ML18354A426
| ML18354A426 | |
| Person / Time | |
|---|---|
| Site: | Palisades  |
| Issue date: | 12/20/2018 |
| From: | Consumers Power Co |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| Download: ML18354A426 (34) | |
Text
....
/\
/I ,
/.
- -*' .. - -"") !
~'**<.
_\/-* -(..
\_ / ,/-1,,
/ / ('
/
- - - - ;*!' j
,... .._,.)-'
~~J*:I --- . \. /)
//
(_.~./-* I //1
.{.I ,.- .*.
- .>*'..~'
(fl '
il l-' \~ .* /
5.5 How is the low leakage inte~rity bf the joints between the "Engi-neered Safeguards Rooms" and the containment building ensured in the event of seismic activity?
Answer:
The joints between the "Engineered Safeguards Rooms" and the containment building are sealed by an airtight seal, the details of which are shown in the attached sketch (Figure 5.5-1).
16 Ga plastic flashing material used has the following properties:
Property Test Method Ult Ten Strength (Avg Value) 1000 Psi (ASTM D-412-62T)
Ultimate Elongation %(Avg Value) 450 Psi (ASTM 412-62T)
The integrity of the seal will not be affected by the level of predicted seismic activity because of the above-mentioned properties of the flashing.
5.5-1
.r I-d 0
>A.
- ii en a:
0 CO~T AJ ~l'-1E~IT
~L...D~.
I COG.A... P.:>r:~ T r-a 4 11 " Co
COl..JTI 1-J *
~~'4 11 6. )C' l'i' r-1--\HS 11-J M~T~L.
. ,. IN-e!:~T~ ©* !i11 O, c. *
~--l-!-.,.....---1 CD C1 A. . PL-A~i I C F= L1~ $1-l r1--J G 0
- 0 I>,
CONi. C~MC:NT JOINTS@
~o !:: A. C.1-\ '::.D G\ r:
Al~ TIGl-lT 5E:..~l- FL AS WI NGl-c&c~1.-e.. 1'7. t !. o
ll z
0 a..
a:
u en ILi 0
0 ILi a:
DECH TEL JOB No 5935 REV.
"f
.--no C\J CV") I C\J co P'OWER AND I I INDUSTRIAL dC:O DIVISION
5.18 How were the personnel and emergency escape airlocks designed against earthquakes?
Answer:
Both locks were considered as rigid bodies and designed for vertical acceleration of 6.7% g and a horizontal of 25% g. These values equal or exceed the accelerations of the containment shell at the lock location for the design earthquake. The resulting stresses were combined with those from dead load and internal or external pressure as applicable with the total stress not exceeding that permitted by the ASME Boiler and Pressure Vessel Code,Section III, Subsection B. In addition, the structures were reviewed to insure that failure would not occur if the above accelerations were doubled. (Maximum Hypothetical Earthquake) 5.18-1
5.19 What specific provisions are being made to prevent the overhead cranes, or their trolleys, in the containment building and over the spent fuel pool from being displaced from their rails during an earthquake?
Answer:
The containment building and the spent fuel building over-head cranes have mechanical stops to prevent the bridge trolley and other items normally held by gravity from becoming dislodged by seismic action.
5.19-1
5.36 What specifications on the maximum chloride content were applied to all ingredients, including flyash, air entraining and water reducing agents used in concrete for the containment building?
How was conformance with these specifications confirmed?
Answer:
No special limitations beyond the requirements of ACI 318 and the applicable referenced ASTM specifications on chloride content were specified for any of the materials used in the containment concrete.
5 .36-1
the leading group, will interrupt the planned sequence. The out-of-sequence alarm will be actuated in such an event. Again, the non-sequential withdrawal is not a continuous withdrawal.
The major difference between a sequential and nonsequen-tial withdrawal is their respective power distributions during the withdrawal. Therefore, in order to examine the potential consequences of a nonsequential withdrawal, cases were studied for initial conditions of maximum bite (FSAR Fig 3-15) for full power, 50% of full power, and hot standby. For these initial conditions, the most unfavorable of non-sequential withdrawals were studied. The maximum total peaking factors are equal to or less than those assumed for the FSAR (sequential with-drawal) analysis except for the hot standby condition. For hot standby, the maximum total peaking factor may be several percent greater for the nonsequential case. In all cases the axial*power peak is lower in the core (and therefore more favorable from a DNB ratio standpoint) for the nonsequential cases relative to the associated sequential power distri-butions. For all cases analyzed, the DNB ratio is greater than 1.3.
7.2-3
I E'ME:RG(NC'I' orr MANUAL ROD Sr'~lCOHTROLSW/TCH RAIS£' LOWER
RRD(MD RUNDOWN)
~)Mo~S£L.5W ot:HOl'F
.~.-~~--m--~:- ~-r~
~)woD£S£L:!JW ootOFF
. =--- --------m -OC .;-,"f"--
~NODE.5EL.Sw OCHarl'
-m _m ____m__,11
~)MODE.s£L.sw oEMOFF
~*'"'---:~-----m. ;.~--- -
(da-)1o10D£SE.L.5W oCHOFF wf!J O
~*
~Slf J!'Cff AUTO 0
OBAL.
120 Ya-c (o~)GR.P.SCL.SW.
~GRP. sn. SW p OPT (~
r---------oA ll4~F~ ------ ---- ______ ----- ---- _________ ------- ---.;;P-v.OF~ ________________ ---- __ r_-_-_-_-_-_-_-_-_-_-_-_~_-_--<>;-V~.0-**_*_*'_"_.s_w-t----,
~ LOWER r-----06 I 3 o--- ---oB ~ -" J-_ 1.f =:~; -ir ~~ r llfi]
I z. l ~ ~- ~AL _1,_ ~.JLr--.J a"'""' 2'o ~8 ~:, 0'7 2'o so ~ . ...
,.o
- f " o"°" .. ° ,..,. "
<l-',,p
- ~ (:,~
~ on
~.~.;)
- 0. .
~ (.~o) lfzlool 9ic l<f~ ~)
. .0 Z!O
."" 00 'S
(~
d'
~, ll
(~)
~
"'"'(~
' ~ .. !ri'oil o"
o40 90 100 05 130 GRP.I
°"' snROO GRP.2. GRP. 3 GRP.4 P#R.SHAPING GRP. A "o o4 GRP.8 "o
/4o lf Gli:P I GRPE! C.RP3 GRP4- : RWP o~~
[F ~
ROD ROD ol ROIIS[L. ROD.Sn. ROD ROD ROD _f_
1/0 o,
o.J /$0 0/0
.. ROD RO[) S£LSW. RO!lSEL..SW' 11°0 ,o, JSO
°n o.,,
019 iz* /60 011 ~w SCLSIV .SEL* .SW .SELSW SW SW SEL.Slf' Sf'l.Slt' SEL. SW ITHDRAllW.
D ~ELAYS Gif
~.~o)
I
~o) 11
~o~ ~
420
~ " P2:ltl!BIT f41NOCNTn
\CIRCUl.1!
PWR. SHAPING GRP.'A GRJ!B ROD $fl.SW ROD SEL.SW RODSfi, SW. r.**=iil L TRIP _J
_J I I I r----- -- l 111 -
---;- il li u __.,_____ _ G~P.
