alternative Device TI-3881A2 HV-F006A HV-F004A AP202 HV-F007A HV-F048A HV-FOlSA
  • TABLE 7.4-3 (Cont) Alternative Device Description Indication -suppression pool temperature Control -RHR pump AP202 suction from recirc line valve Control -RHR pump AP202 suction from suppression pool valve Control -RHR pump AP202 Control -RHR pump AP202 minimum flow valve to suppression pool Control -RHR loop A changer bypass valve Control -RHR loop A shut-down cooling return valve 2 of 9 Remarks A Channel A local indicator mounted in a wallbox (1ATB4507) is located near panel AC655 at Elevation 163 ft. of the Auxiliary Building control and diesel generator area. Operation of this valve is required if RHR loop A is used for remote shutdown. Local valve controls are provided at HCC 10B451, located at Elevation 130 ft. of the Auxiliary Building. Operation of this valve is required if RHR loop A is used for remote shutdown. Local valve controls are provided at MCC 10B212, located at Elevation 102 ft of the Reactor Building. Normal/emergency selector switch located on the Class lE Channel A 4.16 kV switchgear 10A401 permits closing the circuit breaker to start RBR pump AP202. 10A401 is located at Elevation 130 ft. of the Auxiliary Building control and diesel generator area. Valve closes automatically once minimum flow rate is established. Operation of the valve is required if RHR loop A is used for remote shutdown. Local valve controls are provided at HCC 10B212, located at elevation 120 ft of the Reactor Building. Operation of this valve is required if RHR loop A is used for remote shutdown. Local valve controls are provided at HCC 10B481, located at Elevation 130 ft of the Auxiliary Building.
  • Revision 0 April 11, 1988
  • RSP Device HV-F009 HV-FOOB HV-Fl22B HV-4439 HV-F040 HV-F049 HV-F024B HV-F047B HV-F003B TI-4401 FI-4435 HV-F006A HCGS-UFSAR Primary Alternative Device None None None HV-F024A HV-F047A HV-F003A None FISH-N652A None Alternative Device Description N/A N/A N/A Control -RHR pump AP202 test return valve to suppression pool Control -RHR loop A heat exchanger shell side inlet valve control -RHR loop A heat exchanger shell side outlet valve N/A Indication -RHR loop A flow N/A
  • TABLE 7.4-3 (Cont) Remarks Safe shutdown can be achieved without operation of the RHR system in the shutdown cooling mode. Operation of the RHR loop A shutdown cooling injection check valve bypass valve is not required for achieving safe shutdown. Operation of the RHR discharge to liquid radwaste valves is not required for achieving safe shutdown. Operation of this valve is required if RHR loop A is used for remote shutdown. Local valve controls are available at MCC 10B212, located at Elevation 102 ft. of the Reactor Building. Operation of this valve is required if RHR loop A is used for remote shutdown. Local valve controls are provided at MCC 10B212, located at Elevation 102 ft. of the Reactor Building. Operation of this valve is required if RHR loop A is used for remote shutdown. Local valve controls are provided at MCC 10B212, located at Elevation 102 ft of the Reactor Building. Indication of RHR discharge temperature to liquid radwaste is not required for achieving safe shutdown. Channel A instrument is located on GE panel 10C617 at Elevation 102 ft. of the Auxiliary Building control and diesel generator area. See discussion of RPS device HV-F006B. 3 of 9 I Revision 14 July 26, 2005 *
  • RSP Device HV-FOlOB HV-F016B HV-F027B HV-F017B HV-F004D HV-F021B HV-F021A DP-228 SACS HV-2522B HV-2522D HV-2496B HCGS-UFSAR Primary Alternative Device HV-FOlOA HV-F016A HV-F027A HV-F017A HV-F004C See remarks See remarks CP-228 HV-2522A HV-2522C HV-2496A
  • TABLE 7.4-3 (Cont) Alternative Device Description Indication -RHR pump CP202 test return valve to suppression pool Indication -RHR loop A containment spray outboard isolation valve Indication -RHR loop A suppression pool spray line isolation valve Indication -RBR loop A pressure coolant injection loop A injection valve Indication -RHR pump CP202 suction from suppression pool valve See remarks See remarks Indication -ECCS (RHR A) jockey pump Control -SACS loop A to Turbine Auxiliaries Cooling System (TACS) inboard valve Control -SACS loop A supply to TACS outboard valve Remarks Valve position indication for each of these RHR loop A valves is available at the valve. The required shutdown position for each valve is the same as for its RPS counterparts. Valve HV-F004C is a locked open valve that supplies the suction to ECCS (RHR A) jockey pump CP228. Valve position can be verified by proper operation of CP228. Valve position indication for this valve is available at the valve. This valve is not required for achieving safe shutdown. Valve position indication for this valve is available at the valve. This valve is not required for achieving safe shutdown. Jockey pump CP228 is normally running. Operation of these valves is required if SACS loop A is used for remote shutdown These valves can be positioned manually as needed. Control -SACS loop A return Operation of these valves is required from TACS inboard valve if SACS loop A is used for remote shutdown. Local valve controls are 4 of 9
  • Revision 0 April 11, 1988 RSP Device HV-2496D HV-25128 HV-25208 HV-24918 HV-24948 8P210 DP210 TI-253582 FI-254983 HCGS-UFSAR Primary Alternative Device HV-2496C HV-2512A HV-2520A HV-2491A HV-2494A AP210 CP210 TI-2492A TI-2497A None Alternative Device Description Control -SACS loop A return from TACS outboard valve Control RHR loop A heat exchanger tube side outlet valve Indication RHR pump AP202 seal and motor bearing coolers cooling water supply valve Control -SACS loop A heat exchanger A1E201 inlet valve Control -SACS loop A heat exchanger A2E201 inlet valve Control SACS loop A pump AP210 Control SACS loop A pump CP210 Indication -SACS loop A heat exchanger AlE201 inlet temperature Indication -SACS loop A heat exchanger A2E201 inlet temperature N/A TABLE 7.4-3 (Cant) Remarks provided at MCC 108212 for HV-2496A and MCC 108232 for HV-2496C located at Elevation 102 ft of the Reactor Building. Operation of this valve is required if SACS loop A.is used for remote shutdown. Local valve controls are provided at MCC 108212, located at Elevation 102 ft of the Reactor Building. This valve opens automatically on receipt of a running signal from RHR pump position indication is available at the valve. This valve opens automatically when SACS pump AP210 starts. This valve pump CP210 automatically when SACS Normal/emergency selector switches located on the Class IE Channels A and C 4.16 kV 10A401 and 10A403 respectively closing of the circuit breakers to SACS pumps AP210 and CP210. 10A401 and 10A403 are located at Elevation 130 ft. of the Building control and diesel area. Temperature indication for SACS Loop A is available locally at the heat exchanger inlets. Temperature indication at the RSP is from the combined outlet of the SACS loop B heat exchangers. Adequate cooling water flow can be derived from the SACS loop A heat exchanger inlet temperatures. 5 of 9 Revision 17 June 23, 2009 I
  • RSP Device ssws HV-2204 HV-235SB HV-2198B HV-2371B HV-2198D HV-2197B HV-2197D HV-2357B BP502 DP502 HCGS-UFSAR Primary Alternative Device HV-2203 HV-235SA HV-2198A HV-2371A HV-2198C HV-2197A HV-2197C HV-2357A APS02 CP502
  • TABLE 7.4-3 (Cont) Alternative Device Description Remarks Control -Reactor Auxiliaries Operation of this valve is required Cooling System heat if SSWS loop A is used for remote exchanger supply valve shutdown. Local valve controls are (from SACS loop A) provided at MCC 10B212, located Control -SACS loop A heat exchanger A2E201 outlet valve Control -SSWS pump AP502 discharge valve Control -SACS loop A heat exchanger AlE201 outlet valve Control -SSWS pump CP502 discharge valve Control -SSWS strainer AF509 main backwash valve Control -SSWS strainer CF509 main backwash valve Control -SACS loop A to cooling tower valve Control -SSWS pump AP502 Control -SSWS pump CP502 6 of 9 at elevation 102 ft of the Reactor Building. These valves open automatically on on receipt of a pump running signal from SSWS pump AP502. These valves open automatically on receipt of a pump running signal from SSWS pump CP502. Valve opens automatically on high differential pressure across strainer AF509. Valve closes automatically on normal differential pressure across strainer AF509. Valve opens automatically on high differential pressure across strainer CF509. Valve closes automatically on normal differential pressure across strainer CP'509. This valve is normally open. Valve position indication is available at the valve. Normal/emergency selector switches located on the Class 1E channels A and C 4.16 kV switchgear, 10A401 and 10A403 respectively, permit closing the circuit breakers to start SSWS pumps AP502 and CP502. 10A401 and 10A403 are located at Elevation 130 ft. of the Auxiliary Building control and diesel generator area.
  • Revision 0 April 11, 1988 Primary AG400 See remarks BG400 See remarks CG400 See remarks DG400 See remarks REVS HD-9370A, AVH213 H0-93708, HD-9414A, HD-94148 BVH213 CVH213 OVH213 EVH213 FVH213 AVH206 BVH206 HCGS-UFSAR Alternative Indication -SDG A operating status Indication -SDG B operating status Indication -SDG C operation status Indication -SDG D operating status Indication -Filtration, Recirculation and Ventilation System (FRVSJ recirculation unit AVH213 Indication FRVS recirculation unit BVH213 Indication FRVS recirculation unit CVH213 Indication -FRVS recirculation unit DVH213 Indication -FRVS recirculation unit EVH213 Indication FRVS recirculation unit FVH213 Indication FRVS vent unit AVH206 Indication FRVS vent unit BVH206 TABLE (Cant) Standby diesel generator operating status can be verified at the SDG skids or the SDG remote*control panels 1A-DC422. The SDG skids are located at elevation 102 ft. of the Auxiliary Building control and diesel generator area. The SDG remote control panels IA-DC422 are located at Elevation 130 ft., of the Auxiliary Building control and diesel generator area Local start of FRVS recirculation and vent units is provided to cover the loss of RBVS control due to a the main control room. 7 of 9 Revision 17 June 23, 2009 I
  • RSP Device Primary Alternative Device SWITCHGEAR ROOM COOLERS XIL-9549A XIL-9549B XIL-9549C XIL-9549D None None None None CONTROL AREA CHILLED WATER SYSTEM (CACWS) BK400 AK400 BK403 AK403 BP400
  • AP400 BP414 AP414 HCGS-UFSAR
  • TABLE 7.4-3 {Cont) Alternative Device Description N/A N/A N/A N/A Control -control area chiller AK400 Control -safety-related panel room chiller AK403 Control -control area chilled water circulating pump AP400 Control -Safety-related Toom chilled water circulating pump AP414 8 of 9 Remarks Switchgear room cooler status can be determined locally. Normal/emergency selector switch located on the Class lE Channel C 4.16 kV switchgear 10A403 provides a permissive for closing the circuit breaker to start chiller AK400. Sequencer start switch BS-6855GF located on sequencer panel 1CC428 can be used to close the chiller breaker. Sequencer panel 1CC428 and 10A403 are located at elevation 130 ft. of the Auxiliary Building control and diesel generator area. Normal/emergency selector switch located on the Class lE Channel A 4.16 kV switchgear 10A401 provides a permissive for closing the circuit breaker to start chiller AK403. Sequencer start switch BS-6855EP located on sequencer panel 1AC428 can be used to close the chiller breaker. Sequencer panel 1AC428 and 10A401 are located at elevation 130 ft. of the Auxiliary Building control and diesel generator area. Sequencer start switch BS-6855GG located on sequencer panel 1CC428 can be used to energize the pump starter. Sequencer panel 1CC428 is located at elevation 130 ft. of the Auxiliary Building control and diesel generator area. Sequencer start switch HS-6855EP located on sequencer panel 1AC428 can be used to energize the pump starter. Sequencer panel 1AC428 is located at Elevation 130 ft. of the Auxiliary Building control and diesel generator area.
  • Revision 0 April 11. 1988
  • RSP Device Primary Alternative Device FUEL POOL COOLING SYSTEM See Table 7.4-2 None HCGS-UFSAR
  • TABLE 7.4-3 (Cont) Alternative Device Description N/A 9 of 9 Remarks The Fuel Pool Cooling System is not required for achieving safe shutdown.
  • Revision 0 April 11, 1988 Figure F7.4-1 SH 1-5 intentionally deleted. Refer to Vendor Technical Document PN1-E51-1030-0061 for all sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.4-2 SH 1-9 intentionally deleted. Refer to Plant Drawing J-49-0 sheets 2, 3, 4, 5, 5A, 6, 7 and 8 for F7.4-2 sheets 1-8 in DCRMS Refer to Plant Drawing J-50-0 sheet 6 for F7.4-2 sheet 9 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.4-3 SH 1-2 intentionally deleted. Refer to Vendor Technical Document PN1-C41-1030-0043 for both sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.4-4 SH 1-4 intentionally deleted. Refer to Plant Drawing J-48-0 sheets 2-5 in DCRMS HCGS-UFSARRevision20May 9, 2014 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION (INFORMATION SYSTEMS IMPORTANT TO SAFETY)

7.5.1 Description

7.5.1.1 General

This section describes the HCGS safety-related and nonsafety-related information systems. These systems provide information to operating personnel

to aid in the startup, operation, and testing of plant systems.

The main control room arrangement is shown on Plant Drawing J-0600-0. The primary operator interface with plant systems is the unit operator's console, C651, which houses controls, hardwired displays, and computer generated CRT displays. Operator interface with Engineered Safety Features (ESF) Systems, certain auxiliary support systems, the reactor control rod position indication system, and the turbine generator is provided on the main vertical board, C650.

Arrangement of instrumentation and controls on these panels is generally by system and is shown in detail on Plant Drawing J-0602-0. An operator's monitor console, C649, also provides surveillance of all systems using computer

generated CRT displays.

Human factors considerations are provided in Section 18.

The displayed parameters that are important to safety are listed in Table 7.5-1

which is organized by Regulatory Guide 1.97 variable type.

Types of displays indicated in Table 7.5-1 include pen recorders, digital and analog meters, status lights, and computer generated CRT displays. The displays listed are located on the operator interface panels in the main control room and local panels. Displays provided on the remote shutdown panel

are identified in Table 7.4-2.

7.5-1 HCGS-UFSAR Revision 20 May 9, 2014 The instrumentation and ranges shown in Table 7.5-1 are selected to allow tracking of process variables important to safety during all plant conditions including post-accident conditions and, where applicable, meet the requirements

of Regulatory Guide 1.97 as described in Section 1.8.1.97.

7.5.1.2 Information Systems Identification

The information systems are identified by the following categories:

1. Control Rod Position Indication System (CRPIS) (nonsafety-related)
2. Bypassed and Inoperable Status Indication System (BISIS) (safety-related)
3. Plant Computer Systems (PCS) (nonsafety-related)
4. Post-accident monitoring instrumentation (PAMI) (safety-related)
5. Startup and Transient Monitoring System (STMS) (nonsafety-related)
6. Safety Relief Valve Position Indication System (SRVPIS) (nonsafety-related)
7. DELETED

7.5.1.3 Information Systems Description

7.5.1.3.1 Control Rod Position Indication System

A description of the Reactor Manual Control System displays is provided in

Section 7.7.1.1.3.

7.5-2 HCGS-UFSAR Revision 14 July 26, 2005 7.5.1.3.2 Bypassed and Inoperable Status Indication System

The BISIS informs the operator of the unavailability of safety-related ESF and Essential Auxiliary Supporting (EAS) Systems. Automatic and manual indication is provided in the main control room to inform the operator that a system or

part of a system is not operable.

Automatic bypass of certain infrequently used pieces of equipment, such as manually locked open valves or manual disconnects, is not provided. However, manual activation of a system level bypass is administratively required, using handswitches in the main control room for those systems that have these infrequently used bypasses. Following the completion of administratively bypassing a system, operability must be verified by system testing prior to placing the system back in service and deactivation of the system bypass

indicating light.

Automatic indication is provided in the control room to inform the operator that a system is out of service. Indicator lights indicate which part of a system is not operable. Typically, system out of service annunciators energize

whenever one or more of the following conditions occur:

1. Pump motor breaker in pull to lock position
2. Bypass or test switches actuated.
3. Loss of motor operated valve control power or overload condition.
4. Remote shutdown panel takeover.
5. Loss of pump motor control power.
6. Diesel generator out of service.

7.5-3 HCGS-UFSAR Revision 0 April 11, 1988 Essential auxiliary supporting system inoperability or bypass resulting in the loss of other safety-related systems will cause actuation of system level annunciators for the auxiliary supporting system as well as those safety-

related systems affected.

Individual bypassed or out of service indicators for the following Nuclear Steam Supply System (NSSS) are arranged in the control section of the main control room panels to which the system is related. All bypassed and inoperable indicators, at a system or component level, are grouped together on

a panel section with indicators of variables.

1. Residual Heat Removal (RHR) System
2. Reactor Core Isolation Cooling (RCIC)
3. High Pressure Coolant Injection (HPCI) System
4. Core Spray System
5. Automatic Depressurization System (ADS)
6. Reactor Protection System (RPS)
7. Redundant Reactivity Control System (RRCS)
8. Primary Containment and Reactor Vessel Isolation Control System (PCRVICS)

In addition to the indication of bypass or inoperability, overhead annunciation is provided for each NSSS system train listed above. A bypass of one or more components within a system train actuates a corresponding annunciator to alarm the fact that a given system is impaired. All indicator circuits for the NSSS

systems of each channel are physically and electrically separated. The

7.5-4 HCGS-UFSAR Revision 0 April 11, 1988 annunciator circuits are physically and electrically isolated from safety circuits so that no credible failure of the annunciator circuits will degrade

the safety circuit below an acceptable level.

The following non-NSSS safety-related ESF and EAS systems are provided with nonsafety-related bypassed and inoperable status indicators arranged together

on a vertical board:

1. Station Service Water System (SSWS) and screen spray
2. SSWS to heat exchangers and Cooling Tower System
3. Safety Auxiliaries Cooling System (SACS)
4. Spent Fuel Pool Cooling System
5. Containment Atmosphere Control System (CACS)
6. Deleted
7. Primary Containment Instrument Gas System (PCIGS)
8. Standby Diesel Generator (SDG) System
9. Intake structure Heating, Ventilating, and Air Conditioning (HVAC)

System

10. Switchgear Cooling System
11. SDG Recirculation System
12. Reactor Building Exhaust System
13. Auxiliary Building Control Area HVAC
14. Reactor Building Filtration, Recirculation, and Ventilation System (FRVS)

7.5-5 HCGS-UFSAR Revision 15 October 27, 2006

15. Emergency Core Cooling System (ECCS) and SACS pump room coolers
16. Control area chilled water
17. Prepurge cleanup system
18. 125 V dc supply to inverter.

The system of status lights for bypass indication, together with other display information available to the operator, and periodic testing provide information so that the operator will be aware of the status of ESF and EAS systems. The indication system provides information so that frequent or routine bypass

operations with control circuits or manual process valves that could affect

system performance are made obvious.

The only means of cancelling automatic bypass indication is by correcting the

bypassed or inoperable condition.

The indication provisions, along with administrative controls, aid the operator in assessing the availability of component and system level protective actions.

This indication does not perform a safety function. The bypassed and

inoperable status indication lights and their annunciators can be tested by

depressing integrated test pushbuttons.

The bypassed and inoperable status indication system instrumentation is listed in Table 7.5-1. The locations of bypassed and inoperable status indicators and

switches are shown on Plant Drawing J-0602-0.

7.5-6 HCGS-UFSAR Revision 20 May 9, 2014 7.5.1.3.3 Plant Computer Systems

7.5.1.3.3.1 Plant Computer Systems Identification

The objective of the Plant Computer Systems (PCS) is to provide monitoring

functions and data to aid in effective and safe operation of the nuclear power

plant during normal and emergency operating conditions.

The Plant Computer Systems include:

1. Process Computer
2. Meteorological/Radiation Monitoring System (RMS) Computer
3. Emergency Response Facility Data Acquisition System (ERFDAS)
4. Control Room Integrated Display System (CRIDS).

The Plant Computer Systems are not Class 1E and do not perform any safety-related function. However, the systems do present information to the operator during all plant conditions using data acquired from both Class 1E and non-Class 1E circuits. Where the computer input/output is connected to Class 1E circuits, isolation devices are provided. These isolation devices are designed

and qualified as required by Regulatory Guide 1.97 and IEEE 279-1971.

7.5.1.3.3.2 PCS Functions

The Plant Computer Systems provide:

1. Real time monitoring and alarming for the primary and secondary plant equipment and systems
2. Guidance functions to aid plant operations

7.5-7 HCGS-UFSAR Revision 11 November 24, 2000

3. Meteorological/radiation calculations
4. Performance and efficiency calculations for the primary and secondary plant
5. Sequence of events recording
6. Collection and reporting of current and historical data for

immediate use and long term records

7. CRT displays to provide system diagrams and other graphic/alphanumeric display data
8. Safety Parameter Display System (SPDS) as defined by BWR Owner's Group (see Section 7.5.1.3.3.4)
9. Information to the Technical Support Center (TSC), and Emergency

Offsite Facility (EOF) (see Section 7.5.1.3.3.4).

7.5.1.3.3.3 PCS Operation

The Control Room Integrated Display Computer System (CRIDS) has access, via common memory and data links, to the Process, RMS, MET, MIDAS, Core Monitoring

System, RWM and LEFM Computer Systems. This enables the CRIDS to pool and present all information required by main control room personnel. The Core Monitoring System and RMS computer systems each have a CRT in the main control room which can be used to obtain additional information if required.

In addition to the main control room, information is provided to the following

areas from the Plant Computer Systems:

1. Technical Support Center (TSC)
a. RMS 7.5-8 HCGS-UFSAR Revision 23 November 12, 2018
b. CRIDS
2. Health Physicist Station - RMS
3. Reactor Engineer Station - Process
4. Emergency Offsite Facility (EOF) - RMS

The availability of the Plant Computer Systems will not compromise plant

availability or safety. Computer availability meets SPDS requirements.

7.5.1.3.3.4 Emergency Response Facilities

HCGS will use the computer systems to meet emergency response facilities (ERF)

requirements according to the guidelines detailed in Supplement 1 to NUREG-0737, Requirements for Emergency Response Capability, October, 1982. The SPDS

graphics will be as defined by the BWR Owners' Group.

The same displays and integrated data base will be available in the TSC via two

CRTs.

A data link from HCGS to the training center will provide remote access to RMS

information for the EOF.

7.5.1.3.4 Post-Accident Monitoring Instrumentation

Post-accident monitoring displays are designed to monitor plant variables

before, during, and following a design basis accident (DBA).

Instrumentation provided for the monitoring of post-accident conditions is qualified for operation in environmental and seismic conditions specified in

Sections 3.10 and 3.11. Displayed

7.5-9 HCGS-UFSAR Revision 11 November 24, 2000 parameters listed in Table 7.5-1 are furnished in accordance with criteria of Regulatory Guide 1.97, Revision 2. 7.5.1.3.5 Startup and Transient Monitoring System 7.5.1.3.5.1 Design Basis A high speed digital monitoring and recording system is included as a function of the Control Room Integrated Display System (CRIDS) at HCGS and serves as the Startup and Transient Monitoring System (STMS). The STMS system was originally a General Electric Transient Analysis Recording System, and the functions implemented on the CRIDS retain the name GETARS. Fully configured, the system is capable of real time monitoring, processing, and storage of up to 500 digital and analog digital points at a rate of up to 100 times per second each. 7.5.1.3.5.2 Deleted 7.5-10 HCGS-UFSAR Revision 18 May 10, 2011 7.5.1.3.5.3 Deleted 7.5-11 HCGS-UFSAR Revision 18 May 10, 2011 7.5.1.3.5.4 System Installation A Class 1E signal is defined as any plant parameter which must be accessed by connecting to or "tapping" directly an existing Class 1E circuit. All Class 1E signals will be monitored by Class 1E remote MUXs of the same division and channel or safety classification as the equipment from which the signal is being "tapped." The power supplied to each remote MUX will be via an existing Class 1E uninterruptible power supply (UPS) for the Class 1E MUXs and a non-Class 1E UPS for the non-Class 1E MUXs. RPS MUXs will be powered from interruptible RPS power. Connections to 7.5-12 HCGS-UFSAR Revision 18 May 10, 2011 Class 1E UPSs will be consistent with existing load group definitions so as not to degrade a redundant safety function due to the potential failure of a Class 1E power source. All Class 1E MUXs shall be mounted to seismically qualified racks or enclosures in a manner consistent with that used in the qualification testing. Similarly, all Class 1E cabling shall be routed in seismically qualified raceways. All other STMS equipment, including non-Class 1E Remote MUXs, shall be installed in accordance with standard plant construction practices and procedures so as to maximize system integrity and reliability. All cables and fiberoptic links shall be considered instrumentation and therefore segregated from power cables. The single exception is the power supply feeds from the UPSs, which shall be considered 120 Vac control circuits. The STMS design is identical to the SPDS design for 1E to non-1E isolation. Reference Section 7.1.2.5.2.b for a description of the isolation methodology. The fiberoptic links shall be procured in accordance with the flame test requirements of IEEE Standard 383-1974 to comply with the intent of safety-related quality requirements. The physical installation and identification of the Class 1E portion of the STMS are in accordance with Regulatory Guide 1.75, Revision 2, as clarified in Section 8.1.4.14. 7.5-13 HCGS-UFSAR Revision 18 May 10, 2011 The non-Class 1E circuits are routed in non-Class 1E raceways. All wiring for temporary signals will be non-Class 1E, and routed in non-Class 1E raceways. The 1E remote multiplexer units are qualified to EPRI TR-102323 Rev. 3 for EMI/RFI emissions and susceptibility requirements for a Safety-Related device. 7.5-14 HCGS-UFSAR Revision 18 May 10, 2011 7.5.1.3.5.5 Safety Analysis The STMS is installed to provide for the monitoring of plant parameters and the recording of data in support of the power ascension test program. It is a nonsafety-related system. 7.5.1.3.6 Safety Relief Valve Position Indication System (SRVPIS) 7.5.1.3.6.1 Design Basis The SRVPIS is designed: 1. To provide the control room operator with unambiguous indications of main steam line safety/relief valve (SRV) position 2. To be redundant to and diverse from the SRV position indication provided by the SRV tailpipe temperature recorder (TR-R614) 7.5-15 HCGS-UFSAR Revision 18 May 10, 2011

3. In conformance with the requirements of Regulatory Guide 1.97 and NUREG-0737.

7.5.1.3.6.2 System Description

The SRVPIS provides the control room operator with a positive and reliable

OPEN/CLOSED indication of all 14 SRVs and provides an alarm to alert the operator to abnormal SRV position which could result on a loss of reactor

coolant to the suppression pool.

The SRVPIS is an acoustic monitoring system consisting of accelerometers, preamplifiers, signal conditioning units, valve position displays, and interconnecting cabling. Those portions located inside the primary containment (accelerometers and interconnecting cables) are qualified for a loss of coolant

accident (LOCA) environment.

The accelerometers and cabling inside the primary containment are installed and supported such that they present no hazard to the seismically qualified

equipment that they are associated with.

7.5.1.3.6.3 System Operation

The SRVPIS accelerometers (sensors) are strap mounted to the discharge piping downstream of each SRV as close as possible to the valve. When an SRV is open, the accelerometer senses the flow noise created by the steam passing through the discharge piping and produces a signal proportional to the flow through the pipe. This signal is amplified by a preamplifier located outside the primary containment and transmitted to a signal conditioning unit located in the SRVPIS control panel in the main control room. The signal conditioning unit processes the signal and provides the operator with OPEN/CLOSED SRV position indication

and an alarm if the valve is determined to be open.

Each SRVPIS channel provides an input to a common "valve open" alarm switch.

When 1 or more SRVs are determined to be open, the

7.5-16 HCGS-UFSAR Revision 8 September 25, 1996 common alarm switch produces a signal to actuate an annunciator in the main control room providing audio and visual indication to the operator of the valve open status. The common alarm switch remains in the alarm state until all 14

SRVs are determined to be closed.

7.5.1.3.6.4 Installation

SRVPIS equipment is installed in accordance with the manufacturer's

instructions.

The accelerometers are mounted on the SRV discharge piping with stainless steel

pipe mounting straps as close as possible to the valve.

The preamplifiers for all 14 channels are located in a junction box outside the

primary containment.

The SRVPIS control panel (C605) is located in the main control room.

7.5.1.3.6.5 Calibration and Testing

Calibration and testing of the SRVPIS will be in accordance with the manufacturers recommendations at periods specified in Section 16, Technical Specifications and as described in the NRC SER for Hope Creek Technical

Specification Amendment No. 116.

Three types of calibration are performed on the SRVPIS:

1. Sensor sensitivity calibration - to verify and assure the proper operation of each sensor (accelerometer)
2. System sensitivity calibration - to verify and assure the proper operation of each monitoring channel
3. Operational calibration - to determine sensor crosstalk and establish setpoints for SRV open alarms.

7.5-17 HCGS-UFSAR Revision 10 September 30, 1999 7.5.1.3.6.6 Safety Evaluation

The SRVPIS is installed to provide operator information only and is not a safety-related system. It conforms to the requirements of Regulatory Guide 1.97 and NUREG-0737 (Action Item II.D.3) and provides a means of SRV position

indication. See Table 7.5-1.

7.5-18 HCGS-UFSAR Revision 14 July 26, 2005

THIS PAGE IS INTENTIONALLY BLANK

7.5-19 HCGS-UFSAR Revision 14 July 26, 2005

THIS PAGE IS INTENTIONALLY BLANK

7.5-20 HCGS-UFSAR Revision 14 July 26, 2005

THIS PAGE IS INTENTIONALLY BLANK

7.5-21 HCGS-UFSAR Revision 14 July 26, 2005

THIS PAGE IS INTENTIONALLY BLANK

7.5-22 HCGS-UFSAR Revision 14 July 26, 2005

THIS PAGE IS INTENTIONALLY BLANK

7.5-23 HCGS-UFSAR Revision 14 July 26, 2005

7.5.2 Analysis

7.5.2.1 Performance of Manual Safety Functions Manual safety functions are initially based upon primary information provided by Type A variables as defined by Regulatory Guide 1.97. Safe rod patterns are established by the control room operator from control rod position indications described in Section 7.7.1.1.3. Type A variables and control rod position indications are included in Table 7.5-1. 7.5.2.2 Implementation of 10CFR50 Appendix A - General Design Criteria The following general design criteria (GDC) apply specifically to information systems or displays important to safety. Refer to Section 3.1 for general discussion of the following GDC: 7.5-24 HCGS-UFSAR Revision 14 July 26, 2005

1. GDC 2, Design Basis for Protection Against Natural Phenomena
2. GDC 4, Environmental and Missile Design Basis - GDC 2 and 4 are applicable to variables that are classified as Categories 1 and 2 in Regulatory Guide 1.97. These variables are listed in Table 7.5-
1.
3. GDC 13, Instrumentation and Control - Instrumentation and displays are provided to monitor variables and systems over their anticipated ranges for all plant conditions, as appropriate, to ensure adequate safety, as indicated by Table 7.5-1. See

conformance to Regulatory Guide 1.97 in Section 1.8.1.97.

4. GDC 19, Control Room - Information systems and displays are provided in the main control room, from which actions can be taken to operate the plant safely under normal conditions and to maintain

it in a safe condition under accident conditions, as indicated by Table 7.5-1. See conformance to Regulatory Guide 1.97 in

Section 1.8.1.97.

7.5.2.3 Implementation of Regulatory Guides

The following Regulatory Guides, discussed in Section 1.8, apply specifically

to information systems or displays important to safety.

1. Regulatory Guide 1.47, Revision 0, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - The bypassed and inoperable status indication system described in Section

7.5.1.3.2 complies with Regulatory Guide 1.47.

2. Regulatory Guide 1.75, Revision 2, Physical Independence of Electric Systems - The variables that are classified as Category 1

in Regulatory Guide 1.97, except as stated

7.5-25 HCGS-UFSAR Revision 0 April 11, 1988 in Section 1.8.1.97, are designed and implemented in accordance with the guidelines of Regulatory Guide 1.75, except as stated in

Section 1.8.1.75.

Bypassed and inoperable status indications provided by the NSSS supplier as described in Section 7.5.1.3.2, provide physically independent indications for each redundant safety system. Post-accident monitors as described in Section 7.5.1.3.5 provide physically independent indications for redundant safety systems as

listed in Table 7.5-1.

3. Regulatory Guide 1.97, Revision 2, Instrumentation for Light-Water Cooled Nuclear Power Plants - Information systems and displays important to safety are designed and implemented according to the guidelines of Regulatory Guide 1.97 with the clarifications and exceptions as stated in Section 1.8.1.97. Table 7.5-1 lists those parameters from Table 1 of Regulatory Guide 1.97 that are

displayed.

4. Regulatory Guide 1.105, Revision 1, Instrument Setpoints - The range for each displayed parameter listed in Table 7.5-1 is selected to encompass the expected operating range of the process variable being monitored so saturation will not negate the ability

of the instruments to measure and display the process variable.

7.5.2.4 Implementation of Branch Technical Positions

7.5.2.4.1 BTP ICSB 21, Guidance for Application of Regulatory Guide 1.47

The bypass and inoperable status indication described in Section 7.5.1.3.2

meets the supplemental guidance of BTP ICSB 21.

7.5-26 HCGS-UFSAR Revision 0 April 11, 1988 7.5.2.5 Implementation of TMI Action Plan Requirements

1. Item II.D.3, Relief and Safety Valve Position Indication, NUREG 0737 and NUREG 0694 - Table 7.5-1 includes displays that indicate flow in the valve discharge pipes of the main steam relief and safety valves. See Section 7.5.1.3.6 for a discussion of the

Safety Relief Valve Position Indication System.

2. Item II.F.1, Accident Monitoring Instrumentation, NUREG 0737 and NUREG 0694 - Positions 4, 5, and 6 of this TMI Action Plan item are

implemented in Table 7.5-1.

3. Item II.K.1.23, Reactor Vessel Level Indication, NUREG 0694 - All uses and types of reactor vessel water level indication used at HCGS for both automatic and manual initiation of safety systems are

shown on Plant Drawing M-42-1.

With all other conditions normal, other instrumentation that can provide the control room operator with the same information on

plant status (low reactor vessel water level) are:

a. Increase in reactor water temperature (measured at recirculation pump suction)
b. Decrease in reactor pressure
c. Increase in drywell sumps level.

7.5.2.6 Analysis of IE Bulletin 79-27

An analysis (see Reference 7.5-1) was conducted based on the Limerick

Generating Station (LGS-1) approach for answering the concerns raised in IE Bulletin 79-27. This methodology has been reviewed and approved by the NRC via

a report written for the LGS-1

7.5-27 HCGS-UFSAR Revision 20 May 9, 2014 project. However, as identified in Reference 7.5-4, HCGS conducted the analysis using a revised methodology.

An outline of this revised methodology is as follows:

1. Identify the systems (and subsystems) required to bring the plant to a cold shutdown under emergency conditions.
2. Identify the devices that provide information to the operator to achieve a cold shutdown.
3. Identify the power supply buses associated with the devices in Item 2.

above.

4. Analyze the effect of a loss of power to each bus identified in Item 3. above, and determine the ability to achieve a safe shutdown with this bus

loss.

5. Review system drawings to determine what type of information is available to the operator to alert him/her to a bus loss.
6. Review the Hope Creek emergency operating procedures, and verify that the procedures to restore power to the affected power buses are adequate.
7. Review the final plant operating procedures, and make modifications if necessary.

The analysis showed there is no situation where a single bus power failure would prevent plant personnel from achieving a safe shutdown condition. The results established that no single bus supplies power to all existing shutdown paths. The assignment of the instrument loads identified in this analysis is such that the loss of one bus would not prevent the minimum safety function

from being performed.

7.5-28 HCGS-UFSAR Revision 0 April 11, 1988 The failure of each of the buses are annunciated and are displayed by the computer in the control room, thereby giving the operator the knowledge of which power bus is lost. The analysis showed that control room personnel will have knowledge of individual bus and/or circuit failures and that the operator has alternative instruments and shutdown paths available to achieve a cold

shutdown condition.

The analysis was extended to include both Class 1E and non-Class 1E inverter supplied instrument power buses. These buses are identified on Table 2 of reference 1 corresponding to the Annunciator column designation of "120 V ac UPS Trbl." No design modifications or administrative controls were considered

necessary based on a re-review of IE Circular No. 79-02.

7.5.3 References

7.5-1 "Cold Shutdown/Power Bus Failure Analysis Report," Hope Creek Generating Station, Public Service Electric and Gas Company, August 1984.

