ML21286A371
Text
BFN-27 7.3 PRIMARY CONTAINMENT ISOLATION SYSTEM 7.3.1 Safety Objective To provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barrier, the Primary Containment Isolation System initiates automatic isolation of appropriate pipelines which penetrate the primary containment whenever monitored variables exceed preselected operational limits.
For a gross failure of the fuel, the Primary Containment Isolation System initiates isolation of the reactor vessel to contain released fission products. For a gross breach in the nuclear system process barrier outside the primary containment, the isolation system acts to interpose additional barriers (isolation valve plugs) between the reactor and the breach, thus stopping the release of radioactive materials and conserving reactor coolant. For gross breaches in the nuclear system process barrier inside the primary containment, the Primary Containment Isolation System acts to close off release routes through the primary containment barrier, thus trapping the radioactive material coming through the breach inside the primary containment.
7.3.2 Definitions Group A isolation valves listed in Table 5.2-2 are in pipelines that communicate directly with the nuclear system process barrier and penetrate the primary containment. These lines generally have two isolation valves in series--one inside the primary containment and one outside the primary containment.
Group B isolation valves listed in Table 5.2-2 are in pipelines that do not communicate directly with the nuclear system process barrier, but penetrate the primary containment and communicate with the primary containment free space.
These pipelines generally have two isolation valves in series--both of them outside the primary containment, except that on water-sealed lines, one isolation valve in addition to the water seal is adequate to meet isolation requirements.
Water sealing refers to lines which penetrate the pressure suppression chamber above the pool water level and terminate within the pressure suppression chamber well below the normal water level. The water in the line within the containment prevents communication between the atmosphere in the containment and the Reactor Building, even if the isolation valve fails to close. The water-sealing function is maintained as long as pressure suppression pool water level is maintained at or above prescribed limits.
7.3-1
BFN-27 7.3.3 Safety Design Basis
- 1. To limit the uncontrolled release of radioactive materials to the environs, the Primary Containment Isolation System shall, with precision and reliability, initiate timely isolation of penetrations through the primary containment structure, which could otherwise allow the uncontrolled release of radioactive materials whenever the values of monitored variables exceed preselected operational limits.
- 2. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, the Primary Containment Isolation System shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.
- 3. To provide assurance that important variables are monitored with a precision sufficient to fulfill safety design basis 1, an adequate number of sensors shall be provided for monitoring essential variables that have spatial dependence.
- 4. To provide assurance that conditions indicative of a gross failure of the nuclear system process barrier are detected with sufficient timeliness and precision to fulfill safety design basis 1, Primary Containment Isolation System inputs shall be derived, to the extent feasible and practical, from variables that are true, direct measures of operational conditions.
- 5. The time required for closure of the main steam isolation valves shall be short, so that the release of radioactive material and the loss of coolant as a result of a breach of a steam line outside the primary containment are minimal.
- 6. The time required for closure of the main steam isolation valves shall not be so short that inadvertent isolation of steam lines causes excessive fuel damage or excessive nuclear system pressure. This basis ensures that the main-steam-isolation-valve closure speed is compatible with the ability of the Reactor Protection System and Pressure Relief System to protect the fuel and nuclear system process barrier.
- 7. To provide assurance that closure of Group A and Group B automatic isolation valves is initiated, when required, with sufficient reliability to fulfill safety design basis 1, the following safety design bases are specified for the systems controlling Group A and Group B automatic isolation valves.
- a. Any single failure within the isolation system shall not prevent essential isolation action when required to satisfy safety design basis 1.
7.3-2
BFN-27
- b. Any anticipated intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the functional ability of any essential isolation system to respond correctly to essential monitored variables.
- c. The essential isolation system shall be designed for a high probability that when any essential monitored variable exceeds the isolation setpoint, the event shall result in automatic isolation and shall not impair the ability of the system to respond correctly as other monitored variables exceed their isolation setpoints.
- d. When a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more essential isolation system channel(s) designed to provide protection against the unsafe condition, the remaining portions of the isolation control system shall meet the requirements of safety design bases 1, 2, 3, and 7a.
- e. The power supplies for the essential portions of the Primary Containment Isolation System shall be arranged so that loss of one supply cannot prevent automatic isolation when required.
- f. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Groups 1-6 require deliberate operator action to return the system to normal operation after isolation action.
- g. There shall be sufficient electrical and physical separation between essential variables to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.
- h. Earthquake ground motions shall not impair the ability of the Primary Containment Isolation System to initiate automatic isolation.
- 8. The following safety design bases are specified to assure that the timely isolation of main steam lines is accomplished, when required, with extraordinary reliability.
- a. The motive force for achieving valve closure for one of the two tandem-mounted isolation valves in an individual steam line shall be derived from a different energy source than that for the other valve.
7.3-3
BFN-27
- b. At least one of the isolation valves in each of the steam lines shall not rely on continuity of any variety of electrical power for the motive force to achieve closure.
- 9. To reduce the probability that the operational reliability and precision of the Primary Containment Isolation System will be degraded by operator error, the following safety design bases are specified for Group A and Group B automatic isolation valves.
- a. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables shall be under administrative control.
- b. The means for bypassing channels, logics, or system components shall be under administrative control.
- 10. To provide the operator with means, independent of the automatic isolation functions, to take action in the event of a failure of the nuclear system process barrier, it shall be possible for the control room operator to manually initiate isolation of the primary containment and reactor vessel.
- 11. The following bases are specified to provide the operator with the means to assess the condition of the Primary Containment Isolation System and to identify conditions indicative of a gross failure of the nuclear system process barrier.
- a. The Primary Containment Isolation System shall be designed to provide the operator with essential information pertinent to the status of the system.
- b. Means shall be provided for identification of essential trip system responses.
- 12. It shall be possible to check the operational availability of each essential channel and trip system during some reactor operating state.
7.3.4 Description 7.3.4.1 Identification The containment isolation system is designed to accomplish the safety design bases, and thus prevent the release of radioactive material to the environment after an accident, while ensuring that systems important for postaccident mitigation are 7.3-4
BFN-29 operational. Systems were evaluated and containment isolation provisions were provided based on the following.
- 1. Nonessential Systems - These systems are not required for postaccident mitigation and are isolated automatically upon receipt of a primary containment isolation signal (PCIS), or are provided with manual valves which are closed when containment integrity is required.