RElAY RJ!D
.,.l ROD RUN~
GRP RruY '~
LO'NE:R R.0!)
""' STOP L ~-~ UPPER LIMrT SW L S-39 LOWER Lr.WT LS-I LOWER
-e- SW
---a- LIMIT SVI a:::i*UlO 1lt.~ ~~[;C~~ J~¥:::~1~)( ~ASH ~~ROD
~p~~m~ L.ow5':
~ ....
~~J~ '-V-' ~
REGL.t.ATIN'G POWER ALnO MODE E~ ROD SHUTDOWN R!GtJLATlNG RO[)
LOWER BUS SIGNAL OFF RUNDOWN ROD INSERmN WITHDRAWAL RE:CiULATINCi PER ..SSIVE Pf'RMISSIV~
RtLAYS GRO~ RtLAYS e.uPPER S.£QUENTl""L PIRMl'=i!>IVE CON.llt.C.1"$ ARE
+ C:.~!:D A~E Tll.E LIMIT.
~~~S~~gr+:.t.,..&
- 5;[4 s~1"*
l"\!'l.t;
&ELOW THE L.IMIT.
GRP. TA"'
R!:LAY DE'llllrlON CONTACT CONTllCT CONTRcT UPPER ROD STOP (Uli!3)
UPPER ROD STOP cues)
MOTOR STNITTJI G#!CJUPZ
'0'""'
""""""~
ZLf 3L3 """'"'
UPPER.
2a.UEN11AL
~z:e ""'..,,.,"'
UR.S/AOI RAISE) (LOW URS p ..
~ IL~~
CONm<T lDSEj
~
ZL3 LOSEJ
~ ~ .. &OVE UPPEJi!. UPPER ea.ow U"5 5EOlJ£N7'AL SEQlJDflllL_
URS *c 120 Va*c fllE~l:J.S/'1£ PElt'N/S'5N¢ Cl:JNTRCT CON111Cr lLMITSWITCM LS-4 l:JRCPP£D 7VeaJNE l!OO li!UN#JRCI(
lltAe# ACTUArtOH SIGHRL Ol!O<JP 4
/
w R A A G w
/
(;:~] ~v~RJ'u~ ~0~1~00~]
IWTO .5EQU£NTlllL INHIBIT~
G_rr:TEi] TYPICAL FOR RODS 20 TYPICAL FOR ROCfi ,., 2.1- ... 1 TYPICAL FOR RODS K.u-*5
\ ,,(' y
/~p INDIC:TING L~ <iROUBS..JtB,l,Z,.3.4 LIGHTS
'p SHUTDOWN ROD DISPLAY L.ICiHTS (LOCATED ON SECTION CIZ-,J)
REGULATING ROD DISPLAY UGMTS (LOCAnD ON secnoN CIZ-3)
F'CJWE~ SHAPING ROD DISPLAY LIGHTS (LOCATED 011/ SECTION CIZ-.3)
Rod Drive Control System '"'COMBUSTION ENGINEERING, INC. Figure Schematic Diagram ~ WINDSOR, CONNECTICUT 7.2-1
will be installed in the more concentrated cable tray areas. F.ach of the spray heads is furnished with a thermal device which initiates oper-ation of the individual head. No temperature monitoring of raceways is provided. Protection from hot weld metal is provided on an individual basis in the spec~i:t_c areas where welding is performed. Raceways within the containment are i~ated in areas free of the projected missile paths.
Nonvital cables, except for those required to operate during a DBA, are the same as the cables used in the engineered safe-guards circuits. They are sized, rated, protected and,.except for separation, utilize identical type raceways sharing, where convenient, the same trays as engineered safeguards cables.
Each cable is tagged at both ends with a unique number.
Each raceway is assigned a unique number which defines the type such as rigid conduit or tray and the use, such as power, instrumentation or con-trol. Raceways are marked only for installation purposes.
The engineering office is responsible for design of schemes, raceway layouts assigning raceway and cable numbers, cable routing and separation. The field is required to install the raceways and cables as shown on the drawings and schedules. The field checking responsibility extends only to assuring that the raceway~ and cables are installed cor-rectly. Any design checking by the field is for their own information, but any questions or discrepancies arising from such checking are sent to the engineering office for resolution.
7.13-6
11.4 What would be the thy~oid and whole body doses to an operator in the control room during a DBA, including the contribution during ingress and egress? Summarize how these doses are calculated identifying all assumptions.
- Answer:
The following are calculated whole body and thyroid exposures to an operator who remains inside the control room for ten hours following a DBA and the contribution during ingress or egress:
- Whale.Body Ten Hours Inside Control Room 0.12 Rem Evacuation @ 100 Ft per Minute
'Thy-raid Ten Hours Inside Control Room o.48 Rem Evacuation @ 100 Ft per Minute 0.32 Rem a.Bo Rem Coefficients and Assumptions:
-u = 2m/sec cy = o.4 cz = 0.05 n = 0.33 d = 32.5m Building wake effect considered.
Control room filter efficiency of 95%.
No gas mask during evacuation.
11.4-1
7.5 Does the design of the controls for the engineered safety feature systems meet the requirements of IEEE 279 and the AEC General Design Criteria? Identify any systems that do not and justify each exception.
Answer:
It is our opinion that the controls for the engineered safety feature systems meet all of the requirements of IEEE 279.
It is our opinion that the controls for the engineered safety features systems meet the requirements of the following proposed AEC General Design Criteria:
Criterion 11 - Control Room 12 - Instrument and Control Systems 15 - Engineered Safety Features Protection Systems 19 - Protect ion Systems Reliability 20 - Protection Systems Redundancy and Independence 24 - Emergency Power for Protection Systems 25 - Demonstration of Functional Operability of Protection Systems 26 -*Protection Systems Fail-Safe Design 38 - Reliability and Testability of Engineered Safety Features 48 - Testing of Operational Sequence of Emergency Core Cooling Systems 60 - Testing of Containment Spray Systems The controls for the engineered safety features systems do not meet the requirements of the following proposed AEC General Design Criteria. An explanation is given for each case.
Criterion 23 - Protection Against Multiple Disability for Pro-tection Systems This criterion indicates that adverse conditions to which the engineered safety features systems might be exposed to in common shall not result in loss of the protection function. A strict interpre-tation of this AEC criterion would require separate rooms throughout the plant for each channel. We do not believe this is necessary. We do believe, however, that we have met the intent of this criterion, and the 7.5-1
discussion of AIF Criterion 23 in Appendix I, Page 1-ll of the FSAR sub-stantiates this.
Criterion 39 - Emergency Power for Engineered Safety Features This AEC criterion states in part that "As a minimum, the on-site power system and the off-site power system shall each, inde-pendently, provide this capacity assuming a failure of a single active component in each power system."
The Palisades plant does not meet this criterion in that a single failure in the off-site power system, such as loss of an incoming transmission line tower between the substation and the plant or loss of the start-up transformer during plant start-up or cooldown, would prevent off-site power from supplying engineered safeguards loads. We do not believe it is necessary to meet this AEC criterion with respect to single failures in off-site power sources since the Palisades Plant has two on-site emergency generators, either of which is adequate for supplying power to the redundant engineered safety features equipment.