7.5-29 HCGS-UFSAR Revision 0 April 11, 1988 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1.97 Instrument RG 1.97 Indicating Variable Displayed Tag Design Range Accuracy Type of Display Location Type _ Parameter Number _ Category(1)

Provided _

Percent Display Area Panel(2)

A1 Suppression Chamber/

AR-5 041A 1 0-10%, 0-30% +/-0.5 Pen Recorder MCR C650CH Drywell Oxygen (0

2) AR-5041B 1 0-10%, 0-30% +/-0.5 Pen Recorder MCR C650CH Concentration

A1 Suppression Chamber/

AR-5039A 1 0-10%, 0-30% +/-0.5 Dual Range MCR C650CH Drywell Hydrogen (H

2) AR-5039B 1 0-10%, 0-30% +/-0.5 Pen Recorder MCR C650CH Concentration

Other Suppression Chamber/

AIS-5039A 10%, 0-30% +/-0.5 Indicator MCR C650EC Drywell H 2/02 AIS-5039B 10%, 0-30% +/-0.5 Indicator MCR C650EC Concentration

A2 Reactor Pressure PI-3684A 1 0 to 1500 PSIG

+/-0.5 Indicator MCR C650CH PI-3684A-1 1 0 to 1500 PSIG

+/-0.5 Indicator MCR C650BB PR-3684B 1 0 to 1500 PSIG +/-0.5 Pen Recorder MCR C650CH Other Reactor Pressure PR-R623A-B21 - 0 to 1500 PSIG

+/-0.5 Pen Recorder MCR C650CH PR-R623B-B21 - 0 to 1500 PSIG

+/-0.5 Pen Recorder MCR C650CH PI-R605-C32 - 0 to 1200 PSIG

+/-0.5 Indicator MCR C650CH A3 Coolant Level LI-R610-B21 1 -311 to -111 inches

+/-0.5 Indicator MCR C650AF in Reactor (3)

LR-R615-B21 1 -311 to -111 inches

+/-0.5 Pen Recorder MCR C650AG LR-R623A-B21 1 -150 to 60 inches

+/-0.5 Pen Recorder MCR C650CH LR-R623B-B21 1 -150 to 60 inches +/-0.5 Pen Recorder MCR C650CH LR-3622A 1 0 to 400 inches

+/-0.5 Pen Recorder MCR C650CH LR-3622B 1 0 to 400 inches

+/-0.5 Pen Recorder MCR C650CH Other Coolant Level LI-3682A - -150 to 60 inches

+/-0.5 Indicator MCR C650CH in Reactor (3)

LI-3682A -150 to 60 inches

+/-0.5 Indicator MCR C650BB LR-3682B - -150 to 60 inches

+/-0.5 Pen Recorder MCR C650CH LI-3683A - 0 to 60 inches

+/-0.5 Indicator MCR C650CH LR-3683B - 0 to 60 inches

+/-0.5 Pen Recorder MCR C650CH LI-R604-B21 - -150 to 60 inches

+/-0.5 Indicator MCR C650CC LI-R606A-C32 - 0 to 60 inches

+/-0.5 Indicator MCR C650CC LI-R606B-C32 - 0 to 60 inches

+/-0.5 Indicator MCR C650CC LI-R606C-C32 - 0 to 60 inches

+/-0.5 Indicator MCR C650CC LI-R605-B21 - 0 to 400 inches

+/-0.5 Indicator MCR C650CC LIC-R600-C32 - 0 to 60 inches

+/-1.0 Indicator/

MCR C651CB Controller LR-R608-C32 - 0 to 180 inches

+/-0.5 Pen Recorder MCR C650CC 0 to 60 inches

+/-0.5 1 of 23 HCGS-UFSAR Revision 22 May 9, 2017

TABLE 7.5-1 (Cont) RG 1.97 Sensor Safety Variable Displayed Location Related Power Parameter Tag Nlllber Drawing Channel conments A1 Suppression Chamber/ AE-5041A P0046 A LE Orywell Oxygen (0) concentration 2 AE-50418 P0046 B 1E A1 suppression Chamber/ AE-5039A P0046 A 1E orywell CH2> AE*5039B P0046 B 1E concentrat1on Other Suppression Chamber/ AE-5039A/AE-5041A P0046 A 1E Drywelt H /0 AE-50398/AE-50418 P0046 B 1E A2 Reactor Pressure PT*3684A J2102-1 A 1E PT-36848 J1902-1 B 1E Other Reactor Pressure PT-N078A-B21 J2102*1 " RPS PT-N0788-B21 J1602-1 X RPS PT-N005-C32 J2102-1 UPS A3 Coolant Level LT*N085B*B21 J2302-1 B 1E in Reactor (3) LT-N085A*B21 J2302-1 A 1E LT*N091A-B21 J2102-1 A 1E 0 Reference -bottom of dryer LT*N091B-B21 J1602-1 B 1E skirt (+527.511 above vessel zero) lT*3622A J2102-1 A 1E 0 Reference

  • bottom of dryer LT-36228 J1602*1 B 1E skirt (+527.511 above vessel zero) Other Coolant Level LT-3682A J2102-1 A 1E 0 Reference -bottom of dryer in Reactor (3) LT-36828 J1902-1 B 1E skirt (+527.5" above vessel zero) LT-3683A J2102-1 A 1E 0 Reference -bottom of dryer LT-36838 J1902-1 B 1E skirt (+527.511 above vessel zero) LT*N081C-B21 J1502-1 y RPS 0 Reference -Bottom of dryer PDT-N004A-C32 J2102-1 UPS skirt (+527.511 above vessel zero) POT*N004B*C32 J1602-1 UPS 0 Reference -bottom of dryer PDT-N004C-C32 J1502-1 UPS skirt (+527.511 above vessel zero) LT-N027-B21 J2102*1 UPS 0 Reference -bottom of dryer skirt (+527.511 above vessel zero> PDT*N004A-C32 J2102-1 UPS 0 Reference -bottom of dryer POT*N004B*C32 J1602-1 UPS skirt (+527.511 above vessel zero) PDT-N017*C32 J2102-1 UPS 0 Reference -bottom of dryer PDT*N004A/B-C32 J2102-1 UPS skirt (+527.su above vessel zero) J1602-1 1a of 23 HCGS*UFSAR Revision 8 Septenber 25, 1996 TABLE 7.5-1 (Cont) DISPLAYED PARAMETERS IMPORTANT TO SAFETY

RG 1.97 Instrument RG 1.97 Indicating Variable Displayed Tag Design Range Accuracy Type of Display Location Type _ Parameter Number _ Category(1)

Provided _

Percent Display Area Panel(2) Comments A4 Suppression Pool TR-3881A1 1 0 to 300F +/-0.5 Pen Recorder MCR C650CH Recorders Water Temperature TR-3881A1 & B1 have a calibra- ted range of 45 - 255F TR-3881B1 1 0 to 300F +/-0.5 Pen Recorder MCR C650CH

A5 Suppression Pool LI-4801 1 0 to 180 inches (4)

+/-0.5 Indicator MCR C650CH Water Level LI-4805-1 1 LR-4805-1 1 0 to 180 inches (4)

+/-0.5 Pen Recorder MCR C650BB

A6 Drywell Pressure PR-4960A2 1 -5 to 250 PSIG

+/-0.5 Pen Recorder MCR C650ED PR-4960B2 1 -5 to 250 PSIG

+/-0.5 Pen Recorder MCR C650ED PR-4960A3 1 -5 to 5 PSIG

+/-0.5 Pen Recorder MCR C650ED

Other Drywell Pressure PI-4960A2 - -5 to 250 PSIG

+/-0.5 Indicator MCR C650AE PI-4960B2 - -5 to 250 PSIG

+/-0.5 Indicator MCR C650AF PI-4960A3 - -5 to 5 PSIG

+/-0.5 Indicator MCR C650AE

A6 Suppression Chamber PR-4960A1 1 -5 to 250 PSIG

+/-0.5 Pen Recorder MCR C650ED Pressure PR-4960B1 1 -5 to 250 PSIG

+/-0.5 Pen Recorder MCR C650ED PR-4960B3 1 -5 to 5 PSIG

+/-0.5 Pen Recorder MCR C650ED

Other Suppression Chamber PI-4960A1 - -5 to 250 PSIG

+/-0.5 Indicator MCR C650AE Pressure PI-4960B1 - -5 to 250 PSIG

+/-0.5 Indicator MCR C650AF PI-4960B3 - -5 to 5 PSIG

+/-0.5 Indicator MCR C650AF

B1 Neutron Flux Not Implemented - (SRM)(23) See 1.8.1.97.4.2

2 of 23 HCGS-UFSAR Revision 22 May 9, 2017

TABLE 7.5-1 (Cont) RG 1.97 Sensor _

Safety Variable Displayed Location Related Power Type Parameter Tag Number Drawing_

Channel Supply Comments A4 Suppression Pool TE-3647A-1 JT105 A 1E TR-3881A1 and TR

-3881B1 Water Temperature TE-3647E-1 JT105 A 1E record average pool TE-3647H-1 JT105 A 1E temperature provided from TE-3647K-1* JT105 A 1E the Suppression Pool TE-3647N-1 JT105 A 1E Temperature Monitoring TE-3647P-1 JT105 A 1E Systems (SPTMS) A & B located TE-3547R-1 JT105 A 1E in the Radiation Monitoring TE-3648A-1 JT105 A 1E System (RMS) panel 10C604.

TE-3648B-1 JT105 A 1E Temperature elements TE-3648C-1 JT105 A 1E with an

  • are spares and do not provide inputs into TE-3647B-1 JT105 B 1E their associated SPTMS.

TE-3647C-1 JT105 B 1E TE-3647D-1* JT105 B 1E The SPTMS Readout on the RM

-23A TE-3647F-1 JT105 B 1E in panel 10C604 has a range of TE-3647G-1 JT105 B 1E 45-255F TE-3647J-1 JT105 B 1E TE-3647L-1 JT105 B 1E TE-3647M-1 JT105 B 1E TE-3647Q-1* JT105 B 1E TE-3648D-1 JT105 B 1E A5 Suppression Pool LT-4801 J1501-1 C 1E 0 Reference - 94 inches above Water Level LT-4805-1 J1801-1 A 1E the bottom of the suppression LT-4805-1 J1801-1 A 1E chamber.

A6 Drywell Pressure PT-4960A2 J2006-1 A 1E PT-4960B2 J1708-1 D 1E PT-4960A3 J2006-1 A 1E Other Drywell Pressure PT-4960A2 J2006-1 A 1E PT-4960B2 J1708-1 D 1E PT-4960A3 J2006-1 A 1E A6 Suppression Chamber PT-4960A1 J1503-1 A 1E Pressure PT-4960B1 J1903-1 D 1E PT-4960B3 J1903-1 D 1E Other Suppression Chamber PT-4960A1 J1503-1 A 1E Pressure PT-4960B1 J1903-1 D 1E PT-4960B3 J1903-1 D 1E B1 Neutron Flux Not Implemented See 1.8.1.97.4.2

2a of 23 HCGS-UFSAR Revision 22 May 9, 2017

TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY

This sheet intentionally deleted

3 of 23 HCGS-UFSAR Revision 22 May 9, 2017

TABLE 7.5-1 (Cont)

This sheet intentionally deleted

3a of 23 HCGS-UFSAR Revision 22 May 9, 2017

RG 1.97 lnstrlJTient Variable Displayed Tag Parameter Nlnber 82 Control Rod C11-Z2(7) Position 83 RCS Soluble Boron Concentration (Saq>le) 84 Coolant Level in Reactor 85 Core Thermocouples 86 RCS Pressure 87 Drywell Pressure 88 Drywell Equipment LI-4930 Drain Sump Level Drywell Floor LI *4931 Drain Sump Level 89 Primary Containment Pressure HCGS*UFSAR TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1.97 Indicating Design Range Accuracy Type of Provided Percent 3 Full intfuH out Position Lights 3 3 0 to 42 inches :1:1.0 Digital indicator 3 0 to 42 inches :1:1.0 Digital indicator 4 of 23 Location ill!! MCR C650CD MCR 10C604 MCR 10C604 Revision 8 September 25, 1996 RG 1.97 Sensor Variable Displayed Parameter Tag 82 Control Rod (8) Position 83 RCS Soluble Boron Concentration (Sarrple) 84 Coolant Level in Reactor 85 Core Thermocouples 86 RCS Pressure 87 Drywell Pressure 88 D rywell Equipment LT-4930 Drain Sump level Drywell Floor lT-4931 Drain Sump Level 89 Pr;mary containment Pressure HCGS*UFSAR TABLE 7.5*1 (Cont) Safety Location Related Power Drawing Channel Reactor UPS J-1702-1 D 1E J-1702-1 0 1E 4a of 23 C00111ents Refer to Table 9.3*3 Post Accident Sampling System (PASS) Refer to A3 Not implemented

