3 to Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Controls

ML21334A022
Person / Time
Site:	Beaver Valley
Issue date:	11/22/2021
From:	Energy Harbor Nuclear Corp
To:	Office of Nuclear Reactor Regulation
Shared Package
ML21334A043	List: L-21-164, 3 to Updated Final Safety Analysis Report, Chapter 12, Conduct of Operations ML21334A020 ML21334A021 ML21334A022 ML21334A023 ML21334A024 ML21334A025 ML21334A026 ML21334A027 ML21334A028 ML21334A029 ML21334A030 ML21334A031 ML21334A032 ML21334A033 ML21334A034 ML21334A035 ML21334A036 ML21334A037 ML21334A038 ML21334A039
References
L-21-164
Download: ML21334A022 (184)
v • d • e

Text

{{#Wiki_filter:BVPS UFSAR UNIT 1 Rev. 19 SECTION 7 INSTRUMENTATION AND CONTROLS TABLE OF CONTENTS Section Title Page

7.1 INTRODUCTION

7.1-1 7.1.1 Identification of Safety Related Systems 7.1-2 7.1.2 Identification of Safety Criteria 7.1-3 7.1.2.1 Design Criteria Compliance 7.1-3 7.1.2.2 Reactor Trip System 7.1-4 7.1.2.3 Engineered Safety Features Actuation 7.1-5 System 7.1.2.4 Quality Assurance 7.1-8 7.1.2.5 Safety-Related Equipment Identification 7.1-8 7.2 REACTOR TRIP SYSTEM 7.2-1 7.2.1 Description 7.2-1 7.2.1.1 Reactor Trips 7.2-1 7.2.1.1.1 Nuclear Overpower Trips 7.2-2 7.2.1.1.2 Core Thermal Overpower Trips 7.2-3 7.2.1.1.3 Reactor Coolant System Pressurizer 7.2-4 Pressure and Level Trips 7.2.1.1.4 Reactor Coolant System Low Flow Trips 7.2-4 7.2.1.1.5 Steam Generator Trips 7.2-6 7.2.1.1.6 Turbine Trip - Reactor Trip 7.2-6 7.2.1.1.7 Safety Injection Signal Actuation Trip 7.2-7 7.2.1.1.8 Manual Trip 7.2-7 7.2.1.1.9 System Accuracies 7.2-7 7.2.1.1.10 Anticipated Transient Without Scram 7.2-7 Mitigating System Actuation Circuitry 7.2.1.2 Reactor Trip System Interlocks 7.2-8 7.2.1.2.1 Power Escalation Permissives 7.2-8 7.2.1.2.2 Blocks of Reactor Trips at Low Power 7.2-8 7.2.1.3 Coolant Temperature Sensor Arrangement 7.2-9 7.2.1.4 Pressurizer Water Level Reference Leg 7.2-9 Arrangement 7.2.1.5 Analog System 7.2-10 7.2.1.6 Digital Logic System 7.2-10 7.2.1.7 Isolation Amplifiers and Isolation Devices 7.2-10 7.2.1.8 Energy Supply and Environmental Variations 7.2-10 7.2.1.9 Trip Levels 7.2-10 7.2.1.10 Seismic Design 7.2-10 7.2.2 Analysis 7.2-12 7.2.2.1 Evaluation of Design Limits 7.2-12 7.2.2.1.1 Trip Settings 7.2-13 7.2.2.1.2 DNBR Protection Evaluation 7.2-13 7-1

BVPS UFSAR UNIT 1 Rev. 19 TABLE OF CONTENTS (CONTD) Section Title Page 7.2.2.1.3 Reactor Coolant Flow Measurement 7.2-13 7.2.2.2 Evaluation of Compliance to Applicable 7.2-13 Codes and Standards 7.2.2.2.1 Evaluation of Compliance With 7.2-13 IEEE Std. 279-1971 7.2.2.2.2 Evaluation of Compliance With 7.2-22 IEEE Std. 308-1971 7.2.2.2.3 Evaluation of Compliance With 7.2-22 IEEE Std. 323-1971 7.2.2.2.4 Evaluation of Compliance With 7.2-22 IEEE Std. 334-1971 7.2.2.2.5 Evaluation of Compliance With 7.2-22 IEEE Std. 338-1971 7.2.2.2.6 Evaluation of Compliance With 7.2-23 IEEE Std. 344-1971 7.2.2.2.7 Evaluation Compliance With AEC General 7.2-23 Design Criteria 7.2.2.3 Specific Control and Protection 7.2-23 Interactions 7.2.2.3.1 Neutron Flux 7.2-23 7.2.2.3.2 Coolant Temperature 7.2-23 7.2.2.3.3 Pressurizer Pressure 7.2-24 7.2.2.3.4 Pressurizer Water Level 7.2-24 7.2.2.3.5 Steam Generator Water Level and 7.2-25 Feedwater Flow 7.2.2.3.6 Anticipated Transient Without Scram 7.2-26 Mitigating System Actuation Circuitry 7.2.3 Tests and Inspections 7.2-28 7.2.3.1 Inservice Tests and Inspections 7.2-28 7.2.3.2 Periodic Testing of the Nuclear 7.2-29 Instrumentation System 7.2.3.3 Periodic Testing of the Process Analog 7.2-29 Channels of the Protection Circuits 7.3 ENGINEERED SAFETY FEATURES SYSTEM 7.3-1 7.3.1 Description 7.3-1 7.3.1.1 Functional Design 7.3-1 7.3.1.1.1 Signal Computation 7.3-2 7.3.1.1.2 Devices Requiring Actuation 7.3-3 7.3.1.2 Design Bases: IEEE Std. 279-1971 7.3-3 7.3.1.3 Implementation of Functional Design 7.3-5 7.3.1.3.1 Analog Circuitry 7.3-5 7.3.1.3.2 Digital Circuitry 7.3-6 7.3.1.3.3 Final Actuation Circuitry 7.3-7 7.3.1.4 Auxiliary Systems Required for ESF Operation 7.3-7 7.3.2 Analysis 7.3-10 7.3.2.1 Evaluation of Compliance With 7.3-10 IEEE Std. 279-1971 7.3.2.1.1 Single Failure Criteria 7.3-10 7.3.2.1.2 Equipment Qualification 7.3-10 7-2

BVPS UFSAR UNIT 1 Rev. 33 TABLE OF CONTENTS (CONTD) Section Title Page 7.3.2.1.3 Channel Independence 7.3-11 7.3.2.1.4 Control and Protection System Interaction 7.3-11 7.3.2.1.5 Capability for Sensor Checks and Equipment 7.3-11 Test and Calibration 7.3.2.2 Evaluation of Compliance With 7.3-19 IEEE Std. 308-1971 7.3.2.3 Evaluation of Compliance With 7.3-19 IEEE Std. 323-1971 7.3.2.4 Evaluation of Compliance With 7.3-19 IEEE Std. 338-1971 7.3.2.5 Evaluation of Compliance With 7.3-19 IEEE Std. 344-1971 7.3.2.6 Summary 7.3-20 7.3.2.6.1 Loss-of-Coolant (LOCA) Protection 7.3-20 7.3.2.6.2 Steam Break Protection 7.3-21 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4-1 7.4.1 Description 7.4-1 7.4.1.1 Monitoring Indicators 7.4-2 7.4.1.2 Controls 7.4-2 7.4.1.2.1 General Considerations 7.4-2 7.4.1.2.2 Pumps and Valves 7.4-3 7.4.1.2.3 Diesels 7.4-3 7.4.1.2.4 Valves 7.4-3 7.4.1.3 Equipment and Services Available for 7.4-4 Hot Shutdown 7.4.1.4 Equipment and Systems Available for Cold 7.4-5 Shutdown 7.4.2 Analysis 7.4-6 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5-1 7.5.1 Description 7.5-1 7.5.2 Analysis 7.5-3 7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY 7.6-1 7.6.1 Residual Heat Removal Isolation valves 7.6-1 7.6.2 Reactor Coolant System Loop Isolation 7.6-1 Valve Interlocks 7.6.2.1 Description 7.6-1 7.6.2.2 Analysis 7.6-1 7.6.3 Emergency Safety Features Protection 7.6-2 Channels Power Supply 7.7 UNIT CONTROL SYSTEMS 7.7-1 7.7.1 Description 7.7-1 7.7.1.1 Reactor Control System 7.7-3 7.7.1.2 Full Length Rod Control System 7.7-4 7.7.1.3 Unit Control Signals for Monitoring and Indicating 7.7-5 7.7.1.3.1 Monitoring Functions Provided by the 7.7-5 Nuclear Instrumentation 7-3

BVPS UFSAR UNIT 1 Rev. 20 TABLE OF CONTENTS (CONTD) Section Title Page 7.7.1.3.2 Rod Position Monitoring of Full Length Rods 7.7-6 7.7.1.3.3 Control Bank Rod Insertion Monitoring 7.7-6 7.7.1.3.4 Rod Deviation Alarm 7.7-7 7.7.1.3.5 Rod Bottom Alarm 7.7-7 7.7.1.4 Unit Control System Interlocks 7.7-7 7.7.1.4.1 Rod Stops 7.7-8 7.7.1.4.2 Automatic Turbine Load Runback 7.7-8 7.7.1.5 Pressurizer Pressure Control 7.7-8 7.7.1.6 Pressurizer Water Level Control 7.7-9 7.7.1.7 Steam Generator Water Level Control 7.7-9 7.7.1.8 Steam Dump Control 7.7-10 7.7.1.8.1 Load Rejection Steam Dump Controller 7.7-10 7.7.1.8.2 Reactor Trip Steam Dump Controller 7.7-11 7.7.1.8.3 Steam Header Pressure Controller 7.7-11 7.7.1.9 Incore Instrumentation 7.7-11 7.7.1.9.1 Thermocouples 7.7-11 7.7.1.9.2 Movable Neutron Flux Detector Drive System 7.7-12 7.7.1.9.3 Control and Readout Description 7.7-12 7.7.1.10 Ultrasonic Feedwater Flow Meter 7.7-13 7.7.2 Analysis 7.7-14 7.7.2.1 Separation of Protection and Control 7.7-15 Systems 7.7.2.2 Response Consideration of Reactivity 7.7-16 7.7.2.3 Step Load Changes Without Steam Dump 7.7-18 7.7.2.4 Loading and Unloading 7.7-18 7.7.2.5 Load Rejection Furnished by Steam Dump 7.7-18 System 7.7.2.6 Turbine-Generator Trip With Reactor 7.7-19 Trip 7.8 OPERATING CONTROL STATIONS 7.8-1 7.8.1 Main Control Room Layout 7.8-1 7.8.2 Shutdown Panel 7.8-1 7.8.3 Back-up Indicating Panel (BIP) 7.8-1 7.8.4 Information Display and Recording 7.8-2 7.8.5 Occupancy Requirements 7.8-4 7.9 TECHNICAL SUPPORT CENTER (TSC) 7.9-1 7.9.1 Control Room 7.9-1 7.9.2 Emergency Response Facility (ERF) 7.9-1 7-4

BVPS UFSAR UNIT 1 Rev. 32 LIST OF TABLES Table Title 7.1-1 Safety Related Schematic Diagrams - Index of Drawings - DLC-TR-1001 7.1-2 Safety Related Schematic Diagrams - Index of Drawings - DLC-TR-1002 7.2-1 (Deleted) 7.2-2 (Deleted) 7.2-3 Reactor Trip Signal System Total Allowances 7.2-4 Seismic Qualification of Stone & Webster ESF Systems and Emergency Power Systems 7.3-1 Instrumentation Operation Condition for Engineered Safety Features 7.3-2 Instrument Operating Conditions for Isolation Functions 7.3-3 Interlocks for Engineered Safety Features Actuation System 7.3-4 (Deleted) 7.3-5 Indicator Lamps 7.4-1 Remote Shutdown Panel Monitoring Instrumentation 7.5-1 Main Control Board Indicators and/or Recorders Available to the Operator Condition II and III Events 7.5-2 Main Control Board Indicators and/or Recorders Available to the Operator Condition IV Events 7.7-1 Control Room Indicators and/or Recorders Available to the Operator to Monitor Significant Unit Parameters During Normal Operation 7.7-2 Unit Control System Interlocks 7.8-1 Equipment Operable From Back-up Indicating Panel 7.8-2 Back-up Indicating Panel Instruments 7-5

BVPS UFSAR UNIT 1 Rev. 21 LIST OF FIGURES Figure Title 7.2-1 Instrumentation and Control System Logic Diagram, Sheet 1 through Sheet 16 7.2-2 Setpoint Reduction Function for Overtemperature T Trips 7.2-3 Overpower, Overtemperature T Protection 7.7-1 Simplified Block Diagram of Reactor Control System 7.7-2 Control Bank Rod Insertion Monitor 7.7-3 Rod Deviation Comparator 7.7-4 Block Diagram of Pressurizer Pressure Control System 7.7-5 Block Diagram of Pressurizer Level Control System 7.7-6 Block Diagram of Steam Generator Water Level Control System 7.7-7 Block Diagram of Steam Dump Control System 7.7-8 Basic Flux - Mapping System 7.8-1 Control and Computer Rooms Arrangement 7.8-2 Outline, Emergency Shutdown Panels A and B 7-6

BVPS UFSAR UNIT 1 Rev. 19 SECTION 7 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

Section 7 presents the various unit instrumentation and control systems by relating the functional performance requirements, design bases, system descriptions, design evaluations and tests and inspections for each. The information provided in this section emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Std. 279-1971.(1) The primary purpose of the instrumentation and control systems is to provide automatic protection against unsafe and improper reactor operation during steady state and transient power operations (Conditions I, II and III) as defined in Section 14 and to provide initiating signals to mitigate the consequences of faulted conditions (Condition IV). Consequently, the information presented in Section 7 emphasizes those instrumentation and control systems which are central to ensuring that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public. It is shown that the applicable criteria and codes, such as the General Design Criteria (GDC) and IEEE Standards, concerned with the safe generation of nuclear power are met by the Westinghouse protection system. Definitions The definitions below establish the meaning of words in the context of their use in Section 7.

1. CHANNEL: An arrangement of components and modules as required to generate a single protection action signal when required by a generating station condition. A channel loses its identity where single action signals are combined.

2. MODULE: Any assembly of interconnected components which constitutes an identifiable device, instrument or piece of equipment. A module can be disconnected, removed as a unit and replaced with a spare. It has definable performance characteristics which permit it to be tested as a unit. A module could be a card or other subassembly of a larger device, provided it meets the requirements of this definition.

3. COMPONENTS: Items from which the system is assembled (e.g., resistors, capacitors, wires, connectors, transistors, tubes, switches, springs, etc.).

4. SINGLE FAILURE: Any single event which results in a loss of function of a component or components of a system. Multiple failures resulting from a single event shall be treated as a single failure.

7.1-1

BVPS UFSAR UNIT 1 Rev. 19

5. PROTECTION ACTION: A protective action can be at the channel or the system level. A protective action at the channel level is the initiation of a signal by a single channel when the variable sensed exceeds a limit. A protective action at the system level is the initiation of the operation of a sufficient number of actuators to effect a protective function.

6. PROTECTIVE FUNCTION: A protective function is the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action values of the variable established in the design basis.

7. TYPE TESTS: Tests made on one or more units to verify adequacy of design.

8. COLD SHUTDOWN CONDITION: When the reactor is subcritical by at least 1 percent k/k and Tavg is 200°F.

9. HOT SHUTDOWN CONDITION: When the reactor is subcritical, by an amount greater than or equal to the margin specified in the applicable Technical Specifications, and Tavg is within the range specified in the applicable Technical Specification.

10. PHASE A CONTAINMENT ISOLATION: Closure of all non-essential process lines which penetrate containment. Initiated by containment high pressure signal or safety injection signal.

11. PHASE B CONTAINMENT ISOLATION: Closure of remaining process lines.

Initiated by containment high-high pressure signal (process lines do not include Engineered Safety Feature lines). 7.1.1 Identification of Safety Related Systems The instrumentation and control system and supporting systems discussed in Section 7 that are credited in the accident analyses and those needed to shut down the unit safely are:

1. Reactor trip system

2. Engineered Safety Features (ESF) actuation system.

Tables 7.1-1 and 7.1-2 list the schematics included in the reports which describe the safety-related systems.(2) The reactor trip system and portions of the ESF actuation system are designed and provided by Westinghouse. The systems used to activate ESF and other safety-related functions provided by Stone & Webster are:

1. Quench Spray System Instrumentation and Controls

2. Containment Recirculation Spray System Instrumentation and Controls

3. Containment Pressure Measuring System 7.1-2

BVPS UFSAR UNIT 1 Rev. 19

4. River Water System Instrumentation and Controls

5. Primary Component Cooling System Instrumentation and Controls

6. Containment Isolation Valves Instrumentation and Controls

7. Auxiliary Feedwater Pumps Instrumentation and Controls

8. Main Steam Stop Valves Instrumentation and Controls

9. Diesel Generators Instrumentation and Controls.

The reactor trip system and the Engineered Safety Features (ESF) actuation system were identical, with several minor exceptions, to those provided on North Anna Power Station Units 1 and 2 (Docket Nos. 50-338 and 339) at the time of the issuance of the original BVPS-1 Operating License. None of the differences between North Anna and BVPS-1 have an adverse effect on the safety of BVPS-1, and were resolved by the time the operating license was issued. All safety-related systems identified above comply with IEEE Std. 279-1971(1) and all applicable GDC, as published in 1971. 7.1.2 Identification of Safety Criteria 7.1.2.1 Design Criteria Compliance The safety-related systems in Section 7 were designed to comply with the following documents as discussed in the appropriate sections:

1. "General Design Criteria for Nuclear Power Plant Construction Permits," Federal Register, July 11, 1967

2. "Safety Guides for Water Cooled Nuclear Power Plants," Division of Reactor Standards, Atomic Energy Commission, October 27, 1971

3. "Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Std. 279-1971, The Institute of Electrical and Electronic Engineers, Inc.

4. "Criteria for Class IE Electric Systems for Nuclear Power Generating Station,"

IEEE Std. 308-1971, The Institute of Electrical and Electronic Engineers, Inc.

5. "IEEE Trial-Use Standard: General Guide for Qualifying Class I Electrical Equipment for Nuclear Power Generating Station," IEEE Std. 323-1971, The Institute of Electrical and Electronic Engineers, Inc.

6. "IEEE Trial-Use Guide for Type Tests of Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations," IEEE Std. 334-1971, The Institute of Electrical and Electronic Engineers, Inc.

7.1-3

BVPS UFSAR UNIT 1 Rev. 19

7. "IEEE Trial-Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems," IEEE Std. 338-1971, The Institute of Electrical and Electronic Engineers, Inc.

8. "IEEE Trial-Use Guide for Seismic Qualification of Class I Electrical Equipment for Nuclear Power Generating Stations," IEEE Std. 344-1971, The Institute of Electrical and Electronic Engineers, Inc.

Certain safety-related electrical equipment relied upon to remain functional during and following design basis events have been replaced to be in compliance with the requirements of 10CFR50.49. These replacement equipment items were required to be in compliance with more recent revisions of the above standards. Specific equipment which has been upgraded is identified in the Equipment Qualification File and maintained in accordance with 10CFR50.49. Upgraded safety related components are designed to comply with the following documents: IEEE 323-1974 and IEEE 344-1975. 7.1.2.2 Reactor Trip System The reactor trip system acts to limit the consequences of Condition II events (faults of moderate frequency such as loss of feedwater flow) by, at most, a shutdown of the reactor and turbine, with the unit capable of returning to operation after corrective action. The reactor trip system features impose a limiting boundary region to plant operation which ensures that the reactor safety limits are not exceeded during Condition II events and that these events can be accommodated without developing into more severe conditions. Reactor Trips The reactor trip system automatically initiates reactor trip:

1. Whenever necessary to prevent fuel damage for an anticipated malfunction (Condition II)

2. To limit core damage for infrequent faults (Condition III)

3. So that the energy generated in the core is compatible with the design provisions to protect the reactor coolant pressure boundary for limiting faults (Condition IV).

Turbine Trips The reactor trip system initiates a turbine trip signal whenever reactor trip is initiated to prevent the reactivity insertion that would otherwise result from excessive reactor system cooldown and to avoid unnecessary actuation of the engineered safety features actuation system. Manual Trip The reactor trip system provides for manual initiation of reactor trip by operator action. 7.1-4

BVPS UFSAR UNIT 1 Rev. 19 Design Bases The design requirements for the reactor trip system are derived by analyses of unit operating and fault conditions where automatic rapid control rod insertion is necessary in order to prevent or limit core or reactor coolant boundary damage. The design limits for this system are:

1. Minimum Departure from Nucleate Boiling Ratio (DNBR) shall not be less than the design limit as a result of any anticipated transient or malfunction (Condition II faults).

2. Power density shall not exceed the rated linear power density for Condition II faults. See Section 3 for fuel design limits.

3. The stress limit of the reactor coolant system for the various conditions shall be as specified in Appendix B.3.

4. Release of radioactive material shall not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius as a result of any Condition III fault.

5. For any Condition IV fault, release of radioactive material shall not result in an undue risk to public health and safety.

Codes and Standards The reactor protection instrumentation meets IEEE criteria as set forth in IEEE Std. 279-1971.(1) Environmental Requirements The environmental design bases are given in IEEE Std. 279-1971.(1) A list of Nuclear Steam Supply System (NSSS) Protective channels required to operate in the post-accident environment, and the required duration of operation is maintained in the BVPS-1 Environmental Qualification Program in accordance with 10 CFR 50.49. 7.1.2.3 Engineered Safety Features Actuation System The ESF actuation system acts to limit the consequences of Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the safety injection system). The ESF actuation system also acts to mitigate Condition IV events (limiting faults, which include the potential for significant release of radioactive material). General Performance Requirements Signals additional to those developed by the reactor trip system shall be generated by the ESF actuation system in order to protect against the effects (and reduce the consequences) of more serious types of accidents designated as Condition III and IV events. These are serious abnormal conditions in the reactor coolant system, main steam system or containment vessel and include loss-of-coolant accident or a steam break. 7.1-5

BVPS UFSAR UNIT 1 Rev. 19 The functional performance requirements for the ESF system are discussed in detail in Section 6. Automatic Actuation Requirements The primary functional requirements of the ESF actuation system is to receive input signals (information) from the various on-going processes within the reactor plant and containment and automatically provide, as output, timely and effective signals to actuate the various components and subsystems comprising the ESF system. These output signals ensure that the ESF system will meet its design bases as outlined in Section 6. The functional diagrams presented in Figure 7.2-1, Sheets 5, 6, 7 and 8 provide a graphic outline of the functional performance requirement of the actuation system. Manual Actuation Requirements The ESF actuation system has provisions for manually initiating from the control room all of the functions of the ESF system. Manual actuation serves as backup to the automatic initiation and provides selective control of ESF service features. Design Bases The design bases for the ESF may be found in Section 6. The following is a discussion of the requirements imposed on the ESF actuation system by the design bases: In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility shall be provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary ESF systems. The occurrence of a limiting fault, such as a loss of coolant accident or a steam break, requires a reactor trip plus actuation of one or more of the ESF systems in order to prevent or mitigate damage to the core and reactor coolant system components and ensure containment integrity. In order to accomplish these design objectives, the ESF system shall have proper and timely initiating signals which are to be supplied by the sensors, transmitters and logic components making up the various instrumentation channels of the ESF actuation system. The specific functions which rely on the ESF actuation system for initiation are:

1. A reactor trip, provided one has not already been generated by the reactor trip system

2. Safety injection, actuations of the following items are programmed to ensure proper power demands on the ESF buses:

a. Cold leg injection valves

b. Charging pumps

c. Low head safety injection pumps 7.1-6

BVPS UFSAR UNIT 1 Rev. 19

d. River water system

e. Auxiliary feedwater system.

3. Phase A containment isolation

4. Phase B containment isolation

5. Steam line isolation

6. Main feedwater line isolation

7. Control room isolation and pressurization

8. Containment depressurization

9. Supplementary leak collection

10. Emergency diesel generators.

Codes and Standards The ESF actuation system meets the criteria as set forth in IEEE Std. 279-1971.(1) In addition, the minimum performance for each of the ESF actuation systems to be specified in terms of time response, accuracy and range is in accordance with the requirements set forth in this document. Environmental Requirements In addition to the environmental design bases listed in IEEE Std. 279-1971,(1) the following additional environmental requirements are applicable:

1. During the initial phase of either a loss of coolant or main steam line break accident, the ESF actuation system will provide the required signals. Therefore, ESF actuation system components are designed and arranged so that radioactive, mechanical and thermal environments accompanying any emergency situation in which the components are required to function do not interfere with that function.

2. Pressurizer pressure and level sensors are required to operate during the first half hour following an accident, or until the pressure and water level are reduced below the span of the instruments, whichever happens first.

3. The containment sump level instrumentation will function for at least 3 hours following an accident.

4. The air and motor operated containment isolation valves (phase A and B containment isolation) will function on initiation from a safety injection signal (for phase A) or a high-high containment pressure signal (for phase B).

7.1-7

BVPS UFSAR UNIT 1 Rev. 19 Beaver Valley's Environmental Qualification Program maintains ranges of environmental conditions for plant areas in which Class 1E electrical equipment components are or could be located in the future. Refer to the BVPS-1 Environmental Qualification Program for a listing of these areas. 7.1.2.4 Quality Assurance Descriptions of applicable quality assurance can be found in Appendix A. 7.1.2.5 Safety-Related Equipment Identification There are four separate protection sets identifiable with process equipment associated with the reactor trip and ESF actuation systems. A protection set is comprised of more than a single process equipment rack. The color coding of each process equipment rack nameplate coincides with the color code established for the protection set of which it is a part. Redundant channels are separated by locating them in different equipment rack sets. Separation of redundant channels begins at the process sensors and is maintained in the field wiring, containment penetrations and equipment racks to the redundant trains in the logic racks. At the logic racks the protection set color coding for redundant channels is clearly maintained until the channel loses its identity in the redundant logic trains. The color coded nameplates described below provide identification of equipment associated with protective functions and their channel set association: Protection Set Color Coding I Red with white lettering II White with black lettering III Blue with white lettering IV Yellow with black lettering Each field wire termination point is tagged to assist identification. However, the tags are not color coded. All non-rack mounted protective equipment and components are provided with an identification tag or nameplate. Small electrical components such as relays have nameplates on the enclosure which houses them. All cables are numbered with identification tags. For further details of the process analog system, see Sections 7.2, 7.3 and 7.7. There are identification nameplates on the input panels of the digital logic system. For details of the digital logic system, see Sections 7.2 and 7.3. The installation of other cable complies with the criteria presented in Section 8. 7.1-8

BVPS UFSAR UNIT 1 Rev. 19 References for Section 7.1

1. "Criteria for Protection Systems for Nuclear Power Generating Stations", IEEE Std. 279-1971, The Institute of Electrical and Electronic Engineers, Inc.

2. "Safety-Related Schematic Diagrams", Duquesne Light Company Topical Reports DLC-TR-1001 and DLC-TR-1002 (Proprietary).

7.1-9

BVPS UFSAR UNIT 1 Rev. 19 7.2 REACTOR TRIP SYSTEM 7.2.1 Description The reactor trip system uses sensors which feed analog circuitry consisting of two to four redundant channels which monitor various unit parameters. The reactor trip system also contains the digital logic circuitry necessary to automatically open the reactor trip breakers. The digital circuitry consists of two redundant logic trains which receive input from the analog protection channels. Each of the two trains, A and B, is capable of opening separate and independent reactor trip breakers RTA and RTB, respectively. The two trip breakers in series connect three phase a-c power from the rod drive motor generator sets to the rod drive power cabinets, as shown on Figure 7.2-1, Sheet 2. When either of the trip breakers opens, power is interrupted to the rod drive power cabinets, and the control rods fall, by gravity, into the core. The rods cannot be withdrawn until an operator resets the trip breakers. The trip breakers cannot be reset until the bistable which initiated the trip is re-enerqized. Bypass breakers BYA and BYB are provided to permit testing of the trip breakers, as discussed below. Each reactor trip breaker is tripped by two devices, an undervoltage trip attachment (UVTA) and shunt trip attachment (STA) and each bypass breaker can be tripped by the UVTA only or by both devices. The UVTA is supplied with d-c voltage from the solid state protection system and during unit power operation, the d-c voltage applied to the UVTA coil on each reactor trip breaker prevents the trip lever from coming in contact with the trip bar preventing the breaker from opening. For a reactor trip, a loss of d-c voltage to the undervoltage coil releases the trip plunger and trips open the breaker. The STA is supplied power from the 125v d-c system and during unit power operation is de-energized. When the coil of the STA is energized, a moving core is attracted into the coil sleeve which pulls on a trip lever causing the breaker to open. Additionally, a shunt trip relay is installed in parallel with the UVTA for the reactor trip breakers (RTA, RTB) only and is normally energized during power operation. Upon de-energization, contacts from this relay energize the STA. This provides a diverse/backup means to automatically trip the breakers (RTA, RTB) upon receipt of a trip signal from the reactor trip system. 7.2.1.1 Reactor Trips The various reactor trip circuits automatically open the reactor trip breakers whenever a condition monitored by the reactor trip system reaches a preset level. In addition to redundant channels and trains, the design approach provides a reactor trip system which monitors numerous system variables, i.e., protection system functional diversity. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is detailed in Reference 7. 7.2-1

BVPS UFSAR UNIT 1 Rev. 23 7.2.1.1.1 Nuclear Overpower Trips The specific trip functions generated are as follows: Power Range High Neutron Flux Trip The power range high neutron flux trip circuit trips the reactor when two-out-of-four power range channels exceed the trip setpoint. There are two independent bistables each with its own trip setting (a high and low setting). The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two-out-of-four power range channels read above approximately 10 percent power (P-10). Three-out-of-four channels below 10 percent automatically reinstates the trip function. Refer to Technical Specifications for a listing of all Reactor Trip system interlocks. Intermediate Range High Neutron Flux Trip The intermediate range high neutron flux trip circuit trips the reactor when one-out-of-two intermediate range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup, can be manually blocked if two-out-of-four power range channels are above approximately 10 percent power (P-10). Three-out-of-four power range channels below this value automatically reinstates the intermediate range high neutron flux trip. The intermediate range channels (including detectors) are separate from the power range channels. The intermediate range channels can be individually bypassed at the nuclear instrumentation racks to permit channel testing during unit shutdown or prior to startup. This bypass action is annunciated on the control board. Source Range High Neutron Flux Trip The source range high neutron flux trip circuit trips the reactor when one-out-of-two source range channels exceeds the trip setpoint. This trip, which provides protection during reactor startup and unit shutdown, can be manually bypassed when one-out-of-two intermediate range channels reads above the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 value. This trip is also automatically bypassed by two-out-of-four logic from the power range permissive (P-10). This trip function can also be reinstated below P-10 by an administration action requiring manual actuation of two control board mounted switches. Each switch will reinstate the trip function in one of the two protection logic trains. The source range trip point is set between the P-6 setpoint (source range cutoff flux level) and the maximum source range flux level. The channels can be individually blocked at the nuclear instrumentation racks to permit channel testing during unit shutdown or prior to startup. This blocking action is annunciated on the control board. Power Range High Positive Neutron Flux Rate Trip This circuit trips the reactor when an abnormal rate of increase in nuclear power occurs in two-out-of-four power range channels. This trip provides protection against rod ejection accidents of low worth from mid-power and is always active. 7.2-2

BVPS UFSAR UNIT 1 Rev. 24 7.2.1.1.2 Core Thermal Overpower Trips The specific trip functions generated are as follows: Overtemperature T Trip This trip protects the core against low DNBR and trips the reactor on coincidence as given in the Technical Specifications with one set of temperature measurements per loop. The setpoint for the trip is continuously calculated by analog circuitry for each loop by solving the equation found in Technical Specification Table 3.3.1-1. One power range channel separately feeds each overtemperature T trip channel. Changes in f( I) can only lead to a decrease in trip setpoint, as shown in Figure 7.2-2. The single pressurizer pressure parameter required per loop is obtained from separate sensors which are connected to three pressure taps at the top of the pressurizer. This results in one pressure tap per loop. Refer to Section 7.2.2.3.3 for an analysis of this arrangement. Figure 7.2-1, Sheet 5, shows the logic for the overtemperature T trip function. A detailed functional description of the process equipment associated with this function is contained in Reference 1. Overpower T Trip This trip protects against excessive power (fuel rod rating Protection) and trips the reactor on coincidence as given in the Technical Specifications with one set of temperature measurements per loop. The setpoint for each channel is continuously calculated using the equation found in Technical Specification Table 3.3.1-1. The source of temperature information is identical to that of the overtemperature T trip and the resultant T setpoint is compared at the same T. Figure 7.2-1, Sheet 5, shows the logic for this trip function. The detailed functional description of the process equipment associated with this function is contained in Reference 1. 7.2-3

BVPS UFSAR UNIT 1 Rev. 19 7.2.1.1.3 Reactor Coolant System Pressurizer Pressure and Level Trips The specific trip functions generated are as follows: Pressurizer Low Pressure Trip The purpose of this trip is to protect against low pressure which could lead to a DNBR less than the design limit, and to limit the necessary range of protection afforded by the overtemperature T trip. The parameter being sensed is reactor coolant pressure as measured in the pressurizer. Above P-7, the reactor is tripped when the compensated pressurizer pressure measurements fall below preset limits. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks are given in the Technical Specifications. The trip logic is shown on Figure 7.2-1, Sheet 6. A detailed functional description of the process equipment associated with this trip is provided in Reference 1. Pressurizer High Pressure Trip The purpose of this trip is to protect the reactor coolant system (RCS) against system overpressure. The same sensors and transmitters used for the pressurizer low pressure trip are used for the high pressure trip except that separate bistables are used for trip. These bistables trip when uncompensated pressurizer pressure signals exceed preset limits on coincidence as given in the Technical Specifications. There are no interlocks or permissives associated with this trip function. The trip logic is shown on Figure 7.2-1, Sheet 6. A detailed functional description of the process equipment associated with this trip is provided in Reference 1. Pressurizer High Water Level Trip This trip is provided as a backup to the high pressurizer pressure trip and serves to prevent water relief through the pressurizer safety valves. This trip is blocked below P-7 to permit startup. The coincidence logic and interlocks of pressurizer high water level signals are given in the Technical Specifications. The trip logic for this function is shown on Figure 7.2-1, Sheet 6. A detailed description of the process equipment associated with this function is provided in Reference 1. 7.2.1.1.4 Reactor Coolant System Low Flow Trips These trips protect against a DNBR of less than the design limit in the event of a loss-of-coolant flow situation. The means of sensing the loss-of-coolant flow are as follows: 7.2-4

BVPS UFSAR UNIT 1 Rev. 23 Low Reactor Coolant Flow The parameter sensed is reactor coolant flow. Three elbow taps in each coolant loop are used as a flow device that indicates the status of reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow rate has occurred. An output signal from two-out-of-three bistables in a loop would indicate a low flow in that loop. The coincidence logic and interlocks are given in the Technical Specifications. The detailed functional description of the process equipment associated with the trip function is provided in Reference 1. Reactor Coolant Pump Breaker Trip Opening of two or three reactor coolant pump breakers (depending upon power level), which is indicative of an imminent loss-of-coolant flow in those loops, will also cause a reactor trip. No credit is taken in the accident analyses for operation of this trip. One set of auxiliary contacts on each pump breaker serves as the input signal to the trip logic. The coincident logic and interlocks are given in the Technical Specifications. Reactor Coolant Pump Bus Undervoltage Trip This trip is a back-up to the low reactor coolant flow trip to protect against low flow which can result from loss of voltage to more than one reactor coolant pump (e.g., from unit blackout). No credit is taken in the accident analyses for operation of this trip. There is one undervoltage sensing relay connected to each reactor coolant pump bus. These relays provide an output signal when the bus voltage goes below 75 percent of rated voltage. Signals from these relays are time delayed to prevent spurious trips caused by short term voltage perturbations. The coincidence logic and interlocks are given in the Technical Specifications. Reactor Coolant Pump Bus Underfrequency Trip This trip is a back-up to the low reactor coolant flow trip to protect against low flow resulting from bus underfrequency for example, a major power grid frequency disturbance. A reactor coolant pump trip is also initiated in order to disengage the pumps from the power grid so that pump kinetic energy is available for full coastdown. No credit is taken in the accident analyses for operation of this trip. The function of this trip is to open the reactor coolant pump breakers and trip the reactor for an underfrequency condition. There is one underfrequency sensing relay connected to each reactor coolant pump bus. Signals from relays connected to any two of the buses (time delayed up to approximately 0.2 sec to prevent spurious trips caused by short term frequency perturbations) will trip all of the reactor coolant pump breakers. The same signal will also directly trip the reactor if the power level is above P-7. 7.2-5

BVPS UFSAR UNIT 1 Rev. 23 The reactor coolant pump breaker circuits are non-safety related. No credit is taken in the accident analyses for operation of the reactor trips associated with inputs from the reactor coolant pump breakers and reactor coolant pump buses. Figure 7.2-1, Sheet 5, shows the logic for the Reactor Coolant System (RCS) low flow trips. 7.2.1.1.5 Steam Generators Trips The Low-Low Steam Generator Water Level Trip protects the reactor from loss of heat sink in the event of a sustained steam/feedwater flow mismatch. This trip is actuated on two-out-of-three low-low water level signals occurring in any steam generator. The logic is shown on Figure 7.2-1, Sheet 7. A detailed functional description of the process equipment associated with this trip is provided in Reference 1. 7.2.1.1.6 Turbine Trip-Reactor Trip The turbine trip-reactor trip is actuated by two-out-of-three logic from the low auto stop oil pressure signals or by all closed signals from the turbine steam stop valves. A turbine trip causes a direct reactor trip above P-9. Below P-9, no direct reactor trip occurs, and the unit is expected to be able to recover from the transient with no challenges to the RCS provided sufficient secondary steam dump capacity is available. This trip is modeled in accident analyses but no credit is taken for operation of this trip. High-high steam generator level signals in two-out-of-three channels for any steam generator will actuate a turbine trip, trip the main feedwater pumps, close the main and bypass feedwater control valves, and close the feedwater isolation valves. The purpose is to protect the turbine steam piping from excessive moisture carryover caused by high-high steam generator level. Other turbine trips are discussed in Section 10. The logic for this trip is shown on Figure 7.2-1, Sheet 7. The analog portion of the trip shown on Figure 7.2-1, Sheet 15, is represented by dashed (----) lines. When the turbine is tripped, turbine auto stop oil pressure drops, and the pressure is sensed by three pressure sensors. A digital output is provided from each sensor when the oil pressure drops below a preset value. These three outputs are transmitted to two redundant two-out-of-three logic matrices, either of which trips the reactor above P-9. The auto stop oil pressure signal also dumps the auto stop emergency trip fluid closing all of the turbine steam stop valves. When all stop valves are closed, a reactor trip signal will be initiated if the reactor is above P-9. This trip signal is generated by redundant (two each) limit switches on the stop valves. 7.2-6

