Updated Final Safety Analysis Report, Chapter 7, Instrumentation and Control Systems

ML22257A039
Person / Time
Site:	Grand Gulf
Issue date:	09/08/2022
From:	Entergy Operations
To:	Office of Nuclear Reactor Regulation
Shared Package
ML22257A024	List: ML22251A367 ML22257A005 ML22257A006 ML22257A007 ML22257A009 ML22257A010 ML22257A011 ML22257A013 ML22257A014 ML22257A015 ML22257A016 ML22257A017 ML22257A018 ML22257A020 ML22257A021 ML22257A022 ML22257A023 ML22257A025 ML22257A026 ML22257A027 ML22257A028 ML22257A030 ML22257A032 ML22257A033 ML22257A036 ML22257A037 ML22257A039 ML22257A040 ML22257A042 ML22257A043
References
GNRO2022-00027
Download: ML22257A039 (899)
v • d • e

Text

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE OF CONTENTS CHAPTER 7 INSTRUMENTATION AND CONTROL SYSTEMS

7.1 INTRODUCTION

............................................... 7.1-1 7.1.1 Identification of Safety-Related Systems ........ 7.1-1 7.1.1.1 Classification .................................. 7.1-1 7.1.2 Identification of Safety Criteria ............... 7.1-3 7.1.2.1 Design Bases .................................... 7.1-3 7.1.2.2 Independence of Redundant Safety- Related Systems ........................................ 7.1-32 7.1.2.3 Physical Identification of Safety-Related Equipment ...................................... 7.1-43 7.1.2.4 Conformance to Industry Standards .............. 7.1-44 7.1.2.5 Conformance to General Design Criteria ......... 7.1-46 7.1.2.6 Conformance to NRC Regulatory Guides ........... 7.1-47 7.1.2.7 Safety System Settings ......................... 7.1-52 7.1.3 Protection System In-Service Testability ....... 7.1-54 7.1.3.1 General ........................................ 7.1-54 7.1.3.2 Design Basis ................................... 7.1-54 7.1.3.3 General Description ............................ 7.1-55 7.1.3.4 Evaluation ..................................... 7.1-55 7.1.3.5 Surveillance and Testing ....................... 7.1-56 7.1.4 References ..................................... 7.1-56 7.2 REACTOR TRIP SYSTEM - (REACTOR PROTECTION SYSTEM) -

INSTRUMENTATION AND CONTROLS ............................... 7.2-1 7.2.1 Description ..................................... 7.2-1 7.2.1.1 System Description .............................. 7.2-1 7.2.1.2 Design Bases ................................... 7.2-33 7.2.1.3 Final System Drawings .......................... 7.2-38 7.2.2 Analysis ....................................... 7.2-38 7.2.2.1 Reactor Protection System - Instrumentation and Controls ................................... 7.2-38 7.2.3 References ..................................... 7.2-86 7.3 ENGINEERED SAFETY FEATURE SYSTEMS .......................... 7.3-1 7.3.1 Description ..................................... 7.3-1 7.3.1.1 System Description .............................. 7.3-2 7-i LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE OF CONTENTS 7.3.1.2 Design Basis Information ...................... 7.3-100 7.3.1.3 Final System Drawings ......................... 7.3-105 7.3.2 Analysis ...................................... 7.3-105 7.3.2.1 Emergency Core Cooling Systems -

Instrumentation and Controls .................. 7.3-106 7.3.2.2 Containment and Reactor Vessel Isolation Control System - Instrumentation and Controls 7.3-139 7.3.2.3 Main Steam Isolation Valve - Leakage Control System - (MSIV-LCS) - Instrumentation and Controls ...................................... 7.3-164 7.3.2.4 Containment Spray Cooling Mode Instrumentation and Controls .................................. 7.3-172 7.3.2.5 Combustible Gas Control System ................ 7.3-188 7.3.2.6 Feedwater Leakage Control (FWLC) System ....... 7.3-195 7.3.2.7 Standby Service Water System .................. 7.3-200 7.3.2.8 Standby Gas Treatment System .................. 7.3-207 7.3.2.9 Suppression Pool Makeup System ................ 7.3-213 7.3.2.10 Control Room Atmospheric Control and Isolation System .............................. 7.3-219 7.3.2.11 Standby Power System .......................... 7.3-225 7.3.2.12 Heating, Ventilating and Air Conditioning Systems for Engineered Safety Feature Areas . 7.3-225 7.3.2.13 Diesel Generator Auxiliary Systems ............ 7.3-225 7.3.2.14 Additional Design Considerations Analyses ..... 7.3-225 7.3.3 References .................................... 7.3-226 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN ......................... 7.4-1 7.4.1 Description ..................................... 7.4-1 7.4.1.1 Reactor Core Isolation Cooling (RCIC) System

- Instrumentation and Controls .................. 7.4-1 7.4.1.2 Standby Liquid Control System (SLCS) -

Instrumentation and Controls ................... 7.4-11 7.4.1.3 RHR/Reactor Shutdown Cooling System Mode -

Instrumentation and Controls ................... 7.4-17 7.4.1.4 Remote Shutdown System ......................... 7.4-21 7.4.1.5 Alternate Shutdown System ...................... 7.4-26 7-ii Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE OF CONTENTS 7.4.2 Analysis ....................................... 7.4-31 7.4.2.1 Reactor Core Isolation Cooling (RCIC) System

- Instrumentation and Control .................. 7.4-31 7.4.2.2 Standby Liquid Control System (SLCS)

Instrumentation and Controls ................... 7.4-43 7.4.2.3 Residual Heat Removal System - Reactor Shutdown Cooling Subsystem - Instrumentation and Controls ................................... 7.4-51 7.4.2.4 Remote Shutdown System ......................... 7.4-56 7.4.2.5 Alternate Shutdown System ...................... 7.4-62 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION ..................... 7.5-1 7.5.1 Description ..................................... 7.5-1 7.5.1.1 Design Bases .................................... 7.5-1 7.5.1.2 System Description .............................. 7.5-3 7.5.1.3 Bypassed and Inoperable Status Indication ...... 7.5-19 7.5.2 Analysis ....................................... 7.5-23 7.5.2.1 General ........................................ 7.5-23 7.5.2.2 Normal Operation ............................... 7.5-24 7.5.2.3 Abnormal Transient Occurrences ................. 7.5-24 7.5.2.4 Accident Conditions ............................ 7.5-24 7.5.2.5 Compliance with Regulatory/Industry Standards . 7.5-26 7.5.2.6 System Drawings ................................ 7.5-33 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY ...... 7.6-1 7.6.1 Description ..................................... 7.6-1 7.6.1.1 Refueling Interlocks System - Instrumentation and Controls .................................... 7.6-2 7.6.1.2 Process Radiation Monitoring System -

Instrumentation and Controls .................... 7.6-7 7.6.1.3 High-Pressure/Low-Pressure Systems Interlocks . 7.6-10 7.6.1.4 Leak Detection System - Instrumentation and Controls ....................................... 7.6-13 7.6.1.5 Neutron Monitoring System - Instrumentation and Controls ................................... 7.6-31 7.6.1.6 Deleted ........................................ 7.6-45 7-iii Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE OF CONTENTS 7.6.1.7 Rod Pattern Control System (RPCS) -

Instrumentation and Controls ................... 7.6-45 7.6.1.8 Recirculation Pump Trip (RPT) System -

Instrumentation and Controls ................... 7.6-49 7.6.1.9 Spent Fuel Pool Cooling and Cleanup System

- Instrumentation and Controls ................. 7.6-53 7.6.1.10 Component Cooling Water System (Fuel Pool Cooling) ....................................... 7.6-55 7.6.1.11 Deleted ........................................ 7.6-58 7.6.1.12 Auxiliary Building Isolation System ............ 7.6-58 7.6.2 Analysis ....................................... 7.6-60 7.6.2.1 Refueling Interlocks System - Instrumentation and Controls ................................... 7.6-60 7.6.2.2 Process Radiation Monitoring System -

Instrumentation and Controls ................... 7.6-61 7.6.2.3 High-Pressure/Low-Pressure System Interlocks ... 7.6-62 7.6.2.4 Leak Detection System - Instrumentation and Controls ....................................... 7.6-63 7.6.2.5 Neutron Monitoring System - Instrumentation and Controls ................................... 7.6-70 7.6.2.6 Rod Pattern Control System ..................... 7.6-77 7.6.2.7 Recirculation Pump Trip System ................. 7.6-78 7.6.2.8 Spent Fuel Pool Cooling and Cleanup System

- Instrumentation and Controls ................. 7.6-85 7.6.2.9 Component Cooling Water System (Fuel Pool Cooling) ....................................... 7.6-86 7.6.2.10 Deleted ........................................ 7.6-92 7.6.2.11 Auxiliary Building Isolation System ............ 7.6-92 7.6.2.12 Additional Design Considerations Analyses ...... 7.6-97 7.6.3 References ..................................... 7.6-98 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY .................... 7.7-1 7.7.1 Description ..................................... 7.7-1 7.7.1.1 Reactor Vessel - Instrumentation ................ 7.7-1 7.7.1.2 Rod Control and Information System -

7-iv Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE OF CONTENTS Instrumentation and Controls .................... 7.7-9 7.7.1.3 Recirculation Flow Control System -

Instrumentation and Controls ................... 7.7-25 7.7.1.4 Feedwater Control System - Instrumentation and Controls ................................... 7.7-32 7.7.1.5 Pressure Control and Turbine-Generator System

- Instrumentation and Controls ................. 7.7-37 7.7.1.6 Neutron Monitoring System - Traversing In-Core Probe (TIP) Subsystem - Instrumentation and Controls ................................... 7.7-45 7.7.1.7 Core Performance Monitoring System -

Instrumentation ................................ 7.7-47 7.7.1.8 Reactor Water Cleanup (RWCU) System -

Instrumentation and Controls ................... 7.7-50 7.7.1.9 Auxiliary Building Pressure Control ............ 7.7-53 7.7.1.10 Gaseous Radwaste System - Instrumentation and Controls ....................................... 7.7-55 7.7.1.11 Process Sampling System - Instrumentation and Controls ....................................... 7.7.60 7.7.1.12 Startup Transient Monitoring System ............ 7.7-63 7.7.2 Analysis ....................................... 7.7-64 7.7.2.1 Reactor Vessel - Instrumentation ............... 7.7-65 7.7.2.2 Rod Control and Information System -

Instrumentation and Controls ................... 7.7-66 7.7.2.3 Recirculation Flow Control System -

Instrumentation and Controls ................... 7.7-68 7.7.2.4 Feedwater Control System - Instrumentation and Controls ................................... 7.7-71 7.7.2.5 Pressure Control and Turbine-Generator System

- Instrumentation and Controls ................. 7.7-72 7.7.2.6 Neutron Monitoring System Traversing In-Core Probe Subsystem (TIP) - Instrumentation and Controls ....................................... 7.7-73 7.7.2.7 Core Performance Monitoring System -

Instrumentation ................................ 7.7-74 7.7.2.8 Reactor Water Cleanup System -

Instrumentation and Controls ................... 7.7-74 7-v Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE OF CONTENTS 7.7.2.9 Auxiliary Building Pressure Control ............ 7.7-75 7.7.2.10 Gaseous Radwaste System - Instrumentation and Controls ....................................... 7.7-76 7.7.2.11 Process Sampling System - Instrumentation and Controls ....................................... 7.7-77 7.7.3 References ..................................... 7.7-77 7-vi Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF TABLES Table 7.1-1 System Identification and Responsibility (3 Sheets)

Table 7.1-2 Similarity to Licensed Reactors (11 Sheets)

Table 7.1-3 Identification of Safety Criteria (2 Sheets)

Table 7.1-4 Deleted Table 7.1-5 Deleted Table 7.1-6 Deleted Table 7.1-7 Deleted Table 7.1-8 Deleted Table 7.1-9 Deleted Table 7.1-10 Reactor Protection System and Deenergize-to-Operate Sensor Suffix Letters and Division Allocation Table 7.1-11 Four Division Grouping of the Neutron Monitoring System Utilizing Four Drywell Penetrations Table 7.1-12 Emergency Core Cooling System, Core Standby Cooling and RCIC Sensor Suffix Letters and Division Allocation Energize-to-Operate Table 7.1-13 System and Subsystem Separation Table 7.2-1 Reactor Protection System Instrumentation Specifications (2 Sheets)

Table 7.2-2 Deleted Table 7.2-3 Deleted Table 7.2-4 Deleted Table 7.2-5 Deleted Table 7.2-6 Deleted Table 7.2-7 Reactor Mode Switch RPS Function Bypasses and Interlocks (2 Sheets)

Table 7.3-1 Auxiliary Supporting Systems Requirements Table 7.3-2 High Pressure Core Spray System-Instrument Specifications Table 7.3-3 Automatic Depressurization System-Instrument Specifications 7-vii Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF TABLES Table 7.3-4 Low Pressure Core Spray-Instrument Speci-fications LPCS and LPCI A Loop Table 7.3-5 Low Pressure Coolant Injection-Instrument Specifications Loops B and C Table 7.3-6 Deleted Table 7.3-7 Deleted Table 7.3-8 Deleted Table 7.3-9 Deleted Table 3-10 Containment and Reactor Vessel Isolation Control System Instrumentation Specifica¬tions (2 Sheets)

Table 7.3-11 Deleted Table 7.3-12 Deleted Table 7.3-13 Combustible Gas Control System Actuation Instrumentation Summary Table 7.3-14 Combustible Gas Control System Actuated Equipment List (2 Sheets)

Table 7.3-15 Combustible Gas Control System Failure Modes and Effects Analysis (3 Sheets)

Table 7.3-16 Feedwater Leakage Control System Actuation Instrumentation Summary Table 7.3-17 Feedwater Leakage Control System Actuated Equipment List Table 7.3-18 Feedwater Leakage Control System Failure Modes and Effects Analysis Table 7.3-19 Standby Service Water Initiating Signals Table 7.3-20 Standby Service Water System Actuated Equipment List (5 Sheets)

Table 7.3-21 Standby Service Water System Failure Modes and Effects Analysis (2 Sheets)

Table 7.3-22 Standby Gas Treatment System Actuation Instrumentation Summary Table 7.3-23 Standby Gas Treatment System Actuated Equipment List (2 Sheets)

Table 7.3-24 Standby Gas Treatment System Failure Modes and Effects Analysis (2 Sheets) 7-viii Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF TABLES Table 7.3-25 Suppression Pool Makeup System Actuation Instrumentation Summary Table 7.3-26 Suppression Pool Makeup System Actuated Equipment List Table 7.3-27 Failure Modes and Effects Analysis Sup¬pression Pool Makeup System Table 7.3-28 Control Room Atmospheric Control and Isolation System Actuation Instrumentation Summary Table 7.3-29 Control Room Atmospheric Control and Isolation System Actuated Equipment List Table 7.3-30 Control Room Atmospheric Control and Isolation System Failure Modes and Effects Analysis Table 7.3-31 Drawing Comparison Table 7.4-1 Reactor Core Isolation Cooling Instrument Specifications Table 7.4-2 Reactor Shutdown Cooling Bypasses and Interlocks Table 7.4-3 Controls on Remote Shutdown Panel (2 Sheets)

Table 7.4-4 Remote Shutdown Panel Display Instrumen¬¬tation Table 7.4-5 Auxiliary Supporting Systems Requirements (5 Sheets)

Table 7.4-6 Controls on Appendix R - Alternate Safe Shutdown Panels (1 Sheet)

Table 7.5-1 Safety-Related Display Instrumentation (5 Sheets)

Table 7.5-2 Post-Accident Monitoring Instrumentation (18 Sheets)

Table 7.6-1 Refueling Interlock Effectiveness Table 7.6-2 Process Radiation Monitoring Systems-Instrument Characteristics Table 7.6-3 SRM System Trips Table 7.6-4 IRM Trips Table 7.6-5 LPRM System Trips Table 7.6-6 APRM System Trips 7-ix Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF TABLES Table 7.6-7 Recirculation Pump Trip System Time Response (Design)

Table 7.6-8 Deleted Table 7.6-9 Component Cooling Water System Actuation Summary Table 7.6-10 Component Cooling Water System Actuated Equipment List Table 7.6-11 Deleted Table 7.6-12 Auxiliary Building Isolation System Actuated Equipment List (5 Sheets)

Table 7.6-13 Auxiliary Supporting System Requirements Table 7.6-14 Reactor Coolant Pressure Boundary Leak Detection Table 7.7-1 CRD Hydraulic System Indicators Table 7.7-2 Deleted 7-x Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF FIGURES Figure 7.1.1 RPS Separation Concept Figure 7.1-2 Schematic Arrangement of RPV Nozzles for ECCS and Instruments Figure 7.1-3 Deleted Figure 7.1-4 NSSSS Separation Concept Figure 7.1-5 Main Steamline Isolation Separation Concept Figure 7.1-6 RCIC Sensor Separation Scheme Figure 7.1-7 Block Diagram Master Trip Circuit Figure 7.1-8 Block Diagram Slave Trip Circuit Figure 7.1-9 Block Diagram Calibration Unit with Remote Display Figure 7.1-10 Instrument Set Point Specification Basis Figure 7.2-1a Reactor Protection System IED Figure 7.2-1b Reactor Protection System IED Figure 7.2-1c Reactor Protection System IED Figure 7.2-2 Reactor Protection System Scram Functions Figure 7.2-3 Arrangement of RPS Channels and Logic Figure 7.2-4 Actuators and Trip Logics (Schematic)

Figure 7.2-5 Logics in One Trip System (Schematic)

Figure 7.2-6 Relationship Between Neutron Monitoring System and Reactor Protection System Figure 7.2-7 Configuration for Turbine Stop Valve Closure Reactor Trip Figure 7.2-8 Configuration for Main Steam Line Isolation Reactor Trip Figure 7.2-9 LPRM Channel Arrangement in the Core and APRM Channel Assignment (Sheet 1)

Figure 7.2-10 LPRM Channel Arrangement in the Core and APRM Channel Assignment (Sheet 2)

Figure 7.2-11 Block Diagram - RPS Protective Circuit -

Electrical Protection Assembly (EPA)

Figure 7.2-12 Configuration for Scram Discharge Volume High Water Level Scram Trip Figure 7.3-1 ECCS - Mechanical and Instrumen-tation Network Models 7-xi Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF FIGURES Figure 7.3-2 Trip System ADS, LPCS, RHR A Figure 7.3-3 Trip System RHR B and C, HPCS, RCIC Figure 7.3-4 Emergency Core Cooling System (ECCS)

Separation Scheme Figure 7.3-5 Isolation Control System for Main Steam Line Isolation Valves Figure 7.3-6 Isolation Control System Using Motor-Operated Valves Figure 7.3-7 Deleted Figure 7.5-1 Operator's Control Console Figure 7.5-2 Reactor Core Cooling Benchboard Figure 7.5-3 Auxiliary Control Benchboard Figure 7.5-4 Diesel Generator Benchboard Figure 7.5-5 Containment & Drywell Instrumentation and Control System Figure 7.5-6 Ctmt and Drywell Inst and Control System Figure 7.6-1a Process Radiation Monitoring System Figure 7.6-1b Process Radiation Monitoring System Figure 7.6-1c Process Radiation Monitoring System Figure 7.6-1d Process Radiation Monitoring System Figure 7.6-1e Process Radiation Monitoring System Figure 7.6-1f Process Radiation Monitoring System Figure 7.6-2a Leak Detection System IED Figure 7.6-2b Leak Detection System IED (Continued)

Figure 7.6-2c Leak Detection System IED (Continued)

Figure 7.6-2d Leak Detection System IED (Continued)

Figure 7.6-3 Recirculation Pump Leak Detection Block Diagram Figure 7.6-4 RHR Area Temperature Monitoring System Block Diagram Figure 7.6-5 Vessel Penetrations for Nuclear Instru¬-

mentation Figure 7.6-6a Neutron Monitoring System IED Figure 7.6-6b Neutron Monitoring System IED (Continued) 7-xii Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LIST OF FIGURES Figure 7.6-7 SRM/IRM Neutron Monitoring Unit Figure 7.6-8 Detector Drive System Schematic Figure 7.6-9 Functional Block Diagram of SRM Channel Figure 7.6-10 Functional Block Diagram of IRM Channel Figure 7.6-11 Power Range Monitor Detector Assembly Location Figure 7.6-12 APRM Circuit Arrangement for Reactor Protection System Input Figure 7.6-13 Ranges of Neuton Monitoring System Figure 7.6-14 Deleted Figure 7.6-15 Deleted Figure 7.6-16 Leak Detection System Figure 7.6-17 Leak Detection System Figure 7.7-1 Water Level Range Definition Figure 7.7-2 Rod Control and Information System Operation Figure 7.7-3 RC&IS Self Test Provisions Figure 7.7-4 Dual Eleven Wire Position Probe Figure 7.7-5 Deleted Figure 7.7-6 Feedwater Control System IED Figure 7.7-7 Simplified Diagram of Turbine Pressure and Speed-Load Control Requirements Figure 7.7-8 Turbine Generator Controls and Supervisory Equipment Figure 7.7-9 Detector Drive System Schematic Figure 7.7-10 Traversing In-Core Probe Assembly Figure 7.7-11 Transient Monitoring System Block Diagram 7-xiii Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

CHAPTER 7.0 INSTRUMENTATION AND CONTROL SYSTEMS

7.1 INTRODUCTION

This chapter presents the specific detailed design and performance information relative to the instrumentation and control aspects of the safety-related and power generation systems utilized throughout the plant. The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection system as defined in IEEE Standard 279, "Criteria for Protection Systems for Nuclear Power Generating Stations."

7.1.1 Identification of Safety-Related Systems Instrumentation and control systems supplied by General Electric are designated as either power generation systems or safety systems, depending on their function. Some portions of a system may have a safety function while other portions of the same system may be classified as power generation. A complete description of the reasoning behind this system of classification can be found in Appendix 15A, Nuclear Safety Operational Analysis.

The systems presented in Chapter 7.0 are also classified according to the NRC Standard Format for Safety Analysis Reports, Revision 2; namely, Reactor Protection (Trip) System, Engineered Safety Feature Systems, Safe Shutdown Systems, Safety-Related Display Instrumentation, Other Systems Required for Safety, and Control Systems Not Required for Safety. Table 7.1-1 lists the systems under each of these classifications and identifies the designer and/or the supplier. Table 7.1-2 identifies instrumentation and control systems that are identical to those of a nuclear power plant of similar design that has recently received NRC design or operation approval through the issuance of either a construction permit or an operating license. Differences and their effect on safety-related systems are also identified in Table 7.1-2.

7.1.1.1 Classification 7.1.1.1.1 Safety-Related Systems Safety systems provide actions necessary to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material beyond allowable dose limits. These systems may be components, groups of components, systems, or groups of 7.1-1 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) systems. Engineered safety feature (ESF) systems are included in this category. ESF systems have the sole function of mitigating the consequences of design basis accidents.

7.1.1.1.2 Power Generation Systems Power generation systems are not required to protect the integrity of radioactive material barriers and/or prevent the release of radioactive material beyond allowable dose limits. The instrumentation and control portions of these systems may, by their actions, prevent the plant from exceeding preset limits which would otherwise initiate action of the safety systems.

7.1.1.1.3 General Functional Requirements Plant systems may have both a safety design basis and a power generation design basis depending on their function. The safety design basis states in functional terms the unique design requirements that establish limits for the operation of the system. The general functional requirements portion of the safety design basis presents those requirements which have been determined to be sufficient to ensure the adequacy and reliability of the system from a safety viewpoint. Many of these requirements have been introduced into various codes, criteria, and regulatory requirements.

7.1.1.1.4 Specific Regulatory Requirements The plant systems have been examined with respect to specific regulatory requirements which are applicable to the subject instrumentation and controls systems. These regulatory requirements include:

a. Applicable industry codes and standards

b. Appropriate Title 10 Code of Federal Regulations

c. NRC Electrical, Instrumentation and Control Systems Branch technical positions, and

d. NRC Regulatory Guides.

7.1-2 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2 Identification of Safety Criteria The specific regulatory requirements pertaining to each system's instrumentation and control are specified in Table 7.1-3.

Subsections 7.1.2.4 through 7.1.2.6 provide references as to where the discussions on conformance to the various regulatory requirements are provided. In several cases, the conformance of the plant design to the particular regulatory requirement is not directly measurable. As a result, each 7.X.2 subsection provides a discussion of those requirements as interpreted for Grand Gulf for that system. Those regulatory requirements that are measurable or are common for all systems are not necessarily discussed in the 7.X.2 subsections. Table 7.1-3 provides a summary of those regulatory requirements which either directly or indirectly apply to the systems listed.

7.1.2.1 Design Bases The technical design bases for the instrumentation and control equipment for each safety-related and power generation system are discussed on a system-by-system basis in the description portions of Sections 7.2, 7.3, 7.4, and 7.6.

Design bases and criteria for instrumentation and control equipment design are based on the need to have the system perform its intended function while meeting the requirements of applicable general design criteria, regulatory guides, industry standards, and other documents.

7.1.2.1.1 Reactor Protection System (RPS) - Instrumentation and Control 7.1.2.1.1.1 Safety Design Bases 7.1.2.1.1.1.1 General Functional Requirements The reactor protection system is designed to meet the following functional requirements:

a. The reactor protection system shall initiate a reactor scram with precision and reliability to prevent or limit fuel damage following abnormal operational transients.

Reactor operation in states that could result in development of power oscillations due to neutronic/

thermal-hydraulic instability shall be terminated by reactor scram.

7.1-3 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. The reactor protection system shall initiate a scram with precision and reliability to prevent damage to the reactor coolant pressure boundary as a result of excessive internal pressure; that is, to prevent nuclear system pressure from exceeding the limit allowed by applicable industry codes.

c. To limit the uncontrolled release of radioactive materials from the fuel assembly or reactor coolant pressure boundary, the reactor protection system shall precisely and reliably initiate a reactor scram on gross failure of either of these barriers.

d. To detect conditions that threaten the fuel assembly or reactor coolant pressure boundary, the reactor protection system inputs shall be derived from variables that are true, direct measures of operational conditions.

e. The reactor protection system shall respond correctly to the sensed variables over the expected range of magnitudes and rates of change.

f. A sufficient number of sensors shall be provided for monitoring essential variables that have spatial dependence.

g. The following bases assure that the reactor protection system is designed with sufficient reliability:

1. If failure of a control or regulating system causes a plant condition that requires a reactor scram but also prevents action by necessary reactor protection system channels, the remaining portions of the reactor protection system shall meet the requirements a, b, and c above.

2. Loss of one power supply shall neither cause nor prevent a reactor scram.

3. Once initiated, a reactor protection system action shall go to completion. Return to normal operation shall require deliberate operator action.

4. There shall be sufficient electrical and physical separation between redundant instrumentation and control equipment monitoring the same variable to 7.1-4 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) prevent environmental factors, electrical transients, or physical events from impairing the ability of the system to respond correctly.

5. Earthquake ground motions, as amplified by building and supporting structures, shall not impair the ability of the reactor protection system to initiate a reactor scram.

6. No single failure within the reactor protection system shall prevent proper reactor protection action, when required to satisfy safety design bases a, b, and c above.

7. Any one intentional bypass, maintenance operation, calibration operation, or test to verify operational availability shall not impair the ability of the reactor protection system to respond correctly.

8. The system shall be designed so that the required number of sensors for any monitored variable exceeding the scram set point will initiate an automatic scram.

h. The following bases reduce the probability that reactor protection system operational reliability and precision will be degraded by operator error:

1. Access to trip settings, component calibration controls, test points, and other terminal points shall be under the control of plant operations supervisory personnel.

2. Manual bypass of instrumentation and control equipment components shall be under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously annunciated in the control room.

7.1.2.1.1.1.2 Specific Regulatory Requirements In addition to the above functional design requirements, the reactor protection system instrumentation and control complies with the specific regulatory requirements shown in Table 7.1-3.

7.1-5 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.1.2 Power Generation Design Bases The reactor protection system has one power generation objective.

The set points, power sources, and control and instrumentation are arranged in such a manner as to preclude spurious scrams.

7.1.2.1.2 Containment and Reactor Vessel Isolation Control System - Instrumentation and controls 7.1.2.1.2.1 Safety Design Bases 7.1.2.1.2.1.1 General Functional Requirements The following functional design bases have been implemented in the containment and reactor vessel isolation control system:

a. To limit the release of radioactive materials to the environs, the containment and reactor vessel isolation control system shall, with precision and reliability, initiate timely isolation of penetrations through the containment and drywell whenever the values of monitored variables exceed preselected operational limits.

b. To provide assurance that important variables are monitored with a precision sufficient to fulfill Safety Design Basis a, the containment and reactor vessel isolation control system shall respond correctly to the sensed variables over the expected design range of magnitudes and rates of change.

c. To provide assurance that important variables are monitored to fulfill Safety Design Basis a, a sufficient number of sensors shall be provided for monitoring essential variables.

d. To provide assurance that conditions indicative of a failure of the reactor coolant pressure boundary are detected to fulfill Safety Design Basis a, containment and reactor vessel isolation control system inputs shall be derived from variables that are true, direct measures of operational conditions.

e. The time required to close the main steam line isolation valves shall be short to minimize the loss of coolant from a steam line break outside containment.

7.1-6 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

f. The time required to close the main steam line isolation valves shall not be so short that inadvertent isolation of steam lines causes a transient more severe than that resulting from closure of the turbine stop valves coincident with failure of the turbine bypass system. This ensures that the main steam isolation valve closure speed is compatible with the ability of the reactor protection system to protect the fuel assembly and reactor coolant pressure boundary.

g. To provide assurance that the closure of automatic isolation valves is initiated when required to fulfill Safety Design Basis a, the following safety design bases are specified for the systems controlling automatic isolation valves:

1. Any one failure, maintenance operation, calibration operation, or test to verify operational availability shall not impair the functional ability of the isolation control system.

2. The system shall be designed so that the required number of sensors for any monitored variable exceeding the isolation set point will initiate automatic isolation.

3. Where a plant condition that requires isolation can be brought on by a failure or malfunction of a control or regulating system, and the same failure or malfunction prevents action by one or more isolation control system channels designed to provide protection against the unsafe condition, the remaining portions of the isolation control system shall meet the requirements of Safety Design Bases a, b, c, and g.1.

4. The power supplies for the containment and reactor vessel isolation control system shall be arranged so that loss of one supply cannot prevent automatic isolation when required.

5. The system shall be designed so that, once initiated, automatic isolation action goes to completion. Return to normal operation after isolation action shall require deliberate operator action.

7.1-7 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

6. There shall be sufficient electrical and physical separation between redundant instrumentation and control equipment monitoring the same essential variable to prevent environmental factors, electrical faults, and physical events from impairing the ability of the system to respond correctly.

7. Earthquake ground motions shall not impair the ability of the containment and reactor vessel isolation control system to initiate automatic isolation.

h. The following safety design basis is specified to assure that the isolation of main steam lines is accomplished:

1. The isolation valves in each of the main steam lines shall not rely on electrical power to achieve closure.

i. To reduce the probability that the operational reliability of the containment and reactor vessel isolation control system will be degraded by operator error, the following safety design bases are specified for automatic isolation valves:

1. Access to all trip settings, component calibration controls, test points, and other terminal points for equipment associated with essential monitored variables shall be under the physical control or supervision of the control room operator.

2. The means for bypassing channels, trip logics, or system components shall be under the control of the control room operator. If the ability to trip some essential part of the system has been bypassed, this fact shall be continuously indicated in the control room.

j. To provide the operator with a means to take action that is independent of the automatic isolation functions in the event of a failure of the reactor coolant pressure boundary, it shall be possible for the operator to manually initiate isolation of the containment and reactor vessel from the control room.

7.1-8 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

k. The following bases are specified to provide the operator with the means to assess the condition of the containment and reactor vessel isolation control system and to identify conditions indicative of a gross failure of the reactor coolant pressure boundary.

1. The containment and reactor vessel isolation control system shall be designed to provide the operator with information pertinent to the status of the system.

2. Means shall be provided for prompt identification of channel and trip system responses.

l. It shall be possible to check the operational availability of each channel and trip logic during reactor operation.

7.1.2.1.2.2 Specific Regulatory Requirements The specific regulatory requirements met by the containment and reactor vessel isolation control system instrumentation and controls are shown in Table 7.1-3.

7.1.2.1.3 Emergency Core Cooling Systems - Instrumentation and Controls 7.1.2.1.3.1 Safety Design Bases 7.1.2.1.3.1.1 General Functional Requirements The emergency core cooling systems control and instrumentation are designed to meet the following functional safety design bases:

a. Automatically initiate and control the emergency core cooling systems to prevent fuel cladding temperatures from reaching 2200 F.

b. Respond to a need for emergency core cooling, regardless of the physical location of the malfunction or break that causes the need.

c. The following safety design bases are specified to limit dependence on operator judgement in times of stress:

7.1-9 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. The emergency core cooling systems shall respond automatically so that no action is required of plant operators within 10 minutes after a loss-of-coolant accident.

2. The performance of the emergency core cooling systems shall be indicated by control room instrumentation.

3. Facilities for manual control of the emergency core cooling systems shall be provided in the control room.

7.1.2.1.3.1.2 Specific Regulatory Requirements The controls and instrumentation for the emergency core cooling systems are designed to conform to the regulatory requirements shown on Table 7.1-3.

7.1.2.1.4 Neutron Monitoring System - Instrumentation and Controls 7.1.2.1.4.1 Source Range Monitor (SRM) Subsystem 7.1.2.1.4.1.1 Power Generation Design Basis The source range monitor (SRM) subsystem meets the following power generation design bases:

a. Neutron sources and neutron detectors together shall result in a signal-to-noise ratio of at least 2:1 and a count rate of at least 0.7 counts per second with all control rods fully inserted prior to initial power operation.

b. The SRM shall be able to perform the following functions:

1. Indicate a measurable increase in output signal from at least one detecting channel before the reactor period is less than 20 seconds during the worst possible startup rod withdrawal conditions.

2. Indicate substantial increases in output signals with the maximum permitted number of SRM channels out of service during normal reactor startup operations.

7.1-10 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

3. The SRM channels shall be on scale when the IRM first indicates neutron flux during a reactor startup.

4. Provide a measure of the time rate of change of the neutron flux (reactor period) for operational convenience.

5. Generate interlock signals to block control rod withdrawal if the count rate exceeds a preset value or falls below a preset limit (if the IRMs are not above the second range) or if certain electronic failures occur.

c. Perform its function in the maximum normal thermal and radiation environment.

d. Loss of a single power bus will not disable the monitoring functions of all the available monitors.

7.1.2.1.4.2 Intermediate Range Monitor (IRM) Subsystem 7.1.2.1.4.2.1 Safety Design Basis The IRM generates a trip signal that is used to prevent fuel damage resulting from anticipated or abnormal operational transients that occur while operating in the intermediate power range. The independence and redundancy incorporated in the design of the IRM is consistent with the safety design bases of the reactor protection system.

7.1.2.1.4.2.2 Specific Regulatory Requirements The IRM is designed in accordance with the specific regulatory requirements shown in Table 7.1-3 for the neutron monitoring system (NMS).

7.1.2.1.4.2.3 Power Generation Design Bases The IRM generates an interlock signal to block rod withdrawal if the IRM reading exceeds a preset value or if the IRM is not operating properly. The IRM is designed so that overlapping neutron flux indications exist with the SRM and APRM subsystems.

7.1-11 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.4.3 Local Power Range Monitor (LPRM) Subsystem 7.1.2.1.4.3.1 Safety Design Basis The LPRM is designed to provide a sufficient number of LPRM signals to satisfy the APRM safety design bases.

7.1.2.1.4.3.2 Power Generation Design Bases The LPRM supplies:

a. Signals to the APRM that are proportional to the local neutron flux at various locations within the reactor core.

b. Signals to alarm high or low local neutron flux.

c. Signals proportional to the local neutron flux to drive indicating meters and auxiliary devices to be used for operator evaluation of power distribution, local heat flux, minimum critical power ratio, and fuel burnup rate.

7.1.2.1.4.4 Average Power Range Monitor (APRM) Subsystem This information is evaluated in PUSAR Section 2.4.1.1.1.

7.1.2.1.4.4.1 Safety Design Basis Under the worst permitted input LPRM bypass conditions, the APRM is capable of generating a trip signal in response to average neutron flux increases in time to prevent fuel damage. The APRM is also capable of generating a trip signal in response to the combination of average neutron flux increases and reactor recirculation flow changes to terminate reactor operation in states that could result in development of power oscillations due to neutronic/thermal-hydraulic instability. The independence and redundancy incorporated into the design of the APRM is consistent with the safety design bases of the reactor protection system.

7.1.2.1.4.4.2 Specific Regulatory Requirements The APRM is designed in accordance with the specific regulatory requirements listed in Table 7.1-3 for the NMS.

7.1-12 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.4.4.3 Power Generation Design Bases The APRM provides the following functions:

a. A continuous indication of average reactor power (neutron flux) from a few percent to 125 percent of rated reactor power.

b. Interlock signals for blocking further rod withdrawal to avoid an unnecessary scram actuation.

c. A reference power level for controlling reactor recirculation system flow.

d. A reactor thermal power signal derived from each APRM channel which approximates the dynamic effects of the fuel.

e. In select APRM channels, continuous monitoring of LPRM A-,

B- and C-level signals for signs of local power oscillations characteristic of neutronic/thermal-hydraulic instability.

7.1.2.1.4.5 Traversing Incore Probe (TIP) Subsystem 7.1.2.1.4.5.1 Power Generation Design Bases The TIP meets the following power generation design bases:

a. Provides a signal proportional to the axial neutron flux distribution at selected small axial intervals over the regions of the core where LPRM detector assemblies are located. This signal shall be of high precision to allow reliable calibration of LPRM gains.

b. Provides accurate indication of the position of the flux measurement to allow pointwise or continuous measurement of the axial neutron flux distribution.

7.1.2.1.5 Refueling Interlocks - Instrumentation and Controls 7.1.2.1.5.1 Safety Design Bases Refueling interlocks meet the following safety design bases:

a. During fuel movements in or over the reactor core, all control rods shall be in their fully inserted positions.

7.1-13 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. No more than one control rod shall be withdrawn from its fully inserted position at any time when the reactor is in the refuel mode.

7.1.2.1.5.2 Specific Regulatory Requirements The refueling interlocks are designed in accordance with the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.6 Rod Control and Information System (RCIS) -

Instrumentation and Controls 7.1.2.1.6.1 Safety Design Basis The rod control and information system (RCIS) instrumentation and controls meet the following safety design bases:

a. The circuitry provided for the manipulation of control rods shall be designed so that no single failure can negate the effectiveness of a reactor scram.

b. Repair, replacement, or adjustment of any failed or malfunctioning component shall not require that any element needed for reactor scram be bypassed unless a bypass is normally allowed.

7.1.2.1.6.2 Specific Regulatory Requirements The rod control and information system instrumentation and controls are designed in accordance with the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.6.3 Power Generation Design Bases The rod control and information system is designed to meet the following power generation design bases:

a. Inhibit control rod withdrawal following erroneous control rod manipulations so that reactor protection system action (scram) is not required.

b. Inhibit control rod withdrawal in time to prevent local fuel damage as a result of erroneous control rod manipulation.

7.1-14 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Inhibit control rod movement whenever such movement would result in operationally undesirable core reactivity conditions or whenever instrumentation is incapable of monitoring the core thermal neutron flux.

d. Limit the potential for inadvertent rod withdrawals leading to reactor protection system action by designing the rod control and information system in such a way that deliberate operator action is required to effect a continuous rod withdrawal.

e. Provide the operator with the means to achieve prescribed control rod patterns, and provide information pertinent to the position and motion of the control rods in the control room.

7.1.2.1.7 Reactor Vessel - Instrumentation 7.1.2.1.7.1 Power Generation Design Basis Reactor vessel instrumentation is designed to provide the reactor operator with sufficient indication of reactor vessel coolant temperature, reactor vessel water level, reactor vessel pressure and nuclear system leakage to maintain proper normal operating conditions. These instruments augment existing information such that the operator can start-up, operate, shut down and service the reactor in an efficient manner.

7.1.2.1.8 Recirculation Flow Control System - Instrumentation and Controls 7.1.2.1.8.1 Safety Design Basis The recirculation flow control system functions so that no anticipated or abnormal operational transient resulting from a malfunction in the recirculation flow control system can result in damaging the fuel or exceeding nuclear system pressure limits.

7.1.2.1.8.2 Specific Regulatory Requirements The recirculation flow control system is designed in accordance with specific regulatory requirements shown in Table 7.1-3.

7.1-15 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.8.3 Power Generation Design Bases The recirculation flow control system is designed to meet the following power generation design bases:

a. To allow variation of the recirculation flow rate.

b. To allow both manual and automatic recirculation flow adjustment, so that manual control of reactor power level is possible.

7.1.2.1.9 Feedwater Control System - Instrumentation and Controls 7.1.2.1.9.1 Power Generation Design Basis The reactor feedwater control system regulates the feedwater flow over the entire power range of the reactor (1) to maintain adequate water level in the reactor vessel according to the requirements of the steam separators and (2) to prevent uncovering the reactor core.

7.1.2.1.10 Pressure Control and Turbine-Generator System -

Instrumentation and Controls 7.1.2.1.10.1 Power Generation Design Bases Since the turbine is slaved to the reactor, operation of the reactor demands that a pressure control concept be applied to maintain a constant turbine inlet pressure (within the range of the controller proportional band setting) with manual control of reactor power level handled by variation of the reactor recirculation flow.

The turbine pressure control, in maintaining constant turbine inlet pressure, operates the steam bypass valves such that a portion of nuclear boiler rated flow can be bypassed for transient steam flow loads above that which can be accepted by the turbine, as well as during the startup and shutdown phase. The turbine-generator pressure control system accomplishes the following control functions:

a. Control turbine speed and turbine acceleration

b. Operate the steam bypass system to keep reactor pressure within limits, and avoid large power transients 7.1-16 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Control main turbine stop valve pressure within the proportional band setting of the pressure controller 7.1.2.1.11 Process Radiation Monitoring System -

Instrumentation and Controls 7.1.2.1.11.1 Main Steam Line Radiation Monitoring Subsystem 7.1.2.1.11.1.1 Safety Design Basis The main steam line radiation monitoring subsystem is designed to meet the following safety design bases:

a. The subsystem is able to detect a gross release of fission products from the fuel under any anticipated operating combination of main steam lines.

b. The subsystem shall promptly indicate a gross release of fission products from the fuel.

c. On detection of a gross release of fission products from the fuel the subsystem shall provide the trip signal to the containment and reactor vessel isolation control system to isolate the reactor recirculation sample line.

7.1.2.1.11.1.2 Specific Regulatory Requirements The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.11.1.3 Power Generation Design Basis The main steam line radiation monitoring subsystem is designed to display in the control room an indication of gross gamma radiation level at the main steam tunnel.

7.1.2.1.11.2 Ventilation Systems - Radiation Monitoring Subsystem 7.1.2.1.11.2.1 Containment and Drywell Vent Exhaust Radiation Monitoring Subsystem 7.1.2.1.11.2.1.1 Safety Design Bases The subsystem:

a. Provides the capability of detecting gamma radiation level in the containment and drywell ventilation exhaust.

7.1-17 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Initiates control signals in the event the radiation level exceeds a predetermined level, to isolate the containment ventilation system, and to close containment purge and vent valves.

c. Provides alarms as the radiation level approaches the trip level for isolation and when the radiation level has reached the trip level for isolation.

7.1.2.1.11.2.1.2 Specific Regulatory Requirements The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.11.2.1.3 Power Generation Design Basis The subsystem:

a. Provides an indication in the control room of the gross gamma radiation level.

b. Provides a recorder signal.

7.1.2.1.11.2.2 Auxiliary Building - Fuel Handling Area Ventilation Exhaust Radiation Monitoring Subsystem 7.1.2.1.11.2.2.1 Safety Design Bases The subsystem:

a. Provides the capability of detecting gamma radiation level in auxiliary building - fuel handling area ventilation exhaust.

b. Initiates control signals in the event the radiation level exceeds a predetermined level to isolate the auxiliary building and fuel handling area ventilation systems and to initiate the standby gas treatment system.

c. Provides alarms as the radiation level approaches the trip level for isolation and when the radiation level has reached the trip level for isolation.

7.1.2.1.11.2.2.2 Specific Regulatory Requirements The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Table 7.1-3.

7.1-18 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.11.2.2.3 Power Generation Design Basis The subsystem:

a. Provides an indication in the control room of the gross gamma radiation level.

b. Provides a recorder signal.

7.1.2.1.11.2.3 Auxiliary Building - Fuel Handling Area Pool Sweep Exhaust Radiation Monitoring Subsystem 7.1.2.1.11.2.3.1 Safety Design Bases The subsystem:

a. Provides the capability of detecting gamma radiation level in the auxiliary building - fuel pool sweep exhaust vent system.

b. Initiates control signals in the event the radiation level exceeds a predetermined level to isolate the auxiliary building and fuel handling area ventilation systems and to initiate the standby gas treatment system.

c. Provides alarms as the radiation level approaches the trip level for isolation and when the radiation level has reached the trip level for isolation.

7.1.2.1.11.2.3.2 Specific Regulatory Requirements The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.11.2.3.3 Power Generation Design Basis The subsystem:

a. Provides an indication in the control room of the gross gamma radiation level.

b. Provides a recorder signal.

7.1-19 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.11.2.4 Control Room Ventilation Intake Radiation Monitoring Subsystem 7.1.2.1.11.2.4.1 Safety Design Bases The subsystem:

a. Provides the capability of detecting gamma radiation level in the control room ventilation intake.

b. Initiates control signals in the event the radiation level exceeds a predetermined level, to isolate the control room and start the standby fresh air unit filtration fans.

c. Provides alarms as the radiation level approaches the trip level for isolation and when the radiation level has reached the trip level for isolation.

7.1.2.1.11.2.4.2 Specific Regulatory Requirements The subsystem instrumentation and controls conform to the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.11.2.4.3 Power Generation Design Basis The subsystem:

a. Provides an indication in the control room of the gross gamma radiation level.

b. Provides a recorder signal.

7.1.2.1.12 Core Performance Monitoring System - Instrumentation 7.1.2.1.12.1 Power Generation Design Bases

a. The core performance monitoring system is designed to determine periodically the three dimensional power density distribution for the reactor core and provide printed logs that permit accurate assessment of core thermal performance.

b. The core performance monitoring system provides nearly continuous monitoring based on established core operating limits at all times, especially during periods of power level changes.

7.1-20 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. The core performance monitoring system provides periodic and on-demand isotopic concentration data for each fuel bundle in the core.

d. Deleted.

e. Deleted.

7.1.2.1.13 Auxiliary Building Pressure Control System -

Instrumentation and controls 7.1.2.1.13.1 Power Generation Design Bases

a. The auxiliary building pressure control system functions to hold the fuel pool area of the auxiliary building at a negative pressure under all normal operating conditions.

7.1.2.1.14 Control Room Atmospheric Control and Isolation System - Instrumentation and Controls The design bases for the control room atmospheric control and isolation system are discussed in subsection 9.4.1.1.

7.1.2.1.15 Standby Service Water System - Instrumentation and Controls The design bases for the standby service water system are discussed in subsection 9.2.1.1.

7.1.2.1.16 Combustible Gas Control System - Instrumentation and Controls The design bases for the combustible gas control system are discussed in subsection 6.2.5.1.

7.1.2.1.17 Reactor Core Isolation Cooling (RCIC) System -

Instrumentation and Controls 7.1.2.1.17.1 Safety Design Bases

a. The system is capable of maintaining sufficient coolant in the reactor vessel in case of an isolation with a loss of main feedwater flow.

b. Provisions are made for automatic and remote manual operation of the system.

7.1-21 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Components of the RCIC system are designed to satisfy seismic Category I design requirements.

d. To provide a high degree of assurance that the system shall operate when necessary, the power supply for the system is from immediately available energy sources of high reliability.

e. To provide a high degree of assurance that the system shall operate when necessary, provision is made so that periodic testing can be performed during unit operation.

7.1.2.1.17.2 Specific Regulatory Requirements RCIC is considered a safe shutdown system rather than an emergency core cooling system. RCIC instrumentation and controls are designed to meet the specific regulatory requirements listed in Table 7.1-3 with exceptions as described in subsection 7.4.2.1.2.

7.1.2.1.18 Standby Liquid Control System (SLCS) -

Instrumentation and Controls 7.1.2.1.18.1 Safety Design Basis This system is capable of shutting the reactor down from full power to cold shutdown and maintaining the reactor in a subcritical state at atmospheric temperature and pressure conditions by pumping sodium pentaborate, a neutron absorber, into the reactor.

7.1.2.1.18.2 Specific Regulatory Requirements The system instrumentation and controls comply with the specific regulatory requirements shown in Table 7.1-3.

7.1.2.1.19 Gaseous Radwaste System 7.1.2.1.19.1 Specific Regulatory Requirements Specific regulatory requirements met by the system are listed in Table 7.1-3.

7.1.2.1.19.2 Power Generation Design Bases The instrumentation and control system is designed to:

7.1-22 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. Monitor and control the gaseous processing system and subsystems

b. Detect, indicate, and alarm a system or subsystem upset to provide sufficient time for corrective action 7.1.2.1.20 Reactor Water Cleanup (RWCU) System -

Instrumentation and Controls 7.1.2.1.20.1 Power Generation Design Basis The purpose of the reactor water cleanup system is to provide continuous processing of the reactor water to maintain the purity within specified limits. The system also provides the means for removal of reactor water. Although the RWCU system is of importance to startup and long term operation, the reactor may operate while the RWCU system is out of service.

7.1.2.1.21 Standby Power Systems 7.1.2.1.21.1 Safety Design Bases Safety design bases for the electrical power systems are described in subsections 8.3.1 and 8.3.2.

7.1.2.1.21.2 Specific Regulatory Requirements The specific regulatory requirements for the standby power systems are given in subsections 8.3.1 and 8.3.2.

7.1.2.1.21.3 Power Generation Design Basis Power generation design basis for the electrical power system are described in subsections 8.3.1 and 8.3.2.

7.1.2.1.22 Heating, Ventilating, and Air Conditioning (HVAC)

Systems for Engineered Safety Feature (ESF) Areas The design bases for HVAC systems for ESF areas are discussed in subsections 9.4.5.1.1 and 9.4.5.1.2.

7.1.2.1.23 Diesel Generator Auxiliary Systems The design bases for the diesel generator auxiliary systems are discussed in subsections 9.5.4.1, 9.5.5.1, 9.5.6.1, 9.5.7.1, and 9.5.8.1.

7.1-23 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.24 Leak Detection Systems - Instrumentation and Controls 7.1.2.1.24.1 Reactor Coolant Pressure Boundary Leakage Detection 7.1.2.1.24.1.1 Safety Design Bases The safety design bases for the leak detection systems are as follows:

a. Signals are provided to permit isolation of abnormal leakage before the results of this leakage become unacceptable.

b. The unacceptable results are as follows:

1. A threat of significant compromise to the reactor coolant pressure boundary.

2. A leakage rate in excess of the coolant makeup capability to the reactor vessel.

7.1.2.1.24.1.2 Specific Regulatory Requirements The part of leak detection that is related to isolation circuits is designed to meet requirements of the engineered safety feature systems and to comply with the specific regulatory requirements listed in Table 7.1-3.

7.1.2.1.24.1.3 Power Generation Design Basis A means is provided to detect abnormal leakage from the reactor coolant pressure boundary.

7.1.2.1.24.2 Steam and Power Conversion System Boundary Leakage Detection 7.1.2.1.24.2.1 Safety Design Bases The safety design bases for the leak detection systems are as follows:

a. Signals are provided to permit isolation of abnormal leakage before the results of this leakage become unacceptable.

b. The unacceptable results are as follows:

7.1-24 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. A threat of significant compromise to the steam and power conversion system boundary.

2. A leakage rate in excess of the coolant makeup capability to the reactor vessel.

3. A leakage rate in excess of radiological limits.

4. A leakage rate which will negate safety equipment function.

7.1.2.1.24.2.2 Specific Regulatory Requirements The specific regulatory requirements for the subject equipment are given in Table 7.1-3.

7.1.2.1.24.2.3 Power Generation Design Basis A means is provided to detect abnormal leakage from the steam and power conversion system boundary.

7.1.2.1.25 RHR - Reactor Shutdown Cooling Subsystem -

Instrumentation and Controls 7.1.2.1.25.1 Safety Design Bases The reactor shutdown cooling mode function of the RHR system is designed to meet the following functional design bases:

a. Instrumentation and controls are provided that will enable the system to remove the residual heat (decay heat and sensible heat) from the reactor vessel during normal shutdown.

b. All manual controls of the shutdown cooling system are provided in the control room and on the remote shutdown panels.

c. Performance of the shutdown cooling system is indicated by control room instrumentation and similar instrumentation on the remote shutdown panels.

7.1.2.1.25.2 Specific Regulatory Requirements The reactor shutdown cooling specific regulatory requirements are listed in Table 7.1-3.

7.1-25 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.25.3 Power Generation Design Bases The reactor shutdown cooling mode of the residual heat removal system (RHR) shall meet the following power generation design bases:

a. Provide cooling for the reactor during the shutdown operation when the vessel pressure is below approximately 135 psig

b. Cool the reactor water to a temperature which is practical for refueling and servicing operation

c. Provide means for reactor head cooling by diverting part of the shutdown flow to a nozzle in the vessel head. This flow will condense the steam generated from the hot walls of the vessel while it is being flooded, thereby keeping system pressure down.

7.1.2.1.26 Spent Fuel Pool Cooling and Cleanup System -

Instrumentation and Controls 7.1.2.1.26.1 Specific Regulatory Requirements The spent fuel pool cooling and cleanup system specific regulatory requirements are listed in Table 7.1-3.

7.1.2.1.26.2 Power Generation Design Basis The purpose of the spent fuel pool cooling and cleanup system instrumentation and control is to provide annunciation and control so that the spent fuel pool cooling system can maintain the shielding water in the spent fuel and equipment storage pools below a desired temperature and at a degree of clarity necessary to refuel and service the reactor.

7.1.2.1.27 Feedwater Leakage Control System - Instrumentation and Controls The design bases for the feedwater leakage control system are discussed in subsection 6.7.2.1.

7.1.2.1.28 Standby Gas Treatment System - Instrumentation and Controls The design bases for the standby gas treatment system are discussed in subsection 6.5.3.2.

7.1-26 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.29 Main Steam Line Isolation Valve-Leakage Control System (MSIV-LCS) - Instrumentation and Controls 7.1.2.1.29.1 Safety Design Basis Instrumentation and controls necessary for the functioning of the MSIV-LCS are designed in accordance with standards applicable to nuclear plant safety-related instrumentation and control systems.

The MSIV-LCS controls are provided with interlocks actuated from appropriately designed safety systems or circuits to prevent inadvertent MSIV-LCS operation.

7.1.2.1.29.2 Specific Regulatory Requirements The MSIV-LCS is designed to IEEE 279-1971, IEEE 323-1971, and Regulatory Guide 1.96. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975. Qualification during the plant operating license stage is in accordance with IEEE 344-1975. Refer to Table 7.1-3 for additional considerations.

7.1.2.1.30 ATWS Mitigation Capability - Instrumentation and Controls 7.1.2.1.30.1 Special Event Design Basis The ability of the plant to accommodate anticipated transient without scram is defined and examined in Section 15.8 and Appendix 15A of Chapter 15 (Event 46).

7.1.2.1.30.2 Specific Regulatory Requirements Refer to discussions given in Section 15.8 and in Appendix 15A of Chapter 15 (Event 46) relative to the plant's ability to accommodate the postulated event.

7.1.2.1.31 Safety-Related Display - Instrumentation 7.1.2.1.31.1 Safety Design Basis The necessary display instrumentation is available to the operator in the control room to determine and accomplish all the required manual control actions consistent with safe plant operation.

7.1-27 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.31.2 Specific Regulatory Requirements Safety-related display instrumentation specific regulatory requirements are listed in Table 7.1-3.

7.1.2.1.31.3 Power Generation Design Basis Sufficient and reliable display instrumentation is provided so that all the expected power operation actions and maneuvers can be reasonably accomplished by the operator from the control room.

7.1.2.1.32 Component Cooling Water System (Fuel Pool Cooling)

Design bases for the CCW system are discussed in subsection 9.2.2.

7.1.2.1.32.1 Safety Design Bases

a. The intertie between the CCW system and the standby service water system allows transfer of the heat load of the fuel pool heat exchangers from the CCW system to the ultimate heat sink.

b. The CCW isolation valve associated with each fuel pool heat exchanger closes automatically on low flow.

c. Opening of the SSW supply valves is initiated manually by the operator from the control room.

7.1.2.1.32.2 Specific Regulatory Requirements Applicable regulatory requirements are shown in Table 7.1-3 and discussed in subsection 7.6.2.9.

7.1.2.1.33 Suppression Pool Temperature Monitoring System 7.1.2.1.33.1 Safety Design Bases

a. The suppression pool temperature monitoring system provides instrumentation to identify trends in suppression pool temperature in sufficient time for appropriate operator action to be taken.

b. The suppression pool temperature monitoring system is designed to operate in a post-LOCA environment and after a safe shutdown earthquake.

7.1-28 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.33.2 Specific Regulatory Requirements Applicable regulatory requirements are shown in Table 7.1-3 and discussed in subsection 7.6.2.11.

7.1.2.1.34 Auxiliary Building Isolation System Design bases for the secondary containment are discussed in subsection 6.2.3.

7.1.2.1.34.1 Safety Design Bases

a. The auxiliary building isolation system limits the release of radioactive material to the environment by isolating penetrations through the secondary containment.

b. Initiation of the auxiliary building isolation system is automatic in response to a signal from the containment and reactor vessel isolation control system, or manual from the control room.

c. The auxiliary building isolation system is designed to operate in a post-LOCA environment and after a safe shutdown earthquake.

7.1.2.1.34.2 Specific Regulatory Requirements Applicable regulatory requirements are shown in Table 7.1-3 and discussed in subsection 7.6.2.12.

7.1.2.1.34.3 Power Generation Design Basis The auxiliary building isolation system is designed in such a manner as to preclude spurious isolation.

7.1.2.1.35 RHR - Containment Spray Cooling System -

Instrumentation and Controls 7.1.2.1.35.1 Safety Design Basis The containment spray cooling mode function of the RHR system is designed to meet the following functional power generation design bases:

7.1-29 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. Instrumentation and controls are provided that will sense containment and drywell pressures and enable the system to provide condensation of steam in the containment air volume during a transient or accident event.

b. All manual controls of the containment spray subsystem are provided in the control room.

c. Performance of the containment spray subsystem is indicated by control room instrumentation.

7.1.2.1.35.2 Specific Regulatory Requirements Specific regulatory requirements met by the containment spray system are listed in Table 7.1-3.

7.1.2.1.36 Reactor Shutdown Outside the Control Room -

Instrumentation and Controls 7.1.2.1.36.1 Remote Shutdown System 7.1.2.1.36.1.1 Safety Design Bases Instrumentation and controls are provided to allow reactor shutdown outside the control room in the event that the control room becomes uninhabitable due to any cause with the exception of a control room exposure fire as postulated by 10 CRF 50, Appendix R. See subsection 7.1.2.1.36.2 for a discussion regarding an exposure fire in the main control room.

7.1.2.1.36.1.2 Specific Regulatory Requirements Specific regulatory requirements met by the remote shutdown system are listed in Table 7.1-3. The remote shutdown system meets the requirements of the systems which are instrumented and controlled as part of this feature.

7.1.2.1.36.2 Alternate Shutdown System 7.1.2.1.36.2.1 Safety Design Bases Instrumentation and controls are provided for one train of safe shutdown systems (Division 1), to allow reactor shutdown in the event of an exposure fire in the main control room, that could potentially disable redundant divisions of safe shutdown systems.

7.1-30 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.36.2.2 Specific Regulatory Requirements Specific regulatory requirements met by the alternate shutdown system are listed in Table 7.1-3. The alternate shutdown system meets the requirements of the systems which are instrumented and controlled as part of this feature.

7.1.2.1.37 Recirculation Pump Trip (End of Cycle RPT) System Instrumentation and Controls 7.1.2.1.37.1 Specific Regulatory Requirements Specific regulatory requirements met by the recirculation pump trip system are listed in Table 7.1-3.

7.1.2.1.37.2 Power Generation Bases The recirculation pump trip system is designed to meet the following functional design bases:

a. Instrumentation and controls are provided that will cause both recirculation pumps to trip when the main turbine trips or a generator load rejection occurs. The RPT will occur automatically in order to ensure that the reactor core remains within the conservative thermal hydraulic limits during certain abnormal operational transients.

b. Operational performance of the system is indicated by control room instrumentation.

7.1.2.1.38 RHR - Suppression Pool Cooling Mode -

Instrumentation and Controls 7.1.2.1.38.1 Specific Regulatory Requirements This mode of the RHR system is part of RHR shutdown cooling. See Table 7.1-3.

7.1.2.1.38.2 Power Generation Design Basis Instrumentation and controls are provided to allow the reactor operator to manually initiate suppression pool cooling to ensure that the pool temperature immediately after any relief valve discharge to the pool does not exceed the pre-established pool temperature limit.

7.1-31 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.1.39 Suppression Pool Makeup System - Instrumentation and Controls 7.1.2.1.39.1 Safety Design Basis The transfer of the containment upper fuel handling pool water to the suppression pool after a design basis loss-of-coolant accident is effected by the subject system.

The design bases for the suppression pool makeup system are discussed in subsection 6.2.7.1.

7.1.2.1.39.2 Specific Regulatory Requirements Specific regulatory requirements met by the subject system are given in Table 7.1-3.

7.1.2.1.40 In-Containment Area Radiation Monitoring System -

Instrumentation and Controls As a result of TMI Lessons Learned, a high range in-containment radiation monitoring system has been installed.

7.1.2.1.40.1 Safety Design Basis The monitoring of high range gamma radiation levels in the containment and the drywell after a design basis loss-of-coolant accident is accomplished by the area radiation monitoring system.

The design basis for this system is discussed in subsection 12.3.4.3.

7.1.2.1.40.2 Specific Regulatory Requirements Specific regulatory requirements met by the area radiation monitoring system are listed under Safety-Related Display Instrumentation in Table 7.1-3.

7.1.2.2 Independence of Redundant Safety-Related Systems 7.1.2.2.1 Introduction This section defines separation criteria for safety-related instrumentation and control equipment. Safety-related equipment to which the criteria apply is that necessary to mitigate the affects of anticipated and abnormal operational transients or design basis accidents. The objective of the criteria is to 7.1-32 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) delineate the separation requirements necessary to achieve true independence of safety-related functions compatible with the redundant and/or diverse equipment provided.

The following subsections individually address mechanical and electrical equipment separation. The specific functions systems, and equipment to which the criteria apply are listed followed by the corresponding safety criteria. The Grand Gulf design complies with Regulatory Guide 1.22, as discussed in subsection 7.1.2.6.4, except as stated in Appendix 3A.

7.1.2.2.2 Mechanical Systems and Equipment The following mechanical systems and related equipment (i.e.,

piping, valves, pumps, and heat exchangers) are needed to assure plant-wide, total operating spectrum safety functions protection.

Refer to Chapter 15 and Appendix 15A of Chapter 15 for total plant safety evaluation.

a. Emergency core cooling systems (ECCS)

1. Low pressure coolant injection (LPCI) system (subsystem of RHR),

2. Low pressure core spray (LPCS) system,

3. High pressure core spray (HPCS) system,

4. Automatic depressurization system (ADS).

b. Other cooling systems

1. Reactor core isolation cooling (RCIC) system,

2. Standby service water system,

3. RHR - containment spray cooling system,

4. RHR - reactor shutdown cooling system.

c. Containment systems

1. Primary containment,

2. Secondary containment,

3. Isolation control systems.

7.1-33 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Emergency power systems

1. Standby ac power systems,

2. Emergency dc power systems.

e. Engineered safety feature systems

1. Combustible gas control system,

2. Standby gas treatment system (SGTS),

3. Suppression pool makeup system,

4. Control room atmospheric control and isolation system.

The criteria for separation of mechanical systems and equipment are discussed in Section 3.6.

7.1.2.2.3 Electrical Systems and Equipment The following electrical systems and equipment (including supporting systems) are necessary to assure proper plant-wide, total operating spectrum safety functions protection. Refer to Chapter 15 for total plant safety evaluation.

a. Reactor protection system (RPS) - instrumentation and control.

b. Containment and reactor vessel isolation control system (CRVICS) - instrumentation and controls.

c. Emergency core cooling systems (ECCS) - instrumentation and controls.

1. Low pressure core spray (LPCS) system,

2. Automatic depressurization system (ADS),

3. High pressure core spray (HPCS) system,

4. The low pressure coolant injection (LPCI) mode of residual heat removal (RHR) system.

7.1-34 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Other cooling water systems - instrumentation and controls

1. RCIC system - instrumentation and controls,

2. Standby service water system - instrumentation and controls,

3. RHR - containment spray cooling system instrumentation and controls,

4. RHR - reactor shutdown cooling system -

instrumentation and controls.

e. Containment systems - instrumentation and controls

1. Containment and auxiliary building isolation control systems - instrumentation and controls.

f. Emergency power system - instrumentation and controls

1. Standby ac power systems - instrumentation and controls,

2. Emergency dc power systems - instrumentation and controls.

g. Engineered safety features - auxiliary systems -

instrumentation and controls

1. Combustible gas control system - instrumentation and controls,

2. Standby gas treatment system (SGTS) - instrumentation and controls,

3. Suppression pool makeup system - instrumentation and controls,

4. Control room atmospheric control and isolation system

- instrumentation and controls.

The criteria for separation of electrical systems and equipment is discussed in subsection 8.3.1.4.

7.1-35 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.2.4 System Separation Requirements 7.1.2.2.4.1 Reactor Protection System (RPS)

The following general rules apply to both RPS and CRVICS wiring associated with RPS.

a. RPS cable outside the main protection system cabinets may be run with other ESF wiring of the same division in the same raceway system. Under-vessel neutron monitoring cables are not placed in any enclosure that unduly restricts their flexibility. Neutron monitoring cables (SRM, IRM, and APRM) may be run in the same raceway provided that four-divisional separation is maintained.

b. Wiring to duplicate sensors on a common process tap is run in separate raceways to their separate destinations in order to meet the single-failure criterion.

c. Wiring for sensors of more than one variable in the same trip channel may be run in the same raceway.

d. Wires from both RPS trip system trip actuators to a single group of scram solenoids may be run in a single raceway; however, a single raceway does not contain wires to more than one group of scram solenoids. Wiring for two solenoids on the same control rod may be run in the same raceway.

e. Cables through the primary containment penetrations are so grouped that failure of all cabling in a single penetration cannot prevent a scram. (This applies specifically to the neutron monitoring cables and the main steam isolation valves position switch cables.)

f. Power supplies to systems which de-energize to operate (so-called "fail-safe" power supplies) require only that degree of separation that is deemed prudent to give reliable operation (i.e., continuity of operation).

Therefore, the protection system fly-wheel motor generator (MG) sets and load circuit breakers are not required to comply with these separation requirements, even though the load circuits go to separated panels.

7.1-36 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

g. The RPS wiring is run and/or protected such that no common source of potentially damaging energy (e.g., electrical fire in non-RPS wireways, malfunction or misoperation of plant equipment, pipe rupture, etc.) could reasonably result in loss of ability to scram when required.

7.1.2.2.4.2 Emergency Core Cooling System (ECCS) and Containment and Reactor Vessel Isolation Control System (CRVICS)

The following general rules apply to ECCS and CRVICS wiring:

a. Separation is such that no single failure can prevent operation of an engineered safety function. Redundant (even dissimilar) systems may be required to perform the required function to satisfy the single failure criterion.

Figures 7.1-2, 7.1-4 through 7.1-6, 7.3-4 and Table 7.1-13 illustrate equipment separation into divisions and the allowable interconnections through isolating devices.

b. The inboard and outboard CRVICS isolation valves are backups for each other; consequently they are independent of and protected from each other to the extent that no single failure can prevent the operation of at least one of an inboard/outboard pair of shutoff valves. Figure 7.1-5 illustrates the MSL isolation valve separation concept.

c. Isolation valve circuits require special attention because of their function in limiting the consequences of a pipe break outside the primary containment. Isolation valve control and power circuits are protected from the pipe lines that are responsible for isolating as follows:

(1) Essential isolation valve wiring in the vicinity of the outboard valve (or downstream of the valve) is routed in rigid conduit so as to take advantage of the mechanical protection afforded by the valve operator or other available structural barriers not susceptible to disabling damage from the pipe line break. Additional mechanical protection (barriers) is interposed as necessary between wiring and potential sources of disabling mechanical damage consequential to a break downstream of the outboard valve.

7.1-37 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

(2) Isolation valve control and/or power wiring run in a raceway with other cables is protected from secondary effects of damage to those cables whichmight result from a pipe break in a line requiring isolation (i.e., short-circuits which might overheat cables in an ESF raceway).

(3) MOVs which have a mechanical check valve backup for their isolation function are included in the division which embraces the system in which the valves are located, rather than adhering strictly to the inboard/outboard divisional classification. The testable check valve cable is run in the same division with the cables for the MOV in the same line.

7.1.2.2.5 Physical Separation Requirements 7.1.2.2.5.1 Field-Mounted Equipment Protection against multiple failure is accomplished by providing protection against single failures and, in addition, by providing minimum physical separation of 3 feet or physical barriers between redundant channels, instruments, and sensing lines. This separation requirement is imposed so that redundant functions are not destroyed by a design basis event which they must mitigate.

Emphasis has been placed on protecting against physical events that could damage more than one sensing line or transmitter.

Incidents considered are missiles, pipe whip, high-pressure jets, falling objects, and fire hazards.

The instrument sensing line installation for the scram discharge volume high water level trip does not meet the minimum separation requirement of 3 feet. However, since the scram discharge instrument volume level switches and level transmitters provide an anticipatory trip (to ensure that scram discharge instrument volume has adequate capacity to accept a scram) and are not required to operate to mitigate an accident, no physical separation requirements are applicable.

Structural protection for transmitters and conduits and/or other armor for sensing lines is provided where physical damage from any of the events listed above is considered possible.

Refer to Sections 3.5, 3.6, 8.3, and 9.5.1 for additional, related physical separation criteria.

7.1-38 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.2.5.2 Local Control Panels and Racks Separation is accomplished by locating redundant equipment on physically separated control panels and racks. Each control panel and rack contains equipment associated with only one division, although some racks also contain non-divisional equipment. In those cases, wiring to the non-divisional devices is run in conduit separate from the divisional wiring and is terminated in physically separated junction boxes.

7.1.2.2.5.3 Control Room Panels No single control panel (or local panel or instrument rack) is allowed to include wiring essential to the protective function of two systems that are backups for each other except as allowed by item d. and item e. below:

a. If two panels containing circuits of different separation divisions are less than 1 foot apart, there is a steel barrier between the two panels. Panel ends closed by steel end plates are considered to be acceptable barriers provided that terminal boards and wireways are spaced a minimum of 1 inch from the end plate.

b. Panel-to-floor fireproof barriers are provided between adjacent panels of different divisions, and divisional equipment on the same panel.

c. Penetration of separation barriers within a subdivided panel is permitted, provided that such penetrations are sealed or otherwise treated so that an electrical fire could not reasonably propagate from one section to the other and disable a protective function.

d. Where, for operational reasons, locating manual control switches on separate panels is considered to be prohibitively (or unduly) restrictive to manual operation of equipment, the switches are to be located on the same panel provided no credible single event in the panel can disable both sets of redundant manual or automatic controls. Wherever wiring of two different divisions exists in a single panel section, separate terminal boards are provided and spacing of terminal boards and wiring is such as to preclude the possibility of fire propagation from one division of wiring to another. One of a redundant pair of devices in close proximity within a single panel 7.1-39 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) is considered adequately separated from the other if the wiring to one of the devices has flameproof insulation and is totally enclosed in fire-resistant material, including outgoing terminals at the control panel boundary as well as at the device itself. However, consideration is given to locating redundant switches on opposite sides of the barrier formed by the end closures of adjacent panels wherever operationally acceptable.

e. Detailed design basis, description, and safety evaluation aspects for the PGCC system are comprehensively documented and presented in GE-Topical Report: "Power Generation Control Complex"; NEDO-10466-A (2/79); by H. Clay, as modified by Addendum 1 (12/79).

7.1.2.2.6 Cables Separation between redundant safety-related cables and between safety and nonsafety-related cables is effected by the use of separate cable trays, conduit, containment penetrations, and routing. Cables of redundant safety function equipment are run along separate routes and are separated horizontally and vertically.

The criteria and bases for the installation of electrical cable, such as cable derating, routing, spacing and marking are covered in Chapter 8. Fire detection and protection in the areas where wiring is installed are covered in subsection 8.3.3.

7.1.2.2.7 Separation Between Safety-Related and Non-Safety Systems Analog or digital information signals that go to the annunciator or plant computer are isolated from the safety-related systems by means of active electronic isolation devices. This isolation technique ensures that no credible failures on the output side of the isolators will affect the function of safety-related systems, and that the independence of safety-related systems is not jeopardized.

Each signal which is isolated in this fashion for non-NSSS systems and the signal type (analog or digital) are tabulated in drawings E-1283, E-1284, E-1285, and E-1286, which are included by reference in Section 1.7.

7.1-40 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The NSSS systems which require isolators for interfaces between safety and non-safety systems are as follows:

• Automatic depressurization system

• Containment and reactor vessel isolation control system

• Nuclear boiler process instruments

• Reactor recirculation

• Reactor protection

• Residual heat removal

• Low-pressure core spray

• High-pressure core spray

• Leak detection system

• Main steam line isolation valve - leakage control system

• Reactor core isolation cooling

• Fuel pool cooling and cleanup system The parameters which interface between safety and non-safety systems are illustrated on system elementary diagrams, (provided by reference in Section 1.7) and are discussed in the analysis for system compliance to IEEE Std 279-1971, paragraph 4.7.

There are three types of isolators used in the Grand Gulf Nuclear Station as described below:

a. Remote Isolators Two remote isolation cabinets are provided in the auxiliary building at El. 139' (H22-P501 and H22-P502),

and two remote isolation cabinets are provided in the control building at El. 148' (H13-P891 and H13-P892).

These cabinets provide isolation of digital signals only.

Each isolator consists of a light-emitting diode optically coupled to a phototransistor. Class IE wiring is kept separated from non-Class IE wiring by metal barriers.

The isolating devices have been designed so that the abnormal conditions listed below will not cause unacceptable influences in the Class IE portions of the isolating devices and input circuits. Unacceptable influences would be evidence of arcing, insulation breakdown, short circuit, or ground.

7.1-41 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Abnormal Conditions

1. Safe shutdown earthquake, SSE.(Refer to Section 3.10.)

2. Abnormal environmental operating conditions. (Refer to Tables 3.11-2 and 3.11-3.)

3. Malfunctions in the non-Class IE portions of the isolation device or output circuit such as short circuit, ground, circuit open, or application of potential of 1500 volts rms, 60 Hz for 60 seconds at the output terminals.

Testing of this equipment and the information concerning tests is summarized and maintained in the GGNS Environmental Qualification and Seismic Qualification Central Files.

b. Control Room Isolators (Digital)

All of the interfaces are made through optical isolators.

For all conditions, the isolators are required to maintain isolation capability without generating spurious safety signals which might result in a false safety action.

Testing of isolation devices against EMI, short circuit failures, and voltage faults/surges is described in General Electric's qualification records and is available for audit in San Jose.

The qualification testing has been completed for the isolators. A brief summary of testing is as follows:

• Fire and heat barrier test results show that the isolators provide an acceptable barrier.

• Electrical isolation capability is maintained up to 5 kV.

• Seismic fragility limit has been established at 32 Hz, 3.5g Z axis, 32 Hz, 14g Y axis and 36 Hz, 5g X axis.

• RF EMI susceptibility testing resulted in no undesired response, degradation of performance, or permanent damage.

7.1-42 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

• Complete records and test results are available for audit at General Electric, San Jose.

c. Control Room Isolators (Analog)

Analog isolators also make interfaces through optical isolators. The input isolator cards convert analog signals to serialized digital information, which is translated back to analog signals by the output isolator cards. The acceptance criteria and testing for control room analog isolators is the same as for control room digital isolators.

7.1.2.3 Physical Identification of Safety-Related Equipment Cable, tray, and switchgear identification are described in Chapter 8. The identification of instrumentation and control equipment is as follows:

7.1.2.3.1 Nameplates Nameplates of individual color background are provided for all safety-related equipment, except for components mounted in assemblies that are clearly identified as being in a protection system, neutron monitoring system in-core detectors, equipment mounted in control room panels, and thermocouples having existing identification which shows them as being safety-related.

Nameplates are applied to control room equipment in a manner which is consistent with human factors considerations. Each division uses a distinguishing color as noted below:

Division Color 1 Yellow 2 Blue 3 Green 4 Orange Non-divisional Black or other neutral color, such as metallic 7.1-43 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.3.2 Control Panel Wiring Within a cabinet or panel that is associated and identified with a single separation group, the internal wiring is exclusively associated with the same separation group and requires no further identification. The cabinet or panel, however, is identified as to separation group.

Wiring within control panels where more than one separation group is present is identified by the color of the wiring insulation.

The identifying colors are the same as used for nameplates, except black, gray, white or neutral color may be used for nondivisional wiring.

7.1.2.3.3 Sensory Equipment Grouping and Designation Letters Redundant sensory equipment for RPS or ESF is identified by suffix letters in accordance with Table 7.1-10 for RPS, CRVICS and other deenergize-to-operate systems; Table 7.1-12 for ECCS, RCIC, and other energize-to-operate systems; and Table 7.1-11 for the neutron monitoring system. These tables also show the allocation of sensors to their separated divisions.

7.1.2.4 Conformance to Industry Standards The instrumentation and control systems discussed in this chapter conform to the following industry standards. A tabulation of which standards are applicable to each system is provided in Table 7.1-3. In addition, each 7.X.2 subsection provides additional discussions on certain portions of these standards where it is felt that amplifying information is necessary. Those industry standards that do not require additional information are not necessarily listed in the 7.X.2 subsection.

7.1.2.4.1 IEEE Standard 279-1971 The Grand Gulf design conforms to the requirements of IEEE 279-1971. Additional information on conformance to IEEE 279 is discussed on a system-by-system basis in the analysis portions of Sections 7.2, 7.3, 7.4, 7.5, and 7.6.

7.1.2.4.2 IEEE Standard 308-1974 The Grand Gulf design conforms to the requirements of IEEE 308-1974. Additional information on conformance to IEEE 308 is discussed in subsection 8.3.1.2.1.

7.1-44 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.4.3 IEEE Standard 317-1972/1983 The Grand Gulf design conforms to the requirements of IEEE 317-1972. The Grand Gulf design conforms to the requirements of IEEE 317-1983 for fiber optic penetration assemblies only. Additional information on conformance to IEEE 317 is discussed in conjunction with Regulatory Guide 1.63 in Appendix 3A.

7.1.2.4.4 IEEE Standard 323-1971 The Grand Gulf design conforms to the requirements of IEEE 323-1971. Additional information on conformance to IEEE Standard 323 is discussed in subsection 3.11.2.

7.1.2.4.5 IEEE Standard 334-1971 The Grand Gulf design conforms to the requirements of IEEE 334-1971. Additional information on conformance to IEEE 334 is discussed in conjunction with Regulatory Guide 1.40 in subsection 3.11.2 and Appendix 3A.

7.1.2.4.6 IEEE Standard 336-1971 The postoperation quality assurance program is discussed in a separate topical report submitted to the NRC in 1978.

7.1.2.4.7 IEEE Standard 338-1971 The Grand Gulf design conforms to the requirements of IEEE 338-1971. Additional information on conformance to IEEE 338 is discussed on a system-by-system basis in the analysis portions of Sections 7.2, 7.3, 7.4, and 7.6.

7.1.2.4.8 IEEE Standard 344-1971/1975 The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.1.2.4.9 IEEE Standard 379-1972 The Grand Gulf design conforms to the requirements of IEEE 379-1972. The extent to which the single failure criterion of IEEE 379 is satisfied is specifically covered for each system in the analysis of IEEE 279, paragraph 4.2 (see subsection 7.1.2.4.1 above).

7.1-45 Revision 2020-009

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.4.10 IEEE Standard 384-1974 The Grand Gulf design conforms to the requirements of IEEE 384-1974. The safety-related systems described in Sections 7.2, 7.3, 7.4, 7.5, and 7.6 meet the independence and separation criteria for redundant systems in accordance with IEEE 279, paragraph 4.6, (see 7.1.2.4.1 above), IEEE 384, and Regulatory Guide 1.75.

The electrical power supply, instrumentation and control wiring for redundant circuits have physical separation to preserve redundancy and ensure that no single credible event will prevent operation of the associated function. Credible events include, but are not limited to, the effects of short circuits, pipe rupture, pipe whip, high pressure jets, missiles, fire, earthquake, and falling objects, and are considered in the basic plant design.

The independence of tubing, piping, and control devices for safety-related controls and instrumentation is achieved by physical space or barriers between separation groups of the same protective function. In locations where a specific hazard exists (missile, jet, etc.) which could produce damage to safety-related controls and instrumentation, the physical separation or structural protection provided is adequate to ensure that no multiple failures can result from a single common event.

The criteria and bases for the independence of electrical cable, including routine, marking and cable derating, are covered in Section 8.3. Fire detection and protection in the areas where wiring is installed is covered in subsections 8.3.3 and 9.5.1.

7.1.2.5 Conformance to General Design Criteria Appendix A of 10 CFR 50, General Design Criteria for Nuclear Power Plants, establishes requirements for the principal design criteria for water cooled nuclear power plants. Section 3.1 provides a detailed discussion of all general design criteria.

Subsection 3.1.1 provides a discussion of compliance to the GDC.

This section describes how the criteria that are applicable to all safety-related systems are satisfied. A tabulation of GDC applicable to each instrumentation and control system is provided in Table 7.1-3. In addition, each 7.X.2 subsection provides additional discussions on certain portions of these GDC where necessary.

a. Criterion 1 - Quality Standards and Records 7.1-46 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The Grand Gulf design conforms to GDC 1. Additional information on the quality assurance program is discussed in a separate topical report submitted to the NRC in 1978, as referenced in Chapter 17.

b. Criterion 2 - Design Bases for Protection Against Natural Phenomena The Grand Gulf design conforms to GDC 2. Additional information on wind and tornado loadings are discussed in Section 3.3, flood design in Section 3.4, and seismic qualification of instrumentation and electrical equipment in Section 3.10.

c. Criterion 3 - Fire Protection The Grand Gulf design conforms to GDC 3. Additional information on the fire protection system and its design bases are discussed in subsection 9.5.1. Fire protection for cable systems is described in subsections 8.3.3 and 9.5.1.

d. Criterion 4 - Environmental and Missile Design Bases The Grand Gulf design conforms to GDC 4. Additional information on missile protection is discussed in Section 3.5 and environmental qualification of equipment in subsection 3.11.2.

e. Criterion 5 - Sharing of Structures, Systems, and Components Grand Gulf Unit 2 has been cancelled. Thus, sharing of structures, systems, and components is no longer applicable to Grand Gulf Unit 1.

7.1.2.6 Conformance to NRC Regulatory Guides A discussion of the conformance of the Grand Gulf design to each Regulatory Guide applicable is provided in Appendix 3A. A tabulation of regulatory guides applicable to each instrumentation and control system is provided in Table 7.1.3. In addition, certain 7.X.2 subsections provide additional discussions on certain portions of these regulatory guides where necessary.

7.1-47 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The instrumentation and control systems discussed in this chapter conform to the following regulatory guides.

7.1.2.6.1 Regulatory Guide 1.6 The Grand Gulf design complies with the requirements of Regulatory Guide 1.6. Additional information on conformance to Regulatory Guide 1.6 is discussed in subsection 8.3.1.2.1.

7.1.2.6.2 Regulatory Guide 1.7 The Grand Gulf design complies with the requirements of Regulatory Guide 1.7. Additional information on conformance to Regulatory Guide 1.7 is discussed in subsection 6.2.5.

7.1.2.6.3 Regulatory Guide 1.11 The Grand Gulf design complies with the requirements of Regulatory Guide 1.11. Additional information on conformance to Regulatory Guide 1.11 is discussed in subsection 6.2.4.

7.1.2.6.4 Regulatory Guide 1.22 The Grand Gulf design complies with the requirements of Regulatory Guide 1.22. Additional information on conformance to Regulatory Guide 1.22 is discussed for the applicable systems in the analysis portion of Sections 7.2, 7.3, 7.4, and 7.6.

7.1.2.6.5 Regulatory Guide 1.29 The Grand Gulf design complies with the requirements of Regulatory Guide 1.29 except as stated in Appendix 3A.

The instrumentation and control equipment required to meet seismic Category I requirements of Regulatory Guide 1.29 is identified in Chapter 3, Table 3.2-1.

7.1.2.6.6 Regulatory Guide 1.30 The Grand Gulf design complies with the requirements of Regulatory Guide 1.30. Additional information is provided in Appendix 3A. Exceptions to the guide are discussed in the post-operation quality assurance program.

7.1-48 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.6.7 Regulatory Guide 1.32 The Grand Gulf design complies with the requirements of Regulatory Guide 1.32. Additional information on conformance to Regulatory Guide 1.32 is discussed in subsection 8.3.1.2.1.

7.1.2.6.8 Regulatory Guide 1.40 The Grand Gulf design complies with the requirements of Regulatory Guide 1.40. Additional information on conformance to Regulatory Guide 1.40 is discussed in subsection 3.11.2.

7.1.2.6.9 Regulatory Guide 1.45 The Grand Gulf design complies with the requirements of Regulatory Guide 1.45 except as stated in Appendix 3A. Additional information on conformance to Regulatory Guide 1.45 is discussed in subsection 7.6.2.4.2.1.

7.1.2.6.10 Regulatory Guide 1.47 The Grand Gulf design complies with the requirements of Regulatory Guide 1.47.The control circuits and indicators provided to monitor the bypassed and inoperable status of safety systems meet the requirements of Regulatory Guide 1.47 as stated in subsection 7.5.2.5.5 and as described in subsection 7.5.1.3.

7.1.2.6.11 Regulatory Guide 1.53 The Grand Gulf design complies with the requirements of Regulatory Guide 1.53. The safety-related system designs conform to the single fai1ure criterion. The analysis portions of Sections 7.2, 7.3, 7.4, 7.5, and 7.6 provide further discussion.

7.1.2.6.12 Regulatory Guide 1.56 The Grand Gulf design complies with the requirements of Regulatory Guide 1.56. The reactor water cleanup system provides the capability to maintain water purity in conformance with Regulatory Guide 1.56. Further discussion is provided in subsection 7.7.2.8.2.

7.1-49 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.6.13 Regulatory Guide 1.62 The Grand Gulf design complies with the requirements of Regulatory Guide 1.62. Manual initiation of the protective action is provided at the system level in the reactor protection system, containment and reactor vessel isolation control system, emergency core cooling systems, combustible gas control system (drywell purge), standby gas treatment system, suppression pool makeup system, control room atmospheric control and isolation system, and standby service water system. The analysis and description portions of Sections 7.2 and 7.3 provide further discussion.

7.1.2.6.14 Regulatory Guide 1.63 The Grand Gulf design complies with the requirements of Regulatory Guide 1.63. Additional information on conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.1.2.6.15 Regulatory Guide 1.68 The Grand Gulf design complies with the requirements of Regulatory Guide 1.68. Additional information on conformance to Regulatory Guide 1.68 is discussed in Chapter 14 and Appendix 3A.

7.1.2.6.16 Regulatory Guide 1.73 The Grand Gulf design complies with the requirements of Regulatory Guide 1.73. Additional information on conformance to Regulatory Guide 1.73 is discussed in subsection 3.11.2.

7.1.2.6.17 Regulatory Guide 1.75 The Grand Gulf design complies with the requirements of Regulatory Guide 1.75 except as stated in Appendix 3A. Additional information on conformance to Regulatory Guide 1.75 is discussed in subsections 7.1.2.2 and 8.3.1.4.

7.1.2.6.18 Regulatory Guide 1.80 The Grand Gulf design complies with the requirements of Regulatory Guide 1.80 except as stated in Appendix 3A.

7.1-50 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.2.6.19 Regulatory Guide 1.89 The Grand Gulf design complies with the requirements of Regulatory Guide 1.89 except as stated in Appendix 3A. Additional information on conformance to Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.1.2.6.20 Regulatory Guide 1.95 The Grand Gulf design complies with the requirements of Regulatory Guide 1.95 except as stated in Appendix 3A.

7.1.2.6.21 Regulatory Guide 1.96 The Grand Gulf design complies with the requirements of Regulatory Guide 1.96. The main steam isolation valve leakage control system is designed to the requirements of Regulatory Guide 1.96. Further discussion is provided in subsection 7.3.2.3.2.1.9.

7.1.2.6.22 Regulatory Guide 1.106 The Grand Gulf design complies with the requirements of Regulatory Guide 1.106. The thermal overload protection device of each "Q-listed" motor-operated valve is wired in one of four manners:

a. Such that it is continuously bypassed during normal plant operations. (Each valve train wired in this manner is equipped with a key-locked manual test switch located in the control room. Placing a switch in the test position allows the thermal overload devices to be placed in force for the system undergoing the test, and is continuously annunciated in the control room.)

b. Such that it can be manually bypassed by holding the control switch in the position that places the valve in its safe mode.

c. Such that it is automatically bypassed on receipt of a LOCA signal.

d. Such that it is continuously in the circuit, with setpoints determined in accordance with Paragraph C.2 of the Regulatory Guide. (During accident mitigation or bringing the plant to cold shutdown, these valves need not 7.1-51 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) change position from that of normal plant operation. If these valves for any reason change position from that of normal operation, they will not have any adverse affect on accident mitigation or normal shutdown efforts. As such, valves in this category do not have any safety function other than maintaining system integrity.)

