ML20302A285

3 to Updated Final Safety Analysis Report, Section 7, Instrumentation and Control
Site: Davis Besse
Issue date: 09/25/2020
From: Energy Harbor Nuclear Corp
To: Office of Nuclear Reactor Regulation
Shared Package: ML20302A348
References: L-20-234



Davis-Besse Unit 1 Updated Final Safety Analysis Report
UFSAR Rev 33 9/2020

SECTION 7
TABLE OF CONTENTS

7.0 INSTRUMENTATION AND CONTROL
7.1 INTRODUCTION
7.1.1 Identification of Safety Related Systems
7.1.1.1 Systems Supplied by Babcock & Wilcox
7.1.1.2 Other Systems
7.1.1.3 SFAS Comparison with Another Plant
7.1.1.4 SFRCS Comparison with SFAS
7.1.2 Identification of Safety Criteria
7.1.2.1 Listing of Safety Criteria
7.1.2.2 Quality Assurance
7.1.2.3 Criteria for Preservation of Separation and Independence of Redundant Portions of Protections Systems, etc.
7.1.2.3.1 Spacing of Wiring and Components in Control Boards, Panels, and Instrument Racks
7.1.2.4 Compliance with IEEE Standard 323-1971
7.1.2.5 Physical Identification of the RPS, SFAS and CRDCS (Trip Portions)
7.1.2.6 Compliance with IEEE Standard 317-1971
7.1.2.7 Compliance with IEEE Standard 338-1971
7.2 REACTOR PROTECTION SYSTEM (RPS)
7.2.1 Description
7.2.1.1 Design Bases
7.2.1.2 System Description
7.2.1.2.1 System Logic
7.2.1.2.2 Protection Channel Functions
7.2.1.2.3 Maintenance Bypasses
7.2.1.2.4 Interlocks
7.2.1.2.5 Diversity
7.2.1.2.6 Information Display
7.2.1.2.7 Equipment Identification
7.2.1.3 System Supporting the RPS
7.2.1.4 Portions of RPS Not Required for Safety
7.2.1.5 Comparison of RPS With That of Another Station
7.2.1.6 RPS Drawings
7.2.2 Analysis
7.2.2.1 Compliance With IEEE Standard 279-1968
7.2.2.2 Compliance With IEEE Standard 338-1971
7.2.2.3 Compliance With AEC General Design Criteria
7.2.2.4 Compliance With Safety Guide 22
7.2.2.5 Compliance With Safety Guide 29
7.3 SAFETY FEATURES ACTUATION SYSTEM (SFAS)
7.3.1 Description
7.3.1.1 Instrumentation and Control
7.3.1.1.1 Initiating Circuits
7.3.1.1.2 Logic
7.3.1.1.3 Bypasses
7.3.1.1.4 Interlocks
7.3.1.1.5 Sequencing
7.3.1.1.6 Redundancy
7.3.1.1.7 Diversity
7.3.1.1.8 Safety Actuated Devices
7.3.1.2 Supporting Systems
7.3.1.3 Non-Safety Systems
7.3.1.4 Design Basis
7.3.1.5 Drawings
7.3.2 Analysis of ESF Instrumentation and Controls
7.3.2.1 Implemented Design Documents
7.3.2.2 Compliance With AEC General Design Criteria
7.3.2.3 Compliance With IEEE Standard 279-1971
7.3.2.4 Compliance With IEEE Standard 323-1971
7.3.2.5 Compliance With IEEE Standard 338-1971
7.3.2.6 Compliance With AEC Safety Guide 22
7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN
7.4.1 Description
7.4.1.1 Control Rod Drive Control System (CRDCS) - Trip Portion
7.4.1.1.1 Design Bases
7.4.1.1.2 System Description
7.4.1.1.3 Supporting Systems
7.4.1.1.4 Portion of System Not Required for Safety
7.4.1.1.5 Comparison with SMUD Rancho Seco Station CRDCS Trip Circuits
7.4.1.1.6 Drawings
7.4.1.2 Reactor Protection System (RPS)
7.4.1.3 Steam and Feedwater Line Rupture Control System (SFRCS)
7.4.1.3.1 System Description
7.4.1.3.2 Initiating Circuits
7.4.1.3.3 Logic
7.4.1.3.4 Bypasses
7.4.1.3.5 Interlocks
7.4.1.3.6 Redundancy
7.4.1.3.7 Diversity
7.4.1.3.8 Supporting Systems
7.4.1.3.9 Non-Safety Systems
7.4.1.3.10 Design Bases
7.4.1.3.11 Drawings
7.4.1.4 Anticipatory Reactor Trip System (ARTS)
7.4.1.4.1 System Description
7.4.1.4.1.1 System Logic
7.4.1.4.1.2 Bypasses
7.4.1.4.1.3 Interlocks
7.4.1.4.1.4 Redundancy
7.4.1.4.1.5 Diversity
7.4.1.4.1.6 Supporting Systems
7.4.1.4.1.7 Non-Safety Systems
7.4.1.4.1.8 Design Bases
7.4.1.4.1.9 Setpoint Bases
7.4.1.4.1.10 Drawings
7.4.1.4.2 Compliance with IEEE Standard 279-1971
7.4.1.5 Steam Relief
7.4.1.6 Auxiliary Shutdown Panel
7.4.1.6.1 Hot Shutdown
7.4.1.6.2 Cold Shutdown
7.4.1.6.3 Design Bases
7.4.1.6.4 Drawing
7.4.1.7 Surveillance
7.4.2 Analysis
7.4.2.1 Control Rod Drive Control System (CRDCS) (Trip Portion)
7.4.2.1.1 Conformance to IEEE Standard 279-1971
7.4.2.1.2 Compliance with AEC General Design Criteria
7.4.2.1.3 Compliance with AEC Safety Guides 22 and 29
7.4.2.2 Reactor Protection System (RPS)
7.4.2.3 Steam and Feedwater Line Rupture Control System (SFRCS)
7.4.2.3.1 Compliance with IEEE Standard 279-1971
7.4.2.3.2 Compliance with IEEE Standard 338-1971
7.4.2.3.3 Compliance with AEC Safety Guide 22
7.4.2.4 Anticipatory Reactor Trip System (ARTS)
7.4.2.5 Auxiliary Shutdown Panel (ASP)
7.4.2.5.1 Compliance with IEEE Standard 279-1971
7.4.2.5.2 Compliance with AEC General Design Criteria
7.4.2.5.3 Compliance with AEC Safety Guides
7.4.2.6 Station Load Rejection
7.4.2.7 Turbine Trip
7.5 SAFETY-RELATED DISPLAY INFORMATION
7.5.1 Description
7.5.2 Analysis
7.5.2.1 Criteria
7.5.2.2 Compliance With Criteria
7.5.2.2.1 Criterion 1
7.5.2.2.2 Criterion 2
7.5.2.2.3 Criterion 3
7.5.2.2.4 Criterion 4
7.5.2.2.5 Criterion 13
7.5.2.2.6 Criterion 19
7.5.2.2.7 Criterion 64
7.5.2.2.8 Safety Guide 29
7.5.2.2.9 IEEE Standard 279-1971
7.5.2.3 Available Readouts
7.5.2.4 Design Adequacy
7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY
7.6.1 Description
7.6.1.1 Normal Decay Heat Removal Valve Control System
7.6.1.1.1 Design Basis
7.6.1.1.2 System Description
7.6.1.1.3 Supporting Systems
7.6.1.1.4 Portion of System Not Required for Safety
7.6.1.1.5 Drawings
7.6.1.2 Core Flooding Tank Isolation Valve Control System
7.6.1.3 Containment Spray Pump Anti-Cavitation Control System
7.6.1.3.1 Design Basis
7.6.1.3.2 System Description
7.6.1.3.3 Supporting Systems
7.6.1.3.4 Portions of Systems not Required for Safety
7.6.1.4 DELETED
7.6.2 Analysis
7.6.2.1 Normal Decay Heat Removal Valve Control System
7.6.2.1.1 IEEE Standards
7.6.2.1.2 AEC General Design Criteria
7.6.2.1.3 AEC Safety Guide 29
7.6.2.2 Core Flooding Tank Isolation Valve Control System
7.6.2.2.1 IEEE Standards
7.6.2.2.2 AEC General Design Criteria
7.6.2.2.3 AEC Safety Guides 22 and 29
7.6.2.3 Containment Spray Pump Anti-Cavitation Control System
7.6.2.3.1 IEEE Standards
7.6.2.3.2 AEC General Design Criteria
7.6.2.3.3 AEC Safety Guides 22 and 29
7.6.2.4 DELETED
7.7 CONTROL SYSTEMS
7.7.1 Description
7.7.1.1 Non-Nuclear Instrumentation (NNI) Station Control Systems
7.7.1.1.1 Comparison of NNI Control Systems with Those of Another Station
7.7.1.1.2 Major Design Criteria
7.7.1.2 Integrated Control System (ICS)
7.7.1.2.1 General Description
7.7.1.2.2 Unit Load Demand Control
7.7.1.2.3 Integrated Master Control
7.7.1.2.4 Steam Generator Control
7.7.1.2.5 Reactor Control
7.7.1.2.6 Boron Feed and Bleed Control
7.7.1.2.7 System Failure Considerations
7.7.1.2.8 System Limits
7.7.1.2.9 Modes of Control
7.7.1.2.10 Loss-of-Load Considerations
7.7.1.2.11 System Design Comparison
7.7.1.3 CRDCS (Without Trip Portion)
7.7.1.3.1 General
7.7.1.3.2 Equipment Description
7.7.1.4 Turbine Generator Electro-Hydraulic Controls (EHC)
7.7.1.4.1 System Identification
7.7.1.4.2 Equipment Design
7.7.1.4.3 Operational Considerations
7.7.2 Analysis
7.7.2.1 Non-Nuclear Instrumentation (NNI) Station Control Systems
7.7.2.2 Integrated Control System (ICS)
7.7.2.3 Control Rod Drive Control System (CRDCS)
7.7.2.4 Turbine Generator Electro-Hydraulic Controls (EHC)
7.7.2.5 System Monitoring
7.8 NUCLEAR INSTRUMENTATION (NI)
7.8.1 Description
7.8.1.1 Neutron Detectors
7.9 INCORE MONITORING SYSTEM (IMS)
7.9.1 Description
7.9.2 Analysis
7.9.2.1 Calibration Techniques
7.9.2.2 Operating Experience
7.9.2.3 Detection of Power Distribution
7.10 STATION COMPUTER SYSTEM
7.11 STATION ANNUNCIATOR
7.12 NON-NUCLEAR INSTRUMENTATION (NNI)
7.13 POST ACCIDENT MONITORING SYSTEM (PAMS)
7.13.1 Design and Qualification Criteria
7.13.1.1 Single Failure
7.13.1.2 Power Sources
7.13.1.3 Availability
7.13.1.4 Quality Assurance
7.13.1.5 Indication Requirements
7.13.1.6 Recording Requirements
7.13.1.7 Accuracy
7.13.1.8 Identification
7.13.1.9 Service and Testing
7.13.1.10 Bypass
7.13.1.11 Isolation
7.13.1.12 Quality of Components
7.13.1.13 Environmental Qualifications
7.13.2 Supporting Systems
7.13.2.1 Safety System Interface
7.13.2.2 Non-Class 1E Interfaces
7.13.3 System Description
7.13.3.1 Containment High Radiation Monitors
7.13.3.2 Containment Wide Range Pressure Monitors
7.13.3.3 Containment Normal Sump and Wide Range Water Level Monitors
7.13.3.4 Containment Hydrogen Monitors
7.13.3.5 RC System Subcooling Margin Monitors
7.13.3.6 Incore Thermocouple
7.13.3.7 PORV and Pressurizer Safety Valves Position Indicators
7.13.3.8 Wide Range Noble Gas Monitors
7.13.3.9 Reactor Coolant Hot Leg Level Monitoring
7.13.3.10 Reactor Coolant Loop Pressure Monitors
7.13.3.11 Neutron Flux Detectors
7.13.3.12 Steam Generator Start-up Range Level Indicators
7.13.3.13 Steam Generator Outlet Steam Pressure
7.13.3.14 Reactor Coolant Loop Outlet Temperature
7.13.3.15 Pressurizer Level
7.13.3.16 High Pressure Injection Flow
7.13.3.17 Low Pressure Injection (DHR) Flow
7.13.3.18 Auxiliary Feedwater Flow Rate
7.13.3.19 Borated Water Storage Tank Level
7.13.4 Design Bases
7.13.5 DELETED
7.13.6 DELETED
7.14 SAFETY PARAMETER DISPLAY SYSTEM
7.14.1 Description
7.14.2 Design Bases
7.15 REFERENCES

LIST OF TABLES

7.1-1 Safety Criteria Used in the Design of Safety Related Control and Instrumentation Systems
7.2-1 DELETED
7.2-2 DELETED
7.2-3 Environmental Conditions for Instrumentation and Controls
7.3-1 DELETED
7.3-2 Periodic Tests on SFAS and Actuated Equipment
7.3-3 Safety Features Actuation System Trip Setpoints
7.3-4 SFAS Operating Requirements
7.3-5 SFAS Performance Requirements
7.4-1 DELETED
7.5-1 Information Readouts Available to the Operator for Monitoring Conditions in Reactor, Reactor Coolant System, Containment Vessel, ECCS, and Steam Generators
7.7-1 DELETED
7.7-2 Integrated Control System Functions

LIST OF FIGURES

7.1-1 Guide to Assess Conduit to Conduit Separation
7.2-1 Reactor Protection System
7.2-2 DELETED
7.2-3 DELETED
7.2-4 DELETED
7.3-1 Safety Features Actuation System - Logic Diagram
7.3-2 Safety Features Actuation System - Signal Diagram
7.3-3 Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 7 of 7
7.3-3A Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 1 of 7
7.3-4 Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 2 of 7
7.3-5 Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 3 of 7
7.3-6 Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 4 of 7
7.3-7 Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 5 of 7
7.3-8 Safety Features Actuation System - Actuated Equipment Tabulation, Sheet 6 of 7
7.3-9 Nitrogen Supply System
7.3-10 DELETED
7.3-11 DELETED
7.3-11a DELETED
7.4-1 CRDM Reactor Trip and Power Supply Configuration
7.4-2 Auxiliary Feedwater Pump Turbine Start Control System Logic
7.4-3 Main Steam Line and Main Feedwater Line Rupture Control System Logic
7.4-3A Main Steam Line and Main Feedwater Rupture Control System Logic
7.4-4 Steam and Feedwater Line Rupture Control System Logic Diagram
7.4-5 SFRCS-Actuated Equipment Tabulation Sheet 1
7.4-6 SFRCS-Actuated Equipment Tabulation Sheet 2
7.4-7 DELETED
7.4-8 Anticipatory Reactor Trip System Logic Diagram
7.4-9 Auxiliary Shutdown Panel (ASP)
7.6-1 Decay Heat Normal Suction Valve, Sheet 1 of 4
7.6-2 Decay Heat Normal Suction Valve, Sheet 2 of 4
7.6-3 Decay Heat Normal Suction Valve, Sheet 3 of 4
7.6-4 Decay Heat Normal Suction Valve, Sheet 4 of 4
7.6-5 DELETED
7.6-6 DELETED
7.7-1 Integrated Control System (ICS)
7.7-2 Unit Load Demand (ICS)
7.7-3 Integrated Master Control (ICS)
7.7-4 Steam Generator Control (ICS)
7.7-5 DELETED
7.7-6 Reactor Control (ICS)
7.7-7 DELETED
7.8-1 Nuclear Instrumentation System (NI)
7.8-2 Nuclear Instrumentation - Flux Ranges
7.8-3 Nuclear Instrumentation - Detector Locations
7.9-1 Incore Detector Locations
7.9-2 Typical Arrangement - Incore Instrument Channel
7.14-1 DELETED

SECTION 7
UFSAR Rev 30 10/2014

7.0 INSTRUMENTATION AND CONTROL

The instrumentation and control systems include the following:

Reactor Protection System (RPS)
Safety Features Actuation System (SFAS)
Steam and Feedwater Line Rupture Control System (SFRCS)
Control Rod Drive Control System (CRDCS)
Auxiliary Shutdown Panel (ASP)
Integrated Control System (ICS)
Nuclear Instrumentation (NI)
Non-Nuclear Instrumentation (NNI)
Incore Monitoring System (IMS)
Post Accident Monitoring System (PAMS)
Anticipatory Reactor Trip System (ARTS)
Station Computer System
Station Annunciator
Safety Parameter Display System (SPDS)

The RPS is a protection system, as defined by IEEE Standard 279-1968, which performs the sole function of causing a trip of all reactor shim and safety rods (by actuating the associated CRDCS trip devices) when station conditions require such action.

The SFAS is a protection system as defined by IEEE Standard 279-1971 which initiates action of various safety actuation devices to protect the reactor core during a LOCA and to mitigate the consequences of a LOCA.

The SFRCS is a protection system as defined by IEEE Standard 279-1971 which initiates the auxiliary feedwater system and isolates the affected steam generator on a steam or feedwater line rupture.

The CRDCS is divided into two portions. The trip portion performs the safety function of tripping the shim and safety rods when commanded to do so by the RPS. The control portion of the CRDCS performs the function of positioning control rods in response to commands from the ICS or the reactor operator.

The ASP is a control panel designed to provide the operator with the necessary controls and instrumentation to maintain the station in a safe shutdown condition from outside the control room.

The ICS is a non-safety system which automatically controls the station in response to commands preset by the operator. The ICS provides control rod motion (when CRDCS is in the automatic mode), normal feedwater control, and turbine control; the operator is also provided with the capability for manual override control of the station.

The NI is divided into two portions. The Power Range instruments provide safety signals to the RPS (and therefore are considered a portion of the RPS). The Source and Intermediate Range instruments do not perform safety functions but are intended to provide information during reactor startup and shutdown.

The NNI System consists of various instrumentation and controls. Some functions performed are pressurizer heater control, pressurizer level control and monitoring of primary parameters.

The IMS provides fuel management personnel and the operator with reactor core information based on signals detected by fixed incore neutron detectors and thermocouples. The system does not perform any safety or control functions.

The PAM is a redundant channel safety related instrumentation and control system as defined by NUREG 0737. The instrumentation and controls are designed to monitor the course of an accident condition and to provide additional plant information to bring the plant back to normal condition.

The ARTS is a redundant channel safety related instrumentation and control system as defined by IEEE Standard 279-1971. The instrumentation and controls are designed to trip the reactor when a parameter exceeds its setpoint indicating the approach of an unsafe condition, i.e., trip will de-energize the associated undervoltage coils for the CRDCS.

The Station Computer and Annunciator are non-safety recording and alarm systems.

The SPDS is a non-safety related display system that aids control room and supporting personnel during abnormal and emergency conditions in determining the safety status of the plant.

7.1 INTRODUCTION

7.1.1 Identification of Safety-Related Systems

7.1.1.1 Systems Supplied by Babcock & Wilcox

The safety-related systems supplied by Babcock & Wilcox for Davis-Besse Unit 1 which directly relate to the public safety are as follows:

a. Protection System:

NI/RPS (portions required to sense approach to unsafe conditions and initiate a reactor trip)

b. Systems Required for Safe Shutdown:

CRDCS (trip portions)

c. Safety-Related Display Instrumentation:
1. RPS indication
2. Display instrumentation required to maintain safe hot shutdown

Refer to Section 7.5 for a discussion of safety-related display instrumentation.

The major initial design features of all the above safety-related systems were identical to those of the Sacramento Municipal Utility District's Rancho Seco station with the exception that Davis-Besse has two manual trip switches instead of one. In addition, the design of the CRDCS trip devices which are actuated by the RPS has been improved. Refer to Subsection 7.4.1.1 for a detailed discussion.

7.1.1.2 Other Systems

a. SFAS

The SFAS is required to sense unsafe conditions and actuate engineered safety features.

b. Steam and Feedwater Line Rupture Control System (SFRCS)

The SFRCS is required to ensure adequate feedwater supply to remove reactor decay heat upon loss of the normal feedwater supply.

c. PAMS

The PAMS is required to monitor the course of an accident condition and provide additional plant information to return plant to normal condition.

d. ARTS

The ARTS is required to monitor protective functions and trip the reactor when a parameter exceeds its trip setpoint.

e. ASP

The ASP is required to maintain the station in a safe hot shutdown condition should the main control room become unavailable.

f. The essential power supply is discussed in Chapter 8.

7.1.1.3 SFAS Comparison with Another Plant

The major design features of the SFAS and equipment as originally supplied by Consolidated Controls Corp. (CCC) for the Davis-Besse Nuclear Power Station Unit One are compared to Millstone Unit 2 in FSAR 7.1.1.3.

7.1.1.4 SFRCS Comparison with SFAS

The major design features of SFRCS supplied by Consolidated Controls Corp. for the Davis-Besse Nuclear Power Station Unit One are similar, except where noted, to those of the SFAS.

Features                           SFAS                     SFRCS
Manufacturer                       CCC                      CCC
System Logic                       2 out of 4               2 out of 2 per actuation channel
Channel bypass                     reduces to 2 out of 3    Not provided (1)
Number of sensor channels          4                        2
Number of actuation channels       2                        2
Logic components                   Solid state              Solid state
Output components                  Rotary relays            Balanced armature relay (2)
Operating bypasses included        Yes                      Yes
Automatic test features included   No                       No
Bistable setpoint surveillance     Yes                      Yes (4)
Manual test features included      Yes                      Yes
Surveillance features included     Yes                      Yes
Half-trip features                 Yes                      Yes
Power loss causes                  Half-trip                Half-trip
Isolation devices (digital)        Opto-electronic          Opto-electronic and relays (3)
Isolation devices (analog)         I/I converter            I/I Converter
Loss of sensor channel             Alarm                    Alarm
Seismic qualification              Analysis & test          Analysis & Test
Design qualification               Identical                Identical
Environmental qualification        Test                     Test

(1) Refer to Channel Bypass, Paragraph 7.4.1.3.4.
(2) Function similar; same tests have been satisfactorily performed
(3) SFRCS does not require interconnection between the redundant channels.
(4) Steam Generator Level only

7.1.2 Identification of Safety Criteria

7.1.2.1 Listing of Safety Criteria

Refer to Table 7.1-1.

7.1.2.2 Quality Assurance

The Davis-Besse Quality Assurance program is discussed in Chapter 17.

7.1.2.3 Criteria for Preservation of Separation and Independence of Redundant Portions of Protections Systems, etc.

Each channel of the RPS, SFAS, SFRCS, ARTS, and PAMS is contained in its own cabinet. The cabinets provide a fire barrier as well as a means of mechanically protecting the equipment. Interconnecting wire between redundant channels of each system satisfies the criteria for maintaining the necessary separation between channels.

All signals leaving or entering the RPS, SFAS and ARTS are isolated from the system by either isolation amplifiers (for analog signals) or relay contacts (for digital signals). This isolation prevents faults occurring to signal lines outside the RPS, SFAS and ARTS cabinets from being reflected into more than one essential channel. The isolation thus provided also ensures that two or more protective channels cannot interact through the cross-coupling or faulting of related signal lines. Faults, such as short, open or grounded circuits and cross-coupling of external signals from two or more channels, have no effect on the protective channels or their functions.

The isolation amplifier circuits of the RPS have been prototype-tested to assess their effectiveness to isolate the input signal from output circuit faults. They are capable of withstanding a short-circuit or a maximum of 400V DC or peak AC potential across their output without affecting the input source.

The redundance and coincidence logics of the systems permit them to tolerate a failure and thus reduce the chance of an inadvertent reactor trip or actuation of engineered safety features.

Each RPS, SFAS, SFRCS, and ARTS channel is powered from a different essential bus, so that power supply faults can affect only one channel at a time.

The need for physical isolation has been met in the physical arrangement (each RPS, SFAS, SFRCS and ARTS channel is equipped with separate cabinets and wiring within the cabinets separating power and signal wiring; power here is considered to be the wires feeding cabinet interior area lighting, convenience outlets, and space heaters) to reduce the possibility of a physical event impairing system functions.

Redundant Class 1E sensors and their connections to the process system have been sufficiently separated to ensure that the functional capability of the protection system has been maintained despite any single basis event or result therefrom. Sensor-to-sensor separation is a minimum of three feet. Some sensor-to-process connections of redundant sensors have a common section of line. This is justified since failure of this connection will cause the sensors to fail in the safe position.

The CRDCS (trip portion) is discussed in Subsection 7.4.1.1.

7.1.2.3.1 Spacing of Wiring and Components in Control Boards, Panels, and Instrument Racks

Isolation of wiring and components between essential redundant channels on control boards and panels is accomplished with a minimum of 12 inches of separation. This separation consists of free panel space, or recorders and indicators isolated from the redundant electrical systems by isolation amplifiers or power supplies.

Wherever the 12-inch separation cannot be met, metallic barriers are provided between essential redundant channels. A matrix for conduit separation has been developed (see Figure 7.1-1).

Isolation of wiring and components between essential redundant channels is accomplished in field instrument racks by locating not more than one essential channel per instrument rack. Physical separation between field racks for redundant channels is maintained at 3 feet minimum. Whenever the minimum separation cannot be met, rigid barriers are provided between essential redundant channels.

Structural protection is provided for rack-mounted instruments on an individual basis if the probability of physical damage from any event (pipe whip or falling objects) is considered probable.

The equipment vendor has the responsibility for assuring that the design meets the applicable criteria enumerated in the procurement specification. The system design is subject to the approval of the equipment purchaser.

The criteria and bases for installation of electrical cable for the protection systems are discussed in Subsection 8.3.1. The identification and physical separation of redundant channels of the RPS and SFAS are described in Subsection 8.3.1.2.

7.1.2.4 Compliance with IEEE Standard 323-1971

The RPS has been qualified to provide conformance with the requirements of the applicable design criteria. Since IEEE Standard 323-1971 was not available at the time of the equipment procurement, Topical Report BAW-10003A, Rev. 4, "Qualification Testing of Protection System Instrumentation," does not follow the format of IEEE Standard 323-1971. However, BAW-10003A, Rev. 4 does establish that each type of equipment is qualified for its application. The documentation includes the application requirements, the equipment test specification and data from the qualification testing.

Subsequent to the submittal and approval of BAW-10003A, Rev. 4, replacement RPS Reactor Trip Modules manufactured by Framatome have been approved for installation in the RPS. These Reactor Trip Modules are qualified in accordance with FTI Reactor Trip Module Qualification Test Report 51-5006947-00.

7.1.2.5 Physical Identification of the RPS, SFAS and CRDCS (Trip Portions)

Instruments, instrument racks, cabinets, cables, conduits, cable trays, etc., associated with the RPS, SFAS, and CRDCS (trip portion) are color coded or tagged in order to easily identify them and their channel association. Additional discussion is found in Subsection 8.3.1.2.

7.1.2.6 Compliance with IEEE Standard 317-1971

The electrical penetrations comply with the IEEE Standard 317-1971, including all applicable codes and standards mentioned therein.

The design of the electrical penetrations utilizes header plate assemblies of modular construction. The header plates are bolted to the welding neck flanges, which are field welded to the penetration nozzles. The Amphenol modules are redundantly sealed to the header plate assemblies by means of spring loaded pressure seals and o-rings. The Conax and Amphenol replacement modules are redundantly sealed to the header plate by means of two sets of o-rings and a three piece ferrule assembly. The Conax modules are redundantly sealed to the Conax header plate by means of a three piece ferrule assembly. The header plate assemblies are redundantly sealed to the weld neck flange by means of double o-rings.

7.1.2.7 Compliance with IEEE Standard 338-1971

The protection systems are designed in compliance with the periodic testing requirements outlined in Sections 4.9 and 4.10 of IEEE Standard 279-1971 and as further interpreted and defined in IEEE Standard 338-1971.

Due to the redundancy and separation of the multi-channel protection system designs, testing and calibration of components and modules can be performed during power operation. A preventive maintenance program has been developed which includes frequent on-line tests while the station is in full-power operation as well as during the infrequent periods when the reactor is shut down. Periodic testing and preventive maintenance procedures are an integral part of station operation.

Only in the method of determining test intervals is there any deviation from the method prescribed in IEEE Standard 338. Initially the determination of the test interval was based on equipment technical specifications, past-operating experience, and empirical test data on like equipment. Throughout the life of the plant, the frequency of these periodic, on-line tests is modified as required to reflect current operating requirements.

Unit testing, operating and maintenance procedures have been developed. The use of jumpers or other temporary forms of bypassing functions for operation or maintenance of safety related systems is very limited. Preoperational tests, by their nature, required greater use of jumpers or lifted wires. Temporary forms of bypassing are allowed when they neither compromise nuclear safety, nor the intent of the procedure. In addition, the use of temporary forms of bypassing functions does not violate the Technical Specifications of the Operating License.

The use of temporary forms of bypassing is controlled in individual safety related procedures or Administrative Procedures. This procedure includes a log to document the status of temporary modifications to maintain cognizance by the station personnel as to the operability of a system and to prevent inadvertent safety function bypassing.

The instrument ranges of instruments used for the engineered safety features system, reactor protection system and other safety related systems were established by making the actuated setpoint settings required to operate in the accurate portion of scale for the automatic initiation of the protective function.

Instrumentation setpoints are established by considering the range of values in which protective action must occur before safety implications could be reached. The setpoint is then established within that tolerable range by allowing sufficient margins between the setpoint and the technical specification allowable limits to preclude the possibility of drifting out of technical specification allowable limits.
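The SFAS entries of the comparison table in 7.1.1.4 (2 out of 4, reduced to 2 out of 3 by a channel bypass) and the statement in 7.1.2.3 that coincidence logic tolerates a failure can be checked by enumeration. The Python model below is an added example, not part of the UFSAR and not plant logic; the `Voter` class, the two fault modes and the rule that a bypassed channel is dropped from the vote while the threshold stays at 2 are simplifying assumptions.

```python
"""Added example: failure enumeration for k-out-of-n coincidence logic.

Assumed model (not taken from the UFSAR): every sensor channel contributes
one boolean trip vote, a bypassed channel is removed from the vote, and the
actuation threshold stays fixed.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Fault(Enum):
    NONE = "healthy"
    STUCK_TRIPPED = "stuck tripped"      # votes for a trip with no demand
    STUCK_UNTRIPPED = "stuck untripped"  # never votes, even on real demand


@dataclass(frozen=True)
class Voter:
    channels: int                        # installed sensor channels
    threshold: int                       # votes needed to actuate
    bypassed: frozenset = frozenset()    # channel indices taken out of the vote

    def __post_init__(self):
        if not all(0 <= c < self.channels for c in self.bypassed):
            raise ValueError("bypassed channel index out of range")
        if self.threshold < 1:
            raise ValueError("threshold must be at least 1")

    def active(self):
        """Channels that still take part in the vote."""
        return [c for c in range(self.channels) if c not in self.bypassed]

    def actuates(self, demand, faults=None):
        """True if the coincidence logic actuates.

        demand -- True when the process really exceeds its setpoint
        faults -- mapping of channel index to Fault for failed channels
        """
        faults = faults or {}
        votes = 0
        for ch in self.active():
            fault = faults.get(ch, Fault.NONE)
            if fault is Fault.STUCK_TRIPPED:
                votes += 1
            elif fault is Fault.NONE and demand:
                votes += 1
        return votes >= self.threshold


def worst_case(voter, n_faults):
    """Enumerate every placement of n_faults identical channel failures.

    Returns (missed_demand, spurious_actuation):
      missed_demand      -- some set of stuck-untripped channels blocks a
                            real demand
      spurious_actuation -- some set of stuck-tripped channels actuates
                            with no demand present
    """
    missed = spurious = False
    for failed in combinations(voter.active(), n_faults):
        if not voter.actuates(True, {c: Fault.STUCK_UNTRIPPED for c in failed}):
            missed = True
        if voter.actuates(False, {c: Fault.STUCK_TRIPPED for c in failed}):
            spurious = True
    return missed, spurious


def summary():
    """Failure tolerance of 2-out-of-4 and of the same logic with one bypass."""
    full = Voter(channels=4, threshold=2)
    one_bypassed = Voter(channels=4, threshold=2, bypassed=frozenset({3}))
    return {
        ("2oo4", 1): worst_case(full, 1),
        ("2oo4", 2): worst_case(full, 2),
        ("2oo3 (one channel bypassed)", 1): worst_case(one_bypassed, 1),
        ("2oo3 (one channel bypassed)", 2): worst_case(one_bypassed, 2),
    }


if __name__ == "__main__":
    for (logic, n), (missed, spurious) in summary().items():
        print(f"{logic:30s} faults={n}  missed demand={missed}  "
              f"spurious actuation={spurious}")
```

In this model both configurations ride through any single channel failure in either direction; with one channel bypassed, a second stuck-untripped channel is enough to block a real demand, which is the margin the bypass consumes.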

TABLE 7.1-1
SAFETY CRITERIA USED IN THE DESIGN OF SAFETY RELATED CONTROL AND INSTRUMENT SYSTEMS

System / Applicable criteria

RPS
  -- IEEE Standard 279-1968
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 5, 12, 13, 20, 21, 22, 23, 24, 25, 29
  -- AEC Safety Guides 6, 22, 29

SFAS
  -- IEEE Standard 279-1971
  -- IEEE Standard 308-1971
  -- IEEE Standard 323-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria 1, 2, 3, 4, 13, 15, 20, 21, 22, 23, 24
  -- AEC Safety Guide 22, 29
  -- In addition, relevant ANSI, IPCEA and NEC recommendations are used as a guide in the system design

CRDCS (trip portion)
  -- Intent of IEEE Standard 279-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria (7-7-71) 1-5, 20-29
  -- AEC Safety Guides 6, 22, 29

SFRCS
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 308-1971
  -- IEEE Standard 383-1974
  -- IEEE Standard 384-1974
  -- IEEE Standard C37.90.1-1974
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1975
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 15, 20, 21, 22, 23, 24
  -- AEC Safety Guides 22, 29

ASP
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 323-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 15, 19, 21, 22, 23, 24
  -- AEC Safety Guides 22, 29

ARTS
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 323-1974
  -- IEEE Standard 336-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1975
  -- IEEE Standard 384-1971
  -- AEC Safety Guides 22, 29
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 15, 20, 21, 22, 23, 24

PAMS
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 323-1974
  -- IEEE Standard 344-1975
  -- Reg. Guide 1.118
  -- Reg. Guide 1.97, Revision 3
  -- Reg. Guide 1.89
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 15, 19, 20, 21, 22, 23, 24, 64

Normal Decay Heat Removal Valve Control System
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 323-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 20, 21, 22, 23, 24
  -- AEC Safety Guide 29

Core Flooding Tank Isolation Valve Control System
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 323-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 20, 22
  -- AEC Safety Guide 22, 29

Containment Spray Pump Anti-Cavitation Control System
  -- Applicable Sections of IEEE Standard 279-1971
  -- IEEE Standard 323-1971
  -- IEEE Standard 338-1971
  -- IEEE Standard 344-1971
  -- AEC General Design Criteria (7-7-71) 1, 2, 3, 4, 13, 20, 21, 22, 23, 24
  -- AEC Safety Guides 22, 29

FIGURE 7.1-1 GUIDE TO ASSESS CONDUIT TO CONDUIT SEPARATION
DAVIS-BESSE NUCLEAR POWER STATION, REVISION 20, DECEMBER 1996

[Figure: table of minimum separation between conduit "R" and conduit "S" for horizontal, vertical and crossing configurations. Columns: Configuration, Conduit "R" Channel, Conduit "S" Channel, Conduit "R" Function, Conduit "S" Function, Minimum Separation.]

Notes:

1. X means conduit channel (i.e., 1, 2, 3, 4, A, B, C).
2. Y means conduit channel (i.e., 1, 2, 3, 4, A, B, C) different from conduit X.
3. Minimum separations identified in parentheses apply when Non-Ess conduit bridges ESS redundant conduits. Only one end of the bridge must satisfy separation; the separation may be zero at the other end.
4. C means Control.
5. I means Instrumentation.
6. P1 means Power (Size ≤ 12 AWG).
7. P2 means Power (Size > 12 AWG but not 13.8 KV, 4.16 KV, 480 V Sub).
8. P3 means Power (13.8 KV, 4.16 KV, 480 V Sub).

7.2 REACTOR PROTECTION SYSTEM (RPS)

The purpose of the RPS is to initiate a reactor trip when a sensed parameter (or group of parameters) exceeds a setpoint value indicating the approach of an unsafe condition. In this manner, the reactor core is protected from exceeding design limits and the Reactor Coolant (RC) System is protected from overpressurization. The scope of the RPS includes all electronics, signal processing equipment, and cabling from the system sensors to the input terminals of the CRDCS.

7.2.1 Description

7.2.1.1 Design Bases

Reference BAW-10003A, Rev 4.

1. The generating station conditions which require protective action are described below:
a. Departure from Nucleate Boiling (or Quality) and Kilowatt-Per-Foot Limits:

To maintain the integrity of the fuel cladding and to prevent fission product release, it is necessary to prevent overheating of the cladding under normal operating conditions. This is accomplished by operating within the nucleate boiling regime of heat transfer, wherein the heat transfer coefficient is large enough so that the clad surface temperature is only slightly greater than the coolant temperature. The upper boundary of the nucleate boiling regime is termed Departure from Nucleate Boiling (DNB). At this point there is a sharp reduction of heat transfer coefficient, which would result in high cladding temperatures and the possibility of cladding failure. Although DNB is not an observable parameter during reactor operation, the observable parameters of neutron power, reactor coolant flow, temperature and pressure can be related to DNB through the use of the W-3 and BAW-2 correlations. The W-3 and BAW-2 correlations have been developed to predict DNB and the location of DNB for axially uniform and non-uniform heat flux distribution. The local DNB ratio (DNBR), defined as the ratio of the heat flux that would cause DNB at a particular core location to the actual heat flux, is indicative of the margin to DNB. The minimum value of the DNBR, during steady-state operation, normal operational transients, and anticipated transients is limited to 1.3. A DNBR of 1.3 corresponds to a 94.3% probability at 99% confidence level for the W-3 correlation and a 95% probability at a 95% confidence level for the BAW-2 correlation that DNB will not occur. This is considered a conservative margin to DNB for all operating conditions. The W-3 correlation was used for the first fuel cycle and the BAW-2 correlation for several subsequent fuel cycles. The critical heat flux correlation used in the design of the current fuel cycle is described in the applicable reload report (see Appendix 4B). 
Kilowatt-per-foot limits are based on the combination radial and axial peak that prevents central fuel melting at the hot spot and are given in Appendix 4B, Reload Report.

7.2-1 UFSAR Rev 31 10/2016

Power peaking is not a directly observable quantity and therefore limits have been established on the basis of the reactor axial power imbalance produced by the power peaking.

b. RC System Overpressurization:

The RC system serves as a barrier to prevent radionuclides in the RC from reaching the atmosphere. In the event of a fuel cladding failure, the RC system is a barrier agent against the release of fission products. Establishing a system pressure limit helps to assure the integrity of the RC system. The maximum transient pressure allowable in the RC system pressure vessel under the ASME Code, Section III, is 110% of design pressure. The maximum transient pressure allowable in the RC system piping, valves, and fittings under ANSI Section B31.7 is 110% of design pressure. Thus, the safety limit of 2750 psig (110% of the 2500 psig design pressure) has been established. The settings for the RPS high RC pressure trip and the pressurizer code safety valves have been established to ensure that the RC system pressure safety limit is not exceeded (See Technical Specifications).

As required by 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plant, a diverse scram system (DSS) was installed. The only function of the DSS is to provide a diverse method of deenergizing the regulating and safety rods in the event that the reactor protection system (RPS) does not function as designed. This is accomplished by sensing reactor coolant pressure, diverse from RPS sensor output, and degating the CRDM motor power supply silicon controlled rectifiers (SCRs), independent from the RPS degating contacts, in the control rod drive control system (CRDCS) on high reactor coolant system pressure. The DSS reactor coolant pressure setpoint is higher than the RPS high pressure trip setpoint and below the primary code safety valve setpoint.

Trip setpoints are established to provide the necessary protection so that DNB, kW/ft limits, and pressure limits are not exceeded. Subsection 7.2.1.2.2 provides a description of each RPS trip.

2. Generating station variables that are required to be monitored in order to provide protective actions:
a. Total out-of-core neutron flux (power level).
b. RC system flow. The number and location of operating RC pumps are also monitored in order to provide a rapid indication of an imminent change in flow.
c. RC system reactor outlet temperature.
d. RC system pressure. The Containment Vessel (CV) pressure is also monitored in order to provide a backup measurement parameter for rapidly decreasing RC system pressure due to a loss-of-coolant accident.


e. Out-of-core neutron flux imbalance (power in the top half of the core minus power in the bottom half of the core).
3. Minimum number and location of sensors required to monitor adequately, for protective function purposes, those variables that have spatial dependence:

To maintain complete separation between RPS channels, each has its own sensor. Therefore, one sensor per RPS channel is provided for each measured parameter listed in item 2 above, except for item 2.b, which has two RC flow sensors per RPS channel (one for each loop) and four RC pump monitors per RPS channel (one for each pump). Refer to Figure 5.1-2 which depicts the layout of primary system sensors. Refer to Section 7.8.1.1 and Figure 7.8-3 for locations of power range neutron detectors.

4. Prudent operational limits for each variable in each applicable reactor operation mode: Refer to the Technical Specifications.
5. Margin between each operational limit and level marking onset of unsafe conditions: Refer to the Technical Specifications.
6. The level that when reached will require protective action: Refer to the Technical Specifications.
7. Range of transient and steady-state conditions of the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform: Refer to Table 7.2-3.
8. The malfunctions, accidents, or other unusual events which could physically damage Protection system components for which provisions must be incorporated to retain necessary protection system action:

The RPS is designed to maintain the capability to perform its protective function during and after an earthquake (refer to Section 3.10). The vessel containing the equipment will protect it from flood, lightning, and wind. The RPS cabinets are housed in the control room where they are protected against fire, explosion, and missiles. All sensors and cables are located to minimize damage caused by fire, explosion, or missiles. The redundancy of the system will satisfactorily operate under all conditions. The system cabinets provide protection against mechanical damage and spread of fires between RPS channels. All sensors, signal transmission circuits, and signal conditioning devices are designed to function in postulated deteriorated environments to which they may be subjected for the length of time required to provide the protective action.

9. Minimum performance requirements including system response times, system accuracies, and ranges of the magnitudes of sensed variables to be accommodated until proper conclusion of the protection system action: Refer to the Technical Requirements Manual and Framatome Technologies document 32-1172392-02, Reactor Protection System String Error Calculations for response times and accuracies. Ranges are as follows:

Variable                    Range
Reactor Power               0 to 125% FP
RC Flow                     0 to 160 mpph
RC outlet temperature       520 to 620°F
RC pressure                 1700 to 2500 psig
Containment Pressure        0 to 20 psig
Reactor power imbalance     -62.5 to +62.5% FP

7.2.1.2 System Description

7.2.1.2.1 System Logic

The RPS, as shown in Figure 7.2-1, consists of four identical protection channels which are redundant and independent. Each channel is served by its own independent sensors which are physically isolated from the sensors of the other protective channels. Each sensor supplies an input signal to one or more signal processing strings in the RPS channel. Each signal processing string terminates in a bistable which electronically compares the processed signal with trip setpoints. All bistable contacts are connected in series. In the normal untripped state, the contact associated with each bistable will be closed, thereby energizing the channel terminating relay (KA, KB, KC, or KD).

Consider Channel 2 in Figure 7.2-1. Assume there is a trip of one of the bistables in Channel 2, thereby de-energizing relay KA, which causes contacts to open which in turn de-energize relays KA1, KA2, KA3, and KA4, causing one contact on each side of the vital power supply to the respective CRDCS Channel to open and causing the contact in series with light L3 in each channel to close. Should Channel 1 trip while Channel 2 is tripped, relay KB will de-energize causing contacts to open which in turn de-energize relays KB1, KB2, KB3, and KB4. When these relays de-energize, two more contacts will open in the vital power supply to each CRDCS channel. Thus when two out-of-four RPS channels trip, each of the four RPS channels will cause their respective CRDCS trip devices to trip.

The manual trip switches are interposed between each reactor trip module and its associated CRDCS channel. Depressing a manual trip switch causes all four CRDCS channels to trip.

7.2.1.2.2 Protection Channel Functions

As shown in Figure 7.2-1, contacts from seven trip bistables and a CV pressure switch contact buffer module are normally in series with the power supply to each of the protective channel trip relays. The trip bistables included are high pressure, low pressure, pressure-temperature, power/imbalance/flow, overpower, power/pumps, and high temperature. The first three compare RC pressure with fixed high and low pressure setpoints and a pressure setpoint which is a function of RC outlet temperature. The second three compare the output of the power range neutron flux monitor related to the protective channel with the total RC flow and core imbalance, a fixed high power setpoint, and a high power setpoint which is a function of the pump configuration. The seventh trip bistable compares RC outlet temperature with a high temperature setpoint. The CV pressure switch compares the CV pressure with a high pressure setpoint.

The trip functions of each RPS channel are as follows (refer to Figure 7.2-1):

1. High RC Pressure - Each RPS channel receives signals from a separate narrow-range RC pressure transmitter. Each pressure transmitter is powered from its own power supply, which is packaged in a module and mounted in the associated RPS channel cabinet. The output of each pressure transmitter is applied directly to the input of a buffer amplifier. The buffer amplifier module consists of an input stage amplifier driving a primary output amplifier and up to nine additional output amplifiers. The primary output amplifier supplies the signal to the RPS pressure bistables. The high RC pressure bistable module compares this input signal to an internal trip setpoint power supply. When the input signal from the buffer amplifier exceeds the setpoint of the bistable, its relay contact will open and de-energize (trip) the channel terminating relay.
2. Low RC Pressure - The same pressure transmitter and buffer amplifier described above supplies a signal to the low RC pressure bistable. When this input signal decreases below a preset setpoint of the bistable, its relay contact will open and de-energize (trip) the channel terminating relay.
3. High RC Temperature Trip - Each RPS channel receives reactor outlet temperature signals from a separate resistance temperature element. The element is supplied with a matched resistance bridge unit that is mounted in the associated RPS channel cabinet. The linear bridge produces an analog output that is fed to the signal converter which conditions the signal and produces two prime outputs. One output signal is supplied to the variable low RC pressure bistable. The other output is applied to the high RC temperature trip bistable.

When the input temperature signal from the signal converter exceeds the trip setpoint of the high RC temperature bistable, its relay contact will open and de-energize (trip) the channel terminating relay.

4. Variable Low RC Pressure - A pressure signal is sent to the pressure/temperature bistable from the same primary output amplifier of the buffer amplifier that supplies the high and low RC pressure bistables. This signal is compared to the pressure setpoint generated as a function of the temperature input to the signal converter described in (3) above. When the pressure signal is outside the allowable bounds, the pressure/temperature bistable will trip, opening its relay contact and de-energizing (tripping) the channel terminating relay. This trip allowable value as a function of temperature is contained in the Technical Specifications.
5. Overpower - Each RPS channel contains a two-section power range neutron flux detector. The signals from each half are summed to produce a total power signal.

This power signal is sent to the overpower, power/pumps, and power/imbalance/flow bistables. When the total power signal exceeds the overpower trip setpoint of the bistable, its relay contact will open, de-energizing (tripping) the channel terminating relay.

6. Power/Pumps - RC pump status (on-off) and information as to the loops in which pumps are operating, is monitored by pump monitors. The pump monitors provide an open or closed contact as the input to the RPS. The pump contact monitor module provides a variable signal which is a function of the number of running pumps and the loop in which they are running. This signal is used as a variable setpoint signal in the power/pumps bistable. If the total reactor power exceeds the power/pumps setpoint, as determined by the pump configuration, the bistable will cause its associated relay contact to open, de-energizing (tripping) the channel terminating relay.

7. Power/Imbalance/Flow - Each RPS channel receives two differential pressure signals (one from each reactor coolant loop). The signals are developed by differential pressure transmitters that measure pressure drop across gentile tubes mounted in the two reactor coolant loops. The analog output of the transmitters is proportional to flow squared. The square root extractor converts the signal to one directly proportional to flow. The proportional flow signals from both RC loops are summed to produce a total RC flow signal in the summing amplifier.

Each RPS channel monitors reactor power imbalance. This is the difference between the power measured in the top half of the core and the power measured in the bottom half of the core by the two separate power range neutron flux detectors (refer to Section 7.8). The imbalance signal and the flow signal are combined in a Function Generator and the resultant function signal is compared with the total power signal in a bistable. The bistable will trip when the total reactor power signal exceeds the trip envelope limit in Appendix 4B. When this bistable trips, its relay contact opens, de-energizing (tripping) the channel terminating relay.

8. High CV Pressure - Each RPS channel monitors CV pressure by means of a pressure switch. If the CV pressure setpoint is exceeded, the pressure switch will open causing the high CV pressure contact buffer to open its contact. This will de-energize (trip) the channel terminating relay.

In addition, the RPS is designed to trip a channel upon loss of power or removal of any module required to perform a protective function.

1. Loss of Power - As shown in Figure 7.2-1, the primary sources of 120V AC power for the RPS are the four essential busses. Each channel is powered from a different essential bus. Within the system cabinets, each RPS channel is powered by separate plus and minus 15V DC channel power supplies. All bistables operate in a normally energized state and go to a de-energized state to initiate trip action.

Loss of power thus automatically forces the bistables into the tripped state. Failure of an essential bus or a channel power supply causes the affected channel to trip.

2. Equipment Removal - The removal of any module required to perform a protective function initiates the trip normally associated with that portion of the system. For example, removal of a bistable module trips the associated channel terminating relay, and removal of a reactor trip module activates the associated control rod drive trip mechanism. In the first case, removing a bistable not only breaks the contact chain leading to the channel reactor trip module, but it also breaks the contact chain leading to the module test interlock relay KT2, both of which result in a trip of the channel terminating relay. In the second case, removing a reactor trip module separates the essential instrument bus from the control rod drive trip mechanism, causing a control rod breaker trip. At the same time, a one-out-of-four trip input is sent to the other three reactor trip modules.

7.2.1.2.3 Maintenance Bypasses

A channel bypass is provided to allow maintenance and periodic testing to be performed on individual channels. When initiated, the channel bypass will prevent the terminating relay of the bypassed channel from de-energizing (tripping). Therefore when a channel is bypassed, the overall system trip coincidence is two-out-of-three. If two of the remaining three unbypassed channels trip, all four RPS channels will de-energize their associated CRDCS trip channels. The bypass is initiated using key switches and when one channel is bypassed, an interlock prevents the other channels from being bypassed. The station annunciator will give the operator continuous visual indication when a channel is bypassed. Refer to Figure 7.2-1. When the key switch is turned, two associated contacts close, applying -15V to the terminating relay in the affected channel. Thus, the trip contacts of all the bistables are bypassed.

A shutdown bypass is provided to allow rod withdrawal testing with the unit shutdown. To initiate the bypass the operator must turn a key switch in each RPS channel. Turning the key switch removes the following trips from the logic train: power/imbalance/flow, power/pumps, variable low RC pressure, and low RC pressure. The key switch also inserts the shutdown bypass high pressure trip. The setpoint of this trip is lower than the setpoint of the low pressure trip. (Refer to the Technical Specifications for setpoint values.) During normal operation the shutdown bypass high pressure trip bistable is normally tripped since operating pressure is greater than the trip setpoint. If the operator initiates the shutdown bypass with the unit at power, that RPS channel trips. The procedure for effecting this bypass is to wait until primary pressure is below the trip setpoint and the plant is shut down. The operator is then free to reset the tripped bistable and to turn the key switch in each channel.

Figure 7.2-1 shows schematically how the bypassing of trip bistables is accomplished. When the bypass switch is turned, a normally closed contact opens and a normally open contact closes, connecting the trip bistables that will remain effective to the shutdown bypass high pressure trip bistable and the -15V power source. The other bistables are disconnected from the string.

7.2.1.2.4 Interlocks

Electro-mechanical interlocks initiate an RPS channel trip whenever: (1) a test module that is used to test one of the seven trip bistables or the CV pressure switch contact buffer is placed in the test mode; or (2) any module vital to a trip signal is withdrawn, unless the RPS channel is bypassed. (Removal of the reactor trip module in any condition will trip its associated CRD breaker.) The station annunciator and computer give the operator visual indication of the RPS trip status.

Another interlock is used to prevent the bypassing of more than one channel. Once a bypass is initiated, the other three channels are prevented from being bypassed by the removal of the ground return path to the bypass circuits. Refer to Figure 7-3 in B&W Topical Report BAW-10003A, Rev. 4. The station annunciator and computer give the operator visual indication when a channel is bypassed. This interlock is in addition to normal administrative controls.
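The coincidence, bypass and fail-safe behavior described in 7.2.1.2.1 through 7.2.1.2.4 can be checked with a small logic model. The following is an added illustration, not part of the UFSAR or of any plant software; all class, field and bistable names are assumed, and the rule that loss of power overrides a channel bypass is a modelling assumption.

```python
"""Model of the RPS channel and coincidence logic in 7.2.1.2.1-7.2.1.2.4.

Added illustration only. All identifiers are assumed names; nothing here is
plant software or design data.
"""
from dataclasses import dataclass, field

# Contacts normally in series with each channel terminating relay:
# seven trip bistables plus the CV pressure switch contact buffer.
NORMAL_CHAIN = frozenset({
    "high_pressure", "low_pressure", "pressure_temperature",
    "power_imbalance_flow", "overpower", "power_pumps",
    "high_temperature", "cv_pressure",
})
# Trips the shutdown bypass key switch removes from the logic train ...
SHUTDOWN_BYPASS_REMOVES = frozenset({
    "power_imbalance_flow", "power_pumps",
    "pressure_temperature", "low_pressure",
})
# ... and the trip it inserts in their place.
SHUTDOWN_BYPASS_INSERTS = frozenset({"shutdown_bypass_high_pressure"})


@dataclass
class Channel:
    name: str
    powered: bool = True            # essential bus and +/-15V DC supplies healthy
    channel_bypass: bool = False    # maintenance bypass key switch
    shutdown_bypass: bool = False   # shutdown bypass key switch
    # Contacts currently open: bistable tripped, module withdrawn, or in test.
    open_contacts: set = field(default_factory=set)

    def active_chain(self) -> frozenset:
        if self.shutdown_bypass:
            return (NORMAL_CHAIN - SHUTDOWN_BYPASS_REMOVES) | SHUTDOWN_BYPASS_INSERTS
        return NORMAL_CHAIN

    def relay_energized(self) -> bool:
        """Terminating relay state; de-energized means the channel is tripped."""
        if not self.powered:
            # De-energize-to-trip: no supply, no relay current. Assumption: this
            # also defeats a channel bypass, since the bypass applies -15V.
            return False
        if self.channel_bypass:
            return True             # all bistable trip contacts are bypassed
        return not (self.open_contacts & self.active_chain())

    @property
    def tripped(self) -> bool:
        return not self.relay_energized()


class RPS:
    def __init__(self):
        self.channels = {n: Channel(n) for n in ("1", "2", "3", "4")}
        self.manual_trip = False

    def request_channel_bypass(self, name: str) -> bool:
        """Interlock: refuse the bypass if any other channel is already bypassed."""
        if any(c.channel_bypass for c in self.channels.values() if c.name != name):
            return False
        self.channels[name].channel_bypass = True
        return True

    def tripped_channels(self) -> list:
        return sorted(c.name for c in self.channels.values() if c.tripped)

    def reactor_trip(self) -> bool:
        """Two tripped channels (or a manual trip) trip all four CRDCS channels."""
        return self.manual_trip or len(self.tripped_channels()) >= 2


def bypass_scenario() -> list:
    """With channel 1 bypassed, coincidence becomes two-out-of-three."""
    rps = RPS()
    steps = [rps.request_channel_bypass("1"),   # granted
             rps.request_channel_bypass("2")]   # refused by the interlock
    rps.channels["1"].open_contacts.add("overpower")      # masked by the bypass
    rps.channels["2"].open_contacts.add("high_pressure")  # one effective trip
    steps.append(rps.reactor_trip())
    rps.channels["3"].powered = False                     # loss of power trips 3
    steps.append(rps.reactor_trip())
    return steps
```

The model also reproduces the shutdown bypass behavior in 7.2.1.2.3: a channel whose shutdown bypass high pressure bistable is tripped stays untripped until the shutdown bypass key switch is turned, at which point the channel trips.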

7.2.1.2.5 Diversity

The RPS provides protection through the use of the diverse trip functions and sensors discussed in Subsection 7.2.1.2.2 and in Chapter 15 and the Technical Specifications.

7.2.1.2.6 Information Display

Each RPS channel contains meters and indicators mounted in the system cabinets which display each input analog signal and visual indication of the state of each trip logic element. Total power (in percent power) and power imbalance (in percent power) are available to the operator on the control console. A strip chart recorder is available for continuously recording auctioneered total power (in percent power). Each RPS channel contains an alarm panel which is visible at all times and indicates the following:

1. Channel trip.
2. Cabinet fan failure.
3. Trip of any of the other three channels.
4. Channel bypass.
5. Shutdown bypass.
6. Breaker trip.

The station computer system monitors all analog input signals, all channel power supplies, and all trip modules. The station computer system will alarm if there is a power supply fault, a fan fails, or a cabinet door is open. The station annunciator indicates that an RPS channel trip has occurred, shutdown bypass has been initiated in a channel, or a channel has been bypassed. It also has the capability to indicate that a power range detector power supply fault has occurred, but this provision is not currently used. The station computer alarms and the station annunciator are not required to be tested as part of the Technical Specification surveillance testing requirements, but are functionally tested on a periodic basis to verify their proper operation. Information on displays is contained in Section 7.5.

7.2.1.2.7 Equipment Identification

Refer to Subsection 7.1.2.5.

7.2.1.3 Systems Supporting the RPS

The following systems provide support to the RPS:

1. Essential power supply (refer to Chapter 8).
2. CRDCS (refer to Subsection 7.4.1.1).

7.2-8 UFSAR Rev 31 10/2016

Davis-Besse Unit 1 Updated Final Safety Analysis Report 7.2.1.4 Portions of RPS Not Required for Safety Within the scope of the RPS, as defined in Section 7.2, the nonessential portions of the RPS (i.e., those portions performing no safety functions) are the displays of system parameters and test circuits. The power range test circuit does, however, provide continuity for safety-related signals leaving the detector before they enter signal conditioning modules. 7.2.1.5 Comparison of RPS with That of Another Station The major initial design features of the RPS at the Davis-Besse station are compared to that of Sacramento Municipal Utility Districts Rancho Seco station in FSAR Section 7.2.1.5. 7.2.1.6 RPS Drawings Drawings depicting RPS design are contained in Toledo Edison Specification M-536. 7.2.2 Analysis 7.2.2.1 Compliance with IEEE Standard 279-1968 The following discussions are keyed to Paragraph 4 of IEEE Standard 279-1968 and demonstrate compliance. (4.1) General Functional Requirements - The RPS will automatically perform its protective functions, that of tripping the reactor whenever station conditions exceed preset levels, under the design conditions listed in Section 7.2.1.1. (4.2) Single Failure Criteria - No single failure can prevent the RPS from performing its protective functions. A detailed single failure analysis of those portions of the system where a single failure might affect more than one channel is contained in Chapter 7 of Topical Report BAW-10003A, Rev. 4 Qualification Testing of Protection System Instrumentation (January 1976). The redundancy of all other RPS ensures that no single portions of the RPS ensures that no single failure will affect more than one channel. A single failure analysis of changes to the Anticipatory Reactor Trip System (ARTS) interfacing with the RPS was performed and submitted to the NRC in January 1986 (Serial 1231). The analysis concluded that the RPS meets the single failure criteria of IEEE-279. 
(4.3) Quality of Components and Modules - Equipment manufacturers were required to use high quality components and modules in equipment construction. Quality control procedures used during fabrication and testing verify compliance with this requirement. Details of the QA procedures are contained in Chapter 17 of the FSAR.

(4.4) Equipment Qualification - Qualification type tests are performed, in accordance with accepted procedures, to ensure that the RPS equipment will perform under applicable design basis conditions. Refer to Topical Report BAW-10003A, Rev. 4 for applicable test data. Subsequent to the submittal and approval of BAW-10003A, Rev. 4, replacement RPS Reactor Trip Modules manufactured by Framatome have been approved for installation in the RPS. These Reactor Trip Modules are qualified in accordance with FTI Reactor Trip Module Qualification Test Report 51-5006947-00.

(4.5) Channel Integrity - Each RPS channel is designed and fabricated so that channel integrity will be maintained under the conditions specified in the system design bases.

(4.6) Channel Independence - Each RPS channel is located in its own cabinets. The cabinets act as a barrier against fire and mechanical damage from external sources. Therefore, physical damage (for instance, an internal fire) can, in the worst case, disable only one of the four RPS channels. A minimum of channel interaction is required for the RPS to perform its protective action. The interaction occurs in the reactor trip module. A single failure analysis of this scheme is contained in Topical Report BAW-10003A, Rev. 4. The results of this failure analysis envelope both the original Bailey Reactor Trip Modules, as well as replacement RPS Reactor Trip Modules manufactured by Framatome, which were approved for installation in the RPS subsequent to the submittal and approval of BAW-10003A, Rev. 4.

(4.7) Control and Protection System Interaction - The RPS provides inputs to control systems as follows: Four reactor power level signals to the NNI/ICS auctioneering circuitry, a flow differential pressure signal from each RC loop to the ICS via the NNI, and an RC pressure signal to the NNI. The RC loop flow D/P signals and the RC pressure signal that are supplied to the NNI can be selected from either RPS Channel 1 or Channel 2 using a plug and jack arrangement located in Channel 2. Additionally, the RPS provides a flow signal from each RC loop and four signals each of the following three parameters to the ICS for use in the Core Thermal Power (CTP) calculation: Reactor coolant narrow range pressure, reactor coolant total flow and reactor coolant narrow range temperature.
If a single failure can cause a control system to malfunction and at the same time cause a protection channel to fail, the remaining channels must be capable of providing protection even when degraded by another single failure. Since only one RPS channel can share a given signal with a control system, a failure of that channel and another channel must be predicated in order to satisfy IEEE 279. Since the RPS is a four-channel system and uses two-out-of-four logic, the system will still be capable of causing a trip at the system level.

The flow of the power range neutron flux signals is as follows. The flux signal from each channel is transmitted through individual isolation amplifiers. The signals from Channels 1 and 2 are sent to an auctioneer in the NNI. The signals from Channels 3 and 4 are sent to a second auctioneer in the NNI. The auctioneered outputs are sent to a third auctioneer in the ICS. The highest of the four signals is ultimately used by the ICS for reactor control.

Destructive tests of the isolation amplifiers have established that they will block the passage, to the input, of + or - 400V DC or 400V AC (peak to peak) when applied to their output. Other tests demonstrate that the output of any isolation amplifier can be open, shorted, or grounded in any manner without effect upon the input. Therefore, the reactor power level signals leaving the RPS and going to the control system are adequately isolated from the signals used to accomplish protection system functions.

For a single failure to cause an ICS induced transient that requires protective action, the failure must either (1) occur downstream of an isolation amplifier, which would prevent the failure from adversely affecting the RPS, or (2) result in proper action of the RPS channel in which the failure occurred. In either case IEEE 279 is satisfied.

(4.8) Derivation of System Inputs - The measured variables, listed in the Technical Specifications, are direct measurements of the required parameters.

(4.9) Capability for Sensor Checks - Each RPS channel contains readouts for all analog signals. This allows the operator to check most sensors by monitoring the variable after it is perturbed or by cross checking the same variable in different RPS channels or other systems such as the NNI or station computer. A substitute input to the sensor of the same nature as the measured variable can be used in some cases to check sensor operation.

(4.10) Capability for Test and Calibration - The use of two-out-of-four logic between channels permits an RPS channel to be tested on-line without initiating a reactor trip. Maintenance to the extent of removing and replacing any module within a channel may be accomplished in the on-line state without a reactor trip. The test scheme for the RPS is based on the use of comparative measurements between like variables in the four channels, and the substitution of externally introduced digital and analog signals, as required, together with measurements of actual protective function trip points. A digital voltmeter is provided for accurate measurement of trip point and analog signal voltages. The test circuits allow the operator to completely test the RPS channels at any time during reactor operation.
The bistable test consists of inserting an analog input from an externally simulated signal or one of the channel test modules and varying the input until the bistable trip point is reached. The value of the inserted test signal, as monitored by both the system analog indicator and the test digital voltmeter, represents the true value of the bistable trip point. Thus, the test verifies not only that the bistable functions but also that the trip point is correctly set. During the test, satisfactory operation of the bistable can be observed by watching the output state light on the bistable module and the channel (subsystem) trip light on the reactor trip module.

The reactor trip module two-out-of-four logic and the associated control rod drive trip breaker are tested by pressing various combinations of the logic test switches on the reactor trip module to simulate the six combinations of trips possible in a two-out-of-four coincidence logic. During the test, satisfactory performance of the trip logic relays is observed by watching the RPS TO UVD AC PWR AVAIL light on the CRD trip breaker cabinet. This test also verifies that the control rod drive trip breakers are actuated independently by the undervoltage and shunt trip devices.

A regular visual check of all RPS indications is required, including such things as comparing the value of analog variables between channels and observing the status of equipment. Such visual checks are made during each shift. On a regular schedule, the visual check includes the comparison of power range channel readings with a thermal calculation of reactor power. These frequent checks permit detection of the majority of failures that might occur in the analog portions of the system as well as the self-annunciating type of failure that could occur in the digital portions of the system. The electrical tests are designed for the detection of more subtle failures that are detectable only by testing. Electrical tests are conducted on a rotational basis in accordance with the Technical Specifications.

(4.11) Channel Bypass or Removal From Operation - The RPS channel bypass is described in Subsection 7.2.1.2.3. This feature permits the testing and maintenance of a single channel during power operations. With the bypass in effect, the three remaining channels provide the necessary protection. Since only two channel trips are required to cause a reactor trip, a single failure will not prevent the RPS from fulfilling its protective function. The RPS is a de-energize-to-trip system. Therefore, if power is lost to a channel, that channel will trip, reducing the system trip coincidence to one-out-of-three. In the event that a module which performs a protective function is removed from its rack, that RPS channel will trip (unless that channel is bypassed).

(4.12) Operating Bypasses - The RPS contains no operating bypasses.

(4.13) Indication of Bypasses - Initiation of the channel bypass is indicated locally on the RPS cabinets, and on the station annunciator board. Initiation of the shutdown bypass is continuously indicated locally on the RPS cabinets and on the station annunciator board. In the event a channel is de-energized, that channel trips. That fact is continuously indicated locally, on the RPS cabinets, by the station computer, and on the station annunciator board.
(4.14) Access to Means for Bypassing - Activation of RPS bypass is accomplished using key switches. The keys are under administrative control. Also, to effect a bypass, the normally locked RPS cabinet doors must be opened. These keys are also under administrative control.

(4.15) Multiple Setpoints - The only multiple setpoint in the RPS is used by the overpower trip. The overpower trip setpoints are given in the Technical Specifications. In order to effect the shutdown bypass (refer to Subsection 7.2.1.2.3), the reactor must be shut down, and the overpower trip reset to 5% of rated power. After removing the shutdown bypass, with the station shutdown, the operator must reset the overpower trip to the normal trip setpoint value before the reactor can be started up. It is not necessary to automatically reset the overpower trip setpoint to 5% of rated power to provide adequate protection during shutdown bypass operation. (The lower trip setpoint is not credited in any Chapter 15 accident analysis.) Therefore, it is acceptable that the RPS design does not provide positive means of assuring that this lower setpoint is used. Administrative control via Technical Specifications is sufficient.

(4.16) Completion of Protective Action Once It is Initiated - All RPS trips are lock-in types so that a tripped channel remains in that state until deliberately reset by the operator.

(4.17) Manual Actuation - Two manual trip switches in series are provided which are positioned downstream of the RPS trip modules just before the input terminals of the CRDCS. Depressing either switch will interrupt power from all four RPS channels to the CRDCS. Because the manual trip is downstream of the automatic trips, no failure of the automatic trips will inactivate the manual trip. The two RPS trip switches are located in the control room and are mounted on either side of the CRDM Control System Operator Control panel. The trip switches are recessed to prevent accidental actuation.

(4.18) Access to Setpoint Adjustments, Calibration and Test Points - Setpoint adjustments, calibration and test points in the control room cabinet room are accessible only when the cabinets are open. The cabinet keys are under administrative control. Access to sensing equipment (transmitters, switches, etc.) is administratively controlled as part of general station access control to the protected and vital areas, as described in the security plan. Access is also administratively controlled through compliance with station procedures.

(4.19) Identification of Protective Action - The station annunciator indicates when an RPS channel has tripped. The station computer indicates when a channel has tripped and the cause of the trip (e.g., high temperature, overpower, etc.). Each cabinet alarm panel indicates that the channel has tripped. The bistable modules inside the cabinets indicate which bistable in the channel was tripped.
(4.20) Information Readout - Each RPS channel provides readouts for all analog signals as well as indication of channel trip status, status of each RC pump and CV pressure switch status. The station computer monitors most RPS analog signals and the status of each RPS channel trip. The station annunciator indicates when an RPS channel trips. Total power and power imbalance are continuously indicated on the control console. Refer to Section 7.5 for additional information on available indications.

(4.21) System Repair - The RPS is designed so that periodic testing can locate failure down to the module level, at a minimum. The modular design of the system allows quick repair of malfunctions.

(4.22) Identification - Refer to Subsection 8.3.1.2 for discussion of identification of Protection System Components.

7.2.2.2 Compliance with IEEE Standard 338-1971

Refer to Subsection 7.1.2.7 for a discussion on compliance.

7.2.2.3 Compliance with AEC General Design Criteria

Refer to Section 3.1.

7.2.2.4 Compliance with Safety Guide 22

The RPS does incorporate a scheme of testing which complies with Safety Guide 22, Section D, Paragraph 2, (b) and (d). Utilizing logic toggle switches on the front face of the RPS reactor trip module, the output from any RPS channel can be tripped so that the associated CRDCS trip device (trip breaker) will open. This can be done without disrupting station operation since at least two trip devices in parallel must trip in order to cause rod insertion. Test circuits allow the operator to completely test the RPS channels at any time during reactor operation.

7.2.2.5 Compliance with Safety Guide 29

The RPS is seismically qualified as required by Safety Guide 29. A discussion relating to the qualification is contained in Section 3.10.
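The coincidence behaviour described in Section 7.2.2.1, items (4.10), (4.11) and (4.16), and in Section 7.2.2.4 can be exercised in a small model. The following Python is an added illustration, not part of the UFSAR or of any station software; the class and function names, the refusal of a second bypass and the treatment of a bypassed channel as held untripped are assumptions of the model.

```python
from dataclasses import dataclass
from itertools import combinations

CHANNELS = (1, 2, 3, 4)


@dataclass
class Channel:
    """One RPS protection channel in a simplified de-energize-to-trip model."""
    powered: bool = True
    bypassed: bool = False  # key-switch channel bypass for test or maintenance
    latched: bool = False   # lock-in: a trip persists until the operator resets it

    def update(self, bistable_tripped):
        # A bypassed channel is held untripped (model assumption).
        # Otherwise a tripped bistable or loss of channel power trips it.
        if not self.bypassed and (bistable_tripped or not self.powered):
            self.latched = True

    def reset(self):
        # Deliberate operator reset; a de-energized channel stays tripped.
        if self.powered:
            self.latched = False

    @property
    def tripped(self):
        return self.latched and not self.bypassed


class Rps:
    """Four channels feeding two-out-of-four coincidence logic."""

    def __init__(self):
        self.channels = {n: Channel() for n in CHANNELS}

    def set_bypass(self, n, on=True):
        # The bypass serves a single channel: refuse a second one.
        others = [k for k, c in self.channels.items() if c.bypassed and k != n]
        if on and others:
            raise ValueError(f"channel {others[0]} is already bypassed")
        self.channels[n].bypassed = on

    def lose_power(self, n):
        self.channels[n].powered = False
        self.channels[n].update(False)

    def scan(self, tripped_bistables=()):
        """Apply one set of bistable states; return True on reactor trip."""
        for n, ch in self.channels.items():
            ch.update(n in tripped_bistables)
        return self.reactor_trip

    @property
    def reactor_trip(self):
        return sum(ch.tripped for ch in self.channels.values()) >= 2

    def trips_needed(self):
        """Further channel trips required before the reactor trips."""
        return max(0, 2 - sum(ch.tripped for ch in self.channels.values()))


def logic_test_pairs():
    """Mirror of the logic test: the two-channel combinations that trip."""
    return [pair for pair in combinations(CHANNELS, 2) if Rps().scan(pair)]


def single_channel_never_trips():
    """One tripped channel alone (e.g. a channel under test) must not trip."""
    return not any(Rps().scan((n,)) for n in CHANNELS)


def bypass_plus_single_failure():
    """Channel 1 bypassed and channel 2 failed untripped: 3 and 4 still trip."""
    rps = Rps()
    rps.set_bypass(1)
    return rps.scan((3, 4))  # channel 2 never reports its trip


def power_loss_case():
    """Power loss trips channel 4, leaving one-out-of-three coincidence."""
    rps = Rps()
    rps.lose_power(4)
    needed = rps.trips_needed()
    return needed, rps.scan((2,))


def lock_in_case():
    """A trip stays latched after the condition clears, until reset."""
    rps = Rps()
    rps.scan((1, 2))
    still_tripped = rps.scan(())
    for ch in rps.channels.values():
        ch.reset()
    return still_tripped, rps.reactor_trip


if __name__ == "__main__":
    print(logic_test_pairs(), power_loss_case(), lock_in_case())
```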

TABLE 7.2-3 ENVIRONMENTAL CONDITIONS FOR INSTRUMENTATION AND CONTROLS

| Parameter | Normal Operating Range | Calculated Max. Worst Case Condition | Design Value |
|---|---|---|---|
| 1. Containment Vessel - inside primary shield - out of core detectors | | | |
| Temperature, F | 70-200 | 300 | 212 |
| Pressure, psig | 0 0.5 | 40 | 40 |
| Relative Humidity, % | 10-80 | 100 | 90 |
| 2. Containment Vessel - inside secondary shield - RTDs | | | |
| Temperature, F | 40-140 | 265 | 286 |
| Pressure, psig | 0 0.5 | 40 | 40 |
| Relative Humidity, % | 10-80 | 100 | 100 |
| Radiation, rads | 1300 rads/hour x 40 years = 3.7 x 10^8 | 5.7 x 10^4 (24 hr. period) | 3.7 x 10^8 * (40 yrs. period) |
| Containment Spray | None | for 24 hours | for 24 hours |

Chemicals: H3BO3, Na3PO4, LiOH, Na2S2O3, H2. pH: 4 to 9

* This dose is for a point inside the hot leg. For points outside the pipe the dose is a factor of 10 less.

| Parameter | Normal Operating Range | Calculated Max. Worst Case Condition | Design Value |
|---|---|---|---|
| 3. Containment Vessel - outside secondary shield - transmitters, preamps | | | |
| Temperature, F | 40-140 | 265 | 286 |
| Pressure, psig | 0 0.5 | 40 | 40 |
| Relative Humidity, % | 10-80 | 100 | 100 |
| Radiation, rads | 25 millirads/hour x 40 years = 0.7 x 10^4 | 5.7 x 10^4 (24 hr. period) | 7.0 x 10^4 (40 yrs. period) |
| 4. Auxiliary Building, Switchgear Rooms; 585 ft. elev. Room No. 323, 324 and 325; 603 ft. elev. Room No. 428, 428A, 428B, 429, 429A and 429B | | | |
| Temperature, F | 60-104 | 104 Low Voltage Switchgear/Battery Room; 112.3 Electrical Isolation Rooms; 123 High Voltage Switchgear Rooms and Aux. Shutdown Panel Room (Rooms 323, 324, and 325) | 120 |
| Pressure, psig | 0 | 0 | 0 |
| Relative Humidity, % | 30-70 | 70 | 70 |
| Radiation, rads, in line components | 35 rads/hour x 40 years = 1 x 10^7 | 1 x 10^7 (24 hr. period) | 2.0 x 10^7 (40 yr. period) |
| Radiation, rads, non-in line | 25 millirads/hour x 40 years = 0.7 x 10^4 | 0.7 x 10^4 (24 hr. period) | 1.5 x 10^4 (40 yr. period) |
| 5. Auxiliary Building, Emergency Diesel Generator Rooms; 585 ft. elev. Room No. 318 and 319 | | | |
| Temperature, F | 60-125 | 131 | 125 |
| Pressure, psig | 0 | 0 | 0 |
| Relative Humidity, % | 30-80 | 80 | 80 |
| Radiation, rads, in line components | 35 rads/hour x 40 years = 1 x 10^7 | 1 x 10^7 (24 hr. period) | 2.0 x 10^7 (40 yr. period) |
| Radiation, rads, non-in line | 25 millirads/hour x 40 years = 0.7 x 10^4 | 0.7 x 10^4 (24 hr. period) | 1.5 x 10^4 (40 yr. period) |
| 6. Auxiliary Bldg., other areas | | | |
| Temperature, F | 40-120 | 120 | 140 |
| Pressure, psig | 0 | 0.5 | 1.0 |
| Relative Humidity, % | 30-80 | 100 | 100 |
| Radiation, rads, in line components | 35 rads/hour x 40 years = 1 x 10^7 | 1 x 10^7 (24 hr. period) | 2.0 x 10^7 (40 yr. period) |
| Radiation, rads, non-in line | 25 millirads/hour x 40 years = 0.7 x 10^4 | 0.7 x 10^4 (24 hr. period) | 1.5 x 10^4 (40 yr. period) |
| 7. Control Room | | | |
| Temperature, F | 60-80 | 110 | 40-110 |
| Pressure, psig | Atmospheric | Atmospheric | Atmospheric |
| Relative Humidity, % | 20-60 | 80 | 80 |
| Radiation, rads | Background | Background | Background |

8. Power Requirements for Instrumentation and Controls
Voltage: 117V AC 10%
Frequency: 60 Hz 5% harmonic content 5% total and with 10% peak max. deviation from sine wave.

9. Seismic Requirements: Refer to Section 3.10

NOTE: Normal operating range radiation values for the 40 year life of the plant were adjusted to account for periods of reactor shutdown and operation at less than full reactor power. Refer to Section 11.0.

7.2-17 UFSAR Rev 30 10/2014

[FIGURE 7.2-1: REACTOR PROTECTION SYSTEM, Davis-Besse Nuclear Power Station, Drawing 7749-M-536-1, Revision 21, November 1998. Marginal quality document, best copy available.]

7.3 SAFETY FEATURES ACTUATION SYSTEM (SFAS)

The design goal of the SFAS is to automatically prevent or limit fission product and energy release from the core, to isolate the containment vessel and to initiate the operation of the ESF equipment in the event of a loss-of-coolant accident (LOCA). The SFAS instrumentation and controls extend from the generating station variables to the input terminals of the safety features actuation control devices such as motor controllers and solenoid valves. The SFAS is divided into initiating or sensing channels, logic channels, and actuating channels.

7.3.1 Description

7.3.1.1 Instrumentation and Control

7.3.1.1.1 Initiating Circuits

The initiating circuits of the SFAS are the sensing circuits monitoring the following station variables:

1. CV radiation level.*
2. CV pressure.
3. RC pressure.
4. BWST level.
* Amendment 221 to the Technical Specification eliminated the requirement for SFAS actuation on high containment radiation. The SFAS containment REs are turned off.

7.3.1.1.2 Logic

The logic channels of the SFAS are made up of solid state components. Relays are used as terminating devices of the SFAS logic, as isolation devices for remote control pushbuttons, and as output signals to the station annunciator and computer.

The SFAS, as shown in Figures 7.3-1 and 7.3-2, SFAS, Logic and Signal Diagrams, consists of four identical redundant sensing and logic channels and two identical redundant actuation channels. Each sensing channel includes analog circuits with analog isolation devices, and each logic channel includes trip bistable modules with digital (opto-electronic) isolation devices. The isolated output of the trip bistable module is used to comprise coincidence matrices with the terminating relays within the actuation channel of the SFAS. These opto-electronic isolation devices also provide isolation between channels.

The trip bistables monitor the station variables and normally feed continuous electrical (fail-safe) signals into two-out-of-four coincidence matrices. Should any of the station variables exceed their trip setpoints, the corresponding bistables in each of the four channels will trip and cease sending output signals. Should two of the four channel bistables monitoring the same station variable cease to send output signals, the corresponding normally energized terminating relays on all channels will trip.

The terminating relays of sensing and logic Channels No. 1 and No. 3 must both be de-energized to activate safety actuation Channel No. 1. Similarly, sensing and logic Channels 2 and 4 are de-energized to activate safety actuation channel 2. The terminating relays act on the actuation control devices such as motor controllers and solenoid valves.

The SFAS is a failsafe (de-energize-to-trip) system. Therefore, if power supply is lost to a channel, that channel will trip, reducing the system coincidence matrices from two-out-of-four to one-out-of-three mode. In the event that a module which performs a protective function is removed from its cabinet, that SFAS channel will trip unless it is bypassed (refer to Subsection 7.3.1.1.3).

7.3.1.1.3 Bypasses

The SFAS includes channel bypasses, operating bypasses, and shutdown bypasses:

1. Channel Bypass - Each SFAS sensing and logic channel is provided with one key operated rotary test trip bypass switch. This switch enables the operator to change the two-out-of-four coincidence matrices into a two-out-of-three mode for one given generating station variable. In effect, the operator may (for one channel only) bypass one of the following variables:
a. CV radiation.*
b. RC pressure.
c. CV pressure.
d. BWST level.
* Amendment 221 to the Technical Specifications eliminated the requirements for SFAS actuation on high containment radiation. The SFAS containment REs are turned off.

These channel bypasses permit test, calibration or maintenance of the analog circuits of the SFAS including the transmitters of the generating station variables. The key and the operation of the switch are under administrative control. The switches are all keyed alike, with the key being removable only in the off-position (bypass non-activated). Electro-mechanical features are provided to prohibit the insertion and operation of more than one channel bypass. The off-position will be indicated at the SFAS cabinets and monitored and displayed by the station computer and annunciator. Motor controller bypasses are not provided. Controllers for motors driving equipment, the operation of which could damage any equipment or disrupt station operation, will only be tested during reactor shutdown.

2. Operating Bypasses - Each sensing and logic channel of the SFAS system includes two operating bypasses of the RC pressure trips, one for the RCS Low Pressure trip signal and the other for the RCS Low-Low Pressure trip signal to allow the depressurization of the RC system without initiating the RC pressure trips. For this purpose eight pushbuttons are located at the main control console, two for each channel.

The operating bypasses can only be actuated manually and only when the RC pressure is below the associated setpoints, not to exceed 1800 psig or 660 psig respectively. The bypasses will be automatically reset before the RC pressure exceeds 1800 psig or 660 psig, respectively. No operating bypasses are provided to prevent actuation of the SFAS on high CV pressure, or low BWST level. A minimum of three of the four pushbuttons of the RCS low pressure or RCS Low-Low Pressure bypass setpoints must be actuated to effectively bypass the RC Low or Low-Low pressure trips. Indications that bypassing is permissible and that bypassing has been effected are provided at the main control console, in the SFAS cabinets, and at the station computer and annunciator.

3. Shutdown Bypass - The SFAS Shutdown Bypass is provided to prevent spurious actuation of the SFAS and will be used only when the SFAS is not required to be operable by the Technical Specification. Use of the Shutdown Bypass will allow maintenance, modification and testing of the bypassed portion of the SFAS without the possibility of spurious equipment actuation. Under no circumstances will use of the Shutdown Bypass be allowed in any mode other than Mode 5, 6 and when the reactor is defueled.

The bypass is provided with a key actuated switch in each SFAS Logic cabinet (a total of eight) and individual push button switches, one push button switch for each piece of equipment in each Logic Channel. The bypass is provided by latch type relays which require electrical power to be set in the bypass position or reset from the bypass position. This scheme prevents any repositioning of the relays without energization of the bypass circuitry. The key and the operation of the switch are under administrative control. The bypass will be continuously indicated at the station annunciator and the station computer whenever any of the key switches are in bypass or when any of the latch type relays are in the bypass position.

7.3.1.1.4 Interlocks

The SFAS provides interlocks to prohibit any manual or automatic override of the protective action until the trip signals of the SFAS are reset or blocked by the operator. Fault current conditions on motor operated equipment will override the interlocks and trip the equipment. Interlocks which inhibit protective actions are described in Section 7.3.1.1.3.

7.3.1.1.5 Sequencing

The SFAS will automatically sequence the protective action by loading equipment in steps to the emergency diesel generators if normal or reserve power is not available. Refer to Chapter 8. Figure 7.3-1 contains the sequence logic for the SFAS.

7.3.1.1.6 Redundancy

The SFAS has redundancy as follows:

1. Each of the station variables listed in Subsection 7.3.1.4 (2) is monitored by at least one trip bistable in each of four redundant SFAS sensing and logic channels.
2. The signal from each trip bistable is divided into four independent signals, electrically isolated (buffered) from each other and fed into four redundant SFAS logic channels.
3. The logic terminating relays as outlined in Subsection 7.3.1.1.2 are combined into two redundant safety actuating channels to independently control the safety actuated devices.
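The SFAS arrangement described in Subsections 7.3.1.1.2, 7.3.1.1.3 (operating bypass) and 7.3.1.1.6 can be traced in a small model: four bistables feed every logic channel, logic channels 1 and 3 drive actuation channel 1, and channels 2 and 4 drive actuation channel 2. The following Python is an added illustration, not part of the UFSAR or of any station software; the names, the trip setpoint and test pressures (constructed placeholders; the real setpoints are in Table 7.3-3) and the assumption that each pushbutton blocks only its own channel's bistable are the model's own.

```python
PERMISSIVE_PSIG = 1800.0  # from the page: RCS Low Pressure bypass limit
TRIP_PSIG = 1600.0        # constructed placeholder, not the station's setpoint
CHANNELS = (1, 2, 3, 4)


class SensingChannel:
    """RC low pressure bistable with its operating bypass (simplified)."""

    def __init__(self):
        self.bypassed = False
        self.powered = True

    def press_bypass(self, pressure):
        # Manual only, and accepted only while pressure is below the permissive.
        if pressure < PERMISSIVE_PSIG:
            self.bypassed = True
        return self.bypassed

    def output(self, pressure):
        """True while the bistable sends its normal fail-safe signal."""
        if pressure >= PERMISSIVE_PSIG:
            self.bypassed = False  # automatic reset on repressurization
        tripped = pressure < TRIP_PSIG and not self.bypassed
        return self.powered and not tripped


class Sfas:
    def __init__(self):
        self.sensing = {n: SensingChannel() for n in CHANNELS}
        self.relay_stuck_energized = set()  # injected logic channel failures

    def evaluate(self, pressure):
        """Return {actuation channel: actuated?} for one RC pressure reading."""
        # Every logic channel receives an isolated copy of all four outputs
        # and forms the same two-out-of-four coincidence.
        outputs = [self.sensing[n].output(pressure) for n in CHANNELS]
        missing = outputs.count(False)
        relay_energized = {
            n: missing < 2 or n in self.relay_stuck_energized for n in CHANNELS
        }
        # Logic channels 1 and 3 must both drop out for actuation channel 1,
        # logic channels 2 and 4 for actuation channel 2.
        return {
            1: not relay_energized[1] and not relay_energized[3],
            2: not relay_energized[2] and not relay_energized[4],
        }


def loca_with_stuck_relay(stuck=()):
    """Low RC pressure with optional terminating relays failed energized."""
    sfas = Sfas()
    sfas.relay_stuck_energized.update(stuck)
    return sfas.evaluate(1000.0)  # constructed accident pressure


def depressurize_with_bypass(buttons_pressed, pressed_at=1750.0):
    """Press N bypass pushbuttons, then take pressure below the trip point."""
    sfas = Sfas()
    accepted = [
        sfas.sensing[n].press_bypass(pressed_at)
        for n in CHANNELS[:buttons_pressed]
    ]
    return accepted, sfas.evaluate(1500.0)


def repressurize_then_trip():
    """Bypasses drop out above the permissive; a later low pressure trips."""
    sfas = Sfas()
    for n in CHANNELS:
        sfas.sensing[n].press_bypass(1750.0)
    while_bypassed = sfas.evaluate(1500.0)
    sfas.evaluate(1850.0)
    return while_bypassed, sfas.evaluate(1500.0)


if __name__ == "__main__":
    print(loca_with_stuck_relay({3}))
    print(depressurize_with_bypass(2), depressurize_with_bypass(3))
    print(repressurize_then_trip())
```

In this model two pressed pushbuttons leave two live bistables, which still satisfy the two-out-of-four matrix, so the bypass only takes effect with three; a terminating relay stuck energized in logic channel 3 defeats actuation channel 1 while actuation channel 2 still actuates.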

7.3.1.1.7 Diversity

Diversity in the SFAS is provided by monitoring RC pressure and CV pressure, to sense loss of coolant and activate protective action systems. Refer to the Technical Specifications.

7.3.1.1.8 Safety Actuated Devices

The safety actuation devices are tabulated in Figures 7.3-3 through 7.3-8, SFAS Actuated Equipment Tabulation, and described in Chapters 5, 6, 8, and 9.

7.3.1.2 Supporting Systems

The supporting system of the SFAS is the essential power supply (Chapter 8).

7.3.1.3 Non-Safety Systems

The non-safety systems and equipment associated with the ESF system are listed below:

1. Station annunciator (Section 7.11).
2. Station computer (Section 7.10).
3. Instrumentation systems to monitor the following ESF parameters:
a. Containment spray flow
b. CV emergency sump level
c. BWST temperature
d. CV Radiation

7.3.1.4 Design Basis

The design basis information of the SFAS as required by Section 3 of IEEE Standard 279-1971 is as follows:
1. Generating station conditions which require protective actions:
a. Loss of coolant accident (LOCA)
b. Steam line break
2. Generating station variables that are required to be monitored in order to provide protective actions:
a. CV pressure
b. RC pressure
c. BWST level (permissive only)
3. The number and location of protective function sensors provided to monitor those variables that have spatial dependence:

Four (4) sensors (one for each channel) of each of the station variables as listed above. Refer to the EI&C drawings for the location drawings of the RC pressure sensors. For the relative locations of the CV pressure and BWST level sensors, refer to Figure 9.4-11a and 6.3-2a, respectively.

6. The levels (Trip Setpoints) that, when reached, will activate protective action are tabulated in Table 7.3-3. Allowable values are tabulated in the Technical Specifications.
7. The range of operating requirements for both the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system will perform are tabulated in Table 7.3-4.
8. The accidents or other unusual events which could physically damage protection system components or could cause environmental changes leading to functional degradation of system performance, and for which provisions are incorporated to retain the necessary protective action, are fire, missiles, flood, earthquake, and high energy line break for equipment outside the containment vessel, and fire, missiles, flood, earthquake, and LOCA for equipment inside the containment vessel.
9. The minimum performance requirements to be accommodated until proper conclusion of the protective action is assured, including system response times, system accuracies and ranges of the magnitudes of sensed variables are tabulated in Table 7.3-5.


7.3.1.5 Drawings

The following drawings are related to the SFAS:

1. Logic diagrams: Figures 7.3-1 through 7.3-8.
2. Wiring Diagrams: Refer to the E&IC drawings.
3. Location drawings: Refer to the E&IC drawings and Figure 12.1-10.
4. Functional drawings: Figures 5.1-2, 6.3-1, 6.3-1A, 6.3-2, 6.3-2A, 7.3-9, 9.2-1, 9.2-2, 9.2-4a, 9.3-1, 9.3-16, 9.4-9, 9.4-11, 9.4-11A, 9.4-12.

7.3.2 Analysis of ESF Instrumentation and Controls

7.3.2.1 Implemented Design Documents

The design criteria incorporated in the design of the SFAS include the documents as tabulated in Table 7.1-1.

7.3.2.2 Compliance with AEC General Design Criteria

The SFAS complies with the AEC General Design Criteria as tabulated in Table 7.1-1 and as discussed in Appendix 3D.

7.3.2.3 Compliance with IEEE Standard 279-1971

The following discussions are keyed to Section 4 of IEEE Standard 279-1971 and demonstrate compliance with the above mentioned standard.

(4.1) General Functional Requirement - The SFAS will, with precision and reliability, automatically perform its protective function, whenever the station conditions monitored by the SFAS reach a preset level, under the design conditions described in Subsections 7.3.1.4 (7), (8), and (9). The operating requirements of the SFAS components are listed in Table 7.3-4.

(4.2) Single Failure Criterion - No single failure can prevent the SFAS from performing its protective function.

(4.3) Quality of Components and Modules - The SFAS consists of high quality components and modules with minimum maintenance requirements and low failure rates. Quality control procedures were used during fabrication and testing to verify compliance with the requirements specified for the particular equipment. Details of the QA procedures are provided in Chapter 17 of the FSAR and Chapter 17 of the USAR.

(4.4) Equipment Qualification - Type test data is available to verify that the SFAS equipment meet, on a continuing basis, the performance requirements determined to be necessary for achieving the system requirements.

(4.5) Channel Integrity - Each SFAS channel is designed, manufactured, and located so that channel integrity is maintained under the design condition listed in Subsections 7.3.1.4 (7) and (9).

(4.6) Channel Independence - Each SFAS logic channel is located in its own cabinets. The cabinets act as a barrier against fire and mechanical damage from external sources. The distance between cabinets of redundant channels is 4 feet to 13 feet to satisfy the single failure criterion. (Refer to Figure 12.1-10.) The cabinets are in a room which offers environmental and missile protection. Channel independence criteria for the balance of the SFAS are described in Chapter 8.

(4.7) Control and Protection System Interaction

a. Classification of Equipment - Equipment that is used for protective and control functions is classified as part of the protection system and meets the requirements of IEEE Standard 279-1971.

The protective action is designed to override and block any control function as shown on the schematics.

b. Isolation Devices - Safety features actuation signals are transmitted only to the control system to accomplish the protective action, in which case, the control system is assumed to form part of the SFAS and is subject to the same criteria. Therefore, no isolation devices are used between signal and controller.

The control signals to close normal decay heat valve DH-11 (refer to Subsections 6.3.2.16 and 7.6.1.1) and to open the core flooding tank isolation valves (refer to Subsections 6.3.2.15 and 7.6.1.2) originate in the SFAS logic cabinets but are isolated by relay contacts from the SFAS. The bistables (one in each SFAS channel), which control these relays, share sensors with the SFAS, but are independent of those bistables used for the SFAS signals; they therefore act as second isolation devices. Other than the above, signals from the SFAS are not utilized for any other control system use.

c. Single Random Failure - A single random failure resulting in a control system action simultaneously causing a channel failure and a station condition requiring protective action is incredible.
d. Multiple Failures Resulting From a Credible Single Event - No control system action can result in a condition requiring protective action and concurrently prevent the protective action of any SFAS channel.

(4.8) Derivation of System Inputs - The SFAS inputs are derived from signals that are direct measures of the station variables as listed in the Technical Specifications.

(4.9) Capability for Sensor Checks - Each SFAS sensing channel contains readouts at the main control panels for each monitored station variable, which permits cross-checking between channels.

(4.10) Capability for Test and Calibration - Manual testing and calibration features have been provided to perform periodic testing and calibration operations.

a. Manual Testing of Bistables - Each bistable monitoring a station variable has built-in provisions for testing.

To test a bistable, a test voltage is applied to its input by pressing a momentary pushbutton; this causes the bistable to trip. Local light, station annunciator and computer displays will verify proper operation.

b. Manual Calibration of the SFAS Sensing Channels - Each SFAS sensing channel has one built-in adjustable signal generator with test jacks for connection to a precision indicating instrument. By means of a selector switch and momentary switches, the maintenance personnel are able to connect this signal generator to any one station variable of a given channel, while disconnecting the remote signal transmitter. The following calibration functions can be performed:
1. Calibrate bistable trip setpoint dial.
2. Calibrate the indicating instruments at the SFAS cabinets and compare with the indicating instruments at the main control panel.

The printout and the CRTs of the station computer provide the same information.

c. Manual Testing of the System Logic - Each two-out-of-four logic coincidence matrix of a system logic (see Subsection 7.3.1.1.2) includes a local independent momentary pushbutton which, when operated, changes the matrix functioning to a one-out-of-four logic. This test with the simultaneous presence of a bistable test trip on any channel will de-energize the output relays of one channel of the protective action system being tested. See Table 7.3-2 for the list of the protective action systems (i.e., SFAS System No. and Description).

Any combination of two or more bistable trips of redundant channels associated with the same coincidence matrix logic will cause a trip of the related protective action system. In each case the trip is monitored by local lights, the station annunciator, and computer displays.

d. Manual Testing of SFAS Equipment - Hand control switches for each SFAS control device are provided at the main control panel and locally to allow test of each individual safety actuated device.

(4.11) Channel Bypass or Removal From Operation - The SFAS station variable channel bypass is described in Subsection 7.3.1.1.3 (1). The channel bypass permits the testing, calibration and maintenance of a particular generating station variable of a single channel during power operation. With the bypass in effect the three remaining channels of that station variable provide the necessary protection. Since only two channels of a variable need exceed the trip setpoint to cause a trip, a single failure will not prevent the station variable SFAS logic from fulfilling its protective function.

(4.12) Operating Bypasses - The SFAS operating bypasses are described in Subsection 7.3.1.1.3 (2). Whenever the permissive conditions are not met, the bypasses will not be allowed or will be removed automatically. The bypass circuits used to prevent or achieve automatic removal of the bypasses are part of the protection system and are designed in accordance with IEEE Standard 279-1971.

(4.13) Indication of Bypasses - Initiation of the channel bypass will be continuously indicated at the SFAS cabinets, by the station computer, and annunciator. Initiation of the operating bypasses will be continuously indicated at the SFAS logic cabinet, at the main control board, and by the station computer and annunciator.

(4.14) Access to Means for Bypassing - The activation of SFAS channel bypass is accomplished by using key switches, which are under administrative control. Also, to initiate a bypass, a corresponding SFAS cabinet door must be opened. The cabinet door keys are also under administrative control. The activation of SFAS operating bypass is accomplished by depressing pushbuttons at the main control board.

(4.15) Multiple Setpoints - The SFAS does not use multiple setpoints for any bistable monitoring the station variables.

(4.16) Completion of Protection Action once it is initiated - The trip signals of the bistables, the coincidence matrices, and the actuation control devices on the safety features actuation system are seal-in type, such that once initiated, a protective action at the system level shall go to completion and remain in the tripped state until deliberately reset by operator action.

(4.17) Manual Initiation - Four manual trip switches are provided at the main control board; two switches to activate the two redundant CV Spray Systems and the remaining two switches to activate the two redundant SFAS channels exclusive of the Containment Spray Systems and the CV Emergency Sump Recirculation Systems. A manual control switch for each actuation device related to the SFAS is also located at the main control board in close proximity to the manual trip switches. Trip switches for each individual protective action system are provided in the SFAS logic cabinets.

(4.18) Access to Setpoint Adjustments, Calibrations, and Test Points - Setpoint adjustments, calibration and test points in the control room cabinet room are accessible only when the SFAS logic cabinet doors are open. The door keys are under administrative control. Open doors will be alarmed by the station computer and annunciator. Access to sensing equipment (transmitters, etc.) is administratively controlled as part of general station access control to the protected and vital areas, as described in the security plan. Access is also administratively controlled through compliance with station procedures.

(4.19) Identification of Protective Action - Protective action will be initiated by tripping the corresponding bistable whenever the generating station variable sensed exceeds the setpoint. The tripping of these bistables will be indicated and identified by the station computer and annunciator with the exception of the BWST Level Bistable. The annunciation of the BWST Level Trip will be by logic modules. Each trip will also be indicated at the corresponding module in the SFAS logic cabinets.

(4.20) Information Read-Out - Each SFAS channel provides, in the SFAS logic cabinets and at the main control panel, a readout for each monitored generating station variable as well as an indication of the SFAS trip status. The station computer monitors each SFAS station variable and the trip status of each SFAS channel. The station annunciator will indicate any SFAS channel trip with the exception of the BWST Level channel trip. The BWST Level channel trip annunciation occurs at the logic module which requires two bistable trips (two channel trips).

(4.21) System Repair - The periodic testing can locate failure in an individual module. The modular design of the SFAS allows for quick repair of malfunctions.

(4.22) Identification - The identification of the equipment including cabinets, trays and cables of the SFAS between redundant portions is accomplished by color coding and numbering as described in Chapter 8.

7.3.2.4 Compliance with IEEE Standard 323-1971

The SFAS complies with the basic requirements for the qualifications of Class 1E electrical equipment and meets IEEE Standard 323-1971.

7.3.2.5 Compliance with IEEE Standard 338-1971

The SFAS includes provision to permit testing in accordance with Section 5 of IEEE Standard 338-1971. (Refer to item (4.10) of Subsection 7.3.2.3).

7.3.2.6 Compliance with AEC Safety Guide 22

The SFAS design includes flexibility for periodic tests of the system during reactor operation. In general, the test of any protective action system (Reference Table 7.3-2) and the corresponding system logics can be performed during reactor operation. A half trip test of the logic and terminating relays is performed at the frequency required by Technical Specifications for the instrumentation system. The motive power and actuated equipment are tested in accordance with the applicable system Technical Specifications. The Safety Features Actuation System and the actuated equipment are tested while the plant is shut down for refueling at the frequency required by Technical Specifications, with the exceptions noted in Table 7.3-2. The tests assure that the protective action system will respond to an actuation condition.

When the operation of the actuated equipment or testing of the terminating relays may damage station equipment, disrupt reactor operation, or is precluded by Technical Specifications or NRC commitment, the testing will be performed during refueling shutdowns. The containment isolation valves noted in Table 7.3-2 are also only tested while the plant has been shut down for refueling due to the potential to interrupt power operation.
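The voting behaviour described in items (4.10)c, (4.11) and (4.16) of Subsection 7.3.2.3 can be checked exhaustively with a model of one coincidence matrix. The following Python model is an added example, not part of the UFSAR or of any plant or vendor logic; its class and function names are hypothetical, and it assumes that a bypassed channel is excluded from the vote and that an operator reset clears the seal-in unconditionally.

```python
from itertools import combinations

CHANNELS = (1, 2, 3, 4)  # four redundant bistable channels of one station variable


class CoincidenceMatrix:
    """Hypothetical model of one two-out-of-four matrix (not plant logic)."""

    def __init__(self, bypassed=None):
        if bypassed is not None and bypassed not in CHANNELS:
            raise ValueError(f"unknown channel {bypassed!r}")
        self.bypassed = bypassed      # item (4.11): a single channel may be bypassed
        self.test_pushbutton = False  # item (4.10)c: momentary, 2-of-4 becomes 1-of-4
        self.sealed_in = False        # item (4.16): trip is latched until reset

    def evaluate(self, tripped):
        """tripped: set of channels whose bistable is in the tripped state."""
        tripped = set(tripped)
        if tripped - set(CHANNELS):
            raise ValueError("tripped set contains an unknown channel")
        # Assumption: the bypassed channel's bistable is ignored by the matrix.
        votes = len(tripped - {self.bypassed})
        needed = 1 if self.test_pushbutton else 2
        if votes >= needed:
            self.sealed_in = True
        return self.sealed_in

    def reset(self):
        """Deliberate operator reset; evaluate() latches again if votes persist."""
        self.sealed_in = False


def trips_on_demand(bypassed, failed):
    """Real demand: every channel trips except those failed in the untripped state."""
    return CoincidenceMatrix(bypassed).evaluate(set(CHANNELS) - set(failed))


def failures_tolerated(bypassed):
    """Largest k for which ANY k failed in-service channels still allow a trip."""
    in_service = [ch for ch in CHANNELS if ch != bypassed]
    k = 0
    while k < len(in_service) and all(
        trips_on_demand(bypassed, failed)
        for failed in combinations(in_service, k + 1)
    ):
        k += 1
    return k


def spurious_single_trip_actuates(bypassed):
    """True if one in-service bistable tripping alone would actuate the system."""
    return any(
        CoincidenceMatrix(bypassed).evaluate({ch})
        for ch in CHANNELS
        if ch != bypassed
    )


def half_trip_test(channel):
    """Item (4.10)c sequence: pushbutton plus one bistable test trip, then reset."""
    matrix = CoincidenceMatrix()
    matrix.test_pushbutton = True
    during = matrix.evaluate({channel})     # 1-of-4 satisfied by the test trip
    matrix.test_pushbutton = False          # momentary pushbutton released
    after_release = matrix.evaluate(set())  # test trip removed, seal-in holds
    matrix.reset()
    after_reset = matrix.evaluate(set())    # no votes, stays reset
    return during, after_release, after_reset


if __name__ == "__main__":
    for bypass in (None,) + CHANNELS:
        print(
            f"bypassed={bypass}: failures tolerated={failures_tolerated(bypass)}, "
            f"single spurious trip actuates={spurious_single_trip_actuates(bypass)}"
        )
    print("half-trip test on channel 3:", half_trip_test(3))
```

With no bypass the model tolerates two untripped-failed channels; with one channel bypassed it tolerates exactly one, which is the margin item (4.11) relies on.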

TABLE 7.3-2
PERIODIC TEST ON SFAS AND ACTUATED EQUIPMENT

Occurrence columns (marked X): CV PRESS HI, CV PRESS HI HI, RC PRESS LO, RC PRESS LO LO, BWST LVL LO.
Periodic test frequency columns: Logic and Terminating Relays Half-trip Test; Actuated Equipment Test During Plant Operation; Actuated Equipment Test During Refueling Shutdown.

SFAS Protective Action System No.* | Incident No. | Occurrences | System Description* | Logic and Terminating Relays Half-trip Test | Actuated Equipment Test During Plant Operation | Actuated Equipment Test During Refueling Shutdown | Remarks
11 | 1 | X X | Emergency ventilation system | Note 6 | Quarterly | Yes |
12 | 1 | X X | Containment purge and sample valve isolation system | Note 6 | Quarterly | Yes | Note 1
21 | 2 | X X | High pressure injection system | Note 6 | Quarterly | Yes |
22 | 2 | X X | Containment Air Cooling system | Note 6 | Quarterly | Yes |
23 | 2 | X X | Component Cooling Water System | Note 6 | Quarterly | Yes | Note 2
24 | 2 | X X | Service Water System | Note 6 | Quarterly | Yes |
25 | 2 | X X | Containment spray valve | Note 6 | Quarterly | Yes |
26 | 2 | X X | Emergency diesel generator | Note 6 | Monthly | Yes |
27 | 2 | X X | CV Isolation System No. 1 Group 1 | Note 6 | Quarterly | Yes | MU2A, MU3 tested at Refueling Shutdown only per Note 5.
28 | 2 | X X | CV Isolation System No. 1 Group 2 | Note 6 | Quarterly | Yes | DH7A, DH7B, DH9A, DH9B tested at Refueling Shutdown only per Note 5.
29 | 2 | X X | CV Isolation System No. 1 Group 3 | Note 6 | Quarterly | Yes |
31 | 3 | X X | Low Pressure Injection System | Note 6 | Quarterly | Yes |
32 | 3 | X X | CV Isolation System No. 2 Group 1 | Note 6 | Quarterly | Yes |
33 | 3 | X X | CV Isolation System No. 2 Group 2 | Note 6 | N/A | Yes | Note 5
41 | 4 | X | Containment spray pump | Note 6 | Quarterly | Yes |
42 | 4 | X | CV Isolation System No. 3 Group 1 | Note 6 | Quarterly | Yes | Note 5
43 | 4 | X | CV Isolation System No. 3 Group 2 | | | | Note 3
51 | 5 | X | CV Emergency Sump Recirculation System | Note 6 | N/A | Yes | Note 5

* USAR Figures 7.3-1 through 7.3-8 provide further information on SFAS system numbers and equipment actuated by SFAS.

Notes

1. The system includes actuated equipment of the control room normal air conditioning system. Twice monthly logic testing for containment purge valves (CV 5005 through CV 5008) is not required.
2. Steam Generator Auto Level Setpoint Control tested only during refueling shutdown due to potential interference to power operation.
3. Components no longer actuated by SFAS signal.
4. For periodic actuated equipment testing performed during plant operation, control room hand switches are normally used to actuate equipment.
5. The CV isolation valves of this system will be tested during refueling shutdown only due to potential interference to power operation.
6. As required by Technical Specifications.


TABLE 7.3-3
SAFETY FEATURES ACTUATION SYSTEM TRIP SETPOINTS

Functional Units | Trip Setpoints | Allowable Values*

Instrument Strings
1. Containment Pressure - High | 18.7 psia |
2. Containment Pressure - High - High | 40.0 psia |
3. RCS Pressure - Low | 1600 psig |
4. RCS Pressure - Low - Low | 470 psig |
5. BWST Level | 108.5 inches |

* Refer to Technical Specification Table 3.3.5-1 for the Allowable Values

7.3-14 UFSAR Rev 31 10/2016

TABLE 7.3-4
SFAS OPERATING REQUIREMENTS

Equipment | Parameters | Nominal value | Allowable Range for abnormal conditions | Allowable Range for accident conditions
1. SFAS equipment in cabinet room | Power supply voltage | 118V AC | 118V AC 10% | 118V AC 10%
 | Power supply Frequency | 60Hz | 60Hz 3Hz | 60Hz 3Hz
 | Ambient temperature | 75F | 40-110F | 40-130F (for 168 hours)
 | Ambient humidity | 40% RH | Up to 80% RH | Up to 100% RH (without condensation)
 | Ambient pressure | Atmospheric | Atmospheric | Atmospheric
2a. RC pressure sensors inside the CV | Ambient temperature | 40-160F | 40-284F ** | 40-284F **
 | Ambient humidity | 100% RH | 100% RH, saturated steam | 100% RH, saturated steam
 | Ambient pressure | Atmospheric | 40 psig | 40 psig
 | Ambient radiation | 1 rad/hr | 2.47 x 10^7 rad accum | 2.47 x 10^7 rad accum
2b. solenoids inside the CV | Ambient temperature | 30-120F | 30-284F ** | 30-284F **
 | Ambient humidity | 100% RH | 100% RH, saturated steam | 100% RH, saturated steam
 | Ambient pressure | Atmospheric | 40 psig | 40 psig
 | Ambient radiation | 1 rad/hr | 2.47 x 10^7 rad accum | 2.47 x 10^7 rad accum
3. CV pressure sensors, outside CV | Ambient temperature | 80F | 40-120F | 40-120F
 | Ambient humidity | 50% | 30-100% RH | 30-100% RH
 | Ambient pressure | Atmospheric | Atmospheric | Atmospheric
4. BWST level sensors outdoors | Ambient temperature | -30 to 110F | -30 to 110F | -30 to 110F
 | Ambient humidity | 40-100% RH | 40-100% RH | 40-100% RH
 | Ambient pressure | Atmospheric | Atmospheric | Atmospheric
5. Motor control centers, low voltage unit sub-stations, medium voltage switchgear, solenoids outside CV | Ambient temperature | 32 to 104F * | 32 to 104F * | 32 to 104F *
 | Ambient humidity | 40 to 100% RH | 40 to 100% RH | 40 to 100% RH
 | Ambient pressure | Atmospheric | Atmospheric | Atmospheric
 | Control power supply voltage | 120V AC | 120V AC 10% | 120V AC 10%
 | | 120V DC | 90 to 140V DC | 90 to 140V DC
 | Control power supply frequency | 60Hz | 60Hz | 60Hz 3Hz
6. All above, 1 thru 5 | Seismic requirements | Refer to Section 3.10 | |
7. Items 1, 3, 4, and 5 outside CV | Ambient radiation | N/A | N/A | N/A
8. Items 1, 3, and 5 outside CV | High energy line break environment | Refer to Section 3.6 | |

* High Voltage Switchgear Rooms, Auxiliary Shutdown Panel Room and Component Cooling Water Pump Room (Rooms 323, 324, 325 and 328) have a maximum worst case temperature of 120F. ECCS Pump Rooms and Decay Heat Exchanger Pit (Rooms 105, 113 and 115) have a maximum worst case temperature of 140F.

** Equipment is qualified for a maximum containment temperature of 284 degrees F. Refer to Section 3.11 for maximum accident analysis temperatures.

TABLE 7.3-5
SFAS PERFORMANCE REQUIREMENTS

Measured station variable | System response times (a) | System accuracies | Ranges of sensed variables to be accommodated
1. CV pressure | 5 sec | (b) | 0 - 60 psia
2. RC pressure | 5 sec | (b) | 0 - 2500 psig
3. BWST level | 5 sec | (b) | 0 - 50 feet

(a) System response times do not include response time of the actuated equipment.

(b) System accuracy requirements are factored into Technical Specification Allowable Values determined in accordance with approved setpoint methodology

[Figure 7.3-1: Safety Features Actuation System Logic Diagram (Drawing E-16 Sh. 1), Revision 31, October 2016. Diagram not reproduced. The drawing notes state that the drawing indicates Channel No. 1 and that the arrangements of Channel No. 1 thru No. 4 are the same; that the logic is shown in a fail-safe mode, normally energized including the output relay, with the contacts shown de-energized; and that the diagram does not represent actual bistable wiring configurations.]

[Logic diagram signal legend; diagram not reproduced. Analog signals (input signals from station variables): CR - containment vessel radiation; CP - containment vessel pressure; RCP - reactor coolant pressure; borated water storage tank level. Digital signals: trip signals (TS).]

                                                                                                                                                                                              "~mElli!

ON FIGURE I, SHEET \. l.m

                                                                                                                                                                                                                           !                                                       !                                                                                                                                                                                                                                           NOTES:

I iJHEFT I CONT IN!JfO) 11 I II  ! 11 i I I II I ilmfimti§ili1I l lUfilft§fi§=fili1I I I. TO BE PROVIDED IN CH.I & CH . 2 ONLY. i1 I 1 II ,II I i1 II 1 I i1 II 12. REACTOR COOLANT PRESSURE INDICATION OUTPUT FOR CH.J AND CH. 4 ONLY. ri I 214 I 214 I 214 I 214 I 214 I 114 1!1 114 214 I 214 I 214 I 114 I 214 11 214 214 I 214 I 114 114 I 214 214 I 114 I 214 I 214 214 I 214 1! !I 214 I 214 I 114 I 114 I I 214 214 1!1,....21.._4...,l,......_21""4....,..2... 14.....,_l..1'-'14...;=l""'-'i-1'"'2... 14..........,12... 14...,l'l,....21... 4""1,.....21.._4.,l...2.._1'"'4...1....2'"'14......=1 I 114 I 214 11 214 I 114 I 114 I 114 I I 114 114 I \J. WIDE RANGE PRESSURE SIGNAL TO NNI : OWG. m9-E-GDJA SYSTEM LOGIC CIRCUIT rn rn SH. 9 IFOR CHANNEL 2 ONL Yl SYSTEM LOGIC NO. Lill ll21 l\13 L!1l L\12 Ll22 Ll\4 L\24 L111 L221 _1 L291 L2\ J L223 L293 L212 l222 L291 L2 14 L2Z4 L294 14. SIGHOL OUTPUT USED ON CH . I & CH. 2 ONLY. 1 1 1 111 1 1 1 1 1 111 1 1 1 1 1 11 1 1 1 1 15. ALL ANNUNCIATOR ANO COMPUTER OLARMS ARE NOT 0. -*:*~~:~ ~ ~: _*~. - ~ ~.L_~*"i__'. *:**: . . g LJ1 _l!_ ~1.]1.~*:r_ _'.*:r__  ::*! _~ ;:~ -~. *~._ ..,_~ .*:*~.L'.:*f____r* *r _*~_f .*_*1__

16. OUTPUT SIGNAL 10 PSH7528B AND PSH7531B IN CH. I &

CH. 4 RESPECTIVELY. t IL~*-0-EL-ET_rn_*~~~~~~~~~~~~ L_ ___[ \ ___ [fl:":J1___ :. *r___1*::::*_....t_I __ --  :......... 00"_1'*

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 \8. DELETED.
19. REA CTOR COOLANT WIDE RANGE PRESSURE SIGNAL TOT-SAT METER ! N ALL FOUR CHANIUS, BUFFEREO OUTPUT SIGNAL TO BE I 10 5 VOLTS D.C.
10. REACTOR COOLAN T WIDE RANCE PRESSURE SIGNAL TO IE I-SAT METER JN ALL FOUR CHANNELS.

SAFETY ACTUATION SIGNAL < < - - - - - -

21. INPUT LOGIC WIRING SEQUENCE FROM CHANNELS 11, 2,l & 4l
~\~U~}~~E~~N~~l4WN!~*Ct                  ~      ~        ~               ~                                                                                                                                                           ~ :           ~ ~
                                                                                                                                                ~- H++H+Ht+.._ ______________-:_:_ __-:J._:_ __ :._..::. ________________ *I+ - -
: IS SHOllH DIAGRAMAT\CALL T ANO MAY NOT REPRESENT THE llTE~!..,2H!!!!_1.£!__ --------------------------- H-t -l+ - - - ++H-l ~-------------- ACTUAL WIRING SEQUENCE CONF IGURATION. THE INPUT FROM E

THE ASSOC IATEO CHANNEL 11.E. THE INPUT rROM THE Cl!ANtH "Woill,A~1T~AH~~~~lsl:Ai ~ ~ ~ ~ ~ ~ § § ~ I TRIP BISTABLE INTO THE CHANNEL I OIJTPUT MODIJLEI ALWAYS COMES INTO GATE S SHOWN FOR CHANNELS I OR 2. ~~~~~~~ --------------------------~-~-~----~----------------------------------------~~--~~--~--~--------------- 11. M & IE EOUIPMENT JS USED AS THE I NDICATOR UTILIZING TEST JACKS PROVIDED ON THE CABINET PANEL. i . - - - - - - - - - - - - - - - - - - - - SAFETY ACTUATION INC IDEN T NO. \ --------------------0----------------------- SAFETY ACTUATION INCIDENT N 0 . 1 - - - - - - - - - - - - - - - - - - - - - - NOTES; \SHEET 21 FOR CHANllEL BYPASSES OPERATING 8YP4SSES, CHANNEL FAILURE SURVEILLANCES, SEQUENCERS ANO BUHER CIRCUITS, SEE LOGIC DIAGRAM owe. E-16 SH.I IUSAR FIG. 7.3- 11. OCSCRIPTJ()l REACTOR COOLANT PRESSURE BORATED WATER STORAG£ TANK LE VEL REFERENCE QRAW!NG l SENSOR GROUP N0.2 SENSOR GROUP N0.4 I. E*I TB \SHEET 71 "SAFETY FEATURES ACTUATION SYSTEM ACTUATED INPUT SIGNAL FROM EOUIP\£NT TABUL4l\ON LEGEND, S\GIUL DESCR \Pl\ON ~ NOTES " STATION VARIABLES r* --------*----**--*-.. -*--**-**-**r** **-**-**-----*-*--.. - .. -------*i-** ----*-**-.. -------*------*--*-,----- --**--*----**-*---*----*--** IUSAR FIG . 7.l-31.

1. COOSOUDATEO CONIR11S CORPORATlllll owe. S9N\6-I THRU 4
CHANNEL NO. I  : CHANNEL HQ, J  : CHA\>tlEL NO. 2  : CHANNEL N0.4 I I I I

()749-EJO-ll THRU 16,1l THRU JO,Jl THRU l8 ,4T & 48l rn~ IFSAR APPENDIX 7-BI

                           !I RCP1 I                                         !\ RCP3
l. 1749-E-760 BLOCK DIAGRAM, SFAS REMOTE POSI TION SWITCH TI NUATI ON RCP1 RCP4 CPI CPl MONITORING SEE CORO. A- 11 1 \ I I I
                                                                                                                                                                                                                                 ~"""'" '                         ~.,..**.
4. 1749-E*76\ BLOCK DI AGRAM , INTERCOHNECTINC CABLES
                          ~E§§~~~~~~~~=======t=t====~======t=t====~-------r-i---,

[~~'"*m* ~'"~" ~m*m' ~""'"" ¢~'"~' ~'"'~ THIS owG.

                                                                                                                                                                                  ¢""""'" ¢,.,,,,
5. 7749-E-761 BLOC! DIAGRAM, SFAS MI SC. CIRCUITS
6. 7749*[*540 CONNECTION DIAGRAM, SFAI TRIP BISTABLE 7. E-17B \SHEET 11 ' SAFETY FEATURES ACTUATION SYSTEM ACTUATEO EOUIPJUT TABULATIOO" (USAR FIG. T.J-3AI.
rs221 ITRLK T511J ITRL! TS222 ITRlK TS224 I TRLK TS321 TSl23 8. E-178 \SHEET 21 "SAFETY FEATURES ACTUAT!Oll SYSTEM PRZR HTR HVCF\B HVCFIA HYOHI I ~ ACTUATEO EOIJ\PMENT TABll.AlJOO" I USAR FIG. T. J-41.

PRZR NTR

9. E-17B !SHEET ll "S AFETY FEATURES ACTUATION SYSTEM
                   ~~~H~i~~~~~~~~§~E1 3~~~~~~~~§~t!,~~~~~~~~~au,.~~~~~~~~~~ill !                                                                                                                                                                                                                                                                                                                                                                                                                                                    ACTUATED EOIJIPMENT TABULA TIOO ' IUSAR FI G. l.J-5l.
10. E-ITB !SHEET 41 "SAFETY FEATURES ACTUATION SYSTEM ACTUATED El)JJPMENT TABULAl!OO " IUSAR FI G. 7.l-6l.
                                                                             ;                                               i                                                                                              i                                                                                                                                                                                                                                                                                                  \ I . E-118 !SHEET 51 ' SAFETY FEATURES ACTUATION SYSTEM ACTUATED EOUIP~NT TABULATION' IUSAR FIG. T.J*7l.
11. E-17B !SHEET GI "SAFETY FEATURES ACTUATION SYSTEM ACTUATED EOUIPMENT TABULATION" IUIAR FIG . T.l-81.

FAIL-SAFE RELAY

       'ANO' GATE DAVIS-BESSE NUCLEAR POWER STATION SAFETY FEATURES ACTUATION SYSTEM SIGNAL DIAGRAM E-16 SH. 2 FIGURE 7.3-?

REVISION 31 OCTOBER 2016 THIS OWG. IS INTENDED Al A SYSTEM LOGIC DIAGRAM ANO DOES NOT REPRESENT ACTUAL WIRING CONf IGURATJONS 08 06-06-16 OFN°! :/HEC/£ 16SH2.0CN

LEGEND

FUNCTION
A ..... ALARM/PERMISSIVE
I ..... INTERLOCK
ST ..... START
SH ..... START HALF SPEED
SP ..... STOP
O ..... OPEN
C ..... CLOSE
T ..... TRIP
RC ..... RELAY CONTACT CLASSIFICATION (NOTE 2)

SAFETY ACTUATION SIGNAL DESCRIPTION (EXAMPLE: SA 411A)
Components labelled on the signal number: SEQUENTIAL LETTER; ACTUATION CHANNEL; SYSTEM; INCIDENT; SAFETY ACTUATION SIGNAL.
* ACTUATED EQUIPMENT WITH REMOTE MONITORING CONTACT (SEE NOTE 9 OF DWG. 7749-E-16, SH. 1)

NOTES:

1. THIS DRAWING IS MEANT AS AN ATTACHMENT TO DRAWING 7749-E16.
2. THE RELAY CONTACTS ARE CLASSIFIED TO ACTUATE THE CONTROL DEVICES AS FOLLOWS:
   RC 1 ... 4.16 KV & 480 V SWGR
   RC 2 ... 480 V STARTER SIZE ONE
   RC 3 ... 480 V STARTER SIZE FOUR, EXCEPT FOR C1-1, C1-2 AND C1-3 WHICH USE POTTER BRUMFIELD TYPE MDR RELAY
   RC 4 ... 125 V DC SOLENOID VLV
   SEE SECTION 10.6.2.3 OF SPEC 7749-E30
3. BLOCK SIGNAL TO SYSTEM LOGIC WILL AUTOMATICALLY RESET ON AN UNDERVOLTAGE CONDITION.
4. SA511A/B AND SA512A/B PROVIDE A PERMISSIVE SIGNAL TO VALVES DH7A/B AND DH9A/B TO ALLOW THE OPERATOR TO REPOSITION THE VALVES AFTER BLOCKING SFAS LEVEL 2. IN ADDITION, SA511A/B AND SA12A/B INITIATE THE CONTROL ROOM ANNUNCIATOR TO ALERT THE OPERATOR TO PERFORM THIS FUNCTION.
5. SURVEILLANCE, SAM LOGIC, AND PUMP JUMPER MODULE DEFINITIONS:
   1X - MOTOR OPERATED VALVE MODULE
   2I - SOLENOID OPERATED VALVE MODULE - INTERNALLY WIRED CABINET MODULE
   2F - SOLENOID OPERATED VALVE MODULE - FIELD WIRED CABINET MODULE
   3X - PUMP, FAN AND DIESEL GENERATOR MODULE
   4I - SAM RELAY BOARD - NEEDED ON INTERNALLY WIRED CABINET ONLY
   5X - PUMP JUMPER MODULE
   ** - 3X MODULES USED FOR DIESEL GENERATOR CIRCUITS MUST HAVE JUMPER INSTALLED AS SHOWN ON VENDOR DRAWING E-30-343.

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
SHEET 7 OF 7
E-17B SH. 7
FIGURE 7.3-3
REVISION 24 JUNE 2004

ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | EQUIPMENT DESCRIPTION | SA SIGNAL NO. | FUNCTION | SURVEILL MOD TYPE 1(2)/3(4) | SAM LOGIC MOD TYPE 1(2)/3(4) | PUMP JMPR MOD TYPE 1(2)/3(4) | SEQ. STEP | RC | SCHEME DWG. NO. | VDWG. NO. CH. 1(2) | VDWG. NO. CH. 3(4)
C 30-1 | EMER VENT FAN 1 | SA 111A | ST | 1X/1X | 4I | | 1 | 2 | E58B-8 | E-30-14 | E-30-35
HV 5439 | ECCS RM 105 HV & A/C ISO VLV | SA 111B | C | 1X/1X | 4I | | 1 | 2 | E60B-5 | E-30-14 | E-30-35
HV 5440 | ECCS RM 105 HV & A/C ISO VLV | SA 111C | C | 1X/1X | 4I | | 1 | 2 | E60B-5 | E-30-14 | E-30-35
HV 5024 | EMER VENT FAN 1 VLV FRM AUX. BLDG. | SA 111D | C | 1X/1X | 4I | | 1 | 2 | E58B-11 A&B | E-30-14 | E-30-35
SV 5716 | ECCS RM 115 ISO DMPR. | SA 111E* | C | 2F/2I | | | 1 | 4 | E60B-23 | E-30-14 | E-30-35
C 30-2 | EMER VENT FAN 2 | SA 112A | ST | 1X/1X | 4I | | 1 | 2 | E58B-8 | E-30-24 | E-30-28
HV 5441 | ECCS RM 115 HV & A/C ISO VLV | SA 112B | C | 1X/1X | 4I | | 1 | 2 | E60B-5 | E-30-24 | E-30-28
HV 5442 | ECCS RM 115 HV & A/C ISO VLV | SA 112C | C | 1X/1X | 4I | | 1 | 2 | E60B-5 | E-30-24 | E-30-28
HV 5025 | EMER VENT FAN 2 VLV FRM AUX. BLDG. | SA 112D | C | 1X/1X | 4I | | 1 | 2 | E58B-11 A&B | E-30-24 | E-30-28
SV 5715 | ECCS RM 105 ISO DMPR. | SA 112E* | C | 2F/2I | | | 1 | 4 | E60B-23 | E-30-24 | E-30-28
SPARE | | SA 121A | | | | | 1 | 3 | | E-30-14 | E-30-35
HV 5008 | CTMT PURGE OUT ISO VLV | SA 121B* | C | 2F/2I | | | 1 | 4 | E58B-7 A&B | E-30-14 | E-30-35
HV 5011A | CTMT AIR SAMPLE ISO VLV | SA 121C* | C | 1X/1X | | | 1 | 2 | E58B-14 A-C | E-30-14 | E-30-35
HV 5011B | CTMT AIR SAMPLE ISO VLV | SA 121D* | C | 1X/1X | | | 1 | 2 | E58B-15 A&B | E-30-14 | E-30-35
HV 5011C | CTMT AIR SAMPLE ISO VLV | SA 121E* | C | 1X/1X | | | 1 | 2 | E58B-14 A-C | E-30-14 | E-30-35
HV 5011D | CTMT AIR SAMPLE ISO VLV | SA 121F* | C | 1X/1X | | | 1 | 2 | E58B-15 A&B | E-30-14 | E-30-35
HV 5006 | CTMT PURGE IN ISO VLV | SA 121G* | C | 2F/2I | | | 1 | 4 | E58B-6 | E-30-14 | E-30-35
HV 5009 | MECH PENT RMS 2 & 4 PURGE VLV | SA 121H* | C | 2F/2I | | | 1 | 4 | E58B-7 A&B | E-30-14 | E-30-35
HV 5016 | MECH PENT RMS 1 & 3 PURGE VLV | SA 121I* | C | 2F/2I | | | 1 | 4 | E58B-7 A&B | E-30-14 | E-30-35
HV 5011E | CTMT AIR SAMPLE RET ISO VLV | SA 121J* | C | 1X/1X | | | 1 | 2 | E58B-14 A-C | E-30-14 | E-30-35
SPARE | | SA 121K | | | | | 1 | 2 | | E-30-14 | E-30-35
SV 5301 | CTRM AIR HANDL VLV 1 | SA 121L* | C | 2F/2I | | | 1 | 4 | E60B-14 A-D | E-30-14 | E-30-35
SPARE | | SA 122A | | | | | 1 | 3 | | E-30-24 | E-30-28
HV 5010D | CTMT AIR SAMPLE ISO VLV | SA 122B* | C | 1X/1X | | | 1 | 2 | E58B-14 A-C | E-30-24 | E-30-28
HV 5004 | MECH PENT RMS 1 & 3 PURGE VLV | SA 122C* | C | 2F/2I | | | 1 | 4 | E58B-7 A&B | E-30-24 | E-30-28
HV 5021 | MECH PENT RMS 2 & 4 PURGE VLV | SA 122D* | C | 2F/2I | | | 1 | 4 | E58B-7 A&B | E-30-24 | E-30-28
HV 5005 | CTMT PURGE IN ISO VLV | SA 122E* | C | 2F/2I | | | 1 | 4 | E58B-7 A&B | E-30-24 | E-30-28
HV 5007 | CTMT PURGE OUT ISO VLV | SA 122F* | C | 2F/2I | | | 1 | 4 | E58B-6 | E-30-24 | E-30-28
HV 5010A | CTMT AIR SAMPLE ISO VLV | SA 122G* | C | 1X/1X | | | 1 | 2 | E58B-15 A&B | E-30-24 | E-30-28
HV 5010B | CTMT AIR SAMPLE ISO VLV | SA 122H* | C | 1X/1X | | | 1 | 2 | E58B-14 A-C | E-30-24 | E-30-28
HV 5010C | CTMT AIR SAMPLE ISO VLV | SA 122I* | C | 1X/1X | | | 1 | 2 | E58B-15 A&B | E-30-24 | E-30-28
HV 5010E | CTMT AIR SAMPLE RET ISO VLV | SA 122J* | C | 1X/1X | | | 1 | 2 | E58B-14 A-C | E-30-24 | E-30-28
SPARE | | SA 122K | | | | | 1 | 2 | | E-30-24 | E-30-28
SV 5311 | CTRM AIR HANDL VLV 2 | SA 122L* | C | 2F/2I | | | 1 | 4 | E60B-14 A-D | E-30-24 | E-30-28
P 58-1 | HP INJ PMP 1 | SA 211A* | ST | 3X/3X | | 5X/5X | 2 | 1 | E52B-5 A&B | E-30-14 | E-30-35
HV HP2C | HP INJ 1-1 VLV | SA 211B | O | 1X/1X | 4I | | 2 | 2 | E52B-26 A&B | E-30-14 | E-30-35
HV HP2D | HP INJ 1-2 VLV | SA 211C | O | 1X/1X | 4I | | 2 | 2 | E52B-26 A&B | E-30-14 | E-30-35
SPARE | | SA 211D* | | | | | 2 | 4 | | E-30-14 | E-30-35

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
SHEET 1 OF 1
E-17B SH. 1
FIGURE 7.3-3A
REVISION 25 JUNE 2006
DB 03-13-06 DFN=I:/ELEC/E17BSH1.DGN

ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | EQUIPMENT DESCRIPTION | SA SIGNAL NO. | FUNCTION | SURVEILL MOD TYPE 1(2)/3(4) | SAM LOGIC MOD TYPE 1(2)/3(4) | PUMP JMPR MOD TYPE 1(2)/3(4) | SEQ. STEP | RC | SCHEME DWG. NO. | VDWG. NO. CH. 1(2) | VDWG. NO. CH. 3(4)
P 58-2 | HP INJ PMP 2 | SA 212A* | ST | 3X/3X | | 5X/5X | 2 | 1 | E52B-5 C&D | E-30-24 | E-30-28
HV HP2A | HP INJ 2-1 VLV | SA 212B | O | 1X/1X | 4I | | 2 | 2 | E52B-26 A&B | E-30-24 | E-30-28
HV HP2B | HP INJ 2-2 VLV | SA 212C | O | 1X/1X | 4I | | 2 | 2 | E52B-26 A&B | E-30-24 | E-30-28
SPARE | | SA 212D* | | | | | 2 | 4 | | E-30-24 | E-30-28
C 1-1 | CTMT CLR FAN 1 | SA 221A | SH | 1X/1X | 4I | | 5 | 3 | E58B-1 A&B | E-30-14 | E-30-35
C 1-3 | CTMT CLR FAN 3 | SA 221B | SH | 1X/1X | 4I | | 5 | 3 | E58B-2 A&B | E-30-14 | E-30-35
SPARE | | SA 221C | | | | | 5 | 2 | | E-30-14 | E-30-35
SPARE | | SA 221D* | | | | | 5 | 4 | | E-30-14 | E-30-35
C 1-2 | CTMT CLR FAN 2 | SA 222A | SH | 1X/1X | 4I | | 5 | 3 | E58B-1 A&B | E-30-24 | E-30-28
C 1-3 | CTMT CLR FAN 3 | SA 222B | SH | 1X/1X | 4I | | 5 | 3 | E58B-2 C&D | E-30-24 | E-30-28
SPARE | | SA 222C | | | | | 5 | 2 | | E-30-24 | E-30-28
SPARE | | SA 222D* | | | | | 5 | 4 | | E-30-24 | E-30-28
P 43-1 | CC PUMP 1 | SA 231A* | ST | 3X/3X | | 5X/5X | 1 | 1 | E50B-3 C&D | E-30-14 | E-30-35
P 43-3 | CC PUMP 3 | SA 231B* | ST | 3X/3X | | 5X/5X | 1 | 1 | E50B-4 A-F | E-30-14 | E-30-35
HV 5070 | CTMT VACM RLF ISO VLV | SA 231C | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-14 | E-30-35
HV 5071 | CTMT VACM RLF ISO VLV | SA 231D | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-14 | E-30-35
HV 5072 | CTMT VACM RLF ISO VLV | SA 231E | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-14 | E-30-35
HV 5073 | CTMT VACM RLF ISO VLV | SA 231F | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-14 | E-30-35
HV 5074 | CTMT VACM RLF ISO VLV | SA 231G | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-14 | E-30-35
LY 6453 | SG AUTO LVL CTRL | SA 231H | T | 1X/1X | 4I | | 1 | 2 | E44B-24 | E-30-14 | E-30-35
P 43-2 | CC PUMP 2 | SA 232A* | ST | 3X/3X | | 5X/5X | 1 | 1 | E50B-3 A&B | E-30-24 | E-30-28
P 43-3 | CC PUMP 3 | SA 232B* | ST | 3X/3X | | 5X/5X | 1 | 1 | E50B-4 A-F | E-30-24 | E-30-28
HV 5075 | CTMT VACM RLF ISO VLV | SA 232C | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-24 | E-30-28
HV 5076 | CTMT VACM RLF ISO VLV | SA 232D | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-24 | E-30-28
HV 5077 | CTMT VACM RLF ISO VLV | SA 232E | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-24 | E-30-28
HV 5078 | CTMT VACM RLF ISO VLV | SA 232F | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-24 | E-30-28
HV 5079 | CTMT VACM RLF ISO VLV | SA 232G | C | 1X/1X | 4I | | 1 | 2 | E58B-10 A&B | E-30-24 | E-30-28
LY 6454 | SG AUTO LVL CTRL | SA 232H | T | 1X/1X | 4I | | 1 | 2 | E44B-24 | E-30-24 | E-30-28
P 3-1 | SW PUMP 1 | SA 241A* | ST | 3X/3X | | 5X/5X | 4 | 1 | E48B-6 A&B | E-30-14 | E-30-35
P 3-3 | SW PUMP 3 | SA 241B* | ST | 3X/3X | | 5X/5X | 4 | 1 | E48B-11 A-D | E-30-14 | E-30-35
TV 1424 | SW FROM CC HX 1 ISO VLV | SA 241C* | O | 2I/2F | | | 4 | 4 | E48B-30 | E-30-14 | E-30-35
TV 1429 | SW FROM CC HX 3 ISO VLV | SA 241D* | O | 2I/2F | | | 4 | 4 | E48B-31 A&B | E-30-14 | E-30-35
SPARE | | SA 241E | | | | | 4 | 2 | | E-30-14 | E-30-35
P 3-2 | SW PUMP 2 | SA 242A* | ST | 3X/3X | | 5X/5X | 4 | 1 | E48B-6 C&D | E-30-24 | E-30-28
P 3-3 | SW PUMP 3 | SA 242B* | ST | 3X/3X | | 5X/5X | 4 | 1 | E48B-11 C-F | E-30-24 | E-30-28
TV 1434 | SW FROM CC HX 2 ISO VLV | SA 242C* | O | 2I/2F | | | 4 | 4 | E48B-30 | E-30-24 | E-30-28

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
E-17B SH. 2
FIGURE 7.3-4
REVISION 22 NOVEMBER 2000
DB 11-15-00 DFN=I:/ELEC/E17BSH2.DGN

ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | EQUIPMENT DESCRIPTION | SA SIGNAL NO. | FUNCTION | SURVEILL MOD TYPE 1(2)/3(4) | SAM LOGIC MOD TYPE 1(2)/3(4) | PUMP JMPR MOD TYPE 1(2)/3(4) | SEQ. STEP | RC | SCHEME DWG. NO. | VDWG. NO. CH. 1(2) | VDWG. NO. CH. 3(4)
TV 1429 | SW FROM CC HX 3 ISO VLV | SA 242D* | O | 2I/2F | | | 4 | 4 | E48B-31 A&B | E-30-24 | E-30-28
SPARE | | SA 242E | | | | | 4 | 2 | | E-30-24 | E-30-28
HV 1530 | CS 1 ISO VLV | SA 251A | O | 1X/1X | 4I | | 1 | 2 | E52B-21 A&B | E-30-15 | E-30-36
SPARE | | SA 251B | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 251C* | | | | | 1 | 4 | | E-30-15 | E-30-36
HV 1531 | CS 2 ISO VLV | SA 252A | O | 1X/1X | 4I | | 1 | 2 | E52B-21 A&B | E-30-25 | E-30-29
SPARE | | SA 252B | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 252C* | | | | | 1 | 4 | | E-30-25 | E-30-29
K 5-1 | EMER DG 1 | SA 261A* | ST | 3X**/3X** | | 5X/5X | 1 | 2 | E64B-1 A-F, NOTE 3 | E-30-15 | E-30-36
SPARE | | SA 261B | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 261C* | | | | | 1 | 4 | | E-30-15 | E-30-36
K 5-2 | EMER DG 2 | SA 262A* | ST | 3X**/3X** | | 5X/5X | 1 | 2 | E64B-2 A-F, NOTE 3 | E-30-25 | E-30-29
SPARE | | SA 262B | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 262C* | | | | | 1 | 4 | | E-30-25 | E-30-29
HV MU2A | RC LETDOWN DELAY COIL OUT VLV | SA 271A | C | 1X/1X | 4I | | 1 | 2 | E49B-18 | E-30-15 | E-30-36
SPARE | | SA 271B | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 271C* | | | | | 1 | 4 | | E-30-15 | E-30-36
HV 2012A | CTMT NORM SUMP ISO VLV | SA 271D | C | 1X/1X | 4I | | 1 | 2 | E56B-24 A&B | E-30-15 | E-30-36
HV 240A | RC PRZR SAMPLE VLV | SA 271E | C | 1X/1X | 4I | | 1 | 2 | E52B-15 | E-30-15 | E-30-36
HV 1399 | SW ISO VLV TO CLNG WTR | SA 271F | C | 1X/1X | 4I | | 1 | 2 | E48B-9 A&B | E-30-15 | E-30-36
HV 1773A | RC DT HDR ISO VLV | SA 271G* | C | 2I/2F | | | 1 | 4 | E52B-39 | E-30-15 | E-30-36
HV 1719A | CTMT VENT HDR ISO VLV | SA 271H* | C | 2I/2F | | | 1 | 4 | E52B-39 | E-30-15 | E-30-36
HV 607 | SG 1 SAMPLE ISO VLV | SA 271I* | C | 2I/2F | | | 1 | 4 | E46B-23 A&B | E-30-15 | E-30-36
SPARE | | SA 271J* | | | | | 1 | 4 | | E-30-15 | E-30-36
HV 235A | PRZR QNCH TK SAMPLE ISO VLV | SA 271K* | C | 2I/2F | | | 1 | 4 | E52B-32 | E-30-15 | E-30-36
HV 1544 | CF TK 1 H2O & N2 FILL ISO VLV | SA 271L* | C | 2I/2F | | | 1 | 4 | E52B-29 A&B | E-30-15 | E-30-36
HV MU3 | RC LETDOWN HI TEMP VLV | SA 272A* | C | 2I/2F | | | 1 | 4 | E49B-22 A-C | E-30-25 | E-30-29
SPARE | | SA 272B* | | | | | 1 | 4 | | E-30-25 | E-30-29
HV 2012B | CTMT NORM SUMP ISO VLV | SA 272C | C | 1X/1X | 4I | | 1 | 2 | E56B-25 A&B | E-30-25 | E-30-29
HV 240B | RC PRZR VAPOR SAMPLE VLV | SA 272D | C | 1X/1X | 4I | | 1 | 2 | E52B-16 A&B | E-30-25 | E-30-29
HV 1542 | CF TK VENT ISO VLV | SA 272E* | C | 2I/2F | | | 1 | 4 | E52B-29 A&B | E-30-25 | E-30-29
HV 1395 | SW ISO VLV TO CLNG WTR | SA 272F | C | 1X/1X | 4I | | 1 | 2 | E48B-9 A&B | E-30-25 | E-30-29
HV 1773B | RC DT HDR ISO VLV | SA 272G* | C | 2I/2F | | | 1 | 4 | E52B-40 | E-30-25 | E-30-29
HV 1719B | CTMT VENT HDR ISO VLV | SA 272H* | C | 2I/2F | | | 1 | 4 | E52B-40 | E-30-25 | E-30-29
HV 598 | SG 2 SAMPLE ISO VLV | SA 272I* | C | 2I/2F | | | 1 | 4 | E46B-23 A&B | E-30-25 | E-30-29
SPARE | | SA 272J* | | | | | 1 | 4 | | E-30-25 | E-30-29

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
E-17B SH. 3
FIGURE 7.3-5
REVISION 22 NOVEMBER 2000
DB 11 00 DFN=I:/ELEC/E17BSH3.DGN

ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | EQUIPMENT DESCRIPTION | SA SIGNAL NO. | FUNCTION | SURVEILL MOD TYPE 1(2)/3(4) | SAM LOGIC MOD TYPE 1(2)/3(4) | PUMP JMPR MOD TYPE 1(2)/3(4) | SEQ. STEP | RC | SCHEME DWG. NO. | VDWG. NO. CH. 1(2) | VDWG. NO. CH. 3(4)
HV 235B | PRZR QNCH TK SAMPLE ISO VLV | SA 272K* | C | 2I/2F | | | 1 | 4 | E52B-33 | E-30-25 | E-30-29
HV 1541 | CF TK 2 H2O & N2 FILL ISO VLV | SA 272L* | C | 2I/2F | | | 1 | 4 | E52B-29 A&B | E-30-25 | E-30-29
HV DH9B | CTMT EMER SUMP VLV | SA 281A | C | 1X/1X | 4I | | 1 | 2 | E52B-19 A-C | E-30-16 | E-30-37
DELETED
DELETED
DELETED
DELETED
SPARE | | SA 281F | | | | | 1 | 2 | | E-30-16 | E-30-37
HV DH7B | BWST OUT VLV | SA 281G | O | 1X/1X | 4I | | 1 | 2 | E52B-19 A-C | E-30-16 | E-30-37
HV 236 | N2 CTMT ISO VLV | SA 281H* | C | 2I/2F | | | 1 | 4 | E62B-5 | E-30-16 | E-30-37
HV 229A | PRZR QNCH TK OUT ISO VLV | SA 281I* | C | 2I/2F | | | 1 | 4 | E52B-34 | E-30-16 | E-30-37
SPARE | | SA 281J* | | | | | 1 | 4 | | E-30-16 | E-30-37
DELETED
DELETED
DELETED
SPARE | | SA 281N* | | | | | 1 | 4 | [30-16 | E-30-16 | E-30-37
HV 232 | PRZR QNCH TK IN ISO VLV | SA 282A* | C | 2I/2F | | | 1 | 4 | E52B-36 | E-30-26 | E-30-30
HV 229B | PRZR QNCH TK OUT ISO VLV | SA 282B* | C | 2I/2F | | | 1 | 4 | E52B-35 | E-30-26 | E-30-30
DELETED
HV 1545 | CF TK SAMPLE VLV | SA 282D* | C | 2I/2F | | | 1 | 4 | E52B-29 A&B | E-30-26 | E-30-30
HV DH9A | CTMT EMER SUMP VLV | SA 282E | C | 1X/1X | 4I | | 1 | 2 | E52B-19 A-C | E-30-26 | E-30-30
DELETED
HV DH7A | BWST OUT VLV | SA 282G | O | 1X/1X | 4I | | 1 | 2 | E52B-19 A-C | E-30-26 | E-30-30
HV 2011 | CTMT INSTR AIR ISO VLV | SA 282H* | C | 2I/2F | | | 1 | 4 | E62B-4 | E-30-26 | E-30-30
HV 2010 | CTMT SERV AIR ISO VLV | SA 282I* | C | 2I/2F | | | 1 | 4 | E62B-4 | E-30-26 | E-30-30
SPARE | | SA 282J* | | | | | 1 | 4 | | E-30-26 | E-30-30
DELETED
SPARE | | SA 282L | | | | | 1 | 2 | | E-30-26 | E-30-30
HV 5090 | CTMT H2 DILUTION IN ISO VLV | SA 291A | C | 1X/1X | 4I | | 1 | 2 | E58B-5 A&B | E-30-16 | E-30-37
SPARE | | SA 291B | | | | | 1 | 2 | | E-30-16 | E-30-37
HV 6831A | RCP STOP DEMIN WTR ISO VLV | SA 291C* | C | 2I/2F | | | 1 | 4 | E49B-20 | E-30-16 | E-30-37
SPARE | | SA 291D* | | | | | 1 | 4 | | E-30-16 | E-30-37
HV 5038 | CTMT H2 DILUTN OUT ISO VLV | SA 291E | C | 1X/1X | 4I | | 1 | 2 | E58B-5 A&B | E-30-16 | E-30-37
SPARE | | SA 291F | | | | | 1 | 2 | | E-30-16 | E-30-37
SPARE | | SA 291G | | | | | 1 | 2 | | E-30-16 | E-30-37
SPARE | | SA 292A | | | | | 1 | 2 | | E-30-26 | E-30-30
HV 5065 | CTMT H2 DILUTION IN ISO VLV | SA 292B | C | 1X/1X | 4I | | 1 | 2 | E58B-5 A&B | E-30-26 | E-30-30
HV 6831B | RCP STOP DEMIN WTR ISO VLV | SA 292C* | C | 2I/2F | | | 1 | 4 | E49B-19 A&B | E-30-26 | E-30-30
SPARE | | SA 292D* | | | | | | 4 | | E-30-26 | E-30-30
HV 5037 | CTMT H2 DILUTN OUT ISO VLV | SA 292E | C | 1X/1X | 4I | | 1 | 2 | E58B-5 A&B | E-30-26 | E-30-30

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
E-17B SH. 4
FIGURE 7.3-6
REVISION 22 NOVEMBER 2000
DB 11-15-00 DFN=I:/ELEC/E17BSH4.DGN

ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | EQUIPMENT DESCRIPTION | SA SIGNAL NO. | FUNCTION | SURVEILL MOD TYPE 1(2)/3(4) | SAM LOGIC MOD TYPE 1(2)/3(4) | PUMP JMPR MOD TYPE 1(2)/3(4) | SEQ. STEP | RC | SCHEME DWG. NO. | VDWG. NO. CH. 1(2) | VDWG. NO. CH. 3(4)
SPARE | | SA 292F | | | | | 1 | 2 | | E-30-26 | E-30-30
SPARE | | SA 292G | | | | | 1 | 2 | | E-30-26 | E-30-30
P 42-1 | DH PMP 1 | SA 311A* | ST | 3X/3X | | 5X/5X | 3 | 1 | E52B-6 A&B | E-30-14 | E-30-35
SPARE | | SA 311B | | | | | 3 | 2 | | E-30-14 | E-30-35
HV 1467 | CC FROM DH CLR 1 OUT VLV | SA 311C* | O | 2F/2I | | | 3 | 4 | E50B-11 | E-30-14 | E-30-35
HV 2733 | DH PMP 1 SUCT VLV FROM BWST | SA 311D | O | 1X/1X | 4I | | 3 | 2 | E52B-23 A&B | E-30-14 | E-30-35
HV DH14B | DH CLR 1 OUT VLV | SA 311E* | O | 2F/2I | | | 3 | 4 | E52B-25 A&B | E-30-14 | E-30-35
HV DH13B | DH CLR 1 BYPASS VLV | SA 311F* | O | 2F/2I | | | 3 | 4 | E52B-25 A&B | E-30-14 | E-30-35
P 42-2 | DH PMP 2 | SA 312A* | ST | 3X/3X | | 5X/5X | 3 | 1 | E52B-6 C&D | E-30-24 | E-30-28
SPARE | | SA 312B | | | | | 3 | 2 | | E-30-24 | E-30-28
HV 1469 | CC FROM DH CLR 2 OUT VLV | SA 312C* | O | 2F/2I | | | 3 | 4 | E50B-11 | E-30-24 | E-30-28
HV 2734 | DH PMP 2 SUCT VLV FROM BWST | SA 312D | O | 1X/1X | 4I | | 3 | 2 | E52B-23 A&B | E-30-24 | E-30-28
HV DH14A | DH CLR 2 OUT VLV | SA 312E* | O | 2F/2I | | | 3 | 4 | E52B-25 A&B | E-30-24 | E-30-28
HV DH13A | DH CLR 2 BYPASS VLV | SA 312F* | O | 2F/2I | | | 3 | 4 | E52B-25 A&B | E-30-24 | E-30-28
HV 1495 | CC AUX EQUIP IN VLV | SA 321A* | C | 2F/2I | | | 1 | 4 | E50B-15 A&B | E-30-15 | E-30-36
SPARE | | SA 321B | | | | | 1 | 2 | | E-30-15 | E-30-36
HV 1460 | CC VLV TO MAKE UP PUMP | SA 322A* | C | 2F/2I | | | 1 | 4 | E50B-12 A&B | E-30-25 | E-30-29
SPARE | | SA 322B | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 331A | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 331B | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 331C* | | | | | 1 | 4 | | E-30-15 | E-30-36
SPARE | | SA 331D* | | | | | 1 | 4 | | E-30-15 | E-30-36
HV MU59A | RCP 2-1 SEAL RET VLV | SA 331E | C | 1X/1X | 4I | | 1 | 2 | E52B-30 A&B | E-30-16 | E-30-37
HV MU59B | RCP 2-2 SEAL RET VLV | SA 331F | C | 1X/1X | 4I | | 1 | 2 | E52B-30 A&B | E-30-16 | E-30-37
HV MU59C | RCP 1-1 SEAL RET VLV | SA 331G | C | 1X/1X | 4I | | 1 | 2 | E52B-30 A&B | E-30-16 | E-30-37
HV MU59D | RCP 1-2 SEAL RET VLV | SA 331H | C | 1X/1X | 4I | | 1 | 2 | E52B-30 A&B | E-30-16 | E-30-37
SPARE | | SA 331I* | | | | | 1 | 4 | | E-30-16 | E-30-37
HV MU66B | RCP 2-2 SEAL IN ISO VLV | SA 331J* | C | 2I/2F | | | 1 | 4 | E52B-18 A&B | E-30-16 | E-30-37
HV MU66C | RCP 1-1 SEAL IN ISO VLV | SA 331K* | C | 2I/2F | | | 1 | 4 | E52B-18 A&B | E-30-16 | E-30-37
SPARE | | SA 332A | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 332B | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 332C* | | | | | 1 | 4 | | E-30-25 | E-30-29
SPARE | | SA 332D* | | | | | 1 | 4 | | E-30-25 | E-30-29
HV MU66A | RCP 2-1 SEAL IN ISO VLV | SA 332E* | C | 2I/2F | | | 1 | 4 | E52B-18 A&B | E-30-26 | E-30-30
HV MU38 | RCP SEAL RET ISO VLV | SA 332F* | C | 2I/2F | | | 1 | 4 | E49B-19 A,B&C | E-30-26 | E-30-30
HV MU66D | RCP 1-2 SEAL IN ISO VLV | SA 332G* | C | 2I/2F | | | 1 | 4 | E52B-18 A&B | E-30-26 | E-30-30
P 56-1 | CS PMP 1 | SA 411A* | ST | 3X/3X | | 5X/5X | 5 | 1 | E52B-7 A&B | E-30-15 | E-30-36
SPARE | | SA 411B | | | | | 5 | 2 | | E-30-15 | E-30-36
P 56-2 | CS PMP 2 | SA 412A* | ST | 3X/3X | | 5X/5X | 5 | 1 | E52B-7 A&B | E-30-25 | E-30-29
SPARE | | SA 412B | | | | | 5 | 2 | | E-30-25 | E-30-29

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
E-17B SH. 5
FIGURE 7.3-7
REVISION 22 NOVEMBER 2000
DB 11-15-00 DFN=I:/ELEC/E17BSH5.DGN

ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | EQUIPMENT DESCRIPTION | SA SIGNAL NO. | FUNCTION | SURVEILL MOD TYPE 1(2)/3(4) | SAM LOGIC MOD TYPE 1(2)/3(4) | PUMP JMPR MOD TYPE 1(2)/3(4) | SEQ. STEP | RC | SCHEME DWG. NO. | VDWG. NO. CH. 1(2) | VDWG. NO. CH. 3(4)
HV 1411A | CC IN ISO VLV TO CTMT | SA 421A | C | 1X/1X | 4I | | 1 | 2 | E50B-23 A&B | E-30-15 | E-30-36
HV 1407A | CC OUT ISO VLV FROM CTMT | SA 421B | C | 1X/1X | 4I | | 1 | 2 | E50B-9 A&B | E-30-15 | E-30-36
HV 1567A | CC IN ISO VLV TO CRD | SA 421C | C | 1X/1X | 4I | | 1 | 2 | E50B-7 A&B | E-30-15 | E-30-36
HV 1328 | CC CRD BOOSTER PMP 1 SUCT VLV | SA 421D | C | 1X/1X | 4I | | 1 | 2 | E50B-8 A&B | E-30-15 | E-30-36
SPARE | | SA 421E* | | | | | 1 | 4 | | E-30-15 | E-30-36
HV 1411B | CC IN ISO VLV TO CTMT | SA 422A | C | 1X/1X | 4I | | 1 | 2 | E50B-24 A&B | E-30-25 | E-30-29
HV 1407B | CC OUT ISO VLV FROM CTMT | SA 422B | C | 1X/1X | 4I | | 1 | 2 | E50B-10 A&B | E-30-25 | E-30-29
HV 1567B | CC IN ISO VLV TO CRD | SA 422C | C | 1X/1X | 4I | | 1 | 2 | E50B-21 A&B | E-30-25 | E-30-29
HV 1338 | CC CRD BOOSTER PMP 2 SUCT VLV | SA 422D | C | 1X/1X | 4I | | 1 | 2 | E50B-8 A&B | E-30-25 | E-30-29
SPARE | | SA 422E* | | | | | 1 | 4 | | E-30-25 | E-30-29
SPARE | | SA 431A* | | | | | 1 | 4 | | E-30-15 | E-30-36
SPARE | | SA 431B | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 431C | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 431D | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 431E* | | | | | 1 | 4 | | E-30-15 | E-30-36
SPARE | | SA 431F | | | | | 1 | 2 | | E-30-15 | E-30-36
SPARE | | SA 432A* | | | | | 1 | 4 | | E-30-25 | E-30-29
SPARE | | SA 432B | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 432C | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 432D | | | | | 1 | 2 | | E-30-25 | E-30-29
SPARE | | SA 432E | | | | | 1 | 4 | | E-30-25 | E-30-29
SPARE | | SA 432F | | | | | 1 | 2 | | E-30-25 | E-30-29
HV DH9B | CTMT EMER SUMP VLV | SA 511A | A | 1X/1X | 4I | | 1 | 2 | E52B-19 A-C, NOTE 4 | E-30-16 | E-30-37
HV DH7B | BWST OUT VLV | SA 511B | A | 1X/1X | | | 1 | 2 | E52B-19 A-C, NOTE 4 | E-30-16 | E-30-37
SPARE | | SA 511C* | | | | | 1 | 4 | | E-30-16 | E-30-37
SPARE | | SA 511D* | | | | | 1 | 4 | | E-30-16 | E-30-37
HV DH9A | CTMT EMER SUMP VLV | SA 512A | A | 1X/1X | 4I | | 1 | 2 | E52B-19 A-C, NOTE 4 | E-30-26 | E-30-30
HV DH7A | BWST OUT VLV | SA 512B | A | 1X/1X | | | 1 | 2 | E52B-19 A-C, NOTE 4 | E-30-26 | E-30-30
SPARE | | SA 512C* | | | | | 1 | 4 | | E-30-26 | E-30-30
SPARE | | SA 512D* | | | | | 1 | 4 | | E-30-26 | E-30-30

DAVIS-BESSE NUCLEAR POWER STATION
SAFETY FEATURES ACTUATION SYSTEM ACTUATED EQUIPMENT TABULATION
E-17B SH. 6
FIGURE 7.3-8
REVISION 22 NOVEMBER 2000
DB 11-15-00 DFN=I:/ELEC/E17BSH6.DGN

[Figure: piping diagram; graphics not reproduced in this text. Legible equipment and destination labels include CLEAN WASTE MONITOR TK 1-1 and 1-2, TURBINE ELECTROHYDRAULIC CONTROL SYSTEM, PRESSURIZER QUENCH TANK, STEAM GENERATOR 1-1 and 1-2, CORE FLOODING SYSTEM, BORIC ACID PACKAGE 1-1, RESIN FILL TANK 1-1 and 1-2, NITROGEN FILL CONNECTION, WASTE GAS DECAY TANKS, WASTE EVAPORATOR PACKAGE, AUX BOILER, MISC WASTE DRAIN TANK and DETERGENT WASTE DRAIN, with a boundary marked OUTSIDE CONTAINMENT / INSIDE CONTAINMENT.]

NOTES:
1. ALL VALVES ARE PREFIXED WITH "NN" UNLESS OTHERWISE NOTED.
2. FOR VALVES SHOWN ON THIS FIGURE, ACTUAL POSITIONS ARE CONTROLLED BY PLANT PROCEDURES.

THE CN CHANGE FOR THIS FIGURE WAS TO REPRINT IT TO SHOW

                                                                       -----1-..                                                                                                                                                                                                     NITROGEN SU'PL Y HEADER EAST ELECTRICAL PENETRATION ROOM CORRECT LINE WEIGHT AS REQUIRED BY DBBP-CM-1002. ATTACHMENT THERE WAS NO PHYSICAL OR TECHNICAL CHANGES MADE.

CSE£ 1'PICAL ZONE G-121 ATM VAPOA:IZ£R :fr,~~~~ WHOLE DRAWING NOT CLOUDED FOR CLARITY. ELECTRICAL PUETllATIONS REMOVE THIS NOTE AT NEXT UPDATE. 115 LOCAL LIOUIO

*~~~M4------..~--i~--,r-,

12 u NITROGD4

                                                                                                                    ...                           :,\fJ'r~

ELECTRICAL NITROGEN SU'PLY HEADER WEST ELECTRICAL PEMETRAllON ROOM cSIE TYPICAL ZONE G-121 DAVI S*BESSE NUCLEAR POWER STATION UNIT NO 1 TKE TOLEDO EDISON COltFANY FILL CONC110N P£1rTRAllOllS FUNCTIONAL DRAWING

  • NITROGEN SUPPLY SYSTEM REVISION 30
                                                                                                                                                                                                                                                                                                                                                                           -e BLDG COIL FIGURE NO            REY L---**-**-*-----------**-**-**-**-**-**-**-**-*---*-----*-**-**-**-**--*-**-**-**-**-**-**-**-**-**-**-**-**--*-**--*-**-**-

OCTOBER 2014 F [()URE 7. 3-9 4 10 12 13

                                                                                                                                                                                                                                                                                                                                            "                15                     16                          17

Davis-Besse Unit 1 Updated Final Safety Analysis Report
UFSAR Rev 32 9/2018

7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN

7.4.1 Description

The design of the systems required for safe shutdown is to provide for positive and safe reactor shutdown from all operating and transient load conditions without damage to the reactor. This is accomplished by a combination of automatic and manual systems. With regard to these systems, safe reactor shutdown is defined as that station condition in which the reactor is 1.0 percent subcritical and the reactor coolant system temperature and pressure are in the normal operating range.

7.4.1.1 Control Rod Drive Control System (CRDCS) - Trip Portion

7.4.1.1.1 Design Bases

The design bases for the CRDCS trip circuits are listed below (keyed to applicable parts of Section 3 of IEEE Standard 279-1968):

(3.1) The CRDCS is required to trip the shim-safety control rod drive mechanisms (CRDMs) whenever it receives an automatic trip command signal from the RPS or ARTS or a manual trip command signal from the operator.

(3.2) The CRDCS monitors the output voltage of the RPS network.

(3.6) The NI/RPS monitors primary plant parameters to operate the logic network. Refer to the Technical Specifications.

(3.7) The trip command does not require electrical power and is so arranged that the shim-safety CRDMs will trip upon loss of power. The CRDCS is designed to operate continuously at a temperature of 122°F (maximum) and a relative humidity of 80 percent (maximum).

(3.8) All CRDCS components influencing trip action are designed such that trip action is neither prevented nor delayed during or following a safe shutdown earthquake.

(3.9) The maximum allowable trip command time delay (difference between time power is interrupted to the CRDMs and time trip input is received from the RPS) within the CRDCS is 100 milliseconds.

7.4.1.1.2 System Description

The control rods are inserted into the core upon receipt of the RPS, ARTS, DSS, or manual trip signals, which act to de-energize the CRDMs. This reactor shutdown feature (the trip portion) of the CRDCS is the only aspect of the CRDCS which affects public safety and as such it is designed to very exacting and restrictive criteria.

The function of the CRDCS trip devices, shown in Figure 7.4-1, is to interrupt power to the CRDMs. The CRDCS trip logic is designed so that when power is removed from the control rod drive mechanism, the roller nuts disengage from the lead screw, and a free-fall gravity insertion of the control rods occurs. Two diverse and independent trip methods, in series, are provided for removal of power to the mechanisms. First, a trip is initiated when power is interrupted to the undervoltage (UV) coils of the main AC feeder breakers and to the undervoltage relays in the shunt trip circuits. Second, a trip is initiated when the gating signals to the silicon controlled rectifiers (SCRs) are interrupted. Since parallel power feeds are provided, interruption of both feeds is required for trip action in either method of trip.

The trip circuits consist of four independent RPS trip channels (Channels 1, 2, 3 and 4), an ARTS trip signal, two manual reactor trip switches in series, and at least one trip actuation device for each channel. Each of the four RPS trip channels receives power from the RPS and is energized for the non-tripped (normal) condition. A channel is defined as tripped when it is de-energized.

Two diverse and independent methods of CRDM power interruption are provided in order to ensure that trip will occur when commanded. These methods are in series within the system.

The primary method of trip interrupts the three-phase AC power to the CRDM motor power supplies. Three-pole, metal-clad power circuit breakers equipped with instantaneous undervoltage coils and shunt trip devices are used as primary trip devices. Because two parallel power circuits feed the CRDM motor power supplies, two AC trip breakers are provided in series in each feed. RPS Channel 2 energizes the undervoltage coil of breaker A and RPS Channel 4 energizes the undervoltage coil of breaker C to form the trip mechanism for the main bus. RPS Channel 1 energizes the undervoltage coil of breaker B and RPS Channel 3 energizes the undervoltage coil of breaker D to form the trip mechanism for the secondary bus. The trip breaker can remain closed only if its undervoltage coil is energized.

Upon loss of voltage at the undervoltage coil due to interruption by an RPS, ARTS or manual trip signal, the breaker trips (opens). No external power is required to trip the breakers, which have stored-energy trip mechanisms. The trip breakers must be manually reset once tripped. Breaker reset is possible only after the trip signal is reset to the untripped state.

Each trip breaker's shunt trip circuit operates as follows. An undervoltage (UV) relay is installed in parallel with the undervoltage coil of the trip breaker. Again, voltage interruption due to a trip signal de-energizes the UV relay, causing it to energize the shunt trip device, which is powered from essential 125 VDC, thereby tripping the breaker.

The second trip method interrupts the gate control signals to the SCRs in each of the sixty-one pairs of individual CRDM motor power supplies. The trip is provided by means of an electronic trip relay (K2) connected across the undervoltage device of trip breakers C and D. Loss of power to a K2 relay will cause a contact to open to notify the Control Rod Drive Control System (CRDCS) controller to degate the CRDM motor power supply SCRs through interrupting the gate control signals to the SCRs in each CRD motor power supply. When the gate signals are interrupted, the SCRs will revert to their open state on the next negative half-cycle of the applied AC voltage, thus removing all power at the outputs of the motor power supplies. Because the power supplies have redundant halves, two sets of SCRs for each CRDM motor power supply are provided. RPS Channel 3 provides the trip signal for one set of SCRs through the K2 relay in trip breaker D and RPS Channel 4 provides the trip signal to the other set of SCRs through the K2 relay in trip breaker C. The K2 trip relays and the associated SCR gate trip signals can remain in their non-tripped state only if the associated RPS channel is energized.

When an RPS channel trips, the associated trip relays de-energize, interrupting the SCR gate control signals through the CRDCS controller.
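The trip arrangement described above, reduced to a truth table (an added example, not part of the UFSAR or any plant software). It assumes rods are held only while at least one AC feed is closed and at least one SCR set is gated, takes the energized state of each RPS trip channel as its only input (ARTS and manual trip are not modeled), and uses hypothetical names for the functions and SCR-set keys.

```python
"""Constructed truth-table model of the CRDCS trip stages (Section 7.4.1.1.2)."""
from itertools import combinations

CHANNELS = (1, 2, 3, 4)

# From the text: RPS channel that energizes each breaker's undervoltage coil.
UV_COIL_SOURCE = {"A": 2, "B": 1, "C": 4, "D": 3}
# From the text: two trip breakers in series in each of the two parallel AC feeds.
FEEDS = {"main": ("A", "C"), "secondary": ("B", "D")}
# From the text: the K2 relay at breaker D (Channel 3) and at breaker C (Channel 4)
# each degate one of the two redundant SCR sets. Key names are hypothetical.
SCR_SET_SOURCE = {"scr_set_K2_D": 3, "scr_set_K2_C": 4}
COMPONENTS = tuple(UV_COIL_SOURCE) + tuple(SCR_SET_SOURCE)


def crdm_powered(tripped, stuck=frozenset()):
    """Return True if the CRDMs still receive power (rods held out).

    tripped: set of de-energized RPS trip channels.
    stuck:   components modeled as failing to act on a trip
             (a breaker that stays closed, an SCR set that stays gated).
    Modeling assumption: the two trip methods are series stages, so power
    needs at least one closed AC feed AND at least one gated SCR set.
    """
    energized = {ch: ch not in tripped for ch in CHANNELS}

    def breaker_closed(name):
        # A breaker stays closed only while its UV coil is energized.
        return name in stuck or energized[UV_COIL_SOURCE[name]]

    ac_live = any(all(breaker_closed(b) for b in pair) for pair in FEEDS.values())
    scr_gated = any(name in stuck or energized[ch]
                    for name, ch in SCR_SET_SOURCE.items())
    return ac_live and scr_gated


def minimal_trip_sets():
    """Smallest sets of de-energized channels that remove CRDM power."""
    found = []
    for size in range(1, len(CHANNELS) + 1):
        for combo in combinations(CHANNELS, size):
            candidate = set(combo)
            if crdm_powered(candidate):
                continue
            if not any(smaller <= candidate for smaller in found):
                found.append(candidate)
    return [tuple(sorted(s)) for s in found]


def failures_defeating_trip(n_failures):
    """Sets of n stuck components that keep power on with all channels tripped."""
    all_tripped = set(CHANNELS)
    return [combo for combo in combinations(COMPONENTS, n_failures)
            if crdm_powered(all_tripped, frozenset(combo))]


if __name__ == "__main__":
    print("Minimal channel sets that drop the rods:", minimal_trip_sets())
    for n in (1, 2, 3):
        print(f"{n} stuck component(s) defeating a full trip:",
              failures_defeating_trip(n))
```

Under this model no single channel trip drops the rods, one channel from each feed pair does, and a full four-channel trip is defeated only when both breakers of one feed and an SCR set all fail together.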

RPS Channel 3 acts as a functional back-up to Channel 1. RPS Channel 4 acts as a functional back-up to Channel 2.

The trip relays must be manually reset once tripped. This reset is possible only if the RPS trip channels are in the reset mode. No trip bypasses or interlocks are provided in the trip circuits.

7.4.1.1.3 Supporting Systems

The CRDCS circuits have the reactor protection system as the supporting system. The RPS provides the power to the four trip channels. Also, the essential 125VDC system is a supporting system, providing power to the shunt trip devices, and the essential 120VAC system powers the undervoltage coils and relays through the RPS system.

7.4.1.1.4 Portion of System Not Required for Safety

The remainder of the CRDCS is described in Section 7.7.

7.4.1.1.5 Comparison with SMUD Rancho Seco Station CRDCS Trip Circuits

CRDCS trip circuits at Davis-Besse are compared to SMUD Rancho Seco in FSAR Section 7.4.1.1.5.

7.4.1.1.6 Drawings

Refer to EI&C drawings.

7.4.1.2 Reactor Protection System (RPS)

The RPS monitors parameters related to safe operation and trips the reactor to protect the reactor core against damage. It also protects against Reactor Coolant System overpressure caused by energy input to the system by the reactor. A detailed description of the RPS is given in Section 7.2.

7.4.1.3 Steam and Feedwater Line Rupture Control System (SFRCS)

The design goal of the SFRCS is to mitigate release of high energy steam, to automatically start the Auxiliary Feedwater System in the event of a main steam line or main feedwater line rupture, to automatically start the Auxiliary Feedwater System on the loss of both main feed pumps (via the S/G low level or high FW/SG reverse differential pressure trips) or the loss of all four RC pumps, and to prevent steam generator overfill and subsequent spillover into the main steam lines.
The SFRCS also provides a trip signal to the Anticipatory Reactor Trip System (ARTS); see Section 7.4.1.4.

7.4.1.3.1 System Description

The SFRCS is required to ensure an adequate feedwater supply to the NSSS steam generators to remove reactor decay heat during periods when the normal feedwater supply and/or the electric power supply to essential auxiliaries has been lost.

The auto-essential steam generator level control includes a dual setpoint. Following automatic actuation of auxiliary feedwater by the SFRCS, steam generator level will be controlled to the minimum level required to maintain natural circulation if no SFAS Level 2 actuation (low RCS pressure or high reactor building pressure) occurs. For accident conditions where both auxiliary feedwater and SFAS Level 2 are automatically actuated, the auto-essential level control will maintain a minimum actual level of 120 inches above the lower tube sheet.

In the event of a main steam line rupture, the SFRCS will close both main steam isolation valves and all main feedwater control and stop valves and trip the main turbine. Initiation will occur no later than when the pressure in the main steam line drops to the steamline pressure-low setpoint. The Auxiliary Feedwater System (AFS) will also be initiated at this level, and both auxiliary feed pump turbines will be aligned with the unaffected steam generator.

After automatic initiation of the auxiliary feed system, the operator may assume manual control. The manual control system is essential, and a manual speed control is provided for each turbine at the main control board and the auxiliary shutdown panel to control the auxiliary feedwater flow to each steam generator. The auxiliary feed pump turbine steam inlet isolation valves are also containment isolation valves that can be remote manually closed when required by station conditions.

In the event of a main feedwater line rupture, the SFRCS will close both main steam isolation valves, close both main feedwater control and stop valves, trip the main turbine and initiate the auxiliary feedwater system when the pressure downstream of the last check valve in a main feedwater line to a steam generator exceeds upstream pressure by more than the SFRCS Main Feedwater/Steam Generator reverse differential pressure setpoint.

SFRCS trip setpoints are listed in the Technical Requirements Manual.

Annunciator alarms (audio and visual) are provided for the following SFRCS trip conditions:

1. Steam Generator Low Pressure
2. Steam Generator to Feedwater Differential Pressure and Steam Generator High Level
3. Loss of four Reactor Coolant Pumps and Steam Generator Low Level

A complete description of the Auxiliary Feedwater System is provided in Subsection 9.2.7.

7.4.1.3.2 Initiating Circuits

The initiating circuits of the SFRCS are the sensing circuits monitoring the following station parameters. Required trip setting Allowable Values are listed in Technical Specifications.

1. Main steam line pressure
2. Main feedwater/steam generator reverse differential pressure
3. Steam generator level
4. RC pump monitor

7.4.1.3.3 Logic

The logic channels of the SFRCS are made up of solid state components. Relays are used as output isolation and terminating devices of the SFRCS logic, as isolation devices for remote control pushbuttons, and as output signals to the station annunciator and computer.

The SFRCS, as shown in Figures 7.4-2 and 7.4-3, consists of two identical redundant and independent channels. Each channel consists of two AC supplied logic trains. The logic trains are identical and are maintained separate and independent within the channel cabinet. The sensor-to-cabinet cable runs are maintained separate by physical space or metallic conduit. The logic for the SFRCS and the SFRCS actuated equipment is shown in Figures 7.4-2 through 7.4-6.

The SFRCS is a failsafe (de-energize-to-trip) system. Therefore, if power to a logic system is lost, that logic system will trip. The SFRCS and the SFRCS actuated equipment are designed to allow single failure without preventing the system from performing the required operation.

7.4.1.3.4 Bypasses

The SFRCS includes channel bypasses and operating bypasses.

1. Channel bypass: The only bypasses provided are those on the Main Control Board (MCB) and Auxiliary Shutdown Panel (ASP) for the Auxiliary Feedwater System. The operation of these switches is under administrative control. The switch positions of these bypasses are indicated on the MCB and/or ASP and alarmed in the control room.
2. Operating bypasses: Two out of two logic is provided to allow the operator to bypass each channel to prevent initiation under normal cool down when the main steam line pressure drops below the Technical Specification value.

The bypasses are automatically reset by a one out of two logic before the main steam line pressure exceeds the Technical Specification value.

7.4.1.3.5 Interlocks

Fault current conditions on motor operated equipment will override the trip to the equipment. Interlocks which inhibit protective actions are described below.

The SFRCS close signal to the following valves may be blocked to allow manual opening if an SFRCS actuation has closed them:

SP7A      Main Feedwater 2 Start Up Control Valve
SP7B      Main Feedwater 1 Start Up Control Valve
FW 601    Main Feedwater 2 Stop Valve
FW 612    Main Feedwater 1 Stop Valve

This will allow feeding the steam generators with the start-up feed pump to remove core decay heat in the event both MFPs/MFPTs and AFPs/AFPTs are lost, providing additional diversity in cooling to the steam generators.

Also, the SFRCS close signal to the following valves may be blocked after an SFRCS actuation:

PV-ICS11A    Atmospheric Vent Valve
PV-ICS11B    Atmospheric Vent Valve

This will facilitate the control of steam generator pressure using the Atmospheric Vent Valves after an SFRCS actuation.

The SFRCS signal to the following valves may be blocked to allow repositioning of the valves if an SFRCS actuation has occurred:

MS 106     MS Line 1 to AFPT 1-1 Isolation Valve
MS 106A    MS Line 2 to AFPT 1-1 Isolation Valve
MS 107     MS Line 2 to AFPT 1-2 Isolation Valve
MS 107A    MS Line 1 to AFPT 1-2 Isolation Valve
AF 3869    Aux. Feed 1-1 to SG 1-2 Stop Valve
AF 3870    Aux. Feed 1-1 to SG 1-1 Stop Valve
AF 3871    Aux. Feed 1-2 to SG 1-1 Stop Valve
AF 3872    Aux. Feed 1-2 to SG 1-2 Stop Valve
MS 603     SG 2 Drain Line Isolation Valve
MS 611     SG 1 Drain Line Isolation Valve

This will allow the operator to reposition the valves as he deems necessary after automatic SFRCS actuation.

Low pressure switches are provided to close the steam supply isolation valves on low AFP suction pressure. See USAR section 9.2.7.3 for more details. Low pressure switches in a 2 out of 2 (with one set of 2 required for actuation) logic are provided to close the steam supply isolation valves for each Auxiliary Feedpump Turbine.

The SFRCS has a built-in block feature when the main steam line pressure drops below the low pressure block permissive value specified in the Technical Specifications to allow blocking the Steam Generator Low Pressure or High Level Trip Initiation during normal plant startup or shutdown. This block is automatically reset before the main steam line pressure exceeds the Technical Specification block reset value.
7.4.1.3.6 Redundancy

The SFRCS redundancy is provided through independent logic and power circuits as described in Subsection 7.4.1.3.3 and shown on Figures 7.4-2 through 7.4-6.

7.4.1.3.7 Diversity

Diversity in the SFRCS is provided by monitoring main steam line pressure, main feedwater/steam generator reverse differential pressure, and main steam generator level to sense main steam line or main feedwater line rupture and to provide steam generator isolation, main turbine trip, and Auxiliary Feedwater System initiation.

7.4.1.3.8 Supporting Systems

The supporting system of the SFRCS is the essential power supply (Chapter 8).

7.4.1.3.9 Non-Safety Systems

The non-safety systems and equipment utilized in the SFRCS system are listed below:

1. Station annunciator (Section 7.11).
2. Station computer (Section 7.10).
3. Startup and main feedwater control valves (used as backup protection to main feedwater stop valves).
4. Steam generator main feedwater isolation (block) valves.
5. Main turbine trip (Section 10.2.3).

7.4.1.3.10 Design Bases

The design bases of the SFRCS (in accordance with IEEE Standard 279-1971) are listed below.

1. Generating station conditions which require protective action:

SFRCS initiation is required following:

- Low or high* level in either steam generator
- Main steam line rupture (low pressure)
- Main feedwater line rupture
- Loss of all four reactor coolant pumps

              *The high level trip is not required for mitigation of any Chapter 15 design basis accident analyses and should not be construed as a USAR/license requirement.
2. Generating station variables that are required to be monitored in order to provide protective action:

- Main steam pressure
- Steam generator level
- Differential pressure across the feedwater line check valve
- RC pump status


3. Minimum number and location of sensors required to monitor adequately, for protective function purposes, those variables that have spatial dependence:

Main steam pressure - Four pressure switches located on each main steam line upstream of the main steam isolation valve.

Steam generator level - Four level transmitters located on each steam generator.

Differential pressure between main feedwater line and steam generator - Four differential pressure switches across each main feedwater line check valve downstream of the main feedwater control valve.

RC pump status - Pump current monitors on each motor circuit.

4. Prudent operational limits for each variable in each reactor operation mode:

Main steam pressure - The normal operational limits of the pressure in each main steam line is controlled at 880 +/- 10 psig, at the turbine header. During plant startup turbine header pressure is controlled at 870 +/- 10 psig until sometime after 50% power turbine header pressure is increased to 880 psig.

Steam generator level - The normal operational level in each steam generator ranges from the bottom of the operate range instrumentation (102 inches above the lower tube sheet) to the high level alarm which can be set as high as 96% on the operate range (the 96% elevation is 382 inches above the lower tube sheet).

Differential pressure across the main feed line check valve - The normal operating value of differential pressure is zero psid under all reactor power conditions.

5. Margin between operational limit and level marking onset of unsafe conditions:

Main steam pressure - With turbine header pressure maintained at approximately 880 psig, there is sufficient margin between normal operation and the specified SFRCS trip value.

Steam generator level - The steam generators are operated at approximately 40 indicated SG startup level when on their low level limit. This is sufficiently above the approximately 23 indicated level (16.9 actual above top of lower tube sheet) required by Technical Specifications for a low level trip Allowable Value. These levels are based on operating conditions. The replacement OTSG indicated level remains unchanged because the location of the level sensing connections remains unchanged, however the actual water level of above the top of lower tube sheet will increase because the replacement OTSG tubesheet is 1.8125 thinner than the original tubesheet. For the replacement OTSG the maximum operational level in each steam generator is 96% on the operating level (approximately 383.8 inches above the lower tube sheet). A minimum of 60.3°F superheat ensures that the ROTSG will be operating in the acceptable range as shown on the Maximum Allowable Steam Generator Level curve in the Technical Specification when the operating level is 96%. The high level SFRCS limit is analyzed in Calculation C-NSA-083.03-005. The high level trip is not expressed in units of inches above the lower tube sheet.

Differential pressure across the main feedwater line check valve - The minimum operational differential pressure between each main feedwater line and its respective steam generator is zero psi. This differential pressure provides a margin between the minimum operational differential pressure and the differential pressure Allowable Value requiring protective action.

6. The levels, that when reached, will activate protective actions are tabulated in the Technical Specifications, except for high steam generator level, which is discussed in previous item number 5.
7. The range of transient and steady-state conditions of the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

Power source requirements for the SFRCS for all conditions are as follows:

AC: 120 volts +/- 10%, 60 Hz +/- 3 Hz, grounded
DC: 125 volts (105 - 140 volts) ungrounded

The SFRCS equipment needed to mitigate an accident is qualified for the environment in which it is located, for the accidents the equipment is designed to mitigate, per the station's environmental qualification program. Normal, abnormal/accident conditions are considered as part of this program. Peak room temperatures are listed in USAR Table 3.6-11. The environmental qualification program uses 100% relative humidity for high energy line break accidents.


8. Malfunctions, accidents, or other unusual events which could physically damage protection system components for which provisions must be incorporated to retain necessary protection system action:

The SFRCS is designed to withstand physical damage or loss of function caused by earthquakes. The control system is also located in a building area designed to protect the equipment from flood, lightning, wind, and missiles.

9. The SFRCS is digital/analog; therefore, the system response time is virtually instantaneous except for steam generator level transmitters, which have a 1.6 +/- 0.2 sec. response time, and for the main feedwater/steam generator reverse differential pressure signals, which have a 1/2 second time delay. The required response times for SFRCS components are contained in the Technical Requirements Manual.

7.4.1.3.11 Drawings The following drawings are related to SFRCS equipment:

1. Functional drawings - Figures 10.3-1, 10.4-12, and 10.4-12A
2. Logic drawings - Figures 7.4-2 through 7.4-6.
3. Wiring diagrams - EI&C drawings (USAR Section 1.5.3.12)

7.4.1.4 Anticipatory Reactor Trip System (ARTS)

The purpose of the ARTS is to initiate a reactor trip when a sensed parameter exceeds its setpoint value, indicating the approach of an unsafe condition, thereby reducing the magnitude of pressure and temperature transients on the Reactor Coolant System caused by loss of feedwater events or turbine generator trips. The scope of the ARTS includes all electronic signal processing equipment and cabling from the system sensors to the RPS cabinets. The following discussion is keyed to Section 3 of IEEE Standard 279-1971.

1. Generating station conditions which require protective action:

(a) Turbine generator trip
(b) Both Main Feedpump Turbines trip

2. Generating station variables that are required to be monitored in order to provide protective actions:

(a) Turbine-Generator Status
(b) Main Feedpump Turbine Status


3. Although these variables do not have spatial dependency, the number and location of sensors which are provided to monitor for protection function purposes:

(a) Turbine Generator Status: Four pressure switches monitoring the hydraulic oil pressure at the fast acting solenoids for the turbine generator main stop valves.

(b) Main Feedpump Turbine Status: Four pressure switches for each pump monitoring the oil pressure of the feedpump turbine high pressure stop valve.

4. Prudent operational limits for each variable during reactor operational mode:

(a) Turbine Generator Status: Although the nominal system pressure in the hydraulic oil system is 1600 psig, the nominal minimum operational limit was historically determined to be the point at which the standby pump starts, 1300 psig. However, during testing of any one main stop valve, when pressure to the associated ARTS pressure switch goes to approximately 0 psig, low pressure transients could be detected by ARTS pressure switches on other ARTS channels (located on other main stop valves). These low pressure transients caused a trip of one of the other three ARTS channels. To preclude this, the nominal field settings were reduced to 275 psig and hydraulic snubbers were added to the pressure switch sensing lines. The actual minimum operational limits for each pressure switch during main stop valve testing were not determined.

(b) Main Feedpump Status: Although the nominal system pressure in the control oil system is above 200 psig, the minimum operational limit was determined to be the nominal setpoint for the low pressure alarm, 130 psig.

5. The margin between operational limit and level marking onset of an unsafe condition:

(a) Turbine Generator Status: Since the hydraulic oil pressure at the main stop valves quickly approaches 0 psig for a turbine trip, the pressure value marking onset to an unsafe condition is any value less than that normally expected during normal operation or testing. Based on this, and considering that the minimum operational limits were not determined, the margins between the operational limits and the levels marking onset of an unsafe condition cannot be determined. Lack of ARTS channel trips since the setpoints were lowered and the snubbers were installed supports the conclusion that sufficient margin exists to preclude inadvertent trips. Additionally, the 275 psig nominal setpoint provides sufficient margin to ensure the pressure switches trip prior to the hydraulic oil pressure stabilizing at approximately 0 psig.

(b) Main Feedpump Turbine Status: Since during normal operation the control oil pressure at the high pressure stop valves is above 130 psig, and this pressure quickly approaches 0 psig for a turbine trip, the pressure value marking onset to an unsafe condition is any value less than that normally expected during normal operation. Based on this, there is no margin between the minimum operational limit and the level marking onset to an unsafe condition. However, the 75 psig nominal setpoint provides sufficient margin to ensure the pressure switch trips prior to the control oil pressure stabilizing at approximately 0 psig.

6. The trip levels that, when reached, will produce protective actions:

(a) Turbine Generator Status: The reactor will be automatically tripped when the Turbine Generator Stop Valve oil pressure decreases below the setpoint.

(b) Main Feedpump Status: The reactor will be automatically tripped when the oil pressure of both Feedpump Turbine High Pressure Stop Valves decreases to 75 psig.

7. Range of transient and steady-state conditions of the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

The ARTS cabinets are located in the main cabinet room. All other sensors are located in the turbine building where the environmental conditions are 40 to 100 percent humidity, atmospheric pressure and temperatures to 120°F.

8. Malfunctions, accidents or other unusual events which could physically damage protection components and for which design provisions must be incorporated to retain necessary protective action:

Except for the portion of the system located within the Turbine Building, the ARTS is designed to withstand physical damage or loss of function during and after an earthquake. The system is also located in a building area designed to protect the equipment from flood, lightning, wind, and missiles. Pressure switches on main turbine generator and on main feed pumps conform to IEEE Standard 279-1971 and are environmentally qualified. However, seismic criteria are not included in qualification regarding mounting location for that portion of the trip system located within the nonseismic Category I Turbine Building.

9. For minimum performance requirements, including system response times, system accuracies, range of the magnitudes and a rate of change of the sensed variables to be accommodated until proper conclusion of the protection system action, refer to Toledo Edison Specification E-241Q (cabinets) and M-367Q (pressure switches).

7.4.1.4.1 System Description

7.4.1.4.1.1 System Logic

The ARTS contains four redundant and independent channels. The turbine trip input is automatically bypassed at 45% of rated thermal power or less. The other two inputs (MFPT and SFRCS) are active in Mode 1.

One group of pressure switches will monitor the hydraulic oil pressure at the fast acting solenoids for the turbine generator main stop valves and will trip the reactor when the main turbine is tripped. Another group of pressure switches will monitor the oil pressure which is associated with the high pressure stop valves for both main feedwater pump turbines. When these sensors detect the loss of both main feedpumps, the reactor will be tripped. Associated with each of these main feedwater pump turbine oil pressure switches is a test toggle switch. The administratively controlled toggle switch simulates a trip condition to the logic when the respective main feedwater pump turbine is not tripped yet not providing flow to the steam generator, such as during plant startup. Four additional input signals from the SFRCS, providing a diverse means of tripping the reactor but not required by the Technical Specifications, will trip the reactor when the SFRCS is initiated, see Section 7.4.1.3.

Each group of four sensing channels is connected to two out of four logic gates by additional isolation devices. The output from these two out of four logic gates is applied to the associated undervoltage coils for the control rod drive trip breakers and to the undervoltage relays for the shunt trip circuits for trip breakers. The logic channels are made up of solid state components. Relays are used as output isolation and termination devices of the ARTS logic and as isolation devices for output signals to the station annunciator and computer. The ARTS system is shown in Figure 7.4-8.

The ARTS is a fail-safe, de-energize-to-trip system. Therefore, if the power supply is lost to a logic system, that logic system will trip.
The ARTS actuating equipment is designed to allow single failure without preventing the system from performing the required operation.

7.4.1.4.1.2 Bypasses

Channel Bypass or Removal from operation - Each safety grade ARTS sensing and logic channel is provided with three test bypass switches. These switches enable the operator to change the two-out-of-four coincidence matrices into a two-out-of-three mode for a given variable. The channel bypass permits the testing, calibration, and maintenance of a particular generating station variable of a single channel during power operation. With the bypass in effect, the three remaining channels of that station variable provide the necessary protection. Because only two channels of a variable need exceed the trip setpoint to cause a trip, a single failure will not prevent the station variable logic from fulfilling its protective function.

All four ARTS Main Feed Pump bypass switches are placed in the bypass position during plant shutdown to allow both Main Feed Pump Turbines to be tripped without tripping the reactor. Also, all four ARTS Main Feed Pump bypass switches are placed in the bypass position during plant startup which allows ARTS channels to be reset and control rod drive breakers to be closed. During startup, the switches are returned to the normal position at two percent power after a Main Feed Pump Turbine is placed in service.

Operating Bypass - The operating bypass automatically blocks the Turbine-Generator Status input when the reactor power is at 45% power or less. The bypass is automatically removed when reactor power is above the blocking bistable setpoint. The reactor power signals originate from the Reactor Protection System.

BAW-1893, Basis for Raising Arming Threshold for Anticipatory Reactor Trip on Turbine Trip, (Reference 2) provided justification for establishing the 45% reactor power arming level based, in part, on available secondary steam relief capacity. Serial letter 1487 (Reference 3) addressed the acceptability of the 45% reactor power arming level with an available first-bank (1050 psig setpoint) Main Steam Safety Valve capacity of 20% of full power steam flow. The ARTS Turbine Trip arming level of 45% is based on the following:

  • Turbine Bypass Valves capacity of 25% of full power steam flow,
  • First-bank (1050 psig setpoint) Main Steam Safety Valves capacity of 20% of full power steam flow, and
  • A 5% reactor power reduction from the time at which the turbine trip occurs until the RPS high-pressure setpoint is reached.
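
The coincidence, channel bypass and operating bypass behavior described in Subsections 7.4.1.4.1.1 and 7.4.1.4.1.2 can be exercised with a small model. This is an added illustration, not plant logic or vendor code; the class and function names, the "normal" pressure values, and the treatment of a de-energized channel as a trip vote on every unbypassed input are assumptions.

```python
from dataclasses import dataclass, field

# Values stated in the text
TURBINE_SETPOINT_PSIG = 275.0  # nominal turbine stop valve oil pressure setpoint
MFPT_SETPOINT_PSIG = 75.0      # nominal MFPT stop valve oil pressure setpoint
ARMING_POWER_PCT = 45.0        # turbine input is blocked at or below this power
VARIABLES = ("turbine", "mfpt", "sfrcs")


@dataclass
class Channel:
    """One of the four ARTS channels. Field names and defaults are assumptions."""
    turbine_oil_psig: float = 1000.0  # constructed "normal" value, not from the text
    mfpt1_oil_psig: float = 150.0     # constructed; the text says normal is above 130
    mfpt2_oil_psig: float = 150.0
    sfrcs_initiated: bool = False
    reactor_power_pct: float = 100.0  # isolated power signal from the RPS
    energized: bool = True
    bypassed: set = field(default_factory=set)  # variables under channel bypass

    def vote(self, variable):
        """Return True (trip vote), False (no vote) or None (channel bypassed)."""
        if variable not in VARIABLES:
            raise ValueError(f"unknown variable: {variable}")
        if variable in self.bypassed:
            return None
        if not self.energized:
            return True  # assumption: de-energize-to-trip modeled as a trip vote
        if variable == "turbine":
            armed = self.reactor_power_pct > ARMING_POWER_PCT  # operating bypass
            return armed and self.turbine_oil_psig < TURBINE_SETPOINT_PSIG
        if variable == "mfpt":
            # Only the loss of BOTH main feedpump turbines is a trip condition.
            return (self.mfpt1_oil_psig <= MFPT_SETPOINT_PSIG
                    and self.mfpt2_oil_psig <= MFPT_SETPOINT_PSIG)
        return self.sfrcs_initiated


def coincidence(channels, variable):
    """Two-out-of-N vote over the channels not bypassed for this variable."""
    votes = [v for v in (ch.vote(variable) for ch in channels) if v is not None]
    return {"in_service": len(votes), "trip_votes": sum(votes),
            "trip": sum(votes) >= 2}


def arts_trip(channels):
    """A trip on any one monitored variable trips the reactor."""
    return any(coincidence(channels, v)["trip"] for v in VARIABLES)


def four_channels(**overrides):
    """Four identical channels; keyword overrides apply to all of them."""
    return [Channel(**overrides) for _ in range(4)]


def scenarios():
    """Run constructed plant states through the model and collect the results."""
    out = {}
    out["normal"] = arts_trip(four_channels())
    out["turbine_trip_100pct"] = arts_trip(four_channels(turbine_oil_psig=0.0))
    out["turbine_trip_45pct"] = arts_trip(
        four_channels(turbine_oil_psig=0.0, reactor_power_pct=45.0))

    # One channel in test bypass (2-out-of-3) and one remaining switch that
    # fails to actuate: the other two votes still produce the trip.
    chs = four_channels(turbine_oil_psig=0.0)
    chs[0].bypassed.add("turbine")
    chs[1].turbine_oil_psig = 1000.0
    out["bypass_plus_single_failure"] = coincidence(chs, "turbine")

    out["one_mfpt_lost"] = arts_trip(four_channels(mfpt1_oil_psig=0.0))
    out["both_mfpt_lost"] = arts_trip(
        four_channels(mfpt1_oil_psig=0.0, mfpt2_oil_psig=0.0))

    # Shutdown/startup lineup: all four Main Feed Pump bypass switches in bypass.
    chs = four_channels(mfpt1_oil_psig=0.0, mfpt2_oil_psig=0.0)
    for ch in chs:
        ch.bypassed.add("mfpt")
    out["all_mfpt_bypassed"] = arts_trip(chs)

    # Power loss: one channel gives a half-trip, a second completes it.
    chs = four_channels()
    chs[2].energized = False
    out["one_channel_deenergized"] = arts_trip(chs)
    chs[3].energized = False
    out["two_channels_deenergized"] = arts_trip(chs)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} {result}")
```

The `all_mfpt_bypassed` case shows why the four Main Feed Pump bypass switches must be returned to normal during startup: with every channel bypassed, the feedpump input contributes no votes at all.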

7.4.1.4.1.3 Interlocks

An interlock is provided which prevents reset of the ARTS until the initiating signals of the station parameters are returned to normal.

7.4.1.4.1.4 Redundancy

ARTS redundancy is provided by four redundant and independent sensing, logic, and actuation channels as shown on Figure 7.4-8.

7.4.1.4.1.5 Diversity

Diversity for the ARTS system is provided by the use of signals from the Turbine-Generator, Feedpump Turbine, and Steam and Feedwater Line Rupture Control System.

7.4.1.4.1.6 Supporting Systems

The ARTS interfaces with RPS. Reference Figure 7.4-8. An isolated reactor power output signal from the RPS is used to block the Turbine-Generator Trip input signal when reactor power is at 45% power or less. This signal is transmitted to an isolated bistable located in each of the four ARTS channels. The bistables reset automatically when the reactor power is above the blocking bistable setpoint. The output from the ARTS is terminated in the RPS cabinet as part of the reactor trip circuit. The signals are isolated and independent. No single failure will create an adverse effect on plant safety. All interfaces between protection systems and the ARTS are isolated. The isolation devices are qualified to withstand any adverse condition which could degrade the operation of the protection system. Also, SFRCS (Subsection 7.4.1.3), Essential Power (Chapter 8) and CRDCS (Subsection 7.4.1.1) form part of the supporting systems.

7.4.1.4.1.7 Non-Safety Systems

The non-safety systems and equipment utilized in the ARTS, with no credit taken for operability except for items 3 and 4, are listed below:

1. Station Annunciator
2. Station Computer
3. Main Feedpump Turbine Stop Valves.
4. Main Turbine Stop Valves.

7.4.1.4.1.8 Design Bases

The design bases of the final ARTS in accordance with IEEE Standard 279-1971 are detailed in Subsection 7.4.1.4.2.

7.4.1.4.1.9 Setpoint Bases

Setpoint Bases for the ARTS are provided in Subsection 7.4.1.4 paragraphs 4 and 5.

7.4.1.4.1.10 Drawings

Drawings depicting the ARTS design are contained in Figure 7.4-8 and the EI&C drawings.

7.4.1.4.2 Compliance with IEEE Standard 279-1971

The following discussion is keyed to Section 4 of IEEE Standard 279-1971 and demonstrates compliance with the above mentioned Standard:

(4.1) General Functional Requirements - The Safety Grade ARTS will, with precision and reliability, automatically perform its protective function, whenever the station conditions monitored by the system reach a preset level, under the design condition listed in the discussion of Section 3 of IEEE Standard 279-1971.

(4.2) Single Failure Criterion - No single failure can prevent the system from performing its protective function.

(4.3) Quality of Components and Modules - The system consists of high quality components and modules with minimum maintenance requirements and low failure rates. Quality control procedures were used during fabrication and testing to verify compliance with requirements specified for the particular equipment.

(4.4) Equipment Qualification - Type test data is available to verify that the system equipment meets, on a continuing basis, the performance requirements.

(4.5) Channel Integrity - Each channel of the system is designed, manufactured, and located so that the channel integrity is maintained under the design conditions listed in the discussion of Section 3 of IEEE Standard 279-1971.

(4.6) Channel Independence - Each system channel is located in its own cabinet. The cabinets act as a barrier against fire and mechanical damage from external sources. The cabinets are in a room which offers environmental and missile protection.

(4.7) Control and Protection System Interaction

(a) Classification of Equipment - Equipment that is used for protection and control functions is classified as part of the protection system and meets the requirements of IEEE Standard 279-1971.

(b) Isolation Devices - Output signals from the system are through isolation devices which are classified as part of the system and meet all the requirements of IEEE Standard 279-1971.

(4.8) Derivation of System Inputs - The ARTS pressure switches monitoring the Turbine Generator Hydraulic Oil pressure and the Main Feedpump Turbine Control Oil pressures provide a direct means for sensing turbine trips. The isolated reactor power output signal from RPS provides a direct measurement of that parameter. The SFRCS status input provides a diverse means of tripping the reactor, but is not required within the ARTS for safe shutdown.

(4.9) Capability for Sensor Checks - Each ARTS pressure switch is provided with manual calibration capability as discussed in (4.10) and, being located in the turbine building, is accessible during reactor operation.

(4.10) Capability for Test and Calibration

a. Manual testing capability is provided for each input signal to the system to simulate sensor operation.
b. Manual calibration capability is provided for pressure switches from the Turbine-Generator and Main Feedpump Turbines. These can be independently isolated and simulated process parameters applied to check calibration.

(4.11) Channel Bypass or Removal From Operation - The ARTS station variable channel bypass is described in Subsection 7.4.1.4.1.2 and 7.4.1.4.2 item (4.13).

(4.12) Operating Bypasses - The ARTS operating bypass is described in Subsection 7.4.1.4.1.2 and 7.4.1.4.2 item (4.13).

(4.13) Indication of Bypasses - Initiation of the channel bypass will be continuously indicated at the system cabinets, the station computer and the annunciator. Initiation of the operating bypass will be continuously indicated at the ARTS system cabinet, the station computer and the annunciator.

(4.14) Access to Means for Bypassing - The activation of the ARTS channel bypass is accomplished by using switches, which are under administrative control. To initiate a bypass, a corresponding cabinet door must be opened. The cabinet door keys are under administrative control.

(4.15) Multiple Setpoints - The ARTS does not use multiple setpoints for any station parameter.

(4.16) Completion of Protective Action Once it is Initiated - The reactor, once tripped by the system, cannot be restarted until the operator deliberately resets the individual cabinets and recloses the CRDM breakers when station parameters return to normal.

(4.17) Manual Initiation - Manual initiation of the system's protective actions is accomplished by means of the reactor trip buttons located on the main control board, as described in Subsection 7.2.2.1 Paragraph (4.17).

(4.18) Access to Setpoint Adjustments, Calibrations, and Test Points - Setpoint adjustment and calibration of the station parameter sensing switches are under administrative controls. Test points will be accessible only when the system cabinet doors are open. The door keys are under administrative control. Open doors will be alarmed by the station computer and annunciator.

(4.19) Identification of Protective Actions - Protective action will be initiated whenever the generating station parameters sensed exceed the setpoint. These parameters are alarmed on the station computer. Each trip will also be indicated by the logic system in the system logic cabinets. Failures of 118 volt AC power sources are also monitored at the station computer and annunciator and indicated at the logic cabinets.

(4.20) Information Readout - Reactor power is the only ARTS associated generating station variable which has Control Room indication and it is described in Section 7.2, Reactor Protection System. Indications of the status of ARTS are discussed in item (4.19).
(4.21) System repair - The periodic testing can locate failure in a logic system. The modular design of the system will allow for quick repair of malfunctions.

(4.22) Identification - The identification of the equipment, including cabinets, trays and cables of the system redundant portions, is accomplished by color coding and numbering as described in Chapter 8.

7.4.1.5 Steam Relief

Steam pressure control following a reactor trip is provided to prevent excessive cooling of the RC fluid by controlled steam release to the atmosphere. Steam relief is accomplished by the code safety valves on each main steam line. A description of the safety valves is given in Chapter 10.

7.4.1.6 Auxiliary Shutdown Panel

7.4.1.6.1 Hot Shutdown

If temporary evacuation of the control room is required due to some abnormal station condition, the operator can establish and maintain the station in a safe hot shutdown condition through the use of an Auxiliary Shutdown Panel located outside the control room. The following controls and instrumentation are provided on this panel to accomplish hot shutdown:

1. Pressurizer level indicators.
2. Pressurizer heater controls and control transfer switches (to or from the Main Control Boards).
3. RC pressure indicators.
4. RC temperature indicators.
5. Steam generator level indicators.
6. Main steam pressure indicators.
7. Auxiliary feed pump governor controls and control transfer switches (to or from the Main Control Boards).
8. Service water isolation valve switches and control transfer switches (to or from the Main Control Boards).

Two each of the above controls and instrumentation are provided and are identical and redundant to one another. Procedures directing use of the Auxiliary Shutdown Panel and equipment outside the control room to establish and maintain hot shutdown conditions are provided in the station Abnormal Procedures.

7.4.1.6.2 Cold Shutdown

Inasmuch as the station can be maintained in a safe hot shutdown condition from outside the control room until access to the control room is regained, the need for taking the station to a cold shutdown condition from outside the control room is not anticipated. However, the ability to bring the station to a cold shutdown condition from outside the control room exists with the present station design. Through local controls, all necessary functions can be performed outside the control room, and with proper manpower and coordination the station can be cooled down over an extended period of time. Such an action includes the formulation at that time of a procedure based on an assessment of the situation.

7.4.1.6.3 Design Bases

In accordance with Criterion 19, the capability of establishing a hot shutdown condition and maintaining the station in a safe status during the mode is considered an essential function. To ensure availability of the Auxiliary Shutdown Panel after control room evacuation, the following design features have been utilized:

a. The Auxiliary Shutdown Panel, including all instrumentation mounted on it, is designed to withstand any physical damage or loss of function caused by earthquakes.
b. The panel, including instrumentation, is designed to comply with the requirements of IEEE Standard 279-1971.
c. The operator is required only to trip the reactor prior to control room evacuation.

7.4.1.6.4 Drawing

The ASP location is shown on Figure 3.6-3 (panel C3630). Figure 7.4-9 is the layout drawing of the ASP. Figures 5.1-2, 10.3-1, and 10.4-12A are the functional drawings for the devices controlled by the ASP.

7.4.1.7 Surveillance

The instrumentation utilized to monitor the necessary station variables for the systems required for safe shutdown is discussed in Section 7.5.

7.4.2 Analysis

7.4.2.1 Control Rod Drive Control System (CRDCS) (Trip Portion)

7.4.2.1.1 Conformance to IEEE Standard 279-1971

The trip portion of the CRDCS complies with the following applicable portions of IEEE Standard 279-1971:

(4.2) Single Failure Criterion - Any single failure within the CRDCS will not prevent proper initiation at the system level.

(4.3) Quality of Components and Modules - Equipment manufacturers are required to use high quality components and modules in equipment construction. Quality control procedures, used during fabrication and testing, verify compliance with this requirement.

(4.4) Equipment Qualification - Type test data is available to verify that the CRDCS equipment meets the performance requirements necessary for achieving the required system response.

(4.6) Channel Independence - The essential controls for safe shutdown are packaged in two independent and physically separated channels to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction.

(4.7) System Interaction - There is no interaction between control systems and the CRDCS trip portion.

(4.9) Capability for Test and Calibration - Manual testing facilities have been built into the CRDCS Trip Channels for on-line testing in conjunction with the RPS. The test routines are designed to demonstrate, without interfering with normal reactor or plant operation, that the CRDCS Trip Channels can fulfill their required safety functions. All tests may be performed with the CRDCS on-line with no sacrifice of independence.

(4.16) Completion of Protective Action Once Initiated - Once initiated the full insertion of the shim safety control rods is only dependent upon gravity. Therefore, the action continues to completion after trip initiation. Return to operation requires subsequent deliberate operator action.

(4.17) Manual Initiation - Two manual trip switches in series are provided which are positioned upstream of the CRDCS. Depressing either switch interrupts power from all four RPS channels to the CRDCS. Since the operator manual trips are downstream of the RPS automatic trips, no failure of the automatic trips will inactivate the manual trips.

(4.18) Access to Setpoint Adjustments, Calibrations, and Test Points - Setpoint adjustments and test points are accessible and calibration is possible only when the Reactor Trip Breaker (RTB) cabinets are open. Access to the RTB cabinets is administratively controlled as a part of general station access control to the protected and vital areas as described in the security plan. Access to the RTB cabinets is also administratively controlled through compliance with station procedures.

(4.19) Identification of Protective Action - The plant annunciator indicates that an RPS channel has tripped sending a trip signal to the CRDCS and indicates that the CRDCS has tripped.
(4.20) Information Readouts - As a minimum, the following are indicated on the cabinet front panels:

1. Cabinet fan failure, where fans are used.
2. Trip state of CRD trip devices housed in the cabinets.

(4.21) System Repair - The CRDCS is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components.

(4.22) Identification - Refer to Subsection 8.3.1.2 for a discussion of identification of protection system components.

7.4.2.1.2 Compliance with AEC General Design Criteria

Refer to Appendix 3D for criteria discussions.

7.4.2.1.3 Compliance with AEC Safety Guides 22 and 29

Refer to Section 7.2.2.4 for discussion concerning compliance with Safety Guide 22. The trip portions of the CRDCS are seismically qualified to comply with Safety Guide 29.

7.4.2.2 Reactor Protection System (RPS)

The analysis of the RPS is described in detail in Section 7.2.

7.4.2.3 Steam and Feedwater Line Rupture Control System (SFRCS)

7.4.2.3.1 Compliance with IEEE Standard 279-1971

The following discussions are keyed to Section 4 of IEEE Standard 279-1971 and demonstrate compliance with the above mentioned standard.

(4.1) General Functional Requirement - The SFRCS, with precision and reliability, automatically performs its protective function, whenever the station conditions monitored by the SFRCS reach a preset level, under the design conditions described in Subsection 7.4.1.3.10.

(4.2) Single Failure Criterion - No single failure prevents the SFRCS from performing its protective function.

(4.3) Quality of Components and Modules - The SFRCS consists of high quality components and modules with minimum maintenance requirements and low failure rates. Quality control procedures were used during fabrication and testing to verify compliance with the requirements specified for the particular equipment.

(4.4) Equipment Qualification - Type test data is available to verify that the SFRCS equipment meets, on a continuing basis, the performance requirements determined to be necessary for achieving the system requirements.

(4.5) Channel Integrity - Each SFRCS channel is designed, manufactured, and located so that channel integrity is maintained under the design conditions listed in Subsection 7.4.1.3.10.

(4.6) Channel Independence - Each SFRCS actuation channel is located in its own set of cabinets.
The cabinets act as a barrier against fire and mechanical damage from external sources. The cabinets are in a room which offers environmental and missile protection.

(4.7) Control and Protection System Interaction

a. Classification of Equipment - Equipment that is used for protection and control function is classified as part of the protection system and meets the requirements of IEEE Standard 279-1971.
b. Isolation Devices - No output signals from the SFRCS are used for controlling purposes.
c. Single Random Failure - A single random failure resulting in a control system action simultaneously causing a channel failure and a station condition requiring protective action is incredible.
d. Multiple Failures Resulting From a Credible Single Event - No control system action can result in a condition requiring protective action and can concurrently prevent the protective action of any SFRCS channel.

(4.8) Derivation of System Inputs - With the exception of the steam generator level transmitters, the SFRCS inputs are digital signals that are direct measures of the station parameters as listed in Subsection 7.4.1.3.2.

(4.9) Capability for Sensor Checks - Input sensor indicating lights are provided. Test pushbuttons for these input signals are also provided at the SFRCS cabinets. The four level transmitters are checked by monitoring the variable after it has been perturbed or by cross checking the same variable in different channels or other systems.

(4.10) Capability for Test and Calibration

a. Manual testing is provided for each input signal to the SFRCS to simulate sensor operation.
b. Manual calibration capability is provided by the level transmitter, the pressure switch, differential pressure switch and the current transducer/dual alarm module. These can be independently isolated and simulated process parameters applied to check calibration.

(4.11) Channel Bypass or Removal From Operation - The SFRCS channel bypass is described in Subsection 7.4.1.3.4. Maintenance is permissible to each separate, independent logic system without necessity for bypasses. Removing one logic system will reduce the channel coincidence matrices from two-out-of-two logic to a one-out-of-one logic, or a half-trip state. For logic descriptions refer to Subsection 7.4.1.3.3.

(4.12) Operating Bypasses - The SFRCS operating bypasses are described in Subsection 7.4.1.3.4. Whenever the permissive conditions are not met, the bypasses will not be allowed or will be removed automatically. The bypass circuits used to prevent or achieve automatic removal of the bypasses are part of the protective system and are designed in accordance with IEEE Standard 279-1971.

(4.13) Indication of Bypasses - Initiation of the channel bypass will be continuously indicated at the MCB or the ASP. Initiation of the operating bypasses will be continuously indicated at the SFRCS logic cabinet, at the main control board, and by the station computer and annunciator.

(4.14) Access to Means for Bypassing - The channel and operating bypasses are under administrative control as described in Subsection 7.4.1.3.4. A bypass capability is provided for normalizing all digital trip inputs into the SFRCS to facilitate testing. This switch bypass provision is to be used only in modes 4, 5, and 6 when the SFRCS is not required by tech specs, is alarmed when in bypass, and is administratively controlled by use of keyswitch.

(4.15) Multiple Setpoints - The SFRCS does not use multiple setpoints for any station parameters.

(4.16) Completion of Protective Action Once It Is Initiated - The actuated Class 1E equipment once initiated by the SFRCS will remain in the actuated state until deliberately and individually reset by operator action. Some of the equipment actuated by SFRCS will change to a different actuated state if a second, different SFRCS trip (SG low pressure) occurs.

(4.17) Manual Initiation - Manual initiation at system level is provided by two (2) trip switches for each channel, at the main control board. The functions of these control switches are as follows:

1a. Initiate AFW from SFRCS actuation Channel 1 taking steam from SG 1 and providing flow to SG 1.
1b. Initiate AFW from SFRCS actuation Channel 2 taking steam from SG 2 and providing flow to SG 2.
2a. Provide AFW flow as described in 1a and, in addition, isolate SG 1.
2b. Provide AFW flow as described in 1b and, in addition, isolate SG 2.

(4.18) Access to Setpoint Adjustments, Calibrations, and Test Points - Setpoint adjustment and calibration of the station parameter sensing switches are under administrative controls.
The test points in the SFRCS cabinets are accessible only when the cabinet doors are open. The door keys are under administrative control. Open doors are alarmed by the station computer and annunciator. Access to sensing equipment (transmitters, switches, etc.) is administratively controlled as part of general station access control to the protected and vital areas, as described in the security plan. Access is also administratively controlled through compliance with station procedures.

(4.19) Identification of Protective Actions - Protective action will be initiated whenever the generating station parameters sensed exceed the setpoint. These parameters are alarmed on the station annunciator or the station computer. Each trip is also indicated by the logic system in the SFRCS logic cabinets. Failures of power supplies are also monitored at the station computer and annunciator and indicated at the logic cabinets.

(4.20) Information readout - This is a digital system but analog signals provided from instrumentation outside of the SFRCS are displayed on the main control boards and the station computer. One SFRCS SG level transmitter from each SG provides level input to a level indicator on the main control board. Another transmitter from each SG, from diverse power sources, provides level input to the Post Accident Monitoring (PAM) Panel. Additionally all eight of the SFRCS steam generator level transmitters have level indication in the SFRCS cabinet.

(4.21) System Repair - The periodic testing can locate failure in a logic system. The modular design of the SFRCS allows for quick repair of malfunctions.

(4.22) Identification - The identification of the equipment, including cabinets, trays, and cables of the SFRCS redundant portions, is accomplished by color coding and numbering as described in Chapter 8.

7.4.2.3.2 Compliance with IEEE Standard 338-1971

The SFRCS includes provision to permit testing in accordance with Section 5 of IEEE Standard 338-1971. (Refer to item 4.10 of Subsection 7.4.2.3.1 and to Subsection 7.4.2.3.3).

7.4.2.3.3 Compliance with AEC Safety Guide 22

The SFRCS is designed to provide the greatest possible flexibility for periodic tests of the system during reactor operation. In general, the test of any protective action system, including the corresponding system logics, actuation devices, and actuated equipment, can be performed during reactor operation. A half-trip test of the logic and actuation devices is performed twice monthly (once from each logic channel). Actuated equipment tests are performed in accordance with the plant Technical Specifications.
When the actuation of the actuated equipment may damage station equipment or disrupt reactor operation, the tests are performed when the reactor is shut down.

The following equipment is routinely tested ONLY when the reactor is shut down:

Equipment Item No.    Equipment Description
MS 101                Main steam line 1 isolation valve
FW 612                Main feedwater 1 stop valve
MS 100                Main steam line 2 isolation valve
FW 601                Main feedwater 2 stop valve
SP6A                  Main feedwater 2 control valve
SP6B                  Main feedwater 1 control valve
FW 779                SG #2 main feedwater isolation (block) valve
FW 780                SG #1 main feedwater isolation (block) valve
SP 7A                 Startup feedwater 2 control valve
SP 7B                 Startup feedwater 1 control valve
ICS 11A               Atmospheric vent valve 2
ICS 11B               Atmospheric vent valve 1
MS 603                SG #2 blowdown isolation valve
MS 611                SG #1 blowdown isolation valve

7.4.2.4 Anticipatory Reactor Trip System (ARTS)

The analysis of ARTS is described in detail in Section 7.4.1.4.

7.4.2.5 Auxiliary Shutdown Panel (ASP)

7.4.2.5.1 Compliance with IEEE Standard 279-1971

The Auxiliary Shutdown Panel is designed to meet the intent of IEEE Standard 279-1971. The manual control circuits located on the panel are designed such that any single failure will not prevent proper protective action (maintaining safe hot shutdown) when required. This is accomplished by fully redundant manual controls for the systems required for safe shutdown utilizing separate essential power supplies. Indications provided meet IEEE Standard 279-1971 with the exception of Sections 4.1, 4.11 thru 4.17 and 4.19 which deal with automatic controls.

To prevent interaction between the redundant systems, the manual control channels are wired independently and separated with no electrical connections between redundant manual control systems. Normal automatic control circuits and non-essential monitor circuits are electrically isolated from essential controls and indications to prevent jeopardizing the reliability of the systems required for safe shutdown.

7.4.2.5.2 Compliance with AEC General Design Criteria

1. General Design Criterion 1 The Auxiliary Shutdown Panel utilizes high quality components. Quality control procedures were used during fabrication and testing to verify compliance with the requirements specified.


2. General Design Criterion 2 The Auxiliary Shutdown Panel is designed to withstand damage or loss of function from earthquakes and is located in a building designed to protect the system from wind, flood and lightning.
3. General Design Criterion 3 The Auxiliary Shutdown Panel is designed and constructed of materials to prevent fire and resulting loss of function. A fire-stop seal of silicone rubber foam is provided at the interconnection of the two-panel subsections where a common grounding bar is routed.
4. General Design Criterion 4 The Auxiliary Shutdown Panel is designed and located to prohibit damage or loss of function from missiles. Loss of function due to missile damage to both redundant manual control systems is considered incredible.
5. General Design Criterion 13 The Auxiliary Shutdown Panel is provided with adequate manual controls and indications of monitored station variables to provide positive safe hot shutdown of the RC system from outside the control room.
6. General Design Criterion 15 The Auxiliary Shutdown Panel provides sufficient manual controls to maintain the station in a safe hot shutdown condition without exceeding the design limits of the RC system and components.
7. General Design Criterion 19 Refer to the discussion in Appendix 3D.
8. General Design Criterion 21 The ASP has been designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. The redundancy and independence designed into the ASP are sufficient to ensure that no single failure results in loss of the protection function and that removal from service of any component or channel does not result in loss of the required minimum redundancy.

The ASP has been designed to permit periodic testing of its functioning when the reactor is in operation, including the capability to detect any loss of redundancy that may have occurred.

9. General Design Criterion 22 The ASP has been designed to ensure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions do not result in loss of the protection function.


10. General Design Criterion 23 This criterion is not applicable, per se, to the ASP but to the manual control systems located on this panel. See Subsection 7.4.2.5.1 for discussion of the criterion.
11. General Design Criterion 24 The protection systems associated with the ASP have been separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems has been limited to ensure that safety is not significantly impaired.

7.4.2.5.3 Compliance with AEC Safety Guides

1. Safety Guide 22 The ASP is designed to be tested periodically during station operation.
2. Safety Guide 29 The ASP is designed to withstand the effects of an earthquake without loss of function or physical damage. The ASP is classified Seismic Class I in accordance with the guide.

7.4.2.6 Station Load Rejection

An analysis of the station conditions following a load rejection is given in Chapter 15.

7.4.2.7 Turbine Trip

An analysis of the station conditions following a turbine trip is given in Chapter 15.

[Figure 7.4-1: Davis-Besse Nuclear Power Station Unit No. 1. Revision 31, October 2016. Diagram not recoverable from the extracted text.]

[Figure 7.4-2: Davis-Besse Nuclear Power Station, Auxiliary Feedwater Pump Turbine Start Control System Logic (M-051). Revision 24, June 2004. Diagram not recoverable from the extracted text.]

[Figure 7.4-3: Davis-Besse Nuclear Power Station, Main Steam Line and Main Feedwater Line Rupture Control System Logic (M-050A). Revision 22, November 2000. Diagram not recoverable from the extracted text.]

[Figure 7.4-3A: Davis-Besse Nuclear Power Station, Main Steam Line and Main Feedwater Line Rupture Control System Logic (M-050B). Revision 21, November 1998. Diagram not recoverable from the extracted text.]

[Figure 7.4-4: Davis-Besse Nuclear Power Station, SFRCS Logic Diagram, Logic Channels 1 and 3 and Actuation Channel 1 (E-18 SH. 1). Revision 27, June 2010. Diagram not recoverable from the extracted text.]

[Figure 7.4-4 (Drawing E-18 Sh. 2): Davis-Besse Nuclear Power Station, SFRCS Logic Diagram, Logic Channels 2 and 4 and Actuation Channel 2. Revision 27, June 2010. Drawing graphics are not recoverable from the extracted text.]

[Figure 7.4-4 (Drawing E-18 Sh. 3): Davis-Besse Nuclear Power Station, SFRCS Logic Diagram, Miscellaneous Circuits. Revision 27, June 2010. The legend symbols and circuit graphics are not recoverable from the extracted text.]

Legible drawing notes:

6. THE LOGIC AND ALL OUTPUT TRIP RELAYS SHALL BE POWER FAIL-SAFE (DE-ENERGIZE TO TRIP).

7. ALARM CIRCUIT CONTACTS SHALL OPEN TO ALARM, WITH THE COIL CIRCUIT (IN GENERAL) DE-ENERGIZED TO ALARM.

8. THE INPUT SENSOR CONTACTS ARE CLOSED UNDER NORMAL (NO TRIP) OPERATING CONDITIONS.

10. SFRCS OUTPUTS TO ARTS: LOGIC CHANNEL 1 THRU CHANNEL 4 ARE CONNECTED TO ARTS CHANNEL 1 THRU CHANNEL 4 RESPECTIVELY.

11. INPUT SIGNALS FROM MAIN FEEDWATER PRESSURE DIFFERENTIAL SWITCHES ARE TO BE TIME DELAYED BY TD1 BEFORE ACTUATING LOGIC. SEE NOTE 12 FOR SETTING.

13. THIS DRAWING IS INTENDED AS A SYSTEM LOGIC DIAGRAM AND DOES NOT REPRESENT ACTUAL WIRING CONFIGURATION.

Figure 7.4-5 (Drawing E-19B Sh. 1): Davis-Besse Nuclear Power Station, Safety Features Actuation System, Actuated Equipment Tabulation. Revision 26, June 2008.

SFRCS ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | P&ID NO. | OPERATIONAL SCHEMATIC | EQUIPMENT DESCRIPTION | SIGNAL NO. | ELEMENTARY DWG. NO. | SFRCS DWG. NO. | SFRCS FUNCTION | BLOCK SWITCH NO. | MANUAL INIT SWITCH NO. | REMARKS
SV-101A | M-003A | OS-008 SH.1 | MN. STM. LINE 1 ISO VALVE | RS-6213A | E-468 SH.1D | SF-0038 SH.9 | DE-ENERGIZE | N/A | HIS-6403 | CLOSE MS-101
SV-101B | M-003A | OS-008 SH.1 | MN. STM. LINE 1 ISO VALVE | RS-6211A | E-468 SH.1A | SF-0038 SH.9 | DE-ENERGIZE | N/A | HIS-6403 | CLOSE MS-101
SV-101C/D | M-003A | OS-008 SH.1 | MN. STM. LINE 1 ISO VALVE | RS-6324A | E-468 SH.1F | SF-0038 SH.8 | DE-ENERGIZE | N/A | N/A | CLOSE MS-101
SV-101E | M-003A | OS-008 SH.1 | MN. STM. LINE 1 ISO VALVE | RS-6322A | E-468 SH.1E | SF-0038 SH.8 | DE-ENERGIZE | N/A | N/A | CLOSE MS-101
SV-100A | M-003A | OS-008 SH.1 | MN. STM. LINE 2 ISO VALVE | RS-6224A | E-468 SH.1D | SF-0038 SH.10 | DE-ENERGIZE | N/A | HIS-6404 | CLOSE MS-100
SV-100B | M-003A | OS-008 SH.1 | MN. STM. LINE 2 ISO VALVE | RS-6322A | E-468 SH.1A | SF-0038 SH.10 | DE-ENERGIZE | N/A | HIS-6404 | CLOSE MS-100
SV-100C/D | M-003A | OS-008 SH.1 | MN. STM. LINE 2 ISO VALVE | RS-6313A | E-468 SH.1F | SF-0038 SH.7 | DE-ENERGIZE | N/A | N/A | CLOSE MS-100
SV-100E | M-003A | OS-008 SH.1 | MN. STM. LINE 2 ISO VALVE | RS-6311A | E-468 SH.1E | SF-0038 SH.7 | DE-ENERGIZE | N/A | N/A | CLOSE MS-100
MS-106 | M-003C | OS-0178 | AFPT-1 MN. STM. 1 IN ISO VALVE | RS-111 A | E-468 SH.54A/B | SF-0038 SH.13 | CLOSE | HIS-106A8 | N/A |
MS-106 | M-003C | OS-0178 | AFPT-1 MN. STM. 1 IN ISO VALVE | RS-311 A | E-468 SH.54A/B | SF-0038 SH.13 | OPEN | HIS-106A8 | HIS-6401/3 |
MS-107 | M-003C | OS-0178 | AFPT-2 MN. STM. 2 IN ISO VALVE | RS-112 A | E-468 SH.4A/B | SF-0038 SH.14 | CLOSE | HIS-107A8 | N/A |
MS-107 | M-003C | OS-0178 | AFPT-2 MN. STM. 2 IN ISO VALVE | RS-312 A | E-468 SH.4A/B | SF-0038 SH.14 | OPEN | HIS-107A8 | HIS-6402/4 |
AF-3870 | M-007B | OS-017A | AFPT-1 DISCH. TO SG-1 VALVE | RS-111 B | E-448 SH.20 | SF-0038 SH.5 | CLOSE | HIS-38708 | N/A |
AF-3870 | M-007B | OS-017A | AFPT-1 DISCH. TO SG-1 VALVE | RS-311 B | E-448 SH.20 | SF-0038 SH.5 | OPEN | HIS-38708 | HIS-6401/3 |
AF-3872 | M-007B | OS-017A | AFP-2 DISCH. TO SG-2 VALVE | RS-112 B | E-448 SH.15 | SF-0038 SH.6 | CLOSE | HIS-38728 | N/A |
AF-3872 | M-007B | OS-017A | AFP-2 DISCH. TO SG-2 VALVE | RS-312 B | E-448 SH.15 | SF-0038 SH.6 | OPEN | HIS-38728 | HIS-6402/4 |
AF-3869 | M-007B | OS-017A | AFP-1 DISCH. TO SG-2 VALVE | R'-~11 C | E-448 SH.14A/B | SF-0038 SH.3 | CLOSE | HIS-38698 | HIS-6401/3 |
AF-3869 | M-007B | OS-017A | AFP-1 DISCH. TO SG-2 VALVE | RS-111 ~1 | E-448 SH.14A/B | SF-0038 SH.3 | OPEN | HIS-38698 | N/A |
AF-3871 | M-007B | OS-017A | AFP-2 DISCH. TO SG-1 VALVE | RS-312 C | E-448 SH.14A/B | SF-0038 SH.4 | CLOSE | HIS-38718 | HIS-6402/4 |
AF-3871 | M-007B | OS-017A | AFP-2 DISCH. TO SG-1 VALVE | RS-112 C | E-448 SH.14A/B | SF-0038 SH.4 | OPEN | HIS-38718 | N/A |
SV-SP6A1 | M-007B | OS-012A SH.2 | MN. FW. 2 CTRL. VALVE | RS-65A1A | E-448 SH.9 | SF-0038 SH.29 | DE-ENERGIZE | N/A | N/A | CLOSE FW-SP6A
SV-SP6A2 | M-007B | OS-012A SH.2 | MN. FW. 2 CTRL. VALVE | RS-65A3A | E-448 SH.9 | SF-0038 SH.29 | DE-ENERGIZE | N/A | N/A | CLOSE FW-SP6A
SV-SP7A1/3 | M-007B | OS-012A SH.2 | MN. FW. 2 SU. CTRL. VALVE | RS-65A3B | E-448 SH.21B | SF-0038 SH.31 | DE-ENERGIZE | HIS-SP788 | N/A | CLOSE FW-SP7A
SV-SP7A5 | M-007B | OS-012A SH.2 | MN. FW. 2 SU. CTRL. VALVE | RS-65A1B | E-448 SH.21C | SF-0038 SH.31 | DE-ENERGIZE | HIS-SP788 | N/A | CLOSE FW-SP7A
SV-SP7A2 | M-007B | OS-012A SH.2 | MN. FW. 2 SU. CTRL. VALVE | RS-64B4B | E-448 SH.21A | SF-0038 SH.34 | DE-ENERGIZE | HIS-SP7DB | HIS-6404 | CLOSE FW-SP7A
SV-SP7A4 | M-007B | OS-012A SH.2 | MN. FW. 2 SU. CTRL. VALVE | RS-64B2B | E-448 SH.21D | SF-0038 SH.34 | DE-ENERGIZE | HIS-SP7DB | HIS-6404 | CLOSE FW-SP7A
FW-780 | M-007B | OS-012A SH.2 | SG-1 MN. FW. ISO. VALVE | RS-64A A | E-448 SH.5 | SF-0038 SH.27 | CLOSE | N/A | HIS-6403 |
SV-101-1 | M-003A | OS-008 SH.1 | MN. STM. LINE 1 WU. ISO. VALVE | RS-611 A | E-468 SH.32A | SF-0038 SH.11 | DE-ENERGIZE | N/A | HIS-6403 | CLOSE MS-101-1
SV-ICS11B1/2 | M-007A | OS-008 SH.1 | SG-1 ATM. STM. VENT VALVE | RS-611 D | E-468 SH.78A/B | SF-0038 SH.23 | DE-ENERGIZE | HIS-ICS11D | HIS-6403 | CLOSE ICS11B
SV-394 | M-003A | OS-008 SH.1 | MN. STM. LINE 1 WU. DRAIN ISO. VALVE | RS-611 B | E-468 SH.3 | SF-0038 SH.17 | DE-ENERGIZE | N/A | HIS-6403 | CLOSE MS-394
FW-612 | M-007B | OS-012A SH.2 | MN. FW. 1 STOP VALVE | RS-611 E | E-448 SH.4A/B | SF-0038 SH.25 | CLOSE | HIS-612A | HIS-6403 |
MS-611 | M-007B | OS-008 SH.1 | SG-1 DRAIN VALVE | RS-611 C | E-468 SH.33/A | SF-0038 SH.19 | CLOSE | HIS-6118 | HIS-6403 |
SV-5889A | M-003C | OS-0178 | AFPT-1 MN. STM. IN ISO. VALVE | RS-511 A | E-468 SH.71 | SF-0038 SH.21 | DE-ENERGIZE | N/A | HIS-6401/3 | OPEN MS-5889A

SFRCS OUTPUT TRIP SIGNAL DESCRIPTION

Example signal number: RS-4213C. Fields labelled on the drawing: signal fan-out letter (A-E); logic channel (1-4, omitted if combined signal); actuation channel (1, 2, A, B); trip condition fan-out (1-6); unique trip condition (1-6); rupture control system trip outputs.

REFERENCES:

E-18 SH.1: SFRCS LOGIC DIAGRAM, LOGIC CHANNELS 1 & 3 AND ACTUATION CHANNEL 1
E-18 SH.2: SFRCS LOGIC DIAGRAM, LOGIC CHANNELS 2 & 4 AND ACTUATION CHANNEL 2
E-18 SH.3: SFRCS LOGIC DIAGRAM, MISCELLANEOUS CIRCUITS
SF-003 SERIES: SFRCS INTERNAL SCHEMATIC DIAGRAMS

Figure 7.4-6 (Drawing E-19B Sh. 2): Davis-Besse Nuclear Power Station, SFRCS Actuated Equipment Tabulation. Revision 12, July 1990.

SFRCS ACTUATED EQUIPMENT TABULATION

EQUIPMENT ITEM NO. | P&ID NO. | OPERATIONAL SCHEMATIC | EQUIPMENT DESCRIPTION | SIGNAL NO. | ELEMENTARY DWG. NO. | SFRCS DWG. NO. | SFRCS FUNCTION | BLOCK SWITCH NO. | MANUAL INIT SWITCH NO. | REMARKS
ARTS-1 | N/A | N/A | ANTICIPATORY REACTOR TRIP SYSTEM-1 | RS-521 ll | E-658 SH.10 | SF-0038 SH.35 | TRIP | N/A | HIS-6401/3 | TRIP REACTOR
ARTS-3 | N/A | N/A | ANTICIPATORY REACTOR TRIP SYSTEM-3 | RS-5213~ | E-658 SH.10 | SF-0038 SH.35 | TRIP | N/A | HIS-6401/3 | TRIP REACTOR
SY-SPel | M-007B | OS-012A SH.2 | MN. FW. 1 CTRL. VALVE | RS-65B2A | E-448 SH.9 | SF-0038 SH.30 | DE-ENERGIZE | N/A | N/A | CLOSE FW-SP6B
sv-~ | M-007B | OS-012A SH.2 | MN. FW. 1 CTRL. VALVE | RS-65B4A | E-448 SH.9 | SF-0038 SH.30 | DE-ENERGIZE | N/A | N/A | CLOSE FW-SP6B
SV-SP181/3 | M-007B | OS-012A SH.2 | MN. FW. 1 SU. CTRL. VALVE | RS-64A3B | E-448 SH.21B | SF-0038 SH.33 | DE-ENERGIZE | HIS-SP7A8 | HIS-6403 | CLOSE FW-SP7B
SV-:>P185 | M-007B | OS-012A SH.2 | MN. FW. 1 SU. CTRL. VALVE | RS-64A1B | E-448 SH.21C | SF-0038 SH.33 | DE-ENERGIZE | HIS-SP7A8 | HIS-6403 | CLOSE FW-SP7B
SV-SP182 | M-007B | OS-012A SH.2 | MN. FW. 1 SU. CTRL. VALVE | RS-658-i& | E-448 SH.21A | SF-0038 SH.32 | DE-ENERGIZE | HIS-SP7C8 | N/A | CLOSE FW-SP7B
SV-SP184 | M-007B | OS-012A SH.2 | MN. FW. 1 SU. CTRL. VALVE | RS-65B2B | E-448 SH.21D | SF-0038 SH.32 | DE-ENERGIZE | HIS-SP7C8 | N/A | CLOSE FW-SP7B
FW-7'19 | M-007B | OS-012A SH.2 | SG-2 MN. FW. ISO. VALVE | RS-64B A | E-448 SH.5 | SF-0038 SH.28 | CLOSE | N/A | HIS-6404 |
SV-100-1 | M-003A | OS-008 SH.1 | MN. STM. LINE 2 WU. ISO. VALVE | RS-612 A | E-468 SH.32A | SF-0038 SH.12 | DE-ENERGIZE | N/A | HIS-6404 | CLOSE MS-100-1
SV-ICS11A1/2 | M-007A | OS-008 SH.1 | SG-2 ATM. STM. VENT VALVE | RS-612 D | E-468 SH.79A/B | SF-0038 SH.24 | DE-ENERGIZE | HIS-ICS11C | HIS-6404 | CLOSE ICS11A
SV-375 | M-003A | OS-008 SH.1 | MN. STM. LINE 2 WU. DRAIN ISO. VALVE | RS-612 B | E-468 SH.3 | SF-0038 SH.18 | DE-ENERGIZE | N/A | HIS-6404 | CLOSE MS-375
FW-601 | M-007B | OS-012A SH.2 | MN. FW. 2 STOP VALVE | RS-612 E | E-448 SH.4A/B | SF-0038 SH.26 | CLOSE | HIS-601A | HIS-6404 |
MS-603 | M-007B | OS-008 SH.1 | SG-2 DRAIN STOP VALVE | RS-612 C | E-468 SH.33/A | SF-0038 SH.20 | CLOSE | HIS-6038 | HIS-6404 |
SY-588 | M-003C | OS-0178 | AFPT-2 MN. STM. IN. ISO VALVE | RS-512 A | E-468 SH.71 | SF-0038 SH.22 | DE-ENERGIZE | N/A | HIS-6402/4 | OPEN MS-58898
ARTS-2 | N/A | N/A | ANTICIPATORY REACTOR TRIP SYSTEM-2 | RS-5222A | E-658 SH.10 | SF-0038 SH.36 | TRIP | N/A | HIS-6402/4 | TRIP REACTOR
ARTS-4 | N/A | N/A | ANTICIPATORY REACTOR TRIP SYSTEM-4 | RS-5224A | E-658 SH.10 | SF-0038 SH.36 | TRIP | N/A | HIS-6402/4 | TRIP REACTOR
MS-106A | M-003C | OS-0178 | AFPT-1 MN. STM. 2 IN. ISO. VALVE | RS-211 A | E-468 SH.46A/B | SF-0038 SH.15 | OPEN | HIS-106EB | N/A |
MS-106A | M-003C | OS-0178 | AFPT-1 MN. STM. 2 IN. ISO. VALVE | RS-411 A | E-468 SH.46A/B | SF-0038 SH.15 | CLOSE | HIS-106EB | N/A |
MS-107A | M-003C | OS-0178 | AFPT-2 MN. STM. 1 IN. ISO. VALVE | RS-212 A | E-468 SH.46A/B | SF-0038 SH.16 | OPEN | HIS-107EB | N/A |
MS-107A | M-003C | OS-0178 | AFPT-2 MN. STM. 1 IN. ISO. VALVE | RS-412 A | E-468 SH.46A/B | SF-0038 SH.16 | CLOSE | HIS-107EB | N/A |
TTA | N/A | N/A | TURBINE TRIP-A | RS-53A A | E-428 SH.53 | SF-0038 SH.37 | TRIP | N/A | HIS-6401/3 | TRIP TURBINE
TTB | N/A | N/A | TURBINE TRIP-B | RS-53B A | E-428 SH.53 | SF-0038 SH.38 | TRIP | N/A | HIS-6402/4 | TRIP TURBINE

SFRCS OUTPUT TRIP SIGNAL DESCRIPTION

Fields labelled on the drawing: signal fan-out letter (A-E); logic channel (1-4, omitted if combined signal); actuation channel (1, 2, A, B); trip condition fan-out (1-6); unique trip condition (1-6); rupture control system trip outputs.

REFERENCES: SEE E-19B SH. 1

[Figure 7.4-8 (Drawing E-28): Davis-Besse Nuclear Power Station, Anticipatory Reactor Trip System (ARTS), System Logic Diagram. Revision 25, June 2006. The channel input logic, symbol legend, reference drawing list and the remaining design criteria are not recoverable from the extracted text.]

Legible design criteria from the drawing:

C. THE SYSTEM SHALL BE FULLY TESTABLE.

D. NO SINGLE FAILURE WILL ADVERSELY AFFECT THE OPERATION OF THE SYSTEM.

E. LOSS OF CONTROL POWER OR REMOVAL OF A MODULE WILL CAUSE THE ASSOCIATED CHANNEL TO TRIP.

C3630 DEVICE LOCATIONS ISEE NOTE 8J C3630 FROllT LAYOUT I 4"-0* I I KB IFIQITI (FW.L-IEll I PUN VIEW IN.T.S. I I I

                 ---------1----------
                 ,.                                                                               ,.Ir.            -"fr*               ..

BOO..

                                                                                                                                                   ~

-f---+--- I+

                                                                                          'IYz*            s*

00 0 0 00 0 CUTOUT DETAIL FOO T.10

                                                 +                                                      +            +

lllSCll lteltATOllS lmll& Slit: IT SllJ(

                                                                   +                                                                                                                                                                                                                                                                                                    aPl'LICMll.£1'1111*

F11-w>lD-t 4:*1 nl-m>Jl-1 ISA*I

                                                                                                                                                                                                                                                                                                        = =
                                                                                                                                                   !                                                                        ©~              CiiD          ITiD            Ciifii]                      CiW         CiiD        [iii) i                                                                                [iii]         [iii]          CiiiJ
                                                                                                                                                                                                                                                                                     ©~                CiW         CiiD        Ciiil
                                                                                                                                                                                                                             ~               ~ ~                          ~                  ..                     ~

MARGINAL QUALITY DOCUMENT

                                                                                                                                                                                                                                           ©~©~~:r                                                ©~©~©~

BEST COPY AVAILABLE 0 0 L---------~-~------1 I I

t. EGUIPllEllT llEOllllllC llMl.ln - 1$ IDOITIFllD 111 l l llLL (If" llllEllUL, - . ,
2. m=.TO~IU~~ VllllED VITI ORIGI-1ft~mr.-
                                                                                                                                                                                                                                                                                                                                                      ~ ~t:E~T~-~:f.~'&m~
                                                                                                                                                                                                                                                                                                                                                          $1'.lllESVITCMESllZS._112t_llZ9.lllEVI-~

I =*~"'rl>n?Lfti/11.t =lff",!JF£lJs\ ':&11.;_ I S.

                                                                                                                                                                                                                                                                                                                                                      .. -*~ f/l IEGll-               '°us. - .          Gii , _ ........
l. £T1S LIGKl'S *J -

1_ _ __

                                                                                                                                                                                                                                                                                                                                                                                      *6 -    12SWC JU. 0 - ME 120VAC.

lo . , . - llC , _ LA'IGUT FOR IEYICI IESl-TQI$. J____

                                                                                                                                                                                                                                                                                                                                                      ** - . a 1 1 IS LOCAllD QI TW flF SltTOI.
10. ........'"- .... Oii.OR - AS nl.l.llllSL t -ti I 154 *111 $UllFME,MJICI COllE
a. 19 Tt*H
                                                                                                                                                                                                                                                                                                                                                                               -    --**lllt: tal£
                                                                                                                                                                                                                                                                                                                                                                               --ACIE.10.l.Oll~

t1. - . a 1 1 - ' I U AS FGU.Ollh UPT l'OSITIGllt WI ltllllttl'OSITICINt 502 11.P, llo. Clllllll'. LEJ1[ll SIZE

                           $U[

FllST LlllE OICIA'lllllf stcoie Liii: 111111 Liii: t.£Tltl SIZE Silt 1-1 :s* ,. FIRST LlllE EllliRAYllllf stCGlll LlllE 111111 LlllE t.£TTO Silt SIZE FIRST LlllE stCOlll LlllE BGIAYlll; 1111111 LlllE Fc.rmtllll: I I I'll* 2131 1 \ti' v,*111* llSllC2 .. 1'11211 2t I ($(( llJI[ 51 2 I 1*1 :s* laCRll CllClMI >> 1  %' 1'13' SOWIC[ 11111 ISll S8.£CT 51 1 \ti"  %*111* IS I01I 3 I 1'1 3* S1bll ICmnT<<t Y*'\ )1 5' 1 v.* ,,, v,*x11* IS S99I v.- 1* 1'1 :s* 'f.*

                                                                                                                                                                                                                      '° 4     I                                                                                                      JZ      I I               ¥.-11¥.*   11$6455 , . ,                                                             I                            IS lllJA ISO: ll01E ti 5     I         1*     1'1,.     ~RI                           QIGlMT                                        :SS       1    v.*        %'111*      lllCIM                                                            '1     1      v.*      %'Ill' ISIOll ISO: lllJIE:SI 1*1 :s*
 '      I 1*      1'1 :s*

S1bll GOU J4 1  %"  %*111* Tl llCl82 '2 I \ti"  %'Xll' ISfGIO ISUll01E31 1 I PR2R 11R JS 1  %"  %'1tl* Pl '3ell I \ti' l'i'Xll' llS 13121

 ,*     I 1*

r1 r 1*1 :s* jfpJ I GOW1lYCOIT

  • 1
                                                                                                                              'f.*       %'111*

Vo 11* ISP111S M I 14* v,*x 11* IS 1ort ISU llllE JI I l'llZlm J1 I Pl SP1211 Qi I \ti' v,*x11* *IS , , . 1sa llllE 10 11 I I 1* 1*1 ,. 1*13*

                                   .lfl'T 2 GOii lo\.V CtllT
                                  ~llRClll.
                                                                                                              *J9 I

I IJ.* v,*1 ,,. LlllCIN

                                                                                                                                         %'X 11' Tl llClM                                                             "51 I      v.*      VJ*111* llS 13'S 1*1 :s*

12 I  %' jfpJ I GOW COllT stl.£CT 40 I  %*111- Pl 63'5oU 13 14 I I 1*1 :s* 1*1 J* jfpJ I GOW SPI COIT l'llZlmClll. 41 42 t I v.*

                                                                                                                                         %'1 ll' LI Sl'9AS
                                                                                                                                         %'X11' Pl SPIZAI                                                              10 I

1 l'I 2' 1'12' 1111 SIC *I 1111 SIC <1 DAVIS-BESSE NUCLEAR POWER STATION 15 I  %' 1*1 J* jfpJ 2 GOW COIT SELECT G t  %"  %*12* a CGlllll1. 11 1 LI u ... y. 14 1i*x 2%* SFllCS-sA 12'4 11 lllH llP M Cll UO II VllH 11P I of I' 11 I I 1*1 :s* 1*1 :s* jfpf2GOWSPllCOIT l'llZlm CTIL stl.£CT 44 45 I I

                                                                                                                                          ,,,** 2* CllllCCilmlll..

ir,*12* SCOllllll. 12 I J... ~- 1i*x 2%* SFllCS-0 SA -4911lllHIEP1-1 Cll !115 IK VIII llP H AUXILIARY SHUTDOWN PANEL

                                                                                                              .*                                                                                                                                                                                                                                                                                                          (ASP) 1*1 :s*
"                 1*

I I  %* ,,,** 2* ClllltGllllll. I 1 14 12'1 II lllH llP 1*Z UO II VllH 11P 1-1 SPMt: <SU llOlt 2131 T3 u ... Yo ll'l 2%' SFllCS*SA Cll 1' I 1* 1*1 :s* SPiii[ <SU llllT£ 213> 47 1 v.* Vo 11* llSllCH 14 11-12%* sncs-asa v.- T4 I ~* 4' 11lllHIEP1*2 Cll S5 Ill 1111llP1-1 M-592 1*1 :s* u ... Yo 20 I 'ft* SDIYIC[ WIR ISO 11.Y I  %*111* llS l<Sla 21 I 'f.* 1'1 :s* Al'lllm CTIL stl.£tT 41 I v.*  %*111* llS ICS. 15 I VJ* l'I J* 11-1

                                                                                                                              .,..                                                                                     "n                                                                                                                                                                                        FIGURE 7.4-9 I                1*1 J*                                                                                                                                                                                               t                t'I 3'       IM 22                                 SPllll[   <SU     llOlt 2'31                                               50         I    %'         %*111* llSllCM 1*     1*1 :s*                                                                                                                                                                                              I      14*      %'X 1ir,*      l-wJt-1 2l      I                          SPMt: <SU         llOTE 2'31                                                51        I               %'1 ll' llSICSlto\

1'1 :s* \ti'  %*11%*

                  'ft*                                                                                                                                                                                                 11     t                             l-WJC-1 v.*

24 I mtlCl W1R ISO 'LY 52 I '!.'  %'XII' llS ICS3M 1*1 :s* v,*11v,* l-w>>-1 1* I 19 25 v.* I <SU llllT£ 2131 I ir,*111* llS llC2*T 2' 21 I I 1* 1*1 :s* 1*1 :s* -IClmt

                                             <SU     11111[ 2131 ISO ElCT 54
                                                                                                               !115 I

1 v.- ,,,

                                                                                                                                         %'1 ll' llS IOlll
                                                                                                                                         %'X ll' llS "'8 IO     I I      v.-
                                                                                                                                                                                                                                              %'X   !VJ' Vt-*,.

l.Wlo\-1 s s REVISION 24 1* 1*1 :s* v.* 12 1 \li' l'r'l I' JUNE 2004 ZI I ($(( llOT[ 2'31 5' I llS llCA ISU. 11111[ ti I] 1  %' ir,*11* SS 14 t  %' l'r"l I' SS

7.5 SAFETY-RELATED DISPLAY INFORMATION

The necessary information to monitor the nuclear steam supply system, the containment system and the balance of station is displayed on the operator's console and the various vertical boards located within the control room. Essential information is also displayed on the auxiliary shutdown panel. These indications include the information to control and operate the station through all operating conditions of the station including anticipated operational occurrences and accident and post-accident conditions.

7.5.1 Description

Safety surveillance instrumentation, which includes indicators, recorders, lights, annunciators, CRT displays and the station computer, is provided for the following systems.

1. CV Environment.
2. Reactor Coolant.
3. Reactor.
4. CRDCS (trip portion).
5. Auxiliary Feedwater.
6. Auxiliary Shutdown Panel.
7. ESF Status.
8. RPS Status.
9. ARTS Status.
10. PAMS Status.

Sufficient information is provided to enable the operator to maintain the station in a safe condition following both anticipated operational occurrences and accident and post-accident conditions.

For the convenience of the operating personnel, all reactor safety systems are presented graphically on the main control panels designated for the Safety Features Status Display. Instruments are either located on process mimic lines or are shown connected to certain systems by influence lines. The Containment Vessel, Reactor, Core Flooding Tanks, pumps, heat exchangers, etc., are shown schematically in the systems. Pumps, fans, and valves are in most cases represented by their respective control switches and status indicating lights. All mimic process lines and equipment are in color.

Safety related equipment which is automatically initiated by SFAS to satisfy safety functions is provided with a Safety Actuation Monitoring (SAM) amber indicating light/switch. These SAM lights are located primarily on the safety features status display panels and operate as follows:

1. Light off:

Condition: No safety actuation demand or a safety actuation demand with equipment failing to actuate.

2. Light dim:

Condition: Safety actuation demand and the equipment successfully in safety actuation mode of operation.

3. Light full on:

Condition: Safety actuation demand but safety signal is blocked. The equipment item associated with the blocked system logic is still in the safety actuation mode of operation.

4. Light flashing:

Condition: Safety actuation demand but safety signal is blocked. The equipment item associated with the blocked system logic is in a non-safety actuation mode of operation.

The remote manual block signal has no effect as long as no trip signal exists in the safety actuation system logic.

Position indicating lights for motor-operated valves or running lights for pumps and fans are provided in the control room. All safety related solenoid valves are fail safe upon loss of control voltage, and are indicated by position lights independent of the control voltage.

Located on the main control panel, in clear view of the operator, are manually operated indicator lights provided to warn the operator of a safety system that is inoperable because of previous failure, repair work in progress, or routine maintenance being performed on the system. These manually operated indicator lights are for systems identified below.

Auxiliary Feedwater System
Component Cooling System
Service Water System
HPI System
Core Flooding System
Emergency Ventilation System
Emergency Diesel Generator
Control Room Cooling System
BWST System
Containment Air Cooling System
Steam Generator Isolation
Containment Isolation
Low Pressure Injection System
Containment Spray System

7.5-2 UFSAR Rev 30 10/2014
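The four SAM light states listed above can be written as one decision function. The sketch below is an added example, not code from the UFSAR or from any plant system; the equipment labels and the snapshot are constructed. It also inverts the mapping to show that a dark lamp by itself does not distinguish "no demand" from "demand with failure to actuate".

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Light(Enum):
    OFF = "off"
    DIM = "dim"
    FULL_ON = "full on"
    FLASHING = "flashing"


@dataclass(frozen=True)
class Equipment:
    name: str             # constructed label, not a plant tag number
    demand: bool          # safety actuation demand (trip signal) present
    blocked: bool         # remote manual block applied to the system logic
    in_safety_mode: bool  # equipment is in its safety actuation mode


def sam_light(demand: bool, blocked: bool, in_safety_mode: bool) -> Light:
    """Map the three inputs to the lamp state listed in Section 7.5.1."""
    if not demand:
        # The block has no effect while no trip signal exists, so the lamp is off.
        return Light.OFF
    if blocked:
        return Light.FULL_ON if in_safety_mode else Light.FLASHING
    # Demand, not blocked: dim on success, off when the equipment fails to actuate.
    return Light.DIM if in_safety_mode else Light.OFF


def inputs_per_light() -> dict:
    """Invert the mapping: every (demand, blocked, in_safety_mode) per lamp state."""
    table = {light: [] for light in Light}
    for combo in product((False, True), repeat=3):
        table[sam_light(*combo)].append(combo)
    return table


def needs_attention(snapshot) -> list:
    """List equipment that is not in its safety mode while a demand is present."""
    findings = []
    for eq in snapshot:
        light = sam_light(eq.demand, eq.blocked, eq.in_safety_mode)
        if eq.demand and light is Light.OFF:
            findings.append((eq.name, light, "demand present, equipment failed to actuate"))
        elif light is Light.FLASHING:
            findings.append((eq.name, light, "signal blocked, equipment not in safety mode"))
    return findings


# Constructed snapshot for illustration only.
SNAPSHOT = [
    Equipment("pump 1", demand=True, blocked=False, in_safety_mode=True),
    Equipment("pump 2", demand=True, blocked=False, in_safety_mode=False),
    Equipment("valve 1", demand=True, blocked=True, in_safety_mode=True),
    Equipment("valve 2", demand=True, blocked=True, in_safety_mode=False),
    Equipment("fan 1", demand=False, blocked=True, in_safety_mode=False),
]

if __name__ == "__main__":
    for light, combos in inputs_per_light().items():
        print(f"{light.value:9s} <- {len(combos)} input combination(s)")
    for name, light, reason in needs_attention(SNAPSHOT):
        print(f"{name}: lamp {light.value}: {reason}")
```

Five of the eight input combinations leave the lamp off, which is why the dark state has to be read together with the demand status shown elsewhere on the panel.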

This indication is a manual on-off type that will be initiated by the operator or other qualified personnel when a safety system is not in service. These indication lights will be illuminated as long as the system is inoperable, in compliance with Regulatory Guide 1.47. Regulatory Guides 1.40 and 1.41 apply to components as discussed in Chapters 3 and 8.

7.5.2 Analysis

7.5.2.1 Criteria

The following criteria have been utilized for those surveillance systems required for safety:

1. General Design Criteria 1, 2, 3, 4, 13, 19, 64.
2. Safety Guide 29.
3. IEEE Standard 279-1971 excluding Sections 4.1, 4.11 through 4.17 and 4.19, as these apply to actuation systems.
4. The NI instrumentation, as described in Section 7.8, meets the requirements for separation of protection and control systems and for single failure as specified in IEEE Standard 279-1968.

Those surveillance systems required for safety are the indications for the systems required for safe shutdown, protection systems status (including actuated devices), and post-accident CV monitoring. Seismic design ensures availability of the display information throughout a safe shutdown earthquake. The indicators are seismically qualified and will remain undamaged by such an earthquake, with the calibration unaffected.

7.5.2.2 Compliance With Criteria

The required safety surveillance systems comply with the criteria listed in Subsection 7.5.2.1 as follows:

7.5.2.2.1 Criterion 1

All required surveillance systems are manufactured and tested to QC procedures described in Chapter 17.

7.5.2.2.2 Criterion 2

All required surveillance systems are Seismic Class I design.

7.5.2.2.3 Criterion 3

Required surveillance systems are wired with fire retardant wire.

7.5.2.2.4 Criterion 4

All required surveillance systems are located in areas that remain virtually free of adverse environmental effects resulting from abnormal station operating conditions.

7.5.2.2.5 Criterion 13

The required surveillance systems provide indication to assure adequate safety for normal operation, anticipated operational occurrences, and accident conditions.

7.5.2.2.6 Criterion 19

Adequate surveillance systems are provided both in the control room and outside the control room to enable the operator to take appropriate actions as may be required by station operations.

7.5.2.2.7 Criterion 64

CV radiation monitoring is available for normal operation, anticipated operational occurrences, and accident conditions.

7.5.2.2.8 Safety Guide 29

All surveillance instrumentation required in shutting down the reactor and maintaining the reactor in a safe condition, monitoring the status of station protection systems and monitoring the CV hydrogen and radiation levels are Seismic Class I.

7.5.2.2.9 IEEE Standard 279-1971

All required surveillance systems meet the intent of IEEE Standard 279-1971 on a point by point basis with the previously stated exceptions of 4.1, 4.11 through 4.17, and 4.19.

7.5.2.3 Available Readouts

Table 7.5-1 lists the information readouts available for monitoring conditions in the reactor, reactor coolant system, CV, ECC system, and steam generators.

7.5.2.4 Design Adequacy

The utilization of the design criteria listed in Subsection 7.5.2.1 for required surveillance systems ensures the availability of these systems during all station operating modes including accident. Surveillance systems not required for station safety but that do serve as operating aids are generally redundant in available means of display. This diversity plus the interrelation that exists among display information ensures their availability to the operator during all station operating modes except the worst possible cases in which these surveillance systems are not required.

TABLE 7.5-1 INFORMATION READOUTS AVAILABLE TO THE OPERATOR FOR MONITORING CONDITIONS IN REACTOR, REACTOR COOLANT SYSTEM, CONTAINMENT VESSEL, ECCS, AND STEAM GENERATORS

Measured Parameter | Type of Readout | Number of Sensor Channels | Indicator Range | Indicator Accuracy, % of Full Scale | Indicator Location
Source range neutron level (NI) | B, F, E | 2 | 10^-1 to 10^+6 cps | +/-1 | A, B, D
Source range neutron level # | B, F | 2 | 10 105 cps | +/-1 | B, D
Source range startup rate (NI) | A, F | 2 | -1 to 10 dpm | +/-1 | A, B, D
Intermediate range neutron level (NI) | B, F | 2 | 10^-11 to 10^-3 amp | +/-1 | A, B, D
Intermediate range neutron level (NI) | E | 1 | 10^-11 to 10^-3 amp | +/- .5 | B
Intermediate range startup rate (NI) | A, F | 2 | -1 to 10 dpm | +/-1 | A, B, D
Power range neutron level (NI) | A, F | 4 | 0 to 125% FP | +/-1 | A, B, D
Power range neutron level (NI) | E | 1 | 0 to 125% FP | +/- 0.5 | B
Wide Range Log Power # | B, F | 2 | 10 2 x 102% | +/-1 | B, D
Power range neutron level Imbalance (NI) | A, F | 4 | 60 to +65% FP | +/-1 | A, B, D
RC loop outlet temperature ** | A, F ANN. | 4 in each loop | 520-620°F | +/-1 | A, B, C, D
RC unit outlet temperature | E, F ANN. | * | 520-620°F | +/- .5 | B, D
RC loop outlet temperatures ** | A, D, F | 2 in each loop | 120-920°F | +/-1 | B, D
RC loop inlet temperature | A, F, | 4 in each loop | 520-620°F | +/-1 | B, D
RC loop inlet temperature | A, D, F | 2 in each loop | 50-650°F | +/-1 | B, D
RC unit inlet temperature | A, F, ANN. | * | 520-620°F | +/-1 | B, D
RC loop average temperature | A, F, ANN. | * | 520-620°F | +/-1 | B, D
RC unit average temperature | D, E, F ANN. | * | 520-620°F | +/- .2 | B, D
RC loop temperature difference | A, F, ANN. | * | 0 to 70°F | +/-1 | B, D
RC unit temperature difference | A, F, ANN. | * | -10 to +10°F; 0 to 70°F | +/-1 | B, D
Incore Temperature # | A, D, F | 2 (2/Core Quad) | 0 - 2300°F | +/-1 | B, D
RC loop pressure # | A, D, E, F, | 2 | 0 - 3000 psig | +/-1 | B, C, D
RC loop pressure ** | A, E, F ANN. | 4 | 0 - 2500 psig | +/-1 | A, B, C, D
 | | 4 | 1700 - 2500 psig | |
RC loop low range pressure | A | 1 in loop two | 0 to 500 psig | +/-1 | B
Pressurizer level ** | A, F, ANN. | 2 | 0 to 320 in. | +/- 1.5 | B, C, D
Pressurizer level | A, E, F ANN. | 1 | 0 to 320 in. | +/- 1.5 | B, C, D
Pressurizer temperature | A, F | 2 | 0 to 700°F | +/-1 | B, D
Pressurizer Relief Valves # | A, C, F | 2 | 0 - 100% | +/-1 | B, D
RC loop flow | A, F, ANN. | 4 in each loop | 0 - 90 x 10^6 lb/hr | +/-1 | A, B, D
RC total flow | E, F, ANN. | * | 0 - 180 x 10^6 lb/hr | +/- .5 | A, B, D
BWST level ** | A, F, ANN. | 4 | 0 - 50 ft. | +/- 1.5 | B, D
Steam generator startup range level ** | A, F, ANN. | 2 in each loop | 0 - 250 in. | +/- 1.5 | B, C, D
Steam generator startup range level (SFRCS) # | A, D | 4 in each loop SFRCS cabinets, 2 in each loop in CTRM | 0 - 300 in. | +/-1 | A, B, D
Steam generator operating range level | E ANN. | 1 in each loop | 0 - 100% | +/- 0.5 | B, D
Steam generator operating range level | F | 2 in each loop | 0 - 100% | -- | D
Steam generator full range level | A, F, ANN. | 1 in each loop | 0 - 650 in. | +/-1 | B, D
RC saturation *# | D, F, ANN. | 2 | NA | - | B, D
RC Hot Leg Level *# | F | 2 | NA | - | D
Station electrical distribution | A, C, F | 2 | -- | +/-2 | B, D
Auxiliary feedwater status ** | C, F, ANN. | 1 per loop | -- | -- | B, C, D
Auxiliary feedwater flow # | A, D, F | 2 per SG | 0 - 1000 gpm | +/-1 | B, D
Containment vessel wide range pressure # | A, F, D | 2 | 0 - 200 psia | +/-1 | B, D
Containment vessel pressure | A, F, ANN. | 4 | 0 - 60 psia | +/-1 | A, B, D
Containment vessel hydrogen **# | A, F ANN. | 2 | 0 - 10% | +/- 1.5 | A, B, D
Containment vessel radiation (REs are turned off) | B, F, ANN. | 4 | 0 - 1000 mR/hr | +/-1 | A, B, D
Containment vessel radiation | B, F, E, ANN. | 2 | 10 10--1 µCi/cc | +/-1 | A, B, D
Containment High Range Radiation # | B, F | 2 | 10^0 - 10^8 R/HR | +/-1 | B, D
Containment vessel isolation status ** | C, F | 1 per valve | -- | -- | B, D
Containment vessel temperature | A, F, ANN. | 6 | -- | +/- 1.5 | B, D
Containment vessel normal sump level # | A, F, D | 2 | 534.5 - 538.5 ft. | +/-1 | B, D
Containment vessel wide range water level # | A, F, D | 2 | 538 - 593 ft. | +/-1 | B, D
ARTS Status | C, F ANN. | 4 | -- | -- | A, B, D
SFAS status ** | C, F, ANN. | 4 | -- | -- | B, D
Safety features equipment status ** | C, F, | 2 | -- | -- | B, D
RPS status ** | C, F, ANN. | 2 | -- | -- | B, D
SFRCS status ** | C, F, | 2 | -- | -- | B, D
HPI system status | C | Manual | -- | -- | B
LPI system status | C | Manual | -- | -- | B
Containment spray system status | C | Manual | -- | -- | B
Core flood system status | C | Manual | -- | -- | B
BWST system status | C | Manual | -- | -- | B
Emergency Diesel Generator System Status | C | Manual | -- | -- | B
Containment air cooling system status | C | Manual | -- | -- | B
Emergency ventilation system status | C | Manual | -- | -- | B
Aux. Feedwater System Status | C | Manual | -- | -- | B
Component Cooling System Status | C | Manual | -- | -- | B
Service Water System Status | C | Manual | -- | -- | B
Control Room Cooling System Status | C | Manual | -- | -- | B
Steam Generator Isolation Status | C | Manual | -- | -- | B
Containment Isolation Status | C | Manual | -- | -- | B
Steam generator outlet pressure ** | A, F | 1 in each loop | 0 - 1200 psig | +/-1 (@ c acc. = +/- 1.5%) | B, C, D
Steam generator outlet pressure | A, F | 1 in each loop | 0 - 1200 psig | +/-1 | B, D
High pressure injection flow ** | A, D, F, ANN. | 2 in each loop | 0 - 500 gpm | +/-1 | B, D, C
Low pressure injection (DHR) flow ** | A, F ANN. | 1 in each loop | 0 - 5000 gpm | +/-1 | B, D
Containment spray flow | A, F, ANN. | 1 in each loop | 0 - 2000 gpm | +/- 1.5 | B, D
Core flood tank pressure | A, F, ANN. | 2 in each tank | 0 - 700 psig | +/-1 | B, D
Core flood tank level | A, ANN. | 2 in each tank | 0 - 14 ft. H2O | +/-1 | B
Decay heat pump suction temp. | A, ANN. | 1 in each loop | 0 - 400°F | +/-1 | B
Decay heat cooler outlet temp. | A, ANN. | 1 in each loop | 0 - 400°F | +/-1 | B
HPI system pump and valve status ** | C, F | 1 in each loop | -- | -- | B, D
LPI system pump and valve status ** | C, F | 1 in each loop | -- | -- | B, D
Containment spray pump and valve status ** | C, F | 1 in each loop (valves, 2 in each loop) | -- | | B, D
Core flood valve status ** | C, F, ANN. | 1 in each loop | -- | -- | B, D
BWST valve status ** | C, F | 1 in each loop | -- | -- | B, D
Containment emergency sump valve status ** | C, F ANN. | 1 in each valve | -- | -- | B, D
Containment air recirculation fan status | C, F | 1 in each loop | -- | -- | B, D
Containment air cooling fan status ** | C, F | 1 in each loop | -- | -- | B, D
Emergency ventilation system fan and damper status ** | C, F | 1 in each loop | -- | -- | B, D
MSIV status | C | 1 in each loop | -- | -- | B
Core Tilt/ imbalance | A, F ANN. | 4 | -- | +/- 1% | B, D

Legends:

Type of Readout
A - Linear scale indicator
B - Log scale indicator
C - Indicator light
D - Digital indicator
E - Recorder
F - Station computer output and/or SPDS output (this output non-Class 1E)
ANN. - Audiovisual indication (non-Class 1E)

Indicator Location
A - System cabinets
B - Main control boards
C - Auxiliary panel
D - Station computer printout

Notes:

* Two or more signals are combined to produce the indicated parameter
** Indications are required surveillance equipment on safety systems for safe shutdown and/or post-accident monitoring and utilize the design criteria listed in Subsection 7.5.2.1 (Readout types A, D, and C only).
# Post-accident monitoring by redundant essential sensors.

7.5-5 to 7.5-9 UFSAR Rev 32 9/2018

7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY

7.6.1 Description

The following control systems are provided for station safety in addition to the Reactor Protection System and Safety Features Actuation System previously discussed in Sections 7.2 and 7.3. These controls are used to prevent overpressurization of low pressure systems, prohibit possible malfunctions in safety equipment, or to enable safety equipment to perform as designed.

7.6.1.1 Normal Decay Heat Removal Valve Control System

7.6.1.1.1 Design Bases

The design bases of the Normal Decay Heat Removal Valve Control System (in accordance with IEEE Standard 279-1971) are listed below:

1. Generating station conditions which require protective action:

RC system pressure above the design pressure of the decay heat removal system.

2. Generating station variables that are required to be monitored in order to provide protective action:

RC system pressure

3. Minimum number and location of sensors required to monitor adequately, for protective function purposes, those variables that have spatial dependence and diversity:

One RC pressure switch located on RC loop one (1) is utilized to operate one isolation valve. The RC wide range pressure transmitter on RC loop two (2) is utilized to operate the other, redundant, isolation valve.

4. Prudent operational limits for each variable in each operation:

The normal operational limit of the Decay Heat Removal System is 30-260 psig.

5. Margin between each operational limit and level marking onset of unsafe conditions:

The Decay Heat Removal System is normally initiated when RC pressure is below 270 psig. The lowest design pressure rating of the Decay Heat Removal System piping is 300 psig. This provides a margin of 30 psi between the normal operational limit of 270 psig and the 300 psig design pressure rating.

6. The level that when reached will require protective action:

The normal decay heat removal valves will require closure when the reactor coolant pressure reaches the pressure stated in Subsection 7.6.1.1.2.


7. Range of transient and steady-state conditions of the energy supply and the environment during normal, abnormal and accident circumstances throughout which the system must perform:

The range of the environment of the valves, pressure transmitter, and pressure switch varies from normal conditions of 40% relative humidity, atmospheric pressure and 120°F to 100% relative humidity, 38 psig and up to 284°F. The essential power supply is discussed in Chapter 8.

8. The malfunctions, accidents or other unusual events which could physically damage protection system components for which provisions must be incorporated to retain necessary protection system action:

The normal decay heat removal valve control system is designed to withstand physical damage or loss of function caused by earthquakes and missiles. The control system is also located in a building area designed to protect the equipment from flood, lightning and wind. In addition, 480V AC power is removed from DH-11 and DH-12 when the valves are closed and the plant is in Mode 1, 2 or 3 to prevent inadvertent opening in case of fire. Control power is removed from DH-11 and DH-12 when the Decay Heat Removal system is in operation to prevent inadvertent closure during cooldown. This protects the suction of the Decay Heat Pumps.

9. Minimum performance requirements including system response times, system accuracies, ranges of the magnitudes and rates of change of sensed variables to be accommodated until proper conclusion of the protection system action:

The response and accuracy of the signal comparator are discussed in Section 7.3. The valves and process instruments are capable of withstanding normal operating reactor coolant pressure of 2155 psig, transient operations causing pressure to go as high as 2350 psig, and anticipated accident pressure transient of 2500 psig.

7.6.1.1.2 System Description

The design of the Decay Heat Removal system includes controls on each of the high-pressure motor operated valves in the suction line from the RC system. These independent and diverse controls are designed to prevent the valves from being opened when the RCS pressure is above the design pressure of the Decay Heat Removal System. DH-11 cannot be opened until RCS pressure decreases below approximately 251 psig (referenced to RCS pressure tap at elevation 633) or approximately 281 psig referenced to the center line of the valve (elevation 599 9). DH-12 cannot be opened until RCS pressure decreases below approximately 266 psig at the RCS pressure tap or approximately 296 psig at the centerline of the valve. The interlocks will also cause an automatic close signal to the valves when the interlocks reset on increasing RCS pressure. The setpoints of the resets are not significant. PSV-4849, the relief valve in the suction line, will terminate any overpressurization transient once the suction line valves have been opened.

In addition, interlocks are provided which trip the pressurizer heaters if the primary system reaches approximately 301 psig at the RCS pressure taps (elevation 633) and one or both of the suction line valves are not fully closed. However, as noted above, the relief valve in the Decay Heat suction line should prevent RCS pressure from reaching this setpoint unless one of the suction line valves is closed. The allowable value for the automatic closure on DH-11 and DH-12 is < 328 psig (referenced to the RCS pressure instrument tap) which is 34.8 psi higher than the setpoint of the decay heat removal suction line relief valve referenced to the same elevation.

Control power is removed from DH-11 and DH-12 when the Decay Heat Removal system is in operation to prevent inadvertent closure during cooldown. This protects the suction of the Decay Heat pumps. Power is removed from DH-11 and DH-12 after they are closed and the plant is in MODE 1, 2, or 3. This prevents inadvertent opening during plant operation, particularly in the case of fire. Power is only restored to the valves after RCS pressure has been reduced to below the interlock setpoint during cooldown.

The pressure interlock signal to DH-12 is derived from an RC pressure switch located in RC loop one (1). The interlock signal to DH-11 is derived from a signal comparator located in the SFAS cabinet. The signal comparator receives its RC pressure signal from the RC loop two (2) wide range RC pressure transmitter that supplies the signal to the SFAS. By using two different devices to sense RC pressure and provide the interlock signals, diversity is achieved in the system.

The decay heat valve interlocks do not have a manual bypass. Remote manual operation is prevented as long as the RC pressure is above the setpoint of the signal comparator and the pressure switch. Procedural guidance for overriding the interlocks has been provided if they interfere with a normal, controlled cooldown.

The pressurizer heater trip interlock signals are derived from the signal comparators located in the SFAS cabinets.
The signal comparators receive their reactor coolant pressure signal from the RC loop 1 or 2 wide range pressure transmitter that supplies the signal for the corresponding SFAS cabinet. The pressurizer heater trip interlocks are provided by means of relay logic on redundant essential relay cabinets. A separate output relay is provided for the essentially powered pressurizer heater control circuits and the non-essentially powered pressurizer heater control circuits, in each redundant trip interlock logic. A contact from the same signal comparator in the SFAS that provides the RC pressure closing signal to one DH valve is used in one trip interlock logic to indicate RC pressure above 301 psig at the RCS pressure instrument tap. A similar signal comparator is provided in a redundant SFAS channel for the other trip interlock logic. To provide each redundant trip interlock logic with a limit switch contact indicating that either valve is not fully closed, a stem-mounted limit switch is provided on both DH-11 and DH-12. Each stem-mounted switch is redundant to the limit switch provided in the motor operator. Thus all the necessary wiring into the trip interlock logic is completely separate and independent.

Valves DH-11 and DH-12 are ensured to be closed prior to raising RCS pressure as described above and they are also inside the CV. Therefore, the valves are not controlled by SFAS.

7.6.1.1.3 Supporting Systems

The normal decay heat removal valve control system obtains control power from the essential power supply (Chapter 8).
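The DH-11 and DH-12 pressure interlocks described in Subsection 7.6.1.1.2, as an added Python model that is not part of the UFSAR or of any plant software: it ramps RCS pressure with both suction valves open and checks that a single sensing-channel failure still leaves one valve closing below the 328 psig allowable value. The 10 psi reset deadband, the stuck-low fault value and the shared-sensor counter-design are constructed assumptions, since the page gives no reset setpoints.

```python
"""Added illustration (not plant software): DH-11 / DH-12 pressure interlocks."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# From Subsection 7.6.1.1.2, psig referenced to the RCS pressure tap.
DH11_OPEN_PERMISSIVE = 251.0   # signal comparator fed by the RC loop 2 transmitter
DH12_OPEN_PERMISSIVE = 266.0   # pressure switch on RC loop 1
AUTO_CLOSE_ALLOWABLE = 328.0   # allowable value for automatic closure
# ASSUMPTION (constructed): no reset setpoints are given, so a 10 psi deadband is used.
RESET_DEADBAND = 10.0
STUCK_LOW_PSIG = 200.0         # constructed fault: sensed pressure frozen low


@dataclass
class Channel:
    """One sensing device with its bistable (pressure switch or signal comparator)."""
    name: str
    setpoint: float
    stuck_at: Optional[float] = None   # injected fault, None means healthy
    permissive: bool = True            # True while pressure is seen as below setpoint

    def update(self, true_psig: float) -> bool:
        sensed = true_psig if self.stuck_at is None else self.stuck_at
        if self.permissive and sensed >= self.setpoint + RESET_DEADBAND:
            self.permissive = False    # interlock resets on increasing pressure
        elif not self.permissive and sensed < self.setpoint:
            self.permissive = True     # open permissive returns on decreasing pressure
        return self.permissive


@dataclass
class Valve:
    tag: str
    channel: Channel
    is_open: bool = False

    def step(self, true_psig: float, open_demand: bool = False) -> bool:
        if not self.channel.update(true_psig):
            self.is_open = False       # automatic close; remote manual open is blocked
        elif open_demand:
            self.is_open = True
        return self.is_open


def diverse_design() -> List[Valve]:
    """Arrangement on the page: a different device on a different loop per valve."""
    return [Valve("DH-11", Channel("loop2-comparator", DH11_OPEN_PERMISSIVE)),
            Valve("DH-12", Channel("loop1-switch", DH12_OPEN_PERMISSIVE))]


def shared_sensor_design() -> List[Valve]:
    """Hypothetical counter-example (NOT the plant design): one device drives both valves."""
    shared = Channel("shared-sensor", DH11_OPEN_PERMISSIVE)
    return [Valve("DH-11", shared), Valve("DH-12", shared)]


def isolation_pressure(valves: List[Valve], fault: Optional[str] = None) -> Optional[float]:
    """Ramp 200 -> 330 psig with both valves open; return the pressure at which the
    suction line is first isolated (any valve closed), or None if it never is."""
    for v in valves:
        v.is_open = True
        if v.channel.name == fault:
            v.channel.stuck_at = STUCK_LOW_PSIG
    for psig in range(200, 331):
        states = [v.step(float(psig)) for v in valves]
        if not all(states):
            return float(psig)
    return None


def single_failure_analysis(design: Callable[[], List[Valve]]) -> Dict[str, Optional[float]]:
    """Isolation pressure with no fault and with each sensing channel stuck low in turn."""
    results = {"no fault": isolation_pressure(design())}
    for name in sorted({v.channel.name for v in design()}):
        results[f"{name} stuck low"] = isolation_pressure(design(), fault=name)
    return results


if __name__ == "__main__":
    for label, design in (("diverse", diverse_design), ("shared sensor", shared_sensor_design)):
        for case, psig in single_failure_analysis(design).items():
            ok = psig is not None and psig < AUTO_CLOSE_ALLOWABLE
            print(f"{label:14s} {case:28s} isolated at {psig} psig -> {'OK' if ok else 'NOT ISOLATED'}")
```
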

7.6.1.1.4 Portion of System Not Required for Safety

The alarms to the station annunciator and station computer are not required for safety.

7.6.1.1.5 Drawings

Electrical schematic diagrams of the normal decay heat removal valve control system are shown in Figures 7.6-1, 7.6-2, 7.6-3, and 7.6-4.

7.6.1.2 Core Flooding Tank Isolation Valve Control System

A control system is provided to open the core flooding tanks injection isolation valves and prevent their closing when the RC pressure rises above a preset level. A complete description of the control system is given in Subsection 6.3.2.15.

7.6.1.3 Containment Spray Pump Anti-Cavitation Control System

7.6.1.3.1 Design Basis

The design bases of the Containment Spray pump anti-cavitation control system (in accordance with IEEE Standard 279-1971) are listed below.

1. Generating station conditions which require protective action:

The station condition which requires action is a safety features mode of operation and suction required from the CV Emergency Sump.

2. Range of transient and steady-state conditions of the energy supply and the environment during normal, abnormal, and accident circumstances throughout which the system must perform:

The valve actuators are designed for temperatures of 60 to 120°F, 40 to 100% relative humidity and atmospheric pressure. The essential power supply is discussed in Chapter 8.

3. The malfunctions, accidents or other unusual events which could physically damage protection system components for which provisions must be incorporated to retain necessary protection system action:

The Containment Spray pump anti-cavitation control system is designed to withstand physical damage or loss of function caused by earthquakes and located to prevent missile damage. The control system is also located in a building area designed to protect the equipment from flood, lightning and wind.

4. Minimum performance requirements including system response times, system accuracies, ranges of the magnitudes and rates of change of sensed variables to be accommodated until proper conclusion of the protection system action:

The valves fully stroke in less than 35 seconds.

7.6.1.3.2 System Description

Controls are provided to automatically throttle the Containment Spray pumps discharge isolation valves when the pumps take suction from the CV Emergency Sump to prevent cavitation of the pumps due to lower NPSH from the CV Emergency Sump. When 2-out-of-4 level sensors on the BWST sense low tank level, a permissive signal is provided to allow the manual opening of the CV Emergency Sump valves after blocking the SFAS incident level 2. The BWST outlet valve closes and the spray discharge valves throttle down when the sump valves open. The spray discharge valves are part of the CV cooling systems and are controlled by the SFAS, which opens the valves during initial Engineered Safety Features operation. Manual control of the valves is available from the Safety Features Actuation panel in the main control room.

7.6.1.3.3 Supporting Systems

The Containment Spray pump anti-cavitation Control system receives control power from the essential power supply (Chapter 8) and control signals from the SFAS (Section 7.3).

7.6.1.3.4 Portions of System not Required for Safety

Alarms to the station annunciator and station computer are not required for safety.

7.6.1.4 Deleted

7.6.2 Analysis

7.6.2.1 Normal Decay Heat Removal Valve Control System

7.6.2.1.1 IEEE Standards

1. IEEE Standard 279-1971 The Normal Decay Heat Removal Valve Control System is designed to meet the intent of IEEE Standard 279-1971. The control circuits are designed such that any single failure will not prevent proper protective action (normal decay heat removal valve closure) when required. This is accomplished by using two completely redundant control systems, one for each normal decay heat removal valve. Each redundant control system receives control power from a separate essential supply.

In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between control channels. Sections 4.11 through 4.15 of IEEE Standard 279-1971 are not considered applicable to this control system.

2. IEEE Standard 338-1971 The Normal Decay Heat Removal Valve Control System includes provisions to permit testing the valves sequentially during normal station shutdown. No means to bypass the controls on these valves is provided.

7.6.2.1.2 AEC General Design Criteria

1. General Design Criterion 1 The control system utilizes high quality components manufactured and tested in compliance with quality control procedures. The QA program is described in Chapter 17.
2. General Design Criterion 2 The control system is designed to withstand damage or loss of function from earthquakes and is located in a building designed to protect the system from wind, flood and lightning.
3. General Design Criterion 3 The control system is designed and constructed of materials to prevent propagation of fire.
4. General Design Criterion 4 The control system is designed and located to prohibit damage or loss of function from missiles. Loss of both valve control systems, either of which serves to prevent overpressurizing the decay heat removal system, is considered incredible.
5. General Design Criterion 13 Instrumentation to monitor the RCS pressure and the status of the normal decay heat removal valves is available in the main control room. Independent control for each valve is also available in the main control room for routine testing and manual operation (prior to the automatic closure control).
6. General Design Criterion 20 The SFAS has been designed to automatically close the normal decay heat removal valves when the RC pressure exceeds the pressure stated in Subsection 7.6.1.1.2.
7. General Design Criterion 21 The Normal Decay Heat Removal Valve Control System has been designed for high functional reliability commensurate with the safety functions to be performed.

The redundancy and independence designed into the protection system are sufficient to ensure that no single failure results in loss of the protection function and that removal from service of any component or channel does not result in loss of the required minimum redundancy.

8. General Design Criterion 22 The Normal Decay Heat Removal Valve Control System has been designed to ensure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions do not result in loss of the protection function. Diverse principles of operation in the form of manual as well as automatic control have been used to prevent loss of the protection function.
9. General Design Criterion 23 The Normal Decay Heat Removal Valve Control System will fail into a state considered acceptable since failure of the signal to close one valve will not prevent an independent signal from closing the other valve. One closed valve is sufficient to ensure that the DH system will not be subjected to pressure in excess of design conditions.
10. General Design Criterion 24 The automatic control system has been separated from the manual control system, to the extent that failure of any single manual control system component or channel, or failure or removal from service of any single automatic control system component or channel that is common to the manual and automatic control systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the automatic and manual control systems has been limited to ensure that safety is not significantly impaired.

7.6.2.1.3 AEC Safety Guide 29

The Normal Decay Heat Removal Valve Control System is designed to withstand the effects of an earthquake without loss of function or physical damage. The control system is classified Seismic Class I in accordance with the guide.

7.6.2.2 Core Flooding Tank Isolation Valve Control System

7.6.2.2.1 IEEE Standards

1. IEEE Standard 279-1971 The Core Flooding Tank Isolation Valve Control System is designed to meet the intent of IEEE Standard 279-1971. The control circuits are designed such that any single failure will not prevent proper protective action (Core Flooding Tank isolation valve opening) when required. Both Core Flooding Tank isolation valves shall be full open before the reactor can go critical. This is accomplished by using two completely redundant control systems, one for each core flooding tank isolation valve. Each redundant control system receives control power from a separate essential supply. In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between control channels. After the Core Flooding Tank isolation valves are fully open, the breaker of the combination line starter of each isolation valve will be manually tripped open and padlocked. The keys will be under administrative control. Sections 4.11 through 4.15 of IEEE Standard 279-1971 are not considered applicable to this control system.

2. IEEE Standard 338-1971 The Core Flooding Tank isolation valve control system includes provisions to permit testing the valves during refueling. No means to bypass these valves is provided.

7.6.2.2.2 AEC General Design Criteria

1. General Design Criterion 1 The control system utilizes high quality components manufactured and tested in compliance with quality control procedures. The QA program is described in Chapter 17.
2. General Design Criterion 2 The control system is designed to withstand damage or loss of function from earthquakes and is located in a building designed to protect the system from wind, flood, and lightning.
3. General Design Criterion 3 The control system is designed and constructed of materials to prevent propagation of fire.
4. General Design Criterion 4 The control system is designed and located to prohibit damage or loss of function from missiles.
5. General Design Criterion 13 Instrumentation to monitor the status of the Core Flooding Tank isolation valves and the RC system pressure is available in the main control room. Independent control for each valve is also available in the main control room (prior to automatic opening).
6. General Design Criterion 20 The SFAS has been designed to automatically open the Core Flooding Tank isolation valves before the RC pressure exceeds 800 psig, to ensure that specified fuel design limits cannot be exceeded as a result of anticipated operational occurrences.


7. General Design Criterion 22 The Core Flooding Tank isolation valve control system has been designed to ensure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions do not result in loss of the protection function. Diverse principles of operation in the form of manual as well as automatic control have been used to prevent loss of the protection function.

7.6.2.2.3 AEC Safety Guides 22 and 29

1. Safety Guide 22 The Core Flooding Tank isolation valve control system can be tested periodically during refueling.
2. Safety Guide 29 The Core Flooding Tank Isolation Valve Control System is designed to withstand the effects of an earthquake without loss of function or physical damage. The control system is classified Seismic Class I in accordance with the guide.

7.6.2.3 Containment Spray Pump Anti-Cavitation Control System

7.6.2.3.1 IEEE Standards

1. IEEE Standard 279-1971 The Containment Spray Pump Anti-Cavitation Control System is designed to meet the intent of IEEE Standard 279-1971. The control circuits are designed such that any single failure will not prevent proper protective action (spray isolation valve throttling) when required. This is accomplished by using two completely redundant control systems, one for each containment spray isolation valve. Each redundant control system receives control power from a separate essential supply. In order to prevent interaction between the redundant systems, the control channels are wired independently and separated with no electrical connections between control channels.

Sections 4.11 through 4.15 of IEEE Standard 279-1971 are not considered applicable to this control system.

2. IEEE Standard 338-1971 The Containment Spray Pump Anti-Cavitation Control System includes provisions to permit testing the valves sequentially during normal station operation. Testing will be done in such a manner as not to inject spray into the CV or to jeopardize station safety.

7.6.2.3.2 AEC General Design Criteria

1. General Design Criterion 1 The control system utilizes high quality components manufactured and tested in compliance with quality control procedures. The QA program is discussed in Chapter 17.
2. General Design Criterion 2 The control system is designed to withstand damage or loss of function from earthquakes and is located in a building designed to protect the system from wind, flood and lightning.
3. General Design Criterion 3 The control system is designed and constructed of materials to prevent propagation of fire.
4. General Design Criterion 4 The control system is designed and located to prohibit damage or loss of function from missiles. Loss of both Containment Spray Systems, either of which is adequate for safety, is considered incredible.
5. General Design Criterion 13 Instrumentation to monitor the status of the Containment Spray isolation valves and the CV Emergency Sump valves is available in the main control room.

Independent control for each spray system including valves is available also in the main control room.

6. General Design Criterion 20 The Containment Spray Pump Anti-Cavitation Control System has been designed to automatically throttle the Containment Spray pumps discharge valves when the pumps take suction from the CV Emergency Sump to prevent cavitation and subsequent loss of the pumps due to lower NPSH from the CV Emergency Sump.
7. General Design Criterion 21 The Containment Spray Pump Anti-Cavitation Control System has been designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. The redundancy and independence designed into the protection system are sufficient to ensure that no single failure results in loss of the protection function and that removal from service of any component or channel does not result in loss of the required minimum redundancy. The protection system has been designed to permit periodic testing of its functioning when the reactor is in operation, including the capability to detect any loss of redundancy that may have occurred.


8. General Design Criterion 22 The Containment Spray Pump Anti-Cavitation Control System has been designed to ensure that the effects of natural phenomena and of normal operating, maintenance, testing, and postulated accident conditions do not result in loss of the protection function. Diverse principles of operation in the form of manual as well as automatic control have been used to prevent loss of the protection function.
9. General Design Criterion 23 The Containment Spray Pump Anti-Cavitation Control System, responsible for throttling a Containment Spray pump discharge valve, will fail into a state considered acceptable since failure of the signal to throttle one valve will not prevent an independent signal from throttling the other valve. One pump in conjunction with its throttled discharge valve in addition to one containment air cooler fan will provide sufficient containment atmosphere cooling capability.
10. General Design Criterion 24 The automatic control system has been separated from the manual control system to the extent that failure of any single manual control system component or channel, or failure or removal from service of any single automatic control system component or channel that is common to the manual and automatic control systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the automatic and manual control systems has been limited to ensure that safety is not significantly impaired.

7.6.2.3.3 AEC Safety Guides 22 and 29

1. Safety Guide 22 The Containment Spray Pump Anti-Cavitation Control System can be tested periodically during station operation.
2. Safety Guide 29 The Containment Spray Pump Anti-Cavitation Control System is designed to withstand the effects of an earthquake without loss of function or physical damage.

The control system is classified Seismic Class I in accordance with the guide.

7.6.2.4 Deleted

[Figure 7.6-1: Davis-Besse Nuclear Power Station, Decay Heat Normal Suction Valve, Sheet 1 of 4. Electrical schematic, drawing E-52B Sh. 24A. Revision 27, June 2010.]

[Figure 7.6-2: Davis-Besse Nuclear Power Station, Decay Heat Normal Suction Valve, Sheet 2 of 4. Electrical schematic, drawing E-52B Sh. 24B. Revision 20, December 1996.]

[Figure 7.6-3: Davis-Besse Nuclear Power Station, Decay Heat Normal Suction Valve, Sheet 3 of 4. Electrical schematic, drawing E-52B Sh. 24C. Revision 27, June 2010.]

[Figure: Davis-Besse Nuclear Power Station, Decay Heat Normal Suction Valve, Sheet 4 of 4. Electrical schematic.]
                                                                                                              ~L.. E!.' ~~ 1. .

__.________.,__________________-u~ CD-CDEllB-2 IT

.! l*
                                                                                             * "~-, ~;~-n~~,~
                                                                                             .P_J;Lo~~

C- C5i04 (QS-DHi2) FIGURE 7.6-4

                                                           'CS- lSDHIZA JT- Ji:.;701 PC- PBC20 REVISION 20 DECEteER 1996

Davis-Besse Unit 1 Updated Final Safety Analysis Report

7.7 CONTROL SYSTEMS

7.7.1 Description

7.7.1.1 Non-Nuclear Instrumentation (NNI) Station Control Systems

Instrumentation and control systems, the functions of which are not essential to station safety, are:

1. Automatic RC Pressure Control - The pressurizer heaters are grouped into banks which are energized automatically when the RC pressure drops below setpoint values. The first bank utilizes proportional control through an SCR controller.

During normal steady state operation, this bank varies with RC pressure to compensate for pressurizer spray operation. There is also an Auto plus Base Load position on the number two non-essential heater bank designed to replace ambient heat losses. The remaining banks of pressurizer heaters are automatically controlled by bistable relays in the pressure control instrument, which energize each bank progressively, on decreasing pressure setpoints. Each bank also has manual controls. Pressurizer spray is controlled by a motor operated valve which is opened or shut by a bistable relay in the instrument string monitoring RC pressure. The pilot operated relief valve is controlled by an on-off signal from an electronic pressure switch. The valve is opened when the pressurizer pressure exceeds the high pressure setpoint, and is closed when the pressure is reduced. On a loss of NNI power, the pressurizer heaters, pressurizer spray valve, and PORV will not function in Automatic. They can, however, be controlled manually with their respective hand switches.

2. Automatic Pressurizer Level Control - The pressurizer level signal for level control is manually selected from one of three differential pressure transmitters and is temperature compensated. This level signal is recorded, used for high and low alarms, interlocks to prevent energizing pressurizer heaters in automatic with a low pressurizer level, and supplies a level control signal. The level controller automatically positions the makeup control valve in the Makeup and Purification System (see Chapter 9) to maintain a preset pressurizer level selected by the operator in the control room.
3. Makeup System Feed and Bleed Control - The batch controller is used to add a preset amount of borated water to the RC system (refer to Subsection 7.7.1.2.6).

The batch controller receives an electrical signal from the borated water feed flow transmitter. The batch controller automatically closes the feed control valve when the batch sizer shutdown point is reached. The batch size is adjustable. The feed control valve can be manually controlled. On a loss of NNI power, the valves require local, manual control.

7.7-1 UFSAR Rev 31 10/2016

7.7.1.1.1 Comparison of NNI Control Systems with Those of Another Station

The initial design of the NNI control systems for the Davis-Besse Nuclear Power Station was essentially the same as that for the Sacramento Municipal Utility District, Rancho Seco station.

7.7.1.1.2 Major Design Criteria

Refer to Section 7.12.

7.7.1.2 Integrated Control System (ICS)

The ICS provides the proper coordination of the reactor, steam generator feedwater control, and turbine under all operating conditions. Proper coordination consists of producing the best load response to the unit load demand while recognizing the capabilities and limitations of the reactor, steam generator feedwater system, and turbine. When any single portion of the station is at an operating limit or a control section is on manual, the integrated control system uses the limited or manual section as a load reference. The ICS maintains the control consistent with current operating conditions of the unit by operation in the following modes:

1. Integrated reactor-steam generator-turbine mode for normal conditions.
2. Turbine following mode if the capabilities of the reactor or steam generator feedwater systems are limited.
3. Reactor-steam generator following mode if the capability of the turbine-generator system is limited.

The ICS maintains constant average RC temperature between low level limits and 100% rated power and constant steam pressure at all loads. Optimum unit performance is maintained by limiting steam pressure variations; by limiting the unbalance between the steam generator, turbine, and the reactor; and by limiting the total unit load demand upon loss of capability of the steam generator feed system, the reactor, or the turbine generator. The control system provides limiting actions to assure proper relationships between the generated load, turbine valves, feedwater flow, and reactor power. The normal response of the RC system and the feedwater system to increasing and decreasing power transients is limited by the ICS.

The combined actions of the control system and the turbine bypass to the condenser permit a 40% load rejection without code safety valve operation. The combined actions of the control system, the turbine bypass to the condenser and the code safety valves are designed to permit a 100% load rejection without reactor trip. A reactor trip may occur on a loss of load at high power due to the addition of the Anticipatory Reactor Trip System (ARTS) and the raising of the Pilot Operated Relief Valve (PORV) setpoint. See Section 15.2.7.3.

Table 7.7-2 lists all of the functions of the ICS and the applicable subsystem which accomplishes the action. These functions increase station reliability but are not required for safe operation of the station. As explained in Chapter 15, the safety analysis assumes no credit for any ICS function which might be available to prevent or mitigate the consequences of an accident.

7.7.1.2.1 General Description

The ICS includes four independent subsystems as shown in Figure 7.7-1: (1) The Unit Load Demand Control, (2) the Integrated Master Control, (3) the Steam Generator Control and (4) the Reactor Control. The system philosophy is that control of the station is achieved through feedforward control from the unit load demand control. The Unit Load Demand Control produces demands for parallel control of the turbine, reactor, and steam generator feedwater system through respective subsystems. The boron feed and bleed controller, a subsystem of the reactor control, exercises permissive control of continuous feed and bleed operation of the makeup and purification system. The Integrated Master Control is capable of automatic or manual turbine load to full output, and of manual control below minimum turbine load. The steam generator control is capable of automatic or manual feedwater control from startup to full power output. The reactor control is designed for automatic or manual operation above the low level limit, and for manual operation below the low level limit.

The basic function of the ICS is matching megawatt generation to unit load demand. The ICS does this by coordinating the steam demand required by the turbine with the rate of steam generation. To accomplish this efficiently, the following basic reactor/steam-generator requirements are satisfied:

1. Feedwater flow to the steam generators is normally balanced as required to obtain desired steam conditions. Feedwater flow to the steam generators may be ratioed provided the flowrate to each steam generator is less than the limit to preclude flow induced vibrations of the steam generator tubes or the design limit, whichever is more restrictive. A cycle specific evaluation must be completed to evaluate the flowrate limit prior to ratioing the feedwater flow to each steam generator.
2. Feedwater flow is controlled:
a. To compensate for changes in fluid and energy inventory requirements at each power level.
b. To compensate for temporary deviations in feedwater temperature resulting from load change, feedwater heating system upsets or final steam pressure changes.

7.7.1.2.2 Unit Load Demand Control

The Unit Load Demand (ULD) is designed to accomplish two objectives related to the operation of the station. First, the ULD permits the operator to manually establish power output of the station and allows for automatic operation of the unit at the specified setting; and secondly, the ULD initiates load limiting and runback functions to restrict operation within prescribed limits. Figure 7.7-2 illustrates the functions incorporated in the subsystem.

In manual operation, the ULD obtains a load demand signal from the operator. In automatic operation, the ULD obtains a Core Thermal Power (CTP) demand signal from the operator. The demand is compared against the ULD calculated CTP, and the error is processed by Proportional-Integral (PI) control, which provides the load demand. The load demand is restrained by a maximum load limiter, a minimum load limiter, and a rate limiter. Rate limiting is designed as a function of load, so normal transients are limited as shown below:

1. Loss of any number of RC pumps; runback at 20% per minute to the power corresponding to the remaining pumping capability.
2. Deleted
3. Loss of one main feedwater pump; runback at 20% per minute to within the remaining pump capability.
4. Low deaerator level; runback at 20% per minute to 55% of rated thermal power.
5. High main feed pump discharge pressure; runback at 20% per minute to 60% of rated thermal power.
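The limiter and runback behaviour listed above can be sketched as follows. This is an added example, not code from the UFSAR or the plant: the class and function names, the constant normal rate limit (the text says rate limiting is a function of load), the default limiter settings, and holding the demand at or below the target while a condition persists are all assumptions made for illustration.

```python
from dataclasses import dataclass

RUNBACK_RATE = 20.0  # % per minute, the rate given for every runback listed above

# Fixed runback targets stated in the list above, in % of rated thermal power.
FIXED_RUNBACK_TARGETS = {
    "low_deaerator_level": 55.0,
    "high_mfp_discharge_pressure": 60.0,
}


@dataclass
class LoadDemandLimiter:
    demand: float               # current limited load demand, %
    max_load: float = 100.0     # maximum load limiter (constructed setting)
    min_load: float = 15.0      # minimum load limiter (constructed setting)
    normal_rate: float = 5.0    # %/min for normal load changes (assumed constant)

    def runback_target(self, conditions, remaining_capability=None):
        """Lowest target demanded by the active runback conditions, or None.

        remaining_capability covers the RC pump and main feedwater pump
        runbacks, for which the text gives no fixed number.
        """
        targets = [FIXED_RUNBACK_TARGETS[c] for c in conditions]
        if remaining_capability is not None:
            targets.append(remaining_capability)
        return min(targets) if targets else None

    def step(self, requested, dt_min, conditions=(), remaining_capability=None):
        """Advance the limited demand by dt_min minutes and return it."""
        target = self.runback_target(conditions, remaining_capability)
        if target is not None and self.demand > target:
            # Runback: drive toward the target at the fixed runback rate.
            goal, rate = target, RUNBACK_RATE
        else:
            goal, rate = requested, self.normal_rate
            if target is not None:
                # Assumption: demand may not rise above the target while
                # the limiting condition is still present.
                goal = min(goal, target)
        goal = min(self.max_load, max(self.min_load, goal))
        max_move = rate * dt_min
        self.demand += max(-max_move, min(max_move, goal - self.demand))
        return self.demand


def simulate(limiter, requested, steps, dt_min, **kwargs):
    """Return the limited demand after each of `steps` equal time steps."""
    return [limiter.step(requested, dt_min, **kwargs) for _ in range(steps)]


if __name__ == "__main__":
    lim = LoadDemandLimiter(demand=100.0)
    trace = simulate(lim, 100.0, 12, 0.25, conditions=("low_deaerator_level",))
    print(trace)
```
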

The controlling subsystems of the ICS (turbine control, steam generator feedwater control and reactor control) normally operate in the automatic mode in response to a demand signal from the ULD. The subsystems' control function is kept within pre-established bounds under other than normal automatic operation by a load tracking mode. The system will switch to the load tracking mode if any of the conditions listed in Table 7.7-2, Item 2, exist. In the load tracking mode, the load demand is made to follow the manual or limited control subsystem by using the actual generator output as the demand input to the ULD. Load tracking continues until the limiting condition is brought back to within the pre-established deadband or the subsystem is returned to automatic operation. The output of the limiter is a megawatt demand signal which is forwarded to the integrated master control subsystem.

7.7.1.2.3 Integrated Master Control

The Integrated Master Control has been designed to receive the megawatt demand signal from the Unit Load Demand subsystem and convert this signal into a demand for the feedwater, turbine, and reactor control. A functional diagram of the Integrated Master Control is shown in Figure 7.7-3.

For turbine control, the megawatt demand is compared with the generator megawatt output, and the resulting megawatt error signal is used to change the steam pressure setpoint. The turbine valves then change position to control steam pressure. As the megawatt error reduces to zero, the steam pressure setpoint is returned to the steady state value. By limiting the effect of megawatt error on the steam pressure set point, the system can adjust steam pressure to achieve the desired rate of turbine response to megawatt demand.

The megawatt demand is also utilized as the feedforward demand to the steam generator and reactor while operating in the integrated control mode. This demand is compensated by deviations in the steam header pressure from its setpoint. The pressure error increases the steam generator and reactor demands if the pressure is low. It decreases the steam generator and reactor demands if the pressure is high. The control signal to the steam generator subsystem is feedwater demand and the control signal to the reactor is megawatt demand.

The Turbine Bypass System operates from the main steam header pressure error or individual steam generator pressures as an overpressure relief for the turbine header. The Turbine Bypass System will bypass 25% of steam flow to the condenser or vent 10% of steam flow to the atmosphere via atmospheric vent valves. Normal bypass is to the condenser for startup, shutdown, or load changes. The bypass control prevents operation of the turbine bypass valves when the condenser is not available and switches the control to the atmospheric vent valves.

7.7.1.2.4 Steam Generator Control

Control of the steam generator is based on matching feedwater flow to the feedwater demand produced in the Integrated Master Control. Figure 7.7-4 illustrates the steam generator feedwater controls. The basic control actions for parallel steam generator operation are as follows:

1. Unit load demand, modified by megawatt error and turbine header pressure error, is converted to a total feedwater demand.
2. Total feedwater flow demand is split into feedwater flow demand for each steam generator.
3. Feedwater demand is compared to feedwater flow for each steam generator. The resulting error signals position the feedwater flow control system to match feedwater flow to feedwater demand for each steam generator.

For operation below the low level limit, the Steam Generator Control System acts to maintain a preset minimum downcomer water level in the steam generator. The conversion to level control is automatic and is introduced into the feedwater control train through an auctioneer. At electrical loads below the low level limit turbine bypass valves will operate to control steam pressure rise. The steam generator control also provides ratio, limit, and runback actions as shown in Figure 7.7-4 which include:

1. Steam Generator Load Ratio Control - Under normal conditions the steam generators will each produce one-half of the total load. Steam generator load ratio control is provided to balance RC inlet temperature during operation with unbalanced RC loop flow to minimize undesirable core power distribution.
2. High Level Limits - A maximum water level limit prevents flooding of the steam generator aspirating ports.
3. A low level limit is provided to ensure a minimum water level in the downcomer section.
4. RC Flow Limits - Upon transition from 4 to 3 RCP operation, primary flow rates begin to shift towards 104% in the primary loop with two operating RCPs, and towards 46% flow in the loop with one RCP. The FW ratio circuits will immediately ratio feedwater demands based on the difference in measured RC flows.


5. Deleted
6. Feedwater demand is cross limited to the reactor neutron error. If the neutron error is outside a (-5% to +10%) deadband, the feedwater demand is modified to more closely follow neutron flux.
7. Deleted
8. Deleted
9. Feedwater Valve Control - Valve position demand for each steam generator is applied to both the startup and the main feedwater valves, through control stations.

These valves are sequenced into operation so that the startup valve opens first (from zero to 15% load) followed by the main feedwater valve.

10. Main Feedpump Control - Main feedpump speed is controlled to maintain a constant differential pressure drop across the feedwater valves.

7.7.1.2.5 Reactor Control

The ICS Reactor Control is designed to maintain a constant average RC temperature over the load range from the low level limit to 100% of rated power. The average RC temperature decreases over the range from approximately 28% to zero load. Figure 5.5-6 shows the RC and steam temperatures over the entire load range.

The ICS Reactor Control consists of analog computing equipment with inputs of megawatt demand, core power, and RC average temperature. The output of the controller is an error signal that causes the control rod drive to be positioned until the error signal is within a deadband. A block diagram of the reactor control is shown on Figure 7.7-6. First, reactor power demand (Nd) is computed as a function of the megawatt demand (MWd) and the RC system average temperature deviation (T) from the setpoint, according to the following equation: 1 N d K 1 MWd K 2 T T dt . Megawatt demand is introduced as a part of the demand signal through a proportional unit having an adjustable gain factor (K1). The temperature deviation is introduced as a part of the demand signal after proportional plus reset (integral) action is applied. For the temperature deviation, (K2) is the adjustable gain and is the adjustable integration factor.

The reactor power level demand (Nd) is then compared with the reactor power level (Ni), which is derived from the nuclear instrumentation. The resultant error signal, (Nd - Ni) is the reactor power level error signal (En). When the reactor power level error signal (En) exceeds the deadband settings, the CRDCS receives commands that withdraw or insert control rods depending upon the polarity of the power error signal.

The following additional features are provided with the reactor power controller:

1. A high limit on reactor power level demand (Nd).
2. A low limit on reactor power level demand (Nd).
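The reactor power demand computation, its high and low limits, and the deadband on the power error can be sketched as below. This is an added example, not code from the UFSAR or the plant. It assumes the demand has the form Nd = K1*MWd + K2*(T + (1/tau) * integral of T dt), which is how the prose describes it (proportional gain K1 on megawatt demand, proportional plus reset action with gain K2 on the temperature deviation); the name `tau` for the integration factor, the sign convention for T, the symmetric deadband, and all numeric settings are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ReactorDemandController:
    k1: float         # gain on megawatt demand (K1 in the text)
    k2: float         # gain on temperature deviation (K2 in the text)
    tau: float        # integration (reset) factor; the name is an assumption
    nd_low: float     # low limit on reactor power level demand Nd
    nd_high: float    # high limit on reactor power level demand Nd
    deadband: float   # half-width of the deadband on En (assumed symmetric)
    integral: float = 0.0   # running integral of the temperature deviation

    def demand(self, mwd, t_dev, dt):
        """Return the limited reactor power demand Nd for one time step.

        t_dev is the average temperature deviation from setpoint, taken
        here as setpoint minus measured (assumption) so that a low
        temperature raises the demand.
        """
        self.integral += t_dev * dt
        nd = self.k1 * mwd + self.k2 * (t_dev + self.integral / self.tau)
        return min(self.nd_high, max(self.nd_low, nd))

    def rod_command(self, nd, ni):
        """Map the power error En = Nd - Ni to a command for the CRDCS."""
        en = nd - ni
        if en > self.deadband:
            return "WITHDRAW"   # demand exceeds measured power
        if en < -self.deadband:
            return "INSERT"     # measured power exceeds demand
        return "HOLD"           # error inside the deadband: no rod motion


def run(controller, samples, dt):
    """Step the controller over (MWd, T deviation, Ni) samples.

    Returns a list of (Nd, command) tuples, one per sample.
    """
    out = []
    for mwd, t_dev, ni in samples:
        nd = controller.demand(mwd, t_dev, dt)
        out.append((nd, controller.rod_command(nd, ni)))
    return out


if __name__ == "__main__":
    ctl = ReactorDemandController(k1=1.0, k2=2.0, tau=10.0,
                                  nd_low=15.0, nd_high=103.0, deadband=1.0)
    # Constructed samples: (MWd %, temperature deviation, measured power Ni %)
    samples = [(80.0, 0.5, 79.0), (80.0, 0.5, 80.5), (120.0, 0.0, 104.5)]
    for nd, cmd in run(ctl, samples, dt=1.0):
        print(f"Nd={nd:.2f}  command={cmd}")
```
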

The ICS Reactor Control incorporates automatic or manual rod control above the low level limit of rated power and manual ICS reactor control below low level limits. The reactor control subsystem also generates the following interlock signals:

1. A signal to the CRDCS to prevent placing the rod drive controls in the automatic mode if a large error (En) exists in the ICS.
2. A signal to the CRDCS to cause the rod drive controls to revert to the manual mode if power for automatic operation of the ICS is lost.
3. A signal to the CRDCS indicating that reactor power is greater than 60% which is used to generate the Out Inhibit signal.
4. A signal to the RC pump motor controls which prevents starting an idle pump when reactor power is greater than 60%. This pump interlock system, although useful in preventing a cold water accident, is not necessary for reactor protection and does not meet safety feature criteria (Subsection 15.2.6).

7.7.1.2.6 Boron Feed and Bleed Control

The boron feed and bleed controller is made up of digital logic from rod position. The output from the controller is a permissive signal to the Makeup and Purification System to allow continuous feed-and-bleed. The controller allows continuous feed-and-bleed when control rod groups 1, 2, 3 and 4 are 100% withdrawn and control rod group 5 is greater than 25% withdrawn. The controller will terminate feed-and-bleed if any safety group is not 100% withdrawn and/or control rod group 5 is not greater than 25% withdrawn.

7.7.1.2.7 System Failure Considerations

Redundant sensors for major system parameters are available to the ICS. The operator can select any of the redundant sensors from the control room. There are Smart Analog Selector Switches (SASS) designed to monitor for failed parameter signals. The SASS modules monitor:

Feedwater Flow (both loops)
OTSG Pressure (both loops)
Feedwater Temperature
Feedwater Valve Delta P (both loops)
OTSG Operate Level (both loops)
OTSG Startup Level (both loops)
Turbine Throttle Pressure
RC Hot Leg Temperature (both loops)
RC Cold Leg Temperature (both loops)
Loop Delta T Cold
RC Average Temperature
Megawatt Electric

The SASS modules are normally selected to the NNI-X powered instrument and will automatically transfer to the NNI-Y instrument if the X fails. Redundant process inputs are utilized in the Core Thermal Power (CTP) calculation derived in the ULD subsystem of the ICS. The CTP algorithm monitors the input process variables for quality, and selects a redundant input in the event that an out-of-range input is found. Manual reactivity control is available at all power levels. Redundant power supplies are provided in the event of an electric power failure.

7.7.1.2.8 System Limits

Maximum and minimum limits on the reactor power level demand signal (Nd) prevent the automatic reactor controls from initiating undesired power excursions. Maximum and minimum levels on the megawatt demand signal (MWd) prevent the unit load demand controls from initiating undesired power excursions. Cross limiting between the steam generators and the reactor minimizes the effects of undercooling and overcooling transients.

7.7.1.2.9 Modes of Control

The ICS is designed to revert to a load tracking mode of control to tie the unit to the subsystem on manual or to the subsystem being limited. In the track mode, the operator demand for MWe is replaced by the actual electrical generation of the power plant. In startup control mode, the controls are arranged so that the steam system follows reactor power rather than turbine system power demand. The controls will transfer steam line pressure control from the turbine bypass valves to the atmospheric vent valves on inadequate condenser vacuum or when either MSIV is less than 90% open.

7.7.1.2.10 Loss-of-Load Considerations

The nuclear unit is designed to accept 10% step load rejection without safety valve or turbine bypass valve action. The combined actions of the control system and the turbine bypass to the condenser permit a 40% load rejection without code safety valve action. The controls will limit steam bypass to the condenser when condenser vacuum is inadequate. The features that permit continued operation under load rejection conditions include the following:


1. ICS - During normal operation the ICS controls the unit load in response to load demand from the operator. During normal load changes and small frequency changes, turbine control is through the speed changer to maintain constant steam pressure.
2. 100% Relief Capacity in the Steam System - This provision acts to reduce the effect of large load drops on the reactor system.

Consider, for example, a sudden load rejection greater than 10%. When the turbine generator starts accelerating, the governor valves and the intercept valves begin closure to maintain set frequency. At the same time the megawatt demand signal is reduced, which reduces the governor speed changer setting, feedwater flow demand, and reactor power level demand. As the governor valves close, the steam pressure rises and acts through the control system to reinforce the feedwater flow demand reduction already initiated by the reduced megawatt demand signal. In addition, when the load rejection is of sufficient magnitude, the turbine bypass valves open to reject excess steam to the condenser and safety valves open to exhaust steam to the atmosphere. The rise in steam pressure and the reduction in feedwater flow cause the average reactor coolant temperature to rise which reinforces the reactor power level demand reduction, already established by reduced megawatt demand, to restore RC temperature to the set value. A reactor trip may occur on a loss of load at high power due to the addition of the Anticipatory Reactor Trip System (ARTS) and the raising of the Pilot Operated Relief Valve (PORV) setpoint. See Section 15.2.7.3.

7.7.1.2.11 System Design Comparison

The initial design of the ICS for Toledo Edison Company's Davis-Besse Nuclear Power Station is compared to the Sacramento Municipal Utility District Rancho Seco Station in FSAR Section 7.7.1.2.11.

7.7.1.3 CRDCS - Without Trip Portion

7.7.1.3.1 General

The CRDCS provides for withdrawal and insertion of groups of control rod assemblies (CRAs) to produce the desired reactor power output. These functions are achieved through CRDCS automatic control by the ICS, or, through CRDCS manual control by the operator. The controls provide shutdown capability and compensate for short-term reactivity changes by positioning the 53 regulating CRAs and the 8 axial power-shaping rod (APSR) assemblies. The 53 CRAs are arranged in seven groups: four rod groups function as safety groups and three rod groups function as regulating rod groups. Each of the seven groups may be assigned from 4 to 12 rods.

The CRDCS utilizes triple modular redundant (TMR) processing of inputs, outputs, and commands. This results in making the CRDCS control logic hardware single failure proof. The TMR scheme within processor hardware is used to achieve internal redundancy on all critical circuits. There are three identical slices in each processor module that perform identical functions simultaneously and independently. The processor output of each slice is voted in a majority voting circuit to provide the processor output.
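The majority vote over three slices described above can be illustrated with a bitwise 2-of-3 voter. This is an added example, not code from the UFSAR or the CRDCS vendor: the per-bit voting, the miscompare counter, and the threshold of three consecutive disagreements are assumptions chosen to show what a single-failure-proof vote does and does not mask.

```python
def majority(a, b, c):
    """Bitwise 2-of-3 vote: each output bit takes the value that at
    least two of the three slice outputs agree on."""
    return (a & b) | (a & c) | (b & c)


class TmrVoter:
    """Votes three slice output words and tracks slices that disagree."""

    def __init__(self, fault_threshold=3):
        # Consecutive miscompares before a slice is reported as suspect
        # (constructed value, not a plant setting).
        self.fault_threshold = fault_threshold
        self.miscompares = [0, 0, 0]

    def vote(self, words):
        """Return (voted_word, indexes of slices that differ from it)."""
        a, b, c = words
        voted = majority(a, b, c)
        dissent = [i for i, w in enumerate(words) if w != voted]
        for i in range(3):
            # A slice that agrees again clears its counter.
            self.miscompares[i] = self.miscompares[i] + 1 if i in dissent else 0
        return voted, dissent

    def suspect_slices(self):
        """Slices that have disagreed for fault_threshold votes in a row."""
        return [i for i, n in enumerate(self.miscompares)
                if n >= self.fault_threshold]


if __name__ == "__main__":
    good = 0b1011          # constructed 4-bit command word
    voter = TmrVoter()

    # One faulty slice: masked, and the faulty slice is identified.
    print(voter.vote((good, good ^ 0b0100, good)))

    # Two slices faulty in different bits: every bit still has two
    # healthy votes, so the voted word is still correct.
    print(voter.vote((good ^ 0b0001, good ^ 0b0100, good)))

    # Two slices faulty in the same bit: the vote is wrong and the one
    # healthy slice is the one flagged. This is the limit of a
    # single-failure-proof design.
    print(voter.vote((good ^ 0b0001, good ^ 0b0001, good)))
```
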

Davis-Besse Unit 1 Updated Final Safety Analysis Report There are two independent processor controllers in the CRDCS. Processor 1 (P1) and Processor 2 (P2). Both processors work in parallel with one another while performing separate tasks. Processor P1 is responsible for critical logic tasks as well as monitoring for IN and OUT limits, receiving input from the Operator Control Panel (OCP) and other plant systems. Processor P1 also controls the rod power supply Pulse Generator / Monitor (PG/M) modules for developing SCR gating signals, rod power monitoring and development of the Relative Position Indication (RPI) information. Processor P2 is responsible for monitoring Absolute Position Indication (API) information, zone reference switches and AC input voltage acceptability. To increase the fault tolerance, the processor modules are configured such that both P1 and P2 operate with a primary module and also have a backup standby module located in its adjacent slot. The standby processor module will automatically perform all controls and communication functions should the primary modules self-diagnostics determine that a transfer to the standby processor is necessary. The speed of the drive mechanism and the worth of the rod group provide the reactivity change rates required. Each CRDM has an inherent speed-limiting feature that is accomplished through the use of the CRDCS Pulse Generator / Monitor modules which each contain a quartz crystal controlled clock. Thus, the speed of rod motion is fixed, and the rod group size is the only CRDCS parameter that modifies the reactivity addition rate. The rod grouping capability is for flexibility in meeting any possible configuration dictated by fuel cycle and maneuverability considerations. Control rods are arranged into groups within the CRDCS controller programming. Typically, 28 rods might be assigned to the regulating groups, and 25 rods assigned to the safety groups. 
A typical rod grouping arrangement might be as follows: Axial power-shaping Safety group/rods Regulating group/rods group/rods Group 1/4 Group 5/12 Group 8/8 Group 2/8 Group 6/8 Group 3/4 Group 7/8 Group 4/9 The safety groups are normally fully withdrawn when the reactor is operating at power. The axial power-shaping group serves to correct flux imbalances within the core of the reactor. The regulating groups serve as the principal reactor reactivity control medium. During startup, safety groups 1 through 4 are withdrawn first, enabling withdrawal of regulating control group 5. Once group 5 is equal to or greater than 75% withdrawn, group 6 will be enabled and can be withdrawn. Similarly, withdrawal of group 7 will be enabled when group 6 is equal to or greater than 75% withdrawn. Upon regulating group insertion, group 6 is enabled when group 7 is equal to or less than 25% withdrawn and group 5 is enabled when group 6 is equal to or less than 25% withdrawn. Overlap was established to counteract the dropping off of rod worth near the ends of rod travel. The CRDCS receives interlock signals from the ICS and Nuclear Instrumentation (NI). The ICS interlock signals are used to permit automatic mode selection if the ICS neutron error is less 7.7-10 UFSAR Rev 31 10/2016

Davis-Besse Unit 1 Updated Final Safety Analysis Report than +1% of the power demand while the Nuclear Instrumentation Interlock signals inhibit out-motion for high startup rates as determined by source range and intermediate range NI. A requirement for continuous boron addition and dilution, controlled by the ICS, is the full withdrawal of groups 1-4 and the 25% or greater withdrawal of group 5. 7.7.1.3.2 Equipment Description The CRDCS consists of three basic components: (1) motor control system, (2) system logic, and (3) trip circuitry (described in Subsection 7.4.1.1). Motor Control System: The motor control system contains sixty-one pairs of individual CRDM motor power supply modules for the 61 CRDM motors. Two channels of three phase AC input power are converted into six phase AC power through two CRDCS power system transformers. The AC input power is then rectified to DC power in the individual CRDM motor power supply modules through silicone controlled rectifiers. Redundant pairs of individual CRDM motor power supplies are provided to allow for on-line maintenance since a single power supply is capable of supplying power to its assigned control rod motor. Each individual power supply of the power supply pair is powered from one of two separate AC input power sources. Together the power supply pairs develop reliable redundant power. The power supplies sequentially energizes first two, then three, then two of the six CRDM motor-stator windings in stepping fashion to produce a rotating magnetic field for the CRDM motor to position the CRA. Switching is achieved by gating the associated SCRs on for the period of time that each winding must be energized. Because each of the six CRDM motor stator windings utilizes SCRs to supply power, six gating signals are required. When motion is not required, a fixed rod position is achieved by continuously energizing two adjacent windings of the CRDM motor stator. 
This static energizing of the windings maintains a latched CRDM and a fixed rod position.

Gating signals for the SCRs in the individual CRDM motor power supplies are generated by microprocessor controlled Pulse Generator / Monitor modules and associated gate drive boards. Command signals to position the control rod drives are introduced at the Pulse Generator / Monitor modules input from the CRDCS microprocessor based controller.

The desired rate of change of CRA reactivity insertion and uniform reactivity distribution over the core are provided for by the control rod drive and power supply design and the selection of rods in a group. The motor, leadscrew, and power supply designs are fixed to provide a uniform rate of speed of 30 in./min in the run mode. The reactivity change is then controlled by the rod group worth. To ensure flexibility in this area, software programming has been included in the CRDCS microprocessor controller to enable the interchange of rod worth between rod groups. Any rod may be assigned into any group (with the exception of group 8) through CRDCS controller software changes.

The individual CRDM motor power supplies are identical. Each half of a single rod power supply is powered from a separate source and is capable of holding or maneuvering the individual rods. Each individual rod is grouped so that a uniform and symmetrical group reactivity insertion rate can be achieved by synchronous withdrawal of all rods in that group. A set of control rods is assigned to a specific group of rods and the CRDCS operates this set of rods together. The CRDCS can be used to reposition a single rod if an individual rod has to be repositioned.

System Logic and Rod Position Indication: The CRDCS microprocessor controllers contain those functions that control rod motion in the manual or automatic modes of operation and functions which monitor system operation. Major subsystems of the CRDCS include the operator's control panel, CRA position indication displays, automatic control logic functions and system monitoring functions.

Switches are provided at the Operator Control Panel (OCP) for selection of the desired control mode. The control modes are (1) automatic mode, in which rod motion is commanded by the ICS, and (2) manual mode, in which motion is commanded by the operator. Manual control permits operation of a single rod and unsequenced group withdrawal.

Indicator lamps on the control panel and assigned plant computer points inform the operator of the system status at all times. Indicators on the OCP show full insertion, full withdrawal, and enabled for motion, for each of the eight control rod groups. Trip Confirm, Asymmetric Fault, System Fault, In Travel, Out Travel, Inhibit Out, Inhibit Sequence, and Inhibit Auto indications are also provided on the OCP.

In the CRDCS, two methods of position indication are provided: absolute position indication and relative position indication. The absolute position transducer is essentially fully redundant, consisting of two independent voltage dividers, each with a series of magnetically operated reed switches mounted in a tube parallel to the CRDM motor tube extension. Switch contacts close when a permanent magnet mounted on the upper end of the CRA leadscrew extension comes near. As the leadscrew (and the control rod assembly) moves, the switches operate sequentially, producing a stepped analog voltage proportional to position. This analog voltage consists of two output channels which are inputs to the CRDCS.
The two Absolute Position Indication (API) inputs are considered independent and under normal operations are averaged together. If during the CRDCS API median select checking process a channel of API is determined to be bad or inactive, the CRDCS controller will automatically select only the good channel which will be used for API calculations and display. If both channels are considered bad, the average of the two channels will be used for all API calculations and display. The full scale accuracy with both circuits in operation is approximately 3 inches (full scale = 139 inches). The accuracy with one circuit in operation is approximately 4 inches. Other reed switches included in the same tube with the position indicator matrix provide full-in and full-out limit indications.

The relative position indication (RPI) is determined in the CRDCS controller by calculating the individual rod position based on CRDM motor power supply SCR gating commands (full scale = 139 inches). The accuracy of this indication is 1.53% of full travel. If the RPI is in error compared to the Absolute Position Indication (API), the RPI may be reset by selecting the group or rod and pressing the RPI reset pushbutton on the Operator Control Panel.

When RPI reset is selected from the OCP, the CRDCS Controller sets the value of RPI equal to the current API value for each selected CRDM or group. The API value will be the average of the two API inputs unless one of the API inputs has been removed as a result of deviating from the median value by more than the assigned limit. In this situation, the one good API value is used to set RPI. The CRDM to be reset will be selected by the same method used to select them for movement.

Regulating group sequencing utilizes API rod group average position signals to generate control interlocks which regulate rod group withdrawal and insertion. Sequencer control may be operated in the automatic mode or in the manual mode to control regulating groups 5 through 7 only. The group average signal serves as an input to the CRDCS controller logic to activate group overlap at approximately 25% or 75% of group rod withdrawal. The CRDCS controller provides outputs to the individual CRDM motor power supplies to command the rod groups to be moved in the proper sequence. The selection of the manual control mode and sequence bypass mode functions permits intentional out-of-sequence conditions. This condition is indicated to the operator on the OCP.

Control rod position-indicating readout devices in the control room consist of two control panel-mounted video monitors. Collectively the monitors are called the Position Indication Panel (PIP). Relative, absolute position and group average position information is displayed on the rod position displays. The group average value displayed on the position indication panel is the arithmetic average of the absolute position signals of all CRAs in a group that do not have an asymmetric fault condition present. Each of the two position indication monitors normally displays 4 groups, 1 - 4 and 5 - 8. Either monitor can display either set of rod groups.

The PIP displays each rod's API value via a bar graph and numeric percentage and the RPI value via a numeric percentage. The PIP indicates if a rod is ON Control and indicates if the rod has an asymmetric alarm or fault compared to the API group average. The PIP also indicates percentage withdrawn for each group from the calculated API group average. Below the PIP are LEDs for each rod 0% withdrawn zone reference indication. These LEDs have a battery back-up to ensure 0% indication is available upon a loss of all power to the CRD system.

Failures which could result in improper system operation are continuously monitored by the CRDCS fault detection algorithms. When failures are detected, indicator lights and alarms remain on until the fault condition is cleared by the operator. A list of indicated faults is shown below:

1. Asymmetric rod patterns (indicators and alarm).
2. Sequence faults (indicator and alarm).
3. Safety rods not withdrawn (indicators and alarm).

Faults serious enough to warrant immediate action produce automatic correction commands from the fault detection algorithms. A description of each fault detector follows:

1. Asymmetric Rod Monitor:
a. Design Basis - To detect and alarm if any control rod deviates from its group reference position.

b. System Operation - Each of the 61 control rods has its API signal continuously compared with its absolute group reference (average position) signal. The absolute value of the difference between the two signals is computed, and if this difference is less than the alarm setpoint, no output results. If, however, the difference is greater than the setpoint, a device is actuated which alarms the asymmetric condition. Two alarm setpoints are provided. One setpoint is programmed for a 7-inch signal differential (maximum 11-inch true position separation) and initiates an alarm only. The other setpoint is a 9-inch signal differential (maximum 13-inch true position separation) and initiates the action described below.
c. Control Action - Action taken upon detection of an asymmetric rod fault depends on the control mode and the power level in effect at the time the fault is detected. Control action is the same for any asymmetric condition including stuck-in, stuck-out, or dropped control rods.

Detection of a 7-inch signal differential is defined as an asymmetric rod alarm. Actuation of this alarm causes the alarm indicator on the PI monitor panel for that rod to be illuminated and an alarm signal to be sent to the station computer and annunciator. If the condition is not corrected and the separation increases to a 9-inch signal difference, the following actions occur:
(1) The asymmetric fault lamp on the operator's console is energized. If operation is in the manual control mode, operator action is required.
(2) The ICS sends a signal to the Control Rod Drive System to indicate when Reactor Power is greater than 60% of rated power. If the Control Rod Drive System is in Automatic, an Out Inhibit signal is generated which disables the Out command. Out Inhibit signals are sent to the Control Rod Drive Operator Control Panel and computer.
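The API channel selection, group reference and asymmetric rod setpoints described above can be modelled as in the following added example, which is an illustration and not the CRDCS application software. The function and rod names, the per-channel health flags, the use of the previous scan's fault set to exclude rods from the group reference, and the reading that Out Inhibit requires both automatic mode and power above 60% are assumptions; the sample readings are constructed.

```python
"""Illustrative model of the asymmetric rod monitor (not plant software)."""
from dataclasses import dataclass
from statistics import mean

ALARM_SETPOINT_IN = 7.0   # signal differential that raises the alarm only
FAULT_SETPOINT_IN = 9.0   # signal differential that also drives control action
POWER_LIMIT_PCT = 60.0    # ICS flags reactor power above this value


@dataclass(frozen=True)
class ApiReading:
    """Both absolute position channels of one rod, in inches withdrawn."""
    rod: str
    chan_a: float
    chan_b: float
    a_ok: bool = True   # channel health decided upstream (assumed input)
    b_ok: bool = True


def select_api(r: ApiReading) -> float:
    """Use the single good channel if exactly one is bad, else average both."""
    if r.a_ok and not r.b_ok:
        return r.chan_a
    if r.b_ok and not r.a_ok:
        return r.chan_b
    return (r.chan_a + r.chan_b) / 2.0   # both good, or both bad


def scan_group(readings, faulted_last_scan=frozenset()):
    """One monitor pass: returns (group reference, {rod: OK/ALARM/FAULT})."""
    api = {r.rod: select_api(r) for r in readings}
    # Rods already carrying an asymmetric fault are left out of the average.
    included = [p for rod, p in api.items() if rod not in faulted_last_scan]
    reference = mean(included or api.values())
    status = {}
    for rod, pos in api.items():
        deviation = abs(pos - reference)
        if deviation > FAULT_SETPOINT_IN:
            status[rod] = "FAULT"
        elif deviation > ALARM_SETPOINT_IN:
            status[rod] = "ALARM"
        else:
            status[rod] = "OK"
    return reference, status


def control_action(status, auto_mode: bool, power_pct: float) -> dict:
    """Outputs taken when any rod in the group is at the 9-inch setpoint."""
    fault = "FAULT" in status.values()
    return {
        "asymmetric_fault_lamp": fault,
        "operator_action_required": fault and not auto_mode,
        # Assumed reading: inhibit needs automatic mode AND power above 60%.
        "out_inhibit": fault and auto_mode and power_pct > POWER_LIMIT_PCT,
    }


def constructed_group(low_rod_in: float, flag_bad_channel: bool = True):
    """Constructed sample: eight rods near 100 in, one low, one dead channel."""
    rods = [ApiReading(f"R{i}", 100.0, 100.0) for i in range(1, 7)]
    rods.append(ApiReading("R7", 100.0, 0.0, b_ok=not flag_bad_channel))
    rods.append(ApiReading("R8", low_rod_in, low_rod_in))
    return rods


if __name__ == "__main__":
    readings = constructed_group(88.0)
    ref1, st1 = scan_group(readings)
    faulted = frozenset(rod for rod, s in st1.items() if s == "FAULT")
    ref2, st2 = scan_group(readings, faulted)
    print("scan 1:", ref1, st1["R8"], "| scan 2:", ref2, st2["R8"])
    print(control_action(st2, auto_mode=True, power_pct=75.0))
    # A dead channel that is not flagged bad drags that rod's average down.
    print(scan_group(constructed_group(100.0, flag_bad_channel=False))[1]["R7"])
```

Because the low rod is part of its own group average on the first pass, its signal differential is smaller than its separation from the other rods, which is consistent with the page quoting a larger maximum true separation for each setpoint.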

2. Sequence Inhibit:
a. Design Basis - To detect any motion of the rod groups outside the predetermined sequence patterns, and to prevent further sequenced motion when such conditions occur.
b. System Operation - The sequence monitor function continuously compares the relative group average (position) signals for each regulating group with discrete, predefined rod positions.
c. Control Action - When an out-of-sequence condition is detected and operation is in the automatic control mode, the automatic mode disengages, sequence bypass mode is selected and a sequence inhibit alarm lamp on the OCP and a station annunciator alert the operator to the malfunction. Control reverts to manual and remains in manual until the fault is corrected and the system is reset by the operator.
3. Safety Rods Not Withdrawn:

a. Design Basis - To prevent, on station startup, withdrawal of the regulating rods until the safety rods are fully withdrawn.
b. System Operation - The CRDCS continuously monitors the group out limits for the four safety rod groups. When the four groups are all fully withdrawn, signals are sent to the controller sequencer algorithm which then permits regulating group withdrawal.
c. Resultant Action - Annunciator is actuated.

Station annunciators monitor the status of the trip devices in the CRDCS and will alarm for a trip condition.
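The regulating group overlap rules, the Sequence Inhibit response and the Safety Rods Not Withdrawn permissive described above combine as in the following added example, which is an illustration and not the CRDCS sequencer software. All function names are hypothetical, the in-sequence check is derived here from the 25%/75% enable rules because the page does not list the monitor's predefined positions, and the positions used are constructed.

```python
"""Illustrative model of the regulating-group sequencing permissives."""

OVERLAP_OUT_PCT = 75.0   # lower group must reach this before the next withdraws
OVERLAP_IN_PCT = 25.0    # upper group must fall to this before the next inserts
REGULATING = (5, 6, 7)   # groups handled by the sequencer


def withdraw_enabled(pos, safety_groups_out: bool) -> set:
    """Regulating groups permitted to move outward; pos is % withdrawn."""
    if not safety_groups_out:          # Safety Rods Not Withdrawn interlock
        return set()
    enabled = set()
    for i, group in enumerate(REGULATING):
        lower_ok = i == 0 or pos[REGULATING[i - 1]] >= OVERLAP_OUT_PCT
        if lower_ok and pos[group] < 100.0:
            enabled.add(group)
    return enabled


def insert_enabled(pos) -> set:
    """Regulating groups permitted to move inward (group 7 leads)."""
    enabled = set()
    for i, group in enumerate(REGULATING):
        last = i == len(REGULATING) - 1
        upper_ok = last or pos[REGULATING[i + 1]] <= OVERLAP_IN_PCT
        if upper_ok and pos[group] > 0.0:
            enabled.add(group)
    return enabled


def in_sequence(pos) -> bool:
    """Assumed check: positions must be reachable under the overlap rules."""
    for lower, upper in zip(REGULATING, REGULATING[1:]):
        if pos[upper] > 0.0 and pos[lower] < OVERLAP_OUT_PCT:
            return False               # upper group left 0% too early
        if pos[lower] < 100.0 and pos[upper] > OVERLAP_IN_PCT:
            return False               # lower group left 100% too early
    return True


def sequence_monitor(pos, auto_mode: bool) -> dict:
    """Response to an out-of-sequence condition as the page describes it."""
    fault = not in_sequence(pos)
    return {
        "out_of_sequence": fault,
        "auto_mode": auto_mode and not fault,        # automatic disengages
        "sequence_bypass": fault and auto_mode,      # bypass mode selected
        "sequence_inhibit_alarm": fault and auto_mode,
    }


def boron_control_rod_requirement_met(pos, safety_groups_out: bool) -> bool:
    """Groups 1-4 fully withdrawn and group 5 at 25% or more."""
    return safety_groups_out and pos[5] >= 25.0


def simulate_withdrawal(step_pct: float = 1.0):
    """Withdraw every enabled group one step at a time; returns all states."""
    pos = {g: 0.0 for g in REGULATING}
    history = [dict(pos)]
    while withdraw_enabled(pos, True):
        for g in withdraw_enabled(pos, True):
            pos[g] = min(100.0, pos[g] + step_pct)
        history.append(dict(pos))
    return history


if __name__ == "__main__":
    h = simulate_withdrawal()
    for step in (75, 100, 150, 175, 250):
        print(step, h[step])
    print(sequence_monitor({5: 60.0, 6: 10.0, 7: 0.0}, auto_mode=True))
```

In the simulated startup, groups 5 and 6 move together while group 5 travels from 75% to 100%, which is the overlap the page says was established to offset the drop in rod worth near the ends of travel.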

4. System Fault:

Design Basis - The CRDCS controller shall activate an internal flag within the application software and system fault indication to alert operators to CRDCS off-normal conditions.

System Operation - The CRDCS continuously monitors for off-normal conditions and alerts the control room operator through the OCP, Annunciator System and plant Computer for the following conditions:

AC Power Bus Fault - Improper AC voltage to the CRDCS controllers or improper system Power transformer output.
Single Rod Power Supply Fault - Rod power supply output low or not firing correctly.
Position Indication Fault - CRDCS detects a mismatch between API and RPI, or failure of an API, RPI, In Limit or Out Limit.
Regulating group sequencing error fault.
Automatic rod latching failure fault.
Asymmetric rod in a given rod group when not in Asymmetric Rod bypass.
Patch fault error in rod group patching assignment.
CRDCS Cabinet Cooling Fault - Cabinet high temperature.
DC Power Supply (5 V API) Fault - High or low voltage on either 5 V API power supply.
DC Power Supply (24 V) Fault - DC Failure or Overtemperature on any CRDCS 24 V power supply.
System power, Field power or Power Supply input or output breaker open.
Group Select or insert/withdraw switch failure fault.
Triplex Module Fault - Failure or fault on any CRDCS module that leads to degraded or non-functional condition.

Resultant Action - Annunciator Alarm, OCP System Fault lamp and Computer Point Alarm are actuated.

CRDCS Peripheries

An Engineering Work Station (EWS) can be connected to the CRDCS for the review of alarms and system status. The EWS can also be used for introducing programming changes such as CRDM group patching modifications. The ability to change CRDM Patching will only be available when the system is offline and requires the application software be recompiled before changes take effect. The EWS is password protected.

The CRDCS also has a rod drop timer assembly to capture rod drop times following a reactor trip or in support of rod drop time testing.

7.7.1.4 Turbine Generator Electro-Hydraulic Controls (EHC)

7.7.1.4.1 System Identification

The turbine generator electro-hydraulic controls (EHC) accomplish the following functions:

1. Control turbine speed and acceleration.
2. Control generator load to match load demand.
3. Control steam flow through the turbine to satisfy the load demands.

7.7.1.4.2 Equipment Design

Normal turbine control system operating control is accomplished with an electro-hydraulic servo-positioning system using a triple modular redundant (TMR) digital control system. The digital system combines speed and load demand signals to modulate the positioning signal to the turbine control valves. The principal control programs are for speed, load, and flow. The descriptions of these programs are as follows:

Speed Control Program: Speed control is used to control turbine speed and acceleration to rated speed, and as a means of controlling overspeed. The main speed control program function is to control speed and acceleration according to operator selected setpoints. The speed control program produces a speed error signal by comparing the desired speed with the actual turbine speed. Discrete setpoints for speed and acceleration are available during startup. When a higher speed setpoint is selected, the speed control system will accelerate the turbine at the set rate up to the selected speed. The speed control will then maintain speed at the setpoint.

Load Control Program: The load control program develops the steam flow load reference signal representing the desired turbine load. The load reference signal is ramped to the load setpoint. The operator provides the load setpoint and loading rate inputs in manual mode; in auto mode the Integrated Control System provides the input that raises or lowers the load. The load control program limits and modifies the load reference signal based on valve position limit, power load unbalance runback, stator cooling water runback, and combines them to modify or limit the output signals. The load control program also applies the rate of change in the load reference signal based on the system need.

Flow Control Program: The flow control program uses the load reference signal and the speed error signal to produce a turbine power control valve reference signal. This signal controls the servo control modules that position the control valves and the intercept valves.

Control Valve Positioning and Testing: All four control valves may be operated and positioned continuously over their entire stroke range by the effective control valve flow demand. The servo control modules produce the output to the servo valves that position the control valves. Each valve's position is fed back to the control module; the servo regulators provide closed loop control valve positioning. A power load unbalance event energizes a fast-acting solenoid valve on the control valve mechanism which will close the respective valve.

Each control valve can be tested during normal operation using special programming that lowers the control valve slowly until it is near the closed position; the program then actuates the fast acting solenoid valve to close the control valve rapidly for the remaining portion. Pushbuttons on the operator display screen in the control room are used to initiate the tests. The pressure disturbance caused by closing one of the steam admissions to the turbine will cause the other control valves to open somewhat so that the steady-state steam flow will be approximately constant. Control valve testing is done at approximately 96% load or less to provide enough margin for other valves to open sufficiently to compensate for the drop in load.

Stop valve testing can be performed at 100% load. Areva calculation 32-5012132-00, Davis-Besse TSV Test FIV Analysis, evaluated the effects of the increased steam flow through the tubes of the steam generator that is not having its respective stop valve tested and concluded that the effects are acceptable with the steam generator tube stabilizer designs for the original once through steam generators. The replacement once through steam generators (ROTSG) were analyzed for increased steam flow which bounds turbine stop valve testing. These analyses conclude that the effects of increased steam flow are acceptable with plugged and stabilized tubes in the ROTSG. The ROTSG stabilizer is not qualified for use in a severed tube.

The program includes interlocks that permit only one control valve or one stop valve to be tested at a time. Position indicating instruments, driven by the position transducers on each control valve, are used to indicate valve position on the operator display screen.

Intercept Valve and Intermediate Stop Valve Positioning and Testing: Intercept valves control flow to the low pressure turbine hoods. One intercept valve in each hood is operated by the flow control program. The servo control modules produce the output to the servo valves that position these two intercept valves. Each valve's position is fed back to the control module; the servo regulators provide closed loop control valve positioning. The system controls the position of the intercept valve in the opposite hood based on the servo controlled positioning valve position. It will remain closed until the positioning valve is nearly open; then it will open wide, returning to the closed position when the positioning valve closes to about half stroke.

The intercept valves respond to an IV trigger function that may be required to quickly reduce turbine power and to limit peak speed. If a servo controlled intercept valve position lags the reference position by more than 10%, all intercept valves will rapidly close. When the cold reheat steam pressure is less than approximately 10% of rated and intercept valve fast closing is not essential, the fast acting logic is inhibited to prevent unnecessary intercept valve slamming, particularly during startup. When the emergency trip fluid system is tripped, the intercept valves and intermediate stop valves will be closed by the same signal as the control valves. Test controls are provided similar to those for the stop valves to test one intercept valve at a time in conjunction with the respective intermediate stop valve.

7.7.1.4.3 Operational Considerations

Control and supervisory equipment is provided for remote operation from the turbine generator control panel in the control room. The ability of the station to follow system load demand is accomplished by the load control of the turbine generator in conjunction with the ICS regulation of reactor power and steam generation. However, the turbine speed governor can override the steam pressure controls, and the turbine control valves and throttle stop valves will close when a loss of generator load causes the speed of the turbine to increase beyond the overspeed set point. Speed status, control and stop valve position lights and indicators, main steam pressure, and generator load indications are displayed in the control room.

7.7.2 Analysis

7.7.2.1 Non-Nuclear Instrumentation (NNI) Station Control Systems

The safety analyses of Chapter 15 do not assume contributions from the control systems; however, Chapter 15 includes analyses to demonstrate the adequacy of the protection systems in coping with NNI control system malfunctions.

7.7.2.2 Integrated Control System (ICS)

The ICS is not safety related. However, it has functions important to safe plant operation. All functions to be performed by the ICS can also be manually performed from the main control panels or at the Auxiliary Shutdown Panel (ASP). Therefore, the functions assumed to have been performed can be performed either by the ICS or manually. Chapter 15 contains analyses to demonstrate the adequacy of the protection systems to cope with ICS malfunctions.

7.7.2.3 Control Rod Drive Control System (CRDCS)

Only the CRDCS trip circuitry performs a safety function. The other portions of the CRDCS are not required to function in any safety analysis. Chapter 15 contains analyses to demonstrate the adequacy of the protection systems to cope with CRDCS malfunctions.

7.7.2.4 Turbine Generator Electro-Hydraulic Controls (EHC)

The turbine generator control system design provides a stable control response to normal load fluctuations. Total loss of the turbine generator control system, either by failure of the electric power supplies or loss of hydraulic fluid system pressure, will result in the closure of the turbine control valves and intercept valves. The main turbine bypass valves are capable of responding to the maximum closure rate of the turbine control valves so that the total steam flow is not significantly affected until the magnitude of the load rejection exceeds the capacity of the bypass valves. Load rejection in excess of bypass valve capacity will cause the code safety valves to open. The heat sink thus provided enables an orderly reduction in reactor power. The loss-of-load accident does not result in fuel damage or excessive pressure in the RC system. Abnormal operational transient analyses have been made for a load rejection of the turbine generator system and are included in Chapter 15.

7.7.2.5 System Monitoring

NNI and ICS signals are monitored with a Data Acquisition and Analysis System (DAAS) unit. A DAAS unit is installed in Room 502 (control cabinet area) for monitoring NNI and ICS signals. The DAAS unit is used mainly for system trending and for diagnosis of system anomalies. Operators also use ICS DAAS displays to back up Control Room indications. A DAAS unit consists of a computer, keyboard, monitor, and isolation rack. Signal cables are connected between the system cabinets and DAAS unit. The ICS DAAS unit includes a second monitor installed in the Control Room for use by operators. Isolation of the DAAS unit from the system signals is provided by an interface box that prevents the DAAS unit from causing an NNI or ICS malfunction.

The EHC system does not provide input to the DAAS. The EHC has its own digital system (DEHC) that includes the monitoring functions and therefore is not required to interface with the DAAS. The DAAS system also interfaces with the Plant Process Computer and Start up test panel systems.

TABLE 7.7-2
INTEGRATED CONTROL SYSTEM FUNCTIONS

A. RUNBACKS: The following conditions will cause an ICS initiated runback:

1. Loss of one or more reactor coolant pumps will run back reactor power to the remaining pump capability.
2. Loss of one feedwater pump will run back reactor power to the remaining pump capability.
3. Low deaerator tank level will run back reactor power to 55%.
4. High main feedpump discharge pressure will run back reactor power to 60%.

B. INTERLOCKS:

1. A reactor coolant pump is prevented from being started if reactor power is above 60% (RC subsystem).
2. DELETED
3. The turbine is prevented from going to automatic ICS control if a large throttle pressure error exists (Integrated Master Subsystem).

C. CONTROL FUNCTIONS: The following control functions are performed by the ICS:

1. Load Limiting (ULD subsystem) - The ICS contains a maximum load limiter, a minimum load limiter, and a rate of change limiter to keep the unit within pre-established limits for normal operation.

2. Load Tracking: (ULD subsystem) - The ICS reverts to the load tracking mode to follow the device or component being limited. The following conditions cause the ICS to go to the load tracking mode of control:
a. Reactor cross limit - difference between reactor power and reactor demand exceeds +10 (Power > Demand) or -5% (Power < Demand).
b. Feedwater cross limit - feedwater demand exceeds feedwater flow by plus 5 percent.
c. Transfer of both feedwater loop demand control stations to manual.
d. Transfer of the diamond rod control station to manual.
e. Transfer of the reactor demand control station to manual.
f. Transfer of the reactor/steam generator control station to manual.
g. Transfer of the turbine control station to manual.
h. Tripping open of both turbine-generator output breakers.
i. Reactor tripped.
j. Main turbine trip.
3. Feedwater Ratio Control: (SG subsystem) - The ICS controls the ratio of the feedwater demands for an unbalanced reactor coolant flow condition (loss of a reactor coolant pump) or unbalanced feedwater flowrates (fouled OTSG). The feedwater control is ratioed/limited to the respective steam generator to permit proper control for the unbalanced condition. This function includes an input from the reactor coolant cold leg temperature instrumentation to prevent more than a 1°F cold leg temperature difference with balanced MFW flow. When the SG load ratio controller is set to induce a ΔTc and unbalanced MFW flows, the maximum SG load ratio setpoint will be limited to prevent exceeding a cold leg temperature difference of more than 3°F. Intentional changes in ΔTc shall be limited to 1°F during any 30 minute period.

4. Turbine Bypass Control: (Integrated Master subsystem) - The ICS controls the steam bypass system in order to:
a. Provide pressure control at low loads before the turbine is capable of accepting pressure control. (Bleed excess steam to maintain constant header pressure.)
b. Provide high-pressure relief if the turbine throttle pressure exceeds its setpoint by 50 psi in normal operation.
c. Provide pressure control after a reactor trip.
d. Provide a means of load rejection from partial loads without opening steam line safety valves.
5. Steam Generator Level Control (SG subsystem) - The ICS controls steam generator water level to prevent the following:
a. Loss of all water (low level) in the steam generators, and
b. Overfilling (high level). This limit ensures superheated steam under all operating conditions between the low level limit and 100% load.
6. Btu Limit Alarm (SG subsystem) - The ICS monitors the reactor coolant flow, feedwater temperature, reactor coolant outlet temperature, and steam generator outlet pressure and provides an alarm to assist the operator in ensuring that the required degree of superheat is maintained.
7. Feedwater Demand Calculator (SG subsystem) - In order to remove a constant amount of energy from the steam generators, the ICS controls the feedwater demand based on feedwater temperature. If feedwater temperature is lower than expected, total feedwater demand will be decreased; if feedwater temperature is high, total feedwater demand will be increased.
8. Reactor Power Limit (RC subsystem) - A high limit on reactor power demand prevents the ICS from commanding a power greater than 103% to avoid creating a high flux reactor trip. A low limit on reactor power demand prevents automatic control action at low power levels, thus providing stable low load, startup, and shutdown control.


[Figure 7.7-1, Revision 16, July 1992: Davis-Besse Nuclear Power Station, Integrated Control System (ICS). Block diagram with blocks Unit Load Demand, Integrated Control, Turbine Bypass Control, Turbine Control, Steam Generator Control and Reactor Control. Note 1: Turbine control is furnished with the turbine equipment.]

[Figure 7.7-2, Revision 29, December 2012: Davis-Besse Nuclear Power Station, Control Function in Unit Load Demand (ICS). Diagram elements: target load H/A station (%CTP), core thermal power (CTP) calculation, proportional + integral (PI) control, MWth to MWe, MWe generated (actual), maximum load limit, minimum load limit, rate limit, limiter, megawatt demand (MWd) to Integrated Master.
Load tracking: 1. subsystem in manual; 2. large errors; 3. reactor trip; 4. turbine trip; 5. generator breakers trip.
Runbacks: 1. low deaerator tank level; 2. high MFP discharge pressure; 3. reactor coolant pumps available; 4. loss of a feed pump.
Legend: H/A = hand/automatic control station; MWth = megawatt thermal; MWe = megawatt electric; T = transfer; H = operator adjustable setpoint.]

[Figure 7.7-3, Revision 19, May 1995: Davis-Besse Nuclear Power Station, Integrated Master (ICS). Diagram elements: megawatt demand from unit load demand control, controllers, turbine control demand, low level limit, feedwater demand to steam generator control, megawatt demand to reactor control, loss of condenser vacuum, limiter, turbine bypass valves loop A (typical), atmospheric vent valve loop A (typical).
Legend: MWd = megawatt demand; MWe = actual megawatt generated; Ph = turbine header pressure; Phs = turbine header pressure set point; EMw = megawatt error; Eph = turbine header pressure error; PA = steam generator outlet pressure, loop A; EpA = steam generator pressure error, loop A; Δ = differential; PAS = steam generator pressure set point, loop A; H/A = hand/auto control station; + = signal source from non-nuclear instrumentation system.]

[Figure: Davis-Besse Nuclear Power Station, Steam Generator Control (ICS). Diagram elements: steam generator demand from Integrated Master control, cross limits from and to reactor control, steam generator load ratio control, feedwater loop A and loop B H/A control stations, reactor coolant flow limiter, low selector, sum, controllers, steam generator level limiters.
Legend: Tm = feedwater temperature; L = steam generator level; P = steam generator outlet pressure; ΔP = differential pressure across feedwater valves; ΔPs = differential pressure set point; EΔP = differential pressure error; Ew = feedwater error; F = reactor coolant flow; + = signal source from non-nuclear instrumentation system. Further legend entries (symbols not legible): feedwater flow, average reactor inlet temperature (cold leg), differential, hand/auto control station, feedwater demand, reactor outlet temperature (hot leg).]

. i FIGURE 7.7-4 MAIN FEEOWATER STARTUP FEEOWATER MAIN FEEOWATER MAIN FEEDWATER STARTUP FEEOWATER MAIN FEEOWATER VALVE LOOP A VALVE LOOP A PUMP A PUMP B VALVE LOOP B VALVE LOOP B REVISION 19 MAY 1995

LEGEND f~" AVERAGE TOPERATURE SET POINT Tc = REACTOR COOLANT SYSTEM COLO LEG TEt.PERATURE Th = REACTOR COOLANT SYSTEM HOT LEC TEM'ERATURE T ., REACTOR AVERA~ COOLANT TEt.PERATURE Er = DEVIATION OF AVERAGE TEM'ERATURE FROM SET POINT

                ~ = DIFFERENTIAL ----.......,
        --H:-:-/A *HANO/AUTO CONTROL STATION:::::>
    - -....-Nd " REACTOR POt.ER LEVEL DEMAND Ni
  • REACTOR POER LEVEL N
  • REACTOR POWER LEVEL ERROR MWd
  • IE:CAWATT DEMAND
                 + " SIGNAL SOURCE FROM NON-NUCLEAR INSTRUIE:NTATION SYSTEM 0 = SIGNAL SOURCE FROM NUCLEAR INSTRUMENTATION SYSTEM MEGAWATT DEMAND FROM                                       LOOP A CNTECRATED MASTER CONTROL MWd FROM SIDM GENERATOR                                                                 AVERAGE CONTROL                ~OSS   UMHS SELECTm LOOP 8 fe AVERAGE tEUTRON ERROR TO FEEOWATER CONmot.

FOR CROSS LIMITS OEADBAND ROO CONTRrt. DEMAND DAVIS-BESSE NUCLEAR POYER STATION REACTOR CONTROL (ICS) FIGURE 7.7-6 REVISION 19 MAY 1995

7.8 NUCLEAR INSTRUMENTATION (NI)

The NI (see Figure 7.8-1) is designed to provide neutron flux information over the full range of reactor operations. To provide total monitoring, three ranges of neutron flux detectors are furnished: source range, intermediate range and power range. The power range detectors are required by the RPS to perform safety functions, and are part of the RPS (refer to Section 7.2). The power range instrumentation is discussed in this section for consistency.

7.8.1 Description

The nuclear instrumentation consists of two source range channels, two intermediate range channels and four power range channels. This arrangement allows continuous monitoring of neutron flux level from source range to 125% of rated power. A minimum of one decade overlap between ranges is provided. Figure 7.8-2 presents a pictorial representation of the relation between instrument ranges.

The source range instrumentation consists of two redundant count rate channels which use high sensitivity proportional counters as sensors. Each channel monitors neutron flux over the range of 10⁻¹ to 10⁶ counts per second and provides readouts of log count rate and startup rate for operator information. Control rod withdrawal is inhibited if the startup rate in either channel exceeds 2 decades/minute. The functioning of this interlock is not assumed in any accident analyses. Audible indication of the source range counts in the control room and containment during refueling operations is provided by the Ex-Core Neutron Flux Monitoring System (see Section 7.13.3.11).

The intermediate range instrumentation consists of two redundant channels which utilize gamma-compensated ion chambers as sensors. Each channel provides eight decades of flux level information in terms of the log of ion chamber current and startup rate. The ion chamber measuring range is from 10⁻¹¹ to 10⁻³ amperes. A high startup rate of 3 decades/min in either channel will initiate a control rod withdrawal inhibit. The functioning of this interlock is not assumed in any accident analysis.

The power range instrumentation consists of four redundant, linear channels which utilize uncompensated ion chambers as sensors. The channel output is directly proportional to reactor power and covers the range from 1% to 125% of rated power. The gain of each channel is adjustable, providing a means of calibrating the output against a reactor heat balance.

The circuitry for the measurement of power level for reactor control uses one auctioneering circuit to combine inputs from two power range channels and a second auctioneering circuit to combine the remaining two power range channels. These circuits are in the NNI cabinets. The two resultant signals are then auctioneered in the ICS cabinets to provide the highest power level to the Integrated Control System.

To ensure that failures in the control system cannot produce a failure in the protection system, each signal that goes to a control system is isolated by isolation amplifiers. The resultant systems meet the requirements for separation of protection and control and for single failure as specified in IEEE Standard 279-1968 and the AEC General Design Criteria.

7.8.1.1 Neutron Detectors

Proportional counters are used in the source range channels. The high voltage of both detectors is automatically switched off when the flux level is approximately one decade above the useful operating range, or flux level is above 10⁻⁹ amps in both intermediate range channels or 10% power in power range channels NI-5 or NI-6 and NI-7 or NI-8. The high voltage is turned on automatically when the flux level returns to within one decade of the maximum useful range of the detector. The source range detectors are located on opposite sides of the core, 180 degrees apart.

The intermediate range compensated ion chambers are electrically adjustable, gamma-compensating detectors. Each has a separate adjustable high voltage power supply and an adjustable compensating voltage supply. The two intermediate range detectors are also located on opposite sides of the core, but are rotated approximately 90 degrees from the source range detectors.

An uncompensated ion chamber is used in each of the four redundant power range channels. Each power range detector consists of two 72-inch sections with a single high voltage connection and two separate signal connections. The outputs of the two sections are amplified by linear amplifiers and then summed in the associated power range channel. A signal proportional to the difference in the percentage of rated power between the top and bottom halves of the core is derived from the difference in currents from the top and bottom sections of the detector. The difference signal is displayed on the control console to permit the operator to maintain proper axial power distribution. Each detector has a combined sensitive volume extending approximately from the bottom to the top of the reactor core.

The physical locations of the neutron detectors are shown in Figure 7.8-3. The power range detectors are spaced approximately 90 degrees apart around the reactor. The radial flux distribution within the reactor core is measured by the incore neutron detectors (refer to Section 7.9). Both out-of-core and incore detectors are used to obtain the axial power distribution.

The sum of the outputs from the two sections of each power range detector is calibrated to within 2% of heat balance at 100 percent of rated thermal power (RTP). The power range detectors are allowed to indicate more than 2 percent above the heat balance power at power levels less than 100 percent of RTP. The specific allowance is a function of power level and is controlled administratively by plant procedures. The power range detectors must not indicate more than 2 percent below the heat balance power at any power level. The difference signal is unaffected by calibration of the sum. (This is controlled by procedure vice inherent design features.) Periodically the operator compares the difference indication from the power range channels with the difference obtained from the Incore Monitoring System (IMS).

License Amendment No. 278 increased core rated thermal power by 1.63% from 2772 MWt to 2817 MWt, based on the use of more accurate instrumentation for heat balance measurement. The heat balance measurement uncertainty, based on use of the Caldon CheckPlus™ instrumentation, is 0.37%.

The original design overpower limit of 112 percent of 2772 MWt includes a 2 percent allowance for potential transient neutron measurement errors. This error could be larger than 2 percent RTP for transients that result in an overcooling of the RCS coolant in the reactor vessel downcomer region. This is because the reduced downcomer temperature increases the shielding effect and lowers the neutron leakage measured by the power range detectors. Since the transient neutron measurement uncertainty could be larger than 2 percent RTP, actual core power could exceed the assumed 112 percent RTP design value prior to initiation of a high flux reactor trip.

Reference 1 provides an evaluation of the temperature-induced neutron measurement errors for Davis-Besse. Results demonstrate that the DNBR penalty associated with power levels greater than 112 percent RTP is offset by the beneficial effect of the lower RCS temperature at the core inlet. Because of this, DNBR margin is maintained for power levels up to 123 percent RTP. Additional calculations have been performed and are evaluated for each fuel cycle that result in core power levels near 136 percent. Again, this is offset by the beneficial effect of the lower RCS temperature at the core inlet. Furthermore, for each reload, the RPS power/imbalance/flow reactor trip setpoint is verified to provide protection for these cases.

7.8-3 UFSAR Rev 30 10/2014

[Figure 7.8-1: Functional Drawing, Nuclear Instrumentation System. Marginal quality document, best copy available. Revision 20, December 1996.]

[Figure 7.8-2: Nuclear Instrumentation - Flux Ranges, Davis-Besse Nuclear Power Station. NOTE: This figure depicts approximate numerical relationships between detector neutron flux and the various instrument range indications. Revision 20, December 1996.]

[Figure 7.8-3: Nuclear Instrumentation - Detector Locations, Davis-Besse Nuclear Power Station. Legend: proportional counter - source range detector; CIC - compensated ion chamber - intermediate range detector; UCIC - uncompensated ion chamber - power range detector. Revision 0, July 1982.]

7.9 INCORE MONITORING SYSTEM (IMS)

The IMS provides neutron flux detectors and core outlet thermocouples to monitor core performance. Incore self-powered neutron detectors measure the neutron flux in the core to provide a history of power distribution during operation. The thermocouples measure the temperature of the RC leaving the top of the core to provide a record of core exit temperature. In addition, the thermocouples in the sixteen symmetrical locations provide environmentally qualified and physically separated signals in accordance with NUREG 0737, Item II.F.2, and Regulatory Guide 1.97, Revision 3. Data obtained from the neutron flux detectors provides power distribution information and fuel burnup data to provide assistance in fuel management. The station computer provides normal system readout.

7.9.1 Description

The IMS consists of assemblies of self-powered neutron detectors and thermocouples located at 52 positions within the core. The incore detector and thermocouple locations are shown in Figure 7.9-1. In this arrangement, an incore detector assembly consisting of seven local flux detectors, one background average flux detector and one core outlet thermocouple is installed in the instrumentation tube of each of 52 fuel assemblies as shown in Figure 7.9-1. The local detectors are positioned at seven different axial elevations to provide the axial flux gradient. The average background flux detector provides an integrated flux measurement along the axial length of the core. Readout for the IMS is performed by the station computer.

When the reactor is depressurized, the IMS assemblies can be inserted or withdrawn through incore monitoring system piping which originates at a shielded area in the CV as shown in Figure 7.9-2. This piping enters the bottom head of the reactor vessel where internal guides extend up to the instrumentation tubes of 52 selected fuel assemblies. The instrumentation tube serves as the guide for the IMS assembly. During refueling operations, the IMS assemblies are withdrawn approximately 13 feet to allow free transfer of the fuel assemblies. After the fuel assemblies are placed in their new locations, the IMS assemblies are returned to their fully inserted positions.

The capability is provided for selecting 1 of 8 qualified incore thermocouples as an input to each of the Tsat meters. This addition provides the flexibility to substitute appropriate combinations of incore thermocouples for the loop resistance temperature detectors (RTDs) which are used for primary temperature input to the subcooling meters.

7.9.2 Analysis

7.9.2.1 Calibration Techniques

The nature of the detectors permits the manufacture of nearly identical units which produce a high relative accuracy. The detector signals are compensated continuously for burnup of the neutron sensitive material by the plant computer. Calibration of detectors is not required. The incore self-powered detectors are controlled to precise levels of initial sensitivity by Quality Control during manufacturing.

The sensitivity of the detector changes over its lifetime due to such factors as detector burnup, control rod positions, and fuel burnup. The results of experimental programs to determine the magnitude of these factors have been incorporated into calculations and are used to correct the outputs of the incore detector for these factors.

The station computer calculates a depletion correction factor for each detector, based on detector geometry and the total neutron flux to which the detector has been exposed. Therefore, this correction factor is calculated as a function which varies with burnup. This factor, combined with experimental data on detector sensitivity as a function of detector length, is used to correct detector signals for conversion to power. The heat balance calculated by the station computer is used to normalize the reactor power data derived from the incore detectors. Operation of incore detectors in both power and test reactors has demonstrated that this means of detector compensation provides an accurate readout.

The IMS is not used in the calibration of the power range total power signal. The power range total power signal is calibrated to a station heat balance when the difference between them exceeds a predetermined value. The axial imbalance is maintained during this calibration. The station computer continuously monitors the difference between the calculated heat balance and reactor power as measured by the out-of-core detectors, providing an alarm when the difference is greater than a preset value.

The power range imbalance is calibrated to the IMS imbalance by adjusting the RPS linear amplifier modules gain settings. The maximum allowable deviation between the imbalance indicated by the Power Range Detectors and the value measured by the IMS is specified by Technical Specification.

7.9.2.2 Operating Experience

Self-powered incore neutron detectors have been operated since 1962. Such detectors have been assembled and irradiated in a Babcock & Wilcox development program that began in 1964. The B&W Development Program included these tests:

1. Parametric studies of the self-powered detector.
2. Detector ability to withstand PWR environment.
3. Multiple detector assembly irradiation tests.
4. DELETED
5. DELETED
6. DELETED
7. High pressure seal tests.
8. Relationship of flux measurement to power distribution experiments.

Conclusions drawn from the results of the test program are as follows:

1. The detector sensitivity, resistivity, and temperature effects are satisfactory for use.
2. A multiple detector assembly can provide axial flux data in a single channel and can withstand a reactor environment.
3. Background effects will not prevent satisfactory operation in a PWR environment.
4. Station computer systems are compatible as readout systems for incore monitors.

For IMS development program results and conclusions, refer to B&W Topical Report BAW-10001-A, In-Core Instrumentation Test Program.

7.9.2.3 Detection of Power Distribution

Under normal operating conditions, the incore detectors supply information to the operator in the control room. Each individual detector measures the neutron flux in its vicinity and is used to determine the local power density. The individual power densities are then averaged and a peak-to-average power ratio calculated. This information can be used to ensure core design limits are not violated, detect power oscillations, and detect misloaded fuel assemblies.

The application of this system for detection of power distribution and its minimum sensitivity has been examined through the analysis of experimental data. A series of Physics Verification Program Reports developed under AEC Contract No. AT(30-1)-3647 and B&W Contract No. 41-2007 have previously been submitted to the Commission for review. Much of the data compiled was taken by self-powered detectors and shows the performance capabilities of the detectors. Upon initial installation, the self-powered detector has the capability to measure the relative flux with an accuracy of 5%.

The use of the IMS to detect xenon oscillations is described in B&W Topical Report BAW-10010, Part 1, Stability Margins for Xenon Oscillations-Modal Analysis.

7.9-3 UFSAR Rev 30 10/2014

[Figure 7.9-1: Incore Detector Locations, Davis-Besse Nuclear Power Station. Legend: total core monitors based on 1/8 core symmetry; symmetry monitors; combination total core and symmetry monitors. Detector assembly detail: thermocouple, local flux detector, background average flux detector, axial flux shape, active core length. Revision 19, May 1995.]

[Figure 7.9-2: Typical Arrangement - Incore Instrument Channel, Davis-Besse Nuclear Power Station. Labels: incore instrument removal tank, electrical connector, 2500 psi seal, IMS piping. Revision 0, July 1982.]

7.10 STATION COMPUTER SYSTEM

The purpose of the station computer is to monitor plant performance and display this information to the plant operator. It also performs calculations to support nuclear fuel management and checks input signals for abnormal ranges. Calculations are performed to provide operators with the status of plant nuclear and thermohydraulic conditions. No direct or indirect reactor protection or process control action is taken by the computer system. Should the computer be out of service for any reason, the ability of the plant to operate safely under manual or automatic control is not impaired.

The plant process computer system consists of multiple computer workstations located throughout the station. All equipment is interconnected through a plant computer network. Redundant equipment with monitoring and failover is provided for critical processing equipment. Printers are available to provide hardcopy printouts of alarms, logs, screen prints and reports. Critical processing equipment is powered from one of two separate uninterruptible power supplies.

Plant data is acquired by sampling over 3000 station inputs via multiplexers located throughout the station. Typical inputs include flow, level, pressure, temperature, valve position and status of pumps or motors. Station status is obtained by scanning these inputs and providing the digital values for use by any of the workstations.

The display of alarm messages is provided automatically. Operator-requested displays may consist of a single plant input, calculated variable or a group of pre-assigned inputs or calculated variables. All requests are done through the workstations via the keyboard or mouse.

A sequence of event function is also provided by the plant process computer. The sequence of event function records off-normal and return-to-normal events, the time of occurrence and the sequence of occurrence.

The Plant Computer includes the Safety Parameter Display System (SPDS). Refer to Section 7.14 for the function of the SPDS.

7.10-1 UFSAR Rev 33 9/2020

7.11 STATION ANNUNCIATOR

The station annunciator, located at the main control board, provides the operator with visual and audible indications if limiting conditions are approached or abnormal conditions exist for any system so annunciated. In the event of annunciator non-operability or malfunction, station safety will not be compromised and station operation will not be prevented.

7.11-1 UFSAR Rev 30 10/2014

7.12 NON-NUCLEAR INSTRUMENTATION (NNI)

Discussions relating to the instrumentation systems which monitor various station processes are included in the descriptions of various systems. The major design criteria related to NNI control and instrumentation systems are listed below:

1. Regulating and control system instrumentation are separate from protective system equipment.
2. Sufficient instrumentation is provided to enable the operator to monitor all station operating conditions.
3. Instrumentation ranges shall be selected to measure the maximum process system design conditions as a minimum.
4. Where measurement of wide process ranges is required and precise control is also involved, both wide range and narrow range instruments are provided.
5. Process parameters used by the ICS during power operations are derived from selectable redundant transmitters.

7.12-1 UFSAR Rev 30 10/2014

Davis-Besse Unit 1 Updated Final Safety Analysis Report 7.13 POST ACCIDENT MONITORING SYSTEM (PAMS) The purpose of the Post Accident Monitoring System (PAMS) is to follow the course of an accident condition with wide range instrumentation, which will provide to the plant operators the essential safety status information allowing the operators to return the plant to a maintained, safe, shutdown condition. The scope of the PAMS Category 1 instrumentation includes all electronic signal processing equipment and cabling from the safety grade, Class 1E sensors (channels 1 and 2 of each variable) to the post accident instrument racks in the main control room and cabinet room. The racks house the indicating, recording, storing, calculating, and displaying modules for the essential accident condition information. Category 1 is intended for key variables. Category 2 generally applies to instrumentation for indicating system operating status. Category 3 instrumentation provides for backup and diagnostic functions. This section does not provide details for Category 2 and 3 instrumentation except for instruments identified in Section 7.13.3. 7.13.1 Design and Qualification Criteria The following information demonstrates the compliance with the NRC Regulatory Guide 1.97, Revision 3, for category 1. The PAMS also meets Regulatory Guide 1.89 and the methodology described in NUREG 0588. 7.13.1.1 Single Failure No single failure within the PAMS, its auxiliary support features, or its power sources, concurrent with a failure that is a condition or result of the specific accident will prevent the operator from being provided the essential information to determine the safety status of the Generating Station. 7.13.1.2 Power Sources All PAMS instrumentation is energized from the plant essential power bus which is backed up by batteries. Each channel is electrically independent for each measured variable. Essential power supplies are discussed in Chapter 8. 
7.13.1.3 Availability The PAMS instrumentation is designed to be available for any accident condition, except as defined by Paragraph 4.11 of IEEE-279 1971 or as specified by Test Specification. 7.13.1.4 Quality Assurance NRC Regulatory Guides 1.33, 1.38, 1.39, 1.58 and 1.64 were used, to the extent possible on PAMS for quality assurance. 7.13-1 UFSAR Rev 33 9/2020

7.13.1.5 Indication Requirements
Where required, indication for both channels for each variable has been provided. Where two or more instruments are required, overlapping instrument spans have been provided.

7.13.1.6 Recording Requirements
Recorders or plant computers for each variable have been provided where trend and transient information are essential for operator action.

7.13.1.7 Accuracy
The PAMS instrumentation will continue to read within the required accuracy following, but not necessarily during, a safe shutdown earthquake.

7.13.1.8 Identification
The identification of the PAMS equipment, including cabinets, trays, and cables between redundant portions, is accomplished by color coding and numbering as described in Chapter 8.

7.13.1.9 Service and Testing
Service testing and calibration programs have been provided to maintain the capability of PAMS. Instruments which require a shorter interval than refueling shutdowns are provided with built-in testing features which allow testing during power operation. Checking, testing and calibration are performed in accordance with Regulatory Guide 1.118.

7.13.1.10 Bypass
Administrative controls to prevent a channel from being removed and thereby allowing access to all setpoint adjustments, module calibration adjustments and test points have been provided by the use of cabinet door locks requiring keys. Out of service intervals are specified in the Technical Specification.

7.13.1.11 Isolation
The transmission of PAMS signals for use by other systems has been provided with isolation devices (buffers). The isolation devices are located in an accessible rack for maintenance during accident conditions.

7.13.1.12 Quality of Components
The PAMS consists of Class 1E high quality sensors and components to the extent possible. Inputs are provided which measure the desired variable. Utilization of instruments used during normal plant operation has been considered in the design and qualification criteria.

7.13.1.13 Environmental Qualification
For PAMS Class 1E equipment installed to meet the requirements of Regulatory Guide 1.97, IEEE Standard 323-1974 and IEEE Standard 344-1971 have been utilized for the environmental qualification. While all PAMS Class 1E equipment satisfies the requirements of 10 CFR 50.49, some were original plant equipment and are in compliance with earlier versions of IEEE standards. All environmental envelopes except that pertaining to the variable measured by the information display channel are those associated with design basis accident events. Type test data is available to verify that the PAMS Class 1E equipment meets the performance requirements on a continuing basis.

7.13.2 Supporting Systems

7.13.2.1 Safety System Interface
Wide range RC pressure signals from Safety Features Actuation System (SFAS) Channel 1 and 2 are supplied through isolation devices (buffers) for use in the subcooling margin processing instrumentation for the required reactor coolant system subcooling margin calculation.

7.13.2.2 Non-Class 1E Interfaces
The PAMS interfaces with the following non-safety (Non-Class 1E) equipment, where no credit is taken for its operability:

1. Station Annunciator
2. Station Computer
3. SPDS multiplexer (MUXA)

7.13.3 System Description
The PAMS Category 1 instrumentation consists of Class 1E, safety grade systems which contain independent instrumentation strings to monitor the following plant parameters:
1. Containment High Range Radiation Monitors
2. Containment Wide Range Pressure Monitors
3. Containment Normal Sump and Wide Range Water Level Monitors*
4. Containment Hydrogen Monitors##
5. RC System Subcooling Margin Monitors* #
6. Incore Thermocouples
7. PORV and Pressurizer Safety Valves Position Indicators*
8. Wide Range Noble Gas Monitors*
9. Reactor Coolant Hot Leg Level Monitoring (HLLMS)**
10. Reactor Coolant Loop Pressure Monitors
11. Neutron Flux Detectors
12. Steam Generator Start-Up Range Level Indicators
13. Steam Generator Outlet Steam Pressure
14. Reactor Coolant Loop Outlet Temperature
15. Pressurizer Level
16. High Pressure Injection Flow
17. Low Pressure Injection (DHR) Flow
18. Auxiliary Feedwater Flow Rate
19. Borated Water Storage Tank Level**

* Containment Normal Sump Level, RC System Subcooling Margin Monitors, PORV and Pressurizer Safety Valves Position Indicators, and Station Vent Wide Range Noble Gas Monitors are Category 2 instrumentation.
** Exceptions have been taken and approved in Regulatory Guide 1.97 submittals and correspondence.
# The Subcooling Margin Monitor indicators are Non-1E and not safety grade.
## The Containment Hydrogen Monitors have been reclassified by the NRC as Category 3 as a result of a revision to 10 CFR 50.44 (Reference 4).

7.13.3.1 Containment High Radiation Monitors
The Containment High Radiation Monitor consists of two (2) safety grade, electrically independent, physically separated gamma photon radiation level instrument strings, with a calibrated range of 10^0 to 10^8 Rad/hr. Continuous indicators have been provided in the post accident racks located in the main control room. In addition, one string provides a signal output (non-Class 1E) to the SPDS multiplexer (MUXA) and both strings provide an output (non-Class 1E) to recorders in the radiation monitoring panels located in the main control room.

7.13.3.2 Containment Wide Range Pressure Monitors
The Containment Wide Range Pressure Monitors consist of two (2) safety grade, Class 1E, electrically independent, and physically separated pressure instrument strings with a maximum calibrated range of 200 psia. Local indicators are provided in the post accident panels in the main control room. One of the signals goes to the SPDS multiplexer (MUXA).

7.13.3.3 Containment Normal Sump And Wide Range Water Level Monitors
The Containment Normal Sump and Wide Range Water Level Monitors each consist of two (2) safety grade water level instrument strings. Each normal range sump pit level instrument has an indicator in the main control room with a range of 0-4 feet. Actual sump pit depth is 2 feet 7 inches. The wide range water level monitors each have an indicator in the main control room with a range of 0-55 feet (i.e., containment bottom to 600,000 gallon calculated CTMT flood level). The wide range sensors overlap approximately 4 inches with the normal range sensors. Both normal and wide range instruments provide Non-Class 1E signals to the station computer. Also, one each of the normal and wide range signals goes to the SPDS multiplexer (MUXA).

7.13.3.4 Containment Hydrogen Monitors
The Containment Hydrogen Monitors consist of two cabinet cubicles. Each cubicle provides one channel, with a metal barrier separating Channels 1 and 2. The Hydrogen Analyzer has a range of 0-10% hydrogen under both positive and negative containment pressure. Indicators have been provided in the control room and on the front panel of the cubicles. A redundant pump has been supplied with fail circuit pressure switch and alarm. When the initial pump fails, the parallel redundant pump provides flow. The hydrogen analyzer equipment is not required to operate in a continuous mode. Startup of the system is required 30 minutes after containment spray has been initiated during accident conditions. In addition, instrument signals have been provided to the station computer. One of the signals also goes to the SPDS multiplexer (MUXA). Note that 10 CFR 50.44 relaxes the requirements for the containment hydrogen monitors (Reference 4).

7.13.3.5 RC System Subcooling Margin Monitors
The RC System Subcooling Margin Monitors are PAMS Category 2 instrumentation, as defined in Regulatory Guide 1.97. They consist of two (2) electrically independent, physically separated instrument processor strings.
Each processor channel is provided with isolated Class 1E signal inputs from 100 ohm RTD detector instrument strings and pressure instrument strings (Hotleg Temperature 120-920°F and Wide Range Reactor Pressure 0-2500 psig from the SFAS system isolation buffers). Providing the isolation at the inputs to the meters meets the requirements of Regulatory Guide 1.97, which states that if an instrumentation channel signal is to be used in a computer-based display, recording, or diagnostic program, qualification applies from the sensor up to and including the channel isolation device. The Tsat meters are signal processors and therefore fall under this allowance. The processor channels calculate reactor coolant system subcooling and display the calculated value on digital meters located in the post accident racks in the main control room. Digital meters in the cabinet room will display, on demand, the temperature or pressure input values as well as reactor coolant system subcooling, saturation pressure, or saturation temperature. In addition, separate signal outputs are provided for the SPDS multiplexer (MUXA), station annunciator, and station computer.

7.13.3.6 Incore Thermocouples
The Incore Thermocouples consist of two (2) thermocouples from each reactor quadrant, for a total of eight (8), selectable for each Tsat meter located in the post accident racks. The thermocouples are redundant to the hot leg RTDs. All components except the Tsat meters are Class 1E. Buffer inputs are provided for the SPDS multiplexer (MUXA) and station computer. The hand switch and temperature indicators are located in the main control room. The range of the thermocouples is 0-2300°F.

7.13.3.7 PORV and Pressurizer Safety Valves Position Indicators
The PORV and Pressurizer Safety Valves Position Indicators are designed to monitor the positions of the power operated relief valve and safety valves. Flow through these valves generates acoustical levels or vibration, which is detected on the discharge pipe by piezoelectric sensors that provide a charged output. An alarm module to test and display annunciator conditions and Open/Closed light indication is provided in the main control room. In addition, signal outputs are provided to the SPDS multiplexer (MUXA), station annunciator, and station computer.

7.13.3.8 Wide Range Noble Gas Monitors
The Wide Range Noble Gas Monitors consist of Normal Range and Accident Range Station Vent Monitors, which detect and measure the gross beta/gamma activity level of the isotopes present in gaseous form in the containment atmosphere or from the auxiliary building in the effluent release vents. The monitors utilize two detectors to cover the gaseous activity range from 10^-7 Ci/cc to 10^5 Ci/cc. In addition, a collection system for particulates and halogens permits data gathering for levels at or below 10^2 Ci/cc. See Section 11.4.2.2.4 for additional information.
7.13.3.9 Reactor Coolant Hot Leg Level Monitoring
The Reactor Coolant Hot Leg Level Monitoring System (HLLMS) instrument strings (one per hot leg) are classified as important to safe operation, but not nuclear safety related, and are designed to safety Class 1E for the electrical portion up to and including the isolation device wired to non-Class 1E equipment. The piping portions of the HLLMS are designed as ASME Section III Class 1 from the reactor coolant system tie-ins to the first isolation valve and Section III Class 2 from the first isolation up to and including the instrument shut off valves. The transmitters and sensing lines from each hot leg pipe are spatially separated. The lower tap for each transmitter is common, but each line is separately routed to the respective transmitter. Electrical separation for each redundant channel is provided by the routing of cable in separate conduits. Redundant Class 1E power is provided to each channel. The HLLMS provides a means to trend reactor coolant inventory. The HLLMS provides supplementary information to assist the operator in the assessment of the effectiveness of automatic safety functions (ESFAS). The HLLMS is only operational when the reactor coolant pumps are not running and natural circulation is possible.

The Level Transmitter and density compensation signals are sent to the plant computer. The channel 2 signals also go to the SPDS multiplexer (MUXA). An HLLMS algorithm uses these signals together with RCS flow, temperature, pressure, and pump status signals to determine actual hot leg level. The level can be accessed and displayed provided that the RCS pumps are off and the RCS is not experiencing rapid depressurization.

7.13.3.10 Reactor Coolant Loop Pressure Monitors
The Reactor Coolant (RC) Loop Pressure Monitors consist of two (2) safety grade, Class 1E, electrically independent, physically separated pressure instrument strings with a calibration range of 0-3000 psig. Indicators are provided in both the post accident panels in the main control room and the auxiliary shutdown panel. In addition, isolated signal outputs are provided to a chart recorder and the SPDS multiplexer (MUXA).

7.13.3.11 Neutron Flux Detectors
The Neutron Flux Detectors consist of two (2) safety grade, Class 1E, electrically independent, physically separated fission chamber radiation level instrument strings, with the capability of a calibrated range of 10^-2 to 10^10 n/cm^2 sec. This signal is processed for source range (10^-1 to 10^5 cps) and wide range indication (10 2 x 102 % power). Continuous indicators have been provided in the post accident racks located in the main control room. The signal processor also provides audible indication in the main control room and in containment.

7.13.3.12 Steam Generator Start-up Range Level Indicators
The Steam Generator Start-up Range Level Indicator consists of four (4) safety grade, Class 1E, electrically independent, physically separated readouts. Two readouts are 0-250 of water, two are 0-300 of water. Indicators are located on the main control board (fed from the Auxiliary Shutdown Panels) and on the Post Accident Monitoring (PAM) panels (fed from SFRCS). Two of these instrument strings have corresponding plant computer and SPDS multiplexer (MUXA) points.

7.13.3.13 Steam Generator Outlet Steam Pressure
PAMS contains two (one per SG) safety grade Steam Generator Outlet Steam Pressure strings with indicators in the control room and corresponding plant computer points. The range of these strings is 0-1200 psig. These strings are redundant to two (one per SG) non-safety grade Steam Generator Outlet Steam Pressure strings with indicators in the control room and corresponding plant computer points. The safety grade instrument strings also go to SPDS multiplexer (MUXA) points.

7.13.3.14 Reactor Coolant Loop Outlet Temperature
PAMS contains four (two per loop) safety grade RC Loop Outlet Temperature strings with indicators in the control room and corresponding plant computer points. Two of these computer points also go to the SPDS multiplexer (MUXA). These strings have a range of 120-920°F.

7.13.3.15 Pressurizer Level
PAMS contains two safety grade Pressurizer Level strings with indicators in the control room and corresponding plant computer points. One of these signals also goes to the SPDS multiplexer (MUXA). These strings have a 0-320 inch range.

7.13.3.16 High Pressure Injection Flow
PAMS contains four (two per train) safety grade High Pressure Injection Flow strings with indicators in the control room and corresponding plant and SPDS multiplexer (MUXA) points. These strings have a 0-500 GPM range.

7.13.3.17 Low Pressure Injection (DHR) Flow
PAMS contains two (one per train) safety grade Low Pressure Injection Flow strings with indicators in the control room and corresponding plant and SPDS multiplexer (MUXA) points. These strings have a 0-5000 GPM range.

7.13.3.18 Auxiliary Feedwater Flow Rate
PAMS contains four (two per train) safety grade Auxiliary Feedwater Flow strings with indicators in the control room. Two of these signals also go to the SPDS multiplexer (MUXA). The range of these strings is 0-1000 GPM.

7.13.3.19 Borated Water Storage Tank Level
PAMS contains four safety grade Borated Water Storage Tank Level strings with isolated non-1E indicators in the control room and corresponding plant computer points. One of these signals also goes to the SPDS multiplexer (MUXA). The range of these strings is 0-50 feet.

7.13.4 Design Bases
The design bases for the PAMS instrument strings are applicable to Regulatory Guides 1.97, Revision 3 and 1.89 and NUREG 0737 requirements.

7.14 SAFETY PARAMETER DISPLAY SYSTEM
The principal purpose and function of the SPDS is to aid the Control Room personnel during abnormal and emergency conditions in determining the safety status of the plant.

7.14.1 Description
Information from plant instrumentation provides input to both the station computer and a separate multiplexer that is used as the primary source of data to the SPDS. The display and archive system provides the displays to workstations located in the Control Room, Technical Support Center (TSC), and Emergency Operations Facility (EOF) via the plant data network. Data and displays are also available to other locations with access to the plant data network.

7.14.2 Design Bases
The SPDS displays are located convenient to the control room operators. The displays aid the Control Room operator in determining the status of the plant with a series of six alarm boxes. Each box represents the status of a critical safety function. The critical safety functions for NUREG 0737 Supplement 1 include: reactivity control, reactor core cooling and heat removal from the primary system, reactor coolant system integrity, radioactivity control, and containment conditions. Note that the extra safety function used in the Davis-Besse SPDS results from splitting the reactor core cooling and heat removal from the primary system function into two functions. The first of these is associated with the core heat removal from the standpoint of the primary system. The second function is related to secondary plant heat removal capabilities. These alarm boxes are located on all displays associated with SPDS. A list of alarm conditions associated with each box is also available to assist the Control Room operator in determining the cause of the alarm. The alarm conditions are activated by parameters reaching specified setpoints, which can be fixed or derived from the other parameters. This design provides a concise method of directly displaying the alarm conditions without requiring an analysis by the operator. The intent of this design is to provide indications of potential threats to the fulfillment of a critical safety function. These alarm conditions were developed to be consistent with the normal and emergency operating procedures. Historical trends of these parameters can also be selected for display to assist the operator in determining the status of critical safety functions. These displays and alarm boxes constitute the minimum SPDS display format.

The SPDS displays incorporate accepted human factors principles. The operator is trained to identify unsafe plant conditions with, or without, an SPDS. The conservative design of the SPDS alarm logic is such that an omission of an alarm is preferable to an invalid alarm. The alarms have been designed with sufficient logic to eliminate false or inaccurate alarms. Thus, the design minimizes the possibility of an invalid alarm distracting the Control Room operator from safety-related instrumentation. The SPDS alarm logic is also designed to augment rather than duplicate other alarm indications available in the Control Room.

A dedicated computer multiplexer (MUXA) provides the primary source of data for the SPDS. Those signals originating in Class 1E instrumentation strings are isolated from the safety grade portion of the system using the appropriate Class 1E isolation devices. The parameters evaluated as most useful in determining the safety status of the plant were included on the input list of the dedicated multiplexer to provide a means of information redundant to data from the station computer. All data received from the station computer and the dedicated multiplexer is archived for future use. Historical SPDS information is readily available for displaying parameter trends at any plant computer workstation such as the Control Room, TSC, and EOF.


7.15 REFERENCES

1. B&W No. 12-1123868-00 Task 96 NI Calibration Error Final Report, Babcock & Wilcox, Lynchburg, VA, February, 1981.
2. B&W Topical Report BAW-1893, Basis for Raising Arming Threshold for Anticipatory Reactor Trip on Turbine Trip, Babcock and Wilcox, Lynchburg, VA, October 1985.
3. Docket No. 50-346, Serial Number 1487, License Amendment Application to Revise Main Steam Safety Valve Relief Capacity/High Flux Trip Setpoint Relationship and Restate ASME Code Requirements for Main Steam Safety Valves, March 4, 1988.
4. Federal Register, Volume 68, Number 179, page 54123, Tuesday, September 16, 2003, Final Rule 10 CFR 50.44.
5. Areva calculation 32-5012132-00, April 13, 2001, Davis-Besse TSV Test FIV Analysis.

7.15-1 UFSAR Rev 30 10/2014}}