BVPS UFSAR UNIT 1 Rev. 21 7.2.1.1.7 Safety Injection Signal Actuation Trip A reactor trip occurs when the Emergency Core Cooling System (ECCS) is actuated. The means of actuating the ECCS are described in Section 7.3. This trip protects the core against a loss of reactor coolant or steam. Figure 7.2-1, Sheet 8, shows the logic for this trip. A detailed functional description of the process equipment associated with this trip function is provided in Reference 1. 7.2.1.1.8 Manual Trip The manual trip consists of two switches with multiple outputs on each switch. One output is used to actuate the train A trip breaker and another output actuates the train B trip breaker. Operating a manual trip switch removes the voltage from the undervoltage trip coil and energizes the shunt trip coil either of which will cause a reactor trip. There are no interlocks which can block this trip. Figure 7.2-1, Sheet 3, shows the manual trip logic. 7.2.1.1.9 System Accuracies The system accuracies of the instrument trip signals required for unit safety are given in Table 7.2-3. 7.2.1.1.10 Anticipated Transient Without Scram (ATWS) Mitigating System Actuation Circuitry (AMSAC) AMSAC provides a backup system diverse and independent from the existing Reactor Protection System to (1) initiate a turbine trip and (2) initiate Auxiliary Feedwater flow, thereby providing adequate assurance that the Reactor Coolant System will not be subject to potential damage as a result of overpressure in the event of an ATWS with coincident loss of feedwater. AMSAC monitors feedwater flow in each of the three loops. Any two-out-of-three loops indicating a loss of feedwater flow initiates the AMSAC System timer, provided that the plant is at 40% turbine load or greater, or if the plant was at 40% turbine load or greater within the previous 180 seconds, as sensed by two-out-of-two turbine first stage pressure channels. 7.2-7

BVPS UFSAR UNIT 1 Rev. 23 7.2.1.2 Reactor Trip System Interlocks 7.2.1.2.1 Power Escalation Permissives The overpower protection provided by the out-of-core nuclear instrumentation consist of three discrete, but overlapping levels. Continuation of startup operation of power increase requires a permissive signal from the higher range instrumentation channels before the lower range level trips can be manually blocked by the operator. A one of two intermediate range permissive signal (P-6) is required prior to source range level trip blocking and detector high voltage cutoff. Source range level trips are automatically reactivated and high voltage restored when both intermediate range channels are below the permissive (P-6) level. There is a manual reset switch for administratively reactivating the source range level trip and detector high voltage when between the permissive P-6 and P-10 level, if required. Source range level trip block and high voltage cutoff are always maintained when above the permissive P-10 level. The intermediate range level trip and power-range (low setpoint) trip can only be blocked after satisfactory operation and permissive information are obtained from two of four power range channels. Individual blocking switches are provided so that the low-range power range trip and intermediate range trip can be independently blocked. These trips are automatically reactivated when any three of the four power range channels are below the Permissive (P-10) level, thus ensuring automatic activation to more restrictive trip protection. The development of the permissives P-6 and P-10 is shown on Figure 7.2-1, Sheet 4. All of the permissives are digital; they are derived from analog signals in the nuclear power range and intermediate range channels. See Technical Specifications for the list of protection system interlocks. 7.2.1.2.2 Blocks of Reactor Trips at Low Power Interlock P-7 blocks a reactor trip at low power (below approximately 10 percent full power) on a low reactor coolant flow or reactor coolant pump open breaker signal in more than one loop, reactor coolant pump undervoltage, reactor coolant pump underfrequency, pressurizer low pressure, pressurizer high water level. See Figure 7.2-1 for permissive applications. The low power signal is derived from three-out-of-four power range neutron flux signals below the setpoint in coincidence with two-out-of-two turbine first stage pressure signals below the setpoint (low unit load). The P-8 interlock blocks a reactor trip when the unit is below 30 percent of full power, on a low reactor coolant flow in any one loop. The block action (absence of the P-8 interlock signal) occurs when three-out-of-four neutron flux range signals are below the setpoint. Thus, below the P-8 setpoint, an automatic reactor trip will not occur until two loops are indicating low flow. See Figure 7.2-1, Sheet 4, for derivation of P-8, and Sheet 5 for applicable logic. 7.2-8

BVPS UFSAR UNIT 1 Rev. 19 The P-9 interlock blocks a reactor trip on a turbine trip at less than or equal to 49 percent power. The block action (absence of the P-9 interlock signal) occurs when three out of four neutron flux range signals are less than or equal to the 49 percent power level set point. Thus below the P-9 set point, the reactor will be allowed to operate and ride out the turbine trip transient, with load rejection with reactor power dissipated by steam dump. See Technical Specification for the list of Reactor Trip System Interlocks. 7.2.1.3 Coolant Temperature Sensor Arrangement The hot and cold leg temperature signals required for input to the protection and control functions are obtained using thermowell mounted RTDs installed in each reactor coolant loop. The hot leg temperature measurement in each loop is accomplished using three fast response narrow range RTDs mounted in thermowells. The hot leg thermowells are located within the three scoops previously used for the RTD bypass manifold. The scoops were modified during the seventh refueling outage by drilling a flow hole in the tip of the scoops so water will flow in through the existing holes in the leading edge of the scoop, pass the RTD and out through the new drilled hole in the tip of the scoop. The cold leg temperature measurements in each loop are accomplished by one fast response narrow range duel element RTD. The existing cold leg RTD bypass penetration nozzle was modified to accept the thermowell and RTD. Due to temperature streaming, the three fast response hot leg RTDs are electronically averaged to generate the hot leg temperature. In the event one of the three hot leg RTDs fails, the failed RTD will be disconnected and the hot leg temperature measurement will be obtained by averaging the remaining two RTD measurements in that loop. A bias adjustment will be applied to correct for the temperature offset. The bias adjustment will be based on the most recent periodic temperature measurement obtained at full power prior to the RTD failure. Subsequent measurements obtained from the remaining RTDs in that loop and the other loop RTDs may be used to (1) confirm the correct bias adjustment or (2) define changes required to the bias adjustment. In the event a cold leg RTD fails, the failed RTD should be disconnected from the logic cabinets and the installed spare cold leg RTD would then be connected in the failed RTD's place. Operation with less than two hot leg RTDs per loop or with both cold leg RTD elements per loop failed is not permissible. This channel is considered inoperable and should be placed in trip. The basis for operation utilizing the thermowell mounted RTDs is presented in Reference 24. 7.2.1.4 Pressurizer Water Level Reference Leg Arrangement The design of the pressurizer water level instrumentation includes a slight modification of the usual tank level arrangement using differential pressure between upper and a lower tap. The modification consists of the use of a sealed reference leg instead of the conventional open column of water. Refer to Section 7.2.2.3.4 for an analysis of this arrangement. 7.2-9

BVPS UFSAR UNIT 1 Rev. 23 7.2.1.5 Analog System The process analog system is described in Reference 1. 7.2.1.6 Digital Logic System The solid state protection logic system takes binary inputs (voltage/no voltage) from the process and nuclear instrument channels corresponding to conditions (normal/abnormal) of unit parameters. The system combines these signals in the required logic combination and generates a trip signal (no voltage) to the undervoltage coils of the reactor trip circuit breakers when the necessary combination of signals occur. The system also provides annunciator, status light and computer input signals which indicate the condition of bistable input signals, partial trip and full trip functions and the status of the various blocking, permissive and actuation functions. In addition, the system includes means for semi-automatic testing of the logic circuits. A detailed description of this system is given in Reference 3. 7.2.1.7 Isolation Amplifiers and Isolation Devices In certain applications, Westinghouse considers it advantageous to employ control signals derived from individual protection channels through isolation amplifiers contained in the protection channel, as permitted by IEEE Std. 279-1971.(13) In all of these cases, analog signals derived from protection channels for non-protective functions are obtained through isolation amplifiers located in the analog protection racks. By definition, non-protective functions include those signals used for control, remote process indication and computer monitoring. Isolation amplifier qualification tests are described in References 4 and 5. Isolation devices installed after May, 1980 were qualified to References 22 and 23 or equivalent. 7.2.1.8 Energy Supply and Environmental Variations The energy supply for the reactor trip system, including the voltage and frequency variations, is described in Section 8. The environmental design requirements are given in Reference 13. A list of the Nuclear Steam Supply System protection channels required to operate in the post-accident environment, and the required duration of operation, is maintained in the BVPS-1 Environmental Qualification Program in accordance with 10 CFR 50.49. See Section 7.2.2.2.1 for details on environmental design. 7.2.1.9 Trip Levels The levels that, when reached, will require trip action are given in the Licensing Requirements Manual. 7.2.1.10 Seismic Design For either earthquake (operating or design basis) the protection system equipment is designed to ensure that it does not lose its capability to perform its function, i.e., shut the unit down and maintain it in a safe shutdown condition. 7.2-10

BVPS UFSAR UNIT 1 Rev. 19 For the design basis earthquake, there may be permanent deformation of the equipment provided that the capability to perform its function is maintained. Typical protection system equipment is subjected to type tests under simulated seismic motion consisting of sine beats to demonstrate its ability to perform its functions. Type testing has been done on this equipment by using conservatively large accelerations and applicable frequencies. This testing conformed to the IEEE Std. 344-1971.(18) Analyses such as are performed for structures are not used for the reactor protection system equipment. However, the peak accelerations used are checked against those derived by structural analyses of operating and design bases earthquake loadings. Westinghouse topical reports provide the seismic evaluation of safety related equipment.(8)(9)(10)(11) The references provide a summary listing of equipment, applicable test results and seismic considerations. The results show that there were no electrical irregularities that would leave the unit in an unsafe condition even though some trips were initiated. The references also show that the typical protection system racks and cabinets were tested. The equipment that was installed at BVPS-1 is of the same type and materials as that which has been seismically tested and qualified. The seismic design and qualifications of the reactor protection system and ESF system imposed by Westinghouse on its suppliers were regulated using the Westinghouse quality assurance program discussed in Appendix A.4. A summary listing of equipment, applicable seismic considerations and test results for the Stone & Webster supplied ESF systems and emergency power systems is shown in Table 7.2-4. All applicable Stone & Webster equipment specifications included Attachment No. 6 which contained "Seismic Design Requirements" (SDR). The equipment supplier is required to perform a static analysis or a dynamic analysis or a test to demonstrate that the equipment meets the SDR. The SDR contains guidelines for static analysis, or requires approval by the engineers of calculation techniques used for a dynamic analysis, or approval by the engineers of test procedures. The SDR contains guidelines for the preparation of dynamic analysis or vibration test procedures. When the supplier completed the necessary work to satisfy the SDR, the data was submitted to the engineers for approval. Main control room boards within Stone & Webster scope of supply were designed so that the gross structural section as well as local plate sections, including the effects of mounted equipment, exhibit a minimum natural frequency above the "cutoff frequency" (i.e., rigid range of the amplified response curve) for the control room. Seismic Category I equipment is qualified, as a minimum, to acceleration levels applicable to the installed location on the boards in accordance with the procedures outlined in Section B.2.2. These procedures meet or exceed the requirements of Std. 344-1971. As noted in Section B.2.2, the response of racks, panels, cabinets and consoles is considered in assessing the capability of instrumentation and electrical equipment. Mounted equipment is tested, as a minimum, to acceleration levels consistent with those transmitted by their supporting structure. A design objective is to minimize amplification of floor accelerations by making members of mounted equipment more rigid. 7.2-11

BVPS UFSAR UNIT 1 Rev. 19 Resistance temperature detectors used to sense the temperature in the main coolant loops are rigid, ruggedly built devices designed to withstand the high temperature and flow vibration induced acceleration forces which they are subjected to when installed in the coolant loops. Flow induced vibration aging has been shown to have no effect on the seismic performance of the RTD's. The resistance temperature detectors are seismically and environmentally qualified by tests performed by the detector supplier. The nuclear instrumentation system power range neutron detector has been vibration tested in both the transverse (horizontal) direction and the longitudinal (vertical) direction at acceleration levels greater than those expected during a seismic disturbance at BVPS-1. Neutron current measurements were made during the tests and current, resistance and capacitance checks were made after the tests. No significant changes were seen. There was no mechanical damage to the detector. The nuclear instrumentation racks in the control room were seismically qualified by testing for the maximum acceleration expected at BVPS-1. Equipment for BVPS-1 is procured on a similar basis to that which was qualified. Any major design change in the equipment would require an evaluation to determine if the changes were of a nature so as not to affect the results of the seismic tests or would require the equipment to be requalified for seismic immunity. The seismic design discussed above and the references meets the requirements of GDC 2. 7.2.2 Analysis 7.2.2.1 Evaluation of Design Limits The reactor trip system automatically keeps the reactor parameters operating within a safe, stable region by tripping the reactor when the limits of the region are approached by abnormal transients. The region defined by the trip allows a certain margin before protective action is actually required to constrain the energy releases (See Section 14). This design meets the requirements of GDC 14. The nuclear power unit reactor trip system design employed by Westinghouse was evaluated in detail with respect to common mode failure and is presented in References 6 and 7. This design meets the requirements of GDC 21. Preoperational testing was performed on reactor trip system components and systems to determine equipment readiness for startup. This testing serves as a very real evaluation of the system design. Analyses of the results of Condition I, II, III and IV Events, including considerations of instrumentation installed to mitigate their consequences, are presented in Section 14. The instrumentation installed to mitigate the consequences of load rejection and turbine trip is given in Section 7.4. 7.2-12

BVPS UFSAR UNIT 1 Rev. 23 7.2.2.1.1 Trip Settings To ensure that the trip settings assumed for the safety analyses are maintained during reactor operation, Technical Specifications defining the required protective instrumentation settings for reactor trips, and reactor trip interlocks have been formulated. These required settings correspond to the trip points assumed in the analysis less appropriate allowance for errors. The source and intermediate range nuclear power trips, the turbine trip and the reactor coolant pump breaker and bus trips are included in the Technical Specifications, but no credit is taken for these trips in the safety analyses. 7.2.2.1.2 DNBR Protection Evaluation Figure 7.2-3 illustrates the typical core limits in terms of DNBR equal to the safety analysis DNBR limit for the hot channel and shows the overpower and overtemperature T reactor trips locus as a function of Tavg and pressure. The solid lines indicate a typical locus of DNBR equal to the safety analysis DNBR limit at various pressures and the dashed lines indicate maximum permissible trip points for the overtemperature T reactor trip. Actual setpoints, as given in the Technical Specifications, are lower to allow for measurement and instrumentation errors. The reactor trip system initiates reactor trip for a set of conditions for which the calculated DNBR in the hot channel approaches the safety analysis DNBR limit. The design meets the requirements of GDC 14. 7.2.2.1.3 Reactor Coolant Flow Measurement The elbow taps used on each loop in the primary coolant system are instrument devices that indicate the status of the reactor coolant flow. The basic function of this device is to provide information as to whether or not a reduction in flow rate has occurred. The correlation between flow rate and elbow tap signal is given by the following equation: 2 P/ Po = (w/wo) (7.2-3) where Po is the pressure differential at the referenced flow rate, wo, and P is the pressure differential at the corresponding flow rate, w. The full flow reference point was established during initial unit startup. Subsequent flow channel rescaling for normal 100% flow may be required for flow changes due to tube plugging, pump changes, etc. The low flow trip point is then established by extrapolating along the correlation curve. The expected absolute accuracy of the channel is within +/-10 percent and field results have shown the repeatability of the trip point to be within +/-1 percent. 7.2.2.2 Evaluation of Compliance to Applicable Codes and Standards 7.2.2.2.1 Evaluation of Compliance With IEEE Std. 279-1971 (13) The reactor trip system meets the requirements of IEEE Std. 279-1971 , as indicated below. 7.2-13

BVPS UFSAR UNIT 1 Rev. 19 Single Failure Criterion The protection system is designed to provide redundant (one-out-of-two, two-out-of-three or two-out-of-four) instrumentation channels for each protective function and one-out-of-two logic train circuits. These redundant channels and trains are electrically isolated and physically separated. Thus, any single failure within a channel or train will not prevent protective action at the system level when required. Single failure within the protection system shall not prevent proper protective action at the system level when required. Components and systems not qualified for seismic events or accident environments and nonsafety-grade components and systems are assumed to fail to function if failure adversely affects protection system performance. These components and systems are assumed to function if functioning adversely affects protection system performance. All failures in the protection system that can be predicted as a result of an event for which the protection system is designed to provide a protective function are assumed to occur if the failure adversely affects the protection system performance. After assuming the failures of nonsafety-grade, non-qualified equipment and those failures caused by a specific event, a random single failure is assumed. With these failures assumed, the protection system must be capable of performing the protective functions credited in the accident analyses. This design meets the requirements of the GDC 20 and IEEE 279-1971. Loss of input power, the most likely mode of failure, to a channel or logic train will result in a signal calling for a trip. This design also meets the requirements of the GDC 26. To prevent the occurrence of common mode failures, such additional measures as functional diversity, physical separation and testing as well as administrative control during design, production, installation and operation are employed, as discussed in Reference 6. This design also meets the requirements of GDC 19. Quality of Components and Modules For a discussion on the quality of the components and modules used in the reactor trip system, refer to Appendix A.4. The quality used also meets the requirements of GDC 1. Equipment Qualification Temperature in the control room and electronic equipment room is maintained for personnel comfort at 70+/-10°F. Design specifications for this equipment require that no loss of protective function should result when operating in temperatures up to 120°F and humidity up to 95 percent which may occur upon the loss of air conditioning and/or the ventilation system. Thus, there is a wide margin between the design limit and the normal operating environment for the protective equipment. Loss of the control room air-conditioning units will not adversely affect the operability of safety-related control and electrical equipment. Redundant river water cooling coils are provided as a back-up, in the event of failure of the air-conditioning units. Use of the river water cooling coils limits the worst case temperature environment to 120°F (equipment design limit) and is a condition that would require reactor shutdown. Electrical control system malfunction does not occur at temperature levels below 120°F, but it is considered that operator inefficiency for prolonged periods at elevated temperatures precludes continuous plant operation. Loss of ventilation in other equipment rooms containing safety-related control and electrical equipment will not adversely affect their operability because redundant ventilation systems or redundant safety-related control and electrical equipment are provided. Ventilation systems are designed 7.2-14

BVPS UFSAR UNIT 1 Rev. 19 to limit temperature to 104°F in spaces housing 40°C motors and 120°F in spaces housing 50°C motors. In the unlikely event that all ventilation is lost, both normal and redundant, space temperature will rise, creating a limiting condition necessitating plant shutdown. The average ambient limiting air temperature in areas containing electrical or instrumentation control equipment that would cause the plant to be shut down is covered in the Technical Specifications. The normal operating temperature for the protective equipment in the containment will be maintained below 120°F (except that for out of core neutron detectors the normal operating temperature will be maintained below 135°F). The protective equipment is designed for continuous operation within design tolerance in this environment. Qualification testing has been performed on the various protective system equipment. This testing included demonstrating operation of safety functions at elevated ambient temperatures up to 120°F and relative humidity up to 95 percent for control room and electronic equipment room equipment and in the full post-accident environment for a specified time for equipment required in the containment. Detailed results of these tests are retained by the suppliers. Qualification testing of safety equipment required to operate in the post accident environment is discussed in References 12 and 20. For Stone & Webster supplied equipment, the control equipment supplier has performed factory tests, which verify that the equipment will operate at temperatures up to 120°F without malfunction. The neutron detectors are designed for continuous operation at 135°F (the normal operating environment is below this value) and are capable of operation at 175°F for 8 hr. The power range detectors have been tested in temperatures in excess of 175°F for a period of 16 hr with negligible decrease in insulation resistance. The insulation resistance is the governing factor for severe environments. Temperature detectors are located in the neutron shield tank with indication and alarm in the control room. The results of testing discussed in the above paragraphs demonstrates that the design meets the requirements of GDC 23. Independence Channel independence is carried throughout the system, extending from the sensor through the devices actuating the protective function. Physical separation is used to achieve separation of redundant transmitters. Separation of wiring is achieved using separate wireways, cable trays, conduit runs and containment penetrations for each redundant channel. Redundant analog equipment is separated by locating modules in different protection rack sets. Each redundant channel is energized from a separate a-c power feed. This design meets the requirements of GDC 20. With regard to wiring in the analog process racks, Westinghouse has substantiated, through testing programs, that the process control system, nuclear instrumentation system and solid state Protection system designs as implemented in BVPS-1 are immune to degradation from:

1. Fault conditions at voltage levels existing in the racks

2. Induced noise generated by internal electrical faults and that radiated into the system and/or associated electrical cabling. The testing programs are described and documented by Westinghouse in their report for the Diablo Canyon Project.(21) 7.2-15

BVPS UFSAR UNIT 1 Rev. 23 In addition, the BVPS-1 equipment is further qualified by Revisions 1 and 2 to the December, 1974 Noise Test Report, dated February 1975 and October 1975, respectively. These revisions were also placed in the Diablo Canyon docket. Independence of the logic trains is discussed in Reference 3. Two reactor trip breakers are actuated by two separate logic matrices which interrupt power to the control rod drive mechanisms. The breaker main contacts are connected in series with the power supply so that opening either breaker interrupts power to all full length control rod drive mechanisms, permitting the rods to free fall into the core. The design philosophy is to make maximum use of a wide variety of measurements. The protection system continuously monitors numerous diverse system variables. The extent of this diversity has been evaluated for a wide variety of postulated accidents and is discussed in Reference 7. Generally, two or more diverse protection functions would terminate an accident before intolerable consequences could occur. This design meets the requirements of GDC 21 and 23. Control and Protection System Interaction The protection system is designed to be independent of the control system. In certain applications, the control signals and other nonprotective functions are derived from individual protective channels through isolation amplifiers or isolation devices. The isolation amplifiers are classified as part of the protection system and are located in the analog protective racks. The isolation devices are located in the analog and digital process cabinets. Non-protective functions include those signals used for control, remote process indication and computer monitoring. The isolation amplifiers are designed such that a short circuit, open circuit or the application of 120 v a-c or 140 v d-c on the isolated output portion of the circuit (i.e., the non-protective side of the circuit) will not affect the input (protective) side of the circuit. The isolation devices are designed to withstand fault conditions as specified in Reference Nos. 4, 5 and 23. The signals obtained through the isolation amplifiers are never returned to the protective racks. This design meets the requirements of GDC 22. A detailed discussion of the design and testing of the isolation amplifiers and isolation devices are given in References 4, 5, 22 and 23. These reports include the results of applying various malfunction conditions on the output portion of the isolation equipment. The results show that no significant disturbance to the isolation equipment input signal occurred. The design meets the requirements of GDC 31. Capability for Testing Periodic testing of the reactor trip system actuation functions, as described, complies with AEC Safety Guide 22, "Periodic Testing of Protection System Actuation Functions", February, 1971. Under the present design, there are protection functions which are only partially tested at power. These are as follows:

1. Generation of a reactor trip by tripping the turbine

2. Generation of a reactor trip by use of the manual trip switch 7.2-16

BVPS UFSAR UNIT 1 Rev. 19

3. Generation of a reactor trip by manually actuating the safety injection system

4. Generation of safety injection signal by use of the manual safety injection switch

5. Generation of containment spray signal by use of the manual spray actuation switch.

Testing of the final actuators for the automatic transfer from safety injection phase to recirculation phase will be conducted during plant shutdown. Where only parts of the system are tested at any one time, the testing sequence provides the necessary overlap between the parts to assure complete system operation. The protection system is designed to permit periodic testing of the analog channel portion of the reactor trip system during reactor power operation without initiating a protective action unless a trip condition actually exists. This is because of the coincidence logic required for reactor trip. Note, however, that the source and intermediate range high neutron flux trips must be bypassed during testing. The operability of the process sensors is ascertained by comparison with redundant channels monitoring the same process variables or those with a fixed known relationship to the parameter being checked. The in-containment sensors can be calibrated during unit shutdown and others can be calibrated as required. Nuclear instrument power range indicators are verified daily. Source and intermediate range channel sensors are not calibrated. Analog channel testing is performed at the analog instrumentation rack set by individually introducing dummy input signals into the instrumentation channels and observing the tripping of the appropriate output bistables. Process analog output to the logic circuitry is interrupted during individual channel test by a test switch which, when thrown, de-energizes the associated logic input and inserts a proving lamp in the bistable output. Interruption of the bistable output to the logic circuitry for any cause (test, maintenance purposes or removed from service) will cause that portion of the logic to be actuated (partial trip) accompanied by a partial trip alarm and channel status light actuation in the control room. Each channel contains those switches, test points, etc. necessary to test the channel. See Reference 1 for additional information. The power range channels of the nuclear instrumentation system are tested either by superimposing a test signal on the actual detector signal being received by the channel at the time of testing or by injecting a test signal in place of the actual detector signal. The output of the bistable is not placed in a tripped condition prior to testing when testing is performed by superimposing a test signal. Also, since the power range channel logic is two-out-of-four, bypass of this reactor trip function is not required. To test a power range channel, a "TEST-OPERATE" switch is provided to require deliberate operator action. Operation of the switch will initiate the "CHANNEL TEST" annunciator in the control room. Bistable operation is tested by increasing the test signal level up to its trip setpoint and verifying bistable relay operation by control board annunciator and trip status lights. 7.2-17

BVPS UFSAR UNIT 1 Rev. 19 It should be noted that a valid trip signal would cause the channel under test to trip at a lower actual reactor power level. A reactor trip would occur when a second bistable trips. No provision has been made in the channel test circuit for reducing the channel signal level below that signal being received from the nuclear instrumentation system detector. A nuclear instrumentation system channel which can cause a reactor trip through one of two protection logic (source or intermediate range) is provided with a bypass function which prevents the initiation of a reactor trip from that particular channel during the short period that it is undergoing test. These bypasses initiate an alarm in the control room. For a detailed description of the nuclear instrumentation system, see Reference 2. The reactor logic trains of the reactor trip system are designed to be capable of complete testing at power, except for those trips listed below. Annunciation is provided in the control room to indicate when a train is in test, when a reactor trip is bypassed and when a reactor trip breaker is bypassed. Details of the logic system testing are given in Reference 3. The reactor coolant pump breakers cannot be tripped at power without causing a unit transient. However, the reactor coolant pump breaker open trip logic can be tested at power. Manual trip cannot be tested at power without causing a reactor trip since operation of either manual trip switch actuates both Train A and Train B. Note, however, that manual trip could also be initiated from outside the control room by such means as manually tripping the turbine which would then initiate reactor trip, or manually tripping one of the reactor trip breakers. Actuation of safety injection by operation of the manual switch cannot be tested at power. The turbine trip breakers cannot be opened at power without upsetting normal plant operation. However, the logic portions of these trips is testable. Testing of the logic trains of the reactor trip system includes a check of the input relays and a logic matrix check. The following sequence is used to test the system: Check of Input Relays During testing of the process instrumentation system and nuclear instrumentation system bistables, each channel bistable is placed in a trip mode causing one input relay in Train A and one in Train B to de-energize. A contact of each relay is connected to a universal logic printed circuit card. This card performs both the reactor trip and monitoring functions. The contact that creates the reactor trip also causes a status lamp and an annunciator on the control board to operate. Either the Train A or Train B input relay operation will light the status lamp and annunciator. Each train contains a multiplexing test switch. At the start of a process or nuclear instrumentation system test, this switch (in either train) is placed in the A + B position. The A + B position alternately allows information to be transmitted from the two trains to the control board. A steady status lamp and annunciator indicates that input relays in both trains have been de-energized. A flashing lamp means that the input relays in the two trains did not both de-energize. Contact inputs to the logic protection system such as reactor coolant pump bus underfrequency relays operate input relays which are tested by operating the remote contacts as described above and using the same type of indications as those provided for bistable input relays. 7.2-18

BVPS UFSAR UNIT 1 Rev. 19 Actuation of the input relays provides the overlap between the testing of the logic protection system and the testing of those systems supplying the inputs to the logic protection system. Test indications are status lamps and annunciators on the control board. Inputs to the logic protection system are checked one channel at a time, leaving the other channels in service. For example, a function that trips the reactor on a two-out-of-four channel trip becomes a one-out-of-three trip when one channel is placed in the trip mode. Both trains of the logic protection system remain in service during this portion of the test. Check of Logic Matrices Logic matrices are checked one train at a time. Input relays are not operated during this portion of the test. Reactor trips from the train being tested are inhibited with the use of the input error inhibit switch on the semiautomatic test panel in the train. Details of semiautomatic tester operation are given in Reference 3. At the completion of the logic matrix tests, closure of the input error inhibit switch contacts is verified by either a continuity check or by channel inputs that are tripped. The logic test scheme uses pulse techniques to check the coincidence logic. All possible trip and non-trip combinations are checked. Pulses from the tester are applied to the inputs of the universal logic card at the same terminals that connect to the input relay contacts. Thus, there is an overlap between the input relay check and the logic matrix check. Pulses are fed back from the reactor trip breaker undervoltage coil to the tester. The pulses are of such short duration that the reactor trip breaker undervoltage coil armature cannot respond mechanically. Test indications that are provided are an annunciator in the control room indicating that reactor trips from the train have been blocked and that the train is being tested, and green and red lamps on the semiautomatic tester to indicate a good or bad logic matrix test. Protection capability provided during this portion of the test is from the train not being tested. The general design features and details of the testability of the logic system are described in Reference 3. The testing capability meets the requirements of GDC 19 and 25. Testing of Reactor Trip Breakers Normally, reactor trip breakers 52/RTA and 52/RTB are in service, and bypass breakers 52/BYA and 52/BYB are open (out of service). In testing the protection logic, pulse techniques are used to avoid tripping the reactor trip breakers. Modifications to the reactor trip switchgear (52/RTA, 52/RTB) were implemented to improve reactor trip system reliability based on NRC Generic Letter 83-28 dated July 8, 1983. A shunt trip relay was installed which de-energizes on a reactor trip signal and energizes the shunt trip attachment (STA). In addition to the relay, test pushbuttons and test jacks were added so that independent operation of the undervoltage trip attachment (UVTA) and STA can be verified. The shunt trip relay, test pushbuttons and test jacks are located on a panel installed in the reactor trip switchgear control wiring compartment. The bypass breakers were not modified. 7.2-19

BVPS UFSAR UNIT 1 Rev. 19 The following procedure describes the method used for testing the trip breakers:

1. With bypass breaker 52/BYA racked out, manually close and trip it to verify operation of the STA.

2. Rack in and close 52/BYA.

3. Block the automatic trip signal to the STA of 52/RTA by depressing the "block auto shunt trip" pushbutton. Manually trip 52/RTA through a protection system logic matrix.

4. Reclose 52/RTA

5. Manually trip 52/RTA by depressing the "test auto shunt trip" pushbutton.

6. Reclose 52/RTA

7. Trip 52/BYA

8. Repeat above steps to test trip breaker 52/RTB using bypass breaker 52/BYB.

During the test, the control room indication for the breakers are checked. Auxiliary contacts of the bypass breakers are connected into the alarm system of their respective trains such that if either train is placed in test while the bypass breaker of the other train is closed, both reactor trip breakers and both bypass breakers will automatically trip. Auxiliary contacts of the bypass breakers are also connected in such a way that if an attempt is made to close the bypass breaker in one train while the bypass breaker of the other train is already closed, both bypass breakers will automatically trip. The Train A and Train B alarm systems operate separate annunciators in the control room. The two bypass breakers also operate an annunciator in the control room. Bypassing of a protection train with either the bypass breaker or with the test switches will result in audible and visible indications. Refer to Section 7.7.1.2 for a discussion of the motor generator sets and power distribution to the control rod drives. The complete reactor trip system is normally required to be in service. However, to permit online testing of the various protection channels or to permit continued operation in the event of a subsystem instrumentation channel failure, a Technical Specification defining the minimum number of operable channels has been formulated. This Technical Specification also defines the required restriction to operation in the event that the channel operability requirements cannot be met. 7.2-20

BVPS UFSAR UNIT 1 Rev. 19 The reactor trip system is designed in such a way that the overall system time response can be tested by a series of response time tests of discrete portions of the system, with the results summed and verified to be within limits of the overall system requirement. The overall system response time tests are conducted in accordance with the time intervals specified in the Technical Specifications. The safety analyses utilize conservative numbers for trip channel response time. The measured channel response times are compared with those in the safety evaluations. On the basis of startup tests conducted on several units, the actual response times measured are less than the times used in the safety analyses. Bypasses Where operating requirements necessitate automatic or manual bypass of a protective function, the design is such that the bypass is removed automatically whenever permissive conditions are not met. Devices used to achieve automatic removal of the bypass of a protective function are considered part of the protective system and are designed in accordance with the criteria of this section. Indication is provided in the control room if some part of the system has been administratively bypassed or taken out of service. Multiple Setpoints For monitoring neutron flux, multiple setpoints are used. When a more restrictive trip setting becomes necessary to provide adequate protection for a particular mode of operation or set of operating conditions, the protective system circuits are designed to provide positive means or administrative control to ensure that the more restrictive trip setpoint is used. The devices used to prevent improper use of less restrictive trip settings are considered part of the protective system and are designed in accordance with the criteria of this section. Completion of Protective Action The protection system is so designed that, once initiated, a protective action goes to completion. Return to normal operation requires action by the operator. Manual Initiation Switches are provided on the control board for manual initiation of protective action. Failure in the automatic system does not prevent the manual actuation of the protective functions. Manual actuation relies on the operation of a minimum of equipment. Access The design provides for administrative control of access to all setpoint adjustments, module calibration adjustments, test points and the means for manually bypassing channels or protective functions. For details, refer to Reference 1. Information Read Out The protective system provides the operator with complete information pertinent to system status and safety. All transmitted signals (flow, pressure, temperature, etc.) which can cause a reactor trip can be either indicated or recorded for every channel, including all neutron flux power range currents (top detector, bottom detector, algebraic difference and average of bottom and top detector currents). 7.2-21

BVPS UFSAR UNIT 1 Rev. 21 Any reactor trip will actuate an alarm and an annunciator. Such protective actions are indicated and identified down to the channel level. Alarms and annunciators are also used to alert the operator of deviations from normal operating conditions so that he may take appropriate corrective action to avoid a reactor trip. Actuation of any rod stop or trip of any reactor trip channel will actuate an alarm. Identification The identification described in Section 7.1 provides immediate and unambiguous identification of the protection equipment. 7.2.2.2.2 Evaluation of Compliance With IEEE Std. 308-1971 See Section 8.5.4 for discussion on the power supply for the Protection system and compliance with IEEE Std. 308-1971.(15) 7.2.2.2.3 Evaluation of Compliance With IEEE Std. 323-1971(16) Safety-related equipment is type tested to substantiate the adequacy of design. This is the preferred method as indicated in Reference 16. Type tests may not conform to the format guidelines set forth in Reference 16. 7.2.2.2.4 Evaluation of Compliance With IEEE Std. 334-1971 The only continuous duty, Class I motors in containment are the inside recirculation spray pump motors. These will be specified to be tested in the manner set forth in IEEE Std. 334-1971.(17) 7.2.2.2.5 Evaluation of Compliance With IEEE Std. 338-1971(14) The periodic testing of the reactor trip system conforms to the requirements of Reference 14 with the following comments:

1. Protection system overall response time testing is conducted in accordance with the time intervals specified in the Technical Specifications, and consists of a series of response time tests of discrete portions of the system with the results summed and verified to be within the limits of the overall system requirement.

The overall response time testing is usually conducted during refueling outages and is rechecked if a component, significantly affecting the time response, is replaced during maintenance.

2. The reliability goals specified in Paragraph 4.2 of Reference 14 are being developed and adequacy of test frequencies will be demonstrated at a later date.

3. The periodic test frequency discussed in Paragraph 4.3 of Reference 14 and specified in the Technical Specifications is conservatively selected to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal or requires more frequent adjustments due to unit condition changes, the test frequency is accelerated to accommodate the situation until the marginal performance is resolved.

7.2-22

BVPS UFSAR UNIT 1 Rev. 23

4. The test interval discussed in Paragraph 5.2, Reference 14, is developed primarily on past experience and modified if necessary to ensure that system and subsystem protection is reliably provided.