  • See Section 1.8.1.97.3.2 Refer to A2 Refer to A6 Identified leakage 0 Reference is 2 inches above bottom of each sump Unidentified leakage 0 Reference is 2 inches above bottom of each sump Refer to A6 Revision 8 September 25, 1996 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1. 97 Instrument RG 1. 97 Indicating Variable Displayed Tag Design Range Accuracy Type of Location Parameter Number Cate9or;t\ll Provided Percent DisElay Area Panell2l 810 Primary Containment ZIL-2553 1 Open/closed Status lights MCR C650DA Isolation Valve ZIL-2554 1 Open/closed Status lights MCR C650DA Position ZIL-2555 1 Open/closed Status lights MCR C650DA ZIL-2556 1 Open/closed Status lights MCR C650DA ZIL-3800A 1 Open/closed Status lights MCR C650DA ZIL-38008 1 Open/closed Status lights MCR C650DA ZIL-4310 1 Open/closed Status lights MCR C650DA ZIL-4311 1 Open/closed Status lights MCR C650DA ZIL-9531Al 1 Open/closed Status lights MCR C650DA ZIL-9531A2 1 Open/closed Status lights MCR C650DA ZIL-9531A3 1 Open/closed Status lights MCR C650DA ZIL-9531A4 1 Open/closed Status lights MCR C650DA ZIL-953181 1 Open/closed Status lights MCR C650DA ZIL-953182 1 Open/closed Status lights MCR C650DA ZIL-953183 1 Open/closed Status lights MCR C650DA ZIL-953184 Open/closed Status lights MCR C650DA ZIL-F001-G33 Open/closed Status lights MCR C650DA ZIL-F'004-G33 Open/closed Status lights MCR C650DA ZIL-F016-B21 Open/closed Status lights MCR C650DA ZIL-F019-B21 Open/Closed Status lights MCR C650DA XIL-J004 {20) Open/C.!.osed Status lights MCR C650DA ZIL-F022A2-B21 1 (20) Open/C.l_osed Status lights MCR C650DA ZIL-F02282-821 1 (21) Open/Closed Status lights MCR C650DA ZIL-F022C2-B21 1 {21) Open/Closed Status lights MCR C650DA ZIL-F022D2-B21 1 (21) Open/Closed Status lights MCR C650DA ZIL-F028A2-821 1 (21J Open/Closed Status lights MCR C650DA ZIL-F028B2-B21 1 (21) Open/Closed Status lights MCR C650DA ZIL-F028C2-B21 (21) Open/Closed lights MCR C650DA ZI L-F028D2-B21 (21) Open/Closed Status lights MCR C650DA HS-f039-G33 Open/closed Status 1 ghts MCR C651CD HS-8278 Open/closed Status 1 ghts MCR C650BB HS-f008-l-Ell Open/closed Status 1 ghts MCR C650AF HS-F015A-Ell Open/closed Status 1 ghts MCR C650AE HS-F015B-1-Ell Open/closed Status l ghts MCR C650AF HS-F005A-E21 Open/closed Status l ghts MCR C650BC 5 of 23 HCGS-UFSAR Revision 12 May 3, 2002 RG 1.97 Variable Displayed Parameter 810 Primary Contairooent Isolation Valve Position HCGS-UFSAR Tag Number ZS-2553 ZS-2554 ZS-2555 ZS-2556 ZS-3800A ZS-38008 ZS-4310 ZS-4311 ZS-9531Al ZS-9531A2 ZS-9531A3 ZS-9531M ZS-953181 ZS-953182 ZS-953183 ZS-953184 ZS-F001-G33 ZS-F004-G33 ZS-F016-B21 ZS-F019-B21 (9) (10) (10) ( 10) (10) (10) no l ZS-F008-El1. ZS-F015A-Ell ZS-F015B-Ell ZS-F005A-E21 Sensor Location Drawing: P1603-1 Pl703-1 P1603-1 P1703-1 1-P-BB-201 1-P-BB-201 1-P-BB-283 1-P-BB-216 P1603-l P1603-l Pl803-1 P1803-1 Pl703-1 P1703-l P1703-l P1704-l Pl707-1 Pl707-l Jl703-l Jl403-l ( Jl703-1 J1703-1 J1703-l Jl703-1 Jl703-1 Pl4C3-1 Pl803-1 P1603-l P1803-l TABLE 7.5-1 Safety Related Channel B D B D D D A D D D D c c c c A A w w w w A Sa of Power lE lE lE lE lE lE lE lE 1E lE lE lE lE lE lE lE lE lE 1E UPS RPS RPS RPS lE 1E (Cant) Conunents I
  • *
  • TABLE 7_5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1. 97 Instrument RG 1.97 Indicating Variable Displayed Tag Design Range Accuracy Type of DisElay Location Tl}2e Parameter Number Category{l} Provided Percent Display Area Panel{2} B10 Primary Containment HS-FOOSB-E21 1 Open/closed Status lights MCR C650CA (Cont'd} Isolation Valve HS-F006-E41 1 Open/closed Status lights MCR C650BB Position HS-F017A-Ell 1 Open/closed Status lights MCR C650AE HS-F017B-Ell l Open/closed Status lights MCR C650AF HS-F017C-Ell l Open/closed Status lights MCR C650AE HS-F017D-Ell. 1 Open/closed Status lights MCR C650AF HS-F002-E41 1 Open/closed Status lights MCR C650BB HS-F003-E41 1 Open/closed Status lights MCR C650BB HS-F100-F41 1 Open/closed Status lights MCR C650BB I HS-F007-1-E51 1 Open/closed Status lights MCR C650BA HS-F008-1-E51 l Open/closed Status lights MCR C650BA -HS-E076-1-ES1 1 Open/closed Status lights MCR C6SOBA HS-F013-1-ES1 1 Open/closed Status lights MCR C650BA HS-F006A-C41 1 Open/closed Status lights MCR C651CC HS-F006B-C41 1 Open/c).osed Status lights MCR C651CC HS-4956 1 Open/closed Status lights MCR C6SOED HS-4958 1 _Open/closed Status lights MCR C650ED HS-4978 1 Open/closed Status lights MCR C650ED HS-4979 1 Open/closed Status lights MCR C6SOED HS-4980 1 Open/closed Status lights MCR C650ED HS-4950 1 Open/closed Status lights MCR C650ED HS-4951 1 Open/closed Status lights MCR C6SOED HS-4952 1 open/closed Status lights MCR C650ED HS-SOSOA 1 Open/closed Status lights MCR C6SOED HS-SOSOB 1 Open/closed Status lights MCR C650ED HS-5052A 1 Open/closed Status lights MCR C650ED HS-5052B 1 Open/closed Status lights MCR C650ED HS-F021A-E11 1 Open/closed Status lights MCR C650AE HS-F021B-Ell 1 Open/closed Status lights MCR C650AF HS-F003-G14 1 Open/closed Status lights MCR C650DD HS-F004-Gl4 1 Open/closed Status lights MCR C650DD HS-F019-G14 1 Open/closed Status lights MCR C6SODD HS-F020-G14 1 Open/closed Status lights MCR C650DD HS-5126A 1 Open/closed Status lights MCR C6SOAA HS-5126B 1 Open/closed Status lights MCR C650AA HS-5152A 1 Open/closed Status lights MCR C650AA HS-5152B 1 Open/closed Status lights MCR C650AA HS-5161 1 Open/closed Status lights MCR C650AA HS-51.48 1 Open/closed Status lights MCR C6SOAA HS-5162 1 Open/closed Status lights MCR C650AA 6 of 23 HCGS-UFSAR Revision 14 .July 26. 2005
  • RG 1-97 sensor variable Displayed Parameter Tag Number BlO Primary Containment ZS-FOOSB-E21 {Cont'd) Isolation Valve ZS-F006-E41 Position ZS-F017A-Ell ZS-F017B-Ell ZS-F017C-Ell ZS-F017D-Ell ZS-F002-E41 ZS-F003-E41 ZS-Fl00-E41 ZS-F007-E51 ZS-F008-E51 ZS-F076-E51 ZS-F013-E51 ZS-F006A-C41 ZS-F006B-C41 ZS-4956 ZS-4958 ZS-4978 ZS-4979 ZS-4980 ZS-4950 ZS-4951 ZS-4952 ZS-5050A ZS-5050B ZS-5052A ZS-5052B ZS-F021A-Ell ZS-F021B-Ell ZS-F003-Gl4 ZS-F004-G14 ZS-F019-G14 ZS-F020-Gl4 ZS-5126A ZS-5126B ZS-5152B ZS-5161 ZS-5148 ZS-5162 HCGS-UFSAR Location Drawing Pl.603-1 Pl.803-1 P1B03-1 P1603-1 P1803-1 P1603-1 Pl703-l P1803-1 Pl703-1 Pl703-1 P1603-J. P1703-1 P1403-1 I-P-BH-201 I-P-BH-201 P1603-l P1802-1 P1603-1 P1603-1 P1802-1 P1707-l 1-P-GS-225 P1707-l 1-P-GS-236 P1603-1 P1707-1 P1603-1 Pl803-1 P1706-l Pl702-1 Pl402-l P1702-1 P1402-l Jl803-l J1603-1 Jl703-l. Jl704-l Jl703-l 1-P-KL-223 l-P-KL-230
  • TABLE 7.5-1 (Cont) Safety Related Power B lE A l.E A lE B lE c lE D lE c lE A 1E c lE D lE B lE D lE B lE A lE D* lE A lE A lE D lE D lE D lE D lE D lE A lE A lE B lE c lE D lE A lE B lE D lE B 1E c l.E B lE c lE B lE A lE D lE D lE A lE D lE 6a of 23 Comments I Revision 14 July 26, 2005
  • RG 1.97 RG 1.97 Variable Displayed Tag Design Parameter Nunber 810 Primary Containment HS*5147 1 (Cont1d) Isolation Valve HS-F071*E41 1 Position HS-F075-E41 1 HS*F042-E41 1 HS*F012-E41 1 HS-F084*1-E51 1 HS*F079-E41 1 HS-F062-1*E51 1 HS*F059*1*E51 1 HS*E031-1-E51 1 KS-F019-1-E51 1 HS-F060-1-E51 1 HS*F004D-E11 1 HS*F004B1*E11 1 HS-F004A-E11 1 HS*F004C*E11 1 HS*F024B1-E11 1 HS*F010B*E11 1 HS*F007D*E11 1 HS-F007B1-E11 1 HS*F024A-E11 1 HS*F010A*E11 1 HS*F007A*E11 1 HS*F007C-E11 1 HS*F027B*E11 1 HS*F027A-E11 1 HS*F0018-E11 1 HS*F001D-E11 1 HS*F001C*E21 1 HS*F001A-E21 1 HS*F015B-E21 1 HS*F031B*E21 1 HS*F031A*E21 1 HS-F015A*E21 1 HS-5029 1 HS*50548 1 HS*5053B 1 HCGS*UFSAR TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Accuracy Type of Provided Percent Display Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Opentc l osed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status l1ghts Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights 7 of 23 Diselax Location Area MCR C650AA MCR C650BB MCR C650BB MCR C650BB MCR C650BB MCR C650BA MCR C650BB MCR C650BA MCR C650BA MCR C650BA MCR C650BA MCR C650BA MCR C650AF MCR C650AF MCR C650AE MCR C650AE HCR C650AF MCR C650AF MCR C650AF MCR C650AF MCR C650AE HCR C650AE HCR C650AE MCR C650AE HCR C650AF HCR C650AE MCR C650CA MCR C650CA MCR C650BC HCR C6508C HCR C650CA HCR C650CA HCR C650CA MCR C650CA HCR C650ED MCR C650ED MCR C650EO Revision 8 September 25, 1996 RG 1.97 Sensor Variable Displayed Parameter Tag Nllnber 810 Primary Containment ZS-5147 (Cont1d) Isolation ZS-F071*E41 ZS-F075-E41 ZS-F042*E41 ZS*F012-E41 ZS*F084-E51 ZS-F079*E41 ZS-F062-E51 ZS*F059*E51 ZS*F031-E51 ZS-F019*E51 ZS-F060*E51 ZS-F0040-E11 ZS*F004B*E11 ZS-f004A-E11 ZS*f004C*E11 ZS-F024B*E11 ZS*F010B*E11 ZS*F007D-E11 ZS*F007B*E11 ZS*F024A-E11 ZS-F010A-E11 ZS*f007A*E11 ZS-F007C-E11 ZS*F027B*E11 ZS* F027A-E11 ZS*f001B*E21 ZS-F001D-E21 ZS*F001C*E21 ZS-F001A-E21 ZS-F015B*E21 ZS*F031B*E21 ZS*F031A-E21 ZS*F015A*E21 ZS-5029 ZS-50548 ZS-50538 HCGS-UFSAR Location 1-P-KL-235 P2002-1 P2002-1 P2001-1 P2001*1 1-P-FC-216 P2002-t 1-P-FC-216 P2002*1 1-P-80*209 1-P-BD-205 1-P-FC-210 P1601-1 P1901-1 P2101-1 P1801*1 P1901*1 P1901*1 P1901-1 P1901-1 P2101*1 P2101-1 P2101-1 P2101-1 1-P-BC-255 1-P-BC-265 P1401-1 P1601-1 P1801-1 P1401-1 P1302-1 P1301-1 P1501-1 P1502-1 P1602*1 1-P*GS-237 P1302-1 TABLE 7.5-1 (Cont) Safety Related Power Channel c 1E A 1E A 1E A 1E A 1E D 1E c 1E B 1E B 1E B 1E B 1E B 1E 0 1E B 1E A 1E c 1E B 1E D 1E D 1E B 1E A 1E c 1E A 1E c 1E B 1E A 1E B 1E D 1E c 1E A 1E B 1E B 1E A 1E A 1E A 1E B 1E D 1E 7a of 23 Corrments Revision 8 Septenber 25, 1996 TABLE 7 .5*1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1.97 RG 1.97 Indicating Variable Displayed Tag Design Range Accuracy Type of Location Parame1er Nt.rrber Categor:d 1l Provided Percent llliJllix Panell2l 810 Primary Containment HS-4964 1 Open/closed Status lights MCR C650ED (Cont1d) Isolation Valve HS-4963 1 Open/closed Status lights MCR C650ED Position HS-4962 1 Open/closed Status lights MCR C650ED HS-4958 1 Open/closed Status lights MCR C650ED HS*5054A 1 Open/closed Status lights MCR C650ED HS-5053A 1 Open/closed Status lights MCR C650ED HS-5031 1 Open/closed Status lights MCR C650ED HS-4652 1 Open/closed Status lights MCR C650DC HS-4679 1 Open/closed Status lights MCR C650DC HS-4680 1 Open/closed Status lights MCR C650DC HS-4681 1 Open/closed Status lights MCR C650DC KS-0643A (22) 1 Open/closed Status lights local C912 HS*0643B (22) 1 Open/closed Status lights local C912 HS-4804 1 Open/closed Status lights MCR C650BB HS-49558 1 Open/closed Status lights MCR C650ED HS-49838 1 Open/closed Status lights MCR C650ED HS-4957 1 Open/closed Status lights MCR C650ED HS-4981 1 Open/closed Status lights MCR C650EO HS-50198 1 Open/closed Status lights MCR C650ED HS-49848 1 Open/closed Status lights MCR C650ED HS-4974 1 Open/closed Status lights MCR C650ED KS-0730A (22) 1 Open/closed Status lights local C912 HS-07308 (22) 1 Open/closed Status lights local C912 HS-5018 1 Open/closed Status lights MCR C650ED HS-4953 1 Open/closed Status lights MCR C650ED Hs*4955A 1 Open/closed Status lights MCR C650ED HS*4983A 1 Open/closed status lights MCR C650ED HS-5019A 1 Open/closed status lights MCR C650ED HS-4984A 1 Open/closed Status lights MCR C650EO HS*0731A (22> 1 Open/closed Status lights Local C912 HS-07318 (22) l Open/closed status lights Local C912 HS*8903A (22) 1 Open/closed Status lights Local C912 KS-89038 (22) 1 Open/closed Status lights local C912 HS-4966A 1 Open/closed status lights MCR C650ED HS*5022A 1 Open/closed Status lights MCR C650EO HS-49668 1 Open/closed status lights MCR C650ED HS-50228 1 Open/closed status lights MCR C650EO HS-0728A (22) 1 Open/closed Status lights Local C912 HS-07288 (22) 1 Open/closed Status lights local C912 HS-4803 1 Open/closed status lights MCR C650BB HS-49598 1 Open/closed status lights MCR C650EO HS*49658 1 Open/closed Status lights MCR C650ED KS-5155 1 Open/closed Status lights MCR C650AA HS-5154 1 Open/closed Status lights MCR C650AA 8 of 23 HCGS-UFSAR Revision 8 Septenber 25, 1996 TABLE 7.5-1 (Cont) RG 1.97 Sensor Safety Variable Displayed Location Related Power Parameter Tag Nl.Uber Drawing Channel Cornnents 810 Primary Containment zs-4964 P1402*1 A 1E (Cont1d) Isolation Valve ZS-4963 1-P-GS-210 D 1E Position ZS-4962 P1302-1 D 1E ZS-4958 P1802*1 A 1E ZS-5054A 1-P-GS-237 A 1E ZS*5053A P2002*1 c 1E ZS-5031 P2002-1 8 1E ZS-4652 P1901-1 A 1E ZS-4679 P1901*1 8 1E ZS-4680 P1501-1 A 1E ZS-4681 P1501-1 8 1E zs-0643A O*P*RC-201 UPS Valve 100% closed ZS-06438 0-P-RC-201 UPS available on MCR CRT ZS-4804 1*P*8J-224 A 1E ZS-49558 J2006-1 8 1E ZS-49838 J2006-1 D 1E ZS-4957 1 *P-SK-203 A 1E ZS-4981 1-P-SK-203 D 1E ZS-50198 J2006-1 8 1E ZS-49848 J2006*1 0 1E ZS-4974 1-P-GS-205 0 1E ZS-0730A 1-P-RC-203 UPS Valve 100% closed ZS-07308 1-P-RC-203 UPS available on MCR CRT ZS-5018 1-P-SK-202 A 1E ZS-4953 1-P-SIC-202 D 1E ZS-4955A 1-P-GS-220 A 1E ZS-4983A 1-P-GS-220 c 1E ZS-5019A 1-P-GS-221 A 1E ZS*4984A 1-P-GS-221 c 1E ZS*0731A 1-P-RC-204 UPS Valve 100% closed zs-07318 1-P-RC-204 UPS available on MCR CRT zs-8903A 1-P-RC-207 UPS zs-89038 1-P-RC-207 UPS ZS*4966A 1-P*GS-0202 A 1E ZS*5022A 1-P-GS-202 c 1E ZS-49668 1-P-GS-204 8 1E ZS-50228 1*P*GS-204 0 1E ZS*07Z8A 0-P-RC-201 UPS Valve 100% closed ZS-07288 O*P*RC-201 UPS available on MCR CRT ZS-4803 1-P-JB-223 A 1E ZS-49598 1-P-GS-201 8 1E ZS-49658 1-P-GS-201 0 1E ZS-5155 J2102-1 A 1E ZS-5154 J2102-1 D 1E Sa of 23 HCGS*UFSAR Rev;sion 8 Septenber 25, 1996 RG 1.97 Variable Type 810 (Cont'd) Displayed Parameter Primary Containment Valve Position Cl Radioactivity Con-centration or Radi-ation Level in Circulating Primary Coolant C2 Analysis of Primary Coolant (Gamma Spectrum) C3 Core Thermocouples C4 RCS Pressure C5 Primary Containment Area Radiation C6 Drywell Equipment Drain Sump Level )rywell Floor Drain Sump Level C7 Suppression Pool Water Level C8 Drywell Pressure C9 Pressure HCGS-UFSAR Instrument RG l. 97 Tag Design Number Categ_orr(l) HS-4959A HS-4965A HS-11541 HS-4865 HS-4866 HS-0707A (22) HS-07078 (22) HS-0729A (22) HS-07298 {22} HS-f032A HS-f032B 3 3 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Accuracy Type of Provided Percent Display Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights 9 of 23 Dis.ela:t: Area MCR MCR MCR MCR MCR Local Local Local Local MCR MCR Location Panel(2) C650ED C650ED C650ED C650CH C650CH C912 C912 C912 C912 C651BA C651BA Revision 12 May 3, 2002 RG 1.97 Variable Displayed Parameter 810 Primary Containment (Cont'dJ Isolation Valve Position Cl Radioactivity Con-centration or Radi-ation Level in Circulating Primary Coolant of Primary (Gamma Spectrum} C3 Thermocouples C4 RCS C6 Floor Drain Water Level Dryivell Pressure HCGS-TJFSAR Tag Number ZS-4959A ZS-4965A ZS-11541 ZS-4865 ZS-4866 ZS-0707A ZS-07078 ZS-0729A ZS-07298 ZS-f032A ZS-f032B Sensor Location Dra*.ving 1-P-GS-203 1-P-GS-203 1-P-GS-04 1-P-BJ-213 1-P-BJ-213 1-P-RC-202 l-P-RC-202 1-P-RC-202 1-P-RC-202 P1403-1 Pl403-l TABLE 7.5-1 (Cant} Safety Related Channel A c D c A B Power lE lE lE lE .i.E UPS UPS lE :E Comments Valve 100% closed available MCR CRT I RG 1. 97 Variable TYEe ClO Cll C12 C13 C14 Cl5 D1 D2 D3 D4 D5 Displayed Parameter Primary Containment Pressure Containment and Drywell Hydrogen Concentration Containment and Drywell Oxygen Concentration Containment Effluent Radioactivity Noble Gases Radiation Exposure Rate Effluent Radioactivity Noble Gases Main Feedwater Condensate Storage Tank Level Suppression Chamber Spray Flow Drywell pressure Suppression Pool Water Level HCGS-UFSAR Instrument FR-R607-C32 LR-2043 FI-4461A FI-4461B RG 1.97 Design Category(l) 1 1 1 3 2 3 3 2 2 2 2 TABLE 7.5-1 DISPLA.YED PARAMETERS IMPORTANT TO SAFETY Indicating 0 to 20 x 106 LBS/HR 0 to 54 x 104 GAL 0 to 1000 GPM 0 to 1000 GPM 10 of 23 Accuracy Percent +/-0.5 +/-0.5 +/-0.5 +/-0.5 Type of Display Pen Recorder Pen Recorder Indicator Indicator MCR MCR MCR MCR C650CC C650AD C650CH C650CH Revision 17 June 23, 2009 I RG 1.97 Sensor Variable Displayed Parameter ua Nl.l'llber C10 Primary Containment Pressure C11 Contairment and Drywell Hydrogen Concentration C12 Containment and Drywelt Oxygen concentration C13 Containment Effluent Radioactivity -Noble Gases C14 Radiation LExposure Rate C15 Effluent Radioactivity -Noble Gases 01 Main Feedwater PDT*N002A*C32 PDT*N002B-C32 Other Main Feedwater FT-N011A-C32 Flow FT-N011B*C32 FT*N011C-C32 D2 Condensate Storage LT-2043 Tank Level 03 suppression Chamber FT-4461A Spray Flow FT-44618 04 0 rywe ll pressure 05 suppression Pool Water Level HCGS*UFSAR TABLE 7.5-1 (Cont) Safety Location Related Power Drawing Channel J1005-1 UPS J1005-1 UPS J1105-1 UPS J1005-1 UPS J1005-1 UPS J1602-1 UPS J1802-1 A 1E J1602-1 8 1E 10a of 23 C0111llents Refer to A6 Refer to A1 Refer to A1 Filtration, recirculation and ventilation system vent, Refer to Table 11.5*1 Not irrplemented -See Section 1.8.1.97.3.3 North Plant Vent and South Plant vent, Refer to Table 11.5-1 Total feedwater flow Reactor feedpump AP101 Reactor feedpump BP101 Reactor feedpump CP101 Refer to A6 Refer to AS Revtsion 8 Septent>er 25, 1996 RG 1. 97 .:nstrument RG 1. 97 Var:iable Displayed Tag Design T:n2e Parameter Number Cate9:or::t:(l} 06 Suppression Pool Water Temperature 07 Drywell Atmosphere TR-4967A2 2 Temper:ature TR-496782 2 Other Suppression Chamber TR-4967Al Atmosphere Temperature TR-496781 DB Drywel.l Spray FI-4462A 2 flow r:::-44628 010 Primary System ZIL-52C3 Safety Relief ZIL-5204 L Valve Position, ZIL-5205 Including ADS ZIL-5206 2 (11) ZIL-5207 2 Zil-5208 2 ZIL-5209 ZIL-5210 ZIL-5211 ZIL-521.2 ZIL-5213 2 ZIL-5214 L ZIL-5215 2 ZIL-5216 2 Dl3 RC:C t:'low FTC-R600-E51 Dl4 HPCI flow FIC-R60C-E41 HCGS-UFSAR TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Accuracy Type of Provided Percent DisElay 0 to 500f +/-0.5 Pen Recorder 0 to 5G0°F +/-0.5 Pen Recorder 0 to 500°F +/-0.5 Pen Recorder 0 to 500'T +0.5 Pen Recorder 0 to 12,000 GPM +/-0.5 Indicator to 2_2,COC GPP. +/-0.5 Indicator Open/closed S':atus lights Open/clcsed Status lights Open/closed lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status .i. ights Open/c2_osed Status :;_ights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights 0 to 700 GPM +/-1. 0 Indicator/ .-, 0 60 X 10 GPM +/-l.D Indicator/ Controller ll of 23 DiSJ2la:t: Location Area Panel(2J MCR C650ED MCR C650ED MCR C650ED MCR C650ED MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650CH MCR C650BA MCR C650BB Revision 12 May 3, 2002 RG 1. 97 Sensor Variable Displayed Parameter Tag Number D6 S;;ppression Pool Water Temperature D7 Drywell Atmosphere TE-4967A2 Temperature TE-496782 Other Suppers sian Chamber TE-4 967Al Atmosphere Temperature TE-496781 D8 Drywell Spray FT-4462A Flow FT-44628 DlO Primary System XE-4507A Safety Relief XE-45078 Valve Position, XE-4507C Ir.cluding ADS XE-45070 (! 1) XE-4S07E XE-4507F XE-4507G XE-4507H XE-4507J XE-4507K XE-4S07L XE-4507M XE-4507P XE:-4507R D13 RCIC Flow F':'-N003-E51 Dl4 EP:C Flo*., :T-NO::J8-E4l HCGS-UFSAR TABLE 7.5-1 Safety Location Related Drawing Channel Jl705-l A D Jl802-1 A n6o2-l D Jl803-1 A Jl602-1 B Jl705-l Jl705-l J1705-l Jl705-l J:i.705-l Jl705-1 Jl705-l Jl705-l Jl705-l ,Jl705-l Jl705-1 Jl705-l Jl705-1 Jl705-l J2201-l 8 J24J:.-::. A lla of 23 {Cont) Power lE 1E IE lE lE lE UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS lE !E Comments Refer to A4 PSV-F013A-B21 {ADS) PSV-F013B-B21 {ADS) PSV-FO l3C-B21 \ADSJ PSV-F013D-B21 (ADS) PSV-F013E-B21 (ADS) PSV-FO l3 F -821 PSV-F013G-B21 PSV-F013H-B21 PSV-F013J-B2l PSV-F013K-B21 PSV-F013L-B21 PSV-F013M-B21 PSV-F013P-B21 PSV-fOlJR-821 Revision 12 May 3, 2002 RG 1.97 Variable Type DlS D16 Other D17 D18 D19 D20 021 Other 022 Other Displayed Parameter Core Spray System Flow LPCI System FlOW LPCI System Flow SLCS Pump Discharge Pressure (19t SLCS Storage Tank Level RHR System Flow RHR Heat Exchanger Outlet Temperature cooling Water Tem-perature to ESF Components Cooling Water Temperature to ESP System Components Cooling Water Flow to ESF System Components SACS Cooling Water Flow to RHR Heat Exchanger HCGS-UFSAR Instrument Tag Number FI-R601A-E2l FI-R601B-E21 FI-R603A-Ell FI-R603B-Bll FI-R603C-Bll FI-R60lD-Ell FR-R608A-Ell FR-R6088-Bll PI-R600A-C41 PI-R6008-C41 TR-R605-BU TI-2535A TI-25358 A2894 A2895 FI-2549Al FI-254981 FI-25llA FI-25118 RG 1.97 Design Cateqory(1) 2 2 2 2 2 2 3 3 2 2 2 2 2 2 2 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Provided 0 to 10 X 101 GPM 0 to 10 X 105 GPM o to 12 x 10' GPM 0 to 12 X 101 GPM 0 to 12 X 101 GPM 0 to 12 X 101 GPM 0 to 12 X 101 GPM 0 to 12 x 10' GPM 0 to 12 X lOa GPM 0 to 12 X 101 GPM 0 to 2000 PSIG 0 to 2000 PSIG 0 to sooo GAL 32 to JSO"F o to 120"P 0 to l20"P 12 to 95"F 32 to gs*p 0 tO 30 X 10' GPM 0 to 30 X 103 GPM 0 to 120 X 10' GPM 0 to 120 x 10' GPM 12 of 23 Accuracy Percent :tO.S :tO.S :tO.S +/-0.5 tO.S :tO.S tO.S tO.S tO.S :tO.S tl.O tl.O :tl.O :tO.S :tO.S :tO.S tl.O +/-1.0 :tO.S :tO.S :tO.S tO.S Type of Display Indicator Indicator Indicator Indicator Indicator Indicator Pen Recorder Pen Recorder Pen Recorder Pen Recorder Indicator Indicator Indicator Multi-point Recorder Indicator Indicator CRT CRT Indicator Indicator Indicator Indicator Display Location Area Panel (2) MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR C6SOBC C650CA C650AE C650AF C650AE C650AF C6SOAE C650AB C650AF C650AF C651CC C651CC C651CC C650BB C650CH C650CH various Various C650CH C650CH C650AB C650AF I Revision 11 November 24, 2000 RG 1.97 Sensor Variable Displayed Parameter Tag Numer D15 core Spray FT*N003A*E21 system Flow FT*N0038-E21 D16 LPCI System FT *N015A*E11 Flow FT*N0158-E11 FT-N015C-E11 FT-N015D-E11 Other LPCI System FT-N015A-E11 Flow FT-N015C*E11 FT*N0158*E11 FT-N0150-E11 D17 SLCS Dis-PT-N004A-C41 charge Pressure(19) PT*N0048*C41 D18 SLCS Storage LT*N012-C41 Tank Level 019 RHR System Flow 020 RHR Heat Exchanger TE*N027A-E11 Outlet Temperature TE*N027B-E11 D21 Cooling Water Tern* TE-2535A perature to ESF TE-25358 Coq>anents Other cooling Water TE-2445A to TE-24458 ESF System Cooponents 022 Cooling Water Flow FT*2549A1 to ESF System FT *254981 COI'J'4)0nents Other SACS Cootling Water FT-2511A Flow to RHR FT-25118 Heat Exchanger HCGS*UFSAR TABLE 7.5*1 (Cont) Safety Location Related Power Drawing Channel J1501*1 A 1E J1301*1 B 1E J2102*1 A 1E J1902-1 8 1E J2101-1 C(12) 1E J2201-1 D(12) 1E J2102-1 A 1E J2101*1 C(12) 1E J1902-1 8 1E J2201-1 D(12) 1E J1905-1 A 1E J1905-1 B 1E J2206-1 UPS J2102-1 UPS J1902-1 UPS J2303*1 A 1E J2303*1 B 1E J2303-1 UPS J2303-1 UPS J2403-1 A 1E J2203-1 B 1E J2302*1 A 1E J2302*1 8 1E 12a of 23 COfl1'nents Refer to 016 SACS Loop A HX Outlet SACS Loop 8 HX Outlet SACS loop A (TE*2445A) and Loop B (TE-24458) PI.Jll) Discharge Teftlltrature SACS loop A SACS loop 8 Rev1s1on 8 Septemer 25, 1996 RG 1.97 Instrllllent RG 1.97 Variable Displayed Tag Design Parameter Nl.lllber Catesorl,1l 023 High Radioactivity LR-R008 3 liquid Tank Level LR-R024 3 024 Emergency Ventilation HS-9414A 2 Daq>er Position HS-94148 2 HS-9370A 2 HS-93708 2 HS-9372A 2 HS-9372C 2 HS-9593A 2 HS-95938 2 HS-9598A 2 HS-95988 2 025 Status of Standby Pl-7603A 2 Power and Other PI-76038 2 Energy Sources In.,ortant to A3460 2 Safety (Hydraulic, A3461 2 Pneumatic) HCGS-UFSAR TABLE 7.5-1 DISPlAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Accuracy Type of Provided Percent Display 0 to 100% :t0.5 Pen Recorder 0 to 100% :t0.5 Pen Recorder 0 to 100% :t0.5 Pen Recorder Open/closed Status lights Open/closed Status lights Open/closed status lights Open/closed Status lights Open/closed Status lights Open/closed Status lights Open/closed Status l i ghts Open/closed Status lights Normal/isolated Status lights Normal/isolated Status lights 0 to 150 PSIG :t0.5 Indicator 0 to 150 PSIG tO.S Indicator 0 to 150 PSIG :t1.0 CRT 0 to 150 PSIG t1.0 CRT 13 of 23 Location Area Panel,2} LOCAL 10C300 LOCAL 10C300 LOCAL 10C300 MCR C651EG MCR C651EG MCR C651EG MCR C651EG MCR C651EG MCR C651EG MCR C651EG MCR C651EE MCR C651EE MCR C651EE MCR C650AS MCR C650AS HCR Various HCR Various Revision 8 September 25, 1996 RG 1.97 Sensor Variable Displayed Location Parameter Tag Nl.llber Drawing D23 High Radioactivity LT-N026A J7301-0 Liquid Tank Level LT*N0268 J7301-0 lT-N032 J3101-0 024 Emergency Ventilation ZS-9414A P9147-1 Oafl1ler Position ZS-94148 P9147-1 ZS-9370A P9147-1 ZS-93708 P9147-1 ZS-9372A P9185-1 ZS-9372C P9135-1 ZS*9593A P9256-1 ZS-95938 P9266-1 ZS-9588AA P9256-1 ZS-9588BA P9266-1 ZS-9598A P9256-1 ZS-9588AB P9256-1 ZS-958888 P9266-1 ZS-95988 P9256-1 025 Status of Standby PT-7603A J0904-1 Power and Other PT-76038 J0904-1 Energy Sources Jrrportant to PT-5175A J1404-1 Safety (Hydraulic, PT-51758 J1404*1 Pneumatic HCGS-UFSAR TABLE 7.5-1 (Cont) Safety Related Power Channel Offsite Power c 1E 0 1E c 1E D 1E A 1E A 1E c 1E 0 1E c 1E c 1E c 1E D 1E 0 1E 0 1E UPS UPS UPS UPS t3a of 23 Connents Waste Collector Tank A Waste Collector Tank 8 Waste Surge Tank (Tank Levels are available on MCR CRT) Instrument Air Supply Pressure Primary Containment Instrument Gas System Supply Pressure Revision 8 September 25, 1996 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1.97 InstrlJ'nent RG 1.97 Indicating Variable Displayed Tag Design Range Accuracy Type of Location Parameter yunber Provided Percent Display lli! Paneli2! D25 Status of Standby VI*6372A 2 0 to 150 volts tO.S Indicator MCR C6500E (Cont'd) Power and Other AI-6373A 2 0 to 300 tO.S Indicator MCR C650DE Sources Important Vl-63728 2 0 to 150 volts tO.S Indicator MCR C650DE to Safety (Hydraut;c, Al-63738 2 0 to 300 anps tO.S Indicator MCR C6500E PnellnBtic) VI-6372C 2 0 to 150 volts tO.S Indicator MCR C6500E AI*6373C 2 0 to 300 anps tO.S Indicator MCR C650DE VI*6372D 2 0 to 150 volts tO.S Indicator MCR C650DE AI-63730 2 0 to 300 anps tO.S Indicator MCR C650DE VI *6371A 2 0 to 150 volts tO.S Indicator MCR C650DE AI*6370A 2 0 to 300 tO.S Indicator MCR C650DE VJ-63718 2 0 to 150 volts t0.5 Indicator MCR C650DE AI-63708 2 0 tO 300 BqlS tO.S Indicator MCR C650DE VI-6371C 2 0 to 150 volts t0.5 Indicator MCR C650DE AI*6370C 2 0 to 300 aqlS t0.5 Indicator MCR C650DE VI -63710 2 0 to 150 volts tO.S Indicator MCR C650DE AI*6370D 2 0 to 300 anps tO.S Indicator MCR C650DE VI*6374C 2 0 to 150 volts tO.S Indicator MCR C650DE AI*6375C 2 0 to 300 t0.5 Indicator MCR C650DE VI *63740 2 0 to 150 volts tO.S Indicator MCR C650DE AI-63750 2 0 to 300 aRPS t0.5 Indicator MCR C650DE VI-6401A 2 0 to 150 volts tO.S Indicator MCR C650DE AI -6429A 2 *1000 to 1000 aqlS tO.S Indicator MCR C650DE VJ-64018 2 0 to 150 volts t0.5 Indicator MCR C650DE AI-64298 2 *1000 to 1000 amps t0.5 Indicator MCR C650DE VI *6401C 2 0 to 150 volts !0.5 Indicator MCR C650DE AI *6429C 2 *1000 to 1000 amps tO.S Indicator MCR C650DE VI-64010 2 0 to 150 volts t0.5 Indicator MCR C650DE AI-64290 2 *1000 to 1000 amps tO.S Indicator MCR C650DE VI-6376C 2 0 to 150 volts tO.S Indicator MCR C650DE AI-6377C 2 -1000 to 1000 amps tO.S Indicator MCR C650DE VI *63760 2 0 to 150 volts t0.5 Indicator MCR C650DE AI-63770 2 *1000 to 1000 amps tO.S Indicator MCR C650DE AI *6466 2 *10 to 10 rna :1:0.5 Indicator HCR C650DE AI-6467 2 -10 to 10 rna t0.5 Indicator MCR C650DE Al-6468 2 *10 to 10 rna t0.5 Indicator MCR C650DE AI-6469 2 *10 to 10 rna t0.5 Indicator MCR C650DE Vl-6385 2 0 to 300 volts tO.S Indicator MCR C650DE AI-6386 2 0 to 75 aqJS :tO.S Indicator MCR C650DE Vl-6380 2 0 to 300 volts tO.S Indicator MCR C650DE AI-6381 2 0 to 75 arrps tO.S Indicator MCR C6500E VI -6404 2 0 to 300 volts tO.S Indicator MCR C650DE Al-6430 2 -1000 to 1000 amps t0.5 Indicator MCR C650DE VI-6382 2 0 to 300 volts tO.S Indicator MCR C650DE AI -6431 2 -300 to 300 amps t0.5 Indicator MCR C650DE 14 of 23 HCGS*UFSAR Revision 8 Septeniler 25, 1996 RG 1.97 Sensor Variable Displayed location 1m! Parameter Iag Nlfiber Drawing D25 Status of Standby VT-6372A E-3999 Power and Other AT*6373A E-3999 Sources Important VT-6372B E-3999 to Safety (Hydraulic, AT*6373B E-3999 Pne\ID&tic) VT-6372C E-3999 AT-6373C E-3999 VT-6372D E-3999 AT*6373D E-3999 VT*6371A E-3999 AT*6370A E-3999 VT-6371B E-3999 AT-6370B E-3999 VT*6371C E-3999 AT-6370C E-3999 VT-63710 E-3999 AT-63700 E-3999 VT-6374C E-3999 AT*637SC E-3999 VT-63740 E-3999 AT-63750 E-3999 VT-6401A E-3999 AT-6429A E-3999 VT-6401B E-3999 AT-6429B E-3999 VT-6401C E-3999 AT-6429C E-3999 VT-64010 E-3999 AT-64290 E-3999 VT-6376C E-3999 AT-63ITC E-3999 VT-63760 E-3999 AT-63770 E-3999 AT-6466 E-3999 AT-6467 E-3999 AT-6468 E-3999 AT-6469 E-3999 VT-6385 E-3999 AT-6386 E-3999 VT-6380 E-3999 AT-6381 E-3999 VT-6404 E-3999 AT-6430 E-3999 VT-6382 E-3999 AT-6431 E-3999 HCGS-UFSAR TABLE 7.5-1 (Cont) Safety Related Power Channel A 1E A 1E B 1E B tE c 1E c 1E D 1E D 1E A 1E A 1E B 1E B 1E c 1E c 1E D 1E 0 1E c 1E c 1E 0 1E 0 1E A 1E A 1E B 1E B 1E c 1E c 1E 0 1E 0 1E c 1E c 1E D 1E 0 1E A 1E B 1E c 1E 0 1E A 1E A 1E B 1E B 1E A 1E A 1E B 1E B 1E 14a of 23 Conments 125V de Battery Charger 1AD413 125V de Battery Charger 1A0413 125V de Battery Charger 1B0413 125V de Battery Charger 1B0413 125V de Battery Charger 1C0413 12SV de Battery Charger 1C0413 125V de Battery Charger 1DD413 125V de Battery Charger 1DD413 125V de Battery Charger 1A0414 125V de Battery Charger 1A0414 125V de Battery Charger 1B0414 125V de Battery Charger 1B0414 125V de Battery Charger 1C0414 125V de Battery Charger 1C0414 125V de Battery Charger 1DD414 125V de Battery Charger 100414 t25V de Battery Charger 1C0444 125V de Battery Charger 1C0444 12SV de Battery Charger 100444 12SV de Battery Charger 100444 125V de Switchgear Bus 100410 125V de Switchgear Bus 100410 125V de Switchgear Bus 100420 125V de Switchgear Bus 100420 12SV de Switchgear Bus 100430 125V de Switchgear Bus 10043000430 125V de Switchgear Bus 10044000440 125V de Switchgear Bus 10044000440 125V de Switchgear Bus 10043600436 125V de Switchgear Bus 10043600436 125V de Switchgear Bus 10044600446 125V de Switchgear Bus 10044600446 125V de Oistr Pnl 1A0417 gnd detd det 125V de Oistr Pnl 180417 gnd detd det 125V de Oistr Pnl 1C0417 gnd detd det 125V de Distr Pnl 100417 gnd detd det 250V de Battery Charger 10042300423 250V de Battery Charger 10042300423 250V de Battery Charger 10043300433 250V de Battery Charger 10043300433 250V de Switchgear Bus 10045000450 250V de Switchgear Bus 10045000450 250V de Switchgear Bus 10046000460 250V de Switchgear Bus 10046000460 Revision 8 September 25, 1996 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY RG 1.97 RG 1.97 Indicating Variable Displayed Tag Design Range Accuracy Type of DisQLax Location Parameter NlJilber Provided Percent Area Panel 025 Status of Standby AI *6470 2 -10 to 10 ma :t:O.S Indicator MCR C650DE (Cont1d)Power and Other Al-6471 2 -10 to 10 ma :t:O.S Indicator MCR C650DE Sources Important VI-6388A 2 0 to 150 volts :t:O.S Indicator MCR C650DE to safety (Hydraulic, VI *6389A 2 0 to 150 volts :t:O.S Indicator MCR C650DE Pneunatic) AI*6405A 2 0 to 400 aq>s :t:0.5 Indicator MCR C650DE VI-63888 2 0 to 150 volts :t:O.S Indicator MCR C650DE VI-63898 2 0 to 150 volts :t:O.S Indicator MCR C650DE AI -64058 2 0 to 400 aq>s :t:O.S Indicator MCR C650DE VI-6388C 2 0 to 150 volts :t:O.S Indicator MCR C650DE VI*6389C 2 0 to 150 volts :t:O.S Indicator MCR C650DE AI-6405C 2 0 to 400 aq>s :t:O.S Indicator MCR C650DE VI-63880 2 0 to 150 volts :t:O.S Indicator MCR C650DE Vl-63890 2 0 to 150 volts :t:O.S Indicator MCR C650DE AI-64050 2 0 to 400 an.,s :t:O.S Indicator MCR C650DE VI-6463A 2 0 to 150 volts :t:O.S Indicator MCR C6463A VI*6464A 2 0 to 150 volts :t:O.S Indicator MCR C650DE AI*6465A 2 0 to 400 an.,s :t:O.S Indicator MCR C650DE VI-64638 2 0 to 150 volts :t:O.S Indicator MCR C650DE Vl-64648 2 0 to 150 volts :t:O.S Indicator MCR C650DE Al-64658 2 0 to 400 aq>s :t:O.S Indicator MCR C6500E VI-6463C 2 0 to 150 volts :t:O.S Indicator MCR C650DE VI*6464C 2 0 to 150 volts :t:O.S Indicator MCR C650DE AJ-6465C 2 0 to 400 aq>s :t:O.S Indicator MCR C650DE Vl-64630 2 0 to 150 volts :t:O.S Indicator MCR C650DE VJ-64640 2 0 to 150 volts :t:0.5 Indicator MCR C650DE Al-64650 2 0 to 400 an.,s :t:0.5 Indicator MCR C650DE AI-635281 2 0 to 1000 aq>s :t:O.S Indicator MCR C651E8 VJ-6353 2 0 to 5250 volts :t:O.S Indicator MCR C651E8 Al-6355A 2 0 to 200 a""s t0.5 Indicator MCR C651E8 AI-6352A1 2 0 to 1000 an.,s :t:O.S Indicator MCR C651E8 AI*6360A 2 0 to 200 aq>s :t:0.5 Indicator MCR C651EB Al-635284 2 0 to 1000 amps :t:O.S Indicator MCR C651E8 Vl-6367 2 0 to 5250 volts :t:0.5 Indicator MCR C651E8 AI-63558 2 0 to 200 amps f0.5 Indicator MCR C651EB AI-6352A4 2 0 to 1000 aqJS :t:O.S Indicator MCR C651EB AI-63608 2 0 to 200 aq>s 1:0.5 Indicator MCR C651E8 Al-635282 2 0 to 1000 arrps :t:O.S Indicator MCR C651EB Vl-6363 2 0 to 5250 volts :t:O.S Indicator HCR C651E8 AI *6355C 2 0 to 200 aq>s :t:O.S Indicator MCR C651E8 AI-6352A2 2 0 to 1000 amps :t:0.5 Indicator HCR C651EB Al*6360C 2 0 to 200 aq>s :t:O.S Indicator MCR C651E8 AI*6352B3 2 0 to 1000 arrps :t:O.S Indicator MCR C651E8 VI-6365 2 0 to 5250 volts f0.5 Indicator MCR C651EB AI -63550 2 0 to 200 aq>s :t:O.S Indicator MCR C651EB 15 of 23 HCGS*UFSAR Revision 8 Septetrb!r 25, 1996 TABLE 7.5-1 (Cont) RG 1.97 Sensor Safety Variable Displayed Location Related Power Parameter Tag NU'Iber Drawing Channel C011111ents 025 Status of Standby AT-6470 E*3999 A 1E 250V de MCC 100251 gnd det Power and Other AT-6471 E-3999 B 1E 250V de MCC 100261 gnd det Sources Important VT*6388A E-3999 A 1E Inverter 1AD481 de input to Safety (Hydraulic, VT*6389A E-3999 A 1E Inverter 1A0481 ac output Pneunatic) AT-6405A E-3999 A 1E Inverter 1A0481 output VT-63888 E*3999 8 1E Inverter 180481 de input VT-63898 E-3999 8 1E Inverter 180481 ac output AT-64058 E*3999 8 1E Inverter 180481 output VT-6388C E*3999 c 1E Inverter 1C0481 de input VT*6389C E-3999 c 1E Inverter 1C0481 ac output AT*6405C E-3999 c 1E Inverter 1C0481 output VT-63880 E-3999 0 1E Inverter 100481 de input VT-63890 E-3999 0 1E Inverter 100481 ac output AT-64050 E-3999 0 1E Inverter 100481 output VT*6463A E-3999 A 1E Inverter 1AD482 de input VT*6464A E*3999 A 1E Inverter 1A0482 ac output AT*6465A E-3999 A 1E Inverter 1A0482 output VT-64638 E-3999 B 1E Inverter 180482 de input VT-64648 E-3999 B 1E Inverter 180482 ac output AT-64658 E-3999 8 1E Inverter 180482 output VT*6463C E-3999 c 1E Inverter 1CD482 de input VT-6464C E-3999 c 1E Inverter 1C0482 ac output AT*6465C E*3999 c 1E Inverter 1CD482 output AT-64630 E-3999 D 1E Inverter 100482 de input VT-64640 E-3999 0 1E Inverter 100482 ac output AT-64650 E-3999 0 1E Inverter 100482 output AT-635281 E-3999 A 1E Xfmr 1BX501 feeder VT-6353 E-3999 A 1E 4.16KV Swgr 10A401 Bus AT-6355A E-3999 A 1E Xfmr 1AX401 feeder AT*6352A1 E-3999 A 1E Xfmr 1AX501 feeder AT-6360A E*3999 A 1E Xfmr 1AX400 feeder AT-635284 E-3999 B 1E Xfmr 18X501 feeder VT-6367 E-3999 8 1E 4.16KV Swgr 10A402 Bus AT-63558 E-3999 B 1E Xfmr 1BX401 feeder AT*6352A4 E-3999 8 1E Xfmr 1AX501 feeder AT-63608 E-3999 8 1E Xfmr 1BX400 feeder AT-635282 E-3999 c 1E Xfmr 1BX501 feeder VT-6363 E-3999 c 1E 4.16KV Swgr 10A403 Sus AT*6355C E-3999 c 1E Xfmr 1CX401 feeder AT-6352A2 E-3999 c 1E Xfmr 1AX501 feeder AT-6360C E-3999 c 1E Xfmr 1CX400 feeder AT-635283 E-3999 0 1E Xfmr 1BX501 feeder VT-6365 E-3999 0 1E 4.16KV Swgr 10A404 Bus AT-63550 E-3999 0 1E Xfmr 10X401 feeder 15a of 23 HCGS*UFSAR Revision 8 Septen'Der 25, 1996
  • RG 1.97 Instrument RG 1..97 Variable Displayed Tag Design T::t:E:e Parameter Number Category(!) D25 Status of Standby 2 (Cont'dl Power and Other AI-6360:0 2 Sources Important VI-6392A 2 Safety {Hydraulic, AI-6396A 2 Pneumatic) VI-6392B 2 AI-6396B 2 Vl-6392C 2 AI-6396C 2 VI-63920 2 AI-6396:0 2 D26 Turbin,e Bypass 650-CRTl., 651-CRTl 3 Valve Position 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 650-CRTl, 651-CRTl 3 027 Condenser LIC-1657-1 3 Level LIC-1657-2 3 D28 Vacuum PR-1664A 3 PR-1664B 3 PR-1664C 3 D29 Condenser Cooling A2698 (13) 3 Water Flow A2704 {14} 3 A2701 {13) 3 A2707 (14) 3 HCGS-UFSAR
  • TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Accuracy Type of Provided Percent Display 0 to 1000 amps +/-0.5 Indicator 0 to 200 amps +/-0.5 Indicator 0 to 5250 volts +/-0-5 Indicator 0 to 1000 amps +/-0.5 Indicator 0 to 5250 volts +/-0.5 Indicator 0 to 1000 +/-0.5 Indicator 0 to 5250 +/-0.5 Indicator 0 to 1000 amps +/-0.5 Indicator 0 to 5250 volts +/-0.5 Indicator 0 to 1000 amps +/-0.5 Indicator 0 to 100% open +/-2-0 LCD 0 to 100\: open +/-2-0 LCD 0 to 100% open +/-2-0 LCD 0 to 100% open +/-2-0 LCD 0 to open +/-2.0 LCD 0 to open +/-2.0 LCD 0 to 100\ open +/-2.0 LCD 0 to 100\ open +/-2 0 LCD 0 to 100% open +/-2 0 LCD 0 to 100\ +/-1.0 Indicator/ Controller 0 to 100\ +/-1.0 Indicator/ Controller 0 to 8 in. Hg ABS +/-0-5 Pen Recorder o to 8 in. Bg ABS +/-0.5 Pen Recorder o to 8 in. Hg ABS +/-0.5 Pen Recorder +/-1.0 CRT (15) +/-1.0 CRT +/-1.0 CRT {15) +/-1.0 CRT 16 of 23 DisElay Location Area MCR MCR MCR MCR .MCR MCR MCR MCR MCR .MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR .MCR MCR MCR MCR Panel(2) C651EB C651EB C651EB C651EB C651EB C651EB C651EB C651EB C651EB C651EB C650EA, C650EA, C650EA, C6SOEA, C650EA, C650EA, C650EA, C650EA, C6SOEA, C651AF C651AF C650AD C650AD C650AD various Various various Various C651DA C65l:OA C651DA C651DA C651DA C651DA C651DA C6S1DA C651DA Revision 14 July 26, 2005
  • RG 1.97 Sensor Variable Displayed Location Parameter !lEI Nlllber Drawing D25 Status of Standby AT*6352A3 E-3999 Power and Other AT-6360D E-3999 Sources Important VT-6392A E-3999 to Safety (Hydraulic, AT-6396A E-3999 Pneunatic) VT-63928 E-3999 AT-63968 E-3999 VT-6392C E-3999 AT-6396C E-3999 VT*6392D E-3999 AT-63960 E-3999 026 Turbine Bypass ZT*1007A J0704*1 Valve Position ZT-10078 J0704-1 ZT-1007C J0704-1 ZT-10070 J0704-1 ZT-1007E J0704-1 ZT*1007F J0704-1 ZT-1007G J0704*1 ZT-1007H J0704-1 ZT*1007J J0704-1 027 Condenser LT-1657A J0701-1 Hotwell Level LT-16578 J0601-1 L T-1657C J0501*1 028 Condenser Vacut.ITI PT*1664A J0705-1 PT-16648 J0605-1 PT-1664C J0605-1 029 Condenser Cooling TE-2106A J0302-1 Water Flow TE*2108A-1 J0302-1 TE-2108A*2 J0302-1 TE-2108A-3 J0302-1 TE-2108A-4 J0302-1 TE*2107A J0302-1 TE*2109A-1 J0302*1 TE-2109A*2 J0302-1 TE*2109A-3 J0302*1 TE*2109A-4 J0302-1 HCGS-UFSAR TABLE 7.5-1 (Cont) Safety Related Power Channel D 1E 0 1E A 1E A 1E B 1E 8 1E c 1E c 1E D 1E D 1E UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS Off site Power UPS UPS UPS UPS UPS UPS UPS UPS UPS UPS 16a of 23 conrnents Xfmr 1AX501 feeder Xfmr 1DX400 feeder Diesel Generator 1AG400 Diesel Generator 1AG400 Diesel Generator 1BG400 Diesel Generator 1BG400 Diesel Generator 1CG400 Diesel Generator 1CG400 Diesel Generator 1DG400 Diesel Generator 1DG400 Location drawing identifies the location of the bypass valves One of the listed LTs inputs to both LICs as selected by HSS-1657 Condenser AE108 Condenser BE108 Condenser CE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Condenser AE108 Revision 8 September 25, 1996 RG 1.97 Variable Displayed Parameter D29 Condenser Cooling (Cont'd) Water Flow 030 Primary Loop Recirculation Other Primary Loop Recirculation E1 Primary Containment Area Radiation-High Range E2 Reactor Building or Secondary Containment Area Radiation E3 Radiation Exposure Rate E4 Noble Gases and Vent Flow Rate HCGS-UFSAR lnstrll'llent Tag Nlllber A2699 (13) A2705 (14) A2702 (13) A2708 (14) A2700 (13) A2706 C14) A2703 {13) A2709 (14) FR-R614 FI-R617 FI*R613 Rl-4825A RI-48258 RG 1.97 Design 3 3 3 3 3 3 3 3 3 3 2 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Indicating Range Provided (15) (15) (15) (15) 3 0 to 55 X 103 GPM 0 to 55 X 10 GPM 3 0 to 55 x 103 GPM 0 to 55 X 10 GPM 7 10° to 107 R/hr 10° to 10 R/hr 17 of 23 Accuracy f!run! t1.0 t1.0 t1.0 t1.0 t1.0 t1.0 t1.0 :t:1.0 t0.5 :t:0.5 :t:0.5 t0.5 t1.0 t1.0 Type of CRT CRT CRT CRT CRT CRT CRT CRT Pen Recorder Pen Recorder Indicator Indicator Digital Indicator Digital Indicator Location !.!:!! MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR MCR Panel,21 Various Various Various Various Various Various Various Various C650CC C650CC C650CC C650CC 10C604 10C604 Revision 8 September 25. 1996 RG 1.97 Variable Displayed Parameter 029 Condenser Cool i ng (Cont1d) Water Flow 030 Primary Loop Recirculation Other Primary loop Reci rcu l at ion E1 Primary Containment Area Radiation
  • High Range E2 Reactor Building or Secondary Containment Area Radiation E3 Radiation Exposure Rate E4 Noble Gases and Vent Flow Rate Sensor Tas Nlllber TE*2106B TE-21088*1 TE-21088*2 TE-21088*3 TE-21088-4 TE-21078 TE-21098-1 TE-21098-2 TE-21098-3 TE-21098-4 TE*2106C TE*2108C-1 TE-2108C-2 TE*2108C-3 TE*2108C-4 TE*2107C TE*2109C-1 TE*2109C*2 TE*2109C-3 TE-2109C*4 FT-N014A*B31 FT-N024A*831 FT*N0140-B31 FT-N0240*B31 RE*4825A RE-48258 TABLE 7.5-1 (Cont) Safety Location Related Power Drawins Channel J0202*1 UPS J0202*1 UPS J0202-1 UPS J0202*1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202*1 UPS J0202-1 UPS J0202*1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J0202-1 UPS J1402-1 R UPS J2002-1 R UPS J1302-1 u UPS J2002-1 u UPS J1701-1 A 1E J1701-1 B 1E 17a of 23 Conments Condenser BE108 Condenser BE108 Condenser BE108 Condenser SE108 Condenser 8E108 Condenser 8E108 Condenser BE108 Condenser 8E108 Condenser BE108 Condenser BE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Condenser CE108 Recirc Loop A Rec;rc Loop B Not implemented -See Section 1.8.1.97.3.3 Refer to Table 11.5*1 Refer to Table 11.5-1 Revtsion 8 September 25, 1996 RG 1. 97 Variable Displayed Parameter E5 Particulates and Halogens E7 Airborne Radiohalogens and Particulates E8 Plant and Environs Radiation E9 Plant and Environs Radioactivity E10 Wind Direction E11 Wind Speed E12 Estimation of Atmospheric Stability E13 Primary coolant and E14 Containment Air HCGS-UFSAR Instrlll'lent Tag NlJI'lber Portable Equipment Portable Equipment Portable Equipment RG 1.97 Design Category<1> 3 3 3 3 3 3 3 3 3 TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY Jnd1cat1ng Range Provided 18 of 23 Accuracy Type of Display Display Location Panel<2> Revision 8 September 25, 1996 RG 1.97 Variable Displayed Parameter ES Particulates and Halogens E7 Airborne Radiohalogens and Particulates E8 Plant and Environs Radiation E9 Plant and Environs Radioactivity E10 Wind Direction E11 Wind Speed E12 Estimation of Atmospheric StabiLity E13 Primary Coolant and Slfl1' E14 Contairment Air HCGS-UFSAR Sensor location Tag Nllnber Drawing TABLE 7.5*1 (Cont) 18a of 23 Safety Related Channel Power Conments Refer to Table 11.5-1 Refer to Table 2.3-29 Refer to Table 2.3-29 Refer to Table 2.3-29 Refer to Table 9.3-3 -primary coolant only Refer to Table 9.3-3 Revision 8 September 25, 1996 Displayed Tag Parameter Nt..rrber NSSS/ESF Systems Bypassed (out of service) Indication XAL*DS76-E11 XAL-DS86*E11 XAL-DS62-E51 XAL*DS74-E51 XAL-DS35-E21 XAL-DS42-E21 XAl-DS20-E21 XAL-DS27-E21 XAL-DSSO*B21 XAL*DS55-B21 XAL-DS16A-C71 XAL-OS16B*C71 XAL-0046A XAL-0046B XAL-DS2A*B21 XAL-DS20-B21 ESF/EAS System HS-7945A Bypassed Indication HS-79458 (BOP) KS-7945C HS-79450 HS*7946A HS-79468 HS*7947A HS-79478 HS*7948A HS-79488 HCGS-UFSAR TABLE DISPLAYED PARAMETERS IMPORTANT TO SAFETY -Indication Type of Provided out of service Status light Out of Service Status light Out of service Status light Out of service Status light Out of Service Status light Out of Service Status light Out of Service Status light Out of Service Status light Out of service Status light Out of Service Status light Out of service Status light Out of Service Status light out of service Status light Out of service Status light Out of service Status light Out of Service Status light Out of Service Status light Out of service Status light Out of service Status light Out of service Status light Manual Bypass/Off Status light Manual Bypass/Off Status tight Manual Bypass/Off Status light Manual Bypass/Off Status light Manual Bypass/Off Status light Manuat Bypass/Off Status light Manual Bypass/Off Status Ught Manual Bypass/Off Status light Manual Bypass/Off Status light Manual Bypass/Off Status light 19 of 23 BYPASSED AND INOPERABLE STATUS Location Area Panel<2) MCR C650AE MCR C650AF MCR C650AF MCR C650AF MCR C650BA MCR C650BA MCR C650BB MCR C650BB MCR C650BC MCR C650CA MCR C650BC MCR C650CA MCR C650CB MCR C650CB MCR C651CF MCR C651CF MCR C651DB HCR C651DB MCR C651CJ MCR C651CJ MCR C650DB MCR C650DB MCR C6500B MCR C650DB HCR C650DB MCR C650DB MCR C650DB HCR C650DB MCR C650DB MCR C650D8 Revision 8 September 25, 1996 RG 1.97 Sensor Variable Displayed location 1m! Parameter I as N I.JJbe r Drawing NSSS/ESF Systems E11-S64A 791E418AC Bypassed (out of service) E11-S64B 791E418AC lndicat;on E11-S64C 79E418AC E11-S64D 791E18AC E51*S19 791E421AC E51-S20 791E421AC E41*S24 791E420AC E41-S41 791E420AC E21*S20A 791E419AC E21*S20B 791E419AC E21-S20C 791E419AC E21-S20D 791E419AC B21-S8B 791E403AC 821-SBO 791E403AC C71-S11A 791E414AC C71-S11B 791E414AC 944E309AC 944E309AC B21*S73A 791E401AC 821-5730 791E401AC ESF/EAS System (17) J200(Q)*1277 Bypassed Indication ( 17) J200(Q)-1277 (BOP) ( 17) J200(Q)-1277 (17) J200(Q)*1277 ( 17) J200(Q)-1278 ( 17) JZOO(Q)-1278 (17) JZOO(Q)-1279 (17) J200(Q)-1279 (17) J200(Q)-1280 (17) J200(Q)-1280 HCGS-UFSAR TABLE 7.5-1 (Cont) Safety Related Power Channel A 1E B 1E c 1E D 1E B 1E D 1E A 1E c 1E A 1E B 1E c 1E D 1E B 1E 0 1E v RPS X RPS A 1E B 1E w RPS z RPS A 1E B 1E c 1E 0 1E A, c 1E B, D 1E A, C 1E B, 0 1E A 1E B 1E 19a of 23 Conments RHR RCIC HPCI Core Spray ADS RPS RRCS NSSSS SSWS Pump and Screen Spray ssws to Heat Exchangers and Cooling Tower SACS Spent Fuel Pool Cooling Revision 8 September 25, 1996 lnstrlJI'Ient Displayed Tag Parameter Nl.nber ESF/EAS Systems HS-7949A Bypassed Indication HS-79498 (SOP) (Cont1d) KS-7950A HS*7950B HS*7951A HS-79518 HS*7952C HS*7952D HS*7953A HS-79538 HS-7953C HS-79530 HS-7954A HS-79548 HS*7954C HS-79540 HS-7955A HS-7955B HS*7955C HS-79550 HS-7956A HS-7956B HS*7956C HS-79560 HS-7957A HS*7957B HS-7957C HS-7957D KS-7958A HS-79588 HS-7958C HS-79580 HCGS-UFSAR TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY
  • BYPASSED AND INOPERABLE STATUS Indication Type of Location Provided Area Panel(22 Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C65008 Manual bypass/Off Status light MCR C65008 Manual Bypass/Off Status light MCR C65008 Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C65008 Manual Bypass/Off Status light MCR C65008 Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off status light MCR c6500B Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR c6soos Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500S Manual Bypass/Off Status light MCR c6SOOS Manual Bypass/Off Status light MCR C6500S Manual Bypass/Off Status light MCR c650os Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR c65oos Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR c6500B Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR c650oB 20 of 23 Revision 8 September 25, 1996 Sensor Displayed Location Tag Nl.lllber Drawing ESF/EAS Systems (17) J200(Q)*1281 Bypassed Indication (17) J200(Q)*1281 (BOP) (Conttd) (11) JZ00(0)-1282 ( 17) J200(Q)-1282 (17) J200(Q)-1283 ( 17) J200(Q)*1283 (17) J200(Q)*1217 (17) J200(Q)-1217 (17) J200(Q)-1284 (17) JZOO(Q)-1284 (17) J200(Q)-1284 (17) J200(0)*1284 ( 17) JZOO(Q)-1285 (17) J200(Q) -1285 (17) J200(Q)-1285 (17) J200(Q)-1285 (17) J200(Q)-1286 (17) J200(Q)-1286 (17) J200(Q)-1286 ( 17) JZOO(Q)-1286 (17) J200(Q)-1287 (17) J200(0)-1287 (17) J200(0)*1287 ( 17) J200(Q)-1287 (17) J200(Q)-1288 (17) J200(0)-1288 ( 17) J200(Q)-1288 (17) JZOO(Q)-1288 (17) J200(Q)-1289 (17) J200(Q)-1289 (17) J200(Q)-1289 (17) J200(Q)-1289 HCGS-UFSAR TABLE 7.5-1 (Contl Safety Related Power lli!!!!l A, C 1E 8, D 1E A, B 1E c, 0 1E c 1E D 1E c 1E 0 1E A 1E B 1E c 1E 0 1E A 1E B 1E c 1E 0 1E A 1E B 1E c 1E 0 1E A 1E B 1E c 1E 0 1E A 1E B 1E c 1E D 1E A 1E B 1E c 1E 0 1E 20a of 23 Conrnents Containment Hydrogen/ Oxygen Analyzers Containment Hydrogen Recoobiners PCIGS Instrument Gas Non-1E Header Isolation Valves Standby Diesel Generators Intake Structure HVAC Switchgear Room Coolers Diesel Gen. Room Recirc. Sys. Reactor Bldg. Exhaust System Reactor Bldg. FRVS Revision 8 September 25, 1996 Displayed Tag Parameter Nl.lnber ESF/EAS Systems HS*7959A Bypassed I nd i cat ion HS-79598 (BOP)(Cont 1d) HS-7959C HS-79590 HS-7960C HS*7960D HS-7961A HS*7961B HS-7961C HS-79610 HS-7962 HS-7975A HS-79758 HS*7975C HS-79750 HCGS*UFSAR TABLE 7.5-1 DISPLAYED PARAMETERS IMPORTANT TO SAFETY -BYPASSED AND INOPERABLE STATUS Indication Type of Location Provided Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C6500B Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light HCR C650DB Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR c650DB Manual Bypass/Off Status light MCR C6500S Manual Bypass/Off Status light MCR C650DS Manual Bypass/Off Status light HCR C6500S Manual Bypass/Off Status light MCR c650DB Manual Bypass/Off Status light MCR C650DB Manual Bypass/Off Status light MCR C6500B 21 of 23 Revision 8 September 25, 1996 Sensor Displayed location Parameter Tag Nl.llber Drawing ESF/EAS Systems (17) J200(Q)*1290 Bypassed Indication (17) J200(Q)-1290 CBOP)(Cont *d) (17) J200(Q)-1290 (17) J200(Q)-1290 (17) J200(Q)-1291 (17) J200(Q)-2952 (17) J200(Q)-2952 (17) J200(Q)-2952 (17) J200(Q)-1291 (17) J200(Q)-1291 (17) J200(Q)-2953 (17) J200(Q)-1457 (17) J200(Q) -1457 (17) J200(Q)-1457 (17) J200(Q)-1457 HCGS-UFSAR TABLE 7.5-1 Safety Related Channel A B c D c D A B c D A, 0 A B c D 21a of 23 (Cont) Power 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E 1E Conments ECCS and SACS Pump Room Coolers Aux. Bldg. Control Area HVAC Control Area Chilled Water Containment Prepurge Cleanup System 125V de Battery Chargers Revision 8 September 25, 1996 TABLE 7.5-1 NOTES 1. Displayed parameters important to safety are based on the HCGS position on Regulatory Guide 1.97, Revision 2, as described in Section 1.8.1.97 and the bypassed and inoperable status indication. 2. Panel numbers and panel sections (letter suffix) identifying the system as shown on Figure 7.5-2 for panels 10C650 and 10C651 in the main control room (MCR). 3. For the HCGS reactor vessel, the top of active fuel is at 366.3111 above vessel 0, the centerline of the main steam line is 658.511 above vessel 0. The instrumented range of reactor vessel level monitoring is 216.3111 to 927.5" above vessel 0. 4. The normal suppression pool level range is 168-1/2 to 172-1/2 inches above the bottom of suppression chamber. ECCS suction are at the following elevations (referenced to the bottom of the suppression chamber): (a) HPCI -38" (b) RHR -23.85" {c) Core spray -25.85" 5. Refer to GE Elementary Diagram 791E411AC (CSl-1080) for LPRM assignments to APRM and RBMs. 6. Deleted. 7. Cl1-Z2 is Rod and Detector Display Module on C650CD. 8. Indication is from individual rod position probes provided with each of the 185 control rods. Refer to GE Elementary Diagram 791E406AC (C11-1050). 9. XIL-J004 monitors tip shear valves SV-J004Bl, 2, 3, 4, 5 (C51} and tip ball valves SV-J004Al, 2, 3, 4, 5 (C51) positions. Refer to GE elementary 791E413AC (CSl-1060) for sensor and locations. -10. The position switches for the MSIVs are a part of the valve actuator assemblies and have no specific tag numbers. Refer to GE Elementary Diagram 791E401AC (821-1090). 11. ADS and SRV position is monitored by an accoustic monitoring system {described in Section 7.5.1.3.6). 12. Outputs from RHR flow transmitters FT-N015C and D-Ell are electrically isolated as shown on GE Elementary Diagram 791E418AC (Ell-1040), before terminating on recorders FR-R608A-Ell and FR-608B-E11. 13. Circulating water temperature at inlet to condenser (CRIDS I/0 point). 14. Circulating water temperature (average of 4 TEs) at outlet of condenser (CRIDS 1/0 point). 15. A positive delta T of the circulating water temperature across the conden-ser coupled with no decrease in condenser vacuum is an adequate indication of condenser cooling water flow. 22 of 23 HCGS-UFSAR Revision 0 ApriL 11, 1988 TABLE 7.5-1 NOTES (Cont'd) 16. Deleted. 17. The manual bypass light is actuated by the operator manually with its associated handswitch. The system it represents is channelized and powered by class 1E power supplies as noted in the "Safety Related Channel" column. The switches and their associated lights are powered by non

-1E UPS.

18. Not Used
19. SLCS pump discharge pressure has been substituted for SLCS flow. See Sections 1.8.1.97.3.3 and 1.8.1.97.4.7.
20. The TIP ball valves (SV-J004A1, 2, 3, 4, and 5) are not fully qualified in accordance with Regulatory Guide 1.97 requirements for a Category 1 variable. The TIP ball valves are not powered from a Class 1E battery-backed power source.