- 2. Essential Systems - These systems are required for postaccident mitigation and are not isolated automatically upon receipt of a PCIS. However, isolation of these lines, if required, is possible from the Main Control Room. The following systems are classified essential as a result of their accident-mitigation function:
(1) Standby Liquid Control (SLC),
(2) Reactor Core Isolation Cooling (RCIC; expected to operate, but not required for mitigation),
(3) High Pressure Coolant Injection (HPCI),
(4) Residual Heat Removal - Low Pressure Injection and Containment Cooling Modes (RHR),
(5) Core Spray (CS),
(6) Containment Atmospheric Dilution (CAD), and (7) Hardened Containment Venting System (HCVS)
Each line penetrating primary containment has been reviewed to ensure that (1) isolation of the line was based on its need to be inservice postaccident, and (2) each containment isolation valve received the proper isolation signal.
The Browns Ferry primary containment isolation signals are provided by diverse and redundant safety grade equipment. Browns Ferry complies with SRP 6.2.4 by isolating, in general, on (a) low reactor level, or (b) high drywell pressure. The PCIS setpoints were chosen such that isolation will occur prior to, or at the time of ECCS initiation. There are several other isolation modes in addition to the main PCIS logic.
For example, main steam isolation valves will also close as a result of high steam 7.3-5
BFN-29 flow or high steam line tunnel temperature. The primary containment ventilation system isolates on Reactor Building high radiation. The HPCI and RCIC systems have instrumentation to detect pipe breaks within their own flow paths, and to subsequently isolate the system.
The isolation logic is such that resetting the main primary containment isolation signals will not result in the automatic reopening of these isolation valves.
The Primary Containment Isolation System includes the sensors, channels, switches, and remotely-activated valve-closing mechanisms associated with the valves, which, when closed, effect isolation of the primary containment or reactor vessel, or both. The control systems for those Group A and Group B isolation valves that close by automatic action pursuant to the safety design bases are the main subjects of this section. Group A and Group B check valves are also included, although no control system is involved.
7.3.4.2 Power Supply The power for the channels and logics of the isolation control system is supplied from the Reactor Protection System motor-generator sets, the unit preferred power system, or the plant batteries. Isolation valves receive power from standby power sources. Power for the operation of two valves in a pipeline is fed from different sources for Groups 1-6 valves. In most cases, one valve is powered from an AC bus of appropriate voltage, and the other valve is powered by DC from the unit or plant batteries. Both of the HCVS isolation valves receive DC power from separate RMOV boards which remain powered during an Extended Loss of AC Power (ELAP) event. Power is available via manual transfer for each isolation valve to a dedicated HCVS battery system which ensures operability during the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of an ELAP. The main steam isolation valves, which are described in paragraph 7.3.4.6, use AC, DC, and pneumatic pressure in the control scheme. Table 5.2-2 lists the types of power to open and close each isolation valve.
7.3.4.3 Physical Arrangement Table 5.2-2 lists the pipelines that penetrate the primary containment and the associated valves that are considered part of the containment isolation control system. Pipelines which penetrate the primary containment and are in direct communication with the nuclear system process barrier generally have two Group A isolation valves, one inside the primary containment and one outside the primary containment. Pipelines which penetrate the primary containment and which communicate with the primary containment free space, but which do not 7.3-6
BFN-27 communicate directly with the nuclear system process barrier, generally have two Group B isolation valves located outside the primary containment. Group A and Group B automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the nuclear system process barrier (see Figures 4.3-2a sheet 1, sheet 2, and sheet 3).
Power cables are run in conduits or trays from appropriate electrical sources to the motor or solenoid involved in the operation of each isolation valve. The control arrangement for the main steam isolation valves includes pneumatic piping and an accumulator for those valves for which air aids the spring in fast closing of the valves upon loss of Control Air supply. Pressure and water level sensors are mounted on instrument racks in either the Reactor Building or the Turbine Building. Valve position switches are mounted on the valve for which position is to be indicated.
Cables from each sensor are routed in conduits and cable trays to the Auxiliary Instrument Room. All signals transmitted to the Control and Auxiliary Instrument Rooms are electrical; no pipe from the nuclear system or the primary containment penetrates the Control or Auxiliary Instrument Room.
Pipes used to transmit level information from the reactor vessel to sensing instruments terminate inside the secondary containment (Reactor Building). The sensor cables and power supply cables are routed to cabinets in the Auxiliary Instrument Room, where the logic arrangements of the system are formed.
To ensure continued protection against the uncontrolled release of radioactive material during and after earthquake ground motions, the control systems required for the automatic closure of Group A and Group B valves are designed as Class I equipment, as described in Appendix C. This meets safety design basis 7h.
7.3.4.4 Logic The basic logic arrangement for essential trip functions is separated into two divisions (I and II), in which an automatic isolation valve is controlled by two trip systems. Where many isolation valves close on the same signal, two trip systems control the entire group. Where just one or two valves must close in response to a special signal, two trip systems may be formed from the instruments provided to sense the special condition. Valves that respond to the signals from common trip systems are identified in the detailed descriptions of isolation functions.
Each essential trip system receives input signals from at least one instrument channel for each essential, monitored variable. Thus, each essential, monitored variable provides independent inputs to the trip system. A total of four channels for each essential, monitored variable is provided for the logics of both trip systems except where redundancy considerations require a fewer number.
7.3-7
BFN-27 7.3.4.5 Operation For the case of normally energized logic, during operation of the plant when isolation is not required, sensor and trip contacts essential to safety are closed; channels and trip logics are energized. Whenever a channel sensor contact opens, its auxiliary relay de-energizes, causing contacts in the trip logic to open. The opening of a sufficient number of contacts in the trip logic de-energizes its actuator relay. When de-energized, the actuator relay opens a contact in an actuator logic. If a trip then occurs in either of the logic pairs of the other trip system, another actuator logic is de-energized. With both trip systems tripped, appropriate contacts open or close in valve control circuitry to actuate the valve closing mechanism. Automatic isolation valves that are normally closed, as well as those valves that are open, receive the isolation signal.
For the case of normally de-energized logic, such as used to control the HPCI and RCIC isolation valves, when isolation is not required, sensor and trip contacts are open and channels and trip logics are de-energized. Isolation signals are transmitted to the valves by the closure of contacts and the energizing of relays.
The control system for each Group A isolation valve is designed to provide closure of the valve in time to prevent uncovering the fuel as a result of a break in the pipeline which the valve isolates. The control systems for Group A and Group B isolation valves are designed to provide closure of the valves with sufficient rapidity to restrict the release of radioactive material to the environs below the reference values of 10 CFR 50.67.