We have addressed ourselves to AIF Criterion 39 in Appendix I, Page I-17 of the FSAR. A further discussion on transmission line failure appears in answer to Question 8.1.
7.5-2
"" t .. .. I
~
- t<? ~~~'~
I a::: 1.
I 0
FAN BLADE I ; ~
0 1' I Ll r ....I u..
~l J
\ J*, - . --r I;
!d
~
I I I I
I
- I - i _J I
0 - I I- I c::
LLl
- I ,
-Cl a...
V,)
I c::
0 I-I 0 c::
I
.. I I
! -I c.!:l z:
V,) ~ ...;., *o i ix
=> ~$
0 I c::: -
- c c:::
c:: . 0 I- I r-- .......
0 I-0 >-
i:!:-
Vl I
- I I
\ I II I
I I-I LL.
- I I 1
I ~
<:(
I ~-,
- c
- I I V,)
I I:
1rrr-I c::
0 A\
{=~ I-1~ µ.+i 1'1 I 0 c::
-~; l I
'ii
_J.
0 C,.)
rRlFAN BLADE I :j..i i'{t ~]11 11:\,
I 1'11 L&J 11 N LU 11~ 1~'"~1' z ~ I
'-1/
, l"'-J I ~~ :'
~*<rl~ 1:
-~~I
~ / / '~~* ',*. :1~ '
--'*r-- : I I I I r a:i LU
- s:
I ...
l
' t. -
T l --* -
Motor-Flywheel Assembly . '"'COMBUSTION ENGINEERING, INC. Figure
[5:!I . WINDSOR, CONNECTICUT 14.1-1
14.2 What are the potential consequences of an uncontrolled withdrawal of an individual control rod?
Answer:
Should a malfunction in the control system cause withdrawal of an individual control rod, two separate systems are designed to alert the operator to the condition (FSAR Section 7.4.2.3). The primary rod position sensing system measures rod positions by use of synchros. If the positions of the highest and lowest.rods deviate by as much as four inches, the primary rod position sensing system will initiate an alarm.
A second alarm will be initiated if the deviation is six inches or more.
Another system, the secondary rod position sensing system, measures rod position by use of rod actuated magnetic reed switches. Four-inch and six-inch deviation alarms are actuated by this system also. Therefore, there are four separate alarms to alert the operator of the condition and operator failure to respond to one of these alarms (a necessary condition for an uncontrolled withdrawal) is incredible.
14.2-1 I_
The whole body and thyroid doses are calculated for a ground release into the building wake. Wind speed was assumed to be 2 m/sec and the Sutton diffusion parameters were taken to be n = 0.33, Cy = 0.40 and Cz = 0.05.
For the credible failure of 13 fuel rods in either the spent fuel pool or the reactor vessel, the maximum offsite whole body dose is 0.007 rad; the maximum offsite thyroid dose is 0.066 rad.
14.l
9.4 CONCLUSION
The potential offsite doses resulting from a credible fuel handling accident in the spent fuel pool area or containment building are less than the guidelines of 10 CFR 100.
TABLE 14.19-1 ACTIVITY RELEASE FROM FUEL RODS TO WATER, CURIES (TWO DAYS AFTER SHUTDOWN)
Worst Rod Worst Outer Row Xe-133 215 2,256 I-l31 93 1,050 1-.
- ~ Kr-85 9 112 TABLE 14.19-2 MAXIMUM OFFSITE DOSE Dose, Rad Thyroid Whole Body 0.066 0.007 14.19-4 Rev 4/10/69
However, a detailed evaluation of historic epicenters, the re-gional geology and a study of actual foundation conditions at the site indicate that a Zone VIII assignment is too conserva-tive for the Palisades Plant. Correlations made in the course of the recent investigations suggest a concentration of the major epicenters (Maximum Intensity VIII) about 200 miles south-east from the site focused on the ancient regional structures termed the Cincinnati and Findlay Arches (see Figure 2-10).
These structural features are considered the foci of the his-toric earthquakes experienced along the arch lineation.
As pointed out by Richter, "Seismic Regionalization" (1959)
Bulletin of the Seismological Society of America, Volume 49, No 2, the occurrence of a major earthquake (Intensity IX) along the western end of the St I.a.wrence rift would result in the as-signment of Intensity VIII to areas of thick deposits of soft unconsolidated foundation materials. However, foundation condi-tions such as reported above at the Palisades site warrant a reduction in probable maximum intensity to between VI and VII (MM).
The lower intensity earthquake~ (Intensity V to VI) recorded within 100 miles of the site have no known correlation with tec-tonic or structural features. These earthquakes probably can be considered as related to the marginal seismicity surrounding the Canadian shield or attributed to the lesser-known phenomenon termed "post-glacial rebound."
The compacted glacial material underlying the sand dunes would not be expected to significantly amplify seismic tremors trans-ferred to it from the underlying bedrock. In fact, the tendency for amplification of seismic accelerations can be relatively discounted due to the relationship between the shallow depth of overburden (material over bedrock) at the site and the length of seismic waves.
Thus, the applicant considers that the site area is beyond the significant influence of the. major seismic activity associated with the arch zone (because of distance and foundation conditions) but within the area where minor earthquakes resulting from Canadian shield marginal seismicity or "post-glacial rebound" are generally geographically distributed.
Based on the above, a maximum intensity at the site of between VI and VII (MM) is anticipated. This intensity corresponds to a sur-face acceleration value of 0.05 g.
2.
4.4 CONCLUSION
S (a) Anticipated maximum earthquake intensity at the Palisades Plant site is between VI and VII (MM).
(b) Recommended surface acceleration value was 0.05 g; however, 0.1 g was used for the plant design earthquake, and 0.2 g as the hypothetical earthquake.
2-16
0 below 250 F. This cooling water is from the component cooling system and is under low pressure and not connected to the primary water system. A seal leakage collection cup is provided with a thermocouple in the seal leak-off line to monitor for cooling water or seal failure. Seal leakage is drained to the primary system drain tank.
Rack and Pinion Assembly The rack and pinion assembly is an integrated unit which fits into the lower pressure housing and couples to the motor drive package through the upper pressure housing. This unit carries the bevel gears which transmit torque from the vertical drive shaft to the pinion gear. The vertical drive sha~ has splined couplings at both ends and may be lifted out when the upper pressure housing is removed. Ball bearings are provided for supporting the bevel gears and the pinion gear. The rack engages the pinion, and is held in proper engagement with the pinion by the backup rollers which carry the load due to gear tooth reactions. The gear assembly is attached to a stainless steel tube supported by the upper part of the pres-sure housing. This tube also carries and positions the guide tube which surrounds the rack. The rack is a tube with gear teeth on one side of its outer surface and flats on the opposite side which form a contact surface for guide rollers. Flats are cut on two opposite sides of the rack tube for forming the rack teeth and for a contact surface for the backup rollers. The upper end of the rack is fitted with an enlarged section which runs in the guide tube and provides lateral support for the upper end of the rack. It also acts as a piston in controlling water flow in the lower guide tube dashpot. The top section also carries a permanent magnet which is used to operate a rod position indicator outside the pres-sure housing. The load on the guide tube is transferred through a connection at its upper end to the support tube then to the pressure housing. The support for the guide tube contains an energy absorber at the top end of the tube which deforms to limit the stresses on the tie rod, connector shaft and control rod in case the mechanism is scrammed without water in the dashpot. If such a "dry scram" should occur, the mechanism and control rod would not be damaged; however, it would be necessary to disassemble the drive and replace the guide energy absorber.
