ML20099J015

From kanterella
Chapter 7 of RESAR-SP/90 Westinghouse Advanced PWR Module 9, Instrumentation & Controls & Electric Power, Instrumentation & Controls
ML20099J015
Person / Time
Site: 05000601
Issue date: 11/30/1984
From:
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML19269B210 List:
References
NUDOCS 8503190570


Text


7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

The instrumentation and control (I&C) systems presented in this chapter provide protection against improper or unsafe reactor operation during steady-state and transient power operations. They will initiate selected protective functions to mitigate the consequences of design basis accidents.

Emphasis is placed on those I&C systems which assure that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public. This chapter relates the functional performance requirements, design bases, system descriptions, and safety evaluations for those systems. The safety evaluations show that the systems can be designed and built to conform to the applicable criteria, codes, and standards concerned with the safe generation of nuclear power.

Definitions

Terminology used in this chapter reflects an interdisciplinary approach to safety systems similar to that proposed in Institute of Electrical and Electronics Engineers, Inc. (IEEE) Standard 603-1980 "Criteria for Safety Systems for Nuclear Power Generating Stations."

1. Safety System: The aggregate of electrical and mechanical equipment necessary to mitigate the consequences of design basis accidents. The safety system for the Westinghouse nuclear steam supply system (NSSS) is composed of the integrated protection system, the protective action system, safety related display instrumentation, and essential auxiliary supporting systems. The scope of the integrated protection system is shown in Figure 7.1-1.

2. Integrated Protection System: The aggregate of electrical and mechanical equipment which senses generating station conditions and generates the signals to actuate reactor trip and engineered safety features. (See Figure 7.1-2).

WAPWR-I&C/EP 7.1-1 NOVEMBER, 1984 2083e:1d 8503190570 850227


3. Protective Action System: The aggregate of electrical and mechanical equipment which accomplish reactor trip or engineered safety features functions on demand from the integrated protection system.
4. Protective Function: Any one of the functions necessary to mitigate the consequences of a design basis accident. Protective functions will be initiated by the integrated protection system and will be accomplished by the protective action system. Examples of protective functions are reactor trip and engineered safety features (ESF) (such as emergency core cooling, steam line isolation, containment isolation, etc.).
5. Actuated Equipment: The assembly of prime movers and driven equipment used to accomplish a protective function (e.g., motors, shutdown rods, pumps, valves, etc.).
6. Actuation Device: A component that directly controls the motive power for actuated equipment (e.g., circuit breakers, relays, pilot valves, etc.).
7. Channel Set: One of the several separate and redundant segments of the integrated protection system. The channel set will include its associated sensors, field wiring, cabinets, and electronics used to generate one of the redundant actuation signals for a protective function. Channel sets are denoted by Roman numerals I - IV on the figures in this chapter. (See Figures 7.1-1 and 7.1-2).
8. Channel: One of the several separate and redundant measurements of a single variable used by the IPS in generating the signal to initiate a protective function. A channel loses its identity where it is combined with other inputs in the channel set.

9. Actuation Train: One of the several separate and redundant segments of the protective action system. The actuation train will include its associated actuation devices and actuated equipment necessary to accomplish one of the redundant portions of a protective function. This model will employ 4 reactor trip actuation trains and 2 safeguards actuation trains. Reactor trip actuation trains are denoted by Roman numerals I - IV as dictated by the IPS channel set which originates the command. Fluid systems portions of the safeguards trains use the Train-A, Train-B notation. Train-A equipment is actuated from Train-A logic cabinets, and Train-B equipment is actuated from Train-B logic cabinets. (See Figure 7.1-2).

10. Degree of Redundancy: The number of duplicate channels monitoring a single variable, or the number of duplicate channel sets which can initiate a given protective function, or the number of duplicate actuation trains which can accomplish a given protective function. Redundancy will be employed to maintain protection capability when the safety system is degraded by a single random failure.

7.1.1 Identification of Safety Systems

A summary of the protective functions is given in Subsection 7.1.1.1 while detailed descriptions of the functions are given in Section 7.2 for reactor trip and 7.3 for engineered safety features actuation. Section 7.1 is oriented to the description and analysis of the safety system I&C architecture and hardware. The safety system will be comprised of the following subsystems:

1. The Integrated Protection System (IPS) which will generate the initiation signals for protective functions; i.e., reactor trip and engineered safety features. Components of the IPS are listed in Subsection 7.1.1.2, and the architecture of the IPS is discussed in Subsection 7.1.1.3.

2. The Protective Action System (PAS) which will accomplish reactor trip and engineered safety features functions on demand from the integrated protection system. Components of the PAS are listed in Subsection 7.1.1.4.

3. Safety-related Display Instrumentation which will be needed by the operator is listed in Section 7.5.


4. Essential Auxiliary Supporting Systems which, although they do not perform a safety function directly, will be necessary to operation of the integrated protection system and protective action system. Examples of auxiliary supporting systems are the I&C power supplies and safeguards power supply system. These systems are identified in Subsection 7.1.1.6.

Chapter 7 discusses the instrumentation portions of the safety system which are required to function to achieve the system responses assumed in the accident analyses, and those needed to shut down the plant safely. Section 7.1 describes the integrated protection system, the protective action system, and those portions of the safety related display instrumentation and auxiliary supporting systems not covered in other sections of this safety analysis report. (Where information is presented in other sections, it is appropriately identified.) Section 7.2 discusses the reactor trip function, and Section 7.3 addresses the engineered safety features. Systems required for safe shutdown are discussed in Section 7.4 in support of other chapters.

Safety related display instrumentation is discussed in Section 7.5 and other instrumentation systems required for safety, such as the I&C power distribution system and critical valve interlocks, are presented in Section 7.6.

Control systems are discussed in Section 7.7.

7.1.1.1 Protective Functions

Protective functions are those actions required to achieve the system responses assumed in the safety analyses, and those needed to shut down the plant safely. As illustrated in Figure 7.1-1, protective functions will be initiated by the Integrated Protection System and will be accomplished by the protective action system. This report has grouped the protective functions into two classes:

1. Reactor Trip
2. Engineered Safety Features (ESF).

Each of these two classes is summarized below and is presented in detail in Sections 7.2 and 7.3 respectively.


7.1.1.1.1 Reactor Trip Function

The safety system will automatically trip the reactor and initiate ESF (if required) whenever predetermined limits are approached. The integrated protection system will maintain surveillance on nuclear and process variables which are related to equipment mechanical limitations, such as pressure, and on variables which directly affect the heat transfer capability of the reactor, such as reactor coolant flow and temperature. When a limit is approached, the Integrated Protection System will initiate the signal to open the reactor trip circuit breakers. This action will remove power to the control rod drive mechanism coils permitting the rods to fall by gravity into the core. This rapid negative reactivity insertion will shut down the reactor.

The various parameters which go into generation of a reactor trip are discussed in Section 7.2. The following is a summary listing of the conditions which could cause an automatic reactor trip:

1. Nuclear Startup Conditions:
a. High source range count rate
b. High intermediate range current
c. High power range nuclear power (low setpoint)
2. Nuclear Overpower Conditions:
a. High power range nuclear power (high setpoint)
b. High positive nuclear flux rate
c. High negative nuclear flux rate
3. Core Heat Removal Conditions:
a. Low Departure from Nucleate Boiling Ratio (DNBR)
b. High fuel linear heat generation rate (kw/ft)
c. Low pressurizer pressure
d. Low reactor coolant pump speed
e. Low reactor coolant flow
4. Primary System Pressure Conditions:
a. High pressurizer pressure
b. High pressurizer water level
5. Heatsink Conditions:
a. Low steam generator water level
b. High steam generator water level
6. Turbine tripped condition on plants without full load rejection capability
7. Whenever safety injection is automatically initiated
8. Seismic acceleration (optional)

In addition to the above automatic initiations, reactor trip could be generated directly by manual action (manual reactor trip or manual safety injection). The logic for this function is shown in Figure 7.2-1 (Sheets 2, 12, and 13).

The detailed discussion and evaluation of the reactor trip function is contained in Section 7.2.

7.1.1.1.2 Engineered Safety Features Actuation Functions

The occurrence of a limiting fault, such as a loss of coolant accident or a secondary system break, requires a reactor trip plus actuation of one or more engineered safety features (ESF) in order to prevent or mitigate damage to the core and reactor coolant system components, and to ensure containment integrity. The integrated protection system will determine whether or not safety limits are being approached for selected plant parameters. If they are, the integrated protection system will combine the signals through logic functions which respond to combinations indicative of accident situations.


Once the required logic combination is generated, the integrated protection system will send the signals to the appropriate ESF components of the protective action system.

The following is a summary listing of the engineered safety features. The various parameters which will go into actuation of the engineered safety features are discussed in Section 7.3.

1. Safety Injection (includes emergency core cooling and start of supporting systems essential to emergency core cooling, such as diesels, etc.)
2. Steam Line Isolation
3. Containment Spray
4. Containment Isolation:
a. Phase-A Isolation
b. Phase-B Isolation
c. Containment Ventilation Isolation
5. Main Feedwater Isolation
a. Tripping of Main Feedwater Pumps
b. Closure of all Feedwater Isolation, Control, and Bypass Valves
6. Emergency Feedwater
a. Pump Start, Steam Generator Letdown Isolation, and Startup Feedwater Termination
b. Isolation to a Faulted Steam Generator
7. Block of Boron Dilution

In addition to automatic actuation, engineered safety features can be initiated manually as listed in Subsection 7.3.2.2.8.

The detailed discussion and evaluation of each engineered safety feature is contained in Section 7.3. The logic for their actuation is depicted in Figure 7.2-1.

7.1.1.2 Integrated Protection System Components

The integrated protection system will be the "sense and command" portion of the safety system. It will monitor key plant parameters and will initiate appropriate protective functions when critical limits are approached.

Protective functions can also be manually initiated.

The integrated protection system (IPS) will consist of four redundant channel sets (denoted as I - IV) as illustrated in Figure 7.1-2. The system will include instrumentation to monitor process and nuclear variables. It will convert analog inputs to a digital format and will perform any required processing and calculations on the measurements. The results will be combined through coincidence matrices to generate the protective functions previously identified whenever fixed or calculated limits are exceeded. The IPS will also contain built-in test features and will provide information read-out on input parameters and system status. The IPS will also furnish the control system with the protection signals which will be used for plant operational control.

The IPS consists of the following major cabinets:

Integrated Protection Cabinets (IPC)
Engineered Safeguards Features Actuation Cabinets (ESFAC)
Main Control Board Multiplexer (MCB MUX)
Logic Cabinets
Reactor Trip Switchgear (RTS)


This subsection provides a description of the equipment which will make up the integrated protection system. The simplified one-line diagram of the IPS is shown in Figure 7.1-2. The basic elements of the integrated protection system which are described in the following subsections are:

1. Sensors of the Integrated Protection System
a. Process sensors (flows, levels, pressures, temperatures)
b. Nuclear instrumentation detectors
c. Nitrogen-16 (N-16) power monitoring detectors
d. Equipment status inputs (RCP speed and turbine trip)
2. Integrated Protection Cabinets (Subsection 7.1.1.3.1)
a. Analog to digital conversion and signal conditioning
b. Calculations and comparisons to setpoints
c. Voting matrices and manual inputs
d. Automatic tester
3. Engineered Safety Features Actuation Cabinets (Subsection 7.1.1.3.2 and 7.1.1.3.3)
a. ESF system level logic
b. System-level manual actions
c. Automatic tester / data acquisition
4. Logic Cabinets
a. Component level logic
b. Automatic tester
c. Functional logic computers

In addition to the above listed elements, the following hardware architecture is discussed as it will apply throughout the integrated protection system.

5. Data Link Structures
a. Isolation Devices
b. Electrical Data Links
c. Multiplexing
6. Microprocessors
7. Built-in Test Capabilities

Refer to Section 7.6 for a description of the I&C power distribution system for the integrated protection system.

7.1.1.2.1 Sensors of the Integrated Protection System

The integrated protection system (IPS) will monitor key variables which are related to equipment mechanical limitations and variables which directly affect the heat transfer capability of the reactor. Some limits, such as DNBR, will be calculated in the integrated protection cabinets from other parameters when direct measurement of the variable is not possible. This subsection provides a description of the sensors which monitor the variables for the IPS. For convenience the discussions are grouped into the following four categories: a) Process sensors; b) Nuclear instrumentation; c) N-16 power monitoring detectors; d) Status inputs from field equipment. The inputs described are those which will be required by the IPS to generate the initiation signals for the protective functions previously identified. The use of each parameter is discussed in the sections which deal with each protective function and is not repeated here; e.g., reactor trip in Section 7.2 and engineered safety features actuation in Section 7.3.

7.1.1.2.1.1 Process Sensors

The process sensors are devices which measure temperature, pressure, fluid flow, and fluid level. Process instrumentation by definition specifically excludes nuclear and radiation measurements. The following variables will be measured by process sensors for the Integrated Protection System:
1. Pressures
a. Pressurizer Pressure
b. Containment Pressure
c. Steam Line Pressure
2. Levels
a. Pressurizer Water Level
b. Steam Generator Water Level (narrow and wide range)
3. Temperatures
a. Reactor Coolant Cold Leg Temperature (narrow range)
4. Flow
a. Reactor Coolant Flow

Pressure transmitters may be force balance and motion balance and could incorporate filled systems. Flows will be measured by using a differential pressure transmitter to measure the differential pressure created across orifices, elbow taps, or venturis. Level measurements will be made using differential pressure transmitters to measure the differential pressure between two vertical taps. Temperatures will be measured using resistance temperature detectors (RTDs).

7.1.1.2.1.2 Nuclear Instrumentation Detectors

Various types of neutron detectors will be used to monitor the leakage neutron flux from a completely shutdown condition to 120 percent of full power. The power range channels will be capable of recording overpower excursions up to 200 percent of full power. The neutron flux will cover a wide range between these extremes. Therefore, monitoring with several ranges of instrumentation will be necessary.

The lowest range (source range) will cover six decades of leakage neutron flux. The lowest observed count rate depends on the strength of the neutron sources in the core and the core multiplication associated with the shutdown reactivity. This will generally be greater than two counts per second. The next range (intermediate range) will cover eight decades. Detectors and instrumentation will be chosen to provide overlap between the higher portion of the source range and the lower portion of the intermediate range. The highest range of instrumentation (power range) will cover approximately two decades of the total instrumentation range. This will be a linear range that will overlap the higher portion of the intermediate range. Detector types for these three ranges will be:

Source Range - proportional counter
Intermediate Range - compensated ionization chamber
Power Range - uncompensated ionization chamber

The power range detectors will be multi-element detectors containing four short separate active volumes spaced uniformly axially. Each section will be surrounded by a controlled neutron environment which will prevent undue influence from neutrons scattered back from surrounding concrete. The neutron detectors will be installed in wells located around the reactor vessel in the primary shield. See Figure 7.1-3.

7.1.1.2.1.3 Nitrogen-16 (N-16) Power Measuring Detectors

The N-16 power monitoring instrumentation will provide an input into calculation of the DNBR and KW/ft reactor trip functions.

The N-16 detectors will monitor the thermal power of the NSSS by detecting the Nitrogen-16 (N-16) content in the coolant system. The N-16 content in the primary coolant is directly proportional to the fission rate in the core and is an isotope of nitrogen generated by neutron activation of oxygen contained in the water. Decay of the N-16 isotope produces high energy gamma rays which will penetrate the wall of the high pressure piping. Therefore the N-16 concentration in the primary coolant can easily be monitored by measuring the gamma radiation outside of the primary coolant piping.

Two N-16 detectors will be mounted externally on the hot leg of each reactor coolant loop. They will be mounted as close as practical to the outside of the primary shield to minimize coolant transit time from the core to the hot leg detectors. The two detectors will be mounted diametrically opposed on the coolant pipe to obtain a more uniform contribution to the total signal from the cross section of fluid in the pipe.

The N-16 gamma detectors will be high sensitivity pressurized gas-filled gamma ionization chambers. They will be shielded from external background radiation by a lead housing to provide a controlled field of view of the pipe section.

7.1.1.2.1.4 Equipment Status Inputs

Some inputs to the integrated protection system will not be measurements of process or nuclear variables, but will be indications of the operational status of certain field-mounted equipment. The IPS will use two such status inputs. These are inputs which will reflect the speed of each reactor coolant pump and when the turbine has been tripped.

RCP speed will be monitored by a speed sensor which produces a digital output representative of the pump speed in revolutions per second. One speed sensor will be mounted on each reactor coolant pump.

The turbine trip is provided by the turbine stop valve position detectors and trip fluid pressure detectors.


7.1.1.2.2 Engineered Safeguards Features Actuation Cabinets

Two ESFAC's are required (assuming a two train design), designated ESFAC A and ESFAC B. Each cabinet is associated with one safeguard train. Major functions of the ESFAC include:

o Each ESFAC receives bistable trip signals via isolated data links from all four IPC's. These bistable trip signals correspond to the four protection system channels monitoring each process variable.

o Perform a two out of four voting operation on the bistable trip signals and the system level ESF actuation logic. This logic includes the manual system level actuation inputs. The results of this logic are system level ESF actuation signals such as safety injection, containment isolation, and feedwater isolation.

o Provide sequencer for safety injection and blackout.

o Provide the system level ESF actuation outputs to the logic cabinets via redundant computer data links.

7.1.1.2.3 Logic Cabinets

There are two sets of logic cabinets in a two train system (one set per train). The number of cabinets in each set is determined by the number and location of the various components (valves and pumps) under the control of the integrated protection system. Figure 7.1-2 shows a typical arrangement of logic cabinets. The logic cabinets provide the following functions:

o Receives system level ESF actuation signals from the ESFAC and combines these signals with interposing (interlocking) logic specific to each component.

o Receives component level command signals via redundant data links from the advanced control room, and transmits component status signals to the advanced control room via these same data links.

o Provides the power interface devices to switch control power to the final actuation devices for pumps, valves and heaters controlled by the IPS.

7.1.1.2.4 Main Control Board Multiplexers

Two redundant main control board multiplexers are required per safeguards actuation train. These multiplexers provide for the redundant transmission of component level manual actuation signals to the logic cabinets and for reception of component status / position information from the logic cabinets which is used for the display of component status. The data links from the MCB multiplexers to the logic cabinets, shown on Figures 7.1-1 (Sheet 3) and 7.1-2, have the characteristics of a "data highway" in that information may be transmitted and received from multiple drops on the data link.

Two plant safety monitoring system (PSMS) demultiplexers are also required to receive information for the PSMS displays. One is associated with IPC channels I and III. The other is associated with IPC Channels II and IV.

7.1.1.3 IPS Architecture

7.1.1.3.1 Integrated Protection Cabinets (IPC)

Each channel set will be contained in its own integrated protection cabinet, physically separated and electrically isolated from the IPC's of the remaining 3 channel sets.

Major functions of the IPC include the following:

o Input signal conditioning and digitizing of analog process inputs. Each IPC is associated with one protection system set and each receives process inputs from instrumentation associated with that set.

o Performing reactor trip logic and generating a reactor trip output to the reactor trip breakers. Each IPC provides two reactor trip outputs to the two reactor trip breakers in the same set.


o Providing bistable trip outputs from process channels for the engineered safeguards actuation logic in the engineered safeguards features actuation cabinets. Each IPC provides bistable trip outputs to all ESFAC's. (Two ESFAC's exist assuming a two train system).

These outputs are transmitted via isolated data links as shown on Figure 7.1-2.

Each integrated protection cabinet consists of a four bay structure containing the following micro-computer subsystems (refer to Figure 7.1-4):

Engineered Safeguards Features - ESF 1 and ESF 2
Communications / Automatic Tester - C/AT
Trip Bus
Function Group 1 - RT Group 1
Function Group 2 - RT Group 2
Trip Enable - TE
Global Trip - GT

Figure 7.1-5 shows the IPC functional block diagram.


7.1.1.3.1.1 ESF Subsystem

The ESF subsystem consists of a micro-computer card frame containing micro-computer cards to perform the functions indicated in the block diagram given in Figure 7.1-6 (There will be two independent ESF subsystems.). This system receives analog (process variable) and digital (manual switch) inputs and performs the ESF logic necessary to the reactor trip system. It also provides the bistable trip signals to the ESFAC's. The ESF subsystem is comprised of the following board types:

o Data Link (receive / transmit) Controller - Provides for all communications with the DA/AT subsystem.


o Central Processing Unit Board (CPU) - Main micro-computer for subsystem; performs all calculations and logic for subsystem functions.

o Non-Volatile Memory (NVRAM) - Provides for storage of constants and setpoints used by subsystem. These constants may be modified by the operator, but are retained upon loss of power.

o Data Link (transmit) - Data link interface for providing bistable trip signals to the ESFAC's.

o Analog I/O - Provides analog input signal conditioning for process inputs to the subsystem. Provides any analog outputs required from the ESF subsystem.

o Digital I/O - Parallel I/O board for processing digital inputs (such as changing from "manual system level actuation" to "operational bypasses") and digital outputs from the subsystem.

7.1.1.3.1.2 Global Trip Subsystem

This subsystem consists of a micro-computer card frame containing micro-computer cards to perform the functions indicated in the block diagram given in Figure 7.1-7. This system collects the partial block trip and bypass status of the individual trip functions in its channel set and transmits this data to the redundant channel sets. The global trip subsystem also receives the partial trip and bypass status from each of the other three channel sets and uses this information (with its own channel set trips and bypasses) to compute the global trip actuation. For the description of the global trip actuation refer to Reference 1 to Subsection 7.1.3. The global trip subsystem is comprised of the following board types:

o Data Link (transmit) - Sends status information from the global trip subsystem to the data acquisition / auto tester subsystem.


o Central Processing Unit board (CPU) - Main micro-computer for subsystem. Controls all other boards in subsystem and performs all calculations and logic (e.g., 2/4 trip logic) for subsystem functions.

o Digital I/O - Provides global trip signals to the Trip Bus and receives bistable trip signals from other subsystems in the same IPC.

o Data Link (receive / transmit) - Three of these data links are required to send bistable trip signals from one IPC to the three other IPC's. These Data Links also receive bistable trip signals from the three other IPC's.

7.1.1.3.1.3 Trip Enable Subsystem

This subsystem consists of a micro-computer card frame containing micro-computer cards to perform the functions indicated in the block diagram given in Figure 7.1-8. This system receives data link messages from the three other IPC's containing partial trip and bypass status of individual trip functions.

From this data and bypass status information in its own IPC, the trip enable subsystem computes the trip enable actuations for each individual trip function. For the description of the trip enable actuation refer to Reference 1 to Subsection 7.1.3. The trip enable actuations are sent to the trip bus via parallel I/O lines. The trip enable subsystem is comprised of the following board types.

o Data Link (transmit) - Sends status information from the trip enable subsystem to the data acquisition / auto tester subsystem.

o Central Processing Unit (CPU) - Main micro-computer for subsystem. Controls all other boards in subsystem and performs all calculations and logic for subsystem functions.

o Digital I/O - Provides trip enable signals to the trip bus and receives bistable trip signals from other subsystems in the same IPC.


o Data Link (receive) - Three of these data links are required to receive bistable trip signals and bypass status from the three other IPC's.

7.1.1.3.1.4 Departure from Nucleate Boiling Ratio Subsystem (DNB) (This and FG1 are one subsystem.)

This subsystem consists of a micro-computer card frame containing micro-computer cards to perform the functions indicated in the block diagram given in Figure 7.1-9. This system receives analog process inputs and inputs from the data acquisition subsystem required to perform the DNB reactor trip logic and sends the DNB reactor trip signal to the trip bus. The DNB subsystem is comprised of the following board types.

o Data Link (receive / transmit) - Sends status information from the DNB subsystem to the data acquisition / auto tester subsystem.

o Central Processing Unit (CPU) - Main micro-computer for subsystem. Controls all other boards in the subsystem and performs all calculations and logic for subsystem functions.

o Non-Volatile Memory (NVRAM) - Provides for storage of constants and setpoints used by subsystem. These constants may be modified by the operator, but are retained upon loss of power.

o Analog I/O - Provides analog input signal conditioning for process inputs to the subsystem.

o Digital I/O - Parallel I/O board for processing digital inputs and outputs (such as DNB reactor trip output to trip bus) from the subsystem.


7.1.1.3.1.5 Function Group 1 and 2 Subsystems (FG 1/FG 2)

These subsystems each consist of a micro-computer card frame containing the micro-computer cards to perform the functions indicated in the block diagram given in Figure 7.1-9.

The function group subsystems provide for the processing of analog inputs to the system that provide direct reactor trip signals to the trip bus. This system also provides status information from these channels to the data acquisition / auto tester subsystem. Each function group subsystem is comprised of the following board types:

o Data Link (receive / transmit) - Sends status information from the function group subsystem to the data acquisition / auto test subsystem.

o Loop Processor - Single board controller that provides analog input signal conditioning, bistable trip comparator function and parallel I/O output of reactor trip signal to trip bus. Independent loop processor boards are provided for each reactor trip function.

7.1.1.3.1.6 Nuclear Instrumentation System Subsystem (NIS) (This and FG2 are one subsystem.)

For installation of the detectors of the NIS, refer to Figure 7.1-3.

The NIS subsystem consists of a micro-computer card frame containing micro-computer cards to perform the required functions. This subsystem provides for the processing of analog process inputs and digital inputs required to generate the neutron flux reactor trip signals. These trip signals are then sent to the trip bus. The NIS subsystem is comprised of the following board types:

o Data Link (receive / transmit) - Sends status information from the NIS subsystem to the data acquisition / auto tester subsystem.


o Central Processing Unit (CPU) - Main micro-computer for subsystem. Controls all other boards in the subsystem and performs all calculations and logic for subsystem functions.

o Non-Volatile Memory (NVRAM) - Provides for storage of constants and setpoints used by subsystem. These constants may be modified by the operator, but are retained upon loss of power.

o Analog I/O - Provides analog input signal conditioning for process inputs to the subsystem.

o Digital I/O - Parallel I/O board for processing digital inputs and outputs (such as neutron flux reactor trip output to Trip Bus) from the subsystem.

7.1.1.3.1.7 Auto Tester and Data Acquisition Subsystem (AT/DA) Architecture

The AT/DA subsystem consists of a micro-computer card frame containing micro-computer cards to perform the functions indicated in the block diagram given in Figure 7.1-11. This subsystem provides a central data collection point. The AT/DA collects and transmits all data that is required by the plant safety monitoring system (PSMS), the integrated control cabinets (ICC), and the ACR computer. Automatic testing of the IPC is performed by this subsystem via data links to all other subsystems in the IPC. The AT/DA subsystem is comprised of the following board types.

o Data Base - Main CPU micro-computer for subsystem during normal operation. This board controls all other data link boards in the subsystem to manage the information collection from subsystems and to transmit the required data to the PSMS, ICC, and ACR computer. During normal operation, the data acquisition subsystem only receives data from the other subsystems in the IPC. No data is transmitted to these other subsystems.


o Test CPU - Main CPU board that controls all other data link boards in the subsystem during testing. This board provides all test features for the IPC. It controls analog and digital I/O to inject test signals into the various subsystems and monitors their response via the data link boards.

o Data Link boards for the following communication links:

1. External cabinet communications to PSMS, ICC and ACR Computer.
2. Inter subsystem communications within the IPC.
3. To simulate data links from the other IPC's during testing of the IPC.

o Digital I/O - Parallel I/O board for processing digital I/O to test panel (operator interface) and for any digital test point monitoring or signal injection.

o Analog I/O - Provides analog input signal conditioning for process inputs to the subsystem (that are being sent to the ICC or PSMS).

The methodology used for test signal injection and analog signal distribution is as follows. The analog input from the transmitter for a typical process input is routed to separate A/D converters for each subsystem that requires the signal. Test injection points are provided upstream of the A/D converters to allow the auto tester to inject simulated analog test inputs to the subsystem being tested without disrupting operation of the remaining subsystems. This method of analog signal distribution assures the functional independence of the various subsystems in the IPC.


7.1.1.3.2 Engineered Safeguards Features Actuation Cabinets

Each ESFAC consists of a two bay cabinet containing the following micro-computer subsystems (refer to Figure 7.1-12):

Engineered Safeguards Features System 1 CPU - ESF 1
Engineered Safeguards Features System 2 CPU - ESF 2
Automatic Tester

Figure 7.1-13 shows the ESFAC architecture.

The two ESF systems (ESF 1 and ESF 2) are redundant computer systems. Each of these receives the four data links from the IPC's via the data link cards shown. Two out of four voting and system level ESF logic is performed by the 2/4 logic CPU boards shown. Hard wired manual system level actuation switch inputs are incorporated into the ESF logic and the resulting system level commands are transmitted to the logic cabinets by means of the redundant data highway controllers. The system is arranged so that the logic cabinets will respond to system level commands from either ESF subsystem in a one out of two fashion. Continuous fault detection ensures that spurious commands are not generated.

The third micro-computer system in the ESFAC is the automatic tester system. This subsystem, under the control of the I&C technician, injects simulated data link signals (via its data link board) into one of the two ESF subsystems. It monitors the output data highways via the data highway control board to verify proper functioning of the ESF subsystem under test. The test CPU board, in addition to controlling this testing, disconnects the data highway signal from the ESF system under test to prevent spurious actuation.

The test CPU also controls test computers in the logic cabinets, as slaves, to remotely test those cabinets. Via a separate data link board, the test CPU transmits the status of the ESFAC to the plant computer and post accident monitoring system.


7.1.1.3.3 Logic Cabinets

Each logic cabinet consists of a single bay cabinet containing a single micro-computer card frame and numerous I/O cards as shown in Figure 7.1-14.

The internal architecture of a typical logic cabinet is shown in Figure 7.1-15. Each logic cabinet will be capable of actuating approximately 30 (20 MOV's or 40 AOV's) components, thus seven logic cabinets per train would be required to accommodate the estimated 200 actuations. The actual number of logic cabinets would be determined by the final design of the fluid systems.

The modularity of this architecture allows the I&C to be tailored to the specific plant design. The types of components actuated (i.e., switchgear, MCC, AOV, etc.) could be mixed within any logic cabinet; however, the maximum layout benefit will be achieved if the actuations of a given type are grouped into individual cabinets.

7.1.1.3.4 Main Control Board Multiplexers

The MCB multiplexers consist of multiple micro-computer card frames. Each card frame in the system has a redundant counterpart to provide interface to the two redundant data highways in each actuation train. Each card frame should be located in the MCB panel housing the controls it is servicing. This will reduce the amount of hard wiring that must leave each MCB panel since all control pushbutton and status light wiring will be internal wiring to the multiplexer card frame Digital I/O boards. The actual number of card frames will be determined by the number of inputs and outputs and by location in the various MCB panels.

Each MCB multiplexer card frame contains the following board types:

o Central Processing Unit - Main micro-computer board controls all other boards in the card frame.


o Data Highway Control - Provides interface to the data highway for communications with the logic cabinets.

o Digital I/O Cards - Provide for control pushbutton inputs to the system and provide status light outputs to the MCB. The number of cards of this type will be determined by the number of components being serviced by the card frame.

The PSMS multiplexer consists of two single bay cabinets. One receives information from IPC channels I and III and one receives information from IPC channels II and IV. Each cabinet contains a micro-computer card frame. This card frame contains the following board types.

o Central Processing Unit - Main micro-computer board controls all other boards in the card frame.

o Data Link (receive) - Three data links are required to receive data from two IPC's and one additional remote data collection point. This remote data collection is for information not used in the IPC, but required in the PSMS (Radiation monitoring for example).

o Digital I/O - These cards provide digital inputs to the system from any control push buttons required and provide digital outputs to drive status lights.

o Analog Output Cards - To drive analog displays in the PSMS.

o CRT Display Generator - To drive any CRT displays used for PSMS.

7.1.1.3.5 Inter Cabinet Communications (Refer to Figure 7.1-10)

A. IPC to IPC

Isolated fiber optic data links (refer to Figure 7.1-18) are used for these communications links. The global trip subsystem in each IPC controls this communication link. These are standard one way (simplex) communications used to transmit bistable trip status between IPC's for use in two out of four reactor trip logic.

B. IPC to ESFAC

Two isolated fiber optic data links are required in each IPC. One is associated with the train A ESFAC and one with the train B ESFAC. These data links are part of the ESF subsystem as they transmit bistable trip outputs to the ESFAC for use in safeguards actuation logic. These data links are one way links that only transmit data to the ESFAC's.

C. ESFAC to Logic Cabinets

Two redundant data highways are used for communications from the ESFAC to logic cabinets. Figure 7.1-1 shows this data highway for ESFAC A. This data highway provides for the transmission, by fiber optics, of ESF system level actuation signals to the logic cabinets and for the transmission of component status information back to the ESFAC (as required). The ESF actuation signals to the logic cabinets are transmitted redundantly over the two data highways. The logic cabinets are arranged to respond to an actuation signal from either data highway (one out of two). Extensive testing and error checking on this data highway prevent erroneous ESF actuation.

D. Logic Cabinets to MCB Multiplexer

Two redundant data highways are used for communication of component level switch inputs from the MCB to the logic cabinets. Component status information is transmitted, by fiber optics, from the logic cabinets to the MCB over both of the redundant data highways. These data highways are shown on Figure 7.1-2. Component status information on the data highways is also available to other logic cabinets for interlocking functions. The logic cabinets are arranged to respond to a component level switch actuation signal from either data highway. Extensive testing and error checking on this data highway prevents erroneous component level actuations.

E. IPC to PSMS, ICC and ACR Computer

A single data link is provided from each IPC to each of these systems. These data links are fiber optic isolated, transmit only, from the IPC to each of the systems listed. These data links provide required information to the PSMS, ICC, and ACR computer such as bistable trips, permissive / trip status, interlocks to ICS, or any other required information.

F. ESFAC to ACR Computer and PSMS

A single data link is provided from each ESFAC to each of these systems. These data links are fiber optic isolated, transmit only, from the ESFAC to each system. They provide required information to the ACR computer and PSMS such as ESF actuation status, component status, or general cabinet operational / test status.

7.1.1.3.6 General Hardware Selection Guidelines

Standard board level products should be used to a great extent; however, some new boards will need to be developed. The output power interface boards in the logic cabinets fall into this new board category. These boards must have the ability to perform two out of three logic at the power interface (output switching) level. This is a new feature not in the old IPS design. This feature does dramatically improve the system's fault tolerance and is felt to be desirable.


7.1.1.3.7 Off Normal Operation (Failure Tolerance, Maintenance Test and Bypass)

The WAPWR IPS is designed with a high degree of reliability and fault tolerance. The following design guidelines demonstrate this capability.

o 2/4 coincidence logic on all reactor trip actuations assures that any failure in a single protection channel cannot cause a spurious reactor trip or prevent a true reactor trip from occurring, if needed. This is true for all failures from the failure of a single instrument or component to the failure (loss of power) of an entire IPC.

o Reactor trip actuation logic reverts to 2/3 coincidence logic if one channel is bypassed or in test. This assures that a single failure while in test will not cause a spurious reactor trip or prevent a true reactor trip from occurring, if needed. The logic permitting placing of channels in a bypass condition is denoted by "2/4-BYP" on the logic diagrams. The following table summarizes the automatic voting logic associated with the number of inputs bypassed.

Number of            Number of Remaining Inputs
Inputs Bypassed      to Result in a Trip
      0              two-out-of-four (2/4)
      1              two-out-of-three (2/3)
      2              one-out-of-two (1/2) (alarmed)
      3              automatic trip
      4              automatic trip

The bypass logic will be designed to allow the system to meet the single failure criterion while permitting operation for an indefinite period of time with one or two channels bypassed for testing or maintenance. The example of the reactor trip voting logic is shown in Figures 7.1-16 and 7.1-17.


The logic sections of the integrated protection cabinets will also process the manual system-level inputs involved in the reactor trip function. These inputs are listed on Table 7.2-3 and are shown on the functional diagrams, Figure 7.2-1, Sheets 2, 12, and 13. The voting logic for all parameters is shown on the functional diagrams.

The voting logic for reactor trip functions will be contained within each integrated protection cabinet (IPC). The reactor trip breakers operate on a deenergize to trip principle resulting in acceptable consequences of failure modes that deenergize.

o ESF actuation logic in ESFAC's is 2/4 coincidence logic for bistable trip inputs from the IPC's. This assures that a single protection channel failure cannot cause a spurious safeguards actuation or prevent a true safeguards actuation from occurring, if needed.

o ESF actuation logic is performed redundantly in each ESFAC (refer to Figure 7.1-13). Separate micro-computer card frames house this redundant logic so that any component failure related to one card frame (i.e., bus fault, board failure) cannot affect the other redundant card frame. The system level ESF actuation outputs are transmitted to the logic cabinets over two redundant data highways. This assures that a single data highway failure will not prevent ESF actuation. Extensive error checking is continuously performed on these data highways to prevent any failures from causing spurious actuation.

o Component level logic, in the logic cabinets, is threefold redundant (see Figure 7.1-15). The three redundant logic computers are contained in a single card frame with the automatic tester and two data highway controller boards. This is to allow each logic computer access to system level ESF actuation signals from both data highways. The logic computers are programmed to respond to ESF actuation signals from either data highway (one out of two logic). This assures that the failure of one data highway will not prevent ESF component level actuations. The extensive error checking on the data highways will prevent data highway failures from generating spurious ESF component level actuations. The component actuation outputs from the logic computers are combined with the power interface cards in a two out of three voting scheme. This prevents a single failure in the power interface section from causing spurious actuation or preventing a required actuation. Block circuitry (to prevent final component actuation) is not required during testing of the power interface output devices as long as the power interface devices are tested one at a time.
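The ESF actuation path described in the last two items, from the redundant data highways through the three logic computers to the two out of three power interface, as an added illustration (not Westinghouse code). The document only says the highways carry "extensive error checking"; the CRC-32 frame check, the frame layout and the helper names used here are this example's assumptions.

```python
"""ESF actuation path fault tolerance: two redundant data highways, one-out-of-two
highway logic in each of three redundant logic computers, two-out-of-three vote
at the power interface. Constructed illustration; a CRC-32 over the frame
contents stands in for the document's unspecified "extensive error checking".
"""
import zlib
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class HighwayFrame:
    """System-level ESF actuation frame as received on one data highway (assumed layout)."""
    highway: str      # e.g. "A-1" / "A-2": the two redundant highways of train A
    sequence: int     # frame counter, included in the check so stale copies differ
    actuate: bool     # system-level actuation demand from the ESFAC
    check: int        # integrity value computed by the sender


def _payload(highway: str, sequence: int, actuate: bool) -> bytes:
    return f"{highway}|{sequence}|{int(actuate)}".encode()


def send_frame(highway: str, sequence: int, actuate: bool) -> HighwayFrame:
    """ESFAC side: build a frame carrying its integrity check."""
    return HighwayFrame(highway, sequence, actuate,
                        zlib.crc32(_payload(highway, sequence, actuate)))


def frame_is_valid(frame: HighwayFrame) -> bool:
    """Logic cabinet side: reject any frame whose contents do not match its check."""
    return zlib.crc32(_payload(frame.highway, frame.sequence, frame.actuate)) == frame.check


def logic_computer(frames: Sequence[Optional[HighwayFrame]],
                   stuck_output: Optional[bool] = None) -> bool:
    """One of the three redundant logic computers in a logic cabinet.

    Responds to a valid actuation demand on either highway (one out of two);
    a missing (None) or corrupted frame is simply not a demand.
    `stuck_output` models a failed computer whose output is frozen.
    """
    if stuck_output is not None:
        return stuck_output
    return any(f is not None and frame_is_valid(f) and f.actuate for f in frames)


def power_interface(outputs: Sequence[bool]) -> bool:
    """Two-out-of-three vote over the three logic computer outputs."""
    if len(outputs) != 3:
        raise ValueError("the power interface votes on exactly three logic computers")
    return sum(outputs) >= 2


def component_actuation(frames: Sequence[Optional[HighwayFrame]],
                        stuck: Sequence[Optional[bool]] = (None, None, None)) -> bool:
    """End to end: highway frames -> three logic computers -> 2oo3 power interface."""
    return power_interface([logic_computer(frames, s) for s in stuck])


def corrupt(frame: HighwayFrame) -> HighwayFrame:
    """Model a highway fault that flips the actuation bit but leaves the check value."""
    return HighwayFrame(frame.highway, frame.sequence, not frame.actuate, frame.check)


if __name__ == "__main__":
    demand = [send_frame("A-1", 7, True), send_frame("A-2", 7, True)]
    quiet = [send_frame("A-1", 8, False), send_frame("A-2", 8, False)]
    print(component_actuation(demand))                          # True: normal actuation
    print(component_actuation([None, demand[1]]))               # True: one highway lost
    print(component_actuation([corrupt(quiet[0]), quiet[1]]))   # False: corrupted demand rejected
    print(component_actuation(quiet, stuck=(True, None, None)))    # False: one computer stuck on
    print(component_actuation(demand, stuck=(False, None, None)))  # True: one computer stuck off
```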

During maintenance, these same features that provide for fault tolerance allow the system to continue to operate with one channel or certain boards out of service for maintenance. Operation in this mode will, in some instances, increase the chances of a single failure causing a spurious actuation. Any IPC or transmitter associated with one channel set may be taken out of service for maintenance without plant shutdown. The data highways from the ESFAC's to the logic cabinets and from the logic cabinets to the MCB multiplexers are redundant and one may be out of service, for maintenance, without directly causing plant shutdown. The logic computers in the logic cabinets are threefold redundant with two out of three coincidence logic on their outputs performed on the Power Interface cards. This permits one logic computer to be out of service, for maintenance, while the overall system remains operational, operating in a one out of two mode for actuation.

Diverse protective functions in an IPC are implemented in separate subsystems (separate card frames). When the same process input is required by more than one subsystem, the analog signal is split and run separately to A/D inputs of all required subsystems. This design provides functional computer independence (e.g., DNB, ESF, NIS independence) to protect the functional diversity of the entire system.


7.1.1.3.8 Isolation Devices

Data can be multiplexed. Isolation devices will be used to preserve electrical independence of channel sets, and to ensure that no interaction will occur between non-safety systems and the safety system. The following topics are described in this subsection.

1. Isolation devices
2. Multiplexed data links

Isolation devices will be incorporated into selected IPC data links to preserve channel set independence. Isolation devices will serve to prevent credible faults (such as open circuits, short circuits, or applied credible voltages) in one circuit from being propagated to another circuit where independence of the two circuits will be required.

Optical coupling (see Figure 7.1-18) will offer improved physical and electrical isolation and separation since it will eliminate electrical conductive paths from receiving terminal to transmitting terminal.

Multiplexing

Multiplexing of digital signals offers an approach to reducing the amount of field wiring within and among elements of the integrated protection system, and from the IPS to non-safety areas.

7.1.1.3.9 Microprocessors

Distributed digital processing will be used in the integrated protection system.

Although the number of each type of element may vary, each microprocessor-based subsystem is typically composed of the following basic elements.

1. A Micro-processor-based Bus Controller / Processor
2. Software Programs
3. Memory
4. Interface Elements
5. Data Busses

The bus controller (microprocessor) would direct the data flow on the bus within the subsystem and would execute the program stored in memory. It may perform calculations, comparisons of values against setpoints, or coincidence logic operations. It could read data from memories or input interface devices, and could write data into memories or output devices.

The various program instructions which the microprocessor would execute are collectively referred to as software. The philosophy to be used in building the functional software packages for each microprocessor subsystem is detailed in Appendix 7B. The design approach will maintain strict control over nesting and interrupt levels allowable in each software module. Software modules will have single entry and exit points. Once placed into a read-only memory, these programs will not be alterable.

Memory would be used for data and instruction storage and could be of three types:

1. Read-only Memory (ROM)
2. Volatile Random Access Memory (RAM)
3. Non-volatile Random Access Memory

Read-only memory offers a secure method of storing the system program which would be executed by the microprocessor. It will retain information on loss of power and cannot be altered by electrical noise or by microprocessor malfunctions. The program instructions stored in this type of memory could only be read. The microprocessor will not be able to write data into this memory.

Volatile random access memory offers a read-and-write memory for temporary storage or as a "scratch pad" for calculations. This type of memory may be termed "shared" memory if another subsystem could also read and write into it. In this way, the results of one functional subsystem could be used by another subsystem.

Non-volatile random access memory would be used to hold constants such as fixed setpoints. The microprocessor could only read from the memory, but the constants could be updated locally by using appropriate threshold devices (such as thumbwheel switches) or a portable terminal. It is considered non-volatile since it will retain its information on loss of cabinet power.

This permits a secure storage, yet one which is flexible enough to permit field changes for periodic updating.

Interface elements would connect the functional subsystems to specific input or output devices, exclusive of the data transmitters or receivers used in multiplexing. Input interfaces might be analog-to-digital converters, contact interfaces or specialty interfaces. Output interfaces might be undervoltage driver cards for the reactor trip breakers, outputs to integrated logic cabinets, etc.

The data busses would be the lines over which data is moved at the command of the micro-processor bus controller and would connect the various elements of the subsystem together.

Functions performed by the subsystems would be asynchronous in that each would run on its own clock, independent of any other in the system. Communication between subsystems would be through the shared memories. Thus one subsystem could write a result of its calculation into a shared memory to be used at will by a second subsystem. Functions would be performed one at a time by executing, in sequence, program instructions stored in the read-only memory and thereby sampling inputs, performing calculations, manipulating data, and generating outputs.

7.1.1.3.10 Built-in Test Capabilities

The safety system instrumentation will be designed to facilitate periodic testing from the sensor inputs of the integrated protection system through to the actuated equipment of the protective action system. Complete testing will be accomplished through a series of overlapping sequential tests with the majority of the tests capable of being performed with the plant at full power. Where testing final equipment at power would upset plant operation or destroy equipment, provisions will be made to test the equipment at reduced power or when the reactor is shut down.

With the exception of operating the final actuators, the test philosophy would be to manually initiate the test sequence, with the test itself proceeding with a minimum of operator intervention. Each integrated protection cabinet will be furnished with an automatic tester (AT/DA) whose architecture is discussed in Subsection 7.1.1.3.1.7. This will include injection of reference analog signals into cabinet circuitry, verification of the accuracy of setpoints and other constants, and verification that proper signals appear at other locations in the system. Similar testers will be furnished for the ESFAC and logic cabinets except the test reference signals are all digital.

The test will begin with checking of the analog-to-digital converters over their range of operation, using injected reference signals. Verification of the signal processing algorithms will be made by exercising the test signal sources and observing the results up to and including the attainment of a channel partial trip or actuation signal at the power interface. The tester will automatically place in bypass the voting logic associated with the channel function under test.

The overlapping test sequence will continue by inputting digital test signals at the output side of the threshold functions in combinations necessary to verify the voting logic. Some of the input combinations to the coincidence logic will cause outputs such as reactor trips, safety injection initiation, etc. The reactor trip circuit breaker will be a 2/4 arrangement such that one channel set tripping will not cause a reactor trip. (See Figure 7.1-17)

Therefore, the trip signal generated as the result of the voting logic test could actually open its associated pair of trip breakers. However, to reduce wear on the breakers through excessive tripping and to avoid a single failure causing a plant trip while testing is in progress, the reactor trip channel under test will be bypassed. (The trip breakers will be, by manual means, allowed to be tripped once during the test.) The bypass will cause the trip logic to revert to two-out-of-three in the remaining reactor trip trains.

The automatic tester will not test the ESF actuators. This portion of the test will be accomplished by using the component-level actuation switches at the control board. These signals will enter the integrated logic cabinet at the interposing logic; and, therefore, will overlap the automatic testing of ESF. For those final devices that can be operated at power, without upsetting the plant or damaging equipment, the test will be performed by pressing the manual actuate control which will cause the device to operate. Position switches on the device itself will send a signal back to the integrated logic cabinet where it will be transmitted to the control board for display purposes. The display will verify that the manual command had been successfully completed, thus verifying operability of the final device. For those devices which can not be tested at power without damage or upsetting the plant, the manual test will be conducted from test switches at the ESFAC. These switches will block device actuation but will verify the continuity of the wiring up to the actuation device. Operability of the final equipment would be demonstrated at reduced power or at shutdown, depending on the equipment.

Operation procedures will prohibit testing two channel sets at the same time. There will be no built-in interlocks to prevent simultaneous testing of two integrated protection cabinets. However, the use of bypasses by the tester will ensure that the system could not be placed in an unsafe condition should the procedure prohibiting simultaneous testing be violated. For example, testing two cabinets would amount to two bypasses, which would cause the voting logic to revert to a 1/2 coincidence for the remaining two channels. Attempting to test three or four cabinets at the same time would cause a plant trip. Therefore, the operational procedure restricting simultaneous testing of two or more cabinets will be made for operability reasons to avoid unnecessary trips.

The built-in on-line testing capabilities of the integrated protection system provisions include complete on-line overlapping testing of the IPS from the sensor inputs, through to the protective action system. In the case of the RCP speed sensor, the on-line test (i.e., the test made during reactor operation) of the input circuitry will be made through the use of the IPS built-in tester, starting from a point as close as practical to the sensor itself. For the front end of the circuit which includes the sensor itself, which is not tested by use of the IPS built-in on-line tester, testing during reactor operation will be accomplished by cross-checking between channels that bear a known relationship to each other and that have read-outs available.

Thus the capability for sensor checks and for test and calibration is in accordance with Sections 4.9 and 4.10 of IEEE-279-1971.

Periodic testing will be accomplished at a frequency identified in the Technical Specifications, Chapter 16.

In addition to periodic tests, the system will also be designed to perform continuous error detection and data link testing as part of the normal digital processing. Error detection will not involve error correction. Where practical, the on-line error detecting features implemented in the IPS will be designed to automatically place the channel in which the error was detected into a trip or bypass mode (either by direct bypass or reconfiguration). In the case of the automatic trip mode, the operator shall have the option to place that channel in a bypass mode in a short period of time. If the automatic action is not practical, the on-line error detecting feature will be designed to cause alarm annunciation to the operator. The resolution for the specific action for each error detection feature would be determined during the R&D verification program.

Once designed, verified, and placed into read-only memory, the protection system software will be error-free. Therefore, on-line testing of the software is not meaningful. Errors detected during periodic testing or by on-line diagnostics will have been caused by hardware malfunctions. This

position for protection system software is based on two reasons. First, the software verification program will produce error-free software. The tight controls over the software design, implementation, and verification which can ensure that the software will be error-free are detailed in Appendix 7B.

Second, the programs will be stored in read-only memory, which cannot be altered once the bit pattern is fabricated into the memory. Therefore, the software itself could not be altered by hardware malfunctions once placed into the microprocessor subsystem.

7.1.1.4 Protective Action System

The protective action system will be the "execute" portion of the safety system. It will accomplish protective functions on demand from the integrated protection system.

The protective action system will accomplish two types of protective functions: reactor trip and engineered safety features. The functions will be executed by "tripping" actuation devices, which in turn will control motive power to the final actuated equipment. The protective action system will also furnish status feedback to the integrated protection system for interlocks and for transmission to the main control board for display.

Redundant segments of the protective action system will be called actuation trains. There will be two engineered safety features actuation trains (I and II), either of which can accomplish the safety feature. Train I will actuate fluid systems Train A components. Train II will interface with fluid systems Train B components. There will be four reactor trip actuation trains (I, II, III and IV), any two or more of which can cause reactor trip. The following subsections describe the reactor trip and safeguards actuation trains and their actuation devices and actuated equipment.


7.1.1.4.1 Reactor Trip Actuation Trains

The detailed description of each reactor trip function is given in Section 7.2. Each integrated protection cabinet will generate a reactor trip signal.

Each signal will be transmitted over a hard wired data link to two reactor trip circuit breakers in the associated reactor trip actuation train (see Figure 7.1-17). The eight circuit breakers (two in each of the four trains) will be interconnected in a two-out-of-four configuration. When the reactor trip actuation trains receive trip signals, the respective circuit breakers will open. Opening of the circuit breakers in two or more reactor trip actuation trains will interrupt the power from the rod control power supply (motor-generator sets) to the rod control cabinets. Interruption of power will deenergize the control rod mechanism gripper coils, which will release the latches to allow the control and shutdown rods to fall by gravity into the reactor core.

The reactor trip switchgear (RTS) consists of eight circuit breakers arranged in a two-out-of-four matrix. These circuit breakers are located in two separate cabinets as shown in Figure 7.1-17. The RTS serves to trip the reactor by interrupting power to the control rod drive mechanisms, which releases all control rods, thus allowing them to fall by gravity into the reactor core.

Each set of two circuit breakers in the RTS receives a trip signal from one integrated protection cabinet. With this arrangement, two IPCs must send trip signals to the RTS to cause a reactor trip. The trip is implemented by undervoltage trip attachments and shunt trip devices on the circuit breakers.

To generate a reactor trip, the IPC interrupts power to the undervoltage trip attachments of the two circuit breakers under its control, as well as energizing the shunt trip attachment. Either device, UVTA or shunt trip attachment, will trip the breaker.

The RTS may be actuated manually from the main control board via reactor trip switches hard wired to the shunt trip and undervoltage coils on each circuit breaker.


Once tripped, the reactor trip circuit breakers will have to be manually reset before power could be reconnected to the rod control cabinets. The trip breakers cannot be reset as long as the trip signals are present from the integrated protection cabinets.

Each reactor trip breaker will be a 3-pole device which can be electrically closed and opened from a remote location. All three poles will operate simultaneously when the breaker is closed or opened. The breaker can be opened by energizing its shunt trip coil or by deenergizing its undervoltage trip coil. During normal plant operation, the undervoltage coil and an interposing relay will be energized by a DC voltage supplied from the integrated protection cabinet. The interposing relay will have a normally closed contact wired in series with the coil of the shunt trip attachment, so that the shunt trip opens the breaker when the interposing relay is deenergized. On an automatic reactor trip signal, the IPC will deenergize the undervoltage coil circuit and the interposing relay. This will cause the circuit breaker poles to open. A manual reactor trip initiated from the main control board will deenergize the undervoltage coil through its integrated protection cabinet, and will also separately energize the shunt trip coil directly. This will provide a backup to the undervoltage trip. The main contacts of the reactor trip breaker will be capable of interrupting the short circuit current of the rod control power supply system. Auxiliary switch contacts of the breaker will be used for feedback to the integrated protection cabinet.

The eight breaker logic configuration will permit testing of the reactor trip breakers without the use of auxiliary bypass breakers. The design will be such that the single failure criterion will be met while permitting operation for an indefinite period of time with one or two reactor trip actuation trains bypassed for testing, maintenance, or repair. The automatic tester in each IPC will be able to generate the channel set trip signal without causing a reactor trip. Actual trip of the breakers themselves is accomplished in the overlap portion of the test by operator action of the R.T. control switches in the IPC. During one bypass, the reactor trip logic will revert to a two-out-of-three to trip design. During two bypasses, the logic will revert to a one-out-of-two design. Single failure criteria will still be met. See Subsection 7.1.2.2.11 for a description of reactor trip bypassing.
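The coincidence and bypass rules above (bypass reverting the vote from 2/4 to 2/3 and then 1/2, three or more bypasses forcing a trip, and the UV/shunt trip attachments), which are restated as a design basis in 7.1.2.1.4 below, as an added Python model; this is illustration written for this page, not Westinghouse's logic implementation. Class and function names are my own, and treating a train as tripped when both of its breakers are open is a simplification of the eight-breaker matrix.

```python
"""Model of the reactor trip coincidence and bypass rules described above.
Added illustration for this page, not Westinghouse design code. Assumes four
IPC channel sets voting 2/4 (one bypass -> 2/3, two -> 1/2 plus alarm, three or
more -> trip) and breakers that open on UV coil loss or shunt coil energized."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class ChannelState(Enum):
    NORMAL = "normal"    # in service, no trip demand
    TRIP = "trip"        # channel set is demanding a reactor trip
    BYPASS = "bypass"    # removed from the vote for test, maintenance or repair


@dataclass
class VoteResult:
    reactor_trip: bool
    coincidence: str     # "2/4", "2/3", "1/2" or "forced trip"
    alarm: bool          # two or more channel sets bypassed


def coincidence_for(bypassed: int) -> Optional[Tuple[int, int]]:
    """(needed, remaining) after `bypassed` channel sets drop out of the vote;
    None means the bypass count by itself forces a reactor trip."""
    return {0: (2, 4), 1: (2, 3), 2: (1, 2)}.get(bypassed)


def vote(channels: List[ChannelState]) -> VoteResult:
    if len(channels) != 4:
        raise ValueError("the IPS has exactly four channel sets")
    bypassed = sum(c is ChannelState.BYPASS for c in channels)
    tripped = sum(c is ChannelState.TRIP for c in channels)
    rule = coincidence_for(bypassed)
    if rule is None:
        # Three or four bypasses is not a permitted configuration: the logic
        # trips the plant rather than run with no coincidence left.
        return VoteResult(True, "forced trip", True)
    needed, remaining = rule
    return VoteResult(tripped >= needed, f"{needed}/{remaining}", bypassed >= 2)


@dataclass
class TripBreaker:
    """One reactor trip breaker; either trip attachment alone opens it."""
    uv_coil_energized: bool = True       # normally energized from the IPC
    shunt_coil_energized: bool = False   # normally de-energized

    @property
    def is_open(self) -> bool:
        return (not self.uv_coil_energized) or self.shunt_coil_energized


@dataclass
class ReactorTripTrain:
    """Two breakers driven by one IPC. The IPC output feeds the UV coils and an
    interposing relay whose normally closed contact is in series with the shunt
    trip coil, so dropping the IPC output also energizes the shunt trip."""
    breakers: Tuple[TripBreaker, TripBreaker] = field(
        default_factory=lambda: (TripBreaker(), TripBreaker()))
    ipc_output_energized: bool = True
    manual_trip_switch: bool = False

    def update(self) -> None:
        for b in self.breakers:
            b.uv_coil_energized = self.ipc_output_energized
            b.shunt_coil_energized = (not self.ipc_output_energized) or self.manual_trip_switch

    def automatic_trip(self) -> None:
        self.ipc_output_energized = False   # IPC de-energizes UV coils and relay
        self.update()

    def manual_trip(self) -> None:
        # Control board switch: UV coil dropped through the IPC and the shunt
        # coil energized directly as a backup to the undervoltage trip.
        self.manual_trip_switch = True
        self.automatic_trip()

    def reset(self, ipc_trip_present: bool) -> bool:
        """Manual reset; refused while the IPC trip signal is still present."""
        if ipc_trip_present:
            return False
        self.manual_trip_switch = False
        self.ipc_output_energized = True
        self.update()
        return True

    @property
    def tripped(self) -> bool:
        # Modelling assumption: a train is tripped when both its breakers are open.
        return all(b.is_open for b in self.breakers)


def rod_power_interrupted(trains: List[ReactorTripTrain]) -> bool:
    """Breakers open in two or more of the four trains de-energize the gripper coils."""
    return sum(t.tripped for t in trains) >= 2
```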

7.1.1.4.2 Safeguards Trains

Signals to initiate components of an engineered safety feature will be generated by the logic cabinets. The NSSS design will utilize a two-train safeguards design. The logic cabinets will interface the protection system with the two trains of the ESF protective action system.

The logic cabinets' power switching devices (relays, SCRs, triacs, etc.) will switch control power to the safeguards actuation devices, which in turn will control motive power to the safeguards actuated equipment.

The safeguards actuation devices will consist of switchgear for controlling pumps and fan motors, motor control centers for controlling motor-operated valves (MOVs) and small auxiliary motors, and solenoids for controlling air-operated valves (AOVs) and dampers.

The switchgear circuit breakers, the motor control center starters and most of the solenoids will operate on an energize-to-actuate principle.

Auxiliary contacts on the actuation devices will provide status feedback to the integrated logic cabinets for providing position information to the control board and for interlocking functions when necessary. Position switches will provide status feedback and interlock information for solenoid-operated and motor-operated valves.

The safeguards actuated equipment will consist of pumps, fans, valves, and dampers as follows:

1. Safety injection pumps and valves
2. Containment isolation valves, Phase-A, which will isolate all non-essential process lines on safety injection


3. Containment isolation, Phase-B
4. Emergency fan coolers
5. Emergency feedwater pumps
6. Emergency diesel generators
7. Feedwater isolation valves
8. Containment ventilation isolation valves and dampers
9. Steamline isolation valves
10. Containment spray pumps and valves
11. Valves to terminate boron dilution

Section 7.3 correlates the actuated equipment to the various ESF actuation signals.

Fluid systems equipment in the safeguards trains will normally be labeled Train-A or Train-B. Train-A equipment will be actuated from ILC-A. Train-B equipment will be actuated from ILC-B. Either train alone will meet all the safeguards requirements.

7.1.1.5 Safety-Related Display Instrumentation

Safety related display instrumentation provides the operator with information on the effect of manual actions taken following reactor trip due to a Condition II, III, or IV event as defined in Chapter 15. Section 7.5 describes the safety related display instrumentation.


7.1.1.6 Essential Auxiliary Supporting Functions

The following systems will provide services such as cooling, lubrication, and energy supply, which may be required for safety system equipment to accomplish protective functions. The systems are listed here but are described in the referenced sections:

1. Instrument and control system power supply system (See Section 7.6)
2. Safeguards power supply system (See Chapter 8)
3. Emergency backup power supply system, including diesel generator support systems (See Chapter 8 of this module and Chapter 9 of RESAR-SP/90 PDA Module 13, "Auxiliary Systems")
4. Safeguards function portion of the service water system (See Section 9.2 of RESAR-SP/90 PDA Module 13, "Auxiliary Systems")
5. Service water component cooling water system (See Section 9.2 of RESAR-SP/90 PDA Module 13, "Auxiliary Systems")
6. Portions of the chemical and volume control system (CVCS) which will be shared with emergency core cooling (See Section 9.3 of RESAR-SP/90 PDA Module 13, "Auxiliary Systems")


7. Air conditioning, heating, cooling, and ventilation systems which will be necessary to maintain the environment for safety system equipment (See Section 9.4 of RESAR-SP/90 PDA Module 13, "Auxiliary Systems" and Appendix 7A of this module)

8. Emergency lighting

Of the auxiliary systems listed above, only the energy supply systems (1, 2, and 3) will be necessary for actuation of ESF functions. Reactor trip is implemented on a deenergize-to-trip principle. The remaining systems (4 through 7) will not be required for initiation of a protective function. However, they may be required for proper functioning of actuated equipment some time after the protective function has been initiated.

7.1.1.7 I and C System Designers

Systems discussed in Chapter 7 will be supplied by Westinghouse. Interface information for integration and installation purposes is given in Appendix 7A.

7.1.1.8 Plant Comparison

The majority of functions performed by the RESAR-SP/90 I&C system will be similar to those performed by the Model 414 as documented in RESAR-414. The significant functional difference is that Model 414 used a safety-grade RPI input into the DNB module, whereas RESAR-SP/90 does not have a safety-grade RPI input, because in determining radial core peaking factors the conservative assumption for the RESAR-SP/90 is made that the rods are at their rod insertion limits.

The translation of functions into I&C system hardware does not result in significant differences between RESAR-SP/90 and RESAR-414 because both models employ similar microprocessor based systems.

Adequacy of the hardware and software will be demonstrated for the RESAR-SP/90 through a prototype verification and validation (V&V) program similar to the RESAR-414. Details on the prototype V&V program for RESAR-414 are documented in Reference 3.

7.1.2 Identification of Safety Criteria

7.1.2.1 Design Basis for Safety Systems

The design bases presented in this subsection apply to the safety system instrumentation described in Subsection 7.1.1. Specific design bases information for protective functions is given in Sections 7.2 for reactor trip and 7.3 for ESF. The design bases presented include those required by Section 3 of IEEE 279-1971.


7.1.2.1.1 Design Basis; Generating Station Conditions Requiring Protective Actions (Paragraph 1 of Section 3 of IEEE 279-1971)

The safety system described in Subsection 7.1.1 shall be designed to protect the health and safety of the public by limiting the release of radioactive material during Condition II, III, and IV events to acceptable limits as defined in Chapter 15. The events are summarized below:

Condition II Events

These events (faults of moderate frequency) are expected to occur at least once during the life of the plant and, at most, should result in a reactor trip with the plant being capable of returning to operation when the fault is corrected. These events should not result in any fuel damage. See Chapter 15 for Condition II events.

Condition III Events

These events (infrequent faults) are expected to occur once during the life of several plants. A small amount of fuel damage is acceptable in such an occurrence, although the actual release of radioactive material must not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius of the plant. See Chapter 15 for Condition III events.

Condition IV Events

These events (postulated faults) are never expected to occur during the life of any plant. Any release of radioactive material in this type of event must not result in undue risk to the health and safety of the public. See Chapter 15 for Condition IV events.

In order to facilitate the design of the protection system, Westinghouse has chosen a number of specific limits on certain process and design variables which, if met, imply that the radioactive material release limits will be met with a high degree of confidence.

These specific limits are defined on an accident by accident basis in Chapter 15.


7.1.2.1.2 Design Basis; Variables Required to be Monitored for Protective Action and Their Minimum Performance Requirements (Paragraphs 2 and 9 of Section 3 of IEEE 279-1971)

The variables required to be monitored for reactor trip and their ranges, accuracies, and response times are discussed in Subsection 7.2.1.2.2 and are listed in Table 7.2-4; the applicability of these trips to design basis transients and accidents is presented in Table 7.2-5.

The variables required to be monitored for engineered safety features actuation and their ranges, accuracies, and response times are discussed in Subsection 7.3.1.2.2 and are listed in Table 7.3-3.

The variables required to be monitored for post accident monitoring and their ranges and accuracies are discussed in Section 7.5.

The design shall conform to the requirements of Paragraph 4.8 of IEEE 279-1971. Conformance is discussed in Subsection 7.1.2.2.8.

7.1.2.1.3 Design Basis; Spatially Dependent Variables (Paragraph 3 of Section 3 of IEEE 279-1971)

The spatially dependent variables required to be monitored for the safety system are discussed in Subsection 7.2.1.2.3.

7.1.2.1.4 Design Basis; Protection During Various Reactor Operating Modes (Paragraph 4 of Section 3 of IEEE 279-1971)

The safety system shall be designed to assure that protective functions can be initiated and accomplished during various reactor operating modes. The following specific design bases apply.


1. Design Basis; Integrated Protection System Channel Bypass During Test or Maintenance.

The safety system shall be designed to permit the bypass (for maintenance, test, or repair) of any one protection channel in the group of channels monitoring a selected variable. The system shall be designed such that this bypass can be accomplished during power operation without causing initiation of a protective function. The system shall be designed to meet the single failure criterion while permitting power operation for an indefinite period of time with one channel of the selected variable bypassed.

With one channel bypassed, the system shall be designed to permit the bypass of a second channel in the group monitoring the same variable.

In this mode, the failure of a third channel in the group may result in a protective function being initiated. The system shall be designed to meet the single failure criterion while permitting power operation for an indefinite period of time with two channels of the selected variable bypassed. Operation with two channels of one variable bypassed shall be alarmed in the control room.

The attempt to bypass three or more channels monitoring the same variable shall result in initiation of the protective functions associated with that variable.

The aspects of the design which permit channel bypass while maintaining immunity to inadvertent initiation of a protective function do not need to be applied to specific channels where the improved reliability is not deemed necessary.

The capability for channel bypass or removal from operation shall conform to the requirements established by Paragraphs 4.11 through 4.14 of IEEE 279-1971. Conformance is discussed in Subsections 7.1.2.2.11 through 7.1.2.2.14.


2. Design Basis; Protection System Blocks, Interlocks, and Permissives for Defined Reactor Operating Modes.

Where operating requirements necessitate automatic or manual block of a protective function, the system shall be designed such that the block will be automatically removed whenever the appropriate permissive conditions are not met. Devices used to achieve automatic removal of the block of a protective function shall be considered part of the safety system and as such shall be designed in accordance with the criteria in this section.

Interlocks are discussed in Sections 7.2, 7.3, and 7.6. The protection (P) interlocks are given in Tables 7.2-2 and 7.3-2. The safety analyses demonstrate that even under conservative critical conditions for either postulated or hypothetical accidents, the protective system will ensure that the NSSS will be put into and maintained in a safe state following an ANS Condition II, III or IV accident, commensurate with applicable specifications and pertinent ANS criteria. Therefore, the protective systems will be designed to meet IEEE Standard 279-1971 and will be entirely redundant and separate, including all permissives and blocks. All blocks of a protective function will be automatically cleared whenever the protective function would be required to function, in accordance with Paragraphs 4.11, 4.12 and 4.13 of IEEE Standard 279-1971 (see Subsections 7.1.2.2.11 through 7.1.2.2.13).

3. Design Basis; Multiple Setpoints Used During Defined Reactor Operating Modes

It is not necessary that setpoints in the IPS be made more restrictive as a function of operational mode and this subject is, therefore, not applicable to the WAPWR IPS.


4. Design Basis; Access to Protection System Bypasses, Blocks, and Setpoints

The system shall be designed to provide for administrative control over access to the means for manually bypassing protection channels and for manually blocking protective functions. The design shall also provide for administrative control of access to all setpoint adjustments, channel calibration adjustments, and test points.

The system shall be designed to the requirements established by Paragraphs 4.14 and 4.18 of IEEE 279-1971. Conformance to these requirements is discussed in Subsections 7.1.2.2.14 and 7.1.2.2.18.

7.1.2.1.5 Design Basis; Determination of Protective Action Setpoints (Paragraphs 5 and 6 of Section 3 of IEEE 279-1971)

The safety system shall automatically initiate appropriate protective action whenever a condition monitored by the system reaches a preset level.

The design shall conform to the requirements established by Paragraph 4.1 of IEEE 279-1971. Conformance to this requirement is discussed in Subsection 7.1.2.2.1.

7.1.2.1.6 Design Basis; Protection Against Natural Phenomena and Unusual Events (Paragraphs 7 and 8 of Section 3 of IEEE 279-1971)

The ability to initiate and accomplish protective functions shall be maintained during and following natural phenomena defined in Chapter 3 as credible to the plant site, such as earthquakes, tornados, hurricanes, floods, winds, etc. The safety system design shall ensure that performance requirements relative to plant safety are met despite degraded conditions in the plant caused by credible events such as fire, flooding, vehicular crashes, explosions, missiles, electrical faults, toxic or corrosive gaseous releases, pipe whip, etc.


Equipment shall be environmentally qualified to meet the accident conditions through which it is required to operate to mitigate the consequences of the accident. The equipment shall be seismically qualified to meet appropriate earthquake levels as described in Chapter 3 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design".

The design shall conform to the requirements established by Paragraphs 4.3, 4.4, and 4.5 of IEEE 279-1971. Conformance to these requirements is discussed in Subsections 7.1.2.2.3 through 7.1.2.2.5.

7.1.2.1.7 Design Basis; Protection Against Equipment Malfunctions

The ability of the safety system to initiate and accomplish protective functions shall be maintained despite credible equipment malfunctions within the safety system. Generally speaking, this basis forms the requirement for the safety system to meet the single failure criterion. To this end, the following specific design bases apply:

1. A single credible failure within the safety system shall not prevent initiation or execution of a protective function, even when channels are intentionally bypassed for test or maintenance for an indefinite period of time.
2. Where signals are derived from protection channels for control, no credible single failure in the protection channel shall cause a control system action requiring protective action by the redundant channels monitoring the same variable.
3. Where signals are derived from protection channels for non-safety systems, no credible failure in the non-safety system shall prevent the protection system from meeting its performance requirements.


4. No single failure within the protection system shall cause a Condition II event (see Chapter 15) to progress to a Condition III event, or a Condition III event to progress to a Condition IV event.


The system shall be designed to meet the single failure criterion, as established by Paragraph 4.2 of IEEE 279-1971. Conformance to this requirement is discussed in Subsection 7.1.2.2.2. Prevention of control system interaction with the protection system shall be designed to the requirements of Paragraph 4.7 of IEEE 279-1971. Conformance is discussed in Subsection 7.1.2.2.7.

7.1.2.1.8 Miscellaneous Design Bases

1. Manual Actuation of Protective Functions

Means shall be provided in the control room for manual initiation of all protective functions at the system level. Manual actuation shall rely on the minimum of equipment and, once initiated, should go to completion unless deliberate operator intervention is taken. Failure in the automatic initiation portion of a system-level function shall not prevent the manual initiation of that function.

The system shall be designed to comply with the requirements established by Paragraphs 4.16 and 4.17 of IEEE 279-1971. Conformance to these requirements is discussed in Subsections 7.1.2.2.16 and 7.1.2.2.17.

2. Physical Identification of Protection System Equipment

In order to provide assurance that the design bases given in this section can be applied in the design, construction, maintenance, and operation of the plant, all safety systems equipment shall be identified distinctly as being in the protection system. Markings shall be different for each redundant division of the safety system.

The design shall conform to the requirements established by Paragraph 4.22 of IEEE 279-1971. Conformance to this requirement is discussed in Subsection 7.1.2.2.22.


3. Capability for Checks, Test, Calibration, and System Repair

The system shall be designed to permit checking the operational availability of each input sensor to the integrated protection system during reactor operation.

Capability shall be provided for testing and calibrating the channels and channel set equipment of the integrated protection system.

The system shall be designed to facilitate the diagnosis, location, and repair or adjustment of malfunctioning components.

The system shall be designed to conform to the requirements established by Paragraphs 4.9, 4.10, and 4.21 of IEEE 279-1971. Conformance to these requirements is discussed in Subsections 7.1.2.2.9, 7.1.2.2.10, and 7.1.2.2.21.

4. Information Read-Out

The system shall be designed to permit identification of protective actions down to the channel level. The system shall be designed to provide the operator with information on the status of safety system equipment.

The design shall conform to the requirements established by Paragraphs 4.19 and 4.20 of IEEE 279-1971. Conformance is discussed in Subsections 7.1.2.2.19 and 7.1.2.2.20.

7.1.2.2 Conformance of the Safety System Instrumentation to Applicable Criteria

The safety system instrumentation described in Subsection 7.1.1 will be designed and built to conform to the applicable criteria, codes, and standards concerned with the safe generation of nuclear power. Table 7.1-1 lists applicable General Design Criteria, NRC Regulatory Guides and Branch Technical Positions, and Industry Standards. The table also identifies where the subject of the applicable standard or criteria is discussed within the Safety Analysis Report.

The design will conform to the requirements concerned with the I&C portion of the safety system as discussed below. The topics are listed in the order in which they appear in Section 4 of IEEE 279-1971, since that standard umbrellas all requirements of the I&C portion of the safety system. Other criteria related to the IEEE 279-1971 requirements are also identified.

7.1.2.2.1 Conformance to General Functional Requirements (Paragraph 4.1 of IEEE 279-1971, GDC-13, GDC-15, Regulatory Guide 1.105)

The safety system will automatically initiate appropriate protective action whenever a condition monitored by the system reaches a preset value. The protective actions are identified in Subsection 7.1.1.1. Reactor trip functions are discussed in detail in Section 7.2 and engineered safety features in Section 7.3. Also provided in those sections are the ranges, accuracies, and typical response times on each variable to be used in generating a protective action.

Westinghouse will use three groups of values in determining reactor trip and engineered safety features actuation setpoints.

The first group of values will be the safety limits assumed in the accident analyses (Chapter 15). These will be the least conservative values.

The second group will consist of limiting values as listed in the Technical Specifications. These will be the maximum/minimum "ALLOWABLE VALUES" for Limiting Safety System Settings (LSSS) and Limiting Conditions for Operation (LCO) given in Chapter 16 of the integrated RESAR-SP/90 PDA document.

Limiting values will be obtained by subtracting a safety margin from the accident analysis values. The safety margin will account for instrument error, calibration uncertainties, and process uncertainties such as flow stratification and transport factor effects, etc.


The third group will consist of the nominal values set into the equipment. These values will be obtained by subtracting allowances for instrument drift from the limiting values. The nominal values will allow for normal expected instrument setpoint drift such that the Technical Specification "Allowable Values" will not be exceeded under normal operation. These values are given as the "TRIP SETPOINTS" in Chapter 16 of the integrated RESAR-SP/90 PDA document.

As illustrated above, the trip setpoint will be determined by factors other than the most accurate portion of the instrument's range. The only requirement on the instrument's accuracy value is that over the instrument span, the error must always be less than or equal to that assumed in the accident analyses. The instrument does not need to be the most accurate at the trip setpoint value as long as it meets the minimum accuracy requirements.

Range selection for the instrumentation will cover the expected range of the process variable being monitored consistent with its application. The design of the integrated protection system will be such that trip setpoints will not require process transmitters to operate within 5 percent of the high and low end of their calibrated span or range. Functional requirements established for every channel in the integrated protection system stipulate the maximum allowable errors on accuracy, linearity, and reproducibility. The protection channels will have the capability for and will be tested to ascertain that the characteristics throughout the entire span are acceptable and meet functional requirements specifications.


In this regard it should be noted that specific functional requirements for response time, setpoint, and operating span will be finalized contingent on the results and evaluation of safety studies to be carried out using data pertinent to the plant. Emphasis will be placed on establishing adequate performance requirements under both normal and faulted conditions. This will include consideration of process transmitter margins such that even under a highly improbable situation of full power operation at the safety limits, adequate instrumentation response is available to ensure plant safety.



7.1.2.2.2 Conformance to the Single Failure Criterion (Paragraph 4.2 of IEEE 279-1971, IEEE 379-1972, Regulatory Guide 1.53)

Any credible single failure within the integrated protection system will not prevent the initiation or accomplishment of a protective function at the system level.

Redundancy and functional diversity will be designed into the safety system to ensure that system performance requirements can be met even if the safety system is degraded by a single random failure. Redundancy will begin with the sensors monitoring the variables and will be carried through the signal processing and actuation electronics. Redundant actuation trains will also be provided. Subsections 7.1.1.2 and 7.1.1.3 describe the redundant nature of the safety system architecture. In addition, generally two or more diverse functions will initiate most protective actions. Diversity of protective functions is discussed in Section 7.2 for reactor trip, and in Section 7.3 for engineered safety features actuation.

Isolation devices will be incorporated into data links which connect redundant channel sets, or which carry signals to non-safety systems. The isolation devices will be tested to verify that credible faults, such as physical damage, short circuits, open circuits, or the application of credible fault voltages on the device's output terminals, do not propagate back to the isolator's input terminals. The isolation devices provide assurance that, where protection signals are used by non-safety systems, credible single failures in the non-safety system will not degrade the performance of the safety system.

It is a design goal to minimize inadvertent reactor trips and safeguards actuations. Dual redundancy will be used in critical circuits which could malfunction and give an erroneous trip or ESF initiation signal. The reactor trip circuit breaker arrangement illustrated in Figure 7.1-19 and described in Subsection 7.1.1.3.1 will be designed such that a single failure will not cause a reactor trip. The two-out-of-four actuation train logic for reactor trip will require trip signals from two out of four channel sets. Although two safeguards actuation trains will be used, the actuation logic for each component will be performed redundantly within each ESFAC and will be "ored" in the logic cabinets. This dual logic is described in Subsection 7.1.1.2.4. It will be provided to minimize the probability of a random single failure causing total loss of an ESF train. It will also enable the ESF actuation logic to meet the single failure criterion during periodic testing.

The design approach chosen to reduce the likelihood of inadvertent trips or safeguards actuations will not negate the ability of the safety system to meet the single failure criterion, even when channels are bypassed for test or maintenance. Redundancy of equipment and the design bases applied to bypass capability will ensure compliance to the single failure criterion.

7.1.2.2.3 Conformance to the Requirements for Quality Components and Modules (Paragraph 4.3 of IEEE 279-1971, GDC-1)

Components and modules will be of a quality that is consistent with use in a nuclear generating station protection system. Chapter 17 describes the Westinghouse quality assurance program.

7.1.2.2.4 Conformance to the Requirements for Equipment Qualification (Paragraph 4.4 of IEEE 279-1971, 600-2, GDC-4, GDC-13, IEEE 323-1974, IEEE 344-1975, Regulatory Guide 1.89, Regulatory Guide 1.100, EICS.10)

Electrical equipment within the safety system will be environmentally qualified to meet the accident conditions through which it must operate to mitigate the consequences of the accident. The environmental qualification program for Class 1E electrical equipment is discussed in Section 3.11 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design".

The equipment will be qualified to the appropriate earthquake intensity as established in Chapter 3 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design". The seismic qualification program is discussed in Section 3.10 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design".



Equipment locations shall be chosen such that the forces to which equipment has been qualified (see Sections 3.10 and 3.11 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design") are not exceeded.

7.1.2.2.5 Conformance to the Requirements to Maintain Channel Integrity (Paragraph 4.5 of IEEE 279-1971, GDC-2, GDC-3, GDC-4, Regulatory Guide 1.120)

The safety system instrumentation will be designed to maintain its capability to initiate its protective functions during and following natural phenomena defined in Chapter 3 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design", as credible to the plant site, such as earthquakes, tornadoes, hurricanes, floods, winds, etc. Functional capability will be maintained despite degraded conditions that may exist in the plant due to credible events such as fires, flooding, vehicular crashes, explosions, missiles, electrical faults, toxic or corrosive gaseous releases, pipe whip, etc. The equipment will be environmentally and seismically qualified as discussed in the preceding subsection.

As noted in Chapter 3 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design", and Appendix 7A, the balance of plant applicant will normally be responsible for providing physical protection for Westinghouse supplied safety equipment against damage from natural phenomena or credible events external to the equipment. The NSSS integrated protection system design facilitates such protection by providing the balance of plant designer a defense-in-depth approach in providing protection through a combination of barriers, physical separation, and analyses. For example, safety equipment could be located based on an analysis of potential hazards such that the equipment is outside the zone of influence of the hazard. Or the redundant elements of the safety system might be located in defined zones such that a damaging event in one zone would not affect redundant equipment in other zones. Or, the safety equipment could be bunkered or shielded such that defined potential hazards would not physically damage equipment or wiring. Safety equipment will, of course, be qualified to meet the accident environments for which it is assumed in Chapter 15 to operate. (See Sections 3.10 and 3.11 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design".)



Redundancy of equipment will ensure that protective functions can be accomplished despite loss of one of the redundant channel sets or actuation trains due to a credible event.

The integrated protection system will be structured such that the communication between redundant channel sets will occur at the integrated protection cabinets and ESFA cabinets. Cabinets processing low-level signals can be located in well-controlled areas of the plant. Communication among channel sets is over isolated data links. The isolation devices will prevent credible electrical and physical faults in one channel set from propagating back to another channel set. A description of the isolators is contained in Subsection 7.1.1.2.5. The ESFA cabinets will not communicate with each other but will communicate with each IPC and will interface with high energy source safeguards actuation devices at the power interface for their respective train devices. They, therefore, may normally be located in the more hazardous areas of the plant. Therefore, the design provides for complete physical separation and electrical independence of these cabinets. All signals which leave the integrated protection system from the integrated protection cabinet to non-safety systems are via isolated data links.


Concerning potential hazards that may be caused by supplied equipment, every effort will be made to identify and eliminate potential causes of fire, missiles, etc. that might occur due to postulated faults within the equipment. Equipment will be built to accepted industry codes, standards, and practices aimed at maximizing reliability and safety. For example, wiring used within electrical equipment, and devices used to protect wiring from overcurrent (such as breakers, fuses, and current limiters), will be sized and coordinated according to National Electric Code requirements. Insulation used will be flame retardant and will meet National Electric Code, IEEE, and Underwriter's Laboratory requirements applicable to the environment in which the wiring will be located. Electronics will be housed in cabinets of metal construction coated with intumescent paint. As stated above, isolation devices will be incorporated into wiring leaving the protection cabinets to the other redundant protection cabinets or non-safety areas. The independence of electrical equipment will be assured as discussed in Subsection 7.1.2.2.6 below.




7.1.2.2.6 Conformance to the Requirements to Maintain Channel Independence (Paragraph 4.6 of IEEE 279-1971, GDC-22, IEEE 384-1974, Regulatory Guide 1.75)

The flexibility of the IPS will enable the achievement of maximum physical separation of redundant BOP equipment commensurate with the hazard potentials identified for each location.

Where redundant equipment must communicate with each other, such as at the integrated protection cabinets, isolation devices will be employed to preserve physical and electrical independence of the channel sets. These devices are described in Subsections 7.1.1.2.5 and 7.1.2.2.7. They will also be used to preserve the independence of safety equipment from non-safety systems which may use protection signals.

Non-safety wiring will be separated from Class 1E wiring by the maximum practical distances. Analyses, tests, or physical barriers will be used to ensure the adequacy of wire routing where separation distances are less than those suggested by Regulatory Guides or industry standards.


The physical separation criteria for IPS cabinets will include the applicable recommendations contained in Paragraph 5.6 of IEEE 384-1974. Specific requirements to be applied will be as follows:

1. Internal separation requirements pertaining to separation between redundant Class 1E equipment in accordance with Subparagraph 5.6.2 of IEEE 384-74.
2. Non-Class 1E wiring requirements pertaining to separation between Class 1E wiring and non-Class 1E wiring in accordance with Subparagraph 5.6.5 of IEEE 384-74.
3. Cable entrance requirements of redundant Class 1E cables in accordance with Subparagraph 5.6.6.



It is noted that the application of these criteria to instrumentation cabinets is endorsed by Regulatory Guide 1.75.

Wiring for redundant channel sets and actuation trains will employ physical separation, analyses, isolation, tests, or barriers to ensure independence of the circuits.

Additional physical separation criteria applying to installation of redundant Class 1E wiring are contained in Appendix 7A.

7.1.2.2.7 Conformance to the Requirements Concerning Control and Protection System Interaction (Paragraph 4.7 of IEEE 279-1971, GDC-24)

Conformance to the Requirements on the Use of Isolation Devices

The transmission of signals from protection system equipment for control system use will be through isolation devices. These devices will be classified as part of the protection system and will meet all of the requirements of Section 4 of IEEE 279-1971. The isolation devices will be tested to confirm that credible failures at the output of the isolation device will not prevent the associated protection system channel from meeting the minimum performance requirements.

The isolation device is described in Subsection 7.1.1.2.5. Credible failures to which the devices shall be tested are physical damage, short circuits, open circuits, grounds, and the application of the maximum AC or DC potentials as may be present in any cabinet in which the isolation device is located or in any wireway in which its electrical or optical lines run.

Conformance to Requirements Concerning Control System Failures Interacting with the Protection System

The protection system will be designed to permit margin to safety limits such that an unsafe condition will not be caused by transients induced by normal power plant operation. The plant control system will attempt to keep the reactor operating away from any safety limit. Should a control system fail and cause a parameter to approach its limit, the protection system will trip the reactor as described in Section 7.2. The setpoints will be chosen to assure that the design bases established for credible events are met (see Subsection 7.1.2.2.1). The accident analyses in Chapter 15 will not assume a control system action to reduce the severity of an accident. Assumptions made on control systems will be worst case assumptions: that their failure will drive the parameters involved toward their worst direction for safety. The safety system setpoints will thus account for these malfunctions.

As previously described, isolation devices will be employed to prevent credible faults in the control system from degrading the functional capability of the protection system.

Conformance to Requirements Concerning Protection System Failures Interacting with Control Systems

It is advantageous to use certain information derived from protection channels to control the plant. This concept reduces the number of penetrations into critical pressure boundaries, such as into the coolant loops, pressurizer, steam generators, etc. It also helps reduce congestion and ease separation in difficult plant areas such as in equipment compartments in the containment and at containment penetrations.

Where protection signals are used for control, functional isolation will be provided between the control and protection systems.

A control system channel selection device will be used to ensure that malfunctioning protection channels will not send erroneous information to the control system. In this way, protection system malfunctions in a channel cannot cause a control system action that will result in a protection function actuation using the remaining redundant channels monitoring that variable.

The selection device will continuously monitor the redundant channels which will be sending information to the control systems. The device will only pass on to the control system those signals which are considered valid. If a signal is determined to be invalid by the channel selection device, it will not be passed on to control.

As long as at least three redundant channels of information are available, an invalid signal can be rejected by the selection device. This is done by comparing the redundant channels to one another and rejecting any one which deviates from the others by more than a reasonable amount, consistent with normal instrument channel drift and calibration tolerances. A detailed discussion of the signal selection algorithm used is made in Reference 2.
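The rejection rule just described (with at least three channels available, drop any channel that deviates from the others by more than a drift-and-calibration tolerance) can be written out as a small signal-validation routine. The following is an added example, not the Model 414 signal selection algorithm of Reference 2, which is not reproduced on this page; comparing each channel against the median of the other channels, passing the median of the accepted channels to control, and flagging the result as unvalidated when fewer than three channels are available are all assumptions of this example, and the sample readings are constructed.

```python
"""Control-system channel selection device (added example, constructed data).

Implements the rule stated in the text: with at least three redundant channels
available, a channel whose reading deviates from the others by more than a
tolerance consistent with drift and calibration allowances is rejected and is
not passed to the control system. The comparison basis (median of the other
channels) and the passed value (median of accepted channels) are assumptions.
"""
from statistics import median


def select_valid_channels(readings: dict, tolerance: float) -> dict:
    """Classify each channel as accepted or rejected.

    readings: channel id -> value, or None for a channel that is bypassed/failed.
    Returns {"accepted": {...}, "rejected": {...}, "validated": bool}.
    With fewer than three available channels no comparison can isolate a bad
    one, so every available reading is passed on but flagged as not validated.
    """
    available = {ch: v for ch, v in readings.items() if v is not None}
    if len(available) < 3:
        return {"accepted": available, "rejected": {}, "validated": False}

    accepted, rejected = {}, {}
    for ch, value in available.items():
        others = [v for c, v in available.items() if c != ch]
        # Reject a channel that stands apart from its redundant partners.
        if abs(value - median(others)) > tolerance:
            rejected[ch] = value
        else:
            accepted[ch] = value
    return {"accepted": accepted, "rejected": rejected, "validated": True}


def selected_value(readings: dict, tolerance: float):
    """Value handed to the control system, or None when no channel is accepted."""
    result = select_valid_channels(readings, tolerance)
    if not result["accepted"]:
        return None
    return median(result["accepted"].values())


# Constructed sample: four redundant pressure channels, channel III reading high.
SAMPLE = {"I": 2235.0, "II": 2238.0, "III": 2410.0, "IV": 2232.0}

if __name__ == "__main__":
    print(select_valid_channels(SAMPLE, tolerance=25.0))
    print(selected_value(SAMPLE, tolerance=25.0))
```

With the constructed readings channel III is rejected and the control system receives 2235, the median of the three agreeing channels. Note that two channels failing in the same direction at once would cause every channel to be rejected and nothing to be passed; that is beyond the single failure the device is credited for, and the None result is the point at which a plant design would fall back to a conservative control action.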

7.1.2.2.8 Conformance to Requirements Concerning the Derivation of System Inputs (Paragraph 4.8 of IEEE 279-1971)

To the extent feasible and practical, protection system inputs will be derived from signals that are direct measures of the desired variables. These variables are listed in Table 7.2-4 for reactor trip and Table 7.3-4 for engineered safety features actuation.

The protection system will calculate two variables where direct measurement is not feasible. These are the low DNBR reactor trip and the high kilowatts per foot (KW/ft) reactor trip. These functions are described in Subsection 7.2.1.1.2.

7.1.2.2.9 Conformance to the Requirements to Provide Capability for Sensor Checks (Paragraph 4.9 of IEEE 279-1971, IEEE 338-1975, Regulatory Guide 1.118)

Means will be provided for checking with a high degree of confidence the operational availability of each system input sensor during reactor operation. These will be accomplished by one of the following techniques:


1. By perturbing the monitored variable; or
2. By cross checking between channels that bear a known relationship to each other and that have readouts available; or
3. By introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable.

7.1.2.2.10 Conformance to the Requirements to Provide Capability for Test and Calibration (Paragraph 4.10 of IEEE 279-1971, GDC-10, GDC-21, IEEE 338-1975, Regulatory Guide 1.22, Regulatory Guide 1.118, EICSB-5, EICSB-22)

Capability will be provided for testing and calibrating channels and devices used to derive the final system output signal from the various channel signals.

Subsection 7.1.1.2.7 describes the built-in testing capabilities of the integrated protection system. These capabilities will provide for complete on-line overlapping testing of the IPS from the inputs to the analog-to-digital converters, through the logic, to the actuation devices in the protective action system.

As permitted by Regulatory Guide 1.22, where actuated equipment is not tested during reactor operation, it will be established that:


1. There is no practicable system design that would permit operation of the equipment without adversely affecting the safety or operability of the plant;
2. The probability that the protection system will fail to initiate the operation of the equipment is, and can be maintained, acceptably low without testing the equipment during reactor operation; and
3. The equipment can routinely be tested when the reactor is shut down.

It is anticipated that the following equipment shall not be tested on-line at full power:


1. Manual system-level actuation switches for protective functions.
2. Actual tripping of the turbine, although one-at-a-time testing of individual trip fluid dump solenoids can be performed on Westinghouse turbines.
3. Closure of main steam isolation valves. (These may be tested at reduced power.)
4. Full closure of the feedwater isolation or control valves.
5. Tripping of the main feedwater pumps.
6. Isolation of cooling water services for the reactor coolant pumps.

Where channels are bypassed for the purposes of testing, these will be automatically indicated and removed by the built-in tester. Bypass capability is discussed in Subsection 7.1.2.2.11.

7.1.2.2.11 Conformance to Requirements on Channel Bypass or Removal from Operation (Paragraph 4.11 of IEEE 279-1971)

Provisions will be made within the integrated protection system for the application of bypasses, i.e., blocks of certain protective functions during operational modes such as test and maintenance. The bypass system will be designed in such a way that applicable criteria are met, including the single failure criterion, which is discussed in Subsection 7.1.2.2.2.

Channel Level Bypass Capability

A typical protection channel set will take inputs from one or more process sensors, perform some compensation or other calculation, and will terminate in one or more threshold functions where the process variable will be compared against setpoints. The partial trip outputs from these comparisons will be sent to the logic portion of the protection system where signals will be combined with the partial trip status of the other channels to initiate a protective function, such as reactor trip. When a channel is to be tested, the sensor input will be removed and a test signal will be injected in its place, and will be exercised over the range of that input sensor. This method of testing will produce the need for blocking the partial trips to preserve plant availability. The bypass system will provide this plant availability while at the same time it will assure compliance to the single failure criterion. Each comparison function will be provided with a bypass, which will become an additional input to the logic which is downstream of the threshold functions.

Interlocks will be provided so that the gate, which will admit the injected test signal to the channel, cannot be closed until all of that channel's threshold functions have been bypassed. The logic which will combine four threshold function outputs and their associated bypasses in a scheme which will always meet the single failure criteria, irrespective of the number of bypasses applied, is considered proprietary by Westinghouse. A description and evaluation of this logic is contained in a separate report (Reference 1).

The effect of this logic scheme will be to provide a two-out-of-four coincidence logic which will revert to a two-out-of-three or a one-out-of-two logic when one or two bypasses are applied respectively. If three or more bypasses are simultaneously applied, the logic scheme will provide the necessary output to initiate the protective action in question, generally leading to a plant shutdown.

The bypass status, along with the threshold function outputs, will be transmitted between integrated protection cabinets by means of the isolated data links described in Subsection 7.1.1.2.5.

In addition to using the bypasses during channel test, they will be used while maintenance is being performed on the channel or if the channel sensor is failed and cannot be immediately repaired.

Although there will generally be four protection channels for each actuation function, all accident analyses or reliability studies will assume that one of these channels is in the bypass mode at the time of the accident. The purpose for this assumption will be to preclude any potential limitations which might have otherwise been placed on the use of the bypass system.


Reactor Trip Breaker Bypass Capability

A reactor trip will be actuated by opening any two of four of the pairs of reactor trip breakers, one pair being associated with each of four integrated protection cabinets. The breakers will be arranged such that the opening of any two pairs of breakers will de-energize the control rod drives, thus causing the reactor trip. See Subsection 7.1.1.4.1. During maintenance or, except once, during testing of the trip actuation logic, the trip signals going to the undervoltage coils of the reactor trip breakers will be blocked. The logic for performing this bypass function is shown on Figure 7.2-1, Sheet 1.

A description and evaluation of the logic is contained in Reference 1. The logic will automatically ensure that no more than one pair (one actuation train) of breakers can be bypassed at any one time. In the event that an attempt to bypass the breakers from one channel set occurs while another channel set is in the bypass mode, those breakers will be tripped rather than bypassed. Then if a trip signal is generated by either of the two remaining channel sets (one-out-of-two) the reactor will trip. If more than two bypasses are actuated at a given time, the reactor will be tripped directly. The breaker bypass status will be communicated between the integrated protection cabinets by the same system of isolated data links which carry the partial trip information. If a trip of two remaining pairs occurs while one is in bypass, then that one will be tripped as well.
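The breaker bypass interlock rules above form a small state machine, modelled here as an added example; this is not the logic of Figure 7.2-1 or Reference 1, only the rules the text states. The train names, the three breaker-pair states and the method names are constructed for this example.

```python
"""Reactor trip breaker bypass interlock for four actuation trains
(added example, constructed names; not the logic of Figure 7.2-1 or Reference 1).

Rules modelled, as stated in the text:
  * a reactor trip occurs when any two of the four breaker pairs are open;
  * at most one pair may be bypassed at a time; a trip signal to a bypassed
    pair is blocked;
  * an attempt to bypass a second pair trips that pair instead, after which a
    trip signal from either remaining channel set trips the reactor (1/2);
  * more than two bypass requests at once trip the reactor directly;
  * when two remaining pairs trip while one is in bypass, the bypassed pair is
    tripped as well.
"""

TRAINS = ("A", "B", "C", "D")
ARMED, BYPASSED, OPEN = "armed", "bypassed", "open"


class TripBreakerLogic:
    def __init__(self):
        self.state = {t: ARMED for t in TRAINS}
        self.bypass_requests = set()

    def open_pairs(self) -> int:
        return sum(1 for s in self.state.values() if s == OPEN)

    def reactor_tripped(self) -> bool:
        """Opening any two of the four pairs de-energizes the rod drives."""
        return self.open_pairs() >= 2

    def trip_reactor(self) -> None:
        """Open every pair, including one currently held in bypass."""
        for t in TRAINS:
            self.state[t] = OPEN

    def request_bypass(self, train: str) -> str:
        """Apply a bypass request to one train's breaker pair; returns its new state."""
        self.bypass_requests.add(train)
        if len(self.bypass_requests) > 2:
            # More than two bypasses actuated at one time: reactor tripped directly.
            self.trip_reactor()
            return self.state[train]
        another_bypassed = any(s == BYPASSED for t, s in self.state.items() if t != train)
        if another_bypassed:
            # A second bypass is refused: this pair is tripped rather than bypassed.
            self.state[train] = OPEN
        elif self.state[train] == ARMED:
            self.state[train] = BYPASSED
        return self.state[train]

    def remove_bypass(self, train: str) -> None:
        """Return a bypassed pair to service, e.g. at the end of a test."""
        self.bypass_requests.discard(train)
        if self.state[train] == BYPASSED:
            self.state[train] = ARMED

    def trip_signal(self, train: str) -> bool:
        """A trip signal from one channel set opens its pair unless that pair is
        bypassed. Returns True when the reactor is tripped as a result."""
        if self.state[train] == ARMED:
            self.state[train] = OPEN
        if self.reactor_tripped():
            self.trip_reactor()   # bring the bypassed pair (if any) along
        return self.reactor_tripped()


if __name__ == "__main__":
    logic = TripBreakerLogic()
    logic.request_bypass("A")          # train A in test
    logic.request_bypass("B")          # refused: B's pair opens instead
    print(logic.state, logic.trip_signal("C"))   # C opens -> 2 pairs open -> trip
```

The second bypass request is the interesting path: refusing it by opening the pair, rather than silently ignoring it, is what keeps the plant at one-out-of-two instead of leaving two trains unable to act.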

Bypass of Engineered Safety Features

No ESF system-level actuation logic bypasses (for test or maintenance) will be provided. Instead, all of the actuation logic within the ESFAC cabinet will be in duplicate. Built-in test capabilities are discussed in Subsection 7.1.1.3.10.

7.1.2.2.12 Conformance to Requirements on Operating Bypasses (Paragraph 4.12 of IEEE 279-1971)

In addition to the test and maintenance bypasses described in the previous section, several operating bypasses will be provided. These bypasses will automatically block certain protective actions which would otherwise prevent modes of operation such as start-up, etc. All of the operating bypasses will be automatically removed when the plant moves to an operating regime where the protective action would be required if an accident occurred. These operating bypasses are discussed in more detail in Subsections 7.2.1.1.9 and 7.3.1.1.11.

7.1.2.2.13 Conformance to Requirements to Provide Indication of Bypasses (Paragraph 4.13 of IEEE 279-1971, Regulatory Guide 1.47, EICSB-21)

Status indication for the channel level and the reactor trip breaker bypasses described in Subsection 7.1.2.2.11 will be provided in the control room. The display of the status information will be such that the operator can identify the specific function(s) which is bypassed, and also determine if the logic has reverted to 2/3 or 1/2. In addition to the status indication, an alarm will be sounded in the control room if more than one bypass has been applied to a given protection function, thus causing 1/2 logic. The bypass indication system will be a balance-of-plant design. Westinghouse will supply the necessary IPS bypass status outputs for use by the balance-of-plant designer.

7.1.2.2.14 Conformance to Requirements Controlling Access to the Means for Bypassing (Paragraph 4.14 of IEEE 279-1971)

The bypasses described in Subsection 7.1.2.2.11 could be initiated in either of two ways, automatically via the automatic test system or manually via bypass switches. In either case, the operator will have complete administrative control over bypass actuation. The automatic test sequence bypass will be manually initiated and the manual bypass switches will be located inside the integrated protection cabinets. The IPC doors will be locked under administrative procedures.

7.1.2.2.15 Conformance to the Requirements on the Use of Multiple Setpoints (Paragraph 4.15 of IEEE 279-1971, EICSB-12)

This subject is not applicable to the WAPWR IPS because it is not necessary that setpoints be made more restrictive as a function of operational mode.



The safety system will use two such setpoints; one will be the continuously calculated setpoint for low DNBR reactor trip, and the other will be the continuously calculated KW/ft value which will be compared against a fixed setpoint. Subsection 7.2.1.1.3 provides a discussion of these trips. In each case the value computed will be based on the operating conditions and the protection needed during those operating conditions.

The nuclear channels will use three ranges of instrumentation (source, intermediate, and power range), each with fixed setpoints. These setpoints will provide protection during startup and could be blocked by manual control as described in Subsections 7.2.1.1.1 and 7.2.1.1.9. Protection will be automatically reinstated when power falls below the applicable permissive levels.

7.1.2.2.16 Conformance to the Requirement for Completion of Protective Action Once it is Initiated (Paragraph 4.16 of IEEE 279-1971, Regulatory Guide 1.62)

Once initiated, protective functions at the system level will go to completion. The action of engineered safety features could be terminated on a component-by-component basis by deliberate operator intervention. Component-level manual reset controls will permit the operator to take this action only after the system-level signal is reset. One of the reasons component reset will be provided is to terminate ESF functions should they be inadvertently actuated. Specific information is provided in Subsections 7.2.2 and 7.3.2 for reactor trip and engineered safety features, respectively.

7.1.2.2.17 Conformance to the Requirements for Manual Initiation of Protective Functions (Paragraph 4.17 of IEEE 279-1971, Regulatory Guide 1.62)

Means will be provided for manual initiation of protective functions at the system level. Manual initiation circuits will conform to the single failure criterion as described in Subsection 7.1.2.2.2. The specific manual actions are described in Section 7.2 for reactor trip, and in 7.3 for engineered safety features.


The hardware which will be involved in manual actions is discussed in Subsection 7.1.1.2.3 for reactor trip manual actions which will input to the integrated protection cabinet, and in Subsection 7.1.1.2.4 for the safety-level ESF manual actions which will input to the integrated logic cabinets. Table 7.2-3 lists system-level manual actions to the integrated protection cabinets, and Table 7.3-3 lists system-level manual actions relative to engineered safety features.

Manual initiation will depend on the operation of a minimum of equipment.

No single failure in either the automatic portion, manual portion, or shared portion will prevent manual or automatic initiation of a protective function at the system level. This capability will be achieved through the redundant structure of the integrated protection system.

7.1.2.2.18 Conformance to Requirements Governing Access to Setpoint Adjustments, Calibration, and Test Points (Paragraph 4.18 of IEEE 279-1971)

Access to all setpoint adjustments, module calibrations, and test points will be under administrative control. Cabinet doors will be locked.

7.1.2.2.19 Conformance to the Requirements on Identification of Protective Actions (Paragraph 4.19 of IEEE 279-1971)

The initiation of a protective action will be identified and indicated down to the channel level. Except for post-accident monitoring information, this status information will not be considered safety-related. As such it will be transmitted to the main control board over isolated data links from the protection system, for indication and recording.

7.1.2.2.20 Conformance to the Requirements for Information Read-Out (Paragraph 4.20 of IEEE 279-1971, Regulatory Guide 1.97)

The protective system design will provide for status information to be provided to the operator. Status information may be of four types: (a) parameter values, (b) logic status, (c) equipment status, or (d) actuation device status. Safety-related displays are discussed in Section 7.5.

7.1.2.2.21 Conformance to the Requirement to Facilitate System Repair (Paragraph 4.21 of IEEE 279-1971)

The integrated protection system will be designed to facilitate the recognition, location, replacement, repair and adjustment of malfunctioning components or modules. The built-in test capability described in Subsection 7.1.1.2.1 will provide a mechanism for periodically verifying the operability of all modules in the IPS, and for rapidly locating malfunctioning assemblies.

Continuous on-line error checking will also detect and locate problem areas.

Channel bypass will permit replacement of malfunctioning sensors or channel components without jeopardizing plant availability while still meeting the single failure criterion.

7.1.2.2.22 Conformance to the Requirements for Identification of Redundant Safety System Equipment (Paragraph 4.22 of IEEE 279-1971)

Distinctive markings will be applied to redundant segments of the integrated protection system and protective action system.

The color-coded nameplates described below provide identification of equipment associated with protective functions and their channel set or actuation train associations.

Channel Set or Actuation Train | Color Coding
(I) (or Train A) | RED with WHITE lettering
(II) (or Train B) | WHITE with BLACK lettering
(III) | BLUE with WHITE lettering
(IV) | YELLOW with BLACK lettering


All non-cabinet mounted protective equipment and components will be provided with an identification tag or nameplate. Small electrical components such as relays will have nameplates on the enclosure which houses them.

Refer to Appendix 7A; Section 7A.2, for interface information.

7.1.3 REFERENCES (1)

1. Cook, B. M. and Rowlins, D. H., "Bypass Logic for the Westinghouse Integrated Protection System", WCAP 8897 (Proprietary) and WCAP 8898 (Non-Proprietary), Revision 1, October 1977.

2. Cook, B. M., "Model 414 Control System Signal Selection Device", WCAP 8899 (Proprietary) and WCAP 8900 (Non-Proprietary), May 1977.

3. Gallagher, J. M. (Jr.) et al., "414 Integrated Protection System Prototype Verification Program", WCAP 9153 (Proprietary) and WCAP 9154 (Non-Proprietary), August 1977.

(1) These topicals are submitted for background information only. Although they are RESAR-414-dependent, the same principles and strategies developed in these topicals will be applied to Model SP/90.
TABLE 7.1-1
LISTING OF APPLICABLE CRITERIA

CRITERIA | TITLE | APPLICABLE SECTIONS

1. General Design Criteria (GDC), Appendix A to 10CFR Part 50 | General Design Criteria for Nuclear Power Plants | 3.1.2, 7, 15
GDC 1 | Quality Standards and Records | 3, 7.1, 7.5, 17
GDC 2 | Design Basis for Protection Against Natural Phenomena | 3, 7.1, 7.2, 7.3, 7.5, 7A
GDC 3 | Fire Protection | 3, 7, 9.5
GDC 4 | Environmental and Missile Design Bases | 3, 1.1, 7.1, 7.3
GDC 5 | Sharing of Structures, Systems, and Components | 3
GDC 10 | Reactor Design | 3, 7.1, 7.2, 7.3
GDC 11 | Reactor Inherent Protection | 3, 15
GDC 12 | Suppression of Reactor Power Oscillations | 3, 7.7, 15
GDC 13 | Instrumentation and Control | 3, 7.1, 7.2, 7.3, 7.5
GDC 15 | Reactor Coolant System Design | 3, 7.1
GDC 17 | Electric Power Systems | 3, 7.6, 8
GDC 18 | Inspection and Testing of Electric Power Systems | 3, 7.6, 8
GDC 19 | Control Room | 3, 7.7
GDC 20 | Protection System Functions | 3, 7.2, 7.3, 7.5
GDC 21 | Protection System Reliability and Testability | 3, 7.1, 7.2, 7.3
GDC 22 | Protection System Independence | 3, 7.1, 7A.1
GDC 23 | Protection System Failure Modes | 3, 7.2, 7.3
GDC 24 | Separation of Protection and Control Systems | 3, 7.1, 7.2, 7A.1
GDC 25 | Protection System Requirements for Reactivity Control Malfunctions | 3, 7.7, 15
GDC 26 | Reactivity Control System Redundancy and Capability | 3, 7.7, 15
GDC 27 | Combined Reactivity Control Systems Capability | 3, 7.3, 7.7, 15
GDC 28 | Reactivity Limits | 3, 7.3, 7.7, 15
GDC 29 | Protection Against Anticipated Operational Occurrences | 3, 7.1, 7.2, 7.3, 7.5
GDC 33 | Reactor Coolant Makeup | 3.1
GDC 34 | Residual Heat Removal | 3, 7.6.2
GDC 35 | Emergency Core Cooling | 3, 7.3.1, 7.3.2
GDC 37 | Testing of Emergency Core Cooling System | 3, 7.3.2.2.6
GDC 38 | Containment Heat Removal | 3, 7.3.1, 7.3.2
GDC 40 | Testing of Containment Heat Removal System | 3, 7.3.2
GDC 41 | Containment Atmosphere Cleanup | 3, 7.3.2
GDC 43 | Testing of Containment Atmosphere Cleanup Systems | 3, 7.3.2
GDC 44 | Cooling Water | 3
GDC 46 | Testing of Cooling Water System | 3, 7.3.2
GDC 50 | Containment Design Basis | 3
GDC 54 | Piping Systems Penetrating Containment | 3
GDC 55 | Reactor Coolant Pressure Boundary Penetrating Containment | 3
GDC 56 | Primary Containment Isolation | 3
GDC 57 | Closed Systems Isolation Valves | 3

2. Institute of Electrical and Electronics Engineers (IEEE) Standards:
IEEE Std 279-1971 (ANSI N42.7-1972) | Criteria for Protection Systems for Nuclear Power Generating Stations | 7.1, 7.2, 7.3, 7.4, 7.5, 7.6
IEEE Std 308-1974 | Criteria for Class 1E Power Systems for Nuclear Power Generating Stations | 7.6, 8
IEEE Std 317-1972 | Electric Penetration Assemblies in Containment Structures for Nuclear Power Generating Stations | 8
IEEE Std 323-1974 | IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations | 3, 7.1.2.2.4
IEEE Std 334-1974 | Type Tests of Continuous-Duty Class 1E Motors for Nuclear Power Generating Stations | 8
IEEE Std 336-1971 (ANSI N45.2.4-1972) | Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations | 7, 8
IEEE Std 338-1975 | Criteria for the Periodic Testing of Nuclear Power Generating Station Class 1E Power & Protection Systems | 7.1, 7.3, 7.5, 7A
IEEE Std 344-1975 (ANSI N41.7) | Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations | 3, 7.1, 7A
IEEE Std 379-1972 (ANSI N41.2) | Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems | 7.1, 7.2, 7.3, 7.5
IEEE Std 382-1972 | Type Test of Class 1 Electric Valve Operators | 3
IEEE Std 384-1974 (ANSI N41.14) | Criteria for Separation of Class 1E Equipment and Circuits | 7.1, 7.3, 7.5, 7A
ANSI/IEEE-ANS-7-4.3.2-1982 | Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations | 7.1

3. Regulatory Guides (RG):
RG 1.6 | Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems | 3, 8
RG 1.9 | Selection of Diesel Generator Set Capacity for Standby Power Supplies | 3, 8
RG 1.11 | Instrument Lines Penetrating Primary Reactor Containment | 3
RG 1.22 | Periodic Testing of Protection System Actuation Functions | 3, 7.1, 7.3, 7.5
RG 1.29 | Seismic Design Classification | 3, 7.1
RG 1.30 | Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment | 3, 17
RG 1.32 | Use of IEEE Std 308-1971, "Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations" | 3, 8
RG 1.40 | Qualification Tests of Continuous Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants | 3
RG 1.47 | Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems | 3, 7.1, 7A
RG 1.53 | Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems | 3, 7.1, 7.3, 7.5
RG 1.59 | Design Basis Floods for Nuclear Power Plants | 3, 7
RG 1.60 | Design Response Spectra for Seismic Design of Nuclear Power Plants | 3, 7
RG 1.61 | Damping Values for Seismic Design of Nuclear Power Plants | 3, 7
RG 1.62 | Manual Initiation of Protection Actions | 3, 7.1, 7.2, 7.3
RG 1.63 | Electric Penetration Assemblies in Containment Structures for Water-Cooled Nuclear Power Plants | 3
RG 1.68 | Preoperational and Initial Startup Test Programs for Water-Cooled Power Reactors | 3, 14
RG 1.70 | Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants, Rev. 2 | 3, 7
RG 1.73 | Qualification Test of Electric Valve Operators Installed Inside the Containment | 3
RG 1.75 | Physical Independence of Electric Systems | 3, 7.1, 7A
RG 1.78 | Assumptions for Evaluating the Habitability of a Nuclear Plant Control Room During a Postulated Chemical Release | 7
RG 1.79 | Pre-operational Testing of Emergency Core Cooling Systems for Pressurized Water Reactors | 14
RG 1.81 | Shared Emergency and Shutdown Electric Systems for Multi-Unit Nuclear Power Plants | 3, 8
RG 1.89 | Qualification of Class 1E Equipment for Nuclear Power Plants | 3
RG 1.95 | Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release | 7
RG 1.97 | Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident | 7.1, 7.5
RG 1.100 | Seismic Qualification of Electric Equipment for Nuclear Power Plants | 3, 7.1
RG 1.105 | Instrument Spans and Setpoints | 7.1.2.2.1 (Tables 2.2-1 & 3.3-4)
RG 1.106 | Thermal Overload Protection for Electric Motors on Motor-Operated Valves | 7A.6
RG 1.108 | Periodic Testing of Diesel Generators Used as Onsite Electric Power System at Nuclear Power Plants | 8
RG 1.118 | Periodic Testing of Electric Power & Protection Systems | 7.1.2.2.9, 7.1.2.2.10, 7.3.2.2.6, 7.5.3.3.10, 7.5.3.3.17, 7A.9, 8
RG 1.120 | Fire Protection Guidelines for Nuclear Power Plants | 7.1.2.2.5, 9.5

4. Branch Technical Positions (BTP) EICSB:
BTP EICSB 3 | Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System | 7.6.2
BTP EICSB 4 | Requirements on Motor-Operated Valves in the ECCS Accumulator Lines | 7.3, 7A.6
BTP EICSB 5 | Scram Breaker Test Requirements - Technical Specifications | 7.1.2.2.11, 16 (Table 4.3-1, Item 21)
BTP EICSB 9 | Definition and Use of "Channel Calibration" - Technical Specifications | Ch. 16 (Table 4.3-1, Item 2)
BTP EICSB 10 | Electrical and Mechanical Equipment Seismic Qualification Program | 7.1.2.2.4, 3.10
BTP EICSB 12 | Protection System Trip Point Changes for Operation with Reactor Coolant Pumps Out of Service | 7.1.2.2.15, 7.2.1.1.1, 7.2.1.1.2, 7.2.1.1.9
BTP EICSB 13 | Design Criteria for Auxiliary Feedwater Systems | 7.3
BTP EICSB 14 | Spurious Withdrawals of Single Control Rods in Pressurized Water Reactors | 7.7.2.2, 15.2.1, 15.2.2, 15.3.6
BTP EICSB 15 | Reactor Coolant Pump Breaker Qualification | Not applicable
BTP EICSB 16 | Control Element Assembly (CEA) Interlocks in Combustion Engineering Reactors | Not applicable
BTP EICSB 18 | Application of the Single Failure Criteria to Manually-Controlled Electrically-Operated Valves | Tech. Spec. 3/4.5 (Ch. 16), 7A.13
BTP EICSB 19 | Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems | Not applicable
BTP EICSB 20 | Design of Instrumentation and Controls Provided to Accomplish Changeover from Injection to Recirculation Mode | 7.6.4, 6.3
BTP EICSB 21 | Guidance for Application of Reg. Guide 1.47 | 3A, 7.1.2.2.13, 7A.5
BTP EICSB 22 | Guidance for Application of Reg. Guide 1.22 | 3A, 7.1.1.2.7, 7.1.2.2.10, 7A.9
BTP EICSB 23 | Qualification of Safety-Related Display Instrumentation for Post-Accident Condition Monitoring and Safe Shutdown | 3.10, 3.11, 7.5
BTP EICSB 24 | Testing of Reactor Trip System and Engineered Safety Feature Actuation System Sensor Response Time | 7.1.2.2.9, 7.3.2.2.6, 7.5.3.3.10, 7A.9
BTP EICSB 25 | Guidance for the Interpretation of General Design Criterion 37 for Testing the Operability of the Emergency Core Cooling System as a Whole | 3.1.2.4, 7.3.2.2.6
BTP EICSB 26 | Requirements for Reactor Protection System Anticipatory Trips | 7.2.1.1.6
BTP EICSB 27 | Design Criteria for Thermal Overload Protection for Motors of Motor-Operated Valves | 7A.6, 8

FIGURE 7.1-1 INTEGRATED PROTECTION SYSTEM ARCHITECTURE (SHEET 1 OF 3) [proprietary figure; drawing not reproduced in this scan]

FIGURE 7.1-1 INTEGRATED PROTECTION SYSTEM ARCHITECTURE (SHEET 2 OF 3) [proprietary figure; drawing not reproduced in this scan]

FIGURE 7.1-1 INTEGRATED PROTECTION SYSTEM ARCHITECTURE (SHEET 3 OF 3) [proprietary figure; drawing not reproduced in this scan]

FIGURE 7.1-2 (FOLDOUT) "IPS SYSTEM BLOCK DIAGRAM" [proprietary; not reproduced]

FIGURE 7.1-3 N.I.S. DETECTOR LOCATIONS [drawing not reproduced; legend recoverable from the scan: detector locations for channel sets I through IV; detectors are the power range multi-excore uncompensated ionization chambers and the source range proportional counter and intermediate range compensated ionization chamber]

FIGURE 7.1-4 INTEGRATED PROTECTION SYSTEM - CABINET / SUBSYSTEM CONCEPTUAL ARRANGEMENT [drawing not reproduced; notes recoverable from the scan: (2) the assembly at the bottom of each bay is a blower; (3) the four panels located near the middle of the four bays are operator interface panels (the panel in the second bay from the left is currently a spare panel)]

FIGURE 7.1-5 IPC FUNCTIONAL BLOCK DIAGRAM [drawing not reproduced; blocks labelled on the scan include PSMS, ICC, ACR computer, RT groups 1 and 2, ESF groups 1 and 2, other IPCs, the GT trip bus, TE, and the reactor trip breakers]

[Figure page with no recoverable caption; proprietary]

FIGURE 7.1-7 IPC - GLOBAL TRIP SUBSYSTEM BLOCK DIAGRAM (GT) [proprietary figure; drawing not reproduced]

FIGURE 7.1-8 IPC - TRIP ENABLE SUBSYSTEM BLOCK DIAGRAM [proprietary figure; drawing not reproduced]

FIGURE 7.1-9 TYPICAL RT GROUP SUBSYSTEM ARCHITECTURE [proprietary figure; drawing not reproduced]

FIGURE 7.1-11 AUTOMATIC TESTER SUBSYSTEM ARCHITECTURE [drawing not reproduced; blocks labelled on the scan include dynamic trip bus test, digital I/O, automatic tester, analog and digital test signal outputs, and the data link to other subsystems in this cabinet]

[Figure page with no recoverable caption]

FIGURE 7.1-13 ESFAC ARCHITECTURE [proprietary figure; drawing not reproduced]

FIGURE 7.1-14 FRONT-MOUNTED EQUIPMENT SKETCH [drawing not reproduced; front and rear views showing the CPU card frame, 2/3 I/O card, electrical/optical data highway interface, I/O card interface panel and test/maintenance panel]

[Figure page with no recoverable caption; proprietary]

FIGURE 7.1-16 EXAMPLE OF REACTOR TRIP VOTING LOGIC SHOWING CHANNEL PARTIAL TRIPS AND CHANNEL SET TRIPS [proprietary figure; drawing not reproduced]

FIGURE 7.1-17 REACTOR TRIP SWITCHGEAR [drawing not reproduced; labels recoverable from the scan: rod drive motor-generator set, reactor trip switchgear cabinets 1 and 2 (breakers of trains I through IV), rod control cabinet]

FIGURE 7.1-18 ALTERNATIVE METHODS - OPTICAL ISOLATION [proprietary figure; drawing not reproduced]

7.2 REACTOR TRIP

7.2.1 Description

Considerations such as mechanical or hydraulic limitations on equipment or heat transfer requirements on the reactor core define a safe operating region for the nuclear steam supply system (NSSS). Maneuvering of the plant within this safe operating region is permitted in response to normal power generation demands. The NSSS design provides margin to the safety limits such that an unsafe condition is not caused by the transients induced by normal operating changes. The plant control system attempts to keep the reactor operating away from any safety limit. However, excursions toward a limit may occur because of abnormal demands on the generating station, malfunctions in the control system, or severe transients induced by occurrence of a Condition II or III event (see Chapter 15). Hypothetical events (Condition IV) are analyzed with respect to plant safety limits. The safety system ensures that the reactor is kept operating within the safe region by shutting down the reactor whenever safety limits are approached. Reactor trip is a protective function performed by the integrated protection system when it anticipates an approach of a parameter to its safety limit. Reactor shutdown occurs when electrical power is removed from the shutdown, gray, and control rod drive mechanism coils, allowing the rods to fall by gravity into the reactor core.

The equipment involved in reactor trip is listed below and is shown in simplified block diagram form in Figure 7.2-2. Refer to Subsections 7.1.1.2 and 7.1.1.3 for a description of the equipment itself. The equipment involved is:

1. Integrated Protection System (4 redundant channel sets)
   a. Sensors and manual inputs
   b. Integrated protection cabinets (IPCs)

2. Protective Action System (4 redundant reactor trip actuation trains)
   a. Reactor trip switchgear
   b. Control and shutdown rods

The integrated protection system maintains surveillance on key process variables which are directly related to equipment mechanical limitations, such as pressure, and on variables which directly affect the heat transfer capability of the reactor, such as flow and temperature. Some limits, such as DNBR, are calculated in the integrated protection cabinets from other parameters when direct measurement of the variable is not possible. The variables monitored for reactor trip are listed in Table 7.2-4.

Normally, four redundant measurements, using four separate sensors, are made for each variable used for reactor trip. Selected analog measurements are converted to digital form by analog-to-digital converters within the integrated protection cabinets. Signal conditioning may be applied to selected inputs following the conversion to digital form. Following necessary calculations and processing, the measurements are compared against the applicable setpoint for that variable. A partial trip signal for the given parameter is generated if one channel's measurement exceeds its predetermined or calculated limit. All processing on all variables for reactor trip is duplicated in each of the four redundant segments of the integrated protection system, called channel sets. Each channel set sends its channel's partial trip status to each of the other three channel sets over isolated multiplexed links. Each channel set is capable of generating a reactor trip signal if two or more of the redundant channels of a single variable are in the partial trip state.

The reactor trip signal from each of the four integrated protection cabinets is sent to a corresponding reactor trip actuation train of the protective action system. (See Figure 7.1-16)

Each of the four reactor trip actuation trains consists of two reactor trip circuit breakers. The reactor is tripped when two or more actuation trains receive a reactor trip signal. This automatic trip demand initiates the following two actions: 1) it deenergizes the undervoltage trip attachments (UVTAs) on the reactor trip breakers, and 2) it energizes the shunt trip devices on the reactor trip breakers. Either action causes the breakers to trip. Opening of the appropriate trip breakers removes power to the rod drive mechanism coils, allowing the rods to fall into the core. This rapid negative reactivity insertion shuts down the reactor.

Bypasses of parameter channels used to generate reactor trip signals and of reactor trip actuation trains are permitted as described in Subsection 7.2.1.1.10. The single failure criterion is met even when one or two channels or reactor trip actuation trains are bypassed. The reactor is automatically tripped if an attempt is made to bypass three or four channels or trains.
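The coincidence scheme described above (partial trips exchanged between channel sets over isolated links, a two-out-of-four vote in each channel set, each channel set driving its own actuation train, and a reactor trip when two or more trains receive the signal) can be modelled end to end. The following is an added example written for this page, not Westinghouse code and not taken from the RESAR-SP/90 design. The setpoint and measurements are constructed values, and the way the coincidence degrades under bypass (2-of-4 with none bypassed, 2-of-3 with one, 1-of-2 with two, forced trip with three or four) is an assumption chosen so that the single failure criterion the text claims for one or two bypassed channels actually holds; the page itself states only the forced trip at three or four.

```python
"""Two-out-of-four reactor trip voting with channel bypass and train-level
coincidence (added illustration, not Westinghouse code). The 2/4 -> 2/3 -> 1/2
degradation under bypass is an assumption; the forced trip at three or more
bypasses is what the text states."""
from enum import Enum

CHANNEL_SETS = ("I", "II", "III", "IV")   # four redundant channel sets


class Status(Enum):
    NORMAL = "normal"
    PARTIAL_TRIP = "partial trip"
    BYPASSED = "bypassed"


def channel_status(measurement, setpoint, bypassed):
    """Setpoint comparison performed on one channel in its own IPC."""
    if bypassed:
        return Status.BYPASSED
    return Status.PARTIAL_TRIP if measurement > setpoint else Status.NORMAL


def coincidence_vote(statuses):
    """Vote performed independently in each channel set on the four partial-trip
    statuses (its own plus the three received over isolated links).
    Three or four bypasses force a trip."""
    bypassed = sum(s is Status.BYPASSED for s in statuses)
    if bypassed >= 3:
        return True
    tripped = sum(s is Status.PARTIAL_TRIP for s in statuses)
    required = 2 if bypassed <= 1 else 1     # assumption: 2/4, 2/3, then 1/2
    return tripped >= required


def train_trip_signals(measurements, setpoint, bypassed, failed_ipcs=()):
    """Trip signal each channel set sends to its own actuation train.
    A failed IPC (the single failure) is modelled as never issuing a trip;
    the other three channel sets still vote on the same four statuses."""
    statuses = [channel_status(m, setpoint, b) for m, b in zip(measurements, bypassed)]
    return {name: (name not in failed_ipcs) and coincidence_vote(statuses)
            for name in CHANNEL_SETS}


def reactor_tripped(train_signals):
    """Protective action system: each train holds two breakers, and the reactor
    is tripped when two or more of the four trains receive a trip signal."""
    return sum(train_signals.values()) >= 2


def evaluate(measurements, setpoint, bypassed=(False,) * 4, failed_ipcs=()):
    """End to end: sensors -> channel sets -> actuation trains -> breakers."""
    return reactor_tripped(train_trip_signals(measurements, setpoint, bypassed, failed_ipcs))


if __name__ == "__main__":
    sp = 109.0                                    # constructed setpoint, % power
    print(evaluate([100, 101, 100, 99], sp))      # no channel in partial trip
    print(evaluate([112, 100, 111, 99], sp))      # 2/4 partial trips: trip
    print(evaluate([112, 100, 100, 99], sp, bypassed=(False, True, False, False)))
    print(evaluate([112, 100, 111, 99], sp, failed_ipcs=("II",)))   # 3 trains vote
    print(evaluate([100] * 4, sp, bypassed=(True, True, True, False)))  # forced trip
```

Running the script prints the five cases; the failed-IPC case is the interesting one, because a channel set that never issues a trip still leaves three trains voting, so the two-out-of-four train-level coincidence is met with a single failure present.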

Subsection 7.2.1.1 provides a description of each of the reactor trip functions. Subsection 7.2.1.2 provides the design bases information as required by Section 3 of IEEE 279-1971. Subsection 7.2.2 discusses conformance of the reactor trip function to the requirements stated in Section 4 of IEEE 279-1971. The functional diagrams for reactor trips, as well as for other protective functions, are presented in Figure 7.2-1.

7.2.1.1 Functional Description

The following subsections describe the specific reactor trip functions and are grouped according to the following eight conditions:

1. Nuclear Startup Trips (Subsection 7.2.1.1.1)
2. Nuclear Overpower Trips (Subsection 7.2.1.1.2)
3. Core Heat Removal Trips (Subsection 7.2.1.1.3)
4. Primary Overpressure Trips (Subsection 7.2.1.1.4)
5. Loss of Heatsink Trips (Subsection 7.2.1.1.5)
6. Excessive Cooldown Trips (Subsection 7.2.1.1.6)
7. Turbine Trip (Subsection 7.2.1.1.7)

Table 7.2-1 lists the reactor trips and summarizes the coincidence logic to trip. The interlocks for each trip are given on Table 7.2-2. System level manual inputs to reactor trip functions are given on Table 7.2-3.

7.2.1.1.1 Nuclear Startup Trips

1. Source Range High Neutron Flux Trip

Source range high neutron flux trips the reactor when two of the four source range channels exceed the trip setpoint. This trip, which provides protection during reactor startup and plant shutdown, can be manually blocked when the intermediate range channels read above the P-6 setpoint value and is automatically reinstated when the intermediate range channels decrease below the P-6 setpoint value. This trip is automatically blocked by the power range protection interlock (P-10) and automatically reinstated below P-6. The source range trip setpoint is set between the P-6 setpoint (source range cutoff power level) and the maximum source range power level. The channels can be individually bypassed at the integrated protection cabinets to permit channel testing during plant shutdown or prior to startup. This bypass action is indicated on the control board.

The logic for this trip is shown on Figure 7.2-1, sheet 3. The development of permissive P-6 is shown on Figure 7.2-1, sheet 3, and P-10 is shown on Figure 7.2-1, sheet 4.

2. Intermediate Range High Neutron Flux Trip

Intermediate range high neutron flux trips the reactor when two of the four intermediate range channels exceed the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if the power range channels are above approximately 10 percent power (P-10). The trip is automatically reinstated when the power range channels indicate less than 10 percent power. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the integrated protection cabinets to permit channel testing during plant shutdown or prior to startup. This bypass action is indicated on the control board.

The logic for this trip is shown on Figure 7.2-1, sheet 3. The development of permissive P-10 is shown on Figure 7.2-1, sheet 4.

3. Power Range High Neutron Flux Trip (Low Setpoint)

Power range high neutron flux (low setpoint) trips the reactor when two of the four power range channels exceed the trip setpoint.

The trip, which provides protection during startup, can be manually blocked when the power range channels read above approximately 10 percent power (P-10). The trip is automatically reinstated when the power range channels indicate less than 10 percent power.

Channel bypass capability exists for each of the four channels as described in Subsection 7.1.2.2.11.

The logic for this trip is shown on Figure 7.2-1, sheet 3. The development of permissive P-10 is shown on Figure 7.2-1, sheet 4.

7.2.1.1.2 Nuclear Overpower Trips

1. Power Range High Neutron Flux Trip (High Setpoint)

Power range high neutron flux (high setpoint) trips the plant when two of the four power range channels exceed the trip setpoint. It provides protection against excessive core power generation during normal operation and is always active. The logic for this trip is shown on Figure 7.2-1, sheet 4.

2. High Positive Flux Rate Reactor Trip

This trip protects the reactor when a sudden abnormal increase in power occurs in two out of the four power range channels. It provides DNB protection against ejection accidents of low worth rods from midpower and is always active. A channel is tripped when rate sensitive circuits in the channel detect rates of change in nuclear power above the setpoint value. The channel trip is latched by a memory such that the partial trip signal does not disappear when the rate of change in power goes below the setpoint value. Once latched, the channel can only be reset from the control board by manual action. The reactor is tripped when two out of the four rate channels have tripped.

Channel bypass capability exists for each of the four channels as described in Subsection 7.1.2.2.11.

The logic for this trip is shown on Figure 7.2-1, sheet 4.

3. High Negative Flux Rate Reactor Trip

This trip protects the reactor when a sudden abnormal decrease in power occurs in two out of the four power range channels. It provides DNB protection against dropped control rods and is always active. A channel is tripped when rate sensitive circuits in the channel detect rates of change in nuclear power above the setpoint value. The channel trip is latched by a memory such that the partial trip signal does not disappear when the rate of change in power goes below the setpoint value. Once latched, the channel can only be reset from the control board by manual action. The reactor is tripped when two out of the four rate channels have tripped.

Channel bypass capability exists for each of the four channels as described in Subsection 7.1.2.2.11.

The logic for this trip is shown on Figure 7.2-1, sheet 4.
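The latching behaviour of the positive and negative flux rate channels (partial trip set when the rate of change exceeds the setpoint, held by a memory after the rate subsides, and cleared only by manual action from the control board) is shown below as an added example; it is not code from this page or from Westinghouse. The rate setpoint, sampling period and power traces are constructed values, and the channel output would feed the two-out-of-four coincidence described earlier in this section.

```python
"""Latched flux-rate partial trip for one power range channel (added
illustration, not Westinghouse code). Setpoint and sampling period are
assumed values."""


class FluxRateChannel:
    """Rate-sensitive circuit with memory: the partial trip latches when the
    rate of change of nuclear power exceeds the setpoint in the watched
    direction, and only a manual reset clears it."""

    def __init__(self, rate_setpoint, dt, positive):
        self.rate_setpoint = rate_setpoint   # % rated power per second (assumed)
        self.dt = dt                         # sampling period in seconds (assumed)
        self.positive = positive             # True: positive-rate trip, False: negative
        self.prev = None                     # previous power sample
        self.latched = False                 # the memory

    def sample(self, power):
        """Feed one power sample; return the channel's partial-trip state."""
        if self.prev is not None:
            rate = (power - self.prev) / self.dt
            excursion = rate if self.positive else -rate
            if excursion > self.rate_setpoint:
                self.latched = True          # stays set after the rate subsides
        self.prev = power
        return self.latched

    def manual_reset(self):
        """Control board action: the only way the latch is cleared. If the rate
        is still above the setpoint, the next sample re-latches the channel."""
        self.latched = False
        return self.latched


def run_trace(channel, trace):
    """Partial-trip state after each sample of a power trace."""
    return [channel.sample(p) for p in trace]


if __name__ == "__main__":
    trace = [100.0, 100.0, 108.0, 108.0, 100.0]     # constructed, % rated power
    print(run_trace(FluxRateChannel(5.0, 1.0, positive=True), trace))
    print(run_trace(FluxRateChannel(5.0, 1.0, positive=False), trace))
```

The first trace shows the positive-rate channel latching on the +8 %/s step and staying tripped through the later -8 %/s drop; the negative-rate channel ignores the rise and latches only on the drop.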

7.2.1.1.3 Core Heat Removal Trips

1. Reactor Trip on Low DNB Ratio (DNBR)

This function protects the reactor core against departure from nucleate boiling (DNB) by tripping the reactor when the N-16 measured thermal power (Q-16) exceeds the DNB ratio trip setpoint. The setpoint for this trip is calculated continuously by digital processing techniques for each reactor coolant loop as discussed below. Nitrogen-16 (N-16) monitors located on the hot and cold legs of each coolant loop are used to measure the thermal power level. Bypass capability for each channel exists as discussed in Subsection 7.1.2.2.11. The logic for this trip is shown on Figure 7.2-1, sheet 5.

Refer to Figure 7.2-3 for the following discussion. The DNBR trip setpoint (Q_DNB) for each channel is determined by selecting the most limiting value of any of the following thermal power limits:

a. the thermal power at which exit boiling begins (Q_1); or
b. the thermal power at which the core hot channel exit quality limit is reached (Q_2); or
c. the thermal power at which the DNBR limit is reached in any of three potentially limiting cells (Q_3, Q_4, Q_5).


The above thermal power values are computed by the following equations:

a. $Q_1 = Q_{ref,1} \cdot \dfrac{F_{\Delta H}^{ref}}{F_{\Delta H}}$

b. $Q_2 = Q_{ref,2} \cdot \dfrac{F_{\Delta H}^{ref}}{F_{\Delta H}}$

c. $Q_3 = Q_{ref,3} \cdot \dfrac{F_{\Delta H}^{ref}}{F_{\Delta H}} \cdot f_1(\mathrm{Max\,PIP})$

d. $Q_4 = Q_{ref,4} \cdot \dfrac{F_{\Delta H}^{ref}}{F_{\Delta H}} \cdot f_2(\mathrm{Max\,PIP})$

e. $Q_5 = Q_{ref,5} \cdot \dfrac{F_{\Delta H}^{ref}}{F_{\Delta H}}$

where $Q_{ref,i}$ is defined as:

$$Q_{ref,i} = A_i \,\frac{1+\tau_1 s}{1+\tau_2 s}\, T_{in} + B_i P + C_i \,\frac{1+\tau_1 s}{1+\tau_2 s}\, T_{in} P + D_i$$

where i = 1 for use in the $Q_1$ calculation, i = 2 for use in the $Q_2$ calculation, i = 3 for use in the $Q_3$ calculation, i = 4 for use in the $Q_4$ calculation, and i = 5 for use in the $Q_5$ calculation.


The parameters in the above equations are as follows.

$A_i$, $B_i$, $C_i$, and $D_i$ are preset manually-adjustable constants characteristic of the reactor core design. They are based on the effects of coolant inlet temperature and pressure on the thermal power limits. The constants are specified in the Technical Specifications.

$T_{in}$ is the core inlet coolant temperature (°F) and is obtained from the fast response resistance temperature detectors (RTDs) located in the cold leg of each coolant loop.

P is the pressurizer pressure (psia) and is obtained from sensors connected to taps at the top of the pressurizer.

$\tau_1$ and $\tau_2$ are time constants (seconds) and are specified in the Technical Specifications.

$s$ is the Laplace transform operator (seconds$^{-1}$).

$F_{\Delta H}^{ref}$ is a preset constant which is characteristic of the reactor core design. $F_{\Delta H}^{ref}$ is specified in the Technical Specifications.

$F_{\Delta H}$ is the nuclear enthalpy rise hot channel factor, and is defined as the ratio of the integral of linear power along the rod with the highest integrated power to the average rod power. $F_{\Delta H}$ is primarily a function of control rod position and reactor power. The insertion limit for the control rods, however, is specified in the Technical Specifications. Therefore, a bounding empirical relationship between power and $F_{\Delta H}$ can be developed. It is specified in the Technical Specifications. This correlation provides conservatism since the control rods are seldom at or near their rod insertion limits. The power measurement used is the N-16 power monitor input to each protection channel set. No additional compensation is provided in the protection system calculation of $F_{\Delta H}$ to account for operation with a misaligned RCCA. Continued operation with a misaligned RCCA is not considered to be a normal mode of operation.

$f_1(\mathrm{Max\,PIP})$ is a function of the parameter Max PIP. Max PIP is the maximum power times integrated power and is the maximum, over J, of:

$$\mathrm{PIP}(J) = P_z(J) \cdot \frac{1}{J}\sum_{i=1}^{J} P_z(i), \qquad J = 1, \ldots, 26$$

$P_z$ in the above equation is a normalized vector containing 26 elements representing the core axial power distribution at 26 equi-spaced points from core bottom to core top. It is continuously computed using core axial power information supplied by the four-section excore neutron detectors. $P_z$ is calculated from:

$$P_z = A \times D$$

where $P_z$ is the 26-element vector containing the normalized axial flux distribution; $A$ is the 26 by 4 matrix of conversion coefficients (one row per axial point, one column per detector section) and is calibrated during core life by incore flux maps; and $D$ is a 4-element vector containing the output signals from the four segments of the excore detector.

Max PIP is a measure of the axial power distribution. $f_1(\mathrm{Max\,PIP})$ reduces the typical cell thermal power limit ($Q_3$) when the measured axial power distribution is worse in terms of DNB than the reference axial power distribution which was used in determining the thermal power limits; $f_1(\mathrm{Max\,PIP})$ increases $Q_3$ when the converse is true. $f_2(\mathrm{Max\,PIP})$ is identical to $f_1(\mathrm{Max\,PIP})$ except that $f_2$ defines the axial power distribution effect on the thimble cell thermal power limit ($Q_4$). Both $f_1$ and $f_2$ are determined in the design of the core and are specified in the Technical Specifications as $Q_3/Q_{ref,3} = f_1(\mathrm{Max\,PIP})$ and $Q_4/Q_{ref,4} = f_2(\mathrm{Max\,PIP})$.
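As an added worked example (not part of the RESAR text and not Westinghouse code), the following Python carries the $Q_{DNB}$ selection through at steady state, where the lead-lag $(1+\tau_1 s)/(1+\tau_2 s)$ on $T_{in}$ is unity. Every numeric constant ($A_i$ through $D_i$, $F_{\Delta H}^{ref}$, the $f_1$ and $f_2$ shape functions, and the conversion matrix $A$, built here by linear interpolation between detector section centres) is constructed for illustration; in the plant these come from the Technical Specifications and from incore flux map calibration. Normalising $P_z$ to an average of 1.0 is likewise an assumption.

```python
"""Steady-state DNBR trip setpoint Q_DNB = min(Q_1..Q_5), following the structure
described above. Added illustration; all constants are constructed, not Tech Spec values."""

N_AXIAL = 26      # axial points in P_z
N_SECTIONS = 4    # sections of each multi-sectional excore detector

# Constructed (A_i, B_i, C_i, D_i) for i = 1..5; Q_ref,i comes out as a fraction of rated power.
CONSTS = {
    1: (-0.0050, 0.0000, 0.0e-6, 4.00),
    2: (-0.0060, 0.0002, 0.0e-6, 4.20),
    3: (-0.0055, 0.0004, 1.0e-6, 2.19),
    4: (-0.0050, 0.0004, 0.0e-6, 3.15),
    5: (-0.0050, 0.0000, 0.0e-6, 4.10),
}
F_DH_REF = 1.50   # constructed reference enthalpy-rise hot channel factor


def f1(max_pip):
    """Constructed Q3/Q_ref3 = f1(Max PIP): 1.0 at the reference shape (Max PIP = 1.0),
    lower for a worse shape, higher for a better one, clamped to [0.5, 1.2]."""
    return min(1.2, max(0.5, 1.0 - 0.5 * (max_pip - 1.0)))


def f2(max_pip):
    """Constructed thimble-cell counterpart Q4/Q_ref4 = f2(Max PIP)."""
    return min(1.2, max(0.5, 1.0 - 0.4 * (max_pip - 1.0)))


def build_conversion_matrix():
    """Constructed 26 x 4 matrix A: each axial point is a linear blend of the two nearest
    detector-section centres (z = 1/8, 3/8, 5/8, 7/8 of core height). In the plant, A is
    calibrated from incore flux maps."""
    centres = [(2 * k + 1) / 8 for k in range(N_SECTIONS)]
    A = []
    for j in range(N_AXIAL):
        z = (j + 0.5) / N_AXIAL
        row = [0.0] * N_SECTIONS
        if z <= centres[0]:
            row[0] = 1.0
        elif z >= centres[-1]:
            row[-1] = 1.0
        else:
            k = max(i for i in range(N_SECTIONS - 1) if centres[i] <= z)
            w = (z - centres[k]) / (centres[k + 1] - centres[k])
            row[k], row[k + 1] = 1.0 - w, w
        A.append(row)
    return A


def axial_distribution(A, D):
    """P_z = A x D, normalised so its 26 elements average to 1.0 (assumption)."""
    raw = [sum(a * d for a, d in zip(row, D)) for row in A]
    mean = sum(raw) / len(raw)
    return [x / mean for x in raw]


def max_pip(P_z):
    """Max over J of PIP(J) = P_z(J) * (1/J) * sum_{i=1..J} P_z(i)."""
    running, best = 0.0, float("-inf")
    for J, p_j in enumerate(P_z, start=1):
        running += p_j
        best = max(best, p_j * running / J)
    return best


def q_ref(i, T_in, P, consts=CONSTS):
    """Q_ref,i at steady state: the (1 + tau1 s)/(1 + tau2 s) lead-lag on T_in is unity."""
    A_i, B_i, C_i, D_i = consts[i]
    return A_i * T_in + B_i * P + C_i * T_in * P + D_i


def dnbr_setpoint(T_in, P, F_dH, mpip, consts=CONSTS, F_dH_ref=F_DH_REF):
    """Return (Q_DNB, {i: Q_i}). Q_DNB is the most limiting of Q_1..Q_5; only Q_3 and Q_4
    carry the axial-shape factors f1 and f2."""
    ratio = F_dH_ref / F_dH
    shape = {3: f1(mpip), 4: f2(mpip)}
    q = {i: q_ref(i, T_in, P, consts) * ratio * shape.get(i, 1.0) for i in range(1, 6)}
    return min(q.values()), q


def channel_partial_trip(Q16, T_in, P, F_dH, mpip):
    """One channel set's comparator: partial trip when N-16 thermal power exceeds Q_DNB."""
    q_dnb, _ = dnbr_setpoint(T_in, P, F_dH, mpip)
    return Q16 > q_dnb


if __name__ == "__main__":
    A = build_conversion_matrix()
    for label, D in (("flat", [1.0, 1.0, 1.0, 1.0]), ("top-peaked", [0.8, 0.9, 1.1, 1.2])):
        mp = max_pip(axial_distribution(A, D))
        q_dnb, q = dnbr_setpoint(560.0, 2250.0, 1.60, mp)
        print(f"{label:11s} Max PIP={mp:.3f}  Q_DNB={q_dnb:.4f}  limiting: Q{min(q, key=q.get)}")
```

With the constructed constants, a flat axial shape leaves the exit-boiling limit $Q_1$ as the most limiting value; once Max PIP rises above the reference shape, $f_1$ pulls $Q_3$ down and the typical-cell DNB limit becomes the setpoint, which is the behaviour the text describes for a shape that is worse in terms of DNB.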


2. Reactor Trip on High KW/ft

This function protects against excessive fuel rod power by tripping the reactor when the peak local power in the core exceeds the kilowatts per foot (KW/ft) trip setpoint. The peak local power in the core is calculated continuously for each channel set as discussed below. N-16 power monitors located in the hot leg of each coolant loop are employed to measure thermal power. Channel bypass capability exists for each of the four channels. See Figure 7.2-1, sheet 5 for logic for the KW/ft trip.


Refer to Figure 7.2-4 for the following discussion. The KW/ft setpoint is specified in the Technical Specifications. The peak power level in the core is compared against the setpoint value and is calculated by determining the maximum of:

$$Q(J) = Q_{16} \cdot P_z(J) \cdot F_{xy}(J) \cdot U \cdot S(J), \qquad J = 1, \ldots, 26$$

$Q_{16}$ is the core thermal power level as determined by the N-16 power measurements.

$P_z(J)$ is the normalized axial flux distribution vector that was discussed in the DNBR reactor trip in the preceding subsection.

$U$ is a constant for conversion of power to a KW/ft value and is specified in the Technical Specifications.

$S(J)$ is the densification spike penalty (preset at 26 elevations) and is specified in the Technical Specifications.

$F_{xy}(J)$ is a vector containing the magnitude of the core radial peaking factor at 26 equi-spaced elevations from core bottom to core top. Like $F_{\Delta H}$, as described in the DNBR calculation, $F_{xy}(J)$ at elevation J is primarily a function of control rod position and core power. Hence a simple correlation between nuclear power and $F_{xy}(J)$ is employed in the calculation. This correlation is determined based on core flux maps taken at different times during core life. No additional compensation is provided in the protection system calculation of $F_{xy}(J)$ to account for operation with a misaligned RCCA. Continued operation with a misaligned RCCA is not considered to be a normal mode of operation.
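An added worked example (not from the RESAR text and not Westinghouse code): the peak kW/ft search described above, carried through in Python. $P_z$ is taken as already computed from the excore detectors, as in the DNBR discussion; the $F_{xy}$-versus-power correlation, the conversion constant $U$, and the densification spike penalties $S(J)$ are constructed placeholders, not Technical Specification values.

```python
"""Peak local power for the high kW/ft trip: max over the 26 axial points of
Q_16 * P_z(J) * F_xy(J) * U * S(J). Added illustration; every constant is constructed."""

N_AXIAL = 26

# Constructed correlation of F_xy with fraction of rated power. Rods are deeper in the core
# at low power, so the radial peaking factor is taken to rise as power falls. The real
# correlation is fitted to flux maps taken during core life.
F_XY_TABLE = [(0.0, 1.70), (0.5, 1.60), (1.0, 1.50)]

U_KW_PER_FT = 5.45            # constructed: kW/ft per unit of (power fraction x peaking)
S_SPIKE = [1.0] * N_AXIAL     # constructed densification spike penalties ...
S_SPIKE[24] = S_SPIKE[25] = 1.03   # ... 3 percent at the top two elevations


def f_xy(power_fraction):
    """Piecewise-linear interpolation in F_XY_TABLE, clamped at both ends."""
    pts = F_XY_TABLE
    if power_fraction <= pts[0][0]:
        return pts[0][1]
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        if power_fraction <= x1:
            return y0 + (y1 - y0) * (power_fraction - x0) / (x1 - x0)
    return pts[-1][1]


def peak_kw_per_ft(Q16, P_z, F_xy_of_J=None, U=U_KW_PER_FT, S=S_SPIKE):
    """Return (peak kW/ft, J of the peak with J = 1..26).

    Q16 is the N-16 thermal power as a fraction of rated. When no per-elevation F_xy(J)
    vector is supplied, the power correlation f_xy(Q16) is applied at every elevation."""
    F = [f_xy(Q16)] * N_AXIAL if F_xy_of_J is None else F_xy_of_J
    q = [Q16 * P_z[j] * F[j] * U * S[j] for j in range(N_AXIAL)]
    j_max = max(range(N_AXIAL), key=q.__getitem__)
    return q[j_max], j_max + 1


def kw_ft_partial_trip(Q16, P_z, setpoint_kw_ft):
    """One channel set's comparator: partial trip when the peak exceeds the setpoint."""
    return peak_kw_per_ft(Q16, P_z)[0] > setpoint_kw_ft


if __name__ == "__main__":
    flat = [1.0] * N_AXIAL
    peaked = list(flat)
    peaked[9] = 1.3            # constructed shape with a local bump at J = 10
    for label, shape in (("flat", flat), ("peaked", peaked)):
        peak, J = peak_kw_per_ft(1.0, shape)
        print(f"{label:7s} peak {peak:.3f} kW/ft at J={J}, trip at 9.0: "
              f"{kw_ft_partial_trip(1.0, shape, 9.0)}")
```

For a flat shape the densification penalty alone moves the peak to the top of the core (J = 25); the local bump at J = 10 in the second case overrides it and crosses the constructed 9.0 kW/ft setpoint.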

3. Reactor Trip on Low Pressurizer Pressure

The purpose of this trip is to protect against low pressure which could lead to DNB. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-10 the reactor is tripped when the pressurizer pressure measurements (compensated for rate of change) fall below preset limits. This trip is blocked below P-10 to permit startup.

The logic for this trip is shown on Figure 7.2-1, sheet 5. The development of the P-7 permissive is shown on Figure 7.2-1, sheet 4.

4. Reactor Trip on Low Reactor Coolant Flow

The parameter sensed is reactor coolant flow. Four elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow has occurred. A partial trip signal from two out of the four channels in a loop would indicate a low flow in that loop. Below P-7 the reactor trips on this function are blocked. Above P-7, but below the P-8 setpoint, reactor trip will occur if two out of the four loops have a low flow condition. Above the P-8 setpoint, low flow in any one loop will cause a reactor trip.

Bypass capability exists for each of the four channels in each of the four loops, as discussed in Subsection 7.1.2.2.11.

The logic for this trip is shown on Figure 7.2-1, sheet 5. The development of permissives P-7 and P-8 is shown on Figure 7.2-1, sheet 4.


5. Reactor Trip on Reactor Coolant Pump Underspeed

This function protects the reactor core from DNB in the event of loss of flow in more than one loop by tripping the reactor when the speed on two out of the four reactor coolant pumps falls below the setpoints. Loss of flow in more than one loop could be caused by a voltage or frequency transient in the plant power supply such as would occur during a station blackout, or by accidental opening of more than one RCP circuit breaker.

There is one speed detector mounted on each reactor coolant pump. The trip is blocked below P-10 to permit plant startup.

Bypass capability exists for the four RCP underspeed channels as described in Subsection 7.1.2.2.11.

The logic for this trip is shown on Figure 7.2-1, sheet 5. The development of P-7 is shown on Figure 7.2-1, sheet 4.

RCP speed is detected by a probe mounted on the reactor coolant pump frame. The speed signal is transmitted to the integrated protection system to provide the trip logic function described above.

The RCP underspeed trip replaces the undervoltage and underfrequency reactor trips used previously. The principal reason for this change is to improve plant availability during voltage dip transients which do not result in violations of plant safety limits. The undervoltage trip setpoint was chosen to trip the reactor if the RCP motor pull out torque dropped below nominal due to low voltage. This event could cause a pump speed decrease and a consequent flow reduction. The basis for the undervoltage trip setpoint and time response was the demonstration of acceptable results for the complete loss of flow accident. Transient voltage reductions below the undervoltage trip setpoint followed by subsequent voltage recovery could result in an undervoltage reactor trip even though pump speed and flow reductions would not violate safety limits.


The RCP underspeed trip provides a more direct measurement of the parameter of interest, and will permit the plant to ride through many postulated voltage dip transients without reactor trip if safety limits are not violated. Selection of the underspeed trip setpoint and time response provide for the timely initiation of reactor trip during the complete loss of flow accident and the limiting frequency decay event, consistent with the analysis results reported in Chapter 15.

The built-in on-line testing capabilities of the integrated protection system provisions include complete on-line overlapping testing of the IPS from the sensor inputs, through to the protective action system. For the RCP speed sensor, the on-line test is discussed in Subsection 7.1.1.3.10.

The basis for environmental qualification of the RCP speed detectors is that they will be required to perform their protective function (during the complete loss of flow accident and the limiting frequency decay event) in an environment (i.e., temperature, humidity, pressure, chemical, and radiation) no more severe than the environment in which they are required to perform their normal function. Therefore, it is not necessary to impose environmental qualification requirements on these detectors that are more restrictive than those imposed for use under rated conditions.

The RCP speed detectors will be qualified for use under rated conditions with their performance verified by actual on-line operation in the plant.

The RCP speed detectors will also require qualification to the worst vibrations to which they could be subjected and be required to operate.

7.2.1.1.4 Primary Overpressure Trips

1. Pressurizer High Pressure Reactor Trip

The purpose of this trip is to protect the reactor coolant system against system overpressure. The same sensors used for the pressurizer low pressure reactor trip are used for the high pressure trip except that separate setpoints are used for trip. The high pressure channel trips when an uncompensated pressurizer pressure signal exceeds a preset limit.

There are no interlocks or permissives associated with this trip function.

Bypass capability exists for each channel as described in Subsection 7.1.2.2.11.

The logic for this trip is shown in Figure 7.2-1, sheet 6.


2. Pressurizer High Water Level Reactor Trip

This trip is provided as backup to the high pressurizer pressure reactor trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup.

Bypass capability exists for the four channels as described in Subsection 7.1.2.2.11.

The logic for the trip is shown on Figure 7.2-1, sheet 6. The development of P-7 is shown on Figure 7.2-1, sheet 4.

7.2.1.1.5 Loss of Heat Sink Trips

Reactor Trip on Low Water Level in any Steam Generator

This trip protects the reactor from loss of heat sink in the event of a loss of feedwater to the steam generators. The reactor is tripped when two out of the four water level sensors in any steam generator produce signals below the setpoint value. Bypass capability exists for the four channels in each steam generator.

The logic for the trip is shown on Figure 7.2-1, sheet 7. There are no interlocks or permissives to this trip.


7.2.1.1.6 Excessive Cooldown Trips

Reactor Trip on High Water Level in any Steam Generator

This trip protects the reactor from loss of heat sink in the event of a high level in the steam generators. The reactor is tripped when two out of the four water level sensors in any steam generator produce signals above the setpoint value. Bypass capability exists for the four channels in each steam generator.

The logic for this trip is shown on Figure 7.2-1, sheet 7. There are no interlocks or permissives for this trip.

7.2.1.1.7 Reactor Trip / Turbine Trip

7.2.1.1.7.1 Reactor Trip on a Turbine Trip [Anticipatory]

This trip is actuated on two out of four protection channels indicating a turbine trip condition. A turbine trip condition in a channel is defined as closing of one of the four turbine throttle valves or low pressure of the turbine stop emergency trip fluid. As an option, the trip may be blocked by P-9 on plants without full load rejection capability.

The reactor trip on turbine trip provides additional protection and conservatism beyond that required for the health and safety of the public.

This trip is included as part of good engineering practice and prudent design. No credit is taken in any of the safety analyses (Chapter 15) for this trip.

The turbine provides anticipatory trips to the reactor protection system from contacts which change position when the turbine stop valves close or when the turbine autostop oil pressure goes below its setpoint.


One of the design bases considered in the protection system is the possibility of an earthquake. With respect to these contacts, their functioning is unrelated to a seismic event in that they are anticipatory to other diverse parameters which cause reactor trip. The contacts are shut during plant operation and open to cause reactor trip when the turbine is tripped. This design functions in a de-energize-to-trip fashion to cause a plant trip if power is interrupted in the trip circuitry. This ensures that the protection system will not be degraded by this anticipatory trip because seismic design considerations do not form part of the design bases for anticipatory trip sensors. (The integrated protection cabinets which receive the inputs from the anticipatory trip sensors are, of course, seismically qualified as discussed in Section 3.10 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design".) The anticipatory trips thus meet IEEE-279-1971, including redundancy, separation, single failure, etc. Seismic qualification of the contact sensors is not required.

Bypass capability exists for the four channels, as described in Subsection 7.1.2.2.11.

The logic for these trips is shown on Figure 7.2-1, sheet 14. The development of the P-9 block is shown on Figure 7.2-1 sheet 4.

7.2.1.1.7.2 Turbine Trip on a Reactor Trip

In implementing this function (TT-O-RT) it is recognized that full conformance to IEEE 279 and associated standards is not possible due to the fact that the turbine building is expected to not be in a seismic category I structure. If qualification of the turbine trip equipment (EHC solenoids) cannot be demonstrated, other applicable Sections of IEEE 279 (refer to 4.2, 4.3, 4.5, excluding seismic 4.6, and 4.10) are criteria for which conformance is to be provided. Although the power source for tripping the turbine need not be Class 1E, it will use a highly reliable power supply. Furthermore the turbine trip on reactor trip will employ a de-energize-to-trip principle. The redundant trip paths between the protection system and the EHC will satisfy separation-by-potential-and-by-space requirements. The installation of components will be done in a manner as reliable as reasonably achievable without reliance on electrical isolation. For the functional logic refer to Figure 7.2-1 (sheet 14).

7.2.1.1.8 Reactor Trip on Safety Injection

A reactor trip will be initiated if safety injection is actuated either automatically or manually. The means for actuating safety injection automatically are described in Section 7.3. This trip protects the core against a loss of reactor coolant or a steamline rupture.

Manual safety injection can be initiated from either of two controls on the control board. Operating either of the two controls will actuate safety injection and will give a reactor trip signal to the reactor trip actuation train from two different means. Outputs on each switch, each separated by a barrier and electrically separated, send their position status to the integrated protection system. These inputs will de-energize the under-voltage trip attachments (UVTA) on the reactor trip breakers, causing them to trip open. Additional outputs on each switch send their position status directly to the shunt trip coil on each reactor trip circuit breaker. These provide a backup to the under-voltage coil trip of the breakers.


The logic for this trip is shown on Figure 7.2-1, sheets 2 and 12.

7.2.1.1.9 Manual Reactor Trip

The manual reactor trip consists of two switches on the main control board, either of which will open all eight of the reactor trip circuit breakers.

Outputs on each switch, each separated by a barrier and electrically separated, send their position status to the integrated protection cabinets.

These inputs will de-energize the under-voltage coils on the reactor trip circuit breakers, causing them to open. Additional outputs send their status information directly to the shunt trip attachment of each breaker. Energizing the shunt trip coil opens the breaker contacts. This acts as a backup to the under-voltage coil trip of the breakers.

The logic for the manual trip is shown on Figure 7.2-1, sheets 2 and 13.

There are no interlocks or bypasses associated with this trip.

7.2.1.1.10 Reactor Trip System Interlocks

The interlocks used in the reactor trip functions are designated as P-xx permissives and are listed on Table 7.2-2. These permissives are implemented at the channel level rather than at the logic train level.

The logic architecture of the IPS does not lend itself to bringing the permissive function to a lower logic level in the creation of a trip function. Also the plant availability has been determined to be improved using the present technique because permissives are integrated to each channel.

Manual blocks to reactor trip are listed on Table 7.2-3 and are described below:

1. Source Range Block (One control for each channel set)

This block can only be instituted above the P-6 setpoint, and is automatically removed below P-6. The channel is automatically bypassed above P-10, with bypass removed below P-10. See Figure 7.2-1, sheet 3.

2. Intermediate Range Block (One control for each channel set)

This block can only be instituted above the P-10 setpoint and is automatically removed below P-10. See Figure 7.2-1, sheet 3.


3. Power Range (Low Setpoint) Block (One control for each channel set)

This block can only be instituted above the P-10 setpoint and is automatically removed below P-10. See Figure 7.2-1, sheet 3.

The above three manual blocks, when used in conjunction with the applicable permissives, are used during startup.

7.2.1.1.11 Bypasses of Reactor Trip Functions

Each channel used in reactor trip can be bypassed, as discussed in Subsection 7.1.2.2.11, except for manual reactor trip and reactor trip on safety injection. One channel can be bypassed for an indefinite period of time with the trip logic automatically reverting to a two-out-of-three to trip. Two channels can be bypassed for an indefinite period of time with the trip logic reverting to a one-out-of-two to trip. Attempting to bypass more than two channels will result in a reactor trip. The single failure criterion is met during bypasses.

The bypass is implemented automatically during on-line testing. Manual bypass is used during repair or maintenance of sensors or channel electronics.
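As an added example (not from the RESAR text and not Westinghouse IPS code), the following Python models two pieces of the logic described in this section and in the low reactor coolant flow trip of Subsection 7.2.1.1.3: the four-channel coincidence vote with its automatic reduction to two-out-of-three and one-out-of-two as channels are bypassed (and a reactor trip when a third bypass is attempted), and the loop-level P-7/P-8 permissive rules for the low flow trip. The `Channel` and `Vote` types, the function names, and the treatment of the three-bypass trip as independent of the permissives are assumptions made for the illustration; the single-failure check at the end is the property the text claims, tested by exhaustion.

```python
"""Channel-level coincidence voting with automatic bypass reduction, plus the
low-flow trip's P-7/P-8 loop logic. Added illustration, not Westinghouse IPS code."""
from dataclasses import dataclass
from typing import NamedTuple

N_CHANNELS = 4
# Partial trips required among the active (non-bypassed) channels:
# 0 bypassed -> 2-of-4, 1 bypassed -> 2-of-3, 2 bypassed -> 1-of-2.
REQUIRED = {0: 2, 1: 2, 2: 1}


@dataclass
class Channel:
    tripped: bool = False    # partial trip from this channel's comparator
    bypassed: bool = False   # manual (maintenance) or automatic (on-line test) bypass


class Vote(NamedTuple):
    trip: bool
    bypass_violation: bool   # True when more than two channels are bypassed
    reason: str


def vote(channels):
    """Coincidence logic for one trip function. Bypassing a third channel is itself a trip."""
    if len(channels) != N_CHANNELS:
        raise ValueError("expected four redundant channels")
    n_bypassed = sum(c.bypassed for c in channels)
    if n_bypassed > 2:
        return Vote(True, True, f"{n_bypassed} channels bypassed (limit 2): reactor trip")
    required = REQUIRED[n_bypassed]
    partial = sum(c.tripped for c in channels if not c.bypassed)
    active = N_CHANNELS - n_bypassed
    return Vote(partial >= required, False,
                f"{partial}-of-{active} active channels tripped, {required} required")


def meets_single_failure(n_bypassed):
    """Single-failure check: with n_bypassed channels out and a genuine trip demand, one of
    the remaining channels fails to respond. The vote must still trip for every choice of
    the failed channel."""
    bypassed = [Channel(bypassed=True) for _ in range(n_bypassed)]
    active = N_CHANNELS - n_bypassed
    for stuck in range(active):
        trial = bypassed + [Channel(tripped=(k != stuck)) for k in range(active)]
        if not vote(trial).trip:
            return False
    return True


def loop_channels(n_tripped):
    """Four flow channels on one loop, n_tripped of them showing low flow (helper)."""
    return [Channel(tripped=(k < n_tripped)) for k in range(N_CHANNELS)]


def low_flow_trip(loops, above_p7, above_p8):
    """Low reactor coolant flow trip over four loops. Below P-7 the trip is blocked; between
    P-7 and P-8 two loops must show low flow; above P-8 one loop suffices. Assumption: the
    trip on bypassing more than two channels is not subject to the permissive."""
    votes = [vote(ch) for ch in loops]
    if any(v.bypass_violation for v in votes):
        return True
    if not above_p7:
        return False
    low_loops = sum(v.trip for v in votes)
    return low_loops >= (1 if above_p8 else 2)


if __name__ == "__main__":
    print(vote([Channel(tripped=True), Channel(tripped=True), Channel(), Channel()]))
    print(vote([Channel(tripped=True), Channel(), Channel(bypassed=True), Channel(bypassed=True)]))
    print(vote([Channel(bypassed=True) for _ in range(3)] + [Channel()]))
    print("single failure met with 0, 1, 2 bypasses:",
          [meets_single_failure(n) for n in range(3)])
```

The exhaustive check in `meets_single_failure` is the reason the bypass rules are shaped the way the text gives them: with two channels bypassed, one-out-of-two is the only coincidence that still trips when one of the two survivors fails, and a third bypass would leave no combination that does, which is why the design trips the reactor rather than allowing it.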

7.2.1.2 Design Bases For Reactor Trips

This section provides the design bases information on the reactor trip function, including the information required by Section 3 of IEEE-279-1971.

Reactor trip is a protective function generated as part of the integrated protection system. As such, there is no "reactor trip system" per se. Those design bases which relate to the equipment which initiate and accomplish reactor trips are contained in Subsection 7.1.2.1 and are not repeated here.

The design bases presented here are concerned with the variables monitored for reactor trips, the minimum performance requirements in generating the trips, and the requirements placed on reactor trips during various reactor operating modes.


7.2.1.2.1 Design Basis; Generating Station Conditions Requiring Reactor Trip (Paragraph 1 of Section 3 of IEEE-279-1971)

The generating station conditions requiring protective actions are analyzed in Chapter 15. Those conditions which would typically result in a reactor trip are listed on Table 7.2-5. This table correlates the accident conditions (II, III, or IV events) to each reactor trip.

7.2.1.2.2 Design Basis; Variable Levels, Ranges, and Accuracies used in Reactor Trip Functions (Paragraphs 2, 5, 6, and 9 of Section 3 of IEEE-279-1971)

The variables required to be monitored for reactor trips are:

1. Neutron flux
2. Nitrogen-16 (N-16) in each loop
3. Pressurizer pressure
4. Water level in the pressurizer
5. Reactor coolant flow in each loop
6. Speed of each reactor coolant pump
7. Water level in each steam generator
8. Reactor coolant inlet temperature (Tcold) in each loop
9. Position of each turbine throttle stop valve
10. Pressure of the turbine stop emergency trip fluid
11. Position of each manual safety injection switch
12. Position of each manual reactor trip switch

The typical ranges, accuracies, and response times for each variable are listed on Table 7.2-4.

A discussion on levels that, when reached, will require reactor trip is contained in Subsection 7.1.2.2.1.

The "ALLOWABLE VALUES" for the Limiting Safety System Settings (LSSS) and the "TRIP SETPOINT" for reactor trips are in the Technical Specifications.


7.2.1.2.3 Design Basis; Spatially Dependent Parameters used in Reactor Trip (Paragraph 3 of Section 3 of IEEE-279-1971)

The parameter used for reactor trip which has a spatial dependence is the N-16 power measurement. The N-16 signals from the hot leg of each coolant loop are dependent on coolant density. In order to account for variations on coolant density in the hot leg piping, two N-16 power monitors are located 180 degrees apart on each hot leg. A representative hot leg N-16 signal from each loop is determined by averaging the signals from the two monitors.

Radially varying coolant inlet temperature is not a concern since the resistance temperature detectors (RTDs) are located downstream of the reactor coolant pumps. The pumps provide mixing of the coolant such that radial temperature variations do not exist.

Neutron flux is not a spatially dependent concern because of core radial symmetry. The variable is used for axial calculations involving neutron flux. Four-element multi-excore detectors furnish this axially-dependent information to the DNBR and KW/ft calculators as previously described. Each of the four detectors is a vertically-oriented, four-sectioned detector, which is referred to herein as a multi-sectional detector.

7.2.1.2.4 Design Basis; Operational Limits for Variables in Various Reactor Operating Modes (Paragraph 4 of Section 3 of IEEE-279-1971)

During start-up or shutdown, reactor trips are provided for three ranges of neutron flux (source, intermediate, and power range). The source range, intermediate range, and power range (low setpoint) trips can be manually blocked when the appropriate power escalation permissives are present. The trips are automatically re-instated during power de-escalation. Subsection 7.2.1.1 describes these reactor trips. Their interlocks are described in Subsection 7.2.1.1.10.


During testing or maintenance, it is advantageous to be able to bypass a channel monitoring a variable for reactor trip. Although no setpoints need to be changed for bypassing, the coincidence logic is automatically adjusted as described in Subsections 7.2.1.1.11 and 7.1.2.2.11. The logic assures that the remaining redundant channels for that variable will meet the single failure criterion. The logic is automatically reinstated when the bypass is removed.

7.2.1.2.5 Design Basis; Reactor Trips for Malfunctions, Accidents, Natural Phenomena, or Credible Events (Paragraph 8 of Section 3 of IEEE-279-1971)

There are no reactor trip functions which directly shut down the reactor on occurrence of either natural phenomena (such as flood, wind, etc.) or credible events (such as fire, pipe whip, etc.). A seismic trip is provided as an option, however. The operator can, of course, trip the reactor at any time by pressing the manual reactor trip button. The safety system normally relies on provisions made by the owner to protect equipment against damage from events (see Subsection 7.1.2.2.5).

Functional diversity is employed in determining the reactor trips for accident conditions. Generally, two or more reactor trips will occur for the transients analyzed in the accident analyses.

For example, protection is provided for the complete loss of coolant flow event by low RCP speed and by low coolant flow reactor trips. Therefore, complete reliance is not made on a single reactor trip terminating a given accident. Table 7.2-5 lists the reactor trips and the conditions which will normally result in each trip.

Redundancy is employed to provide assurance that reactor trips will be generated on demand, even when the protection system is degraded by a single random failure within the equipment. All reactor trips are four-way redundant. The single failure criterion is met even if one or two channels are bypassed, as discussed in Subsection 7.1.2.2.11. The reactor is tripped automatically if an attempt is made to bypass three or more channels.

7.2.1.3 Final System Drawings

Preliminary functional diagrams are provided in Figure 7.2-1, sheets 1-14.

Final functional diagrams, block diagrams, electrical elementaries and other drawings required to assure electrical separation and perform a safety review will be provided in the plant specific applicant's Final Safety Analysis Report.

7.2.2 Analyses

7.2.2.1 Failure Mode and Effects Analysis (FMEA)

Failure mode and effects analyses will be performed on the integrated protection system which initiates the reactor trip. Results of this study will be documented in a separate report for reference in the plant specific applicant's Preliminary Safety Analysis Report prior to issuance of the Construction Permit.

7.2.2.2 Conformance of the Reactor Trip Function to Applicable Criteria

This section discusses conformance of the reactor trip function to applicable requirements as summarized in Table 7.1-1. Reactor trip is a protective function generated by the Westinghouse integrated protection system. Consequently there is no "reactor trip system" per se. Requirements which address equipment in the protection system are presented in Subsection 7.1.2.2 and are not repeated here. The discussions presented in this section address only the functional aspects of reactor trip.


7.2.2.2.1 Conformance to the General Functional Requirement for Reactor Trip (Paragraph 4.1 of IEEE-279-1971, GDC-13, GDC-20)

Refer also to Subsection 7.1.2.2.1.

The integrated protection system will initiate a reactor trip whenever a condition monitored by the system reaches a preset level. The reactor trips are listed on Table 7.2-1 and are discussed in detail in Subsection 7.2.1.1.

The variables which are required to be monitored for these trips are listed in Subsection 7.2.1.2.2. Table 7.2-4 lists the typical ranges, accuracies, and response times for these variables. The levels which, when reached, require reactor trip are listed in the Technical Specifications.


As discussed in Subsection 7.1.2.2.1, the setpoints actually set into the equipment provide a margin to the safety limits which are assumed in the accident analyses. The safety limits are based on mechanical or hydraulic limitations of equipment or on heat transfer characteristics of the reactor core. While most setpoints used for reactor trip are fixed, there are continuously calculated setpoints for the DNBR trips. All setpoints for reactor trip have been selected on the basis of engineering design or safety studies. As previously stated, the setpoints all provide a margin before reactor trip is actually required to allow for uncertainties and instrument errors.

The DNBR and KW/ft existing at any point in the core are not directly measurable quantities; however, the process variables that determine DNBR are sensed and evaluated. Small isolated changes in various process variables may not individually result in violation of a core safety limit; whereas the combined variations over sufficient time may cause the DNBR or KW/ft limit to be exceeded. The design concept for reactor trips takes cognizance of this situation by providing reactor trips associated with individual process variables in addition to the DNBR and KW/ft safety limit trips. Process variable trips prevent reactor operation whenever a change in the monitored value is such that a core or safety limit is in danger should operation


continue. Basically, DNBR and KW/ft trips provide protection for slow transients. Other trips such as low flow or high flux will trip the reactor for rapid changes in flow or flux respectively. This prevents fuel damage before actuation of the slower responding DNBR and KW/ft trips could be effected.

Table 7.2-5 summarizes the events which will normally result in reactor trips.

7.2.2.2.2 Conformance to the Single Failure Criterion for Reactor Trip (Paragraph 4.2 of IEEE 279-1971, IEEE 379-1972)

Refer also to Subsection 7.1.2.2.2.

A single failure in the integrated protection system or the reactor trip actuation trains will not prevent a reactor trip, even when the reactor trip channels are bypassed for test or maintenance. Conformance of the equipment to this requirement is discussed in Subsection 7.1.2.2.2. In addition to the redundancy of equipment, diversity of reactor trip functions is incorporated.

Each Condition II, III, or IV event requiring a reactor trip will typically result in a trip from diverse parameters. Examples of these can be gained from correlating the events listed on Table 7.2-5 to the various reactor trips. For example, reactor trip because of an uncontrolled rod cluster control assembly bank withdrawal at power may occur on power range high neutron flux, low DNBR, high KW/ft, pressurizer high pressure or pressurizer high water level. Reactor trip on complete loss of reactor coolant flow may occur on low flow or from the diverse parameter of low RCP pump speed. The accident analyses may ignore reactor trips from some parameters to intentionally allow the simulation of the event to proceed farther than will actually happen. These worst case assumptions provide additional conservatism to the results.


7.2.2.2.3 Conformance to the Requirements Covering Control and Reactor Trip Interactions (Paragraph 4.7 of IEEE 279-1971, GDC-24)

Refer also to Subsection 7.1.2.2.7.

The Westinghouse nuclear steam supply system (NSSS) is designed to permit maneuvering of the plant in response to normal power generation demands without causing a reactor trip. The plant control system will attempt to keep the reactor operating away from any safety limit; however, the selection of the reactor trip setpoints does not assume such control actions. The accident analyses in Chapter 15 will usually assume that the plant is at normal operation commensurate with the operating mode at the onset of the accident.

That is, if a control system action leads to more conservative results, that assumption will be made. If, on the other hand, failure of a control system to work leads to more conservative results, that assumption will be made. In this way, reactor trips do not depend on control system actions.

As stated in Subsection 7.1.2.2.7, Westinghouse considers it advantageous to use certain protection channels for control. Isolation devices are incorporated into these data links to prevent control system failures from degrading the performance of the protection system.

Failures in a protection channel monitoring a variable which is also used for control will not result in control system actions requiring protection by the redundant channels monitoring that variable. This is discussed in Subsection 7.1.2.2.7.

7.2.2.2.4 Conformance to Requirements on the Derivation of System Inputs for Reactor Trip (Paragraph 4.8 of IEEE 279-1971)

Refer also to Subsection 7.1.2.2.8.


To the extent feasible, inputs used for reactor trip are derived from signals that are direct measurements of the desired variables. Two exceptions exist, DNBR and KW/ft, which cannot be directly measured. The process variables that do affect these parameters can be measured, and they are used to calculate continuously the DNBR setpoint and the KW/ft values.

The DNBR trip setpoint is calculated from pressurizer pressure, reactor coolant inlet temperature, N-16, and nuclear axial power shape. Normal flow is assumed in the calculation. The setpoint is compared against N-16.

KW/ft is calculated from N-16 and the nuclear axial power shape in the core. This value is compared against a fixed setpoint.

The DNBR and KW/ft trips are described in detail in Subsection 7.2.1.1.2.

7.2.2.2.5 Conformance to Requirements on Bypassing of Reactor Trip Functions (Paragraph 4.11, 4.12, 4.13, and 4.14 of IEEE 279-1971)

With the exception of the manual reactor trips, all reactor trip channels and the reactor trip actuation trains can be bypassed as described in Subsections 7.1.2.2.11 through 7.1.2.2.14. The requirements of paragraphs 4.12 through 4.14 of IEEE 279-1971 are discussed in those subsections.

Operating bypasses for reactor trips are described in Subsection 7.2.1.1.9.

7.2.2.2.6 Conformance to Requirements on Multiple Setpoints used for Reactor Trips: (Paragraph 4.15 of IEEE 279-1971)

Conformance of the design for reactor trips to this requirement of IEEE 279-1971 is discussed in Subsection 7.2.1.2.4. Refer also to Subsection 7.1.2.2.15.


7.2.2.2.7 Conformance to the Requirement for Completion of Reactor Trip Once it is Initiated (Paragraph 4.16 of IEEE 279-1971, Regulatory Guide 1.62)

Once initiated, all reactor trips will go to completion. Return to operation requires deliberate operator action to reset the reactor trip circuit breakers which were opened to trip the reactor. The circuit breakers cannot be closed while the reactor trip signals are present from the respective integrated protection cabinets. A manual control is provided on the main control board for resetting the reactor trip signals in each integrated protection cabinet following a reactor trip. Refer also to Subsection 7.1.2.2.16.

7.2.2.2.8 Conformance to the Requirement to Provide for Manual Initiation of Reactor Trip (Paragraph 4.17 of IEEE 279-1971, Regulatory Guide 1.62)

The reactor can be tripped by actuating one of two manual reactor trip controls from the main control board. The reactor can also be tripped by actuating one of two manual safety injection controls on the main control board. Both of these trips are described in detail in Subsections 7.2.1.1.7 and 7.2.1.1.8. Refer also to Subsection 7.1.2.2.17.


TABLE 7.2-1
REACTOR TRIPS

                                                        Number of      Channel Set         Bypass     Permissives & Interlocks
     Reactor Trip                                       Channels       Trip Logic          Logic**    (See Table 7.2-2)

 1.  Source Range Reactor Trip                          4              2/4                 Yes*       P-6, P-10
 2.  Intermediate Range Reactor Trip                    4              2/4                 Yes*       P-10
 3.  Power Range (Low Setpoint) Trip                    4              2/4                 Yes*       P-10
 4.  Power Range (High Setpoint) Trip                   4              2/4                 Yes*       ---
 5.  High Positive Flux Rate Trip                       4              2/4                 Yes*       ---
 6.  High Negative Flux Rate Trip                       4              2/4                 Yes*       ---
 7.  Low DNBR (N-16) Reactor Trip                       4 (1/loop)     2/4                 Yes*       ---
 8.  High KW/ft Reactor Trip                            4 (1/loop)     2/4                 Yes*       ---
 9.  Pressurizer Low Pressure Trip                      4              2/4                 Yes*       P-7
10.  Pressurizer High Pressure Trip                     4              2/4                 Yes*       ---
11.  Pressurizer High Water Level Trip                  4              2/4                 Yes*       P-7
12.  Low Reactor Coolant Flow
       (a)                                              4/loop         2/4 in any loop     Yes*       P-8
       (b)                                              4/loop         2/4 in 2/4 loops    Yes*       P-7
13.  Reactor Coolant Pump Underspeed                    4 (1/RCP)      2/4                 Yes*       P-7
14.  Low Steam Generator Water Level                    4/S.G.         2/4 in any S.G.     Yes*       ---
15.  High Steam Generator Water Level                   4/S.G.         2/4 in any S.G.     Yes*       ---
16.  Closed Turbine Throttle/Stop Valves                1/valve        2/4 valves          Yes*       P-9 (optional on plants
       (not provided on plants with full                                                              without full load rejection)
       load rejection capability)
17.  Low Stop Emergency Trip Fluid Pressure             4              2/4                 Yes*       P-9 (optional on plants
       (not provided on plants with full                                                              without full load rejection)
       load rejection capability)
18.  Automatic Safety Injection                         4              2/4                 Yes*       ---
19.  Manual Safety Injection                            2 switches     1/2 switches        No         ---
20.  Manual Reactor Trip                                2 switches     1/2 switches        No         ---

 *  Bypass Logic = 2/4 with no bypasses; 2/3 with 1 bypass; 1/2 alarmed with 2 bypasses; automatic trip with three or four bypasses.
 ** Reactor Trip Actuation Trains can also be bypassed with the logic as defined in "*" above.
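The coincidence rule in note * of Table 7.2-1 is easy to get subtly wrong in an implementation, for instance by letting a bypassed channel's partial trip still count, or by weakening the vote as channels are bypassed. The Python model below is an added example written for this edition; it is not Westinghouse code and is not part of RESAR-SP/90. The channel-set labels, the VoteResult fields and the exhaustive check are assumptions for illustration. It applies the table's rule to one trip function and then checks, over every combination of partial trips and bypasses, that a bypassed channel never influences the vote, that two genuine partial trips always produce a trip, and that no single partial trip can cause a spurious trip while at most one channel set is bypassed.

```python
"""Bypass-dependent coincidence voting for one reactor trip function (Table 7.2-1, note *).

Added illustration, not Westinghouse code. Channel-set labels and the result
fields are assumptions.
"""
from dataclasses import dataclass
from itertools import combinations, product

CHANNEL_SETS = ("I", "II", "III", "IV")  # the four redundant channel sets


@dataclass(frozen=True)
class VoteResult:
    trip: bool   # trip demanded by this function
    alarm: bool  # degraded-coincidence alarm
    rule: str    # coincidence actually applied


def vote(partial_trips, bypassed):
    """Apply the bypass-dependent coincidence of Table 7.2-1, note *.

    partial_trips: mapping channel set -> True when that channel's comparison
                   has exceeded its setpoint (a "partial trip").
    bypassed:      channel sets placed in test/maintenance bypass.
    """
    if set(partial_trips) != set(CHANNEL_SETS):
        raise ValueError("one partial-trip state per channel set is required")
    bypassed = frozenset(bypassed)
    if not bypassed <= set(CHANNEL_SETS):
        raise ValueError("bypass names an unknown channel set")
    n_bypassed = len(bypassed)
    if n_bypassed >= 3:
        # Three or four bypasses leave no coincidence to vote on: the design
        # trips rather than run with the function defeated.
        return VoteResult(trip=True, alarm=True, rule="automatic trip")
    active = [ch for ch in CHANNEL_SETS if ch not in bypassed]
    tripped = sum(1 for ch in active if partial_trips[ch])
    required = 1 if n_bypassed == 2 else 2  # 2/4, then 2/3, then 1/2 alarmed
    return VoteResult(trip=tripped >= required,
                      alarm=(n_bypassed == 2),
                      rule=f"{required}/{len(active)}")


def check_invariants():
    """Exhaustively check three properties of the table's rule and return the
    number of (partial-trip pattern, bypass set) cases examined:
      1. a bypassed channel never influences the vote;
      2. two genuine (non-bypassed) partial trips always trip;
      3. with at most one bypass, a single partial trip never trips.
    """
    cases = 0
    for states in product((False, True), repeat=len(CHANNEL_SETS)):
        partial = dict(zip(CHANNEL_SETS, states))
        for k in range(len(CHANNEL_SETS) + 1):
            for byp in combinations(CHANNEL_SETS, k):
                bypassed = frozenset(byp)
                result = vote(partial, bypassed)
                for ch in bypassed:
                    flipped = dict(partial, **{ch: not partial[ch]})
                    if vote(flipped, bypassed) != result:
                        raise AssertionError(f"bypassed channel {ch} influenced the vote")
                genuine = sum(partial[ch] for ch in CHANNEL_SETS if ch not in bypassed)
                if genuine >= 2 and not result.trip:
                    raise AssertionError("two genuine partial trips did not trip")
                if k <= 1 and genuine <= 1 and result.trip:
                    raise AssertionError("a single partial trip caused a spurious trip")
                cases += 1
    return cases


if __name__ == "__main__":
    print(vote({"I": True, "II": False, "III": False, "IV": False}, {"III", "IV"}))
    print("cases checked:", check_invariants())
```

The exhaustive check is small (16 partial-trip patterns times 16 bypass sets) and is the kind of test worth keeping next to any voting-logic change, since a regression in either direction, a missed trip or a spurious one, is a safety problem.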

TABLE 7.2-2
REACTOR TRIP PERMISSIVES & INTERLOCKS

Designation   Derivation                                   Function

P-6           Intermediate range neutron flux              Allows manual block of source range reactor trip.
              above setpoint

P-6           Intermediate range neutron flux              Automatically defeats any block of source range reactor trip.
              below setpoint

P-7           Power range nuclear power                    Permits reactor trips on low flow in more than one coolant loop,
              above setpoint                               RCP underspeed, pressurizer low pressure, and pressurizer high
                                                           water level.

P-7           Power range nuclear power                    Blocks reactor trips on low coolant flow in more than one loop,
              below setpoint                               RCP underspeed, pressurizer low pressure, and pressurizer high
                                                           water level.

P-8           Power range nuclear power                    Permits reactor trip on low flow in any loop.
              above setpoint

P-8           Power range nuclear power                    Blocks reactor trip on low coolant flow in any single loop.
              below setpoint

P-9*          Power range nuclear power                    Permits reactor trip on a turbine trip.
              above setpoint

P-9*          Power range nuclear power                    Blocks reactor trip on a turbine trip.
              below setpoint

P-10          Power range nuclear power                    (a) Allows manual block of power range (low setpoint) reactor trip.
              above setpoint                               (b) Allows manual block of intermediate range reactor trip and
                                                               C-1 (see Table 7.7-1).
                                                           (c) Automatically blocks source range reactor trip (back-up to P-6).

P-10          Power range nuclear power                    (a) Defeats the block of power range (low setpoint) reactor trip.
              below setpoint                               (b) Defeats the block of intermediate range reactor trip and
                                                               C-1 (see Table 7.7-1).
                                                           (c) Permits manual reset of each source range channel reactor trip.

 * P-9 is an option on those plants that do not have full load rejection capability. Plants with full load rejection do not incorporate a reactor trip on turbine trip.
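Table 7.2-2 describes two different kinds of interlock. P-6 and P-10 govern manual blocks: an operator may apply the block only while the permissive is present, and the block is defeated automatically when the permissive drops, so a trip cannot be left disabled in a regime where it is needed. P-7, P-8 and P-9 are automatic blocks that need no operator action. The Python model below is an added illustration written for this edition, not Westinghouse code. The trip-function labels, the Permissives class and the single-channel-set simplification are assumptions (Table 7.2-3 shows that the blocks are actually applied per channel set). It shows that a block request outside its permissive is refused, and that a block already in effect cannot survive the permissive dropping.

```python
"""Permissive-governed blocks of reactor trip functions (Table 7.2-2).

Added illustration, not Westinghouse code. Trip labels, the Permissives
class and the one-channel-set simplification are assumptions.
"""
from dataclasses import dataclass, field

# Trip functions named in Tables 7.2-1 and 7.2-2 (string labels are assumptions).
SOURCE_RANGE = "source range"
INTERMEDIATE_RANGE = "intermediate range"
POWER_RANGE_LOW = "power range (low setpoint)"
LOW_FLOW_ANY_LOOP = "low flow in any loop"
LOW_FLOW_MULTI_LOOP = "low flow in more than one loop"
RCP_UNDERSPEED = "RCP underspeed"
PZR_LOW_PRESSURE = "pressurizer low pressure"
PZR_HIGH_LEVEL = "pressurizer high water level"

# Manual (operator) blocks and the permissive that must be present for each.
MANUAL_BLOCK_PERMISSIVE = {
    SOURCE_RANGE: "P-6",
    INTERMEDIATE_RANGE: "P-10",
    POWER_RANGE_LOW: "P-10",
}
# Automatic blocks: the trip is armed only while its permissive is present.
AUTO_ARM_PERMISSIVE = {
    LOW_FLOW_ANY_LOOP: "P-8",
    LOW_FLOW_MULTI_LOOP: "P-7",
    RCP_UNDERSPEED: "P-7",
    PZR_LOW_PRESSURE: "P-7",
    PZR_HIGH_LEVEL: "P-7",
}


@dataclass(frozen=True)
class Permissives:
    """Each flag is True when the derived variable is above the permissive setpoint."""
    p6: bool = False   # intermediate range neutron flux
    p7: bool = False   # power range nuclear power
    p8: bool = False   # power range nuclear power
    p10: bool = False  # power range nuclear power

    def present(self, name):
        return {"P-6": self.p6, "P-7": self.p7, "P-8": self.p8, "P-10": self.p10}[name]


@dataclass
class ReactorTripInterlocks:
    perm: Permissives = field(default_factory=Permissives)
    blocked: set = field(default_factory=set)  # manual blocks currently in effect

    def update(self, perm):
        """Accept new permissive states. A manual block whose permissive has
        dropped is defeated automatically; no operator action can hold it."""
        self.perm = perm
        for trip, p in MANUAL_BLOCK_PERMISSIVE.items():
            if not perm.present(p):
                self.blocked.discard(trip)

    def request_block(self, trip):
        """Operator block request, honored only while the governing permissive is present."""
        p = MANUAL_BLOCK_PERMISSIVE.get(trip)
        if p is None or not self.perm.present(p):
            return False
        self.blocked.add(trip)
        return True

    def armed(self, trip):
        """True when the trip function can currently produce a reactor trip."""
        if trip in self.blocked:
            return False
        if trip == SOURCE_RANGE and self.perm.p10:
            return False  # P-10 (c): automatic block of the source range trip
        p = AUTO_ARM_PERMISSIVE.get(trip)
        return p is None or self.perm.present(p)


if __name__ == "__main__":
    il = ReactorTripInterlocks()
    il.update(Permissives(p6=True, p7=True, p8=True, p10=True))
    print("block power range low accepted:", il.request_block(POWER_RANGE_LOW))
    il.update(Permissives(p6=True))  # power falls below P-10
    print("power range low trip armed again:", il.armed(POWER_RANGE_LOW))
```

Note that the source range trip has two independent reasons to be disabled at power: the operator's block under P-6 and the automatic block under P-10 (c). Either alone suffices, which is the back-up relationship the table describes.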

f

TABLE 7.2-3
SYSTEM-LEVEL MANUAL INPUTS TO THE REACTOR TRIP FUNCTIONS

     Manual Control                                     To Channel Set     Figure 7.2-1 Sheet

 (1) Manual Reactor Trip Control #1                     I, II, III, IV     (2 & 13)
 (2) Manual Reactor Trip Control #2                     I, II, III, IV     (2 & 13)
 (3) Reactor Trip Reset                                 I, II, III, IV     (13)
 (4) Source Range Block, Ch. Set I                      I                  (3)
 (5) Source Range Block, Ch. Set II                     II                 (3)
 (6) Source Range Block, Ch. Set III                    III                (3)
 (7) Source Range Block, Ch. Set IV                     IV                 (3)
 (8) Intermediate Range Block, Ch. Set I                I                  (3)
 (9) Intermediate Range Block, Ch. Set II               II                 (3)
(10) Intermediate Range Block, Ch. Set III              III                (3)
(11) Intermediate Range Block, Ch. Set IV               IV                 (3)
(12) Power Range Block (Low Setpoint), Ch. Set I        I                  (3)
(13) Power Range Block (Low Setpoint), Ch. Set II       II                 (3)
(14) Power Range Block (Low Setpoint), Ch. Set III      III                (3)
(15) Power Range Block (Low Setpoint), Ch. Set IV       IV                 (3)
(16) Manual Safety Injection #1                         I, II, III, IV     (2 & 12)
(17) Manual Safety Injection #2                         I, II, III, IV     (2 & 12)

Note: All controls are located on the control board except as noted on the applicable sheet of Figure 7.2-1.

TABLE 7.2-4
REACTOR TRIP VARIABLES, LIMITS, RANGES, AND ACCURACIES
[DESIGN BASIS FOR REACTOR TRIP]

Protection System             Variables to be              Range of Variables                  Accuracy                       Response
Protective Functions          Monitored                    (Typical)                           (Typical) (Nominal)            Time (sec)*

A. Reactor Trips

 1. Source Range High         Neutron Flux                 6 decades of neutron flux,          ±5% of full power              0.5
    Neutron Flux                                           1 to 10^6 c/s

 2. Intermediate Range High   Neutron Flux                 8 decades of neutron flux,          ±5% of full scale              0.5
    Neutron Flux                                           overlapping source range by
                                                           2 decades and including 100%
                                                           power, 10^-4 to 10^-3 amp

 3. Power Range High          Neutron Flux                 1 to 120% of full power             ±1% of full power              0.5
    Neutron Flux (Low Setting)

 4. Power Range High          Neutron Flux                 1 to 120% of full power             ±1% of full power              0.5
    Neutron Flux (High Setting)

 5. High Positive Flux Rate   Neutron Flux                 1 to 120% of full power             ±5% of span                    0.5

 6. High Negative Flux Rate   Neutron Flux                 1 to 120% of full power             ±5% of span                    0.5

 7. Low DNBR                  Reactor Coolant Inlet        510 to 630°F                        ±5% of rated core power        6.0
                              Temp. (Tcold)
                              Pressurizer Pressure         1700 to 2500 psig
                              N-16 Power                   0 to 150% of rated core power
                              Excore Detector Flux         0 to 120% of rated core power
                              (Power Range)

 8. High KW/ft                N-16 Power                   0 to 150% of rated core power       ±10% of rated core power       2.5
                              Excore Detector Flux         0 to 120% of rated core power
                              (Power Range)

 9. Pressurizer Low Pressure  Pressurizer Pressure         1700 to 2500 psig                   ±18 psi                        2.0
                              (Compensated Signal)

10. Pressurizer High Pressure Pressurizer Pressure         1700 to 2500 psig                   ±14 psi                        2.0
                              (Uncompensated Signal)

11. Pressurizer High          Pressurizer Water Level      Entire cylindrical portion          ±2.3% of full range ΔP         2.0
    Water Level                                            of pressurizer                      between taps at design
                                                                                               temperature and pressure

12. Low Reactor Coolant Flow  Coolant Flow                 0 to 120% of rated flow             ±2.5% of full flow within      1.0
                                                                                               range of 70% to 100% of
                                                                                               full power

13. Low Reactor Coolant       Pump Speed                   0 to 120% of rated speed            ±1.0%                          0.6
    Pump Speed

14. Low Water Level in Any    Water Level                  8 ft below nominal full load        ±2.3% of ΔP signal over        2.0
    Steam Generator                                        water level                         pressure range of 700 to
                                                                                               1200 psig

15. High Water Level in Any   Water Level                  6 ft above nominal full load        ±2.3% of ΔP signal over        2.0
    Steam Generator                                        water level                         pressure range of 700 to
                                                                                               1200 psig

16. Turbine Trip
    A. Closure of Turbine     Valve Position               N.A.                                N.A.                           2.0
       Throttle/Stop Valves
    B. Low Stop Emergency     Fluid Pressure               N.A.                                N.A.                           2.0
       Trip Fluid Pressure

17. Safety Injection          See Section 7.3 (ESF)        See Section 7.3 (ESF)               See Section 7.3 (ESF)          See Section 7.3 (ESF)

18. Manual Reactor Trip       N.A.                         N.A.                                N.A.                           N.A.

 * Response time is measured from a step change of the monitored variable from 5% below to 5% above the setpoint until the rods are free to fall.


FIGURE 7.2-1 (SHEETS 1 THROUGH 14) WAPWR STANDARD FUNCTIONAL DIAGRAMS (FOLDOUT, PROPRIETARY)

FIGURE 7.2-2 GENERATION OF A TYPICAL REACTOR TRIP FUNCTION (PROPRIETARY)

FIGURE 7.2-3 BLOCK DIAGRAM OF DNBR CALCULATIONS

FIGURE 7.2-4 BLOCK DIAGRAM OF HIGH KW/FT CALCULATIONS (PROPRIETARY)

7.3 ENGINEERED SAFETY FEATURES (ESF)

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility shall be provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features. The occurrence of a limiting fault, such as a loss of coolant accident or a secondary system break, requires a reactor trip plus actuation of one or more of the engineered safety features in order to prevent or mitigate damage to the core and reactor coolant system components, and ensure containment integrity.

7.3.1 Description The integrated protection system (IPS) determines whether or not safety limits are being approached for selected plant parameters. If they are, the IPS combines the signals through logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures. Once the required logic combination is generated, the IPS will send the signals to actuate appropriate engineered safety features components in the protective action system. A block diagram of the IPS is given in Figure 7.1-2.

The equipment involved in engineered safety features actuation is listed below. (Refer to Subsections 7.1.1.2.2 and 7.1.1.2.3 for descriptions of the equipment.)

1. Integrated Protection System (4 redundant channel sets)
a. Sensors
b. Integrated Protection Cabinets (4 Cabinets)
c. Engineered Safety Features Actuation Cabinets (2 Cabinets)
d. Integrated Logic Cabinets
e. Manual Inputs and Status Indication


2. Protective Action System (2 redundant safeguards trains)
a. Actuation Devices (e.g., switchgear, motor control centers, auxiliary motors, and solenoids)
b. Actuated Equipment (e.g., valves, pumps, etc.; see Subsection 7.1.1.3.2)

The following paragraphs summarize the major functional elements of the IPS which are involved in generating an ESF actuation signal to a safeguards component. Refer to Subsection 7.1.1.1.2 for detailed explanations of the functions.

Refer to Figure 7.1-2 for the following description.

Four sensors normally monitor each variable which is used for an engineered safety feature actuation. (These sensors may be monitoring the same variable for a reactor trip function as well.) Analog measurements are converted to digital form by analog-to-digital (A-D) converters within each of the 4 integrated protection cabinets (IPCs). Following any required signal conditioning or processing, the measurements are compared against applicable setpoints for the ESF function to be generated. When the measurement exceeds the setpoint, the output of the comparison results in a channel "partial trip" condition. The partial trip information for all channels is transmitted over isolated data links to engineered safety features actuation cabinets (ESFACs) I and II to form the basic signals which will eventually result in a safeguards Train-A or Train-B actuation. The voting logic is performed twice within each ESFAC. Each voting logic element will generate an actuation signal if the required coincidence of partial trips exists at its inputs.

Within each ESFAC, the signals are combined through ESF logic sensitive to accident situations to generate a system-level ESF signal. For example, a safety injection signal will be generated on coincidence of low-3 Tcold and P-15, or on low pressurizer pressure, or on high-1 containment pressure, etc.

System-level ESF manual actions are also processed by the ESF logic in each ESFAC.


The system-level signals must then be broken down to the individual signals through the logic cabinets to start each component associated with an engineered safety feature. For example, a single safety injection signal must start pumps, align valves, start diesel generators, etc. The interposing logic within each logic cabinet accomplishes this function and also performs necessary interlocking to ensure that components are properly aligned for safety. Component-level manual actions are also processed in the interposing logic. Since each logic cabinet computer signal is triplicated for reliability and to prevent inadvertent actuation, the triplicated component-level signals must be "voted" in the power interface. The power interface also transforms the low level signals to voltages and currents commensurate with the actuation devices which they must operate. The actuation devices in turn control motive power to the final safeguards component. The logic cabinets thus interface the integrated protection system to the 2 safeguards trains of the protective action system.

Subsection 7.3.1.1 provides a description of each of the engineered safety features. Subsection 7.3.1.2 provides the design bases information as required by Section 3 of IEEE 279-1971. Subsection 7.3.2 discusses conformance of the engineered safety features to the requirements stated in Section 4 of IEEE 279-1971. The functional diagrams for engineered safety features actuation are presented in Figure 7.2-1.

7.3.1.1 Functional Description

The following subsections describe the specific engineered safety features and are grouped into the following categories of actuation signals:

1. Safety Injection (Subsection 7.3.1.1.1)
2. Steamline Isolation (Subsection 7.3.1.1.2)
3. Containment Spray (Subsection 7.3.1.1.3)
4. Containment Isolation (Subsection 7.3.1.1.4)
5. Main Feedwater Isolation (Subsection 7.3.1.1.5)
6. Emergency Feedwater (Subsection 7.3.1.1.6)
7. Blocking Boron Dilution (Subsection 7.3.1.1.7)

Table 7.3-1 lists the engineered safety features actuation signals and summarizes the coincidence logic that will actuate these functions. The permissives and interlocks for the functions are given on Table 7.3-3.

System-level manual inputs to ESF are listed on Table 7.3-4.

7.3.1.1.1 Engineered Safety Features Actuated on a Safety Injection (SI) Signal (See Figure 7.2-1, Sheet 12)

The safety injection signal will be derived from one or more of the following initiating means:

1. Manual Initiation of Safety Injection; or
2. High (Hi-1) Containment Pressure; or
3. Pressurizer Low Pressure; or
4. Low Compensated Steamline Pressure in any Steamline; or
5. Low-3 Tcold in 2/4 loops.

To permit startup and cooldown, the safety injection signals on low compensated steamline pressure, low pressurizer pressure, or low-3 Tcold may be manually blocked when pressurizer pressure is below the P-11 setpoint. To permit operation below normal operating temperatures for at-power reactivity control, the safety injection signal on low-3 Tcold is automatically blocked whenever nuclear power is above the P-15 setpoint.

The safety injection signal may be manually reset after 30 to 150 seconds following initiation. It will remain reset until the reactor trip breakers are closed. The time delay assures that, on a blackout, the diesel generators have been brought up to speed and all the required loads sequenced on before permitting the operator to reset the safety injection signal. Resetting the signal does not turn off any safeguards equipment, since individual components are required to latch in and seal on the SI signal (see note 5 on Figure 7.2-1, Sheet 12). However, the operator cannot take manual control of any safeguards component actuated by the safety injection signal until the SI signal is first reset.
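The paragraph above, together with the description in Subsection 7.3.1 of the triplicated component-level signals voted in the power interface, fixes three behaviours an implementation of the SI chain has to preserve: the system-level SI signal latches, is resettable only after the delay, and then stays reset until the reactor trip breakers are closed; a reset drops the signal but not the sealed-in components, and manual control of a component is refused while the signal is present; and a single faulted logic processor can neither drop a component demand nor raise one spuriously. The Python model below is an added example written for this edition, not Westinghouse code. The 60 s delay (one value inside the 30 to 150 s window the text gives), the component names, and the `stuck` dictionary used to inject a faulted processor output are assumptions.

```python
"""System-level SI signal with reset/seal-in semantics and 2-of-3 voted component fan-out.

Added illustration, not Westinghouse code. The delay value, component names
and the fault-injection mechanism are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

SI_RESET_DELAY_S = 60.0  # assumed; the design allows 30 to 150 s
# A few of the components actuated by SI (names are assumptions).
SI_COMPONENTS = ("emergency feedwater pump A", "diesel generator A",
                 "SI pump A", "phase A isolation valve")


@dataclass
class SealedInComponent:
    name: str
    actuated: bool = False

    def demand(self, on):
        # The component latches and seals in on SI: a dropped demand never un-actuates it.
        if on:
            self.actuated = True


@dataclass
class SafetyInjectionLogic:
    components: dict = field(
        default_factory=lambda: {n: SealedInComponent(n) for n in SI_COMPONENTS})
    si_signal: bool = False
    initiated_at: Optional[float] = None
    held_reset: bool = False  # after a reset, SI stays reset until the trip breakers close
    # Simulated faulted logic outputs: (component, processor index) -> stuck value.
    stuck: dict = field(default_factory=dict)

    def evaluate(self, now, initiating, trip_breakers_closed):
        """One cycle of the system-level SI logic followed by the component fan-out."""
        if trip_breakers_closed:
            self.held_reset = False
        if initiating and not self.si_signal and not self.held_reset:
            self.si_signal = True
            self.initiated_at = now
        demands = self.component_demands()
        for name, on in demands.items():
            self.components[name].demand(on)
        return demands

    def component_demands(self):
        """Interposing logic computed by three processors per component and
        voted 2-of-3 in the power interface."""
        demands = {}
        for name in SI_COMPONENTS:
            votes = [self.stuck.get((name, k), self.si_signal) for k in range(3)]
            demands[name] = sum(votes) >= 2
        return demands

    def reset(self, now):
        """Operator reset of the SI signal; refused before the delay has elapsed."""
        if not self.si_signal or now - self.initiated_at < SI_RESET_DELAY_S:
            return False
        self.si_signal = False
        self.held_reset = True
        return True

    def manual_control(self, name, on):
        """Component-level manual action; locked out while the SI signal is present."""
        if self.si_signal:
            return False
        self.components[name].actuated = on
        return True


if __name__ == "__main__":
    si = SafetyInjectionLogic()
    si.evaluate(now=0.0, initiating=True, trip_breakers_closed=True)
    print("reset at 10 s accepted:", si.reset(10.0))
    print("reset at 60 s accepted:", si.reset(60.0))
    print("SI pump A still actuated after reset:", si.components["SI pump A"].actuated)
```

The two fault cases at the end of the test are the ones worth keeping: a processor stuck low must be outvoted so the demand reaches the actuation device, and a processor stuck high must be outvoted so that no safeguards component is started inadvertently.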


The safety injection signal will actuate the following engineered safety features:

1. Startup of emergency feedwater pumps, steam generator letdown isolation, and startup feedwater termination;
2. Startup of emergency diesels;
3. Start of service-water pumps and isolation of non-essential service water, if required;
4. Start of other pumps (e.g., component cooling);
5. Start of emergency fan coolers;
6. Emergency Core Cooling System and alignment of it to the safety injection mode;
7. Safety injection diesel loading sequence when and if sequencing is necessary;
8. Reactor trip, provided one has not been generated by one of the reactor trip functions identified in Section 7.2;
9. Phase-A containment isolation to prevent fission product release; i.e., isolation of all lines not essential to safety injection;
10. Containment ventilation isolation;
11. Control room isolation;
12. Feedwater isolation.


7.3.1.1.2 Engineered Safety Features Actuated on a Steamline Isolation Signal (See Figure 7.2-1, Sheet 10)

A steamline isolation signal will be derived from any one of the following conditions:

1. Manual initiation of steamline isolation; or
2. High steamline negative pressure rate; or
3. Low compensated steamline pressure; or
4. High (Hi-2) containment pressure; or
5. Low-3 Tcold.

Steamline isolation on conditions 3 or 5 above may be manually blocked when pressurizer pressure is below the P-11 setpoint. Steamline isolation on condition 5 is automatically blocked when nuclear power is above the P-15 setpoint.

The steamline isolation signal will close all steamline isolation valves and bypass valves which are in parallel with the associated steamline isolation valves. In addition to manual system-level steamline isolation, each steamline isolation valve can be individually closed.

7.3.1.1.3 Engineered Safety Features Actuated on a Containment Spray Signal (See Figure 7.2-1, Sheet 13)

A signal to actuate containment spray will be generated from any of the following conditions:

1. Manual actuation of 1 pair out of the 2 pairs of manual spray switches; or
2. High (Hi-3) containment pressure.

The containment spray signal may be manually reset from the main control board. This resets the signal but will not terminate spray.

The containment spray signal will actuate the following safeguards features:

1. Start of containment spray to reduce containment pressure and temperature following a loss of coolant accident or steamline break inside containment.
2. Containment isolation (Phase B) following a LOCA, steamline or feedline break accident inside containment, to limit radioactive releases. (Phase B isolation together with Phase A isolation results in isolation of all but the safety injection and containment spray lines penetrating the containment.)

In addition to the above, manual initiation of spray will cause containment ventilation isolation if not already actuated by safety injection.

7.3.1.1.4 Engineered Safety Features Actuated on a Containment Isolation Signal (See Figure 7.2-1, Sheet 13)

Phase A containment isolation will be generated on a safety injection signal (manual or automatic) as described in Subsection 7.3.1.1.1. It can also be initiated by one of two Phase A controls on the main control board.

Phase B containment isolation will be initiated on high (Hi-3) containment pressure or on manual initiation of containment spray, as described in Subsection 7.3.1.1.3.

Containment ventilation isolation will occur on a safety injection signal (automatic or manual) as described in Subsection 7.3.1.1.1, or by manual initiation of Phase A isolation, or by manual initiation of containment spray, as described in Subsection 7.3.1.1.3.


7.3.1.1.5 Engineered Safety Features Actuated on a Feedwater Isolation Signal (See Figure 7.2-1, Sheets 2, 8, 10)

A feedwater isolation signal will be generated under any of the following conditions:

1. High water level in any steam generator; or
2. Safety injection (automatic or manual), see Subsection 7.3.1.1.1; or
3. Low-2 Tcold in any 2/4 loops; or
4. Low pressurizer water level if the reactor has been tripped.

Condition 4 above will cause closure of all main feedwater control valves.

Conditions 1 through 3 above will cause tripping of all main feedwater pumps and closure of all feedwater isolation valves, main feedwater control valves and bypass valves.

Feedwater isolation on low-2 Tcold may be manually blocked when the pressurizer pressure is below the P-11 setpoint. Feedwater isolation on low-2 Tcold is automatically blocked whenever nuclear power is above the P-15 setpoint.

7.3.1.1.6 Engineered Safety Features Actuated on a Signal to Actuate the Emergency Feedwater System (See Figure 7.2-1, Sheets 7, 8)

The Emergency Feedwater System will be actuated on any of the following conditions:

1. Low-1 water level (narrow range instrumentation) in any steam generator coincident with the failure of the startup feedwater system to deliver adequate cooling flow to the same steam generator; or
2. Low-2 water level (wide range instrumentation) in any steam generator coincident with reactor trip; or

3. Safety injection (automatic or manual) - see Subsection 7.3.1.1.1; or
4. Manual.

The following events occur on conditions 1-4 above:

1. Both motor and turbine driven emergency feedwater pumps are started.
2. The startup feedwater pump is stopped and startup feedwater flow control valves are closed.
3. Blowdown isolation and sample line valves are closed. They are also closed on low-1 water level in any steam generator.

The emergency feedwater isolation valves between either pair of steam generators, which have normally interconnected emergency feedwater lines, will close when an excessive pressure differential exists between them.

7.3.1.1.7 Engineered Safety Features Actuated on a Signal to Block Boron Dilution (See Figure 7.2-1, Sheet 3)

A signal to block boron dilution will be derived from source range neutron flux increasing at an excessive rate (source range flux doubling). The source range flux doubling signal may be blocked manually above the P-6 power level. It is automatically reinstated below P-6. The block of boron dilution is required if the source range flux doubling count rises during startup or shutdown, indicating an unplanned boron dilution. A signal to block boron dilution will close the volume control tank (VCT) outlet isolation valves and open the makeup valves from the spent fuel pit.

7.3.1.1.8 Blocks, Permissives, and Interlocks for ESF Actuation

The interlocks used for engineered safety features actuation are designated as P-xx permissives and are listed on Table 7.3-3.

Manual blocks to engineered safety features actuations are described below:

1. Safety injection on pressurizer low pressure, low compensated steamline pressure, or low-3 Tcold (when nuclear power is below the P-15 setpoint) can be manually blocked when pressurizer pressure is below the P-11 setpoint.
2. Steamline isolation on low compensated steamline pressure, high negative steam pressure rate, or low-3 Tcold (when nuclear power is below the P-15 setpoint) can be manually blocked when pressurizer pressure is below the P-11 setpoint.
3. Feedwater isolation on low-2 Tcold (when nuclear power is below the P-15 setpoint) can be manually blocked when pressurizer pressure is below the P-11 setpoint.
4. Tripping of the turbine on low-2 compensated Tcold (when nuclear power is below the P-15 setpoint) can be manually blocked when pressurizer pressure is below the P-11 setpoint.
5. The block of boron dilution on source range flux doubling can be manually defeated above the P-6 intermediate range power level.

7.3.1.1.9 Bypasses of Engineered Safety Features Actuations

The channels used in engineered safety features actuation which can be manually bypassed in the integrated protection system are indicated on Table 7.3-1. A description of this bypass capability is given in Subsection 7.1.2.2.11. The actuation logic for ESF which is contained in the ESFAC and logic cabinets will not be bypassed for test. Instead, the output of one of the two ESF logic trains in a cabinet in test will be placed in a trip condition.

7.3.1.1.10 Sequencing of ESF Loads

See Chapter 8.

7.3.1.2 Design Bases for Engineered Safety Features Actuation

This section provides the design bases information for engineered safety features actuation, including the information required by Section 3 of IEEE 279-1971. Engineered safety features are protective functions initiated by the integrated protection system. Consequently, there is no ESF actuation system per se. Those design bases which relate to the equipment which initiate and accomplish engineered safety features are given in Subsection 7.1.2.1 and are not repeated here. The design bases presented here are concerned with the variables monitored for ESF actuation and the minimum performance requirements in generating the actuation signals.

7.3.1.2.1 Design Basis; Generating Station Conditions Requiring ESF Actuation (Paragraph 1 of Section 3 of IEEE 279-1971)

The following is a summary of those generating station conditions requiring protective action:

1. Primary System
   a. Rupture in small pipes or cracks in large pipes
   b. Rupture of a reactor coolant pipe (loss of coolant accident)
   c. Steam generator tube rupture

2. Secondary System
   a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief or safety valve
   b. Rupture of a major steamline pipe
   c. Rupture in feedline pipe

Table 7.2-4 summarizes the engineered safety features as they relate to Condition II, III, or IV events as analyzed in Chapter 15.

7.3.1.2.2 Design Basis; Variables, Ranges, Accuracies, and Typical Response Times Used in ESF Actuation (Paragraphs 2, 5, 6, and 9 of Section 3 of IEEE 279-1971)

The variables required to be monitored for engineered safety features actuations are:

1. Pressurizer Pressure
2. Reactor Coolant Inlet Temperature (Tcold) in each loop
3. Steamline Pressure in each steamline
4. Containment Pressure
5. Water level in each Steam Generator (Narrow and Wide Ranges)
6. Startup feedwater flow to each steam generator
7. Source Range neutron flux
8. Pressurizer Water Level

A discussion on levels that, when reached, will result in engineered safety features actuation is given in Subsection 7.1.2.2.1. The "ALLOWABLE VALUES" for the Limiting Conditions for Operation (LCO) and the "TRIP SETPOINTS" for ESF actuations are given in the Technical Specifications.


Typical ranges, accuracies, and response times for the variables used in ESF actuations are listed in Table 7.3-2.

The response time of engineered safety features actuation is defined as the interval required for the engineered safety features sequence to be initiated subsequent to the point in time that the appropriate variable(s) exceed setpoints. The response time includes sensor/process (analog) and logic (digital) delay plus the time delay associated with tripping open the reactor trip breakers and control and latching mechanisms, although the engineered safety features actuation signal occurs before or simultaneously with engineered safety features sequence initiation (See Figure 7.2-1, Sheet 12).

Therefore, the response times to initiate engineered safety features presented on Table 7.3-2 are conservative. The values listed are maximum allowable times consistent with the safety analyses and are systematically verified during plant pre-operational startup tests. These maximum delay times thus include all compensation and therefore require that any such network be aligned and operating during verification testing.

The integrated protection system associated with engineered safeguards actuation is always capable of having response time tests performed using the same methods as those tests performed during the preoperational test program or following significant component changes.

7.3.1.2.3 Design Basis; Spatially Dependent Variables Used for ESF Actuation (Paragraph 3 of Section 3 of IEEE 279-1971)

No spatially dependent variables are used for engineered safety features actuation.

7.3.1.2.4 Design Basis; Limits for ESF Parameters in Various Reactor Operating Modes (Paragraph 4 of Section 3 of IEEE 279-1971)

During startup or shutdown, various ESF actuations can be manually blocked if the pressurizer pressure is below the P-11 setpoint. These functions are listed in Subsection 7.3.1.1.8.

During testing or maintenance of the integrated protection cabinets, certain channels used for ESF may be bypassed. Although no setpoints are changed for bypassing, the logic is automatically adjusted as described in Subsection 7.1.2.2.8. The ESF channels which can be bypassed in the integrated protection system (IPS) are listed on Table 7.3-1.

7.3.1.2.5 Design Basis; ESF Functions for Malfunctions, Accidents, Natural Phenomena, or Credible Events (Paragraph 8 of Section 3 of IEEE 279-1971)

The accidents which the various ESF functions are designed to mitigate are detailed in Chapter 15. Table 7.2-5 contains a summary listing of the engineered safety features which will typically be actuated for various Condition II, III, or IV events.

The safety system is qualified as discussed in Sections 3.10 and 3.11. It also normally relies on provisions made by the owner to protect equipment against damage from natural phenomena and credible events (See Subsection 7.1.2.2.5). Consequently there are no engineered safety features actuated by the integrated protection system to mitigate the consequences of these types of events; e.g., extinguishing fires, etc.

Functional diversity is employed in determining the actuation signals for engineered safety features. For example, a safety injection signal will be generated from high containment pressure, low pressurizer pressure, low compensated steamline pressure, etc. Therefore, complete reliance is not normally made on a single signal actuating ESF functions. The extent of this diversity can be seen from the initiating signals presented in Subsection 7.3.1.1. Table 7.3-1 also lists the ESF signals, and the conditions which will result at their actuation.

Redundancy will be employed to provide assurance that engineered safety features will be actuated on demand, even when the protection system is degraded by a single random failure. This redundancy is described in Subsections 7.1.1.2 and 7.1.1.3. The single-failure criterion is met even when ESF channels are bypassed as previously described.
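The 2/4-BYP bypass rule stated in the footnote to Table 7.3-1, modelled as a check on the single-failure claim above; this is an added example, not code from the RESAR-SP/90 document or from Westinghouse, and the channel states, switch functions and the assumption that a failed channel sticks in the non-tripping direction are constructed for illustration.

```python
# Added example (not from the RESAR-SP/90 text): a model of the 2/4-BYP
# automatic bypass voting rule from the footnote to Table 7.3-1 and of the
# system-level manual initiation rules of Subsection 7.3.2.2.9.
# Channel states and the failure direction are constructed assumptions.
from __future__ import annotations

from enum import Enum


class ChannelState(Enum):
    NORMAL = "normal"        # variable below its setpoint
    TRIPPED = "tripped"      # variable beyond its setpoint (demands actuation)
    BYPASSED = "bypassed"    # channel bypassed for test or maintenance


def trips_required(n_bypassed: int) -> int:
    """Coincidence demanded by the 2/4-BYP rule for a four-channel set.

    2/4 with no bypasses, 2/3 with one, 1/2 with two, and automatic
    actuation (zero trips needed) with three or four bypasses.
    """
    if not 0 <= n_bypassed <= 4:
        raise ValueError("a 2/4-BYP channel set has exactly four channels")
    in_service = 4 - n_bypassed
    # three or four channels in service: 2-of-N; two: 1-of-2; fewer: automatic
    return 2 if in_service >= 3 else max(in_service - 1, 0)


def esf_actuation(channels: list[ChannelState]) -> bool:
    """Evaluate one 2/4-BYP channel set; True when an actuation signal results."""
    if len(channels) != 4:
        raise ValueError("a 2/4-BYP channel set has exactly four channels")
    n_bypassed = sum(c is ChannelState.BYPASSED for c in channels)
    n_tripped = sum(c is ChannelState.TRIPPED for c in channels)
    return n_tripped >= trips_required(n_bypassed)


def actuates_despite_single_failure(n_bypassed: int) -> bool:
    """Check the single-failure statement of Subsection 7.3.1.2.5 for one bypass count.

    With a real demand present every in-service channel would trip; each one
    in turn is forced to fail in the non-tripping direction (assumed failure
    mode) and the set must still actuate.
    """
    in_service = 4 - n_bypassed
    base = [ChannelState.BYPASSED] * n_bypassed + [ChannelState.TRIPPED] * in_service
    for failed in range(n_bypassed, 4):
        degraded = list(base)
        degraded[failed] = ChannelState.NORMAL  # channel stuck below setpoint
        if not esf_actuation(degraded):
            return False
    return True


def single_spurious_trip_actuates(n_bypassed: int) -> bool:
    """Inadvertent-actuation side: does one spuriously tripped channel alone actuate?"""
    channels = [ChannelState.BYPASSED] * n_bypassed + [ChannelState.NORMAL] * (4 - n_bypassed)
    if n_bypassed < 4:
        channels[-1] = ChannelState.TRIPPED
    return esf_actuation(channels)


def manual_one_of_two(switch_1: bool, switch_2: bool) -> bool:
    """1/2 switch logic (e.g. manual safety injection): either switch initiates."""
    return switch_1 or switch_2


def manual_containment_spray(pair_a: tuple[bool, bool], pair_b: tuple[bool, bool]) -> bool:
    """Manual spray per Subsection 7.3.2.2.9: two pairs of switches, and both
    switches of one pair must be operated simultaneously."""
    return all(pair_a) or all(pair_b)


def bypass_summary() -> dict[int, tuple[int, bool, bool]]:
    """For each bypass count 0..4: (trips required, survives single failure,
    one spurious trip actuates)."""
    return {
        k: (trips_required(k), actuates_despite_single_failure(k), single_spurious_trip_actuates(k))
        for k in range(5)
    }


if __name__ == "__main__":
    for k, (req, tolerant, spurious) in bypass_summary().items():
        print(f"{k} bypassed: {req} trip(s) required; single-failure tolerant={tolerant}; "
              f"one spurious trip actuates={spurious}")
```

The summary shows the trade-off the footnote implies: bypassing channels never defeats the function (three or four bypasses force actuation), but with two bypasses a single spurious channel is enough to actuate.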


7.3.1.3 Final System Drawings

Functional block diagrams, electrical elementaries and other drawings as required to assure electrical separation and to perform a safety review will be provided in the plant specific applicant's final safety analysis report.

Preliminary drawings for the instrumentation and control systems are included at the end of Sections 7.2, 7.3, 7.6, and 7.7.

7.3.2 Analysis for Engineered Safety Features Actuation

7.3.2.1 Failure Mode and Effects Analyses

The failure mode and effects analyses that will be performed on the integrated protection system, as discussed in Subsection 7.2.2.1, will include analysis of the equipment which generates the actuation signals for engineered safety features. Results of this study will be documented in a separate report for reference in the plant specific applicant's preliminary safety analysis report prior to issuance of the construction permit.

7.3.2.2 Conformance of Engineered Safety Features to the Requirements of IEEE 279-1971

This section discusses conformance of engineered safety features actuation to the requirements of Section 4 of IEEE 279-1971. Engineered safety features accomplish a protective function when each ESF component receives an initiation signal from the integrated protection system. Consequently there is no physically identifiable engineered safety features actuation system per se. Those requirements of Section 4 of IEEE 279-1971 which address equipment in the integrated protection system are presented in Subsection 7.1.2.2 and are not repeated here. The discussions presented in this section address only the functional aspects of actuating engineered safety features.


7.3.2.2.1 Conformance to the General Functional Requirements for Engineered Safety Features Actuation (Paragraph 4.1 of IEEE 279-1971)

The integrated protection system (IPS) will automatically generate an actuation signal for an engineered safety feature whenever a condition monitored by the IPS reaches a preset value. The specific engineered safety features actuation functions are listed in Table 7.3-1 and are discussed in detail in Subsection 7.3.1.1. Table 7.3-2 lists the typical ranges, accuracies, and response times of the parameters being monitored. The engineered safety features, in conjunction with a reactor trip, protect against damage to the core and reactor coolant system components and ensure containment integrity following a Condition II, III, or IV event. Table 7.2-4 summarizes the events which will normally result in the initiation of engineered safety features. The setpoints which, when reached, actuate engineered safety features are listed in the Technical Specifications.

7.3.2.2.2 Conformance to the Single Failure Criterion for Engineered Safety Features Actuation (Paragraph 4.2 of IEEE 279-1971)

A single failure in the integrated protection system (IPS) will not prevent an actuation of the engineered safety features when the condition monitored by the IPS reaches the preset value that requires the initiation of an actuation signal. The single failure criterion is met even when one of the engineered safety features actuation cabinets is being tested, as discussed in Subsection 7.1.1.2.7, or when there is a bypass condition in connection with test or maintenance of channel set(s) in the integrated protection system.

7.3.2.2.3 Conformance to the Requirements for Channel Independence of the Engineered Safety Features Actuation (Paragraph 4.6 of IEEE 279-1971)

The discussion presented in Subsection 7.1.2.2.6 is applicable. The signals to initiate Train A of the engineered safety features are electrically isolated from the signals to initiate the redundant train (Train B). Both safeguards trains of the protective action system are electrically independent and redundant, as are the power supplies for the trains up to and including the final actuated equipment.

7.3.2.2.4 Conformance to the Requirements Governing Control and Protection System Interaction of the Engineered Safety Features Actuation (Paragraph 4.7 of IEEE 279-1971)

The discussions presented in Subsection 7.1.2.2.7 are applicable.

7.3.2.2.5 Derivation of System Inputs for Engineered Safety Features Actuation (Paragraph 4.8 of IEEE 279-1971)

To the extent feasible and practical, the integrated protection system inputs are derived from signals that are direct measures of the desired parameters. The parameters are listed in Table 7.3-2.

7.3.2.2.6 Capability for Sensor Checks and Equipment Test and Calibration of the Engineered Safety Features Actuation (Paragraphs 4.9 and 4.10 of IEEE 279-1971)

The discussion of system testability in Section 7.1 is applicable to the sensors, signal processing, and actuation logic that initiate engineered safety features actuation.

The following discussions cover those areas in which the testing provisions differ from those used to generate a reactor trip.

Testing of Engineered Safety Features Actuation

The testing program meets the requirements of Regulatory Guide 1.22 as discussed in Subsection 7.1.2.2.10. The program is as follows:

1. Prior to initial plant operations, engineered safety features tests will be conducted.
2. Subsequent to initial startup, engineered safety features tests will be conducted during each regularly scheduled refueling outage.
3. During on-line operation of the reactor, the integrated protection system will be fully tested as described. In addition, essentially all of the engineered safety features final actuators will be fully tested. The remaining few final actuators whose operation is not compatible with continued on-line plant operation will be tested at refueling shutdown.
4. During normal operation, the operability of testable final actuation devices of the engineered safety features will be tested by manual initiation from the control room.

During reactor operation, the basis for acceptability of engineered safety features actuation will be the successful completion of the overlapping tests performed on the integrated protection system. Process indications are used to verify operability of sensors.

The basis for acceptability for the engineered safety features interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint.

Maintenance checks (performed during regularly scheduled refueling outages), such as resistance to ground of signal cables in radiation environments, are based on qualification test data which identifies what constitutes acceptable radiation, thermal, etc. degradation.

Frequency of Performance of Engineered Safety Features Actuation Tests

During reactor operation, complete integrated protection system testing (excluding sensors or those devices whose operation would cause plant upset) is performed on a basis as specified in the Technical Specifications. Testing is also performed during scheduled plant shutdown for refueling.

Engineered Safety Features Actuation Test Description

The guidelines used in developing the testing circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any plant equipment.
2. The test procedures must minimize the potential for accidental tripping.
3. The provisions for on-line testing must minimize complication of engineered safety features actuation circuits so that their reliability is not degraded.

Testing During Shutdown

Emergency core cooling system tests will be performed at each major fuel reloading with the reactor coolant system isolated from the ECCS by closing the appropriate valves. This is in compliance with (1971) GDC-37.

Containment spray system tests will be performed at each major fuel reloading. The tests will be performed with the isolation valves in the spray supply lines at the containment and spray additive tank blocked closed and are initiated by tripping the normal actuation instrumentation.

Periodic Maintenance Inspections

The maintenance procedures which follow may be accomplished in any order. The frequency will depend on the operating conditions and requirements of the reactor power plant. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace, or readjust the equipment. Optimum operating performance must be achieved at all times.

Typical maintenance procedures include the following:

1. Check cleanliness of all exterior and interior surfaces.
2. Check all fuses for corrosion.
3. Inspect for lost or broken control knobs and burned out indicator lamps.
4. Inspect for moisture and condition of cables and wiring.
5. Mechanically check all connectors and terminal boards for looseness, poor connection, or corrosion.
6. Inspect the components of each assembly for signs of overheating or component deterioration.
7. Perform complete system operating check.

7.3.2.2.7 Conformance to Requirements on Bypassing of Engineered Safety Features Actuation Functions (Paragraphs 4.11, 4.12, 4.13, and 4.14 of IEEE 279-1971)

The discussions of Subsections 7.1.2.2.8 through 7.1.2.2.14 and 7.3.1.1.9 are applicable.

7.3.2.2.8 Conformance to the Requirement for Completion of Engineered Safety Features Actuation Once Initiated (Paragraph 4.16 of IEEE 279-1971)

Once initiated, engineered safety features will go to completion unless deliberate operator action is taken to terminate the function on a component-by-component basis. The ability to terminate operation of ESF components is necessary for several reasons. For example, components must be turned off and properly aligned if inadvertently actuated. Also, a component may have to be removed from operation for repair or maintenance.

Equipment actuated on a safety injection (SI) cannot be turned off for 30 to 120 seconds following initiation of the SI signal. This assures that the diesel generator will have attained its speed and that all required loads have been sequenced onto the generator before the SI signal can be reset. This interlock is shown on Figure 7.2-1, Sheet 12. Once reset, the safety injection signal will not be reinitiated as long as the reactor trip circuit breakers are open.

Resetting a system-level ESF signal does not terminate any ESF function. Rather, it permits the operator to individually turn off equipment. Equipment cannot be reset until the system-level signal is reset.

7.3.2.2.9 Conformance to the Requirement to Provide Manual Initiation At the System-Level for All ESF Actuations (Paragraph 4.17 of IEEE 279-1971)

Manual initiation at the system-level exists for all engineered safety features actuations. Specifically these are:

1. Safety Injection: 2 SI switches
2. Steamline Isolation: 2 Steamline Isolation switches
3. Containment Spray: 2 pairs of 2 Spray switches
4. Phase-A Isolation: 2 Phase-A Isolation switches
5. Phase-B Isolation: Manual Spray actuates Phase-B Isolation
6. Containment Ventilation Isolation: Manual Spray or Manual Phase-A Isolation actuates Containment Ventilation Isolation
7. Feedwater Isolation: 2 Manual Feedwater Isolation switches
8. Emergency Feedwater: Manual Safety Injection, 2 manual start switches in control room, or 2 local manual start switches

As a minimum, two switches are provided to assure that the protective function can be manually initiated at the system-level despite a single random failure in one switch. In certain applications, e.g., containment spray, two pairs of switches are provided. One pair must be actuated simultaneously to actuate spray. This reduces the likelihood of inadvertent spray while still assuring that the single failure criterion is met.

7.3.2.3 Summary

The effectiveness of the integrated protection system in initiating engineered safety features is evaluated in Chapter 15, based on the ability of the system to contain the effects of Condition III and IV faults, including loss of coolant and steamline break accidents.

The integrated protection system, in order to initiate engineered safety features actuation, must detect Condition III and IV faults and generate signals which actuate the engineered safety features. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time consistent with that determined by the accident analyses in Chapter 15.

Longer times are associated with the actuation of the mechanical and fluid system equipment associated with engineered safety features. This includes the time required for switching, bringing pumps and other equipment to speed, and the time required for them to take load. Evaluation of engineered safety features in mitigating consequences of breaks in the primary and secondary systems is as follows:

Loss of Coolant Protection

By analysis of loss of coolant accidents and in system tests it has been verified that, except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various loss of coolant accidents are reliably detected by the low pressurizer pressure signal; the emergency core cooling system (safety injection) is actuated in time to prevent or limit core damage.

For large coolant system breaks, the passive accumulators inject first because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the active emergency core cooling system phase.

High containment pressure also actuates the steamline isolation and safety injection systems. Therefore, emergency core cooling actuation can be brought about by sensing this other direct consequence of a primary system break, that is, the engineered safety features actuation system detects the leakage of the coolant into the containment. The generation time of the actuation signal as given in Table 7.3-2 is adequate.

Containment spray will provide additional emergency cooling of containment and also limit fission product release upon sensing elevated containment pressure (Hi-3) to mitigate the effects of a loss of coolant accident.

The delay time between detection of the accident condition and the generation of the actuation signal for these systems is in Table 7.3-2 and is well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the required fluid and supporting systems.

The analyses in Chapter 15 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss of coolant.

Steamline Break Protection

The emergency core cooling system is also actuated in order to protect against a steamline break. Table 7.3-1 gives the signals that make up the excessive cooldown protection function. Table 7.3-2 gives the time between occurrence of the signals that make up the excessive cooldown protection signal and high containment pressure (for breaks in containment), and generation of the actuation signal. Analysis of steam break accidents assuming this delay for signal generation shows that the safety injection system is actuated for a steam break in time to limit or prevent further core damage. There is a reactor trip and the core reactivity is further reduced by the highly borated water injected by the safety injection system.

Additional protection against the effects of a steamline break is provided by feedwater isolation which occurs upon initiation of the functions shown in Table 7.3-1.

Additional protection against a steamline break accident is provided by steamline isolation; i.e., closure of all steamline isolation valves in order to prevent uncontrolled blowdown of all steam generators. Table 7.3-1 gives the signals that make up the steamline isolation function. The generation of the steamline isolation signals, as given in Table 7.3-2, is again short compared to the time to trip the fast-acting steamline isolation valves which are designed to close in less than approximately 5 seconds.

The analyses in Chapter 15 of steamline break accidents (see RESAR-SP/90 PDA Module 6/8, "Secondary Side Safeguards System / Steam and Power Conversion System") and an evaluation of the integrated protection system design show that the engineered safety features actuations are effective in preventing or mitigating the effects of a steamline break accident.

Feedline Break Protection

Engineered safety features are actuated in order to protect against a feedline break. Following reactor trip due to a low steam generator water level trip setpoint, a steamline isolation signal is obtained when the pressure in the steamlines falls below a given setpoint. When the setpoint is reached, all main steam isolation valves are closed, which guarantees a steam supply for the turbine driven emergency feedwater pumps.

Assurance that adequate feedwater is available for the feedline break is provided by the emergency feedwater system, which includes two motor driven pumps and two turbine driven pumps. The emergency feedwater pumps are initiated automatically by the signals identified in Table 7.3-1.

Analysis of the feedline break accident shows that minimum emergency feedwater capacity is adequate to remove decay heat, to prevent overpressurization of the reactor coolant system, and to prevent uncovering the reactor core.

Minimum emergency feedwater capacity is that capacity available following a feedline break event assuming the worst single failure. The analysis in Chapter 15 of the feedline break accident (see RESAR-SP/90 PDA Module 6/8, "Secondary Side Safeguards System / Steam and Power Conversion System") shows that the engineered safety features actuations are effective in mitigating the effects of a feedline break accident.


TABLE 7.3-1
ENGINEERED SAFETY FEATURES ACTUATION SIGNALS

ESF Actuation Signal | # of Channels | Channel Set Trip Logic | Permissives & Interlocks

1. SAFETY INJECTION (Figure 7.2-1, Sheets 7, 9, 10)
   a. Manual Safety Injection | 2 switches | 1/2 switches
   b. High (Hi-1) Containment Pressure | 4 | 2/4-BYP*
   c. Pressurizer Low Pressure | 4 | 2/4-BYP* | Manual block permitted below P-11
   d. Low Compensated Steamline Pressure | 4/steamline | 2/4-BYP* in any steamline | Manual block permitted below P-11
   e. Low-3 Tcold | 1/loop | 2/4 loops | P-15; Manual block permitted below P-11

2. STEAMLINE ISOLATION (Figure 7.2-1, Sheets 7, 8, 9, 10)
   a. High Steamline Negative Pressure Rate | 4/steamline | 2/4-BYP* in any steamline | Manual block permitted below P-11
   b. Low Pressurizer Pressure | 4 | 2/4-BYP* | Manual block permitted below P-11
   c. High (Hi-2) Containment Pressure | 4 | 2/4-BYP*
   d. Low Compensated Steamline Pressure | 4/steamline | 2/4-BYP* in any steamline | Manual block permitted below P-11
   e. Low-3 Tcold | 1/loop | 2/4 loops | P-15; Manual block permitted below P-11
   f. Manual Steamline Isolation | 2 switches | 1/2 switches

3. CONTAINMENT SPRAY (Figure 7.2-1, Sheet 13)
   a. Manual Containment Spray | 4 switches | 2/4 switches
   b. High (Hi-3) Containment Pressure | 4 | 2/4-BYP*

4. CONTAINMENT ISOLATION (PHASE-A)
   a. Safety Injection Signal (Auto and Manual) | See item 1(a) through (e)
   b. Manual Phase-A Isolation | 2 switches | 1/2 switches

   CONTAINMENT ISOLATION (PHASE-B)
   a. High (Hi-3) Containment Pressure | 4 | 2/4-BYP* | ----
   b. Manual Containment Spray | 4 switches | 2/4 switches

   CONTAINMENT VENTILATION ISOLATION
   a. Safety Injection (Auto or Manual) | See item 1(a) through (e)
   b. Manual Phase-A Isolation | 2 switches | 1/2 switches | ----
   c. Manual Containment Spray | 4 switches | 2/4 switches

5. FEEDWATER LINE ISOLATION (Closure of Isolation and Modulating Valves) (Figure 7.2-1, Sheets 2, 5, 8, 11, 16)
   a. Steam Generator High Water Level | 4/St. Gen. | 2/4-BYP* in any steam generator
   b. Safety Injection Signal (Auto and Manual) | See item 1(a) through (e)
   c. Manual Feedwater Isolation | 2 switches | 1/2 switches
   d. Low-2 Tcold | 1/loop | 2/4 loops | P-16

   FEEDWATER ISOLATION (Trip of all Main F/W Pumps)
   a. Steam Generator High Water Level | 4/St. Gen. | 2/4-BYP* in any steam generator | ----
   b. Manual Feedwater Isolation | 2 switches | 1/2 switches | ----
   c. Safety Injection Signal (Auto and Manual) | See items 1(a) through (e)

6. EMERGENCY FEEDWATER (Figure 7.2-1, Sheet 8)
   a. Low-1 Steam Generator Water Level Coincident With Low Startup Feedwater Flow | 4/St. Gen. | 2/4-BYP* in any steam generator
   b. Low-2 Water Level Coincident With Reactor Trip | 2/St. Gen. | 1/2
   c. Safety Injection Actuation | See item 1
   d. Manual | 2 | 1

7. BLOCK OF BORON DILUTION (Figure 7.2-1, Sheet 3)
   a. Flux Doubling Calculation | 4 | 2/4-BYP*

* 2/4-BYP indicates automatic bypass logic. The logic is 2/4 with no bypasses; 2/3 with one bypass; 1/2 with two bypasses; and automatically actuated with three or four bypasses.

TABLE 7.3-2 ESFAS VARIABLES, LIMITS, RANGES AND ACCURACIES

Columns: Protective Function | Variable to be Monitored | Condition of the Variable or Other ESF Actuation Signal That Initiates Protective Action | Range of Variable (Typical) | Protection System Accuracy (Nominal) | Response Time (Typical) (sec)

1. Safety Injection (S.I.)
   Containment pressure | Containment pressure Hi-1 | -5 to 60 psig | ±1.8% of span | 1.6
   Pressurizer pressure | Pressurizer pressure low (uncompensated signal) | 1700 to 2500 psig | ±14 psi | 1.0

2. S.I. Portion of Excessive Cooldown Protection
   Reactor coolant inlet temperature (T-cold) | Low-3 T-cold | 510 to 630°F | ±2.5°F | 6.0
   Steamline pressure | Low compensated steamline pressure | 0 to 1400 psig | ±2.3% of span | 1.0

3. Containment Spray
   Containment pressure | Containment pressure Hi-3 | -5 to 60 psig | ±1.8% of span | 1.5

4. Containment Isolation
   A. Phase A: See 1 & 2 above | Safety injection | See 1 & 2 above | See 1 & 2 above | See 1 & 2 above
   B. Phase B: Containment pressure | Containment pressure Hi-3 | -5 to 60 psig | ±1.8% of span | 1.5
   C. Containment vent isolation: See 1 & 2 above | Safety injection | See 1 & 2 above | See 1 & 2 above | See 1 & 2 above
      Radiation level | Containment radioactivity-Hi

5. Steamline Isolation
   Containment pressure | Containment pressure Hi-2 | -5 to 60 psig | ±1.8% of span | 1.5
   See 2 above | Excessive cooldown | See 2 above | See 2 above | See 2 above
   Steam pressure rate | Negative steam pressure rate - high | 0 to 1400 psig | ±2.3% of span | 1.0

6. Feedwater Line Isolation
   Pressurizer water level | Pressurizer water level coincident with reactor trip | Cylindrical portion of PRZ between taps at design temp/press | ±2.3% of full range ΔP | 2.0
   See 2 above | Excessive cooldown | See 2 above | See 2 above | See 2 above
   Reactor coolant inlet temperature (T-cold) | Low-2 T-cold | 510 to 630°F | ±2.5°F | 6.0
   Water level in steam generator | High steam generator water level | 8 feet below nominal level to 6 feet above nominal level | ±2.3% of ΔP span over pressure range from 700 to 1400 psig | 2.0

7. Startup of Emergency Feedwater Pumps
   Water level in steam generator | Low SFWS flow in coincidence with low-1 level in any SG | 8 feet below nominal level to 6 feet above nominal level | ±2.3% of ΔP span over pressure range from 700 to 1400 psig | 2.0
   See 1 & 2 above | Safety injection | See 1 & 2 above | See 1 & 2 above | See 1 & 2 above
   Water level in steam generator | Low-2 W.R. level in coincidence with reactor trip | 8 feet below nominal level to 6 feet above nominal level | ±2.3% of ΔP span over pressure range from 700 to 1400 psig | 2.0

8. Turbine Trip
   Water level in steam generator | High water level in steam generator | -42 feet below nominal level to 6.5 feet above nominal level | ±2.3% of ΔP span over pressure range from 700 to 1400 psig | 2.0
   See 2 above | Excessive cooldown | See 2 above | See 2 above | See 2 above
   Reactor trip | Reactor trip circuit breaker open in 2 or more actuation trains
   Reactor coolant inlet temperature (T-cold) | Low-2 T-cold | 510 to 630°F | ±2.5°F | 6.0

9. Block Steam Dump
   Reactor coolant inlet temperature (T-cold) | Low-1 T-cold | 510 to 630°F | ±2.5°F | 6.0

10. Block Boron Dilution
   Neutron flux | High source range neutron flux | 1 to 10^6 c/sec | ±5% of equivalent linear full scale output | 0.5

TABLE 7.3-3 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM

Columns: Designation* | Derivation | Function Performed

P-6 | Intermediate range neutron flux channels above setpoint | Allows manual block of source range channels, thus permitting boron dilution

P-6 (absent) | Intermediate range neutron flux channels below setpoint | Defeats any manual block of source range channels, permitting source block of boron dilution

P-11 | Pressurizer pressure below setpoint |
   (a) Permits manual block of safety injection on low pressurizer pressure, low steamline pressure, or low-3 T-cold
   (b) Permits manual block of steamline isolation on low steamline pressure or low-3 T-cold
   (c) Permits manual block of feedwater isolation on low-2 T-cold
   (d) Permits manual unblock of steamline isolation on high negative steamline pressure rate

P-11 (absent) | Pressurizer pressure above setpoint |
   (a) Defeats manual block of safety injection on low pressurizer pressure, low steamline pressure, or low-3 T-cold
   (b) Defeats manual block of steamline isolation on low steamline pressure or low-3 T-cold
   (c) Defeats manual block of feedwater isolation on low-2 T-cold
   (d) Defeats manual unblock of steamline isolation on high negative steamline pressure rate
   (e) Opens all accumulator isolation valves

P-15 | Power range nuclear power below setpoint |
   (a) Permits safety injection and steamline isolation on low-3 T-cold
   (b) Permits feedwater isolation on low-2 T-cold

P-15 (absent) | Power range nuclear power above setpoint |
   (a) Blocks safety injection and steamline isolation on low-3 T-cold
   (b) Blocks feedwater isolation on low-2 T-cold

P-16 | Reactor trip breakers open or reactor trip signal present |
   (a) Trips turbine
   (b) Permits closure of main feedwater control valves on low pressurizer water level
   (c) Prevents opening of the feedwater system valves which are closed on high steam generator water level or low-2 T-cold
   (d) Prevents automatic re-activation of safety injection after a delayed manual reset of safety injection

P-16 (absent) | Reactor trip breakers closed and no trip signal present |
   (a) Prevents closure of main feed control valves on low pressurizer water level
   (b) Permits opening of the feedwater system valves which are closed on high steam generator water level or low-2 T-cold
   (c) Permits automatic re-activation of safety injection after a delayed manual reset of safety injection

NOTES:
* (P-XX) = presence of the P-XX signal. P-XX with an overbar in the original table = absence of the P-XX signal; that case is written "P-XX (absent)" above.
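The P-11 and P-15 rows of Table 7.3-3 describe a permissive pattern that is worth seeing as state logic: an operator block of low-pressure safety injection is only accepted while P-11 is present, and it is cleared automatically (not merely disallowed) once pressurizer pressure rises back above the setpoint, so a block left in place during a cooldown cannot silently survive a return to power. The Python below is an added example, not code or design data from RESAR-SP/90; the setpoint values are labelled placeholders because the page does not give them, and the function names, the single block latch, and the pressure sequence in `cooldown_sequence()` are constructed for illustration.

```python
from dataclasses import dataclass

# Setpoint values are not given in Table 7.3-3; these are placeholders for
# the example only and are not design values.
P11_PZR_PRESSURE_SETPOINT_PSIG = 2000.0   # placeholder
P15_POWER_SETPOINT_PERCENT = 10.0         # placeholder


def p11_present(pzr_pressure_psig: float) -> bool:
    """P-11: pressurizer pressure below setpoint."""
    return pzr_pressure_psig < P11_PZR_PRESSURE_SETPOINT_PSIG


def p15_present(power_range_percent: float) -> bool:
    """P-15: power range nuclear power below setpoint."""
    return power_range_percent < P15_POWER_SETPOINT_PERCENT


@dataclass
class SiBlockState:
    # Operator block of safety injection on low pressurizer pressure, low
    # steamline pressure or low-3 T-cold (Table 7.3-3, P-11 item (a)).
    manual_block: bool = False


def update_p11_block(state: SiBlockState, pzr_pressure_psig: float,
                     operator_block_request: bool) -> SiBlockState:
    """Apply the two P-11 rows of Table 7.3-3 to the block latch.

    With P-11 present the operator's block request is honoured; with P-11
    absent the block is defeated (cleared) regardless of the request.
    """
    if p11_present(pzr_pressure_psig):
        if operator_block_request:
            state.manual_block = True
    else:
        state.manual_block = False
    return state


def si_on_low_pzr_pressure_armed(state: SiBlockState) -> bool:
    """Low pressurizer pressure SI is armed unless the P-11 block is in."""
    return not state.manual_block


def si_on_low3_tcold_armed(state: SiBlockState,
                           power_range_percent: float) -> bool:
    """Low-3 T-cold SI needs P-15 present (P-15 item (a)); with P-15 absent
    it is blocked automatically, and the P-11 manual block also removes it."""
    return p15_present(power_range_percent) and not state.manual_block


def cooldown_sequence():
    """Constructed walk-through (pressures are illustrative only):
    block refused at power, accepted below P-11, retained without a
    repeated request, then automatically defeated on re-pressurisation.
    Returns a list of (pressure, low-pressure SI armed) pairs."""
    state = SiBlockState()
    log = []
    steps = [(2250.0, True), (1900.0, True), (1800.0, False), (2100.0, False)]
    for pressure, request in steps:
        update_p11_block(state, pressure, request)
        log.append((pressure, si_on_low_pzr_pressure_armed(state)))
    return log


if __name__ == "__main__":
    for pressure, armed in cooldown_sequence():
        print(f"{pressure:7.1f} psig  SI on low PZR pressure armed: {armed}")
```

The latch is deliberately written so that the only way to set it is an operator request while P-11 is present; the "defeat" rows of the table are implemented as an unconditional clear, which is what makes the block self-removing as the plant returns to normal pressure.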

TABLE 7.3-4 SYSTEM-LEVEL MANUAL INPUTS TO THE INTEGRATED LOGIC CABINETS (ILC)

Columns: Manual Input | To Input Channel Set

1. Emergency Cooldown Protection Block - I | I
2. Emergency Cooldown Protection Block - II | II
3. Emergency Cooldown Protection Block - III | III
4. Emergency Cooldown Protection Block - IV | IV
5. Emergency Cooldown Protection Reset - I | I
6. Emergency Cooldown Protection Reset - II | II
7. Emergency Cooldown Protection Reset - III | III
8. Emergency Cooldown Protection Reset - IV | IV
9. Safety Injection Actuation 1 | I, II
10. Safety Injection Actuation 2 | I, II
11. Containment Spray #1 | I, II
12. Containment Spray #2 | I, II
13. Containment Spray #3 | I, II
14. Containment Spray #4 | I, II
15. Containment Isol. - Phase A #1 | I, II
16. Containment Isol. - Phase A #2 | I, II
17. Steamline Isolation #1 | I, II
18. Steamline Isolation #2 | I, II
19. SI Reset & Block - CH I | I
20. SI Reset & Block - CH II | II
21. Cont. Spray Reset - CH I | I
22. Cont. Spray Reset - CH II | II
23. Cont. Isol. Phase A Reset - CH I | I
24. Cont. Isol. Phase A Reset - CH II | II
25. Cont. Isol. Phase B Reset - CH I | I
26. Cont. Isol. Phase B Reset - CH II | II
27. Contain. Vent Isol. Reset I | I
28. Contain. Vent Isol. Reset II | II
29. Steamline Isol. Reset - CH I | I
30. Steamline Isol. Reset - CH II | II
31. Feedwater Isolation Reset - I | I
32. Feedwater Isolation Reset - II | II
33. Block Boron Dilution Block - I | I
34. Block Boron Dilution Block - II | II
35. Block Boron Dilution Block - III | III
36. Block Boron Dilution Block - IV | IV
37. Block Boron Dilution Reset - I | I
38. Block Boron Dilution Reset - II | II
39. Block Boron Dilution Reset - III | III
40. Block Boron Dilution Reset - IV | IV

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary systems of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions.

However, prescribed procedures for securing and maintaining the plant in a safe condition can be instituted by appropriate alignment of selected systems in the NSSS. The discussion of these systems, together with the applicable codes, criteria and guidelines, is found in other RESAR-SP/90 PDA modules, as appropriate. In addition, the alignment of shutdown functions associated with the engineered safety features (ESF) which are invoked under postulated limiting fault situations is discussed in Chapter 6 of the integrated RESAR-SP/90 PDA document and in Section 7.3.

Two kinds of shutdown conditions, both capable of being achieved with or without offsite power, are addressed in this section: hot standby and cold shutdown. Hot standby is a stable condition of the reactor achieved shortly after a programmed or emergency shutdown of the plant. Cold shutdown is a stable condition of the plant achieved after the residual heat removal process has brought the primary coolant temperature below 200°F. The systems required to achieve and maintain cold shutdown are described in Subsection 5.4.7 of RESAR-SP/90 PDA Module 1, "Primary Side Safeguards System".

For either case of safe shutdown, i.e., hot standby or cold shutdown, the reactivity control systems maintain a subcritical condition of the core. The plant technical specifications explicitly define both hot standby and cold shutdown conditions.

As a minimum, the electrically powered equipment necessary to be aligned for achieving and maintaining safety grade cold shutdown without offsite power, with an event initiated by a single random failure, and with limited operator action outside the control room, is:

1. Emergency Class 1E electrical power supply
2. Emergency feedwater system
3. Residual heat removal (and isolation) system
4. Borated EWST water inventory supply to the suction of the high head safety injection (HHSI) pumps
5. Redundant discharge system from and including the HHSI pump system supplying the RCS
6. Pressure relief system for the RCS
7. Decay heat removal using steam generator PORVs and bypass
8. Emergency letdown system
9. Reactor protection system
10. Component cooling water
11. Service water

The instrumentation and functions which are required to be aligned for maintaining hot standby are:

1. Prevent the reactor from achieving criticality in violation of the technical specifications
2. Provide an adequate heat sink such that design and safety limits are not exceeded
3. Pressurizer pressure control
4. Reactor coolant system inventory control

7.4.1 Description

The hot standby systems are identified in the following lists together with the associated instrumentation and controls provisions. The monitoring indicators (Subsection 7.4.1.1) and controls (Subsection 7.4.1.2) identified are those necessary for maintaining a hot standby. The equipment and services for a cold shutdown are identified in Subsection 7.4.1.4. Loss of the local controls and normal automatic control systems is not assumed coincident with evacuation.

7.4.1.1 Monitoring Indicators

The characteristics of these indicators, which are provided outside as well as inside the control room, are described in Section 7.5. The necessary indicators are as follows:

1. Water level indicator for each steam generator
2. Pressure indicator for each steam generator by means of steamline pressure indicator
3. Pressurizer water level indicator
4. Pressurizer pressure indicator

7.4.1.2 Controls

7.4.1.2.1 General Considerations

1. The turbine is tripped. This can be accomplished at the turbine as well as in the control room.
2. The reactor is tripped. This can be accomplished at the reactor trip switchgear as well as in the control room.
3. Safety related manual controls for hot standby shutdown are located inside as well as outside the main control room. These controls are provided with REMOTE/LOCAL selector switches located outside the main control room. When LOCAL CONTROL is selected, an annunciator is alarmed in the main control room, the indicator lights in the main control room are turned off, and control of the switchgear is transferred from the control room to a local station(s).
4. All automatic systems continue functioning.

7.4.1.2.2 Pumps and Fans

1. Start-up feedwater pump. Normally, on a loss of electrical power, the start-up feedwater pump would come on as part of the blackout sequence. The emergency feedwater pumps start automatically on an accident sequence or can be started manually. START/STOP controls located outside as well as inside the control room are provided.
2. HHSI pumps. START/STOP motor controls for these pumps are located outside as well as inside the control room.
3. Service water pumps. These pumps will start automatically following a loss of normal electrical power. START/STOP motor controls are located outside as well as inside the control room.
4. Component cooling water pumps. These pumps, energized from the emergency generator, start automatically following a loss of normal electrical power. START/STOP controls are located outside as well as inside the control room.
5. Control room ventilation units, including the control room air inlet dampers. The control room ventilation units have START/STOP controls and LOCAL/REMOTE switches.

7.4.1.2.3 Emergency Generators

These units start automatically following a loss of normal AC power. However, manual controls for diesel startup are provided locally at the emergency generator as well as within the control room. For a description of Class 1E power supplies, refer to Section 8.3.

7.4.1.2.4 Valves and Heaters

1. HHSI flow control. Flow control valves fail open. Subsequent control can be maintained by the use of solenoid valves, described in Subsection 5.4.7 of RESAR-SP/90 PDA Module 1, "Primary Side Safeguards System", controlled manually from both inside and outside the control room.
2. Letdown valves. Letdown can be established through the emergency letdown line, if normal letdown is unavailable, by manual control from both inside and outside the control room.
3. Emergency feedwater control valves. Manual controls with transfer switches for these valves are located locally. These controls duplicate functions that are inside the control room.
4. Steam generator safety valves.
5. Pressurizer heater control. ON/OFF control with selector switch is provided for two backup heater groups outside the control room. The heater groups are connected to separate buses, such that each can be connected to a separate emergency generator in the event of loss of outside power. The controls are grouped with the charging flow controls and duplicate functions available in the control room.

7.4.1.3 Control Room Evacuation

It is noted that the instrumentation and controls listed in Subsections 7.4.1.1 and 7.4.1.2 which are used to achieve and maintain a safe shutdown are available in the event that an evacuation of the control room is required. These controls and instrumentation channels, together with the equipment identified in Subsection 7.4.1.4, identify the potential capability for cold shutdown of the reactor subsequent to a control room evacuation through the use of suitable procedures. The control room evacuation shall not occur simultaneously or coincident with an abnormal operating condition (ANS Condition II, III, or IV), except the loss of offsite power, which would be coincident. Normal controls from the control room would be expected to function under all conceivable events.

7.4.1.4 Equipment and Systems Necessary for Cold Shutdown

1. Emergency feedwater pumps (see RESAR-SP/90 PDA Module 6, "Secondary Side Safeguards System").
2. Boration capability
3. HHSI pumps
4. Service water pumps
5. Control room ventilation
6. Component cooling pumps
7. Residual heat removal pumps (Subsection 5.4.7 of RESAR-SP/90 PDA Module 1, "Primary Side Safeguards System")
8. Certain motor control center and switchgear (Section 8.3)
9. Controlled steam release
10. Nuclear instrumentation system (NIS); source range or intermediate range (Section 7.2). For a more complete description of the NIS, refer to WCAP 8255.
11. Reactor coolant inventory control (HHSI pumps and emergency letdown)
12. Pressurizer pressure control, including opening control for pressurizer relief valves and heater control
13. Accumulator piping and valving for isolation and venting

In addition, the pressurizer pressure and steam line pressure safety injection trip signals must be blocked and the accumulator isolation valves closed. Controls are provided to block the steamline low pressure and pressurizer low pressure signals. These controls prevent an SIS provided that the pressure within the pressurizer is less than a predetermined design level.

7.4.1.5 Other Considerations

1. Additional shutdown air compressors are powered from Class 1E buses and are provided to increase availability of normal controls and minimize operator actions.
2. Other equipment supplied from Class 1E buses to minimize impact on nonsafety equipment in containment includes:
   a. Containment recirculation coolers
   b. CRDM air cooling fans
3. Loss of instrument air does not prevent the operation of the minimum systems necessary for hot standby or cold shutdown described in Subsection 7.4.1.

7.4.2 Analysis

Hot standby is a safe, stable plant condition, automatically reached following a reactor trip from power. The plant design features also permit the achievement of cold shutdown as referred to in Subsection 7.4.1.2 and described in Subsection 5.4.7 of RESAR-SP/90 PDA Module 1, "Primary Side Safeguards System". In the unlikely event that access to the control room is restricted, the plant can be safely kept at hot standby by the use of the monitoring indicators and the controls listed in Subsections 7.4.1.1 and 7.4.1.2, and described in Subsection 7.4.1.3, until the control room can be re-entered.

Cold shutdown conditions can be achieved from outside the control room through the use of suitable procedures and by virtue of local control of the equipment listed in Subsection 7.4.1.2, in conjunction with the instrumentation and controls provided external to the control room.

The controls available external to the control room provide the capabilities of achieving and maintaining a safe shutdown when the main control room is inaccessible. The controls necessary for immediate operator action to establish a stable plant condition are available on the ASP or in adjacent emergency switchgear rooms. The controls provide a means of sustaining the capability for boration, letdown, residual heat removal, natural circulation, continuing reactor coolant pump seal injection and thermal barrier cooling water flow, and depressurization.

The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor, as discussed above, are the minimum set of instrumentation and control functions. Proper operation of other nonsafety related systems will allow a more normal shutdown to be made and maintained by preventing a transient (Section 7.7).

In considering more restrictive conditions than those discussed in Section 7.4, certain accidents and transients are postulated in the safety analyses which take credit for safe shutdown when the protection system's reactor trip terminates the transients and the engineered safety features system mitigates the consequences of the accident. In these transients, in general, no credit is taken for the control system operation should such operation mitigate the consequences of a transient. Should such operation not mitigate the consequences of a transient, no penalties are taken in the analyses for incorrect control system actions over and above the incorrect action of the control system whose equipment failure was assumed to have initiated the transient. These analyses, presented in Chapter 15.0 of the various PDA modules, show that safety is not adversely affected when such transients include the following:

1. Inadvertent boron dilution
2. Loss of normal feedwater
3. Loss of external electrical load and/or turbine trip
4. Loss of AC power to the station auxiliaries (station blackout)

The results of the analysis which determined the applicability of the nuclear steam supply system safe shutdown systems to the NRC General Design Criteria, IEEE Standard 279-1971, applicable NRC Regulatory Guides and other industry standards are presented in Table 7.1-1. The functions considered and listed below include both safety-related and nonsafety-related equipment.

1. Reactor trip system
2. Engineered safety features actuation system
3. Safety-related display instrumentation for post-accident monitoring
4. Main control board
5. Controls and instrumentation external to the control room
6. Residual heat removal
7. Instrument power supply
8. Control systems

7.5 INSTRUMENTATION IMPORTANT TO SAFETY

7.5.1 Introduction

An analysis was conducted to identify the appropriate variables and to establish the appropriate design bases and qualification criteria for instrumentation employed by the operator for monitoring conditions in the reactor coolant system, the secondary heat removal system, and the containment, including engineered safety functions and the systems employed for attaining a safe shutdown condition.

The instrumentation is used by the operator to monitor the WAPWR throughout all operating conditions, including anticipated operational occurrences and accident and post-accident conditions.

7.5.2 Variable Classifications and Requirements

The plant safety analyses and evaluations define the design basis accident (DBA) event scenarios for which preplanned operator actions are required. Accident monitoring instrumentation is necessary to permit the operator to take the required actions to address these analyzed situations. However, instrumentation is also necessary for unforeseen situations (i.e., to ensure that, should plant conditions evolve differently than predicted by the safety analyses, the control room operating staff has sufficient information to evaluate and monitor the course of the event). Additional instrumentation is also needed to indicate to the operating staff whether the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), or the reactor containment has degraded beyond the prescribed limits defined as a result of the plant safety analyses and other evaluations.

Five classifications of variables have been identified to provide this instrumentation:

A. Those variables that provide information needed by the operator to perform manual actions identified in the operating procedures and associated with DBA events are designated type A. These variables are restricted to preplanned actions for DBA events. The basis for selecting type A variables is given in Subsection 7.5.2.2.1.

B. Those variables needed to assess that the plant critical safety functions are being accomplished or maintained, as identified in the plant safety analysis and other evaluations, are designated type B.

C. Those variables used to monitor for the gross breach, or the potential for gross breach, of the fuel cladding, the RCPB, or the containment are designated type C.

D. Those variables needed to assess the operation of individual safety systems and other systems important to safety are designated type D.

E. Those variables that are required for use in determining the magnitude of the postulated releases and continually assessing any such releases of radioactive materials are designated type E.

The five classifications of variables are not mutually exclusive, in that a given variable (or instrument) may be included in one or more types. When a variable is included in more than one of the five classifications, the equipment monitoring this variable meets the requirements of the highest category identified.

Three categories of design and qualification criteria are used. This classification is made in order to identify the importance of the information and to specify the requirements placed on the accident monitoring instrumentation. Category 1 instrumentation has the highest performance requirements and should be utilized for information which cannot be lost under any circumstances. Category 2 and Category 3 instruments are of lesser importance in determining the state of the plant and do not require the same level of operational assurance.

The primary differences between category requirements are in qualification, application of single failure, power supply, and display requirements. Category 1 requires seismic and environmental qualification, the application of the single failure criterion, utilization of emergency power, and an immediately accessible display. Category 2 requires environmental and seismic qualification commensurate with the required function but does not require the single failure criterion, emergency power, or an immediately accessible display. Category 2 requires, in effect, a rigorous performance verification for a single instrument channel. Category 3, which is high quality commercial grade, does not require qualification, the single failure criterion, emergency power, or an immediately accessible display.

Table 7.5-1 summarizes the following information for each variable identified:

A. Instrument range or status.

B. Type and category.

C. Environmental qualification.

D. Seismic qualification.

E. Number of channels.

F. Power supply.

7.5.2.1 Definitions

7.5.2.1.1 Design Basis Accident Events

Those events, any one of which could occur during the lifetime of a particular unit, and those events not expected to occur but postulated because their consequences would include the potential for release of significant amounts of radioactive gaseous, liquid, or particulate material to the environment, are DBA events. Excluded are those events (defined as normal and anticipated operational occurrences in 10 CFR 50) expected to occur more frequently than once during the lifetime of a particular unit.

The limiting accidents that were used to determine instrument functions are:

o Loss-of-coolant accident (LOCA).

o Steam line break.

o Feedwater line break.

o Steam generator tube rupture.

7.5.2.1.2 Hot Standby

Hot standby is the state of the plant in which the reactor is subcritical such that k_eff is less than or equal to 0.99 and the reactor coolant system (RCS) temperature is greater than or equal to 350°F.

7.5.2.1.3 Cold Shutdown

Cold shutdown is the state of the plant in which the reactor is subcritical such that k_eff is less than or equal to 0.99, the RCS temperature is less than 200°F, and the RCS pressure is less than or equal to the 10 CFR 50, Appendix G limits.

7.5.2.1.4 Controlled Condition

A controlled condition is the state of the plant that is achieved when the "subsequent action" portion of the plant emergency procedures is implemented and the critical safety functions are being accomplished or maintained by the control room operating staff.

7.5.2.1.5 Critical Safety Functions

Critical safety functions are those safety functions that are essential to prevent a direct and immediate threat to the health and safety of the public. These are the accomplishing or maintaining of:

o Reactivity control.

o Reactor coolant system integrity.

o Reactor coolant inventory control.

o Reactor core cooling.

o Heat sink maintenance.

o Reactor containment environment.

7.5.2.1.6 Immediately Accessible Information

Immediately accessible information is information that is visually available to the control room operating staff immediately (i.e., within human response time requirements), once they have made the decision that the information is needed.

7.5.2.1.7 Primary Information

Primary information is information that is essential for the direct accomplishment of the preplanned manual actions necessary to bring the plant into a safe condition in the event of a DBA event; it does not include those variables that are associated with contingency actions.

7.5.2.1.8 Contingency Actions

Contingency actions are those manual actions that address conditions beyond the DBA events.

7.5.2.1.9 Key Variables

Key variables are those variables which provide the most direct measure of the information required.

7.5.2.1.10 Backup Information

Backup information is that information, made up of additional variables beyond those classified as key, that provides supplemental and/or confirmatory information to the control room operating staff. Backup variables do not provide indication which is as reliable or complete as that provided by primary variables and are not usually relied upon as the sole source of information.

7.5.2.2 Variable Types

These accident monitoring variables and information display channels are those that are required to enable the control room operating staff to perform the functions defined by the type A, B, C, D, and E classifications as follows.

7.5.2.2.1 Type A

Type A variables provide the primary information required to permit the control room operating staff to:

A. Perform the diagnosis specified in the WAPWR emergency operating instructions.

B. Take the specified, preplanned, manually controlled actions for which no automatic control is provided that are required for safety systems to accomplish their safety function in order to recover from the DBA.

C. Attain and maintain a cold shutdown condition.

The verification of the actuation of safety-related systems has been excluded from the type A definition. The variables which provide this verification are included in the definition of type D.

Type A variables are restricted to preplanned actions for DBA events. Variables used for contingency actions and additional variables which might be utilized are of types B, C, D, and E.

O 7.5.2.2.2 Type B Type 8 variables provide to the control room operating staff information to assess the process of accomplishing or maintaining critical integrity safety 2

O functions (i.e., reactivity control, RCS integrity, RCS inventory control, reactor core cooling, heat sink maintenance, and reactor containment i

environment).

7.5.2.2.3 Type C Type C variables provide the control room operating staff information to i monitor:

A. The extent to which variables that indicate the potential for causing a gross breach of a fission product barrier have exceeded the design basis values.

t

8. The incore fuel cladding, the RCP8, or the primary reactor containment which may have been subject to gross breach.

These variables include those required to initiate the early phases of an emergency plan. Excluded are those associated with monitoring of radiological release from the plant which are included in type E.

Type C variables used to monitor the potential for breach of a fission product barrier have an arbitrarily determined extended range. The extended range was chosen to minimize the probability of instrument saturation even if conditions exceed those predicted by the safety analysis.

Although variables selected to fulfill type C functions may rapidly approach the values that indicate an actual gross failure, it is the final steady-state value reached that is important. Therefore, a high degree of accuracy and a rapid response time are not necessary for type C information display channels.


7.5.2.2.4 Type D

Type D variables provide the control room operating staff sufficient information to monitor the performance of:

A. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a cold shutdown condition. These include verification of the automatic actuation of safety systems.

B. Other systems normally employed for attaining a cold shutdown condition.

7.5.2.2.5 Type E

Type E variables provide the control room operating staff information to:

A. Monitor the habitability of the control room.

B. Monitor the plant areas where access may be required to service equipment necessary to monitor or mitigate the consequences of an accident.

C. Estimate the magnitude of release of radioactive material through identified pathways and continually assess such releases.

D. Monitor radiation levels and radioactivity in the environment surrounding the plant.

7.5.2.3 Variable Categories

The qualification requirements of the type A, B, C, D, and E accident monitoring instrumentation are subdivided into three categories. Descriptions of the three categories are given below. Table 7.5-2 briefly summarizes the selection criteria for type A, B, C, D, and E variables into each of the three categories. Table 7.5-3 briefly summarizes the design and qualification requirements of the three designated categories.


7.5.2.3.1 Category 1

7.5.2.3.1.1 Selection Criteria for Category 1

The selection criteria for Category 1 variables have been subdivided according to the variable type. For type A, those key variables used for diagnosis or providing information for necessary operator action have been designated Category 1. For type B, those key variables used for monitoring the process of accomplishing or maintaining critical safety functions have been designated Category 1. For type C, those key variables used for monitoring the potential for breach of a fission product barrier have been designated Category 1.

There are no type D or type E Category 1 variables.

7.5.2.3.1.2 Qualification Criteria for Category 1

The instrumentation is seismically and environmentally qualified in accordance with Sections 3.10 and 3.11, respectively, of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design". Instrumentation shall continue to read within the required accuracy following, but not necessarily during, a seismic event.

At least one instrumentation channel is qualified from the sensor up to and including the display. For the other instrumentation channels, qualification as a minimum is applied up to and including the channel isolation device.

(Refer to Subsection 7.5.2.3.4 regarding extended range instrumentation qualification.)

7.5.2.3.1.3 Design Criteria for Category 1

A. No single failure within either the accident-monitoring instrumentation, its auxiliary supporting features, or its power sources, concurrent with the failures that are a cause of or result from a specific accident, will prevent the control room operating staff from being presented the required information. Where failure of one accident-monitoring channel results in information ambiguity (e.g., the redundant displays disagree), additional information is provided to allow the control room operating staff to analyze the actual conditions in the plant. This is accomplished by providing additional independent channels of information of the same variable (addition of an identical channel) or by providing independent channels which monitor different variables which bear known relationships to the channels (addition of a diverse channel or channels). Redundant or diverse channels are electrically independent and physically separated from each other with two-train separation and from equipment not classified important to safety in accordance with Regulatory Guide 1.75, "Physical Independence of Electric Systems".

If ambiguity does not result from failure of the channel, then a third redundant or diverse channel is not required.
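The ambiguity-resolution rule of criterion A above, worked through as an added example (this code is the editor's illustration, not part of RESAR-SP/90 or of a Westinghouse design): two redundant channels that disagree beyond a tolerance are ambiguous; a third identical channel resolves the ambiguity by majority, and a diverse channel resolves it through a known relationship. The channel tags, trains, tolerance and the Thot-to-core-exit relationship used in the demonstration are constructed for illustration only.

```python
# Added example (not from the RESAR-SP/90 text): ambiguity resolution for
# redundant and diverse accident-monitoring display channels, following the
# Category 1 design criterion A.  Channel tags, trains and the
# Thot/core-exit relationship below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Reading:
    channel: str        # hypothetical channel tag
    train: str          # separation group (two-train separation per RG 1.75)
    value: float        # engineering units familiar to the operator (degrees F here)
    valid: bool = True  # False when the channel is failed or removed from service


def two_train_separated(readings: list) -> bool:
    """Redundant channels must come from different separation groups."""
    trains = [r.train for r in readings]
    return len(trains) == len(set(trains))


def resolve(redundant: list, tolerance: float,
            diverse: Optional[Reading] = None,
            relation: Optional[Callable[[float], float]] = None):
    """Return (status, value) for a variable monitored by redundant channels.

    AGREED     - the valid redundant channels agree within tolerance
    RESOLVED   - they disagreed; a majority of identical channels, or a
                 diverse channel with a known relationship, settled it
    AMBIGUOUS  - disagreement remains; the display must flag it, not pick
    NO_DATA    - no valid channel is available
    """
    good = [r for r in redundant if r.valid]
    if not good:
        return "NO_DATA", None
    values = [r.value for r in good]
    if max(values) - min(values) <= tolerance:
        return "AGREED", sum(values) / len(values)
    # Ambiguity.  First look for a majority among identical channels
    # (this is what "addition of an identical channel" buys you).
    for r in good:
        agreeing = [s for s in good if abs(s.value - r.value) <= tolerance]
        if len(agreeing) * 2 > len(good):
            return "RESOLVED", sum(s.value for s in agreeing) / len(agreeing)
    # Then use a diverse channel: map its reading through the known
    # relationship and keep the redundant channel consistent with it.
    if diverse is not None and diverse.valid and relation is not None:
        expected = relation(diverse.value)
        closest = min(good, key=lambda r: abs(r.value - expected))
        if abs(closest.value - expected) <= tolerance:
            return "RESOLVED", closest.value
    return "AMBIGUOUS", None


def demo():
    """Worked case: two wide-range Thot channels disagree by 50 F."""
    a = Reading("TE-413A", "A", 590.0)
    b = Reading("TE-413B", "B", 640.0)
    # Hypothetical diverse channel: a core-exit thermocouple.  The relationship
    # (core exit reads about 4 F above Thot) is constructed, not a plant correlation.
    cet = Reading("TE-CET-1", "A", 596.0)
    return {
        "two_channels": resolve([a, b], tolerance=5.0),
        "third_identical": resolve([a, b, Reading("TE-413C", "C", 592.0)], 5.0),
        "diverse": resolve([a, b], 5.0, diverse=cet, relation=lambda t: t - 4.0),
        "separated": two_train_separated([a, b]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With only the two original channels the result is AMBIGUOUS and the display should say so rather than average the readings; the third identical channel or the diverse channel turns that into RESOLVED, which is exactly the case criterion A requires the design to cover.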

B. The instrumentation is energized from station emergency standby power sources, battery backed where momentary interruption is not tolerable, as discussed in Regulatory Guide 1.32, " Criteria for Safety-Related Electric Power Systems for Nuclear Power Plants".

C. The out-of-service interval will be based on normal Technical Specification requirements for the system it serves where applicable or where specified by other requirements.

D. Servicing, testing, and calibration programs are specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.

E. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.

F. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.


G. The monitoring instrumentation design minimizes the development of conditions that would cause meters, annunciators, recorders, alarms, etc., to give anomalous indications that could be potentially confusing to the control room operating staff.

H. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.

I. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.

J. Periodic checking, testing, calibration, and calibration verification will be performed in accordance with the applicable portions of Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems".

K. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of Regulatory Guide 1.105, "Instrument Setpoints".

7.5.2.3.1.4 Information Processing and Display Interface Criteria for Category 1

The interface criteria specified here provide requirements to be implemented in the processing and displaying of the information.

A. The control room operating staff has immediate access to the information from redundant or diverse channels in units of measure familiar to the staff; i.e., for temperature readings, degrees should be used, not volts. Where two or more instruments are needed to cover a particular range, overlapping instrument spans are provided.
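Overlapping spans in practice, as an added example that is the editor's and not code from the RESAR-SP/90 submittal: the reactor coolant pressure entry in Table 7.5-1 uses a 0-1400 lower-range and a 1200-3600 upper-range transmitter. The logic below decides which one to display, treats a reading pinned at a rail as saturated (the condition criterion K above is meant to avoid), holds the previous selection inside the overlap band so the display does not flip between spans, and reports any gap between spans. The tags, the 1 percent rail margin and the clamp-to-span behaviour of the loop are assumptions.

```python
# Added example (not from the RESAR-SP/90 text): choosing which of several
# overlapping-span instruments to display, and detecting saturation, for a
# variable such as RCS pressure that Table 7.5-1 covers with a 0-1400
# lower-range and a 1200-3600 upper-range transmitter.  Tags and the
# 1 percent rail margin are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Instrument:
    tag: str
    lo: float        # bottom of calibrated span, engineering units
    hi: float        # top of calibrated span
    reading: float   # current indicated value (the loop clamps it to the span)
    valid: bool = True


RAIL_MARGIN = 0.01   # assumption: within 1 percent of span of a rail counts as saturated


def saturated(inst: Instrument) -> bool:
    """True when the instrument is pinned at either end of its span."""
    span = inst.hi - inst.lo
    return (inst.reading <= inst.lo + RAIL_MARGIN * span
            or inst.reading >= inst.hi - RAIL_MARGIN * span)


def span_gaps(instruments: List[Instrument]) -> List[Tuple[float, float]]:
    """Return (from, to) gaps where adjacent spans fail to overlap."""
    ordered = sorted(instruments, key=lambda i: i.lo)
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.lo > prev.hi:
            gaps.append((prev.hi, nxt.lo))
    return gaps


def select_display(instruments: List[Instrument],
                   previous: Optional[str] = None) -> Optional[Instrument]:
    """Pick the instrument whose reading should be shown.

    Ignore failed and saturated instruments; inside an overlap band keep the
    previously displayed instrument (hysteresis); otherwise prefer the
    narrowest span, which has the best resolution.  None means nothing
    trustworthy is available and the display must say so, not show a number.
    """
    usable = [i for i in instruments if i.valid and not saturated(i)]
    if not usable:
        return None
    if previous is not None:
        for i in usable:
            if i.tag == previous:
                return i
    return min(usable, key=lambda i: i.hi - i.lo)


def indicate(actual_psig: float, previous: Optional[str] = None) -> Optional[str]:
    """Worked case: simulate both RCS pressure transmitters at a true
    pressure and return the tag chosen for display."""
    def clamp(x: float, lo: float, hi: float) -> float:
        return max(lo, min(hi, x))
    lower = Instrument("PT-LR", 0.0, 1400.0, clamp(actual_psig, 0.0, 1400.0))
    upper = Instrument("PT-UR", 1200.0, 3600.0, clamp(actual_psig, 1200.0, 3600.0))
    chosen = select_display([lower, upper], previous)
    return chosen.tag if chosen else None


if __name__ == "__main__":
    for p in (600.0, 1300.0, 2250.0, 4000.0):
        print(p, indicate(p), indicate(p, previous="PT-UR"))
```

At 2250 psig the lower-range transmitter is reading its 1400 rail and is excluded, so the upper-range channel is shown; at 1300 psig both are usable and the previously displayed instrument is kept; above 3600 psig both are railed and the function returns None, which the display must present as a saturated indication rather than a value.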


B. A historical record of at least one instrumentation channel for each process variable is maintained. A recorded pre-event history for these channels is required for a minimum of 1 h, and continuous recording of these channels is required following an accident until continuous recording of such information is no longer deemed necessary. The term "continuous recording" is not intended to exclude the use of discrete time sample data storage systems. This recording is available when required and does not need to be immediately accessible.
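A discrete-sample recorder that meets criterion B, as an added example (editor's code, not part of the RESAR-SP/90 submittal): a ring buffer keeps at least one hour of pre-event history, an event marker freezes that window, and recording then continues in full until it is explicitly stopped. The sample interval, the channel tag and the pressure values are assumptions.

```python
# Added example (not from the RESAR-SP/90 text): a discrete-sample recorder
# meeting the Category 1 record criterion - at least one hour of pre-event
# history is retained, and recording continues after the event until it is
# explicitly stopped.  The sample interval and values are assumptions.
from collections import deque
from typing import List, Optional, Tuple

Sample = Tuple[float, float]   # (time in seconds, value)


class ChannelRecorder:
    PRE_EVENT_SECONDS = 3600.0   # minimum pre-event history required

    def __init__(self, channel: str, interval_s: float = 10.0):
        if interval_s <= 0 or interval_s > self.PRE_EVENT_SECONDS:
            raise ValueError("interval must be positive and not exceed one hour")
        self.channel = channel
        self.interval_s = interval_s
        # Ring buffer sized so that one full hour of samples is always retained.
        self._pre = deque(maxlen=int(self.PRE_EVENT_SECONDS / interval_s) + 1)
        self._post: List[Sample] = []
        self.event_time: Optional[float] = None
        self.stopped = False

    def record(self, t: float, value: float) -> None:
        if self.stopped:
            return
        if self.event_time is None:
            self._pre.append((t, value))       # normal operation: overwrite oldest
        else:
            self._post.append((t, value))      # post-event: keep everything

    def mark_event(self, t: float) -> None:
        """Freeze the pre-event window; everything after t is kept in full."""
        if self.event_time is None:
            self.event_time = t

    def stop(self) -> None:
        """Recording stops only by explicit decision that it is no longer needed."""
        self.stopped = True

    def history(self) -> List[Sample]:
        return list(self._pre) + self._post

    def pre_event_coverage(self) -> float:
        """Seconds of history retained before the event (0 if no event yet)."""
        if self.event_time is None or not self._pre:
            return 0.0
        return self.event_time - self._pre[0][0]


def demo() -> ChannelRecorder:
    """Two hours of steady operation, an event, then twenty minutes more."""
    rec = ChannelRecorder("PT-403A", interval_s=10.0)
    t = 0.0
    while t < 7200.0:
        rec.record(t, 2235.0)                          # constructed steady-state value
        t += 10.0
    rec.mark_event(7200.0)
    while t <= 7200.0 + 1200.0:
        rec.record(t, 2235.0 - (t - 7200.0) * 0.5)     # constructed depressurization
        t += 10.0
    return rec


if __name__ == "__main__":
    r = demo()
    print(r.channel, "pre-event coverage:", r.pre_event_coverage(), "s;",
          "samples:", len(r.history()))
```

The buffer is sized to one hour plus one sample so that the pre-event requirement is met regardless of where in the ring the event lands; the post-event list is unbounded by design, because the criterion leaves the end of recording to a deliberate decision rather than to storage exhaustion.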

7.5.2.3.2 Category 2

7.5.2.3.2.1 Selection Criteria for Category 2

The selection criteria for Category 2 variables are subdivided according to the variable type. For types A, B, and C, those variables which provide preferred backup information are designated Category 2. For type D, those key variables that are used for monitoring the performance of safety systems have been designated Category 2. For type E, those key parameters to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases have been designated Category 2.

7.5.2.3.2.2 Qualification Criteria for Category 2

Category 2 instrumentation is qualified from the sensor up to and including the channel isolation device for at least the environment (seismic and/or environmental) in which it must operate to serve its intended function.

7.5.2.3.2.3 Design Criteria for Category 2

A. Category 2 instrumentation associated with those safety-related systems that are required to operate following a safe shutdown earthquake to mitigate a consequential plant incident is energized from a seismically qualified power source, which is battery backed where momentary interruption is not tolerable. Otherwise, the instrumentation is energized from a highly reliable onsite power source, not necessarily the emergency standby power, which is battery backed where momentary interruption is not tolerable.

B. The out-of-service interval will be based on normal Technical Specification requirements for the system it serves where applicable or where specified by other requirements.

C. Servicing, testing, and calibration programs will be specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.

D. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.

E. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.

F. The monitoring instrumentation design minimizes the potential for the development of conditions that would cause meters, annunciators, recorders, and alarms, etc., to give anomalous indications that could be potentially confusing to the operator.

G. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.

H. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.


I. Periodic checking, testing, calibration, and calibration verification will be in accordance with applicable portions of Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems".

J. The range selected for the instrumentation encompasses the expected operating range of the variable being monitored to the extent that saturation does not negate the required action of the instrument in accordance with the applicable portions of Regulatory Guide 1.105, "Instrument Setpoints".

7.5.2.3.2.4 Information Processing and Display Interface Criteria for Category 2

The instrumentation signal is, as a minimum, processed for display on demand.

Recording requirements are variable specific and are determined on a case-by-case basis.

7.5.2.3.3 Category 3

7.5.2.3.3.1 Selection Criteria for Category 3

The selection criteria for Category 3 variables have been subdivided according to the variable type. For types B and C, those variables which provide backup information have been designated Category 3. For types D and E, those variables which provide preferred backup information have been designated Category 3. There are no Category 3 type A variables.

7.5.2.3.3.2 Qualification Criteria for Category 3

The instrumentation is high quality, commercial grade, which is not required to provide information when exposed to a post-accident adverse environment.


7.5.2.3.3.3 Design Criteria for Category 3

A. Servicing, testing, and calibration programs will be specified to maintain the capability of the monitoring instrumentation. For those instruments where the required interval between testing is less than the normal time interval between generating station shutdowns, a capability for testing during power operation is provided.

B. Whenever means for removing channels from service are included in the design, the design facilitates administrative control of the access to such removal means.

C. The design facilitates administrative control of the access to all setpoint adjustments, module calibration adjustments, and test points.

D. The monitoring instrumentation design minimizes the potential for the development of conditions that would cause meters, annunciators, recorders, and alarms, etc., to give anomalous indications that could be potentially confusing to the operator.

E. The instrumentation is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules.

F. To the extent practicable, monitoring instrumentation inputs are from sensors that directly measure the desired variables. An indirect measurement is made only when it can be shown by analysis to provide unambiguous information.

7.5.2.3.3.4 Information Processing and Display Interface Criteria for Category 3

The instrumentation signal is, as a minimum, processed for display on demand.

Recording requirements are variable specific and have been determined on a case-by-case basis.


7.5.2.3.4 Extended Range Instrumentation Qualification Criteria

The qualification environment for extended range instrumentation is based on the DBA events; the assumed maximum qualification value of the monitored variable shall be equal to the specified maximum range for the variable. The monitored variable is assumed to approach this peak by extrapolating the most severe initial ramp associated with the DBA events. The decay is considered proportional to the decay for this variable associated with the DBA events.

No additional qualification margin needs to be added to the extended range variable. All environmental envelopes, except those pertaining to the variable measured by the information display channel, are those associated with the DBA events. The environmental qualification requirement for extended range instruments does not account for steady-state elevated levels that may occur in other environmental parameters associated with the extended range variable. For example, a sensor measuring containment pressure must be qualified for the measured process variable range (i.e., three times design pressure for concrete containments), but the corresponding ambient temperature is not mechanistically linked to that pressure. Rather, the ambient temperature value is the bounding value for DBA events analyzed in Chapter 15. The extended range requirement is to ensure that the instrument will continue to provide information if conditions degrade beyond those postulated in the safety analysis. Since extended variable ranges are nonmechanistically determined, extension of associated parameter levels is not justifiable and is therefore not required.
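The extrapolation rule of this subsection as an added worked example (editor's code, not part of the RESAR-SP/90 submittal): the DBA history of the monitored variable is ramped to the extended-range maximum at its steepest initial rate, its post-peak decay is scaled in proportion, no additional margin is added, and every other environmental parameter keeps its DBA envelope. The containment pressure and ambient temperature histories embedded below are constructed numbers, not Chapter 15 results; only the 140 psig extended-range maximum is taken from Table 7.5-1.

```python
# Added example (not from the RESAR-SP/90 text): constructing the
# qualification profile for an extended-range variable by the rule in
# 7.5.2.3.4 - ramp to the extended maximum at the most severe initial DBA
# ramp rate, then decay in proportion to the DBA decay.  The DBA histories
# used below are constructed for illustration and are not Chapter 15 results.
from typing import Dict, List, Tuple

Profile = List[Tuple[float, float]]   # (time in seconds, value) pairs, time ascending


def extended_range_profile(dba: Profile, extended_max: float) -> Profile:
    """Return the assumed history of the monitored variable for qualification.

    No extra margin is added on top of extended_max: the extended range is
    already non-mechanistic, so the specified maximum range is the
    qualification value.
    """
    if extended_max <= 0 or len(dba) < 2:
        raise ValueError("need a positive extended maximum and a DBA history")
    peak_i = max(range(len(dba)), key=lambda i: dba[i][1])
    t_peak, v_peak = dba[peak_i]
    if peak_i == 0 or v_peak <= 0:
        raise ValueError("DBA history must rise to a positive peak")
    if extended_max < v_peak:
        raise ValueError("extended range must bound the DBA peak")
    t0, v0 = dba[0]
    # Most severe initial ramp: steepest slope between samples up to the DBA peak.
    ramp = max((dba[i + 1][1] - dba[i][1]) / (dba[i + 1][0] - dba[i][0])
               for i in range(peak_i))
    t_ext_peak = t0 + (extended_max - v0) / ramp
    # Decay proportional to the DBA decay: post-peak samples are scaled by the
    # ratio of the peaks and shifted so the decay begins at the extended peak.
    ratio = extended_max / v_peak
    decay = [(t_ext_peak + (t - t_peak), v * ratio) for t, v in dba[peak_i + 1:]]
    return [(t0, v0), (t_ext_peak, extended_max)] + decay


def qualification_envelope(dba_profiles: Dict[str, Profile],
                           extended: Dict[str, float]) -> Dict[str, Profile]:
    """Only the variable the display channel measures gets the extended
    profile; every other environmental parameter keeps its DBA envelope."""
    return {name: (extended_range_profile(p, extended[name]) if name in extended else p)
            for name, p in dba_profiles.items()}


# Constructed DBA containment-pressure history (psig) and ambient temperature (F).
DBA_PRESSURE: Profile = [(0.0, 0.0), (5.0, 20.0), (20.0, 45.0), (60.0, 53.0),
                         (600.0, 40.0), (3600.0, 25.0), (86400.0, 5.0)]
DBA_TEMPERATURE: Profile = [(0.0, 120.0), (60.0, 280.0), (3600.0, 250.0), (86400.0, 150.0)]


def demo() -> Dict[str, Profile]:
    # 140 psig is the extended-range top of Table 7.5-1 for containment pressure.
    return qualification_envelope({"pressure": DBA_PRESSURE, "temperature": DBA_TEMPERATURE},
                                  {"pressure": 140.0})


if __name__ == "__main__":
    for name, profile in demo().items():
        print(name, profile)
```

With the constructed history the steepest initial ramp is 4 psig/s, so the qualification profile reaches 140 psig at 35 s and then follows the DBA decay scaled by 140/53; the temperature envelope is returned unchanged, which is the point of the paragraph above.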


7.5.3 Description of Variables

7.5.3.1 Type A Variables

Type A variables are defined in Subsection 7.5.2.2.1. They are the variables which provide primary information required to permit the control room operating staff to:

A. Perform the diagnosis to be specified in the WAPWR emergency operating procedures.


B. Take specified, preplanned, manually controlled actions for which no automatic control is provided that are required for safety systems to accomplish their safety function to recover from a design basis accident (DBA) event. (Verification of actuation of safety systems is excluded from type A and is included as type D.)

C. Attain and maintain a cold shutdown condition.

Key type A variables have been designated Category 1. These are the variables which provide the most direct measure of the information required. The key type A variables are:

o Reactor coolant system (RCS) upper- and lower-range pressure.

o WR hot leg reactor coolant temperature (Thot).

o WR cold leg reactor coolant temperature (Tcold).

o WR steam generator level.

o Pressurizer level.

o Containment pressure.

o Steam line pressure.

o Containment sump water level.

o Emergency feedwater storage tank level.

o Emergency feedwater flow.

o Containment radiation level.

o Steamline radiation.

o Core exit temperature.

o RCS subcooling.

No type A backup variables have been identified. Therefore, no Category 2 or 3 variables have been designated. A summary of type A variables is provided in Table 7.5-4.

7.5.3.2 Type B Variables

Type B variables are defined in Subsection 7.5.2.2.2. They are the variables that provide information to the control room operating staff to assess the process of accomplishing or maintaining critical safety functions, i.e.:


o Reactivity control.

o RCS pressure control.

o Reactor coolant inventory control.

o Reactor core cooling.

o Heat sink maintenance.

o Primary reactor containment environment.

Variables which provide the most direct indication (i.e., key variables) to assess each of the six critical safety functions have been designated Category 1. Preferred backup variables have been designated Category 2. All other backup variables have been designated Category 3. These are listed in Table 7.5-5.

7.5.3.3 Type C Variables

Type C variables are defined in Subsection 7.5.2.2.3. Basically, they are the variables that provide to the control room operating staff information to monitor the potential for breach or actual gross breach of:

o Incore fuel clad.

o RCS boundary.

o Containment boundary.

(Variables associated with monitoring of radiological release from the plant are included in type E.)

Those type C key variables which provide the most direct measure of the potential for breach of one of the three fission product boundaries have been designated Category 1. Backup information indicating potential for breach is designated Category 2. Variables which indicate actual breach have been designated as preferred backup information and are designated Category 2.

Table 7.5-6 summarizes the selection of type C variables.


7.5.3.4 Type D Variables

Type D variables are defined in Subsection 7.5.2.2.4. They are those variables that provide sufficient information to the control room operating staff to monitor the performance of:

A. Plant safety systems employed for mitigating the consequences of an accident and subsequent plant recovery to attain a safe shutdown condition, including verification of the automatic actuation of safety systems.

B. Other systems normally employed for attaining a cold shutdown condition.

Type D key variables are designated Category 2. Preferred backup information is designated type D Category 3.

The following systems or major components have been identified as requiring type D information to be monitored:

A. Reactivity control (employed for verifying that the reactor has tripped and that adequate negative reactivity has been added to the core to prevent a return to criticality).

B. Pressurizer level and pressure control (assess status of the RCS following return to normal pressure and level control under certain post-accident conditions).

C. Chemical and volume control system (CVCS) (employed for attaining a safe shutdown under certain post-accident conditions).

D. Secondary pressure and level control (employed for restoring/maintaining a secondary heat sink under post-accident conditions).

E. Integrated safeguards system (ISS) including the containment systems and residual heat removal system (RHRS).


F. Emergency feedwater system (EFWS).

G. Component cooling water system (CCWS).

H. Essential service water system (ESWS).

I. Heating, ventilation, and air conditioning (HVAC).

J. Electric power to vital safety systems.

K. Verification of automatic actuation of safety systems.

Table 7.5-7 lists the key variables identified for each system listed above.

For the purpose of specifying seismic qualification for type D Category 2 variables, it is assumed that a seismic event and a break in Seismic Category 1 piping will not occur concurrently. As a result, the limiting event is an unisolated (single failure of a main steam isolation valve) break in Nuclear Safety Class 2 main steam piping. Instrumentation necessary to monitor this event and associated with the safety systems which are required to mitigate it should be seismically qualified. Similarly, the environmental qualification of type D Category 2 variables depends on whether the instrumentation is subject to a high-energy line break when required to provide information.

7.5.3.5 Type E Variables

Type E variables are defined in Subsection 7.5.2.2.5. They are those variables that provide the control room operating staff with information to:

A. Monitor the habitability of the control room.

B. Monitor the plant areas where access may be required to service equipment necessary to monitor or mitigate the consequences of an accident.


C. Estimate the magnitude of release of radioactive materials through identified pathways.

D. Monitor radiation levels and radioactivity in the environment surrounding the plant.

Key type E variables are qualified to Category 2 requirements. Preferred backup type E variables are qualified to Category 3 requirements.

Table 7.5-8 lists the key type E variables.

7.5.4 Bypassed and Inoperable Status Indication for Engineered Safety Features Systems

7.5.4.1 Description

For a description of the Bypassed and Inoperable Status Indication (BISI) System and compliance with Regulatory Guide 1.47, refer to RESAR-SP/90 PDA Module 15, "ACR/Human Factors".


TABLE 7.5-1 (Sheet 1 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Reactor coolant pressure (upper range) | 1200-3600 | A1, B1, B2, C1, C2, D2 | Yes | Yes | 3 per unit | 1E | Transmitters located outside of containment
Reactor coolant pressure (lower range) | 0-1400 | A1, B1, B2, D2 | Yes | Yes | 3 per unit | 1E | Transmitters located outside of containment
RCS wide range Thot | 50 to 700°F | A1, B1, B2 | Yes | Yes | 2 per loop | 1E |
RCS wide range Tcold | 50 to 700°F | A1, B1, B2, C1 | Yes | Yes | 2 per loop | 1E |
Wide range steam generator water level | 0 to 100 percent of level span | A1, B1, B2, D2 | Yes | Yes | 3 per steam generator | 1E | Temperature com... (note truncated in source)
Pressurizer level | 0 to 100 percent of span | A1, B1, D2 | Yes | Yes | 3 per unit | 1E |
Containment pressure | 0 to 53 psig | A1, B1, C2, D2 | Yes | Yes | 3 per unit | 1E |
Steamline pressure | 0 to 1350 psig | A1, B1, D2 | Yes | Yes | 3 per loop | 1E |

TABLE 7.5-1 (Sheet 2 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Containment water level | 0 to 100% level | A1, B1, B2, C2 | Yes | Yes | 3 per unit | 1E |
Emergency feedwater storage tank level | 0 to 100 percent of span | A1, D2 | Yes | Yes | 3 per tank | 1E |
Total emergency feedwater flow | 0 to max. runout flow | A1, B1, D2 | Yes | Yes | 2 per loop | 1E |
Containment radiation level | 10^-4 to 10^8 R/hr | A1, B1, E2 | Yes | Yes | 2 per unit | 1E |
Steamline radiation monitor | 10^-1 to 10^3 µCi/cm3 | A1 | Yes | Yes | 1 per loop | 1E |
Core exit temperature | 100 to 2200°F | A1, B1, C1 | Yes | Yes | 4 per core quadrant per train | 1E |
RCS subcooling | 200°F subcooling to 35°F superheat | A1, B1 | Yes | Yes | 3 per unit | 1E |
Neutron flux | 10^-8 to 100 percent of full power | B1 | Yes | Yes | 2 per unit | 1E |

TABLE 7.5-1 (Sheet 3 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Reactor vessel water level | 0 to 100 percent plenum height; 0 to 100 percent reactor vessel height | B1, C1 | Yes | Yes | 2 per unit | 1E |
Containment hydrogen concentration | 0 to 10 percent partial pressure | B1, C1 | Yes | Yes | 2 per unit | 1E |
Control rod position indication | 0 to 228 steps | B3, D3 | No | No | 2 per control rod | Non-1E |
Containment pressure (extended range) | -5 to 140 psig | C1, C2 | Yes | Yes | 3 per unit | 1E |
Plant vent radiation level | 10^-6 to 10^4 µCi/cm3 | C2, E2 | No | Yes | 1 per unit | 1E |
Site environmental radiation level | NA | C3, E3 | No | NA | NA | NA |

TABLE 7.5-1 (Sheet 4 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
RCS activity (post-accident sampling) | NA | C3 | No | No | 1 | NA |
Containment isolation valve status | Closed/Not closed | C2, D2 | Yes | Yes | 1 per valve | 1E |
Power-operated relief valve (PORV) status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Primary safety valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Pressurizer heater power availability | On/off | D2 | Yes | Yes | 2 per unit | 1E |
Charging system flow | 0 to 110 percent design flow | D2 | Yes | Yes | 1 per path | 1E |
Letdown flow | 0 to 110 percent design flow | D2 | Yes | Yes | 1 per path | 1E |
Volume control tank level | 0 to 100 percent of span | D2 | No | Yes | 1 per tank | 1E |

TABLE 7.5-1 (Sheet 5 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Chemical and volume control system valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Chemical and volume control system pump status | On/off | D2 | Yes | Yes | 1 per pump | 1E |
Reactor coolant pump seal injection flow | 0 to 20 gal/min | D2 | No | Yes | 1 per pump | 1E |
Steam generator atmospheric PORV status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Steam generator safety valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Main steam line isolation valve status | Closed/Not closed | B2, D2 | Yes | Yes | 1 per valve | 1E |
Main steamline isolation bypass valve status | Closed/Not closed | B2, D2 | Yes | Yes | 1 per valve | 1E |
Main feedwater control valve status | Closed/Not closed | D2 | Yes | Yes | 1 per loop | 1E |

TABLE 7.5-1 (Sheet 6 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Main feedwater bypass valve status | Closed/Not closed | D2 | Yes | Yes | 1 per loop | 1E |
Main feedwater isolation valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Main feedwater flow | 0 to 110 percent design flow | D2 | No | No | 1 per loop | Non-1E |
Startup feedwater control valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Startup feedwater flow | 0 to 110 percent design flow | D2 | No | No | 4 per loop | Non-1E |
Steam generator overflow valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Steam generator blowdown isolation valve status | Closed/Not closed | D2 | Yes | Yes | 1 per valve | 1E |
Safety injection flow | 0 to 110 percent design flow | D2 | Yes | Yes | 1 per train | 1E |

TABLE 7.5-1 (Sheet 7 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
RHR/containment spray flow | 0 to 110 percent design flow | D2 | Yes | Yes | 1 per train | 1E |
EWST level | 0 to 100 percent | D2 | Yes | Yes | 1 per tank | 1E |
ISS valve status (SI, RHR/CS, accumulators, core reflood tanks) | Open/closed | D2 | Yes | Yes | 1 per valve | 1E |
Accumulator pressure | 0 to 750 psig | D2 | Yes | Yes | 1 per accumulator | 1E |
Core reflood tank pressure | 0 to 300 psig | D2 | Yes | Yes | 1 per tank | 1E |
RHR heat exchanger inlet temperature | 50 to 400°F | D2 | Yes | Yes | 1 per exchanger | 1E |
RHR heat exchanger outlet temperature | 50 to 400°F | D2 | Yes | Yes | 1 per exchanger | 1E |
Fan cooler motor speed | 0 to 110 percent design speed | D2 | Yes | No | 1 per cooler | 1E |

TABLE 7.5-1 (Sheet 8 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Emergency feedwater valve status | Open/closed | D2 | Yes | Yes | 1 per valve | 1E |
Component cooling water header pressure | 0 to 200 psig | D2 | No | Yes | 1 per train | 1E |
Component cooling water header temperature | 0 to 300°F | D2 | No | Yes | 1 per train | 1E |
Component cooling water surge tank level | 0 to 100 percent | D2 | No | Yes | 1 per train | 1E |
Component cooling water flow to engineered safety features components | 0 to 110 percent design flow | D2 | Yes | Yes | 1 per component | 1E |
Component cooling water valve status | Open/closed | D2 | Yes/No | Yes | 1 per valve | 1E |
Essential service water header pressure | 0 to 200 psi | D2 | No | Yes | 1 per header | 1E |

TABLE 7.5-1 (Sheet 9 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Essential service water flow | 0 to 110 percent design flow | D2 | No | Yes | 1 per header | 1E |
RCS boron concentration | 0 to 2000 ppm | D3 | No | No | 1 per unit | Non-1E |
Heating, ventilation, and air-conditioning system status | Open/closed | D2 | Yes | Yes | 1 per damper | 1E |
Engineered safety features (ESF) environment temperature | High/low | D2 | Yes | Yes | 1 per ESF component | 1E |
Ac, dc, vital instrument voltage | Bus specific | D2 | No | Yes | 1 per bus | 1E |
Reactor trip breaker position | Open/Closed | D2 | No | Yes | 1 per breaker | 1E |
Turbine stop valve status | Closed/Not closed | D2 | No | No | 1 per valve | Non-1E |
Turbine control valve status | Closed/Not closed | D2 | No | No | 1 per valve | Non-1E |
Emergency feedwater pump status (motor-driven) | On/off | D2 | No | Yes | 1 per pump | 1E |

TABLE 7.5-1 (Sheet 10 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental qualification | Seismic qualification | Number of instruments | Power supply | Notes
Turbine driven emergency feedwater pump supply valve status | Open/closed | D2 | Yes | Yes | 1 per pump | 1E |
Safety injection pump status | On/off | D2 | Yes | Yes | 1 per pump | 1E |
RHR/containment spray pump status | On/off | D2 | Yes | Yes | 1 per pump | 1E |
Component cooling water pump status | On/off | D2 | No | Yes | 1 per pump | 1E |
Essential service water system pump status | On/off | D2 | No | Yes | 1 per pump | 1E |
Reactor vessel head vent valve status | Open/closed | D2 | Yes | Yes | 1 per valve | 1E |
Control room radiation level | 10^-5 to 1 R/hr | E2 | No | Yes | 1 per control room | 1E |
Plant vent air flow rate | | E2 | No | Yes | 1 per plant vent | 1E |
Condenser air ejector radiation level | 10^-6 to 10^5 µCi/cc | E2 | No | Yes | 1 per ejector | 1E |

TABLE 7.5-1 (Sheet 11 of 11)

POST-ACCIDENT MONITORING INSTRUMENTATION

Variable | Range/Status | Type/Category | Environmental Qualification | Seismic Qualification | Number of Instruments | Power Supply | Notes
Condenser air ejector flow rate | | E2 | No | Yes | 1 per ejector | 1E |
Steam generator safety relief valve radiation level | 10^-1 to 10^3 µCi/cc | E2 | Yes | Yes | 1 per valve or header | 1E |
Steam generator safety/relief valve flow rate | | E2 | Yes | Yes | 1 per valve or header | 1E |
Radiation level from liquid pathways | 10^-6 to 10^-1 µCi/cc | E2 | No | Yes | 1 per pathway | 1E |
Liquid pathways flow rate | | E2 | No | Yes | 1 per pathway | 1E |
Other potential sources of radiation release | 10^-6 to 10^4 µCi/cc | E2 | No | Yes | 1 per source | 1E |
Other potential source flow rate | | E2 | No | Yes | 1 per source | 1E |
Area radiation | 10^-4 to 10^8 R/hr | E2 | No | Yes | Site specific | 1E |
Environs radiation level | | E3 | No | No | Site specific | Non-1E |
Meteorological parameters | Site specific | E3 | No | No | Site specific | Non-1E |

TABLE 7.5-2

SUMMARY OF SELECTION OF CRITERIA

Type | Category 1 | Category 2 | Category 3
A | Key variables that are used for diagnosis or providing information necessary for operator action | Variables which provide preferred backup information | None
B | Key variables that are used for monitoring the process of accomplishing or maintaining critical safety functions | Variables which provide preferred backup information | Variables which provide backup information
C | Key variables that are used for monitoring the potential for breach of a fission product barrier | Variables which provide preferred backup information | Variables which provide backup information
D | None | Key variables which are used for monitoring the performance of plant systems | Variables which provide preferred backup information which are used for monitoring the performance of plant systems
E | None | Key variables to be monitored for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases | Variables to be monitored which provide preferred backup information for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases

TABLE 7.5-3

SUMMARY OF DESIGN, QUALIFICATION, AND INTERFACE REQUIREMENTS

Qualification | Category 1 | Category 2 | Category 3
Environmental | Yes | As appropriate (See Subsection 7.5.2.3.2.2) | No
Seismic | Yes | As appropriate (See Subsection 7.5.2.3.2.2) | No

Design | Category 1 | Category 2 | Category 3
Single failure | Yes | No | No
Power supply | Emergency diesel generator | Emergency diesel generator/onsite generator (as appropriate, see Subsection 7.5.2.3.2.3.A) | As required
Channel out of service | Technical Specifications | Technical Specifications | As required
Testability | Yes | Yes | As required

Interface | Category 1 | Category 2 | Category 3
Minimum indication | Immediately accessible | Demand | Demand
Recording | Yes | As required | As required
(Recording: See Subsection 7.5.2.3.2.4 and Subsection 7.5.2.3.3.)

TABLE 7.5-4

SUMMARY OF TYPE A VARIABLES

Variable | Variable Function | Type/Category
RCS pressure (lower- and upper-range) | Key | A1
T hot (WR) | Key | A1
T cold (WR) | Key | A1
Steam generator level (temperature compensated WR) | Key | A1
Pressurizer level | Key | A1
Containment pressure | Key | A1
Steamline pressure | Key | A1
Containment water level | Key | A1
Emergency feedwater storage tank level | Key | A1
Emergency feedwater flow | Key | A1
Containment radiation level | Key | A1
Steamline radiation monitor | Key | A1
Core exit temperature | Key | A1
RCS subcooling | Key | A1

TABLE 7.5-5

SUMMARY OF TYPE B VARIABLES

Function Monitored | Variable | Variable Function | Type/Category
Reactivity control | Neutron flux | Key | B1
Reactivity control | WR T hot | Backup (P)* | B2
Reactivity control | WR T cold | Backup (P) | B2
Reactivity control | Control rod position | Backup | B3
RCS integrity | RCS pressure (lower and upper range) | Key | B1
RCS integrity | WR T hot | Key | B1
RCS integrity | WR T cold | Key | B1
Reactor coolant inventory control | Pressurizer level | Key | B1
Reactor coolant inventory control | Reactor vessel water level | Key | B1
Reactor coolant inventory control | Containment water level | Backup (P) | B2
Reactor coolant inventory control | WR steam generator level | Backup (P) | B2
Reactor core cooling | Core exit temperature | Key | B1
Reactor core cooling | Reactor vessel water level | Key | B1
Reactor core cooling | RCS subcooling | Key | B1
Reactor core cooling | WR T hot | Backup (P) | B2
Reactor core cooling | WR T cold | Backup (P) | B2
Reactor core cooling | RCS pressure (WR) | Backup (P) | B2
Heat sink maintenance | Steam generator level (WR) | Key | B1
Heat sink maintenance | Emergency feedwater flow | Key | B1
Heat sink maintenance | Steamline pressure | Key | B1
Heat sink maintenance | Main steamline isolation and bypass valve status | Backup (P)* | B2
Containment environment | Containment pressure | Key | B1
Containment environment | Containment area radiation | Key | B1
Containment environment | Containment water level | Key | B1
Containment environment | Containment hydrogen concentration | Key | B1

* P = preferred

TABLE 7.5-6 (Sheet 1 of 2)

SUMMARY OF TYPE C VARIABLES

Function Monitored | Variable | Condition | Variable Function | Type/Category
Incore fuel clad | Core exit temperature | Potential for breach | Key | C1
Incore fuel clad | Reactor vessel water level | Potential for breach | Key | C1
Incore fuel clad | RCS activity | Actual breach | Backup | C3
RCS boundary | RCS pressure (upper range) | Potential for breach | Key | C1
RCS boundary | RCS temperature (wide range) | Potential for breach | Key | C1
RCS boundary | RCS pressure (upper range) | Actual breach | Backup (P)* | C2
RCS boundary | Containment pressure | Actual breach | Backup (P) | C2
RCS boundary | Containment water level | Actual breach | Backup (P) | C2
Containment boundary | Containment pressure (extended range) | Potential for breach | Key | C1
Containment boundary | Containment hydrogen concentration | Potential for breach | Key | C1
Containment boundary | Plant vent radiation level | Actual breach | Backup (P) | C2

* P = preferred

TABLE 7.5-6 (Sheet 2 of 2)

SUMMARY OF TYPE C VARIABLES

Function Monitored | Variable | Condition | Variable Function | Type/Category
Containment boundary | Containment isolation valve status | Actual breach | Backup (P) | C2
Containment boundary | Containment pressure (extended range) | Actual breach | Backup (P) | C2
Containment boundary | Site environmental radiation | Actual breach | Backup | C3

TABLE 7.5-7 (Sheet 1 of 4)

SUMMARY OF TYPE D VARIABLES

System | Variable | Variable Function | Type/Category
Reactivity control system | Reactor trip breaker position | Key | D2
Reactivity control system | Control rod position | Backup | D3
Reactivity control system | Turbine stop valve status | Key | D2
Reactivity control system | Turbine control valve position | Key | D2
Reactivity control system | RCS boron concentration | Backup | D3
Pressurizer level and pressure control | Power-operated relief valve (PORV) status | Key | D2
Pressurizer level and pressure control | Safety valve status | Key | D2
Pressurizer level and pressure control | Pressurizer level | Key | D2
Pressurizer level and pressure control | RCS pressure (WR) | Key | D2
Pressurizer level and pressure control | Pressurizer heater power availability | Key | D2
CVCS | Charging system flow | Key | D2
CVCS | Letdown flow | Key | D2
CVCS | Volume control tank level | Key | D2
CVCS | Seal injection flow | Key | D2
CVCS | CVCS valve status | Key | D2
CVCS | Head vent valve status | Key | D2
Secondary pressure and level control | Steam generator atmospheric steam dump valve status | Key | D2
Secondary pressure and level control | Steam generator safety valve status | Key | D2
Secondary pressure and level control | Main steam isolation valve and bypass valve status | Key | D2
Secondary pressure and level control | Main feedwater control and bypass status | Key | D2

TABLE 7.5-7 (Sheet 2 of 4)

SUMMARY OF TYPE D VARIABLES

System | Variable | Variable Function | Type/Category
Secondary pressure and level control | Main feedwater isolation valve status | Key | D2
Secondary pressure and level control | Startup feedwater control valve status | Key | D2
Secondary pressure and level control | Main feedwater flow | Key | D2
Secondary pressure and level control | Startup feedwater flow | Key | D2
Secondary pressure and level control | Emergency feedwater flow | Key | D2
Secondary pressure and level control | Steam generator level (WR) | Key | D2
Secondary pressure and level control | Steam generator overflow valve status | Key | D2
Secondary pressure and level control | Steam generator blowdown isolation valve status | Key | D2
Secondary pressure and level control | Steamline pressure | Key | D2
ISS (including containment spray and residual heat removal) | Emergency water storage tank level | Key | D2
ISS (including containment spray and residual heat removal) | Total SIS flow | Key | D2
ISS (including containment spray and residual heat removal) | Total RHR/containment spray flow | Key | D2
ISS (including containment spray and residual heat removal) | EWST level | Key | D2
ISS (including containment spray and residual heat removal) | ISS valve status | Key | D2
ISS (including containment spray and residual heat removal) | Accumulator pressure | Key | D2
ISS (including containment spray and residual heat removal) | Core reflood tank pressure | Key | D2
ISS (including containment spray and residual heat removal) | RHR heat exchanger inlet and outlet temperature | Key | D2
ISS (including containment spray and residual heat removal) | Fan cooler motor speed | Key | D2
ISS (including containment spray and residual heat removal) | Containment pressure | Key | D2
Emergency feedwater system | Emergency feedwater flow | Key | D2
Emergency feedwater system | Emergency feedwater valve status | Key | D2
Emergency feedwater system | Emergency feedwater storage tank level | Key | D2

TABLE 7.5-7 (Sheet 3 of 4)

SUMMARY OF TYPE D VARIABLES

System | Variable | Variable Function | Type/Category
Component cooling water system | CCWS header pressure | Key | D2
Component cooling water system | CCWS header temperature | Key | D2
Component cooling water system | CCWS surge tank level | Key | D2
Component cooling water system | Flow to ESF components | Key | D2
Component cooling water system | CCWS valve status | Key | D2
Essential service water system | ESWS header pressure | Key | D2
Essential service water system | ESWS flow | Key | D2
HVAC | Environmental for ESF components | Key | D2
HVAC | System status | Key | D2
Electric power | AC/DC vital instrument voltage | Key | D2
Verification of automatic actuations of safety systems | Reactor trip breaker position | Key | D2
Verification of automatic actuations of safety systems | Turbine stop valve position | Key | D2
Verification of automatic actuations of safety systems | Turbine control valve position | Key | D2
Verification of automatic actuations of safety systems | ac/dc vital bus voltage | Key | D2
Verification of automatic actuations of safety systems | Main feedwater control valve status | Key | D2
Verification of automatic actuations of safety systems | Main feedwater bypass valve status | Key | D2
Verification of automatic actuations of safety systems | Main feedwater isolation valve status | Key | D2
Verification of automatic actuations of safety systems | Containment isolation valve status | Key | D2
Verification of automatic actuations of safety systems | Emergency feedwater valve alignment | Key | D2
Verification of automatic actuations of safety systems | Emergency feedwater pump start (motor-driven) | Key | D2
Verification of automatic actuations of safety systems | Emergency feedwater pump supply valve status (turbine-driven) | Key | D2

TABLE 7.5-7 (Sheet 4 of 4)

SUMMARY OF TYPE D VARIABLES

System | Variable | Variable Function | Type/Category
Verification of automatic actuations of safety systems | SI pump start | Key | D2
Verification of automatic actuations of safety systems | CCWS pump start | Key | D2
Verification of automatic actuations of safety systems | ESWS pump start | Key | D2
Verification of automatic actuations of safety systems | RHR/containment spray pump start | Key | D2
Verification of automatic actuations of safety systems | CVCS pump status | Key | D2
Verification of automatic actuations of safety systems | SI valve alignment | Key | D2
Verification of automatic actuations of safety systems | Containment spray valve alignment | Key | D2
Verification of automatic actuations of safety systems | SI flow | Key | D2
Verification of automatic actuations of safety systems | RHR/containment spray flow | Key | D2
Verification of automatic actuations of safety systems | Emergency feedwater flow | Key | D2

TABLE 7.5-8

SUMMARY OF TYPE E VARIABLES

Variable | Variable Function | Type/Category
Control room radiation level | Key | E2
Plant vent radiation level | Key | E2
Plant vent air flow rate | Key | E2
Condenser air ejector radiation level | Key | E2
Condenser air ejector flow rate | Key | E2
Steam generator safety/relief valve radiation level | Key | E2
Steam generator safety/relief valve flow rate | Key | E2
Radiation level of material discharged from liquid pathways | Key | E2
Liquid pathways flow rate | Key | E2
Other potential sources of radiation release | Key | E2
Other potential source flow rate | Key | E2
Environs radiation level | Backup (P)* | E3
Meteorological parameters | Backup (P)* | E3
Containment radiation level | Key | E2
Area radiation in areas requiring accessibility | Key | E2

* P = preferred

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 Instrumentation and Control System Power Supplies

7.6.1.1 Description

Each of the four channels of the integrated protection system (IPS) has its own dedicated 120V AC vital instrumentation and control power supply. Each of the four sets of 120V AC electrical power supply distribution panels (2 panels per set) receives its power from either of two 120V AC sources. The primary panel is fed from two interlocked circuit breakers, each with a separate source. Refer to the one line diagram shown in Figure 7.6-1. One source is a regulating stepdown transformer; the other source, an instrument inverter.

The interlock on the primary panel is such that only one of the two circuit breakers may be closed at one time. Each of the four inverters can receive its power from either of two sources: one a 480V 3-phase AC source; the other, a 125V battery source. The inverter can use either the 125V DC source or the 480V 3-phase AC source to make 120V AC instrument power. The 480V 3-phase AC power is rectified to become 120V DC. This rectified DC is auctioneered with the DC from the battery to automatically select the source that powers the inverter. The back-up panel receives power from the regulating transformer source. Although generically a two battery supply for four vital instrument inverters has been used satisfactorily on many Westinghouse plants, in a previous Westinghouse submittal for review of an IPS plant (see RESAR 414) the NRC Staff has required four independent Class 1E batteries and battery chargers for the four vital instrument inverters.

Although the Westinghouse evaluation of the two battery system for the IPS has indicated that adverse interactions between control and protection cannot result from the loss of a single power source, Westinghouse requires a four battery system for the current IPS in the interest of increased conservatism and to acknowledge previously expressed NRC requests.


7.6.1.2 Analysis

It can, therefore, be more readily concluded that no single failure of a power source will prevent a required protection function from occurring, or create an adverse interaction between the control and protection systems as a result of the loss of a single power source.

Based on the scope definitions presented in IEEE-308 (Sept. 1971), IEEE-279-1971, and IEEE-338-1971, the criterion which is applicable to the instrumentation and control power supply system is IEEE-308 (Sept. 1971). The design will be in compliance with IEEE-308 (Sept. 1971) and Safety Guide 6.

Availability of this system will be verified by periodic testing performed on the served systems and by checking the inverter output and auctioneering circuit by alternately deenergizing one input at a time. The inverters will be seismically qualified.

7.6.2 Residual Heat Removal Isolation Valves - Interlocks and Actuation

7.6.2.1 Description

The residual heat removal isolation valves will normally be closed and will be opened for residual heat removal only after system pressure has been reduced to the low RCS pressure (550 psig) and temperature conditions.

1. Each residual heat removal valve will be provided with red (open) and green (closed) position indicating lights located in the main control room at the control switch for each valve. The valve position sensing for the valve position readout in the control room is by means of the cam operated switch within the motor operator of the valve.
2. The interlock and actuation logic functions will be as shown in the logic diagram of Figure 7.6-2.

This interlock is provided for the normally closed, motor operated RHR inner and outer suction isolation valves (9000A, B, C, D and 9001A, B, C, D) to prevent the suction valves for a specific RHR subsystem from being opened by operator action unless the RCS pressure, as measured by the appropriate RCS wide-range pressure channel, is less than 550 psig and the following corresponding valves are in a closed position:

-- Spray additive isolation valves (9112, 9212, 9213, 9113)

-- RHR/EWST suction isolation valves (9007A, B, C, D)

-- Containment spray header isolation valves (9011A, B, C, D; 9009A, B, C, D)

-- System test line isolation valves (8813A, B, C, D; 8814A, B, C, D)

-- High head pump discharge isolation valves (8803A, B, C, D)

-- RHR to CVCS letdown isolation valve (where applicable) (9018A, B)

This prevent-open feature ensures that each of the four RHR subsystems is properly aligned for normal cooldown operations. The closed valves listed above provide a double barrier against leakage from the RHR subsystems, either in conjunction with a series check valve or by providing two closed series motor-operated valves.

The interlock also automatically closes the inner and outer RHR suction isolation valves in the event that the RCS pressure increases to a value greater than 750 psig. This automatic closing feature ensures that both valves will be closed during a plant startup prior to reaching operating conditions, should one have been inadvertently left open by operator omission. The valves may be closed by operator action from the main control board at any time.

The wide-range RCS pressure interlock for both the prevent-open and the autoclosure features on the inner isolation valves is independent and diverse from that provided to the outer isolation valves. Diversity is provided by use of a set of wide-range pressure transmitters for the inner valves of a model different from the set of transmitters for the outer valves.
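As an added illustration, not Westinghouse's logic diagram or any code from this document, the Python below applies the prevent-open and autoclosure rules above to the inner and outer suction valves of one RHR subsystem, each evaluated against its own wide-range pressure channel, and walks through a blocked open demand, a permitted one, an autoclosure on rising pressure, and a failed-low inner channel. The assignment of the listed interlocked valve tags to subsystem "A", and the pressure readings used, are constructed assumptions; the 550 psig and 750 psig setpoints are the ones stated in the text.

```python
from dataclasses import dataclass

PREVENT_OPEN_PSIG = 550.0   # open permissive: RCS pressure must be below this (text)
AUTOCLOSE_PSIG = 750.0      # autoclosure: valves close when pressure exceeds this (text)


@dataclass
class SuctionValve:
    """One motor-operated RHR suction isolation valve, normally closed, evaluated
    against its own wide-range RCS pressure channel (inner and outer valves use
    diverse channels, so each valve is given its own pressure reading)."""
    tag: str
    is_open: bool = False

    def prevent_open_satisfied(self, rcs_psig: float, closed_status: dict) -> bool:
        """Open permissive: pressure below 550 psig AND every interlocked valve closed."""
        return rcs_psig < PREVENT_OPEN_PSIG and all(closed_status.values())

    def update(self, rcs_psig: float, closed_status: dict,
               open_cmd: bool = False, close_cmd: bool = False) -> bool:
        """One evaluation of the interlock; returns the resulting position (True = open)."""
        if rcs_psig > AUTOCLOSE_PSIG:
            self.is_open = False          # autoclosure overrides any open demand
        elif close_cmd:
            self.is_open = False          # operator may close at any time
        elif open_cmd and self.prevent_open_satisfied(rcs_psig, closed_status):
            self.is_open = True           # open demand accepted
        # otherwise the open demand is blocked (or there is none): position unchanged
        return self.is_open


@dataclass
class RhrSubsystem:
    """Inner (9000x) and outer (9001x) valves of one RHR subsystem."""
    inner: SuctionValve
    outer: SuctionValve

    def evaluate(self, inner_psig: float, outer_psig: float, closed_status: dict,
                 open_cmd: bool = False, close_cmd: bool = False) -> tuple:
        self.inner.update(inner_psig, closed_status, open_cmd, close_cmd)
        self.outer.update(outer_psig, closed_status, open_cmd, close_cmd)
        return (self.inner.is_open, self.outer.is_open)

    def barriers_closed(self) -> int:
        """Number of closed series barriers between the RCS and the low-pressure RHRS."""
        return int(not self.inner.is_open) + int(not self.outer.is_open)


def run_scenarios() -> dict:
    # Constructed closed/open status of the interlocked valves for subsystem "A";
    # which tags belong to subsystem A is an assumption, the tag numbers are from the text.
    all_closed = {"9112": True, "9007A": True, "9011A": True, "9009A": True,
                  "8813A": True, "8814A": True, "8803A": True, "9018A": True}
    sub = RhrSubsystem(SuctionValve("9000A"), SuctionValve("9001A"))
    r = {}
    # 1. Open demand at 600 psig: blocked by the prevent-open permissive on both valves.
    r["open_at_600"] = sub.evaluate(600, 600, all_closed, open_cmd=True)
    # 2. Open demand at 400 psig, but spray additive valve 9112 still open: blocked.
    one_open = dict(all_closed, **{"9112": False})
    r["open_with_9112_open"] = sub.evaluate(400, 400, one_open, open_cmd=True)
    # 3. Properly aligned at 400 psig: both suction valves open for cooldown.
    r["open_aligned"] = sub.evaluate(400, 400, all_closed, open_cmd=True)
    # 4. Startup: pressure rises to 800 psig with the valves left open -> autoclosure.
    r["autoclose_at_800"] = sub.evaluate(800, 800, all_closed)
    # 5. Inner channel fails low (reads 0) while the outer channel reads 900 psig: the
    #    inner valve accepts an open demand, but the diverse outer channel keeps the
    #    outer valve closed, so one barrier remains (the concern raised in 7.6.2.2).
    r["inner_channel_failed_low"] = sub.evaluate(0, 900, all_closed, open_cmd=True)
    r["barriers_after_failure"] = sub.barriers_closed()
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```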

7.6.2.2 Analysis of Residual Heat Removal Valves - Interlocks and Actuation

Based on the scope definitions presented in IEEE 279-1971 and IEEE 338-1971, these criteria do not apply to the residual heat removal isolation valve interlocks, because their function is not required during or after a design basis event. However, in order to meet NRC requirements and because of the possible severity of the consequences of loss of function, the requirements of IEEE Standard 279-1971 will be applied with the following comments.

1. For the purpose of applying IEEE Standard 279-1971 to this circuit, the following definitions will be used:
a. Protection System: The two valves in series in each of the four lines and all components of their interlocking and closure circuits. (Note that the RHRS consists of four subsystems, each consisting of a pump, a heat exchanger, and valving to control the cooldown and isolate the system as necessary.)
b. Protective Action: The automatic initiation and maintenance of residual heat removal system isolation from the reactor coolant system when reactor coolant system pressures are above the preset value.
2. On-line Testability, IEEE Standard 279-1971, Paragraph 4.10: The above mentioned pressure interlock signals and logic will be tested on line to the maximum extent possible without adversely affecting safety. This test will include the initiating signals from which the actuation and interlocking signals are derived, through to the actuation and interlocking signals available from the train oriented integrated logic cabinets. This is done in the best interests of safety, since an actual actuation to permit opening the valve could potentially leave only one remaining valve to isolate the low pressure Residual Heat Removal System from the Reactor Coolant System.

3. IEEE Standard 279-1971, Paragraph 4.15: This requirement does not apply, as the setpoints are independent of mode of operation and are not changed.

Environmental qualification of the valves and wiring is discussed in Section 3.11 of RESAR-SP/90 PDA Module 7, "Structural/Equipment Design". The safety-grade cold shutdown concept imposes a conflicting requirement to provide a single failure RHRS initiation function along with the classical single failure autoclose function. The WAPWR design for cold shutdown is based on no operator action outside of the control room. Therefore, the WAPWR design with two electrical trains incorporates an RHRS suction valve arrangement with four way independence. Each RHRS suction valve is powered by a separate power supply and interlocked with a separate RCS pressure transmitter. RHR subsystems "A" and "D" have one suction valve powered by train "A" and one suction valve powered by "battery train A". "Battery train A" includes one battery, inverter (or motor-generator), and circuitry. The battery is continually charged by vital bus "A". RHR subsystems "B" and "C" have one suction valve powered by train "B". Battery train "B" is similar to battery train "A". The battery trains constitute independent power supplies and provide the single failure autoclosure capability not provided by two electrical sources. Single failure initiation capability is provided by the two totally redundant pairs of RHR subsystems.

7.6.3 Critical Function Isolation Motor Operated Valve Interlocks

The control circuits for the accumulator and core reflood tank discharge isolation valves, designated "critical function valves", are shown in Figure 7.6-3. The accumulator and core reflood tank discharge isolation valves are motor operated, normally open valves which are controlled from the MCP.

These valves are interlocked such that:

a) They open automatically on receipt of an "S" signal with the MCP switch in either the "AUTO" or "CLOSE" position.

b) They open automatically whenever the RCS pressure is above the SI unblock pressure (P-11) specified in the Technical Specifications, but only when the MCP switch is in the "AUTO" position.

c) They cannot be closed as long as an "S" signal is present.

The MCP switches for these valves are three position switches which provide a "spring return to AUTO" from the OPEN position and a "maintain position" from the CLOSE position.

The "maintain in CLOSE" is required to provide an administratively controlled manual block of the automatic opening of the valve at RCS pressure above the SI unblock pressure (P-11). The manual block or "maintain in CLOSE" position may be required in order to perform check valve leak tests or other anticipated operations.

Administrative control is required to ensure that any accumulator valve which has been closed at pressures above the SI unblock pressure is returned to the "AUTO" position. Verification that the valve automatically returns to its normal full open position would also be required.

During plant shutdown, the accumulator valves are in a closed position. To prevent an inadvertent opening of these valves during that period, the accumulator valve breakers should be opened or removed. Administrative control is again required to ensure that these valve breakers are closed during the pre-startup procedures.

These normally open, motor operated valves have been identified as "critical function" valves, and alarms indicating a mispositioning (with regard to their ECCS function) are provided. The alarms sound in the main control room.

Refer to Figure 7.6-4 for the logic diagram for the critical function valve alarm.

An alarm will sound for any critical function valve under the following conditions when the RCS pressure is above the "SI unblocking pressure":

a) Valve motor operator limit switch indicates valve is not fully open, or
b) Valve stem mounted limit switch indicates valve is not fully open.

The valve stem limit switch shall repeat itself at given intervals.

In addition, each critical function valve will be provided with red (open) and green (closed) position indicating lights located in the main control room at the control switch for each valve. The valve position sensing for the valve position readout in the control room is by means of the cam operated switch within the motor operator of the valve.

It has been shown, in discussing the foregoing features of the control and indication for the critical function valves, that the instrumentation and control for these valves complies with Branch Technical Position ICSB 3.
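As an added example, not part of the original document or its logic diagrams (Figures 7.6-3 and 7.6-4), the Python below models interlock rules a) to c), the three-position MCP switch with spring return from OPEN, the breaker that is opened during shutdown, and the two-limit-switch alarm for one critical function valve. The P-11 value and the valve tag are constructed placeholders, since the Technical Specifications value is not on this page.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed placeholder: the real SI unblock pressure (P-11) is set in the
# Technical Specifications, which this page does not reproduce.
P11_UNBLOCK_PSIG = 2000.0


class Switch(Enum):
    AUTO = "AUTO"     # normal position
    OPEN = "OPEN"     # spring-return position: falls back to AUTO when released
    CLOSE = "CLOSE"   # maintained position: the administratively controlled manual block


@dataclass
class CriticalFunctionValve:
    """Accumulator / core reflood tank discharge isolation valve: motor operated, normally open."""
    tag: str
    is_open: bool = True
    breaker_closed: bool = True   # motor breaker; opened or removed during plant shutdown

    def command(self, switch: Switch, s_signal: bool, rcs_psig: float):
        """One evaluation of the interlock.

        Returns (valve open?, switch position after spring return)."""
        if self.breaker_closed:                      # no motor power when the breaker is open
            if s_signal and switch in (Switch.AUTO, Switch.CLOSE):
                self.is_open = True                  # a) "S" signal opens in AUTO or CLOSE
            elif switch == Switch.AUTO and rcs_psig > P11_UNBLOCK_PSIG:
                self.is_open = True                  # b) above P-11, AUTO position only
            elif switch == Switch.OPEN:
                self.is_open = True                  # manual open
            elif switch == Switch.CLOSE and not s_signal:
                self.is_open = False                 # manual close; c) blocked while "S" is present
        return self.is_open, (Switch.AUTO if switch == Switch.OPEN else switch)


def alarm_required(rcs_psig: float, motor_limit_fully_open: bool, stem_limit_fully_open: bool) -> bool:
    """Critical function valve alarm: above P-11, either limit switch reporting
    'not fully open' raises it (the stem-mounted switch is independent of the
    motor operator's own switch)."""
    if rcs_psig <= P11_UNBLOCK_PSIG:
        return False
    return (not motor_limit_fully_open) or (not stem_limit_fully_open)


def run_scenarios() -> dict:
    v = CriticalFunctionValve("ACC-A")     # constructed tag
    r = {}
    # At power, switch in AUTO: the valve stays open and no alarm is raised.
    r["auto_open_at_pressure"], _ = v.command(Switch.AUTO, False, 2200.0)
    r["alarm_at_power"] = alarm_required(2200.0, v.is_open, v.is_open)
    # Manual block (maintain in CLOSE) above P-11, e.g. for a check valve leak test:
    # the valve closes and the mispositioning alarm sounds.
    r["manual_block"], _ = v.command(Switch.CLOSE, False, 2200.0)
    r["alarm_while_blocked"] = alarm_required(2200.0, v.is_open, v.is_open)
    # "S" signal arrives with the switch still in CLOSE: rule a) opens the valve,
    # and a further CLOSE demand is refused while "S" persists (rule c).
    r["opens_on_s"], _ = v.command(Switch.CLOSE, True, 2200.0)
    r["close_blocked_by_s"], _ = v.command(Switch.CLOSE, True, 2200.0)
    # Switch returned to AUTO after "S" clears: rule b) keeps the valve open above P-11.
    r["auto_after_s"], _ = v.command(Switch.AUTO, False, 2200.0)
    # Motor operator switch says open but the stem switch does not: alarm still sounds.
    r["stem_switch_alarm"] = alarm_required(2200.0, True, False)
    # Shutdown: valve closed at 300 psig, breaker opened; a spurious OPEN demand
    # cannot move the valve, the switch springs back to AUTO, and no alarm below P-11.
    r["shutdown_closed"], _ = v.command(Switch.CLOSE, False, 300.0)
    v.breaker_closed = False
    r["breaker_open_blocks"], r["spring_return"] = v.command(Switch.OPEN, False, 300.0)
    r["alarm_at_shutdown"] = alarm_required(300.0, v.is_open, v.is_open)
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```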


[Figures 7.6-1 through 7.6-4 are diagrams marked (a,c); only their captions survive in the text extraction.]

FIGURE 7.6-1 TYPICAL I&C ELECTRICAL POWER DISTRIBUTION SYSTEM

FIGURE 7.6-2 LOGIC DIAGRAM FOR INTERLOCKS OF RHR COOLDOWN SUCTION ISOLATION MOTOR OPERATED VALVES (SHEET 1 OF 2)

FIGURE 7.6-2 LOGIC DIAGRAMS FOR INTERLOCKS OF RHR COOLDOWN SUCTION ISOLATION MOTOR OPERATED VALVES (SHEET 2 OF 2)

FIGURE 7.6-3 LOGIC DIAGRAM FOR MOTOR OPERATED VALVE INTERLOCKS FOR ACCUMULATOR AND CORE REFLOOD TANK DISCHARGE ISOLATION VALVES

FIGURE 7.6-4 LOGIC DIAGRAM FOR CRITICAL FUNCTION VALVE ALARM

7.7 CONTROL AND INSTRUMENTATION SYSTEMS

The purpose of the WAPWR control systems is to establish and maintain the plant (especially the nuclear steam supply system) operating conditions within prescribed limits. A well designed control system can improve plant safety by minimizing the number of situations for which some protective response must be initiated. A well designed system should also relieve the operator from routine tasks, so that he can maintain a more global perspective of the plant conditions.

The WAPWR control systems are referred to as integrated because they share a commonality of hardware design and implementation philosophy. They will also be designed to be functionally integrated so as to provide enhanced responsiveness during plant transients. The term integrated should not be construed as having all the control functions performed in a single piece of hardware. In fact, specific design requirements are imposed which limit the impact of individual equipment failures.

The NSSS control systems regulate the operating conditions in the plant automatically in response to changing plant conditions and changes in plant load demand. These operating conditions include the following:

o RCS Temperature

The NSSS control systems function to maintain the reactor coolant system (RCS) temperature at or near a programmed value which may be a function of plant load or other operating conditions. Steam conditions for the turbine will depend strongly on the temperature maintained in the reactor coolant. RCS temperature may also be used as a mechanism for maintaining core reactivity.

o Nuclear Power Distribution

Operating limits include the distribution of nuclear energy production within the core as well as its average value. The axial distribution of the nuclear power will be maintained within prescribed limits.

o RCS Pressure

The RCS coolant must be pressurized to prevent significant boiling at the high operating temperatures required for good plant performance. This pressure must be controlled within limits which prevent reductions that would expose the fuel to possible DNB and increases that would challenge the RCS design pressure.

o Pressurizer Water Level

In order to provide a sufficient buffer for plant transients, the RCS pressurizer contains a prescribed volume of water and steam which depends on plant load and operating temperature.

o Steam Generator Water Level

The steam generator water level must be maintained within limits which are set to assure adequate energy removal capability and to avoid moisture carryover.

o Steam Dump

For very fast and large transients such as load rejections, an additional thermal load (steam dump) must function until nuclear power can be reduced. This steam dump is also used to maintain hot no load or hot low load conditions prior to turbine loading. It also provides a means for plant cooldown.

7.7.1 Description

The plant control and instrumentation systems described in this section will perform the following functions:

1. Automatic Power Control System (APCS)

The APCS will coordinate the responses of the various reactivity control mechanisms so as to provide enhanced reactor performance. The APCS will enable daily load follow operation with a minimum of manual control required by the operator. Load regulation and frequency control will be compatible with the APCS operation.

2. Rod Control System

The Rod Control System is designed to maintain nuclear power and reactor coolant temperature, without challenges to the protection systems, during normal operating transients.

3. Boron Control System

The boron control system will change the reactor coolant boron concentration as directed by the APCS in such a manner that the axial nuclear power distribution and other operating conditions are maintained.

4. Pressurizer Pressure Control

The pressurizer pressure control system will act to maintain or restore the pressurizer pressure to the nominal operating value following normal operating transients. The control system will react to avoid any challenges to the protection systems during these operating transients. The necessity for pressure relief via the power operated relief valves (PORVs) should be minimized.

5. Pressurizer Water Level Control

The pressurizer water level control system will establish and maintain or restore pressurizer water level to its required value. The required water level will be programmed as a function of reactor coolant system temperature and power generation to minimize charging and letdown requirements. No challenges to the protection system are to result from normal operational transients.

6. Steam Generator Water Level Control System

The purpose of the steam generator water level control system is to maintain the steam generator water level at a predetermined setpoint during steady state operation, and to maintain the water level within operating limits during normal transient operation. The water level control system will act to restore normal water level following a unit trip. The various modes of feedwater addition will be automated to require a minimum of operator involvement.

7. Steam Dump Control

The steam dump control system will react to prevent a reactor trip following a sudden loss of electrical load. The steam dump control system will also ensure that stored energy and residual heat are removed following a reactor trip so that the plant can be brought to equilibrium no-load conditions without actuation of the steam generator safety valves. The steam dump control system is also to provide for maintaining the plant at no-load or low load conditions and should facilitate a controlled cooldown of the plant.

7.7.1.1 Automatic Power Control System (APCS)

The APCS is a direct extension of the core reactivity control systems. It is intended to provide an integrated control of these systems such that the core axial power distribution and other parameters are maintained in an automatic and prescribed manner. Rather than controlling just a single mechanism such as boron concentration or control rod position, this control system will provide an integrated response to reactivity control.

The APCS is designed to relieve the operator from the difficult and time consuming duty of manipulating the reactivity control mechanisms during periods of time in which the power level or power distribution is changing.

The APCS should be capable of providing control in the load range from 15% to 100% power. The APCS will allow daily load follow operation on a 14-1-8-1 hr. cycle from 100-50% power, subject only to core power distribution limits. The APCS will also facilitate concurrent load regulation and frequency control.

Each of the control systems with which the APCS interfaces must be capable of being operated independently, although this mode of operation is intended for those infrequent times that the APCS is not available.

The inputs to the APCS will consist of those parameters necessary to describe the current state of the NSSS:

Current power level
Power distribution (axial offset)
Cold leg temperature (T_cold)
Boron concentration
Control rod position
Gray rod position
Water displacer rod positions

The operating constraints will include such items as control rod insertion and withdrawal limits, the range of allowable operating temperatures, and the range of allowable power distributions.

Power distribution is characterized in terms of an axial offset (A.O.) parameter which is obtained from the power range multi-section excore neutron detectors. Axial offset is computed as:

$$A.O. = \frac{\text{power in top of core} - \text{power in bottom of core}}{\text{power in top of core} + \text{power in bottom of core}}$$

As in the Model 414 reactor, the thermodynamic state will be measured and controlled in terms of the cold leg temperature, T_cold. Since the operating power level is also available from compensated N-16 measurements in the hot leg, the temperature rise across the reactor can be inferred. Control rod and gray rod positions will be supplied to the APCS via the appropriate position monitoring system.

The APCS will enable the NSSS to follow turbine load changes without requiring operator actions. This capability will make possible the use of remote dispatching, i.e., setting the turbine load from the economic dispatch center rather than locally at the plant site. The use of remote dispatching will allow the unit to be fully integrated into the economic dispatch and load follow requirements of the utility, and help to maintain grid fault security.

The APCS will provide, as an optional output, data on how large a power change the plant can safely accept while maintaining automatic control, and how quickly it can make the change. The operator will be provided with manual overrides to restrict or prohibit altogether the remote dispatching.

7.7.1.2 Rod Control System

A PWR is inherently stable due to negative temperature and power reactivity feedback effects. However, in order to maintain the temperature within the desired control band, neutron absorbing control rods are inserted into the core. By adjusting control rod insertion in conjunction with other reactivity control mechanisms such as soluble boron concentration or gray rod position, additional operating goals can be achieved (e.g., minimizing axial power peaking, maximizing spinning reserve capability, etc.).

Automatic rod control will be available over the entire range of power operation, including power escalation for turbine synchronization and loading. Stable and accurate control of RCS temperature is provided within an established control deadband. Deadband for temperature control is provided to eliminate unnecessary rod motion and to allow greater flexibility of reactivity control through variations in moderator temperature. The rod control system must be responsive to plant transients to maximize the margins to plant safety actuation setpoints, and yet must not result in excessive rod motion for automatic frequency control and load regulation operation.

In order to allow the elimination of the RCS hot leg narrow range temperature measurement and the associated bypass line piping, the control system will be designed to operate on the basis of the cold leg temperature. Control performance with this modification will be designed to be at least comparable to previous performance based on control of average core temperature.

Rod control will be provided by two distinct, but integrated, control systems. The first of these systems will be designed to provide rod control at low power levels and is shown in Figure 7.7-1. This system will be designed to provide direct control of nuclear power. In order to assure that RCS temperature is maintained at the proper value, this operation must be applied in conjunction with automatic steam pressure control by the steam dump control system. The low power rod control system will receive a nuclear power demand signal in terms of the power which is to be attained, and the rate at which power is to be increased/decreased. Control logic will be supplied to coordinate this controller with the control for the high power range and to prevent automatic low power rod control if automatic steam dump pressure control is unavailable. Control action will be taken based on the difference between demanded nuclear power and measured nuclear power.

The rod control in the high power range (15-100% power) is shown in Figure 7.7-2. The purpose of this control system is to maintain the RCS coolant temperature within a specified range (deadband) of a setpoint value which is a function of power level and possibly other operating parameters. Reactor coolant system temperature is established by measurement of the cold leg temperature, since an accurate measurement of this value is possible without complex and costly sampling scoops and bypass piping. The reference T_cold is a programmed function of turbine power. To provide responsive transient performance, control action will also be provided based on the difference between power extracted by the turbine and that supplied by the reactor. The power difference is passed through a high pass filter to eliminate any long term offsets due to errors in measurement of nuclear or turbine power.

Both rod control systems generate direction and speed demand signals for the control rods only. The direction of rod movement is based on the sign of the control error, and the speed demand is based on its magnitude. The rod speed signal will vary between a minimum speed of 3.75 inches/minute and a maximum speed of 45 inches/minute (6 to 72 steps/minute). Manual control will be provided which will move the control rods at a prescribed fixed speed.

Each control bank will be subdivided into two groups to obtain smaller incremental reactivity changes per step. All rod cluster control assemblies in a group will be electrically parallel to move simultaneously. There will be individual position indication for each rod cluster control assembly.

A summary of the rod cluster control assembly sequencing characteristics is given below:
1. Two groups within the same bank will be stepped such that the relative position of the groups will not differ by more than one step.

2. The control banks will be programmed such that withdrawal of the banks will be sequenced in the following order: control bank A, control bank B, control bank C and control bank D. The programmed insertion sequence will be the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) will be the first control bank inserted.

3. The control bank withdrawals will be programmed such that when the first bank has reached a preset position, the second bank will begin to move out simultaneously with the first bank. When the first bank has reached the top of the core, it will stop, while the second bank will continue to move toward its fully withdrawn position. When the second bank has reached a preset position, the third bank will begin to move out. This withdrawal sequence will continue until the unit has reached the desired power level. The control bank insertion sequence will be the opposite.

4. Overlap between successive control banks will be adjustable between 0 to 80 percent with an accuracy of 1 step.

5. Rod speed for the control banks will be capable of being controlled between a minimum of 6 steps per minute and a maximum of 72 steps per minute.
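As an added illustration, not part of the RESAR-SP/90 text, the following Python model implements the sequencing rules in items 2 through 4 above: a single demand counter drives banks A through D, each bank starting out when the previous bank reaches its preset overlap position, and insertion follows the same sequence in reverse. The 228-step bank travel and the 50 percent overlap are constructed values, not plant data.

```python
"""Control bank overlap sequencing (added example, not Westinghouse code).

A single demand counter drives banks A-D. Bank k+1 starts moving out when
bank k reaches the preset (overlap) position; bank k stops at the top of the
core while bank k+1 keeps going. Insertion is the same sequence in reverse.
The 228-step travel and 50 percent overlap below are constructed values.
"""
from dataclasses import dataclass

BANKS = ("A", "B", "C", "D")  # withdrawal order stated in the text


@dataclass(frozen=True)
class SequencerConfig:
    top_step: int = 228      # constructed: steps from fully inserted to top of core
    overlap_pct: float = 50  # adjustable between 0 and 80 percent per item 4

    def __post_init__(self) -> None:
        if not 0 <= self.overlap_pct <= 80:
            raise ValueError("overlap must be between 0 and 80 percent")

    @property
    def overlap_steps(self) -> int:
        # overlap rounded to one step, matching the stated 1-step accuracy
        return round(self.top_step * self.overlap_pct / 100)

    @property
    def start_lag(self) -> int:
        # demand counts between one bank starting and the next bank starting;
        # this is the preset position at which the following bank begins to move
        return self.top_step - self.overlap_steps

    @property
    def max_demand(self) -> int:
        # demand count at which all four banks are fully withdrawn
        return self.top_step + (len(BANKS) - 1) * self.start_lag


def bank_positions(demand: int, cfg: SequencerConfig) -> dict:
    """Steps withdrawn for each bank at a given total demand count."""
    if not 0 <= demand <= cfg.max_demand:
        raise ValueError("demand outside the sequencer range")
    return {
        bank: max(0, min(cfg.top_step, demand - i * cfg.start_lag))
        for i, bank in enumerate(BANKS)
    }


def banks_in_motion(demand: int, cfg: SequencerConfig) -> list:
    """Banks that move on the next one-step withdrawal demand."""
    if demand >= cfg.max_demand:
        return []
    before = bank_positions(demand, cfg)
    after = bank_positions(demand + 1, cfg)
    return [b for b in BANKS if after[b] != before[b]]


def motion_order(cfg: SequencerConfig, withdrawing: bool = True) -> list:
    """Order in which banks begin to move for a full withdrawal or insertion."""
    demands = range(cfg.max_demand + 1)
    if not withdrawing:
        demands = range(cfg.max_demand, -1, -1)
    order: list = []
    prev = None
    for d in demands:
        pos = bank_positions(d, cfg)
        if prev is not None:
            for b in BANKS:
                if pos[b] != prev[b] and b not in order:
                    order.append(b)
        prev = pos
    return order


if __name__ == "__main__":
    cfg = SequencerConfig()
    for d in (0, 114, 115, 228, 229, cfg.max_demand):
        print(d, bank_positions(d, cfg), banks_in_motion(d, cfg))
    print("withdrawal:", motion_order(cfg), "insertion:", motion_order(cfg, False))
```

With overlap above 50 percent, three banks can be in motion at once, which the model shows for the 80 percent setting.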


7.7.1.3 Control Rod Position Monitoring
1. Digital Rod Position The digital rod position indication system will measure the actual position of each rod using a detector which will consist of discrete coils mounted concentric with the rod drive pressure housing. The coils will be located axially along the pressure housing and will magnetically sense the entry and presence of the rod drive shaft through its center line.

2. Demand Position System The demand position system will count the pulses generated in the rod drive control system to provide a digital readout of the demanded bank position.

The demanded and measured rod position signals will be displayed on the control board. The plant computer will provide an audible alarm whenever an individual rod position signal has deviated from the other rods in the bank by a preset limit. The alarm will be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors.

Alarms will also be generated if any shutdown rod is detected to have left its fully withdrawn position, or if any control rod is detected at the bottom position except as part of the normal insertion sequence.

7.7.1.4 Control Rod Insertion and Withdrawal Limits

With the reactor critical, the normal indication of reactivity status in the core will be the position of the control bank in relation to reactor power (as indicated by the N-16 power monitors). The N-16 power signal will be used to calculate insertion limits for the control banks. Two alarms will be provided for each control bank.

1. A "low" alarm will alert the operator of an approach to the rod insertion limits which will require boron addition by following normal procedures with the chemical and volume control system, or gray rod insertion.
2. A "low-low" alarm will alert the operator to take immediate action to add boron to the reactor coolant system by any one of several alternate methods, or to insert gray rods.

The purpose of the control bank rod insertion alarms is to give warning to the operator of excessive rod insertion. The insertion limit will maintain sufficient core reactivity shutdown margin following reactor trip and will provide a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection. Insertion limits will ensure that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip will increase with increasing power, the allowable rod insertion limits must be decreased (the rods must be withdrawn further) with increasing power. The insertion limit will be calculated from the reactor power as measured by the N-16 power monitor according to the following equation:

$$Z_{LL} = A \cdot (Q_{N\text{-}16})_{auct} + B$$

where

$Z_{LL}$ = Maximum permissible insertion limit for the affected control bank

$(Q_{N\text{-}16})_{auct}$ = Highest reactor power signal of all N-16 power monitors

$A, B$ = Constants chosen to maintain $Z_{LL}$ > the actual limit based on physics calculations

The control rod bank demand position ($Z$) will be compared to $Z_{LL}$ as follows:

If $Z - Z_{LL} \le D$, a low alarm will be actuated. If $Z - Z_{LL} \le E$, a low-low alarm will be actuated.

7.7.1.5 Control Rod Stops and Turbine Runbacks

Rod stops will be provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by either a control system malfunction or operator violation of administrative procedures.
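The following Python routine is an added example, not from the RESAR-SP/90 text, applying the 7.7.1.4 insertion limit equation and the low and low-low comparisons above: (Q_N-16)_auct is taken as the highest of the redundant N-16 signals, and the constants A, B and the alarm margins D, E are constructed placeholders rather than plant values.

```python
"""Control bank insertion limit and low / low-low alarms (added example).

Implements the 7.7.1.4 relations with constructed numbers: the limit
Z_LL = A * (Q_N-16)_auct + B, where (Q_N-16)_auct is the highest of the
redundant N-16 power signals, and the low / low-low comparisons against the
bank demand position Z. A, B, D and E are placeholders, not plant values.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class InsertionLimitParams:
    a: float  # steps of required withdrawal per percent power (constructed)
    b: float  # limit at zero power, steps (constructed)
    d: float  # low alarm margin, steps
    e: float  # low-low alarm margin, steps; must be below d

    def __post_init__(self) -> None:
        if self.e >= self.d:
            raise ValueError("low-low margin E must be smaller than low margin D")


def auctioneered_power(n16_signals: Sequence[float]) -> float:
    """(Q_N-16)_auct: the highest of the N-16 power monitor signals.

    Taking the highest signal is conservative: a channel that fails high
    only tightens the limit, while a single channel failing low cannot
    relax it as long as another channel still reads the true power.
    """
    if not n16_signals:
        raise ValueError("no N-16 power signals available")
    return max(n16_signals)


def insertion_limit(q_auct: float, p: InsertionLimitParams) -> float:
    """Z_LL, the maximum permissible insertion limit for the bank."""
    return p.a * q_auct + p.b


def evaluate_bank(z_demand: float, n16_signals: Sequence[float],
                  p: InsertionLimitParams) -> dict:
    """Compare demand position Z with Z_LL and return the alarm state."""
    q = auctioneered_power(n16_signals)
    z_ll = insertion_limit(q, p)
    margin = z_demand - z_ll
    alarm: Optional[str]
    if margin <= p.e:
        alarm = "low-low"   # immediate boration or gray rod insertion
    elif margin <= p.d:
        alarm = "low"       # approach to the limit; borate by normal procedure
    else:
        alarm = None
    return {"q_auct": q, "z_ll": z_ll, "margin": margin, "alarm": alarm}


if __name__ == "__main__":
    params = InsertionLimitParams(a=1.5, b=60.0, d=10.0, e=3.0)
    # constructed: four N-16 channels, one reading slightly low
    signals = [100.0, 99.0, 100.0, 97.5]
    for z in (230.0, 215.0, 210.0):
        print(z, evaluate_bank(z, signals, params))
```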

Automatic turbine load runback will be initiated by an approach to DNB or high kw/ft conditions. This will prevent high power operation that might lead to an undesirable condition. However, the limit, if reached, will be protected by reactor trip.

In addition to the turbine runbacks, the turbine load reference will be frozen during ramp load increases if the reactor coolant cold leg temperature is below the programmed reference by an excessive amount. The ramp load increase will automatically resume when the excessive temperature deviation no longer exists.

7.7.1.6 Boron Control System

Soluble boron concentration represents one of the mechanisms for maintaining core reactivity. It is used in conjunction with additional reactivity control mechanisms such as control rods and moderator temperature to meet reactor operating goals (e.g., axial offset, spinning reserve, water processing requirements) as directed by the APCS. The boron recycle system (BRS) will provide either highly borated or demineralized water for the RCS makeup depending on whether boration or dilution is required.

Under normal operation, the boron control system will respond to changes in boron concentration demand as dictated by the APCS. The boron control system in conjunction with the BRS must be capable of changing the RCS boron concentration as required to follow the reference 14-1-8-1, 100%-50%-100% load follow cycle, when RCS boron concentration is sufficiently high.

7.7.1.7 Gray Rod Control System

In addition to high worth control rods, the WAPWR will accommodate relatively low worth gray rods. The gray rod assemblies will be either fully inserted or fully withdrawn. They will be operated in conjunction with the control rods, and other mechanisms for controlling reactivity, in such a manner as to meet overall plant operating objectives.

Automatic control of the gray rods will be provided by the APCS. The APCS will determine when gray rod insertion or withdrawal will be advantageous in meeting the plant performance requirements. Only one group of gray rod assemblies will be allowed to be in motion at any particular time. The gray rod control system will compare the actual and demanded positions of the gray rods and will alert the operator if any discrepancies occur. The gray rods will be inserted and withdrawn in a pre-selected sequence where the sequence for withdrawal is opposite that of insertion. Gray rods will be utilized for power distribution control during those periods of reactor operation with low boron concentration. They also serve as a backup to the BRS during operation with high boron concentration.

7.7.1.8 Pressurizer Pressure Control System

The NSSS pressure must be closely regulated during operation to prevent pressure from increasing to the point where a safeguards actuation is required to prevent overstressing the pressure boundary, or from decreasing to a condition where safeguards actuation is required to prevent the possibility of DNB. Fine control of pressure to the desired setpoint is accomplished by regulating the output of a group of variable heaters. Large decreases in pressure are accommodated by actuation of on/off heaters and by the inherent flashing from the water mass in the pressurizer which is at saturation. Large pressure increases are controlled by actuating pressurizer spray to condense steam.

Pressurizer pressure control must be designed to provide stable and accurate control of pressure to its predetermined setpoint. Automatic pressure control is to be available from the point at which nominal pressure is established in the startup cycle to 100% power. During steady state operating conditions, the heater output must be regulated to make up for pressurizer heat loss and a small continuous pressurizer spray. During normal transient operation, the pressure must be regulated to provide adequate margin to safety systems actuation or reactor trip. Pressurizer PORV operation should not be required for all normal transients including full load rejection. The control system is designed so as to minimize equipment duty (e.g., spray nozzle thermal cycling due to spray actuation) due to automatic frequency control operation.


The design for control of pressurizer pressure is shown in Figures 7.7-3 and 7.7-4. Because of the different dynamic characteristics of the heaters and spray, separate control algorithms are provided for each.

Small and/or slowly varying changes in pressure will be regulated by modulation of the proportional heaters. Reset (integral) action is included to maintain pressure at its setpoint. Decreases in pressure larger than that which can be accommodated by the proportional heaters will result in the actuation of the backup heaters. The backup heaters will be deactivated when the proportional heaters alone are capable of restoring pressure. Large increases in the pressurizer water level will also result in activation of the backup heaters. The purpose of this action is to avoid the accumulation of subcooled fluid in the pressurizer, so that flashing of the pressurizer fluid will act to limit the pressure decrease on any subsequent outsurge.

Pressure increases too large and fast to be handled by reducing the proportional heater output will result in spray actuation. Spray action will continue until pressure has decreased to the point at which the proportional heaters can again regulate pressure. The control system is designed so that spray is not actuated unless it is required, in order to minimize the spray nozzle duty. The system should not keep spray on any longer than is required so that any subsequent depressurization is not made worse. For normal transients including a full load rejection, this control system must act promptly to prevent opening of the PORVs.

7.7.1.9 Pressurizer Level Control System

The pressurizer water inventory or level control is designed to provide a reservoir for the RCS inventory changes which occur due to changes in RCS density. As the RCS temperature is increased from hot zero load to full load values, the RCS fluid expands. To minimize the duty on the water handling systems, the pressurizer level is programmed to absorb this change. The pressurizer level control regulates charging flow to the RCS to compensate for any differences between letdown and charging flow so as to maintain the programmed level.

Pressurizer level control is designed to provide stable and accurate control of pressurizer level to its programmed value as derived from the current operating parameters. Automatic level control is supplied from the point in the startup cycle where the hot zero load level is established through 100% power. In addition to power, the reference water level is also compensated for changes in operating temperature that result from such things as rod control deadband, or reduced T_avg return to power operation.

The design for the pressurizer level control system is shown in Figure 7.7-5.

The reference level for the pressurizer is characterized in terms of N-16 derived power (Q_N-16) and RCS cold leg temperature (T_cold). During startup, the reference water level is held at the hot zero power value. The error between the measured level and the computed reference level is used in the control algorithm to provide a modulating signal for charging flow. The level control system must be responsive enough to accommodate the RCS inventory shrink and swell for the maximum heatup and cooldown during startup and shutdown.

7.7.1.10 Steam Generator Water Level Control System

Steam generator water level control maintains a reservoir or heat sink for the power generated by the reactor. Safety and/or operational concerns establish a range within which water level must be maintained. Steam generator water level is controlled by adjusting the feedwater flow in relation to the steam flow. Control of level during a disturbance is complicated by a phenomenon referred to as "shrink and swell". A change in steam flow, with feedwater flow held constant, will give rise to a short term level effect which is opposite that of the long term effect of the flow change. This shrink or swell arises from a hydraulic force and mass redistribution within the steam generator downcomer and the tube bundle.

The design of the steam generator water level control system must provide for stable and accurate control of water level over a wide range of operating conditions. Automatic water level control is to be available as soon as narrow range water level control is called for in the startup sequence.

Automatic water level control must remain available through 100% power with a minimum of requirements for operator input. Water level control is to encompass initial feeding of the steam generator using the startup feedwater system, as well as feeding of the steam generator by the main feedwater system using the main and bypass feedwater valves. Continuous feedwater control is to be provided between these modes.

The feedwater control system is to be responsive to changes in plant parameters to minimize the likelihood of normal transients producing undesirable operating conditions. The control is compensated for the effects of shrink and swell on water level to provide improved control action.

The three distinct, but integrated, modes of feedwater control are indicated in Figures 7.7-6 to 7.7-8. Main feedwater valve control will employ measurement of steam flow and feedwater flow since large and rapid changes in steam flow are likely to occur during high power operation. Steam generator level measurement will be used with integral action to ensure that the reference level is maintained even in the event of steam and feedwater flow measurement errors. Steam pressure changes are included in the control algorithm to provide improved transient responsiveness to shrink and swell.

The control logic signals are used to effect the transition between control modes (i.e., main, bypass, startup).

The control of the bypass feedwater valve will be utilized for low power operation. Steam and feedwater flow measurements are not useful for this mode, because they tend to be noisy and inaccurate at low power. Reset action will be provided on water level to maintain the required setpoint. Control logic signals will be used to direct a smooth transition between control modes. Steam dump in the pressure control mode should be used in conjunction with low power feedwater control to minimize the impact of any operating disturbances.

Startup feedwater control will be used to maintain the steam generator water level during the steaming phases of plant heatup and cooldown. This control will be based on maintaining water level at an adjustable setpoint.

7.7.1.11 Steam Dump Control System

Steam dump provides an auxiliary heat removal capability from the NSSS. Steam dump is utilized when there is a sudden decrease in the power being supplied to the turbine, and when that decrease is larger than that which can be accommodated by the other NSSS control systems. Steam dump is also used to provide a regulated heat removal during startup and cooldown and when maintaining the plant in a hot standby condition. This steam flow is taken directly from the steam header to the turbine condenser (or to atmosphere if so designed).

The steam dump control system must be able to very rapidly detect any large mismatch between power delivered to the turbine and power produced by the reactor, and initiate the proper steam dump to prevent a reactor trip or safeguards initiation. Steam dump should, in conjunction with pressurizer pressure control, prevent actuation of the pressurizer PORVs following a full load rejection.

The steam dump control system must be able to regulate steam flow in order to maintain a reference plant condition (steam pressure) during low power and standby operating conditions. In addition, the steam dump control system should be able to gradually reduce the steam generator saturation temperature to provide a programmed plant cooldown rate as part of the plant cooldown procedure.

The steam dump control system will be composed of two control systems. The first of these is shown in Figure 7.7-9. This is a power mismatch control system which is designed to detect substantial primary/secondary load imbalances due to a load rejection or trip. The controller is designed to provide trip open logic to the appropriate steam dump valves to compensate for this power difference. Compensated turbine power (turbine first stage pressure) and nuclear (N-16) power are used to provide the power mismatch signal. The error between the reference T_cold and measured T_cold is used to return the plant to the proper operating point.

The second control system, shown in Figure 7.7-10, is a steam pressure controller. This control system is applied when the NSSS is being maintained in a hot, low power condition prior to turbine loading. It is also used to provide a controlled cooldown; the controller will translate the decreasing temperature demand to a steam pressure setpoint using saturated water property tables. After compensation, this signal will be used to provide the pressure control setpoint.

Interlocks are provided to minimize the possibility of inadvertent or unwarranted operation of the steam dump valves.

7.7.1.12 Signal Selector

The integrated control system for the WAPWR will derive certain of its control inputs from signals which are also utilized in the integrated protection system. A number of advantages accrue from this design philosophy:

i) The NSSS will be controlled from the same measurements with which it is protected, thereby assuring the control system will function to maintain margins between operating conditions and safety limits, and reduce the likelihood of spurious trips.

ii) Reducing the number of redundant measurements for any single process variable reduces the overall plant complexity at critical pressure boundary penetrations. This leads to a reduction in separation requirements within the containment as well as to a decrease in plant cost and maintenance requirements.

In order to obtain these advantages, certain measures must be taken to ensure the independence of the protection and control systems. The criteria for these measures are contained in the Standard IEEE-279-1971 (specifically Section 4.7). In addition to specifying that isolation devices must be provided to guard the protection system against possible electrical faults in the control system, this standard contains the following paragraphs which describe the functional independence that must exist for control and protection system actions:

"4.7.3 Single Random Failure. Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when degraded by a second random failure.

Provisions shall be included so that this requirement can still be met if a channel is bypassed or removed from service for test or maintenance purposes. Acceptable provisions include reducing the required coincidence, defeating the control signals taken from the redundant channels, or initiating a protective action for the bypassed channel."

In designs previous to the Model 414, Westinghouse met this criterion by providing a two-out-of-four (2/4) logic on protection variables which were also used for control, and reverting to one-out-of-three (1/3) protection by initiating a protection action(s) when that channel was taken out of service for test or maintenance. The disadvantage of this procedure was that while plants were operated in this 1/3 mode, they were exposed to the possibility that a single component failure or spurious signal could cause an inadvertent plant trip. The Westinghouse integrated protection system avoids this exposure by using a bypass logic during test and maintenance wherein the 2/4 logic reverts to 2/3 logic. This action necessitates a different mechanism for complying with the functional independence of control and protection as required by IEEE-279.

In the integrated control and protection system, functional independence of control and protection is obtained by providing a signal selection device for those signals which are also utilized in the protection system. The purpose of the signal selection device is to ensure that a failed signal which could result in failure of a protection channel will not result in a control action that could result in a plant condition requiring that protective action. The signal selection device will provide this capability by comparing all of the redundant signals and automatically eliminating an aberrant signal from use in the control system. This capability will exist for bypassed sensors or for sensors whose signals have diverted from the expected error tolerance.

The redundant signal selector subsystems receive identical data from the IPCs and perform identical selection algorithms. Both subsystems provide validated data to both redundant highways of the process bus. When there is no failure of either signal selector or either highway, the control subsystems are free to use data from either of the signal selectors via either of the highways.

The redundancy serves two purposes: it protects against a failure disrupting the control system, and it provides the capability to remove one of the selectors from service for automatic testing while maintaining normal control using data from the other selector.
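The following Python model is an added example, not Westinghouse code, of the two mechanisms this section describes for shared sensors: a signal selector that compares the redundant channels and excludes bypassed or aberrant ones before a value reaches the control system, and the 2/4 protection coincidence that becomes 2/3 while one channel is bypassed for test. Channel names, values, the setpoint and the tolerance are constructed.

```python
"""Signal selector and coincidence logic for shared sensors (added example).

Models the 7.7.1.12 description, not Westinghouse code: redundant channels
feeding both control and protection are compared, bypassed or aberrant ones
are dropped before the control system sees a value, and the protection side
uses 2/4 coincidence that becomes 2/3 when one channel is bypassed for test.
Channel names, values, setpoint and tolerance are constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Channel:
    name: str
    value: float
    bypassed: bool = False  # removed from service for test or maintenance


def select_signal(channels: Iterable[Channel], tolerance: float) -> Tuple[float, List[str]]:
    """Validated control value and the names of channels excluded from it.

    A channel is aberrant when it differs from the median of the live
    channels by more than `tolerance`. Using the median as the reference
    means one failed channel in four cannot drag the reference toward itself.
    """
    channels = list(channels)
    live = [c for c in channels if not c.bypassed]
    if len(live) < 2:
        raise RuntimeError("fewer than two live channels; cannot validate")
    reference = median(c.value for c in live)
    good = [c for c in live if abs(c.value - reference) <= tolerance]
    if len(good) < 2:
        raise RuntimeError("live channels disagree; no validated value")
    good_names = {c.name for c in good}
    excluded = [c.name for c in channels if c.name not in good_names]
    # the value handed to control is itself a median, so no single channel
    # steers the control system on its own
    return median(c.value for c in good), excluded


def low_setpoint_votes(channels: Iterable[Channel], setpoint: float) -> Dict[str, bool]:
    """Per-channel trip votes for a low setpoint; bypassed channels vote no."""
    return {c.name: (not c.bypassed and c.value < setpoint) for c in channels}


def trip_decision(votes: Dict[str, bool], bypassed: Set[str]) -> bool:
    """Protection coincidence: 2 out of 4, reverting to 2 out of 3 under bypass.

    Keeping the two-channel requirement while one channel is bypassed means a
    single failed channel cannot trip the plant on its own, yet one failed
    channel still leaves two good channels able to provide the trip.
    """
    if len(bypassed) > 1:
        raise RuntimeError("only one channel may be bypassed at a time")
    active = [name for name in votes if name not in bypassed]
    if len(active) < 3:
        raise RuntimeError("fewer than three active channels")
    return sum(1 for name in active if votes[name]) >= 2


if __name__ == "__main__":
    # constructed: four pressurizer pressure channels, P4 failed low
    chans = [Channel("P1", 2235.0), Channel("P2", 2240.0),
             Channel("P3", 2238.0), Channel("P4", 1500.0)]
    value, dropped = select_signal(chans, tolerance=20.0)
    votes = low_setpoint_votes(chans, setpoint=1900.0)
    print("control uses", value, "excluded", dropped,
          "trip:", trip_decision(votes, bypassed=set()))
```

In the constructed case the failed channel is neither used for control nor able to trip the plant by itself, which is the single-failure independence the IEEE-279 paragraph above calls for.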

7.7.2 Analysis

The plant control systems will be designed to assure high reliability in any anticipated operational occurrence as well as to meet the following objectives which will be considered in the design process insofar as it is practical.

7.7.2.1 Performance

The control system shall be capable of maneuvering the plant through the reference transients below. This maneuvering shall be done without the need for manual intervention and without violating plant protection or component limits, even with expected adverse instrument errors.

1) The capability to accept 10% step load decreases from any initial power level between 100% and 25% of full power, and step load increases of 10% from any initial power level between 15% and 90% of full power without reactor trip or steam dump actuation.

2) The capability to accept ramp load changes at 5% power per minute while operating in the range of 15% to 100% of f ull power without reactor trip or steam dump system actuation, subject to core power distribution limits.

3) The capability to accept the design full load rejection without reactor trip.

4) The capability to accept a turbine trip from full power operation with reactor trip but without actuation of any of the emergency safeguards systems.

5) The capability to follow the design basis net load follow pattern for 95% of the fuel cycle. The design basis load follow pattern is defined as the daily (24 hour period) cycle consisting of 14 hours operation at 100% power, followed by 1 hour linear ramp to 50% power, followed by 8 hours of operation at 50% power and then a 1 hour linear ramp back to 100% power.

The ICS shall not be limiting in providing this capability.

6) The capability to return to at least 90% power from part power operation during the daily load follow cycle at a rate of 5% power per minute. The capability should be maintained for at least 85% of the fuel cycle length.

7) The capability to perform the design basis load regulation during steady-state operation, or during the design basis load follow cycle. The design basis load regulation operation consists of unplanned, random load changes as often as every 3 minutes with a maximum value of 15% power from the long term average value.

8) Frequency control capability will be accommodated in the design of the ICS.

The control system shall permit maneuvering the plant through the transients described above without actuation of any of the following:

1) Steam generator safety valves
2) Steam generator power operated relief valves
3) Pressurizer safety valves
4) Pressurizer power operated relief valves

In addition, these valves shall not be actuated during a normal plant trip.
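As an added illustration, not part of the RESAR-SP/90 text or any Westinghouse design, the following Python encodes the performance criteria of 7.7.2.1 as checks that a requested load maneuver stays inside the stated envelope, and reproduces the design basis daily load follow profile of item 5 so that its ramps can be checked against the item 2 ramp rate. Function names, inclusive treatment of the range limits, and the handling of a zero step are assumptions.

```python
# Added illustration of the 7.7.2.1 performance criteria; not from the
# RESAR-SP/90 text or any Westinghouse design. Function names, inclusive
# range limits and zero-step handling are assumptions. Powers are percent
# of full power; durations are in hours or minutes as noted.

# Item 5: design basis daily load follow pattern (24 h period), as
# (duration_hours, start_power, end_power) segments.
LOAD_FOLLOW_SEGMENTS = [
    (14.0, 100.0, 100.0),  # 14 h at 100% power
    (1.0, 100.0, 50.0),    # 1 h linear ramp down to 50% power
    (8.0, 50.0, 50.0),     # 8 h at 50% power
    (1.0, 50.0, 100.0),    # 1 h linear ramp back to 100% power
]


def load_follow_power(hour):
    """Demanded percent power at `hour` into the daily cycle (wraps every 24 h)."""
    t = hour % 24.0
    for duration, start, end in LOAD_FOLLOW_SEGMENTS:
        if t < duration:
            return start + (end - start) * t / duration
        t -= duration
    return LOAD_FOLLOW_SEGMENTS[-1][2]  # fallback for rounding at the cycle boundary


def step_change_allowed(initial_power, step):
    """Item 1: 10% step decrease from 25-100% power, 10% step increase from 15-90%."""
    if step < 0:
        return -step <= 10.0 and 25.0 <= initial_power <= 100.0
    return step <= 10.0 and 15.0 <= initial_power <= 90.0


def ramp_allowed(initial_power, final_power, minutes):
    """Item 2: ramps of at most 5% power per minute while within 15-100% power."""
    in_range = all(15.0 <= p <= 100.0 for p in (initial_power, final_power))
    return in_range and abs(final_power - initial_power) <= 5.0 * minutes


def regulation_allowed(demand, long_term_average):
    """Item 7: random load regulation changes of at most 15% from the long term average."""
    return abs(demand - long_term_average) <= 15.0


def load_follow_within_ramp_capability():
    """Check that every ramp segment of item 5 stays within the item 2 ramp rate."""
    return all(ramp_allowed(s, e, d * 60.0)
               for d, s, e in LOAD_FOLLOW_SEGMENTS if s != e)
```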


7.7.2.2 Availability / Operability

The impact of the ICS on plant unavailability or inoperability should be minimized. The probability of a failure in the ICS resulting in plant unavailability during the eighteen (18) month fuel cycle should be reasonably small. The plant is defined to be unavailable if the failure(s) result in the plant being unable to achieve and/or maintain all steady state operating points within the warranted plant output.

Both automatic and manual control are provided for each of the control functions identified here. Manual control will override automatic control.

While in the manual mode, the automatic system will track the manual system so that upon transfer to the automatic mode, the transfer will be bumpless. (A bumpless transfer is defined as a transfer between modes which maintains a continuous and smooth control signal). Sufficient information will be supplied to the operator to allow manual operation in a safe and efficient manner.

The ICS design should minimize the time required for startup following a reactor trip or load rejection; it should also minimize any requirements for setpoint changes due to changes in plant operations (e.g., water displacer rod withdrawal).

The ICS should reduce the requirements for complex operator actions during normal operation. Automatic control systems are used where practical.

7.7.2.3 Safety

No single failure at the component level within the ICS or its supporting systems should be able to initiate an event so rapid that an operator could not reasonably intervene to prevent reactor trip or ESF actuation. This criterion is not meant to be applicable during maintenance of the ICS.


Consequences of credible failures in the control system are to be no greater than the maximum failure of a single system.

The ICS design should reduce the number of possible interactions between control and protection systems which could lead to a degraded accident condition, and reduce the probability and consequence of failures in the control systems on plant safety and operability.

FIGURE 7.7-1 LOW POWER ROD CONTROL SYSTEM (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-2 HIGH POWER ROD CONTROL SYSTEM (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-3 PRESSURIZER HEATER CONTROL (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-4 PRESSURIZER SPRAY CONTROL (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-5 PRESSURIZER WATER LEVEL CONTROL (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-6 SG LEVEL CONTROL - NORMAL POWER (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-7 SG LEVEL CONTROL - LOW POWER (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-8 SG LEVEL CONTROL - STARTUP/SHUTDOWN (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-9 STEAM DUMP - POWER IMBALANCE CONTROL (drawing marked (a,c); not reproduced in text)

FIGURE 7.7-10 STEAM DUMP - PRESSURE CONTROL (drawing marked (a,c); not reproduced in text)