ML21307A216
ML21307A216 | |
Person / Time | |
---|---|
Site: | Perry |
Issue date: | 10/28/2021 |
From: | Energy Harbor Nuclear Corp |
To: | Office of Nuclear Reactor Regulation |
Shared Package | |
ML21307A174 | List:
|
References | |
L-21-018 | |
Download: ML21307A216 (353) | |
Text
TABLE OF CONTENTS Section Title Page 7.0 INSTRUMENTATION AND CONTROLS SYSTEMS 7.1-1
7.1 INTRODUCTION
7.1-1 7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS 7.1-1 7.1.2 IDENTIFICATION OF SAFETY CRITERIA 7.1-7 7.1.2.1 Regulatory Requirements 7.1-7 7.1.2.2 Regulation Conformance - 10 CFR 50, Appendix A 7.1-8 7.1.2.3 Conformance to IEEE Standards 7.1-11 7.1.2.4 Conformance to Regulatory Guides 7.1-13 7.1.3 PLANT PROTECTION SYSTEM-ELECTRONIC TRIP SYSTEM 7.1-17 7.1.3.1 General Description 7.1-18 7.2 REACTOR TRIP SYSTEM - REACTOR PROTECTION SYSTEM (RPS) 7.2-1 7.
2.1 DESCRIPTION
7.2-1 7.2.1.1 System Description 7.2-1 7.2.1.2 Design Basis Information 7.2-15 7.2.1.3 Final System Drawings 7.2-21 7.2.2 ANALYSIS 7.2-22 7.2.2.1 Conformance to 10 CFR 50, Appendix A - General Design Criteria 7.2-22 7.2.2.2 Conformance to IEEE Standards 7.2-24 7.2.2.3 Conformance to NRC Regulatory Guides 7.2-33 7.3 ENGINEERED SAFETY FEATURE SYSTEMS 7.3-1 7.
3.1 DESCRIPTION
7.3-1 7.3.1.1 System Description 7.3-3 7.3.1.2 Design Basis 7.3-60 7.3.1.3 Final System Drawings 7.3-68 7.3.2 ANALYSIS 7.3-68 7.3.2.1 ESF Systems - Instrumentation and Controls 7.3-68 Revision 12 7-i January, 2003
TABLE OF CONTENTS (Continued)
Section Title Page 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4-1 7.
4.1 DESCRIPTION
7.4-1 7.4.1.1 Reactor Core Isolation Cooling (RCIC) System 7.4-1 7.4.1.2 Standby Liquid Control System (SLCS) 7.4-6 7.4.1.3 RHRS/Reactor Shutdown Cooling Mode (RSCM) 7.4-8 7.4.1.4 Remote Shutdown System (RSS) 7.4-9 7.4.1.5 Design Basis 7.4-23 7.4.1.6 Final System Drawings 7.4-27 7.4.2 ANALYSIS 7.4-27 7.4.2.1 Conformance to 10 CFR 50, Appendix A - General Design Criteria 7.4-27 7.4.2.2 Conformance to IEEE Standards 7.4-28 7.4.2.3 NRC Regulatory Guide Conformance 7.4-35 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5-1 7.
5.1 DESCRIPTION
7.5-1 7.5.1.1 General 7.5-1 7.5.1.2 Normal Operation 7.5-1 7.5.1.3 Abnormal Transient Occurrences 7.5-2 7.5.1.4 Accident Conditions 7.5-2 7.5.2 ANALYSIS 7.5-11 7.5.2.1 General 7.5-11 7.5.2.2 Normal Operation 7.5-12 7.5.2.3 Abnormal Transient Occurrences 7.5-12 7.5.2.4 Accident Conditions 7.5-12 7.5.2.5 System Drawings 7.5-16 7.5.2.6 Isolation Devices 7.5-16 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY 7.6-1 7.
6.1 DESCRIPTION
7.6-1 7.6.1.1 Process Radiation Monitoring System -
Instrumentation and Controls 7.6-2 7.6.1.2 High Pressure/Low Pressure Interlocks 7.6-2 7.6.1.3 Leak Detection System - Instrumentation and Controls 7.6-3 Revision 12 7-ii January, 2003
TABLE OF CONTENTS (Continued)
Section Title Page 7.6.1.4 Neutron Monitoring System (NMS) -
Instrumentation and Controls 7.6-10 7.6.1.5 Rod Pattern Control System (RPCS) -
Instrumentation and Controls 7.6-17 7.6.1.6 Recirculation Pump Trip (RPT) System -
Instrumentation and Controls 7.6-26 7.6.1.7 Fuel Pool Cooling System (FPC) -
Instrumentation and Controls 7.6-27 7.6.1.8 Containment Atmosphere Monitoring System -
Instrumentation and Controls 7.6-30 7.6.1.9 Hydrogen Control System 7.6-32 7.6.1.10 Offgas Building Exhaust System 7.6-33 7.6.1.11 Safety Relief Valves (SRV) - Relief Function 7.6-35 7.6.1.12 Anticipated Transient Without Scram - (ATWS)
Instrumentation & Controls 7.6-38 7.6.1.13 Design Basis 7.6-41 7.6.1.14 Final System Drawings 7.6-48 7.6.2 ANALYSIS 7.6-48 7.6.2.1 Safety-Related Systems - Instrumentation and Controls 7.6-48 7.6.2.2 Conformance to 10 CFR 50, Appendix A -
General Design Criteria (GDC) 7.6-48 7.6.2.3 Conformance to IEEE Standards 7.6-50 7.6.2.4 Conformance to NRC Regulatory Guides 7.6-56 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY 7.7-1 7.
7.1 DESCRIPTION
7.7-1 7.7.1.1 Reactor Vessel Head Seal Leak Detection 7.7-2 7.7.1.2 Rod Control and Information System (RC&IS) -
Instrumentation and Controls 7.7-2 7.7.1.3 Recirculation Flow Control System -
Instrumentation and Controls 7.7-21 7.7.1.4 Feedwater Control System - Instrumentation and Controls 7.7-28 7.7.1.5 Steam Bypass and Pressure Regulating System -
Instrumentation and Controls 7.7-34 7.7.1.6 Refueling Interlocks - Instrumentation and Controls 7.7-40 7.7.1.7 Design Differences 7.7-43 7.7.1.8 Process Computer System - Instrumentation 7.7-43 7.7.1.9 Reactor Water Cleanup System 7.7-49 Revision 17 7-iii October, 2011
TABLE OF CONTENTS (Continued)
Section Title Page 7.7.1.10 Process Sampling System 7.7-49 7.7.1.11 Gaseous Radwaste System 7.7-49 7.7.1.12 Drywell Vacuum Relief (DVR) System 7.7-49 7.7.2 ANALYSIS 7.7-50 7.7.2.1 Safety Function 7.7-50 7.7.2.2 Failure Modes and Malfunctions 7.7-51 Revision 12 7-iv January, 2003
LIST OF TABLES Table Title Page 7.1-1 Design and Supply Responsibility of Safety-Related Systems 7.1-20 7.1-2 Similarity to Licensed Reactors - Safety-Related Systems 7.1-22 7.1-3 Codes and Standards Applicability Index for Controls and Instrumentation 7.1-25 7.1-4 Summary Information Indicating Degree of Compliance with Regulatory Guide 1.97, Rev. 2 (NSSS Design)and (others) 7.1-34 7.2-1 Reactor Protection System Instrumentation 7.2-38 7.2-2 APRM System Trips 7.2-40 7.2-2a OPRM System Trips 7.2-41 7.2-3 Reactor Protection System Response Time Table 7.2-42 7.3-1 Isolation System Instrumentation Response Time Table 7.3-80 7.5-1 Safety-Related Display Instrumentation (Display Instrumentation for Safety-Related Systems) 7.5-17 7.6-1 IRM System Trips 7.6-60 7.6-2 LPRM System Trips 7.6-61 7.6-3 End-of-Cycle Recirculation Pump Trip System Response Time Table 7.6-62 7.7-1 Design and Supply Responsibility for Nonsafety-Related Systems 7.7-52 7.7-2 Similarity to Licensed Reactors for Nonsafety-Related Systems 7.7-53 7.7-3 Refueling Interlock Effectiveness 7.7-54 Revision 12 7-v January, 2003
7.0 INSTRUMENTATION AND CONTROLS SYSTEMS
7.1 INTRODUCTION
Chapter 7 presents specific detailed design and performance information for instrumentation and control of safety-related and major plant control systems utilized throughout the plant. The design and performance considerations of these systems, safety function and their mechanical aspects are described in other chapters. See <Section 1.7.1>
for a listing of electrical schematics, <Section 1.2> for plant layout drawings and <Section 3.2> for equipment classification.
7.1.1 IDENTIFICATION OF SAFETY-RELATED SYSTEMS The systems presented in Chapter 7 are classified according to the NRC
<Regulatory Guide 1.70>, Revision 3; namely, Reactor Protection (Trip)
System, Engineered Safety Feature Systems, Safe Shutdown Systems, Safety-Related Display Instrumentation, Other Systems Required for Safety, and Control Systems Not Required for Safety.
lists safety-related systems and identifies the designer and/or the supplier. Nonsafety-related systems are listed in- a. Reactor Protection (Trip) System (RPS) - instrumentation and controls initiate reactor shutdown by automatic control rods Revision 12 7.1-1 January, 2003
- b. Containment and Reactor Vessel Isolation Control System (CRVICS) -
- c. Emergency Core Cooling Systems (ECCS) - instrumentation and controls provide automatic initiation and control of specific core cooling systems, namely, High Pressure Core Spray system (HPCS),
- d. Neutron Monitoring System (NMS) - instrumentation and controls use incore neutron detectors to monitor core neutron flux. The neutron monitoring system provides signals to the RPS trip channels to scram the reactor. The Oscillation Power Range Monitors (OPRM) are used to detect and suppress the evidence of reactor thermal-hydraulic instability in a pre-determined region of the core power versus flow map. Average neutron flux or average simulated thermal power (APRM) is used as the overpower indicator during power operation. Intermediate Range Monitors (IRM) are used as power indicators during startup and shutdown. The neutron monitoring system also provides power level indication during planned operation.
- e. Process Radiation Monitoring System (PRM) - instrumentation and controls include a number of radiation monitors and monitoring subsystems which are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials.
- f. Control Complex HVAC System - instrumentation and controls are provided to monitor the habitability of the control complex and to maintain it in a habitable condition by means of recirculation of the control complex air, during abnormal occurrences.
- g. Emergency Water System (EWS) - consists of the emergency closed cooling system and the emergency service water system.
- h. Combustible Gas Control System - consists of four subsystems: the hydrogen analysis system, the mixing system, the hydrogen recombination system, and the purge system. Instrumentation and controls are provided to detect the concentration of free hydrogen in the drywell and containment and to reduce the free hydrogen concentrations by dilution, recombination and purging.
- i. The Reactor Core Isolation Cooling System (RCIC) - instrumentation and controls provide initiation and control of makeup water to the reactor vessel, in the event that the reactor becomes isolated from the main condensers during normal plant operation by a closure of the main steam line isolation valves.
- j. The Standby Liquid Control System (SLCS) - instrumentation and controls provide manual initiation of a backup reactivity control system which can shut the reactor down from rated power to the cold condition in the event that all withdrawn control rods cannot be inserted manually by the rod control and information system to achieve reactor shutdown.
- k. The Leak Detection System (LDS) uses various temperature, pressure, radiation, level, and flow sensors to detect, annunciate and isolate (in certain cases) water and steam leakage paths in selected reactor systems.
- l. The RHRS Reactor Shutdown Cooling Mode (RSCM) is manually initiated to provide cooling to remove the decay and sensible heat from the reactor vessel so that the reactor can be refueled and serviced.
- m. The Fuel Pool Cooling System (FPCS) - instrumentation and controls monitor water temperature and controls cooling of the fuel pool.
- n. Containment Atmospheric Monitoring System - provides instrumentation for detecting and predicting the progression of abnormal occurrences in the containment and for monitoring after postulated accidents. Containment and Drywell temperature and pressure monitoring is provided by instrumentation with adjustable alarm features. The containment atmospheric monitoring system also provides suppression pool temperature monitoring instrumentation.
- o. Annulus Exhaust Gas Treatment System - Filters, monitors and exhausts any gases leaking from the containment vessel to the annulus by maintaining the area at a slight negative pressure.
- p. (Deleted)
- q. The Safety-Related Display Instrumentation is provided to inform the reactor operator when a manual safety action should be taken or is required and allows assessment of safety system status.
- r. The RHRS - Containment Spray Cooling Mode (CSCM) is an automatic or manually initiated subsystem of the RHR system that is provided to condense steam in the containment following a loss-of-coolant accident.
- s. The Remote Shutdown System (RSS) provides the capability to assure safe shutdown of the reactor in the event that the control room should become uninhabitable.
- t. Recirculation Pump Trip (RPT) system - instrumentation and controls are provided to reduce the severity of thermal transients on fuel due to turbine generator trip and load rejection events by tripping the recirculation pumps early in the event, thus rapidly reducing core flow and increasing void content and thereby reducing reactivity in conjunction with the control rod scram.
- u. RHRS Suppression Pool Cooling Mode (SPCM) is a manually initiated subsystem of the RHR system that is provided to cool suppression pool water to avoid elevated pool temperatures.
- v. Suppression Pool Makeup System - instrumentation and controls are provided for the transfer of water from the upper fuel transfer pool to the lower suppression pool when required. Suppression pool level monitoring is provided by this system.
- w. Pump Rooms Cooling System - provides instrumentation to maintain each of the pump rooms within the design temperature range and provide for the monitoring of airflow and temperature.
- x. ESF Building and Area HVAC System - provides instrumentation to control and monitor the heating, cooling, ventilation, and purification of areas such as the MCC, switchgear and miscellaneous electrical areas, battery rooms, and diesel generator building.
- y. Fuel Handling Area Ventilation System - instrumentation and controls monitor and control the supply of filtered and tempered air to various operating areas. Exhaust air is passed through charcoal filters prior to discharge.
- z. Offgas Building Exhaust System - provides instrumentation to monitor and control exhaust air from potentially contaminated areas such as the steam jet air ejector and various areas in the offgas building.
- a. Title 10 Code of Federal Regulations, Part 50 <10 CFR 50>
- b. Industry Codes and Standards Revision 12 7.1-7 January, 2003
- c. Regulatory Guides The specific regulatory requirements pertaining to each systems instrumentation and control is specified in
- a. General Design Criterion 1 - Quality Standards and Records The quality assurance program is discussed in <Chapter 17>.
- b. General Design Criterion 2 - Design Bases for Protection Against Natural Phenomena Wind and tornado loadings are discussed in <Section 3.2>, flood design is described in <Section 3.4> and seismic qualification of safety-related instrumentation and electrical equipment is discussed in <Section 3.10>.
- c. General Design Criterion 3 - Fire Protection The fire protection system and its design basis are discussed in
- d. General Design Criterion 4 - Environmental and Missile Design Bases The safety-related systems are designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.
- e. General Design Criterion 5 - Sharing of Structures, Systems and Components Shared facilities do not impair the ability of safety equipment of the unit to perform its safety functions.
- f. General Design Criterion 10 - Reactor Design The safety-related systems are designed to monitor certain reactor parameters, sense abnormalities and to initiate protective actions to prevent fuel design limits from being exceeded, and to limit the release of radioactive material during conditions of normal or anticipated operational occurrences.
- g. General Design Criterion 13 - Instrumentation and Controls The safety-related instrumentation and controls monitor variables over their anticipated ranges for normal operation, anticipated occurrences and accident conditions and initiate protective systems to limit or prevent fuel damage and maintain the integrity of the reactor coolant pressure boundary.
- h. General Design Criterion 15 - Reactor Coolant System Design The safety-related systems provide sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, automatic safety actions are provided.
- i. General Design Criterion 19 - Control Room A centralized location for safely operating the plant is provided by the control rooms.
- j. General Design Criterion 50 - Containment Design Basis The containment electrical penetrations are designed to accommodate the calculated pressure and temperature conditions resulting from a loss-of-coolant accident. See <Section 7.1.2.3.b>, for discussion of conformance to IEEE Standard 317.
- k. General Design Criteria 54, 55 and 56 - Isolation Criteria All process lines penetrating the containment are provided with isolation valves in accordance with specified criteria. Refer to
- a. Conformance to IEEE Standard 308 - Class 1E Power Systems for Nuclear Power Generating Stations Conformance to IEEE Standard 308 is described in <Section 8.3>.
- b. Conformance to IEEE Standard 317 - Electric Penetration Assemblies in Containment Structures Penetration assemblies meet the requirements of IEEE Standard 317 and Criterion 50 of <10 CFR 50, Appendix A>. All containment electrical penetration assemblies used for Class 1E and non-Class 1E circuits are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent versus time conditions. For additional description see
- c. Conformance to IEEE Standard 323 - Qualifying Class 1E Equipment for Nuclear Power Generating Stations Conformance to IEEE Standard 323 is discussed in <Section 3.11>.
- d. Conformance to IEEE Standard 336 - Installation, Inspection and Testing Requirements for Instrumentation and Electric Equipment During the Construction of Nuclear Power Generating Stations Revision 12 7.1-11 January, 2003
- e. Conformance to IEEE Standard 338 - Periodic Testing of Nuclear Power Generating Stations Conformance to IEEE Standard 338 is presented on a system basis in the analysis portions of <Section 7.2>, <Section 7.3>,
- f. Conformance to IEEE Standard 344 - Seismic Qualification of Class 1E Equipment All safety-related instrumentation and control equipment is classified as Seismic Category I, designed to withstand the effects of the safe shutdown earthquake (SSE) and remain functional during normal and accident conditions. Qualification and documentation procedures used for Seismic Category I equipment and systems are identified in <Section 3.10>.
- g. Conformance to IEEE Standard 379 - Application of Single-Failure Criterion to Nuclear Power Generating Stations The extent to which the single failure criteria of IEEE Standard 379 is satisfied is specifically covered for each system in the analysis of IEEE Standard 279, Paragraph 4.2 in
- h. Conformance to IEEE Standard 384 - Independence of Class 1E Equipment and Circuits The safety-related systems described in <Section 7.2>,
- i. Conformance to IEEE Standard 387 - Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations Conformance to IEEE Standard 387 is discussed in <Section 8.3>.
- a. Conformance to <Regulatory Guide 1.6>
- b. Conformance to <Regulatory Guide 1.11>
- c. Conformance to <Regulatory Guide 1.29>
- d. Conformance to <Regulatory Guide 1.30>
- e. Conformance to <Regulatory Guide 1.32>
- f. Conformance to <Regulatory Guide 1.40>
- g. Conformance to <Regulatory Guide 1.47>
- 1. Pump motor breaker not in OPERATE position
- 2. Loss of pump motor control power Revision 12 7.1-15 January, 2003
- 3. Loss of motor operated valve control power/motive power
- 4. Logic power failure
- 5. Logic in test
- 6. System lineup improper
- 7. Bypass or test switches actuated Auxiliary supporting system inoperability or bypass resulting in the loss of other safety-related systems will cause actuation of system level annunciators for the auxiliary supporting system as well as those safety-related systems affected.
- h. Conformance to <Regulatory Guide 1.63>
- i. Conformance to <Regulatory Guide 1.68>
- j. Conformance to <Regulatory Guide 1.70>
- k. Conformance to <Regulatory Guide 1.75>
- l. Conformance to <Regulatory Guide 1.80>
- m. Conformance to <Regulatory Guide 1.89>
- n. Conformance to <Regulatory Guide 1.97>
- o. Conformance to <Regulatory Guide 1.100>
- p. Conformance to <Regulatory Guide 1.105>
- q. Conformance to <Regulatory Guide 1.118>
- 1. Reactor Protection Trip System Grand Gulf See Note(2a);
- 2. Containment and Reactor Vessel Grand Gulf See Note(2a)
- 3. Emergency Core Cooling System Grand Gulf See Note(2a) (2b)
- 4. Neutron Monitoring System Grand Gulf See Note (2d);
- 5. Rod Pattern Control System Grand Gulf See Note
- 6. Process Radiation Monitoring Grand Gulf See Note (2c)
- 8. Control Complex Heating, See Note See Note Ventilating and Air Conditioning System (1) (1)
- 9. Emergency Water Systems See Note See Note
- 10. Combustible Gas Control (1) (1)
- 11. Reactor Core Isolation Grand Gulf See Note Cooling System (2a)
- 12. Standby Liquid Control System Grand Gulf See Note (1) (1)
- 13. Containment Atmospheric See Note See Note Monitoring System Revision 12 7.1-22 January, 2003
- 14. Leak Detection Systems Grand Gulf Same for PNPP
- 15. RHRS - Reactor Shutdown (2b)
- 16. Fuel Pool Cooling System See Note See Note
- 17. (Deleted)
- 18. Safety-Related Display Grand Gulf See Note Instrumentation
- 19. Containment Vacuum Relief (1) (1)
- 20. RHRS - Containment Spray Grand Gulf See Note (2b) (2c)
- 21. Remote Shutdown System Hanford Interface valves of significance may vary but same control and instrument functions are provided
- 22. Recirculation Pump Trip Grand Gulf Same for PNPP (2b) (2c)
- 23. RHR System - Suppression Pool Grand Gulf See Note Cooling Mode (1) (1)
- 24. Suppression Pool Makeup System See Note See Note (1) (1)
- 25. Pump Rooms Cooling System See Note See Note Revision 12 7.1-23 January, 2003
- 27. Fuel Handling Area Ventilation See Note See Note System (1) (1)
- 28. Offgas Building Exhaust System See Note See Note (1) (1)
- 29. Standby Power Systems See Note See Note NOTES:
- a. Differences in instrumentation ranges and/or trip setting to accommodate difference in reactor vessel size. Instrument zero is 363.5 inches (TAF) and 533.00 inches above vessel zero for PNPP and Grand Gulf, respectively.
- b. Differences in equipment capacity to accommodate difference in reactor vessel size and/or supporting auxiliary equipment.
- c. Differences in physical configuration and/or the amounts of associated controls. PNPP has two containment spray loops and Grand Gulf has one.
- d. Differences due to difference in core size.
- e. Differences due to the use of multifunction equipment that has been sized to accommodate different vessel size. Pump sizing priority is based on the most rigid of duty requirements.
SUMMARY
INFORMATION INDICATING DEGREE OF COMPLIANCE WITH
<REGULATORY GUIDE 1.97>, REV. 2 (NSSS DESIGN)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(2) dancy Range Supply Display Remarks Reactor Water Level A,B(16)
Wide Range 1 See Note(1) Yes Three 5 to 230 1E Control Room See Note(29)
Channels above TAF Panel & ERIS Fuel Zone 1 See Note(1) Yes Three 150 below 1E Control Room See Note(4)
Channels TAF to 50 Panel & ERIS above TAF Reactor Pressure A,B,C(16) 1 See Note(1) Yes Two 0-1,500 1E Control Room See Note(5)
Channels psig Panel & ERIS Neutron Flux B Average Power 2 See Note(1) Yes Eight 1012-1014 IE & Control Room See Note(6)
Range Channels NV (1014 Uninter- Panel & ERIS NV >100 ruptible power)
Control Rod Pos. B 3 N/A Commercial One Full in Uninter- Control Room Grade Display to Full ruptible Panel & ERIS for Each out Control Rod Drywell Sump B,C 3 N/A Commercial One 0-25 gpm Instr. Control Room See Note(8) (28)
(Equip. Drain- Grade Channel bus Panel & ERIS Ident.)
Drywell Sump B,C 3 N/A Commercial One 0-5 gpm Instr. Control Room See Note(8) (28)
(Floor Drain- Grade Channel bus Panel & ERIS Unindent.)