Motor Drive Package Power to operate the drive is supplied by a fractional horsepower, I 120 V, single phase, 60 Hertz motor. The output is coupled to the vertical drive shaft through a magnetic clutch and an antireverse clutch operating in parallel. When the magnetic clutch is energized, the drive motor is connected to the main sha~ and can drive the rod either up or down. With the magnetic clutch de-energized, the rod will drop due to its own weight. The motor shaft is fitted with an electrically operated brake which is connected to release the brake when the motor is energized. When the motor is de-energized, the
- brake is set by means of springs. This brake prevents driving except by means of the motor and thus holds the drive and control rod in position. The magnetic clutch when de-energized separates 3-58 Rev 4/10/69
accordance with IPCEA were performed and the insula-tion met all requirements. The control and power cables were then tested to DEA concurrent temperature, pressure and humidity conditions while carrying rated current.
All samples passed the electrical and physical tests in accordance with IPCEA.
6.1.4 DESIGN ANALYSIS Ability to meet the core protection criteria is assured by the following design features:
(a) A high capacity passive system which requires no outside source and will supply large quantities of borated water to rapidly re-cover the core after a major loss-of-coolant accident up to a break of the largest primary coolant line.
(b) A pumping and water storage system with internal redundancy which will inject borated water to provide core protection 6-12g Rev 4/10/69 Rev 7/15/69
Containment de-isolation is accomplished by a manual reset push button on each circuit when containment pressure and radiation have decreased below the isolation trip points on at least three of the four pressure and radiation sensors.
Prior to reopening any of the isolation valves following an accident, administrative controls will require samples of the containment atmosphere and of the recirculated water to be taken and checked for activity.
5.1.6.3 Design Analysis (a) System Reliability - Margins of Safety System reliability is achieved with the following features:
(1) Automatic containment isolation valves are air-operated fail-closed type, with the exception of the component cooling water return isolation valves as explained previously. The electrical circuity for developing the isolation signal and actuating the isolation valves is fully redundant and powered from the preferred a-c system.
(2) Where required, isolation valves are arranged in series so that no single failure will compromise plant safety.
(b) Provisions for Testing and Inspection Components of the containment isolation system outside the con-tainment are accessible for periodic inspection during plant operation. Components inside the containment are accessible only during plant shutdown.
Provisions are made for pressure testing between all isolation valves in a series arrangement enabling the verification of valve seating or check valve operation.
Operation of the automatic isolation valves can be tested during plant shutdown by means of push buttons located in the main control room.
5.1.7 CONSTRUCTION 5.1.7.1 Construction Methods (a) Governing Codes The following codes of practice were used to establish standards of construction procedure:
ACI 301 - Specification for Structural Concrete for Buildings (Proposed)
ACI 318 - Building Code Requirements for Reinforced Concrete 5-34
. (4) Piping and connections for these transmitters are separated and isolated to provide independence. The output of each transmitter is an ungrounded current loop (see typical loop, Figure 7-2) supplying signal receivers and bistable trip modules.
(5) .The trip modules have three isolated outputs which feed the logic matrices. Additional outputs feed the pretrip alarm, the trip alarm and a sequence-of-events recorder. Provi-sions are also made for test inputs to the trip modules for normal protective system testing and are described in 7.2.6.
The protective system outputs referred to here are connected into logic matrices as shown in Figure 7-lB.
LOGIC OPERATION (SEE FIGURE 7-lB)
The instrument channels which supply protective action operate channel trip modules; each module includes three. sealed, electro-magnetically actuated reed relays and associated contacts. Four modules are actuated for each trip condition, eg, high primary coolant pressure. The relays in each module are numbered one, two and three. Ea.ch relay has a single-pole, double-throw (SPIY.l')
contact. The normally open contacts of the No 1 relays in the Channel A and B modules are connected into a two-out-of-two logic ladder matrix. (The normally open contacts ar!9 used for the logic ladders so that the relays are energized and the con-tacts closed under operating conditions.) *The respective No 2 and No 3 relay contacts are similarly connected into separate logic ladder matrices. With the Channels C and D modules arranged in a similar manner, there are a total of six independent matrices.
These logic ladders are designated the AB, AC, AD, BC, BD and CD logic trips.
The output of each logic ladder is a logic trip set of four sealed, electromagnetically actuated power reed* relays. Each relay in
- these sets has an SPDT contact. The contacts from one relay of the set from each logic ladder output are placed in series with corresponding contacts.from the remaining sets in *each of the four trip paths. Each of these paths is the power supply line to a power trip relay which interrupts the power to the CRDM clutches. De-energizing of any one power trip relay interrupts (opens) one trip path and effects a one half trip. De-energizing any set of logic trip relays (which results from trip action of any two channels through a ladder matrix) causes an interruption of all trip paths and a full trip.
If' one of the trip modules is .to be removed for maintenance, the logic matrices may be changed from a two-out-of'-f'our trip to a two-out-of-three trip by the operation of' the logic bypass switch (shown on the output of the trip module, Figure 7-2). One key-operated switch is provided for each trip parameter. Only one key is provided for the trips for any one variable to assure that only one of a group of four could be bypassed at one time.
- 7-8
-l_
7.2.6 TESTING Provisions are made for periodic testing of the protective _system to assure its reliability. These tests cover the trip paths from sensor to the output to the final.CROM clutches.
During reactor operation, the measuring channels are checked by
- comparing the outputs of similar channels and cross-checking with related measurements. The trip modules are tested by inserting a voltmeter in the circuit, noting the signal level, and initiating a test input which is also indicated on the voltmeter. This pro-vides the necessary overlap inthe testing process and also enables the test to establish that the trip can be effected within the re-quired tolerances. The test signal is provided by an eXternal test signal generator.which is connected to the trip module at the sig-nal input terminals. With the test signal generator connected, the desired signal is selected and then inserted into the trip module by depressing the manual test switch. The test circuit permits various rates-of-change of signal input to be used. Trip action (opening) of each of the trip module relays is indicated by indi-vidual lights on the front of the trip module. The pretrip alarm action is indicated by a separate light.
The sets of logic trip relays at the output of each* logic matrix
- are .tested one at a time. The test circuits in the logic permit only one logic ladder to be opened and one set of relays to be held at a time; the application of hold.power to one set denies the power source to the other sets. In testing a logic trip set, eg, AB, a holding current is initiated in the test coils of the logic trip relays by turning the matrix relay trip*test switch to "off"* and depressing the matrix logic AB test push-button switch.
Operation of the matrix trip test switch de-energizes a parallel pair of module trip relays. With the ladder~logic relay contacts open, the logic trip relays may be de-energized one at a time (by rotating the matrix relay trip test switch) to initiate a half-trip. Indicator lights on the trip relay coils and on the d-c power supply a-c feed lines provide verification that coil opera-tion and half-trip conditions have occurred.