This can be justified by the fact that the TIP ball valves are normally closed, being open only when the TIP system is in use (approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> per month). Should a condition arise requiring containment isolation while the TIP is in use with a ball valve open and a detector in the guide tube, a signal is provided to withdraw the detector and subsequently close the ball valve. An explosive shear valve (powered from a source separate from that powering the ball valve) is installed in series with each ball valve and can be manually actuated in an emergency to shear the detector drive cable and seal the reactor end of the guide

tube.

21. Main steam line isolation valve (MSIV) position indication does not fully satisfy Regulatory Guide 1.97 requirements for a Category 1 variable. The MSIV position indication is powered by the fail-safe RPS power supply which is not battery-backed. A loss of the RPS power supply is acceptable from a safety standpoint however it would result in a loss of MSIV position indication. This power supply arrangement is justifiable since diverse methods exist for determining main steam line isolation status. Each main steam line is provided with a third valve in series with the MSIVs which can be closed by the control room operator. This valve is a Class 1E powered motor operated valve with Class 1E position indication provided in the main control room. A Class 1E indication of main steam line pressure is provided in the main control room operator with backup

status of main steam line isolation with or without MSIV position indication.

22. PASS sample line isolation valve position indication does not fully satisfy the Regulatory Guide 1.97 requirements for a Category 1 variable. PASS valve position indication is powered from an uninterruptible (battery backed) power supply which is not Class 1E. This power supply arrangement is justifiable since

the PASS sample lines are sealed closed barriers with two normally closed, normally deenergized, solenoid operated valves in series. A keylock permissive located in the main control room prevents inadvertent operation of the valves.

This design is allowed by Standard Review Plan 6.2.4,Section II, acceptance Criteria 6.f.

23. Deleted

23 of 23 HCGS-UFSAR Revision 22 May 9, 2017

Figure F7.5-l intentionally deleted. Refer to Plant Drawing J-0600-0 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 10C650 MAIN VERTICAL BOARD SECTIONS 10CB51 UNIT Of'ERATOR'S CONSOLE SECTIONS SECTION CONTENTS SECTION CONTENTS IIUN SUI ltiiDI 1\11 !!KtflON KCTtOM IECTIUM sunOM --INDEX SHEET --INDEX SHEET A R INSTRUt1ENT GAS R fl fDELETE:D fROM THIS PAHELI B COMPRESSED AIR B STATION SERVICE WRTER c F'IRE PROTECTION c SAFETY AUXII..IARIES COOL.DIG D REACTOR fiUXILIARlES COOLING D tDN.DfNSATE £ ClRCUL.RTlHG WRTtR E STATION SERVICE WATEr f tOKilE.MSERS F AEACTt:R LOll RAta PRESSUIE ItlllCATt:RS G fUR REtfOVf\L G RESIDUAL HEAT REHOVRl, A .. C S'I'STErtS H STORAG£ AND TRANSFER ,., RESIDUAL HEAT RErtOVAL, B I. D S'I'STEHS J OFf GAS B A REACTOR CORE ISOLATION COOLING I( I .8 HIGH PRESSURE CDOLRHT INJECTION c CORE SPRft'l'o A I. C SYSTE"S L FEEDWRTER HEATERS " REACTOR fEED Pi..111P TURBINE AUXILIARIES c A CORE SPRAY. B & D SYSTEttS B fl FEEDWATER B AUTO DEPRESSURIZATION SAFETY/RELIEF VALVES c A REACTOR WTR SAI'If'LE AND HEAD VENT c REACTOR RND HISCELUIHEOUS INDICATORS s REACTOR LEVEL CONTROL AND REACTOR ttERD VENT c STANDBY LIQUID CONTROL. D ROD RHO DETECTOR DISPLAY D REACTOR WATER CLEAN-UP £ LPRH LEVEL AND STATUS E REACTOR F I'IISCELLANEOUS MIN STEAf1 INDICATORS f REACTOR AND NEUTRON t\ONITORING G SEISttiC ANNUNCIATOR DISPLAY G REACTOR CONTROL. H POST ACCIDENT ttONITDRING H COtiTRDL ROD r-----* D R COHTRINHENT ISOLATION VAL V£5 DISPLAY J NUCLEAR STERH SUPPLY SHUTOFF' B SYSTEtt BYPASS STATUS INDICATION I( 11AIN STEAI1 c FUEL POOL COOLING RND TORUS WATER CLEANUP L 11AIN TURBINE flUXILIARIES D LIQUID RADWASTE 11 TURBINE SERLJNG STEAl'! AND DRAINS £ EKERGENCY BATTERIES AND INVERTERS D A HAIN TURBINE EHC R ELECTIUCRL DISTRIBUTION E R TURBINE GENERATOR AUXILIARIES 8 EP'ERGENCY 8 ELECTRICAL GENERRTJDN RNG DISTRIBUTION c CHILLED WillER c CONTAlNHENT HYDROGEN/OXYGEN ANALYZERS D DRYWELL tOOLING D CIJNTA[Nf'IENT ATHOSPHERE E RUim.IRR'f BUIUitHG COMTROL Rfl£R HVRC -E NON CLASS IE LOAD ISLN tiRCUlT IREfUCER STATUS L CONTROL f RUXILli'IRY IUlLDlt<<i DIESEL RRE.R H'IAC F REACTOR BUILDING til.. TRATION, RE:CIRCULATfON & tENTILRTJON G RERCTOR BUILDING Rev1s1on 12, May 3, 2002 Hope Creek Nuclear Station PSEG Nuclear, LLC PANEL SPACE ALLOCATI N MAIN CONTROL AREA HOPE CREEK NUCLEAR GENERATING STATION Updated FSAR Sheet 1 of 2 Fiqure 7.5-2 CD 2000 PS[G Nucle<r. llC. All Rights Reserved.

Figure F7.5-2 SH 2 intentionally deleted. Refer to Plant Drawing J-0602-0 sheet 1 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014

  • * * . I THIS FIGURE HAS BEEN DELETED I PSEG NUCLEAR L .. LC. HOPE CREEK GENERATING STATION HOPE CREEK UFSAR -REV 14 SHEET1 OF 1 July 26. 2005 F7.5-3 '.

7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY (INTERLOCK SYSTEMS IMPORTANT TO SAFETY) 7.6.1 Description This section describes systems that operate to reduce the probability of occurrence of specific events or to maintain safety systems in a state to ensure their availability in an accident. Also addressed are other systems important to safety that are not addressed elsewhere in Section 7. All other instrumentation systems required for safety differ from protection systems in that their safety action is taken prior to an accident or to prevent accidents. The systems described include: 1. Process Radiation Monitoring System (PRMS) 2. High Pressure/Low Pressure Systems Interlocks (HPLPSI) 3. Leak Detection Systems (LDS) 4. Neutron Monitoring System (NMS) 5. Recirculation Pump Trip System (RPT) 6. Main steam safety /relief valves (SRVs) - relief function 7. Redundant Reactivity Control System (RRCS) 8. Safety System/Nonsafety System Isolation (SSNSSI). The sources that supply power to the safety-related portions of systems described in this section originate from onsite ac and/or dc safety-related buses or non-Class 1E uninterruptible power supply for the power range NMS or, as in the case of the fail-safe 7.6-1 HCGS-UFSAR Revision 0 April 11, 1988 logic of the startup range NMS and portions of the LDS, from the non-Class 1E Reactor Protection System (RPS) motor generator sets. Refer to Section 8 for a complete description of the safety-related systems power sources. 7.6.1.1 Process Radiation Monitoring System The Process Radiation Monitoring Systems are described in Section 11.5, and the Class 1E portions are described in Sections 7.2.1.1.9 and 7.3.1.1.2.C.3. 7.6.1.2 High Pressure/Low Pressure System Interlocks - Instrumentation and Controls 7.6.1.2.1 HPLPSI System Function Instrumentation and controls are provided to prevent overpressurization of low pressure systems that interface with the reactor coolant pressure boundary (RCPB). 7.6.1.2.2 HPLPSI System Operation Schematic arrangements of mechanical equipment and instrumentation for the systems involved are shown on Plant Drawings M-51-1, Residual Heat Removal (RHR) P&ID, and M-52-1, Core Spray P&ID. Component control logics for the systems involved are shown on Vendor Technical Documents PN1-E11-1030-0020, RHR Functional Control Diagram (FCD), and PN1-E21-1030-0001, Core Spray FCD. Electrical schematics are identified in Section 1.7. Instrument specifications and setpoints are given in Table 7.6-4 and Section 16, respectively. 7.6-2 HCGS-UFSAR Revision 20 May 9, 2014 The following high pressure/low pressure interlock equipment is provided: Interlocked Process Parameter Line, Type, and Valve Sensed _ Purpose 1. RHR shutdown cooling Reactor Prevents valve opening suction, motor pressure until reactor pressure operated, F009 is below system design F008 pressure 2. RHR shutdown cooling Reactor Prevents valve opening injection, motor pressure until reactor pressure operated, F015A, B is below system design pressure 3. Deleted 4. RHR low pressure cool- Reactor Prevents pressurization ant injection (LPCI), pressure of the low pressure motor operated piping upstream of valve F017A,B,C, and D 5. Core spray injection, Reactor Prevents valve motor operated,F005A,B pressure opening until reactor pressure is below system design pressure The RHR shutdown cooling suction isolation valves and shutdown cooling injection valves have redundant interlocks to prevent the valves from being opened when the reactor pressure is above the system design pressure. These valves also receive a signal to close when reactor pressure is 7.6-3 HCGS-UFSAR Revision 14 July 26, 2005 above the system design pressure. The only high pressure/low pressure boundary device associated with the alternate remote shutdown system is RHR valve E11-HV-F015A (shutdown cooling injection). There is no pressure permissive interlock associated with this valve. However, it is controlled by a keylocked switch located in a motor control center (MCC); consequently, the operator would have to obtain the key from the normally locked RSP room before the control switch could be actuated and RHR valve F015A opened. In order to assure that an inadvertent manual actuation could not occur and cause a breach of the high pressure/low pressure boundary, PSE&G committed to implement the following items: 1. The labeling for alternate remote shutdown system RHR valve E11-HV-F015A reflects a warning that inadvertent actuation could cause overpressurization of the RHR piping. This labeling is designed, fabricated, and located in accordance with good human factors engineering principles. 2. Before full power operation, a low pressure permissive indication (e.g., blue light) was installed so that the operator at the MCC panel will know when RHR valve F015A can be opened without causing a breach of the reactor pressure boundary because of overpressurization of the RHR piping. Although the LPCI injection valves, MO F017A, B, C, and D, are interlocked to prevent opening when the pressure downstream of the valves is high, the injection line check valves F041A, B, C, and D and the relief valves F025A, B, C, and D provide additional overpressurization protection. The design prevents the injection valve from opening when the pressure downstream (sensed by pressure transmitter PT-N058) of the injection valve is greater than the design pressure of the LPCI piping. The pressure indicating switch (PIS-N658) has a nominal trip setpoint (NTSP) of 450 psi. Pressure downstream of the injection valve must be equal to or less than this NTSP before the automatic or manual open signal will be transmitted to the injection valve. Therefore, the LPCI low pressure piping that has a design pressure of 500 psi cannot be overpressurized by 7.6-4 HCGS-UFSAR Revision 7 December 29, 1995 injection valve openings. Inservice testing of the RHR injection valves will be performed during cold shutdown only, therefore, overpressurization during routine surveillance will not be a concern. The core spray injection valves MO F005A and B are prevented from opening until reactor pressure is low enough to prevent system overpressurization. Reactor pressure is sensed by four pressure transmitters in a one out of two twice configuration for each core spray injection valve. 7.6.1.3 Leak Detection System - Instrumentation and Controls The safety-related portions of the LDS are as follows: 1. Main steam line leak detection 2. Reactor Core Isolation Cooling (RCIC) System leak detection 3. High Pressure Coolant Injection (HPCI) System leak detection 4. Residual Heat Removal (RHR) System leak detection 5. Reactor Water Cleanup (RWCU) System leak detection 7.6.1.3.1 Leak Detection System Function The safety-related portions of the LDS instrumentation and controls are designed to detect reactor coolant leakage from portions of systems outside the primary containment and to initiate alarms and/or isolation when predetermined limits are exceeded. Refer to Section 5.2.5 for more information on the LDS. 7.6-5 HCGS-UFSAR Revision 0 April 11, 1988 7.6.1.3.2 Leak Detection System Operation LDS component control logics are shown on Vendor Technical Documents PN1-E11-1030-0020, RHR FCD, PN1-E51-1030-0061, RCIC FCD, and PN1-B21-1030-0021, Nuclear Boiler FCD. Instrument specifications are listed in Table 7.6-5. Instrument location drawings and electrical schematics are identified in Section 1.7. Systems or parts of systems that contain water or steam, and that are in direct communication with the reactor vessel, are provided with an LDS. Outside the primary containment, the piping within each system monitored for leakage is in compartments or rooms separate from other systems wherever feasible, so that leakage may be detected by ambient or differential area temperature, or high process flow. Sensors, wiring, and associated equipment of the LDS associated with the primary containment isolation valve logic are designed to withstand the conditions during and following a loss-of-coolant accident (LOCA). The operator is kept aware of the status of the LDS variables through meters and recorders that indicate the measured variables in the main control room. If unacceptable leakage occurs, the condition is annunciated in the main control room. The following describes or references descriptions of the safety-related portions of the LDS: 1. Main steam line leak detection - refer to Section 7.3.1. 2. RCIC and HPCI system leak detection - The steam lines of the RCIC and HPCI systems are monitored for leaks by the LDS. Leaks from the RCIC or HPCI system will cause a change in at least one of the following monitored parameters: temperatures of equipment and pipe routing areas, inlet steam flow rate, inlet steam pressure, or 7.6-6 HCGS-UFSAR Revision 20 May 9, 2014 turbine exhaust diaphragm pressure. If the monitored variables indicate that a leak exists, the LDS automatically isolates the affected system. The following is a description of each RCIC and HPCI LDS: a. RCIC and HPCI pump rooms area temperature monitoring - The RCIC pump room and HPCI pump room area ambient and differential temperature monitoring circuits are similar to those described for the main steam line tunnel temperature monitoring system. Refer to Section 7.3.1.1.2. Two redundant RCIC and HPCI pump room area ambient and differential temperature monitoring channels are provided for each LDS. Each redundant channel provides immediate input to channel B or D of the RCIC system, and channel A or C of the HPCI system for automatic isolation. Channel B provides input to the RCIC outboard steam supply isolation valve, and channel D provides input to the RCIC inboard steam supply isolation valve. Channel A provides input to the HPCI outboard steam supply isolation valve, and channel C provides input to the HPCI inboard steam supply isolation valve. If there were a leak in the equipment area, the temperature increase would be detected by any of the four (two ambient and two differential) temperature sensor/switches. Channel B or D will trip and cause an isolation depending on which sensor has detected the high temperature. Each channel has one ambient and one differential temperature sensor/switch. Since all four sensors are strategically located in the equipment area, the high temperature will be detected by more than one sensor during the leakage. Once the high temperature has been sensed, the trip 7.6-7 HCGS-UFSAR Revision 0 April 11, 1988 logic seals in. Also, an annunciation is provided in the control room. In addition, if there were a leak in the steam supply piping area, the temperature increase would be detected by any one or more of the four redundant high ambient temperature sensor/switches (one out of four) in each (B and D) channel. High RCIC and HPCI steam supply pipe routing area temperature or torus chamber area temperature actuates a 30 minute timer and initiates immediate annunciation of timer actuation in the main control room. If the temperature is not reduced before the timer times out, the affected system is automatically isolated; it seals in and is annunciated in the control room. The logic channel can be reset with the reset switch when the temperature has been reduced below the set point. The functional operability of the temperature sensor/switches may be verified independently as discussed previously for the MSIVs. Each logic channel is provided with a test switch to simulate the logic trip function. Each logic channel can be tested independently for functional operability during normal operation. An indicator light, which indicates RCIC or HPCI is in test, is provided for each channel; also, an out of service annunciation is provided in the control room during the test. Diversity is provided by the monitoring of steam line flow, steam line pressure, and turbine exhaust diaphragm pressure. b. RCIC and HPCI steam line flow rate monitoring - The inlet steam line flow rate is monitored by two redundant differential pressure switches. In the 7.6-8 HCGS-UFSAR Revision 0 April 11, 1988 presence of a leak, the flow rate monitor responds by generating an auto isolation signal. To eliminate the possibility of spurious system isolations, the RCIC and HPCI systems incorporate a time delay, which will prevent short term flow peaks from initiating a system isolation but will not interfere with the leak detection and isolation function. Refer to Section 7.4.1.1. Diversity is provided by the monitoring of pump room area temperature, steam line pressure, and turbine exhaust diaphragm pressure. c. RCIC and HPCI steam line pressure monitoring - Inlet steam line pressure to the RCIC or HPCI turbine is monitored by four redundant pressure switches, two for each logic channel. Using two out of two logic, a low steam line pressure signal from either logic channel initiates isolation of the affected system. Diversity is provided by the monitoring of pump room area temperature, steam line flow, and turbine exhaust diaphragm pressure d. RCIC and HPCI turbine exhaust diaphragm pressure monitoring - The turbine exhaust diaphragm pressure for the RCIC or HPCI turbine is monitored by four redundant pressure switches, two for each logic channel. Using two out of two logic, a high turbine exhaust diaphragm pressure signal from either logic channel initiates isolation of the affected system. Diversity is provided by the monitoring of pump room area temperature, steam line flow and steam line pressure. 7.6-9 HCGS-UFSAR Revision 0 April 11, 1988 Outputs from the monitoring circuits described above are used to generate the RCIC or HPCI system auto isolation signals (one for each channel) to isolate their respective inboard and outboard primary containment isolation valves. 3. RHR system leak detection - The steam lines to the RHR heat exchangers are monitored for leaks by the LDS. Leaks from the RHR system are detected by monitoring the RHR area temperature, which includes RHR equipment area high differential temperature, and RHR equipment area high ambient temperature. One temperature monitoring circuit is provided for each system. Each circuit provides main control room annunciation. Diversity is provided by the monitoring of flow rate in the HPCI inlet steam line. Refer to 7.6.1.3.2(2). 4. RWCU system steam leak detection - The following is a description of each RWCU leak detection method: a. RWCU differential flow monitoring - High differential flow in the RWCU system could indicate a breach of the cleanup system portion of the RCPB. The flow at the inlet to the system (suction from recirculation lines and from reactor vessel drain) is compared with the flow at the outlets of the system (flow return to feedwater or flow return to the main condenser and/or radwaste). Two redundant differential flow sensing channels compare the inlet and outlet flows of the RWCU system. Each of the flow monitoring sensor channels provides an input to one of the two (inboard or outboard) logic trip channels. 7.6-10 HCGS-UFSAR Revision 0 April 11, 1988 The RWCU high differential flow trip is bypassed by an automatic timing circuit during normal RWCU system flow surges. This time delay bypass prevents inadvertent system

isolations during system operational changes.

Diversity is provided by the monitoring of the RWCU area

temperature.

b. RWCU area temperature monitoring - Refer to Section 7.3.1.1.2.

7.6.1.3.3 Leak Detection System Testing

Periodic testing of the above monitors and their trip logic channels is performed in accordance with plant maintenance procedures. These procedures establish the administrative control for removing from service only one instrument channel at a time. Plant operation/maintenance procedures establish

the frequency, schedule, and documentation required for testing.

The testing is performed at intervals such that credible failure may be

detected and repaired before it would reduce the reliability of the system.

7.6.1.4 Neutron Monitoring System - Instrumentation and Controls

The safety-related subsystems of the Neutron Monitoring System, the intermediate range monitor (IRM), and the average power range monitor (APRM) including the local power range monitors (LPRMs) are discussed here. The

safety-related NMS instrumentation and controls are designed to monitor reactor power (neutron flux), and to trip the Reactor Protection System (RPS) when predetermined limits are reached. The NMS also provides the operator with real time information about the core power level and flux distribution during normal

operation and during and following an accident.

An Oscillation Power Range Monitor (OPRM) subsystem is also provided. This system detects power oscillations which can result from thermal-hydraulic reactor core instabilities, and provides alarms which alert the Control Room operator to their occurrence. The OPRM subsystem can also suppress these oscillations by providing trip signals to the Reactor Protection System (RPS) trip logic to shut down the reactor. Following DSS-CD implementation, DSS-CD is not required to be armed while in the DSS-CD Armed Region during the first reactor startup and during the first controlled shutdown that passes completely through the DSS-CD Armed Region. However, DSS-CD is considered OPERABLE and shall be maintained OPERABLE and capable of automatically arming for operation at recirculation drive flow rates above the DSS-CD Armed Region. The OPRM subsystem is described in Section 7.6.1.4.4.

7.6-11 HCGS-UFSAR Revision 23 November 12, 2018

7.6.1.4.1 Intermediate Range Monitor Subsystem The IRM subsystem monitors neutron flux from the upper portion of the s ource range to the lower portion of the power range as shown on Figure 7.6-1. There are eight IRM detectors providing flux level signals to eight channels of instrumentation, as shown on Vendor Technical Document PN1-C51-1010-0028. Each detector can be moved vertically in the reactor core, as shown on Figure 7.6-3. They are normally fully inserted during startup and are withdrawn after the reactor mode selector switch is placed in "run." The mode switch is placed in "run" when the APRMs are on scale (4 to 12 percent power), ensuring IRM/APRM overlap and continuity of neutron flux monitoring.

Each IRM detector is a miniature fission chamber attached to an insulated transmission cable. The detector cable is connected underneath the reactor vessel to a second cable, which carries the signal to a preamplifier shown on

Figure 7.6-4. IRM preamplification is selected by a range switch located in the main control room. It provides 10 ranges of increasing attenuation as the neutron flux in the reactor core increases, keeping the input signal to the IRM signal conditioning equipment in the same range. The signal conditioning equipment electronically converts the detector signal into a signal proportional to the neutron flux at the detector and provides gamma discrimination. The output signal is amplified and supplied to a remote recorder located on the main control room vertical board. The IRM neutron flux signal is also applied to trip units where IRM downscale, inoperative, upscale alarm, and upscale reactor trips are generated for use in the RPS or Reactor Manual Control System (RMCS), as shown on Vendor Technical Document

PN1-C51-1020-0029.

7.6.1.4.2 Local Power Range Monitor Subsystem

The LPRM subsystem provides localized neutron flux detection over the full power range for input to the APRM and OPRM subsystems. The LPRM detectors are mounted in strings of four with 43 strings distributed throughout the core. The detector at the bottom of each string (the A level detector) is located approximately 18 inches above the bottom of the core. Each succeedingly higher level detector (B, C, and D) is 36 inches above the one below. This places the D level detectors in all strings approximately 18 inches below the top of the core. In this manner, flux is monitored throughout the volume of the core.

The LPRM detector strings are radially placed such that every location or its symmetrical counterpart in another quadrant is monitored. The LPRM detector position is not adjustable. Power range monitor detector assembly locations are shown on Figure 7.6

-6. 7.6-12 HCGS-UFSAR Revision 23 November 12, 2018

The LPRM strings are located inside the vessel, each string enclosed in an in-core assembly consisting of a metal instrument tube containing the LPRMs, their associated cable, and a dry interior traversing incore probe (TIP) tube. The metal instrument tube is penetrated by small holes that allow circulation of the reactor coolant water to cool the LPRM fission chambers.

The loss of one or several LPRM detectors will not adversely affect the operation of the safety

-related APRM they supply. Each individual chamber of the assembly is a moisture proof, pressure sealed unit. They are designed to operate throughout the normal and transient pressures and temperatures encountered within the reactor vessel. Their wiring, cables, and connectors located within the drywell are designed for continuous duty in the drywell

environment. See Section 3.11 for environmental conditions.

The current signals from the LPRM detectors are transmitted to the APRM in the main control room. The current signal from a chamber is transmitted through the LPRM connector panels to its assigned APRM. The APRM input circuitry converts the current input to a digital signal that is proportional to the

magnitude of the neutron flux. The APRM provides isolated output signals that

are suitable as an input to the computer, recorders, etc.

Power for each LPRM is supplied from its associated APRM chassis. Current limiting is provided to protect the APRM instrument from the effects of faults in any or all of the LPRM detectors. Each high voltage power supply (HVPS) is able to operate with any number of LPRM detectors shorted.

Electrical protection assemblies (EPAs) identical to those used in the reactor

protection system (RPS) (described in Section 8.3.1.5.4) are installed between the power range NMS and the two 120 V ac feeders from the UPS power sources (see Figure 7.6-10). The EPAs ensure that the power range NMS never operates under degraded bus voltage or frequency conditions (undervoltage, overvoltage, underfrequency). The power range NMS panel (10C608) was analyzed with this power supply configuration to ensure that no single failure of the power range NMS could inhibit the proper operation of the reactor protection, rod block monitor, recirculation flow control, reactor manual control, and the redundant reactivity control systems required for the safe operation of the plant. The interfaces between the power range NMS and the RPS have adequate provisions for separation. The RPS cabling external to the NMS panel conforms to the

separation guidelines of Regulatory Guide 1.75, which the RPS must satisfy.

7.6-13 HCGS-UFSAR Revision 23 November 12, 2018

Separation criteria for the rod block monitor, recirculation flow control, reactor manual control, and the redundant reactivity control systems has not been changed.

The trip circuits for the LPRM provide signals to actuate lights and

annunciators. Table 7.6-3 lists the LPRM trips.

Each LPRM may be individually bypassed from its associated APRM instrument or

LPRM instrument front panel. A bypassed LPRM detector is excluded from the APRM Flux Calculation. In this way, each APRM can continue to produce an accurate signal representing average core power even if some of the assigned LPRMs fail during operation. If the number of functional assigned LPRMs drops to less than the minimum number required per channel or minimum number required per level (A, B, C, D), the APRM provides a rod block signal and trouble annunciation. The rod block monitor (RBM) instrument receives LPRM detector input signals from the APRM instruments. The LPRM signals used depends on the control rod selected. Upon selection of a rod for withdrawal or insertion, the conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels. For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-level and D-level detectors, and all four of the C-level detectors. The LPRM detector signals are displayed on the RBM Operator display Assembly (ODA). The operator can readily obtain readings from all the LPRM detectors by selecting the control rods in order. The signals from the LPRM detectors surrounding the selected rod are used in the RBM to p rovide protection against local fuel overpower conditions.

7.6-14 HCGS-UFSAR Revision 23 November 12, 2018

This page left intentionally blank

7.6-15 HCGS-UFSAR Revision 23 November 12, 2018

7.6.1.4.3 Average Power Range Monitor The APRM subsystem monitors neutron flux from approximately 1 percent to above 100 percent power. There are four APRM channels, each receiving core flux level signals from 43 LPRM detectors. Each channel contains an APRM instrument that receives inputs from 22 of these detectors and an LPRM instrument that receives inputs from 21 of these detectors.

The APRM compares corrected LPRM values to high and low trip points and averages the filtered readings to obtain a value for the reactor average instantaneous neutron flux value (readings from bypassed LPRMs are automatically excluded from the average). The APRM provides output to a self

-contained provides APRM, LPRM, OPRM, and Recirculation Flow information to the plant operator. Outputs are also provided for Main Control Room recorders.

Refer to Section 7.2.1.1 for a description of the APRM inputs to the RPS, and Figure 7.6-5 for the RPS trip circuit input arrangement. APRM trips are summarized in Table 7.6-2.

The APRM will initiate a reactor scram at 17 percent core power in "startup" mode. When the mode switch is in "run," the APRM trip reference signal is provided by a signal that varies with recirculation flow. This provides a power following reactor scram setpoint. As power increases, the reactor scram setpoint also increases up to a fixed setpoint above 100 percent. Reactor power is always bounded with a reactor scram, yet the change in power require d to generate the reactor scram does not vary greatly with the operating power

level.

Provision is made for manually bypassing one APRM channel at a time.

Calibration or maintenance can be performed without tripping the RPS. Removal of an APRM channel from service without bypassing it will result in an APRM "inoperative" condition which causes a trip signal to the 2-out-of-4 voters, a rod block, and annunciation. The reactor protection system (RPS) is a dual trip system (trip systems A and B).

7.6-16 HCGS-UFSAR Revision 23 November 12, 2018

accepting the APRM gain downloaded from the plant process computer. Each APRM instrument is designed to provide automatic periodic testing of the replaceable hardware modules in an APRM Channel at least every 15 minutes. The APRM firmware (or software) continuously cycles through a series of tests of each module when the instrument keylock switch is in the performed by user control. The APRM status, such as instantaneous values, trip, and alarm indication are also provided in the control room at the main control room vertical board or at the Operator Display Assembly at the operator bench

board.

The PRNM equipment is powered from 120 Vac 60 Hz. Each PRNM chassis (APRM or RBM) is powered from redundant Low Voltage Power Supply (LVPS) modules contained within a single Quad Low Voltage Power Supply (QLVPS) chassis. One LVPS module is connected to UPS Bus A and the other LVPS module is connected to UPS Bus B. The LPRMs receive power from their associated APRM instrument and

the LPRM instrument.

APRM signals are sent to Redundant Reactivity Control System (RRCS) to enable the logic if additional reactivity control is necessary following an ATWS

event. The use of this signal is discussed in Section 7.6.1.7. The APRMs are designed to remain accurately functional for at least 20 minutes after an ATWS feedwater runback is initiated.

7.6.1.4.4 Oscillation Power Range Monitor

The OPRM function detects the onset of reactor core power oscillations resulting from thermal

-hydraulic instability and suppresses them by initiating trip signals to the reactor protection system (RPS) to scram the reactor. The detect and suppress confirmation density (DSS-CD) described in NEDC

-33075P-A is the stability solution utilized.

each. The OPRM system consists of four independent channels capable of detecting thermal hydraulic instability by monitoring the neutron flux within the reactor core. The OPRM function combines the signals from each LPRM in an OPRM cell and evaluates that combined cell signal using the OPRM algorithms to detect thermal hydraulic instabilities. An OPRM Upscale trip is issued from an OPRM channel when the confirmation density algorithm in that channel detects oscillatory changes in the neutron flux, indicated by period confirmations and amplitude exceeding specified setpoints for a specified number of OPRM cells in the channel.

7.6-17 HCGS-UFSAR Revision 23 November 12, 2018

An OPRM Upscale trip is also issued from the channel if any of the defense

-in-depth algorithms (PBDA, ABA, GRA) exceeds its trip condition for one or more cells in that channel. The OPRM Upscale Function is automatically trip

-enabled when THERMAL POWER, as indicated by the APRM Simulated Thermal Power, is 24% RTP corresponding to the MCPR monitoring threshold and react or recirculation drive flow is less than or equal to 70% of rated flow. This region is the OPRM Armed Region. 7.6.1.5 Recirculation Pump Trip System - Instrumentation and Controls 7.6.1.5.1 RPT Purpose

The reason for tripping the recirculation pumps is to reduce the impact on the fuel of thermal transients caused by turbine trip, generator trip, or load rejection. The rapid core flow reduction increases void content and thereby

introduces negative reactivity in conjunction with control rod insertion.

7.6.1.5.2 RPT Logic and Operation

The RPS detects turbine control valve fast closure and main stop valve closure, using four channels of sensor logic. This is combined into two channelized two

out of two trip logic for RPT.

Trip signal initiation requires confirmation from at least two sensor channels and reactor power above a preset level. No single failure will prevent RPT trip.

Each trip logic channel will trip both recirculation pumps.

7.6.1.6 Main Steam Safety/Relief Valves - Relief Function

7.6.1.6.1 Main Steam Safety/Relief Valves Function

The relief function of the main steam safety/relief valves (SRVs) is to relieve

high pressure conditions in the nuclear system that could

7.6-18 HCGS-UFSAR Revision 23 November 12, 2018

lead to the failure of the reactor coolant pressure boundary. The system actuates the SRV to vent steam to the suppression chamber and reduce reactor pressure. See Section 5.2.2 for further details. Also, see Section 7.3.1.1.1.2 for the Automatic Depressurization System (ADS) function of selected SRVs. 7.6.1.6.2 SRV Operation Schematic arrangement of SRV system mechanical equipment and operator information displays are shown in Plant Drawing M-41-1. The SRV component control logic is shown in Vendor Technical Document PN1-B21-1030-0021. Instrument location drawings and elementary diagrams are identified in Section 1.7. SRVs are spring loaded against reactor pressure and are set to mechanically open upon high reactor pressure conditions. Additionally, each SRV is equipped with pneumatic cylinder operation from a common gas supply which is capable of opening the SRVs by solenoid actuation to vent pneumatic pressure into the associated air cylinder, actuating the valve. This allows actuation of the SRVs at pressures below the setpoint of the springs from either remote manual switches or pressure switch signals. The 14 SRVs are arranged into three pressure setpoint groups. This feature automatically adjusts the relief capacity to the size of the overpressure condition. Adequate deadband is provided to eliminate rapid open/close operation and minimize system stresses. Automatic operation of the SRVs is initiated by high reactor vessel pressure. Manual capability is included in the trip system. Remote manual switches are installed in the main control room. Another three SRV remote manual switches are mounted on the remote shutdown panel (RSP). Lights in the main control room indicate when the solenoid operated pilot valves are energized to open their respective SRVs. 7.6-19 HCGS-UFSAR Revision 20 May 9, 2014 Low-low set relief logic is provided for two SRV's physically located on opposite sides of the reactor pressure vessel and powered from separate class-1E channels (one from channel B and one from Channel D). This automatic control system ensures that containment, SRV discharge lines, and reactor overpressure protection design bases are not exceeded. It accomplishes this by providing these valves with altered setpoints that are lower than the normal SRV spring-set opening and closing pressure setpoints. Two out of two high reactor pressure signals from two pressure switches are required to arm the low-low set logic for each of the selected SRV's. The high reactor pressure low-low set arming setpoints are selected to be higher than the normal reactor scram setpoint and lower than the lowest normal spring set SRV opening set pressure. The low-low set arming signal seals in lower automatic reopening and closing pressure setpoints for the selected SRV's and also actuates an annunciator in the main control room. The new lower close setpoint pressure ensures that the low-low set SRV's remain open longer than any other SRV that may have opened. This extended relief capacity ensures that no more than one SRV reopens a second time thus minimizing challenges to the SRV's. The lower reopening and closing setpoints remain sealed in until manually reset in the main control room. The two low-low set SRV's have different reopening and closing pressure setpoints. (The low-low set arming pressure setpoints are the same for both SRV's). One is designated as the "low" low-low set and the other is designated as the "high" low-low set SRV. The high low-low set SRV has reopening and closing pressure setpoints that are higher than those of the low low-low SRV and functions as a backup. Either low-low set SRV can provide the low-low set function by itself. Each low-low set SRV is provided with a 3-position ("AUTO", "OPEN", and "CLOSE") keylocked switch in the main control room 7.6-20 HCGS-UFSAR Revision 17 June 23, 2009 with the key removable in the "AUTO" position only. An annunciator is actuated whenever the switch is placed in the "CLOSE" position advising the control room operator of the out of service status of that low-low set SRV. The low-low set logic is designed with redundancy and single failure criteria, i.e., no single electrical failure can prevent both low-low set SRV's from opening or cause an inadvertent seal in of the low-low set logic. 7.6.1.7 Redundant Reactivity Control System (RRCS) - Instrumentation and Controls 7.6.1.7.1 RRCS Function The RRCS is a system designed to mitigate the potential consequences of an anticipated transient without scram (ATWS) event. The system consists of remote control panels, their associated ATWS detection and actuation logic and the necessary interface logic to the Reactor Recirculation System, the Feedwater Control System (FCS), the RWCU System, the Standby Liquid Control (SLC) System, and the alternate rod insertion (ARI) components of the Control Rod Drive (CRD) System required to perform specific functions in response to an ATWS event. 7.6.1.7.2 RRCS Operation The RRCS consists of reactor vessel pressure and level sensors, solid state logic, control equipment room cabinets and indications and interfaces with several systems actuated to mitigate an ATWS event as shown on the RRCS FCD, Vendor Technical Document PN1-C22-1030-0052. The solid state logic is divided into divisions 1 and 2, each of which is subdivided into logic channels A and B. The logic is energized to trip, and both channels A and B of either division must be tripped in order to initiate the RRCS protective actions. The system can be manually initiated by depressing two pairs of pushbutton switches (tripping both channels A and B) in the same division. This manual initiation 7.6-21 HCGS-UFSAR Revision 20 May 9, 2014 function is designed so that no single operator action can result in an inadvertent initiation. One pushbutton switch of each logic channel manual initiation pair provides an enable function and must be depressed first. This enables the second pushbutton switch in the pair which, when depressed, trips the logic channel. The manual initiation pushbutton switches are located in the main control room. There are four pairs of RRCS manual initiation pushbutton switches. The RRCS logic monitors reactor dome pressure and RPV water level. The logic will cause the immediate energization of the ARI valves when either the reactor high pressure trip setpoint or low water (L2) setpoint is reached, or manual initiation is actuated as shown in Table 7.6-6. Energization of the RRCS ARI valves depressurizes the scram air header independent of the logic and vent valves of the RPS system as shown on Figure 7.6-9. The valves are sized to allow insertion of all control rods to begin within 15 seconds. Positive position (open or closed) is indicated for all eight (8) RRCS ARI valves at the RRCS control panels. Additional immediate RRCS response to the initiation signals includes recirculation system pump motor breaker trip immediately if reactor high pressure is received or 9 seconds after a low water level (L2) signal is received. The high pressure initiation signal will initiate a feedwater runback after 25 seconds whether the feedwater pumps are in "auto" or "manual" if the APRM not downscale trip signal is present. Should power not be downscale 230 +/-5 seconds from the beginning of the ATWS event, the RWCU system will be isolated, and the SLC system will be automatically initiated. Ten minutes after SLC initiation, the RRCS, except for ARI function, can be reset provided that power as measured by the APRMs is downscale, RRCS actuation parameters have reset and the RRCS manual reset pushbutton switches located in the main control room are depressed. 7.6-22 HCGS-UFSAR Revision 15 October 27, 2006 The RRCS is continually checked by a solid state microprocessor based self-test system. This self-test system checks the RRCS (sensors, logic, and protective devices and itself). 7.6-22a HCGS-UFSAR Revision 15 October 27, 2006 THIS PAGE INTENTIONALLY LEFT BLANK 7.6-22b HCGS-UFSAR Revision 6 October 22, 1994 Nuclear boiler system instrumentation is provided to monitor reactor vessel high dome pressure and low RPV water level. The sensors, transducers, and trip units are Class 1E, independent of the RPS, and environmentally qualified to perform their protective function during ATWS events. The APRMs provide a downscale trip signal to the RRCS permissive logic. This signal is Class 1E and contains two channels of input per division. Each RRCS channel, except for ARI function, can be manually reset by depressing the RRCS reset pushbutton switches (four, one for each tripped channel) provided that APRM power is downscale, RRCS actuation parameters have reset, and 10 minutes has elapsed since initiation of the SLC system. When the RRCS is reset, the following seal-in signals are broken: 1. RWCU system isolation 2. Low water level (L2) recirculation pump trip 3. Manual initiation 4. High reactor pressure recirculation pump trip and feedwater runback 5. SLC system initiation. The RRCS ARI function is reset by the RRCS ARI reset pushbutton switches. This second set of four pushbutton switches (one for each channel) will enable the reset of the ARI logic 30 seconds after initiation of ARI provided that initiating signals have cleared. This 30-second time delay before the ARI reset permissive appears is designed to ensure that the RRCS ARI scram goes to completion. There is no RRCS bypass or operation bypass. 7.6-23 HCGS-UFSAR Revision 3 April 11, 1991 The RRCS is a two-divisional system. Separation is maintained between the redundant portions of the system to ensure compliance with the separation and single failure criteria. Two channels in a given division are kept separate until they terminate on a common device. This separation is done to satisfy the single failure criterion. The two divisions of RRCS logic are designed so that either can cause recirculation pump motor trip and feedwater run-back when a sufficient power reduction has not occurred. The RRCS meets the requirements of IEEE 279-1971 and Regulatory Guide 1.75, Revision 1. 7.6.1.8 Safety System/Non-Safety System Isolation (SSNSSI) 7.6.1.8.1 SSNSSI Function The function of the SSNSSI, a subsystem of the PCIS, is to maintain safety systems in a state that ensures their availability during and following an accident by isolating them from associated non-safety related systems upon a receipt of PCIS initiation signals. For discussions of this isolation function, refer to Sections 7.3.1.1.11.1 and 7.3.1.1.11.2. The PCIS is discussed in Section 7.3.1.1.5. PCIS initiation logic and isolation signal fanout are shown on Plant Drawing J-102-0. 7.6.1.9 Design Bases The safety-related systems described in Section 7.6 are designed to provide timely protective action inputs to other safety systems to protect against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Section 15 identifies and evaluates events that jeopardize the fuel cladding and RCPB. The methods of assessing fuel cladding damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in Section 15. 7.6-24 HCGS-UFSAR Revision 20 May 9, 2014 The plant conditions that require protective actions are described in Section 15. 1. Variables monitored to provide protective actions. The following variables are monitored in order to provide protective action inputs: a. High pressure/low pressure system interlocks (1) Reactor pressure b. LDS (1) RCIC and HPCI area temperatures - differential and ambient (2) RCIC and HPCI steam line flow rates (3) RCIC and HPCI turbine exhaust diaphragm pressure (4) RCIC and HPCI low steam line pressure (5) RHR area temperatures - differential and ambient (alarm only - no protective action inputs) (6) RWCU area temperatures - differential and ambient (7) RWCU differential flow. c. NMS (1) Neutron flux during startup (SRM, IRM) (2) Core average neutron flux (APRMs, LPRMs) 7.6-25 HCGS-UFSAR Revision 0 April 11, 1988