Revision 12 7.1-34 January, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(2) dancy Range Supply Display Remarks 6
Feedwater Flow D 3 N/A Commercial One 0-20x10 Instr. Control Room Grade Channel lb/hr bus Panel & ERIS (Two loops summed)
Containment Spray D 2 See Note(1) Yes One 0-10,000 1E Control Room See Note(9)
Flow Channel gpm, Panel & ERIS per loop open/closed Safety Relief D 2 See Note(1) Yes One Open/ 1E Control Room Valve Position Channel closed Panel & ERIS per SRV RCIC System Flow D 2 See Note(1) Yes One 0-800 125 Vdc Control Room Channel gpm 1E Panel & ERIS HPCS System Flow D 2 See Note(1) Yes One 0-10,000 1E Control Room Channel gpm Panel & ERIS LPCS System Flow D 2 See Note(1) Yes One 0-10,000 1E Control Room Channel gpm Panel & ERIS RHR System Flow & D 2 See Note(1) Yes One 0-10,000 1E Control Room See Note(9)
Low Pressure Channel gpm Panel & ERIS Coolant Injection per loop System Flow Standby Liquid D 2 See Note(1) Yes One 1E Control Room See Note(11)
Control System Channel 0-1,800 Panel & ERIS Pressure psig Standby Liquid D 2 See Note(1) Yes One 0-5,300 gal. 1E Control Room Control System Channel outlet Panel & ERIS Tank Level nozzle to overflow nozzle Revision 12 7.1-35 January, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(2) dancy Range Supply Display Remarks (1)
RHR System D 2 See Note Yes One 0-10,000 1E Control Room See Note(12)
Service Water Channel gpm Panel & ERIS Flow per loop BWR Core B,C 1 N/A N/A N/A N/A N/A N/A See Note(18)
Thermocouple Revision 12 7.1-36 January, 2003
TABLE 7.1-4 (Continued)
SUMMARY
INFORMATION INDICATING DEGREE OF COMPLIANCE WITH
<REGULATORY GUIDE 1.97>, REV. 2 (OTHERS)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(14) dancy Range Supply Display Remarks Containment and A,C(16) 1 See Note(1) Yes Two 0-10 H2 1E Control Room Drywell Hydrogen Channels Panel & ERIS Concentration (four locations each)
Drywell Pressure A,B,C,D(16)
Narrow Range 1 See Note(1) Yes Two 10 Hg to 1E Control Room Channels 5 psig Panel & ERIS Wide Range 1 See Note(1) Yes Two 30 Hg to 1E Control Room Channels 35 psig Panel & ERIS Suppression Pool A,D(16) 1 See Note(1) Yes Two 30-230F 1E Control Room Water Temperature Channels Panel & ERIS (eight locations each)
See Note(23)
Suppression Pool A,C,D(16)
Water Level Narrow Range 1 See Note(1) Yes Two 16.0-19.0 1E Control Room Channels ft Panel & ERIS Wide Range 1 See Note(1) Yes Two 2.0-24.0 ft 1E Control Room Channels Panel & ERIS Primary Contain- A,B,C ment Pressure Normal Range 1 See Note(1) Yes Two 10 Hg to 1E Control Room Channels 20 psig Panel & ERIS Wide Range 1 See Note(1) Yes Two 10 Hg to 1E Control Room Channels 60 psig Panel & ERIS Revision 12 7.1-37 January, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(14) dancy Range Supply Display Remarks (1)
Primary Contain- B 1 See Note Yes Two valves, Open/Closed 1E Control Room See Note(7) (22) ment Isolation open & Panel & ERIS Valve Position closed switches each valve Containment C 3 N/A Commercial One 10-6-10-2 Diesel Control Room See Note(25)
Effluent Grade Channel µCi/cc backed Panel & ERIS Radioactivity-Noble non 1E Gases Radiation Exposure C 2 See Note(1) Yes Two 1-107 R/hr 1E Control Room See Note(24)
Rate (inside bldgs. Channels Panel & ERIS or areas which are in direct contact with primary containment where penetrations and hatches are located)
Effluent Radiation C 2 See Note(1) Yes One 10-6-105 1E Control Room See Note(17) (25)
Noble Gases Channel Ci/cc See Panel & ERIS See Note(25) Note(17)
Condensate Storage D 3 N/A Commercial One 20,000-470,000 Uninter- Control Room Tank Level Grade Channel gal. ruptible Panel & ERIS Drywell Atmosphere A,D 1 See Note(1) Yes Two 40-440F 1E Control Room Temperature Channels Panel & ERIS (three locations each)
Containment Atmos- A 1 See Note(1) Yes Two 50-300F 1E Control Room phere Temperature Channels Panel & ERIS (Four locations each)
Revision 12 7.1-38 January, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(14) dancy Range Supply Display Remarks High Radioactivity D Liquid Tank Level Fuel Pool Filter/ 3 N/A Commercial One 0-10,000 Uninter- ERIS Demineralizer Grade Channel gal. ruptible Backwash Receiver Tank Condensate Filter 3 N/A Commercial One 0-10,000 Uninter- ERIS Backwash Receiver Grade Channel gal. ruptible Tank RWCU Filter/ 3 N/A Commercial One 0-3,300 Uninter- ERIS Demineralizer Grade Channel gal. ruptible Backwash Receiver Tank Safety-Related D 2 See Note(1) Yes Two 0-300 1E Control Room Supply Pressure Channels psig Panel & ERIS to ADS Cooling Water D Temperature to ESF Systems Components Emergency Closed 2 See Note(1) Yes One 50-150F 1E Control Room Cooling Loop Channel Panel & ERIS Temperature per loop ESW Loop Inlet 2 See Note(1) Yes One 0-100F 1E Control Room Temperature Channel Panel & ERIS per loop Emergency Vent D 2 See Note(1) Yes Open & Open/Closed 1E Control Room Damper Position closed Panel & ERIS switches each damper Revision 12 7.1-39 January, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(14) dancy Range Supply Display Remarks (1)
Status of Standby D 2 See Note Yes One Various: 1E Control Room Power and Other Channel Voltage & Panel & ERIS Energy Sources per energy Current, &
Important to Safety source Breaker Status Primary Containment E 1 See Note(1) Yes Two 1-107 R/hr 1E Control Room Area Radiation Channels Panel & ERIS Hi-Range Reactor Building E 1 See Note(1) Yes Two 1-107 R/hr 1E Control Room Area Radiation Channels Panel & ERIS Radiation Exposure E 3 N/A Commercial One 10-4-104 Diesel Control Room See Note(21)
Rate (inside bldgs. Grade Channel R/hr backed Panel & Local or areas where non 1E access is required to service equipment important to safety)
Airborne Radioactive E 2 See Note(1) Yes One 10-6-105 1E Control Room See Note(17) (25)
Materials Released Channel Ci/cc See Panel & ERIS From Plant See Note(25) Note(17)
Particulates and E 3 N/A Commercial One 10-3-102 Diesel None See Note(25)
Halogens all Grade Channel Ci/cc backed Identified non 1E Plant Release Points with Onsite Analysis Capability Radioactivity C 3 N/A Commercial N/A 1/2 Tech Uninter- None See Note(27) (31)
Concentration or Grade (Sample) Spec Limit ruptible Radiation Level to 100 times in Circulating Tech Spec Primary Coolant limit, R/hr Revision 13 7.1-40 December, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(14) dancy Range Supply Display Remarks Accident Sampling See Note(32)
Capability Analysis of Primary C 3 N/A Commercial N/A 10 Ci/gm- Uninter- None See Note(20) (31)
Coolant Grade (Sample) 10 Ci/gm or ruptible TID 14844 source term in coolant volume Cooling Water Flow D to ESF Systems Components Emergency Closed 2 See Note(1) Yes One 0-2,500 gpm 1E Control Room Cooling Loop Flow Channel Panel & ERIS per loop ESW Flow to ECCS 2 See Note(1) Yes One 0-3,000 gpm 1E Control Room HX Channel Panel & ERIS per loop ESW Flow to HPCS 2 See Note(1) Yes One 0-1,000 gpm 1E Control Room Diesel HX Channel Panel & ERIS ESW Flow to Stdby 2 See Note(1) Yes One 0-1,200 gpm 1E Control Room Diesel HX Channel Panel & ERIS per loop Airborne E 3 N/A Commerical Three Air sampling N/A None Radiohalogens and Grade Portable 10-9-10-3 Particulates Portable Units µCi/cc at Sampling with On-site analysis Analysis Capability facility Plant & Environs E 3 N/A Commercial Two 10-3-104 N/A None Radiation (Portable Grade Portable R/hr Instrumentation) Detector Units Revision 13 7.1-41 December, 2003
TABLE 7.1-4 (Continued)
Cate- Quali- Quality Redun- Power Variable Type gory(15) fication Assurance(14) dancy Range Supply Display Remarks Plant & Environs E 3 N/A Commercial One Unit Multi- Instr. Local Radioactivity Grade Channel bus Gamma Ray Spectrometer Meteorology E Wind Direction 3 N/A Commercial System A 0-540 N/A Control Room, See Note(30)
Grade System B Local Plant Computer System Wind Speed 3 N/A Commercial System A 10m, N/A Control Room, See Note(30)
Grade System B 0-100 mph, Local Plant 60m, Computer System 0-100 mph Estimation of 3 N/A Commercial System A -20 to 100F N/A Control Room, See Note(30)
Atmospheric Grade System B Delta T Local Plant Stability -6 to +12F Computer System (60-10m)
Containment & C 1 N/A N/A N/A N/A N/A N/A See Note(13)
Drywell Oxygen Concentration Drywell Spray D 2 N/A N/A N/A N/A N/A N/A See Note(26)
Flow Isolation Condenser D 2 N/A N/A N/A N/A N/A N/A See Note(19)
System Shell-Side Water Level Isolation Condenser D 2 N/A N/A N/A N/A N/A N/A See Note(19)
System Valve Position Radiation Exposure E - N/A N/A N/A N/A N/A N/A See Note(18)
Meters (Continuous Indication at Fixed Locations)
Revision 13 7.1-42 December, 2003
TABLE 7.1-4 (Continued)
NOTES:
(1)
Environmental and seismic qualification of Category 1 and 2 variables is in accordance with the PNPP Equipment Qualification Program.
(2)
Yes indicates that quality assurance is in accordance with NEDO-11209, NEBG BWR QA Program Description.
(3)
(Deleted).
(4)
Two existing fuel zone monitors have been upgraded to Category 1 requirements and one additional fuel zone monitor has been included.
(5)
Pressure indicating switches located on control room backpanels H13-P693 or H13-P694 will be utilized to verify reactor vessel pressure when the two channel readings disagree.
(6)
Neutron flux monitoring instrumentation (average power range), at PNPP is installed in accordance with the requirements set forth for Type B, Category 2 variables. This was determined to be acceptable per NEDO-31558-A (March 1993), CEI letter PY-CEI/NRR-1669L dated February 7, 1994, and NRC letter from J. B. Hopkins to R. A. Stratman dated February 23, 1994.
(7)
Primary containment isolation valve position is displayed in the Control Room by in/out lights. Recorders are not utilized for display of this variable.
(8)
Drywell sump level or drywell drain sump level (identified/unidentified leakage) is not considered a key variable since they neither automatically initiate safety-related systems nor do they alert the operator to take safety-related actions. The level of the drain sumps can be a direct indication of breach of the reactor coolant system pressure boundary, but may be ambiguous because there is water in the sumps during normal operation. There is other instrumentation required by <Regulatory Guide 1.97> that would indicate leakage in the drywell, such as, drywell pressure, drywell temperature and primary containment area radiation.
<Regulatory Guide 1.97> requires instrumentation to function during and after an accident. The drywell sump systems are deliberately isolated at the primary containment penetration upon receipt of an accident signal to establish containment integrity.
Therefore, by design, drywell level instrumentation serves no useful accident-monitoring function. Based on the above, this variable will be implemented at PNPP in accordance with Category 3 instead of Category 1 requirements.
(9)
RHR system valve position lineup will be displayed in the Control Room to verify flow through the containment spray flow loops.
Valve position instrumentation will also be implemented using Catetory 2 design criteria.
(10)
(Deleted)
(11)
Stand-by liquid control system discharge pump pressure and SLCS tank level, in lieu of flow, will be monitored at PNPP simultaneously to meet the intent of <Regulatory Guide 1.97>.
(12)
RHR service water flow will be monitored in lieu of RHR heat exchanger outlet temperature to verify system operation. Heat exchanger bypass valve position will also be verified by Control Room display.
Revision 13 7.1-43 December, 2003
TABLE 7.1-4 (Continued)
NOTES: (Continued)
(13)
The containment and drywell oxygen concentrate variable is not applicable to PNPPs design since PNPP does not utilize an inerted containment. Therefore, this variable will not be implemented per <Regulatory Guide 1.97>, Rev. 2.
(14)
Instruments designated as yes implements applicable Regulatory Guide requirements for Quality Assurance in <Regulatory Guide 1.97>, Rev. 2.
(15)
All Category 1 variables shall have at least one channel continuously recorded.
(16)
Variables, identified as Type A, have been selected based on developed BWROG generic emergency operating procedures.
(17)
A portion of the channel will utilize an existing monitor with a range of 10-6 to 10-2 µCi/cc which is designed nonsafety-related, non-Class 1E. This monitor is provided with diesel backed non-Class 1E power. (Revision 2 of <Regulatory Guide 1.97>, Subnote 9, permits the preceding.) Instrumentation for the remaining portion of the channel utilizes 2 monitors which expand the range from 1.7 x 10-3 to 105 Ci/cc, and which are designated safety-related, Class 1E.
(18)
BWR core thermocouples and radiation exposure meters (continuous indication at fixed locations) will not be implemented based on direction provided by Supplement 1 of <NUREG-0737>.
(19)
The isolation condensor system shell-side water level and valve position variables are not applicable to PNPPs design.
(20)
The Postaccident Sampling System, as designed to Category 3 requirements, will be utilized for this variable.
(21)
Existing instrumentation (10-1mR/hr to 104mR/hr) will be utilized for the lower end of the required range. Portable survey instruments (10-1R/hr to 104R/hr) will be utilized for the entire range specified in <Regulatory Guide 1.97>.
(22)
The primary containment isolation valve position variable is covered by both the NSSS and the BOP scope.
(23)
Suppression pool water temperature has eight sub-channels of temperature individually monitored on each recorder.
(24)
Area radiation Hi-Range monitors located in the Primary Containment are utilized to meet the requirements of this variable.
(25)
Each channel monitors the following four plant vents: Turbine Bay/Heater Bay exhaust vent, Offgas Building Vent Pipe, Unit 1 exhaust vent, and Unit 2 exhaust vent. Each channel consists of 3 detectors as described in Note 17.
(26)
The drywell spray flow variable is not applicable to PNPPs design.
(27)
<Regulatory Guide 1.97> specifies measurement of the radioactivity of the circulating primary coolant (coolant in active contact with the fuel) as the key variable in monitoring fuel cladding status during isolation of the NSSS. The subject of concern in the
<Regulatory Guide 1.97> requirement is assumed to be an isolated NSSS. This assumption is justified as current monitors in the condenser offgas and main steam lines provide reliable and accurate information on the status of fuel cladding when the plant is not isolated. Based on the above, the postaccident sampling system (PASS), designed to Category 3 requirements, will provide an accurate status of coolant radioactivity.
Revision 13 7.1-44 December, 2003
TABLE 7.1-4 (Continued)
NOTES: (Continued)
(28)
Drywell sump equipment and floor drain leakage will be displayed in the control room as a leakage rate instead of level.
(29)
Instrumentation meeting Category 3 design requirements is considered adequate to monitor water levels above the top of the wide range instruments.
(30)
Reference USAR <Section 2.3.3.1>, <Section 2.3.3.2> and <Section 2.3.3.3> for a description of the preoperational program and
<Section 2.3.3.4> for a description of the current operational program.
(31)
Samples obtained via the Postaccident Sampling System (PASS) can be analyzed by use of either onsite or offsite analytical instruments.
(32)
Refer to2.1 DESCRIPTION
7.2.1.1 System Description
- a. RPS Function The RPS is designed to cause rapid insertion of control rods (scram) to shut down the reactor when specific variables exceed predetermined limits.
A completely separate and diverse system, the redundant reactivity control system, is provided to mitigate the effects of a postulated Anticipated Transient Without Scram <Section 7.6.1.12>.
- b. RPS Operation Schematic arrangements of RPS mechanical equipment and information displayed to the operator are shown in <Figure 7.2-1> (RPS IED).
- 1. Neutron Monitoring System (NMS)
- 2. Reactor Vessel High Pressure A reactor vessel pressure increase during reactor operation compresses the steam voids and results in increased reactivity; this causes increased core heat generation that could lead to fuel barrier failure and reactor overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation. The reactor vessel high pressure scram works in conjunction with the pressure relief system to prevent reactor vessel pressure from exceeding the maximum allowable pressure. The reactor vessel high pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during events that occur when the reactor is operating below rated power and flow.
- 3. Reactor Vessel Low Water Level Decreasing water level while the reactor is operating at power decreases the reactor coolant. Should water level decrease too far, fuel damage could result as steam voids form around fuel rods. A reactor scram reduces the fission heat generation within the core.
- 4. Reactor Vessel High Water Level Increasing water level while the reactor is at power indicates an increase in feed water flow and impending power increase.
- 5. Turbine Stop Valve Position A turbine trip will initiate closure of the turbine stop valves which can result in a significant addition of positive reactivity to the core as the reactor vessel pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the neutron monitoring system or reactor vessel high pressure to provide required margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the reactor system, the turbine stop valve closure scram provides additional margin to the reactor vessel pressure limit.
- 6. Turbine Control Valve Position Generator load rejection with the turbine power above approximately 38 percent power or a turbine trip automatically initiates fast closure of the turbine control valves which results in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the neutron monitoring system or reactor vessel high pressure to provide required margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure by inserting negative reactivity with control rods. Although the reactor vessel high pressure scram, in conjunction with the pressure relief system, is adequate to preclude overpressurizing the reactor vessel, the turbine control valve fast closure scram provides additional margin to the reactor vessel pressure limit. The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure.
- 7. Main Steam Line Isolation Valves Position The main steam line isolation valve closure can result in a significant addition of positive reactivity to the core as reactor vessel pressure rises.
- 8. Scram Discharge Volume Water Level Water displaced by the control rod drive pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the discharge volume can accommodate a scram.
- 9. Drywell Pressure High pressure inside the drywell may indicate a break in the reactor coolant pressure boundary. Scram is initiated to minimize the possibility of fuel damage.
- 10. Main Steam Line Radiation Monitors Monitor input to the scram function has been deleted based on analysis presented in NEDO-31400A.
- 11. Manual Scram A scram can be initiated manually. There are four manual scram switches (A, B, C, and D); one for each of the four RPS trip channels. Activating manual scram switch A or C will de-energize the A scram pilot solenoid for all rods.
- 12. Reactor Mode Switch Manual Scram Even though the action is not a safety function, reactor scram can be initiated by placing the mode switch in the shutdown position. The mode switch consists of four electrically independent contact blocks. A Shutdown position contact from each of the four contact blocks provide an input to one of the four RPS trip channels. The scram signal, initiated by placing the mode switch in SHUTDOWN, is automatically bypassed after 10 seconds by a timer which allows the control rod drive hydraulic system valve lineup to be restored to normal before the control room operator can reset the RPS trip logic.
- a. Variables Monitored to Provide Protective Actions.
- 1. Neutron Flux
- 2. Reactor Vessel High Pressure
- 3. Reactor Vessel Low Water Level
- 4. Reactor Vessel High Water Level
- 5. Turbine Stop Valve Closure
- 7. Main Steam Line Isolation
- 8. Scram Discharge Volume High Level
- 9. Drywell High Pressure The plant conditions which require protective action involving the RPS are described in <Chapter 15> and <Appendix 15A>.
- b. Location and Minimum Number of Sensors Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the reactor protection system.
- c. Prudent Operational Limits Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious scram is avoided. It is then verified by analysis that the release of radioactive material, following postulated gross failures of the Revision 12 7.2-17 January, 2003
- d. Margin The margin between operational limits and the limiting conditions of operation (scram) for the reactor protection system are accounted for in Technical Specifications.
- e. Levels Levels requiring protective action are provided in Technical Specifications.
- f. Range of Transient, Steady-State and Environmental Conditions Environmental conditions for proper operation of the RPS components are discussed in <Section 3.11>. The RPS power supply range of steady-state and transient conditions are provided in <Chapter 8>.
- g. Malfunctions, Accidents and Other Unusual Events Which Could Cause Damage to Safety Systems Unusual events are defined as malfunctions, accidents and others which could cause damage to safety systems. <Chapter 15> and
- 1. Floods The buildings containing RPS components have been designed to meet the PMF (Probable Maximum Flood) at the site location.
- 2. Storms and Tornadoes The buildings containing RPS components except the turbine generator building have been designed to withstand all credible meteorological events and tornadoes as described in
- 3. Earthquakes The structures containing RPS components except the turbine building have been seismically qualified as described in
- 4. Fires To protect the RPS in the event of a postulated fire, the system has been divided into four separate panels. If a fire were to occur within one of the panels or in the area of one of the panels, the RPS functions would not be prevented by the fire. Use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS will continue to provide the required protective action
- 5. LOCA The following RPS system components are located inside the drywell and would be subjected to the effects of a design basis loss-of-coolant accident (LOCA).
- 6. Pipe Break Outside Secondary Containment Protection is described in <Section 3.6>.
- 7. Missiles Protection from missiles is described in <Section 3.5>.
- h. Minimum Performance Requirements See Technical Specifications.
- a. General Design Criterion 12 - Suppression of Reactor Power Oscillations The system design provides protection from excessive fuel cladding temperatures and protects the reactor coolant pressure boundary from excessive pressures which threaten the integrity of the system. Abnormalities are sensed, and, if protection system limits are reached, corrective action is initiated through an automatic scram.
- b. General Design Criterion 15 - Reactor Coolant System Design The RPS provides sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits.
- c. General Design Criterion 20 - Protection System Functions The RPS monitors the appropriate plant variables to maintain the fuel barrier and reactor coolant pressure boundary and initiates a scram automatically when the variables exceed predetermined limits.
- d. General Design Criterion 21 - Protection System Reliability and Testability The RPS is designed with two groups of redundant trip channels and four independent and separated output channels. No single failure can prevent a scram, and removal from service of any component or channel will not result in loss of required minimum redundancy.
- e. General Design Criterion 22 - Protection System Independence The redundant portions of the RPS are separated, except the turbine scram inputs which originate from the non-seismic category turbine building, such that no single failure or credible natural disaster can prevent a scram. Reactor pressure and power are diverse to the turbine scram variables. In addition, drywell pressure and vessel water level are diverse variables.
- f. General Design Criterion 23 - Protection System Failure Modes The RPS is designed (including logic and actuated devices) to be fail safe. A loss of RPS electrical power or RPS air supply will result in a reactor scram. Postulated adverse environments will not prevent a scram.
- g. General Design Criterion 24 - Separation of Protection and Control Systems The RPS has no common components with any plant control system whose failure would significantly impair safety. The RPS does receive inputs from the reactor mode switch and the neutron monitoring system which also provide inputs to plant control systems through isolation devices.
- h. General Design Criterion 25 - Protection System Requirements for Reactivity Control Malfunctions The RPS provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. Any monitored variable which exceeds the scram setpoint will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails, the remaining portions of the Reactor Protection System will function.
- i. General Design Criterion 29 - Protection Against Anticipated Operational Occurrences The RPS is highly reliable and will provide a reactor scram in the event of anticipated operational occurrences.
- a. IEEE Standard 279 Criteria for Protection Systems for Nuclear Power Generating Stations - The RPS design complies with the requirements of IEEE-279. The following is a discussion of specific conformance.
- 1. General Functional Requirement (IEEE Standard 279, Paragraph 4.1)
- 2. Single Failure Criterion (IEEE Standard 279, Paragraph 4.2)
- 3. Quality of Components and Modules (IEEE Standard 279, Paragraph 4.3)
- 4. Equipment Qualification (IEEE Standard 279, Paragraph 4.4)
- 5. Channel Integrity (IEEE Standard 279, Paragraph 4.5)
- 6. Channel Independence (IEEE Standard 279, Paragraph 4.6)
- 7. Control and Protection System Interaction (IEEE 279, Paragraph 4.7)
- 8. Derivation of System Inputs (IEEE Standard 279, Paragraph 4.8)
- 9. Capability for Sensor Checks (IEEE Standard 279, Paragraph 4.9)
- 10. Capability for Test and Calibration (IEEE Standard 279, Paragraph 4.10)
- 11. Channel Bypass or Removal from Operation (IEEE Standard 279, Paragraph 4.11)
- 12. Operating Bypasses (IEEE Standard 279, Paragraph 4.12)
- 13. Indication of Bypasses (IEEE Standard 279, Paragraph 4.13)
- 14. Access to Means for Bypassing (IEEE Standard 279, Paragraph 4.14)
- 15. Multiple Setpoints (IEEE Standard 279, Paragraph 4.15)
- 16. Completion of Protective Action Once it is Initiated (IEEE Standard 279, Paragraph 4.16)
- 17. Manual Initiation (IEEE Standard 279, Paragraph 4.17)
- 18. Access to Setpoint Adjustments, Calibration and Test Points (IEEE Standard 279, Paragraph 4.18)
- 19. Identification of Protective Actions (IEEE Standard 279, Paragraph 4.19)
- 20. Information Readout (IEEE Standard 279, Paragraph 4.20)
- 21. System Repair (IEEE Standard 279, Paragraph 4.21)
- 22. Identification of Protection Systems (IEEE Standard 279, Paragraph 4.22)
- a. <Regulatory Guide 1.22> - Periodic Testing of Protection System Actuation Function The RPS can be tested during reactor operation by the following separate tests:
- b. <Regulatory Guide 1.53> - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems See the discussion of IEEE Standard 279, Paragraph 4.2, in
- c. <Regulatory Guide 1.62> - Manual Initiation of Protective Actions Means are provided for manual initiation of the RPS at the system level through the use of four armed pushbutton switches located on the control room benchboard.