Analytic methods for determining reliability are not used to determine test interval. 7.2.2.2.6 Evaluation of Compliance With IEEE Std. 344-1971 The seismic testing, as discussed in Section 7.2.1.10, References 8, 9, 10 and 11, conforms to the guidelines set forth in IEEE Std. 344-1971(18) with the exceptions noted in Section 7.2.1.10. 7.2.2.2.7 Evaluation of Compliance With AEC General Design Criteria(19) The reactor trip system meets the requirements of the GDC wherever appropriate. Specific cases are noted as they are discussed in Section 7. 7.2.2.3 Specific Control and Protection Interactions 7.2.2.3.1 Neutron Flux The flux difference between the upper and lower long ion chambers from three of the four power range neutron detectors are used as inputs to the overtemperature T setpoints. The isolated output from the fourth channel is used for automatic rod control. In addition, a deviation signal will give an alarm if any neutron flux channel deviates significantly from any of the other channels. Also, the control system will respond only to rapid changes in indicated neutron flux; slow changes or drifts are compensated by the temperature control signals. Finally, an overpower signal from any nuclear channel will block manual rod withdrawal. The setpoint for this rod stop is below the reactor trip setpoint. A negative reactivity insertion in excess of Technical Specifications implies a dropped rod. The automatic rod withdrawal function has been eliminated. 7.2.2.3.2 Coolant Temperature The input signals to the Reactor Control System are obtained from electronically isolated protection Tavg and Delta-T signals, (one per loop). A Median Signal Selector (MSS) is implemented in the Reactor Control System, one for Tavg and one for Delta-T. The MSS receives three signals as input and selects the medium signal for input to the appropriate control systems. Any single failure (high or low) in a calculated temperature will not result in adverse control system behavior since the failed high or low temperature signal will be rejected by the MSS. Hence, the implementation of an MSS in the Reactor Control System in conjunction with the two out of three protection logic satisfies the requirements of IEEE 279-1971, Section 4.7, "Control and Protection System Interaction." The response time allocated for measuring RCS hot and cold leg temperature using thermowell mounted fast response RTDs is as specified in the BVPS-1 License Requirements Manual. 7.2-23

BVPS UFSAR UNIT 1 Rev. 23 In addition, channel deviation signals in the control system will give an alarm if any temperature channel deviates significantly from the median value. The manual rod withdrawal blocks will also occur if any two of the temperature channels indicate an overtemperature or overpower condition. 7.2.2.3.3 Pressurizer Pressure The pressurizer pressure protection channel signals are used for high and low pressure protection and as inputs to the overtemperature T trip protection function. This unit uses separate channels for protection and control. A spurious high pressure signal from one channel can cause decreasing pressure by actuation of either spray or relief valves. Additional redundancy is provided in the low pressurizer pressure reactor trip logic and in the logic for safety injection to ensure low pressure protection. The pressurizer heaters are incapable of overpressurizing the reactor coolant system. Overpressure protection is based upon the positive surge of the reactor coolant produced as a result of turbine trip under full load, assuming the core continues to produce full power. The self-actuated safety valves are sized on the basis of steam flow from the pressurizer to accommodate this surge at a setpoint of 2,500 psia and an accumulation of 3 percent. Note that no credit is taken for the relief capability provided by the power-operated relief valves during this surge. In addition, operation of any one of the power-operated relief valves can maintain pressure below the high pressure trip point for most transients. The rate of pressure rise achievable with heaters is slow and ample time and pressure alarms are available to alert the operator of the need for appropriate action. 7.2.2.3.4 Pressurizer Water Level Three pressurizer water level channels are used for reactor trip. Isolated signals from these channels are used for pressurizer water level control. A failure in the level control system could fill or empty the pressurizer at a slow rate (on the order of half an hour or more). Experience has shown that hydrogen gas can accumulate in the upper part of the condensate pot on conventional open reference leg systems in pressurizer water level service. At reactor coolant system operating pressures, high concentrations of dissolved hydrogen could blow water out of the reference leg and cause a large level error, measuring higher than actual level. Accurate calculations of this effect have been difficult to obtain. To eliminate the possibility of such effects, a bellows is used in a pot at the top of the reference leg to provide an interface seal and prevent dissolving of hydrogen gas into the reference leg water. Supplier tests were run which confirmed a time response of less than 1.0 sec. 7.2-24

BVPS UFSAR UNIT 1 Rev. 23 The reference leg is uninsulated and will remain at local ambient temperature. This temperature will vary somewhat over the length of the reference leg piping under normal operating condition but will not exceed 140°F. During a blowdown accident, any reference leg water flashing to steam will be confined to the condensate steam interface in the condensate pot at the top of the temperature barrier leg and will have only a small (about 1 inch) effect on measured level. Some additional error may be expected due to effervescence of hydrogen in the temperature barrier water. However, even if complete loss of this water is assumed, the error will be less than 1 ft and can be tolerated. Calibration of the sealed reference leg system is done in place after installation by application of known pressure to the low pressure side of the transmitter and measurement of the height of the reference column. The effects of static pressure variations are predictable. The largest effect is due to the density change in the saturated fluid in the pressurizer itself. The effect is typical of level measurements in all tanks with two phase fluid and is not peculiar to the sealed reference leg technique. In the sealed reference leg, there is a slight compression of the fill water with increasing pressure, but this is taken up by the flexible bellows. A leak of the fill water in the sealed reference leg can be detected by comparison of redundant channel readings on line and by physical inspection of the reference leg off line. Leaks of the reference leg to atmosphere will be immediately detectable by off scale indications and alarms on the control board. A closed pressurizer level instrument shutoff valve would be detected by comparing the level indications from the redundant level channels (three channels). In addition, there are alarms on one of the three channels to indicate an error between the measured pressurizer water level and the programmed pressurizer water level. There is no single instrument valve which could affect more than one of the three level channels. The high level trip setpoint provides sufficient margin such that the undesirable condition of discharging liquid coolant through the safety valves is avoided. Even at full power conditions, which would produce the worst thermal expansion rates, a failure of the level control would not lead to any liquid discharge through the safety valves. This is due to the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve setpoint. For control failures which tend to empty the pressurizer, two-out-of-three logic for safety injection action at low pressurizer pressure ensures that the protection system can withstand an independent failure in another channel. In addition, ample time and alarms exist to alert the operator of the need for appropriate action. 7.2.2.3.5 Steam Generator Water Level and Feedwater Flow The basic function of the reactor protection circuits associated with low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long term residual heat. Should a complete loss of feedwater occur, the reactor would be tripped on low-low steam generator water level. In addition, redundant auxiliary feedwater pumps are provided to supply feedwater in order to maintain residual heat removal after trip preventing eventual thermal expansion and discharge of the reactor coolant through the pressurizer relief valves into the relief tank when the main feedwater pumps are incapacitated. The reactor trip acts before the steam generators are dry to reduce the required capacity and starting time requirements of these auxiliary feedwater pumps and to minimize the thermal transient on the reactor coolant system and steam generators. Therefore, the following reactor trip circuit is 7.2-25

BVPS UFSAR UNIT 1 Rev. 20 provided for each steam generator to ensure that sufficient initial thermal capacity is available in the steam generator at the start of the transient: A low-low steam generator water level A spurious high signal from the feedwater flow channel being used for control would cause a reduction in feedwater flow. The mismatch between steam demand and feedwater flow produced by this spurious signal will actuate alarms to alert the operator of this situation in time for manual correction or, if the condition is allowed to continue, the reactor will eventually trip on a low-low water level signal independent of indicated feedwater flow. A spurious low signal from the feedwater flow channel being used for control would cause an increase in feedwater flow. The mismatch between steam flow and feedwater flow produced by the spurious signal would actuate alarms to alert the operator of the situation in time for manual correction. If the condition is allowed to continue, a two-out-of-three high-high steam generator water level signal from any steam generator independent of the indicated feedwater flow, will cause feedwater isolation, and trip the turbine. The turbine trip will result in a subsequent reactor trip. In addition, the three element feedwater controller incorporates reset action on the level error signal, such that with expected controller settings a rapid increase or decrease in the flow signal would cause only a small change in level before the controller would compensate for the level error. A slow change in the feedwater signal would have no effect at all. A spurious low or high steam flow signal would have the same effect as high or low feedwater signal, discussed above. Furthermore, a spurious high or low steam generator water level signal from the protection channel will be rejected by the median signal selector eliminating spurious feedwater control actions. The implementation of the median signal selector in the steam generator water level control system satisfies the requirements of IEEE Std. 279-1971, Section 4.7 "Control and Protection Interaction." 7.2.2.3.6 Anticipated Transient Without Scram (ATWS) Mitigating System Actuation Circuitry (AMSAC) The basic function of AMSAC is to provide adequate assurance that the Reactor Coolant System will not be subject to potential damage as a result of overpressure in the event of an ATWS with coincident loss of feedwater. The AMSAC System design is not safety-related, and does not meet IEEE Standard 279. However, the implementation incorporates good engineering practice such that the existing protection system continues to meet all applicable safety-related criteria. Generic Letter 85-06, "Quality Guidance for ATWS Equipment That Is Not Safety-Related", outlines the quality assurance criteria that must be applied to the AMSAC equipment. 7.2-26

BVPS UFSAR UNIT 1 Rev. 23 AMSAC monitors feedwater flow in each of the three loops. Failure of any feedwater loop instrument loop (signal out-of-range high or low) will block AMSAC actuation. Any two-out-of-three loops indicating a loss of flow initiates the AMSAC System, provided that the plant is at 40% turbine load or greater as sensed by two-out-of-two turbine first stage pressure channels. It is the C-20 permissive that allows AMSAC actuation, provided the plant is at 40 percent turbine load or greater as sensed by two-out-of-two turbine first stage pressure channels. The C-20 permissive also blocks AMSAC actuation below 40 percent turbine power as sensed by one-out-of-two turbine first stage pressure channels. Short-term protection against high Reactor Coolant System pressure is not required until 70% of nominal load is reached. However, in order to minimize the amount of Reactor Coolant system voiding during an ATWS, AMSAC will be in operation at and above 40% of nominal power. This will minimize spurious AMSAC actuation during startup. To ensure AMSAC remains armed long enough to perform its function in the event of a turbine trip, the C-20 permissive signal (first stage turbine pressure interlock) is maintained for approximately 180 seconds (timer B5). The AMSAC initiation is time delayed, variable and dependent upon percent power. At full power, the time delay from timer B3 in the feedwater flow logic circuitry is 25 seconds and at 40% is 150 seconds. This time delay permits the Reactor Protection System to respond first. To avoid inadvertent AMSAC actuation on the loss of one main feedwater pump, the time delay permits the unfaulted main feedwater pump to automatically increase the flow rate to above the AMSAC arming setpoint. Recovery in this circumstance is possible since each main feedwater pump is capable of delivering typically 60% of full capacity. The setpoint to actuate AMSAC is 25% of nominal main feedwater flow. Three flow transmitters in Protection Channel IV (FT-1FW-476, 486 and 496) provide sensor input to the AMSAC Logic Cabinet. The AMSAC input flow signals are derived by tying into the existing feedwater flow protection loop in the Primary Process Racks. The signal isolators in the Process Racks separate the Class 1E AMSAC input circuits from the non-Class 1E AMSAC input circuits. The turbine load input signals also make use of the signal isolators in the Primary Process Racks. Output signals from the AMSAC Logic Cabinet will automatically start the two motor-driven Auxiliary Feedwater Pumps (1FW-P-3A and 3B) and the steam turbine-driven Auxiliary Feedwater Pump (1FW-P-2). Output electro-mechanical isolation relays located in the AMSAC cabinet, ensure electrical isolation of the non-Class 1E AMSAC output circuits from the Class 1E actuation circuitry for the Auxiliary Feedwater Pumps. The Auxiliary feed pump discharge pressure signal also automatically closes the Steam Generator blowdown isolation and sample isolation valves in all loops. At the same time, the AMSAC output signals will automatically initiate a turbine trip. The Class 1E turbine trip circuitry isolation is maintained with the same type isolator relay as that used for the Auxiliary Feedwater Pump circuitry. The AMSAC System is designed such that all AMSAC actuation outputs will be automatically blocked if any of the three feedwater flow input signals go out-of-range high or low. A loss of power to any of the three feedwater flow instrument loops will produce an out-of-range low signal and prevent a spurious AMSAC actuation. The AMSAC System is designed to remain armed during transient conditions experienced during feedwater isolation. The AMSAC power supplies are not required to be safety-related but are capable of performing safety functions on a loss of offsite power. AMSAC Logic Cabinet power is supplied from (UPS-ERFS-1) through (PNL-AC-22) and is independent from the Reactor Trip System power supplies. 7.2-27

BVPS UFSAR UNIT 1 Rev. 24 The AMSAC Logic Cabinet is seismically qualified since it is located in the Process Equipment Room at Elevation 713'-6". In addition, all output electro-mechanical isolation relays are seismically qualified to ensure electrical isolation of the Class 1E circuitry from the non-Class 1E circuitry. The AMSAC System may be bypassed to allow for test and surveillance while at power, maintenance, repair or calibration to prevent inadvertent turbine trip and Auxiliary Feedwater Pump starts. The Bypass Switch (BS/MS 440) is located in the AMSAC Logic Cabinet at the test panel. 7.2.3 Tests and Inspections The reactor trip system meets the testing requirements of Reference 14 with the exceptions given in Section 7.2.2.2.5. The testability of the system is discussed in Section 7.2.2.2.1. The test intervals are specified in the Technical Specifications. 7.2.3.1 Inservice Tests and Inspections Periodic surveillance of the reactor trip system is performed to ensure proper protective action. This surveillance consists of channel checks, channel calibrations and channel operational testing as defined and required by the Technical Specifications. 7.2-28

BVPS UFSAR UNIT 1 Rev. 20 7.2.3.2 Periodic Testing of the Nuclear Instrumentation System The following periodic tests of the nuclear instrumentation system are performed:

1. Testing at unit shutdowns

a. Source range testing

b. Intermediate range testing

c. Power range testing.

2. Testing between P-6 and P-10 permissive power levels:

a. Source range testing

b. Intermediate range testing

c. Power range testing.

3. Testing above P-10 permissive power level:

a. Intermediate range testing

b. Power range testing.

Operability of the neutron flux rate trip channels associated with dropped rods and ejected rod protection is verified periodically by introduction of a step change using the channel drawer test circuits. The test method includes verification of the time delay set into the rate unit during preoperational tests. The value of the time constant is set during initial start-up test by introduction of a step change using the Nuclear Instrument channel drawer test circuits. This test will be repeated periodically as required to verify the network time constant. Any deviations noted during the performance of these tests are investigated and corrected in accordance with the established calibration and troubleshooting procedures provided in the unit technical manual for the nuclear instrumentation system. Control and protection trip settings are indicated in the Technical Specifications. 7.2.3.3 Periodic Testing of the Process Analog Channels of the Protection Circuits The following periodic tests of the analog channels of the protection circuits are performed:

1. Tavg and T protection channel testing

2. Pressurizer pressure protection channel testing

3. Pressurizer level protection channel testing

4. Steam generator level protection channel testing 7.2-29

BVPS UFSAR UNIT 1 Rev. 21

5. Reactor coolant flow protection channel testing

6. Turbine first stage pressure channel testing.

The following conditions are required for these tests:

1. These tests may be performed at any unit power from cold shutdown to full power.

2. Before starting any of these tests with the unit at power, all redundant reactor trip channels associated with the function to be tested must be in the normal (untripped) mode in order to avoid spurious trips.

3. Testing is conducted in accordance with the Technical Specifications.

In addition to the above, the trips identified in Section 7.2.2.2.1 as not being testable at power will be tested periodically at shutdown. 7.2-30

BVPS UFSAR UNIT 1 Rev. 19 References for Section 7.2

1. J. A. Nay, "Process Instrumentation for Westinghouse Nuclear Steam Supply Systems",

WCAP-7671, Westinghouse Electric Corporation (April 1971).

2. J. B. Lipchak and R. A. Stokes, "Nuclear Instrumentation System", WCAP-7669, Westinghouse Electric Corporation (April 1971).

3. D. N. Katz, "Solid Stage Logic Protection System Description", WCAP-7672, Westinghouse Electric Corporation (June 1971).

4. J. Bruno, "Isolation Tests Process Instrumentation Isolation Amplifier W Computer and Instrumentation Division Model 131-110", WCAP-7824, Westinghouse Electric Corporation (December 16, 1971).

5. R. Bartholemew and J. Lipchak, "Test Report, Nuclear Instrumentation System Isolation Amplifier", WCAP-7819, Revision 1, Westinghouse Electric Corporation (January 1972).

6. W. C. Gangloff and W. D. Loftus, "An Evaluation of Solid State Logic Reactor Protection in Anticipated Transients", WCAP-7706, Westinghouse Electric Corporation (September 1971).

7. T. W. T. Burnett, "Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors", WCAP-7306, Westinghouse Electric Corporation (April 1969).

8. E. L. Vogeding, "Seismic Testing of Electrical and Control Equipment", WCAP-7817, Westinghouse Electric Corporation (January 1970).

9. E. L. Vogeding, "Seismic Testing of Electrical and Control Equipment (WCID Process Control Equipment)", WCAP-7818, Supplement 1, Westinghouse Electric Corporation (December 1971).

10. L. M. Potochink, "Seismic Testing of Electrical and Control Equipment (Low Seismic Plants)", WCAP-7817, Supplement 2, Westinghouse Electric Corporation (December 1971).

11. E. L. Vogeding, "Seismic Testing of Electrical and Control Equipment (Westinghouse Solid State Protection System)", WCAP-7817, Supplement 3, Westinghouse Electric Corporation (December 1971).

12. J. Locante and E. G. Igne, "Environmental Testing of Engineered Safety Features Related Equipment (NSSS Standard Scope)", WCAP-7744, Volume I, Westinghouse Electric Corporation (August 1971).

13. "Criteria for Protection Systems for Nuclear Power Generating Stations", IEEE Std. 279-1971, The Institute of Electrical and Electronic Engineers, Inc.

7.2-31

BVPS UFSAR UNIT 1 Rev. 19 References for Section 7.2 (CONTD)

14. "IEEE Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protection Systems", IEEE Std. 338-1971, The Institute of Electrical and Electronic Engineers, Inc.

15. "IEEE Standard Criteria for Class IE Electric Systems for Nuclear Power Generating Stations", IEEE Std. 308-1971, The Institute of Electrical and Electronic Engineers, Inc.

16. "IEEE Trial-Use Standard; General Guide for Qualifying Class I Electric Equipment for Nuclear Power Generating Stations", IEEE Std. 323-1971, The Institute of Electrical and Electronic Engineers, Inc.

17. "IEEE Trial-Use Guide Type Tests and Continuous-Duty Class I Motors Installed Inside the Containment of Nuclear Power Generating Stations", IEEE Std. 334-1971, The Institute of Electrical and Electronic Engineers, Inc.

18. "IEEE Trial-Use Guide for Seismic Qualification of Class I Electric Equipment for Nuclear Power Generating Stations", IEEE Std. 344-1971, The Institute of Electrical and Electronic Engineers, Inc.

19. "Proposed General Design Criteria for Nuclear Power Plant Construction Permits",

Federal Register, (July 11, 1967).

20. J. J. Carey, "Environmental Qualification of Class IE Equipment", Letter to NRC, Duquesne Light Company (October 15, 1981).

21. "Westinghouse Protection System Noise Tests", Westinghouse Electric Corporation (December 1974) Filed with the NRC for review on the Diablo Canyon Project, docket nunbers 50-275 and 50-323.

22. "Equipment Qualification Data Package - Process Protection System"; EQDP-ESE-13, Rev. 3, 7/81; Westinghouse Electric Corporation.

23. "Westinghouse 7300 Series Process Control System Noise Tests", WCAP-8892-A dated June 1977.

24. "RTD Bypass Elimination Licensing Report for Beaver Valley Unit 1", WCAP-12058 (December 1988).

7.2-32

BVPS UFSAR UNIT 1 Rev. 22 7.3 ENGINEERED SAFETY FEATURES SYSTEM 7.3.1 Description The engineered safety features (ESF) actuation system senses selected unit parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures. Once the required logic combination is completed, the system sends actuation signals to those ESF components whose aggregate function best serves the requirements of the accident. This design meets the requirements of 1967 GDC 12 and 15. 7.3.1.1 Functional Design The following is a summary of those unit conditions requiring protective action:

1. Primary System:

a. Rupture in small pipes or cracks in large pipes.

b. Rupture of a reactor coolant pipe loss of coolant accident (LOCA)

c. Steam generator tube rupture

2. Secondary System:

a. Minor secondary system pipe breaks resulting in steam release rates equivalent to a single dump, relief or safety valve

b. Rupture of a major steam pipe.

The following summarizes the unit variables required to be monitored for each accident:

1. Ruptures in small or cracks in large primary system pipes:

a. Pressurizer pressure

b. Containment pressure

2. Rupture of a reactor coolant pipe (LOCA):

a. Pressurizer pressure

b. Containment pressure

3. Steam generator tube rupture:

a. Pressurizer pressure 7.3-1

BVPS UFSAR UNIT 1 Rev. 19

4. Minor secondary system pipe breaks:

a. Pressurizer pressure

b. Steam line pressures

c. Steam line pressure rate

d. Containment pressure

5. Rupture of a major steam pipe:

a. Pressurizer pressure

b. Steam line pressures

c. Steam line pressure rate

d. Containment pressure 7.3.1.1.1 Signal Computation The ESF actuation system consists of two discrete portions of circuitry:

1. An analog portion consisting of three to four redundant channels which monitor various unit parameters such as the reactor coolant system (RCS) and steam system pressures, temperatures, and flows, and containment pressures

2. A digital portion consisting of two redundant logic trains which receive inputs from the analog protection channels and perform the needed logic to actuate the ESF.

Each digital train is capable of actuating the ESF equipment required. The intent is that any single failure within the ESF actuation system shall not prevent system action when required. The redundant concept is applied to both the analog and logic portions of the system. Separation of redundant analog channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations and the analog protection racks, terminating at the redundant groups of safeguards logic racks. This design meets the requirement of the 1967 GDC 19. Section 7.2 provides further details on protective instrumentation. The same design philosophy applies to both systems and conforms to 1967 GDC 19, 20, 21, 22 and 23. The variables are sensed by the analog circuitry as discussed in Reference 1 and in Section 7.2. The outputs from the analog channels are combined into actuation logic as shown on sheets 5, 6, 7 and 8 of Figure 7.2-1. Tables 7.3-1 and 7.3-2 give additional information pertaining to logic and function. The interlocks associated with the ESF actuation system are outlined in Table 7.3-3. The interlocks satisfy the functional requirements discussed in Section 7.1.2. 7.3-2

BVPS UFSAR UNIT 1 Rev. 24 The transfer from the safety injection mode to the recirculation mode will automatically take place on two out of four extreme low level signals from the refueling water storage tank (RWST) coincident with a safety injection signal. 7.3.1.1.2 Devices Requiring Actuation The following are the actions which the ESF actuation system initiates when it is called on to perform its function:

1. Safety injection

2. Reactor trip

3. Feedwater line isolation by closing all main feedwater control and feedwater isolation valves, feedwater pump trip and closure of main feedwater pump discharge valves. (Main feedwater pump discharge valves are not credited for feedwater isolation in the safety analyses.)

4. Auxiliary feedwater system actuation

5. River water (pump start and system isolation)

6. Containment depressurization system

7. Containment isolation

8. Control room ventilation system isolation and pressurization

9. Emergency diesel startup

10. Main steam line isolation.

7.3.1.2 Design Bases: IEEE Std. 279-1971(2) The unit conditions which require protective action are given in Section 7.3.1.1. The unit variables that are required to be monitored in order to provide protective actions are also summarized in Section 7.3.1.1. The only variable sensed by the ESF actuation system which has spatial dependence is reactor coolant temperature. The effect on the measurement is negated by taking multiple samples from the reactor coolant hot leg and averaging these samples electronically in the process protection system. The parameter values that will require protective action are given in the Technical Specification. The malfunctions, accidents or other unusual events which could physically damage protection system components or could cause environmental changes are as follows:

1. Loss of Coolant Accident (LOCA)

2. Steam breaks

3. Earthquakes 7.3-3

BVPS UFSAR UNIT 1 Rev. 23

4. Fire

5. Explosion (Hydrogen buildup inside containment)

6. Missiles

7. Flood Minimum performance requirements are as follows:

1. SYSTEM RESPONSE TIMES: Are defined as the time interval from when the monitored parameter exceeds its ESF actuation setpoint at the sensor until the ESF equipment is capable of performing its safety function (valves have repositioned, pumps have started and discharge pressures are at their required values). These times include sensor response times and diesel generator starting and sequence loading delays where applicable.

The system response time does not specifically include any effects associated with transfer functions (dynamic compensators - lag, lead/lag and rate lags). Plant safety analyses typically use both the system response time and applicable dynamic compensators (modeled separately) to calculate the overall response of a protective function to changes in an input parameter. During periodic system response time testing, it is not always practical (or desirable) to turn off transfer functions. The use of a step input change allows for time response testing to be performed with dynamic compensation operational. For a listing of the actual overall BVPS Unit 1 ESF response time requirements, refer to the Licensing Requirements Manual (LRM).

2. SYSTEM ACCURACIES: System accuracies are as defined in UFSAR Table 7.2-3 for all identified reactor trip system and ESF parameters.

3. RANGES OF SENSED VARIABLES: Ranges of sensed variables required to generate the protection action are:

a. For loss of coolant accident

1) Pressurizer pressure 1,700 to 2,500 psig

2) Containment pressure -10 to 55 psig

b. For steam break protection

1) Steam line pressure 0 to 1,400 psig

2) Containment pressure -10 to 55 psig 7.3-4

BVPS UFSAR UNIT 1 Rev. 26 7.3.1.3 Implementation of Functional Design 7.3.1.3.1 Analog Circuitry The process analog sensors and racks for the ESF actuation system are covered in Reference 1. Discussed in this report are the parameters to be measured including pressures, tank and vessel water levels, and temperatures, as well as the measurement and signal transmission considerations. These latter considerations include the basic current transmission system, transmitters, orifices and flow elements, resistance temperature detectors and pneumatics. Other considerations covered are automatic calculations, signal conditioning and location and mounting of the devices. The sensors monitoring the primary system are located as shown on the piping flow diagrams in Section 4, reactor coolant system. The secondary system sensor locations are shown on the steam system flow diagrams given in Section 10. Containment pressure is sensed by four physically separated differential pressure transmitters mounted by strong supports outside of the containment. The distance from penetration to transmitter is kept to a minimum and separation is maintained. This arrangement conforms to GDC 53. The following is a description of those process channels not included in the reactor trip or ESF actuation systems which enable additional monitoring of in-containment conditions in the post LOCA recovery period. These channels are located outside of the containment (with the exception of sump instrumentation) and will not be affected by the accidents:

1. REFUELING WATER STORAGE TANK LEVEL: Level instrumentation on the refueling water storage tank consists of four qualified Class 1E independent channels. Three of the level channels have indication in the control room and the fourth is recorded. Two channels, one for each train, are alarmed. Five distinct level setpoints are employed for alarm and control.

a. ABOVE NORMAL LEVEL - used to avoid overfilling of the tank.

b. BELOW NORMAL LEVEL - alarms if the level drops below the Technical Specification required volume for injection by the emergency core cooling system in the event of a loss of coolant accident.

c. LEVEL LOW - any one of three channels used for this function actuates a common alarm in the main control room. A two-out-of-three low level signal coincident with a containment pressure high-high signal starts the recirculation spray pumps.

d. LEVEL EXTREME LOW - in addition to the indicators and recording in the control room, any one of the four level channels actuates a common alarm in the main control room. A two-out-of-four low level signal coincident with a safety injection signal automatically transfers operation from the injection phase to the recirculation phase and also provides alarm indication.

e. COLD SHUTDOWN LEVEL LOW - alarms if the level drops below the Licensing Requirements Manual required volume for a functional borated water source during cold shutdown.

7.3-5

BVPS UFSAR UNIT 1 Rev. 28

2. SAFETY INJECTION CHARGING PUMPS DISCHARGE PRESSURE: These channels clearly show that the pumps are operating. The transmitters are outside the containment.

3. PUMP ENERGIZATION: Pump motor power feed breakers indicate that they have closed by energizing indicating lights on the control board.

4. VALVE POSITION: All ESF systems remote operated valves have position indication on the control board to show proper positioning of the valves. Red and green indicator lights are located next to the manual control station showing open and closed positions. In the cases of the accumulator isolation valves, redundancy of position indication is provided by valve stem mounted limit switches which actuate annunciators on the control board when the valves are not correctly positioned for safeguards. The low head injection discharge valve to the cold legs (MOV-SI890C) uses a similar stem mounted limit switch to annunciate should the valve be out of position. However, since the valve operator has the power locked out, the normal red and green indicators lights will be off.

The stem mounted switches are independent of the motor operator limit switches and control power. See Section 7.6 for additional information. The red and green indicator lights for Main Steam Isolation Bypass Valves MOV-1MS-101A, B, and C will be off, since the valve operators will have power removed during power operation.

5. SUMP INSTRUMENTATION: The containment sump instrumentation consists of three multi-level magnetic float type switches. There are two wide range (0-90 inches) transmitters and one narrow range (3-15 inches) transmitter. The narrow range transmitter monitors the sump level under normal conditions. Both wide range levels and the narrow range level are displayed in the control room. A recorder in the control room is provided for one of the wide range level signals.

The containment sump level instrumentation was upgraded as a requirement of an NRC Order(14) in response to NUREG 0737 TMI issue II.F.1.5. In addition to the above instrumentation, the following local instrumentation is available:

a. Containment depressurization spray test lines total flow.

b. Safety injection test line pressure and flow.

7.3.1.3.2 Digital Circuitry The ESF actuation logic racks are discussed in detail in Reference 3. The description includes the considerations and provisions for physical and electrical separation as well as details of the circuitry. Reference 3 also covers certain aspects of on-line test provisions, provisions for test points, considerations for the instrument power source, consideration for accomplishing physical separation and provisions for ensuring instrument qualification. The outputs from the analog channels are combined into actuation logic as shown on sheets 5 (Tavg), 6 (pressurizer pressure), 7 (steam pressure) and 8 (ESF actuation) of Figure 7.2-1. To facilitate ESF actuation testing, two cabinets (one per train) are provided which enable operation, to the maximum practical extent, of safety features loads on a group by group basis until actuation of all devices has been checked. Final actuation testing is discussed in detail in Section 7.3.2. 7.3-6

BVPS UFSAR UNIT 1 Rev. 22 7.3.1.3.3 Final Actuation Circuitry The outputs of the solid state logic protection system (the slave relays) are energized to actuate, as are most final actuators and actuated devices. These devices are listed as follows:

1. Safety injection system pump and valve actuators. See Section 6 for flow diagrams and additional information.

2. Containment isolation (Phase A - signal isolates all non-essential process lines on receipt of safety injection signal: Phase B - signal isolates remaining process lines (which do not include safety injection lines) on receipt of two-out-of-four high-high containment pressure signal). For further information see Section 6.

3. River water pump and valve actuators (Section 9)

4. Auxiliary feed pumps start (Section 10)

5. Diesel start (Section 8)

6. Feedwater isolation (Section 10)

7. Control room and supplementary leak collection ventilation valves and damper actuators and control room pressurization valves (Section 6 and 9)

8. Steam line isolation valve actuators (Section 10)

9. Recirculation spray and quench pumps and valve actuators (Section 6).

If an accident is assumed to occur coincident with a station electrical blackout, the ESF loads must be sequenced onto the diesel generators to prevent overloading them. This sequence is discussed in Section 8. The design conforms to 1967 GDC 37 and 41. 7.3.1.4 Auxiliary Systems Required for ESF Operation The following auxiliary systems are essential to the proper functioning of engineered safety features:

1. River water system (continuously after Design Base Accident [DBA]).

2. Emergency diesel generator fuel oil system (continuously after DBA)

3. Control room air-conditioning system (continuously after DBA)

4. Control room emergency ventilation system (30 min after DBA)

5. Leak collection system (continuously after DBA)

6. Diesel generator building ventilation system (continuously after DBA) 7.3-7

BVPS UFSAR UNIT 1 Rev. 22

7. Intake structure ventilation system (continuously after DBA)

8. Emergency switchgear and battery room ventilation system (continuously after DBA)

9. Electrical power distribution system (continuously after DBA)

Instrumentation and controls required for the above auxiliary systems are designed to the same standards as those for the ESF Systems that they support, including IEEE Std. 279-1971.(2) The 2 train design concept featuring independence and separation between trains, is utilized for all instrumentations and controls that are necessary for the ESF auxiliary systems to perform their safety functions. Included are all components from the sensors to the actuated equipment of the systems. A separate power supply will be provided for each train. A loss of electric power to one train will not affect the operation of the redundant train. Each train will be supplied from a separate emergency bus. Indication of interrelated system variables will provide the operator with sufficient information to determine the response of the ESF systems if one of the auxiliary system monitors should fail. For example, if the flow measurement loop in the river water line going to a recirculation spray cooler fails, the temperature indicator of the cooled fluid will indicate whether the cooler is functioning properly. Special consideration is given to the environmental and seismic capabilities of instrumentation and control equipment in the ESF auxiliary systems. Verification that the equipment has been designed, built and installed in accordance with the specified criteria is accomplished through analysis, performance test and/or type test data and quality assurance and quality control methods. Testing and inspection of instrumentation associated with ESF auxiliary systems is performed on the instrumentation associated with the parts of the system that will not be in use during normal unit operation. Instrumentation associated with ESF auxiliary systems that will be in use during normal operation (river water system) will not require periodic testing, since operability will be demonstrated by their continuous use. The following discusses the instrumentation and controls for the auxiliary systems required to support the ESF: River Water System The river water system is described in Section 9.9 and is shown on Figure 9.9-1. The river water system is required to supply cooling water for ESF and auxiliary systems essential to ESF:

1. Four recirculation spray heat exchangers

2. Three high-head safety injection pump lube oil coolers

3. Two emergency diesel generator cooling system heat exchangers.

4. The control room air-conditioning condensers.

Three river water pumps are provided to supply water to the two river water headers. Connection of pumps and valves for the system are described in Section 9.9.2. 7.3-8

BVPS UFSAR UNIT 1 Rev. 19 Continuous radiation monitoring will be provided in the river water discharge from the component cooling water heat exchangers during normal operation (Section 11.3.3.3.17). After an accident that activates the containment isolation phase B signal, continuous radiation monitoring will be provided in the discharge of each train of recirculation spray heat exchangers (Section 11.3.3.3.18). Each recirculation spray heat exchanger will have a remotely operated valve in its supply and discharge line. On a high radiation alarm, the operator can isolate the affected recirculation spray heat exchanger train by closing the isolation valves and its supply and return header. Control switches and indicating lights for the river water pump motors will be provided on the main control board. Any river water pump can be started manually from the control room. A standby river water pump will be started automatically when either a diesel loading sequence signal is received or on receipt of safety injection signal with normal power available. All other pressure in either of the two river water headers will be visually and audibly alarmed in the control room. Redundant supply headers, each having redundant actuated supply valves, supply water to the recirculation spray heat exchangers. Each diesel generator heat exchanger is supplied by a single supply header with redundant actuated supply valves. Emergency Diesel Generator Fuel Oil System The emergency diesel generator fuel oil system design and description is given in Section 9.1 and shown in Figure 9.14-1. This system is required to supply fuel oil to the emergency diesel generator day tanks for proper operation of the emergency diesel generators. The emergency generator fuel oil system is divided into two separate redundant mechanical and electrical trains. This dual train concept provides sufficient redundancy that will prevent failure of an active or passive component from impairing the system's capability to supply fuel oil to at least one of the diesel engines. Each of the two emergency diesel generator fuel oil storage tanks is provided with fuel oil tank level indication locally. Each of the two emergency diesel generator oil day tanks is provided with level switches, which will automatically start and stop the associated fuel oil transfer pumps. In addition to the level switch for pump control, local manual control of the pump is provided. At a predetermined high or low level, separate emergency diesel generator day tank level switches will actuate a high or low alarm on the emergency diesel generator panel. Controls and indication will be tested functionally during startup and periodically thereafter as stated in Section 9.14.6. Ventilation Systems The objective of the instrumentation and controls for the safety-related ventilation system components is to maintain temperature within the designed limits required. 7.3-9

BVPS UFSAR UNIT 1 Rev. 23 Manual controls and indication of the status of all safety-related components are available in the main control room. Automatic and manual controls of redundant components are independent and are electrically and physically separated. Failure of an operating component and/or starting of the redundant component is indicated in the control room. Redundant motors and motor-operated dampers have power supplied from separate emergency buses. Motor-operated dampers fail in the as-is position on loss of power. Each redundant air-operated damper and damper seal with solenoid pilot valve has power supply to the solenoid from a separate d-c bus. The air-operated dampers are designed to fail in the position of greater safety on the loss of air and/or power. Electrical Power Distribution System The electrical power distribution system and its design bases are described in Section 8. 7.3.2 Analysis 7.3.2.1 Evaluation of Compliance With IEEE Std. 279-1971(2) 7.3.2.1.1 Single Failure Criteria The discussion presented in Section 7.2.2.2.1 is applicable to the ESF actuation system, with the following exception. In the ESF, a loss of instrument power will call for actuation of ESF equipment controlled by the specific bistable that lost power (containment depressurization spray excepted). The actuated equipment must have power to comply. The power supply for the protection systems is discussed in Section 8. For containment depressurization spray, the final bistables are energized to trip to avoid spurious actuation. There are four manual containment depressurization spray switches (two per train) on the control panel. Train A actuation requires simultaneous actuation of both manual train A control switches. Manual actuation of train B requires simultaneous actuation of both manual train B control switches. Thus, manual actuation of a train of containment depressurization spray requires simultaneous actuation of two manual controls. This is considered acceptable because spray actuation on high-high containment pressure signal provides automatic initiation of the system via protection channels meeting the criteria in Reference 2. Moreover, all safety related equipment (valves, pumps, etc.) can be individually manually actuated from the control board. Hence, a secondary mode of containment depressurization spray initiation is available. This design conforms to 1967 GDC 21 and 26. 7.3.2.1.2 Equipment Qualification The environmental qualification of safety related electrical equipment, required to perform a safety function under postulated accident conditions, was reviewed. A summary of the BVPS-1 safety related electrical equipment identified was included in the responses to NRC IE Bulletin 79-01B(9) and to 10 CFR 50.49(11,12). This information is maintained in the BVPS-1 Environmental Qualification Program in accordance with 10 CFR 50.49. The environmental qualification program addresses aging, submergence, loss of coolant accident and main steam line break inside primary containment, and various high energy line breaks outside primary containment. 7.3-10

BVPS UFSAR UNIT 1 Rev. 23 The resistance temperature detectors for Tavg measurement are only required as a backup to the steamline pressure instruments during the accidents; however, they are qualified to operate in the accident environment. They are typically rugged devices and are expected to survive in the environment long enough to perform their initiation function (less than 1 min), and are not subsequently used. The steam line flow sensors are also required only for steam break accidents and are expected to perform their initiation function within a relatively short period of time (less than 1 min) following the break. However, they are qualified to operate in the accident environment. 7.3.2.1.3 Channel Independence The discussion presented in Section 7.2.2.2.1 is applicable. The ESF outputs from the solid state logic protection cabinets are redundant and the actuations associated with each train are energized up to and including the final actuators by the separate a-c power suppliers which power the logic trains. 7.3.2.1.4 Control and Protection System Interaction The discussions presented in Section 7.2.2.2.1 are applicable. 7.3.2.1.5 Capability for Sensor Checks and Equipment Test and Calibration The discussions of system testability in Section 7.2.2.2.1 are applicable to the sensors, analog circuitry and logic trains of the ESF actuation system. The following discussions cover those areas in which the testing provisions differ from those for the reactor trip system: Testing of ESF Actuation Systems The ESF systems are tested to provide assurance that the systems will operate as designed and will be available to function properly in the unlikely event of an accident. The testing program, which conforms to GDC 25, 38, 46, 48, 57, and to the Safety Guide 22, is performed in accordance with the requirements specified in the Technical Specifications. During on-line operation of the reactor, all of the ESF analog and logic circuitry will be fully tested. In addition, essentially all of the ESF final actuators will be fully tested. The remaining few final actuators whose operation is not compatible with continued on-line unit operation will be partially tested with the exception of the automatic transfer from safety injection to recirculation feature that is tested during plant shutdown. During normal operation, the operability of testable final actuation devices of the ESF will be tested by manual initiation from the safeguards test panel. Under the present design, those protection functions which are only partially tested at power are the following:

1. Closing the main steam valves (see discussion under Section 7.3.2.1.5, Actuation testing).

2. Closing the feedwater control valves.

7.3-11

BVPS UFSAR UNIT 1 Rev. 23

3. Closing the feedwater isolation valves.

4. Tripping the main feedwater pump circuit breakers.

5. Closing the reactor coolant pump seal water return isolation valves.

6. Closing the reactor coolant pump component cooling water isolation valves.

7. Turbine trip.

The actuation logic for the functions listed is tested as described in this section. As required by Safety Guide 22, where actuated equipment is not tested during reactor operation, it has been determined that:

1. There is no practicable system design that would permit operation of the actuated equipment without adversely affecting the safety or operability of the plant.

2. The probability that the protection system will fail to initiate the operation of the actuated equipment is, and can be maintained, acceptably low without testing the actuated equipment during reactor operation.

3. The actuated equipment can routinely be tested when the reactor is shut down.

Where the ability of one of the two trains to respond to a bona fide accident signal is intentionally bypassed for the purpose of performing a test during reactor operation, each bypass condition is automatically indicated to the reactor operator in the main control room by a common "ESF testing" annunciator for the train in test. Test circuitry does not permit the two ESF trains to be tested at the same time so that extension of the bypass condition to the redundant train is prevented. In accordance with an NRC Order(13), administrative procedures are implemented to require redundant independent verification of the operability of the remaining engineered safety features whenever any safety system, or subpart thereof, is intentionally removed from service. Performance Test Acceptability Standard for the Safety Injection Signal and for the Containment Isolation Phase B (CIB) Signal Generation During reactor operation, the basis for ESF actuation systems acceptability will be the successful completion of the overlapping tests performed on the reactor trip and the ESF actuation systems. Analog checks verify operability of the sensors. Analog checks and tests verify the operability of the analog circuitry from the input of these circuits through to and including the logic input relays. Solid state logic testing checks and digital signal path from and including logic input relay contacts through the logic matrices and master relays and perform continuity tests on the coils of the output slave relays; final actuator testing operates the output slave relays and verifies operability of those devices which require safeguards actuation and which can be tested without causing a unit transient. A continuity check is performed on the actuators of the untestable devices. Operation of the final devices is confirmed by control board indication and visual observation that the appropriate pump breakers close and automatic valves shall have completed their travel. 7.3-12

BVPS UFSAR UNIT 1 Rev. 23 The basis for acceptability for the ESF interlocks will be control board indication of proper receipt of the signal upon introducing the required input at the appropriate setpoint. Maintenance checks (performed during regularly scheduled refueling outages), such as resistance to ground of signal cables in radiation environments, are based on qualifications test data which identifies what constitutes acceptable radiation, thermal, etc., degradation. Frequency of Performance of ESF Actuation Tests Complete system testing is performed in accordance with the frequency specified in the Technical Specifications. ESF Actuation Test Description The following sections describe the testing circuitry and procedures for the on-line portion of the testing program. The guidelines used in developing the circuitry and procedures are:

1. The test procedures must not involve the potential for damage to any unit equipment.

2. The test procedures must minimize the potential for accidental tripping.

3. The provisions for on-line testing must minimize complication of ESF actuation circuits so that their reliability is not degraded.