All automatic Group A and Group B valves can be closed by manipulating switches in the control room, thus providing the operator with means independent of the automatic isolation functions to take action in the event of a failure of the nuclear system process barrier. This meets safety design basis 10.
For Groups 1-6 and 8, once isolation is initiated, the valve continues to close, even if the condition that caused isolation is restored to normal. The operator must manually operate switches in the control room to reopen a valve which has been automatically closed. Unless manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions which initiated isolation have cleared. This is the equivalent of a manual reset and meets safety design basis 7f.
A trip of an isolation trip system is annunciated in the control room so that the operator is immediately informed of the condition. The response of isolation valves is indicated by "open-closed" lights. All motor-operated Group A and Group B 7.3-8
BFN-27 isolation valves whose primary function is to isolate have two sets of "open-closed" lights. One set is located near the manual control switches for controlling each valve from the control room panel. A second set is located in a separate, central isolation-valve-position display in the control room. The positions of air-operated isolation valves are displayed in the same manner as motor-operated valves.
Inputs to annunciators, indicators, and the computer are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system. Signals directly from the isolation control system sensors are not used as inputs to annunciating or data-logging equipment. Isolation is provided between the primary signal and the information output. The arrangement of indications pertinent to the status and response of the Primary Containment Isolation System satisfies safety design bases 11a and 11b.
7.3.4.6 Isolation Valve Closing Devices and Circuits Table 5.2-2 itemizes the type of closing device provided for each isolation valve intended for use in automatic or remote-manual isolation of the primary containment or reactor vessel. To meet the requirement that automatic Group A valves be fully closed in time to prevent the reactor vessel water level from falling below the top of the active fuel as a result of a break of the pipeline which the valve isolates, the valve-closing mechanisms are designed to give the minimum closing rates specified in Table 5.2-2. In many cases, a standard closing rate of 12 inches per minute is adequate to meet isolation requirements. Using the standard rate, a 12 inch valve is closed in 60 seconds. Conversion to nominal closing time can be made by using the size of the line to be isolated. Because of the relatively long time required for fission products to reach the containment atmosphere following a break in the nuclear system process barrier inside the primary containment, a standard closure rate (12 inches/minute) is adequate for the automatic closing devices on class B isolation valves. Because no releases occur for the 2 minute period following a LOCA, required closure time of 2 minutes is allowable for the inboard MSIVs. The design closure times for the various automatic isolation valves essential to reactor vessel isolation are shown in Table 5.2-2.
Motor operators for Group A and Group B isolation valves are selected with capabilities suitable to the physical and environmental requirements of service. The required valve closing rates were considered in designing motor operators.
Appropriate torque and limit switches are used to ensure proper valve seating.
Handwheels, which are automatically disengaged from the motor operator when the motor is energized, are provided for local-manual operation.
7.3-9
BFN-27 Direct, solenoid-operated isolation valves and solenoid air-pilot valves are chosen with electrical and mechanical characteristics which make them suitable for the service for which they are intended.
The main steam isolation valves are spring-closing, pneumatic, piston-operated valves designed to close upon loss of pneumatic pressure to the valve operator.
Closure time for the valves is adjustable between 3 and 10 seconds. Each valve is piloted by two, three-way, packless, direct-acting, solenoid-operated pilot valves--one powered by AC, the other by DC. An accumulator is located close to each main steam isolation valve to provide pneumatic pressure to assist valve closing in the event of failure of the normal air supply system.
The valve pilot system and the pneumatic pipelines are arranged so that when one or both solenoid-operated pilot valve(s) are energized, normal air supply provides pneumatic pressure to the air-operated pilot valve to direct air pressure to the main valve pneumatic operator. This overcomes the closing force exerted by the spring to keep the main valve open. When both pilots are de-energized, as would be the result of both trip systems tripping or placing the manual switch in the closed position, the path through which air pressure acts is switched so that the opposite side of the valve operator is pressurized, thus assisting the spring in closing the valve. In the event of air supply failure, the loss of air pressure will cause the air-operated pilot valve to move by spring force to the position resulting in main valve closure. Main valve closure is then effected by means of the air stored in the accumulator and by the spring.
Air pressure, acting alone, and the force exerted by the spring, acting alone, are each capable of independently closing the valve if no pressure above atmospheric pressure is present. The main steam isolation valves inside the primary containment (inboard) are designed to close under both pneumatic pressure and spring force with the vented side of the piston operator at the containment pressure corresponding to 2 minutes following a LOCA. (The outboard valve is exactly the same design, although it will be subjected to steam tunnel pressures.) The accumulator volume was chosen to provide enough pressure to close the valve when the pneumatic supply to the accumulator has failed. The supply line to the accumulator is large enough to make up pressure to the accumulator at a rate faster than the valve operation bleeds pressure from the accumulator during valve opening or closing.
A separate, single, solenoid-operated pilot valve with an independent test switch is included to allow manual testing of each main steam isolation valve from the control room. The testing arrangement is designed to give a slow closure of the isolation valve being tested to avoid rapid changes in steam flow and nuclear system 7.3-10
BFN-27 pressure. The valve mechanical design is discussed further in Subsection 4.6, "Main Steam Isolation Valves."
7.3.4.7 Isolation Functions and Settings The isolation trip settings/analytical limits of the Primary Containment Isolation System are listed in Table 7.3-2. The functions that initiate automatic isolation are itemized in Table 5.2-2.
Although this subsection is concerned with the electrical control systems that initiate isolation to prevent direct release of radioactive material from the primary containment or nuclear system process barrier, the additional information given in Table 5.2-2 can be used to assess the overall (electrical and mechanical) isolation effectiveness of each system.
Isolation functions and trip settings/analytical limits used for the electrical control of isolation valves in fulfillment of the previously stated safety design bases are discussed in the following paragraphs.
- 1. Reactor vessel low water level (Table 5.2-2, signals A and B).
A low water level in the reactor vessel could indicate that either reactor coolant is being lost through a breach in the nuclear system process barrier or that the normal supply of reactor feedwater has been lost and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.
Reactor vessel low water level initiates closure of various Group A and Group B valves. The closure of Group A valves is intended to either isolate a breach in any of the pipelines in which valves are closed or conserve reactor coolant by closing off process lines. The closure of Group B valves is intended to prevent the escape of radioactive materials from the primary containment through process lines which are in communication with the primary containment free space or pressure suppression pool.