- a. Trip unit 0-56 in. 4
- b. Level switch 0-2.31 in. 4 Turbine Stop Position 0-100% 4(1)
- 1. Average Power Range Monitors: See Note(1)
- a. Flow Biased Simulated Thermal Power - High 0.09 See Note(2)
- b. Neutron Flux - High 0.09
- 2. Reactor Vessel Steam Dome Pressure - High 0.35 See Note(3)
- 5. Main Steam Line Isolation Valve - Closure 0.06
- 6. Turbine Stop Valve - Closure 0.06
- 7. Turbine Control Valve Fast Closure, Valve Trip System Oil Pressure - Low 0.07 See Note(4)
- 8. Oscillation Power Range Monitors 0.450 See Note(5)
3.1 DESCRIPTION
Section 7.3 describes the instrumentation and controls of the following plant Engineered Safety Features (ESF) systems:
- b. Containment and Reactor Vessel Isolation Control Systems (CRVICS)
- c. (Deleted)
- d. RHRS-Containment Spray Cooling Mode (RHRS-CSCM)
- e. RHRS-Suppression Pool Cooling Mode (RHRS-SPCM)
- f. Emergency Water Systems (EWS)(1)
- g. Control Complex HVAC System(1)
- j. Pump Room Cooling System(1)
- k. Containment Combustible Gas Control System
- l. Suppression Pool Makeup System
- m. Containment Vacuum Relief
- n. Standby Power Support Systems(1)
Revision 12 7.3-1 January, 2003
- o. Fuel Handling Area Exhaust Subsystem(2)
NOTE:
- 1. The following systems are considered to be ESF support systems not ESF systems in accordance with the guidance provided in
<NUREG-0800>, Section 7.3. These systems will continue to be treated as safety-related for design, construction, maintenance, testing, and other operational purposes.
Independent actuation of any one of these systems will not be reported per <10 CFR 50.73(a)(2)(iv)>.
- a. Emergency Closed Cooling Water (ECC) (P42)
- b. Control Complex Chilled Water (CCCW) (P47)
- d. Pump Room Cooling Systems (M28)(M32)(M39)
- e. Standby Power Support Systems (R44)(R45)(R46)(R47)(R48)
- 2. Only the exhaust subsystem of the fuel handling area ventilation system is ESF.
The sources which supply power to the engineered safety feature systems originate from onsite ac and/or dc safety-related busses or, as in the case of the CRVICS failsafe logic, from the nonsafety-related RPS MG sets. Refer to <Chapter 8> for a complete discussion of the ESF systems power sources.
Revision 12 7.3-2 January, 2003
7.3.1.1 System Description 7.3.1.1.1 Emergency Core Cooling Systems (ECCS) - Instrumentation and Controls The Emergency Core Cooling System is a network of the following subsystems <Section 6.3.1> and <Section 6.3.2>.
- a. High Pressure Core Spray System (HPCS).
- c. Low Pressure Core Spray System (LPCS).
- d. Low Pressure Coolant Injection (LPCI) mode of the Residual Heat Removal System (RHRS).
The purpose of ECCS instrumentation and control is to initiate appropriate responses from the system to ensure that the fuel is adequately cooled in the event of a design basis accident (DBA). The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which coolant is lost from the reactor coolant pressure boundary.
The ECCS instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response.
Included in this section is a discussion of protective considerations which are taken between the high pressure reactor coolant system and the low pressure ECCS system. The high pressure/low pressure interlocks are examined in <Section 7.6.1.2>.
Revision 12 7.3-3 January, 2003
The following plant variables are monitored and provide automatic initiation of the ECCS when these variables exceed predetermined limits:
- a. Reactor Vessel Water Level A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes. Refer to
<Figure 5.1-3> for a schematic arrangement of reactor vessel instrumentation.
- b. Drywell Pressure High pressure in the drywell could indicate a breach of the reactor coolant pressure boundary inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes.
7.3.1.1.1.1 High Pressure Core Spray (HPCS) System -
Instrumentation and Controls
- a. HPCS Function The HPCS system supplies sufficient coolant flow following a reactor scram in the event of a loss-of-coolant accident. The HPCS system supplies makeup water to the reactor vessel in the event of reactor isolation and failure of the reactor core isolation cooling (RCIC) system <Section 6.3.2.2.1>.
- b. HPCS Operation Schematic arrangements of system mechanical equipment are shown in
<Figure 6.3-7>. HPCS system component control logic is shown in Revision 12 7.3-4 January, 2003
<Figure 7.3-1>. Elementary diagrams are listed in <Section 1.7.1>.
Plant layout drawings are shown in <Section 1.2>. Operator information displays are shown in <Figure 6.3-7> and
<Figure 7.3-1>.
The HPCS is initiated automatically by either reactor vessel low water level (Trip Level 2) or drywell high pressure. The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated, the HPCS logic seals-in and can be reset by the operator if reactor water level has been restored even if the high drywell pressure condition exists. Refer to <Figure 7.3-1> for a schematic representation of the HPCS system initiation logic.
Reactor vessel water level (Trip Level 2) is monitored by four redundant level transmitters. Each transmitter provides an input to a trip unit. The trip unit relay contacts are arranged in a one-out-of-two twice logic arrangement to assure that no single event can prevent the initiation of the HPCS.
Initiation diversity is provided by drywell pressure which is monitored by four redundant pressure transmitters. The trip unit relay contacts are electrically connected in a one-out-of-two twice logic arrangement to assure that no single instrument failure can prevent the initiation of the HPCS.
The HPCS components respond to an automatic initiation signal as follows (actions are simultaneous unless stated otherwise):
- 1. The HPCS diesel generator is signaled to start.
- 2. Following an initiation signal and if no loss of offsite power has occurred, the HPCS pump is automatically started after a time delay. If a loss of offsite power occurs concurrent with Revision 12 7.3-5 January, 2003
an initiation signal, the HPCS pump is automatically started immediately, once power is available at the bus.
- 3. The pump suction from the condensate storage tank valve E22F001, is signaled to open, provided the suppression pool suction valve E22F015 is not full open.
- 4. The test return valves E22F010, E22F011 and E22F023 are signaled closed.
- 5. The HPCS injection valve E22F004 is signaled to open.
The HPCS pump discharge flow and pressure are monitored by pressure transmitters. If pump discharge pressure is normal but discharge flow is low enough that pump overheating may occur the minimum flow return line valve E22F012 is signaled open. The valve is automatically closed if flow is normal. The HPCS reaches its rated flow in 27 seconds.
If the water level in the condensate storage tank falls below a predetermined level, the suppression pool suction valve E22F015 automatically opens. When E22F015 is fully open, the condensate storage tank suction valve E22F001 automatically closes. Two level transmitters are used to detect low water level in the condensate storage tank. Either transmitter can cause automatic suction transfer. The suppression pool suction valve also automatically opens if high water level is detected in the suppression pool. Two level transmitters monitor suppression pool water level and either transmitter can initiate opening of the suppression pool suction valve. During the automatic CST to suppression pool suction transfer, to prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the CST suction valve automatically closes.
Revision 15 7.3-6 October, 2007
The HPCS provides makeup water to the reactor until the vessel water level reaches the high level trip (Trip Level 8) at which time the injection valve E22F004 is automatically closed even if a high drywell pressure signal still exists. The pump will continue to run on minimum flow recirculation. The injection valve will automatically reopen if vessel level again drops to the low level (Trip Level 2) initiation point.
The HPCS pump motor and injection valve are provided with manual override controls. These controls permit the reactor operator to manually control the system following automatic initiation.
7.3.1.1.1.2 Automatic Depressurization System (ADS) -
Instrumentation and Controls
- a. ADS System Function The automatic depressurization system is designed to provide automatic depressurization of the reactor vessel by activating eight safety/relief valves. These valves vent steam to the suppression pool in the event that the HPCS cannot maintain the reactor water level following a LOCA. ADS reduces the reactor pressure so that flow from the RHRS-LPCI mode and LPCS, can inject into the reactor vessel in time to cool the core and limit fuel barrier temperature. Refer also to <Section 6.3.2>. Refer to
<Section 7.6.1.11> for the relief function of the safety/relief valves.
- b. ADS Operation Schematic arrangements of system mechanical equipment are shown in
<Figure 5.1-3>. ADS component control logic is shown in
<Figure 7.3-3>. Elementary diagrams are listed in <Section 1.7.1>.
Revision 12 7.3-7 January, 2003
Plant layout drawings are shown in <Section 1.2>. Operator information displays are shown in <Figure 5.1-3> and
<Figure 7.3-3>.
The ADS consists of two redundant and independent trip systems, trip systems A and B. The ADS trip system A actuates the A solenoid air pilot valve on each ADS safety/relief valve.
Similarly, the ADS trip system B actuates the B solenoid air pilot valve on each ADS safety/relief valve. Actuation of either solenoid pilot valve causes the ADS safety/relief valve to open and provide depressurization. To prevent inadvertent actuation of the ADS, two channels of logic for each ADS trip system (A & B) are used. Both channels must be activated to actuate an ADS trip system.
One channel of each trip system includes two differential pressure transmitter inputs monitoring reactor vessel low water level (Trip Level 3 and Trip Level 1). The low water Level 3 trip provides confirmation of a reactor vessel low water level condition. The second channel is redundant except the low water level confirmation signal is omitted. A manual inhibit switch is provided to allow the operator to prevent automatic ADS initiation.
To assure that adequate makeup water is available after the vessel has been depressurized, each trip channel includes a pump discharge pressure permissive signal indicating LPCI or LPCS system availability for vessel water makeup. Any one of the three LPCI pumps or the LPCS pump available for reactor coolant makeup is sufficient to permit automatic depressurization.
After receipt of the initiation signals and after a delay provided by timers, each of the two solenoid air pilot valves are energized.
This allows pneumatic pressure from the accumulator to act on the air cylinder operator. Each ADS trip system has a time delay that Revision 12 7.3-8 January, 2003
can be reset manually to delay system initiation. The time delay is selected to be within a period that allows the HPCS to perform its function prior to ADS initiation. In the event of HPCS failure, the time delay period is selected to allow initiation of ADS, LPCI and LPCS in time to maintain the fuel barrier temperature within acceptable limits. If reactor vessel water level is restored by HPCS prior to the end of the time delay, ADS initiation will be prevented.
Once initiated, the ADS logic seals-in and can be reset by the control room operator only when vessel water level returns to normal.
Two control switches (one for each trip system solenoid) are located in the control room for each safety/relief valve associated with the ADS. Each switch controls one of the two solenoid pilot valves.
7.3.1.1.1.3 Low Pressure Core Spray (LPCS) - Instrumentation and Controls
- a. LPCS Function The purpose of the LPCS is to provide low pressure reactor vessel core spray following a loss-of-coolant accident when the vessel has been depressurized and vessel water level has not been restored by the HPCS. The LPCS is functionally diverse to the LPCI mode of the residual heat removal system <Section 6.3.2>.
- b. LPCS Operation Schematic arrangements of system mechanical equipment are shown in
<Figure 6.3-8>. LPCS component control logic is shown in
<Figure 7.3-4>. Elementary diagrams are listed in <Section 1.7.1>.
Revision 12 7.3-9 January, 2003
Plant layout drawings are shown in <Figure 1.2>. Operator information displays are shown in <Figure 6.3-8> and
<Figure 7.3-4>.
The LPCS is initiated automatically by either reactor vessel low water level (Trip Level 1) and/or drywell high pressure. The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated, the LPCS logic seals-in and can be reset by the control room operator only when the initial conditions return to normal.
Refer to <Figure 7.3-4> for a schematic representation of the LPCS system initiation logic.
Reactor vessel water level (Trip Level 1) is monitored by two redundant level transmitters. Drywell pressure is monitored by two redundant pressure transmitters. The vessel level trip unit relay contacts and the drywell pressure trip unit relay contacts are connected in a one-out-of-two twice logic arrangement so that no single instrument failure can prevent initiation of LPCS (i.e.,
LPCS will be initiated when either both level channels, both pressure channels, or one level channel and one pressure channel are tripped).
The LPCS components respond to an automatic initiation signal simultaneously (or sequentially as noted) as follows:
- 1. The Division 1 diesel generator is signaled to start.
- 2. The normally closed test return line to the suppression pool valve E21F012 is signaled closed.
Revision 14 7.3-10 October, 2005
- 3. Following a LOCA initiation signal and if no loss of offsite power has occurred, the LPCS pump is automatically started after a time delay. If a loss of offsite power occurs concurrent with a LOCA initiation signal, the LPCS pump is automatically started immediately, once power is available at the bus.
Revision 14 7.3-10a October, 2005
- 4. Reactor pressure is monitored by a pressure transmitter which senses pressure on the vessel side of the LPCS injection valve E21F005. When the pressure is low enough to protect the LPCS from overpressure and power is available to the pump motor bus, the injection valve is signaled to open. A blue indicating lamp, labeled Pressure Permissive, is installed above the LPCS injection valve manual control switch which will illuminate to inform the operator that the injection pressure is low enough to prevent over pressurization of the LPCS piping.
The LPCS pump discharge flow is monitored by a differential pressure transmitter. When the pump is running and discharge flow is low enough to cause pump overheating to occur, the minimum flow return line valve E21F011 is opened. The valve is automatically closed if flow is normal.
The LPCS pump suction from the suppression pool valve E21F001 is normally open, the control switch is keylocked in the open position, and thus requires no automatic open signal for system initiation.
The LPCS pump and injection valve are provided with manual override controls. These controls permit the operator to manually control the system subsequent to automatic initiation.
7.3.1.1.1.4 RHRS - Low Pressure Coolant Injection (LPCI) Mode -
Instrumentation and Controls
- a. LPCI Function Low pressure coolant injection (LPCI) is an operating mode of the residual heat removal system (RHRS) <Section 5.4.7>. The purpose Revision 12 7.3-11 January, 2003
of the LPCI system is to provide low pressure reactor vessel coolant makeup following a loss-of-coolant accident when the vessel has been depressurized and vessel water level is not restored by the HPCS <Section 6.3.2>.
- b. LPCI Operation Schematic arrangements of system mechanical equipment is shown in
<Figure 5.4-13>. LPCI component control logic is shown in
<Figure 7.3-5>. Elementary diagrams are listed in <Section 1.7.1>.
Plant layout drawings are shown in <Section 1.2>. Operator information displays are shown in <Figure 5.4-13> and
<Figure 7.3-5>.
The LPCI system is initiated automatically by either reactor vessel low water level and/or by drywell high pressure. The system is designed to operate automatically for at least 10 minutes without any actions required by the control room operator. Once initiated, the LPCI logic seals-in and can be reset by the control room operator only when initial conditions return to normal.
Reactor vessel water level (Trip Level 1) is monitored by two redundant differential pressure transmitters. Drywell pressure is monitored by two redundant pressure transmitters.
To initiate the Division 2 LPCI (Loops B and C), the vessel level trip unit relay contacts and the two drywell pressure trip unit relay contacts are connected in a one-out-of-two-twice arrangement so that no single instrument failure can prevent initiation of LPCI (i.e., LPCI will be initiated when either both level channels, both pressure channels, or one level channel and one pressure channel are tripped).
The Division 1 LPCI (Loop A) receives its initiation signal from the LPCS logic.
Revision 14 7.3-12 October, 2005
The LPCI system components respond to an automatic initiation signal simultaneously (or sequentially as noted) as follows (the loop A components are controlled from the Division 1 logic; the loop B and C components are controlled from the Division 2 logic):
- 1. The Division 2 diesel generator is signaled to start from the loop B and C initiation logic.
- 2. When the offsite power or the diesel generators are providing power to the pump motor buses, sequential loading is provided.
This is accomplished by delaying the start of LPCI pumps A and B by 5 seconds while allowing the LPCI pump C to start immediately. The LPCS pump start is delayed when offsite power is providing power to the bus. If power is supplied by the diesel generators, the LPCS pump will start immediately.
- 3. The following normally closed valves are signaled closed to ensure proper system lineup:
(a) (Deleted)
(b) The RHR heat exchanger flush to suppression pool valves E12F011 A, B.
(c) (Deleted)
(d) (Deleted)
(e) The test return line to the suppression pool valves E12F024 A, B and E12F021.
(f) The containment spray valves E12F028 A, B.
Revision 12 7.3-13 January, 2003
- 4. Reactor pressure is monitored by pressure transmitters which sense pressure on the vessel side of LPCI injection valves.
When the pressure is low enough to protect the LPCI lines from overpressure and power is available to the pump motor buses, the injection valves are signaled to open. A blue indicating lamp, labeled Pressure Permissive, is installed above the LPCI injection valve manual control switch which will illuminate to inform the operator that the injection pressure is low enough to prevent over pressurization of the LPCI piping.
The heat exchanger bypass throttle valves E12F048 A, B and the heat exchanger outlet throttle valves E12F003 A, B are signaled to fully open after 110 second time delay. The open signal is automatically removed 10 minutes after system initiation to allow the operator to manually control these valves. This automatic opening function is designed to operate whenever these valves are controlled from the control room. The automatic opening function does not operate when control of these valves is transferred to the remote shutdown station.
Each LPCI pump discharge flow is monitored by a differential pressure transmitter which, when the pump is running and following an 8 second time delay, opens the minimum flow return line valve E12F064 A, B, C if flow is low enough that pump overheating may occur. The valve is automatically closed if flow is normal.
The three RHR pump suction valves from the suppression pool valves E12F004 A and B and F105 have their control switches keylocked in the open position, and thus require no automatic open signal for system initiation. The RHR heat exchanger Revision 12 7.3-14 January, 2003
inlet valves E12F047 A and B are administratively controlled to ensure that they are open and therefore do not require an automatic signal.
The upper pool shutdown cooling valves E12F037 A, B, the two series RHR heat exchanger vent valves E12F073 A and F074 A, B and the RHR shutdown cooling mode suction valves E12F006A, B are all normally closed and thus require no automatic close signal for system initiation. RHR heat exchanger vent valve 1E12F073B is normally open and thus requires an automatic signal to close.
The LPCI pump motors and injection valves are provided with manual override controls. These controls permit the operator to manually control the system subsequent to automatic initiation.
7.3.1.1.2 Containment and Reactor Vessel Isolation Control System (CRVICS) - Instrumentation and Controls
- a. CRVICS Function The CRVICS, also known as nuclear steam supply shutoff system (NSSSS), includes the instrument channels, trip logics and actuation circuits that automatically initiate valve closure providing isolation of the containment and/or reactor vessel, and initiation of systems provided to limit the release of radioactive materials.
- b. CRVICS Operation Schematic mechanical arrangements of containment isolation valves and other components initiated by CRVICS are shown in
- 1. Reactor Vessel Low Water Level A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.
- 2. Drywell High Pressure High pressure in the drywell could indicate a breach of the reactor coolant pressure boundary inside the drywell and that the core is in danger of becoming overheated as reactor coolant inventory diminishes.
- 3. Main Steam Line-High Radiation The main steam line radiation monitoring senses the gross release of fission products from the fuel and initiates alarms and automatic actions to contain the released fission products. Monitor input to isolate MSIVs and associated drain valves has been deleted based on analysis presented in NEDO-31400A.
- 4. Main Steam Line-Tunnel and Pipe Routing in Turbine Building High Ambient Temperature and Differential Temperature High ambient temperature in the tunnel and pipe routing areas in the turbine building in which the main steam lines are located outside of the primary containment could indicate a leak in a main steam line. Such a leak may also be indicated by high differential temperature between the outlet and inlet ventilation air for the MSL tunnel. The automatic closure of valves prevent the excessive loss of reactor coolant and the release of a significant amount of radioactive material from the reactor coolant pressure boundary.
- 5. Main Steam Line-High Flow Main steam line high flow could indicate a breach in a main steam line. Automatic closure of isolation valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the reactor coolant pressure boundary.
- 6. Main Turbine Inlet - Low Steam Pressure Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure regulator in which the turbine control valves or turbine bypass valves become fully open, and causes rapid depressurization of the reactor vessel.
- 7. Containment and Drywell Purge and Vent Exhaust Radiation Monitor The containment and drywell purge and vent exhaust radiation monitor consists of four sensor and trip units. Each channel has two trips. The upscale trip indicates high radiation and the downscale trip indicates instrument trouble.
- 8. Reactor Water Cleanup (RWCU) System-High Differential Flow High differential flow in the reactor water cleanup system could indicate a breach of the system pressure boundary of the cleanup system. The flow at the inlet to the system (suction from recirculation lines) is compared with the flow at the outlets of the system (flow return to feedwater or flow to the main condenser and/or radwaste).
- 9. Reactor Water Cleanup (RWCU) System-Area High Ambient Temperature and Differential Temperature High temperature in the equipment room areas of the reactor water cleanup system could indicate a breach in the reactor coolant pressure boundary in the cleanup system.
- 10. RHR System-Area High Ambient Temperature and Differential Temperature See Section 7.6.1.3.
- 11. High Temperature at the Outlet of the RWCU Nonregenerative Heat Exchanger A high temperature signal for coolant at the discharge of the nonregenerative heat exchanger indicates the potential for damage to the filter demineralizer resins.
- 12. SLCS Actuation Based on the need to prevent removal of the boron solution from the vessel after SLCS injection, RWCU isolation valves G33-F001 and G33-F004 are actuated closed by the CRVICS logic on inputs from SLCS pump A and pump B actuation respectively.
- 13. Reactor Vessel Pressure Operation of the RHR system at a high reactor vessel pressure could result in exceeding the design pressure of the system resulting in damage to piping and components and loss of reactor coolant.
- 14. Main Condenser Vacuum Trip The main turbine condenser low vacuum signal could indicate a leak in the condenser. Initiation of automatic closure of various valves will prevent excessive loss of reactor coolant and the release of significant amounts of radioactive material.
- a. Containment Spray Cooling Mode Function The containment spray cooling mode is an operating mode of the RHR system. It is designed to provide the capability of condensing steam in the containment atmosphere, removing fission products Revision 12 7.3-27 January, 2003
- b. Containment Spray Cooling Mode Operation Schematic arrangements of system mechanical equipment is shown in
- 2. Drywell high pressure is monitored by two redundant pressure transmitters. One of the two transmitters must indicate high pressure.
- 3. The containment pressure must equal or exceed 9 psig.
- 4. A 10-minute delay after LOCA is detected.
- a. RHRS-SPCM Function The suppression pool cooling mode is an operating mode of the residual heat removal system. It is designed to prevent suppression pool temperature from exceeding predetermined limits following a reactor blowdown of the ADS or safety/relief valves.
- b. SPCM Operation Schematic arrangements of system mechanical equipment is shown in
- 1. The RHR Pump (A or B) is started. The emergency service water pump is started and the RHR heat exchanger service water discharge valve is opened.
- 2. The RHR test return line valve E12F024 A, B is opened.
- 3. The RHR heat exchanger inlet and outlet valves E12F047 A, B and E12F003A, B are open. The heat exchanger bypass valve E12F048 A, B and valve E12F003 A, B are throttled as necessary.
- 1. Once reactor vessel water level has been restored, the LPCI flow must be terminated by closing the LPCI injection valve E12F042 A, B. Closing the injection valve causes the LOCA initiation logic to be overridden and allows operator control of the valve.
- 2. The RHR test return line valve E12F024 A, B control logic also has LOCA signal override provisions. This allows the operator to open the valve. The valves have provisions for throttling capability in order to support the operation of the M51 combustible gas mixing compressors. The After Coolers for these compressors are cooled using the RHR system.