EF'.F'Em'S OF CIRCUIT' AND COMPONENT FAILURES The protective system is designed and arranged to perform its func-tion with single failures. Some of the faults and their effects are described below. These are typical of the faults that are considered during the system analysis.
In the analog portion of the system:
(1) A loss of signal in a channel initiates channel trip action for all trips except high rate-of-change of power, high power level and high pressurizer pressure.
7-10
(13) The d-c clutch power supply circuits operate ungrounded so that single grounds have no effect. The clutches are supplied in two groups by separate pairs of power supplies to further reduce the possibility of clutches being improperly held. The clutch impedances and load requirements are such that the ap-plication of any other local available voltage will not prevent clutch release, eg, connection of the clutch supply circuit to the battery distribution circuit would cause the distribution circuit fuse to blow due to excessive current drain. Connec-tion to a 115 volt a-c circuit would have similar effects.
Connection to available low-voltage d-c, such as the nuclear
.instrumentation power supplies, would have no effect since these power supplies have insufficient capacity to supply the load.
7.2.8 POWER SOURCES The power for the protective system is supplied from four separate independent preferred a-c buses. Each preferred bus is supplied from the battery system through an inverter to assure an uninter-rupted, transient-free source of power.
Each preferred bus also has provision for connection to an instru-ment a-c bus to permit servicing of the inverters.
The distribution circuits to the preferred buses are provided with circuit protective devices to assure that individual circuit faults are isolated.
PHYSICAL SEPARATION The location of sensors and the connection of sensing lines to the process loop are effected to assure channel separation and preclude the possibility of single events negating a system action. The process transmitters located inside the containment, which are re-quired for short-term operation following a DBA, are rated and have been tested under simulated DBA conditions (see Section 6.1.3.2c). The routing of cabl~s from these* transmitters is arranged so that the cables are separated from each other and from power cabling to reduce the danger of common event failures.
This includes separation at the containment penetration areas.
More detail on cable installation is discussed in Section 8.5.2.3.
In the control room, the four nuclear instrumentation and protec-tive system trip channels are located in individual compartments.
Mechanical and thermal barriers between these compartments reduce the possibility of common event failure. Outputs from the compo~
nents in this area to the control boards are buffered so that shorting, grounding, or the application of the highest available local voltages does not cause channel malfunction.
7-12 Rev 7/15/69
7.3.1.4 Pressurizer Level Regu1ating 1*9 Pressurizer level is maintained within an operating band by means of the chemical and.volume control system. Water is continuously drained and charged automatic8lly to and from the volume control tank with regulating system inputs from pressurizer level sensors.
The level-set point is programmed as a function of Tavg (average of hot and cold leg temperatures); There are two completely inde-pendent automatic control.channels with channel selection by means of a manual control switch.
- Automatic control is normally used during operation but manual control may be utilized at any time.
7.3.1.5 Steam Dump and Bypass The steam dump system provides a means of dissipati.ng excess NSSS stored energy and sensible heat following a turbine trip without lifting the safety valves. Steam .is discharged from the main steam lines to the atmosphere via steam dump valves and to the condenser via a steam bypass valve. The steam dump and bypass valves are sized to prevent opening of the steam generator safety valves fol-lowing a turbine trip at full load.' The steam flow is. regulated by the dump and bypass valves in response to Tavg and secondary pressure signals. Refer to Figure 7-8. .
- Inputs to the system are Tavg' turbine trip signal and steam header pressure.
7.3.i.6 Turbine Cutback Automatic load reduction is accomplished by a turbine runback signal supplied to the turbine governor controls whenever a dropped rod condition is sensed.
7.3.1.7 Turbine Generator Control System The turbine generator control system is the means by which the
- turbine generator is made to meet the electrical load demand placed upon it. The turbine impulse chamber pressure, turbine speed, and electrical load are used as the control indices.
SYSTEM DESIGN 7.3.2.1 Reactor Regu2ating A block diagram of the reactor regulating system is shown in Figure 7-9. The system consists of:
(1) Two four-input controllers for rod motion.
(2) Two primary coolant average temperature (Tref) programmers.
(3) One loop 1 - loop 2 Tavg deviation alarm unit.
7-16
with some reactor parameters at values which would normally cause a trip. For these special operations, zero power mode bypass switches may be used to bypass the low flow, low steam generator pressure, and the low therm.al margin/low-pressure trip functions.** These bypasses are automatically removed above lo-4% power. ,
- Interlocks to prohibit regulating group withdrawal are provided to prevent the reactor from reaching undesirable conditions. These interlocks are swmnarized in Table 7-3.
TABLE 7-3 Manual Manual Automatic Individual Sequential Sequential Withdrawal Control Group Control Group Control Prohibit Conditions Mode Mode Mode Tavg Deviation x Tavg - Tref Deviation x Pretrip Overpower x x x Rod Drop x High Start-up.Rate (Between 10-4% and 15% Power) x x x The part-length rods may be moved.manually either individually or as a group. A selector switch prevents simultaneous manual move-ment of the part-length and any other rods. The part-length rods have upper and lower limits of travel.
7.3.2.2 Primary Pressure R~gulating Two independent pressure channels provide suppressed range (1500 to 2500 psia) signals for control of the pressurizer heaters and spray valves. The output of either controller may be manually selected to perform the control function. During norrn8.l operation, a small group of heaters is proportionally controlled to maintain operating pres-sure. If the pressure falls below the proportional band, all of the heaters are energized. Above the normal operating range, the spray valves are proportionally opened to increase the spray flow rate as pressure rises. A small continuous flow is maintained through the spray lines at all times to keep the pipes warm and reduce thermal shock as the control valves open.
- Three bypass switches will be provided. Each bypass switch will remove these trip functions from one of the four protective system channels.
7-19 Rev 7/15/69
7.3.3.4 Pressurizer Level Regulating Two separate level control systems are provided with redundant level transmitters and controllers. The controllers are located in the main control room. Control can be accomplished by either automatic or manual operation. Three charging pumps and three letdown orifice valves provide redundant means of increasing or decreasing primary coolant water inventory. The variable pres-surizer level control program maintains primary coolant discharge and addition required during plant load changes.
7.3.3.5 Steam Dump and BypaSS The steam dump valves can be operated from either the main control room or from the engineered safeguards local panel. Automatic or manual control is provided at the main control room station.
Inadvertent opening of the atmospheric dump valves is prevented by requiring that the turbine stop valves be closed before the dump valves can be opened. Excessive primary system cooldown by the dump valves when in automatic control is prevented by a narrow-range temperature signal which has a minimum output corresponding to 517° F. .
_Turbine bypass is available whether the turbine valves are open or closed and will limit the maximum steam pressure to 700 psia during hot standby.
7.3.3.6 Turbine Cutback Turbine cutback when required is assured by two separate detection systems and two separate control devices.
The control rod insert limit switches and the power range flux de-tectors will both sense a dropped control rod. Actuation of either detection system will initiate a turbine cutback.