Description of Initiation Circuitry Several systems comprise the total ESF system, the majority of which may be initiated by different process conditions and be reset independently of each other. The remaining functions (listed in Section 7.3.1.1.5) are initiated by a common signal (safety injection) which in turn may be generated by different process conditions. In addition, operation of all other vital auxiliary support systems, such as auxiliary feedwater, component cooling and river water, is initiated via the safeguards starting sequence actuated by the safety injection signal. Each function is actuated by a logic circuit which is duplicated for each of the two redundant trains of ESF initiation circuits. The output of each of the initiation circuits consists of a master relay which drives slave relays for contact multiplication as required. The logic, master and slave relays are mounted in the solid state logic protection cabinets designated train A and train B, respectively, for the redundant counterparts. The master and slave relays circuits operate various pump and fan circuit breakers or starters, motor-operated valve contactors, solenoid operated valves, emergency generator starting, etc. 7.3-13

BVPS UFSAR UNIT 1 Rev. 24 Analog Testing Analog testing is identical to that used for reactor trip circuitry and is described in Section 7.2.3.3. Briefly, in the analog racks, bistable trip switches, proving lamps and analog test switches are provided. Administrative control requires, during bistable testing, that the bistable output be put in a trip condition by its trip switch which connects the proving lamp to the bistable and disconnects and thus de-energizes (operates) the bistable output relays in train A and train B cabinets. This, of necessity, is done on one channel at a time. Status lights and single channel trip alarms in the main control room verify that the bistable relays have been de-energized and the bistable outputs are in the trip mode. An exception to this is containment depressurization spray and RWST extreme low level, which are energized to actuate two-out-of-four and reverts to two-out-of-three when one channel is in test. The analog test switch is then operated and a signal is inserted through a test jack. Verification of the bistable trip setting is now confirmed by the proving lamp. Solid State Logic Testing After the individual channel analog testing is complete, the logic matrices are tested from the train A and train B logic rack test panels. This step provides overlap between the analog and logic portions of the test program. During this test, each of the logic inputs are actuated automatically in all combinations of trip and non-trip logic. Trip logic is not maintained sufficiently long enough to permit master relay actuation; master relays are "pulsed" in order to check continuity. Following the logic testing, the individual master relays are actuated electrically to test their mechanical operation. Actuation of the master relays during this test will apply to low voltage to the slave relay coil circuits to allow continuity checking, but not slave relay actuation. During logic testing of one train, the other train can initiate the required ESF function. For additional details, see Reference 3. Actuator Testing At this point, testing of the initiation circuits through operation of the master relay and its contacts to the coils of the slave relays has been accomplished. In the next step, operation of the slave relays and the devices controlled by their contacts will be checked. For this procedure, control switches mounted on a safeguards test cabinet panel in the logic rack area are provided for each slave relay. These controls are of the type that require two deliberate actions on the part of the operator to actuate a slave relay. By operation of these relays one at a time through the control switches, all devices that can be operated on line are tested. Devices are assigned to the slave relays such that no undesired effect on unit operation occurs. This procedure minimizes upset to the unit and again ensures that overlap in the testing is continuous, since the normal power supply for the slave relays is utilized. 7.3-14

BVPS UFSAR UNIT 1 Rev. 22 During this last procedure, close communication between the main control room operator and the man at the test panel is required. Prior to the energizing of a slave relay, the operator in the main control room ensures that unit conditions will permit operation of the equipment that will be actuated by the relay. After the tester has energized the slave relay, the main control room operator observes that all equipment has operated as indicated by appropriate indicating lamps, monitor lamps and annunciators on the control board, and using a prepared check list, records all operations. He then resets all devices and prepares for operation of the next slave relay actuated equipment. By means of the procedure outlined above, all devices actuated by ESF systems initiation circuits, with the following exceptions, are operated by the test circuitry:

1. MAIN STEAM ISOLATION: The main steam isolation valves can be partially tested during normal operation. The test sequence involves a test of solid state protection system output relay contact operation and continuity of solenoid coil initiating steam line isolation. These are tested via the on-line test cabinets.

2. FEEDWATER ISOLATION: Air-operated, spring closed regulating control valves and hydraulic/pneumatic isolation valves are provided for each main feedwater line. Operation of these valves is continually monitored by normal operation.

3. REACTOR COOLANT PUMP ESSENTIAL SERVICE ISOLATION:

a. Component cooling water supply and return. These valves cannot be fully tested during normal operation.

b. Seal water return header. These valves cannot be fully tested during normal operation.

The reactor coolant pump essential service isolation valves are not normally a part of the engineered safety features and are therefore not required to meet the testing requirements of Safety Guide 22. The main reason for not testing these valves periodically is that the reactor coolant pumps may be damaged. Although this would not result in a situation that endangers the health and safety of the public, it would result in unnecessary shutdown of the reactor for an extended period of time, so that the reactor coolant pump or certain of its parts could be replaced. This would place a great economic burden on the utility.

4. Other circuitry not associated with the ESF may require blocking; for example, main generator tripping.

Actuator Blocking and Continuity Test Circuits The limited number of components that cannot be operated on line are assigned to slave relays separate from those discussed above. For these components, additional blocking relays are provided which allow operation of the slave relays without actuation of the associated ESF devices. Interlocking prevents blocking the output of more than one slave relay at a time. The circuits provide for monitoring of the slave relay contacts, the devices' control circuit cabling, control voltage and the devices' actuating solenoids. 7.3-15

BVPS UFSAR UNIT 1 Rev. 24 Bypasses Table 7.3-5 describes the indication available to the control room operator that allows him to determine whether any part of the ESF actuation system has been administratively bypassed or taken out of service. Design criteria and a discussion of display instrumentation are provided in Section 7.5. In general, if any analog channel in the ESF actuation system is taken out of service for any reason, the channel is placed in the tripped mode and a channel trip status light is lit on the control board. In addition, an alarm will sound and an associated annunciator panel light will be lit. This holds true for the containment pressure channel associated with safety injection and steam line isolation functions. The channel bistable output relays associated with the containment spray and RWST extreme low level functions are not tripped to reduce the possibility of inadvertent actuation but are negated for test and maintenance purposes. A status light indicating a negated condition is provided for each channel. An annunciator indicating two-out-of-four channel rack doors open and channel test violation is also provided. When testing or maintenance is performed on the solid state logic protection racks or on the associated safeguards test cabinets, an annunciator is energized (one per rack or cabinet per train). With respect to final actuators and components of the ESF systems, a number of indications are provided, depending on the importance of the device. The following general statements are true. For any circuit breaker or motor starter, red and green status lights are provided adjacent to the controller. If a breaker or motor starter is racked out for maintenance or any other reason, both status lights will be extinguished. Likewise, if a safety feature pump has its switch placed in the pull to lock position, the indicating lamps would go out. Also, the switch would have its handle in an abnormal position compared with the other switches on the board, thus providing an additional visual aid to the operator. For critical functions, the plant design includes one, or a combination, of the following indications to show the operator the status of plant systems and to highlight the existence of an incorrect configuration:

1. Indication lights (red-open and green-closed) at the control switch for each valve By looking at the valve position indications, an operator can determine whether any component (tank, pump, valve, etc.) in the ESF system has been isolated or negated.

2. The following valves are audibly and visibly alarmed under the conditions indicated and are recorded on the sequence of events recorder:

a. Steamline stop valve not fully open

b. Safety injection refueling water storage tank suction valve not fully open

c. Safety injection pump minimum flow and test isolation valve not fully open 7.3-16

BVPS UFSAR UNIT 1 Rev. 24

d. Safety injection accumulator 1 discharge valve not fully open

e. Safety injection accumulator 2 discharge valve not fully open

f. Safety injection accumulator 3 discharge valve not fully open

g. Outside recirculation spray pump 2A suction or discharge valve not fully open

h. Outside recirculation spray pump 2B suction or discharge valve not fully open

i. Quench spray pump 1A suction valve not open or discharge valve not closed

j. Quench spray pump 1B suction valve not open or discharge valve not closed.

An administratively controlled status board indicates to the operator the availability of the systems. The indications are in the form of manually actuated back-lighted panels which display, at the system level, any system and train which is not operable as a result of bypassed or inoperable equipment. The status board is controlled by a licensed station operator who records his operations in a daily station log. This status board complies with the recommendations of AEC Regulatory Guide 1.47(10) with the exception that it will be administratively controlled, rather than automatically actuated. Time Required for Testing It is estimated that analog testing can be performed at a rate of several channels per hour. Logic testing can be performed in less than 30 minutes. Testing of actuated components (including those which can only be partially tested) will be a function of control room operator availability. It is expected to require several shifts to accomplish these tests. During this procedure, automatic actuation circuitry will override testing, except for those few devices associated with a single slave relay whose outputs must be blocked and then only while blocked. It is anticipated that continuity testing associated with a blocked slave relay could take several minutes. During this time the redundant devices in the other train would be functional. Summary The procedures described provide capability for checking completely from the process signal to the logic cabinets and from there to the individual pump and fan circuit breakers or starters, valve contactors, pilot solenoid valves, etc., including all field cabling actually used in the circuitry called upon to operate for an accident condition. For those few devices whose operation could seriously affect unit or equipment operation, the procedure provides for checking from the process signal to the logic rack and from there, low voltage application for monitoring of the balance of the individual control circuits. The procedures require testing at various locations.

1. Analog testing and verification of bistable setpoint are accomplished at process analog racks. Verification of bistable relay operation is done at the main control room status lights.

7.3-17

BVPS UFSAR UNIT 1 Rev. 23

2. Logic testing through operation of the master relays and low voltage application to slave relays is done at the logic rack test panel.

3. Testing of pumps, fans and valves is done at a test panel located in the vicinity of the logic racks in combination with the control room operator.

4. Continuity testing for those circuits that cannot be operated is done at the same test panel mentioned in 3 above.

Testing During Shutdown Emergency core cooling system (ECCS) tests will be performed at each major fuel reloading. With RCS pressure less than or equal to 350 psig and temperature less than or equal to 350°F, a test safety injection signal will be applied to initiate operation of the system. Containment depressurization spray system tests are discussed in Section 6.4 and the Technical Specifications. Periodic Maintenance Inspections The maintenance procedures which follow may be accomplished in any order. The frequency will depend on the operating conditions and requirements of the reactor power unit. If any degradation of equipment operation is noted, either mechanically or electrically, remedial action is taken to repair, replace or readjust the equipment. Optimum operating performance must be achieved at all times. Typical maintenance procedures include the following:

1. Check cleanliness of all exterior and interior surfaces

2. Check all fuses for corrosion

3. Inspect for loose or broken control knobs and burned out indicator lamps

4. Inspect for rust, moisture and condition of cables and wiring

5. Check all connectors and terminal boards for looseness, poor connection or corrosion

6. Inspect components for signs of overheating or component deterioration

7. Perform complete system operating check.

The balance of the requirements listed in Reference 2 (Paragraphs 4.11 through 4.22) are discussed in Section 7.2.2.2.1. Paragraph 4.20 of Reference 2 receives special attention in Section 7.5. 7.3-18

BVPS UFSAR UNIT 1 Rev. 33 7.3.2.2 Evaluation of Compliance With IEEE Std. 308-1971(5) See Section 8, which discusses the power supply for the protection systems, for discussions on compliance with this criteria. 7.3.2.3 Evaluation of Compliance With IEEE Std. 323-1971(6) The safety-related equipment is type tested to substantiate the adequacy of design. This is the preferred method as indicated in Reference 6. Type tests may not conform to the format guidelines set forth in Reference 6. 7.3.2.4 Evaluation of Compliance With IEEE Std. 338-1971(7) The periodic testing of the Westinghouse ESF actuation system conforms to the requirements of Reference 7 with the following comments:

1. Protection system overall response time testing is conducted in accordance with the time intervals specified in the Technical Specifications, and consists of a series of response time tests of discrete portions of the system with the results summed and verified to be within the limits of the overall system requirement.

The overall response time testing is usually conducted during refueling outages and would be required to be checked if a component, significantly affecting the time response, had been replaced during maintenance.

2. The reliability goals specified in Paragraph 4.2 of Reference 7 are being developed and adequacy of test frequencies will be demonstrated at a later date.

3. The periodic test frequency discussed in Paragraph 4.3 of Reference 7 and specified in the unit Technical Specification is conservatively selected to ensure that equipment associated with protection functions has not drifted beyond its minimum performance requirements. If any protection channel appears to be marginal or requires more frequent adjustments due to unit condition changes, the test frequency is accelerated to accommodate the situation until the marginal performance is resolved.

4. The test interval discussed in Paragraph 5.2, Reference 7, is developed primarily on past operating experience and modified if necessary to ensure that system and subsystem protection is reliably provided. Analytic methods for determining reliability are not used to determine test interval.

7.3.2.5 Evaluation of Compliance with IEEE Std. 344-1971(8) The seismic testing (see Section 7.2.1.10) conforms to the guidelines set forth in Reference 8. 7.3-19

BVPS UFSAR UNIT 1 Rev. 23 7.3.2.6 Summary The effectiveness of the ESF actuation system is evaluated in Section 14, based on the ability of the system to contain the effects of Condition III and IV faults, including loss-of-coolant and steam break accidents. The ESF actuation system parameters are based upon the component performance specifications which are given by the manufacturer or verified by test for each component. Appropriate factors to account for uncertainties in the data are factored into the constants characterizing the system. The ESF actuating system must detect Condition III and IV faults and generate signals which actuate the ESF. The system must sense the accident condition and generate the signal actuating the protection function reliably and within a time determined by and consistent with the accident analyses in Section 14. The order of magnitude of the time for the generation of the actuation signal of ESF actuation system is approximately one second. Much longer times are associated with the actuation of the mechanical and fluid system equipment associated with ESF. This includes the time required for switching, bringing pumps and other equipment to speed and the time required for them to take load. Operating procedures require that the complete ESF actuation system normally be operable. However, redundancy of system components is such that the system operability assumed for the safety analyses can still be met with certain instrumentation channels out of service. Channels that are out of service are to be placed in the tripped mode. 7.3.2.6.1 Loss-of-Coolant (LOCA) Protection By analysis of LOCA and in system tests, it has been verified that except for very small coolant system breaks which can be protected against by the charging pumps followed by an orderly shutdown, the effects of various LOCA's are reliably detected by the low pressurizer pressure signal; the ECCS is actuated in time to prevent of limit core damage. For large coolant system breaks, the passive accumulators inject first because of the rapid pressure drop. This protects the reactor during the unavoidable delay associated with actuating the ECCS phase. High containment pressure also actuates the ECCS providing additional protection as a backup to actuation on low pressurizer pressure. Emergency core cooling actuation can be brought about upon sensing this other direct consequence of a primary system break; that is, the protection system detects the leakage of the coolant into the containment. The generation time of the actuation signal of about 0.8 second, after detection of the consequences of the accident, is adequate. Containment depressurization spray will provide additional emergency cooling of containment and also limit fission product release upon sensing elevated containment pressure (high-high) to mitigate the effects of a LOCA. 7.3-20

BVPS UFSAR UNIT 1 Rev. 23 The delay time between detection of the accident condition and the generation of the actuation signal for these systems is assumed to be about 1.0 second; well within the capability of the protection system equipment. However, this time is short compared to that required for startup of the fluid systems. The analyses in Section 14 show that the diverse methods of detecting the accident condition and the time for generation of the signals by the protection systems are adequate to provide reliable and timely protection against the effects of loss-of-coolant. 7.3.2.6.2 Steam Break Protection The ECCS is also actuated in order to protect against a steam line break. About 1.0 second elapses between sensing low steam line pressure (as well as high steam pressure rate) and generation of the actuation signal. Analysis of steam break accidents assuming this delay for signal generation shows that the ECCS is actuated for steam line break cases in time to limit or prevent further damage. The safety injection signal also initiates reactor trip. Additional protection against the effects of steam break is provided by feedwater isolation which occurs upon actuation of the ECCS. Feedwater line isolation is indicated in order to prevent excessive cooldown of the reactor. Additional protection against a steam break accident is provided by closure of all steam line isolation valves in order to prevent uncontrolled blowdown of all steam generators. The generation of the protection system signal (about 0.8 second) is again short compared to the time to trip the fast acting steam line isolation valves which are designed to close in less than approximately 5 seconds. In addition to actuation of the ESF, the effect of a steam break accident also generates a signal resulting in a reactor trip on overpower T or following ECCS actuation. However, the core reactivity is further reduced by the highly borated water injected by the ECCS. The analyses in Section 14 of the steam break accidents and an evaluation of the protection system instrumentation and channel design shows the ESF actuation systems are effective in preventing or mitigating the effects of a steam break accident. 7.3-21

BVPS UFSAR UNIT 1 Rev. 33 References for Section 7.3

1. J. A. Nay, "Process Instrumentation for Westinghouse Nuclear Supply Systems", WCAP-7671, Westinghouse Electric Corporation (April 1971).

2. "Criteria for Protection Systems for Nuclear Power Generating Stations", IEEE Std. 279-1971, The Institute of Electrical and Electronics Engineers, Inc.

3. D. N. Katz, "Solid State Logic Protection System Description" WCAP-7672, Westinghouse Electric Corporation (June 1971).

4. Deleted by Rev. 0.

5. "Criteria for Class lE Power Systems for Nuclear Power Generating Stations", IEEE Std.

308-1971, The Institute of Electrical and Electronic Engineers, Inc.

6. "IEEE Trial Use Standard: General Guide for Qualifying Class 1 Electrical Equipment for Nuclear Power Generating Stations", IEEE Std. 323-1971, The Institute of Electrical and Electronic Engineers, Inc.

7. "IEEE Trial Use Criteria for the Periodic Testing of Nuclear Power Generating Station Protective Systems", IEEE Std. 338-1971, The Institute of Electrical and Electronic Engineers, Inc.

8. "IEEE Trial Use Guide for Seismic Qualification of Class 1 Electric Equipment for Nuclear Power Generating Stations", IEEE Std. 344-1971, The Institute of Electrical and Electronic Engineers, Inc. (August 11, 1971).

9. J. J. Carey, "Environmental Qualification of Class IE Equipment", Letter to NRC, Duquesne Light Company (October 15, 1981).

10. "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems",

RG-1.47, AEC Regulatory Guide.

11. Duquesne Light Company "Response to the NRC Equipment Qualification Rulemaking (10CFR50.49)" (May 20, 1983).

12. Duquesne Light Company submittal to the NRC on Environmental Qualification of Safety-Related Electrical Equipment (November 29, 1984).

13. V. J. Stello, Jr. (USNRC), BVPS-1 Order Modifying License, letter to S. Schaffer, President, Duquesne Light Company (December 5, 1979).

14. S. A. Varga (USNRC) BVPS-1 Order Modifying License, letter to J. J. Carey (BVPS)

(July 10, 1981). 7.3-22

BVPS UFSAR UNIT 1 Rev. 19 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN The functions necessary for safe shutdown are available from instrumentation channels that are associated with the major systems in both the primary and secondary portions of the nuclear steam supply system (NSSS). These channels are normally aligned to serve a variety of operational functions, including startup and shutdown as well as protective functions. In achieving a safe shutdown, benefit is taken from many of these systems and equipment having multiple functions, and as such there are not identifiable safe shutdown systems per se. Instrumentation systems used for safe shutdown which are specifically safety related are described in Sections 7.2 and 7.3. Prescribed procedures for securing and maintaining the unit in a safe condition can be instituted by appropriate alignment of selected NSSS systems. The discussion of these systems together with the applicable codes, criteria and guidelines is to be found in other sections of the Updated FSAR. In addition, the alignment of shutdown functions associated with the engineered safety features which are invoked under postulated limiting fault situations is discussed in Section 6 and Section 7.3. The instrumentation and control functions which are required to be aligned for maintaining safe shutdown of the reactor that are discussed in this section are the minimum number under nonaccident conditions. (Control room inaccessibility as well as offsite power interruptions during maintaining of hot shutdown are considered as incidents.) These functions will permit the necessary operations that will:

1. Prevent the reactor from achieving criticality in violation of the Technical Specifications

2. Provide an adequate heat sink such that design and safety limits are not exceeded.

7.4.1 Description The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown:

1. Boration with related charging and letdown capability

2. Adequate supply for auxiliary feedwater

3. Residual heat removal.

These systems are identified in the following lists together with the associated instrumentation and controls provisions. The identification of the monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) are those necessary for maintaining a hot shutdown. The equipment and services available for hot shutdown are listed in Section 7.4.1.3, with the equipment and services available for a cold shutdown identified in Section 7.4.1.4. 7.4-1

BVPS UFSAR UNIT 1 Rev. 20 7.4.1.1 Monitoring Indicators The characteristics of these indicators, which are provided outside as well as inside the control room, are described in Section 7.5. The indicators with readouts external to the control room are shown in Table 7.4-1. 7.4.1.2 Controls 7.4.1.2.1 General Considerations

1. The turbine is tripped (note that this can be accomplished at the turbine as well as in the control room).

2. The reactor is tripped (note that this can be accomplished at the reactor trip switchgear as well as in the control room).

3. All automatic systems continued functioning (discussed in Sections 7.2 and 7.7).

4. For equipment having motor controls outside the control room (which duplicate the functions inside the control room), the controls will be provided with a selector switch which transfers control of the switchgear from the control room to a selected local station. Placing the local selector switch in the local operating position will give an annunciating alarm in the control room and will turn off the motor control position lights on the control room panel.

7.4-2

BVPS UFSAR UNIT 1 Rev. 21 7.4.1.2.2 Pumps and Valves

1. AUXILIARY FEEDWATER PUMPS: In the event of a main feedwater pump stoppage due to a loss of electrical power, the auxiliary feedwater pumps start automatically or can be started manually. Pump motor and valve controls located on the shutdown panel (SDP) (as well as being inside the control room) are provided as well as handwheel control for the valves.

2. CHARGING AND BORIC ACID TRANSFER PUMPS: Start/stop motor controls are provided for these pumps. The controls for the charging and boric acid pumps are located on the SDP (as well as in the control room).

3. RIVER WATER PUMPS: These pumps will start automatically following a loss of normal electric power. Start/stop motor controls are located on the shutdown panel as well as inside the control room.

4. COMPONENT COOLING WATER PUMPS: These pumps, energized from the diesel generator, start automatically following a loss of normal electrical power.

Start/stop controls located on the shutdown panel (as well as on the main control board) are provided.

5. REACTOR CONTAINMENT FAN COOLER UNITS: Start/stop motor controls with a selector switch are provided for the fan motors. The controls are located on the shutdown panel as well as inside the control room.

6. CONTROL ROOM VENTILATION UNIT INCLUDING THE CONTROL ROOM AIR INLET DAMPERS: A start/stop switch located just outside the control room is provided for this unit(s). Also, a control to close the inlet air damper(s) is provided. These controls duplicate functions inside the control room.

7.4.1.2.3 Diesels These units start automatically following a loss of normal a-c power. However, manual controls for diesel start-up are also provided locally at the diesel generators (as well as in the control room). 7.4.1.2.4 Valves

1. CHARGING FLOW CONTROL VALVE: Manual control at the shutdown panel is provided for the charging line flow control. These controls duplicate functions available in the control room.

2. LETDOWN ORIFICE ISOLATION VALVES: Open/close controls on the shutdown panel for the letdown orifice isolation valves are grouped with the controls for the charging flow control valve. These controls duplicate functions that are inside the control room.

7.4-3

BVPS UFSAR UNIT 1 Rev. 27

3. AUXILIARY FEEDWATER CONTROL VALVES: These normally open valves may be adjusted from the control room. In addition, remote manual controls are provided on the shutdown panel that duplicate functions that are inside the control room.

4. CONDENSER STEAM DUMP AND ATMOSPHERIC STEAM RELIEF VALVES:

The condenser steam dump and atmospheric relief valves are automatically controlled. Manual operator control is provided on the shutdown panel as well as automatic control inside the control room and in the auxiliary feedwater pump area for the atmospheric relief valves. Steam dump to the condenser is blocked on high condenser pressure.

5. PRESSURIZER HEATER CONTROL: On-off control with selector switches are provided for two backup heater groups. The heater groups are connected to separate buses, such that each can be connected to separate diesels in the event of loss of outside power. The control is grouped with the charging flow controls and duplicates functions available in the control room.

It is noted that the instrumentation and controls listed in Sections 7.4.1.1 and 7.4.1.2 which are critical to achieving and maintaining a safe shutdown are available in the event an evacuation of the control room is required. These controls and instrumentation channels together with the equipment and services identified in Sections 7.4.1.3 and 7.4.1.4 which are available for both hot and cold shutdown identify the potential capability for cold shutdown of the reactor subsequent to a control room evacuation through the use of suitable procedures. Therefore, the applicable requirements of 1971 GDC 19 are met. 7.4.1.3 Equipment and Services Available for Hot Shutdown

1. Auxiliary feedwater pumps - for blackout condition, the auxiliary feedwater pumps start automatically within one minute. (See Section 10 for discussion of pumps)

2. Reactor containment recirculation air cooler units (See Section 5.4 for discussion of coolers)

Note: These units are not available when normal power is not available.

3. Diesel generators - loaded within 1 min. (See Section 8 for discussion of diesels)

4. Lighting in the areas of unit required during this condition (See Section 8 for discussion of lighting)

5. Pressurizer heaters - (See Section 4 for discussion of heaters)

6. Communication network to be available for prompt use between the shutdown panel area and the following areas:

a. Outside telephone exchange

b. Diesel generator building

c. Switchgear room.

7. Boric acid transfer pumps (See Chapter 9) 7.4-4

BVPS UFSAR UNIT 1 Rev. 19

8. Charging pumps (See Chapter 9)

9. River water pumps (See Chapter 9)

10. Component cooling pumps (See Chapter 9)

11. Instrument air compressors (See Chapter 9)

12. Control room ventilation unit and air inlet damper (See Chapter 9)

13. Shutdown panel (See Section 7.8.2).

7.4.1.4 Equipment and Systems Available for Cold Shutdown

1. Reactor coolant pump (see Section 4)(1)

2. Auxiliary feedwater pumps (see Section 10)

3. Boric acid transfer pump (see Section 9)

4. Charging pumps (see Section 9)

5. River water pumps (see Section 9)

6. Containment fans (see Section 5.4)

(Note: These fans are not available when normal power is not available.)

7. Control room ventilation (see Section 9)

8. Component cooling pumps (see Section 9)

(1) (See footnote on page 7.4-6).

9. Residual heat removal pumps (see Section 9)

10. Certain motor control center and switchgear sections

11. Controlled steam release and feedwater supply (see Section 7.7 and Section 10) 12 Boration capability (see Section 9) 13 Nuclear instrumentation system (source range and intermediate range) (see Sections 7.2 and 7.7).

14. Reactor coolant inventory control (charging and letdown) (see Section 9)

15. Pressurizer pressure control including opening control for pressurizer relief valves (heaters and spray) (see Section 4).(1)

For cold shutdown, the safety injection signal trip circuit must be defeated and the accumulator isolation valves closed. 7.4-5

BVPS UFSAR UNIT 1 Rev. 19 (1) Instrumentation and controls for these systems may require some modification in order that their functions may be performed from outside the control room. Note that the reactor plant design does not preclude attaining the cold shutdown condition from outside the control room. An assessment of unit conditions can be made on a long-term basis (a week or more) to establish procedures for making the necessary physical modifications to instrument and control equipment in order to attain cold shutdown. During such time, the unit could be safely maintained at hot shutdown condition. Detailed procedures to be followed in effecting cold shutdown from outside the control room are best determined by unit personnel at the time of the postulated incident. 7.4.2 Analysis Hot shutdown is a stable unit condition, automatically reached following a unit shutdown. The hot shutdown condition can be maintained safely for an extended period of time. In the unlikely event that access to the control room is restricted, the unit can be safely kept at a hot shutdown until the control room can be re-entered by the use of the monitoring indicators and the controls listed in Sections 7.4.1.1 and 7.4.1.2. These indicators and controls are provided outside as well as inside the control room. The safety evaluation of the maintenance of a shutdown with these systems and associated instrumentation and controls has included consideration of the accident consequences that might jeopardize safe shutdown conditions. The accident consequences that are germane are those that would tend to degrade the capabilities for boration, adequate supply for auxiliary feedwater and residual heat removal. The results of the accident analyses are presented in Section 14. Of these, the following produce the most severe consequences, relative to capability of adequate boration, supply for auxiliary feedwater, and/or residual heat removal:

1. Uncontrolled boron dilution

2. Loss of normal feedwater

3. Loss of external electrical load and/or turbine trip

4. Loss of all a-c power to the station auxiliaries (station blackout).

It is shown by these analyses that safety is not adversely affected by these incidents with the associated assumptions being that the instrumentation and controls indicated in Sections 7.4.1.1 and 7.4.1.2 are available to control and/or monitor shutdown. These available systems will allow a maintenance of hot shutdown even under the accident conditions listed above which would tend toward a return to criticality or a loss of heat sink. 7.4-6

BVPS UFSAR UNIT 1 Rev. 26 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5.1 Description Tables 7.5-1 and 7.5-2 list the information readouts provided to the operator to enable him to perform required manual safety functions and to determine the effect of manual actions taken, following a reactor trip. The tables list the information readouts required to maintain the unit in a hot shutdown condition or to proceed to cold shutdown within the limits of the Technical Specifications. Reactivity control after condition II and III faults will be maintained by administrative sampling of the reactor coolant for boron to ensure that the concentration is sufficient to maintain the reactor subcritical. The SPDS was added per NRC Order(1) to address NUREG 0737 Item I.D.2. The major station monitoring systems at the Beaver Valley Power Station are the:

1. Annunciators

2. Status Lights

3. Miscellaneous Recorders and Indicators

4. Computer Data Acquisition and Display Systems Display units for each of the monitoring systems noted above are located in the main control room.

Information on safety-related equipment is provided to the operator by the Sequence of Events Recorder and the Plant Computer System. All abnormal functions related to plant safety or operation, primary and secondary plant, including critical electrical protection trips, will be monitored through the sequence of events recorder. In general, most inputs to the sequence of events recorder are duplicated on the control room annunciators, although in many cases where practical, inputs of a similar nature connected to the sequence of events recorder on an individual basis may be grouped into one input on an annunciator. Annunciators may also have inputs that are not necessarily critical and that will not be duplicated on the events recorder. The plant computer system is for process monitoring only. It does not control any process and it will not alarm unless some process is acting abnormally. The computer is not considered an events recorder. It provides plant data by display devices in the control room. Miscellaneous recorders and indicators are provided to permit startup of the plant in the event that the plant computer is out of service. 7.5-1

BVPS UFSAR UNIT 1 Rev. 26 The annunciator system consists of a large number of window displays segregated into groups generally according to process or function. One group of display windows will have a first out feature, i.e., if a number of alarms on this group are annunciated almost simultaneously a means is provided to indicate which alarm occurred first. The status of all safety-related instrument bistables is monitored by status lights, annunciators and the plant computer. All containment isolation trip valves and safety-related motor-operated valves have their status monitored by lights on the main control board. All safety related switchgear is monitored by indicating lights on the main control board. The control, indicating, alarm and computer inputs derived from the reactor protection system circuits are electrically isolated from the latter by means of isolation amplifiers or equivalent buffering circuits. The isolation amplifiers are contained in the reactor protection circuits. As such, a failure of the output of an isolation amplifier will have no effect on the input circuit. The physical arrangement of indicating lights on the main control board, which are powered direct from safety related circuitry, is such that no single failure can simultaneously affect redundant safety-related circuits. The safety related display instrumentation needed to enable the operator to perform required manual safety functions for post-accident monitoring of Condition II and III events involve the following seven parameters as shown in Table 7.5-1:

1. Tcold or Thot (measured, wide-range)

2. Pressurizer Water Level

3. System Pressure (wide-range)

4. Containment Pressure

5. Steam Line Pressure

6. Steam Generator Water Level (wide range)

7. Steam Generator Water Level (narrow range)

For each of the seven parameters, there are at least two channels of instrumentation, of which, one channel is recorded. 7.5-2

BVPS UFSAR UNIT 1 Rev. 22 The safety-related display instrumentation needed to enable the operator to perform required manual safety functions for post-accident monitoring of Condition IV events involve the following six parameters, as shown in Table 7.5-2:

1. Containment Pressure

2. Refueling Water Storage Tank

3. Steam Generator Water Level (narrow range)

4. Steam Generator Water Level (wide range)

5. Steam Line Pressure

6. Pressurizer Water Level Except for wide-range steam-generator water level, each of the above parameters has at least two channels of instrumentation, of which one channel is recorded. Wide-range steam-generator water level is provided with one channel of instrumentation (one channel per steam generator), which is recorded.

The instrumentation channels which provide the information for the above parameters are powered from the 120 V a-c instrument buses. The instrument buses, being train oriented, are such that two are normally supplied from one emergency bus and the other two from the second emergency bus. 7.5.2 Analysis The information system that provides the signals to the indicators and/or recorders listed in Tables 7.5-1 and 7.5-2 is described in Section 7.2, "Reactor Trip System", with the exceptions of the refueling water storage tank level and the steam generator wide-range water level. The refueling water storage tank level is indicated by four independent single channel systems. Three of the level channels are indicated in the control room and the fourth is recorded. Any one of the four level channels actuates a common alarm in the main control room. Each steam generator water level (wide range) is indicated and recorded by a single channel system. No automatic protection or control functions are provided by these channels. The remaining signals are obtained through isolation amplifiers from the protection channels. This allows the automatic protection system to function independent of any failure of the nonprotection equipment and provides the most reliable means of obtaining the information. As shown in the tables, sufficient duplication of information is provided to ensure that the minimum information required will be available. The information is part of the operational monitoring of the unit which is under surveillance by the operator during normal unit operation. This is functionally arranged on the control board to provide the operator with easily interpretable unit conditions. Comparisons between duplicate information channels or between functionally related channels enables the operator to readily identify a malfunction in a particular channel. 7.5-3

BVPS UFSAR UNIT 1 Rev. 22 There is no basis for assuming that the occurrence of an accident itself degrades the display system; therefore, the status and reliability of the information is known to the operator before, during and after the accident. No special separation is required to ensure necessary and sufficient information availability. In fact, such separation could reduce the operator's ease of interpretation of operating data. The design criteria used in the display system are listed below:

1. Range and accuracy requirements are determined through the analyses of Condition I, II, III or IV faults. The display system meets the following requirements:

a. The range of the readouts extend over the maximum expected range of the variable being measured.

b. The combined indicated accuracies are within the errors assumed in the safety analyses.

2. Power for the display instruments is obtained from the nominal 120 V a-c vital bus system. This system is described in Section 8.

Those channels determined to provide useful information in charting the course of events are recorded. 7.5-4

BVPS UFSAR UNIT 1 Rev. 19 References for Section 7.5

1. Darrell G. Eisenhut (USNRC) - NUREG 0737 Item I.D.2, USNRC Order to J. J. Carey (BVPS) (June 12, 1984).

2. Generic Letter 82-33, 'Supplement 1 to NUREG 0737 - Requirements for Emergency Response Capability' (December 17, 1982).

3. J. J. Carey (BVPS) "Generic Letter 82-33 Supplement 1 to NUREG 0737 Response," to Darrel Eisenhut (USNRC) (April 15, 1983).

7.5-5

BVPS UFSAR UNIT 1 Rev. 19 7.6 ALL OTHER SYSTEMS REQUIRED FOR SAFETY 7.6.1 Residual Heat Removal Isolation Valves The RHR system inlet and discharge isolation valves are normally closed and are only opened for residual heat removal after system pressure is reduced to approximately 400 psig, and system temperature has been reduced to approximately 350 F. Refer to Section 9.3 for details of the RHR system and to Section 9.3.3.2 in particular for the details on the inlet and discharge isolation valve interlocks. 7.6.2 Reactor Coolant System Loop Isolation Valve Interlocks 7.6.2.1 Description The purpose of these interlocks is to ensure that an accidental startup of an unborated and/or cold, isolated reactor coolant loop results only in a relatively slow reactivity insertion rate. The interlocks are required to perform a protective function. Therefore, there are two (2) independent limit switches (one on the stem and one in the motor operator) having contacts that are closed when a valve is fully open, and two (2) independent limit switches having contacts that are closed when a valve is fully closed. Other sets of the limit switch contacts operate the position indicator lights. Another interlock includes two (2) differential pressure switches in each line which bypasses a cold leg loop isolation valve. This is the line which contains the relief line isolation valve. It should be noted that flow through the relief line isolation valve indicates:

1. The valves in the line are open

2. The line is not blocked

3. The pump is running.

7.6.2.2 Analysis For the analysis of this system, see Section 14. Only those interlocks and alarms relating to core protection are described. Those required for coolant pump protection are not part of the protection system. In addition to the interlocks, an alarm is provided to indicate that the bypass valve is not closed. This will give an alarm when all loops are required to be in service and the bypass valve is not fully closed. An alarm is used because, if the bypass valve is opened at full power, the core flow reduction is of the order of 2 to 5 percent and does not result in an immediate DNB problem. 7.6-1

BVPS UFSAR UNIT 1 Rev. 19 7.6.3 Emergency Safety Features Protection Channels Power Supply The 120 v a-c vital bus system, which supplies engineered safety features protection channels, is discussed in Section 8.5.4 and is shown in Figure 8.4-1. 7.6-2

BVPS UFSAR UNIT 1 Rev. 23 7.7 UNIT CONTROL SYSTEMS The general design objectives of the unit control systems are:

1. To establish and maintain power equilibrium between primary and secondary system during steady state unit operation.

2. To constrain operational transients so as to preclude unit trip and re-establish steady state unit operation.

3. To provide the reactor operator with monitoring instrumentation that indicates all required input and output control parameters of the systems and provides the operator the capability of assuming manual control of the system.

7.7.1 Description Table 7.7-1 lists the information available to the operator for monitoring conditions in the reactor, the Reactor Coolant System (RCS), the containment and in the process systems throughout all operating conditions of the unit, including anticipated operational occurrences. The functional design of the BVPS-1 unit control systems was functionally the same as that employed on the Surry Nuclear Power Plant at the time of issuance of the BVPS-1 Operating Licensing. The unit control systems described in this section perform the functions described below. Reactor Control System The reactor control system enables the nuclear plant to accept a step load increase or decrease of 10 percent and a ramp increase or decrease of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump or pressurizer relief valve actuation, subject to possible xenon limitations. This system also maintains reactor coolant average temperature (Tavg) within prescribed limits by creating the bank demand signals for moving groups of full length Rod Cluster Control Assemblies (RCCA) during normal operation and operational transients. Automatic control rod insertion may be used for temperature (Tavg) control. However, rod withdrawal can only be performed manually due to the deletion of the automatic rod withdrawal capability. Manual control of rod operation may be performed at any time within the range of the defined insertion limits. The Tavg control also supplies signals to pressurizer level control and steam dump control. Rod Control System The rod control system provides for reactor power modulation by manual or automatic control (automatic rod insertion only) of full length control rod banks in a preselected sequence and for manual operation of individual banks. 7.7-1

BVPS UFSAR UNIT 1 Rev. 23 Systems for Monitoring and Indicating The following monitoring and indicating systems are provided:

1. Monitoring alarm system alerts the operator if the required core reactivity shutdown margin is not available due to excessive control rod insertion.