There are two reactor vessel low-water-level isolation trip settings used for the isolation of the primary containment and the reactor vessel. The first reactor vessel low-water-level isolation trip setting, which occurs at a higher water level than the second setting, initiates closure of certain Group A and Group B valves in major process pipelines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core.
The second and lower reactor vessel low-water-level isolation trip setting completes the isolation of the primary containment and reactor vessel by initiating closure of the main steam isolation valves and any other Group A or Group B valves that require isolation.
7.3-11
BFN-27 The first low-water-level setting, which is coincidentally the same as the reactor vessel low-water-level scram setting, was selected to initiate isolation at the earliest indication of a possible breach in the nuclear system process barrier, yet far enough below normal operational levels to avoid spurious isolation. Isolation of the following pipelines is initiated when reactor vessel low water level falls to this first setting (Table 5.2-2, signal A):
RHR reactor shutdown cooling supply, Reactor water cleanup, Drywell equipment drain discharge, Drywell floor drain discharge, Drywell purge inlet, Drywell main exhaust, Pressure Suppression chamber exhaust valve bypass, Pressure Suppression chamber purge inlet, Pressure Suppression chamber main exhaust, Drywell exhaust valve bypass, Pressure Suppression chamber drain, RHR-LPCI to reactor (in shutdown mode),
Drywell makeup, Pressure Suppression chamber makeup, Exhaust to standby gas treatment, Drywell radiation monitor, Containment atmosphere monitor, Drywell differential air compressor, and Traversing incore probes.
The second and lower of the reactor vessel low-water-level isolation settings was selected low enough to allow the removal of heat from the reactor for a predetermined time following the scram, and high enough to complete isolation in time for the operation of Core Standby Cooling Systems in the event of a large break in the nuclear system process barrier. This low-low-low water level setting is low enough that partial losses of feedwater supply would not unnecessarily initiate full isolation of the reactor, thereby disrupting normal plant shutdown or recovery procedures. Isolation of the following pipelines is initiated when the reactor vessel water level falls to this second setting (Table 5.2-2, signal B):
All four main steam lines, Main steam line drain, Reactor water sample line.
7.3-12
BFN-28
- 2. Main steam line high radiation (not a required safety related signal).
High radiation in the vicinity of the main steam lines could indicate a gross release of fission products from the fuel. High radiation near the main steam lines initiates isolation of the mechanical condenser vacuum pumps.
The high-radiation trip setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel. Further information regarding the high radiation setpoint is available in Subsection 7.12, "Process Radiation Monitoring."
- 3. Main steam line space high temperature (Table 5.2-2, signal D).
High temperature in the space in which the main steam lines are located outside the primary containment could indicate a breach in a main steam line.
The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperatures occur in the main steam line space, the following pipelines are isolated:
All four main steam lines and Main steam line drains.
The main-steam-line-space, high-temperature trip is set far enough above the temperature expected during operations at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.
- 4. Main steam line high flow (Table 5.2-2, signal D).
Main steam line high flow could indicate a break in a main steam line. The automatic closure of various Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of main steam line high flow, the following pipelines are isolated:
All four main steam lines and Main steam line drain.
The main-steam-line high-flow trip setting was selected high enough to permit the isolation of one main steam line for testing without causing an automatic isolation of the rest of the steam lines, yet low enough to permit early detection of a steam line break.
7.3-13
BFN-27
- 5. Low steam pressure at turbine inlet (Table 5.2-2, signal P).
Low steam pressure at the turbine inlet, while the reactor is operating, could indicate a malfunction of the nuclear system pressure regulator, in which the turbine control valves or turbine bypass valves open fully. This action could cause rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the design rate of change of vessel temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid the time-consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored and, upon falling below a preselected value with the reactor in the RUN mode (MODE 1), initiates isolation of the following pipelines:
All four main steam lines and Main steam line drain.
The low-steam-pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure regulator malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, this discussion is included here to make the listing of isolation functions complete.
- 6. Primary containment (drywell) high pressure (Table 5.2-2, signal F).
High pressure in the drywell could indicate a breach of the nuclear system process barrier inside the drywell. The automatic closure of various Group B valves prevents the release of significant amounts of radioactive material from the primary containment. Upon detection of a high drywell pressure, the following pipelines are isolated:
RHRS shutdown cooling supply, Drywell equipment drain discharge, Drywell floor drain discharge, Traversing incore probe tubes, Drywell purge inlet, Drywell main exhaust, 7.3-14
BFN-27 Pressure Suppression chamber exhaust valve bypass, Pressure Suppression chamber purge inlet, Pressure Suppression chamber main exhaust, Drywell exhaust valve bypass, Pressure Suppression chamber drain, RHR-LPCI to reactor (in shutdown mode),
Drywell makeup, Pressure Suppression chamber makeup, Exhaust to standby gas treatment, Drywell radiation monitor, Containment atmosphere monitor, and Drywell differential air compressor.
The primary containment high-pressure-isolation setting was selected to be as low as possible without inducing spurious isolation trips.
- 7. RCIC equipment space high temperature (Table 5.2-2, signal K).
High temperature in the vicinity of the RCIC equipment could indicate a break in the RCIC steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.
When high temperature occurs near the RCIC equipment, the RCIC turbine steam line is isolated. The high temperature isolation setting was selected far enough above anticipated normal RCIC system operational levels to avoid spurious operation, but low enough to provide timely detection of an RCIC turbine steam line break.
- 8. RCIC turbine high steam flow (Table 5.2-2, signal K).
RCIC turbine high steam flow could indicate a break in the RCIC turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of RCIC turbine high steam flow, the RCIC turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation, but low enough to provide timely detection of an RCIC turbine steam line break.
- 9. RCIC turbine steam line low pressure (Table 5.2-2, signal K).
RCIC turbine steam line low pressure is used to automatically close two isolation valves in the RCIC turbine steam line, so that steam and radioactive 7.3-15
BFN-27 gases will not escape from the RCIC turbine shaft seals into the Reactor Building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that at which the RCIC turbine can operate effectively.
- 10. HPCI equipment space high temperature (Table 5.2-2, signal L).
High temperature in the vicinity of the HPCI equipment could indicate a break in the HPCI turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. When high temperature occurs near the HPCI equipment, the HPCI turbine steam supply line is isolated. The high temperature isolation setting was selected far enough above anticipated normal HPCI system operational levels to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break.
