ML19324C989

Amendment 28 to Updated Final Safety Analysis Report, Chapter 7, Control and Instrumentation - Redacted
Site: Browns Ferry
Issue date: 10/04/2019
From: Tennessee Valley Authority
To: Office of Nuclear Reactor Regulation


Text

BFN-26

TABLE OF CONTENTS

7.0 CONTROL AND INSTRUMENTATION

7.1 Summary Description
    7.1.1 Safety Systems
    7.1.2 Power Generation Systems
    7.1.3 Safety Functions
    7.1.4 Plant Operational Control
    7.1.5 Definitions
    7.1.6 Environmental Qualification of Electrical Equipment
7.2 Reactor Protection System
    7.2.1 Safety Objective
    7.2.2 Safety Design Basis
    7.2.3 Description
    7.2.4 Safety Evaluation
    7.2.5 Inspection and Testing
7.3 Primary Containment Isolation System
    7.3.1 Safety Objective
    7.3.2 Definitions
    7.3.3 Safety Design Basis
    7.3.4 Description
    7.3.5 Safety Evaluation
    7.3.6 Inspection and Testing
7.4 Emergency Core Cooling Control and Instrumentation
    7.4.1 Safety Objective
    7.4.2 Safety Design Basis
    7.4.3 Descriptions
    7.4.4 Safety Evaluation
    7.4.5 Inspection and Testing
7.5 Neutron Monitoring System
    7.5.1 Safety Objective
    7.5.2 Power Generation Objective
    7.5.3 Identification
    7.5.4 Source Range Monitor Subsystem
    7.5.5 Intermediate Range Monitor Subsystem
    7.5.6 Local Power Range Monitoring Subsystem
    7.5.7 Average Power Range Monitor Subsystem
    7.5.8 Rod Block Monitor Subsystem
    7.5.9 Traversing Incore Probe Subsystem
7.6 Refueling Interlocks
    7.6.1 Safety Objective
    7.6.2 Safety Design Basis
    7.6.3 Description
    7.6.4 Safety Evaluation
    7.6.5 Inspection and Testing
7.7 Reactor Manual Control System
    7.7.1 Power Generation Objective
    7.7.2 Safety Design Basis
    7.7.3 Power Generation Design Basis
    7.7.4 Description
    7.7.5 Safety Evaluation
    7.7.6 Inspection and Testing
    Appendix 7.7A Deleted
    Appendix 7.7B Deleted
7.8 Reactor Vessel Instrumentation
    7.8.1 Safety Objective
    7.8.2 Safety Design Basis
    7.8.3 Power Generation Objective
    7.8.4 Power Generation Design Basis
    7.8.5 Description
    7.8.6 Safety Design Evaluation
    7.8.7 Inspection and Testing
7.9 Recirculation Flow Control System
    7.9.1 Power Generation Objective
    7.9.2 Power Generation Design Basis
    7.9.3 Safety Design Basis
    7.9.4 Description
    7.9.5 Safety Evaluation
    7.9.6 Inspection and Testing
7.10 Feedwater Control System
    7.10.1 Power Generation Objective
    7.10.2 Power Generation Design Basis
    7.10.3 Description (Figures 7.10-2 through 7.10-8)
    7.10.4 Inspection and Testing
7.11 Pressure Regulator And Turbine-Generator Control
    7.11.1 Power Generation Objective
    7.11.2 Power Generation Design Basis
    7.11.3 Deleted
    7.11.4 System Description (Figures 7.11-1 and 7.11-2)
    7.11.5 Deleted
    7.11.6 Normal Operation
7.12 Process Radiation Monitoring
    7.12.1 Main Steam Line Radiation Monitoring System
    7.12.2 Air Ejector Offgas Radiation Monitoring System
    7.12.3 Main Stack Radiation Monitoring System
    7.12.4 Process Liquid Radiation Monitors
    7.12.5 Reactor Building Ventilation Radiation Monitoring System
    7.12.6 Plant Ventilation Exhaust Radiation Monitoring System
    7.12.7 Unit Sharing of Monitoring Systems
7.13 Area Radiation Monitoring System
    7.13.1 Power Generation Objective
    7.13.2 Power Generation Design Basis
    7.13.3 Description
    7.13.4 Inspection and Testing
    7.13.5 Additional Area Radiation Monitoring Systems
7.14 Drywell Leak Detection Radiation Monitoring System
    7.14.1 Safety Objective
    7.14.2 Power Generation Objectives
    7.14.3 Power Generation Design Basis
    7.14.4 Description
    7.14.5 Safety Evaluation
7.15 Health Physics Laboratory Radiation Monitoring Equipment
    7.15.1 Power Generation Objective
    7.15.2 Radiation Monitoring Equipment
    7.15.3 Personnel Monitoring
7.16 Process Computer System
    7.16.1 Safety Objective
    7.16.2 Power Generation Objective
    7.16.3 Safety Design Basis
    7.16.4 Power Generation Design Basis
    7.16.5 Description
    7.16.6 Safety Evaluation
    7.16.7 Inspection and Testing
7.17 Deleted
7.18 Backup Control System
    7.18.1 Design Objectives
    7.18.2 Design Bases
    7.18.3 Description
    7.18.4 System Operation
    7.18.5 Design Evaluation
    7.18.6 Inspection and Test
7.19 Anticipated Transient Without Scram
    7.19.1 Design Objectives
    7.19.2 Design Bases
    7.19.3 Descriptions
    7.19.4 Design Evaluation
    7.19.5 Containment Cooling
7.20 Instrument Setpoint Methodology
    7.20.1 Objectives
    7.20.2 Design Bases
    7.20.3 Descriptions
    7.20.4 Instrument Setpoints - Design Output

BFN-28

LIST OF TABLES

CONTROL AND INSTRUMENTATION

Table    Title
7.1-1    Systems (or Portions of Systems) Required to Mitigate LOCA and/or HELB
7.2-1    Reactor Protection System Instrumentation Specifications for Units 1 and 2
7.2-1a   Reactor Protection System Instrumentation Specifications for Unit 3
7.2-2    Deleted
7.3-1    Deleted
7.3-2    Primary Containment Isolation System Instrument Specifications
7.4-1    Deleted
7.4-2    Automatic Depressurization System Instrumentation
7.4-3    Core Spray System Instrumentation
7.4-4    Low Pressure Coolant Injection Instrumentation
7.5-1    SRM Trips
7.5-2    IRM Trips
7.5-3    LPRM Trips
7.5-4a   APRM Trips (Unit 1)
7.5-4b   APRM Trips (Units 2 and 3)
7.5-4c   Deleted
7.6-1    Refueling Interlock Effectiveness (Sheet 1, Sheet 2)
7.7-1    Reactor Manual Control System Instrumentation (Sheet 1, Sheet 2)
7.8-1    Reactor Vessel Instrumentation (Sheet 1, Sheet 2)
7.8-2    Primary Containment Monitoring Instrumentation (Sheet 1, Sheet 2)
7.12-1   Process Radiation Monitoring Systems Characteristics
7.12-2   Deleted
7.13-1   Deleted
7.13-2   Locations of Area Radiation Monitors (Sheet 1, Sheet 2, Sheet 3, Sheet 4, Sheet 5, Sheet 6, Sheet 7)
7.16-1   Deleted
7.16-2   Deleted
7.17-1   Deleted
7.17-2   Deleted
7.20-1   Design Output Documents (Sheet 1 - Unit 1, Sheet 2 - Unit 2, Sheet 3 - Unit 3)

BFN-26

CONTROL AND INSTRUMENTATION

LIST OF ILLUSTRATIONS

Figure   Title
7.1-1    Use of Protection System, Control, and Instrumentation Portions
7.2-1    Reactor Protection System, Single Line
7.2-2    Reactor Protection System, Auxiliary Instrument Room Panel
7.2-3    Reactor Protection System, Single Line
7.2-3a   (Deleted)
7.2-3b   (Deleted)
7.2-3c   (Deleted)
7.2-3d   (Deleted)
7.2-3e   (Deleted)
7.2-3f   (Deleted)
7.2-3g   (Deleted)
7.2-3h   (Deleted)
7.2-3i   (Deleted)
7.2-3j   (Deleted)
7.2-3k   (Deleted)
7.2-3l   (Deleted)
7.2-4    Schematic Diagram of Logics in Trip System A (Trip System B Similar)
7.2-5    Schematic Diagram of Actuators and Actuator Logics
7.2-6    Reactor Protection System, Scram Functions
7.2-7a   Reactor Protection System Instrument Engineering Diagram
7.2-7b   Reactor Protection System Instrument Engineering Diagram (Unit 3)
7.2-7c   Reactor Protection System - Single Line
7.2-7d   Reactor Protection System Instrument Engineering Diagram
7.2-8    Reactor Protection System, Auxiliary Instrument Panel
7.2-9    Reactor Protection System Auxiliary Instrument Room Panel
7.2-10   Typical Arrangement of Channels and Logics
7.2-11   Typical Configuration for Turbine Stop Valve Closure Scram
7.2-12   Typical Configuration for Main Steam Line Isolation Scram
7.2-13   (Deleted)
7.3-1, sht 1   Nuclear Boiler Flow Diagram
7.3-1, sht 2   Nuclear Boiler Flow Diagram
7.3-1, sht 3   Nuclear Boiler Flow Diagram
7.3-2a   (Deleted)
7.3-2b   (Deleted)
7.3-2c   (Deleted)
7.3-2d   (Deleted)
7.3-2e   (Deleted)
7.3-2f   (Deleted)
7.3-2g   (Deleted)
7.3-2h   (Deleted)
7.3-2i   (Deleted)
7.3-2j   (Deleted)
7.3-2k   (Deleted)

7.3-2l   (Deleted)
7.4-1a   (Deleted)
7.4-1b sht 1   High Pressure Coolant Injection System, Flow Diagram
7.4-1b sht 2   High Pressure Coolant Injection System, Flow Diagram
7.4-1b sht 3   High Pressure Coolant Injection System, Flow Diagram
7.4-2a   (Deleted)
7.4-2b   (Deleted)
7.4-2c   (Deleted)
7.4-2d   (Deleted)
7.4-2e   (Deleted)
7.4-2f   (Deleted)
7.4-2g   (Deleted)
7.4-2h   (Deleted)
7.4-3    (Deleted)
7.4-4    (Deleted)
7.4-5a   ECCS Preferred Pump Logic - Mechanical Control Diagram
7.4-5b   (Deleted)
7.4-5c   (Deleted)
7.4-5d   Pre-ACD and Common ACD Signal - Mechanical Control Diagram
7.4-5e   (Deleted)
7.4-5f   (Deleted)
7.4-5g   (Deleted)
7.4-5h   (Deleted)
7.4-5i   ECCS Preferred Pump Logic - Mechanical Control Diagram
7.4-5l   Pre-ACD and Common ACD Signal - Mechanical Control Diagram
7.4-5m   ECCS Preferred Pump Logic - Mechanical Control Diagram
7.4-6a sht 1   Residual Heat Removal System, Flow Diagram
7.4-6a sht 2   Residual Heat Removal System - Flow Diagram
7.4-6a sht 3   Residual Heat Removal System, Flow Diagram
7.4-6b sht 1   Residual Heat Removal System, Mechanical Flow Diagram
7.4-6b sht 2   Residual Heat Removal System - Mechanical Control Diagram
7.4-6b sht 3   Residual Heat Removal System - Mechanical Control Diagram
7.4-6b sht 4   Residual Heat Removal System - Mechanical Control Diagram
7.4-6b sht 5   Residual Heat Removal System - Mechanical Control Diagram
7.4-7a   (Deleted)
7.4-7b   ECCS Preferred Pump Logic - Mechanical Control Diagram
7.4-7c   (Deleted)
7.4-7d   (Deleted)
7.4-7e   (Deleted)
7.4-7f   (Deleted)
7.4-7g   (Deleted)
7.4-7h   (Deleted)

7.4-7i   Pre-ACD and Com ACD Signal - Mechanical Control Diagram
7.4-7j   (Deleted)
7.4-7k   (Deleted)
7.4-7l   (Deleted)
7.4-7m   (Deleted)
7.4-7n   (Deleted)
7.4-7p   ECCS Preferred Pump - Residual Heat Removal System - Mechanical Control Diagram
7.4-8    (Deleted)
7.4-8a   (Deleted)
7.4-8b   (Deleted)
7.4-8c   (Deleted)
7.4-8d   (Deleted)
7.4-9    (Deleted)
7.5-1    (Deleted)
7.5-1a   Startup Range Neutron Monitoring System, Instrument Engineering Diagram
7.5-1b   Startup Range Neutron Monitoring System, Instrument Engineering Diagram
7.5-1c   Startup Range Neutron Monitoring System, Instrument Engineering Diagram
7.5-2    SRM/IRM Neutron Monitoring Unit
7.5-3a   Detector Drive System
7.5-3b   (Deleted)
7.5-3c   (Deleted)
7.5-4    Functional Block diagram of SRM Channel
7.5-5    (Deleted)
7.5-6    Source Range Monitoring System Core Locations
7.5-7    Functional Block Diagram of IRM Channel
7.5-8    IRM Locations
7.5-9    Control Rod Withdrawal Error
7.5-10   Normalized Flux Distribution for Rod Withdrawal Error
7.5-11   (Deleted)
7.5-11a  Power Range Neutron Monitoring System, Instrument Engineering Diagram (Unit 2)
7.5-11b  Power Range Neutron Monitoring System, Instrument Engineering Diagram (Unit 3)
7.5-11c  Power Range Neutron Monitoring System, Instrument Engineering Diagram (Unit 1)
7.5-12   LPRM Locations
7.5-13   Power Range Neutron Monitoring Unit
7.5-14a  LPRM to APRM Assignment Scheme (System A) (Unit 1)
7.5-14b  LPRM to APRM Assignment Scheme (System B) (Unit 1)
7.5-14c  Units 1, 2, and 3 LPRM to APRM Assignment Scheme
7.5-15   (Deleted)
7.5-16   (Deleted)
7.5-17   (Deleted)
7.5-17a  Assignment of LPRM Assemblies to RBM's
7.5-17b  Typical LPRM Assignments in RBMS (Units 1, 2, and 3)

7.5-18   RBM Channel A + C Response to Control Rod Motion
7.5-19   RBM Channel B + D Response to Control Rod Motion
7.5-20   Assignment to LPRM Strings to TIP Machines
7.5-21   Traversing In-Core Probe Subsystem Block Diagram
7.5-22   Traversing In-Core Probe Assembly
7.5-23a  Neutron Monitoring System Physical Arrangement
7.5-23b  Neutron Monitoring System Physical Arrangement
7.5-23c  Neutron Monitoring System Physical Arrangement (Units 2 and 3)
7.5-23d  Neutron Monitoring System Physical Arrangement (Unit 1)
7.5-24   (Deleted)
7.5-24a  (Deleted)
7.5-24b  (Deleted)
7.5-24c  (Deleted)
7.5-24d  (Deleted)
7.5-24e  (Deleted)
7.5-24f  (Deleted)
7.5-25   Ranges of Neutron Monitoring System
7.5-26   Typical IRM Circuit Arrangement for Reactor Protection System Input
7.5-27   (Deleted)
7.5-28   (Deleted)
7.6-1    Refueling Interlocks, Functional Block Diagram
7.7-1    Reactor Manual Control System Instrumentation
7.8-1    Reactor Vessel Instrumentation
7.8-2    Primary Containment Monitoring Instrumentation
7.12-1   Process Radiation Monitoring Systems Characteristics
7.12-2   (Deleted)
7.13-1   (Deleted)
7.13-2   Locations of Area Radiation Monitors
7.16-1   (Deleted)
7.16-2   (Deleted)
7.17-1   (Deleted)
7.17-2   (Deleted)
7.20-1   Design Output Documents (Sheet 1 - Unit 1, Sheet 2 - Unit 2, Sheet 3 - Unit 3)

7.8-3    Reactor Vessel Temperature Monitoring System Physical Arrangement
7.9-1    (Deleted)
7.9-2    (Deleted)
7.9-3    (Deleted)
7.9-4a   (Deleted)
7.9-4b   (Deleted)
7.9-4c   (Deleted)
7.9-4d   (Deleted)
7.9-4e   (Deleted)
7.9-4f   (Deleted)
7.10-1   (Deleted)
7.10-2   Feedwater Control System, Mechanical Control Diagram
7.10-3   Feedwater Control System, Mechanical Control Diagram
7.10-4   Feedwater Control System, Mechanical Control Diagram
7.10-5   Feedwater Control System - Mechanical Control Diagram
7.10-6   Feedwater Control System - Mechanical Control Diagram
7.10-7   Feedwater Control System - Mechanical Control Diagram
7.10-8   Feedwater Control System - Mechanical Control Diagram
7.11-1   (Deleted)
7.11-2   Turbine Control and Reactor Pressure Control System Functional Block Diagram
7.12-1   (Deleted)
7.12-2a sht 1   Radiation Monitoring System - Mechanical Control Diagram
7.12-2a sht 2   Radiation Monitoring System - Mechanical Control Diagram
7.12-2a sht 3   Radiation Monitoring System - Mechanical Control Diagram
7.12-2a sht 4   Radiation Monitoring System - Mechanical Control Diagram
7.12-2a sht 5   Radiation Monitoring System - Mechanical Control Diagram
7.12-2a sht 6   Radiation Monitoring System - Mechanical Control Diagram
7.12-2a sht 7   Radiation Monitoring System - Mechanical Control Diagram
7.12-2b sht 1   (Deleted)
7.12-2b sht 2   Radiation Monitoring System - Mechanical Control Diagram
7.12-2b sht 3   (Deleted)
7.12-2b sht 4   Radiation Monitoring System - Mechanical Control Diagram
7.12-2b sht 5   Radiation Monitoring System - Mechanical Control Diagram
7.12-2b sht 6   Radiation Monitoring System - Mechanical Control Diagram
7.13-1   (Deleted)
7.16-1   (Deleted)
7.17-1   (Deleted)
7.17-2   (Deleted)
7.17-3   (Deleted)
7.17-4   (Deleted)
7.17-5   (Deleted)
7.17-6a  (Deleted)

7.17-6b  (Deleted)
7.17-6c  (Deleted)
7.17-7   (Deleted)
7.17-8a  (Deleted)
7.17-8b  (Deleted)
7.17-8c  (Deleted)
7.17-8d  (Deleted)
7.17-9a  (Deleted)
7.17-9b  (Deleted)
7.17-9c  (Deleted)
7.17-9d  (Deleted)

BFN-17

7.0 CONTROL AND INSTRUMENTATION

7.1 SUMMARY DESCRIPTION

The control and instrumentation section presents the details of the more complex control and instrumentation systems in the plant. Some of these systems are safety systems; others are power generation systems.

7.1.1 Safety Systems

The safety systems described in the control and instrumentation section are given below.

a. Nuclear safety systems and engineered safeguards (required for accidents and abnormal operational transients):

   Reactor Protection System,
   Primary Containment Isolation System,
   Core Standby Cooling Systems Control and Instrumentation,
   Neutron Monitoring System (specific portions),
   Reactor Vessel Instrumentation (specific portions), and
   Anticipated Transients Without SCRAM.

b. Process safety systems (required for planned operation):

   Neutron Monitoring System (specific portions),
   Refueling Interlocks,
   Reactor Vessel Instrumentation (specific portions), and
   Process Radiation Monitors (except Main Steam Line Radiation Monitoring System).


7.1.2 Power Generation Systems

The power generation systems described in the section are as follows.

   Reactor Manual Control System,
   Recirculation Flow Control System,
   Feedwater System Control and Instrumentation,
   Pressure Regulator and Turbine-Generator Controls,
   Area Radiation Monitors,
   Main Steam Line Radiation Monitors,
   Site Environs Radiation Monitors,
   Health Physics and Laboratory Analysis Radiation Monitors, and
   Process Computer System.

7.1.3 Safety Functions

The major functions of the safety systems are summarized as follows.

1. Reactor Protection System

   The Reactor Protection System initiates an automatic reactor shutdown (scram) if monitored system variables exceed preestablished limits. This action limits fuel damage and system pressure and thus restricts the release of radioactive material.

2. Primary Containment Isolation System

   This system initiates closure of various automatic isolation valves in response to off-limit system variables. The action provided limits the loss of coolant from the reactor vessel and contains radioactive materials either inside the reactor vessel or inside the primary containment. The system responds to various indications of pipe breaks or radioactive material release.

3. Core Standby Cooling Systems Control and Instrumentation

   This subsection describes the equipment required for the initiation and control of the High Pressure Coolant Injection System, Automatic Depressurization System, Core Spray System, and the Low Pressure Coolant Injection System.


4. Neutron Monitoring System

   The Neutron Monitoring System uses in-core neutron detectors to monitor core neutron flux. The safety function of the Neutron Monitoring System is to provide a signal to shut down the reactor when an overpower condition is detected. High average neutron flux is used as the overpower indicator. In addition, the Neutron Monitoring System provides the required power level indication during planned operation.

5. Main Steam Line Radiation Monitoring System

   Deleted

6. Refueling Interlocks

   The refueling interlocks serve as a backup to procedural core reactivity control during refueling operation.

7. Reactor Vessel Instrumentation

   The safety function of the reactor vessel instrumentation is to provide input to the reactor protection system and the core standby cooling systems. This instrumentation also provides information for the operator to take manual actions in addition to the above-mentioned automatic system actions during abnormal and accident conditions. In addition, during planned operations the reactor vessel instrumentation monitors and transmits information concerning key reactor vessel parameters to ensure that sufficient control of these parameters is possible.

8. Process Radiation Monitors (except Main Steam Line Radiation Monitoring System)

   A number of radiation monitoring systems are provided on process liquid and gas lines to provide sufficient control of radioactive material release from the site.

9. (Deleted)

10. Anticipated Transients Without SCRAM The design objective of the Anticipated Transients Without SCRAM (ATWS) is to provide an alternate means of bringing the reactor from full power operation (MODE 1) to a cold shutdown (MODE 4) condition independent of the normal means of shutdown. The ATWS design is intended to mitigate any abnormal operational transients, as defined in FSAR Section 1.4. The systems and equipment required by 10 CFR 50.62 for ATWS do not have to meet all of the stringent requirements normally applied to safety-related equipment.

However, this equipment is part of the broader class of structures, systems and components important to safety.

7.1.4 Plant Operational Control The major systems used to control the plant during planned operations are the following:

1. Reactor Manual Control System This system allows the operator to manipulate control rods and determine their positions. Various interlocks are provided in the control circuitry to avoid unnecessary protection system action resulting from operator error.
2. Recirculation Flow Control System This system controls the speed of the two reactor recirculation pumps by varying the electrical frequency of the power supply for the pumps. By varying the coolant flow rate through the core, power level may be changed. The system is arranged to allow for manual control (operator action).
3. Feedwater System Control and Instrumentation This system regulates the feedwater system flow rate so that proper reactor vessel water level is maintained. The feedwater system controller uses reactor vessel water level, main steam flow, and feedwater flow signals to regulate feedwater flow. The system is arranged to permit single-element (level only), three-element (level, steam flow, feed flow), or manual operation.
4. Pressure Regulator and Turbine-Generator Controls The pressure regulator and turbine-generator controls work together to allow proper generator and reactor response to load demand changes. The pressure regulator acts to maintain nuclear system pressure essentially constant, so that pressure-induced core reactivity changes are controlled. To maintain constant pressure, the pressure regulator adjusts the turbine control valves or turbine bypass valves. The turbine-generator controls act to maintain turbine speed constant, so that electrical frequency is maintained.

The turbine-generator speed-load controls respond to load or speed changes.

The turbine-generator speed-load controls can initiate rapid closure of the turbine control valves (coincident with fast opening of the bypass valves) to prevent excessive turbine overspeed in case of loss of generator electrical load.

5. Process Computer System (RWM)

The process computer is provided to supplement procedural requirements for the control of rod worth during control rod manipulations during reactor startup and shutdown.

7.1.5 Definitions The complexity of the control and instrumentation systems requires the use of certain terminology for clarification in the description of the protection systems. See additional definitions in Subsection 1.2, "Definitions."

1. Channel--A channel is an arrangement of one or more sensors and associated components used to evaluate plant variables and to produce discrete outputs used in logic. A channel terminates and loses its identity where individual channel outputs are combined in logic. See Figure 7.1-1.
2. Sensor--A sensor is that part of a channel used to detect variations in the measured power plant variable. See Figure 7.1-1.
3. Logic--Logic is an arrangement of relays, contacts, and other components that produces a decision output. See Figure 7.1-1.
4. Trip System--A trip system means an arrangement of instrument channel trip signals and auxiliary equipment required to initiate action to accomplish a protective trip function. A trip system may require one or more instrument channel trip signals related to one or more plant parameters in order to initiate trip system action. Initiation of protective action may require the tripping of a single trip system or the coincident tripping of two trip systems. See Figure 7.1-1.
5. Actuation Device--An actuation device is an electrical or electromechanical module controlled by an electrical decision output used to produce mechanical operation of one or more activated devices to accomplish the necessary action. See Figure 7.1-1.


BFN-28

6. Activated Device--An activated device is a mechanical module in a system used to accomplish an action. An activated device is controlled by an actuation device. See Figure 7.1-1.
7. Trip--A trip is the change of state of a bistable device which represents the change from a normal condition. A trip signal, which results from a trip, is generated in the channels of a trip system and produces subsequent trips and trip signals throughout the system as directed by the logic.
8. Setpoint--A setpoint is that value of the monitored plant variable which causes a channel trip.
9. Component--A component includes those items from which the system is assembled (e.g., resistors, capacitors, wires, connectors, transistors, switches, springs, pumps, valves, piping, heat exchangers, vessels, etc.).
10. Module--A module is any assembly of interconnected components which constitutes an identifiable device, instrument, or piece of equipment.
11. Incident Detection Circuitry--Incident detection circuitry includes those trip systems which are used to sense the occurrence of an incident. Such circuitry is described and evaluated separately where the incident detection circuitry is common to several systems.
12. Channel calibration, channel check, channel functional test, and logic system functional definitions are provided in Technical Specification Section 1.1.

7.1.6 Environmental Qualification of Electrical Equipment The electrical equipment, within the scope of 10CFR50.49, at BFN was originally qualified to the acceptance criteria specified in either 1) Category I of NUREG-0588 (Institute of Electrical Engineers (IEEE) 323-1974) or 2) Category II of NUREG-0588 or the Division of Operating Reactor (DOR) guidelines of NRC Inspection and Enforcement (IE) Bulletin 79-01B (IEEE 323-1971). Replacement components are qualified in accordance with 10CFR50.49.

NRC IE Bulletin 79-01B, "Environmental Qualification of Class 1E Equipment," was issued January 14, 1980. Subsequent supplements were issued February 29, 1980, September 30, 1980, and October 24, 1980. This bulletin requires the licensee to perform a detailed review of the environmental qualification of Class 1E electrical equipment to ensure that the equipment will function under postulated accident conditions.

TVA evaluated the electrical qualification of the safety-related electrical components in harsh environments during accident conditions and responded to the NRC on October 31, 1980.

The NRC issued a Safety Evaluation, dated June 3, 1981, for the Environmental Qualification of Safety-Related Electrical Equipment, noting several deficiencies.

TVA responded in a letter dated September 29, 1981, to address these deficiencies.

The NRC Safety Evaluation, dated January 11, 1983, requested additional information from TVA. The TVA response, dated January 29, 1985, provided resolution to the NRC questions/deficiencies. In a letter dated August 8, 1985, the NRC concluded that BFN was in compliance with 10CFR50.49, and that proposed resolution to deficiencies noted was acceptable.

In July 1985, a TVA Environmental Qualification (EQ) program audit revealed significant deficiencies in the BFN EQ program. On August 6, 1985, the NRC issued Generic Letter 85-15 related to the deadlines for 10CFR50.49 compliance. Based on these developments, TVA subsequently voluntarily maintained BFN Units 1, 2, and 3, in shutdown conditions with the intent to correct deficiencies and establish and implement an EQ program that would assure compliance with 10CFR50.49.

Following shutdown, extensive rework of the BFN EQ program took place. The Environmental Qualification Project (EQP) was established to verify, with auditable records, that all plant equipment covered under 10CFR50.49 was qualified for its application and met its specified performance requirements when subjected to the conditions predicted to be present when it must perform its safety function, up to the end of its qualified life. Supplemental procedures were written, approved, and implemented. The purpose of Environmental Qualification Documentation Packages (EQDPs) is to document, in one place, everything needed about how a given piece of equipment was qualified, and what is necessary to maintain qualification for the life of the plant. In May of 1988, the NRC performed an inspection of BFN's partially completed EQ program. On October 21, 1988, the NRC issued a Safety Evaluation that concluded the BFN EQ program complied with the requirements of 10CFR50.49.

TVA letter dated October 24, 1988, committed to implement the EQ Program prior to the restart of each unit. The NRC Safety Evaluation for the BFN EQ Program was issued on January 23, 1991.

During the license renewal process for Units 1, 2, and 3, TVA was required to demonstrate that the equipment and components in the scope of the EQ program meet the requirements of 10CFR54.21(c)(1). Section 4.4 of the License Renewal Amendment addressed this requirement. In the Safety Evaluation dated April 2006, the NRC concluded that these components will be adequately managed for the period of extended operation.

The effects of Extended Power Uprate (EPU) on the environmental conditions for the qualification of electrical equipment have been evaluated. The evaluation indicates that the electrical equipment will continue to meet the relevant requirements of 10 CFR 50.49 following implementation of EPU.

TVA has a program in place to environmentally qualify safety-related electrical equipment (including cable) that is within the scope of 10CFR50.49 to ensure that the equipment will perform its safety-related function under environmental conditions associated with all normal, abnormal, and plant accident conditions.

The method of assuring that electrical components of safety-related equipment are qualified for their potential normal operational and worst-case accident environments is described in this section.

7.1.6.1 Equipment Identification and Environmental Conditions 7.1.6.1.1 Identification of Safety Systems Systems that are required to function to mitigate a loss-of-coolant accident (LOCA) or high-energy line break (HELB) are listed in Table 7.1-1; systems required to support these systems are also identified.

7.1.6.1.2 Identification of Equipment in Harsh Environments For the safety systems listed in Table 7.1-1, safety-related equipment within the harsh environment of the Design Basis Events (DBEs) was identified. This was based on a review of electrical instrument tabulations, mechanical piping drawings, mechanical heating and ventilation drawings, conduit and grounding drawings, Technical Specifications, the UFSAR, and Emergency Operating Instructions.

7.1.6.1.3 Environmental Conditions 7.1.6.1.3.1 Mild Environments Mild environments are those areas where: (1) the environmental conditions related to temperature, pressure, or relative humidity resulting from the direct effects of a DBE are no more severe than those which would occur during an abnormal plant operational condition; (2) the temperature will not exceed 130°F due to the indirect effects of a DBE (e.g., increased heat loads from electrical equipment); (3) the accident radiation dose is less than or equal to 1.0 x 10^4 rads; and (4) the total accident plus 60 year total integrated dose (TID) is less than or equal to 5.0 x 10^4 rads.

For equipment located in a harsh zone, that is required to function or not fail for mitigation of a specific DBA, if (for the specific DBA) the accident environment in the area in which the device is located would at no time be significantly more severe than the environment for normal operation, including anticipated operational occurrences, then the environment may be considered to be essentially mild for classification purposes. Essentially mild calculations are performed for the associated area to document that the accident environmental conditions do not impose significant environmental stresses over and above normal operating conditions (including anticipated operational transients) on the device in the associated area.

7.1.6.1.3.2 Harsh Environments Harsh area environmental conditions are defined as those conditions that exceed those of mild spaces. Environmental conditions have been established for all harsh environment areas resulting from a design basis event. Temperature, pressure, humidity, radiation, and submergence were the parameters considered.

7.1.6.2 Electrical Equipment within the Scope of 10CFR50.49 A systems analysis was conducted to identify for each UFSAR design basis accident, the equipment which must operate or stay as-is to ensure completion of safety related functions as defined in 10CFR50.49. These devices became the Master Components Electrical List (MCEL). This list includes devices in both harsh and mild environmental zones.

The BFN Component Master List (CML) was derived from the MCEL. The CML is a compilation, for areas designated as harsh on the environmental data drawings, of all safety-related equipment, any required nonsafety-related equipment, and any equipment added to comply with commitments to NUREG-0737 and/or NUREG-0578 and post-accident monitoring equipment (10CFR50.49b(3)). All MCEL supporting/ancillary equipment was then identified. All components were field verified. The 10CFR50.49 list is a compilation of data for electrical equipment which has been determined to be within the scope of 10CFR50.49 via the process beginning with the CML database through the evaluations performed in preparing a qualification EQDP (or EQ binder). Auditable documentation that supports environmental qualification for the equipment type is compiled and placed in the EQ binder or is referenced therein. The 10CFR50.49 list will be maintained for the life of the plant as a permanent record. This includes revisions resulting from changes occurring in the plant design and configuration which impact the equipment within the scope of 10CFR50.49. The 10CFR50.49 list for Units 1, 2, and 3 is maintained as part of the plant Master Equipment List (MEL) data. Post-accident Monitoring (PAM) equipment instrumentation (all Category 1 and 2 equipment, with the exception of Emergency Equipment Cooling Water flow) is qualified to the requirements of 10CFR50.49.

7.1.6.3 Qualification Tests and Analysis Qualification tests and analyses for safety-related electrical equipment were conducted in accordance with the requirements of 10CFR50.49, IE Bulletin 79-01B, and the guidelines of NUREG-0588.

7.1.6.4 Qualification Test Results Qualification test results are included or referenced in the EQ binder for safety-related electrical equipment in the 10CFR50.49 program.

7.1.6.5 References

1. NRC IE Bulletin 79-01B, Environmental Qualification of Class IE Equipment, dated January 14, 1980.
2. NRC Division of Operating Reactors, Guidelines for Evaluating Environmental Qualification of Class IE Electrical Equipment in Operating Reactors, dated November 13, 1979.
3. TVA Response to NRC IE Bulletin 79-01B, dated October 31, 1980.
4. NRC Safety Evaluation for Environmental Qualification of Safety-Related Electrical Equipment, dated June 3, 1981.
5. NUREG-0588, "Interim Staff Position on Environmental Qualification of Safety-Related Electrical Equipment," Revision 1, dated July 1981.
6. BFN Letter to NRC, Response to NRC Safety Evaluation deficiencies, dated September 29, 1981.
7. NRC Safety Evaluation for Environmental Qualification of Safety-Related Electrical Equipment, dated January 11, 1983.
8. TVA Letter to NRC, Summary Status of TVA's Compliance with 10CFR50.49, dated January 29, 1985.
9. NRC Safety Evaluation for Environmental Qualification of Electric Equipment Important to Safety, dated August 8, 1985.
10. NRC Safety Evaluation for the Browns Ferry Nuclear Performance Plan, dated October 21, 1988.
11. NUREG-1843, Safety Evaluation Report Related to the License Renewal of the Browns Ferry Nuclear Plant, Units 1, 2, and 3, dated April 2006.
12. NRC Code of Federal Regulations, 10CFR50.49.
13. NRC Safety Evaluation Report on Tennessee Valley Authority: Browns Ferry Nuclear Performance Plan - Browns Ferry Unit 2 Restart, April 1989.
14. NRC Letter to TVA, Browns Ferry Nuclear Plant, Units 1, 2, and 3 - Issuance of Amendments Regarding Extended Power Uprate (CAC Nos. MF6741, MF6742, and MF6743), dated August 14, 2017.

Table 7.1-1 Systems (or Portions of Systems) Required to Mitigate LOCA and/or HELB

Neutron Monitoring System Auxiliary Power Main Steam Supply Reactor Feedwater System RHR Service Water System Raw Cooling Water Control Air System Sampling and Water Quality Standby Liquid Control System Primary Containment System Standby Gas Treatment Emergency Equipment Cooling Water System Reactor Water Recirculation Reactor Water Cleanup System Reactor Building Closed Cooling Water System Reactor Core Isolation Cooling High Pressure Core Injection Residual Heat Removal Core Spray System Containment Inerting HPCI Torus Room Radwaste System Fuel Pool Cooling and Demineralizing System Containment Atmosphere Dilution System CRD Hydraulic System Radiation Monitoring System Cables, Control Stations, Junction Boxes, and Terminal Blocks

BFN-25 7.2 REACTOR PROTECTION SYSTEM 7.2.1 Safety Objective The Reactor Protection System provides timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier (uranium dioxide sealed in cladding) and the nuclear system process barrier. Excessive temperature threatens to perforate the cladding or melt the uranium dioxide.

Excessive pressure threatens to rupture the nuclear system process barrier. The Reactor Protection System limits the uncontrolled release of radioactive material by terminating excessive temperature and pressure increases through the initiation of an automatic scram.

7.2.2 Safety Design Basis

1. The Reactor Protection System shall initiate, with precision and reliability, a reactor scram in time to prevent fuel damage following abnormal operational transients.
2. The Reactor Protection System shall initiate, with precision and reliability, a scram in time to prevent damage to the nuclear system process barrier as a result of internal pressure. Specifically, the Reactor Protection System shall initiate a reactor scram in time to prevent nuclear system pressure from exceeding the nuclear system pressure allowed by applicable industry codes.
3. To limit the uncontrolled release of radioactive materials from the fuel or nuclear system process barrier, the Reactor Protection System shall initiate, with precision and reliability, a reactor scram to prevent gross failure of either of these barriers.
4. To provide assurance that conditions which threaten the fuel or nuclear system process barriers are detected with sufficient timeliness and precision to fulfill safety design bases 1, 2, and 3, Reactor Protection System inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.
5. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3, the Reactor Protection System shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.
6. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design bases 1, 2, and 3, an adequate number of sensors shall be provided for monitoring essential variables that have spatial dependence.


7. The following bases provide assurance that the Reactor Protection System is designed with sufficient reliability to fulfill safety design bases 1, 2, and 3.
a. No single failure within the Reactor Protection System shall prevent proper Reactor Protection System action when required to satisfy safety design bases 1, 2, and 3.
b. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the ability of the Reactor Protection System to respond correctly.
c. The system shall be designed for a high probability that when any monitored variable exceeds the scram setpoint, the event shall result in an automatic scram and shall not impair the ability of the system to scram as other monitored variables exceed their scram trip points.
d. Where a plant condition that requires a reactor scram can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more Reactor Protection System channel(s) designed to provide protection against the unsafe condition, the remaining portions of the Reactor Protection System shall meet the requirements of safety design bases 1, 2, 3, and 7a.
e. The power supply for the Reactor Protection System shall be arranged so that loss of one supply neither causes nor prevents a reactor scram.
f. The system shall be designed so that, once initiated, a Reactor Protection System action goes to completion. Return to normal operation after protection system action shall require deliberate operator action.
g. There shall be sufficient electrical and physical separation between channels and between logics monitoring the same variable to prevent environmental factors, electrical transients, and physical events from impairing the ability of the system to respond correctly.
h. Earthquake ground motions shall not impair the ability of the Reactor Protection System to initiate a reactor scram.
8. The following bases are specified to reduce the probability that Reactor Protection System operational reliability and precision will be degraded by operator error.


a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables shall be under administrative control.
b. The means for manually bypassing logics, channels, or system components shall be under administrative control. If the ability to trip some essential part of the system has been bypassed, this fact is continuously indicated in the control room. Bypassing of the NMS inop trip using the Operate-Calibrate bypass switch (fiber optic bypass switch (FOBS) on Units 1, 2, and 3) shall be under administrative control to allow functional tests of the NMS to be performed.
9. To provide the operator with means independent of the automatic scram functions to counteract conditions that threaten the fuel or nuclear system process barrier, it shall be possible for the control room operator to manually initiate a reactor scram.
10. The following bases are specified to provide the operator with the means to assess the condition of the Reactor Protection System and to identify conditions that threaten the integrities of the fuel or nuclear system process barrier.
a. The Reactor Protection System shall be designed to provide the operator with information pertinent to the operational status of the protection system.
b. Means shall be provided for prompt identification of channel and trip system responses.
11. It shall be possible to check the operational availability of each channel and logic.

7.2.3 Description 7.2.3.1 Identification The Reactor Protection System includes the motor-generator power supplies with associated control and indicating equipment, sensors, relays, bypass circuitry, and switches that supply a signal to the Control Rod Drive (CRD) System to cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the process computer system and annunciators. The Reactor Protection System is designed to meet the intent of the IEEE proposed criteria for nuclear power plant protection systems (IEEE-279-1971). The process computer system and annunciators are not part of the Reactor Protection System. Although scram signals are received from the Neutron Monitoring System, this system is treated as a separate nuclear safety system in Subsection 7.5.

7.2.3.2 Power Supply Power to each of the two reactor protection trip systems is supplied, via a separate bus, by its own high-inertia, AC motor-generator set (see Figures 7.2-1, 7.2-3, and 7.2-7c). Each generator has a voltage regulator which is designed to respond to a step-load change of 50 percent of rated load with an output voltage change of not greater than 15 percent. High inertia is provided by a flywheel. The inertia is sufficient to maintain voltage and frequency within 5 percent of rated values for at least 1.0 second following total loss of power to the drive motor. Automatic circuit protectors were added to these MG sets to provide Class 1E isolation of the RPS should the supply voltage or frequency become abnormal.

Alternate power is available to either Reactor Protection System bus from an electrical bus that can receive standby electrical power. The alternate power switch prevents simultaneously feeding both buses from the same source. The switch also prevents paralleling a motor-generator set with the alternate supply. The DC power is supplied to the backup scram valve solenoids from the plant batteries.

7.2.3.3 Physical Arrangement Instrument piping that taps into the reactor vessel is routed through the drywell wall and terminates inside the secondary containment (Reactor Building). Reactor vessel pressure and water level information is sensed from this piping by instruments mounted on instrument racks in the Reactor Building. Valve position switches are mounted on valves from which position information is required. The sensors for Reactor Protection System signals from equipment in the Turbine Building are mounted locally in the Turbine Building. The two motor-generator sets that supply power for the Reactor Protection System are located in the Control Building in an area where they can be serviced during reactor operation. Cables from sensors, Analog Trip Unit (ATU) Cabinets, and power cables are routed to two Reactor Protection System cabinets in the Auxiliary Instrument Room, where the logic circuitry of the system is formed. One cabinet is used for each of the two trip systems. The logics of each trip system are isolated in separate bays in each cabinet, as shown in Figures 7.2-2, 7.2-8, and 7.2-9. The Reactor Protection System, except for the motor-generator sets and signals from nonseismic structures, is designed as Class I equipment to assure a safe reactor shutdown during and after seismic disturbances. The detailed requirements for Class I equipment are described in Appendix C.

7.2.3.4 Logic The Reactor Protection System is arranged as two separately powered trip systems.

Each trip system has three logics, as shown in Figure 7.2-4. Two of the logics are used to produce automatic trip signals. The remaining logic is used for a manual trip signal. The Source Range Monitoring System and mode switch in shutdown trip function actuate through the manual channel. Each of the two logics used for automatic trip signals receives input signals from at least one channel for each monitored variable. Thus, two channels are required for each monitored variable to provide independent inputs to the logics of one trip system. At least four channels for each monitored variable are required for the logics of both trip systems.

As shown in Figure 7.2-5, the actuators associated with any one logic provide inputs into each of the actuator logics for the associated trip system. Thus, either of the two automatic logics associated with one trip system can produce a trip system trip.

The logic is a one-out-of-two arrangement. To produce a scram, the actuator logics of both trip systems must be tripped. The overall logic of the Reactor Protection System could be termed one-out-of-two taken twice except for the Power Range Neutron Monitoring System which implements a two-out-of-four logic design.

7.2.3.5 Operation (Figures 7.2-1, 7.2-3, 7.2-4 and 7.2-7c)

To facilitate the description of the Reactor Protection System, the two trip systems are called trip system A and trip system B. The automatic logics of trip system A are logics A1 and A2; the manual logic of trip system A is logic A3. Similarly, the logics for trip system B are logics B1, B2, and B3. The actuators associated with any particular logic are identified by the logic identity (such as actuators B2) and a letter (see Figure 7.2-4). The actuator logics associated with a trip system are identified with the trip system identity (such as actuator logics A). Channels are identified by the name of the monitored variable and the logic identity with which the channel is associated (such as reactor vessel high pressure channel B1).

During normal operation, all sensor and trip contacts essential to safety are closed; channels, logics, and actuators are energized.

There are two scram pilot valves and two scram valves for each control rod. Each scram pilot valve is solenoid-operated. The solenoids are normally energized. The two scram pilot valves, associated with a control rod, control the air supply to both scram valves for that rod. With either scram pilot valve energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. One of the scram pilot valves for each control rod is controlled by actuator logics A, the other valve by actuator logics B. There are two DC, solenoid-operated, backup scram valves which provide a second means of controlling the air supply to the scram valves for all control rods. The DC solenoid for each backup scram valve is normally deenergized. The backup scram valves are energized (initiate scram) when both trip system A and trip system B are tripped.

Whenever a channel sensor contact opens, its sensor relay deenergizes, causing contacts in the logic to open. The opening of contacts in the logic deenergizes its actuators. When deenergized, the actuators open contacts in all the actuator logics for that trip system. This action results in deenergizing the scram pilot valve solenoids associated with that trip system (one scram pilot valve solenoid for each control rod). Unless the other scram pilot valve solenoid for each rod is deenergized, the rods are not scrammed. If a trip then occurs in any of the logics of the other trip system, the remaining scram pilot valve solenoid for each rod is deenergized, venting the air pressure from the scram valves, and allowing control rod drive water to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume. When the solenoid for each backup scram valve is energized, the backup scram valves vent the air supply for the scram valves; this action initiates insertion of every control rod regardless of the action of the scram pilot valves.

A scram can be manually initiated. There are two scram buttons, one for logic A3 and one for logic B3. Depressing the scram button for logic A3 deenergizes actuators A3 and opens corresponding contacts in actuator logics A. A single trip system trip is the result. To effect a manual scram, the buttons for both logic A3 and logic B3 must be depressed. By operating the manual scram button for one manual logic at a time, followed by reset of that logic, each trip system can be tested for manual scram capability. It is also possible for the control room operator to scram the reactor by interrupting power to the Reactor Protection System. This can be done by operating power supply breakers. The manual scram capability provided in the control room meets safety design basis 9.

To restore the Reactor Protection System to normal operation following any single trip system trip or scram, the actuators must be manually reset. Reset is possible only if the conditions that caused the trip or scram have been cleared, and it is accomplished by operating switches in the control room. This meets safety design basis 7f.

Whenever a Reactor Protection System sensor trips, it lights a printed annunciator window, common to all the channels for that variable, on the reactor control panel in the control room to indicate the out-of-limit variable. Each trip system lights an annunciator window indicating the trip system which has tripped.

A Reactor Protection System channel trip also sounds a buzzer or horn, which can be silenced by the operator. The annunciator window lights latch in until manually reset; reset is not possible until the condition causing the trip has been cleared. The physical positions of Reactor Protection System relays are used to identify the individual sensor that tripped in a group of sensors monitoring the same variable.

The location of alarm windows provides the operator with the means to quickly identify the cause of Reactor Protection System trips and to evaluate the threat to the fuel or nuclear system process barrier.

To provide the operator with the ability to analyze an abnormal transient during which events occur too rapidly for direct operator comprehension, all Reactor Protection System trips are recorded by an alarm typewriter controlled by the Process Computer System. All trip events are recorded. The first 40 are recorded in chronological sequence, except that events occurring within 16 milliseconds of each other are treated as having occurred simultaneously. Use of the alarm typewriter and computer is not required for plant safety, and information provided is in addition to that immediately available from other annunciators and data displays.

The printout of trips is of particular usefulness in routinely verifying the proper operation of pressure, level, and valve position switches as trip points are passed during startups, shutdowns, and maintenance operations.

Reactor Protection System inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the Reactor Protection System. Signals directly from the Reactor Protection System sensors are not used as inputs to annunciating or data logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the Reactor Protection System satisfies safety design bases 10a and 10b.

7.2.3.6 Scram Functions and Bases for Trip Settings

The following discussion covers the functional considerations for the variables or conditions monitored by the Reactor Protection System. Table 7.2-1 lists the specifications for instruments providing signals for the system. Figure 7.2-6 shows the scram functions in block form.

1. Neutron Monitoring System trip--To provide protection for the fuel against high heat-generation rates, neutron flux is monitored and used to initiate a reactor scram. The Neutron Monitoring System setpoints and their bases are discussed in Subsection 7.5, "Neutron Monitoring System."
2. Nuclear system high pressure--High pressure within the nuclear system poses a direct threat of rupture to the nuclear system process barrier. A nuclear system pressure increase, while the reactor is operating, compresses the steam voids and results in a positive reactivity insertion, causing increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing the core fission-heat generation.

The nuclear system high-pressure scram setting is chosen slightly above the reactor vessel maximum normal operating pressure to permit normal operation without spurious scram, yet provide a wide margin to the maximum allowable nuclear system pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high-pressure scram setting. The nuclear system high-pressure scram works in conjunction with the pressure relief system in preventing nuclear system pressure from exceeding the maximum allowable pressure. This same nuclear system high-pressure scram setting also protects the core from exceeding thermal hydraulic limits as a result of pressure increases for some events that occur when the reactor is operating at less than rated power and flow.

3. Reactor vessel low water level--A low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled. The effect of a decreasing water level while the reactor is operating at power is to decrease the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature. Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission-heat generation within the core.

The reactor vessel low-water-level scram setting was selected to prevent fuel damage following those abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. Specifically, the scram setting is chosen far enough below normal operational levels to avoid spurious scrams, but high enough above the top of the active fuel to assure that enough water is available to account for evaporation losses and displacements of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in the development of thermal-hydraulic limits, which set operational limits on the thermal power level for various coolant flow rates.

4. Turbine stop valve closure--Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise collapses steam voids. The turbine stop-valve-closure scram, which initiates a scram earlier than either the Neutron Monitoring System or nuclear system high pressure, is required to provide a satisfactory margin below core thermal hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine-stop-valve-closure scram provides additional margin to the nuclear system pressure limit.

The turbine stop valve closure scram setting is selected to provide the earliest positive indication of valve closure. The trip logic was chosen both to identify those situations in which a reactor scram is required for fuel protection and to allow functional testing of this scram function.

5. Turbine control valve fast closure--With the reactor and turbine-generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises.

The turbine-control-valve-fast-closure scram, which initiates a scram earlier than either the Neutron Monitoring System or nuclear system high pressure, is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity due to pressure by inserting negative reactivity with the control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control-valve-fast-closure scram provides additional margin to the nuclear system pressure limit.

The turbine-control-valve-fast-closure scram setting is selected to provide timely indication of control-valve-fast-closure. The trip logic was chosen to identify those situations in which a reactor scram is required for fuel protection.

6. Main steam line isolation--The main-steam-line-isolation scram is provided to limit the release of fission products from the nuclear system. Automatic closure of the main-steam-line isolation valves is initiated upon conditions indicative of a steam line break. Immediate shutdown of the reactor is appropriate in such a situation. The scram initiated by main-steam-line isolation-valve closure anticipates a reactor vessel low-water-level scram. The main-steam-line-isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The trip logic allows functional testing of main-steam-line-isolation trip channels with one steam line isolated.
7. Scram discharge volume high water level--The scram discharge volume receives the water displaced by the motion of the control rod drive pistons during a scram. Should the scram discharge volume fill up with water to the point where insufficient space remains for the water to be displaced should a scram be initiated, control rod movement would be hindered. To prevent this situation, the reactor is scrammed when the water level in the discharge volume attains a value high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.


8. Primary containment high pressure--A high pressure inside the primary containment could indicate a break in the nuclear system process barrier. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce the addition of energy from the core to the coolant.

The reactor vessel low-water-level scram also acts to scram the reactor for loss-of-coolant accidents. The primary containment high-pressure scram setting is selected to be as low as possible without inducing spurious scrams.

9. Main steam line high radiation--High radiation in the vicinity of the main steam lines could indicate a gross fuel failure in the core. A non-safety related high radiation trip signal results in an isolation and trip of the Mechanical Vacuum Pump only. More information on the trip setting is available in Subsection 7.12, "Process Radiation Monitoring."
10. Deleted.
11. Manual scram--To provide the operator with means to shut down the reactor, pushbuttons are located in the control room; these initiate a scram when actuated by the operator.
12. Mode switch in SHUTDOWN--The mode switch provides appropriate protective functions for the condition in which the reactor is to be operated.

The reactor is to be shut down, with all control rods inserted, when the mode switch is in SHUTDOWN.

To enforce the condition defined for the SHUTDOWN position, placing the mode switch in the SHUTDOWN position initiates a reactor scram. This scram is not considered a protective function because it is not required to protect the fuel or nuclear system process barrier, and it bears no relationship to minimizing the release of radioactive material from any barrier. The scram signal is removed after a short time delay, permitting a scram reset which restores the normal valve lineup in the control rod drive hydraulic system.

7.2.3.7 Mode Switch

A conveniently-located, multiposition, administratively-controlled mode switch is provided to select the necessary scram functions for various plant conditions. In addition to selecting scram functions from the proper sensors, the mode switch provides appropriate bypasses. The mode switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the Reactor Protection System. The switch itself is designed to provide separation between the two trip systems. The mode switch positions and their related scram functions are as follows:


BFN-28

a. SHUTDOWN - Initiates a reactor scram, bypasses main steam line isolation scram, and selects Neutron Monitoring System for low neutron flux level operation.
b. REFUEL - Selects Neutron Monitoring System for low neutron flux level operation (see Subsection 7.5, "Neutron Monitoring System"); bypasses main steam line isolation scram.
c. STARTUP - Selects Neutron Monitoring System scram for low neutron flux level operation (see Subsection 7.5, "Neutron Monitoring System"); bypasses main steam line isolation scram.
d. RUN - Selects Neutron Monitoring System scram for power range operation (see Subsection 7.5, "Neutron Monitoring System").

7.2.3.8 Scram Bypasses

A number of scram bypasses are provided to account for the varying protection requirements depending on reactor conditions and to allow for instrument service during reactor operations. Some bypasses are automatic, others are manual. All manual bypass switches are in the control room under the direct control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact is continuously indicated in the control room. Bypassing of the NMS inop trip using the Operate-Calibrate bypass switch (fiber optic bypass switch (FOBS)) shall be under Administrative control to allow functional tests of the NMS to be performed.

Automatic bypass of the scram trips from main steam line isolation is provided when the mode switch is not in RUN.

The bypass allows reactor operations at low power with the main steam lines isolated and the main condenser not in operation. These conditions exist during startups (MODE 2) and certain reactivity tests during refueling (MODE 5).

The scram, initiated by placing the mode switch in SHUTDOWN, is automatically bypassed after a time delay of 2 seconds. The bypass is provided to eliminate a sustained SCRAM and to enable the SCRAM to be reset with the mode switch in SHUTDOWN. An annunciator in the control room indicates the bypassed condition.

An automatic bypass of the turbine control-valve fast-closure scram and turbine stop-valve-closure scram is effected whenever the reactor thermal power (as indicated by turbine first-stage pressure) is less than about 26 percent of its rated value. Closure of these valves from such a low initial power level does not constitute a threat to the integrity of any barrier to the release of radioactive material. Bypasses for the Neutron Monitoring System channels are described in Subsection 7.5, "Neutron Monitoring System." A manual switch located the mode switch is in SHUTDOWN or REFUEL. This bypass allows the operator to reset the Reactor Protection System, so that the system is restored to its normal configuration while the operator drains the scram discharge volume. In addition to allowing the scram relays to be reset, actuating the bypass actuates the control rod block. Resetting the trip actuator opens the scram discharge volume vent and drain valves.

An annunciator in the control room indicates the bypass condition. The arrangement of bypasses meets safety design basis 8b.

7.2.3.9 Instrumentation

Channels providing inputs to the Reactor Protection System are not used for automatic control of process systems; thus, the operations of protection and process systems are separated. The Reactor Protection System instrumentation is discussed as follows:

a. Neutron Monitoring System instrumentation is described in Subsection 7.5, "Neutron Monitoring System." The IRM and APRM channels are considered part of the Neutron Monitoring System. The Neutron Monitoring System logics are considered part of the Reactor Protection System. There are four Neutron Monitoring System logics associated with each trip system of the Reactor Protection System. Each Reactor Protection System logic receives inputs from two Neutron Monitoring System logics.

Each Neutron Monitoring System logic receives signals from one IRM channel and one APRM channel. (There are four APRMs which interface with the Reactor Protection System logic through four 2-out-of-4 trip voters. One trip voter provides divisional input into its associated RPS automatic trip logic channel.) The position of the mode switch determines which input signals will affect the output signal from the logic. The arrangement of Neutron Monitoring System logics is such that the failure of any one logic cannot prevent the initiation of a high neutron flux scram.

b. Nuclear system pressure is tapped from the reactor vessel at two separate locations. A pipe from each tap is led outside the primary containment and terminates in the Reactor Building. On Units 2 and 3, two locally mounted, nonindicating pressure transmitters monitor the pressure in each pipe. Cables from these transmitters are routed to the auxiliary instrument room. The two pairs of transmitters are physically separated. Each transmitter provides a high-pressure signal to one channel. The transmitters are arranged so that each pair provides an input to trip system A and trip system B, as shown in Figure 7.2-10. The physical separation and the signal arrangement assure that no single physical event can prevent a scram due to nuclear system high pressure. On Unit 1, locally mounted pressure switches provide the input to the RPS logic.

c. Reactor vessel low-water-level signals are initiated from differential pressure transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. The transmitters are arranged in pairs in the same way as the nuclear system high-pressure transmitters (Figure 7.2-10). Two instrument pipelines (one above and one below the water level) attached to taps on the reactor vessel are required for the differential pressure measurement for each pair of transmitters. The two pairs of pipelines terminate outside the primary containment and inside the Reactor Building; they are physically separated from each other and tap off the reactor vessel at widely separated points. The Reactor Protection System pressure transmitters, as well as instruments for other systems, sense pressure and level from these same pipes. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level.
d. Turbine-stop-valve-closure inputs to the Reactor Protection System are from valve stem position switches mounted on the four turbine stop valves. Each of the double-pole, single-throw switches is arranged to open before the valve has closed more than 10 percent from its full-open position, providing the earliest positive indication of closure. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2-11. The logic is arranged so that closure of three or more valves initiates scram.
e. Turbine-control-valve-fast-closure inputs to the RPS are from four pressure switches which sense loss of EHC trip fluid pressure. Loss of EHC trip fluid pressure initiates control valve fast closure. One switch is mounted on each of the four control valves such that fast closure from either normal tripping or from hydraulic line failure is detected. Each pressure switch provides a signal to one of the two channels of the RPS, as shown in Figure 7.2-10. The logic is arranged so that operation of any one switch or two switches in the same channel initiates a half scram; and a simultaneous trip in each channel initiates a full reactor scram. Thus, if EHC trip fluid pressure is lost at the control valves, a turbine-control-valve-closure reactor trip signal is initiated.
f. There are eight main steam line isolation channels, two for each main steam line. Each channel senses isolation of the associated main steam line via a valve stem position switch on each isolation valve in the main steam line. The double-pole, single-throw switch on each main steam isolation valve is arranged to open before the valve has closed more than 10 percent from its full-open position, providing the earliest indication of isolation. The closure of the valve in a main steam line causes both channels associated with that steam line to signal isolation. Figure 7.2-12 shows the arrangement of main steam line isolation channels. The main-steam-line isolation-valve-closure scram function is effective only when the reactor mode switch is in RUN.

The outputs from the channels are combined in Reactor Protection System logic in such a way that the isolation of three or four main steam lines (closure of one valve in each of three or more main steam lines) causes a scram.

Figure 7.2-12 shows the logic arrangement. Wiring of the isolation channels from any one main steam line is physically separated in the same way that wiring to a duplicate sensor or a common process tap is separated. The effects of the logic arrangement and separation provided for the main-steam-line isolation-valve closure scram are as follows:

1. Closure of one valve for test purposes, with one steam line already isolated, without causing a scram due to valve closure,
2. Automatic scram upon isolation of three or more steam lines, and
3. No single failure can prevent an automatic scram required for fuel protection due to main steam line isolation.
g. Scram-discharge-volume high-water-level inputs to the Reactor Protection System are from four nonindicating float switches and four thermal dispersion level switches located in the Reactor Building. Each switch provides an input into one channel (Figure 7.2-10). The switches are arranged in pairs so that no single event will prevent a reactor scram due to scram-discharge-volume high-water level. With the scram setting as listed in Table 7.2-1, a scram is initiated while sufficient capacity remains in the discharge volume to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting.
h. On Units 2 and 3, primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell in the Reactor Building. Cables are routed from the transmitters to the auxiliary instrument room. Each transmitter provides an input to one channel (Figure 7.2-10). Pipes that terminate in the secondary containment (Reactor Building) connect the transmitters with the drywell interior. The transmitters are grouped in pairs, physically separated, and electrically connected to the Reactor Protection System, so that no single event will prevent a scram due to primary containment high pressure. On Unit 1, locally mounted pressure switches provide the input to the RPS logic.


i. Main steam line radiation is monitored by two gamma sensitive radiation monitors, which are discussed and evaluated in paragraph 7.12.1, "Main Steam Line Radiation Monitors."
j. Deleted.
k. Deleted.
l. Two turbine first-stage pressure transmitters are provided for each trip system to initiate the automatic bypass of the turbine-control-valve-fast-closure and turbine-stop-valve-closure scrams when the first stage pressure is below some preset fraction of rated pressure. The transmitters are arranged so that no single failure can prevent a turbine-stop-valve-closure scram or turbine-control-valve-fast-closure scram.
m. Channel and logic relays are fast-response, high-reliability relays. All Reactor Protection System relays are selected so that the continuous load will not exceed 50 percent of the continuous duty rating. Component electrical characteristics are selected so that the system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts is less than 50 milliseconds. The time requirements for control rod movement are discussed in Subsection 3.4, "Reactivity Control Mechanical Design."

Sensing elements are equipped with enclosures so that they can withstand conditions that may result from a steam or waterline break long enough to perform satisfactorily.

Instruments for the Reactor Protection System (RPS) are qualified for the environment in which they are located and conditions to which they will be subjected. All RPS instruments which are located in a harsh environment as defined by the 10 CFR 50.49 Environmental Qualification Program meet the requirements of that program.

To gain access to those calibration and trip setting controls that are located outside the control room, a cover plate, access plug, or sealing device must be removed by qualified plant personnel before any adjustment in trip settings can be effected.

7.2.3.10 Wiring

Wiring and cables for Reactor Protection System instrumentation are selected to avoid excessive deterioration due to temperature and humidity during the design life of the plant. Cables and connectors used inside the primary containment are designed for continuous operation at an ambient temperature of 150°F and a relative humidity of 99 percent.

Cables required to carry low level signals (currents of less than 1 milliampere or voltages of less than 100 millivolts) are designed and installed to eliminate, insofar as practical, electrostatic and electromagnetic pickup from power cables and other AC or DC fields. Low level signal cables are routed separately from all power cables.

Wiring for the Reactor Protection System outside the enclosures in the control room is run in rigid metallic conduits used for no other wiring. The wires from duplicate sensors on a common process tap are run in separate conduits. Wires for sensors of different variables in the same Reactor Protection System logic may be run in the same conduit.

The scram pilot-valve solenoids are powered from eight actuator logic circuits--four circuits from trip system A and four from trip system B. The four circuits associated with any one trip system are run in separate conduits. One actuator logic circuit from each trip system may be run in the same conduit; wiring for the two solenoids associated with any one control rod may be run in the same conduit.

7.2.4 Safety Evaluation

The Reactor Protection System is designed to provide timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier and the nuclear system process barrier. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate events that challenge the fuel barrier and nuclear system process barrier. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that section.

Design procedure has been to select tentative scram trip settings that are far enough above or below normal operating levels that spurious scrams and operating inconvenience are avoided; it is then verified by analysis that the reactor fuel and nuclear system process barrier are protected as is required by the basic objective.

A program is in place to determine the Analytical Limit for RPS process variables obtained by calculation and analysis to set values for the scram trip points. The values shall be evaluated to ensure that they have sufficient margin from the design basis safety limit. The scrams initiated by Neutron Monitoring System variables, nuclear system high pressure, turbine stop-valve closure, turbine control-valve fast closure, and reactor vessel low-water level are sufficient to prevent excessive fuel damage following abnormal operational transients. Section 14.0, "Plant Safety Analysis," identifies and evaluates the threats to fuel damage resulting from abnormal operational events. In no case does excessive fuel damage result from abnormal operational transients. The Reactor Protection System meets the timeliness and precision requirements of safety design basis 1.

The evaluation of the scram function provided by the Neutron Monitoring System is presented in the section describing that system.

The scram initiated by nuclear system high pressure, in conjunction with the pressure relief system, is sufficient to prevent damage to the nuclear system process barrier as a result of internal pressure. For turbine-generator trips, the turbine stop-valve-closure scram and turbine control-valve-fast-closure scram provide a greater margin to the maximum allowed nuclear system pressure than would the high pressure scram alone. Section 14.0 identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases; in no case does pressure exceed the maximum allowed nuclear system pressure. The Reactor Protection System meets the timeliness and precision requirements of safety design basis 2.

The scrams initiated by the Neutron Monitoring System, main-steam-line isolation-valve closure, and reactor vessel low water level satisfactorily limit the radiological consequences of gross failure of the fuel or nuclear system process barriers. Section 14.0 evaluates gross failures of the fuel and nuclear system process barriers; in no case does the release of radioactive material to the environs exceed the guideline values of published regulations. The Reactor Protection System meets the precision requirements of safety design basis 3.

Because the Reactor Protection System meets the timeliness and precision requirements of safety design bases 1, 2, and 3 (monitoring variables that are true, direct measures of operational conditions), it is concluded that safety design basis 4 is met.

Because the Reactor Protection System meets the precision requirements of safety design bases 1, 2, and 3 using instruments with the characteristics described in Table 7.2-1, it is concluded that safety design basis 5 is met.

Neutron flux (the Neutron Monitoring System variable) is the only essential variable of significant spatial dependence that provides inputs to the Reactor Protection System. The basis for the number and locations of neutron flux detectors is discussed in Subsection 7.5, "Neutron Monitoring System." Because the precision requirements of safety design bases 1, 2, and 3 are met using the Neutron Monitoring System as described, it is concluded that the number of sensors for spatially dependent variables satisfies safety design basis 6.

The items of safety design basis 7 specify the requirements that must be fulfilled for the Reactor Protection System to meet the reliability requirements of safety design bases 1, 2, and 3. It has already been shown in the description of the Reactor Protection System that safety design basis 7f has been met. The other requirements are fulfilled through the combination of logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities. The following discussion evaluates these subjects.

In terms of protection system nomenclature, the Reactor Protection System is a one-out-of-two system used twice (1 of 2 x 2) (Power Range Neutron Monitoring System inputs implement a two-out-of-four logic). Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system. However, since the differences are slight, they can, in a practical sense, be neglected. The advantage of the dual trip system arrangement is that it can be tested thoroughly during reactor operation without causing a scram.

This capability for a thorough testing program, which contributes significantly to increased reliability, is not possible for a one-out-of-two system.

The use of independent channels allows the system to sustain any channel failure without preventing other sensors monitoring the same variable from initiating a scram. A single sensor or channel failure will cause a single trip system trip and actuate alarms that identify the trip. The failure of two or more sensors or channels would cause either a single trip system trip, if the failures were confined to one trip system, or a reactor scram, if the failures occurred in different trip systems. Any intentional bypass, maintenance operation, calibration operation, or test, all of which result in a single trip system trip, leaves at least two channels per monitored variable capable of initiating a scram by causing a trip of the remaining trip system. The resistance to spurious scrams contributes to plant safety, because unnecessary cycling of the reactor through its operating modes would increase the probability of error or actual failure. It is concluded from the preceding paragraphs evaluating the logic, redundancy, and failure characteristics of the Reactor Protection System that the system satisfies the reliability requirement stated in safety design bases 7a and 7b.

Any actual condition in which an essential monitored variable exceeds its scram trip point is sensed by at least two independent channels in each trip system. Because only one channel must trip in each trip system to initiate a scram, the arrangement of two channels per monitored variable per trip system provides assurance that a scram will occur as any monitored variable exceeds its scram setting.
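The logic arrangement and single-failure behaviour evaluated above can be checked by exhaustive enumeration. The Python sketch below is an added illustration, not part of the FSAR; the channel-state labels, the assumption of independent channel failures, and the per-channel failure probability are assumptions of the example.

```python
from itertools import product

# Channel states (labels are assumptions of this example, not FSAR terms).
OK = "ok"            # trips when the monitored variable exceeds its setpoint
STUCK = "stuck"      # never trips (unsafe failure)
TRIPPED = "tripped"  # always tripped (safe failure, or channel under test)


def channel_output(state, demand):
    """Return True if the channel presents a trip to its trip system."""
    if state == TRIPPED:
        return True
    if state == STUCK:
        return False
    return demand


def trip_systems(states, demand):
    """One-out-of-two inside each trip system; states = (A1, A2, B1, B2)."""
    a1, a2, b1, b2 = (channel_output(s, demand) for s in states)
    return (a1 or a2), (b1 or b2)


def scram_1oo2x2(states, demand):
    """One-out-of-two taken twice: both trip systems must trip to scram."""
    trip_a, trip_b = trip_systems(states, demand)
    return trip_a and trip_b


def scram_1oo2(states, demand):
    """Plain one-out-of-two: any channel trip scrams."""
    return any(channel_output(s, demand) for s in states)


def scram_2oo3(states, demand):
    """Two-out-of-three coincidence."""
    return sum(channel_output(s, demand) for s in states) >= 2


def wrong_outcome_probability(logic, n, bad_state, p, demand):
    """Probability that the logic output differs from the demand when each of
    n channels is independently in bad_state with probability p.
    demand=True with STUCK gives the failure-to-scram probability;
    demand=False with TRIPPED gives the spurious-scram probability."""
    total = 0.0
    for combo in product((OK, bad_state), repeat=n):
        if logic(combo, demand) != demand:
            k = combo.count(bad_state)
            total += p ** k * (1 - p) ** (n - k)
    return total


def single_failure_survey():
    """Apply every single channel failure to the 1-of-2 x 2 arrangement."""
    survey = {}
    for index, bad_state in product(range(4), (STUCK, TRIPPED)):
        states = [OK] * 4
        states[index] = bad_state
        trip_a, trip_b = trip_systems(states, demand=False)
        survey[(index, bad_state)] = {
            "scram_on_demand": scram_1oo2x2(states, demand=True),
            "half_scram": trip_a != trip_b,      # single trip system trip
            "spurious_scram": trip_a and trip_b,
        }
    return survey


if __name__ == "__main__":
    p = 0.01  # constructed per-channel failure probability
    arrangements = (("1oo2", scram_1oo2, 2),
                    ("1oo2 x 2", scram_1oo2x2, 4),
                    ("2oo3", scram_2oo3, 3))
    for name, logic, n in arrangements:
        miss = wrong_outcome_probability(logic, n, STUCK, p, demand=True)
        spur = wrong_outcome_probability(logic, n, TRIPPED, p, demand=False)
        print(f"{name:9s} fail-to-scram={miss:.3e}  spurious-scram={spur:.3e}")
    for key, result in single_failure_survey().items():
        print(key, result)
```

For a small per-channel failure probability p, the failure-to-scram probabilities come out near p², 2p², and 3p² for the one-out-of-two, one-out-of-two-taken-twice, and two-out-of-three arrangements, which is the ordering the evaluation states.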

Each control rod is controlled as an individual unit. A failure of the controls for one rod would not affect other rods. The backup scram valves provide a second method of venting the air pressure from the scram valves, even if either scram pilot-valve solenoid for any control rod fails to deenergize when a scram is required. It is concluded from the evaluations in the above paragraphs that the Reactor Protection System meets safety design basis 7c.

Sensors, channels, and logics of the Reactor Protection System are not used directly for automatic control of process systems. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system. This meets safety design basis 7d.

Failure of either Reactor Protection System motor generator set would result, at worst, in a single-trip-system trip. Alternate power is available to the Reactor Protection System buses. A complete, sustained loss of electrical power to both motor-generator sets results in eventual loss of RPS instrumentation power, as delayed by the motor-generator set flywheel inertia. Loss of RPS instrumentation power initiates MSIV closure, which results in a reactor scram. This meets safety design basis 7e.

The environmental conditions in which the instruments and equipment of the Reactor Protection System must operate were considered in their design and installation. The instruments' environmental requirements are based on the worst-expected environmental conditions in which the instruments must operate. All Reactor Protection System equipment that is in a harsh environment as established by the 10 CFR 50.49 Environmental Qualification Program meets the requirements of that program. The Reactor Protection System components, which are located inside the primary containment and which must function in the environment resulting from a break of the nuclear system process barrier inside the primary containment, are the condensing chambers and the inboard MSIV RPS limit switches. Special precautions are taken to ensure satisfactory operability after the accident. The condensing chambers are similar to those that have successfully undergone qualification testing in connection with other projects, and the limit switches are environmentally qualified.

The environmental capabilities of the Reactor Protection System components, combined with the previously described physical and electrical isolation of sensors and channels, satisfy safety design basis 7g.

Safe shutdown of the reactor during earthquake ground motion is assured by design of the system as a Class I system (see Appendix C) and the fail-safe characteristics of the system. The system only fails in a direction that causes a reactor scram when subjected to extremes of vibration and shock. This meets safety design basis 7h.

Calibration and test controls for the Neutron Monitoring System are located in the control room and are, because of their physical location, under the direct physical control of the control room operator. Calibration and test controls for pressure switches, level switches, and valve position switches are located on the switches themselves. These switches are located in the Turbine Building, Reactor Building, and primary containment. Electronic switches associated with RPS transmitters are located in the Control Building Auxiliary Instrument Room. To gain access to the setting controls on each switch, a cover plate or sealing device must be removed.

The control room operator is responsible for granting access to the setting controls to properly qualified plant personnel for the purpose of testing or calibration adjustments. This meets safety design basis 8a.

It has been shown in the description of the Reactor Protection System that safety design bases 8b, 9, 10a, and 10b are satisfied.

The following section covering inspection and testing of the Reactor Protection System demonstrates that safety design basis 11 is satisfied.

7.2.5 Inspection and Testing

7.2.5.1 General

The Reactor Protection System can be tested during reactor operation by five separate tests. The first of these is the manual trip actuator test. By depressing the manual scram button for one trip system, the manual logic actuators are deenergized, opening contacts in the actuator logics. After resetting the first trip system, the second trip system is tripped with the other manual scram button. The total test verifies the ability to deenergize all eight groups of button switches. Scram group indicator lights verify that the actuator contacts have opened.

The second test is the automatic actuator test, which is accomplished by operating (one at a time) the administratively-controlled test switches for each automatic logic. The switch deenergizes the actuators for that logic, causing the associated actuator contacts to open. The test verifies the ability of each logic to deenergize the actuator logics associated with the parent trip system.

The third test includes calibration of the Neutron Monitoring System. Subsection 7.5, "Neutron Monitoring System," describes the calibration procedure.

The fourth test is the single rod scram test, which verifies the capability of each rod to scram. It is accomplished by operation of toggle switches on the protection system operations panel. Timing traces can be made for each rod scrammed. Prior to the test, a physics review must be conducted to assure that the rod pattern during scram testing does not create a rod of excessive reactivity worth.

The fifth test involves the application of a test signal to each Reactor Protection System channel, in turn, and observing that a logic trip results. This test also verifies the electrical independence of the channel circuitry. The test signals can be applied to the process-type sensing instruments (pressure and differential pressure) through calibration taps. This test is performed in accordance with approved written procedures.

Reactor Protection System response times are first verified during preoperational testing and may be verified thereafter by similar tests. The elapsed times from sensor trip to each of the following events are measured:

a. Channel relay deenergized, and
b. Actuators deenergized.

The alarm typewriter provided with the process computer verifies the proper operation of many sensors during plant startups and shutdowns. Main-steam-line isolation valve position switches and turbine-stop-valve position switches can be checked in this manner. The verification provided by the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety.

The provisions for functionally testing and calibrating the Reactor Protection System meet the requirements of safety design basis 11.

Technical Specification Section 3.3.1.1 provides the associated testing requirements for the Reactor Protection System, which typically include periodic channel checks, channel functional tests, channel calibrations, and logic system functional tests. The technical specification bases provide additional details for specific surveillance requirements.

Channel functional tests verify actuation of the trip output relays or trip channels. Additionally, the associated surveillance procedures verify operation of expected alarms. Channel calibrations for pressure or level sensing instrumentation utilize standard pressure sources or calibrated water columns as the calibration reference.

7.2.5.2 Seismic Test and Analysis Results

GENERAL NOTE: The subject topic of this section is related to the NRC Unresolved Safety Issue A-46 Program and the Seismic Analysis Program, both of which are addressed in Appendix C.

TABLE 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Units 1 and 2

| Scram Function | Instrument | Analytical Limit (AL) |
|---|---|---|
| Neutron Monitoring System Scram | See Neutron Monitoring System | |
| Nuclear System High Pressure | Pressure Transmitter PT-3-22AA, -22BB, -22C, -22D | 1071 psig (AL) (Unit 2); 1101 psig (AL) (Unit 1) |
| Reactor Vessel Low Water Level | Level Transmitter LT-3-203A-D,-184,-185 | 518 inches above vessel zero (AL) |
| Turbine Stop Valve Closure | Position Switch | Before 10% valve closure from full open position |
| Turbine Control Valve Fast Closure | Pressure Switch | 550 psig |
| Main Steam Line Isolation Valve Closure | Position Switch | Before 10% valve closure from full open position |
| Scram Discharge Volume High Water Level | Level Switch | 51 gal. (Unit 1 only); 54.4 gal. (Unit 2 only) |
| Primary Containment High Pressure | Pressure Transmitter | 2.6 psig (AL) |
| Main Steam Line Radiation (For Unit 1 only, not a safety related function) | Gamma Radiation Monitor | 3 times normal high full power background |

TABLE 7.2-1a REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Unit 3

| Scram Function | Instrument | Analytical Limit (AL) |
|---|---|---|
| Neutron Monitoring System Scram | See Neutron Monitoring System | |
| Nuclear System High Pressure | Pressure Transmitter PT-3-22AA,-22BB, -22C, -22D | 1101 psig (AL) |
| Reactor Vessel Low Water Level | Level Transmitter LT-3-203A-D,-184,-185 | 518 inches above vessel zero (AL) |
| Turbine Stop Valve Closure | Position Switch | Before 10% valve closure from full open position |
| Turbine Control Valve Fast Closure | Pressure Switch | 550 psig |
| Main Steam Line Isolation Valve Closure | Position Switch | Before 10% valve closure from full open position |
| Scram Discharge Volume High Water Level | Level Switch | 54.4 gal. |
| Primary Containment High Pressure | Pressure Transmitter | 2.6 psig (AL) |

Table 7.2-2 (Deleted by Amendment 13)

Figures 7.2-3a through 7.2-3l (Deleted by Amendment 22)

Figure 7.2-7 Deleted by Amendment 13.

Figure 7-2-13 Deleted

7.3 PRIMARY CONTAINMENT ISOLATION SYSTEM

7.3.1 Safety Objective

To provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barrier, the Primary Containment Isolation System initiates automatic isolation of appropriate pipelines which penetrate the primary containment whenever monitored variables exceed preselected operational limits.

For a gross failure of the fuel, the Primary Containment Isolation System initiates isolation of the reactor vessel to contain released fission products. For a gross breach in the nuclear system process barrier outside the primary containment, the isolation system acts to interpose additional barriers (isolation valve plugs) between the reactor and the breach, thus stopping the release of radioactive materials and conserving reactor coolant. For gross breaches in the nuclear system process barrier inside the primary containment, the Primary Containment Isolation System acts to close off release routes through the primary containment barrier, thus trapping the radioactive material coming through the breach inside the primary containment.

7.3.2 Definitions

Group A isolation valves listed in Table 5.2-2 are in pipelines that communicate directly with the nuclear system process barrier and penetrate the primary containment. These lines generally have two isolation valves in series--one inside the primary containment and one outside the primary containment.

Group B isolation valves listed in Table 5.2-2 are in pipelines that do not communicate directly with the nuclear system process barrier, but penetrate the primary containment and communicate with the primary containment free space. These pipelines generally have two isolation valves in series--both of them outside the primary containment, except that on water-sealed lines, one isolation valve in addition to the water seal is adequate to meet isolation requirements.

Water sealing refers to lines which penetrate the pressure suppression chamber above the pool water level and terminate within the pressure suppression chamber well below the normal water level. The water in the line within the containment prevents communication between the atmosphere in the containment and the Reactor Building, even if the isolation valve fails to close. The water-sealing function is maintained as long as pressure suppression pool water level is maintained at or above prescribed limits.

7.3.3 Safety Design Basis

1. To limit the uncontrolled release of radioactive materials to the environs, the Primary Containment Isolation System shall, with precision and reliability, initiate timely isolation of penetrations through the primary containment structure, which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits.
2. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, the Primary Containment Isolation System shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.
3. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, an adequate number of sensors shall be provided for monitoring essential variables that have spatial dependence.
4. To provide assurance that conditions indicative of a gross failure of the nuclear system process barrier are detected with sufficient timeliness and precision to fulfill safety design basis 1, Primary Containment Isolation System inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.
5. The time required for closure of the main steam isolation valves shall be short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are minimal.
6. The time required for closure of the main steam isolation valves shall not be so short that inadvertent isolation of steam lines causes excessive fuel damage or excessive nuclear system pressure. This basis ensures that the main-steam-isolation-valve closure speed is compatible with the ability of the Reactor Protection System and Pressure Relief System to protect the fuel and nuclear system process barrier.
7. To provide assurance that closure of Group A and Group B automatic isolation valves is initiated, when required, with sufficient reliability to fulfill safety design basis 1, the following safety design bases are specified for the systems controlling Group A and Group B automatic isolation valves.
a. Any single failure within the isolation system shall not prevent essential isolation action when required to satisfy safety design basis 1.

b. Any anticipated intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the functional ability of any essential isolation system to respond correctly to essential monitored variables.
c. The essential isolation system shall be designed for a high probability that when any essential monitored variable exceeds the isolation setpoint, the event shall result in automatic isolation and shall not impair the ability of the system to respond correctly as other monitored variables exceed their isolation setpoints.
d. When a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more essential isolation system channel(s) designed to provide protection against the unsafe condition, the remaining portions of the isolation control system shall meet the requirements of safety design bases 1, 2, 3, and 7a.
e. The power supplies for the essential portions of the Primary Containment Isolation System shall be arranged so that loss of one supply cannot prevent automatic isolation when required.
f. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Groups 1-6 require deliberate operator action to return the system to normal operation after isolation action.
g. There shall be sufficient electrical and physical separation between essential variables to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.
h. Earthquake ground motions shall not impair the ability of the Primary Containment Isolation System to initiate automatic isolation.
8. The following safety design bases are specified to assure that the timely isolation of main steam lines is accomplished, when required, with extraordinary reliability.
a. The motive force for achieving valve closure for one of the two tandem-mounted isolation valves in an individual steam line shall be derived from a different energy source than that for the other valve.

b. At least one of the isolation valves in each of the steam lines shall not rely on continuity of any variety of electrical power for the motive force to achieve closure.
9. To reduce the probability that the operational reliability and precision of the Primary Containment Isolation System will be degraded by operator error, the following safety design bases are specified for Group A and Group B automatic isolation valves.
a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables shall be under administrative control.
b. The means for bypassing channels, logics, or system components shall be under administrative control.
10. To provide the operator with means, independent of the automatic isolation functions, to take action in the event of a failure of the nuclear system process barrier, it shall be possible for the control room operator to manually initiate isolation of the primary containment and reactor vessel.
11. The following bases are specified to provide the operator with the means to assess the condition of the Primary Containment Isolation System and to identify conditions indicative of a gross failure of the nuclear system process barrier.
a. The Primary Containment Isolation System shall be designed to provide the operator with essential information pertinent to the status of the system.
b. Means shall be provided for identification of essential trip system responses.
12. It shall be possible to check the operational availability of each essential channel and trip system during some reactor operating state.

7.3.4 Description

7.3.4.1 Identification

The containment isolation system is designed to accomplish the safety design bases, and thus prevent the release of radioactive material to the environment after an accident, while ensuring that systems important for postaccident mitigation are operational. Systems were evaluated and containment isolation provisions were provided based on the following.

1. Nonessential Systems - These systems are not required for postaccident mitigation and are isolated automatically upon receipt of a primary containment isolation signal (PCIS), or are provided with manual valves which are closed when containment integrity is required.
2. Essential Systems - These systems are required for postaccident mitigation and are not isolated automatically upon receipt of a PCIS. However, isolation of these lines, if required, is possible from the Main Control Room. The following systems are classified essential as a result of their accident-mitigation function:

(1) Standby Liquid Control (SLC),

(2) Reactor Core Isolation Cooling (RCIC; expected to operate, but not required for mitigation),

(3) High Pressure Coolant Injection (HPCI),

(4) Residual Heat Removal - Low Pressure Injection and Containment Cooling Modes (RHR),

(5) Core Spray (CS),

(6) Containment Atmospheric Dilution (CAD), and

(7) Hardened Wetwell Vent (HWWV)

(8) Hardened Containment Venting System (HCVS)

Each line penetrating primary containment has been reviewed to ensure that (1) isolation of the line was based on its need to be inservice postaccident, and (2) each containment isolation valve received the proper isolation signal.

The Browns Ferry primary containment isolation signals are provided by diverse and redundant safety grade equipment. Browns Ferry complies with SRP 6.2.4 by isolating, in general, on (a) low reactor level, or (b) high drywell pressure. The PCIS setpoints were chosen such that isolation will occur prior to, or at the time of ECCS initiation. There are several other isolation modes in addition to the main PCIS logic. For example, main steam isolation valves will also close as a result of high steam flow or high steam line tunnel temperature. The primary containment ventilation system isolates on Reactor Building high radiation. The HPCI and RCIC systems have instrumentation to detect pipe breaks within their own flow paths, and to subsequently isolate the system.

The isolation logic is such that resetting the main primary containment isolation signals will not result in the automatic reopening of these isolation valves.

The Primary Containment Isolation System includes the sensors, channels, switches, and remotely-activated valve-closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment or reactor vessel, or both. The control systems for those Group A and Group B isolation valves that close by automatic action pursuant to the safety design bases are the main subjects of this section. Group A and Group B check valves are also included, although no control system is involved.

7.3.4.2 Power Supply

The power for the channels and logics of the isolation control system is supplied from the Reactor Protection System motor-generator sets, the unit preferred power system, or the plant batteries. Isolation valves receive power from standby power sources. Power for the operation of two valves in a pipeline is fed from different sources for Groups 1-6 valves. In most cases, one valve is powered from an AC bus of appropriate voltage, and the other valve is powered by DC from the unit or plant batteries. Both of the HWWV (Unit 3) isolation valves receive DC power from separate RMOV boards to ensure operability following a station blackout event.

Both of the HCVS (Units 1 and 2) isolation valves receive DC power from separate RMOV boards which remain powered during an Extended Loss of AC Power (ELAP) event. Power is available via manual transfer for each isolation valve to a dedicated HCVS battery system which ensures operability during the first 24 hours of an ELAP. The main steam isolation valves, which are described in paragraph 7.3.4.6, use AC, DC, and pneumatic pressure in the control scheme. Table 5.2-2 lists the types of power to open and close each isolation valve.

7.3.4.3 Physical Arrangement

Table 5.2-2 lists the pipelines that penetrate the primary containment and the associated valves that are considered part of the containment isolation control system. Pipelines which penetrate the primary containment and are in direct communication with the nuclear system process barrier generally have two Group A isolation valves, one inside the primary containment and one outside the primary containment. Pipelines which penetrate the primary containment and which communicate with the primary containment free space, but which do not communicate directly with the nuclear system process barrier, generally have two Group B isolation valves located outside the primary containment. Group A and Group B automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the nuclear system process barrier (see Figures 4.3-2a sheet 1, sheet 2, and sheet 3).

Power cables are run in conduits or trays from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. The control arrangement for the main steam isolation valves includes pneumatic piping and an accumulator for those valves for which air aids the spring in fast closing of the valves upon loss of Control Air supply. Pressure and water level sensors are mounted on instrument racks in either the Reactor Building or the Turbine Building. Valve position switches are mounted on the valve for which position is to be indicated.

Cables from each sensor are routed in conduits and cable trays to the Auxiliary Instrument Room. All signals transmitted to the Control and Auxiliary Instrument Rooms are electrical; no pipe from the nuclear system or the primary containment penetrates the Control or Auxiliary Instrument Room.

Pipes used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment (Reactor Building). The sensor cables and power supply cables are routed to cabinets in the Auxiliary Instrument Room, where the logic arrangements of the system are formed.

To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of Group A and Group B valves are designed as Class I equipment, as described in Appendix C. This meets safety design basis 7h.

7.3.4.4 Logic

The basic logic arrangement for essential trip functions is separated into two divisions (I and II), in which an automatic isolation valve is controlled by two trip systems. Where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition. Valves that respond to the signals from common trip systems are identified in the detailed descriptions of isolation functions.

Each essential trip system receives input signals from at least one instrument channel for each essential, monitored variable. Thus, each essential, monitored variable provides independent inputs to the trip system. A total of four channels for each essential, monitored variable is provided for the logics of both trip systems except where redundancy considerations require a fewer number.

7.3.4.5 Operation

For the case of normally energized logic, during operation of the plant when isolation is not required, sensor and trip contacts essential to safety are closed; channels and trip logics are energized. Whenever a channel sensor contact opens, its auxiliary relay de-energizes, causing contacts in the trip logic to open. The opening of a sufficient number of contacts in the trip logic de-energizes its actuator relay. When de-energized, the actuator relay opens a contact in an actuator logic. If a trip then occurs in either of the logic pairs of the other trip system, another actuator logic is de-energized. With both trip systems tripped, appropriate contacts open or close in valve control circuitry to actuate the valve closing mechanism. Automatic isolation valves that are normally closed, as well as those valves that are open, receive the isolation signal.

For the case of normally de-energized logic, such as used to control the HPCI and RCIC isolation valves, when isolation is not required, sensor and trip contacts are open and channels and trip logics are de-energized. Isolation signals are transmitted to the valves by the closure of contacts and the energizing of relays.

The control system for each Group A isolation valve is designed to provide closure of the valve in time to prevent uncovering the fuel as a result of a break in the pipeline which the valve isolates. The control systems for Group A and Group B isolation valves are designed to provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the reference values of 10 CFR 50.67.

All automatic Group A and Group B valves can be closed by manipulating switches in the control room, thus providing the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier. This meets safety design basis 10.

For Groups 1-6 and 8, once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate switches in the control room to reopen a valve which has been automatically closed. Unless manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions which initiated isolation have cleared. This is the equivalent of a manual reset and meets safety design basis 7f.
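The seal-in and reopening behaviour described above, together with the two logic polarities, can be expressed as a small state model. The Python sketch below is an added illustration, not part of the FSAR; the class and method names, the reset-before-reopen ordering, and the response of each polarity to loss of logic power are assumptions of this simplified model.

```python
class IsolationValveControl:
    """Simplified two-trip-system isolation control for one valve.

    normally_energized=True models de-energize-to-trip logic;
    normally_energized=False models energize-to-trip logic.
    """

    def __init__(self, normally_energized=True):
        self.normally_energized = normally_energized
        self.valve_open = True
        self.sealed_in = False          # isolation signal latched
        self.condition_present = False  # initiating condition still present

    def _trip_system_tripped(self, sensor_tripped, logic_power):
        if self.normally_energized:
            # Relay drops out on a sensor trip or on loss of logic power.
            return sensor_tripped or not logic_power
        # Relay can only pick up when a sensor trips and power is available.
        return sensor_tripped and logic_power

    def scan(self, sensor_a, sensor_b, logic_power=True):
        """Evaluate both trip systems once; return True if the valve is open."""
        trip_a = self._trip_system_tripped(sensor_a, logic_power)
        trip_b = self._trip_system_tripped(sensor_b, logic_power)
        self.condition_present = trip_a and trip_b
        if self.condition_present:
            self.sealed_in = True    # once initiated, isolation completes
            self.valve_open = False
        return self.valve_open

    def reset(self):
        """Reset the isolation signal. Never reopens the valve.
        Returns True if the seal-in was cleared."""
        if not self.condition_present:
            self.sealed_in = False
        return not self.sealed_in

    def manual_open(self):
        """Deliberate operator action; no manual override is modelled."""
        if not self.condition_present and not self.sealed_in:
            self.valve_open = True
        return self.valve_open


def isolation_sequence(normally_energized=True):
    """Walk one valve through trip, clearing, reset and manual reopening."""
    ctl = IsolationValveControl(normally_energized)
    log = []
    log.append(("normal", ctl.scan(False, False)))
    log.append(("one trip system tripped", ctl.scan(True, False)))
    log.append(("both trip systems tripped", ctl.scan(True, True)))
    log.append(("reopen attempt, condition present", ctl.manual_open()))
    log.append(("condition cleared", ctl.scan(False, False)))
    log.append(("valve open after reset", ctl.reset() and ctl.valve_open))
    log.append(("manual reopen", ctl.manual_open()))
    return log


def valve_open_after_power_loss(normally_energized):
    """Valve state in this model after loss of logic power with no sensor trip."""
    ctl = IsolationValveControl(normally_energized)
    return ctl.scan(False, False, logic_power=False)


if __name__ == "__main__":
    for step, valve_open in isolation_sequence():
        print(f"{step:36s} valve_open={valve_open}")
    print("power loss, normally energized   :", valve_open_after_power_loss(True))
    print("power loss, normally de-energized:", valve_open_after_power_loss(False))
```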

A trip of an isolation trip system is annunciated in the control room so that the operator is immediately informed of the condition. The response of isolation valves is indicated by "open-closed" lights. All motor-operated Group A and Group B isolation valves whose primary function is to isolate have two sets of "open-closed" lights. One set is located near the manual control switches for controlling each valve from the control room panel. A second set is located in a separate, central isolation-valve-position display in the control room. The positions of air-operated isolation valves are displayed in the same manner as motor-operated valves.

Inputs to annunciators, indicators, and the computer are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system. Signals directly from the isolation control system sensors are not used as inputs to annunciating or data-logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the Primary Containment Isolation System satisfies safety design bases 11a and 11b.

7.3.4.6 Isolation Valve Closing Devices and Circuits

Table 5.2-2 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote-manual isolation of the primary containment or reactor vessel. To meet the requirement that automatic Group A valves be fully closed in time to prevent the reactor vessel water level from falling below the top of the active fuel as a result of a break of the pipeline which the valve isolates, the valve-closing mechanisms are designed to give the minimum closing rates specified in Table 5.2-2. In many cases, a standard closing rate of 12 inches per minute is adequate to meet isolation requirements. Using the standard rate, a 12 inch valve is closed in 60 seconds. Conversion to nominal closing time can be made by using the size of the line to be isolated. Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the nuclear system process barrier inside the primary containment, a standard closure rate (12 inches/minute) is adequate for the automatic closing devices on class B isolation valves. Because no releases occur for the 2 minute period following a LOCA, required closure time of 2 minutes is allowable for the inboard MSIVs. The design closure times for the various automatic isolation valves essential to reactor vessel isolation are shown in Table 5.2-2.

Motor operators for Group A and Group B isolation valves are selected with capabilities suitable to the physical and environmental requirements of service. The required valve closing rates were considered in designing motor operators.

Appropriate torque and limit switches are used to ensure proper valve seating.

Handwheels, which are automatically disengaged from the motor operator when the motor is energized, are provided for local-manual operation.

Direct, solenoid-operated isolation valves and solenoid air-pilot valves are chosen with electrical and mechanical characteristics which make them suitable for the service for which they are intended.

The main steam isolation valves are spring-closing, pneumatic, piston-operated valves designed to close upon loss of pneumatic pressure to the valve operator.

Closure time for the valves is adjustable between 3 and 10 seconds. Each valve is piloted by two, three-way, packless, direct-acting, solenoid-operated pilot valves--one powered by AC, the other by DC. An accumulator is located close to each main steam isolation valve to provide pneumatic pressure to assist valve closing in the event of failure of the normal air supply system.

The valve pilot system and the pneumatic pipelines are arranged so that when one or both solenoid-operated pilot valve(s) are energized, normal air supply provides pneumatic pressure to the air-operated pilot valve to direct air pressure to the main valve pneumatic operator. This overcomes the closing force exerted by the spring to keep the main valve open. When both pilots are de-energized, as would be the result of both trip systems tripping or placing the manual switch in the closed position, the path through which air pressure acts is switched so that the opposite side of the valve operator is pressurized, thus assisting the spring in closing the valve. In the event of air supply failure, the loss of air pressure will cause the air-operated pilot valve to move by spring force to the position resulting in main valve closure. Main valve closure is then effected by means of the air stored in the accumulator and by the spring.

Air pressure, acting alone, and the force exerted by the spring, acting alone, are each capable of independently closing the valve if no pressure above atmospheric pressure is present. The main steam isolation valves inside the primary containment (inboard) are designed to close under both pneumatic pressure and spring force with the vented side of the piston operator at the containment pressure corresponding to 2 minutes following a LOCA. (The outboard valve is exactly the same design, although it will be subjected to steam tunnel pressures.) The accumulator volume was chosen to provide enough pressure to close the valve when the pneumatic supply to the accumulator has failed. The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the valve operation bleeds pressure from the accumulator during valve opening or closing.

A separate, single, solenoid-operated pilot valve with an independent test switch is included to allow manual testing of each main steam isolation valve from the control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested to avoid rapid changes in steam flow and nuclear system pressure. The valve mechanical design is discussed further in Subsection 4.6, "Main Steam Isolation Valves."

7.3.4.7 Isolation Functions and Settings

The isolation trip settings/analytical limits of the Primary Containment Isolation System are listed in Table 7.3-2. The functions that initiate automatic isolation are itemized in Table 5.2-2.

Although this subsection is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or nuclear system process barrier, the additional information given in Table 5.2-2 can be used to assess the overall (electrical and mechanical) isolation effectiveness of each system.

Isolation functions and trip settings/analytical limits used for the electrical control of isolation valves in fulfillment of the previously stated safety design bases are discussed in the following paragraphs.

1. Reactor vessel low water level (Table 5.2-2, signals A and B).

A low water level in the reactor vessel could indicate that either reactor coolant is being lost through a breach in the nuclear system process barrier or that the normal supply of reactor feedwater has been lost and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Reactor vessel low water level initiates closure of various Group A and Group B valves. The closure of Group A valves is intended to either isolate a breach in any of the pipelines in which valves are closed or conserve reactor coolant by closing off process lines. The closure of Group B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines which are in communication with the primary containment free space or pressure suppression pool.

There are two reactor vessel low-water-level isolation trip settings used for the isolation of the primary containment and the reactor vessel. The first reactor vessel low-water-level isolation trip setting, which occurs at a higher water level than the second setting, initiates closure of certain Group A and Group B valves in major process pipelines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core.

The second and lower reactor vessel low-water-level isolation trip setting completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves and any other Group A or Group B valves that require isolation.

The first low-water-level setting, which is coincidentally the same as the reactor vessel low-water-level scram setting, was selected to initiate isolation at the earliest indication of a possible breach in the nuclear system process barrier, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following pipelines is initiated when reactor vessel low water level falls to this first setting (Table 5.2-2, signal A):

RHR reactor shutdown cooling supply,
Reactor water cleanup,
Drywell equipment drain discharge,
Drywell floor drain discharge,
Drywell purge inlet,
Drywell main exhaust,
Pressure Suppression chamber exhaust valve bypass,
Pressure Suppression chamber purge inlet,
Pressure Suppression chamber main exhaust,
Drywell exhaust valve bypass,
Pressure Suppression chamber drain,
RHR-LPCI to reactor (in shutdown mode),
Drywell makeup,
Pressure Suppression chamber makeup,
Exhaust to standby gas treatment,
Drywell radiation monitor,
Containment atmosphere monitor,
Drywell differential air compressor, and
Traversing incore probes.

The second and lower of the reactor vessel low-water-level isolation settings was selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram, and high enough to complete isolation in time for the operation of Core Standby Cooling Systems in the event of a large break in the nuclear system process barrier. This low-low-low water level setting is low enough that partial losses of feedwater supply would not unnecessarily initiate full isolation of the reactor, thereby disrupting normal plant shutdown or recovery procedures. Isolation of the following pipelines is initiated when the reactor vessel water level falls to this second setting (Table 5.2-2, signal B):

All four main steam lines,
Main steam line drain,
Reactor water sample line.

2. Main steam line high radiation (not a required safety related signal).

High radiation in the vicinity of the main steam lines could indicate a gross release of fission products from the fuel. High radiation near the main steam lines initiates isolation of the mechanical condenser vacuum pumps.

The high-radiation trip setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel. Further information regarding the high radiation setpoint is available in Subsection 7.12, "Process Radiation Monitoring."

3. Main steam line space high temperature (Table 5.2-2, signal D).

High temperature in the space in which the main steam lines are located outside the primary containment could indicate a breach in a main steam line.

The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperatures occur in the main steam line space, the following pipelines are isolated:

All four main steam lines and Main steam line drains.

The main-steam-line-space, high-temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

4. Main steam line high flow (Table 5.2-2, signal D).

Main steam line high flow could indicate a break in a main steam line. The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of main steam line high flow, the following pipelines are isolated:

All four main steam lines and Main steam line drain.

The main-steam-line high-flow trip setting was selected high enough to permit the isolation of one main steam line for testing without causing an automatic isolation of the rest of the steam lines, yet low enough to permit early detection of a steam line break.

5. Low steam pressure at turbine inlet (Table 5.2-2, signal P).

Low steam pressure at the turbine inlet, while the reactor is operating, could indicate a malfunction of the nuclear system pressure regulator, in which the turbine control valves or turbine bypass valves open fully. This action could cause rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the design rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid the time-consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored and, upon falling below a preselected value with the reactor in the RUN mode (MODE 1), initiates isolation of the following pipelines:

All four main steam lines and Main steam line drain.

The low-steam-pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.

6. Primary containment (drywell) high pressure (Table 5.2-2, signal F).

High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell. The automatic closure of various Group B valves prevents the release of significant amounts of radioactive material from the primary containment. Upon detection of a high drywell pressure, the following pipelines are isolated:

RHRS shutdown cooling supply,
Drywell equipment drain discharge,
Drywell floor drain discharge,
Traversing incore probe tubes,
Drywell purge inlet,
Drywell main exhaust,
Pressure Suppression chamber exhaust valve bypass,
Pressure Suppression chamber purge inlet,
Pressure Suppression chamber main exhaust,
Drywell exhaust valve bypass,
Pressure Suppression chamber drain,
RHR-LPCI to reactor (in shutdown mode),
Drywell makeup,
Pressure Suppression chamber makeup,
Exhaust to standby gas treatment,
Drywell radiation monitor,
Containment atmosphere monitor, and
Drywell differential air compressor.

The primary containment high-pressure-isolation setting was selected to be as low as possible without inducing spurious isolation trips.

7. RCIC equipment space high temperature (Table 5.2-2, signal K).

High temperature in the vicinity of the RCIC equipment could indicate a break in the RCIC steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.

When high temperature occurs near the RCIC equipment, the RCIC turbine steam line is isolated. The high temperature isolation setting was selected far enough above anticipated normal RCIC system operational levels to avoid spurious operation, but low enough to provide timely detection of an RCIC turbine steam line break.

8. RCIC turbine high steam flow (Table 5.2-2, signal K).

RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RCIC turbine high steam flow, the RCIC turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation, but low enough to provide timely detection of an RCIC turbine steam line break.

9. RCIC turbine steam line low pressure (Table 5.2-2, signal K).

RCIC turbine steam line low pressure is used to automatically close two isolation valves in the RCIC turbine steam line, so that steam and radioactive gases will not escape from the RCIC turbine shaft seals into the Reactor Building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that at which the RCIC turbine can operate effectively.

10. HPCI equipment space high temperature (Table 5.2-2, signal L).

High temperature in the vicinity of the HPCI equipment could indicate a break in the HPCI turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs near the HPCI equipment, the HPCI turbine steam supply line is isolated. The high temperature isolation setting was selected far enough above anticipated normal HPCI system operational levels to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break.

11. HPCI turbine high steam flow (Table 5.2-2, signal L).

HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of HPCI turbine high steam flow, the HPCI turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break.

12. HPCI turbine steam line low pressure (Table 5.2-2, signal L).

HPCI turbine steam line low pressure is used to automatically close the two isolation valves in the HPCI turbine steam line, so that steam and radioactive gases will not escape from the HPCI turbine shaft seals into the Reactor Building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that where the HPCI turbine can operate efficiently.

13. Reactor Building ventilation exhaust high radiation, reactor zone or refuel zone (Table 5.2-2, signal Z).

High radiation in the Reactor Building ventilation exhaust could indicate a breach of the nuclear system process barrier inside the primary containment, which would result in increased airborne radioactivity levels in the primary containment exhaust to the secondary containment.

The automatic closure of certain Group B valves acts to close off release routes for radioactive material from the primary containment into the secondary containment (Reactor Building). Reactor building ventilation exhaust high radiation initiates isolation of the following pipelines:

Drywell purge inlet,
Drywell main exhaust,
Pressure Suppression chamber exhaust valve bypass,
Pressure Suppression chamber purge inlet,
Pressure Suppression chamber main exhaust,
Drywell exhaust valve bypass,
Drywell makeup,
Pressure Suppression chamber makeup,
Exhaust to standby gas treatment,
Drywell radiation monitor,
Containment atmosphere monitor, and
Drywell differential air compressor.

The high radiation trip setting selected is far enough above background radiation levels to avoid spurious isolation, but low enough to provide timely detection of nuclear system process barrier leaks inside the primary containment. Because the primary containment high-pressure-isolation function and the reactor vessel low-water-level-isolation function are adequate in effecting appropriate isolation of the above pipelines for gross breaks, the Reactor Building ventilation exhaust high radiation isolation function is provided as a third, redundant method of detecting breaks in the nuclear system process barrier significant enough to require automatic isolation.

14. Reactor Water Cleanup system high temperature (Table 5.2-2, signal J).

High temperature in the reactor water cleanup system spaces could indicate a break in the cleanup system. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.

When high temperature occurs, the reactor water cleanup system is isolated.

The high temperature isolation setting was selected far enough above the anticipated normal area temperature to avoid spurious operation, but low enough to provide timely detection of a cleanup system line break. The following pipelines are isolated:

Reactor water cleanup from reactor.

15. HPCI or RCIC turbine exhaust (Diaphragm) rupture disc high pressure (Table 5.2-2, HPCI-Signal E, RCIC-Signal G).

HPCI turbine exhaust high pressure between the rupture discs is used to automatically close the isolation valves in the HPCI turbine steam supply line so that high turbine exhaust pressure can be limited, thus providing equipment protection by reducing stresses on the turbine casing. The high pressure trip setting was chosen to indicate breach of the rupture disc.

The pressure switch location is shown on Figures 7.4-1b Sheets 1, 2, and 3.

An identical design is provided for the RCIC turbine exhaust rupture disc isolation function.

7.3.4.8 Instrumentation

Sensors providing inputs to the Primary Containment Isolation System are not used for the automatic control of process systems, thus separating the functional control of protection systems and process systems. Channels are physically and electrically separated in such a way as to assure that a single physical event cannot prevent isolation. Channels for one monitored variable that are grouped near to each other provide inputs to different isolation trip systems. Table 7.3-2 lists instrument characteristics.

1. Reactor vessel low-water-level signals are initiated from eight differential pressure transmitters, which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. Four of the transmitters are used to indicate that water level has decreased to the first and higher low-water-level isolation setting; the other four are used to indicate that water level has decreased to the low-low-low water-level isolation settings.

The four transmitters for each level setting are arranged in pairs; each transmitter in a pair provides a signal to a different trip system. Two pipelines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of pipelines terminate outside the primary containment and inside the secondary containment. They are physically separated from each other and tap off the reactor vessel at widely separated points. The reactor vessel low-water-level transmitters sense level from these pipes. This arrangement assures that no single physical event can prevent isolation, if required. Cables from the level sensors are routed to the Auxiliary Instrument Room.

2. Main steam line radiation is monitored by two radiation monitors, which are described in Subsection 7.12, "Process Radiation Monitoring."

Gamma-sensitive radiation monitors are installed in the vicinity of the main steam lines just outside the primary containment. These monitors can detect a gross release of fission products from the fuel by measuring the gamma radiation coming from the steam lines. A high radiation trip signal results in an isolation and trip of the Mechanical Vacuum Pump only. These Units 1, 2, and 3 radiation monitors are not required to provide a safety related signal to any of the systems described above.

3. High temperature in the vicinity of the main steam lines is detected by 16 different temperature switches located along the main steam lines between the drywell wall and the turbine. Four of the switches (TS-1-17A-D) use temperature elements that are located in the valve vault just outside of primary containment to send a signal to an electronic switch located in the Aux instrument room. The detectors are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment. An additional temperature sensor is located near each set of four detectors for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature. Upon loss of power, an alarm condition is present to alert the operator that the instrumentation is inoperable. The main steam line space temperature detection system is designed to detect leaks of 1 percent to 10 percent of rated steam flow. A total of four main steam line space high temperature channels is provided. Each main steam line isolation logic receives an input signal from one main steam line space high temperature channel.

4. High flow in each main steam line is sensed by four differential pressure transmitters, which sense the pressure difference across the flow restrictor in that line. Each main steam line isolation logic receives an input signal from one main steam line high flow channel. A trip occurs whenever the steam flow in any main steam line exceeds a preset amount.

5. Main steam line low pressure is sensed by four pressure transmitters, which sense pressure downstream of the outboard main steam isolation valves. One sensing point is located in each line after the header that connects the four steam lines upstream to the turbine stop valves. Each transmitter is part of an independent channel. Each channel provides a signal to one isolation trip system.

6. Primary containment pressure is monitored by four pressure transmitters, which are mounted on instrument racks outside the drywell. Pipes that terminate in the secondary containment connect the transmitters with the drywell interior. Cables are routed from the transmitter to the Auxiliary Instrument Room. The transmitters are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event will prevent isolation due to primary containment high pressure.

7. High temperature in the vicinity of the RCIC equipment is sensed by four sets of four bimetallic temperature switches. The 16 temperature switches are arranged in four trip systems, with four temperature switches in each trip system. The four temperature switches in each trip system are arranged in one-out-of-two-taken-twice logic.

8. High flow in the RCIC turbine steam line is sensed by two differential pressure switches for Unit 1 and two differential pressure transmitters/trip units for Units 2 and 3 which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply pipeline. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This is an exception to the usual channel arrangement. The reason for the exception was given in the discussion of the RCIC turbine high steam flow isolation function.

9. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves.

The switches are arranged in one-out-of-two-taken-twice logic, which must trip to initiate shutdown of the RCIC turbine.

10. High temperature in the vicinity of the HPCI equipment is sensed by four sets of four bimetallic temperature switches. The 16 temperature switches are arranged in two trip systems with eight temperature switches in each trip system. Each trip system consists of two channels. Each channel contains one temperature switch located in the pump room and three temperature switches located in the torus area.

11. High flow in the HPCI turbine steam line is sensed by two differential pressure transmitters/trip units which monitor the differential pressure across a mechanical flow element installed in the HPCI turbine steam pipeline. The tripping of either trip channel initiates isolation of the HPCI turbine steam line.

This is an exception to the usual sensor arrangement. The reason for the exception was given in the discussion of the HPCI turbine high steam flow isolation function.

12. Low pressure in the HPCI turbine steam line is sensed by four pressure switches from the HPCI turbine steam line upstream of the isolation valves.

The switches are arranged in a one-out-of-two-taken-twice logic which must trip to initiate shutdown of the HPCI turbine.

13. Reactor Building ventilation exhaust radiation is monitored by two sets of Reactor Building ventilation exhaust monitors, which are described in paragraph 7.12.5, "Reactor Building Ventilation Exhaust Radiation Monitoring System." The Reactor Building ventilation exhaust radiation signal is generated by two trip channels arranged such that it requires one channel at high trip, or both channels at downscale (instrument failure) trip, to cause isolation.

14. High temperature in the spaces occupied by the Reactor Water Cleanup (RWCU) System piping outside primary containment is sensed by resistive temperature devices, which input to analog trip devices that indicate possible pipe breaks. Logic relays are arranged in a one-out-of-two-taken-twice logic which must trip to initiate isolation of the RWCU System.

High temperature in the spaces occupied by the RHRS (shutdown cooling) piping outside primary containment is sensed by temperature switches that indicate possible pipe breaks. The switches alarm only. Automatic isolation on high temperature is not required, since the reactor vessel low-water-level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event of a pipe failure.

15. High pressure between the HPCI turbine exhaust (diaphragm) rupture discs is monitored by four nonindicating pressure switches which are mounted on instrument racks. The switches are arranged in a one-out-of-two-taken-twice logic, which must trip to initiate closure of the inboard HPCI turbine steam supply valve.

An identical design is provided for the RCIC turbine exhaust rupture disc isolation function.
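
The channel arrangements described in the items above can be checked mechanically. The following is an added example, not part of the FSAR: it models one-out-of-two-taken-twice logic, the either-channel arrangement used for the RCIC and HPCI high steam flow trips, and the Reactor Building ventilation exhaust radiation logic, then fails each channel in turn. The channel names, the grouping of channels into pairs, and the state labels are assumptions made for illustration.

```python
# Added example (not from the FSAR): the voting arrangements named in 7.3.4.8,
# checked against single-channel failures in both directions.
# Channel names, pairings and state labels are assumptions for illustration.


def one_out_of_two_taken_twice(a1, a2, b1, b2):
    """Trip only when at least one channel of pair A and one of pair B trip."""
    return bool((a1 or a2) and (b1 or b2))


def either_channel(ch1, ch2):
    """Items 8 and 11 (turbine high steam flow): either channel isolates."""
    return bool(ch1 or ch2)


def rb_vent_exhaust_isolation(ch1, ch2):
    """Item 13: one channel at high trip, or both channels at downscale trip.

    Each argument is 'normal', 'high' or 'downscale' (constructed labels).
    """
    for state in (ch1, ch2):
        if state not in ("normal", "high", "downscale"):
            raise ValueError(f"unknown channel state: {state!r}")
    return "high" in (ch1, ch2) or (ch1 == ch2 == "downscale")


def single_failure_sweep(logic, n_channels):
    """Fail each channel alone, in both directions, and record what breaks.

    missed_trip:   the channel is stuck untripped while every healthy channel
                   trips, and the logic still does not trip.
    spurious_trip: the channel is stuck tripped while every healthy channel
                   is quiet, and the logic trips anyway.
    """
    report = {"missed_trip": [], "spurious_trip": []}
    for failed in range(n_channels):
        demand = [True] * n_channels
        demand[failed] = False
        if not logic(*demand):
            report["missed_trip"].append(failed)

        quiet = [False] * n_channels
        quiet[failed] = True
        if logic(*quiet):
            report["spurious_trip"].append(failed)
    return report


def rb_vent_state_table():
    """Outcome for every pair of channel states in the item 13 arrangement."""
    states = ("normal", "high", "downscale")
    return {(s1, s2): rb_vent_exhaust_isolation(s1, s2)
            for s1 in states for s2 in states}


if __name__ == "__main__":
    print("one-out-of-two-taken-twice:",
          single_failure_sweep(one_out_of_two_taken_twice, 4))
    print("either channel:            ",
          single_failure_sweep(either_channel, 2))
    for (s1, s2), isolates in rb_vent_state_table().items():
        outcome = "isolate" if isolates else "no action"
        print(f"{s1:>9} / {s2:<9} -> {outcome}")
```

The sweep reports neither a missed nor a spurious trip for the one-out-of-two-taken-twice arrangement, while the either-channel arrangement isolates on a single spurious channel trip. In the ventilation exhaust logic a single downscale (failed) channel takes no action by itself, and the remaining channel can still isolate on a high trip.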

7.3.4.9 Environmental Capabilities

The physical and electrical arrangement of the Primary Containment Isolation System is selected so that no single physical event will prevent achievement of isolation functions. The location of Group A and Group B valves inside and outside the primary containment provides assurance that the control system for at least one valve on any pipeline penetrating the primary containment will remain capable of isolation. Electrical cables for isolation valves in the same pipeline are routed separately. All equipment required to operate during a design basis event meets the environmental qualification requirements of Section 1.5. Special consideration has been given to isolation requirements during a loss-of-coolant accident inside the drywell. Components of the Primary Containment Isolation System that are located inside the primary containment and that must operate during a loss-of-coolant accident are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a loss-of-coolant accident environment.

7.3.5 Safety Evaluation

The Primary Containment Isolation System, in conjunction with other protection systems, is designed to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barriers. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear system process barrier. The consequences of such gross failures are described and evaluated in that section.

Design procedure has been to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconvenience are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds. Trip setting selection is based on calculated values and constrained by the safety design basis and the safety analyses.

Chapter 14.0 shows that the actions initiated by the Primary Containment Isolation System, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the guide values of published regulations.

Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the Primary Containment Isolation System meets the precision and timeliness requirements of safety design basis 1.

Because the Primary Containment Isolation System meets the precision and timeliness requirements of safety design basis 1 using instruments with the characteristics described in Table 7.3-2, it is concluded that safety design basis 2 is met.

Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the Primary Containment Isolation System. The large number of temperature sensors and their dispersed arrangement near the steam lines requiring this type of break protection provide assurance that a significant break will be detected rapidly and accurately. One of the four groups of temperature switches is located in the ventilation exhaust from the steam line space between the drywell wall and the secondary containment wall. This assures that abnormal air temperature increases are detected regardless of leak location in that space. It is concluded that the number of sensors provided for steam line break detection satisfies safety design basis 3.

The spatial locations of the sensors were selected to provide the optimum coverage relative to detection of leaks in the Engineered Safety Features Systems to initiate isolation when required. No special attempt was made to prevent spurious isolation, since isolation is acceptable on the frequency at which the spurious event is expected to occur.

Sources of steam leakage are discussed in Section 5.0.

Steam leaks into the steam tunnel from main steam line, feedwater line, or RCIC steam line breaks will cause the main steam isolation valves to close if the temperatures at the temperature switches reach their setpoints.

Steam leaks into the building from the RCIC system, the HPCI system, and the Reactor Water Cleanup System could possibly affect the temperature sensors for other systems. However, the large surface area available for steam condensation and the circuitous path the steam must follow make it a highly unlikely event.

Inadvertent isolation of the Reactor Water Cleanup System is an operational inconvenience, but does not compromise the safety of the public. Any one of the systems can be reset and reactivated whenever the cause for isolation has been determined and then removed. Since there is a time delay involved whenever one system affects another system, the operator should be able to identify the faulted system. This would permit him to restore the nondamaged system or systems. If the operator makes a mistake and reactivates the faulted system, that system will be automatically isolated again.

Because the Primary Containment Isolation System meets the timeliness and precision requirements of safety design basis 1 by monitoring variables that are true, direct measures of operational conditions, it is concluded that safety design basis 4 is satisfied.

Chapter 14.0 evaluates a gross breach in a main steam line outside the primary containment during operation at rated power. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of the guide values of published regulations and to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed. The time required for automatic closure of the main steam isolation valves meets the requirements of safety design basis 5.

The shortest closure time of which the main steam valves are capable is three seconds. The transient resulting from a simultaneous closure of all main steam isolation valves in three seconds during reactor operation at rated power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of one second) coincident with failure of the turbine bypass system. The Reactor Protection System is capable of accommodating the transient resulting from the inadvertent closure of the main steam isolation valves. This conclusion is substantiated by Chapter 14.0. This meets safety design basis 6.

The items of safety design bases 7, 8, and 9 must be fulfilled for the Primary Containment Isolation System to meet the design reliability requirements of safety design basis 1. It has already been shown that safety design bases 7f and 7h have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply arrangement, and environmental capabilities. These subjects are discussed in the following paragraphs.

Because essential variables are monitored and arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of essential automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from achieving isolation. An analysis of the isolation control system shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, ground, and open circuits. Loss of a single trip system trip is the result of these failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a pipeline. With respect to the release of radioactive material from the nuclear system process barrier, such inadvertent valve closures are in the safe direction and do not pose any safety problems. This meets safety design bases 7a and 7b.

The redundancy of channels provided for all essential variables provides a high probability that, whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets safety design basis 7c.

The sensors, circuitry, and logics used in the Primary Containment Isolation System are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the isolation control system. This meets safety design basis 7d.

The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of a single power failure. If AC for valves inside the primary containment is lost, DC is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement is resistant to both AC and DC power failures. Because both solenoid-operated pilot valves must be de-energized, loss of a single power supply will neither cause inadvertent isolation nor prevent isolation, if required. The logic circuitry for each channel is powered from the separate sources available from the Reactor Protection System buses, the unit preferred AC power supply, or the unit or plant batteries. In no case does a loss of a single power supply prevent achievement of an essential isolation function. This meets safety design basis 7e.

All instruments, valve closing mechanisms, and cables of the isolation control system can operate under the most unfavorable environmental conditions associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in Subsection 7.2, "Reactor Protection System," is equally applicable to the reactor vessel low water level transmitters used in the Primary Containment Isolation System. The temperature, pressure, differential pressure, and level transmitters, cables, and valve closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate.

The special considerations (treated in the description portion of this subsection) made for the environmental conditions resulting from a loss-of-coolant accident inside the drywell are adequate to ensure operability of essential isolation components located inside the drywell.

The wall of the primary containment effectively separates adverse environmental conditions which might otherwise affect both isolation valves in a pipeline. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given pipeline. The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant effect on the functioning of the essential isolation control system.

It is concluded that safety design basis 7g is satisfied.

The design of the main steam isolation valves meets the requirement of safety design basis 8a in that the motive force for closing each main steam isolation valve is derived from both a source of pneumatic pressure and the energy stored in a spring. Either energy source, alone, is capable of closing the valve. None of the valves relies on continuity of any sort of electrical power to achieve closure in response to essential safety signals. Total loss of the power used to control the valves would result in closure. This meets safety design basis 8b.

Easy access is provided for calibration and testing of pressure and level transmitters which are located in the Turbine Building, Reactor Building, and Auxiliary Instrument Room. Administrative control restricts access to the setting controls on each device. A cover plate, access plug, or sealing device must be removed by personnel before any adjustment in trip settings can be effected. The location of calibration and test controls in areas under administrative control reduces the probability that operational reliability will be degraded by operator error. This meets safety design basis 9a.

Because the means for bypassing channels, logic, or system components are under administrative control, safety design basis 9b is met.

Because safety design bases 7, 8, and 9 have been met, it can be concluded that the Primary Containment Isolation System satisfies the reliability requirement of safety design basis 1. That the system satisfied safety design bases 10, 11a and 11b was shown in the description of the system. Paragraph 7.3.6 describes inspection and testing of the system and demonstrates that safety design basis 12 is satisfied.

Basis and Analysis for Isolation Valves Closure Times and Actions Setpoints

Closure times for containment isolation valves in primary system lines are established to ensure that the valves are closed prior to the start of uncovering of the fuel caused by blowdown from the line. By ensuring that the fuel remains covered, fuel damage resulting from the blowdown is prevented, thereby limiting the uncontrolled release of radioactive materials to the environs. The radiological analysis for a typical blowdown outside the containment, with valve closure time in accordance with the above criteria, is presented in Chapter 14.

a. The differential pressure trip setting for high flow through the redundant flow meters in the RCIC is less than or equal to 300 percent of rated steam flow at 1140 psia (pre-uprated), 1189 psia (uprated). This trip point was selected to provide sufficient margin to prevent isolation during normal startup transient differential pressure measurements associated with the particular flow meters utilized (elbow taps). At lower steam pressures, the trip setting in percent of rated flow is conservatively lower. A time delay relay in the trip circuit prevents isolation during normal startup.

The differential pressure trip setting for high flow through the HPCI flow meter is less than or equal to 225 percent of rated steam flow at 1140 psia (pre-uprated), 1189 psia (uprated). This trip point was selected to provide sufficient margin to prevent isolation during normal startup transient differential pressure measurements associated with the particular flow meter utilized (venturi). At lower steam pressures, the trip setting in percent of rated flow is conservatively lower. A time delay relay in the trip circuit prevents isolation during normal startup.

b. The space temperature trip settings for main steam, RCIC and HPCI are determined by calculation. Analytical limits are established and the temperature trip set point set based on a calculated T which would result from a steam leak in the space.

The main steam, RCIC and HPCI systems are each monitored by 16 temperature sensors. These sensors are arranged in four trip logics with four sensors in each logic, as discussed in paragraph 7.3.4.8 of the FSAR. The 16 sensors for each system are physically arranged in four groups with four sensors in each group. One sensor in each group is in each of the four trip logics. The arrangement is as follows:

The main steam system temperature monitors are located as follows:

1. Four sensors spaced around the steam tunnel in the valve vault between the containment shield wall and the Reactor Building wall,
2. Four sensors equally spaced across the width of the steam tunnel above the steam lines in the Turbine Building midway between the Turbine Building wall and the vertical run of the steam lines,
3. Four sensors equally spaced across the width of the steam tunnel in the Turbine Building in the area of the vertical run of the steam lines, and
4. Four sensors located in the steam tunnel in the Turbine Building in the area above the turbine control valves, stop valves, and bypass valves.

The RCIC system temperature monitors for each unit are located as follows:

1. Four sensors in the RCIC corner room dispersed above the RCIC turbine-pump assembly,
2. Four sensors in the torus area above the RCIC steam line near the exit of the steam line from the torus area into the corner room,
3. Four sensors in the torus area above the RCIC steam line midway between the exit of the steam line from the torus area into the corner room and the entrance of the steam line into the torus area from the steam line tunnel, and
4. Four sensors in the torus area above the RCIC steam line near the entrance of the steam line into the torus area from the steam line tunnel.

The HPCI system temperature monitors for Unit 1 are located as follows:

1. Four sensors in the HPCI equipment room dispersed above the HPCI turbine-pump assembly,
2. Four sensors in the HPCI equipment room located in the vicinity of the ventilation exhaust grill,
3. Four sensors in the torus area above the HPCI steam line near the exit of the steam line from the torus area into the HPCI equipment room, and
4. Four sensors in the torus area above the HPCI steam line near the outboard containment isolation valve.

The HPCI system temperature monitors for Units 2 and 3 are located as follows:

1. Four sensors in the HPCI equipment room dispersed above the HPCI turbine-pump assembly,
2. Four sensors in the torus area above the HPCI steam line near the exit of the steam line from the torus area into the HPCI equipment room,
3. Four sensors in the torus area above the HPCI steam line midway between the exit of the steam line from the torus area into the HPCI equipment room and the containment penetration, and
4. Four sensors in the torus area above the HPCI steam line near the outboard containment isolation valve.
c. The temperature detectors for isolation of the Reactor Water Cleanup System were located in those areas where an RWCU high energy line break (HELB) was postulated (i.e., RWCU pump rooms, RWCU heat exchanger room, RWCU pipe trench and main steam valve vault). The temperature detectors are set at a value above the maximum abnormal room temperatures to avoid spurious actuations due to ambient conditions and below the analytical limits to ensure timely detection of a pipe break. The analytical limit is a value established by the Reactor Building Environmental Analysis for a postulated HELB in the RWCU system to meet the requirements of 10 CFR 50.49. The temperature detector setpoint was selected to provide sufficient margin between the setpoint and the analytical limit to account for all inaccuracies inherent in the instrument loop.

The acceptable range of trip values for the reactor water cleanup (RWCU) System pipe trench temperatures is from 130 to 150°F. This range of values was selected to exceed the ambient temperature sufficiently to avoid spurious operation, but low enough to provide timely detection of an RWCU line break at all reactor power conditions.

The temperature trip for the RHR system space gives an alarm based on leakage from the RHR system of less than 15 gpm.
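The four-group, four-logic arrangement of the 16 leak-detection temperature sensors described in item b can be checked mechanically. The Python below is an added example, not part of the FSAR: the logic labels A to D, the sensor tags and the co-located counter-layout are constructed for illustration, and the number of tripped logics needed to initiate isolation (paragraph 7.3.4.8) is not modelled.

```python
# Added illustration (not from the FSAR): single-failure check of the
# 4-group x 4-logic layout of the 16 leak-detection temperature sensors.
from itertools import product

GROUPS = (1, 2, 3, 4)           # physical locations, numbered as in the lists above
LOGICS = ("A", "B", "C", "D")   # trip logic labels are assumed for this sketch


def interleaved_arrangement():
    """Layout from the text: each group contributes one sensor to each logic."""
    # Tags such as "G1-A" are constructed, not plant instrument numbers.
    return {f"G{g}-{l}": (g, l) for g, l in product(GROUPS, LOGICS)}


def colocated_arrangement():
    """Counter-example: all four sensors of a logic sit in one location."""
    return {
        f"G{g}-{l}{n}": (g, l)
        for (g, l) in zip(GROUPS, LOGICS)
        for n in range(1, 5)
    }


def matches_description(sensors):
    """True if the layout has 16 sensors, 4 per logic, 4 per group, and
    exactly one sensor for every (group, logic) pair."""
    pairs = list(sensors.values())
    per_logic = all(sum(1 for _, l in pairs if l == logic) == 4 for logic in LOGICS)
    per_group = all(sum(1 for g, _ in pairs if g == group) == 4 for group in GROUPS)
    one_each = sorted(pairs) == sorted(product(GROUPS, LOGICS))
    return len(pairs) == 16 and per_logic and per_group and one_each


def logics_seeing_leak(sensors, leak_group, failed_sensors=(), failed_logics=()):
    """Trip logics that receive a high-temperature input for a leak that heats
    only the sensors in leak_group, given failed sensors and/or dead logics."""
    return {
        logic
        for tag, (group, logic) in sensors.items()
        if group == leak_group
        and tag not in failed_sensors
        and logic not in failed_logics
    }


def worst_case_coverage(sensors):
    """Minimum number of logics that still see a leak, over every leak location
    combined with every single sensor failure and every single logic failure."""
    worst = len(LOGICS)
    for leak in GROUPS:
        for tag in sensors:
            seen = logics_seeing_leak(sensors, leak, failed_sensors=(tag,))
            worst = min(worst, len(seen))
        for logic in LOGICS:
            seen = logics_seeing_leak(sensors, leak, failed_logics=(logic,))
            worst = min(worst, len(seen))
    return worst


if __name__ == "__main__":
    for name, layout in (("interleaved", interleaved_arrangement()),
                         ("co-located", colocated_arrangement())):
        print(name,
              "matches description:", matches_description(layout),
              "| worst-case logics seeing a leak:", worst_case_coverage(layout))
```

With the interleaved layout any single sensor or logic failure still leaves three logics able to see a leak at any location; in the co-located layout the loss of one logic leaves one location with no coverage.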

7.3.6 Inspection and Testing

Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects. The essential channel and trip system responses can be functionally tested by applying test signals to each channel and observing the trip system response. Testing of the main steam isolation valves is discussed in Subsection 4.6, "Main Steam Isolation Valves." Reset of the main primary containment Isolation signals does not result in the automatic reopening of these isolation valves.

BFN-26 Table 7.3-1 (Deleted by Amendment 9)

BFN-26 TABLE 7.3-2 (Sheet 1)

PRIMARY CONTAINMENT ISOLATION SYSTEM INSTRUMENT SPECIFICATIONS

| Isolation Signal* | Isolation Function | Sensor | Trip Setting/Analytical Limit (AL) |
|---|---|---|---|
| A | Reactor vessel low water level | differential pressure indicating switch | 518 inches above vessel zero (AL) |
| B | Reactor vessel low-low water level | differential pressure indicating switch | 372.5 inches above vessel zero (AL) |
| D | Main steam line space high temperature | temperature switch | 205°F (AL) for 12/3-TS-1-17A thru D/ thru D |
| D | Main steam line high flow | differential pressure switch | 144% rated flow (AL) PDIS-1-13A-D, 25A-D, 36A-D, 50A-D |
| E | HPCI diaphragm Rupture Disc high pressure | pressure switch | 52 psig (AL) |
| P | Main steam line low pressure | pressure switch | 843 psig |
| F | Primary containment high pressure | pressure switch | 2.6 psig (AL) |
| K | RCIC turbine steam line space RCIC pump room area high temperature | temperature switch | 180°F (AL) |
| K | RCIC Turbine steam line space torus area high temperature | temperature switch | 155°F (AL) |
| K | RCIC turbine steam line high flow | differential pressure switch | 1114 inch H2O (AL) |
| K | RCIC turbine steam line low pressure | pressure switch | 40 psig (AL) |
| L | HPCI turbine steam line space HPCI Pump Room Area high temperature | temperature switch | 200°F (AL) |

BFN-26 TABLE 7.3-2 (Sheet 2)

PRIMARY CONTAINMENT ISOLATION SYSTEM INSTRUMENT SPECIFICATIONS

| Isolation Signal* | Isolation Function | Sensor | Trip Setting/Analytical Limit (AL) |
|---|---|---|---|
| L | HPCI Turbine Steam Line Space Torus Area High Temperature | temperature switch | 180°F (AL) |
| L | HPCI turbine steam line high flow | differential pressure switch | 107 psid (AL) |
| L | HPCI turbine steam line low pressure | pressure switch | 55 psig (AL) |
| Z | Reactor Building ventilation exhaust high radiation | radiation monitor | 100 mr/hr |
| J | Reactor Water Cleanup System Main Steam Valve Vault (TE-069-834A-D) | RTD | U2 190°F (AL); U3 205°F (AL) |
| J | Reactor Water Cleanup System Pipe Trench (TE-069-835A-D) | RTD | 140°F (AL) |
| J | Reactor Water Cleanup System Pump Room 2A (TE-069-836A-D) | RTD | 148°F* |
| J | Reactor Water Cleanup System Pump Room 2B (TE-069-837A-D) | RTD | 148°F* |
| J | Reactor Water Cleanup System Heat Exchanger Room (TE-069-838A-D) | RTD | U2 160°F (AL); U3 175°F (AL) |
| J | Reactor Water Cleanup System Heat Exchanger Room (TE-069-839A-D) | RTD | U2 172°F (AL); U3 173°F (AL) |
| G | RCIC diaphragm rupture disc high pressure | Pressure switch | 50 psig (AL) |

* See Table 5.2-2 for Isolation Signal Codes.

BFN-19 Figure 7.3-1 (Deleted by Amendment 17)

BFN-22 Figure 7.3-2a through 7.3-2I (Deleted by Amendment 22)

7.4 EMERGENCY CORE COOLING CONTROL AND INSTRUMENTATION

7.4.1 Safety Objective

The controls and instrumentation for the Emergency Core Cooling Systems initiate appropriate responses from the various cooling systems so that the fuel is adequately cooled under abnormal or accident conditions. The cooling provided by the systems restricts the release of radioactive materials from the fuel by limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system.

Even after the reactor is shut down from power operation by the full insertion of all control rods, heat continues to be generated in the fuel as radioactive fission products decay. An excessive loss of reactor coolant allows the fuel temperature to rise, cladding to melt, and fission products in the fuel to be released. If the temperatures in the reactor rise to a sufficiently high value, a metal (zirconium) water reaction occurs which releases energy. Such a reaction increases the pressure inside the nuclear system and the primary containment. This threatens the integrity of the barriers, which are relied upon to prevent the uncontrolled release of radioactive materials. The controls and instrumentation for Emergency Core Cooling Systems prevent such a sequence of events by actuating core cooling systems in time to limit fuel temperatures to acceptable levels (less than 2200°F).

7.4.2 Safety Design Basis

1. Controls and instrumentation shall (with precision and reliability) automatically initiate and control the Emergency Core Cooling Systems to allow removal of heat from the reactor core in time to prevent cladding temperatures in excess of 2200°F so that fuel and core deformation do not limit effective cooling of the core.
2. Controls and instrumentation shall (with precision and reliability) initiate and control the Emergency Core Cooling Systems with sufficient timeliness to prevent more than a small fraction of the core from heating to a temperature at which a gross release of fission products occurs.
3. To meet the precision requirements of safety design bases 1 and 2, the controls and instrumentation for the Emergency Core Cooling Systems shall respond to conditions that indicate the potential inadequacy of core cooling, regardless of the physical location of the defect causing the inadequacy.
4. To place limits on the degree to which safety is dependent on operator judgment in time of stress, the following safety design bases are specified:

a. Appropriate responses of the Emergency Core Cooling Systems shall be initiated automatically by control systems when positive precise action is immediately required, so that no decision or manipulation of controls beyond the capacity of plant operations personnel is demanded.
b. Intelligence of the responses of the Emergency Core Cooling Systems shall be provided to the operator by control room instrumentation, so that faults in the actuation of safety equipment can be diagnosed.
c. Facilities for manual actuation of the Emergency Core Cooling Systems shall be provided in the control room, so that operator action is possible, yet reserved for the remedy of a deficiency in the automatic actuation of the safety equipment or for control over the long-term effects of an abnormal or accident condition.
5. To meet the reliability requirements of safety design bases 1 and 2, the following safety design bases are specified:
a. No single failure, maintenance, calibration, or test operation shall prevent the integrated operations of the Emergency Core Cooling Systems from providing adequate core cooling.
b. No protective device which causes interruption of performance or availability of the Emergency Core Cooling Systems shall be automatic, unless there is a high probability that continued use would make complete failure imminent. Instead, such protective devices shall indicate off-standard conditions for operator decision and action.
c. Any installed means of manually interrupting the availability of the Emergency Core Cooling Systems shall be under administrative control.
d. The power supplies for the controls and instrumentation for the Emergency Core Cooling Systems shall be chosen so that core cooling can be accomplished concurrently with a loss of normal auxiliary AC power.
e. The physical events that accompany a loss-of-coolant accident shall not interfere with the ability of the controls and instrumentation of the Emergency Core Cooling Systems to function properly.
f. Earthquake ground motion shall not impair the ability of essential controls and instrumentation of the Emergency Core Cooling Systems to function properly.

6. To provide the operator with the means to verify the availability of the Emergency Core Cooling Systems, it shall be possible to test the responses of the controls and instrumentation to conditions representative of abnormal or accident situations.

7.4.3 Descriptions

7.4.3.1 Identification

The controls and instrumentation for the Emergency Core Cooling Systems are identified as that equipment required for the initiation and control of the following:

a. High Pressure Coolant Injection System (HPCI),
b. Automatic Depressurization System,
c. Core Spray System, and
d. Low Pressure Coolant Injection System (LPCI) (an operating mode of the Residual Heat Removal System).

The equipment involved in the control of these systems includes automatic injection valves, turbine pump controls, electric pump controls, relief valve controls, and the switches, contacts, and relays that make up sensory logic channels. Testable check valves and certain automatic isolation valves are not included in this description because they are described in Subsection 7.3, "Primary Containment Isolation System."

To ensure the functional capabilities of the Emergency Core Cooling Systems during and after earthquake ground motions, the controls and instrumentation for each of the systems are designed as Class I equipment as described in Appendix C. This meets safety design basis 5f.

Backup controls are provided for the ECCS, as indicated in Figures 6.4-1, 6.4-3, and 6.4-5, 7.4-6b Sheets 1 through 5, and Section 7.18.

7.4.3.2 High Pressure Coolant Injection System (HPCI) Control and Instrumentation

7.4.3.2.1 Identification and Physical Arrangement

When actuated, the HPCI system pumps water from either the condensate supply header or the pressure suppression chamber to the reactor vessel via the feedwater pipelines. The HPCI includes one turbine which drives both main and booster pumps, one DC motor-driven auxiliary oil pump, one gland seal condenser DC condensate pump, one gland seal condenser DC blower, automatic valves, control devices for this equipment, sensors, and logic circuitry. The arrangement of equipment and control devices is shown in Figures 6.4-1, 6.4-3, 6.4-5, and 7.4-6b Sheets 1 through 5.

Pressure and level transmitters used in the HPCI are located on racks in the Reactor Building. The only operating component for the HPCI that is located inside the primary containment is one of the two HPCI turbine steam supply pipeline isolation valves. The rest of the HPCI control and instrumentation components are located outside the primary containment. Cables connect the sensors to control circuitry in the Auxiliary Instrument and Main Control Room. The system is arranged to allow full-flow functional testing during normal reactor power operation. Test controls are arranged so that the injection flow path will be automatically re-aligned to the reactor vessel should a HPCI initiation signal be received while testing. The HPCI flow controller could be in either AUTO or MANUAL during testing with the flow adjusted to less than full design flow rate. Operator action would be required to adjust the flow back to the design flow rate. The HPCI System is designed to meet the intent of the IEEE proposed criteria for Nuclear Power Plant Protection Systems (IEEE-279-1971).

7.4.3.2.2 HPCI Initiation Signals and Logic

Reactor vessel low-water level and primary containment (drywell) high pressure are the two functions, either of which can automatically start the HPCI. Reactor vessel low-water level is an indication that reactor coolant is being lost and that the fuel is in danger of being overheated. Primary containment high pressure is an indication that a breach of the nuclear system process barrier has occurred inside the drywell.

The logic scheme used for the initiating functions is a dual trip system arrangement. Each trip system receives initiation signals from two independent sensor channels for each monitored variable. Either trip system can start the HPCI. The trip systems are powered from reliable DC buses.

The reactor vessel low-water level setting for HPCI initiation is selected high enough above the active fuel to start the HPCI in time, both to prevent excessive fuel clad temperature and to prevent more than a small fraction of the core from reaching the temperature at which gross fuel failure occurs. The water level setting is far enough below normal levels that spurious HPCI startups are avoided. The primary containment high-pressure setting is selected to be as low as possible without inducing spurious HPCI startup.

7.4.3.2.3 HPCI Initiating Instrumentation

Reactor vessel low-water level is monitored by four level transmitters that sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual height of water in the vessel. Two pipelines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The pipelines terminate outside the primary containment and inside the Reactor Building; they are physically separated from each other and tap off the reactor vessel at widely separated points. These same pipelines are also used for pressure and water level instruments for other systems. The level transmitters for the HPCI are arranged in pairs, each pair sensing level from different pipelines. One transmitter in each pair provides an input to trip system A, the other to trip system B. This arrangement assures that no single event can prevent HPCI initiation from reactor vessel low-water level. Cables from the level transmitters lead to the auxiliary instrument room.

Primary containment pressure is monitored by four pressure transmitters which are mounted on instrument racks outside the drywell, but inside the Reactor Building. Cables are routed from the transmitters to the auxiliary instrument room. Pipes that terminate in the Reactor Building allow the transmitters to communicate with the drywell interior. The transmitters are grouped in pairs and electrically connected so that no single event can prevent the initiation of the HPCI due to primary containment high pressure.

7.4.3.2.4 HPCI Turbine and Turbine Auxiliaries Control

The HPCI controls automatically start the HPCI from the receipt of a reactor vessel low-water-level signal or primary containment high-pressure signal and bring the system to its design flow rate within 30 seconds (see Section 6.5 for value assumed in Emergency Core Cooling System analyses).

The controls then function to provide design makeup water flow to the reactor vessel until a high reactor water level trip is received at which time HPCI shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown.

HPCI flow is compared against the flow controller setting and turbine speed adjusted accordingly to achieve design flow. The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across an orifice type flow element in the HPCI discharge line. The HPCI Lube Oil System furnishes hydraulic pressure to the turbine stop and control valves by a DC powered auxiliary oil pump during startup and a turbine shaft driven oil pump as turbine speed increases.

Upon receipt of an initiation signal, the auxiliary oil pump starts and other automatic actions (e.g., steam admission valve opens) occur. Operation of the auxiliary oil pump provides lube oil pressure sufficient to begin opening the turbine stop and control valves. Because there is no HPCI flow at this point, the flow controller will be asking the turbine speed governor for full demand. When sufficient oil pressure is available to open the turbine stop valve, a limit switch on the valve starts the turbine speed governor ramp generator function. This action takes the turbine control valve in the close direction until turbine speed begins reopening the valve so that the ramp function is followed. Once the ramp output exceeds the flow controller demand, the flow controller takes over turbine speed control and maintains HPCI flow at the design flow rate over the design range of HPCI discharge pressure.

The turbine is automatically shut down by tripping the turbine stop valve closed if any of the following conditions are detected (reset capability has been provided):

a. Auto isolation signal,
b. High turbine exhaust pressure,
c. Low pump suction pressure,
d. Low turbine steam supply pressure,
e. Reactor vessel high-water level,
f. Turbine mechanical overspeed.

High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust pipeline. Low pump suction pressure warns that cavitation and lack of cooling could cause damage to the booster and/or main pump which could place the HPCI System out of service. A turbine trip is initiated for these conditions so that, if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The turbine will automatically reset when these conditions are cleared. The turbine will then automatically restart if the required initiation signals are present. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so close that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical-hydraulic device which automatically resets after the turbine trip. Two pressure switches are used to detect high turbine exhaust pressure; either switch can initiate turbine shutdown.

One pressure switch is used to detect low HPCI pump suction pressure.

High-water level in the reactor vessel indicates that the HPCI has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in HPCI turbine damage caused by gross carryover of moisture.

The reactor vessel high-water-level setting which trips the turbine is near the top of the steam separators and is sufficient to prevent gross moisture carryover to the main steam line and then to the HPCI turbine. The two level transmitters that sense differential pressure feed analog trip units that are arranged to require that both analog trip units trip (coincidence) to initiate a turbine shutdown. The turbine will automatically restart on a low-water-level signal.

The controls are arranged for automatic or manual control. Upon receipt of an HPCI initiation signal, the auxiliary oil pump starts and provides hydraulic pressure to open the turbine stop valve and the turbine control valve. As the turbine gains speed, the shaft-driven oil pump begins to supply hydraulic pressure. After about 1/2 minute during an automatic turbine startup, the pressure supplied by the shaft-driven oil pump is sufficient, and the auxiliary oil pump automatically stops upon receipt of a high oil pressure signal. Should the shaft-driven oil pump malfunction, causing oil pressure to drop, the auxiliary oil pump restarts.

Operation of the gland seal condenser components (gland seal condenser condensate pump (DC), gland seal condenser blower (DC), and gland seal condenser water level instrumentation) is capable of preventing outleakage from the turbine shaft seals. Startup of this equipment is automatic. Failure of this equipment will not prevent the HPCI from providing water to the reactor vessel.

7.4.3.2.5 HPCI Valve Control

All automatic valves in the HPCI System are equipped with remote-manual test capability, so that the entire system can be operated locally, with the exception of the inboard steam line isolation valve, or from the Main Control Room.

Motor-operated valves are provided with appropriate torque switches or limit switches to turn off the motors when the full-closed positions are reached. Certain valves are automatically closed on isolation or turbine trip signals. All essential components of the HPCI controls operate from a reliable DC power source.

To ensure that the HPCI can be brought to design flow rate within 30 seconds from the receipt of the initiation signal, the following maximum operating times for essential HPCI valves are provided by the valve operation mechanisms.

HPCI turbine steam supply valve            30 seconds
HPCI pump discharge valves                 30 seconds
HPCI pump minimum flow bypass valve        15 seconds

The operating time for both the pump discharge valves and minimum flow bypass valve is the time for the valve to travel from the fully closed to the fully open position, or vice versa. The operating time for the steam admission valve is the time to travel from fully closed to opened sufficiently to provide adequate steam flow to allow the HPCI system to deliver required flow to the vessel.

The two HPCI steam supply line isolation valves are intended to isolate the HPCI steam line in the event of a break in that line; the operating time requirements for them are based on isolation specifications. These are described in Subsection 7.3, "Primary Containment Isolation System." A normally closed, DC motor-operated isolation valve is located in the turbine steam supply pipeline just upstream of the turbine stop valve. Upon receipt of an HPCI initiation signal, this valve opens and remains open until closed by operator action from the control room.

Two normally open isolation valves are provided in the steam supply line to the turbine. The valve inside the drywell is controlled by an AC motor fed from a reactor MOV board. The valve outside the drywell is controlled by a DC motor. An electrically operated valve with automatic isolation function is in parallel with the outside containment isolation valve for start up after isolation purposes. The valves automatically close upon receipt of an HPCI turbine steam line high-flow signal, an HPCI turbine steam supply low-pressure signal, high steam line space temperature, or high turbine exhaust (diaphragm) rupture disc pressure. The instrumentation for isolation is described in Subsection 7.3, "Primary Containment Isolation System."

Three pump suction valves are provided in the HPCI. One valve lines up pump suction from the condensate supply header, the other two from the pressure suppression chamber. The condensate supply header is the preferred source. All three valves are operated by DC motors. Although the condensate storage tank suction valve is normally open, an HPCI initiation signal opens it if it is closed. If the level in the condensate supply header falls below a preselected value, the pressure suppression chamber suction valves automatically open. When the pressure suppression chamber valves are both fully open, the condensate supply header suction valve automatically closes. Two level switches are used to detect the condensate supply header level. Either switch can cause the pressure suppression chamber suction valves to open. The pressure suppression chamber suction valves also automatically open and the condensate supply header suction valve closes if a high-water level is detected in the pressure suppression chamber. Two level switches monitor the pressure suppression chamber water level. Either switch can initiate opening of the pressure suppression chamber suction valves. If open, the pressure suppression chamber suction valves automatically close upon receipt of the signals that initiate HPCI steam line isolation.

Two DC motor-operated HPCI pump discharge valves in the pump discharge pipeline are provided. One valve is used for maintenance purposes and remains in the open position during standby conditions. The other valve is normally closed.

Both valves receive an open signal upon receipt of a HPCI initiation signal. The valves remain open upon receipt of a turbine trip signal until closed by operator action in the control room.

To prevent the pump from being damaged by overheating at reduced HPCI pump discharge flow, pump discharge minimum flow bypass is provided to route the water discharged from the pump back to the pressure suppression chamber. The bypass is controlled by an automatic, DC motor-operated valve. If a HPCI initiation signal is present, the minimum flow bypass valve will open until HPCI flow increases at which time the valve will close. A flow switch that measures the pressure difference across a flow element in the HPCI pump discharge pipeline provides the signals used for automatic operation of the minimum flow bypass valve. There is also an interlock provided to shut the minimum flow bypass whenever the turbine is tripped.

This is necessary to prevent drainage from the condensate supply header into the pressure suppression pool. In the event that the trip signal is reset and a valid HPCI initiation signal is present, the minimum flow bypass valve will reopen. However, the condensate drainage into the pressure suppression pool will be quite small and provides ample time for the operator to close the valve before pressure suppression pool level is affected.

To prevent the HPCI steam supply pipeline from filling up with water, a condensate drain pot, steam line drain with steam trap, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine steam supply valve. The controls position valves so that during normal operation steam line drainage is routed to the main condenser. Upon receipt of an HPCI initiation signal, the turbine supply valve opens. The drainage path is isolated when the turbine steam supply valve is not fully closed. Excessive water collected in the condensate pot is controlled by a level control switch which opens the steam trap bypass level control valve to allow condensate to flow to the condenser. In the event that the condensing rate exceeds the blowdown rate, a level switch actuates to annunciate a high condensate pot level condition in the main control room and, at the same time, opens the HPCI steam line steam trap bypass valve to bypass the steam trap which is in series with the main condenser drain path. In Unit 1, excessive water collected in the condensate pot is drained to the condenser by a manual steam trap bypass valve. If a level switch actuates to annunciate a high condensate pot level condition in the main control room, the steam trap/drain pot arrangement must be manually drained using the steam trap bypass valve. Bypassing the steam trap reduces flow friction in the drain line and substantially increases flow to the condenser in order to return the condensate pot to its normal operating level.

During test operation, the HPCI pump discharge is routed to the condensate storage tanks. Two DC motor-operated test return throttle and block valves are installed in a test return line off the HPCI pump discharge line in order to route pump discharge flow back to the condensate storage tanks. The piping arrangement is shown in Figures 6.4-1, 6.4-3, and 6.4-5. Upon receipt of an HPCI initiation signal, the valves close and remain closed. The valves are automatically closed if either of the pressure suppression chamber suction valves are open. Numerous indications pertinent to the operation and condition of the HPCI are available to the control room operator. Figures 6.4-1, 6.4-3, and 6.4-5 show the control and logic of the various indications provided.

7.4.3.2.6 HPCI Environmental Considerations

The only HPCI control component located inside the primary containment that must remain functional in the environment resulting from a loss-of-coolant accident is the control mechanism and motor for the inboard isolation valve on the HPCI turbine steam line. The environmental capabilities of this valve and motor are discussed in Subsection 7.3, "Primary Containment Isolation System." The HPCI control and instrumentation equipment located outside the primary containment is selected in consideration of the normal and accident environments in which it must operate.

7.4.3.3 Automatic Depressurization System (ADS) Control and Instrumentation

7.4.3.3.1 Identification and Physical Arrangement

Automatically controlled relief valves are installed on the main steam lines inside the primary containment. Six of the valves are dual purpose in that they will relieve pressure by normal mechanical action or by automatic action of an electro-pneumatic control system (see Subsection 4.4, "Nuclear System Pressure Relief System"). The relief by normal mechanical action is intended to prevent overpressurization of the nuclear system. The depressurization by automatic action of the control system is intended to reduce nuclear system pressure during a loss-of-coolant accident in which the HPCI fails, so that the relatively low-pressure core spray and LPCI systems can inject water into the reactor vessel. The ADS automatic control and instrumentation equipment for the main steam relief valves is described in this subsection. The controls and instrumentation for one of the main steam relief valves are discussed. Other main steam relief valves equipped for automatic depressurization are identical.

The control system consists physically of pressure and water level transmitters arranged in trip systems that control a solenoid-operated pilot air valve. The solenoid-operated pilot valve controls the pneumatic pressure applied to a diaphragm actuator which controls the main steam relief valve directly. An accumulator is included with the control equipment to store pneumatic energy for main steam relief valve operation. The accumulator is sized to hold five times the volume of air required for one valve operation following failure of the normal pneumatic supply to the accumulator. In addition, an emergency source of nitrogen is provided by the CAD system. Cables from the transmitters lead to the auxiliary instrument room where the logic arrangements are formed in cabinets. The electrical control circuitry is powered by direct current from the unit batteries. Both ADS initiation logic bus circuits are powered from a common source; however, one of the logic bus circuits is provided with an automatic transfer capability to an alternate power source so that the ADS automatic activation function will not be lost in the event of any single 250V DC power failure. See Table 6.5-3 for the Emergency Core Cooling Systems which are available for both recirculation suction and discharge breaks following an assumed single failure. Electrical elements in the control system energize to cause opening of the main steam relief valve. The automatic depressurization system is designed to meet the intent of the IEEE proposed criteria for Nuclear Power Plant Protection Systems (IEEE-279-1971).

7.4.3.3.2 Automatic Depressurization System Initiating Signals and Logic

The initiating signals for the Automatic Depressurization System are reactor vessel low-water level and primary containment (drywell) high pressure, or a sustained reactor vessel low-water-level signal, which provides the initiating signal after a time delay. The above initiation paths and a permissive signal verifying that the two core spray pumps or at least one RHR pump are running must be present to cause the main steam relief valves to open. This permissive signal is not required to start the ADS delay timers but must be present to actuate the main steam relief valves. However, verification that the two core spray pumps or at least one RHR pump are running is required for ADS actuation for Units 1, 2, and 3. Reactor vessel low-water level indicates that the fuel is in danger of becoming overheated. This low water level would normally not occur unless the HPCI failed. Primary containment high pressure indicates that a breach in the nuclear system process barrier has occurred inside the drywell.

After receipt of the initiation signals, and after a 120-second delay provided by timers, the solenoid-operated pilot air valve is energized, provided that at least one LPCI pump or the appropriate two core spray pumps are running, allowing pneumatic pressure from the accumulator to act on the diaphragm actuator. Pump discharge pressure switches are used to sense that the core spray or LPCI pumps are running. The diaphragm actuator is an integral part of the main steam relief valve and expands to hold the main steam relief valve open. Lights in the control room inform the control room operator whenever the solenoid-operated pilot valve is energized, indicating that the main steam relief valve is open or being opened.

A two-position switch is provided in the control room for the control of the main steam relief valves. The two positions are "open" and "auto." In the open position, the switch energizes the solenoid-operated pilot valve, which allows pneumatic pressure to be applied to the diaphragm actuator of the main steam relief valve.

This allows the control room operator to take action independent of the automatic system. The main steam relief valves can be manually opened to provide a controlled nuclear system cooldown under conditions where the normal heat sink is not available. Manual reset circuits and key-lock inhibit switches are provided for the reactor vessel low-water level and primary containment high-pressure initiating signals. By manually resetting the ADS initiating signals, the delay timers are recycled. By manually turning the key-lock inhibit switches to the inhibit position, the ADS initiating signals are blocked, preventing automatic opening of the main steam relief valves. This action is, however, annunciated on the control room annunciators.

The operator can use the reset switches to delay automatic opening of the main steam relief valves or use the key-lock inhibit switches to prevent the opening of the main steam relief valves indefinitely if such actions are deemed prudent throughout the cooldown period. If at any time the circuits are not reset or the key-lock inhibit switches are not engaged, blowdown will start and will continue unless the circuits are manually reset to recycle the timers or the key-lock inhibit switches are engaged.

Each trip system can initiate automatic depressurization when the logic in that trip system is satisfied. The logic of each trip system includes a timer that delays the opening of the main steam relief valve. This allows time for the operator to decide whether it is prudent to further postpone automatic depressurization.

Automatic Depressurization System Instrumentation and settings are listed in Table 7.4-2. The wiring for the trip systems is routed in separate conduits to reduce the probability that a single event will prevent automatic opening of a main steam relief valve.

The reactor vessel low-water-level initiation setting for the Automatic Depressurization System is selected to open the main steam relief valves to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the Core Spray and LPCI Systems following a loss-of-coolant accident in which the other makeup systems (feedwater, RCICS, HPCI) fail to maintain vessel water level.

The primary containment high-pressure setting is selected to be as low as possible without inducing spurious initiation of the Automatic Depressurization System.

7.4.3.3.3 Automatic Depressurization System Initiating Instrumentation

The pressure and level transmitters used to initiate the Automatic Depressurization System are common to each main steam relief valve control circuitry. Reactor vessel low-water level is detected by six transmitters that measure differential pressure. Primary containment high pressure is detected by four pressure transmitters. Some of the transmitters used for these two initiating functions are the same ones used for the LPCI and Core Spray System. The primary containment high-pressure signals are arranged to seal into the control circuitry; they must be manually reset to clear.

Two timers are used in the control circuitry for each main steam relief valve. The delay time setting before the Automatic Depressurization System is actuated is chosen to be long enough so that the HPCI has time to start, yet not so long that the Core Spray System and LPCI are unable to adequately cool the fuel if the HPCI fails to start. An alarm in the control room is tripped when either of the timers is operating. Resetting the Automatic Depressurization System initiating signals recycles the timers.

The requirement that at least one of the LPCI pumps or two core spray pumps be running before automatic depressurization starts ensures that cooling will be available to the core after the system pressure is lowered.
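The following Python model is an added illustration of the initiation logic described in 7.4.3.3.2 and 7.4.3.3.3 for a single trip system; it is not taken from the FSAR or from plant documentation. The class and function names are hypothetical, the 300-second sustained low-water-level delay is a constructed placeholder (the text gives no value), and the model assumes that the timers drop out whenever their input signal clears.

```python
from dataclasses import dataclass
from typing import Optional

BLOWDOWN_DELAY_S = 120.0  # delay timer value stated in the text


@dataclass
class AdsTripSystem:
    """Hypothetical model of one ADS trip system (illustration only)."""
    # Constructed placeholder: the text gives no value for this delay.
    sustained_low_level_delay_s: float = 300.0
    inhibit: bool = False                 # key-lock inhibit switch position
    drywell_seal_in: bool = False         # latched until manually reset
    low_level_s: Optional[float] = None   # how long low level has persisted
    blowdown_s: Optional[float] = None    # 120 s timer; None = not running

    def reset(self) -> None:
        """Manual reset: clears the seal-in and recycles the timers."""
        self.drywell_seal_in = False
        self.low_level_s = None
        self.blowdown_s = None

    def step(self, dt, low_level, high_drywell, lpci_running, cs_pair_running):
        """Sample the inputs dt seconds after the previous sample."""
        if high_drywell:
            self.drywell_seal_in = True   # seals in even if the signal clears
        # A timer that starts on this sample begins at zero.
        if low_level:
            self.low_level_s = (0.0 if self.low_level_s is None
                                else self.low_level_s + dt)
        else:
            self.low_level_s = None       # assumption: not sealed in
        sustained = (self.low_level_s is not None and
                     self.low_level_s >= self.sustained_low_level_delay_s)
        # Two initiation paths: low level with drywell seal-in, or
        # sustained low level alone. The inhibit switch blocks both.
        initiated = (not self.inhibit and low_level and
                     (self.drywell_seal_in or sustained))
        if initiated:
            self.blowdown_s = (0.0 if self.blowdown_s is None
                               else self.blowdown_s + dt)
        else:
            self.blowdown_s = None
        timed_out = (self.blowdown_s is not None and
                     self.blowdown_s >= BLOWDOWN_DELAY_S)
        # Permissive: not needed to start the timer, needed to actuate.
        permissive = lpci_running >= 1 or cs_pair_running
        alarms = []
        if self.inhibit:
            alarms.append("ADS inhibited")
        if self.drywell_seal_in:
            alarms.append("ADS high drywell pressure seal-in")
        if self.blowdown_s is not None:
            alarms.append("ADS blowdown timers initiated")
        if permissive:
            alarms.append("RHR or CS pump running ADS blowdown permissive")
        return {"open": timed_out and permissive, "alarms": alarms}


def first_open_time(ads, segments, reset_at=(), dt=1.0):
    """Run (duration_s, inputs) segments; return the first time the relief
    valves are commanded open, or None. reset_at lists operator resets."""
    t = 0.0
    for duration, inputs in segments:
        end = t + duration
        while t < end:
            if t in reset_at:
                ads.reset()
            if ads.step(dt, **inputs)["open"]:
                return t
            t += dt
    return None


if __name__ == "__main__":
    # Constructed scenario inputs, not plant data.
    base = dict(low_level=True, high_drywell=True,
                lpci_running=1, cs_pair_running=False)
    no_pumps = dict(base, lpci_running=0)
    level_only = dict(base, high_drywell=False)
    print("both signals:", first_open_time(AdsTripSystem(), [(600, base)]))
    print("pumps start at 200 s:",
          first_open_time(AdsTripSystem(), [(200, no_pumps), (100, base)]))
    print("operator reset at 100 s:",
          first_open_time(AdsTripSystem(), [(600, base)], reset_at=(100,)))
    print("low level only:",
          first_open_time(AdsTripSystem(), [(600, level_only)]))
    print("inhibited:",
          first_open_time(AdsTripSystem(inhibit=True), [(600, base)]))
```

The scenarios show the three behaviours the text emphasizes: the permissive gates actuation but not the timer, a manual reset recycles the 120-second delay, and the inhibit switch blocks initiation while raising its own alarm.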

7.4.3.3.4 Automatic Depressurization System Alarms

A single-train acoustic monitoring system has been installed to provide unambiguous main control room indication of main steam relief valve position (open or closed) and alarm. The acoustic monitoring system detects steam flow in the main steam relief valve discharge pipeline by using an accelerometer which is physically attached to the discharge tailpipe downstream. The accelerometers transmit conditioned signals back to a common electronics module located in the main control room. For each valve, the electronic module inserts a selective gain into the signal and provides a relative indication of steam flow through a series of ten indicating lights. A control room alarm initiates when the fifth light is illuminated.

A main steam relief valve discharge tailpipe temperature monitoring system is provided to detect and provide indication of relief status. A temperature element is installed in a thermowell in the main steam relief valve discharge tailpipe downstream of the valve discharge flange. The temperature element is connected to a multipoint recorder in the control room which provides a means of detecting main steam relief valve leakage during normal plant operation. When the temperature in any main steam relief valve discharge tailpipe exceeds a preset value, an alarm condition is indicated on the recorder in the control room. The temperature recorders installed in Units 2 and 3 have the capability to selectively raise the high temperature alarm setpoint on a per channel basis. Additionally, these recorders provide an interface to the plant process computer which has the capability to display and trend the discharge tailpipe temperatures. In addition to providing a leakage indication, the main steam relief valve discharge tailpipe temperature monitoring instrumentation provides an alternate main control room indication of main steam relief valve position.

A common "MAIN STEAM RELIEF VALVE OPEN" annunciator exists in the control room with inputs from all 13 acoustic monitors. The acoustic monitor system satisfies the requirements for main steam relief valve position indication.

A key-lock inhibit switch is in-line with each ADS initiating logic channel. When a key-lock inhibit switch is in the inhibit position, an alarm is sounded in the control room to inform the operators that ADS has been inhibited.

As relays and plant process sensors within each ADS initiating logic channel are activated, control room alarms are sounded to inform the operators of a pending ADS event. These alarms include: (1) RHR or CS pump running ADS blowdown permissive, (2) reactor water level low ADS blowdown permissive, (3) ADS high drywell pressure seal-in, (4) ADS auxiliary blowdown relays energized, and (5) ADS blowdown timers initiated.

Other control room annunciations are available to inform the operators of abnormal plant conditions or test conditions under which the ADS function is reduced or compromised. These alarms include: (1) ADS main steam relief valve accumulator low control air pressure, (2) backup control panel selector switch in the emergency position, ADS blowdown system control power failure, (3) ADS blowdown system in test status, and (4) ADS blowdown system test switches misaligned. Any of these would indicate a potential degraded ability of the ADS main steam relief valves.

7.4.3.3.5 Automatic Depressurization System Environmental Considerations

The signal cables, solenoid valves, and main steam relief valve operators are the only items of the control and instrumentation equipment of the Automatic Depressurization System that are located inside the primary containment and must remain functional in the environment resulting from a loss-of-coolant accident.

These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis loss-of-coolant accident. Gamma and neutron radiation is also considered in the selection of these items. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate.

7.4.3.4 Core Spray System Control and Instrumentation

7.4.3.4.1 Identification and Physical Arrangement

The Core Spray System consists of two independent spray loops, as shown in Figures 6.4-2, 6.4-4, and 6.4-6. Each loop is capable of supplying sufficient cooling water to the reactor vessel to adequately cool the core by spraying following a design basis loss-of-coolant accident. The two spray loops are physically and electrically separated so that no single physical event makes both loops inoperable.

Each loop includes two AC motor-driven 50 percent-capacity pumps, appropriate valves, and the piping to route water from the pressure suppression pool to the reactor vessel. The controls and instrumentation for the Core Spray System include the sensors, relays, wiring, and valve-operating mechanisms used to start, operate, and test the system. Except for the check valve in each spray loop, which is inside the primary containment, the sensors and valve-closing mechanisms for the Core Spray System are located in the Reactor Building. The check valves are described in Section 6.0, "Emergency Core Cooling Systems." Cables from the sensors are routed to the Auxiliary Instrument Room where the control circuitry is assembled in electrical panels. The core spray pumps for each unit are powered from different AC buses that are capable of receiving standby power. The power supply for automatic valves is Class 1E and feeds from the same bus structure as the core spray pumps.

Control power for each of the core spray loops comes from separate DC buses. The electrical equipment in the Auxiliary Instrument Room for one core spray loop is located in a separate cabinet from that used for the electrical equipment for the other loop. The CS System is designed to meet the intent of the IEEE proposed criteria for Nuclear Power Plant Protection Systems (IEEE-279-1971).

7.4.3.4.2 Core Spray System Initiating Signals and Logic

Trip settings are given in Table 7.4-3. The overall operation of the system following the receipt of an initiating signal is as follows:

a. Test bypass valves are closed and interlocked to prevent opening.
b. If normal AC power is available, the four core spray pumps start one at a time, in order, at 0.2, 7, 14, and 21 seconds.
c. If normal AC power is not available, the four core spray pumps start seven seconds after standby power becomes available. (The LPCI pumps start as soon as standby power is available.)
d. When reactor vessel pressure drops to 450 psig (See Section 6.5 for value utilized in the Emergency Core Cooling System analysis), the core spray inboard injection valve opens allowing water to be sprayed on the core once core spray discharge pressure overcomes RPV pressure.
e. When adequate pump discharge flow is indicated, the pump low-flow bypass valves shut, directing full flow into the reactor vessel.

Two initiating functions are used for the Core Spray System: reactor vessel low-water-level, and primary containment (drywell) high pressure plus low reactor vessel pressure (450 psig). Either initiation signal can start the system. The development of these accident signals is discussed further in Section 7.4.3.4.7.

Reactor vessel low-water level indicates that the core is in danger of being overheated due to the loss of coolant. Drywell high pressure plus low reactor vessel pressure indicate that a breach of the nuclear system process barrier has occurred inside the drywell. The reactor vessel low-water-level, primary containment high pressure and low reactor vessel pressure settings, and the instruments that provide the initiating signals are selected and arranged so as to assure adequate cooling for the design basis loss-of-coolant accident without inducing spurious system startups.

7.4.3.4.3 Core Spray System Pump Control

The circuitry provides for detection of normal power availability, so that all pumps are automatically started in sequence. Each pump can be manually controlled by a control room remote switch or by the automatic control system. A pressure transducer on the discharge pipeline from each set of core spray pumps provides a signal to an indicator in the control room to indicate the successful startup of the pumps. If a core spray initiation signal is received when normal AC power is not available, the core spray pumps start, after a seven-second time delay, to allow the start of the LPCI pumps to avoid overloading the source of standby power. If one core spray pump fails to start owing to a loss of normal or diesel generator bus voltage, the companion core spray pump motor in the affected core spray loop will not start either in order to avoid a pump run out condition which occurs when only one pump is operating to inject water into the reactor vessel. The core spray pump motors are provided with overload and undervoltage protection. Overload relays are applied so as to maintain power as long as possible without immediate damage to the motors or emergency power system. Undervoltage trips are provided with time delays sufficient to permit power transfer from auxiliary transformers to startup transformer source without tripping the pump power supply breaker open.

Undervoltage protection is locked out if an accident signal is present and the shutdown boards are being powered by the diesel-generators.

Flow-measuring instrumentation is provided in each of the core spray pump discharge lines. The instrumentation provides flow indication in the control room.

The standby AC power system is designed such that automatic restart of the core spray pumps, after manual shedding of same, is not available unless the initiating signal is removed (see Subsection 8.5).

7.4.3.4.4 Core Spray System Valve Control

Except where specified otherwise, the remainder of the description of the Core Spray System refers to one spray loop. The second core spray loop is identical. All motor-operated valves are equipped with torque and limit switches to turn off the valve motor when the valve reaches the limits of movement and to provide control room indication of valve position. Each automatic valve can be operated from the control room. Valve motors are protected by overload devices.

Upon receipt of an initiation signal, the test bypass valve closes if it is open and is interlocked closed. The outboard injection valve (normally open but will open if it is closed) and the inboard injection valve will open provided all conditions necessary to inject are satisfied. The reactor pressure permissive setpoint for injection valve opening is selected low enough such that low pressure portions of the Core Spray System can not be overpressurized and yet high enough to open the inboard injection valve in time to provide adequate core cooling. Four pressure transmitters are used to monitor nuclear system pressure; these transmitters supply four analog trip units. Two analog trip units are used to monitor reactor pressure in a one-out-of-two logic arrangement which enables the injection valves' low pressure permissive. The full stroke operating times of the motor-operated valves are selected to be rapid enough to assure proper delivery of water to the reactor vessel in a design basis accident. The full stroke operating times are as follows:

Test bypass valve              30 seconds
Pump suction valve             standard closure rate
Pump discharge valves          33 seconds
Minimum flow bypass valves     15 seconds

The standard closure rate is based on isolating a 12-inch line in 60 seconds.

Conversion to actual closing time can be made on this basis using the size of the line being isolated. A flow switch on the discharge of each set of pumps provides a signal to operate the minimum flow bypass line valve for each pump set. When core spray flow into the reactor pressure vessel reaches a predetermined setpoint, the minimum flow bypass valve closes and all flow is directed into the sparger at this time.

7.4.3.4.5 Core Spray System Alarms and Indications

Core Spray System discharge pressure is monitored by a pressure switch which has a process tap just upstream of the normally closed inboard injection valve. If excessive pressure beyond that expected in the standby configuration is present, the pressure switch will actuate a Main Control Room annunciator to alert the operator to this condition so that corrective actions may be carried out.

A detection system is also provided to confirm the integrity of the core spray piping between the inside of the reactor vessel and the core shroud. A differential pressure switch measures the pressure difference between the bottom of the core and the inside of the core spray sparger pipe just outside the reactor vessel. If the core spray sparger piping is sound, this pressure difference will be the pressure drop across the core. If integrity is lost, this pressure difference will change, initiating an alarm in the control room. An increase in the normal pressure drop initiates an alarm in the control room. The pressure in each core spray pump suction and discharge line is monitored by locally mounted pressure gauges. The discharge pressure gauges are used for determining pump performance. Temporary pressure gauges are furnished during surveillance testing to measure the suction pressure of each pump for pump performance purposes because existing gauges do not provide sufficient accuracy.

7.4.3.4.6 Core Spray System Environmental Considerations

There are no control and instrumentation components for the Core Spray System located inside the primary containment that must operate in the environment resulting from a loss-of-coolant accident. All components of the Core Spray System that are required for system operation are outside the drywell and are selected in consideration of the normal and accident environments in which they must operate.

7.4.3.4.7 Core Spray System and Accident Signal Initiation

The Core Spray System is initiated by sensors and relays based on low reactor vessel water level (Level 1 setpoint) or high drywell pressure coincident with low reactor pressure. These same sensors and relays are used to initiate the Common Accident Signal, as shown on Figures 7.4-5d, 7.4-5l and 7.4-7i. The Core Spray System initiation signal starts the core spray pumps and actuates core spray valves in the unit sensing the low water level or abnormal pressures, as discussed in Sections 7.4.3.4.3 and 7.4.3.4.4. The sensor/relay outputs are also used as inputs to the RHR (LPCI) initiation circuitry and, for Units 1 and 2 only, initiate the ECCS preferred pump logic to trip the opposite unit's running RHR and Core Spray pumps.

The low reactor vessel water level or high drywell pressure coincident with low reactor pressure signals are also used to generate a Common Accident Signal, which affects the operation of components associated with all three units. The Common Accident Signal performs the following functions:

a) sends a signal to start all eight Unit 1/2 and Unit 3 diesel generators,
b) trips the diesel generator output breakers (if closed),
c) defeats selected diesel generator protective trips,
d) blocks the 4kV Shutdown Board auto transfer logic,
e) trips and blocks the fire pumps A, B, and C auto start logic,
f) starts the RHRSW (aligned to EECW) pumps,
g) blocks subsequent RHRSW (aligned to EECW) pump start signal (if already running),
h) blocks the 4kV degraded voltage trips,
i) trips the RHRSW pumps A2 and C2,
j) trips the RCW pump 1D.

The low reactor vessel water level or high drywell pressure coincident with low reactor pressure signal also inputs to the 480V load shed logic in the unit where the signal originated. When this signal occurs, coincident with diesel generator voltage available, non-essential 480V loads are shed.

The Pre-Accident Signal is generated by low reactor vessel water level (Level 1 setpoint) or high drywell pressure signals, and again affects the operation of components associated with all three units. The Pre-Accident Signal sends a signal to start all eight Unit 1/2 and Unit 3 diesel generators. This feature anticipates an event and starts all eight diesels so that they are ready for electrical loading when required by the load sequencing logic.


BFN-28

Following an initiation of a Common Accident Signal (CAS) on either Units 1, 2, or 3 (which trips all eight diesel breakers), subsequent accident signal trips of the diesel breakers are blocked. A second diesel breaker trip on a "unit priority" basis is provided to ensure that during combinations of spurious and real accident signals, the diesel supplied buses are stripped prior to starting the RHR pumps and other ECCS loads. This diesel breaker re-trip will only occur if a spurious accident signal or a real accident signal from the other unit has previously tripped the diesel breakers. Inputs from the RHR initiation circuitry (shown on Figures 7.4-7b, 7.4-7i, and 7.4-7p indicating low reactor vessel water level or high drywell pressure coincident with low reactor pressure), combined with an existing CAS trip signal, will re-trip the diesel breakers on the unit where the RHR initiation signal originated.

The other unit's diesels will be unaffected by this second trip. Thus each unit is given priority over the block of subsequent CAS diesel breaker trips for its diesels.

This diesel breaker "Unit Priority Re-Trip" ensures that the diesel buses are stripped prior to starting the RHR pumps, Core Spray pumps and other required loads.

Section 8.5 provides a discussion and evaluation of the CAS signals to the diesel generator breakers and the Unit Priority Re-Trip signal.

For Units 1 and 2 only, the RHR and Core Spray pumps for both units are powered from the same 4kV shutdown boards (see Chapter 8). If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4kV shutdown boards and their associated diesel generators on a loss of offsite power, or the 4kV shutdown buses if normal power were available. Therefore, during combinations of real and spurious accident signals the Unit 1/2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4kV shutdown boards and the Unit 2 ECCS loads to the Division II 4kV shutdown boards. The Unit 1/2 ECCS preferred pump logic will allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4kV shutdown boards, and the Unit 2 Division II pumps (2B and 2D) will load on the Division II 4kV shutdown boards. This will ensure that the shared Unit 1/2 4kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems described in Table 6.5-3.

If an accident signal was initiated in only one unit (Units 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g. for shutdown cooling), the Core Spray system will initiate the preferred pump logic to trip all of the non-accident unit's running RHR and Core Spray pumps. This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1/2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.


7.4.3.5. Low Pressure Coolant Injection Control and Instrumentation

7.4.3.5.1. Identification and Physical Arrangement

Low pressure coolant injection (LPCI) is an operating mode of the Residual Heat Removal System (RHRS) that uses pumps and piping which are parts of the RHRS.

Because the LPCI system is designed to provide cooling water to the reactor vessel following the design basis loss-of-coolant accident, the controls and instrumentation for it are discussed here. Section 4.8, Residual Heat Removal System, describes the RHRS in detail.

The LPCI system for Units 1, 2, and 3 has been modified from the original design.

This modification changed the low pressure coolant injection mode of the RHR by deleting automatic loop selection in case of a loss-of-coolant accident by permitting simultaneous injection into both recirculation loops with backup capabilities.

Figures 7.4-6a sheets 1, 2, and 3 and 7.4-6b sheets 1, 2, 3, 4, and 5 show the entire Residual Heat Removal System, including the equipment used for LPCI operation.

The following list of equipment itemizes essential components for which control or instrumentation is required:

Four RHRS pumps,
Pump suction valves, and
LPCI-to-recirculation loop injection valves.

The instrumentation for LPCI operation provides inputs to the control circuitry for other valves in the Residual Heat Removal System. This is necessary to ensure that the water pumped from the pressure suppression chamber by the pumps is routed directly to a reactor recirculation loop. These interlocking features and the actions of the reactor recirculation loop valves are described in this subsection, because these actions are accomplished to facilitate LPCI operation.

LPCI operation uses two identical pump loops, each loop with two pumps in parallel.

The two loops are arranged to discharge water into different reactor recirculation loops. In Unit 2, this cross connection is closed off by a valve that has been electrically disabled in the closed position. The Unit 3 cross connection is isolated by an electrically disabled valve in the closed position or by a locked-closed manual shutoff valve. The Unit 1 LPCI loop cross-tie valve is removed; and the corresponding cross connection is removed by a combination of a blind flange and cut, capped connections. Figures 7.4-6a sheets 1, 2, and 3, and 7.4-6b sheets 1, 2, 3, 4, and 5 show the location of instruments, control equipment, and LPCI components relative to the primary containment. Except for the LPCI testable check valves and the reactor recirculation loop pumps and valves, the components pertinent to LPCI operation are located outside the primary containment.

The power for the pumps is supplied from AC buses that can receive standby AC power. Each of the four pumps derives its power from a different shutdown board.

Motive power for the injection valves used during LPCI operation comes from a reactor MOV board, which receives standby AC power and can be automatically connected to alternate standby power sources. Control power for the LPCI components comes from the unit batteries. Redundant trip systems are powered from different batteries. The use of common buses for some of the LPCI components is acceptable because electrical isolation devices have been installed between the buses and the components.

LPCI is arranged for automatic operation and for remote-manual operation from the control room. The equipment provided for manual operation of the system allows the operator to take action independent of the automatic controls in the event of a loss-of-coolant accident. The LPCI System is designed to meet the intent of the IEEE proposed criteria for Nuclear Power Plant Protection Systems (IEEE-279-1971).

7.4.3.5.2. LPCI Initiating Signals and Logic

The overall operating sequence for LPCI following the receipt of an initiation signal is as follows:

a. If normal AC power is available, the four pumps start one at a time, in order, at 0.2, 7, 14, and 21 seconds, taking suction from the pressure suppression chamber. The valves in the suction paths to the pressure suppression chamber are normally maintained open so that no automatic action is required to line up suction.
b. If normal AC power is not available, the four pumps start simultaneously, with no delay, as soon as the standby power source is available.
c. Valves in the containment cooling system are automatically closed so that the water pumped from the pressure suppression chamber is routed properly.
d. The Residual Heat Removal System service water pumps may be manually tripped (if running) because they are not needed for LPCI operation. If normal AC power is not available, the pumps are tripped by undervoltage. Pumps required to supply EECW are restarted automatically.
e. When nuclear system pressure has dropped to 450 psig (see Section 6.5 for analytical limit assumed in Emergency Core Cooling System analyses), the LPCI injection valves to both recirculation loops automatically open, allowing the LPCI pumps to inject water into the pressure vessel as the reactor pressure drops below the pump shutoff head.
f. The LPCI system then delivers water to the reactor vessel via the recirculation loop to provide core cooling by flooding.
g. Recirculation pump discharge valves in both reactor loops automatically close when reactor pressure decreases to 230 psig (see Section 6.5 for analytical limit assumed in Emergency Core Cooling System analyses).

In the descriptions of LPCI controls and instrumentation that follow, Figures 7.4-6a sheets 1, 2, and 3 and 7.4-6b sheets 1, 2, 3, 4, and 5 can be used to determine the physical locations of sensors. Instrumentation and settings are given in Table 7.4-4.

Two automatic initiation functions are provided for the LPCI: reactor vessel low-water level, and primary containment (drywell) high pressure plus low reactor vessel pressure (450 psig). Reactor vessel low-water level indicates that the fuel is in danger of being overheated because of an insufficient coolant inventory. Primary containment high pressure plus low reactor vessel pressure is indicative of a break of the nuclear system process barrier inside the drywell.

Either initiation signal can start the system. Each of the initiating signals is sensed by four independent detectors arranged in a one-out-of-two-twice logic, as shown in Figures 7.4-7b, 7.4-7i, and 7.4-7p. The instruments used to detect reactor vessel low-water level, primary containment high pressure and low reactor vessel pressure are the same ones used to initiate the other ECCS. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.

The seal-in feature is shown in Figures 7.4-7b, 7.4-7i, and 7.4-7p.
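The initiation logic, seal-in and pressure permissives described above can be exercised in a small model. This is an added illustration, not plant logic or anything taken from the referenced figures; the channel pairing inside `one_out_of_two_twice`, the use of a single pressure value for the valve permissives, and all function and class names are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import combinations

# Values quoted in the text above.
INJECTION_OPEN_PSIG = 450                      # LPCI injection valves open
RECIRC_CLOSE_PSIG = 230                        # recirculation discharge valves close
SEQUENCED_STARTS_S = (0.2, 7.0, 14.0, 21.0)    # pump starts with normal AC power
STANDBY_READY_S = 10.0                         # "about 10 seconds" for standby power


def one_out_of_two_twice(a, b, c, d):
    """Trip when at least one channel in EACH pair has tripped.

    Assumption: channels are paired (a, b) and (c, d). The text names the
    logic but leaves the wiring to Figures 7.4-7b, 7.4-7i and 7.4-7p.
    """
    return (a or b) and (c or d)


@dataclass
class Channels:
    low_level: tuple         # four channels, True = low water level sensed
    high_drywell: tuple      # four channels, True = high drywell pressure sensed
    low_rx_pressure: tuple   # four channels, True = low reactor pressure sensed


class LpciInitiation:
    """Initiation signal with seal-in until manual reset."""

    def __init__(self):
        self.sealed_in = False

    def update(self, ch):
        level = one_out_of_two_twice(*ch.low_level)
        drywell = one_out_of_two_twice(*ch.high_drywell)
        low_pressure = one_out_of_two_twice(*ch.low_rx_pressure)
        # Either function initiates: low level alone, or high drywell
        # pressure coincident with low reactor pressure.
        if level or (drywell and low_pressure):
            self.sealed_in = True
        return self.sealed_in

    def manual_reset(self):
        self.sealed_in = False


def pump_start_times(normal_ac_available):
    """Start time in seconds for each of the four pumps after initiation."""
    if normal_ac_available:
        return SEQUENCED_STARTS_S
    return (STANDBY_READY_S,) * 4   # simultaneous once standby power is ready


def valve_commands(initiated, rx_pressure_psig):
    """Automatic valve actions (single pressure value is a simplification)."""
    return {
        "injection_valves_open": initiated and rx_pressure_psig <= INJECTION_OPEN_PSIG,
        "recirc_discharge_valves_close": initiated and rx_pressure_psig <= RECIRC_CLOSE_PSIG,
    }


def single_channel_failures():
    """Channels whose lone failure blocks a real trip or causes a spurious one."""
    blocked, spurious = [], []
    for i in range(4):
        demand = [True] * 4
        demand[i] = False            # channel i fails to trip on a real demand
        if not one_out_of_two_twice(*demand):
            blocked.append(i)
        idle = [False] * 4
        idle[i] = True               # channel i trips with no real demand
        if one_out_of_two_twice(*idle):
            spurious.append(i)
    return blocked, spurious


def blocking_pairs():
    """Pairs of channels that block a real trip if both fail untripped."""
    pairs = []
    for i, j in combinations(range(4), 2):
        demand = [True] * 4
        demand[i] = demand[j] = False
        if not one_out_of_two_twice(*demand):
            pairs.append((i, j))
    return pairs
```

With the assumed pairing, no single channel failure blocks or causes initiation, while two failed channels block it only when both sit in the same pair.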

For Units 1 and 2 only, the RHR and Core Spray pumps for both units are powered from the same 4kV shutdown boards (see Chapter 8). If the ECCS loads for both Units 1 and 2 were allowed to start during combinations of real and spurious accident signals, the combined Unit 1/2 ECCS pumps would overload the 4kV shutdown boards and their associated diesel generators on a loss of offsite power, and the 4kV shutdown buses if normal power were available. Therefore, during combinations of real and spurious accident signals the Unit 1/2 ECCS preferred pump logic will assign the Unit 1 ECCS loads to the Division I 4kV shutdown boards and the Unit 2 ECCS loads to the Division II 4kV shutdown boards. The Unit 1/2 ECCS preferred pump logic will allow the Unit 1 Division I RHR and Core Spray pumps (1A and 1C) to start and load on the Division I 4kV shutdown boards, and the Unit 2 Division II pumps (2B and 2D) will load on the Division II 4kV shutdown boards. This will ensure that the shared Unit 1/2 4kV shutdown boards are not overloaded while still maintaining the minimum number of required ECCS injection subsystems described in Table 6.5-3.


The Core Spray logic initiated Common Accident Signal and the LPCI logic initiated unit priority re-trip are required to ensure that the shared Unit 1/2 4kV shutdown boards are stripped prior to starting the RHR pumps, Core Spray pumps, and other required loads when the shutdown boards are being supplied by the diesel generators. With a real and spurious accident signal present, the Unit 1 initiated unit priority re-trip signal will only re-trip the Division I diesel breakers while the Unit 2 initiated unit priority re-trip signal will only re-trip the Division II diesel breakers. This will ensure that a spurious unit priority re-trip signal will not re-trip all four Unit 1/2 diesel breakers, which would result in interrupting both divisions' RHR and Core Spray pumps supplying the opposite unit in a real accident.

If an accident signal was initiated in only one unit (Units 1 or 2) and any RHR or Core Spray pumps were already running in the opposite non-accident unit (e.g. for shutdown cooling), the RHR system will initiate the preferred pump logic to trip all of the non-accident unit's running RHR and Core Spray pumps. This ensures that any running RHR or Core Spray pumps in the non-accident unit would be tripped, unloading the Unit 1/2 4kV shutdown boards prior to the accident unit starting all of its ECCS pumps (both divisions) on an accident signal, with or without a loss of offsite power.

7.4.3.5.3 LPCI Pump Mode Control

The reaction of the pumps to an initiation signal depends on the availability of power.

If normal AC power is not available, the four main system pumps automatically start simultaneously after the standby power source (four diesel generators) is available, which takes about 10 seconds. (See Section 6.5 for analytical limit assumed in Emergency Core Cooling System analyses). If normal AC power is available, the four pumps start in a seven-second timed sequence (0.2, 7, 14, and 21 seconds) to prevent overloading the auxiliary power source.

The time delays are provided by timers, which are set as given in Table 7.4-4.

The timers provided in the LPCI circuitry for the main system pumps, as well as those used for the LPCI injection valves, are capable of adjustment over a range of 1.5 times the specified setting listed in Table 7.4-4.

Pressure indicators, installed in the pump discharge pipelines upstream of the pump discharge check valves, provide indication of proper pump operation following an initiation signal. Low pressure in a pump discharge pipeline indicates pump failure.

The location of the pressure indicators relative to the discharge check valves prevents the operating-pump discharge pressure from concealing a pump failure.

To prevent pump damage due to overheating at no-flow, the control circuitry prevents a pump from starting unless a suction path is lined up. Limit switches on suction valves provide control room light indications that a suction lineup is in effect.

If suction valves change from their fully open position during pump operation, the limit switches trip the pump power supply breaker.

The main system pump motors are provided with overload and undervoltage protection. The overload relays are applied so as to maintain power on the motor as long as possible without harm to the motor or immediate damage to the emergency power system. Undervoltage trips are provided with time delays sufficient to permit power transfer from auxiliary transformers to startup transformer source without tripping the pump power supply breaker open.

The Standby AC Power System is designed such that automatic restart of the RHR pumps, after manual load shedding, is not available unless the original initiation signal is lost (see Subsection 8.5).

7.4.3.5.4 LPCI Valve Control

The automatic valves controlled by the LPCI control circuitry are equipped with appropriate torque and limit switches which turn off the valve-operating mechanisms whenever the valves reach the limits of travel. Seal-in and interlock features are provided to prevent improper valve positioning during automatic LPCI operation.

The operating mechanisms for the valves are selected so that the LPCI operation is in time for the system to fulfill its objective of providing adequate core cooling following a design basis loss-of-coolant accident, except when the system is being tested. The time required for the valves pertinent to LPCI operation to travel from the fully closed to the fully open positions, or vice versa, is as follows:

LPCI injection valves                                        40 seconds
Reactor recirculation loop valves                            36 seconds
Containment spray valves - drywell                           30 seconds
Containment cooling valves - pressure suppression chamber    30 seconds
Residual Heat Removal System test line isolation valves      90 seconds

The pump suction valves to the pressure suppression pool are normally open. Upon receipt of an LPCI initiation signal, certain reactor shutdown cooling system valves and the RHRS test line valves automatically close. By closing these valves, the pump discharge is properly routed. Also included in this set of valves are the valves which, if not closed, would permit the pumps to take a suction from the reactor recirculation loops, a lineup that is used during normal shutdown cooling system operation. The LPCI injection valves and RHR cross-tie valve are normally closed with the cross-tie valve being electrically disabled in the closed position for Unit 2. In Unit 3, either of the two available RHR loop cross-tie isolation valves can be placed in the closed position for loop isolation. The Unit 1 LPCI loop cross-tie valve is removed; and the corresponding cross connection is removed by a combination of a blind flange and cut, capped connections.

The LPCI is designed for automatic operation following a break in one of the reactor recirculating loops. The LPCI logic opens the injection valves to the recirculation loops and closes the recirculation pump discharge valves in the recirculation loops.

No single failure or any single physical event can make all loops inoperable. See Subsections 6.4 and 4.8.

There is a requirement that reactor vessel pressure drop to a specified value before the valve logic will complete. There are four separate reactor pressure sensors for this function arranged in a one-out-of-two-twice logic. The injection valves will not open until reactor vessel pressure decreases to 450 psig (see Section 6.5 for analytical limit assumed in Emergency Core Cooling System analyses). LPCI flow then enters the vessel when the check valve opens, due to LPCI pressure being higher than reactor pressure. The recirculation discharge valves will not close until reactor vessel pressure decreases to 230 psig (see Section 6.5 for analytical limit assumed in Emergency Core Cooling System analyses).

A timer cancels the LPCI signals to the injection valves after a 5-minute delay time, which is long enough to permit satisfactory operation of the LPCI. The cancellation of the signals allows the operator to divert the water for other post-accident purposes. Cancellation of the signals does not cause the injection valves to move.

The manual controls in the control room allow the operator to open an LPCI injection valve only if nuclear system pressure is low or the other injection valve in the same pipeline is closed. These restrictions prevent overpressurization of low pressure piping. The same pressure switch used for the automatic opening of the valves is used in the manual circuit. Limit switches on both injection valves for each LPCI loop provide the valve position signals required for injection valve manual operation at high nuclear system pressures.

To protect the pumps from overheating at low flow rates, a minimum flow bypass pipeline, which routes water from the pump discharge to the pressure suppression chamber, is provided for each pair of pumps. A single motor-operated valve controls the condition of each bypass pipeline. Each minimum flow bypass valve automatically opens on sensing the low flow in the loop associated with the valve, and closes upon sufficient flow in the loop. Flow indications are derived from flow switches that sense the pressure differential across the length of each LPCI loop downstream of the cross-tie piping junction. Figures 7.4-6a sheets 1, 2, and 3 and 7.4-6b sheets 1, 2, 3, 4, and 5 show the location of the flow switches. If neither pump in a pair is operating, but the pump suction valves are aligned for shutdown cooling, the minimum flow bypass valves are automatically closed. This is needed to avoid inadvertent blowdown of the reactor to the pressure suppression chamber during shutdown cooling.

480 Volt Reactor MOV Boards 2D and 2E which contain the power and control circuits for the RHR pump minimum flow bypass valves have not been environmentally qualified for operation following an RWCU line break outside primary containment. However, procedural controls have been established to ensure that if the RHR pumps start following an RWCU line break, operator action will prevent the pumps from continuing to run without adequate flow.

Electrical interlocks are installed between Division I RHR Shutdown Cooling Suction (SCS) Motor Operated Valves (MOVs) 2-FCV-74-2 and 2-FCV-74-13 and RHR Pressure Suppression Chamber (PSC) Isolation MOV 2-FCV-74-57. In addition, electrical interlocks are installed between Division II RHR SCS MOVs 2-FCV-74-25 and 2-FCV-74-36 and RHR PSC Isolation MOV 2-FCV-74-71. The interlocks are designed to prevent inadvertent draining of the reactor vessel by preventing the RHR SCS MOVs from opening if the RHR PSC Isolation MOV is open. The interlocks will also prevent the opening of the RHR PSC Isolation MOV if either of the RHR SCS MOVs is open.
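The Division I interlock can be checked as a safety invariant by enumerating every valve lineup an operator could reach. The following is an added example, not plant logic: it assumes two-state valves, an all-closed starting lineup, open and close requests arriving in any order, and that close requests are never blocked; the function names are hypothetical.

```python
from collections import deque
from itertools import product

# Valve identifiers as given in the text for Division I.
SCS = ("2-FCV-74-2", "2-FCV-74-13")   # RHR shutdown cooling suction MOVs
PSC = "2-FCV-74-57"                   # RHR pressure suppression chamber isolation MOV
VALVES = SCS + (PSC,)


def open_permitted(valve, state, interlocked=True):
    """True if an open request for `valve` is allowed in `state`.

    `state` maps valve id -> True (open) or False (closed).
    """
    if not interlocked:
        return True
    if valve in SCS:
        # SCS MOVs may not open while the PSC isolation MOV is open.
        return not state[PSC]
    # The PSC isolation MOV may not open while either SCS MOV is open.
    return not any(state[v] for v in SCS)


def drain_path(state):
    """The lineup the interlock exists to prevent: PSC open with any SCS open."""
    return state[PSC] and any(state[v] for v in SCS)


def step(state, valve, want_open, interlocked=True):
    """Apply one operator request and return the resulting lineup."""
    new = dict(state)
    if not want_open:
        new[valve] = False            # assumption: closing is never blocked
    elif open_permitted(valve, state, interlocked):
        new[valve] = True
    return new


def reachable_states(interlocked=True):
    """Breadth-first search over all lineups reachable from all-closed."""
    start = {v: False for v in VALVES}
    seen = {tuple(start[v] for v in VALVES)}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for valve, want_open in product(VALVES, (True, False)):
            nxt = step(state, valve, want_open, interlocked)
            key = tuple(nxt[v] for v in VALVES)
            if key not in seen:
                seen.add(key)
                queue.append(nxt)
    return [dict(zip(VALVES, key)) for key in sorted(seen)]


def violations(interlocked=True):
    """Reachable lineups that contain a drain path."""
    return [s for s in reachable_states(interlocked) if drain_path(s)]
```

Under these assumptions the interlocked model reaches five lineups, none with a drain path; with the interlock removed all eight lineups are reachable and three of them are drain paths.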

The manual control circuitry for the recirculation loop valves is interlocked to prevent valve opening whenever an LPCI initiation signal is present.

The valves that allow the diversion of water for containment cooling are automatically closed upon receipt of an LPCI initiation signal. The manual controls for these valves are interlocked so that opening the valves by manual action is not possible unless primary containment (drywell) pressure is high, which indicates the need for containment cooling, and reactor vessel water level inside the core shroud is above the level equivalent to two-thirds the core height. Four switches are used to monitor drywell pressure for each loop set of valves. The signals are arranged in a one-out-of-two taken-twice logic so that at least two of the switches must register high to allow opening of the valves by manual action. The trip settings are selected to be as low as possible, yet provide indication of abnormally high drywell pressure.

A single level switch is used to monitor water level inside the core shroud for each loop set of valves. A keylock switch in the control room allows a manual override of the two-thirds core height permissive contact for the containment cooling valves.

Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess the LPCI operation. Valves (except for Units 2 and 3 RHR/LPCI System I and System II inboard isolation testable check valve, see Isolation Valves, Section 5.2.3.5) have indications of full-open and full-closed positions. Pumps have indications for pump running, pump stopped, and pump tripped. Alarm and indication devices are shown in Figures 7.4-6a sheets 1, 2, and 3, 7.4-6b sheets 1, 2, 3, 4, and 5.

7.4.3.5.5 LPCI Environmental Considerations

The only control components pertinent to LPCI operation, located inside the primary containment, that must remain functional in the environment resulting from a loss-of-coolant accident are the cables and valve closing mechanisms for the recirculation loop isolation valves. The cables and valve operators are selected with environmental capabilities that assure valve closure under the environmental conditions resulting from a design basis loss-of-coolant accident. Gamma and neutron radiation is also considered in the selection of this equipment. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate.

7.4.4 Safety Evaluation

In Sections 14.0, "Plant Safety Analysis," and 6.0, "Emergency Core Cooling Systems," the individual and combined capabilities of the standby cooling systems are evaluated. The control equipment characteristics and trip settings described in this subsection were considered in the analysis of the performance of the Emergency Core Cooling Systems. For the entire range of nuclear process system break sizes, the cooling systems are effective both in preventing excessive fuel clad temperatures and in preventing more than a small fraction of the reactor core from reaching the temperature at which a gross release of fission products can occur.

This conclusion is valid even with significant failures in individual cooling systems, because of the overlapping capabilities of the Emergency Core Cooling Systems.

The controls and instrumentation for the Emergency Core Cooling Systems satisfy the precision and timeliness requirements of safety design bases 1 and 2.

Safety design basis 3 requires that instrumentation for the Emergency Core Cooling Systems respond to the potential inadequacy of core cooling regardless of the location of a breach in the nuclear system process barrier. The reactor vessel low-water level initiating function, which alone can actuate HPCI, LPCI, and core spray, meets this safety design basis, because a breach in the nuclear system process barrier inside or outside the primary containment is sensed by the low-water-level detectors.

Because of the isolation responses of the Primary Containment Isolation System to a breach of the nuclear system outside the containment, the use of the reactor vessel low-water-level signal as the only standby cooling system initiating function that is completely independent of breach location is satisfactory. The other major initiating function, primary containment high pressure plus low reactor vessel pressure, is provided because the Primary Containment Isolation System may not be able to isolate all nuclear system breaches inside the primary containment. The primary containment high pressure plus low reactor vessel pressure initiating signal for the Emergency Core Cooling Systems provides a second reliable method for sensing losses of coolant that cannot necessarily be stopped by isolation valve action. This second initiating function is independent of the physical location of the breach within the drywell. Coincident failure of the Primary Containment Isolation System would be needed for nuclear system breaks outside the primary containment. Thus, safety design basis 3 is satisfied.

An evaluation of Emergency Core Cooling System controls shows that no operator action beyond the capacity of the operator is required to initiate the correct responses of the Emergency Core Cooling Systems.

The alarms and indications provided to the operator in the control room allow interpretation of any situation requiring Emergency Core Cooling System operations and verify the response of each system. Manual controls are illustrated on functional control diagrams. The control room operator can manually initiate every essential operation of the Emergency Core Cooling Systems.

Because the degree to which safety is dependent on operator judgment and response in time of stress has been appropriately limited by the design of Emergency Core Cooling System control equipment, safety design bases 4a, 4b, and 4c are satisfied.

The redundancy provided in the design of the control equipment for the Emergency Core Cooling Systems is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals, which come from common sensors, for the Emergency Core Cooling Systems is similar to that provided by the dual trip system arrangement of the Reactor Protection System. No failure of a single initiating sensor channel can prevent the start of the cooling systems. The number of control components provided in the design for individual cooling system components is consistent with the need for the controlled equipment. An evaluation of the control schemes for each Emergency Core Cooling System component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation, the redundancy of components and cooling systems was considered. The functional control diagrams provided with the descriptions of cooling systems controls were used in assessing the functional effects of instrumentation failures. In the course of the evaluation, protection devices which can interrupt the planned operation of cooling system components were investigated for the results of their normal protective action as well as mal-operation on core cooling effectiveness. The only protection devices that can act to interrupt planned Emergency Core Cooling System operation are those that must act to prevent complete failure of the component or system. Examples of such devices are the HPCI turbine overspeed trip, HPCI steam line break isolation trip, pump trips on low suction pressure, and automatically controlled minimum flow bypass valves for pumps. In every case, the action of a protective device cannot prevent other redundant cooling systems from providing adequate cooling to the core.

The location of controls where operation of Emergency Core Cooling Systems components can be adjusted or interrupted has been surveyed. Controls are located in areas under the surveillance of operations personnel. Control room override of local switches is provided (except when transferred to backup control).

Other controls are located in the control room and are under the supervision of the control room operator.

The environmental capabilities of instrumentation for the Emergency Core Cooling Systems are discussed in the descriptions of the individual systems. Components that are located inside the primary containment and which are essential to standby cooling system performance are designed to operate in the environment resulting from a loss of coolant accident. See Subsection 1.5.

It is concluded from the previous paragraphs and the description of control equipment that safety design basis 5 is satisfied. The testing capabilities of the Emergency Core Cooling Systems, which are discussed in the following paragraph, satisfy design basis 6.

7.4.5 Inspection and Testing

Components required for HPCI, LPCI, and core spray are designed to allow functional testing during normal power operation. The inboard isolation check valves can only be tested during cold shutdown (MODE 4 or 5). Overall testing of these systems is described in Section 6.0, "Emergency Core Cooling Systems."

During overall functional tests, the operability of the valves, pumps, turbines, and their control instrumentation can be checked. The ADS valves are subjected to tests during shutdown periods.

Logic circuitry used in the controls for the Emergency Core Cooling Systems can be individually checked by applying test or calibration signals to the sensors and observing trip system responses. Valve and pump operation from manual switches verifies the ability of breakers and valve-closing mechanisms to operate. The automatic control circuitry for the Emergency Core Cooling Systems is arranged to restore each of the cooling systems to normal operation if a loss-of-coolant accident occurs during a test operation, except for the RHR and core spray pump suction valves.

7.4.5.1 Periodic Testing Capability

Provisions are made for timely verification that each active or passive component in each of the engineered safeguard subsystems is capable of performing its intended function as an individual component and/or in conjunction with other components. In fulfillment of this general objective, tests are provided to verify that the following specific conditions exist.

1. Each instrument channel functions independently of all others.
2. Sensing devices respond to process variables and provide channel trips at correct values.
3. Paralleled circuit elements can independently perform their intended function.
4. Series circuit elements are free from shorts that can abrogate their function.
5. Redundant instrument or logic channels are free from interconnecting shorts that could violate independence in the event of a single malfunction.
6. No element of the system is omitted from the test if it can in any way impair operability of the system. If the test is done in parts, the parts must be overlapping to a sufficient degree to assure operability of the entire system.
7. Each monitoring alarm or indication function is operable.

Test-Method guidelines include the following:

1. Provisions are made for testing without requiring shutdown or unscheduled power change as a condition of the test. Tests do not impair functional capability of the safeguards system (i.e., redundant subsystems are not both tested at the same time).
2. Testing is accomplished without disturbing the existing wiring, where possible.

Pulling fuses is an acceptable practice. Second-party verification is used if wire lifting is necessary.

3. The use of clip leads is prohibited unless administrative controls are in place.

Attachment of meter leads is acceptable if the temporary connections to the circuit are conspicuous.

4. Test jacks permanently wired to existing circuitry are considered acceptable, provided the connection points are so chosen that no portion of the installed protective wiring is untestable and that external equipment connected to the test jack is a conspicuous departure from normal conditions.
5. Permanently wired test lights are provided such that the installation is not capable of producing an unsafe failure through any malfunction of the lamp.

6. It is not necessary to exercise more than one accident-sensing sensor at a time to accomplish a specific test. Redundant permissive sensors, such as reactor low pressure, may also be individually exercised as required to permit complete testing of a specific part of the system. Provisions are made for frequent, periodic testing of the entire system for complete operation, unless operationally unfeasible. Provisions are made to permit total system testing when plant operating conditions permit.
7. Indications of action are positive and easily identifiable, such as:
a. Annunciation without ambiguity,
b. Observation of the relay actuation,
c. Indicator lights,
d. Pump motor shaft turning,
e. Valve stem positions,
f. Pressure gauges, and
g. Flow indicators.
8. Application of test pressures to valved-out pressure sensors is an accepted method of exercising sensors. However, the installation allows such exercising without need of draining water-filled instruments and subsequent venting.
9. If any sensor is valved-out or otherwise removed from service during the test, if possible, positive indication is obtained that the sensor has been returned to service and will see changes in the process variable.
10. For Units 1 and 2, testing of Core Spray and LPCI System logic includes appropriate testing of the ECCS preferred pump logic and auto initiation inhibit to the other unit's Core Spray and LPCI. The inhibit is considered the contact in the auto initiating logic only (i.e., the permissive function of the inhibit). The test will consist of verifying continuity across the inhibit with a volt-ohmmeter.

BFN-24 TABLE 7.4-1 (Deleted by Amendment 16)

TABLE 7.4-2 AUTOMATIC DEPRESSURIZATION SYSTEM INSTRUMENTATION

| ADS Function | Instrument Type | Instrument No. | Trip Setting/Analytical Limit |
|---|---|---|---|
| Reactor vessel low water level | Level switch | LS-3-58A - D | 372.5 inches above vessel zero (AL) (Note 1) |
| Primary containment (drywell) high pressure | Pressure switch | PIS-64-57A - D | 2.6 psig (AL) |
| Automatic depressurization time delay | Timer | E-K34 & E-K35 | 120 seconds (AL) |
| LPCI pump discharge pressure | Pressure switch | PS-74-8A & B, 19A & B; PS-74-31A & B, 42A & B | 120 upper analytical limit; 80 lower analytical limit |
| Core spray pump discharge pressure | Pressure switch | PS-75-7, 16, 35, 44 | 205 upper analytical limit; 165 lower analytical limit |
| Acoustic Monitor | Accelerometer | XE-1-5, 19, 22, 30, 31, 34 | N/A |
| High drywell pressure bypass time delay for ADS logic | Timer | 2-1-58A2; 2-1-58B2; 2-1-58C2; 2-1-58D2 | 360 seconds (AL) |

Note 1: LIS-3-184 and -185 provide confirmatory low level signals.

TABLE 7.4-3 CORE SPRAY SYSTEM INSTRUMENTATION

| Core Spray Function | Instrument Type | Instrument No. | Trip Setting/Analytical Limit (AL) |
|---|---|---|---|
| Reactor vessel low water level | Level switch | LS-3-58A - D | 372.5 inches above vessel zero (AL) |
| Primary containment high pressure | Pressure switch | PIS-64-58A - D | 2.6 psig (AL) |
| Reactor vessel low pressure | Pressure switch | PIS-3-74A & B; PIS-68-95 & 96 | 335 psig (AL) |
| Core spray sparger differential pressure | Differential pressure switch | PDIS-75-28 & 56 | 2.0 psid |
| Pump discharge flow | Flow indicator | FI-75-21 & 49 | - |
| Pump suction pressure | Pressure | PI-75-4, 13, 32, 41 | - |
| Pump discharge pressure | Pressure | PI-75-20 & 48 | - |
| Pump discharge flow | Flow switch | FS-75-21 & 49 | 2584.8 gpm increasing; 2211.2 gpm decreasing |

TABLE 7.4-4 LOW PRESSURE COOLANT INJECTION INSTRUMENTATION

| LPCI Function | Instrument Type | Instrument Number | Trip Setting/Analytical Limit (AL) |
|---|---|---|---|
| Reactor vessel low water level (LPCI pump start signal) | Level switch | LS-3-58A - D | 372.5 inches above vessel zero (AL) |
| Primary containment (drywell) high pressure (LPCI initiation) | Pressure switch | PIS-64-58A - D | 2.6 psig (AL) |
| Reactor vessel low water level (inside shroud) prevents containment spray | Level switch | LIS-3-52 & 62-A | 293 inches above vessel zero (AL) |
| LPCI sequence delay (pump A) | Timer | | 0.2 seconds |
| LPCI sequence delay (pump B) | Timer | | 7 seconds |
| LPCI sequence delay (pump C) | Timer | | 14 seconds |
| LPCI sequence delay (pump D) | Timer | | 21 seconds |
| LPCI reactor vessel low pressure | Pressure switch | PIS-3-74A & B; PIS-68-95 & 96 | 335 psig (AL) |
| LPCI injection valve initiation signal cancellation | Timer | 10A - K45A & B | 5 minutes |
| Containment spray valve manual control interlock low drywell pressure | Pressure switch | PIS-64-58E, F, G, and H | 1 psig p 2.6 psig (AL) |
| LPCI pump low flow | Flow switch | FS-74-50 & 64 | 1000/8000 gpm (AL) |
| Reactor vessel pressure permissive | Pressure switch | PS-3-74A & B; PS-68-95 & 96 | 200 psig (AL) |

BFN-25

7.5 NEUTRON MONITORING SYSTEM

7.5.1 Safety Objective

The safety objective of the Neutron Monitoring System is to detect conditions in the core that threaten the overall integrity of the fuel barrier due to excessive power generation and to provide signals to the Reactor Protection System, so that the release of radioactive material from the fuel barrier is limited.

7.5.2 Power Generation Objective

The power generation objective of the Neutron Monitoring System is to provide information for the efficient, expedient operation and control of the reactor. Specific power generation objectives of the Neutron Monitoring System are to detect conditions that could lead to local fuel damage and to provide signals that can be used to prevent such damage, so that plant availability is not reduced.

7.5.3 Identification

The Neutron Monitoring System consists of six major subsystems as follows:

a. Source range monitor subsystem (SRMS),
b. Intermediate range monitor subsystem (IRMS),
c. Local power range monitor subsystem (LPRMS),
d. Average power range monitor subsystem (APRMS),
e. Rod block monitor subsystem (RBMS), and
f. Traversing in-core probe subsystem (TIPS).

7.5.4 Source Range Monitor Subsystem

7.5.4.1 Power Generation Design Basis

1. Neutron detectors shall be provided which result in a signal count-to-noise count ratio of no less than 3:1 and a count rate of no less than three counts per second with all control rods fully inserted.
2. The SRMS shall be designed to indicate a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 seconds during the worst possible startup rod withdrawal conditions.

3. The SRMS shall be designed to indicate substantial increases in output signals with the maximum permitted number of SRM channels out of service during normal reactor startup operations.
4. The SRMS shall be designed so that SRM channels are on scale when the IRMS first indicates neutron flux during a reactor startup.
5. The SRMS shall provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience.
6. The SRMS shall be capable of generating a trip signal to block control rod withdrawal if the count rate exceeds a preset value or if the SRMS is not operating properly. Coincident and non-coincident RPS trips will be provided as necessary for core alterations.

7.5.4.2 Description (Figures 7.5-1a, 1b, and 1c)

7.5.4.2.1 Identification

The SRMs provide neutron flux information during reactor startup and low-flux-level operations. There are four SRM channels, each of which includes one detector that can be physically positioned in the core from the control room. The detectors are normally inserted during reactor shutdowns to provide core monitoring. During reactor startup SRM detectors may be withdrawn after the neutron flux has sufficient indication on the IRMs.

7.5.4.2.2 Power Supply

The power for the monitors is supplied from the two separate 24-V DC buses, two monitors on one bus and two monitors on the other (see Subsection 8.8, "Auxiliary DC Power Supply and Distribution").

7.5.4.2.3 Physical Arrangement

Each detector assembly consists of a miniature fission chamber operated in the pulse counting mode and attached to a low-loss transmission cable (See Figure 7.5-2.). The sensitivity of the detector is 1.2 x 10^-3 cps/nv nominal, 5.0 x 10^-4 cps/nv minimum, and 2.5 x 10^-3 cps/nv maximum. The detector cable is connected underneath the reactor vessel to a triple-shielded coaxial cable. This shielded cable carries the pulses formed to a pulse current preamplifier located outside the primary containment.[1]

[1] Morgan, W. R., "In-core Neutron Monitoring System for GE Boiling Water Reactors," APED-5706, November 1968.

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote-controlled detector drive system can move the detector along the length of the dry tube, allowing vertical positioning of the chamber at any point from 15 to 18 inches above the reactor (fuel) centerline to approximately 2 1/2 feet below the reactor fuel region (Figure 7.5-3a). The detector can be stopped at any location between the limits of travel, but only the end points of travel are indicated. When a detector arrives at a travel end point, the detector motion is automatically stopped.

The electronics for the source range monitors, their trips, and their bypasses are located in one cabinet. Source range signal conditioning equipment is designed so that it may be used for open-core experiments.

7.5.4.2.4 Signal Conditioning

A current pulse preamplifier provides amplification and impedance matching to allow signal transmission to the signal conditioning electronics (Figure 7.5-4).

The signal conditioning equipment is designed to receive a series of input current pulses, to convert the current pulse series to analog DC currents corresponding to the logarithm of the count rate (LCR), to derive the period, to display the outputs on front panel meters, and to provide outputs for remote meters and recorders. The LCR meter displays the rate of the occurrence of the input current pulses, and the period meter displays the time in seconds for the count rate to change by a factor of 2.72 (e). In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits.

A high-voltage power supply supplies a polarizing potential for the fission counter detectors. The potential is introduced to the detector through a filter network to minimize noise coupling.

The pulses from the pulse preamplifier are of various heights. In general, the pulses produced by neutrons are larger than pulses due to gamma and noise. To count only neutrons, the pulse height discriminator (PHD) is set to reject the small pulses and to accept only the large pulses, the threshold being adjustable.

One output of the PHD has two stable states represented by full voltage and zero voltage. Each time an input pulse exceeds the threshold, the output of the PHD reverses state and holds that state until the next pulse causes another reversal. The PHD provides the pulse train input required by the log integrator. The PHD also has a scaler output, which produces an output pulse for every two input pulses crossing the threshold. The various signals are shown in the block diagram on Figure 7.5-4 outlined by circles. At (a), the current pulses are shown as four different amplitudes to illustrate the action of the discriminator. At (b), the absolute amplitudes are increased, but the relative amplitudes remain proportional. A dashed line representing the threshold level is indicated. At (c), there is an output pulse for every input pulse exceeding the threshold. This pulse is shaped to be compatible with the scaler input requirements. At (d), the PHD cuts off the second pulse because it did not attain the threshold level.

The log integrator is a network arranged to synthesize the response, which is a logarithmic function of the counting rate. The log integrator circuit is a composite of several frequency-sensitive networks with their frequency breakpoints appropriately distributed to synthesize the response. Each network has a time constant that is selected so that the overall response time of the instrument varies with the counting rate. Thus, at low counting rates, the time constant is large to provide an adequate smoothing effect on the reading. At high counting rates, the time constant is small to provide for a faster overall response time.

The output of the log integrator is a current output requiring amplification.

Operational amplifier No. 1 is used to convert the current output from the log integrator to the standard signal used to drive the meter, recorders, trip circuits, and the period amplifier. Operational amplifier No. 2 is a differentiator with a resistor feedback and a capacitor input. The gain of the amplifier is scaled to produce a full-scale period reading of +10 seconds.
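The SRM signal chain described above (discriminator, scaler, log count rate, period), as an added Python example; it is not code from this report or from the instrument vendor. The pulse heights, the 0.5 and 0.1 thresholds, the 5-second counting window and the fixed-interval noise train are constructed for illustration, and windowed counting stands in for the analog log integrator.

```python
import math

def phd(pulse_heights, threshold):
    """Pulse height discriminator: accept only pulses above the threshold.

    Returns (accepted, states, scaler_pulses): the number of accepted pulses,
    the bistable output after each input pulse, and the scaler output count
    (one output pulse for every two accepted input pulses).
    """
    state, accepted, scaler, states = 0, 0, 0, []
    for height in pulse_heights:
        if height > threshold:
            accepted += 1
            state ^= 1          # output reverses state and holds it
            if state == 0:      # every second reversal yields one scaler pulse
                scaler += 1
        states.append(state)
    return accepted, states, scaler

def neutron_pulse_times(r0, period, duration):
    """Constructed input: arrival times for a count rate r0 * exp(t / period).

    The cumulative count is N(t) = r0 * period * (exp(t / period) - 1);
    solving N(t) = k gives the arrival time of the k-th pulse.
    """
    times, k = [], 1
    while True:
        t = period * math.log(1.0 + k / (r0 * period))
        if t >= duration:
            return times
        times.append(t)
        k += 1

def log_count_rates(pulses, threshold, window, duration):
    """Log10 of the accepted count rate in consecutive counting windows."""
    lcr = []
    for i in range(int(duration / window)):
        lo, hi = i * window, (i + 1) * window
        heights = [h for t, h in pulses if lo <= t < hi]
        accepted, _, _ = phd(heights, threshold)
        if accepted == 0:
            raise ValueError("no accepted pulses in window; LCR undefined")
        lcr.append(math.log10(accepted / window))
    return lcr

def period_seconds(lcr_prev, lcr_now, dt):
    """Seconds for the count rate to change by a factor of e."""
    slope = math.log(10.0) * (lcr_now - lcr_prev) / dt   # d(ln rate)/dt
    return math.inf if slope == 0 else 1.0 / slope

def measure(threshold, r0=100.0, true_period=30.0, duration=20.0, window=5.0):
    """Run the chain on a constructed pulse train; return (lcr, periods)."""
    neutrons = [(t, 1.0) for t in neutron_pulse_times(r0, true_period, duration)]
    # Constructed gamma/noise pulses: small amplitude, fixed 13.7 ms spacing.
    noise = [(0.0137 * j, 0.2) for j in range(1, int(duration / 0.0137))]
    pulses = sorted(neutrons + noise)
    lcr = log_count_rates(pulses, threshold, window, duration)
    periods = [period_seconds(a, b, window) for a, b in zip(lcr, lcr[1:])]
    return lcr, periods

if __name__ == "__main__":
    # Four constructed pulses; the second stays below the threshold.
    print(phd([1.0, 0.3, 0.8, 0.6], threshold=0.5))
    for thr in (0.5, 0.1):
        lcr, periods = measure(thr)
        print(thr, [round(x, 3) for x in lcr], [round(p, 1) for p in periods])
```

With the threshold above the noise amplitude the derived period stays close to the 30 seconds built into the pulse train; with the threshold below it, the constant noise rate is counted as well and the indicated period reads longer than the true one.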

Calibration features are included to enable the accuracy of all measuring circuits to be verified and the trip level of the trip circuits to be set and checked. A signal generator provides two discrete frequencies for use in verifying the calibration of the log integrator and provides an operational check on the PHD.

7.5.4.2.5 Trip Functions

The trip outputs of the SRMS are all designed to operate in the fail-safe mode; the loss of power to the trip auxiliaries causes the associated trips to function.

The SRMS provides SRM upscale, downscale, detector improper position, and inoperative signals to the reactor manual control system to block rod withdrawal under certain conditions. Any one SRM channel can initiate a rod block. These rod blocking functions are discussed in Subsection 7.7, "Reactor Manual Control System." Appropriate lights and annunciators are actuated to indicate the existence of these same conditions (Table 7.5-1). Any one of the four SRM channels can be bypassed by the operation of a switch on the operator's console.

By removing the shorting links from the RPS circuitry, an interface is created with the SRMs such that SRM trips will result in a reactor scram. The links can be removed in combinations so as to provide one out of two taken twice logic or so that any SRM upscale Hi Hi will cause a scram. This feature may be used during the performance of core alterations. During core loading, an operable SRM or fuel loading chamber is required to be in the core quadrant where fuel is being loaded and at least one in an adjacent quadrant.

7.5.4.3 Power Generation Evaluation

Examination of the sensitivity of the SRM detectors (paragraph 7.5.4.2.3) and their operating ranges of 10^6 cps indicates that the IRMS is on scale before the SRM reaches full-scale (see Figure 7.5-25). Further overlap is provided by retraction of the SRM chambers to any position between full-in and full-out. SRM detector retraction is possible without the occurrence of a rod block only if the indicated SRM count rate remains above the rod block trip level (10^2 cps), or if the IRM has been ranged to the third or any less sensitive (higher) IRM range.

7.5.4.4 Inspection and Testing

Each SRM channel is tested and calibrated using procedures developed from the SRM instruction manual. Inspection and testing are performed as required on the SRM detector drive mechanism; the mechanism can be checked for full-insertion and retraction capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.

7.5.5 Intermediate Range Monitor Subsystem

7.5.5.1 Safety Design Basis

1. The IRMS shall be capable of generating a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range.
2. The independence and redundancy incorporated in the design of the IRMS shall be consistent with the safety design basis of the Reactor Protection System.
3. The design bases function for neutron monitoring in the STARTUP mode is the APRM Neutron Flux-High, Setdown function.

7.5.5.2 Power Generation Design Basis

1. The IRMS shall be capable of generating a trip signal to block rod withdrawal if the IRMS reading exceeds a preset value or if the IRMS is not operating properly.
2. The IRMS shall be designed so that overlapping neutron flux indications exist with the SRMS and power range monitoring subsystems.

7.5.5.3 Description (Figures 7.5-1a, 1b, and 1c)

7.5.5.3.1 Identification

The IRMS monitors neutron flux from the upper portion of the SRM range to the lower portion of the power range monitoring subsystems. The IRM subsystem has 8 IRM channels, each of which includes one detector that can be physically positioned in the core by remote control. The detectors are inserted into the core for a reactor startup (MODE 2) and are withdrawn after the reactor mode selector switch is turned to RUN (MODE 1). They are normally inserted any time the reactor is not at power.

7.5.5.3.2 Power Supply

Power is supplied separately from two 24-V DC sources (see Subsection 8.8, "Auxiliary DC Power Supply and Distribution"). The supplies are split according to their use so that loss of a power supply will result in loss of only one trip system of the Reactor Protection System. Conduits and physical separation isolate the power buses external to the IRM cabinet.

7.5.5.3.3 Physical Arrangement

Each detector assembly consists of a miniature fission chamber attached to a low-loss transmission cable. When coupled to the signal conditioning equipment, the detector produces approximately a 30 percent reading on the most sensitive range with a neutron flux of 10^8 nv. The detector cable is connected underneath the reactor vessel to a triple-shielded cable, which carries the pulses generated in the fission chamber through the primary containment to the preamplifier. The detector and cable, which are located in the drywell, are movable in the same manner as the SRM detectors and use the same type of mechanical arrangement.

7.5.5.3.4 Signal Conditioning

A voltage preamplifier unit located outside the primary containment serves as a preamplifier. This unit is designed to accept superimposed current pulses from the fission chamber, remove the DC component, convert the current pulses to voltage pulses, amplify the voltage pulses, establish the bandpass characteristics for the system, and provide a low impedance output suitable for driving a terminated cable.

The gain of the low range of the preamplifier is fixed, but the gain of the high range is variable over a limited range to permit tracking between low and high ranges. The preamplifier output signal is coupled by a cable to the IRM signal conditioning electronics (Figure 7.5-7).

The signal conditioning equipment for each IRM channel contains an input signal attenuator, additional stages of amplification, an inverter, a mean-square analog unit, a calibration and diode logic unit, a range switch, power supplies, trip circuits, and integral test and calibration circuits. Each IRM channel receives its input signal from the preamplifier and operates upon it with various combinations of preamplification gain and amplifier attenuation ratios. The amplification and attenuation ratios of the IRM and preamplifier are selected by a remote range switch which provides ten ranges of increasing attenuation (the first six called low range and the last four called high range) acting upon the signal from the fission chamber.

As the neutron flux of the reactor core increases from 1 x 10^8 nv to 1.5 x 10^13 nv, the signal from the fission chamber becomes larger. The signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range.

The output current is proportional to the power contained in the pulses received from the fission chamber. This output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter. The meter has two linear scales on a single meter face. The appropriate range being used is indicated by the range switch position. Outputs are also provided for a remote meter and recorder. There is in the amplifier a potentiometer with a gain effect of 1 to 1.85, which provides an adjustment greater than one range position (approximately a factor of 3 in flux) in the output signal. The calibration and diode logic unit includes a circuit to develop a triangular wave shape signal of adjustable amplitude to provide a means of full scale calibration of the power meter. Calibration settings of 40 percent and 125 percent on a 125 percent scale are possible.

The high-voltage supply associated with IRM supplies the polarizing potential for the fission chamber detector through a filter network to minimize noise coupling.

7.5.5.3.5 Trip Functions

The IRMS is divided into two groups of IRM channels arranged in the core as shown in Figure 7.5-8. Each group of IRM channels is associated with one of the two trip systems of the Reactor Protection System. Four IRM channels and their trip auxiliaries (two from each RPS group) are installed in one bay of a cabinet; the other four channels and their trip auxiliaries are installed on another bay of the cabinet.

Full-length side covers on the cabinet bays isolate the IRM groups. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring.

Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates whenever the high voltage drops below a preset level or whenever one of the modules is not plugged in. It also operates when the Operate-Calibrate switch is not in the "operate" position and the Operate-Calibrate bypass switch is not depressed. Depressing the Operate-Calibrate bypass switch will allow the inop trip function to be bypassed in order to perform functional tests of the downscale and upscale level trips. Each of the other trip circuits can be chosen to operate whenever preset downscale or upscale levels are reached. A simplified IRM circuit arrangement is shown in Figure 7.5-26.

The trip functions actuated by the IRM trips are indicated in Table 7.5-2. The reactor mode switch determines whether IRM trips are effective in initiating a rod block and a reactor scram.

Subsection 7.7, "Reactor Manual Control System," describes the IRM rod block trips. With the reactor mode switch in "REFUEL" or "STARTUP," an IRM upscale or inoperative trip signal actuates a Neutron Monitoring System trip of the associated channel of the Reactor Protection System. Only one IRM channel must trip to initiate a Neutron Monitoring System trip of the associated trip system of the Reactor Protection System (See Figure 7.2-8). If an IRM from each channel causes a channel trip, a full reactor trip follows.

7.5.5.4 Safety Evaluation

The safety evaluation in Subsection 7.2, "Reactor Protection System," evaluates the arrangement of redundant input signals to the Reactor Protection System. The Neutron Monitoring System trip input to the Reactor Protection System and the trip channels used in actuating a Neutron Monitoring System trip are of equivalent independence and redundancy to other Reactor Protection System inputs.

The number and locations of the IRM detectors have been analytically and experimentally determined to provide sufficient intermediate range flux level information under the worst permitted bypass and detector-failure conditions. For verification of this, a range of rod withdrawal accidents has been analyzed. The most severe case assumes that the reactor is just subcritical with one-fourth of the control rods, plus one more rod, removed in the normal operating sequence. This configuration is shown in Figure 7.5-9. The error or malfunction is the removal of the control rod adjacent to the last rod withdrawn. The location of this rod has been chosen to maximize the distance to the second nearest detector for each Reactor Protection System trip system. It is assumed that the nearest detector in each Reactor Protection System trip system is bypassed. A scram signal is initiated when one IRM detector in each Reactor Protection System trip system reaches its scram trip level. The neutron flux versus distance resulting from this withdrawal is shown in Figure 7.5-10. Note that the second nearest detector in trip system B is farther away than the second nearest detector in trip system A. The ratio of the neutron flux, at this point, to the peak flux is 1/4100. This detector reaches its high scram trip setting of 120/125 full-scale at a local flux approximately 3.3 x 10^8 nv. At that time, the peak flux in the core is 1.35 x 10^12 nv or 2.7 percent rated average flux. The core average power is 0.07 percent when scram occurs. For this scram point to be valid, the IRM must be on the correct range. To assure that each IRM is on the correct range, a rod block trip is initiated any time the IRM is both downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core and the reactor mode switch is not in the "RUN" position. The IRM scram trips are automatically bypassed when the reactor mode switch is in the "RUN" position and the APRMs are on scale. The IRM rod block trips are automatically bypassed when the reactor mode switch is in the "RUN" position.

The IRM detectors and electronics have been tested under operating conditions and verified to have the operational characteristics given in the description and, as such, provide the level of precision and reliability required by the Reactor Protection System safety design basis.
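The IRM trip and bypass rules stated in 7.5.5.3.5 and 7.5.5.4, as an added Python example; it is not plant logic or code from this report. The channel labels, the default readings and the treatment of a bypassed channel as removed from both the scram and rod-block evaluation are assumptions, the downscale setpoint is not given in this section and is modelled as a flag, and only the two rod-block conditions named in 7.5.5.4 are included.

```python
from dataclasses import dataclass

SCRAM_TRIP = 120.0  # high scram setting on the 125 scale (7.5.5.4)

@dataclass
class IRMChannel:
    name: str                     # constructed label, e.g. "A2"
    trip_system: str              # RPS trip system "A" or "B"
    reading: float = 10.0         # indication on the 0-125 scale
    range_pos: int = 1            # 1 = most sensitive ... 10 = least sensitive
    downscale: bool = False       # state of the downscale trip circuit
    inoperative: bool = False     # state of the instrument trouble trip
    fully_inserted: bool = True
    bypassed: bool = False        # assumption: removes the channel from all logic

def instrument_trouble(hv_ok, modules_plugged, in_operate, cal_bypass_pressed):
    """Instrument trouble (inop) trip conditions from 7.5.5.3.5."""
    return (not hv_ok or not modules_plugged
            or (not in_operate and not cal_bypass_pressed))

def evaluate(channels, mode, aprm_on_scale=False):
    """Return trip-system, scram and rod-block status for one snapshot."""
    if mode not in ("REFUEL", "STARTUP", "RUN"):
        raise ValueError("mode not covered by the text: %r" % mode)
    for ts in ("A", "B"):
        # Only one IRM channel per group may be bypassed.
        if sum(c.bypassed for c in channels if c.trip_system == ts) > 1:
            raise ValueError("more than one IRM bypassed in trip system " + ts)
    in_service = [c for c in channels if not c.bypassed]

    # Scram trips are automatically bypassed in RUN with the APRMs on scale;
    # RUN with the APRMs off scale is treated here as not bypassed.
    scram_trips_active = not (mode == "RUN" and aprm_on_scale)
    tripped = {"A": False, "B": False}
    if scram_trips_active:
        for c in in_service:
            if c.inoperative or c.reading >= SCRAM_TRIP:
                tripped[c.trip_system] = True   # one channel is enough

    # Rod blocks named in 7.5.5.4; automatically bypassed in RUN.
    rod_block = mode != "RUN" and any(
        (c.downscale and c.range_pos != 1) or not c.fully_inserted
        for c in in_service)

    return {"trip_system": tripped,
            "scram": tripped["A"] and tripped["B"],   # both trip systems
            "rod_block": rod_block}

def make_channels():
    """Eight constructed channels, four per trip system."""
    return [IRMChannel(f"{ts}{n}", ts) for ts in "AB" for n in range(1, 5)]

if __name__ == "__main__":
    # Worst case from 7.5.5.4: nearest detector in each trip system bypassed.
    chans = make_channels()
    chans[0].bypassed = chans[4].bypassed = True
    chans[1].reading = 120.0                      # second nearest in A trips
    print(evaluate(chans, "STARTUP"))             # trip system A only
    chans[5].reading = 120.0                      # second nearest in B trips
    print(evaluate(chans, "STARTUP"))             # full scram
```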

7.5.5.5 Power Generation Evaluation

The intermediate range monitor subsystem is the primary source of information on the approach of the reactor to the power range. Its linear, approximately half-decade steps, with the rod blocking features on both high-flux level and low-flux level, require that the operator keep all the IRMs on the correct range to increase core reactivity by rod motion. The SRM overlaps the IRM as shown in Figure 7.5-25. The sensitivity of the IRM is such that the IRMS is on scale on the least sensitive (highest) range with the reactor power about 15 percent.

7.5.5.6 Inspection and Testing

Each IRM channel is tested and calibrated using procedures developed from the IRM instruction manual. The IRM detector drive-mechanisms and the IRM rod blocking functions are checked in the same manner as for the SRM channels. Each of the various IRM channels can be checked to ensure that the IRM high-flux scram function is operable.

7.5.6 Local Power Range Monitoring Subsystem

7.5.6.1 Power Generation Design Basis

1. The LPRMS shall provide signals proportional to the local neutron flux at various locations within the reactor core to the average power range monitor subsystem (APRMS), so that accurate measurements of average reactor power can be made.
2. The LPRMS shall supply signals to the rod block monitor subsystem, so that measurement of changes in local relative neutron flux can be made during the movement of control rods.
3. The LPRMS shall be capable of alarming under conditions of high or low local neutron flux indication.

4. The LPRMS shall supply signals proportional to the local neutron flux to the process computer to be used in power distribution calculations, rod power density calculations, minimum critical power calculations, and fuel burnup calculations.
5. The LPRMS shall supply signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of the power distribution, rod power density, minimum critical power, and fuel burnup.

7.5.6.2 Description (Figures 7.5-11a, 11b, and 11c)

7.5.6.2.1 Identification

The LPRMS consists of the fission chamber detectors, the signal conditioning equipment, and trip functions. The LPRM signals are also used in the APRMS, RBMS, and process computer.

7.5.6.2.2 Power Supply

Detector polarizing voltage for the LPRMs is supplied by redundant pairs of DC power supplies. Each DC power supply pair powers approximately one-eighth of the LPRMs. Power for the DC power supplies comes redundantly from the two 120 VAC Reactor Protection System buses via intermediate DC power supplies. These intermediate DC supplies also provide power for the LPRM amplifiers.

The power supplies can supply up to 3 milliamps for each LPRM detector, which ensures that the chambers can be operated in the saturated region at the maximum specified neutron fluxes. The voltage applied to the detectors varies no more than 2 VDC over the maximum variation of electrical input and environmental parameters.

7.5.6.2.3 Physical Arrangement

The LPRMS includes LPRM detectors located throughout the core at different axial heights. Figure 7.5-12 illustrates the LPRM detector radial layout scheme, which provides a detector assembly at every fourth intersection of the narrower of the water channels around the fuel bundles (narrow-narrow water gap). Thus, every narrow-narrow water gap has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant.

The 43 LPRM detector assemblies, each containing four fission chambers, are distributed to monitor four horizontal planes throughout the core. The detector assemblies (Figure 7.5-13) are inserted into the core in spaces between the fuel assemblies through thimbles that are mounted permanently at the bottom of the core lattice and which penetrate the bottom of the reactor vessel. These thimbles are welded to the reactor vessel at the penetration point. They extend down into the access area below the reactor vessel where they terminate in a flange, which mates to the mounting flange on the incore detector assembly. The detector assemblies are locked at the top end to the top fuel guide by means of a spring-loaded plunger.

This type of assembly is referred to as top entry-bottom connect, since the assembly is inserted through the top of the core and penetrates the bottom of the reactor vessel. Special water sealing caps are placed over the connection end of the assembly during installation and over the penetration at the bottom of the vessel during installation or removal of an assembly. This prevents the loss of reactor coolant water upon removal of an assembly and also prevents the connection end of the assembly from being immersed in the water during installation.

Each LPRM detector assembly contains four miniature fission chambers with an associated solid sheath cable. Each fission chamber produces a current which, when coupled with the LPRM signal conditioning equipment, provides the desired scale deflection throughout the design lifetime of the chamber. Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. Each assembly also contains a calibration tube for a traversing incore probe (TIP). The enclosing tube around the entire assembly contains holes to allow circulation of the reactor coolant water to cool the fission chambers. Numerous tests have been performed on the chamber assemblies, including tests of linearity, lifetime, gamma sensitivity, and cable effects. These tests and experience in operating reactors provide confidence in the ability of the LPRM subsystem to monitor neutron flux to the design accuracy throughout the design lifetime.

The four miniature fission chambers used on each assembly are designed to operate up to a temperature of 599°F and a pressure of 1250 psig. The chambers are vertically spaced in the LPRM detector assemblies in such a manner as to give adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies. Each miniature chamber consists of two concentric cylinders, which act as electrodes. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated electrode. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated. Output current is then independent of operating voltage and has a linearity of 1 percent (1 percent) over the design operating range.

7.5.6.2.4 Signal Conditioning

The current signals from the LPRM detectors are transmitted to the LPRM amplifiers in the control room. The amplifiers are arranged on "LPRM Input Modules" mounted inside the APRM chassis assembly. The current signal from a chamber is transmitted to its amplifier through coaxial cable. The amplifier is a linear current amplifier whose voltage output is proportional to the current input and, therefore, is proportional to the magnitude of the neutron flux. Additional low-level output signals are provided which are suitable as an input to the computer, recorders, etc. The outputs of each LPRM amplifier are isolated to prevent interference of the signal by inadvertent grounding or application of a stray voltage at the signal terminal point.

The amplifier output is "read" by digital processing electronics. The digital electronics applies hardware gain corrections, performs filtering, and applies the LPRM gain factors. The digital electronics provides output signals suitable for the computer, recorders and annunciators. The LPRM amplifiers also isolate the detector signals from the rest of the processing so that individual faults in one LPRM signal path will not affect other LPRM signals.

The LPRM amplifier signals can be read by the operator on the reactor console.

When a central control rod is selected for movement, the output signals from the amplifiers associated with the nearest sixteen LPRM detectors are displayed by selecting summary LPRM displays on digital operator displays. Subsection 7.7, "Reactor Manual Control System," describes in greater detail the indications on the reactor console.

7.5.6.2.5 Trip Functions

The trip circuits for the LPRMs provide trip signals to activate digital displays indicating either upscale or downscale conditions. The outputs of the LPRM trip functions are designed to go to the "tripped" state on loss of power to the processing electronics. Table 7.5-3 indicates the trips.

The trip levels can be adjusted to within 0.5 percent of 0-to-125 percent range and are accurate to 1 percent of 0-to-125 percent range in the normal operating environment.

7.5.6.3 Power Generation Evaluation

The local power range monitor subsystem, as calibrated by the traversing incore probe subsystem, provides detailed information about the neutron flux throughout the reactor core. The total of 43 LPRM assemblies, and their distribution, is determined by extensive calculational and experimental procedures. The division of the LPRMS into various groups for DC power supply allows operation with one DC power supply failed, or being serviced, without limiting reactor operation.

Individual failed chambers can be bypassed, and neutron flux information for the failed chamber location can be interpolated from nearby chambers. The core power monitoring software automatically accounts for a bypassed chamber. A substitute reading for a failed chamber can be derived from an octant-symmetric chamber, or an actual flux indication can be obtained by insertion of a TIP to the failed chamber position; this value can be manually input into the core power monitoring software.

The LPRM outputs provide for the functions required in the LPRM power generation design basis. Each output is electrically isolated so that an event (grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of the LPRM signal. Tests and experience demonstrate the ability of the detector to respond proportionally to the local neutron-flux changes.

7.5.6.4 Inspection and Testing

LPRM channels are calibrated using data from previous full power runs and TIP data and are tested by procedures in the applicable instruction manual.

7.5.7 Average Power Range Monitor Subsystem

7.5.7.1 Safety Design Basis

1. The design of the APRMS shall be such that for the worst permitted input LPRM bypass conditions, the APRMS shall be capable of generating a scram trip signal in response to average neutron-flux increases resulting from abnormal operational transients in time to prevent fuel damage.
2. The design of the APRMS shall be consistent with the requirements of the safety design basis of the Reactor Protection System.

7.5.7.2 Power Generation Design Basis

1. The APRMS shall provide a continuous indication of average reactor power from a few percent to 125 percent of rated reactor power.
2. The APRMS shall be capable of providing trip signals for blocking rod withdrawal when the average reactor power exceeds pre-established limits set to prevent scram actuation.
3. The APRMS shall provide a reference power level for use in the rod block monitor subsystem.

7.5.7.3 Description

7.5.7.3.1 Identification

The APRMS has four APRM channels, each of which uses input signals from a number of LPRM channels. Each of the four APRM channels provides inputs to four two-out-of-four Trip Voter channels. Two of the voter channels are associated with one automatic trip system of the Reactor Protection System (RPS); the other two voter channels are associated with the other automatic trip system of the RPS.

Because all four APRM channels provide inputs to each of the four voter channels, all four APRM channels are associated with both trip systems of the RPS.

7.5.7.3.2 Power Supply

The APRM channels receive power from the 120-V AC supplies used for the Reactor Protection System power (see Subsection 7.2).

Power for each APRM instrument channel is supplied redundantly by both 120 VAC RPS power buses. However, power for each 2-out-of-4 Trip Voter channel is supplied only by the 120 VAC bus which provides power to the voter's associated RPS trip system.

7.5.7.3.3 Signal Conditioning

The APRMS uses digital electronic equipment which averages the output signals from a selected set of LPRMs, generates trip outputs via the 2-out-of-4 voter channels (see Section 7.5.7.3.4), and provides signals to readout equipment. Each APRM channel can average the output signals from up to 43 LPRM channels.

Assignment of LPRM channels to an APRM is shown in Figure 7.5-14c. The letters at the detector locations in Figure 7.5-14c refer to the axial positions of the detectors in the LPRM detector assembly. Position A is the bottom position, positions B and C are above position A, and position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions throughout the core. Some LPRM detectors may be bypassed, but the averaging logic automatically corrects for these by removing them from the average. The APRM value calculated from the LPRM inputs is adjusted by a digitally entered factor to allow calibration of the APRM to core thermal power based on heat balance.

Each APRM channel calculates a flow signal, representative of total core flow, which is used to determine the APRM's flow-biased rod block and scram setpoints. Each signal is determined by summing and processing flow signals from the two recirculation loops. These signals are sensed from two flow elements, one in each recirculation loop. The differential pressure from each flow element is routed to four differential pressure transmitters (eight total). Signals from a pair of differential pressure transmitters, one from each flow element, are routed to the input of an associated APRM chassis for processing. Each pair of differential pressure transmitters is associated with only one of the four APRM instrument channels.

During transients, the instantaneous fuel surface heat flux is less than the instantaneous neutron flux by an amount depending upon the duration of the transient and the fuel time constant. For this reason, the flow-biased scram APRM flux signal is passed through a filtering network (Thermal Power Monitor) with a time constant which is representative of the fuel time constant. As a result of this filtering, APRM flow-biased scrams will only occur if the neutron flux signal is in excess of the setpoint and of sufficient time duration to overcome the fuel time constant and result in an average fuel surface heat flux which is equivalent to the neutron flux trip setpoint. This setpoint is variable up to 120 percent of rated power based on recirculation drive flow.

7.5.7.3.4 Trip Function

The digital electronics for the APRMs provides trip signals directly to the Reactor Manual Control System and via the APRM 2-out-of-4 Trip Voter channels to the Reactor Protection System (RPS). Any two unbypassed APRM channels, via the APRM 2-out-of-4 voter channels, can initiate an RPS trip in both RPS trip systems.

Any one unbypassed APRM can initiate a rod block, depending upon the position of the reactor mode switch. Table 7.5-4a lists the APRM trip functions.

Subsection 7.7, "Reactor Manual Control System," describes in more detail the APRM rod block functions.

The APRM simulated thermal power upscale rod block and scram trip setpoints are varied as a function of reactor recirculation flow. The slope of the upscale rod block and scram trip response curves is set to track the required trip setpoint with recirculation flow changes.

At least two unbypassed APRM channels must be in the upscale or inoperative trip state to cause an RPS trip output from the APRM 2-out-of-4 voter channels. In that condition, all four voter channels will provide an RPS trip output, two to each RPS trip system. If only one unbypassed APRM channel is providing a trip output, each of the four APRM 2-out-of-4 voter channels will have a half trip, but no trip signals will be sent to the RPS. The trips from one APRM can be bypassed by operator action in the control room. Trip outputs to the RPS are transmitted by removing voltage to a relay coil, so loss of power results in actuating the RPS trips.

In the startup mode (MODE 2) of operation, the APRM "fixed" upscale trip setpoint is set down to a low level. This trip function is provided in addition to the existing IRM upscale trip in the startup mode (MODE 2). The trip settings/analytical limits are listed in Table 7.5-4a.

The trip functions are performed by digital comparisons of APRM electronics. The APRM flux value is developed by averaging the LPRM signals and then adjusting the average, using gain adjustment factors from heat balance calculations, to be the APRM power. The APRM power is processed through a first order filter with a six second time constant to calculate simulated thermal power. These calculations are all performed by the digital processor and result in a digital representation of APRM and simulated thermal power. For each RPS trip and rod block alarm, the APRM power or simulated thermal power, as applicable (see Table 7.5-4b), is digitally compared to the setpoint (which was previously entered and stored). If the power value exceeds the setpoint, the applicable trip is issued.
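The processing chain described in 7.5.7.3.3 and 7.5.7.3.4 (average the unbypassed LPRMs, apply the heat-balance gain, filter with a six second first-order lag, compare to the setpoint) can be sketched as follows. This is an added illustration, not code from the report or the plant equipment; the class and function names, the detector readings, and the slope and offset of the flow-biased setpoint are constructed, and only the six second time constant and the 120 percent ceiling come from the text.

```python
import math
from dataclasses import dataclass

TAU_S = 6.0  # first-order filter time constant stated in 7.5.7.3.4


@dataclass
class Lprm:
    level: str            # axial position, "A" (bottom) through "D" (top)
    reading: float        # constructed sample value, percent
    bypassed: bool = False


def lprm_average(lprms):
    """Average the unbypassed detectors only. A bypassed detector is removed
    from both the sum and the count; it is never averaged in as zero."""
    active = [d.reading for d in lprms if not d.bypassed]
    if not active:
        raise ValueError("no unbypassed LPRM inputs")
    return sum(active) / len(active)


def calibrate_gain(lprms, heat_balance_pct):
    """Gain adjustment factor that makes the APRM equal heat-balance power."""
    return heat_balance_pct / lprm_average(lprms)


def aprm_power(lprms, gain):
    """APRM power: gain-adjusted LPRM average."""
    return gain * lprm_average(lprms)


class SimulatedThermalPower:
    """First-order lag, tau * dy/dt + y = x, discretized exactly for an
    input held constant over each sample interval."""

    def __init__(self, initial_pct, tau_s=TAU_S):
        self.value = initial_pct
        self.tau_s = tau_s

    def update(self, aprm_pct, dt_s):
        alpha = 1.0 - math.exp(-dt_s / self.tau_s)
        self.value += alpha * (aprm_pct - self.value)
        return self.value


def flow_biased_setpoint(flow_pct, slope=0.5, offset=70.0, ceiling=120.0):
    """Hypothetical linear setpoint. slope and offset are constructed;
    only the 120 percent ceiling is taken from the text."""
    return min(slope * flow_pct + offset, ceiling)


def first_trip_time(flux_profile, dt_s, flow_pct, initial_pct=100.0):
    """Time in seconds of the first simulated-thermal-power trip, or None."""
    stp = SimulatedThermalPower(initial_pct)
    setpoint = flow_biased_setpoint(flow_pct)
    for step, flux in enumerate(flux_profile, start=1):
        if stp.update(flux, dt_s) > setpoint:
            return step * dt_s
    return None


def spike(duration_s, dt_s=0.05, total_s=20.0, base=100.0, peak=130.0):
    """Constructed flux profile: a step from base to peak for duration_s."""
    n = round(total_s / dt_s)
    return [peak if i * dt_s < duration_s else base for i in range(n)]


if __name__ == "__main__":
    detectors = [Lprm("A", 40.0), Lprm("B", 50.0), Lprm("C", 60.0),
                 Lprm("D", 0.0, bypassed=True)]  # failed chamber, bypassed
    gain = calibrate_gain(detectors, heat_balance_pct=100.0)
    print("APRM power:", aprm_power(detectors, gain))
    print("1 s spike trips at:", first_trip_time(spike(1.0), 0.05, 100.0))
    print("sustained step trips at:", first_trip_time(spike(20.0), 0.05, 100.0))
```

With these constructed numbers, a one second excursion to 130 percent never moves simulated thermal power past the setpoint, while a sustained excursion trips after roughly one time constant.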

7.5.7.3.5 Oscillation Power Range Monitor

The Oscillation Power Range Monitor Subsystem (OPRMS) is a firmware-based function that utilizes APRMS equipment. The OPRMS is designed to detect reactor core thermal hydraulic instability and to provide control room indication, alarms, and trips associated with a potential reactor power instability event.

The OPRMS uses period-based, amplitude-based, and growth rate-based algorithms to detect core power oscillations. Only the period-based algorithm (PBA) is credited with providing an oscillation suppression trip before the fuel MCPR safety limit is violated. The amplitude-based (ABA) and growth rate-based (GRBA) algorithms are categorized as defense-in-depth features.

The OPRMS consists of four independent OPRM channels. Each OPRM channel consists of multiple OPRM cells. Each OPRM cell consists of three or four LPRM inputs, which are summed together and divided by the total number of active LPRM inputs to the OPRM cell. Each OPRM channel provides an oscillation suppression trip signal when one or more of the instability algorithms (PBA, ABA, or GRBA) for an operable OPRM cell has detected an instability condition. Each OPRM channel also provides an oscillation alarm and control rod block when the PBA/CDA logic alarm settings are confirmed by at least one and not more than two OPRM cells (based on setting) or upon entry into a predefined Exit Region on the power/flow map. The purpose of the alarm is to alert the operator of an instability or near-instability in time to allow mitigating actions to be taken.

When the reactor is operating in regions of the power/flow map where it has been determined that unstable power oscillations cannot occur, the OPRMS trip outputs are automatically bypassed. Each OPRM channel provides an input to the OPRM trip enable alarm that indicates when the reactor has entered the operating region where instability can occur and the oscillation trip output is no longer bypassed. The operating region where instability can occur is defined as below a predetermined value of total core flow and above a predetermined value of reactor power.

The OPRM and APRM scram trip signals are processed through 2-out-of-4 trip voters in each channel which provide RPS trip input signals. The OPRM scram trip signals are voted separately from the APRM scram trip signals so that a trip in one OPRM channel and a trip in one APRM channel will not cause an RPS scram.

If the OPRMS should become inoperable, pre-planned manual actions may be implemented to monitor and scram the reactor as required until the OPRMS is returned to service.
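The 2-out-of-4 voting described in 7.5.7.3.4 and the separate voting of OPRM and APRM trips described in 7.5.7.3.5 can be modelled as below, including the de-energize-to-trip behaviour on loss of a voter's RPS bus. This is an added sketch, not the plant's logic or code; the voter labels are constructed, and treating a channel bypass as removing both the APRM and the OPRM vote of that channel is an assumption of the sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    aprm_trip: bool = False   # APRM upscale or inoperative trip state
    oprm_trip: bool = False   # OPRM oscillation suppression trip
    bypassed: bool = False    # operator bypass (at most one channel)


# Four voter channels, two per RPS trip system. Labels are constructed.
VOTERS = {"A1": "A", "A2": "A", "B1": "B", "B2": "B"}


def count_votes(channels):
    """Return (APRM votes, OPRM votes) from the unbypassed channels."""
    if len(channels) != 4:
        raise ValueError("exactly four APRM/OPRM channels are expected")
    if sum(c.bypassed for c in channels) > 1:
        raise ValueError("only one channel may be bypassed")
    live = [c for c in channels if not c.bypassed]
    return sum(c.aprm_trip for c in live), sum(c.oprm_trip for c in live)


def function_state(votes):
    """State of one voted function inside a voter."""
    if votes >= 2:
        return "trip"
    return "half trip" if votes == 1 else "normal"


def voter_states(channels):
    """APRM and OPRM are voted separately: one vote of each kind is two
    half trips, never a full trip."""
    aprm, oprm = count_votes(channels)
    return {"aprm": function_state(aprm), "oprm": function_state(oprm)}


def relay_energized(voter, channels, bus_powered):
    """True means the output relay coil is energized (no trip). The voter
    is powered only by the bus of its own RPS trip system, so losing that
    bus drops the coil and produces the trip."""
    if not bus_powered[VOTERS[voter]]:
        return False
    return "trip" not in voter_states(channels).values()


def rps_trip_outputs(channels, bus_powered=None):
    """Map each voter to True if it is sending a trip to its trip system."""
    if bus_powered is None:
        bus_powered = {"A": True, "B": True}
    return {v: not relay_energized(v, channels, bus_powered) for v in VOTERS}


if __name__ == "__main__":
    ok = Channel()
    cases = {
        "one APRM trip": [Channel(aprm_trip=True), ok, ok, ok],
        "one APRM + one OPRM": [Channel(aprm_trip=True),
                                Channel(oprm_trip=True), ok, ok],
        "two APRM trips": [Channel(aprm_trip=True),
                           Channel(aprm_trip=True), ok, ok],
        "tripped channel bypassed": [Channel(aprm_trip=True, bypassed=True),
                                     Channel(aprm_trip=True), ok, ok],
    }
    for name, chans in cases.items():
        print(name, voter_states(chans), rps_trip_outputs(chans))
    print("bus A lost", rps_trip_outputs([ok] * 4, {"A": False, "B": True}))
```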

7.5.7.4 Safety Evaluation

Each APRM derives its signal from information obtained from the LPRMs. The assignments, power separation, cabinet separation, and LPRM signal isolation are in accord with the safety design basis of the Reactor Protection System. There are four APRM channels with the Reactor Protection System trip outputs from each routed to each of four APRM 2-out-of-4 voter channels. Two voter channels are associated with each Reactor Protection System trip system. This configuration allows one APRM channel to be bypassed plus one failure while still meeting the Reactor Protection safety design basis.

APRM power (and simulated thermal power) are adjusted periodically based on heat balance to match true reactor power. This adjustment is made regularly at a rate sufficient to compensate for LPRM burnup and the related change in APRM values.

However, coolant flow changes and control rod movements can also affect the relationship between APRM measured flux and true reactor power and introduce errors. To accommodate the predictable APRM variations due to coolant flow and control rod changes, analyses are performed to determine limiting case values for both. Bounding values are then used in APRM setpoint calculations as an expected error. This analysis assures that there is adequate margin in the actual setpoints to assure safety limits are not exceeded even if the worst case error in APRM values is introduced due to coolant flow changes or control rod movements after heat balance calibration of the APRM has been performed.

The APRM scram setpoint is demonstrated to be adequate in preventing fuel damage as a result of abnormal operational transients by the analyses documented in Reference 1 of Section 14.0, "Plant Safety Analysis."

7.5.7.5 Power Generation Evaluation

The APRMS provides the operator with four continuous recordings of the average reactor power. The rod blocking function prevents operation above the region defined by the design power response to recirculation flow control. The flow signal used to vary the rod block level is supplied from the recirculation system flow instrumentation. Two flow comparators monitor the four flow signals and initiate an alarm if the four signals are not in agreement. Because any one of the APRMs can initiate a rod block, this function has a high level of redundancy and satisfies the power generation design basis. One APRM channel may be bypassed. In addition, a minimum of 20 LPRM inputs, with three per axial level, is required for each APRM channel to be operative. If the number is less than this, an automatic APRM inoperative alarm and rod block are generated.

7.5.7.6 Inspection and Testing

APRM channels are calibrated at power by a heat balance or using data from previous full-power runs and are tested by procedures in the applicable instruction manual. Each APRM channel can be individually tested for the operability of the APRM scram and rod blocking functions by introducing test signals.

7.5.8 Rod Block Monitor Subsystem

7.5.8.1 Power Generation Design Basis

1. The RBMS shall be designed to prevent local fuel damage as a result of a single rod withdrawal error under the worst permitted condition of RBM bypass.
2. The RBMS shall provide a signal to permit operator evaluation of the change in the local relative power level during control rod movement.

7.5.8.2 Description

7.5.8.2.1 Identification

The RBMS has two RBM channels, each of which uses input signals from a number of LPRM channels. A trip signal from either RBM channel can initiate a rod block.

One RBM channel may be bypassed without loss of subsystem function.

7.5.8.2.2 Power Supply

The RBMS power is received from the 120-V AC supplies used for the Reactor Protection System (RPS) (see Subsection 7.2).

Each RBM receives power redundantly from both RPS buses.

7.5.8.2.3 Signal Conditioning

The RBM signal is generated by averaging a set of LPRM signals. The LPRM signals used depend on the control rod selected. Upon selection of a rod for withdrawal or insertion, the conditioned signals from the LPRMs around that rod will be automatically selected by the two RBM channels. (Figure 7.5-17a shows examples of the four possible LPRM/selected rod assignment combinations.) For a typical non-edge rod, each RBM channel averages LPRM inputs from two of the four B-position and D-position detectors, and all four of the C-position detectors. (See Figure 7.5-17b.) (This configuration is part of the RBM improvements described in Reference 1 of Section 14.0, "Plant Safety Analysis.") A-position LPRM detectors are not included in the RBM averages, but are displayed to the operator. When a rod near, but not at, the edge of the core is selected, where there are fewer than four, but at least two, LPRM strings around the rod, the number of detectors used by the RBM channels is either six or four depending on how many LPRM strings are available. If a detector has been bypassed in the LPRM System, that detector is automatically deleted from the RBM processing and the averaging logic is adjusted to average only the remaining detectors.

After selection of a control rod, each RBM channel calculates the average of the related LPRM detectors and calculates a gain factor that will adjust the average to 100%. Thereafter, until another rod is selected, the gain factor is applied to the LPRM average to obtain the RBM signal value. The RBM signal value is compared to RBM trip setpoints (see 7.5.8.2.4).

When a peripheral rod is selected, or if the APRM value for the RBM's associated APRM is below the automatic bypass level (approximately 26% power), the RBM function is automatically bypassed, the rod block outputs are set to "permissive," and the RBM average is set to zero.

7.5.8.2.4 Trip Function

The RBM supplies a trip signal to the Reactor Manual Control System to inhibit control rod withdrawal. The trip is set whenever the RBM signal value exceeds the RBM setpoint. As described in Reference 1 of Section 14.1, there are three different power-dependent setpoints, each a percentage above the RBM initial value of 100%. The particular setpoint that is applied is selected based on the simulated thermal power value from the RBM's associated APRM channel (an alternate APRM channel is assigned and is automatically used for inputs if the primary APRM channel is bypassed or inoperative). Higher APRM simulated thermal power values select a lower setpoint. That is, at higher power levels, the percentage increase in the RBM value allowed is less than at lower power levels. One of the two RBMs can be bypassed by the operator. Either RBM channel can prevent rod movement.
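The RBM normalization and trip logic of 7.5.8.2.3 and 7.5.8.2.4 (normalize the LPRM average to 100% at rod selection, then compare the gain-adjusted average to a power-dependent setpoint) is sketched below as an added example; it is not the plant's code. The three setpoint values and the two upper band boundaries are constructed placeholders, since the text gives only the approximate 26% automatic bypass level, and a single power input is used for both the bypass check and the setpoint selection as a simplification.

```python
AUTO_BYPASS_PCT = 26.0  # "approximately 26% power" per 7.5.8.2.3

# Constructed placeholder bands: (lower bound of simulated thermal power,
# setpoint as percent of the initial RBM value of 100). Higher power
# selects a lower setpoint, as the text describes.
SETPOINT_BANDS = [(80.0, 110.0), (60.0, 115.0), (AUTO_BYPASS_PCT, 120.0)]


def select_setpoint(stp_pct):
    """Setpoint for the given simulated thermal power, or None if bypassed."""
    for lower_bound, setpoint in SETPOINT_BANDS:
        if stp_pct >= lower_bound:
            return setpoint
    return None


def average_unbypassed(readings):
    """readings maps a detector label to its value, or None if that
    detector is bypassed in the LPRM system (dropped from the average)."""
    active = [v for v in readings.values() if v is not None]
    if not active:
        raise ValueError("no unbypassed LPRM inputs around the selected rod")
    return sum(active) / len(active)


class RbmChannel:
    def __init__(self):
        self.gain = None
        self.peripheral = False

    def select_rod(self, readings, peripheral=False):
        """On rod selection, compute the gain that adjusts the average
        of the related LPRMs to 100 percent."""
        self.peripheral = peripheral
        self.gain = None if peripheral else 100.0 / average_unbypassed(readings)

    def evaluate(self, readings, stp_pct):
        """Return (RBM signal, rod_block). When automatically bypassed the
        output is permissive (no block) and the RBM average is zero."""
        if self.peripheral or stp_pct < AUTO_BYPASS_PCT:
            return 0.0, False
        if self.gain is None:
            raise RuntimeError("no control rod has been selected")
        signal = self.gain * average_unbypassed(readings)
        return signal, signal > select_setpoint(stp_pct)


if __name__ == "__main__":
    # Constructed readings for a non-edge rod: two B, four C, two D
    # detectors, with one D detector bypassed.
    at_selection = {"B1": 38.0, "B2": 42.0, "C1": 40.0, "C2": 41.0,
                    "C3": 39.0, "C4": 40.0, "D1": None, "D2": 40.0}
    rbm = RbmChannel()
    rbm.select_rod(at_selection)
    withdrawn = {k: None if v is None else v * 1.12
                 for k, v in at_selection.items()}
    for stp in (85.0, 50.0, 20.0):
        print(stp, rbm.evaluate(withdrawn, stp))
```

The same 12 percent local rise blocks withdrawal in the constructed high-power band but not in the low-power band, which is the behaviour the setpoint description implies.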

7.5.8.3 Power Generation Evaluation

Motion of a control rod causes the LPRMs adjacent to the control rod to respond strongly to the change in power in the region of the rod in motion. Typical RBM channel responses are documented in Reference 1 of Section 14.1. This reference also provides documentation of rod withdrawal error analysis results which demonstrate that under limiting assumptions of LPRM failures the RBM setpoints will halt rod motion well before local fuel damage can occur.

7.5.8.4 Inspection and Testing

The rod block monitor channels are tested and calibrated by procedures given in the applicable instruction manuals. The RBMs are functionally tested by introducing test signals into the RBM channels.

Local alarm lights representing upscale and downscale trips will be verified. The inoperative trip will be initiated to produce a rod block. The functions that cannot be verified to produce a rod block directly will be verified during the operating cycle.

7.5.9 Traversing Incore Probe Subsystem

7.5.9.1 Power Generation Design Basis

1. The TIPS shall be capable of providing a signal proportional to the axial gamma flux distribution at selected small axial intervals over the regions of the core where LPRM detector assemblies are located. This signal shall be of high precision to allow reliable calibration of LPRM gains.
2. The TIPS shall provide accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial gamma flux distribution.

7.5.9.2 Description

7.5.9.2.1 Identification

The TIPS includes five traversing incore probe (TIP) machines, each of which has the following components:

a. One traversing incore probe (TIP),
b. One drive mechanism,
c. One indexing mechanism,
d. Up to 10 incore guide tubes, and
e. One chamber shield.

The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine. The assignment of LPRM strings to the five TIP machines is shown in Figure 7.5-20.

7.5.9.2.2 Physical Arrangement

A TIP drive mechanism uses a gamma sensitive detector attached to a flexible drive cable, which is driven from outside the primary containment by a gear box assembly. The flexible cable is contained by guide tubes that continue into the reactor core. The guide tubes are a part of the LPRM detector assembly and are specially prepared to provide a durable, low-friction surface. The indexing mechanism allows the use of a single detector in any one of ten different tube paths. The tenth tube is used for TIP cross calibration with the other TIP machines. The control system provides both manual and semi-automatic operation. Additionally, for Unit 1, only fully automatic operation is possible with all drives capable of operating concurrently.

The TIP signal is amplified and displayed on a meter or digital display (Unit 1 only).

Core position versus gamma flux is recorded in the Main Control Room on an X-Y recorder for Units 2 and 3. For Unit 1, the information is stored digitally and transmitted to the process computer. A block diagram of the drive system is shown in Figure 7.5-21.

The heart of each TIP machine is the probe (Figure 7.5-22), consisting of the detector and the associated signal drive cable. The detector is an argon filled chamber 0.213 inches in diameter and 1.0 inches in active length. The body of the detector is made of stainless steel with a titanium anode. Sensitivity of the detector is approximately 3 x 10^-14 amps/R/hr. The detector can operate in a maximum gamma flux level of 2.8 x 10^9 R/hr. The nominal detector operating voltage is 100-V DC.

The signal current from the detector is transmitted from the TIP to amplifiers and readout equipment by means of a triaxial signal cable, which is an integral part of the mechanical drive cable. The outer sheath of the drive cable is constructed of carbon steel in a helix array. The cable drive mechanism engages this helix to effect movement in and out of the guide tubes. The inner surface of the guide tubing between the reactor vessel and the drive mechanism is coated with a ceramic bonded lubricant to reduce friction. The guide tubing inner surface is nitrided within the reactor vessel.

The cable drive mechanism contains the drive motor, the cable take-up reel, an analog probe position indicator for the recorder, and a mechanical counter to provide digital pulses to the control unit for positioning the TIP at specific locations along the guide tube.

The drive mechanism inserts and withdraws the TIP and its cable from the reactor and provides detector position indication signals. The drive mechanism consists of a motor and drive gearbox, which drives the cable in the manner of a rack and drive-pinion. A two-speed drive motor is used providing a high speed for insertion and withdrawal and a low speed for scanning the reactor core. (See Figure 7.5-23a, b, c, and d.)

A take-up reel is included in the cable drive mechanism to coil the drive cable as it is withdrawn from the reactor. This reel makes it possible to connect the TIP and its cable to the amplifier through a connector rather than slip rings which reduces possible noise and maintenance problems.

The analog position indicator and the mechanical counter (digital) are also driven directly from the output shaft of the cable drive motor. The analog position signal from a potentiometer and a flux amplifier output are used to plot gamma flux versus incore position of the TIP. The TIP position signal is also available to the process computer. The digital counter is used to position the TIP in the guide tube through the control logic with a linear position accuracy of 1 inch. The digital counter can control TIP positions at the top of the core for initiation of scan, and at the bottom of the core for changing to fast withdrawal speed.

A position limit switch provides an electrical interlock release when the probe is in the nominal zero position to allow the indexing mechanism to index the TIP to the next guide tube location. The limit switch is actuated when the end of the TIP passes a switch in the indexer. The cable drive motor includes an AC voltage-operated brake to prevent coasting of the TIP after a desired incore position is reached. When the system is not in use, the detector probe can be completely withdrawn to a position in the center of the chamber shield.

A circular transfer machine with ten indexing points functions as an indexing mechanism. Nine of these locations are for the guide tubes associated only with that particular TIP machine. The tenth location is for the guide tube common to all the TIP machines. Indexing to a particular tube location is accomplished manually at the control panel by means of a position selector switch which energizes the electrically actuated rotating mechanism.

The tube transfer mechanism is part of the indexing mechanism and consists of a fixed circular plate containing ten holes on the reactor side, which mate to a rotating single-hole plate. The rotating plate aligns and mechanically locks with each fixed hole position in succession. The indexing mechanism is actuated by a motor-operated rotating drive. Electrical interlocks prevent the indexing mechanism from changing positions until the probe cable has been completely retracted beyond the transfer point. Additional electrical interlocks prevent the cable drive motor from moving the cable until the transfer mechanism has indexed to the preselected guide tube location.

A valve system is provided with a ball valve on each guide tube entering the primary containment. These valves are closed except when the TIP subsystem is in operation. A ball valve and a cable shearing valve are mounted in the guide tubing just outside the primary containment. They prevent the loss of reactor coolant in the event a guide tube ruptures inside the reactor vessel. A valve is also provided for an air purge line to the indexing mechanisms. A guide-tube ball-valve opens only when the TIP is being inserted. The shear valve is used only if a leak occurs when the TIP is beyond the ball-valve and power to the TIPS fails. The shear valve, which is controlled by a manually-operated, protected switch, can cut the cable and close off the guide-tube. The shear valves are actuated by detonation squibs. The continuity of the squib circuits is monitored by front panel indicator lights in the control room.

A guide-tube ball-valve is normally deenergized and in the closed position. When the TIP starts forward, the valve is energized and opens. As it opens, it actuates a set of contacts which gives a signal light indication at the TIPS control panel and bypasses an inhibit-limit switch, which automatically stops TIP motion if the ball valve does not open on command.

7.5.9.2.3 Signal Conditioning

The TIP control and readout instrumentation is mounted in a cabinet in the control room. Since there are five groups of guide tubes, each with an associated TIP machine, there are also five groups of drive control equipment. For Units 2 and 3, there is a flux probe monitor which consists of six individual flux amplifiers (one spare) and associated DC power supplies. For Unit 1, a flux amplifier and associated DC power supply is located in each drive control drawer. For Units 2 and 3, a common X-Y recorder records the flux variations of each scan. An X-Y output is provided for use by the process computer. For Unit 1, the information is stored digitally in the drive control drawers and transmitted to the process computer. The TIP output is linear to within +1 percent of full scale when operated at a detector voltage of 100V-DC in a thermal neutron flux of between 2.8 x 10^13 nv to 2.8 x 10^14 nv. The probe and cable leakages contribute less than 1 percent of full scale output during the life of the detector. For normal operating conditions, the flux amplifier is linear to within 1.0 percent of full scale and drifts less than 1.0 percent of full scale during a 100-hour period at design operating conditions. Actual operating experience has shown the system to reproduce within 1.0 percent of full scale in a sequence of tests.

BFN-25

7.5.9.3 Power Generation Evaluation

An adequate number of TIP machines is supplied to assure that each LPRM assembly can be probed by a TIP, and one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration. Typical TIPs have been tested to prove linearity. The system has been field tested in an operating reactor to assure reproducibility for repetitive measurements, and the mechanical equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. For Units 2 and 3, the system design allows semi-automatic operation for LPRM calibration and process computer use. For Unit 1, fully automatic operation is possible. The TIP machines can be operated manually to allow pointwise flux mapping.

7.5.9.4 Inspection and Testing

The TIPS equipment is tested and calibrated using heat balance data and procedures based on the applicable instruction manual.

BFN-22

Table 7.5-1 SRM TRIPS

| Trip Function | Trip Action |
|---|---|
| SRM upscale or inoperative | Annunciator, amber light |
| SRM upscale or inoperative | Display, amber light, rod block |
| SRM downscale (detector retraction permissive) | Bypass detector limit switch |
| SRM downscale | Annunciator, white light, rod block |
| SRM downscale | Display, white light |
| SRM period | Annunciator, amber light |
| SRM period | Display, amber light |
| SRM retraction permissive | Display, white light |
| SRM bypassed | Display, white light |

Table 7.5-2 IRM TRIPS

| Trip Function | Trip Action |
|---|---|
| IRM Hi-Hi or inoperative | Scram |
| IRM Hi-Hi or inoperative | Annunciator, red light |
| IRM Hi-Hi or inoperative | Display, red light |
| IRM upscale | Rod block |
| IRM upscale | Annunciator, amber light |
| IRM upscale | Display, amber light |
| IRM downscale | Rod block (exception on most sensitive scale) |
| IRM downscale | Annunciator, white light |
| IRM downscale | Display, white light |
| IRM bypassed | Display, white light |

BFN-28

Table 7.5-3 LPRM TRIPS

| TRIP FUNCTION | TRIP RANGE | TRIP SETPOINT | TRIP ACTION |
|---|---|---|---|
| LPRM downscale | 2% to full scale | 3% | Light and annunciator |
| LPRM upscale | 2% to full scale | 100% | Light and annunciator |
| LPRM bypass | Manual Switch | N/A | Light and annunciator and APRM, averaging compensation |

Table 7.5-4a APRM TRIPS

| TRIP FUNCTION | TRIP POINT RANGE | TRIP SETTING/SETPOINT ANALYTICAL LIMIT (AL) | ACTION |
|---|---|---|---|
| APRM downscale | 0% to full scale | N/A | Rod Block |
| APRM thermal power upscale (high) | Varied with flow, adjustable | 0.55 Flow + 63.5% | Rod Block |
| APRM thermal power upscale (in startup) | 7% to 27% | 13% | Rod Block |
| APRM inoperative | N/A | Not in operate, critical self-test fault, or too few LPRM detectors | Rod Block |
| APRM thermal power upscale flow biased (high-high) | Varied with flow, adjustable | 0.55 Flow + 67.5% | Scram |
| APRM inoperative | N/A | Not in operate or critical self-test fault | Scram |
| APRM upscale (in startup) | 10% to 30% | 23% | Scram |
| APRM upscale Fixed trip (high-high) | 10% to full scale | 125.4% | Scram |

BFN-28 Table 7.5-4b (Deleted)

BFN-22 Table 7.5-4c (Deleted by Amendment 19)

BFN-19

7.6 REFUELING INTERLOCKS

7.6.1 Safety Objective

The refueling interlocks are designed to back up procedural core reactivity controls during refueling operation; specifically, the interlocks prevent an inadvertent criticality during refueling operations.

During a refueling operation, the reactor vessel head is removed, allowing direct access to the core. Refueling operations include the removal of reactor vessel upper internals and the movement of spent and fresh fuel assemblies between the core and the fuel storage pool. The service platform, refueling platform, and the equipment handling hoists on the platforms are used to accomplish the refueling task. The refueling interlocks reinforce operational procedures that prohibit making the reactor critical under certain situations encountered during refueling operations by restricting the movement of control rods and the operation of refueling equipment.

7.6.2 Safety Design Basis

1. During fuel movements in or over the reactor core, all control rods shall be in their fully inserted positions.
2. No more than one control rod shall be withdrawn from its fully inserted position at any time when the reactor is in the refueling mode (MODE 5).

7.6.3 Description

The refueling interlocks include circuitry that senses the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated, which prevents the movement of the refueling equipment or withdrawal of control rods (rod block).

Circuitry is provided which senses the following conditions:

a. All rods inserted and in refuel mode (MODE 5).
b. Refueling platform positioned near or over the core,
c. Refueling platform hoists fuel-loaded (fuel grapple, frame-mounted hoist, monorail-mounted hoist),
d. Fuel grapple not full up, and
e. Service platform hoist fuel-loaded.

A two-channel DC circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod before the "all rods in and in Refuel Mode" signal is generated; two channels carry the signal.

Both channels must register the "all rods in and in Refuel Mode" signal in order for the refueling interlock circuitry to indicate the "all rods in and in Refuel Mode" condition.

The refueling platform is provided with two mechanical switches attached to the platform which are tripped open by a long, stationary ramp mounted adjacent to the platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel, thereby providing indication of the approach of the platform toward the core or its position over the core.

The three hoists on the refueling platform are equipped with load weighing sensors that provide the control system signals indicating when a hoist is loaded. The setpoints for these hoist loaded signals are set to trip if the hoist weight is greater than that of a single fuel assembly. This provides positive indication whenever fuel is loaded on any hoist.

The telescoping fuel grapple hoist is provided with an elevation measurement as well as limit switches. The control system detects a condition indicative of a lowered hoist and provides a signal called "hoist is not at Normal Up."

The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operation and control rod movement, as described in Figure 7.6-1 and Table 7.6-1, and in the following:

Note: Interlocks which inhibit Refueling platform movement over the core may be defeated if fuel movement is inhibited, rod blocks remain in place, and the mode switch is administratively controlled in the refuel position.

a. Refueling platform travel toward or over the core is stopped when the following three conditions exist concurrently:
1. Any refueling platform hoist is loaded or the fuel grapple is not in its full up position,
2. All rods not fully inserted when in refuel mode, and
3. Refueling platform position is such that position switch No. 1 is open (platform near or over the core).

b. With the mode switch in STARTUP, refueling platform travel toward the core is prevented when the refueling platform No. 2 position switch is open (platform near or over the core).
c. With the mode switch in REFUEL, refueling platform travel towards the core is prevented when the following three conditions exist concurrently:
1. Refueling mode one rod permissive relay not energized (Energizing the one rod permissive relay requires all rods to be full-in initially, mode switch in REFUEL, and one rod selected).
2. The refueling platform No. 2 position switch is open (platform near or over the core).
3. All rods not fully inserted.
d. The refueling platform frame-mounted hoist "LIFT" electrical circuit is open when the following three conditions exist concurrently:
1. Frame-mounted hoist loaded,
2. All rods not fully inserted when the reactor mode switch is in "REFUEL," and
3. Refueling platform near or over the core.
e. The refueling platform monorail-mounted hoist "LIFT" electrical circuit is open when the following three conditions exist concurrently:
1. Monorail-mounted hoist loaded,
2. All rods not fully inserted when the reactor mode switch is in "REFUEL," and
3. Refueling platform near or over the core.
f. Operation of the telescoping fuel grapple is prevented when the following two conditions exist concurrently:
1. All rods not fully inserted when the reactor mode switch is in "REFUEL," and
2. Refueling platform near or over the core.

g. Operation of the service platform hoist is prevented when the following two conditions exist concurrently:
1. All rods not fully inserted, and
2. Service platform hoist loaded.
h. With the mode switch in REFUEL, any one of the following three conditions prevents a control rod withdrawal:
1. Refueling platform over the core with a load on any refueling platform hoist or the fuel grapple not fully up,
2. Service platform hoist loaded, or
3. Refuel mode one rod permissive relay not energized. (Once the relay is energized, selection of a second rod is blocked.)
i. With the mode switch in STARTUP, either one of the following conditions prevents a control rod withdrawal:
1. Refueling platform over the core, or
2. Service platform hoist fuel-loaded.

The prevention of a control rod withdrawal is accomplished by opening contacts at two different points in the rod block circuitry; prevention of refueling equipment operation is accomplished by interrupting the power supply to the equipment.

During refueling operations, the reactor mode switch is maintained locked in the SHUTDOWN or REFUEL position. Technical Specification Section 3.10 provides allowances for mode switch movement to other positions for testing and other prescribed activities subject to limitations as described in the technical specifications. With the mode switch in REFUEL position, no more than one control rod may be withdrawn; this is enforced by a redundant logic circuit, which uses the "all rods in" signal and rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select push buttons. With the mode switch in REFUEL, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

A bypass for the service platform hoist load interlock is provided. When the service platform is no longer needed, its power plug is removed, which deenergizes the power supply to the hoist; and the platform can be moved to a location away from the core. Deenergizing the hoist power supply opens the hoist loaded relay contacts, giving a false indication that the hoist is loaded; this indication prevents control rod withdrawal with the mode switch in STARTUP or REFUEL. A bypass plug is provided to allow control rod movement in this situation. The bypass plug is physically arranged to prevent the connection of the service platform power plug unless the bypass plug is removed.
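The interlock conditions a through i and the service platform bypass described above can be written as a small boolean model and checked against the situations in Table 7.6-1. This is an added illustration, not plant logic or TVA code: the class, field and function names are assumptions, both platform position switches are assumed to open together, and the bypass plug is assumed to force the hoist-loaded signal to "not loaded".

```python
# Added example: boolean model of refueling interlock items a-i.
# Field and function names are illustrative assumptions, not plant identifiers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Plant:
    mode: str = "REFUEL"              # "REFUEL" or "STARTUP"
    rods_out: int = 0                 # control rods not fully inserted
    near_core: bool = False           # platform position switches No. 1/No. 2 open
    fmh_loaded: bool = False          # frame-mounted hoist
    mmh_loaded: bool = False          # monorail-mounted hoist
    fg_loaded: bool = False           # fuel grapple hoist
    fg_full_up: bool = True           # fuel grapple in its full-up position
    svc_loaded: bool = False          # service platform hoist-loaded signal
    one_rod_permissive: bool = False  # refuel-mode one-rod permissive relay


def service_hoist_signal(actual_load, power_plug_in, bypass_plug_in):
    """Hoist-loaded indication as the interlocks see it (bypass paragraph)."""
    if power_plug_in and bypass_plug_in:
        raise ValueError("power plug cannot be connected with bypass plug installed")
    if bypass_plug_in:
        return False        # assumption: bypass plug clears the indication
    if not power_plug_in:
        return True         # deenergized relay contacts read as "loaded"
    return actual_load


def _platform_load(p):
    """Any refueling platform hoist loaded, or fuel grapple not full up."""
    return p.fmh_loaded or p.mmh_loaded or p.fg_loaded or not p.fg_full_up


def _refuel_rods_out(p):
    """'All rods not fully inserted' with the mode switch in REFUEL."""
    return p.mode == "REFUEL" and p.rods_out > 0


def platform_travel_blocked(p):
    """Items a, b, c: travel toward or over the core is stopped."""
    a = _platform_load(p) and _refuel_rods_out(p) and p.near_core
    b = p.mode == "STARTUP" and p.near_core
    c = (p.mode == "REFUEL" and not p.one_rod_permissive
         and p.near_core and p.rods_out > 0)
    return a or b or c


def hoist_lift_open(p, hoist):
    """Items d, e: LIFT circuit open for hoist 'fmh' or 'mmh'."""
    loaded = p.fmh_loaded if hoist == "fmh" else p.mmh_loaded
    return loaded and _refuel_rods_out(p) and p.near_core


def grapple_blocked(p):
    """Item f: telescoping fuel grapple operation prevented."""
    return _refuel_rods_out(p) and p.near_core


def service_hoist_blocked(p):
    """Item g: service platform hoist operation prevented."""
    return p.rods_out > 0 and p.svc_loaded


def rod_withdrawal_blocked(p):
    """Items h (REFUEL) and i (STARTUP): rod block."""
    if p.mode == "REFUEL":
        return ((p.near_core and _platform_load(p)) or p.svc_loaded
                or not p.one_rod_permissive)
    if p.mode == "STARTUP":
        return p.near_core or p.svc_loaded
    raise ValueError("model covers REFUEL and STARTUP only")


def can_select_new_rod(p):
    """In REFUEL, a rod may be newly selected only with every other rod full-in."""
    return p.mode != "REFUEL" or p.rods_out == 0


if __name__ == "__main__":
    # Situation 5: rods pulled in STARTUP, switch then moved to REFUEL,
    # so the one-rod permissive relay never energized.
    s5 = Plant(rods_out=2, near_core=True)
    print("situation 5, platform stopped:", platform_travel_blocked(s5))
    # Service platform unplugged and no bypass plug: fail-safe rod block.
    unplugged = Plant(mode="STARTUP",
                      svc_loaded=service_hoist_signal(False, False, False))
    print("unplugged hoist, rod block:", rod_withdrawal_blocked(unplugged))
```

Platform-travel situations are evaluated with `near_core=True`, the point at which the position switches open as the platform approaches the core.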

7.6.4 Safety Evaluation

The refueling interlocks, in combination with core nuclear design and refueling procedures, prevent inadvertent criticality. The nuclear characteristics of the core assure that the reactor is subcritical even when the highest worth control rod is fully withdrawn. The combination of refueling interlocks for control rods and the refueling platform provides redundant methods of preventing inadvertent criticality even after procedural violations when the mode switch is in REFUEL position. The interlocks on hoists provide yet another method of avoiding inadvertent criticality.

Table 7.6-1 shows the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform movement and position, and mode switch manipulation. The initial conditions in situations 4 and 5 appear to be in contradiction to the action of refueling interlocks, because the initial conditions indicate that more than one control rod is withdrawn, yet the mode switch is in REFUEL. Such initial conditions are possible if the rods are withdrawn when the mode switch is in STARTUP, and then the mode switch is turned to REFUEL. The scram indicated in situation 17 of Table 7.6-1 is not a result of the refueling interlocks; it is the response of the Reactor Protection System to downscale neutron monitoring system channels when the mode switch is shifted to RUN. In all cases, proper operation of the refueling interlocks is successful in preventing either the operation of loaded refueling equipment over the core whenever any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn; selection of a second is inhibited.

7.6.5 Inspection and Testing

Complete functional testing of all refueling interlocks before any refueling outage will provide positive indication that the interlocks operate in the situations for which they were designed. By loading each hoist with a weight equal to a fuel assembly, positioning the refueling platform, and withdrawing control rods, the interlocks can be subjected to valid operational tests. Where redundancy is provided in the logic circuitry, tests can be performed to assure that each redundant logic element can independently perform its function.

Technical Specification Sections 3.9.1 and 3.9.2 provide limiting conditions of operation and surveillance requirements for the refueling interlocks. Testing of the refueling interlocks is also performed following any repair work associated with the interlocks.

BFN-16

TABLE 7.6-1 (Sheet 1)

REFUELING INTERLOCK EFFECTIVENESS

| Situation | Refueling Platform Position | Refueling Platform Hoists (MMH* / FMH* / FG) | Service Platform Hoist | Control Rods | Mode Switch | Attempt | Result |
|---|---|---|---|---|---|---|---|
| 1 | Not near core | UL* / UL* / UL* | UL* | All rods fully inserted | Refuel | Move refueling platform over core | No restrictions |
| 2 | Not near core | UL / UL / UL | UL | All rods fully inserted | Refuel | Withdraw rods | Cannot withdraw more than one rod |
| 3 | Not near core | UL / UL / UL | UL | One rod withdrawn | Refuel | Move refueling platform over core | No restrictions |
| 4 | Not near core | Any hoist loaded or FG not fully up | UL | One rod withdrawn | Refuel | Move refueling platform over core | Platform stopped before over core |
| 5 | Not near core | UL / UL / UL | UL | More than one rod withdrawn | Refuel | Move refueling platform over core | Platform stopped before over core |
| 6 | Over core | UL / UL / UL | UL | All rods fully inserted | Refuel | Withdraw rods | Cannot withdraw more than one rod |
| 7 | Over core | Any hoist loaded or FG not fully up | UL | All rods fully inserted | Refuel | Withdraw rods | Rod block |
| 8 | Not near core | UL / UL / UL | L* | All rods fully inserted | Refuel | Withdraw rods | Rod block |
| 9 | Not near core | UL / UL / UL | L | All rods fully inserted | Refuel | Operate service platform hoist | No restrictions |
| 10 | Not near core | UL / UL / UL | L | One rod withdrawn | Refuel | Operate service platform hoist | Hoist operation prevented |

TABLE 7.6-1 (Sheet 2)

REFUELING INTERLOCK EFFECTIVENESS

| Situation | Refueling Platform Position | Refueling Platform Hoists (MMH* / FMH* / FG) | Service Platform Hoist | Control Rods | Mode Switch | Attempt | Result |
|---|---|---|---|---|---|---|---|
| 11 | Not near core | UL / UL / UL | UL | All rods fully inserted | Startup | Move refueling platform over core | Platform stopped |
| 12 | Not near core | UL / UL / UL | L | All rods fully inserted | Startup | Operate service platform hoist | No restrictions |
| 13 | Not near core | UL / UL / UL | L | One rod withdrawn | Startup | Operate service platform hoist | Hoist operations prevented |
| 14 | Not near core | UL / UL / UL | L | All rods fully inserted | Startup | Withdraw rods | Rod block |
| 15 | Not near core | UL / UL / UL | UL | All rods not fully inserted | Startup | Withdraw rods | No restrictions |
| 16 | Over core | UL / UL / UL | UL | All rods fully inserted | Startup | Withdraw rods | Rod block |
| 17 | Any | Any condition | Any condition | Any condition, reactor not at power | Startup | Turn mode switch to run | Scram |

* LEGEND: MMH - Monorail Mounted Hoist; FMH - Frame Mounted Hoist; FG - Fuel Grapple; UL - Unloaded; L - Fuel-loaded

BFN-16 Figure 7.6-2 Deleted by Amendment 9.

7.7 REACTOR MANUAL CONTROL SYSTEM

7.7.1 Power Generation Objective

The objective of the Reactor Manual Control System is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

7.7.2 Safety Design Basis

1. The circuitry provided for the manipulation of control rods shall be designed so that no single failure can negate the effectiveness of a reactor scram.
2. The Reactor Manual Control System shall act to limit the worth of individual control rods in conjunction with the rod worth minimizer system such that a postulated rod drop accident will not result in fuel pellet power density greater than 280 calories per gram (consult UFSAR Section 14.6.2 for additional information regarding control rod drop accident initial conditions and assumptions including the velocity limiter and RPS 120% flux trip functions).
3. The Reactor Manual Control System shall be designed to inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation (consult UFSAR Section 14.4.2 for additional information regarding erroneous control rod manipulation definitions).
4. The Reactor Manual Control System shall be designed to inhibit rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation (due to failure) is incapable of monitoring the core response to rod movement.

7.7.3 Power Generation Design Basis

1. The Reactor Manual Control System shall be designed to inhibit control rod withdrawal following erroneous control rod manipulations so that Reactor Protection System action (scram) is not required.
2. To limit the potential for inadvertent rod withdrawals leading to Reactor Protection System action, the Reactor Manual Control System shall be designed in such a way that deliberate operator action is required to effect a continuous rod withdrawal.
3. To provide the operator with the means to achieve prescribed control rod patterns, information pertinent to the position and motion of the control rods shall be available in the control room.

7.7.4 Description

7.7.4.1 Identification

The Reactor Manual Control System consists of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment. This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The Reactor Manual Control System does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Subsection 7.2, "Reactor Protection System." Nor are the mechanical devices of the control rod drives and the Control Rod Drive Hydraulic System included in the Reactor Manual Control System; these mechanical components are described in Subsection 3.4, "Reactivity Control Mechanical Design."

7.7.4.2 Operation

7.7.4.2.1 General

Control rod movement is accomplished by admitting water under pressure from a control rod drive water pump into the appropriate end of the control rod drive cylinder. The pressurized water forces the piston, which is attached by a connecting rod to the control rod, to move. Three modes of control rod operation are used: insert, withdrawal, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the various operational modes. The valves control the path that the control rod drive water takes to the cylinder. The Reactor Manual Control System controls the valves.

Two of the four solenoid-operated valves for a control rod are electrically connected to the insert bus. When the insert bus is energized and when a control rod has been selected for movement, the two insert valves for the selected rod open, allowing the control rod drive water to take the path that results in control rod insertion. Of the two remaining solenoid-operated valves for a control rod, one is electrically connected to the withdraw bus, and the other is connected to the settle bus. The withdraw valve that connects the insert drive water supply line to the exhaust water header is the one that is connected to the settle bus. The remaining withdraw valve is connected to the withdraw bus. When both the withdraw bus and the settle bus are energized and when a control rod has been selected for movement, both withdraw valves for the selected rod open, allowing control rod drive water to take the path that results in control rod withdrawal.

The settle mode is provided to insure that the control rod drive index tube is engaged promptly by the collet fingers after the completion of either an insert or withdraw cycle. During the settle mode, the withdraw valve connected to the settle bus is opened, or remains open, while the other three solenoid-operated valves are closed. During an insert cycle, the settle action vents the pressure from the bottom of the CRD piston to the exhaust header, thus gradually reducing the differential pressure across the drive piston of the selected rod. During a withdraw cycle, the settle action again vents the bottom of the CRD piston to the exhaust header, while the withdraw drive water supply is shut off. This also allows a gradual reduction in the differential pressure across the control rod drive piston. After the control rod has slowed down, the collet fingers engage the index tube and lock the rod in position.

The arrangement of control rod selection pushbuttons and circuitry permits the selection of only one control rod at a time for movement. A rod is selected for movement by depressing a button for the desired rod on the reactor control bench board in the control room. This bench board is shown in Figure 7.7-2. The direction in which the selected rod moves is determined by the position of a switch, called the "rod movement" switch, which is also located on the reactor control bench board.

This switch has "rod-in" and "rod-out-notch" positions and returns by spring action to the "off" position. The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod selection. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition will not occur until any moving rod has completed its movement cycle unless control circuit power is lost or the settle bus is de-energized. Selection of the EMERG ROD IN position on the CRD NOTCH OVERRIDE switch on the reactor control bench board de-energizes the settle bus and allows selection of another control rod prior to completion of the control rod movement cycle.

7.7.4.2.2 Insert Cycle

The following is a description of the detailed operation of the Reactor Manual Control System during an insert cycle. The cycle is described in terms of the insert, withdraw, and settle buses. The response of a selected rod when the various buses are energized has been explained previously.

A three-position rod movement switch is provided on the reactor control bench board. The switch has a "rod-in" position, a "rod-out-notch" position, and an "off" position. The switch returns by spring action to the "off" position. With a control rod selected for movement, placing the rod movement switch in the "rod-in" position and then releasing the switch energizes the insert bus for a limited amount of time. Just before the insert bus is deenergized, the settle bus is automatically energized and remains energized for a limited period of time after the insert bus is deenergized.

The insert bus timer setting and the rate of drive water flow provided by the control rod drive hydraulic system determine the distance traveled by a rod. The timer setting results in a one-notch (six-inch) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch. Continuous insertion of a selected control rod is possible by holding the rod movement switch in the "rod-in" position.

The CRD NOTCH OVERRIDE switch also can be used to initiate insertion of a selected control rod. This switch has an EMERG ROD IN, OFF, and NOTCH OVERRIDE position and spring returns to the OFF position. Holding this switch in the EMERG ROD IN position continuously energizes the insert bus causing a continuous insertion of the selected control rod.

7.7.4.2.3 Withdraw Cycles

The following is a description of the detailed operation of the Reactor Manual Control System during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle buses. The response of a selected rod when the various buses are energized has been explained previously.

With a control rod selected for movement, placing the rod movement switch in the "rod-out-notch" position energizes the insert bus for a short period of time.

Energizing the insert bus at the beginning of the withdrawal cycle is necessary to allow the collet fingers to disengage the index tube. When the insert bus is deenergized, the withdraw and settle buses are energized for a controlled period of time. The withdraw bus is deenergized prior to the settle bus, which, when de-energized, completes the withdraw cycle. This withdraw cycle is the same whether the rod movement switch is held continuously in the "rod-out-notch" position or released. The timers that control the withdraw cycle are set so that the rod travels one notch (six inches) per cycle. An interlock is provided in the withdraw circuitry to deenergize the control circuit and prevent rod withdrawal if the withdraw bus timer fails to deenergize the withdraw bus after the specified time period.

A selected control rod can be continuously withdrawn if the rod movement switch is held in the "rod-out-notch" position at the same time that the CRD NOTCH OVERRIDE switch is held in the "notch-override" position. With both switches held in these positions, the withdraw bus is continuously energized.

7.7.4.2.4 Control Rod Drive Hydraulic System Control

Two motor-operated pressure control valves, two air-operated flow control valves in parallel with only one operating, and four solenoid-operated stabilizing valves in parallel with only two operating are included in the Control Rod Drive Hydraulic System to maintain smooth and regulated system operation (see Subsection 3.4, "Reactor Control Mechanical Design"). The motor-operated pressure control valves are positioned by manipulating switches in the control room. The switches for these valves are located close to the pressure indicators that respond to the pressure changes caused by the movements of the valves. The air-operated flow control valve is automatically positioned in response to signals from an upstream flow measuring device. The stabilizing valves are automatically controlled by the action of the energized insert and withdraw buses. The drive water pumps are controlled by switches in the control room. Each pump automatically stops upon indication of low suction pressure.

7.7.4.3 Rod Block Interlocks

7.7.4.3.1 General

To achieve an operationally desirable performance objective, where most failures of individual components would be easily detectable or would not disable the rod movement inhibiting functions, the rod block logic circuitry is arranged as two similar logic circuits. Most common connection points that would, after failure, allow rod withdrawal under rod block conditions are eliminated. The two circuits are energized when control rod movement is allowed. Rod block contacts are normally closed, and rod block relays are normally energized. Each of the two similar circuits receives input trip signals from a number of trip channels. Three rod withdrawal block signals are associated with the two rod block circuits. Either of the two circuits can provide a separate rod block signal to the rod control circuitry. The individual signal from each circuit is called an "annunciating rod block control," because, when tripped, an annunciator is lighted and a buzzer is sounded in the control room to indicate the block signal. The third rod block signal is obtained by combining the outputs of the two similar logic circuits, the rod worth minimizer output (see Subsection 7.16, "Process Computer System"), and the rod block monitor outputs. This third signal is called the "nonannunciating rod block control," because, when tripped, the rod block condition is indicated in the control room by light indicator only. The two "annunciating rod block controls" are always placed in pairs in the rod control circuitry, while the "nonannunciating rod block control" is used independently. Both the two "annunciating rod block controls" and the "nonannunciating rod block control" must be in the permissive state for control rod withdrawal to be possible. A failure of any one of the three rod block controls cannot prevent the remaining parts of the rod block circuitry from initiating a rod block.

When in the tripped state, the "nonannunciating rod block control" prevents the withdraw movement of a selected rod by opening the rod control circuit that is used to energize the withdraw bus. The "annunciating rod block controls" prevent the withdraw movement of a selected rod in a similar manner, but the rod control circuit is opened at a location different from that affected by the "nonannunciating rod block control." The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous (notch override) withdrawal.

If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even if a continuous rod withdrawal is in progress.
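The arrangement described in 7.7.4.3.1 can be written as a small truth-function model. The Python below is an added example, not part of the UFSAR or of any plant software; the names (`Inputs`, `control_states`, `stuck_permissive`), the treatment of loss of circuit power as a block, and the stuck-in-permissive failure mode are assumptions made for illustration. It enumerates every block condition on the two logic circuits against one failed control and confirms that withdrawal stays blocked.

```python
"""Simplified model of the rod block arrangement in 7.7.4.3.1 (added example)."""
from dataclasses import dataclass
from itertools import product

CONTROLS = ("annunciating_A", "annunciating_B", "nonannunciating")


@dataclass(frozen=True)
class Inputs:
    # True means "this input is calling for a rod block".
    circuit_a_trip: bool = False      # any trip channel feeding logic circuit A
    circuit_b_trip: bool = False      # any trip channel feeding logic circuit B
    rwm_withdraw_block: bool = False  # rod worth minimizer output
    rbm_trip: bool = False            # rod block monitor output
    circuit_a_powered: bool = True    # assumption: loss of power drops the relay
    circuit_b_powered: bool = True


def control_states(inp, stuck_permissive=None):
    """Return {control: True if permissive} for the three rod block controls.

    Relays are normally energized, so a circuit is permissive only while it is
    powered AND none of its normally closed trip contacts has opened.
    stuck_permissive names one control assumed to have failed in the
    permissive state (hypothetical failure mode chosen for this model).
    """
    circuit_a = inp.circuit_a_powered and not inp.circuit_a_trip
    circuit_b = inp.circuit_b_powered and not inp.circuit_b_trip
    states = {
        "annunciating_A": circuit_a,
        "annunciating_B": circuit_b,
        # Third signal: both circuit outputs combined with RWM and RBM outputs.
        "nonannunciating": circuit_a and circuit_b
        and not inp.rwm_withdraw_block and not inp.rbm_trip,
    }
    if stuck_permissive is not None:
        states[stuck_permissive] = True
    return states


def withdraw_permitted(inp, stuck_permissive=None):
    """All three controls must be in the permissive state for withdrawal."""
    return all(control_states(inp, stuck_permissive).values())


def indications(states):
    """Control room indication produced by each tripped control."""
    out = []
    for name in ("annunciating_A", "annunciating_B"):
        if not states[name]:
            out.append(f"{name}: annunciator light + buzzer")
    if not states["nonannunciating"]:
        out.append("nonannunciating: indicator light only")
    return out


def single_failure_violations():
    """Check every logic-circuit block condition against each single failure.

    Returns the cases in which withdrawal would be permitted although circuit
    A or B demands a block. An empty list means the property holds in this
    model.
    """
    violations = []
    for a_trip, b_trip, a_pwr, b_pwr in product((False, True), repeat=4):
        inp = Inputs(a_trip, b_trip,
                     circuit_a_powered=a_pwr, circuit_b_powered=b_pwr)
        block_demanded = a_trip or b_trip or not a_pwr or not b_pwr
        if not block_demanded:
            continue
        for failed in CONTROLS:
            if withdraw_permitted(inp, stuck_permissive=failed):
                violations.append((inp, failed))
    return violations


if __name__ == "__main__":
    tripped = Inputs(circuit_a_trip=True)  # constructed sample input
    print(control_states(tripped))
    print(indications(control_states(tripped)))
    print("single-failure violations:", single_failure_violations())
```

A trip on one logic circuit opens both that circuit's annunciating control and the combined nonannunciating control, which is why no single control failing in the permissive state restores the withdraw permissive in this model.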

The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod blocks are described in Subsection 7.6, "Refueling Interlocks."

7.7.4.3.2 Rod Block Functions

The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed later.

a. With the mode switch in SHUTDOWN, no control rod can be withdrawn. This enforces compliance with the intent of the SHUTDOWN mode.
b. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:
1. Any average power range monitor (APRM) upscale rod block alarm.

The purpose of this rod block function is to avoid conditions that would require Reactor Protection System action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.

2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or properly bypassed.
3. Either rod block monitor (RBM) upscale alarm. This function is provided to stop the withdrawal of a control rod so that local fuel damage does not result from a localized power excursion.
4. Either RBM inoperative alarm. This assures that no control rod is withdrawn unless the RBM channels are in service or properly bypassed.

The RBM inoperable functions are 1) local RBM chassis mode switch not in operate, 2) less than the required number of LPRM inputs for the rod selected, 3) module unplugged (loss of input power), 4) self-test detected critical fault, and 5) RBM fails to null.

5. Any recirculation flow signal upscale or inoperative alarm. This assures that no control rod is withdrawn unless the recirculation flow functions, which are necessary for the proper operation of the APRMs, are operable.

6. (Deleted).
7. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block well in advance of that level which produces a scram.
8. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out of service.
9. Rod worth minimizer (RWM) function of the process computer system initiates a rod insert block, a withdrawal block, or a rod select block.

The purpose of this function is to reinforce procedural controls that limit the reactivity worth of control rods under low power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident. Adherence to prescribed control rod patterns is the method by which this reactivity restriction is observed. Additional information on the rod worth minimizer function is available in Subsection 7.16, "Process Computer System."

10. Rod position information system malfunction. This assures that no control rod can be withdrawn unless the rod position information system is in service.
11. Rod movement timer switch malfunction during withdrawal. This stops control rod withdrawal and assures that no control rod can be withdrawn unless the timer is in service.
c. With the mode switch in RUN, only the following conditions initiate a rod block:
1. Any APRM downscale alarm. This assures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.
2. Either RBM downscale alarm. This assures that no control rod is withdrawn during power range operation unless the RBM channels are operating correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the RUN mode.

3. Any Oscillation Power Range Monitor (OPRM) alarm. The OPRM alarm is only enabled in the region of the power/flow map where the OPRM scram trip is enabled.
d. With the mode switch in STARTUP or REFUEL, the following conditions initiate a rod block:
1. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any intermediate range monitor (IRM) range switch on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are properly inserted when they must be relied upon to provide the operator with neutron flux level information.
2. Any SRM upscale level alarm provided IRMs are below Range 8. This assures that no control rod is withdrawn unless the SRM detectors are properly retracted during a reactor startup. The rod block setting is selected at the upper end of the range in which the SRM is designed to detect and measure neutron flux.
3. Any SRM downscale alarm provided IRMs are below Range 3. This assures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.
4. Any SRM inoperative alarm provided IRMs are below Range 8. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all SRM channels are in service or properly bypassed.
5. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM detectors are properly located.
6. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is properly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring Reactor Protection System action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.

7. Any IRM downscale alarm except when range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being properly monitored.

This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level; thus, the rod block ensures that the intermediate range monitor is onscale if control rods are to be withdrawn.

8. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available in that all IRM channels are in service or properly bypassed.

7.7.4.3.3 Rod Block Bypasses

To permit continued power operation during the repair or calibration of equipment for selected functions which provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1 SRM channel, 2 IRM channels, 1 APRM channels, and 1 RBM channel.

The permissible IRM and APRM bypasses are arranged in the same way as in the Reactor Protection System. The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. In Unit 1, the same type of grouping and bypass arrangement is used for the APRMs. The arrangement allows the bypassing of one IRM and one APRM in each group. In Unit 2 and Unit 3 there are four APRM channels, each receiving input from LPRM detectors covering the entire core. The channels are arranged so that adequate monitoring of the core is maintained with one channel bypassed.

These bypasses are effected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation or when the IRMs are on range 3 or above. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.

An automatic bypass of the RBM rod block occurs whenever the power level is below a preselected level or whenever a peripheral control rod is selected. Either of these two conditions indicates that local fuel damage is not threatened and the RBM action is not required.

The rod worth minimizer rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. It may be manually bypassed for maintenance at any time. If control rods are to be manipulated while the rod worth minimizer function is manually bypassed, a second licensed operator will be present in order to verify control rod movement.

7.7.4.3.4 Arrangement of Rod Block Trip Channels

The same grouping of neutron monitoring equipment that is used in the Reactor Protection System is also used in the rod block circuitry. One half of the total numbers of APRMs, IRMs, SRMs, and RBMs provides inputs to one of the rod block logic circuits, and the remaining half provides inputs to the other logic circuit. In Unit 1, one recirculation flow converter provides a rod block signal to one logic circuit; the remaining converter provides an input to the other logic circuit. The flow converter comparator provides trip signals to each flow converter trip circuit. In Unit 2 and Unit 3, each APRM receives recirculation loop A and B flow signals from a pair of differential pressure transmitters and calculates total recirculation flow. The APRM provides an alarm and control rod block on recirculation flow upscale conditions. In addition to the arrangement just described, both RBM trip channels (Unit 1) provide input signals into a separate circuit for the "nonannunciating rod block control."

Scram discharge volume high water level signals are provided as inputs to both rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed. The rod withdrawal block from the rod worth minimizer trip affects a separate circuit that trips the "nonannunciating rod block control." The rod insert block from the rod worth minimizer function prevents energizing the insert bus for both notch insertion and continuous insertion.

The APRM rod block settings are varied as a function of recirculation flow such that the ratio of percent power to percent flow equals 0.55.

Analyses show that the settings selected are sufficient to avoid both Reactor Protection System action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted.

Additional detail on all the Neutron Monitoring System trip channels is available in Subsection 7.5, "Neutron Monitoring System." The rod block from scram discharge volume high water level utilizes two nonindicating switches installed on the scram discharge volume.

7.7.4.4 Instrumentation

The operator has three different displays of control rod position:

a. Full rod status display,
b. Four rod display, and
c. Process computer.

These displays serve the following purposes:

a. Provide the operator with a continuously available presentation of each control rod's status,
b. Provide continuously available warning of an abnormal condition,
c. Present numerical rod position for each rod, and
d. Log all control rod positions on a routine basis.

The full rod status display is located on the upper vertical section of the reactor control board in the control room. It provides the following continuously available information for each individual rod:

a. Rod position, digital and fully inserted (green),
b. Rod position, digital and fully withdrawn (red),
c. Rod identification (coordinate position, white),
d. Accumulator trouble (amber),
e. Rod scram (blue), and
f. Rod drift (red).

Also dispersed throughout the display in locations representative of the physical location of LPRM strings in the core are LPRM lights as follows:

a. LPRM low flux level (white), and
b. LPRM high flux level (amber).

A separate, smaller display is located just below the large display on the vertical part at the bench board (see Figure 7.7-2). The information presented on this display includes the LPRM values for each of the detector arrays surrounding the rod selected (see Figure 7.7-4). Since each detector array contains four sensors in a vertical column and since there can be a maximum of four detector arrays surrounding a rod, sixteen meters are installed. Four rod position modules are between the LPRM indicators. [On Unit 2, operator display assemblies (ODAs) provide LPRM indications, and the four rod position displays are located below the ODAs.] These four modules will display rod position in two digits and rod selected status (white light, off or on) for the four rods located within the LPRM detector arrays being displayed. The rod position digital range is from 00 to 48, with 00 representing the fully in position and 48 the fully out position; each even increment (e.g., 00-02) equals six physical inches of rod movement. The four rod display allows the operator to easily focus his attention on the core volume of concern during rod movements.

Control rod position information is obtained from reed switches in the control rod drive that open or close during rod movement. Reed switches are provided at each three-inch increment of piston travel. Since a notch is six inches, indication is available for each half-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift. Both a rod selected for movement and the rods not selected for movement are monitored for drift. A drifting rod is indicated by an alarm and red light in the control room. The rod drift condition is also monitored by the process computer.

The status color statements are integrated with the position numeral statement. See Figure 7.7-2.

Reed switches are also provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves beyond the fully withdrawn position, an alarm is sounded in the control room. The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact, because, with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position.

Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position and observing that the overtravel alarm does not annunciate.

The process computer receives position indication from each rod and is capable of displaying and printing control rod position information.

All displays are essentially independent of one another. Signals for the rod status display are hard-wired from the rod position information system cabinet (RPISC) buffer outputs, so that a signal failure of other parts of the RPISC will not affect this display. Likewise, the computer could conceivably fail and the rod status and rod position displays will continue to function normally.

The following control room lights, alarms, and indications are provided to allow the operator to know the conditions of the Control Rod Drive Hydraulic System and the control circuitry:

a. Stabilizing valve selector switch position,
b. Insert bus energized,
c. Withdraw bus energized,
d. Settle bus energized,
e. Withdraw permissive,
f. CRD Notch override emergency in direction,
g. Pressure control valve position,
h. Flow control valve position,
i. Drive water pump low suction pressure (alarm only),
j. Drive water filter high differential pressure (alarm only),
k. Charging water (to accumulator) high pressure (alarm and indication),
l. Control rod drive temperature (alarm only),
m. Scram discharge volume not drained (alarm only), and
n. Scram valve pilot air header low pressure (alarm only).

Additional instrumentation provided for the Reactor Manual Control System is presented in Table 7.7-1. Many of these Reactor Manual Control System indications are displayed on the Main Control Room Panels.

7.7.5 Safety Evaluation

The circuitry described for the Reactor Manual Control System is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the reactor manual control circuitry from affecting the scram circuitry. The scram circuitry is discussed in Subsection 7.2. Because each control rod is controlled as an individual unit, a failure that results in energizing of any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. It can be concluded that no single failure in the Reactor Manual Control System can result in the prevention of a reactor scram, and that repair, adjustment, or maintenance of Reactor Manual Control System components does not affect the scram circuitry. This meets safety design bases 1 and 2.

The rod block monitor limits local power spikes due to rod withdrawal. This meets safety design basis 3. The logic and instrumentation used in the Reactor Manual Control System are designed to prevent rod movement in the event that one channel of a required protective function becomes inoperable. This meets safety design basis 4.

7.7.6 Inspection and Testing

The Reactor Manual Control System can be routinely checked for proper operation by manipulating control rods using the various methods of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

Table 7.7-1 (Sheet 1)

REACTOR MANUAL CONTROL SYSTEM INSTRUMENTATION

Measured Variable                       Instrument Type      Instrument No.   Trip Setting
Pump Suction Pressure                   Pressure Indicator   2-PI-85-1        ---
Pump Suction Pressure Alarm             Pressure Switch      2-PS-85-1        low pressure
                                                             2-PA-85-1
Pump Discharge Pressure                 Pressure Indicator   2-PI-85-9        ---
Filter Pressure Drop                    P Indicator          2-PDIS-85-10     high differential pressure
System Flow Indication and Controller   Flow Indicator       2-FI-85-11A
                                                             2-FI-85-11B
Accum. HDR. CHG. PRESS Alarm            Press Indicator      2-PA-85-13       high pressure
Drive HDR. Flow                         Flow Indicator       2-FI-85-15A      ---
                                                             2-FI-85-15B
Drive HDR. Pressure                     Pressure Indicator   2-PI-85-16       ---
Drive HDR. Pressure Drop                P Indicator          2-PDI-85-17A     ---
                                                             2-PDI-85-17B
Cooling HDR. Flow                       Flow Indicator       2-FI-85-25A      ---
                                                             2-FI-85-25B
Cooling Pressure                        Pressure Indicator   2-PI-85-26       ---
Cooling HDR. Pressure Drop              P Indicator          2-PDI-85-18A     ---
                                                             2-PDI-85-18B
Stabilizing Flow                        Flow Indicator       2-FI-85-22       ---
Exhaust Pressure                        Pressure Indicator   2-PI-85-29       ---
Return Pressure                         Pressure Indicator   2-PI-85-31       ---
Scram Discharge Volume Level            Level Switch         2-LS-85-45L      ---
                                                             2-LS-85-45M
Drive Temperature                       Monitor              2-TR-85-7A       high temperature
                                                             2-TR-85-7B
                                                             2-TR-85-7A1
                                                             2-TR-85-7B1

Table 7.7-1 (Sheet 2)

REACTOR MANUAL CONTROL SYSTEM INSTRUMENTATION

Measured Variable                       Instrument Type      Instrument No.   Trip Setting
Instrument Air Supply Pressure          Pressure Indicator   2-PI-85-12       ---
F. C. Station Air Pressure              Pressure Indicator   2-PI-85-92       ---
Scram Pilot Air HDR. Pressure           Pressure Indicator   2-PI-85-38       ---
Scram Pilot Air HDR. Pressure           Pressure Switch      2-PS-85-38       low pressure
                                                                              high pressure
Accum. N2 Chg. Pressure                 Pressure Indicator   2-PI-85-33A      ---
                                                             2-PI-85-33B
Exhaust Flow                            Flow Indicator       2-FI-85-30A      ---
                                                             2-FI-85-30B
FCV Electro/Pneumatic Converter         Pressure/Current     2-FM-85-11A      ---
                                                             2-FM-85-11B
Reactor Pressure                        Pressure Indicator   2-PI-85-19       ---
Upstream Return Pressure                Pressure Indicator   2-PI-85-28       ---
Control Rod Drive Overtravel            Reed Switches        S-50             over travel
(Withdraw direction)
Control Rod Drive Overtravel            Reed Switches        S-51             full in over travel
(insert direction)
Control Rod Position                    Reed Switches        S00-S48          ---
(normal range)
Rod Block - neutron monitoring          See "NEUTRON MONITORING SYSTEM"
system trip channels
Rod Block - rod worth minimizer         See "PROCESS COMPUTER SYSTEM"
Rod Block - flow converter and          See "NEUTRON MONITORING SYSTEM"
comparator trip channels

Figures 7.7-1a through 7.7-1d (Deleted by Amendment 22)

Figures 7.7-1e and 7.7-1f (Deleted by Amendment 17)

Figure 7.7-5 (Deleted by Amendment 18)

Figure 7.7-6 Deleted by Amendment 16

Figures 7.7-6a and 7.7-6b (Deleted by Amendment 22)

APPENDIX 7.7A (Deleted)

ROD SEQUENCE CONTROL SYSTEM FOR UNIT 1 (Deleted)

APPENDIX 7.7B ROD SEQUENCE CONTROL SYSTEM FOR UNITS 1 and 3 Deleted

CONTENTS DELETED Deleted by Amendment 12

TABLES 7.7B-1 (Deleted) 7.7B-2 (Deleted)

FIGURES 7.7B-1 (Deleted) 7.7B-2 (Deleted) 7.7B-3 (Deleted) 7.7B-4 (Deleted) 7.7B-5 (Deleted) 7.7B-6 (Deleted) 7.7B-7 (Deleted) 7.7B-8 (Deleted) 7.7B-9 (Deleted)

Deleted by Amendment 12

7.8 REACTOR VESSEL INSTRUMENTATION

7.8.1 Safety Objective

The safety objective of the reactor vessel instrumentation is to monitor and transmit information concerning key reactor vessel operating parameters during planned operations and abnormal and accident conditions to ensure that sufficient control of these parameters is possible in order to avoid: (1) release of radioactive material to the environs such that the limits of 10 CFR 20 are exceeded, (2) nuclear system stress in excess of that allowed by applicable industry codes, and (3) the existence of any operating conditions not considered by plant safety analyses.

7.8.2 Safety Design Basis

Reactor vessel instrumentation shall be designed to:

a. Provide the operator with sufficient indication of reactor core flow rate during planned operations and abnormal and accident conditions to avoid operating conditions not considered by plant safety analyses.
b. Provide the operator with sufficient indication of reactor vessel water level during planned operations and abnormal and accident conditions to determine that the core is adequately covered by the coolant inventory inside the reactor vessel to avoid the release of radioactive materials to the environs such that the limits of 10 CFR 20 are exceeded, and to avoid operating conditions not considered by plant safety analyses.
c. Provide the operator with sufficient indication of reactor vessel pressure during planned operations and abnormal and accident conditions to avoid nuclear system stresses in excess of those allowed by applicable industry codes.
d. Provide the operator with sufficient indication of nuclear system leakage during planned operations and abnormal and accident conditions to avoid nuclear system stress in excess of that allowed by applicable industry codes and the release of radioactive material to the environs such that the limits of 10 CFR 20 are exceeded.

7.8.3 Power Generation Objective

The power generation objective of the reactor vessel instrumentation is to monitor and transmit reactor vessel parameter information such that the convenient, efficient, and economical operation of the plant is facilitated.

7.8.4 Power Generation Design Basis

Reactor vessel instrumentation shall be designed to monitor and transmit sufficient reactor vessel parameter information to the operator such that he is continually able to operate the plant conveniently, efficiently, and economically.

7.8.5 Description

Figures 7.8-1 sheets 1, 2, 3, 4, 5, and 6 and 4.3-2a sheets 1, 2, and 3 show the numbers and arrangements of the sensors, switches, and sensing equipment used to monitor reactor vessel conditions. Because the reactor vessel sensors used for safety systems and engineered safeguards have been described and evaluated in other portions of the Safety Analysis Report, only those sensors that are not used for safety systems and engineered safeguards are described in this paragraph.

7.8.5.1 Reactor Vessel Surface Temperature

A total of 46 thermocouples are attached to the reactor vessel, the vessel top head, the vessel head studs, and the control rod drive housings to provide the operator with temperature information so that the thermal stresses imposed on the vessel and its attachments can be determined. Figure 7.8-3 shows the locations of the thermocouples. Probe-type thermocouples are used to measure the temperature inside the reactor vessel head studs. Magnetically-attached thermocouples are used to measure the surface temperature of the vessel, top head, and top head flange. Thermocouple and temperature recorder instrumentation are listed in Table 7.8-1.

The collection of thermocouples provides temperature data representative of thick, thin, and transitional sections of the vessel and its attachments. The data obtained from the thermocouples are used as the basis for controlling the rate of heating or cooling of the vessel so that thermal stresses are appropriately limited. Selected temperatures are recorded on a multipoint recorder in the control room. The temperature of the reactor vessel flange and the vessel wall adjacent to the flange is recorded on a temperature recorder.

7.8.5.2 Reactor Vessel Water Level

Reactor vessel water level indication is obtained by comparing the pressure exerted by the actual height of water inside the vessel to the pressure exerted by a constant reference column of water. Pipelines which are connected to widely separated nozzles in the reactor vessel lead from the vessel to locations outside the primary containment where they terminate at instrument racks in the Reactor Building.

Level-measuring instruments are attached to the appropriate sensor pipelines so that the proper differential pressure is applied to the level instruments. A condensing chamber is installed in the drywell on each of the pipelines used to provide a reference column of water for level measurements. The reactor vessel instrumentation used for safety systems is described and evaluated in Subsection 7.2, "Reactor Protection System." Each of the instrument pipelines is fitted with one manual isolation valve and one excess flow check valve, both of which are located directly outside the drywell in the Reactor Building. The instrument pipelines slope downward in the direction of the instruments so that no air traps are formed. Pressure and differential pressure measuring instruments also use these same instrument lines.

Reactor vessel water level indication is provided in the main control room on various panels. Redundant indications are provided for the Feedwater Control System, narrow range, wide range, and water level inside the core shroud. Indication is provided for water level all the way to the top of the vessel. A level recorder that receives the controlling level signal from the Feedwater Control System provides a continuous record of narrow range reactor vessel water level. The Feedwater Control System provides high and low water level alarms. Another water level recorder is provided to continuously record the water level above the top of the core.

Table 7.8-1 lists the level instrumentation not previously described with other systems.

Each of the actions listed is described and evaluated in the subsection of the Safety Analysis Report where the system involved is described. The following list tells where various level-measuring components are discussed.

Level Instrumentation                          Subsection in Which Discussed

Level transmitters for initiating scram        Reactor Protection System (7.2)

Level transmitters for initiating              Primary Containment Isolation
containment or reactor isolation               System (7.3)

Level transmitters used for HPCI,              Emergency Core Cooling Systems
LPCI, core spray, Automatic                    Controls and Instrumentation
Depressurization System,                       (7.4)
recirculation pump trip, or
recirculation loop valve closure.
Level transmitters used for
Emergency Core Cooling System
initiation.

Level transmitters used to measure             Emergency Core Cooling Systems
water level inside core shroud                 Controls and Instrumentation (7.4)

Level transmitters and recorders               Feedwater Control System
used for feedwater control                     (7.10)

Level transmitters used to trip                Emergency Core Cooling Systems
HPCI turbine.                                  Controls and Instrumentation (7.4)

Level transmitters used to                     Reactor Core Isolation
initiate the RCIC system.                      Cooling System (4.7)
Level Transmitters used to
isolate RCIC turbine.

The large number of reactor vessel water level indications gives the operator sufficient information to determine whether the coolant inventory is adequate to cool the fuel. In addition, by verifying that reactor vessel water level is not rising to an abnormally high level, the operator is assured that turbines are not endangered by the possibility of water being carried into the steam lines.

The approach of abnormal conditions is brought to the operator's attention by audible and visual alarms. It should be noted that in no case requiring safety system response is operator action required; all essential protection system responses are completely automatic.

7.8.5.3 Reactor Vessel Coolant Flow Rates and Differential Pressures

Figures 7.8-1 sheets 1, 2, 3, 4, 5, and 6 show the flow instruments, differential pressure instruments, and recorders provided so that the core coolant flow rates and the hydraulic performance of reactor vessel internals can be determined.

The differential pressure across each of the jet pumps is measured and indicated in the Main Control Room. Four jet pumps, two associated with each recirculation loop, are specially calibrated. They are provided with special pressure taps in the diffuser sections. The differential pressure measured between the special taps allows precise flow calibration using jet pump prototype test performance data. The flow rates through the remaining jet pumps are derived from the measured pressure differences between the jet pump diffuser near the throat end and the core inlet plenum. The flow rates through the jet pumps associated with each recirculation loop are summed to provide control room indication of the core flow rate associated with each recirculation loop. The total flows for both recirculation loops are again summed to provide a recorded control room indication of the total flow through the core.

A differential pressure transmitter and indicator are provided to measure the pressure difference between the reactor vessel annulus outside the core shroud and the core inlet plenum. This indication can be used to determine the overall hydraulic performance of the jet pump group and to check the total core flow rate. These indications are available in the control room.

A differential pressure transmitter is provided to indicate core pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The pipeline used to determine the pressure in the core inlet plenum is the same pipeline provided for the Standby Liquid Control System. A separate pipeline is provided for the pressure measurement above the core support assembly. The differential pressure is both indicated and recorded in the Main Control Room.

Instrument pipelines leading from the reactor vessel to locations outside the drywell are provided with one manual isolation valve and one excess flow check valve. All of the flow and differential pressure instruments are located outside the primary containment.

This instrumentation permits the determination of total core flow in two ways. The first method is the readout of the summed flow measurements from all the jet pumps. The second method includes the use of jet pump prototype performance data, the jet pump differential pressures, and the differential pressure between the reactor vessel annulus and the core inlet plenum. A temporary correlation can also be made to define core flow as a function of reactor operating power level and the readout of the pressure difference between the reactor vessel annulus and the core inlet plenum. This correlation is of a temporary nature, because it will change with a fixed core arrangement over a period of time as a result of crud buildup on the fuel.

The control room flow rate readouts of the specially calibrated jet pumps can be used to cross-check the flow rate readouts of all the other jet pumps. A discrepancy in the cross-check is reason enough to check local flow indications. Core flow can also be determined by heat balance methods, using the output of sensors in the steam lines, feedwater lines, and the recirculation system.
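The summation and cross-check described above, as an added example that is not part of the FSAR or of the plant's instrumentation. The pump tags, flow coefficients, differential pressures, the 10 percent tolerance, and the premise that pumps in one loop carry nominally equal flow are all constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class JetPump:
    tag: str          # constructed identifier, not a plant tag
    loop: str         # recirculation loop, "A" or "B"
    calibrated: bool  # True for the specially calibrated pumps (two per loop)
    k: float          # constructed flow coefficient: flow = k * sqrt(dP)
    dp: float         # measured differential pressure (constructed value)


def pump_flow(pump):
    """Square-root extraction: flow is proportional to sqrt(differential pressure)."""
    if not math.isfinite(pump.dp) or pump.dp < 0 or pump.k <= 0:
        # A negative or non-finite dP is a failed transmitter, not a flow.
        raise ValueError(f"{pump.tag}: invalid dP or coefficient")
    return pump.k * math.sqrt(pump.dp)


def loop_flows(pumps):
    """First flow summer: total jet pump flow per recirculation loop."""
    totals = {}
    for p in pumps:
        totals[p.loop] = totals.get(p.loop, 0.0) + pump_flow(p)
    return totals


def total_core_flow(pumps):
    """Second flow summer: both loop totals summed into total core flow."""
    return sum(loop_flows(pumps).values())


def cross_check(pumps, tolerance=0.10):
    """Return tags of uncalibrated pumps that disagree with the calibrated pumps.

    Assumption of this example: the reference for a loop is the mean flow of
    its calibrated pumps, and a deviation above `tolerance` (a fraction of
    that reference) is the discrepancy that sends someone to the local gauges.
    """
    flagged = []
    for loop in sorted({p.loop for p in pumps}):
        reference = [pump_flow(p) for p in pumps if p.loop == loop and p.calibrated]
        if not reference:
            raise ValueError(f"loop {loop}: no calibrated pump to compare against")
        ref = sum(reference) / len(reference)
        for p in pumps:
            if p.loop == loop and not p.calibrated:
                if abs(pump_flow(p) - ref) > tolerance * ref:
                    flagged.append(p.tag)
    return flagged


# Constructed sample: four pumps per loop, A4 reading 25 percent high.
SAMPLE = [
    JetPump("A1", "A", True, 1.0, 16.0),
    JetPump("A2", "A", True, 1.0, 16.0),
    JetPump("A3", "A", False, 1.0, 16.0),
    JetPump("A4", "A", False, 1.0, 25.0),
    JetPump("B1", "B", True, 1.0, 16.0),
    JetPump("B2", "B", True, 1.0, 16.0),
    JetPump("B3", "B", False, 1.0, 16.0),
    JetPump("B4", "B", False, 1.0, 16.0),
]

if __name__ == "__main__":
    print(loop_flows(SAMPLE), total_core_flow(SAMPLE), cross_check(SAMPLE))
```

A flagged pump still contributes to the summed total, so a drifting transmitter biases the indicated core flow until the cross-check is acted on.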

Flow in each recirculation loop is measured by a flow element, as shown in Figures 7.8-1 sheets 2, 4, and 6. Recirculation water temperature is recorded in the control room. Indicated recirculation loop flow rates can be checked by using recirculation pump performance curves and the differential pressure between the reactor vessel annulus and the core inlet plenum. Extreme accuracy of the flow rate operational readouts in the control room is not necessary, because precise measurements can be obtained during reactor operation if they are desired.

7.8.5.4 Reactor Vessel Internal Pressure

Reactor vessel internal pressure is detected by pressure switches, indicators, and transmitters from the same instrument pipelines used for reactor vessel water level measurements. Two pressure indicators that sense pressure from different, separated instrument pipelines provide pressure indications in the Reactor Building.

Three (Unit 1) and four (Units 2 and 3) reactor vessel pressure indications are provided in the Main Control Room. These come from the three pressure transmitters used in the Feedwater Control System. Reactor vessel pressure is continuously recorded in the Main Control Room on a recorder. The recorder receives a pressure signal from the Feedwater Control System. There is also a narrow range reactor pressure recorder in the control room. In addition, two pressure transmitters provide reactor pressure to indicators located in the control room. These two pressure indicators are available for postaccident monitoring (PAM) to indicate detection of potential breach in the reactor coolant pressure boundary and long-term surveillance of RPV pressure for one hundred days.

The following list shows where reactor vessel pressure measuring instruments used for the automatic control of equipment or systems are discussed.

| Pressure Instrumentation | Subsection in Which Discussed |
|---|---|
| Pressure switches used to initiate a scram | Reactor Protection System (7.2) |
| Pressure switches used for Core Spray System and LPCI | Emergency Core Cooling Systems Controls and Instrumentation (7.4) |
| Pressure transmitters and recorders used for feedwater control | Feedwater Control System (7.10) |
| Differential pressure switches measuring differential pressure between reactor vessel and jet pump riser pipes | Emergency Core Cooling Systems Controls and Instrumentation (7.4) |
| Differential pressure switches measuring differential pressure between inside of core spray sparger pipes and core inlet above the core support assembly | Emergency Core Cooling Systems Controls and Instrumentation (7.4) |
| Pressure indicators for 100 days postaccident monitoring | Reactor Vessel Instrumentation (7.8) |

7.8.5.5 Reactor Vessel Top Head Flange Leak Detection

A connection on the reactor vessel flange is provided into the annulus between the two metallic seal rings used to seal the reactor vessel and top head flanges. This connection permits detection of leakage from the inside of the reactor vessel past the inner seal ring. The connection is piped to a collection chamber installed between two AC, solenoid-operated valves. The arrangement is shown in Figure 7.8-1 sheets 1, 3, and 5.

The upstream valve is normally open, the downstream valve normally closed. A level switch is provided to detect the accumulation of water in the collection chamber. This level switch actuates an alarm in the control room. A pressure switch is also provided to actuate the alarm in the control room as pressure in the leakage collection piping becomes abnormally high. A pressure indicator is provided to indicate the pressure inside the piping arrangement. The level switch is located inside the primary containment; and the pressure instruments are located outside the drywell, but inside the Reactor Building. The instrument pipeline for the pressure instruments is provided with one manual isolation valve and one excess flow check valve. The two solenoid valves are controlled by a switch in the control room. The positions of the valves are indicated by lights. If leakage past the inner seal ring is indicated, the upstream valve can be closed and the downstream valve can be opened by remote-manual operation from the control room. This action routes the accumulated leakage to the drywell equipment drain sump. After the collection chamber is drained, the solenoid-operated valves can be returned to their normal positions. The leakage rate can be determined by timing the period until the level alarm is reactivated. (See Subsection 4.10, "Nuclear System Leakage Rate Limits.")

A connection is provided on the reactor vessel beyond the outer metallic head seal. This connection is piped to a point in the drywell accessible during reactor shutdown and is capped. (Note: In the event that difficulty is encountered in obtaining a pressure-tight seal on the inner metallic seal, it may be desirable to operate on the outer metallic seal only. It is possible to install a low-pressure seal beyond the outer metallic seal and monitor the space between for outer metallic seal leakage by use of this piped connection.)

7.8.5.6 Primary Containment Monitoring

The instrumentation used for remote monitoring of operational occurrences and post-accident conditions in the primary containment is listed in Table 7.8-2. The range of each instrument and any trip functions are also provided. The configuration of these instruments is depicted in FSAR Figures 5.2-2a sheets 1, 2, and 3, 5.2-2b, 5.2-2c, 5.2-2d, 5.2-2e, 5.2-2f, 5.2-2g, 5.2-6a sheets 1, 3 and 4, and 5.2-6b, 5.2-6c, and 5.2-6d. Post-accident hydrogen and oxygen monitoring is further discussed in paragraph 5.2.6 of the FSAR.

7.8.6 Safety Design Evaluation

The reactor vessel instrumentation is designed to provide sufficient continuous indication of key reactor vessel operating parameters during planned operations and abnormal and accident conditions such that the operator can efficiently monitor these parameters and anticipate any approach to operating conditions which could lead to any of the unacceptable safety results discussed earlier. The redundancy of all indicators provided assures that the possibility that all instrumentation could be lost simultaneously is so remote as to be negligible. In addition, sensors providing safety signals to the Reactor Protection System and Engineered Safeguards Systems for scram and isolation functions are separate from these indicator sensors such that loss of indication does not directly obviate protection against accidents and transients. It is therefore concluded that the safety design bases are satisfied.

7.8.7 Inspection and Testing

A large number of spare thermocouples is provided on the reactor vessel and its attachments to permit cross-checking to verify proper thermocouple response.

Pressure, differential pressure, water level, and flow instruments are located in the Reactor Building and are piped so that calibration and test signals can be applied during reactor operation, if desired.

TABLE 7.8-1

REACTOR VESSEL INSTRUMENTATION

| Measured Variable | Instrument Type | Trip Setting |
|---|---|---|
| Reactor vessel surface temperature | Thermocouple | - |
| Reactor vessel top head surface temperature | Thermocouple | - |
| Reactor vessel top head flange surface temperature | Thermocouple | - |
| Reactor vessel surface temperature | Temperature recorder | - |
| Calibrated jet pump flow | Flow transmitter | - |
| Jet pump flow rate | Flow transmitter | - |
| Calibrated jet pump flow | Flow indicator | - |
| Jet pump flow rate | Flow indicator | - |
| Calibrated jet pump flow | Square root extractor | - |
| Recirculation loop flow rate | Flow summer | - |
| Recirculation loop flow rate | Flow indicator | - |
| Core total flow | Flow summer | - |

\* Other instruments measuring reactor vessel variables are discussed in sections of the Safety Analysis Report where the systems using the instruments are described.

\** Four level ranges with corresponding level trip settings.
TABLE 7.8-2

PRIMARY CONTAINMENT MONITORING INSTRUMENTATION

| Instrument | Instrument Range | Location | Trip Function |
|---|---|---|---|
| Drywell Pressure Indication | -15 to 65 psig; 0-300 psig | Local and Control Room | - |
| Drywell Pressure Recorder | -15 to 65 psig; 0-300 psig | Control Room | Alarm on High Pressure |
| Drywell Temperature Indication (2) | 0-400°F | Control Room; Local | Alarm on High Temperature |
| Drywell Temperature Recorder | 0-400°F | Control Room | Alarm on High Temperature |
| Pressure Suppression Chamber Pressure Indicator | 0-60 psig | Local | - |
| Pressure Suppression Chamber Pressure Recorder | 0-60 psig | Control Room | - |
| Pressure Suppression Chamber Air Temperature Recorder | 0-400°F | Control Room | - |
| Pressure Suppression Chamber Water Level Indication (Narrow Range) | -15" to +10" (U3); -25 to +25 (U2) | Control Room | Alarm on High or Low Water Level |
| Pressure Suppression Chamber Water Level Indication and Recording (Wide Range) | 0-240" | Control Room | - |
| Pressure Suppression Chamber Water Temperature Indication | 30°-230°F | Control Room (2 Channels); Local | Alarm on High Temperature |
| Drywell Flood Level | 85' 4" above instrument penetration | Control Room | Alarm on High Level |
| Drywell Equipment Drain Sump Level | 0" to 40" above sump floor | Local | Alarm on decreasing level, on increasing level, and high fill rate |
| Drywell Floor Drain Sump Level | 0" to 40" above sump floor | Local | Alarm on decreasing level, increasing level, and high fill rate |
| Drywell Sump Level (measured by integrated sump pump flow recording) | 0-150 GPM | Control Room | - |
| Leak Detection Monitor Low Level Radiation | 10-10^6 cpm | Local | Alarm on High Radiation |
| Oxygen analyzer* | 0-25%**; 0-5% | Control Room | Alarm on High Oxygen Concentration |
| Postaccident Containment Atmosphere Monitoring System (1) High Level Radiation Recorder | 1-10^7 R/Hr | Control Room | Alarm on High Radiation |
| Postaccident Containment Atmosphere Monitoring System (2) Hydrogen Analyzer | 0-20%**; 0-100% | Control Room | Alarm on High Hydrogen Concentration |

\* Monitor will be used in normal operation and in postaccident monitoring.

\** Range can be selected.

7.9 RECIRCULATION FLOW CONTROL SYSTEM

7.9.1 Power Generation Objective

The objective of the Recirculation Flow Control System is to control reactor power level over a limited range by controlling the flow rate of the reactor recirculating water.

7.9.2 Power Generation Design Basis

The Recirculation Flow Control System is designed to allow manual control of reactor power by adjusting the flow rate of the recirculation water.

7.9.3 Safety Design Basis

The Recirculation Flow Control System shall function so that no operational transient resulting from a malfunction in the Recirculation Flow Control System can result in fuel damage or in a violation of the nuclear system pressure limit.

7.9.4 Description

7.9.4.1 General

The Recirculation Flow Control System adjusts the flow rate of the recirculating pumps by adjusting the frequency and voltage supplied to the pump motors. The change in flow then effects changes in reactor power.

An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. Due to the higher moderator density, the core reactivity, and thus power level, is increased. At this higher power level (higher heat flux), the steam volume in the core increases with a subsequent decrease in core reactivity. A new steam void equilibrium is subsequently attained at the higher recirculation flow rate, which establishes a new steady-state power level. When the recirculation flow is reduced, the power level is reduced in the reverse manner.

When both reactor recirculation pumps are operating (Unit 2 only), one equalizer valve between the two recirculation pump discharge lines is opened and the other equalizer valve is closed. The motive power to the valves is removed. This prevents pressure buildup between the equalizer valves due to ambient and conduction heating of the water. Units 1 and 3 have a different recirculation pump discharge piping arrangement which does not have equalizing valves.

7.9.4.2 Variable Frequency Drive (Units 1, 2, and 3)

Units 1, 2, and 3 - Each variable frequency drive (VFD) supplies power to its associated recirculating pump motor. Each of the two VFDs and its controls are identical; therefore, only one description is given. The VFD can continuously supply power to the pump motor at any frequency between approximately 11.5 Hz and 57.5 Hz. The VFD is capable of starting the pump and accelerating it from standstill to the desired operating speed when the pump motor thrust bearing is fully loaded by reactor pressure acting on the pump shaft.

Units 1, 2, and 3 - The main components of the VFD are transformers, power cells, and a control center to adjust the output speed.

7.9.4.2.1 VFD Transformers (Units 1, 2, and 3)

Units 1, 2, and 3 - The VFD transformers supply 3-phase voltages to the output power cells. The normal AC power for each transformer is supplied from that unit's associated unit station service transformer, and the alternate AC power is supplied from a different bus.

7.9.4.2.2 Power Cells (Units 1, 2, and 3)

Units 1, 2, and 3 - The VFD power cells provide output power to the recirculation pump motor.

7.9.4.3 Speed Control Components

Units 1, 2, and 3 - The speed control system is a fault tolerant digital control system. This system is configured to provide for individual VFD control and common master manual control. This control system is comprised of various I/O and processor modules with operator control stations in the main control room. The VFD has a master control center that interfaces with each VFD's speed control system. All control and limiting functions are performed via software operating on the processor modules.

7.9.4.3.1 Master Control

Units 1, 2, and 3 - The master control station allows for varying the speed of both recirculation pumps simultaneously.

7.9.4.3.2 Speed Demand Limiter

Units 1, 2, and 3 - The VFDs are equipped with a frequency change limiter. This limiter provides a limit to the rate of change of frequency for the VFD.

7.9.4.3.3 Manual Control Station (Units 1, 2, and 3)

Units 1, 2, and 3 - Each VFD is provided with an individual control station to allow individual manual control, and a parallel master control station with the capability of manually varying the speed of both recirculation pumps simultaneously.

7.9.4.3.4 Speed Controller (One for each VFD - Units 1, 2, and 3)

Units 1, 2, and 3 - The software implemented speed controller provides the signal that adjusts the VFD speed control.

Units 1, 2, and 3 - The individual VFD speed control setpoint signal is adjusted from the master control station during master manual control, and from the individual VFD control stations during individual VFD manual operation. A preset startup setpoint is input during pump startup.

7.9.4.3.5 Startup Signal Generator (One for Each VFD - Units 1, 2, and 3)

Units 1, 2, and 3 - A software startup signal generator will supply an output to the VFD control to provide for an approximate 11.5 hertz frequency of the recirculation pump motor.

7.9.4.3.6 Speed Limiter (Two for Each VFD - Units 1, 2, and 3)

Units 1, 2, and 3 - The two speed limiters are implemented in software. Speed limiter No. 1 automatically limits the recirculation pump speed to 28 percent of rated speed if the recirculation pump main discharge valve is not fully open, or if the total feedwater flow is less than 16.6 percent of rated flow. Without this speed limiter, the recirculation pump could overheat if the recirculation pump discharge valve is partly closed. This speed limiter also prevents cavitation in the recirculation or jet pumps if the feedwater flow drops below 16.6 percent of rated flow.

Speed limiter No. 2 automatically limits the recirculation pump speed to 75 percent of rated flow if one of the three feedwater pumps is at low flow and, coincidentally, the reactor water level is below the low-level alarm setpoint. This reduction of the recirculation pump speed reduces the reactor power to a level within the flow capacity of the remaining feedwater pumps, thus preventing plant shutdown due to a low-water-level scram. Units 2 and 3 - Speed limiter No. 2 is also initiated on a reactor scram signal to limit the recirculation pump speed to 75 percent of rated flow to mitigate the magnitude of reactor water level transients from a scram.
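The two limiters described above, written out as an added example that is not the plant's control software. The input names, the 100 percent unrestricted ceiling, the treatment of an unreadable feedwater flow signal as low flow, and reading "one of the three feedwater pumps" as "at least one" are assumptions of this sketch.

```python
import math
from dataclasses import dataclass

LIMITER_1_SPEED_PCT = 28.0     # limiter No. 1 ceiling, percent of rated speed
LIMITER_2_SPEED_PCT = 75.0     # limiter No. 2 ceiling (stated in the text as 75 percent)
FEEDWATER_LOW_FLOW_PCT = 16.6  # total feedwater flow threshold, percent of rated flow
NO_LIMIT_PCT = 100.0           # assumption: unrestricted demand tops out at 100 percent


@dataclass(frozen=True)
class LimiterInputs:
    unit: int                         # 1, 2 or 3
    discharge_valve_fully_open: bool  # recirculation pump main discharge valve
    total_feedwater_flow_pct: float   # percent of rated feedwater flow
    feedwater_pump_low_flow: tuple    # one low-flow flag per feedwater pump (three)
    level_below_low_alarm: bool       # reactor water level below low-level alarm
    scram_signal: bool                # reactor scram signal present


def limiter_1_active(x):
    """Discharge valve not fully open, or total feedwater flow below 16.6 percent."""
    flow = x.total_feedwater_flow_pct
    # Assumption: a non-numeric or non-finite flow signal is handled as low
    # flow, so a failed input restricts speed instead of releasing it.
    flow_bad = not isinstance(flow, (int, float)) or not math.isfinite(flow)
    return (not x.discharge_valve_fully_open) or flow_bad or flow < FEEDWATER_LOW_FLOW_PCT


def limiter_2_active(x):
    """Feedwater pump low flow coincident with low level, or scram on Units 2 and 3."""
    if len(x.feedwater_pump_low_flow) != 3:
        raise ValueError("expected one low-flow flag for each of three feedwater pumps")
    pump_runback = any(x.feedwater_pump_low_flow) and x.level_below_low_alarm
    scram_runback = x.scram_signal and x.unit in (2, 3)
    return pump_runback or scram_runback


def speed_ceiling_pct(x):
    """Return (ceiling, reasons); the lowest active limiter wins."""
    ceiling, reasons = NO_LIMIT_PCT, []
    if limiter_2_active(x):
        ceiling = min(ceiling, LIMITER_2_SPEED_PCT)
        reasons.append("limiter 2")
    if limiter_1_active(x):
        ceiling = min(ceiling, LIMITER_1_SPEED_PCT)
        reasons.append("limiter 1")
    return ceiling, reasons


def limited_demand_pct(demand_pct, x):
    """Clamp an operator speed demand to the current ceiling."""
    if not math.isfinite(demand_pct):
        raise ValueError("speed demand must be a finite number")
    ceiling, _ = speed_ceiling_pct(x)
    return max(0.0, min(demand_pct, ceiling))


# Constructed operating point: Unit 2, valve open, full feedwater flow.
NORMAL = LimiterInputs(2, True, 100.0, (False, False, False), False, False)

if __name__ == "__main__":
    print(speed_ceiling_pct(NORMAL), limited_demand_pct(90.0, NORMAL))
```

The threshold comparison is strict, matching "less than 16.6 percent": a reading of exactly 16.6 does not engage limiter No. 1.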

There are three operator initiated manual runbacks. Two runbacks are based on total steam flow (for an approximation of reactor power), and one is based on total core flow.

7.9.4.4 System Operation

7.9.4.4.1 Recirculation Loop Starting Sequence (Units 1, 2, and 3)

Each recirculation loop is independently put into operation by operating the controls of each recirculation loop as follows:

a. The starting sequence is manually initiated by placing the VFD start switch for one VFD in the start position. The VFD supply breaker closes provided that:
1. The recirculation loop suction valve is fully open.
2. The recirculation loop discharge valve is fully closed.
3. RPT breaker closed.
4. VFD lockout relay is reset.
5. 4160V Recirculation Board lockout relay is reset.
b. After recirculation pump start is sensed by a differential pressure switch, the jogging circuit initiates the pump discharge valve open sequence.
c. Recirculation flow is initially increased during startup to a preset value providing all control system permissives are met.
d. After startup, the master control station can control both recirculation loops or the individual VFD control stations can control their respective recirculation loop.
e. Recirculation flow is increased by manually increasing pump speed.

7.9.4.5 Recirculation Pump Trip (RPT) Control System

7.9.4.5.1 Description

The recirculation pump trip (RPT) is the recirculation control system that trips the recirculation pump motors from their power supplies in response to a turbine-generator trip, load rejection, or an Anticipated Transient Without Scram (ATWS). Its function is to reduce the severity of the thermal transients on the fuel due to the turbine-generator trip and load rejection events by tripping the recirculation pumps early in the event, and to reduce reactor power during an ATWS event. The rapid core-flow reduction increases void content and thereby reduces reactivity in conjunction with the control rod scram. See FSAR Section 7.19 for a description of the ATWS RPT system.

The RPT system is not classified as safety-related but is designed to Class 1E standards (IEEE 279). The RPT breakers and trip logic are designed as seismic Category 1, Class 1E equipment and are expected to remain functional in the event of a design basis earthquake. Input to the RPT trip logic is from relays in the reactor protection system (RPS).

The major components of the RPT system are RPS relays which trip on turbine control valve fast closure and stop valve position, RPS relays which respond to reactor output power level, separate division logic, and two circuit breakers for each pump motor.

The RPT System does not need to be operable until reactor thermal power is greater than or equal to 26 percent rated thermal power. It may remain inoperable above this power level if the minimum critical power ratio limits specified by the Core Operating Limits Report (COLR) for the RPT out-of-service condition are met.

7.9.4.5.2 System Design

The RPT system design is based on two separate trip divisions; each has equipment for each measured variable. This system is designed to meet the single-failure criterion such that any single trip channel (sensor and associated equipment) or system component failure does not prevent the system from performing its intended function.

Electromechanical relays are used as the logic elements within the RPT system, and the RPT system logic is of the fail-safe type (i.e., it trips on loss of electrical power). A switch is provided to reset the RPT system manually after pump trip.

The total delay time from start of "Turbine Stop Valve Closure," or "Turbine Control Valve Fast Closure," to complete suppression of the electric arc between the fully open contacts of the circuit breaker is less than 175 milliseconds at 80 percent of rated pump motor speed.

The start of the "Turbine Stop Valve Closure" event is defined as the beginning of turbine stop valve motion from its original full-open position.

The start of the "Turbine Control Valve Fast Closure" event is defined as the beginning of turbine control valve fast closure motion. If this event signal is not available as a time measurement reference, the control-valve hydraulic-pressure-switch change-of-state can be used as a substitute. This can be done only if it can be demonstrated that the hydraulic-pressure-switch change-of-state occurs before or within 30 milliseconds after the beginning of control valve fast closure motion.

When either of the end-of-cycle (EOC) recirculation pump breakers trips, the VFD breaker (Units 1, 2, and 3) is then tripped. This is accomplished through automatic logic control.

Both of the EOC breakers must be closed for the VFD breaker (Units 1, 2, and 3) to be closed. The interlock is accomplished through automatic logic control.

7.9.4.5.3 Equipment

Individual components were procured to specifications which satisfy the operational and environmental conditions. Manufacturer and plant startup test data, or reasonable engineering extrapolation based on test data, are available to verify that equipment which must operate to provide protection system action meets, on a continuing basis, the performance requirements determined to be necessary for achieving the system requirements.

Primary Logic Elements and Sensors

The primary trip channels and division logic elements are fast-response, high-reliability-type relays which are compatible with those relays used for the Reactor Protection System. Sensors and associated equipment are highly reliable, and the components are of a quality consistent with minimum maintenance requirements and low failure rate.

Circuit Breakers

Each pump motor has two circuit breakers in series. The circuit breakers are designed, built, and supplied with quality assurance to Class 1E equipment.

One circuit breaker trip coil is used exclusively for the RPT system. Separate division control power supply is provided for each of the series-connected circuit breakers.

All control and information circuits for each breaker, except for the trip coil used for the RPT system, are provided with approved isolation devices (isolation relays or other devices per IEEE-Standard 384) to permit interfacing with non-Class-1E external control and information circuits.

Cables

Wiring for the two-pump RPT system requires special isolation, routing, and protection considerations and is in accordance with the design criteria, "Physical Independence of Electrical Systems."

Equipment Components

The equipment components which form a part of the recirculation pump trip control system are listed below, along with their function and operating requirements.

Circuit Breaker Operating Requirements

a. Normal Range (a) Pump motor current at 30 percent to 100 percent rated speed
b. Accuracy (b, c) N/A
c. Number of Trip Coils Two
d. Interrupting Time Linear from 60 Hz to 15 Hz as follows:

| System Frequency (Hz) | Reactor Power (% NBR) (e) | Pump Motor Speed (% Rated) | VFD (Units 1, 2, & 3) Frequency (Hz) | Breaker Interrupting Time (Milliseconds) |
|---|---|---|---|---|
| 60 | 100 | 80 | 44.8 | <135 |
| 60 | 30 | 30 | 16.8 | <360 |

"Turbine Stop Valve Closure" Sensor

a. Normal Range (a) Fully open to fully closed
b. Accuracy (b, c) N/A
c. Trip Setting A fixed valve position less than or equal to 90 percent open
d. Response Time (d) N/A

"Turbine Control Valve Fast Closure" Sensor

a. Normal Range (a) Fully open to fully closed
b. Accuracy (b, c) N/A
c. Trip Setting Low Emergency Trip System (ETS) Fluid Pressure
d. Response Time (d) N/A

Recirculation Pump Trip System Bypass Switch

a. Normal Range (a) N/A
b. Accuracy (b, c) 3 percent rated power (e)
c. Bypass Setting 26 percent or less of rated power (e, f)
d. Response Time (d) N/A

Notes:

(a) Prudent, steady-state operational limits of the measured variable.

(b) The maximum-allowable error (based on full range) of the measurement at the point of switch actuation.

(c) The maximum-allowable error (based on full range) in the trip setpoint for repetitive switch actuation.

(d) The maximum-allowable time from when the variable being measured just exceeds the trip setpoint for opening the trip channel sensor contact during a transient event.

(e) Rated power defined as the main turbine power that corresponds to the reactor operation at 100 percent power with 100 percent recirculation flow.

(f) If the setpoint of the RPT is different for TSV closure and control-valve fast-closure scram bypass in the RPS, the setpoint for TSV closure and control-valve fast-closure scram bypass govern.

7.9.4.5.4 Reliability

The system is designed to accomplish the desired protection function and to minimize the effect of this additional system on plant availability.

The logic design does not cause the inadvertent trip of more than one pump, given a single component failure in the system. Each trip division is clearly identified to reduce the possibility of inadvertent trip of the recirculation pump during routine maintenance and test operations.

Redundant sensor circuits in each division (sensors, wiring, transmitter, amplifiers, etc.) are electrically, mechanically, and physically independent, so that they are unlikely to be disabled by a common cause except for an electrical power failure.

7.9.4.5.5 Testability

Capability is provided for testing the system logic and calibrating instrument channels once per refueling outage. Channel functional testing is performed once per quarter to ensure continued operability of the RPT function.

Provisions allow closure of stop valve and fast closure of turbine control valve separately, at least one valve at a time (for normal routine valve test purposes), without causing a pump motor trip.

The system input sensors and the division logic are capable of being checked one channel or division at a time. The sensors and system logic test or calibration during power operation does not initiate pump trip action at the system level.

Annunciators for RPT status are provided in the control room. Failure to restore normal signals to the sensors, or removal of bypass after test, is guarded against by making such failure conspicuous to the operating personnel and by ensuring that adequate checkoff, locking, and sealing procedures are followed.

7.9.4.5.6 Maintainability

The RPT system is designed to facilitate the recognition, location, replacement, repair, or adjustment of setpoint and malfunctioning components or modules. Most failing components in the system can be repaired or replaced during reactor operation without initiating the pump trip action at system level.

7.9.4.5.7 Operation Information

The RPT system is designed to provide the operator with accurate, complete, and timely information pertinent to the system status. Indicators and annunciators are provided for system input trip signals, initiation signal at system level, the status of trip coils, and the mechanical position of the circuit breakers.

7.9.4.5.8 System Interaction

The RPT system is separated from other recirculation control systems to the extent that failure of any single component in those systems does not prevent the system from performing its intended function.

7.9.4.5.9 Performance

The RPT system design meets the maximum time delay requirement such that rapid reactivity reduction is achieved early during turbine-generator trip or generator load-rejection event transients.

7.9.5 Safety Evaluation

Units 1, 2, and 3 - The Recirculation Flow Control System is designed with a VFD System instead of the MG Set System. The VFD does not add inertia for coastdown time.

Transient analyses described in Section 14.0, "Plant Safety Analysis," show that no malfunction in the Recirculation Flow Control System can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis.

7.9.6 Inspection and Testing

Units 1, 2, and 3 - The VFDs and their controls are functioning during normal power operation. Any abnormal operation of these components can be detected during operation. The components which do not continually function during normal operation can be tested and inspected during scheduled plant shutdowns.

Recirculation Flow Control System components are tested and inspected according to good maintenance practice and based on component manufacturers' recommendations.


BFN-16 Figure 7.9-1 Deleted

BFN-22 Figure 7.9-2 (Deleted by Amendment 22)

BFN-16 Figure 7.9-3 Deleted

BFN-22 Figures 7.9-4a through 7.9-4e (Deleted by Amendment 22)

BFN-21 Figure 7.9-4f (Deleted by Amendment 21)

7.10 FEEDWATER CONTROL SYSTEM

7.10.1 Power Generation Objective

The objective of the Feedwater Control System is to maintain a pre-established water level in the reactor vessel during planned operation.

7.10.2 Power Generation Design Basis

The Feedwater Control System shall regulate the feedwater flow so that the proper water level in the reactor vessel is maintained according to the requirements for steam quality over the entire operating range of the reactor.

The feedwater flow shall also provide sufficient subcooled water to the reactor vessel during power operation to maintain normal operating temperatures.

7.10.3 Description (Figures 7.10-2 through 7.10-7)

The Feedwater Control System, during normal operation, automatically regulates feedwater flow into the reactor vessel. The system is capable of being manually operated.

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel. The system also measures final feedwater temperature (Units 2 and 3 only). During automatic operation, the level, steam flow, and feed flow measurements are used for controlling feedwater flow.

The optimum reactor vessel water level is determined by the operation of the steam separators, which limit the water carryover with the steam going to the turbines, and which limit the steam carryunder with the water returning to the core. The water level in the reactor vessel is maintained within 2 inches of the desired level. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel.

The feedwater flow regulation is achieved by adjusting the speed of the turbine-driven feedwater pumps to deliver the required feedwater flow to the reactor vessel.

7.10.3.1 Reactor Vessel Water Level Measurement

Reactor vessel water level is measured by four identical independent sensing systems. A differential pressure transmitter (dPT) senses the difference between the pressure due to a constant reference column of water and the pressure due to the variable height of water in the reactor vessel. These differential pressure transmitters are installed on pipelines that serve other systems (see Subsection 7.8, "Reactor Vessel Instrumentation"). Each of the four dPTs supplies signals to the Reactor Feedwater Control System (RFWCS). The average of the four dPTs is used to develop a controlling level signal.

Three wide range pressure transmitters supply reactor pressure signals to the RFWCS. The pressure signals are averaged and the average reactor pressure signal is then applied to each dP signal and the average dP signal to produce a pressure compensated level signal.

The four compensated level signals and three pressure signals are indicated in the control room. Both level and pressure loops have manual bypass switches installed above their respective indicators to allow an operator to take that particular loop out-of-service. The RFWCS level and pressure loop bypass status is indicated in the MCR.

Average water level is used by the RFWCS as the controlling water level.

Controlling water level and average reactor pressure are continually recorded in the control room.

7.10.3.2 Steam Flow Measurement

Units 2 and 3

The steam flow is measured across each main steam line flow restrictor by a differential pressure transmitter. The differential pressure due to steam flow is sent to the RFWCS indicating mass flow rate.

The steam flow signals are compensated for adiabatic expansion of steam through the Main Steam flow nozzles and for temperature/density effects. The RFWCS sums all four main steam line flow signals to produce a total steam flow signal used in the control algorithm. Total steam flow is recorded in the control room.

Unit 1

The steam flow is measured across each main steam line flow restrictor by a differential pressure transmitter. The steam flow signal is then linearized by a square root converter to output a mass flow rate.

The corrected steam flow rate from each main steam line is indicated in the control room. The steam flow signals are added by a summer to produce a total steam flow signal for indication and feedwater flow control. The total steam flow is recorded in the control room.

7.10.3.3 Feedwater Flow Measurement

Units 2 and 3

Feedwater flow is measured in each feedwater line on the reactor side of the high pressure heaters. A flow element in each feedwater line is provided for flow measurement. The pressure difference across the flow element is sensed by a differential pressure transmitter. The differential pressure due to feedwater flow is sent to the RFWCS indicating mass flow rate. Four RFW temperature signals are used to provide density compensation for feedwater line flow. The feedwater inlet lines' flow elements are calibrated for incompressible flow at 380.1°F. A correction factor is applied to compensate for temperatures different from the calibrated density.

The feedwater flow signals are summed to provide a total feedwater flow signal used in the control algorithm. Total feedwater flow is recorded in the control room.

Unit 1

Feedwater flow is measured in each feedwater line on the reactor side of the high pressure heaters. A flow element in each feedwater line is provided for flow measurement. The pressure difference across the flow element is sensed by a differential pressure transmitter. The feedwater signal is then linearized by a square root converter to output a mass flow rate.

A summer is used to add the flow signals from the feedwater lines. The output from the summer is the total feedwater mass flow rate signal. This signal is used for indication and feedwater flow control. The total feedwater flow is recorded in the control room.

7.10.3.4 Feedwater Control Signal

Units 2 and 3

The RFWCS generates a control signal which is sent to each Reactor Feedwater Pump Turbine (RFPT) governor. The governor is designed to maintain normal operation in the event of a single loss of power and at worst may cause the loss of a single RFPT in the event of a loss of two power supplies to the three governors.

The RFWCS is designed to be a fault tolerant system which can maintain normal operation in the event of any single component failure, including loss of a single power feed.

Different modes of operation are available between the RFWCS and the RFPT governors: Governor Manual, Local, RFWCS Individual Manual, Master Manual, Single Element, and Three Element.

The RFWCS is designed to maintain the water level in the reactor vessel within the designated range during all modes of plant operation.

Level Control (Units 2 and 3)

The basic RFWCS control algorithm implements a proportional-integral (PI) control scheme.

The system also has a programmed response to mitigate reactor vessel overfill following a reactor scram. The transient level overshoot will be limited by controlling flow from a single RFW pump.

Indication is provided by the RFWCS that the scram response logic is active. The operator may bypass this logic using a handswitch provided in the Control Room.

Indication of scram logic bypass is also provided to ensure the operator can determine system status. The programmed scram response logic will be a lock-in signal which will only clear when the Scram Response Inhibit handswitch is used, the Master Level Controller is taken to manual, the measured level increases above the level setpoint, or a pre-set time limit expires.

Governor Manual and Local Operating Modes (Units 2 and 3)

Each RFPT is controlled by a governor which adjusts the speed of the RFPT as determined by demand from the Control Room operator. The governor obtains speed feedback from either of two magnetic speed pickups. When first starting the turbine, the turbine will automatically ramp to its low speed stop of approximately 600 RPM. Speed can then be adjusted by using the speed control handswitch in the Control Room.

Local control of each turbine may be enabled from the Control Room provided the turbine is already in Governor Manual control. Full control of the turbine is then available for testing in each Reactor Feedwater Pump Room. Local control is similar to Governor Manual control except for the location of the controls.

RFWCS Individual Manual and Master Manual Operating Modes (Units 2 and 3)

In RFWCS Individual Manual mode, the reactor water level is controlled in an open-loop manner through operator adjustment of each feed pump speed (or startup valve demand) from its Control Station located in the Main Control Room. The Control Stations are similar to controllers, but only provide input and output display and do not actually perform any control function. All control functions are implemented in the RFWCS located in the Auxiliary Instrument Room.

In RFWCS Individual Manual mode, signal conditioning is performed on the demand signal by the RFWCS, but no control functions are implemented. The only limits on operational demand are the Control Station maximum ramp rate, and minimum and maximum system output range limits.

The RFWCS is designed to operate in a Master Manual mode. In this mode, the available RFW pump Control Stations are placed in auto and the master level Control Station is in manual. Reactor water level is controlled in an open-loop manner through operator adjustment of the output demand signal from the master level Control Station located in the Main Control Room.

Unit 1

The feedwater control signal adjusts the speed of the turbine-driven feedwater pumps. The components which are manually operated, or which automatically function to produce the feedwater control signal, are the following.

Level Controller (Unit 1)

The level controller has two options, one- and three-element control. The one-element control has an input to the level controller which is the corrected level.

The level controller is a reverse-acting controller with a reasonable proportional band with reset control. The gain of the reset control is set to a small value for the purpose of eliminating the offset during steady-state operation. The reset control has little or no effect during a transient. One element control (water level) is the preferred process input to the controller when the reactor is operating at relatively low power levels. The water level is measured by two independent sensing systems, each consisting of a differential pressure transmitter connected to a reference condensing chamber leg located within the drywell. Each level signal is independently corrected for water density and indicated, and if selected as a control input, is recorded in the control room. When the mode selector switch is placed in the "one element" position, it routes the water level signal directly to the level controller. If this corrected water level signal decreases, the level controller output increases, which will restore the water inventory to the correct level.

The three-element control is similar to the one-element control. The difference between the three- and one-element controls is the signal to the controller, which is the corrected level signal verniered (plus or minus) by a water inventory signal. To obtain this inventory sense, feedwater flow is fed (minus) into number 2 input of a proportional amplifier and steam flow is fed (plus) into the number 1 input. The output is biased in such a way that, with no inventory (steam flow equals feedwater flow), the output is 50 percent. With inventory in the reactor (feedwater greater than steam), the output is less than 50 percent; and with inventory in the hot well (feedwater less than steam), the output is greater than 50 percent. This inventory signal is added inversely to the corrected level signal in a second proportional amplifier whose output is fed to the level controller. Thus, an anticipatory signal is obtained, correcting for projected changes in level due to process flow changes, which will correct feedwater to lessen the effect of changes on reactor level. The deviation meter compares the true, sensed level with the controller setpoint.

Bias Manual/Automatic Transfer Station (One for each turbine driven feedwater pump) (Unit 1)

The bias manual/automatic transfer station is a manual station with a transfer switch.

While the turbine-driven feedwater pumps are being controlled by the level controller, the transfer switch is positioned so that the manual controller is bypassed and the level controller signal goes through the manual/automatic transfer station to a turbine-driven feedwater pump. During startup or when manual control is desirable, the level controller signal is blocked by the transfer switch and the feedwater control signal is transmitted and controlled at the manual/automatic transfer station by the operator.

7.10.3.4.1 Automatic Operation

Single Element Mode (Units 2 and 3)

Single element mode applies to both the feedwater pumps and the startup valve.

When in single element mode, the operator adjusted level setpoint on the master level Control Station (or startup level Control Station) is compared to the average reactor level to generate an error signal which is used to drive a PI algorithm to generate the control signal to the control element (either the feedwater pump(s) or startup valve).

Three Element Mode (Units 2 and 3)

Three element mode applies only to the feedwater pumps. When in three element mode, the operator adjusted level setpoint on the master Control Station is compared to the average reactor level and the steam flow-feedwater flow mismatch to generate an error signal which drives a PI algorithm to generate the control signal to the feedwater pumps.

The main steam/feed flow mismatch and level error signals are input into the master controller PI algorithms.

Variable Tuning (Units 2 and 3)

Control system gains may vary based on plant operating conditions. A validated total steam flow signal is used to determine power level, and thereby vary the control system tuning parameters. This power variable tuning will prevent too rapid a response at low power levels and too sluggish a response at higher power levels.

The desired response from the PI control algorithm will be achieved by changing the gain and/or reset on the input error signal. This signal represents level error and steam flow/feed flow mismatch in three element control and level error in single element control.

Unit 1

The level controller setpoint is set for optimum reactor vessel water level for efficient steam separator operation (this includes limiting carryover and carryunder, which affects recirculation pump operation and turbine performance and longevity) and the need to maintain adequate reactor core cooling.

The ability of the Feedwater Control System to maintain reactor vessel water level within a small margin of optimum water level during plant load changes is accomplished by the three-element control signal. The three-element control signal consists of reactor vessel water level, total steam flow, and feedwater flow signals.

The three-element control signal is obtained as follows. The total steam flow signal and the total feedwater flow signal are fed into a proportional amplifier. The output from this amplifier reflects the mismatch between its input signals and is designated as the steam-flow/feedwater-flow error signal. If steam flow is greater than feedwater flow, the amplifier output is increased from its normal value when steam and feedwater flows are equal. The reverse is also true. This amplifier output is fed to a second proportional amplifier (3 element error summer) which also receives the reactor vessel water level signal. The addition of the reactor vessel water level signal to the steam-flow/feedwater-flow error signal results in the three-element control signal which is fed through the dynamic compensator to the level controller.

The feedwater control signal is adjusted by the level controller according to the requirements of the three-element control signal so that the required reactor vessel water level is maintained.

7.10.3.4.2 Optional Operating Modes

Units 2 and 3

At power, three-element control is the preferred method of operation, but single-element control is always available provided there is at least one valid level signal available. With no valid level signals, the system reverts to RFWCS Master Manual mode.

Governor manual control is normally used only during the transition from feedwater pump startup to Individual manual control. Local control is also available, but is provided mainly for testing and is not normally used at power. The RFPTs can also be controlled from their respective Woodward Governors located in the Auxiliary Instrument Room.

Unit 1

Optional methods of Feedwater Control System operation are available, but not normally used during power operation of the reactor. A one-element signal (reactor vessel water level) can be used to replace the three-element control signal to the level controller. The manual/automatic transfer stations can be individually operated to control each of the turbine-driven feedwater pumps.

Units 1, 2, and 3

During startup (MODE 2), feedwater can be supplied by the condensate booster pumps through the reactor feedwater pump low-flow-bypass control valve. This valve can be remotely controlled from the Main Control Room, either manually or automatically.

7.10.3.5 Turbine Driven Feedwater Pump Control

Units 2 and 3

Feedwater is delivered to the reactor vessel through three turbine-driven feedwater pumps, which are arranged in parallel. The turbines are driven by steam from the reactor vessel. During normal operation, the speed demand signal from the RFWCS is supplied to the governor and a signal is sent to a final driver. The final driver controls a servo valve to vary the oil supply to operate the Reactor Feedwater Pump Turbine Control valves. If the signal from the RFWCS to the governor is out of range (nominal 4-20 mA), the governor will "fail-as-is" and initiate an alarm in the control room.

Unit 1

Feedwater is delivered to the reactor vessel through three turbine-driven feedwater pumps, which are arranged in parallel. The turbines are driven by steam from the reactor vessel. During normal operation, the flow demand signal from the level controller is fed to a function generator which linearizes the flow-versus-speed characteristics of the feed pump turbine. The output from the function generator is a speed demand signal which is used by the feed-pump turbine-speed governor to adjust speed to the desired value. Each turbine can be controlled by its manual/automatic transfer station. If the feedwater control signal to a turbine is lost, an alarm unit in the feedwater control circuit causes the turbine speed to lock "as is" and initiates an alarm in the control room.

7.10.4 Inspection and Testing

Units 2 and 3

Feedwater flow-control-system components are tested and inspected based on manufacturer's recommendations and sound maintenance practices. This can be done prior to plant operation and during scheduled shutdowns. Reactor vessel water level indications from the four water level channels can be compared during operation (and are compared automatically by the RFWCS) to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals. The RFWCS continually performs diagnostic tests while operating and will provide operators with alarm(s) of system abnormalities.

Unit 1

Feedwater flow-control-system components are tested and inspected based on manufacturers' recommendations and sound maintenance practices. This can be done prior to plant operation and during scheduled shutdowns. Reactor vessel water level indications from the three water-level-sensing systems can be compared during normal operation to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect inconsistencies in their signals. The level controller can be tested while the Feedwater Control System is being controlled by the manual/automatic transfer stations.
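The Units 2 and 3 behaviour described in 7.10.3.4.1, 7.10.3.4.2 and 7.10.4 (cross-channel level comparison, mode fallback, three-element error, power-variable PI tuning) can be sketched as follows. This is an added illustration, not plant or vendor code; the tolerance, gains, setpoint, sample readings and the rule that three-element mode needs valid flow signals are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Constructed tuning values: the page gives no tolerances, gains or setpoints.
LEVEL_TOLERANCE_IN = 3.0        # max deviation of one channel from the median
MISMATCH_GAIN = 0.5             # inches of error per % steam/feed flow mismatch
KP_LOW, KP_HIGH = 0.5, 2.0      # proportional gain at 0 % and 100 % steam flow
KI = 0.1                        # reset (integral) gain, per second


@dataclass
class LevelChannel:
    name: str
    level_in: float             # pressure-compensated level, inches
    bypassed: bool = False      # loop taken out of service by the operator


def validate(channels):
    """Return (valid, rejected) after bypass and cross-channel comparison."""
    in_service = [c for c in channels if not c.bypassed]
    if not in_service:
        return [], []
    mid = median(c.level_in for c in in_service)
    valid = [c for c in in_service
             if abs(c.level_in - mid) <= LEVEL_TOLERANCE_IN]
    rejected = [c for c in in_service if c not in valid]
    return valid, rejected


def select_mode(channels, flows_valid):
    """Three element is preferred, single element needs one valid level
    signal, and no valid level signal means Master Manual."""
    valid, _ = validate(channels)
    if not valid:
        return "MASTER_MANUAL", None
    average = sum(c.level_in for c in valid) / len(valid)
    # Assumption: three-element mode requires validated flow signals.
    return ("THREE_ELEMENT" if flows_valid else "SINGLE_ELEMENT"), average


def control_error(mode, setpoint_in, level_in, steam_pct=0.0, feed_pct=0.0):
    """Level error, plus steam/feed mismatch in three-element mode."""
    error = setpoint_in - level_in
    if mode == "THREE_ELEMENT":
        error += MISMATCH_GAIN * (steam_pct - feed_pct)
    return error


def scheduled_kp(steam_pct):
    """Power-variable tuning: gentler at low power, stronger at high power."""
    frac = min(max(steam_pct / 100.0, 0.0), 1.0)
    return KP_LOW + (KP_HIGH - KP_LOW) * frac


class PIController:
    def __init__(self, out_min=0.0, out_max=100.0):
        self.integral = 0.0
        self.out_min, self.out_max = out_min, out_max

    def step(self, error, steam_pct, dt):
        """One PI update; the integral is frozen while the output saturates."""
        candidate = self.integral + KI * error * dt
        output = scheduled_kp(steam_pct) * error + candidate
        if self.out_min <= output <= self.out_max:
            self.integral = candidate
        return min(max(output, self.out_min), self.out_max)


def demo():
    """Constructed readings: channel D has drifted away from the other three."""
    channels = [LevelChannel("A", 33.0), LevelChannel("B", 33.4),
                LevelChannel("C", 32.8), LevelChannel("D", 45.0)]
    _, rejected = validate(channels)
    mode, level = select_mode(channels, flows_valid=True)
    error = control_error(mode, 33.0, level, steam_pct=100.0, feed_pct=96.0)
    demand = PIController().step(error, steam_pct=100.0, dt=1.0)
    return mode, [c.name for c in rejected], demand


if __name__ == "__main__":
    print(demo())
```

A rejected channel is worth alarming on rather than silently dropping, since a single drifting or manipulated transmitter is exactly what the cross-channel comparison exists to expose.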

BFN-22

7.11 PRESSURE REGULATOR AND TURBINE-GENERATOR CONTROL

7.11.1 Power Generation Objective

The pressure regulator is a function of the turbine control system. The power generation objective of the pressure regulator and the turbine-generator control system is to provide an energy control system that, in conjunction with the Nuclear Steam Supply System controls, maintains essentially constant reactor pressure and limits transients during load variations.

7.11.2 Power Generation Design Basis

1. The pressure regulation function of the turbine control system is designed to manipulate turbine control valves and turbine bypass valves, individually or in parallel, to maintain reactor pressure within a narrow range of the pressure setpoint as reactor power varies from 0 percent to 100 percent nuclear boiler rated flow.
2. The turbine control system is designed to maintain a specified turbine load and speed.

7.11.3 Deleted

7.11.4 System Description (Figure 7.11-2)

The turbine control system encompasses the functions of controlling reactor pressure, turbine load, and turbine speed. The turbine control system is an electro-hydraulic control (EHC) system that combines digital process controls and data acquisition with high-pressure hydraulic actuators. The control system operates in one of five control modes: speed control, load control, pressure control, valve position limit and maximum combined flow limit control (see Figure 7.11-2). The control valve flow demand signals from the individual mode calculations combine at a low select bus. Of these signals, the one which calls for the least steam flow to the turbine determines the control valve position. The system is said to be in a particular mode when the control valve flow demand from that mode determines the control valve position. Indication of the control mode is available as part of the EHC system controls and displays.

Steam flow is controlled by valve position. The positioning controls are similar for the various servo controlled valves. Each positioning control acts upon a hydraulic valve actuator, a servo valve to control the valve actuator, an electronic position feedback signal which gives the actual valve position, and the valve position demand signal which provides the desired valve position. The demand signal is combined with the position feedback signal to produce the position error signal. The position error signal controls the servo valve to admit more hydraulic fluid to the hydraulic actuator to open the steam valve or to bleed-off fluid from the hydraulic actuator to close the steam valve. When the demand signal equals the position feedback signal, the position error signal is zero resulting in no steam valve movement.

Each of the four turbine control valves has its own positioning servo. Each servo receives the control valve position demand signal. All four valves operate in parallel to control turbine steam flow.

Three of the six turbine intercept valves use positioning servos as described above. Each positional valve receives the intercept valve flow. The positional valves operate in unison. The other three intercept valves' positions are controlled by solenoid valves which are operated by the position of the positional valves. These valves are either fully open or fully closed. During normal operation, all six intercept valves are fully open.

Each of nine bypass valves uses a positioning control similar to those described above. The bypass valves are operated sequentially. A sequential bias signal is combined with the flow signal and position feedback signals to produce the position error signal. Each bypass valve positioning control receives the bypass valve flow signal. The bias signal is different for each bypass valve and provides the offset necessary for sequential operation.

7.11.4.1 Speed Control Mode

In the speed control mode, the EHC system produces control signals used to control turbine speed and acceleration. The speed input signal is derived from active proximity probes and passive magnetic speed pickups. The speed inputs and the resultant rates of change are compared to reference signals for control of both turbine speed and acceleration. The steam flow signal thus produced is processed via the low select bus to effect changes in control valve position and consequently steam admission into the turbine. If more steam is available than is demanded by speed control, the excess steam is routed to the condenser via the bypass valves to control pressure. This mode is only active until the generator breaker is closed, at which time its control valve flow demand signal is switched off the low select bus.

However, speed will always affect the control valves during an overspeed through the control valve and intercept valve logic.

7.11.4.2 Load Control Mode

In load control mode, the EHC system produces control signals necessary to maintain a specific turbine load. Turbine load is derived from a generator load sensor and a real power sensor. The operator can manually set the load reference signal which corresponds to the desired turbine load. The load reference signal is compared with the actual sensed generator load to produce a steam flow demand signal. This signal is processed via the low select bus to effect changes in control valve position and consequently steam admission into the turbine. If more steam is available than is demanded by load control, the excess steam is routed to the condenser via the bypass valves to control pressure.

7.11.4.3 Pressure Control Mode

In the pressure control mode, the EHC system produces control signals necessary to maintain a specific system pressure. The system pressure controlled is operator selectable for either reactor pressure control or steam line header pressure control.

A total steam flow signal is generated which corresponds to the total steam flow through both the turbine control valves and turbine bypass valves necessary to maintain a specific system pressure at a given reactor power level. Reactor pressure is sensed from the reference leg for the reactor water level instruments, providing a direct reading of reactor vessel pressure. Four individual reactor pressure inputs are processed to produce a reactor pressure demand signal. Steam line header pressure is sensed upstream from the turbine stop valves in one of the main steam lines. Two individual header pressure inputs are processed to produce a header pressure demand signal, which is translated into a flow demand.

For either pressure control mode, the pressure demand signal is combined with the pressure reference signal, which is set by the operator, to produce the steam pressure error signal. This signal is processed via the low select bus to effect changes in control valve position and consequently steam admission into the turbine. If more steam is available than is demanded by pressure control, the excess steam is routed to the condenser via the bypass valves.

7.11.4.4 Valve Position Limit Mode

In control valve position limit mode, the EHC system uses operator input to limit the positioning of the steam control valves. By lowering the control valve position limit until it requests less steam than the other control modes, the operator may directly position the control valves. The control valve position limit signal, which is set by the operator, produces the control valve steam demand signal. This signal is processed via the low select bus to effect changes in control valve position and consequently steam admission into the turbine. If more steam is available than is demanded by the control valve position limit, the excess steam is routed to the condenser via the bypass valves to control pressure.

7.11.4.5 Maximum Combined Flow Limit Mode

In the maximum combined flow limit mode, the EHC system compares the total steam flow in both the control valves and bypass valves with an operator controlled limit between 50 and 150 percent of rated steam flow. This limit is placed on the low select bus with the other control signals above and is only made active when steam demand exceeds the setpoint, at which point it clamps the position of the control valves and/or the bypass valves to restrict total flow to its setpoint.

7.11.5 Deleted

7.11.6 Normal Operation

7.11.6.1 Initial Reactor Pressurization and Pressure Control

During plant startup, pressure in the reactor is initially less than the specified reactor pressure setpoint and the turbine is shut down. Both the control valve flow and bypass valve flow signals are zero, causing the turbine control valves and bypass valves to be fully closed.

As power in the reactor is increased, initially, no steam flows from the reactor, but reactor pressure increases. When pressure begins to exceed the pressure setpoint, steam must be released from the reactor to maintain reactor pressure at the setpoint. Assuming that the control valve position limit, load setpoint and combined maximum flow limit are adjusted high enough that they do not affect control, and All Valves Closed is selected which produces a control valve signal of zero, the following will occur:

1. As pressure increases and then exceeds the pressure setpoint, pressure error becomes greater than zero.
2. The control valve flow signal equals the smallest of the inputs to the low select bus. At this time, the signal is zero because the demand based on All Valves Closed is zero. This holds the control valves closed.
3. The difference between the control valve demand and the pressure demand is the bypass demand. With the control valve flow signal equal to zero, the bypass demand equals the pressure demand.
4. Since the combined maximum flow limit is set high enough that it has no effect, the bypass demand will open the bypass valves.
5. For each bypass valve, the bypass demand is combined with the individual bypass valve position signal and the individual bypass valve bias signal to produce each bypass valve's position error signal. With the small pressure demand which occurs during reactor startup, the sequential bias is great enough that the position error signal is less than zero for all bypass valves except the first one, holding all valves except the first one closed. For the first bypass valve, the position error signal will be greater than zero. This position error signal will operate the servo valve admitting hydraulic fluid to the hydraulic actuator to open the first bypass valve. As the valve opens, the position feedback signal increases; the valve will continue to open until the position feedback signal equals the bypass demand, producing a zero position error signal. The bypass valve remains positioned partly open.

As reactor power is increased, the amount of steam which must be released from the reactor to maintain the specified pressure increases. This produces an increased pressure demand which is processed as described above. The net effect is an increase in the bypass demand. This signal causes enough bypass valves to open to permit sufficient steam flow to maintain the specified reactor pressure.
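The relationships in 7.11.4 and the steps above (low select bus, bypass demand as pressure demand minus control valve demand, sequential bias across nine bypass valves) can be turned into steady-state consistency checks over logged signals. The sketch below is an added example, not EHC vendor or plant code; the per-valve flow span, the tolerance, the signal names and the three samples are constructed assumptions, and it goes slightly beyond the startup case by also checking a loaded-turbine sample.

```python
N_BYPASS = 9            # the page describes nine bypass valves
VALVE_SPAN = 3.0        # constructed: % rated steam flow passed by one open valve
TOL = 0.5               # constructed: allowed disagreement, % rated steam flow


def low_select(bus):
    """Return (mode, demand) of the bus input calling for the least steam flow."""
    mode = min(bus, key=bus.get)
    return mode, bus[mode]


def expected_bypass_positions(bypass_demand):
    """Steady-state opening (0..100 %) of each valve under sequential bias."""
    positions = []
    for i in range(N_BYPASS):
        bias = i * VALVE_SPAN                      # offset that delays valve i
        flow = min(max(bypass_demand - bias, 0.0), VALVE_SPAN)
        positions.append(100.0 * flow / VALVE_SPAN)
    return positions


def check_sample(sample):
    """Return the invariants that one logged steady-state sample violates."""
    findings = []
    bus, cv = sample["bus"], sample["cv_demand"]

    # 1. Control valve demand must be the low-select output.
    mode, selected = low_select(bus)
    if abs(cv - selected) > TOL:
        findings.append("cv_demand is not the low-select output (%s)" % mode)

    # 2. Bypass flow must equal pressure demand minus control valve demand,
    #    clamped so that total flow stays within the combined flow limit.
    bypass = max(bus["pressure"] - cv, 0.0)
    bypass = min(bypass, max(bus["max_combined_flow"] - cv, 0.0))
    measured = sum(p / 100.0 * VALVE_SPAN for p in sample["bypass_pos"])
    if abs(measured - bypass) > TOL:
        findings.append("bypass flow %.1f does not match expected %.1f"
                        % (measured, bypass))

    # 3. Sequential operation: a valve opens only after the previous is full open.
    pos = sample["bypass_pos"]
    for i in range(1, N_BYPASS):
        if pos[i] > 1.0 and pos[i - 1] < 99.0:
            findings.append("bypass valve %d open before valve %d is full open"
                            % (i + 1, i))
            break
    return findings


# Constructed samples, in % of rated steam flow and % valve opening.
SAMPLES = {
    "startup": {   # All Valves Closed selected, small pressure demand
        "bus": {"all_valves_closed": 0.0, "pressure": 2.0,
                "valve_position_limit": 100.0, "max_combined_flow": 115.0},
        "cv_demand": 0.0,
        "bypass_pos": [66.7] + [0.0] * 8,
    },
    "loaded": {    # generator on line, load demand is the smallest input
        "bus": {"load": 60.0, "pressure": 62.0,
                "valve_position_limit": 100.0, "max_combined_flow": 115.0},
        "cv_demand": 60.0,
        "bypass_pos": [66.7] + [0.0] * 8,
    },
    "inconsistent": {   # reported values that break all three invariants
        "bus": {"load": 60.0, "pressure": 62.0,
                "valve_position_limit": 100.0, "max_combined_flow": 115.0},
        "cv_demand": 75.0,
        "bypass_pos": [0.0, 0.0, 40.0] + [0.0] * 6,
    },
}


def run_checks():
    """Map each constructed sample name to its list of findings."""
    return {name: check_sample(s) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings or "consistent")
```

The checks only hold at steady state; during a transient the valve positions lag the demand signals, so a monitor built on them needs a settling window before it alarms.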

7.11.6.2 Turbine Startup

The turbine is normally started with the reactor at normal operating pressure and about 15-percent power. This amount of power produces sufficient steam for turbine acceleration and to meet the turbine vendor's minimum turbine load requirements.

Turbine startup is initiated by operator selection of the desired speed and acceleration rates which set the speed reference and acceleration reference signals.

The zero speed signal from the speed sensor is combined with the speed reference signal to produce a speed error signal much greater than zero and the acceleration signal is combined with the acceleration reference signal to produce an acceleration error signal slightly greater than zero. The speed and acceleration error signals are applied to the low select bus.

During turbine startup the control valve demand equals the acceleration error signal since it is the smallest signal on the low select bus. For each control valve, the position feedback signal is combined with the control valve demand to produce the position error signal which is slightly positive when the control valve is fully closed.

This causes the servo valve to operate to admit hydraulic fluid to the hydraulic actuator opening the control valve. The valve will continue to open until the position feedback signal equals the control valve demand producing a zero position error signal which causes the servo valve to stop admitting hydraulic fluid to the hydraulic actuator. Each control valve unit receives the control valve demand causing all four control valves to operate in parallel. At this time, all four control valves will be slightly open admitting steam to the turbine causing it to accelerate. The acceleration signal is combined with the acceleration reference signal as described above and will cause slight changes in the control valve demand to position the control valves to produce a steady turbine acceleration rate. As actual turbine speed approaches selected turbine speed, the speed error signal decreases until the speed error signal is less than the acceleration error signal. The output from the low select bus will now be the speed error signal. This causes the control valve demand to decrease resulting in a slight decrease in control valve position and slightly reduces turbine steam flow. When the turbine speed equals the selected speed, the control valves will be open only enough to admit sufficient steam to the turbine to maintain the selected speed.

BFN-22

Simultaneous with operation of the control valves, the intercept valve demand ramps to 100 percent. The intercept valve demand is combined with each positionable intercept valve's position feedback signal to produce individual intercept valve position error signals. The servo valves operate to admit hydraulic fluid to the hydraulic actuators to open these valves. They will continue to open until each valve position feedback signal equals the intercept valve demand. Each positionable intercept valve position feedback is compared to an almost fully open setpoint which controls an electrical solenoid valve which will operate to admit hydraulic fluid to the hydraulic actuator of one of the nonpositionable intercept valves, causing that nonpositionable intercept valve to fully open. The six intercept valves operate to control steam flow between the high and low pressure turbines. Normally, all six valves are fully open.

While the turbine is accelerating and after it reaches the selected speed, it is still necessary to maintain steady pressure. This is accomplished by releasing steam from the reactor. Part of the steam is released through the turbine; the remainder must be released through the bypass valves. The pressure demand generated in the pressure control is proportional to the total steam which must be released through the control and bypass valves as described above. The control valve demand equals the speed/acceleration demand. The bypass demand is the difference between the pressure demand and the control valve demand. Generally, reactor power, pressure, and required pressure demand do not change during turbine startup. The bypass demand signal will be reduced by an amount equal to the control valve demand. The reduced bypass demand will reduce the amount of steam flowing through the bypass valves. At this time, the bypass valves are controlling pressure and will fluctuate as necessary to maintain the pressure at the specified setpoint.

7.11.6.3 Turbine Loading and Normal Plant Operation

After the turbine achieves rated speed, the generator is synchronized with, and connected to, the power transmission system. This results in steady turbine speed, with speed control removed from the low select bus and speed only affecting control valve demand through the control valve and intercept valve overspeed regulation logic. As the operator increases the desired turbine load, the load reference signal increases. Assuming the load demand is still the smallest of the low select bus inputs, the control valve demand will increase by a corresponding amount. This causes the control valves to open further, admitting more steam to the turbine, and increasing the power produced in the turbine. As the control valve demand increases, there is a corresponding decrease in the bypass demand resulting in a decrease in steam flow through the bypass valves.

As turbine load is increased, a point occurs where the control valve demand equals the pressure demand. This produces a zero bypass demand resulting in no flow through the bypass valves.

Pressure corrections are controlled by either the control valves or the bypass valves depending on whether slight flow decreases or increases are required.

For normal plant operation, the load setpoint is adjusted higher than actual turbine load. All available steam is sent to the turbine. The control valves are regulating turbine load and controlling pressure including making minor control valve position changes to maintain pressure at the specified setpoint.

BFN-22 Figure 7.11-1 (Deleted by Amendment 22)

BFN-24

7.12 PROCESS RADIATION MONITORING

A number of radiation monitors and monitoring systems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials.

The monitors include the following:

Main Steam Line Radiation Monitoring System
Air Ejector Offgas Radiation Monitoring System
Main Stack Radiation Monitoring System
Process Liquid Radiation Monitors
Reactor Building Ventilation Radiation Monitoring System
Plant Ventilation Exhaust Radiation Monitoring System

These monitors are described individually in this subsection.

7.12.1 Main Steam Line Radiation Monitoring System

7.12.1.1 Safety Objective

The objective of the Main Steam Line Radiation Monitoring System is to monitor for the gross release of fission products from the fuel and provide indication of such failure such that appropriate actions may be taken to limit fuel damage and contain the released fission products.

7.12.1.2 Safety Design Basis

1. The Main Steam Line Radiation Monitoring System shall be designed to give prompt indication of a gross release of fission products from the fuel.
2. The Main Steam Line Radiation Monitoring System shall be capable of detecting a gross release of fission products from the fuel under any anticipated operating combination of main steam lines.
3. Deleted
4. Deleted

7.12.1.3 Description

Two gamma sensitive instrumentation channels monitor the gross gamma radiation from the main steam lines. The detectors are physically located near the main steam lines just downstream of the outboard main steam isolation valves in the space between the primary containment and secondary containment walls.

The detectors are geometrically arranged so that the system is capable of detecting significant increases in radiation level for a number of main steam lines in operation.

Their location along the main steam lines allows the earliest practical detection of a gross fuel failure. This meets safety design bases 1 and 2. The MSLRM channels are powered from independent divisions from one Reactor Protection System bus.

When a significant increase in the main steam line radiation level is detected, non-safety related trip signals are initiated. The main steam high radiation trip signal stops the mechanical vacuum pump and isolates its discharge path only. Closing of the main steam isolation valves, stopping the mechanical vacuum pump, and closing the mechanical vacuum pump line valve effects containment of radioactive materials. Although the main steam line high radiation trip functions are not required safety related functions, they limit the resulting consequences of gross fuel failures.

The radiation trip setting selected is enough above the background radiation level in the vicinity of the main steam lines that spurious trips are avoided at rated power. Yet, the setting is low enough that the monitors can respond to the fission products released from gross fuel failures.

Each monitoring channel consists of a gamma sensitive ion chamber and a log radiation monitor. Capabilities of the monitoring channel are listed in Table 7.12-1.

Each log radiation monitor has two trip circuits. One trip circuit comprises the upscale trip setting that is used to initiate isolation. The other trip circuit is a downscale trip that actuates an instrument trouble alarm in the Main Control Room.

The output level from each log radiation monitor is displayed on a six-decade meter in the control room.

The outputs from the two monitoring channels are recorded. The recorder has one upscale alarm circuit. The alarm setting is lower than the log radiation monitor upscale trip setting, so that an alarm is received in the control room before steam line isolation is effected.

The trip circuits for each monitoring channel operate normally energized, so that failures in which power to monitoring components is interrupted result in a trip signal.

The environmental capabilities of the components of each monitoring channel are selected in consideration of the locations in which the components are to be placed.

7.12.1.4 Safety Evaluation

The system has been selected and designed with monitoring characteristics sufficient to provide plant personnel with indication of gross fuel failures. Since the system is not essential to any transients or accidents, safety related requirements are not imposed. However, sufficient redundancy, separation, and power requirements are included to provide prompt and accurate signals and indications.

7.12.1.5 Inspection and Testing

A built-in, adjustable current source is provided for test purposes with each log radiation monitor. Routine verification of the operability of each monitoring channel can be made by comparing the outputs of the channels during power operation.

7.12.2 Air Ejector Offgas Radiation Monitoring System

This paragraph describes the Air Ejector Offgas Radiation Monitoring System as it exists following installation of recombiners and charcoal absorbers in the condenser offgas system.

7.12.2.1 Safety Objective

The objectives of the Air Ejector Offgas Radiation Monitoring System are to indicate when limits for the release of radioactive material to the environs are approached and to effect appropriate control of the offgas so that the limits are not exceeded.

7.12.2.2 Safety Design Basis

1. The Air Ejector Offgas Radiation Monitoring System shall provide an alarm to operations personnel whenever the radioactivity level of the air ejector offgas reaches short-term limits.
2. The Air Ejector Offgas Radiation Monitoring System shall provide a continuous record of the radioactivity released via the air ejector offgas line.
3. The Air Ejector Offgas Radiation Monitoring System shall initiate appropriate action in time to prevent exceeding short-term limits on the release of radioactive materials to the environs as a result of releasing the radioactivity contained in the air ejector offgas.

7.12.2.3 Description

The Air Ejector Offgas Radiation Monitoring System is shown in Figures 7.12-2a sheet 1, sheet 2, sheet 5, sheet 6, and Figure 7.12-2b sheet 2.

The system consists of two radiation monitor subsystems. One subsystem is lined up to take a continuous sample from the offgas system just downstream of the charcoal filters. The other takes a continuous reading from the offgas pipe (see Subsection 9.5, "Gaseous Radwaste System (Modified)").

The post-treatment subsystem monitoring the offgas system downstream of the charcoal filters has two instrumentation channels. Each channel consists of a gamma-sensitive detector, a logarithmic radiation monitor with a power supply and a meter, and a recorder point. The monitors and the recorder are located in the control room.

Each logarithmic radiation monitor is powered from a dependable source of power.

The two gamma-sensitive detectors are located in shielded chambers. A sample is drawn from the offgas line through the sample chambers where the radiation level of the gas is measured by two scintillation detectors, one located in each shielded chamber.

Each monitor has three upscale trips and a downscale trip. An upscale trip indicates high radiation. A downscale trip indicates instrument trouble. Any one trip will give an alarm in the control room. Any one upscale, high-radiation trip closes the carbon bed filter bypass valve (if open) and opens the offgas line to the carbon bed (if closed). Two upscale high-high-high radiation trips (one from each channel), or one upscale high-high-high radiation trip and one downscale trip, or two down-scale trips (one from each channel) send an isolation signal to the offgas system outlet valve.
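The post-treatment trip combinations in the paragraph above reduce to one rule: the outlet valve isolates when each channel is either at high-high-high or downscale. The following added example (not code from the FSAR or the plant; class and function names are hypothetical) checks that reading against the paragraph's wording over every trip state, assuming the three upscale setpoints are nested and that "one high-high-high trip and one downscale trip" come from different channels.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class MonitorTrips:
    """Trip state of one post-treatment monitor (hypothetical model).

    upscale_trips counts tripped upscale circuits, 0 to 3. Assumption: the
    three setpoints are nested, so 3 means the high-high-high trip is in.
    """
    upscale_trips: int = 0
    downscale: bool = False  # instrument trouble

    @property
    def hihihi(self) -> bool:
        return self.upscale_trips == 3


def offgas_actions(ch_a: MonitorTrips, ch_b: MonitorTrips) -> dict:
    """Actions the paragraph describes for the post-treatment subsystem."""
    chans = (ch_a, ch_b)
    return {
        # Any one trip gives an alarm in the control room.
        "alarm": any(c.upscale_trips > 0 or c.downscale for c in chans),
        # Any one upscale trip closes the carbon bed bypass and lines up the bed.
        "route_through_carbon_bed": any(c.upscale_trips > 0 for c in chans),
        # Isolation needs a vote from both channels; trouble counts as a vote.
        "isolate_outlet_valve": all(c.hihihi or c.downscale for c in chans),
    }


def isolate_as_worded(ch_a: MonitorTrips, ch_b: MonitorTrips) -> bool:
    """The three combinations exactly as the paragraph lists them."""
    two_hihihi = ch_a.hihihi and ch_b.hihihi
    one_of_each = (ch_a.hihihi and ch_b.downscale) or (ch_a.downscale and ch_b.hihihi)
    two_downscale = ch_a.downscale and ch_b.downscale
    return two_hihihi or one_of_each or two_downscale


def all_states():
    """Every combination of trip states for the two channels (constructed input)."""
    one = [MonitorTrips(n, d) for n, d in product(range(4), (False, True))]
    return list(product(one, one))


def forms_agree() -> bool:
    """True when the compact rule matches the paragraph's wording everywhere."""
    return all(offgas_actions(a, b)["isolate_outlet_valve"] == isolate_as_worded(a, b)
               for a, b in all_states())


if __name__ == "__main__":
    print("compact form matches the paragraph:", forms_agree())
    failed = MonitorTrips(downscale=True)
    print("one failed channel, other normal:", offgas_actions(failed, MonitorTrips()))
    print("one failed channel, other hi-hi-hi:", offgas_actions(failed, MonitorTrips(3)))
```

In this model a single failed channel alarms but does not isolate, while a failed channel combined with a high-high-high trip on the other channel does.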

The pretreatment subsystem monitoring the offgas pipe upstream of the six-hour holdup pipe has two instrument channels. One channel consists of a gamma-sensitive detector, a logarithmic radiation monitor with a power supply and a meter, and a recorder. The monitor and the recorder are located in the control room. The logarithmic radiation monitor is powered from the instrument bus.

The monitor has two upscale trips and a downscale trip. Each of the upscale trips and the downscale trip sounds an alarm in the control room. No control action is performed by this channel.

Small changes in the offgas gross fission-product concentration can be detected by the continuous use of the other radiation channel. This linear radiation monitor is not a process monitor such as the channels described above, but is utilized as an expanded scale device for aiding in locating ruptured or failed fuel elements. The detector is a gamma-sensitive ionization chamber which monitors the same sample as the upstream air ejector offgas detector. The system uses a linear readout with a range switch instead of a logarithmic readout. The output from the monitor is recorded on a recorder. The channel is connected to a dependable source of power.

These gamma-sensitive ion chambers are positioned adjacent to the vertical sample chamber. The chamber is internally polished to minimize plate-out. A sample is drawn from the offgas line through the sample chamber by the main condenser suction.

The environmental and power supply design conditions are given in applicable design output documents for the control room equipment.

7.12.2.4 Safety Evaluation

The Air Ejector Offgas Radiation Monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity in the air ejector offgas. The system thus provides the operator with enough information to easily control the activity release rate. Because the system is not essential to any transients or accidents, no redundancy is required, although sufficient redundancy is provided to allow maintenance on one channel without losing the indications provided by the system.

7.12.2.5 Inspection and Testing

Response may be checked by a known source. These monitors are used primarily for trending.

7.12.3 Main Stack Radiation Monitoring System

7.12.3.1 Safety Objective

The objectives of the Main Stack Radiation Monitoring System are to indicate whenever limits on the release of radioactive noble gases to the environs are reached or exceeded, to obtain representative samples of radioactive iodine and particulates for laboratory analysis, and to indicate the rate of radioactive noble gas release during planned operations and during and following an accident.

7.12.3.2 Safety Design Basis

1. The Main Stack Radiation Monitoring System shall provide a clear indication to operations personnel whenever limits on the release of radioactive material to the environs are reached or exceeded.
2. The Main Stack Radiation Monitoring System shall indicate noble gas release rates from values above noble gas release rate limits and over the range from accident release rates down to release rates encountered during normal plant operation.
3. The Main Stack Radiation Monitoring System shall record the rate of release of radioactive noble gases to the environs and provide means for obtaining representative stack samples of radioactive iodine and particulates for laboratory analysis so that determination of the total amounts of activity released is possible.

7.12.3.3 Description

The Main Stack Radiation Monitoring System consists of two independent monitoring systems; a normal-range system used during planned operations which provides continuous monitoring for noble gases with grab sample capabilities for particulates and iodine, and a wide-range system used during normal and accident conditions which provides continuous monitoring for noble gases in the normal range, continuous monitoring at higher activity levels for noble gases, particulates and iodine in the accident range, and grab sample capabilities for noble gases, particulates and iodine in both the normal and accident ranges.

The normal-range system is shown in Figure 7.12-2a, sheet 3. The system consists of two individual channels. Each channel consists of a gamma-sensitive detector, a log count rate monitor that includes a power supply and a meter, and a recorder.

The monitors and the recorder are located in the control room. Both channels are connected to a dependable source of power.

Each monitor has two upscale trips and one downscale trip. Each trip initiates an alarm in the control room, but no control action is provided. The upscale alarms indicate high radiation, and the downscale alarm indicates instrument trouble. To monitor the main stack gas stream, a gas sample is drawn through an isokinetic probe which is located high enough in the vent stream to assure representative sampling. The sample passes through two shielded chambers where the radiation level of the vent gas is measured by two scintillation detectors, one located in each shielded chamber.

As shown in Figures 7.12-2a sheet 3 and sheet 4, the system also provides for monitoring iodine and particulates by the use of filters in the gas sample monitoring stream. The filters are routinely analyzed in a laboratory. The environmental and power supply design conditions are given in applicable design output documents.

A wide-range gaseous effluent radiation monitoring system shown in Figures 7.12-2a, sheet 4, and 7.12-2a, Sheet 7, is installed at the main stack and has the capability to continuously detect and measure concentrations of noble gas, particulate, and iodine effluent during and following an accident. The system consists of a normal-range channel which monitors noble gas drawn through a retrievable iodine and particulate filter canister connected to an isokinetic probe located in the stack. At a preset radiation level sensed by the normal-range noble gas monitor, the accident-range channel automatically starts and draws an isokinetic sample from the normal-range flow stream through shielded iodine and particulate detector chambers (one in operation and one spare) each equipped with retrievable filters and a high-range shielded noble gas detector chamber. Normal-range sample flow is bypassed around the normal-range filter canister and noble gas detector chamber when the accident-range monitors start. Connections are provided to obtain noble gas samples for laboratory analysis on both ranges. The system provides activity release rate indication and recording, upscale high radiation and downscale instrument trouble alarms in the control room. It is powered from a dependable source of power.

7.12.3.4 Safety Evaluation

The Main Stack Radiation Monitoring equipment has been selected with features and characteristics sufficient to provide plant Operations personnel with accurate indication of noble gas release and means for determining radioactive iodine and particulate activity release to the environs via the main stack vent under both normal- and accident-range conditions. The system thus enables Operations personnel to determine when release rate limits are reached or exceeded and determine the total amounts of activity released.

Because the system is not essential to any transients or accidents, no redundancy is required, although sufficient redundancy is provided to allow maintenance on one channel without losing the indication provided by the system.

7.12.3.5 Inspection and Testing

Each individual channel includes a built-in check source and a purge line to purge the vent gas from the sampling chamber. Both the purge valve and the check source are operated from the control room, but the purge valve may also be operated locally.

7.12.4 Process Liquid Radiation Monitors

7.12.4.1 Safety Objective

On process streams that normally discharge to the environs, Process Liquid Radiation Monitors are provided to indicate when operational limits for the normal release of radioactive material to the environs are exceeded. On the Liquid Radwaste System effluent, the monitor also closes valves to prevent release of liquid containing excessive radioactivity.

7.12.4.2 Power Generation Objective

On process streams that do not discharge to the environs, Process Liquid Radiation Monitors are provided to indicate process system malfunctions by detecting the accumulation of radioactive material in a normally uncontaminated system.

7.12.4.3 Safety Design Basis

Process Liquid Radiation Monitors which are used to monitor streams that normally discharge to the environs shall provide a clear indication to operations personnel whenever the radioactivity level in the stream reaches or exceeds preestablished operational limits for the discharge of radioactive material to the environs.

7.12.4.4 Power Generation Design Basis

Process Liquid Radiation Monitors monitoring streams that do not discharge to the environs shall provide a clear indication to operations personnel whenever the radioactivity level in the stream reaches or exceeds a preestablished limit above the normal radiation level of the stream. Unit 1 non-operating systems are exempt from this requirement.

7.12.4.5 Description

The Process Liquid Radiation Monitors are shown in Figures 7.12-2b sheet 4, sheet 5, and sheet 6. Four individual channels with off-line detectors are provided for each unit. One channel monitors the Raw Cooling Water discharge, another channel monitors the Reactor Building Closed Cooling Water Systems, and the third and fourth channels monitor the RHR Service Water Discharge System I and System II RHRS heat exchangers. A separate channel with an in-line detector monitors the discharge from the Liquid Radwaste System which serves all units. All channels are connected to a dependable source of power.

Each of these monitors uses a scintillation detector and a ratemeter chassis. The chassis ratemeters and the recorders are all located in the Main Control Room except for the Radwaste System recorder, which is located on the radwaste control panel in the Radwaste Building.

Each channel has an upscale trip to indicate high radiation level and one downscale trip to indicate instrument trouble.

Raw cooling water is used to cool normally nonradioactive areas such as air compressors, turbine auxiliary systems, and pump bearings. It also cools the Reactor Building Closed Cooling Water System via heat exchangers. An increase in the radiation level of the raw cooling water discharge may indicate that a leak into the system from a contaminated stream has occurred.

The Reactor Building Closed Cooling Water System is utilized to provide cooling for potentially contaminated areas such as the drywell atmosphere cooling coils, nonregenerative heat exchanger, recirculation pumps and various sample coolers.

The system normally contains activity due to activation of added corrosion inhibitors and the use of potentially contaminated makeup water. Changes in the normal radiation level could indicate leaks of radioactive water into the system.

The Liquid Radwaste System provides for collection of waste liquids through various drainage systems. Because of high conductivity, not all of the waste liquids can be economically purified by demineralization. Consequently, some liquid containing radioactivity is eventually discharged from the system. The process liquid monitoring channel on the Liquid Radwaste System discharge indicates discharge radiation levels. As described in paragraph 9.2.5, the monitor closes two valves in the waste discharge line before the radioactivity concentration in the discharged waste exceeds the limit determined by Offsite Dose Calculation Manual (ODCM) methodology.

The RHR Service Water System serves as the heat sink for the RHRS in the shutdown cooling mode and the containment cooling mode. The water circulated through the heat exchangers by the RHRS will be primary water or pressure suppression pool water, both of which have a significant activity level. Changes in the normal radiation level in the RHR service water discharge could indicate leakage in the RHR heat exchangers.

The environmental and power supply design conditions are given in applicable design output documents.

7.12.4.6 Safety Evaluation

The Process Liquid Radiation Monitors for the raw cooling water, radwaste and RHR service water discharges possess radiation detection and monitoring sensitivities sufficient to inform plant operations personnel whenever radiation levels in the discharges rise above preset limits.

7.12.4.7 Inspection and Testing

All alarm trip circuits can be tested by using test signals or portable gamma sources.

7.12.5 Reactor Building Ventilation Radiation Monitoring System

7.12.5.1 Safety Objective

The objectives of the Reactor Building Ventilation Radiation Monitoring System are to indicate whenever abnormal amounts of radioactive material exist in the Reactor Building, and to effect appropriate action so that the release of radioactive material to the environs is controlled.

7.12.5.2 Safety Design Bases

1. The Reactor Building Ventilation Radiation Monitoring System shall provide a clear indication to Operations personnel whenever abnormal amounts of radioactivity exist in the Reactor Building by monitoring the intake to the reactor zone ventilation exhaust fans and the radiation levels at each unit's fuel pool.

2. The Reactor Building Ventilation Radiation Monitoring System shall initiate appropriate action to control the release of radioactive material to the environs when abnormal amounts of radioactive material exist in the Reactor Building.

7.12.5.3 Description

The Reactor Building Ventilation Radiation Monitoring System is shown in Figures 7.12-2a sheet 1, sheet 5, and sheet 6, and specifications are given in Table 7.12-1. The system consists of six sets of Reactor Building Ventilation Monitors (two divisional monitors per unit). Each monitor has one channel of refuel zone logic and one channel of reactor zone logic. Each refuel zone channel is comprised of two Geiger-Muller type detectors with a signal splitter located on the refuel floor next to each unit's fuel pool. Each reactor zone channel is comprised of two Geiger-Muller type detectors with a signal splitter located on the associated unit's reactor zone ventilation exhaust duct. One channel each of the refuel zone and reactor zone share a combination computer graphics display and trip unit. The refuel and reactor zone inputs are recorded on a single digital paperless recorder. All equipment is located in the control room except for the detectors and the signal splitters.

Power for this system is from the 120VAC Reactor Protection System Busses "A" and "B." Bus A supplies power to one monitor and Bus B supplies power to the other monitor.

There is a Reactor Building Ventilation Radiation Monitor (RBVRM) trip function for the refueling zone and an RBVRM trip function for the reactor zone. Each trip function is composed of two divisional trip systems. Each trip system has one channel for each zone. Each channel contains two sensors. A channel downscale/inoperable trip occurs when either of the sensors is indicating less than the low radiation setpoint or is inoperable. A channel upscale trip occurs when both of the sensors are indicating higher than the high radiation setpoint. Only one channel upscale trip is required for trip function initiation. Two channel downscale trips in a zone are required for trip function initiation. When the trip function occurs, the ventilation system of the affected zone is isolated, the Control Room Emergency Ventilation System (CREVS) is started, the Standby Gas Treatment System is initiated and the Primary Containment System is initiated closing various ventilation supply, purge, and exhaust paths. When any reactor zone is isolated the refuel zone (which is common to all three units) also isolates.

The environmental and power supply design conditions are given in applicable design output documents.

7.12.5.4 Safety Evaluation

The physical location and monitoring characteristics of the Reactor Building Ventilation Radiation Monitoring System Channels are adequate to provide detection capability for abnormal amounts of radioactivity in the Reactor Building and initiate isolation. The redundancy and arrangement of channels are sufficient to ensure that no single active component failure can prevent isolation when required.
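The RBVRM channel and trip function logic from 7.12.5.3, and the single-failure statement in 7.12.5.4, can be exercised with a small model. This is an added example, not code from the FSAR or the plant: the setpoints, radiation levels, failure modes and all names are constructed assumptions, and the model covers one zone with its two divisional channels.

```python
from dataclasses import dataclass
from itertools import combinations, product
from typing import Optional, Tuple

# Constructed setpoints in mr/hr, chosen inside the reactor zone range of
# Table 7.12-1 (0.1 to 1E+3 mr/hr). The page does not give the real values.
LOW_SETPOINT = 0.2
HIGH_SETPOINT = 70.0

Reading = Optional[float]  # None models an inoperable sensor


@dataclass(frozen=True)
class Channel:
    """One zone channel of one divisional trip system: two sensors."""
    sensors: Tuple[Reading, Reading]

    def downscale(self) -> bool:
        # Either sensor below the low setpoint or inoperable.
        return any(r is None or r < LOW_SETPOINT for r in self.sensors)

    def upscale(self) -> bool:
        # Both sensors above the high setpoint.
        return all(r is not None and r > HIGH_SETPOINT for r in self.sensors)


def trip_function(div_a: Channel, div_b: Channel) -> bool:
    """One channel upscale trip, or downscale trips on both channels."""
    chans = (div_a, div_b)
    return any(c.upscale() for c in chans) or all(c.downscale() for c in chans)


# Hypothetical sensor failure modes: the value a failed sensor reports.
FAILURE_MODES = {"inoperable": None, "stuck_low": 0.0,
                 "stuck_mid": 5.0, "stuck_high": 500.0}


def zone_channels(level: float, failures: dict) -> Tuple[Channel, Channel]:
    """Sensors 0,1 are division A and 2,3 division B; healthy ones read `level`."""
    r = [FAILURE_MODES[failures[i]] if i in failures else level for i in range(4)]
    return Channel((r[0], r[1])), Channel((r[2], r[3]))


def survey(level: float, n_failures: int) -> dict:
    """Trip function result for every combination of n failed sensors."""
    out = {}
    for idxs in combinations(range(4), n_failures):
        for modes in product(FAILURE_MODES, repeat=n_failures):
            failures = dict(zip(idxs, modes))
            out[tuple(failures.items())] = trip_function(*zone_channels(level, failures))
    return out


if __name__ == "__main__":
    background, accident = 5.0, 200.0  # constructed radiation levels, mr/hr
    print("single failures that block isolation:",
          [k for k, v in survey(accident, 1).items() if not v])
    print("single failures that cause spurious isolation:",
          [k for k, v in survey(background, 1).items() if v])
    print("double failures that block isolation:",
          [k for k, v in survey(accident, 2).items() if not v])
```

Within this model no single sensor failure blocks or spuriously causes the trip function; the only double failures that block it pair one sensor per division, with at least one of them stuck at a mid-scale value that raises neither an upscale nor a downscale trip.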

7.12.5.5 Inspection and Testing

The trip circuits are tested by using test signals or portable gamma sources.

7.12.6 Plant Ventilation Exhaust Radiation Monitoring System

7.12.6.1 Safety Objective

The objectives of the Plant Ventilation Exhaust Radiation Monitoring System are to record the release of radioactive material from the plant buildings to the environs and alarm when preset limits are reached.

7.12.6.2 Safety Design Basis

The Plant Ventilation Exhaust Radiation Monitoring System shall record the rate of release of gaseous and airborne radioactive material to the environs, so that determination of the total amounts of gaseous and airborne activity released is possible.

7.12.6.3 Description

The Plant Ventilation Exhaust Radiation Monitoring System consists of 10 Continuous Air Monitors (CAM), each its own subsystem. One subsystem separately samples the normal ventilation exhaust of the Turbine Building, reactor zone and refueling zone on each of three units; one subsystem monitors the normal ventilation exhaust from the Radwaste Building; two subsystems monitor the upper atmosphere of the Turbine Building near the Turbine Building roof ventilation exhausts on each of three units. These ventilating systems are described in subsection 10.12, "Heating, Ventilating and Air-Conditioning", and subsection 5.3, "Secondary Containment System".

Each subsystem consists of an assembly for monitoring Noble gases and filter capability for monitoring iodine and particulate activity. High activity or monitor malfunction is alarmed in the main control room. The activity levels are displayed locally and on a touch screen monitor in the main control room of Unit 1 at panel 1-9-2. The specifications for the system are given in applicable design output documents.

7.12.6.4 Safety Evaluation

The plant ventilation exhaust radiation monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity being released to the environs via the plant ventilation exhaust systems.

7.12.6.5 Inspection and Testing

Each individual subsystem is tested and calibrated on a regular basis.

7.12.7 Unit Sharing of Monitoring Systems

Four process radiation monitoring systems are shared among the three nuclear units. These are the Main Stack Radiation Monitoring System, the Reactor Building Ventilation Radiation Monitoring System, the Plant Ventilation Exhaust Radiation Monitoring System and the Liquid Radwaste Effluent Monitor. See Section 7.5 of Appendix F for detailed information.

BFN-16

Table 7.12-1 PROCESS RADIATION MONITORING SYSTEMS CHARACTERISTICS

| Monitoring System | Instrument Range (1) | Instrument Scale | Upscale Trips per Channel | Downscale Trips per Channel |
|---|---|---|---|---|
| Main Steam Line | 1 to 10^6 mr/hr | 6 Decade log | 1 | 1 |
| Air Ejector Offgas Pre-Treatment | 1 to 10^6 mr/hr | 6 Decade log | 2 | 1 |
| Air Ejector Offgas Post-treatment | 10^-1 to 10^6 counts per second | 7 Decade log | 3 | 1 |
| Main Stack | 10^-1 to 10^6 counts per second (2) | 7 Decade log | 2 | 1 |
| Liquid Process (Off-line Monitor) | 10^1 to 10^6 counts per minute (2) | 5 Decade log | 1 | 1 |
| Reactor Building Ventilation - Reactor Zone | 0.1 to 1E+3 mr/hr | 4 Decade log | 1 | 1 |
| Reactor Building Ventilation - Refuel Zone | 10 to 1E+6 mr/hr | 5 Decade log | 1 | 1 |
| Plant Ventilation Exhaust | 10 to 10^6 counts/minute | Digital Display | 1 | 1 |

(1) Range of measurements is dependent on items such as the source geometry, background radiation, shielding, energy levels, and method of sampling.

(2) Readout is dependent upon the pulse height discriminator setting.

BFN-16 Table 7.12-2 (Deleted by Amendment 13)

BFN-16 Figure 7.12-1 Deleted by Amendment 7.

BFN-19 Figure 7.12-2b Sheet 1 (Deleted by Amendment 17)

BFN-19 Figure 7.12-2b Sheet 3 (Deleted by Amendment 17)

BFN-21

7.13 AREA RADIATION MONITORING SYSTEM

7.13.1 Power Generation Objective

The objective of the Area Radiation Monitoring System is to warn of abnormal gamma radiation levels in areas where radioactive material may be present, stored, handled, or inadvertently introduced.

7.13.2 Power Generation Design Basis

1. The Area Radiation Monitoring System shall provide operating personnel with a record and an indication in the control room of gamma radiation levels at selected locations within the various plant buildings.
2. The Area Radiation Monitoring System shall provide local alarms where it is necessary to warn personnel of substantial immediate changes in radiation levels.
3. The Reactor Building Ventilation Radiation Monitor provides a safeguards containment isolation signal in the event of a refueling accident, as described in Section 7.12.5. (Reactor Building Ventilation Radiation Monitoring is a part of the Process Radiation Monitoring System.)

7.13.3 Description

7.13.3.1 Monitors

The Area Radiation Monitoring System is shown as a mechanical control diagram in Figures 7.12-2a, Sheets 1, 5, and 6. A typical channel consists of a combined sensor and converter unit, a combined indicator and trip unit, a shared power supply, a shared multipoint recorder for Units 2 and 3, a digital paperless recorder for Unit 1, and a local audio alarm auxiliary unit.

Each monitor has an upscale trip that indicates high radiation and a downscale trip that may indicate instrument trouble. The Area Radiation Monitoring System trips sound alarms but cause no control action. The system is powered from the 120-V AC instrument bus (see Subsection 8.7). The trip circuits are set so that loss of power causes an alarm.

7.13.3.2 Locations

Work areas where monitors are located are tabulated in Table 7.13-2. Annunciation and indication are provided in the control room.


7.13.4 Inspection and Testing

An internal trip test circuit, adjustable over the full range of the trip circuit, is provided. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a real trip. All trip circuits, with the exception of the upscale trip circuit, are of the latching type and must be manually reset at the front panel.

A portable calibration unit is also provided. This is a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and converter unit.
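The trip behaviour described in 7.13.3.1 and 7.13.4 can be modelled as a small state machine. The Python model below is an added illustration, not plant or vendor code; the class name, the setpoint values used with it, and the energized-when-normal alarm relay that makes loss of power alarm are assumptions.

```python
from dataclasses import dataclass


@dataclass
class TripUnit:
    """One indicator and trip unit of an area radiation monitor channel."""
    upscale_setpoint: float        # mR/hr, high-radiation trip (assumed value)
    downscale_setpoint: float      # mR/hr, instrument-trouble trip (assumed value)
    powered: bool = True
    meter: float = 0.0             # last value shown on the indicator
    upscale_trip: bool = False     # non-latching: follows the input signal
    downscale_trip: bool = False   # latching: held until manual reset

    def apply_input(self, mr_hr: float) -> None:
        """Signal at the indicator/trip unit input (sensor or test signal)."""
        if not self.powered:
            return                 # a dead unit cannot update its meter or trips
        self.meter = mr_hr
        self.upscale_trip = mr_hr >= self.upscale_setpoint
        if mr_hr <= self.downscale_setpoint:
            self.downscale_trip = True     # stays set after the signal recovers

    def trip_test(self, test_mr_hr: float):
        """Internal trip test: the test signal enters at the same input, so the
        meter moves and a real trip occurs. Returns (meter, alarm)."""
        self.apply_input(test_mr_hr)
        return self.meter, self.alarm

    def manual_reset(self) -> bool:
        """Front-panel reset. Clears the latch only if the cause has gone.
        Returns the downscale trip state after the attempt."""
        if self.powered and self.meter > self.downscale_setpoint:
            self.downscale_trip = False
        return self.downscale_trip

    def set_power(self, on: bool) -> None:
        self.powered = on

    @property
    def relay_energized(self) -> bool:
        # Assumption: the alarm relay is held energized only while the unit is
        # powered and untripped, so losing the supply drops it out.
        return self.powered and not (self.upscale_trip or self.downscale_trip)

    @property
    def alarm(self) -> bool:
        """Annunciation only; per the page the trips cause no control action.
        Assumption: the power-loss alarm follows the supply and is not latched."""
        return not self.relay_energized
```
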

7.13.5 Additional Area Radiation Monitoring Systems

7.13.5.1 Power Generation Objectives

The objective of the Additional Area Radiation Monitoring Systems is to provide diversity in radiation detection devices to warn of abnormal radiation conditions that may be present.

7.13.5.2 Power Generation Design Basis

The Additional Area Radiation Monitoring Systems shall provide operations personnel with alarms locally and/or in the Main Control Room of the presence of radiation levels in excess of pre-established limits based on the particular system design.

7.13.5.3 Description

The Additional Area Radiation Monitoring Systems are as follows:

7.13.5.3.1 Air Particulate Monitoring Subsystem

The continuous air particulate monitoring subsystem consists of self-contained units which sample and measure concentrations of radioactive airborne particulates at various plant locations. The continuous air monitors (CAMs) draw air through a sample assembly which contains a filter for particulate collection and detectors for measuring radioactivity levels in the collected particulates. Radioactive check sources and other means are provided to verify proper instrument response.

The CAMs located in the reactor, turbine, and radwaste buildings provide readouts and alarms locally and in unit control rooms. The remaining CAMs only provide local readout and alarms. The CAM units provide a means to alert personnel in the affected area as well as the control room (where applicable) of changes in airborne radioactivity concentration above predetermined levels.


CAMs are maintained in locations where significant radioactive airborne particulate concentrations could occur, such as equipment spaces for operational reactors versus those areas with equipment in long-term layup status. Additional airborne particulate monitoring is conducted by plant personnel using existing plant procedures.

7.13.5.3.2 Local Radiation Subsystem

The local radiation monitoring subsystem consists of count ratemeters mounted throughout the plant area. The units provide a means whereby personnel engaged in work areas, where their job may require physical contact with radioactive materials, can do their own checking either as a routine or in special or unusual cases such as accidental spills, etc. Each monitor is located for operator convenience in scanning clothing, hands, and feet. A front-mounted speaker with volume control provides audible count rate indication. There is also a high-frequency audible alarm, which is actuated from an adjustable setpoint for warning of high radioactive contamination levels.

7.13.5.3.3 Personnel Contamination Monitor Subsystem

Personnel contamination monitors are provided at major access points from designated radiologically controlled areas within the plant. Alarms are provided on these instruments to identify radioactive contamination on a worker's skin or clothing.

7.13.5.3.4 Portal Monitoring Subsystem

The portal radiation monitoring subsystem monitors all personnel leaving the plant area for radioactivity, including hand-carried personal articles. The radiation monitors in the portal serve as a final check against the transport of radioactivity by personnel exiting the plant protected area.

Radiation monitors are located in each plant access control building for personnel egress. The radiation monitors have visual and audible alarm capability to alert personnel of potential radioactivity release.

7.13.5.3.5 Door Access Control Subsystem

There are several areas in the Turbine, Reactor, and Radwaste Buildings where the entry of personnel must be controlled because of radiation levels. The door access control subsystem provides an audible and visual alarm in the control room of doors which are opened.


7.13.5.4 Inspection and Testing

Each Additional Area Radiation Monitoring Subsystem will be given periodic inspection and calibration using electronic test equipment and calibration sources as required to assure that all devices are calibrated properly and available for operations personnel. The high radiation area door alarms (part of the Door Access Control Subsystem) are also functionally tested periodically.


BFN-18 Table 7.13-1 (Deleted by Amendment 13)

BFN-18

Table 7.13-2
LOCATIONS OF AREA RADIATION MONITORS

Unit 1

| Channel Station No. | Detector Range (MR/HR) | Sensor and Converter Location: Floor Elevation (Feet) | Approx. Col. No. | Description | TVA Inst. Number |
|---|---|---|---|---|---|
| 1 | 0.1-1000 | 664.0 | px-R5 | Fuel Storage Pool Area - Reactor Building | RE-90-1 |
| 2 | 0.1-1000 | 664.0 | ux-R3 | Service Floor Area - Reactor Building | RE-90-2 |
| 3 | 0.1-1000 | 639.0 | p-R5 | New Fuel Storage - Reactor Building | RE-90-3 |
| 4 | 0.1-1000 | 639.0 | s-R5 | Recirculating Pump MG Set Area - Reactor Building | RE-90-4 |
| 5 | 0.1-1000 | 617.0 | d-T4 | Generator Operating Floor - Turbine Building | RE-90-5 |
| 6 | 0.1-1000 | 617.0 | e-T6 | RFP Operating Floor - Turbine Building | RE-90-6 |
| 7 | 0.1-1000 | 617.0 | k-T3 | Turbine Operating Floor - Turbine Building | RE-90-7 |
| 8 | 0.1-1000 | 617.0 | p-R7 | Main Control Room | RE-90-8 |
| 9 | 0.1-1000 | 621.25 | t-R6 | Cleanup System Area - Reactor Building | RE-90-9 |
| 10 | Not Used | | | | |
| 11 | 0.1-1000 | 586.0 | b-T6 | SJAE and SPE Area - Turbine Building | RE-90-11 |
| 12 | 0.1-1000 | 586.0 | d-T6 | Feedwater Heater Area - Turbine Building | RE-90-12 |
| 13 | 0.1-1000 | 593.0 | p-R6 | North Cleanup System Area - Reactor Building | RE-90-13 |
| 14 | 0.1-1000 | 593.0 | s-R6 | South Cleanup System Area - Reactor Building | RE-90-14 |
| 15 | 0.1-1000 | 577.75 | b-T2 | Decontamination Room - Turbine Building | RE-90-15 |
| 16 | 0.1-1000 | 557.0 | c-T4 | Hotwell Pump Area - Turbine Building | RE-90-16 |
| 17 | 0.1-1000 | 557.0 | f-T4 | Condenser Corridor - Turbine Building | RE-90-17 |
| 18 | 0.1-1000 | 557.0 | f-T6 | Condensate Demineralizer Area - Turbine Building | RE-90-18 |
| 19 | 0.1-1000 | 565.0 | j-T3 | Outside Steam Line Cavity - Turbine Building | RE-90-19 |
| 20 | 0.1-1000 | 565.0 | r-R2 | CRD-HCU West Area - Reactor Building | RE-90-20 |
| 21 | 0.1-1000 | 565.0 | r-R6 | CRD-HCU East Area - Reactor Building | RE-90-21 |
| 22 | 010^6 | 565.0 | p-R5 | TIP Room - Reactor Building | RE-90-22 |
| 23 | 0.1-1000 | 565.0 | p-R5 | TIP Drive Area - Reactor Building | RE-90-23 |
| 24 | 0.1-1000 | 519.0 | u-R1 | HPCI Room - Reactor Building | RE-90-24 |
| 25 | 0.1-1000 | 519.0 | u-R1 | RHR West Room - Reactor Building | RE-90-25 |
| 26 | 0.1-1000 | 519.0 | n-R1 | Core Spray - RCIC Room - Reactor Building | RE-90-26 |
| 27 | 0.1-1000 | 519.0 | n-R7 | Core Spray Room - Reactor Building | RE-90-27 |
| 28 | 0.1-1000 | 519.0 | u-R7 | RHR East Room - Reactor Building | RE-90-28 |
| 29 | 0.1-1000 | 519.0 | u-R7 | Pressure Suppression Pool Area Reactor Building | RE-90-29 |
| 32 | 0.1-1000 | 568.0 | - | Stack Room | RE-90-32 |

Table 7.13-2 (Continued)
LOCATIONS OF AREA RADIATION MONITORS

Unit 2

| Channel Station No. | Detector Range (MR/HR) | Sensor and Converter Location: Floor Elevation (Feet) | Approx. Col. No. | Description | TVA Inst. Number |
|---|---|---|---|---|---|
| 1 | 0.1-1000 | 664.0 | px-R11 | Fuel Storage Pool Area - Reactor Building | RE-90-1 |
| 2 | 0.1-1000 | 664.0 | ux-R10 | Service Floor Area - Reactor Building | RE-90-2 |
| 3 | 0.1-1000 | 639.0 | p-R10 | New Fuel Storage - Reactor Building | RE-90-3 |
| 4 | 0.1-1000 | 639.0 | s-R10 | Recirculating Pump M-G Set Area - Reactor Building | RE-90-4 |
| 5 | 0.1-1000 | 617.0 | d-T8 | Generator Operating Floor - Turbine Building | RE-90-5 |
| 6 | 0.1-1000 | 617.0 | e-T6 | RFP Operating Floor - Turbine Building | RE-90-6 |
| 7 | 0.1-1000 | 617.0 | k-T9 | Turbine Operating Floor - Turbine Building | RE-90-7 |
| 8 | Not Used | | | | |
| 9 | 0.1-1000 | 621.25 | t-R9 | Cleanup System Area - Reactor Building | RE-90-9 |
| 10 | 0.1-1000 | 586.0 | j-T6 | Feedwater Heater Area - Turbine Building | RE-90-10 |
| 11 | Not Used | | | | |
| 12 | Not Used | | | | |
| 13 | 0.1-1000 | 593.0 | p-R9 | North Cleanup System Area - Reactor Building | RE-90-13 |
| 14 | 0.1-1000 | 593.0 | s-R9 | South Cleanup System Area - Reactor Building | RE-90-14 |
| 15 | Not Used | | | | |
| 16 | 0.1-1000 | 557.0 | c-T8 | Hotwell Pump Area - Turbine Building | RE-90-16 |
| 17 | 0.1-1000 | 557.0 | f-T8 | Condenser Corridor - Turbine Building | RE-90-17 |
| 18 | Not used | | | | |
| 19 | 0.1-1000 | 565.0 | j-T9 | Outside Steam Line Cavity - Turbine Building | RE-90-19 |
| 20 | 0.1-1000 | 565.0 | r-R9 | CRD-HCU West Area - Reactor Building | RE-90-20 |
| 21 | 0.1-1000 | 565.0 | r-R13 | CRD-HCU East Area - Reactor Building | RE-90-21 |
| 22 | 10-10^6 | 565.0 | p-R12 | TIP Room - Reactor Building | RE-90-22 |
| 23 | 0.1-1000 | 565.0 | p-R12 | TIP Drive Area - Reactor Building | RE-90-23 |
| 24 | 0.1-1000 | 519.0 | u-R14 | HPCI Room - Reactor Building | RE-90-24 |
| 25 | 0.1-1000 | 519.0 | u-R8 | RHR West Room - Reactor Building | RE-90-25 |
| 26 | 0.1-1000 | 519.0 | n-R8 | Core Spray - RCIC Room - Reactor Building | RE-90-26 |
| 27 | 0.1-1000 | 519.0 | n-R14 | Core Spray Room - Reactor Building | RE-90-27 |
| 28 | 0.1-1000 | 519.0 | u-R14 | RHR East Room - Reactor Building | RE-90-28 |
| 29 | 0.1-1000 | 519.0 | u-R14 | Pressure Suppression Pool Area Reactor Building | RE-90-29 |
| 30 | 0.1-1000 | 664.0 | p-R12 | Fuel Storage Pool Area - Reactor Building | RE-90-30 |
| 31 | 0.1-1000 | 557.0 | c-T6 | Raw Cooling Water Pumps Area - Turbine Building | RE-90-31 |

Table 7.13-2 (Continued)
LOCATIONS OF AREA RADIATION MONITORS

Unit 3

| Channel Station No. | Detector Range (MR/HR) | Sensor and Converter Location: Floor Elevation (Feet) | Approx. Col. No. | Description | TVA Inst. Number |
|---|---|---|---|---|---|
| 1 | 0.1-1000 | 664.0 | px-R19 | Fuel Storage Pool Area - Reactor Building | RE-90-1 |
| 2 | 0.1-1000 | 664.0 | ux-R17 | Service Floor Area - Reactor Building | RE-90-2 |
| 3 | 0.1-1000 | 639.0 | p-R17 | New Fuel Storage - Reactor Building | RE-90-3 |
| 4 | 0.1-1000 | 639.0 | s-R17 | Recirculating Pump M-G Set Area - Reactor Building | RE-90-4 |
| 5 | 0.1-1000 | 617.0 | d-T14 | Generator Operating Floor - Turbine Building | RE-90-5 |
| 6 | 0.1-1000 | 617.0 | e-T12 | RFP Operating Floor - Turbine Building | RE-90-6 |
| 7 | 0.1-1000 | 617.0 | k-T15 | Turbine Operating Floor - Turbine Building | RE-90-7 |
| 8 | 0.1-1000 | 617.0 | p-R16 | Main Control Room | RE-90-8 |
| 9 | 0.1-1000 | 621.25 | t-R16 | Cleanup System Area - Reactor Building | RE-90-9 |
| 10 | 0.1-1000 | 586.0 | j-T12 | Feedwater Heater Area - Turbine Building | RE-90-10 |
| 11 | 0.1-1000 | 586.0 | b-T12 | SJAE and SPE Area - Turbine Building | RE-90-11 |
| 12 | 0.1-1000 | 586.0 | d-T12 | Feedwater Heater Area - Turbine Building | RE-90-12 |
| 13 | 0.1-1000 | 593.0 | p-R16 | North Cleanup System Area - Reactor Building | RE-90-13 |
| 14 | 0.1-1000 | 593.0 | s-R16 | South Cleanup System Area - Reactor Building | RE-90-14 |
| 15 | Not used | | | | |
| 16 | 0.1-1000 | 557.0 | c-T14 | Hotwell Pump Area - Turbine Building | RE-90-16 |
| 17 | 0.1-1000 | 557.0 | f-T14 | Condenser Corridor - Turbine Building | RE-90-17 |
| 18 | 0.1-1000 | 557.0 | f-T12 | Condensate Demineralizer Area - Turbine Building | RE-90-18 |
| 19 | 0.1-1000 | 565.0 | j-T15 | Outside Steam Line Cavity - Turbine Building | RE-90-19 |
| 20 | 0.1-1000 | 565.0 | r-R16 | CRD-HCU West Area - Reactor Building | RE-90-20 |
| 21 | 0.1-1000 | 565.0 | r-R20 | CRD-HCU East Area - Reactor Building | RE-90-21 |
| 22 | 10-10^6 | 565.0 | p-R19 | TIP Room - Reactor Building | RE-90-22 |
| 23 | 0.1-1000 | 565.0 | p-R19 | TIP Drive Area - Reactor Building | RE-90-23 |
| 24 | 0.1-1000 | 519.0 | u-R21 | HPCI Room - Reactor Building | RE-90-24 |
| 25 | 0.1-1000 | 519.0 | u-R15 | RHR West Room - Reactor Building | RE-90-25 |
| 26 | 0.1-1000 | 519.0 | n-R15 | Core Spray - RCIC Room - Reactor Building | RE-90-26 |
| 27 | 0.1-1000 | 519.0 | n-R21 | Core Spray Room - Reactor Building | RE-90-27 |
| 28 | 0.1-1000 | 519.0 | u-R21 | RHR East Room - Reactor Building | RE-90-28 |
| 29 | 0.1-1000 | 519.0 | u-R21 | Pressure Suppression Pool Area - Reactor Building | RE-90-29 |
| 31 | 0.1-1000 | 557.0 | c-T13 | Raw Cooling Water Pumps - Turbine Building | RE-90-31 |

Table 7.13-2 (Continued)
LOCATIONS OF AREA RADIATION MONITORS

Radwaste Building

| Channel Station No. | Detector Range (MR/HR) | Sensor and Converter Location: Floor Elevation (Feet) | Approx. Col. No. | Description | TVA Inst. Number |
|---|---|---|---|---|---|
| 1 | 0.1-1000 | 546.0 | wb-W6 | Laundry Drain Tank | RE-90-35 |
| 2 | 0.1-1000 | 546.0 | wb-W3 | Equipment Drain Sump Area | RE-90-36 |
| 3 | 0.1-1000 | 565.0 | wc-W6 | Radwaste Control Room | RE-90-37 |
| 4 | 0.1-1000 | 565.0 | wa-W3 | Access Corridor | RE-90-38 |
| 5 | 0.1-1000 | 565.0 | wc-W1 | Waste Packaging Area | RE-90-39 |
| 6 | 0.1-1000 | 578.0 | wf-W3 | Waste Sample Tank Area | RE-90-40 |
| 7 | 0.1-1000 | 578.0 | wb-W3 | F.D. Sample Tank Area | RE-90-41 |
| 8 | 0.1-1000 | 565.0 | West Wall | Radwaste Evaporator Building | RE-90-42 |

NOTE: Indicators and trip units located on radwaste control panel. Annunciation on main control room panel.

BFN-16 Figure 7.13-1 Deleted by Amendment 9

BFN-16

7.14 Drywell Leak Detection Radiation Monitoring System

7.14.1 Safety Objective

The safety objective of the Drywell Leak Detection Radiation Monitoring System is to maintain containment integrity when subjected to a primary containment isolation signal, to prevent the release of radioactive material to that area of the plant outside of the containment boundary.

7.14.2 Power Generation Objectives

The objectives of the Drywell Leak Detection Radiation Monitoring System are to provide diversity in primary coolant leak detection ability and to annunciate abnormally high concentrations of radioactive particulates, iodines, and Noble gases within the drywell due to primary coolant leakage (Unit 1 only). The comparable Unit 2 and 3 systems shall provide similar diversity in primary coolant leak detection ability and will annunciate abnormally high concentrations of radioactive particulates and Noble gases within the drywell due to primary coolant leakage.

7.14.3 Power Generation Design Basis

The Drywell Leak Detection Monitoring System shall provide operations personnel with indication and alarms, both locally and in the main control room, of the presence of radioactive particulates, iodines, and Noble gases in excess of pre-established limits based on the particular system/plant design (Unit 1 only). The comparable Unit 2 and 3 systems will provide indication and alarms, both locally and in the respective main control rooms, of the presence of radioactive particulates and Noble gases in excess of pre-established limits based on the particular system/plant design.

7.14.4 Description

The Drywell Leak Detection Radiation Monitoring System consists of three Continuous Air Monitors (CAMs), one CAM per unit, located on the 593' elevation of their respective reactor buildings. Each CAM's supply and return lines are piped to allow selectable or composite samples from above the main steam relief valves and/or the recirculation pumps.

The Unit 1 system utilizes a CAM which is a self-contained radiation detection instrument capable of monitoring particulates, iodines, and Noble gases and providing local indication and alarms. The Units 2 and 3 systems utilize CAMs which are self-contained microprocessor based radiation detection instruments capable of monitoring radioactive particulates and Noble gases and providing local indication. Operator selected operating parameters for the Units 1, 2, and 3 CAMs are stored in the non-volatile random access memory to prevent erasing during power outages.

Each CAM is hard wired to its respective main control room to provide indication and alarm capabilities in the main control rooms. Upon receipt of alarm, timely action will be taken to confirm the alarm and assess the possibility of increased drywell leakage.

The sample inlet of the Unit 1 CAM is routed through a two-chambered sampler assembly where the process stream goes through a filter paper, on which any particulate is deposited, then through the charcoal cartridge which traps the iodines, and into the gas chamber for low-range Noble gas measurement. The process stream goes through the solid state flow sensor, then through the pump, and finally to the sample outlet.

The sample inlets of the Unit 2 and Unit 3 CAMs are routed through a sampler/detector assembly where the process stream goes through filter paper which is monitored for particulate activity, then through a charcoal cartridge for removal of iodines and then into the gas chamber for low-range Noble gas measurement. The charcoal cartridge may be removed periodically to monitor for iodines. The process stream goes through the solid state flow sensor then through the pump and finally to the sample outlet.

Radioactive check sources are utilized for periodic checking of the detectors and the electronics for proper responses to pre-determined radiation levels.

7.14.5 Safety Evaluation

The sample and return lines of each CAM are equipped with containment isolation valves which automatically close on a Primary Containment Isolation Signal (A, F, and Z) as described in Section 7.3.4.7. Thus, the system provides primary containment integrity when required, satisfying the safety objective.


BFN-25

7.15 HEALTH PHYSICS LABORATORY RADIATION MONITORING EQUIPMENT

7.15.1 Power Generation Objective

The health physics and laboratory radiation monitoring equipment is used to monitor radiation and contamination levels in all normal and emergency conditions.

7.15.2 Radiation Monitoring Equipment

Sufficient quantities of operational, portable health physics radiation survey instruments are maintained which are capable of detecting radiation types and intensities expected at BFN. These instruments are controlled in accordance with written procedures and instructions. Procedures and instructions have provisions for the unique identification of each instrument, instrument calibration techniques, calibration and operational check frequencies, and storage requirements, if necessary. Records are maintained which indicate instrument status, maintenance history, and calibration results. Traceability of reference standards and periodic revalidation of such standards with national standards is maintained.

7.15.3 Personnel Monitoring

TVA provides dosimetry that is processed by a laboratory accredited by the National Voluntary Laboratory Accreditation Program of the National Institute of Standards and Technology in accordance with 10 CFR 20.1501. Personnel may also be monitored with self-reading dosimeters. Each person entering a radiologically controlled area is provided personnel monitoring device(s) if exposure conditions warrant. Dose information is used by a real-time dose tracking system and retained in a permanent historical database for generating required reports. Doses are calculated when dosimetry devices are not available or not practical.


BFN-23

7.16 PROCESS COMPUTER SYSTEM

7.16.1 Safety Objective

A process computer is provided for each unit which will supplement procedural requirements for the control of rod worth during control rod manipulations during reactor startup and shutdown. The process computer, also referred to as the Integrated Computer System (ICS), provides various functions to enhance Operations awareness of plant conditions.

7.16.2 Power Generation Objective

The power generation objectives of the Process Computer System are to provide a quick and accurate determination of core thermal performance, to improve data reduction, accounting, and logging functions for both the nuclear boiler and balance of plant equipment, and to supplement procedural requirements for control rod manipulation during reactor startup and shutdown.

7.16.3 Safety Design Basis

The rod worth minimizer subsystem of the process computer shall provide inputs to the rod block circuitry to supplement and aid in the enforcement of procedural restrictions on control rod manipulation, so that rod worth is limited to the values assumed in plant safety analysis.

7.16.4 Power Generation Design Basis

1. The Process Computer System shall be designed to periodically determine the three-dimensional power density distribution for the reactor core and provide printed logs which permit accurate assessment of core thermal performance.
2. The Process Computer System shall provide continuous monitoring of the core operating level and appropriate alarms based on established core operating limits to aid the operator in assuring that the core is operating within acceptable limits at all times, including periods of maneuvering.


7.16.5 Description

7.16.5.1 Computer System Components

7.16.5.1.1 Central Processor

The process computer (ICS) is a distributed computer system with one central processing computer linked via a local area network to other computers which perform necessary process computer functions. The ICS performs various calculations, makes necessary interpretations, and provides for general input/output (I/O) control and buffered transmission between I/O devices and memory.

7.16.5.1.2 Data Storage Subsystem

Each ICS processor has sufficient data storage media and backup capabilities to perform its intended function of program execution and on/off-line data manipulation and storage.

7.16.5.1.3 Peripheral Input/Output Subsystem

Peripherals with the ICS include several color graphic terminals (see 7.16.5.1.5), printers, color copiers, and digital display units distributed among the main control room, TSC, computer room, and some areas outside the power block.

7.16.5.1.4 Process Input/Output Subsystem

For the central processing computer, the process I/O hardware consists of high-speed scanning multiplexers capable of scanning and time-tagging input readings. A high precision clock is connected to those multiplexers with "sequence of event" digital inputs providing several millisecond (msec) resolution for these time critical points. Any point connected to the I/O multiplexers is capable of being scanned from every 100 msec to every 60 seconds selectable through software settings. These same multiplexers provide digital outputs to operate alarms, etc.

For the RWM, dedicated digital multiplexers are provided to allow interface to the Reactor Manual Control System.

The ICS inputs are composed of various nuclear system instrumentation to provide status and monitoring of core performance, operations status, and rod worth minimizer function. Other inputs are composed of instrumentation related to steam plant performance monitoring and other monitoring functions.


7.16.5.1.5 Operator Consoles

The main control room is provided with several color graphic terminals which graphically display information about the status of the plant and its various systems.

Most terminals are provided with a standard typewriter keyboard, multiple dedicated function keys, and a touch sensitive faceplate on the CRT monitor. Functions can be accessed by touch screen and/or keyboard use.

7.16.5.1.6 Programming and Maintenance Console

The programming and maintenance consoles, located in the computer room, permit control of the computers for troubleshooting and maintenance functions.

7.16.5.2 Reactor Core Performance Function

7.16.5.2.1 Power Distribution Evaluation

The local power density of every six-inch segment for every fuel assembly is calculated, using plant inputs of pressure, temperature, flow, Local Power Range Monitor (LPRM) levels, control rod positions, and the calculated fuel exposure. Total core thermal power is calculated from a reactor heat balance. A three-dimensional diffusion theory based core model is used to establish a compatible relationship between the core coolant flow and core power distribution. The results are subsequently interpreted as local power at specified axial segments for each fuel bundle in the core.

The core evaluation analytical sequence is completed periodically and on demand, requiring several minutes to execute. Subsequent to executing the program the computer prints a periodic log for record purposes.

7.16.5.2.2 LPRM Calibration

Flux level and position data from the Traversing Incore Probe (TIP) equipment are read into the computer. The computer evaluates the data and determines gain adjustment factors by which the LPRM amplifier gains can be altered to compensate for exposure-induced sensitivity loss. The gain adjustment factor computations indicate to the operator when such a calibration procedure is necessary.

7.16.5.2.3 Fuel Exposure

Using the power distribution data, distribution of fuel exposure increments from the time of a previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation. These data are printed out on demand by the operator.

7.16.5.3 Rod Worth Minimizer Function

The rod worth minimizer (RWM) function assists and supplements the operator with an effective backup control rod monitoring routine that enforces adherence to established startup, shutdown, and low power level control rod procedures. The computer prevents the operator from establishing control rod patterns that are not consistent with both defined Bank Position Withdraw Sequence (BPWS) sequencing constraints and corresponding prestored RWM sequences. Sequencing errors shall initiate appropriate rod select block, rod withdrawal block, and rod insert block interlock signals to the Reactor Manual Control System's rod block circuitry. The RWM sequences stored in the computer memory are based on control rod withdrawal procedures designed to limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis rod drop accident.

The RWM function does not interfere with normal reactor operation, and in the event of a failure does not itself cause rod patterns to be established which would violate the above objective. The RWM function may be bypassed and its rod block function disabled only by specific procedural control initiated by the operator.

A small color graphic monitor is mounted on a panel in the control room to provide primary man-machine interface to the operators. The terminal has a touch sensitive screen. A small strip of buttons for hardwired indicators and system controls is mounted under the monitor.

7.16.5.3.1 RWM Inputs

The following operator and sensor inputs are utilized by the RWM:

a. Rod Test Sequence (touch area activated)

By selecting this input option, the operator is permitted to withdraw and reinsert any one control rod in the core while all other control rods are maintained in the fully inserted position.

b. Normal/Bypass Mode

An administratively controlled switch is provided to permit the operator to apply permissives to RWM rod block functions at any time during plant operation.

c. System Initialize

This input is initiated by the operator to start or restart the RWM programs and system at any time during plant operation.

d. Scan/Relatch

Forces a full core scan, and relatches to the loaded RWM sequence if the RWM is operable and power is below the low power setpoint (LPSP).

e. Substitute Control Rod

Allows the operators to manually enter control rod positions for rods with defective position indicators.

f. System Diagnostic

Allows checking of rod block annunciators.

g. Control Rod Selected

The RWM recognizes the binary coded identification of the control rod selected by the operator.

h. Control Rod Position

The RWM recognizes the binary coded identification of the control rod position.

i. Control Rod Drive Selected and Driving

The RWM utilizes this input as a logic diagnostic verification of the integrity of the rod select input data.

j. Control Rod Drift

The RWM recognizes a position change of any control rod using the control rod drift indication. This information is used to evaluate requirements for automated full core scan updates and the status for permissible withdrawal or insertion of subsequently selected rods.

k. Reactor Power Level

Feedwater flow and steam flow signals are used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power setpoint and the low power alarm setpoint, are used to disable the RWM blocking function at power levels above the intended service range of the RWM function.

l. Permissive Echoes

Rod select, rod withdraw, and rod insert permissive echo inputs are utilized by the RWM as a verification "echo" feedback to the system hardware to assure proper response of a RWM output.

m. Diagnostic Inputs

The RWM utilizes selected diagnostic inputs, such as cabinet over temperature and multiplexer on-line status, to verify the integrity and performance of the processor and associated data acquisition hardware.

7.16.5.3.2 RWM Outputs

The RWM provides isolated contact outputs to plant instrumentation as follows:

a. Blocks

The RWM is interlocked with the Reactor Manual Control System to permit or inhibit selection, withdrawal, or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod.

b. Scan Mode

This RWM output is used to synchronize acquisition of control rod position data during the scan mode.

7.16.5.3.3 RWM Indications

The following information is available from both the color graphic monitor display located in the control room and the maintenance console in the computer room:

a. Sequence selected
b. Current group
c. Currently selected rod
d. Rods in group by ID
e. Rod positions
f. Insert limit
g. Withdraw limit
h. Insert error(s) by rod ID
i. Withdraw error by rod ID
j. Insert block
k. Withdraw block
l. Rod select warning
m. Rods with substituted positions
n. Status of sequence control
o. View sequence forward/backward
p. Emergency insert list

Note: The electronic emergency insert list is not currently used. The emergency insert list is implemented by approved site procedures.

7.16.5.4 Alarm and Logging Functions

7.16.5.4.1 Analog Alarm

a. The following alarm checks are available for any analog input:

- Sensor limit check

  Prior to engineering unit conversion, the point is checked against its defined transducer range. If found outside this range it is set to a bad quality.

- Reasonability check

  The point is compared to its defined engineering range, and is assigned a bad quality if it is outside that range.

- User settable HI/HIHI/LO/LOLO checks

  For each of six "Modes" any point may have HI, HIHI, LO, and LOLO alarm settings, providing up to 24 different alarm settings per point.

- Alarm by reference to another analog point

  Any point can be set to alarm if it exceeds another point's value, thus providing variable alarm limits.

b. All points in alarm will show up on the color graphic alarm display. Printing of alarm/return to normal on the designated printer in the control room can be selected on a point by point basis.
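The four analog checks above, in the order the text gives them, together with the archive-on-quality-change rule of 7.16.5.4.3, as an added example (not ICS code). The point definition, the 4-20 mA signal, the linear conversion, the mode numbering, the strict comparisons and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODES = range(1, 7)   # the page states six "Modes"; numbering 1-6 is assumed


@dataclass
class AnalogPoint:
    name: str
    raw_range: Tuple[float, float]   # transducer range (assumed 4-20 mA)
    scale: Tuple[float, float]       # engineering value at each end of raw_range
    eng_range: Tuple[float, float]   # defined engineering (reasonable) range
    # mode -> {"LOLO": x, "LO": x, "HI": x, "HIHI": x}; any subset may be set
    limits: Dict[int, Dict[str, float]] = field(default_factory=dict)
    reference: Optional[str] = None  # other point used as a variable high limit


def evaluate(point, raw, mode, others=None):
    """Return (quality, alarms) for one raw sample of one point."""
    if mode not in MODES:
        raise ValueError("mode must be 1-6")
    # 1. Sensor limit check, done before engineering unit conversion.
    raw_lo, raw_hi = point.raw_range
    if not raw_lo <= raw <= raw_hi:
        return "BAD", ["SENSOR_LIMIT"]
    # Linear conversion (assumed; the page does not give the conversion).
    eu_lo, eu_hi = point.scale
    value = eu_lo + (raw - raw_lo) / (raw_hi - raw_lo) * (eu_hi - eu_lo)
    # 2. Reasonability check against the defined engineering range.
    if not point.eng_range[0] <= value <= point.eng_range[1]:
        return "BAD", ["REASONABILITY"]
    # 3. Mode-dependent HI/HIHI/LO/LOLO checks; report the most severe per side.
    alarms: List[str] = []
    lim = point.limits.get(mode, {})
    if "HIHI" in lim and value > lim["HIHI"]:
        alarms.append("HIHI")
    elif "HI" in lim and value > lim["HI"]:
        alarms.append("HI")
    if "LOLO" in lim and value < lim["LOLO"]:
        alarms.append("LOLO")
    elif "LO" in lim and value < lim["LO"]:
        alarms.append("LO")
    # 4. Alarm by reference: another point's current value is the limit.
    if point.reference is not None:
        ref_value = (others or {}).get(point.reference)
        if ref_value is not None and value > ref_value:
            alarms.append("REF:" + point.reference)
    return ("ALARM" if alarms else "GOOD"), alarms


def scan(point, raw_samples, mode, others=None):
    """Evaluate samples in order; archive an entry only when the quality code changes."""
    archive = []
    last = None
    for index, raw in enumerate(raw_samples):
        code = evaluate(point, raw, mode, others)
        if code != last:
            archive.append((index, point.name) + code)
            last = code
    return archive


# Constructed sample point: 4-20 mA spans 0-1600 psig, reasonable range 0-1400 psig.
DEMO_PRESS = AnalogPoint(
    name="DEMO_PRESS",
    raw_range=(4.0, 20.0),
    scale=(0.0, 1600.0),
    eng_range=(0.0, 1400.0),
    limits={1: {"LOLO": 800.0, "LO": 900.0, "HI": 1100.0, "HIHI": 1200.0},
            2: {"HI": 200.0}},
)

if __name__ == "__main__":
    # Constructed raw samples (mA) evaluated in mode 1.
    for entry in scan(DEMO_PRESS, [14.0, 14.0, 15.5, 16.5, 19.0, 21.0], mode=1):
        print(entry)
```

The same 14.0 mA sample is good in mode 1 and a HI alarm in mode 2, which is the practical effect of per-mode limits.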

7.16.5.4.2 Digital Alarm

All digital points can be set to alarm in either state (on/off, etc.), and will show up on the alarm display. It can be selected whether the point alarm will be printed in the control room.

7.16.5.4.3 Alarm History

History of alarms is maintained in the on-line archive. Any change in quality code (i.e., alarm) is automatically entered in the archive.

7.16.5.4.4 Logs

The ICS has the ability to produce various logs which can be printed on a periodic basis, upon occurrence of a plant trip or other event, and on operator demand.

7.16.5.5 Balance of Plant Functions

Additional balance of plant functions are monitored as required.

7.16.6 Safety Evaluation

As described in Chapter 14 ("Plant Safety Analysis" treatment of the control rod drop accident), the maximum rod worth below 10 percent power assumed was 0.025 k.

The rod worth minimizer operates to maintain the maximum rod worth below 0.01 k. At power levels above 10 percent of rated, the maximum rod worth possible was assumed in the control rod drop accident cases; thus no rod worth control is required above 10 percent of rated power. Should the rod worth minimizer or program be inoperative for any reason, the reactor operator can maintain acceptable rod worth by adhering to preestablished control rod patterns and sequences when below 10 percent of rated power.

7.16.7 Inspection and Testing

The Process Computer System is self checking. It performs diagnostic checks to determine the operability of certain portions of the system hardware, and it performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.

RWM Technical Specification required testing is provided in Section 3.3.2.1 of the technical specifications. The surveillance procedures include provisions for verification of the proper annunciation of the selection error of at least one out-of-sequence control rod and verification of the RWM rod block function by moving an out-of-sequence control rod during reactor startups and shutdowns.

Table 7.16-1 (Deleted by Amendment 11)

Table 7.16-2 (Deleted by Amendment 11)

Figure 7.16-1 Deleted

7.17 Deleted

Table 7.17-1 (Deleted by Amendment 16)

Table 7.17-2 (Deleted by Amendment 16)

Figures 7.17-1 through 7.17-9d (Deleted by Amendment 16)

7.18 BACKUP CONTROL SYSTEM

7.18.1 Design Objectives

The design objective of the Backup Control System is to provide: (1) a means to safely shut down the plant from locations outside the main control rooms, contiguous rooms at the same level as the control rooms, the spreading rooms, and contiguous rooms below the spreading rooms, collectively referred to as the control bay, and (2) a sufficient complement of suitable instrumentation and controls to bring the plant to the cold condition in an orderly fashion and maintain it in that state indefinitely.

Detailed requirements for achieving a safe and stable condition following a fire in the control room and evacuation of the control room are provided in the Fire Protection Report.

7.18.2 Design Bases

The Backup Control System shall be designed to:

a. Provide for safe shutdown of any or all of the units in the plant after gross damage to the Control Bay (i.e., main control rooms, contiguous rooms at the same level as the control rooms, the spreading rooms and contiguous rooms in the level below the spreading rooms).
b. Provide redundant or diverse controls over the methods for cooling the reactors and removing heat dissipated to the containments.
c. Perform its function without creating any new common points of vulnerability in the control bay.
d. Perform its function without obtaining information from any sources in the control bay which may be damaged, inaccessible, etc.
e. Prevent failure in or to the backup control information readout equipment indicators from influencing the redundant readout equipment in the control room.
f. Maintain the separations of the divisions of backup control outside the control bay such that no failure will deprive the plant of essential shutdown services.
g. Consistent with (c) above, transfer control from the control room to the backup control locations regardless of the condition of the circuits in the control room (e.g., shorts, open-circuits, or grounds).

h. Provide control room annunciation of any transfer switch that is turned from its normal position.
i. Provide only shutdown capability from a normal operating state without consideration of any other accidents, such as LOCA, prior to or after the event that damages the control room.
j. Shut the plant down to essentially the same state as would occur with a loss of offsite power without incremental fuel failures.
k. Correct any spurious opening of valves which would lead to a loss of coolant or admission of high pressure fluids to low pressure systems.
l. Provide for manual operation of valves for only essential services, such as main steam, RBCCW, RHR, EECW, ADS inhibit, selected MSRVs, etc. (The general function of containment isolation is not required to be operable.)
m. Provide environmental protection at the backup control locations for operators and equipment regardless of the conditions in the control room.
n. Provide for initiating and maintaining backup control with the reactors at any normal operating pressure and level.
o. Provide for implementing backup control with onsite power automatically available upon loss of offsite power; however, manual controls of the diesel generators shall be available as a backup for automatic transfer on loss of offsite power.
p. Provide for remote load control (4KV Shutdown Boards) to replace the electrical control board in the main control room. Alarms may be monitored from the diesel information panel for Unit 1/2 and from the 4KV Shutdown Boards for Unit 3.
q. Have redundant communication system(s) available between the backup control centers: electrical board rooms (includes shutdown board rooms), the Diesel Generator Buildings, the RCIC Relay Panels, and any other necessary locations.
r. Provide for operation of the fire pumps directly from the 4160-V shutdown boards irrespective of the condition of the control room.

7.18.3 Description

The Backup Control System is a variation of the normal system used inside the control room to shut down the reactor when normal feedwater and electrical control power supplies are not available and the normal heat sinks (turbines and condensers) may not be available. Reactor pressure is controlled and reduced, while decay heat and sensible heat are removed, by dumping steam through the main steam relief valves to the pressure suppression pool. The reactor pressure boundary is protected by the backup controls so that spurious openings of valves which could cause a loss of coolant or admit high pressure to low pressure piping systems are prevented.

Reactor water inventory is maintained by RCIC while the reactor(s) are above 50 psig (RCIC operates at a reduced flow rate between 50 psig and 150 psig reactor pressure) and augmented as desired (but not necessarily) by the control rod drive pumps while the reactor(s) are above 50 psig. Below 150 psig, makeup water can also be supplied from the RHR System as well as from control rod drive pumps, the RHRSW pumps or the condensate pumps. The pressure suppression pool is cooled by circulating the principal flow through the RHR pumps into and through the torus via the test bypass. These valves are designed for throttling.

All RHR pumps, all RHRSW pumps, and two heat exchangers per unit are equipped with backup controls to provide redundancy. On a three-unit basis, only one RHR pump, one RHR heat exchanger, and one RHRSW pump (providing cooling water to the heat exchanger) are necessary to be concurrently operated per unit for reactor and suppression pool cooling. Two of the RHRSW pumps are operated to provide cooling water to the EECW System via both header systems. The EECW System is provided with backup controls to ensure redundant operation of this system as an entity.

The onsite diesel generator system and associated shutdown boards are available to the Backup Control System. Load control for the Unit 1/2 and/or Unit 3 diesels may be directed from their respective remote locations (Diesel Information Center and 4KV Shutdown Boards for Unit 1/2 and 4KV Shutdown Boards for Unit 3).

Actual load manipulations are carried out at the 4KV Shutdown Boards in their respective electrical board rooms. Essential plant parameters are monitored from the backup control panels located in the electrical board rooms.

Undesired loads which might occur from circuit malfunctions are prevented by manual switching at the boards. All board breakers (except transformer breakers) are provided with transfer switches on the front of the individual panels at the equipment locations. These transfer switches are two-position "Normal-Emergency" switches which, when in "Emergency" mode, preclude spurious breaker operations from remote or automatic sources as required.

7.18.4 System Operation

The Backup Control System is put in operation when the control room operators are forced to evacuate. They would proceed to various locations in the diesel building, control building, and reactor building to shutdown board rooms, electrical board rooms, etc., which are provided with suitable instrumentation and controls from which they can effect and maintain a safe shutdown condition for an indefinitely long time. The detailed procedures for implementing backup controls will rely on the Shift Manager to initiate emergency action. Initially, the Shift Manager makes an assessment of the situation and attempts corrective measures to preclude evacuation. If abandonment becomes necessary, operators will scram the reactor by the scram switches at the Main Control Room panel, trip the recirculation pumps, start the onsite power system, and the EECW System (2 pumps). The main turbine is tripped and bypass operation is continued for as long as possible. The operators are dispatched to the dispersed backup control centers in the shutdown board rooms. The operators perform at the backup control centers and operate the transfer switches to disconnect the main steam relief valves (this prevents spurious blowdown of the primary system), and then operate the transfer switches on the main steam line isolation valves to transfer control to the Backup Control System.

All other transfers are accomplished by special switches at the switchgear and/or the motor control centers, and/or remote locations, except some of those for RCIC are done at the RCIC relay panel in the Reactor Building near the backup control center.

After operation of all the transfer switches, the plant is then shut down in an orderly manner to the cold condition.

7.18.5 Design Evaluation

The Backup Control System is not an engineered safety feature, but is a design feature to cope with a forced evacuation from the control room(s). Fires or some other gross event could cause a forced evacuation of the Main Control Room, as well as cause common damage and loss of the control circuits for multiple divisions of protection, safeguards equipment, and auxiliary supporting systems. Primarily, because of loss of control of the latter group of systems, the consequences of such an incident could be that the operating condition of the affected units might degrade to an indeterminate and/or unsafe state. This Backup Control System is designed to prevent this degradation, irrespective of the condition of the control and spreading rooms, and the circuits and equipment therein, and thus, provide for the capability to safely shut down the plant from outside the control room(s). (However, the event which occurred to cause such damage is considered to be a major damaging event in its own right, and is not an event preceding or following a loss-of-coolant accident.)

In effect, the system provides protection against damage in the control bay and is physically and electrically separated from these damaged areas. The system provides redundancy or a diverse means to effect a cold shutdown (MODE 4) condition considering the single failure criterion.

The transfer switches are of the maintained contact type, and transfer of any switch to the emergency position is annunciated in the Main Control Room.

The addition of the Backup Control System does not introduce any new common points of vulnerability, nor does it create any significant new hazards to existing safety circuits. Thus, the plant will not endanger the health and safety of the public under the condition of forced evacuation of the control room, even if unspecified damage occurs in the control room or the control bay.

7.18.6 Inspection and Test

Any malpositioned transfer switches can be detected during operation and immediate corrective measures will be taken. Operability of components from the Backup Control Center will be tested to the extent practical once per operating cycle.

This includes testing of transfer of control of active components and instrument calibration.


7.19 ANTICIPATED TRANSIENT WITHOUT SCRAM

7.19.1 Design Objectives

The objective of the design is the mitigation of an Anticipated Transient Without Scram (ATWS). ATWS mitigation is to provide an alternate means of bringing the reactor from full power operation (MODE 1) to a cold shutdown (MODE 4) condition independent of the normal means of shutdown. For BWRs, the required systems are the Standby Liquid Control system, the Alternate Rod Injection portion of the Control Rod Drive system, and the Recirculation Pump Trip (RPT) system.

The ATWS/RPT-ARI system is designed to meet the requirements of 10 CFR 50.62 and NRC guidance (NRC Generic Letters 85-03 and 85-06), which require the following:

- the system must be diverse and independent of the Reactor Protection System (RPS), from sensor output to the final actuation devices,

- redundant scram air header exhaust valves, and

- designed to perform its functions in a reliable manner.

It is not required to be redundant, or to function during or after a seismic event, a design basis accident or a sense line failure.

The ATWS design is intended to mitigate any abnormal operational transients, as defined in FSAR section 1.4.

The BFN Standby Liquid Control system is described in section 3.8, and the ARI-RPT system is described in the following sections.

7.19.1.1 Alternate Rod Injection (ARI) Design Objectives

The performance objective for ARI is that rod insertion should be completed within one minute of initiation to preclude degradation of the fuel cladding, and should also be completed prior to scram discharge volume pressurization or fill.

7.19.1.2 Recirculation Pump Trip (RPT) Design Objectives

To automatically trip the reactor coolant recirculation pumps on conditions indicative of an ATWS.

7.19.1.3 Standby Liquid Control System (SLCS) Design Objectives

To provide a soluble boron concentration to the reactor vessel sufficient to bring the reactor from full power (MODE 1) to a cold shutdown (MODE 4) condition.

7.19.2 Design Bases

7.19.2.1 ARI Design Bases

1. The ARI function is initiated by high reactor vessel pressure or low reactor water level conditions. Setpoints to initiate ARI should allow the normal scram function to actuate first.
2. The scram air header should be depressurized in sufficient time that rod insertion following the ARI actuation signal occurs quickly enough that all rods will be fully inserted by the time the scram discharge volume (SDV) is full.
3. Rod insertion motion should be completed within sufficient time from ARI initiation for the safety considerations to be met.
4. Within thirty seconds following ARI initiation, the ARI function shall be capable of being reset, if automatic initiation signals have cleared, so that manual scram may again be attempted if it has been reset.
5. The ARI must be capable of functioning during loss of off-site power, but the power source is not required to be Class 1E. The power supply for ARI must be from non-interruptible power.
6. The ARI logic, circuitry and valves (and all other components, unless specifically excluded in 10CFR50.62 or elsewhere in this document) should be energize-to-trip.
7. The ARI system shall be diverse from the Reactor Protection System from sensor output to the actuation devices.
8. The ARI system shall have redundant scram air header exhaust valves.
9. The ARI system shall be designed to perform its function in a reliable manner.

7.19.2.2 RPT Design Bases

The reactor coolant recirculation pumps shall automatically trip on high reactor vessel pressure or low reactor water level conditions. The allowable values for the ATWS-RPT instrumentation functions are provided in Technical Specification Section 3.3.4.2. Nominal trip setpoints are specified in the setpoint calculations for the reactor vessel water level - low-low, (level 2) function and for the reactor steam dome pressure - high function.

7.19.2.3 SLCS Design Bases

To meet 10 CFR 50.62, the SLCS shall have the capability of injecting into the reactor pressure vessel a borated water solution at such a flow rate, boron concentration and boron-10 enrichment that the resulting reactivity control is at least equivalent to 86 gallons per minute of 13 weight percent sodium pentaborate solution at the natural boron-10 isotope abundance. The Extended Power Uprate analyses for ATWS assume a flow capacity and boron content equivalent to 50 gpm of 8.7 weight percent and 94 atom percent Boron-10 enriched sodium pentaborate solution, which exceeds the requirements of 10 CFR 50.62.

7.19.3 Descriptions

An ATWS is an expected operational transient (such as loss of feedwater, loss of condenser vacuum, or loss of offsite power) which is accompanied by a failure of the Reactor Protection System (RPS) to shut down the reactor. The ATWS rule 10CFR50.62 requires specific improvements in the design and operation of commercial nuclear power facilities to reduce the likelihood of failure to shut down the reactor following anticipated transients, and to mitigate the consequences of an ATWS event.

7.19.3.1 ARI Description

The Alternate Rod Injection System (ARI) provides a path to reactor shutdown which is diverse and independent from the RPS. The ARI system consists of one three-way scram valve per trip system which will act to block control air upstream of the control rod drive system hydraulic control units (HCUs) while dumping the downstream side to atmosphere when an ATWS initiation signal is present for that train. Additionally, three vent valves in each trip system ensure a rapid blowdown of the air supply pressure to the HCU banks, as well as the scram discharge volume (SDV) vent and drain header branch. Loss of control air pressure to the HCUs causes control rod insertion by the control rod drive system.

7.19.3.2 RPT Description

The Recirculation Pump Trip (RPT) design will automatically trip the reactor coolant recirculation pumps under conditions indicative of an ATWS.

7.19.3.3 SLCS Description

The Standby Liquid Control System (SLCS) has the capability of injecting into the Reactor Pressure Vessel a borated water solution to bring the reactor from full power to a cold shutdown condition.

7.19.4 Design Evaluation

7.19.4.1 ARI Design Evaluation

Slave trip units in the Analog trip units provide the ATWS reactor low level trip at the Level 2 setpoint and the ATWS high reactor pressure trip. The trip setpoints are selected such that a Reactor Protection System (RPS) low level scram and high pressure scram will occur prior to reaching the ATWS initiation setpoints. A coincident trip of either two low levels, or two high pressures, causes a reactor scram by energizing one of two identical, independent trains of four alternate rod injection valves (one to block the air supply, two to vent the hydraulic control headers and one to vent the scram discharge volume drain and vent valve air header). This depressurizes the control air supply to the hydraulic control units which inserts the control rods independently of the reactor protection system.

The ARI system is designed to assure rod insertion within sufficient time to meet safety considerations. In order to meet this criterion, it is necessary for BFN to depressurize the scram air header as fast as possible. Therefore, several air dump valves as well as air supply block valves are installed on the air supply headers for the Control Rod Drive (CRD) Hydraulic System.

Within thirty seconds following ARI initiation, the ARI function is capable of being reset if automatic initiation signals have cleared, so that manual scram may again be attempted if it has been reset.

The ATWS ARI system is supplied power from the 250V DC RMOV Board which has battery backup. This provides a continuous, non-interruptible source of power, so that the ARI system can perform its function in the event of loss-of-offsite power.

The power is isolated from the 1E source via safety-related isolation fuses.

All ARI logic, circuitry and valves are energize-to-function and are diverse from the RPS.

Additionally, depressurization of the scram valve operators is assisted by venting the air headers by two pairs of ARI vent valves. Each pair of vent valves is located close to each of the two HCU banks in order to minimize the depressurizing time of the scram air headers.

7.19.4.2 RPT Design Evaluation

The ATWS RPT system utilizes the Monticello design where the end-of-life (EOL) breakers are used to trip the recirculating pumps. Two-out-of-two logic is utilized to prevent spurious trip signals. This design provides inputs to two class 1E breakers installed between each recirculation pump motor and its VFDs on Units 1, 2, and 3.

These breakers receive trip signals from both the End of Cycle RPS RPT and the ATWS RPT. Separation between the End of Cycle RPS RPT and the ATWS RPT is provided by separate trip coils. Physical separation is maintained between the ATWS RPT and the RPS RPT wiring via a separate terminal block in the 4160V RPT Board switchgear.

7.19.4.3 SLCS Safety Design Evaluation (See FSAR Section 3.8, "Standby Liquid Control System")

7.19.5 Containment Cooling

The containment response to an ATWS was evaluated. The details are provided in Subsection 14.12.5.3. A loss of offsite power is the ATWS initiating event that is limiting regarding containment cooling. Following the postulated event, reactor vessel coolant inventory makeup would be accomplished with the HPCI system which takes suction from the condensate storage tank. Reactor vessel pressure control is accomplished with operation of the Main Steam Relief Valves (MSRVs).

The steam discharge from the reactor vessel would be through the MSRV tailpipes directly to the suppression pool, with a resulting suppression pool water temperature increase. As discussed in Subsection 6.5.5.6, the NPSH analysis does not take credit for any containment pressure greater than that assumed to exist at the start of the postulated ATWS event.

7.20 INSTRUMENT SETPOINT METHODOLOGY

7.20.1 Objectives

In the September 14, 2006, supplement to Technical Specifications (TS) change TS-453 Instrument Setpoint Methodology, TVA made an NRC commitment to incorporate into the SAR by reference the design output documentation which contains the nominal trip setpoints for the instrument functions that were changed by TS-453. The affected instrument functions are those to which the footnote was added to the TS instrument tables in the referenced TS-453 supplement and a listing of the design output documentation is provided in Table 7.20-1.

The commitment also specified that the methodology used to determine the nominal trip setpoint, the Allowable As Found (AAF) tolerance band and the Allowable As Left (AAL) tolerance band will be described in the UFSAR.

7.20.2 Design Bases

The instrument setpoints methodology for Browns Ferry is consistent with ISA standard 67.04-2000 and is incorporated into TVA Technical Instructions for performance of instrument uncertainty analyses.

7.20.3 Description

7.20.3.1 Setpoint Methodology

The following summarizes the methodology used for establishing instrument setpoints.

The establishment of setpoints and the relationships between a Nominal Trip Setpoint (NTSP), Allowable As Found (AAF) tolerance band, the Allowable As Left (AAL) tolerance band, Allowable Value (AV), Analytical Limit (AL), and Safety Limit are discussed in this section.

7.20.3.2 Safety Limit (SL)

A safety limit is specified to protect the integrity of physical barriers that guard against the uncontrolled release of radioactivity. The safety limit for a parameter is typically provided in the plant safety analyses in accordance with 10 CFR 50.36(c).1.ii.A.

7.20.3.3 Analytical Limit (AL)

The analytical limit represents the parameter value at which a safety action is assumed to be initiated to ensure that the safety limits are not exceeded during either accidents or anticipated operational occurrences. The AL is developed from event analysis models including associated safety actions which consider parameters such as process delays, rod insertion times, core cooling flow rates, reactivity changes, or instrument response times. The AL may apply directly to a parameter (e.g., main steam relief valve opening pressure setpoint to maintain reactor pressure below its safety limit) or it may apply indirectly (e.g., reactor scram on low water level to maintain fuel peak clad temperature below its safety limit).

7.20.3.4 Technical Specification Allowable Value (AV)

The numerical parameter values/limits in the technical specification actions or surveillance requirements are the AVs. The AV is a value that the setpoint can have when tested periodically, beyond which the instrument channel shall be evaluated for operability. The AV ensures that sufficient margin exists to the AL to account for unmeasurables such as process effects and specified instrument uncertainties to ensure that the safety action is performed under worst case conditions before the AL is exceeded.

7.20.3.5 Nominal Trip Setpoint (NTSP)

The NTSP is the nominal value the instrument is set to when it is calibrated. Since many instruments cannot be set to an exact value, the instrument is set to the nominal setpoint within an allowed tolerance band as described in Section 7.20.3.9.

7.20.3.6 Operational Limit (OL)

The operational limit is a value which the operating parameter is not expected to exceed during normal operation. The NTSP is set beyond the OL so that spurious trips of the instrument do not occur.

7.20.3.7 Instrument Uncertainties

Instruments exhibit errors or uncertainties, some of which can be measured or detected during a normal calibration while other errors cannot be measured during normal calibrations since the external factor causing the error is not present at that time. Examples of external factors which are not present during a normal calibration are design basis accident temperature, design basis accident radiation and some process dependent effects. Additionally, instruments exhibit other errors such as drift which must be calculated based on operating experience.

Instrument setpoint calculations include the effects of both the measurable and unmeasurable uncertainties to ensure the associated safety actions are performed in a timely manner so that safety limits are not exceeded. Incorporating these uncertainties provides assurance that the AL will not be exceeded under accident conditions if the AV is satisfied under normal conditions.

The square root sum of the squares (SRSS) method is used for combining uncertainty terms that meet the following three criteria: random, independent, and approximately normal distribution. The probability that all of the independent processes would simultaneously be at their maximum value (i.e., + or -) is very small. The SRSS method provides a means to combine individual random uncertainty terms to establish a net random uncertainty term. All other uncertainties that do not meet any of the three criteria are arithmetically summed.

The allowance between the AL and the NTSP is to be large enough to contain the total uncertainty (measurable and unmeasurable), during accident or seismic and normal operation, as determined using the SRSS method. The allowance between the AV and the NTSP should be large enough to contain that portion of the instrument channel being tested for the surveillance interval (monthly, quarterly, or refueling) and should account for only the measurable uncertainties. Examples of this are:

1) Drift (based on surveillance interval)
2) Instrument uncertainties for the portion of the instrument channel tested.
3) Instrument uncertainties during normal operation which are measured during testing

Another calculated variable defined as the normal measurable accuracy (Anf), also called the as found tolerance, provides a means to identify unacceptable instrument performance which, if exceeded, may require corrective action. The (Anf) represents a tolerance band on either side of the NTSP which defines the limits of acceptable instrument performance.

In the discussion which follows, it is assumed that the process variable increases toward the AL. If the process variable decreases toward the AL, the directions given would be reversed.

The limiting AV is determined by subtracting the unmeasurable uncertainty effects from the AL. The NTSP could then be calculated by subtracting the normal measurable uncertainties, such as those items identified above (drift, calibration uncertainties, and uncertainties observed during normal operations), plus any margin from the AV. This calculated AV is the bounding maximum limit AVmax. If margin exists both between the NTSP and the AL and between the NTSP and the operational limit, the NTSP could be reduced to a lower limit of OL plus the normal uncertainties, and then the AV could be reduced to the new NTSP plus the measurable uncertainties. This calculated AV is the bounding minimum value AVmin to prevent spurious initiations. The actual AV can be set within these two limits.
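The setpoint arithmetic described above, carried through as an added example (not TVA's calculation or any design output document). Function names and every numeric value are constructed for illustration; "normal uncertainties" is taken to mean the combined measurable term, and the direction flag implements the stated reversal for a variable that decreases toward the AL.

```python
import math


def combine(random_terms, bias_terms=()):
    """SRSS for random, independent, approximately normal terms;
    all other (bias) terms are summed arithmetically."""
    srss = math.sqrt(sum(t * t for t in random_terms))
    return srss + sum(abs(b) for b in bias_terms)


def setpoint_bounds(al, ol, measurable, unmeasurable, margin=0.0, increasing=True):
    """Bounds on AV and NTSP from the AL and the OL.

    measurable / unmeasurable are combined uncertainties in process units.
    For a variable that decreases toward the AL the directions reverse, so
    av_max and ntsp_max are then the values nearest the AL, not the largest.
    """
    s = 1.0 if increasing else -1.0
    av_max = al - s * unmeasurable                  # limiting AV
    ntsp_max = av_max - s * (measurable + margin)   # NTSP nearest the AL
    ntsp_min = ol + s * measurable                  # NTSP nearest the OL
    av_min = ntsp_min + s * measurable              # AV bound against spurious trips
    if s * (ntsp_max - ntsp_min) < 0:
        raise ValueError("no NTSP satisfies both the AL and the OL")
    return {"av_max": av_max, "ntsp_max": ntsp_max,
            "ntsp_min": ntsp_min, "av_min": av_min}


def assess_as_found(as_found, ntsp, av, anf, aal, increasing=True):
    """Classify a surveillance reading against the AV and the tolerance bands."""
    s = 1.0 if increasing else -1.0
    if s * (as_found - av) > 0:
        return "BEYOND_AV"       # channel is evaluated for operability
    deviation = abs(as_found - ntsp)
    if deviation > anf:
        return "OUTSIDE_AAF"     # may require corrective action
    if deviation > aal:
        return "OUTSIDE_AAL"     # inside as-found band, outside as-left band
    return "WITHIN_AAL"


def worked_example():
    """Constructed high-pressure trip: AL 1100 psig, OL 1050 psig."""
    measurable = combine([3.0, 4.0])             # drift, calibration -> 5.0
    unmeasurable = combine([6.0, 8.0], [2.0])    # accident terms + one bias -> 12.0
    return setpoint_bounds(1100.0, 1050.0, measurable, unmeasurable, margin=3.0)


if __name__ == "__main__":
    bounds = worked_example()
    print(bounds)
    for reading in (1080.5, 1083.0, 1086.0, 1089.0):
        print(reading, assess_as_found(reading, bounds["ntsp_max"],
                                       bounds["av_max"], anf=5.0, aal=1.0))
```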

7.20.3.8 As Found Tolerance

The as found tolerance provides a means to identify unacceptable instrument performance which, if exceeded, may require corrective action. The (Anf) represents a tolerance band on either side of the NTSP which defines the limits of acceptable instrument performance. As described previously, examples of the as found tolerance measurable uncertainties are:

1) Drift (based on surveillance interval)
2) Instrument calibration uncertainties for the portion of the instrument channel tested
3) Instrument uncertainties during normal operation which are measured during testing

7.20.3.9 As Left Tolerance

This calibration tolerance is usually based on the reference accuracy of the device being calibrated. The selection of the as left tolerance (acceptance band) for a device is arbitrary; however, the as left tolerance shall be large enough to allow the trip setpoints to be easily adjusted between these limits. The as left tolerance should always be equal to or greater than the device's reference accuracy.

7.20.4 Instrument Setpoints - Design Output

Table 7.20-1 lists the design output document for the parameters which meet the definition of a Limiting Safety System Setting (LSSS) in accordance with 10 CFR 50.36. These documents can be revised as needed under the provisions of 10 CFR 50.59.


BFN-22

Table 7.20-1 Design Output Documents Unit 1 (Sheet 1)

Tech Spec Function  Design Output Documents - Unit 1
3.3.1.1.3           1P-003-22AA-00  1P-003-22BB-00  1P-003-22CC-00  1P-003-22DD-00
3.3.1.1.4           1L-003-0203A-00  1IL-003-0203B-00  1L-003-0203C-00  1L-003-0203D-00
3.3.1.1.9           1P-047-0142-00  1P-047-0144-00  1P-047-0146-00  1P-047-0148-00
3.3.5.1.1.a         1L-003-0058A-00  1L-003-0058B-00  1L-003-0058C-00  1L-003-0058D-00
3.3.5.1.1.b         1P-064-0058A-00  1P-064-0058B-00  1P-064-0058C-00  1P-064-0058D-00
3.3.5.1.1.c         1P-003-0074A-00  1P-003-0074B-00
3.3.5.1.2.a         1L-003-0058A-00  1L-003-0058B-00  1L-003-0058C-00  1L-003-0058D-00
3.3.5.1.2.b         1P-064-0058A-00  1P-064-0058B-00  1P-064-0058C-00  1P-064-0058D-00
3.3.5.1.2.c         1P-003-0074A-00  1P-003-0074B-00
3.3.5.1.2.d         1P-003-0074A-00  1P-003-0074B-00  1P-068-0095-00  1P-068-0096-00
3.3.5.1.3.a         1L-003-0058A-00  1L-003-0058B-00  1L-003-0058C-00  1L-003-0058D-00
3.3.5.1.3.b         1P-064-0058A-00  1P-064-0058B-00  1P-064-0058C-00  1P-064-0058D-00
3.3.5.1.4.a         1L-003-0058A-00  1L-003-0058B-00  1L-003-0058C-00  1L-003-0058D-00
3.3.5.1.4.b         1P-064-0057A-00  1P-064-0057B-00  1P-064-0057C-00  1P-064-0057D-00
3.3.5.1.4.d         1L-003-0184-00  1L-003-0185-00
3.3.5.1.5.a         1L-003-0058A-00  1L-003-0058B-00  1L-003-0058C-00  1L-003-0058D-00
3.3.5.1.5.b         1P-064-0057A-00  1P-064-0057B-00  1P-064-0057C-00  1P-064-0057D-00
3.3.5.1.5.d         1L-003-0184-00  1L-003-0185-00
3.3.5.2.1           1L-003-0058A-00  1L-003-0058B-00  1L-003-0058C-00  1L-003-0058D-00
3.3.6.1.1.b         1P-001-0072-00  1P-001-0076-00  1P-001-0082-00  1P-001-0086-00

BFN-22

Table 7.20-1 Design Output Documents Unit 2 (Sheet 2)

Tech Spec Function  Design Output Documents - Unit 2
3.3.1.1.3           2P-003-22AA-00  2P-003-22BB-00  2P-003-22CC-00  2P-003-22DD-00
3.3.1.1.4           2L-003-0203A-00  2L-003-0203B-00  2L-003-0203C-00  2L-003-0203D-00
3.3.1.1.9           2P-047-0142-00  2P-047-0144-00  2P-047-0146-00  2P-047-0148-00
3.3.5.1.1.a         2L-003-0058A-00  2L-003-0058B-00  2L-003-0058C-00  2L-003-0058D-00
3.3.5.1.1.b         2P-064-0058A-00  2P-064-0058B-00  2P-064-0058C-00  2P-064-0058D-00
3.3.5.1.1.c         2P-003-0074A-00  2P-003-0074B-00
3.3.5.1.2.a         2L-003-0058A-00  2L-003-0058B-00  2L-003-0058C-00  2L-003-0058D-00
3.3.5.1.2.b         2P-064-0058A-00  2P-064-0058B-00  2P-064-0058C-00  2P-064-0058D-00
3.3.5.1.2.c         2P-003-0074A-00  2P-003-0074B-00
3.3.5.1.2.d         2P-003-0074A-00  2P-003-0074B-00  2P-068-0095-00  2P-068-0096-00
3.3.5.1.3.a         2L-003-0058A-00  2L-003-0058B-00  2L-003-0058C-00  2L-003-0058D-00
3.3.5.1.3.b         2P-064-0058A-00  2P-064-0058B-00  2P-064-0058C-00  2P-064-0058D-00
3.3.5.1.4.a         2L-003-0058A-00  2L-003-0058B-00  2L-003-0058C-00  2L-003-0058D-00
3.3.5.1.4.b         2P-064-0057A-00  2P-064-0057B-00  2P-064-0057C-00  2P-064-0057D-00
3.3.5.1.4.d         2L-003-0184-00  2L-003-0185-00
3.3.5.1.5.a         2L-003-0058A-00  2L-003-0058B-00  2L-003-0058C-00  2L-003-0058D-00
3.3.5.1.5.b         2P-064-0057A-00  2P-064-0057B-00  2P-064-0057C-00  2P-064-0057D-00
3.3.5.1.5.d         2L-003-0184-00  2L-003-0185-00
3.3.5.2.1           2L-003-0058A-00  2L-003-0058B-00  2L-003-0058C-00  2L-003-0058D-00
3.3.6.1.1.b         2P-001-0072-00  2P-001-0076-00  2P-001-0082-00  2P-001-0086-00

BFN-22

Table 7.20-1 Design Output Documents Unit 3 (Sheet 3)

Tech Spec Function  Design Output Documents - Unit 3
3.3.1.1.3           3P-003-22AA-00  3P-003-22BB-00  3P-003-22CC-00  3P-003-22DD-00
3.3.1.1.4           3L-003-0203A-00  3L-003-0203B-00  3L-003-0203C-00  3L-003-0203D-00
3.3.1.1.9           3P-047-0142-00  3P-047-0144-00  3P-047-0146-00  3P-047-0148-00
3.3.5.1.1.a         3L-003-0058A-00  3L-003-0058B-00  3L-003-0058C-00  3L-003-0058D-00
3.3.5.1.1.b         3P-064-0058A-00  3P-064-0058B-00  3P-064-0058C-00  3P-064-0058D-00
3.3.5.1.1.c         3P-003-0074A-00  3P-003-0074B-00
3.3.5.1.2.a         3L-003-0058A-00  3L-003-0058B-00  3L-003-0058C-00  3L-003-0058D-00
3.3.5.1.2.b         3P-064-0058A-00  3P-064-0058B-00  3P-064-0058C-00  3P-064-0058D-00
3.3.5.1.2.c         3P-003-0074A-00  3P-003-0074B-00
3.3.5.1.2.d         3P-003-0074A-00  3P-003-0074B-00  3P-068-0095-00  3P-068-0096-00
3.3.5.1.3.a         3L-003-0058A-00  3L-003-0058B-00  3L-003-0058C-00  3L-003-0058D-00
3.3.5.1.3.b         3P-064-0058A-00  3P-064-0058B-00  3P-064-0058C-00  3P-064-0058D-00
3.3.5.1.4.a         3L-003-0058A-00  3L-003-0058B-00  3L-003-0058C-00  3L-003-0058D-00
3.3.5.1.4.b         3P-064-0057A-00  3P-064-0057B-00  3P-064-0057C-00  3P-064-0057D-00
3.3.5.1.4.d         3L-003-0184-00  3L-003-0185-00
3.3.5.1.5.a         3L-003-0058A-00  3L-003-0058B-00  3L-003-0058C-00  3L-003-0058D-00
3.3.5.1.5.b         3P-064-0057A-00  3P-064-0057B-00  3P-064-0057C-00  3P-064-0057D-00
3.3.5.1.5.d         3L-003-0184-00  3L-003-0185-00
3.3.5.2.1           3L-003-0058A-00  3L-003-0058B-00  3L-003-0058C-00  3L-003-0058D-00
3.3.6.1.1.b         3P-001-0072-00  3P-001-0076-00  3P-001-0082-00  3P-001-0086-00