2. Control rod position indication system displays rod positions.

3. Monitoring alarm system alerts the operator in the event of control rod deviation exceeding a preset limit.

Unit Control System Interlocks (See Table 7.7-2) Unit control system interlocks are used to prevent further withdrawal of the control banks when signal limits are approached that predict the approach of a DNBR limit or kW/ft limit and inhibit automatic turbine load change as required by the Nuclear Steam Supply Subsystem (NSSS). Pressurizer Pressure Control The pressurizer pressure control maintains or restores the pressurizer pressure to the design pressure (which is well within reactor trip and relief and safety valve actuation setpoint limits) following normal operational transients that induce pressure changes by control (manual or automatic) of heaters and spray in the pressurizer. Also provides steam relief by controlling the pressurizer power relief valves. Pressurizer Water Level Control The pressurizer water level control establishes, maintains and restores pressurizer water level within specified limits as a function of the average coolant temperature. Changes in level are caused by coolant density changes induced by loading, operational and unloading transients. Level changes are produced by charging flow control (manual or automatic) as well as by manual selection of letdown orifices. Maintaining coolant level in the pressurizer within prescribed limits by actuating the charging and letdown system thus provides control of the reactor coolant water inventory. Steam Generator Water Level Control The steam generator water level control establishes and maintains the steam generator water level to within predetermined physical limits during normal operating transients. It also restores the steam generator water level to within predetermined limits at unit trip conditions by regulating the feedwater flow rate. Steam generator water inventory control is manual or automatic through use of feedwater control valves. 7.7-2

BVPS UFSAR UNIT 1 Rev. 22 Steam Dump Control The steam dump control permits steam to be dumped to the condenser as necessary to accommodate excess power generation in the reactor during turbine load reduction transients. It also ensures that stored energy and residual heat are removed following a reactor trip to bring the unit to equilibrium no load conditions without actuation of the steam generator safety valves, maintains the unit at no load conditions, and permits a manually controlled cooldown of the unit. In-Core Instrumentation The in-core instrumentation provides information on the neutron flux distribution and on the core outlet temperatures at selected core locations. 7.7.1.1 Reactor Control System The reactor control system enables the nuclear plant to follow load changes including the acceptance of step load increase or decreases of 10 percent and ramp increases or decreases of 5 percent per minute within the load range of 15 percent to 100 percent without reactor trip, steam dump or pressure relief, subject to possible xenon limitations. The system is also capable of restoring coolant average temperature to within the programmed temperature deadband following a change in load. Manual control rod operation may be performed at any time. The reactor control system controls the reactor coolant average temperature by regulation of control rod bank position. The reactor coolant loop average temperatures are determined from hot leg and cold leg measurements in each reactor coolant loop. There is an average coolant temperature (Tavg) computed for each loop, where: Thot + Tcold Tavg = (7.7-1) 2 The error between the programmed reference temperature (based on turbine first stage pressure) and the median of the average measured temperatures (which is then processed through a lead-lag compensation unit) from each of the reactor coolant loops constitutes the primary control signal as shown in general on Figure 7.7-1 and in more detail on the functional diagrams shown in Figure 7.2-1, sheet 9. The system is capable of restoring coolant average temperature to the programmed value following a change in load. The programmed coolant temperature increases linearly with turbine load from zero power to the full power condition. The Tavg also supplies a signal to pressurizer level control and steam dump control and rod insertion limit monitoring. The temperature channels needed to derive the temperature input signals for the reactor control system are derived from the protection system RTD's. The Tavg and T signals used in the control-grade logic are input into a median signal selector which selects the signal between the highest and lowest values of the three loop inputs. This avoids any adverse plant response caused by a single signal failure. 7.7-3

BVPS UFSAR UNIT 1 Rev. 22 An additional control input signal is derived from the reactor power versus turbine load mismatch signal. This additional control input signal improves system performance by enchancing response. 7.7.1.2 Full Length Rod Control System The full length rod control system is described in Reference 3. The full length automatic rod control system receives rod speed and direction signals from the Tavg control system. The rod speed demand signal varies over corresponding range of 8 to 72 steps/minute depending on the magnitude of the error signal. The rod direction demand signal is determined by the positive or negative value of the error signal. Automatic rod withdrawal capabilities have been disabled for enhanced reactivity management. Manual control is provided to move a control bank in or out at a prescribed fixed speed. Rods are withdrawn (or inserted) in a predetermined programmed sequence by the automatic programming equipment. The manual and automatic controls are further interlocked with the control interlocks (see Table 7.7-2). The shutdown banks are always in the fully withdrawn position during normal operation and are moved to this position at a constant speed by manual control prior to criticality. A reactor trip signal causes them to fall by gravity into the core. There are two shutdown banks. The control banks are the only rods that can be manipulated under automatic control. Each control bank is divided into two groups to obtain smaller incremental reactivity changes per step. All RCCA in a group are electrically paralleled to move simultaneously. There is individual position indication for each RCCA. Power to rod drive mechanisms is supplied by two motor generator sets operating from two separate 480 v, three-phase buses. Each generator is the synchronous type and is driven by a 150 hp induction motor. The a-c power is distributed to the rod control power cabinets through the two series connected reactor trip breakers. The variable speed full length rod control system rod drive programmer affords the ability to insert small amounts of reactivity at low speed to accomplish fine control of reactor coolant average temperature about a small temperature deadband, as well as furnishing control at high speed. A summary of the RCCA sequencing characteristics is given below.

1. Two groups within the same bank are stepped such that the relative position of the groups will not differ by more than one step.

2. The control banks are programmed such that withdrawal of the banks is sequenced in the following order: control bank A, control bank B, control bank C and control bank D. The programmed insertion sequence is the opposite of the withdrawal sequence, i.e., the last control bank withdrawn (bank D) is the first control bank inserted.

7.7-4

BVPS UFSAR UNIT 1 Rev. 23

3. The control bank withdrawals are programmed such that when the first bank reaches a preset position, the second bank begins to move out simultaneously with the first bank. When the first bank reaches the top of the core, it stops, while the second bank continues to move toward its fully withdrawn position. When the second bank reaches a preset position, the third bank begins to move out, and so on. This withdrawal sequence continues until the unit reaches the desired power. The control bank insertion sequence is the opposite.

4. Overlap between successive control banks is adjustable between 0 to 50 percent (0 and 115 steps), with an accuracy of +/-1 step.

5. Rod speeds for control banks are capable of being adjusted between a minimum of 8 steps per min and a maximum of 72 steps per min.

7.7.1.3 Unit Control Signals for Monitoring and Indicating 7.7.1.3.1 Monitoring Functions Provided by the Nuclear Instrumentation The nuclear instrumentation system is described in Reference 2. The power range channels are important because of their use in monitoring power distribution in the core within specified safe limits. They are used to measure reactor power level, axial power imbalance and radial power imbalance. These channels are capable of recording overpower excursions up to 200 percent of full power. Suitable alarms are derived from these signals as will be described below. Basic power range signals are:

1. Total current from a power range detector (four such signals from separate detectors);

these detectors are vertical and have an active length of 10 ft

2. Current from the upper half of each power range detector (four such signals)

3. Current from the lower half of each power range detector (four such signals).

Derived from these basic signals are the following (including standard signal processing for calibration):

4. Indicated nuclear flux (four such signals)

5. Indicated axial flux imbalance, derived from upper half flux minus lower half flux (four such signals).

Alarm functions derived are as follows:

6. Deviation (maximum minus minimum of four) in indicated nuclear power

7. Upper radial tilt (maximum to average of four) on upper-half currents 7.7-5

BVPS UFSAR UNIT 1 Rev. 33

8. Lower radial tilt (maximum to average of four) on lower-half currents.

Nuclear power and axial unbalance is selectable for recording. Indicators are provided on the control board for nuclear power and for axial power imbalance. 7.7.1.3.2 Rod Position Monitoring of Full Length Rods The Rod Position Monitoring of Full Length Rods is described in References 4, 7, 8, 13, and 14. Two separate systems are provided to sense and display control rod position as described below:

1. ANALOG SYSTEM: An analog signal is produced for each RCCA by a linear variable transformer.

Direct continuous readout of every RCCA position is presented to the operator by touch screen displays, without need for operator selection or switching to determine rod position. A rod bottom (rod drop) alarm is provided. Readout of every RCCA position is also available from the in-plant computer (IPC) by selecting the appropriate computer point. A computer point for each RCCA is provided. When the IPC is used as the primary means of rod position indication, administrative controls require the control room staff to continuously display the IPC computer point(s) in the control room.

2. DEMAND POSITION SYSTEM: The demand position system counts pulses generated in the rod drive control system to provide a digital readout of the demanded bank position.

The demand position and analog rod position indication systems are separate systems; each serves as backup for the other. Operating procedures require the reactor operator to compare the demand and analog (actual) readings upon recognition of any apparent malfunction. Therefore, a single failure in rod position indication does not in itself lead the operator to take erroneous action in the operation of the reactor. 7.7.1.3.3 Control Bank Rod Insertion Monitoring When the reactor is critical, the normal indication of reactivity status in the core is the position of the control bank in relation to reactor power (as indicated by the RCS loop T) and coolant average temperature. These parameters are used to calculate insertion limits for the control banks. The purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion. The insertion limit maintains sufficient core reactivity shutdown margin following reactor trip and provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection and limits rod insertion such that acceptable nuclear peaking factors are maintained. Since the amount of shutdown reactivity required for the design shutdown margin following a reactor trip increases with increasing power, the allowable rod insertion limits must be raised (the rods must be withdrawn further) with increasing power. For control banks C and D a parameter which is proportional to power is used as an input to the insertion monitor. This is the delta T between the hot leg and the cold leg, which is a direct function of reactor power. 7.7-6

BVPS UFSAR UNIT 1 Rev. 20 The rod insertion limit monitor is a feature that alerts the operator to a reduced shutdown reactivity situation. Figure 7.7-2 shows a block diagram representation of the control rod bank insertion monitor. The monitor is shown in more detail in the functional diagrams shown in Figure 7.2-1, sheet 9. In addition to the rod insertion monitor for the control banks, an alarm system is provided to warn the operator if any shutdown RCCA leaves the fully withdrawn position. Rod insertion limits are determined by:

1. Determining the allowed rod reactivity insertion at full power consistent with the purposes given above

2. Determining the differential reactivity worth of the control rods when moved in normal sequence

3. Determining the change in reactivity with power level by relating power level to rod position

4. Linearizing the resultant limit curve. All key nuclear parameters in this procedure are measured as part of the initial and periodic physics testing program.

Any unexpected change in the position of the control bank under automatic control, or a change in coolant temperature under manual control, provides a direct and immediate indication of a change in the reactivity status of the reactor. In addition, samples are taken periodically of coolant boron concentration. Variations in concentration during core life provide an additional check on the reactivity status of the reactor, including core depletion. 7.7.1.3.4 Rod Deviation Alarm The demanded and measured rod position signals are displayed on the control board. They are also monitored by the unit computer which provides a visual printout and an audible alarm whenever an individual rod position signal deviates from the bank demand counter by a preset limit. The alarm can be set with appropriate allowance for instrument error and within sufficiently narrow limits to preclude exceeding core design hot channel factors. Figure 7.7-3 is a block diagram of the rod deviation comparator and alarm system. 7.7.1.3.5 Rod Bottom Alarm A rod bottom signal for the full length rods detector interface board in the analog/digital rod position system as described in References 7 and 8, is used to operate a control relay, which generates the "ROD BOTTOM ROD DROP" alarm. 7.7.1.4 Unit Control System Interlocks The listing of the unit control system interlocks, along with the description of their derivations and functions, is presented in Table 7.7-2. It is noted that the designation numbers for these interlocks are preceded by "C". The development of these logic functions is shown in the functional diagrams (Figure 7.2-1, sheets 9 to 16). 7.7-7

BVPS UFSAR UNIT 1 Rev. 23 7.7.1.4.1 Rod Stops Rod stops are provided to prevent abnormal power conditions which could result from excessive control rod withdrawal initiated by either a control system malfunction or operator violation of administrative procedures. Rod stops are the Cl, C2, C3 and C4 control interlocks identified in Table 7.7-2. The C3 rod stop derived from overtemperature T and the C4 rod stop, derived from overpower T are also used for turbine runback, which is discussed below. 7.7.1.4.2 Automatic Turbine Load Runback Automatic turbine load runback is initiated by an approach to an overpower or overtemperature condition. This will prevent high power operation that might lead to an undesirable condition, which, if reached, will be protected by reactor trip. Turbine load reference reduction is initiated by either an overtemperature or overpower T signal. Two out of three coincidence logic is used. A rod stop and turbine runback are initiated when: T > T rod stop for both the overtemperature and the overpower condition. For either condition in general: Trod stop= T setpoint - BP where Bp is a setpoint bias and where Tsetpoint refers to the overtemperature T reactor trip value and the overpower T reactor trip value for the two conditions. The turbine runback is continued until T is equal to or less than Trod stop This function serves to maintain an essentially constant margin to trip. 7.7.1.5 Pressurizer Pressure Control The RCS pressure is controlled by using either the heaters (in the water region) or the spray (in the steam region) of the pressurizer plus steam relief for large transients. The electrical immersion heaters are located near the bottom of the pressurizer. A portion of the heater group is proportionally controlled to correct small pressure variations. These variations are due to heat losses, including heat losses due to a small continuous spray. The remaining (backup) heaters are turned on when the pressurizer pressure controlled signal demands approximately 100 percent proportional heater power. The spray nozzles are located on the top of the pressurizer. Spray is initiated when the pressure controller spray demand signal is above a given setpoint. The spray rate increases proportionally with increasing spray demand signal until it reaches a maximum value. 7.7-8

BVPS UFSAR UNIT 1 Rev. 22 Steam condensed by the spray reduces the pressurizer pressure. A small continuous spray is normally maintained to reduce thermal stresses and thermal shock and to help maintain uniform water chemistry and temperature in the pressurizer. Three power relief valves limit system pressure for large positive pressure transients. In the event of a large load reduction, not exceeding the design unit load rejection capability, the pressurizer power operated relief valves might be actuated for the most adverse conditions, e.g., the most negative Doppler coefficient, and the minimum incremental rod worth. The relief capacity of the power operated relief valves is sized large enough to limit the system pressure to prevent actuation of high pressure reactor trip for the above condition. A block diagram of the pressurizer pressure control system is shown on Figure 7.7-4. 7.7.1.6 Pressurizer Water Level Control The pressurizer operates by maintaining a steam cushion over the reactor coolant. As the density of the reactor coolant changes, with reactor coolant temperature, the steam water interface moves to absorb the variations with relatively small pressure disturbances. The water inventory in the RCS is maintained by the CVCS. During normal unit operation, the charging flow varies to produce the flow demanded by the pressurizer water level controller. The pressurizer water level is programmed as a function of coolant median average temperature. The pressurizer water level decreases as the load is reduced from full load. This is a result of coolant contraction following programmed coolant temperature reduction from full power to low power. The programmed level is designed to match as nearly as possible the level changes resulting from the coolant temperature changes. To control pressurizer water level during startup and shutdown operations, the charging flow is manually regulated from the main control room. A block diagram of the pressurizer water level control system is shown on Figure 7.7-5. 7.7.1.7 Steam Generator Water Level Control Each steam generator is equipped with a three element feedwater flow control system which maintains a programmed water level. The three element feedwater controller regulates the feedwater valve by continuously comparing the feedwater flow signal, the programmed level and the pressure compensated steam flow signal. Continued delivery of feedwater to the steam generators is required as a sink for the heat stored and generated in the reactor following a reactor trip and turbine trip. An override signal closes the feedwater valves when the average coolant temperature is below a given temperature and the reactor has tripped. Manual control of the feedwater control system is available at all times. At low power levels between 0 percent and 20 percent, the steam generator water level can also be controlled automatically by using the feedwater bypass valve which parallels the main feedwater valve. The bypass valve control scheme uses existing steam generator water level, reference water level, and steam flow signals as inputs. A steam generator level error signal is generated and fed into a proportional-plus-integral controller. The controller's output is added to a signal proportional to steam flow; and the resulting signal modulates the position of the bypass feedwater valve to maintain the desired steam generator water level. 7.7-9

BVPS UFSAR UNIT 1 Rev. 23 Additional monitoring of steam generator water level is possible by using the Backup Indicating Panel (BIP) in conjunction with local pressure indicators on main steam instrument lines. Refer to Section 7.8.3 for further description of the BIP and its functions. A block diagram of the steam generator water level control system is shown in Figure 7.7-6. 7.7.1.8 Steam Dump Control The unit is capable of accepting a 50 percent load rejection from full load without reactor trip. The steam dump system is capable of accepting 40 percent of full load steam flow at full load steam pressure. The automatic steam dump system is able to accommodate this abnormal load rejection and to reduce the effects of the transient imposed upon the RCS. By bypassing main steam directly to the condenser, an artificial load is thereby maintained on the primary system. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. If the difference between the reference Tavg (Tref) based on turbine first stage pressure and the lead/lag compensated median Tavg exceeds a predetermined amount, and the interlock mentioned below is satisfied, a demand signal will actuate the steam dump to maintain the RCS temperature within control range until a new equilibrium condition is reached. To prevent actuation of steam dump on small load perturbations, an independent load rejection sensing circuit is provided. This circuit senses the rate of decrease in the turbine load as detected by the turbine first stage pressure. It is provided to unblock the dump valves when the rate of load rejection exceeds a preset value corresponding to a 10 percent step load decrease or a sustained ramp load decrease of 5 percent/minute. Prior to engaging the turbine, heat is generally removed from the Reactor Coolant System by dumping steam to the condenser. Since Tref is not available until the turbine has been placed in service, the steam dump control system is typically run in steam pressure control mode with a constant setpoint corresponding to no-load conditions. This causes Tavg at low power conditions to be slightly higher than program Tavg. This condition has been reviewed(9) and shown to be acceptable. A block diagram of the steam dump control system is shown on Figure 7.7-7. 7.7.1.8.1 Load Rejection Steam Dump Controller This circuit prevents large increase in reactor coolant temperature following a large, sudden load decrease. The error signal is a difference between the lead/lag compensated median Tavg and the reference Tavg is based on turbine first stage pressure. The Tavg signal is the same as that used in the RCS. The lead/lag compensation for the Tavg signal is to compensate for lags in the unit thermal response and in valve positioning. Following a sudden load decrease, Tref is immediately decreased and Tavg tends to increase, thus generating an immediate demand signal for steam dump. Since control rods are available in this situation, steam dump terminates as the error comes within the maneuvering capability of the control rods. 7.7-10

BVPS UFSAR UNIT 1 Rev. 26 7.7.1.8.2 Reactor Trip Steam Dump Controller Following a reactor trip, determined by the presence of the reactor trip breaker open signal, the load rejection steam dump controller is defeated and the reactor trip steam dump controller becomes active. Since control rods are not available in this situation, the demand signal is the error signal between the lead/lag compensated median Tavg and the no load reference Tavg. When the error signal exceeds a predetermined setpoint the first two banks of steam dumps actuate open in a prescribed sequence. As the error signal reduces in magnitude indicating that the reactor coolant system Tavg is being reduced toward the reference no-load value, the dump valves are modulated by the reactor trip controller to regulate the rate of removal of decay heat and thus gradually establish the equilibrium hot shutdown condition. The error signal determines whether a group of valves is to be tripped open or modulated open. In either case, they are modulated when the error is below the trip-open setpoints. 7.7.1.8.3 Steam Header Pressure Controller Residual heat removal is maintained by the steam generator pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine/reactor trip on load rejection. 7.7.1.9 Incore Instrumentation The incore instrumentation system consists of Chromel-Alumel thermocouples at fixed core outlet positions and 50 flux thimbles for movable miniature neutron detectors which can be positioned at the center of selected fuel assemblies, anywhere along the length of the fuel assembly vertical axis. The basic system for insertion of these detectors is shown in Figure 7.7-

8. Sections 1 and 2 of Reference 5 outline the incore instrumentation system in more detail.

The minimum number of operable incore thermocouples for plant operation is defined by Technical Specifications. 7.7.1.9.1 Thermocouples Chromel-Alumel thermocouples are inserted into tubes that penetrate the reactor vessel head through seal assemblies, and terminate at the exit flow end of the fuel assemblies. The thermocouples are provided with a graphite and swage type seal from conduit to head. The thermocouples are supported in guide tubes in the upper core support assembly. The incore thermocouples are monitored by the Train A and B Inadequate Core Cooling (ICC) Monitoring System as described in Section 7.8.4 and can be read on the ICCM graphic displays in the Control Room. A data link from the ICC monitors provide incore thermocouple signals to the plant computer, which includes the Safety Parameter Display System. The incore thermocouples have been environmentally qualified for use in post accident monitoring in accordance with NUREG-0737. 7.7-11

BVPS UFSAR UNIT 1 Rev. 19 7.7.1.9.2 Movable Neutron Flux Detector Drive System Miniature fission chamber detectors can be remotely positioned in retractable guide thimbles to provide flux mapping of the core. See Reference 5 for neutron flux detector parameters. The stainless steel detector shell is welded to the leading end of carbon-steel helical wrap drive cable and to stainless steel or Inconel sheathed coaxial cable. The retractable thimbles, into which the miniature detectors are driven, are pushed into the reactor core through conduits which extend from the bottom of the reactor vessel down through the concrete shield area and then up to a thimble seal table. The thimbles are closed at the leading ends, are dry inside, and serve as the pressure barrier between the reactor water pressure and the atmosphere. Mechanical seals between the retractable thimbles and the conduits are provided at the seal line. During reactor operation, the retractable thimbles are stationary. They are extracted downward from the core during refueling to avoid interference within the core. A space above the seal line is provided for the retraction operation. The drive system for the insertion of the miniature detectors consists basically of drive assemblies, five path rotary transfer operation selector assemblies and ten path rotary transfer selector assemblies as shown in Figure 7.7-8. These assemblies are described in Reference 5. The drive system pushes hollow helical wrap drive cables into the core with the miniature detectors attached to the leading ends of the cables and small diameter sheathed coaxial cables threaded through the hollow centers back to the ends of the drive cables. Each drive assembly consists of a gear motor which pushes a helical wrap drive cable and a detector through a selective thimble path by means of a special drive box and includes a storage device that accommodates the total drive cable length. The leakage detection and gas purge provisions are discussed in Reference 5. Manual isolation valves (one for each thimble) are provided for closing the thimbles. When closed, the valve forms a 2,500 psig barrier. The manual isolation valves are not designed to isolate a thimble while a detector/drive cable is inserted into the thimble. The detector/drive cable must be retracted to a position above the isolation valve prior to closing the valve. A small leak would probably not prevent access to the isolation valves and thus a leaking thimble could be isolated during a hot shutdown. A large leak might require cold shutdown for access to the isolation valve. 7.7.1.9.3 Control and Readout Description The control and readout system provides means for inserting the miniature neutron detectors into the reactor core and withdrawing the detectors while plotting neutron flux versus detector position. The thimbles are distributed nearly uniformly over the core with about the same number of thimbles in each quadrant. The control system consists of two sections, one physically mounted with the drive units, and the other contained in the control room. Limit switches in each transfer device provide feedback of path selection operation. Each gear box drives an encoder for position feedback. One five path operation selector is provided for each drive unit to insert the detector in one of five functional modes of operation. A ten path rotary 7.7-12

BVPS UFSAR UNIT 1 Rev. 30 transfer assembly is a transfer device that is used to route a detector into any one of up to ten selectable paths. A common path is provided to permit cross calibration of the detectors. The control room contains the necessary equipment for control, position indication and flux recording for each detector. Additional panels are provided for such features as drive motor controls, core path selector switches, plotting and gain controls. A "flux-mapping" consists, briefly, of selecting (by panel switches) flux thimbles in given fuel assemblies at various core quadrant locations. The detectors are driven to the top of the core and stopped automatically. An x-y plot (position versus flux level) is initiated with the slow withdrawal of the detectors through the core from top to a point below the bottom. In a similar manner, other core locations are selected and plotted. Each detector provides axial flux distribution data among the center of a fuel assembly. Various radial positions of detectors are then compared to obtain a flux map for a region of the core. The thimbles are distributed nearly uniformly over the core with approximately the same number of thimbles in each quadrant. The number and location of these thimbles have been chosen to permit measurement of local to average peaking factors to an accuracy of +/-5 percent (95 percent confidence). Measured nuclear peaking factors will be increased by 5 percent to allow for this accuracy. An additional increase to the measured nuclear peaking factor for reduced flux thimble availability is discussed in Sections 3.3.7 and 5.1.6 of the Licensing Requirements Manual. If the measured power peaking is larger than acceptable, reduced power capability will be indicated. Operating plant experience has demonstrated the adequacy of the incore instrumentation in meeting the design bases stated. 7.7.1.10 Ultrasonic Feedwater Flow Meter The ultrasonic feedwater flow meter system is used in measuring feedwater flow and calculating thermal power. Nuclear plants are licensed to operate at a specified core thermal power, and the uncertainty of the calculated values of this thermal power determines the probability of exceeding the power levels assumed in the design-basis transient and accident analyses. The ultrasonic feedwater flow meter system provides measurements of feedwater mass flow and temperature yielding a total power uncertainty of +/-0.6% of reactor thermal power. The system consists of an electronic cabinet located in the Process Controls Area, and a measurement section (spool piece) installed in the 26-inch main feedwater header. Ultrasonic feedwater flow meter electronics consist of a digital system controlled by software to employ the ultrasonic transit time method to measure line integral velocities at precise locations with respect to the pipe centerline. The system measures the flight time of acoustic energy pulses to determine the feedwater mass flow rate. Transducers that transmit and receive the pulses are mounted in the measurement section spool piece. Transient time differences between pulses are used to determine the fluid velocity and temperature. An alarm is provided in the control room to alert operators should the system require maintenance (References 10 and 11). 7.7-13

BVPS UFSAR UNIT 1 Rev. 20 The system software was developed and is maintained using a verification and validation program compliant with IEEE standard 7-4.3.2-1990 and ASME standard NQA-2a-1990 (References 10 and 11). The mass flow rate and feedwater temperature is displayed on the local display panel, and transmitted to the plant process computer for use in the calorimetric measurement. 7.7.2 Analysis The unit control systems are designed to ensure high reliability in any anticipated operational occurrences. Equipment used in these systems is designed and constructed to maintain a high level of reliability. Proper positioning of the control rods is monitored in the control room by bank arrangements of the individual position columns meters for each RCCA. A rod deviation alarm alerts the operator of a deviation of one RCCA from the other rods in that bank position. There are also insertion limit monitors with visual and audible annunciation. A rod bottom alarm signal is provided to the control room for each full length RCCA. Four excore long ion chambers also detect asymmetrical flux distribution indicative of rod misalignment. Overall reactivity control is achieved by the combination of soluble boron and rod cluster control assemblies. Long term regulation of core reactivity is accomplished by adjusting the concentration of boric acid in the reactor coolant. Short term reactivity control for power changes is accomplished by the rod control system which automatically moves RCCA's. This system uses input signals including neutron flux, coolant temperature and turbine load. The unit control systems will prevent an undesirable condition in the operation of the unit that, if reached, will be protected by reactor trip. The description and analysis of this protection is covered in Section 7.2. Worst case failure modes of the unit control systems are postulated in the analysis of off-design operational transients and accidents covered in Chapter 14, such as the following:

1. Uncontrolled RCCA withdrawal from a subcritical condition

2. Uncontrolled RCCA withdrawal at power

3. RCCA misalignment

4. Loss of external electrical load and/or turbine trip

5. Loss of all a-c power to the station auxiliaries (station blackout)

6. Excessive heat removal due to feedwater system malfunctions

7. Excessive load increase.

7.7-14

BVPS UFSAR UNIT 1 Rev. 23 These analyses show that a reactor trip setpoint is reached in time to protect the health and safety of the public under these postulated incidents and that the resulting coolant temperatures produce a DNBR well above the design limit. Thus, there will be no cladding damage and no release of fission products to the RCS under the assumption of these postulated worst case failure modes of the unit control system. 7.7.2.1 Separation of Protection and Control Systems In some cases, it is advantageous to employ control signals derived from individual protection channels through isolation amplifiers or isolation devices connected to the protection channel. As such, a failure in the control circuitry does not adversely affect the protection channel. Accordingly, this postulated failure mode meets the requirements of 1967 GDC 22. Test results have shown that a short circuit, open circuit or the application of 120 v a-c or 140 v d-c on the isolated output portion of the circuit (i.e., the non-protective side of the circuit) will not affect the input (protective) side of the circuit. The test voltages used for qualifying the isolation amplifiers (120 v a-c or 140 v d-c) are those normally present in racks, cabinets, control board and computer associated with the isolated signal and could credibly be accidentally connected to the isolated signal terminals. The isolation amplifier prevents these abnormal voltages or fault conditions (short circuits and open circuits) at the isolated (non-protective) location from impairing the protective action when required. The 7300 series isolation devices were qualified by applying a short, 250v d-c and 580v a-c at their outputs. The NUS series isolation devices were qualified by applying a short, 140 VDC and 480 VAC at their outputs. These tests verified that the identified fault voltages applied to the isolation device output did not cause any degradation of protection action as clarified in Reference Numbers 4 and 23 of Section 7.2. Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels are capable of providing the protective action even when degraded by a second random failure. This meets the applicable requirements of Section 4.7 of IEEE Std. 279-1971.(6) The pressurizer pressure channels needed to derive the control signals are physically isolated from the pressure channels used to derive protection signals. Channels of the nuclear instrumentation that are used in the protective system are combined to provide non-protective functions such as signals to indicating or recording devices, the required signals are derived through isolation amplifiers. The loop Tavg and Delta-T channel required inputs to the steam dump system reactor control system, the control rod insertion monitor and the pressurizer level control system are electrically isolated prior to being routed to the control cabinets. A median signal is then calculated for Tavg and Delta-T in the control cabinets utilizing a Median Signal Selector (MSS) for input to the appropriate control systems. For the steam generator water level control system, signals are derived from a Median Signal Selector in each loop. These have been installed in each loop to eliminate IEEE Std. 279-1971 concerns with the steam generator level protection system. This will eliminate a failure of a steam generator level transmitter from affecting the steam generator level system. 7.7-15

BVPS UFSAR UNIT 1 Rev. 25 7.7.2.2 Response Consideration of Reactivity Reactor shutdown with control rods is completely independent of the control functions since the trip breakers interrupt power to the full length rod drive mechanisms regardless of existing control signals. The design is such that the system can withstand accidental withdrawal of control groups or unplanned dilution of soluble boron without exceeding acceptable fuel design limits. Thus, the design meets the applicable requirements of 1967 GDC 31. No single electrical or mechanical failure in the rod control system could cause the accidental withdrawal of a single RCCA from the partially inserted bank at full power operation. The operator could deliberately withdraw a single RCCA in the control bank, this feature is necessary in order to retrieve a rod, should one be accidentally dropped. In the extremely unlikely event of simultaneous electrical failures which could result in single withdrawal, rod deviation would be displayed on the unit annunciator, and the rod position indicators and IPC computer points for rod position would indicate the relative positions of the rods in the bank. Withdrawal of a single RCCA by operator action, whether deliberate or by a combination of errors, would result in activation of the same alarm and the same visual indications. Each bank of control and shutdown rods in the system is divided into two groups of 4 mechanisms each. The rods comprising a group operate in parallel through multiplexing thyristors. The two groups in a bank move sequentially such that the first group is always within one step of the second group in the bank. A definite schedule of actuation or deactuation of the stationary gripper, movable gripper and lift coils of a mechanism is required to withdraw the RCCA attached to the mechanism. Since the four stationary gripper, movable gripper and lift coils associated with the RCCA's of a rod group are driven in parallel, any single failure which could cause rod withdrawal would affect a minimum of one group of RCCA. Mechanical failures are in the direction of insertion or immobility. The identified multiple failure involving the least number of components consists of open circuit failure of the proper two out of sixteen wires connected to the gate of the lift coil thyristors. The probability of open wire (or terminal failure) is 0.016 x 10-6 per hour by MIL-HDB217A. These wire failures would have to be accompanied by failure, or disregard, of the indications mentioned above. The probability of this occurrence is therefore too low to have any significance. Concerning the human element, to erroneously withdraw a single RCCA, the operator would have to improperly set the bank selector switch, the lift coil disconnect switches, and the in-hold-out switch. In addition, the three indications would have to be disregarded or ineffective. Such series of errors would require a complete lack of understanding and administrative control. A probability number cannot be assigned to a series of errors such as these. Such a number would be highly subjective. The rod position indication system provides direct visual displays of each control and shutdown rod assembly position and a signal to the IPC (in-plant computer) for each control and shutdown rod assembly position. When an IPC computer point(s) is used as the primary means of rod position indication, administrative controls require that the IPC computer point(s) be continuously displayed in the control room. The unit computer alarms for deviation of rods from their banks. In addition, a rod insertion limit monitor provides an audible and visual alarm to warn the operator of an approach to an abnormal condition due to dilution. The low-low insertion limit alarm alerts the operator to follow emergency boration procedures. The facility reactivity control systems are such that acceptable fuel damage limits will not be exceeded even in the event of a single malfunction of either system. 7.7-16

BVPS UFSAR UNIT 1 Rev. 22 An important feature of the control rod system is that insertion is provided by gravity fall of the rods. In all analyses involving reactor trip, the single, highest worth RCCA is postulated to remain untripped in its full out position. One means of detecting a stuck control rod assembly is available from the actual rod position information displayed on the control board. The control board position readout for each full length rod, gives the unit operator the actual position of the rod in steps. The indications are grouped by banks (e.g., control bank A, control bank B, etc.) to indicate to the operator the deviation of one rod with respect to other rods in a bank. This serves as a means to identify rod deviation. The unit computer monitors the actual position of all rods. Should a rod be misaligned from the other rods in that bank by more than the limit given in the Technical Specifications, the rod deviation alarm is actuated. Misaligned RCCA's are also detected and alarmed in the control room via the flux tilt monitoring system which is independent of the unit computer. Isolated signals derived from the nuclear instrumentation system are compared with one another to determine if a preset amount of deviation of average power has occurred. Should such a deviation occur, the comparator output will operate a bistable unit to actuate a control board annunciator. This alarm will alert the operator to a power imbalance caused by a misaligned rod. By use of individual rod position readouts, the operator can determine the deviating control rod and take corrective action. Thus the design of the unit control systems meets the applicable requirements of GDC 12 and 1967 GDC 31. The boron system can compensate for all xenon burnout reactivity transients without exception. The rod system can compensate for xenon burnout reactivity transients over the allowed range of rod travel. Xenon burnout transients of larger magnitude must be accommodated by boration or by reactor trip (which eliminates the burnout). The boron system is not used to compensate for the reactivity effects of fuel/water temperature changes accompanying power level changes. The rod system can compensate for the reactivity effects of fuel/water temperature changes accompanying power level changes over the full range from full load to no load at the design maximum load uprate. The boron system (by the use of administrative measures) will maintain the reactor in the cold shutdown state irrespective of the disposition of the control rods. The overall reactivity control achieved by the combination of soluble boron and rod cluster control assemblies meets the applicable requirements of 1967 GDC 27. 7.7-17

BVPS UFSAR UNIT 1 Rev. 23 7.7.2.3 Step Load Changes Without Steam Dump The rod control system restores equilibrium conditions, without a trip, following a plus or minus 10 percent step change in load demand, with a combination of manual and automatic control. Automatic control allows control rod insertion only. With automatic rod withdrawal disabled, control rod withdrawal can only be performed manually. Steam dump is blocked for load decrease less than or equal to 10 percent. A load demand greater than full power is prohibited by the turbine control load limit devices. The rod control system minimizes the reactor coolant average temperature deviation during the transient within a given value and restores average temperature to the programmed setpoint. Excessive pressurizer pressure variations are prevented by using spray and heaters and power relief valves in the pressurizer. The control system will limit nuclear power overshoot to acceptable values following a 10 percent increase in load to 100 percent. 7.7.2.4 Loading and Unloading Ramp loading and unloading of 5 percent per minute can be accepted over the 15 to 100 percent power range with a combination of manual and automatic control without tripping the unit. Automatic control allows control rod insertion only. With automatic rod withdrawal disabled, control rod withdrawal can only be performed manually. The function of the control system is to maintain the coolant average temperature as a function of turbine-generator load. The coolant average temperature increases during loading and causes a continuous insurge to the pressurizer as a result of coolant expansion. The sprays limit the resulting pressure increase. Conversely, as the coolant average temperature is decreasing during unloading, there is a continuous outsurge from the pressurizer resulting from coolant contraction. The pressurizer heaters limit the resulting system pressure decrease. The pressurizer water level is programmed such that the water level is above the setpoint for heater cut out during the loading and unloading transients. The primary concern during loading is to limit the overshoot in nuclear power and to provide sufficient margin in the overtemperature delta-T setpoint. 7.7.2.5 Load Rejection Furnished by Steam Dump System When a load rejection occurs, if the difference between the required temperature setpoint of the RCS and the actual average temperature exceeds a predetermined amount, a signal will actuate the steam dump to maintain the RCS temperature within control range until a new equilibrium condition is reached. The reactor power is reduced at a rate consistent with the capability of the rod control system. Reduction of the reactor power is automatic. The steam dump flow reduction is as fast as rod cluster control assemblies are capable of inserting negative reactivity. The rod control system can then reduce the reactor temperature to a new equilibrium value without causing overtemperature and/or overpressure conditions. The steam dump steam flow 7.7-18

BVPS UFSAR UNIT 1 Rev. 23 capacity is greater than 40 percent of full load steam flow at full load steam pressure, which supports the unit in accepting a 50 percent load rejection from full load without reactor trip. The steam dump flow reduces proportionally as the control rods act to reduce the average coolant temperature. The artificial load is therefore removed as the coolant average temperature is restored to its programmed equilibrium value. The dump valves are modulated by the reactor coolant average temperature signal. The required number of steam dump valves modulate depending upon the magnitude of the temperature error signal resulting from loss of load. 7.7.2.6 Turbine-Generator Trip With Reactor Trip Whenever the turbine-generator unit trips at an operating power level above the P-9 permissive setpoint, the reactor also trips. The unit is operated with a programmed average temperature as a function of load, with the full load average temperature significantly greater than the equivalent saturation pressure of the main steam safety valve setpoint. The thermal capacity of the RCS is greater than that of the secondary system, and because the full load average temperature is greater than the no load temperature, a heat sink is required to remove heat stored in the reactor coolant to prevent actuation of steam generator safety valves for a trip from full power. This heat sink is provided by the combination of controlled release of steam to the condenser and by makeup of cold feedwater to the steam generators. The steam dump system is controlled from the reactor coolant average temperature signal whose setpoint values are programmed as a function of turbine load. Actuation of the steam dump is rapid to prevent actuation of the steam generator safety valves. With the dump valves open, the average coolant temperature starts to reduce quickly to the no load setpoint. A direct feedback of temperature acts to proportionally close the valves to minimize the total amount of steam which is bypassed. The feedwater flow is cut off when the average coolant temperature decreases below a given temperature following the reactor trip or when the steam generator water level reaches a given high level. Additional feedwater makeup is then controlled manually to restore and maintain steam generator water level while assuring that the reactor coolant temperature is at the desired value. Residual heat removal is maintained by the steam header pressure controller (manually selected) which controls the amount of steam flow to the condensers. This controller operates a portion of the same steam dump valves to the condensers which are used during the initial transient following turbine and reactor trip. The pressurizer pressure and water level fall rapidly during the transient because of coolant contraction. The pressurizer low pressure trip setpoint is programmed so that the pressure following the turbine and reactor trip is above the low pressurizer pressure safety injection setpoint. If heaters become uncovered following the trip, they are de-energized and the CVCS will provide full charging flow to restore water level in the pressurizer. Heaters are then turned on to restore pressurizer pressure to normal. 7.7-19

BVPS UFSAR UNIT 1 Rev. 23 The steam dump feedwater control systems are designed to prevent the average coolant temperature from falling below the programmed no load temperature following the trip to ensure adequate reactivity shutdown margin. 7.7-20

BVPS UFSAR UNIT 1 Rev. 33 References for Section 7.7

1. Deleted by Revision 0.

2. J. B. Lipchak and R. A. Stokes, "Nuclear Instrumentation System," WCAP-7669, Westinghouse Electric Corporation (April 1971).