d. RPT (1) Turbine control valve fast closure (2) Main stop valve closure (3) Reactor vessel dome pressure (RRCS) (4) Reactor vessel water level (level 2 - RRCS) e. SRVs - relief function (1) Reactor vessel pressure f. SSNSSI (1) Drywell pressure (2) Reactor vessel water level (level 1) (3) Class 1E 4 kV bus voltage g. RRCS (1) Reactor vessel pressure (2) Reactor vessel low water level (3) Reactor power 2. Location and minimum number of sensors - See the HCGS Technical Specifications for the minimum number of sensors required to monitor safety-related variables. LPRM detectors are the only NMS sensors that have spatial dependence as referenced in IEEE 279-1971 Paragraph 3.(3). 7.6-26 HCGS-UFSAR Revision 0 April 11, 1988
3. Prudent operational limits - Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious safety system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or RCPB, is kept within acceptable bounds. 4. Margin - The margin between operational limits and the limiting conditions of operation of the safety-related systems are those parameters as listed in the Technical Specifications. 5. Levels - Levels requiring protective action are established in the Technical Specifications. 6. Range of transient, steady state, and environmental conditions - Refer to Section 3.11 and Section 3.1.2.1.4.1 for environmental conditions. Refer to Section 8.3 for the maximum and minimum range of power supply to the safety-related instrumentation and controls of the systems described in Section 7.6. All safety-related instrumentation and controls are specified and purchased to withstand the effects of power supply ranges. Environmental conditions for proper operation of the systems described in Section 7.6 are discussed in Section 3.10 and 3.11. 7. Malfunctions, accidents, and other unusual events that could cause damage to safety systems - Chapter 15 describes the following credible accidents and events: floods, storms, tornados, earthquakes, fires, LOCA, pipe break outside containment, and missiles. a. Floods - The buildings containing safety-related components have been designed to meet the probable 7.6-27 HCGS-UFSAR Revision 0 April 11, 1988 maximum flood (PMF) at the site location. This ensures that the buildings will remain watertight under PMF including wind generated wave action and wave runup. Therefore, none of the functions are affected by flooding. For a discussion of internal flooding protection, refer to Sections 3.4 and 3.6. b. Storms and Tornados - The buildings containing safety-related components have been designed to withstand all credible meteorological events, including tornados, as described in Section 3.3. c. Earthquakes - The structures containing safety-related system components have been seismically qualified as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). d. Fires - See Section 9.5.1, Fire Protection. e. LOCA - The safety-related system components described in Section 7.6 located inside the drywell and functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11 and as indicated in Section 3.11 tables. f. Pipe break outside containment - Protection for safety-related components is described in Section 3.6. g. Missiles - Protection for safety-related components is described in Section 3.5. 8. Minimum performance requirements - Minimum performance requirements for safety-related systems instrumentation and controls are provided in the Technical Specifications. 7.6-28 HCGS-UFSAR Revision 0 April 11, 1988 7.6.1.10 Final System Drawings Final system drawings have been provided for the safety-related systems in this section as follows: 1. Functional Control Diagrams (FCD)-NMS FCD, Vendor Technical Document PN1-C51-1020-0029 2. Instrument Engineering Diagrams (IED)-NMS IED, Vendor Technical Document PN1-C51-1010-0028 Electrical interconnection and schematic diagrams are listed in Table 1.7-1. Functional and architectural design differences between the PSAR and FSAR are listed in Table 1.3-8. 7.6.2 Analysis 7.6.2.1 Process Radiation Monitoring System (PRMS) - Analysis 7.6.2.1.1 Main Steam Line Radiation Monitoring System The analysis for the Main Steam Line Radiation Monitoring System is discussed in Section 7.3.2. 7.6.2.1.2 Other Process Radiation Monitors Portions of other process radiation monitors are discussed in Section 7.2 and Section 7.3 as part of the systems for which they are initiating circuits. 7.6.2.2 High Pressure/Low Pressure System Interlocks - Analysis 7.6.2.2.1 Implementation of General Functional Requirements The HPLPSIs provide an interface between low pressure systems and reactor pressure. When reactor pressure is low enough as not to 7.6-29 HCGS-UFSAR Revision 20 May 9, 2014 be harmful to the low pressure systems, the valves are permitted to open, exposing the low pressure system to reactor pressure. The interlocks are automatic, and the main control room operator is given indication of their status. 7.6.2.2.2 Implementation of 10CFR50 Appendix A - General Design Criteria (GDC) The following is a discussion of implementation of the GDC that apply specifically to the HPLPSI. 1. GDC 1, 2, 3, 4, and 5 - These criteria are discussed in Section 7.1.2.2. 2. GDC 15, Reactor Coolant System Design - See Section 7.1.2.2. 3. GDC 29, Protection Against Anticipated Operational Occurrences - See Section 7.1.2.2. 4. GDC 30, Quality of Reactor Coolant Pressure Boundary - Pressure sensors that penetrate the RCPB have the highest practical quality standards. 7.6.2.2.2.1 Conformance to IEEE Standards The following is a discussion of conformance to those IEEE standards that apply specifically to the HPLPSI. 1. Conformance to IEEE 279-1971, Criteria for Protection System for Nuclear Power Generation Station - The interlocks are designed in accordance with the single failure criterion, redundancy requirements, and testability criterion of their associated system. 7.6-30 HCGS-UFSAR Revision 0 April 11, 1988
2. Conformance to IEEE 323-1971, Qualifying Class 1E Equipment for Nuclear Power Generating Stations - See Section 7.1.2.3 for conformance. 3. Conformance to IEEE 338-1971, Periodic Testing of Nuclear Power Generating Stations - Although not a design basis, the design of the interlocks is such that they can be tested during reactor operation except for the actuated devices (valves). The valves can be tested during startup and shutdown. Details concerning testing of the interlocks can be found in the operational/test procedures. 4. Conformance to IEEE 344-1971, Seismic Qualification of Class 1E Equipment - See Section 7.1.2.3 for conformance. 5. Conformance to IEEE 379-1972, Application of Single - Failure Criterion to Nuclear Power Generating Stations - See the analysis of IEEE 279, Paragraph 4.2 of the associated systems for conformance to IEEE 379-1972. 6. Conformance to IEEE 384-1974, Independence of Class 1E Equipment and Circuits - See Section 7.1.2.3 for conformance. 7.6.2.2.3 NRC Regulatory Guide Assessments The following is a discussion of conformance to those Regulatory Guides that apply specifically to the HPLPSI. 1. Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Functions - See Section 7.6.2.2.2 for a discussion of conformance to IEEE 338-1971. 2. Regulatory Guide 1.29, Seismic Design Classification - See Section 7.1.2.4 for conformance. 7.6-31 HCGS-UFSAR Revision 0 April 11, 1988
3. Regulatory Guide 1.30, Quality Assurance Requirements for Instrumentation and Electrical Equipment - See Section 7.1.2.4 for an assessment. 4. Regulatory Guide 1.53, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems - See Section 7.1.2.4 for conformance. 5. Regulatory Guide 1.68, Initial Test Programs for Water Cooled Nuclear Power Plants - An assessment for conformance to this Regulatory Guide is discussed in Section 1.8. 6. Regulatory Guide 1.75, Physical Independence of Electric Systems - The sensors and instrument and control panels that are part of the HPLPSI feature are separated and identified in accordance with Regulatory Guide 1.75. 7. Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants - See Section 7.1.2.4 for an assessment. 8. Regulatory Guide 1.100, Seismic Qualification of Electrical Equipment for Nuclear Power Plants - See Section 7.1.2.4 for an assessment. 9. Regulatory Guide 1.105, Instrument Setpoints - See Section 7.1.2.4 for an assessment. 10. Regulatory Guide 1.118, Periodic Testing of Electrical Power and Protection Systems - See Section 7.1.2.4 for an assessment. 7.6.2.2.4 Evaluation Against BTP 3 The following provides a review of the NSSS high pressure/low pressure system interlocks (HPLPSI) per the guidelines of BTP3. 7.6-32 HCGS-UFSAR Revision 0 April 11, 1988 The interlocked valves of the HPLPSI are as follows: Valve Valve Power Logic Power (RHR)E11-F008 480 Vac Bus D RPS Bus B (RHR)E11-F009 480 Vac Bus A RPS Bus A (RHR)E11-F050A Instrument Bus A N/A (RHR)E11-F050B Instrument Bus B N/A (RHR)E11-F015A, B 480 Vac Bus D RPS Bus B (RHR)E11-F017A 480 Vac Bus A Instrument Bus A (RHR)E11-F017B 480 Vac Bus B Instrument Bus B (RHR)E11-F017C 480 Vac Bus C Instrument Bus C (RHR)E11-F017D 480 Vac Bus D Instrument Bus D (CS) E21-F004A 480 Vac Bus A Instrument Bus A (CS) E21-F004B 480 Vac Bus B Instrument Bus B (CS) E21-F005A 480 Vac Bus A Instrument Bus A (CS) E21-F005B 480 Vac Bus B Instrument Bus B The sensors that actuate the interlock logic (on pressure below setpoint) are on separate instrument lines and power such that no single failure can prevent core cooling. The electrical separation of the HPLPSIs is consistent with the systems of which they comprise a part and represents no deviation from the intent of Regulatory Guide 1.75 as discussed in Section 8.1.4.14. The interlocked valves of the HPLPSI meet BTP 3 in accordance with the following: Two Motor Operated Valves in Series (BTP 3, paragraph 3) E11-F008 and E11-F009 (RHR shutdown cooling, outboard and inboard suction valves, respectively) are two manually activated, motor operated valves in series. Both valves are inhibited from opening, and they close automatically if primary system pressure is above the setpoint. Reactor pressure is also indicated in the 7.6-33 HCGS-UFSAR Revision 14 July 26, 2005 control room. The logic components for both valves are independent. Each valve control circuit requires two permissive signals of reactor low pressure before the valves can open; this results in a four out of four logic to open the suction line. Removal of one signal (one out of four logic) isolates the line. The pressure permissive components rely on the transmitter trip unit

combination, which is testable from the control room.

Reactor pressure instrumentation used by the operator (via plant procedures) to initiate shutdown cooling is independent of the interlocks. Procedural controls ensure that the manually initiated shutdown cooling mode is not begun

until the reactor pressure is low.

Because of the foregoing additional safety design features, diversity of interlocks as suggested by paragraph 2 of BTP3 has not been implemented for the HCGS. This is consistent with all other BWR testability enhanced (transmitter

trip unit) plants such as Grand Gulf.

Motor Operated Valve in Series with an Air Operated Valve (Not Addressed in BTP3)

E11-F025A and E11-F025B (steam line) are motor operated valves in series with

BC-V636 (manual valve) and E11-F051B (steam pressure reducing air operated valve) respectively. With the exception of BC-V636, these valves are no longer f unctionally operative in the HCGS design. They have been locked closed.

Motor Operated Valves in Series with (Testable) Check Valves (BTP3, paragraph

4)

7.6-34 HCGS-UFSAR Revision 22 May 9, 2017

E11-F015A and E11-F015B (RHR shutdown cooling outboard injection valves) are manually activated, motor operated valves in series with BC-V636 (manual valve) and E11-F051B (I/P-controlled, air operated throttle valve). At a certain setpoint of heat exchanger shell pressure, these valves begin to close; they completely close before the heat exchanger design pressure is exceeded. A LOCA signal initiates closure of these air operated valves. In the event that the pressure reducing circuitry for E11-F051B should fail, pressure relief valve E11-F055B would maintain the pressure on the low pressure side below limits.

Motor Operated Valves in Series with (Testable) Check Valves (BTP3, paragraph

4)

E11-F015A and E11-F015B (RHR shutdown cooling outboard injection valves) are manually activated, motor operated valves in series with E11-F050A and E11-F050B (testable, air operated check valves), respectively. These motor operated valves (loops A and B) are inhibited from opening, and they close automatically if primary system pressure is above the setpoint. Both valves use the same valve control circuit, which requires two permissive signals of reactor loss pressure before the valves can open. Removal of one pressure

permissive signal will close the valves.

The remaining HPLPSI valves in this discussion are required for Emergency Core Cooling Systems (ECCS) operation. The recommendation of BTP3 was followed in

evaluating ECCS HPLPSI on an individual case basis.

Paired, Motor Operated Valves and Air Operated Check Valves

The valves listed below are paired, motor operated valves and air operated check valves, which isolate low pressure portions of the ECCS from the higher

pressure primary portion.

The LPCI injection motor operated valves E11-F017A, B, C, and D are interlocked to prevent opening when the differential pressure across

7.6-35 HCGS-UFSAR Revision 22 May 9, 2017

the valves exceeds the setpoint. This interlock applies to manual or automatic opening. The differential pressure is indicated by a permissive alarm in the control room. The normally closed, inboard, core spray injection valves, E21-F005A and E21-F005B and the normally open, outboard injection valves, E21-F004A and E21-F004B are interlocked to high reactor pressure (one out of two twice logic) to prevent their receiving an opening signal on automatic system initiation. The inboard and outboard valves are interlocked by a limit switch to prevent both valves in each loop from being opened manually at the same time during testing. LPCI Injection Valves In order to prevent overpressurization of the low pressure piping of the RHR system, the RPV shutdown suction valves F008 and F009 are interlocked to prevent opening when reactor pressure is greater than 100 psig. The F015A and B valves have interlocks which prevent them from opening when the reactor pressure is above the design pressure of the RHR system. The shutdown suction valves F006 A and B are not interlocked because suction valves F008 and F009 provide the required overpressure protection. Valves E11-F015 A and B are only opened during normal plant shutdown cooling when reactor pressure has been reduced to a pressure of 135 psig, which is substantially less than the discharge line design pressure. Valves E11-F050A and B, and relief valves E11-F025 A and B prevent overpressurization of the RHR low pressure piping if F015 A or B are inadvertently signaled to open when reactor pressure is above the RHR low pressure piping design pressure. The control logic for the LPCI injection valves F017A, F017B, F017C and F017D has been changed. A pressure interlock that further reduces the potential for overpressurization of the low design pressure piping has been incorporated in each valve. Figure 7.6-11 illustrates the design change. 7.6-36 HCGS-UFSAR Revision 1 April 11, 1989 The previous design permitted the injection valves to open when the differential pressure across the valves was equal to or less than 730 psi. Therefore, the injection valves could open when the reactor pressure was equal to 1080 psig (i.e.: 730 psi plus the LPCI pump discharge pressure of approximately 350 psi = 1080 psig). Failure of the inboard testable check valve could result in overpressurization of the LPCI low pressure piping upstream of the injection valve. The current design eliminates that failure concern by preventing the injection valve from opening when the pressure downstream of the injection valve is greater than the design pressure of the LPCI piping upstream of the injection valve. The pressure indicating switch has a nominal trip setpoint (NTSP) of 450 psi. Pressure downstream of the injection valve must be equal to or less than this NTSP before the automatic or manual open signal would be transmitted to the injection valve. 7.6.2.3 Leak Detection System (Safety-Related) - Analysis 7.6.2.3.1 Implementation of General Functional Requirement The part of the LDS instrumentation and controls that is related to the various subsystem isolation circuitry is designed to meet requirements of the Primary Containment and Reactor Vessel Isolation Control Systems (PCRVICS) cited in Section 7.3.2.2. 7.6.2.3.2 Implementation of NRC Regulatory Guides The following is a discussion of implementation of those Regulatory Guides that apply specifically to the safety-related portions of the LDS. 1. Regulatory Guide 1.22, Periodic Testing of Protection System Actuation Function - The portion of the LDS that to provides outputs to the RWCU, HPCI, or RCIC isolation logic is designed so that periodic manual testing of the 7.6-37 HCGS-UFSAR Revision 7 December 29, 1995 isolation actuation logic may be performed while the reactor is at power. Indicator lamps are provided in the main control room to indicate that a particular logic channel is tripped. 2. Regulatory Guide 1.29, Seismic Design Classification - See Section 7.1.2.4 for conformance. 3. Regulatory Guide 1.30, Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment - See Section 7.1.2.4 for an assessment. 4. Regulatory Guide 1.45, Reactor Coolant Pressure Boundary Leakage Detection Systems - See Section 5.2.5 for an assessment. 5. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - The Leak Detection System indicates all bypass conditions in conformance with Regulatory Guide 1.47. See Section 7.1.2.4 for conformance. 6. Regulatory Guide 1.53, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems - The portions of the leak detection system that provide outputs to RWCU, RCIC, and HPCI isolation logic comply with this Regulatory Guide. Discussion is provided in Section 7.3.2 under Regulatory Guide 1.53. 7. Regulatory Guide 1.75, Physical Independence of Electric Systems - Discussion of compliance with the Regulatory Guide is provided in Section 7.1.2.4. 8. Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants - An assessment for this Regulatory Guide is provided in Section 7.1.2.4. 7.6-38 HCGS-UFSAR Revision 0 April 11, 1988

9. Regulatory Guide 1.100, Seismic Qualification of Electrical Equipment for Nuclear Power Plants - See Section 7.1.2.4 for an assessment. 10. Regulatory Guide 1.105, Instrument Setpoints - See Section 7.1.2.4 for an assessment. 11. Regulatory Guide 1.118, Periodic Testing of Electrical Power and Protection Systems - See Section 7.1.2.4 for an assessment. 7.6.2.3.3 Implementation of 10CFR50 Appendix A - General Design Criteria (GDC) The following is a discussion of implementation of those GDC that apply specifically to the safety-related LDS. 1. GDC 1, 2, 3, 4, 5, 10, and 13 - Refer to Section 7.1.2.2 for discussion of these criteria. 2. GDC 19, Control Room - The main control room has been designed with controls and instrumentation to safely operate the unit under normal operating conditions and to maintain the unit in a safe condition under accident conditions including LOCA. Refer to Section 7.4 for discussion of remote shutdown capabilities. 3. GDC 20 - Protection System Functions - Leak detection equipment senses accident conditions and initiates the PCRVICS when appropriate. 4. GDC 21 - Protection System Reliability and Testability - Protection related equipment is arranged in two redundant divisions and maintained separately. Testing is covered in the conformance discussion for Regulatory Guide 1.22. 7.6-39 HCGS-UFSAR Revision 0 April 11, 1988
5. GDC 22 - Protection System Independence - Protection related equipment is arranged in two redundant divisions so that no single failure can prevent isolation. Diversity of sensed variables is used. 6. GDC 23 - Protection System Failure Modes - Signals provided are such that isolation logic is fail-safe. 7. GDC 29 - Protection Against Anticipated Operational Occurrences - No anticipated operational occurrence can prevent a required isolation. 8. GDC 30 - Quality of Reactor Coolant Pressure Boundary - The system provides means for the detection and general location of the source of reactor coolant leakage. 9. GDC 34, 35, and 54 - Leak detection is provided for RCIC, ECCS, main steam lines, and RWCU lines penetrating the primary containment. 7.6.2.3.4 Implementation of IEEE Standards The following is a discussion of conformance to those IEEE standards that apply specifically to the safety-related LDS: 1. IEEE 279-1971, Criteria for Protection System for Nuclear Power Generating Stations - LDS isolation functions comply with IEEE 279 and are included in the IEEE 279 compliance discussions of the PCRVICS system, Section 7.3.2, for which this system provides logic trip signals. 2. IEEE 323-1971, Qualifying Class 1E Equipment for Nuclear Power Generating Stations - An assessment for IEEE 323 is discussed in Section 3.11 including a discussion of the environmental qualification program. 7.6-40 HCGS-UFSAR Revision 0 April 11, 1988
3. IEEE 338-1971, Periodic Testing of Nuclear Power Generating Stations - Although not a design basis, all active components of the LDS associated with the isolation signal can be tested during plant operation. 4. IEEE 344-1971, Seismic Qualifications of Class 1E Equipment and Circuits - An assessment for the LDS is given in Section 7.1.2.3(4). 5. IEEE 379-1972, Application of Single-Failure Criterion to Nuclear Power Generating Stations - The LDS isolation functions are in compliance with IEEE 379-1972, and are addressed in the IEEE 279 compliance discussion of ESF systems in Section 7.3.2.1.2, for which the LDS provides logic trip signals. 6. IEEE 384-1974, Independence of Class 1E Equipment and Circuits - See Section 7.1.2.3 for degree of conformance. 7.6.2.4 Neutron Monitoring System - Analysis 7.6.2.4.1 Implementation of General Functional Requirements The analysis for the RPS trip inputs from the IRM, the LPRM, and APRM subsystems is discussed in Section 7.2.2. 7.6.2.4.1.1 Intermediate Range Monitor Subsystem The IRM is the primary source of neutron flux information as the reactor approaches the power range. Its linear steps (approximately a half decade each) and the rod blocking features on both high flux level and low flux level require that all the IRMs remain on the correct range as core reactivity is increased by rod withdrawal. This arrangement ensures that the IRMs always provide a good indication of reactor power (neutron flux), and that adequate margin is maintained between the neutron flux reading and the trip point to 7.6-41 HCGS-UFSAR Revision 6 October 22, 1994 prevent unnecessary trips while ensuring that during a reactivity addition transient (such as a cold water slug injection or refueling accident) the trip point will be reached soon enough to prevent a large power transient. The sensitivity of the IRM is such that the IRM is on scale on the least sensitive (highest) range at approximately 15 percent of reactor power. The number and locations of the IRM detectors have been selected to provide sufficient intermediate range flux level information under the worst permitted bypass or detector failure conditions. In addition, an APRM setdown reactor trip is provided to limit core power transients when the reactor is not in the "run" mode. To ensure that each IRM is on the correct range, a rod block is initiated any time the IRM is downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core unless the reactor mode switch is in the "run" position. The IRM reactor trips and the IRM rod block trips are automatically bypassed when the reactor mode switch is in the "run" position and the APRM system is providing NMS reactor trips and rod blocks appropriate to this higher power region of reactor operation. 7.6.2.4.1.2 Local Power Range Monitors The LPRMs provide detailed information about neutron flux throughout the reactor core and provide neutron flux information for the APRM system. The LPRMs are assigned into various groups that are powered by non-Class 1E uninterruptible power sources, allowing operation with one ac power supply failed or out of service without limiting reactor operation. Individual failed LPRM detector chambers can be bypassed. The flux information for a failed detector chamber location can be: 1. Interpolated from nearby chambers 2. Derived from an octant-symmetric chamber 7.6-42 HCGS-UFSAR Revision 6 October 22, 1994
3. Measured at the failed detector's location using the Traversing In-core Probe (TIP) Calibration System.

The APRM flux averaging operation accounts for / removes bypassed detector

inputs.

7.6.2.4.1.3 Average Power Range Monitoring System

Each APRM derives its signal from LPRM information. The number of LPRMs assigned to each of the four APRMs channels is 43. APRMs A and C operate protective trips in Subchannels A1 and A2 of the RPS Channel A trip logic, and APRMs B and D operate protective trips in Subchannels B1 and B2 of the RPS Channel B trip logic. The assignment, power separation, cabinet separation, and LPRM signal isolation are in accordance with the safety design basis of the RPS. The number and arrangement of APRM channels is such that one undetected failure or one bypassed channel in each trip system can be tolerated and still satisfy the RPS safety design bases.

The simulated thermal power APRM reactor scram setpoint is adequate to prevent fuel damage during an abnormal operational transient, as demonstrated in

Section 15.

7.6.2.4.2 Neutron Monitoring System Specific Requirement Conformance 7.6.2.4.2.1 Implementation of IEEE Standards The following is a discussion of conformance to those IEEE standards which

apply specifically to the NMS. Refer to

7.6-43 HCGS-UFSAR Revision 23 November 12, 2018

Section 7.1.2.3 for a discussion of IEEE standards that apply equally to all safety-related systems.

7.6.2.4.2.1.1 IEEE 279-1971, Criteria for Protection System for Nuclear Power Generating Station

1. General Functional Requirement (Paragraph 4.1) - The NMS automatically initiates both downscale and upscale rod block trips and reactor scrams whenever measured neutron flux exceeds certain trip setpoints. The NMS is designed to provide these protective trips in all operating modes. As the reactor operating mode is changed, the NMS subsystem used and the protective trip setpoints are automatically changed to guarantee that core flux is adequately monitored and adequate protection is always provided.
2. Single Failure Criterion (Paragraph 4.2) - The IRM subsystem of the NMS is designed such that failure of or bypass of one NMS channel inputting trip signal to each of the RPS divisions will not compromise the RPS design basis. The system can initiate rod block trips or reactor scrams even if a single failure removes a channel from the trip system. The APRMS comply with IEEE 603

-1991.

3. Quality of Components and Modules (Paragraph 4.3) - The NMS components and modules are of a quality consistent with minimum maintenance requirements and low failure rates.
4. Equipment Qualification (Paragraph 4.4) - Test data and the operating experience gained by the use of similar NMS equipment at operating plants confirms that the equipment will meet, on a continuing basis, the performance requirements determined to be

necessary for achieving the system requirements.

7.6-44 HCGS-UFSAR Revision 23 November 12, 2018

5. Channel Integrity (Paragraph 4.5) - The NMS equipment is designed to operate and to perform its safety-related functions in the environment of the mounting location of the components, indicated in Section 3.11. The NMS is not required to be operational after an accident, nor are components of the NMS required to be operational in accident environments. 6. Channel Independence (Paragraph 4.6) - Each NMS channel supplying trip signals to the RPS system is independent and physically separated from NMS channels supplying trip signals to other RPS divisions. This separation is accomplished through the choice of cable routing, cabinet construction, and circuit signal isolation, resulting in the removal of the effects of unsafe environmental factors, electrical transients, and the physical accident consequences documented in the design basis. The rod block signal outputs are likewise isolated. 7. Control and Protection System Interaction (Paragraph 4.7) - The transmission of signals from NMS equipment for control system use is accomplished through isolation devices (relays) classified as part of the protection system. No credible failure at the output of an isolation device will prevent the associated protection system channel from meeting the minimum performance requirements specified in the design basis. The scram logic requires one NMS trip signal into RPS Trip System A and one NMS trip signal into RPS Trip system B. With one NMS channel bypassed in the group of NMS channels feeding RPS Trip System A, and one bypassed in the group of NMS channels feeding RPS Trip System B, and an additional single random failure in a control system requiring protective action, the remaining redundant NMS channels (five IRM or three APRM) will continue to provide reactor scram signals to the RPS. 7.6-45 HCGS-UFSAR Revision 3 April 11, 1991
8. Derivation of System Inputs (Paragraph 4.8) - The NMS RPS inputs are derived from trip units set to trip when core neutron flux level signals or averaged signals exceed specified limits. The neutron flux is converted into an electrical current signal and applied to the NMS trip units. The tripped or nontripped RPS input state is therefore a direct measure of the neutron flux level being measured. 9. Capability for Sensor Checks (Paragraph 4.9) - Each NMS detector can be checked during reactor operation. This check can be accomplished by cross-checking between IRM channels while considering their relative core positions. Detector response to neutron flux can be verified by withdrawing or inserting the IRM detector being checked and observing for the appropriate response. Core power changes during startup and shutdown also provide a "perturbed monitored variable" which will cause an observable neutron flux change. In addition to this, the individual IRM detector's output can be read as an input to the IRM preamplifier located outside the main control room. The APRM detector signals (LPRM inputs) can be individually selected and displayed in the main control room during reactor operation. Changing reactor power can be monitored to provide evidence that the LPRM is correctly tracking power. The signal from each LPRM can also be cross-checked with the other LPRMs, or can be checked by running the TIP system probe up into the instrument tube to a position near the LPRM being checked. 10. Capability for Test and Calibration (Paragraph 4.10) - Each IRM and each APRM channel can be calibrated and/or tested during reactor operation. Trip setpoint checks can be done at each monitor channel drawer, and 7.6-46 HCGS-UFSAR Revision 0 April 11, 1988 calibration of LPRMs, APRMs, and IRMs can be done during reactor operation using core heat balance calculations.
11. Channel Bypass or Removal from Operation (Paragraph 4.11) - The NMS is designed to permit a channel to be bypassed for maintenance or calibration without initiating protective action at the system level. Four IRMs supply RPS trip signals to RPS trip system A, and the four other IRMs supply RPS trip signals to RPS trip system B. A trip of trip system A coincident with a trip of trip system B will result in a reactor scram. One IRM in each set of four may be bypassed. Removing more than one from each set of four will result in an IRM inoperative condition, which is an automatic trip of the

related RPS trip logic channel.

The APRM system is designed such that only one APRM may be bypassed at any given time. The bypass switch is a five-position center locking joystick that mechanically switches four fiber optic signals. The bypass switch is optically isolated. When the switch is in one of the four bypass positions, light from only one of the four fiber optic signals (corresponding to the switch position) is allowed to pass through the switch. With an APRM bypassed, a trip of two or more APRM channels out of three will result in a trip output from all four-voter channels. The voter channels cannot be bypassed.

When IRM or APRM channels are bypassed, the remaining active parts of the system continue to operate normally and supply NMS trip

signals to the RPS thereby satisfying the single failure criterion.

12. Operating Bypasses (Paragraph 4.12) - The IRM reactor scram is bypassed whenever the reactor mode switch is placed in the "run" position. Although this is not distinctly an operating bypass since it requires manual manipulation of the reactor mode sw itch, it is an automatic consequence of placing the reactor mode switch in "run." The APRM setdown trip signal (set at 17 percent reactor power) is also bypassed in the run

7.6-47 HCGS-UFSAR Revision 23 November 12, 2018

mode. Moving the reactor mode switch to "run" replaces the IRM trip signal and APRM setdown trip signal with the simulated thermal power APRM trip signal. The reactor mode switch is considered part of the RPS and is designed in accordance with RPS criteria.

13. Indication of Bypasses (Paragraph 4.13) - Whenever an IRM or APRM channel is bypassed, this condition is continuously indicated by a "bypassed" status light in the main control room. In addition to this, each channel's bypassed condition is indicated at the IRM signal conditioning equipment, or each of the 2-out-of-4 voters and by an annunciator in the main control room.

Whenever an IRM or APRM channel is deliberately rendered inoperative an IRM inoperative or APRM inoperative condition is continuously indicated on the main control panel, at the respective equipment, and by an annunciator.

14. Access to Means for Bypassing (Paragraph 4.14) - The bypass switch for the APRM and the bypass switch for the IRM system function to permit only one channel in each trip system to be bypassed at a time. Manipulating the switch to bypass a second channel on the same trip channel is possible only by first returning the

originally bypassed channel to service.

IRM and APRM channels may be taken out of service with the operating function switch on their respective signal conditioning equipment however, this will result in an IRM inoperative or APRM inoperative if that particular channel is not bypassed with the main control panel bypass switch prior to taking the ope rating function switch out of the "operate" position. Therefore, removing an unbypassed IRM or APRM channel from "operate" and placing it in "standby" or some other

7.6-48 HCGS-UFSAR Revision 23 November 12, 2018

test mode in order to bypass the channel will result in a half scram trip of the RPS for the IRM channel being inoperative or a channel trip in the 2

-out-of-4 voters for an APRM channel being inoperative and will actuate all the associated alarms.

The front panel of the APRM chassis has a key lock switch that can be used for test and calibration purposes. The channel is returned to its pretest status when the key lock switch is returned to the

OPER position.

15. Multiple Setpoints (Paragraph 4.15) - Both the APRM setdown trip signal in the "startup" mode and the APRM simulated thermal power trip signal in the "run" mode are multiple setpoints. The setdown trip signal is placed into service and removed from service by the positioning of the reactor mode switch. The APRM simulated thermal

power trip signal setpoint is automatically changed to more restrictive setpoints as recirculation flow is reduced. The mode switch and flow units used to prevent improper application of less restrictive trip signal setpoints are considered part of the RPS and are designed accordingly.

16. Completion of Protective Action Once It Is Initiated (Paragraph 4.16) - The NMS trip signals do not seal in at the IRM or APRM trip units. The trip signal will return to the non-tripped state as soon as core neutron flux conditions warrant. However, the RPS does contain built-in seal-in circuitry such that a momentary excursion of an NMS flux level above a trip signal setpoint will result in sealed in tripped RPS logic even after the neutron flux returns to normal levels. See Section 7.2.2, IEEE 279-1971, Paragraph 4.16 for details.

7.6-49 HCGS-UFSAR Revision 23 November 12, 2018

Provisions are made for manually resetting the RPS trip logic after the conditions causing the trip and a preset time delay have been satisfied.

17. Manual Initiation (Paragraph 4.17) - The control room operator can initiate a manual IRM high neutron flux trip by ranging down with one IRM range switch in each trip channel provided that core neutron flux is above the trip setpoint for that range.

A NMS neutron flux trip can also be manually initiated by taking one unbypassed IRM or APRM in each trip channel out of "operate,"

or by placing the reactor mode switch in "startup" when APRM

neutron flux (reactor power) is greater than 17 percent.

More appropriate means of manually tripping the RPS are discussed in Section 7.2.2, and IEEE 279-1971, Paragraph 4.17.

18. Access to Setpoint Adjustments (Paragraph 4.18) - The IRM and APRM signal conditioning drawers, LPRM cards, flow monitoring units, and related power supplies are mounted in cabinets which are located within the main control room. Setpoint adjustments, calibration adjustments, and test points are located within the cabinets behind closed doors. Access to the main control room is administratively controlled by limited security access (card reader doors) and licensed operator control of access within the main control room.
19. Identification of Protective Actions (Paragraph 4.19) - Status lights on the main control panel and the signal conditioning equipment indicate and identify each channel's status (tripped or

nontripped).

7.6-50 HCGS-UFSAR Revision 23 November 12, 2018

20. Information Readout (Paragraph 4.20) - Recordings of each channel are provided for both IRMs and APRMs. Indication can easily be compared channel to channel for verification of proper system operation. Metered indications are provided for each LPRM or APRM at the 7.6-50a HCGS-UFSAR Revision 1 April 11, 1989 THIS PAGE INTENTIONALLY BLANK 7.6-50b HCGS-UFSAR Revision 1 April 11, 1989 signal conditioning equipment. Metered indications are also provided on the main control room vertical board for the 16 LPRMs called by the RBM subsystem for whichever control rod is selected for movement. 21. System Repair (Paragraph 4.21) - The NMS signal conditioning equipment is designed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components or modules. 22. Identification (Paragraph 4.22) - NMS equipment is distinctively identified as to its function and channel. 7.6.2.4.2.1.2 IEEE 323-1971, Qualifying Class 1E Equipment for Nuclear Power Generating Stations An assessment for IEEE 323-1971 is given in Sections 7.1.2 and 3.11. Section 3.11 also includes a discussion of the environmental qualification program. 7.6.2.4.3 Implementation of 10CFR50 Appendix A - General Design Criteria (GDC) The following is a discussion of implementation of those GDC that apply specifically to the NMS. 1. GDC 1, 2, 3, 4, 10, 12, and 25 - The APRM, as an input to the RPS, complies with these criteria as discussed in Section 7.2.2. 2. GDC 13, 19, 20, 21, 22, 23, 24 - The APRM detection and associated electronics are designed to monitor the in-core flux over all expected ranges required for the safe operation of the plant. Automatic initiation of protection system action, reliability, testability, independence, and separation have been factored into the APRM design as required for protection systems. See 7.6-51 HCGS-UFSAR Revision 0 April 11, 1988 Section 7.2.2 for a detailed discussion of how the RPS meets these GDC requirements. 7.6.2.4.4 Implementation of Regulatory Guides The following is a discussion of implementation of those Regulatory Guides that apply specifically to the NMS. 1. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - The NMS meets the requirements of Regulatory Guide 1.47 through the use of bypass indication and annunciation as described in Section 7.6.2.4.4.1.1, Paragraph 4.13. 2. Regulatory Guide 1.75, Physical Independence of Electric Systems - See the discussion of compliance in Section 7.2.2, and in Section 7.6.2.4.4.1.1 Paragraph 4.6. 7.6.2.5 Recirculation Pump Trip (RPT) System - Analysis 7.6.2.5.1 Implementation of General Functional Requirements The function of the RPT system is to reduce the severity of thermal transients on fuel elements by tripping the recirculation pumps early in the transient event. Main stop valve closure, or turbine control valve fast closure, will initiate a scram and recirculation pump trip in time to keep the core within the thermal hydraulic safety limit during operational transients. The trip system includes the sensors, logic circuitry, load drivers and circuit breakers that cause main power to be disconnected from both recirculation pumps upon closure signals from the main stop valves or turbine control valves in the event of a turbine trip or generator load rejection, above a pre-set level of reactor power. By letter dated March 1, 1985, PSE&G stated that the EOC RPT provides for the insertion of negative core reactivity to improve 7.6-52 HCGS-UFSAR Revision 0 April 11, 1988 thermal margins for certain pressurization transients. The early part of the transient and the core void reactivity that the EOC RPT produces are not dependent on whether the final recirculation flow is determined by natural circulation or by a small power input to the recirculation pumps from a low frequency MG set. The transfer to the low frequency MG set is an inherent design characteristic of the BWR 5/6 plants but currently does not exist in BWR 4 plants. Therefore, it can be concluded that the EOC RPT transfer to the low frequency MG sets will serve no safety function in a BWR 4 plant and its absence is not detrimental to the effectiveness of the EOC RPT design at Hope Creek. 7.6.2.5.2 Implementation of 10CFR50 Appendix A - General Design Criteria (GDC) The following is a discussion of implementation of those GDC that apply specifically to the RPT system. 1. GDC 1, Quality Standards and Records - See Section 7.1.2.2. 2. GDC 2, Design Bases for Protection Against Natural Phenomena - See Section 7.1.2.2. 3. GDC 3, Fire Protection - See Section 7.1.2.2. 4. GDC 4, Environmental and Missile Design Bases - See Section 7.1.2.2. 5. GDC 5, Sharing of Structures, Systems, and Components - No part of the RPT system is shared with any other nuclear power unit. 6. GDC 10, Reactor Design - See Section 7.1.2.2. 7. GDC 13, Instrumentation and Control - See Section 7.1.2.2 7.6-53 HCGS-UFSAR Revision 0 April 11, 1988
8. GDC 20, Protection System Functions - The RPT system is designed to automatically initiate action intended to reduce the impact on the fuel of the thermal transients that result from anticipated operational transients thereby minimizing the adverse effects of such transients to the fuel. This is accomplished by the use of relay logic that generates the trip signal in response to the anticipated conditions without operator action. 9. GDC 21, Protection System Reliability and Testability - System reliability and testability is ensured by the system design requirements. System logic provides sufficient redundancy such that no single failure will impair the protective function. Also, removal from service of any single component or channel will not compromise the capability of the remaining logic to trip both recirculation pumps. 10. GDC 22, Protection System Independence - The RPT protective function is ensured by the use of independent redundant logic channels, either of which can trip both recirculation pumps. 11. GDC 23, Protection System Failure Modes a. Sensor logic - Sensor circuitry uses fail-safe logic. That is, the sensor logic deenergizes to initiate the trip logic. b. Trip logic - Trip logic is not fail-safe and must energize to generate the protective trip. Protection from loss of power is provided by the use of redundant trip logic powered from different channels. 7.6-54 HCGS-UFSAR Revision 0 April 11, 1988
12. GDC 24, Separation of Protection and Control Systems - Logic within the RPS generates the trip signal that is sent to the recirculation system to trip the recirculation pumps. System separation is achieved by the use of separate circuit breakers for this function. Each recirculation pump motor has two Class 1E breakers in series powered from two different channels. 7.6.2.5.3 Implementation of IEEE Standards The following is a discussion of implementation of those IEEE standards that apply. 7.6.2.5.3.1 IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations 1. General Functional Requirement (Paragraph 4.1) - Protective action occurs automatically in response to preset values of the sensed variables. This is accomplished by the use of pressure and position sensors which automatically initiate the relay operated trip logic which trips the recirculation pump circuit breakers without the necessity for manual action. Protective action is completed upon trip of the recirculation pump. 2. Single Failure Criterion (Paragraph 4.2) - No single failure will disable the capability to trip both recirculation pumps from high speed operation. This is accomplished by using redundant channelized (divisionally separated) sensor and trip circuitry. Either channel will trip both recirculation pumps. 3. Quality of Components and Modules (Paragraph 4.3) - For a discussion of quality of RPT components and modules, refer to Section 3.11. 7.6-55 HCGS-UFSAR Revision 8 September 25, 1996
4. Equipment Qualification (Paragraph 4.4) - Detailed discussion of equipment qualification is contained in Sections 3.10 and 3.11. 5. Channel Integrity (Paragraph 4.5) - The RPT equipment is designed to operate and to perform its safety-related function within the environment of the mounting location of the components, indicated in Section 3.11. The RPT is not required to be operational after an accident, nor are components of the RPT required to be operational in accident environment. 6. Channel Independence (Paragraph 4.6) - Channel independence is ensured by the use of physical separation, electrical independence, and mechanical barriers. 7. Control and Protection System Interaction (Paragraph 4.7) - Logic within the RPS generates the trip signal that is sent to the recirculation system to trip the recirculation pumps. Undesirable interaction between systems is prevented by the use of separate circuit breakers for this function. 8. Derivation of System Inputs (Paragraph 4.8) - Main stop valve closure is detected by a position switch that responds to valve position. Turbine control valve fast closure is detected by a pressure switch that detects turbine control valve hydraulic pressure. 9. Capability for Sensor Checks (Paragraph 4.9) - Provisions exist to allow closure of the main stop valve and fast closure of the turbine control valve separately, one valve at a time for test purposes without causing a recirculation pump trip. The input sensors and the division logic can be checked one channel at a time. 7.6-56 HCGS-UFSAR Revision 0 April 11, 1988
10. Capability for Test and Calibration (Paragraph 4.10) - The design requirement is met. Also see Section 7.6.2.5.4.a.1. 11. Channel Bypass or Removal from Operation (Paragraph 4.11) - Either RPT channel can be removed from service without affecting the capability of the remaining trip channel to perform the expected trip functions. This is accomplished by using two separate, independent logic circuits, either of which can generate the necessary trip signals for both pumps. 12. Operating Bypasses (Paragraph 4.12) - a. Automatic Bypass - At low reactor power, the RPT is not required. When reactor power is low, the function is automatically bypassed. When reactor power is above the setpoint, the bypass is automatically removed, by deenergizing the bypass relay. b. Manual Bypass - RPT can be manually bypassed. No provision exists for automatically removing the manual bypass. 13. Indication of Bypasses (Paragraph 4.13) - a. Automatic Bypass - Low reactor power level automatic bypass is automatically indicated in the main control room. This is the same annunciated bypass indication used by the RPS to indicate when main stop valve closure and turbine control valve fast closure trips are bypassed. b. Manual Bypass - The manual bypass is annunciated in the main control room by the same switch that is used to actuate the bypass. 7.6-57 HCGS-UFSAR Revision 0 April 11, 1988
14. Access to Means for Bypassing (Paragraph 4.14) - Manual bypass is accomplished with a keylock switch, which is administratively controlled.
15. Multiple Setpoints (Paragraph 4.15) - There are no multiple setpoints in the RPT.
16. Completion of Protective Action Once It Is Initiated (Paragraph 4.16) - Except for the manual and automatic bypasses, the logic is designed to progress automatically from sensor

actuation to the trip function without interruption.