7.1.2.7 Safety System Settings The safety system set points are listed in the design basis discussions for each safety system. The settings are determined based on operating experience and conservative analyses. The settings are high enough to preclude inadvertent initiation of the safety action, but low enough to assure that significant margin is maintained between the actual setting and the limiting safety system settings. Instrument drift, ease of set point adjustment, and repeatability are considered in the set point determination. The margin between the limiting safety system settings and the actual safety limits include consideration of the maximum credible transient in the process being measured.

Entergy Letter GNRO-2010/0056 identified that the instrument setpoint methodology currently implemented at GGNS is based on Instrument Society of America (ISA) Standard 67.04 Part II, 1994, Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation, and the General Electric Hitachi (GEH) Instrument Setpoint Methodology (ISM) specified in NEDC-31336P-A, General Electric Instrument Setpoint Methodology. Additionally, in the NRC safety evaluation for Amendment No. 191, the NRC states: Entergy stated that its setpoint calculations in support of the EPU LAR were based on NEDC-31336P-A, General Electric Instrument Setpoint Methodology, September 1996 (Reference 120), which includes the NRC-approved SE dated November 6, 1995. GEH NEDC-31336P-A, Section 3.25, states, in part:

Turbine first stage pressure has been historically used as the parameter to approximate reactor power and effect the actual trip bypass. The Reactor Protection System (RPS) design purposely chooses this parameter, as opposed to the more direct measurement of power such as neutron flux, in order to assure diversity between the TSVC [turbine stop valve closure] and TCVFC [turbine control valve fast closure] scram functions and the neutron flux scram function.

7.1-52 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

This statement is not completely applicable as it pertains to GGNS because the UFSAR (Section 7.2.1.1.4.2 paragraph d and e) does not credit the neutron flux scram for diversity from the TSVC and TCVFC scrams. Rather, it credits the reactor vessel high-pressure trip signal. As such, Section 3.25 of NEDC-31336P-A is considered not applicable based on the current design and licensing basis for the GGNS. In License Amendment No. 217, the NRC staff determined that replacement of the TFSP signals with neutron flux signals for the purpose of performing P-bypass functions reduces the likelihood of malfunction of the signal to the bypass when compared to the original design.

The method employed to establish adequate margins for instrument set point drift, inaccuracy, and calibration uncertainty as discussed in NRC Regulatory Guide 1.105 is explained by reference to Figure 7.1-10. Because of the generic nature of this figure it is not drawn to any scale and is used solely to illustrate the qualitative relationships of the various margins. Starting with a Safety Limit as indicated at the extreme right hand of the figure, the first margin extends to the point marked Analytical Limit.

This margin is there to account for uncertainties in the calculational model used but excludes allowances for instrumentation. Thus the calculational model can assume ideal or perfect instruments. The next margin is between the Analytical Limit and the Allowable Value of the parametric set point, and accounts for instrument errors and calibration capability for the specific instrumentation. The remaining margin which is of interest from a safety standpoint is that shown between the Allowable Value and the Instrument Set Point. This margin is that which is deemed adequate to cover instrument drift which might occur during the established surveillance period. It follows that if during the surveillance period an instrument has drifted from its set point in a nonconservative direction but not beyond the allowable value, then the instrument performance is still within the requirements of the plant safety analysis.

For completeness, Figure 7.1-10 shows further margin between the Instrument Set Point and the Maximum (Licensed) Operating Point for the plant.During plant operation, transient overshoots may occur for certain parameters and instrument "noise" may be present. The instrument set point may also drift in a conservative manner. There must be sufficient margin between the instrument set point and the maximum operating point to avoid spurious reactor scrams or unwarranted system initiations.

7.1-53 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Not all parameters (functional units) have an associated analytical limit, and a Design Basis (DB) Limit is indicated. In general, the analytical limit is employed in those cases where a functional unit set point is directly associated with an analyzed abnormal plant transient or accident as described in Chapter 15 of the FSAR. Where a design basis limit is used, it is not always possible to provide simple quantification of the limit, e.g.,

IRMs are only required to overlap in range with portions of the SRM and APRM ranges. A similar situation occurs with the main steam line radiation sensors which have a set point based essentially on previous operating experience.

The periodic test frequency for each variable is determined from experimental data on set point drift and from quantitative reliability requirements for each system and its components.

7.1.3 Protection System In-Service Testability 7.1.3.1 General This subsection describes the equipment and features incorporated in the protection system design to facilitate in-service testability. Previous designs have included provisions for inservice testing; however, these new features will increase system reliability and simplify testing procedures.

7.1.3.2 Design Basis Operating experience indicates that direct pressure or differential pressure actuated switches installed in panels are subject to drift. Additionally, surveillance requirements on this instrumentation have led to a high rate of surveillance testing.

Surveillance testing requires a large amount of manpower to accomplish and places the plant in a half scram condition when an instrument is out of service for calibration or testing.

Therefore, the bases for these protection system changes are as follows:

a. Reduce the time required to be placed in a half scram condition in order to functionally test or calibrate a safety trip 7.1-54 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Reduce the functional test or calibration frequency for the primary sensor from once per month to once per fuel outage for multi-channel variables. This will allow calibration of the primary sensor to be performed when the reactor is shutdown.

c. Since the calibration and test for multi-channel variables will be performed when the plant is shutdown, the exposure to valving errors and hydraulic bump from valving for the RPV sensors will be virtually eliminated.

d. Virtually eliminate instrument testing related scrams

e. Virtually eliminate undetected primary sensor element drift due to the utilization of a meter in each primary sensor signal loop

f. Decrease the amount of time required to functionally test or calibrate the safety trip point

g. Eliminate the need for hydraulic snubbers at the input to the primary sensor

h. Significantly reduce the number of abnormal occurrence reports filed with the NRC for setpoint drift 7.1.3.3 General Description The trip unit/calibration system represents a best approach to meet the desires for testability and increased reliability. The trip unit/calibration system is an all solid-state electronic trip system designed to provide highly stable and accurate monitoring of critical process parameters.

The system consists of master trip assemblies, slave trip assemblies, calibration units, card file assemblies, and other accessories. The master trip unit interfaces with a 4-20 ma transmitter located at some remote location within the power plant. The slave trip unit is driven from the analog output of a master trip unit.The calibration unit has the capability of providing either a stable or transient calibration current that can be routed by a switch to any master unit.

7.1-55 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.3.4 Evaluation The master trip unit is a plug-in printed circuit assembly designed to accept a 4-20 ma signal from a remote transmitter.

The trip unit contains the circuitry necessary to condition the transmitter current and to provide the desired switching functions and analog output signals. The master trip unit provides energizing current at any point in the 4-20 ma input signal range for trip relays. The master trip unit also contains a panel meter that displays transmitter current and is scaled in the units of the process variable being measured by the transmitter wired to the master trip unit. A switch position selection internal to the master trip unit allows for selection of either high trip point or low trip point. This allows trip relays to be either energized or deenergized during normal operation.

Calibration of the master trip unit is performed by supplying stable and transient input currents of known accuracy. During calibration, the trip action is displayed on display #2 of the removable display assembly. The accuracy of the analog output of the master trip unit may also be checked during the calibration procedure. A block diagram of the master trip circuit is shown in Figure 7.1-7.

The slave trip unit contains the circuitry and trip relay energizing current required to perform the trip function. The slave trip unit is driven by the analog output signal from the master trip unit. There is no direct connection to any 4-20 ma transmitter. No analog output signals are generated by the slave unit. Calibration of the slave unit is accomplished by commanding the master trip unit which drives the slave unit under test into the calibration mode and then performing the normal calibration procedure. A block diagram of the slave trip circuit is shown in Figure 7.1-8.

7.1.3.5 Surveillance and Testing The function of the calibration unit is to furnish the means by which an in-place calibration check of the master and slave trip units can be performed. The calibrator contains a stable current source and a transient current source. Normal use of the stable current is for verification of the calibration point of any given channel. The transient current source is used to provide a step current input into a selected channel such that the response time of that channel can be determined. A block diagram of the calibration unit is shown in Figure 7.1-9.

7.1-56 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1.4 References

1. GNRI-2019/00030, Grand Gulf Nuclear Station, Unit 1 -

Issuance of Amendment to Modify the Updated Safety Analysis Report to Replace First Stage Pressure Signals with Power Range Neutron Monitoring System Signals (EPID L-2018-LLa-0072). March 12, 2019, [Amendment No. 217]

7.1-57 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-1: SYSTEM IDENTIFICATION AND RESPONSIBILITY System Designer Supplier Reactor Protection System Reactor Protection System (RPS) NSSS Partially-NSSS Engineered Safety Feature Systems Emergency Core Cooling System (ECCS) NSSS Partially-NSSS High Pressure Core Spray System (HPCS)

Automatic Depressurization System (ADS)

Low Pressure Core Spray System (LPCS)

Low Pressure Coolant Injection (LPCI-RHR)

Containment and Reactor Vessel Isolation Control System (CRVICS) NSSS Partially-NSSS Main Steamline Isolation Valve Leakage Control System (MSIVLCS) NSSS NSSS Feedwater Leakage Control System (FWLC) Non-NSSS Non-NSSS Combustible Gas Control System (CGCS) Non-NSSS Non-NSSS RHR - Containment Spray Cooling System (CSCS) NSSS Partially-NSSS Standby Gas Treatment System (SGTS) Non-NSSS Non-NSSS Suppression Pool Makeup System (SPMU) Non-NSSS Non-NSSS Control Room Atmospheric Control and Isolation System (CRACIS) Non-NSSS Non-NSSS Auxiliary Supporting Systems Standby Service Water System (SSW) Non-NSSS Non-NSSS 7.1-58 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-1: SYSTEM IDENTIFICATION AND RESPONSIBILITY (CONTINUED)

System Designer Supplier Standby Power System Non-NSSS Non-NSSS HVAC for ESF Areas Non-NSSS Non-NSSS Safeguard Switchgear and Battery Rooms Ventilation System Standby Service Water Pump-house Ventilation System Diesel Generator Building Ventilation System ECCS Pump Room Ventilation System Emergency Switchgear Rooms Ventilation System Diesel Generator Auxiliary Systems Partially-NSSS Partially-NSSS Systems Required for Safe Shutdown Remote Shutdown System (RSS) Non-NSSS Non-NSSS Alternate Shutdown System Non-NSSS Non-NSSS Reactor Core Isolation Cooling System (RCIC) NSSS NSSS Standby Liquid Control System (SLCS) NSSS NSSS RHR - Reactor Shutdown Cooling System NSSS NSSS Safety-Related Display Partially-NSSS Partially-NSSS Instrumentation All Other Systems Required for Safety Refueling Interlocks NSSS NSSS Process Radiation Monitoring System NSSS NSSS Leak Detection System NSSS NSSS Neutron Monitoring System NSSS NSSS 7.1-59 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-1: SYSTEM IDENTIFICATION AND RESPONSIBILITY (CONTINUED)

System Designer Supplier Intermediate Range Monitor (IRM)

Average Power Range Monitor (APRM)

Local Power Range Monitor (LPRM)

Source Range Monitor (SRM)

Rod Control and Information System NSSS NSSS Rod Block Trip System Rod Pattern Control System (RPCS)

Recirculation Pump Trip System (RPT) NSSS NSSS Spent Fuel Pool Cooling and Cleanup System (SFPCC) NSSS Partially-NSSS Component Cooling Water System-Fuel Pool Cooling Non-NSSS Non-NSSS Suppression Pool Temperature Monitoring System Non-NSSS Non-NSSS Auxiliary Building Isolation Control System Non-NSSS Non-NSSS ATWS Mitigation Capability NSSS NSSS Control Systems Not Required for Safety Reactor Vessel Instrumentation NSSS NSSS Rod Control and Information System- NSSS NSSS Rod Movement Control Recirculation Flow Control System NSSS NSSS Feedwater Control System Partially-NSSS Partially-NSSS Pressure Control and Turbine Generator System Partially-NSSS Non-NSSS Neutron Monitoring System NSSS NSSS Traverse Incore Probe (TIP)

NSSS Process Computer System NSSS NSSS Reactor Water Cleanup System (RWCU) NSSS Partially-NSSS Gaseous Radwaste System NSSS NSSS Auxiliary Building Pressure Control System Non-NSSS Non-NSSS 7.1-60 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-1: SYSTEM IDENTIFICATION AND RESPONSIBILITY (CONTINUED)

System Designer Supplier Process Sampling System (PSS) Non-NSSS Non-NSSS 7.1-61 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-2: SIMILARITY TO LICENSED REACTORS Plants Applying for or Having Construction Instrumentation and Controls Permit or Operating Similarity (System) License of Design (1) Reactor Protection System Zimmer-1, LaSalle See Note 1 (2) Containment and Reactor Vessel LaSalle See Note 2 Isolation Control System (3) Emergency Core Cooling System Zimmer-1, LaSalle See Note 3 (4) Main Steamline Isolation Valve None New design Leakage Control System (5) Feedwater Leakage Control None New design System (6) Combustible Gas Control None New design System (7) RHR - Containment Spray Cooling LaSalle See Note 3 Systems (8) Standby Gas Treatment System None New design (9) Suppression Pool Makeup None New design System (10) Control Room Atmospheric None New design Control and Isolation System (11) Standby Service Water System None New design (12) Standby Power System None New design (13) HVAC for ESF Areas None New design (14) Diesel Generator Auxiliary None New design Systems (15) Remote Shutdown System None New design (16) Reactor Core Isolation Zimmer-1, LaSalle See Note 3 Cooling System (17) Standby Liquid Control System None See Note 13 (18) Reactor Shutdown Cooling Zimmer-1, LaSalle See Note 3 System (19) Safety-Related Display LaSalle See Note 14 Instrumentation (20) Refueling Interlocks LaSalle Identical (21) Process Radiation Monitoring LaSalle See Notes 6 System and 10 (22) Leak Detection System LaSalle See Note 9 (23) Neutron Monitoring System Zimmer-1, LaSalle See Note 4 (24) Rod Control and Information LaSalle See Note 12 System (25) Recirculation Pump Trip Zimmer Identical (26) Spent Fuel Pool Cooling and Fermi 2 See Note 11 Cleanup System 7.1-62 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-2: SIMILARITY TO LICENSED REACTORS (CONTINUED)

Plants Applying for or Having Construction Instrumentation and Controls Permit or Operating Similarity (System) License of Design (27) Component Cooling Water None New design System-Fuel Pool Cooling (28) Suppression Pool Temperature None New design Monitoring (29) Auxiliary Building Isolation None New design Control System (30) Reactor Vessel Instrumentation Hatch-l See Note 5 (31) Recirculation Flow Control Zimmer-1 Identical System (32) Feedwater Control System None New design (33) Pressure Control and Turbine None New design Generator System (34) Deleted (35) Reactor Water Cleanup System Zimmer-1, LaSalle See Note 8 (36) Gaseous Radwaste System Hanford-2 See Note 15 (37) Auxiliary Building Pressure None New design Control System (38) ATWS Mitigation Capability None Later -

design not determined (39) Process Sampling System None New design (40) Alternate Shutdown System None New design Note 1 This plant has more control rods and a larger CRD scram discharge volume than Zimmer. This plant has sufficient discharge volume capacity to contain the required number of scrams and sufficient scram initiation equipment, (control rod solenoids, actuator logic, and control cables), to effect a scram. This plant has four manual scram buttons arranged in the same logic as the sensor.

On this plant, instrument racks have been located in four distinct quadrants of the power plant. This makes separation much easier. The Division 1 RPS equipment is now physically located with the Division 1 ECCS and isolation equipment.

7.1-63 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Note 2 The containment and reactor vessel isolation control system supplied for the Mark III containment is identical to the system supplied on LaSalle.

Instrument rack locations are different because of the different plant designs and the drywell ventilation system valves will be isolated along with the containment.

Note 3 The ECCS, RCIC system, and shutdown cooling system function exactly the same as the Zimmer and LaSalle ECCS, RCIC, and shutdown cooling systems using the same instruments (except for possible range or setpoint changes), valving, and logic. Containment spray is automatically initiated and there is no suppression pool spray. There are different interlocks on a different valve arrangement for containment spray. Instrument and instrument rack locations are different.

Note 4 The neutron monitoring system for this plant is similar to that previously described for LaSalle or Zimmer with the following differences:

a. Core size is larger, so the number of SRM channels has increased from four to six. Bypass provisions are made for bypassing one out of each group of three (two out of six) instead of one out of four. The quantity of meters for channel readout has increased from four to six and provision is made for recording all six outputs instead of two out of four. There are no safety consequences since the SRM has no safety functions.

b. Larger core size has 44 LPRM strings (176 detectors). The number of groups of LPRM channels is four, so the number of LPRM channels averaged in each APRM has increased to 44 against 21 and 20 for LaSalle and 17 and 14 for Zimmer. The assignment pattern has remained the same, so the quality of the average is maintained.

c. Fuel changes have increased the average thermal neutron fluxes throughout the core, but the leakage fluxes to which the LPRM detectors must be designed are either the same or slightly lower.

Thus, the equipment as designed for LaSalle or Zimmer is adequate for this plant.

d. APRM upscale trips have been changed so that a trip will occur on either of the following conditions:

(1) When APRM level signal (approximately 100 ms time constant) exceeds a fixed trip level of approximately 120 percent power, or (2). When APRM level signal (approximately 6-second time constant to be compatible with fuel rod time constant of 7-10 seconds) exceeds a trip level variable with recirculation driving flow having a fixed maximum of approximately 115 percent power.

7.1-64 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Analyses that show that these trips provide adequate core protection during power changes and transients, and retrofit of this feature (sometimes called "thermal power monitor") have been done for LaSalle, Zimmer, and other plants previously described.

e. The TIP system used for calibrating the LPRM detectors has minor changes resulting from Mark III containment design. Ball and shear valves previously required to seal off the guide tube paths where they penetrated the containment are no longer necessary, as the guide tubes no longer penetrate the containment. This also eliminates the logic circuits associated with the valves and the need to withdraw the TIPS on command of containment isolation, simplifying the system. The structural arrangement also permits the use of concrete wall sections for shielding against emanations from the drive cable.

The same number of TIP drive channels (five) are required for this plant as for LaSalle. As the TIP system is for calibration only, there are no core protection safety consequences.

Note 5

a. Water Level (1) Fuel Zone Range The water level in this range is called the "shroud water level" range for Hatch 1. The name was changed to "fuel zone" which is more descriptive of the measurement for this plant.

(2) The active range for Hatch 1 is -100/0/+200 inches with zero at the top of active fuel. The active range for this plant is -

153/0/147 inches with zero at the top of the active fuel.

All other features of this range are identical for Hatch 1 and this plant.

(3) Wide-Range Water Level The number of axial tap sets on the reactor pressure vessel is two for Hatch 1. The number of axial tap sets on the reactor pressure vessel is four for this plant. The reason for this change is to facilitate four-way separation for the reactor water level and pressure instrumentation.

The number of axial tap sets on the reactor pressure vessel is two for Hatch 1. The number of axial tap sets on the reactor pressure vessel is four for this plant. The reason for this change is to facilitate four-way separation for the reactor water level and pressure instrumentation.

Hatch 1 has temperature equalization columns for the wide-range water level instrument range. This design uses a cold-condensate, reference leg chamber with uninsulated impulse lines. It has been determined that the temperature equalization column for the wide-range level range does not improve the accuracy of the water level measurement sufficiently to warrant its use.

7.1-65 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

For Hatch 1, the routing of the impulse line from the reactor vessel to the drywell penetration is such that the reference leg and variable leg from the bottom of the temperature equalization column penetrates the drywell at the same elevation for the wide-range water level range. Because the uninsulated reference leg is more sensitive and has a faster response to changes in the drywell temperature than the temperature equalization column, the impulse lines for water level instrumentation reflect a different design for this plant. This design is to route the impulse lines from the reactor pressure vessel nozzle to the drywell so the elevation drop from the vessel nozzle to the drywell penetration is the same for the reference leg as it is for the variable leg within

+/-1 foot. The desired outcome of this drywell instrument impulse routing design is to eliminate the change in sensed water level that is caused by changes in the drywell temperature.

(4) Water Level Recording For Hatch 1, the water level is recorded on the narrow range as part of the feedwater control system. This range is intended to overlap the shroud water level range. For this plant, the new instruments have been added to facilitate recording of the wide-range water level on two separate recorders in the control room.

The narrow range is also recorded as part of the feedwater control system. All other features of this range are identical for Hatch 1 and this plant.

(5) Shutdown Range Same as Hatch 1.

(6) Upset Range Hatch 1 does not have upset range water level measurement. This range extends from zero (15 inches above bottom of dryer skirt) to +180 inches. It is provided to monitor effectively the water level in the area of the steam lines and is calibrated to measure accurately during reactor operation.

b. Vessel Pressure (1) Pressure Sensors The reactor vessel pressure for Hatch 1 is monitored with pressure switches which are connected to the reactor water level impulse lines. The pressure switches are distributed on two instrument panels. The reactor vessel pressure for this plant is monitored with pressure transmitters connected to the reference legs of the water level sensing lines. The pressure transmitters are distributed on four instrument panels. The reason for this change was to facilitate four-way separation for the reactor pressure instrumentation.

7.1-66 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Pressure Recording For Hatch 1, the reactor pressure is recorded as part of the feedwater control system. For this plant new instruments have been added to facilitate the recording of a larger range of reactor pressure on two recorders located in the control room.

All other features of this range are identical for Hatch 1 and this plant.

Note 6 (2)

The main steam line radiation monitoring subsystem, the containment and drywell ventilation exhaust radiation monitoring subsystem, and the carbon-bed vault radiation monitoring subsystem are identical to LaSalle's, except that LaSalle uses two channels to monitor the carbon-bed instead of one. The offgas pre-treatment radiation monitoring subsystem is different in that the detector and the electronics are different. Sensitivity is the same in both cases even though the package has been reduced in size, except for the electronics. The new electronics provide the same sensitivity as the old, but in a smaller package.

The offgas post-treatment radiation monitoring subsystem has new electronics and a redesigned sample rack, but is functionally identical. The redesigned sample rack utilizes a sample chamber with more shielding, and uses a Geiger-Mueller-type detector rather than a scintillation detector. This subsystem has greater sensitivity than that of LaSalle.

The following subsystems are identical to the containment and drywell ventilation exhaust subsystem discussed above: (1) auxiliary building fuel handling area ventilation exhaust; (2) auxiliary building fuel handling area pool sweep ventilation exhaust; (3) control room intake.

The offgas and radwaste building vent radiation monitoring subsystem uses the new electronics and redesigned sample rack described above. This plant will have one channel within this subsystem. LaSalle, however, has two channels.

The liquid process radiation monitoring subsystem uses new electronics and a new shielded-sample chamber for better channel sensitivity.

This plant's containment ventilation radiation monitoring subsystem, fuel handling area ventilation radiation monitoring subsystem, and turbine building ventilation radiation monitoring subsystem are identical with the offgas and radwaste building ventilation radiation monitoring subsystem described above.

Note 7 Deleted Note 8 This is not a safety-related system. The isolation valves for this system that are safety-related are treated under the containment and reactor vessel isolation control system.

Note 9 7.1-67 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

No differences exist between the safety-related components of the LaSalle design and this design. Some differences occur in the sump monitoring subsystem due to different sump arrangements. These differences have no safety consequence.

Note 10 Location of the detectors are different because of the different plant design.

Note 11 SFPCC is functionally equivalent, except that the cooling portion is safety-related.

Note 12 The rod control and information system differs from the LaSalle reactor manual control system in that: (1) rod pattern control function is dual channel instead of single channel; (2) the rod position information is dual channel instead of single channel and multiplexing equipment is inside containment instead of in the control room; (3) ganged rod (1 rod per quadrant of core) motion is permitted; (4) full core display is LED indication instead of incandescent lamps; (5) the rod pattern control function is extended into the power operation range where it assumes the previous function of a rod block monitor (preventing continuous rod withdrawal), and (6) additional separation and isolation is provided.

Note 13 SLCS logic is not similar to any plant design previous to BWR 6.

(1) In compliance with Regulatory Guide 1.75, the system has two electrically separated trains of control from essential power sources (Division 1 and 2).

This deletes simultaneous squib firing typical of previous plants so that each valve is fired individually with the initiation switch of each division. The same switches also open the pump inlet MOV and activate the main pump for that division.

(2) Control devices were moved from H13-P603 to H13-P601 because of divisional separation requirements.

(3) Since SLCS is considered a backup for the CRD system, it is not a safety requirement that the two trains be separated nor does the overall mechanical system need to be single-failure proof.

However, it is important for plant availability that they are separated. One pump and essential bus can be out of service for maintenance and the plant can continue at power. However, if both pumps are out of service, the plant must be shut down as required by the technical specifications.

(4) Continuity loops were expanded to include squib current limit resistors. Squib fuses were changed from "slow blow" to "fast-acting."

7.1-68 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

(5) Overload monitors and status lights were added and annunciators changed to comply with Regulatory Guide 1.47.

(6) Optical isolators were added to the divisional annunciator loops to comply with Regulatory Guide 1.75.

Note 14 Identical except that all safety-related display instrumentation is seismically qualified.

Note 15 Identical except that Grand Gulf has two condensers, whereas Hanford-2 has only one.

7.1-69 Revision 2016-00

Revision 2016-00 7.1-70 BRANCH TECHNICAL POSITIONS - EICSB NRC REGULATORY GUIDES 1.89(2) 1.95 1.96 1.97*** 1.6 1.7 1.11 1.22 1.106 1

3 4 1.29*

1.30 1.32 5

9 10 12 1.40 1.45 1.47 1.53 13 14 15 16 1.56 1.62**

1.63 18 19 20 21 1.66 1.68 1.73 22 1.75

• 1.26 (3) 23 24 25 26 1.80 27 X X X X X X X X X X X X X

X X REACTOR PROTECTIO SYSTEM X

X X X X X X X X X X X X X

X CONTAINMENT AND REACTOR X

VESSEL ISOLATION CONTROL X X X X X X X X

X X

X X X X X X X X X X EMERGENCY CORE COOLING X

X X X X X X X

X MAIN STEAMLINE ISOLATION X X X X X X VALVE LEAKAGE CONTROL X

X X X X X X X X X X X

X X X FEEDWATER LEAKAGE CONTROL X X X

X ENGINEERED SAFETY X

X X X X X X X X X X X X X

X X

X

• • 1.60 (3) COMBUSTIBLE GAS CONTROL X X X X X X X

X X RHR-CONTAINMENT SPRAY X X X X X X X X X COOLING SYSTEM X X X X

X FEATURES SYSTEMS X X X X X X X X X X STANDBY GAS TREATMENT X X X X X X X

X X

X X X X X X X X X SUPPRESSION POOL MAKEUP X

X X X X X X X X X X X X

X CONTROL ROOM ATMOSPHERIC X X CONTROL AND ISOLATION X

X X X X X X X X X X X X X

X X X STANDBY SERVICE WATER

---

SEE SECTION 8.3.1.2--------------------------------------------------- STANDBY POWER SYSTEM AUXILIARY X X X X X X X X X

X X X HVAC FOR ESF AREAS SYSTEMS X

X X X X X X X X X

X X X DIESEL GENERATOR AUXILIARIES

• • • • 1.100(3)

X X X X X X X X

X X

X X REMOTE SHUTDOWN X X X X X X X X

X X

X X ALTERNATE SHUTDOWN X

SYSTEMS REQUIRED X

X X X X X X X X X X X X

X X X REACTOR CORE ISOLATION COOLING X X X X X X X X X X

X X STANDBY LIQUID CONTROL X

X X X X X X X X X X X

X X X FOR SAFE SHUTDOWN REACTOR SHUTDOWN COOLING X X X X X X X X X X X

X X X SAFETY-RELATED DISPLAY INSTRUMENTATION X X REFUELING INTERLOCKS X X X X X X X X X X X PROCESS RADIATION MONITORING X X X X HIGH PRESSURE / LOW PRESSURE INTERLOCK PROTECTION X

X X X X X X X

X X X

X LEAK DETECTION X X X X X X X X X X NEUTRON MONITORING X

X X X X X X X X X ROD PATTERN CONTROL SYSTEM X X X X RECIRCULATION PUMP TRIP X SPENT FUEL POOL COOLING &

CLEANUP X

X X X X X X X X X X

X COMPONENT COOLING WATER X X FUEL POOL COOLING X

X X X X X X X X X X X

X SUPPRESION POOL TEMPERATURE X X Table 7.1-3: Identification of Safety Criteria(1) (sheet 1 of 3)

ALL OTHER SYSTEMS REQUIRED FOR SAFETY MONITORING X

X X X X X X X X X X X

X AUXILIARY BUIDLING ISOLATION X X CONTROL X X X REACTOR VESSEL INSTRUMENTATION X X RECIRCULATION FLOW CONTROL X FEEDWATER CONTROL X PRESSURE CONTROL AND TURBINE GENERATOR X CORE PERFORMANCE CONTROL SYSTEMS NOT REQUIRED MONITORING SYSTEM X X X REACTOR WATER CLEANUP X

X GASEOUS RADWASTE X X AUXILIARY BUILDING PRESSURE CONTROL FOR SAFETY X ROD CONTROL & INFORMATION X PROCESS SAMPLING Updated Final Safety Analysis Report (UFSAR)

GRAND GULF NUCLEAR GENERATING STATION

Revision 2016-00 7.1-71 10 CFR 50 APPENDIX A - GENERAL DESIGN CRITERIA GDC 5(5)

GDC 10 GDC 12 GDC 13 GDC 15 GDC 19 GDC 20 GDC 21 GDC 22 GDC 23 10 CFR 50.62 (4)

GDC 24 GDC 25 GDC 26 GDC 27 GDC 28 GDC 29 GDC 30 GDC 33 GDC 34 GDC 35 10CFR 50.34 GDC 37 GDC 38 GDC 40 GDC 41 GDC 43 GDC 1 GDC 44 GDC 46 GDC 50 GDC 54 GDC 55 GDC 56 GDC 57 GDC 60 GDC 61 GDC 63 GDC 2 GDC 64 10CFR 50.36 GDC 3 GDC 4 10CFR 50.55a X

X X

X X

X X

X X X X

X X X X X X X X REACTOR PROTECTIO SYSTEM X X X X X

X X

X X X

X X CONTAINMENT AND REACTOR X X X X X X VESSEL ISOLATION CONTROL X X X

X X

X X X

X X X X X X X X X EMERGENCY CORE COOLING X

X X X X

X MAIN STEAMLINE ISOLATION X X X X X X VALVE LEAKAGE CONTROL X X X

X X X

X X X X X X X X FEEDWATER LEAKAGE CONTROL X

X X ENGINEERED SAFETY X X X X X X X

X X X X X

X X X X COMBUSTIBLE GAS CONTROL X X X X

X X

X X X

X X RHR-CONTAINMENT SPRAY X X X X X X X X X COOLING SYSTEM X X X

X X

X X X

X X X X X X X FEATURES SYSTEMS STANDBY GAS TREATMENT X X X

X X

X X X

X X X X X X X X X SUPPRESSION POOL MAKEUP X X X

X X

X X X

X CONTROL ROOM ATMOSPHERIC X X X X X CONTROL AND ISOLATION X X X X X

X X

X X X

X X X X X X X X X X X STANDBY SERVICE WATER

---

SEE SECTION 8.3.1.2--------------------------------------------------- STANDBY POWER SYSTEM AUXILIARY X X X

X X

X X X

X X X X X X X HVAC FOR ESF AREAS SYSTEMS X X X

X X

X X X

X X X X X X X DIESEL GENERATOR AUXILIARIES X X X X

X X

X X X

X X X X X X X X REMOTE SHUTDOWN X X X X

X X X

X X X X X X X X X ALTERNATE SHUTDOWN X

SYSTEMS REQUIRED X X X X

X X REACTOR CORE ISOLATION COOLING X X X X X

X X

X X STANDBY LIQUID CONTROL X X X X

X X

X X X

X X X X REACTOR SHUTDOWN COOLING FOR SAFE SHUTDOWN X X X X X X X

X X X SAFETY RELATED DISPLAY INFORMATION X

X X

X X REFUELING INTERLOCKS X X X X

X X X X

X X X X X PROCESS RADIATION MONITORING X

X X HIGH PRESSURE / LOW PRESSURE X X INTERLOCK PROTECTION X X X

X X X

X X

X X X

X X X X X X X X X LEAK DETECTION X X X

X X

X X X

X X X X X X NEUTRON MONITORING X

X X X X X

X X X ROD PATTERN CONTROL SYSTEM X X X

X X

X X X

X X X X X RECIRCULATION PUMP TRIP X

X X X

X SPENT FUEL POOL COOLING &

X X CLEANUP X X X X X X X

X X X

X X COMPONENT COOLING WATER X X X X X X FUEL POOL COOLING X

X X

X X X X

X X SUPPRESION POOL TEMPERATURE X X X X X MONITORING ALL OTHER SYSTEMS REQUIRED FOR SAFETY X

X X Table 7.1-3: Identification of Safety Criteria(1) (sheet 2 of 3)

X X X

X X X X X

X X X X AUXILIARY BUIDLING ISOLATION CONTROL X X X REACTOR VESSEL INSTRUMENTATION X X RECIRCULATION FLOW CONTROL X FEEDWATER CONTROL X X X X X PRESSURE CONTROL AND TURBINE GENERATOR X CORE PERFORMANCE CONTROL SYSTEMS NOT REQUIRED MONITORING SYSTEM X REACTOR WATER CLEANUP X X GASEOUS RADWASTE X X X X AUXILIARY BUILDING PRESSURE CONTROL X

FOR SAFETY ROD CONTROL & INFORMATION X X X PROCESS SAMPLING RECIRCULATION PUMP TRIP - ATWS Updated Final Safety Analysis Report (UFSAR)

GRAND GULF NUCLEAR GENERATING STATION

Table 7.1-3: Identification of Safety Criteria(1) (sheet 3 of 3)

SYSTEMS REQUIRED CONTROL SYSTEMS NOT REQUIRED ENGINEERED SAFETY AUXILIARY FOR SAFE ALL OTHER SYSTEMS REQUIRED FOR SAFETY FOR SAFETY SAFETY-RELATED DISPLAY INSTRUMENTATION FEATURES SYSTEMS SYSTEMS SHUTDOWN CONTAINMENT AND REACTOR VESSEL REACTOR CORE ISOLATION COOLING REACTOR VESSEL INSTRUMENTATION RHR-CONTAINMENT SPRAY COOLING SPENT FUEL POOL COOLING &

PRESSURE CONTROL AND TURBINE MAIN STEAMLINE ISOLATION VALVE PROCESS RADIATION MONITORING HIGH PRESSURE / LOW PRESSURE FEEDWATER LEAKAGE CONTROL DIESEL GENERATOR AUXILIARIES ROD PATTERN CONTROL SYSTEM RECIRCULATION FLOW CONTROL CLEANUP AUXILIARY BUILDING PRESSURE REACTOR SHUTDOWN COOLING CONTROL ROOM ATMOSPHERIC REACTOR PROTECTIO SYSTEM EMERGENCY CORE COOLING COMBUSTIBLE GAS CONTROL SUPPRESSION POOL MAKEUP RECIRCULATION PUMP TRIP REACTOR WATER CLEANUP ROD CONTROL & INFORMATION COMPONENT COOLING WATER FUEL GENERATOR STANDBY SERVICE WATER STANDBY POWER SYSTEM STANDBY LIQUID CONTROL SYSTEM ALTERNATE SHUTDOWN REFUELING INTERLOCKS NEUTRON MONITORING POOL COOLING ISOLATION CONTROL HVAC FOR ESF AREAS REMOTE SHUTDOWN FEEDWATER CONTROL GASEOUS RADWASTE PROCESS SAMPLING SUPPRESION POOL TEMPERATURE CORE PERFORMANCE MONITORING LEAKAGE CONTROL CONTROL AND ISOLATION INTERLOCK PROTECTION LEAK DETECTION CONTROL MONITORING Updated Final Safety Analysis Report (UFSAR)

STANDBY GAS TREATMENT GRAND GULF NUCLEAR GENERATING STATION AUXILIARY BUIDLING ISOLATION CONTROL SYSTEM IEEE 279-1971 X X X X X X X X X X X X X X X X X X X X X X X X X X X IEEE 308-1971 X X X X X X X X X X X X X X X X X X X X

---

SECTION 8.3.1.2--------

IEEE 317-(8) X X X X X X X X X X X X X X X X X X X 1972/1983 IEEE STANDARDS (6) X X X X X X(9) X X X X X X X X X X X X X X X X X X X X X IEEE 323-1971 7.1-72 IEEE 334-1971(7) X IEEE 336-1971 X X X X X X X X X X X X X X X X X X X X X X X X X X IEEE 338-1971 X X X X X X X X X X X X X X X X X X X X X X X X IEEE 344-1971(1) X X X X X X X X X X X X X X X X X X X X X X X X X X X IEEE 379-1972 X X X X X X X X X X X X X X X X X X X X X X X X X X X X IEEE 384-1974 X X X X X X X X X X X X X X X X X X X X X X X IDENTIFICATION OF SAFETY CRITERIA (1) THE GRAND GULF DESIGN COMFORMS TO THE REQUIREMENTS OF (3) PROGRAM APPLICATION AS DISCUSSED IN UFSAR SECTIONS:

IEEE 344-1971 AS MODIFIED BY EISCB BRANCH TECHNICAL RG 1.26 - SECTION 3.2, APPENDIX 3A, CHAPTER 11 POSITION 10. SQRT REVIEW WAS SUBSEQUENTLY PERFORMED RG 1.60 - SECTION 3.7.1, APPENDIX 3A LBDCR 2021-022 AGAINST IEEE 344-1975. QUALIFICATION DURING THE PLANT RG 1.100 - SECTION 3.10, APPENDIX 3A OPERATING LICENSE STAGE IS IN ACCORDANCE WITH IEEE 344- (4) 10 CFR 50.44 1975. SEE SECTION 3.10.

(5) NOT APPLICABLE - REFERENCE SECTION 3.1.2.1.5 (2) REGULATORY GUIDE 1.89 IS AN ENDORSEMENT OF IEEE 323-194. SERI HAS ESTABLISHED A PROGRAM TO INCORPORATE (6) SOME OF THESE COMPONENTS WHICH ARE TESTED IN REGULATORY GUIDE 1.89 REQUIREMENTS FOR THOSE ITEMS ACCORDANCE WITH IEEE 323-1971 ALSO MEET THE MORE COVERED BY 10 CFR 50.49. STRINGENT REQUIREMENTS OF IEEE 323-1974.

(7) IEEE 334-1974 - REFERENCE APPENDIX 3.9.3A (8) IEEE 317-1983 - APPLICABLE ONLY TO FIBER OPTIC PENETRATION ASSEMBLIES.

(9) Equipment was removed from the EQ program scope in accordance with 10CFR50.44 and RG 1.7

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-4: DELETED 7.1-73 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-5: DELETED 7.1-74 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-6: DELETED 7.1-75 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-7: DELETED 7.1-76 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-8: DELETED 7.1-77 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-9: DELETED 7.1-78 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-10: REACTOR PROTECTION SYSTEM AND DEENERGIZE-TO-OPERATE SENSOR SUFFIX LETTERS AND DIVISION ALLOCATION Total Number Sensors Division 1 Division 2 Division 3 Division 4 Trip Trip Trip Trip Logic A Logic B Logic C Logic D 4 A B C D 8 A,E B,F C,G D,H 16 A,E,J,N B,F,K,P C,G,L,R D,H,M,S Division 1 Division 2 Division 3 Division 4 7.1-79 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-11: FOUR DIVISION GROUPING OF THE NEUTRON MONITORING SYSTEM UTILIZING FOUR DRYWELL PENETRATIONS Drywell Penetrations A B C D Wireway A1 B1 A2 B2 Neut. mon. chan.

APRM 1 2 3 4 IRM A&E B&F C&G D&H RPS Trip A1 B1 A2 B2 NOTES (1) Penetrations across top of table for 4-penetration grouping carry cables for neutron monitoring channels shown, and each channel serves RPS trip logic directly below it.

(2) Horizontal zoning represents LPRM cable and amplifier distribution to APRMs from various penetrations; e.g.,

penetration B carries cables for LPRMs going to APRM channels 1 and 2 (see Figure 7.1-1).

7.1-80 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-12: EMERGENCY CORE COOLING SYSTEM, CORE STANDBY COOLING, AND RCIC SENSOR SUFFIX LETTERS AND DIVISION ALLOCATION ENERGIZE-TO-OPERATE Division 1 Division 2 Division 3 Sensor Suffix Sensor Suffix Sensor Suffix Letters Letters Letters A, E B, F C,G* L,R*

Operate ECCS A Operate ECCS B and RCIC directly and used for RCIC initiation through isolation devices

• Sensors C and G may utilize common process taps Sensors L and R may utilize common process taps 7.1-81 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.1-13: SYSTEM AND SUBSYSTEM SEPARATION Low-pressure core RHR "B" and RHR "C" High-pressure core spray and RHR A spray Automatic Automatic Standby service depressurization* depressurization* water "C "A" "B" Outboard CRVICS valves Inboard CRVICS valves Standby service Standby service water A water B RCIC

• The A and B circuits to each ADS valve inside the containment are run in independent and separate rigid conduit.

7.1-82 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-83 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-84 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Figure 7.1-3 Deleted 7.1-85 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-86 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-87 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-88 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-89 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-90 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-91 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.1-92 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2 REACTOR TRIP SYSTEM - (REACTOR PROTECTION SYSTEM) -

INSTRUMENTATION AND CONTROLS 7.2.1 Description 7.2.1.1 System Description 7.2.1.1.1 Identification The reactor protection system (RPS) includes the motor-generator power supplies, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor. It also includes outputs to the core performance monitoring system although this system is not part of the reactor protection system. Trip signals are received from the neutron monitoring system; however, other portions of this system are treated in Sections 7.5, 7.6, and 7.7.

7.2.1.1.2 Classification The reactor protection system, with the exception of the motor-generator power supplies, is classified as Safety Class 2, seismic Category I and Quality Group B (Electric Safety Class 1E). The motor-generator power supplies are classified nonessential.

7.2.1.1.3 Power Sources The reactor protection system receives power from four Class 1E uninterruptible power supplies (see Section 8.3.1.1.5.7) and two high inertia ac motor-generator sets (Figure 7.2-1). A flywheel provides high inertia sufficient to maintain voltage and frequency within 5 percent of rated values for at least 1 second following a total loss of power to the drive motor.

Alternate power is available to either reactor protection system bus. An interlock is provided to prevent paralleling of a motor-generator set with the alternate supply. Two redundant engineered safety feature (ESF) batteries supply dc power to the backup scram valve solenoids.

An electrical protection assembly (EPA) consisting of Class 1E protective circuitry is installed between the reactor protection system and each of the power sources (two reactor protection system motor/generator sets and two alternate voltage supplies).

7.2-1 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The EPA provides redundant protection to the RPS and other systems which receive power from the RPS buses by acting to disconnect the RPS from the power source circuits.

7.2.1.1.4 Equipment Design 7.2.1.1.4.1 General The reactor protection system instrumentation is divided into sensor channels, trip logics, and trip systems.

There are four or eight sensor channels for each variable. The sensor channels are designated as A, B, C, or D, and E, F, G, or H, if required. Sensor channels A(E), B(F), C(G), and D(H) are associated with trip logics A, B, C, and D, respectively, with the exception of MSIV closure where one sensor channel is associated with two trip logics.

There are four trip logics, which are designated as A, B, C, or D.

The A and C trip logics make up trip system A; the B and D trip logics make up trip system B.

The output signal from trip system A is connected to one pilot scram valve solenoid in rod groups 1, 2, 3, and 4. The output signal from trip system B is connected to the second pilot scram valve solenoid in rod groups 1, 2, 3, and 4.

During normal operation, all sensor trip and logic trip contacts essential to safety are closed; channels, logics, and actuators are energized. In contrast, however, trip contact bypass channels consist of normally open contact networks.

Table 7.2-1 lists the hardware implementation information on the function performed for this system. Figure 7.2-2 summarizes the reactor protection system signals that cause a scram.

The functional arrangement of sensor channels is shown in Figures 7.2-3, 7.2-6, 7.2-7, 7.2-8, and 7.2-12. Trip logics are shown in Figure 7.2-5. Trip system logics are shown in Figure 7.2-4. When a sensor channel operates, its relay de-energizes in the associated trip logic. The trip logic de-energizes its associated trip system, which de-energizes the scram pilot valve solenoids associated with that trip system. However, the other scram pilot valve solenoid for each rod must also be de-energized before the rods will be scrammed.

7.2-2 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

There is one pilot scram valve with two solenoids and two scram valves for each control rod, arranged as shown in Figure 7.2-1.

Each pilot scram valve is solenoid operated, with the solenoids normally energized. The pilot scram valve controls the air supply to the scram valves for each control rod. With either pilot scram valve solenoid energized, air pressure holds the scram valves closed. The scram valves control the supply and discharge paths for control rod drive water. Figure 7.1-1 shows how the scram pilot valve solenoids for each control rod are controlled by the trip system logics.

When the necessary trip systems are tripped for one group of scram valves, air is vented from the scram valves and allows control rod drive water to act on the control rod drive piston. Thus, all control rods are scrammed. The water displaced by the movement of each rod piston is vented into a scram discharge volume.

To restore the reactor protection system to normal operation following any single trip system trip or a scram, the trip system(s) must be reset manually. After a 10-second delay, reset is possible only if the conditions that caused the trip system trip have been cleared. The trip systems are reset by operating switches in the control room. Figure 7.2-5 shows the functional arrangement of reset contacts for one trip system.

There are three dc solenoid operated backup scram valves that provide a second means of controlling the air supply to the scram valves for all control rods. When the solenoids for all three backup scram valves are energized, the backup scram valves vent the air supply for the scram valves. This action initiates insertion of any withdrawn control rods regardless of the action of the scram pilot valves. The backup scram valves are energized (initiate scram) when the necessary trip system logics are tripped.

7.2.1.1.4.2 Initiating Circuits The reactor protection system scram functions, shown in Figure 7.2-2, are discussed in the following paragraphs.

a. Neutron Monitoring System Neutron monitoring system instrumentation is described in Section 7.6. Figure 7.2-6 clarifies how the neutron monitoring system channels and neutron monitoring system logic circuitry make up the reactor protection system 7.2-3 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) sensor channel. The neutron monitoring system channels are considered to be part of the neutron monitoring system; however, the neutron monitoring system logic circuitry is considered to be part of the reactor protection system sensor channel. Each neutron monitoring system logic receives signals from one intermediate range monitor (IRM) channel and one average power range monitor (APRM) channel. The position of the mode switch determines which input signals will affect the output signal from the logic.

The neutron monitoring system logic circuitry is arranged so that failure of any one logic cannot prevent the initiation of a high neutron flux scram. As shown in Figure 7.2-6, there are eight neutron monitoring system logics associated with the reactor protection system. Each reactor protection system sensor channel receives inputs from two neutron monitoring system logics.

1. IRM System Logic The IRMs monitor neutron flux between the upper portion of the source range monitor (SRM) range to the lower portion of the APRM subsystems. The IRM detectors can be positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor reaches a predetermined power level within the power range. The IRM is able to generate a trip signal that can be used to prevent fuel damage resulting from abnormal operational transients that occur while operating in the intermediate power range.

The IRM is divided into two groups of IRM channels arranged in the core as shown in Figure 7.6-5. Two IRM channels are associated with each reactor protection system sensor channel. Two IRM channels and their trip auxiliaries from each group are installed in one bay of a cabinet; the remaining two channels are installed in a separate bay of the cabinet. Full-length side covers isolate the cabinet bays. The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring.

7.2-4 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Each IRM channel includes four trip circuits as standard equipment. One trip circuit is used as an instrument trouble trip. It operates on three conditions: (1) when the high voltage drops below a preset level, (2) when one of the modules is not plugged in, or (3) when the OPERATE/CALIBRATE switch is not in the OPERATE position. Each of the other trip circuits can be specified to trip when preset downscale or upscale levels are reached.

The trip functions actuated by the IRM trips are indicated in Table 7.6-4. The reactor mode switch determines whether IRM trips are effective in initiating a rod block or a reactor scram (Figure 7.2-6). With the reactor mode switch in REFUEL or STARTUP, an IRM upscale or inoperative trip signal actuates a neutron monitoring system trip of the reactor protection system. Only one of the IRM channels must trip to initiate a neutron monitoring system trip of the associated reactor protection system trip system.

The suitability of IRM detector locations can be determined from Figure 7.6-5, IRM Channel Arrangement in the Core, and from the environmental conditions described in subsection 3.11.2. Additional information can be obtained from Figures 5.2-6, 5.2-7, and 5.2-8, Nuclear Boiler System P&ID.

2. APRM System Logic The APRM channels receive input signals from the LPRM channels and provide a continuous indication of average reactor power from a few percent to greater than rated reactor power.

The APRM subsystem has sufficient redundant channels to meet industry and regulatory safety criteria.

Under the worst permitted input LPRM bypass conditions, the APRM subsystem is capable of generating a trip scram signal before the average neutron flux increases to the point that fuel damage is probable. The Oscillation Power Range Monitor (OPRM), a sub-function of the APRM, is also capable of generating a trip scram signal to terminate 7.2-5 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) reactor operation in states that could result in development of power oscillations due to neutronic/

thermal-hydraulic instability.

The outputs from all four APRM channels go to four independent 2-out-of-4 voter (logic) modules. Each of the 2-out-of-4 logic modules interfaces with one of the four RPS input channels (A1, A2, B1, and B2). The trip outputs from all four APRM channels are sent to each 2-out-of-4 logic module, such that each input sent to RPS is a voted result of all four APRM channels. A trip output to RPS is provided when at least two of the same type of trip inputs (APRM or OPRM) is in a tripped state. Table 7.6-6 itemizes the APRM trip functions. Any one APRM can initiate a rod block, regardless of the Reactor Mode switch position. The APRM upscale rod block and the thermal power scram trip set points vary as a function of reactor recirculation driving loop flow. The APRM signal for the thermal power scram trip is passed through a filter, which is a 6 second time constant to simulate thermal power. A faster response time APRM upscale trip has a fixed set point, not variable with recirculation flow. Any APRM upscale or inoperative trip from any one unbypassed APRM channel will result in a ²half-trip² in all four 2-out-of-4 logic modules, but no trip inputs to either RPS trip system. A trip of the APRM Neutron Flux - High, Setdown; Fixed Neutron - High; INOP; or Flow Biased Stimulated Thermal Power - High function from any two unbypassed APRM channels will result in a full trip in each 2-out-of-4 logic module, which in turn results in two trip inputs into each RPS trip system logic channel (A1, A2, B1, and B2). The system allows the operator to bypass the trips from one APRM channel, but no voter channels can be bypassed. A simplified circuit arrangement is shown in Figure 7.6-12.

In addition to the IRM upscale trip, a fast response APRM trip function with a set point of 15% power is active when the mode switch is not in the "RUN" position.

7.2-6 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Neutron monitoring system channel operating bypasses are described in subsection 7.2.1.1.4.4.1.

Diversity of trip initiation for unusual excursions in reactor power is provided by the neutron monitoring system trip signals and reactor vessel high-pressure trip signals. An increase in reactor power will initiate protective action from the neutron monitoring system as discussed in the above paragraphs. This increase in power will cause reactor pressure to increase due to a higher rate of steam generation with no change in turbine control valve position resulting in a trip from reactor vessel high pressure. Reactor vessel high pressure is an independent variable and for this condition provides diverse trip initiating circuits for the protective action (scram).

The suitability of LPRM detector locations can be determined from Figures 7.2-9 and 7.2-10, LPRM Channel Arrangement in the Core and the APRM Channel Assignments, and the environmental condition for the RPS described in subsection 3.11.2.1.1. Additional information can be obtained from Figures 5.2-6, 5.2-7, and 5.2-8, Nuclear Boiler System P&ID.

b. Reactor Pressure Reactor pressure is measured at four physically separated locations. A pipe from each location is routed through the drywell and terminates in the containment. One locally mounted, nonindicating pressure transmitter monitors the pressure in each pipe. Cables from these transmitters are routed to the control room. Each transmitter provides a high-pressure signal to one sensor channel as shown in Figure 7.2-3. The physical separation and the signal arrangement assure that no single physical event can prevent a scram caused by nuclear system high pressure.

The suitability of reactor pressure sensor locations can be determined from the instrument location drawings, provided by reference in Section 1.7, and the environmental conditions for the RPS described in 7.2-7 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) subsection 3.11.2. The piping arrangement of the reactor pressure sensors is shown on Figure 5.2-7, Nuclear Boiler System P&ID.

The discussion of diversity for reactor vessel high pressure is provided in subsection 7.2.1.1.4.5.

c. Reactor Vessel Low Water Level Reactor vessel low water level signals are initiated from level transmitters which sense the difference between the pressure due to a constant reference column of water and the pressure due to the actual water level in the vessel.

The transmitters are arranged on four sets of taps in the same way as the nuclear system high-pressure transmitters (Figure 7.2-3). The four pairs of lines terminate outside the drywell and inside the containment; they are physically separated from each other and tap off the reactor vessel at widely separated points. Other systems sense pressure and level from these same pipes. The physical separation and signal arrangement assure that no single physical event can prevent a scram due to reactor vessel low water level.

Diversity of trip initiation for breaks in the primary pressure boundary is provided by reactor vessel low water level trip signals and high drywell pressure trip signals.

If a break in the primary system boundary were to occur, a volume of primary coolant would be released to the drywell in the form of steam. This release would cause reactor vessel water level to decrease and drywell pressure to increase resulting in independent protective action initiation. Drywell high pressure is an independent variable and for this condition provides diverse trip initiating circuits for the protective action (scram).

The suitability of reactor vessel low water level sensor locations can be determined from the instrument location drawings provided by reference in Section 1.7, and the environmental conditions for the RPS described in subsection 3.11.2. The piping arrangement of the reactor vessel low water level sensors is shown on Figure 5.2-7, Nuclear Boiler System P&ID.

d. Turbine Stop Valve 7.2-8 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Turbine stop valve closure inputs to the reactor protection system are generated from pressure transmitters and trip units which sense hydraulic trip fluid pressure which is indicative of stop valve motion away from fully open. Two pressure transmitters and trip units are provided for each turbine stop valve. The trip units will actuate before the stop valves are more than ten percent closed. The pressure transmitters and trip units are electrically isolated from each other and from other plant equipment. Either of the two channels associated with one stop valve can signal valve closure, as shown in Figure 7.2-7. The logic is arranged so that closure of three or more valves initiates a scram.

Turbine stop valve closure trip channel operating bypasses are described in subsection 7.2.1.1.4.4.2.

Diversity of trip initiation for increases in reactor vessel pressure due to termination of steam flow by turbine stop valve or control valve closure is provided by reactor vessel high-pressure trip signals. A closure of the turbine stop valves or control valves at steady-state conditions would result in an increase in reactor vessel pressure. If a scram was not initiated from these closures, a scram would occur from high reactor vessel pressure. Reactor vessel high pressure is an independent variable and for this condition provides diverse trip initiating circuits for the protective action (scram).

The suitability of the turbine stop valve closure pressure transmitter locations can be determined from the instrument location drawings provided by reference in Section 1.7, and the environmental conditions for the RPS described in subsection 3.11.2.

e. Turbine Control Valve Turbine control valve fast closure inputs to the reactor protection system are generated from pressure transmitters and trip units which sense trip fluid pressure which is indicative of fast control valve closure. These pressure transmitters and trip units provide signals to the reactor protection system in the same way as the nuclear system 7.2-9 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) high pressure transmitters in Figure 7.2-3. If trip fluid pressure is lost, a turbine control valve fast closure scram is initiated.

Turbine control valve fast closure trip channel operating bypasses are described in subsection 7.2.1.1.4.4.2.

The discussion of diversity for turbine control valve fast closure is the same as that for turbine stop valve closure provided in subsection 7.2.1.1.4.5 and paragraph d. above.

The suitability of the turbine control valve fast closure sensor locations can be determined from the instrument location drawings provided by reference in Section 1.7, and the environmental conditions for the RPS described in subsection 3.11.2.

f. Main Steam Line Isolation Valves Position switches mounted on the eight main steam line isolation valves signal main steam line isolation valve closure to the reactor protection system. Each of the double-pole, single-throw switches is set to provide the earliest positive indication of closure (the set point is provided in the Technical Specifications). Both of the channels associated with each isolation valve signal valve closure. To facilitate the description of the logic arrangement, the position-sensing channels for each valve are identified and assigned to reactor protection system trip logics as follows:

Position-Valve Sensing Trip Identification Channels Logics Main steam line F022A A, B A, inboard valve (1) and (2)

Main steam line F028A A, B A, outboard valve (1) and (2)

Main steam line F022B B, C B, inboard valve (1) and (2) 7.2-10 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Position-Valve Sensing Trip Identification Channels Logics Main steam line F028B B, C B, outboard valve (1) and (2)

Main steam line F022C C, D C, inboard valve (1) and (2)

Main steam line F028C C, D C, outboard valve (1) and (2)

Main steam line F022D A, D D, inboard valve (1) and (2)

Main steam line F028D A, D D, outboard valve (1) and (2)

Thus, each trip logic receives signals from the valves associated with two steam lines (see Figure 7.2-8). The arrangement of signals within each trip logic requires closing of at least one valve in each of the steam lines associated with that trip logic to cause a trip of that logic. For example, closure of the inboard valve of steam line A and the outboard valve of steam line B causes a trip of trip logic B. This in turn causes a trip of trip system B. However, no scram occurs because a trip of both A and B trip systems is required for a scram. In no case does closure of two valves or isolation of two steam lines cause a scram due to valve closure. Closure of one valve in three or more steam lines is required to cause a scram.

Wiring for the position sensing channels from one position switch is physically separated in the same way that wiring to duplicate sensors on a common process tap is separated.

The wiring for position-sensing channels feeding the different trip logics of one trip system is also separated.

Main steam line isolation valve closure channel operating bypasses are described in subsection 7.2.1.1.4.4.3.

7.2-11 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Diversity of trip initiation for increases in reactor vessel pressure due to main steam isolation is provided by reactor vessel high pressure trip signals. A closure of the MSIVs at steady state conditions would cause an increase in reactor vessel pressure. If a scram were not initiated from MSIV closure, a scram would occur from high reactor vessel pressure. Reactor vessel high pressure is an independent variable and for this condition provides diverse trip initiating circuits for the protective action (scram).

The suitability of the main steam line isolation valve closure position switch locations can be determined from the instrument location drawings provided by reference in Section 1.7, and the environmental conditions for the RPS described in subsection 3.11.2.

g. Scram Discharge Volume Four nonindicating level transmitters provide scram discharge volume high water level inputs to the reactor protection system. Each transmitter provides an input to one trip logic (Figure 7.2-3). Additionally, four float type level switches also provide scram discharge volume high water level inputs to the reactor protection system which are redundant to the signals provided by the level transmitters and their associated indicating switches.

Each level switch provides a trip signal to a sensor trip channel. Each trip logic in turn receives input from a level transmitter sensor trip channel and a level switch sensor trip channel (see figure 7.2-5). Both the level transmitter and the level switch have identical level settings. The transmitters and level switches are arranged so that no single event will prevent a reactor scram caused by scram discharge volume high water level. With the predetermined scram setting, a scram is initiated when sufficient capacity still remains in the tank to accommodate a scram. Both the amount of water discharged and the volume of air trapped above the free surface during a scram were considered in selecting the trip setting. Diversity is provided by separate instrument sensing lines, tap locations and power supplies for the level switches and level transmitters in each scram discharge instrument volume. This instrumentation arrangement and logic scheme minimizes the potential that 7.2-12 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) either a line blockage or a common mode failure can prevent a reactor scram on high scram discharge instrument volume water level.

Scram discharge volume water level channel operating bypasses are described in subsection 7.2.1.1.4.4.4.

The scram discharge volume function is to receive water which is discharged from the control rod drives during a scram. If at the completion of the scram the level of water in the scram discharge volume is greater than the trip setting, the RPS cannot be reset until the discharge volume has been drained. The trip setting has been selected such that sufficient volume would be available to receive a full discharge of CRD water in the event that the scram discharge volume high level trip occurs and subsequent scram protection is required.

The suitability of the scram discharge volume water level provided by reference in Section 1.7, sensor locations can be determined from the instrument location drawings and the environmental conditions for the RPS described in subsection 3.11.2. The piping arrangement of the scram discharge volume level sensors is shown on Figure 4.6-7, CRD Hydraulic System P&ID.

h. Drywell Pressure Drywell pressure is monitored by four nonindicating pressure transmitters mounted on instrument racks outside the drywell in the containment. Instrument lines that terminate in the containment connect the transmitters with the drywell interior. The transmitters are physically separated and electrically connected to the reactor protection system so that no single event will prevent a scram caused by drywell high pressure. Cables are routed from the transmitters to the main control room. Each transmitter provides an input to one trip logic (see Figure 7.2-3).

The discussion of diversity for high drywell pressure is provided in subsection 7.2.1.1.4.5.

The drywell pressure sensors are located on instrument racks outside the drywell and inside the containment.

These racks also house the reactor vessel level and 7.2-13 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) pressure sensors. Instrument location drawings, provided by reference in Section 1.7, show the rack locations. The environmental conditions of the RPS are described in subsection 3.11.2.

i. Deleted

j. Reactor Vessel High Water Level High water level indicates an increase in feedwater flow and an impending power increase. The high-water-level trip causes a scram prior to significant power increase, limiting neutron flux and thermal transients so that the design basis is satisfied.

k. Manual Scram A scram can be initiated manually. There are four scram buttons, one armed pushbutton switch for each trip logic (A, B, C, D). To initiate a manual scram, at least two buttons must be armed and depressed. The manual scram buttons are arranged in two groups. One group contains the A and C switches (trip system A) and one group the B and D switches (trip system B). The switches in each group are located close enough to permit the simultaneous manual scram of both trip systems. By operating the manual scram button for one trip logic at a time and then resetting that logic, each trip system can be tested for manual scram capability. The reactor operator also can scram the reactor by interrupting power to the reactor protection system or by placing the mode switch in its shutdown position.

l. Mode Switch in SHUTDOWN The reactor mode switch initiates a scram when the keylocked switch is placed in the SHUTDOWN position. The four channels on the mode switch (A, B, C and D) are separated by steel barriers within a steel can, as described in subsection 7.2.1.1.4.7. The mode switch logic is the same as the manual scram (de-energizing the same logic device). A short time delay logic device automatically removes the scram signal (i.e., re-energizes the circuit to bypass the shutdown scram) on the fail-safe logic, as described in subsection 7.2.1.1.4.4.5.

7.2-14 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The "mode switch in SHUTDOWN" scram is not considered a protective function, as discussed in subsection 7.2.1.1.6.3 paragraph 1. Therefore diversity and redundancy of trip function are not required (but may be considered a diverse backup to manual scram).

Bypasses of other scram initiations are activated by the mode switch (as described in subsection 7.2.1.1.4.4),

namely the neutron monitoring system trips, main steam line isolation trip, reactor high water level, and scram discharge volume. The mode switch contacts energize logic devices, which bypass the sensor channels connected to RPS trip logics. The circuits are designed to be normally energized (fail-safe on loss of power) and single failure tolerant.

Interlocks between the reactor mode switch and the other systems are discussed in subsections 7.2.1.1.4.4.7 and 7.2.1.1.6.2.1.

The APRM upscale trip for low power operation versus that for high power operation is selected by the mode switch being out of or in the "RUN" position, respectively. Refer to the Technical Specifications for the APRM set points.

The main steam line isolation trip on low turbine inlet pressure is bypassed when in "STARTUP & HOT STANDBY",

"REFUEL" or "SHUTDOWN" modes. Refer to subsection 7.3.1.1.2.4.1.5, "Containment and Reactor Vessel Isolation Control System."

Mode switch functions are summarized on Table 7.2-7.

7.2.1.1.4.3 Logic The basic one-out-of-two-twice logic arrangement of the reactor protection system is illustrated in Figure 7.2-1. Each trip system receives signals from trip logics as shown in Figures 7.2-4 and 7.2-5. Each trip logic receives input signals from at least one sensor channel for each monitored variable. At least four channels for each monitored variable are required, one for each trip logic.

Sensor channel and trip logic relays are fast-response, high-reliability relays. Power relays for interrupting the scram pilot valve solenoids have high current carrying capabilities and are 7.2-15 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) highly reliable. All reactor protection system relays are selected so that the continuous load will not exceed 50 percent of the continuous duty rating. The system response time, from the opening of a sensor contact up to and including the opening of the trip actuator contacts, is less than 50 milliseconds. The time requirements for control rod movement are discussed in subsection 4.6.1.1.2.5.3, Reactivity Control Systems.

The time response from RPS sensor trip to actuators deenergized is provided in the Technical Specifications.

Each trip logic provides an input into the respective trip system as shown in Figure 7.2-4. Thus, either of the two trip system trip logics can produce a trip of the associated scram pilot valve solenoid. The scram pilot solenoid logic is a one-out-of-two arrangement. To produce a scram, both scram pilot solenoids for each scram pilot valve must be tripped. The overall logic of the reactor protection system trip function is termed one-out-of-two taken twice.

Diversity of variables is provided for the RPS but not among the logic circuits. One-out-of-two logic is utilized, with the sensor channels and the trip logics aligned. Diversity would imply the use of different types of logic in each channel of logic.

Scram reset is provided by the use of four independent reset switches, one in each of the four redundant trip logics. The reset is effected in conjunction with auxiliary relays. If a single channel is tripped, the reset is accomplished immediately upon operation of the reset switch. On the other hand, if a reactor scram condition is present, manual reset is prohibited for a 10-second period to permit the control rods to achieve their fully inserted position.

Scram reset redundancy is provided by use of four reset switches.

Actuation of both switches for one trip system is the minimum requirement for reset, following a scram and 10 second time delay. The use of four reset switches ensures that each RPS trip logic is reset and that the trip condition has cleared.

7.2.1.1.4.4 Scram Operating Bypasses A number of manual and automatic scram bypasses are provided to accommodate the varying protection requirements that depend on reactor conditions.

7.2-16 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

All manual bypass switches are in the control room, under the direct control of the control room operator. The bypass status of trip system components is continuously indicated in the control room.

7.2.1.1.4.4.1 Neutron Monitoring System Bypasses for the neutron monitoring system channels are described below.

The neutron monitoring scram sensor trip contacts for IRM and APRM can be bypassed by hand operated selector switches located on the reactor control benchboard in the control room. A single APRM channel (1, 2, 3, or 4) may be bypassed via the APRM bypass switch, which is an optical joystick.

Bypassing IRM channels is controlled by two selector switches.

One switch controls channels A, C, E, and G while the second switch controls channels B, D, F, and H. Each selector switch can bypass only one channel at a time.

Bypassing either an APRM or an IRM channel will not inhibit the neutron monitoring system from providing protective action when required.

The NMS operating bypasses are controlled by the reactor mode switch located on the operator control console in the control room. When the reactor mode switch is in the "RUN" mode, the IRM trips are bypassed; protection is provided by the APRM trips.

Refer to the Technical Specifications for NMS trips.

7.2.1.1.4.4.2 Turbine Stop Valve and Turbine Control Valve Fast Closure The turbine control valve fast closure scram and turbine stop valve closure scram are automatically bypassed if reactor power is low (below the bypass setpoint), as indicated by the Neutron Monitoring System. Closure of these valves below a low initial power level does not threaten the integrity of any radioactive material release barrier. Turbine control valve fast closure and turbine stop valve closure trip bypass is effected by four independent reactor power signals associated with the four divisions of the Power Range Neutron Monitoring System. Any one channel in a bypass state produces a control room annunciation.

No single failure of a transmitter can prevent a turbine stop valve closure scram or turbine control valve fast closure scram.

7.2-17 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

In addition, this bypass is automatically removed when reactor power exceeds the bypass reset point. This reset set point established to ensure the bypass is removed prior to reactor power exceeding the Analytic Limit 35.4 percent of rated power.

Reactor power is sensed by four physically separate and independent divisions of the Power Range Neutron Monitoring System. Redundancy has been achieved by connecting one reactor power output signal in parallel with each of the turbine stop valve and turbine control valve fast closure trip contacts in each of the four scram trip logics.

7.2.1.1.4.4.3 Main Steam Isolation Valves At plant shutdown and during initial plant startup, a bypass is required for the main steam line isolation valve closure scram trip in order to properly reset the reactor protection system.

This bypass has been designed to be in effect when reactor pressure is less than normal reactor operating pressure and the mode switch is in the SHUTDOWN, REFUEL, or STARTUP position. The bypass allows plant operation when the main steam line isolation valves are closed during low power operation. The bypass is removed when the mode switch is placed in the RUN position.

7.2.1.1.4.4.4 Scram Discharge Volume Level The scram discharge high-water-level trip bypass is controlled by the manual operation of four keylocked bypass switches, one for each channel, and the keylocked mode switch. The mode switch must be in the SHUTDOWN or REFUEL position. Four bypass channels emanate from the four banks of the RPS mode switch and are connected into the RPS logic. This bypass allows the operator to reset the reactor protection system scram relays so that the system is restored to operation allowing the operator to drain the scram discharge volume. Resetting the trip actuators opens the scram discharge volume vent and drain valves. An annunciator in the main control room indicates the bypass condition.

7.2.1.1.4.4.5 Mode Switch in Shutdown The scram initiated by placing the mode switch in SHUTDOWN is automatically bypassed after a short time delay. The bypass allows the control rod drive hydraulic system valve lineup to be restored to normal. An annunciator in the control room indicates the bypassed condition.

7.2-18 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Redundancy of the operating bypass with the mode switch in SHUTDOWN is provided by four separate time delay relays connected in a manner which provides redundancy of the bypass operation, but will not inhibit the scram initiation.

7.2.1.1.4.4.6 Maintenance, Calibration, or Test Bypasses Each reactor scram sensor can be removed for maintenance, test, or calibration.When a channel is removed from service, annunciation of the administrative tripping of one of the four channels or alarming of the channel bypass is provided in the control room.

Individual channels for main steam line isolation valve closure, drywell high pressure, reactor vessel high pressure, reactor vessel low water level, and CRD scram discharge volume high water level are administratively tripped when any one sensor is removed for maintenance, test, or calibration.

An individual channel for neutron monitoring (APRM and IRM) trips can be manually bypassed during any mode of operation. Each APRM and IRM bypass is indicated by a light in the control room.

Main steam line isolation valve closure sensors may be removed from service during operation while the mode switch is in the RUN mode, but this causes a channel trip to occur, and is annunciated in the control room.

Turbine stop valve closure and turbine control valve fast closure sensors may be removed from service during operation. This results in an administratively controlled trip of the sensor channel and annunciation of a logic trip in the control room.

Administrative controls during maintenance, test, and calibration are specified in the individual maintenance, test, and calibration procedure and in the plant administration procedure manual. A discussion of the bypass indication is provided in subsection 7.2.2.1.2.3.1.13.

7.2.1.1.4.4.7 Interlocks The scram discharge volume high-water-level trip bypass signal interlocks with the reactor manual control system to initiate a rod block. The interlock is performed using isolated relay contacts so that no failure in the control system can prevent a scram.

7.2-19 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Reactor vessel low water level, reactor vessel pressure, and drywell high pressure signals are shared with the containment and reactor vessel isolation control system. The sensors feed relays in the reactor protection system whose contacts interlock with the containment and reactor vessel isolation control system.

A discussion of the neutron monitoring system interlocks to rod block functions is provided in subsection 7.6.1.6.

The reactor mode switch has interlocks to other than the reactor protection system. These interlocks are discussed in subsections 7.6.1.1, Refueling Interlocks, 7.3.1.1.9.4, Suppression Pool Make-up, 7.3.1.1.2.4.1.5.6, MSIV Trip on Turbine Inlet Low Pressure, 7.6.1.5.6 and Table 7.6-6, APRM Trips.

7.2.1.1.4.5 Redundancy and Diversity Instrument piping into the reactor vessel is routed through the drywell wall and terminates inside the containment. Instruments mounted on instrument racks in the containment sense reactor vessel pressure and water level information from this piping.

Valve position switches are mounted on valves from which position information is required. The sensors for reactor protection system signals from equipment in the turbine building are mounted locally. The four Class 1E uninterruptible power systems and two motor-generator sets that supply power for the reactor protection system are located in areas where they can be serviced during reactor operation. Cables from sensors and power cables are routed to four reactor protection system cabinets in the control room. One cabinet is also used for two aligned sensor channels and trip logics.

The redundancy requirements for the RPS have been met by the utilization of physically separate sensor taps, sensing lines, sensors, sensor rack locations, cable routing and termination in four separate panels in the control room. The use of separate sensors for each RPS variable feeding each trip logic and the use of two trip logics per scram pilot valve solenoid achieves redundancy of the RPS system. For additional information on redundancy of RPS subsystems, refer to subsection 7.2.1.1.4.2, paragraphs a. through h.

No redundancy of the RPS power supply is provided. There are four Class 1E uninterruptible power systems and two M-G sets which supply electrical power. Each of the M-G sets powers two channels of scram solenoids and trip logics with the exception of the 7.2-20 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) sensor trip channels of drywell high pressure, reactor vessel high pressure, reactor vessel low water level, reactor vessel high water level, scram discharge volume high water level, and trip channel scram sensors. These parameters have four channels, with each channel powered from an independent Class 1E uninterruptible power supply (division 1, 2, 3 and 4). A loss of one M-G set or one division of Class 1E uninterruptible power will not inhibit protective action nor cause a scram.

Functional diversity is provided by monitoring independent reactor vessel variables. Pressure, water level, and neutron flux are all independent and are separate inputs to the system. Also, main steam line isolation valve closure, turbine stop valve closure, and turbine control valve fast closure are anticipatory of a reactor vessel high pressure and are separate inputs to the system.

Diversity of variables for main steam line breaks outside the drywell, which initiate main steam line isolation and, in turn, reactor trip initiation, is covered in subsection 7.3.1.1.2.4.1.3.5.

Other leaks outside the drywell are detected by sump levels. The leak detection signals have no reactor trip function.

Additional discussions of diversity of RPS variables are provided in subsection 7.2.1.1.4.2, paragraphs a. through h.

7.2.1.1.4.6 Actuated Devices The actuator logic opens when a trip signal is received, and de-energizes the scram valve pilot solenoids. There are two pilot solenoids per control rod. Both solenoids must de-energize to bleed the instrument air from and open the inlet and outlet scram valves to allow drive water to scram a control rod. One solenoid receives its signal from one trip system and the other from the other trip system. The failure of several control rods to scram will not prevent a complete shutdown.

The instrument air system provides support to the RPS by maintaining the air-operated scram valve closed until a scram is required.

The individual control rods and their controls are not part of the reactor protection system. For further information on the scram valves and control rods see Section 4.6.

7.2-21 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The scram pilot valve solenoids are supplied from the 120 V ac RPS MG Sets A and B.

In addition to the two scram valves for each control rod drive, there are three backup scram valves which are used to vent the common header for all control rods. The backup scram valves are energized to initiate venting and are individually supplied with 125 V dc power from the plant batteries. Any use of plant instrument air system for auxiliary use is so designed that a failure of the air system will cause a safe direction actuation of the safety device.

7.2.1.1.4.7 Separation The terms "conduit," "wireway," and "raceway" refer to protective routing devices for cable and wiring. With regard to the separation criteria specified in IEEE Standard 384-1977, "conduit," "wireway," and "raceway" are equivalent. The terms are used interchangeably in Section 7.2 of the FSAR. This terminology is consistent with definition specified in IEEE Standard 384-1977.

Four independent sensor channels monitor the various process variables listed in subsection 7.2.1.1.4.2. The sensor devices are separated such that no single failure can prevent a scram.

All protection system wiring outside the control system cabinets is run in rigid metal wireway. Physically separated cabinets or cabinet bays are provided for the four scram trip logics. The electrically separate arrangement of RPS sensors mounted in local racks is shown in Figure 7.2-3. In situ locations for local RPS racks and panels are shown on the instrument location drawings provided by reference in Section 1.7. Cable routing from sensor to control room panel is shown in raceway plans, provided by reference in Section 1.7. The criteria for separation of sensing lines and sensors is discussed in subsection 7.1.2.2.

The mode switch, scram discharge volume high-water-level trip bypass switches, scram reset switches, and manual scram switches are all mounted on one control console. Each device is mounted in a metal enclosure and has a sufficient number of barrier devices to maintain adequate separation. Conduit is provided from the metal enclosures to the point where adequate physical separation can be maintained without barriers.

The outputs from the trip systems to the scram valves are run in four wireways.

7.2-22 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The four wireways match the four scram groups shown in Figure 7.2-

1. The groups are selected so that the failure of one group to scram will not prevent a reactor shutdown.

To gain access to those calibration and trip setting controls located outside the control room, operations personnel must remove a cover plate, access plug, or sealing device before any trip settings can be adjusted.

Reactor protection system inputs to annunciators, recorders, and the computer are arranged so that no malfunction of the annunciating, recording, or computing equipment can functionally disable the reactor protection system. Direct signals from reactor protection system sensors are not used as inputs to annunciating or data logging equipment. Electronic isolators are provided between the primary signal and the information output.

In addition, alternate separation devices (relays providing coil to contact or contact to contact separation) are utilized to provide adequate separation on the trip system relays and sensor channel/trip logic relays.

7.2.1.1.4.8 Testability The reactor protection system can be tested during reactor operation by five separate tests.

The first of these is the manual scram test. Depressing the manual scram button for one trip logic will de-energize the actuators, opening contacts in the trip system. After the first trip logic is reset, the second trip logic is tripped manually and so forth for the four manual scram buttons. The total test verifies the ability to de-energize all eight groups of scram pilot valve solenoids by using the manual scram push button switches. In addition to control room and computer printout indications, scram group indicator lights verify that the trip system contacts have opened.

The second test is the trip logic test. It is accomplished by operating the keylocked test switches, one at a time, for each trip logic. The switch de-energizes the logic relay associated with that sensor channel and causes the associated relay contacts to open. The test verifies the ability of each trip logic to de-energize. In addition to annunciator and computer printout indications, the actuator and contact action can be verified by observing the physical position of these devices.

7.2-23 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The third test includes calibration of the neutron monitoring system by means of simulated inputs from calibration signal units. Calibration and test controls for the neutron monitoring system are located in the control room. Their physical location places them under direct physical control of the control room operator. Subsection 7.6.1.5, Neutron Monitoring System, describes the calibration procedure.

The fourth test is the single rod scram test, which verifies the capability of each rod to scram. It is accomplished by operating two toggle switches on the hydraulic control unit for the particular control rod drive. Timing traces can be made for each rod scrammed. Prior to the test, a physics review must be conducted to assure that the rod pattern during scram testing will not create a rod of excessive reactivity worth.

The fifth test involves applying a test signal to each reactor protection system sensor channel, in turn, and observing that a logic trip results. This test also verifies the electrical independence of the channel circuitry. The test signals can be applied to the process type sensing instruments (pressure, differential pressure and level) through calibration taps.

Calibration and test controls for pressure transmitters, level transmitters, level switches, and valve position switches are located in the turbine building and containment. To gain access to the setting controls on each transmitter, a cover plate or sealing device must be removed. For scram discharge volume level float type switches, a switch housing must be removed to gain access to the setting control. The control room operator is responsible for granting access to the setting controls. Only properly qualified plant personnel are granted access for the purpose of testing or calibration adjustments.

Transmitter and level switch operation will be ascertained during plant operation by comparison of the four individual channel trip units. Any deviation of a reading from the norm (other units) would indicate a malfunction.

Transmitter and level switch testing and calibration will be performed in accordance with the Technical Specifications.

The alarm typewriter provided with the process computer shows verification of the correct operation of many sensors during plant startup and shutdown. Main steam line isolation valve position and turbine stop valve position can be checked in this 7.2-24 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) manner. The verification provided on the alarm typewriter is not considered in the selection of test and calibration frequencies and is not required for plant safety.

[HISTORICAL INFORMATION] [During preoperational testing, the sensor response time is measured using a hydraulic ramp-test method similar to that described in Electric Power Research Institute Report No. NP-267, entitled, "Sensor Response Time Verification." Subsequently on a surveillance basis, the sensor response time is measured using the hydraulic ramp-test method or the process noise analysis method as described in the Westinghouse report to the Nuclear Regulatory Commission titled "THE USE OF PROCESS NOISE MEASUREMENTS TO DETERMINE RESPONSE CHARACTERISTICS OF PROTECTION SENSORS IN U.S. PLANTS" and ISA Std. S67.06 1984 Section 12.1.2.]

The response time of the trip comparators and trip delays is determined using the transient current source test method described in the General Electric Report NEDO 21617-A, entitled, "Analog Transmitters/Trip Unit System for Engineered Safeguard Sensor Trip Inputs." This test is performed as part of the preoperational test and during subsequent surveillance testing.

7.2.1.1.5 Environmental Considerations Electrical modules for the reactor protection system are located in the drywell, containment, and the turbine building. The environmental conditions for these areas are shown in Table 3.11-1.

7.2.1.1.6 Operational Considerations 7.2.1.1.6.1 Operator Information 7.2.1.1.6.1.1 Indicators Scram group indicators extinguish when a trip logic trips.

Recorders in the control room also provide information regarding reactor vessel water level, reactor vessel pressure, drywell pressure, and reactor power level.

7.2-25 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.1.1.6.1.2 Annunciators Each reactor protection system input is provided to the annunciator system through electronic isolators. Logic trips also signal the annunciator system. Manual trips signal the annunciator system.

When a reactor protection system sensor channel trips, it lights an engraved red annunciator window, common to all the channels for that variable, on the reactor control panel in the control room to indicate the out-of-limit variable. Each trip logic lights a red annunciator window to indicate which logic has tripped. As an annunciator system input, a reactor protection system sensor channel trip also sounds a horn, which can be silenced by the operator. The annunciator window lights latch in until reset manually. Reset is not possible until the condition causing the trip has been cleared. The location of alarm windows permits the operator to quickly identify the cause of reactor protection system trips and to evaluate the threat to the fuel or reactor coolant pressure boundary.

7.2.1.1.6.1.3 Computer Alarms A computer printout identifies each tripped sensor channel; however, the physical position of the reactor protection system relays may also be used to identify the individual sensor that caused the trip in a group of sensors monitoring the same variable.

All reactor protection system trip events are recorded by an alarm typewriter controlled by the core performance monitoring system.

This permits subsequent analysis of an operational transient that occurs too rapidly for operator comprehension of events as they occur. The first 80 events are recorded in chronological sequence; events occurring within a milliseconds of one another are treated as having occurred simultaneously. Use of the alarm typewriter and computer is not required for plant safety. The printout of trips is particularly useful in routinely verifying the correct operation of pressure, level, and valve position switches as trip points are passed during startup, shutdown, and maintenance operations.

7.2-26 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.1.1.6.2 Operator Controls 7.2.1.1.6.2.1 Mode Switch A conveniently located, multiposition, keylock mode switch is provided to select the necessary scram functions for various plant conditions. The mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses.

The switch also interlocks such functions as control rod blocks and refueling equipment restrictions, which are not considered here as part of the reactor protection system. The switch is designed to provide separation between the four trip logics. The mode switch positions and their related scram functions are as follows:

a. SHUTDOWN Initiates a reactor scram; bypasses main steam line isolation scram.

b. REFUEL Selects neutron monitoring system scram for low neutron flux level operation (but does not disable the APRM scram); bypasses main steam line isolation scram.

c. STARTUP Selects neutron monitoring system scram for low neutron flux level operation; bypasses main steam line isolation scram.

d. RUN Selects neutron monitoring system scram for power range operation.

7.2.1.1.6.2.2 Safety-Related Portions of Control Systems Which Inhibit or Limit the Response of the Reactivity Control System There are no portions of control systems which inhibit or limit the response of the reactivity control system.

7.2-27 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.1.1.6.3 Set Points Instrument ranges are chosen to cover the range of expected conditions for the variable being monitored. Additionally, the range is chosen to provide the necessary accuracy for any required set points and to meet the overall accuracy requirements of the channel.

a. Neutron Monitoring System Trip To protect the fuel against high heat generation rates, neutron flux is monitored and used to initiate a reactor scram. The neutron monitoring system set points and their bases are discussed in subsection 7.6.1.5, Neutron Monitoring System Instrumentation and Controls.

The fast response APRM trip function with an upscale set point of 15 percent is active when the mode switch is not in RUN.

b. Nuclear System High Pressure Excessively high pressure within the nuclear system threatens to rupture the reactor coolant pressure boundary. A nuclear system pressure increase during reactor operation compresses the steam voids and results in a positive reactivity insertion; this causes increased core heat generation that could lead to fuel failure and system overpressurization. A scram counteracts a pressure increase by quickly reducing core fission heat generation.

The nuclear system high-pressure scram setting is chosen slightly above the reactor vessel maximum normal operation pressure to permit normal operation without spurious scram, yet provide a wide margin to the maximum allowable nuclear system pressure. The location of the pressure measurement, as compared to the location of highest nuclear system pressure during transients, was also considered in the selection of the high-pressure scram setting. The nuclear system high-pressure scram works in conjunction with the pressure-relief system to prevent nuclear system pressure from exceeding the maximum allowable pressure. The nuclear system high pressure scram setting also protects the core from exceeding thermal hydraulic limits that result from pressure increases during events that occur when the reactor is operating below rated power and flow.

7.2-28 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Reactor Vessel Low Water Level Low water level in the reactor vessel indicates that the reactor is in danger of being inadequately cooled.

Decreasing water level while the reactor is operating at power decreases the reactor coolant inlet subcooling. The effect is the same as raising feedwater temperature.

Should water level decrease too far, fuel damage could result as steam forms around fuel rods. A reactor scram protects the fuel by reducing the fission heat generation within the core. The reactor vessel low water level scram setting was selected to prevent fuel damage following abnormal operational transients caused by single equipment malfunctions or single operator errors that result in a decreasing reactor vessel water level. The scram setting is far enough below normal operational levels to avoid spurious scrams. The setting is high enough above the top of the active fuel to assure that enough water is available to account for evaporation loss and displacement of coolant following the most severe abnormal operational transient involving a level decrease. The selected scram setting was used in developing thermal-hydraulic limits.

The thermal-hydraulic limits set operational limits on the thermal power level for various coolant flow rates.

d. Turbine Stop Valve Closure Closure of the turbine stop valve with the reactor at power can result in a significant addition of positive reactivity to the core as the nuclear system pressure rise causes steam voids to collapse. The turbine stop valve closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure.

It is required to provide a satisfactory margin below core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity caused by increasing pressure, by inserting negative reactivity with control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure-relief system, is adequate to preclude overpressurizing the nuclear system, the turbine stop valve closure scram provides additional margin to the nuclear system pressure limit. The turbine stop valve closure scram setting provides the earliest positive indication of valve closure.

7.2-29 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

e. Turbine Control Valve Fast Closure With the reactor and turbine generator at power, fast closure of the turbine control valves can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The turbine control valve fast closure scram initiates a scram earlier than either the neutron monitoring system or nuclear system high pressure. It is required to provide a satisfactory margin to core thermal-hydraulic limits for this category of abnormal operational transients. The scram counteracts the addition of positive reactivity resulting from increasing pressure, by inserting negative reactivity with control rods. Although the nuclear system high-pressure scram, in conjunction with the pressure-relief system, is adequate to preclude overpressurizing the nuclear system, the turbine control valve fast closure scram provides additional margin to the nuclear system pressure limit.

The turbine control valve fast closure scram setting is selected to provide timely indication of control valve fast closure.

f. Main Steam Line Isolation The main steam line isolation valve closure can result in a significant addition of positive reactivity to the core as nuclear system pressure rises. The main steam line isolation scram setting is selected to give the earliest positive indication of isolation valve closure. The logic allows functional testing of main steam line isolation sensor trip channels by partially closing a main steam line isolation valve.

g. Scram Discharge Volume High Water Level Water displaced by the control rod drive pistons during a scram goes to the scram discharge volume. If the scram discharge volume fills with water so that insufficient capacity remains for the water displaced during a scram, control rod movement would be hindered during a scram. To prevent this situation, the reactor is scrammed when the water level in the discharge volume is high enough to verify that the volume is filling up, yet low enough to ensure that the remaining capacity in the volume can accommodate a scram.

7.2-30 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

h. Drywell High Pressure High pressure inside the drywell may indicate a break in the reactor coolant pressure boundary. It is prudent to scram the reactor in such a situation to minimize the possibility of fuel damage and to reduce energy transfer from the core to the coolant. The drywell high-pressure scram setting is selected to be as low as possible without inducing spurious scrams.

i. Deleted

j. Reactor Vessel High Water Level Increasing water level while the reactor is at power indicates an increase in feedwater flow and an impending power increase. The high water level trip causes a scram prior to a significant power increase, limiting neutron flux and thermal transients so that the fuel design basis is satisfied.

Reactor vessel high water level is monitored by four redundant differential pressure transmitters, each of which provides a reactor vessel high water level signal input to one of the four RPS trip logics.These are the same transmitters that provide the reactor vessel low water level trip.

An operating bypass of the reactor vessel hiqh water level trip is provided in all reactor operating modes, except RUN.

k. Manual Scram Push buttons are located in the control room to enable the operator to shut down the reactor by initiating a scram.

l. Mode Switch in SHUTDOWN When the mode switch is in SHUTDOWN, the reactor is to be shut down with all control rods inserted. This scram is not considered a protective function, because it is not required to protect the fuel or nuclear system process barrier and it bears no relationship to minimizing the release of radioactive material from any barrier. The 7.2-31 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) scram signal is removed after a short delay, permitting a scram reset that restores the normal valve lineup in the control rod drive hydraulic system.

7.2.1.1.7 Containment Electrical Penetration Assignment Electrical containment penetrations are assigned to the protective system on a four channel basis. In each division, penetrations are uniquely assigned to:

a. Neutron monitors (SRM, IRM, APRM)

b. Process instrumentation (pressure and level)

c. Position switches on MSIV This arrangement precludes interferences and crosstalk between circuits using different voltages and signal functions.

Each penetration is provided with a NEMA-4 enclosure box on each end, providing continuation of the metal wireways described in subsection 7.2.1.1.4.7.

7.2.1.1.8 Cable Spreading Room Description The separation criteria used in cable spreading rooms is described in subsection 8.3.1.4.1. Cable routing through the cable spreading rooms is shown on raceway plans provided by reference in Section 1.7.