- 3. The RHR heat exchanger inlet and outlet valves E12F047 A, B and E12F003 A, B are open. The heat exchanger bypass valve E12F048 A, B, can be closed after a time delay (a ten minute timer keeps this valve open following a LOCA).
- a. EWS Function The purpose of the emergency water systems instrumentation and controls is to initiate appropriate responses from the systems to ensure the ECCS system receives adequate cooling water in the event of a design basis accident. The emergency water systems consists of two subsystems:
- 1. Emergency Service Water (ESW) System
- 2. Emergency Closed Cooling (ECC) System Emergency water systems are also used during plant shutdown, hot standby condition and when running the RHR pumps and diesel generators.
- b. ESW System Operation The control and instrumentation equipment for the emergency service water system is located in the auxiliary building, diesel-generator building, service water pumphouse, and the intermediate building
- c. ECC System Operation The ECC system provides the required cooling water for the emergency core cooling support components, i.e., RHR pump and room coolers, LPCS room cooler, RCIC room cooler, control complex chillers and the hydrogen analyzers. The system is designed to provide the required cooling without compromising the independence of the redundant core cooling systems.
- 1. Emergency service water pumps start to supply cooling water to ECC system heat exchangers.
- 2. ECC system pumps start.
- 3. Motor-operated valves on nuclear closed cooling system supply and return lines to the fuel pool coolers are closed (0P42-F380A, B, 0P42-F440, 0P42-F390A, B, and 0P42-F445).
- a. System Function The purpose of the control complex HVAC system instrumentation and controls is to monitor the control complex atmosphere and to initiate appropriate responses from the system to ensure the continued habitability of the control complex. The instrumentation and controls for this system are shown on <Figure 6.4-1>,
- 1. Control room HVAC system
- 2. Control complex chilled water system
- b. System Operation The control room HVAC system consists of two independent control loops; the power for each loop is supplied from the Class 1E electrical system.
- a. System Function The ESF building and area HVAC systems provide and maintain suitable environmental conditions for ESF or ESF supporting Revision 13 7.3-37 December, 2003
- 2. Battery room exhaust system.
- 3. Diesel generator building ventilation system.
- b. System Operation The MCC, switchgear and miscellaneous electrical equipment area HVAC system consists of two redundant trains of fans, filters, plenums, and ductwork Refer to <Figure 9.4-1>.
- a. System Function The AEGTS maintains a negative pressure differential between the containment vessel annulus and the outside so that leakage from the containment vessel will be detained in the annular space, mixed with the annulus space air, diluted with air leakage into the annular space, and filtered before release to the unit vent
- b. System Operation The AEGTS consist of two independent and redundant systems. One system operates during normal plant operation and the standby system is automatically initiated by a LOCA signal or abnormal low air flow.
- a. System Function The purpose of the pump room cooling systems instrumentation and controls is to provide indication of proper cooling operation and to provide controls to put the cooling system into operation.
- b. System Identification The pump rooms cooling system consists of the following subsystems:
- 1. The emergency core cooling system pump room cooling systems (ECCSCS)
- 2. The emergency service water pumphouse ventilation system (ESWVS).
- 3. The emergency closed cooling pump area cooling system (ECPCS).
- c. System Operation
- 1. ECCSCS The fan cooling unit for the reactor core isolation cooling pump room will run in conjunction with the RCIC pump because it is interlocked with the RCIC turbine steam admission valve.
- 2. ESWVS The electric motor-operated outside and return air dampers in each fan mixing box are controlled by a temperature controller. The outside air dampers fail closed and the return air dampers fail open on loss of control signal. When the corresponding fan is stopped, the dampers are in their fail position. When the corresponding fan is started, the dampers are permitted to modulate.
- 3. ECPCS The fan cooling units are interlocked with the associated pump motor circuits and will run whenever their associated pump runs.
- a. Containment Combustible Gas Control System Function The purpose of the combustible gas control in containment system is to monitor for the presence of free hydrogen gas within the drywell and containment following the unlikely event of a LOCA and to provide a means of controlling the buildup of this gas in the containment. Upon the detection of predetermined concentrations of hydrogen, the mixing system, and recombiner system will be manually started to mix the atmosphere within the drywell and containment, and to reduce the concentration of hydrogen within the drywell and containment. The combustible gas purge system can also be manually placed in operation from the control room to vent the drywell
- 1. Hydrogen Analysis System
- 2. Hydrogen Mixing System
- 3. Hydrogen Recombination System
- 4. Combustible Gas Purge System
- b. System Operation The hydrogen analysis system consists of two completely redundant hydrogen analyzers each with control room recorders and switch stations. One is located in the auxiliary building at Elevation 620-6 and the other in the intermediate building at Elevation 654-6 <Figure 1.2-5> and <Figure 1.2-7>. One is supplied by Division 1, the other by Division 2. Each analyzer Revision 12 7.3-46 January, 2003
- a. System Function The suppression pool makeup (SPMU) system instrumentation and controls are designed to allow transfer of a portion of the water from the upper pool to the suppression pool. It will ensure long term drywell vent water coverage for all conceivable postaccident entrapment volumes, by gravity flow from the upper pool in accordance with the design basis described in <Section 6.2.7>.
- b. System Operation Four motor operated valves are furnished, two for each line, along with appropriate piping to route water from the upper pool to the suppression pool when the occasion demands it. Four narrow range (16-19 ft) suppression pool level measuring sensors are provided which will signal the need for water when the low-low water level (LLWL) is reached following a LOCA. Additionally, automatic makeup occurs following a LOCA plus a time delay. System logic is shown in <Figure 7.3-9>. For system P&ID, see <Figure 6.2-67>.
- a. System Function The CVR system is provided to limit the buildup of negative pressure inside the containment vessel in the event that one or both of the containment spray loops are inadvertently actuated
- b. System Operation The check valves are normally closed while the motor operated isolation valves are normally open. Both valves can be operated from the control room. The motor-operated isolation valve is closed automatically by a containment isolation signal. If vacuum relief is required during containment isolation, differential Revision 12 7.3-50 January, 2003
- a. System Function The purpose of the diesel generator support system instrumentation and control is to ensure the availability of an adequate fuel oil supply and starting air pressure to start and operate the diesel generators and to ensure that the ventilation fans are available to carry away heat from the diesel generators and prevent heat buildup in the room. Additionally, lubricating oil level and temperature and coolant temperature are maintained and monitored to assure quick start capability. The diesel generator ventilation system is discussed in <Section 7.3.1.1.8>.
- 1. Diesel generator fuel oil system.
- 2. Diesel generator starting air system.
- 3. Diesel generator ventilation system.
- 4. Lubricating oil system.
- 5. Cooling water system.
- b. System Operation
- 1. Diesel Generator Fuel Oil System The instrumentation and controls for the diesel generator fuel oil storage and transfer system are provided to ensure that fuel is always available in the day tank and to alert the plant operators to any conditions which might jeopardize that objective so that corrective action can be taken.
- 2. Diesel Generator Starting Air System The diesel generator starting air system instrumentation and controls are provided to ensure that an adequate supply of compressed air is always available during plant operation.
- 3. Diesel Generator Lubrication System The diesel engine lubrication oil system is provided with sensors, controls and alarms as required to ensure complete monitoring of satisfactory system performance, safe engine operation and to alert the plant operators to abnormal conditions requiring investigation and corrective action. For the standby diesel generators, this system is instrumented as shown on <Figure 9.5-11>. For the standby diesel generators, instrumentation and controls are provided to monitor system pressures at important points, lubrication oil temperatures in and out of the engine, sump tank level, and provide automatic operation of the keepwarm circulating pump and heater. The HPCS diesel generator lubricating oil system is detailed in
- 4. Diesel Generator Cooling Water System The diesel engine cooling water system is designed to remove the heat loads of the engine air intercooler, oil cooler and water jacket. Additional information on this system is provided in <Section 9.5.5> for the standby diesel generators and <Section 9.5.9.2> for the HPCS diesel generators.
- a. FHAES Function The purpose of the exhaust subsystem is to exhaust air from potentially contaminated areas. The air is filtered and passed through a charcoal filter train prior to discharge to atmosphere via the unit vent.
- b. FHAES Operation The exhaust subsystem consists of three-50 percent capacity exhaust fans and three-50 percent capacity charcoal filter trains. These filter trains include demisters, roughing filters, electric heating coils, HEPA prefilters, charcoal filters, and HEPA after-filters.
- 1. Indication of which exhaust fans are energized (status light).
- 2. Low air flow with exhaust fan in operation (alarm).
- 3. Smoke in exhaust fan common discharge ducts (alarm).
- 4. High radiation in the exhaust duct (alarm).
- 5. High and high-high temperature in the charcoal beds (alarm).
- 6. FHB HVAC system overload/power lost (alarm).
- 7. Continuous carbon bed temperature indication on panel H13-P904.
- 8. Exhaust air high moisture (alarm).
- a. Variables Monitored to Provide Protective Action The following variables are monitored in order to provide protective actions to the ESF systems:
- 1. HPCS (a) Reactor Vessel Low Water Level (Trip Level 2)
- 2. ADS (a) Reactor Vessel Low Water Level (Trip Level 3)
- 4. CRVICS (a) Reactor Vessel Low Water Level (Trip Level 3)
- 5. (Deleted)
- 6. RHRS-CSCM (a) Drywell High Pressure (b) Reactor Vessel Water Level (Trip Level 1)
- 7. RHRS-SPCM (a) Suppression Pool Temperature (b) Drywell High Pressure Revision 12 7.3-62 January, 2003
- 8. Emergency Water Systems: ESW and ECC (a) RHR, LPCS, RCIC, or Diesel Generator Start (b) HPCS Start (just Loop C of ESW is needed)
- 9. Containment Combustible Gas Control System (a) Containment hydrogen concentration
- 10. Standby Power Systems (a) HPCS and Standard Diesel Generator Systems (1) Refer to <Section 8.3.2>
- 12. Suppression Pool Makeup System (a) Reactor Vessel Low Water Level (Trip Level 1)
- 13. Containment Vacuum Relief System (a) Reactor Vessel Low Water Level (Trip Level 2)
- 15. Pump Room Cooling Systems (a) ECCS Pump Motor Running (b) RCIC Steam Admission valve Open. (RCIC Pump Room only)
- 16. Control Complex HVAC (a) Reactor Vessel Low Water Level (Trip Level 1)
- 17. Fuel Handling Area Ventilation System (a) Charcoal Filter Inlet High Radiation The plant conditions which require protective action involving the ESF systems are described in <Chapter 15> and <Appendix 15A>.
- b. Location and Minimum Number of Sensors Where applicable in Technical Specifications, the minimum number of sensors is specified to monitor safety-related variables. There are no sensors in the ESF systems which have a spatial dependence.
- c. Prudent Operational Limits Operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious ESF system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.
- d. Margin The margin between operational limits and the limiting conditions of operation of ESF systems are accounted for in Technical Specifications.
- e. Levels Levels requiring protective action are established in Technical Specifications.
- f. Range of Transient, Steady-State and Environmental Conditions Environmental conditions for proper operation of the ESF components are discussed in <Section 3.11>.
- g. Malfunctions, Accidents and Other Unusual Events Which Could Cause Damage to Safety System
- 1. Floods The buildings containing ESF systems components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water-tight under PMF conditions including wind generated wave action and wave runup. For a discussion of internal flooding protection, refer to <Section 3.4.1> and <Section 3.6>.
- 2. Storms and Tornadoes The buildings containing ESF systems components have been designed to withstand meteorological events described in
- 3. Earthquakes The structures containing ESF systems components have been seismically qualified as described in <Section 3.7> and
- 4. Fires To protect the ESF systems in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the ESF systems functions would not be prevented by the fire. The use of separation and fire barriers ensures that even though some portion of the systems may be affected, the ESF systems will continue to provide the required protective action.
- 5. LOCA The ESF systems components functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in <Section 3.11>.
- 6. Pipe Break Outside Secondary Containment This condition will not affect the ESF systems. Refer to
- 7. Missiles Protection for safety-related components is described in
- h. Minimum Performance Requirements Minimum performance requirements for ESF instrumentation and controls are provided in Technical Specifications.
- a. Criterion 33 See <Section 7.3.1.1.1> (HPCS).
- d. Criterion 37, 46 See <Section 7.3.2.1.3> <Regulatory Guide 1.22>.
- e. Criterion 38 See <Section 7.3.1.1.4> (RHRS-CSCM), <Section 7.3.1.1.5>
- f. Criterion 40 See <Section 7.3.1.1.4> (RHR-CSCM) and <Section 7.3.1.1.5>
- g. Criterion 41 See <Section 7.3.1.1.11> (CCGC) and <Section 7.3.1.1.9> (AEGTS).
- h. Criterion 44 See <Section 7.3.1.1.6> (EWS)
- i. Criterion 64 See <Section 7.3.1.1.4> (CRVICS).
- a. IEEE Standard 279 Criteria for Protection Systems for Nuclear Power Generating Stations
- 1. General Functional Requirement (IEEE Standard 279, Paragraph 4.1)
- 2. Single Failure Criterion (IEEE Standard 279, Paragraph 4.2)
- 3. Quality Components (IEEE Standard 279, Paragraph 4.3)
- 4. Equipment Qualification (IEEE Standard 279, Paragraph 4.4)
- 5. Channel Integrity (IEEE Standard 279, Paragraph 4.5)
- 6. Channel Independence (IEEE Standard 279, Paragraph 4.6)
- 7. Control and Protection Interaction (IEEE Standard 279, Paragraph 4.7)
- 8. Derivation of System Inputs (IEEE Standard 279, Paragraph 4.8)
- 9. Capability of Sensor Checks (IEEE Standard 279, Paragraph 4.9)
- 10. Capability for Test and Calibration (IEEE Standard 279, Paragraph 4.10)
- 11. Channel Bypass or Removal from Operation (IEEE Standard 279, Paragraph 4.11)
- 12. Operating Bypasses (IEEE Standard 279, Paragraph 4.12)
- 13. Indication of Bypasses (IEEE Standard 279, Paragraph 4.13)
- 14. Access to Means for Bypassing (IEEE Standard 279, Paragraph 4.14)
- 15. Multiple Trip Settings (IEEE Standard 279, Paragraph 4.15)
- 16. Completion of Protective Action Once Initiated (IEEE Standard 279, Paragraph 4.16)
- 17. Manual Initiation (IEEE Standard 279, Paragraph 4.17)
- 18. Access to Setpoint Adjustments (IEEE Standard 279, Paragraph 4.18)
- 19. Identification of Protective Actions (IEEE Standard 279, Paragraph 4.19)
- 20. Information Readout (IEEE Standard 279), Paragraph 4.20)
- 21. System Repair (IEEE Standard 279, Paragraph 4.21)
- 22. Identification of Protection Systems (IEEE Standard 279, Paragraph 4.22)
- a. <Regulatory Guide 1.7>
- b. <Regulatory Guide 1.22>
- c. <Regulatory Guide 1.53>
- d. <Regulatory Guide 1.62> - Manual Initiation of Protective Actions The HPCS, LPCS and the Division 2 LPCI system are manually initiated at the system level from the control room by actuation of a switch. The LPCS switch also initiates the Division 1 LPCI system.
- e. <Regulatory Guide 1.73> - Qualification Testing of Electric Motor Operators installed Inside the Containment of Nuclear Power Plants See <Section 3.10> and <Section 3.11> for discussion of compliance.
- f. <Regulatory Guide 1.95> - Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release See <Section 1.8> for discussion of compliance.
- g. <Regulatory Guide 1.96> - Design of Main Steam Isolation valve Leakage Control System for Boiling Water Reactor Nuclear Power Plants MSIV-LCS has been eliminated and is abandoned in place.
- 1. Reactor Vessel Water Level (1)(2)(3)
- 2. Main Steam Line Pressure - Low 1.0 See Note (1)(2)(3)
- 3. Main Steam Line Flow - High 0.5 See Note NOTES:
4.1 DESCRIPTION
This section discusses the instrumentation and controls of the following systems required for safe plant shutdown:
- a. Reactor Core Isolation Cooling (RCIC) System
- b. Standby Liquid Control System (SLCS)
- c. RHRS Shutdown Cooling Mode (RSCM)
- d. Remote Shutdown System (RSS)
The sources which supply power to the safe shutdown systems originate from onsite ac and/or dc safety-related buses. Refer to <Chapter 8> for a complete discussion of the safety-related power sources.
7.4.1.1 Reactor Core Isolation Cooling (RCIC) System
- a. RCIC System Function The reactor core isolation cooling system <Section 5.4.6>
instrumentation is designed to maintain or supplement reactor vessel water inventory during the following conditions:
- 1. When the reactor vessel is isolated from its primary heat sink (the main condenser) and maintained in the hot standby condition.
- 2. When the reactor vessel is isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system.
7.4-1 Revision 12 January, 2003
- 3. When the plant is being shutdown and normal coolant flow from the feedwater system is lost before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation.
- b. RCIC System Operation Schematic arrangements of system mechanical equipment is shown in
<Figure 5.4-9>. RCIC system component control logic is shown in
<Figure 7.4-1>. Plant layout drawings are shown in <Section 1.2>
and elementary diagrams are listed in <Section 1.7.1>. Operator information displays are shown in <Figure 5.4-9> and
<Figure 7.4-1>.
The RCIC system can be initiated either manually or automatically.
The control room operator can initiate RCIC by operating the manual initiation switch which simulates an automatic initiation or by activating each piece of equipment sequentially as required.
RCIC is automatically initiated by four redundant differential pressure transmitters/trip relay contacts, arranged in a one-out-of-two-twice logic configuration, which sense reactor vessel low water trip (trip Level 2).
The RCIC steam line isolation motor-operated (MO) inboard valve, the RCIC steam line isolation MO outboard valve, and the turbine exhaust to the suppression pool MO valve are in the open position and they require no change of position for automatic system initiation.
7.4-2 Revision 12 January, 2003
The RCIC system responds to an automatic initiation signal and reaches design flow rate within 30 seconds as follows (actions are simultaneous unless stated otherwise):
- 1. The pump suction from the condensate storage tanks valve E51F010 is signaled open.
- 2. To ensure that pump discharge flow is directed to the reactor vessel only, the test return line to the condensate storage tank valves E51F022 and E51F059 are signaled closed.
- 3. The turbine steam inlet valve 1E51F0045 is signaled to open.
- 4. When the turbine steam inlet valve E51F045 starts to open, the RCIC pump discharge to reactor vessel valve E51F013 is signaled open. Valve E51F013 is prohibited from opening or, if open, automatically closes when E51F045 or the turbine trip and throttle valve is closed.
- 5. The turbine gland seal compressor is signaled to start.
- 6. When valve E51F045 leaves the closed position, the RCIC turbine speed accelerates until the automatic flow controller set point is reached and the system discharge flow is controlled by the turbine electronic governor mechanism.
If water level in the condensate storage tanks becomes low, RCIC pump suction is automatically transferred from the condensate storage tank to the suppression pool by opening valve E51F031.
When the Control Room is notified of the issuance of a tornado warning for the vicinity of the plant, or if a tornado is sighted in the immediate vicinity of the plant, administrative controls 7.4-3 Revision 12 January, 2003
require the RCIC suction to be aligned to the tornado missile protected suppression pool. Once valve F031 is fully open, the condensate storage tank valve E51F010 is automatically closed.
The RCIC system includes design features which provide system equipment protection or accomplish containment isolation if certain types of abnormal events occur. The turbine is either manually trip actuated by the control room operator or automatically shut down by closing the turbine trip and throttle valve if any of the following conditions are detected:
- 1. Turbine overspeed
- 2. High turbine exhaust pressure
- 3. RCIC isolation signal
- 4. Low pump suction pressure To protect the RCIC pump from overheating during low flow conditions, the pump discharge flow and pressure are monitored. If the pump discharge pressure transmitter indicates that the pump is running and the pump discharge flow transmitter indicates low flow, the minimum flow return line valve E51F019 is automatically opened.
The minimum flow valve is automatically closed when flow is normal or when either the turbine trip and throttle valve or the steam inlet valve E51F045 is closed.
High water level in the reactor vessel indicates that the RCIC system has performed satisfactorily in providing make up water to the reactor vessel. Further increase in level could result in RCIC system turbine damage caused by gross carry-over of moisture. To prevent this, a high water level trip is used to initiate closure 7.4-4 Revision 12 January, 2003
of steam supply valve E51F045, to shut off the steam to the turbine and halt RCIC operation. The system will automatically reinstate if the water level decreases to the reactor water low level trip point.
Air operated (AO) valves E51F025, F026, and F054, and a condensate drain pot are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The water level in the steam line drain condensate pot is controlled by a level switch and valve E51F054 which energizes to allow condensate to flow out of the drain pot by bypassing the steam trap. The drainage path is isolated by closing E51F025 and E51F026 upon receipt of an RCIC initiation signal.
RCIC steam turbine exhaust line vacuum breaker valves E51F077, E51F078 and turbine exhaust to suppression pool MO E51F068 are normally open but close automatically following system trip on low steam line pressure if drywell pressure exceeds the setpoint.
Detection of abnormal conditions by redundant leak detection portions of the RCIC system will cause system isolation as follows:
- 1. Division 1 circuitry will override the manual control switches and signal the outboard steamline isolation valve F064 and pump suction to suppression pool valve F031 to close.
- 2. Division 2 circuitry will override the manual control switches and signal the inboard steamline isolation valve F063 and steamline warmup valve F076 to close.
The conditions that will initiate the isolation are:
- 1. RCIC low steamline pressure.
7.4-5 Revision 12 January, 2003
- 2. RCIC steam supply line high differential pressure.
- 3. Main steam tunnel high ambient or differential (inlet/outlet) ventilation air temperature.
- 4. RHR equipment area high ambient or differential (inlet/outlet) ventilation air temperature. Differential temperature instrumentation is required to provide the leak detection isolation signal only when the room coolers are running.
- 6. RCIC equipment area high ambient temperature.
For a complete description of the RCIC system leak detection isolation signals, see <Section 7.6.1>.
The RCIC system may be isolated after initiation by the control room operator by actuation of a switch which causes the outboard steamline isolation valve to close.
7.4.1.2 Standby Liquid Control System (SLCS)
- a. SLCS Function The standby liquid control system <Section 9.3.5> instrumentation is designed to manually initiate injection of a liquid neutron absorber into the reactor. Other instrumentation is provided to maintain this liquid chemical solution well above saturation temperature in readiness for injection.
7.4-6 Revision 12 January, 2003
The SLCS is a backup independent method of manually shutting down the reactor to cold shutdown conditions from normal operation or from anticipated transient conditions when control rod insertion capability is lost.
- b. SLCS Operation Schematic arrangements of system mechanical equipment is shown in
<Figure 9.3-19>. SLCS component control logic is shown in
<Figure 7.4-2>, with applicable drawings listed in <Section 1.7.1>.
Operator information displays are shown in <Figure 9.3-19> and
<Figure 7.4-2>.
The SLCS is initiated by the control room operator by turning a keylocked switch for system A, or a different keylocked switch for system B to the ON position. The key is removable in the OFF position. Should the selected pump fail to start, the other key switch may be used to select the alternate pump loop.
When the SLCS is initiated, the explosive-operated valve in the selected loop fires and the tank discharge valve starts to open immediately. The pump that has been selected for injection will not start until the tank discharge valve is fully open.
Pumps are interlocked so that either the storage tank discharge valve or the test tank discharge valve must be open for the pump to run unless the pumps are being tested using the momentary contact pump test switch. When SLCS system A is initiated the outboard RWCU isolation valve is automatically closed and when SLCS system B is initiated the inboard RWCU isolation valve is automatically closed.
7.4-7 Revision 12 January, 2003
7.4.1.3 RHRS/Reactor Shutdown Cooling Mode (RSCM)
- a. RSCM Function The Reactor Shutdown Cooling Mode <Section 5.4.7> of the RHR System is used during a normal reactor shutdown.
The RSCM consists of instrumentation designed to provide decay heat removal capability for the reactor core by accomplishing the following:
- 1. Reactor cooling during shutdown operation after the vessel pressure is reduced to approximately 130 psig.
- 2. Cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished.
- 3. Diverting part of the shutdown flow to the reactor vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.