17. Manual Initiation (Paragraph 4.17) - No provision exists for manual trip of the RPT circuit breakers.

The recirculation pump may be secured by tripping its respective variable frequency drive.

18. Access to Setpoint Adjustments, Calibration, and Test Points (Paragraph 4.18) - Administrative control of access to all setpoint adjustments, module calibration adjustments, and test points is maintained as described in Section 7.2.2.
19. Identification of Protective Actions (Paragraph 4.19) - Protective action is identified at the channel level by annunciation in the

main control room.

20. Information Read-Out (Paragraph 4.20) - White lamps illuminate to indicate the sensor open condition in conjunction with no bypass.
21. System Repair (Paragraph 4.21) - The system has been designed to facilitate the recognition, location, replacement, repair, or

adjustment of malfunctioning components.

7.6-58 HCGS-UFSAR Revision 23 November 12, 2018

22. Identification (Paragraph 4.22) - For methods of identification, refer to Section 8.3. 7.6.2.5.3.2 IEEE 379-1972, IEEE Trial Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems See discussion of IEEE 279-1971, Paragraph 4.2. 7.6.2.5.4 Implementation of Regulatory Guides The following is a discussion of implementation of those Regulatory Guides that apply specifically to the RPT system. 1. Regulatory Guide 1.22 (Safety Guide 22), Periodic Testing of Protection System Actuation Functions a. Main stop valve closure and turbine control valve fast closure may be accomplished one valve at a time for test purposes without causing pump motor trip. Sensor and logic test or calibration during power operation will not initiate pump trip. b. Both recirculation pump trip channels can be bypassed simultaneously. Indication of manual bypass is accomplished by annunciators. c. Circuit breakers can be tested and calibrated during the refueling outage. 2. Regulatory Guide 1.29, Seismic Design Classification - The RPT system is Seismic Category I and is designed to remain functional and perform its intended safety function in the event of an SSE. See Section 7.1.2.4. 7.6-59 HCGS-UFSAR Revision 0 April 11, 1988
3. Regulatory Guide 1.30, Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment - This Regulatory Guide is not a design basis for the RPT system. See Section 7.1.2.4 for an assessment. 4. Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - See discussion of conformance to IEEE 279-1971, Paragraph 4.13. No capability exists to manually actuate bypass indication without also actuating RPT channel bypass. 5. Regulatory Guide 1.53, Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems - See discussion of IEEE 279-1971, Paragraph 4.2. 6. Regulatory Guide 1.62, Manual Initiation of Protective Actions - See discussion of IEEE 279-1971, Paragraph 4.17. 7. Regulatory Guide 1.68, Initial Test Programs for Water Cooled Nuclear Power Plants - An assessment for conformance to this guide is given in Section 1.8. 8. Regulatory Guide 1.75, Revision 1, Physical Independence of Electric Systems - Channel independence is ensured by the use of physical separation, electrical independence, and mechanical barriers. See also Section 7.1.2.4. 9. Regulatory Guide 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants - See Sections 3.10 and 3.11. 10. Regulatory Guide 1.100, Seismic Qualification of Electric Equipment for Nuclear Power Plants - See discussion of seismic qualification in Section 3.10, and see Section 7.1.2.4 also. 7.6-60 HCGS-UFSAR Revision 0 April 11, 1988
11. Regulatory Guide 1.105, Instrument Setpoints - This Regulatory Guide is not a design basis for the RPT system. However, for an assessment of design compliance with the Regulatory Guide, refer to Section 7.1.2.4. 12. Regulatory Guide 1.118, Periodic Testing of Electric Power and Protection Systems - This Regulatory Guide is not a design basis for the RPT system. However, for an assessment of design compliance with the Regulatory Guide, refer to Section 7.1.2.4. 7.6.2.6 Main Steam Safety/Relief Valves - Analysis The SRVs are seismically qualified and their pilot solenoid valves receive power from Division 2, with the exception that one of the low-low set relief SRVs receives power from Division 4. The SRVs can be initiated manually or automatically upon reaching their trip setpoints. The mechanical spring actuated portion of the SRVs assures meeting the design basis relief function and mechanically, on a network basis, meet the single failure criterion. 7.6.2.7 Redundant Reactivity Control System 7.6.2.7.1 Conformance to General Functional Requirements The sensors, transmitters, trip units, and other assigned associated logic for the RRCS are Class 1E, separate and independent from the RPS, and environmentally qualified to expected ATWS conditions. The RRCS is diverse from the RPS. No credible common mode failure can prevent both normal scram and ATWS prevention or mitigation functions. The RRCS is designed to independently monitor reactor pressure and water level and to scram the reactor if these variables reach their respective trip setpoint. This scram is accomplished in the first few seconds after the trip by signals which cause rapid recirculation flow reduction and simultaneously 7.6-61 HCGS-UFSAR Revision 0 April 11, 1988 open the alternate rod insertion (ARI) valves venting the air supply holding the scram valves shut. Twenty five seconds after the RRCS trip additional core reactivity reduction is provided by a rapid termination (runback to 0 percent) of feedwater flow if the initiating signals include high pressure and core power is not downscale. Reactor high pressure is a symptom of loss of the primary heat sink and is indicative of vessel isolation. The RRCS recirculation trips and feedwater runback serve to reduce core power below the steam flow capability of the safety/relief valves prior to initiation of the SLC system. 7.6.2.7.2 Conformance to Regulatory Guides General exceptions to and positions taken on the regulatory guides, and the revision to the guide that is followed, are discussed in Section 1.8 and 7.1.2.4. Specific applications of selected guides to the RRCS instrumentation and controls are discussed in this subsection. 1. Regulatory Guide 1.6 - Revision 0, Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems - The RRCS electrically powered safety loads are separated into redundant load groups such that loss of any one group will not prevent the minimum safety functions from being performed. Division I RRCS logic is powered by 125 V dc from bus A division I. Division II logic is powered by 125 V dc from bus B division II. 2. Regulatory Guide 1.22 - Revision 0, Periodic Testing of Protection System Actuation Functions - The RRCS equipment is designed so that integrated system testing can be performed to verify overall system performance. 7.6-62 HCGS-UFSAR Revision 0 April 11, 1988
3. Regulatory Guide 1.29 - Revision 3, Seismic Design Criteria - The sensors, transmitters, trip units and associated logic for the RRCS are classified as Seismic Category I. The feedwater pump trip contacts are high quality but not necessarily safety grade. 4. Regulatory Guide 1.30 - Revision 1, Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment - See Section 7.1.2.4. 5. Regulatory Guide 1.32 - Revision 2, Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants - See Section 7.1.2.4. 6. Regulatory Guide 1.47 - Revision 0, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems - There is no RRCS bypass or operating bypass. The following annunciators are provided to communicate system status to the operating personnel in the main control room. a. RRCS Manual Initiation Enabled b. RRCS Potential ATWS (receipt of high pressure or low water level 2) c. Reactor Recirc Pumps Tripped d. RRCS FW Runback Initiated e. RRCS RWCU Isolation Initiated f. RRCS Confirmed ATWS (230 +/-5 second timer has timed out and APRM power is not downscale) g. SLC/RRCS Initiation Failure 7.6-63 HCGS-UFSAR Revision 0 April 11, 1988 Additional operator interface with the RRCS is provided by status lights in the main control room and at the RRCS remote control panels as follows. In the main control room (for each division): Manual Initiation Permissive (logic channel A) Manual Initiation Permissive (logic channel B) ARI Ready For Reset (logic channel A) ARI Ready For Reset (logic channel B) RRCS Ready For Reset (logic channel A) RRCS Ready For Reset (logic channel B) RRCS Logic A Trouble RRCS Logic B Trouble RRCS Channel A (B) Out of Service RRCS Manual Initiation ARI Initiated ARI Valve Open Feedwater Runback Initiated Test Fault (Essential Logic Failure) At the RRCS remote control panels (for each Division): High Dome Pressure Division 1 (Channel A) High Dome Pressure Division 1 (Channel B) Low Water Level 2 Trip Division 1 (Channel A) Low Water Level 2 Trip Division 1 (Channel B) RRCS Potential ATWS Division 1 RRCS RWCU Isolated Division 1 RRCS Confirmed ATWS Division 1 RRCS ATM Calibration or Gross Failure Division 1 RRCS Trouble Division 1 RRCS Recirculation Pumps Tripped Division 1 Analog indication of SLC tank level is also provided in the main control room. 7.6-64 HCGS-UFSAR Revision 0 April 11, 1988
7. Regulatory Guide 1.53 - Revision 0, Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems - The RRCS meets the requirements of IEEE 279-1971 and IEEE 379-1972 (see 7.6.2.7.4). 8. Regulatory Guide 1.62 - Revision 0, Manual Initiation of Protective Actions - Means are provided for manual initiation of the RRCS protective actions. The RRCS ARI function and, after time delays, the SLC system are initiated upon depression of the RRCS manual initiation pushbutton switches. The RRCS recirculation pump trip, and feedwater runback are not initiated by manual initiation of RRCS. These may be manually initiated at the respective system control panels using system breaker control switches. The SLC system can also be initiated using SLC system pump control switches. 9. Regulatory Guide 1.68 - Revision 0, Initial Test Programs for Water Cooled Nuclear Power Plants - See Section 1.8. 10. Regulatory Guide 1.75 - Revision 1, Physical Independence of Electric Systems - The RRCS meets Regulatory Guide 1.75. For methods of compliance with conditions involving the physical independence of electrical systems, see Section 8.3.1.4. 11. Regulatory Guide 1.89 - Revision 0, Qualification of Class 1E Equipment for Nuclear Power Plants - The RRCS Equipment is qualified to meet IEEE 323-1974 and IEEE 344-1975. 12. Regulatory Guide 1.100 - Revision 1, Seismic Qualification of Electric Equipment for Nuclear Power Plants - The RRCS equipment is qualified to meet IEEE 344-1975. 7.6-65 HCGS-UFSAR Revision 0 April 11, 1988
13. Regulatory Guide 1.105 - Revision 1, Instrument Setpoints - Instrument setpoints (accuracy, margin and drift) for reactor power, water level and pressure are described in the plant Technical Specifications, Section 16. 14. Regulatory Guide 1.118 - Revision 1, Periodic Testing of Electric Power and Protection Systems - The RRCS is continually checked by a solid state microprocessor based self-test which is part of the analog trip units. This system checks the RRCS sensors, logic, protective devices and itself. 7.6.2.7.3 Conformance to 10CFR50 Appendix A, General Design Criteria General Design Criteria (GDC), established in Appendix A of 10CFR50, which are generally applicable to all safety-related systems, are discussed in Section 3.1. Those with specific impact on the RRCS are described in this section. 1. GDC 1 Through 5, 13 and 19 - See Section 7.1.2.2. 2. GDC 20, Protection System Functions - The RRCS is completely automatic. 3. GDC 21, Protection System Reliability and Testability - The RRCS is designed for high functional reliability and its logic can be tested for the safety functions to be performed. No single failure in this two divisional, four channel protection system will result in the loss of the protective functions. 4. GDC 22, Protection System Independence - The RRCS is a two division class 1E system separate and diverse from the RPS. It has functional diversity via ARI, RPT, and feedwater runback. 7.6-66 HCGS-UFSAR Revision 0 April 11, 1988
5. GDC 24, Separation of Protection and Control Systems - The RRCS protection system interfaces with control systems through isolation devices. Specifically, the RRCS signals to the recirculation system pump and the signal to the feedwater control system to initiate runback both pass through isolators. This assures that electrical failures in the control systems cannot propagate back into the RRCS system and therefore cannot prevent other channels in the RRCS divisions from performing their protective functions. 6. GDC 29, Protection Against Anticipated Operational Occurrences - The RRCS is highly reliable because it is redundant, Class 1E, functionally diverse and has a continuous self-test capability. 7.6.2.7.4 Conformance to IEEE Standards 7.6.2.7.4.1 IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations 1. General Functional Requirement (Paragraph 4.1) - The RRCS will automatically initiate the appropriate protective actions whenever signals of reactor high pressure or low water level 2 are received. These actions include tripping of the reactor recirculation pump motors breaker, initiating a feedwater runback and RWCU system isolation, and initiation of the SLC system as necessary. 2. Single Failure Criteria (Paragraph 4.2) - The RRCS is two divisional with two logic channels (A and B) in each division. The RRCS protective action will be initiated when both logic channel A and B in either division are tripped. Different water level and pressure sensors feed each of the four channels of trip logic. Trip signals to trip the reactor recirculation pump act on duplicated breaker trip circuitry. The feedwater runback, RWCU system isolation, and the SLC system are all capable of 7.6-67 HCGS-UFSAR Revision 0 April 11, 1988 being initiated from either division. In this manner any single failure within RRCS cannot prevent the protective actions at the system level from taking place. 3. Quality of Components and Modules (Paragraph 4.3) - RRCS components and modules, and equipment in non-Class 1E systems supporting the RRCS (such as the reactor recirculation system pump motor breaker ATWS trip coils), are Class 1E electrical, suitable or and consistent with the low failure rates required for nuclear power station safety-related equipment, except as noted below. High quality, although not necessarily safety-grade equipment shall be used to meet the feedwater control runback ATWS reliability requirements. 4. Equipment Qualification (Paragraph 4.4) - Type test data or reasonable engineering extrapolation based on test data is available to verify that the RRCS can meet its performance requirements on a continuing basis. 5. Channel Integrity (Paragraph 4.5) - RRCS channels and components meet the necessary functional requirements of the environmental conditions for components described in Section 3.11. 6. Channel Independence (Paragraph 4.6) - Each channel, A and B, of each division of logic is independent and physically separated from the other channel. Separate sensors provide signals of reactor pressure and water level for each channel of each division. Signals are routed through separate cabling to separate analog trip modules (ATMs) and RRCS logic. Actuation signals also travel to the trip actuated devices via divisionally separated cabling. The design effectively decouples the effects of unsafe environmental factors, electrical transients, and physical accident consequences. 7.6-68 HCGS-UFSAR Revision 0 April 11, 1988
7. Control and Protection System Interaction (Paragraph 4.7) - The transmission of signals from RRCS protection system equipment for control system use is accomplished through isolation devices which are classified as part of the protection system and meet all the requirements of this standard. No credible failure at these isolators will prevent the associated protection system channel from meeting its design requirements. 8. Derivation of System Inputs (Paragraph 4.8) - The RRCS system inputs, reactor pressure, and water level, are derived from pressure and level transmitters that produce signals that are to the extent, feasible and practical, direct measures of these desired variables. 9. Capability for Sensor Checks (Paragraph 4.9) - The RRCS self-test unit automatically checks the RRCS level and pressure sensors. The automatic check determines if the sensor output is downscale, within normal operating bounds, or too high. If the sensor output is found to be abnormal, an alarm is sounded. The sensor's output can be observed and compared at the middle bay of the RRCS cabinet where the analog trip module diagnostic display is mounted. 10. Capability for Test and Calibration (Paragraph 4.10) - Each RRCS sensor provides input to an analog trip module (ATM). The ATM electronically monitors the incoming sensor signal level and provides the appropriate output to the RRCS logic if that sensor signal level goes beyond its trip setpoints. Sensor signal level can be read at the ATM and compared to the known characteristics of the transmitter. Trip setpoint can be adjusted at the ATM, and the operability of this trip module is checked repeatedly by the RRCS self-test unit. 7.6-69 HCGS-UFSAR Revision 0 April 11, 1988 RRCS sensors, logic, timers, and actuated devices are continuously checked by the RRCS self-test unit, meeting paragraph 4.10. 11. Channel Bypass or Removal From Operation (Paragraph 4.11) - The RRCS is designed such that portions may be removed from service for maintenance or testing without initiating the RRCS protective actions at the system level. Removal of portions of the RRCS for service will not result in protective actions because the system is normally deenergized. 12. Operating Bypasses (Paragraph 4.12) - There is no operating bypass affecting the RRCS. 13. Indication of Bypasses (Paragraph 4.13) - There is no manual bypass of the RRCS. 14. Access to Means for Bypassing (Paragraph 4.14) - The RRCS cannot be manually bypassed. 15. Multiple Setpoints (Paragraph 4.15) - There are no multiple setpoints applicable to the RRCS. 16. Completion of Protective Action Once It Is Initiated (Paragraph 4.16) - The RRCS protective actions are sealed in by the solid state logic. The RRCS ARI function cannot be reset for thirty seconds after its initiation. This assures that the scram will go to completion because the ARI valves are designed to vent the scram air header to cause insertion of all rods to begin within 15 seconds. All other RRCS protective actions cannot be reset for at least 10 minutes after the SLC system has been initiated. Since their reset requires APRM power to be downscale, this assures that the 7.6-70 HCGS-UFSAR Revision 0 April 11, 1988 insertion of negative reactivity function of RRCS will also go to completion. Operator control of the feedwater control system can be regained 30 seconds after initiation of the RRCS feedwater runback, independent of APRM power. Since the runback is designed to bring feedwater flow to 0 percent within 15 seconds, this protective function will also go to completion. 17. Manual Initiation (Paragraph 4.17) - The RRCS can be manually initiated by depressing the manual initiation pushbutton switches. The manual initiation signal is immediately sealed into the RRCS ARI logic and the RRCS SLC logic. 18. Access to Setpoint Adjustments (Paragraph 4.18) - The design of RRCS permits the administrative control of access to all setpoint adjustments, module calibration adjustments, and test points via enclosing the ATMs and logic in keylocked cabinets. 19. Identification of Protective Actions (Paragraph 4.19) - RRCS protective actions are indicated and identified down to the channel level by status lights and annunciators. 20. Information Readout (Paragraph 4.20) - The RRCS provides the operator with pertinent information as to its condition via status lights and annunciators. This includes indication of the various stages of the RRCS logic actuation such as recirculation pump trip, feedwater runback, SLC system initiation, and both potential and confirmed ATWS. An RRCS trouble annunciator is provided to signal a test fault, ATM in calibration or gross failure, or any of several RRCS logic state changes. Loss of power to RRCS is signaled by the RRCS Out of Service annunciator. 7.6-71 HCGS-UFSAR Revision 0 April 11, 1988
21. System Repair (Paragraph 4.21) - The RRCS system is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules. The use of the ATM facilitates the calibration, adjustment, or repair of the trip system. The modules are plug-in units which can be easily replaced. RRCS logic is separated by division and channel onto individual cards which can be easily replaced by spares. 22. Identification (Paragraph 4.22) - The RRCS protection system equipment is identified distinctively as being in the protection system, and its equipment is marked to clearly indicate divisional separation. Panels are labeled with distinctive marker plates. 7.6.2.7.4.2 IEEE 308-1974, Criteria for Class 1E Power Systems for Nuclear Power Generating Stations See Section 8.3. 7.6.2.7.4.3 IEEE 323-1974, Qualifying Class 1E Equipment for Nuclear Power Generating Stations The RRCS is in conformance with IEEE 323 as shown in Section 3.11.2. 7.6.2.7.4.4 IEEE 338-1975, Periodic Testing of Nuclear Power Generating Stations RRCS compliance with IEEE 338 is demonstrated in Section 7.6.1.7.2, ATM self-test capability, and in Section 7.6.2.7.4.1, paragraphs 4.9 and 4.10. 7.6-72 HCGS-UFSAR Revision 0 April 11, 1988 7.6.2.7.4.5 IEEE 344-1975, Seismic Qualifications of Class 1E Equipment The RRCS is qualified for seismic events as shown in Section 3.10. 7.6.2.7.4.6 IEEE 379-1972, IEEE Trial - Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems RRCS signal separation, cabinet separation, use of isolation circuitry, and number of channels per trip system are methods used to meet the single failure criterion. The RRCS self-test system eliminates non-detectable failures by continually checking RRCS sensors, logic, and trip devices. 7.6.2.7.4.7 IEEE 384-1974, Independence of Class 1E Equipment and Circuits The RRCS meets IEEE 384 as discussed in Section 7.1.2.3. The RRCS meets Regulatory Guide 1.75 as discussed in Section 7.6.1.7.2. Physical independence of electrical systems is discussed in Section 8.3. 7.6.2.8 Safety System/Nonsafety System Isolation - Analysis For a discussion on implementation of GDC, IEEE-279, and Regulatory Guides for SSNSSI, refer to Section 7.3.2. 7.6-73 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • Trip Function IRM upscale scram IRM inoperative(!) IRM upscale alarm IRM downscale IRM bypassed TABLE 7.6-1 IRM SYSTEM TRIPS Trip Action Reactor scram signal, annunciator display Reactor scram signal, annunciator display Rod block, annunciator display Rod block (exception on most sensitive scale), annunciator display Display (1) IRM is inoperative if module interlock chain is broken, "operate-calibrate" switch is not in "operate" position, or detector polarizing voltage is low . 1 of 1 HCGS-UFSAR Revision 0 April 11, 1988 TABLE 7.6-2 APRM SYSTEM TRIPS Trip Function Trip Point Range Action

APRM upscale Setpoint varied Rod block, annunciator, alarm with flow, slope display adjustable, inter- cepts separately adjustable

APRM-Simulated Setpoint varied Reactor scram signal, Thermal Power with flow, slope annunciator display High adjustable, intercepts separ- ately adjustable

Neutron Flux High

< 17% Reactor scram signal, (Setdown) annunciator display

Neutron Flux High

< 118% Reactor scram signal, annunciator display APRM (1) Reactor scram signal, Inoperative rod block annunciator, D isplay 2-Out-of-4 Voter NA Reactor scram signal, annunciator display OPRM - Upscale NA Reactor scram signal, a nnunciator display

1 of 2 HCGS-UFSAR Revision 23 November 12, 2018

TABLE 7.6-2 (Cont) (1) APRM INOP is driven by any of the following:

a) A Critical Self

-test fault is detected in the APRM instrument.

c) The firmware/software watchdog timer has timed out d) Loss of input power to the APRM

2 of 2 HCGS-UFSAR Revision 23 November 12, 2018

TABLE 7.6-3 LPRM SYSTEM TRIPS Trip Function Trip Point Range Trip Action LPRM 2 percent to full A nnunciator downscale scale LPRM 2 percent to full Annunciator upscale scale LPRM bypass Manual APRM averaging compen- bypass sation

1 of 1 HCGS-UFSAR Revision 23 November 12, 2018

  • *
  • TABLE 7.6-4 HIGH PRESSURE/LOW PRESSURE SYSTEM INTERLOCKS INSTRUMENTATION SPECIFICATIONS Function Instrument RHR shutdown Pressure cooling isolation transmitter pressure high LPCI injection Pressure valve pressure transmitter high Core spray in-Pressure jection valve transmitter pressure high HCGS-UFSAR Instrument Range 0-1500 psig 0-1000 psig 0-1200 psig 1 of 1 Number of Channels 4 4 2 Revision 0 April 11, 1988 TABLE 7.6-5 LEAK DETECTION SYSTEM INSTRUMENTATION SPECIFICATIONS
  • Instrument Number of Function Instrument Range Instruments RCIC turbine Pressure 0 -30 psig 4 diaphragm transmitter exhaust pressure high HPCI turbine Pressure 0 -30 psig 4 diaphragm transmitter exhaust pressure high RCIC ventilation Differential 0 -150°F 2 pump room high temperature
  • differential switch temperature RWCU equipment Differential 50 -150°F 12 area high temperature differential switch temperature RWCU equipment Temperature 50 -350°F 12 area ambient switch temperature high RCIC equipment Temperature 50 -350°F 3 area ambient switch temperature high
  • 1 of 3 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • TABLE 7.6-5 (Cont) Function Instrument RCIC pipe routing Temperature area ambient temperature high RCIC torus compartment area temperature high Main steam line switch Temperature switch Temperature tunnel temperature switch high Main steam line Differential tunnel differential switch temperature high RHR area ambient temperature high HPCI ventilation Temperature switch Differential pump room differ-temperature ential temperature switch high RCIC turbine steam supply flow high HPCI turbine steaa supply flow high Differential pressure transmitter Differential pressure transmitter Instrument Range +/-300 in. w.g. +/-500 in. w.g. 2 of 3 HCGS -UFSAR. Number of Instruments 2 6 1 1 2 2 2 2 Revision 0 April 11, 1988
  • *
  • TABLE 7.6-5 (Cont) Function Instrument RHR equipment area Differential differential temperature high Main steam line ambient tempera-ture high RWCU differential flow high HPCI equipment area ambient temperature high temperature switch Temperature switch Differential flow comparator Temperature switch HPCI pipe routing Temperature area ambient switch temperature high HPCI torus compartment area temperature high RCIC steam supply pressure low Temperature switch Pr *essure transmitter HPCI steam supply Pressure pressure low transaitter Instrument 0 -80 gpm 0 -200 psig 0 -200 psig 3 of 3 HCGS-UFSAR Number of Instruments 2 16 2 3 2 6 4 4 Revision 0 April 11, 1988 RRCS Initiation Signal Immediate Reactor High Pressure Reactor Water Low Level 2 MaRJBl Initiation ARI Rec i rc Pt.l'rf) Motor Trip Start 30, 25, ard 230 :!: 5 sec timers ARI Start 9, 30, and 230:!: 5 sec timers ARI Start 30 and 230 :!: 5 second timers
  • SLC, FW, Runback, RPT Reset HCGS-UFSAR 9 Seconds After InitiaUon Recirc Pulp Motor Trip TABLE 7.6-6 RRCS TRIP LOGIC RESPONSE -RRCS LOGIC RESPONSE -After 25 Seconds Ard APRM Not Downscale FW Runback 30 Seconds After Initiation ARI reset permissive available ARl reset permissive available ARI reset permissive available 1 of 1 After 230 + 5 Secords ard APRM Not Downscale 10 Minutes After 230 + 5 Sec Timer times out SLC system initiation SLC* reset possible RWCU isolated if initiation 10 minute signals have timer started cleared SLC system initiation SLC* reset possible RWCU isolation if initiation 10 minute signals have timer started cleared SLC system initiation SLC* reset possible RWCU isolation if initiation 10 minute signals have timer started cleared Revision 3 April 11, 1991 TABLE 7.6-7

This Table has been deleted

1 of 1 HCGS Revision 23 November 12, 2018

SRM lAM LPRM APRM OPERATION 1014

  • z g -100 u -... "<
  • a: 1-w to'3 -r-f[ a: -I"'-w !: 0 a.. -10 1012 ----_..._ -' z 0 0 w > ;: 1-C) .5 to11 -(J cr z w )( < Cl) Ct < ::1 .-w -0.1 _, w > % a: _, z _, 0 :>> c: ..... a: 1010 w w z 0.01 0 ...J -a.. --=:: -r-t-z c:: w ..... u X a: w a.. 1.1.1 109 -._ -o 10-3 < -a: w > * "< soB ---10-* a.. 0 :J w .-c: a: .::: w t-IJ') Cl) 107 2 > ,o-5 _, -106 -to-6 105 ------SOURCe REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION
  • RANGES OF NEUTRON MONITORING SYSTEM UPDATED FSAR FIGURE 7.6-1 Figure F7.6-2 SH 1-2 intentionally deleted. Refer to Vendor Technical Document PN1-C51-1010-0028 for both sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014
  • *
  • MOTOR FLEXIBLE CABLE POSITION SWITCHES DRIVE CONTROL MONITOR CIRCUITRY REVISION 0 APRIL 11. 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION DETECTOR DRIVE SYSTEM UPDATED FSAR FIGURE 7.6-3 c: )> 0 ., en )> :::tl ., G') c :a m ...., en .Ia * ., c z 0 -z :::0):11 S:r om ::1:1 ):110 zn ZA me r-l:>> C) :x1 I :z:"'CC gC: rn!::; nn :a en rnrn rn::a :1111:< zn c: rn nm t""'r-rnm C'):D rn-Zn rn> ::aZ )ICI :::!C':I Zl> C')t:n c:nn -tO ->ill: -t"'CC -,. Clz 2< :u< r?!i ... o .;-"2 ... o I +24V REMOTE DRIVE CONTROL
  • MODULE INTERLOCKS
  • OPERATIONAL AMPLIFEA } REMOTE . LOCAL <0---+}TFUP D OUTPUT .UPSCALE I .
  • tHI-HI)TAIP.ON LEVEL LOCAL LAMP o-+-}TRIP C OUTPUT UPSCALE I I
  • IHI) ALARM ON Lf;:VEL LOCAL LAMP o--}TRIP B OUTPUT DOII\INSCALE ALARM ON LEVEL LOCAL LAMP o---+} TRIP OUTPUT I I
  • INSTRUMENT INOPERATIVE C 2000 PS E G N u c l ea r , LL C. A ll R i gh t s R e s e r v e d.Upd a t e d FS A R PS E G N u c lea r, LL C Hop e C ree k N u c lea r G e n e r ating S t ation HO P E CREE K NU CLE A R G E N E R A T I NG S T A T ION A P R M C I RC U I T A RRANG E M E N T- F igu r e 7.6-5 R E A C T O R P R O TE C T ION S Y S TE M I N P U T R e v i s ion 23, NOV 12, 2018
  • *
  • PRESSURE VESSEL TIP CALIBRATION TUBE LPRM DETECTOR -,,___ FUELBUNOLE CONTROL ROO BLADE .... ( ' I t I I I -I_. t I J I I 1 I I I 1. I . I I I I I I I I I I : """-"".....__ REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION POWER RANGE MONITOR DETECTOR ASSEMBLY LOCATION UPDATED FSAR FIGURE 7.6*6 Figure F7.6-7 SH 1-7 intentionally deleted. Refer to Vendor Technical Document PN1-C51-1020-0029 for all sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.6-8 SH 1-9 intentionally deleted. Refer to Vendor Technical Document PN1-C22-1030-0052 for all sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 c -o 0 )> -i m 0 ., Cf.l )> ::tl ., G') c ::tl m -..J e:n ch BACKUP SCRAM VALVf5 -ENERGIZE TO VENf LINE + F.liOA INSTRUMENT AIR ., (") ::t -"" = onZ m!:: £:;: -4 mm ::tl::tl(l) m::a oml> :=-::::;: r-O'"" zn m c:m cnC-4 (I) >n -4 )> )> :a -t m2z e1=:! 3::-4)> )>:;or-m> :em-< -tm < (") (I) 2 l> )>-4::C men r-< m <-(:3 l>S: m-4 """"" (1)-(::tl -1 2< l'>:rl 'Um :rJ< ;::(;) .... iS ..... z .,IQ c.o co co F111 R PS SIGNAL AR\ VALVE'S Ef\\ERGIZE TOVElJ.T LINE EXH EXH + 4 FJ.G;O 8 Fl"O A fll <t'" RRCS DIV1 I ..... .... EXH RRCS DIV2 I ..,. .... EXH TO HCU BANK B TO J-ICU BANK A RRCS DIV 2. EXH L1 TO F"OIO 5DV DRAIN VAL\JE ND .... RRC5 D\Vt EXH Fl<D3A EXH ND I:V' ... IGJ3B RRC5 DIV2 1"0 FOll SDV VENT VAL'JE r --------------------------------------_,_--FROM AC POWER SUPPL. Y 1AD483 (SEE FJG.S.3*11,SHT. 3) t NON-CLASS IE UPS SYSTEM FfD1 rc, POWER SlPPL Y 180483 <SEE FIG. 8.3 .. 11, SHT. 3) 120V f£ OIST.Pft. IBJ483 EPA SOLID.sTATE PROTECTIVE CIRCUITRY POWER RANGE NMS BUSA 10C608 CLASS'E NON-ESSENTIAL POWER NON-DIVISIONAL SAFETY RELATED SYSTEM J EPA SOLID-6TATE PROTECTIVE CtRC:UlTRY POWER RANGe NMS BUSB 100608 I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I R 16 M 15 2008 8VlSJOn ' ay ' Creek Nuclear Generoti'SL,Station PSEG Nucleart LLC ELEC RICAL PROTECTION ASSEM IES <EPAs> IN THE POWER RANGE NEUTRON MONITORING SYSTEM HOPE CREEK NUCLEAR GENERATING STATlON Updated FSAR Figure 7.6 .. 10
  • *
  • PREVIOUS DESIGN TORPV NTSP=730 MO dPIS AUTOLOCA OR MANUAL ........ ..--dPT N058 : ................................................................................... -----------*-********--*-; CURRENT DESIGN TORPV NTSP=450 MO PIS AUTOLOCA OR MANUAL *************************** ........ PT N0 58 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION Updated FSAR HOPE CREEK LPCI PRESSURE INTERLOCK Revision 7. December 29. 1995 Figure 7.6-11

. THIS FIGURE HAS -* BEEN DELETED. e PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK GENERATING STATION e HOPE CREEK LPCI PRESSURE INTERLOCK UPDATED FSAR REVISION 1. APRIL 11. 1989 FIGURE 7.8*12 TRIP SYSTEM A TRIP LOGIC At A2 TRIP SYSTEM B TRIP LOGIC Bl, B2 BAY 1 BAY 2 BAY 3 BAY 4 BAY 5 FIBER OPTICS --------------------------------------/ / ,...----------r---_..,._ ----------r--" / / ' OPRM I I OPRM OPRM APRM OPRM APRM E Cl LPRM A RBM B AI APRM A cz c A2 (WER AN!J :OW .... .... -D ........ .... ............. *NA R-A2 \_1 +/ +7 !BAY 5l L -NO R-Al FU-C R-A2 FU-C POWER AND FLOW R-AZ FU-A FROM APRM E TO OPRM Cl FU-C POWER AND FLOW R BZ SIFU-0 FU-8 FU-B POWER R-B2 TO OPRM 02 \;* FU-8 T"" -NB FROM APRM BAY ll / L -NO, .--/ ..,-" ;' _,"' I I ---OPRM APRM F OPRM / OPRM / OPRM LPRM 81 Dl .... APRM 0 82 J.e"' APRM B RBM A 02 8 ", ....... / / ' ;' / ' ' ------------------------__ / ' FIBER OPTICS / ' -------' // i I " / , ./ .... i PRM A .... ' l E:PRM 83 I J I FU -B APRM 0 FU -0 FU -C APRM C FU -A APRM F _I I APRM E ' ' _1_ I I I I F-ND F-NC F-NC F-NA 10-C-608 OPRM INTERCONNEC T10N 10-C -608 RPS IRl.e CHANNEl.. QlY LD8C APRM w I AI A.E X 2 81 B.F y 3 A2 C. E z 4 BZ D.F COLOR GREEN PURPLE BLUE ORANGE NEUTRON MONITORING SYS SEPERA HON CODE -Al/A2/A3/A4 N!IN2/N3/N4 RPS CHANNEL DRIVE SlGNAL S F -FLOW DRIVE SIGNALS L -LPRM SIGNALS R -RPS LOGIC lRPS OUTPUT FROM OPRMS NOT CONNECTED DURiNG THE OPERATING CYCLE FOLLOWING INS TALLATIONl FU-FLOW' UNrT SIGNALS PlB.t S(JMI ELECTRC JNJ CAS COI'Nff HOPE CREEK (It(RATNi STATION OPRM Locations and FSAR RevlSICII\ \ lllqCjS Ftg 7.6*13