7.2.1.1.9 Control Room Area The control room area is divided into three floors. Divisions 2 and 4, reactor protection system vertical boards, are located on the central floor and divisions 1 and 3, reactor protection system vertical boards, are located on the upper floor. The vertical boards are installed on false flooring and are connected to individual termination cabinets by under floor cable ducts. The consoles for reactor control for divisions 1, 2, 3, and 4 are located in the center section on the central floor.

7.2.1.1.10 Control Room Cabinets and Their Contents The reactor protection system vertical boards for channels A, B, C, and D each contain the trip units, sensor channel and trip logic relays, test switches, trip indicating lights, and terminal boards for the individual channel and division.

7.2-32 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The console for reactor control contains the reactor mode switch, bypass switches, scram solenoid valve status indicating lights, and manual scram switches.

7.2.1.1.11 Test Methods that Enhance RPS Reliability Surveillance testing is performed periodically on the reactor protection system during operation. This testing includes sensor calibration, sensor functional testing, and trip response time measurement with simulated inputs to individual trip units and sensors. The sensors, which are transmitters, can be checked by comparison of the readings on other channels of the same variable.

7.2.1.1.12 Interlock Circuits to Inhibit Rod Motion as well as Vary the Protective Function There are no interlock circuits which inhibit rod motion as well as vary the protective functions.

7.2.1.1.13 ATWS Provisions Provisions are made for this event by the alternate rod insertion system discussed in section 4.6.1.1.2.4.2.5, the recirculation pump trip system discussed in section 5.4.1.7.10, and the standby liquid control system discussed in section 9.3.5.

7.2.1.1.14 Support Cooling Systems, H&V Systems Descriptions The control room HVAC system is described in subsections 6.4, 9.4.1, and 7.3.1.1.10.

7.2.1.2 Design Bases Design basis information required by IEEE 279-1971 is discussed in the following paragraphs. These IEEE 279 design basis aspects are considered separately from those more broad and detailed design basis for this system cited in subsection 7.1.2.1.1.

7.2.1.2.1 Conditions The generating station conditions which require protective action are identified below:

a. Generator load rejection above 35.4 percent of rated power.

b. Turbine trip above 35.4 percent of rated power.

7.2-33 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Main steam line isolation valve closure during operation in the RUN mode.

d. Pressure controller failure (open control valves) resulting in low steam line pressure.

e. Excess coolant inventory resulting in turbine trip due to high water level.

f. Shutdown cooling (RHR) malfunction causing decreasing coolant temperature.

g. Loss of feedwater flow.

h. Loss of auxiliary power.

i. Recirculation pump seizure.

j. Recirculation flow control failure with increasing flow.

k. Steam jet air ejector failure followed by low main condenser vacuum trip of the turbine.

l. Deleted

m. Loss-of-coolant accident.

n. Main steam line break.

o. Feedwater system piping break.

p. Failure of air ejector lines - scram occurs when the turbine trips following loss of condenser vacuum.

q. Turbine trip resulting from any of the conditions described in subsection 10.2.2.

r. Reactor vessel low- and high-water-level trips .

s. Reactor operations in states that could result in development of power oscillations due to neutronic/

thermal-hydraulic instability.

7.2.1.2.2 Variables The generating station variables which require monitoring to provide protective actions are identified in Table 7.2-1.

7.2-34 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.1.2.3 Sensors A minimum number of 21 LPRMs per APRM are required to provide adequate protective action. This is the only variable which has spatial dependence as discussed in IEEE 279, paragraph 3.3.

7.2.1.2.4 Operational Limits Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels so that a spurious scram is avoided. It is then verified by analysis that the release of radioactive material, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds. Design basis operational limits are based on operating experience and constrained by the safety design basis and the safety analyses.

Trip setpoints are developed from the design basis information which takes into account the transient response of the total system. Also accounted for is the margin which includes allowances for instrumentation accuracy, calibration error, sensor response times and sensor and setpoint drift.

7.2.1.2.5 Margin Between Operational Limits The margin between operational limits and the limiting conditions of operation (scram) for the reactor protection system includes the maximum allowable accuracy error and sensor set point drift.

Annunciators are provided to alert the reactor operator of the onset of unsafe conditions.

7.2.1.2.6 Levels Requiring Protective Action Levels requiring protective action are the design basis set points and are at least as limiting as the limiting safety system settings.

7.2.1.2.7 Ranges of Energy Supply and Environmental Conditions The reactor protection system (RPS) 120 V ac power is provided by Class 1E uninterruptible power system and high inertia MG sets.

Voltage regulation of the high inertia MG sets is designed to respond to a step load change of 50 percent of rated load with an output voltage change of not more than 15 percent. The flywheel on each MG set provides stored energy to maintain voltage and frequency within +/-5 percent, for one second, preventing momentary 7.2-35 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) switchyard transients from causing a scram. RPS relays and contactors will operate without failure within the range of -15 percent to +10 percent of rated voltage. An alternate source of 120 volt power is provided to each RPS bus as discussed in Section 8.3.1.1.5.3. For Class 1E uninterruptible power system see Section 8.3.1.1.5.7. The UPS is regulated such that the inverter output voltage is maintained at 118V plus 31/2% to minus 21/2%.

Environmental conditions for proper operation of the RPS components are covered in GGNS Environmental Qualification files.

7.2.1.2.8 Unusual Events Chapter 15 and Appendix 15A, Accident Analysis, describe the following credible accidents and events; floods, storms, tornados, earthquakes, fires, LOCA, pipe break outside containment, and feedwater line break. Each of these events is discussed below for the subsystems of the RPS.

a. Floods The buildings containing RPS components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain watertight under PMF. Therefore, none of the RPS functions is affected by flooding. Water level (flood) design is described in Section 3.4.

b. Storms and Tornados The buildings containing RPS components have been designed to withstand all credible meteorological events and tornados as described in subsection 3.3.2.

c. Earthquakes The structures containing RPS components except the turbine building have been seismically designed as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). The RPS components contained in the turbine building are backup scram variables for the reactor pressure trip. Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.

d. Fires 7.2-36 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

To protect the RPS in the event of a postulated fire, the RPS trip logics have been divided into four separate sections within two independent RPS panels. The sections are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the RPS functions would not be prevented by the fire. The use of separation and fire barriers ensures that, even though some portion of the system may be affected, the RPS will continue to provide the required protective action. Refer to subsection 9.5.1 for additional information on plant fire protection.

e. LOCA The following RPS subsystem components are located inside the drywell and would be subjected to the effects of a design basis loss-of-coolant accident (LOCA):

1. Neutron monitoring system (NMS) cabling from the detectors to the control room.

2. Reactor vessel pressure and reactor vessel water level instrument taps and sensing lines and drywell pressure sensing lines, which terminate outside the drywell.

These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11 and indicated in Table 3.11-3.

f. Pipe Break Protection against dynamic effects associated with the postulated rupture of piping is discussed in Section 3.6.

g. Missiles Missile protection is described in Section 3.5.

7.2.1.2.9 Performance Requirements A logic combination (one-out-of-two-twice) of trip logic division trips, actuated by abnormal or accident conditions, will initiate a scram, and produces independent logic seal-ins within each of the four trip logics. The trip conditions will be annunciated and recorded on the process computer. The trip seal-in will maintain a 7.2-37 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) scram signal condition at the control rod drive system terminals until the sensor channels have returned within their normal operating range and the trip logic seal-in is manually reset by operator action. Thus, once a trip signal is present long enough to initiate a scram and the seal-ins, the protective action will go to completion.

7.2.1.3 Final System Drawings The final RPS drawings are processed at two different levels relative to this document.

First, all the necessary system and subsystem level piping and instrumentation diagrams (P&IDs), system flow diagrams (SFDs),

and channel logic diagrams are provided in this FSAR as referenced in this section.

Secondly, functional control diagrams (FCDs), detailed circuit, component design elements, electrical elementary diagrams, cabinet, and panel layout drawings (or similar finite detail design diagrams) are being provided under separate cover by reference in Section 1.7. This documentation is complementary to discussions and drawings included in this document.

There are no functional or architectural design basis differences or changes to this system between the approved preliminary PSAR design and the FSAR final design under review. A direct comparison of the subject documents verifies this observation. A list of drawings supplied under separate cover is given in Section 1.7.

7.2.2 Analysis 7.2.2.1 Reactor Protection System - Instrumentation and Controls 7.2.2.1.1 General Functional Requirements Conformance Presented below are analyses to demonstrate how the various general functional requirements and the specific regulatory requirements listed under the reactor protection system design bases (subsection 7.1.2.1.1) are satisfied.

7.2-38 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.1.1 Conformance to Design Basis Requirements 7.2.2.1.1.1.1 Design Bases in Subsection 7.1.2.1.1.1.1.a.

The reactor protection system is designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. Chapter 15, Accident Analysis, identifies and evaluates events that jeopardize the fuel barrier and reactor coolant pressure boundary. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are sought and identified, are presented in that chapter.

The reactor protection system is designed to prevent development of power oscillations due to neutronic/thermal-hydraulic instability by terminating reactor operation in states that could result in development of power oscillations due to neutronic/

thermal-hydraulic instability considering reasonably limiting anticipated operational occurrences. Chapter 4.4 presents the analysis of thermal-hydraulic stability and the methods for assuring that power oscillations are prevented from developing.

Design bases from subsection 7.1.2.1.1 require that the precision and reliability of the initiation of reactor scrams be sufficient to prevent, or limit, fuel damage and to prevent damage to the coolant boundary as a result of excessive internal pressure.

Table 7.2-1, RPS Instrumentation Specifications, provides a listing of the sensors selected to initiate reactor scrams and delineates the needed accuracy and transient response for each variable. This information is used to establish the precision of the RPS variable sensors.

Reliability of the RPS is assured through the selection of reliable components and performance of analyses such as failure mode and effects analysis (FMEA). FMEAs are used to determine that the reactor protection system is not subject to any common mode failures.

The selection of tentative scram trip settings has been developed through analytical modeling, experience, historical use of initial set points, and adoption of new variables and set points as experience was gained. The initial set point selection method provided for settings which were sufficiently above the normal operating levels (to preclude the possibilities of spurious 7.2-39 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) scrams or difficulties in operation), but low enough to protect the fuel and pressure barrier. As additional information became available or systems were changed, additional scram variables were provided using the above method for initial set point selection. The selected scram settings are analyzed to verify that they are conservative and that the fuel, fuel barriers, and nuclear system process barriers are adequately protected. In all cases, the specific scram trip point selected is a conservative value that prevents damage to the fuel or reactor coolant pressure boundary, taking into consideration previous operating experience and the analytical models.

7.2.2.1.1.1.2 Design Basis in Subsection 7.1.2.1.1.1.1.b.

The scram initiated by nuclear system high pressure, in conjunction with the pressure-relief system, is sufficient to prevent damage to the reactor coolant pressure boundary as a result of internal pressure. The main steam line isolation valve closure scram provides a greater margin to the nuclear system pressure safety limit than does the high-pressure scram. For turbine-generator trips, the stop valve closure scram and turbine control valve fast closure scram provide a greater margin to the nuclear system pressure safety limit than does the high-pressure scram. Chapter 15, Accident Analysis, identifies and evaluates accidents and abnormal operational events that result in nuclear system pressure increases. In no case does pressure exceed the nuclear system safety limit.

7.2.2.1.1.1.3 Design Basis in Subsection 7.1.2.1.1.1.1.c.

The scram initiated by the reactor vessel low water level satisfactorily limits the radiological consequences of gross failure of the fuel or reactor coolant pressure boundary. Chapter 15 evaluates gross failures of the fuel and reactor coolant pressure boundary; in no case does the release of radioactive material to the environs result in exposures which exceed the guide values of applicable published regulations.

7.2.2.1.1.1.4 Design Basis in Subsection 7.1.2.1.1.1.1.d.

Scrams are initiated by variables which are designed to monitor fuel temperature and protect the reactor coolant pressure boundary. The neutron monitoring system monitors fuel temperature indirectly using incore detectors. The incore detectors monitor the reactor power level by detecting the neutron level in the core. Reactor power level is directly proportional to neutron 7.2-40 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) level and the heat generated in the fuel. Although the neutron monitoring system does not monitor fuel temperature directly, by establishing a correlation between fuel temperature and reactor power level, scram set points can be determined for protective action, which will prevent fuel damage.

The reactor coolant pressure boundary is protected by monitoring parameters which indicate reactor pressure directly or anticipate reactor pressure increases. Reactor pressure is monitored directly by pressure sensors, which are connected directly to the reactor pressure vessel through sensing lines and pressure taps.

In addition, reactor pressure transients are anticipated by monitoring the closure of valves which shut off the flow of steam from the reactor pressure vessel and cause rapid pressure increases. The variables monitored to anticipate pressure transients are main steam line isolation valve position, turbine stop valve position, and turbine control valve (fast closure) position. If any of these valves were to close, pressure would rise very rapidly, therefore, this condition is anticipated and a trip is initiated prior to any pressure transient occurring.

Chapter 15, Accident Analysis, identifies and evaluates those conditions which threaten fuel temperature and reactor coolant pressure boundary integrity. In no case does the core exceed a safety limit.

7.2.2.1.1.1.5 Design Basis in Subsection 7.1.2.1.1.1.1.e.

The scrams initiated by the neutron monitoring system, drywell pressure, reactor vessel pressure, reactor vessel water level, turbine stop valve closure, and turbine control valve fast closure variables will prevent fuel damage. The scram set points for these variables have been designed to cover the expected range of magnitude and rates of change during abnormal operational transients without fuel damage. Chapter 15, Accident Analysis, identifies and evaluates those conditions which threaten fuel integrity. With the selected variables and scram set points, adequate core margins are maintained relative to thermal-hydraulic safety limits.

7.2.2.1.1.1.6 Design Basis in Subsection 7.1.2.1.1.1.1.f.

Neutron flux is the only essential variable of significant spatial dependence that provides inputs to the reactor protection system. The basis for the number and locations is discussed below.

The other requirements are fulfilled through the combination of 7.2-41 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) logic arrangement, channel redundancy, wiring scheme, physical isolation, power supply redundancy, and component environmental capabilities.

Two transient analyses are used to determine the minimum number and physical location of required LPRMs for each APRM.

a. The first analysis is performed with operating conditions of 100 percent reactor power and 100 percent recirculation flow using a continuous rod withdrawal of the maximum worth control rod. In the analysis, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

b. The second analysis is performed with operating conditions of 100 percent reactor power and 100 percent recirculation flow using a reduction of recirculation flow at a fixed design rate. Again, LPRM detectors are mathematically removed from the APRM channels. This process is continued until the minimum numbers and locations of detectors needed to provide protective action are determined for this condition.

The results of the two analyses are analyzed and compared to establish the actual minimum number and location of LPRMs needed for each APRM channel.

Core-wide power shape changes can occur without control rod movement (i.e., flow variations, quasi steady-state xenon redistribution and core-wide transients). A detailed APRM design analysis is made using variation in core flow, control rod movement and variation in core power distributions for determining the effects of LPRM assignments and failures on APRM accuracy.

Movement of a control rod further from the center will generate a tilt in the power distribution that will result in a higher ratio of local power increase to average power increase since the LPRM's will on the average, be further from the source of the perturbation. This event is used to evaluate the effect of localized power increases on the APRM's ability to predict an accurate average power increase. The rod pattern controller 7.2-42 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) system contains the rod withdrawal limiting function to minimize the consequences of any rod movement which could initiate excessive localized power increases (see subsection 7.6.1.7).

Withdrawal of the highest worth rod (usually located but not restricted to the center region of the core) concentrates the core power increase to a more localized region of the core. Withdrawal of a rod near the periphery of the core could be as limiting an event. In general, however, the most reactive rod gives the more conservative basis for determining the effects of normal operating control rod maneuvers on LPRM assignments and failure in the APRM system.

7.2.2.1.1.1.7 Design Basis in Subsections 7.1.2.1.1.1.1.a through h.

Sensors, sensor channels, and trip logics of the reactor protection system are not used directly for automatic control of process systems. An isolated neutron monitoring system signal is used with the recirculation flow control system as described in subsection 7.7.1.3. Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the protection system.

Failure of either reactor protection system power supply would result in the de-energization of one of the two scram valve pilot solenoids on each scram valve. Alternate power is available to the reactor protection system buses. A complete, sustained loss of electrical power to both power supplies would result in a scram if the loss exceeds the ride-through capability of the power supplies. A failure of one of the Class 1E uninterruptible power supplies would de-energize only its associated sensor trip channels and would not cause scram. Failure of selective two-out-of-four divisions of the Class 1E uninterruptible power system would result in the de-energization of the associated sensor trip channel and reactor scram.

The reactor protection system is designed so that it is only necessary for trip variables to exceed their trip set points for sufficient length of time to de-energize the scram relay contactors and open the seal-in contacts of the associated trip logic. Once this is accomplished, the scram will go to completion, regardless of the state of the variable which initiated the protective action.

When the initiating condition has cleared and a sufficient (10 7.2-43 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) second) time delay has occurred, the scram may be reset only by actuation of the scram reset switches in the control room by the operator.

Reactor protection cabling is routed in separate conduits for each division for all wiring for sensors, racks, panels, and scram solenoids.

Physical separation and electrical isolation among redundant portions of the reactor protection system is provided by separated process instrumentation, separated racks, and either separated or protected panels and cabling.

Separate panels are provided for each division, except for the control room console which has internal metal barriers. Where equipment from more than one division is in a panel, divisional separation is provided by fire barriers and through the use of separated terminal boards. Where wiring from more than one division is present at a single component, divisional separation is provided by fire barriers on the component in addition to routing of the wiring from the component in separate conduits.

Separate racks are provided for the reactor protection sensor instrumentation for each division and are installed in different locations.

7.2.2.1.1.1.8 Design Basis in Subsection 7.1.2.1.1.1.1.h.

Access to trip settings, component calibration controls, test points, and other terminal points is under the control of plant operations supervisory personnel.

Access control is provided by use of administrative control procedures which require: (1) that approved procedures be used to perform calibration and testing, which require obtaining permission prior to performance; (2) that locked open or closed valves may be used to prevent manual bypass of mechanical systems, and (3) that operations personnel within the control room monitor and control access to panels and cabinets within the control room.

Manual bypass of instrumentation and control equipment components is under the control of the operator in the control room. If the ability to trip some essential part of the system is bypassed, this fact is continuously annunciated in the control room.

7.2-44 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

For the subsystem operational bypasses discussed in subsection 7.2.1, bypassing of these subsystem components provides a continuous annunciation in the control room. If other components are bypassed, such as taking a sensor out-of-service for calibration or testing, this condition will also be annunciated continuously in the control room through an administratively controlled trip of the RPS logic associated with that component.

7.2.2.1.1.1.9 Other Design Basis Requirements The reactor protection system is a one-out-of-two twice logic system. Theoretically, its reliability is slightly higher than a two-out-of-three system and slightly lower than a one-out-of-two system.However, because the differences are slight, they can, in a practical sense, be neglected. The dual trip system is advantageous because it can be tested thoroughly during reactor operation without causing a scram. This capability for a thorough testing program significantly increases reliability.

The environment in which the instruments and equipment of the reactor protection system must operate was considered in setting the environmental specification given in Table 3.11-1. The specifications for the instruments located in the containment or turbine building are based on the worst expected ambient conditions.

The control room maximum environment is predicated on supplying the control room with 100 percent outside air with no refrigeration. The minimum environment is predicated on a mixture of outside and recirculated air concurrent with minimum equipment heat loss. The reactor protection system components that must function in the environment resulting from a reactor coolant pressure boundary break inside the drywell are the condensing chambers and the inboard main steam line isolation valve position switches. Special precautions are taken to ensure their operability after the accident. The condensing chambers and all essential components of the control and electrical equipment are either similar to those that have successfully undergone qualification testing in connection with other projects, or additional qualification testing under simulated environmental conditions has been conducted.

To ensure that the reactor protection system remains functional, the number of operable sensor channels for the essential monitored variables is maintained at or above the minimum given in 7.2-45 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) the Technical Specifications. The minimums apply to any untripped trip logics; a tripped logic may have any number of inoperative sensor channels. Because reactor protection requirements vary with the mode in which the reactor operates, the tables show different functional requirements for the RUN and STARTUP modes.

These are the only modes where more than one control rod can be withdrawn from the fully inserted position.

In case of a loss-of-coolant accident, reactor shutdown occurs immediately following the accident as process variables exceed their specified set point. Operator verification that shutdown has occurred may be made by observing one or more of the following indications:

a. Control rod status lamps indicating each rod fully inserted.

b. Control rod scram pilot valve status lamps indicating open valves.

c. Neutron monitoring power range channels and recorders downscale.

d. Annunciators for RPS variables and trip logic in the tripped state.

e. Process computer logging of trips and control rod position log.

The trip settings discussed in subsection 7.2.1 are not changed to accommodate abnormal operating conditions. Actions required during abnormal conditions are discussed in the Technical Specifications. Transients requiring activation of the reactor protection system are discussed in Chapter 15.0. The discussions there designate which systems and instrumentation are required to mitigate the consequences of these transients.

7.2.2.1.2 Conformance to Specific Regulatory Requirements 7.2.2.1.2.1 Conformance to NRC Regulatory Guides General exceptions and positions taken on the Regulatory Guides, and the Revision of the Guide that is followed, are discussed in Appendix 3A of this FSAR. Specific applications of selected guides to the RPS are discussed in this subsection.

7.2-46 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.1.1 Regulatory Guide 1.11 Conformance to Regulatory Guide 1.11 is discussed in subsection 6.2.4.

7.2.2.1.2.1.2 Regulatory Guide 1.22 The system is designed so that during plant operation it may be tested from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing.

7.2.2.1.2.1.3 Regulatory Guide 1.29 All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as seismic Category I.

7.2.2.1.2.1.4 Regulatory Guide 1.30 The postoperation quality assurance program is discussed in Chapter 17.

7.2.2.1.2.1.5 Regulatory Guide 1.47 Bypassed and inoperable status indication meets the requirements of Regulatory Guide 1.47 as stated in subsection 7.5.2.5.5 and as discussed in subsection 7.5.1.3.

7.2.2.1.2.1.6 Regulatory Guide 1.53 Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the reactor protection system to meet the single failure criterion, Section 4.2, of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379-1972, "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant sensors are used and the trip logic is arranged to ensure that a failure in a sensor channel, the trip logic or an actuator will neither prevent nor initiate protective action. Separated channels and trip logics are employed, so that a fault affecting one will not prevent the others from operating properly.

7.2-47 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The reactor protection system is normally energized, with two motor-generator sets and four independent Class 1E uninterruptible power systems for power. One of the two M-G sets and two of the four Class 1E uninterruptible power supplies power each scram pilot valve solenoid and associated sensor trip circuitry, respectively. Therefore, a single failure of one M-G set or one of the two designated Class 1E uninterruptible power supplies will produce a trip on one scram pilot valve solenoid.

Complete loss of two M-G sets, or selective loss of two-out-of-four division Class 1E uninterruptible power system will trip the reactor.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when called upon. Testing incorporates all elements of the system under one test mode or another, including sensors, sensor channels, trip logics, trip system output and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

7.2.2.1.2.1.7 Regulatory Guide 1.62 Means are provided for manual initiation of reactor manual scram at the system level through the use of four armed push button switches.

Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry.

These switches are located on the operator's control console.

The amount of equipment common to initiation of both manual scram and automatic scram is kept to a minimum through implementation of manual scram at the final devices (scram contactor) of the protection system. No failure in the manual, automatic, or common portions of the protection system will prevent initiation of reactor scram by manual or automatic means.

The "minimum of equipment" objective is accomplished for the initiation of manual scram through its implementation at the final devices (scram contactor) of the protection system.

7.2-48 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Manual initiation of reactor scram, once initiated, goes to completion as required by IEEE 279-1971, Section 4.16.

7.2.2.1.2.1.8 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.2.2.1.2.1.9 Regulatory Guide 1.68 Written procedures and responsibilities are developed for the preoperational and startup testing of the system. Proper operation in all combinations of logic, calibration, and operability of primary sensors, except for neutron monitoring system and process radiation sensors; proper trip and alarm settings; proper operation of permissive, prohibit, and bypass functions; and operability of bypass switches are verified.

Redundancy, electrical independence, coincidence, and safe failure on loss of power and operability of backup scram solenoid valves and devices including detectors, logic, trip points, and final control elements are demonstrated.

7.2.2.1.2.1.10 Regulatory Guide 1.75 The reactor protection system complies with the criteria set forth in IEEE 279-1971, paragraph 4.6 and Regulatory Guide 1.75.

Class IE circuits and Class IE associated circuits are identified and separated. Class IE isolation devices are provided in the design where an interface exists between separation divisions and between non-Class IE and Class IE or Class IE associated circuits.

Physical and electrical independence of the instrumentation devices of the system is provided by channel independence for sensors exposed to each process variable. Separate and independent conduits are routed from each device to the respective control room panel. Each sensor channel has a separate and independent section of a control room panel which is separated by a barrier from the other channel. Trip logic outputs are separate in the same manner as the sensor channels.

7.2.2.1.2.1.11 Regulatory Guide 1.89 Written procedures and responsibilities are developed for the design and qualification of all RPS equipment. This includes preparation of specifications, qualification procedures, and documentation for RPS equipment. Qualification testing or 7.2-49 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) analysis is accomplished prior to release of the engineering design for production. Standards manuals are maintained containing specifications, practices, and procedures for implementing qualification requirements, and an auditable file of qualification documents is available for review. All of this is included in the design even though the RPS does not fully comply with Regulatory Guide 1.89. See Appendix 3A for further discussion of compliance with Regulatory Guide 1.89.

7.2.2.1.2.2 Conformance to 10 CFR 50, Appendix A - General Design Criteria For discussion of General Design Criteria 1, 2, 3, 4, and 5 see subsection 7.1.2.5.

7.2.2.1.2.2.1 General Design Criterion 10 The reactor protection system is designed to monitor certain reactor parameters, sense abnormalities, and to scram the reactor thereby preventing fuel design limits from being exceeded when trip points are exceeded. Scram trip set points are selected based on operating experience and by the safety design basis. There is no case in which the scram trip set points allow the core to exceed the thermal-hydraulic safety limits. Power for the reactor protection system is supplied by two independent M-G sets and four Class 1E uninterruptible power system. An alternate power source is available for each RPS bus.

The system is designed to ensure that the specified fuel design limits are not exceeded during conditions of normal or abnormal operation.

7.2.2.1.2.2.2 General Design Criterion 12 The system design provides protection from excessive fuel cladding temperatures and protects the reactor coolant pressure boundary from excessive pressures which threaten the integrity of the system. Local abnormalities are sensed, and if protection system limits are reached, corrective action is initiated through an automatic scram. High integrity of the protection system is achieved through the combination of logic arrangement, redundancy, power supply redundancy, and physical separation.

7.2-50 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.2.3 General Design Criterion 13 Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions to assure adequate safety. Each system input is monitored and annunciated.

7.2.2.1.2.2.4 General Design Criterion 15 The system acts to provide sufficient margin to ensure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences. If the monitored variables exceed their predetermined settings, the system automatically responds to maintain the variables and systems within allowable design limits.

7.2.2.1.2.2.5 General Design Criterion 19 Controls and instrumentation are provided in the control room.

The reactor can also be shut down in an orderly manner from outside the control room as described in subsection 7.4.1.4.

7.2.2.1.2.2.6 General Design Criterion 20 The system constantly monitors the appropriate plant variables to maintain the fuel barrier and primary coolant pressure boundary and initiates a scram automatically when the variables exceed the established set points.

7.2.2.1.2.2.7 General Design Criterion 21 The system is designed with four independent and separated sensor channels and four independent and separated trip logics. No single failure or operator action can prevent a scram. The system can be tested during plant operation to assure its availability.

7.2.2.1.2.2.8 General Design Criterion 22 The redundant portions of the system are separated such that no single failure or credible natural disaster can prevent a scram.

Functional diversity is employed by measuring flux, pressure, and level in the reactor vessel, which are dependent variables and are diverse.

7.2-51 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.2.9 General Design Criterion 23 The system is fail safe. A loss of electrical power or air supply will not prevent a scram. Postulated adverse environments will not prevent a scram.

7.2.2.1.2.2.10 General Design Criterion 24 The system has no control function. It is interlocked to control systems through isolation devices.

7.2.2.1.2.2.11 General Design Criterion 25 The reactor protection system conforms to the requirements of General Design Criterion 25. The method of conformance is listed below:

The redundant portions of the system are designed such that no single failure can prevent a scram. Functional diversity is employed by measuring flux, pressure, and level in the reactor vessel, which are all reactivity dependent variables.

The RPS system provides protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the reactor coolant pressure boundary. Any monitored variable which exceeds the scram set point will initiate an automatic scram and not impair the remaining variables from being monitored, and if one channel fails the remaining portions of the reactor protection system will function.

The rod pattern control system (RPCS) conforms to General Design Criterion 25 by reducing the consequences of the postulated rod drop accident to an acceptable level by restricting the patterns of control rods that can be established to predetermined sets.

See subsection 7.6.1.7 for additional information.

7.2.2.1.2.2.12 General Design Criterion 29 The system is highly reliable so that it will scram in the event of anticipated operational occurrences.

7.2.2.1.2.3 Conformance with Industry Codes and Standards 7.2.2.1.2.3.1 IEEE Standard 279-1971 The reactor protection (trip) system conforms to the require 7.2-52 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) ments of this standard. The following is a detailed discussion of this conformance.

7.2.2.1.2.3.1.1 General Functional Requirement (IEEE Std.279-1971, paragraph 4.1)

The following RPS trip variables provide automatic initiation of protective action in compliance with this requirement:

a. Scram discharge volume high-water-level trip

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip

f. Deleted

g. Neutron monitoring (APRM) system trip

h. Neutron Monitoring (IRM) system trip

i. Drywell high-pressure trip

j. Reactor vessel high-pressure trip The reactor system mode switch selects appropriate operating bypasses for various RPS variables in the shutdown, refuel, startup, and run modes of operation. Other manual controls, such as the CRD scram discharge volume high water level bypass, the manual scram pushbutton switches, and the RPS reset switch are arranged so as to assure that the process variables providing automatic initiation of protective action will continue to remain in compliance with this requirement.

The RPS reset switch is under the administrative control of the operator. Since the reset switch, through auxiliary relay contacts, is introduced in parallel with the trip actuator seal-in contact, failure of the reset switch cannot prevent initiation of protective action when a sufficient number of channels assume the tripped condition. Hence, the automatic initiation requirement for protective action is not invalidated by this reset switch.

7.2-53 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The RPS trip logic, trip system output, and trip actuators are determined to comply with this requirement through automatic removal of electric power to the control rod drive scram solenoids when one or more RPS variables exceeds the specified trip set point.

Manual reset by the operator bypasses the seal-in contact to permit the RPS to be reset to its normally energized state when all process sensor channels are within their normal (untripped) range of operation.

7.2.2.1.2.3.1.2 Single Failure Criterion (IEEE Std. 279-1971,paragraph 4.2)

The following RPS trip variables are individually implemented with four redundant and physically separated sensor channels in compliance with this requirement:

a. Main steam line isolation valve closure trip

b. Turbine stop valve closure trip

c. Turbine control valve fast closure trip

d. Reactor vessel low- and high-water-level trip

e. Neutron monitoring (APRM) system trip

f. Neutron monitoring (IRM) system trip

g. Drywell high-pressure trip

h. Reactor vessel high-pressure trip The following RPS trip variable is implemented with two independent redundant groups. Each group has four redundant sensor channels divided into two physically separated groups in compliance with the requirement:

i. Scram discharge volume high-water-level trip The scram discharge volume water level sensors are grouped by scram discharge instrument volume (SDIV). Two level transmitters and two level switches are grouped at one SDIV and the other two level transmitters and two level switches are grouped at the opposite SDIV. To minimize the potential consequences of postulated common mode failures, 7.2-54 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) the float type level switch sensing instrumentation is redundant to, and diverse (manufacture, design logic and operating principle) from the level transmitter sensing instrumentation. Separate instrument lines and tap locations are used for the level switches and transmitters.

RPS manual controls also comply with the single failure criterion. Four manual scram pushbuttons are arranged into two groups on the operator's control console, and are separated by approximately 6 inches within each group to permit the operator to initiate manual scram with one motion of one hand. The two groups of manual scram pushbuttons are separated by approximately 3 feet, and the switch contact blocks are enclosed within metal barriers.

The mode switch consists of a single manual actuator shaft with four distinct, steel barrier-separated, switch banks. Each bank is housed within a fire retardant cover. Contacts from each bank are wired in conduit to individual metallic terminal boxes.

The scram discharge volume high-water-level trip bypass requires manual operation of the mode switch and one of four bypass switches for each trip channel. Each of these four bypass switches, in conjunction with a set of mode switch contacts, is used to energize the corresponding channel bypass relays to establish the trip bypass. There is no single failure of this bypass function that will satisfy the condition necessary to establish the bypass condition. Hence, the function complies with the single-failure criterion.

The main steam line valve closure trip operating bypass is implemented with redundant mode switch contacts in a similar manner.

The turbine stop valve closure trip and control valve fast closure trip operating bypass complies with the single-failure criterion.

Reactor power is sensed by four physically separate and independent divisions of the Power Range Neutron Monitoring System (PRNMS). Wiring from the PRNMS is routed to the RPS cabinets and divisional separation is maintained along the route.

The logic configuration for the bypass is the standard one-out-of-two twice arrangement such that a single bypass is associated with a single trip logic for stop valve closure and a single trip logic for control valve fast closure.

7.2-55 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

No single failure of this bypass circuitry will interfere with the normal protective action of the RPS trip function.

The RPS reset switch and associated logic comply with this design requirement. The reset switch is constructed with a single operator and two physically and electrically separated contact blocks. The wires from the contact blocks go through conduit to metallic terminal boxes.

Since opening of the channel trip logic contacts is the initiating event for reactor scram, failure of the reset switch will not prevent de-energization of the trip actuators during the time interval that the process actually exceeds the trip set point.

Those portions of the RPS downstream of the sensor channels also comply with this design requirement. Any postulated single failure of a given trip logic will not affect the remaining three trip logics. Similarly, any single failure of one trip system will not affect the other trip system, and any single failure of a scram pilot valve solenoid will not affect the other scram pilot valve solenoids. The cabling associated with one trip logic is routed in a conduit that is physically separated from similar cabling associated with the other trip logics.Cabling from the trip system to the scram solenoid groups is routed in individual conduits to comply with this design requirement. Because any individual control rod may fail to operate from either the A or B solenoid valves, wiring of these two solenoids for one control rod are routed together within a single conduit.

7.2.2.1.2.3.1.3 Quality of Components and Modules (IEEE Std.279-1971, paragraph 4.3)

The following RPS trip variables are implemented with components and modules which exhibit high quality and high reliability characteristics:

a. Scram discharge volume high-water-level trip

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip 7.2-56 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

f. Deleted

g. Neutron monitoring (APRM) system trip

h. Neutron monitoring (IRM) system trip

i. Drywell high-pressure trip

j. Reactor vessel high-pressure trip The RPS manual control switches are also selected to be of high quality and reliability.

The four pressure transmitters and trip units selected for the turbine stop valve closure trip and control valve fast closure trip operating bypass are of high quality and reliability.

The RPS trip logic consists of series-connected relay contacts from the sensor channel output relays. The relays are of high quality and reliability.

The RPS trip system consists of relay contacts connected in a specific arrangement from the trip actuators. The actuators are of high quality and reliability.

7.2.2.1.2.3.1.4 Equipment Qualification (IEEE Std. 279-1971, paragraph 4.4)

Vendor certification is required that the sensor associated with each of the following RPS trip variables, manual switches, and trip logic components performs in accordance with the requirements listed on the purchase specification as well as in the intended application. This certification, in conjunction with the existing field experience with these components in this application, serves to qualify these components.

a. Scram discharge volume high-water-level trip

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip

f. Deleted 7.2-57 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

g. Neutron monitoring (APRM) system trip

h. Neutron monitoring (IRM) system trip

i. Drywell high-pressure trip

j. Reactor vessel high pressure trip GE Nuclear Energy Division has conducted qualification tests of the relay panels to confirm their adequacy for this service. In situ operational testing of these sensors, channels, and the entire protection system will be performed at the plant site during the preoperational test phase.

7.2.2.1.2.3.1.5 Channel Integrity (IEEE Std. 279-1971,paragraph 4.5)

The channel manual switches and components of the following RPS trip variables are specified to operate under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents:

a. Scram discharge volume high-water-level trip

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip

f. Deleted

g. Neutron monitoring (APRM) system trip

h. Neutron monitoring (IRM) system trip

i. Drywell high-pressure trip

j. Reactor vessel high-pressure trip Even though the channel interpretation is not appropriate to the RPS trip logic, trip system, and trip actuators, they are designed to be operable under normal and abnormal conditions of environment, energy supply, malfunctions, and accidents.

7.2-58 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.3.1.6 Channel Independence (IEEE Std. 279-1971,paragraph 4.6)

The four redundant sensor channels for the following RPS trip variables are physically separated and electrically isolated from one another to meet this design requirement:

a. Scram discharge volume high-water-level trip

b. Turbine stop valve closure trip (derived from eight individual channels which are grouped in four RPS trip channels)

c. Turbine control valve fast closure trip

d. Reactor vessel low- and high-water-level trip

e. Deleted

f. Drywell high-pressure trip

g. Reactor vessel high-pressure trip The scram discharge volume high-water-level trip is derived from four individual level transmitter channels and four level switch channels which are grouped into four RPS trip logics.

Physical separation of the four sensor channels of turbine variables is 3 feet.

The main steam line isolation valve closure trip is derived from eight individual sensor channels which are grouped into four redundant RPS sensor channels.

The eight IRM and four APRM channels are electrically isolated and physically separated from one another so as to comply with this design requirement.

The manual scram pushbutton is a trip logic component. The trip logics are physically separated and electrically isolated to comply with this design requirement.

The mode switch banks are physically separated and electrically isolated to comply with this design requirement.

7.2-59 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The circuitry for the RPS trip variable operating bypasses complies with this design requirement. Sufficient physical separation and electrical isolation exists to assure that the operating bypass channels are satisfactorily independent.

Moreover, the conditions for bypass have been made quite stringent in order to provide additional margin.

The four RPS reset channels to the trip actuators are physically separated and electrically isolated. Similarly, the RPS trip logic and trip systems are physically separated and electrically isolated.

7.2.2.1.2.3.1.7 Control and Protection System Interaction (IEEE Std. 279-1971 paragraph 4.7)

The redundant channels for the following RPS trip variables are electrically isolated from the plant control systems in compliance with this design requirement:

a. Scram discharge volume high-water-level trip

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip

f. Deleted

g. Neutron monitoring (APRM) system trip

h. Neutron monitoring (IRM) system trip

i. Drywell high-pressure trip

j. Reactor vessel high-pressure trip Each sensor channel output relay uses one contact within the RPS trip logic. One additional contact on each relay is wired to a common annunciator in the control room and another contact on each relay is wired to the process computer cabinets, both through electronic isolation devices, to provide a written log of the channel trips. There is no single failure that will prevent proper functioning of any protective function when it is required.

7.2-60 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The main steam line isolation valve limit switch contacts for RPS use are routed through separate conduit connections relative to the other limit switches used for indicator lights in the control room. After the cabling emerges from the limit switch junction box associated with each main steam line isolation valve, it is routed separately from any other cabling in the plant to the RPS panels in the control room.

Turbine stop valve closure and turbine control valve fast closure pressure sensor outputs are routed in Class IE conduit or wireways to the logic cabinets in the control room.

Within the IRM and APRM modules (i.e., prior to their output trip unit driving the RPS) analog outputs are derived for use with control room meters, recorders, and the process computer.

Electrical isolation has been incorporated into the design at this interface to prevent any single failure from influencing the protective output from the trip unit. The trip unit outputs are physically separated and electrically isolated from other plant equipment in their routing to the RPS panels.

The manual scram pushbutton has no control interaction.

The reactor system mode switch is used for protective functions and restrictive interlocks on control rod withdrawal and refueling equipment movement. Additional contacts of the mode switch are used to disable certain computer inputs when the alarms would represent incorrect information for the operator. No control functions are associated with the mode switch. Hence, the switch complies with this design requirement. The system interlocks to control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system.

The RPS scram discharge volume high-water-level trip bypass circuitry complies with this design requirement. For each channel bypass relay, four contacts are used in the bypass logic (one contact per RPS channel). One contact of each relay is also wired to a common annunciator in the control room and one contact, from bypass Channel A and B, is wired to the control rod block circuitry to prevent rod withdrawal whenever the channel bypass is in effect. There are no control system interactions with these bypass relay outputs. The scram discharge volume trip system 7.2-61 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) interfaces with control systems only through isolation devices such that no failure or combination of failures in the control system will have any effect on the reactor protection system.

The main steam line isolation valve closure trip bypass has no interaction with any control system in the plant. RPS logic uses two contacts from each main steam line isolation valve closure trip bypass relay. One contact bypasses the MSIV closure trip, the second initiates a control room annunciator for this function.

Turbine stop valve and control valve trip bypasses provide input to the RPT logic. One output relay contact from each channel is used within the RPS trip logic, one contact is used to provide input to the RPT logic and one additional contact from each channel provides input to common control room annunciator for the bypass function.

Switch contacts of the RPS reset switch are used only to control auxiliary relays. Contacts from the relays are used only in the trip actuator coil circuit. Consequently, this RPS function has no interaction with any other system in the plant.

Reactor vessel water level and reactor vessel high-pressure transmitter outputs are routed in metal conduit from the sensor to the RPS panels in the control room.

The RPS trip logic circuitry which uses the trip signals (relay contacts) of the various sensors causes the energization/ de-energization of the scram relays (variously called trip actuators or scram contactors). Both the RPS trip logic and the associated scram relay circuitry (trip system logic) are totally separate from other plant systems by design, including cable separation and use of electronic isolators for control room annunciation, process computer input, and initiation of the backup scram valves, and therefore will have no interaction with plant control systems. Additionally, the pilot scram valve solenoids, which are controlled by the scram relays, are physically separate and electrically isolated from other parts of the control rod drive hydraulic control unit. Regarding auxiliary trip units, design provisions (electronic isolators) are made so as to prevent detrimental interaction between control and protection circuits, in accordance with the compliance statements of IEEE Std 279-1971, paragraph 4.7.

7.2-62 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.3.1.8 Derivation of System Inputs (IEEE Std. 279-1971, paragraph 4.8)

The following RPS trip variables are direct measures of a reactor overpressure condition, a reactor over-power condition, a gross fuel damage condition, or abnormal conditions within the reactor coolant pressure boundary:

a. Reactor vessel low- and high-water-level trip

b. Deleted

c. Neutron monitoring (APRM) system trip

d. Neutron monitoring (IRM) system trip

e. Drywell high-pressure trip

f. Reactor vessel high-pressure trip The measurement of scram discharge volume water level is an appropriate variable for this protective function. The desired variable is available volume to accommodate a reactor scram.

However, the measurement of consumed volume is sufficient to infer the amount of remaining available volume since the total volume is a fixed, predetermined value established by the design.

The measurements of main steam line isolation valve position and turbine stop valve trip fluid pressure are appropriate variables for the reactor protection system. The desired variable is loss of the reactor heat sink; however, isolation or stop valve closure is the logical variable to infer that the steam path has been blocked between the reactor and the heat sink.

Due to the normal throttling action of the turbine control valves with changes in the plant power level, measurement of control valve position is not an appropriate variable for this protective function. The desired variable is rapid loss of the reactor heat sink; consequently, some measurement of control valve closure rate is indicated.

Protection system design practice has discouraged use of rate sensing devices for protective purposes. In this instance, it was determined that detection of hydraulic actuator operation would be a more positive means of determining fast closure of the control valves.

7.2-63 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Loss of hydraulic pressure in the EHC oil lines which initiates fast closure of the control valves is monitored. These measurements provide indication that fast closure of the control valves is imminent.

This measurement is felt to be adequate and a proper variable for the protective function taking into consideration the reliability of the chosen sensors relative to other available sensors and the difficulty in making direct measurements of control-valve fast closure rate.

Since the mode switch is used to connect appropriate trip relays into the RPS logic depending upon the operating state of the reactor, the selection of particular contacts to perform this logic operation is an appropriate means for obtaining the desired function.

Since the intent of the turbine stop valve closure trip and control valve fast closure trip operating bypass is to permit continued reactor operation at low power levels when the turbine stop or control valves are closed, the selection of PRNMS reactor power is an appropriate variable for this bypass function.

Due to the manual action required for scram discharge volume high-water-level trip bypass, this design requirement is satisfied by operator interaction with a single bypass switch and the mode switch.

7.2.2.1.2.3.1.9 Capability for Sensor Checks (IEEE Std. 279-1971, paragraph 4.9)

During reactor operation, the analog display of each of the four redundant sensor channels for the following RPS trip variables may be directly compared:

a. Scram discharge volume high-water-level

b. Reactor vessel low- and high-water-level

c. Drywell high-pressure

d. Reactor vessel high-pressure

e. Turbine stop valve trip fluid pressure (eight sensors)

f. Turbine control valve control fluid pressure 7.2-64 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The scram discharge volume level transmitters and level switches may be tested by operating instrument valves in proper sequence in conjunction with quantities of demineralized water. The test procedure is similar to the calibration procedure for this variable.

During reactor operation, one transmitter of each of these variables may be valved out of service at a time to perform testing under administrative control. For the scram discharge volume high-water-level trip, one transmitter or its redundant level switch may be valved out of service at a time to perform testing under administrative control. During this test, operation of the sensor and the RPS sensor channel may be confirmed. At the conclusion of the test, administrative control must be used to ensure that the sensor has been properly returned to service.

The main steam line isolation valve position switches are tested during valve movements which cause the limit switches to operate at the set point value of the valve position.

The logic of the four MSIV trip logic trips is as follows:

Trip logic A (tripped) = Inboard or outboard valve partially closed in MSL-A, and inboard or outboard valve partially closed in MSL-D B (tripped) = Inboard or outboard valve partially closed in MSL-A, and inboard or outboard valve partially closed in MSL-B C (tripped) = Inboard or outboard valve partially closed in MSL-B, and inboard or outboard valve partially closed in MSL-C D (tripped) = Inboard or outboard valve partially closed in MSL-C, and inboard or outboard valve partially closed in MSL-D For any single valve closure test, two of the eight instrument channels will be placed in a tripped condition, but none of the scram pilot valve solenoids will be tripped, and no RPS annunciation or computer logging will occur. This arrangement permits single valve testing without corresponding tripping of the RPS. The observation that no RPS trips result is a valid and necessary test result.

7.2-65 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

At reduced power levels, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. For example, closure of one valve in main steam line A and another valve in main steam line B, will produce trips in trip logic B and trip system B and should not produce trips in trip logics A, C, or D. These observations are another important test result that confirm proper RPS operation.

In sequence, each possible combination of single valve closure and switch operation is performed to confirm proper operation of all eight instrument channels.

These test results confirm that the valve limit switches operate as the valves are manually closed.

The turbine stop valve trip fluid pressure transmitters are also tested during valve movements which cause the associated trip units to operate at the set point value.

The logic of the four turbine stop valve trip logic trips is as follows:

Trip logic A (tripped) = Turbine stop valve 1 closed, and turbine stop valve 2 closed B (tripped) = Turbine stop valve 1 closed, and turbine stop valve 3 closed C (tripped) = Turbine stop valve 3 closed, and turbine stop valve 4 closed D (tripped) = Turbine stop valve 2 closed, and turbine stop valve 4 closed For any single stop valve closure test, two of the eight instrument channels will be placed in a tripped condition, but none of the trip logics will be tripped, and no RPS annunciation or NSSS computer logging will occur. This arrangement permits single valve testing without corresponding tripping of the RPS, and the observation that no RPS trips result is a valid test result.

For a two stop-valve (1 and 3, 2 and 4, 1 and 2, or 3 and 4) closure test, one trip logic will be tripped, annunciated, and logged by the NSSS computer. Either one of the stop valves in 7.2-66 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) these pairs is closed and the second stop-valve closure is simulated with a test switch. This arrangement permits two-valve testing with corresponding single channel tripping of the RPS, and the observation that a trip result is a valid test result.

At reduced power levels, but greater than 35.4 percent of rated power, two valves may be tested in sequence to produce RPS trips, annunciation of the trips, and computer printout of the trip channel identification. These observations are another important test result that confirm proper RPS operation.

Each possible combination of single valve closure and switch operation is performed in sequence to confirm proper operation of all eight instrument channels.

During reactor operation in the run mode, the IRM detectors are stored below the reactor core in a low flux region. Movement of the detectors into the core will permit the operator to observe the instrument response from the different IRM channels and will confirm that the instrumentation is operable.

In the power range of operation, the individual LPRM detectors will respond to local neutron flux and provide the operator with an indication that these instrument channels are responding properly. The four APRM channels may also be observed to respond to changes in the gross power level of the reactor to confirm their operation.

Each APRM instrument channel may also be calibrated with a simulated signal introduced into the amplifier input and each IRM instrument channel may be calibrated by introducing an external signal source into the amplifier input.

During these tests: proper instrument response may be confirmed by observation of instrument lights in the control room and trip annunciators.

Operation of the mode switch may be verified by the operator during plant operation by performing certain trip relay tests to confirm proper RPS operation. Movement of the mode switch from one position to another is not required for these tests since the connection of appropriate sensors to the RPS logic as well as disconnection of inappropriate sensors may be confirmed from the sensor tests.

7.2-67 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.3.1.10 Capability for Test and Calibration (IEEE Std.

279-1971, paragraph 4.10)

The following RPS trip variables have provisions for sensor test and calibration during reactor operation in compliance with this design requirement:

a. Reactor vessel low- and high-water-level trip

b. Neutron monitoring (APRM) system trip

c. Neutron monitoring (IRM) system trip

d. Drywell high-pressure trip

e. Reactor vessel high-pressure trip

f. Turbine stop valve closure (trip fluid pressure) trip

g. Turbine control valve fast closure (control fluid pressure) trip A test of the scram discharge volume water level sensors (level transmitter or level switch) can be performed during full power operation. At plant shutdown, the level transmitters and level switches may be calibrated by introducing a fixed volume of water into the discharge volume and observing that all level transmitters and level switches respond accordingly.

During plant operation, the operator can confirm that the main steam line isolation valve limit switches and turbine stop valve trip fluid pressure transmitters and associated trip units operate during valve motion, from full open to full closed and vice versa, by comparing the time that the RPS trip occurs with the time that the valve position indicator lights in the control room signal that the valve is fully open and fully closed. These tests do not confirm the exact set points, but do provide the operator with an indication that the RPS sensors operate between the limiting positions of the valve. During reactor shutdown, calibration of the main steam line isolation valve limit switch set point at a valve position of 10 percent closure is possible by physical observation of the valve stem.

7.2-68 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The APRMs are calibrated to reactor power by using a reactor heat balance and the TIP system to establish the relative local flux profile. LPRM gain settings are determined from the local flux profiles measured by the TIP system once the total reactor heat balance has been determined.

The gain-adjustment-factors for the LPRMs are produced as a result of the process computer nuclear calculations involving the reactor heat balance and the TIP flux distributions. These adjustments, when incorporated into the LPRMs permit the nuclear calculations to be completed for the next operating interval and establish the APRM calibration relative to reactor power. The APRM gains are adjusted using the instruments front panel display or accepting the APRM gain calculated from the percent core thermal power (% CTP) downloaded from the Plant Process Computer.

During reactor operation, one manual scram pushbutton may be armed and depressed to test the proper operation of the switch, and once the RPS has been reset, the other switches may be armed and depressed to test their operation one at a time. For each such operation, a control room annunciation will be initiated and the process computer will print the identification of the pertinent trip.

Operation of the reactor system mode switch from one position to another may be employed to confirm certain aspects of the RPS trip logics during periodic test and calibration. During tests of the trip logics, proper operation of the mode switch contacts may be easily verified by noting that certain trip relays are connected into the RPS logic and that any other trip relays are disconnected from the RPS logic in an appropriate manner of the given position of the mode switch.

In the startup and run modes of plant operation, procedures are used to confirm that scram discharge volume high-water-level sensor channels are not bypassed as a result of operating the bypass switch. In the shutdown and refuel modes of plant operation, a similar procedure is used to confirm that all four sensor channels are bypassed. Due to the ON-OFF nature of the bypass function, calibration is not meaningful.

Administrative control must be exercised to place one reactor power trip unit in the calibration mode for the periodic test.

During this test, a variable calibration signal may be introduced 7.2-69 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) to operate the trip unit at the set point value. When the condition for bypass has been achieved on an individual sensor under test, the control room annunciator for this bypass function will be initiated. If the RPS trip logic associated with this sensor had been in its tripped state, the process computer will log the return to the normal state for the RPS trip logic. When the plant is operating above 35.4 percent of rated power, testing of the turbine stop valve and control valve fast closure trip channels will confirm that the bypass function is not in effect.

Operation of the reset switch following a trip of one RPS trip system will confirm that the switch is performing its intended function. Operation of the reset switch following scram will confirm that all portions of the switch and relay logic are functioning properly since half of the control rods are returned to a normal state for one actuation of the switch.

A manual scram switch permits each individual trip logic, trip system, and trip actuator to be tested on a periodic basis.

Testing of each process sensor of the protection system also affords an opportunity to verify proper operation of these components.

7.2.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE Std. 279-1971, paragraph 4.11)

The following RPS trip variable has no provision for channel bypass or removal from service because of the use of valve position limit switches as the channel sensor:

a. Main steam line isolation valve closure trip During periodic test of any one sensor channel, a transmitter may be valved out of service and returned to service under administrative control procedures. Since only one transmitter is valved out of service at any given time during the test interval, protective capability for the following RPS trip variables is maintained through the remaining instrument channels:

b. Turbine stop valve closure trip

c. Scram discharge volume high-water-level trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip 7.2-70 LBDCR 2018-024

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

f. Drywell high-pressure trip

g. Reactor vessel high-pressure trip A sufficient number of IRM channels has been provided to permit any one IRM channel in a given trip system to be manually bypassed and still ensure that the remaining operable IRM channels comply with the IEEE Std. 279-1971 design requirements.

One IRM manual bypass switch has been provided for each RPS trip system. The mechanical characteristics of this switch permit only one of the four IRM channels of that trip system to be by passed at any time. In order to accommodate a single failure of this bypass switch, electrical interlocks have also been incorporated into the bypass logic to prevent bypassing of more than one IRM in that trip system at any time. Consequently, with any IRM bypassed in a given trip system, at least two and generally three IRM channels remain in operation to satisfy the protection system requirements.

The APRM system is designed so that only one APRM channel may be bypassed at any given time. The APRM bypass switch is a five-position, center-locking joystick that mechanically switches four fiber optic signals. The bypass switch is optically isolated.

When the switch is in one of the four bypass positions, light from only one of the four fiber optic signals (corresponding to the switch position) is allowed to pass through the switch. With an APRM channel bypassed, two or more APRM channels out of three will result in a trip output from all four-voter channels. The voter channels cannot be bypassed.

With a single APRM bypassed, sufficient APRM channels remain in operation to provide the necessary protection for the reactor.

The use of four banks of contacts for the mode switch permits any RPS trip logic, which is connected into the mode switch, to be periodically tested in a manner that is independent of the mode switch itself. Consequently, for any stated position of the mode switch, a sufficient number of trip logics will remain operable during the periodic test to fulfill this design requirement.

Movement of the mode switch handle from one position to another will disconnect all redundant channels associated with the former position and will connect all redundant channels pertinent to the latter position. In this manner, the mode switch complies with this design requirement.

7.2-71 LBDCR 2018-024

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Since actuation of one manual scram pushbutton places its RPS trip system in a tripped condition, it is in compliance with this design requirement.

7.2.2.1.2.3.1.12 Operating Bypasses (IEEE Std. 279-1971, paragraph 4.12)

The following RPS trip variables have no provision for an operating bypass (i.e., removal of the protective capability for all channels of the RPS trip variable):

a. Reactor vessel low-water-level trip

b. Deleted

c. Neutron monitoring (APRM) system trip

d. Drywell high-pressure trip

e. Reactor vessel high-pressure trip An operating bypass of the scram discharge volume high-water-level trip is provided in the control room for the operator to bypass the trip outputs in the shutdown and refuel modes of operation. Control of this bypass is achieved through administrative means, and its only purpose is to permit reset of the RPS trip logic followed by scram discharge volume draining.

The bypass is manually initiated and must be manually removed to commence withdrawal of control rods after a reactor shutdown.

An operating bypass is provided for the main steam line isolation valve closure trip. The bypass requires that the reactor system mode switch, which is under the administrative control of the operator, be placed in the shutdown, refuel, or startup position.

The only purpose of this bypass is to permit the reactor protection system to be placed in its normal energized state for operation at low power levels with the main steam line isolation valves not fully open.

For each of these operating bypasses, four independent bypass channels are provided through the mode switch to assure that all of the protection system criteria are satisfied.

An operating bypass of the turbine stop valve and closure and turbine control valve fast closure trips is provided whenever the reactor power is low (below the bypass setpoint). The only purpose 7.2-72 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) of the bypass is to permit the reactor protection system to be placed in its normal energized state for operation at low power levels prior to opening the turbine stop valves.

During normal plant operation above 35.4 percent of rated power, the bypass circuitry is in its passive, de-energized state. At these conditions, removal of the bypass for periodic test is permitted since it has no effect on plant safety. Under low power conditions when the bypass is in affect, one bypass channel may be removed from service at a time without initiating protective action or affecting plant safety. This removal from service is accomplished under administrative control of plant personnel.

There is no operating bypass for the IRM system. However, sensor channel trip logic for the neutron monitoring system changes when the mode switch is placed in the RUN mode.

7.2.2.1.2.3.1.13 Indication of Bypasses (IEEE Std. 279-1971, paragraph 4.13)

The operator must exercise administrative control over the valving out-of-service of one RPS trip variable sensor at a time.

Once a sensor has been removed from service and a simulated test signal has been introduced in excess of the set point, a control room annunciator will indicate the tripped condition and the process computer will provide a typed record of the channel identification.

When any IRM or APRM instrument channel output to the RPS is bypassed, this fact is indicated by lights for each channel located on the main control room panels.

Operating bypasses are annunciated in the control room. The scram discharge volume high-water-level trip operating bypass, the main steam line isolation valve closure trip operating bypass, and the turbine stop and control valve fast-closure trips operating bypass are individually annunciated to the operator.

When the conditions for any single bypass channel are satisfied, the control room operator is notified by means of an annunciator for that particular set of bypass conditions.

7.2-73 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.3.1.14 Access to Means for Bypassing (IEEE Std. 279-1971, paragraph 4.14)

All instrumentation root valves associated with the periodic testing of individual RPS trip variable sensors are under the administrative control of the operator.

Manual bypassing of any IRM or APRM channel is accomplished with control room selector switches under the administrative control of the operator.

Manual keylock switches control the scram discharge volume high-water-level trip operating bypass. The switches are located in the control room and are under the direct administrative control of the operator.

The Reactor Mode Switch controls the operating bypass of the main steam line isolation valve closure trip. The bypass is active whenever the Reactor Mode Switch is in any position other than RUN, i.e., when the switch is in the SHUTDOWN, REFUELOR STARTUP position. An annunciator in the control room alarms when the main steam line isolation valve closure trip is bypassed.

The mode switch is a keylock switch under the administrative control of plant personnel. Since other controls must be operated or other sensors must be in the appropriate state to complete the operating bypass logic, the mode switch itself satisfies this requirement.

Under low power conditions, all four channels of the turbine stop valve closure trip and control valve fast closure trip are bypassed automatically. The bypass setpoint is established to ensure the bypass is automatically removed prior to reactor power exceeding the Analytic Limit (35.4 percent of rated power).

During periodic testing of each bypass channel one sensor will be removed from service under administrative control.

7.2.2.1.2.3.1.15 Multiple Set Points (IEEE Std. 279-1971, paragraph 4.15)

The design requirement is not applicable to the following RPS trip variables because the set point values are fixed and do not vary with other reactor or plant parameters:

a. Scram discharge volume high-water-level trip 7.2-74 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip

f. Deleted

g. Neutron monitoring (APRM) system trip

h. Drywell high-pressure trip

i. Reactor vessel high-pressure trip The trip set point of each IRM channel is established at the 95 percent of full scale mark for each range of IRM operation. The IRM is a linear, half-decade per range instrument. Therefore, as the operator switches an IRM from one range to the next, the trip set point tracks the operator's selection.

In the transition from the startup to the run mode of operation, the reactor system mode switch is used to convert from IRM and APRM protection to APRM protection.

The APRM flow-biased simulated thermal power-high trip setpoint varies as a function of reactor recirculation flow. The APRM Flow-Biased Simulated Thermal Power - High trip function protects the reactor core against slow reactivity transients. The recirculation single-loop operation (SLO) setpoint is more conservative (lower) than the normal two-loop operation (TLO) setpoint. To operate in SLO mode, specific Technical Specification requirements must be met, one of which is to select the reduced setpoint. Because the SLO setpoint is more conservative than the TLO setpoint, operating in the TLO mode with the SLO setpoint selected does not adversely impact safe plant operation.

Each of these multiple set point provisions is a portion of the reactor protection system and complies with the design requirements of IEEE Std. 279-1971.

7.2-75 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Operation of the mode switch from one position to another imposes different RPS channels into the RPS trip logic in accordance with the reactor conditions imposed by the given position of the mode switch. This action does not influence the established set point of any given RPS channel, but merely connects one set of channels as another set is disconnected. Consequently, the mode switch meets this design requirement.

7.2.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE Std. 279-1971, paragraph 4.16)

The sensor output of the following RPS trip variables remains in a tripped state whenever the trip set point is exceeded:

a. Scram discharge volume high-water-level trip.

b. Main steam line isolation valve closure trip.

c. Turbine stop valve closure trip.

d. Turbine control valve fast closure trip.

e. Reactor vessel low- and high-water-level trip.

f. Deleted

g. Neutron monitoring (APRM) system trip.

h. Neutron monitoring (IRM) system trip.

i. Drywell high-pressure trip.

j. Reactor vessel high-pressure trip.

It is only necessary that the process sensors remain in a tripped condition for a sufficient length of time to de-energize the scram contactors and open the seal-in contact of the trip logic associated with the scram contactors. Once this action is accomplished, initiation of reactor scram proceeds regardless of the state of the process sensors that initiated the sequence of events.

Once the manual scram pushbuttons are depressed, it is only necessary to maintain them in that condition until the manual scram contactors have de-energized and open the seal-in contact 7.2-76 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) of the trip logic associated with the scram contactors. At this point, initiation of reactor scram proceeds regardless of the state of the manual scram pushbuttons.

The function of the mode switch is to provide appropriate RPS channels for the RPS trip logic on a steady-state basis for each of four given reactor operating states: shutdown, refuel, startup, and run. Protective action, in terms of the needed transient response, is derived from the other portions of the channels independent of the mode switch. Hence, the mode switch does not influence the completion of protective action in any manner.

The turbine operating bypass is placed into affect only at low reactor power levels as indicated by the Neutron Monitoring System. For plant operation above 35.4% percent rated power, the channels will initiate protective action once the scram contactors have de-energized and opened the seal-in contact associated with the RPS trip logic. Since the required time to open the seal-in contact is of the order of 13 milliseconds, the bypass pressure trip unit relay contacts will not respond quickly enough to prevent completion of the protective action.

The interface of the RPS trip logic and the trip actuators assures that this design requirement is accomplished. The trip actuator is normally energized and is sealed in by one of the power contacts to the trip logic. Once the trip logic has been open-circuited as a result of a sensor channel becoming tripped, the scram contactor seal-in contact opens and completion of protective action is accomplished without regard to the state of the initiating process sensor channel.

Under ordinary circumstances, the process sensor initiating reactor scram will remain in a tripped condition for a significant length of time (i.e., 2 to 10 seconds minimum) and will cause the trip actuators to de-energize and open the seal-in contact in the trip logic. The seal-in contact will be opened in approximately 13 milliseconds after the process sensor channel is placed in the tripped state, and the scram discharge volume high-water-level sensors will be in a tripped state within approximately 2 seconds.

Consequently, the trip system will be commanded to de-energize, (1) as long as the sensor channels remain tripped, or (2) as long as the seal-in contact remains open and is not bypassed by gross failure of the RPS reset switch.

7.2-77 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

As a result, failure of the RPS reset switch in such a manner as to bypass the seal-in contacts of the trip system will not affect reactor shutdown in any manner.

7.2.2.1.2.3.1.17 Manual Actuation (IEEE Std. 279-1971, paragraph 4.17)

Four manual scram pushbutton controls are provided on one control room panel to permit manual initiation of reactor scram at the system level. The four manual scram armed pushbuttons (one in each of the four RPS trip logics) comply with this design requirement.

The logic for the manual scram is one-out-of-two twice. Failure of an automatic RPS function cannot prevent the manual portions of the system from initiating the protective action. The manual scram pushbuttons are implemented into the scram contactor coil circuits in order to minimize the dependence of manual scram capability on other equipment.

Additional back-up to these manual controls is provided by the shutdown position of the reactor system mode switch and by the electrical power controls associated with the RPS MG sets.

No single failure in the manual or automatic portions of the system can prevent either a manual or automatic scram.

7.2.2.1.2.3.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE Std. 279-1971, paragraph 4.18)

During reactor operation, access to set point or calibration controls is not possible for main steam line isolation valve closure trip.

Access to set point adjustments, calibration controls, and test points for the following RPS trip variables is under the administrative control of plant personnel:

a. Scram discharge volume high-water-level trip

b. Turbine stop valve closure trip

c. Turbine control valve fast closure trip

d. Reactor vessel low- and high-water-level trip

e. Deleted 7.2-78 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

f. Neutron monitoring (APRM) system trip

g. Neutron monitoring (IRM) system trip

h. Drywell high-pressure trip

i. Reactor vessel high-pressure trip 7.2.2.1.2.3.9.19 Identification of Protective Actions (IEEE Std.

279-1971 paragraph 4.19)

When any one of the redundant sensors exceeds its set point value for the following RPS trip variables, a control room annunciator is initiated to identify the particular variable:

a. Scram discharge volume high-water-level trip

b. Turbine control valve fast closure trip

c. Reactor vessel low- and high-water-level trip

d. Deleted

e. Neutron monitoring (APRM) system trip

f. Neutron monitoring (IRM) system trip

g. Drywell high-pressure trip

h. Reactor vessel high-pressure trip Identification of the particular sensor channel exceeding its set point is accomplished as a typed record from the process computer or visual observation of the annunciators and/or instrument trip unit.

When any manual scram pushbutton is depressed, a control room annunciation is initiated and a process computer record is produced to identify the tripped RPS trip logic.

Identification of the mode switch in shutdown position scram trip is provided by the manual scram and the process computer trip logic identification printout, and the mode switch in shutdown position annunciator.

7.2-79 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Partial or full closure of any main steam line isolation or turbine stop valve causes a change in the status of position indicator lights in the control room. These indications are not a part of the reactor protection system but they do provide the operator with valid information pertinent to the valve status.

Partial or full closure of one or both valves in a particular set of two main steam lines will activate a control room annunciator when the trip set point has been exceeded. Closure of two or more turbine stop valves will activate a control room annunciator when the trip point has been exceeded. This same condition will permit identification of the tripped sensor channels in the form of a typed record from the process computer or by visual observation of the RPT associated valve indicator lights. See Section 7.6 for the RPT discussion.

Neutron monitoring system annunciators provided in the control room indicate the source of the RPS trip. The process computer provides a typed record of the tripped neutron monitoring system channel as well as identification of individual IRM and APRM channel trips. Each instrument channel, whether IRM or APRM, has control room panel lights indicating the status of the channel for operator convenience.

A control room annunciator and trip logic indicator lights are provided to identify the tripped portions of the RPS in addition to the previously described channel annunciators:

a. A or C trip logics tripped (trip system A)

b. B or D trip logics tripped (trip system B)

These same functions are connected through independent auxiliary contacts of the scram contactors to the process computer through electronic isolators to provide a typed record of the relay operations.

7.2.2.1.2.3.1.20 Information Readout (IEEE Std. 279-1971, paragraph 4.20)

The data presented to the operator for each of the following RPS trip variables complies with this design requirement:

a. Scram discharge volume high-water-level trip 7.2-80 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Main steam line isolation valve closure trip

c. Turbine stop valve closure trip

d. Turbine control valve fast closure trip

e. Reactor vessel low- and high-water-level trip

f. Deleted

g. Neutron monitoring (APRM) system trip

h. Neutron monitoring (IRM) system trip

i. Drywell high-pressure trip

j. Reactor vessel high-pressure trip 7.2.2.1.2.3.1.21 System Repair (IEEE Std. 279-1971 paragraph 4.21)

During periodic testing of the sensor channels for the following RPS trip variables, the operator can determine any defective component and replace it during plant operation:

a. Scram discharge volume high-water-level trip

b. Turbine control valve fast closure trip

c. Reactor vessel low- and high-water-level trip

d. Drywell high-pressure trip

e. Reactor vessel high-pressure trip

f. Turbine stop valve closure trip During reactor operation, the operator will be able to determine failed sensors for the following RPS trip variables, but subsequent repair can only be accomplished during reactor shutdown:

a. Main steam line isolation valve closure trip

b. Deleted

c. Neutron monitoring (APRM) system trip 7.2-81 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Neutron monitoring (IRM) system trip During power operation, it may be necessary to reduce power in order to close valves in more than one main steam line. With this arrangement, a sequence of valve tests will permit the operator to fully determine a defective component, or isolate the difficulty to one of two limit switches in a given main steam line.

Replacement of IRM and LPRM detectors must be accomplished during plant shutdown. Repair of the remaining portions of the neutron monitoring system may be accomplished during plant operation by appropriate bypassing of the defective instrument channel. The design of the system facilitates rapid diagnosis and repair.

7.2.2.1.2.3.1.22 Identification of Protection System (IEEE Std.

279-1971, paragraph 4.22)

Each system cabinet is marked with the words Reactor Protection System and the particular redundant portion is listed on a distinctively colored marker plate. Cabling outside the cabinets is identified specifically as reactor protection system wiring.

The identification scheme used to distinguish between redundant cables and cable trays is discussed in subsection 8.3.1.3.

Redundant racks are identified by the identification marker plates of instruments on the racks. Control room panels are identified by tags on the panels, which identify and indicate the function of the contained logic channels.

7.2.2.1.2.3.2 Deleted 7.2.2.1.2.3.3 IEEE Std. 317 - 1972/1983 All electrical penetration assemblies used for Class IE and non-Class IE circuits are designed to withstand, without loss of containment integrity, the maximum postulated overcurrent vs time conditions, assuming a single failure of the circuit primary overcurrent protection apparatus. (Note: IEEE 317-1983 applies only to fiber optic penetration assemblies.)

Conformance to IEEE Std. 317-1972/1983 is discussed in subsection 8.3.1.2.3.g.

7.2-82 Revision 2020-009

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.2.3.4 IEEE Std. 323 - 1971 General guide for qualifying Class IE electric equipment - is satisfied by complete qualification testing and certification of all essential components. Records covering all essential components are maintained.

7.2.2.1.2.3.5 IEEE Std. 336 - 1971 The operating license stage quality assurance program is discussed in Chapter 17.

7.2.2.1.2.3.6 IEEE Std. 338 - 1971 Periodic testing of protection systems is complied with by being able to test the reactor protection system from sensors to final actuators at any time during plant operation. The test must be performed in overlapping portions.

7.2.2.1.2.3.7 IEEE Std. 344 - 1971/1975 Seismic qualification of Class IE electric equipment -

requirements are satisfied by all Class I RPS equipment as described in Section 3.10. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975. Qualification during the plant operating license stage is in accordance with IEEE 344-1975.

7.2.2.1.2.3.8 IEEE Std. 379 - 1972 Application of the single-failure criterion to nuclear power generating station protection systems - requirements are satisfied by consideration of the different types of failure and carefully designing all potential violations of the single-failure criterion out of the system.

7.2.2.1.2.3.9 IEEE Std. 384 - 1974 This standard requires that instrumentation be located in separate cabinets or compartments of a cabinet. Subsection 7.2.1.1.4.7 discusses physical and electrical separation of components and instrumentation in panels associated with the reactor protection system. The separation provided meets the requirements of IEEE Std. 384-1974, Section 5.7.

7.2-83 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Additionally, the standard requires that redundant sensors and their connections to the process system be sufficiently separated to assure that functional capability of the protection system will be maintained despite any single design basis event or resulting effect.

The effects on sensor and sensing lines as a result of design basis events are discussed in subsection 7.2.1.2.8. Redundant pressure taps are located at widely divergent points around the reactor vessel. The sensing lines are routed to the sensors through separate penetrations in the primary containment.

Redundant sensors are located on separated racks outside the primary containment. The location and routing of sensors, sensing lines, and pressure taps meet the requirements of IEEE Std. 384-1974, Section 5.8.

The discussion of compliance with the separation requirements of IEEE Std. 384-1974 for Class IE power supplies for the RPS is provided in Chapter 8.0.

7.2.2.1.2.4 Conformance to NRC Branch Technical Positions 7.2.2.1.2.4.1 Branch Technical Position EICSB 10 Seismic qualification requirements of all Class IE RPS equipment are satisfied as described in Section 3.10.

7.2.2.1.2.4.2 Branch Technical Position EICSB 21 Bypassed and inoperable status indication is discussed in subsection 7.1.5.3.

7.2.2.1.2.4.3 Branch Technical Position EICSB 22 The system is designed so that during plant operation it may be tested from sensor device to final actuator device. The test must be performed in overlapping portions so that an actual reactor scram will not occur as a result of the testing. There is no actuated equipment in the system which is not tested during plant operation.

7.2.2.1.2.4.4 Branch Technical Position EICSB 26 Anticipating or backup trips for the system do comply with the requirements of IEEE Std. 279-1971 as discussed in subsection 7.2.2.1.2.3.1.

7.2-84 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2.2.1.3 Additional Design Considerations Analyses 7.2.2.1.3.1 Spurious Rod Withdrawals Spurious control rod removal will not normally cause a scram. A control rod withdrawal block may occur, however. Rod block was discussed in subsection 7.7.1.2.3.2.3 and is still not part of the RPS. A scram will occur, however, if the spurious control rod withdrawal causes the average flux to exceed the trip set point.

7.2.2.1.3.2 Loss of Plant Instrument Air System Loss of plant instrument air will cause the control rods to drift in, resulting in a scram.

7.2.2.1.3.3 Loss of Cooling Water to Vital Equipment There is no loss of cooling water which will affect the RPS.

7.2.2.1.3.4 Plant Load Rejection Electrical grid disturbances could cause a significant loss of load which would initiate a turbine-generator overspeed trip or control valves fast closure, resulting in a reactor scram. The reactor scram occurs to anticipate an increase in reactor vessel pressure due to shutting off the path of steam flow to the turbine. Any additional increase in pressure will be prevented by the safety/relief valves which will open to relieve reactor pressure and close as pressure is reduced. The reactor core isolation cooling (RCIC) or high-pressure core spray (HPCS) systems will automatically actuate and provide vessel makeup water if required.

The fuel temperature or pressure boundary thermal-hydraulic limits are not exceeded during this event as described in Chapter 15, Accident Analysis.

7.2.2.1.3.5 Turbine Trip Initiation of turbine trip by the turbine system depressurizes the trip fluid pressure and closes the turbine stop valves, initiating a reactor scram. The reactor scram anticipates an increase in reactor pressure due to turbine stop valve closure.

Any additional increase in reactor vessel pressure will be prevented by the safety/relief valves which will open to relieve 7.2-85 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) reactor vessel pressure and close as pressure is reduced. The RCIC and HPCS will automatically actuate and provide vessel makeup water if low water level occurs.

Initiation of turbine trip by loss of condenser vacuum causes closure of the turbine stop valves, initiating a reactor scram.

The fuel temperature or pressure boundary thermal-hydraulic limits are not exceeded during these events as described in Chapter 15, Accident Analysis.

7.2.3 References

1. GNRI-2019/00030, Grand Gulf Nuclear Station, Unit 1 - Issuance of Amendment to Modify the Updated Safety Analysis Report to Replace First Stage Pressure Signals with Power Range Neutron Monitoring System Signals (EPID L-2018-LLA-0072), March 12, 2019 [Amendment No. 217]

7.2-86 LBDCR 2018-076

TABLE 7.2-1: REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Sensor Channels Plant Variable Instrument Range(1) Provided (2)

Reactor vessel high Pressure transmitter 0 to 1500 psig 4 Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION pressure Drywell high pressure Pressure transmitter 0 to 5 psig 4 Reactor vessel low water Level transmitter (3) -160/0/60" HO 4 level Scram discharge volume Level transmitter 0 to 150" HO 4 high water level Scram discharge volume Level switch N/A 4 7.2-87 high water level Turbine stop valve Pressure transmitter 0-3000 psig 8 closure Turbine control valve Pressure transmitter 0-3000 psig 4 fast closure Main steam line Position switch 90% open to 8 isolation valve closure fully open APRM high flux trip Neutron monitor 0-125% Power 4 LBDCR 2018-114 (fixed)

APRM high flux trip Neutron monitor 0-125% Power 4 (thermal power)

TABLE 7.2-1 REACTOR PROTECTION SYSTEM INSTRUMENTATION SPECIFICATIONS (Continued)

Sensor Channels Bypass Function Instrument Range(1) Provided (2)

Reactor vessel high Level transmitter (3) -160/0/60" HO 4 Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION water level Scram discharge volume Manual switch N/A 4 high water level trip bypass Turbine stop valve Reactor power (4) 0 to 125% 4 and control valve fast Power closure trip bypass Main steam line Manual switch N/A 4 7.2-88 isolation valve trip bypass (1) See Technical Specifications/Technical Requirements Manual (TRM) for operational limits, levels requiring protective action, accuracy, trip settings, margin between operational limits, and response time requirements.

(2) See Technical Specifications/Technical Requirements Manual (TRM) for the minimum number of channels required.

(3) A common level transmitter is used for both high and low reactor vessel trips -

LBDCR 2019-021 separate trip units monitor the common level signal.

(4) Reactor power signals derived from the Power Range Neutron Monitoring System.

(5) This is a mechanical setting and can be adjusted over the full range, 90% to 100%.

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.2-2: DELETED 7.2-89 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.2-3: DELETED 7.2-90 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.2-4: DELETED 7.2-91 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.2-5: DELETED 7.2-92 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.2-6: DELETED 7.2-93 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.2-7: REACTOR MODE SWITCH RPS FUNCTION BYPASSES AND INTERLOCKS Startup &

Trip Function Shutdown Refuel Hot Standby Run Mode switch in scram bypass bypass bypass Shutdown(1)

IRM, neutron flux(2) oper oper oper bypass APRM, 15% flux(2) oper oper oper -

APRM, high flux (flow N/A(4) N/A N/A N/A biased)(3)

APRM, high flux fixed(3) - - - oper Reactor vessel high N/A N/A N/A N/A pressure Reactor vessel high bypass bypass bypass oper level MSIV closure bypass bypass bypass oper Drywell high pressure N/A N/A N/A N/A Scram discharge volume bypass bypass oper oper high water level(5)

Turbine stop valve N/A N/A N/A N/A closure Turbine control valve N/A N/A N/A N/A fast closure Interlocks Refueling Interlocks oper - - -

Rod Block Trips (5) - oper oper oper MSIV trip on Turbine bypass bypass bypass oper Inlet-low pressure Suppression Pool oper bypass - oper Make-up(6) 7.2-94 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

NOTES:

1. Placing the mode switch in SHUTDOWN initiates the scram by de-energizing the logic device for manual scram, but energizes the time-delay device that removes the trip signal after a short delay.

2. Normal range of operation is approximately 10% rated power. See Table 7.2-4.

3. Normal range of operation is 10 to 100% rated power. See Table 7.2-4.

4. Functions marked N/A are not affected by mode switch position.

5. Interlocks with Rod Block Trips, including scram discharge volume high, are discussed in subsection 7.7.1.2.3.2.

6. Refer to subsection 7.3.1.1.9.

7.2-95 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-96 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-97 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-98 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-99 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-100 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-101 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-102 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-103 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-104 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-105 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-106 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-107 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-108 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-109 LBDCR 2014-003

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.2-110 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3 ENGINEERED SAFETY FEATURE SYSTEMS 7.3.1 Description This section will examine and discuss the instrumentation and controls of the following plant engineered safety features (ESF) and essential auxiliary supporting (EAS) systems:

ESF Systems

a. Emergency Core Cooling Systems (ECCS)

(1)High Pressure Core Spray (HPCS)

(2)Automatic Depressurization System (ADS)

(3)Low Pressure Core Spray (LPCS)

(4)Low Pressure Core Injection (LPCI) mode of RHR

b. Containment and Reactor Vessel Isolation Control Systems (CRVICS)

c. Main Steam Line Isolation Valve Leakage Control System (MSIV-LCS)

d. RHR/Containment Spray System

e. Combustible Gas Control System (CGCS)

f. Feedwater Leakage Control System (FWLC)

g. Standby Gas Treatment System (SGTS)

h. Suppression Pool Makeup System

i. Control Room Atmospheric Control and Isolation System EAS System

a. Standby Service Water System (SSW) 7.3-1 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1 System Description 7.3.1.1.1 Emergency Core Cooling Systems (ECCS) -

Instrumentation and Controls 7.3.1.1.1.1 Network Identification The emergency core cooling system includes the following subsystems:

a. High-pressure core spray (HPCS) system

b. Automatic depressurization (ADS) system

c. Low-pressure core spray (LPCS) system

d. Low-pressure coolant injection (LPCI) mode of the residual heat removal system (RHR)

The purpose of ECCS instrumentation and controls is to initiate appropriate responses from the system to ensure that the fuel is adequately cooled in the event of a design basis reactor accident or transient. The cooling provided by the system restricts the release of radioactive materials from the fuel by preventing or limiting the extent of fuel damage following situations in which reactor coolant is lost from the nuclear system.

The emergency core cooling systems instrumentation detects a need for core cooling systems operation, and the trip systems initiate the appropriate response.

Successful core cooling for a specified line break accident is depicted in Figure 7.3-1. For small line breaks:

a. The depressurization phase is accomplished by HPCS, ADS A, or ADS B.

b. The low-pressure core cooling phase is accomplished by LPCS, and any two RHR pumps, or HPCS.

Similarly, the large break model uses the LPCS, HPCS, or the three RHR pumps for successful core cooling.

7.3-2 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Also included in this section is a discussion of protective considerations which are taken between the high-pressure reactor coolant system and the low-pressure ECCS system. The high-pressure/low-pressure interlocks are examined in subsection 7.6.1.3.

7.3.1.1.1.2 Network Power Sources The instrumentation and controls of the ECCS network system are powered by the 125 V dc and 120 V ac systems. The redundancy and separation of these systems are consistent with the redundancy and separation of the ECCS functional requirements. The power sources for the ECCS network systems are described in detail in Chapter 8.

7.3.1.1.1.3 High-Pressure Core Spray (HPCS) System Instrumentation and Controls 7.3.1.1.1.3.1 System Identification The control and instrumentation components for the high-pressure core spray (HPCS) system except process sensors are located outside the containment. Pressure and level transmitters used for HPCS initiation are located on racks inside the containment, but outside the drywell. Cables connect the sensors to control circuitry in the relay logic cabinet. The system is arranged to allow a full-flow functional test during normal reactor power operation.

The piping and instrumentation diagram is shown in Figure 6.3-1, and the electrical one-line diagram is shown in Figure 8.3-12.

7.3.1.1.1.3.2 Equipment Design The high pressure core spray system operates as an isolated system independent of electrical connections to any other system except the normal ac power supply. The HPCS system is designed to operate from normal offsite auxiliary power sources or from the Division 3 diesel generator if offsite power is not available.

7.3.1.1.1.3.3 Initiating Circuits Reactor vessel low water level is monitored by four level transmitters that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each level transmitter 7.3-3 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) provides an input to a trip unit. Cables from the level transmitters lead to the control room. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two twice arrangement to assure that no single event can prevent the initiation of the HPCS due to reactor vessel low water level. In order to minimize inadvertent system actuations due to level instrument power loss and restoration, a time delay feature allows for stabilization of the level transmitters loop output to the corresponding trip units. This time delay feature (located in control room panels) does not impact system operation upon receipt of a true reactor vessel low water level signal, and failure of the time delay feature is automatically monitored and annunciated in the control room. The initiation logic for HPCS sensors is shown in Figure 7.3-3.

Drywell pressure is monitored by four pressure transmitters.

Sensing lines that terminate outside the drywell allow the transmitters to communicate with the drywell interior. Cables are routed from the transmitters to the relay cabinets. Each drywell high pressure channel provides an input into the trip logic shown in Figure 7.3-3. The outputs of the trip units are connected to relays whose contacts are electrically connected to a one-out-of-two twice circuit so that no single event can affect high drywell pressure initiation of the HPCS.

The HPCS initiating logic automatically starts the HPCS diesel engine/generator set on receipt of a reactor vessel low water level signal or drywell high pressure signal. The system reaches its design flow rate within 32 seconds. Makeup water is discharged to the reactor vessel until the reactor high water level is reached. The HPCS then automatically stops flow by closing the injection valve. The controls are arranged to allow automatic or manual operation. The HPCS diesel engine/ generator is controlled as shown in the HPCS FCD (see Section 1.7). The HPCS diesel generator provides power to the HPCS pump motor and the HPCS motor-operated valves if normal auxiliary power is lost.

When at low reactor pressure (at or below 600 psig) an artificially high-water level (Level 8) trip may result in the closing of the HPCS injection valve thus causing HPCS isolation when the actual vessel level is below the high-water level setpoint. This condition results in the high drywell pressure and manual initiation signals to the HPCS injection valve being inhibited. The isolation logic may be manually reset once the indicated vessel level drops below the high-water level setpoint 7.3-4 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) or it will reset automatically when the indicated vessel level reaches the low-water level (Level 2). At this level the HPCS initiation logic is actuated.

Two ac operated pump suction valves are provided in the HPCS. One valve lines up pump suction from the condensate storage tank, the other from the suppression pool. The control arrangement is shown in the HPCS FCD (see Section 1.7). Reactor grade water in the condensate storage tank is the preferred source. On receipt of an HPCS initiation signal, the condensate storage tank suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from suppression pool valve is open. If the water level in the condensate storage tank falls below a preselected level, first the suppression pool suction valve automatically opens, and then the condensate storage tank suction valve automatically closes. Two level transmitters are used to detect low water level in the condensate storage tank.

Either transmitter and associated trip unit can cause the suppression pool suction valve to open and the condensate storage valve to close. The suppression pool suction valve also automatically opens if high water level is detected in the suppression pool. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other closes.

7.3.1.1.1.3.4 Logic and Sequencing Either reactor vessel low water level or high drywell pressure automatically starts the HPCS as indicated in Figure 7.3-3. In certain situations the high drywell pressure signal may be inhibited as discussed in Subsection 7.3.1.1.1.3.3.

Two reactor vessel low water level trip settings are used to initiate the ECCS. The first low water level setting initiates the HPCS. The second low water level setting initiates the LPCI, LPCS, and ADS. This setting also closes the main steam line isolation valves (see subsection 7.3.1.1.2).

The reactor vessel low water level setting for HPCS initiation is selected high enough to prevent excessive fuel cladding temperature and fuel failure, but low enough to avoid spurious HPCS startups. The drywell high-pressure setting is selected to be as low as possible without inducing spurious HPCS startup.

7.3-5 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The HPCS system can be reset if reactor water level has been restored even if the high drywell pressure condition persists.

The HPCS pump can then be stopped and the injection valves closed.

Automatic restart will occur if the low water level condition returns.

7.3.1.1.1.3.5 Bypasses and Interlocks The HPCS pump motor and injection valve are provided with manual override controls which permit the operator manual control of the system following a LOCA.

During test operation, the HPCS pump discharge can be routed to the condensate storage tank or suppression pool. Motor-operated valves are installed in the test lines. The piping arrangement is shown in Figure 6.3-1. The control scheme for the valves is shown in the HPCS FCD (see Section 1.7). On receipt of an HPCS initiation signal, the valves in the two test lines close and remain closed. The valves in the test line to the condensate storage tank are interlocked closed, if the suppression pool suction valve is not fully closed, to maintain the quantity of water in the suppression pool.

The HPCS pump motor has permissive devices in the final actuation control circuitry. The HPCS pump motor starts when there is an automatic start signal. The only interlock for this pump to start is the voltage availability signal in the HPCS bus. In the event of an automatic initiation signal, the pump motor circuit breaker is not permitted to close unless the voltage on the pump motor supply bus is above the set point of undervoltage sensing coils.

Redundant sensing coils are provided to ensure that the failure of a single sensing coil will not prevent the closure of the pump motor circuit breaker. Redundant undervoltage relays are provided in the closing circuit of the pump motor circuit breaker so that the failure of one undervoltage relay will not prevent closure of the circuit breaker. Diversity is not required.

7.3.1.1.1.3.6 Redundancy and Diversity The HPCS is actuated by reactor vessel low water level or drywell high pressure. Both of these conditions will result from a design basis loss-of-coolant accident. In certain situations the high drywell pressure signal may be inhibited as discussed in Subsection 7.3.1.1.1.3.3.

7.3-6 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The HPCS system logic requires two independent reactor vessel water level measurements to concurrently indicate the high water level condition. When the high water level condition is reached following HPCS operation, the high water level signal closes the injection valve and thus terminates further injection by the HPCS until such time as the low water level initiation set point is reached. This prevents undesirable spillover of water into the main steam lines. Should the low water level condition reoccur, the injection valve will reopen to restore water level within the reactor.

One of the two transmitters used to sense high level is located in the Division 3 area of the containment and is tied to the Division 3 instrument line. The other transmitter is located in the Division 4 area of the containment and is tied to the Division 4 instrument line. Since two-out-of-two logic is required to close the injection valve, this ensures that a single instrument line or sensor failure cannot inadvertently abort the HPCS function. Both the sensors are electrically powered from Division 3 so that Division 4 power is not required to support the high level trip.