- 11. HPCI turbine high steam flow (Table 5.2-2, signal L).
HPCI turbine high steam flow could indicate a break in the HPCI turbine steam line. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive materials from the nuclear system process barrier. Upon detection of HPCI turbine high steam flow, the HPCI turbine steam line is isolated. The high steam flow trip setting was selected high enough to avoid spurious isolation, but low enough to provide timely detection of an HPCI turbine steam line break.
- 12. HPCI turbine steam line low pressure (Table 5.2-2, signal L).
HPCI turbine steam line low pressure is used to automatically close the two isolation valves in the HPCI turbine steam line, so that steam and radioactive gases will not escape from the HPCI turbine shaft seals into the Reactor Building after steam pressure has decreased to such a low value that the turbine cannot be operated. The isolation setpoint is chosen at a pressure below that where the HPCI turbine can operate efficiently.
- 13. Reactor Building ventilation exhaust high radiation, reactor zone or refuel zone (Table 5.2-2, signal Z).
High radiation in the Reactor Building ventilation exhaust could indicate a breach of the nuclear system process barrier inside the primary containment, 7.3-16
BFN-27 which would result in increased airborne radioactivity levels in the primary containment exhaust to the secondary containment.
The automatic closure of certain Group B valves acts to close off release routes for radioactive material from the primary containment into the secondary containment (Reactor Building). Reactor building ventilation exhaust high radiation initiates isolation of the following pipelines:
Drywell purge inlet, Drywell main exhaust, Pressure Suppression chamber exhaust valve bypass, Pressure Suppression chamber purge inlet, Pressure Suppression chamber main exhaust, Drywell exhaust valve bypass, Drywell makeup, Pressure Suppression chamber makeup, Exhaust to standby gas treatment, Drywell radiation monitor, Containment atmosphere monitor, and Drywell differential air compressor.
The high radiation trip setting selected is far enough above background radiation levels to avoid spurious isolation, but low enough to provide timely detection of nuclear system process barrier leaks inside the primary containment. Because the primary containment high-pressure-isolation function and the reactor vessel low-water-level-isolation function are adequate in effecting appropriate isolation of the above pipelines for gross breaks, the Reactor Building ventilation exhaust high radiation isolation function is provided as a third, redundant method of detecting breaks in the nuclear system process barrier significant enough to require automatic isolation.
- 14. Reactor Water Cleanup system high temperature (Table 5.2-2 signal J).
High temperature in the reactor water cleanup system spaces, could indicate a break in the cleanup system. The automatic closure of certain Group A valves prevents the excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier.
When high temperature occurs, the reactor water cleanup system is isolated.
The high temperature isolation setting was selected far enough above the anticipated normal area temperature to avoid spurious operation, but low enough to provide timely detection of a cleanup system line break. The following pipelines are isolated:
7.3-17
BFN-27 Reactor water cleanup from reactor.
- 15. HPCI or RCIC turbine exhaust (Diaphragm) rupture disc high pressure (Table 5.2-2, HPCI-Signal E, RCIC-Signal G).
HPCI turbine exhaust high pressure between the rupture discs is used to automatically close the isolation valves in the HPCI turbine steam supply line so that high turbine exhaust pressure can be limited, thus providing equipment protection by reducing stresses on the turbine casing. The high pressure trip setting was chosen to indicate breach of the rupture disc.
The pressure switch location is shown on Figures 7.4-1b Sheets 1, 2, and 3.
An identical design is provided for the RCIC turbine exhaust rupture disc isolation function.
7.3.4.8 Instrumentation Sensors providing inputs to the Primary Containment Isolation System are not used for the automatic control of process systems, thus separating the functional control of protection systems and process systems. Channels are physically and electrically separated in such a way as to assure that a single physical event cannot prevent isolation. Channels for one monitored variable that are grouped near to each other provide inputs to different isolation trip systems. Table 7.3-2 lists instrument characteristics.
- 1. Reactor vessel low-water-level signals are initiated from eight differential pressure transmitters, which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel. Four of the transmitters are used to indicate that water level has decreased to the first and higher low-water-level isolation setting; the other four are used to indicate that water level has decreased to the low-low-low water-level isolation settings.
The four transmitters for each level setting are arranged in pairs; each transmitter in a pair provides a signal to a different trip system. Two pipelines, attached to taps above and below the water level on the reactor vessel, are required for the differential pressure measurement for each pair of transmitters. The two pairs of pipelines terminate outside the primary containment and inside the secondary containment. They are physically separated from each other and tap off the reactor vessel at widely separated points. The reactor vessel low-water-level transmitters sense level from these pipes. This arrangement assures that no single physical event can prevent 7.3-18
BFN-27 isolation, if required. Cables from the level sensors are routed to the Auxiliary Instrument Room.
- 2. Main steam line radiation is monitored by two radiation monitors, which are described in Subsection 7.12, "Process Radiation Monitoring."
Gamma-sensitive radiation monitors are installed in the vicinity of the main steam lines just outside the primary containment. These monitors can detect a gross release of fission products from the fuel by measuring the gamma radiation coming from the steam lines. A high radiation trip signal results in an isolation and trip of the Mechanical Vacuum Pump only. These Units 1, 2, and 3 radiation monitors are not required to provide a safety related signal to any of the systems described above.
- 3. High temperature in the vicinity of the main steam lines is detected by 16 different temperature switches located along the main steam lines between the drywell wall and the turbine. Four of the switches (TS-1-17A-D) use temperature elements that are located in the valve vault just outside of primary containment to send a signal to an electronic switch located in the Aux instrument room. The detectors are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment. An additional temperature sensor is located near each set of four detectors for remote temperature readout and alarm. The temperature sensors activate an alarm at high temperature. Upon loss of power, an alarm condition is present to alert the operator that the instrumentation is inoperable. The main steam line space temperature detection system is designed to detect leaks of from 1 percent to 10 percent of rated steam flow. A total of four main steam line space high temperature channels is provided. Each main steam line isolation logic receives an input signal from one main steam line space high temperature channel.
- 4. High flow in each main steam line is sensed by four differential pressure transmitters, which sense the pressure difference across the flow restrictor in that line. Each main steam line isolation logic receives an input signal from one main steam line high flow channel. A trip occurs whenever the steam flow in any main steam line exceeds a preset amount.