- b. RSCM Operation The reactor shutdown cooling system contains two loops. Either loop is sufficient to satisfy the cooling requirements for shutdown cooling. However, both loops share a common suction line with two suction valves in series. In the event that one of the suction valves fails closed and normal shutdown cooling is not available, an alternate shutdown cooling loop may be established. The normal shutdown suction path may be bypassed by manually switching to take suction water from the suppression pool, returning through the LPCI line and manually opening the ADS valves to allow reactor water to flow back through the SRV discharge line to the suppression pool.
7.4-8 Revision 12 January, 2003
The ADS valves may be actuated by either Division 1 or Division 2 power, thus providing redundancy in the event of a divisional power failure.
See <Section 5.4.7> for a complete description of the RSCM operation.
7.4.1.4 Remote Shutdown System (RSS)
- a. RSS Function The RSS is designed to achieve a cold reactor shutdown from outside the control room following these postulated conditions:
- 1. The plant is at normal operating conditions and all plant personnel have been evacuated from the control room and it is inaccessible.
- 2. The initial event that causes the control room to become inaccessible is assumed to be such that the reactor operator can manually scram the reactor before leaving the control room. Two backup means of scramming the reactor from outside the control room are available. This can be accomplished by opening the output breakers at ATWS UPS distribution panels EVIA and EVIB or by opening the output breakers of the RPS MG sets.
- 3. Under normal conditions, the main turbine pressure regulators may be controlling reactor pressure via the bypass valves. It is assumed that this turbine generator control panel function is also lost. In the event of a pressure decrease to the MSIV isolation setpoint, the inboard MSIVs will be shut from the 7.4-9 Revision 12 January, 2003
Division 1 remote shutdown panel. Increases in reactor pressure will be relieved through the safety relief valves to the suppression pool.
- 4. The reactor feedwater system which is normally available is also assumed to be inoperable. Reactor vessel water inventory is provided by the RCIC system.
The RSS is required only during times of control room inaccessibility when normal plant operating conditions exist (i.e.,
no transients or accidents are occurring).
- b. Remote Shutdown System Operation Some of the existing systems used for normal reactor shutdown operation are also utilized in the remote shutdown capability to shut down the reactor from outside the control room. The Division 1 remote shutdown capability is designed to control the required shutdown systems from outside the control room irrespective of hot shorts, open circuits, or shorts to ground in the associated control room circuits that may have resulted from an event causing an evacuation (for example, a damaging fire in the control room). The functions needed for Division 1 remote shutdown control are provided with manual transfer switches at the remote shutdown panel which override controls from the control room, provide complete electrical isolation of the associated control room circuits, and transfer the controls to the Division 1 remote shutdown panel. Division 1 remote shutdown control is not possible without actuation of the transfer devices. All necessary power supplies and control logic are also transferred. Operation of the transfer devices used to transfer control of devices from the control room to the Division 1, remote shutdown panel, causes an alarm in the control room. Access to the Division 1 remote shutdown panel is administratively and procedurally controlled.
Revision 15 7.4-10 October, 2007
Most system equipment (i.e., valves and pumps) necessary for proper system lineup and complete system control are located on the Division 1 Revision 15 7.4-10a October, 2007
remote shutdown panel. Additional equipment required for remote shutdown capability are provided with combination transfer/control switches located on associated MCC doors (valves) and local panels (fans, chillers, pumps). Operation of these transfer/control switches causes an alarm in the control room by de-energizing voltage monitor relays. Equipment required for remote shutdown capability that has only voltage monitoring and/or indicating light circuits in the control room are provided with isolating fuses.
Redundant remote shutdown capability is provided using the Division 2 remote shutdown controls. These controls are designed to parallel the controls from the control room. All signals required for the Division 2 remote shutdown panel will be supplied from the ERIS data acquisition cabinet. An indicating panel for the Division 2 remote shutdown system is located in the Division 2 switchgear room. The Division 2 remote shutdown is controlled by pull-to-lock switches mounted on the switchgear and MCC panels.
The pull-to-lock switches are used to control pumps and valves of associated essential safe shutdown systems.
Manual activation of safety relief valves and the initiation of the reactor core isolation cooling (RCIC) system will maintain reactor water inventory and bring the reactor to a hot shutdown condition after scram. In the case of the Division 2 remote shutdown system, assume that automatic initiation of HPCS has occurred, thereby providing for RCIC system backup. During this phase of shutdown, the suppression pool will be cooled by operating the residual heat removal (RHR) system in the suppression pool cooling mode. Reactor pressure will be controlled and core decay and sensible heat rejected to the suppression pool by relieving steam pressure through the relief valves.
This procedure will cool the reactor and reduce its pressure at a controlled rate until reactor pressure becomes so low that the RCIC 7.4-11 Revision 12 January, 2003
system is unable to sustain operation. The RHR system will then be operated in the shutdown cooling mode using the RHR system heat exchanger to cool reactor water and bring the reactor to the cold low pressure condition.
- 1. Reactor Core Isolation Cooling (RCIC) System The following RCIC System equipment/functions have transfer and control switches located on the Division 1 remote shutdown control panel:
E51-F010: Motor-operated valve (pump suction from condensate storage)
E51-F013: Motor-operated valve (RCIC injection shutoff)
E51-F019: Motor-operated valve (minimum flow to suppression pool)
E51-F022: Motor-operated valve (test bypass to condensate storage)
E51-C004: Gland seal system air compressor E51-F031: Motor-operated valve (pump suction from suppression pool)
E51-F045: Motor-operated valve (steam to turbine)
E51-F059: Motor-operated valve (test bypass to condensate storage)
E51-F063: Motor-operated valve (steam supply line isolation inboard)
E51-F064: Motor-operated valve (steam supply line isolation, outboard)
E51-F068: Motor-operated valve (turbine exhaust to suppression pool)
E51-F076: Motor-operated valve (steam line warmup line isolation) 7.4-12 Revision 12 January, 2003
E51-F077: Motor-operated valve (vacuum breaker isolation outboard)
E51-F078: Motor-operated valve (vacuum breaker isolation inboard)
E51-F510: Motor-operated valve (turbine trip and throttle valve)
See <Figure 5.4-10>.
The following RCIC system instrumentation is provided on the Division 1 remote shutdown control panel:
C61-R001: RCIC flow controller and indicator C61-R003: RCIC turbine speed indicator Indicating lights are provided for conditions of turbine tripped, turbine bearing oil low pressure, turbine governor bearing oil temperature high, and turbine coupling end bearing oil temperature high.
Valve position and pump status indicators are also provided.
- 2. Residual Heat Removal (RHR) System The following RHR system loop A equipment/functions have transfer and control switches located at the Division 1 remote shutdown control panel:
E12-C002A: Residual heat removal pump E12-F003A: Motor-operated valve (heat exchanger shell side outlet)
E12-F004A: Motor-operated valve (RHR pump suction)
E12-F006A: Motor-operated valve (shutdown cooling)
E12-F006B: Motor-operated valve (shutdown cooling) 7.4-13 Revision 12 January, 2003
E12-F008: Motor-operated valve (outboard shutdown isolation)
E12-F009: Motor-operated valve (inboard suction isolation)
E12-F011A: Motor-operated valve (RHR heat exchanger flow to suppression pool)
E12-F023: Motor-operated valve (reactor head spray)
E12-F024A: Motor-operated valve (RHR test line)
E12-F027A: Motor-operated valve (injection shutoff)
E12-F028A: Motor-operated valve (containment spray)
E12-F037A: Motor-operated valve (shutoff upper pool cooling)
E12-F042A: Motor-operated valve (RHR injection)
E12-F047A: Motor-operated valve (heat exchanger shell side inlet)
E12-F048A: Motor-operated valve (heat exchanger shell side bypass)
E12-F040: Motor-operated valve (discharge to radwaste)
E12-F053A: Motor-operated valve (RHR injection)
E12-F064A: Motor-operated valve (RHR pump minimum flow)
E12-F609: Motor-operated valve (SPCU to RHR second outboard isolation)
The following RHR system loop B equipment/functions have control switches located at their respective motor control centers or switchgear panels:
E12-C002B: Residual heat removal pump E12-F003B: Motor-operated valve (heat exchanger shell side outlet)
E12-F004B: Motor-operated valve (RHR pump suction)
E12-F011B: Motor-operated valve (RHR heat exchanger flow to suppression pool)
E12-F024B: Motor-operated valve (RHR test line)
E12-F027B: Motor-operated valve (injection shutoff)
E12-F028B: Motor-operated valve (containment spray)
E12-F037B: Motor-operated valve (shutoff upper pool cooling) 7.4-14 Revision 12 January, 2003
E12-F042B: Motor-operated valve (RHR injection)
E12-F047B: Motor-operated valve (heat exchanger shell side inlet)
E12-F048B: Motor-operated valve (heat exchanger shell side bypass)
E12-F053B: Motor-operated valve (RHR injection)
E12-F064B: Motor-operated valve (RHR pump minimum flow)
See <Figure 5.4-13>.
The following RHR instrumentation is located on the Division 1 remote shutdown control panel:
C61-R005: RHR flow indicator for loop A The following RHR instrumentation is located on the Division 2 remote shutdown indicating panel:
C61-R025: RHR flow indicator for loop B.
Valve position status indication and pump status indication.
- 3. Nuclear Boiler System The following functions have transfer and control switches located at the Division 1 remote shutdown control panel and control switches at the Division 2 remote shutdown control panel:
B21-F051C: Air operated safety relief valve B21-F051G: Air operated safety relief valve B21-F051D: Air operated safety relief valve 7.4-15 Revision 12 January, 2003
The following functions have transfer and control switches located at the Division 1 remote shutdown control panel:
B21-F022A: Inboard main steam line A isolation valve.
B21-F022B: Inboard main steam line B isolation valve.
B21-F022C: Inboard main steam line C isolation valve.
B21-F022D: Inboard main steam line D isolation valve.
The following function has transfer/control switches located on the associated MCC compartment door:
B21-F019: Motor-operated valve (main steam line drain isolation)
The following nuclear boiler instrumentation is provided on the Division 1 remote shutdown control panel:
C61-R012: Reactor pressure/level recorder C61-R010: Reactor level indicator C61-R011: Reactor pressure indicator The following nuclear boiler instrumentation is provided on the Division 2 remote shutdown control panel:
C61-R030: Reactor level indicator C61-R031: Reactor pressure indicator Valve position status indicators.
See <Figure 5.1-3>
7.4-16 Revision 12 January, 2003
- 4. Reactor Water Cleanup System The following function has transfer/control switches located on the associated MCC compartment door:
G33-F004: Motor-operated valve (reactor water cleanup discharge isolation).
- 5. Emergency Service Water System The following loop A emergency service water system equipment/functions have transfer and control switches located at the remote shutdown control panel:
P45-F014A: Motor-operated valve (RHR heat exchanger isolation)
P45-F068A: Motor-operated valve (RHR heat exchanger isolation)
P45-F130A: Motor-operated valve (pump discharge shutoff)
P45-C001A: Emergency service water pump The following loop B emergency service water system equipment/functions have control switches located on the associated motor control centers and switchgear panels:
P45-F014B: Motor-operated valve (RHR heat exchanger isolation)
P45-F068B: Motor-operated valve (RHR heat exchanger isolation)
P45-F130B: Motor-operated valve (pump discharge shutoff)
P45-C001B: Emergency service water pump See <Figure 9.2-1>.
7.4-17 Revision 12 January, 2003
The following emergency service water system instrumentation is provided on the Division 1 remote shutdown control panel:
P45-R033A: Flow indicator (RHR heat exchanger A)
P45-R055A: Flow indicator (ECC system heat exchanger A)
The following emergency service water system instrumentation is provided on the Division 2 remote shutdown control panel:
P45-R033B: Flow indicator (RHR heat exchanger B)
P45-R055B: Flow indicator (ECC system heat exchanger B)
Valve position and pump status indicators.
- 6. Emergency Closed Cooling System The following loop A emergency closed cooling system equipment has transfer and control switches located at the Division 1 remote shutdown control panel:
P42-C001A: Emergency closed cooling pump A The following loop B emergency closed cooling system has control switches located on the associated switchgear panel in the Division 2 switchgear room:
P42-C001B: Emergency closed cooling pump B Pump status indicators. See <Figure 9.2-3>.
The following emergency closed cooling system instrumentation is provided on the Division 1 remote shutdown control panel:
P42-R045A: Flow indicator (ECC system heat exchanger A) 7.4-18 Revision 12 January, 2003
The following emergency closed cooling system instrumentation is provided on the Division 2 remote shutdown control panel:
P42-R045B: Flow indicator (ECC system heat exchanger B)
- 7. Instrument Power The following instrument 120 Vac power systems have a transfer switch located at the Division 1 remote shutdown panel:
R41-K050: 120 Vac instrument power
- 8. Containment Atmosphere Monitoring System The following containment atmosphere monitoring system instrumentation is provided on the Division 1 remote shutdown control panel:
D23-R230: Recorder (drywell pressure/temperature)
D23-R240: Recorder (suppression pool level/temperature)
The following containment atmosphere monitoring system instrumentation is provided on the Division 2 remote shutdown panel:
D23-R260: Drywell temperature indicator D23-R270: Suppression pool temperature indicator D23-R280: Drywell pressure indicator G43-R102: Suppression pool level indicator
- 9. MCC, Switchgear and Miscellaneous Electrical Equipment Area HVAC Systems/Battery Room Exhaust System 7.4-19 Revision 12 January, 2003
The following loop A MCC, switchgear, and miscellaneous electrical equipment area HVAC Systems, and battery room exhaust system equipment have a common transfer/control switch located on the 480V switchgear panel EF1AO1 M23-C001A: MCC, switchgear and miscellaneous electrical equipment area HVAC supply fan A M23-C002A: MCC, switchgear and miscellaneous electrical equipment area HVAC return fan A M24-C001A: Battery room exhaust fan A P47-F045A: MCC, SWGR and miscellaneous electrical equipment area train A chilled water temperature control MOV
- 10. Emergency Closed Cooling Pump Area Cooling System The following loop A emergency closed cooling pump area cooling system equipment has fuse isolation provided for control room indication, voltage monitoring and annunciation circuits:
M28-B001A: Emergency closed cooling pump area cooling system ventilation fan A.
- 11. Emergency Service Water Pumphouse Ventilation System The following loop A emergency service water pumphouse ventilation system equipment have a common transfer/control switch and manual control units (for dampers) located in the emergency service water pumphouse ventilation system remote shutdown panel:
M32-C001A: Emergency service water pumphouse system ventilation Unit A 7.4-20 Revision 12 January, 2003
M32-F070A: Emergency service water pumphouse system pump house wall louver A M32-F040A: Emergency service water pumphouse system fan inlet air damper A M32-F050A: Emergency service water pumphouse system mixing air damper A
- 12. Emergency Core Cooling System Pump Room Cooling System The following emergency core cooling system pump room cooling system equipment have fuse isolation provided for control room indication and voltage monitoring circuits:
M39-B001A: Emergency core cooling system pump room cooling system RHR pump A and heat exchanger cooler.
M39-B004: Emergency core cooling system pump room cooling system RCIC pump room cooler.
- 13. Diesel Generator Building Ventilation System The following loop A diesel generator building ventilation system equipment is isolated from the control room by diesel generator A control transfer switch, located on the diesel generator A control panel, and actuated by an engine running interlock located in the diesel generator A engine control panel. The dampers are controlled by a setpoint station located on the Division 1 remote shutdown control panel which receives an input from a separate temperature transmitter used only for remote shutdown:
M43-C001A: Diesel generator building ventilation system ventilation fan A M43-F020A: Diesel generator building ventilation system outside air damper 7.4-21 Revision 18 October, 2013
M43-F030A: Diesel generator building ventilation system return (recirculation) air damper M43-F031A: Diesel generator building ventilation system return (recirculation) air damper M43-F070A: Diesel generator building ventilation system exhaust damper M43-F071A: Diesel generator building ventilation system exhaust damper
- 14. Control Complex Chilled Water System The following loop A control complex chilled water system equipment have individual transfer/control switches located on the associated switchgear panels in the Division 1 switchgear room and local control panel at the chiller.
P47-B001A: Control complex chilled water system control complex chiller A P47-C001A: Control complex chilled water system chilled water pump A
- 15. Emergency Service Water Screen Wash System The following emergency service water screen wash system equipment has fuse isolation provide for control room auto start and voltage monitoring circuits:
P49-D001A: Emergency service water screen wash system screen control 7.4-22 Revision 12 January, 2003
- 16. Safety-related Instrument Air System The following loop A safety-related instrument air system equipment have transfer/control switches located on the associated MCC compartment doors:
P57-F015A: Motor-operated valve (containment isolation)
P57-F020A: Motor-operated valve (drywell isolation)
- 17. Standby Diesel Generator System The following Division 1 standby diesel generator (R43-S001A) components are provided with fuse and transfer switch isolation from the control room:
Voltage regulator control and indicating light Generator field metering
- 18. Diesel Generator Fuel Oil System The following diesel generator fuel oil system equipment is provided with fuse isolation for control room voltage monitoring circuit:
R45-C001A: Diesel generator fuel oil system fuel oil transfer pump A 7.4.1.5 Design Basis The safe shutdown systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary.
<Chapter 15> identifies and evaluates events that jeopardize the fuel barrier and reactor coolant pressure boundary. The methods of assessing 7.4-23 Revision 12 January, 2003
barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in
<Chapter 15>.
- a. Variables monitored to provide protective actions RCIC - Reactor vessel low water level (trip Level 2) is monitored in order to provide protective actions to the safe shutdown systems. All other safe shutdown systems are initiated by operator actions.
The plant conditions which require protective action involving safe shutdown are described in <Chapter 15> and <Appendix 15A>.
- b. Location and Minimum Number of Sensors Technical Specifications will discuss the minimum number of sensors required to monitor safety-related variables. There are no sensors in the safe shutdown systems which have a spatial dependence.
- c. Prudent Operational Limits Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin so that a spurious safe shutdown system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.
- d. Margin The margin between operational limits and the limiting conditions of operation of safe shutdown systems are accounted for in Technical Specifications.
7.4-24 Revision 12 January, 2003
- e. Levels Levels requiring protective action are established in Technical Specifications.
- f. Range of Transient, Steady-State and Environmental Conditions Refer to <Section 3.11> for environmental conditions. Refer to
<Section 8.2.1> and <Section 8.3.1> for the maximum and minimum range of energy supply to the safe shutdown systems instrumentation and controls. All safety-related instrumentation and controls are specified and purchased to withstand the effects of these energy supply ranges.
- g. Malfunctions, Accidents and Other Unusual Events Which Could Cause Damage to Safety System
<Chapter 15> describes the following credible accidents and events:
floods, storms, tornadoes, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the safe shutdown systems.
- 1. Floods The buildings containing safe shutdown system components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water-tight under PMF conditions including wind generated wave action and wave runup. For a discussion of internal flooding protection, refer to <Section 3.4.1> and <Section 3.6>.
7.4-25 Revision 12 January, 2003
- 2. Storms and Tornadoes The buildings containing safe shutdown system components have been designed to withstand meteorological events described in
<Section 3.3>.
- 3. Earthquakes The structures containing safe shutdown system components have been seismically qualified as described in <Section 3.7> and
<Section 3.8>, and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in
<Section 3.10>.
- 4. Fires To protect the safe shutdown systems in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers or physical distance. The use of separation and fire barriers ensures that even though some portion of the systems may be affected, the safe shutdown systems will continue to provide the required protective action. See <Section 9.5.1> for a discussion of fire protection.
- 5. LOCA The safe shutdown systems components located inside the drywell and containment which are functionally required following a LOCA have been environmentally qualified to remain functional as discussed in <Section 3.11>.
7.4-26 Revision 12 January, 2003
- 6. Pipe Break Outside Containment This condition will not affect the safe shutdown systems.
Refer to <Section 3.6>.
- 7. Missiles Protection for safe shutdown systems is described in
<Section 3.5>.
- h. Minimum Performance Requirements Minimum performance requirements for safe shutdown systems instrumentation and controls are provided in Technical Specifications.
7.4.1.6 Final System Drawings The final system drawings, including piping and instrumentation diagrams (P&ID) and functional control diagrams (FCD), have been provided or referenced for the safe shutdown systems.
7.4.2 ANALYSIS The safe shutdown systems are designed such that loss of instrument air, a plant load rejection or a turbine trip will not prevent the completion of the safety function.
7.4.2.1 Conformance To <10 CFR 50, Appendix A> - General Design Criteria The following is a discussion of conformance to those general design criteria which apply specifically to the safe shutdown systems. Refer 7.4-27 Revision 12 January, 2003
to <Section 7.1.2.2> for a discussion of General Design Criteria which apply as indicated in- a. General Design Criterion 19 - Control Room The remote shutdown system consists of equipment located outside the control room which is sufficient to provide and assure prompt hot shutdown of the reactor and to maintain safe conditions during hot shutdown. The equipment also provides capability for subsequent cold shutdown of the reactor.
- b. General Design Criterion 34 - Residual Heat Removal The reactor shutdown cooling mode of the residual heat removal system removes residual heat from the reactor when it is shutdown and the main steamlines are isolated, to maintain the fuel and reactor coolant pressure boundary within design limits. Redundant cooling routes are provided to meet the single failure criteria.
- a. IEEE Standard 279 The reactor shutdown cooling mode of the residual heat removal system uses the same equipment used by the LPCI mode. Therefore, refer to <Section 7.3.2> for the RSCM standards and regulatory compliance.
- 1. General Functional Requirement (IEEE Standard 279, Paragraph 4.1)
- 2. Single-Failure Criterion (IEEE Standard 279, Paragraph 4.2)
- 3. Quality of Components and Modules (IEEE Standard 279, Paragraph 4.3).
- 4. Equipment Qualification (IEEE Standard 279, Paragraph 4.4).
- 5. Channel Integrity (IEEE Standard 279, Paragraph 4.5).
- 6. Channel Independence (IEEE Standard 279, Paragraph 4.6).
- 7. Control and Protection Interaction (IEEE Standard 279, Paragraph 4.7).
- 8. Derivation of System Inputs (IEEE Standard 279, Paragraph 4.8).
- 9. Capability for Sensor Checks (IEEE Standard 279, Paragraph 4.9).
- 10. Capability for Test and Calibration (IEEE Standard 279, Paragraph 4.10).
- 11. Channel Bypass or Removal from Operation (IEEE Standard 279-1971, Paragraph 4.11).
- 12. Operating Bypasses (IEEE Standard 279, Paragraph 4.12).
- 13. Indication of Bypasses (IEEE Standard 279, Paragraph 4.13).
- 14. Access to Means for Bypassing (IEEE Standard 279, Paragraph 4.14).
- 15. Multiple Setpoints (IEEE Standard 279, Paragraph 4.15).
- 16. Completion of Protective Action Once it is Initiated (IEEE Standard 279-1971, Paragraph 4.16).
- 17. Manual Initiation (IEEE Standard 279, Paragraph 4.17).
- 18. Access to Setpoint Adjustment (IEEE Standard 279, Paragraph 4.18).
- 19. Identification of Protective Actions (IEEE Standard 279, Paragraph 4.19).
- 20. Information Readout (IEEE Standard 279, Paragraph 4.20).
- 21. System Repair (IEEE Standard 279, Paragraph 4.21).
- 22. Identification (IEEE Standard 279, Paragraph 4.22).
- a. <Regulatory Guide 1.22> - Periodic Testing of Protection System Actuation Functions The RCIC system is capable of being completely tested, except for the discharge valve to the head cooling spray nozzle, during normal plant operation to verify that each element of the system, is capable of performing its intended safety function.
- b. <Regulatory Guide 1.53> - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems See IEEE Standard 279, Paragraph 4.2, located in <Section 7.4.2> of the USAR for RCIC and SLCS.
- c. <Regulatory Guide 1.62> - Manual Initiation of Protective Actions The RCIC system is initiated at the system level manually from the control room by actuation of an armed pushbutton which simulates an automatic initiation.
5.1 DESCRIPTION
7.5.1.1 General This section describes the instrumentation which provides information to the operator to enable him to perform required safety functions.
The safety-related display instrumentation (SRDI) is listed in
- a. Operator verification that reactor shutdown has occurred may be made by observing one or more of the following indications:
- 1. Control rod status lamps indicating each rod fully inserted.
- 2. Control rod scram pilot valve status lamps (power available) indicating open valves.
- 3. Neutron monitoring power range channels and recorders downscale and SRM recorders downscale.
- 4. Annunciators for reactor protection system variables and trip logic in the tripped state.
- 5. Process computer logging of trips and control rod position log. The power source is the computer power supply from the plant uninterruptable auxiliary ac bus.