The turbine admission valves will be closed in response to either the turbine governor control or the turbine load limit control action.
The rate of cutback and the amount of cutback assure that no reactor core damage will result as the consequence of a dropped rod. The rate and amount of cutback have been investigated with an analog simulation of the NSSS. The amount of cutback is sufficient to com-pensate for the maximum calculated single rod worth. This rod worth will be verified in the start-up physics testing. The results of a dropped rod are presented in Section 14.4.
Turbine Generator Control System The electrohydraulic control system used is a conventional control system with many unit-years of operating experience. The system has been refined and has proved to be very reliable and superior to earlier control systems .
. 7-25
(5) Each of the f'our power range safety channels is physically separated from the others. Each start-up and logarithmic*
channel is separated from the other channel.
(6) Uninterrupted :power is supplied to the system from f'our separate a-c buses. U:>ss of one bus will disable one safety channel and one start-up or logarithmic channel.
(7) Loss of a-c power to channel logic results in a channel trip.
(8) All channel outputs are buffered so that accidental connec-tion to 120 volts a-c, or to channel supply voltage, or shorting individual outputs does not have any effect on any of the other outputs.
- Start-Up Channels - The start-up .channels are conventional counting type channels utilizing a pulse signal from a high sensitivity B-10 lined pro:portional counter. The pro:portional counter consists of two assemblies with twelve individual detectors in each assembly.
The use of multiple detector elements within each proportional counter assembly permits high neutron sensitivity while operating in gamma fluxes up to 200 rem/hr. System reliability is improved through use of integral triaxial detector cables within the region of high neu-tron arid gamma flux. The output of each detector assembly is fed separately to an initial amplification stage in a locally mounted preamplifier. The pulse outputs are then combined and again ampli-fied to drive 300 feet of cable between the preamplifier and the sig-nal processing drawer in the control room. Here, gamma pulses are discriminated against and the pulse input converted to a signal pro-
- portional to the logarithm of count rate. This signal drives a front panel meter, a remote recorder, a remote meter (all 1 cps to 3 x 105 cps range) and bistable trip units. An audio signal pro:portional to the count rate may be connected to control room and containment loud-speakers. The channel also provides a shaped pulse output for attachment of a scaler.
The log count rate signal is differentiated to provide rate-of-change of power information (-1 to 0 to +7 decades/minute). This rate sig- .
nal feeds a front panel meter, a remote meter and bistable trip units.
A drawer front panel meter indicates detector high voltage. Detec-tor voltage is also monitored by a trip unit which provides an alarm on decrease of voltage or removal of any of the drawer modules.
Channel test and calibration is accomplished by internally generated pulse signals. A fixed ramp signal is available for check of the rate-of-change circuitry.
A drawer-mounted bistable trip unit provides a visible and audible alarm at approximately 1.5 decades/minute. Trip units reset auto-matically when the trip condition clears. In addition to having two contact outputs f'or remote alarm, each trip actuates a front 7-32
The contact output of each trip unit is fed to a single channel of the reactor protective system. Thus, with two wide-range logarithmic channels, a separate rate trip signal is fed to Chanp~ls A, B, C and D of.the reactor protective system. The
<10-Ltcfo of full power rate-of-change bypass is initiated by the wide-range channel level signal. Th~ level signal is fed to two trip units set to trip above 10- %* Contacts from each trip unit open above 10-~ to remove the rate trip bypass and to re-move the zero power manually actuated bypass associated with a single channel. The zero power manual actuated bypass allows control rod drop testing, or rod withdrawal for other tests I during shutdown. The trips bypassed are low flow, low steam generator pressure, thermal margin/low ~ressure. These trips are automatically reactivated above 10- % full power.
The >15% full power rate-of-change trip bypass for a particular channel is initiated by a bistable trip unit in the power range safety channel. Above 15% full power, the bistable trip unit resets closing a contact in parallel with the rate trip contact associated with that channel (A, B, C or D). This method of rate trip bypass permits maximum independence of rate trip channels.
The rate-of-change of power pretrip alarm utilizes a single bistable trip unit (containing two sets of relay contacts) in each wide-range logarithmic channel. Each set of contacts feeds an auxiliary bistable trip unit in one of the channels of reactor protective system. The auxiliary trip unit in turn initiates the rod withdrawal prohibit signal and pretrip alarm. The signal to the auxiliary trip unit is bypassed below lo-4% and above 15% of full power to avoid spurious alarms and rod withdrawal prohibits.
Reset of the trip units operates as described for the start-up channels.
Power Range Safety Channels - The four power range channels measure flux linearly over the range of 1% to 125% of full power. The de-tector assembly consists of two uncompensated ion chambers for each channel. One detector extends axially along the lower half of the core.while the other, which is located directly above it, monitors flux from the upper half of the core. The upper and lower sections have a total active length of 12 feet. The d-c current signal from each of the ion chambers is fed directly to the control room drawer assembly without preamplification. Integral shielded cable is used within the region of high neutron and gamma flux.
The signal from each chamber (top and bottom) is fed to independent amplifiers. The output of the amplifiers is indicated, compared and summed. The individual ampli.fier output is indicated on the amplifier drawer. The outputs are compared with each other to in-dicate axial flux tilts. The summed output of the two amplifiers is indicated, recorded and compared with averaged summed outputs 7-35 Rev 7/15/69
of all four power range channels. Should the signal differ from the average signal by a preset amount, a front panel indicator and remote alarm is actuated. The summed signal is fed to trip units which in turn yield a contact output to the reactor pro-tective system *
. Two outputs of the summing circuit are available; l~ - 125% or 0.1~ - 12.5% full-scale indication depending upon the position of the channel range selector switch. The 1% - 125~ full-scale out-put is always fed to the comparator-averager which computes the average power level of all four channels and to the bistable trip unit* which disables the logarithmic channel rate trip above 15%
full*pbwer. Exc!:!pt for these two functions, the full-scale signal output is changed by the range selector switch resulting in the high power trip and pretrip set points Qeing lowered by a factor of ten when the range selected i~ 0.1% - 12.5%* The summing cir-cuit also has an X2 gain selector switch which disconnects the input of one ion chamber and doubles the gain for the other ion chamber to allow full-scale power indication should one ion chamber fail.
Each of the 1% :- 125% full-scale signals is also fed to a control rod drop-detection circuit which compares the immediate signal level with a time delayed (5 to 15 seconds) signal level *. Upon detection of a difference in the two signal levels, a turbine run.-
back signal is actuated to decrease the turbine output to 70%
power.
Channel calibration and test is accomplished by an internal current source which checks amplifier gain and linearity. A check of the level trip set point is provided by a current signal which is add~d to the normal detector output.
Each power range channel contains eight bistable trip units. Opera-tion of the bistable trip units is as follows:
Trip Approximate Unit Input Signal Trip Action Set Point 1 Detector Voltage Audible and Visible 15% Below Normal Module Interlock Alarm Operating Voltage Operate-Calibrate Switch 2 Power Level Trip Signal to RPS 106.5% Full Power (Four Pumps) 3* Power Level Pretrip Signal to Alarm 104.5% Full Power and Rod Withdrawal Prohibit* (Four Pumps) 7-36
The switchyard 345 kv power circuit breakers, the circuit from the switchyard to the generator main power transformer and the circuit from the switchyard to the start-up transformers are provided with disconnect switches to permit isolating any power circuit breaker or any circuit from the switchyard buses.