- 5. Main steam line low pressure is sensed by four pressure transmitters, which sense pressure downstream of the outboard main steam isolation valves. One sensing point is located in each line after the header that connects the four steam lines upstream to the turbine stop valves. Each transmitter is part of an independent channel. Each channel provides a signal to one isolation trip system.
7.3-19
BFN-27
- 6. Primary containment pressure is monitored by four pressure transmitters, which are mounted on instrument racks outside the drywell. Pipes that terminate in the secondary containment connect the transmitters with the drywell interior. Cables are routed from the transmitter to the Auxiliary Instruments Room. The transmitters are grouped in pairs, physically separated, and electrically connected to the isolation control system so that no single event will prevent isolation due to primary containment high pressure.
- 7. High temperature in the vicinity of the RCIC equipment is sensed by four sets of four bimetallic temperature switches. The 16 temperature switches are arranged in four trip systems, with four temperature switches in each trip system. The four temperature switches in each trip system are arranged in one-out-of-two-taken-twice logic.
- 8. High flow in the RCIC turbine steam line is sensed by two differential pressure switches for Unit 1 and two differential pressure transmitters/trip units for Units 2 and 3 which monitor the differential pressure across an elbow installed in the RCIC turbine steam supply pipeline. The tripping of either trip channel initiates isolation of the RCIC turbine steam line. This is an exception to the usual channel arrangement. The reason for the exception was given in the discussion of the RCIC turbine high steam flow isolation function.
- 9. Low pressure in the RCIC turbine steam line is sensed by four pressure switches from the RCIC turbine steam line upstream of the isolation valves.
The switches are arranged in one-out-of-two-taken-twice logic, which must trip to initiate shutdown of the RCIC turbine.
- 10. High temperature in the vicinity of the HPCI equipment is sensed by four sets of four bimetallic temperature switches. The 16 temperature switches are arranged in two trip systems with eight temperature switches in each trip system. Each trip system consists of two channels. Each channel contains one temperature switch located in the pump room and three temperature switches located in the torus area.
- 11. High flow in the HPCI turbine steam line is sensed by two differential pressure transmitters/trip units which monitor the differential pressure across a mechanical flow element installed in the HPCI turbine steam pipeline. The tripping of either trip channel initiates isolation of the HPCI turbine steam line.
This is an exception to the usual sensor arrangement. The reason for the exception was given in the discussion of the HPCI turbine high steam flow isolation function.
7.3-20
BFN-27
- 12. Low pressure in the HPCI turbine steam line is sensed by four pressure switches from the HPCI turbine steam line upstream of the isolation valves.
The switches are arranged in a one-out-of-two-taken-twice logic which must trip to initiate shutdown of the HPCI turbine.
- 13. Reactor Building ventilation exhaust radiation is monitored by two sets of Reactor Building ventilation exhaust monitors, which are described in paragraph 7.12.5, "Reactor Building Ventilation Exhaust Radiation Monitoring System." The Reactor Building ventilation exhaust radiation signal is generated by two trip channels arranged such that it requires one channel at high trip, or both channels at downscale (instrument failure) trip, to cause isolation.
- 14. High temperature in the spaces occupied by the Reactor Water Cleanup (RWCU) System piping outside primary containment is sensed by resistive temperature device which input to analog trip devices that indicate possible pipe breaks. Logic relays are arranged in a one-out-two-taken-twice logic which must trip to initiate isolation of the RWCU System.
High temperature in the spaces occupied by the RHRS (shutdown cooling) piping, outside primary containment is sensed by temperature switches that indicate possible pipe breaks. The switches alarm only. Automatic isolation on high temperature is not required, since the reactor vessel low-water-level isolation function is adequate in preventing the release of significant amounts of radioactive material in the event of a pipe failure.
- 15. High pressure between the HPCI turbine exhaust (diaphragm) rupture discs is monitored by four nonindicating pressure switches which are mounted on instrument racks. The switches are arranged in a one-out-of-two-taken-twice logic, which must trip to initiate closure of the inboard HPCI turbine steam supply valve.
An identical design is provided for the RCIC turbine exhaust rupture disc isolation function.
7.3.4.9 Environmental Capabilities The physical and electrical arrangement of the Primary Containment Isolation System are selected so that no single physical event will prevent achievement of isolation functions. The location of Group A and Group B valves inside and outside the primary containment provides assurance that the control system for at least one valve on any pipeline penetrating the primary containment will remain capable of isolation. Electrical cables for isolation valves in the same pipeline are routed 7.3-21
BFN-27 separately. All equipment required to operate a design basis event meets the environmental qualification requirements of Section 1.5. Special consideration has been given to isolation requirements during a loss-of-coolant accident inside the drywell. Components of the Primary Containment Isolation System that are located inside the primary containment and that must operate during a loss-of-coolant accident are the cables, control mechanisms, and valve operators of isolation valves inside the drywell. These isolation components are required to be functional in a loss-of-coolant accident environment.
7.3.5 Safety Evaluation The Primary Containment Isolation System, in conjunction with other protection systems, is designed to provide timely protection against the onset and consequences of accidents involving the gross release of radioactive materials from the fuel and nuclear system process barriers. It is the objective of Section 14.0, "Plant Safety Analysis," to identify and evaluate postulated events resulting in gross failure of the fuel barrier and the nuclear system process barrier. The consequences of such gross failures are described and evaluated in that section.
Design procedure has been to select tentative isolation trip settings that are far enough above or below normal operating levels that spurious isolation and operating inconvenience are avoided. It is then verified by analysis that the release of radioactive material following postulated gross failures of the fuel and nuclear system process barrier is kept within acceptable bounds. Trip setting selection is based on calculated values and constrained by the safety design basis and the safety analyses.
Chapter 14.0 shows that the actions initiated by the Primary Containment Isolation System, in conjunction with other safety systems, are sufficient to prevent releases of radioactive material from exceeding the guide values of published regulations.
Because the actions of the system are effective in restricting the uncontrolled release of radioactive materials under accident situations, the Primary Containment Isolation System meets the precision and timeliness requirements of safety design basis 1.
Because the Primary Containment Isolation System meets the precision and timeliness requirements of safety design basis 1 using instruments with the characteristics described in Table 7.3-2, it is concluded that safety design basis 2 is met.