- b. The reactor operator may verify reactor isolation by observing one or more of the following indications:
- 1. Isolation valve position lamps indicating valve closure.
- 2. Main steam line flow indication downscale.
- 3. Annunciators for the containment and reactor vessel isolation system variables and trip logic in the tripped state.
- 4. Process computer logging of trips.
- c. Operation of the emergency core cooling and the RCIC system following the accident may be verified by observing the following indications:
- 1. Annunciators for high pressure core spray, low pressure core spray, residual heat removal, automatic depressurization system, and reactor core isolation cooling system sensor initiation logic trips.
- 2. Flow and/or pressure indications for each emergency core cooling system are provided and are operable before and after a SSE.
- 3. RCIC isolation valve position indicating open valves.
- 4. Injection valve position lights indicating either open or closed valves.
- 5. Relief valve initiation circuit status by open or closed indicator lamps.
- 6. Process computer logging of trips in the emergency core cooling network.
- 7. Relief valve discharge pipe temperature monitors.
- a. Drywell and Containment Pressure Monitoring Drywell/containment differential pressure is measured and indicated in the control room. Separate annunciation is provided in the control room on high positive differential and high negative differential pressure. Drywell pressure narrow range and wide range measurements are recorded in the control room and the narrow range measurement is indicated and annunciated in the control room.
- b. Drywell and Containment Temperature Monitoring Temperature signals from sensors located in the drywell and the containment are recorded in the control room. An alarm for high average drywell temperature per division and a common alarm for high containment temperature for each channel are annunciated in the control room. One temperature sensor from each channel in the drywell and the containment has its signal indicated in the control room.
- c. Suppression Pool Temperature Monitoring Each channel of the suppression pool temperature sensors transmits the sensors signals to temperature switches and then to two and Revision 12 7.5-7 January, 2003
- d. Suppression Pool Water Level There are nine suppression pool level transmitters. Four of the transmitters sense narrow-range (16-19 ft) and provide signals for annunciation, recording and automatic makeup to the suppression pool. A fifth narrow range (16-19ft) transmitter is provided for remote shutdown panel indication and recording. Two accident monitoring suppression pool level transmitters sense and record wide range suppression pool level (2-24ft) in the control room.
- a. Reactor Water Level and Pressure Vessel water level and pressure sensor instrumentation described in
- b. Suppression Pool Water Level and Temperature This instrumentation complies with the requirements of IEEE Standard 279 and provides recorded outputs. All equipment, except the recorders and indicators, will perform its required function during and after the seismic event. Recorders and instrumentation perform their required function after the seismic event; however, pen or pointer flutter is expected to occur during the event.
- c. Drywell and Containment Pressure and Temperature This instrumentation is redundant, electrically independent and is qualified to be operable during and after a LOCA. Power is from independent buses and the instrumentation complies with the requirements of IEEE Standard 279 and provides recorded outputs.
- d. Emergency Core Cooling Systems Performance of emergency core cooling systems (ECCS) following an accident may be verified by observing redundant and independent indications as described in <Section 7.5.1.4.2.3.1.c> and fully satisfies the need for operator verification of operation of the system.
- e. Continued Shutdown Tracking The various indications described in <Section 7.5.1.4.2> provide adequate information regarding status of the reactor vessel level and pressure to allow reactor operators to make proper decisions regarding core and containment cooling operations, and fully satisfies the need for postaccident surveillance of these variables.
- f. Non-NSSS Engineered Safety Features and Auxiliary Supporting Systems Performance of engineered safety features and auxiliary supporting systems may be verified by observing the various indications described in <Section 7.5.1.2>. Displays showing the status of all ESF equipment and pertinent analog parameters are located on control room benchboards, in the same area as the associated ESF system controls, so that the operator can immediately assess the status of ESF systems and take whatever actions necessary under all plant conditions. This instrumentation is redundant, electrically independent between ESF divisions and is qualified to be operable during and after a LOCA and before and after a seismic event.
6.1 DESCRIPTION
<Section 7.6> describes the instrumentation and control systems required for safety not discussed in other sections. The systems include:
- a. Process Radiation Monitoring System
- b. High Pressure/Low Pressure Systems Interlocks
- c. Leak Detection System (LDS)
- e. Rod Pattern Control System (RPCS)
- f. Recirculation Pump Trip System (RPT)
- g. Fuel Pool Cooling System
- h. Containment Atmosphere Monitoring System
- i. Hydrogen Control System
- j. Offgas Building Exhaust System
- k. Safety/Relief Valve-Relief Function
- l. Redundant Reactivity Control System (RRCS)
The sources which supply power to the safety-related systems described in this section originate from onsite ac and/or dc safety-related buses or, as in the case of the fail-safe logic NMS and portions of the LDS, Revision 12 7.6-1 January, 2003
from the nonsafety-related RPS MG sets. Refer to <Chapter 8> for a complete description of the safety-related systems power sources.
7.6.1.1 Process Radiation Monitoring System - Instrumentation and Controls The safety-related portions of the process radiation monitoring system are described in <Section 7.2.1> and <Section 7.3.1>. The main steam line and containment ventilation exhaust radiation monitoring systems and all other systems are discussed in <Section 11.5>.
7.6.1.2 High Pressure/Low Pressure Interlocks
- a. Function Instrumentation and controls are provided to prevent overpressurization of certain low pressure equipment.
- b. System Operation Schematic arrangement of mechanical equipment involved is shown in
<Figure 5.4-13>. Component control logic for the equipment involved is shown in <Figure 7.3-5>. Elementary diagrams are listed in <Section 1.7.1>.
The following high pressure/low pressure interlock equipment is provided:
Interlocked Parameter Process Line Type Valve Sensed Purpose RHR Shutdown MO E12-F009 Reactor Prevents valve opening Cooling MO E12-F008 Pressure until reactor pressure Suction is below system design Isolation pressure Revision 12 7.6-2 January, 2003
Interlocked Parameter Process Line Type Valve Sensed Purpose RHRS Shutdown MO E12-F053A,B Reactor Prevents valve opening Cooling Pressure until reactor pressure Injection is below system design pressure RHRS Head MO E12-F023 Reactor Prevents valve opening Spray Pressure until reactor pressure is below system design pressure The shutdown cooling suction isolation valves, head spray valve, and shutdown cooling injection valve have redundant interlocks to prevent the valves from being opened when the primary system pressure is above the subsystem design pressure.
7.6.1.3 Leak Detection System - Instrumentation and Controls The safety-related portions of the leak detection system are main steam line leak detection, RCIC system leak detection, RHR system leak detection, and reactor water cleanup system leak detection.
- a. Leak Detection System Function The main portion of the leak detection system instrumentation and controls is designed to monitor leakage from the reactor coolant pressure boundary and initiate alarms and/or isolation when predetermined limits are exceeded <Section 5.2.5>.
Revision 12 7.6-3 January, 2003
- b. Leak Detection System Operation Schematic arrangements of system mechanical equipment and operator information displays are shown in <Figure 7.6-1>. LDS component control logic is shown in <Figure 7.3-5>, <Figure 7.4-1>, and
<Figure 7.3-3>. Plant layout drawings are shown in <Section 1.2>
and elementary diagrams are listed in <Section 1.7.1>.
Systems or parts of systems which contain water or steam and which are in direct communication with the reactor vessel, are provided with leakage detection systems.
Each of the required leakage detection systems inside the drywell is designed with a capability to detect leakage less than established leakage rate limits. Refer to Technical Specifications.
Major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals, valve stem packing, equipment drains), are collected ultimately in an equipment drain sump.
Equipment associated with systems within the drywell (e.g.,
vessels, piping, fittings) share a common volume. Steam or water leaks from such equipment are collected ultimately in the floor drain sumps.
Each sump is protected against overflowing to prevent leaks of an identified source from masking those from unidentified sources.
Outside the containment, the piping within each system monitored for leakage is in compartments or rooms separate from other systems, wherever feasible, so that leakage may be detected by sump level, ambient or differential area temperature or high process flow.
Revision 12 7.6-4 January, 2003
Sensors, wiring, and associated equipment of the leak detection system which are associated with the isolation valve logic are designed to withstand the conditions that follow a design basis loss-of-coolant accident <Section 3.11>.
The operator is kept aware of the status of the leak detection system variables through meters, digital displays and recorders which indicate the measured variables in the control room. If a trip occurs, the condition is annunciated in the control room.
Discussions of the specific portions of the Leak Detection System are as follows:
- 1. The MSL leak detection
- 2. RCIC system leak detection
- 3. RHR system leak detection
- 4. Reactor water cleanup system leak detection 7.6.1.3.1 MSL Leak Detection The MSL Leak Detection system is described in <Section 7.3.1>.
7.6.1.3.2 RCIC System Leak Detection The steam lines of the RCIC system are monitored for leaks by the leak detection system. Leaks from the RCIC will cause a change in at least one of the following monitored parameters: sensed equipment area temperatures, steam flow rate, or steam pressure. If the monitored variables indicate that a leak may exist, the detection system initiates an RCIC isolation signal.
Revision 12 7.6-5 January, 2003
The following is a description of each RCIC leak detection method:
- a. RCIC System Isolation - RCIC Equipment Area Temperature Monitoring (see item e. for the RHR Area description.)
High temperature in the RCIC equipment area could indicate a breach in the RCIC steam line reactor coolant pressure boundary.
Two redundant ambient area and differential temperature monitoring channels are provided. The redundant ambient area instrument provides input to one of two logic channels (ESF Division 1 or Division 2).
Using 1 out of 2 logic for a division, an RCIC equipment area high area ambient temperature initiates an isolation of either the RCIC system inboard or outboard isolation valves. The differential temperature is required to operate only when the RCIC room cooler is running and provides alarm only.
A bypass/test switch is provided in each logic channel for the purpose of testing the temperature monitor without initiating RCIC system isolation.
Diversity is provided by RCIC steam line flow and pressure monitoring.
- b. RCIC Flow Rate Monitoring The steam line flow rate from the reactor vessel leading to the RCIC turbine is monitored by four differential pressure transmitters. During high flow conditions, the flow rate trip unit initiates the auto-isolation signal. A time delay in each logic division prevents inadvertent system isolations due to pressure spikes <Section 7.4.1>.
Revision 14 7.6-6 October, 2005
High flow in the steam line initiates isolation of the RCIC system.
Diversity is provided by ambient temperature, differential temperature and RCIC steam line pressure monitoring.
- c. RCIC Pressure Monitoring The steam line pressure from the reactor vessel leading to the RCIC turbine is monitored by two pressure transmitters. In the presence of a leak, resulting in low line pressure, the RCIC pressure trip unit initiates the auto-isolation signal <Section 7.4.1>.
Diversity is provided by ambient temperature, differential temperature and RCIC steam line flow monitoring.
Outputs from the two monitoring circuits are used to generate the RCIC auto-isolation signals (one for each division) to isolate the inboard and outboard isolation valves.
- d. Main Steam Line Tunnel Area Temperature Monitoring High temperature in the MSL tunnel could indicate a breach in the reactor coolant pressure boundary.
Two redundant MSL ambient temperature and temperature monitoring channels are provided. Each redundant instrument provides input to one of two logic channels (Division 1 or Division 2).
Using 1 out of 1 logic for a division, a MSL tunnel high area ambient temperature initiates an isolation of either the RCIC inboard or outboard isolation valves.
Revision 15 7.6-7 October, 2007
- e. RCIC System Isolation - RHR Equipment Area Temperature Monitoring High Temperature in the RHR Equipment Areas could indicate a breach in the RCIC steam line reactor coolant pressure boundary, because some RCIC steam piping remains in the RHR equipment areas even after elimination of the Steam Condensing Mode of RHR, as shown on USAR Figure 3.6-70a.
Revision 14 7.6-7a October, 2005
Two redundant ambient temperature and temperature monitoring channels are provided for each of two RHR equipment areas. Each redundant instrument provides input to one of two logic channels (Division 1 or Division 2). Any high RHR equipment area ambient temperature for a division will initiate isolation of either the inboard or outboard RCIC isolation valves.
The differential temperature is required to operate only when the RHR room coolers are running.
7.6.1.3.3 RHR System Leak Detection The RCIC steam supply line in the RHR heat exchanger rooms is monitored for leaks by the leak detection system as described above in Section 7.6.1.3.2.e. Also, leaks from the RHR reactor coolant pressure boundary are detected by equipment area ambient temperature monitoring, and by low water level in the reactor vessel. If the monitored parameters indicate that a leak exists, the LDS (ambient) initiates an RHR isolation signal.
Outputs from both circuits are used to generate the RHR auto-isolation signal (one for each division) to isolate the inboard and outboard isolation valves.
The following is a description of each RHR leak detection method:
- a. RHR System Isolation - RHR Equipment Area Temperature Monitoring High temperature in the equipment room areas of the RHR system could indicate a breach in the reactor coolant pressure boundary in the RHR system.
Revision 15 7.6-8 October, 2007
The RHR area temperature monitoring circuit is identical to the one described for the RCIC leak detection method <Section 7.6.1.3.2.e>.
Two redundant ambient and differential temperature monitoring channels are provided for each of two RHR equipment areas. Each Revision 14 7.6-8a October, 2005
redundant instrument provides input to one of two logic channels (Division 1 or Division 2).
Any high RHR equipment area ambient temperature for a division will initiate an isolation signal closing either the RHR inboard or outboard isolation valves.
The differential temperature is required to operate only when the RHR room coolers are running and provides an alarm function only.
A bypass/test switch is provided in each logic channel for the purpose of testing the temperature monitor without initiating RHR system isolation.
Diversity is provided by Reactor Vessel Water Level - Low, Level 3 monitoring.
- b. RHR Flow Rate Monitoring Flow rate monitoring is provided on the RCIC steam supply line to the RHR heat exchanger rooms by redundant differential pressure transmitters, which can initiate an isolation of the RCIC isolation valves, as described above in Section 7.6.1.3.2.b.
Revision 15 7.6-9 October, 2007
7.6.1.3.4 Reactor Water Cleanup System Leak Detection The RWCU leak detection system monitors equipment area ambient and differential temperature and inlet and outlet differential flow.
Automatic isolation of the RWCU system isolation valves is initiated when monitored parameters indicate that leakage exists.
The following is a description of each RWCU leak detection method:
- a. RWCU Differential Flow Monitoring Refer to <Section 7.3.1>.
- b. RWCU Area Temperature Monitoring Refer to <Section 7.3.1>.
7.6.1.4 Neutron Monitoring System (NMS) - Instrumentation and Controls The safety-related portions of the neutron monitoring system are the Intermediate Range Monitor (IRM), Local Power Range Monitor (LPRM),
Average Power Range Monitor (APRM) and Oscillation Power Range Monitor (OPRM).
- a. Neutron Monitoring System Function The neutron monitoring system instrumentation and controls are designed to monitor reactor power (neutron flux) from startup through full power operation.
Revision 14 7.6-10 October, 2005
- b. Neutron Monitoring System Operation The neutron monitoring system uses incore detectors, either fixed (LPRM) or retractable (IRM), to determine neutron flux levels.
NMS will initiate a scram when predetermined limits are exceeded and provide operator information during and after accident conditions.
The NMS component control logic is shown in <Figure 7.6-2>.
7.6.1.4.1 Intermediate Range Monitor (IRM)
- a. IRM Function The IRM monitors neutron flux from the upper portion of the SRM range to the lower portion of the power range (APRM) as shown in
<Figure 7.6-3>.
- b. IRM Operation The IRM has eight channels, each of which includes one detector that can be positioned in the core by remote control. Refer to
<Figure 7.6-4>. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is placed in the RUN position.
Each detector assembly consists of a fission chamber attached to a low-loss, quartz-fiber-insulated transmission cable. The detector cable is connected underneath the reactor vessel to a triple-shielded cable that is connected to the preamplifier.
The preamplifier converts current pulses to voltage pulses, modifies the voltage signal, and provides impedance matching. The Revision 12 7.6-11 January, 2003
preamplifier output signal is then sent to the IRM signal conditioning electronics.
Each IRM channel input signal from the preamplifier can be amplified and attenuated. IRM preamplification is selected by a remote range switch that provides 10 ranges of increasing attenuation (the first six are called low range, the last four are called high range). As the neutron flux of the reactor core increases, the signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter, a remote meter and recorder.
The IRM scram trip functions are discussed in <Section 7.2.1.1.b>.
The IRM trips are shown in- a. LPRM Function The LPRMs provide localized neutron flux detection over the full power range for input to the APRM.
- b. LPRM Operation The LPRM includes 164 detectors located at 41 locations at different axial heights in the core; each detector location contains four fission chambers. <Figure 7.6-5> shows the LPRM detector radial layout scheme.
- a. APRM Function The function of the APRM is to average signals from the LPRMs and provide a flow reference reactor scram when neutron flux exceeds predetermined flux.
- b. APRM Operation The APRM has eight redundant channels. Each channel uses input signals from a number of LPRM channels. Four APRM channels are associated with each trip system of the RPS.
- a. OPRM Function The function of the OPRM is to detect and suppress evidence of reactor thermal-hydraulic instability in the core by providing a scram when regional (neutron flux) oscillations in the core exceed predetermined levels.
- b. OPRM Operation The OPRM system has four (4) redundant and independent trip channels and each channel contains two (2) OPRM modules. Each OPRM channel receives signals from existing LPRM signals. The assignment of the LPRM signals to each OPRM channel is grouped Revision 12 7.6-16 January, 2003
- a. System Function The Rod Pattern Control System (RPCS) is a subsystem of the RC&IS
- b. System Operation Rods may be moved in either gang or single rod mode and in either single notch or continuous mode.
- 1. A set of rod position information reed switches contained in a dual rod position probe in each rod drive.
- 2. Separate cables to independent rod position multiplexers which are arranged one cabinet for each division.
- 3. Separate rod action control cabinets which are arranged one cabinet for each division and which have the electronic circuits which contain the RPCS control logic.
- 1. Position word which includes information on the following:
- 2. Request word which includes information on the following:
- 3. Alternate rod word which includes information of the following:
- 4. High power setpoint indication (HPSP),
- 5. Low power setpoint indication (LPSP),
- 6. Low power alarm point indication (LPAP),
- 7. Selected and driving.
- 1. Substitute data shall not replace good data.
- 2. Not more than one rod per gang may have substitute data at one time.
- 3. Data from the other channel may not be used if it is substitute data.
- 4. Good data received will replace substitute data.
- 1. Reactor power is below the LPSP and the control rods are out of sequence as specified by the appropriate step in the Emergency Operating Procedures (EOPs). The operator will rapidly insert control rods using the In Timer Skip.
- 2. During a reactor shutdown utilizing the Improved BPWS Control Rod Insertion Process as described in USAR,
- c. RPCS Logic The control logic and rod group identification information are in electronic Read Only Memory (ROM) circuits contained in the rod action control cabinets. These ROMs are not site programmable except through engineering design change requiring new electronic circuit cards. These circuit cards may be changed to reflect cycle-dependent physics analysis.
- 1. Groups 5, 6, 7, 8, 9, and 10 must be fully inserted before Group 1, 2, 3, or 4 can be moved.
- 2. Groups 1 and 2 (3 and 4) must be fully inserted or fully withdrawn before Group 3 or 4 (1 or 2) can be moved.
- 3. If Groups 1 and 2 (3 and 4) are fully inserted, Groups 3 and 4 (1 and 2) can be moved without banking at axial positions.
- 4. If Groups 1 and 2 (3 and 4) are fully withdrawn, all rods in Groups 3 and 4 (1 and 2) must be banked at axial positions.
- 5. For a group to be banked at axial positions, all control rods in a group must be between the same group axial bank limits, inclusive.
- 6. After moving any Group 1, 2, 3, or 4 control rod, all control rods in that group must be either fully withdrawn or fully inserted before moving any control rod in any other group.
- 7. The order of control rod movement within a group is arbitrary.
- 8. Groups 1, 2, 3 and 4 must be fully withdrawn before Group 5, 6, 7, 8, 9, or 10 can be moved.
- 9. For any rod in a banked group to be moved past an axial bank position, all rods in that group must be at the same axial bank limit.
- 10. If Group 9 or 10 (7 or 8) is not full in, Groups 5 and 6 and either Group 9 or 10 (7 or 8) must be at or beyond axial bank Position 12 in order for Group 7 or 8 (9 or 10) to be moved.
- 1. If Groups 1 and 2 (3 and 4) are fully withdrawn, Groups 5, 6,7, 8, 9, 10, and 3 and 4 (1 and 2) must be withdrawn in single notch mode below axial bank Position 12.
- a. System Function The recirculation trip system is designed to aid the RPS in protecting the integrity of the fuel barrier. Turbine stop valve closure or turbine control valve fast closure will initiate a scram and concurrent recirculation trip in order to keep the core within the thermal hydraulic safety limits during operational transients.
- b. System Operation Initiating circuitry is shown on <Figure 7.2-1>. RPS inputs sense turbine stop valve closure (turbine trip) or turbine control valve Revision 12 7.6-26 January, 2003
- a. FPCS Function The function of the FPC system is to remove decay heat from the spent fuel storage pool to ensure adequate cooling of irradiated stored fuel assemblies. The FPC system also purifies the storage pool water, maintains water clarity for fuel handling operations, and fills and drains the fuel transfer canal <Section 9.1.3>.
- a. System Function The containment atmosphere monitoring system instrumentation and controls <Figure 7.6-7> are intended to detect and aid in the prediction of the progression of abnormal occurrences inside the containment and to monitor the containment after postulated accidents.
- b. System Operation All safety-related pressure and temperature channels are recorded with the recorder appearing on the postaccident monitoring panel in the control room.
- a. System Function The hydrogen control system (HCS) consists of 102 igniter assemblies mounted throughout the containment and drywell. Each igniter assembly is capable of igniting low volumetric concentrations of hydrogen present during a hydrogen generation event. This postulated event creates large quantities of hydrogen Revision 12 7.6-32 January, 2003
- b. System Operation The hydrogen control system is operated in accordance with the Emergency Operating Procedures (EOPs). Prior to the hydrogen concentration reaching a predetermined hydrogen concentration (minimum detectable level) in the drywell or containment, or the reactor vessel water level reaching above top of active fuel, the hydrogen igniters are placed in service. The igniters are energized by two OFF-NORM-ON handswitches located in the control room on panel H13-P800. Red-green indication lights for each handswitch are provided. There are no interlocks associated with the hydrogen control system.
- a. System Function The function of this system is to exhaust air from potentially contaminated areas through a charcoal filter train prior to discharging it to the atmosphere.
- b. System Operation Schematic arrangement of mechanical equipment and instrumentation is shown on <Figure 9.4-10>.
- 1. Indication of which fan is operating (status light).
- 2. Low air flow with fan operating for each fan (alarm).
- 3. High and high-high temperature in the charcoal filter beds (alarm and readout).
- 4. High radioactivity in the exhaust air before and after the filters (alarm).
- 5. Smoke in each exhaust fan discharge duct (alarm).
- 6. Motor overload or power loss for each fan (alarm).
- a. Over Pressure Relief Feature Initiate operation of three groups (Low, Middle, High) of SRVs, at three respective pressure setpoints. This feature automatically adjusts the relief capacity to the size of the overpressure condition. The reclose pressure setpoint (reset) for any group is separately adjusted, and adequate deadband is provided to eliminate rapid open/close operation and minimize system stresses.
- b. Low-Low Set Point Relief Logic In order to assure that no more than one relief valve reopens following a reactor isolation event, six SRV valves are provided with lower opening and closing setpoints. These setpoints override the normal setpoints following the initial opening of the relief valves and act to hold these valves open longer, thus preventing more than a single valve from reopening subsequently. This system logic is referred to as the low-low setpoint relief logic and functions to ensure that the containment design basis of one safety/relief valve operating on subsequent actuations is met.
- a. Low water Level 2 recirculation trips
- b. Manual initiation
- c. High reactor pressure recirculation trips and feedwater runback signal.