The transmitter and its cabling located in mechanical Division 4 are enclosed within metal barriers to preserve separation for the Division 3 power.

7.3.1.1.1.3.7 Actuated Devices All automatic valves in the HPCS system are equipped with remote-manual test capability. The entire system can be manually operated from the control room. In certain situations manual initiation may be inhibited as discussed in Subsection 7.3.1.1.1.3.3. Motor-operated valves are provided with limit switches to turn off the motor when the full open or closed positions are reached. When valves are seating, valve motor forces are controlled by either torque switches or limit switches.

The HPCS valves must allow design flow rate within 32 seconds from receipt of the initiation signal.

An ac motor-operated pump discharge valve is provided in the pump discharge pipeline. The control scheme for this valve is shown in the HPCS FCD (see Section 1.7). The valve opens on receipt of the HPCS initiation signal. The pump discharge valve closes automatically on receipt of a reactor high water level signal.

7.3-7 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.3.8 Separation 7.3.1.1.1.3.8.1 General Separation within the emergency core cooling system is such that no single occurrence can prevent core cooling when required.

Control and instrumentation equipment wiring is segregated into three separate divisions designated 1, 2, and 3 (Figure 7.3-4).

Similar separation requirements are also maintained for the control and motive power required. System separation is as follows:

Division 1 Division 2 Division 3 Low-pressure core RHR B and C High-pressure core spray and RHR A spray ADS A ADS B Systems shown opposite each other are considered a backup to the other. Control logic for all division 1 systems is powered by 125 V dc bus A and for division 2 systems is 125 V dc bus B. HPCS logic is powered by 125 V dc bus C.

7.3.1.1.1.3.8.2 Specific HPCS is a division 3 system (Figure 7.3-4). In order to maintain the required separation, HPCS logic relays, cabling, manual controls and instrumentation are mounted so that separation from divisions 1 and 2 is maintained.

7.3.1.1.1.3.9 Testability The high-pressure core spray instrumentation and control system is capable of being tested during normal unit operation to verify the operability of each system component. Testing of the initiation transmitters which are located outside the drywell is accomplished by valving out each transmitter, one at a time, and applying a test pressure source. This verifies the operability of the transmitters, as well as the calibration range. Trip units located in the control room are calibrated individually by a calibration source with verification of set points by a digital readout located on the calibration module.

Adequate control room indications are provided. Testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in 7.3-8 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) conjunction with single trip unit tests. Availability of other control equipment is verified during manual testing of the system with the pump discharge returning to the condensate storage tank.

While the plant is at power, water is not injected into the reactor vessel by the high pressure core spray system during periodic testing.

7.3.1.1.1.3.10 Environmental Considerations The only HPCS control components located inside the drywell are the control mechanism for the testable check valve on the HPCS pump discharge line and the Reactor level sensing lines and condensate pots. All other HPCS control and instrumentation equipment is located outside the drywell and is selected to meet the environmental considerations listed in Tables 3.11-1 and 3.11-3.

The level transmitters, sensing lines, and process taps used to detect low water level in the condensate storage tank are physically located inside the auxiliary building and thus are protected from the effects of cold weather. As indicated in Table 3.11-1 (Note 2), the minimum temperature inside the auxiliary building will be 65 F.

7.3.1.1.1.3.11 Operational Considerations 7.3.1.1.1.3.11.1 General Information Under abnormal or accident conditions where the system is required, initiation and control are provided automatically for at least 10 minutes. After that time, operator action may be required.

7.3.1.1.1.3.11.2 Operator Information A leak detection system was provided with the intent of continuously confirming the integrity of the injection piping between the inside of the reactor vessel and the core shroud. It has been determined that the system is only capable of detecting gross failures (double ended break and separation) at or near rated power/flow conditions. Since GGNS operating strategies typically dictate operation at reduced core flows, the instrumentation provides limited useful information. The ineffectiveness of the ECCS line break instrumentation is not a concern because a failure of the GGNS injection piping is not considered credible.

7.3-9 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

GGNS has committed to follow the reactor internals management plan outlined in EPRI Report TR-105707, October 1995, BWR Vessel and Internals Project, Safety Assessment of BWR Reactor Internals (BWRVIP-60). This program includes frequent inspections of the ECCS in-vessel piping. Subsequent to NRC review and approval of the EPRI program, the NSSS vendor performed a detailed flaw evaluation consisting of stress and load limit analyses for the internal core spray piping. This evaluation demonstrated that core spray piping stresses are low and corresponding crack growth rates are low. Based on this evaluation and the frequent inspections prescribed by the BWRVIP inspection methodology, the continued integrity of the ECCS in-vessel piping is assured.

The instrumentation provides limited useful information. The ineffectiveness of the ECCS line break instrumentation is not a concern because a failure of the GGNS injection piping is not considered credible.

GGNS has committed to follow the reactor internals management plan outlined in EPRI Report TR-105707, October 1995, BWR Vessel and Internals Project, Safety Assessment of BWR Reactor Internals (BWRVIP-06). This program includes frequent inspections of the ECCS in-vessel piping. Subsequent to NRC review and approval of the EPRI program, the NSSS vendor performed a detailed flaw evaluation consisting of stress and load limit analyses for the internal core spray piping. This evaluation demonstrated that core spray piping stresses are low and corresponding crack growth rates are low. Based on this evaluation and the frequent inspections prescribed by the BWRVIP inspection methodology, the continued integrity of the ECCS in-vessel piping is assured.

Pressure in the HPCS pump suction line is monitored by a pressure transmitter that is locally mounted to permit determination of suction head and pump performance. Numerous indications pertinent to the operation and condition of the HPCS system are available to the operator in the control room, as shown in Figure 6.3-1 and the HPCS FCD (see Section 1.7).

7.3.1.1.1.3.11.3 Set Points Refer to Table 7.3-2 for safety set points.

7.3-10 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.4 Automatic Depressurization System (ADS)-

Instrumentation and Controls 7.3.1.1.1.4.1 System Identification The Automatic Depressurization System (ADS) provides automatic reactor pressure vessel (RPV) depressurization after a Loss of Coolant Accident (LOCA) if the High Pressure Core Spray System (HPCS) fails. In the event of a small line break in the reactor coolant system, ADS depressurizes the RPV allowing the Low Pressure Emergency Core Cooling Systems to flood the core and prevent excessive fuel cladding damage resulting from fuel overheating.

The ADS functions as a backup to the operation of the HPCS through the automatic operation of selected safety/relief valves (SRV) installed on the main steam lines inside the drywell. For transient or accident events initiated by a line break inside the drywell or outside the drywell, including stuck open SRVs, the ADS depressurizes the RPV allowing the ECCS low pressure systems to flood the core and prevent excessive fuel cladding damage resulting from overheating. The containment suppression pool provides a heat sink for the steam relieved by the ADS/SRV operation.

The SRVs may be opened in two different modes. In the relief mode the valves are opened by an external pneumatic piston which can be actuated by signals from either the ADS initiation logic or from Nuclear Boiler pressure sensors. In the safety mode the valves are opened by steam pressure overcoming the spring force which holds the valve disc shut. The relief mode pressure actuation setpoint is lower than that of the safety mode. Manual handswitches can also open their respective valves in the relief mode.

7.3.1.1.1.4.2 Equipment Design The automatic depressurization system consists of redundant pressure and water level channels arranged in separated trip systems that control separate solenoid-operated air pilot valves on each SRV. These pilot valves control the pneumatic pressure applied to an air cylinder operator. The air cylinder operator controls the safety/relief valve. An accumulator is included with the control equipment to store pneumatic energy for relief valve operation.

7.3-11 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The accumulator can operate the safety/relief valve two times at 70 percent of drywell design pressure [16.6 psig (31.3 psia)]

following failure of the pneumatic supply to the accumulator. For the worst case of five valves (including one low-low set valve) on one division, the pneumatic system is capable under post accident conditions of providing two actuations for each ADS valve and then holding the ADS valves open for at least 3.5 days. Cables from the sensors lead to two separate relay logic cabinets where the redundant logics are formed. Station ESF batteries power the electrical control circuitry. The power supplies for the redundant control channels are separated to limit the effects of electrical failures. Electrical elements in the control system energize to cause the relief valves to open.

7.3.1.1.1.4.3 Initiating Circuits Two ADS trip systems are provided, ADS A and ADS B (see Figure 7.3-2). Division 1 sensors for low reactor water level and high drywell pressure initiate ADS A, and division 2 sensors initiate ADS B. The relays of one trip system are mounted in a different cabinet than the relays of the other trip system.

The reactor vessel low water level initiation setting for the ADS is selected to depressurize the reactor vessel in time to allow adequate cooling of the fuel by the LPCI or LPCS system following a loss-of-coolant accident in which the HPCS fails to perform its function adequately. The drywell high pressure setting is selected as low as possible without inducing spurious initiation of the automatic depressurization system. This provides timely depressurization of the reactor vessel if the HPCS fails to start, or fails after it successfully starts, following a loss-of-coolant accident.

The low-pressure pump discharge pressure setting used as a permissive for depressurization is selected to assure that at least one of the three LPCI pumps, or the LPCS pump, has received electrical power, has started, and is capable of delivering water into the vessel. The setting is high enough to assure that the pump will deliver at near rated flow without being so low as to provide an erroneous signal that the pump is actually running.

The pressure and level transmitters used to initiate one ADS trip system are separated from those used to initiate the other trip system on the same ADS valve. Reactor vessel low water level is detected by six transmitters that measure differential pressure.

7.3-12 LBDCR 2008-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Drywell high pressure is detected by four pressure transmitters which are located in the containment. The level instruments are piped so that an instrument pipeline break will not inadvertently initiate auto blowdown.

The initiating circuits for the ADS provide automatic depressurization of the RPV. For events which pressurize the drywell, the ADS is actuated automatically upon coincident signals of low RPV water levels (Levels 1 and 3) and high drywell pressure. The coincident signals activate a initiation time delay (105 sec. max setting per TRM) which is used in each ADS trip logic. The time delay setting before actuation of the ADS is long enough that the HPCS has time to operate, yet not so long that the LPCI and LPCS systems are unable to adequately cool the fuel if the HPCS fails to start. An alarm in the control room is annunciated when either of the timers is timing.

In addition, for events which do not pressurize the drywell, the ADS logic provides a bypass of the high drywell pressure. The bypass is accomplished by providing a nominal 9 minute bypass time delay actuated on the RPV Level 1 signal. The high drywell pressure bypass logic does not affect the ADS initiation logic for events which pressurize the drywell.

A manual inhibit switch is provided to allow the operator to inhibit ADS operation without repeatedly pressing the reset pushbutton. One manual switch is provided for each division. Each switch will activate an annunciator window to alert the operator of the inhibit action. The site specific emergency operating procedures provide the operator guidance for inhibiting the operation of the ADS initiation logic when conditions exist that are outside the ADS system design bases. The pressure relief function, the manual initiation of ADS, or the individual safety relief valve control, will not be affected by operation of the manual inhibit switch.

7.3.1.1.1.4.4 Logic and Sequencing

[HISTORICAL INFORMATION] [Three initiation signals are used for the ADS: reactor vessel low water level, drywell high pressure, and confirmed reactor vessel low water level. Either of two logic paths will initiate ADS:

7.3-13 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. Coincident low water level, a second (lower) low level (Level 1), the high drywell pressure bypass timer time delay exceeded, the second "ADS" timer time delay exceeded, and an ECCS pump running or

2. Coincident low water level, a second (lower) low water level (Level 1), high drywell pressure, the ADS timer time delay exceeded and an ECCS pump running.]

Reactor vessel low water level indicates that the fuel is in danger of becoming uncovered. The second (lower) low water level initiates the ADS. Drywell high pressure indicates a breach in the reactor coolant pressure boundary inside the drywell.

A permissive signal indicating LPCI or LPCS pump discharge pressure is also provided. Discharge pressure on any one of the three LPCI pumps or the LPCS pump is sufficient to give the permissive signal which permits automatic depressurization when the LPCI or LPCS systems are operable.

After receipt of the initiation signals and after a delay provided by timers, each of the two solenoid pilot air valves are energized. This allows pneumatic pressure from the accumulator to act on the air cylinder operator. The air cylinder operator holds the relief valve open. Lights in the control room indicate when the solenoid-operated pilot valves are energized to open a safety relief valve.

The ADS A trip system actuates the A solenoid pilot valve on each ADS valve. Similarly, the ADS B trip system actuates the B solenoid pilot valve on each ADS valve. Actuation of either solenoid-pilot valve causes the ADS valve to open to provide depressurization.

Manual reset circuits are provided for the ADS initiation signal.

By manually resetting the initiation signal, the delay timers are recycled. The operator can use the reset push buttons to delay automatic opening of the relief valves if such delay is prudent.

Manual inhibit switches are provided which prevent automatic ADS actuation, but do not inhibit the pressure relief function, manual initiation of ADS, or individual SRV control.

Two control switches are available in the control room for each safety/relief valve associated with the ADS. Each switch is associated with one of the two solenoid pilot valves and maintains 7.3-14 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) the maximum electrical separation consistent with the required operability. The switch on the division 1 (ESF Battery A) circuits is a three-position type OFF-AUTO-OPEN. The OPEN position is for manual safety/relief valve operation. The division 2 (ESF Battery B) switch may also be used for manual operation and has three positions, OFF-AUTO-OPEN. Manual opening of the relief valves provides a controlled nuclear system cool-down under conditions where the normal heat sink is not available.

7.3.1.1.1.4.5 Bypasses and Interlocks The operator can manually inhibit or manually delay the depressurization action by the manual inhibit switches or the manual reset push buttons, respectively. The manual inhibit switch prevents automatic ADS actuation but does not inhibit the pressure relief function, manual initiation of ADS, or individual SRV control. The manual reset switches reset both time delay logics and prevent depressurization for at least the time required to exceed the ADS initiation timer delay. The operator would make the decision to reset based on an assessment of other plant conditions.

ADS is interlocked with the LPCS and LPCI by means of pressure sensors located on the discharge of the LPCS and LPCI pumps.

These are the "low pressure ECCS pumps running" interlocks.

Although these interlocks are common to automatic and manual ADS initiation circuits, the independence of manual and automatic initiation is not compromised because each of the logics is duplicated (ADS A and ADS B), and for a failure of the ADS to occur both these interlocks would have to fail. At least one of the three LPCI pumps or the LPCS pump must be capable of delivering water into the vessel.

7.3.1.1.1.4.6 Redundancy and Diversity The ADS is initiated by high drywell pressure and low reactor vessel water level or by a timed bypass of the high drywell pressure signal and a coincident low vessel water level. The initiating circuits for each of these parameters are redundant as verified by the circuit description of this section.

7.3.1.1.1.4.7 Actuated Devices All safety relief valves in the ADS are actuated by five methods.

7.3-15 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. Automatic action from the logic chains in either division 1 or division 2 trip system as a result of high drywell pressure, low reactor vessel water level, and the event time in excess of that required for expiration of the ADS timers

b. Automatic action from the logic chains in either ADS division 1 or division 2 trip systems as a result of low reactor water levels and the total time exceeding the sum of the delays caused by the high drywell pressure bypass timer and the ADS initiation timer.

c. Manual action by the operator

d. Pressure transmitter trip unit contacts closing as a result of high reactor pressure

e. Mechanical actuation as a result of high reactor pressure (higher than pressure in item d.).

7.3.1.1.1.4.8 Separation ADS is a division 1 (ADS A) and division 2 (ADS B) system except that only one set of relief valves is supplied. Each relief valve can be actuated by either of two solenoid pilot valves supplying air to the relief valve air piston operators. One of the solenoid pilot valves is operated by trip system A and the other by trip system B. Logic relays, manual controls, and instrumentation are mounted so that division 1 and division 2 separation is maintained. Separation from division 3 is likewise maintained.

7.3.1.1.1.4.9 Testability ADS has two complete trip systems, one in division 1 and one in division 2. Each trip system has two trip logics, both of which must operate to initiate ADS. One trip logic contains a timer to delay ADS to give HPCS an opportunity to start. Four test jacks are provided, one for each trip logic. To prevent spurious actuation of ADS during testing, only one trip logic should be actuated at a time. An alarm is provided if a test plug is inserted in both trip logics in a trip system at the same time.

Operation of the test plug switch and the permissive contacts will close one of the two series relay contacts in the valve solenoid circuit. This will cause a panel light to come on indicating proper trip logic operation and also continuity of the solenoid electrical circuit. Testing of the other trip logic is similar.

7.3-16 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Annunciation is provided in the control room whenever a test plug is inserted in a jack to indicate to the operator that ADS is in a test status. Testing of ADS does not interfere with automatic operation if required by an initiation signal.

7.3.1.1.1.4.10 Environmental Considerations The signal cables, solenoid valves, condensate pots, sensing lines, and safety/relief valve operators are the only control and instrumentation equipment for the ADS located inside the drywell.

These items, and all the other equipment located outside the drywell, will operate in their worst-case environments shown in the Section 3.11 tables. Gamma and neutron radiation is also considered in the selection of these items.

7.3.1.1.1.4.11 Operational Considerations 7.3.1.1.1.4.11.1 General Information The instrumentation and controls of the ADS are not required for normal plant operations. When automatic depressurization is required, it will be initiated automatically by the circuits described in this section. No operator action is required for at least 10 minutes following initiation of the system.

7.3.1.1.1.4.11.2 Operator Information Valve actuation is verified in the control room by the SRV open/

close monitor system. This system consists of a pressure switch connected by a hydraulic sensing line to the discharge piping of the safety/relief valve. An open SRV pressurizes the discharge line and the hydraulic sensing line to the pressure switch, actuating the switch. The output of the pressure switch actuates a relay in the control room. The relay contacts provide input to the annunciator in the control room, to the process computer, and to an indicator light on a control room panel.

The pressure switch is designed for LOCA conditions and is actuated by increasing pressure in the discharge line. The switch will reset after the SRV closes and pressure in the line decays. A power supply monitor and annunciator are provided to alarm on loss of power to the monitor system. The system is designed for maximum vessel pressure. An open pilot valve or a leaking SRV will not actuate the pressure switch. Therefore, the system detects only an appreciably open SRV to eliminate misleading indications to the plant operator and will not respond to a leaking SRV.

7.3-17 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A temperature element is installed on the safety/relief valve discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting safety/relief valve leakage during plant operation. When the temperature in any safety/relief valve discharge pipeline exceeds a preset value, an alarm is sounded in the control room. The alarm setting is enough above normal rated power drywell ambient temperatures to avoid spurious alarms, yet low enough to give early indication of safety/relief valve leakage.

Even if an SRV is leaking, the temperature element will measure a temperature increase when the SRV opens initially during an overpressure transient, thus indicating valve operability. The primary demonstration of SRV operability is to periodically remote manually actuate SRV's one at a time, and observe the turbine bypass valve position change which is measured directly.

Grand Gulf, in addition, has installed valve position indication via pressure switches in the tail pipe section. This is per short term lessons learned, NUREG-0578.

7.3.1.1.1.4.11.3 Deleted 7.3.1.1.1.4.12 Safety/Relief Valves 7.3.1.1.1.4.12.1 System Identification The nuclear pressure relief system is designed to prevent overpressurization of the nuclear system that could lead to the failure of the reactor coolant pressure boundary.

7.3.1.1.1.4.12.2 SRV Equipment Design The automatic safety/relief system consists of redundant reactor pressure instrument channels arranged in separate trip systems that control separate solenoid-operated air pilots on each valve.

These pilot valves control the pneumatic pressure applied to an air cylinder operator. An accumulator, one on each valve, is included with the control equipment to store the pneumatic energy for relief valve operation. SRVs are initiat-ed by reactor vessel pressure. The SRVs are divided into three pressure groups. The first group consists of one valve which opens when vessel pressure exceeds 1103 psig. The second group consists of one valve which opens in its low-low set point mode (see subsection 7.3.1.1.1.4.12.9) and nine valves which open when vessel pressure 7.3-18 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) exceeds 1113 psig. The third group consists of nine valves which open when pressure exceeds 1123 psig. Control cables from the vessel pressure sensors lead to two separate logic cabinets where the redundant trip systems are formed. Separate station batteries power the electrical control circuitry. The power supplies for the redundant trip systems are separated to limit the effects of electrical failures. Power sources for the SRV solenoids and trip systems are the same as the ADS Divisions l and 2.

7.3.1.1.1.4.12.3 Initiating Circuits Reactor pressure is detected by four pressure transducers (two for each division) which are located in the containment. The SRV trip system requires a two-out-of-two trips (per division) on vessel pressure to open the SRVs. This also prevents inadvertent SRV actuation (of more than one valve) due to single failure of a trip unit or transmitter. The SRV trip systems are arranged such that no single failure will prevent SRV actuation. See subsection 5.2.2.4.1 for additional discussion of the trip system.

7.3.1.1.1.4.12.4 Logic and Sequencing

[HISTORICAL INFORMATION] [Two-out-of-two reactor vessel pressure instrument signals/trips are required to initiate the safety/

relief valves. High vessel pressure indicates the need for SRV actuation to prevent nuclear steam overpressure.

After receipt of the initiation signal, each of the two solenoid pilot air valves on each safety/relief valve is energized. Either or both solenoid actuations allow pneumatic pressure from the accumulator to be applied to the air cylinder operator. The air cylinder operator holds the valve open. The SRVs remain open until system pressure drops below the reclose set point.

Manual opening of each SRV is accomplished by either a control switch in the Division 1 (A trip system) portion of the main control room or by a control switch in the Division 2 (B trip system) portion of the control room panel.

Two redundant SRV trip systems are provided. Division 1 sensors for high reactor pressure initiate trip system A, and Division 2 sensors initiate trip system B. The components are mounted in two different cabinets.

7.3-19 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The SRV trip system A actuates the "A" solenoid pilot valve on each SRV. The SRV trip system B actuates the "B" solenoid pilot valve on each SRV. Actuation of either solenoid pilot valve causes the SRV to open to provide depressurization.]

7.3.1.1.1.4.12.5 Bypasses and Interlocks Bypasses and interlocks are not utilized in the SRV function.

7.3.1.1.1.4.12.6 Redundancy and Diversity The SRV logic is initiated by high reactor pressure. The initiating circuits for each of these variables are redundant, as explained in the circuit description of this subsection.

Diversity is not provided.

7.3.1.1.1.4.12.7 Actuated Devices All relief valves are actuated by three methods:

a. Automatic action resulting from the logic chains in either Division 1 or Division 2 trip system actuating;

b. Manually by the operator;

c. Mechanical actuation as a result of high reactor pressure.

7.3.1.1.1.4.12.8 Separation SRV logic is a Division 1 (trip system A) and Division 2 (trip system B) system. Each relief valve can be actuated by either of two solenoid pilot valves supplying air to the relief valve air piston operators. One of the solenoid pilot valves is operated by trip system A and the other by trip system B. Logic circuitry, manual controls, and instrumentation are designed so that Division 1 and Division 2 electrical separation is maintained.

7.3.1.1.1.4.12.9 Low-Low Set Point Logic In order to ensure that no more than one relief valve reopens following a reactor isolation event, six safety/relief valves are provided with lower opening and/or closing set points. The set points for the low-low set point logic are listed in the Technical Specifications. These set points override the normal set points following the initial opening of one or more relief valves and act to hold these valves open longer, thus preventing more than one single valve from subsequently reopening. This system logic is 7.3-20 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) referred to as the low-low set relief logic and functions so that the containment design basis of one safety/ relief valve operating on subsequent actuations is met. For additional information on the low-low set relief functions, see subsection 5.2.2.2.3.2. This logic is armed from the existing pressure sensors of any of the normal relief set point groups. When these sensors trip, low-low set logic automatically seals in the control circuitry of the selected valves and actuates a control room annunciator. The low-low set point logic remains sealed in until manually reset by the operator.

For a mild overpressure transient which would lift only the 1103 psig SRV, the SRV with a normal relief set point of 1113 psig and a low-low set point of 1073 psig will also lift when the low-low-set logic is armed by the 1103 psig SRV opening. Since the plant is designed to accommodate all SRVs opening initially during an overpressure transient, opening two SRVs is well within the design basis.

Once sealed in, the low-low set logic acts to hold selected relief valves open past their normal reclosure point until the pressure decreases to a predetermined low-low reclosing set point. Thus, these selected valves remain open longer than the other safety/

relief valves. This extended relief capacity consumes sufficient energy such that no more than one valve should reopen a second time. Also, the seal-in logic provides the first two low-low set valves with new reopening set points which are lower than their original set points to remove decay heat. These two valves provide redundancy in case of single valve failure. Transient analysis reveals that only the first valve will reopen on secondary transient peaks unless it failed. In that event, the second valve will act as back-up. (See Table 5.2-2 and subsection 5.2.2.2.3.2.)

The low-low set logic is designed with the same redundancy and single-failure criteria as the safety/relief valve logic (See subsection 5.2.2.4.1); i.e., no single failure of a logic component or solenoid valve will prevent any low-low set valve from opening. Upon a single electrical failure, more than one valve may inadvertently open or stick open; however, the probability of this happening is less than 10-6/year.

The valves associated with low-low set are arranged in three secondary set point groups or ranges (low, medium, and high). The "low" and "medium" pressure ranges consist of one valve each, 7.3-21 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) having altered reopen and reclose set points independently adjustable. These two valves are set considerably lower than their normal SRV set points. The remaining valves are simultaneously controlled by the "high" range sensors which have an independently adjustable reclose set point. The normal SRV opening set point is retained for this valve group, though reclose is extended in the low-low set operating mode.

The sensors are arranged in two trains for each division. These conform to safety/relief Logics A and E for Division 1 and B and F for Division 2. Thus, the single-failure criterion is maintained because two-out-of-two logic trains (per division) are required to open the valves, and one-out-of-two logic trains in each division act, to reclose them. The low range sensors which control the first valve are placed in Logic E (F) and the medium range sensors which control the second valve are placed in Logic A (B).

The highest pressure sensors, which are used for arming and sealing in low-low set logic, control four valves simultaneously.

Therefore, these are also arranged in redundant two-out-of-two (A.E) + (B.F) logic to maintain single-failure-proof integrity.

7.3.1.1.1.4.12.10 Testability The SRV system has two complete trip systems, one in Division 1 and one in Division 2. Either one can initiate depressurization.

Each trip system has two trip logics, both of which must operate to actuate the SRV. The SRV instrument channels' signals are tested by cross comparison between the channels which bear a known relationship with each other. Meters indicating vessel pressure for each instrument channel are mounted in the logic cabinets. The instrument channel set points may be verified by introducing a test signal to move the signal towards trip. The set point is verified by observing the meter and the indicator light on the output of the instrument channel trip device. Testing of one division of SRVs does not interfere with automatic operation of the other division. An SRV Group Test Switch exists for each division of SRVs, which allows for testing of all the SRV control circuits in the respective division without turning each individual SRV control switch to the OFF position. The SRV Group Test Switches do not inhibit the ADS function or the manual function of the SRVs. Annunciation is provided in the Control Room to alert Operations that the auto function of the SRVs has been disabled by actuation of the associated divisional group test switch.

7.3-22 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.4.12.11 Environmental Considerations The solenoid valves and their cables and the safety/relief valve operators are the only control and instrumentation equipment for the SRV system located inside the drywell. Equipment located outside the drywell will also operate in their normal and accident environments.

7.3.1.1.1.4.12.12 Operational Considerations 7.3.1.1.1.4.12.13 General Information The instrumentation and controls of the SRV system are required for normal plant operations to prevent nuclear system overpressure. When pressure relief action is required, it will be initiated automatically by the circuits described in this subsection.

7.3.1.1.1.4.12.14 Operator Information Valve actuation is verified in the control room by the SRV open/

close monitor system. This system consists of a pressure switch connected by a hydraulic sensing line to the discharge piping of the safety/relief valve. An open SRV pressurizes the discharge line and the hydraulic sensing line to the pressure switch, actuating the switch. The output of the pressure switch actuates a relay in the control room. The relay contacts provide input to the annunciator in the control room, to the process computer, and to an indicator light on a control room panel.

The pressure switch is designed for LOCA conditions and is actuated by increasing pressure in the discharge line. The switch will reset after the SRV closes and pressure in the line decays. A power supply monitor and annunciator are provided to alarm on loss of power to the monitor system. The system is designed for maximum vessel pressure. An open pilot valve or a leaking SRV will not actuate the pressure switch. Therefore, the system detects only an appreciably open SRV to eliminate misleading indications to the plant operator and will not respond to a leaking SRV.

A temperature element is installed on the safety/relief valve discharge piping several feet from the valve body. The temperature element is connected to a multipoint recorder in the control room to provide a means of detecting safety/relief valve leakage during plant operation. When the temperature in any safety/relief valve discharge piping exceeds a preset value, an 7.3-23 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) alarm is sounded in the control room. The alarm setting is far enough above normal (rated power) drywell ambient temperatures to avoid spurious alarms, yet low enough to give early indication of significant safety/relief valve leakage.

7.3.1.1.1.5 Low Pressure Core Spray (LPCS) - Instrumentation and Controls 7.3.1.1.1.5.1 System Identification The low pressure core spray (LPCS) system will supply sufficient cooling water to the reactor vessel to adequately cool the core following a design basis loss-of-coolant accident.

7.3.1.1.1.5.2 Equipment Design The LPCS includes one ac pump, appropriate valves, and piping to route water from the suppression pool to the reactor vessel (see Figure 6.3-4, LPCS P&ID). Except for the testable check valve, which is inside the drywell, the transmitters and valve closing mechanisms for the LPCS system are located in the containment and auxiliary building. Cables from the sensors are routed to relay logic cabinets where the control circuitry is assembled. The LPCS pump and automatic valves are powered from the Division 1 ESF ac bus that is capable of receiving standby power. Control power for the LPCS comes from ESF battery A. Control and motive power for the LPCS is from the same source as for LPCI Loop A.

7.3.1.1.1.5.3 Initiating Circuits Two reactor vessel low water level transmitters and trip units and two drywell high-pressure transmitters and trip units are electrically connected in a one-out-of-two twice arrangement so that no single event can prevent initiation of LPCS.

Reactor vessel low water level is monitored by two level transmitters that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each level transmitter provides an input to a trip unit (electronic switch) located in the control room. In order to minimize inadvertent system actuations due to level instrument power loss and restoration, a time delay feature allows for stabilization of the level transmitters loop output to the corresponding trip units. This time delay feature (located in control room panels) does not 7.3-24 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) impact system operation upon receipt of a true reactor vessel low water level signal, and failure of the time delay feature is automatically monitored and annunciated in the control room.

Low pressure interlocks for the injection valves in the low pressure ECC systems (LPCI & LPCS) are provided to prevent high reactor pressures from reaching low pressure components by preventing automatic and manual opening of the LPCI and LPCS injection valves when high reactor pressures are present downstream of the valves.

Drywell pressure is monitored by two pressure transmitters mounted on instrument racks in the containment. Sensing lines that terminate in the containment allow the transmitters to communicate with the drywell interior. Each drywell high-pressure transmitter provides an input to a trip unit (electronic switch) located in the control room.

The LPCS initiation signal also initiates the division 1 diesel generator.

7.3.1.1.1.5.4 Logic and Sequencing

[HISTORICAL INFORMATION] [The LPCS trip system is depicted in Figure 7.3-2 in a one-out-of-two twice network using level and pressure trip units. The initiation signal will be generated when:

a. Both level trip units are tripped

b. Both pressure trip units are tripped

c. Either of two other combinations of one level trip unit and one pressure trip unit is tripped Once an initiation signal is received by the LPCS control circuitry, the signal is sealed in until manually reset. The seal-in feature is shown in the LPCS FCD (see Section 1.7).

The LPCS and RHR A (LPCI A) trip system for the injection valves to open is also depicted in Figure 7.3-2 in a one-out-of-two-twice network using reactor vessel pressure trip units.]

7.3-25 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.5.5 Bypasses and Interlocks The LPCS pump motor and injection valve are provided with manual override controls which permit the operator manual control of the system following automatic initiation. Manual operation of the injection valve to open cannot be accomplished without the high pressure/low pressure interlock permissive. The injection valve can be overridden closed before the low pressure interlock permissive is achieved thereby preventing initial automatic injection.

Two pressure transmitters are installed in the pump discharge pipeline upstream of the pump discharge check valve. This pressure signal is used in the automatic depressurization system to indicate that the LPCS pump is running.

7.3.1.1.1.5.6 Redundancy and Diversity The LPCS is actuated by either reactor vessel low water level and/

or drywell high pressure. Both of these conditions will result from a design basis loss-of-coolant accident. As described in subsection 7.3.1.1.1.5.4, Logic and Sequencing, if one low level transmitter or trip unit fails, either high drywell pressure or a combination of low level and drywell pressure will initiate LPCS.

LPCS is a single pump system but is backed up by LPCI A within ECCS division 1.

Division 1 systems (LPCS, RHR A) and the division 2 systems (RHR B, RHR C) are further backed up by the division 3 HPCS.

7.3.1.1.1.5.7 Actuated Devices The control arrangement for the LPCS pump is shown in the LPCS FCD (see Section 1.7). The LPCS pump can be controlled by a control room remote switch or by the automatic control system.

Control arrangements for the automatic valves in the LPCS system are shown in the LPCS FCD. Motor-operated valves are provided with limit switches to turn off the motor when the full open or close positions are reached. When valves are seating, valve motor forces are controlled by either torque switches or limits switches. Thermal over-load devices are used to trip motor-operated valves and to provide alarms during system test only. All motor-operated valves have limit switches that provide control room indication of valve position. Each automatic valve can be operated from the control room.

7.3-26 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

All valves pertinent to LPCS operation travel full stroke within 58 seconds after the start of the maximum recirculation line break accident. See Table 6.3-1 for the operational sequence of the ECCS for DBA.

The LPCS system pump suction valve to the suppression pool is normally open. To position the valve, a keylock switch must be turned in the control room. On receipt of an LPCS initiation signal, the LPCS test line valve is signaled to close (it is normally closed during operation) to assure that the main system pump discharge is correctly routed.

The LPCS pump injection valve is automatically opened upon receipt of the initiation signal, provided the low pressure interlock permissive is met.

7.3.1.1.1.5.8 Separation LPCS is a division 1 system. In order to maintain the required separation, LPCS logic relays, manual controls, cabling, and instrumentation are mounted so that separation from divisions 2 and 3 is maintained.

7.3.1.1.1.5.9 Testability The LPCS is capable of being tested during normal operation.

Pressure and low water level initiation transmitters are individually valved out of service and subjected to a test pressure. This verifies the operability of the transmitter as well as the calibration range. The trip units mounted in the control room are calibrated individually by a calibration source with verification of set point by a digital readout located on the calibration module. Other control equipment is functionally tested during manual testing of each loop. Adequate indications in the form of panel lamps, annunciators, and printed computer output are provided in the control room.

7.3.1.1.1.5.10 Environmental Considerations The only control component pertinent to LPCS system operation that is located inside the drywell is the control mechanism for the air-operated check valve on the LPCS injection line. This item, and all the other equipment located outside the drywell, will operate in their worst-case environments as shown in the Section 3.11 tables.

7.3-27 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.5.11 Operational Considerations 7.3.1.1.1.5.11.1 General Information When the LPCS is required for abnormal and accident conditions, it will be initiated automatically and no operator action will be required for at least 10 minutes. After this time, manual operation may be initiated.

7.3.1.1.1.5.11.2 Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess LPCS system operation. Valves have indications of full open and full closed positions. The pump has indications for pump running and pump stopped. Alarm and indication devices are shown in Figures 6.3-4 (LPCS P&ID) and the LPCS FCD (see Section 1.7). A leak detection system was provided with the intent of continuously confirming the integrity of the injection piping between the inside of the reactor vessel and the core shroud. It has been determined that the system is only capable of detecting gross failures (double ended break and separation) at or near rated power/flow conditions. Since GGNS operating strategies typically dictate operation at reduced core flows, the instrumentation provides limited useful information. The ineffectiveness of the ECCS line break instrumentation is not a concern because a failure of the GGNS injection piping is not considered credible.

GGNS has committed to follow the reactor internals management plan outlined in EPRI Report TR-105707, October 1995, BWR Vessel and Internals Project, Safety Assessment of BWR Reactor Internals (BWRVIP-06), This program includes frequent inspections of the ECCS in-vessel piping. Subsequent to NRC review and approval of the EPRI program, the NSSS vendor performed a detailed flaw evaluation consisting of stress and load limit analyses for the internal core spray piping. This evaluation demonstrated that core spray piping stresses are low and corresponding crack growth rates are low. Based on this evaluation and the frequent inspections prescribed by the BWRVIP inspection methodology, the continued integrity of the ECCS in-vessel piping is assured.

7.3.1.1.1.5.11.3 Set Points Refer to the Technical Specifications for safety set points.

7.3-28 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.6 Low Pressure Coolant Injection (LPCI) System -

Instrumentation and Controls 7.3.1.1.1.6.1 System Identification Low pressure coolant injection (LPCI) is an operating mode of the residual heat removal system (RHR). The RHR system and its operating modes are discussed in Chapter 5. Because the LPCI system is designed to provide water to the reactor vessel following the design basis loss-of-coolant accident, the controls and instrumentation for it are discussed here.

7.3.1.1.1.6.2 Equipment Design Figures 5.4-16 and 5.4-17 (RHR P&ID) show the entire RHR system, including the equipment used for LPCI operation. The following equipment is essential for LPCI operation:

a. Three RHR main system pumps

b. Pump suction valves

c. LPCI injection valves

d. Vessel level transmitters

e. Drywell pressure transmitters

f. Reactor vessel pressure transmitters The instrumentation for LPCI operation controls other valves in the RHR. This ensures that the water pumped from the suppression pool by the main system pumps is routed directly to the reactor.

These interlocking features are described in this subsection.

LPCI operation uses three pump loops, each loop with its own separate vessel injection nozzle. Figures 5.4-16 and 5.4-17 (RHR P&ID) show the location of instruments, control equipment, and LPCI components. Except for the LPCI testable check valves, the components pertinent to LPCI operation are located outside the drywell.

Power for the LPCI system pumps is supplied from ac buses that can receive standby ac power. Two pumps are powered from the division 2 ESF bus and the third pump from the division 1 ESF bus, which also powers the LPCS. Motive power for the automatic valves comes from the bus that powers the pumps for that loop. Control power 7.3-29 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) for the LPCI components comes from the ESF dc buses. Channels for LPCI A are shown in the RHR FCD (see Section 1.7). Channels for LPCI B and LPCI C are shown in the RHR FCD.

LPCI is arranged for automatic and remote-manual operation from the control room.

7.3.1.1.1.6.3 Initiating Circuits LPCI A LPCI A is initiated from the LPCS trip system, described in subsection 7.3.1.1.1.5.3, Initiating Circuits.

LPCI B and C LPCI B and C reactor vessel low water level is monitored by two level transmitters mounted on an instrument rack in the containment that sense the difference between the pressure due to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each level transmitter provides an input to a trip unit (an electronic switch) located in the control room. In order to minimize inadvertent system actuations due to level instrument power loss and restoration, a time delay feature allows for stabilization of the level transmitters loop output to the corresponding trip units. This time delay feature (located in control room panels) does not impact system operation upon receipt of a true reactor vessel low water level signal, and failure of the time delay feature is automatically monitored and annunciated in the control room.

Drywell pressure is monitored by two pressure transmitters mounted on an instrument rack in the containment. Each drywell transmitter provides an input to a trip unit (an electronic switch) located in the control room.

The signals from the two level trip units and the two pressure trip units are electrically connected in a one-out-of-two twice arrangement so that no single event can prevent initiation of LPCI B and C. The trip system for LPCI B and C is shown in Figure 7.3-3.

The LPCI B and C trip system also initiates the division 2 diesel/

generator.

7.3-30 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.6.4 Logic and Sequencing

[HISTORICAL INFORMATION] [The overall LPCI operating sequence following the receipt of an initiation signal is as follows:

a. The valves in the suction paths from the suppression pool are normally open and require no automatic action to line up suction. LPCI motor-operated injection valves open provided the high pressure/low pressure system interlock permissive between the reactor coolant pressure boundary and the LPCI systems is available (see Section 7.6.1.3 for additional information).

b. The LPCI system pump C starts immediately, taking suction from the suppression pool. The LPCI A and B pumps start after a 5-second delay to limit the loading of the standby power sources.

c. Valves used in other RHR modes are automatically positioned so the water pumped from the suppression pool is routed correctly.

d. The LPCI check valves permit flow to the reactor vessel until vessel water level is adequate to provide core cooling and the LPCI pumps are manually shut off.

LPCI A trip system is common to the LPCS and is separated from the trip system for LPCI B and LPCI C. Each initiation uses the same logic form; however, LPCI A uses only division 1 trip units, and LPCI B and LPCI C use only division 2 trip units. Each trip system consists of two level instrument channels and two drywell high pressure instrument channels. After an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.] The seal-in feature is shown in the RHR FCD (see Section 1.7).

7.3.1.1.1.6.5 Bypasses and Interlocks The LPCI pump motor and injection valve are provided with manual override controls which permit the operator manual control of the system following automatic initiation. Manual operation of the injection valve to open cannot be accomplished without the high pressure/low pressure interlock permissive. The injection valve can be overridden closed before the low pressure interlock permissive is achieved thereby preventing initial automatic injection.

7.3-31 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.1.6.6 Redundancy and Diversity The LPCI is actuated by reactor vessel low water level and/or drywell high pressure. Both of these conditions will result from a design basis loss-of-coolant accident and may result from lesser LOCAs. As described in subsection 7.3.1.1.1.5.6, if one low level transmitter or trip unit fails, either the high drywell pressure or a combination of low level and drywell pressure transmitters and trip units will initiate LPCI.

These two divisions of low-pressure emergency core cooling systems are further backed up by the division 3 HPCS.

7.3.1.1.1.6.7 Actuated Devices The functional control arrangement for the LPCI system pumps is shown in the RHR FCD (see Section 1.7). One LPCI system pump starts immediately and the other two start after a 5-second delay.

This delay reduces the demand placed on the onsite standby sources of power. The time delays are provided by timers (see Tables 7.3-4 and 7.3-5). The delay times for the pumps to start when normal ac power is not available include approximately 3 seconds for the start signal to develop after the actual reactor vessel low water level or drywell high pressure occurs, 10 seconds for the standby power to become available, and a sequencing delay to reduce demand on standby power. The total delay time from the time of the accident to the start of the main systems pumps are: pump A, 18 seconds; pump B, 18 seconds; and pump C, 13 seconds. The operator can manually control the pumps from the control room.

Two pressure transmitters are installed in each pump discharge pipeline to verify that pumps are operating following an initiation signal. The pressure signal is used in the automatic depressurization system to verify availability of low-pressure core cooling.

The main system pump motors are provided with overload protection. The overload relays maintain power on the motor as long as possible without harming the motor or jeopardizing the emergency power system.

All automatic valves used in the LPCI function are equipped with remote manual test capability. The entire system can be operated from the control room. Motor-operated valves have limit switches to turn off the motor when the full open or close positions are reached. When valves are seating, valve motor forces are 7.3-32 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) controlled by either torque switches or limit switches. Thermal overload devices are used to trip motor-operated valves during periodic tests and to provide alarms. Valves that have vessel and containment isolation requirements are described in subsection 7.3.1.1.2. LPCI valves travel full stroke within 30 seconds following system initiation and receipt of the RV low pressure permissive.

The LPCI system pump suction valves from the suppression pool are normally open. To reposition the valves, a keylock switch must be turned in the control room. On receipt of an LPCI initiation signal certain RHR valves are signaled to close (although they could be closed as part of the normal lineup) to assure that the LPCI system pump discharge is correctly routed. The set of valves that permit the main system pumps to take suction from the reactor recirculation loops (a lineup used during normal shutdown cooling system operation) are signaled to automatically close as described in Table 5.4-3.

A timer similar to that used in the LPCI system pump control circuitry cancels the LPCI open signal to the heat exchanger bypass valves after a 10-minute delay, which is time enough to permit satisfactory start of the LPCI system. The signal cancellation allows the operator to control the flow through the heat exchangers for other post-accident purposes.

7.3.1.1.1.6.8 Separation LPCI is a division 1 (RHR A) and division 2 (RHR B and C) system.In order to maintain the required separation, LPCI logic relays, manual controls, cabling, and instrumentation are mounted so that divisions 1 and 2 separation is maintained. Separation from division 3 is likewise maintained.

7.3.1.1.1.6.9 Testability The LPCI is capable of being tested during normal operation.

Drywell pressure and low water level initiation transmitters are individually valved out of service and subjected to a test pressure. This verifies the operability of the transmitters as well as the calibration range. Trip units mounted in the control room are calibrated individually by introducing a calibration source and verifying the set point by a digital readout located on the calibration module. Other control equipment is functionally 7.3-33 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) tested during manual testing of each loop. Adequate indications in the form of panel lamps and annunciators are provided in the control room.

7.3.1.1.1.6.10 Environmental Considerations The only control components pertinent to LPCI operation that are located inside the drywell are those controlling the air-operated check valves on the injection lines. Other equipment, located outside the drywell, is selected in consideration of the normal and accident environments in which it must operate (see Table 3.11-1).

7.3.1.1.1.6.11 Operational Considerations 7.3.1.1.1.6.11.1 General Information The pumps, valves, piping, etc., used for the LPCI are used for other modes of the RHR. Initiation of the LPCI mode is automatic and no operator action is required for at least 10 minutes. The operator may control the RHR manually after initiation to use its capabilities in the other modes of the RHR if the core is being cooled by other emergency core cooling systems.

7.3.1.1.1.6.11.2 Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess LPCI operation. Valves have indications of full open and full closed positions. Pumps have indications for pump running and pump stopped. Alarm and indications devices are shown in Figures 5.4-16 and 5.4-17 (RHR P&ID) and in the RHR FCD (see Section 1.7). A leak detection system was provided with the intent of continuously confirming the integrity of the injection piping between the inside of the reactor vessel and the core shroud. It has been determined that the system is only capable of detecting gross failures (double ended break and separation) at or near rated power/flow conditions. Since GGNS operating strategies typically dictate operation at reduce core flows, the instrumentation provides limited useful information. The ineffectiveness of the ECCS line break instrumentation is not a concern because a failure of the GGNS injection piping is not considered credible.

7.3-34 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

GGNS has committed to follow the reactor internals management plan outlined in EPRI Report TR-105707, October 1995, BWR Vessel and Internals Project, Safety Assessment of BWR Reactor Internals (BWRVIP-06). This program includes frequent inspections of the ECCS in-vessel piping. Subsequent to NRC review and approval of the EPRI program, the NSSS vendor performed a detailed flaw evaluation consisting of stress and load limit analyses for the internal core spray piping. This evaluation demonstrated that core spray piping stresses are low and corresponding crack growth rates are low. Based on this evaluation and the frequent inspections prescribed by the BWRVIP inspection methodology, the continued integrity of the ECCS in-vessel piping is assured.

Reactor vessel pressure transmitters are provided to alarm when the reactor vessel pressure is low enough for LPCI injection valves to open.

7.3.1.1.1.6.11.3 Deleted 7.3.1.1.1.7 Nonessential Components All nonessential components have been isolated from essential components so that a failure in a nonessential component will not prevent proper ECCS operation.

7.3.1.1.1.8 Supporting Systems The supporting systems required for the emergency core cooling systems are identified in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.2 Containment and Reactor Vessel Isolation Control System - Instrumentation and Controls 7.3.1.1.2.1 System Identification The containment and reactor vessel isolation control system includes the sensors, channels, transmitters, and remotely activated valve closing mechanisms associated with the valves which, when closed, effect isolation of the containment or reactor vessel, or both.

7.3-35 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The containment and reactor vessel isolation control system (CRVICS) embraces all those systems that are required for reactor vessel and containment isolation during the various modes of operation. CRVICS consists principally of the following instrumentation and control subsystems:

a. MSIV Subsystem:

1. Reactor vessel - low water level

2. Main steam line tunnel - high temperature

3. Main steam line - high flow

4. Main turbine inlet - low steam pressure

5. Deleted

6. Main condenser - vacuum trip

b. Other Valves Subsystems:

1. Reactor water cleanup system - high differential flow

2. Reactor water cleanup system area - high temperature

3. RHR area - high temperature

c. Process Radiation Monitoring (PRM) Subsystems:

1. Main steam line - high radiation

2. Containment and drywell ventilation exhaust - high radiation The purpose of the system is to prevent the release of significant amounts of radioactive materials from the fuel and reactor coolant pressure boundary by automatically isolating the appropriate pipelines that penetrate the containment. The power generation objective of this system is to avoid spurious closure of particular isolation valves as a result of single failure. A specific identification of valves closed by CRVICS is provided in Table 6.2-44.

7.3-36 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.2 System Power Sources Power for the sensor trip channels, trip logics, and manual initiation trip circuits of the isolation control system are supplied from four Class 1E uninterruptible power systems (UPS),

division 1, 2, 3 and 4. Additionally, the main steamline isolation valves actuator logics are supplied from the RPS busses as described in Section 8.1.3.2 (see Figure 7.3-5). Other containment isolation valve actuator logics are supplied from two Class 1E uninterruptible power systems, division 1 and division 2 as described in section 8.3.1.1.5.7 (see Figure 7.3-6).

7.3.1.1.2.3 System Equipment Design Pipelines that penetrate the containment and drywell and directly communicate with the reactor vessel generally have two isolation valves, one inside the drywell and one outside the containment.

These automatic isolation valves are considered essential for protection against the gross release of radioactive material in the event of a breach in the reactor coolant pressure boundary.

Power cables run in raceways from the electrical source to each motor-operated isolation valve. Solenoid valve power goes from its source to the control devices for the valve. The main steam line isolation valve controls include pneumatic piping and an accumulator for those valves that use air as the emergency motive power source. Pressure, temperature, and water level sensors are mounted on instrument racks in either the containment, auxiliary building, or the turbine building. Valve position switches are mounted on motor- and air-operated valves. Switches are encased to protect them from environmental conditions. Cables from each sensor are routed in conduits and cable trays to the control room.

All signals transmitted to the control room are electrical; no pipe from the nuclear system penetrates the control room. The sensor cables and power supply cables are routed to cabinets in the control or electrical equipment rooms, where the logic arrangements of the system are formed.

7.3.1.1.2.4 System Initiating Circuits During normal plant operation, the isolation control system sensors and trip controls that are essential to safety are energized. When abnormal conditions are sensed, channel trip unit relay contacts open, which cause contacts in the trip logic to open and thereby initiate isolation. Loss of both logic power supplies also initiates isolation.

7.3-37 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

For the main steam line isolation valve control, four channels are provided for each measured variable except for main steam line flow high which has sixteen channels provided. One channel of each variable is connected to a particular logic in order to maintain channel independence and separation except for main steam line flow which has four channels in each logic. The outputs of trip logics A and C are used to control Solenoid A of the inboard and outboard valves of all four main steam lines, and the outputs of trip logics B and D are used to control Solenoid B of both inboard and outboard valves for all four main steam lines as shown in Figure 7.3-5.

Each main steam line isolation valve is fitted with two control solenoids. For each valve to close automatically, both of its solenoids must be de-energized. Each solenoid receives inputs from two trip logics; and a signal from either can cause de-energization of the solenoid.

The main steam line drain valves and reactor water sample valves also operate in pairs. The inboard valves close if two of the main steam line isolation trip logics, B and C, are tripped and the outboard valves close if the other two trip logics, A and D, are tripped as shown in Figure 7.3-6.

The reactor water cleanup system and residual heat removal system isolation valves are each controlled by two trip systems, one for the inboard valve and a second for the outboard valve.

The control system for the automatic isolation valves is designed to provide closure of valves in time to minimize the loss of coolant from the reactor and prevent the release of radioactive material from the containment. A secondary design function is to prevent uncovering the fuel as a result of a break in those pipelines that the valves isolate and to thereby restrict the release of radioactive material.

7.3.1.1.2.4.1 Isolation Functions and Settings The isolation trip settings of the reactor vessel isolation control system are listed in the Technical Specifications. The safety design bases of these isolation signals are discussed in the following paragraphs, and the functional control diagram (see Section 1.7) illustrates how these signals initiate closure of isolation valves.

7.3-38 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.1 Reactor Vessel Low Water Level 7.3.1.1.2.4.1.1.1 Subsystem Identification A low water level in the reactor vessel could indicate that reactor coolant is being lost through a breach in the reactor coolant pressure boundary and that the core is in danger of becoming overheated as the reactor coolant inventory diminishes.

Reactor vessel low water level initiates closure of various valves. The closure of these valves is intended to isolate a breach in any of the pipelines in which the valves are contained, conserve reactor coolant by closing off process lines, or prevent the escape of radioactive materials from the primary containment through process lines that communicate with the primary containment interior.

Three reactor vessel low water level isolation trip settings are used to complete the isolation of the containment and the reactor vessel. The first (and highest) reactor vessel low water level isolation trip setting initiates closure of RHR shutdown isolation valves. The second reactor vessel low water level isolation initiates closure of all valves in major process pipelines except the main steam lines. The main steam lines are left open to allow the removal of heat from the reactor core. The third (and lowest) reactor vessel low water level isolation trip setting completes the isolation of the containment and reactor vessel by initiating closure of the main steam line isolation valves, main steam line drain isolation valves, and specific RHR and LPCS isolation valves.

The first low water level setting (which is the RPS low water level scram setting) is selected to initiate closure of the RHR shutdown cooling isolation valves.

The second low water level setting is selected to initiate isolation at the earliest indication of a possible breach in the reactor coolant pressure boundary, yet far enough below normal operational levels to avoid spurious isolation. The pipelines which are isolated when reactor vessel low water level falls to this setting are listed in Table 6.2-44.

The third (and lowest) of the reactor vessel low water level isolation settings (the same water level setting at which the LPCI and LPCS systems are placed in operation) is selected low enough to allow the removal of heat from the reactor for a predetermined 7.3-39 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) time following the scram and high enough to complete isolation in time for the operation of emergency core cooling systems in the event of a large break in the reactor coolant pressure boundary.

The pipelines which are isolated when reactor vessel low water level falls to this setting are listed in Table 6.2-44.

Reactor vessel low water level signals are initiated from 16 differential pressure transmitters. They sense the difference between the pressure caused by a constant reference leg of water and the pressure caused by the actual water level in the vessel.

Four of the level transmitters are associated with the reactor protection system; each transmitter uses a trip unit to effect isolation of the RHR shutdown cooling lines when the water level has dropped to the first (highest) low water level setting. The other 12 level transmitters are used for CRVICS. Four of these transmitters use two trip units to effect isolation functions. Of these two isolation functions, one trip unit indicates that water level has dropped to the second low water level isolation setting, and another trip unit indicates that water level has dropped to the third (lowest) low water level isolation setting.

Twelve instrument sensing lines, attached to taps above or below the water level on the reactor vessel, are required for the differential pressure measurement and terminate outside the drywell and inside the containment. They are physically separated from each other and tap off the reactor vessel at widely separated points. This arrangement assures that no single physical event can prevent isolation, if required.

7.3.1.1.2.4.1.1.2 Subsystem Power Supplies Main steam line isolation valves (outboard and inboard) are supplied from reactor protection system buses A and B 120 V ac.

Divisions 1, 2, 3, and 4 trip logics for the MSIVs are supplied from Class 1E 120 VAC uninterruptible power, divisions 1, 2, 3, and 4, respectively.

Divisions 1 and 2 logics for RHR, RWCU, main steam line drain valves, and reactor water sample valves are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Divisions 1 and 2 logics for other outboard and inboard isolation valves are supplied from reactor protection system bus A and B 120 V ac, respectively.

7.3-40 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Containment and drywell isolation valve motors or pilot solenoids, as appropriate, except MSIVs, are powered from the redundant ESF buses. See Table 6.2-44 for bus assignment for each valve.

7.3.1.1.2.4.1.1.3 Subsystem Initiating Circuits Sixteen water level transmitters provide inputs for 20 sensor channels which monitor the reactor vessel water level. The 20 sensor channels, in four independent groups of five each, provide inputs to four redundant groups of trip logics. The 16 level transmitters, in groups of four each, are installed at four separate locations on the reactor vessel and allow for the earliest possible detection of reactor vessel low water level.

7.3.1.1.2.4.1.1.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant decrease in reactor vessel water level occurs, trip signals are transmitted to the CRVICS, which initiates closure of the main steam line isolation valves, and isolates the containment and drywell.

There are 20 instrumentation channels provided to assure that the protective action occurs when required, but prevents inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a divisional logic trip. Channel trips are arranged in one-out-of-two twice logics for the MSIVs and two-out-of-two logics for other valves. Division 1 or 3 and division 2 or 4 are required to initiate isolation of both inboard and outboard main steam line isolation valves. Divisions 2 and 3 or divisions 1 and 4 are required to initiate isolation of the main steam line drain valves, and other isolation valves, inboard or outboard.]

7.3.1.1.2.4.1.1.5 Subsystem Redundancy and Diversity Redundancy of trip signals for reactor vessel low water level is provided by 16 level transmitters which are associated with trip logics. Four level transmitters provide input to each of the trip logics. Transmitters associated with the same trip logic are located in the same area of the containment. There are four separate areas in the containment where this equipment is located. Class IE power supply is provided from Division 1, Division 2, Division 3 and Division 4 Class 1E UPS depending on the trip function requirements of the transmitter/sensor channel.

7.3-41 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Diversity of trip initiation signals for a pipe break inside the containment are provided by reactor vessel low water level and drywell high pressure. A decrease in reactor vessel water level or an increase in drywell pressure due to pipe break will initiate containment isolation.

7.3.1.1.2.4.1.1.6 Subsystem Bypasses and Interlocks There are no bypasses or interlocks for reactor vessel low water level trip.

7.3.1.1.2.4.1.1.7 Subsystem Testability Testability is discussed in subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.2 Main Steam Line - High Radiation 7.3.1.1.2.4.1.2.1 Subsystem Identification High radiation in the vicinity of the main steam lines could indicate a gross release of fission products from the fuel.

High radiation near the main steam lines initiates isolation of the reactor water sample line.

The high-radiation trip setting is selected high enough above background radiation levels to avoid spurious isolation, yet low enough to promptly detect a gross release of fission products from the fuel.

The objective of the main steam line radiation monitoring subsystem is to monitor for the gross release of fission products from the fuel and, upon indication of such release, to isolate the reactor water sample line.

This subsystem classification is provided in Table 3.2-1.

7.3.1.1.2.4.1.2.2 Subsystem Power Sources The 120 V ac RPS buses A and B and four Class 1E uninterruptible power systems, division 1, 2, 3 and 4, are the power sources for the main steam line isolation valves and main steam line radiation monitoring subsystem. The 'A' pilot solenoid of the main steam line inboard and outboard isolation valves, and division 1 and 3 trip function, are powered from RPS bus A. The 'B' pilot solenoid and division 2 and 4 trip function are powered from RPS bus B.

7.3-42 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Divisions 1, 2, 3, and 4 trip logic for the MSIVs are supplied from Class 1E 120 VAC uninterruptible power, divisions 1, 2, 3, and 4, respectively. Each of the four channels of the main steam line radiation monitoring subsystem is powered from an independent Class 1E uninterruptible power system (division 1, 2, 3 and 4). The actuator logics for the main steam line drain and reactor water sample line valves are powered from an independent Class 1E uninterruptible power system division 1 and 2, as described in Section 8.3.1.1.5. Power for the outboard and inboard main steamline drain valves and reactor water sample line valves are from the ESF division 1 and 2 buses respectively.

7.3.1.1.2.4.1.2.3 Subsystem Initiating Circuits Four gamma-sensitive instrumentation channels monitor the gross gamma radiation from the main steam lines. The detectors are physically located near the main steam lines just downstream of the outboard main steam line isolation valves. The detectors are geometrically arranged to detect significant increases in radiation level with any number of main steam lines in operation.

Their location along the main steam lines allows the earliest practical detection of a gross fuel failure.

Each monitoring channel consists of a gamma-sensitive ion chamber and a log radiation monitor, as shown in Figure 7.6-1 (PRM IED).

Each log radiation monitor has three trip circuits. One upscale trip circuit is used to initiate isolation and alarm. The second circuit is used for an alarm and is set at a level below that of the upscale trip circuit used for isolation. The third circuit is a downscale trip that actuates an instrument trouble alarm in the control room and produces an isolation signal. The output from each log radiation monitor is displayed on a six-decade meter in the control room.

7.3.1.1.2.4.1.2.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant increase in the main steam line radiation level is detected trip signals are transmitted to the CRVICS and the offgas system via RPS circuitry.

To contain radioactive materials, the mechanical vacuum pump is turned off and the mechanical vacuum pump line is shut and the reactor water sample line is isolated.

7.3-43 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Four instrumentation channels are provided to assure protective action when needed and to prevent inadvertent isolation resulting from instrumentation malfunctions.]

7.3.1.1.2.4.1.2.5 Subsystem Bypasses and Interlocks No operational bypasses are provided with this subsystem. However the individual log radiation monitors may be bypassed for maintenance or calibration by the use of test switches on each monitor. Bypassing one log radiation monitor will not cause an isolation, but will cause a single trip system trip to occur.

The main steam line radiation monitors are interlocked with the mechanical vacuum pump. An isolation signal will trip the mechanical vacuum pump.

7.3.1.1.2.4.1.2.6 Subsystem Redundancy and Diversity The number of monitoring channels in this subsystem provides the required redundancy and is verified in the circuit description.

The single failure criterion has been met in the design by providing redundant sensors, channels, trip logics, and trip systems which are seismically and environmentally qualified. The failure of a single component will not prevent the system from functioning in the event protective action is required.

In addition, a single failure will not initiate an isolation function, due to the use of two independent trip systems.

7.3.1.1.2.4.1.2.7 Testability A built-in source of adjustable current is provided with each log radiation monitor for test purposes. The operability of each monitoring channel can be routinely verified by comparing the outputs of the channels during power operation.

7.3.1.1.2.4.1.2.8 Environmental Considerations This subsystem is designed and has been qualified to meet the environmental conditions indicated in Section 3.11. In addition, this subsystem has been seismically qualified as described in Section 3.10.

7.3-44 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.2.9 Operational Considerations In the event of a high- or low-radiation level trip within any of the channels, the subsystem will automatically activate the appropriate alarm annunciator and provide a meter indication in the control room. Similarly, the occurrence of a high-high or an inoperable trip within any of the channels of the system will result in a close signal being sent to the reactor water sample valves and a signal being sent to turn off the mechanical vacuum pumps and close the vacuum pump lines.

The panels in the control room, associated with the CRVICS, are identified by tags which indicate the panel function and identification of the contained channels. The identification scheme for ESF system cables is described in subsection 8.3.1.3.

The only direct support required for the CRVICS is the electrical power system which is provided for the logic circuits from 120 V ac power supplies as described in subsection 7.3.1.1.2.4.1.2.2 and Chapter 8, and by the ESF power system for the isolation valves, except MSIVs, as described in subsection 8.3.1.1.

7.3.1.1.2.4.1.3 Main Steam Line - Space High Temperature 7.3.1.1.2.4.1.3.1 Subsystem Identification High ambient temperature in the space in which the main steam lines are located outside of the containment could indicate a breach in a main steam line. The automatic closure of various valves prevents the excessive loss of reactor coolant and the release of a significant amount of radioactive material from the reactor coolant pressure boundary.

When high ambient temperatures occur in the main steam line space, the following pipelines are isolated:

a. All four main steam lines

b. Main steam line drains The main steam line space high temperature trip is set far enough above the temperature expected during operation at rated power to avoid spurious isolation, yet low enough to provide early indication of a steam line break.

7.3-45 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

High temperature in the vicinity of the main steam lines is detected by dual element thermocouples located along the main steam lines in the auxiliary building. The temperature elements are located or shielded so that they are sensitive to air temperature and not the radiated heat from hot equipment.

The main steam line space temperature detection system is designed to alarm at a temperature indicative of a 5 gpm leak and initiate isolation at a temperature indicative of a 25 gpm leak.

7.3.1.1.2.4.1.3.2 Subsystem Power Supplies Main steam line isolation valves (outboard and inboard) are supplied from reactor protection system buses A and B 120 V ac.

The divisions 1, 2, 3, and 4 trip logics for the main steam line isolation valves are supplied from Class 1E 120 VAC uninterruptible power.

Division 1 and 2 logics for the outboard and inboard main steam line drain valves, respectively, are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard main steam line drain valves is supplied from the ESF division 1 and 2 buses, respectively.

7.3.1.1.2.4.1.3.3 Subsystem Initiating Circuits Four space temperature sensing channels monitor the main steam lines area temperatures. One space temperature element is physically located near each of the main steam lines in the main steam line tunnel.

The locations of the temperature elements provide the earliest practical detection of main steam line breaks.

7.3.1.1.2.4.1.3.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant increase in main steam line tunnel space is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation and drain valves.

7.3-46 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Four instrumentation channels are provided to assure protective action when needed and to prevent inadvertent isolation resulting from instrumentation malfunctions. The trip signal of each instrumentation channel initiates a trip logic trip. The output trip signals of the trip logic are combined in one-out-of-two twice and two-out-of-two logics. Division 1 or 3 and division 2 or 4 are required to initiate main steam line isolation. Divisions 2 and 3 or divisions 1 and 4 are required to initiate main steam line drain isolation. Thus, failure of any one channel does not result in inadvertent action.]

7.3.1.1.2.4.1.3.5 Subsystem Redundancy and Diversity Redundancy of trip initiation for high space temperature is provided by four temperature elements installed at different locations within the main steam line tunnel. Each temperature element is associated with one of four channels. Each temperature trip unit is supplied from a different power supply.

Diversity of trip initiation for main steam line break is provided by main steam line tunnel high space temperature, main steam line high flow, and low-pressure instrumentation. An increase in space temperature, main steam line flow, or a decrease in pressure will initiate main steam line and main steam line drain isolation.

7.3.1.1.2.4.1.3.6 Subsystem Bypasses and Interlocks There are no bypasses or interlocks to other systems for main steam line high space trip signals.

7.3.1.1.2.4.1.3.7 Subsystem Testability See subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.4 Main Steam Line - High Flow 7.3.1.1.2.4.1.4.1 Subsystem Identification Main steam line high flow could indicate a break in a main steam line. Automatic closure of various valves prevents excessive loss of reactor coolant and release of significant amounts of radioactive material from the reactor coolant pressure boundary.

On detection of main steam line high flow, the following pipelines are isolated:

a. All four main steam lines 7.3-47 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Main steam line drain The main steam line high flow trip setting was selected high enough to permit isolation of one main steam line for testing at rated power without causing an automatic isolation of the other steam lines, yet low enough to permit early detection of a steam line break.

High flow in each main steam line is sensed by four differential pressure transmitters that sense the pressure difference across the flow element in that line.

7.3.1.1.2.4.1.4.2 Subsystem Power Supplies Main steam line isolation valves (outboard and inboard) are supplied from reactor protection system buses A and B 120 V ac.

The divisions 1, 2, 3, and 4 trip logics for the main steam line isolation valves are powered from Class 1E 120 VAC uninterruptible power.

Divisions 1 and 2 logics for the outboard and inboard main steam line drain valves, respectively, are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard main steam line drain valves is supplied from the ESF divisions 1 and 2 buses, respectively.

7.3.1.1.2.4.1.4.3 Subsystem Initiating Circuits Sixteen differential pressure sensing channels, four for each main steam line, monitor the main steam line flow. One differential pressure channel for each main steam line is associated with each of four logic channels. Four differential pressure transmitters are installed on each main steam line and allow the earliest possible detection of a main steam line break.

7.3.1.1.2.4.1.4.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant increase in main steam line flow is detected, trip signals are transmitted to CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation and drain valves.

7.3-48 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Four instrumentation trip logics are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The trip signal of each instrumentation channel initiates a trip logic trip. The trip signals of the logic divisions are combined in one-out-of-two twice and two-out-of-two logics. Divisions 1 or 3 and divisions 2 or 4 are required to initiate main steam line isolation. Divisions 2 and 3 or divisions 1 and 4 are required to initiate main steam drain isolation. Thus, failure of any one division does not result in inadvertent action.]

7.3.1.1.2.4.1.4.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for high flow is provided by four differential pressure transmitters connected to each main steam line. Each of the four differential pressure transmitters on a given steam line is associated with one of four logic divisions and is powered from an independent Class 1E uninterruptible power supply divisions 1, 2, 3 and 4.

Diversity of trip initiation signals is described in subsection 7.3.1.1.2.4.1.3.5.

7.3.1.1.2.4.1.4.6 Subsystem Bypasses and Interlocks There are no bypasses or interlocks to other systems from main steam line high flow trip signals.

7.3.1.1.2.4.1.4.7 Subsystem Testability Testability is discussed in subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.5 Main Turbine Inlet - Low Steam Pressure 7.3.1.1.2.4.1.5.1 Subsystem Identification Low steam pressure at the turbine inlet while the reactor is operating could indicate a malfunction of the nuclear system pressure controller in which the turbine control valves or turbine bypass valves become fully open and cause rapid depressurization of the nuclear system. From part-load operating conditions, the rate of decrease of nuclear system saturation temperature could exceed the allowable rate of change of vessel 7.3-49 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) temperature. A rapid depressurization of the reactor vessel while the reactor is near full power could result in undesirable differential pressures across the channels around some fuel bundles of sufficient magnitude to cause mechanical deformation of channel walls. Such depressurizations, without adequate preventive action, could require thorough vessel analysis or core inspection prior to returning the reactor to power operation. To avoid these time-consuming requirements following a rapid depressurization, the steam pressure at the turbine inlet is monitored. Pressure falling below a preselected value with the reactor in the RUN mode initiates isolation of the following pipelines:

a. All four main steam lines

b. Main steam line drain The low steam pressure isolation setting was selected far enough below normal turbine inlet pressures to avoid spurious isolation, yet high enough to provide timely detection of a pressure controller malfunction. Although this isolation function is not required to satisfy any of the safety design bases for this system, the discussion is included to complete the listing of isolation functions.

Main steam line low pressure is monitored by four pressure transmitters that sense pressure downstream of the outboard main steam line isolation valves. The sensing point is located as close as possible to the turbine stop valves. The steam line pressure, where this sensor is located, changed and reduced the setpoint margin under EPU conditions. The margin assessment confirmed that the remaining margin at EPU conditions is acceptable for operation and does not require limitations on the performance of surveillances with the existing setpoint (Ref. 1).

7.3.1.1.2.4.1.5.2 Subsystem Power Supplies Main steam line isolation valves (outboard and inboard) are supplied from reactor protection system buses A and B 120 V ac.

The division 1, 2, 3, and 4 trip logics for the main steam line isolation valves are supplied from Class 1E 120 VAC uninterruptible power.

7.3-50 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Divisions 1 and 2 logics for the outboard and inboard main steam line drain valves, respectively, are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard main steam line drain valves is supplied from the ESF divisions 1 and 2 buses, respectively.

7.3.1.1.2.4.1.5.3 Subsystem Initiating Circuits Four pressure sensing channels, one for each main steam line, monitor main steam line pressure. Each pressure channel is associated with one of four instrumentation channels. The locations of the pressure transmitters provide the earliest practical detection of low main steam line pressure.

7.3.1.1.2.4.1.5.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant decrease in main steam line pressure is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation valves and drain valves.

Four instrumentation channels are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The output trip signal of each instrumentation channel initiates a logic trip.

The output trip signals of the trip logics are combined in one-out-of-two twice and two-out-of-two logics. Divisions 1 or 3 and divisions 2 or 4 are required to initiate main steam line isolation. Divisions 2 and 3 or divisions 1 and 4 are required to initiate main steam line drain isolation. Thus, failure of any one division does not result in inadvertent action.]

7.3.1.1.2.4.1.5.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for low pressure is provided by four pressure transmitters, one for each main steam line. Each pressure transmitter is associated with one of four divisional logics, and is powered from an independent Class 1E uninterruptible power supply (division 1, 2, 3 and 4).

Diversity of trip initiation signals is described in subsection 7.3.1.1.2.4.1.3.5.

7.3-51 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.5.6 Subsystem Bypasses and Interlocks The main steam line low pressure trip is bypassed by the reactor mode switch in the shutdown, refuel, and startup modes of reactor operation. In the RUN mode, the low-pressure trip function is operative.

There are no interlocks to other systems from main steam line low-pressure trip signals.

7.3.1.1.2.4.1.5.7 Subsystem Testability Testability is discussed in subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.6 Drywell High-Pressure 7.3.1.1.2.4.1.6.1 Subsystem Identification High pressure in the drywell could indicate a breach of the reactor coolant pressure boundary inside the drywell. The automatic closure of various valves prevents the release of significant amounts of radioactive material from the containment.

The pipelines which are isolated on detection of high drywell pressure are listed in Table 6.2-44.

The drywell high-pressure isolation setting was selected to be as low as possible without inducing spurious isolation trips.

Drywell pressure is monitored by 12 pressure transmitters that are mounted on instrument racks outside the drywell. Instrument sensing lines that terminate in the containment connect the transmitters with the drywell interior.

7.3.1.1.2.4.1.6.2 Subsystem Power Supplies Divisions 1, 2, 3, and 4 trip logics for MSIVs are supplied from Class 1E 120 VAC uninterruptible power.

Divisions 1 and 2 logics for RHR, RWCU, main steam line drain, and reactor water sample valves are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Logics for HPCS test line valves are supplied from 125 V dc ESF bus C.

7.3-52 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Divisions 1 and 2 logics for other outboard and inboard isolation valves are supplied from the 120 V ac reactor protection system buses A and B, respectively.

Containment and drywell isolation valve motors or pilot solenoids, as appropriate, except MSIVs, are powered from the redundant ESF buses. See Table 6.2-44 for bus assignment for each valve.

7.3.1.1.2.4.1.6.3 Subsystem Initiating Circuits Twelve pressure sensing channels monitor drywell pressure.

Pressure transmitters are installed at four different locations outside the drywell and provide the earliest practical detection of a line break inside the drywell.

7.3.1.1.2.4.1.6.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant increase in drywell pressure is detected, trip signals are transmitted to the CRVICS which isolates the containment and drywell.

Twelve instrumentation channels are provided to assure protective action when required and to prevent inadvertent isolation resulting from instrumentation malfunctions. The trip signals of the instrument channels are combined into two-out-of-two, one-out-of-two twice, or one-out-of-two logics. Divisions 2 and 3 or divisions 1 and 4 instrumentation channels are required to initiate closure of inboard or outboard valves, respectively.

Thus, failure of any one division does not result in inadvertent action.]

7.3.1.1.2.4.1.6.5 Subsystem Redundancy and Diversity Redundancy of trip signals for drywell high pressure is provided by 12 pressure transmitters which are associated with trip logics. Three pressure transmitters provide input to each of the trip logics. Transmitters associated with the same trip logic are located in the same area of the containment. There are four separate areas in the containment where this equipment is located. Class IE power supply is provided from Division 1, Division 2, Division 3 and Division 4 uninterruptible power source.

7.3-53 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Diversity of trip initiation signals for line breaks inside of the drywell is provided by reactor low water level for those isolation valve subsystems initiated by high drywell pressure. An increase in drywell pressure or a decrease in reactor water level will initiate containment isolation.

7.3.1.1.2.4.1.6.6 Subsystem Bypasses and Interlocks There are no bypasses or interlocks for drywell high-pressure trip signals.

7.3.1.1.2.4.1.6.7 Subsystem Testability Testability is discussed in subsections 7.3.2.2.2.3.1.9 and 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.7 Containment and Drywell Ventilation Exhaust Radiation Monitoring Subsystem -

Instrumentation and Controls 7.3.1.1.2.4.1.7.1 Subsystem Identification The purpose of this subsystem is to indicate when excessive amounts of radioactive gases or materials exist in the containment or drywell exhaust and to effect appropriate action so that the release of radioactive gases to the environs is controlled.

The containment and drywell ventilation exhaust radiation monitoring subsystem is shown in Figure 7.6-1. The subsystem consists of four independent channels.

7.3.1.1.2.4.1.7.2 Subsystem Power Sources The 120 V ac Class 1E uninterruptible power supply systems (divisions 1, 2, 3 and 4) are the power sources for this subsystem. Each of the four sensor channels of the radiation monitoring system is powered from a different Class 1E uninterruptible power source.

7.3.1.1.2.4.1.7.3 Subsystem Initiating Circuits Each channel includes a Geiger-Muller type detector and an indicator and trip unit. The four channels share a recorder. All equipment except the detectors are located in the control room.

The detectors are located in the exhaust ductwork.

7.3-54 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.7.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [Each channel has two trips. The upscale trip indicates high radiation, and the downscale trip indicates instrument trouble. When the instrument is switched to calibrate it is considered to be inoperative. Any one trip sounds an alarm in the control room. Two upscale trips, two inoperative trips, or one upscale trip and one inoperative trip on either set of channels will provide a trip signal for isolation of all containment and drywell ventilation penetrations. There are no sequencing requirements or provisions.]

7.3.1.1.2.4.1.7.5 Subsystem Bypasses and Interlocks No operational bypasses are provided, but the trip units for each sensor channel may be bypassed for maintenance or testing.

Bypassing the trip unit will cause a single trip system trip, which does not cause an isolation. If any additional trips (upscale or inoperative) occur from other trip units, the isolation function will be initiated.

7.3.1.1.2.4.1.7.6 Subsystem Redundancy and Diversity As discussed in subsection 7.3.1.1.2.4.1.7.1, the containment and drywell ventilation exhaust radiation monitoring subsystem consists of four independent sensor and trip units, sensing a common variable. This independence provides sufficient redundancy to ensure that a high-radiation condition will be detected and protective action initiated.

No diversity of trip variables is provided for the containment and drywell ventilation exhaust radiation monitors.

7.3.1.1.2.4.1.7.7 Subsystem Testability The monitors are readily accessible for inspection, calibration, and testing. The containment and drywell ventilation exhaust radiation monitoring subsystem and the response of the containment ventilation systems are routinely tested. Operation of the detectors can be verified through use of a portable gamma source.

7.3-55 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.7.8 Subsystem Environmental Considerations The environmental considerations are given in Tables 3.11-1,- 2, and -3. In addition, this subsystem has been qualified for conditions of an SSE.

7.3.1.1.2.4.1.7.9 Operational Considerations 7.3.1.1.2.4.1.7.9.1 General Information The containment and drywell ventilation exhaust radiation monitoring subsystem is required to prevent release of radioactive materials to the environs through the containment exhaust. The isolation function is performed automatically and provides computer alarm information to the control room to alert operating personnel of the condition.

7.3.1.1.2.4.1.7.9.2 Operator Information Refer to Table 7.3-10 for subsystem characteristics and display ranges.

7.3.1.1.2.4.1.7.9.3 Deleted 7.3.1.1.2.4.1.8 Reactor Water Cleanup (RWCU) System - High -

Differential Flow 7.3.1.1.2.4.1.8.1 Subsystem Identification High differential flow in the reactor water cleanup system could indicate a breach of the nuclear system process barrier in the cleanup system. The cleanup system flow at the inlet to the heat exchanger is compared with the flow at the outlet of the filter/

demineralizer. High differential flow initiates isolation of the cleanup system.

7.3.1.1.2.4.1.8.2 Subsystem Power Supplies Divisions 1 and 2 logics are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard reactor water cleanup system isolation valves is supplied from ESF divisions 1 and 2 buses, respectively.

7.3-56 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.8.3 Subsystem Initiating Circuits Six differential flow sensing circuits monitor the reactor water cleanup system flow. Two circuits monitor the flow from recirculation suction, two circuits monitor the flow to the feedwater system, and two circuits monitor the flow to the main condenser. One of each flow circuit measurement is associated with each of two instrumentation channels. Two flow transmitters are located on the lines to the main condenser, return to feedwater system, and the suction line from recirculation system.

The locations of the flow transmitters provide the earliest practical detection of reactor water cleanup system line breaks.

7.3.1.1.2.4.1.8.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant increase in reactor water cleanup system differential flow is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all reactor water cleanup system isolation valves.

Two instrumentation channels are provided to assure protective action, when required. The output trip signal of each instrumentation channel initiates a trip system trip and closure of either the inboard or outboard reactor water cleanup system isolation valve. To close both the inboard and outboard isolation valves, both trip systems must be tripped.]

7.3.1.1.2.4.1.8.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for high differential flow is provided by two flow transmitters installed on the suction from recirculation, the return to feedwater and the return to the main condenser. Each flow transmitter is supplied from a different power source (ESF power system divisions 1 and 2).

Diversity of trip initiation signals for reactor water cleanup system line break is provided by high differential flow and space temperature instrumentation. An increase in differential flow, and in some cases space temperature, will initiate reactor water cleanup system isolation.

7.3-57 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.8.6 Subsystem Bypasses and Interlocks Reactor water cleanup system high differential flow trip is bypassed automatically during reactor water cleanup system startup.

There are no interlocks to other systems provided from the reactor water cleanup system high differential flow trip signals.

7.3.1.1.2.4.1.8.7 Subsystem Testability Testability is discussed in subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.9 Reactor Water Cleanup (RWCU) System - Area High Temperature 7.3.1.1.2.4.1.9.1 Subsystem Identification High temperature in the area of the reactor water cleanup system could indicate a breach in the reactor coolant pressure boundary in the cleanup system. High area temperature in the area initiates an alarm or an alarm and isolation of the reactor water cleanup system.

7.3.1.1.2.4.1.9.2 Power Supplies Divisions 1 and 2 logics are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard reactor water cleanup system isolation valves is supplied from ESF divisions 1 and 2 buses, respectively.

7.3.1.1.2.4.1.9.3 Subsystem Initiating Circuits Eight space temperature sensing circuits monitor the reactor water cleanup system area temperatures. Four space temperature circuits are associated with each of two leak detection channels.

Four pairs of space temperature elements are located in various reactor water cleanup equipment areas. Eight pairs of temperature elements are located in the ventilation supply and exhaust ducts or other locations so as to be sensitive to ambient temperature changes in each area of the above locations. The locations of the temperature elements provide the earliest practical detection of any reactor water cleanup system line break.

7.3-58 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.9.4 Subsystem Logic and Sequencing When a significant increase in reactor water cleanup system area space temperature is detected, alarms and, for some of these areas, isolation signals are generated. Upon receiving an isolation signal, the containment and reactor vessel isolation control system initiates closure of all reactor water cleanup system isolation valves.

Eight sensor channels are provided to assure protective action when required. Where automatic trip signals are provided, the output trip signal of each sensor channel initiates a trip system trip and closure of either the inboard or outboard reactor water cleanup system isolation valve. In order to close both the inboard and outboard isolation valves, both trip systems must trip. Protection against inadvertent isolation due to instrumentation malfunction is not provided.

7.3.1.1.2.4.1.9.5 Subsystem Redundancy and Diversity Redundancy of leak detection signals from high space temperature is provided by two space temperature channels installed in the applicable reactor water cleanup system area, which are associated with one of two trip systems. Each temperature channel is supplied from a different power source.

An absence of separation between associated Class IE and non-Class IE control circuitry occurs on H22 P004 at device G33-N008.

This absence of separation cannot reduce the safety-related function availability of the safety-related controls powered by the Class IE control power as is demonstrated by the following analysis.

a. G33-N008 is a nonsafety-related temperature switch, the purpose of which is to close the RWCU outboard isolation valve on high temperature. Failure of G33-N008 by itself in no way affects plant safety because:

1. In the event the output of the temperature switch fails open, the respective outboard Division I valve will respond in the fail-safe mode and subsequently close.

2. In the event that the output of the temperature switch fails closed and a subsequent high temperature condition occurs at the nonregenerative heat 7.3-59 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) exchanger outlet, the respective outboard RWCU valve (G33-F004) will remain open. The consequence of these two events would cause the outlet resin filter to overheat and require maintenance. This condition is not a safety concern which would cause the release of radioactive effluent into the environment.

b. In case of a DBE, and coincident postulated credible failure of G33-N008, the following results would occur:

1. A low resistance short of the associated Class IE circuit inside G33-N008 would blow the fuse or trip the breaker in the Class IE circuit. Since the safety-related devices on that circuit are designed to be fail-safe, they will initiate the safety action on loss of power.

2. A resistance short of the associated (including the fuse failing to blow) Class IE circuit inside G33-N008 will not, under any condition, disable the safety function, because the safety function relies on normally closed contacts to open and de-energize a normally energized relay coil to initiate the safety function.

3. A short of the non-Class IE power circuit to the associated Class IE circuit inside G33-N008 will not disable the safety function for the same reason as item 2.

4. The same analysis, as above, applies to the absence of separation in the junction box on H22 P004 where the circuits are terminated.

Diversity is discussed in subsection 7.3.1.1.2.4.1.8.5.

7.3.1.1.2.4.1.9.6 Subsystem Bypasses and Interlocks Reactor water cleanup system high space temperature trips have no automatic bypasses associated with them.

There are no interlocks to other systems from the reactor water cleanup system high space temperature trip signals.

7.3-60 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.4.1.9.7 Subsystem Testability Testability is discussed in subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.10 RHR System - Area High Temperature 7.3.1.1.2.4.1.10.1 Subsystem Identification High temperature in the area of the RHR system pumps could indicate a breach in the nuclear process barrier in the RHR shutdown cooling system. High area temperature initiates isolation of the RHR shutdown cooling system.

High temperature in the spaces occupied by the reactor shutdown cooling system piping and the reactor water cleanup system piping outside the drywell is sensed by thermocouples that indicate possible pipe breaks.

Temperature sensors in the equipment area of the RHR shutdown cooling system and the reactor water cleanup system will, when a high temperature is detected, cause isolation.

7.3.1.1.2.4.1.10.2 Power Supplies Division 1 and 2 logics are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard RHR system isolation valves is supplied from the ESF divisions 1 and 2 buses, respectively.

7.3.1.1.2.4.1.10.3 Initiating Circuits Four space temperature sensing circuits monitor the RHR system area temperatures. Two space temperature circuits are located in each RHR equipment area associated with each of two trip systems.

The locations of the temperature elements provide the earliest practical detection of any RHR system line break.

7.3.1.1.2.4.1.10.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant increase in RHR area space temperature is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all RHR system isolation valves.

7.3-61 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Four instrumentation channels are provided to assure protective action, when required. The output trip signal of each instrumentation channel initiates a trip system trip and closure of either the inboard or outboard RHR system isolation valve. To close both the inboard and outboard isolation valves, both trip systems must trip. Protection against inadvertent isolation due to instrumentation malfunction is not provided.]

7.3.1.1.2.4.1.10.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for high space temperature is provided by two space temperature channels of each type installed in each RHR equipment area. These are connected to one of two trip systems. Each space temperature channel in an area is supplied from a different power source.

Diversity of trip initiation signals for RHR line break is provided by space temperature variables and excess flow instrumentation variables. An increase in space temperature will initiate RHR system isolation. RHR system isolation is also initiated by an increase in flow using a combined RHR/RCIC flow monitoring system.

7.3.1.1.2.4.1.10.6 Subsystem Bypasses and Interlocks The RHR system high space temperature trip signals have no automatic bypasses associated with them.

There are no interlocks to other systems from the RHR system high space temperature trip signals.

7.3.1.1.2.4.1.10.7 Subsystem Testability Testability is discussed in subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.1.11 Main Steam Line - Leak Detection 7.3.1.1.2.4.1.11.1 Subsystem Identification The main steam lines are constantly monitored for leaks by the leak detection system (Figure 7.6-2). Steam line leaks will cause changes in at least one of the following monitored operating parameters: sensed area temperature, flow rate, or low water level in the reactor vessel. If a leak is detected, the detection system responds by triggering an annunciator and initiating a steam line isolation trip logic signal. The main 7.3-62 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) steam line break leak detection subsystem consists of three types of monitoring circuits: a) The first of these monitors the ambient area temperature, causing an alarm circuit and main steam line isolation valve logic to be initiated when the observed temperature rises above a preset maximum; b) The second type of circuit monitors the mass flow rate through the main steam lines to provide comparative information and to initiate an alarm circuit and closure of isolation valves when the observed flow rate exceeds a preset maximum; and c) The third type of circuit detects low water level in the reactor vessel and sends a trip signal to the isolation valve logic when level decreases below a preselected set point.

The area temperature monitoring feature is discussed in 7.3.1.1.2.4.1.3.

The main steam line flow monitoring feature is discussed in 7.3.1.1.2.4.1.4.

The reactor vessel level monitoring feature is discussed in 7.3.1.1.2.4.1.1.

The RCIC high temperature and flow features are discussed in subsections 7.6.1.4.3.3.2 and 7.6.1.4.3.3.4, respectively.

7.3.1.1.2.4.1.12 Main Condenser Vacuum Trip 7.3.1.1.2.4.1.12.1 Subsystem Identification In addition to the turbine stop valve trip on low condenser vacuum, which is a standard component of turbine system instrumentation, a main steam line isolation valve trip from the low condenser vacuum instrumentation system is provided and meets the safety design basis of the containment and reactor vessel isolation control system.

The main turbine condenser low vacuum signal indicates a leak in the condenser. Initiation of automatic closure of various Class A valves will prevent excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process barrier. Upon detection of turbine condenser low vacuum, the following lines will be isolated:

a. All four main steam lines 7.3-63 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Main steam line drain There are four independent main condenser vacuum transmitters for the purpose of providing an isolation signal to the main steam isolation valves. Each vacuum transmitter has its own isolation (root valve) and pressurizing source connection for testing. The wiring and separation requirements for these switches are in accordance with IEEE Std. 279. The vacuum transmitter setting is selected so that it is compatible with safe turbine and main condenser operation at design conditions.

7.3.1.1.2.4.1.12.2 Subsystem Power Supplies Main steam line isolation valves (outboard and inboard) are supplied from reactor protection system buses A and B 120 V ac.

The divisions 1, 2, 3, and 4 trip logics for MSIVs are supplied from Class 1E 120 VAC uninterruptible power.

Divisions 1 and 2 logics associated with the outboard and inboard main steam line drain valves, respectively, are supplied from 120 V ac Class IE uninterruptible power supplies, divisions 1 and 2, respectively.

Power for the outboard and inboard main steam line drain valves is supplied from the ESF divisions 1 and 2 buses, respectively.

7.3.1.1.2.4.1.12.3 Subsystem Initiating Circuits Four pressure sensing circuits monitor main condenser vacuum.

One pressure circuit is associated with each of four instrumentation channels. The four pressure transmitters sense pressure in the high-pressure condenser which provides the earliest practical detection of main condenser leakage.