Zone relaying is provided for the circuit from the switchyard to the generator main power transformer and for the two switch-yard main buses. One of the main bus zones includes the circuit from the switchyard to the start-up transformers. The four out-going lines are each provided with high-speed relays. In addi-tion, all 345 kv power circuit breakers are provided with relays to trip the second zone breakers for each circuit should the line breakers fail to trip.
TABLE 8-1 RATINGS AND CONSTRUCTION OF COMPONENTS Breakers - 345 Kv Nominal
- 2000 A Continuous
- 41,000 A Momentary
- 25,000 Mva Interrupting Insulators - 1050 Kv BIL Main Bus - 3000 A Bay Bus - 2000 A Disconnect Switches - 2000 A Continuous
- 70,000 A Momentary Description - Switchyard Control System - The 24o volt and 120 volt, 60 hertz and 125 volt d-c switchyard power supplies are shown on Auxiliary Power Single Line Diagram, Figure 8-3. The two 24oo volt buses that supply power to the engineered safe-guards system also supply the switchyard control power through two 24oo-24o/120 volt, 6o hertz switchyard power transformers.
Each of the transformers supplies half the 240/120 volt, 6o hertz power requirements for the switchyard; however, either transformer can be connected to carry the total load via a bus tie breaker.
The a-c load is divided among four power panels; the loss of one power panel will not affect operation of the other three and hence will not jeopardize the total 24o/120 volt, 60 hertz auxiliary power in the switchyard.
The 125 volt d-c auxiliary power is supplied from a 6o-cell bat-tery which is located in the switchyard and can supply the switch-yard d-c power requirements for eight hours without recharging.
8-4
--* 8.4.1.2 Description and Operation Description - There are two emergency diesel engine-driven genera-tors of equal size. The generators have static type excitation and are provided with field flashing for quick voltage buildup.
The generators are connected to generator breakers located in the 2400 volt engineered safeguards switchgear. Each generator is connected to a separate 24oO volt bus. The generator breaker control is shown on Schematic Diagram Figure 8-6. Synchronizing equipment is provided to permit connecting the generator to the 2400 volt_bus for parallel operation with the normal or standby power source. The synchronizing equipment is automatically bypassed by breaker position interlocks to permit manual and automatic clos-ing of the emergency generator breaker on a dead bus.
The diesel engines are designed for air start and a separate com-pressor and receiver is provided for each engine. A separate fuel oil day tank is also provided for each engine. Each engine has two independent starting control circuits including two air motors, each initiated from a separate signal and energized from separate battery sources. The diesel engines, fuel oil systems and air start systems are equipped with instrumentation to monitor all important parameters and annunciate abnormal conditions.
Water and oil heaters are provided to maintain the engines in 11 start 11 readiness.
The emergency generators are equipped with the mechanical and electrical safeguards necessary to assure personnel protection and to prevent or limit equipment damage during operation or fault and overload conditions. The generators and their 2400 volt breakers have overcurrent and differential protection. All wiring will pass the vertical flame resistance test in accordance with ASTM D470-64T.
The emergency diesel generators and their auxiliaries are designed to withstand Seismic Class 1 acceleration forces without malfunc-tion. The emergency diesel generator systems and components are installed in tornado protected areas and the units are separated by a wall.
Each emergency generator supplies a separate 24oO volt bus and a redundant group of engineered safeguards consistent with the two-channel power concept.
Diesel Generator Control Circuits - Physical separation and elec-trical isolation are maintained between the two diesel generator control circuits. The automatic start initiation circuits are a part of the safety injection control circuits and are redundant and physically isolated. The control circuits, in addition to the "automatic" functions, are arranged for manual start-stop at the diesel and in the control room. The controls for the governor, voltage regulator, synchronizing and for the generator breaker are located in the control room.
8-19
I
-.)_ Testing in the "without standby power" mode will also initiate an emergency generator start. The bus load shedding will not occur with standby voltage available. After a test, the solenoid-operated valves will reset automaticallyj other equipment initiated will continue until shut down manually.
Testing of the engineered safeguards circuits while the plant is shut down can be performed in the same manner. A more complete and extensive test can also be performed by tripping two out of the four pressurizer low-pressure or two out of the four containment high-pressure devices in the initiating circuit matrix. Simulating loss of standby power will test the bus shedding and the actual sequence loading of the emergency generators.
8.5.2.3 Design Analysis Reliability of the safety injection system control circuits is assured by redundant circuits, each initiating operation of re-dundant load groups. Failure of control power to any one of the pressurizer low-pressure or containment high-pressure circuits will cause the circuit to fail in an SIS initiation signal mode.
Failure of control power on any one redundant circuit will be annunciated.
As noted in Section 8.1.1 and 8.1.2, the engineered safeguards electrical power and control buses are divided into two channels and the loads into two groups. Each channel consists of the following buses and power sources: One 24oo volt bus, one 480 volt load center, one 480 motor control center, one d-c distribu-tion center, one battery, two battery chargers, two preferred a-c buses, and two inverters and one diesel generator. The power source for driven equipment and the control power for that system are supplied from the sources in one channel. Where redundant equipment is utilized in one load group, as in the case of the injection valves, the redundant equipment is supplied from the opposite channel.
The raceways and containment penetrations for these systems are also divided into two groups. Physical separation is maintained between the two raceway systems and between the two penetration areas. The interconnecting cables for any one channel are run in their respective raceway system.
The reactor safety system is divided into four channels supplied from the four preferred a-c buses. The raceways for these sys-tems are divided into two physically separated raceway systems and the two channels within one raceway system are further sep-arated by a metal barrier within the raceway. Separate contain-ment penetrations are used for like circuits.
The schematic diagrams provide all the information necessary for making a circuit schedule and connection diagrams. The connection block diagram shown on each schematic diagram shows all the inter-connecting wire, where separation is required between redundant 8-26 Rev 4/10/69
The control system is designed on a two-channel concept with redundancy and physical separation. Each channel is capable of initiating contairunent isolation and operation of certain engi-neered safeguards.
8.5.4.2 Description and Operation Description - The containment high-pressure and radiation control logic is shown on Figures 8-8, 8-14 and 8-15 and the schematic on Figures 8-13 and 8-14. The controls consist of two independent and isolated groups of control circuits. The four radiation sensors and four pressure sensors are each connected to an auxiliary relay.
Four separate control circuits each consisting of one pressure and one radiation level sensor and their two auxiliary relays are con-nected to separate preferred a-c buses. There are two separate initiation circuits which consist of two out of four matrices and necessary auxiliary relays. The isolation valves operate from the 125 volt d-c source and are normally energized. It requires two high radiation or two high-pressure signals to close the isolation valves. This prevents spurious signals from causing containment isolation.
Operation - These control circuits have no direct plant shutdown function. The control is initiated only upon containment high radiation or high pressure.
Coincident two of four high radiation or two of four high contain-ment pressure signals will close all containment isolation valves not required for engineered safeguards except the component cooling line valves which are closed by srs.