- a. Variables Monitored to Provide Protective Actions The following variables are monitored in order to provide protective action inputs:
- 1. High Pressure/Low Pressure Interlocks (a) Reactor pressure
- 2. Leak Detection System (a) RCIC area temperatures - ambient (b) RCIC steam line flow rate (c) RCIC steam line pressure (d) RHR area temperatures - differential and ambient (e) RWCU area temperatures - differential and ambient (f) RWCU differential flow Revision 12 7.6-42 January, 2003
- 3. Neutron Monitoring System (a) IRM neutron flux (b) APRM neutron flux (c) OPRM neutron flux oscillations
- 4. Rod Pattern Control System (a) Reactor Power Level (b) Control Rod Selection
- 5. Recirculation Pump Trip System (a) Turbine Stop Valve Closure (b) Turbine Control Valve Fast Closure
- 6. Fuel Pool Cooling System (a) Fuel Transfer Tube Drain Tank Level (b) High Drywell Pressure Revision 12 7.6-43 January, 2003
- 7. Containment Atmosphere Monitoring System This system has no automatic protective actions. Its function is to monitor conditions and provide information.
- 8. Offgas Building Exhaust System This system has no automatic protective actions.
- 9. Safety/Relief Valves - Relief Function (a) Reactor Vessel Pressure
- 10. Redundant Reactivity Control System (a) Reactor Pressure (b) Reactor Vessel Water Level (c) Reactor Power The plant conditions which require protective action involving the safety-related systems discussed in <Section 7.6> are described in
- b. Location and Minimum Number of Sensors See Technical Specifications for the minimum number of sensors required to monitor safety-related variables. The IRM and LPRM detectors are the only sensors which have spatial dependence.
- c. Prudent Operational Limits Operational limits for each safety-related variable trip setting are selected with sufficient operating levels so that a spurious safety system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or nuclear system process barrier, is kept within acceptable bounds.
- d. Margin The margin between operational limits and the limiting conditions of operation of the safety-related systems are accounted for in Technical Specifications.
- e. Levels Levels requiring protective action are established in Technical Specifications.
- f. Range of Transient, Steady-State and Environmental Conditions Environmental conditions for proper operation of components of instrumentation systems required for safety are discussed in
- g. Malfunctions, Accidents and Other Unusual Events Which Could Cause Damage to Safety Systems
- 1. Floods The buildings containing safety-related components have been designed to meet the PMF (probable maximum flood) at the site location. This ensures that the buildings will remain water tight under PMF including wind generated wave action and wave runup. Therefore, none of the functions are affected by flooding. For a discussion of internal flooding protection refer to <Section 3.4.1> and <Section 3.6>.
- 2. Storms and Tornadoes The buildings containing safety-related components have been designed to withstand all credible meteorological events and tornadoes as described in <Section 3.3>.
- 3. Earthquakes The structures containing safety-related system components have been seismically qualified as described in <Section 3.7>
- 4. Fires To protect the safety systems in the event of a postulated fire, the components have been separated by distance or fire barriers. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the safety function will not be prevented <Section 9.5.1>.
- 5. LOCA The safety-related systems components described in
- 6. Pipe Break Outside Containment Protection for these components is described in <Section 3.6>.
- 7. Missiles Protection for safety-related components is described in
- h. Minimum Performance Requirements Minimum performance requirements for safety-related systems instrumentation and controls are provided in the Technical Specifications.
- a. Criterion 12 - Suppression of Reactor Power Oscillations The NMS provides protective actions to the RPS to assure that fuel design limits are not exceeded.
- b. Criterion 21 The RRCS is designed for high functional reliability and its logic can be tested for the safety functions to be performed. No single failure in this two divisional, four channel protection system will result in the loss of the protective functions.
- c. Criterion 24 The RRCS protection system interfaces with control systems through isolation devices. Specifically, the RRCS signals to the recirculation system pump and LFMG breakers and the signal to the feedwater system to initiate runback both pass through isolators.
- d. Criteria 30, 34, 35 The leak detection system provides means for detecting the source of reactor coolant leakage.
- e. Criterion 41 See <Section 7.6.1.9> (Hydrogen Control System)
- a. IEEE Standard 279 - Criteria for Protection Systems for Nuclear Power Generating Stations
- 1. General Functional Requirement (IEEE Standard 279, Paragraph 4.1)
- 2. Single Failure Criterion (IEEE Standard 279, Paragraph 4.2)
- 3. Quality of Components and Modules (IEEE Standard 279, Paragraph 4.3)
- 4. Equipment Qualification (IEEE Standard 279, Paragraph 4.4)
- 5. Channel Integrity (IEEE Standard 279, Paragraph 4.5)
- 6. Channel Independence (IEEE Standard 279, Paragraph 4.6)
- 7. Control and Protection System Interaction (IEEE Standard 279, Paragraph 4.7)
- 8. Derivation of System Inputs (IEEE Standard 279, Paragraph 4.8)
- 9. Capability for Sensor Checks (IEEE Standard 279, Paragraph 4.9)
- 10. Capability for Test and Calibration (IEEE Standard 279, Paragraph 4.10)
- 11. Channel Bypass or Removal from Operation (IEEE Standard 279, Paragraph 4.11)
- 12. Operating Bypasses (IEEE Standard 279, Paragraph 4.12)
- 13. Indication of Bypasses (IEEE Standard 279, Paragraph 4.13)
- 14. Access to Means for Bypassing (IEEE Standard 279, Paragraph 4.14)
- 15. Multiple Setpoints (IEEE Standard 279, Paragraph 4.15)
- 16. Completion of Protective Action Once it is Initiated (IEEE Standard 279, Paragraph 4.16)
- 17. Manual Initiation (IEEE Standard 279, Paragraph 4.17)
- 18. Access to Setpoint Adjustments, Calibration and Test Points (IEEE Standard 279, Paragraph 4.18)
- 19. Identification of Protective Actions (IEEE Standard 279, Paragraph 4.19)
- 20. Information Readout (IEEE Standard 279, Paragraph 4.20)
- 21. System Repair (IEEE Standard 279, Paragraph 4.21)
- 22. Identification of Protection Systems (IEEE Standard 279, Paragraph 4.22)
- a. <Regulatory Guide 1.21> - Measuring, Evaluating and Reporting Radioactivity in Solid Wastes and Releases of Radioactive Materials in Liquid and Gaseous Effluents from Light-Water Cooled Nuclear Power Plants The process radiation monitoring system is in compliance with the applicable requirements of this regulatory guide.
- b. <Regulatory Guide 1.22> - Periodic Testing of Protection System Actuation Functions See <Section 7.2.2.3> for NMS conformance.
- c. <Regulatory Guide 1.45> - Reactor Coolant Pressure Boundary Leakage Detection System Provisions are made to monitor systems connected to the RCPB for signs of intersystem leakage, including radioactivity monitoring of process fluids (process radiation monitoring system) and reactor vessel water level monitoring (NSSS).
- d. <Regulatory Guide 1.53> - Application of the Single Failure Criterion to Nuclear Power Plant Protection Systems See IEEE 279-1971, Paragraph 4.2, <Section 7.6.2.3>.
- e. <Regulatory Guide 1.62> - Manual Initiation of Protective Actions The FPC system is manually initiated from the control room by actuation of system pump and valve controls.
- 1. Turbine Stop Valve - Closure 140
- 2. Turbine Control Valve -
7.1 DESCRIPTION
<Section 7.7> describes instrumentation and controls of major plant control systems whose functions are not essential for the safety of the plant. The systems include:
- a. Leak Detection System
- b. Rod Control and Information (RC&IS)
- c. Recirculation Flow Control System
- d. Feedwater Control System
- e. Steam Bypass and Pressure Regulating System
- f. Refueling Interlocks
- g. Reactor Water Cleanup System
- h. Process Sampling System
- i. Gaseous Radwaste System
- j. NSSS Process Computer
- k. Drywell Vacuum Relief (DVR) System Refer to
Revision 12 7.7-1 January, 2003
7.7.1.1 Reactor Vessel Head Seal Leak Detection Pressure between the inner and outer reactor vessel head seal ring is sensed by a pressure transmitter. If the inner seal fails, the pressure at the pressure transmitter is the vessel pressure and the associated trip unit will trip and actuate an alarm. The plant will continue to operate with the outer seal as a backup, and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak will be detected by an increase in drywell temperature and pressure.
7.7.1.1.1 Safety/Relief Valve Seal Leak Detection Thermocouples are located in the discharge exhaust pipe of the safety/relief valve. The temperature signal goes to a multipoint recorder with an alarm and will be activated by any temperature in excess of a set temperature signaling that one of the safety/relief valve seats has started to leak.
7.7.1.2 Rod Control and Information System (RC&IS) -
Instrumentation and Controls
- a. RC&IS Function The RC&IS provides the operator with the means to make changes in nuclear reactivity by the operator manipulating control rods so that the reactor power level and power distribution can be controlled.
This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The RC&IS does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in <Section 7.2>. In addition, the mechanical devices of the control rod drives and the Revision 12 7.7-2 January, 2003
control rod hydraulic system are not included in the RC&IS. The latter mechanical components are described in <Section 4.6.1>.
- b. RC&IS Operation The RC&IS includes the following:
- 1. Control Rod Drive - Control System
- 2. Rod Block Interlocks
- 3. Rod Position Probes
- 4. Position Indication Electronics The rod pattern control system, a subsystem of RC&IS, is safety-related and discussed in <Section 7.6.1>.
<Figure 4.6-5> and <Figure 4.6-6> show the layout of the control rod drive-hydraulic system. <Figure 7.7-1> shows the functional arrangement of devices for the control of components in the control rod drive hydraulic system. Although the figures also show the arrangement of scram devices, these devices are not part of the RC&IS. Control rods are moved by water pressure, from a control rod drive pump, on the appropriate end of the control rod drive cylinder. The pressurized water moves a piston, attached by a connecting rod to the control rod. Three modes of control rod operation are used: insert, withdraw and settle. Four solenoid-operated valves are associated with each control rod to accomplish these actions.
When the operator selects a control rod for motion <Figure 7.7-2>
and operates the rod insertion pushbutton, independent messages are formulated in the Channel 1 and 2 portions of the rod interface Revision 12 7.7-3 January, 2003
system (RIS), a subsystem of RC&IS. These independent messages (or words) consist of a serial transmission of electrical pulses which carry information from one part of RC&IS to another. These messages are compared, bit by bit, and if identical, one is stored in a memory and the other is transmitted to all hydraulic control units (HCUs). The digital word to the HCUs contains, (1) the identity or address of the HCU which corresponds to the rod selected by the operator, and (2) data communicating the action to be executed by the rod. Only the HCU with an identical address to that contained in the transmitted digital word executes the rod movement command.
An operator request for withdrawal instead of insertion of a rod would be processed in a similar manner, except that the outgoing command word to the HCUs would have the proper sequence of electrical pulses (bits) to instruct the rod to withdraw (HCU directional control valves are shown in <Figure 4.6-6>.
Upon receipt of the command word, the selected HCU transponder transmits a digital acknowledge word back to the control room.
This acknowledgment contains (1) the identity (address) of the acknowledging HCU, (2) the actions currently being executed, and (3) status information of valve positioners, accumulator conditions and test switch positions. Parts of this returning word are compared with the original command word stored in memory as a check to see that the selected rod is performing the designated action.
When a predetermined number of disagreements between the Channel 1 and Channel 2 formulated words or the returning acknowledge word is reached, further rod motion is terminated and the operator is notified that a problem exists (this rod motion block in no way prevents the reactor protection system from initiating and completing a SCRAM).
Revision 12 7.7-4 January, 2003
Continued rod motion depends on the HCU receiving a train of sequential words because the HCU insert, withdraw and settle valve control circuits are AC coupled; i.e., the system must operate in a dynamic manner to effect rod motion. Thus, system failure (which generally results in static conditions) will terminate further rod motion.
In <Figure 7.7-3>, three action loops of the solid state RC&IS are depicted:
- 1. Loop A The high speed loop (duration = 200 sec) alternately:
(a) Commands the selected rod and (b) Either scans a rod for status information or directs a portion of a single HCU self-test.
- 2. Loop B The medium speed loop (duration = 205 to 1,270 msec) alternately:
(a) Monitors the status of all rods in order to update the RIS display and (b) Completes two seven step self checks of one HCU unit.
- 3. Loop C The low speed loop (duration = 36 to 234 sec) self-tests all HCUs one at a time to ensure correct execution of actions commanded. These tests are of such short duration that the valves do not move.
If an HCU fails a test or the return digital word is altered by electrical noise, Loop B automatically performs additional self-test checks. If these tests obtain good results, the loops Revision 19 7.7-5 October, 2015
proceed as usual, but if a preset number of errors are detected the system stops all rod motion by removing the AC power supplied to the drive control valves. Operator action is then necessary to restore the system to normal operation.
The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selection condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.
The direction in which the selected rod moves is determined by the position of four switches located on the reactor control panel.
These four switches, insert, withdraw, continuous insert, and continuous withdraw are pushbuttons which return by spring action to an off position.
A description of the operation of the reactor manual control system during an insert cycle follows. The cycle is described in terms of the insert, withdraw and settle commands from the RC&IS.
With a control rod selected for movement, depressing the insert switch and then releasing the switch energizes the insert command for a limited time. Just before the insert command is removed, the settle command is automatically energized and remains energized for a limited time. The insert command time setting and the rate of drive water flow provided by the control rod drive hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-in.) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement Revision 12 7.7-6 January, 2003
switch. Continuous insertion of a selected control rod is possible by holding the insert switch.
A second switch can be used to affect insertion of a selected control rod. This switch is the continuous insert switch. By holding this switch in, the unit maintains the insert command in a continuous, energized state to cause continuous insertion of the selected control rod. When released, the timers are no longer bypassed and normal insert and settle cycles are initiated to stop the drive.
A description of the operation of the RC&IS during a withdraw cycle follows. The cycle is described in terms of the insert, withdraw and settle commands.
With a control rod selected for movement, depressing the withdrawal switch energizes the insert valves at the beginning of the withdrawal cycle to allow the collet fingers to disengage the index tube. When the insert valves are de-energized, the withdraw and settle valves are energized for a controlled period of time.
The withdraw valve is de-energized, before motion is complete; the drive then settles until the collet fingers engage. The settle valve is then de-energized, completing the withdraw cycle. This withdraw cycle is the same whether the withdraw switch is held continuously or momentarily depressed. The timers that control the withdraw cycle provide a fixed timing cycle. Flow control elements at each HCU DCV manifold are set so that the rod travels one notch (6-in.) per cycle. Provisions are included to prevent further control rod motion in the event of timer failure.
A selected control rod can be continuously withdrawn if the withdraw switch is held in the depressed position at the same time that the continuous withdraw switch is held in the depressed Revision 12 7.7-7 January, 2003
position. With both switches held in these positions, the withdraw and settle commands are continuously energized.
The following is a description of the operation of the RC&IS during the ganged rod mode.
In the ganged rod mode of operation, more than one rod may be moved at a time. This mode of operation facilitates plant startup and load following. Ganged rod movement can be used for either insert or withdrawal and the operation of the HCUs is the same as described for the withdraw and insert cycle. Ganged rod movement can be initiated at any power level and is subject to the constraints of the rod pattern control system.
To initiate ganged rod movement, the operator places the RC&IS in the gang drive mode by pushing the drive mode selector pushbutton on the operator control module. To select a gang of rods for motion, the operator can select any rod in that gang and the other rods in the gang are automatically selected. There are up to four rods in a gang. The selected gang may be inserted or withdrawn in either the notch mode or the continuous mode. Movement of the selected gang of rods is accomplished by operating the insert or withdraw pushbutton for single notch gang movement; and the simultaneous operation of the continuous pushbutton if continuous gang movement is desired.
The positions of all rods in a gang are continuously monitored by both channels of RC&IS and rod pattern control system. Violation of rod pattern constraints will result in insert and withdraw blocks on all rods. Correction of violation can be made by use of the single rod bypass function.
Revision 12 7.7-8 January, 2003
- 1. Control Rod Drive-Hydraulic System Control One motor-operated pressure control valve, two air-operated flow control valves, and four solenoid-operated stabilizer valve assemblies are included in the control rod drive hydraulic system to maintain smooth and regulated system operation. These devices are shown in <Figure 4.6-5> and
<Figure 4.6-6>. The motor-operated pressure control valve is positioned by manipulating a switch in the control room. The switch for this valve is located close to the pressure indicators that respond to the pressure changes caused by the movement of the valve. The air-operated flow control valve in service is automatically positioned in response to signals from an upstream flow measuring device. The stabilizer valves are automatically controlled by the energization of the insert and withdraw commands. The control scheme is shown in
<Figure 7.7-1>. There are two drive water pumps which are controlled by switches in the control room. Each pump automatically stops on indication of low suction pressure.
- 2. Rod Block Interlocks A portion of the RC&IS, upon receipt of input signals from other systems and subsystems, inhibits movement or selections of control rods.
(a) Grouping of Channels The same grouping of neutron monitoring equipment (SRM, IRM and APRM) that is used in the reactor protection system is also used in the rod block circuitry.
Half of the total monitors (SRM, IRM and APRM) provide inputs to one of the RC&IS rod block logic circuits and Revision 12 7.7-9 January, 2003
the remaining half provide inputs to the other RC&IS rod block logic circuit. Scram discharge volume high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the scram discharge volume is bypassed.
The APRM rod block settings are varied as a function of recirculation flow. Analyses show that the selected settings are sufficient to avoid both reactor protection system action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. The rod block from scram discharge volume high water level utilizes two differential transmitters installed on the scram discharge volume. A second trip unit on one transmitter provides a control room annunciation of increasing level below the level at which a rod block occurs.
(b) Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in the following sections. <Figure 7.7-1> shows all the rod block functions on a logic diagram.
(1) With the mode switch in the REFUEL position, no control rod can be withdrawn except during the single rod test. This enforces compliance with the intent of the shutdown mode.
Revision 12 7.7-10 January, 2003
(2) The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:
- i. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or correctly bypassed.
ii. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram.
The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level.
iii. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out-of-service.
iv. Rod pattern control system. The purpose of the rod pattern control system is to limit the worth of any control rod such that no undesirable effects will result from a rod drop accident or a rod withdrawal error. The rod pattern control system will enforce operational procedural controls by applying rod blocks before any rod motion can produce high worth rod patterns. See <Section 7.6.1>
for further discussion of this system.
Revision 12 7.7-11 January, 2003
- v. Rod position information system malfunction.
This assures that no control rod can be withdrawn unless the rod position information system is in service.
vi. Rod measurement timer malfunction during withdrawal. This assures that no control rod can be withdrawn unless the two independent timers agree and are in service.
(3) With the reactor mode switch in the RUN position, any of the following conditions initiates a rod block.
- i. Any APRM downscale alarm. This assures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed.
ii. Scram discharge volume high water level. This assures that no control rod will be withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram.
The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level.
iii. Scram discharge volume high water level scram trip bypassed. This assures that no control rod is withdrawn while the scram discharge volume high water level scram function is out-of-service.
Revision 12 7.7-12 January, 2003
iv. Any average power range monitor (APRM) flow biased upscale rod block. The purpose of this rod block function is to avoid conditions that would require reactor protective system action if allowed to proceed. The APRM high flow biased rod block setting is selected to intitiate a rod block before the APRM flow biased upscale scram setting is reached.
(4) With the mode switch in the STARTUP or REFUEL position, any of the following condition initiates a rod block:
- i. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring reactor protection system action scram) in the event that a rod withdrawal error is made during low neutron flux level operations.
ii. Any average power range monitor (APRM) upscale rod block alarm. The purpose of rod block function is to avoid conditions that would require reactor protection system action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.
Revision 12 7.7-13 January, 2003
iii. Any IRM downscale alarm except when range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored.
This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level.
Thus, the rod block ensures that the intermediate range monitor is on scale if control rods are to be withdrawn.
iv. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available in that all IRM channels are in service or are correctly bypassed.
- v. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and associated IRM switches are on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information.
vi. Any SRM upscale level alarm and associated IRM range switches are below Range 8. This assures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod Revision 12 7.7-14 January, 2003
block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.
vii. Any SRM downscale alarm and associated IRM range switches are on either of the two lowest ranges. This assures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.
viii. Any SRM inoperative alarm and associated IRM range switches are below Range 8. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available.
ix. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available.
(c) Rod Block Bypasses To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows:
(1) 1 SRM channel (1 on RPS Bus A or Bus B)
Revision 12 7.7-15 January, 2003
(2) 2 IRM channels (1 on Bus A and Bus B)
(3) 2 APRM channels (1 on Bus A and Bus B)
The permissible IRM and APRM bypasses are arranged in the same way as in the reactor protection system
<Section 7.2.1>. The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The same type of grouping and bypass arrangement is used for the APRMs. The arrangement allows the bypassing of one IRM and one APRM in each rod block logic circuit.
These bypasses are affected by positioning switches in the control room. A light in the control room indicates the bypassed condition.
An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the IRM instrumentation.
- 3. Rod Position Probes The position probe is a long cylindrical assembly that fits inside the control rod drive. Each control rod drive has two sets of reed switches for redundant indication of all information. These two sets of switches are electrically and mechanically separate within a common enclosure. The reed switches are located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive, and with it the control rod blade, moves along its length, the magnet causes Revision 12 7.7-16 January, 2003
reed switches to close as it passes over the switch locations.
The particular switch closed then indicates where the control rod drive, and hence the rod itself is positioned.
The switches are located as follows: one at each of twenty-five notch (even) positions; one at each of twenty-four mid-notch (odd) positions; two at the fully inserted position (approximately the same location as the 00 notch); one at the fully withdrawn position (approximately the same location as the 48 notch position); and, one at the overtravel or decoupled position.
All of the mid-notch or odd switches are wired in parallel and treated as one switch (for purposes of external connections),
and the two full-in switches are wired in parallel and treated as one switch. These and the remaining switches are wired in a 5 x 6 array (the switches short the intersections) and routed out in an 11-wire cable to the processing electronics (the probe also includes a thermocouple which is wired out separate from the 5 x 6 array).
- 4. Position Indication Electronics The electronics consists of a set of probe multiplexer cards (one per 4-rod group where the 4-rod group is the same as the display grouping described above), a set of file control cards (one per 20 multiplexer cards), and one set of master control and processing cards serving the whole system. All probe multiplexer cards are the same except that each has a pair of plug-in daughter cards containing the identity code of one 4-rod group (the probes for the corresponding 4 rods are connected to the probe multiplexer card). The system operates on a continuous scanning basis with a complete cycle in approximately 60 milliseconds.
Revision 12 7.7-17 January, 2003
The operation is as follows: The control logic generates the identity code of one rod in the set, and transmits it using time multiplexing to all of the file control cards. These in turn transmit the identity with timing signals to all of the probe multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the raw probe data for that rod back through the file control card to the master control and processing logic. The processing logic does several checks on the returning data. First, a check is made to verify that an answer was received. Next, the identity of the answering data is checked against that which was sent. Finally, the format of the data is checked for legitimacy. Only a single even position or, full-in plus position 00, or full-out plus position 48, or odd, or overtravel, or blank (no switch closed) are legitimate. Any other combination of switches is flagged as a fault.
If the data passes all of these tests, it is decoded and transmitted in multiplexed form to the displays in the main control panel, and loaded into a memory to be read by the computer as required.
As soon as one rods data is processed, the next rods identity is generated and processed and so on for all of the rods. When data for all rods has been gathered, the cycle repeats. The RC&IS is totally operable from the main control room. Manual operation of individual control rods is possible with a pushbutton to effect control rod insertion, withdrawal or settle. Rod position indicators, described below, provide the necessary information to ascertain the operating state and position of all control rods. Conditions which prohibit control rod insertion are alarmed with the rod block annunciator.
Revision 12 7.7-18 January, 2003
A rod information display on the reactor control panel is patterned after a top view of the reactor core. The display allows the operator to acquire information rapidly by scanning. Digital windows provide an overall indication of rod pattern and allow the operator to quickly identify an abnormal indication. The following information for each control rod is also presented in the display:
(a) Rod full inserted (green)
(b) Rod fully withdrawn (red)
(c) Selected rod identification (d) Rod scram (green)
(e) Rod position (numeric) of selected rods (f) Rod position (numeric) of all rods Also dispersed throughout the display, in locations representative of the physical location of LPRM strings in the core, are LPRM lights as follows:
(a) LPRM high flux (red)
(b) LPRM string selected (yellow)
(c) LPRM downscale (green)
A continuous core rod position display is provided from both of the rod position information system cabinets. The data for the display is automatically alternated between the two RC&IS Revision 14 7.7-19 October, 2005
outputs at a rate that is visible to the operator so that position data faults are easily detected.
A separate, smaller display below the full core status display will provide the LPRM reading adjacent to the selected rod.
The associated LPRM for each rod in a gang may be selected and displayed so that the operator can easily observe core power response to the motion of the gang rods. Proper gang motion can be further confirmed by observing rod position changes indicated by the full core display.