3. A. E. Blanchard and D. N. Katz, "Solid State Rod Control System, Full Length," WCAP-7778, Westinghouse Electric Corporation (December 1971).

4. A. E. Blanchard, "Rod Position Monitoring," WCAP-7571, Westinghouse Electric Corporation (March 1971).

5. J. J. Loving, "In-Core Instrumentation (Flux-Mapping System and Thermocouples),"

WCAP-7607, Westinghouse Electric Corporation (July 1971).

6. "Criteria for Protection Systems for Nuclear Power Generating Stations," IEEE Std. 279-1971, The Institute of Electrical and Electronic Engineers, Inc.

7. "Interface Requirements for the Beaver Valley Unit 1 CERPI System," 00197-ICE-4101, ABB Combustion Engineering Nuclear Operations.

8. "Technical Description for the Beaver Valley Unit 1 CERPI System," 00197-ICE-4403, ABB Combustion Engineering Nuclear Operations.

9. E. A. Dzenis, "Responses to Tavg Variation Questions," Westinghouse Electric Corporation letter, DLC-99-744 (June 17, 1999).

10. FENOC Letter to U.S. Nuclear Regulatory Commission, License Amendment Request Nos. 289 and 161 (Attachment C, Items 6 and 8), Letter Number L-01-006, dated January 18, 2001.

11. Safety Evaluation by the Office of Nuclear Reactor Regulation Related to Amendment Nos. 243 and 122 to Facility Operating License Nos. DPR-66 and NPF-73, Page 5, dated September 24, 2001.

12. NUS Qualification Report EIP-QR-800.

13. "Ovation-based CERPI System Upgrade Functional Requirements Specification", WNA-DS-03383-DLW, Westinghouse Electric Company (June 2015)"

14 "Beaver Valley Unit 1 & 2 Digital Control Systems Ovation Display Design Specification and Implementation Guidelines", WNA--DS-03302-DLW, Westinghouse Electric Company (February 2015) 7.7-21

BVPS UFSAR UNIT 1 Rev. 32 7.8 OPERATING CONTROL STATIONS 7.8.1 Main Control Room Layout The main control room, shown in Figure 7.8-1, is located in the service building between the reactor and the turbine portions of the station. This room is missile protected, independently air-conditioned and protected against radiation as discussed in Sections 7.8.4, 9.13.4 and 11.3. The design and layout of the main control room are such that all controls, instrumentation, displays and alarms required for the safe operation and shutdown of the station are available to the operators in the main control room. The design of the control room meets the requirements of GDC 19. 7.8.2 Shutdown Panel A shutdown panel (SDP) located two floors below the main control room provides the capability for hot shutdown of the unit should the main control room become uninhabitable. Delayed cold shutdown can be effected without access to the main control room; however, this would require manual operation of valves, use of local controls, etc. Provisions have been made to ensure that events leading to the evacuation of the control room will not render the shutdown panel area uninhabitable. It is considered that the event leading to the evacuation of the control room will be the accumulation of a concentration of smoke that would render the control room uninhabitable. Under these conditions, manual operation of control room smoke dampers isolate the control room air-conditioning zone preventing the transfer of smoke to other air-conditioned zones. This ensures that the shutdown panel area will remain habitable because smoke is confined to the control room. Refer to Figure 7.8-2 for a layout of the instrumentation and controls available at the shutdown panel. 7.8.3 Back-up Indicating Panel (BIP) A Backup Indicating Panel, located in the East Cable Vault, and associated equipment in the East and West Cable Vaults, provide indication and controls that can be used as an alternative to normal equipment during some fire scenarios. Transfer switches are installed in the East and West Cable Vault to transfer control or instrument signals from their normal circuit to the BIP. With the control circuit or instrument loop transferred to the BIP, the circuit is disconnected from any cables leading to the Control Room or process racks and is therefore independent of the original fire areas of concern. The BIP a-c distribution panel also provides reliable alternate power to the incore thermocouple reference junction box and to a portable source range drawer, which can be connected to the preamplifier in the East Cable vault to monitor sources range indication in the event all normal source range channels are lost as a result of the fire. 7.8-1

BVPS UFSAR UNIT 1 Rev. 32 A d-c distribution panel, fed from the BIP ac distribution panel via a rectifier, supplies 125-vdc power to the BIP for control of RCGVS vent valves and containment air recirculation cooler inlet isolation valves. The key lock transfer switches which interface with safety related equipment meet all redundancy, separation, and QA requirements for safety related instrumentation and controls as described elsewhere in this chapter. The BIP is not QA Category I. Tables 7.8-1 and 7.8-2 list the equipment and the instrumentation available at the Backup Indication Panel. 7.8.4 Information Display and Recording Alarms and annunciators in the main control room provide the operators with warning of an approach to reactor/turbine trip or unit conditions which might lead to damage of components or unsafe conditions. Other displays and recorders are provided for indication of routine unit operating conditions and for the maintenance of records. Refer to Section 7.5.1 for additional information on the safety related display instrumentation. Consideration is given to the fact that certain systems normally require more attention from the operator. The reactor-turbine control system information is therefore prominently located on the board. Alarms and annunciators in the main control room provide the operators with positive position indications of the pressurizer safety and relief valves. Monitoring system consisting of active and passive acoustic transducers monitor flow through these valves. Signals from the pickups are transmitted via locally mounted charge amplifiers to a cabinet outside the containment. The cabinet contains electronics that generate both position indications and alarms. This information is also fed to the sequence of events recorder. The Inadequate Core Cooling Monitoring System (ICCMS) provides indication of incore thermocouple temperatures, reactor coolant system subcooling margin, and reactor vessel fluid level or relative void content. These parameters are important in detecting imminent or actual degradation of reactor core cooling after an accident. The ICCMS is designed to meet the requirements of NUREG-0737, Item II.F.2 with exceptions described in References 1 and 2. The ICCMS consists of two independent, essentially duplicate trains of microprocessor based electronics. The microprocessors (Train A and B), located in the instrument rack room, process signals from the incore thermocouples, Reactor Coolant System Wide Range pressure and hot leg temperature instruments, reactor coolant pump breaker status contacts, and Reactor Vessel Level Instrumentation System (RVLIS) transmitters, hydraulic isolators and capillary line RTD's. Each train has a Class 1E qualified flat panel graphics display located in the control room. The ICCMS performs the core subcooling monitoring function by comparing the incore thermocouple or reactor coolant loop hot leg temperature with the saturation temperature corresponding to the indicated reactor coolant system pressure. The resulting subcooling margin is indicated on the control room display and a control room alarm is provided when insufficient thermocouple subcooling margin exists. The ICCMS provides control room displays of individual incore thermocouple temperatures, uses the thermocouple temperatures in the subcooling margin calculations, and generates control room alarms when a degraded or inadequate core cooling condition is indicated. 7.8-2

BVPS UFSAR UNIT 1 Rev. 19 The Reactor Vessel Level Instrumentation System (RVLIS) provides the Reactor Vessel fluid level or relative void content. The Reactor Vessel level information, displayed on the ICCMS displays in the control room, is used, along with other available information, to determine the approach to, existence of, or recovery from inadequate core cooling and to detect the presence of a gas bubble or void. The RVLIS is used during gas venting to monitor the venting progress. The RVLIS is designed in accordance with the guidance of NUREG-0737. The system uses measurement of the differential pressure (top to bottom of the Reactor vessel or top of vessel to hot leg) to determine the vessel level. The system consists of two redundant trains of mechanical and electrical equipment. The differential pressure transmitters (three per train) and wide-range pressure transmitter (one per train) are located outside of containment and are connected to the vessel by armored capillary tubing. Two isolators are installed on each of six capillary lines, one near the vessel tap and one outside containment. A manual isolation valve is installed adjacent to each vessel tap prior to the first isolator. The isolator outside containment has a limit switch which actuates in the event the capillary line to the transmitter loses demineralized water with which the line is filled. RTDs on vertical runs of capillary and the thimble guide tube (used for the vessel bottom pressure tap) measure temperature to compensate for density variations. The RTDs, pressure transmitters, and isolators are seismically and environmentally qualified. The vessel level display consists of three values, one for each differential pressure transmitter. The operator may elect to monitor a 30-minute vessel level trend history or the sensor status (operator disabled or off scale) in addition to vessel level. The vessel level from the Train A microprocessor may be recorded on a strip chart recorder located in the control room. The system may be tested and calibrated at any time subject to administrative controls. The electrical equipment is constructed as Class 1E, and seismically (IEEE-344) and environmentally (IEEE-323) qualified. The two trains of equipment are physically separated and powered from independent vital buses such that one train will remain functional following a single failure. Failure of a single train will not result in ambiguity since the trains are redundant in all functions. Existing plant signals powered from a bus different from the microprocessors are isolated by qualified equipment. The Non-1E reactor coolant pump contact-closure inputs are isolated for input to the microprocessor. RVLIS and thermocouple signals to the plant computer are isolated within the microprocessor. The operational status of the sensors is continuously monitored by the microprocessor. Based upon past experience, the equipment in the main control room will operate properly in a room temperature range of 65°F to 85°F. Protective instruments are designed to have no loss of protective function for temperatures up to 120°F. The design of the unit control system includes adequate instrumentation for proper and safe operation at all times. In addition, supplemental information is provided to the operator by the plant computer and the sequence of events recorder which read out in the main control room. They are not required for safe operation of the unit. 7.8-3

BVPS UFSAR UNIT 1 Rev. 26 The primary function of the plant computer is to monitor plant processes and equipment. The plant computer system is configured with redundant central processor units that provide data communications to the display monitors and printers located in the main Control Room, Service Building Process Instrument Room, the Technical Support Center (TSC) and Emergency Operation Facility (EOF) of the Emergency Response Facility. The Safety Parameter Display System (SPDS) provides plant information in a form which allows the operator to analyze and diagnose the cause of abnormality, determine corrective action and monitor plant response. The Safety Parameter Display System is a function included on the In-plant Computer system. The Safety Parameter Display System (SPDS) is designed to display the status of the following six critical safety functions (CSFs) to the operators on the Control Room displays.

1. Sub-criticality Status - for loss-of-sub-criticality, loss-of-core shutdown

2. Core Cooling Status - for inadequate core cooling, degraded core cooling, saturated core cooling

3. Heat Sink Status - for loss-of-secondary heat sink, steam generator overpressure, steam generator high level, loss-of-normal steam release capabilities

4. Vessel Integrity Status - for imminent pressurized thermal shock, anticipated pressurized thermal shock

5. Containment Integrity Status - for high containment pressure, containment flooding, high containment radiation level

6. Inventory Status - for high pressurizer level, low pressurizer level, voids in reactor vessel The sequence of events recorder is used to record the sequence of operation events for abnormal unit conditions and to indicate change in status. The events recorder records off-normal and return to normal events, the time of occurrence and the sequence of occurrence.

The plant computer obtains data by scanning analog and digital signals from sensors monitoring station parameters. It logs data and alarms various off-normal conditions. Monitoring programs are included for surveillance of reactor control and protection systems operation and for nuclear process calculations. 7.8.5 Occupancy Requirements Safe occupancy of the control room envelope (CRE) during abnormal conditions is provided for in the design of the service building. Adequate shielding is used to maintain tolerable radiation levels in the main control room under accident conditions, as discussed in Section 11.3. The main control room is provided with an area radiation monitor and appropriate alarms. Provisions are made to maintain the CRE under a positive ambient pressure to minimize inleakage during a radiological event by supplying the CRE from a filtered air supply on a containment isolation phase B signal or in the event of high activity signal by the control room area monitor. Filtration of outside air is provided by charcoal and high efficiency particulate (HEPA) filters. This is discussed in Section 9.13. Emergency lighting is provided. 7.8-4

BVPS UFSAR UNIT 1 Rev. 32 7.8-5

BVPS UFSAR UNIT 1 Rev. 19 References for Section 7.8

1. J.J. Carey (DLC), "NUREG - 0737, Item II.F.2. ICC Instrumentation System", Letter to S.A. Varga (NRC), (April 24, 1984).

2. J.D. Sieber (DLC), "NUREG - 0737, Item II.F.2., ICC Instrumentation System", Letter to the NRC, (January 12, 1987).

7.8-6

BVPS UFSAR UNIT 1 Rev. 28 7.9 TECHNICAL SUPPORT CENTER (TSC) 7.9.1 Control Room The Station Control Room is the primary location for the assessment and coordination of corrective actions for essentially all emergency conditions. The Control Room is equipped with the readout and controls for all critical plant systems, the readout and assessment aids related to all critical plant systems, the readout and assessment aids related to radiological and meteorological monitoring systems, and access to all Station Communications systems. The Control Room is initially the primary location for accident management and emergency communications until the Technical Support Center is activated. 7.9.2 Emergency Response Facility (ERF) Plant data display equipment has been installed in the Technical Support Center (TSC) and Emergency Operations Facility (EOF) areas within the Emergency Response Facility. NUREG-0696, 1980 has been used as a guide in the engineering, design and installation of this equipment. A dual In-Plant Computer System (IPC) has been installed in the computer room of the Unit 1 Control Room with power supplied from uninterruptible power supplies. A fiber optic communications link is used for communications between the Emergency Response Facility and plant computer. Several independent voice communications systems are provided in the ERF to access the Control Room and various support areas.

1. Technical Support Center (TSC)

Plant variables are available through plant computer workstations and printers.

2. Emergency Operations Facility (EOF)

Plant variables are available through plant computer workstations and printers. 7.9-1

BVPS UFSAR UNIT 1 TABLES FOR SECTION 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 4 Nuclear Instrumentation SYS Source 5655D49 6 3-7-73 Range N-31 Functional Block Diagram Nuclear Instrumentation SYS Intermediate 5655D50 5 6-16-72 Range N-35 Functional Block Diagram Nuclear Instrumentation SYS Power 5655D51 8 3-7-73 Range N-41 Functional Block Diagram Nuclear Instrumentation SYS Auxiliary 5655D52 6 6-12-73 Channels Functional Block Diagram Interconnecting Wiring Diagram 5985D22 7 3-14-72 Interconnecting Wiring Diagram 5985D23 7 3-14-72 4,160V Elementary Diagram Bus 1A 11700-E-5K 9 3-30-73 Undervoltage 4,160V Elementary Diagram Bus 1B 11700-E-5AK 9 3-30-73 Undervoltage 4,160V Elementary Diagram Bus 1C 11700-E-5BL 9 3-30-73 Undervoltage Elementary Diagram 11700-E-11BP 1 2-21-72 Misc. Ckts. Sheet 61 7 Safeguards Test Cabinet Sheet 1 7241D67 3 12-1-72 Safeguards Test Cabinet Sheet 3 7241D67 3 12-1-72 Safeguards Test Cabinet 7241D67 3 12-1-72 Sheet 4 Safeguards Test Cabinet 7241D67 3 12-1-72 Sheet 5 1 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 7 Safeguards Test Cabinet Sheet 6 7241D67 3 12-1-73 Safeguards Test Cabinet Sheet 7 7241D67 2 10-25-72 Safeguards Test Cabinet Sheet 8 7241D67 3 12-1-72 Safeguards Test Cabinet Sheet 9 7241D67 Safeguards Test Cabinet Sheet 10 7241D67 3 12-1-72 Safeguards Test Cabinet Sheet 11 7241D67 3 12-1-72 Safeguards Test Cabinet Sheet 12 7241D67 3 12-1-72 Safeguards Test Cabinet Sheet 13 7241D67 3 12-1-72 8 Switch Contact Diagram Sheet 2 11700-E-3B 10 2-27-73 4,160V Elementary Diagram Bus lA 11700-E-5B 10 2-15-73 Supply ACB41A 4,160V Elementary Diagram Stub Bus Tie 11700-E-5DD 6 3-30-73 ACB-lE5 4,160V Elementary Diagram Low Head 11700-E-5DH 6 11-1-72 Safety Inj. PP(SI-P-lA) 4,160 Elementary Diagram Outside Recirc. 11700-E-5DM 7 2-27-73 Spray PP(RS-P-2A) 4,160V Elementary Diagram Pri. Comp. 11700-E-5DP 7 9-23-72 Cool PP. CC-P-lA 2 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 8 4,160V Elementary Diagram Charging PP 11700-E-5DQ 8 2-28-73 Hi Head SAF. Inj. (CH-P-lA) 4,160V Elementary Diagram Stm. Gen. 11700-E-5DT 2 2-28-73 Aux. Feedpump (FW-P-3A) 4,160V Elementary Diagram Stub Bus Tie 11700-E-5ED 6 3-30-73 ACB-lF5 4,160V Elementary Diagram Low Head 11700-E-5EG 6 11-1-72 Safety Inj. PP. (SI-P-lB) 4,160V Elementary Diagram Charging PP 11700-E-5EL 8 3-5-73 HI Head Saf. Inj. (CH-P-lB) 7 4,160V Elementary Diagram 11700-E-5EM 6 10-24-72 4,160V Elementary Diagram Pri. Comp. 11700-E-5EP 7 9-23-72 Cool PP CC-P-lB 4,160V Elementary Diagram Pri. Comp 11700-E-5EQ 8 2-28-73 Cool PP CC-P-lC Sheet 1 4,160V Elementary Diagram Pri. Comp 11700-E-5ER 7 9-23-72 Cool PP CC-P-lC Sheet 2 4,160 Elementary Diagram Stm. Gen. Aux. 11700-E-5EU 2 2-28-73 Feed Pump (FW-P-3B) Elementary Diagram 11700-E-6C 7 7-6-72 480V Swgr. - Powerhouse Sheet 3 Elementary Diagram 11700-E-6AA 7 1-3-73 480V Swgr. - Emerg. Bus Swgr. Sheet 25 3 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 7 Elementary Diagram 11700-E-6AE 5 9-25-72 480V Swgr. - Emerg. Bus Swgr. Sheet 29 Elementary Diagram 11700-E-6AG 5 9-21-72 480V Swgr. - Emerg. Bus Swgr. Sheet 31 Elementary Diagram 11700-E-6BH 13 4-25-73 480V MCC Ckts. Sheet 8 Elementary Diagram 11700-E-6BJ 8 11-1-72 480V MCC Ckts. Sheet 9 Elementary Diagram 11700-E-6BR 10 3-7-73 480V MCC Ckts. Sheet 16 Elementary Diagram 11700-E-6BS 8 11-22-72 480V MCC Ckts. Sheet 17 Elementary Diagram 11700-E-6BT 9 11-22-72 480V MCC Ckts. Sheet 18 Elementary Diagram 11700-E-6BU 6 7-7-72 480V MCC Ckts. Sheet 19 Elementary Diagram 11700-E-6BV 8 11-1-72 480V MCC Ckts. Sheet 20 Elementary Diagram 11700-E-6BW 5 10-10-72 480V MCC Ckts. Sheet 21 4 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 7 Elementary Diagram 11700-E-6CC 4 9-29-72 480V MCC Ckts. Sheet 27 Elementary Diagram 11700-E-6CG 6 4-25-73 480V MCC Ckts. Sheet 31 Elementary Diagram 11700-E-6CK 7 12-29-72 480V MCC Ckts. Sheet 34 Elementary Diagram 11700-E-6CX 2 1-5-73 480V MCC Ckts. Sheet 46 Elementary Diagram 11700-E-6DF 5 5-20-73 480V MCC Ckts. Sheet 54 Elementary Diagram 11700-E-6DH 7 4-25-73 480V MCC Ckts. Sheet 56 Elementary Diagram 11700-E-6DJ 4 1-9-73 480V MCC Ckts. Sheet 57 Elementary Diagram 11700-E-6DK 3 10-10-72 480V MCC Ckts. Sheet 58 Elementary Diagram 11700-E-9A 4 1-11-73 Turbine Controls Sheet 1 Elementary Diagram 11700-E-9B 4 1-11-73 Turbine Controls Sheet 2 Elementary Diagram 11700-E-llF 6 2-14-73 Misc. Ckts. Sheet 6 5 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 7 Elementary Diagram 11700-E-llG 6 2-14-73 Misc. Ckts. Sheet 7 Elementary Diagram 11700-E-llH 7 11-22-72 Misc. Ckts. Sheet 8 Elementary Diagram 11700-E-llJ 6 4-25-73 Misc. Ckts. Sheet 9 Elementary Diagram 11700-E-llM 5 11-22-72 Misc. Ckts. Sheet 12 Elementary Diagram 11700-E-llN 7 4-25-73 Misc. Ckts. Sheet 13 Elementary Diagram 11700-E-llQ 4 11-22-72 Misc. Ckts. Sheet 15 Elementary Diagram 11700-E-llR 8 2-14-73 Misc. Ckts. Sheet 16 Damper Motors - Vent Sys. Bldg. Service Exh. Elementary Diagram 11700-E-llV 3 3-12-73 Misc. Ckts. Sheet 20 Elementary Diagram 11700-E-llW 3 2-14-73 Misc. Ckts. Sheet 21 Elementary Diagram 11700-E-llX 6 4-25-73 Misc. Ckts. Sheet 22 Elementary Diagram 11700-E-llAM 4 11-22-72 Misc. Ckts. Sheet 36 6 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 7 Elementary Diagram 11700-E-llAN 4 12-28-72 Misc. Ckts. Sheet 37 Elementary Diagram 11700-E-llAP 4 12-28-72 Misc. Ckts. Sheet 38 Elementary Diagram 11700-E-llAQ 5 4-2-73 Misc. Ckts. Sheet 39 Elementary Diagram 11700-E-llAR 5 12-28-72 Misc. Ckts. Sheet 40 Elementary Diagram 11700-E-llAS 4 11-22-72 Misc. Ckts. Sheet 41 Elementary Diagram 11700-E-llAZ 5 2-14-73 Misc. Ckts. Sheet 47 Elementary Diagram 11700-E-llBA 5 2-14-73 Misc. Ckts. Sheet 48 Elementary Diagram 11700-E-llBB 4 3-12-73 Misc. Ckts. Sheet 49 Elementary Diagram 11700-E-llBC 3 9-19-72 Misc. Ckts. Sheet 50 Elementary Diagram 11700-E-llBE 4 3-12-73 Misc. Ckts. Sheet 52 Elementary Diagram 11700-E-llCP 1 11-1-72 Misc. Ckts. Sheet 85 7 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 9 4,160V Elementary Diagram 11700-E-5DB 7 2-27-73 Aux. Diesel Gen. No. 1 ACB 4,160V Elementary Diagram 11700-E-5DG 6 10-18-72 Residual Heat Removal PP. (RH-P-lA) 4,160V Elementary Diagram 11700-E-5DJ 7 2-27-73 River Water Pump (WR-P-lA) 4,160V Elementary Diagram 11700-E-5EB 7 2-28-73 Aux. Diesel Gen. No. 2 ACB 4,160V Elementary Diagram 11700-E-5EF 6 10-18-72 Residual Heat Removal PP. (RH-P-lB) 4,160V Elementary Diagram 11700-E-5EH 7 2-28-73 River Water Pump (WR-P-lB) 4,160V Elementary Diagram 11700-E-5EJ 8 2-28-73 River Water Pump (WR-P-lC) Sheet 1 Elementary Diagram 11700-E-6U 9 1-9-73 480V Swgr. - Emerg. Bus Swgr. Sheet 19 Elementary Diagram 11700-E-6W 9 10-21-72 480V Swgr. Powerhouse & Emerg. Bus Sheet 21 Elementary Diagram 11700-E-6AB 10 9-22-72 480V Swgr. Emerg. Bus Swgr. Sheet 26 Elementary Diagram 11700-E-6AH 7 1-19-73 480V Swgr. Emerg. Bus Swgr. Sheet 32 Elementary Diagram 11700-E-6AJ 480V Swgr. Emerg. Bus Swgr. Sheet 33 8 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 9 Elementary Diagram 11700-E-6AL 5 1-22-73 480V Swgr. Emerg. Bus Swgr. Sheet 35 Elementary Diagram 11700-E-6BD 9 3-7-73 480V MCC Ckts. Sheet 4 Elementary Diagram 11700-E-6CA 7 4-2-73 480V MCC Ckts. Sheet 25 Elementary Diagram 11700-E-6CL 6 3-7-73 480V MCC Ckts. Sheet 35 Elementary Diagram 11700-E-6CQ 6 2-9-73 480V MCC Ckts. Sheet 39 Elementary Diagram 11700-E-6CS 6 3-19-73 480V MCC Ckts. Sheet 41 Elementary Diagram 11700-E-6DC 6 4-25-73 480V MCC Ckts. Sheet 51 Elementary Diagram 11700-E-6DM 7 3-7-73 480V MCC Ckts. Sheet 60 Elementary Diagram 11700-E-6DN 3 6-16-72 480V MCC Ckts. Sheet 61 Elementary Diagram 11700-E-6DP 5 3-7-73 480V MCC Ckts. Sheet 62 Elementary Diagram 11700-E-6DQ 4 3-7-73 480V MCC Ckts. Sheet 63 9 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 9 Elementary Diagram 11700-E-6DW 7 3-7-73 480V MCC Ckts. Sheet 69 Elementary Diagram 11700-E-6DY 6 1-10-73 480V MCC Ckts. Sheet 71 Elementary Diagram 11700-E-6ED 1 3-7-73 480V MCC Ckts. Sheet 76 Elementary Diagram 11700-E-llE 6 1-19-73 Misc. Ckts. Sheet 5 Elementary Diagram 11700-E-llT 4 5-3-72 Misc. Ckts. Damper Motors - Fuel Bldg. Sheet 18 Elementary Diagram 11700-E-llAT 6 3-19-73 Misc. Ckts. Sheet 42 Elementary Diagram 11700-E-llBQ 5 3-12-73 Misc. Ckts. Sheet 62 Elementary Diagram 11700-E-llCT 1 3-26-73 Misc. Ckts. Sheet 89 Elementary Diagram 11700-E-12A 6 3-12-73 Diesel Automatic Loading Ckts. Sheet 1 Elementary Diagram 11700-E-12B 7 3-12-73 Diesel Automatic Loading Ckts. Sheet 2 10 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-1 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1001* Tab Title Drawing No. Revision Date 9 Elementary Diagram 11700-E-12AF 6 2-6-73 Misc. Ckts. Diesel Gen. No. 1 and No. 2 Sheet 1 Elementary Diagram 11700-E-12AG 6 4-2-73 Misc. Ckts. Diesel Gen. No. 1 and No. 2 Sheet 2

• These drawings are part of the "Safety Related Schematic Diagrams," Duquesne Light Company Topical Reports DLC-TR-1001 and DLC-TR-1002 (Proprietary), that were submitted to the AEC on May 15, 1973. This Safety Related Schematic Diagrams Index of Drawings is maintained for historical record purposes and will not be updated. (For a cross-reference to updated drawings, see drawing RE-21EZ.)

11 of 11

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 5 T/Tavg Control Block 5656D70 5 8-17-71 Diagram Sheet 1 Steam Dump Control System 5656D70 4 8-17-71 Block Diagram Sheet 2 Tavg - Protection System Block 5656D70 4 8-17-71 Diagram Sheet 3 Pressurizer Level Control Protection 5656D70 5 8-17-71 Block Diagram Sheet 4 Pressurizer Pressure Protection Control 5656D70 5 8-17-71 Block Diagram Sheet 5 Steam Generator Level Control 5656D70 4 8-17-71 Protection System Block Diagram Sheet 6 Steam Break Protection Block Diagram 5656D70 3 8-17-71 Sheet 7 Loop Isolation Valve 4.4 3-6-70 Temp. Interlock Reactor Coolant Flow (Protection) 4.5 4-22-68 Reactor Coolant Flow Tag 4.6 4-22-68 Numbers (Protection) 10 Logic Diagram Symbols 11700-LSK-0-1A 6 2-21-72 A,B,C 1B,1C Turbine Trips 11700-LSK-1-2A 2 5-18-73 A,B,C,D,E,F,G,H 2B,2C,2D,2E,2F, 2G,2H Digital Symbols 11700-LSK-0-1A 5 10-26-71 Analog Symbols 11700-LSK-0-1B 5 10-26-71 1 of 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 10 Radiator Monitors - Air 11700-LSK-3-1A 4 11-18-72 Ejector, A,B 1B Digital Symbols 11700-LSK-0-1A 5 10-26-71 Analog Symbols 11700-LSK-0-1B 5 10-26-71 Demineralized Water 11700-LSK-3-3A Storage Tanks Digital Symbols 11700-LSK-0-1A 6 2-21-72 Analog Symbols 11700-LSK-0-1B 6 2-21-72 General Notes 11700-LSK-0-1C 6 2-21-72 Steam Generator Feed Pump Start, 11700-LSK-5-8A, 4 5-10-73 Stop and Discharge Valves A,B,C B,C Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 1B,1C Auxiliary Feed Pump - Turbine Driven 11700-LSK-5-13B 5 4-25-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 1B,1C Steam Bypass System 11700-LSK-11-14A 5 5-17-73 B,C,D,E,F,G,H,J,K Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 1B,1C Component Cooling Pump 11700-LSK-12-7A 2 3-13-73 A,B,C,D 7B,7C,7D Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 1A,1B,1C Component Cooling System Surge 11700-LSK-12-11A 3 5-15-73 Tank Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 1A,1B,1C 2 of 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 10 Pressure & Temperature Control 11700-LSK-12-12A 12B 3 5-1-73 Component Cooling System Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 1A,1B,1C Main Steam Line Trip and Bypass Valves 11700-LSK-15-2A 1 5-3-73 A,B,C,D 2A,2B,2C,2D Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Component Cooling System Surge Tank 11700-LSK-12-112 3 5-15-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Component Cooling System Pressure & 11700-LSK-12-12A 3 5-1-73 Temperature Control Radiation Monitors 11700-LSK-12-12B 3 5-1-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Main Steam Line Trip and Bypass Valves 11700-LSK-15-2A 1 5-3-73 A,B,C,D 2B,2C,2D Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 River Water Pumps and Valves 11700-LSK-17-1A 2 4-5-73 A,B,C,D,E,F 1B,1C,1D,1E,1F Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Air Conditioning & Refrigeration Control 11700-LSK-21-1A 2 5-9-73 Room A,B,C,D,E,F 1B,1C,1D,1E,1F Process Cooling Safeguards Area 3 5-1-73 Digital, Analog Symbols, A,B 11700-LSK-0-1A 6 2-21-73 Process Cooling System Auxiliary Building 11700-LSK-21-11 4 3-5-73 Digital, Analog Symbols, A,B 11700-LSK-0-1A 6 2-21-73 Containment Air Recirculation A,B,C 11700-LSK-21-15A, 3 3-2-73 15B,15C 3 of 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 10 Digital, Analog Symbols, A,B 11700-LSK-0-1A 6 2-21-73 Ventilation System CRDM Shroud 11700-LSK-21-16A 3 3-5-73 A,B,C 16B,16C Ventilation System Leak Collection 11700-LSK-21-18A 4 5-11-73 A,B,C,D,G 18B,18C,18D,18G Radiation Monitor E,F 11700-LSK-21-18E 18F 4 5-11-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Containment Purge and Exhaust 11700-LSK-21-19A 3 5-16-73 A,B,C,D 19B,19C,19D Radiation Monitors E,F 11700-LSK-21-19E 19F 3 5-16-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 Service Transformer Protection A,B 11700-LSK-22-3.1A 1B 2 4-23-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 4,160V Power System - Normal 11700-LSK-22-4A, 2 4-25-73 A,B,C,D,E,F 4B,4C,4D,4E,4F Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 4,160V Power System Emergency 11700-LSK-22-5A 2 4-23-73 A,B,C,D,E 5B,5C,5D,5E Diesel Generator Starting A,B,C 11700-LSK-22-6A 6B,6C 1 5-18-73 Diesel Generator 1 Breaker lE9 D,E,F 11700-LSK-22-6D 6E,6F 1 5-18-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 480V Power System A, 11700-LSK-22-7A 2 5-3-73 B,C,D 7B,7C,7D Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 480V Emergency Power System 11700-LSK-22-81 1 4-23-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-72 4 of 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 10 Pressurizer Control A,B, 11700-LSK-25-6A 3 5-15-73 C,D,E,F,G,H,I,J,K,L 6B,6C,6D,6E,6F,6G6H,6I

                                            ,6J,6K,6L Digital, Analog Symbols, Notes A,B,C     11700-LSK-0-1A              6   2-21-72 Residual Heat Removal System A,B,C       11700-LSK-25-7A,            4   4-19-73 7B,7C Digital, Analog Symbols A,B              11700-LSK-0-1A              5   10-26-71 Neutron Shield Tank Cooling              11700-LSK-25-8A             2   11-8-72 Digital, Analog Symbols A,B              11700-LSK-0-1A              6   10-26-71 Charging Pumps A,B,C,D,E                 11700-LSK-26-1A,            2   1-29-73 1B,1C,1D,1E Digital, Analog Symbols A,B              11700-LSK-0-1A              5   10-26-71 Low Head Safety Injection Pumps          11700-LSK-26                1   1-29-73 Digital, Analog Symbols, Notes A,B,C     11700-LSK-0-1A              6   2-21-72 Boric Acid Transfer                      11700-LSK-26-6A 6B          2   5-15-73 Pumps A,B Digital, Analog Symbols, Notes A,B,C     11700-LSK-0-1A              6   2-21-72 Inside Recirculation Spray Pumps         11700-LSK-27-1A             3   5-1-73 Outside Recirculation Spray Pumps        11700-LSK-27-1B             3   5-1-73 Outside Recirculation Spray Pump 11700-LSK-27-1C                     3   5-1-73 Suction and Discharge Valves Digital, Analog Symbols, Notes A,B,C     11700-LSK-0-1A              6   2-21-73 Quench Pumps                             11700-LSK-27-9A             3   4-11-73 Quench Pump Suction and Discharge 11700-LSK-27-9B                    3   4-11-73 Valves Digital, Analog Symbols, Notes A,B,C     11700-LSK-0-1A              6   2-21-73 5 of 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 10 Containment Vacuum System A,B,C 11700-LSK-27-10A 2 5-15-73 10B,10C Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Containment Depressurization & 11700-LSK-27-12A 12B 3 5-4-73 Containment Isolation Sig. Initiation System A,B Digital, Analog Symbols Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Sealed System Vacuum Pump 11700-LSK-27-13A 3 5-8-73 Containment Leakage Monitoring System Safety Injection and Containment 11700-LSK-27-16A 2 1-10-72 A,B,C,D,E,F,G 16B,16C,16D,16E, 16F,16G Digital Symbols 11700-LSK-0-1A 6 2-21-73 Chemical Addition Tank 11700-LSK-29-4A 3 3-30-73 and Pump Refueling Water Chemical Addition 11700-LSK-29-4B 3 3-30-73 Valve Digital, Analog Symbols A,B 11700-LSK-0-1A,1 6 2-21-73 Refueling Water Refrigeration Unit 11700-LSK-29-5A 3 3-6-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Refueling Water Recirculation Pumps 11700-LSK-29-6A 3 5-1-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Primary Water Supply Pumps 11700-LSK-33-18A 3 5-9-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Reactor Containment Sump Pumps 11700-LSK-34-2A, 2B 2 5-7-73 A,B Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Primary Drains Transfer Pumps A,B 11700-LSK-34-3A 3B 3 4-25-73 6 of 7

BVPS UFSAR UNIT 1 Rev. 19 Table 7.1-2 (CONTD) SAFETY RELATED SCHEMATIC DIAGRAMS INDEX OF DRAWINGS DLC-TR-1002* Tab Title Drawing No. Revision Date 10 Digital, Analog Symbols A,B 11700-LSK-0-1A, lB 6 2-21-73 Safeguards Area Sump Pumps 11700-LSK-34-A 2 2-10-73 Auxiliary Building Sump Pumps "North" 11700-LSK-34-7A 2 2-10-73 Digital, Analog Symbols, Notes A,B,C 11700-LSK-0-1A 6 2-21-73 Transfer Tank and Pumps 11700-LSK-34-9A 3 5-11-73 (Outside Containment)

• These drawings are part of "Safety Related Schematic Diagrams," Duquesne Light Company Topical Report DLC-TR-1002 (Proprietary) that were submitted to the AEC on May 15, 1973.

This Safety Related Schematic Diagrams Index of Drawings is maintained for historical record purposes and will not be updated. 7 of 7

BVPS UFSAR UNIT 1 Rev. 23 Table 7.2-3 REACTOR TRIP SIGNAL SYSTEM TOTAL ALLOWANCES See (1) Reactor Trip and ESF Signal Allowance Note

1. Power range neutron flux, high setpoint 5.8 low setpoint 8.3

2. Power range neutron flux, high positive rate ---- 2

3. Intermediate range neutron flux ---- 2

4. Source range neutron flux ---- 2

5. Overtemperature delta T 5.9

6. Overpower delta T 4.1

7. Pressurizer pressure low reactor trip 3.1

8. Pressurizer pressure high 4.4

9. Pressurizer water level high ---- 2

10. Loss of RCS flow 2.7

11. Not Used ----

12. Steam generator water level low-low (for SLB) 19.6 (for LONF) 14.6 (for Large FLB) 19.6 (for S/I FLB) 19.6

13. Not Used ----

14. Containment pressure high, 4.2 intermediate high-high 3.3 high-high 2.2

15. Pressurizer pressure low, SI 14.4

16. Steamline pressure low 3.9

17. Negative steamline pressure rate ---- 2

18. Steam generator water level high-high 9.0 1 of 2

BVPS UFSAR UNIT 1 Rev. 24 Table 7.2-3 (CONTD) REACTOR TRIP SIGNAL SYSTEM TOTAL ALLOWANCES See Reactor Trip and ESF Signal Allowance(1) Note

19. RWST level extreme low 2.7 (High) 4.0 (Low)

20. Undervoltage RCP ---- 2

21. Underfrequency RCP 0.5 Hz

22. 4.16 Emergency bus undervoltage, trip feed, start diesel ---- 2

23. 4.16 Emergency bus undervoltage (degraded voltage) ---- 2

24. 480 Volt emergency bus undervoltage (degraded voltage) ---- 2

25. Auto stop oil pressure low ---- 2 NOTES:

1. In percent span

2. Not used in safety analysis

3. All uncertainties have been accounted for in the determination of reactor trip and ESF setpoints (Reference WCAP-11419-P, Revision 6).