7.3.1.1.2.4.1.12.4 Subsystem Logic and Sequencing

[HISTORICAL INFORMATION] [When a significant decrease in main condenser vacuum is detected, trip signals are transmitted to the CRVICS. The containment and reactor vessel isolation control system initiates closure of all main steam line isolation and drain valves.

Four instrumentation channels are provided to assure protective action, when required, and to prevent inadvertent isolation resulting from instrumentation malfunctions.

7.3-64 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The output trip signal of each instrumentation channel initiates a logic trip. The output trip signals of the trip logics are combined in one-out-of-two twice and two-out-of-two logics.

Division 1 or 3 and division 2 or 4 are required to initiate main steam line isolation. Divisions 2 and 3 or divisions 1 and 4 are required to initiate main steam line drain isolation. All four logic divisions must trip to close both inboard and outboard main steam line drain valves. Therefore, failure of any one trip logic does not result in inadvertent isolating action.]

7.3.1.1.2.4.1.12.5 Subsystem Redundancy and Diversity Redundancy of trip initiation signals for low vacuum is provided by four pressure transmitters. Each pressure transmitter is connected to one of four trip logics. Two pressure transmitters are supplied from one power source and the other two are supplied from a different power source.

Diversity of trip initiation is not provided.

7.3.1.1.2.4.1.12.6 Subsystem Bypasses and Interlocks Main condenser low vacuum trip can be bypassed manually when condenser vacuum is less than normal (as during start-up).

There are no interlocks to other systems for main condenser low vacuum trip signals.

7.3.1.1.2.4.1.12.7 Subsystem Testability Testability is discussed in subsection 7.3.2.2.2.3.1.10.

7.3.1.1.2.4.2 System Instrumentation Sensors providing inputs to the containment and reactor vessel isolation control system are not used for the automatic control of the process system, thereby achieving separation of the protection and process systems. Channels are physically and electrically separated to reduce the probability that a single physical event will prevent isolation. Redundant channels for one monitored variable provide inputs to different isolation trip systems. The functions of the sensors in the isolation control system are shown in Figures 7.3-5 and 7.3-6.

7.3-65 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.5 System Logic

[HISTORICAL INFORMATION] [The basic logic arrangement is one in which an automatic isolation valve is controlled by two trip systems. Each trip system has two logics, each of which receives input signals from at least one channel for each monitored variable. Thus, two channels are required for each essential monitored variable to provide independent inputs to the logics of one trip system. A total of four channels for each essential monitored variable is required for the logics of both trip systems.

Either of the two logics associated with one trip system can produce a trip. The logic is a one-out-of-two twice arrangement.

To initiate valve closure, the trip logics of both trip systems must be tripped. The overall logic of the system could thus be termed one-out-of-two taken twice.

The one-out-of-two taken twice logic is used to control each main steam line isolation valve (MSIV). The four logic strings for this control are shown in the NBS FCD (see Section 1.7). The logic outputs used to control the main steam line drain valves could be termed two-out-of-two, applied to each valve. The logic strings for this control are shown in the NBS FCD. The variables that initiate automatic closure of the MSIVs are:

a. Low reactor water level

b. Deleted

c. High main steam line flow

d. High main steam line tunnel temperature

e. Low turbine throttle pressure in RUN mode

f. Main condenser low vacuum Drywell and containment isolation valves are controlled by drywell high pressure and reactor low water level signals. In this arrangement, two drywell pressure sensors are combined with two water level sensors. This logic could be termed two-out-of-two for each signal applied to each valve. These same drywell pressure and water level logics are used for initiation of the standby gas treatment system.

7.3-66 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The reactor water sample valves are controlled by reactor low water level and main steam line high-radiation signals. In this arrangement, two reactor low water level sensors are combined with two main steam line high-radiation sensors. This logic could be termed two-out-of-two for each signal applied to each valve.

The RHR isolation valves are controlled by reactor high pressure, high area temperature, and reactor low water level. Reactor high pressure logic could be termed one-out-of-two for each signal applied to each valve. Reactor low water level logic could be termed two-out-of-two for each signal applied to each valve. High area temperature logic could be termed one-out-of-one for each signal applied to each valve.

The reactor water cleanup isolation valves are controlled by two trip systems, using high DELTA flow, high area temperature, and low water level signals.] Also, standby liquid control initiation and high filter demineralizer inlet temperature signals are supplied to select valves to shutdown the system.

7.3.1.1.2.6 System Sequencing A discussion of all sequencing of all subsystem of the CRVICS is provided in subsection 7.3.1.1.2.4.

7.3.1.1.2.7 System Bypasses and Interlocks

[HISTORICAL INFORMATION] [A bypass of the main steam line low-pressure signal is effected in the startup, refuel, or shutdown modes of operation (see isolation functions and settings in subsection 7.3.1.1.2.4.1).

Interlocks are provided from position switches on the containment and drywell drain sump pump discharge lines to the radwaste system to turn off the drain sump pumps if the isolation valves close.]

7.3.1.1.2.8 System Redundancy and Diversity The variables which initiate isolation are listed in the circuit description, subsection 7.3.1.1.2.4.1. Also listed there are the number of initiating sensors and channels for the isolation valves.

7.3-67 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2.9 System Actuated Devices To prevent the reactor vessel water level from falling below the top of the active fuel as a result of a pipeline break, the valve closing mechanisms are designed to meet the minimum closing rates specified in Table 6.2-44.

The main steam line isolation valves are spring-closing, pneumatic, piston-operated valves, reference Figure 5.2-6. They close on loss of pneumatic pressure to the valve operator. This is a fail-safe design. Closure time for the valves is hydraulically controlled with a flow control valve and is adjustable between 3 and 10 seconds. Each valve is piloted by two three-way, packless, direct-acting, solenoid-operated pilot valves both powered by ac. An accumulator located close to each isolation valve provides pneumatic pressure for valve closing in the event of failure of the normal air supply system.

The sensor channel and trip logic relays for the instrumentation used in the systems described are high reliability relays. The relays are selected so that the continuous load will not exceed 50 percent of the continuous duty rating.

7.3.1.1.2.10 System Separation Sensor devices are separated physically such that no single failure (open, closure, or short) can prevent the safety action.

By the use of conduit and separated cable trays, the same criterion is met from the sensors to the logic cabinets in the control room. The logic cabinets are so arranged that redundant equipment and wiring are not present in the same bay of a cabinet.

Redundant equipment and wiring may be present in control room bench boards where separation is achieved by surrounding redundant wire and equipment in metal encasements. (A bay is characterized as having adequate fire barriers.) From the logic cabinets to the isolation valves, separated cable trays or conduit are employed to complete adherence to the single failure criterion.

7.3.1.1.2.11 System Testability The main steam line isolation valve instrumentation is capable of complete testing during power operation. The isolation signals include low reactor water level, high main steam line flow, high main steam line tunnel temperature, low condenser vacuum, and low 7.3-68 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) turbine pressure. The water level, turbine pressure, and steam line flow sensors are pressure or differential pressure type sensors which may be valved out of service one at a time and functionally tested using a test pressure source. The radiation measuring amplifier, which sends a signal to isolate only the reactor water sample valves, is provided with a test switch and internal test source by which operability may be verified.

Functional operability of the temperature trip units may be verified by testing from the control room. Control room indications include annunciation, panel lights and computer printout. The condition of each sensor is indicated by at least one of these methods in addition to annunciators common to sensors of one variable. In addition, the functional availability of each isolation valve may be confirmed by completely or partially closing each valve individually at reduced power using test switches located in the control room.

The cleanup system isolation and system shutdown signals include low reactor water level, equipment area high ambient temperature, high differential flow, high temperature downstream of the non-regenerative heat exchanger, and standby liquid control system actuation. The water level sensor is of the differential pressure type and can be periodically tested by valving each sensor out of service and applying a test pressure. The temperature switches may be functionally tested by removing them from service and applying a heat source to the temperature sensing elements. The differential flow transmitters may be tested by applying a test input. The various trip actuations are annunciated in the control room. Also, valve indicator lights in the control room provide indication of cleanup isolation valve position.

7.3.1.1.2.12 System Environmental Considerations The physical and electrical arrangement of the containment and reactor vessel isolation control system was selected so that no single physical event will prevent achievement of isolation functions. Motor operators outside the containment have weather proof-type enclosures. Solenoid valves used as air pilots, are provided with watertight enclosures. All cables and operators are capable of operation in the most unfavorable ambient conditions anticipated for normal operations. Temperature, pressure, humidity, and radiation are considered in the selection 7.3-69 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) of equipment for the system. Cables used in high-radiation areas have radiation-resistant insulation. Shielded cables are used where necessary to eliminate interference from magnetic fields.

Special consideration has been given to isolation requirements during a loss-of-coolant accident inside the drywell. Components of the containment and reactor vessel isolation control system that are located inside the drywell and that must operate during a loss-of-coolant accident are the cables, control mechanisms, and valve operators of isolation valves inside the drywell.

These isolation components are required to be functional in a loss-of-coolant accident environment. (See Tables 3.11-1, -2, and -3.) Electrical cables are selected with insulation designed for this service. Closing mechanisms and valve operators are considered satisfactory for use in the isolation control system only after completion of environmental testing under loss-of-coolant accident conditions or submission of evidence from the manufacturer describing the results of suitable prior tests.

7.3.1.1.2.13 System Operational Considerations 7.3.1.1.2.13.1 General Information The containment and reactor vessel isolation control system is not required for normal operation. This system is initiated automatically when one of the monitored variables exceeds preset limits. No operator action is required for at least 10 minutes following initiation.

All automatic isolation valves can be closed by manipulating switches in the control room, thus providing the operator with control which is independent of the automatic isolation functions.

7.3.1.1.2.13.2 Operator Information In general, once isolation is initiated, the valve continues to close even if the condition that caused isolation is restored to normal. The reactor operator must manually operate switches in the control room to reopen a valve that has been automatically closed. Unless manual override features are provided in the manual control circuitry, the operator cannot reopen the valve until the conditions that initiated isolation have cleared.

7.3-70 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A trip of an isolation control system channel and the trip logic of main steam line isolation and drain valves are annunciated in the control room so that the reactor operator is immediately informed of the condition. The response of isolation valves is indicated by OPEN/CLOSED lights. All motor-operated and air-operated isolation valves have OPEN/ CLOSED lights.

Inputs to annunciators, indicators, and the process computer are arranged so that no malfunction of the annunciating, indicating, or computing equipment can functionally disable the system.

Direct signals from the isolation control system sensors are not used as inputs to annunciating or data logging equipment.

Isolation is provided between the primary signal and the information output.

7.3.1.1.2.13.3 Deleted 7.3.1.1.2.14 Nonessential Components All nonessential components have been isolated from essential components so that a failure in a nonessential component will not prevent proper CRVICS operation.

7.3.1.1.2.15 Supporting Systems The supporting systems required for the containment and reactor vessel isolation control system are identified in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.3 MSIV-LCS - Instrumentation and Controls 7.3.1.1.3.1 System Identification The MSIV-LCS is designed to minimize the release of fission products which could leak through the closed MSIVs and bypass the standby gas treatment system after the postulated LOCA. This is accomplished by directing the leakage through the closed main steam isolation valves (MSIVs) to bleed lines which pass the leakage flow into an area served by the standby gas treatment system.

The instrumentation and controls of the MSIV-LCS are shown on the MSIV-LCS FCD (see Section 1.7).

7.3-71 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The instrumentation necessary for control and status indication of the MSIV-LCS are classified as essential and as such are designed and qualified in accordance with applicable IEEE Standards to function under seismic Category I and LOCA environmental loading conditions appropriate to their installation with the control circuits designed to satisfy the mechanical and electrical separation criteria.

7.3.1.1.3.2 Power Sources The instrumentation and controls of the main steam isolation valve leakage control system (MSIV-LCS) is powered by separate 120 V ac divisional power with each subsystem (inboard and outboard) powered by a different division.

7.3.1.1.3.3 Equipment Design The instrumentation components for the MSIV-LCS except for the reactor pressure sensors are located outside the containment.

Cables connect the sensors and transmitters to control circuitry within the logic panel. A functional test of the system instrumentation can be performed during normal reactor power operation. However, the MSIV-LCS isolation valves can only be tested one at a time. Inboard and outboard subsystem controls and instrumentation are electrically and mechanically separated to assure that no single failure event can disable the MSIV-LCS. The MSIV-LCS is designed to operate from normal offsite auxiliary power sources or from a divisional diesel generator set if offsite power is not available.

7.3.1.1.3.4 Initiating Circuits The MSIV-LCS can be manually actuated after a LOCA has occurred, provided that the reactor and steam line pressure are below the pressure permissive interlock set points and the inboard MSIVs are fully closed. The outboard subsystem is provided with one remote manual initiating switch, while the inboard subsystem is provided with one remote manual initiating switch per steam line.

The Outboard MSIV-LCS is the preferred division of MSIV-LCS operation. Establishing the Outboard MSIV-LCS as the preferred division provides greater assurance that leakage to the standby gas treatment system is minimized since there are two MSIVs prior to the outboard MSIV-LCS connection to the steam lines. In the 7.3-72 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) event of a single failure of either an inboard or outboard MSIV to close, the redundant valve is functional and the outboard MSIV-LCS operation is unaffected.

The inboard subsystem has individually controlled process lines provided for each steam line (see Figure 6.7-1, MSIV-LCS P&ID).

When the inboard subsystem is initiated, it depressurizes the steamlines. If the steam line pressure is greater than 5 psig after 1 minute, the bleed valves will close. If the pressure is not excessive, the bleed valves will remain open. Flow is established into an area serviced by the standby gas treatment system.

The outboard subsystem process lines from each main steam line are connected to a header connecting to the depressurization and bleedoff branch (see Figure 6.7-1, MSIV-LCS P&ID).

When the outboard subsystem is initiated, depressurization valves are opened and the exhaust blowers are activated. When the steam lines have depressurized to approximately atmospheric pressure, the depressurization branch valves are closed and flow is diverted to the blower suction lines.

7.3.1.1.3.5 Logic and Sequencing

[HISTORICAL INFORMATION] [A LOCA is signalled by high drywell pressure and low-low water level. After a LOCA has occurred, the MSIV-LCS system can be manually initiated.

Indicators for both reactor and steam line pressures for the inboard and outboard subsystems are available on the control cabinet.]

7.3.1.1.3.6 Bypasses and Interlocks Both the inboard and outboard subsystem are provided with reactor and steam line pressure interlocks to prevent inadvertent system initiation during normal reactor power operation. An inboard MSIV closure interlock is provided for each of the lines by a position switch which will prevent initiation of the MSIV-LCS if the inboard valve is open.

During test operation, the two motor operated valves cannot be opened simultaneously on a MSIV-LCS process line.

7.3-73 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.3.7 Redundancy and Diversity The MSIV-LCS consists of two subsystems: inboard and outboard.

Each subsystem has instrumentation, controls, and power sources which are separate and independent from each other. Either system may be manually initiated after a LOCA. This system is not required in itself to be diverse. It is interlocked by diverse parameter inputs.

7.3.1.1.3.8 Actuated Devices All actuated devices can be individually tested during normal plant operation.

7.3.1.1.3.9 Separation The instrumentation, controls, and sensors of each subsystem have sufficient physical and electrical separation to prevent environmental, electrical, or physical accident consequences from inhibiting the MSIV-LCS from performing its protective action.

Physical separation is maintained by use of separate divisional cabinets and racks for each subsystem. Electrical separation is maintained by separate sensors and circuits independent of each other.

7.3.1.1.3.10 Testability The operation of each subsystem up to and including the actuators can be independently verified during normal plant operation.

Instrument set points are tested by simulated signals of sufficient magnitude to verify the alarm points.

7.3.1.1.3.11 Environmental Conditions Controls and indicators are located in the control room. The sensors are located outside the containment. All controls, instrumentation, and sensors have been selected to meet the normal, accident, and post-accident worst case environmental conditions of temperature, pressure, humidity, radiation, and vibration expected at their respective locations. (Refer to Tables 3.11-1 and 3.11-3 for equipment qualification.)

7.3-74 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.3.12 Operational Considerations 7.3.1.1.3.12.1 General Information The MSIV-LCS is designed to be manually actuated no later than 20 minutes after a postulated design basis LOCA. All controls and instrumentation and indicators needed for effective operation are in the control room.

7.3.1.1.3.12.2 Operator Information The mechanical system description and performance evaluations in Section 6.7.1 provide a detailed discussion of the operators information and the necessary action to complete the system functional objectives. Refer also to the system's P&ID (Figure 6.7-1) and FCD (see Section 1.7).

7.3.1.1.3.12.3 Set Points There are no automatic set points. The system is manually actuated.

7.3.1.1.3.13 Nonessential Components All nonessential components have been isolated from essential components so that a failure in a nonessential component will not prevent proper MSIV-LCS operation.

7.3.1.1.3.14 Supporting Systems The supporting systems required for the main steam isolation valve leakage control system are identified in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.4 RHR/Containment Spray System - Instrumentation and Controls 7.3.1.1.4.1 System Identification The containment spray system is an operating mode of the residual heat removal system automatically initiated when necessary variables exceed set points. It is designed to provide the capability of condensing steam in the containment atmosphere.

The system can be manually initiated if necessary.

The RHR system is shown in P&ID Figures 5.4-16 and 5.4-17.

7.3-75 Revision 2019-075

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.4.2 Power Sources Power for the RHR system pumps is supplied from two ac buses that can receive standby ac power. Motive power for the automatic valves comes from the bus that powers the pumps for that loop.

Control power for the RHR components comes from the dc buses.

7.3.1.1.4.3 Equipment Design Control and instrumentation for the following equipment is required for this mode of operation:

a. Two RHR main system pumps

b. Pump suction valves

c. Containment spray discharge valves Variables needed for automatic operation of the equipment are reactor water level, containment pressure, and drywell pressure.

The instrumentation for containment spray operation assures that water will be automatically routed from the suppression pool to the containment spray system for use in the containment air volume.

Containment spray operation uses two pump loops, each loop with its own separate discharge valve. All components pertinent to containment spray operation are located outside of the drywell.

Motive and control power for the two loops of containment spray instrumentation and control equipment are the same as that used for LPCI A and LPCI B.

The containment spray system can be manually initiated from the control room if drywell pressure is above the high set point, allowing the operator to act independently of automatic controls in the event of a loss-of-coolant accident.

7.3.1.1.4.4 Initiating Circuits Containment spray A Containment pressure is monitored by two absolute pressure transmitters mounted in instrument racks in the containment.

7.3-76 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Drywell pressure is monitored by two absolute pressure transmitters mounted in instrument racks in the containment.

Cables from these transmitters are routed to the control room relay logic cabinets.

The two containment pressure and the two drywell pressure transmitters are electrically connected so that no single sensor failure can prevent initiation of containment spray A.

The above sensors in combination with an approximate 10-minute time delay after LPCI initiation (reactor low water level and/or high drywell pressure) provide the automatic initiation signal for containment spray A. This signal is sealed in and must be manually reset.

Automatic initiation requires both high drywell pressure and high containment pressure signals. Manual initiation requires the existence of a high drywell pressure. There is no time delay on manual start.

Containment spray B Initiation of containment spray B is identical to that of A except that on automatic start an additional time delay of 90 seconds can be added by a second timer in the circuit, to preclude simultaneous automatic starting of both loops. However, analysis has shown that this additional time delay is not required and the train B timers are set so that both trains initiate simultaneously.

7.3.1.1.4.5 Logic and Sequencing

[HISTORICAL INFORMATION] [The operating sequence of containment spray following receipt of the necessary initiating signals is as follows:

a. The LPCI system pumps continue to operate.

b. Valves in other RHR modes are automatically positioned or remain as positioned during LPCI.

c. The service water pumps are signaled to start.

d. Service water supply and discharge valves to the RHR heat exchanger are signaled to open.

7.3-77 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

e. If the heat exchanger inlet and outlet valves are both open, the heat exchanger bypass valve is signaled to close. If either heat exchanger valve is closed, the bypass valve remains open. This provides the containment spray function, but without the heat exchangers first cooling the suppression pool water.

The containment spray system will continue to operate until the drywell pressure or containment pressure drops below the trip point and the operator depresses the reset pushbutton thus removing the logic seal-in. The operator can then initiate another mode of RHR.]

7.3.1.1.4.6 Bypasses and Interlocks No bypasses are provided for the containment spray system.

Interlocks are provided to correctly line up RHR system valves to perform the containment spray functions. These are shown in the RHR FCD (see Section 1.7).

7.3.1.1.4.7 Redundancy and Diversity Redundancy is provided for the containment spray function by two separated divisional loops. Redundancy of initiation sensors is described in subsection 7.3.1.1.4.4 under Initiating Circuits.

The initiating circuits for containment spray are not diverse.

7.3.1.1.4.8 Actuated Devices The RHR FCD shows the functional control arrangement of the containment spray system.

The RHR A and RHR B loops are utilized for containment spray.

Therefore, the pumps and valves are the same for LPCI and containment spray except that each has its own discharge valve.

See subsection 7.3.1.1.1.4.6, LPCI Actuated Devices for specific information.

7.3.1.1.4.9 Separation Containment spray is a division 1 (RHR A) and a division 2 (RHR B) system. Manual controls, logic circuits, cabling, and instrumentation for containment spray are mounted so that division 1 and division 2 separation is maintained. Separation from division 3 is also maintained.

7.3-78 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.4.10 Testability The containment spray system is capable of being tested up to the last discharge valve during normal operation. Drywell and containment pressure and reactor vessel water level initiation channels are tested by cross comparison between related channels.

The instrument channel trip set point is verified by manually introducing a test signal and observing the channel meter and indicator light on the output of the trip device. Testing for functional operability of the control logic relays can be accomplished by use of plug-in test jacks and switches in conjunction with single sensor tests. Other control equipment is functionally tested during manual testing of each loop. Adequate indication in the form of panel lamps and annunciators are provided in the control room.

7.3.1.1.4.11 Environmental Considerations Refer to Tables 3.11-1 and 3.11-3 for environmental qualification of the subject system equipment.

7.3.1.1.4.12 Operational Considerations 7.3.1.1.4.12.1 General Information Containment spray is a mode of the RHR, and is not required during normal operation.

7.3.1.1.4.12.2 Operator Information Sufficient temperature, flow, pressure, and valve position indications are available in the control room for the operator to accurately assess containment spray operation. Alarms and indications are shown in Figures 5.4-16 and 5.4-17 (RHR P&ID) and the RHR FCD (see Section 1.7).

7.3.1.1.4.12.3 Deleted 7.3.1.1.4.13 Nonessential Components All nonessential components have been isolated from essential components so that a failure in a nonessential component will not prevent proper containment spray operation.

7.3-79 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.4.14 Supporting Systems The supporting systems required for RHR/containment spray are shown in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.5 Combustible Gas Control System Refer to subsection 6.2.5 for a description of the combustible gas control system (CGCS). The CGCS consists of two major safety-related subsystems: the drywell purge system and the hydrogen control system consisting of a hydrogen recombiner system and a hydrogen ignition system. A nonessential containment purge system is included as a backup to the containment hydrogen control systems.

7.3.1.1.5.1 Drywell Purge System The drywell purge system serves to purge the hydrogen produced after a LOCA into the larger containment volume for dilution. It also provides a means to relieve drywell vacuum following a LOCA.

Final system drawings for the CGCS are provided by reference in Section 1.7. The logic diagram is Drawing J-1237. The electrical schematic is Drawing E-1186. The system P&ID is provided as Figure 6.2-81.

7.3.1.1.5.1.1 Initiating Circuits Upon the occurrence of a LOCA, as monitored by the ECCS control system (see subsection 7.3.1.1.1), the drywell purge control system automatically closes the motor-operated inlet isolation valves and stops the drywell purge compressors, should they be operating for a test. When drywell pressure has dropped below the high differential pressure setpoint following a LOCA, the drywell purge system is automatically initiated. When drywell pressure drops below the low differential pressure setpoint following a LOCA, vacuum relief will then initiate at a differential pressure across the check valves of one psi. The drywell purge system may be manually initiated on a component or system level from the control room.

7.3-80 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.5.1.2 Logic

[HISTORICAL INFORMATION] [The drywell purge logic is arranged in two independent and redundant systems, each initiated by a one-out-of-two twice arrangement of drywell referenced to containment differential pressure sensors. Once initiated, seal-in features ensure that system operation goes to completion. Operator action is required to return each component of the drywell purge system to its normal state after the initiation signal is no longer present.

Each of the two trip systems is made up of individual solid state bistables and electromechanical relays to provide independence of control components and preserve the independence of the associated mechanical equipment.]

7.3.1.1.5.1.3 Bypasses There are no automatic or operating bypasses in the drywell purge system.

7.3.1.1.5.1.4 Interlocks The drywell purge system is interlocked with the ECCS to pre-vent system operation unless a LOCA has occurred. Initiation at the system level is prevented until 30 seconds after a LOCA is detected by a signal from the ECCS control system. An interlock is also provided to maintain the normal drywell vacuum relief valves closed during a LOCA.

The drywell purge compressors are equipped with low lube oil pressure and high lube oil temperature trips. However, the trips are bypassed except when the compressors are in the test mode.

Furthermore, should an accident occur during testing, the system initiation signal will override the lube oil trips. For more detail, see logic drawings J-1237, Sheets 20 and 40, provided by reference in Section 1.7.

7.3.1.1.5.1.5 Sequencing

[HISTORICAL INFORMATION] [Immediately upon detection of a LOCA, the drywell purge compressors are stopped and the drywell purge inlet and the post-LOCA vacuum relief isolation valves are closed, should the system be running for test, to ensure that there is no drywell bypass path. Thirty seconds after receipt of the LOCA signal, the drywell purge system is permitted to start.]

7.3-81 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

As steam condenses in the drywell, the drywell referenced to containment pressure will drop. When the drywell pressure falls below the high differential pressure setpoint, the purge compressors will start and the drywell purge inlet isolation valves will open. Further steam condensation causes the drywell pressure to drop below the low differential pressure setpoint at which time the post-LOCA vacuum relief isolation valves open. As the vacuum is relieved, the post-LOCA vacuum relief isolation valves close again and the purge compressors pressurize the drywell until noncondensible gases are forced through the horizontal vents in the suppression pool to the containment.

Refer to subsection 8.3.1.1.3 for a discussion of ESF bus load sequencing.

7.3.1.1.5.1.6 Redundancy Two completely independent and redundant drywell purge systems are provided, including independent and redundant trip systems and mechanical equipment. The two trip systems and their associated mechanical devices are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems.

7.3.1.1.5.1.7 Diversity The drywell purge system may be initiated either automatically upon detection of a LOCA by the ECCS control system, or manually on a system or individual device basis.

7.3.1.1.5.1.8 Actuated Devices Component devices actuated by the drywell purge system are shown in Table 7.3-14.

7.3.1.1.5.1.9 Supporting Systems The supporting systems required for the drywell purge system are identified in Table 7.3-1 and are described as referenced in that table.

7.3-82 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.5.2 Hydrogen Control System The hydrogen control system serves to reduce the concentration of hydrogen in the drywell and containment. A hydrogen analyzer system is provided to indicate hydrogen concentration to the operator. Refer to subsection 7.5.1.2.8.3 for a description of the analyzer.

7.3.1.1.5.2.1 Initiating Circuits 7.3.1.1.5.2.1.1 Hydrogen Recombiners The hydrogen recombiners are manually initiated by the operator from the control room when the hydrogen concentration reaches the limits specified in the emergency procedures.

7.3.1.1.5.2.1.2 Hydrogen Igniters The hydrogen igniters are manually initiated by the operator from the control room when directed by the emergency procedures.

7.3.1.1.5.2.2 Logic The hydrogen recombiners are initiated by the operator, stop on loss of ESF voltage, and restart when voltage is restored.

Hydrogen igniter energization is initiated by the operator.

Igniters de-energize on loss of ESF voltage and re-energize when voltage is restored.

7.3.1.1.5.2.3 Bypasses There are no bypasses in the hydrogen control system.

7.3.1.1.5.2.4 Interlocks There are no interlocks in the hydrogen control system.

7.3.1.1.5.2.5 Sequencing Refer to subsection 8.3.1.1.3 for a discussion of ESF bus load sequencing. There is no other automatic sequencing in the hydrogen control system.

7.3-83 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.5.2.6 Redundancy Two completely independent and redundant hydrogen recombiners are provided. They each have 100 percent capacity and are physically and electrically separated.

Two completely independent and redundant hydrogen igniter banks are provided. There is at least one igniter from each bank in each compartment.

7.3.1.1.5.2.7 Diversity Diversity is provided for the CGCS as a whole by initiation on diverse signals: reactor low water level, drywell high pressure, or manual initiation. The hydrogen recombiners and hydrogen igniters are manually initiated only and, therefore, do not have diversity of initiation signals.

7.3.1.1.5.2.8 Actuated Devices Component devices actuated by the hydrogen control system are shown in Table 7.3-14.

7.3.1.1.5.2.9 Supporting Systems The supporting systems required for the hydrogen control system are identified in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.5.3 Nonessential Components

a. Containment Purge System The containment purge system serves to purge the containment atmosphere of residual combustible gases and fission products prior to entry by personnel. The containment purge system equipment is not designed to survive a LOCA. Should it survive, it serves as a backup to the hydrogen control system. The containment air is exhausted through the containment cooling system deep-bed charcoal banks and high-efficiency particulate air filter.

b. Normal Drywell Vacuum Relief 7.3-84 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The normal drywell vacuum relief system is provided to relieve a vacuum in the drywell which may occur due to normal temperature and humidity changes in the drywell that cannot be accommodated by the HVAC system. This is not a safety system and is not connected with the post-LOCA vacuum relief line in the drywell purge system.

An interlock is provided to the drywell purge system to maintain the normal vacuum relief valves closed during a LOCA.

c. Computer and Annunciator Systems The CGCS logic and control systems are electrically isolated from the plant computer and annunciator systems.

Failure of the computer or annunciator will have no effect on the operation of the CGCS.

7.3.1.1.6 Feedwater Leakage Control System Refer to subsection 6.7.2 for a description of the feedwater leakage control (FWLC) system. The FWLC system minimizes the throughline leakage from the feedwater piping following a postulated LOCA by providing a positive water seal between the containment isolation valves on the feedwater lines.

Final system drawings for the FWLC system are provided by reference in Section 1.7. The logic diagram is Drawing J-1298.

The electrical schematic is Drawing E-1155. The system P&ID is provided as Figure 6.7-5.

7.3.1.1.6.1 Initiating Circuits The outboard portion of the FWLC system can be manually initiated after a LOCA has occurred, provided that the feed- water line pressure is below the permissive set point, and the outboard feedwater line shutoff valves are fully closed. The inboard portion of the FWLC system can be manually initiated after a LOCA has occurred, provided that the feedwater line inboard section pressure is below the permissive set point.

7.3-85 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.6.2 Logic

[HISTORICAL INFORMATION] [After a LOCA has occurred, the FWLC system can be manually initiated from the control room by the operator, provided that the feedwater leakage control system line pressure is below the permissive interlock set point and the feedwater shutoff valves are closed.]

7.3.1.1.6.3 Bypasses The FWLC system has no automatic or operating bypasses.

7.3.1.1.6.4 Interlocks Both the inboard and outboard subsystems are equipped with pressure interlocks which isolate the respective subsystems to prevent high feedwater back pressure in the RHR portion of the FWLC system. The outboard subsystem also requires the main feedwater lines isolation valves to be fully closed before subsystem initiation.

7.3.1.1.6.5 Sequencing There is no sequencing associated with the FWLC system.

7.3.1.1.6.6 Redundancy The FWLC system consists of two subsystems, inboard and outboard.

Each subsystem has instrumentation, controls, and power sources which are separate and independent from each other. Either or both subsystems may be manually initiated after a LOCA.

7.3.1.1.6.7 Diversity Either FWLC system may be initiated manually. The pressure interlocks of both inboard and outboard systems are backed up by check valves.

7.3.1.1.6.8 Actuated Devices Actuated devices of the FWLC system are listed in Table 7.3-17.

7.3.1.1.6.9 Supporting Systems The supporting systems required for the FWLC system are identified in Table 7.3-1.

7.3-86 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.6.10 Nonessential Components Computer and Annunciator Systems The FWLC system logic and control circuits are electrically isolated from the plant computer and annunciator systems.

Failure of the computer or annunciator system will have no effect on the FWLC system.

7.3.1.1.7 Standby Service Water System Refer to subsection 9.2.1 for a description of the standby service water (SSW) system. The SSW system is an essential auxiliary supporting system which contains the ultimate heat sink and provides cooling to the plant auxiliaries which are required for a safe reactor shutdown. It is composed of three independent trains, A, B, and C. Trains A and B serve redundant ESF equipment and other essential equipment. Train C serves only the HPCS system.

Final system drawings for the SSW system are provided by reference in Section 1.7. The logic diagram is Drawing J-1221. The electrical schematic is Drawing E-1225. The system P&ID's are provided as Figures 9.2-1, 9.2-2, 9.2-3, and 9.2-4.

7.3.1.1.7.1 Initiating Circuits The SSW system normally operates during periods of reactor shutdown or reactor isolation. It is initiated automatically upon occurrence of a LOCA (see subsection 7.3.1.1.2) or startup of any of the ESF systems it serves, or manually from control room switches, on a system or component level. System initiation signals are tabulated in Table 7.3-19. In addition, the SSW system is initiated automatically on a loss of offsite power through the associated load sequencing circuits.

7.3.1.1.7.2 Logic

[HISTORICAL INFORMATION] [No analog signals are processed by the SSW system initiating logic. Since the SSW system functions only to serve essential systems, its automatic initiation signals are derived from ESF systems and the diesel generators (and RCIC for Train A only). Each train of the SSW system serves independent equipment powered from separate ESF buses, and is initiated by a separate and independent logic system. Once automatically or manually initiated, operator action is required to return each 7.3-87 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) component of the SSW system to its normal (shutdown) condition.

Return to normal (shutdown) is prevented by the control system as long as the initiation signal is present, with the exception that the SSW basin transfer valves may be opened after a one-hour time delay.] Additionally, CGCS containment isolation valves to the drywell purge compressors may be closed (overridden) with the initiation signal present to provide containment isolation.

7.3.1.1.7.3 Bypasses The SSW system automatic signal to open the combustible gas control system (CGCS) compressor cooler valves may, at any time, be overridden manually by the control room hand switches in order to provide containment isolation.

7.3.1.1.7.4 Interlocks There are no interlocks used in the SSW system.

7.3.1.1.7.5 Sequencing Refer to subsection 8.3.1.1 for a discussion of ESF bus load sequencing. There is no other automatic sequencing in the SSW system.

7.3.1.1.7.6 Redundancy Instrumentation and controls associated with the three logic trains of the SSW system are physically and electrically separated. Trains A and B of the SSW system serve redundant essential equipment. Train C, serving only the HPCS system, in conjunction with either of the two main trains of the SSW system, or the two main trains alone, are sufficient to provide adequate cooling water to meet safe shutdown requirements (see subsection 9.2.1).

Additional redundant features include:

a. Independent power sources for each logic train

b. Actuation by redundant ESF systems as well as manual actuation.

7.3-88 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.7.7 Diversity SSW system initiation signals are derived from a variety of sources. Automatic initiation occurs on a signal indicating a LOCA from the LSS system for Trains A and B and the HPCS system for Train C. Initiation of any ECCS system or the diesel generators (or RCIC for Train A only) served by the SSW system causes system initiation. In addition, the operator can manually start the system at any time from the control room. Manual initiation of the components of the system is also provided in the control room. Control switches for the SSW system trains A and B pumps, cooling tower fans, and major valves are provided on the remote shutdown panel.

7.3.1.1.7.8 Actuated Devices Component devices actuated by the SSW system are shown in Table 7.3-20. The SSW system operates in different modes depending on the initiation signals present at any time. Initiation signals are shown in Table 7.3-19 as LOCA, manual initiation, ESF system running, diesel generator running (indicating loss of offsite power), and RCIC running (for Train A only).

7.3.1.1.7.9 Supporting Systems The SSW system is itself an auxiliary supporting system, required to operate as shown in Table 7.3-1. To operate, it requires that ESF power be available.

7.3.1.1.7.10 Nonessential Components

a. SSW pH Control In general, pH control of the SSW basin is not required.

However, if it becomes necessary it will be controlled by addition of chemicals.

b. SSW Chlorination Chlorine can be injected into the SSW basins.

Biological fouling in the standby service water system is normally prevented by addition of a non-oxidizing biocide.

c. SSW System Fill Tank Level Control 7.3-89 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The level in the standby service water fill tank is automatically maintained by makeup from the plant service water system. The fill tank is automatically isolated from the SSW system by a motor operated valve in series with three check valves (one for each loop) during system operation in LOCA or manually initiated modes. The motor operated valve, which is supplied from Division 1 ESF power, is automatically isolated by the Train A initiation logic only.

d. SSW Basin Makeup Control Basin level is normally automatically maintained from the PSWRW system. If the PSWRW system is not available, the two basins, taken together, contain sufficient water to make up all SSW system losses due to evaporation and drift for a period of 30 days after initiation of a shutdown.

Provision is also made to transfer water from one basin to the other for additional makeup if required.

e. Computer and Annunciator Systems The SSW system logic and control systems are electrically isolated from the plant computer and annunciator systems.

Failure of the computer or annunciator will have no effect on the operation of the SSW system.

7.3.1.1.8 Standby Gas Treatment System Refer to subsection 6.5.3 for a description of the standby gas treatment system (SGTS). The SGTS limits release to the environment of radioisotopes which may leak from the containment or fuel handling area under accident conditions.

Final system drawings for the SGTS are provided by reference in Section 1.7. The logic diagram is Drawing J-1236. The electrical schematic is Drawing E-1257. The system P&ID's are provided as Figures 6.5-2 and 6.5-3.

7.3.1.1.8.1 Initiating Circuits The SGTS is initiated automatically upon detection of a LOCA (high drywell pressure or low reactor water level) by the containment and reactor vessel isolation control system (see subsection 7.3-90 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.2) high radiation in the fuel handling area ventilation system exhaust or fuel pool sweep system exhaust, or manually from the control room.

The standby gas treatment system train, when placed in standby, is automatically initiated by the following signals:

a. Low air flow in the other standby gas treatment system filter train

b. Low negative pressure in the enclosure building

c. Low air flow from the other recirculation fan in the enclosure building.

The pressure in the enclosure building is detected by measuring the difference between the atmosphere inside the enclosure building and the outside atmosphere with two differential pressure transmitters for each of the two systems. The standby gas treatment system (SGTS) differential pressure transmitters are located in the auxiliary building at El. 166'-0" and El. 185'-

0". The sensing lines for these pressure transmitters are routed through the enclosure building to El. 234'-0", where the external pressure sensing line penetrates the siding and the internal pressure sensing line terminates in the vicinity of the penetration. The enclosure building area volume is not cooled.

Therefore, it is expected that the enclosure building atmosphere will consistently be at a higher temperature than the outside temperature because of solar heat gains and heat radiation and convection from the containment. A special vent connection is installed on the outside sensing line to prevent moisture collection due to precipitation. Condensation of humidity within the sensing lines in the enclosure building is unlikely, due to the temperature difference between the enclosure building and the outside air. The instrument tubing routed within the atmospherically controlled auxiliary building is isolated from outside conditions by the long tubing run within the enclosure building. Since the air within the differential pressure transmitter sensing lines is stagnant, it is anticipated that the portions of the sensing lines routed within the auxiliary building will be at the same temperature as the areas through which they are routed, thus precluding the condensation and collection of moisture. To further ensure that the pressure transmitters are not affected by moisture, pressure sensing lines are routed with a minimum 1-inch-per-foot slope and drip legs that 7.3-91 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) are periodically checked for moisture are installed upstream of the pressure transmitter. Two flow transmitters are provided to measure the flow from each standby gas treatment train, and one flow transmitter is provided to measure the flow from each enclosure building recirculation fan. (Refer to Figure 6.5-2)

By controlling SGTS flow to approximately 4000 cfm, a minimum of 1/4 inch water gauge negative pressure is maintained in the enclosure building.

7.3.1.1.8.2 Logic

[HISTORICAL INFORMATION] [The SGTS consists of two independent and redundant control systems. In this arrangement, a LOCA signal or two auxiliary building fuel handling area exhaust high radiation or inoperative signals, or two auxiliary building fuel handling area pool sweep exhaust high-radiation or inoperative signals, are used to initiate the standby gas treatment and isolate the auxiliary building fuel handling area, and enclosure and auxiliary buildings.

The two pressure trip units and two flow trip units are connected electrically in a one-out-of-four arrangement so that no single failure can prevent initiation of a train when on standby.

The inlet vanes of the filter train fans will be fully open when the system is not in operation.

When one of the two independent and redundant control systems is initiated manually or automatically, the following events take place:

a. The associated filter train fan starts, and its inlet and outlet dampers open

b. The associated enclosure building recirculation fan starts

c. The associated flow-control dampers open fully

d. The associated filter train fan inlet vanes remain fully open

e. The enclosure and auxiliary buildings are isolated by closing the following valves:

7.3-92 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. The associated auxiliary building fuel handling area ventilation system inlet and outlet isolation valves

2. The associated auxiliary building ventilation system air intake duct isolation valves

3. The associated containment cooling system auxiliary building isolation valves.]

When adequate negative pressure is obtained in the enclosure building plus an additional time delay for selected dampers, the signals from the pressure controllers cause the flow-control dampers to shift to the intermediate position to assure that a uniform negative pressure is maintained throughout the various areas of the enclosure and auxiliary buildings during long term operation of the standby gas treatment system. One hundred twenty seconds after system initiation, the signals from the flow controllers are applied to their respective filter train fan inlet vane actuators to maintain a constant exhaust flow no greater than 4000 cfm. An interlock causes these signals to be applied prior to the end of the 120 second period if the Enclosure Building Negative Pressure High alarm setpoint is reached.

Each of the two trip systems is made up of individual solid state bistables and electromechanical relays to provide independence of control components and to preserve the independence of the associated mechanical equipment.

7.3.1.1.8.3 Bypasses When the keylock switch for a standby gas treatment unit is placed in standby, the operator is permitted to stop the enclosure building recirculation fan and filter train fan in that unit provided that the standby system auto-initiation signals are not present. Stopping the filter train fan will return its inlet vanes to the fully open position, close the filter train inlet and outlet dampers, and fully open the flow-control dampers for that unit. If flow is lost in the operating filter train or recirculation fan, or if enclosure building negative pressure is lost, the standby filter train and recirculation fans start.

The standby gas treatment system is designed so that if a unit is placed in standby during normal plant operation it will start, since there will be no flow from the recirculation and filter train fans of the other unit.

7.3-93 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Placing a standby gas treatment unit in the standby mode does not affect the closure of the auxiliary building isolation valves.

7.3.1.1.8.4 Interlocks As discussed above in Section 7.3.1.1.8.2, the interlocks for the Standby Gas Treatment System are necessary to ensure that system alignment is achieved in support of system operation. By either manual or automatic initiation, system fans start, flow-control dampers and associated filter train fan inlet vanes open, and enclosure and auxiliary buildings are isolated by closure of associated isolation valves. Actuated Standby Gas Treatment System equipment is listed in Table 7.3-23.

7.3.1.1.8.5 Sequencing Refer to subsection 8.3.1.1. for a discussion of ESF bus load sequencing. There is no other automatic sequencing in the SGTS.

7.3.1.1.8.6 Redundancy Two completely independent and redundant SGTS are provided, including independent and redundant trip systems and mechanical equipment. The two trip systems and their associated mechanical devices are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems.

7.3.1.1.8.7 Diversity Diversity is assured by providing four independent initiation signals for the SGTS. Refer to subsection 7.3.1.1.8.1.

7.3.1.1.8.8 Actuated Devices Component devices actuated by the SGTS are shown in Table 7.3-23.

7.3.1.1.8.9 Supporting Systems The supporting systems required for SGTS operation are identified in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.8.10 Nonessential Components Computer and Annunciator Components 7.3-94 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The SGTS logic and control systems are electrically isolated from the plant computer and annunciator systems. Failure of the computer or annunciator will have no effect on the operation of the SGTS.

The SGTS A&B exhaust vents are also provided with an effluent radioactivity monitoring system that alarms in the control room upon reaching a high radiation level. See subsection 11.5.2.2.9 for a further description of this system.

7.3.1.1.9 Suppression Pool Makeup System Refer to subsection 6.2.7 for a description of the suppression pool makeup system. The suppression pool makeup system provides water from the upper containment pool to the suppression pool by gravity flow after a LOCA.

Final system drawings for the SPMU system are provided by reference in Section 1.7. The logic diagram is Drawing J-1279.

The electrical schematic is Drawing E-1220. The system P&ID is provided as Figure 6.2-82.

7.3.1.1.9.1 Initiating Circuits The suppression pool makeup system is automatically initiated 30 minutes after a LOCA is detected or on low-low suppression pool level following a LOCA. It can also be manually initiated provided a LOCA has occurred.

7.3.1.1.9.2 Logic

[HISTORICAL INFORMATION] [The suppression pool makeup system consists of two independent and redundant systems. LOCA initiation logic is based on a one-out-of-two twice arrangement of sensors. Low suppression pool level initiation logic is based on a one-out-of-two arrangement of sensors. Once initiated, the bistable nature of the final control elements of the system seals in the protective action unless terminated by the operator.

Each of the two trip systems is made up of individual solid state bistables and electromechanical relays to provide independence of control components and preserve the independence of the associated mechanical equipment.

7.3-95 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

In order to minimize the probability of an inadvertent dump of the upper containment pool due to a component failure, separate actuation circuit components are provided for each of the two final control elements (valves) in each of the two redundant trip systems.]

7.3.1.1.9.3 Bypasses The suppression pool makeup system is bypassed to prevent inadvertent actuation during refueling. The system can also be bypassed manually from a handswitch in the control room. This condition is continuously annunciated.

7.3.1.1.9.4 Interlocks The suppression pool makeup system is interlocked to prevent actuation without a coincident LOCA. An interlock between the two valves in each line is provided when in the operating mode to prevent inadvertent manual opening of both valves in one line while testing the valves.

7.3.1.1.9.5 Sequencing

[HISTORICAL INFORMATION] [A timer is provided in the suppression pool makeup system to initiate the system 30 minutes after a LOCA is detected. Refer to subsection 8.3.1.1 for a discussion of ESF bus load sequencing. There is no other automatic sequencing in the suppression pool makeup system.]

7.3.1.1.9.6 Redundancy Two completely independent and redundant suppression pool makeup lines are provided, including independent and redundant trip systems and mechanical equipment. The two trip systems and their associated motor operated valves are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems.

7.3.1.1.9.7 Diversity Diversity is assured by providing three separate initiation signals for the suppression pool makeup system. Refer to subsection 7.3.1.1.9.1.

7.3-96 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.9.8 Actuated Devices Component devices actuated by the suppression pool makeup system are shown in Table 7.3-26.

7.3.1.1.9.9 Supporting Systems The supporting systems required for suppression pool makeup system operation are shown in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.9.10 Nonessential Components Computer and Annunciator Systems The suppression pool makeup system logic and control systems are electrically isolated from the plant computer and annunciator systems. Failure of the computer or annunciator will have no effect on the operation of the suppression pool makeup system.

7.3.1.1.10 Control Room Atmospheric Control and Isolation System Refer to subsections 6.4.1 and 9.4.1 for a description of the control room HVAC system. This system is designed to provide a controlled environment to ensure the comfort and safety of the plant operators under all plant conditions. Two independent and redundant control room atmospheric control and isolation systems (CRACIS) serve Unit 1.

Final system drawings for the CRACIS are provided by reference in Section 1.7. The logic diagram is Drawing J-0240. The electrical schematic is Drawing E-0131. The system P&ID is provided as Figure 9.4-1.

7.3.1.1.10.1 Initiating Circuits Each of the independent CRACIS is initiated automatically on high-radiation, reactor low water level, or drywell high pressure (indications of LOCA, see subsection 7.3.1.1.2). Manual initiation is also provided from control room handswitches.

7.3-97 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.10.2 Logic

[HISTORICAL INFORMATION] [Each of the CRACIS is controlled by an independent trip system. This provides one-out-of-two logic at the system level to initiate control room isolation when required. Each of the independent trip systems is actuated by a two-out-of-two high-radiation, or manual initiation signal or loss-of-coolant accident signal from the containment and reactor vessel isolation control system. Once initiated, operator action is required to return each component to its normal condition.

The CRACIS trip systems are made up of solid state bistables and electromechanical relays to provide independence of control components and preserve independence of the associated mechanical equipment.]

7.3.1.1.10.3 Bypasses A fire detection signal from the filter of a standby fresh air unit will stop the associated standby fresh air unit fan and isolate the associated standby fresh air unit. This condition is annunciated in the control room. In this case the redundant standby fresh air unit will continue to provide ventilation to the control room.

A control room isolation signal will place the standby fresh air units in the recirculation mode. After 10 minutes, the operator may reposition valves to allow fresh air to be brought in through a standby fresh air unit.

The operator is permitted to stop either standby fresh air unit provided the redundant unit is operating along with its associated A/C unit, by placing the appropriate keylocked switch in the standby position. If flow is lost in the operating fresh air unit, the unit in the standby mode starts automatically. If a standby fresh air unit is placed in the standby mode during normal plant operation, it will start since there will be no flow from the redundant standby fresh air unit. Placing a fresh air unit in the standby mode does not affect the closure of control room isolation valves.

7.3.1.1.10.4 Interlocks There are no interlocks in the control room atmospheric control and isolation system.

7.3-98 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.1.1.10.5 Sequencing Refer to subsection 8.3.1.1. for a discussion of ESF bus load sequencing. There is no other automatic sequencing in the control room atmospheric control and isolation system.

7.3.1.1.10.6 Redundancy Two completely independent and redundant control room atmospheric control and isolation systems are provided, including independent and redundant trip systems and mechanical equipment. The two trip systems are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems.

7.3.1.1.10.7 Diversity Initiation signals for the control room atmospheric control and isolation system are derived from four independent sources as listed in subsection 7.3.1.1.10.1.

7.3.1.1.10.8 Actuated Devices Component devices actuated by the control room atmospheric control and isolation system are shown in Table 7.3-29.

7.3.1.1.10.9 Supporting Systems The supporting systems required for CRACIS operation are identified in Table 7.3-1 and are described as referenced in that table.

7.3.1.1.10.10 Nonessential Components

a. Control Room Purge The control room intake duct is monitored for freon leakage from the air conditioning units.

b. Control Room Air Conditioning Unit Smoke Detection A smoke detector in the control room intake duct normally trips the associated air conditioning unit fan. A control room isolation signal bypasses the detector, preventing automatic fan trip.

c. Control Room HVAC Utility Exhaust Fan 7.3-99 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The control room HVAC utility exhaust fan is manually started and stopped by a control room handswitch. A control room isolation signal maintains the associated inlet valve closed, isolating and stopping the fan.

d. Computer and Annunciator Systems The CRACIS logic and control systems are electrically isolated from the plant computer and annunciator systems.

Failure of the computer or annunciator will have no effect on the operation of the CRACIS.

7.3.1.1.11 Standby Power System The standby power system is described in subsection 8.3.1.1.4.

7.3.1.1.12 Heating, Ventilating and Air Conditioning (HVAC)

Systems for Engineered Safety Feature (ESF) Areas The HVAC systems for ESF areas are described in subsection 9.4.5.

7.3.1.1.13 Diesel Generator Auxiliary Systems The diesel generator auxiliary systems are described in subsections 9.5.4, 9.5.5, 9.5.6, 9.5.7, and 9.5.8.

7.3.1.2 Design Basis Information The design of each engineered safety feature and auxiliary supporting system, including design bases and evaluation, is discussed in Chapter 6 or 9, respectively.

IEEE Standard 279-1971 establishes specific protection system design bases. The following information demonstrates how the design bases listed in section 3 of IEEE Standard 279-1971 are implemented:

(Note: Numbers correspond to those in the IEEE Standard)

1. Conditions The plant conditions which require protective action involving the systems of this section and other sections are examined and presented in Chapter 15 and Appendix 15A.

2. Variables 7.3-100 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The plant variables which require monitoring to provide protective actions are identified in Tables 7.3-2, 7.3-3, 7.3-4, 7.3-5 for ECCS and Table 7.3-10 for containment isolation function. For other ESF descriptions, refer to the individual system discussions, Tables 7.3-13, 7.3-16, 7.3-22, 7.3-25, and 7.3-28, or to Chapter 15 where safety analysis parameters for each event are cited.

The data presented in the tables contain some hardware implementation information on the function performed. Trip setpoints are developed from design basis information which takes into account the transient response of the total system.

3. Numbers of Sensors and Location The minimum number of sensors required to monitor safety-related variables are provided in the Technical Specifications. There are no sensors in the CRVICS, ECCS, CGCS, FWLCS, SGTS, SPMU, or CRACIS which have a spatial dependence, and therefore, location information is not relevant.

4. Operational Limits Operational limits for each safety-related plant variable are selected with sufficient margin so that spurious initiations are prevented. Design basis operational limits are based on operating experience and constrained by the safety design basis and the safety analyses.

5. Deleted

6. Levels Requiring Protective Action Levels requiring protective action are provided in the Technical Specifications.

7. Range of Energy Supply and Environmental Conditions of Safety Systems The range of transient and steady-state conditions of both the energy supply and the environment (for example, voltage, frequency, temperature, humidity, 7.3-101 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) pressure, vibration, etc.) during normal, abnormal, and accident circumstances throughout which the system must perform are discussed as follows:

a. Voltage and frequency The Class IE 120 V ac vital instrumentation and control power supplies are described in subsection 8.3.1.1.

b. For temperature, pressure, humidity, and radiation, the design environment for equipment is discussed in subsection 3.11.1.

CRVICS channel, logic, and main steam line isolation valve 120 V ac power is provided by the reactor protection system high-inertia MG sets. Divisions 1, 2, 3, and 4 trip logics for MSIVs is supplied by Class 1E 120 VAC uninterruptible power, division 1, 2, 3 and 4, respectively. The voltage regulator is designed to respond to a step load change of 50 percent of rated load with an output voltage change of not more than 15 percent. The flywheel on each MG set provides stored energy to maintain voltage and frequency within +/-5 percent, for 1 second, preventing momentary switchyard transients from causing a scram.

CRVICS relays will operate without failure within the range of -15 percent to +10 percent of rated voltage.

An alternate source of 120-volt power is provided to each RPS bus from a voltage regulator powered from the 480-volt emergency line. This alternate power is provided for the RPS bus when maintenance is required for an MG set.

ECCS 125 V dc power is provided by the ESF batteries.

ECCS 120 V ac power is provided by the instrument ac system.

8. Malfunctions, Accidents, and Other Unusual Events Which Could Cause Damage to Safety Systems The malfunctions, accidents, or other unusual events (for example, fire, explosion, missiles, lightning, flood, earthquake, wind, etc.) which could physically damage protection system components or could cause environmental changes leading to functional 7.3-102 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) degradation of system performance, and for which provisions must be incorporated to retain necessary protective action, are discussed as follows:

(a) Floods The buildings containing ESF system components have been designed to meet the PMF (Probable Maximum Flood) at the site location. This ensures that the buildings will remain water tight under PMF conditions. Therefore, none of the ESF functions are affected by flooding.

Water level (flood) design is described in Section 3.4.

(b) Storms and Tornados The buildings containing ESF components have been designed to withstand all credible meteorological events and tornados as described in subsection 3.3.2.

(c) Earthquakes The structures containing ESF components have been seismically designed as described in Sections 3.7 and 3.8, and will remain functional during and following a safe shutdown earthquake (SSE). Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.

(d) Fires To protect the ESF systems in the event of a postulated fire, the redundant portions of the systems are separated by fire barriers. If a fire were to occur within one of the sections or in the area of one of the panels, the ESF systems functions would not be prevented by the fire. The use of separation and fire barriers ensures that even though some portion of the systems may be affected, the ESF systems will continue to provide the required protective action.

7.3-103 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The HPCS System is not designated as a safe-shutdown system for the purposes of 10 CFR 50, Appendix R, Fire Protection Program and therefore is not required to be protected from exposure fires per 10 CFR 50, Appendix R.

However, in accordance with GDC 3, RG 1.75, and IEEE 384, the HPCS system shall be designed to minimize the probability and effects of fires on plant operation.

The fire protection system is described in subsection 9.5.1. Fire protection for cable systems is described in subsection 8.3.3.

(e) LOCA The following ESF system components are located inside the drywell and would be subjected to the effects of a design basis loss-of-coolant accident (LOCA) and would be required to remain operable:

Reactor vessel pressure and reactor vessel water level instrument taps, condensate pots, and sensing lines and drywell pressure sensing lines, which terminate outside the drywell.

These items have been environmentally qualified to remain functional during and following a LOCA as discussed in Section 3.11 and indicated in Table 3.11-3. A review has been conducted of the effects of high drywell temperature on reactor vessel water level instrumentation.

Instrument accuracy is not markedly affected by varying drywell temperatures, since the vertical drops of the sensing lines within the drywell are approximately equal.

(f) Pipe whip Protection against dynamic effects associated with the postulated rupture of piping is discussed in Section 3.6.

(g) Missiles 7.3-104 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Missile protection is described in Section 3.5.

9. Minimum Performance Requirements See the Technical Specifications and Technical Requirements Manual (TRM) for CRVICS performance requirements.

Within ECCS, performance requirements refer only to a system as a whole and not specifically to individual components except in the area of accuracy.

System allowable set point ranges and ranges of the sensors used are given for other ESF systems in Tables 7.3-13, 7.3-16, 7.3-22, 7.3-25, and 7.3-28.

7.3.1.3 Final System Drawings Electrical schematic diagrams, functional control diagrams (FCD's), final logic diagrams, and instrument location drawings are listed and provided by reference in Section 1.7. Piping and instrumentation diagrams are provided as figures in the appropriate sections of Chapters 5, 6, and 9.

A comparison between final logic diagrams and the logic diagrams submitted in the PSAR is provided in Table 7.3-31.

There are no safety, functional, or architectural design basis differences on the NSSS-designed ESF systems between the PSAR and the FSAR. Direct comparison between the PSAR and FSAR will verify this.

7.3.2 Analysis Appendix A of 10 CFR 50, General Design Criteria for Nuclear Power Plants, establishes requirements for the principal design criteria for water cooled nuclear power plants. Section 3.1 provides a detailed discussion of all general design criteria.

This section describes how the criteria that are applicable to all engineered safety feature and auxiliary supporting systems are satisfied. Criteria which are applicable only to specific systems are discussed in the following subsections for each system.

a. Criterion 19 - Control Room 7.3-105 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The control room layout is described in Section 7.5.

Control room isolation is described in subsection 7.3.1.1.10. Plant shutdown from outside the control room is described in subsection 7.4.1.4. For further discussion of criterion 19, see subsections 7.3.2.10 and 7.4.2.4.

b. Criterion 29 - Protection Against Anticipated Operational Occurrences The high functional reliability of the engineered safety features system is achieved through the combination of logic arrangement, redundancy, physical and electrical independence, functional separation, quality components, and inservice testability.

The extent to which NRC Regulatory Guides are satisfied is described in Appendix 3A. The extent to which applicable IEEE Standards are satisfied is described in subsection 7.1.2.4. A detailed discussion of how each system satisfies the requirements of IEEE 279-1971 and 338-1971 is provided in the following subsections for each system.

7.3.2.1 Emergency Core Cooling Systems - Instrumentation and Controls 7.3.2.1.1 General Functional Requirement Conformance Chapters 15.0, "Accident Analysis," and 6.0, "Engineered Safety Feature Systems," evaluate the individual and combined capabilities of the emergency core cooling systems. For the entire range of nuclear process system break sizes, the cooling systems prevent fuel cladding temperatures from exceeding 2200 F since the capabilities of the individual emergency core cooling loops overlap.

Instrumentation for the emergency core cooling systems must respond to the potential inadequacy of core cooling regardless of the location of a breach in the reactor coolant pressure boundary.

Such a breach inside or outside the containment is sensed by reactor low water level. The reactor vessel low water level signal is the only emergency core cooling system initiating function that is completely independent of breach location.

Consequently, it can actuate HPCS, LPCS, and LPCI.

7.3-106 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The other major initiating function, drywell high pressure, is provided because pressurization of the drywell will result from any significant nuclear system breach anywhere inside the drywell.

Initiation of the automatic depressurization system employs both reactor vessel low water level and drywell pressure signals in coincidence for breaks anywhere inside the drywell and employs reactor vessel low water level in conjunction with a drywell pressure bypass timer for breaks outside the drywell.

An evaluation of emergency core cooling systems controls show that no operator action is required to initiate the correct responses of the emergency core cooling systems. However, the control room operator can manually initiate every essential operation of the emergency core cooling systems. Alarms and indications in the control room allow the operator to interpret any situation that requires the emergency core cooling system and verify the responses of each system. This arrangement limits safety dependence on operator judgment, and design of the emergency core cooling systems control equipment has appropriately limited response.

The redundance of the control equipment for the emergency core cooling systems is consistent with the redundancy of the cooling systems themselves. The arrangement of the initiating signals for the emergency core cooling systems, as shown in Figures 7.3-2 and 7.3-3 is also consistent with the arrangement of the systems themselves. Each system, including its initiating sensors, is separated from the other systems within the network of emergency core cooling systems.

No failure of a single initiating channel can prevent the start of the cooling systems when required or inadvertently initiate these same systems.

An evaluation of the control schemes for each emergency core cooling system component shows that no single control failure can prevent the combined cooling systems from providing the core with adequate cooling. In performing this evaluation the redundancy of components and cooling systems was considered.

The minimum number of channels required to maintain functional performance is given in the Technical Specifications.

Determinations of these minimums considered the use and 7.3-107 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) redundancy of sensors in control circuitry and the relative reliability of the controlled equipment in any individual cooling system.

The ADS relief valves are controlled by two trip systems. The conditions indicated by the table result in both trip systems always remaining capable of initiating automatic depressurization. If an operable sensor is in the tripped state or if a synthetic trip signal is inserted in the control circuitry, automatic depressurization can be initiated when the other initiating signals are received.

The only equipment protective devices that can interrupt planned emergency core cooling system operation are those that must act to prevent complete failure of the component or system. In no case can the action of a protective device prevent other redundant cooling systems from providing adequate cooling to the core.

The locations of controls that adjust or interrupt operation of emergency core cooling systems components have been specified.

Controls are located in the control room and are under supervision of the control room operator.

The environmental capabilities of instrumentation for the emergency core cooling systems are discussed in the descriptions of the individual systems. Components that are located inside the containment and are essential to emergency cooling system performance are designed to operate in the containment environment resulting from a loss-of-coolant accident. Essential instruments located outside the drywell are also qualified for the environment in which they must perform their essential function.

Special consideration has been given to the performance of reactor vessel water level sensors, pressure sensors, and condensing chambers during rapid depressurization of the nuclear system. This consideration is discussed in Section 7.5.

Capability for emergency core cooling following a postulated accident may be verified by observing the following indications:

a. Annunciators for HPCS, LPCS, LPCI, and ADS trip system trips 7.3-108 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Flow and pressure indications for each emergency core cooling system

c. Isolation valve position lights indicating open valves

d. Injection valve position lights indicating either open or closed valves

e. Relief valve initiation circuit status by open-closed indicator lamps

f. Relief valve position may be inferred from reactor pressure indications

g. Process computer logging of trips in the emergency core cooling network

h. Relief valve discharge pipe temperature monitors and alarm.

A failure mode and effects analysis is provided and discussed in Section 6.3, Emergency Core Cooling System.

7.3.2.1.2 Conformance to Specific Regulatory Requirements 7.3.2.1.2.1 Conformance to NRC Regulatory Guides General exceptions and positions taken on the Regulatory Guides, and the revision of the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the ECCS are discussed in this subsection.

7.3.2.1.2.1.1 Regulatory Guide 1.6 In accordance with Regulatory Guide 1.6, ECCS electric power loads are rigorously divided into Division 1, Division 2 and Division 3 so that loss of any one group will not prevent the minimum safety functions from being performed. No interconnections exist which can compromise redundant power sources.

7.3.2.1.2.1.2 Regulatory Guide 1.11 Conformance to Regulatory Guide 1.11 is discussed in subsection 6.2.4.2.4.

7.3-109 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.1.2.1.3 Regulatory Guide 1.22 Conformance to this regulatory guide is achieved by providing system level indication when the system is rendered inoperable for test or maintenance, except for position D.3.b of the guide which is clarified and amplified in subsection 7.5.1.3.

7.3.2.1.2.1.4 Regulatory Guide 1.29 Instrumentation is classified as seismic Category I and is covered under Section 3.10.

7.3.2.1.2.1.5 Regulatory Guide 1.30 The post operation quality assurance program is discussed in Chapter 17.

7.3.2.1.2.1.6 Regulatory Guide 1.32 Conformance is described in the conformance to General Design Criterion 17 and IEEE Standard 308-1974.

7.3.2.1.2.1.7 Regulatory Guide 1.47 Bypassed and inoperable status indication meets the requirements of Regulatory Guide 1.47 as stated in subsections 7.5.2.5.5 and as discussed in subsection 7.5.1.3.

7.3.2.1.2.1.8 Regulatory Guide 1.53 Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the emergency core cooling systems so that they meet the single failure criterion described in Section 4.2 of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379-1972, "IEEE Trail-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection System." Redundant sensors are used, and the logic is arranged to ensure that a failure in a sensing element trip system or an actuator will neither prevent nor spuriously initiate a trip function. Separated channels are employed, so that a fault affecting one channel will not prevent the other channels from operating properly. Specifications are provided to define channel separation for wiring not included with equipment supplied by General Electric.

7.3-110 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when called upon. Testing incorporates all elements of the system under one test mode or another, including sensors, trip systems, trip functions, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests. During testing there are always enough channels and systems available for operation to provide proper protection.

7.3.2.1.2.1.9 Regulatory Guide 1.62 Means are provided for manual initiation of emergency core cooling at the system level through the following armed pushbutton switches:

a. HPCS: one switch in Division 3

b. ADS: four switches, two in Division 1 and two in Division 2

c. LPCS/RHR A: one switch in Division 1

d. RHR B/RHR C: one switch in Division 2 Operation of these switches accomplishes the initiation of all actions performed by the automatic initiation circuitry.

These switches are located in the control room on the designated ECCS division portions of the reactor core cooling benchboard, which is shown in Figure 7.5-2.

The amount of equipment common to initiation of both manual and automatic emergency core cooling is kept to a minimum through implementation of manual initiation of emergency core cooling at the final devices (relays) of the protection system. No failure in the manual, automatic or common portions of the protection system will prevent initiation of a sufficient amount of emergency core cooling equipment by manual or automatic means.

The minimum of equipment objective is achieved for the initiation of manual emergency core cooling through its implementation at the final devices of the protection system. In order to prevent manual initiation of vessel depressurization when low pressure core cooling capability is absent, the ADS manual initiation has 7.3-111 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) an interlock to assure proper conditions for depressurization (ac interlock). One interlock is provided for Division 1 ADS and a second independent interlock is provided for Division 2 ADS.

Manual initiation of emergency core cooling, once initiated, goes to completion as required by IEEE 279-1971 Section 4.16.

7.3.2.1.2.1.10 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.3.2.1.2.1.11 Regulatory Guide 1.73 Conformance to Regulatory Guide 1.73 is discussed in subsection 3.11.2.

7.3.2.1.2.1.12 Regulatory Guide 1.75 General Separation Criteria Section 4.0.

Separation within the ECCS is such that controls, instrumentation, equipment and wiring is segregated into three separate divisions designated 1, 2, and 3. Control and motive power separation is maintained in the same manner. Separation is provided to maintain the independence of the 3 divisions of circuits and equipment so that the protection functions required during and following any design basis event can be accomplished.

a. All redundant equipment and circuits within ECCS require divisional separation. All pertinent documents and drawings identify in a distinctive manner separation and safety related status for each redundant division.

b. All redundant circuits and equipment are located within safety class enclosures. Separation is achieved by barriers, isolation devices and/or physical distance.

This type of separation between redundant systems assures that a single failure of one system will not affect the operation of the other redundant system.

c. The separation of redundant Class IE circuits and equipment within the ECCS is such that no physical connections are made between divisions. This separation 7.3-112 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) criteria assures that the failure of equipment of one redundant system cannot disable circuits or equipment essential to the operation of the other redundant systems.

d. Associated circuits are in accordance with Class IE circuit requirements up to and including the isolation devices. Associated circuits beyond the isolation devices do not again become associated with Class IE circuits.

Associated circuits within the ECCS are segregated into the three safety related divisions and meet all separation requirements imposed upon redundant safety related circuits.

Pertinent documents and drawings identify the associated circuits in a distinctive manner.

e. Separation between Class IE and non-Class IE circuits will meet the same minimum requirements for redundant Class IE circuits or they will be treated as associated circuits.

7.3.2.1.2.1.13 Regulatory Guide 1.89 Conformance to Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.3.2.1.2.1.14 Regulatory Guide 1.106 Conformance to Regulatory Guide 1.106 is discussed in subsection 7.1.2.6.21.

7.3.2.1.2.2 10 CFR 50 Appendix A

a. Criterion No. 13 Conformance to this requirement is achieved by monitoring appropriate variables over the range expected and providing containment isolation, emergency core cooling, and other functions to maintain the variables within the prescribed ranges.

b. Deleted

c. Criteria 20 through 24, 29, 33, 34, 35, and 37 Conformance to these criteria are shown in subsections 7.3.1.1.1.3, 7.3.1.1.1.4, 7.3.1.1.1.5, and 7.3.1.1.1.6.

See also Section 3.1.

7.3-113 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.1.2.3 Conformance to Industry Standards 7.3.2.1.2.3.1 IEEE 279-1971 7.3.2.1.2.3.1.1 General Functional Requirement (IEEE 279-1971 paragraph 4.1)

Automatic initiation of the ECCS is provided by sensors measuring reactor vessel low water level and drywell high pressure. The following systems are individually initiated by automatic means:

o HPCS o ADS o LPCS o LPCI mode of the RHR System This automatic initiation is accomplished with precision and reliability commensurate with the overall ECCS objective and is effective over the full range of environmental conditions depicted below:

a. Power supply voltages HPCS: HPCS has its own dc control, ac control, and motor power which is independent of offsite power and onsite power for Division 1 and 2 ECCS.

ADS: Tolerance is provided to complete loss of station ac power, but not to loss of both dc sources for ADS.

LPCS: System will not tolerate Division 1 ac or dc power failure; however, network redundancy assures adequate core cooling capability.

LPCI: Tolerance is provided to any degree of ac power supply failure such that failures cannot negate successful low pressure cooling. DC power supply failure will affect only one of the two LPCI Divisions.

b. Power supply frequency 7.3-114 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

HPCS: Full range of frequency available is tolerated.

ADS: No ac controls are used.

LPCS: Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.

LPCI: Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.

c. Temperature HPCS; ADS; LPCS; and LPCI:

Operable at all temperatures that can result from an accident. See also Section 3.11.

d. Humidity HPCS; ADS; LPCS; and LPCI:

Operable at humidities, including steam, that can result from a loss-of-coolant accident. See also Section 3.11.

e. Pressure HPCS; ADS; LPCS; and LPCI:

Operable at all pressures resulting from a LOCA as required. See also Section 3.11.

f. Vibration HPCS; ADS; LPCS; and LPCI:

Tolerance to conditions stated in Section 3.10.

g. Malfunctions Overall ECCS:

Network tolerance to failure of any single component to operate on command.

7.3-115 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

h. Accidents HPCS; ADS; LPCS; and LPCI:

Network tolerance to all design basis accidents without malfunction.

i. Fire Overall ECCS:

Network tolerance to single wireway fires or mechanical damage.

j. Explosion HPCS; ADS; LPCS; and LPCI:

Explosions are not defined in design bases.

k. Missiles ADS:

Separate routing of the ADS conduits within the drywell reduces to a very low probability the potential for missile damage to more than one conduit of ADS or damage to the pilot solenoid assemblies of ADS valves.

Overall ECCS:

Network tolerance to any single missile destroying no more than one pipe, wireway, or cabinet.

l. Lightning HPCS and ADS:

Ungrounded dc system not subject to lightning strikes.

LPCS and LPCI:

Tolerance to lightning damage limited to one auxiliary bus system. See comments under a and b.

m. Flood HPCS; ADS; LPCS; and LPCI:

7.3-116 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

All control equipment is located above flood level by design.

n. Earthquake HPCS; ADS; LPCS; and LPCI:

Tolerance to conditions stated in Section 3.10.

o. Wind and Tornado HPCS; ADS; LPCS; and LPCI:

Seismic Category I building houses all control equipment.

p. System Response Time HPCS; ADS; LPCS; and LPCI:

Responses are within the requirements of the need to start ECCS.

q. System Accuracies HPCS; ADS; LPCS; and LPCI:

Accuracies are within that needed for correct timely action.

r. Abnormal Ranges of Sensed Variables HPCS; ADS; LPCS; and LPCI:

The system is designed with tolerance against damage and misoperation due to abnormal ranges of sensed variables.

7.3.2.1.2.3.1.2 Single Failure Criterion (IEEE 279-1971, paragraph 4.2)

a. HPCS The HPCS, by itself, is not required to meet the single failure criterion. The control logic circuits for initiation and control are housed in a single relay cabinet and the power supply for the control logic and other HPCS equipment is from a single dc power source.

7.3-117 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The HPCS initiation sensors and wiring up to the HPCS relay logic cabinet do, however, meet the single failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line or pipe failure can prevent initiation.

b. ADS The ADS system is comprised of two independent sets of controls for the two pilot solenoids and meets the single failure criterion. At least two failures would have to occur to cause actuation. Tolerance to the following single failures or events has been incorporated into the control system design and installation:

1. Single open circuit

2. Single short circuit

3. Single relay failure to pick up

4. Single relay failure to drop out

5. Single module failure (including multiple shorts, opens and grounds)

6. Single control cabinet destruction (including multiple shorts, opens and grounds)

7. Single instrument rack destruction (including multiple shorts, opens and grounds)

8. Single wireway destruction (including multiple shorts, opens and grounds)

9. Single control power supply failure (any mode)

10. Single motive power supply failure (any mode)

11. Single control circuit failure

12. Single sensing line (pipe) failure

13. Burnout of any single electrical component.

c. LPCS, LPCI 7.3-118 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Subsection 6.3.1.1.2 discusses reliability requirements of ECCS systems. In general, the LPCS system in conjunction with the RHR system LPCI mode Loop A, performs a safety function which is redundant with the RHR system LPCI mode Loop B and Loop C. This combination of systems meets the single failure criterion. Totally redundant and separate instrumentation and controls are provided in two safety divisions which are above reliability requirements.

Tolerance to the following single failures or events is provided in the control logic initiation circuitry so that these failures would disable only one loop:

1. Single open circuit

2. Single short circuit

3. Single relay failure to pick up

4. Single relay failure to drop out

5. Single module failure (including shorts, opens, and grounds)

6. Single control cabinet destruction (including shorts, opens, and grounds)

7. Single local instrument rack destruction (including shorts, opens, and grounds)

8. Single wireway destruction (including shorts, opens, and grounds)

9. Single control power supply failure

10. Single motive power supply failure

11. Single control circuit failure

12. Single sensing line (pipe) failure

13. Burnout of any single electrical component 7.3.2.1.2.3.1.3 Quality Components (IEEE 279-1971, paragraph 4.3)

a. HPCS 7.3-119 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Components used in the HPCS control system have been carefully selected for the specific application. Ratings have been selected to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

1. Switch and relay contacts carry no more than 50 percent of their continuous current rating.

2. Controls are energized to operate and have brief and infrequent duty cycles.

3. Motor starters and breakers are effectively derated for motor starting applications since their nameplate ratings are based on short circuit interruption capabilities as well as on continuous current carrying capabilities.

Short-circuit current-interrupting capabilities are many times the starting current for the motors being started, so that normal duty does not begin to approach maximum equipment capability.

4. Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling application will demand, even including testing.

5. Instrumentation and controls are heavy duty, industrial type which have been subjected to the manufacturer's normal quality control and have undergone functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use in the HPCS control system.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

b. ADS 7.3-120 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Components used in the ADS control system have been carefully selected for the specific application. Ratings have sufficient conservatism to ensure against significant deterioration over the lifetime of the plant as illustrated below:

1. Switch and relay contacts carry no more than 50 percent of their continuous current rating.

2. Controls are energized to operate and have brief and infrequent duty cycles.

3. Instrumentation and controls are heavy duty industrial type which have been subjected to the manufacturer's normal quality control and have undergone functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use in the ADS.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

c. LPCS The discussion in this section for HPCS applies equally to the LPCS.

d. LPCI The discussion in this section for HPCS applies equally to the LPCI subsystem.

7.3.2.1.2.3.1.4 Equipment Qualification (IEEE-279-1971, paragraph 4.4)

a. HPCS 7.3-121 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

No components of the HPCS control system are required to operate in the drywell environment during LOCA conditions except for the condensation pots and the sensing lines of the vessel level transmitters.

Other process sensor equipment for HPCS initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal (loss-of-ventilation and loss-of-coolant accident) conditions.

Panels and relay cabinets are located in the control room.

The HPCS control system components have demonstrated reliable operation in previous applications in nuclear power plant protection systems, in extensive industrial use, or by testing. See Sections 3.10 and 3.11.

b. ADS The solenoid valves, their cables, and the relief valve mechanical operators of the automatic depressurization system are located inside the drywell and remain operable in the loss-of-coolant accident environment. These items are selected with capabilities that permit proper operation in the most severe environment resulting from a design basis loss-of-coolant accident and have been environmentally tested to verify the selection. Gamma and neutron radiation is also considered in the selection of these items and only materials which are expected to tolerate the integrated dosage superimposed on other environmental factors for at least a 40-year period of normal plant operation without excessive deterioration are used (i.e., no need for a replacement is anticipated).

Other components of the ADS control system which are required to operate in the drywell environment are the condensate pots and sensing lines for the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions. Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type as used for the RPS and meet the same standards.

7.3-122 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Control panels and relay logic cabinets are located in the control room environment which presents no new or unusual operating considerations.

All components used in the ADS control system have demonstrated reliable operation in similar nuclear power plant protection systems, in industrial applications, or by testing. See Sections 3.10 and 3.11 also.

c. LPCS No components of the LPCS control system are required to operate in the drywell environment except for the condensation pots of the vessel level sensors and the testable check valve.

Other process sensor equipment for LPCS initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal (loss-of-ventilation and loss-of-coolant accident) conditions.

Panels and the relay cabinet are located in the control room.

There are no components in the LPCS control system that have not demonstrated reliable operation in previous applications in nuclear power plant protection systems, in extensive industrial use, or by testing. See Sections 3.10 and 3.11.

d. LPCI No components of the LPCI System are required to operate in the drywell environment except for the condensate pots used with the vessel level sensors. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider changes in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions.

Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are of the same type as used for the RPS and meet the same standards. Reactor vessel low pressure permissive sensors are of the same type as those discussed in the RPS. The testable check valves which are located 7.3-123 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) inside the drywell are considered to be part of the piping system rather than part of the control system. Control panels and relay logic cabinets are located in the control room environment which presents no new or unusual operating considerations.

All components used in the LPCI subsystem have demonstrated reliable operation in similar nuclear power plant protection systems, in industrial applications, or by testing.

7.3.2.1.2.3.1.5 Channel Integrity (IEEE-279-1971, paragraph 4.5)

a. HPCS The HPCS system instrument initiation channels (low water level and high drywell pressure) are designed to satisfy the channel integrity objective without taking credit for safe failure modes of equipment.

b. ADS The ADS is initiated from sensors which monitor reactor water level and drywell pressure. The reactor water level sensing signal is produced by four redundant sensors which are connected through sensing lines to two physically independent pressure taps on the reactor vessel. The drywell sensing signal is produced by four redundant sensors, which are connected to the drywell through physically separate pressure taps and sensing lines. The portions of the ADS system which are located inside the drywell have been environmentally qualified to meet the accident and environmental conditions described in Section 3.11 and Table 3.11-1. The portions of the ADS system which are located outside the drywell, including the drywell pressure sensors and sensing lines, have been environmentally qualified to meet the accident and environmental conditions described in Section 3.11 and Table 3.11-2.

The ADS is protected from changes in the power supply as described in 7.3.2.1.2.3.1.3.2 and 7.3.1.1.1.2.2.

Therefore, the ADS is provided with sufficient channel integrity to assure protective action when required.

7.3-124 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. LPCS The LPCS system instrument initiation channels (low water level and high drywell pressure) are designed to satisfy the channel integrity objective without taking credit for safe failure modes of operation.

d. LPCI The LPCI system initiation channels (low water level or high drywell pressure) are designed to satisfy the channel integrity objective without taking credit for safe failure modes of equipment.

7.3.2.1.2.3.1.6 Channel Independence (IEEE-279-1971, paragraph 4.6)

a. HPCS Channel independence for initiation sensors monitoring each variable is provided by mechanical separation. The C and G sensors for reactor vessel level, for instance, are located on one local instrument rack and the R and L sensors are located on a second instrument rack widely separated from the first. The C and G sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors R and L.

Disabling of one or both sensors in one location does not disable the control for initiation.

HPCS independence from the other redundant ECCS portions is maintained.

b. ADS Channel independence for sensors exposed to each variable is provided by electrical and mechanical separation. The A sensors for reactor vessel level, for instance, are located on one local instrument rack identified as Division 1 equipment and the B sensors are located on a second instrument rack widely separated from the first and identified as Division 2 equipment. The A sensors have a common pair of process taps which are widely separated from the corresponding taps for sensors B. Disabling of 7.3-125 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) one or both sensors in one location does not disable the control for both of the automatic depressurization control channels.

Logic relays for the ADS are separated into Division 1 and Division 2 located in separate cabinets. Separate locations are provided on the control panels for all ADS controls.

c. LPCS Channel independence does not strictly apply to the LPCS system since the one-out-of-two taken twice logic is combined in a single trip system. Independence is provided between LPCS and the redundant portions of the ECCS network in Divisions 2 and 3.

d. LPCI Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and E sensors for reactor vessel low water level, for instance, are located on one local instrument rack that is identified as Division 1 equipment, and the B and F sensors are located on a second instrument rack, widely separated from the first and identified as Division 2 equipment. The A and E sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and F. Disabling of one or all sensors in one location does not disable the control for the other Division.

Relay cabinets for Division 1 are in a separate physical division from that of Division 2, and each division is complete in itself, with its own station battery control and instrument bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final control element, and includes both control and motive power supplies.

7.3.2.1.2.3.1.7 Control and Protection Interaction (IEEE-2791971, paragraph 4.7)

The HPCS, ADS, LPCS and LPCI systems are designed as safety systems and are designed to be independent of plant control systems. Annunciator circuits use independent and electrically 7.3-126 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) isolated contacts of sensor relays and logic relays, and cannot impair the operability of these systems. Regarding auxiliary trip units, design provisions (electronic isolators) are made so as to prevent detrimental interaction between control and protection circuits, in accordance with the compliance statements of IEEE Std 279-1971, paragraph 4.7.

7.3.2.1.2.3.1.8 Derivation of System Inputs (IEEE-279-1971, paragraph 4.8)

a. HPCS Inputs that start the HPCS system are direct measures of the variables that indicate the need for high pressure core cooling; viz., reactor vessel low water level or high drywell pressure.

b. ADS Inputs that start the automatic depressurization system are direct measures of the variables that indicate both the need and acceptable conditions for rapid depressurization of the reactor vessel; viz., reactor vessel low water level and high drywell pressure or reactor vessel low water level and the high drywell pressure bypass timer time delay exceeded and, for either of these conditions, at least one low pressure core cooling subsystem developing adequate discharge pressure, plus adequate time delay to allow HPCS to operate if available.

c. LPCS Inputs that start the LPCS system are direct measures of the variables that indicate the need for low pressure core cooling; viz., reactor vessel low water level and high drywell pressure. Reactor vessel level and drywell pressure sensors are described in subsection 7.3.1.1.1.5.2.

d. LPCI Inputs that start the LPCI subsystem are direct measures of the variables that indicate the need for low pressure core cooling; viz., reactor vessel low water, high drywell 7.3-127 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) pressure, and reactor low pressure. Reactor vessel level is sensed by vessel water level transmitters. Drywell high pressure is sensed by pressure transmitters.

7.3.2.1.2.3.1.9 Capability of Sensor Checks (IEEE-279-1971, paragraph 4.9)

All sensors are of the pressure sensing type and are installed with calibration taps and instrument valves, to permit testing during normal plant operation or during shutdown. The sensors can be checked by application of test pressure from a low pressure source after closing the instrument valve and opening the calibration valve.

The reactor vessel pressure and level, and high drywell pressure transmitters can be similarly checked for operability by valving out each transmitter and applying a test pressure source. This verifies the operability of the sensors as well as the calibration range. The trip units mounted in the control room are calibrated separately by introducing a calibration source and verifying the set point through the use of a digital readout on the trip calibration module.

7.3.2.1.2.3.1.10 Capability for Test and Calibration (IEEE-279-1971, paragraph 4.10)

a. HPCS The HPCS control system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. Trip systems can be exercised by means of plug-in test switches used alone or in conjunction with single sensor tests. Pumps can be started by the appropriate breakers, to pump against system injection valves and/or return to the suppression pool through test valves while the reactor is at pressure.

Motor-operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested.

Check valves are testable by a remotely operable pneumatic piston. HPCS water will not actually be introduced into the vessel except before initial fuel loading.

7.3-128 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. ADS The automatic depressurization system is not tested in its entirety during actual plant operation but provisions are incorporated so that operability of all elements of the system can be verified at periodic intervals. The operability of individual valves may be verified by means of the individual control switches on the control room panels. Testing of control circuitry is accomplished at the control relay cabinets by means of test jacks, switches, and indicator lights while exercising sensors one at a time. The test method is generally as follows:

Action Observation

a. Exercise a sensor 1. Sensor relay pickup

2. Alarm is given

b. Start a LPCS or RHR (LPCI Off-normal alarm mode pump

2. Low pressure cooling 1.

system available relay pickup

c. Exercise trip system by Trip system means of plug-in test relay pickup switch

2. Continuity lights on 1.

each valve circuit are energized

d. Reset trip system 1. Annunciators clear

e. Repeat above steps for Same as for associated other sensors, other low steps above.

pressure core cooling pumps, other logic channels.

c. LPCS The discussion in this section regarding HPCS test and calibration applies equally to the LPCS.

7.3-129 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. LPCI The discussion in this section regarding HPCS test and calibration applies equally to the LPCI subsystem.

7.3.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)

a. HPCS Calibration of a sensor that introduces a single instrument channel trip will not cause a protective function without the coincident trip of a second channel.

There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur.

b. ADS Calibration of each sensor will introduce a single instrument channel trip. This does not cause a trip system to trip.

Removal of an instrument channel from service during calibration will be brief and will not significantly increase the probability of failure to operate. There are no channel bypasses in the automatic depressurization system. Removal of a sensor from operation during calibration does not prevent the redundant trip system from functioning if accident conditions occur. The manual reset buttons can interrupt the automatic depressurization for a limited time. However, releasing either one of the two reset buttons will allow automatic timing and action to resume. In addition, a manual inhibit switch is provided to inhibit ADS operation without repeatedly pressing the reset buttons.

c. LPCS The discussion in this section regarding HPCS channel bypass is equally applicable to the LPCS system.

d. LPCI 7.3-130 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The discussion in this section regarding HPCS channel bypass is equally applicable to the LPCI subsystem.

7.3.2.1.2.3.1.12 Operating Bypasses (IEEE 279-1971, paragraph 4.12)

a. HPCS There are no operating bypasses in the HPCS.

b. ADS The ADS has no provision for operating bypasses.

c. LPCS There are no operating bypasses in the LPCS.

d. LPCI The LPCI subsystem has no provision for operating bypasses.

7.3.2.1.2.3.1.13 Indication of Bypasses (IEEE 279-1971, paragraph 4.13)

Automatic bypass indication is provided as described in subsection 7.5.1.3.

7.3.2.1.2.3.1.14 Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)

a. HPCS Access to motor control centers and instrument valves is controlled as discussed for the LPCI subsystem in this section. Access to other means of bypassing are located in the control room and therefore are under the administrative control of the operators.

b. ADS Instrument valve position is under administrative control of plant operations personnel and cannot be changed without permission of responsible authorized personnel.

7.3-131 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Reset buttons are on the control panel in the control room. Control power breakers are in dc distribution cabinets which are under the administrative control of the operator.

c. LPCS The discussion in this section for the LPCI subsystem access for bypassing is equally applicable to the LPCS.

d. LPCI Access to switchgear, motor control centers and instrument valves will be procedurally controlled by the following administrative means:

1. Instrument valve position is under administrative control of plant operations personnel and cannot be changed without permission of responsible authorized personnel.

2. Lockable doors on the emergency switchgear rooms

3. Lockable breaker control switch handles in the motor control centers 7.3.2.1.2.3.1.15 Multiple Trip Settings (IEEE 279-1971, paragraph 4.15)

This section is not applicable to the HPCS, ADS, LPCS, or LPCI systems because all trip set points are fixed.

7.3.2.1.2.3.1.16 Completion of Protective Action Once Initiated (IEEE 279-1971, paragraph 4.16)

a. HPCS The final control elements for the HPCS system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out (which they do when the limit switch and/or torque switch setting is reached). In the case of the HPCS pump breaker, the automatic initiation signal is electrically sealed-in.

7.3-132 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Thus, protective action once initiated (i.e., flow established) will either go to completion, or continue until terminated by deliberate operator action, or automatically stopped on high vessel water level, or system malfunction trip signals.

b. ADS Each of the redundant depressurization control subsystems seals in electrically and remains energized until manually reset by one of the two reset pushbuttons or by manually de-energizing the ECCS pump run (provided the reactor water level initiation signals have cleared).

c. LPCS The final control elements for the LPCS system are essentially bistable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached).

In the event of an interruption in ac power, the control system will reset itself and recycle on restoration of power.

