ML20011D755

Chapter 7, Instrumentation & Controls to Updated Final Hazards Summary Rept for Big Rock Point Plant
Site: Big Rock Point
Issue date: 07/01/1989
From: CONSUMERS ENERGY CO. (FORMERLY CONSUMERS POWER CO.)
Shared Package: ML20011D723
References: NUDOCS 8912280368


Text


TABLE OF CONTENTS

CHAPTER 7 INSTRUMENTATION AND CONTROLS

7.1 INSTRUMENT AND CONTROL (I&C) INTRODUCTION
7.1.1 PLANT SAFETY AND MONITORING SYSTEMS
7.1.2 OTHER INSTRUMENTATION AND CONTROLS
7.2 REACTOR PROTECTION SYSTEM (RPS)
7.2.1 REACTOR PROTECTION SYSTEM DESCRIPTION
7.2.2 REACTOR PROTECTION SYSTEM RESPONSE TIME
7.2.3 REACTOR PROTECTION SYSTEM SENSORS
7.2.4 REACTOR MODE SELECTOR SWITCH
7.2.5 REACTOR PROTECTION SYSTEM POWER SOURCES AND ASSOCIATED CONTROLS
7.2.6 REACTOR PROTECTION SYSTEM LOGIC UNIT AND POWER SWITCHES
7.2.7 REACTOR PROTECTION SYSTEM ANNUNCIATOR CONTROL UNITS AND OPERATIONS RECORDER
7.2.8 REACTOR PROTECTION SYSTEM POST-TRIP REVIEW
7.2.9 REACTOR PROTECTION SYSTEM ISOLATION FROM NON-SAFETY SYSTEMS
7.3 NEUTRON MONITORING SYSTEM (NMS)
7.3.1 NEUTRON MONITORING SYSTEM DESCRIPTION
7.3.2 SOURCE RANGE MONITORING (CHANNEL 6 AND 7)
7.3.3 POWER (WIDE) RANGE MONITORING (CHANNELS 1, 2, AND 3)
7.3.4 FISSION COUNTERS (CHANNELS 8 AND 9)
7.3.5 IN-CORE FLUX MONITORING (CHANNELS 11 THROUGH 18)
7.4 ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION AND CONTROL EVALUATIONS
7.4.1 ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN
7.4.2 EMERGENCY CORE COOLING SYSTEM (ECCS) ACTUATION SYSTEM TESTING

MI1289-0453A-BX01 8912280368 891222 PDR ADOCK 05000155 K PDC

7.5 REACTOR PROTECTION SYSTEM AND ENGINEERED SAFETY FEATURES TESTING INCLUDING RESPONSE-TIME TESTING
7.5.1 RPS & ESF TESTING, SEP TOPIC VI-10.A RESOLUTION
7.6 SYSTEM REQUIRED FOR SAFE SHUTDOWN
7.6.1 SAFE SHUTDOWN SYSTEMS
7.6.2 ELECTRICAL, INSTRUMENTATION, AND CONTROLS FEATURES OF SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.7 OTHER INSTRUMENTATION AND CONTROLS
7.7.1 REACTOR WATER LEVEL MONITORS IN THE REACTOR DEPRESSURIZATION SYSTEM
7.7.2 CONTAINMENT PRESSURE AND WATER LEVEL MONITORING SYSTEMS
7.7.3 INSTRUMENTATION TO DETECT INADEQUATE CORE COOLING
7.7.4 POSTACCIDENT SAMPLING
7.7.5 CONTAINMENT HIGH RANGE MONITOR CALIBRATION CONTROLS
7.7.6 STEAM DRUM AND REACTOR LEVEL INSTRUMENTS

7.1 INSTRUMENT AND CONTROL (I&C) INTRODUCTION

Control Room

The main control room contains the control and instrumentation essential to the operator during plant operation. Arrangement of control console and panels is shown in Drawings 0740040235 and 0740040236.

Local Control

Local Control Panels contain annunciators, recorders, indicators, switches and controllers associated with nearby equipment and systems.

Power Control

The control rods are individually and manually set by the operator. This adjusts the reactor power level.

The operator adjusts the setting as necessary to compensate for reactivity changes caused by fuel burnup, changes in xenon concentration, and other variables affecting reactivity. For further detail, refer to Section 4.6 and 4.7 of this Updated FHSR.

Turbine Control and Other Auxiliaries

The instrumentation and controls for the turbine generator, feedwater heaters, main condenser and auxiliaries are described in Chapters 9 and 10 of this Updated FHSR.

7.1.1 PLANT SAFETY AND MONITORING SYSTEMS

The plant safety and monitoring systems are considered to encompass the Reactor Protection System (RPS) and Neutron Monitoring System (NMS) along with related features; the control rod withdrawal permissive system; the refueling operation interlock system; and the plant monitoring systems.

7.1.1.1 Reactor Safety System

The reactor safety system consists of sensing devices and associated circuits which automatically initiate a reactor scram and other required actions. Certain of the sensing devices also initiate automatic closure of the containment sphere isolation valves, while other sensors will initiate emergency cooling of the reactor through operation of the emergency condenser or through operation of the core spray system. Controls are available in the control room to permit manual initiation of penetration closures and manual initiation of the emergency condenser.

The reactor protection system is described in Section 7.2 below and consists of two parallel safety channels, each of which has its own power supply and separate chains of sensor trip contacts. The channels are designed on the fail-safe principle (de-energizing will cause a scram).

Tripping one protection system channel results in one of two solenoids per scram valve (and other valves such as scram dump tank vent and drain valves) being deenergized. The physical arrangement of the solenoid valves is such that with one solenoid energized, air pressure is maintained to the scram valves to keep them closed, and no control blade motion will occur.

Tripping both protection system channels results in all scram valve solenoids being deenergized, with the resultant opening of all scram valves and rapid control blade insertion.

In addition, tripping both protection system channels results in automatic closure of the containment ventilation valves and a turbine trip. A containment isolation signal is initiated on reactor trips resulting from loss of ac power, high containment pressure or low reactor water level.

Failure of Reactor Protection System

Because of the failsafe design of the reactor protection system, significant malfunction will cause an immediate insertion of control rods and reactor shutdown. Also because of the failsafe design and the number of sensors provided and variables monitored, failure of a sensor will not impair the ability to transmit a scram signal or effect a scram.

7.1.1.2 CRD Instrumentation and Control

The Plant Safety Systems encompass the control rod withdrawal permissive and refueling operation interlock functions which are described in Sections 4.7 and 9.1 of this Updated FHSR and are further detailed in the Technical Specifications.

7.1.1.3 Plant Monitoring Systems

The Plant Safety and Monitoring Systems encompass the Plant Monitoring Systems which include the:

a. Process Radiation Monitoring Systems, refer to Chapter 11 of this Updated FHSR.

   Air Ejector Off-Gas Monitoring System
   Stack Gas Monitoring System (RGEM)
   Emergency Condenser Vent Monitor
   Process Liquid Monitor System

b. Area Monitoring System, refer to Chapter 11 of this Updated FHSR.

c. Reactor Water Level Monitors in the Reactor Depressurization System (RDS), refer to Section 6.9 and 7.7.1 of this Updated FHSR.

d. Containment Pressure and Water Level Monitoring Systems, refer to Section 7.7.2 of this Updated FHSR.

7.1.2 OTHER INSTRUMENTATION AND CONTROLS

In addition to the Instrumentation and Controls discussed in the remainder of Chapter 7, other sections of this Updated FHSR contain the details of instrumentation and control functions pertinent to the systems and components described therein. The following information is provided to supplement and/or direct the reader to those descriptions.

7.1.2.1 Reactor and Steam Drum Temperature

Twenty thermocouples are attached to critical locations on the steam drum and pressure vessel. Six thermocouples are attached to the drum with the remaining 14 attached to the pressure vessel. These thermocouple temperatures are recorded on the main control panel and are used to monitor the heating and cooling rates of the pressure vessel and steam drum.

Refer to Section 5.3 and 5.4 of this Updated FHSR.

7.1.2.2 Pressure Instruments

Pressure is measured at each end of the steam drum, indicated, and recorded in the control room on the main control panel. High pressure is also annunciated. Reactor pressure is measured, and is indicated on the main control panel.

7.1.2.3 Reactor Recirculating Loop Instrumentation

The recirculating water flow of each loop is measured, indicated on the main control panel, and recorded on the auxiliary panel in the control room.

The differential pressure across the recirculating pump is measured and indicated on the main control panel.

The pump seals are fully instrumented with pressures and temperatures being measured, indicated and annunciated in the control room, thereby providing the operator with the information necessary to determine the condition of the seals, reference Drawing 0740C40237.

The recirculating pump motors are fully instrumented with bearing temperatures recorded and bearing oil level and vibration annunciated.

Refer to Section 5.4.1 of this Report.

7.1.2.4 Reactor Cleanup Control System

The reactor cleanup system instruments and controls are located on a local panel in the reactor enclosure.

Controls include remote manual valves for throttling cleanup flow, isolation of the cleanup loop in the event of a severe leak and resin sluicing and recharging.

A pressure switch prevents opening the resin charging line before relieving the pressure in the demineralizer vessel. Temperature monitoring at the demineralizer input during operation annunciates and trips the cleanup pump on high temperature to protect the resin bed. Refer to Section 5.4.6 of this Report.

7.1.2.5 Process Radiation Monitoring Systems

Instrumentation and Controls for the Process Radiation Monitoring Systems below are addressed in Section 11.5 of this Report:

Air Ejector Off-Gas Monitoring, also reference Section 10.4.2 of this Report.
Stack Gas Monitor System
Process Liquid Monitor System
Emergency Condenser Vent Monitor, also reference Section 6.8 of this Report.

Facilities for Process Monitoring

The chemical laboratory includes equipment for performing appropriate analytical procedures in radiochemical and non-radioactive material analyses. A separate room containing counting equipment with shielded caves is provided in connection with the radiochemical analyses.

7.1.2.6 Area and Personnel Monitoring Systems

Area Monitoring System Controls and Instruments are addressed in Section 11.5 of this Report. Personnel Monitoring Controls are addressed in Chapter 12 of this Report. Fixed and portable personnel monitoring instrumentation is available for appropriate monitoring during plant operation.

Instrument Calibration Facility

The radiation instrument calibration facility consists of a detached building with a shielded well and a lift mechanism for positioning a radioactive source at precise levels within the well. This facility provides for on-site calibration of the plant radiation monitoring instruments either directly or indirectly. Calibration will be done by positioning the instrument over the well and checking its response to predetermined levels of radiation from the source. A box type calibrator is provided for calibration of portable radiation instruments.

7.2 REACTOR PROTECTION SYSTEM (RPS)

7.2.1 REACTOR PROTECTION SYSTEM DESCRIPTION

The function of the reactor protection system is to initiate rapid rod insertion for reactor shutdown in the event that certain undesirable conditions develop in the nuclear steam supply or certain auxiliary systems. Depending on the initiating cause for shutdown, other secondary actions are also initiated by the protection system. The Reactor Protection System is shown on Drawing 0740030743.

The reactor protection system consists of two independent fail-safe channels called Channel 1 and Channel 2.

The output of each channel must be de-energized to initiate a rapid shutdown, scram, or other system function.

Failure of a single major component or power supply will not prevent a desired scram nor cause a spurious scram.

On any scram initiation, the following actions will occur:

a. All control rods will be driven into the core at high speed.

b. The scram and cause of scram will be alarmed in the Control Room.

c. The Reactor Building intake and exhaust ventilation valves will close.

d. The turbine generator will trip and output breaker opens.

e. The scram dump tank vent and drain isolation valves will close.

f. Second Control Rod Drive pump starts, if in "Standby."

When a scram is caused by high reactor building pressure, low reactor water level or loss of station auxiliary power, the above actions will occur as well as closure of all automatic containment isolation valves.

7.2.2 REACTOR PROTECTION SYSTEM RESPONSE TIME

The safety system response time (the interval from the time a sensor trip contact operates until the scram solenoid valves are de-energized) will be less than 100 milliseconds.

The containment sphere ventilation valves are designed to close within 6 seconds after any trip which initiates reactor scram.

(Refer to Section 15.0.5 of this Updated FHSR for an evaluation of response time. Section 6.2.4 of this Updated FHSR provides the details on ventilation valve design.)

MI1289-0457A-BX01

The following additional safety system response times have been designed into the system:

Closure of MSIV, 60 seconds, refer to Section 6.2.2 of this Updated FHSR.

Maximum Scram Insertion Time, 2.5 seconds for 90% Insertion

7.2.2.1 Reactor Protection System Response-Time Testing

The NRC Systematic Evaluation Program (SEP) Topic VI-10.A, Testing of Reactor Trip System and Engineered Safety Features (ESF), Including Response-Time Testing is addressed in Section 7.5 of this Updated FHSR.

The evaluation conclusions for the Topic were further addressed in the Integrated Plant Safety Assessment Report (IPSAR), NUREG-0828, May 1984 and in Section 4.21.2 of the IPSAR, resolution for RPS Response Time Testing included the following:

Response-time testing of the RPS does not include the sensors that initiate RPS action or ESF action. Response-time testing of the ESF systems does not include the system logic that actuates the valves. It includes only the opening and/or closing time of the valves when they are actuated from a hand-switch in the control room. With regard to the testing of RPS and ESF sensors, the staff noted that neither IEEE Std. 338-1977 nor Regulatory Guide 1.118 requires response-time testing of neutron detectors. However, Regulatory Guide 1.118 does recommend the testing of cable capacitance or other suitable test. The remainder of the sensors that provide an input to the protection system logic are snap action, blind sensors. Such sensors are not suitable candidates for response-time testing in the field. However, the neutron monitoring cables and signal processing equipment could be response-time tested.

With regard to the ESF valve actuation logic, the staff has noted that it is composed of relays that are similar to those found in the RPS and the valve controls. The RPS and valve control relays are response-time tested.

The staff performed a limited Probabilistic Risk Assessment (PRA) of this issue for Big Rock Point to estimate the improvement in overall safety if response-time testing of the ESF was required. The results of this PRA indicated that response-time testing has low risk significance. This occurs because response-time testing is concerned with events on the order of seconds and the PRA has shown that response times of minutes are sufficient for the RPS actuation to ensure the success of the subcriticality function in time to allow other safety systems to prevent core melt. Functional tests are sufficient to demonstrate functioning of the ESF on the order of 3 minutes, and these tests are performed at Big Rock Point.

On the basis of the limited PRA and past experience at Big Rock Point, the staff believes that the additional response-time testing of the neutron detector cables and the ESF valve logic is unnecessary.

7.2.3 REACTOR PROTECTION SYSTEM SENSORS

The following provides a summary description of sensors and conditions which actuate the Reactor Protection System.

In the general case, there are four independent switch inputs for each trip function, all operating at the same set point. Two of the sensor switches are connected to each protection channel. Trip operation of one of two sensor switches is required to operate its associated protection channel. Exceptions to the general case are the manual scram, recirculation line valves closed, the ac undervoltage and the high neutron flux trip function inputs. The contact type inputs are normally in the closed condition, maintaining a 26 volt dc input to the logic unit.

If a sensor is disconnected for maintenance, this will automatically cause a trip (or trip input for a NMS sensor) on the safety channel to which the sensor is connected.

Certain sensing elements are continuously monitored so that an operation or failure is clearly indicated and identified for quick and easy maintenance.

A brief description of some of the emergency conditions and causes that would actuate the reactor protection system are outlined in the following paragraphs.

7.2.3.1 High Enclosure Pressure

A differential pressure between the inside and outside of the reactor enclosure could indicate a major rupture within the enclosure. To monitor such a condition, four pressure switches, PS-664 and PS-665 connected to Protection Channel 1 and PS-666 and PS-667 connected to Protection Channel 2, are located outside the reactor enclosure, in the outside penetration area. When a pressure of equal to or less than 1.0 psig above atmospheric exists inside containment, a trip signal initiates a control rod scram and closure of all automatic containment isolation valves.

There are no bypass features for these trip inputs.

See Containment Isolation System description (Section 6.2 of this Updated FHSR) for additional automatic actions dealing with reactor building pressure.

7.2.3.2 Low Reactor Water Level

A low water level in the reactor could indicate a loss of water, such that the reactor core is in danger of being uncovered. Four level switches, LS-RE09A and LS-RE09C connected to Protection Channel 1 and LS-RE09B and LS-RE09D connected to Protection Channel 2, detect this condition when water level drops to a level corresponding to elevation 610' 6" or equal to or greater than 2' 9" with a -1" tolerance limit above the top of active fuel.

If a trip signal is received, a control rod scram is initiated and all automatic containment isolation valves are closed. These sensors also energize the controls of the core spray cooling system (MO-7051, MO-7061), initiating core spray if the reactor pressure drops below less than 200 psig.

There are no bypass features for these trip inputs.

7.2.3.3 Low Steam Drum Water Level

A trip signal from this condition anticipates a loss of water which could lead to a low reactor water level.

Four level switches LS-RE06A and LS-RE20A connected to Protection Channel 1 and LS-RE06B and LS-RE20B connected to Protection Channel 2, detect this condition.

When the steam drum water level drops to equal to or greater than 8.0 with a tolerance limit of "minus 0.5" inches below steam drum center line, a control rod scram is initiated.

This trip function is bypassed when the mode switch is in the Bypass Dump Tank or Refuel position.

7.2.3.4 High Reactor Pressure

The occurrence of high pressure in the reactor could indicate trouble in the nuclear steam supply system. Four pressure switches, PS-RE07A, PS-RE07C connected to Protection Channel 1 and PS-RE07B and PS-RE07D connected to Protection Channel 2, are set to trip at (1385 ± 5 psig) which is 50 psi above the nominal reactor operating pressure. A trip input from this source initiates a control rod scram. This trip setting protects against the collapsing of steam voids causing an increase in reactivity.

If the reactor pressure should continue to rise above the scram trip setting, additional contacts on the pressure switches operate, initiating emergency condenser operation if the pressure increases to (1435 ± 10 psig) which is 100 psi above the nominal reactor operating pressure. This trip setting protects against damage to the core, yet is adequate to avoid lifting the safety relief valves. The trip is further discussed in Section 6.8 of this Updated FHSR.


There are no bypass features for these trip inputs.

7.2.3.5 Main Steam Isolation Valve Closed

Closure of main steam isolation valve MO-7050 (reference Section 10.3 of this Updated FHSR), to 50 ± 5% of full closure initiates a control rod scram. This is accomplished by opening limit switch contacts LS-9 and LS-10 connected to Protection Channel 1 and LS-15 and LS-16 connected to Protection Channel 2.

This trip function is bypassed when the mode switch is in the Bypass Dump Tank or Refuel position.

7.2.3.6 High Condenser Pressure

High condenser pressure is used as an indication that the main condenser (reference Section 10.4 of this Updated FHSR), is no longer available as a heat sink for the reactor output, thereby making necessary a control rod scram.

Pressure switches PS-654 and PS-655 connected to Protection Channel 1 and PS-652 and PS-653 connected to Protection Channel 2, detect this condition when condenser pressure reaches 8.0 ± 0.5 inches Hg absolute pressure.

The high condenser pressure trip signal is automatically bypassed any time steam drum pressure is below a setpoint maximum of 500 psig.

This automatic bypass is accomplished by PS-RE15A and PS-RE15B connected to Protection Channel 1 and PS-RE15C and PS-RE15D connected to Protection Channel 2.

This trip function is also bypassed when the mode switch is in the Bypass Dump Tank or Refuel position.

7.2.3.7 High Scram Dump Tank Level

A high water level in the scram dump tank (reference Section 4.7.4 of this Updated FHSR), would prevent high speed insertion of the control rods.

Four level switches, LS-RD08A and LS-RD08C connected to Protection Channel 1 and LS-RD08B and LS-RD08D connected to Protection Channel 2, detect this condition. When a water level of 5/16 ± 1/2 inch below the tank center line is reached, a control rod scram is initiated.

This trip function is bypassed when the mode switch is in the Bypass Dump Tank position, provided all control rods are fully inserted or bypass switch HS-7048 is engaged. This bypass is necessary to enable draining the dump tank after a scram in the event the tank level is above the scram trip setting thereby enabling reactor protection system reset.

7.2.3.8 Recirculation Line Valves Closed

The closure of these valves would prevent coolant circulation to the reactor core and a control rod scram is initiated to prevent development of excessive fuel temperatures. Analysis has shown that one recirculation loop may be closed without damaging the core; therefore, the functional control is based on scramming the reactor only in the event that both recirculating loops are shut off by inadvertent closure of these valves.

A trip signal is received at approximately 10% of full simultaneous closure of both discharge valves, MO-N001A and MO-N001B, or both suction valves, MO-N003A and MO-N003B, or 50% of full simultaneous closure of both butterfly valves (Butterfly valves are locked open, electrically disabled, and RMCs removed), MO-N006A and MO-N006B, or any combination of these valves, one in each loop. That is, if recirculation is restricted in both loops, a trip signal will be inserted, (reference Section 5.4.3 of this Updated FHSR).

This trip function is bypassed when the mode switch is in the Bypass Dump Tank or Refuel position.

7.2.3.9 High Neutron Flux

The occurrence of high neutron flux would indicate a reactor output in excess of the safe level for continuous operation. Protection against such a condition is provided by the Wide Range Monitors, which are part of the Neutron Monitoring System, (reference Section 7.3 below).

If two of the three wide range monitors are in a "Neutron Flux Hi Hi Scram" condition a control rod scram is initiated. The "Neutron Flux Hi Hi Scram" can be caused by any of the following conditions:

a. 120 ± 5% power

b. 10 ± 2 second period when operating between 1 E-7% and 1% power

   The occurrence of a short period would indicate an excessive rate of rise of reactor power during startup conditions. Protection against such conditions is provided by the out-of-core reactor neutron monitoring system, (reference Section 7.3 below).

c. Equal to or less than 50 MWt/min rate when operating between 1% and 50% power

d. Equal to or less than 20 MWt/min rate when operating between 50% and 83.3% power

If one wide range monitor is in a "Neutron Flux Hi Hi Scram" condition, and another wide range monitor has a downscale trip, a control rod scram is initiated.

There are no bypass features for these trip inputs.

7.2.3.10 Manual Scram

A manual trip is provided to enable the operator to scram the reactor in case of an unusual or unforeseen emergency. Depressing the switch opens contacts to both protection channel logic units, initiating a control rod scram. Additional contacts in the manual trip circuit deenergize the undervoltage relays in each protection channel.

7.2.3.11 Loss of Auxiliary Power Supply

Each protection bus has an undervoltage relay which opens breaker contacts in the 115 volt ac circuit to the master scram pilot valve solenoids and to the control rod scram power switch components.

The undervoltage relay trips at 52 ± 20 VAC. Refer to Section 7.2.5.3 of this Updated FHSR for further details.

The reactor protection system is supplied from the AC auxiliary power system through isolating motor generator sets which have enough energy stored in their flywheels to carry them through power system disturbances lasting approximately 10 seconds.

If power is unavailable, the reactor will be scrammed. Drawing 0740C30743 and Section 7.2.5 of this Updated FHSR provide details on the RPS power.

7.2.4 REACTOR MODE SELECTOR SWITCH

Certain Reactor Protection System bypassing is accomplished by the reactor mode selector switch. The switch is key-locked and has four positions; shutdown, refuel, bypass dump tank, and run.

Reactor Protection System trip functions bypassed by the selector switch are shown below:

Mode Selector Switch Position    Trip Functions Bypassed

Run                              None (e)

Bypass Dump Tank (a)             Low Steam Drum Water Level
                                 Recirculation Waterline Valves Closed
                                 Steam Line Backup Isolation Valve Closed
                                 High Water Level in Scram Dump Tank (b)
                                 High Condenser Pressure

Refuel (d)                       Low Steam Drum Water Level
                                 Recirculation Waterlines Valves Closed
                                 Steam Line Backup Isolation Valve Closed
                                 High Condenser Pressure

Shutdown                         None (c)

(a) Control rod withdrawal is prevented by interlock while switch is in this position.

(b) Bypass of this trip function is necessary to enable emptying the dump tank after a scram.

(c) With the mode switch in the "shutdown" position, both the scram circuit and the control rod withdrawal circuit are open. The ventilating duct circuit power supply is transferred to a point which provides penetration closure protection through signals from "high containment sphere pressure" and "low water level in reactor vessel." This permits normal ventilation in the containment sphere during shutdown when the control rods are held in the full-in position. None of the reactor safety system signals are bypassed since there is no need to withdraw control rods.

(d) With the mode switch in the refuel position and the crane positioned over the reactor vessel, crane operation is prevented if any one rod is withdrawn from full-in position.

(e) High condenser pressure reactor trip is automatically bypassed any time steam drum pressure is below a set point maximum of 500 psig.
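
The general-case sensor arrangement of Section 7.2.3 (two switches per channel, either one trips its channel, both channels needed for a scram) and the mode switch bypasses tabulated above can be exercised in a small model. This is an added illustration, not plant logic or code from the report; all function and key names are hypothetical. It covers only the contact-type trip functions, leaving out the neutron flux, manual, undervoltage and recirculation valve exceptions, the Shutdown position, and the automatic 500 psig condenser pressure bypass.

```python
"""Simplified model of the general-case RPS trip logic (added illustration)."""

# True  = sensor contact closed (26 V dc reaches the logic unit, no trip input)
# False = contact open: a real trip, a disconnected sensor, or a lost supply
CLOSED, OPEN = True, False

# Contact-type trip functions that follow the general case of 7.2.3:
# four switches per function, two wired to each protection channel.
GENERAL_CASE_TRIPS = (
    "high_enclosure_pressure",
    "low_reactor_water_level",
    "low_steam_drum_water_level",
    "high_reactor_pressure",
    "steam_isolation_valve_closed",
    "high_condenser_pressure",
    "high_scram_dump_tank_level",
)

# Mode switch bypasses from the 7.2.4 table, restricted to the functions above.
# The Shutdown position is left out: there the scram circuit itself is open.
MODE_BYPASSES = {
    "run": frozenset(),
    "refuel": frozenset({
        "low_steam_drum_water_level",
        "steam_isolation_valve_closed",
        "high_condenser_pressure",
    }),
    "bypass_dump_tank": frozenset({
        "low_steam_drum_water_level",
        "steam_isolation_valve_closed",
        "high_scram_dump_tank_level",
        "high_condenser_pressure",
    }),
}


def healthy_channel():
    """Return one channel's sensor pairs with every contact closed."""
    return {trip: (CLOSED, CLOSED) for trip in GENERAL_CASE_TRIPS}


def with_contacts(channel, trip, pair):
    """Return a copy of a channel with one trip function's pair replaced."""
    updated = dict(channel)
    updated[trip] = tuple(pair)
    return updated


def effective_bypasses(mode, dump_tank_bypass_permitted=False):
    # 7.2.3.7: the dump tank level bypass only applies when all rods are fully
    # inserted or HS-7048 is engaged; the flag defaults to "condition not met".
    if mode not in MODE_BYPASSES:
        raise ValueError(f"unmodelled mode switch position: {mode}")
    bypassed = set(MODE_BYPASSES[mode])
    if not dump_tank_bypass_permitted:
        bypassed.discard("high_scram_dump_tank_level")
    return bypassed


def channel_tripped(channel, mode="run", dump_tank_bypass_permitted=False):
    """One of two: either sensor of any live trip function trips the channel."""
    bypassed = effective_bypasses(mode, dump_tank_bypass_permitted)
    for trip in GENERAL_CASE_TRIPS:
        if trip in bypassed:
            continue
        # A missing entry is treated like a disconnected sensor: open contacts.
        first, second = channel.get(trip, (OPEN, OPEN))
        if not (first and second):
            return True
    return False


def rps_state(channel_1, channel_2, mode="run", dump_tank_bypass_permitted=False):
    """Both channels must trip before the scram valves open."""
    tripped = [
        channel_tripped(ch, mode, dump_tank_bypass_permitted)
        for ch in (channel_1, channel_2)
    ]
    if all(tripped):
        return "scram"
    if any(tripped):
        return "single_channel_trip"
    return "normal"


if __name__ == "__main__":
    ok, low = healthy_channel(), "low_reactor_water_level"
    # Constructed scenarios: (channel 1, channel 2) contact states.
    scenarios = {
        "all healthy": (ok, ok),
        "one sensor disconnected": (with_contacts(ok, low, (OPEN, CLOSED)), ok),
        "both channel 1 sensors stuck closed": (ok, with_contacts(ok, low, (OPEN, OPEN))),
    }
    for name, (ch1, ch2) in scenarios.items():
        print(name, "->", rps_state(ch1, ch2))
```

In the last scenario a real low-level condition produces only a single-channel trip, which shows that the arrangement tolerates one stuck sensor per channel but not two on the same channel.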

7.2.5 REACTOR PROTECTION POWER SOURCES AND ASSOCIATED CONTROLS

7.2.5.1 Power Supply

Each reactor protection Channel is powered by a separate motor generator set (MG Set No 1 or MG Set No 2).

Each MG set has a self-contained exciter and output voltage regulator. The motor input is three phase 480 volts from Bus 1A or 2A.

Each generator is rated 6.25 Kva and supplies 120 volt ac single phase power to each protection system Channel as well as to various critical instrumentation systems. Each MG set is mechanically coupled to an inertia flywheel enabling it to ride out minor system voltage disturbances. Loss of 480-volt power to the motors is alarmed immediately in the control room allowing approximately 10 seconds time to transfer to Alternate Power as discussed in 7.2.5.2 below. Generator output is restored (after motor is up to speed) by a manual reset.

7.2.5.2 Alternate Power Supply

Loss of power supplied by one of the MG sets described above would cause only one reactor protection system Channel to operate.

By manual actuation of the alternate power controller in the main control room, an alternate 120-volt supply from Panel 1Y can be switched to either of the two protection buses or to the Neutron Monitoring Bus No 3 (which is normally supplied by the 125-volt, dc station battery through an inverter). This alternate power supply control is interlocked so that only one of these three buses can be supplied at any one time from Panel 1Y.

This alternate supply (Panel 1Y) is normally fed from the 30 Kva Instrument and Control Transformer 1A on Bus 1A unless this source of power is lost, in which case an automatic throwover operates to supply power from the Instrument and Control Transformer 2B on Emergency Bus 2B.

The control rod position indication is normally fed through Panel 1Y; however, a third MG set can supply power to the control rod position indication system in the event of total loss of power to Panel 1Y.

This MG set, which starts automatically upon loss of power to Panel 1Y, is powered by the station battery at 125 volts dc and has a single phase 115 volts ac output.

With the power selection switch in the "Pull For Bus 3" position, this MG set is interlocked off and Instrument and Control Transformer 1A supplies power to the control rod position indication system through Panel 1Y via alternate contacts.

7.2.5.3 RPS Bus Undervoltage

Each protection bus has an undervoltage relay which opens contacts in the 115-volt, ac circuit to the scram pilot valve solenoids, the master scram solenoid valve, the scram dump tank solenoid vent, drain and equalizing vent valves and the turbine trip and sphere ventilation trip relays. These undervoltage relays (CB-RE11A and CB-RE11B) operate at a RPS bus voltage of 52 ± 20 volts and require manual reset upon tripping.

It should also be noted that the balance of the automatically actuated containment isolation valves will close upon a sustained loss of power to both protection channels by de-energization of the isolation valve control relays K-1K4A, K-1K4B, K-2K4A and K-2K4B.

7.2.6 REACTOR PROTECTION SYSTEM LOGIC UNIT AND POWER SWITCHES

7.2.6.1 Logic Unit

The logic unit is a transistorized unit that performs a rapid low power switching function upon receipt of a trip signal from a sensor or combination of sensors. LU-RE03A serves Protection Channel 1 and LU-RE03B serves Protection Channel 2.

The logic unit contains circuit breakers and push-button switches which can be operated manually to simulate sensor operation (contact opening) for testing purposes.

The self-contained logic unit power supply is a solid-state, 26 volt, dc supply which powers the contact-type sensor circuits and also supplies power to the logic circuitry at a level of 16 volts dc.

The normal output of the logic unit is a low-voltage dc signal to the control rod scram circuitry and the reactor containment penetration closure circuitry of the power switch. This output drops to less than one volt upon receipt of appropriate trip signal inputs to the logic unit.

7.2.6.2 Power Switches

The power switches (CB-RE04A and CB-RE17A for Channel 1 and CB-RE04B and CB-RE17B for Channel 2) perform a rapid electrical switching function through the use of a combination of five relays.

These power switch coils (K1 through K5) are all normally energized.

Upon loss of input from the logic unit, the coils will de-energize to initiate RPS actions.

7.2.7 REACTOR PROTECTION SYSTEM ANNUNCIATOR CONTROL UNITS AND OPERATIONS RECORDER

7.2.7.1 Annunciator Control Units

Each protection channel contains two annunciator control units (ACU-RE02A and ACU-RE02C for Channel 1 and ACU-RE02B and ACU-RE02D for Channel 2) which contain 26-volt, dc relays and 115-volt, ac relays. These relays perform annunciator functions as well as trip bypass control functions associated with Mode Selector Switch S4 located on the control console (refer to 7.2.4 above).

7.2.7.2 Operations Recorder

All protection system sensor circuits are continuously monitored so that an operation or failure is recorded for later reference or for identifying spurious single-channel trips which would not be annunciated on the Station Annunciator. The monitoring is provided by two Thirty-Channel Operations Recorders OR-RE01A and OR-RE01B, one for each protection channel. These recorders normally operate with a chart speed of approximately 1 1/2 inches per hour. When the first trip signal is received, the chart speed is increased to permit identification of trip sequence.

Upon application of the trip signal, the Operations Recorder pen relay, corresponding to the particular sensor, de-energizes, initiating a pen travel offset. Subsequent sensor operations initiate offsets also and thus trip sensor action can be more accurately timed at the faster chart speed.

7.2.8 REACTOR PROTECTION SYSTEM POST-TRIP REVIEW

The Plant Manager or his designated alternate will be notified immediately of all reactor scrams and will approve subsequent start-ups.

Start-up of the reactor following a scram will not proceed until the cause of the scram has been determined and the necessary corrective action taken. The evaluation and approval of the Consumers Power Company General Office will be required for all start-ups following an unexplained scram.

Plant Administrative and Operating Procedures require designated personnel to complete a Reactor Trip Report which provides:

1. A description of the initiating event.

2. A verification that all automatic scram sensors that should have actuated, did indeed actuate.

3. Verification that the automatic trip of the RPS did indeed trip the safety system (and not the follow-up action by the Operator via the manual scram).

7.2.8.1 Reactor Trip Report

The Reactor Trip Report is utilized for evaluation and review of each unscheduled reactor trip involving control rod blade motion. The trip report is required to determine that response was proper and that anomalies are corrected prior to returning the reactor to power operation. The cause of the trip is determined, the proper operation of safety-related equipment that was challenged must be verified, and assurance established that the trip event did not have any other detrimental effect on the plant in terms of nuclear safety.

The trip report assures that RPS or ESF equipment which appears to have been challenged without operation, is tested for proper operability prior to restart after a scram.

7.2.8.2 Post-Trip Review (Data and Information Capability)

A detailed description of the sources of plant information relied upon to conduct the review and analysis of plant trips was provided in the November 7, 1983 CPCo response to Generic Letter 83-28.

Plant parameters and equipment actuations are monitored primarily by pen-type recorders. Sequence of event recorders for post trip review are limited to the Operations Recorder and the 138 KV line volts/amps Recorder. A summary description of these recorders and the parameters monitored is provided below:

Operations Recorder (Reference Section 7.2.7.2 above)

The Operations Recorder system consists of four strip chart ink pen-event (on-off) recorders. The system monitors the voltage (on-off) to the scram pilot valves and the relay coil voltage that controls the closure of the dump tank isolation valves, the turbine stop valve, and the containment ventilation isolation valves. The recorders are powered by the reactor protection motor generator sets.

The trip inputs monitored are:

1. High reactor building pressure

2. Low reactor water level

3. High reactor pressure

4. Recirculation valve partial closure

5. Main steam isolation valve partial closure

6. High scram dump tank level

7. High neutron flux (power (wide) range)

8. High condenser pressure

9. Low steam drum water level

10. Manual trip

138 KV Line Volts/Amps Recorder

The strip chart recorder monitoring the 138 kV transmission line has event (on-off) indicators which show the 138 kV line oil circuit breaker (199 OCB) trips and closures and the main generator output oil circuit breaker (116 OCB) trips and closures as well as other tone relay control signals.

Certain other parameters are either continuously recorded on circular ink pen recorders; continuously printed on strip charts; continuously recorded on strip chart ink pen recorders; or intermittently printed on strip chart recorders. Reference Drawing 0740C40236 for locations and type of recorder involved.

Certain of these recorders are powered from 480 Volt Bus 1A through I&C Transformer 1A and backup power is supplied automatically from the Emergency Bus 2B which is supplied by power from the emergency diesel generator on loss of normal station power supply to Bus 2B.

Other data available to assess operational events include operator log sheet information and log books maintained by the il Control Operator, Shift Supervisor, and Auxiliary Operators. When conditions warrant, written statements from operators and other plant personnel are obtained for assessment. Also, off-site technical groups provide evaluations of transmission line and other electrical equipment transients when requested by plant management.
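The three Reactor Trip Report checks of 7.2.8, applied to pen offsets transcribed from the two Operations Recorders, as an added example that is not part of the FHSR or of any plant procedure. The record layout, the sample times, the `SCRAM_OUTPUT` label and the function name are constructed for illustration; only the trip-input names and the recorder tags OR-RE01A and OR-RE01B come from the text.

```python
from dataclasses import dataclass

RECORDERS = ("OR-RE01A", "OR-RE01B")        # one per protection channel (7.2.7.2)
MANUAL = "Manual trip"
SCRAM_OUTPUT = "Scram pilot valve voltage"  # monitored output; label is constructed
TRIP_INPUTS = (
    "High reactor building pressure", "Low reactor water level",
    "High reactor pressure", "Recirculation valve partial closure",
    "Main steam isolation valve partial closure", "High scram dump tank level",
    "High neutron flux (power (wide) range)", "High condenser pressure",
    "Low steam drum water level", MANUAL,
)


@dataclass(frozen=True)
class PenOffset:
    recorder: str   # chart the offset was read from
    signal: str     # trip input or monitored output whose pen relay dropped out
    t: float        # seconds, read off the fast-speed chart (constructed values)


def review_trip(offsets, expected_sensors):
    """Answer the three Reactor Trip Report items from transcribed pen offsets."""
    for o in offsets:
        if o.recorder not in RECORDERS:
            raise ValueError(f"unknown recorder {o.recorder!r}")
        if o.signal not in TRIP_INPUTS and o.signal != SCRAM_OUTPUT:
            raise ValueError(f"unknown signal {o.signal!r}")

    # Keep only the earliest offset per (signal, recorder): a pen may offset twice.
    first = {}
    for o in offsets:
        key = (o.signal, o.recorder)
        if key not in first or o.t < first[key]:
            first[key] = o.t

    # Item 1: trip sequence, earliest first; the first entry is the initiating input.
    sequence = sorted((t, sig, rec) for (sig, rec), t in first.items()
                      if sig != SCRAM_OUTPUT)
    first_out = sequence[0][1] if sequence else None

    # Item 2: every sensor that should have actuated must appear on both charts.
    missing = sorted((s, r) for s in expected_sensors for r in RECORDERS
                     if (s, r) not in first)

    # Single-channel trips (7.2.7.2): recorded on one chart only.
    seen = {}
    for sig, rec in first:
        seen.setdefault(sig, set()).add(rec)
    single_channel = sorted(s for s, recs in seen.items()
                            if s in TRIP_INPUTS and len(recs) == 1)

    # Item 3: scram output dropped after an automatic input and before any manual trip.
    scram = [t for (sig, _), t in first.items() if sig == SCRAM_OUTPUT]
    manual = [t for (sig, _), t in first.items() if sig == MANUAL]
    auto = [t for (sig, _), t in first.items()
            if sig in TRIP_INPUTS and sig != MANUAL]
    scram_t = min(scram) if scram else None
    automatic_scram = (scram_t is not None and bool(auto)
                       and min(auto) <= scram_t
                       and (not manual or scram_t < min(manual)))

    return {"sequence": sequence, "first_out": first_out, "missing": missing,
            "single_channel": single_channel, "automatic_scram": automatic_scram}


# Constructed transcription of one trip: low drum level on both channels,
# high pressure on Channel 1 only, operator follow-up manual scram at 6 s.
SAMPLE = [
    PenOffset("OR-RE01A", "Low steam drum water level", 0.0),
    PenOffset("OR-RE01B", "Low steam drum water level", 0.4),
    PenOffset("OR-RE01A", "Low steam drum water level", 1.2),   # repeat offset
    PenOffset("OR-RE01A", SCRAM_OUTPUT, 0.5),
    PenOffset("OR-RE01B", SCRAM_OUTPUT, 0.9),
    PenOffset("OR-RE01A", "High reactor pressure", 3.0),
    PenOffset("OR-RE01A", MANUAL, 6.0),
    PenOffset("OR-RE01B", MANUAL, 6.0),
]

if __name__ == "__main__":
    report = review_trip(SAMPLE, ["Low steam drum water level",
                                  "High reactor pressure"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `missing` list corresponds to equipment that appears to have been challenged without operating, which 7.2.8.1 requires to be tested before restart.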

7.2.9 REACTOR PROTECTION SYSTEM ISOLATION FROM NON-SAFETY SYSTEMS

The NRC Systematic Evaluation Program (SEP) Topic VII-1.A, Isolation of Reactor Protection System From Non-Safety Systems - Final Safety Evaluation Report (SER) dated September 2, 1982 included a technical evaluation and review of the isolation of the RPS from the controls and non-safety systems.

Discussion and Objectives

Non-safety systems generally receive control signals from the reactor protection system (RPS) sensor current loops. The non-safety circuits are required to have isolation devices to insure the independence of the RPS channels. The objective of our review was to verify that operating reactors have RPS designs which provide effective and qualified isolation of non-safety systems from safety systems to assure that safety systems will function as required.

The RPS parameters identified in the Big Rock Point Technical Specifications and reviewed are as follows:

High Reactor Building Pressure

Low Reactor Water Level

Low Steam Drum Water Level

High Reactor Pressure

Main Steam Line Valve Closed

High Condenser Pressure

High Scram Dump Tank Level

Recirculation Line Valves Closure

High Neutron Level Flux

Short Reactor Period (same contacts as High Neutron Flux - reference FC-599)

Manual Scram

Protection Against Picoammeter Circuit Failure (Power Range Monitor Circuit Failure - reference FC-599)

RPS Bus Undervoltage

Review Criteria

General Design Criterion 24, "Separation of Protection and Control Systems," of Appendix A, "General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2.

NRC Safety Evaluation Conclusions

Based on current licensing criteria and review guidelines, the plant reactor protection system complies with all current licensing criteria listed above, except that the power supplies for the RPS channels do not satisfy the single failure criterion.

The staff finds that the reactor protection system is adequately protected by suitably qualified isolators with the exception of the possible effects from the motor generator sets.

The concern voiced by the NRC related to the potential for a sustained voltage or frequency transient in the RPS Power Supply (MG set or alternate feed) to overheat half of the scram valves and prevent a scram.

CPCo letter dated March 11, 1983 provided a response addressing the above NRC concerns. In the submittal, the resolution involved reduction of the setpoint of RPS MG set over-voltage relays to 125 VAC and the setpoint of the MG set regulators to 115 ± 2 VAC. The Set Point Changes were accomplished via SPC-83-037 and 83-038.

7.2.9.1 Reactor Protection System Isolation From Non-Safety Systems Final Resolution

The NRC Final Integrated Plant Safety Assessment Report (IPSAR) NUREG-0828 - May 1984, Section 4.22 for SEP Topic VII-1.A provided the resolution for this issue.

By a letter dated March 11, 1983, the licensee submitted an analysis of the protection provided. As a result of this analysis, the licensee has reduced the voltage regulator and the overvoltage protection relay setpoints to limit the maximum sustained voltage.

In addition to the setpoint change, testing has shown that scram solenoid power requirements are less than the minimum rated operating conditions for all voltages below rated operating voltage down to plunger dropout. (As a result, the coil cannot overheat before a scram is initiated.) Finally, the analysis showed that motor thermal overloads provide protection against underfrequency events resulting from mechanical failure of the motor-generator sets. Underfrequency events from degraded plant bus conditions have been reviewed under Topic VIII-1.A (Section 3.1 of this IPSAR).

In view of the protection provided, the fact that the equipment is of the same quality as that used in other engineered safety features, and the fact that the plant has experienced several undervoltage transients (to scram valve plunger dropout) without equipment damage, the staff concludes that modifications to provide additional protection beyond those made by the licensee will not provide a significant increase in protection. Also, as noted in the licensee's letter of March 11, 1983, periodic replacement and testing programs for these solenoid valves have been effective in preventing multiple failures.

The staff finds the modifications made by the licensee acceptable.

7.3 NEUTRON MONITORING SYSTEM (NMS)

7.3.1 NEUTRON MONITORING SYSTEM DESCRIPTION

The system indicates and records neutron activity of the reactor, from source range to 150% power.

Interlocks in the system provide for manual reactor control and automatic safety functions. The Neutron Monitoring System is depicted on Drawing 0740F30760.

The reactor is normally monitored by five channels of out-of-core instrumentation. Channels 1, 2, and 3 are DC Wide Range Monitors which measure power from 1E-7 to 150% power. Channels 6 and 7 are Source Range Monitors which measure power from 1E-1 to 1E6 counts per second. The detectors for these five channels are located at core level in vertical chamber guide tubes within the concrete surrounding the reactor vessel. Refer to Chapter 5, Figure 5.1 of this Updated FHSR for Channel 1, 2, 3, 6 and 7 locations.

Channels 1 and 7 are powered by the number one Motor Generator (MG) Set of the Reactor Protection System. Channels 2 and 6 are powered by the number two MG Set of the Reactor Protection System. Channel 3 is powered by the Station Battery through a static inverter.

NOTE: Former Intermediate Range Channels 4 and 5 were removed by Facility Change FC-599 in 1988 and were replaced by the Wide Range Monitors.

Two additional channels, 8 and 9, are used for core loading and physics testing. The detectors, commonly known as "dunkers", are mounted in watertight fixtures that can be located in any desired position within the reactor.

Channels 11 through 18 are in-core assemblies that measure reactor flux throughout the core in both the axial and radial planes. The in-core monitors are depicted on Drawing 0740F30751.

7.3.2 SOURCE RANGE MONITORING (CHANNEL 6 AND 7)

Channels 6 and 7 provide logarithmic neutron flux level and period information from source level to seven decades above source level, without moving detectors (approximately 10~ to 10^-3% of rated power). The principal components in each channel are a neutron detector, pulse preamplifier, source range monitor instrument, log count rate meter, log count rate recorder and period meter. Gas-filled Boron-10 lined proportional counters with a sensitivity of approximately 12 counts/nv are used as detectors.

Provisions are made for remotely positioning the detectors. The detectors are suspended in guide tubes opposite the core outside the pressure vessel and are positioned from the control console to any of three positions. By moving the detectors away from the midplane of the core, their effective range may be extended. A short period on either channel will be annunciated in the control room.

MI1289-0458A-BX01

Each Source Range Monitor receives pulses from a proportional counter via a pulse preamplifier. The average of the series of pulses is displayed on a remote log count rate meter with log indication range of 1E-1 to 1E6 counts per second (CPS). Reactor period information is also displayed on a remote period meter with an indication range of -100 to infinity to +10 seconds.

If a Source Range Monitor measures a short period of equal to or greater than 20 seconds, an alarm is sounded on the NSSS Annunciator.

The Source Range Monitors provide downscale bypass contacts to permit control rod drive withdrawal when reactor power is less than 1E-7%.

The contacts, in parallel with the Wide Range Monitor downscale interlocks, are closed between 1 CPS and 4000 CPS. The contacts are open on power failure, open when <1 CPS, open when >4000 CPS and open when the high voltage is <250 volts.

The Source Range Monitors are not connected to the Reactor Protection System since the highest power level monitored is far below any potentially hazardous power level.

7.3.3 POWER (WIDE) RANGE MONITORING (CHANNELS 1, 2, AND 3)

Three Wide Range Monitors make up the power range channels. They provide indication of neutron flux over the range of 1E-7 to 150% power. The Wide Range Monitors receive their input signals from compensated ion chambers. From this input the Wide Range Monitor determines reactor power level and calculates both reactor period and power rate.

Channels 1, 2 and 3 provide logarithmic neutron flux level information and period scram protection from approximately 1 x 10^-9% to 1% rated power and linear neutron flux level information from approximately 1% to 150% rated power for the 84 fuel bundle core. The principal components in each channel are a neutron detector, DC-wide range monitor, power level recorder and operator display assembly which indicates power level and period. The detectors are gamma compensated ion chambers with a design sensitivity of at least 2.2 x 10- amperes/nv. These neutron monitoring detectors are suspended in guide tubes opposite the core outside the pressure vessel and are positioned by manual means. The channel output is connected to the reactor safety system to provide high neutron flux and short period scram protection.

The +800 V DC polarizing voltage and -800 V DC compensating voltage is supplied by high voltage power supplies within the Wide Range Monitor.

Maintenance of the neutron monitors may be performed by tripping (placing in inoperative position) one of the three neutron monitors in either channel.

Power levels are presented on an electroluminescent display in bargraph and numerical form.

Below 1% power, the upper bargraph will present the power on a log scale between 1E-7 and 150% power while the lower bargraph will present reactor period on a hyperbolic scale between -100 and +10 seconds.

Above 1% power, the upper bargraph will present the power on a linear scale between 0 and 150% power while the lower bargraph will present power rate on a linear scale between 0 and 60 MWt/min.

7.3.3.1 Wide Range Monitor Setpoints

Following is a list of set points associated with the Wide Range Monitor:

Trip Type          Cause

Hi-Hi Trip         120 ± 5% power
                   or
                   10 ± 2 second period when operating at <1% power
                   or
                   ≥ 50 MWt/min rate when operating between 1% and 50% power
                   or
                   ≥ 20 MWt/min rate when operating between 50% and 83.3% power

Hi Alarm           ≥ 105% power
                   or
                   > 15 second period when operating at <1% power
                   or
                   ≥ 37.5 MWt/min rate when operating between 1% and 50% power
                   or
                   ≥ 15 MWt/min rate when operating between 50% and 83.3% power
                   or
                   ≥ 10 MWt/min rate when operating above 83.3% power

Downscale Trip     Power < downscale trip point, 1E-7% power (adjustable 1E-7 to 9.99E-1%)
                   or
                   HVPS self-test fault
                   or
                   INOP mode

Downscale Alarm    Power < downscale alarm point, 1E-7% power (adjustable 1E-7 to 9.99E-1%)
                   or
                   Any self-test fault
                   or
                   INOP mode

Refuel Setback     Power >4E-1% power

The Hi-Hi Trip, Hi Alarm and Downscale Alarm are annunciated on the NSSS Annunciator Panel.

7.3.3.2 Control Rod Withdrawal Block

A control rod withdrawal block will occur if any one Wide Range Monitor is in a Hi Alarm condition.

Similarly, when above 4E-6% (roughly 4000 CPS) power, a control rod withdrawal block will occur if any one Wide Range Monitor is in a downscale alarm condition.

A third control rod block scheme is effective only with the mode switch in the refuel position. When any one Wide Range Monitor reads >4E-1% power, control rod drive withdrawal permissive is denied.

Refer to Section 4.7.6 of this Updated FHSR for a description of the permissive system.
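The three rod-block schemes above, combined with the Source Range Monitor bypass contacts of 7.3.2, as an added example that is not taken from the FHSR or the plant's circuitry. The class and function names are constructed; the Hi Alarm state is taken as an input rather than computed; and the model assumes that one closed Source Range Monitor contact bypasses the downscale interlock of every Wide Range Monitor, a wiring detail the text does not state.

```python
from dataclasses import dataclass

SRM_MIN_CPS, SRM_MAX_CPS = 1.0, 4000.0   # bypass contacts closed inside this band
SRM_MIN_HV = 250.0                       # contacts open below this high voltage, volts
REFUEL_SETBACK_PCT = 4e-1                # refuel setback, % power


@dataclass
class SourceRangeMonitor:
    cps: float
    high_voltage: float
    powered: bool = True

    def bypass_closed(self):
        # Open on power failure, low high voltage, <1 CPS or >4000 CPS (7.3.2).
        return (self.powered
                and self.high_voltage >= SRM_MIN_HV
                and SRM_MIN_CPS <= self.cps <= SRM_MAX_CPS)


@dataclass
class WideRangeMonitor:
    power_pct: float
    hi_alarm: bool = False             # taken as an input, not derived from setpoints
    self_test_fault: bool = False
    inop: bool = False
    downscale_alarm_pct: float = 1e-7  # adjustable 1E-7 to 9.99E-1 % per 7.3.3.1

    def downscale_alarm(self):
        return (self.power_pct < self.downscale_alarm_pct
                or self.self_test_fault
                or self.inop)


def rod_withdrawal(wrms, srms, refuel_mode=False):
    """Return (permitted, reasons) for control rod withdrawal."""
    reasons = []
    if any(w.hi_alarm for w in wrms):
        reasons.append("WRM Hi Alarm")
    # Assumption: SRM contacts are in parallel, so any closed contact bypasses
    # the downscale block. Above roughly 4000 CPS every contact is open and a
    # single downscale alarm blocks withdrawal.
    bypass = any(s.bypass_closed() for s in srms)
    if any(w.downscale_alarm() for w in wrms) and not bypass:
        reasons.append("WRM downscale alarm, SRM bypass open")
    if refuel_mode and any(w.power_pct > REFUEL_SETBACK_PCT for w in wrms):
        reasons.append("refuel setback")
    return (not reasons, reasons)


def startup_case(srm_high_voltage):
    """Constructed case: all three WRMs below scale, both SRMs at 200 CPS."""
    wrms = [WideRangeMonitor(5e-8) for _ in range(3)]
    srms = [SourceRangeMonitor(200.0, srm_high_voltage) for _ in range(2)]
    return rod_withdrawal(wrms, srms)


if __name__ == "__main__":
    print(startup_case(400.0))   # SRM bypass closed: withdrawal permitted
    print(startup_case(100.0))   # SRM high voltage lost: downscale block applies
```

The second call shows the fail-safe direction of the contacts: losing Source Range Monitor high voltage removes the bypass, so withdrawal is blocked instead of proceeding without source-range indication.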

7.3.3.3 Wide Range Monitor Power Correction

The Wide Range Monitor has two adjustable power correction factors.

The first, rated power, is adjustable between 0.80 and 2.00, with 1.00 = 240 MWt or 100% power. The second, detector sensitivity, is adjustable between 0.30 and 3.00, with 1.00 = 2.11E-4 amperes or 100% power.

7.3.4 FISSION COUNTERS (CHANNELS 8 AND 9)

Two "temporary" channels are assembled for each refueling outage.

The electronics, rack mounted in Room 442, receive their input from fission counter type detectors. These channels are used for core loading and physics testing.

The fission counters are mounted in watertight fixtures that can be located in any desired position within the reactor.

Remote meters and recorders in the control room indicate the count rate on a log scale from 1 CPS to 1E5 CPS.

At the completion of core loading and physics testing activities, channels 8 and 9 are disassembled and stored until the next refueling.

7.3.5 IN-CORE FLUX MONITORING (CHANNELS 11 THROUGH 18)

In-core flux monitors are used to evaluate predicted power distributions and detect power oscillations or deviations from expected power distributions in time for the operator to take corrective action to avoid exceeding local heat flux limits. The incores monitor flux distribution at points throughout the reactor core in both the axial and radial planes under power conditions. Flux is monitored in eight radial positions located throughout the core. In each position, the flux is monitored at three elevations, giving a total of 24 measurements for the complete core.

Flux is measured by miniature fission chambers located at the desired points of measurement. The three chambers for one channel are fabricated into one assembly with the chambers spaced at approximately eighteen inch intervals.

The signal is carried in mineral-insulated stainless steel sheathed cable. The cable is welded to the ion chambers to make a pressure-tight assembly. Section 5.3.1.9.12 of this Updated FHSR provides additional detector information.

The ion chamber assemblies are mounted through a nozzle and encasement, which penetrates the bottom of the reactor vessel. The chamber leads pass through a high pressure connection at the bottom of the reactor vessel and terminate in an electrical connector located at the end of the assembly outside of the reactor vessel.

The cables from the electrical connectors on each assembly are routed to amplifiers with indicating instruments and alarm on the control panel. An integrated rod position and in-core flux level display is provided on the main panel.

The use of in-core monitors is required during power operation. At such times, sufficient in-cores will be operable to provide comparison data. If less than 6 in-core monitors are available or less than 1 detector in any axial level, reactor power shall be restricted to 80% of the heat flux limits. The in-core flux monitoring channels are not used to initiate reactor scram, and these monitors are not connected in the reactor safety system. Connection of the in-cores to the safety system is considered unnecessary because (1) the reactor core is relatively small, and (2) the out-of-core instrumentation is more reliable and provides proper detection of core conditions.

In-Core System Evaluation

CPCo letter dated August 10, 1977 provided an evaluation of the in-core system to clarify the Original FHSR conclusions in (1) and (2) above.

The Big Rock Point reactor contains a relatively small, highly coupled, high leakage core. Because there is no flow control capability, power level and distribution at any given time is solely a function of the control rod pattern and exposure distribution. Due to its high leakage characteristics, the core is very stable, analytically predictable and not subject to power oscillations.

Because of inherent uncertainties in the instruments themselves, such as cable and chamber leakage properties and U-235 burnup, Big Rock Point in-cores serve a limited function in the detection of Technical Specification heat flux limits.

Fluxwire irradiation as outlined in Section 7.3.5.1 below, and in-core recalibration, are performed periodically to examine general trends in the power distribution and to correct for the uncertainties associated with the instruments and chambers.

Overall compliance with Technical Specification limits is based almost exclusively on conservative thermal hydraulic computer analyses (CROK) normalized to actual flux distribution measurements (fluxwires).

This results in minimal reliance being placed on in-core calibration to detect exceeding these limits.

NRC Evaluation of In-Core Detectors

During the integrated assessment for Big Rock Point, CPCo proposed to delete the Technical Specification operability requirement for the incore detectors. As discussed in the Integrated Plant Safety Assessment Report (IPSAR), NUREG-0828, Section 5.3.13, the staff agreed with this approach provided that operability requirements for the flux wire system be included in the Technical Specifications instead.

In a submittal dated February 20, 1985, CPCo decided not to pursue these Technical Specification changes at this time and that IPSAR Section 5.3.13 should, therefore, be considered closed.

Either system will provide the operator with adequate indication of the neutron flux distribution in the reactor. Since the licensee's request will retain the operability requirements for the incore flux detectors, the staff considers this matter resolved.

7.3.5.1 Flux Wire Irradiation

A calibration tube is provided in each in-core ion chamber assembly which allows a small diameter wire to be inserted into the assembly during reactor operation. This tube extends the full length of the assembly and adjacent to each ion chamber.

When the wires are inserted, each ion chamber and the portions of wire adjacent to it, experience approximately the same neutron flux.

Since the wire extends the full active fuel length, an axial neutron flux distribution is obtained at each radial location of monitor assemblies.

The wires are run in and out of the reactor, using a wire insertion tool which is located in a shielded area near the bottom of the reactor vessel. The wires are pushed through an extension of the calibration tube which penetrates the shield wall and connects with the ion chamber assembly on the bottom of the reactor vessel. After irradiation, the wires are withdrawn into the case of the insertion tool.

Each wire will be counted along its length. The counts at each interval are then plotted and the location of ion chambers indicated on the plot from the known location of the chambers.

7.4 ENGINEERED SAFETY FEATURES (ESF) INSTRUMENTATION AND CONTROL EVALUATIONS

7.4.1 ENGINEERED SAFETY FEATURES (ESF) SYSTEM CONTROL LOGIC AND DESIGN

The NRC Systematic Evaluation Program (SEP) Topic VII-2, ESF System Control Logic and Design was completed and a Safety Evaluation Report (SER) was issued February 1, 1982 with a replacement page issued May 18, 1982 providing corrections.

The objective of SEP Topic VII-2 was to determine if non-safety systems which may be electronically connected to the ESF are properly isolated from the ESF and if the isolated devices or techniques used meet current licensing criteria. These criteria included the following, as detailed in the SER:

General Design Criterion 22, "Protection System Independence," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

General Design Criterion 24, "Separation of Protection and Control Systems," of Appendix A, "General Design Criteria of Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities."

IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," Section 4.7.2.

As discussed in the Technical Evaluation Report portion of the SER, the ESF Systems evaluated and their selection are the same as those outlined in Section 6.1 of this Updated FHSR.

7.4.1.1 Emergency Core Cooling Systems (ECCS) Controls

The ECCS is addressed in Section 6.3 of this Updated FHSR which provides a discussion of ECCS control logic and design.

Evaluation

The ECCS uses separate sensors, logic systems and power sources for its operation.

Isolation from control and non-safety systems is by relay and switch contacts, which is satisfactory.

7.4.1.2 Enclosure Spray System Controls

The enclosure spray system is addressed in Section 6.3 of this Updated FHSR which provides a discussion of the enclosure spray control logic and design.

7.4-1 MI1289-0459A-BX01

Evaluation

The containment spray sensors, logic and remote manual control switches are separate from and independent of control and non-safety systems. Use of thermal breakers for valve power operation and separate buses provide adequate isolation for the valves.

7.4.1.3 Emergency Condenser System (ECS) Controls

The Emergency Condenser is addressed in Section 6.8 of this Updated FHSR which provides a discussion of the ECS control logic and design.

Evaluation

Use of bistable switch contacts in separate channels provide adequate isolation between channels and from control and non-safety systems.

Power to the valves is from a common power bus.

Failure of this bus could prevent emergency condenser operation.

7.4.1.4 Containment Isolation System (CIS) Controls

The Containment Isolation System is addressed in Section 6.2 of this Updated FHSR which provides a discussion of the CIS control logic and design.

Evaluation

The containment isolation system consists of redundant channels and is isolated from control and non-safety systems by relay contacts, switch contacts and thermal circuit breakers.

7.4.1.5 Reactor Depressurization System (RDS) Controls

The Reactor Depressurization System is addressed in Section 6.9 of this Updated FHSR which provides a discussion of the RDS control logic and design.

Evaluation

Isolation of the RDS from control and non-safety functions is by bistable, relay and switch contacts.

Each channel is fed by a separate UPS and isolated by circuit breaker and fuse. Status information is from bistables and relays operated from the logic system.

Limit and position switches provide valve position indication.

Separate process instrumentation monitors the operating performance of the RDS. The RDS is adequately isolated from other safety, control and non-safety systems.

7.4.1.6 Engineered Safety Features (ESF) System Control Logic and Design Evaluation Conclusions

NRC Safety Evaluation Report (SER) Conclusions

As a result of our review, the staff concludes that Big Rock Point conforms to current licensing criteria listed in Section 7.4.1 above for electrical isolation of redundant safety features.

The powering of duplicate equipment from the same safety buses is addressed in SEP Topic VI-7.C.1, Appendix K - Electrical Instrumentation and Control EI&C Re-reviews, which concluded BRP met current licensing criteria for that topic in an SER issued February 22, 1982.

7.4.2 EMERGENCY CORE COOLING SYSTEM (ECCS) ACTUATION SYSTEM TESTING

The NRC Systematic Evaluation Program (SEP) Topic VI-7.A.3, ECCS Actuation System was completed and a Final Safety Evaluation Report (SER) was issued August 20, 1982.

The objective of the review was to determine if all Emergency Core Cooling System (ECCS) components, including pumps and valves, are included in component and system tests, if the scope and frequency of periodic testing are identified, and if the test program meets current licensing criteria. The systems included in the ECCS are the Core Spray and Core Spray Recirculation System. The criteria utilized in the review included the following, as detailed in the SER:

General Design Criterion 37, "Testing of Emergency Core Cooling System," of Appendix A, "General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," January 1, 1981.

Branch Technical Position ICSB 25, "Guidance for the Interpretation of GDC 37 for Testing the Operability of the Emergency Core Cooling System as a Whole."

Regulatory Guide 1.22, "Periodic Testing of the Protection System Actuation Functions," Section D.1.a and D.4.

Nuclear Regulatory Commission Standard Review Plan, Section 7.1, Appendix B, "Guidance for Evaluation of Conformance to IEEE STD 279," Section 11.

i l

7.4.2.1 Core Spray System Actuation Testina The Core Spray System is addressed in Section 6.3 of this Updated FHSR. The following provides an evaluation of this portion of the ECCS.

7.4-3 Mll289-0459A-BX01

f Core Spray System Evaluation The Big Rock Point Plant Technical Specification requires on a monthly basis that (a) the core spray system injection valves and the core spray system shell side inlet valve an verified to be operable by remote manual actuation, (b) the core spray system core spray heat exchanger is leak tested, (c) both fire pumps are automatically actuated by the pump actuating circuitry, (d) valve VPI-19 (previously MO-7069) is verified to be locked or sealed in the open position, and (e) the closure of the deluge system automatic isolation valve is verified when the core spray injection valves receive an open signal.

During each major refueling outage, the Big Rock Point Plant Technical Specification requires that (a) the core spray system actuation instrumentation, the pressure instrumentation, and the flow instrumentation are calibrated, (b) the two core spray system containment isolation check valves are verified not to be stuck shut, (c) the fire system basket strainer differential pressure switches are calibrated, and (d) the core spray system injection valves with water flow normally blocked are verified to be operational upon manual and automatic actuation. The Big Rock Point Plant Technical Specification has also established that the instrumentation for the core spray system be checked, tested, and calibrated on a periodic basis.

There is no established requirement in the Technical Specifications for a periodic systems integrated test to determine the operability of the system as a whole as required by General Design Criterion 37. However, the licensee, through the use of procedures, performs system level testing (ie, the automatic actuation from sensor input to verification of proper actuated component response) which includes test overlap and time response verifications. These procedures are performed at every refueling and specific precautions are taken to assure that no fire water from Lake Michigan flows into the reactor core.

7.4.2.2 Core Spray Recirculation System Actuation Testing

The Core Spray Recirculation features are addressed in Section 6.3 of this Updated FHSR. The following provides an evaluation of this portion of the ECCS.

Core Spray Recirculation Evaluation

The Big Rock Point Plant Technical Specifications specify that a test tank and appropriate valving is provided in the Core Spray Recirculation System so the pump suction conditions and the flow characteristics of the system can be periodically tested. The Technical Specification also requires, on a monthly basis, that the hose required for backup cooling water to the core spray recirculation heat exchanger is verified to be installed on a designated rack in the screen house.

During each major refueling outage, the Technical Specification requires that (a) the recirculation system be operationally checked through the test tank flow path, (b) the valve MO-7066 is verified to be operable upon manual actuation, (c) the hose used for backup cooling water to the core spray recirculation heat exchanger is verified to be operable and free of obvious defects, and (d) a leak and flow check of the backup cooling water hose when connected between the screen house fire water connection and the core spray recirculation heat exchanger is performed. The Technical Specification requires that the instrumentation for the recirculation system be checked, tested and calibrated on a periodic basis.

The Core Spray Recirculation System is not tested from the manual actuation through to the establishment of flow during reactor operation as specified by Standard Review Plan Section 7.2, Appendix B, Section 11. Testing of the Core Spray Recirculation System during reactor operation is not practical during plant operation or shutdown because full operation of the recirculation system requires that the core spray system be in operation (ie, the core spray system injection valves must be open) and a water supply be available in the bottom of the containment sphere. The Technical Specifications do not establish testing or position verification requirements for the valves in the flow path for the Core Spray Recirculation System, nor is an integrated systems test required during refueling to determine system operability.

However, the licensee through the use of two refueling outage test procedures verifies the capability of the system to serve in the recirculation mode.

The following has been determined pertaining to the testing and testability of the Core Spray and Core Spray Recirculation Systems.

1. The design of both the Core Spray and the Core Spray Recirculation system makes testing of the systems impractical during reactor operation.

2. The Big Rock Point Technical Specifications do not require a systems integrated test to determine system operability as a whole. However, the licensee performs this testing by plant test procedures, using test overlap and time response verification. Therefore, the core spray system does comply with the current reactor licensing criteria.

3. The Big Rock Point Technical Specifications do not establish testing or position verification requirements for the valves in the flow path for the core spray recirculation system nor an integrated system test. However, the licensee through the use of plant test procedures verifies the capability of the core spray recirculation system to serve in the recirculation mode. Therefore, the core spray recirculation system does comply with the current reactor licensing criteria.

NRC Safety Evaluation Report (SER) Conclusions

Based upon our review, the staff concludes that Big Rock Point conforms to current licensing criteria and is, therefore, acceptable.


7.5 REACTOR PROTECTION SYSTEM AND ENGINEERED SAFETY FEATURES TESTING INCLUDING RESPONSE TIME TESTING

The NRC letter dated November 9, 1982 provided a Final Safety Evaluation Report on Systematic Evaluation Program (SEP) Topic VI-10.A, Testing of Reactor Trip System and Engineered Safety Features, Including Response Time.

The objective of the review was to determine if all Big Rock Point Reactor Protection System (RPS) components, including pumps and valves, are included in component and system tests, if the scope and frequency of periodic testing is adequate, based on comparison with current Standard Technical Specifications (STS) and if the test program meets current licensing criteria. The review will also address these same matters with respect to the Engineered Safety Features (ESF) systems.

Review Criteria

General Design Criterion 21, "Protection System Reliability and Testability," of Appendix A, "General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, January 1, 1981.

Regulatory Guide 1.22, Periodic Testing of the Protection System Actuation Functions, February 17, 1972, Sections D.1.a and D.4.

IEEE Standard 338-1975, Periodic Testing of Nuclear Power Generating Station Class 1E Power and Protection Systems, portions of Sections 3 and 6.3.4.

General Design Criterion 40, "Testing of Containment Heat Removal Systems," of Appendix A, "General Design Criteria for Nuclear Power Plants," 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, January 1, 1981.

Nuclear Regulatory Commission Standard Review Plan, Section 7.1, Appendix B, "Guidance for Evaluation of Conformance to IEEE STD 279," Section 11.

NUREG-0123, Rev. 3, Standard Technical Specifications for General Electric Boiling Water Reactors, Fall 1980, Tables 4.3.1.1-1, 4.3.2.1-1, and 4.3.3.1-1.

NRC Safety Evaluation Report (SER) Conclusion

From the staff's review, we have determined that some sensors and their signal processing and logic elements are not tested in a manner that satisfies current licensing criteria.

The need to implement a neutron monitoring system response time test will be determined during the integrated assessment.

7.5-1 MI1289-0461A-BX01

The staff has also determined that required instrument calibration is performed in accordance with plant procedures; however, some of these tests are not included in the plant Technical Specifications. The need to revise the plant Technical Specifications will be determined during the integrated assessment.

7.5.1 RPS AND ESF TESTING, SEP TOPIC VI-10.A RESOLUTION

The NRC Integrated Plant Safety Assessment Report (IPSAR) NUREG-0828, May 1984 Final Report in Section 4.21 provided the following resolutions for this issue.

10 CFR 50 (GDC 21), as implemented by Regulatory Guide 1.22 and the BWR Standard Technical Specifications (STS) (NUREG-0123), requires that the Reactor Protection System (RPS) be designed to permit periodic testing of its functioning, including a capability to test channels independently. During the topic review, the following issues were identified.

7.5.1.1 Surveillance Frequency Requirements Resolution

The Big Rock Point Technical Specifications do not require calibration of the initiation channels for the RPS, the emergency condenser system, and the containment isolation system. Calibration of these systems is controlled by plant test procedures, which are scheduled in the Technical Specifications.

The Big Rock Point Technical Specifications specify response times but do not require response-time testing of the RPS and Engineered Safety Features (ESF) systems. Response-time tests are controlled by plant test procedures; RPS response-time test intervals are greater than that specified in the STS.

For Big Rock Point, the staff agrees with the licensee position that operating experience justifies a test interval that is greater than that specified in the STS.

7.5.1.2 Reactor Protection System Response-Time Testing Resolution

Refer to Section 7.2.2 of this Updated FHSR.

7.6 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

This section will be separated into two sub-sections dealing with a "Safe Shutdown Systems Report," and "Electrical, Instrumentation, and Control Features of Systems Required for Safe Shutdown." Both of these sub-sections include reference to NRC Safety Evaluation Report (SER) information from Systematic Evaluation Program (SEP) Topics which have been corrected to reflect design changes since these SERs were issued.

7.6.1 SAFE SHUTDOWN SYSTEMS

The NRC provided a Final Safety Evaluation for Systematic Evaluation Program Topics V-10.B, RHR Reliability; V-11.B, RHR Interlock Requirements; and VII-3, Systems Required for Safe Shutdown. This "Safe Shutdown Systems Report" was issued September 10, 1982 and has been updated by CPCo to reflect current plant design.

7.6.1.1 Comparison of Shutdown and Cooldown System With Current NRC Criteria

The current criteria used in the evaluation of the design of systems required to achieve cold shutdown for a new facility are listed in the Standard Review Plan (SRP) Section 5.4.7 and Branch Technical Position RSB 5-1 Rev. 1 and Regulatory Guide 1.139, "Guidance for Residual Heat Removal." This section discusses the comparison of these criteria with the safe shutdown systems of the Big Rock Point plant. This comparison will be done by quoting a section of the Branch Technical Position RSB 5-1 and then discussing the degree to which the plant meets the requirements of that particular section.

Functional Requirements

The system(s) which can be used to take the reactor from normal operating conditions to cold shutdown shall satisfy the functional requirements listed below. Processes involved in cooldown are heat removal, depressurization, flow circulation, and reactivity control. The cold shutdown conditions, as described in the Standard Technical Specifications, refers to a subcritical reactor with a reactor coolant temperature no greater than 212°F for a BWR.

The General Design Criteria listed are as specified in 10 CFR 50, Appendix "A".

1. The design shall be such that the reactor can be taken from normal operating conditions to cold shutdown using only safety grade systems. These systems shall satisfy General Design Criteria 1 through 5.

7.6-1 MI1289-0462A-BX01

2. The system(s) shall have suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities to assure that for onsite electrical power system operation (assuming offsite power is not available) and for offsite electrical power system operation (assuming onsite power is not available) the system function can be accomplished assuming a single failure.

3. The system(s) shall be capable of being operated from the control room with either only onsite or only offsite power available with an assumed single failure. In demonstrating that the system can perform its function assuming a single failure, limited operator action outside of the control room would be considered acceptable if suitably justified.

4. The system(s) shall be capable of bringing the reactor to a cold shutdown condition, with only offsite or onsite power available, within a reasonable period of time following shutdown, assuming the most limiting single failure.

Background

A "safety grade" system is defined, in the NUREG 0138* discussion of issue No. 1, as one which is designed to seismic Category I (Regulatory Guide 1.29), quality group C or better (Regulatory Guide 1.26), and is operated by electrical instruments and controls that meet Institute of Electrical and Electronics Engineers Criteria for Nuclear Power Plant Protection Systems, (IEEE 279). Big Rock Point was constructed prior to the issuance of Regulatory Guides 1.26 and 1.29 (as Safety Guides 26 and 29 on 3/23/72 and 6/7/72 respectively) and IEEE 279, dated August 30, 1978.

* Staff Discussion of Fifteen Technical Issues Listed in Attachment to November 3, 1976 Memorandum from Director, NRR to NRR Staff, NUREG 0138, November 1976.

Evaluation

General Design Criteria (GDC) 1 requires that systems be designed, fabricated, erected, and tested to quality standards, that a Quality Assurance (QA) program be implemented to assure these systems perform their safety functions, and that appropriate records of design, fabrication, erection, and testing be kept.

Regulatory Guide (RG) 1.26 provides the current NRC criteria for quality group classification of safety-related systems. Although RG 1.26 was not in effect when Big Rock Point was constructed, certain systems at Big Rock were evaluated in accordance with portions of this guide as part of the SEP.

In general, the high pressure system at Big Rock was designed and built to the 1955 version of ASME Boiler and Pressure Vessel Code, Section 1, Nuclear Code Cases 1270N and 1273N, and ASA B31.1, (refer to Chapter 3, Table 3-1 of this Updated FHSR). Although the safety-related systems at Big Rock were not designed, fabricated, erected, and tested using RG 1.26, the maintenance and modification of certain systems is currently conducted in accordance with portions of this guide. For example, the RDS was designed and built to the standards of those regulatory guides.

At the time the Big Rock Point Plant was licensed, the NRC criteria for QA were not developed. The QA program for operation of Big Rock, SEP Topic XVII, was approved by the staff on September 17, 1976 and the current QA program is addressed in Chapter 17 of this Updated FHSR.

GDC 2 states that structures and equipment important to safety shall be designed to withstand the effects of natural phenomena without loss of capability to perform their safety function. Natural phenomena considered were:

The effects of tornadoes which were reevaluated during the course of the SEP in Topics II-A "Severe Weather Phenomena," III-2 "Wind and Tornado-loadings," and III-4.A "Tornado Missiles." These are addressed in Chapter 2 and 3 of this Updated FHSR.

Floods and flood effects which were reassessed in the SEP review under Topics II-3.B "Flooding Potential and Protection Requirements," and III-3 "Hydrodynamic Loads." These are addressed in Chapter 2 and 3 of this Updated FHSR.

Within the SEP review, the potential for and consequences of a seismic event at the Big Rock Point site were reassessed under several review topics. The seismic potential and consequences are addressed in Chapters 2 and 3 of this Updated FHSR.

GDC 3 requires structures, systems, and components important to safety to be designed and located to minimize the effects of fires and explosions.

The BRP fire protection reevaluation resulting from the Browns Ferry fire and 10 CFR 50 Appendix "R" were reviewed by the NRC Staff. The Fire Protection System and Alternate Shutdown System are addressed in Chapter 9 of this Updated FHSR.

GDC 4 requires that equipment important to safety be designed to withstand the effects of environmental conditions for normal operation, maintenance, testing and postulated accidents. Also the equipment should be protected against dynamic effects including internal and external missiles, pipe whip, and fluid impingement.

The SEP reevaluated the various aspects of this criterion when reviewing topics III-12 "Environmental Qualification of Safety-Related Equipment" (USI A-24), III-5.A "Effects of Pipe Breaks Inside Containment," III-5.B "Pipe Breaks Outside Containment," and III-4 "Missile Generation and Protection." These are discussed in Chapter 3 of this Updated FHSR.

GDC 5 is not applicable for the Big Rock Point Plant because it does not share any equipment with other power units.

7.6.1.2 Listing of Safe Shutdown Systems or Components

Although other systems are available to perform shutdown and cooldown functions as described in this Updated FHSR, based on NRC review of systems available at Big Rock Point to accomplish these functions in accordance with the provisions of BTP RSB 5-1, the NRC determined that the following minimum number of systems is required (Note: the portions within parentheses identify the Section within this Updated FHSR where these systems or components are described):

1. Reactor Protection and Trip System (Section 7.2)
2. Emergency Condenser (Section 6.8)
3. Fire Protection Water System (Section 9.5)
4. Reactor Depressurization System (Section 6.9)
5. Core Spray Systems (Section 6.3)
6. Post Incident System (Section 6.3)
7. Instrumentation for Shutdown and Cooldown (Table 7.6-1 and Section 9.6)
8. Emergency Power (AC and DC) for the Above Systems and Equipment (Section 8.3 and 8.4)
9. Alternate Shutdown System (Section 9.6)

Table 3.1 in Chapter 3 of this Updated FHSR lists these safe shutdown systems along with a comparison of present design criteria with the criteria to which these systems were designed.

7.6.1.3 Safe Shutdown Instrumentation and Controls

The instrumentation listed in Table 7.6-1 represents those parameters that indicate overall reactor performance (eg., steam drum level, pressure) and those instruments that monitor performance of the systems being used for the shutdown (eg., emergency condenser level). The latter set is included to enable the operator to detect degradation in system performance prior to loss of function.

It should be noted that the instruments identified in Table 7.6-1 were those selected by the NRC in the review of this SEP Topic. In certain cases, other instruments are utilized which meet Electrical Equipment Qualification Requirements; refer to Section 3.11 of this Updated FHSR.

TABLE 7.6-1 LIST OF SAFE SHUTDOWN INSTRUMENTS

Component/System                   Instrument

Reactor System                     Steam drum level (LE-1D25 A&B, LI-IA77 and ID59, LT-IA18, ID13)
                                   Steam drum pressure (PT-IA07B and PR-IA09)

Emergency Condenser                Shell level (LT-3150, LI-3305 and LS-3549)

Fire Water System                  Fire System pressure (PI-338)

Core Spray System                  Core Spray flow (PT-2162, FI-2335)

Backup Core Spray                  Core Spray flow (FT-2163, FI-2336)

Core Spray Recirculation System    Core Spray Recirc pressure (PS-638)
                                   Containment water level (LS-3562 through 3565)

Emergency AC Power                 Emergency Diesel voltage and current indication

Emergency DC Power                 125V DC System voltage indication

Alternate Shutdown DC Power        125V DC Alternate Shutdown voltage indication

Alternate Shutdown Instruments     Refer to Section 9.6 of this Updated FHSR

Some of the instrumentation listed would not normally be needed for a shutdown. If the emergency condenser is available, only steam drum level, steam drum or reactor pressure and emergency condenser shell level would be needed. Additional readouts were provided at the alternate shutdown control panel described in Section 9.6 of this Updated FHSR.

If the emergency condenser cannot be used, other instrumentation would be used to monitor RDS, PIS performance, such as containment water level. It would also be desirable to have flow indications for the post-incident cooling system.

7.6.1.4 Safe Shutdown Methods

The emergency condenser provides the most desirable means of decay heat removal in those situations in which the main condenser is not available for cooldown. The tube side of the condenser is designed for primary system pressure. Redundant inlet and outlet flow paths are available. However, the outlet valves are powered by a common DC alternate shutdown bus and would not meet the requirements of IEEE 279 for single failure and separation.

Therefore, with an assumed loss of offsite power (shutdown with only onsite power) and a single failure which disables the Alternate Shutdown 125 VDC bus, the emergency condenser DC outlet valves would be inoperable and the emergency condenser could not be used for shutdown. In this case, the RDS, core spray system, and post incident cooling system are operable and provide an acceptable means to depressurize and cool the reactor. Depressurization of the reactor with RDS, coolant injection with the core spray systems, and long term cooling by the post-incident cooling system provide this ability.

However, because the RDS discharges to containment, and its use would require an extensive containment cleanup effort, this is not the most desirable cooldown method.

Activation of the RDS and core spray for shutdown with loss of offsite power and an assumed single failure can be done from the control room. However, realignment of the post-incident cooling system for long term cooling requires operator action outside the control room but not inside containment.

Activation of RDS results in a very rapid cooldown. Blowdown with RDS is rapid and the coolant temperature follows at saturation conditions. This is followed by injection of cool water from the core spray (fire water) system and then recirculation using the post incident cooling system core spray heat exchanger.

If DC power is not lost the emergency condenser is used for cooldown. Experience at the plant has shown that the heat removal capacity of the emergency condenser is large enough that it is necessary to take action to limit the cooldown to within Technical Specification limits.

Plant experience has also shown that the emergency condenser and a single shutdown cooling system pump and heat exchanger are sufficient to cool the plant to cold shutdown within 36 hours. The following subsections provide an evaluation of the capability of the plant systems to perform this cooldown.

Although the Shutdown Cooling System is normally used to attain cold shutdown conditions during routine shutdown of the plant, it is susceptible to a failure to open of either a single suction or discharge isolation valve located inside the containment sphere. Furthermore, operator entry to containment is necessary to restore power to the valve breakers for remote valve operation. The isolation valves are equipped with handwheels for manual operation in the event of an electrical malfunction. However, the RDS, core spray, and post-incident cooling systems can be used to attain cold shutdown, if required; and these systems are not susceptible to single failures.

7.6.1.5 Residual Heat Removal/Shutdown Cooling System RHR/SCS Controls Evaluations

The Shutdown Cooling System is described in Section 5.4.5 of this Updated FHSR which includes an evaluation of SCS Isolation Controls. The following provides additional analyses and evaluations to supplement the control discussions presented therein.

7.6.1.5.1 SCS Pressure Relief Controls Evaluation

At Big Rock Point, two small relief valves set at 300 psig are installed in the SCS. Relief capacity of each valve is approximately 25 gpm. No significant pressure transients are expected because BWR pressures are determined by saturated steam conditions. The relief valve discharge drains to the containment enclosure sump and would not impact safety related equipment.

7.6.1.5.2 SCS Pump Protection Controls Evaluation

The Shutdown Cooling System pumps are tripped only on pump overload or by local manual action. There is no protection from overheating, cavitation or loss of pump suction fluid. However, the deviation from these BTP provisions is acceptable because the facility possesses other means to remove core decay heat which are redundant to the Shutdown Cooling System pumps.

7.6.1.5.3 SCS Controls Testing Evaluation

The SCS interlock and auto closure setpoints are checked each refueling and the valves are exercised to assure operability. The licensee has stated that the tests meet the intent of Regulatory Guide 1.22.

7.6.1.6 Procedures For Safe Shutdown and Cooldown Evaluation

Operational procedures for bringing the plant from normal operating power to cold shutdown were reviewed by the NRC as discussed in the September 10, 1982 SER which concluded that the existing procedures for safe shutdown and cooldown were in conformance with Regulatory Guide 1.33.

Subsequent to this SER, plant Emergency Operating Procedures (EOPs) were developed as described in Section 13.5 of this Updated FHSR.

7.6.1.7 Cooling Water Requirements For Safe Shutdown

Appendix "A" of the NRC September 10, 1982 Safety Evaluation Report (SER) provided an evaluation of "Safe Shutdown Water Requirements," which supplements the "Safe Shutdown Systems Report" contained therein. The following provides a summary of the Appendix which has been corrected to reflect current design.

Standard Review Plan (SRP) 5.4.7, "Residual Heat Removal (RHR) System" and Branch Technical Position (BTP) RSB 5-1, Rev. 1, "Design Requirements of the Residual Heat Removal System" and Regulatory Guide 1.139 "Guidance for Residual Heat Removal" are the current criteria used in the Systematic Evaluation Program (SEP) evaluation of systems required for safe shutdown.

The original design criteria for the SEP facilities did not require the ability to achieve cold shutdown conditions. For these plants, and for the majority of operating plants, safe shutdown was defined as hot shutdown. Therefore, the design of the systems used to achieve cold shutdown condition was determined by the reactor plant vendor and was not based on any safety concern.

Safe Shutdown Cooling Water Evaluation

After the reactor trip, the reactor system pressure and temperature increase towards the safety valve pressure setpoint because the main condenser is not operable following an assumed loss of offsite power. The emergency condenser is automatically initiated as described in Section 6.8 of this Updated FHSR. Capacity, makeup water, and operation of the emergency condenser are also described in Section 6.8 and are such that a cooldown to Shutdown Cooling System (SCS) initiation conditions can be performed in a reasonable time.

As the cooldown progresses, the reactor system fluid contracts and the need for reactor system makeup exists to keep the level of coolant in the steam drum. If the emergency condenser is used to accomplish the depressurization, the shrink will not uncover the core even if no makeup is provided for approximately four hours. The reactor feed system, which is normally used to inject water into the reactor at high pressure, is not available because it depends on offsite power. The Control Rod Drive hydraulic system, which can also supply high pressure water, is not considered to be available because it was not designed as a safety system and, therefore, is not included on the safe shutdown system list. Without these high pressure reactor makeup systems, the operator would rely on the Core Spray (CS) system to supply reactor coolant, if needed. The CS system operates using fire system pressure, and therefore, if reactor pressure is not below fire system pressure, the operator must initiate or permit automatic initiation of the Reactor Depressurization System (RDS) to lower the pressure sufficiently for CS flow into the reactor system to occur.

In fact, the RDS can be manually initiated at any time during the cooldown sequence following reactor trip, provided the reactor vessel level at RDS initiation is at or below the RDS automatic actuation level; and the CS system will provide adequate core cooling (refer to Section 6.9 of this Updated FHSR for RDS operation). Thus for Safe Shutdown, the RDS and emergency condenser are considered redundant to each other for the function of plant cooldown. The main reasons that the emergency condenser is included on the safe shutdown list are to provide a core cooling method which does not reduce the reactor system coolant inventory since Big Rock Point does not have the high pressure coolant injection capability that most other boiling water reactors have and because use of the RDS would require extensive cleanup of the containment building.

Normally, long term heat removal would be accomplished by the Shutdown Cooling System (SCS). If this system and its auxiliary systems are available, it would be started at a reactor system pressure of ~200 psig. However, since the SCS initiation requires operator action inside containment and its auxiliaries were not designed and constructed with the quality of the plant engineered safety features systems, the RDS, core spray, and containment cooling systems (Post Incident Cooling System) would be relied on for long-term cooling of the plant. The core heat and stored heat in the reactor system materials is transferred to the containment by the core spray and RDS. The containment heat removal systems transfer the heat to the ultimate heat sink.

Safe Shutdown Cooling Water SER Conclusion

Based on the staff's evaluation of safe shutdown water requirements at Big Rock Point, we have concluded that (1) the fire protection water system provides a virtually unlimited supply of makeup water for the emergency condenser, and (2) because of the RDS, Core Spray and Post-Incident Cooling System capabilities, the plant systems permit a cooldown to cold shutdown conditions in accordance with BTP RSB 5-1 requirements.

7.6.1.8 Resolution of Safe Shutdown Related SEP Topics

The following provides a discussion of how the Plant meets the safety objectives of associated Safe Shutdown Systematic Evaluation Program Topics.

7.6.1.8.1 Topic V-10.B RHR System Reliability

The safety objective for this topic is to ensure reliable plant shutdown capability using safety grade equipment subject to the guidelines of SRP 5.4.7 and BTP RSB 5-1. The Big Rock Point systems have been compared with these criteria, and the results of these comparisons are discussed and summarized in 7.6.1 above. Because it does not contain system redundancy (single letdown and return lines), the Shutdown Cooling System, which performs the function of a Residual Heat Removal System, does not satisfy the review guidelines. However, we have concluded that the other systems at Big Rock Point fulfill the safety objective. The staff notes the following:

1. The redundant emergency condenser condensate valves are powered by a single DC bus and so are susceptible to the single failure of this bus, although several sources are available to energize this bus. This single failure in conjunction with loss of offsite power would require the use of RDS and Core Spray for cooldown. Since an alternate method of shutdown exists, albeit one with undesirable operational consequences, and given the demonstrated low frequency of total loss of offsite power, the possible single failure mode for the emergency condenser is considered acceptable.

2. The present plant Technical Specifications for the emergency condenser permit one tube bundle to be inoperable until the next plant outage if a tube leak develops during plant operation. One tube bundle is capable of removing reactor decay heat (refer to Section 6.8 for operation with a leaking outlet valve).

7.6.1.8.2 Topic V-11.A Requirements for Isolation of High and Low Pressure Systems

The safety objective of this topic is to assure adequate measures are taken to protect low pressure systems connected to the primary system from being subjected to excessive pressure which could cause failures and in some cases potentially cause a LOCA outside of containment.

This topic is assessed in this report only with regard to the isolation requirements of the SCS system from the RCS. As discussed in Section 5.4.5 of this Updated FHSR, adequate overpressure protection exists.

7.6.1.8.3 Topic V-11.B RHR Interlock Requirements

The safety objective of this topic is identical to that of Topic V-11.A.

The staff conclusion regarding the Big Rock Point valve interlocks, as discussed in Section 5.4.5 of this Updated FHSR, is that adequate interlocks exist.


7.6.1.8.4 Topic VII-3 Systems Required For Safe Shutdown

The safety objectives of this topic are:

1. To assure the design adequacy of the safe shutdown system to (a) initiate automatically the operation of appropriate systems, including the reactivity control systems, such that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences or postulated accidents, and (b) initiate the operation of systems and components required to bring the plant to a safe shutdown.

2. To assure that the required systems and equipment, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown are located at appropriate locations outside the control room and have a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

3. To assure that only safety grade equipment is required for a plant to bring the reactor coolant system from a high pressure condition to a low pressure cooling condition.

Safety objective 1(a) will be resolved in the SEP Design Basis Event reviews. These reviews will determine the acceptability of the plant response, including automatic initiation of safe shutdown related systems, to various Design Basis Events, ie, accidents and transients (refer to Section 7.6.1 above, and Chapters 2, 3 and 15 of this Updated FHSR).

Objective 1(b) relates to availability in the control room of the control and instrumentation systems needed to initiate the operation of the safe shutdown systems and assures that the control and instrumentation systems in the control room are capable of following the plant shutdown from its initiation to its conclusion at cold shutdown conditions. The ability of the Big Rock Point Plant to fulfill objective 1(b) is discussed in the preceding subsections of Section 7.6.

Based on these discussions, we conclude that safety objective 1(b) is met by the safe shutdown systems subject to the findings of related SEP Electrical, Instrumentation, and Control topic reviews (refer to Section 7.6.2 below for resolution).

Safety objective 2 requires the capability to shut down to both hot shutdown and cold shutdown conditions using systems, instrumentation, and controls located outside the control room.

The fire protection reviews for addressing shutdown following a fire in the control room were completed. An Alternate Shutdown control panel was installed containing vital instrumentation for use during plant shutdown and cooldown. Suitable procedures for reaching both hot and cold shutdown conditions using the Alternate Shutdown System were prepared in accordance with 10 CFR 50, Appendix R, Item III-L (refer to Section 9.6 of this Updated FHSR).

Reviews of the adequacy of the safety grade classification of safe shutdown systems at Big Rock Point, to show conformance with safety objective 3, were completed in part under SEP Topic III-1, "Classification of Structures, Components, and Systems (Seismic and Quality)," and in part under the Design Basis Event reviews. Table 3-1 in Chapter 3 of this Updated FHSR provides certain information derived from these SEP Topic reviews.

7.6.2 ELECTRICAL, INSTRUMENTATION, AND CONTROL FEATURES OF SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The NRC revised Safety Evaluation Report (SER) for the Electrical, Instrumentation and Controls (EI&C) Systems identified as being required for safe shutdown was issued under Systematic Evaluation Program (SEP) Topic VII-3, Systems Required for Safe Shutdown, by letter dated December 17, 1982. The SER was based on information enclosed in NRC letter dated October 29, 1982 and the resolution of Inspection and Enforcement Bulletin IEB 79-27. CPCo response to IEB 79-27 was provided March 19, 1980 and dealt with the "Loss of Nonclass 1-E Instrumentation and Control Power System During Operation."

Evaluation

The systems required to take the reactor from hot shutdown to cold shutdown, assuming only offsite power is available or only onsite power is available and a single EI&C failure, are in compliance with current licensing guidelines and the safety objectives of SEP Topic VII-3.

Single failures of EI&C equipment cannot render all short and long-term cooling systems inoperable.

The instrumentation available to control room operators to reach and maintain the reactor in cold shutdown conditions does not meet current licensing criteria since a single failure can cause a loss of vital indication such as reactor temperature, pressure and level, as well as process instrumentation for safe shutdown systems.

The capability to shut down and cool down the reactor from outside the control room exists and is in compliance with the safety objectives of SEP Topic VII-3, except that instrumentation to verify shutdown and cooldown conditions from outside the control room is inadequate. (Note: Instrumentation added for Alternate Safe Shutdown has been reviewed and accepted by the NRC subsequent to this NRC Evaluation.)

Procedures exist to take the plant to cold shutdown from outside the control room to satisfy the safety objectives of SEP Topic VII-3.


Conclusions

The staff has concluded that the present design is an acceptable alternative to current licensing guidelines until Regulatory Guide 1.97 Revision 3 backfit decisions are made. Accordingly, we consider this topic to have been completed acceptably for Big Rock Point.


7.7 OTHER INSTRUMENTATION AND CONTROLS

7.7.1 REACTOR WATER LEVEL MONITORS IN THE REACTOR DEPRESSURIZATION SYSTEM

Four narrow range water level monitors are provided in the main control room as part of the Reactor Depressurizing System to be used for detection of adequate core cooling during accident situations.

At least two reactor water level indicators in the Reactor Depressurization System will be operable during power operation. Refer to Section 6.9 of this Updated FHSR for further information on RDS controls.

7.7.2 CONTAINMENT PRESSURE AND WATER LEVEL MONITORING SYSTEMS

Two containment pressure monitors and two containment water level monitors are provided with readouts in the main control room for accident monitoring. The containment pressure and water level monitors will be operable during power operations. Other operability and testing requirements are as outlined in the Technical Specifications. The containment pressure and water level monitors were installed via Facility Change FC-498 and FC-499 and details on these instruments were submitted to the NRC September 5, 1980.

Evaluation

The Integrated Plant Safety Assessment Report (IPSAR) Section 5.4.11 of NUREG-0828, May 1984 provided the following:

NUREG-0737, Item II.F.1, requested licensees to install or upgrade instrumentation to monitor variables including containment pressure and containment water level following an accident. The other instruments in Item II.F.1 are discussed in Sections 6.2.11, 7.7.5, and 7.7.3 of this Updated FHSR.

In a safety evaluation dated April 16, 1984 the staff concluded that Big Rock Point conforms with the guidelines for Item II.F.1.

7.7.3 INSTRUMENTATION TO DETECT INADEQUATE CORE COOLING

The NRC, by letter dated February 12, 1986 provided the following information on this issue:

In November 1980 the Nuclear Regulatory Commission (the Commission) published NUREG-0737 entitled, "Clarification of TMI Action Plan Requirements." Item II.F.2, entitled, "Instrumentation for Detection of Inadequate Core Cooling," the subject of this memorandum, required nuclear plants to install instrumentation which would provide indication of certain process parameters to assist the operators in determining whether adequate core cooling water and subcooling exists in the reactor.

7.7-1 MI1289-0463A-BX01

By submittal dated July 31, 1981, CPCo provided a final evaluation for the installation of additional wide-range level instrumentation for the facility. CPCo concluded that the existing instrumentation at the facility provides unambiguous indication of inadequate core cooling as well as the approach of inadequate core cooling. This letter completed CPCo's response to NUREG-0737 Item II.F.2.

In May 1984 the Commission issued NUREG-0828, "Integrated Plant Safety Assessment Systematic Evaluation," (IPSAR) for the facility. Section 5.3.19, Instrumentation To Detect Inadequate Core Cooling, of the IPSAR concluded that implementation of the instrumentation required by NUREG-0737, Item II.F.2 would not reduce risk significantly at the facility. Attachment 3 of Appendix D of the IPSAR states that installation of the required instrumentation may save only 0.3 person rem/reactor year. The Commission has determined this savings to be insignificant.

Therefore, based on the conclusions above, the February 12, 1986 letter serves to complete the Commission's activity with respect to the requirements of NUREG-0737, Item II.F.2 for the facility.

7.7.4 POSTACCIDENT SAMPLING

NUREG-0828, May 1984 Final Integrated Plant Safety Assessment Report (IPSAR) Section 5.4.5 provided the following concerning Postaccident Sampling System Controls:

NUREG-0737, Item II.B.3, required licensees to provide a postaccident sampling system. Criteria were included in NUREG-0737 describing what parameters were to be sampled and how quickly the sample results should be available.

On the basis of its review of the PRA, the staff has concluded that the installation of a postaccident sampling system that meets the guidance of NUREG-0737 would not significantly improve the safety of Big Rock Point. Item II.B.3 of NUREG-0737 requested that capability be provided to sample and analyze the primary coolant and containment atmosphere under postaccident conditions. The position statement for Item II.B.3 indicates that the primary purpose of the sampling system is to provide an indication of the degree of core damage after an accident without excessive exposure to the personnel performing the sampling. The licensee argues that the high range containment radiation monitors provide such an indication. The staff's review concluded that the licensee can estimate the degree of core damage based on measurements from these monitors (letter dated October 18, 1982). Also, the installation of additional sampling systems to meet the guidance of Item II.B.3, including exposure control, would be extremely expensive and would provide very little additional data on the degree of core damage. Therefore, the staff concludes that the licensee should not be required to install additional sampling systems at Big Rock Point to meet the guidance of Item II.B.3 of NUREG-0737.


7.7.5 CONTAINMENT HIGH RANGE MONITOR CALIBRATION CONTROLS

The containment atmosphere is monitored by two high range gamma monitors. The monitors are designed to measure gamma radiation in containment under accident conditions from 1 R/hr to 1E+06 R/hr. The monitors are located external to the containment sphere. The readouts of the monitors are located in the control room. Further details on these monitors are provided in Chapter 11 of this Updated FHSR.

NUREG-0828, May 1984 Final Integrated Plant Safety Assessment Report (IPSAR), Section 5.3.11.2 provided the following information:

NUREG-0737, Item II.F.1.3, identifies specific requirements for a containment high range monitor. The staff evaluated the implementation of this requirement as part of Amendment No. 54 to the license and concluded that the operability and surveillance provisions for the containment high range radiation monitor are acceptable.

However, at the time of the integrated assessment, the licensee had not yet obtained a suitable calibration source that could be used to put the monitors into service.

The licensee subsequently obtained a suitable source. The staff considers this issue to be completed acceptably.

7.7.6 STEAM DRUM AND REACTOR LEVEL INSTRUMENTS

Steam Drum and Reactor Water Level Instruments are depicted on Drawing 0740032101.

In 1979, modifications were performed on the primary coolant level elements removing the temperature compensation from the cold reference leg of each element. The purpose of these modifications was to eliminate the possibility of reference-leg flashing during loss-of-coolant transients of a particular size and location in the primary system. (The changes were accomplished via Specification Change SC-79-036.)

Removal of the temperature compensation permitted the reference-leg temperatures to follow ambient conditions. Because the ambient temperature was different at each level element, level indications varied by several inches depending on the element to which the level instrument is connected.

Additional modifications to the level elements were performed via Facility Change FC-497 in 1980. This modification added heating elements to each reference column raising the reference-leg temperature slightly above ambient conditions to eliminate the variation in reference-leg average temperature. The temperature controllers for each reference-leg are located in panel C-52.

The drum level controllers are set to maintain an average reference-leg temperature of about 235°F, the reactor level controllers of about 235°F. An annunciator in the control room alarms if the actual average temperature of a reference-leg is higher or lower than the controller setpoint by 10°F.

The annunciator also alarms on an average reference-column temperature that is 5°F above the controller setpoint. Exceeding this alarm setpoint automatically disconnects the element from its power supply, allowing the reference-leg temperature to drop to ambient conditions. This lower temperature causes instrumentation connected to the level element in question to indicate artificially lower primary coolant system setpoints. Operator response to the annunciation is presented in Alarm Procedures.

Technical Specifications require that the measured reference-leg temperature be less than 250°F and require annual testing of the level instrumentation. This testing frequency was found acceptable during the review of SEP Topic VI-10.A.

Section 5.3.16 of NUREG-0828, May 1984 Final Integrated Plant Safety Assessment Report provided the following discussion concerning the Steam Drum and Reactor Level Instruments Heat Trace Panel C-52.

CPCo Resolution

Additional ventilation was provided via Specification Change SC-83-028 to reduce indicator drift and improve instrument availability.