2 of 2

BVPS UFSAR UNIT 1 Rev. 19 Table 7.2-4 SEISMIC QUALIFICATION OF STONE & WEBSTER ESF SYSTEMS AND EMERGENCY POWER SYSTEMS (Note: All Seismic Considerations are Transmitted in Specification attachment No. 6.) Calculation or Equipment Test Results Containment Vibration Test Results Pressure Submitted and Approved Transmitters Rack Mounted Vibration Test Results Modules For Submitted and Approved Containment Pressure Channels Containment Static Analysis Submitted Isolation And Approved Trip Valves Pressure Vibration Test Results Indicators Submitted And Approved and Switches Temperature Vibration Test Results Indicators and Submitted and Approved Switches 4 kv Motors Calculation Approved 7/10/72 Diesel Generator Set Calculation Approved 4/11/73 4 kv Switchgear Approved 480v Unit Substation Certified 7/25/79 5kv Power Cable Not Required Motor Control Centers Test Approved 9/23/71 Main Control Board Calculation Approved 3/26/73 1 of 2

BVPS UFSAR UNIT 1 Rev. 19 Table 7.2-4 (CONTD) SEISMIC QUALIFICATION OF STONE & WEBSTER ESF SYSTEMS AND EMERGENCY POWER SYSTEMS (Note: All Seismic Considerations are Transmitted in Specification attachment No. 6.) Calculation or Equipment Test Results 600v Power Cable Not Required 1,000v Control Cable Not Required Cable Trays Calculation Approved 3/25/71 Penetrations Calculation Approved 3/6/71 600v Instrument Cable Not Required 125v Battery Charger 1-4 Test Approved 1/24/73 125v Batteries 1-4 Calculations Approved 1/25/73 125v Battery Switchgear Test Approved 1/10/73 Free Standing Power Calculation Approved 3/28/73 Distribution Panels Surface Mounted Approved by Calculation 5/3/73 Power Distribution Panels and 5/24/73 Category I Heat Tracing Approved Triax Cable Not required Inverters (4Ps) Approved Miscellaneous Relay Approved Panels - Category 1 Transfs. - Category 1 Approved ac Distribution Cabinets - Calculation Approved 8/8/73 Category 1 2 of 2

BVPS UFSAR UNIT 1 Rev. 19 Table 7.3-1 INSTRUMENTATION OPERATING CONDITION FOR ENGINEERED SAFETY FEATURES No. of Channels No. of To No. Functional Unit Channels Trip

1. SAFETY INJECTION

a. Manual 2 1

b. High containment pressure 3 2

c. Pressurizer low pressure 3 2

d. Low steamline pressure 3/steamline 2/steamline

2. CONTAINMENT DEPRESSURIZATION SPRAY

a. Manual 2 2

b. Containment pressure high-high 4 2 1 of 1

BVPS UFSAR UNIT 1 Rev. 19 Table 7.3-2 INSTRUMENT OPERATING CONDITIONS FOR ISOLATION FUNCTIONS No. of No. of Channels No. Functional Unit Channels to Trip

1. CONTAINMENT ISOLATION

a. Automatic safety injection See Item No. 1(b) through (d) of Table (Phase A) 7.3-1

b. Containment pressure See Item No. 2(b)

(Phase B) of Table 7.3-1

c. Manual Phase A 2 1 Phase B See Item No. 2(a) of Table 7.3-1

2. STEAM LINE ISOLATION

a. High steam pressure rate 3/steamline 2/steamline

b. Containment pressure See Item No. 1(b) of Table 7.3-1 (Intermediate High-High) (Different setpoint -

see the Technical Specification)

c. Manual 1/loop 1/loop

3. FEEDWATER LINE ISOLATION

a. Safety injection See Item No. 1(b) through (d) of Table 7.3-1 1 of 1

BVPS UFSAR UNIT 1 Rev. 33 Table 7.3-3 INTERLOCKS FOR ENGINEERED SAFETY FEATURES ACTUATION SYSTEM Designation Function Input Performed P-4(2) Reactor trip Trip the main turbine Isolate Main Feedwater Regulating Valves with coincident low Tavg Prevents opening of the Main Feedwater isolation valves if previously closed on Safety Injection or Steam Generator water level - High High with low Tavg Prevents automatic reactuation of Safety Injection after a manual reset of Safety Injection Reactor not tripped Safety Injection actuation may be manually reset after a 75 second delay. If P-4 is enabled, subsequent automatic Safety Injection initiation is blocked until P-4 is reset (Reactor Trip Breakers closed). P-11 2/3 Pressurizer pressure Allows manual block of safety below setpoint injection actuation on low pressurizer pressure signal Blocks automatic opening of the power relief valves 2/3 Pressurizer pressure Defeats manual block of above setpoint safety injection actuation P-14 2/3 Steam generator water Closes all feedwater control level above setpoint on any valves steam generator Trips all main feedwater pumps which closes the pump discharge valves(1) Actuates turbine trip Closes main feedwater containment isolation valves (1) Main feedwater pump discharge valves are not credited for feedwater isolation in the safety analyses. The motor driven AFW pumps start indirectly as a result of the Main Feedwater Pump trip caused by this signal. (2) See Table 7.7-2 for control system functions. 1 of 1

BVPS UFSAR UNIT 1 Rev. 19 Table 7.3-5 INDICATOR LAMPS FUNCTION INDICATION

• Low-Low Tavg A each channel (common window for all 3)

T each channel P output of two-out-of-three logic

• Pressurizer water A each channel (common window for all 3) level
• Pressurizer pressure Same as pressurizer water level P-11 T each channel; pressurizer pressure A P-11 status (converse of 2/3 high pressurizer pressure)

Pressurizer safety P each train blocked (allowed if pres-injection block surizer pressure is low)

• Low steam line pressure T each of 3 channels A one annunciator for all 3 channels Steam line safety P each train blocked (permitted by P-12, Low-Low Tavg) injection block Containment pressure A annunciator for High and High-High containment pressure (one for each set) T each channel Safety injection P permitted after time delay and receipt blocked of P-4 (Reactor Trip)

Steam line stop valves A common window for all 3 closed Spray actuation and A window for each Phase B Isolation Solid state logic A train test (each train) protection system ESF test cabinets A train in test (both cabinets)

• Functions do not indicate that an ESF feature is bypassed by rather that it is tripped or partially tripped (single channel) and is safe.

Legend: A Alarm Annunciator T Trip status lights P Permissive status light 1 of 1

BVPS UFSAR UNIT 1 Rev. 21 Table 7.4-1 REMOTE SHUTDOWN PANEL MONITORING INSTRUMENTATION INSTRUMENT MEASUREMENT RANGE

1. Steam Generator Water Level 0 to 100%

2. Auxiliary Feedwater Flow 0 - 400 GPM

3. Steam Generator Pressure 0 - 1400 psig

4. Pressurizer Level 0 - 100%

5. Pressurizer Pressure 1700 to 2500 psig

6. Source Range Nuclear Flux 1 to 106 CPS

7. Source Range Startup Rate -0.5 to +5 DPM

8. Intermediate Range Nuclear Flux 10-11 to 10-3 amps

9. Intermediate Range Startup Rate -0.5 to +5 DPM

10. Reactor Coolant Temperature - Hot Leg 0 - 700°F

11. Reactor Coolant Temperature - Cold Leg 0 - 700°F

12. RHR Temperature - HX Outlet 50 - 400°F 1 of 1

BVPS UFSAR UNIT 1 Rev. 20 Table 7.5-1 MAIN CONTROL BOARD INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR CONDITION II AND III EVENTS Typical No. of Channels Accuracy Indicator/ Parameter Avail. Req. Range Required Recorder Purpose

1. Tcold or Thot 1 Thot 1 in 0-700 F +/-4% of full range All channels Ensure maintenance of (measured, wide 1 Tcold any are recorded proper cooldown rate range) per loop operating and to ensure mainten-loop ance of proper relation-ship between system pressure and temperature for NDTT considerations.

2. Pressurizer 3 1 Entire distance +/-3% of level at All 3 channels Ensure maintenance of Water Level between taps 2,250 psia indicated; one proper reactor coolant channel is selected inventory for recording

3. System Pressure 2* 1 0-3,000 psig +/-4% of full range Indicated and Ensure maintenance of (wide range) recorded proper relationship between system pressure and temperature for NDTT considerations.

4. Containment Pressure

a. Normal Range 4 1 0-115% of +/-3% of full All 4 are Monitor containment design pressure scale indicated and conditions to indicate one channel is need for potential safe-recorded. guards actuation.

1 of 2

BVPS UFSAR UNIT 1 Rev. 23 Table 7.5-1 (CONTD) MAIN CONTROL BOARD INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR CONDITION II AND III EVENTS Typical No. of Channels Accuracy Indicator/ Parameter Avail. Req. Range Required Recorder Purpose

b. Wide Range 2 2 0-200 psia +/-5% of full Both are indicated Monitor containment scale and one channel conditions to indicate is recorded need for potential safe-guards actuation.

5. Steam Line 3/loop 1/loop 0-1,400 psig +/-3% of full All required Monitor steam generator Pressure scale channels are pressure conditions indicated and during hot shutdown and one channel from cooldown and for use in each steam line recovery from steam gen-is recorded. erator tube ruptures.

6. Steam Generator 1/Steam ** +6 to -42 ft +/-5% of level All channels Ensure maintenance of Water Level Generator from nominal span (cold) recorded reactor heat sink.

(wide range) full load water level

7. Steam Generator 3/Steam ** +6 to -11.5 ft +/-7% of level All channels Ensure maintenance of Water Level Generator from nominal span (hot) indicated; the reactor heat sink (narrow range) full load water channels used level for control are recorded.

• In order to assure that the integrity of the reactor coolant pressure boundary can be maintained or a loss of integrity can be directly diagnosed, an acoustic monitoring system is provided for the pressurizer safety and relief valves to monitor (indicate and alarm) their positions. Indicators and alarms are located on the control board in the Control Room.
  • Minimum Requirements: One level channel per steam generator (either wide or narrow range) with at least two wide range channels.

2 of 2

BVPS UFSAR UNIT 1 Rev. 23 Table 7.5-2 MAIN CONTROL BOARD INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR CONDITION IV EVENTS No. of Channels Accuracy Indicator/ Parameter Avail. Req. Range Required Recorder Purpose

1. Containment Pressure

a. Normal Range 4 1 0-115% of +/-5% of full scale All 4 are indicated and Monitor post-LOCA design pressure one channel is recorded containment conditions

b. Wide Range 2 2 0-200 psia +/-5% of full scale Both are indicated one Monitor post-LOCA channel is recorded containment conditions

2. Refueling Water 4 2 0-51 ft +/-3% of level span Three are indicated, one Ensure that water is Storage Tank channel is recorded, all flowing to the safety four channels share a injection system after a common alarm function LOCA and automatically shift from injection to recirculation mode.

3. Steam Generator 3/Steam * +6 to -11.5 ft +/-10% of level span(1) All channels indicated, Detect steam generator Water Level (narrow Generator from nominal full the channels used for tube rupture; monitor range) load level control are recorded steam generator water level following a steam line break.

4. Steam Generator 1/Steam * +6 to -42 ft from +/-10% of level All channels recorded Detect steam generator Water Level (wide Generator nominal full load span(1) tube rupture; monitor range) steam generator water level following a steam line break.

1 of 2

BVPS UFSAR UNIT 1 Rev. 19 Table 7.5-2 (CONTD) MAIN CONTROL BOARD INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR CONDITION IV EVENTS No. of Channels Accuracy Indicator/ Parameter Avail. Req. Range Required Recorder Purpose

5. Steam Line 3/Steam 1/Steam 0-1,400 psig +/-5% of full scale All channels are Monitor steam line Pressure line line indicated and one pressures following steam channel from each generator tube rupture or steam line is recorded steam line break.

6. Pressurizer Water 3 1 Entire distance Indicate that level is All 3 are indicated and Indicate that water has Level between taps somewhere between one is recorded returned to the pressurizer 0 and 100% of span following cooldown after steam generator tube rupture or steam line break.

(1) For the steam break, when the water level channel is exposed to a hostile environment, the accuracy can be relaxed. The indication need only convey to the operator that water level in the steam generator is somewhere between the narrow range steam generator water level taps.

     *Minimum requirements One level channel per steam generator (either wide or narrow range) 2 of 2

BVPS UFSAR UNIT 1 Rev. 19 Table 7.7-1 CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes NUCLEAR INSTRUMENTATION

1. Source Range

a. Count rate 2 1 to 106 +/-7% of the linear full Both channels Control counts/sec scale analog voltage indicated. Either board may be selected for recording.

b. Startup rate 2 -1.5 to 5.0 +/-7% of the linear full Both channels Control decades/min scale analog voltage indicated. board

2. Intermediate Range

a. Flux level 2 8 decades of +/-7% of the linear full Both channels Control One two-pen neutron flux scale analog voltage indicated. Either board recorder is corresponds to 0 and +/-3% of the linear may be selected used to record to full scale full scale voltage in for recording. any of the 8 analog voltage the range of 10-4 10-3 nuclear overlapping the amps channels (2 source range by 2 source range decades 2 intermediate range and 4 power range) 1 of 10

BVPS UFSAR UNIT 1 Rev. 23 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes NUCLEAR INSTRUMENTATION (CONTD)

b. Startup rate 2 -1.5 to 5.0 +/-7% of the linear full Both channels Control decades/min scale analog voltage indicated board

3. Power Range

a. Uncompensated ion 4 0 to 120% of full +/-1% of full span All 8 current NIS Racks chamber current (top and power signals indicated in control bottom uncompensated ion room chambers)

b. DELETED 2 of 10

BVPS UFSAR UNIT 1 Rev. 24 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes NUCLEAR INSTRUMENTATION (CONTD)

c. Upper and lower ion chamber 4 -30 to +30% +/-3% of full power Diagonally Control current difference opposed board channels may be selected for recording at the same time using recorder in item 2.

d. Average flux of the top and 4 0 to 120% of full +/-3% of full power for All 4 channels Control bottom ion power for indication in- dicated. Any board indication +/-2% for recording 2 of the four channels may be recorded.

e. Average flux of the top and 4 0 to 200% of full +/-2% of full power to All 4 channels Control bottom ion chambers power 120%, +/-6% of full recorded board power to 200%.

f. Flux difference of the top and 4 -30 to +30% +/-4% All 4 channels Control bottom ion chambers indicated. board 3 of 10

BVPS UFSAR UNIT 1 Rev. 19 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes REACTOR COOLANT SYSTEM

1. Taverage (measured) 2/Loop 530 to 630F +/-2F All channels Control indicated board

2. T(measured) 2/Loop 0 to 150% of full +/-3% of full power All channels in- Control power T T dicated. One board channel is selected for recording.

a. Tcold or Thot 1 Thot and1 0 -700 +/-4% Both channels Control (measured, wide range) Tcold per recorded. board loop

3. Overpower T Setpoint 1/loop 0 to 150% of full +/-3% of full power T All channels in- Control power T dicated. One board channel is se-lected for re-cording.

4. Overtemperature T Setpoint 1/loop 0 to 150% of full +/-3% of full power T All channels in- Control power T dicated. One board channel is se-lected for re-cording.

5. Pressurizer Pressure 5 1,700 to +/-20 psi All channels in- Control 2,500 psig dicated board 4 of 10

BVPS UFSAR UNIT 1 Rev. 19 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes REACTOR COOLANT SYSTEM, CONT'D

6. Pressurizer Level 3 Entire distance +/-3% of P signal at All channels in- Control Two pen between taps 2,250 psia dicated. One board recorder used, channel is se- second pen lected for re- records cording reference level signal

7. Primary Coolant Flow 3/loop 0 to 120% of Repeatability of +/-3% All channels in- Control rated flow of full flow dicated. board

8. Reactor Coolant Pump 1/loop 0-1,200 amp All channels in- Control One channel for Bus Amperes dicated. board each bus

9. System Pressure Wide Range 2 0-3,000 psig +/-4% All channels in- Control dicated and board recorded.

10. Subcooled Margin to Saturation 2 -35 to 200 °F All channels in- Control On ICC dicated. board Graphics Displays

11. Pressurizer Safety and Relief Valve 1 Open - Close Indicator Control Active and positions board passive acoustic pickups REACTOR CONTROL SYSTEM

1. Demanded Rod Speed 1 0 to 100% of +/-1.5% The one channel Control rated speed is indicated board 5 of 10

BVPS UFSAR UNIT 1 Rev. 23 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes REACTOR CONTROL SYSTEM (CONT'D.)

2. Median Tavg 1 530 to 630°F +/-2°F The one channel Control Selects the is recorded. board signal between the highest and lowest values of the three loop Tavg inputs

3. Treference 1 540 to 590°F +/-2°F The one channel Control is recorded board

4. Control Rod position If system not available, borate and sample accordingly.

a. Number of steps of demanded 1/group 0 to 232 steps +1 step Each group is Control These signals rod withdrawal indicated during board are used in rod motion conjunction with the measured position signals (4b) to detect deviation of any individual rod from the demand position. A deviation will actuate an alarm and annunciator.

6 of 10

BVPS UFSAR UNIT 1 Rev. 33 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes REACTOR CONTROL SYSTEM (CONT'D)

b. Full length rod measured 1 for each 0 to 235 steps +/-5% of full scale Each rod Control position rod ( +12 steps) position is board indicated

5. Control rod bank measured 4 0 to 232 steps +/-1% of total bank All 4 control rod Control 1. One channel for position travel bank positions board each control rod are recorded bank.

along the low-low limit alarm for each bank.

2. An alarm and annunciator is actuated when any rod control bank reaches the low insertion limit and when any rod control bank reaches the low-low insertion limit 7 of 10

BVPS UFSAR UNIT 1 Rev. 23 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes CONTAINMENT SYSTEM Containment pressure

a. Normal range 4 0-115% of design +/-3% of full scale All 4 channels Control pressure indicated board

b. Wide range 2 0-200 psia +/-5% of full scale Both are indi- Control cated and one board channel is recorded FEEDWATER AND STEAM SYSTEMS

1. Auxiliary feedwater flow 1/Steam 50 to 800 gpm +/-4% of maximum All channels Control One channel to line indicated board measure the flow of each steam generator

2. Steam generator level 3/Steam +6 to -11.5 feet +/-3% of level (hot) All channels in- Control One channel to (narrow range) generator from nominal full dicated. The board measure the load level channels used flow to each for control are steam recorded. generator

3. Steam generator 1/Steam +6 to -42 from +/-5% of level All channels Control level (wide range) generator indicated. board

4. Programmed steam 1/Steam +6 to -11.5 feet +/-2% All channels generator level generator indicated.

8 of 10

BVPS UFSAR UNIT 1 Rev. 24 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes FEEDWATER AND STEAM SYSTEMS (CONT'D)

5. Main feedwater flow 2/Steam 0 to 5 MPPH +/-3% All channels in- Control generator dicated. The board channels used for control are recorded.

6. Magnitude of signal 1/main 0 to 100% of valve +/-1.5% All channels Control 1. One channel controlling main and 1/bypass opening indicated. board for each bypass feedwater main and control valves bypass feedwater control valve

2. OPEN/

SHUT indication is provided in the control room for each main and bypass feedwater control valve 9 of 10

BVPS UFSAR UNIT 1 Rev. 24 Table 7.7-1 (CONTD) CONTROL ROOM INDICATORS AND/OR RECORDERS AVAILABLE TO THE OPERATOR TO MONITOR SIGNIFICANT UNIT PARAMETERS DURING NORMAL OPERATION No. of Channels Indicated Indicator/ Parameter Available Range Accuracy Recorder Location Notes FEEDWATER AND STEAM SYSTEMS (CONT'D)

7. Steam flow 2/Steam 0 to 5 MPPH +3% All channels Control board Accuracy is equipment Generator indicated. The capability; however, channels used absolute accuracy for control are depends on applicant recorded calibration against feedwater flow.

8. Steam line pressure 3/loop 0 to 1,400 psig +/-3% All channels Control board indicated.

9. Steam dump modulate signal 1 0 - 85% max. +/-1.5% The one Control board OPEN/SHUT indication is calculated steam channel provided in the control flow is indicated room for each steam dump valve

10. Turbine first stage 2 0 to 120% of max. +3% Both channels Control board OPEN/SHUT indication is pressure calculated turbine indicated provided in the control load room for each turbine stop valve 10 of 10

BVPS UFSAR UNIT 1 Rev. 23 Table 7.7-2 UNIT CONTROL SYSTEM INTERLOCKS Designation Derivation Function C-1 1/2 neutron flux (intermediate range) Blocks manual control rod above setpoint withdrawal C-2 1/4 neutron flux (power range) above Blocks manual control rod setpoint withdrawal C-3 2/3 overtemperature T above setpoint Blocks manual control rod withdrawal Actuates turbine runback via load reference Defeats remote load dispatching C-4 2/3 overpower T above setpoint Blocks manual control rod withdrawal Actuates turbine runback via load reference Defeats remote load dispatching C-7 1/1 time derivative (absolute value) of Makes steam dump valves turbine first stage pressure (decrease available for either tripping or only) above setpoint modulation 1 of 2

BVPS UFSAR UNIT 1 Rev. 23 Table 7.7-2 (CONTD) UNIT CONTROL SYSTEM INTERLOCKS Designation Derivation Function C-8 Turbine trip, 2/3 turbine auto stop oil Blocks steam dump control pressure below setpoint via load rejection Tavg controller. or 4/4 turbine valves closed Makes steam dump valves available for either tripping or modulation No turbine trip, 2/3 turbine auto stop oil Blocks steam dump control pressure above setpoint and 1/4 turbine via turbine trip Tavg inlet line stop valves not closed controller C-9 Any condenser pressure above setpoint, Blocks steam dump or All circulation water pump breakers open P-4(1) Reactor Trip Closes main feedwater valves on low Tavg below setpoint. Blocks steam dump control via load rejection Tavg controller Makes steam dump valves available for either tripping or modulation Reactor not tripped Blocks steam dump control via plant trip Tavg controller (1) See Table 7.3-3 for engineered safety features actuation system functions. 2 of 2

BVPS UFSAR UNIT 1 Rev. 32 Table 7.8-1 Equipment Operable From BIP CONTROL EQUIPMENT LOCATION DESCRIPTION TV-CC110E2 BIP Containment Air Recirculation Cooler Inlet Isolation TV-CC110E3 BIP " TV-CC110B BIP " TV-CC110D BIP Containment Air Recirculation Cooler Discharge Isolation TV-CC110F1 BIP " SOV-RC102B BIP Reactor Coolant Gas Vent Isolation to Reactor Vessel SOV-RC103B BIP Reactor Coolant Gas Vent Isolation to Pressurizer SOV-RC105 BIP Reactor Coolant Gas Vent Isolation Vent to Containment LCV-CH460A West Letdown Orifice (close valve Cable Isolation Valve only) Vault PCV-RC-455D West Pressurizer Power-and 456 Cable Operated Relief Valve (close valve Vault only) PCV-RC-455C East Pressurizer Power-(close valve Cable Operated Relief Valve only) Vault 1 of 1

BVPS UFSAR UNIT 1 Rev. 32 Table 7.8-2 BIP Instruments INSTRUMENT DESCRIPTION RANGE LOCATION PI-RC403BP RCS Loop 1B Hot 0-3000 psig BIP Leg Wide Range Pressure LI-RC460BP Pressurizer Level 0-100% BIP TI-RC290BP Core Exit Thermo- couples 0-700F BIP (Selector switch for TC-29, 38, 40, or 43) TI-RC410BP RCS Cold Leg Temp. 0-700F BIP (Selector Switch for TRB-RC-410, 420, or 430) LI-FW475BP Steam Generator Level NR 0-100% BIP (Selector switch for LT-FW-475, 485 or 495) Source Range Drawer Portable Nuclear Instrument - East Cable Source Range Dwr. (one- Vault hour hookup time) 1 of 1

                                        -ffis                ##F#F{F&{+frllr F                                                                                  llt a

s s tEE Flil E=Igi; EEFSSEE g

                                                            *sr il                  ;IF                       Ei ta ta E                                             giEf:E F

3 II I iiiititiE ;EE iHEHFE P tI

                                       -                        EEiEEiIlBi              HE*IE EEiiE         EEE 1.r     F      :

EFI t:l gT-*E; o l\ ta I qs Etg FF fr T  ;( \ a 8 3

                                       *[

HEIEF E ;: ii \rhLh B eo 1 J tll I

    !                                                                                              rJ  #                         2 ul!;

gE >ur .g 1 f 1E = n l"H E ll =3 ilr gg -t

                                                                                                =t        g q

E S 3s 3 *f, I FE f;i4H*t TF FgaE E* aI

t

                                                                      .iJ                       E   g lrE  rs5 I N    L=tr                         l             r*

i g 3 .= u I f;EEEiil*E E

                                                                      !i ci E 3 e a                q I       c E a

n c nil n 2

                                                                                                       !     C' C' I             6 I

iI n! O q . q =E P- a* HE a - taE at E : rr ct tt a tB II 5H iiiEiiiiEli l*l*[l !ci

                                                                             =a=

EIi S

                                                                                       ;F
                                                                                                    =

T E! t sr -

                                                                                                             =s; i c :

c 4 I t it EEI HIEE :*3 fr { C' D E= - iE ie 6

                         ;:il!t:'                                                                                    .tt tv
                                                                                 ;t6                                 2 E:El3; ;

t?n f;E v fiE *s 4

g E :f

                                                                                 =                                       iF
                                                                                                             #giE i

i; qF

• E Hs 6 E

Eiii i E;illii t 6 I E s i i3

                                                                                                             ;r 6

• E g FHHF FEii:iii'i:E e Ir; T E
• f I H T 5 ft 0'll EEtr E t

Id 5i rEl

r i 6,

                         *flil EI F3 I
                      .iP@
                                                     - l i t H

a t I EESEliiEE ,,*l'iiii#l E lEEg E EiF

FF s

fiF Hfig$E$ Fi't liiE siE iis I g n m N)

                                                                                                                                        *o

REV 20 ROD Oftive SUPPLY ONE LINE DIAGRAM TRAIN A REACTOR SHUNT TRIP SIGNALS MANUAL REACTOR TRIP SIGNAL (SHEET 3>- MANUAL SAFETY MJECTtON SIGNAL ISHEET LOGIC TRAIN A REACTOR TRIP SIGNALS ) sum* MANUAL TRIP SIGNAL (SHEET 3) SOURCE RANGE, HIGH FLUX (INTERLOCKED BY P-5. & P INTERMEQIATE RANGE. HIGH FLUX ( INTERLOCKED BY P-IB) - [HIGH FLUX.LOW SETPOMT (INTERLOCKED BY P-I0I-

                                                                          \ HIGH FLUX. HIGH SETPOINT

(.HIGH FLUX RATE LOW PRIMARY J L0W FL0W "* ""Y I OF 3 LOOPS I INTERLOCKED BY P-8 COOLANT FLOW [ LOT FLOW OR REACTOR COOLANT PUMP BREAKERS OPEN W AW 2 OF 3 LOOPS (INTERLOCKED BY P-7 I-UNDERVOLTAOE (INTERLOCKED BY P-7) TO SAFETY IKjeCTION UNDERFREOUENCY (INTERLOCKED BY P-7) BLOW 10WC (MOT at HIGH PRESSURE: LOW PRESSURE (INTERLOCKED BY P-7l -

                                                       . HIGH LEVEL (INTERLOCKED BY P-71 HI FECDMTEfl ISOLATION LOGIC (MEET I J)

I LOW-LOW STEAM GENERATOR WATER LEVEL-B) AUTOMATIC SIGNAL - LOW AUTO STOP OIL PRESSURE OR ALL STOP VALVE CLOSED (INTERLOCKED BY P-<>>>- REACTOR 1<<IP tlDM. FOR TWSIIC TRIP <SMECT IS) TO STEAM DUMP CONTROL LOGIC (SHUT 10) TO STEAM OUMP LOGIC TRAIN B REACTOR TRIP SIGNALS CONTROL IMIC (MBIT I MANUAL TRIP SICMAL (SHEET 3> IS StfCTT INJIETim row iooic (SMrrr a> SOURCE RANGE. HIGH KLUX (INTERLOCKED BY P-5 & P-HJ1 INTERLOCKED RANGE. HIGH FLUX (INTERLCCKEED BY P-IBl  : f HIGH FLUX. LOW SF.TPOINT (INTERLOCKS) RY P-18) POWER RANGE J HIGH FLUX. HIGH SETPOINT 10 HtWITER I HIGH FLUX RATE ISDUTim UXHC (5MECT

                                                      ' OVERTE.<<iPERATURE AT                                                                                 :

OVERPOWER AT .. ,. ._..,.... r ...-. - _..... , - - - , LOW PRIMARY f LOW FLOW IN ANY 1 OF 3 LOOPS (INTERLOCKED BY P-8 ) COOLANT FLOW { LOW FLOW OR REACTOR COOLANT PUKP BREAKERS OPEN IN AMY 2 OF 3 LOOPS I MTERIDCKEO BY P-7 I REACTOR T<<H>> SIOWL m TURBINE TRIP (SMET 19) UNDEK VOLTAGE (INTERLOCKED BY P-71  :

                                                      . UNOERFREOUENCYdNTERLOCKED BY P-71                           '
                                                      'HIGH PRESSURE LOW PRESSURE (INTERLOCKED BY P-7)
                                                      .HIGH LEVAL (MTERLOCKE BY ^-7>

[LOW-LOW STEAM GENERATOR WATER LEVEL-SAFETY INJECTION SIGNAL ISHEET AUTOMATIC SIGNAL-TURBINE TRIP SIGNAL (SHEET IB) LOW AUTO STOP OIL PRESSURE OR ALL STOP VALVES CLOSED (INTERLOCKED BY P TRAIN B REACTOR SHUNT TRIP SIGNALS MANUAL REACTOR TRIP SIGNAL (SHEET 31 MANUAL SAFETY INJECTION SIGNAL (SHEET 8>

2. NORMAL. REACTOR OPERATION IS TO BE WITH REACTOR TRIP BREAKERS 62/ftTA ANO 52/RTB M SERV1CE/CL0SE0 ANO BYPASS BREAKER S2/8VA ANO 52/BYB OWING TEST ONE BY-PASS BREAKER IS TO BE PUT IN SERVICE/CLOSED AND THEN THE RESPECTIVE REACTOR TRIP BREAKER IF OPERATED USING ft SIMULATEO REACTOR TRIP SIGNAL IH THE TRAIN UNDER TEST. THE REACTOR WILL NOT BE TRIPPEO BY THE SIMULATED SIGNAL SINCE THE BY-PASS BREAKER IS CONTROLEO FROM THE OTHER TRAIN. ONLY ONE REACTOR TRIP BREAKER IS TO BE TESTED AT A TIME! so one en id

3. ALL CIRCUITS ON THIS SHEET ARE NOT REDUNDANT BECAUSE BOTH TRAINS ARE SHOWN.

4. OPEN/CLOSE INDICATION FOR EACH TRIP BREAKER ANO EACH BYPASS BREAKER IH CONTROL ROOM.

THIS UFSAR FIGURE SUPERSEDES FIGURE OF SAME NO. REV. 18 FIGURE 7.2-i INSTURMENTATION AND CONTROL SYSTEM LOGIC DIAGRAM, SH. 2 (8700-0L020-1075 REV.C) BEAVER VALLEY POWER STATION UfoFT NO. 1 UPDATED FINAL SAFETY ANALYSIS REPORT 27-MAR-2002

REV 33 POWER RANGE POWER RANGE HIGH NEUTRON BLOCK CONTROL FLUX RATE REACTOR TRIP SOURCE RANGE REACTOR TRIP INTERMEDIATE RANGE REACTOR TRIP POWER RANGE REACTOR TRIP <NOTES l & I I II I II II III I I I I I I OTHER s s LOGIC I/N 41K I [/N 44K I t---- 7 I t---- 7 I SOURCE RANGE TRAIN MANUAL MANUAL BLOCK CONTROL I RESET RESET NOTES I & 2 I INOTE 61 I I !NOTE 6> I IV NC 44K II Ill IV TRIP BYPASS TRIP BYPASS I/N 318 l/N 32B

      <NIS RACK)                                                  !NIS RACK>

HV CONTROL ~ - - - - - 4 SW 5104 ON TO TO I.A. ROD I.A. ROD STOP STOP HIGH NEUTRON FLUX CSHEET 4l <SHEET 4l (HIGH SET POINT) REACTOR TRIP

                                                                                                                                                                      !SHEET 2l                                                                      HIGH NEUTRON FLUX RATE TO                                                                                                                                                            REACTOR TRIP I.A. ROD                                                                                                                                                           (SHEET 21 STOP
                                                                                  <SHEET 41 HIGH NEUTRON FLUX CLOW SET POINT)

ENERGIZE REACTOR TRIP SOURCE RANGE H, V. lSHEET 2> tEITHER LOGIC TRAIN) HIGH NEUTRON FLUX H[GH NEUTRON FLUX REACTOR TRIP REACTOR TRIP

                                <SHEET 21                                                            (SHEET 21 RESET NOTES:                                                                                                                                                               REACTOR TRIP I. THE REDUNDANT MANUAL BLOCK CONTROLS CONSIST OF TWO CONTROLS ON THE CONTROL BOARD FOR EACH RANGE. ONE FOR EACH TRAIN.

2. 1/N 33A IS IN LOGIC TRAIN A. REACTOR TRIP I/N 338 IS IN LOGIC TRAIN B. (SHEET 21

3. 1/N 38A IS IN LOGIC TRA[N A.

I IN 38B IS IN LOGIC TRA [N 8,

4. 1/N 47A IS IN LOGIC TRAIN A.

JIN 478 IS IN LOGIC TRAIN 8.

5. TWO COMPUTER INPUTS ARE CONNECTED TO THIS CIRCUIT. INDIVIDUAL FOR EACH TRAIN.

6. MANUAL RESET CONTROLS CONSIST OF FOUR MOMENTARY CONTROLS IN THE CONTROL ROOM.

ONE CONTROL FOR EACH INSTRUMENT CHANNEL.

7. HIGH VOLTAGE MANUAL CONTROL SWITCH Sl04 IS LOCATED ON SOURCE RANGE DRAWER. ONE FOR EACH TRAIN.

FIGURE 7.2-1 INSTRUMENTATION AND CONTROL SYSTEM LOGIC DIAGRAM, SH. 3

                                                                                                                                                                                                                                                            <NUCLEAR INSTR. & MANUAL TRIP SIGNALS)

BEAVER VALLEY POWER STATION UNIT NO.I UPDATED FINAL SAFETY ANALYSIS REPORT

REV 21 POWER RANGE INTERMEDIATE POWER RANGE HIGH NEUTRON FLUX ROO STOP BLOCK AUTOMATIC 6 MANUAL ROD WITHDRAWAL NOTES: E-PO5III0N SWITCHES ON A NIS RACK. SWITCH 1/N 4<M BTPASSES EITHER NC-4IL OP KC-O1.. SWITCH t/N 4<<< BVPASSCS EITVCn NC-4ZL OR MC-44L. P-8

           *SHEET 5)

OVERPOWER ittlO STOP (BLOCK AUTOMATIC & MANUAL* nod withdrawm. (SHEET <M HOT HEOUMDOMT FIGURE 7.2-1 INSTRUMENWION AND CONTROL SYSTEM LOGIC DIAGRAM. SH. 4 (8700-01.020-0061, REV. D) BEAVER VALLEY POWER STATION IMF NO. 1 UPDATED FMAL SAFETY ANALYSE I

REV 21 UNDERFRIOUENCr RCP Bi/SJCJ BUS I BUS £ Wi 3

                                                                                                          ,(Not       ^

Ibi "L M "L 1. B.l SEC C O 8.1 SEC V 2 B-> Stt OTHEBS (MAX) ^ <\ (HAK) y^ (MA*) TMP (NOTE J) OP<<N LOW hism t *va U>>Pl LOOPS UOO*>3 LOH>I 100PC l.OOI>>3

                                               ©       ©       @

RCACTOA T*P NOTES: L SETPOINT FOR UNOEBVOtTACE RELAYS SHOULD BE ^ 75? THE MAXIMUM ALLOWABLE DETECTOR TIME DELAY (WITH THE ADJUSTABLE OEtAY SET TO ZERO) BETWEEN REACHING THE SETPOINT VALUE AND PASSING ON THE SIGNAL TO THE REACTOR TRIP CIRCUITRY SHOULD NOT EXCEED 0.1 SEC. THIS UFSAR FIGURE SUPERSEDES FIGURE OF SAME NUMBER REV. 17 I THE SETPOINT Of THE UNDERFREqUENCY RELAYS SHOULD BE ADJUSTABLE BETWEEN 54 CPS AND $9 CPS. THE MAXIMUM ALLOWABU DETECTOR TIME DELAY, INCLUDING THE ADJUSTABLE DELAY, BETWEEN REACHING THE SETPOINT VALUE AND PASSING ON THE SICNAL TO THE RCP TRIP CIRCUITS SHOULD NOT EXCEED APPROX. 0£ SEC. FIGURE 7.2-1 J. THE MAXIMUM AlifiWABIE TIME DELAY BETWEEN THE TIME THE RCP BREAKERS RECEIVE A TRIP SIGNAL ANO THE TIME THE BREAKERS HAVE INSTRUMENTATION AND CONTROL SYSTEM TRIPPED ANO PASSED ON AN OPEN SIGNAL TO THE REACTOR TRIP LOGIC DIAGRAM SH. 6 LOGIC SHOULD NOT EXCEED 0.1 SEC. (8700-01.020-1076, REV.B) BEAVER VALLEY POWER STATION HOT NO. 1 UPDATED FINAL SAFETY ANALY8>> REPORT

3 b o dr o

                                                                 ?,

1llt ila

                                                                 =o
                                                                 \,o
                                                                 >i Lrl.
                                                                 ^,i a                                     ura tl
                           'l I                  I                  a5
                           -                                     i{
                                                                  !r ttt
                                                                  ,.Q f                 efr                  ;ia
                                                                  <t
                                                                  -tt
               $i                            3I                  g rqo
               "{

3

                                                    \a ii I
                                                    ,rr n
                                                 \  {'

7 I r R o I t o t 3

                                                            .il
                                                             ,l l,r c

I j a j n a 5r

                                     -5 7-Io                    E t

Ztr t A'2

                                     ->D E'F llr a

ua rl t! gi= Ja I tl FT t. 3 l'I 6 H v 5H ;35=I  ! T G a I

  *fi;i:eH                                                   e I; ??Eei        #lE ig;F FE6i.{3-                      1 att   692                        I I

I 3H {i*

                  'iEl          J-o ln    T    :                  =t
                                =u Dg    ilij                    "6 3FE rsi
                                   ?

o Ez si

  ,69
                   ;ia                                  :iI aE;                                   Ft FF         r'!

F'--? I a=a m-{ { T Trrl m 7r3 tU m

REV. 20 HIGH STEAM PRESSURE RATE STEAMLINE S. I. STEAM GENERATOR Hi-HI LEVEL (RATE-LAC COMPENSATED) BLOCK CONTROL

                                                                                                                                       <NOTE )>
                                                                  - A - A ©- A CD- A © & - A  zfe. ©- A ©* zSi LOW STEAMLINE PRESSURE (LEAO-LAC COMPENSATED)

NOTES

1. THE REOUMMNT HANIML BLOCK CONTROL CONSISTS OF TWO CONTROLS ON THE CONTROL BOARO.ONE FOR EMM TRAIN.

2. TWO COMPUTER IHPUTS ARE CONNECTED TO THIS CIRCUIT.

INDIVIDUAL FOR EACH TRAIN. X POSITION DETECTION IS ACCOMPLISHED ST TWO POSITION SWITCHES (INDIVIDUAL FOR EACH TRAIN) PER STOP VALVE. FIGURE 7.2-1 INSTRUMENTATION AND CONTROL SYSTEM LOGIC DIAGRAM, SH. 7 (6700-01.020-0064, REV. F) BEAVER VALLEY POWER STATIC**-*#IT NO. 1 UPDATED-.FJfcj$Ws<<0EfcTy. ANALYSIS REPORT 27-KAR-2BB2 M£2

REV. 33 STEAM GENERATOR PRESSURIZER CONTAINMENT PRESSURE MANUAL ACTUATION FROM CONTROL ROOM CONTROL BOARD AREA MONITORS BY OTHERS BY OTHERS BY OTHERS HIGH STEAM LOW PRESSURE STEAMLINE LOW PRESSURJZER RATE PRESSURE PRESSURE

 <SHEET 71                      <SHEET 7)        <SHEET 6) 2 I I

7_ I L MANUAL RESET ANO BLOCK INOTE 81

                                                                                                                                                                                               - - - - - - - - - - - - - - - - - - - - - __________________________ .J r*----------------                                                                      MANUAL SET M.R.