Thus, protective action, once initiated, will either go to completion or continue until terminated by deliberate operator action.

d. LPCI The discussion provided in this section for the LPCS is equally applicable to the LPCI subsystem.

7.3.2.1.2.3.1.17 Manual Initiation (IEEE 279-1971, paragraph 4.17)

a. HPCS The HPCS has an armed manual initiation pushbutton in parallel with the automatic initiation logic.

b. ADS 7.3-133 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The ADS has four manual initiation switches. Two switches are in each of the two ADS systems (A&B). Both switches for one system have to be closed to manually initiate ADS.

To further preclude inadvertent actuation, each switch is equipped with a collar which must be turned before electrical contacts of the pushbutton are effective.

Thus, to initiate ADS manually, the operator must turn two collars and depress two pushbuttons. Whenever a collar is turned, an annunciator is actuated. The manual initiation circuits contain an interlock which prevents manual initiation of a division when that division logic is in the test mode. Interlocks are also included which prevent manual initiation of ADS unless:

1. For Division 1, LPCI Loop A pump, or LPCS pump, discharge pressures are established.

1. For Division 2, LPCI Loop B pump, or LPCI Loop C pump, discharge pressures are established.

The ADS automatic initiation delay timer is provided to give HPCS ample time to automatically restore vessel level so that ADS actuation will not be needed. This delay timer is not provided for manual initiation since the operator will not initiate ADS until he determines it necessary without further delay.

c. LPCS The LPCS has an armed manual initiation pushbutton in parallel with the automatic initiation logic. This manual initiation will also initiate LPCI A.

d. LPCI LPCI A is manually initiated through the LPCS initiation circuitry in parallel with the automatic initiation logic which will also initiate LPCS. The LPCI B and C systems have an armed manual initiation pushbutton in parallel with the automatic initiation logic.

7.3-134 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.1.2.3.1.18 Access to Set Point Adjustments (IEEE 279 1971, paragraph 4.18)

Access to set point adjustments is under the administrative control of plant operations personnel.

The logic cabinets are located in the control room where access is under the control of the operator. Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete.

7.3.2.1.2.3.1.19 Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)

a. HPCS The discussion provided in this section for the LPCI subsystem is equally applicable to the HPCS.

b. ADS The discussion in this section for the LPCI subsystem is equally applicable to the ADS.

c. LPCS The discussion provided in this section for the LPCI subsystem is equally applicable to the LPCS.

d. LPCI Protective actions are directly indicated and identified by annunciator operation, sensor relay indicator lights, or action of the sensor relay, which has an identification tag and a clear glass front window permitting convenient, visible verification of the relay position. Any one of these indications should be adequate, so this combination of annunciation and visible verification of relay actuation fulfills the requirements of this criterion.

7.3.2.1.2.3.1.20 Information Readout (IEEE 279-1971, paragraph 4.20)

a. HPCS HPCS operator information is provided as follows:

7.3-135 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. Valve position lights for each automatic valve

2. Meter readouts for HPCS flow and HPCS pump discharge pressure

3. HPCS logic and system status lights

4. Annunciators for parameters that affect HPCS operation Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the HPCS function is available and/or operating properly.

b. ADS The information provided to the operator pertinent to ADS status is as follows:

1. Annunciators

2. Valve position lights for each valve

3. Reactor vessel level indication (a) Reactor vessel level is indicated in the control room.

From the foregoing it can be seen that change of state of any active component from its normal condition is called to the operator's attention; therefore, the indication is considered to be complete and timely. The condition of the ADS pertinent to plant safety is also considered to be adequately covered by the indications and alarms delineated above.

c. LPCS Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCS function is available and/or operating properly.

d. LPCI 7.3-136 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the LPCI function is available and/or operating properly.

7.3.2.1.2.3.1.21 System Repair (IEEE 279-1971, paragraph 4.21)

The HPCS, ADS, LPCS and LPCI control systems are designed to permit repair or replacement of components.

All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of shelf life than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 weeks.

Recognition and location of a failed component are accomplished during periodic testing. The simplicity of the logic makes the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the type of relays used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings, and electrical connectors are utilized for ease of removal.

7.3.2.1.2.3.1.22 Identification (IEEE 279-1971, paragraph 4.22)

The ECCS panels for HPCS, ADS, LPCS, and LPCI are identified by colored nameplates. The nameplate shows the division to which each panel or rack is assigned, and also identifies the function in the system of each item of the control panel. The system to which each relay belongs is identified on the relay panels.

Identification of cables and cable tray systems used for ECCS and other safety-related systems is discussed in subsection 8.3.1.3.

7.3-137 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.1.2.3.2 IEEE 308-1971 Class IE ac and dc power supply system ECCS loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised.

7.3.2.1.2.3.3 IEEE 323-1971 See subsection 3.11.2.

7.3.2.1.2.3.4 IEEE 338-1971 The ECCS systems are fully testable during normal operation in conformance with IEEE Std 338-1971. For further discussions of how the system designs conform, refer to FSAR subsections 7.3.1.1.1.3.9, 7.3.1.1.1.4.9, 7.3.1.1.1.5.9 and 7.3.1.1.1.6.9.

Operation of each instrument channel is testable from the sensor to the final logic relay. The pressure sensor may be valved out of service and test pressures applied to the sensor to check operation of the complete instrument channel, sensor to trip unit. The channels monitoring the same variable may be cross-compared. A calibration module may be used to test the trip unit of each channel. These tests will not interfere with automatic operation of the system if required by an initiation signal.

Periodic testing is performed in accordance with plant procedures. These procedures establish the administrative control for removing from service only one instrument channel at a time. Plant procedures establish the frequency schedule and documentation required for the testing. The testing is performed at intervals so that credible failure may be detected and repaired before it would reduce reliability of the system.

7.3.2.1.2.3.5 IEEE 344-1971/1975 The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.3-138 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.1.2.3.6 IEEE-379-1972 The Single Failure Criterion of IEEE 279-1971, paragraph 4.2 as further defined in IEEE 379-1972, "Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems" is met as described in subsection 7.3.2.1.2.3.1.2.

7.3.2.1.2.3.7 IEEE 384-1974 The criteria for independence of IEEE 279-1971, Paragraph 4.6 as further defined in IEEE 384-1974, are met as described in Subsection 7.3.2.1.2.3.1.6.

7.3.2.2 Containment and Reactor Vessel Isolation Control System Instrumentation and Controls 7.3.2.2.1 Conformance to General Functional Requirements The containment and reactor vessel isolation control instrumentation and control system (CRVICS) is analyzed in this subsection. This system is described in subsection 7.3.1.1.2, and that description is used as the basis for this analysis. The safety design bases and specific regulatory requirements of this system are stated in subsection 7.1.2.1.2. This analysis shows conformance to the requirements given in that subsection.

The containment and reactor vessel isolation control instrumentation and control system, in conjunction with other safety systems, is designed to provide timely protection against the onset and consequences of the gross release of radioactive materials from fuel and reactor coolant pressure boundaries.

Chapter 15 identifies and evaluates postulated events that can result in gross failure of fuel and reactor coolant pressure boundaries. The consequences of such gross failures are described and evaluated. Chapter 15 also evaluates a gross breach in a main steam line outside the containment during operation at rated power. The evaluation shows that the main steam lines are automatically isolated in time to prevent the loss of coolant from being great enough to allow uncovering of the core. These results are true even if the longest closing time of the valve is assumed.

The shortest possible main steam line valve closure time is 3 seconds. The transient resulting from a simultaneous closure of all main steam isolation valves in 3 seconds during reactor operation at rated power is discussed in Chapter 15.

7.3-139 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.2.2 Conformance to Specific Regulatory Requirements 7.3.2.2.2.1 Conformance to NRC Regulatory Guides General exceptions and positions taken, and the revision of the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the CRVICS are discussed in this subsection.

7.3.2.2.2.1.1 Regulatory Guide 1.11 Conformance to Regulatory Guide 1.11 is discussed in subsection 6.2.4.

7.3.2.2.2.1.2 Regulatory Guide 1.22

a. MSIV The main steam line isolation valves, associated logic, and sensor devices may be tested from the sensor device to one of the two solenoids required to verify that there are no obstructions to the valve stem at full power. A reduction in power is necessary to avoid reactor scram before performing a valve closure using two fast-acting main solenoids.

b. Other Isolation Valves:

Except for the main steam line isolation valves, all isolation valves may be tested from sensor to actuator during plant operation. The test may cause isolation of the process lines involved, but this is tolerable.

c. MSL High Radiation Monitoring and Process Radiation Monitoring (PRM) Subsystems:

These subsystems conform to Regulatory Guide 1.22 in that provisions which allow periodic testing of individual channels have been built into the monitoring instruments and the trip systems.

7.3.2.2.2.1.3 Regulatory Guide 1.29 All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as seismic Category I.

7.3-140 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.2.2.1.4 Regulatory Guide 1.30 The post operation quality assurance program is discussed in Chapter 17.

7.3.2.2.2.1.5 Regulatory Guide 1.47 Bypassed and inoperable status indication meets the requirements of Regulatory Guide 1.47 as stated in subsection 7.5.2.5.5 and as discussed in subsection 7.5.1.3.

7.3.2.2.2.1.6 Regulatory Guide 1.53 MSIV, Other Isolation Valves, MSL High Radiation Monitoring, and PRM Subsystems:

Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the engineered safeguards systems to meet the single failure criterion, Section 4.2 of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 379-1972, "IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems." Redundant sensors are used, and the logic is arranged to ensure that a failure in a sensing element or the decision logic of an actuator will not prevent protective action. Separated channels are employed, so that a fault affecting one channel will not prevent the other channels from operating properly.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when required. Testing incorporates all elements of the system under one test mode or another, including sensors, trip logic, trip systems, trip functions, and actuated equipment. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests.

During testing there are always enough channels and systems available for operation to provide proper protection.

7.3.2.2.2.1.7 Regulatory Guide 1.62 MSIV and Other Isolation Valves:

7.3-141 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Means are provided for manual initiation of reactor isolation at the system level through the use of four armed pushbutton switches.

Operation of these switches accomplishes the initiation of all functions performed by the automatic initiation circuitry.

The amount of equipment common to initiation of both manual reactor isolation and automatic isolation is kept to a minimum through implementation of manual reactor isolation at the final devices (relays) of the protection system. No failure in the manual, automatic or common portions of the protection system will prevent initiation of reactor isolation by manual or automatic means.

Manual initiation of reactor isolation, once initiated, goes to completion as required by IEEE 279-1971 Section 4.16.

7.3.2.2.2.1.8 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.3.2.2.2.1.9 Regulatory Guide 1.73 Conformance to Regulatory Guide 1.73 is discussed in subsection 3.11.2.

7.3.2.2.2.1.10 Regulatory Guide 1.75 Physical independence of electric systems of the containment and reactor vessel isolation control system is provided by channel independence for sensors exposed to each process variable using electrical and mechanical separation. Physical separation is maintained between redundant elements of the redundant trip systems thereby adding to the reliability of operation.

7.3.2.2.2.1.11 Regulatory Guide 1.89 The qualification of Class IE equipment for the containment and reactor vessel isolation control system is covered by subsection 3.11.2.

7.3-142 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.2.2.1.12 Regulatory Guide 1.106 Conformance to Regulatory Guide 1.106 is discussed in subsection 7.1.2.6.21.

7.3.2.2.2.2 Conformance to 10 CFR 50 Appendix A

a. Criterion 10 Appropriate margin has been provided to assure that specified acceptable fuel design limits are not exceeded.

b. Criterion 13

1. MSIV and Other Isolation Valves The integrity of the reactor core and the reactor coolant pressure boundary is assured by monitoring the appropriate plant variables and closing various isolation valves.

2. MSL High Radiation Monitoring and PRM Subsystems These subsystems conform to criterion 13 in that the instruments employed more than adequately cover the anticipated range of radiation under normal operating conditions with sufficient margin to include postulated accident conditions.

c. Deleted

d. Criterion 20

1. MSIV and Other Isolation Valves The containment and reactor vessel isolation control system automatically isolates the appropriate process lines. No operator action is required to effect an isolation.

2. MSL High Radiation Monitoring Subsystem The subsystem conforms to criterion 20 in that activation of the trip circuits results in alarm annunciator activation.

3. PRM Subsystem 7.3-143 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The subsystem conforms to criterion 20 in that activation of the trip circuit will result in alarm annunciator activation and a trip signal being sent to the plant vent system.

e. Criterion 21 MSIV, Other Isolation Valves, MSL High Radiation Monitoring, and PRM Subsystems:

The high reliability relay and switch devices are arranged in two redundant divisions and maintained separately.

Complete testing is covered in the discussion on conformance to Regulatory Guide 1.22 (subsection 7.3.2.2.2.1.2).

f. Criterion 22

1. MSIV and Other Isolation Valves Two redundant divisions are physically arranged so that no single failure can prevent an isolation.

Functional diversity of sensed variables is utilized.

2. MSL High Radiation Monitoring and PRM Subsystems These subsystems conform to criterion 22 in that the effects of natural phenomena and normal operation (including testing) will not result in the loss of protection.

g. Criterion 23

1. MSIV and Other Isolation Valves The system logic and actuator signals are failsafe.

The motor operated valves fail as is on loss of power.

2. MSL High Radiation Monitoring and PRM Subsystems These subsystems conform to criterion 23 in that the trip circuits associated with each channel have been designed to specifically "fail-safe" in the event of loss of power.

h. Criterion 24 7.3-144 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

MSIV, Other Isolation Valves, MSL High Radiation Monitoring, and PRM Subsystems:

The system has no control functions. The equipment is physically separated from the control system equipment to the extent that no single failure in the control system can prevent isolation.

i. Criterion 29 MSIV, Other Isolation Valves, MSL High Radiation Monitoring, and PRM Subsystems:

No anticipated operational occurrence will prevent this equipment from performing its safety function. No anticipated operational occurrence will prevent an isolation.

j. Criterion 34 MSIV and Other Isolation Valves:

Isolation signals are provided for the shutdown cooling subsystem of the RHR System.

k. Criterion 64 PRM Subsystem:

Continuous radiation monitoring is provided for this discharge path under all reactor conditions.

7.3.2.2.2.3 Industry Codes and Standards 7.3.2.2.2.3.1 IEEE 279-1971 7.3.2.2.2.3.1.1 General Functional Requirement (IEEE 279-1971, paragraph 4.1)

a. CRVICS The CRVICS initiates automatic closure of specific isolation valves from trip signals generated by specified process variables and maintains the valves in a closed position without further application of power until such time as a manual reset is permissible.

7.3-145 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The control system from each sensor to trip function is capable of initiating appropriate action and of doing it in a time commensurate with the need for valve closure.

Total time, from the point where a process out-of-limits condition causes a channel trip to the energizing or de-energizing of appropriate valve actuators, is less than 200 milliseconds. The closure time of valves ranges upward from a minimum of 3 seconds for the main steam line isolation valves, depending upon the urgency for isolation considering possible release of radioactivity. Thus it can be seen that the control initiation time is at least an order of magnitude lower than the minimum required valve closure time. Speed of the sensors and valve actuators are chosen to be compatible with the isolation function considered.

Accuracy of each of the sensing elements is sufficient to accomplish the isolation initiation within required limits without interfering with normal plant operation.

The reliability of the isolation control system is compatible with and higher than the reliability of the actuated equipment (valves).

The CRVICS equipment is designed for the full range of environmental conditions enumerated as follows:

1. Power supply voltage Tolerance exists to any degree of power supply failure in one motive power system or one control power system.

2. Power supply frequency Tolerance exists to any degree of power supply failure in one power system or one control power system.

3. Temperature System operates within required time limit at all temperatures that can result from an accident.

4. Humidity 7.3-146 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

System operates within required time limit at humidities (steam) that can result from a loss-of-coolant accident.

5. Pressure System operates at all pressures resulting from LOCA as required.

6. Vibration Tolerance to conditions stated in Section 3.10.

7. Malfunctions System is tolerant to any single component malfunction in any mode.

8. Accidents The system is designed to have tolerance against damage and misoperation due to environmental conditions induced by a design basis accident.

9. Fire System is tolerant to any single raceway fire, or fire within a single enclosure.

10. Explosion Explosions are not defined in design bases.

11. Missiles System has tolerance to any single missile destroying no more than one pipe, raceway, or cabinet.

12. Lightning Tolerance to lightning damage is limited to one auxiliary bus system.

13. Flood All control equipment is located above flood level by design.

7.3-147 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

14. Earthquake Tolerance to conditions stated in Section 3.10.

15. Wind and tornado Seismic Category I buildings house all control equipment.

16. System response time Responses are within requirements commensurate with the need to initiate CRVICS.

17. System accuracies Accuracies are within that needed for correct timely action.

18. Abnormal ranges of sensed variables The system is designed with tolerance against damage and misoperation due to abnormal ranges of sensed variables.

Valves and wiring which must function in the drywell environment in the event of a loss-of-coolant accident will have fulfilled their function within a very short time after such an event has occurred; probably before the environment has attained the design basis values.

b. Main Steam Line Radiation Monitoring Subsystem The main steam line radiation monitoring subsystem will detect and promptly indicate a gross release of fission products from the fuel under any operation for any combination of main steam lines.

On detection of a gross release of fission products from the fuel, the subsystem will initiate appropriate alarm annunciators and provide a "trip-occurred" signal to the reactor water sample valves via the RPS.

The high-high radiation trip setting is selected so that a trip will result from the fission products released at a low steam flow condition in the design basis rod drop accident. The setting is sufficiently above the 7.3-148 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) background radiation level in the vicinity of the main steam lines that spurious trips are unlikely at rated power. Yet the setting is low enough to trip on the fission products calculated to be released during the design basis rod drop accident. The amount of fuel damage and fission product release involved in this accident is relatively small. It is concluded that, for any situation involving gross fission product release, the main steam line radiation monitoring subsystem can provide prompt safety action.

c. Radiation Monitoring Subsystem The physical location and monitoring characteristics of the radiation monitoring channels are adequate to detect abnormal amounts of radioactivity in the exhaust ducts and to initiate isolation. The redundancy and arrangement of channels ensure that no single failure can prevent isolation when required. During refueling operation (including criticality tests) the monitoring system acts as an engineered safeguard against the consequences of the refueling accident and the rod drop accident. The response of the radiation monitoring subsystem to the refueling accident is presented in Chapter 15, Accident Analysis.

The purpose of this subsystem is to initiate isolation of potentially contaminated plant ventilation effluent paths and initiate containment isolation in the event of excessive amounts of radioactive gases and particulate in the containment. For two channels, two-out-of-two high-high radiation or inoperative trips shall close all drywell inboard and containment outboard ventilation isolation valves.

For the other two channels, the same signals will close equivalent drywell outboard and containment inboard ventilation isolation valves.

7.3.2.2.2.3.1.2 Single Failure Criterion (IEEE 279-1971 Paragraph 4.2)

a. CRVICS 7.3-149 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Tolerance to the following single failures has been incorporated into the control system design and installation:

1. Single open circuit

2. Single short circuit

3. Single relay failure to pickup

4. Single relay failure to drop out

5. Single module failure (including multiple shorts, opens, and grounds)

6. Single control cabinet destruction (including multiple shorts, opens, and grounds)

7. Single instrument panel destruction (including multiple shorts, opens, and grounds)

8. Single wireway destruction (including multiple shorts, opens, and grounds)

9. Single control power supply failure (any mode)

10. Single motive power supply failure (any mode)

11. Single control circuit failure

12. Single sensing line (pipe) failure

13. Burnout of any single electrical component.

b. PRM Subsystem This criterion is met since there are two independent pairs of channels which initiate redundant equipment. One failure effects only one pair of channels.

The single failure criterion has been met by the use of redundant sensors and logic to provide isolation functions, and by seismic and environmental testing of the subsystem components. A single failure in any portion of the subsystem channel circuitry or trip system logic will not prevent a required isolation function from being accomplished.

7.3-150 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Two separate power supplies have been provided to ensure that a single power failure will not cause a spurious isolation; however, a complete power failure will cause an isolation to occur.

c. MSL Radiation Subsystem The main steam line high radiation trip meets the single failure criterion by use of two redundant gamma sensors in each of two different locations which are designed to sense the same variable. The outputs from the sensors are connected and routed separately to two independent trip systems. A single failure would not inhibit accomplishment of the required isolation function. The equipment has been seismically and environmentally qualified to ensure operation.

Power is provided from two independent sources. A complete loss of power would cause an isolation to occur.

7.3.2.2.2.3.1.3 Quality of Components and Modules (IEEE 2791971 Paragraph 4.3)

a. CRVICS Components used in the isolation system have been carefully selected on the basis of suitability for the specific application. All of the sensors and logic relays are of the same types used in the RPS. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

1. Switch and relay contacts carry no more than 50 percent of their continuous current rating.

2. Isolation control is de-energized to trip, instead of energized to trip, and is thus made to call attention to the failures that may occur in coil circuits, connections or contacts.

3. Instrumentation and controls are heavy duty industrial type which have been subjected to the manufacturer's normal quality control and have undergone functional testing on the panel assembly floor as part of the integrated module test prior to 7.3-151 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications or have been qualified by tests are selected for use in the isolation system.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B. Minimum maintenance has been assumed to have been achieved if components can be reasonably expected to last 40 years or more without wearing out or failing under their maximum anticipated duty cycle (including testing).

b. PRM Subsystem The sensors and converters as well as the indicator and trip units are fully described in GE technical manuals, and have been used in other GE boiling water reactor power plants.

7.3.2.2.2.3.1.4 Equipment Qualification (IEEE 279-1971 Paragraph 4.4)

CRVICS:

No sensory components of the isolation system are required to operate in the drywell environment with the exception of the condensing chambers and sensing lines. All other sensory equipment is located outside the drywell and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss of ventilation and loss-of-coolant accident) conditions.

Reactor vessel level sensors are of the same type as for the RPS and meet the same standards. Drywell high pressure sensors are the same ones used for the RPS and meet the same standards. Control panels and relay logic cabinets are located in the control room environment which presents no new or unusual operating considerations.

All components used in the isolation system have demonstrated reliable operation in similar nuclear power plant protection systems, in industrial applications, or by testing.

7.3-152 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Qualification tests to qualify the items for this application on the component and module level are conducted by General Electric's Nuclear Energy Division.

In situ operational testing of the detectors, monitors and channels will be performed at the site during the preoperational test phase.

7.3.2.2.2.3.1.5 Channel Integrity (IEEE 279-1971 Paragraph 4.5)

a. CRVICS The isolation system is designed to tolerate the spectrum of failures listed under the general requirements and the single failure criterion, and so it satisfies the channel integrity objective of this paragraph.

b. PRM Subsystem The channel components will be operable under the predetermined normal and abnormal circumstances.

The trip channel components have been selected to fulfill these minimum requirements.

7.3.2.2.2.3.1.6 Channel Independence (IEEE 279-1971 Paragraph 4.6)

The four trip channels of this protective function are electrically isolated and physically separated in order to meet this design requirement.

Channel independence for sensors exposed to each process variable is provided by electrical and mechanical separation. Physical separation is maintained between redundant elements of the redundant control systems which will add to reliability of operation.

7.3.2.2.2.3.1.7 Control and Protection Interaction (IEEE 279-1971 Paragraph 4.7)

a. CRVICS

1. Classifications of Equipment There is no control function in the system. It is strictly a protection system.

7.3-153 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

2. Isolation Devices Isolation is provided between protective circuits and computer and annunciator circuits by the use of electronic isolators.

3. Single Random Failure No single random failure of a control system can prevent proper action of the isolation channel designed to protect against the condition.

4. Multiple Failures Resulting from a Credible Single Event. Analysis 3 above applies directly.

b. PRM Subsystem The four monitors for this protective function comply with this design requirement. Isolators are used to provide isolation signals to close appropriate valves. Separation of inboard and outboard circuitry prevents postulated failures from impairing subsystem operation.

7.3.2.2.2.3.1.8 Derivation of System Inputs (IEEE 279-1971 Paragraph 4.8)

a. CRVICS The inputs which initiate isolation valve closure are direct measures of variables that indicate a need for isolation, viz., reactor vessel low level, drywell high pressure, and pipe break detection. Pipe break detection utilizes methods of recognition of the presence of a material that has escaped from the pipe, rather than detecting actual physical changes in the pipe itself, so the system might more properly be called a leak detection system, and this is, in fact, the terminology most generally accepted and used at present.

b. PRM Subsystem The measurement of radiation in the containment and drywell ventilation exhaust is the appropriate variable to determine radioactive releases from the containment.

7.3-154 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.2.2.3.1.9 Capability for Sensor Checks (IEEE 279-1971 Paragraph 4.9)

a. CRVICS The instruments, which provide input signals to the CRVICS, can be checked one at a time by application of simulated signals. These include level, pressure, radiation and flow. Temperature sensors along the main steam line are testable by altering main steam line flow and observing the resulting ambient temperature change for recorded points and by lowering the set point until trip occurs for points connected to temperature switches.

Temperature sensors in the ventilation ducts are checked periodically by removing them from their wells and applying heat to the sensitive zone, and also by calibration, which requires removal from the circuit during calibration and replacement by calibrated units.

b. PRM Subsystem Due to the two-out-of-two configuration of the trip logic, one channel at a time may be removed from service to perform periodic tests.

7.3.2.2.2.3.1.10 Capability for Test and Calibration (IEEE 279-1971 Paragraph 4.10)

a. CRVICS All active components of the containment and reactor vessel isolation control system can be tested and calibrated during plant operation. The radiation sensors can be crosschecked against their companions for verification of operability and since they are used with reference to background, they do not require actual sensitivity verification on a frequent basis. The auxiliary relay circuits can be tested individually by pulling the individual valve circuit fuses and observing relay drop-out as manifested by the indicators provided on the contact blocks of each relay.

b. PRM Subsystem 7.3-155 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

An internal trip test circuit, adjustable over the full range of the trip circuit, is provided. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a trip. All trip circuits are the latching type and must be manually reset at the front panel.

Means for calibrating these monitor units is provided, which consists of a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and convertor unit. It provides several gamma radiation levels between 1 and 250 mrem/hr. The calibration unit source is Co60.

A cavity in the calibration unit receives the sensor and converter unit. Located on the back wall of the cylindrical lower half of the cavity is a window through which radiation from the source emanates. A chart on each unit indicates the radiation levels available from the unit for the various control settings.

7.3.2.2.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971 Paragraph 4.11)

a. CRVICS Calibration of each sensor will introduce a single instrument channel trip. This does not cause a trip function without the coincident trip of at least one other instrument channel.

b. PRM Subsystem During the periodic test of any given channel, the controls associated with a monitor permit the monitor to be tested for proper operation and the two-out-of-two trip system logic prevents system level protective action. The two-out-of-two trip system logic channel when in the test mode provides an inoperative trip signal in order to meet the single failure requirements.

7.3.2.2.2.3.1.12 Operating Bypasses (IEEE 279-1971 Paragraph 4.12)

a. CRVICS 7.3-156 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The isolation valve control system has two bypasses. One is the main steam line low pressure bypass which is imposed by means of the mode switch in the other-than-run mode. The mode switch cannot be left in this position with neutron flux measuring power above 10 percent of rated power without imposing a scram. Therefore, the bypass is considered to be removed in accordance with the intent of IEEE 279-1971, although it is a manual action that removes it rather than an automatic one.

The low condenser vacuum bypass is imposed by means of four keylock manual bypass switches, one for each division. Bypass removal is accomplished manually when normal condenser vacuum is reestablished, by placing the bypass switches in the normal position.

In the case of the motor operated valves, electrical closure of the valve (either through automatic logic circuits or operation of the valve's control switch by the operator) can be prevented by shutting off electrical power to the motor starters. This action is indicated in the control room by indication lights going out. Both indication lights are de-energized because their power supply is taken from the same circuit as the valve motor starter.

As in other engineered safeguards systems many of the sensors for process variables operate from instrument lines hooked up, by necessity, with root valves and instrument valves. Shutting off these valves in certain selected combinations can disable redundant sensors and thus prevent operation of the system. Precautions are taken to preclude such a possibility by requiring that all instrument valves associated with engineered safeguards input sensors be maintained under the administrative control of plant operations personnel.

b. PRM Subsystem No operational bypasses are provided with this subsystem.

7.3.2.2.2.3.1.13 Indication of Bypasses (IEEE 279-1971 Paragraph 4.13)

a. CRVICS 7.3-157 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The mode switch bypass of the main steam line isolation signal is not indicated directly in the control room except by the position of the mode switch handle. The bypass of the low condenser vacuum is directly indicated in the control room by an annunciator.

As with other safeguards systems, there are means of deliberately rendering the system inoperative without giving indication of such conditions in the control room.

For instance, power supply breakers can be opened at motor control centers, or wires can be disconnected in an energize-to-operate system without giving indication. Nor is the so called "fail-safe" system immune from the equally disabling action of jumpering of normally closed contacts so their action will not be seen by the system.

Instrument valve shutoff is another disabling mechanism which is not directly indicated in the control room, but such action is under the operator's procedural control and cannot be taken without permission of responsible authorized personnel.

b. PRM Subsystem A downscale annunciation is produced during the monitor tests with its front panel controls. Substitution of the process input with a simulated input to the monitor produces downscale and upscale annunciations in the control room under specific conditions of the test.

7.3.2.2.2.3.1.14 Access to Means for Bypassing (IEEE 279-1971 Paragraph 4.14)

a. CRVICS The mode switch and condenser vacuum bypass switch are the only bypass switches affecting the containment isolation control system, and are centrally located on the operator's control console and reactor core cooling benchboard, respectively, and are keylocked.

As discussed in the paragraphs above, the instrument valves are not allowed to be operated without permission from responsible authorized plant operations personnel.

b. PRM Subsystem 7.3-158 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

During the periodic test, administrative control procedures must be followed to remove one monitor from service and subsequently return it to service.

7.3.2.2.2.3.1.15 Multiple Set Points (IEEE 279-1971 Paragraph 4.15)

Paragraph 4.15 of IEEE 279-1971 is not applicable because all set points are fixed.

7.3.2.2.2.3.1.16 Completion of Protection Action Once Initiated (IEEE 279-1971 Paragraph 4.16)

a. CRVICS All isolation decisions are sealed-in downstream of the decision making logic, so valves go to the closed position which ends protective action. Manual reset action is provided by two reset switches, so that inboard valves will be reset independent of outboard valves. This feature is incorporated only to augment the electrical separation of the inboard and outboard valves and not for any need to reset them separately.

b. PRM Subsystem The monitor output trip circuit remains in a tripped state whenever the gamma radiation level exceeds the established set point.

7.3.2.2.2.3.1.17 Manual Action (IEEE 279-1971 Paragraph 4.17)

a. CRVICS The CRVICS has four divisionally separated manual initiation switches which will separately activate each of the four MSIV logic streams and isolation system initiation at the system level.

The logic for manual initiation is one-out-of-two twice for the main steam line isolation valves and two-out-of-two for the other isolation valves. The manual initiation switches require two distinct operator actions (armed pushbuttons), to initiate the safety action. The manual 7.3-159 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) initiation circuits are at the system level, redundant, separated, testable during power operation, and meet the single failure criterion.

Manual controls are separated so that a single failure will not inhibit an isolation. The separation of devices is maintained in both the manual and automatic portion of the system so that no single failure in either the manual or automatic portions can prevent an isolation by either manual or automatic means.

b. PRM Subsystem This design requirement is not applicable to this protective function.

7.3.2.2.2.3.1.18 Access to Set Point Adjustments (IEEE 279- 1971 Paragraph 4.18)

a. CRVICS Access to set point adjustments for the CRVICS and logic cabinets is under administrative control of the plant operator.

Because of these restrictions, compliance with this requirement of IEEE-279 is considered complete.

b. PRM Subsystem Access to the monitors is under the administrative control of plant personnel.

7.3.2.2.2.3.1.19 Identification of Protective Actions (IEEE 279-1971 Paragraph 4.19)

a. CRVICS A common annunciator is provided for all sensor channels of each trip parameter. One annunciator is provided for all divisions of main steam line isolation and drain valves trip logics. This annunciator provides the operator with immediate indication of MSIV pilot valve deenergization and main steam line isolation valve closure.

b. PRM Subsystem 7.3-160 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Operation of the monitor front panel controls, whether for calibration or test purposes, results in an inoperative annunciation from that channel in the control room.

7.3.2.2.2.3.1.20 Information Readout (IEEE 279-1971 Paragraph 4.20)

a. CRVICS The information presented to the operator by the containment and reactor vessel isolation control system are as follows:

1. Annunciation of each process variable which has reached a trip point

2. Computer readout of trips on main steam line tunnel temperature or main steam line excess flow

3. Control power failure annunciation on each channel

4. Annunciation of steam leaks in each of the systems monitored, viz., main steam, cleanup, and RHR

5. Open and closed position lights for each isolation valve.

b. PRM Actuation of any radiation monitor to produce a tripped condition will initiate a control room annunciation and/or computer alarm.

This information is considered to fulfill the requirements for information readout.

7.3.2.2.2.3.1.21 System Repair (IEEE 279-1971 Paragraph 4.21)

a. CRVICS Those components which are expected to have a moderate need for replacement are designed for convenient removal.

This includes the temperature amplifier units and thermocouples in the ventilation ducts. The amplifier units are of circuit card or replaceable module construction and the thermocouples are replaceable units with disconnectable heads. Pressure sensors, vessel level 7.3-161 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) sensors, etc., can be replaced in a reasonable length of time, but these devices are considered to be permanently installed although they have nonwelded connections at the instrument, which will allow replacement. As with other safeguards, system reliability is built in rather than approached by accelerated maintenance. All devices in the system can be reasonably expected to last 40 years without failure, with the duty cycle expected to be imposed, including testing. However failures can be detected during periodic testing and replacement time will be nominal. Sensors are connected to instrument tubing with separate screwed or bolted fittings, and electrical connectors are utilized for ease of removal.

The main steam tunnel temperature elements are not accessible during normal plant operation because of radiation from the main steam lines. However, there are dual-element thermocouples with both elements wired to junction boxes outside the high radiation area. If an active element fails during plant operation the spare element can be easily wired into service at the junction box.

b. PRM Subsystem The one-to-one relationship of detector, monitor, and trip circuitry permits the operator to identify a faulty channel and determine the defective component.

Provisions have been made to facilitate repair of the channel components during plant operation.

7.3.2.2.2.3.1.22 Identification of Protection Systems (IEEE 279-1971 Paragraph 4.22)

a. CRVICS Panels and racks which house isolation system equipment are identified by a distinctive color marker plate listing the system name and designation of the particular redundant portion of the system. Cables, conduits and raceways are color coded displaying the appropriate redundant portion of the system, as described in subsection 8.3.1.3.

b. PRM Subsystem 7.3-162 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Special identification is provided for these monitors by special colored marker plates which identify the reactor protection system division with which the units are associated.

Identification of cables and cable trays is described in subsection 8.3.1.3.

Instrument panels in the control room are identified by tags which indicate the system and logic contained in each panel.

7.3.2.2.2.3.2 Conformance to IEEE 308-1971 Class IE ac power supply systems are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised.

7.3.2.2.2.3.3 Conformance to IEEE 317-1972/1983 Conformance to IEEE 317 is discussed in conjunction with Regulatory Guide 1.63 in subsection 8.3.1.2.3.1. (Note: IEEE 317-1983 applies only to fiber optic penetration assemblies.)

7.3.2.2.2.3.4 Conformance to IEEE 323-1971 The components of the CRVICS are covered by subsection 3.11.2.

7.3.2.2.2.3.5 Conformance to IEEE 336-1971 The post operation quality assurance program is discussed in Chapter 17.

7.3.2.2.2.3.6 Conformance to IEEE 338-1971 The system is testable during reactor operation. The test will completely test the sensors through to the final actuators, demonstrate independence of channels, and bare any credible failures while not negating the isolation function.

7.3.2.2.2.3.7 Conformance to IEEE 344-1971/1975 The seismic qualification of components of the containment and reactor vessel isolation control system is covered by Section 3.10. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 7.3-163 Revision 2020-009

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

10. SQRT review was subsequently performed against IEEE 344-1975.Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.3.2.2.2.3.8 Conformance to IEEE 379-1972 The single failure criterion of IEEE 279 as defined by IEEE 379-1972 is fully complied with in the design of the CRVICS.

7.3.2.2.2.3.9 Conformance to IEEE 384-1974 Conformance to IEEE 384 is discussed in subsection 7.1.2.4.10.

7.3.2.3 Main Steam Isolation Valve - Leakage Control System (MSIV-LCS) - Instrumentation and Controls 7.3.2.3.1 Conformance to General Functional Requirements The MSIV-LCS has redundant and separate instrumentation and controls to ensure that the system will be able to maintain its functional capability assuming a single active or passive failure. Instrumentation and controls are safety grade and selected to be operable under worst case environmental and seismic conditions at their respective location.

The use of different divisional power for the redundant system ensures that the system will be operable upon loss of a single divisional power.

Interlocks are provided to prevent inadvertent operation of the system under normal plant operation. Additional interlocks are provided to turn the system off when excessive flow occurs or when safe operating conditions are not met.

7.3.2.3.2 Conformance to Specific Regulatory Requirements 7.3.2.3.2.1 Conformance to Regulatory Guides General exceptions and positions taken on the Regulatory Guides, and the revision of the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the MSIV-LCS are discussed in this subsection.

7.3-164 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.3.2.1.1 Regulatory Guide 1.22 The MSIV-LCS can be tested during reactor operation. Testing will be performed in overlapping stages to assure system performance while preventing the accidental release of radioactive steam to the auxiliary building.

7.3.2.3.2.1.2 Regulatory Guide 1.29 All instrumentation and controls are tested and qualified to meet seismic Category I requirements and will be functional after a seismic event.

7.3.2.3.2.1.3 Regulatory Guide 1.30 The post operation quality assurance program is described in Chapter 17.

7.3.2.3.2.1.4 Regulatory Guide 1.47 The bypassed and inoperable status indication meets the requirements of Regulatory Guide 1.47 as stated in subsection 7.5.2.5.5 and as discussed in subsection 7.5.1.3.

7.3.2.3.2.1.5 Regulatory Guide 1.53 The system is designed with two independent and redundant portions to ensure that no single failure can prevent the safety function.

7.3.2.3.2.1.6 Regulatory Guide 1.62 System initiation is manual from the control room. Interlocks are provided to prevent inadvertent manual initiation during normal reactor power operation.

7.3.2.3.2.1.7 Regulatory Guide 1.75 The instrumentation and control devices and power supplies for each subsystem are completely separate and independent. Separate and independent conduits are routed from each device to the respective subsystem enclosure. The system conduit groupings comply with the requirements of this regulatory guide. Each subsystem has a separate and independent control room panel.

7.3-165 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.3.2.1.8 Regulatory Guide 1.89 The qualification of Class IE equipment for the MSIV-LCS is discussed in subsection 3.11.2.

7.3.2.3.2.1.9 Regulatory Guide 1.96 The MSIV-LCS is designed to comply with this regulatory guide, with the exception that the MSIV-LCS is not designed to reduce and control stem packing leakage or other direct leakage to the steam tunnel from the outboard MSIVs. Leakage from valve stem packing is within the SGTS boundary and addressed in subsection 5.2.5.2.

7.3.2.3.2.2 Conformance to 10 CFR 50, Appendix A 7.3.2.3.2.2.1 Criteria 13, 21, 22, 23, 24, 60 13 - Instrumentation and indicators are provided to monitor all of the variables that are necessary for the proper operation of the system.

21 - Components used are selected to specific requirements to assure high functional reliability. The system can be tested and failures determined during normal plant operations.

22 - The two subsystems are independent and physically separated with separate instruments and controls to provide assurance against loss of the protective function.

23 - The system is designed to close all valves upon loss of logic control power.

24 -The system has no control function.

60 - The MSIV leakage control system is designed to reduce the release of radioactive material.

7.3-166 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.3.2.3 Conformance to Industry Standards 7.3.2.3.2.3.1 IEEE 279-1971 7.3.2.3.2.3.1.1 General Functional Requirement (IEEE 279, paragraph 4.1)

The MSIV-LCS has no auto initiation feature but can be manually initiated from the Control Room after a LOCA event. After initiation, the operating control system can be shut down by signals indicating high steam line pressure or high reactor pressure. This prevents operation under conditions that could cause system damage or where system operation is neither necessary nor appropriate. The MISV-LCS is designed to initiate appropriate action to minimize the release of fission products that could leak through the closed MSIVs and bypass the SGTS after the postulated LOCA.

7.3.2.3.2.3.1.2 Single Failure Criterion (IEEE 279, paragraph 4.2)

The MSIV-LCS consists of two subsystems, inboard and outboard.

The two subsystems feature separate and independent sets of controls and instrumentation and meet the single failure criterion.

7.3.2.3.2.3.1.3 Quality of Components and Modules (IEEE 279, paragraph 4.3)

Components used in the MSIV-LCS have been carefully selected on the basis of suitability for the specific application. The logic relays have been selected with conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant.

Equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with requirements set forth in 10 CFR 50, Appendix B.

7.3.2.3.2.3.1.4 Equipment Qualification (IEEE 279, paragraph 4.4)

Class IE equipment qualification is demonstrated by the vendors or others by type tests on actual equipment in accordance with the purchase specification. Where necessary, operating experience or 7.3-167 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) analysis is used to supplement type tests. Qualification documentation is maintained to verify that the equipment is qualified.

7.3.2.3.2.3.1.5 Channel Integrity (IEEE 279, paragraph 4.5)

The MSIV-LCS is designed to maintain its functional capability under the environmental conditions, electrical transients, and malfunctions that may occur in the design basis LOCA.

7.3.2.3.2.3.1.6 Channel Independence (IEEE 279, paragraph 4.6)

Channel independence for sensors is provided by electrical and mechanical separation. Physical separation is maintained between the inboard and outboard subsystems to increase reliability of operation. The MSIV-LCS is sufficiently separated to give a high degree of reliability. There are no interfaces between the subsystems.

7.3.2.3.2.3.1.7 Control and Protection System Interaction (IEEE 279, paragraph 4.7)

There is no interaction between the MSIV-LCS and any control system.

7.3.2.3.2.3.1.8 Derivation of System Inputs (IEEE 279, paragraph 4.8)

All input signals to the instrument and control systems are derived from direct measurement of system variables.

7.3.2.3.2.3.1.9 Capability of Sensor Checks (IEEE 279, paragraph 4.9)

The sensors which are used for inputs to the MSIV-LCS can be checked one at a time by application of simulated signals during normal plant operation.

7.3.2.3.2.3.1.10 Capability of Test and Calibration (IEEE 279, paragraph 4.10)

All active components of the MSIV-LCS can be tested during plant operation. Valves can be tested by operating manual switches in the control room and observing indicating lights. Operation of the blowers from manual switches verifies the ability of the 7.3-168 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) starters and blowers to operate properly. Instrument set points are tested by simulated signals of sufficient magnitude to verify that the set points are within limits.

7.3.2.3.2.3.1.11 Channel Bypass or Removal from Operation (IEEE 279, paragraph 4.11)

The system design of two redundant and independent subsystems permits the removal from operation of one subsystem for testing, calibration, or maintenance without preventing the other subsystem from being operated in performance of its protective function.

7.3.2.3.2.3.1.12 Operating Bypasses (IEEE 279, paragraph 4.12)

There are no operating bypasses within the MSIV-LCS.

7.3.2.3.2.3.1.13 Indication of Bypasses (IEEE 279, paragraph 4.13)

When parts of the system have been deliberately made inoperative for test, calibration, or maintenance, indication of this condition is provided in the control room.

7.3.2.3.2.3.1.14 Access to Means for Bypassing (IEEE 279, paragraph 4.14)

Access to switchgear motor control centers and instrument valves is procedurally controlled by the following administrative means:

a. Lockable doors on the emergency switchgear rooms

b. Lockable breaker control switch handles in the motor control centers

c. Instrument valve position is under the administrative control of plant operations personnel and cannot be changed without permission of responsible authorized personnel.

7.3.2.3.2.3.1.15 Multiple Set Points (IEEE 279, paragraph 4.15)

All set points are fixed.

7.3-169 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.3.2.3.1.16 Completion of Protection Action Once Initiated (IEEE 279, paragraph 4.16)

The MSIV-LCS will remain in continuous operation after system initiation unless manually terminated or system isolation set points are exceeded. The inboard subsystem will isolate on high reactor pressure or high steam line pressure. The outboard subsystem will isolate on high reactor pressure or high steam line pressure.

7.3.2.3.2.3.1.17 Manual Actuation (IEEE 279, paragraph 4.17)

The MSIV-LCS can be initiated manually, at system level, from the control room.

7.3.2.3.2.3.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE 279, paragraph 4.18)

Access to set point adjustments, calibration points and test points is under administrative controls of qualified plant personnel.

7.3.2.3.2.3.1.19 Identification of Protective Actions (IEEE 279, paragraph 4.19)

Initiation of the MSIV-LCS is indicated in the control room.

7.3.2.3.2.3.1.20 Information Read-Out (IEEE 279, paragraph 4.20)

Meters located in the control room provide indication of process variables necessary for the proper operation of the MSIV-LCS.

Indicator lights actuated by valve position switches provide valve position indication.

7.3.2.3.2.3.1.21 System Repair (IEEE 279-1971, paragraph 4.21)

The system is designed to provide easy recognition of malfunctioning equipment through proper test procedures.

Accessibility is provided for the sensors and controls to facilitate repair or adjustment. MSIV-LCS isolation valves are located in the steam tunnel and repair will have to be made during shutdown.

7.3-170 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.3.2.3.1.22 Identification of Protection Systems (IEEE 279-1971, paragraph 4.22)

Color coded nameplates identify each logic cabinet and instrument panel of the MSIV-LCS.

7.3.2.3.2.3.2 Compliance to IEEE 308-1971 MSIV-LCS loads are physically separated and electrically isolated into redundant load groups so that safety action provided by redundant counterparts are not compromised.

7.3.2.3.2.3.3 Compliance to IEEE 323-1971 The Class IE equipment qualification is demonstrated by the vendor or others by type tests on actual equipment in accordance with the purchase specification. Where necessary, operating experience or analysis is used to supplement type tests.

Qualification documentation is maintained to verify that the equipment is qualified.

7.3.2.3.2.3.4 Compliance to IEEE 338-1971 The operability of the MSIV-LCS can be verified and credible failures are detectable through testing during normal plant operation. Each subsystem logic through the final actuators may be tested independent of the other subsystem. The input sensors and set points are checked by the application of simulated signals. A failure of a subsystem while testing will not prevent the other subsystem from being initiated.

7.3.2.3.2.3.5 Compliance to IEEE 344-1971/1975 Capability of the instruments and controls to meet seismic requirements has been demonstrated by the manufacturer or others.

Documentation to verify that the equipment is seismically qualified is maintained in the Seismic Qualification Central File. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position

10. SQRT review was subsequently performed against IEEE 344-1975.Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.3-171 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.3.2.3.6 Compliance to IEEE 379-1972 The single failure criterion of IEEE 279-1971, paragraph 4.2, as further defined in IEEE 379-1972 is met as described in subsection 7.3.2.3.2.3.1.2.

7.3.2.4 Containment Spray Cooling Mode (RHR) Instrumentation and Controls 7.3.2.4.1 General Functional Requirements Conformance When the RHR system is in the containment spray cooling mode, the pumps take suction from the suppression pool, pass it through the RHR heat exchangers, and inject it into the containment atmosphere.

In the event that containment pressure exceeds a predetermined limit, the RHR system flow will be diverted to containment spray headers (Containment Spray Mode of RHR). The flow of the RHR pump will pass through the containment spray nozzles quenching any steam.

7.3.2.4.2 Specific Regulatory Requirements Conformance 7.3.2.4.2.1 Regulatory Guides Conformance 7.3.2.4.2.1.1 Regulatory Guide 1.6 Conformance to this regulatory guide is achieved by dividing the containment spray electric power loads into Division l (Containment Spray A) and Division 2 (Containment Spray B) so that loss of any one division will not prevent the minimum safety functions from being performed. No interconnections exist which can compromise redundant power sources.

7.3.2.4.2.1.2 Regulatory Guide 1.11 Conformance to Regulatory Guide 1.11 is discussed in subsection 6.2.4.2.4 and 6.2.4.2.5.

7.3.2.4.2.1.3 Regulatory Guide 1.22 Conformance to this regulatory guide is achieved by providing system and component testing capability, either during reactor power operation or shutdown.

7.3-172 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.2.1.4 Regulatory Guide 1.29 All electrical and mechanical devices and circuitry between process instrumentation and protective actuators and monitoring of systems important to safety are classified as Seismic Category I, and is covered under Section 3.10.

7.3.2.4.2.1.5 Regulatory Guide 1.30 The quality assurance requirements of IEEE 336-1971 are applicable during the plant design and construction phases (see Section 7.1) and will also be implemented as an operational QA program during plant operation in response to Regulatory Guide 1.30. The specific requirements of Regulatory Guide 1.30 are met as discussed in Chapter 17.

7.3.2.4.2.1.6 Regulatory Guide 1.32 Conformance is described in the conformance to General Design Criterion 17 (see subsection 3.1.2.2.8) and IEEE 308-1974.

7.3.2.4.2.1.7 Regulatory Guide 1.47 Indication and annunciation is provided in the control room to inform the operator that a system or part of a system is inoperable. See subsection 7.5.1.3 for a discussion of the bypass indication capability provided.

7.3.2.4.2.1.8 Regulatory Guide 1.53 The system is designed with two independent and redundant trip systems to assure that no single failure can prevent the safety function.

7.3.2.4.2.1.9 Regulatory Guide 1.62 This system is manually initiated from the control room.

Interlocks are provided to prevent inadvertent manual initiation during normal reactor power operation. The manual controls are easily accessible to the operator so that action can be taken in an expeditious manner. Operation of the manual initiation accomplishes all of the actions performed by the automatic initiation circuitry.

7.3-173 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

No single failure in the manual, automatic or common portion of the protection system will prevent initiation by manual means.

Manual initiation, once initiated, goes to completion as required by IEEE 279-1971, Section 4.16 unless manually reset.

7.3.2.4.2.1.10 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in Subsection 8.3.1.2.3.1.

7.3.2.4.2.1.11 Regulatory Guide 1.73 Conformance to Regulatory Guide 1.73 is discussed in Subsection 3.11.2.

7.3.2.4.2.1.12 Regulatory Guide 1.75 Physical independence of electrical systems is provided by separation and isolation of redundant portions of the system including sensors, wiring, logic devices, and actuating equipment. Signals between redundant Class IE divisions and between Class IE and non-Class IE circuits are electrically and physically isolated to preclude a single failure from preventing the safety function. In addition, short circuit separation between wiring carrying essential and nonessential power is provided within a division by grounded metallic conduit. This prevents a single short-circuit failure from propagating to redundant power supplies.

7.3.2.4.2.1.13 Regulatory Guide 1.89 A discussion of the degree of conformance is contained in Section 3.11.2.

7.3.2.4.2.1.14 Regulatory Guide 1.106 Conformance to Regulatory Guide 1.106 is discussed in subsection 7.1.2.6.22.

7.3.2.4.2.2 Conformance to 10CFR50, Appendix A, General Design Criteria

a. Criterion 13: Instrumentation and Control 7.3-174 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Instrumentation is provided to monitor variables and systems over their anticipated ranges for normal operation, anticipated operational occurrences, and accident conditions to assure adequate safety.

b. Criterion 20: Protection System Functions Sensors are provided which sense accident conditions and initiate the CSCS as described in subsection 7.3.1.1.4.4.

c. Criterion 21: Protection System Reliability and Testability Functional reliability of the CSCS is assured by compliance with the requirements of IEEE Standard 279-1971, as described in subsections 7.3.1.2 and 7.3.2.4.3.1.

Testing of the CSCS is in compliance with IEEE Standard 338-1971, as described in subsection 7.3.2.4.3.5.

d. Criterion 22: Protection System Independence Independence of the CSCS is assured by design which includes redundancy as described in subsection 7.3.1.1.4.7.

e. Criterion 23: Protection System Failure Modes A single failure in a trip system is acceptable because a redundant trip system is available to fulfill the required safety action. The motor operated valves fail "as-is" on loss of power.

f. Criterion 24: Separation of Protection and Control Systems The CSCS are separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to both, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.

g. Criterion 34: Residual Heat Removal 7.3-175 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A system is provided to remove reactor residual heat to assure that the specified acceptable fuel design limits are not exceeded.

h. Criterion 38: Containment Heat Removal The containment spray cooling system is provided to assure heat removal from the reactor containment following any loss-of-coolant accident.

i. Criterion 40: Testing of Containment Heat Removal System The containment heat removal system is designed to permit the appropriate periodic pressure and functional testing.

7.3.2.4.3 Conformance to Industry Codes and Standards 7.3.2.4.3.1 IEEE 279-1971 7.3.2.4.3.1.1 General Functional Requirement (IEEE 279-1971, paragraph 4.1)

Containment Spray Design IEEE 279-1971 Requirement Provision AUTO-INITIATION

a. Appropriate Appropriate action for the Action: containment spray control system is defined as activating equipment for introducing water into the containment spray discharge valves.

7.3-176 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Containment Spray Design IEEE 279-1971 Requirement Provision

b. Precision Precision is a term that does not apply strictly to the containment spray system control because of the wide range of set point values that could give appropriate action. However, the sensory equipment will positively initiate action before process variables go beyond precisely established limits.

c. With Reliability Reliability of the control system is compatible with the controlled equipment.

d. Environmental Conditions Over Full Range of Transient and Steady-State Conditions

1. Power Supply Tolerance is provided to any Voltage degree of ac power supply voltage fluctuation within one division such that voltage regulation failures in one division cannot negate successful low pressure core cooling. DC power supply failure will likewise affect only one of the two containment spray divisions.

2. Power Supply Same as d.1. above.

Frequency Excessive frequency reduction is indicative of an onsite power supply failure and equipment shutdown in that division is required.

7.3-177 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Containment Spray Design IEEE 279-1971 Requirement Provision

3. Temperature Operable at all temperatures that can result from any design basis loss-of-coolant (LOCA) accident.

4. Humidity Operability at humidities (steam) that can result from LOCA.

5. Pressure Operable at all pressures resulting from a LOCA as required.

6. Vibration Tolerance to conditions stated in Section 3.10.

7. Malfunctions Tolerance to any single component failure to operate on command.

8. Accidents Tolerance to all design basis accidents without malfunction.

9. Fire Tolerance to a single raceway or enclosure fire or mechanical damage.

10. Explosion Explosions not defined in bases.

11. Missiles Tolerance to any single missile destroying no more than one pipe, raceway, or electrical enclosure.

12. Lightning Tolerance to lightning damage limited to one auxiliary bus system. See comments under d.1.

7.3-178 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Containment Spray Design IEEE 279-1971 Requirement Provision

13. Flood All control equipment is located above flood level by design or protected against flooding.

14. Earthquake Tolerance to conditions stated in Section 3.10.

15. Wind Seismic Category I buildings house all control equipment.

16. System Response Responses are within the Time requirements commensurate with the need to start containment spray.

17. System Accuracies are within that Accuracies needed for correct timely action.

18. Abnormal Sensors do not saturate when Ranges overranged.

of Sensed Variables 7.3.2.4.3.1.2 Single-Failure Criterion (IEEE 279-1971, paragraph 4.2)

Redundancy in equipment and control logic circuitry is provided so that it is not possible that the complete containment spray system can be rendered inoperative using single failure criteria.

Two trip systems are provided. Division 1 trip system is provided to initiate loop A equipment and Division 2 trip system is provided to initiate loop B equipment.

Tolerance to the following single failures or events is provided in the sensing channels, trip systems, trip functions, and actuated equipment so that these failures will be limited to the possible disabling of the initiation of only one loop:

7.3-179 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. Single open circuit

b. Single short circuit

c. Single component failure open

d. Single component failure shorted or grounded

e. Single module failure (including shorts, opens, and grounds)

f. Single electrical enclosure involvement (including shorts, opens, and grounds)

g. Single local instrument cabinet destruction (including shorts, opens, and grounds)

h. Single raceway destruction (including shorts, opens, and grounds)

i. Single control power supply failure

j. Single motive power supply failure

k. Single control circuit failure

l. Single sensing line (pipe) failure

m. Burnout of any single electrical component All components used in the containment spray system have demonstrated reliable operation in similar nuclear power plant protection systems or industrial applications or in qualification tests meeting the requirements of IEEE 323.

7.3.2.4.3.1.3 Quality Components (IEEE 279-1971, paragraph 4.3)

Components used in the containment spray control system have been carefully selected on the basis of suitable conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant as illustrated below:

a. Switch and relay contacts carry no more than 50 percent of their continuous current rating.

b. Controls are energized to operate and have brief and infrequent duty cycles.

7.3-180 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Motor starters and breakers are effectively derated for motor starting applications since their nameplate ratings are based on short circuit interruption capabilities as well as on continuous current carrying capabilities.

Short-circuit current-interrupting capabilities are many times the starting current for the motors being started, so that normal duty does not begin to approach maximum equipment capability.

d. Normal motor starting equipment ratings include allowance for a much greater number of operating cycles than the emergency core cooling or containment spray applications will demand, including testing.

e. Instrumentation and controls are rated for application in the normal, abnormal, and accident environments in which they are located.

f. These components are subjected to the manufacturer's normal quality control and undergo functional testing on the panel assembly floor as part of the integrated module test prior to shipment of each panel. Only components which have demonstrated a high degree of reliability and serviceability in other functionally similar applications, or qualified by tests, are selected for use.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

7.3.2.4.3.1.4 Equipment Qualification (IEEE 279-1971, paragraph 4.4)

No components of the containment spray system are required to operate in the drywell environment. All sensory equipment is located outside the drywell but inside the containment and is capable of accurate operation with wider swings in ambient temperature than results from normal or abnormal (loss-of-ventilation and loss-of-coolant accident) conditions.

7.3-181 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.3.1.5 Channel Integrity (IEEE 279-1971, paragraph 4.5)

The containment spray system instrument channels (low water level or high drywell pressure or high containment pressure) are designed to satisfy the channel integrity objective without taking credit for safe failure modes of equipment.

7.3.2.4.3.1.6 Channel Independence (IEEE 279-1971, paragraph 4.6)

Channel independence of the sensors for each variable is provided by electrical isolation and mechanical separation. The A and E sensors for reactor vessel low water levels, for instance, are located on one local instrument panel that is identified as Division 1 equipment, and the B and F sensors are located on a second instrument panel, widely separated from the first and identified as Division 2 equipment. The A and E sensors have a common process tap, which is widely separated from the corresponding tap for sensors B and F. Disabling of one or all sensors in one location does not disable the control for the other division.

Logic cabinets for Division 1 are in a separate physical location from that of Division 2, and each division is complete in itself, with its own station battery control and instrument bus, power distribution buses, and motor control centers. The divisional split is carried all the way from the process taps to the final activated equipment, and includes both control and motive power supplies.

7.3.2.4.3.1.7 Control and Protection Interaction (IEEE 279 1971, paragraph 4.7)

The containment spray system is a safety system designed to be independent of plant control systems. Annunciator circuits receiving outputs from the system cannot impair the operability of the system control because of electrical isolation.

7.3.2.4.3.1.8 Derivation of System Inputs (IEEE 279-1971, paragraph 4.8)

The inputs which are permissive for the containment spray system are direct measures of the variables that indicate need for containment cooling. Drywell and containment high pressure is sensed by pressure transmitters. Reactor vessel level is sensed by vessel water level transmitters.

7.3-182 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.3.1.9 Capability for Sensor Checks (IEEE 279-1971, paragraph 4.9)

All sensors (reactor vessel level, drywell high pressure and containment high pressure) are of the pressure sensing type and are installed with calibration taps and instrument valves, to permit testing during normal plant operation or during shutdown.

The sensors can be checked by application of test pressure from a low pressure source after closing the instrument valve and opening the calibration valve. This verifies the operability of the sensors as well as the calibration range. The trip units mounted in the control room are calibrated separately by introducing a calibration source and verifying the set point through the use of a digital readout on the trip calibration module.

7.3.2.4.3.1.10 Capability for Test and Calibration (IEEE 279-1971, paragraph 4.10)

The containment spray system is capable of being completely tested during normal plant operation to verify that each element of the system, active or passive, is capable of performing its intended function. Motor-operated valves can be exercised by the appropriate control logic and starters, and all indications and annunciations can be observed as the system is tested.

The instrument channel trip set point may be tested by introducing a test signal of sufficient magnitude to trip the instrument channel trip device. The change of state of the trip device may be observed by visual inspection of the trip device output indicator light on the logic cabinet.

Calibration of the mechanical portion of the sensing elements may be performed when the plant is shut down. The transmitters must be valved such that a test pressure can be applied.

7.3.2.4.3.1.11 Channel Bypass or Removal from Operation (IEEE 279-1971, paragraph 4.11)

Calibration of each sensor will introduce a single instrument channel trip. This does not cause a protective function without coincident operation of a second channel.

7.3-183 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning if accident conditions occur. Removal of an instrument channel from service during calibration will be brief.

7.3.2.4.3.1.12 Operating Bypasses (IEEE 279-1971, paragraph 4.12)

Containment spray has no operating bypasses.

7.3.2.4.3.1.13 Indication of Bypasses (IEEE 279-1971, paragraph 4.13)

There are no automatic bypasses of any part of the containment spray control system. Deliberate opening of the valve motor breaker will give annunciation and de-energization of both valve position lights in the control room.

The racking-out of 4160 volt breakers is controlled procedurally and access is limited to authorized personnel. Consequently, this is considered equivalent to removing a valve or pump for maintenance. This is a maintenance procedure which is administered by tagging the removed breaker control switch located in the control room. In addition, abnormal position of the breaker is annunciated in the control room.

7.3.2.4.3.1.14 Access to Means for Bypassing (IEEE 279-1971, paragraph 4.14)

Access to switchgear, motor control centers, and instrument valves will be procedurally controlled by the following administrative means:

a. Instrument valve position is under the administrative control of plant operations personnel and cannot be changed without permission of responsible authorized personnel.

b. Lockable doors on emergency switchgear rooms

c. Lockable breaker control switch handles in the motor control centers.

7.3-184 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.3.1.15 Multiple Trip Settings (IEEE 279-1971, paragraph 4.15)

Paragraph 4.15 of IEEE 279 is not applicable because all set points are fixed.

7.3.2.4.3.1.16 Completion of Protection Action Once it is Initiated (IEEE 279-1971, paragraph 4.16)

The final control elements for the containment spray system are essentially bistable, i.e., pump breakers stay closed without control power, and motor-operated valves stay open once they have reached their open position, even though the motor starter may drop out (which will occur when the valve open limit switch is reached). In the event of an interruption in ac power the control system will reset itself and recycle on restoration of power.

Thus, protective action once initiated must go to completion or continue until terminated by deliberate operator action.

7.3.2.4.3.1.17 Manual Actuation (IEEE 279-1971, paragraph 4.17)

In no event can failure of an automatic control circuit for equipment in one division disable the manual electrical control circuit for the other containment spray division. Single electrical failures cannot disable manual control of the containment spray function.

Both containment sprays A and B have manual initiation switches in parallel with the automatic initiation logic.

7.3.2.4.3.1.18 Access to Set Point Adjustment (IEEE 279-1971-Paragraph 4.18)

Access to set point adjustments and logic cabinets for the containment spray system is under the administrative control of plant operations personnel.

Because of these restrictions, compliance with this requirement of IEEE 279 is considered complete.

7.3-185 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.3.1.19 Identification of Protective Actions (IEEE 279-1971, paragraph 4.19)

Protective actions are directly indicated and identified by annunciator operation and instrument channel indicator lights.

Either of these indications should be adequate, so this combination of annunciation and visible verification fulfills the requirements of this criterion.

7.3.2.4.3.1.20 Information Readout (IEEE 279-1971, paragraph 4.20)

Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the containment spray function is available and/or operating properly.

7.3.2.4.3.1.21 System Repair (IEEE 279-1971, paragraph 4.21)

The containment spray control system is designed to permit repair or replacement of components.

All devices in the system are designed for a 40-year lifetime under the imposed duty cycles with periodic maintenance. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of shelf life than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service. The pump breakers are an exception to this with regard to the large number of operating cycles available. Nevertheless, even these breakers should not require contact replacement within 40 years, assuming periodic pump starts each 3 weeks.

Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. Sensors which are connected to the instrument piping are connected with separate screwed or bolted fittings, and electrical connectors are utilized for ease of removal.

7.3-186 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.3.1.22 Identification (IEEE 279-1971, paragraph 4.22)

A colored nameplate identifies each logic cabinet and instrument panel that are part of the containment spray system. The nameplate shows the division to which each panel or cabinet is assigned, and also identifies the function in the system of each item on the control panel.

Identification of cables and cable trays is discussed in subsection 8.3.1.3.

Instrument panels in the control room are identified by tags which indicate the system and logic contained in each panel.

7.3.2.4.3.2 Conformance to IEEE 308-1971 Class IE ac and dc power supply system containment spray cooling mode loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised.

7.3.2.4.3.3 Conformance to IEEE 317-1972/1983 Conformance to IEEE 317 is discussed in conjunction with Regulatory Guide 1.63 in subsection 8.3.1.2.3.1. See subsection 3.11.2 for a discussion on the degree of conformance. (Note: IEEE 317-1983 applies only to fiber optic penetration assemblies.)

7.3.2.4.3.4 Conformance to IEEE 336-1971 The post operation quality assurance program is discussed in Chapter 17.

7.3.2.4.3.5 Conformance to IEEE 338-1971 The operability of the containment spray cooling can be verified and failures are detectable through testing during normal plant operation. Each subsystem logic through the final actuators may be tested independent of the other subsystem. The input sensors and set points are checked by the application of simulated signals. A failure of a subsystem while testing will not prevent the other subsystem from being initiated.

7.3-187 Revision 2020-009

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.4.3.6 Conformance to IEEE 344-1971/1975 The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.3.2.4.3.7 Conformance to IEEE 379-1972 The single failure criterion of IEEE 279-1971, paragraph 4.2, as further defined in IEEE 379-1972, is met as described in subsection 7.3.2.4.3.1.2.

7.3.2.4.3.8 Conformance to IEEE 384-1974 The criteria for independence of IEEE 279-1971, paragraph 4.6, as further defined in IEEE 384-1974, are met as described in subsection 7.3.2.4.3.1.6.

7.3.2.5 Combustible Gas Control System 7.3.2.5.1 Conformance to 10 CFR 50 General Design Criteria General Design Criteria, established in Appendix A of 10 CFR 50, which are applicable to the CGCS are listed in Table 7.1-3.

Additional information is provided below.

a. Criterion 13: Instrumentation and Control Instrumentation is provided in the CGCS to monitor the appropriate variables required to automatically initiate the system, or to provide the operator with the information required to evaluate the need for manual initiation. The variables monitored are listed in Table 7.3-13. The ranges provided assure continuous monitoring during system operation. The system operates in order to maintain combustible gas levels below the flammable range.

b. Deleted

c. Criterion 20: Protection System Functions The plant conditions under which the CGCS must operate are shown in Chapter 15. Initiation circuits are des- cribed in subsections 7.3.1.1.5.1.1 and 7.3.1.1.5.2.1.

Initiation of the drywell purge system is automatic.

7.3-188 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

However, the operator must manually start the hydrogen recombiners and hydrogen igniters which are provided for long term hydrogen control. Hydrogen recombination will not be required for 4 days after a LOCA as described in subsection 6.2.5.3.3.

d. Criterion 21: Protection System Reliability and Testability Functional reliability of the CGCS is assured by compliance with the requirements of IEEE Standard 279-1971 as described in subsections 7.3.1.2 and 7.3.2.5.2.

Testing is in compliance with IEEE Standard 338-1971, as described in subsection 7.3.2.5.3.

e. Criterion 22: Protection System Independence Independence of the CGCS is assured by design which includes redundancy and diversity as described in subsections 7.3.1.1.5.1.6, 7.3.1.1.5.2.6, 7.3.1.1.5.1.7 and 7.3.1.1.5.2.7.

f. Criterion 23: Protection System Failure Modes The CGCS logic circuits are designed to fail to the preferred condition. Logic relays are de-energized to initiate the system. Motor operated vacuum relief and purge isolation valves fail as-is. Refer to subsection 7.3.2.5.5 for a discussion of failure modes of the CGCS.

g. Criterion 24: Separation of Protection and Control System The CGCS is physically and electrically separated from the nonessential normal vacuum relief control system. Failure of nonessential components will not interfere with protective actions.

h. Criterion 41: Containment Atmosphere Cleanup The CGCS serves to control the concentration of hydrogen in the containment and drywell atmosphere. Refer to subsection 6.2.5.2 for a description of CGCS operation.

Redundancy is described in subsections 7.3.1.1.5.1.6 and 7.3.1.1.5.2.6. Isolation is accomplished automatically by motor-operated isolation and check valves for drywell 7.3-189 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) penetrations and by two air operated valves for containment penetrations. The CGCS purge and vacuum relief lines are normally at atmospheric pressure. There is therefore no need for a leak detection system for these lines.

i. Criterion 42: Inspection of Containment Atmosphere Cleanup System Inspection of the CGCS is discussed in subsection 6.2.5.4.

j. Criterion 43: Testing of Containment Atmosphere Cleanup Systems Testing of the CGCS is discussed in subsections 6.2.5.4 and 7.3.2.5.3.

k. Criterion 54: Piping Systems Penetrating Containment Leak detection and isolation are discussed under Criterion 41 above. Redundancy is discussed in subsections 7.3.1.1.5.1.6 and 7.3.1.1.5.2.6. System testing is discussed in subsections 6.2.5.4 and 7.3.2.5.3.

l. Criterion 56: Primary Containment Isolation Both the drywell purge system and hydrogen control system are located entirely within the primary containment. The containment purge system penetrates the primary containment. Automatic isolation is provided upon detection of a LOCA by air operated valves on either side of the penetration. These valves are located as close as practical to the penetration and fail closed on loss of either instrument air or electric power. Hydrogen analyzer sample lines also penetrate containment and are addressed in Sections 3.1.2.5.7, 6.2.4.1, 6.2.4.2.4 and Table 6.2-44.

7.3.2.5.2 Conformance to IEEE Standard 279-1971 The CGCS is designed to conform to the requirements of Section 4 of IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, as described in this section.

a. Requirement 4.1: General Functional Requirement 7.3-190 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Actuation of the CGCS is automatic upon detection of a LOCA. Protective actions are taken when the containment vs drywell differential pressure reaches its set points as discussed in subsection 7.3.1.1.5. Actuation of the hydrogen recombiners is manual by the operator when the hydrogen concentration reaches the level discussed in subsection 7.3.1.1.5.2.1.1. Actuation of the hydrogen igniters is manual by the operator when directed by the emergency procedures.

b. Requirement 4.2: Single Failure Criterion The CGCS is comprised of two independent sets of controls for the physically separated actuated systems and meets the single failure criterion. Refer to subsection 7.3.2.5.5 for a discussion of failure modes and effects analysis.

c. Requirement 4.3: Quality of Components and Modules All components are specified to be of high quality and to require minimum maintenance. The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28, and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The CGCS components meet the equipment requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to the environment, energy supply, malfunctions, and accidents.

7.3-191 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Loss of or damage to any one path will not prevent the protective action of the redundant path. Sensors are piped so that blockage or failure of any one connection does not prevent protective system action. The process transmitters are located in the containment and are specified and rated for the intended service. Components that must operate during or after the LOCA are rated for the LOCA environment.

f. Requirement 4.6: Channel Independence Channel independence is provided by electrical and physical separation between the redundant systems.

g. Requirement 4.7: Control and Protection System Interaction The nonessential normal vacuum relief system is entirely separate and isolated from the CGCS. Isolation circuits are provided between the CGCS and the computer and annunciator circuits.

h. Requirement 4.8: Derivation of System Inputs The signals used for system inputs are direct measures of the desired variables. Manual initiation of the hydrogen recombiners is based on control room indication of hydrogen levels. Manual initiation of hydrogen igniters is based on control room indication of parameters identified in the emergency procedures.

i. Requirement 4.9: Capability for Sensor Checks CGCS sensors are checked by cross-checking between channels. Sufficient sensors are provided to readily identify a defective channel. The hydrogen analyzers may be checked from the control room and calibrated locally by the introduction of a calibration gas to the sample line.

j. Requirement 4.10: Capability for Test and Calibration Testing of the CGCS is discussed in subsections 6.2.5.4 and 7.3.2.5.3.

k. Requirement 4.11: Channel Bypass or Removal from Operation 7.3-192 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Any one of the protective system channels may be tested, calibrated, or repaired without initiating protective action. The single failure criterion continues to be met during these conditions.

l. Requirement 4.12: Operating Bypasses There are no operating bypasses in the CGCS. Portions of the CGCS may, however, be manually bypassed by pulling a fuse or tripping the feeder breakers to an emergency switchgear section or racking out a compressor motor starter feeder breaker at a motor control center.

m. Requirement 4.13: Indication of Bypasses Loss of control power or power to any component device is continuously indicated in the control room.

n. Requirement 4.14: Access to Means for Bypassing Access to all means for bypassing the CGCS is under administrative control.

o. Requirement 4.15: Multiple Set Points There are no multiple set points in the CGCS.

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated Once initiated, operator action is required to return each component of the CGCS to its normal state. Return to normal is prevented by the control system as long as the initiation signal is present.

q. Requirement 4.17: Manual Initiation Each valve, compressor, and hydrogen recombiner is capable of individual manual initiation from the control room.Each system is capable of being initiated manually, on the system level, from the control room.

r. Requirement 4.18: Access to Set Point Adjustments 7.3-193 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Set point adjustments for the devices which are used by the combustible gas control systems are integral with the instruments on the instrument panels in the control room and are under the administrative control of the operator at all times.

s. Requirement 4.19: Identification of Protective Actions Initiation of either CGCS is annunciated in the control room. The status of each component of the system is also indicated by status lights in the control room.

t. Requirement 4.20: Information Readout Refer to Section 7.5 for a discussion of safety related display information.

u. Requirement 4.21: System Repair Identification of a defective channel is accomplished by observation of system status lights or by testing as described in subsection 7.3.2.5.3. Replacement or repair of components is accomplished with the affected channel bypassed. The affected trip system then operates in a two-out-of-three trip logic.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF identification system.

7.3.2.5.3 Conformance to IEEE Standard 338-1971 All components of the CGCS can be tested during plant operation.

Valves and compressors can be tested from control room switches to verify operability. Each channel can be individually tested without initiating a trip function. Each of the two divisions of igniters can be actuated from control room switches to verify that power is available to the circuit. Upon the occurrence of a LOCA, any automatic isolation valve or drywell purge compressor test will be automatically overridden by the LOCA signal. Refer to subsection 6.2.5.4 for a discussion of testing of CGCS mechanical equipment.

7.3-194 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Testing of the drywell purge compressors is accomplished without initiating a scram (high drywell pressure) by opening the normal drywell purge line to return the containment air discharged into the drywell back to the containment coolers suction plenum.

7.3.2.5.4 Branch Technical Position EICSB 19 Since the CGCS is not a hydrogen mixing system, the specific recommendations of Branch Technical Position EICSB 19, "Acceptability of Design Criteria for Hydrogen Mixing and Drywell Vacuum Relief Systems," do not apply.

Although the drywell purge lines form a potential bypass around the suppression pool, a combination of automatic control system action and check valves on each purge line prevents the opening of these lines after an accident until blowdown is complete.

7.3.2.5.5 Failure Modes and Effects Analysis Failure modes and effects analysis for the CGCS is provided in Table 7.3-15. For failure modes of mechanical equipment refer to Table 6.2-46.

7.3.2.6 Feedwater Leakage Control (FWLC) System 7.3.2.6.1 Conformance to 10 CFR 50 General Design Criteria General Design Criteria, established in Appendix A of 10 CFR 50, which are applicable to the FWLC System, are listed in Table 7.1-

3. Additional information is provided below.

a. Criterion 13: Instrumentation and Control Instrumentation is provided for FWLC system manual initiation after LOCA occurrence to prevent the release of radioactivity through the feedwater lines isolation valves.

b. Deleted

c. Criterion 21: Protection System Reliability and Testability 7.3-195 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Functional reliability of the FWLC system is ensured by compliance with the requirements of IEEE Standard 279-1971 as described in subsections 7.3.1.2 and 7.3.2.6.2.

Testing is in compliance with IEEE Standard 338-1971 as described in subsection 7.3.2.6.3

d. Criterion 22: Protection System Independence Independence of the FWLC system is ensured by the design which includes redundancy and diversity as described in subsections 7.3.1.1.6.6 and 7.3.1.1.6.7.

e. Criterion 23: Protection System Failure Modes The FWLC system is equipped with fail-as-is motoroperated isolation valves. Refer to subsection 7.3.2.6.4 for a discussion of failure modes of the FWLC System.

f. Criterion 24: Separation of Protection and Control Systems The FWLC system is composed of two subsystems which provide the same function. The subsystems are physically and electrically separated. Failure of nonessential components will not prevent system operation.

7.3.2.6.2 Conformance to IEEE Standard 279-1971 The FWLC system is designed to conform to the applicable requirements of Section 4 of IEEE 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," as described in this section.

a. Requirement 4.1: General Functional Requirement The feedwater leakage control system has no automatic initiation feature, but is manually actuated from the control room within about 20 minutes after a postulated design-basis LOCA, as per Regulatory Guide 1.96.

b. Requirements 4.2: Single Failure Criterion The FWLC system is composed of two separate, independently controlled subsystems. A single failure will not prevent proper protective action.

c. Requirement 4.3: Quality of Components and Modules 7.3-196 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

All components are specified to be of high quality and to require minimum maintenance. The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28, 1.30, and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The FWLC system components meet the equipment qualification requirements described in Sections 3.10 and 3.11

e. Requirement 4.5: Channel Integrity Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents. Loss of, or damage to, any one path will not prevent the protective action of the redundant path.

f. Requirement 4.6: Channel Independence The redundant FWLC subsystems are electrically and physically separated.

g. Requirement 4.7: Control and Protection System Interaction The FWLC system is utilized only as a protective system.

h. Requirement 4.8: Derivation of System Inputs The FWLC protection system inputs are direct measures of the desired variables.

7.3-197 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

i. Requirement 4.9: Capability for Sensor Checks The FWLC system sensors can be checked by introduction and variation, as applicable, of a test input to simulate the measured variable.

j. Requirement 4.10: Capability for Test and Calibration The primary sensors provide an analog (4-20 mA) signal to trip units in the control room. The trip units provide contact outputs to drive the trip system and allow initiation of a trip function. A calibration unit mounted in the same rack as the trip units provides means to perform an in-place calibration check or set point adjustment.

k. Requirement 4.11: Channel Bypass or Removal from Operation Either of the two FWLC subsystems may be tested, calibrated, or repaired without initiating protective action. The single failure criterion continues to be met during this time.

l. Requirement 4.12: Operating Bypasses There are no operating or automatic bypasses in the FWLC system. The FWLC system may, however, be manually bypassed by pulling a fuse or manually racking out the feeder breakers to an emergency switchgear section, or manually opening a valve motor starter feeder breaker at a motor control center.

m. Requirement 4.13: Indication of Bypasses Control room annunciation is provided for the loss of control power to FWLC system isolation valves, and for the loss of power to trip units or trip units in calibration.

n. Requirement 4.14: Access to Means for Bypassing Access to all means for bypassing the FWLC system is under administrative control.

o. Requirement 4.15: Multiple Set Points All set points in the FWLC system are fixed.

7.3-198 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated The feedwater leakage control system has no automatic initiation feature, but may be manually initiated by the control room operator following a design basis LOCA. The protective action will continue to operate provided the control logic permissives, feedwater shutoff valves position and feedwater leakage control system pressure, are satisfied, until subsequent operator action is initiated to stop the system.

q. Requirement 4.17: Manual Initiation The FWLC system is a manually initiated system. No single failure will prevent initiation of protective action.

r. Requirement 4.18: Access to Set Point Adjustments, Calibration and Test Points The electronic trip and calibration units are under administrative control in the control room.

s. Requirement 4.19: Identification of Protective Actions The status of each device in the system is indicated in the control room.

t. Requirement 4.20: Information Readout Refer to Section 7.5 for a discussion of safety-related display information.

u. Requirement 4.21: System Repair Each channel can be individually tested without initiating a trip function. System redundancy provides backup protection during test of one channel. Replacement or repair of components is accomplished with the affected channel bypassed.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF system identification system.

7.3-199 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.6.3 Conformance to IEEE Standard 338-1971 FWLC system inboard isolation valve and outboard isolation valve with interlock can only be checked during unit shutdown.

All other components of the FWLC system may be checked on a routine basis without initiating a trip function.

7.3.2.6.4 Failure Modes and Effects Analysis Failure modes and effects analysis for the FWLC system is provided in Table 7.3-18. For failure modes of mechanical equipment refer to Table 6.7-2.

7.3.2.7 Standby Service Water System 7.3.2.7.1 Conformance to 10 CFR 50 General Design Criteria General design criteria established in Appendix A of 10 CFR 50, which are applicable to the Standby Service Water System, are listed in Table 7.1-3. Additional information is provided below.

a. Criterion 13: Instrumentation and Control The SSW system includes seismic Category I instrumentation to monitor system pressure, temperature, flow, radiation, and appropriate levels. This instrumentation is not essential to system operation and does not serve to control the SSW system. Cooling water to essential components during normal, reactor shutdown, and reactor isolation modes and following a LOCA is assured by monitoring the control logic signals of the ESF systems served by the SSW system and starting the SSW system when required.

b. Criterion 20: Protection System Functions The SSW system supports other ESF systems as shown in Table 7.3-1. The plant conditions under which these systems, and hence the SSW system, operate, are shown in Chapter 15. Initiation circuits are automatic as described in subsection 7.3.1.1.7.1. The SSW system operates to serve other ESF systems and is initiated when they start. It contains the ultimate heat sink for rejection of heat from plant auxiliaries required for safe reactor shutdown.

7.3-200 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Criterion 21: Protection System Reliability and Testability Functional reliability of the SSW system is assured by compliance with the requirements of IEEE Standard 279-1971, as described in subsections 7.3.1.2 and 7.3.2.7.2.

Testing is in compliance with IEEE Standard 338-1971, as described in subsection 7.3.2.7.3.

d. Criterion 22: Protection System Independence Independence of the SSW system is assured by design which includes redundancy and diversity as described in subsections 7.3.1.1.7.6 and 7.3.1.1.7.7.

e. Criterion 23: Protection System Failure Modes Where protective action is required under adverse environmental conditions during postulated accidents, the SSW system components are designed to function under such conditions.

Failure modes of the SSW system components are discussed in subsection 7.3.2.7.4 and are shown in Table 7.3-21.

f. Criterion 24: Separation of Protection and Control Systems The process control and SSW control systems are physically and electrically separated so that failure in the process system will not cause failure in the SSW control system.

g. Criterion 34: Residual Heat Removal The SSW system serves to transfer fission product decay heat and other heat from the RHR heat exchangers to the ultimate heat sink. Redundancy is provided by serving the redundant RHR heat exchangers from separate SSW trains.

The SSW system also provides cooling to the RHR pumps and pump rooms on a redundant basis. The SSW system operates on either onsite or offsite power through the ESF bus.

h. Criterion 38: Containment Heat Removal 7.3-201 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Containment heat is rejected to the ultimate heat sink through the RHR heat exchangers by the SSW system.

Redundancy is as discussed under Criterion 34.

i. Criterion 44: Cooling Water The SSW system serves to transfer heat from structures, systems, and components important to safety, to the ultimate heat sink. Refer to subsection 9.2.1 for a description of the SSW system and to subsection 9.2.5 for a description of the ultimate heat sink.

Redundancy of the SSW system is described in subsection 7.3.1.1.7.6. Leak detection is provided by monitoring discharge flow from each pump and cooling tower return flow for each train and comparing readings. Control room annunciation is provided for leakage from the SSW system.

Leakage can also be detected by a high level alarm from any one of the sumps located throughout the plant. Both high alarms and standby sump pump operation signals are monitored by the plant computer.

The SSW trains are supplied from separate ESF power supplies to assure operation with either onsite or offsite power.

j. Criterion 46: Testing of Cooling Water System Testing of the SSW system is described in subsection 9.2.1.4.

k. Criterion 54: Piping Systems Penetrating Containment The SSW system piping penetrates the containment to serve equipment located inside the containment. Leak detection is as described under Criterion 44. Isolation is provided on the influent side by a remote manually operated isolation valve outside the containment and a simple check valve inside the containment, and on the effluent side by remote manually operated isolation valves both inside and outside the containment. Redundancy is provided by use of two isolation valves. The operation of the isolation valves may be tested from the control room.

l. Criterion 64: Monitoring Radioactivity Releases 7.3-202 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Radiation monitors are provided for Trains A and B of the SSW system to detect contamination resulting from a tube leak in one of the RHR heat exchangers.

7.3.2.7.2 Conformance to IEEE Standard 279-1971 The SSW system is designed to conform with the requirements of Section 4 of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," as described in this section.

a. Requirement 4.1: General Functional Requirement As described in subsection 7.3.1.1.7, operation of the SSW system is automatic upon the occurrence of any of the initiation signals tabulated in Table 7.3-19. The SSW system control system is not required to monitor process variables, and therefore is initiated by signals indicating operation of other ESF systems or plant conditions requiring SSW system operation.

b. Requirement 4.2: Single Failure Criterion The SSW system is comprised of three independent sets of controls for the three physically separated activated systems and meets the single failure criterion. Refer to subsection 7.3.2.7.4 for a discussion of failure modes and effects analysis.

c. Requirement 4.3: Quality of Components and Modules All components are specified to be of high quality and to require minimum maintenance. The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28, and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification 7.3-203 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The SSW control system meets the equipment qualification requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity The SSW system is designed to operate under adverse environmental conditions as described in Section 3.11. It is designed to operate under extremes of conditions of energy supply as described in subsection 8.3.1.1.

f. Requirement 4.6: Channel Independence Channel independence is provided by electrical and physical separation. Physical separation is maintained between redundant elements of the redundant control systems where it will add to reliability of operation.

g. Requirement 4.7: Control and Protection System Interaction Isolation devices are provided between the SSW logic and the annunciator and computer systems. Annunciator and computer circuits cannot impair the operability of the SSW control system because of the electrical separation between controls of the subsystems.

h. Requirement 4.8: Derivation of System Inputs The inputs which initiate the SSW system are derived from signals that indicate a need for operation of the standby service water system. The signals are tabulated in Table 7.3-19.

i. Requirement 4.9: Capability for Sensor Checks The devices which initiate the SSW control system can be checked one at a time by application of test signals.

Because the SSW system initiation signals are derived from other systems, process variables are not monitored by this system.

j. Requirement 4.10: Capability for Test and Calibration All active components of the SSW control system can be tested and calibrated during plant operation. Logic circuitry can be checked by applying test or calibration 7.3-204 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) signals and observing trip system response. Pumps, fans, and valves can be tested by operating manual switches in the control room and observing the breaker position lights.

k. Requirement 4.11: Channel Bypass or Removal from Operation The SSW system is initiated manually, or by a signal from other ESF systems. Therefore, the sensors which initiate protective functions are tested with their respective systems and are described in the appropriate sections of Chapter 7. In general, testing one sensor will introduce a single channel trip. This does not cause system initiation without a coincident trip on a second channel.

The SSW system itself is a two-out-of-three system.

Removal of one train from service during testing is brief and will not prevent the remaining two trains from performing the required protection functions.

l. Requirement 4.12: Operating Bypasses There are no automatic bypasses of the SSW system. One train of the SSW system can be manually rendered inoperative by racking out a pump breaker, tripping the feeder to an emergency switchgear section, or opening a valve motor starter feeder breaker at a motor control center.

m. Requirement 4.13: Indication of Bypasses Loss of control power or bypass of any piece of equipment in the SSW system is continuously indicated in the control room.

n. Requirement 4.14: Access to Means for Bypassing Access to all means for bypassing the SSW system is under administrative control.

o. Requirement 4.15: Multiple Set Points There are no multiple set points in the SSW system.

7.3-205 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated Once initiated, operator action is required to return actuated components of the SSW system to their normal condition. Return to normal is prevented by the control system as long as the initiation signal is present, with the exception that the SSW basin transfer valves may be opened after a one hour time delay. Additionally, CGCS containment isolation valves to the drywell purge compressors may be closed (overridden) with the initiation signal present to provide containment isolation.

q. Requirement 4.17: Manual Initiation Each pump, fan, and valve of the SSW system is capable of manual initiation from the control room. Each system is capable of being initiated manually at the system level from the control room.

r. Requirement 4.18: Access to Set Point Adjustments The SSW system contains no analog trips which are used for system initiation. Trip units which provide alarms are located in the control room so that access to set point adjustments and calibration controls are under administrative control.

s. Requirement 4.19: Identification of Protective Actions Initiation of any train of the SSW system is indicated in the control room through the observation of the component indicating lights. Successful alignment of all essential valves, pumps and fans is identified in the control room by annunciator operation for Trains A and B. The status of the SSW system valves, pumps and fans required for correct system operation is also indicated by status lights in the control room.

t. Requirement 4.20: Information Read-Out Refer to Section 7.5 for a discussion of safety-related display information.

u. Requirement 4.21: System Repair 7.3-206 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Failed components of the SSW system will be identified during periodic testing. The redundant SSW train provides protective action during repair outages.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF system identification.

7.3.2.7.3 Conformance to IEEE Standard 338-1971 The SSW system can be tested on a system level by manually initiating the system. The protective action of the system has no adverse effects on plant operation.

Operation of pumps, fans, and valves from manual switches verifies the ability of breaker mechanisms to operate. The automatic control circuitry is designed to restore the standby service water system to normal operation if a loss of coolant accident occurs during a test.

7.3.2.7.4 Failure Modes and Effects Analysis Failure modes and effects analysis for the SSW system is provided in Table 7.3-21. For failure modes of mechanical equipment, see Tables 9.2-1 and 9.2-2.

7.3.2.8 Standby Gas Treatment System 7.3.2.8.1 Conformance to 10 CFR 50 General Design Criteria General design criteria, established in Appendix A of 10 CFR 50, which are applicable to the SGTS, are listed in Table 7.1-3.