Temperatures in the spaces occupied by various steam lines outside the primary containment are the only essential variables of significant spatial dependence that provide inputs to the Primary Containment Isolation System. The large number of 7.3-22
BFN-27 temperature sensors and their dispersed arrangement near the steam lines requiring this type of break protection provide assurance that a significant break will be detected rapidly and accurately. One of the four groups of temperature switches is located in the ventilation exhaust from the steam line space between the drywell wall and the secondary containment wall. This assures that abnormal air temperature increases are detected regardless of leak location in that space. It is concluded that the number of sensors provided for steam line break detection satisfied safety design basis 3.
The spatial locations of the sensors were selected to provide the optimum coverage relative to detection of leaks in the Engineered Safety Features Systems to initiate isolation when required. No special attempt was made to prevent spurious isolation, since isolation is acceptable on the frequency at which the spurious event is expected to occur.
Sources of steam leakage are discussed in Section 5.0.
Steam leaks into the steam tunnel from main steam line, feedwater line, or RCIC steam line breaks will cause the main steam isolation valves to close if the temperature at the temperature switches reach their setpoints.
Steam leaks into the building from the RCIC system, the HPCI system, and the Reactor Water Cleanup System could possibly affect the temperature sensors for other systems. However, the large surface area available for steam condensation and the circuitous path the steam must follow make it a highly unlikely event.
Inadvertent isolation of the Reactor Water Cleanup System is an operational inconvenience, but does not compromise the safety of the public. Any one of the systems can be reset and reactivated whenever the cause for isolation has been determined and then removed. Since there is a time delay involved whenever one system affects another system, the operator should be able to identify the faulted system. This would permit him to restore the nondamaged system or systems. If the operator makes a mistake and reactivates the faulted system, that system will be automatically isolated again.
Because the Primary Containment Isolation System meets the timeliness and precision requirements of safety design basis 1 by monitoring variables that are true, direct measures of operational conditions, it is concluded that safety design basis 4 is satisfied.
Chapter 14.0 evaluates a gross breach in a main steam line outside the primary containment during operation at rated power. The evaluation shows that the main steam lines are automatically isolated in time to prevent a release of radioactive material in excess of the guide values of published regulations and to prevent the 7.3-23
BFN-27 loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed. The time required for automatic closure of the main steam isolation valves meets the requirements of safety design basis 5.
The shortest closure time of which the main steam valves are capable is three seconds. The transient resulting from a simultaneous closure of all main steam isolation valves in three seconds during reactor operation at rated power is considerably less severe than the transient resulting from inadvertent closure of the turbine stop valves (which occurs in a small fraction of one second) coincident with failure of the turbine bypass system. The Reactor Protection System is capable of accommodating the transient resulting from the inadvertent closure of the main steam isolation valves. This conclusion is substantiated by Chapter 14.0. This meets safety design basis 6.
The items of safety design bases 7, 8, and 9 must be fulfilled for the Primary Containment Isolation System to meet the design reliability requirements of safety design basis 1. It has already been shown that safety design bases 7f and 7h have been met. The remainder of the reliability requirement is met by a combination of logic arrangement, sensor redundancy, wiring scheme, physical isolation, power supply arrangement, and environmental capabilities. These subjects are discussed in the following paragraphs.
Because essential variables are monitored and arranged for physical and electrical independence, and because a dual trip system arrangement is used to initiate closure of essential automatic isolation valves, no single failure, maintenance operation, calibration operation, or test can prevent the system from achieving isolation. An analysis of the isolation control system shows that the system does not fail to respond to essential variables as a result of single electrical failures such as short circuits, ground, and open circuits. Loss of a single trip system trip is the result of these failures. Isolation is initiated upon a trip of the remaining trip system. For some of the exceptions to the usual logic arrangement, a single failure could result in inadvertent isolation of a pipeline. With respect to the release of radioactive material from the nuclear system process barrier, such inadvertent valve closures are in the safe direction and do not pose any safety problems. This meets safety design bases 7a and 7b.
The redundancy of channels provided for all essential variables provides a high probability that, whenever an essential variable exceeds the isolation setting, the system initiates isolation. In the unlikely event that all channels for one essential variable in one trip system fail in such a way that a system trip does not occur, the system could still respond properly as other monitored variables exceed their isolation settings. This meets safety design basis 7c.
7.3-24
BFN-27 The sensors, circuitry, and logics used in the Primary Containment Isolation System are not used in the control of any process system. Thus, malfunction and failures in the controls of process systems have no direct effect on the isolation control system.
This meets safety design basis 7d.
The various power supplies used for the isolation system logic circuitry and for valve operation provide assurance that the required isolation can be effected in spite of a single power failure. If AC for valves inside the primary containment is lost, DC is available for operation of valves outside the primary containment. The main steam isolation valve control arrangement is resistant to both AC and DC power failures.
Because both solenoid-operated pilot valves must be de-energized, loss of a single power supply will neither cause inadvertent isolation nor prevent isolation, if required. The logic circuitry for each channel is powered from the separate sources available from the Reactor Protection System buses, the unit preferred AC power supply, or the unit or plant batteries. In no case does a loss of a single power supply prevent achievement of an essential isolation function. This meets safety design basis 7e.
All instruments, valve closing mechanisms, and cables of the isolation control system can operate under the most unfavorable environmental conditions associated with normal operation. The discussion of the effects of rapid nuclear system depressurization on level measurement given in Subsection 7.2, "Reactor Protection System," is equally applicable to the reactor vessel low water level transmitters used in the Primary Containment Isolation System. The temperature, pressure, differential pressure, and level transmitters, cables, and valve closing mechanisms used were selected with ratings that make them suitable for use in the environment in which they must operate.
The special considerations (treated in the description portion of this subsection) made for the environmental conditions resulting from a loss-of-coolant accident inside the drywell are adequate to ensure operability of essential isolation components located inside the drywell.
The wall of the primary containment effectively separates adverse environmental conditions which might otherwise affect both isolation valves in a pipeline. The location of isolation valves on either side of the wall decouples the effects of environmental factors with respect to the ability to isolate any given pipeline. The previously discussed electrical isolation of control circuitry prevents failures in one part of the control system from propagating to another part. Electrical transients have no significant effect on the functioning of the essential isolation control system.
It is concluded that safety design basis 7g is satisfied.
7.3-25
BFN-27 The design of the main steam isolation valves meets the requirement of safety design basis 8a in that the motive force for closing each main steam isolation valve is derived from both a source of pneumatic pressure and the energy stored in a spring. Either energy source, alone, is capable of closing the valve. None of the valves relies on continuity of any sort of electrical power to achieve closure in response to essential safety signals. Total loss of the power used to control the valves would result in closure. This meets safety design basis 8b.