At least three out of four pressure sensors must sense normal pressure and three out of four radiation sensors must sense normal radiation level before the operator can reset the pressure isola-tion circuits and the radiation isolation circuits. This will automatically open the containment isolation valves.
8.5.4.3 Design Analysis Reliability is assured by the redundancy in the initiating control circuits, in the design of the individual isolation valve control circuits and in the containment spray system and air cooler system control circuits. Failure in control source power to the pressure radiation sensor relay circuit or to the redundant initiating circuit causes the circuit to fail in a mode to initiate isolation.
Loss of control power will be annunciated in the control room, but isolation will not be effected unless a second failure occurs.
Failure of source power to the control circuit of any isolation valve or failure of the pilot valve solenoid of an isolation valve will cause that isolation valve to close.
Testing - Testing the containment high-pressure and high radiation circuits may be done only when the plant is shut down. One of two redundant key switches located in the control room may be 8-28
operated at a time to de-energize two of the four channels which will cause containment isolation or the test can be initiated by the operation of the pressure or radiation switches. To de-isolate the containment and return the isolation valves to their normal operating positions, the high-pressure and high radiation circuits must be manually reset.
8.5.5 SAFETY INJECTION AND REFUELING WATER TANK WW-LEVEL CONTROLS 8.5.5.1 Design Basis The SIRW tank low-level control system is designed to transfer the suction of the safety injection and containment spray pumps to the containment sump when the SIRW tank is essentially empty and to perform the functions re~uired to recirculate and cool the water which has accumulated in the containment building sump, for post-accident cooling of the core~ In the recirculation mode, it automatically provides component cooling water to the shell side of the shutdown cooling heat exchangers. The circuit is designed on a two-channel concept with each channel initiating the operation of separate and redundant hydraulic loops.
8.5.5.2 Description and Operation Description - The SIRW tank level control logic is shown on Fig-ure 8-18 and the schematic is shown on Figures 8-16 and 8-19.
The SIRW tank is provided with four level switches to detect low level with each connected to an auxiliary relay from separate preferred a-c supplies.
A separate circuit is provided for control of the recirculation valves associated with one recirculation loop consistent with the two-channel concept. In addition, each circuit controls the operation of one of the two redundant component cooling water valves to the shutdown heat exchangers, the component cooling water valve to one of the component cooling water heat exchangers and the service water valve for service water from one of the component cooling water heat exchangers.
Operation - The low-level control circuits have no normal or shutdown cooling operating function and will operate only after the SIRW tank has been essentially emptied. Coincident two of four low-level signals will automatically initiate the necessary valve operations to permit operation of the two recirculation loops. In addition, the low-level signal will be used to trip the low-pressure injection pump to protect the pump from low suc-tion pressure and will automatically start a second component cooling water pump. A manual bypass is provided so that the low-pressure injection pumps may be restarted. if the operators deem this necessary for long-term core cooling .
.e 8-29
9.11.2.3 Protection Against Radioactivity Release Protection against accidental radiation release from irradiated fuel is provided by the containment ventilation system and isolation ca-pability if required of the spent fuel pit and auxiliary building ventilation system. A special container is provided which will allow the remote underwater encapsulation of a fuel bundle with damaged fuel rods. Because of the submergence of the bundle in 10 feet of water any released fission products will be diluted and partially retained by the pool water.
The ventilation air for both the containment and spent fuel pool atmospheres flows through absolute particulate filters before dis-charging to the plant stack. The containment is normally isolated with purge air only required when access to the air room is desired.
In the event that the stack discharge should indicate a release in excess of the limits in the technical specifications, an alarm is received in the control room and the ventilation flow path from con-tainment is closed manually from the control room. The ventilation flow paths from the fuel handling area and radwaste area are also manually closed from the control room. In addition, the ventila-tion flow paths to and from containment are closed automatically upon containment high pressure or containment high radiation.
An irradiated fuel bundle which is suspected of having fuel rod clad-ding failures can be raised into the refueling machine mast and the water in the mast displaced with air. The subsequent heat-up of the irradiated fuel will force fission product gases from the fuel rods and into the mast of the refueling machine. These gases in the mast can then be sampled. If it is determined that the fuel bundle does have a leak, it will be transferred to the spent fuel pool in the normal manner and placed in the special container mentioned above.
9.11.3 SYSTEM DESIGN AND OPERATIONS 9.1i.3.1 General Refueling is accomplished by handling fuel bundles under water at all times. The refueling cavity and spent fuel pool are filled with borated water to a common level during refueling. The use of borated water provides a transparent radiation shield, a cooling medium, and a neutron absorber to prevent inadvertent criticality.
The fuel handling system transfers the fuel bundles between the re-fueling cavity and the fuel storage pool through a transfer tube.
The storage pool is designed to accommodate 272 fuel bundles (1-1/3 cores) plus space for an additional 1/3 core, 48 control rods and the spent fuel shipping cask.
The refueling machine removes a spent fuel bundle from the core, transports it to the tilt machine and deposits it in the transfer carriage within the tilt machine. The carriage is then rotated from a vertical position to a horizontal position and moved
/-* through the transfer tube to the spent fuel storage area. The 9-78 Rev 4/10/69
systems are in an operable condition. Detailed step procedures will be prepared for the loading operation to assure proper alignment of all auxiliary systems and proper conduct of in-core operations. The following general procedures will be utilized to insure that the initial loading is conducted in a safe manner:
(a) The reactor water is borated (1720 ppm) and valve checklists are prepared to minimize the possibility of the occurrence of a change in boron concentration. Periodically, samples of reactor water will be withdrawn and analyzed for boron content during the load-ing operation.
(b) Source range neutron detectors will be installed in the core with readouts availab~e at both. the loading area and main control room.
A communications link will be established between the control'room and loading area.
(c) The initial neutron source will be installed in the core with the first element and verification of the source range instrumentation made. Equipment will be provided to conduct inverse count rate monitoring of the core effective multiplication during loading.
(d) A tag board will be provided in the control room for identifying the location of all movable core components. These include sources, neutron detectors, fuel assemblies and control rods.
(e) The actual core loading will be conducted according to a pre-determined sequence which prescribes locations of fuel bundles, sources, temporary in-core neutron detectors and control rods.
(f) Continuous monitoring of source range instrumentation will be conducted and operations halted if any unusual increase in count rate is observed or if the inverse count rate plot indicates criticality prior to full core loading.
13.2.2 POSTLOADING TESTS Following core loading, the upper reactor internals and vessel head will be installed and a primary system hydro leak.test performed.
Complete control rod drive checkouts will then be performed to insure proper functioning of both mechanical and electrical components. Both cold and hot flow tests will then be carried out to determine the mechanical response of the assembled reactor internals to full flow conditions. Control rod drive performance including rod drop times will also be evaluated in the hot condition.
13.2.3 INITIAL CRITICALITY Initial criticality will be achieved by withdrawing control rods and then slowly diluting the boron concentration in the reactor water until a chain reaction is sustained. The approach to criticality will be monitored by the source range instrumentation, and inverse count rate ratio plots will be provided to predict the critical condition. Detailed procedures will be prepared and followed to 13-4