Additional information is provided below.

a. Criterion 13: Instrumentation and Control Instrumentation is provided with the SGTS to monitor the appropriate variables and signals required to initiate the system and to maintain these variables within their prescribed ranges. The variables monitored are listed in Table 7.3-22. The ranges provided assure continuous monitoring over the full range of anticipated operational and accident conditions as specified in the Technical Specifications.

7.3-207 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Criterion 20: Protection System Functions The SGTS control system includes sensors that respond to accident conditions in order to automatically initiate system operation when required. The plant conditions under which the SGTS is required to operate are shown in Chapter 15. Initiation circuits are discussed in subsection 7.3.1.1.8.1. No operator action is required to initiate the SGTS during accident conditions.

c. Criterion 21: Protection System Reliability and Testability Functional reliability of the SGTS is assured by compliance with the requirements of IEEE Standard 279-1971, as described in subsections 7.3.1.2.6 and 7.3.2.8.2.

Testing is in compliance with IEEE Standard 338-1971, as discussed in subsection 7.3.2.8.3.

d. Criterion 22: Protection System Independence Independence of the SGTS is assured by design which includes redundancy and diversity, as discussed in subsections 7.3.1.1.8.6 and 7.3.1.1.8.7.

e. Criterion 23: Protection System Failure Modes The SGTS logic circuits are designed to fail in a safe position.Relays de-energize to initiate protective action. Motor operated dampers fail as-is on a loss of power. Failure modes of the SGTS are discussed in subsection 7.3.2.8.4.

f. Criterion 24: Separation of Protection and Control Systems The SGTS components are physically and electrically separated from nonessential plant control circuits.

Failure of nonessential equipment will have no effect on the SGTS.

7.3.2.8.2 Conformance to IEEE Standard 279-1971 The SGTS is designed to conform with the requirements of Section 4 of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," as described in this section:

7.3-208 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. Requirement 4.1: General Functional Requirement The SGTS is automatically initiated whenever any of the variables listed in subsection 7.3.1.1.8.1 reaches its set point.

b. Requirement 4.2: Single Failure Criterion The SGTS is comprised of two independent sets of controls for physically separated systems and meets the single failure criterion. Refer to subsection 7.3.2.8.4 for a discussion of failure modes and effects analysis.

c. Requirement 4.3: Quality of Components and Modules All components are specified to be of high quality and to require minimum maintenance. The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28, 1.30, and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The SGTS components meet the equipment requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.

7.3-209 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Loss of or damage to any one path will not prevent protective action. Sensors are piped so that blockage or failure of any one connection does not prevent protective system action.

f. Requirement 4.6: Channel Independence Channel independence is provided by electrical and physical separation between the redundant systems.

g. Requirement 4.7: Control and Protection System Interaction No portion of the SGTS is used for both control and protection functions.

h. Requirement 4.8: Derivation of System Inputs The signals used to initiate the SGTS are direct measures of the desired variables.

i. Requirement 4.9: Capability for Sensor Checks The SGTS sensors may be checked as follows:

(a) Radiation monitors; enclosure building pressure transmitters Since there are four sensors monitoring the same variable, a defective sensor can be readily identified by cross-checking between channels.

(b) Filter train flow Although there are four transmitters (two on each train) monitoring this variable, the flow in each train is independent of the flow in the other train. Cross-checking between the two indicators for a single train indicates only that one transmitter is in error, not which one.

Identification of the defective channel may be made by comparing to other, related, variables for the affected filter train: pressure drop across elements of the filter train, damper positions, and fan status.

(c) Recirculation fan flow 7.3-210 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A single flow transmitter is provided for each recirculation fan. These transmitters may be checked by opening or closing various system dampers and observing the transmitter response.

j. Requirement 4.10: Capability for Test and Calibration Testing of the SGTS is discussed in subsections 6.5.1.4 and 7.3.2.8.3.

k. Requirement 4.11: Channel Bypass or Removal from Operation Calibration or maintenance of the system radiation monitors will introduce a single channel trip. This does not cause system initiation unless there is a coincident trip on a second channel. Refer to subsection 7.3.1.1.8.3 for a discussion of other bypasses.

l. Requirement 4.12: Operating Bypasses Refer to subsection 7.3.1.1.8.3 for a discussion of SGTS bypasses. There are no operating bypasses in the SGTS.

Either of the systems can be manually rendered inoperative by pulling a fuse or tripping the breaker to an emergency switchgear section or racking out a fan motor starter feeder breaker at a motor control center.

m. Requirement 4.13: Indication of Bypasses Loss of control power or power to any component device is continuously indicated in the control room. Placement of one of the redundant SGTS in the standby mode is also indicated in the control room.

n. Requirement 4.14: Access to Means for Bypassing Access to all means for bypassing the SGTS is under administrative control. The standby switches are key operated from the control room.

o. Requirement 4.15: Multiple Set Points There are no multiple set points in the SGTS.

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated 7.3-211 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Once initiated, operator action is required to return the SGTS to its normal state. Return to normal is prevented by the control system as long as the initiation signal is present.

q. Requirement 4.17: Manual Initiation Each system is capable of being initiated manually on the system level from the control room. Each of the system fans can also be manually started from the control room.

r. Requirement 4.18: Access to Set Point Adjustments Set point adjustments for the initiation sensors for the SGTS are under administrative control in the control room.

Set point and calibration adjustments require the use of tools for access and adjustment.

s. Requirement 4.19: Identification of Protective Action Initiation of the SGTS is annunciated in the control room.

The status of each device in the SGTS is indicated in the control room.

t. Requirement 4.20: Information Readout Refer to Section 7.5 for a discussion of safety related display instrumentation.

u. Requirement 4.21: System Repair Identification of a defective channel is accomplished by observation of system status lights or by testing as described in subsection 7.3.2.8.3. Replacement or repair of components is accomplished with the affected channel bypassed. The effected trip function then operates with a single sensor.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF system identification system.

7.3-212 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.8.3 Conformance to IEEE Standard 338-1971 All components of the SGTS can be tested during plant operation.

Each channel can be individually tested without initiating a trip function. The fans and dampers associated with the charcoal filter trains can be tested by control room switches. The recirculation fan can also be tested on an individual basis from the control room. The occurrence of an accident during a test of SGTS equipment will automatically override the test signal.

Refer to subsection 6.5.1.4 for a discussion of testing of SGTS mechanical equipment.

7.3.2.8.4 Failure Modes and Effects Analysis Failure modes and effects analysis for the SGTS is provided in Table 7.3-24. For failure modes of mechanical equipment refer to Table 6.5-7.

7.3.2.9 Suppression Pool Makeup System 7.3.2.9.1 Conformance to 10 CFR 50 General Design Criteria General design criteria, established in Appendix A of 10 CFR 50, which are applicable to the suppression pool makeup system are listed in Table 7.1-3. Additional information is provided below.

a. Criterion 13: Instrumentation and Controls Instrumentation is provided with the suppression pool makeup system to monitor suppression pool level over the full range of anticipated levels during normal operations and accident conditions as required to initiate the system.

b. Criterion 20: Protection System Functions The suppression pool makeup system automatically responds to accident conditions detected by its sensors. The plant conditions under which the system is required to operate are shown in Chapter 15. Initiation signals are discussed in subsection 7.3.1.1.9.1. No operator action is required to initiate the system during accident conditions.

c. Criterion 21: Protection System Reliability and Testability 7.3-213 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Functional reliability of the suppression pool makeup system is assured by compliance with the requirements of IEEE Standard 279-1971, as described in subsections 7.3.1.2 and 7.3.2.9.3. Testing is in compliance with IEEE Standard 338-1971, as discussed in subsection 7.3.2.9.3

d. Criterion 22: Protection System Independence Independence of the suppression pool makeup system is assured by design which includes redundancy and diversity, as discussed in subsections 7.3.1.1.9.6 and 7.3.1.1.9.7.

e. Criterion 23: Protection System Failure Modes The suppression pool trip system is designed to fail into the preferred state. The motor-operated valves fail as-is on loss of power. The logic relays are energized to initiate trip functions in order to minimize the possibility of inadvertent dumping of the upper containment pool during normal operation. Refer to subsection 7.3.2.9.4 and Section 6.8 for a discussion of failure modes of the suppression pool makeup system.

f. Criterion 24: Separation of Protection and Control Systems The suppression pool makeup system components are physically and electrically separated from nonessential plant control circuits. Failure of nonessential equipment will have no effect on the system.

g. Criterion 35: Emergency Core Cooling The suppression pool makeup system is relied upon to dump upper containment pool water to the suppression pool to maintain drywell horizontal vent coverage and an adequate suppression pool heat sink volume to ensure that the primary containment internal pressure and temperature stay within design limits. The rate of dump is sufficient to prevent the five ECCS pumps from lowering the suppression pool level below the minimum required.

h. Criterion 37: Testing of Emergency Core Cooling System 7.3-214 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Provisions are included in the suppression pool makeup system to allow periodic testing of each component in the system without initiating protective action during reactor operation. Refer to subsection 7.3.2.9.3 for a discussion of system testing.

7.3.2.9.2 Conformance to IEEE Standard 279-1971 The suppression pool makeup system is designed to conform with the requirements of Section 4 of IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, as described below:

a. Requirement 4.1: General Functional Requirement The suppression pool makeup system is automatically initiated whenever the conditions it monitors require protective action. The level at which protective action is required is shown in the Technical Specifications.

b. Requirement 4.2: Single Failure Criterion The suppression pool makeup system, comprised of two independent and redundant actuation systems, meets all credible aspects of the single failure criterion. By providing two initiation signals from primary sensors, and by using separate relay logic circuits for the two valves in each system, it is assured that no single failure of an instrument or relay can cause an inadvertent dump of the upper containment pool. Refer to subsection 7.3.2.9.4 for a discussion of failure modes and effects analysis.

c. Requirement 4.3: Quality of Components and Modules All components are specified to be of high quality and to require minimum maintenance. The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28, 1.30, and 1.38. Refer to Appendix 3A.

7.3-215 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The suppression pool makeup system components meet the equipment qualification requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to the environment, energy supply, malfunctions, and accidents.

Loss of or damage to any one path will not prevent the protective action of the redundant path. Sensors are piped so that blockage or failure of any one connection does not prevent the protective action of the redundant system.

f. Requirement 4.6: Channel Independence Channel independence is provided by electrical and physical separation between components of the two redundant systems.

g. Requirement 4.7: Control and Protective System Interaction No portion of the suppression pool makeup system is used for both control and protection functions.

h. Requirement 4.8: Derivation of System Inputs The level transmitters which provide signals as inputs to the suppression pool makeup system give a direct measure of suppression pool level.

i. Requirement 4.9: Capability for Sensor Checks 7.3-216 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

During operation, sensors may be checked by comparison of control room indications for each trip system. Both trip systems sense the same variable, therefore, a deviation between the two trip systems may indicate a failure or need for recalibration. Since there are six transmitters monitoring suppression pool level in the suppression pool makeup system, a defective channel may be readily identified by comparison.

j. Requirement 4.10: Capability for Test and Calibration An electronic trip and calibration system is provided for this and other systems throughout the plant. The primary sensors provide an analog (4-20 mA) signal to trip units in the control room. The trip units provide contact outputs to drive the trip logic and initiate a trip function.

A calibration unit mounted in the same rack as the trip units provides means to perform an in-place calibration check or set point adjustment. Refer to subsection 7.1.3 for a discussion of inservice testability.

k. Requirement 4.11: Channel Bypass or Removal from Operation Checking of each trip unit will introduce a single channel trip. This does not initiate protective action without a coincident operation of a LOCA signal channel.

l. Requirement 4.12: Operating Bypasses Refer to subsection 7.3.1.1.9.3 for a discussion of suppression pool makeup system bypasses. It may also be bypassed by manually racking out the feeder breakers to an emergency switchgear section or manually opening a valve motor starter feeder breaker at a motor control center.

These bypasses are under the control of supervisory personnel and are not intended to be automatically overcome by accident detection signals.

m. Requirement 4.13: Indication of Bypasses Bypass of either suppression pool makeup system is continuously indicated in the control room. See Section 7.5 for further discussion.

7.3-217 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

n. Requirement 4.14: Access to Means for Bypassing Access to all means for bypassing the suppression pool makeup system is under administrative control.

Handswitches for system bypass and instrument valves are located in the control room.

o. Requirement 4.15: Multiple Set Points All set points in the suppression pool makeup system are fixed.

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated The action of the final control elements, i.e. motor operated valves, of the suppression pool makeup system, is sealed in. Once initiated, either automatically or manually, operator action is required to stop the flow of upper containment pool water to the suppression pool.

q. Requirement 4.17: Manual Initiation The suppression pool makeup system may be manually initiated on a system level from control room handswitches provided a LOCA has occurred or the ECCS has been initiated. It can also be initiated on a component level when the plant is in the shutdown mode. No failure in one division of the suppression pool makeup system can prevent operation of the redundant system.

r. Requirement 4.18: Access to Set Point Adjustments, Calibration and Test Points The electronic trip and calibration units are under administrative control in the control room. The use of tools is required to adjust the set points.

s. Requirement 4.19: Identification of Protective Actions Initiation of the suppression pool makeup system is annunciated in the control room. The status of each device in the system is indicated in the control room.

t. Requirement 4.20: Information Readout 7.3-218 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Refer to Section 7.5 for a discussion of safety related display instrumentation.

u. Requirement 4.21: System Repair Identification of a defective channel is accomplished by observation of system status lights or by testing as described in subsection 7.3.2.9.3. Replacement or repair of components is accomplished with the affected channel bypassed. The affected trip function then operates with a single sensor.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF system identification system.

7.3.2.9.3 Conformance to IEEE Standard 338-1971 All components of the suppression pool makeup system can be tested during plant operation. Each channel can be individually tested without initiating a trip function. The dump valves can be individually opened from control room handswitches to test their operation. Interlocks are provided to prevent an inadvertent dump of the upper containment pool water during normal operation.

7.3.2.9.4 Failure Modes and Effects Analysis Failure modes and effects analysis for the suppression pool makeup system is provided in Table 7.3-27.

7.3.2.10 Control Room Atmospheric Control and Isolation System 7.3.2.10.1 Conformance to 10 CFR 50 General Design Criteria General design criteria, established in Appendix A of 10 CFR 50, which are applicable to the CRACIS, are listed in Table 7.1-3.

Additional information is provided below.

a. Criterion 13: Instrumentation and Control Instrumentation is provided in the CRACIS to monitor the appropriate variables and signals required to isolate the control room and start the air filtration system. The variables monitored are listed in Table 7.3-28. The ranges provided assure continuous monitoring during normal operation, anticipated operational occurrences, and 7.3-219 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) accident conditions. By isolating the control room when required, these variables are maintained within the prescribed operating ranges.

b. Criterion 19: Control Room The CRACIS provides radiation protection for the control room to permit access and occupancy of the control room under accident conditions, without personnel receiving radiation exposures in excess of 5 rem whole body or its equivalent to any part of the body, for the duration of the accident.

c. Criterion 20: Protection System Functions The plant conditions under which the CRACIS is required to operate are shown in Chapter 15. Initiation circuits are automatic as described in subsection 7.3.1.1.10.1. No operator action is required to initiate the CRACIS during accident conditions.

d. Criterion 21: Protection System Reliability and Testability Functional reliability of the CRACIS is assured by compliance with the requirements of IEEE standard 279-1971, as described in subsections 7.3.1.2 and 7.3.2.10.2.

Testing is in compliance with IEEE Standard 338-1971, as described in subsection 7.3.2.10.3

e. Criterion 22: Protection System Independence Independence of the CRACIS is assured by design, which includes redundancy and diversity, as described in subsections 7.3.1.1.10.6 and 7.3.1.1.10.7.

f. Criterion 23: Protection System Failure Modes The CRACIS logic circuits are designed to fail in a safe position. Relays de-energize to initiate protective functions. Motor operated valves and dampers fail as-is on a loss of power. Failure modes of the CRACIS are discussed in subsection 7.3.2.10.4.

g. Criterion 24: Separation of Protection and Control Systems 7.3-220 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The control room atmospheric control and isolation system is not used for both control and protection. See subsection 7.3.2.10.2, Requirement 4.7.

7.3.2.10.2 Conformance to IEEE Standard 279-1971 The CRACIS is designed to conform with the requirements of Section 4 of IEEE Standard 279-1971, "Criteria for Protection System for Nuclear Power Generating Stations," as described in this section.

a. Requirement 4.1: General Functional Requirement Actuation of the CRACIS is automatic whenever the variables reach their Technical Specification set point, as described in subsection 7.3.1.1.10.1.

b. Requirement 4.2: Single Failure Criterion The control room atmospheric control and isolation control system is comprised of two independent sets of controls for the two physically separate actuated systems and meets the single failure criterion. Refer to subsection 7.3.2.10.4 for a discussion of failure modes and effects analysis.

c. Requirement 4.3: Quality of Components and Modules The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28, 1.30, and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The control room atmospheric control and isolation system components meet the equipment qualification requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity 7.3-221 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Type testing of components, separation of sensors and channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.

Loss of or damage to any one path will not prevent the protective action of the redundant path. Sensors are piped so that blockage or failure of any one connection does not prevent protective system action.

f. Requirement 4.6: Channel Independence Channel independence for sensors is provided by electrical and mechanical separation.

g. Requirement 4.7: Control and Protection System Interaction The control room atmospheric control and isolation system is strictly an on-off system. Annunciator circuits using contacts of sensor relays and logic relays cannot impair the operability of the control room isolation control system because of the electrical separation between controls of the two subsystems.

h. Requirement 4.8: Derivation of System Inputs The inputs which initiate isolation are a direct measure of the variable that indicates a need for isolation.

i. Requirement 4.9: Capability for Sensor Checks The sensors which initiate the control room atmospheric control and isolation system can be tested one at a time by application of simulated signals.

The control room fresh-air intake radiation monitors are tested by using test signals or portable gamma sources.

j. Requirement 4.10: Capability for Test and Calibration All active components of the control room atmospheric control and isolation system can be tested and calibrated during plant operation or shutdown. Logic circuitry can 7.3-222 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) be checked by applying test or calibration signals to the sensors and observing trip system response. Valves can be tested by operating manual switches in the control room and observing the position lights. Operation of the fans from manual switches verifies the ability of breakers and fans to operate and verifies the operation of the associated fan damper.

k. Requirement 4.11: Channel Bypass or Removal from Operation Isolation of the control room has no adverse effects on plant operation and affords an excellent means of testing system operation.

Calibration and maintenance of other sensors introduces a single channel trip which will not initiate a trip function without coincident operation of a second channel.

l. Requirement 4.12: Operating Bypasses Refer to subsection 7.3.1.1.10.3 for a discussion of bypasses of the CRACIS.

m. Requirement 4.13: Indication of Bypasses Loss of control power or bypass of any piece of equipment in the CRACIS is continuously indicated in the control room. See subsection 7.5.1.3 for a discussion of bypass indicators.

n. Requirement 4.14: Access to Means for Bypassing Access to all means of bypassing the CRACIS is under administrative control. Handswitches for bypass circuits are located in the control room.

o. Requirement 4.15: Multiple Set Points There are no multiple set points in the CRACIS.

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated Once initiated, operator action is required to return each component of the CRACIS to its normal condition. Return to normal is prevented by the control system as long as the 7.3-223 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) initiation signal is present, with the exception that the standby fresh air valves may be opened and the recirculation valves closed after a ten minute time delay.

q. Requirement 4.17: Manual Initiation Each fan and valve is capable of individual manual initiation from the control room. Each system is capable of being initiated manually at the system level from the control room.

r. Requirement 4.18: Access to Set Point Adjustments, Calibration, and Test Points Set point adjustments for the radiation detectors are under administrative control in the control room.

s. Requirement 4.19: Identification of Protective Actions Protective actions are directly indicated and identified by annunciator operation in the control room, sensor relay indicator lights, or actuated equipment status lights.

t. Requirement 4.20: Information Read-Out Refer to Section 7.5 for a discussion of safety related display information

u. Requirement 4.21: System Repair The control room atmospheric control and isolation system is designed to permit repair or replacement of components.

Identification of a defective channel is accomplished by observation of system status lights or by testing as described in subsection 7.3.2.10.3. The CRACIS redundant train provides isolation protection while repairs are made.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF system identification system.

7.3-224 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.10.3 Conformance to IEEE Standard 338-1971 The CRACIS can be tested on a system level by actuating the system sensors or by manual means.The protective action of the system has no adverse effects on plant operation.

Control and logic circuitry used in the CRACIS can be individually checked by applying test or calibration signals and observing trip or control responses. Operation of fans and valves from manual switches verifies the ability of breaker mechanisms to operate. The automatic control circuitry ensures control room isolation if an accident occurs during a test.

7.3.2.10.4 Failure Modes and Effects Analysis Failure modes and effects analysis for the CRACIS is provided in Table 7.3-30. For failure modes of mechanical equipment see Table 9.4-2.

7.3.2.11 Standby Power System The analysis of the standby power system is discussed in subsection 8.3.1.2.

7.3.2.12 Heating, Ventilating and Air Conditioning Systems for Engineered Safety Feature Areas The analysis of the HVAC systems for ESF area is discussed in subsection 9.4.5.3.

7.3.2.13 Diesel Generator Auxiliary Systems The analyses of the diesel generator auxiliary systems are discussed in subsections 9.5.4, 9.5.5, 9.5.6, 9.5.7, and 9.5.8.

7.3.2.14 Additional Design Considerations Analyses 7.3.2.14.1 General Plant Safety Analysis The examination of the subject ESF system at the plant safety analyses level is presented in Chapter 15 and Appendix 15A.

7.3.2.14.2 Loss of Plant Instrument Air System Loss of plant instrument air will not negate the subject ESF system safety functions. Refer to Appendix 15A.

7.3-225 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3.2.14.3 Loss of Cooling Water to Vital Equipment Loss of cooling water to ECCS, containment and reactor vessel isolation systems and other systems described in this section, when subject to single active component failure or single operator error, will not result in the loss of sufficient ESF systems to negate their safety function. Refer to Appendix 15A.

7.3.3 References

1. Safety Analysis Report for Grand Gulf Nuclear Station Constant Pressure Power Uprate (commonly known as PUSAR),

NEDC-33477P, Rev. 0 (with Corrected Pages, March 2012, as corrected in 2016, issued as GGNS-SA-19-00002 Rev.0) 7.3-226 LBDCR 2020-012

TABLE 7.3-1: ESSENTIAL AUXILIARY SUPPORTING SYSTEMS REQUIREMENTS ESSENTIAL AUXILIARY SUPPORTING SYSTEMS Heating, Ventilating, and Air Conditioning Systems Safeguard Standby Switchgear ESF Service Standby Diesel and Electrical Diesel Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION ENGINEERED SAFETY Water Power Generator Water Battery Switchgear Generator ECCS Pump FEATURES SYSTEMS System Systems Building Pumphouse Rooms Rooms Systems Rooms Containment and Reactor X X X X Vessel Isolation Control System Emergency Core Cooling X X X X X X X X Systems MSIV Leakage Control X X X X X X X System 7.3-227 RHR-Containment Spray X X X X X X X X System Combustible Gas Control X X X X X X X System Feedwater Leakage X X X X X X X Control System Standby Gas Treatment X X X X X X X System Suppression Pool Makeup X X X X X X X System Revision 2016-00 Control Room Atmospheric X X X X X X X Control and Isolation System Referenced Subsection 7.3.1.1.7 8.3.1.1 9.5.4 9.4.5 9.4.5 9.4.5 9.4.5 9.4.5 for Description of 9.2.1 8.3.2.1 9.5.5 Auxiliary Supporting 9.5.6 Systems 9.5.7 9.5.8

TABLE 7.3-2: HIGH PRESSURE CORE SPRAY SYSTEM-INSTRUMENT SPECIFICATIONS Plant Variable Instrument Range Sensor Channels provided Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Reactor vessel low water Level transmitter -160/0/+60" 4 level (energize HPCS)

Drywell high pressure Pressure transmitter 0-5 psig 4 Reactor vessel high water Level transmitter -160/0/+60" 2 level trip Pump discharge pressure Pressure transmitter 0-1500 psig 1 7.3-228 Pump discharge flow Flow transmitter 0-30% 1 (minimum flow)

Spray sparger integrity(1) Differential pressure -10.0 to 1 transmitter +10.0 psid Suppression pool high Level transmitter 0-30" 2 water level Condensate storage tank Level transmitter 0-40 ft 2 low level Revision 2016-00

1. The ECCS Line Break Instrumentation has been maintained but it provides limited useful information. It is not capable of continuously confirming the integrity of the ECCS injection piping inside the reactor vessel as originally intended.

TABLE 7.3-3: AUTOMATIC DEPRESSURIZATION SYSTEM-INSTRUMENT SPECIFICATIONS Sensor Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Plant Variable Instrument Range Channels Provided Reactor vessel low water Differential pressure -160/0/60" 4 level (L1) transmitter Reactor vessel low water Differential pressure 0-60 2 level (L3) transmitter Drywell high pressure Pressure transmitter 0-5 psig 4 7.3-229 LPCI permissive Pressure transmitter 0-250 psig 6 LPCS permissive Pressure transmitter 0-250 psig 2 Automatic depressurization Timer 4-120 sec 2 time delay High drywell pressure Timer 1-30 min 4 bypass time delay RHR pump discharge pressure Pressure transmitter 0-500 psig 2 per pump Revision 2016-00 Reactor pressure Pressure transmitter 0-1200 psig 4 (Pressure relief)

TABLE 7.3-4: LOW PRESSURE CORE SPRAY-INSTRUMENT SPECIFICATIONS LPCS and LPCI A Loop Sensor Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Plant Variable Instrument Range Channels provided Reactor vessel low water Level transmitter -160/0/+60 2 Level 1 (LPCS & LPCI initiation)

Drywell high pressure Pressure transmitter 0-5 psig 2 (LPCS initiation)

Pump discharge flow Flow transmitter 0-30% 2 (1 per valve) 7.3-230 (minimum flow)

Valve pressure (LPCS & Pressure transmitter 0-700 psig 2 (1 per valve)

LPCI A injection valves, test mode only)

LPCI pump delay Timer 0.55-15 sec 1 (RHR A only)

LPCS pump discharge Pressure transmitter 0-700 psig 1 pressure Reactor vessel pressure Pressure transmitter 0-1200 psig 2 per strip system Revision 2016-00

TABLE 7.3-5: LOW PRESSURE COOLANT INJECTION-INSTRUMENT SPECIFICATIONS Loops B and C Sensor Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Plant Variable Instrument Range Channels provided Reactor vessel low water Level transmitter - 160/0/+60" 2 level (LPCI initiation)

Drywell high pressure Pressure transmitter 0-5 psig 2 (LPCI initiation)

LPCI pump delay Timer 0.55-15 sec 1 (Loop B only) 7.3-231 LPCI pump discharge low Flow transmitter 0-30% 2 (1 per pump) flow (minimum flow bypass)

LPCI injection valve pressure Pressure transmitter 0-700 psig 2 (1 per valve)

(test mode only)

Injection line Differential pressure -10/0/10 psid 1 system integrity (1) transmitter Reactor Pressure (LPCI B & C Pressure transmitter 0-1200 psig 2 per trip system injection valves system initiation)

Revision 2016-00

1. The ECCS Line Break Instrumentation has been maintained but it provides limited useful information. It is not capable of continuously confirming the integrity of the ECCS injection piping inside the reactor vessel as originally intended.

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-6: Deleted 7.3-232 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-7: Deleted 7.3-233 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-8: Deleted 7.3-234 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-9: Deleted 7.3-235 Revision 2016-00

TABLE 7.3-10: CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENTATION SPECIFICATIONS Sensor Plant Variable Instrument Range Channels Provided Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Reactor vessel level Differential pressure 0 - 60" 4 3 trip transmitter Reactor vessel level 2 Differential pressure -160/0/60" 8 trip transmitter Reactor vessel level 1 Differential pressure -160/0/60" 8 trip transmitter Main steam line high Radiation (3) 1 to 10 mR/hr 4 radiation monitor (6 decade log) 7.3-236 Main steam line space Thermocouples: 50-350F 4 high temperature temperature Main steam line high flow Differential -50/0/250 16 pressure transmitter psid Main steam line low Pressure transmitter 0 - 1200 psig 4 pressure Drywell high pressure Pressure transmitter 0-5 psig 12 Containment and drywell Radiation (3) 0.01-100 mR/hr 4 ventilation exhaust monitor (4 decade log)

Revision 2016-00 high radiation Main condenser low Pressure transmitter 0-30' Hg 4 vacuum (abs)

TABLE 7.3-10: CONTAINMENT AND REACTOR VESSEL ISOLATION CONTROL SYSTEM INSTRUMENTATION SPECIFICATIONS (Continued)

Sensor Plant Variable Instrument Range Channels Provided Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION RCIC turbine steam line Thermocouple: 50-350F 2 space high temperature temperature RCIC turbine steam line Differential -100/0/+200" 2 high flow pressure transmitter Reactor shutdown cooling Thermocouple: 50-350F 4 system space high temperature temperature Reactor water cleanup Thermocouple: 50-350F 8 7.3-237 system space high temperature temperature Reactor water cleanup Differential -10/0/90 gpm 2 high differential flow pressure transmitter

1. Deleted

2. Deleted

3. Range of measurements depends on items such as source geometry, background radiation, shielding, energy levels, and method of sampling.

Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-11: Deleted 7.3-238 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-12: Deleted 7.3-239 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-13: COMBUSTIBLE GAS CONTROL SYSTEM ACTUATION INSTRUMENTATION

SUMMARY

Sensor Number of Instrument Variable Type Sensors Range Containment and drywell Differential 8 -2 to +2 differential pressure pressure psid transmitter Containment and drywell Hydrogen 4 0 to 10 hydrogen concentration Analyzer percent by volume 7.3-240 Revision 2016-00

TABLE 7.3-14: COMBUSTIBLE GAS CONTROL SYSTEM ACTUATED EQUIPMENT LIST Equipment Figure No. ESF Actuating Updated Final Safety Analysis Report (UFSAR)

Number (P&ID) Description Division Function Signal GRAND GULF NUCLEAR GENERATING STATION

a. Drywell Purge Subsystem C001A 6.2-81 Drywell Purge 1 Stop LOCA Compressor Start 30 sec. after LOCA and drywell press below high dp setpoint C001B 6.2-81 Drywell Purge 2 Stop LOCA Compressor 7.3-241 Start 30 sec. after LOCA and drywell press below high dp setpoint F003A 6.2-81 Drywell Purge 1 Close LOCA Inlet Isolation Valve Open 30 sec. after LOCA and drywell press below high dp setpoint F003B 6.2-81 Drywell Purge 2 Close LOCA Inlet Isolation Valve Revision 2016-00 Open 30 sec. after LOCA and drywell press below high dp setpoint

b. Post-LOCA Vacuum Relief Subsystem F005A 6.2-81 Post-LOCA Vacuum 1 Close LOCA Relief Isolation Valve Open 30 sec. after LOCA and drywell press below low dp setpoint

TABLE 7.3-14: COMBUSTIBLE GAS CONTROL SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal F005B 6.2-81 Post-LOCA Vacuum 2 Close LOCA Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Relief Isolation Valve Open 30 sec. after LOCA and drywell press below low dp setpoint

c. Normal Drywell Vacuum Relief Subsystem F007 6.2-81 Normal Vacuum 1 Close LOCA Relief Valve F020 6.2-81 Normal Vacuum 2 Close LOCA Relief Valve 7.3-242

d. Containment Purge Subsystem F009 6.2-81 Containment Purge 1 Close LOCA Outboard Supply Iso Vlv F010 6.2-81 Containment Purge 2 Close LOCA Outboard Supply Iso Vlv Q1E61-F057 9.4-12 Containment 1 Close LOCA Purge Outboard Exhaust Iso Vlv Revision 2016-00 Q1E61-F056 9.4-12 Containment Purge 2 Close LOCA Inboard Exhaust Iso Vlv

e. Hydrogen Control Subsystem C003A 6.2-81 Hydrogen 1 Start HS-M620A (Manual)

Recombiner C003B 6.2-81 Hydrogen 2 Start HS-M620B (Manual)

Recombiner

TABLE 7.3-14: COMBUSTIBLE GAS CONTROL SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal Updated Final Safety Analysis Report (UFSAR)

See Table Hydrogen 1 Energize HS-M650A (Manual)

GRAND GULF NUCLEAR GENERATING STATION 6.2-54 - Igniters See Table Hydrogen 2 Energize HS-M650B (Manual) 6.2-54 - Igniters 7.3-243 Revision 2016-00

TABLE 7.3-15: COMBUSTIBLE GAS CONTROL SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Failure Mode Effect on System Detection Remarks Loss of plant All normal drywell vacuum Immediate annunciation No effect on drywell Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION instrument air relief & containment purge on loss of instrument purge or hydrogen valves close air recombiners Loss of cooling water systems:

PSW No effect Annunciation on loss of PSW CCW No effect Annunciation on loss of CCW 7.3-244 TBCW No effect Annunciation on loss of TBCW Domestic water Loss of cooling to Low clg. wtr flow No effect on drywell containment purge annunciation (if purge or hydrogen compressor compressor is running) recombiners One SSW train Loss of cooling wtr to one Immediate annunciation Purge requirements met by drywell purge compressor on loss of SSW redundant compressor aftercooler and lube oil cooler Loss of power systems:

Revision 2016-00 Loss of one ESF ac bus Loss of one drywell purge Immediate annunciation Combustible gas control compressor on loss of bus requirements met by redundant system Loss of one division of hydrogen igniters Loss of one hydrogen recombiner

TABLE 7.3-15: COMBUSTIBLE GAS CONTROL SYSTEM FAILURE MODES AND EFFECTS ANALYSIS (Continued)

Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR)

Motor-operated valves fail GRAND GULF NUCLEAR GENERATING STATION as is - (Affected bus only)

(See Note)

Normal drywell vacuum relief & containment purge isolation valves fail closed Affected Bus only Loss of one ESF Loss of one drywell purge Immediate annunciation Combustible gas control dc bus compressor on loss of bus requirements met by 7.3-245 redundant system Motor-operated valves close, If system in operation if open - (affected bus when failure occurs -

only) (See Note) drywell purge compressor and hydrogen recombiner continue to operate Normal drywell vacuum relief If recombiner power

& containment purge supply breaker is tripped isolation valves on affected manually after failure division fail closed occurs - it cannot be restarted Revision 2016-00 Differential pressure Periodic testing, Redundant sensor provides sensor failure comparison of protective action if channels, or computer required alarm Upscale Reduces coincidence req'd for purge initiation after LOCA

TABLE 7.3-15: COMBUSTIBLE GAS CONTROL SYSTEM FAILURE MODES AND EFFECTS ANALYSIS (Continued)

Failure Mode Effect on System Detection Remarks Downscale Reduces coincidence req'd Updated Final Safety Analysis Report (UFSAR) for vacuum relief after GRAND GULF NUCLEAR GENERATING STATION LOCA "System Initiate" switch failure Closed Prevents manual system Periodic testing Automatic initiation initiation after LOCA still operative.

Redundant channel can be manually initiated if required Open Reduces coincidence reqd Periodic testing Failure is in 7.3-246 for manual initiation after conservative direction LOCA "Normal - Reset" switch failure Closed Prevents system initiation Periodic testing Protection provided by on LOCA redundant system Open Prevents return to normal Periodic testing Failure is in after system operation conservative direction Revision 2016-00 NOTE:

Check valves in all purge and post-LOCA vacuum relief lines assure containment and drywell isolation when required, even in the event of loss of the motor-operated isolation valves.

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-16: FEEDWATER LEAKAGE CONTROL SYSTEM ACTUATION INSTRUMENTATION

SUMMARY

Sensor Number of Instrument Variable Type Sensors Range Feedwater leakage Pressure 2 0-50 psig control system transmitter line pressure 7.3-247 Revision 2016-00

TABLE 7.3-17: FEEDWATER LEAKAGE CONTROL SYSTEM ACTUATED EQUIPMENT LIST Figure No. Actuating Equipment No. (P&ID) Description Division ESF Function Signal Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION F001A-A 6.7-6 Feedwater 1 Close High pressure leakage control line isolation valve Open Manual F001B-B 6.7-6 Feedwater 2 Close High pressure leakage 7.3-248 control line isolation valve Open Manual Revision 2016-00

TABLE 7.3-18: FEEDWATER LEAKAGE CONTROL SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Loss of Power Systems:

Loss of one ESF Loss of one FWLC Immediate FWLC system AC bus subsystem annunciation on loss requirements met by of bus redundant subsystem Motor-operated valves fail as is (affected bus only) 7.3-249 Pressure sensor failure:

Upscale Prevent operation of Fault monitor alarm FWLC system one FWLC subsystem requirements met by redundant subsystem Downscale Loss of one FWLC Fault monitor alarm Will not prevent subsystem interlock normal system (Isolation valve operation open permissive)

Revision 2016-00 Interlock failure:

(Outboard FWLC subsystem)

TABLE 7.3-18: FEEDWATER LEAKAGE CONTROL SYSTEM FAILURE MODES AND EFFECTS ANALYSIS (Continued)

Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR)

Feedwater No effect Indicating light or FWLC outboard GRAND GULF NUCLEAR GENERATING STATION isolation valve periodic check subsystem full closed limit requirements met by redundant interlock (both feedwater valves must be fully closed)

Loss of cooling No direct effect Annunciation on loss Loss of one SSW water (SSW) of SSW system causes loss 7.3-250 of diesel generator and possible loss of ac power. Redundant system provides protective action Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-19: STANDBY SERVICE WATER INITIATING SIGNALS

[HISTORICAL INFORMATION]

SSW Train A Initiation Logic RHR Pump A running LPCS Pump running RCIC Turbine Steam Supply Valve open Diesel Generator No. 11 running LOCA (reactor low water level or drywell high pressure)

Manual (control room handswitches)

SSW Train B Initiation Logic RHR Pump B running RHR Pump C running Diesel Generator No. 12 running LOCA (reactor low water level or drywell high pressure)

Manual (control room handswitches)

SSW Train C Initiation Logic HPCS System initiates HPCS Pump running HPCS Diesel Generator running Manual (control room handswitch) 7.3-251 Revision 2016-00

TABLE 7.3-20: STANDBY SERVICE WATER SYSTEM ACTUATED EQUIPMENT LIST Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal C001A 9.2-1 SSW Pump A 1 Start LOCA, Manual, ESF Div 1, RCIC, DG DIV 1 Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION C001B 9.2-1 SSW Pump B 2 Start LOCA, Manual, ESF Div 2, DG DIV 2 C002 9.2-1 HPCS Service 3 Start HPCS System Running, Water Pump Manual, HPCS DG Running C003A 9.2-1 SSW Cooling 1 Start LOCA, Manual, ESF Div Tower Fan A 1,RCIC, DG DIV 1 C003B 9.2-1 SSW Cooling 1 Start LOCA, Manual EFS Div 2, Tower Fan B RCIC, DG DIV 2 7.3-252 C003C 9.2-1 SSW Cooling 2 Start LOCA, Manual, ESF Div 2, Tower Fan C DG DIV 2 C003D 9.2-1 SSW Cooling 2 Start LOCA, Manual, ESF Div 2, Tower Fan D DG DIV 2 F001A 9.2-1 SSW Pump A Disch 1 Open LOCA, Manual, ESF Div 1, Valve (Note 4) RCIC, DG DIV 1 F001B 9.2-1 SSW Pump B 2 Open LOCA, Manual, ESF DIV 2, Disch. Valve (Note 4) DG DIV 2 F005A 9.2-1 SSW Cooling 1 Open LOCA, Manual, ESF Div 1, Revision 2016-00 Tower A Return (Note 4) RCIC, DG DIV 1 F005B 9.2-1 SSW Cooling 2 Open LOCA, Manual, ESF Div 2, Tower B Return (Note 4) DG DIV 2 F006A 9.2-1 Pump A Recirc. 1 Close (Note LOCA, Manual, to Basin 5) Containment Spray, ESF DIV 1, RCIC, DG DIV 1

TABLE 7.3-20: STANDBY SERVICE WATER SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal F006B 9.2-1 Pump B Recirc. 2 Close (Note LOCA, Manual, to Basin 5) Containment Spray, ESF Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION DIV 2, DG DIV 2 F007A 9.2-1 Basin A Transfer 1 Close LOCA, Manual, (Note 1)

Valve F007B 9.2-1 Basin B Transfer 2 Close LOCA, Manual, (Note 1)

Valve F011 9.2-1 HPCS Service 3 Open HPCS System Running, Water Return Manual, HPCS DG Running F014A 9.2-3 RHR HX A SSW 1 Open LOCA, Manual, 7.3-253 Inlet Containment Spray F014B 9.2-4 RHR HX B SSW 2 Open LOCA, Manual, Inlet Containment Spray F018A 9.2-2 Diesel Gen. 11 1 Open LOCA, Manual, Diesel HX SSW Inlet Running F018B 9.2-2 Diesel Gen. 12 2 Open LOCA, Manual, Diesel HX SSW Inlet Running F068A 9.2-3 RHR HX A SSW 1 Open LOCA, Manual, Outlet Containment Spray Revision 2016-00 F068B 9.2-4 RHR HX B SSW 2 Open LOCA, Manual, Outlet Containment Spray F015A 9.2-1 Train A Blowdown 1 Close LOCA, Manual to Basin F015B 9.2-1 Train B Blowdown 2 Close LOCA, Manual to Basin

TABLE 7.3-20: STANDBY SERVICE WATER SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal F016A 9.2-1 Train A Blowdown 1 Close LOCA, Manual Updated Final Safety Analysis Report (UFSAR) to Basin GRAND GULF NUCLEAR GENERATING STATION F016B 9.2-1 Train B Blowdown 2 Close LOCA, Manual to Basin F066A 9.2-3 Control Room A/C 1 Close LOCA, Manual, Loss of HX A PSW Inlet Offsite Power F066B 9.2-4 Control Room A/C 2 Close LOCA, Manual, Loss of HX B PSW Inlet Offsite Power F074A 9.2-3 Control Room A/C 1 Close LOCA, Manual, Loss of 7.3-254 HX A PSW Outlet Offsite Power F074B 9.2-4 Control Room A/C 2 Close LOCA, Manual, Loss of HX B PSW Outlet Offsite Power F125 9.2-3 PSW Inlet to 1 Close LOCA, Manual, Loss of Cont A/C HX & Offsite Power Div 2 ESF Room Coolers F189 9.2-4 PSW Outlet for 2 Close LOCA, Manual, Loss of Cont A/C HX & Offsite Power Revision 2016-00 Div 2 ESF Room Coolers F113 9.2-2 SSW Fill Tank 1 Close LOCA, Manual Outlet F241 9.2-3 ESF DIV 1 Swgr 1 Close LOCA, Manual Loss of Room Cooler Isol Offsite Power from PSW

TABLE 7.3-20: STANDBY SERVICE WATER SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal F064A 9.2-3 SSW Inlet to 1 Open LOCA, Manual, Loss of Cont Rm A/C HX A Offsite Power Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION F064B 9.2-4 SSW Inlet to 2 Open LOCA, Manual, Loss of Cont Rm A/C HX B Offsite Power

& ESF Div 2 Room Coolers F081A 9.2-3 SSW Outlet from 1 Open LOCA, Manual, Loss of Cont Rm A/C HX A Offsite Power F081B 9.2-4 SSW Outlet from 2 Open LOCA, Manual, Loss of Cont Rm A/C HX B Offsite Power 7.3-255

& ESF Div 2 Room Coolers F237 9.2-3 SSW Inlet to ESF 1 Open LOCA, Manual, Loss of Div 1 Room Offsite Power Coolers F238 9.2-3 SSW Outlet from 1 Open LOCA, Manual, Loss of ESF Div 1 Room Offsite Power Coolers F154 9.2-4 SSW Return from 2 Open Loss of Offsite Power Instr. Air (Note 2)

Revision 2016-00 Compressors (TBCW Crosstie)

Close LOCA, Manual (Note 2)

F155A 9.2-4 SSW to Instr. 2 Open Loss of Offsite Power Air Compressor (Note 2)

(TBCW Crosstie)

Close LOCA, Manual (Note 2)

TABLE 7.3-20: STANDBY SERVICE WATER SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal F155B 9.2-4 SSW to Instr. 2 Open Loss of Offsite Power Updated Final Safety Analysis Report (UFSAR)

Air Compressor (Note 2)

GRAND GULF NUCLEAR GENERATING STATION (TBCW Crosstie)

Close LOCA, Manual (Note 2)

F159A 9.2-2 CGCS Compressor 1 Open LOCA, Manual (Note 3)

A Cooler SSW Inlet F159B 9.2-4 CGCS Compressor 2 Open LOCA, Manual (Note 3)

B Cooler SSW Inlet 7.3-256 F160A 9.2-2 CGCS Compressor 1 Open LOCA, Manual (Note 3)

A Cooler SSW Outlet F160B 9.2-4 CGCS Compressor 2 Open LOCA, Manual (Note 3)

B Cooler SSW Outlet F168A 9.2-2 CGCS Compressor 1 Open LOCA, Manual (Note 3)

A F168B 9.2-4 CGCS Compressor 2 Open LOCA, Manual (Note 3)

Revision 2016-00 B Cooler SSW Outlet F239 9.2-3 ESF Div 1 Swgr 1 Close LOCA, Manual, Loss of Room Coolers Offsite Power Inlet from PSW F240 9.2-3 ESF Div 1 Swgr 1 Close LOCA, Manual, Loss of Room Coolers Offsite power Outlet from PSW

TABLE 7.3-20: STANDBY SERVICE WATER SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure No. ESF Actuating Number (P&ID) Description Division Function Signal 1P44F042 9.2-23 SSW Supply to 2 Close LOCA, Manual (Note 2)

PSW In board Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Isolation Open Loss of Offsite Power (Note 2) 1P44F054 9.2-23 SSW Supply to 2 Close LOCA, Manual (Note 2)

PSW Out board Isolation Open Loss of Offsite Power (Note 2) 7.3-257 1P44F067 9.2-22 SSW Return from 2 Close LOCA, Manual (Note 2)

PSW Open Loss of Offsite power (Note 2)

NOTES

1. Valve may be manually opened after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> time delay

2. LOCA close signal overrides open signal Revision 2016-00

3. Open signal may be manually overridden to close valves for containment isolation.

4. Valve automatically opens after SSW Pump breaker closes. Manual operation is not dependent on SSW Pump breaker position.

5. Valve automatically opens on an actuation signal if no LOCA or Containment Spray signal is present and if F014 or F068 is not full open. Valve closes if F014 and F068 are full open.

TABLE 7.3-21: STANDBY SERVICE WATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS Failure Mode Effect on System Detection Remarks Loss of plant instr. Makeup to SSW basins from Immediate annunciation Basins sized for 30 days Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION air PSW valves close loss of plant instr. operation w/o makeup air Chlorine & acid Not required for safety valves close Fill tank connection to Not required for safety PSW closes Water hammer can occur if system not full when req'd.

CR AIC unit flow cant. C/R A/C will cycle on &

valve open full off to maintain 7.3-258 temperature ESF-A swgr room coolers Loss of cooling to Div 1 connection to PSW closes ESF swgr rooms. Manual SSW initiation req'd.

Loss of PSW, CCW, TBCW Loss of makeup from PSW Immediate annunciation No effect of SSW isolated systems on other systems from these systems.

Loss of 1 SSW train Cooling requirements met Annunciates on pump by redundant train trip, loss of flow, or CR indication Loss of control power Equipment fails to start Annunciates on loss of Cooling requirements met power by redundant system Revision 2016-00 Manual initiation switch failure Open Reduces coincidence Periodic testing req'd to lout of 1

TABLE 7.3-21: STANDBY SERVICE WATER SYSTEM FAILURE MODES AND EFFECTS ANALYSIS (Continued)

Failure Mode Effect on System Detection Remarks Closed Disables manual trip for Periodic testing Automatic trip still one SSW train available.

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Redundant train available.

Components may be manually initiated individually.

Relay Failure Coil Failure Spurious trip of portion CR indication - Fail-safe logic of system periodic testing Contacts shorted Actuated device fails Periodic testing Redundant train meets 7.3-259 to operate cooling requirements Loss of ac power Pumps, fans, and valves Annunciator on loss Cooling requirements met on one division fail to of power by redundant system operate Loss of dc power Unable to close pump and Annunciator on loss Cooling requirements met fan circuit breakers on of power by redundant system one division Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-22: STANDBY GAS TREATMENT SYSTEM ACTUATION INSTRUMENTATION

SUMMARY

Sensor Number of Instrument Variable Type Sensors Range Auxiliary building G-M 4 0.01 - 100 fuel handling area detector mR/HR vent radiation Fuel handling pool G-M 4 0.01 - 100 sweep radiation detector mR/HR Enclosure building Differential 4 -2.5 to +2.5 pressure pressure in. w.c transmitter Recirculation fan Differential 2 O-20,000 cfm flow pressure (O-5.8 in.

transmitter w.c.)

(pitot tube)

Filter train flow Differential 4 O-5,000 cfm pressure (O-4.17 in.

transmitter w.c.)

(pitot tube) 7.3-260 Revision 2016-00

TABLE 7.3-23: STANDBY GAS TREATMENT SYSTEM ACTUATED EQUIPMENT LIST Equipment Figure ESF Actuating Number No.(P&D) Description Division Function Signal D001A 6.5-2 Charcoal Filter 1 Start LOCA, HI RAD. Manual, Train A Fan Stby Start (Note 1)

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION D001B 6.5-2 Charcoal Filter 2 Start LOCA, HI RAD. Manual, Train B fan Stby Start (Note 1)

F023 6.5-2 Filter Train A Inlet 1 Open Fan D001A Running F024 6.5-2 Filter Train B Inlet 2 Open Fan D001B Running F025 6.5-2 Filter Train A Outlet 1 Open Fan D001A Running F026 6.5-2 Filter Train B Outlet 2 Open Fan D001B Running C001A 6.5-2 Enclosure Bldg. Recirc. 1 Start LOCA, HI RAD. Manual, 7.3-261 Fan A Stby start (Note 1)

C001B 6.5-2 Enclosure Bldg. Recirc. 2 Start LOCA, HI RAD. Manual, Fan B Stby Start (Note 1)

F00l 6.5-2&3 SGTS Flow Control 1 Open LOCA, HI RAD. Manual (Note 2) Damper Intermediate Pressure 1/4 in. H20 VAC

& Fan Running M41-F008 9.4-11 CTMT Cooling System 1 Close LOCA, HI RAD. Manual Aux. Bldg. Isol. Valve Revision 2016-00 IN41-F007 9.4-11 CTMT Cooling System 2 Close LOCA, HI RAD. Manual Aux. Bldg. Isol. Valve 1M41-F036 9.4-11 CTMT Cooling System 1 Close LOCA, HI RAD. Manual Aux. Bldg. Isol. Valve 1M41-F037 9.4-11 CTMT Cooling System 2 Close LOCA, HI RAD. Manual Aux. Bldg. Isol. Valve

TABLE 7.3-23: STANDBY GAS TREATMENT SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure ESF Actuating Number No.(P&D) Description Division Function Signal IT41-F007 9.4-10 Aux. Bldg. Vent System 1 Close LOCA, HI RAD. Manual Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Isol. Valve T41-F006 9.4-10 Aux. Bldg. Vent System 2 Close LOCA, HI RAD. Manual Isol. Valve T42-F004 9.4-2 Fuel Handling Area 1 Close LOCA, HI RAD. Manual Vent System Isol. Valve 1T42-F003 9.4-2 Fuel Handling Area 2 Close LOCA, HI RAD. Manual Vent System Isol. Valve 1T42-F011 9.4-2 Fuel Handling Area 1 Close LOCA, HI RAD. Manual 7.3-262 Vent System Isol. Valve IT42-F012 9.4-2 Fuel Handling Area 2 Close LOCA, HI RAD. Manual Vent System Isol. Valve IT42-F019 9.4-2 Fuel Handling Area 1 Close LOCA, HI RAD. Manual Vent System Isol. Valve 1T42-F020 9.4-2 Fuel Handling Area 2 Close LOCA, HI RAD. Manual Vent System Isol. Valve Revision 2016-00 NOTES

1. Standby start: Keylock switch in standby position, and Low Negative Pressure (A), or Low Negative Pressure (C), or Low Recirc Fan (A) Flow, or Low Filter Train (A) Flow

TABLE 7.3-23: STANDBY GAS TREATMENT SYSTEM ACTUATED EQUIPMENT LIST (Continued)

2. Typical for the following devices:

Updated Final Safety Analysis Report (UFSAR)

Division 1 Division 2 GRAND GULF NUCLEAR GENERATING STATION F00l F002 F004 F003 F006 F005 F007 F008 F009 F0l0 F011 F012 F013 F014 F015 F016 7.3-263 F017 F018 F019 F020 FOZI-(See Note 3) F022 (See Note 3)

3. SGTS Flow Control Dampers F021 and F022 have no intermediate position.

Revision 2016-00

TABLE 7.3-24: STANDBY GAS TREATMENT SYSTEM FAILURE MODES AND EFFECTS ANALYSIS

[HISTORICAL INFORMATION]

Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Loss of plant instrument Ctmt cooling system Immediate annunciation on No direct effect on air isolation valves close loss of plant instrument SGTS equipment air Aux bldg vent. system isolation valves close Fuel handling area vent.

system isolation valves close Loss of cooling water systems 7.3-264 PSW No effect Annunciation on loss of PSW CCW No effect Annunciation on loss of CCW TBCW No effect Annunciation on loss of TBCW SSW No direct effect Annunciation on loss of Loss of one SSW system SSW causes loss of diesel generator and possible loss of ac power.

Revision 2016-00 Redundant system provides protective action.

Loss of power systems Loss on one ESF ac bus Loss of one charcoal Immediate annunciation on Redundant system provides filter train fan loss of BUS protective action

TABLE 7.3-24: STANDBY GAS TREATMENT SYSTEM FAILURE MODES AND EFFECTS ANALYSIS (Continued)

[HISTORICAL INFORMATION]

Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR)

Motor-operated valves GRAND GULF NUCLEAR GENERATING STATION fail as is.

Enclosure bldg. recirc.

fan stops.

Ctmt cooling system isolation valves close Aux bldg. vent. system isolation valves close Fuel handling area vent system isolation 7.3-265 valves close Loss of one ESF dc bus Start charcoal filter Immediate annunciation Redundant recirc. fan train fan and open inlet on loss of bus provides protective and outlet valves action Enclosure bldg. recirc.

fan fails as-is.

Open flow control valves.

Ctmt cooling system aux.

bldg. vent system, and fuel handling area vent system isolation valves Revision 2016-00 close.

Sensor Failures Radiation Detector Reduces coincidence Annunciation or periodic required to start system testing.

TABLE 7.3-24: STANDBY GAS TREATMENT SYSTEM FAILURE MODES AND EFFECTS ANALYSIS (Continued)

[HISTORICAL INFORMATION]

Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Enclosure bldg. Flow control dampers Periodic testing pressure maintained wide open during system operation Upscale Standby system starts initiation signal present Downscale No immediate effect Periodic testing Redundant transmitter controls dampers and standby system operation Filter train or recirc.

fan flow 7.3-266 Upscale Prevents standby system Periodic testing Redundant system provides start on low recirc. fan required protective flow action Downscale Standby system starts Annunciation or if initiation signal periodic testing present Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-25: SUPPRESSION POOL MAKEUP SYSTEM ACTUATION INSTRUMENTATION

SUMMARY

Number of Instrument Variable Sensor Type Sensors Range Suppression pool Differential 4 0-180 inches w.c.

level (wide range) pressure (103'-6" to 118'-6")

transmitter Suppression pool Differential 2 0-12 inches w.c.

level (narrow pressure (111-0" to 112-0")

range) transmitter 7.3-267 Revision 2016-00

TABLE 7.3-26: SUPPRESSION POOL MAKEUP SYSTEM ACTUATED EQUIPMENT LIST Equipment Figure No.

Number (P&ID) Description ESF Division Function Signal Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION F00IA 6.2-82 Suppression 1 Open LOCA, low pool makeup supp. pool valve level, manual F00IB 6.2-82 Suppression 2 Open LOCA, low pool makeup supp. pool valve level, manual F002A 6.2-82 Suppression 1 Open LOCA, low pool makeup supp. pool valve level, manual F002B 6.2-82 Suppression 2 Open LOCA, low 7.3-268 pool makeup supp. pool valve level, manual Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-27: FAILURE MODES AND EFFECTS ANALYSIS SUPPRESSION POOL MAKEUP SYSTEM

[HISTORICAL INFORMATION]

Effect on Failure Mode System Detection Remarks Loss of plant None Immediate instrument annunciation on air loss of instrument air Loss of cooling None Annunciation on water systems effected system Loss of Power Systems:

Loss of one ESF Motor operated Immediate Protective action ac bus dump and annunciation on provided by instrument line loss of bus redundant system isolation valves is required.

on one system fail as-is Loss of one ESF Affected system Immediate Protective action dc bus fails as-is, annunciation on provided by cannot be loss of bus redundant system initiated if required.

If system is in operation, operator may still close dump valve by using system bypass switch.

Level sensor failure:

Upscale No immediate Periodic testing effect Downscale Immediate system Low level alarm on No adverse effects initiation affected channel on drywell upon LOCA structure or system operation AUTO - OFF bypass switch failure AUTO Dump valves cannot Periodic testing be reclosed after system operation.

7.3-269 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-27: FAILURE MODES AND EFFECTS ANALYSIS SUPPRESSION POOL MAKEUP SYSTEM (Continued)

[HISTORICAL INFORMATION]

Effect on Failure Mode System Detection Remarks OFF One system will "SPMU System out Protective action not operate. of service" provided by annunciation on redundant system periodic testing. if required.

System initiate switch failure Open Prevents manual Periodic testing Automatic initiation after initiation LOCA circuits still operative, redundant system can be manually initiated if required.

Closed Reduce coincidence Periodic testing required for manual initiation after LOCA 7.3-270 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-28: CONTROL ROOM ATMOSPHERIC CONTROL AND ISOLATION SYSTEM ACTUATION INSTRUMENTATION

SUMMARY

Number of Variable Sensor Type Sensors Instrument Range Outside air G-M Detector 4 0.01-100 MR/HR intake radiation Standby fresh Differential 2 0-5,000 cfm air flow pressure (0-4.9 in. w. c.)

transmitter (pitot tube)

Control room A/C Differential 2 0-40,000 cfm unit air flow pressure (0-8.0 in. w. c.)

transmitter (pitot tube) 7.3-271 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-29: CONTROL ROOM ATMOSPHERIC CONTROL AND ISOLATION SYSTEM ACTUATED EQUIPMENT LIST Equipment Figure ESF Number No. (P&ID) Description Division Function Remarks D002A 9.4-1 Standby fresh 1 Start air unit A D002B 9.4-1 Standby fresh 2 Start air unit B F007 9.4-1 Fresh air valve 1 Close May be manually reopened after 10 minutes F016 9.4-1 Fresh air valve 2 Close May be manually reopened after 10 minutes F008 9.4-1 Recirculation 1 Open May be manually valve closed after 10 minutes F014 9.4-1 Recirculation 2 Open May be manually valve closed after 10 minutes F005 9.4-1 STBY fresh air 1 Open See Note 1 damper F013 9.4-1 STBY fresh air 2 Open See Note 1 damper F010 9.4-1 Normal fresh air 1 Close inlet F011 9.4-1 Normal fresh air 2 Close inlet F003 9.4-1 Utility exhaust 1 Close valve F004 9.4-1 Utility exhaust 2 Close valve F001 9.4-1 Purge exhaust 1 Close valve F002 9.4-1 Purge exhaust 2 Close valve B002A 9.4-1 Air conditioning 1 - CRACIS signal unit fan bypasses freon and smoke detector circuits 7.3-272 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.3-29: CONTROL ROOM ATMOSPHERIC CONTROL AND ISOLATION SYSTEM ACTUATED EQUIPMENT LIST (Continued)

Equipment Figure ESF Number No. (P&ID) Description Division Function Remarks B002B 9.4-1 Air conditioning 2 - CRACIS signal unit fan bypasses freon and smoke detector circuits F009 9.4-1 Air conditioning 1 Open See Note 2 unit A inlet damper F012 9.4-1 Air conditioning 2 Open See Note 2 unit B inlet damper F017 9.4-1 Air conditioning 1 Open See Note 2 unit A outlet damper F018 9.4-1 Air conditioning 2 Open See Note 2 unit B outlet damper Note 1: Dampers open automatically when standby fresh air unit fan is running and close when fan is off.

Note 2: Dampers open automatically when control room AIC unit fan is running and close when fan is off.

7.3-273 Revision 2016-00

TABLE 7.3-30: CONTROL ROOM ATMOSPHERIC CONTROL AND ISOLATION SYSTEM FAILURE MODES AND EFFECTS ANALYIS Failure Mode Effect on System Detection Remarks Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Loss of plant System isolates Immediate annunciation Stby fresh air fans instrument air on loss of plant instr. do not start.

air Loss of cooling Operator may manually water: open stby fresh air valves & start stby fresh air fans.

PSW Loss of normal Immediate annunciation Normal cooling 7.3-274 cooling to one on PSW system requirements met by A/C compressor redundant A/C compressor.

Loss of normal Immediate annunciation On SSW system cooling to both on PSW system initiation, both A/C A/C compressors compressors transferred to SSW system.

One SSW train Loss of one A/C Immediate annunciation Cooling requirements compressor on SSW system may be redundant A/C Revision 2016-00 compr. on redundant SSW train.

CCW No effect Immediate annunciation on CCW system

TABLE 7.3-30: CONTROL ROOM ATMOSPHERIC CONTROL AND ISOLATION SYSTEM FAILURE MODES AND EFFECTS ANALYIS (Continued)

Failure Mode Effect on System Detection Remarks TBCW No effect Immediate annunciation Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION on TBCW system Loss of power:

One ac ESF Bus System isolates Immediate annunciation Stby fresh air fans on loss of bus do not start.

Operator may manually start redundant fresh air fan &

open stby fresh air intake 7.3-275 on redundant system.

One dc ESF Bus System isolates Immediate annunciation Stby fresh air fan &

on loss of bus A/C compressor of effected system start.

Revision 2016-00

TABLE 7.3-31: DRAWING COMPARISON PSAR FSAR Function/

System Reference Description Reference Function Description Effect on Safety Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Standby service Figure Only initiation Logic Dwg Complete system Provides more complete water system 7.3-21 logic shown J-1221 including all information. Shows signal interlocks, from containment spray actuated devices, initiation circuit to open and annunciation RHR Heat exchanger valves shown and close recirculation valves to assure cooling water to RHR Hx.

Combustible gas Figure Initiation logic J-1237 Complete system Provides more complete 7.3-276 control system 7.3-23 and actuated shown information.

equipment shown LOCA initiation Ensures that protective action revised to action goes to completion include seal-in once it is initiated.

Standby gas Figure Initiation logic J-1236 Complete system Provides more complete treatment 7.3-19 and actuated is shown information. Shows system equipment shown seal-in features, damper controls, etc.; steam tunnel dampers added.

Manual initiation Requires operator to reset Revision 2016-00 signal revised to manual initiation signal include seal-in before system can be stopped.

Suppression Figure Logic shown as J-1279 Logic shown in No effect pool makeup 7.3-24 FCD standard format system

TABLE 7.3-31: DRAWING COMPARISON (Continued)

PSAR FSAR Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Function/

System Reference Description Reference Function Description Effect on Safety Both makeup Actuation logic is Reduces possibility of valves in each prepared for each inadvertent dump of upper division actuated valve (initiation containment pool due to by same logic signals remain logic hardware failure.

common) 7.3-277 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3-278 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3-279 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3-280 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3-281 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3-282 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.3-283 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Figure 7.3-7 Deleted 7.3-284 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4.1 Description 7.4.1.1 Reactor Core Isolation Cooling (RCIC) System -

Instrumentation and Controls 7.4.1.1.1 System Identification 7.4.1.1.1.1 Function The reactor core isolation cooling system consists of a turbine, pump, piping, valves, accessories, and instrumentation designed to assure that sufficient reactor water inventory is maintained in the reactor vessel thus assuring continuity of core cooling.

Reactor vessel water is maintained or supplemented by the RCIC during the following conditions:

a. Should the reactor vessel be isolated and yet maintained in the hot standby condition.

b. Should the reactor vessel be isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system.

c. Should a complete plant shutdown under conditions of loss of normal feedwater system be started before the reactor is depressurized to a level where the reactor shutdown cooling mode of the RHR system can be placed into operation.

7.4.1.1.1.2 Classification Electrical modules for the RCIC system are classified as Safety Class 2 and seismic Category I.

7.4.1.1.2 Power Sources The RCIC logic is powered by the 125 V dc division 1 system, except the inboard isolation valves trip system which is powered by the 125 V dc division 2 system. Motive power for inboard isolation valves is by division 2 standby ac power, while outboard isolation valves are driven by division 1 standby ac power. The remaining valves are driven by the division 1 dc system or are failed closed air operated valves (A.O.V.s) controlled via dc solenoids powered by divisions 1 and 2.

7.4-1 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.1.3 Equipment Design 7.4.1.1.3.1 General When actuated, the RCIC system pumps water from either the condensate storage tank or the suppression pool to the reactor vessel.

The RCIC system includes one turbine-driven pump, one gland seal system dc-powered air compressor, automatic valves, control devices for this equipment, sensors and logic circuitry. The arrangement of equipment and control devices is shown in the RCIC P&ID figures (5.4-10 and 5.4-11).

Level transmitters used for the initiation of the RCIC system are located on instrument racks outside the drywell but inside the containment. The only operating components of the RCIC system that are located inside the drywell are the inboard steam line isolation valve, the steam line warmup line isolation valve.

The rest of the RCIC system control and instrumentation components are located in the auxiliary building. Cables connect the sensors to control circuitry in the control room.

A design flow functional test of the RCIC system may be performed during normal plant operation by drawing suction from the condensate storage tank and discharging through a full flow test return line to the condensate storage tank. The discharge valve from the pump to the feedwater line remains closed during the test, and reactor operation remains undisturbed. All components of the RCIC system are capable of individual functional testing during normal plant operation. Control system logic provides automatic return from test to the operating mode if system initiation is required. There are three exceptions:

a. The flow controller in manual mode. This feature is required for operational flexibility during system operation.

b. Steam inboard/outboard isolation valves. Closure of either or both of these valves requires operator action to properly sequence their opening. An alarm sounds when either of these valves leaves the fully open position.

c. If circuit breakers have been manually racked out-of-service.

7.4-2 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The only manual action which requires more than momentary actuation is RCIC initiation out of the test mode when the discharge valve inlet to the condensate storage tank is open due to testing. This delayed actuation is applicable only in the test mode described above. However, for normal RCIC initiation, only momentary pushbutton contact is required.

There are no other manual pushbuttons that must be held depressed for more than a few seconds to initiate the desired action.

7.4.1.1.3.2 Initiating Circuits Reactor vessel low-water level is monitored by four level transmitters that sense the difference between the pressure to a constant reference leg of water and the pressure due to the actual height of water in the vessel. Each transmitter supplies a signal to trip units (an electronic switch which may be set to trip at various signal levels) that energize relays for control logic.

Trip units are located in the control room. The pipelines for the transmitters are physically separated from each other and tap off the reactor vessel at widely separated points.

The RCIC system is initiated only by low water level utilizing a one-out-of-two twice logic.

The RCIC system is initiated automatically after the receipt of a reactor vessel low water level signal and produces the design flow rate within 30 seconds when in a normal (standby) alignment, or within 50 seconds if the system must realign from a test mode wherein the full flow test return valves are open. Refer to Section 5.4.6.2.4). The system then functions to provide design makeup water flow to the reactor vessel until the amount of water delivered to the reactor vessel is adequate to restore vessel level, at which time the RCIC system automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown.

The RCIC turbine is functionally controlled as shown in the RCIC functional control diagram (FCD) (See Section 1.7). The turbine governor limits the turbine speed and adjusts the turbine steam control valve so that design pump discharge flow rate is obtained.

The flow signal used for automatic control of the turbine is derived from a differential pressure measurement across a flow element in the RCIC system pump discharge line.

7.4-3 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The turbine is automatically shut down by tripping the turbine trip and throttle valve closed if any of the following conditions are detected:

a. Turbine overspeed.

b. High turbine exhaust pressure.

c. RCIC isolation signal from logic A or B.

d. Low pump suction pressure.

e. Deleted

f. Manual trip actuated by the operator.

Turbine overspeed indicates a malfunction of the turbine control mechanism. High turbine exhaust pressure indicates a condition that threatens the physical integrity of the exhaust line. Low pump suction pressure warns that cavitation and lack of cooling can cause damage to the pump which could place it out of service.

A turbine trip is initiated for these conditions so that if the causes of the abnormal conditions can be found and corrected, the system can be quickly restored to service. The trip settings are selected far enough from normal values so that a spurious turbine trip is unlikely, but not so far that damage occurs before the turbine is shut down. Turbine overspeed is detected by a standard turbine overspeed mechanical device. Two pressure transmitters and trip units are used to detect high turbine exhaust pressure; either trip unit can initiate turbine shutdown. One pressure transmitter and trip unit is used to detect low RCIC system pump suction pressure.

High water level in the reactor vessel indicates that the RCIC system has performed satisfactorily in providing makeup water to the reactor vessel. Further increase in level could result in RCIC system turbine damage caused by gross carry-over of moisture. To prevent this, a high-water-level trip is used to initiate closure of the steam supply valve, to shut off the steam to the turbine, and to halt RCIC operation. The system will automatically reinitiate if the water level decreases to the reactor low-water-level trip setpoint. Two level transmitters and trip units that sense differential pressure are arranged to require that both trip units trip to initiate a turbine shutdown.

7.4-4 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.1.3.3 Logic and Sequencing The scheme used for initiating the RCIC system is shown in the RCIC FCD (See Section 1.7). Instrument settings for the RCIC system controls and instrumentation are listed in Table 7.4-1.

7.4.1.1.3.4 Bypasses and Interlocks To prevent the turbine pump from being damaged by overheating at reduced RCIC pump discharge flow, a pump discharge bypass is provided to route the water discharged from the pump back to the suppression pool.

The bypass is controlled by an automatic, dc motor-operated valve whose control scheme is shown in the RCIC FCD (See Section 1.7).

The valve is closed at high flow or when either the steam supply or turbine trip valves are closed. Low flow combined with high pump discharge pressure opens the valve.

To prevent the RCIC steam supply pipeline from filling up with water and cooling excessively, a condensate drain pot, steam line drain, and appropriate valves are provided in a drain pipeline arrangement just upstream of the turbine supply valve. The control scheme is shown in the RCIC FCD. The controls position valves so that during normal operation steam line drainage is routed to the main condenser. The water level in the steam line drain condensate pot is controlled by a level switch and air operated valves which energize to allow condensate to flow out of the drain pot. Upon opening of the steam to RCIC Turbine Valve (1E51-F045), the drainage path is isolated.

To prevent the turbine exhaust line from filling with water, a condensate drain pot is provided. The water level in the turbine exhaust line condensate drain pot is controlled by a level switch which, upon sensing high-water level, opens the drain valve and allows condensate to flow to the dirty radwaste system. Upon opening of the steam to RCIC Turbine Valve (1E51-F045), the drainage path is isolated. The control logic is shown in the RCIC FCD.

During test operation, the RCIC pump discharge is routed to the condensate storage tank. Two dc motor-operated valves are installed in the pump discharge to condensate storage tank pipeline. The piping arrangement is shown in Figures 5.4-10 and 5.4-11. Upon receipt of an RCIC initiation signal, the valves close. The pump suction from the condensate storage tank and the 7.4-5 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) test discharge to the condensate storage tank valves are automatically closed if the suppression pool suction valve is fully open. Numerous indications pertinent to the operation and condition of the RCIC are available to the main control room operator. The RCIC FCD shows the various indications provided.

7.4.1.1.3.5 Redundancy and Diversity On a network basis, the RCIC is redundant to HPCS for the safe shutdown function. RCIC, as a system by itself, is not required to be redundant, although the instrument channels are redundant for operational availability purposes. While no initiating signal diversity exists within this system, there does exist system level diversity between RCIC and HPCS for plant conditions identified in Chapter 15.

The RCIC is actuated by reactor low water level. Four level sensors in a one-out-of-two twice circuit supply this signal.

7.4.1.1.3.6 Actuated Devices All automatic valves in the RCIC are equipped with remote-manual test capability so that the entire system can be operated from the control room. Motor-operated valves are equipped with limit and torque switches. These switches turn off the motors when movement is complete. When valves are seating, valve motor forces are controlled by either torque switches or limit switches. Thermal over-load devices are used to trip motor-operated valves during testing only. All motor- and air-operated valves provide control room indication of valve position. The system is capable of initiation independent of ac power.

To assure that the RCIC can be brought to design flow rate within 30 seconds from the receipt of the initiation signal when in a normal (standby) alignment, the following maximum operating times for essential RCIC valves are provided by the valve operating mechanisms:

RCIC turbine steam supply valve (F045) 15 seconds RCIC steam supply bypass valve (F095) 5 seconds RCIC pump discharge valves (F013) 15 seconds RCIC pump minimum flow bypass valve (F019) 5 seconds 7.4-6 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The operating time is the time required for the valve to travel from the fully closed to the fully open position, or vice versa.

The two RCIC steam supply line isolation valves are normally open and they are designed to isolate the RCIC steam line in the event of a break in that line. These valves are operated by ac motors powered from different ac sources and automatically close on receipt of an isolation signal. A normally closed dc motor-operated valve is located in the turbine steam supply pipeline just upstream of the turbine stop valve. The control scheme for this valve is shown in the RCIC FCD. Upon receipt of an RCIC initiation signal, this valve opens and remains open until closed by operator action from the control room or a RPV water level high (Level 8) signal is received.

The instrumentation for isolation consists of the following:

Outboard RCIC Turbine Isolation Valve

a. Ambient temperature switches - RCIC and RHR equipment area high temperature.

b. Ambient temperature switch - RCIC pipe routing area high temperature.

c. Differential pressure transmitters and trip units -RCIC or RHR/RCIC steam line high flow or instrument line break.

d. Two pressure transmitters and trip units - RCIC turbine exhaust diaphragm high pressure. Both trip units must activate to isolate.

e. Pressure transmitter and trip unit - RCIC steam supply pressure low.

f. Manual isolation if the system operation has been initiated.

Inboard RCIC Turbine Isolation Valve

a. Except for the manual isolation feature, a similar set of instrumentation causes the inboard valve to isolate.

Two pump suction valves are provided in the RCIC system. One valve lines up pump suction from the condensate storage tank; the other one from the suppression pool. The condensate storage tank is the preferred source. Both valves are operated by dc motors. The 7.4-7 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) control arrangement is shown in the RCIC FCD (See Section 1.7).

Upon receipt of an RCIC initiation signal, the condensate storage tank suction valve automatically opens. Condensate storage tank low-water level or suppression pool high-water level automatically opens the suppression pool suction valve. Full opening of this valve automatically closes the condensate storage tank suction valve.

One dc motor-operated RCIC pump discharge valve in the pump discharge pipeline is provided. The control scheme for this valve is shown in the RCIC FCD. This valve is arranged to open upon receipt of the RCIC initiation signal and closes automatically upon receipt of a signal that either the Turbine Trip and Throttle Valve or the Steam to RCIC Turbine Valve is fully closed.

7.4.1.1.3.7 Separation As in the emergency core cooling system, the RCIC system is separated into divisions designated 1 and 2. The RCIC is a Division 1 system, but the inboard steam line isolation valve, the steam line warmup line isolation valve, the inboard vacuum breaker isolation valve and the inboard turbine exhaust drain isolation valve are Division 2; therefore, part of the RCIC logic is Division 2. The inboard and outboard steam supply line isolation valves, the steam line warmup line isolation valve and the inboard and outboard vacuum breaker isolation valves are ac powered valves. The rest of the valves are powered by dc or air.

In order to maintain the required separation, RCIC logic relays, instruments and manual controls are mounted so that separation from Division 2 is maintained.

All power and signal cables and cable trays are clearly identified by division and safety classification.

The auxiliary systems that support the RCIC system are: the gland seal system (which prevents turbine steam leakage) and the lube oil cooling water system. An RCIC initiation signal activates the gland seal compressor and opens the cooling water supply valve thereby initiating the gland seal and lube oil cooling functions.

These systems remain on until manually turned off. However, the gland seal compressor will be inhibited from starting, or tripped off if a LPCS INITIATION SIGNAL is present.

7.4-8 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The method for identifying power and signal cables and cable trays as safety-related equipment and the scheme used to distinguish between redundant cables and cable trays are discussed in subsection 8.3.1.3. Instrument panels are identified in accordance with the requirements of Regulatory Guide 1.75.

7.4.1.1.3.8 Testability

[HISTORICAL INFORMATION] [The RCIC may be tested to design flow during normal plant operation as discussed in subsection 7.4.1.1.3.1. Water is drawn from the condensate storage tank and discharged through a full- flow test return line to the condensate storage tank. The discharge valve from the pump to the feedwater line remains closed during the test and reactor operation remains undisturbed.

Testing of the initiation transmitters which are located outside the drywell is accomplished by valving out each transmitter and applying a test pressure source. This verifies the operability of the sensor as well as the calibration range. The trip units in the control room are calibrated by introducing a calibration source and verifying the set point trip using a digital readout on the calibration module.] Testing and calibration of the transmitters will be performed in accordance with the Technical Specifications.

7.4.1.1.4 Environmental Considerations The only RCIC control components located inside the drywell that must remain functional in the environment resulting from a loss-of-coolant accident are the control mechanisms for the inside isolation valve and the steam line warmup line isolation valve.

The environmental capabilities of these devices are discussed in subsection 7.3.1.1.2.12, Containment and Reactor Vessel Isolation Control System. All of the equipment located outside the drywell will operate in their worst-case environments shown in the Section 3.11 tables. All safety-related RCIC instrumentation is seismically qualified to remain functional following a safe shutdown earthquake (SSE).

7.4.1.1.5 Operational Considerations 7.4.1.1.5.1 General Information Normal core cooling is required in the event that the reactor becomes isolated from the main condenser during normal operation by a closure of the main steam line isolation valves. Cooling is 7.4-9 LBDCR 2018-097

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) necessary due to the core fission product decay heat. Steam is vented through the pressure relief/safety valves to the suppression pool. The RCIC system maintains reactor water level by providing the makeup water. Initiation and control are automatic.

7.4.1.1.5.2 Reactor Operator Information The following items are located in the control room for operator information:

Analog Indication

a. RCIC pump suction pressure

b. RCIC pump discharge pressure

c. RCIC pump discharge flow

d. RCIC turbine speed

e. RCIC turbine exhaust line pressure

f. RCIC turbine supply steam pressure Indicating Lamps

a. Position of all motor-operated valves

b. Position of all solenoid-operated valves

c. All sealed-in circuits Annunciators Annunciators are provided as shown in the RCIC system FCD (See Section 1.7) and the RCIC system P&ID per Figures 5.4-10 and 5.4-11.

7.4.1.1.5.3 Set Points Instrument settings for the RCIC system controls and instrumentation are shown in Appendix 16B.

The reactor vessel low water level setting for RCIC system initiation is selected high enough above the active fuel to start the RCIC system in time to prevent the need for the use of the 7.4-10 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) engineering safeguards. The water level setting is far enough below normal levels that spurious RCIC system startups are avoided.

7.4.1.2 Standby Liquid Control System (SLCS) -

Instrumentation and Controls 7.4.1.2.1 System Identification 7.4.1.2.1.1 Function The instrumentation and controls for the standby liquid control system are designed to initiate and continue injection of a liquid neutron absorber into the reactor when manually called upon to do so. This equipment also provides the necessary controls to maintain this liquid chemical solution well above saturation temperature in readiness for injection.

7.4.1.2.1.2 Classification The standby liquid control system is a backup method of manually shutting down the reactor to cold subcritical conditions by independent means other than the normal method by the control rod system. Thus, the system is considered a control system and not a safety system. The standby liquid control process equipment, instrumentation, and controls essential for injection of the neutron absorber solution into the reactor is designed to withstand seismic Category I earthquake loads. Any non-direct process equipment, instrumentation, and controls of the system are not required to meet seismic Category I requirements; however, the local and control room mounted equipment is located in seismically qualified panels.

7.4.1.2.2 Power Sources The power supply to one explosive-operated injection valve, injection pump, and solution storage tank outlet valve is powered from the ESF division l bus. The power supply to the other explosive-operated injection valve, injection pump, and tank outlet valve is powered from the ESF division 2 bus. The power supplies to the tank heaters and heater controls are connected to the standby ac power supply and shed upon receipt of a LOCA signal. The power supply to the control room benchboard indicator lights and the level and pressure sensors is powered from an ESF instrument bus.

7.4-11 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.2.3 Equipment Design 7.4.1.2.3.1 General The SLCS is a special plant capability event system. No single active component failure (SACF) of any plant system or component would necessitate the need for the operational function of the SLCS. It is included for a number of special consideration events:

a. Plant capability to shut down the reactor without control rods from normal operation (refer to Appendix 15A).

b. Plant capability to shutdown the reactor without control rods from a transient incident (refer to Appendix 15A and Section 15.8).

Although this system has been designed to a high degree of reliability with many safety system features, it is not required to meet the safety design basis requirements of the safety systems.

7.4.1.2.3.2 Initiating Circuits The standby liquid control system is initiated in the control room by turning a keylocking switch for system A clockwise to the START position and/or a different keylocking switch for system B to the START position. The switch slip contacts remain in the activated position, but the mechanism spring returns to the center position from which the key is removable.

7.4.1.2.3.3 Logic and Sequencing

[HISTORICAL INFORMATION] [When one division of standby liquid control system is initiated, one explosive valve fires and the tank discharge valve starts to open immediately. The pump that has been selected for injection will not start until its associated tank discharge valve is at least to the 90 percent open point. In order to provide maximum MOV availability when the SLC system is in normal standby readiness, the overloads for the storage tank outlet valves are bypassed by a relay contact from a test switch in its NORMAL position. When the TEST position is selected, the overload short is removed, thus allowing motor protection during test operation of the valves.

When two pump operation is used, the above logic and sequencing occurs concurrently for both loops.]

7.4-12 LBDCR 2018-097

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.2.3.4 Bypasses and Interlocks Pumps are interlocked so that either the storage tank discharge valve or the test tank discharge valve must be open for the pump to run. Starting the A SLC pump to inject the neutron absorber into the reactor will isolate a reactor water clean-up suction outboard isolation valve using Division 1 logic. The B SLC train will isolate a reactor water clean-up suction outboard and inboard isolation valve using Division 2 logic.

7.4.1.2.3.5 Redundancy and Diversity Under special shutdown conditions, the SLCS is functionally redundant to the control rod drive system in achieving and maintaining the reactor subcritical. Therefore, the SLCS as a system by itself is not required to be redundant, although the active components and instrument channels are redundant for serviceability.

Diversity of initiating signals is a requirement only for RPS, ECCS, and containment isolation systems. Therefore, diversity of initiating circuits is not employed for the SLCS design. The SLCS provides, however, a diverse means for reactivity control in the liquid neutron absorber to the control rod drive system.

The method of identifying redundant power cables, signal cables and cable trays, and the method of identifying non-safety-related cables as associated circuits are discussed in subsection 8.3.1.3.

7.4.1.2.3.6 Actuated Devices When the standby liquid control system is initiated to inject a liquid neutron absorber into the reactor, the following devices are actuated:

a. One of the two explosive valves are fired.

b. One of the two storage tank discharge valves are opened.

c. One of the two injection pumps is started.

d. The pressure sensing equipment indicates that the standby liquid control system is pumping liquid into the reactor.

7.4-13 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

When both loops are initiated for mitigation of anticipated transients without scram (ATWS), both explosive valves are fired, both pumps are started, and both storage tank discharge valves (pump suction valves) are opened simultaneously on each loop.

7.4.1.2.3.7 Separation The SLCS is separated both physically and electrically from the control rod drive system. The SLC system instrument channels are separated in accordance with the requirements of Regulatory Guide 1.75. The redundant active components of the SLCS are physically and electrically separated.

7.4.1.2.3.8 Testability The instrumentation and control system of the standby liquid control system is tested when the system test is performed as outlined in subsection 14.2.12.1.3.

7.4.1.2.4 Environmental Considerations The environmental considerations for the instrument and control portions of the standby liquid control system are the same as for the active mechanical components of the system. This is discussed in Section 3.11. The instrument and control portions of the standby liquid control system are seismically qualified to remain functional following a safe shutdown earthquake (SSE). Refer to Section 3.10 for seismic qualification aspects.

7.4.1.2.5 Operational Considerations 7.4.1.2.5.1 General Information The control scheme for the standby liquid control system can be found in the functional control diagram (see Section 1.7). The standby liquid control system is manually initiated in the control room by inserting the key in the A or B keylocking switch and turning it for either system A or system B operation. If the operator chooses to operate both standby liquid control system loops to mitigate an ATWS event, both loops can be initiated by turning the A and B keylocked switches to the START position. It will take between 50 and 125 minutes to complete the injection and for the storage tank level sensors to indicate that the storage tank is dry. When the injection is completed, the system may be manually turned off by turning the keylocking switch counter-7.4-14 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) clockwise to the STOP position. The slip contacts will remain in their deactivated positions but the switch mechanism will spring-return to the center position for key removal.

7.4.1.2.5.2 Operator Information The following items are located in the control room for operator information:

Analog Indication

a. Storage tank level.

b. System pressures.

c. Explosive valves continuity.

Indicating Lamps

a. Pump status and auto trip.

b. Explosive valve continuity.

c. Position of injection line manual service valve.

d. Position of storage tank outlet valve.

e. Position of test tank discharge manual service valve.

Annunciators and Status Lights The standby liquid control system control room annunciators and status lights indicate:

a. Manual or automatic out-of-service condition of SLC system A and/or B due to:

1. Operation of manual out-of-service switch.

2. The loss of continuity of any explosive valve primers.

3. Storage tank outlet valve in test status.

4. Overload trip or power loss in pump or storage tank outlet valve controls.

b. Standby liquid storage tank high or low temperature.

7.4-15 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Standby liquid tank high and low level.

The following items are located locally at the equipment for operator utilization:

Analog Indication

a. Storage tank level.

b. System pressure.

c. Storage tank temperature.

Indicating Lamps

a. Pump status.

b. Storage tank operating heater status.

c. Storage tank mixing heater status.

d. Heat trace status.

7.4.1.2.5.3 Set Points The standby liquid control system has set points for the various instruments as follows:

a. The loss of continuity meter is set to activate the annunciator just below the trickle current that is observed when the primers of the explosive valves are new.

b. The high- and low-standby liquid temperature switch is set to activate the annunciator when the temperature reaches predetermined high and low set points.

c. The high- and low-standby liquid storage tank level switch is set to activate the annunciator when the high and low storage tank capacity levels are reached.

d. The thermostatic controller is set to turn the operating heater on and off in order to maintain the standby liquid temperature at the desired value.

7.4-16 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.3 RHR/Reactor Shutdown Cooling System Mode -

Instrumentation and Controls 7.4.1.3.1 System Identification 7.4.1.3.1.1 Function The shutdown cooling mode of the RHR system is used during a normal reactor shutdown and cooldown. The shutdown cooling mode utilizes most of the safety classified portions of the RHR system although this mode of operation is not so classified.

The reactor shutdown cooling system consists of a set of pumps, valves, heat exchangers, and instrumentation designed to provide decay heat removal capability for the core. The system specifically accomplishes the following:

a. The reactor shutdown cooling system is capable of providing cooling for the reactor during shutdown operation after the vessel pressure is reduced to approximately 135 psig.

b. The system is capable of cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished.

c. Deleted The system can accomplish its design objectives by a preferred means by directly extracting reactor vessel water from the vessel via the recirculation loop suction line and routing it to a heat exchanger and back to the vessel, or by an alternate means by indirectly extracting the water via relief valve discharge lines to the suppression pool and routing pool water to the heat exchanger and back to the vessel.

7.4.1.3.1.2 Classification Electrical modules for the reactor shutdown cooling mode of the residual heat removal system are classified as safety class 3 and seismic Category I.

7.4-17 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.3.2 Power Sources This system utilizes normal plant power sources. These include 4160 V ac, 480 V ac, 120 V ac instrument busses, and dc sources.

If for any reason the normal plant sources become unavailable, the system is designed to utilize onsite power sources since the RHR system has safety modes of operation (e.g., LPCI) associated with this equipment.

7.4.1.3.3 Equipment Design 7.4.1.3.3.1 General The reactor water is cooled by taking suction from one of the recirculation loops; the water is pumped through the system heat exchanger and back to the reactor vessel via the feedwater lines.

Shutdown cooling flow is returned to the reactor vessel through the LPCI A or B lines. The use of LPCI A or B lines for shutdown cooling flow and LPCI C for the operation of alternate decay heat removal system is administratively controlled to operational conditions 4 and 5 with restrictions placed on such system parameters as flow rates, maximum temperature differential, duration, cycles and fuel movement in the vicinity of the LPCI nozzles. The use of LPCI lines (A, B and C) for shutdown cooling flow was evaluated for possible effects on LPCI nozzles, flow deflectors, thermal shields, core shroud and incore instrumentation. The LPCI lines are an acceptable shutdown cooling return flowpath to the reactor vessel.

During the initial phase of the shutdown cooling mode, only a portion of the RHR system heat exchanger capacity is required.

This allows the remaining portion of the RHR system with its heat exchanger, associated pumps, and valving to be available for the suppression pool cooling mode. If it is necessary to discharge a complete core load of reactor fuel to the fuel pool, a means is provided for making a physical intertie between the spent fuel pool cooling and clean-up system and the RHR heat exchangers. This method increases the cooling capacity of the spent fuel pool cooling and clean-up system to handle the heat load for this situation.

7.4.1.3.3.2 Initiating Circuits The reactor shutdown cooling system is initiated by manual operator actions. There is no requirement for automatic control.

7.4-18 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.3.3.3 Logic and Sequencing The following reactor shutdown cooling operating sequence is utilized:

a. The RHR valving is aligned for shutdown cooling mode.

b. The recirculation loop suction valve is opened.

c. The RHR heat exchangers are lined up for water-water heat transfer.