Easy access is provided for calibration and testing of pressure and level transmitters which are located in the Turbine Building, Reactor Building, and Auxiliary Instrument Room. Administrative control restricts access to the setting controls on each device.
A cover plate, access plug, or sealing device must be removed by personnel before any adjustment in trip settings can be effected. The location of calibration and test controls in areas under administrative control reduces the probability that operational reliability will be degraded by operator error. This meets safety design basis 9a.
Because the means for bypassing channels, logic, or system components are under administrative control, safety design basis 9b is met.
Because safety design bases 7, 8, and 9 have been met, it can be concluded that the Primary Containment Isolation System satisfies the reliability requirement of safety design basis 1. That the system satisfied safety design bases 10, 11a and 11b was shown in the description of the system. Paragraph 7.3.6 describes inspection and testing of the system and demonstrates that safety design basis 12 is satisfied.
Basis and Analysis for Isolation Valves Closure Times and Actions Setpoints Closure times for containment isolation valves in primary system lines are established to ensure that the valves are closed prior to the start of uncovering of the fuel caused by blowdown from the line. By ensuring that the fuel remains covered, fuel damage resulting from the blowdown is prevented, thereby limiting the uncontrolled release of radioactive materials to the environs. The radiological analysis for a typical blowdown outside the containment, with valve closure time in accordance with the above criteria, is presented in Chapter 14.
- a. The differential pressure trip setting for high flow through the redundant flow meters in the RCIC is less than or equal to 300 percent of rated steam flow at 1140 psia (pre-uprated), 1189 psia (uprated). This trip point was selected to provide sufficient margin to prevent isolation during normal startup transient differential pressure measurements associated with the particular flow meters utilized (elbow taps). At lower steam pressures, the trip setting in percent of rated flow is conservatively lower. A time delay relay in the trip circuit prevents isolation during normal startup.
7.3-26
BFN-27 The differential pressure trip setting for high flow through the HPCI flow meter is less than or equal to 225 percent of rated steam flow at 1140 psia (pre-uprated), 1189 psia (uprated). This trip point was selected to provide sufficient margin to prevent isolation during normal startup transient differential pressure measurements associated with the particular flow meter utilized (venturi). At lower steam pressures, the trip setting in percent of rated flow is conservatively lower. A time delay relay in the trip circuit prevents isolation during normal startup.
- b. The space temperature trip settings for main steam, RCIC and HPCI are determined by calculation. Analytical limits are established and the temperature trip set point set based on a calculated T which would result from a steam leak in the space.
The main steam, RCIC and HPCI systems are each monitored by 16 temperature sensors. These sensors are arranged in four trip logics with four sensors in each logic, as discussed in paragraph 7.3.4.8 of the FSAR. The 16 sensors for each system are physically arranged in four groups with four sensors in each group. One sensor in each group is in each of the four trip logics. The arrangement is as follows:
The main steam system temperature monitors are located as follows:
- 1. Four sensors spaced around the steam tunnel in the valve vault between the containment shield wall and the Reactor Building wall,
- 2. Four sensors equally spaced across the width of the steam tunnel above the steam lines in the Turbine Building midway between the Turbine Building wall and the vertical run of the steam lines,
- 3. Four sensors equally spaced across the width of the steam tunnel in the Turbine Building in the area of the vertical run of the steam lines, and
- 4. Four sensors located in the steam tunnel in the Turbine Building in the area above the turbine control valves, stop valves, and bypass valves.
The RCIC system temperature monitors for each unit are located as follows:
BFN-27
- 2. Four sensors in the torus area above the RCIC steam line near the exit of the steam line from the torus area into the corner room,
- 3. Four sensors in the torus area above the RCIC steam line midway between the exit of the steam line from the torus area into the corner room and the entrance of the steam line into the torus area from the steam line tunnel, and
- 4. Four sensors in the torus area above the RCIC steam line near the entrance of the steam line into the torus area from the steam line tunnel.
The HPCI system temperature monitors for Unit 1 are located as follows:
- 2. Four sensors in the HPCI equipment room located in the vicinity of the ventilation exhaust grill,
- 3. Four sensors in the torus area above the HPCI steam line near the exit of the steam line from the torus area into the HPCI equipment room, and
- 4. Four sensors in the torus area above the HPCI steam line near the outboard containment isolation valve.
The HPCI system temperature monitors for Units 2 and 3 are located as follows:
- 2. Four sensors in the torus area above the HPCI steam line near the exit of the steam line from the torus area into the HPCI equipment room,
- 3. Four sensors in the torus area above the HPCI steam line midway between the exit of the steam line from the torus area into the HPCI equipment room and the containment penetration, and
- 4. Four sensors in the torus area above the HPCI steam line near the outboard containment isolation valve.
- c. The temperature detectors for isolation of the Reactor Water Cleanup System were located in those areas that an RWCU high energy line break (HELB) was 7.3-28
BFN-27 postulated (ie; RWCU pump rooms, RWCU heat exchanger room, RWCU pipe trench and main steam valve vault). The temperatures detectors are set at a value above the maximum abnormal room temperatures to avoid spurious actuations due to ambient conditions and below the analytical limits to ensure timely detection of a pipe break. The analytical limit is a value established by the Reactor Building Environmental Analysis for a postulated HELB in the RWCU system to meet the requirements of 10 CFR 50.49. The temperature detector setpoint was selected to provide sufficient margin between the setpoint and the analytical limit to account for all inaccuracies inherent in the instrument loop.
The acceptable range of trip values for the reactor water cleanup (RWCU)
System pipe trench temperatures is from 130 to 150 F. This range of values was selected to exceed the ambient temperature sufficiently to avoid spurious operation, but low enough to provide timely detection of an RWCU line break at all reactor power conditions.
The temperature trip for the RHR system space gives an alarm based on leakage from the RHR system of less than 15 gpm.
7.3.6 Inspection and Testing Isolation valves can be tested to assure that they are capable of closing by operating manual switches in the control room and observing the position lights and any associated process effects. The essential channel and trip system responses can be functionally tested by applying test signals to each channel and observing the trip system response. Testing of the main steam isolation valves is discussed in Subsection 4.6, "Main Steam Isolation Valves." Reset of the main primary containment Isolation signals does not result in the automatic reopening of these isolation valves.
7.3-29