7.7 CONTROL

SYSTEMS NOT REQUIRED FOR SAFETY 7.7.1 Description Section 7.7 describes instrumentation and controls of those major Plant Control Systems used for normal operation that are not relied upon to perform safety functions following anticipated operational occurrences or accidents. The systems include: 1. Reactor Manual Control System (RMCS) 2. Recirculation Flow Control System (RFCS) 3. Feedwater Control System (FCS) 4. Refueling interlocks (RI) 5. Pressure Regulator and Turbine Generator System (PRTGS) 6. Reactor Water Cleanup (RWCU) System 7. Area Radiation Monitoring Systems (ARMS) 8. Radwaste System 9. Fuel Pool Cooling and Cleanup System (FPCS) Refer to Table 7.7-1 for system design and supply responsibility and Table 7.7-2 for similarity to licensed reactors. 7.7.1.1 Reactor Manual Control System (RMCS) 7.7.1.1.1 RMCS Function The RMCS provides the operator with the means to make changes in nuclear reactivity via the manipulation of control rods so that reactor power level and core power distribution can be controlled. 7.7-1 HCGS-UFSAR Revision 0 April 11, 1988 This system is a power generation system, and is classified as not related to safety. The RMCS includes the interlocks that inhibit rod movement (rod block) under certain conditions. The RMCS does not include any of the circuitry or devices used to automatically or manually trip the reactor; these circuitry and devices are discussed in Section 7.2. In addition, the mechanical devices of the control rod drives (CRDs) and the CRD hydraulic system are not included in the RMCS. The latter mechanical components are described in Section 4.6.1. 7.7.1.1.1.1 System Power Sources The RMCS receives electrical power from the 120 V ac UPS system. 7.7.1.1.2 RMCS Operation The RMCS includes the following: 1. CRD control system 2. Rod block trip system 3. Rod position probes 4. Position indication electronics. Plant Drawings M-46-1 and M-47-1 show the schematic arrangement of the CRD hydraulic system. Vendor Technical Document PN1-C11-1030-0183 shows the component control logic for the CRD hydraulic system. The block diagram for the RMCS is shown on Vendor Technical Document PN1-C11-1050-0095. Although the figures also show the arrangement of scram devices, these devices are not part of the RMCS. Control rods are moved by water pressure, from a CRD pump, on the appropriate end of the CRD piston. The pressurized water 7.7-2 HCGS-UFSAR Revision 20 May 9, 2014 moves the piston, attached by a connecting rod to the control rod. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid operated valves are associated with each control rod to accomplish these actions. 7.7.1.1.2.1 CRD Control When the operator selects a control rod for motion and operates the rod insert or withdraw control switch, independent messages are formulated in the A and B portions of the CRD control system as shown on Figure 7.7-3. A comparison test is made of these two messages, and if identical results are confirmed, a serial message in the form of electrical pulses is transmitted to all hydraulic control units (HCUs). The message contains two portions: the identity or "address" of the selected HCU and operation data on the action to be executed. Only the addressed HCU responds to this message and proceeds to execute the rod movement commands. Upon receipt of the transmitted command signal, the responding HCU transmits an "acknowledge" message back to the main control room for comparison with the original command. The message contains: 1. Its own hard-wire identity "address" 2. Identification of the operation currently being executed 3. Status indication of valve positions, accumulator conditions, and test switch positions. In either rod motion direction, the A and B messages are formulated and compared each millisecond and, if they agree, are transmitted to the HCU selected by the operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are ac coupled. The system must operate in a dynamic manner to affect rod motion. 7.7-3 HCGS-UFSAR Revision 0 April 11, 1988 Any disagreement between A and B formulated messages or the responding echo message prevents further rod motion. Electrical noise disruptions have only a momentary effect on the system operation. On Figure 7.7-4, three action loops of the solid-state RMCS are depicted: 1. Loop A - The high speed loop (duration 200 microseconds) alternately: a. Commands the selected rod b. Either scans a rod for status information or directs a portion of a single HCU self-test. 2. Loop B - The medium speed loop (143 millisecond duration) alternately: a. Monitors the status of all rods b. Completes two seven step self checks of one HCU unit. 3. Loop C - The low speed loop (41 to 253 second duration) self-tests all HCUs one at a time to ensure correct execution of actions commanded. These tests are of such short duration that the valves do not move. The loop speeds given are only approximations intended to give the relative time required for these operations. The numerical values are approximations or rounded off values as follows: Loop A One test or scan word is 102.4 microseconds and one operator follow word is 102.4 microseconds. Since these are alternating words, the total time between initiation of test words during this phase is 204.8 microseconds. 7.7-4 HCGS-UFSAR Revision 0 April 11, 1988 This is approximately 200 microseconds. Loop B ACTION TIME REQUIRED (MICROSECONDS) A. Find AC peak 8504.8 B. 5 test words sent (5 x 102.4) 512.0 C. 5 scans (5 x 102.4) 512.0 D. Full scan (operator follow and scan word) 37888.0 E. Get first test ack word 204.8 F. Total for test "0" of 1st HCU 47621.6 G. Total (no errors) (3 x line F) 142864.8 This is approximately 143 milliseconds. Loop C ACTION TIME REQUIRED (MICROSECONDS) A. Test one rod 143000 B. Advance thru unused idents 1600 Subtotal 144600 C. Times 185 rods 26751000 D. Adv. thru unused idents/half cycles 8200 Total 26759200 E. Times 2 half cycles, equals 53518400 This is within the range of 41 to 253 seconds. Note: If the system detects errors as it performs its checks, additional checks will be done automatically, raising the total time for Loop C. If an HCU fails a test or the return digital word is altered by electrical noise, Loop B automatically performs additional self test checks. If these tests obtain satisfactory results, the loops proceed as usual, but if a preset number of errors are detected, the system stops all rod motion by removing the ac-power supply to the CRD control valves. Operator action is then necessary to restore the system to normal operation. The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the 7.7-5 HCGS-UFSAR Revision 11 November 24, 2000 selection circuitry to a no rod selection condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle. The self-test function can be placed in a manual mode of operation by means of the Test Address generator Manual/Auto switches on the Fault map card. In the manual test mode, a rod motion inhibit signal is sent to the Analyzer to prevent operator rod motion commands from being sent to the HCUs, and the Rod Bypassed indicator is illuminated on the Rod Select module. Only the rod location displayed on the Test Address indicator is being tested. The scan sub-loop is still active and HCU status data will continue to be updated and displayed in the control room. This mode can be used for diagnosis of self-test errors or to bypass multiple faults while maintaining other logic control outputs functional, such as refueling bridge interlocks. Likewise, the scan function can also be placed in a manual mode of operation by means of the Scan Address generator Manual/Auto control switches on the Fault map card. In the Manual Scan mode, a rod motion inhibit signal is sent to the Analyzer to prevent operator rod motion commands from being sent to the HCUs, and the Rod Bypassed indicator is illuminated on the Rod Select module. Only the rod location displayed on the Scan Address indicator is being polled and the self-test sub-loop is stopped. This mode can be used for diagnosis of self-test errors or to bypass multiple faults while maintaining other control logic outputs functional, such as refueling bridge interlocks. The direction in which the selected rod moves is determined by the position of four switches located on the main reactor control panel. These four switches, "insert," "withdraw," "continuous insert," and "continuous withdraw" are pushbuttons that return by spring action to a contact open position. 1. Rod motion insert cycle - The following is a description of the operation of the RMCS during the insert cycle. The cycle is described in terms of the insert, withdraw, and settle commands from the RMCS. With a control rod selected for movement, depressing the "insert" switch and then releasing the switch energizes the insert command for a limited time. Just as the insert command is removed, the settle command is automatically energized and remains energized for a 7.7-6 HCGS-UFSAR Revision 11 November 24, 2000 limited time. The insert command time setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The time setting results in a one notch (6-inch) insertion of the selected rod when the insert pushbutton is depressed. Continuous insertion of a selected control rod is possible by holding the "insert" switch down, as long as rod movement is within pattern constraints. A second switch can be used to cause continuous insertion of a selected control rod. This switch is the "continuous insert" switch. By holding this switch "in," the unit maintains the insert command in a continuous, energized state to cause continuous insertion of the selected control rod. When released, the timers are no longer bypassed and normal insert and settle cycles resume to time out and stop the drive. 2. Rod motion withdraw cycle - The following is a description of the operation of the RMCS during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle commands. With a control rod selected for movement, depressing the "withdraw" switch energizes the insert valves at the beginning of the withdrawal cycle to allow the collet fingers to disengage the index tube. When the insert valves are deenergized, the withdraw and settle valves are energized for a controlled period of time. The withdraw valve is deenergized before motion is complete; the drive then settles until the collet fingers engage. The settle valve is then deenergized, completing the withdraw cycle. This withdraw cycle is the same whether the "withdraw" switch is held continuously or momentarily depressed. The timers that control the withdraw cycle are set so 7.7-7 HCGS-UFSAR Revision 0 April 11, 1988 that the rod travels one notch (6 inches) per cycle. Provisions are included to prevent further control rod motion in the event of timer failure.

A selected control rod can be continuously withdrawn if the "withdraw" switch is held in the depressed position at the same time that the "continuous withdraw" switch is held in the depressed position. With both switches held in these positions, the withdraw and settle commands are continuously energized, and the selected rod will continuously withdraw until the buttons are released and the withdraw timer completes its cycle or a rod block is generated.

7.7.1.1.2.2 Rod Block Trip System

The rod block trip portion of the RMCS inhibits movement or selection of

control rods upon receipt of certain input signals.

A similar grouping of neutron monitoring equipment that is used in the Reactor Protection System (RPS) is used in the rod block circuitry.

Half of the total monitors, the source range monitor (SRM), intermediate range monitor (IRM), average power range monitor (APRM), and rod block monitor (RBM),

provide inputs to one of the RMCS rod block logic circuits and the remaining half provide inputs to the other RMCS rod block logic circuit. The recirculation flow upscale rod block trip signals are provided by the APRM. The scram discharge volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block logic circuits sense when the high water level reactor trip for the scram discharge volume is

bypassed.

The rod withdrawal block from the rod worth minimizer trip affects one rod

block logic circuit. The rod insert block from the rod

7.7-8 HCGS-UFSAR Revision 23 November 12, 2018

worth minimizer prevents both notch insertion and continuous insertion.

The APRM and RBM rod block settings are varied as a function of simulated thermal power (STP). Analyses show that the selected settings are sufficient to avoid both RPS action and control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. The rod block from the scram discharge volume high water level uses two non

-indicating float switches installed on each scram discharge volume. Two additional float switches provide main control room annunciation of increasing level before the rod block level is reached.

1. Rod block functions - The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in the following sections.

Vendor Technical Document PN1-C11-1050-0095 shows all the rod block functions on a logic functional control diagram. The rod block functions provided specifically for refueling situations are

described in Section 7.7.1.4.

a. With the mode switch in the "shutdown" position, no control rod can be withdrawn. This enforces compliance with the

intent of the shutdown mode.

b. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following

conditions:

(1) Any STP upscale rod block alarm - The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram

setting is reached.

7.7-9 HCGS-UFSAR Revision 23 November 12, 2018

(2) Any APRM inoperative alarm - This ensures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or correctly bypassed. (3) Scram discharge volume high water level - This ensures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level. (4) Scram discharge volume high water level scram trip bypassed - This ensures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service. (5) The rod worth minimizer (RWM) can initiate a rod insert block and a rod withdrawal block. The purpose of these functions is to reinforce procedural controls that limit the reactivity worth of control rods under lower power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed. (6) Not Used (7) Rod position information system malfunction - This ensures that no control rod can be 7.7-10 HCGS-UFSAR Revision 11 November 24, 2000 withdrawn unless the rod position information system is in service. (8) Either RBM upscale alarm - This function is provided to stop the erroneous withdrawal of a control rod so that local fuel damage does not result. Although local fuel damage poses no significant threat in terms of radioactive material released from the nuclear system, the trip setting is selected so that no local fuel damage results from a single control rod withdrawal error during power range operation. (9) Either RBM inoperative alarm - This ensures that no control rod is withdrawn unless the RBM channels are in service or correctly bypassed. c. With the reactor mode switch in the "run" position, any of these additional conditions initiates a rod block: (1) Any APRM downscale alarm - This ensures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the "run" mode. (2) Either RBM downscale alarm - This ensures that no control rod is withdrawn during power range operation unless the RBM channels are operated correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the "run" mode. 7.7-11 HCGS-UFSAR Revision 0 April 11, 1988 (3) Any APRM flow upscale alarm - This ensures that no control rod is withdrawn when the flow rate is unusually high. (4) Insufficient number of LPRMs

d. With the mode switch in the "startup" or "refuel" position, any of these additional conditions initiates a rod block:

(1) Any SRM detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This ensures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information.

(2) Any SRM upscale level alarm - This ensures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure

neutron flux.

(3) Any SRM downscale alarm - This ensures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level

monitoring.

(4) Any SRM inoperative alarm - This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is

available.

7.7-12 HCGS-UFSAR Revision 23 November 12, 2018

(5) Any IRM detector not fully inserted into the core - This ensures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available and correctly located. (6) Any IRM upscale alarm - This ensures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring RPS action (trip) in the event that a rod withdrawal error is made during low neutron flux level operations. (7) Any IRM downscale alarm except when range switch is on the lowest range - This ensures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the IRM is on scale if control rods are to be withdrawn. (8) Any IRM inoperative alarm - This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available. 2. Rod block bypasses - To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows: 7.7-13 HCGS-UFSAR Revision 0 April 11, 1988

a. One SRM channel
b. Two IRM channels (one on RPS bus A and one on RPS bus B) c. One APRM channel
d. One RBM channel.

The permissible IRM bypass is arranged in the same way as in the RPS. The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The

arrangement allows the bypassing of one IRM in each rod block logic circuit.

APRM channel provides its trip inputs to the four 2/4 logic modules. Outputs from one APRM channel can be bypassed by a single selector switch on the reactor control bench board in the main control room. Each 2/4 logic module is designed to receive a fiber optic bypass signal from the APRM bypass switch

indication from more than one APRM channel is received, none of the APRM inputs to the 2/4 logic modules will be bypassed and a trouble alarm will be generated

These bypasses are affected by positioning switches in the main control room.

A light in the main control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is affected as the neutron flux increases beyond a preset low level of the SRM instrumentation.

The bypass allows the detectors to be partially or completely withdrawn without receiving a detector wrong position rod block as a reactor startup is

continued.

An automatic bypass of the RBM rod block occurs when the power level is below a preselected level or when a peripheral control rod is selected. Either condition indicates that local fuel damage is not a threat and that RBM action is not required.

The rod worth minimizer (RWM) rod block functions are automatically bypassed

when reactor power

7.7-14 HCGS-UFSAR Revision 23 November 12, 2018

increases above a preselected value in the power range. The RWM can be manually bypassed for maintenance at any time. 7.7.1.1.2.3 Rod Position Probes The position probe is a long cylindrical assembly that fits inside the CRD. It includes 53 magnetically operated reed switches, located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive, and with it the control rod blade, moves along its length, the magnet causes reed switches to close as it passes over the switch locations. The particular switch closed then indicates where the CRD, and hence the rod itself, is positioned. The switches are located as follows: No. of Switches Switch Indication 1 Beyond full in 2 Full in at notch 00 23 Even notch positions 02-46 24 Odd mid-notch positions 01-47 2 Full out at notch 48 1 Overtravel beyond full out All of the mid notch or odd switches are wired in parallel and treated as one switch, for purposes of external connections, and the two full in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5 x 6 array (the switches short the intersection) and are routed out in an 11-wire cable to the processing electronics (the probe also includes a thermocouple which is wired out separate from the 5 x 6 array as shown on Figure 7.7-5). 7.7-15 HCGS-UFSAR Revision 17 June 23, 2009 7.7.1.1.2.4 Position Indication Electronics The position indication electronics consists of a set of probe multiplexer cards (one per four rod group), a set of file control cards (one per 11 multiplexer cards), and one set of master control and processing cards serving the whole system. All probe multiplexer cards are the same except that each has a pair of plug in daughter cards containing the identity code of one four rod group (the probes for the corresponding four rods are connected to the probe multiplexer card). The system operates on a continuous scanning basis with a complete cycle every 45 milliseconds. The operation is as follows: the control logic generates the identity code of one rod in the set, and transmits it using time multiplexing to all the file control cards. These in turn transmit the identity with timing signals to all of the probe multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the raw probe data for that rod back through the file control card to the master control and processing logic. The processing logic does several checks on the returning data. First, a check is made to verify that an answer was received. Next, the identity of the answering data is checked against that which was sent. Finally, the format of the data is checked for legitimacy. Only a single even position or, full in plus position 00, full out plus position 48, odd, overtravel, or blank (no switch closed) are legitimate. Any other combination of switches is flagged as a fault. If the data passes all of these tests, it is: 1. Decoded and transmitted in multiplexed form to the displays in the main control panel. 2. Loaded into a memory to be read by the computer as required. 7.7-16 HCGS-UFSAR Revision 0 April 11, 1988 As soon as the rod's identity is processed, the next rod's identity is generated and processed and so on for all of the rods. When data for all rods has been gathered, the cycle repeats. The RMCS is totally operable from the main control room. Manual operation of individual control rods is possible with a jog switch for control rod insertion, withdrawal, or settle. Rod position indicators, described below, provide the necessary information to ascertain the operating state and position of all control rods. Conditions that prohibit control rod insertion are alarmed with the rod block annunciator. 7.7.1.1.3 RMCS Control Room Displays The rod information display on the reactor control panel is patterned after a top view of the reactor core. The display is designed to allow the operator to acquire information rapidly by scanning. Across the face of the full core display are marks indicating the location of the rods in the core. Next to each mark are several indicators that illuminate to indicate specific conditions associated with the rod. These indicators are as follows: Indicator Lamp Color Meaning XX-YY White Rod selected Drift Amber Rod is drifting Accum Amber Accumulator trouble Trip Blue Scram valves have opened Full in Green Rod is full in Full out Red Rod is full out During operation, all rods either fully withdrawn or fully inserted are indicated on the full core display with full in or full out lights. In addition to the indication on the full core display, a drifting rod is indicated by an alarm and red light in the main control room. The rod drift condition is also monitored by the plant computer. 7.7-17 HCGS-UFSAR Revision 19 November 5, 2012 Surrounding every group of four rods on the full core display are four local power range monitors (LPRM) displays. LPRM displays. Each display consists of an amber LPRM upscale and a white LPRM downscale indicator for each detector, A, B, C, and D level, in that particular LPRM string. In non-peripheral regions of the core, the volume within the perimeter of the square formed by four LPRM strings contains four control rods. This is represented by another display using four digital windows displaying the notch position of four rods inside four LPRM strings. The selected rod determines which group of four rods is displayed. When a rod is selected, the digital window corresponding to the selected rod is backlit, and the backlit window indicates the selected rod's position. The other three rods of the four rod group have their notch positions displayed in the digital windows in the same geometric arrangement as exists between those four rods in the core. Rod groups at the periphery of the core may have less than four rods. When the selected rod is a member of a group with less than four rods, the rod positions are displayed as before and the digital window corresponding to a rod that does not exist remains blank. The operator can also obtain a computer printout of all rod positions. On either side of the four rod position display are eight meters indicating the readings of the 16 LPRMs surrounding the core volume containing the selected rod. These 16 LPRM displays permit the operator to monitor changes in local flux around each rod as it is moved. By changing the selected rod, the operator can examine the flux at each LPRM in the core. If a rod drive piston moves to the overtravel position, an alarm is sounded in the main control room. This provides a means to verify that the drive-to-rod coupling is intact because, with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position. 7.7-18 HCGS-UFSAR Revision 0 April 11, 1988 The CRD control system provides data for display to the selected rod identification, accumulator trouble, and rod scram indicators. The LPRM high and low flux levels and the 16 LPRM readings are provided by the power range NMS. The remaining information to the displays and the position information for the plant computer are provided by the rod position information subsystem of RMCS. The following main control room display lights or CRT displays are provided to allow the operator to know the conditions of the CRD hydraulic system and the control circuitry: 1. Stabilizer valve selector switch position 2. Insert command energized 3. Withdraw command energized 4. Settle command energized 5. Insert and withdraw blocks 6. Continuous withdrawal 7. Pressure control valve position 8. Flow control valve position 9. Drive water pump low suction pressure (alarm and pump trip) 10. Drive water filter high differential pressure (alarm only) 11. Charging water (to accumulator) low pressure (alarm only) 12. CRD hydraulic high temperature (CRT display) 7.7-19 HCGS-UFSAR Revision 19 November 5, 2012

13. Scram discharge volume not drained (alarm only) 14. Scram pilot valve air header high/low pressure (CRT display) 15. CRD system flow 16. Scram discharge volume vent and drain valve position 7.7.1.1.4 Environmental Consideration The RMCS (control and position indication circuitry) is not required for any plant safety function, nor is it required to operate during any associated design basis accident (DBA) or transient occurrence. The RMCS circuitry is required to operate only in the normal plant environments during normal power generation operations. The CRD HCUs are located outside the drywell in the Reactor Building, with the environmental conditions described in Section 3.11. The logic, control units, and readout instrumentation are located in the main control room, with the environmental conditions described in Section 3.11. The CRDs and position detectors are located beneath the reactor vessel in the drywell. The normal design environments encountered in these areas are described in Section 3.11. 7.7.1.1.4.1 Setpoints The RMCS has no safety setpoints. 7.7-20 HCGS-UFSAR Revision 0 April 11, 1988 7.7.1.1.5 Rod Worth Minimizer (RWM) Subsystem to the RMCS The RWM operation reduces the consequences of the postulated rod drop accident to an acceptable level by constraining control rod movement to predetermined patterns and sequences. See Section 4.3 for a description of the permissible control rod withdrawal sequences. 7.7.1.1.5.1 RWM Inputs and Outputs For the RWM to perform its constraining function, it receives inputs from the following sources: 1. The Rod Position Information System (RPIS) - The RPIS communicates the numerical position of each rod, its "full in" or "full out" status. 2. The RMCS Rod Drive Control System (RDCS) - The RDCS communicates the identity of the selected rod. 3. Main Steam Flow - The main steam flow signal is used as a permissive for the RWM blocking and alarm functions. Above a certain power level, as indicated by the main steam flow, the RWM rod blocks are not necessary and are automatically bypassed. 4. The Reactor Engineer programs the RWM with the rod sequence which will be used by the operator to withdraw or insert control rods. 7.7-21 HCGS-UFSAR Revision 11 November 24, 2000
5. Operator display selections - These selections determine what information the RWM will display. The RWM provides the following outputs: a. Two interlocks to the RDCS (1) Rod insert permission (2) Rod withdrawal permission b. RWM indications (1) Rod insert block (2) Rod withdrawal block (3) Insert and Withdraw Errors (4) Power level below or above the LPSP (5) Rod Group Selected All signals leaving or entering the Process Computer, RPIS, and RDCS are buffered to minimize the chance of failures within one system adversely affecting another. 7.7.1.1.5.2 RWM Equipment 7.7.1.1.5.2.1 RWM Program The RWM is a stand-alone unit which contains the RWM program. Reactor Engineering accesses the RWM program from the RWM unit and programs in a rod by rod sequence derived from the Banked Position Withdrawal Sequence (BPWS) or an improved version such as the Reduced Notch Worth Procedure. 7.7-22 HCGS-UFSAR Revision 11 November 24, 2000 7.7.1.1.5.2.2 RWM Operator's Display The operator's display is a small front panel mounted unit that includes readouts and controls necessary for normal operation of the RWM. It includes individual indicators for rod inhibits such as "insert block" and "withdraw block," and a two digit digital display of the rod group selected. The operator's display also includes indication of up to two "insert errors" and one "withdraw error." 7.7-23 HCGS-UFSAR Revision 9 June 13, 1998 7.7.1.1.5.3 Environmental Considerations This system is designed to meet the environmental conditions for the main

control room described in Section 3.11.

7.7.1.1.5.4 RWM Functions

The RWM is designed primarily to mitigate the consequences of the postulated rod drop accident, which analysis shows to be of no concern at power levels in excess of 8.5 percent rated thermal power. Mitigation is achieved by constraining control rod movements by the operator to predetermined patterns and sequences that ensure that control rods of high worth are not obtained below the 8.5 percent power level. The RWM is required to be in operation during reactor startup and shutdown between 0 and a nominal 8.5 percent rated thermal power. The design criterion is that any potential rod drop accident should not result in fuel rod enthalpies in excess of 280 cal/g. Over the operating ranges of power level and fuel exposure, the resultant fuel rod enthalpy is a function of several parameters, of which control rod worth is the most significant and controllable.

7.7-24 HCGS-UFSAR Revision 23 November 12, 2018

7.7.1.1.5.4.1 RWM Bypass The startup or shutdown of the reactor may continue without the RWM. When the RWM is bypassed, a second licensed operator must be present to check rod

movements, over the prescribed power range, 0 to 8.5 percent.

7.7.1.2 Recirculation Flow Control System (RFCS)

7.7.1.2.1 RFCS Function

The objective of the RFCS is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water. Signals from the redundant reactivity control system can cause a trip of the recirculation pump motors in the event of an ATWS.

The control involves varying the speed of the recirculation pumps by changing the voltage and frequency of the ac supply to each pump motor. The ac supply is provided by a Variable Frequency Drive (VFD) for each pump. Because flow rate is directly proportional to pump speed (which is proportional to VFD output frequency

), VFD output frequency is considered the controlled variable of the system.

Speed demand is the reference input to the system and speed demand is determined by the operator by pressing speed increase and decrease pushbuttons on the console. The flow control subsystem is designed to limit the range and rate of change of pump speed, and to otherwise ensure proper operational and equipment protection.

7.7-25 HCGS-UFSAR Revision 23 November 12, 2018

This system is a Power Generation System and is classified as not related t o safety.

7.7.1.2.2 RFCS Operation

Reactor recirculation flow is changed by adjusting the speed of the two reactor recirculating pumps. This is accomplished by adjusting the frequency and voltage of the electrical power supplied to the recirculation pump motor as shown on Figure 7.7-6. At various control rod patterns, reactor power can be automatically controlled by controlling recirculation flow. This control is

effective above approximately 65 percent of full power for the rod pattern.

An increase in recirculation flow causes the reactor power level to increase.

When recirculation flow is reduced the power level is reduced.

If the feedwater flow is below the value that provides minimum required

recirculation pump NPSH, recirculation pump speed is automatically limited.

The RFCS includes the following:

1. RFCS pump drive motor control
2. RFCS variable frequency drive (VFD)

7.7-26 HCGS-UFSAR Revision 23 November 12, 2018

3. RFCS speed control components.

7.7.1.2.2.1 RFCS Pump Drive Motor Control

Each recirculation pump motor has its own VFD for a power supply. To change the speed of the reactor recirculation pump, the VFD changes the frequency and magnitude of the voltage supplied to the pump motor to give the desired pump speed. The RFCS uses a demand signal from the operator who adjusts the speed setting of the VFD. The reactor power change resulting from the change in recirculation flow causes the initial pressure regulator to reposition the

turbine control valves.

7.7.1.2.2.

2 RFCS Variable Frequency Drive

The two VFDs and their controls are identical. The VFD set can continuously supply power to the pump motor at any speed between approximately 20 percent and 102.68 percent of the drive motor speed. The VFD is capable of starting the pump and accelerating it from standstill to the desired operating speed when the pump motor thrust bearing is fully loaded by reactor pressure acting

on the pump shaft.

7.7-27 HCGS-UFSAR Revision 23 November 12, 2018

This page left intentionally blank.

7.7-28 HCGS-UFSAR Revision 23 November 12, 2018

This page left intentionally blank.

7.7-29 HCGS-UFSAR Revision 23 November 12, 2018

7.7.1.2.2.3.7 RFCS Speed Limiter

The speed setpoint signal is automatically limited to approximately 30 percent of rated pump speed if the recirculation pump main discharge valve is not fully open, or if the feedwater flow is less than 20 percent of rated flow, or if the reactor water level is low, or if one condenser circulating water pump trips (leaving two or less condenser circulating water pumps running) when condenser pressure is greater than or equal to 5.8 inches HgA, or if generator stator cooling is lost. The setpoint is limited by another limiter if the reactor level is low and any feedwater pump is tripped, or if a secondary condensate pump trips when feedwater flow is greater than 7 3.65 percent, or if one condenser circulating water pump trips (leaving three condenser circulating water pumps running) when condenser pressure is greater than or equal to 4.5

7.7-30 HCGS-UFSAR Revision 23 November 12, 2018 inches HgA. If the discharge valve is closed and the pump is at high speed, the pump may overheat. If feedwater flow is less than 20 percent of rated flow, there is not enough subcooling of the downcomer water to provide the net positive suction head needed for the jet pumps and recirculation pumps to

operate at speeds greater than approximately 30 percent.

7.7.1.2.2.4 RFCS Recirculation Loop Starting Sequence

Each recirculation loop is independently started as follows:

1. The starting sequence is manually initiated by pressing a pushbutton on the main control room Operator Console.

The VFD precharge sequence starts provided that:

a. The 7.2 kV bus is energized to more than 70 percent of nominal voltage.
b. The recirculation loop suction valve is fully open.
c. The recirculation loop discharge valve is fully closed.
2. When the precharge sequence is complete, the VFD automatically closes the 7.2 kV breaker. 3. The pump is started by pressing a pushbutton switch on the console.

7.7-31 HCGS-UFSAR Revision 23 November 12, 2018

4. The

-.

5. The recirculation loop discharge valve is opened automatically.

After the pump has started and the discharge valve is open, the speed may be

changed manually from the console.

7.7.1.2.3 RFCS Testability

The VFD functions during normal power operation. Any abnormal operation of these components can be detected during operation. The components that do not continually function during normal operation can be tested and inspected for calibration and operability during scheduled plant shutdowns. All the RFCS components can be tested and inspected during scheduled shutdowns.

7.7-32 HCGS-UFSAR Revision 23 November 12, 2018

7.7.1.2.4 RFCS Environmental Considerations The RFCS is not required for safety purposes, nor is it required to operate after a DBA. The system is required to operate in the normal plant environment for power generation purposes only.

The only part of the recirculation flow control equipment in the drywell is th e pump motor. It is subject to the design conditions environment specified in

Section 3.11.

The logic control units and instrumentation are located in the auxiliary building control area and are subject to that environment, as discussed in

Section 3.11.

7.7.1.2.5 RFCS Operational Consideration

Indication and alarms are provided to keep the operator informed of the status of systems and equipment, and to quickly determine the location of malfunctioning equipment. Temperature monitoring of the equipment is alarmed if safe levels are exceeded. Indicators are provided to show pump power requirements, set speed, recirculation loop flow, valve positions, and control signals, all of which determine system status. Alarms are provided to alert the operator of malfunctioning control signals and inability to change pump speed. 7.7.1.2.6 RFCS Setpoints

The RFCS has no safety setpoints.

7.7-33 HCGS-UFSAR Revision 23 November 12, 2018

7.7.1.3 Feedwater Control System 7.7.1.3.1 Feedwater Control System Function The Feedwater Control System (FCS) controls the flow of feedwater into the reactor vessel to maintain the vessel water level within predetermined limits during all normal plant operating modes. The range of water level is based upon the requirements of the steam separators. (This includes limiting carryover, which affects turbine performance, and carryunder, which affects recirculation pump operation.) The FCS uses vessel water level, steam flow, and feedwater flow as a three element control. Single element control is also available based on water level only. Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow that causes the level of the water in the reactor vessel to rise or fall accordingly. This system is a power generation system and is classified as not related to safety. 7.7.1.3.1.1 FCS Power Sources The FCS is provided with two independent power sources. One source is 125 VDC batteries and the other source is from a 120 VAC instrument bus. The two sources each supply independent power supplies within the FCS. Outputs of the supplies are auctioneered at the card level within the system. A loss of any source or any supply will have no affect on system operation. Any failure is alarmed to the operator. 7.7-34 HCGS-UFSAR Revision 7 December 29, 1995 7.7.1.3.2 System Operation During normal plant operation, the FCS automatically regulates feedwater flow into the reactor vessel. The system can be manually operated. The FCS instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel. During automatic three element operation, these three measurements are used for controlling feedwater flow. The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators limit water carryover in the steam going to the turbines and limit steam carryunder in water returning to the core. The water level in the reactor vessel is maintained within +/-2 inches of the setpoint value during normal operation. The control capability is achieved during plant load changes by balancing the mass flow from the reactor vessel. The FCS uses turbine driven reactor feed pumps and an output flow that is controlled by varying the speed of the turbine driven feed pumps. The Redundant Reactivity Control System (RRCS) can initiate a feedwater runback, reducing flow to 0 percent within 15 seconds. This runback is independent of the feedwater control operating mode, and overrides the loss of signal interlock which prohibits change of reactor feedwater pump output under loss of control signal conditions. Control of the feedwater system can be regained by the operator 30 seconds after the runback begins. This runback is discussed in Section 7.6.1.7. ATWS alarm lights are provided on the front of the feedwater control panel. The feedwater system trip contacts associated with the RRCS ATWS runback are required to be high quality but not necessarily safety grade. Variables sensed for system operation include the following: 7.7-35 HCGS-UFSAR Revision 7 December 29, 1995

1. Reactor vessel water level 2. Main steam line flow 3. Feedwater flow 4. RFP discharge header pressure 5. Reactor pressure. 7.7.1.3.2.1 Reactor Vessel Water Level Reactor vessel narrow range water level is measured by three sensing systems. For each channel, a differential pressure transmitter senses the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the reactor vessel. All three of the differential pressure signals are used for indication and control. The control system automatically selects the level signal to use for control. A signal is considered valid if it is in range and not in test. If all three signals are valid, the median signal is used for control. If two signals are valid, the lower of the two is used. If only one signal is valid, it will be used for control. All three signals are used to generate trip signals to trip the RFPTs and the main turbine. Two out of the three channels must exceed their setpoints for the trip. A fourth level sensing system (upset range) provides level information beyond the span of the narrow range devices. The controlling narrow range signal and the upset range signal are continually recorded in the main control room. All levels are indicated and displayed on a CRT. 7.7.1.3.2.2 Main Steam Line Flow Steam flow is sensed at each main steam line flow venturi by a differential pressure transmitter. The differential pressure signal is linearized to give the steam flow rate and is indicated in the main control room. The signals are summed to produce a total steam flow signal for feedwater flow control. The total steam flow signal is recorded in the main control room. 7.7-36 HCGS-UFSAR Revision 7 December 29, 1995 7.7.1.3.2.3 Feedwater Flow A feedwater flow signal is derived from a transmitter measuring the differential pressure across a flow element in each of the three reactor feedwater lines. Each feedwater signal is linearized by a square root extractor, then summed to produce a total flow rate. The feedwater flow rate signal is recorded in the main control room. Turbine driven reactor feed pump speed control is the flow adjustment technique involved. There are three modes of automatic control for the flow of feedwater. They are 1) start up level control, 2) single element control, and 3) three element control. Manual control is also available. 1. Start up level control - In the startup level control mode, measured level is compared to level setpoint and a proportional plus integral control algorithm is executed within the control system. The output of the algorithm is transmitted to the startup level control valve to modulate the flow of water. If a RFP is placed in automatic, the speed of the pump will automatically adjust to maintain an operator selectable differential pressure across the start up valve. 2. Single element control - In single element control, measured level is compared to level setpoint and a proportional plus integral control algorithm is executed within the control system. The output of the control algorithm is used as a speed demand signal to the pumps. Single element control is active when a RFP is in automatic and the start up valve is manual and power is less than 35 percent. 3. Three element control - In three element control, measured level is compared to level setpoint. Steam flow and feed flow are subtracted from each other to develop a steam flow feed flow mismatch. The signals are combined and a proportional plus integral control algorithm is executed within the control system. The output of the control algorithm is used as a speed demand signal to the pumps. Three element control is active one minute after a RFP is in automatic and the start up valve in manual and power is greater than 35 percent. 7.7-37 HCGS-UFSAR Revision 17 June 23, 2009 This Page Intentionally Blank 7.7-38 HCGS-UFSAR Revision 7 December 29, 1995 7.7.1.3.2.4 FCS Interlocks with Other Systems The FCS also provides interlocks and control functions to other systems. When one of the reactor feed pumps is lost and coincident or subsequent low water level exists, recirculation flow is reduced to within the power capabilities of the remaining reactor feed pumps. This reduction aids in avoiding a low level reactor trip by reducing the steaming rate. Reactor recirculation flow is also reduced on sustained low feedwater flow coincident with low recirculation flow control valve position to ensure that adequate NPSH will be provided for the recirculation system. Alarms on steam flow are provided for use in the RWM logic. Interlocks from steam flow are used to initiate insertion of the RWM block. An alarm on low steam flow indicates that the above RWM insertion interlock setpoint is being approached. Alarms are also provided for high and low water level and reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in the event of reactor high water level. 7.7.1.3.2.5 FCS Interface with Turbine Driven Reactor Feedwater Pump Speed Control Feedwater is delivered to the reactor vessel through variable speed turbine driven feedwater pumps, which are arranged in parallel. During planned operation, the feedwater control signal from the level controller is fed to the turbine speed control systems, which adjust the speed of their associated feed pumps so that the feedwater flow is proportional to the feedwater demand signal. Each turbine driven feed pump can be controlled by its panel display station. If the feedwater control 7.7-39 HCGS-UFSAR Revision 7 December 29, 1995 signal is lost, an alarm unit in the feedwater control circuit initiates an alarm in the main control room and locks the turbine speed controller at its position just prior to losing the signal. A diverse signal path will then be made available to the operator to manually adjust the speed of the pump. 7.7.1.3.2.6 FCS Testability The FCS continually monitors itself and performs on line diagnostics. Any failure is annunciated in the control room. The RFP and main turbine trip channels are provided with a test panel to perform tests in any operational mode. The performance of a test neither prevents nor causes a trip. 7.7.1.3.2.7 FCS Environmental Considerations The FCS is not required for safety purposes, nor is it required to operate after a DBA. This system is required to operate in the normal plant environment for power generation only. The reactor feed pumps in the turbine building experience the normal design environments. 7.7.1.4 Refueling Interlocks - Instrumentation and Controls 7.7.1.4.1 Refueling Interlocks Function The purpose of the refueling interlocks is to restrict the movement of control rods and the operation of refueling equipment. This reinforces operational procedures that prevent the reactor from becoming critical during refueling operations. The refueling interlocks system is not a safety-related system. 7.7-40 HCGS-UFSAR Revision 7 December 29, 1995 7.7.1.4.2 Refueling Interlocks Operation and Equipment The refueling interlocks circuitry sense the condition of the refueling equipment and the control rod positions to prevent movement of refueling equipment or control rods that might place refueling floor operating personnel in a potentially unsafe situation. These interlocks are a backup to administrative procedures that limit core reactivity during refueling operations. Redundant circuitry is provided to sense the following conditions: 1. All rods inserted 2. Refueling platform positioned near or over the core 3. Service platform jib crane loaded 4. Fuel grapple loaded. Additional circuitry monitors the reactor mode switch in the "refuel" position. The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement as indicated in Table 7.7-3. 7.7.1.4.2.1 Refueling Interlock Sensors The refueling interlock sensors include the following: 1. Limit switches along the rail supporting the movement of the refueling platform toward and away from the core. Either switch can send a signal to the Reactor Manual Control System (RMCS) to cause a rod block with the reactor in the "refuel" mode and the fuel grapple loaded, or a rod block in the "startup" mode if the platform is 7.7-41 HCGS-UFSAR Revision 2 April 11, 1990 near or over the core. These two mechanical switches are attached to the platform and are tripped open by a long, stationary ramp mounted adjacent to the platform rail. These switches open before the platform or any of its hoists is physically located over the reactor vessel to indicate the approach of the platform toward the core. 2. Load limit switch on the fuel grapple. This switch is set to operate when the hoist is loaded with a fuel bundle. The hoist loaded signal can initiate a rod block or prevent the motion of the refueling bridge toward the core. The load switch opens at a load weight that is lighter than that of a single fuel assembly. In addition to the above, the mode switch and RMCS provide signals to the refueling interlocks to prevent hoist and platform motions under certain conditions, as listed in Table 7.7-3. The two portions of the RMCS operate two contacts to indicate an all-rods-in condition. The "full in" condition for each rod is established by closure of a magnetically operated reed switch in the rod's position indicator probe, as discussed in Section 7.7.1.1.2.3. The circuitry in the RMCS requires that the "full in" switch be closed for each rod before the all-rods-in signal to the refueling equipment is generated. In the refueling mode, the main control room operator has an indicator light for "refueling mode select permissive" whenever all control rods are fully inserted. This indication can be compared with control rod position data from the computer, as well as control rod in-out status on the full core display. Whenever a control rod withdrawal block situation occurs, the operator receives annunciation and computer logs of the rod block. The operator can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions 7.7-42 HCGS-UFSAR Revision 2 April 11, 1990 exist in order to move control rods; otherwise, a control rod withdrawal block occurs. Failure of one channel may initiate a rod withdrawal block, and will not prevent application of a valid control rod withdrawal block from the remaining operable channel, as indicated in Table 7.7-3. During refueling operations, no more than one control rod is permitted to be withdrawn. This is enforced by logic within the RMCS that prevents the selection of a second rod for movement with any other rod not fully inserted in the refuel mode. With the mode switch in "refuel", the RMCS circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn. Operation of refueling equipment is prevented by interrupting the power supply to the equipment. Interlock operation deenergization of the bridge drive power prevents its motion, and deenergization of the hoist power supply opens the hoist load switches giving a false indication that the hoist is loaded. This interlock prevents control rod withdrawal with the mode switch in the "startup" or "refuel" positions. 7.7.1.4.2.2 Refueling Interlock Indication and Controls Each hoist has an analog load cell readout that displays hoist load directly to the operator. Load sensing is by hydraulic load cells that use demineralized water as the operating fluid. Associated interlock and load functions are performed by set point modules and programmable logic controllers. The vertical position of the grapple is shown by an indicator in the refueling bridge operator cab. After calibration, this readout allows the operator to know the relative separation between fuel assemblies in the core and the grapple. Elsewhere in the operator's cab are individual pushbuttons and joy sticks 7.7-43 HCGS-UFSAR Revision 13 November 14, 2003 provided for local control of the platform and its hoists, and an analog type readout for the platform's X-Y position relative to the reactor core or fuel storage racks. The platform operator can immediately determine whether the platform and hoists are responding to his local instructions and can, in conjunction with the main control room operator, verify proper operation of each of the three categories of interlocks (hoist loaded, bridge position, and rod position). 7.7.1.4.2.3 Refueling Interlocks Service Platform Bypass A bypass for the service platform hoist load interlock is provided. When the service platform is no longer needed, its power plug is removed. This deenergizes the power supply to the hoist. Deenergizing the service platform hoist power supply opens the hoist load switches and gives a false indication that the hoist is loaded. This interlock prevents control rod withdrawal with the mode switch in the "startup" or "refuel" positions. The bypass plug is physically arranged to prevent the connection of the service platform power plug unless the bypass plug is removed. 7.7.1.4.3 Level of Interlock Action The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks that restrict operation of the platform hoist and grapple provide a third level of interlock action since they would be required only after a failure of a rod block and refueling platform interlock. 7.7-44 HCGS-UFSAR Revision 13 November 14, 2003 7.7.1.5 Pressure Regulator and Turbine Generator System (PRTGS) 7.7.1.5.1 System Identification 7.7.1.5.1.1 General One of the features of direct cycle boiling water reactors (BWRs) is the direct passage of the nuclear boiler generated steam through the turbine and regenerative system. In this system, the turbine is slaved to the reactor in that steam generated by the reactor is normally accepted by the turbine. The operation of the reactor requires a pressure regulator to maintain a constant (within the range of the regulator controller proportional band setting) turbine inlet pressure. The pressure regulator employed at Hope Creek is a General Electric Mark VI digital electro-hydraulic control (DEHC) system. The turbine pressure regulator normally controls the turbine control valves to maintain constant (within the range of the DEHC's control algorithms) turbine inlet pressure. In addition, the pressure regulator also operates the steam bypass valves so that a portion of nuclear boiler rated flow can be bypassed when operating at steam flow loads above those that can be accepted by the turbine, as well as during the startup and shutdown phases. The overall Turbine Generator and Pressure Control System accomplish the following: 1. Controls turbine speed and load 2. Operates the steam bypass system to keep reactor pressure within limits and avoid large power transients 3. Regulates main turbine inlet pressure 4. Provides turbine fault and overspeed protection 7.7-45 HCGS-UFSAR Revision 14 July 26, 2005 7.7.1.5.1.2 PRTGS Classification The PRTGS is classified as a primary power generation system. That is, it is not a safety system, but its operation is essential to the power production cycle. 7.7.1.5.2 PRTGS Power Sources 7.7.1.5.2.1 Normal The DEHC system receives two power supplies from reliable 120 VAC power sources. The control room displays are powered from the respective normal and backup power supplies to the DEHC. 7.7-46 HCGS-UFSAR Revision 14 July 26, 2005 7.7.1.5.2.2 PRTGS Alternate If either electrical power source fails, power flow is not interrupted. 7.7.1.5.3 PRTGS System Design 7.7.1.5.3.1 General BWR pressure is controlled by regulating the main steam pressure immediately upstream of the main stop and turbine control valves through modulation of the turbine control or steam bypass valves. Command signals to these valves are generated by triple modular redundant (TMR) digital controllers using the sensed turbine inlet pressure signals as the feedback. For normal operation, the turbine control valves regulate steam pressure. However, whenever the total steam flow demand from the pressure regulator exceeds the capacity of the turbine control valves, the pressure control system sends the excess steam flow directly to the main condenser through the steam bypass valves. The plant's ability to follow grid system load demands is determined by adjusting reactor power level, varying reactor recirculation flow (manually), or manually moving control rods. In response to the resulting steam production changes, the pressure control system adjusts the turbine control valve to accept the steam output change, thereby regulating steam pressure. 7.7-47 HCGS-UFSAR Revision 14 July 26, 2005 7.7.1.5.3.2 PRTGS Steam Pressure Control During normal plant operation, steam pressure is controlled by the main turbine control valves, positioned in response to the pressure regulation demand signal. The steam bypass valves are normally closed. The DEHC system digital controllers utilize a median select hierarchy for turbine control. Three pressure transmitters, tapped into the turbine inlet, provide main steam pressure (throttle pressure) to the digital controllers. The DEHC pressure controller acts to ensure that the desired pressure set point is achieved by coordinating the positioning of the turbine control valves, which respond to the turbine controller's speed/load set point commands. Thus, if the Pressure Control System requires that additional steam flow be released from the reactor when the control valves reach wide open, the control signal error to the bypass valves increases and causes bypass valve actuation. 7.7-48 HCGS-UFSAR Revision 14 July 26, 2005 7.7.1.5.3.3 PRTGS Steam Bypass System The Steam Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during startup (pressure, speed ramping, and synchronizing), when reactor steam generation exceeds the turbine steam flow requirements during power operation, load reduction and

turbine/generator trips, and cooldown.