The position signals of selected control rods, together with a rod identification signal, are provided as inputs to the online performance monitoring system. The acquisition of the rod position signal does not interrupt the rod position indication signal in the control room. The performance monitoring system can, on demand, provide a full core printout of control rod positions.
The following control room lights are provided to allow the operator to know the conditions of the control rod drive hydraulic system and the control circuitry:
(a) Insert command energized (b) Withdraw command energized (c) Settle command energized (d) Insert not permissive (e) Withdrawal not permissive (f) Insert required Revision 12 7.7-20 January, 2003
(g) Continuous withdrawal (h) Pressure control valve position (i) Flow control valve position (j) Drive water pump low suction pressure (alarm and pump trip)
(k) Drive water filter high differential pressure (alarm only)
(l) Charging water (to accumulator) low pressure (alarm only)
(m) Control rod drive temperature (alarm only)
(n) Scram discharge volume not drained (alarm only)
(o) Scram valve pilot air header high/low pressure (alarm only) 7.7.1.3 Recirculation Flow Control System - Instrumentation and Controls
- a. System Function The recirculation flow control system controls reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water.
- b. System Operation Reactor recirculation flow is varied by throttling the recirculation pumps discharge with control valves. The Revision 12 7.7-21 January, 2003
recirculation pumps operate at constant speed, on either LFMG or normal 60-cycle power. By adjusting the position of the discharge throttling valves, the recirculation system can automatically change the reactor power level <Figure 7.7-4> and <Figure 7.7-5>.
An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. The additional neutron moderation increases reactivity of the core, which causes reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner.
Each recirculation system loop flow control valve has its individual manual control system as well as the capability of being controlled in unison by the master-flux controllers. The master controller output demands a certain neutron flux level in the reactor which is compared with a filtered measurement of neutron flux. The resultant error is fed into a flux controller which, in turn, demands a drive flow in each loop.
Each loop has an individual flow controller that causes adjustment of valve position to meet a demanded change in loop flow and hence core flow and core power. This process continues until the error existing at the input of the flux controller is driven to zero.
The flux controller can remain in automatic even though the master controller is in manual.
The reactor power change resulting from the change in recirculation flow causes the pressure regulator to reposition the turbine control valves. If the original demand signal was a turbine load/speed error signal, the turbine responds to the change in Revision 12 7.7-22 January, 2003
reactor power level by adjusting the control valves, and hence its power output, until the load/speed error signal is reduced to zero.
- 1. Pump Motor Control Each reactor water recirculating pump drive motor is a four pole ac induction motor that will operate from the normal plant electrical supply during normal plant power operation.
At plant low-power levels, the recirculation pump motor will operate from the electrical output of the low-frequency motor generator (LFMG) set. Since the LFMG set electrical output frequency is at approximately one-fourth the normal plant electrical frequency, the recirculation pump motor will be driven at approximately one-fourth of its rated speed.
The LFMG set is not intended to be capable of starting the recirculation pump motor with the motor initially at zero speed. At low reactor power levels, the motor start is initiated on the normal plant electrical power supply. As the motor speed approaches rated full load speed, it is automatically tripped. When the motor speed coastdown is about 25 percent of rated full load speed, the motor will be reenergized from the LFMG set and driven at about 25 percent rated full load speed. Preceding initiation of the recirculating pump motor, the plant operator may manually start the LFMG set. If the LFMG set is not operating when the motor start is initiated, the LFMG will be automatically started.
If the recirculating pump motor start is initiated at higher reactor power levels, the LFMG set will not start automatically, and the pump/motor will continue to operate at rated full load speed.
Revision 12 7.7-23 January, 2003
Certain trip functions, as shown in <Figure 7.7-4>, will trip the recirculating pump motor and automatically transfer it to the LFMG set. Other trip functions will trip the motor without transfer to the LFMG set.
In addition to the normal drive motor trips, a high vessel pressure or low vessel level signals from the redundant reactivity control system, <Section 7.6.1.12>, will initiate a recirculation pump motor trip. Each trip sensor and channel is separate and independent from the reactor protection system, and includes a testability feature that will allow testing of each trip sensor while the recirculation system is in operation. The abnormal position of the test switch is annunciated.
- 2. Low-Frequency Motor-Generator (LFMG) Set The LFMG set consists of a 16-pole ac induction motor driving a 4-pole ac synchronous generator. This arrangement provides one-fourth normal plant frequency at the output of the generator. The generator exciter is directly connected to generator to provide a brushless excitation system. The voltage regulator for the excitation system is located in the auxiliary relay panel which is separate from the LFMG set.
Several permissives, shown in <Figure 7.7-4>, must be satisfied before the recirculation pump/motor can be operated from either the normal plant electrical system or the LFMG set. These permissives prohibit pump start until conditions assure there will be no damage to the system. <Section 4.4.3>
describes the regions of the operational map where operation is not permitted.
Revision 12 7.7-24 January, 2003
- 3. Valve Position Control Components The main flow regulating valves can be controlled individually or jointly. The master controller, flux demand limiter, flux controller, and total drive flow limiter are common to the control of both valves. The signal from these components is fed to two separate sets of control systems components, one for each limiter, a flow controller, a high-low signal failure alarm, a loss of signal valve motion inhibit interlock, a drive flow feedback signal to each flow controller, a valve actuator, and a limiter. The limiter runs back the main flow regulating valve if one of the reactor feed pumps should trip, with a coincident or subsequent reactor vessel low water level. This run back was intended to reduce reactor power to within the capacity of the remaining feedwater pump. This limiter function may be bypassed during single recirculation loop operation, since reactor power is kept within the capacity of one feedwater pump.
- 4. Master Controller The manual/automatic master controller provides a signal to control reactor flux. The automatic mode is not used at Perry.
- 5. Flux Demand Limiter The flux demand limiter is adjustable. Its purpose is to limit the neutron flux demanded by the flux controller, keeping it sufficiently below the high flux scram point to prevent scrams during reactor power increases.
Revision 12 7.7-25 January, 2003
- 6. Flux Controller The flux controller supplies a total drive flow demand signal to a flow controller station, which in turn supplies each flow loop with a demand signal. Under automatic control, the flux controller output is compared to the sensed loop flow from the feedback proportional amplifiers in each loop. The error signal is fed via the flow controller amplifier to the valve position, resulting in a change of loop flow and therefore core power.
Neutron flux is sensitive to changes in core flow in the frequency range of approximately 0.015 to 0.31 Hertz. The flux controller is a lag/lead compensated proportional-integral (P-I) controller. The lag/lead compensation removes the flux overshoot and the P-I controller provides a high gain output for low frequency input signal from feedwater or pressure disturbance.
- 7. Drive Flow Limiter The drive flow demand limiters are adjustable. The high signal limiter establishes the maximum drive flow demand limit needed for the upper end of the automatic load-following range. The low signal limit is determined from a core stability criterion and defines the lower end of the automatic load-following range. There is no low flow limit and the valve can be closed to its minimum position when the flux controller is in manual mode operation.
- 8. Flux Feedback Isolation Amplifier The flux feedback isolation amplifier performs a dual function. It is a secondary amplifier that completely Revision 12 7.7-26 January, 2003
isolates the reactor flow control system from the particular APRM that supplies its input signal. It also filters process noise in the flux signal. A failure in the amplifier cannot interfere with the protection system function of the APRMs.
Each of the two APRM channels available for flux feedback is further isolated or buffered by an additional primary isolation amplifier, so that the system complies with the requirements of Paragraph 4.7 of IEEE Standard 279.
- 9. Manual/Automatic Transfer Stations Switching between manual and automatic operations is done on the master, flux and individual flow controllers, using a manually operated switch. To automatically control loop flow by the flux controller, the transfer switch on the flux and flow controllers must be in the automatic position.
Setting the master control transfer switch to the manual position provides ganged parallel manual operation of the flow control loops. Switching to manual control on the master controller sets the cascade input or setpoint of the flux controller and hence the signal to the valve. The individual flow controllers must be in automatic mode. During startup, the flux controller output signal is determined by the manual signal level setting on the flux controller with the controller in manual mode.
- 10. Flow Controller The individual flow controller (one for each valve) transmits the signal that adjusts the valve position. During automatic operation, the input signal is received from the flux controller. During manual operation, each flow regulating Revision 12 7.7-27 January, 2003
valve can be manually positioned with the manual output signal raise/lower controls provided on each flow controller.
- 11. Limiter A limiting function is required (as briefly outlined in foregoing paragraphs). Electronic limiting, with reasonable range adjustment, is provided in each main flow control loop.
This limiter is normally held bypassed by auxiliary devices such as relay contacts. When the limiting permissive condition is reached, the main regulating valve control signal is limited to close the valve to the desired position.
- 12. Valve Actuator The valve actuator (one on each valve) is the electro-hydraulic device that moves the flow control valve to the desired position and maintains it there. The valve control system is designed to maintain the valve in the last position demanded if control power is lost.
The valve actuator has an inherent rate limiting feature that will keep the resultant rate of change of core flow and power to within safe limits in the event of upscale or downscale failure of the valve position or velocity control system.
7.7.1.4 Feedwater Control System - Instrumentation and Controls
- a. System Function The feedwater control system controls the flow of feedwater into the reactor vessel to maintain the vessel water level within predetermined limits during all normal plant operating modes. The range of water level is based on the requirements of the steam Revision 12 7.7-28 January, 2003
separators (this includes limiting carryover, which affects turbine performance, and carryunder, which affects recirculation pump operation). The feedwater control system uses vessel water level, steam flow and feedwater flow as a three-element control
<Figure 7.7-6>.
Single-element control is also available based on water level only.
Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly.
- b. System Operation During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel.
The system can be manually operated.
The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel and the steam flow rate from the reactor vessel. During automatic operation, these three measurements are used for controlling feedwater flow.
The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators limit water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. The water level in the reactor vessel is maintained within approximately 2 in. of the setpoint value during normal operation and within the high and low Revision 12 7.7-29 January, 2003
level trip setpoints during normal plant maneuvering transients.
This control capability is achieved during plant maneuvering transients. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel.
The redundant reactivity control system in its automatic mode can initiate a feedwater runback, reducing flow to 0 percent within 30 seconds. This runback is independent of the feedwater control operating mode, and overrides the loss-of-signal interlock which prohibits change of feedpump output under loss of control signal conditions. Control of the feedwater system can be regained by the operator 30 seconds after the runback begins. This runback is discussed in <Section 7.6.1.12>. ATWS alarm lights are provided on the front of the feedwater control panel.
The following is a discussion of the variables sensed for system operation:
- 1. Reactor Vessel Water Level Reactor vessel narrow range water level is measured by three identical, independent sensing systems. For each channel, a differential pressure transmitter senses the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the reactor vessel. The differential pressure transmitter is installed on lines that serve other systems.
The control system automatically selects the median reactor level from the three level signals and uses it for feedwater control.
Revision 14 7.7-30 October, 2005
Each narrow range level channel also functions to provide failure tolerant trips of the main turbine and feed pump prime movers. All three narrow range reactor level signals and reactor pressure are indicated in the control room. A fourth level sensing system (wide range) provides level information beyond the span of the narrow range devices. The median narrow range water level and wide range water level signals are continually recorded in the control room.
- 2. Main Steam Line Steam Flow Steam flow is sensed at each main steam line flow restrictor by a differential pressure transmitter. A signal proportional to the true mass steam flow rate is linearized and indicated in the main control room. The signals are summed to produce a total steam flow signal for indication and feedwater flow control. The total steam flow signal is recorded in the control room.
- 3. Feedwater Flow Feedwater flow is sensed at a flow element in each feedwater line by differential pressure transmitters. Each feedwater signal is linearized and then summed to provide a total mass flow signal which is recorded in the control room. In addition, feedwater flow through each pump is sensed. The flow control loop subtracts the total feedwater flow from the setpoint provided by the level control loop to generate an error for the controller to act on. Valve position control or turbine speed change are the flow adjustment techniques involved.
Revision 14 7.7-31 October, 2005
Three modes of feedwater flow control and thus level control are provided.
(a) Startup automatic level control (1 Element Control)
(b) Run mode automatic flow control (3 Element Control)
(c) Manual control Separate level controllers are provided for each automatic mode. Each level control mode provides output indication as well as level setpoint and measured level. In the 1 Element control mode, measured level is compared to level setpoint within the controller to develop a controller output signal.
In this mode, it is possible to have two feed pumps in automatic control. A feed pump may be manually controlled by using the pumps manual/auto station faceplate.
During normal operation three element automatic control is provided. The total steam flow signal, modified by the conditioned level error signal, provides a flow demand signal to the feedwater flow control loop. The demanded flow is compared to actual total feed flow from running pumps. The resultant flow error signal, after conditioning by the proportional plus integral flow control loop changes the MFP valve position, and/or changes the turbine speed, zeroing the error signal.
Manual control is available by using the manual/auto station faceplates via the touch screen displays to accomplish the desired flow change. Automatic inventory control is available with any single pump or any combination of two pumps.
Revision 14 7.7-32 October, 2005
The level control system also provides interlocks and control functions to other systems. When one of the reactor feed pumps is lost and coincident or subsequent low water level exists, recirculation flow is reduced to within the power capabilities of the remaining reactor feed pumps. This reduction aids in avoiding a low level scram by reducing the steaming rate. Reactor recirculation flow is also reduced on sustained low feedwater flow coincident with low recirculation flow control valve position to ensure that adequate NPSH will be provided for the recirculation system.
Alarms are provided for high and low water level and reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in the event of reactor high water level.
Feedwater is delivered to the reactor vessel through a parallel arranged combination of two turbine-driven and one electric motor-driven feedwater pumps. The turbines are driven by steam from the reactor vessel. The electric motor-driven pump operates at constant speed and flow is controlled by a flow control valve. During planned operation, the feedwater control signal from the level control system is fed to the turbine speed control systems, which adjust the speed of their associated turbines so that feedwater flow is proportional to the feedwater demand signal. Each turbine can be controlled by its manual/automatic transfer station faceplates via the touch-screen displays. The Revision 15 7.7-33 October, 2007
feedwater controller, and the manual/auto transfer stations associated with each turbine speed controller, are the bumpless transfer types.
7.7.1.5 Steam Bypass and Pressure Regulating System -
Instrumentation and Controls
- a. System Function As a direct cycle boiling water reactor, the turbine is slaved to the reactor in that all (except steam to the moisture separator reheaters) steam generated by the reactor is normally accepted by the turbine. The operation of the reactor requires pressure regulation be employed to maintain a constant (within the range of the regulator controller proportional band setting) turbine inlet pressure with load following ability accomplished by variation of the reactor recirculation flow.
The turbine pressure regulator normally controls the turbine control valves to maintain constant (within the range of the regulator controller proportional band setting) turbine inlet pressure at a particular valve. In addition, the pressure regulator also operates the steam bypass valves such that a portion of nuclear boiler rated flow can be bypassed when operating at steam flow loads above that which can be accepted by the turbine as well as during the startup and shutdown phase.
The overall turbine generator and pressure control system accomplishes the following:
- 1. Control turbine speed and turbine acceleration.
- 2. Control the steam bypass system to keep reactor pressure within limits and avoid large power transients.
Revision 12 7.7-34 January, 2003
- 3. Control main turbine inlet pressure within the proportional band setting of the pressure regulator.
- b. System Operation Pressure control is accomplished by controlling main steam pressure immediately upstream of the main turbine stop and control valves through modulation of the turbine-control or steam-bypass valves.
Command signals to these valves are generated by redundant control elements using the sensed turbine inlet pressure signals as the feedback. For normal operation, the turbine control valves regulate steam pressure; however, when the total steamflow demand from the pressure regulator exceeds the capacity of the turbine control valves, the pressure control system sends the excess steam flow directly to the main condenser, through the steam bypass valves. The plant ability to follow grid-system load demands is enabled by adjusting reactor power level, by varying reactor recirculation flow (manually) or by manually moving control rods.
In response to the resulting steam production changes, the pressure control system adjusts the turbine control valve to accept the steam output change, thereby regulating steam pressure.
- 1. Steam Pressure Control During normal plant operation, steam pressure is controlled by the main turbine control valves, positioned in response to the pressure regulation demand signal. The steam bypass valves are normally closed.
The output of one of the regulators is used to provide combined flow demand, and bypass demand signals and is continuously compared to the output of the other regulator.
If the difference between any two comparable signals exceeds Revision 12 7.7-35 January, 2003
the permissible value, the signal which has changed the least in the previous few seconds assumes control.
To minimize pressure regulator disturbance during main steam isolation valve testing or main turbine stop valve testing, a pressure tap is taken from each main steam line ahead of the turbine stop valves and routed into an instrument header pressure equalization manifold. The pressure transmitters are connected to this manifold.
The turbine control valve (steam flow) demand signal is limited, after passage through the low value gate, to that required for full opening of the turbine control valves.
Thus, if the pressure control system requests additional steam flow from the reactor when the control valves reach wide open, the control signal error to the bypass valves will increase and cause bypass actuation.
Control for the turbine control valve is designed so that the valves will close upon loss of control system electric power or loss of hydraulic system pressure.
- 2. Steam Bypass System The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements such as during startup (pressure, speed ramping and synchronizing), sudden load reduction and cooldown.
The bypass capacity of the system is 35 percent (nominal) of the pre-power uprate NSSS rated steam flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated without reactor scram.
Revision 18 7.7-36 October, 2013
Normally, the bypass valves are held closed and the pressure regulator controls the turbine control valves, directing all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the regulator controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the system pressure will rise and reactor protection system action will cause shutdown of the reactor.
The bypass valves are an automatically-operated, regulating type which are proportionally controlled by the turbine pressure regulator and control system.
The turbine control system provides a signal to the bypass valves corresponding to the error between the turbine control valve opening required by the controlling pressure regulator and the turbine control valve position demanded by the output of the low value gate circuit. An adjustable bias signal is provided to maintain the bypass valves closed for momentary differences during normal operational transients.
- 3. Turbine Speed/Load Control System The control signals supplied by the pressure regulator to the turbine control system and the signals which the pressure regulator requires from the turbine control system are shown in <Figure 7.7-7>. The turbine control system is designed to receive and supply the following signals:
(a) Signal 1 - The load demand signal varies from no load to rated load.
Revision 12 7.7-37 January, 2003
(b) Signal 2 - The pressure control demand signal varies from no load to rated load and is limited by the turbine flow limiter to place an upper bound on the total turbine and bypass flow demand.
(c) Signal 3 - The control valve position (flow) demand signal varies to close or open the valve. The turbine flow limiter limits the pressure control demand signal so that it does not exceed the value corresponding to valves fully open. Signal 3 is used by the pressure regulator as a turbine flow reference signal to operate the bypass valves when high steam pressure causes the pressure control signal, Signal 2, to be higher than Signal 3.
- 4. Turbine Speed-Load Control Interfaces (a) Normal Operation During base-load plant operation, the turbine load reference is held above the desired load, such that the pressure regulation demand governs the turbine control valves.
(b) Behavior of Turbine Outside of Normal Operation (1) Turbine Startup.
Prior to turbine startup, sufficient reactor steam flow is generated to permit the steam bypass valves to maintain reactor pressure control while the turbine is brought up to speed and synchronized under its speed-load control.
Revision 12 7.7-38 January, 2003
(2) Partial Load Rejection.
During partial load rejection transients, which are apparent to the reactor as a reduction in turbine load demand resulting from an increase in generator (or grid) frequency above rated, the turbine-pressure control scheme allows the reduced turbine speed-load demand to bias the pressure regulation demand and thereby directly regulate the turbine control valves.
(3) Turbine Shutdown or Turbine Generator Trip.
During turbine shutdown or turbine generator trip conditions, the main turbine stop valves and control valves are, or will be, closed. Reactor steamflow will then be passed through the steam bypass valves under steam pressure control, and through the reactor safety/relief valves, as needed.
(4) Steam Bypass Operation.
Fast opening of the steam bypass valves during turbine trips or generator load rejections requires coordinated action with the turbine control system.
When the turbine control valves are under pressure control, no bypass steamflow is demanded; conversely, when the turbine speed-load demand falls below the pressure regulation demand, a net bypass flow demand is computed. During turbine or generator trip events resulting in fast closure of the turbine stop or control valves, the turbine control valve demand is immediately tripped to zero Revision 12 7.7-39 January, 2003
as an anticipatory response, causing the bypass steamflow demand to equal the initial pressure regulation demand.
(5) Loss of Turbine Control System Power.
Turbine controls and valves are designed so that the turbine stop and control valves will close upon loss of control system power or hydraulic pressure.
7.7.1.6 Refueling Interlocks - Instrumentation and Controls
- a. Refueling Interlocks Function The purpose of the refueling interlocks is to restrict the movement of control rods and the operation of refueling equipment. This reinforces operational procedures that prevent the reactor from becoming critical during refueling operations.
- b. Refueling Interlocks Operation The refueling interlocks circuitry senses the condition of the refueling equipment and the control rods to prevent the movement of the refueling equipment or withdrawal of control rods (rod block).
Redundant circuitry is provided to sense the following conditions:
- 1. All rods inserted
- 2. Refueling platform positioned near or over the core
- 3. Refueling platform main hoist fuel-loaded
- 4. Reactor mode switch in Refuel position and not more than one rod withdrawn Revision 12 7.7-40 January, 2003
- a. System Function The function of the plant process computers is to provide a quick and accurate determination of core thermal performance; to improve Revision 14 7.7-43 October, 2005
- b. System Operation The Plant Process Computer is composed of two (2) CPUs (Central Processing Units). One CPU will be the primary and the second will be in standby. The standby CPU will take over all scan/log/alarm functions should the primary CPU experience any kind of failure.
- 1. Process alarm limits are either variable limits determined by the computer during computation or preprogrammed limits determined by the operator, and
- 2. A reasonableness limit of the analog input signal level programmed.
- 4) archive data, 5) core performance calculations, and 6) balance of plant calculations.
- 1. Option 1 is no longer used at Perry.
- 2. TIP data for inaccessible measurement locations may be replaced by data obtained from the on-line core monitoring system (process computer), normalized with available operating measurements.
- a. System Function The DVR system equalizes pressure between the drywell and outer containment volume (portion of containment volume outside drywell).
- b. System Operation Both the check valves and the motor-operated isolation valves are normally closed when the differential pressure between the containment and drywell is zero or positive. When the differential pressure between the containment and drywell is negative, the motor-operated isolation valves are opened electrically. The check valves open in response to the differential pressure and thus provide vacuum relief. The motor-operated isolation valves also close automatically on a containment isolation signal which consists of reactor low-low level or drywell high pressure. The containment isolation signal is overridden and the motor-operated isolation valves are automatically opened by a negative differential pressure signal. The system diagram and control logic for the motor-operated isolation valves are shown in
- 1. Rod Control & Information System X X
- 2. Recirculation Flow Control System X X
- 3. Feedwater Control System X X X
- 4. Steam Bypass and Pressure X X X Regulating System
- 5. Refueling Interlocks X X X
- 6. Reactor Water Cleanup System X X
- 7. Process Sampling X X
- 8. Gaseous Radwaste X X
- 9. NSSS Process Computer X X X Revision 14 7.7-52 October, 2005
- 1. Rod Control and Information Grand Gulf Size diff-System erence
- 2. Recirculation Flow-Control Grand Gulf Capacity System differences to accommo-date vessel size difference
- 3. Feedwater Control System Grand Gulf Capacity differences
- 4. Steam Bypass and Pressure River Bend Capacity Regulating System differences
- 5. Refueling Interlocks Grand Gulf Same for PNPP
- 6. Reactor Water Cleanup Grand Gulf
- 7. Process Sampling
- 8. Gaseous Radwaste Grand Gulf
- 1. Not near core UL UL UL All rods in Refuel Move refueling No restrictions platform over core
- 2. Not near core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod
- 3. Not near core UL UL UL One rod Refuel Move refueling No restrictions withdrawn platform over core
- 4. Not near core L One rod Refuel Move refueling Platform stopped withdrawn platform over before over core core
- 5. Over core UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod
- 6. Over core L All rods in Refuel Withdraw rods Rod block
- 7. Not near core UL UL UL All rods in Startup Move refueling Platform stopped platform over before over core core
- 8. Not near core UL UL UL All rods in Startup Withdraw rods No restrictions
- 9. Over core UL UL UL All rods in Startup Withdraw rods Rod Block NOTE: