ML19329D989
| ML19329D989 | |
| Person / Time | |
|---|---|
| Site: | Rancho Seco |
| Issue date: | 10/31/1967 |
| From: | SACRAMENTO MUNICIPAL UTILITY DISTRICT |
| To: | |
| References | |
| NUDOCS 8004090507 | |
Text
TABLE OF CONTENTS
7. INSTRUMENTATION AND CONTROL
7.1 PROTECTION SYSTEMS
7.1.1 DESIGN BASES
7.1.1.1 Vital Functions
7.1.1.1.1 Nonvital Functions
7.1.1.2 Principles of Design
7.1.1.2.1 Single Failure
7.1.1.2.2 Redundancy
7.1.1.2.3 Independence
7.1.1.2.4 Loss of Power
7.1.1.2.5 Manual Trip
7.1.1.2.6 Equipment Removal
7.1.1.2.7 Testing
7.1.1.3 Functional Requirements
7.1.1.4 Environmental Considerations
7.1.2 SYSTEM DESIGN
7.1.2.1 System Description - Reactor Protection System
7.1.2.2 Description - Safeguards Actuation System
7.1.2.3 Design Features
7.1.2.3.1 Redundancy
7.1.2.3.2 Independence
7.1.2.3.3 Loss of Power
7.1.2.3.4 Manual System Trip
7.1.2.3.5 Equipment Removal
7.1.2.3.6 Testing
7.1.2.3.7 Physical Isolation
7.1.2.3.8 Primary Power Source
7.1.2.3.9 Reliability
7.1.2.3.10 Instrumentation for Emergency Core Cooling Initiation
7.1.2.3.11 Identification of Reactor Protection and Nuclear Service Systems
7.1.2.4 Summary of Protective Actions
7.1.2.5 Relationship to Safety Limits
7.1.3 SYSTEMS EVALUATION
7.1.3.1 Functional Capability - Reactor Protection System
7.1.3.2 Functional Capability - Safeguards Actuation System
7.1.3.3 Preoperational Tests
7.1.3.4 Component Failure Considerations
7.1.3.5 Operational Tests
7.2 REGULATING SYSTEMS
7.2.1 DESIGN BASES
7.2.1.1 Compensation Considerations
7.2.1.2 Safety Considerations
7.2.1.2.1 Shutdown Margin
7.2.1.2.2 Reactivity Rate Limits
7.2.1.2.3 Power Peaking Limits
7.2.1.2.4 Power Level Limits
7.2.1.3 Startup Considerations
7.2.2 SYSTEM DESIGN
7.2.2.1 Description of Reactivity Control
7.2.2.1.1 General Description
7.2.2.1.2 Reactivity Control
7.2.2.1.3 Reactivity Worth
7.2.2.1.4 Reactor Control
7.2.2.2 Integrated Control System
7.2.2.2.1 Turbine Control
7.2.2.2.2 Steam Generator Control
7.2.3 SYSTEM EVALUATION
7.2.3.1 System Failure Considerations
7.2.3.2 Interlocking
7.2.3.3 Emergency Considerations
7.2.3.4 Loss-of-Load Considerations
7.3 INSTRUMENTATION
7.3.1 NUCLEAR INSTRUMENTATION
7.3.1.1 Design
7.3.1.1.1 Test and Calibration
7.3.1.1.2 Power Range Detectors
7.3.1.1.3 Detector Locations
7.3.1.2 Evaluation
7.3.1.2.1 Loss of Power
7.3.1.2.2 Reliability and Component Failure
7.3.1.2.3 Protection Requirements
7.3.2 NONNUCLEAR PROCESS INSTRUMENTATION
7.3.2.1 System Design
7.3.2.2 System Evaluation
7.3.3 INCORE MONITORING SYSTEM
7.3.3.1 Design Basis
7.3.3.2 System Design
7.3.3.2.1 System Description
7.3.3.2.2 Calibration Techniques
7.3.3.3 System Evaluation
7.3.3.3.1 Operating Experience
7.3.3.3.2 B&W Experience
7.4 OPERATING CONTROL STATIONS
7.4.1 GENERAL LAYOUT
7.4.2 INFORMATION DISPLAY AND CONTROL FUNCTION
7.4.3 SUMMARY OF ALARMS
7.4.4 COMMUNICATION
7.4.5 OCCUPANCY
7.4.6 AUXILIARY CONTROL STATIONS
7.4.7 SAFETY FEATURES
7.4.8 SYSTEM EVALUATION
7.4.8.1 Information Available Post Accident
7.4.8.2 Control Room Availability
Amendment 3
LIST OF FIGURES
Figure Number  Title
7.1-1 Reactor Protection System Block Diagram
7.1-2 Nuclear Instrumentation and Protection Systems
7.1-3 Typical Control Circuits for Engineered Safeguards Equipment - Elementary Diagram
7.1-4 Reactor Power Measurement Errors and Control Limits
7.2-1 Reactor and Steam Temperatures Versus Reactor Power
7.2-2 Reactor Control Diagram - Integrated Control System
7.2-3 Automatic Control Rod Groups - Typical Worth Curve Versus Distance Withdrawn
7.2-4 Steam Generator and Turbine Control Diagram - Integrated Control System
7.3-1 Nuclear Instrumentation Flux Ranges
7.3-2 Nuclear Instrumentation Detector Locations
7.3-3 Non-Nuclear Instrumentation Schematic
7.3-4 Incore Instrumentation Arrangement
7.3-5 Typical Arrangement - Incore Instrumentation Channel
7.4-1 Control Room Layout
7. INSTRUMENTATION AND CONTROL
7.1 PROTECTION SYSTEMS
The protection systems, which consist of the reactor protection system and the safeguards actuation system, perform the most important control and safety functions. The protection systems extend from the sensing instruments to the final actuating devices, such as trip circuit breakers and pump or valve motor contactors.
7.1.1 DESIGN BASES
The reactor protection system monitors parameters related to safe operation and trips the reactor to protect the reactor core against fuel rod cladding damage caused by departure from nucleate boiling (DNB), and to protect against reactor coolant system damage caused by high system pressure. The safeguards actuation system monitors parameters to detect failure of the reactor coolant system and initiates reactor building isolation and engineered safeguards operation to contain radioactive fission products in the reactor building.
7.1.1.1 Vital Functions
The reactor protection system automatically trips the reactor to protect the reactor core under these conditions:
a. When the reactor power, as measured by neutron flux, exceeds the limit set by the reactor coolant flow.
b. Loss of both reactor coolant pumps in one loop.
c. The reactor outlet temperature reaches an established maximum limit.
d. The reactor pressure reaches an established minimum limit.
The reactor protection system automatically trips the reactor to protect the reactor coolant system when the reactor pressure reaches an established maximum limit.
The safeguards actuation system automatically performs the following vital functions:
a. Commands operation of injection emergency core coolant.
b. Commands operation of the reactor building emergency cooling system and the reactor building spray system.
c. Commands closing of the reactor building isolation valves.
Amendment 2
The core flooding system is a passive system and does not require safeguards actuation system action.
7.1.1.1.1 Nonvital Functions
The reactor protection system provides an anticipatory reactor trip when the reactor startup rate reaches specified limits.
7.1.1.2 Principles of Design
The protection systems are designed to meet the requirements of the IEEE proposed "Standard for Nuclear Power Plant Protection Systems," dated September 13, 1966.
Prototype and final equipment will be subject to qualification tests as required by the subject standard.
The tests will establish the adequacy of equipment performance in both normal and accident environments.
The major design criteria are summarized in the following paragraphs.
7.1.1.2.1 Single Failure
a. No single component failure shall prevent the protection systems from fulfilling their protective functions when action is required.
b. No single component failure shall initiate unnecessary protection system action, provided implementation does not conflict with the criterion above.
7.1.1.2.2 Redundancy
All protection system functions will be implemented by redundant sensors, instrument strings, logic, and action devices that combine to form the protection channels.
7.1.1.2.3 Independence
Redundant protection channels and their associated elements will be electrically independent and packaged to provide physical separation.
Separate detectors and instrument strings are not, in general, employed for protection system functions and regulation or control. Sharing instrumentation for protection and control functions is accomplished within the framework of the separation criteria of the IEEE Standard by the employment of isolation amplifiers in each of the multiple outputs of the analog protection system instrument strings.
The isolation amplifiers are precision operational amplifiers having a closed loop unity gain and a low dynamic output impedance.
The effectiveness of the isolation amplifiers has been proven by actual test.
These amplifiers are effectively lossless elements in the forward or analog output direction and an open circuit in the reverse direction.
Virtually any type of fault may be imposed upon the output of an isolation amplifier and not be reflected or detected at the amplifier's input.
This means that any isolated output may be shorted, opened, grounded, cross coupled with other signals, or directly coupled to a power source (such as 230 v a-c), etc., without affecting the input of the isolation amplifier in any way.
Isolation amplifiers are employed on all analog outputs of instrument channels associated with the protection systems.
The isolation amplifiers are physically a part of the analog instrument module so that the analog signals are effectively isolated before fanning out to other parts of the system.
In those cases where protection and control systems share analog signals of a common origin, the isolation amplifiers serve to assure the failure independence of the protection system.
Faults in the control system cannot be reflected into the protection system.
Beginning with the output of the isolation amplifier, any element in the signal path up to and including the control system may be removed or faulted without affecting the protection system.
The system therefore meets the requirements of Criterion 22 (PSAR 1.4.22).
This design provision may be stated as a corollary to the design criteria:
"A direct short, open circuit, ground fault, faulting to a power source of less than 410 volts, or bridging of any two points at the output terminals of a protection system analog instrument string having multiple outputs shall not result in a significant disturbance within more than one output."
Testing has demonstrated that the protection system design will meet the above criteria.
7.1.1.2.4 Loss of Power
a. A loss of power in the reactor protection system will cause the affected channel to trip.
b. Availability of power to the safeguards actuation system will be continuously indicated. The loss of instrument power, i.e., vital bus power, to the instrument strings and bistables will initiate a trip in the affected channels.
System actuation requires control power from one of the engineered safeguards dc power buses so that loss of this power does not actuate the system.
The system equipment is divided between the redundant engineered safeguards channels in such a way that the loss of one of the dc power buses does not inhibit the system's intended safeguards functions.
7.1.1.2.5 Manual Trip
Each protection system will have a manual actuating switch or switches in the control room which shall be independent of the automatic trip instrumentation. The manual switch and circuitry will be simple, direct-acting, and electrically connected close to the final actuating device.
7.1.1.2.6 Equipment Removal
The reactor protection system will initiate a trip of the channel involved when modules, equipment, or subassemblies are removed.
Safeguards Actuation System channels will be designed to provide for servicing a single channel without affecting integrity of the other redundant channels or without compromising the criterion that no single failure will prevent actuation.
7.1.1.2.7 Testing
Manual testing facilities will be built into the protection systems to provide for:
a. Preoperational testing to give assurance that the protection systems can fulfill their required functions.
b. On-line testing to prove operability and to demonstrate reliability.
7.1.1.3 Functional Requirements
The functional requirements of the protection systems are those specified under vital functions together with interlocking functions.
The functional requirements of the reactor protection system are to trip the reactor under the following conditions:
a. The reactor power, as measured by neutron flux, reaches an allowable limit set by the number of operating reactor coolant pumps.
b. The reactor power, as measured by neutron flux, reaches an allowable limit set by the measured reactor coolant flow.
c. Both reactor coolant pumps in one loop are lost. (This also covers loss of three pumps and loss of all pumps.)
d. The reactor outlet temperature reaches a preset maximum limit.
e. The reactor coolant pressure reaches a preset maximum limit.
f. The reactor coolant pressure reaches a preset minimum limit.
g. The reactor startup rate reaches a maximum limit while operating below a preset power level.
Interlocking functions of the reactor protection system are to:
a. Bypass the startup rate trip when the reactor power reaches a preset value.
b. Inhibit control rod withdrawal on the occurrence of a predetermined startup rate, slower than the rate at which reactor trip is initiated.
The functional requirements of the safeguards actuation system are to:
a. Start operation of high pressure injection upon detection of a low reactor coolant system pressure or high reactor building pressure.
b. Start operation of low pressure injection upon detection of a very low reactor coolant system pressure or high reactor building pressure.
c. Operate the reactor building isolation valves upon detection of a moderately high reactor building pressure.
d. Start the reactor building emergency cooling units upon detection of a moderately high reactor building pressure.
e. Start the reactor building spray system upon detection of a high reactor building pressure.
7.1.1.4 Environmental Considerations
The operating environment for equipment within the reactor building will normally be controlled to less than approximately 120 F.
The reactor protection system instrumentation within the reactor building is designed for continuous operation in an environment of 140 F, 60 psig, and 100 percent relative humidity, but will function with less accuracy at the accident temperature.
The environment for the neutron detectors will be limited to 150 F with a relative humidity of less than 90 percent. The detectors are designed for continuous operation in an environment of 175 F, 90 percent relative humidity, and 150 psig.
The safeguards actuation system equipment inside the reactor building will be designed to operate under the accident environment of a steam-air mixture.
Protective equipment outside of the reactor building, control room, and relay room is designed for continuous operation in an ambient atmosphere of 120 F and 90 percent relative humidity. The control room and relay room ambient will be maintained at the personnel comfort level; however, protective equipment in the control room and relay room will operate within design tolerance up to an ambient temperature of 110 F.
7.1.2 SYSTEM DESIGN
7.1.2.1 System Description - Reactor Protection System
Figure 7.1-1 is a block diagram of the Reactor Protection System.
The system consists of four identical protection channels, each terminating in a noninverting bistable and reactor trip relay.
In the normal untripped state, each channel functions as an AND gate, passing current to the terminating bistable and holding the reactor trip relay energized only if all channel inputs are in the normal energized (untripped) state.
Should any one or more inputs to a channel become deenergized (tripped), the terminating bistable in that channel trips, deenergizing the reactor trip relay.
Thus, for trip signals each channel becomes an OR gate.
Contacts from the reactor trip relays (RS) are arranged into four identical 2-out-of-4 coincidence networks. Each pair of these coincidence networks controls the power to one of the two identical control rod drive power supplies.
The reactor trip circuits are shown in more detail on Figure 7.1-2, which is an overall diagram showing the nuclear instrumentation system (7.1-2A), reactor protection system (7.1-2B), and the safeguards actuation system (7.1-2C).
Figure 7.1-2B shows the circuit breakers controlling input power to each control rod drive clutch assembly and the manner in which the reactor trip relays trip these circuit breakers.
Reactor trip is accomplished by interrupting all input power to each drive clutch assembly.
Each control rod drive clutch power supply receives its input power through two circuit breakers in series so that opening of either interrupts that source of power.
The two control rod drive clutch power supplies operate in parallel so that both must be deenergized for the control rods to trip.
Circuit breakers No. 1 and No. 2 control primary power to one clutch assembly power supply, and circuit breakers No. 3 and No. 4 control power to the other. Thus, reactor trip is accomplished by tripping one circuit breaker in each of these pairs.
The control rod drive clutch holding coil power supply circuit breakers are equipped with undervoltage coils which must be energized for the circuit breaker to be closed or to remain closed.
The holding voltage for the undervoltage coil of each circuit breaker is taken from the vital bus.
In each circuit breaker (Nos. 1, 2, 3, and 4) the undervoltage coils are energized through contacts of their associated trip relays RS1, RS2, RS3, and RS4 under normal conditions with all trip relays energized.
If trip relays RS1 and RS2, RS1 and RS3, RS1 and RS4, RS2 and RS3, RS2 and RS4, or RS3 and RS4 become deenergized, each circuit breaker undervoltage coil will be deenergized, and the circuit breaker will open. Thus any 2-out-of-4 trip relays will cause each circuit breaker to open, removing power.
See Figure 3.2-68.
The trip circuits and devices are redundant and independent.
Each breaker is independent of each other breaker, so a single failure within one trip circuit does not affect any other trip circuit or prevent trip.
By this arrangement each breaker may be tested independently by the manual test switch. One segment of the manual reactor trip switch is included in each of the circuit breaker trip circuits to implement the "direct action in the final device" criterion.
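The trip path described above, written out as a small Python model; this is an added example, not part of the original report. It checks the 2-out-of-4 coincidence and the series/parallel breaker arrangement against the single-failure criteria of 7.1.1.2.1. The function names, the supply labels and the "stuck closed" breaker fault are assumptions made for illustration.

```python
from itertools import combinations

CHANNELS = ("RS1", "RS2", "RS3", "RS4")          # reactor trip relays
# Breakers 1 and 2 are in series to one clutch power supply, 3 and 4 to the other.
SUPPLY_BREAKERS = {"supply_1": (1, 2), "supply_2": (3, 4)}
BREAKERS = (1, 2, 3, 4)


def channel_relay(inputs, powered=True):
    """Trip relay of one channel: energized only if the channel has power and
    every input is in the normal energized (untripped) state (AND gate)."""
    return bool(powered and all(inputs))


def relays_with_tripped(tripped):
    """Relay states (True = energized) with the named channels tripped."""
    return {r: r not in tripped for r in CHANNELS}


def coil_energized(relays):
    """2-out-of-4 coincidence network feeding a breaker undervoltage coil:
    the coil drops out once any two trip relays are deenergized."""
    return sum(1 for r in CHANNELS if not relays[r]) < 2


def breaker_closed(number, relays, manual_trip, stuck_closed, test_open):
    if number in test_open:          # opened by the manual test switch
        return False
    if number in stuck_closed:       # assumed fault: breaker fails to open
        return True
    return coil_energized(relays) and not manual_trip


def reactor_tripped(relays, manual_trip=False, stuck_closed=(), test_open=()):
    """Rods trip only when BOTH parallel clutch supplies are deenergized;
    a supply is lost when EITHER of its two series breakers is open."""
    for breakers in SUPPLY_BREAKERS.values():
        if all(breaker_closed(b, relays, manual_trip, stuck_closed, test_open)
               for b in breakers):
            return False             # this supply still holds the rods
    return True


def check_design_criteria():
    """Evaluate the criteria stated in the text; every value should be True."""
    normal = relays_with_tripped(set())
    pairs = [set(p) for p in combinations(CHANNELS, 2)]
    return {
        # 7.1.1.2.1 b: one failed channel must not cause an unnecessary trip.
        "no_trip_on_one_channel": not any(
            reactor_tripped(relays_with_tripped({c})) for c in CHANNELS),
        # Any 2-out-of-4 trip relays trip the reactor.
        "trip_on_any_two_channels": all(
            reactor_tripped(relays_with_tripped(p)) for p in pairs),
        # 7.1.1.2.1 a: one breaker failing to open must not prevent trip.
        "trip_despite_one_stuck_breaker": all(
            reactor_tripped(relays_with_tripped(p), stuck_closed=(b,))
            for p in pairs for b in BREAKERS),
        "manual_trip": reactor_tripped(normal, manual_trip=True),
        # On-line test: opening one breaker interrupts only one supply.
        "one_breaker_test_no_trip": not any(
            reactor_tripped(normal, test_open=(b,)) for b in BREAKERS),
        # Interrupting both supplies at once does trip the reactor.
        "both_supplies_interrupted_trips": reactor_tripped(
            normal, test_open=(1, 3)),
    }


if __name__ == "__main__":
    for name, ok in check_design_criteria().items():
        print(f"{name}: {ok}")
```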
The power/flow monitor logic details are also shown on Figure 7.1-2.
There are four identical sets of power/flow monitor logic, one associated with each protective channel.
Each set of logic receives an independent total reactor coolant flow signal (IF), a "number of pump motors in operation" signal (Pn), and three isolated reactor power level signals (9).
The power/flow monitor continuously compares the ratio of the reactor neutron power to the reactor coolant flow.
Should the reactor power as measured by the linear power range channels exceed 1.07 times the total reactor coolant flow, a reactor trip is initiated. All measurements are in terms of percent full flow or full (rated) power. When the reactor is operating above a predetermined neutron power, X% FP, a reactor trip is initiated immediately upon the loss of a single pump. Below this power level a reactor trip is initiated when the reactor power to reactor coolant flow ratio exceeds 1.07.
Thus below a predetermined reactor power there is opportunity for the control system to reduce the reactor power to an acceptable level without a reactor trip.
There are four combinations of logic functions within the power/flow monitor which may lead to a reactor trip; refer to Figure 7.1-2.
The purpose of (A1) is to compare the total reactor coolant flow against the number of operating pump motors, Pn.
Normally, the loss of a pump will cause an instantaneous decrease in Pn with the flow signal lagging.
Should the reverse ever occur, as might be indicative of a lost pump rotor, (A1) will initiate a reactor trip if the reactor power is greater than a predetermined value, X% FP (E1).
Below X% FP, the flux-flow comparator (D1) will trip the reactor when the flux to flow ratio exceeds 1.07.
The (B1) comparator compares the reactor coolant flow against the number of operating pumps to determine that not more than one pump has been coincidentally lost. Should (B1) detect the coincident loss of more than one pump, the logic is required to determine that the ratios of reactor power to operating pumps (C1) and reactor power to reactor coolant flow (D1) are both less than 1.07.
If either of these conditions is not satisfied, a reactor trip results.
The (C1) comparator continuously compares the number of operating pump motors against the reactor power. A reactor trip is immediately initiated upon loss of a pump when the reactor power is above a predetermined value, X% FP (E1).
Below this power level, (C1) will not actuate a trip unless the (B1) comparator detects the loss of more than one pump.
The (F1) relay initiates a reactor trip upon loss of two reactor coolant pumps in one loop, as determined by the monitor logic.
7.1.2.2 Description - Safeguards Actuation System
Figure 7.1-2C shows the action initiating sensors, bistables, and logic for the safeguards actuation system.
The major differences between this system and the reactor protection system are:
a. Each protective action is initiated by either of two channels with 2-out-of-3 coincidence logic between input signals.
b. Either of the two channels is independently capable of initiating the desired protective action through redundant safeguards equipment.
c. Protective action is initiated by the application of power to the terminating control relays through the coincidence logic.
There are three independent sensors for each input variable.
Each sensor terminates in a bistable device.
The outputs of the three bistables associated with each variable operate intermediate relays which are formed into two identical and independent 2-out-of-3 coincident logic networks or channels.
Safeguards action is initiated when either of the channels associated with a variable becomes energized through the coincident trip action of the associated bistables.
The engineered safeguards equipment is divided between redundant actuation channels as shown in Figure 7.1-2(C).
The division of equipment between channels is based upon the redundancy of equipment and functions.
Where two active safeguards valves are connected in redundant manner, each valve will be controlled by a separate engineered safeguards channel as shown in Figure 7.1-2(C).
When active and passive (check valve) safeguards valves are used redundantly, the active valve will be equipped with two OR control elements, each driven by one of the safeguards channels.
Redundant safeguards pumps will be controlled in the same manner as redundant active valves.
Figure 7.1-2(C) shows a typical control scheme for both safeguards valves and pumps.
Separate dual logic channels for reactor building spray pumps and valves are provided. The separate logic permits testing the Reactor Building spray system without actually spraying water by starting the pumps with the valves closed and opening the valves with the pumps shut off.
Figure 7.1-3 shows typical control circuits for equipment serving safeguards functions.
Each circuit provides for normal start-stop control by the plant operator as well as automatic actuation.
Normal starting and stopping are initiated by momentary contact pushbuttons or control switches.
The control circuit shown for a decay heat removal pump is typical of the controller of a large pump started by switchgear. There are three makeup pumps; two are equipped with single control relays powered from separate safeguards actuation channels. The third pump is equipped with two control relays, CR1 and CR2, each of which is powered from separate safeguards actuation channels. Energizing the control relays through their associated safeguards actuation channel energizes the pump circuit breaker closing coil and starts the pump.
The control of the reactor building spray pumps and decay heat removal pumps is by means of single control relays in each pump control circuit.
Each pump is controlled by separate engineered safeguards channels. Safeguards action is initiated when the pump control relay is energized by its associated engineered safeguards channel.
The control circuit for a reactor building isolation valve is typical of a motor-operated valve which is required to close as its engineered safeguards action.
If the valve is employed as one of two active redundant valves, then it is controlled by a single safeguards actuation channel to CR1.
If the valve is employed with a passive redundant check valve, then the motor-operated valve is controlled by two safeguards actuation channels with CR1 and CR2 connected in an "OR" configuration.
The control relays, when energized by their associated safeguards actuation channels, close the valve through contacts which duplicate the manual CLOSE pushbutton and at the same time override any existing signal calling for the valve to open. A torque switch opens the control circuit when the valve seats to permit torque closing.
Air-operated engineered safeguards valves automatically go to their engineered safeguards position upon loss of control air.
Valves used with active redundant valves are equipped with a single electrical actuator for control by a single engineered safeguards channel as shown in Figure 7.1-2(C). Valves used with passive redundant check valves are equipped with two electrical actuators, each controlled by a single safeguards channel operating in an OR configuration.
Engineered safeguards action is initiated when power is applied to the electrical actuator.
The control of the reactor building spray pumps is by means of single control relays in each pump controller.
Each pump is controlled by separate engineered safeguards channels.
Safeguards action is initiated when the pump control relay is energized by its associated engineered safeguards channel.
Certain electrically-actuated valves of the containment isolation system require some form of electric power for initiation and operation.
Therefore, on loss of voltage they remain in their respective positions.
The isolation system is designed to prevent single component failures (e.g., relays, voltage transients, etc.) from inadvertently initiating isolation and causing unwarranted plant shutdown and potentially damaging transient upsets.
Justification for using these components is based on the following facts.
a. No single failure in the engineered safeguards system will prevent reactor building isolation.
b. In cases where diaphragm air-operated valves are used for isolation, the valves are held open by air pressure and are closed by a compressed spring.
c. As described in 5.6.2, Type I and II penetration isolation requires that the valves be redundant and that one valve be backed up with another of different type.
d. In cases where Type III penetration valves described in 5.6.2 are singular and electrically-actuated, the valves are provided with redundant control circuits from redundant power sources. For example, electrically-controlled diaphragm-operated valves will have two electrical solenoid valves, either of which can independently vent the diaphragm operator on command signals from the respective redundant circuits, causing the valve to close under spring power.
e. Fail-safe features provided in redundant power supplies assure the availability of the necessary power supplies so that emergency systems can perform their functions.
Loss of all power to the containment isolation system, which requires the assumption of multiple failures, would result in a loss of function of many elements of this system.
7.1.2.3 Design Features
7.1.2.3.1 Redundancy
The reactor protection system is redundant for all vital inputs and functions. Redundancy begins with the sensor.
Each power range input variable is measured four times by four independent and identical instrument strings.
Only one of the four is associated with any one protective channel.
The total and complete removal of one protective channel and its associated vital instrument strings would not impair the function of any other instrument or protective channel.
There are two source range channels and two intermediate range channels, each with its own independent sensor.
The safeguards actuation system is also redundant for all vital inputs and functions.
Each input variable is measured by three independent and identical instrument strings.
The total removal of any one instrument string will not prevent the system from performing its intended functions.
7.1.2.3.2 Independence
The redundancy, as described above, is extended to provide independence in the reactor protection system.
Each instrument string feeding into one protective channel is operationally and electrically independent of every other instrument string.
Each protective channel is likewise functionally and electrically independent of every other channel.
Only in the coincidence output are the channels brought into any kind of common relationship.
Independence is preserved in the coincidence circuits through insulation resistance and physical separation of the coincidence networks and their switching elements.
The safeguards actuation system instrumentation and control have electrically and physically independent instrument strings.
The output of each bistable is electrically independent of every other bistable.
Independence is preserved in the coincidence networks through insulation resistance and physical separation of the switching elements.
7.1.2.3.3 Loss of Power
The reactor protection system initiates trip action upon loss of control power. All bistables operate in a normally-energized state and go to a de-energized state to initiate action.
Loss of power thus automatically forces the bistables into the tripped state.
Figure 7.1-2B shows the system in a de-energized state.
The safeguards actuation system instrumentation strings terminate in bistable trip elements similar to those in the reactor protection system.
Loss of instrument power up to and including the bistables forces the bistables into the tripped state, initiating safeguards action. The logic networks and the equipment control elements are powered from the engineered safeguards dc power buses.
Electrical safeguards equipment is powered from one of the engineered safeguards ac power buses. Loss of engineered safeguards power to the logic networks or to the safeguards equipment does not initiate safeguards action, as described in 7.1.1.2.4.
Safeguards action is initiated by energizing command circuits rather than by de-energizing.
7.1.2.3.4 Manual System Trip
The manual actuating devices in the protection systems are independent of the automatic trip circuitry and are not subject to failures that make the automatic circuitry inoperable.
The manual trip devices are independent control switches for each power controller.
The independent control switches, however, are all actuated through a mechanical linkage to a common manual trip switch or push button.
Protection Systems 7.1.2.3.5 Equipment Removal The removal of modules or subassemblies from vital sections of the reactor protection system will initiate the trip normally associated with that portion of the system.
The removal criterion is implemented in two ways:
(1) advantage is taken of the inherent characteristics of a normally-energized system, and (2) interlocks are provided.
An inherent characteristic is illustrated by considering the power supply for one of the reactor protection channels.
Removal of this power supply automatically results in trip action by virtue of the resulting loss of power.
No interlock is required in such cases.
Other instances require a system of interlocks built into the equipment to ensure trip action upon removal of a portion of the equipment.
The safeguards actuation system provides for servicing without affecting the integrity of the redundant channels.
7.1.2.3.6 Testing
The protection systems will meet the testing criterion and its objectives.
The test circuits will take advantage of the systems' redundance, independence, and coincidence features, which make it possible to initiate trip signals manually in any part of one protective channel without affecting the other channels.
This test feature will allow the operator to interrogate the systems from the input of any bistable up to the final actuating device at any time during reactor operation without disconnecting permanently installed equipment.
The test of a bistable consists of inserting an analog input and varying the input until the bistable trip point is reached. The value of the inserted test signal represents the true value of the bistable trip point.
Thus the test verifies not only that the bistable functions, but that the trip point is correctly set.
Prestartup testing will follow the same procedure as the on-line testing except that calibration of the analog instrument strings may be checked with less restraint than during reactor operation.
As shown in Figure 7.1-2B, the power breakers in the reactor trip circuit may also be manually tested during operation. The only limitation is that not more than one power supply may be interrupted at a time without causing a reactor trip.
Protection system instrumentation will be subject to an accident environment (qualification) test as required by the proposed IEEE standard for nuclear power plant protection systems. The tests will establish the adequacy of equipment performance in both normal and accident environments.
The qualification tests required will be run on final equipment. The accident environment test will not include the accident radiation environment. The ability of the neutron detectors to perform their intended function will be judged from the detector supplier's typical test data.
7.1.2.3.7 Physical Isolation
The physical arrangement of all elements associated with the protection systems will reduce the probability of a single physical event impairing the vital functions of the system.
For example, pressure measurements of reactor coolant pressure will be divided between four redundant pressure taps in order to reduce the probability of collective damage to all sensors by a single accident.
System equipment will be distributed between instrument cabinets in order to reduce the probability of damage to the total system by some single event.
Wiring between vital elements of the system outside of equipment housing will be routed and protected within the unit so as to maintain redundancy of the systems with respect to physical hazards.
7.1.2.3.8 Primary Power Source
The primary source of control power for the reactor protection system is the vital buses described in 8.2.2.9.
The source of power for the measuring elements in the safeguards actuation system is also from the vital buses.
Command circuits from the safeguards actuation system coincidence logic that extend to engineered safeguards equipment controllers are powered from battery-backed engineered safeguards buses.
Engineered safeguards equipment such as pump and motor operators and their starting contactors are powered from the engineered safeguards power buses.
7.1.2.3.9 Reliability
Design criteria for the reactor protection system and the safeguards actuation system have been formulated to produce reliable systems.
System design practices, such as redundant equipment, redundant channels, and coincidence arrangements permitting in-service testing, have been employed to implement reliability of protective action.
The best grades of commercially available components will be used in fabrication.
A system fault analysis will be made considering the modes of failure and determining their effect on the system vital functions.
Acceptance testing and periodic testing will be designed to ensure the quality and reliability of the completed systems.
7.1.2.3.10 Instrumentation for Emergency Core Cooling Initiation
The instrumentation system makes use of both physical and electrical isolation. High pressure and low pressure injection is activated by both low reactor coolant and high reactor building pressure signals originating from three pressure transmitters measuring the reactor coolant system pressure, as shown in Figure 7.3-3, and three pressure transmitters measuring the reactor building pressure.
Two reactor coolant pressure transmitters are connected to one reactor pipe; the third transmitter is connected to the other reactor outlet pipe. Each transmitter has a separate tap on the reactor coolant piping inside the secondary shield. The transmitters are physically separated from each other and located outside the secondary shield inside the reactor building. The transmitters' electrical outputs leave the reactor building through separate penetrations.
The three reactor building pressure transmitters are connected to the reactor building through independent taps. The transmitters are physically separated from each other and are located outside the reactor building.
The output of each transmitter provides isolated signals to its associated bistable trip devices. The bistable trip devices of a given logic function are physically separated by cabinet barriers. Each pressure transmitter and its associated bistable trips are powered from separate battery-backed vital bus power sources, the same power sources which power the reactor protection channels. Two isolated 125 volt d-c control power sources are used for the power to the engineered safety features channels and logic, as shown in Figure 7.1-2C.
Each major function is, therefore, activated from two independent sources of control power.
The operation of the engineered safety features channels and the trip relays forming the system logic is described in 7.1.2.2.
The high order of system redundancy assures compliance with the single failure criteria of 7.1.1.2.1.
7.1.2.3.11 Identification of Reactor Protection and Nuclear Service Systems
All equipment, circuits and devices associated with the reactor protection and the nuclear service systems will be identified by colored tags or markers.
Each piece of equipment, module, or device, including rear of panel items such as terminal blocks, back of control switches, test switches, etc., will be identified by a red tag or nameplate provided by the manufacturer with appropriate markings. Cables will carry fixed identifying sleeves at each terminating point. The sleeves will be transparent plastic material enclosing a red colored marking tag.
Control switches, position indicators, etc., mounted on the front of control panels or the console will be identified by a red colored bezel and/or nameplate.
The colored identification systems described above will be permanent and they will be prominently displayed such that operating or maintenance personnel will not inadvertently operate the wrong control device or test switch, or disconnect the wrong circuit.
7.1.2.4 Summary of Protective Actions
The abnormal conditions which initiate a reactor trip are listed below:
| Trip Variable | No. of Sensors | Normal Range | Trip Value or Condition for Trip |
|---|---|---|---|
| Neutron Flux | 4 | 0-100% | 107.5% of full (rated) power |
| Neutron Flux / Reactor Coolant Flow | 4 Flux; 16 Reactor Coolant Pump Monitors; 2 Flow Tubes | 2 to 4 pumps | (1) Number of operating coolant pump motors exceeds total coolant flow and reactor power exceeds predetermined level. (2) Ratio of reactor power to total reactor coolant flow exceeds 1.07. (3) More than one reactor coolant pump motor is lost and reactor power exceeds remaining pump capability by more than a ratio of 1.07. (4) Reactor power exceeds number of operating pump motors and the reactor power exceeds predetermined level. (5) Loss of two reactor coolant pumps in one loop. |
| Startup Rate | 2 | 0-2 Decades/min | 5 Decades/min |
| Reactor Coolant Pressure | 4 | 2,120 - 2,250 psig | 2,350 psig; 2,050 psig |
| Reactor Outlet Temperature | 4 | 520-603 F | 610 F |
The reactor trip functions of the power/flow monitor logic are summarized as follows:

| Trip Variable | Symbol | No. of Sensors |
|---|---|---|
| Neutron Flux | $\phi$ | 12; 4 flux channels |
| Reactor Coolant Flow | $\Sigma F$ | 2 flow tubes; 8 $\Delta p$; 4 $\Sigma F$ |
| No. of Operating Pumps | $P_n$ | 16; 4 pump monitors |

(a) $(\phi > 1.07\,P_n)$ and $(\phi > X\%)$*
(b) Loss of more than one pump = $(\phi > 1.07\,P_n)$ and $(\Sigma F - P_n)$
(c) Abnormal relation of $P_n > \Sigma F$ = $(\phi > X\%)$* and $(P_n - \Sigma F)$
(d) $(\phi > 1.07\,\Sigma F)$

* Predetermined neutron power level to be specified during detail design.
Actions initiated by the engineered safeguards protective system are:

| Action | Trip Condition | Normal Value | Trip Point |
|---|---|---|---|
| High Pressure Injection | Low Reactor Coolant Pressure | 2,120 - 2,250 psig | 1,800 psig |
| | or High Reactor Building Pressure | Atmospheric | 10 psig |
| Low Pressure Injection | Very Low Reactor Pressure | 2,120 - 2,250 psig | 200 psig |
| | or High Reactor Building Pressure | Atmospheric | 10 psig |
| Start Reactor Building Emergency Cooling Unit and Reactor Building Isolation | High Reactor Building Pressure | Atmospheric | 4 psig |
| Reactor Building Spray | High Reactor Building Pressure | Atmospheric | 10 psig |
7.1.2.5 Relationship to Safety Limits
Trip setpoints tabulated in 7.1.2.4 are consistent with the safety limits that have been established from the analyses described in Section 14.
The set point for each input, which must initiate a trip of the reactor protection system, has been established at a level that will ensure that control rods are inserted in sufficient time to protect the reactor core.
Likewise, the set points for parameters initiating a trip of the safeguards actuation system are established at levels that will ensure that corrective action is in progress in sufficient time to prevent an unsafe condition.
Factors such as the rate at which the sensed variable can change, instrumentation and calibration inaccuracies, bistable trip times, circuit breaker trip times, control rod travel times, valve times, and pump starting times have been considered in establishing the margin between the trip set points and the safety limits that have been derived.
The flux trip set point of 107 percent is based upon the tolerances and error bands shown in Figure 7.1-4.
The incident flux error is the sum of the errors at the output of the measuring channel resulting from rod motion, and instrument drift during the interval between heat balance checks of nuclear instrumentation calibration.
7.1.3 SYSTEMS EVALUATION
7.1.3.1 Functional Capability - Reactor Protection System
The reactor protection system has been designed to limit the reactor power to a level within the design capability of the reactor core.
In all accident evaluations the time response of the sensors and the protective channels are considered.
Maximum trip times of the protection channels are listed below.
a. Temperature - 5 sec
b. Pressure - 0.5 sec
c. Flux - 0.3 sec
d. Pump monitor - 0.3 sec
Since all uncertainties are considered as cumulative in deriving these times, the actual times may be only one-half as long in most cases.
Even these maximum times, when added to control rod drop times, provide conservative protective action.
The reactor protection system will limit the power that might result from an unexpected reactivity change.
Any change of this nature will be detected and arrested by high reactor coolant temperature, high reactor coolant pressure, or high neutron flux protective action.
An uncontrolled rod withdrawal from startup will be detected by the abnormally fast startup rate in the intermediate channels and high neutron flux in the power range channels.
A startup rate trip from the intermediate-range channels is incorporated in the reactor protection system.
A rod withdrawal accident at power will immediately result in a high neutron flux trip.
Reduced reactor coolant flow results in a reduced allowable reactor power.
The reactor coolant pump monitor operates to set the appropriate reactor power limit by adjusting the power level trip point.
A total loss of flow results in a direct reactor trip, independent of reactor power level.
Two major measurements feed the power / flow monitor:
(a) reactor coolant flow, and (b) neutron power level.
The flow tubes which provide the reactor coolant flow measurement will exhibit no change during the reactor life.
A periodic calibration of the flow transmitters will be made.
The neutron power level signal will be recalibrated by comparison with a routine heat balance. The power range channels use detectors arranged to effectively average the measurement over the length of the core as described in 7.3.1.1.2.
Therefore, their output is expected to be within 4 percent of the calibrated value during normal regulating rod group position changes and the need for additional calibration thereby eliminated.
A loss of reactor coolant will result in a reduction of reactor coolant pressure. The low pressure trip serves to trip the reactor for such an occurrence.
A significant turbine-side steam line rupture is reflected in a drop of reactor coolant pressure.
The low reactor pressure trip shuts down the station for such an occurrence.
7.1.3.2 Functional Capability - Safeguards Actuation System
The safeguards actuation system is a graded protection system. The progressive actions of the injection systems as initiated by the safeguards actuation system provide sufficient reactor coolant under all conditions while minimizing the possibility of setting the entire system in operation inadvertently.
The key variable associated with the loss of reactor coolant is reactor pressure.
In a loss-of-reactor-coolant accident, the reactor pressure will fall, starting high pressure injection at 1,800 psig.
If high pressure injection does not arrest the pressure drop, then low pressure injection starts upon a signal of 200 psig. The high reactor building pressure is used to provide diversification in actuation of both high pressure injection and low pressure injection.
The key variable in the detection of an accident that could endanger reactor building integrity is reactor building pressure.
A reactor building pressure of 4 psig initiates operation of the reactor building emergency cooling unit and isolation of the building while a higher pressure of 10 psig initiates operation of the reactor building sprays.
7.1.3.3 Pre-operational Tests
Valid testing of analog sensing elements associated with the protection systems will be accomplished through the actual manipulation of the measured variable and comparison of the results against a standard.
Routine preoperational tests will be performed by the substitution of a calibrating signal for the sensor.
Simulated neutron signals may be substituted in each of the source, intermediate, and power range channels to check the operation of each channel.
Simulated pressure, temperature, and level signals may be used in a similar fashion. This type of testing is valid for all elements of the system except the sensors.
The sensors should be calibrated against standards during shutdowns for refueling, or whenever the true status of any measured variable cannot be assessed because of lack of agreement among the redundant measurements.
The final defense against sensor failure during operation will be the plant operator. The redundancy of measurements provides more than adequate opportunity for comparative readings.
In addition, the redundancy of the systems reduces the consequences of a single sensor failure.
7.1.3.4 Component Failure Considerations
The effects of failure can be understood through Figure 7.1-2(B).
In the reactor protection system, the failure of any single input in the "tripped" direction places the system in a 1-out-of-3 mode of operation for all variables. Failure of any single input in the "cannot trip" direction places the system in a 2-out-of-3 mode of operation for the variable involved, but leaves all other variables in the normal 2-out-of-4 coincidence mode. With a "tripped," open circuit fault in one channel, the system would be able to tolerate a minimum of two "cannot trip," short circuit failures within the same measured variable before complete safety protection of the variable were lost. With one "tripped," open circuit fault, a second identical fault within the same variable would trip the reactor.
A similar fault relationship exists between channels as a result of the 2-out-of-4 coincidence output.
One "trip" faulted channel places the system in a 1-out-of-3 or single-channel mode.
A "cannot trip" faulted channel places the system in a 2-out-of-3 mode.
At the final device, a "trip" faulted power breaker does not affect the protective channel mode of operation, reactor trip being dependent upon one of two breakers in the unaffected primary power supply to the control rod drives.
A breaker faulted in the "cannot trip" mode leaves the system dependent upon the second breaker in the affected primary power supply.
The safeguards actuation system is a 2-out-of-3 input type of system.
It can tolerate one fault of the "cannot trip" variety in each of the coincidence networks.
For this type of fault, all remaining inputs must function correctly.
A "tripped" input fault allows any one of the two remaining inputs to initiate action.
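The fault cases of 7.1.3.4 can be checked mechanically; the following is an added example, not part of the original report. The names `Fault`, `coincidence`, `effective_mode` and `meets_single_failure` are hypothetical, and the model assumes a "tripped" fault holds a channel output in the trip state while a "cannot trip" fault holds it in the untripped state.

```python
from enum import Enum
from itertools import product


class Fault(Enum):
    NONE = "healthy"
    TRIPPED = "tripped"          # fails toward trip (open circuit, loss of power)
    CANNOT_TRIP = "cannot trip"  # fails away from trip (short circuit)


def channel_output(fault, demand):
    """Trip output of one channel (True = tripped) for a given process demand."""
    if fault is Fault.TRIPPED:
        return True
    if fault is Fault.CANNOT_TRIP:
        return False
    return demand


def coincidence(faults, demands, k):
    """k-out-of-n vote over the channel outputs."""
    outputs = [channel_output(f, d) for f, d in zip(faults, demands)]
    return sum(outputs) >= k


def effective_mode(faults, k):
    """Degraded voting mode, found by trying every demand pattern on the
    healthy channels and keeping the smallest number that trips the system."""
    healthy = [i for i, f in enumerate(faults) if f is Fault.NONE]
    needed = None
    for pattern in product([False, True], repeat=len(healthy)):
        demands = [False] * len(faults)
        for index, demand in zip(healthy, pattern):
            demands[index] = demand
        if coincidence(faults, demands, k):
            count = sum(pattern)
            needed = count if needed is None else min(needed, count)
    if needed is None:
        return "protection lost"
    if needed == 0:
        return "spurious trip"
    return f"{needed}-out-of-{len(healthy)}"


def meets_single_failure(n, k):
    """True if no single channel fault can either trip the system without
    demand or block the trip when every healthy channel demands it."""
    for position in range(n):
        for fault in (Fault.TRIPPED, Fault.CANNOT_TRIP):
            faults = [Fault.NONE] * n
            faults[position] = fault
            if coincidence(faults, [False] * n, k):
                return False
            if not coincidence(faults, [True] * n, k):
                return False
    return True


# Constructed scenarios mirroring the cases described in the text.
N, T, C = Fault.NONE, Fault.TRIPPED, Fault.CANNOT_TRIP
SCENARIOS = [
    ("reactor protection, no faults", [N, N, N, N], 2),
    ("reactor protection, one tripped", [T, N, N, N], 2),
    ("reactor protection, one cannot trip", [C, N, N, N], 2),
    ("reactor protection, one tripped + two cannot trip", [T, C, C, N], 2),
    ("reactor protection, one tripped + three cannot trip", [T, C, C, C], 2),
    ("reactor protection, two tripped", [T, T, N, N], 2),
    ("safeguards actuation, one cannot trip", [C, N, N], 2),
    ("safeguards actuation, one tripped", [T, N, N], 2),
]

if __name__ == "__main__":
    for label, faults, k in SCENARIOS:
        print(f"{label:55s} -> {effective_mode(faults, k)}")
    print("2-out-of-4 meets single failure:", meets_single_failure(4, 2))
    print("2-out-of-3 meets single failure:", meets_single_failure(3, 2))
```
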
Primary power input to both protection systems has been arranged to minimize the possibility of loss of power to either protection system.
Each channel of the protection system will be supplied from one of the four vital busses described in 8.2.2.9.
The operator can initiate a reactor trip independent of the automatic protection action.
The engineered safeguards have been connected to multiple busses to minimize total loss of safeguard capability.
The individual parts of the safeguards actuation system can be placed in operation through manual operator controls independent of the automatic protection equipment.
7.1.3.5 Operational Tests
The protection systems are designed and have the facilities for routine manual operational testing.
Most inputs to the protection systems originate from an analog measurement of a particular variable.
Every input of this type is equipped with a continuous readout device.
A routine check by the operator of each reading as compared to the other redundant readings available for each variable will uncover measurement faults.
These elements plus the bistables and relays of the protection systems require a periodic dynamic test.
Each system provides for routine testing.
Each bistable may be manually tripped, and the results of that trip traced through the system logic and visually indicated to the operator.
The trip point setting of each bistable may be verified by the application of an analog signal proportional to the measured variable, and that signal may be varied until the bistable element trips.
[FIGURE 7.1-1 REACTOR PROTECTION SYSTEM BLOCK DIAGRAM. Blocks shown: Channels 1 through 4; inputs typical of all four channels (high neutron flux, high reactor outlet temperature, high reactor coolant pressure, low reactor coolant pressure, high reactor startup rate (below 10 percent rated power), loss of reactor coolant pumps); an "OR" gate for trip in each channel; bistables A, B, C and D; two 2-out-of-4 coincidence blocks; rod drive power source No. 1 breakers and rod drive power source No. 2 breakers.]
[FIGURE 7.1-2 NUCLEAR INSTRUMENTATION AND PROTECTION SYSTEMS (Amendment 3). Panels: Nuclear Instrumentation and Reactor Protection System; Safeguards Actuation System.]
[FIGURE 7.1-3 TYPICAL CONTROL CIRCUITS FOR ENGINEERED SAFEGUARDS EQUIPMENT, ELEMENTARY DIAGRAM.]
[Figure: reactor power error bands. Legible labels: True Reactor Power; Indicated Reactor Power with -2% Heat Balance Error; Indicated Reactor Power with -2% Heat Balance Error and -4% Flux Error; Indicated Reactor Power with +2% Heat Balance Error; Indicated Reactor Power with +2% Heat Balance Error and a positive Flux Error (value illegible).]
7.2 REGULATING SYSTEMS
7.2.1 DESIGN BASES
7.2.1.1 Compensation Considerations
Reactor regulation is based upon the use of movable control rod assemblies (CRA*) and chemical neutron absorber (boric acid) dissolved in the reactor coolant.
Relatively fast reactivity effects including Doppler, xenon, and moderator temperature are controlled by the control rods, which are capable of rapid compensation.
Relatively slow reactivity effects, such as fuel burnup, fission product buildup, samarium buildup, and hot-to-cold moderator deficit, are controlled by soluble boron.
It is possible to change the reactor coolant system boric acid concentration to "follow" xenon transients over approximately 70 percent of each core cycle without control rod operation.
However, to reduce waste handling requirements resulting from chemical shim operation, control rods are used throughout core life for xenon transients associated with normal power changes.
Chemical shim is used in conjunction with control rods to compensate for equilibrium xenon conditions.
At the beginning of first core life when the moderator temperature reactivity coefficient may be zero or slightly positive, the control rod drive response is faster than necessary to maintain the power error within the allowed deadband.
Analog computer analysis shows that the only change in control response when a positive moderator coefficient of reactivity exists is an increased frequency of control rod motion.
The reactor controls are designed to maintain a constant average reactor coolant temperature over the load range from 15 to 100 percent of rated power.
The steam system operates on constant pressure at all loads.
The average reactor coolant temperature decreases over the range from 15 percent load to zero load.
Figure 7.2-1 shows the reactor coolant and steam temperatures over the entire load range.
Input signals to the reactor controls include reactor coolant average temperature, megawatt demand, and reactor power as indicated by out-of-core neutron detectors.
The soluble boron dilution is initiated manually and terminated automatically or manually.
Manual rod control is used below 15 percent of rated power.
Automatic or manual rod control may be used above 15 percent of rated power.
Increasing power transients between 20 and 90 percent power are limited to ramp changes of 10 percent per minute and step increases of 10 percent.
Power increases from 15-20 percent and above 90 percent are limited to 3 percent per minute.
Decreasing power transients between 100 and 20 percent power are limited to ramp changes of 10%/min and step decreases of 10 percent.
Decreasing power transients between 20 and 15 percent power are limited to steps of 3% and ramps of 3%/min.
The turbine bypass system permits a load drop of 40 percent or a turbine trip from 40 percent load without safety valve operation.
The turbine bypass system and safety valves permit a 100 percent load drop without turbine trip to satisfy "blackout" requirements as described in 14.1.2.8.2.
* Control rod, rod, and control rod assembly (CRA) are used interchangeably in this section and elsewhere in this report.
7.2.1.2 Safety Considerations
7.2.1.2.1 Shutdown Margin
The control rods are provided in sufficient number to allow a hot shutdown that is greater than 1 percent subcritical with the rod assembly of greatest worth fully withdrawn and a typical level of soluble boron (Figure 3.2-1).
7.2.1.2.2 Reactivity Rate Limits
The maximum average rate of change of reactivity that can be inserted by any group of rods does not exceed $5.8 \times 10^{-5}\ (\Delta k/k)$/sec.
(The accidental withdrawal of the rod group of greatest worth is discussed in 14.1.2.2 and 14.1.2.3.)
The maximum normal rate of pure water addition does not change reactivity worth more than $3 \times 10^{-6}\ (\Delta k/k)$/sec.
Reactivity control may be exchanged between rods and soluble boron consistent with the design bases listed above.
7.2.1.2.3 Power Peaking Limits
The nominal reactivity available to a power regulating control rod group is limited so that established radial and axial flux-peaking limits are not exceeded with the rod group in any position at power levels up to 100 percent power.
7.2.1.2.4 Power Level Limits
The reactor automatic controls incorporate a high limit and a low limit of power level demand to the reactor.
Limits are imposed on reactor megawatt demand by lack of feedwater flow capability and reactor coolant system flow capability.
7.2.1.3 Startup Considerations
Over the life of the nuclear unit, startup will occur at various temperature levels and after varying periods of downtime.
Examples of regulating system design requirements as related to startup are:
a. Control rod and/or control rod group "withdraw inhibit" on high startup rate (short period) in the source range and intermediate range.
b. Reactor trip on high startup rate in the intermediate range.
c. Startup control mode. This mode prevents automatic rod withdrawal below 15 percent power.
d. In startup control mode, the controls are arranged so that the steam system follows reactor power rather than turbine system power demand. The controls will limit steam dump to the condenser when condenser vacuum is inadequate.
e. Sufficient control rod worth is provided to override peak xenon and return to power following a hot shutdown or hot standby. During cold shutdown it will be necessary to increase boron concentration to maintain shutdown margin. Following a cold shutdown, boron concentration changes will be made during startup. A number of rod assemblies (or groups), sufficient to provide 1 percent shutdown margin during startup, are required to be withdrawn before a dilution cycle.
f. Minimum pressurizer water level conditions must be met before and during startup.
7.2.2 SYSTEM DESIGN
7.2.2.1 Description of Reactivity Control
7.2.2.1.1 General Description
The reactor controls move control rod assemblies to regulate the power output of the reactor and maintain constant reactor coolant average temperature above 13 percent rated power.
As shown in Figure 7.2-2, the megawatt demand signal is added to the reactor coolant average temperature error to form a reactor power level demand signal.
The reactor power level demand signal is compared to the average reactor power level measured by the power range detectors in the nuclear instrumentation.
When the resulting reactor power level error signal exceeds the deadband, the output signal is a control rod drive "withdraw" or "insert" command to the controlling rod group.
For reactivity control limits see 3.1.2.2.
7.2.2.1.2 Reactivity Control i
Reactivity control is maintained by movable control rod assemblies and by soluble boron dissolved in the reactor coolant.
The moderator temperature coefficient (cold to hot critical), as well as long-term reactivity changes caused by fuel burnup and fission product poisoning, are controlled by
(
adjusting soluble boron concentration.
Short-term reactivity changes
~s caused by power change, xenon polsoning, and moderator. temperature change sig from 0 to 15 percent power are controlled by control rods.
294 y-I6 7.2-3
Regulating Systems First-cycle values for the reactivity components and control distribution
.}
are listed in Tables 3.2-4 and 3.2-5.
Twenty-one of the 69 control rod assemblies are assigned to automatic control of reactor power level during the first core cycle.
Thereafter, 25 rod assemblies are used. These control rod assemblies are arranged in four symmetrical groups which operate in sequence.
The position of one automatic group is used as an index to soluble boron dilution.
Soluble boron adjustment is initiated manually and terminated automatically.
The position of this group acts as a "permissive" to restrict the start of dilution to a "safe" rod position pattern.
The position of the same group terminates dilution automatically.
During reactor startup, control rod assemblies are withdrawn in a predetermined sequence in symmetrical groups of four or more rods.
The group size is preset, and individual control rod assembly assignments to a group are made at a control rod grouping panel.
However, the operator can select any individual control rod and any rod group for motion as required.
A typical control rod group withdrawal scheme is as follows:
| Group | First Cycle | Equilibrium Cycle |
|---|---|---|
| Group 1 | 16 CRA's | 12 CRA's |
| Group 2 | 12 CRA's | 12 CRA's |
| Group 3 | 12 CRA's | 12 CRA's |
| Group 4 | 8 CRA's | 8 CRA's |
| Group 5 | 4 CRA's | 8 CRA's |
| Group 6 | 8 CRA's | 9 CRA's |
| Group 7 | 5 CRA's | 4 CRA's |
| Group 8 | 4 CRA's | 4 CRA's |

Groups 5 through 8 are the regulating groups.
An automatic sequence logic unit is used for reactor control with four regulating rod groups in the power range.
This unit allows operation of no more than one control rod group simultaneously except over the last 25 percent travel of one group and the first 25 percent travel of the next group when overlapping motion of two groups is permitted.
This tends to linearize the reactivity insertion from group to group as shown in Figure 7.2-3.
As fuel burnup progresses, dilution of the soluble boron is controlled as follows:
When the partially withdrawn active control rod group reaches the fully withdrawn point, interlock circuitry permits setting up a flow path from a demineralized water tank, in lieu of the normal flow path of borated makeup, to the reactor coolant system.
Demineralized water is fed to the reactor coolant system, and borated reactor coolant is removed.
The reactor controls insert the active regulating rod group to compensate for the reduction in boron concentration.
When the control rod group has been inserted to the 75 percent withdrawn position, the dilution flow is automatically blocked. The dilution cycle is also terminated automatically by a preset timing device, which is independent of rod position.
Normally, a dilution cycle is required every several days.
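The sequence overlap rule and the dilution permissive described above can be expressed as interlock logic. The following is an added example, not part of the original report: the function and class names, the 5 percent step size and the timer setting are assumptions, while the 25 percent overlap, the fully withdrawn permissive and the 75 percent cutoff come from the text.

```python
FULL_OUT = 100.0       # percent withdrawn
OVERLAP = 25.0         # last 25% of one group overlaps first 25% of the next
DILUTION_STOP = 75.0   # dilution flow blocked at the 75% withdrawn position


def groups_permitted(positions, direction):
    """Return indices of regulating groups allowed to move for this command.

    positions: percent-withdrawn values, in sequence order (first group out first).
    At most two groups are ever returned, and two only inside the overlap band.
    """
    n = len(positions)
    if direction == "withdraw":
        lead = next((i for i, p in enumerate(positions) if p < FULL_OUT), None)
        if lead is None:
            return []                      # everything already fully withdrawn
        moving = [lead]
        if positions[lead] >= FULL_OUT - OVERLAP and lead + 1 < n:
            moving.append(lead + 1)        # next group starts its first 25%
        return moving
    if direction == "insert":
        lead = next((i for i in reversed(range(n)) if positions[i] > 0.0), None)
        if lead is None:
            return []                      # everything already fully inserted
        moving = [lead]
        if positions[lead] <= OVERLAP and lead - 1 >= 0:
            moving.insert(0, lead - 1)     # previous group leaves its last 25%
        return moving
    raise ValueError("direction must be 'withdraw' or 'insert'")


def move(positions, direction, step=5.0):
    """Apply one motion step (step size is an assumed value) to permitted groups."""
    permitted = groups_permitted(positions, direction)
    delta = step if direction == "withdraw" else -step
    new = list(positions)
    for i in permitted:
        new[i] = min(FULL_OUT, max(0.0, new[i] + delta))
    return new, permitted


def withdraw_all(n_groups=4, step=5.0):
    """Withdraw every group from fully inserted; return (positions, permitted) per step."""
    positions, history = [0.0] * n_groups, []
    while any(p < FULL_OUT for p in positions):
        positions, permitted = move(positions, "withdraw", step)
        history.append((tuple(positions), tuple(permitted)))
    return history


class DilutionInterlock:
    """Manual start behind a rod-position permissive; two automatic stops."""

    def __init__(self, max_seconds=1800.0):   # timer setting is an assumed value
        self.max_seconds = max_seconds
        self.flowing = False
        self.elapsed = 0.0
        self.stop_reason = None

    def request_start(self, index_position):
        """Operator request; honored only with the index group fully withdrawn."""
        if not self.flowing and index_position >= FULL_OUT:
            self.flowing, self.elapsed, self.stop_reason = True, 0.0, None
        return self.flowing

    def update(self, index_position, dt):
        """Advance time by dt seconds; block flow on rod position or on the timer."""
        if not self.flowing:
            return False
        self.elapsed += dt
        if index_position <= DILUTION_STOP:
            self.flowing, self.stop_reason = False, "rod position"
        elif self.elapsed >= self.max_seconds:   # independent of rod position
            self.flowing, self.stop_reason = False, "timer"
        return self.flowing


if __name__ == "__main__":
    for positions, permitted in withdraw_all()[13:21]:
        print(positions, "moving:", permitted)
```

The timer path stops the flow even if the index group never reaches the 75 percent position, which is the case the independent timing device exists to cover.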
7.2.2.1.3 Reactivity Worth
The maximum worth of any group of the four automatic control groups is approximately 1.2% $\Delta k/k$.
At design speed, a group requires approximately 6 minutes to travel full stroke.
This rate of control rod group travel results in a reactivity rate of $5.8 \times 10^{-5}$ $(\Delta k/k)$/sec.
The maximum rate of reactivity addition with the soluble boron system, i.e., injecting unborated water from the makeup system at 70 gpm maximum, is $3.0 \times 10^{-6}$ $(\Delta k/k)$/sec.
Table 3.2-5 shows a shutdown reactivity analysis.
The rod worth provided gives a shutdown margin of 5.1% $\Delta k/k$ or more under normal conditions, and a margin in excess of 1% $\Delta k/k$ with the rod of greatest worth stuck in the withdrawn position.
Under conditions where cooldown to reactor building ambient conditions is required, concentrated soluble boron will be added to the reactor coolant to produce a shutdown margin of at least 1% $\Delta k/k$.
The reactivity changes from hot zero power to a cold condition, and the corresponding increases in boric acid concentration, are listed in Table 3.2-6.
7.2.2.1.4 Reactor Control
The reactor control is made up of analog computing equipment with inputs of megawatt demand, core average power, and reactor coolant average temperature. The output of the controller is an error signal that causes the control rod drive to be positioned until the error signal is within a deadband.
A block diagram of the reactor control is shown in Figure 7.2-2.
First, reactor power level demand ($N_d$) is computed as a function of the megawatt demand ($MW_d$) and the reactor coolant system average temperature deviation ($\Delta T$) from the set point, according to the following equation:
$$N_d = K_1 MW_d + K_2 \left( \Delta T + \frac{1}{\tau} \int \Delta T \, dt \right)$$
Megawatt demand is introduced as a part of the demand signal through a proportional unit having an adjustable gain factor ($K_1$).
The temperature deviation is introduced as a part of the demand signal after proportional plus reset (integral) action is applied.
For the temperature deviation, $K_2$ is the adjustable gain and $\tau$ is the adjustable integration factor.
The reactor power level demand ($N_d$) is then compared with the average reactor power level signal ($N_i$), which is derived from the nuclear instrumentation.
The resultant error signal ($N_d - N_i$) is the reactor power level error signal ($E_p$).
When the reactor power level error signal ($E_p$) exceeds the deadband settings, the control rod drive receives a command that withdraws or inserts rods depending upon the polarity of the power error signal.
The following additional features are provided with the reactor power controller:
a. An adjustable low limit on the megawatt demand signal ($MW_d$) to cut out the automatic reactor control action.
b. A high limit on reactor power level demand ($N_d$).
c. An adjustable low limit on reactor power level demand ($N_d$).
Separate from, but related to, the automatic reactor control system is the reactor coolant flow signal system.
Power to each reactor coolant pump motor is monitored as an indication of reactor coolant flow.
Logic units continuously compare the number of energized pumps to the measured reactor power to sense that the flow is adequate for the operating power level.
If the flow is low, the reactor power level demand is reduced by the integrated control system. A similar reduction in reactor power level demand is provided from the reactor coolant flow measurement.
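The demand computation, its limits and the deadband comparison of 7.2.2.1.4 can be followed in a discrete-time sketch. This is an added example, not part of the original report: every gain, limit, deadband and temperature value is constructed, the sign convention for the temperature deviation (set point minus measured) is inferred from the load rejection description in 7.2.3.4, and the hold on the integrator while the limiter is active is an assumption the report does not describe.

```python
from dataclasses import dataclass


@dataclass
class ReactorDemandController:
    """N_d = K1*MW_d + K2*(dT + (1/tau) * integral of dT dt), limited, then deadband.

    Power signals are in percent of rated power, dT in deg F, time in seconds.
    All default settings are constructed values; the report gives none.
    """
    k1: float = 1.0            # proportional gain on megawatt demand
    k2: float = 2.0            # gain on temperature deviation, % per deg F
    tau: float = 50.0          # integration factor, seconds
    nd_low: float = 15.0       # adjustable low limit on N_d
    nd_high: float = 100.0     # high limit on N_d
    mwd_cutout: float = 15.0   # low limit on MW_d that cuts out automatic action
    deadband: float = 1.0      # half-width of the deadband on E_p
    integral: float = 0.0      # running integral of dT, deg F * s

    def demand(self, mw_d, delta_t, dt):
        """Compute the limited reactor power level demand N_d for one time step."""
        trial = self.integral + delta_t * dt
        raw = self.k1 * mw_d + self.k2 * (delta_t + trial / self.tau)
        n_d = min(max(raw, self.nd_low), self.nd_high)
        # Assumption: do not integrate while the limiter is active and dT would
        # push further into the limit, so reset action cannot wind up.
        winding_up = (raw > self.nd_high and delta_t > 0) or (
            raw < self.nd_low and delta_t < 0)
        if not winding_up:
            self.integral = trial
        return n_d

    def step(self, mw_d, t_set, t_avg, n_i, dt):
        """Return (N_d, E_p, command) for one sample of the three inputs."""
        if mw_d < self.mwd_cutout:
            return None, None, "cut out"       # automatic control action removed
        delta_t = t_set - t_avg                # low temperature raises the demand
        n_d = self.demand(mw_d, delta_t, dt)
        e_p = n_d - n_i                        # reactor power level error
        if e_p > self.deadband:
            command = "withdraw"               # demand above measured power
        elif e_p < -self.deadband:
            command = "insert"                 # demand below measured power
        else:
            command = "hold"                   # error inside the deadband
        return n_d, e_p, command


# Constructed samples: (MW_d %, measured average temperature deg F, N_i %)
SAMPLES = [
    (80.0, 579.0, 80.0),   # on set point, power matched
    (80.0, 578.0, 80.0),   # coolant 1 deg F low
    (80.0, 578.0, 82.0),   # power has risen, error back inside deadband
    (80.0, 579.5, 82.0),   # coolant now high, power above demand
    (10.0, 579.0, 12.0),   # megawatt demand below the cutout limit
]


def run_trace(samples, t_set=579.0, dt=1.0):
    """Feed the samples through one controller and return the command sequence."""
    controller = ReactorDemandController()
    return [controller.step(mw, t_set, t_avg, n_i, dt)[2]
            for mw, t_avg, n_i in samples]


if __name__ == "__main__":
    print(run_trace(SAMPLES))
```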
7.2.2.2 Integrated Control System
The integrated control system maintains constant average reactor coolant temperature and constant steam pressure in the nuclear unit during steady state and transient operation between 15 and 100 percent rated power.
Figures 7.2-2 and 7.2-4 show the overall system. The system is based on the integrated boiler-turbine concept widely used in fossil-fuel-fired utility plants.
It combines the stability of a turbine-following system with the fast response of a boiler-following system.
Optimum overall unit performance is maintained by limiting steam pressure variations; by limiting the unbalance that can exist among the steam generator, turbine, and the reactor; and by limiting the total unit load demand upon loss of capability of the steam generator feed system, the reactor, or the turbine generator.
Figure 7.2-2 shows the reactor control portion of the integrated control system described in 7.2.2.1.4.
Figure 7.2-4 shows the steam generator and turbine control portion of the integrated control system.
This control receives inputs of megawatt demand, system frequency, and steam pressure, and supplies output signals to the turbine bypass valve, turbine speed changer, and steam generator feedwater flow controls with changing operating conditions.
The turbine and steam generator are capable of automatic control from zero power to rated power with optional manual control.
The reactor controls are designed for manual operation below 15 percent rated power and for automatic or manual operation above 15 percent rated power.
The turbine is operated as a turbine-following unit with the turbine control valve pressure set point varied in proportion to megawatt error. The steam generator is operated as a boiler-following system in which the feedwater-flow demand to the steam generator is a summation of the megawatt demand and the steam pressure error.
The integrated control system obtains a load demand signal from the system dispatch center or from the operator.
A frequency loop is added to match the speed droop of the turbine speed controls. The load demand is restrained by a maximum load limiter, a minimum load limiter, a rate limiter, and a runback limiter.
In normal operation the megawatt demand ($MW_d$) limits would be set as follows:
Maximum load limit: 100%
Minimum load limit: 15%
Rate limit: 10% per minute
The runbacks act to run back and/or limit the load demand on any of the following conditions:
a. One or more reactor coolant pumps are inoperative.
b. Total feedwater flow lags total feedwater demand by more than 5 percent.
c. The four shim/safety rod groups are not fully withdrawn.
d. Asymmetric rod withdrawal patterns exist.
e. The generator separates from the 230 kV bus.
The output of the limiters is a megawatt demand signal which is applied to the turbine control, steam generator control, and reactor control in parallel. The reactor control responds to the megawatt demand signal as described in 7.2.2.1.4.
7.2.2.2.1 Turbine Control
The megawatt demand is compared with the generator megawatt output, and the resulting megawatt error signal is used to change the steam pressure set point. The turbine valves then change position to control steam pressure.
As the megawatt error reduces to zero, the steam pressure set point is returned to the steady state value.
By limiting the effect of megawatt error on the steam pressure set point, the system can be adjusted to permit controlled variations in steam pressure to achieve any desired rate of turbine response to megawatt demand.
7.2.2.2.2 Steam Generator Control
Control of the steam generator is based on matching feedwater flow to megawatt demand with bias provided by the error between steam pressure set point and steam pressure. The pressure error increases the feedwater flow demand if the pressure is low.
It decreases the feedwater flow demand if the pressure is high.
The basic control actions for parallel steam generator operation are:
a. Megawatt demand converted to feedwater demand.
b. Steam pressure compared to set pressure, and the pressure error converted to feedwater demand.
c. Total feedwater demand computed from sum of a and b.
d. Total feedwater flow demand split into feedwater flow demand for each steam generator.
e. Feedwater demand compared to feedwater flow for each steam generator. The resulting error signals position the feedwater flow controls to match feedwater flow to feedwater demand for each steam generator.
For operation below 15 percent load, the steam generator control acts to maintain a preset minimum downcomer water level.
The conversion to level control is automatic and is introduced into the feedwater control train through an auctioneer. At low loads below 15 percent, the turbine bypass valves will operate to limit steam pressure rise.
The steam generator control also provides ratio, limit, and runback actions as shown in Figure 7.2-4 which include:
a. Steam Generator Load Ratio Control
Under normal conditions the steam generators will each produce one-half of the total load.
Steam generator load ratio control is provided to balance reactor inlet coolant temperatures during operation with more reactor coolant pumps in one loop than in the other.
b. Rate Limits
Rate limiters are manually set to restrict loading or unloading rates to those that are compatible with the turbine and/or the steam generator.
c. Water Level Limits
A maximum water level limit prevents gross overpumping of feedwater and ensures superheated steam under all operating conditions.
A minimum water level limit is provided for low load control.
d. Reactor Coolant Pump Limiters
These limiters restrict feedwater demand to match reactor coolant pumping capability.
For example, if one reactor coolant pump is not operating, the maximum feedwater demand to the steam generator in the loop with the inoperative pump is limited to approximately one-half normal.
e. Reactor Outlet and Feedwater Low Temperature Limits
These limiters reduce feedwater demand when the reactor outlet temperature or the feedwater temperature is low.
f. Feedwater Pump Capability
A feedwater pump capability runback signal limits the megawatt demand signal whenever total feedwater flow lags total feedwater demand by 5 percent.
7.2.3 SYSTEM EVALUATION
7.2.3.1 System Failure Considerations
a. Redundant sensors are available to the integrated control system. The operator can select any of the redundant sensors from the control room.
b. Manual reactivity control is available at all power levels.
c. Loss of electrical power to the automatic controller reverts reactor control to the manual mode.
7.2.3.2 Interlocking
a. Control rod withdrawal is prevented on the occurrence of a positive short period below 10 percent power.
b. The automatic sequence logic sets a predetermined insertion and withdrawal pattern of the four regulating rod groups.
c. Control circuitry allows manually-selected operation of any single control rod assembly or control rod group throughout the power range.
d. An interlock will prevent actuation of both withdrawal and insertion of control rods simultaneously with the insertion signal overriding the withdrawal.
e. Control rod drive switching circuits allow withdrawal of no more than a single control rod group in the manual mode.
f. The automatic sequence logic limits regulating rod motion to one group out of four at one time except at the upper and lower 25 percent of stroke where operation of two groups is permitted to linearize reactivity versus stroke.
g. Maximum and minimum limits on the reactor power level demand signal ($N_d$) prevent the reactor controls from initiating undesired power excursions.
h. Maximum and minimum levels on the megawatt demand signal ($MW_d$) prevent the reactor controls from initiating undesired power excursions.
7.2.3.3 Emergency Considerations
a. Loss of power to the control rod drive magnetic clutch initiates a reactor trip.
b. When emergency conditions arise that exceed the capability of the control system, the operator can revert to the manual control mode.
7.2.3.4 Loss-of-Load Considerations
The nuclear unit is designed to accept 10 percent step load rejection without safety valve action or turbine bypass valve action.
The combined actions of the control system and the turbine bypass valve permit a 40 percent load reduction or a turbine trip from 40 percent load without safety valve action.
The controls will limit steam dump to the condenser when condenser vacuum is inadequate, in which case the safety valves may operate.
The combined actions of the control system, the turbine bypass valve, and the safety valves permit a 100 percent load rejection without turbine trip.
This permits the unit to ride through a "blackout" condition, i.e., sudden rejection of electrical load down to auxiliary load without turbine trip.
(The "blackout" provisions are discussed in 14.1.2.8.2.)
The features that permit continued operation under load rejection conditions include:
a. Integrated Control System
During normal operation the integrated control system (see Figure 7.2-4) controls the unit load in response to load demand from the system dispatch center or from the operator.
During normal load changes and small frequency changes, turbine control is through the speed changer to maintain constant steam pressure.
During large load and frequency upsets, the turbine governor takes control to regulate frequency.
For these upset conditions, frequency error at the input to the integrated control system becomes more important in providing load matching.
b. 100 Percent Relief Capacity in the Steam System
This provision acts to reduce the effect of large load drops on the reactor system.
Consider, for example, a sudden load rejection greater than 10 percent.
When the turbine generator starts accelerating, the governor valves and the intercept valves begin to close to maintain set frequency.
At the same time the megawatt demand signal is reduced, which reduces the governor speed changer setting, feedwater flow demand, and reactor power level demand.
As the governor valves close, the steam pressure rises and acts through the control system to reinforce the feedwater flow demand reduction already initiated by the reduced megawatt demand signal.
In addition, when the load rejection is of sufficient magnitude, the turbine bypass valves open to reject excess steam to the condenser, and the safety valves open to exhaust steam to the atmosphere.
The rise in steam pressure and the reduction in feedwater flow cause the average reactor coolant temperature to rise, which reinforces the reactor power level demand reduction, already established by reduced megawatt demand, to restore reactor coolant temperature to set value.
As the turbine generator returns to set frequency, the turbine controls revert to steam pressure control rather than frequency control.
This feature holds steam pressure within relatively narrow limits and prevents further large steam pressure changes which could impose additional load changes of opposite sign on the reactor coolant system.
As a result, the reactor, the reactor coolant system, and the steam system run back rapidly and smoothly to the new load level.
FIGURE 7.2-1 REACTOR AND STEAM TEMPERATURES VERSUS REACTOR POWER
(Plot. Curves: Reactor Outlet Temperature, Steam Temp., Reactor Average Temperature, Reactor Inlet Temperature. Horizontal axis: Rated Reactor Power (2,452 MWt), %, from 0 to 100.)
FIGURE 7.2-2 REACTOR CONTROL DIAGRAM - INTEGRATED CONTROL SYSTEM
(Block diagram. Blocks: automatic sequence logic, deadband, control rod drive, control rod groups, reactor, steam generators, feedwater, loop No. 1 and loop No. 2 temperature averaging, demand computer and compare units. Legend: reactor coolant system; steam system; control system; reactor coolant system cold leg temperature; reactor coolant system hot leg temperature; average reactor coolant system temperature; deviation of average temperature from setpoint; reactor power level error, $N_d - N_i$; rod velocity demand; megawatt demand; reactor power level; reactor power level demand.)
FIGURE 7.2-3 AUTOMATIC CONTROL ROD GROUP ... CURVE VERSUS DISTANCE WITHDRAWN
(Plot. Horizontal axes: Group 5, Group 6, Group 7 and Group 8 position, distance withdrawn, %, each from 0 to 100. An annotation gives the maximum differential worth.)
FIGURE 7.2-4 STEAM GENERATOR AND TURBINE CONTROL DIAGRAM - INTEGRATED CONTROL SYSTEM
(Block diagram. Blocks: maximum load limit, minimum load limit, rate limit, shim/safety rods not out, asymmetric rods, runback limit, megawatt error, pressure set point, turbine speed controls, turbine bypass valve, reactor coolant pump limiter, reactor coolant pump capability runback signal, reactor coolant temperature limiter, low feedwater temperature limiter, steam generator level limiter, feedwater demand calculator, steam generator load ratio control, feedwater flow controls for each loop. Legend entries include: megawatt demand, steam pressure, steam set pressure, feedwater flow, manual set point, manual/automatic, steam generator level, reactor outlet temperature, reactor inlet temperature, feedwater temperature; number subscripts refer to the two loops.)
7.3 INSTRUMENTATION
7.3.1 NUCLEAR INSTRUMENTATION
The nuclear instrumentation system is shown in Figure 7.1-2A.
Emphasis in the design is placed upon accuracy, stability, and reliability.
Instruments are redundant at every level.
The design criteria stated in 7.1.1.2 have been applied to the design of this instrumentation.
7.3.1.1 Design
The nuclear instrumentation has eight channels of neutron information divided into three ranges of sensitivity: source range, intermediate range, and power range.
The three ranges combine to give a continuous measurement of reactor power from source level to approximately 125 percent of rated power or ten decades of information.
A minimum of one decade of overlapping information is provided between successive higher ranges of instrumentation.
The relationship between instrument ranges is shown in Figure 7.3-1.
The source range instrumentation has two redundant count rate channels originating in two high sensitivity proportional counters.
These channels are used over a counting range of 1 to $10^3$ counts per second as displayed on the operator's control console in terms of log counting rate.
The channels also measure the rate of change of the neutron level as displayed for the operator in terms of startup rate from -1 to +10 decades per minute.
No protective functions are associated with the source range because of inherent instrumentation limitations encountered in this range.
However, one interlock is provided, i.e., a control rod withdraw hold and alarm on high startup rate in either channel.
The intermediate range instrumentation has two log N channels originating in two identical electrically gamma-compensated ion chambers.
Each channel provides seven decades of flux level information in terms of log ion chamber current and startup rate.
The ion chamber output range is from $10^{-11}$ to $10^{-4}$ amperes.
The startup rate range is from -1 to +10 decades per minute.
Protective action on high startup rate is provided by these channels.
A high startup rate on either channel causes a reactor trip.
Prior to a reactor trip, high startup rate in either channel will initiate a control rod withdraw hold interlock and alarm.
The power range channels have four linear level channels originating in 12 uncompensated ion chambers.
The channel output is directly proportional to reactor power and covers the range from 0 to 125 percent of rated power.
The system is a precision analog system which employs a digital technique to provide highly accurate signals for instrument calibration and reactor trip set point calibration.
The gain of each channel is adjustable, providing a means for calibrating the output against a reactor heat balance.
Protective action on high flux level consists of reactor trip initiation by the power range channels at preset flux levels.
Additional features pertinent to the nuclear instrumentation system are as follows:
a. Independent power supplies are included in each channel. Primary power originates from the vital buses described in 8.2.2.9. Where applicable, isolation transformers are provided to ensure a stable, high-quality power supply.
b. The proportional counters used in the source range are designed to be secured when the flux level is greater than their useful operating range. This is necessary to obtain prolonged operating life.
c. The intermediate range channels are supplied with an adjustable source of gamma-compensating voltage.
7.3.1.1.1 Test and Calibration
Test and calibration facilities are built into the system. The test facilities will meet the requirements outlined in the discussion of protection systems' testing.
Facilities for calibration of the various channel amplifiers and measuring equipment will also be a part of the system.
7.3.1.1.2 Power Range Detectors
Twelve uncompensated ionization chambers are used in the power range channels.
Three chambers are associated with each channel, i.e., one near the bottom of the core, a second at the midplane, and a third toward the top of the core. The outputs of the three chambers are combined in their respective linear amplifiers. A means is provided for reading the individual chamber outputs as a manual calibration and test function during normal operation.
7.3.1.1.3 Detector Locations
The physical locations of the neutron detectors are shown in Figure 7.3-2.
The power range detectors are located in four primary positions, 90 degrees apart around the reactor core.
The two source range proportional counters are located on opposite sides of the core adjacent to two of the power range detectors.
The two intermediate range compensated ion chambers are also located on opposite sides of the core, but rotated 90 degrees from the source range detectors.
7.3.1.2 Evaluation
The nuclear instrumentation will monitor the reactor over the 10 decade range from source to 125 percent of rated power. The full power neutron flux level at the power range detectors will be approximately $10^9$ nv.
The detectors employed will provide a linear response up to approximately $4 \times 10^{10}$ nv before they are saturated.
The intermediate range channels overlap the source range and the power range channels in an adequate manner, providing the continuity of information needed during startup.
The axial and radial flux distribution within the reactor core will be measured by the incore neutron detectors (7.3.3).
The out-of-core detectors are primarily for reactor safety, control, and operation information.
7.3.1.2.1 Loss of Power
The nuclear instrumentation draws its primary power from redundant battery-backed vital buses described in 8.2.2.9.
7.3.1.2.2 Reliability and Component Failure
The requirements established for the reactor protection system apply to the nuclear instrumentation.
All channel functions are independent of every other channel, and where signals are used for safety and control, electrical isolation is employed to meet the criteria of 7.1.1.2.
7.3.1.2.3 Protection Requirements
The relation of the power range channels to the reactor protection system has been described in 7.1.
To maintain the desired accuracy in trip action, the total error from drift in the power range channels will be held to ±1/2 percent at rated power over a 30-day period.
Routine tests and recalibration will ensure that this degree of deviation is not exceeded.
Bistable trip set points of the power range channels will also be held to an accuracy of ±1/2 percent of rated power.
The accuracy and stability of the equipment will be verified by vendor tests.
7.3.2 NON-NUCLEAR PROCESS INSTRUMENTATION
7.3.2.1 System Design
The non-nuclear instrumentation measures temperatures, pressures, flows, and levels in the reactor coolant system, steam system, and reactor auxiliary systems.
Process variables required on a continuous basis for the startup, operation, and shutdown of the nuclear unit are indicated, recorded, and controlled from the control room. The quantity and types of process instrumentation provided will ensure safe and orderly operation of all systems and processes over the full operating range of the plant.
The amounts and types of various instruments and controllers shown are intended to be typical examples of those that will be included in the various systems when final design details have been completed. The non-nuclear process instrumentation for the reactor coolant is shown in Figure 7.3-3 and on the reactor auxiliary system drawings in Sections 5, 6, 9, and 11.
Process variables are monitored as shown on the non-nuclear instrumentation and reactor auxiliary system drawings and are as follows:
a. In general, resistance elements are used for temperature measurements. Fast-response resistance elements monitor the reactor outlet temperature. The outputs of these fast-response elements supply signals to the protective system.
b. Pressures are measured in the reactor coolant system, the steam system, and the reactor auxiliary systems. Pressure signals for high and low reactor coolant pressures and high reactor building pressure are provided to the protection systems.
c. Reactor coolant pump motor operation is monitored as an indication of reactor coolant flow. In addition, reactor coolant flow signals are obtained and indicated by means of reactor coolant flow meters. This information is fed to the reactor controls and reactor protection system.
d. Flow in the steam system is obtained through the use of calibrated feedwater flow nozzles. Flow information is utilized for control and protective functions in the steam system. Steam generator level measurements are provided for control and alarm functions.
e. Pressurizer level is measured by differential pressure transmitters calibrated to operating temperature and pressure. The pressurizer level is a function of the reactor coolant system makeup and letdown flow rate. The letdown flow rate is remote manually controlled to the required flow. Pressurizer level signals are processed in a level controller whose output positions the makeup control valve in the makeup line to maintain a constant level.
f. Reactor coolant system pressure is maintained by a control system that energizes pressurizer electrical heaters in banks at preset pressure values below 2,175 psig or actuates spray control valves if the pressure increases to 2,230 psig.
Instrumentation 7.3.2.2 System Evaluation
'()
a.
Redundant instrumentation has been provided for all inputs to the protection systems and vital control circuits.
b.
Where wide process variable ranges are required and precise control is involved, both wide-range and narrow-range instru-mentation are provided.
c.
Where possible, all instrumentation components are selected from standard commercially-available products with proven operating reliability.
d.
All electrical and electronic instrumentation required for safe and reliable operation will be supplied from redundant vital ac instrumentation buses.
7.3.3 INCORE MONITORING SYSTEM
7.3.3.1 Design Basis
The incore monitoring system provides neutron flux detectors to monitor core performance.
No protective action or direct control functions are performed by this system.
All high pressure system connections are terminated within the reactor building.
Incore, self-powered neutron detectors measure the neutron flux in the core to provide a history of power distributions and disturbances during power operating modes.
Data obtained will provide measured power distribution information and fuel burnup data to assist in fuel management decisions.
7.3.3.2 System Design
7.3.3.2.1 System Description
The incore monitoring system consists of assemblies of self-powered neutron detectors located at 52 preselected radial positions within the core. The incore monitoring locations are shown on Figure 7.3-4.
In this arrangement, an incore detector assembly, consisting of six local flux detectors and one background detector, is installed in the instrumentation tube of each of 52 fuel assemblies (Figures 3.2-62).
The local detectors are positioned at six different axial elevations to provide the axial flux gradient. The outputs of the local flux detectors are referenced to the background detector output so that the differential signal is a true measure of neutron flux.
As shown in Figure 7.3-4, seventeen detector assemblies are located to act as symmetry monitors. The remaining 35 detector assemblies, plus five of the 17 symmetry monitors, provide monitoring of every type of fuel assembly in the core when quarter core symmetry exists.
Readout for the incore detectors is performed by the plant data logger/computer system rather than by individual indicators. This system sounds alarms if local flux conditions exceed predetermined values. The alarm function of the incore instrumentation which is incorporated in the plant data logger/computer serves to warn the operator of unusual power distributions developing within the core. The system has incorporated into it online diagnostic routines to test the ability of the alarms to function when called upon to do so.
Loss of the alarms would require that the operator monitor the incore detector readouts. Normal readouts will be provided on the computer, and a sufficient quantity of readouts will be provided at an alternate location. Therefore, there are no consequences to the failure of the alarm functions, except the operator action indicated above.
When the reactor is depressurized, the incore detector assemblies can be inserted or withdrawn through guide tubes which originate at a shielded area in the reactor building as shown in Figure 7.3-5.
These guide tubes, after completing two 90-degree turns, enter the bottom head of the reactor vessel where internal guides extend up to the instrumentation tubes of 52 selected fuel assemblies. The instrumentation tube then serves as the guide for the incore detector assembly or probe detector tubes. The incore detector assemblies are fully withdrawn only for replacement.
During refueling operations, the incore detector assemblies are withdrawn approximately 13 feet to allow free transfer of the fuel assemblies. After the fuel assemblies are placed in their new locations, the incore detector assemblies are returned to their fully inserted positions in the core, and the high pressure seals are secured.
7.3.3.2.2 Calibration Techniques
The nature of the detectors permits the manufacture of nearly identical detectors which will produce a high relative accuracy between individual detectors. The detector signals must be compensated for burnup of the neutron sensitive material. The data handling system integrates each detector output current and generates a burnup correction factor to be applied to each detector signal before printing out the corrected signal in terms of percent of rated power.
The data handling system computes an average power value for the entire core, normalized to the reactor heat balance. This average power value is compared to each neutron detector signal to provide the core power distribution pattern.
7.3.3.3 System Evaluation
7.3.3.3.1 Operating Experience
The AECL has been operating incore, self-powered neutron detectors at Chalk River since 1962.
They have been successfully applied to both the NRX and NRU reactors and have been operated at fluxes beyond those expected in normal pressurized water reactor service.
7.3.3.3.2 B&W Experience
Self-powered, incore neutron detectors have been assembled and irradiated in The Babcock & Wilcox Company development program that began in 1964.
Results from this program have produced confidence that self-powered detectors used in an incore instrument system for pressurized water reactors will perform as well, if not better, than any system of incore instrumentation currently in use.
The B&W development program includes these tests:
a.
Parametric studies of the self-powered detector.
b.
Detector ability to withstand PWR environment.
c.
Multiple detector assembly irradiation tests.
d.
Background effects.
e.
Readout system tests.
f.
Mechanical withdrawal-insertion tests.
g.
Mechanical high pressure seal tests.
h.
Relationship of flux measurement to power distribution experiments.
Preliminary conclusions drawn from the results of the test programs at the B&W Lynchburg pool reactor, the B&W test reactor, and the Big Rock Point nuclear power plant are as follows:
a.
The detector sensitivity, resistivity, and temperature effects are satisfactory for use.
b.
A multiple detector assembly can provide axial flux data in a single channel and can withstand reactor environment.
An assembly of six local flux detectors, three background detectors, and two thermocouples has been successfully operating in the Big Rock Point reactor since May 1966.
c.
Data collection systems are successful as read-out systems for incore monitors.
d.
Background effects will not prevent satisfactory operation in a PWR environment.
Irradiation of detector assemblies and evaluation of performance data are continuing to provide detailed design information for the incore instrumentation system.
FIGURE 7.3-1 NUCLEAR INSTRUMENTATION FLUX RANGES
FIGURE 7.3-2 NUCLEAR INSTRUMENTATION DETECTOR LOCATIONS
LEGEND
PC - PROPORTIONAL COUNTER - SOURCE RANGE DETECTOR
CIC - COMPENSATED ION CHAMBER - INTERMEDIATE RANGE DETECTOR
UCIC - UNCOMPENSATED ION CHAMBER - POWER RANGE DETECTOR
FIGURE 7.3-3 NON-NUCLEAR INSTRUMENTATION SCHEMATIC
FIGURE 7.3-4 INCORE INSTRUMENTATION ARRANGEMENT
Legend: total core monitors based on 1/4 core symmetry; symmetry monitors; combination total core and symmetry monitors.
Labels: axial flux shape, active core length, background detector, local flux detectors.
FIGURE 7.3-5 TYPICAL ARRANGEMENT - INCORE INSTRUMENTATION CHANNEL
Labels: electrical connector, 2500 psi seal, guide tube.
7.4 OPERATING CONTROL STATIONS
Following proven power station design philosophy, all control stations, switches, controllers, and indicators necessary to start up, operate, and shut down the nuclear unit will be located in one control room.
Control functions necessary to maintain safe conditions after a loss-of-coolant accident will be initiated from the centrally-located control room.
Controls for certain auxiliary systems may be located at remote control stations when the system controlled does not involve power generation control or emergency functions.
7.4.1 GENERAL LAYOUT
The control room will be designed so that one man can supervise operation of the unit during normal steady state conditions.
During other than normal operating conditions, other operators will be available to assist the control operator.
Figure 7.4-1 shows the control room layout for the station.
Pertinent instrumentation and control devices for start-up, shutdown and normal and emergency operation are located on the console and the vertical control board.
Most of the essential instruments and controls for power operation are on the console.
The vertical control board contains instrumentation less essential than that which normally requires the operator's attention during start-up, before the reactor is critical and during shutdown.
The instrumentation is arranged in groups on the panels so that when corrective action is required, all pertinent indicators, recorders and controls are within easy reach of the operator.
7.4.2 INFORMATION DISPLAY AND CONTROL FUNCTION
The necessary information for routine monitoring of the nuclear unit and the plant will be displayed on the control room consoles and panels in the immediate vicinity of the operator.
Information display and control equipment frequently employed on a routine basis, or protective equipment quickly needed in case of an emergency, will be mounted on the consoles.
Recorders and radiation monitoring equipment will be mounted on the vertical panel.
Less frequently used equipment, such as indicators and controllers used primarily during startup or shutdown, will be mounted on the vertical panels.
A plant computer will be available in the control room for alarm monitoring, performance monitoring, and data logging.
On-demand printout is available to the operator at his discretion in addition to the computer periodic logging of station variables.
Information available in the control room will include the following:
a.
Information from Inside Containment
(1) Reactor coolant pressure
(2) Reactor coolant flow
(3) Reactor coolant temperature
(4) Pressurizer level
(5) Steam generator level
(6) Steam generator pressure
(7) Core flooding tank level
(8) Core flooding tank pressure
(9) Reactor building sump level
(10) Reactor building temperature
b.
Information from Outside Containment
(1) Reactor building pressure
(2) Feedwater flow
(3) Reactor building spray flow
(4) High pressure injection flow
(5) Low pressure injection flow
(6) Borated water storage tank level
7.4.3 SUMMARY OF ALARMS
Visible and audible alarm units will be incorporated into the control room to warn the operator if unsafe conditions are approached by any system.
Audible reactor building evacuation alarms are to be initiated from the radiation monitoring system or manually by the operator. Audible alarms will be sounded in appropriate areas throughout the plant if high radiation conditions are present.
7.4.4 COMMUNICATION
Station telephone and paging systems will be provided with redundant power supplies to provide the control room operator with constant communication with all areas of the station.
Acoustic booths will be supplied where it is necessary to communicate from areas where the background noise level is high.
Communications outside the station will be through the local telephone company.
7.4.5 OCCUPANCY
Safe occupancy of the control room during abnormal conditions will be provided for in the design of the auxiliary building.
Adequate shielding will be used to maintain tolerable radiation levels in the control room for maximum hypothetical accident conditions.
The control room ventilation system will be provided with radiation detectors and appropriate alarms.
Provisions will be made for the control room air to be recirculated.
Emergency lighting will be provided.
The potential magnitude of a fire in the control room will be limited by the following factors.
a.
The control room construction will be of noncombustible materials.
b.
Control cables and switchboard wiring will be constructed such that they have passed the flame test as described in Insulated Power Cable Engineers Association Publication S-61-402 and National Electrical Manufacturers Association Publication WC 5-1961.
c.
Furniture used in the control room will be of metal construction.
d.
Combustible supplies such as logs, records, procedures, manuals, etc., will be limited to the amounts required for station operation.
e.
All areas of the control room will be readily accessible for fire extinguishing.
f.
Adequate fire extinguishers will be provided.
g.
The control room will be occupied at all times by a qualified person who has been trained in fire extinguishing techniques.
The only flammable materials inside the control room will be:
a.
Paper in the form of logs, records, procedures, manuals, diagrams, etc.
b.
Small amounts of combustible materials used in the manufacture of various electronic equipment.
The above list indicates that the flammable materials will be distributed to the extent that a fire would be unlikely to spread. Therefore, a fire, if started, would be of such a small magnitude that it could be extinguished by the operator using a hand fire extinguisher.
The resulting smoke and vapors would be removed by the ventilation system.
Essential auxiliary equipment will be controlled by either stored energy, closing-type, air circuit breakers which will be accessible and can be manually closed in the event dc control power is lost, or by ac motor starters which have individual control transformers.
7.4.6 AUXILIARY CONTROL STATIONS
Auxiliary control stations will be provided where their use simplifies control of auxiliary systems equipment such as waste evaporator, sample valve selectors, chemical addition, etc.
The control functions initiated from local control stations will not directly involve either the engineered safeguards system or the reactor control system.
Sufficient indicators and alarms will be provided so that the central control room operator is made aware of abnormal conditions involving remote control stations.
7.4.7 SAFETY FEATURES
The primary objectives in the control room layout are to provide the necessary controls to start, operate, and shut down the nuclear unit with sufficient information display and alarm monitoring to insure safe and reliable operation under normal and accident conditions.
Special emphasis will be given to maintaining control integrity during accident conditions.
The layout of the engineered safeguards section of the control board will be designed to minimize the time required for the operator to evaluate the system performance under accident conditions.
Any deviations from predetermined conditions will be alarmed so that the operator may take corrective action using the controls provided on the control panel.
7.4.8 SYSTEM EVALUATION
7.4.8.1 Information Available Post Accident
The information available to the operator in the control room following a DBA will depend on its source and the extent of the post-accident damage.
All information available from outside the containment, see paragraph 7.4.2, will be available post accident.
Information from within the containment may be available under the reactor building conditions which exist following the accident.
The readings will not be as accurate; however, they will be satisfactory for monitoring evidence that safe conditions exist within the nuclear steam supply system.
7.4.8.2 Control Room Availability
The safe operation and shutdown of the power plant will be conducted from the control room. This room is specifically designed to permit the operator to perform his duties under all credible accident conditions.
The forced abandonment of the room is not deemed credible for the following reasons.
a.
The control room has been given the highest priority for shielding from external radiation of any area in the plant.
b.
Non-flammable construction will be used in construction materials and all interior components, i.e., control boards, furniture, etc.
c.
Adequate fire-fighting equipment will be available in the control room and operators will have fire-fighting training.
d.
Self-contained air breathing equipment will be available in the control room for operator use.
e.
Cables and switchboard wiring will pass flame tests as required by IPCEA publication S-61-402 and NEMA WC 5-1961.
f.
Combustible materials in the control room will be kept to the minimum required for normal operation reference and records. Permanent plant records and non-essential reference will be stored elsewhere.
g.
Accessibility to the control room will be from three points.
h.
The auxiliary boards provide a fire and smoke barrier between most of the resistance electrical devices that could generate large amounts of smoke.
i.
Fire-proof or fire-resistant doors will be installed on all rooms adjoining the control room where significant amounts of combustible materials are stored.
FIGURE 7.4-1 CONTROL ROOM LAYOUT
Labels: auxiliary equipment cabinets, vertical control board, console, toilet, kitchen.