The bypass capacity of the system is 2 1.75 percent of the Nuclear Steam Supply System (NSSS) rated steam flow; sudden load reductions within the capacity of the steam bypass can be accommodated without reactor scram.

Normally, the bypass valves are closed and the pressure regulator controls the turbine control valves, directing all steam flow to the turbine. If the DEHC speed or load control algorithms restrict steam flow to the turbine, the DEHC controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the system pressure rises and Reactor Protection System (RPS) action

causes the reactor to shutdown.

The pressure regulator compares the measured steam supply pressure to the turbine operator entered pressure demand and develops the steam flow demand for both the CVs and BPVs based on the magnitude of the pressure error. Each bypass valve is independently operated. The bypass valves are opened sequentially in order to maintain responsive throttling control of the reactor system pressure. A positive demand bias is provided for opening the bypass valves manually during reactor heatup. An automated feature is also provided

for cool-down using the bypass valves.

Bypass valves and controls are designed so that bypass steam flow is shut off upon loss of control system electrical power, hydraulic pressure, or low

condenser vacuum.

7.7-49 HCGS-UFSAR Revision 23 November 12, 2018

7.7.1.5.3.4 PRTGS Turbine Speed Load Control Systems 7.7.1.5.3.4.1 Normal Operation During base load plant operation, the turbine load reference is held above the desired load, so that the pressure regulation demand governs the turbine control valves. 1. PRTGS behavior of turbine outside of normal operation a. Turbine startup - Prior to turbine startup, sufficient reactor steam flow is generated to permit the steam bypass valves to maintain reactor pressure control while the turbine is brought up to speed and synchronized under its speed load control. b. Partial load rejection - During partial-load rejection transients, which appear to the reactor as a reduction in turbine load demand resulting from an increase in generator (or grid) frequency, the turbine pressure control scheme allows the reduced turbine speed load demand to override the pressure regulation demand and thereby directly regulate the turbine control valves. The pressure controller modulates the bypass valves to maintain reactor pressure. c. Turbine shutdown or turbine generator trip - During turbine shutdown or turbine generator trip conditions, the main stop valves and turbine control valves are closed. Reactor steam flow is then passed through the steam bypass valves under steam pressure control and through the SRVs, as needed. 7.7-50 HCGS-UFSAR Revision 14 July 26, 2005

d. Steam bypass operation DEHC pressure regulation is achieved by tight coordination between the turbine control valve positioning and the bypass valve positioning algorithms. The combined control of the bypass valves and the turbine control valves acts to maintain the reactor system pressure at the desired set point. Pressure regulation is transferred to the bypass valves when the turbine/generator is flow or load set point limited. During a turbine or generator trip, or power load unbalance events that result in fast closure of the turbine control or intercept valves, the turbine flow

reference signal used in computing turbine steam bypass demand is immediately tripped to zero to allow the bypass

valves to fast open quickly.

e. Loss of turbine control system power Primary and Backup Protection Controllers has its own independent power supply. In the event that power is lost to the controllers, the turbine controls and valves are designed so that the main stop and control valves close upon loss of

control system power or hydraulic pressure.

7.7.1.5.3.5 PRTGS Turbine Generator to Reactor Protection System Interface

The RPS initiates reactor scram when any monitored plant condition requires it. Two such conditions are: main stop valve closure and turbine control valve fast closure when reactor power is above 24 percent of rated power. The main stop valve closure signal is generated before the main stop valves have closed more than 7 percent. This signal originates from position switches that sense stop valve motion away from fully open. Two limit switches are provided for each of

the main stop valves. The switches are closed

7.7-51 HCGS-UFSAR Revision 23 November 12, 2018

when the stop valves are fully open, and open within 10 milliseconds after the setpoint is reached. The switches are electrically isolated from each other and from other turbine plant equipment. The turbine control valve fast closure signal is generated by four hydraulic oil pressure sensors that are located on each control valve and that sense hydraulic oil pressure decay as an indication of fast control valve closure. The switches are closed when the valves are open, and open within 30 milliseconds after the control valves start to close in a fast closure mode. All sensors have individual shutoff valves and calibration taps. To avoid reactor scram due to main stop valve closure or turbine control valve fast closure when power is below 30 percent of rated power, two independent sensing lines are provided from the turbine shell pressure taps in the high pressure turbine and are connected to pressure switches to supply power level signals to the RPS. The pressure taps are located to provide a pressure signal proportional to turbine steam flow. The pressure taps are shared with other instrumentation sensors. All sensors have individual shutoff valves. 7.7.1.5.3.6 PRTGS Turbine Generator to Main Steam Isolation System Interface Four independent main condenser vacuum sensors provide an isolation signal to the NSSS main steam isolation valves (MSIVs). Condenser vacuum transmitters and trip units are discussed in Section 7.3.1.1.2. 7.7.1.5.3.7 PRTGS Testability Controls are provided to test the turbine valve RPS interface signal switches in the following ways: 1. Actuate each stop valve individually to the 10 percent closed point with no interaction with other valves 7.7-52 HCGS-UFSAR Revision 0 April 11, 1988

2. Actuate the following pairs of stop valves to the 10 percent closed point, one pair at a time: 1 and 2; 3 and 4; 1 and 3; 2 and 4 3. Actuate one control valve fast closure hydraulic oil pressure switch at a time from the DEHC's control panel 4. Individually test each main condenser low vacuum instrument channel. 7.7.1.5.4 PRTGS Environmental Considerations The Turbine Generator Control System is required to operate in the normal plant environment for power generation purposes only. Instruments and controls on the turbine exist in the Turbine Building normal design environment as listed in Section 3.11. The logic, remote control units, and instrument terminals located in the control area of the Auxiliary Building exist in the environment listed in Section 3.11. 7.7.1.5.5 PRTGS Operational Considerations 7.7.1.5.5.1 General Information Process variables controlled by the digital pressure regulator and speed/load control system are displayed in the main control room on DEHC's operators workstation touchscreen human machine interface (HMI) at the turbine generator section of the control boards. Manual and automatic control modes for the various turbine generator operational modes, e.g., startup, normal operation, and shutdown, are available to the operator from the main control room. The HMI display provides visual indication of turbine status, alarms, and "soft keys and controls". Auto display lights are provided to inform the operator of the operating mode of the turbine generator unit. Three pressure control channels, operating in a median select configuration on the DEHC system, receive inputs from independent pressure transducers in the main steam 7.7-53 HCGS-UFSAR Revision 14 July 26, 2005 line upstream of the main steam stop valves (MSSVs) and from the pressure reference unit. Main steam pressure indications and pressure setpoint adjustments/indications are located on the HMI touchscreen on the turbine control panel. 7.7.1.5.5.2 PRTGS Reactor Operator Information The NSSS pressure regulator has the following controls and information displayed on the operator's workstation HMI touchscreen in the main control room: 1. Main steam pressure transducer output 2. Main steam pressure regulator setpoint 3. Individual bypass valve position indicator 4. Individual bypass valve demand control signal 5. Bypass valve test controls 6. Individual control valve position indication 7. Individual control valve demand control signal. 7.7.1.5.5.3 PRTGS Setpoints There are no safety setpoints associated with this system. 7.7-54 HCGS-UFSAR Revision 14 July 26, 2005 7.7.1.6 Reactor Water Cleanup (RWCU) System The controls and instrumentation of the RWCU system are discussed in Section 5.4.8. 7.7.1.7 Area Radiation Monitoring Systems (ARMSs) The controls and instrumentation of the ARMS are discussed in Section 12.3. 7.7.1.8 Radwaste Systems The controls and instrumentation for the radwaste systems are discussed in Sections 11.1, 11.2, 11.3, and 11.4. 7.7.1.9 Fuel Pool Cooling and Cleanup System (FPCS) The instrumentation and controls of the FPCS are discussed in Section 9.1.3. 7.7.1.10 Seismic Monitoring Instrumentation The operability of the seismic monitoring instrumentation ensures that sufficient capability is available to promptly determine the magnitude of a seismic event and evaluate the response of those features important to safety. This capability is required to permit comparison of the measured response to that used in the design basis for the facility. Accordingly, the seismic monitoring instrumentation identified in Table 7.7-4 should be maintained operable by the performance of the channel check, channel calibration and channel functional tests at the indicated frequencies. Additionally, each of the above seismic monitoring instruments actuated during a seismic event greater than or equal to 0.01 g shall be restored to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and a channel calibration performed within 5 days following the seismic event. Data should be retrieved from actuated instruments and analyzed to determine the magnitude of the vibratory ground motion. 7.7-55 HCGS-UFSAR Revision 8 September 25, 1996 7.7.1.11 Meteorological Monitoring Instrumentation The operability of the meteorological monitoring instrumentation ensures that sufficient meteorological data is available for estimating potential radiation doses to the public as a result of routine or accidental release of radioactive materials to the atmosphere. This capability is required to evaluate the need for initiating protective measures to protect the health and safety of the public. Accordingly, the meteorological monitoring instrumentation identified in Table 7.7-5 should be maintained operable by the performance of the channel check and channel calibration tests at the indicated frequencies. 7.7.1.12 Design Differences Refer to Tables 7.7-1 and 7.7-2 for supply responsibility and similarity of system designs to other nuclear power plants. 7.7.1.13 Traversing In-core Probe (TIP) System 7.7.1.13.1 Description The traversing In-Core Probe (TIP) System is a subsystem of the Neutron Monitoring System. It is used in the calibration of the LPRM detectors and the update of the Core Monitoring System parameters that incorporate LPRM and TIP data into the thermal limit calculations. There are 5 TIPs with 9 or 10 channels per TIP. Each channel covers the axial length of the active core for a specific radial location and provides data corresponding to the local neutron flux. Each TIP can access a common channel to allow for cross-calibration of the TIPs. The 43 unique channels correspond to the 43 LPRM strings. The Core Monitoring System processes the TIP data. Data from a specific TIP is valid only if the TIP was cross-calibrated using the common channel. The Core Monitoring System invalidates TIP data if it does not meet numerical requirements. At least two thirds of the radial locations (29 of 43) must have valid data for the TIP data to be used to calibrate LPRMs and/or update the Core Monitoring System parameters. 7.7-55a HCGS-UFSAR Revision 16 May 15, 2008 7.7.1.13.2 Bases The accuracy of the Core Monitoring System is qualified for instrumentation failure up to a limit. This limit assures that the spatial neutron flux distribution of the reactor core can be accurately calculated. As long as two thirds of the radial locations (29 of 43) have valid data, the qualification requirements have been met and the TIP data can be used to calibrate LPRM detectors and/or update the Core Monitoring System parameters. 7.7.2 Analysis Refer to the safety evaluations in Section 15, which show that the systems described in this section are not used to provide any DBA safety function. Safety functions are provided by other systems. Section 15 also evaluates all credible control system failure modes, the effects of those failures on plant functions, and the response of various safety-related systems to those failures. 7.7-55b HCGS-UFSAR Revision 18 May 10, 2011 The major plant control systems described above have no direct interface with any safety-related systems and, thus, control system failures evaluated in Section 15, have no adverse effect on the safety-related system. 7.7.2.1 Rod Block Monitor The rod block monitor (RBM) is designed to prohibit erroneous withdrawal of a control rod during operation at high power levels. This prevents local fuel damage under permitted bypass and/or local power range monitor (LPRM) detector failure conditions and prevents local fuel damage during a single rod withdrawal error. Because local fuel damage poses no significant threat relative to radioactive release from the plant, the RBM is a power generation system and is not used for accident mitigation. Although the RBM does not perform a safety-related function, in the interest of plant economics and availability it is designed to meet certain salient design principles of a safety system. These include the following: 1. Redundant, separate, and isolated RBM channels. 2. Redundant, separate, isolated rod selection information; including isolated contacts for each rod selection pushbutton providing input to each RBM channel. 3. Independent, isolated RBM level readouts and status displays from the RBM channels. 4. A mechanical barrier between channels A and B of the manual bypass switch. 5. Multiple manual RBM channel bypass is prohibited by switch design. 7.7-56 HCGS-UFSAR Revision 0 April 11, 1988
6. Independent, separate, isolated rod block signals from the RBM channels to the RMCS circuitry.
7. Failsafe design; loss of power initiates a rod block.
8. A trip of either RBM channel initiates a rod block.

The RBM interfaces with the following:

1. LPRM: LPRM signal information is provided to each RBM channel from either the APRM instrument or LPRM instrument for each division via

fiber optic link. 2. Flow Signal: Recirculation flow inputs are provided to the RBM from either the APRM instrument or LPRM instrument for each division via fiber optic link for trip reference.

3. APRM System: Independent, separate, isolated APRM reference signals are supplied to each RBM channel for trip reference.

7.7.2.2 Reactor Manual Control System

A failure modes and effects analysis has not been performed on the Reactor Manual Control System (RMCS) because it is a nonsafety-related plant operational control system. All inputs to the RMCS from other systems that provide rod motion inhibiting interlocks are optically isolated to electrically segregate the RMCS from the interfacing systems. Therefore, there is no direct

coupling of the RMCS with any protection system.

To provide high reliability, the RMCS has been designed with certain inherent

features described below:

1. Data transmission, storage, comparison (tests), and HCU control are time based per the RMCS master clock, which oscillates at a period of 0.4 microseconds. Each subsystem within the RMCS that must process received data for transfer to other subsystems and the internal logic that is generated for data transfer and internal

decisions

7.7-57 HCGS-UFSAR Revision 23 November 12, 2018

are "triggered" by the master clock. Faults that modify the frequency of transmission, i.e., logic gate failure (either on/off or intermittent), will cause errors that are indicated by the fault mapping subsystem and cause rod blocks. Because the system is dynamic, changes in the frequency of transmitted and received pulses (data) facilitate fault detection from the rod select module to the HCU solenoid valve. 2. Rod motion is inhibited if a comparison error exists between the rod select command with the HCU selection acknowledgement (also time based) and the interpretation of that command from the HCU. 3. HCU operation is directly dependent upon continuous receipt of the command word (time based). Faults either inhibit power to the solenoid valves, or the rod motion timer senses a change relative to the motion expected and inhibits further actions. 4. The rod worth minimizer subsystem (RWM) consists of an operator panel and a RWM unit which contains the RWM program. This program has the identification of all rod groups and logic control information required to prevent movement of rods into unacceptable rod patterns. This logic is programmable. 5. The RWM acts to prevent the withdrawal of an out of sequence control rod, to prevent continuous control rod withdrawal errors during reactor startup, and to minimize the core reactivity transient during a rod drop accident. The consequences of a rod withdrawal error in the startup range were generically analyzed, demonstrating that the licensing basis criterion for fuel failure is still satisfied even when the RWM fails to block rod 7.7-58 HCGS-UFSAR Revision 11 November 24, 2000 withdrawal. Thus, the RWM, which is a subsystem of the nonsafety-related RMCS, is not safety-related. The safety action required for the control rod drop incident (a reactor scram) is provided by the safety-related intermediate range monitor (IRM) subsystem of the Neutron Monitoring Systems (NMS). If the core flux scram trip setpoint is reached during a flux transient, the IRM will both block further rod withdrawal and initiate a scram. Furthermore, a second safety-related NMS scram trip, supplied by the average power range monitor (APRM), can terminate the core power transient. 6. The following diagnostics are provided: o Fault map to locate system faults from self test or normal operation. o Self test feature that scans all logic memory (permanent and temporary locations) and, on error detection, will transfer that information to the fault mapping subsystem. Self test is manual or automatic. o System Diagnostic is used to test the RWM program by applying and then removing insert and withdraw blocks. 7.7.2.3 Rod Worth Minimizer The Rod Worth Minimizer (RWM) acts to prevent withdrawal of an out of sequence control rod; to prevent continuous control and withdrawal errors during reactor startup; and to minimize the core reactivity transient during a rod drop accident. The consequences of a rod withdrawal error in the startup range are analyzed in Section 15.4, demonstrating that the licensing basis criterion for fuel failure is still satisfied even when the RWM fails to block rod withdrawal. Thus, the RWM, which is a subsystem of the Reactor Manual Control System (RMCS), is not safety related. The safety action required for the continuous control rod drop accident (a reactor scram) is provided by the safety related intermediate range monitor (IRM) subsystem of the Neutron Monitoring Systems (NMS). If the core flux scram trip setpoint is reached during a flux transient, the IRM will both block further rod withdrawal and initiate a scram. Furthermore, a second 7.7-59 HCGS-UFSAR Revision 11 November 24, 2000 safety-related NMS scram trip, supplied by the average power range monitor (APRM), can terminate the core power transient. The RWM does not interface with safety related systems. 7.7.2.4 Common Power Source, Sensor or Sensor Line Failure Two analyses (see References 7.7-2 and 3) were conducted based on the General Electric methodology for answering NRC concerns for common power source failures and common sensor or sensing line failures. This methodology, which received NRC concurrence via reports for the Grand Gulf, Shoreham, and WNP-2 projects, was used for the Hope Creek project. The outline of the methodology for the common power source analysis is as follows: 1. Identify all non safety grade control systems that have the potential for affecting the critical reactor parameters of water level, pressure, or power. 2. Review these control systems at the component level, and identify the effects of the loss of power on each system component and the subsequent interactions with other components and systems. 3. Generate bus trees denoting the bus hierarchy and cascading configuration of all power buses that supply components of the control systems under study. 4. Perform a combined effects analysis. Evaluate the failure of each power bus (e.g. load center, motor control center) starting with the lowest level source common to multiple control systems and working up each bus tree to the highest common power level. At each level examine the effects of the single bus failure and the consequences of cascading bus failures on all control system components. 7.7-60 HCGS-UFSAR Revision 9 June 13, 1998

5. Postulate the limiting transient events as a result of the combined effects analysis, and compare these events with those analyzed in Chapter 15. 6. Perform additional transient calculations or analyses necessary to ensure that the worst case limiting event is bounded by those analyzed in Chapter 15 with the assumption that there is a single active failure in a safety system required to mitigate the effects of the event. 7. Document the results of the analyses of common power source failure, and provide recommendations as appropriate. The outline of the methodology for the common sensor and sensor line failure analysis is as follows: 1. Identify the non-safety-grade control systems to be included as in Item (1) of the methodology for the analysis of common power source failures. 2. Identify all instrument sensing lines and sensors utilized by two or more of these control systems. 3. Analyze the effects of a complete plug or a guillotine break in each of these common instrument lines. Examine the effects of erroneous signals on each instrument and on each function (e.g., scrams, trips, permissive signals) that could be actuated or rendered inoperative. 4. Examine the interactive effects among all systems affected by the common sensing line or sensor failures and the consequential combined effects on the critical reactor parameters. 5. Compare the consequences of these postulated events with those analyzed in Section 15 to ensure the consequences of the postulated events are bounded by the results of the Section 15 7.7-61 HCGS-UFSAR Revision 0 April 11, 1988 events and to ensure the postulated events will not require actions or responses beyond the capabilities of the operators or the safety systems. Perform additional transient calculations or analyses necessary to ensure that the worst case limiting event is bounded by those analyzed in Section 15 with the assumption that there is a single active failure in a safety system required to mitigate the effects of the event. 6. Document the results of the analyses of common sensor and sensor line failures and provide recommendations as appropriate. The conclusion of these analyses was that the limits of minimum critical power ratio (MCPR), peak vessel and main steamline pressures, and peak fuel cladding temperature for the expected operational occurrence category of events would not be exceeded as a result of common power source or common sensor failures for control systems. Although transient category events were postulated as a result of these studies, the net effects were positively determined to be less severe than those of the original, conservative, Section 15 events. It should be noted that these studies used the event consequence logic of the Section 15 analyses, but started the logic chain from a specific source (e.g., a single bus or sensor failure) rather than a system condition (e.g., feedwater runout). By approaching the studies in this manner, a great deal of confidence can be placed in the studies conclusions. The soundness of the total plant design was demonstrated by its being tolerant of these interactions. 7.7.2.5 High Energy Line Break/Control System Failure An analysis (see Reference 7.7-1) was conducted based on the General Electric methodology for answering the concerns raised in IE Information Notice 79-22. The NRC has concurred with this methodology via its review prepared for the Shoreham and Grand Gulf projects. 7.7-62 HCGS-UFSAR Revision 0 April 11, 1988 An outline of the methodology for the high energy line break/control system failures is as follows: 1. Identify all non safety grade control systems and components within these systems whose failure could affect the critical reactor parameters of water level, pressure, and power. 2. Establish assumptions and criteria for determining high energy lines and pipe break locations and for evaluating the consequences (pipe whip, jet impingement, environment) of pipe breaks. Environmental conditions such as high temperature, high pressure, and high humidity will be considered. 3. Identify from appropriate plant drawings those plant locations where high energy lines with postulated break locations coexist with non safety components of control-grade systems. 4. Conduct a plant walkdown to verify the locations of control system components and to determine their proximity to HELB locations. 5. Postulate pipe breaks in the zones defined, and determine which control system components are affected by each possible pipe break. 6. Analyze the potential effects on the control system components impacted, and determine the effects on any controlled component. 7. Combine the effects of the HELB with potential simultaneous malfunctions of adjacent control system components, and determine the effect on the critical reactor parameters. 8. Compare the effects with the transient and accident analyses in Chapter 15 of the FSAR, considering an additional single active component failure in a mitigating safety system. 7.7-63 HCGS-UFSAR Revision 0 April 11, 1988
9. Identify postulated events that are beyond Section 15 analyses, and recommend corrective actions. The analysis described each of the postulated HELB events and their limiting effects on the reactor parameters. In most cases, the effects of the postulated HELB/control system failures events were shown to be less severe than the Unacceptable Results for Incidents of Moderate Frequency - Anticipated Operational Transient presented in Section 15. In all cases, the effects of the postulated events were shown to be bounded by the Unacceptable Results for Limiting Faults - Design Basis (Postulated) Accidents presented in Section 15. It was concluded that safe reactor shutdown is assured for all postulated events and the consequences of these postulated events would not result in any significant risk to the health and safety of the public. 7.7.2.6 Anticipated Operational Occurrences The following nonsafety grade systems/components may be actuated during the course of anticipated operational occurrences (transients) shown in Section 15: 1. Level 8 turbine trip 2. Level 8 feedwater trip 3. Turbine bypass 4. Recirculation runback 5. Rod worth minimizer 6. Rod block monitor 7. The relief function of the safety relief valves. 7.7-64 HCGS-UFSAR Revision 9 June 13, 1998 None of these systems are required to mitigate the accidents discussed in Section 15. Table 15.0-5 lists transients where nonsafety grade systems/components are actuated during the course of the event. The analyses for each of the transients are based on the single failure criterion associated with the abnormal transients (abnormal transients are defined as events that occur as a result of equipment malfunctions as a result of a single active component failure or operator error). Following this single failure, the resulting transient is simulated in a conservative fashion to show the response of primary system variables and how the various plant systems would interact and function. Although the analysis of certain transient events assume the operation of specific nonsafety grade equipment to provide a realistic transient signature, failures of such equipment would not make these events more thermally or pressure limiting than the limiting accidents already addressed in Section 15. Periodic testing is prescribed by the NRC's Standard Technical Specifications for Level 8 turbine trip, Level 8 feedwater trip, turbine bypass, the rod worth minimizer, the rod block monitor, and the relief function of the safety relief valves. The recirculation runback feature of the HCGS is primarily an operational device to increase plant availability. It reduces the incidence of scrams from low vessel water level due to mis-operations of the feedwater system. Although the recirculation runback feature is simulated in the analyses of a complete loss of feedwater flow, as described in Section 15.2.7, the analyses show it does not make a significant contribution to the mitigation of this event. The analysis confirm that the reactor power would begin decreasing at the initiation of the feedwater loss because the reduced inlet subcooling would increase the voids. This would tend to increase the MCPR and to decrease reactor pressure. Therefore, in the absence of recirculation runback there would be no challenge to the 7.7-65 HCGS-UFSAR Revision 9 June 13, 1998 core thermal margin or vessel pressure boundary before scram, and it would be inappropriate to prescribe surveillance of the recirculation runback feature in the technical specifications. 7.7.3 References 7.7-1 "High Energy Line Break/Control Systems Failures Analysis," Hope Creek Generating Station, Public Service Electric and Gas, August 1984. 7.7-2 "Common Power/Control Systems Failures Evaluation," Hope Creek Generating Station, Public Service Electric and Gas Company, August 1984. 7.7-3 "Common Sensor Failure Evaluation Report," Hope Creek Generating Station, Public Service Electric and Gas Company, August 1984. 7.7-66 HCGS-UFSAR Revision 0 April 11, 1988
  • *
  • TABLE 7.7-1 DESIGN AND SUPPLY RESPONSIBILITY OF PLANT CONTROL SYSTEMS NSSS Design Reactor Manual Control System X Recirculation Flow Control System X Feedwater Control System X Refueling interlocks X Pressure regulator and Turbine Generator System Reactor Water Cleanup System X Area Radiation Monitoring System Radwaste Systems Liquid radwaste X Gaseous radwaste Solid radwaste Fuel Pool Cool and Cleanup Systems 1 of 1 HCGS-UFSAR NSSS Others Supply Supply X X X X X X X X X X X X X Revision 0 April 11, 1988
  • *
  • TABLE 7.7-2 SIMILARITY TO LICENSED REACTORS Instrumentation and Controls {System) Reactor Manual Control System Recirculation Flow Control System Feedwater Control System Refueling interlocks Pressure regulator and Turbine Generator System Reactor Water Cleanup System Area Radiation Monitoring Systems Radwaste Systems Liquid radwaste Gaseous radwaste Solid radwaste Fuel Pool Cooling and Cleanup System HCGS-UFSAR Plants Applying for or Having Construction Similarity Permit or Operating License Of Design Limerick Identical Limerick Limerick Limerick Original Design Limerick, susquehanna La Salle None Susquehanna Limerick Susquehanna Limerick None None 1 of 2 Identical d . l (1) I ent1.ca Identical Identical Similar Similar Similar Revision 14 July 26, 2005 7 .. 7 ** 2 (Cont) (1) v*ce:s;:s:,e:l narJ::mll' :is Jll,E:asured. l:::*y t:hree :i.*::l,emt:ieal, sensing, sys t:em1s ln t:l"l>E! HGGS d12:.s .. 2 of 2 HGGS-UFSAR 0 Aprtl 11. 1988 Refueling Platform Refueling Platform Hoist Situation Position FG 1 Not near UL core 2 Not near UL core 3 Not near UL core 4 Not near L core 5 Not used 6 Over core UL 7 Over core L 8 Not near UL core 9 Not near UL core 10 Not near UL core 11 Not near UL core 12 Not near UL core 13 Not near UL core 14 Not near UL core HCGS-UFSAR TABLE 7. 7-3 REFUELING INTERLOCK EFFECTIVENESS Service Platform Hoist Control Rods Switch Attemat UL All rods in Refuel-Move refueling plat-"form over core UL All rods in Refuel Withdraw rods UL One rod withdrawn Refuel Move refueling plat-form over core UL One or more rods Refuel Move refueling plat-withdrawn form over core UL All rods in Refuel Withdraw rods L All rods in Refuel Withdraw rods L All rods in Refuel Withdraw rods L All rods in Refuel Operate service platform hoist L One rod withdrawn Refuel Operate service platform hoist UL All rods in Start-Move refueling plat-up form over core L All rods in Start-Operate service up platform hoist L One rod withdrawn Start-Operate service up platform hoist L All rods in Start-Withdraw rods up 1 of 2 Results No restrictions Cannot withdraw more than one rod No restriction Platform stopped before over core Cannot withdraw more than one rod Rod block Rod block No restrictions Hoist operation prevented Platform stopped before over core No restrictions Hoist operation prevented Rod block Revision 16 May 15, 2008 Refueling Platform Situation Position 15 16 Not near core Over core FG Fuel grapple HCGS-UFSAR Refueling Platform Hoist !§ UL UL TABLE 7.7-3 (Cont) Service Platform Hoist Control Rods UL All rods in UL All rods in Attempt Start-Withdraw rods up Start-Withdraw rods up UL .., Unloaded L Loaded 2 of 2 Results No restrictions Rod block Revision 13 November 14, 2003

( ( ( TABLE 7.7*4 SEISMIC MONITORING INSTRUMENTATION AND SURVEILLANCE REQUIREMENTS CHANNEL MEASUREMENT CHANNEL FUNCTIONAL CHANNEL INSTBUMENIS 8ND SENSQ! RANGE CHECK CALIBRATION 1. Triaxial Accelerographs ... 5001 from Reactor Building Free Field, 601 Below Grade t 1G " SA R b. Primary Containment Foundation, Room 4101 :t 1G M SA R c. Refueling floor in Reactor Building :1: 1G M SA R d. Core Spray Piping in Drywell t 1G M SA R e. Auxiliary Building Foundation t 1G M SA R z. Triaxial Peak Accelerographs a. Reactor Support Lateral Truss :t 5G NA NA R b. core Spray Piping in Orywell t: 5G NA NA R c. Service Water Pumping t: 5G NA NA R 3. Triaxial Seismic Switches a. Primary Containment Foundation, Room 4101 (Trigger) NA NA SA R b. Primary Containment Foundation, Room 4101 (Switch) NA NA SA R 4. Triaxial Response-Spectrum Recorders a. Primary Contairment FOU"dation (north-south) 1.0 -32.0 Hz* M SA R b. Primary Containment Foundation (east-west) 1.0-32.0 Hz.* M SA R c. Primary Containment Foundation (vertical) 1.0-32.0 Hz* M SA R

  • Each recorder has 16 reeds responsive to 16 discrete frequencies from 1 .0*32.0 Hz.. Each recorder also contains 16 switches integrally related to the 16 reeds which provide independent control room indication when predetermined acceleration levels and design limits have been exceeded. M At least once every 31 days. SA At least once every 6 months. R At least once every 18 months. NA Not Applicable. 1 of 1 Revision 8 septemer 25, 1996

'-"' TABLE 7.7-5 METEOROLOGICAL MONITORING INSTRUMENTATION AND SURVEILLANCE REQUIREMENTS INSTRUMENT a. Wind Speed 1. Elev. 33 ft. 2. Elev. 150 ft. b. Wind Direction 1. Elev. 33 ft. 2. Elev. 150 ft. c. Air Temperature Difference 1. Elev. 150 -33 ft. D At least once daily. SA At least once every 6 months. HCGS-UFSAR 1 of 1 CHANNEL CHECK D D D D D CHANNEL CALIBRATION SA SA SA SA SA Revision 8 September 25, 1996 Figure F7.7-1 SH 1-7 intentionally deleted. Refer to Vendor Technical Document PN1-C11-1030-0183 for all sheets in DCRMS HCGS-UFSAR Revision 20 May 9, 2014 Figure F7.7-2 intentionally deleted. Refer to Vendor Technical Document PN1-C11-1050-0095 SH 2 in DCRMS HCGS-UFSAR Revision 20 May 9, 2014

  • *
  • ROO ROO WITHDRAWAL MOTOR ROO ROO WITHDRAWAL MOTION BLOCK BLOCK t STOP STOP CONTROLS SELECTION SELECTION CONTROLS B t t t t t ACTtVlTY ACTIVITY CONTROL CONTROL A B DATA SERIAL DATA *COMPARE ADDRESS OF HCU SELECTED OPERATION ACTION CODE -1 HCU1 , .. --..... HCUI+l r -HCUO 1---.
  • COMPARE cp.-__ SERIAL DATA .. PARALLEL 1-----..._ .. OUTPUT DATA FOR DISPLAY ANALYZER OUTPUT DATA ADDRESS OF HCU RESPONDING OPERATION TAKING PLACE HCU STATUS REVISION 0 APRIL 11, 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION REACTOR MANUAL CONTROL SYSTEM OPERATION UPDATED FSAR FIGURE 7.7-3
  • * /'---..... I " I \ I I I I I I I l + I I LOOP c ,1 1 41 TO 253 sec I I I t I I I I t I I I l I \ ; , ___ /
  • START n""1 k=1 TEST HCU "n" COMMAND ROD TEST HCU "n" COMMAND ROD NO LOOPB 143 msec REVISION 0 APRIL' 11 .. 1988 PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION REACTOR MANUAL CONTROL SELF-TEST PROVISIONS UPDATED FSAR FIGURE 7.7-4

.J ----u i<: * :I I o1' * " OiUt3$NI z . OOli ii: 1 Z:'iS 1 l'iS I. t)";,: l),-,YUJ.Ull\0 61'S NMWHOH.liM OOH 81'S I li'S * . I I 9P'; I I <:it>S "s, ti'S c:*s t*S ; r OI'S I I ' I 6tS lltS 1-I I LtS I I 9tS , I JotS ' I ti:S I ; tts 1 i ItS

  • I ... (I!:S I Ill 0
  • ct .. e f>l.,; I c IJl$ : u 5 !: as z I 9lS-I f E I 'itS ;; 0 *t!> ._ \ tts . as I ll$ . -. OlS I _. __ .,_ -r ------* ----IllS I I I tl'S'i J 91S , 'iiS I *as ; ... ns * * ""' liS I
  • u .., c us :;) .. ""' ... 1.1 OlS 1 \i ---. -I REVISION 0 60S APRIL 11. 1988 i( . J 80S 1 LOS r PUBLIC SERVICE ELECTRIC AND GAS COMPANY :r( 90S I o* HOPE CREEK NUCLEAR GENERATING STATION .. sos-* ..OS .. I CO$ I < ELEVEN-WIRE POSITION PROBE i( lOS &OS I I "C 00$ I I --"ON H:JJ.IM$ _,. --UPDATED FSAR FIGURE 7.7-5 '

PS E G N u c lea r LL C C 2013 PS E G N u c l ea r LL C. A ll R i gh t s R e s e r v e d.

R E C I RC U L A T ION F L O W CON T R O L F igu r e 7.7-6 R e v i s ion 23, NOV 12, 2018 R e v i s ion 23, NOV 12, 2018 Upd a t e d FS A R Hop e C ree k N u c lea r G e n e r ating S t ation HO P E CREE K NU CLE A R G E N E R A T I NG S T A T ION

  • *
  • THIS FIGURE HAS BEEN DELETED . PUBLIC SERVICE ELECTRIC AND GAS COMPANY HOPE CREEK NUCLEAR GENERATING STATION Updated FSAR REVISION 7 DECEMBER 29. 1995 Figure 7.7-7
  • *
  • THIS FIGURE HAS BEEN DELETED PSEG NUCLEAR L.L.C. HOPE CREEK GENERATING STATION HOPE CREEK UFSAR -REV 14 SHEET 1 OF 1 July 26. 2005 F7. 7-8
Retrieved from "https://kanterella.com/w/index.php?title=ML18334A136&oldid=1379417"