(NOTE 81 BY 0 NES BY OTHERS FEEDWATER REACTOR ISOLATION TRIP

                                                                       <SHEET 13) fNOTE 7>        <SHEET 21                                                     ~lNES
                                                                         <NOTE 6)        <NOTE 6)
                                                                                                                             ~-~~-----B_;_o~--
                                                                                                                                                         ~----+I__,'L===+====~---*~-:--------8-Y'-'--l
                                                                              --------                                                                                                                                                                                                  BY EHERGENCY                                   AUXILIARY                                                  RIVER WATER DIESEL                                                                               CONTAINMENT                        SPRAY CONTAINMENT START-UP                                  FEEDWATER PU<PS ISOLATION PHASE A
                                                                                                                                                                    <PUMP STARTI    ACTUATION CIB                 ISOLATION CONTAINMENT ISOLATION                    CONTROL RM. I tSHEET 141                                                                   INOTE 11)               PHASE A                                       PHASE 8/                      INTAKE DU2J
                                                                                                                                                     !SHEET 141                                                                                                                      I     ISOLATION SPRAY
                                                              !NOTE 61 NOTES:

INOTE 6) <NOTE 61 INOTE 6J <NOTE 61 INOTE 61

                                                                                                                                                                                                                                                            !NOTE m l::=_

I. TWO MOMENTARY CONTROLS, OPERATING Of EITHER 6. COMPONENTS ARE ALL INDIVIDUALLY SEALED IN CLATCHEDJ. SO q_ LIGHTS SHOULD BE PROVIDED IN THE CONTROL CONTROL WILL ACTUATE. THAT LOSS Of THE ACTUATION SIGNAL WILL NOT CAUSE THESE ROOM FOR EACH STEAMLINE STOP VALVE TO COMPONENTS TO RETURN TO THE POSITION HELO PRIOR TO THE INDICATE WHEN THE VALVE IS REALLY CLOSED

2. TWO MOMENTARY CONTROLS, ACTUATION IS EFFECTED ONLY IF ADVENT OF THE ACTUATION SIGNAL. OR FULLY OPEN.

BOTH CONTROLS ARE OPERATED SIMULTANEOUSLY.

3. ONE MOMENTARY CONTROL PER LOOP ON THE CONTROL BOARD. 7. FEEOWATER ISOLATION INCLUDES THE TRIPPING OF ALL MAIN 10. ALSO CLOSES THE BYPASS VALVE IN PARALLEL FEEDWATER PUMPS. WITH THE ASSOCIATED STEAM LINE STOP VALVE.

4. CONTAINMENT PRESSURE 8ISTABLES FOR SPRAY ACTUATION ARE ENERGJZE*TO-ACTUATE IOTHER BtSTABLES ARE OE-ENERGIZE-TO- 8. THE REDUNDANT MANUAL RESET CONSISTS OF TWO P<<JMENTARY II. THE MANUAL ACTUATION CIRCUITS FOR SPRAY ANO ACTUATE>, CONTROLS ON THE CONTROL BOARD. ONE FOR EACH TRAIN. THE CONTAINMENT ISOLATION PHASE B ARE NOT REDUNDANT.

MANUAL RESET CONTROLS ARE SUPPLIED BY OTHERS. TRAJN A SHOWN. TRAIN 8 IS SIMILAR.

5. ENCLOSED CIRCUITRY IS NOT PART OF THE SAFEGUARDS SYSTEM THIS UFSAR FIGURE SUPERSEDES FIGURE OF SAME NO.REV.22 FIGURE 7.2-1 INSTRUMENTATION AND CONTROL SYSTEM LOGIC DIAGRAM, SH. 8 (BVl 01.020-0065, REV. E. BVl LSK-005-015A, REV. 13 & BVI LSK-005-015B, REV. 13)

BEAVER VALLEY POWER STATION UNIT NO.I UPDATED FINAL SAFETY ANALYSIS REPORT

REV 33 TAVG TAVG TAVG LOOP 1 LOOP2 LOOP3 C-4 C-3 LIT LIT LIT OVER- OVER-C-2 C-1 I I LOOP 1 LOOP 2 LOOP3 HIGH FLUX HIGH FLUX I POWER TEMP. (1/4) (1/2) I lff LIT (POWER INTERMEDIATE I I I I ROD BOTTOM SIGNAL (2/3) (2/3) RANGE) RANGE I I I I r-ANY FULL LENGTH ROD (SHEET 5) (SHEET 5) (SHEET 4) (SHEET 4) I I I I FROM ROD POSITION I I I I t-@ INDICATION SYSTEM I I I I

                                                                                                                                                      ©-1 I                                                                                                                      I          I t-I          I
                                                                                                                                                                                                                                      ~-fI'\                                 ©-J
                                                                                                        ~----~--,.--~----1 I
                                                                                                                                                                                                                                          'C;J
                                                                                                                                                                           +-----

I  : I I 7 +-----~---1 I ~

                                                                                                                                                                                                                                                                .tm.:-----+:

POWER RANGE TURBINE FIRST I NEUTRON FLUX STAGE PRESSURE ~-~---1  : _.tf5l;.. fc---- ~ --,.-- I,.~,, I I I I I i tu I SP~Bu I I I

                                                                           --------+                                                                           i                              ~

I I I I +

                                                                                                                                                                                              'fu L_        ~                                                I A

I I u  : u ~ 4g9u c I 1 A 1 I 1---+--- (NOTE 4) (NOTE 4)  : (NOTE 4) 3 A 3

                                                                                               ~

I (NOTE4) (NOTE4) (NOTE4) i I MANUAL I BLOCK I I MEDIAN SIGNAL I I SELECTOR (NOTE 2) I T REF I MEDIAN SIGNAL

                                                                            ---~                I                                                                                                                                                                                      SELECTOR
                                                                                                  --,.IL_---~-@-~R2_--~-+I -*--1-+T~-S--------....,_--------------~
                                                                                                                                         -~

U+T4S>U+T5S> 1-----------,.------------*-------------...... I I

                                                                                                                                                                                                                                                                                             --------------~

l_____~ - ------ ~: ----l-----J L J, I I I r--------- --.---- ------,------------Y Igs ~------- 1 BIAS BIAS ~ BIAS ~ BIAS

                                               =v                                                                           t                 t I                    :                                                                   :                 :                    ~I                          ~I               :~I+                i/4!1+

1g11 ~ A ~ ~ L +~ 1 +~

                                @      lL      -

TO STEAM DUMP CONTROL TO PRESSURIZER LEVEL CONTROL (NOTE 3) I (NOTE 3) (SHEET 10) (SHEET 11) I I NOTES: I I 1. ALL CIRCUITS ON THIS SHEET ARE NOT REDUNDANT. I 2. KQT MAY VARY IN INVERSELY PROPORTIONAL TO LOAD WITH A FIXED I I I LIMIT OR MAY VARY IN TWO DISCRETE STEPS WITH BREAK POINTS BANK D P O S I T I O N - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

• AT 30
• 50% AND 60 TO 80% TURBINE LOAD.

BANK C POSITION _____________ _; __________ ..:,____ I I II II

3. THE SUMMER OUTPUTS HAVE FIXED MANUALLY ADJUSTABLE UPPER LIMITS I I I I I BANK B POSITION -------------~----1  :  :  :  : 4. ALARM 1 AND ALARM 3 MUST HAVE REFLASH CAPABILITY.

FIXED MANUAL ROD SPEED BANK A POSITION - - - - ---r-@--7 t-+@r-+ t-+@-+ t-+@r-t II ~-J L~_J L~_J L~J I I I I AUTO-MANUAL SELECTOR SWITCH r-- r-- r-- r-- I I I I I I I I I I I I I I I

                                                               ---(D lcii:E 'Tcf9 E RODS IN RODS OUT ANALOG ROD SPEED (1)       1..@ 1..
           "'-----------V SIGNAL                                                                                                                         A
                                         ---------~/                                                                                            LOW       LO-LO             LOW        LO-LO          LOW     LO-LO      LOW     LO-LO                  FIGURE 7.2-1 FULL LENGTH CONTROL BANKS BANK A                        BANK B                 BANK C             BANK D INSTRUMENTATION AND CONTROL SYSTEM LOGIC DIAGRAM, SH.9 (FUNCTIONAL DIAGRAM ROD CONTROLS AND ROD BLOCKS)

BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FINAL SAFETY ANALYSIS REPORT

REV 21

                                                                                                                                                                                                      ^1 BV NE4       0THCK5 STEAM LINE STEAM HEADER '                                   PRESSURE STEAM DUMP                                                                                                                                                                                PRESSURE INTERLOCK SELECTOR                                                                                                                                                                                I               LOOP                                LOOPS SWITCH INOTE 3)                                                                                                                                                                                                   I                                   I STEAM DUMP CONTROL MODE SELECTOR SW STEAM HEADER       5TEAM GCNEGMM      StCAM GENERATOR        6tEO PRESSURE          PRESSURE            PRESSURE-n       PRESSURE CONTROLLER        CONTROLLER          CONTROLLER       CONTROLLER TAVG      STEAM PRESS Kll">>r^S>>          K12" riss
                                                                                                                                                                                                                     "                           "12'^riiS1 I

LOAD REJECTION I /" CONTROLLER! / I MODULATE MODULATE OUL THE LOOP I THE LOOPS Tm6lOOP3 ATMOSPHERIC ATMOSfHERtC ATMOSPHERIC PELIEF VALVE RELIEF VALVE RELIEF VALvE NOTES: STEAM OUMP IS BIOCKEO BY BLOCKING AIR TO THE OUMP VALVES AND VENTING THE DIAPHRAGMS. REDUNDANT LOGIC OUTPUT OPERATES 2 SOUNOIO VENT VALVES IN SERIES TO REDUNDANTLY INTERLOCK THE AIR LINE BETWEEN EACH VALVE DIAPHRAGM AND ITS ASSOCIATED POSITIONER. THE SOLENOID VALVES ARE DE-ENERGIZE TO VENT.CAUSING THE MAIN DUMP VALVE TO CLOSE IN 5 SECONDS. CIRCUITRY ON THIS SHEET IS NOT REDUNDANT EXCEPT WHERE INDICATED REDUNDANT. SELECTOR SWITCH WITH THE FOLLOWING 3 POSITIONS: ON - STEAM DUMP IS PERMITTED BYPASS - t/WG INTERLOCK IS BYPASSEO FOR LOW W

                                                                                                                                                                                                                       - SPRING RETURN.TO ON-POSITION.

OFF - STEAM DUMP IS NOT PERMITTED AND RESET TAvc BYPASS THE REOUNDANT INTERLOCK SELECTOR SWITCH CONSISTS OF TWO CONTROLS s ON THE CONTROL BOARO. ONt FOR EACH TRAIN. THE TWO ANALOG SIGNAL INPUTS COMING FROM IURBINE PRESSURE MUST COME FROM DIFFERENT PRESSURE TAPS TO MEn THE SINGLE FAILURE CRITERION. THE CONDENSER AVAILABLE LOGIC IS TYPICAL ACTUAL MPLEMENTATION MAY BE DIFFERENT. L.I&MT5 SHOULD BE PGOVlDeO IKI THE OOUTOSt. (SCOW FOB EACH DUMP VALVE "TO I>>4O<<1AT6 WhEMTMS VALVE IS PUULX1 CIOSFO OB RiLLV OPBNI. T BY 1 OTHERS MODULATE THE CONDENSER DUMP VALVES ACCORDING

                                                                                                                                                             >ING1TO THg FOLLOWING SEQUENCE

7. OUTPUTS FOR SIGNAL CCWARATORS IIC-408F & TC-4BBPIARE NO LONGER BEING UTILIZED MOOULES ARE RETIRED IN PLACE Si BUKK. 3TM. DUMP M.VES TO MALt> OF THK TftiP OPEN k>> TRlPOPENji. TRIP OPEN K>> TRIP OPEN-^

CON DENVER COH OF THE " OF TM6 ^ OrTME OF THS 4-8 i TCV-MSie6ASiS3 DVJMP VAW COHMMSCft CONDENSER CONDENSER COdOtHSfiR WW e-12 TCV-MSIB6A4iA5ie4iB6 (NOTC 1) OUMP DUMP DUMP VALVESi PCV-MSIBBA, VALVESi TCV-MSI06A4 VALVESi TCV-MSIB6AI1 VALVESt TCV-HSI0EA3l 12-16

              ?CV-MSlB6ftiB.-BI A2ft&B2S7            A7:BliB5             16-20 RlbUNOANT-                                                            (HOTB Oii FK3URE 7.2-1 INSTRUMENTWION AND CONTROL SYSTEM LOGIC DIAGBIAM, SH.1O (8700-01.020-0067, REV. F)

BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED HNAL SAFETY ANALYSIS REPORT

3 6 o 6l E o c0

                                                                                        *lir=  {9F deB*

i0 l l#t I tFq I l,ll,

                                                                                                              );$
                                                                                 -- T--- -?-

Ir$, e r' i l =i EE6'6) 5

                                                     >@+

z g o

                                      '+9 s,

z o n o ct { F x itt

                                                                    'l'l n   il$fri                                    . G ior                                                ,

ir t: otj l0 if;ni i \ \!r {zx l :I i,r ile

                                                                                                           't t

I

                                                                                                            /

J i? 6< tlo - al no a - rQ i- :t ),

                                                              -l ,.                               gtrz I                   -d                   {

I l a tt ' a r< z p

                  ,r'fii4                                     J I

I inf;iiP 0$68 9; a,r*l iu99 UY Y'llF,

                  >z Z1 Jt           nro                                                  li'6
                      'tm o z r 0

gf;id ii^ gly I 4iri l *--+--o e sbizi j/".l---i i I;* 3l I " 4 - -l t p l t " g r----i F-r-*Jrrl l; ) F--J  ;  ; I r! ffif rfr II i r @(lr H r l 'i il I l--r-Tln5 I *-l-'_1. i :@llr F:l t I f' lr

                                                                                                   @l'
  =;maE:c r

ln FI r 'E E <?a o o F{ iir ci aii lillEi' I n"

                                                      !6o o - 6
                                                      @ f , r Z=

in m o-ro t'

                                                .q r

{ ffiFgi; a z

  -<o    l=   o 3i=fl?

atrz

       )'-:!

r 6c Ha 7 T

  #=          4                                                                                                              m 3=ry nc)         -\'
  -{.

t\ s

c o N e o o o .o iEi a

                                                                                                         ,o

{ lr l;I t o t-g E  ? I sr<qrD li ,l r o o=i!= o

                                                    .f                                           aq q rt I                                              {

r iD n 1 I It ,B ftt; ,o r I { li;g H i3 c t t.

                        !;5*              i{     6 t>

F:5 fi gFHl t ut , d - t FEiE e iFi @ x a

                                       $:t                                                              a F

T i t t'l t e IgFl ,It !1

                                                                                           =rl ili "l*

iEHi

Ft

l gf, I

flBa ili"' i  ? I t: Fl irir

                       ;EE                                                                     arl 3 I

HE; o u f;a tJi

                       $ 3;                                       1 IEF a o .a lrr fD
                                            ? ,

fiFHE F t t n a t I o I 3t{ at tl t r c llr ur 0e t I c, It a! ri a

                                            , ,rl                                             ^o-l3:i            i t

v. li t !r,l a < tro

                                                                                                              -o

t rt nlt iEEl!-- ;a

                                                                                                             -l t1          C6
                                                                                                             'D i g ; t tr h AP                                                            ;!           F{

tl

                                      ;                                                                          l, a                                                                   !

lr} tr I t !i 3 i q I I fi l' o 'r

                                              ;r       {

I o s 2 tt .l

                                                       ,                                            D        J.

I i.arl o e ll t ar -l

                                       'r ! <

lr t D fi { a a o 26 { E! ao t F 3 c(p:E+r=Tl 3S ild848 3 q, f;f;*=:eH o

                                                                                                       ,g J

n I n I

  *r           ?ra3l                                                                                  0     i FI                                                                             r..n9 dFSE                                                              r ct--.
  ! Pt         l692 in >3' ru J.<.

fiH {ilu si (}c

  =n                                                                                z,+?
                 -o :                                                  -r-r tt F og             f;H                                                                   'f F3 fri                                                               tir; 62             EP ac             H a nZ             Td m
  . I l-r {r l       {

T Ei3 m N) m

r c e N (9 e o s h I

i. gE

                                                                                                   . c

EF i5E !F

                                                              ..1=!

i1 i 8=g I gF3 u fr*sII I

                                                                                              .-t i

4 D 3 o A E D o Eii;f; t tr j I

                                                                    $6; I

o! 63n-  : 2<;IlE I

                                                                    $6;

9 B E E- - - - i -

                                        -iEslq             I                                    -

Ydfg'; bD i <t i iiJi EEe At to 8s' 9 . c ' e! 6 -eE72 ii I:

                                                     \
                                                                                 -FI_rg
                                                                                   --PE =fr r'-l                   s 3fiEf;                                          f, 1gr          - :Bei s

2 or

                                                                                      ^I fl
                                                                                 '-1  rl . I ti
                                                                                 ) t'

( , !

                                                                                 . BMH   l a

ao i* E o z t

                                                                                                        ,{

o 4 cq' c . )a F - T l fl! ?iAqF qiseif;sisia!*i**ssi

• aE

                                                                           *Eo ilfi F::CF ilfEleElFsHislde;qF$                                          lsi 86
  ;FeFF3il            Eg            E
                      't$EE;ig;EiEiiiiEfr
  ;;   HFi=

ifi dH-i E:l=Ei: EEs EiilE iE

       =e g;g                FIIEgii
                             *i,;gll tt
  ,6P qF? ili           f n

iz s3 m-{ -l m Tm oz,  ? Ic)

  -l'                                                                                                      N)

CO

REV 12(1-94) M GCMCRATO* Z steam Loss op rcwee CONTAINMENT ISOLATION SAFETY INJECTION 2/3 LOW tOW ZfS LOW VOW 3/3 tow low PHASE A SIGNAL (SHKCT l) ( 7) (SHEET 6 > (SHEET 8) BV 10NG ay f others OTHEI art oTHen<< awsac OTHERS MANUAL START COMTROL ROOM MOT EEDWNOANT BLACKOUT SlGMAL, MANUAL START SHUTDOWN BWEL BLACKOUT MANUAL STOP MMUUAL COMTROU MAMMAL CONTROL COWTROL ROOM CONTROL ROOM CONTROL, ROOM MANUAL STOPSOTDOWN (More e) ma fhiOTt 6> MANUAL CONTROL LOCAL MANUAL CONTROL u LOCAL (MOTES t-if.) CNOTfiS 2(C)  !. TRAIN A CONTROLS MAFP 1. BREAKER #

              *MS4C STAftT (KOTE TRAIN 8 CONTROLS MAFP I. BREAKER

2. LOCAL CONTROL OVERRIDES ALL OTHER SIGNALS.

MANiML, START.CONTROL, ROOM(N0TC7; 1 LOCAL OVERRIDE ACTUATES ALARM IN CONTROL ROOM. MOTOR ORIVC.M TURBINE DRIVEM MM. FEED rUMP Am. fcco pump 4. OPEN/SHUT INDICATION IN CONTROL ROOM. FEED VALVES SYSTEM VALVt 5. MOTOR OPERATING LIGHTS IN CONTROL ROOM. TURBINE SPIED 6. INDIVIDUAL FOR EACH VALVE. MANUAL STOP CONTROL ROOM (*NOTe 7} 4> CONTROL.

7. INDIVIDUAL FOR EACH PUMP.

MANUAL 3TOP,{8J3g?<< (NOTES 2.3*7;

                                                                                                                                                                         <<. THE TURBINE SPOD CQNTROl IS TYPICAL ACTUAL IMPLEMENTATION MAY MOT INCLUDE SP££O CONTROL PIPE TUNNEL                                                                                                       9. SEE FDXBORD OWC& 8700-120-1164,1165, IK^IIBI.

TEMP HIGH STOP I. (w) DRAWMG KSS03B, SH.I4 3TART START _JSTOP TURBINE DRIVEN MOTOR DRIVEN AUX FEED PUMP TURBrwe AU<<. ntO PUMPS DISCHARGE AT DRIVEN OPERATING AUX FCCO PRESSURE PUMP MOTOR DRIVEN FEED PUMPS DISCHARGE AT OPERATING PRESSURE CLOSE BLOWOOWN CLOSE SAMPLE

                                                                              .ISOLATION VALVES                     LINE VALVES                                       FIGURE 7.2-1
                                                                                                      -1 FOR STEAM GENERATORS                                                       msTiujMEiranoN and coktrol system LOGIC DIAGRAM, SH. 14 (8700-LSK-5-15A,5-15B,5-13A,5-13B)

BEAVER VALLEY POWER STATION UNTT NO. 1 UPDATED FMAL SAFETY ANALYSIS REPORT

REV 22 P4 STM. GEN. STM. GEN. P4 REACTOR TRIP HI-HI LEVEL OR SI HI-HI LEVEL OR St REACTOR TRIP TURBINE POWER TRAIN B CSHEET 2) TRAIN B (SHEET 13) TRAIN A (SHEET 131 TRAIN A (SHEET 2) (TURBINE FIRST STAGE PRESSURE) Bvf <2)ME>> BY I OTHERS AMSAC TURBINE TRIP E-H O.C. POWER FAILURE MANUAL TURBINE TRIP CONOENSER VACUUM TURBINE BRC.OIL TURBINE PROTECTION TRIPS OVERSPEEO (AS REQUIRED BY OTHERS) MM Q COW AAlTQ

. STOP Oik PBHftWRt WCDtfNDANT TUAOIMC RVM6ACM LJ VIA LOAO MOT REDUMOAMT MOT BlOttMOAMT C-4 C-3 OVF.BIF.MPFRTIJRE                OVERPOWER AT   12/31 AT 12/31 i?e-?/opci                                                                                                                                                         :SHFET Ol                      ISHEEI 51 dump                                                                                                                                                                                                          NOTES:

THESE SIGNALS INDICATE THE CLOSING OF THE STOP VAIVES. POSITION DETECTION 15 ACCOM PLISHED BV 2 SWITCHES PER STOP VALVE ONE FOR EACH TRAIN. REDUNDANCY IS INDICATED IN REGARDS TO E INTERCEPTOR

                                                                                                            ~l    WDUHOOKT                                                                                                   REQUIREMENTS ONLY.

OPEN/SHUT INDICATION IN CONTROL ROOM. TIM VALVES RCLAY LOOIC (CTCLlO THE REMOTE DISPATCHING IS TYPICAL ACTUAL IMPLEMENTATION MAY NOT INCLUDE REMOTE Ito-60 sec. DISPATCHING. GENERATOR MOTORING PROTECTION SHOULO NOT DEFEAT THE 30 SEC OELAY. SEE FOXBORO DWGS. 8700-I.2O-1164,1165. 1166 & 1161. TO DEFEAT REMOTE AUXILIARY RUUCft LOAD RCFKRCMCC DISPATCHING BUS 1RANSFER AT 20O M PCR HlHUTt (NOTE 4> I8Y OTHERS) C6Y OTMBRS) MOT REDUNDANT 7 FIGURE 7.2-1 INSTRUMENTOION AND CONTROL SYSTEM LOGIC DIAGRAM, SR 15 (8700-01.020-0072. REV. G) BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FINAL SAFETY ANALYSIS REPORT

REV. 21 COV.D LBS. LOOP RELIEF COLD LEG LOOP Reuep pouo leg loop STOP VALVS STOP VALVB SELECTOR SWITCH SBLBCTOtt SWITCH FLOW 8BL6CTOH SWITCH p; (NOTES) NOTES: THE ENCLOSED CIRCUIT MEHS THE PROTECTION REDUNDANCY REQUIREMENT BY COMBMINC SIGNALS FROM THE HOT AND COLD LEG. POSITION DETECTION IS BY i INDEPENDENT LIMIT SWITCHES FOR EACH VALVE POSITION. SIGNALS ARE REQUIRED IN BOTH TRAINS BEFORE THE ACTUATION IS PERMITTED. LOSS OF SIGNAL TO THE TIME OELAY WILL CAUSE THE TIMER TO RESCT TO THE BEGINNING OF THE CYCLE. flOW OETECTIOtl FOR EACH LOOP IS BY 2 INDEPENDENT SWITCHES. ONE FOR EACH TRAIN. THE BYPASS VALVE OPEN SIGNAL INTERLOCK OF TriE PERMIT START OF RCP IS NOT TOR REACTOR PROTECTION AND IS NOT REDUNDANT. OPEN/SHUT INDICATION IN CONTROL ROOM. THIS UFSAR FIGURE SUPERSEDES FIGURE OF SAME NUMBER REV. 4 FIGURE 7.2-1 iNSTmiMEtrnnoN and control system LOGIC WAGRAM, SH.16 (8700-01.020-0073, REV. E) BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FMAL SAFETY ANALYSIS REPORT

l REV. 20 I F (A0) A0 A2 0 A

                                       *l
     - NEUTRON FLUX DIFFERENCE BETWEEN UPPER AMD LOWER LONG ION A0 CHAMBERS.

At,A2 - LIMIT OF F(A*) DEAOBAND B,,B2 - SLOPE OF RAMP; DETERMINES RATE AT WHICH FUNCTION REACHES IT*S MAXIMUM VALUE ONCE DEADBAMD IS EXCEEDED C!FC2 - MAGNITUDE OF MAXIMUM VALUES THE FUNCTION MAY ATTAIN FIGURE 7.2-2 SETPOINT REDUCTION FUNCTION FOR OVERTEMPERATURE OELTA-T TRIPS BEAVER VALLEY POWER STATION UNIT NO. 1 UPOATED FINAL SAFETY ANALYSIScREPORT PREPARED OH CAEOOt THE OtSU

o o 60 56 52 legfho: OVENTEl'PERAfUftE \ LINES FOR N VARIOUS PftESSUHES \ OHBR L'MTS TOR VARIOUS J I I 560 570 580 590 600 610 620 630 6*10 FIGURE 7.2-3 TYPICAL OVERPOWER, OVERTEMPERTURE AT PROTECTION BEAVER VALLEY POWER STATION UNIT 1 UPDATED FINAL SAFETY ANALYSIS REPORT

REV. 22 NOTES;

1. TEMPERATURES ARE MEASURED AT STEAM GENERATOR'S INLET AND REACTOR COOLANT PUMP OUTLET

2. PRESSURE IS MEASURED AT THE PRESSURIZER TH AVG AVC COLO l£G COLO LEG COLO LEG AVERAGE' TEKPERTURE AVERAGE TEMPERTURE AVERAGE TEMPERTURE UNIT LOOP! (MIT LOOP Z UNIT LOOP 3 TAVO TAVO MEDIAN SIGNAL SELECTOR TO STEAM DUMP TO PRESSURIZER LEVEL SYSTEM - PROGRAMMER KUCLEARFLUX SIGNAL TURBINE LOAD SIGNAL TURBINE LOAD SIGNAL LEAD-LAG POWER MISMATCH COMPENSATION UNIT COMPENSATION UNIT AVERAGE TEMPERATURE PROGRAMMER MANUAL ROO CONTROL ROD SPEED UNIT ROO DRIVE POWER 4 REOUN MN1 REACTOR TRIP NOTEi BREAKER 1 AUTOMATIC ROO SEQUENTIAL ROD WITHDRAWAL CONTROL UNIT IS OISABLED (AUTOMATIC CONTROL) 1 t

REACTOR TRIP BREAKER 2 PERMISSIVE CIRCUITS (ROO INTERLOCK) CONTROL ROD ROO I ACTUATOR DRIVE POWER FIGURE 7.7-1 CONTROL ROD DRIVE MECHANISM SIMPLIFIED BLOCK DIAGRAM OF REACTOR CONTROL SYSTEM BEAVER VALLEY POWER STATION UPDATED FINAL SAFETY ANALYSIS REPORT

REV. 20 LOW ALARM A LOW-LOW ALARM

                                                                  /ALA         A ZLL*A<*T>MEDIAN+
                                                                 / l\        /
                                                                               /A
                                                                                -2 >

COMPARATOR 1

                              + C UV MEDIAN*                NOTE 3 COMMON FOR ALL FOUR CONTROL BANKS BANK POSITION SIGNAL      z DEMAND BANK COUNTER               TYPICAL OF ONE CONTROL BANK NOTEi 1. ANALOG CIRCUITRY IS USED FOR THE COMPARATOR NETWORK

2. COMPARISON IS DONE FOR ALL CONTROL BANKS

3. MEDIAN AT IS USED FOR CONTROL BANKS 'C AND '0' ONLY. BANKS 'A' AND 'B' REFERENCE A CONSTANT BANK POSITION.

FIGURE 7.7-2 CONTROL BANK ROD INSERTION MONITOR BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FINAL SAFETY ANALYSIS REPORT PREPARED OV^fc? CAEDU the atsu cM*Ssr&W

I REV. 0 (1/82) ALARM DEMAND BANK SIGNAL (ROD CONTROL) INDIVIDUAL RCD POSITION COMPARATOR READING (LVDT) OF THOSE RODS CLASSIFIED AS MEMBERS OF THAT SANK NOTE: I. DIGITAL OR ANALOG SIGNALS MAY 8E USED FOR THE COMPARATOR COMPUTER INPUTS.

2. THE COMPARATOR WILL ENERGIZE THE ALARM IF THERE EXISTS A POSITION DIFFERENCE GREATER THAN A PRESENT LIMIT BETWEEN ANY INDIVIDUAL ROD AND THE DEMAND BANK SIGNAL.

3. COMPARISON IS INDIVIDUALLY DONE FOR ALL CONTROL BANKS.

F16URE 7.7-3 ROD DEVIATION COMPARATOR BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FINAL SAFETY ANALYSIS REPORT

1 REV. 0 (1/82) PRESSURIZER PRESSURE SIGNAL REFERENCE PRESSURE y (>7 3I) (-> PID CONTROLLER REMOTE MANUAL POSIT ION ING r SPRAY CONTROLLER y t i POWER RELIEF POWER TO BACKUP TO VARIABLE VALVE #\ RELIEF HEATER HEATER VALVE CONTROL CONTROL n FIGURE 7.7-4 BLOCK DIAGRAM OF PRESSURIZER PRESSURE CONTROL SYSTEM SEAVER VALLEY POWER STATION UNIT NO. 1 JPOATED FINAL SAFETY ANALYSTS REPORT

REV, 8 (1/90) MEDIAN PRESSURIZER LEVEL SIGNAL 1 REMOTE MANUAL CONTROL

                                  \

1 >>>> PI CONTROLLER TO Bl HEATER y f CHARBIN6 FLOW CONTROL VALVE PO8ITION AND/OR CHARQINB PUMP SPEED FIGURE 7.7-5 BLOCK DIAGRAM OF PRESSURIZER LEVEL CONTROL SYSTEM BEAVER VALLEY POWER STATION UNIT 1 UPDATED FINAL SAFETY ANALYSIS REPORT

REV 22 TURBINE FIRST STAGE PRESSURE NOTEt CONSTANT LEVEL = 447. LEVEL PROGRAMMER STEAM GENERATOR WATER LEVEL SIGNAL. STEAM FLOW FEEDWATER PROGRAMMED SIGNAL FLOW SIGNAL FILTER SET POINT REMOTE MANUAL N.R. STEAM FLOW, POSITIONING GAIN UNIT PI CONTROLLER

                        £
         <<. PI CONTROLLER                             PI CONTROLLER MAIN FEEOWATER                            BYPASS FEEOWATER CONTROL VALVE                             CONTROL VALVE DYNAMICS                                   OYNAMICS MAIN FEEOWATER                             BYPASS FEEOWATER CONTROL VALVE POSITION                       CONTROL VALVE POSITION FIGURE        7.7-6 BLOCK DIAGRAM OF STEAM GENERATOR WATER LEVEL CONTROL SYSTEM BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FINAL SAFETY ANALYSIS REPORT

STEM DUMP CONTROL IN MANUAL REV 21 MEOIAN (STEAM PRESSURE CONTROL) TAVQ TURBINE FIRST TAYG REFERENCE r STAGE PRESSURE HO-LOAD TAVQ RATE/LAO COMPENSATION LEAO/LAO TURBINE COMPENSATION TRIP LOAD REJECT I OH BISTABLE (-)( I )<>{+) (-) DEFEAT LOAD REJECTION STEAM DUMP CONTROL; ALLOW PUNT TRIP STEAM DUMP CONTROL BISTA8LES BISTABLES' STEAM (1) HEADER PRESSURE SET PLANT TRIP PRESSURE CONTROLLER LOAD REJECTION CONTROLLER n STEAM DUMP PI CONTROLLER CONTROL T LOAD REJECTION CONTROL OR PLANT TRIP CONTROL TRIP OPEN STEAM DUMP VALVES I J HIGH CONDENSER BACK PRESSURE AUTO (TAVQ OR ALL CIRCULATING WATER MANUAL CONTROL) PUMP BREAKERS OPEN

        ' ' 1 (STEAM PRESSURE AIR SUPPLY TO         CONTROL)

DUMP VALVES BLOCK AIR SUPPLY TO MODULATE CONDENSER CONDENSER DUMP VALVES DUMP VALVES NOTES: (1.) THIS BISTABLE IS OEFEATEO. FIG. 7.7-7 BLOCK DIAGRAM OF STEAM DUMP CONTROL SYSTEM BEAVER VALLEY POWER STATION UNIT 1 UPDATED FINAL SAFETY ANALYSIS REPORT

I REV. 0 (1/82) SAFETY SWITCHES-LIMIT SWITCHE 5-PATH TRANSFERS INTERCONNECTING DRIVE TUBING UNITS O-PATH TRANSFERS SEAL TABLE FI6URE 7.7-8 BASIC FLUX - NAPPIN6 SYSTEM BEAVER VALLEY POWER STATION UNIT NO. UPDATED FINAL SAFETY ANALYSIS REPORT

RE V 32

                                                                                                                                                                                                      ~I r

VERTICAL BO ARD I MAIN ENTRANCE DC DIS T PN L CONTROL ROOM NO i PNL-DCI

                                              'f
                                              "'+---+-++--,
                                              "'.,_,,~-,--t- 1:,---c RTSR*l SEISMIC MONITOR ING CAB INET <lER-CCC-ll VIB-MON-8 1(pNL*BL[)(,-SERV)

I CO NTRO L ROOM NOTE 7 t--------+;E EL 7 13'*6" SECT 1-i" SCALE 3/4,t'-0" _____.,_.F PNL*AC

• BB NOTES PNL -AC-6A--->-"7 OFFICE 1. DELE TED TRF-PW R-8 _ ___,__r TOILET 2. DELETED 3.CIRCLES NOT IDENTIFIED ARE FOR REFERE NCE ONLY.

NO TE 8

4. PANEL IS SECURED TO FLOOR WITH !j,~ I H\LTl QUlCI<

1~f+ft mt\tt?o~j-~l4i~~'/&&}~~tH OF BOLTS 5 . DELETED 6 . DELETED IPC- IPC-RK- RK- 6 . DELETED MISC VB

7. FOR CONTROL ROOM OPERATOR CONSOLES ANO EQUIPMENT PNl*VITBUS*2 LAYOUT REFER TO 2010. 910-000-002.

COM ~UTE/? / RK-CMP) 8. FOR COMMUNICATOR STATION L AYOU T REFER TO 2010.910-000-002. IPC-RK-RK-CMP-

                                                                                                  ~~P-    RK-CMP-0 1 RK-CMP-00  ~~- ~~-

9. L OCATED INSIDE PC DESK <REF . 2010.9 10-000-002,J DC DIST PNL CR 03 02 CPUB CPUA N02 (TRAIN B). 8700-01 .040-0001 COMPUTER RM

( PNL*OC-~ cos

REFERENCES:

                                                            '---+-II--+-',___ _ _ __. '---------'-----~"~'-'"-'T.....;.'-'-"~""~"~"--....1.-4---'l~                                                      51LL 0.TAILS & FLOOR CFEHU<<3S ARRGT -S.:;A RM SHEETS I & 2 RE*38A RE-278 & 27C CND PLAN SEC ALARM STATION                    RE 6'1EL MAIN STM. MON ITORING MICRO                                                                                                                                                            DET. CCTV CA EN T ENCLCl3URE                  RE 64EL
                  ~~~~ - ~ANEL DL-MS!00            f------'                                                                                                                                              MCA PLAN VI EW EQU I PMENT LAYOU T            2010 .9\0-000-002 PLAN- EL 735' 6" SCALE   Y+"*/'0" FIGURE 7.8-1 CONTROL AND COMPUTER ROOMS ARRANGEMENT BEAVER VALLEY POWER STATION UNIT NO. I UPDATED FINAL SAFETY ANALYSIS REPORT m:\ul\re0270a0.d37

REV. 0 (1/82) BILL Or MATERIAL WCHWCWCC8

                                                                                                                                                              >>    NO              MKWMIDM I. i&WrilC    IITOO-I.I2-P4C                        t                         >>iiiimitaMl       >>>>ot          l*k<<vr<<J( '*O liwliwi *>>**

1. WIRING 0IAG.0WC--aR)0-Rr-S(<< _!* 4 rawrttl^ To fc^impn* >

A. 4 2 tm **<<>>>>*>> f<<-P->>>> f<<.>>. **

                                                                                                                                                         >>                  I. K<<..t~ Mf<<<* MB- k->><<           r<<t>> O>>a>>f <<<<.raif*.<<W>>.n T<<-<<4ft<<OV*K T<<-HtlO<<>>

3. row LOCATION Or SHUTfK PNLS <<1E - M7O(i-R(-34AD a 2t_£s M>>,-rH<<.r ^

MP<<tfMlflC MOl-tMlfO MOD > p<<J I9t ^ i. 0 P<<t COa-.,- :is... r. 1

                                                                                                                                                        >. e.-.e. j  1 2

ILi ts '>> I? I* li-' 1 TV **  ?~'<<3. >-^-*** D>>* l

                                                                                                                                                                                                                                     %t-r-it     -

i<< Wntilnnl'litSiM .

                                                                                                                                                                                                                                     /t-t-.Tf'
                                                                                                                                                       ,c C.   ' v p<<<< i i  -.S  .*

T.. (!>><<

                                                                                                                                                                                                                   ** (*:<<(

ff V<<* T" fLSj p <<=t F* *?J tip ci f ci p c o p lo b p-ci a v p ci

• pjg P B ".p. i" T">' '

fM> ** ^* ft <* com r'<k sm. *<A>><<.>> t>i<< e<<-- *- >>* e--P--: -. f.'.C(tl T" camt<<ck iM^afw. 3-*4 nft>>^ *f ma*-*. *r llUWMj Hm-p* ** is 3 <<<<<<<<<<<*< t,p-->><<n>>.i.<<>> 5FTI.T.7. - n << 28 C-VO-'JOv <<** le

                                                                                                                                                                                   >>!        L5!      :

n'fcwwe' si T" si ti-rMATfj < 2 Pr. **<Di<<>>T-.<< 1TM &Eu M*'E% rill 1 Pr IMD'C>>>>3<< STM. fct<<<<. <<<<'l<< .>><<<** i PI-MS4K '

• pt. iuO':<'9' S>> w; - >* B*
• u -ISO*.

M->;pt V tov<<< winUm * *<<*** t-r. UIWWHIMU>>IW" I*" Ml Mf II- Ht**Of-

                                                                                                                                                         *fi-

• 42 PI-KC4%.9* i 1 PT ^PlC^Top p<<T<<t1.1"pw-:-;oAt 4>> Tt-Rc*lV i it- ai41 .

tt 11-KC >&'

• IK. <<io>c>>t:>>

4>> 1 Pt. t*iOtC>>--<<>> U. tn.-:.'.t """<<<< inw>til hum '<<n. \Hn' FI6URE 7-8-2 (RE-25H, REV. 1) SECTtOM A-A INiCRNALS'Bt OUTLINE. EMERGENCY SHUTDOWN PANELS A & B BEAVER VALLEY POWER STATION UNIT NO. 1 UPDATED FINAL SAFETY ANALY6IS REPORT}}