7.4.1.3.3.4 Bypasses and Interlocks Interlocks are provided, as shown in Table 7.4-2, to prevent opening the reactor shutdown cooling valves except under proper conditions.

The two RHR pumps used for shutdown cooling are interlocked to trip if the reactor shutdown cooling valves and suction valves from the suppression pool are not properly positioned.

7.4.1.3.3.5 Redundancy and Diversity The reactor shutdown cooling system contains two loops. Either loop is sufficient to satisfy the cooling requirements for shutdown cooling. A diverse method of shutdown cooling is provided by the alternate shutdown cooling mode, which is actually an extension of the LPCI mode. To establish the alternate mode, the normal shutdown cooling loop is bypassed by manually switching to take suction water from the suppression pool and manually opening the ADS valves to allow reactor water to flow back to the suppression pool. The ADS valves may be actuated by either division 1 or division 2 power thus providing redundancy in the event of a divisional power failure.

Refer to Chapter 15 and Appendix 15A for a system-level FMEA examination of the above operation.

The alternate shutdown cooling mode should not be confused with injection through the LPCI lines during normal shutdown cooling.

(See Section 5.4.7.1.5 for additional detail on the operation of the alternate shutdown cooling mode.) In normal shutdown cooling the ADS valves remain closed and suction is taken from the recirculation loop.

7.4-19 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Although there is no instrumentation diversity requirement for the reactor shutdown cooling system, the design basis objective is achieved by two diverse shutdown cooling means.

7.4.1.3.3.6 Actuated Devices All valves in the shutdown cooling system are equipped with remote manual switches in the control room. Further discussion can be found in subsection 7.3.1.1.1 relative to the general operation of the RHR system, including its other modes of operation.

7.4.1.3.3.7 Separation Since various subfunctions of the RHR system perform safety related action (LPCI and containment cooling), all of the system equipment that is safety related satisfies the appropriate safety separation criteria (refer to section 7.3.1.1).

7.4.1.3.3.8 Testability The reactor shutdown cooling system pumps (RHR) may be tested to full capacity during normal plant operation. All valves in the system may be tested during normal plant operation from the remote switches in the control room.

7.4.1.3.4 Environmental Considerations The only reactor shutdown cooling control component located inside the drywell that must remain functional in the environment is the control mechanism for the inboard isolation shutdown cooling suction valve. The environmental capabilities of this valve are discussed in subsection 7.3.1.1.2. The control and instrumentation equipment located outside the drywell is selected in consideration of the normal and accident environments in which it must operate.

RHR equipment is seismically qualified and environmentally classified as discussed in Sections 3.2, 3.10 and 3.11.

7.4-20 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.3.5 Operational Considerations 7.4.1.3.5.1 7.4.1.3.5.1 General Information All controls for the reactor shutdown cooling system are located in the control room. Operator information is provided as described in the RHR discussion of the LPCI mode in subsection 7.3.1.1.1.6.11.

7.4.1.3.5.2 Operator Information Refer to subsection 7.3.1.1.1.6.11.2 for operator information associated with the RHR system in general.

7.4.1.3.5.3 Set Points There are no safety-related set points involved in the operation of the shutdown cooling mode of the RHR system.

7.4.1.4 Remote Shutdown System 7.4.1.4.1 System Identification 7.4.1.4.1.1 Function The remote shutdown system provides the necessary controls and instrumentation outside the main control room, for reactor systems and secondary support systems needed for prompt hot shutdown of the reactor, in addition to providing the capability to achieve cold shutdown through the use of suitable procedures.

Remote shutdown capability shall be available at times when the main control room is uninhabitable. Controls and instrumentation are provided on remote shutdown panels outside the main control room for systems necessary to maintain water level in the reactor pressure vessel (RPV) following an isolation/scram, depressurize the RPV by discharging steam to the suppression pool, cool the suppression pool, and cool the RPV after it is depressurized. In the event that the control room becomes uninhabitable the reactor will be manually scrammed before evacuating the control room or the RPS breakers will be tripped in route to the remote shutdown panels.

7.4-21 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.4.1.2 Classification Since the remote shutdown system interfaces with ESF Safety Class 2 and 3 circuits that are not shed following a design basis accident it has been designed to seismic Category I requirements.

7.4.1.4.2 Power Sources Power for the systems and controls necessary to support safe shutdown is provided from ESF Division 1 and 2 sources. Each of the two remote shutdown panels are supplied with 120-volt ac and 125-volt dc power from their respective divisional power sources.

7.4.1.4.3 Equipment Design 7.4.1.4.3.1 Design Bases In designing for safe reactor shutdown in the event of control room evacuation, the following design bases are applied:

a. Control room evacuation is initiated from an undefined cause, other than a control room exposure fire as postulated in 10 CFR 50, Appendix R: for example, control room environment not habitable. Allowing for a single failure, either ESF division of remote shutdown controls may be used achieving safe shutdown in accordance with GDC-34.

b. Design basis accidents are not assumed to occur concurrent with control room evacuation. However, loss of offsite power has been considered.

c. The operator will manually scram the reactor before leaving the control room or else may trip the RPS breakers outside the control room on his way to the remote shutdown room.

d. Access back into the control room continues to be denied.

e. Systems, controls, and indications essential to the residual heat removal function during hot shutdown are designed with suitable redundancy in accordance with GDC-34.

7.4-22 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

f. Loss of safety system redundancy does not occur as a result of the event requiring control room evacuation. All automatic controls continue to function as required.

g. Loss of turbine pressure control and feedwater systems are assumed concurrent with control room evacuation.

h. The standby diesel generators are assumed to start automatically if required due to a loss of offsite power.

However, manual controls are available locally at the diesel generator control panels as a backup to the automatic initiation.

7.4.1.4.3.2 Description Remote shutdown controls and instrumentation are physically located on two panels. One panel, 1H22-P150, contains control and instrumentation of systems powered from the ESF Division 1 bus, while the other panel, 1H22-P151, supports systems powered from the ESF Division 2 bus.

The two remote shutdown panels are located in 2 rooms adjacent to the ESF switchgear rooms on elevation 111' of the control building. These rooms are designated as OC208 and OC208A (see Figure 6.4-1).

The controls on the remote shutdown system panels (1H22-P150 &

1H22-Pl51) functionally duplicate and are in parallel with their control room counterparts.

The use of transfer switches for the remote shutdown panels (1H22-P150 & 1H22-P151) has been limited to instances where the control room switch operates by maintained contacts. Otherwise, momentary contact switches, similar to their control room counterparts, are used without transfer switches. The momentary contact switches used in both locations are spring return to "auto" or "norm". The position of the control room switches cannot compromise the remote shutdown controls.

Portions of the following systems have controls and instrumentation located on the remote shutdown panels:

a. Reactor core isolation cooling (RCIC) system (1H22-P150 Division I only)

b. Residual heat removal (RHR) systems A & B 7.4-23 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Standby service water (SSW) systems A & B

d. Nuclear boiler system (safety-relief valves)

e. Control Rod Drive system The controls provided on the remote shutdown panels are listed in Table 7.4-3. Display instrumentation is listed in Table 7.4-4.

The remote shutdown panel's arrangement drawings have been provided by reference in section 1.7, (Drawings J-1487A thru D and J-1488A & B).

7.4.1.4.3.3 Separation The two remote shutdown panels are 9 feet apart, located in 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> fire rated rooms with a 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> fire rated sliding door between them. All cabling associated with the panels and the systems which they operate are separated as described in subsections 7.1.2.2 and 8.3.1.4.

7.4.1.4.3.4 Redundancy Redundant controls and instrumentation have been provided in accordance with GDC-34 on the remote shutdown panels for those systems necessary to achieve and maintain cold shutdown of the reactor. Although RCIC is a safety-related system, it does not contain redundant components and cannot be protected against a single failure. However it is the desired system for maintaining reactor water inventory at high reactor pressures, if available.

7.4.1.4.4 Environmental Considerations The remote shutdown panels and related instrumentation are designed for anticipated abnormal environments and are qualified to meet IEEE 323-1971.

7.4.1.4.5 Operational Considerations 7.4.1.4.5.1 Hot Shutdown From Outside the Control Room Scram and isolation are achieved by removing reactor protection system power. During this phase of shutdown, the suppression pool is cooled by operating the residual heat removal (RHR) system in the suppression pool cooling mode. Suppression pool temperature and level indicators are provided on each remote shutdown panel to assist the operator while in this mode. Reactor pressure is 7.4-24 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) controlled, and core decay and sensible heat are rejected to the suppression pool by relieving steam pressure through the relief valves. A reactor pressure indicator is provided on each remote shutdown panel which enables the operator to determine reactor pressure and verify relief valve operation. It is not necessary to monitor reactor temperature explicitly, since reactor pressure is monitored and temperature is a function of pressure in the boiling water reactor. If available reactor water inventory will be maintained by the RCIC system. Controls are provided on the Division 1 remote shutdown panel to manually start the RCIC System before it starts automatically on low reactor vessel water level.

An indicator is provided on each remote shutdown panel which allows the operator to observe coolant level in the reactor.

In addition, controls are provided on the remote shutdown panels for the operation of the CRD pumps. Although the CRD system is not a safety-related system, the CRD pumps are powered from an associated Class IE source and may be used as an alternative for supplying high pressure water to the reactor.

7.4.1.4.5.2 Cold Shutdown From Outside the Control Room Manual control of the relief valves cools the reactor and reduces its pressure at a controlled rate until reactor pressure becomes so low that the RCIC system will discontinue operation. This condition is reached at 50 to 100 psig reactor pressure. The RHR system is then placed into the shutdown cooling mode to bring the reactor to a cold low-pressure condition. In addition to the RHR system controls, indicators for standby service water system flow and RHR flow through the heat exchangers are provided on each remote shutdown panel.

7.4.1.4.5.3 Cold Shutdown From Outside the Control Room Assuming a Single Failure In the event of a loss of one ESF division of power (i.e., one remote shutdown panel) as the single failure, cold shutdown is possible by using the controls and monitoring instrumentation provided on the remaining operable remote shutdown panel in the manner discussed below.

If the RHR A and B common suction line for shutdown cooling becomes inoperable due to some event, such as inability to open the shutdown cooling suction line valves either electrically or manually, and the normal shutdown cooling mode of RHR cannot be accomplished, the RHR system may be operated in the alternate 7.4-25 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) shutdown cooling mode of LPCI. In this procedure, water is drawn from the suppression pool, pumped through the RHR heat exchangers, and delivered into the shroud region of the reactor.

The vessel water is allowed to overflow the steam lines and discharge back to the suppression pool via open SRV discharge lines. A complete loop is thereby established, with sensible and decay heat being transferred to the pool and then to the SSW system via the RHR heat exchangers.

Given that the suppression pool is within technical specification limits at the time of the event, sufficient inventory will be available to dissipate heat loads resulting from RPV depressurization. The suppression pool level will not change significantly due to the closed loop operation associated with the RHR operating in the alternate shutdown cooling mode.

Suppression pool temperature indication is provided on both remote shutdown panels to assist the operator by providing indication of pool heat capacity after blowdown. A reactor pressure indicator is also provided on each remote shutdown panel to enable the operator to determine reactor pressure and verify relief valve operation. It is not necessary to monitor reactor temperature explicitly, since reactor pressure is monitored and temperature is a function of pressure in the boiling water reactor. Reactor water level is monitored by indicators located on each remote shutdown panel.

7.4.1.5 Alternate Shutdown System 7.4.1.5.1 System Identification 7.4.1.5.1.1 Function In accordance with the intent of 10 CFR 50, Appendix R, Sections III.G and III.L. one train of systems has been protected to achieve and maintain the reactor in a safe cold shutdown condition following an exposure fire in a specific fire area. For a postulated fire inside the main control room, transfer switches have been provided for circuits on the ESF Division 1 remote shutdown panel and other local alternate shutdown controls as necessary. The function of these switches is to isolate the ESF Division 1 control room circuits that are required for safe shutdown in order to allow the necessary safe shutdown components to be operated from the remote and/or alternate shutdown panels regardless of any faults that may have resulted from a control room fire.

7.4-26 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.1.5.1.2 Classification Since the remote shutdown and alternate shutdown panels and related monitoring instrumentation interface with ESF Safety Class 2 and 3 circuits that are not shed following a design basis accident they have been designed to meet seismic Category I requirements.

7.4.1.5.2 Power Sources Power for systems and controls necessary to support alternate safe shutdown is provided from the ESF Division 1 AC and DC distribution systems. 125-volt dc power is supplied to the Division 1 remote shutdown and transfer switch panels. 120-volt ac power is supplied only to the Division 1 remote shutdown panel.

7.4.1.5.3 Equipment Design 7.4.1.5.3.1 Design Bases In designing for safe reactor shutdown in the event of a control room fire, the following design bases are applied:

a. A control room exposure fire and any resulting consequences shall be considered the single failure. One ESF division of remote shutdown controls shall be available to achieve safe shutdown in accordance with 10 CFR 50, Appendix R requirements.

b. The alternate shutdown system is designed to control the required shutdown systems from outside the control room irrespective of shorts, opens, or grounds in the control circuits in the control room that may have resulted from a control room fire.

c. The operator will manually scram the reactor before leaving the control room or else may trip the RPS breakers outside the control room on his way to the remote shutdown room.

d. Design basis accidents are not assumed to occur concurrent with control room evacuation due to a control room fire.

However, a loss of offsite power has been considered.

e. Access back into the control room continues to be denied.

7.4-27 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

f. Loss of turbine pressure control and feedwater systems are assumed concurrent with control room evacuation.

g. The standby diesel generator is assumed to start automatically if required due to a loss of offsite power.

However, manual controls are available locally at the diesel generator control panel as a backup to the automatic initiation.

7.4.1.5.3.2 Description Alternate shutdown controls and instrumentation, are physically located on 1H22-P150, the ESF Division 1 remote shutdown panel.

The ESF Division 1 remote shutdown panel is located in a room adjacent to the ESF switchgear room at elevation 111' of the control building. The room is designated as OC208A (see Figure 6.4-1). Four additional panels (1H22-P295, 1H22-P296, 1H22-P298 and 1H22-P299) contain controls and indication for the operation of components required to support those systems controlled from the Division 1 remote shutdown panel. These panels are located as follows:

1H22-P295 Auxiliary Bldg, El. 119, Rm 1A208 1H22-P296 Auxiliary Bldg, El. 119, Rm 1A219 1H22-P298 Auxiliary Bldg, El. 166, Rm 1A410 1H22-P299 Control Bldg, El. 111, Rm OC202 In addition, the local control panels, 1H22-P113 and 1H22-P400, located in the diesel generator building, room 1D310 (see Figure 9.5-21) support operation of the Division 1 standby diesel generator.

The transfer of controls from the control room to the remote shutdown panel (1H22-P150) is accomplished through a transfer switch located on the transfer panel (1H22-P152) within the Division 1 switchgear room. This room is located between the control room and the remote shutdown room. The function of this transfer switch is to isolate the Division 1 control room circuits which are duplicated on the remote shutdown panel. Actuation of this transfer switch is alarmed in the main control room.

Similarly, the four alternate shutdown panels identified above have been provided with transfer switches that will isolate the Division 1 control room circuits. Actuation of these switches will also alarm in the main control room.

7.4-28 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The use of transfer switches for the remote shutdown panel (1H22-P150) has been limited to instances where the control room switch operates by maintained contacts. Otherwise, momentary contact switches, similar to their control room counterparts, are used without transfer switches. The momentary contact switches used in both locations are spring return to "auto" or "norm". The position of the control room switches will not compromise the remote shutdown controls.

The controls of the remote shutdown panel (1H22-P150) and alternate shutdown panels (1H22-P295, 1H22-P296, 1H22-P298 and 1H22-P299) have functionally duplicated and are in parallel with their control room counterparts, where applicable. Where controls have not been provided for equipment governed by the alternate shutdown panels, the transfer switch governing the equipment will, in all cases, isolate the control room and allow the equipment to operate automatically or place the governed equipment in the desired position for the shutdown process.

In the case of the standby diesel generator controls and instrumentation, the transfer of control from the control room to the local diesel generator control panels via a selector switch on 1H22-P400 will also isolate the control room.

Portions of the following systems have controls and instrumentation located on the remote and/or alternate shutdown panels:

a. Residual heat removal (RHR) system A

b. Standby service water (SSW) system A

c. Nuclear boiler system (safety-relief and containment isolation valves)

d. 480V Distribution system

e. 4.16kv Distribution system

f. ESF electrical switchgear room cooling system

g. Emergency pump room cooling system

h. Standby service water pump house ventilation system

i. Emergency switchgear and battery rooms ventilation systems 7.4-29 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

j. Diesel generator building ventilation system The controls provided on the remote shutdown panel are listed in Table 7.4-3. Display instrumentation is listed in Table 7.4-4.

The remote shutdown panel arrangement drawings have been provided by reference in Section 1.7, (Drawings J-1487A thru D).

The controls provided on the alternate shutdown panels are listed in Table 7.4-6. The alternate shutdown engraving (arrangement) drawings have been provided by reference in Section 1.7, (Drawings E-1358-1F, 1G, 1J, and 1K).

7.4.1.5.3.3 Separation All cabling associated with the remote and alternate shutdown panels and the systems which they operate are separated as described in subsections 7.1.2.2 and 8.3.1.4.

7.4.1.5.3.4 Redundancy The transfer scheme is imposed on one division of remote and alternate shutdown controls and instrumentation, thus assuring one train of safe shutdown systems will be available to achieve safe shutdown in the event of a postulated exposure fire in the control room, in accordance with 10 CFR 50, Appendix R, Sections III.G and III.L.

7.4.1.5.4 Environmental Considerations The remote and alternate shutdown panels and related components are designed to meet anticipated abnormal environments and are qualified to IEEE 323-1971.

7.4.1.5.5 Operational Considerations 7.4.1.5.5.1 Alternate Safe Shutdown From Outside the Control Room The following discussion concerns the minimum requirements of safe shutdown assuming a completely disabled control room resulting from fire damage. However, other systems and modes of operation as previously discussed in 7.4.1.4.5 will be used until rendered disabled by the control room fire.

7.4-30 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Manual activation of relief valves (minimum of 6 required for rapid depressurization) and the residual heat removal (RHR) system (aligned in the alternate shutdown mode of LPCI) will bring the reactor to a cold shutdown condition after scram and isolation are achieved by removing reactor protection system power.

Following recovery and stabilization of reactor water level, the RHR system would then operate in the shutdown cooling mode with the RHR heat exchanger connected directly into the reactor water circuit to bring the reactor to the cold low-pressure condition.

Suppression pool temperature and level indicators are provided on the Division 1 remote shutdown panel (1H22-P150) to assist the operator. Monitoring of suppression pool water level is available at the Remote Shutdown Panel during a Control Room fire for safe shutdown. Given that the suppression pool is within technical specification limits at the time of the event, sufficient inventory will be available to dissipate heat loads resulting from RPV depressurization. Suppression pool temperature will provide indication of pool heat capacity after initial blowdown.

In addition to the above indication, reactor water level and pressure, standby service water and RHR flow through the heat exchanger are provided on the Division 1 remote shutdown panel (1H22-P150).

7.4.2 Analysis 7.4.2.1 Reactor Core Isolation Cooling (RCIC) System -

Instrumentation and Control 7.4.2.1.1 Conformance to General Functional Requirements For events other than pipe breaks, such as reactor coolant pressure boundary (RCPB) isolations, the RCIC system has a makeup capacity sufficient to prevent the reactor vessel water level from decreasing to the level where the core is uncovered.

To provide a high degree of assurance that the RCIC system shall operate when necessary and in time to provide adequate inventory makeup, the power supply for the system is taken from energy sources of high reliability which are immediately available.

Evaluation of instrumentation reliability for the RCIC system shows that no failure of a single initiating sensor either prevents or falsely starts the system.

7.4-31 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the condensate storage tank and discharging through the full flow test return line back to the condensate storage tank.

During the test, the discharge valve to the reactor vessel remains closed and reactor operation is not disturbed. Control system design provides automatic return from the test mode to the operating mode if system initiation is required during testing, except for the conditions described in subsection 7.4.1.1.3.1.

Chapter 15 and Appendix 15A examine the system-level qualitative FMEA aspects of this system in plant operation and consider its function under various plant transient events.

7.4.2.1.2 Conformance with Specific Regulatory Requirements 7.4.2.1.2.1 Conformance with NRC Regulatory Guides General exceptions and positions taken on the Regulatory Guides, and the Revision of the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the RCIC system are discussed in this subsection.

7.4.2.1.2.1.1 Regulatory Guide 1.6 - Independence Between Redundant Standby Power Sources and Between Their Distribution Systems Although it is not required that RCIC alone meet the single failure criterion, redundant DC power sources are required for inboard and outboard RCIC isolation valves. These power sources are consistent with the guidelines of RG 1.6 for DC power supplies under Position 3.

7.4.2.1.2.1.2 Regulatory Guide 1.11 - Instrument Lines Penetrating Primary Reactor Containment All RCIC instrument lines penetrating or connected to the (primary) reactor containment meet the requirements of Regulatory Position C.1 of Regulatory Guide 1.11.

7.4.2.1.2.1.3 Regulatory Guide 1.22 - Periodic Testing of Protection System Actuation Functions RCIC is fully testable from initiating sensors to actuated devices during full power operation.

7.4-32 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.1.4 Regulatory Guide 1.29 - Seismic Design Classification The safety-related portion of RCIC instrumentation and control is classified as seismic Category I and is qualified to remain functional following an SSE.

7.4.2.1.2.1.5 Regulatory Guide 1.30 - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment The post-operation quality assurance program is discussed in Chapter 17.

7.4.2.1.2.1.6 Regulatory Guide 1.32 - Use of IEEE - Std 308-1971 Conformance to Regulatory Guide 1.32, as discussed in Section 8.3, is applicable to RCIC safety-related control instrumentation.

7.4.2.1.2.1.7 Regulatory Guide 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System The bypassed and inoperable status indication meets the requirements of Regulatory Guide 1.47, as stated in subsection 7.5.2.5.5 and as discussed in subsection 7.5.1.3.

7.4.2.1.2.1.8 Regulatory Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems RCIC meets the single-failure criterion on a network basis in conjunction with HPCS. It is not necessary for RCIC alone to meet the single-failure criterion in itself since its function is duplicated or backed up by other systems. Redundant sensors are discussed in subsection 7.4.2.1.2.3.1.6.

7.4.2.1.2.1.9 Regulatory Guide 1.62 - Manual Initiation of Protective Actions RCIC may be automatically as well as manually initiated inside the control room as well as at the remote shutdown panel outside the control room.

7.4-33 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.1.10 Regulatory Guide 1.63 - Electric Penetration Assemblies In Containment Structures for Light-Water-Cooled Nuclear Power Plants Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.4.2.1.2.1.11 Regulatory Guide 1.75 - Physical Independence of Electrical Systems Conformance to Regulatory Guide 1.75 is discussed in subsections 7.1.2.2 and 8.3.1.4.

7.4.2.1.2.1.12 Regulatory Guide 1.89 - Qualification of Class IE Equipment for Nuclear Power Plants Conformance to Regulatory Guide 1.89 is discussed in Section 3.11.

7.4.2.1.2.2 Conformance to NRC Regulations - 10 CFR 50 Appendix A Requirements 7.4.2.1.2.2.1 General Design Criterion 13 The reactor vessel water level, RCIC pump discharge pressure, and RCIC flow rate are monitored and displayed in the control room.

7.4.2.1.2.2.2 Deleted 7.4.2.1.2.2.3 Deleted 7.4.2.1.2.2.4 Deleted 7.4.2.1.2.2.5 Deleted 7.4.2.1.2.2.6 General Design Criterion 33 The RCIC system conforms to General Design Criterion 33 by performing the functions as described in subsection 7.4.1.1.1.1.

7.4.2.1.2.2.7 General Design Criterion 37 RCIC is not part of the ECCS.

7.4-34 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3 Conformance to Industry Codes and Standards 7.4.2.1.2.3.1 IEEE Std. 279-1971 7.4.2.1.2.3.1.1 General Functional Requirement (IEEE Std. 279 -

1971 Paragraph 4.1)

RCIC is automatically initiated by reactor low-water level measurements.

7.4.2.1.2.3.1.2 Single-Failure Criterion (IEEE Std. 279-1971 Paragraph 4.2)

The RCIC system is not required to meet the single-failure criterion. The logic circuits for the RCIC subsystem initiation and control are housed in a single relay cabinet and the power supply for the logic and other RCIC equipment is from a single dc power source.

The RCIC initiation sensors wiring and relay logic cabinet do, however, meet the single-failure criterion. Physical separation of instrument lines is provided so that no single instrument rack destruction or single instrument line (pipe) failure can prevent RCIC initiation. Wiring separation between divisions also provides tolerance to single wireway destruction (including shorts, opens, and grounds) in the accident detection portion of the control logic. The single-failure criterion is not applied to the logic relay cabinet or to other equipment required to function for RCIC operation.

7.4.2.1.2.3.1.3 Quality of Components and Modules The components and modules of the RCIC instrumentation and control are of the same high quality as the ECCS systems. The safety-related portion of the RCIC control and instrumentation components and modules is seismically qualified to remain functional following a safe shutdown earthquake (SSE).

7.4.2.1.2.3.1.4 Equipment Qualification (IEEE Std. 279-1971, Paragraph 4.4) Environmental No components of the RCIC control system are required to operate in the drywell environment except the RCIC steamline isolation valve and the RCIC steamline warm up valve.

7.4-35 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

All other equipment for RCIC initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal conditions.

Panels and relay cabinets are located in the control room environment so environmental testing of components mounted in these enclosures is not warranted.

The components in the RCIC control system have demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use.

7.4.2.1.2.3.1.5 Channel Integrity (IEEE Std. 279-1971, Paragraph 4.5)

The RCIC system instrument initiation channels satisfy the channel integrity objective.

7.4.2.1.2.3.1.6 Channel Independence (IEEE Std. 279-1971, Paragraph 4.6)

Channel independence for initiation sensors is provided by electrical and mechanical separation. The A sensors for reactor vessel level, for instance, are located on one local instrument rack identified as division 1 equipment and the B sensors are located on a second instrument rack widely separated from the first and identified as division 2 equipment. The A sensors have a common pair of process taps which are widely separated from the corresponding taps for the B sensors.

Disabling of one or both sensors in one location does not disable the control for RCIC initiation.

7.4.2.1.2.3.1.7 Control and Protection Interaction (IEEE Std.

279-1971, Paragraph 4.7)

The RCIC system has no interaction with plant control systems.

Annunciator circuits using contacts of sensors and logic relays cannot impair the operability of the RCIC system control because of electrical isolation.

7.4.2.1.2.3.1.8 Derivation of System Inputs (IEEE Std. 279-1971, Paragraph 4.8)

The RCIC system uses a direct measure of the need for coolant inventory makeup, e.g., reactor vessel low-water level.

7.4-36 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3.1.9 Capability for Sensor Checks (IEEE Std. 279-1971, Paragraph 4.9)

All sensors are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown.

The reactor vessel level transmitters can be checked for operability by closing the low-side instrument valve and bleeding off a small amount of water through the low-side bleed valves (which are provided for venting the instruments), while observing the scale reading and channel trip indication in the control room, and then reopening the instrument valve.

7.4.2.1.2.3.1.10 Capability for Test and Calibration (IEEE Std.

279-1971, Paragraph 4.10)

The RCIC control system is capable of being completely tested during normal plant operation to verify that each element of the system, whether active or passive, is capable of performing its intended function. Sensors can be exercised by applying test pressures. The RCIC pump can be started and pumped against the system check valves (or return to condensate storage tank through test valves) while the reactor is at pressure. Motor operated valves can be exercised by the appropriate control relays and starters, and all indications and annunciations can be observed as the system is tested.

7.4.2.1.2.3.1.11 Channel Bypass or Removal from Operation (IEEE Std. 279-1971 Paragraph 4.11)

Calibration of a sensor which introduces a single instrument channel trip will not cause a protective function without the coincident trip of a second channel. There are no instrument channel bypasses. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning. Removal of an instrument channel from service during calibration will be brief.

7.4.2.1.2.3.1.12 Operating Bypasses (IEEE Std. 279-1971, Paragraph 4.12)

RCIC operating bypasses are not automatically defeated by initiating signals. This is not a violation of IEEE 279-1971, para. 4.12, because RCIC and HPCS cannot be simultaneously bypassed.

7.4-37 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3.1.13 Indication of Bypasses (IEEE Std. 279-1971, Paragraph 4.13)

Automatic indication of bypasses is provided by individual annunciators to indicate what function of the system is out of service, bypassed or otherwise inoperative. In addition, each of the indicated bypasses also activates a system out-of-service annunciator. Manual system out-of-service switches are provided for operator use for items that are only under supervisory control.

There are several means by which the RCIC system could be deliberately rendered inoperative by plant operating personnel:

a. Manually opening feeder breakers to the motor starter for valves, etc., that are required to function during RCIC operation. Manually opening a breaker for a specific motor will deenergize the control power to the motor starter activating an RCIC out-of-service annunciator. Tagging procedures are also used to indicate out-of-service equipment and are considered an adequate indication of equipment status. Manual opening of breakers is a requirement for safe maintenance of equipment.

b. Manually opening dc control power feeder breakers.

Tripping or opening a dc control power feeder breaker will give both loss of power and RCIC OOSVC indications.

c. Manually shutting off instrument line valves in various specific combinations.

d. Placing of the flow controller from Auto to Manual operation in the control room or adjusting Auto set point to the incorrect position. Manual operation of the flow controller is provided to allow operator intervention should the auto portion of the controller fail. The availability of an auto set point control on the controller is desirable so that the operator can regulate the flow to maintain water level rather than cycling the turbine between the auto trip and start level set points and without going to the Manual mode of operation. The controller is in the control room and therefore under the direct supervision of the control room operator.

All of these items are under supervisory control and are not automatically defeated by RCIC initiation signals.

7.4-38 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The following is a list of trip conditions which can render the RCIC system inoperative:

a. RCIC steam line isolation signal

b. RCIC turbine trip caused by:

(1)RCIC isolation signal (2)RCIC pump suction pressure low (3)RCIC turbine exhaust pressure high (4)Deleted (5)RCIC turbine overspeed These functions are discussed in subsection 7.4.1.1.3.2.

7.4.2.1.2.3.1.14 Access to Means for Bypassing (IEEE Std. 279-1971, Paragraph 4.14)

Access to motor control centers and instrument valves is controlled as discussed in subsection 7.4.2.1.2.3.1.12. Access to other means of bypassing is located in the control room and therefore under the administrative control of the operators.

7.4.2.1.2.3.1.15 Multiple Set Points (IEEE Std. 279-1971, Paragraph 4.15)

This is not applicable because all set points are fixed.

7.4.2.1.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE Std. 279-1971, Paragraph 4.16)

The final control elements for the RCIC system are essentially bistable, i.e., motor-operated valves stay open or closed once they have reached their desired position, even though their starter may drop out. In the case of the gland seal compressor starter, the auto initiation signal is electrically sealed-in.

Thus, once protective action is initiated (i.e., flow established), it must go to completion until terminated by deliberate operator action or automatically stopped on high-vessel-water level or system malfunction trip signals.

7.4-39 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3.1.17 Manual Actuation (IEEE Std. 279-1971, Paragraph 4.17)

Each piece of RCIC actuation equipment required to operate (pumps and valves) is capable of manual initiation from the control room.

Failure of logic circuitry to initiate the RCIC system will not affect the manual control of equipment.

However, failures of active components or control circuits which produce a turbine trip may disable the manual actuation of the RCIC system. Failures of this type are continuously monitored by alarms.

7.4.2.1.2.3.1.18 Access to Set Point Adjustment (IEEE Std. 279-1971, Paragraph 4.18)

Access to set point adjustments and logic cabinets for the RCIC system is under the administrative control of plant operations personnel.

Because of these restrictions, compliance with this requirement of IEEE Std. 279-1971 is considered complete.

7.4.2.1.2.3.1.19 Identification of Protective Actions (IEEE Std.

279-1971, Paragraph 4.19)

Protective actions are directly indicated and identified by annunciator operation and instrument channel trip indicator lights. The combination of annunciation and visible verification is considered to fulfill the requirements of this criterion.

7.4.2.1.2.3.1.20 Information Readout (IEEE Std. 279-1971, Paragraph 4.20)

The RCIC control system is designed to provide the operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the operator. Periodic testing is provided for verifying the operability of the RCIC components and, by proper selection of test periods to be compatible with the historically established reliability of the components tested, complete and timely indications are made available. Sufficient information is provided on a continuous basis so that the operator can have a high degree of confidence that the RCIC function is available and/or operating properly.

7.4-40 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3.1.21 System Repair (IEEE Std. 279-1971, Paragraph 4.21)

The RCIC control system is designed to permit repair or replacement of components. All devices in the system are designed for a 40-year lifetime under the imposed duty cycles. Since this duty cycle is composed mainly of periodic testing rather than operation, lifetime is more a matter of shelf life than active life. However, all components are selected for continuous duty plus thousands of cycles of operation, far beyond that anticipated in actual service.

Recognition and location of a failed component will be accomplished during periodic testing. The simplicity of the logic will make the detection and location relatively easy, and components are mounted in such a way that they can be conveniently replaced in a short time. For example, estimated replacement time for the type relay used is less than 30 minutes. Sensors which are connected to the instrument piping cannot be changed so readily, but they are required to be connected with separable screwed or bolted fittings and electrical connectors are used for ease of removal.

7.4.2.1.2.3.1.22 Identification (IEEE Std. 279-1971, Paragraph 4.22)

All controls and instruments are located in one section of the control room panel and clearly identified by nameplates. Relays are located in one panel for RCIC use only. Relays and panels are identified by nameplates.

7.4.2.1.2.3.2 IEEE Std. 308-1971 The RCIC actuators and logics are powered from division 1 and 2 power. The criteria for the divisional power systems are discussed in detail in Chapter 8.

7.4.2.1.2.3.3 IEEE Std. 317-1972/1983 Conformance to IEEE Std. 317 is discussed in subsection 8.3.1.2.3.g. (Note: IEEE 317-1983 applies only to fiber optic penetration assemblies.)

7.4.2.1.2.3.4 IEEE Std. 323-1971 Specific conformance to requirements of IEEE Std. 323 is covered in Section 3.11.

7.4-41 Revision 2020-009

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3.5 IEEE Std. 336-1971 The post-operation quality assurance program is discussed in Chapter 17.

7.4.2.1.2.3.6 IEEE Std. 338-1971 The RCIC system is fully testable during normal operation in conformance with IEEE Std 338-1971. For further discussions of how the system designs conform, refer to FSAR subsections 7.4.2.1.2.3.1.9 and 7.4.2.1.2.3.1.10.

Operation of each instrument channel is testable from the sensor to trip system output. The pressure sensor may be valved out of service and test pressures applied to the sensor to check operation of the complete instrument channel, sensor to trip unit. The channels monitoring the same variable may be cross compared. A calibration module may be used to test the trip unit of each channel. These tests will not interfere with automatic operation of the system if required by an initiation signal.

Periodic testing is performed in accordance with plant procedures. These procedures establish the administrative control for removing from service only one instrument channel at a time.

Plant procedures establish the frequency schedule and documentation required for the testing. The testing is performed at intervals so that credible failure may be detected and repaired before it would reduce reliability of the system.

7.4.2.1.2.3.7 IEEE Std. 344-1971/1975 The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.4.2.1.2.3.8 IEEE Std. 379-1972 The RCIC system is not single-failure proof by itself, but is functionally redundant to HPCS for safe shutdown. No single failure can prevent both RCIC and HPCS from operating.

7.4-42 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.1.2.3.9 IEEE Std. 384-1974 The RCIC equipment, wiring, and cables are separated into division 1 and division 2 such that no failure in one division will affect the other division. The equipment, wiring, and cables are identified as to their division. Where the redundant divisions come together or where class IE wiring interfaces with non-class IE wiring, Class IE isolation devices are used to assure separation.

7.4.2.2 Standby Liquid Control System (SLCS) Instrumentation and Controls 7.4.2.2.1 General Functional Requirements Conformance Redundant positive displacement pumps, explosive valves, motoroperated valves, and control circuits for the standby liquid control system components have been provided as described in subsection 7.4.1.2. This constitutes all of the active equipment required for injection of the sodium pentaborate solution.

Continuity relays provide monitoring of the explosive valves, and indicator lights provide indication on the reactor core cooling bench board of system status. Testability and redundant power sources are described in subsections 14.2.12.1.3 and 7.4.1.2.2.

Chapter 15 and Appendix 15A examine the system-level qualitative FMEA of the subject system under applicable plant events.

7.4.2.2.2 Conformance to Specific Regulatory Requirements General exceptions and positions taken on the regulatory guides, and the revisions of the guides that are followed, are discussed in Appendix 3A. Specific applications of selected guides to the SLCS are discussed in this subsection.

7.4.2.2.2.1 Conformance to NRC Regulatory Guides 7.4.2.2.2.1.1 Regulatory Guide 1.22 - Periodic Testing of Protection System Actuation Functions SLCS, with the exception of the explosive valves, is capable of testing from initiation to actuated devices during normal operation. In the test mode, demineralized water is circulated in the SLCS loops rather than sodium pentaborate. The explosive 7.4-43 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) valves may be tested when plant is shut down. Otherwise, continuity in the explosive valve initiation circuits is continuously monitored during plant operation.

7.4.2.2.2.1.2 Regulatory Guide 1.29 - Seismic Design Classification The control instrumentation of SLCS is classified as seismic Category I and is qualified to remain functional following an SSE.

7.4.2.2.2.1.3 Regulatory Guide 1.30 - Quality Assurance Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment The post-operation quality assurance program is discussed in Chapter 17.

7.4.2.2.2.1.4 Regulatory Guide 1.32 - Use of IEEE Std 308-1971 Conformance to IEEE 308 as discussed in Section 8.3 is applicable to SLCS control instrumentation.

7.4.2.2.2.1.5 Regulatory Guide 1.47 - Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety System The continuity of the explosive valve circuit is continuously monitored and loss of continuity is annunciated in the control room. The level and temperature of the sodium pentaborate tank are monitored, with the high and low levels and high and low temperature conditions annunciated in the control room. The removal of all other equipment for servicing is administratively controlled.

7.4.2.2.2.1.6 Regulatory Guide 1.53 - Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems The SLCS serves as a back-up to scram. It is not necessary for the SLCS to meet the single-failure criterion. The heating elements, discharge pumps and pump motors, and the explosive valves are redundant so that no single failure in these components will cause or prevent initiation of the SLCS.

7.4-44 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.2.2.1.7 Regulatory Guide 1.62 - Manual Initiation of Protective Action The SLCS may be initiated manually from the control room. The timing associated with the need for SLCS initiation is large compared to ten minutes so that the operator will have sufficient time to initiate SLCS if necessary.

7.4.2.2.2.1.8 Regulatory Guide 1.63 - Electric Penetration Assemblies in Containment Structures for Light-Water-Cooled Nuclear Power Plants Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.4.2.2.2.1.9 Regulatory Guide 1.75 - Physical Independence of Electric Systems Conformance to Regulatory Guide 1.75 is discussed in subsections 8.3.1.4 and 7.1.2.2.

7.4.2.2.2.1.10 Regulatory Guide 1.89 - Qualification of Class IE Equipment for Nuclear Power Plants Conformance to Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.4.2.2.2.2 Conformance to NRC Regulations - 10 CFR 50 Appendix A Requirements 7.4.2.2.2.2.1 General Design Criterion 13 The sodium pentaborate tank temperature and level and explosive valves control circuit continuity are monitored and annunciated.

The sodium pentaborate solution discharge pressure is monitored and displayed in the control room.

7.4-45 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.2.2.2.2 Deleted 7.4.2.2.2.2.3 Deleted 7.4.2.2.2.2.4 Deleted 7.4.2.2.2.2.5 General Design Criterion 26 Two reactivity control systems are employed in accordance with GDC 26. The first is the control rod drive system; the second is the reactor coolant recirculation system. The design also takes credit for the standby liquid control system to provide additional margin for malfunctions which may occur in the control rod drive system such as stuck rods, which would hinder the capability of the control rod drive to render the core subcritical, or keep it subcritical during cooldown.

7.4.2.2.2.2.6 Deleted 7.4.2.2.2.2.7 General Design Criterion 29 The SLCS has redundant actuation and provides capability for testing.

7.4.2.2.2.3 Conformance to Industry Codes and Standards 7.4.2.2.2.3.1 IEEE Std. 279-1971 7.4.2.2.2.3.1.1 General Functional Requirement (IEEE Std. 279-1971, Paragraph 4.1)

The SLCS is manually initiated by operator action. Display instrumentation in the control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status.

7.4.2.2.2.3.1.2 Single-Failure Criterion (IEEE Std. 279-1971, Paragraph 4.2)

SLCS serves as backup to the control rod scram in controlling reactivity. It is not necessary for SLCS to meet the single-failure criterion. However, the heating elements in the sodium pentaborate tank, the discharge pumps and pump motors, the explosive valves, and the storage tank outlet valves are redundant so that no single failure in these components will cause or prevent initiation of the SLCS.

7.4-46 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.2.2.3.1.3 Quality of Components and Modules (IEEE Std. 279-1971, Paragraph 4.3)

The controls and instrumentation of the SLCS are qualified Class IE in accordance with IEEE Std. 323-1971.

7.4.2.2.2.3.1.4 Equipment Qualification (IEEE Std. 279-1971, Paragraph 4.4)

No electrical components of the SLCS are required to operate in the drywell environment.

7.4.2.2.2.3.1.5 Channel Integrity (IEEE Std. 279-1971, Paragraph 4.5)

The SLCS is not required to operate during a design basis accident. It is designed to remain functional following an SSE.

7.4.2.2.2.3.1.6 Channel Independence (IEEE Std. 279-1971, Paragraph 4.6)

There are two channels of control circuits, discharge pumps and motors, and explosive valves. These two channels are independent of each other, so that failure in one channel will not prevent the other from operating.

7.4.2.2.2.3.1.7 Control and Protection Interaction The SLCS has no interaction with plant control systems. It has no function during normal plant operation and it is completely independent of control systems and other safety systems.

7.4.2.2.2.3.1.8 Derivation of System Inputs (IEEE Std. 279-1971, Paragraph 4.8)

Since the SLCS is a manually initiated system, inputs are derived directly from the operator. Display instrumentation in the control room provides the operator with information on reactor vessel water level, pressure, neutron flux level, control rod position and scram valve status. Based on this information, the operator decides whether or not to initiate the SLCS.

7.4-47 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.2.2.3.1.9 Capability of Sensor Checks (IEEE Std. 279-1971, Paragraph 4.9)

The operational availability is checked for by the operator. The sensor checks are made by operator observation of analog indicators, indicating lamps, annunciators and status lights located in the control room and locally at the equipment. Refer to subsections 7.4.1.2.5.2 and 7.4.1.2.5.3 for further clarification.

7.4.2.2.2.3.1.10 Capability for Test and Calibration (IEEE Std.279-1971, Paragraph 4.10)

The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored, and loss of continuity is annunciated in the control room. The remainder of the SLCS may be tested during normal plant operation to verify that each element, passive or active, is capable of performing its intended function. In the test mode, demineralized water instead of sodium pentaborate solution is circulated from and back to the test tank.

7.4.2.2.2.3.1.11 Channel Bypass or Removal from Operation (IEEE Std. 279-1971, Paragraph 4.11)

The discharge pumps and pump motors are redundant, so that one pump may be removed from service during normal plant operation.

7.4.2.2.2.3.1.12 Operating Bypass (IEEE Std. 279-1971, Paragraph 4.12)

The SLCS has no function during normal plant operation.

7.4.2.2.2.3.1.13 Indication of Bypass (IEEE Std. 279-1971, Paragraph 4.13)

Removal of components from service is annunciated in the control room.

7.4.2.2.2.3.1.14 Access to Means for Bypass (IEEE Std. 279-1971, Paragraph 4.14)

Removal of components from service during normal plant operation is under administrative control.

7.4-48 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.2.2.3.1.15 Multiple Set Points (IEEE Std. 279-1971, Paragraph 4.15)

The operation of the SLCS is not dependent on or affected by set points.

7.4.2.2.2.3.1.16 Completion of Protective Action Once it is Initiated (IEEE Std. 279-1971, Paragraph 4.16)

The explosive valves remain open once fired, and the injection valves and discharge pump motors once initiated will not close or stop running unless terminated by operator action.

7.4.2.2.2.3.1.17 Manual Initiation (IEEE Std. 279-1971, Paragraph 4.17)

The SLCS may be manually initiated.

7.4.2.2.2.3.1.18 Access to Set Point Adjustments, Calibration, and Test Points (IEEE Std. 279-1971, Paragraph 4.18)

The operation of the SLCS is not dependent on or affected by any set point adjustment or calibration. The control circuits, discharge pumps, pump motors, and motor-operated valves are accessible for test and service.

7.4.2.2.2.3.1.19 Identification of Protective Actions (IEEE Std.

279-1971, Paragraph 4.19)

The explosive valve status, once fired, is indicated in the control room.

7.4.2.2.2.3.1.20 Information Read-out (IEEE Std. 279-1971, Paragraph 4.20)

The discharge pressure of the sodium pentaborate solution, storage tank level and valve status is indicated in the control room.

7.4.2.2.2.3.1.21 System Repair (IEEE Std. 279-1971, Paragraph 4.21)

The control circuits, pumps and pump motors may be repaired or replaced during normal plant operation.

7.4-49 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.2.2.3.1.22 Identification (IEEE Std. 279-1971, Paragraph 4.22)

All controls and instrumentation are located in one control room panel and are clearly identified by nameplates.

7.4.2.2.2.3.2 IEEE Std. 308-1971 The SLCS loads are physically separated and electrically isolated into redundant load groups so that safety actions provided by redundant counterparts are not compromised.

7.4.2.2.2.3.3 IEEE Std 323-1971 The controls and instrumentation of the SLCS are qualified Class IE. Specific conformance to requirements of IEEE 323 is covered in subsection 3.11.2.

7.4.2.2.2.3.4 IEEE Std. 336-1971 The post-operation quality assurance program is discussed in chapter 17.

7.4.2.2.2.3.5 IEEE Std. 338-1971 The design of the SLCS permits periodic testing of the system from initiation to actuated devices except the explosive valves. The explosive valves control circuit continuity is continuously monitored and loss of continuity is annunciated in the main control room.

7.4.2.2.2.3.6 IEEE Std. 344-1971/1975 The controls and instrumentation of the SLCS are classified as seismic Category I and will remain functional following an SSE.

Qualification and documentation procedures used for seismic Category I equipment is discussed in Section 3.10.

The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

7.4-50 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.3 Residual Heat Removal System - Reactor Shutdown Cooling Subsystem - Instrumentation and Controls 7.4.2.3.1 General Functional Requirements Conformance The design of the RHR reactor shutdown cooling subsystem meets the general functional requirements as follows:

a. Valves Manual controls and position indication are provided in the control room. No single failure in the valves electrical system can result in a loss of capability to perform a safety function.

Interlocks are provided to close the valves if an isolation signal is present or if high reactor pressure exists.

b. Instrumentation Shutdown flow indication is provided. Heat exchanger shutdown cooling water and service water temperatures are provided.

c. Annunciation Annunciators are provided for valve motor overload, heat exchanger cooling water outlet high temperature, heat exchanger inlet high temperature, shutdown suction header high pressure and pump motor overload.

d. Pumps Manual controls and stop and start indicators are provided in the control room. Interlocks are provided to trip the pumps if the shutdown cooling valves are not properly lined up.

Appendix 15A examines the protective sequences relative to the above event and equipment. Chapter 15 considers the operation and the system level qualitative and FMEA aspects of this system.

7.4-51 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.3.2 Conformance with Specific Regulatory Requirements 7.4.2.3.2.1 Conformance with NRC Regulatory Guides General exceptions and positions taken on the regulatory guides, and the revisions of the guides that are followed, are discussed in Appendix 3A. Specific applications of selected guides to the RHR shutdown cooling system are discussed in this subsection.

7.4.2.3.2.1.1 Regulatory Guide 1.6 In accordance with Regulatory Guide 1.6, RHR electric power loads are rigorously divided into Division 1 and Division 2 so that loss of any one group will not prevent the minimum safety functions from being performed. No interconnections exist which can compromise redundant power sources.

7.4.2.3.2.1.2 Regulatory Guide 1.22 Conformance to this regulatory guide is achieved by providing periodic system and component testing, including actuation devices, either during reactor power operation or shutdown.

7.4.2.3.2.1.3 Regulatory Guide 1.29 Instrumentation is classified as seismic Category I and is covered under Section 3.10.

7.4.2.3.2.1.4 Regulatory Guide 1.30 The post-operation quality assurance program is discussed in Chapter 17.

7.4.2.3.2.1.5 Regulatory Guide 1.32 Conformance to Regulatory Guide 1.32 is discussed in Sections 8.2 and 8.3.

7.4.2.3.2.1.6 Regulatory Guide 1.47 Bypassed and inoperable status indication meets the requirements of Regulatory Guide 1.47 as stated in subsection 7.5.2.5.5 and as discussed in subsection 7.5.1.3.

7.4-52 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.3.2.1.7 Regulatory Guide 1.53 Compliance with NRC Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the RHR system so that it meets the single-failure criterion described in Section 4.2 of IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, and IEEE 379-1972, IEEE Trial-Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection System. Separated channels are employed, so that a fault affecting one channel will not prevent the other channel from operating properly. Specifications are provided to define channel separation for wiring not included with General Electric supplied equipment.

Facilities for testing are provided so that the equipment can be operated in various test modes to confirm that it will operate properly when called upon. Testing incorporates all elements of the system under one test mode or another. The testing is planned to be performed at intervals so that there is an extremely low probability of failure in the periods between tests.

7.4.2.3.2.1.8 Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

7.4.2.3.2.1.9 Regulatory Guide 1.75 General Separation Criteria-Section 4.0.

Separation within the shutdown cooling system is such that controls, instrumentation, equipment and wiring are segregated into two separate divisions designated 1 and 2. Control and motive power separation is maintained in the same manner. Separation is provided to maintain the independence of the two divisions of circuitry and equipment so that the protection functions required during and following any design basis event can be accomplished.

a. All redundant equipment and circuits within the shutdown cooling system require divisional separation. All pertinent documents and drawings identify in a distinctive manner separation and safety related status for each redundant division.

7.4-53 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. All redundant circuits and equipment are located within safety class enclosures. Separation is achieved by barriers, isolation devices and/or physical distance. This type of separation between redundant systems assures that a single failure of one system will not affect the operation of the other redundant system.

c. The separation of redundant Class IE circuits and equipment within the shutdown cooling system is such that no physical connections are made between divisions. This separation criterion assures that the failure of equipment of one redundant system cannot disable circuits or equipment essential to the operation of the other redundant system.

d. Associated circuits are in accordance with Class IE circuit requirements up to and including the isolation devices. Associated circuits beyond the isolation devices do not again become associated with Class IE circuits.

Associated circuits within the shutdown cooling system are segregated into the three safety related divisions and meet all separation requirements imposed upon redundant safety-related circuits.

Pertinent documents and drawings identify the associated circuits in a distinctive manner.

e. Separation between Class IE and non-Class IE circuits will meet the same minimum requirements for redundant Class IE circuits or they will be treated as associated circuits.

7.4.2.3.2.1.10 Regulatory Guide 1.89 Conformance to Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.4.2.3.2.1.11 Regulatory Guide 1.106 Conformance to Regulatory Guide 1.106 is discussed in subsection 7.1.2.6.2.1 7.4-54 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.3.2.2 Conformance with NRC Regulations - 10 CFR 50 Appendix A Requirements 7.4.2.3.2.2.1 Deleted 7.4.2.3.2.2.2 General Design Criterion 20 The RHR shutdown cooling system is a manually actuated mode of the RHR system. It is a safe shutdown function only and is not required to operate automatically.

7.4.2.3.2.2.3 General Design Criterion 21 The RHR shutdown cooling system design includes highly reliable components and is testable during reactor operation.

7.4.2.3.2.2.4 General Design Criterion 22 The redundant portions of the RHR shutdown cooling system are independent.

7.4.2.3.2.2.5 General Design Criterion 23 Class IE power supplies are provided to assure that the safe shutdown action can be performed. Because the system function requires that pumps operate, the system is not fail-safe on loss of power.

7.4.2.3.2.2.6 General Design Criterion 24 There are no control system functions which use the shutdown cooling equipment.

7.4.2.3.2.2.7 General Design Criterion 29 The shutdown cooling system function will be performed even in the event of anticipated operational occurrences.

7.4.2.3.2.2.8 General Design Criterion 34 The reactor shutdown cooling system removes residual heat from the reactor when it is shutdown and/or the main steamlines are isolated to maintain the fuel and reactor coolant pressure boundary within design limits. Redundant channels are provided to assure performance, even with a single failure. Onsite and offsite power are provided in the event that either source is not available when shutdown cooling is needed.

7.4-55 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.3.2.3 Conformance With Industry Codes and Standards The only applicable industry codes or standards which apply to the RHR shutdown cooling mode are those considered for the LPCI and containment spray cooling modes described in subsections 7.3.2.1.2.3 and 7.3.2.4.3 respectively.

7.4.2.4 Remote Shutdown System 7.4.2.4.1 General Design Criteria General design criteria established in Appendix A of 10 CFR 50, which are applicable to the Remote Shutdown System are listed in Table 7.1-3. Additional information is provided below.

a. Deleted

b. Deleted

c. Deleted

d. Deleted

e. Deleted

f. Criterion 13 - Instrumentation and Control Instrumentation is provided to monitor necessary variables and systems over their anticipated ranges during a loss of control room habitability occurrence. Appropriate controls are provided to maintain these variables and systems within prescribed operating ranges. These instruments and controls are on the remote shutdown panels and are listed in Tables 7.4-3 and 7.4-4.

g. Criterion 19 - Control Room The control room layout is described in Section 7.5.

Control room isolation is described in subsection 7.3.1.1.10. Plant shutdown from outside the control room is described in subsection 7.4.1.4. For further discussion of Criterion 19 see subsection 7.3.2.10.

h. Criterion 21 - Protection System Reliability and Testability 7.4-56 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Functional reliability of the system is assured by compliance with the requirements of IEEE Standard 279-1971 as described in subsection 7.4.2.4.2.

i. Criterion 22 - Protection System Independence System independence is assured by redundancy and physical and electrical separation in accordance with IEEE Std.

279-1971, Paragraphs 4.2 and 4.6, as described in subsection 7.4.2.4.2.

j. Criterion 23 - Protection System Failure Modes System redundancy and physical and electrical separation assures a safe state of operation. Refer to subsections 7.4.2.4.2.b, 7.4.2.4.2.f, 7.4.2.4.2.g and 7.4.2.4.3.

k. Criterion 24 - Separation of Protection and Control Systems The remote shutdown system is not used for both control and protection. See subsection 7.4.2.4.2, Requirement 4.7.

l. Criterion 29 - Protection Against Anticipated Operational Occurrences The redundancy and physical and electrical separation of the remote shutdown system assures an extremely high probability of accomplishing the safe shutdown function in the event of any operational occurrence.

m. Criterion 34 - Residual Heat Removal System provision is described in subsections 7.4.1.4.3 and 7.4.1.4.5. Single-failure criterion is discussed in subsections 7.4.2.4.2.b and 7.4.2.4.2.f.

7.4.2.4.2 Conformance to IEEE Standard 279-1971 IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, establishes minimum requirements for the reactor protective and engineered safety features instrumentation and control systems. The instrumentation and controls associated with the remote shutdown system are not defined as a protective system in IEEE Standard 279; however, many 7.4-57 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) criteria of IEEE Standard 279 have been incorporated in the design of the instrumentation and controls for the remote shutdown system.

Conformance with the applicable portions of IEEE Standard 279, Section 4, is discussed below:

a. Requirement 4.1 - General Functional Requirement The instrumentation and controls of the remote shutdown system enable the operator to:

1. Determine when a condition monitored by display instrumentation reaches a predetermined level requiring action.

2. Manually accomplish the appropriate safety actions.

b. Requirement 4.2 - Single-Failure Criterion The instrumentation and controls required for remote shutdown are designed and arranged so that no single failure can prevent a safe shutdown. Compliance with the single-failure criterion is accomplished by providing two redundant remote shutdown panels. In the event of a single system failure:

1. Either RHR system is a backup for the other

2. Either SSW system is a backup for the other

3. The controls for power relief valves and display instrumentation are redundant and back up each other.

4. The reactor shutdown cooling system contains two loops. Either loop is sufficient to satisfy the cooling requirements for shutdown cooling. However, both loops share a common suction line with two suction valves in series. In the event that one of the suction valves fails closed and normal shutdown cooling is not available, an alternate shutdown cooling loop may be established. The normal shutdown cooling loop may be bypassed by manually switching to take suction water from the suppression pool and manually opening the safety-relief valve(s) to allow reactor water to flow back to the suppression pool.

7.4-58 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Requirement 4.3 - Quality of Components and Modules The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components required for safe shutdown, and the documentation of quality control, is consistent with the recommendations of Regulatory Guides 1.28 and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4 - Equipment Qualification The instrumentation and controls necessary to achieve remote shutdown are designed to operate in the design ambient conditions in the area in which they are located.

Environmental design and qualification of electrical and instrumentation equipment are discussed in subsection 3.11.1.

e. Requirement 4.5 - Channel Integrity Preoperational testing and inspection are performed to verify that all components and controls of the integrated systems provided for remote shutdown accomplish the intended design function.

Essential instrumentation and controls required to achieve remote shutdown are designated as seismic Category I equipment to ensure functional capability during and following a safe shutdown earthquake (SSE). Seismic qualification and testing are discussed in Section 3.10.

f. Requirement 4.6 - Channel Independence Remote shutdown system channel independence is achieved by redundant panels with electrical and physical separation.

g. Requirement 4.7 - Control and Protection System Interaction 7.4-59 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

This section is not applicable. The remote shutdown system is a manually actuated system and is not automatically initiated by protective action(s).

h. Requirement 4.8 - Derivation of System Inputs The remote shutdown system monitoring signals are direct measures of the desired variables.

i. Requirement 4.9 - Capability for Sensor Checks The remote shutdown system monitoring sensors are checked by perturbing the monitored variable,and by cross-checking between channels.

j. Requirement 4.10 - Capability for Test and Calibration The instrumentation and control components required for remote shutdown, which are not normally in operation, will be periodically tested. Testing of remote shutdown controls can be performed in conjunction with testing of the corresponding ESF systems.

k. Requirement 4.11 - Channel Bypass or Removal from Operation This section is not applicable. See paragraph g, this section.

l. Requirement 4.12 - Operating Bypasses This section is not applicable. See paragraph g, this section.

m. Requirement 4.13 - Indication of Bypasses This section is not applicable. See paragraph g, this section.

n. Requirement 4.14 - Access to Means for Bypassing This section is not applicable. See paragraph g, this section.

o. Requirement 4.15 - Multiple Set Points This section is not applicable. There are no set points.

7.4-60 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

p. Requirement 4.16 - Completion of Protective Action Once It Is Initiated This section is not applicable. See paragraph g, this section.

q. Requirement 4.17 - Manual Initiation The remote shutdown system is manually actuated. No single failure will prevent safe shutdown. System level manual initiation is not applicable.

r. Requirement 4.18 - Access to Set Point Adjustments, Calibration, and Test Points Access to calibration adjustments and test points is under administrative control.

s. Requirement 4.19 - Identification of Protective Actions This section is not applicable. See paragraph g, this section.

t. Requirement 4.20 - Information Read-out Remote shutdown system monitoring instrumentation is listed in Table 7.4-4.

u. Requirement 4.21 - System Repair The remote shutdown system is a manually actuated, "backup" safe shutdown system which is not in use during normal plant operation. Repair or replacement of components can be accomplished in reasonable time when the system is not in use. Outage of system components for replacement or repair will be limited as specified by the Technical Specifications.

v. Requirement 4.22 - Identification Refer to subsection 7.1.2.3 and 8.3.1.3 for a description of the identification system used for safety-related systems.

7.4.2.4.3 Consideration of Selected Plant Contingencies

a. Loss of Instrument Air Systems 7.4-61 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

None of the essential monitoring instrumentation required for safe shutdown is pneumatic. Electrical instrumentation is powered from the Class IE power system. Therefore, the loss of nonseismic Category I instrument air will not degrade instrumentation systems required for safe shutdown of the plant.

b. Loss of Cooling Water to Vital Equipment Cooling water to equipment vital for safe shutdown is provided by the standby service water (SSW) system which has two 100-percent redundant loops. Therefore, the loss of one SSW loop will not stop the supply of cooling water to all vital equipment.

c. Plant Load Rejection, Turbine Trip, and Loss of Offsite Power In event of loss of offsite power associated with plant load rejection or turbine trip, power for remote shutdown is provided by the onsite Class 1E power system. The description and analysis of the emergency power system is discussed fully in Section 8.3. The standby diesel generators provide power for operation of pumps and valves. The station batteries provide dc power for operation of control and instrumentation systems required to actuate and control essential components.

7.4.2.5 Alternate Shutdown System 7.4.2.5.1 10 CFR 50 Appendix R The alternate shutdown system is designed in accordance with design criteria identified in Section III.G and III.L of 10 CFR 50, Appendix R, such that in the event of an exposure fire in a specific area, the plant may be brought to a safe cold shutdown condition. For a postulated fire in the main control room that disables redundant divisions of safe shutdown systems, transfer switches have been provided for circuits on the ESF Division 1 remote and alternate shutdown panels to isolate them from the main control room.

7.4-62 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.4.2.5.2 General Design Criteria General design criteria, established in Appendix A of 10 CFR 50, which are applicable to the alternate shutdown system are listed in Table 7.1-3. Additional information is provided below.

a. Criterion 13 - Instrumentation and Control Instrumentation is provided to monitor necessary variables and systems over their anticipated ranges during a loss of control room habitability due to a control room exposure fire. Appropriate controls are provided to maintain these variables and systems within prescribed operating ranges.

These instruments and controls are on the Division 1 remote shutdown and alternate shutdown panels and are listed in Tables 7.4-3, 7.4-4 and 7.4-6.

b. Criterion 19 - Control Room Plant shutdown from outside the control room is described in 7.4.1.4. Discussions pertaining to additional requirements related to Appendix R criteria are discussed in 7.4.1.5.

c. Criterion 21 - Protection System Reliability and Testability Functional reliability of the system is assured by compliance with the requirements of IEEE Standard 279-1971 as described in subsection 7.4.2.5.3

d. Criterion 29 - Protection Against Anticipated Operational Occurrences The physical and electrical separation/isolation of the alternate shutdown controls and instrumentation from the control room assures an extremely high probability of accomplishing the safe shutdown function in the event of a main control room exposure fire.

e. Criterion 34 - Residual Heat Removal System provision is described in subsections 7.4.1.5.3 and 7.4.1.5.5. As noted in the bases for the alternate shutdown system, the postulated exposure fire in the main control room and any consequences is considered to be the 7.4-63 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) single failure. No other system related failures are postulated in accordance with 10 CFR 50, Appendix R criteria.

7.4.2.5.3 Conformance to IEEE 279-1971 IEEE standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, establishes minimum requirements for the reactor protective and engineered safety features instrumentation and control systems. The instrumentation and controls associated with the alternate shutdown system are not defined as a protective system in IEEE Standard 279; however, many criteria of IEEE Standard 279 have been incorporated in the design of the instrumentation and controls for the alternate shutdown system.

Conformance with the applicable portions of IEEE Standard 279 Section 4, is discussed below:

a. Requirement 4.1 - General Functional Requirement The instrumentation and controls of the alternate shutdown system enable the operator to:

1. Determine when a condition monitored by display instrumentation reaches a predetermined level requiring action.

2. Manually accomplish the appropriate safety actions.

b. Requirement 4.2 - Single Failure Criterion The fire and any resulting consequences is considered to be the single failure. The alternate shutdown system is designed in accordance with 10 CFR 50 Appendix R, Section III.G such that one train of safe shutdown systems will be available in the event of a control room fire.

c. Requirement 4.3 - Quality of Components and Modules The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components required for alternate shutdown, and the documentation of quality control, is consistent with the recommendations of Regulatory Guides 1.28 and 1.38. Refer to Appendix 3A.

7.4-64 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Requirement 4.4 - Equipment Qualification The instrumentation and controls necessary to achieve alternate shutdown are designed to operate in the design ambient conditions in the area in which they are located.

Environmental design and qualification of electrical equipment are discussed in subsection 3.11.1.

e. Requirement 4.5 - Channel Integrity Preoperational testing and inspection are performed to verify that all components and controls of the integrated systems provided for alternate shutdown accomplish the intended design function.

f. Requirement 4.6 - Channel Independence This section is not applicable to alternate shutdown since only one train of safe shutdown systems are required in accordance with Appendix R Criteria.

g. Requirement 4.7 - Control and Protection System This section is not applicable. The alternate shutdown system is a manually activated system and is not automatically initiated by protective action(s).

h. Requirement 4.8 - Derivation of System Inputs The alternate shutdown system monitoring signals are direct measures of the desired variables.

i. Requirement 4.9 - Capability for Sensor Checks The alternate shutdown system monitoring sensors, which are also the Division I remote shutdown monitoring sensors, are checked by pertubating the monitored variable and by cross checking between redundant remote shutdown channels.

j. Requirement 4.10 - Capability for Test and Calibration The instrumentation and control components required for alternate shutdown, which are not normally in operation, will be periodically tested. Testing of alternate shutdown controls can be performed in conjunction with the testing of the corresponding ESF systems.

7.4-65 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

k. Requirement 4.11 - Channel Bypass or Removal from Operation This section is not applicable. See paragraph g, this section.

l. Requirement 4.12 - Operating Bypasses This section is not applicable. See paragraph g, this section.

m. Requirement 4.13 - Indication of Bypasses This section is not applicable. See paragraph g, this section.

n. Requirement 4.14 - Access to Means for Bypassing This section is not applicable. See paragraph g, this section.

o. Requirement 4.15 - Multiple Set Points This section is not applicable. See paragraph g, this section.

p. Requirement 4.16 - Completion of Protective Action once it is Initiated This section is not applicable. See paragraph g, this section.

q. Requirement 4.17 - Manual Initiation The alternate shutdown system is manually actuated. No additional failure beyond the fire and its consequences is postulated. System level manual initiation is not applicable.

r. Requirement 4.18 - Access to Set Point Adjustments, Calibration, and Test Points Access to calibration adjustments and test points is under administrative control.

s. Requirement 4.19 - Identification of Protective Actions 7.4-66 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

This section is not applicable. See paragraph g, this section.

t. Requirement 4.20 - Information Read-out Alternate shutdown system monitoring instrumentation are those items located on the Division 1 remote shutdown panel 1H22-P150 as listed in Table 7.4-4.

u. Requirement 4.21 - System Repair The alternate shutdown system is a manually actuated "backup" safe shutdown system which is not in use during normal plant operation. Repair or replacement of components can be accomplished in reasonable time when the system is not in use. Outage of system components for replacement or repair will be limited as specified by the Technical Specifications.

v. Requirement 4.22 - Identification Refer to subsection 7.1.2.3. and 8.3.1.3 for a description of the identification system used for safety-related systems.

7.4-67 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.4-1: REACTOR CORE ISOLATION COOLING INSTRUMENT SPECIFICATIONS RCIC Function Instrument Range Reactor vessel high water Level 0" to 60" **

level turbine trip transmitter Turbine exhaust high Pressure 0-100 psig pressure transmitter RCIC system pump Pressure 30 in. Hg vac.-

low suction pressure transmitter 0 psig RCIC system pump high Pressure 30 in. Hg vac.-

suction pressure transmitter 85 psig Reactor vessel low water Level -160/0/+60 level* transmitter inches**

RCIC system steam supply Pressure 0-200 psig low pressure*** transmitter Turbine overspeed Centrifugal device RCIC system pump discharge Pressure 0-1500 psig pressure high transmitter Suppression pool level Level 0 to 30 transmitter Condensate storage Level 0-40ft tank level transmitter

• Incident detection circuitry instrumentation.

• • With zero Ref. 533.0" above vessel zero

• • • RCIC steam supply low pressure control function is derived from the Leak Detection System (E31) instrumentation.

7.4-68 Revision 2016-00

TABLE 7.4-2: REACTOR SHUTDOWN COOLING BYPASSES AND INTERLOCKS Reactor Pressure Isolation Valve Valve Function Manual Open Exceeds Shutdown Closure Signal Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Inboard suction isolation Cannot open Cannot open Outboard suction isolation Cannot open Cannot open Reactor injection Cannot open Cannot open Radwaste discharge inboard Can Open Cannot open Radwaste discharge outboard Can Open Cannot close Upper Pool Isolation Can Open Cannot close Valve Function 7.4-69 Auto (A) close or manual (M) close Inboard suction isolation Closes A and M Closes A and M Outboard suction isolation Closes A and M Closes A and M Reactor injection Closes A and M Closes A and M Radwaste discharge inboard Closes M Closes A and M Radwaste discharge outboard Closes M Closes A and M Revision 2016-00 Upper Pool Isolation Closes M Closes A and M

TABLE 7.4-3: CONTROLS ON REMOTE SHUTDOWN PANEL Instrument Number Panel Equipment No. Description lC61 HS M00lA 1H22P150 Q1P41-C001A-A STANDBY SERVICE WATER PUMP A lC61 HS M00lB 1H22P151 Q1P41-C001B-B STANDBY SERVICE WATER PUMP B Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION lC61 HS M002A 1H22P150 Q1P41-F001A-A SSW PUMP A DISCHARGE VALVE lC61 HS M002B 1H22P151 Q1P41-F001B-B SSW PUMP B DISCHARGE VALVE lC61 HS M003A 1H22P150 Q1P41-F007A-A SSW A BASIN TRANSFER VALVE lC61 HS M003B 1H22P151 Q1P41-F007B-B SSW B BASIN TRANSFER VALVE lC61 HS M004A 1H22P150 Q1P41-F006A-A SSW PUMP A RECIRC VALVE lC61 HS M004B 1H22P151 Q1P41-F006B-B SSW PUMP B RECIRC VALVE lC61 HS M007A 1H22P150 Q1P41-F014A-A RHR HX A INLET VALVE lC61 HS M007B 1H22P151 Q1P41-F014B-B RHR HX B INLET VALVE lC61 HS M008A 1H22P150 Q1P41-F068A-A RHR HX A OUTLET VALVE 7.4-70 lC61 HS M008B 1H22P151 Q1P41-F068B-B RHR HX B OUTLET VALVE lC61 HS M009A 1H22P150 Q1P41-F018A-A DSL GEN 11 HT EXCH IN VLV lC61 HS M009B 1H22P151 Q1P41-F018B-B DSL GEN 12 HT EXCH IN VLV lC61 HS M010A 1H22P150 Q1P41-F005A-A SSW A RTN VLV TO CLG TOWER lC61 HS M010B 1H22P151 Q1P41-F005B-B SSW B RTN VLV TO CLG TOWER lC61 HS M0llA 1H22P150 Q1P41-C003A-A SSW A CLG TWR FAN A lC61 HS M0llB 1H22P151 Q1P41-C003C-B SSW B CLG TWR FAN C lC61 HS M012A 1H22P150 Q1P41-C003B-A SSW A CLG TWR FAN B lC61 HS M012B 1H22P151 Q1P41-C003D-B SSW B CLG TWR FAN D Revision 2016-00 lC61 HS Ml00 1H22P150 Q1E51-F031-A SUCT FROM SUPPR POOL VALVE lC61 HS Ml01 1H22P150 Q1E51-F013-A RCIC INJECTION SHUTOFF VALVE lC61 HS Ml04 1H22P150 Q1E51-F010-A SUCT FROM CONDENSATE TANK lC61 HS Ml06 1H22P150 Q1E51-F019-A RCIRC MIN FLOW BYP VALVE lC61 HS Ml07 1H22P150 Q1E51-F022-A RCIC TEST FCV TO COND TANK lC61 HS Ml08 1H22P150 Q1E51-F059-A RCIC TEST RTN TO COND TANK

TABLE 7.4-3: CONTROLS ON REMOTE SHUTDOWN PANEL (Continued)

Instrument Number Panel Equipment No. Description lC61 HS Ml11 1H22P150 Q1E51-F045-A/F095 STEAM TO RCIC TURB & BYPASS VALVE lC61 HS Ml12 1H22P150 Q1E51-C002 RCIC TURB TRIP & THROT VALVE Updated Final Safety Analysis Report (UFSAR) lC61 HS Ml17 1H22P150 Q1E51-F046A RCIC TURBINE CLG WTR VALVE GRAND GULF NUCLEAR GENERATING STATION lC61 HSS Ml21 1H22P150 Q1E51-C002 RCIC TURB LOCAL CONT SEL SW lC61 HS Ml23 1H22P150 Q1E51-C002 RCIC GLAND SEAL CPRSR lC61 HS M200A 1H22P150 Q1E12-C002A-A RHR PUMP A 1C61 HS M200B 1H22P151 Q1E12-C002B-B RHR PUMP B lC61 HS M202A 1H22P150 Q1E12-F004A-A RHR PUMP A SUCTION VALVE lC61 HS M202B 1H22P151 Q1E12-F004B-B RHR PUMP B SUCTION VALVE lC61 HS M203 1H22P151 Q1E12-F009-A SHUTDOWN CLG IB ISO VALVE lC61 HS M204 1H22P150 Q1E12-F008-A SHUTDOWN CLG DB ISO VALVE 7.4-71 lC61 HS M205A 1H22P150 Q1E12-F006A-A SHUTDOWN CLG TO SYS A VALVE lC61 HS M205B 1H22P151 Q1E12-F006B-B SHUTDOWN CLG TO SYS B VALVE lC61 HS M206A 1H22P150 Q1E12-F047A-A RHR HT EXCH A INLET VALVE lC61 HS M206B 1H22P151 Q1E12-F047B-B RHR HT EXCH B INLET VALVE lC61 HS M207A 1H22P150 Q1E12-F003A-A RHR HT EXCH A OUTLET VALVE lC61 HS M207B 1H22P151 Q1E12-F003B-B RHR HT EXCH B OUTLET VALVE lC61 HS M208A 1H22P150 Q1E12-F048A-A RHR HT EXCH A BYPASS VALVE lC61 HS M208B 1H22P151 Q1E12-F048B-B RHR HT EXCH B BYPASS VALVE lC61 HS M209A 1H22P150 Q1E12-F042A-A RHR A INJECTION VALVE 1C61 HS M209B 1H22P151 Q1E12-F042B-B RHR B INJECTION VALVE Revision 2016-00 lC61 HS M210A 1H22P150 Q1E12-F042A-A RHR A INJECTION DISABLE lC61 HS M2l0B 1H22Pl51 Q1E12-F042B-B RHR B INJECTION DISABLE lC6l HS M21lA 1H22P150 Q1E12-F027A-A RHR A INJECTION VALVE lC61 HS M211B 1H22P151 Q1E12-F027B-B RHR B INJECTION VALVE lC61 HS M215A 1H22P150 Q1E12-F053A-A SHUTDOWN CLG INJECTION VALVE

TABLE 7.4-3: CONTROLS ON REMOTE SHUTDOWN PANEL (Continued)

Instrument Number Panel Equipment No. Description lC61 HS M215B 1H22P151 Q1E12-F053B-B SHUTDOWN CLG INJECTION VALVE lC61 HS M222A 1H22P150 Q1E12-F024A-A RHR A TEST LINE VALVE Updated Final Safety Analysis Report (UFSAR) lC61 HS M222B 1H22P151 Q1E12-F024B-B RHR B TEST LINE VALVE GRAND GULF NUCLEAR GENERATING STATION lC61 HS M23lA 1H22P150 Q1E12-F011A-A RHR HX A FLOW TO SUPPR POOL lC61 HS M231B 1H22P151 Q1E12-F011B-B RHR HX B FLOW TO SUPPR POOL 1C61 HS M235 1H22P151 Q1E12-F049-B RHR DISCHARGE TO RADWASTE lC61 HS M236 1H22P150 Q1E12-F040-A RHR DISCHARGE TO RADWASTE lC61 HS M240 1H22P151 Q1E12-F094-B SERVICE WATER BYPASS VALVE lC61 HS M241 1H22P151 Q1E12-F096-B SERVICE WATER BYPASS VALVE lC61 HSS M252A 1H22P150 Q1E12-F004A-A RHR PUMP A SUCT VALVE XFR SW 1C61 HSS M252B 1H22P151 Q1E12-F004B-B RHR PUMP B SUCT VALVE XFR SW 7.4-72 lC61 HSS M255A 1H22P150 Q1E12-F006A-A SHUTDOWN CLG VLV TRANSFER SW lC61 HSS M255B 1H22P151 Q1E12-F006B-B SHUTDOWN CLG VLV TRANSFER SW lC61 HSS M256A 1H22P150 Q1E12-F047A-A RHR HX A IN VLV XFR SW lC61 HSS M256B 1H22P151 Q1E12-F047B-B RHR HX B IN VLV XFR SW lC61 HS M260A 1H22P150 Q1E12-F008-A SHUTDOWN CLG ISOL VLV RESET SW, DIV 1 lC61 HS M260A 1H22P150 Q1E12-F023-A SHUTDOWN CLG ISOL VLV RESET SW, DIV 1 lC61 HS M260A 1H22P150 Q1E12-F037A-A SHUTDOWN CLG ISOL VLV RESET SW, DIV 1 lC61 HS M260A 1H22P150 Q1E12-F040-A SHUTDOWN CLG ISOL VLV RESET SW, DIV 1 lC61 HS M260B 1H22P151 Q1E12-F009-B SHUTDOWN CLG ISOL VLV RESET SW, DIV 2 lC61 HS M260B 1H22P151 Q1E12-F394 SHUTDOWN CLG ISOL VLV RESET SW, DIV 2 Revision 2016-00 lC61 HS M260B 1H22P151 Q1E12-F037B-B SHUTDOWN CLG ISOL VLV RESET SW, DIV 2 lC61 HS M260B 1H22P151 Q1E12-F049-B SHUTDOWN CLG ISOL VLV RESET SW, DIV 2 lC61 HSS M290 1H22P151 Q1E12-F094-B SERV WTR BYP VALVE XFR SW lC61 HSS M291 1H22P151 Q1E12-F096-B SERV WTR BYP VALVE XFR SW 1C61 HS M301A 1H22P150 N1C11-C001A-A CRD PUMP A

TABLE 7.4-3: CONTROLS ON REMOTE SHUTDOWN PANEL (Continued)

Instrument Number Panel Equipment No. Description 1C61 HS M301B 1H22P151 N1C11-C001B-B CRD PUMP B 1C61 HS M400B 1H22P150 Q1B21-F051A SAFETY/RELIEF VALVE F051A Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION 1C61 HS M400C 1H22P150 Q1B21-F051B SAFETY/RELIEF VALVE F051B 1C61 HS M400D 1H22P150 Q1B21-F051D SAFETY/RELIEF VALVE F051D 1C61 HS M401B 1H22P151 Q1B21-F051A SAFETY/RELIEF VALVE F051A 1C61 HS M401C 1H22P151 Q1B21-F051B SAFETY/RELIEF VALVE F051B 1C61 HS M401D 1H22P151 Q1B21-F051D SAFETY/RELIEF VALVE F051D 1C61 FK R100 1H22P150 Q1E51-C002R CIC TURB FLOW CONTROLLER 1C61 HS M400E 1H22P150 Q1B21-F047D SAFETY/RELIEF VALVE F047D 1C61 HS M400F 1H22P150 Q1B21-F047G SAFETY/RELIEF VALVE F047G 1C61 HS M400G 1H22P150 Q1B21-F051F SAFETY/RELIEF VALVE F051F 7.4-73 1C61 HS M401E 1H22P151 Q1B21-F047D SAFETY/RELIEF VALVE F047D 1C61 HS M401F 1H22P151 Q1B21-F047G SAFETY/RELIEF VALVE F047G 1C61 HS M401G 1H22P151 Q1B21-F051F SAFETY/RELIEF VALVE F051F 1C61 HS M302A 1H22P150 N1C11-C001A-A CRD AUX LUBE OIL PUMP A 1C61 HS M302B 1H22P151 N1C11-C001B-B CRD AUX LUBE OIL PUMP B Revision 2016-00

TABLE 7.4-4: REMOTE SHUTDOWN PANEL DISPLAY INSTRUMENTATION

1. of Parameter Measured Channels Range Type Panel No Instrument No SSW SYSTEM A FLOW 1 0-15000 GPM Meter 1H22P150 1C61 FI R001A Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION SSW SYSTEM B FLOW 1 0-15000 GPM Meter 1H22P151 1C61 FI R001B RCIC TURB SPEED 1 0-6000 RPM Meter 1H22P150 1C61 SI R101 CONDENSATE STOR TANK LEVEL 1 0-40 FT Meter 1H22P150 1C61 LI R102 RCIC TURB TRIPPED 1 - Light 1H22P150 1C61 ZL R103 TURB HP BRG OIL TEMP HIGH 1 - Light 1H22P150 1C61 TL R104 TURB LP BRG OIL TEMP HIGH 1 - Light 1H22P150 1C61 TL R105 TURB BRG OIL PRESS LOW 1 - Light 1H22P150 1C61 PL R106 7.4-74 TURB LUBE OIL TEMP HIGH 1 - Light 1H22P150 1C61 TL R107 RHR SYSTEM A FLOW 1 0-10000 GPM Meter 1H22P150 1C61 FI R200A RHR SYSTEM B FLOW 1 0-10000 GPM Meter 1H22P151 1C61 FI R200B SHUTDOWN CLG MANUAL SUCT 1 - Light 1H22P151 1C61 ZL R201 VLV (E12-F010)

REACTOR VESSEL LEVEL 2 -160/0/+140 IN Meter 1H22P150 1C61 LI R400A 1H22P151 1C61 LI R400B Revision 2016-00 REACTOR VESSEL PRESS 2 0-1500 psig Meter 1H22P150 1C61 PI R401A 1H22P151 1C61 PI R401B SUPPRESSION POOL LEVEL 2 10.5-25.5 FT Meter 1H22P150 1C61 LI R402A 1H22P151 1C61 LI R402B

TABLE 7.4-4: REMOTE SHUTDOWN PANEL DISPLAY INSTRUMENTATION

1. of Parameter Measured Channels Range Type Panel No Instrument No SUPPRESSION POOL TEMP 2 30-230F Meter 1H22P150 1C61 TI R403A Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION 1H22P151 1C61 TI R403B TRANSFER SWITCH STATUS 1 -- Light 1H22P150 1C61 ZL R300 (TRANSFER PNL PWR AVAILABLE)

TRANSFER SWITCH STATUS 1 -- Light 1H22P150 1C61 ZL R301 (TRANSFER PANEL CONTROL ROOM ISOLATION 7.4-75 Revision 2016-00

AUXILIARY SUPPORTING SYTEMS Heating, Ventilating, and Air Conditioning Systems Standby Service Water System Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION ESF Electrical Switchgear Diesel Generator Systems Diesel Generator Building Safeguard Switchgear and TABLE 7.4-5: AUXILIARY Standby Power Systems Standby Service Water SUPPORTING SYSTEMS REQUIREMENTS Rooms ECCS Pump Rooms Pumphouse Battery Rooms 7.4-76 Systems Required for Safe Shutdown Reactor core isolation cooling DC system Standby liquid control system X X X X X X X RHRS - Reactor shutdown cooling X X X X X X X X system Revision 2016-00 Remote shutdown system X X X X X X X X Referenced subsection for 7.3.1.1.7 8.3.1.1 9.5.4 9.4.5 9.4.5 9.4.5 9.4.5 9.4.5 description of auxiliary 8.3.1.2 9.5.5 supporting systems 9.5.6 9.5.7 9.5.8

TABLE 7.4-6: CONTROLS ON APPENDIX R - ALTERNATE SAFE SHUTDOWN PANELS TRANSFER/ISOLATION INSTRUMENT NO. INSTRUMENT NO. PANEL EQUIPMENT NO. DESCRIPTION lC61-HS-M550 lC61-HSS-M500 1H22-P295 Q1B21F019-A NSSSS MAIN STEAM LINE DRAIN OTBD ISOL. VALVE Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION lC61-HS-M551 lC61-HSS-M500 1H22-P295 01B33F020-A NSSSS REACTOR WATER SAMPLE LINE OTBD ISOL. VALVE lC61-HS-M552 1C61-HSS-M500 1H22-P295 QlG33F034-A NSSSS RWCU OTBD ISOJ,. VALVE lC61-HS-M553 1C61-HSS-M501 1H22-P295 QlE12F028A-A RHR CONTAINMENT SPRAY VALVE

---

lC61-HSS-MS01 1H22-P295 QlE12F037A-A RHR SHUTDOWN COOLING UPPER POOL VALVE

---

lC61-HSS-M501 lH32-P295 QlE12F073A-A RFR HT EXCH A VENT VALVE

---

lC61-HSS-M501 lH22-P295 Q1E12SVF075A RHR SAMPLE LINE VALVE lC61-HS-M554 lC61-HSS-M502 lH22-P295 QlE12F064A-A RHR PUMP MINIMUM FLOW VALVE 7.4-77 lC61-HS-M555 lC61-HSS-M502 1H22-P295 QlE12F082A-A RHR JOCKEY PUMP ISOLATION VALVE

---

lC61-HSS-M502 1H22-P295 QlE12F290A-A FEEDWATER LEAKAGE BLOCK FLOW VALVE lC61-HS-M556 lC61-HSS-M503 lH22-P295 QlT46BOOlA-A ESF ELECTRICAL SWGR RM COOLER

---

lC61-HSS-M503 lH22-P295 QlP41F121A-A SSW SYS RHR HT EXCH A IN VENT VALVE

---

lC61-HSS-M504 lH22-P296 15BAl (52-15101) 4ROV INCOMING FDR BREAKER

---

1C61-HSS-M504 lH22-P296 15BA3 (52-15301) 480V INCOMING FDR BREAKER

---

1C61-HSS-M505 lH22-P296 Q1P41F241-A ESF SWGR RM COOLER ISOL FROM FSW VALVE lC61-HS-M558 1C61-HSS-M506 1H22-P296 QlT46B002A-A ESF ELECTRICAL SWGR RM COOLER Revision 2016-00 lC61-HS-M557 1C61-HSS-M506 lH22-P296 QlT51B003-A RHR PUMP RM A COOLER

---

lC61-HSS-M507 1H22-P296 QlP41F237-A SSW INLET TO ESF RM COOLERS A

---

1C61-HSS-M507 1H22-P296 QlP41F238-A SSW OUTLET TO ESF RM COOLERS A lC61-HS-M559 lC61-HSS-M508 lH22-P296 QlX77COOlA-A DIESEL GEN RM OUTSIDE AIR FAN

---

lC61-HSS-M508 lH22-P296 QlX77FOOlA-A DIESEL GEN RM OUTSIDE AIR DAMPERS lC61-HS-M563 lC61-ASS-M510 lH22-P298 15BA2 (52-15201) 480V INCOMING FDR BREAKER lC61-HS-M564 lC61-HSS-M511 lH22-P298 QlT46B004A-A ESF ELECTRICAL SWGR RM COOLERS

TABLE 7.4-6: CONTROLS ON APPENDIX R - ALTERNATE SAFE SHUTDOWN PANELS (Continued)

TRANSFER/ISOLATION INSTRUMENT NO. INSTRUMENT NO. PANEL EQUIPMENT NO. DESCRIPTION

---

lC61-HSS-M511 lH22-P298 QlZ77BOOlA-A SFGD SWGR & BATT RM ATR HANDLING UNIT

---

lC61-HSS-M511 lH22-P298 QlZ77F034A-A SFGD SWGR & BATT RM HVAC EQUIP RM Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION SUPPLY DAMPER

---

lC61-HSS-M512 1H22-P299 15AA 1152-1511) 4.16KV INCOMING BREAKER-ESF XFMR NO.

12 lC61-HS-M565 lC61-HSS-M513 1H22-P299 15AA (152-1507) 4.16KV FDR BREAKER FOR 15BA1 & 15BA3 lC61-HS-M566 lC61-HSS-M513 lH22-P299 15AA (152-1513) 4.16KV FDR BREAKER FOR 15BA2 & 15BA4

---

1C61-HSS-M514 lH22-P299 15AA (152-1501) 4.16KV INCOMING BREAKER-ESF XFMR NO.

21

---

lC61-HSS-M514 lH22-P299 15AA (152-1514) 4.16KV INCOMING BREAKER-ESF XFMR NO.

11 lC61-HS-M568 lC61-HSS-M515 lH22-P299 15AA (152-1504) 4.16KV FDR BREAKER FOR 15BA5 7.4-78 lC61-HS-M567 lC61-HSS-M515 lH22-P299 15AA (152-1513) 4.16KV FDR BREAKER FOR 15BA6

---

lC61-HSS-M516 lH22-P299 15AA (152-1508) 4.16KV DIESEL GFN BREAKER 1C61-HS-569 lC61-HSS-M517 lH22-P299 15BA5 (52-15503) 480V INCOMING FDR BREAKER

---

1C61-HSS-M517 lH22-P299 15BA6 (52-15601) 480V INCOMING FDR BREAKER lC61-HS-M570 lC61-HSS-M518 1H22-P299 Q1P41F016A-A SSW SYS A BLOWDOWN TO DISCHARGE BASIN VALVE lC61-HS-M571 lC61-HSS-M519 1H22-P299 Q1Z77COOIA-A SFGD SWGR & RATT RM EXHAUST FAN

---

lC61-HSS-M519 lH22-P299 Q1Z77F036A-A SFGD SWGR & BATT RM EXHAUST DAMPER

---

1~6l-H~~-~519 1H22-P299 Q1Z77F001A SFGD SWGR & BATT RM HVAC DAMPER Revision 2016-00

---

lC61-HSS-M519 1H22-P299 QlZ77F002A SFGD SWGR & BATT RM HVAC DAMPER

---

lC61-HSS-M519 1H22-P299 QlZ77F003A SFGD SWCR & BATT RM HVAC DAMPER

---

lC61-HSS-M519 1H22-P299 QlZ77F035A SFGD SWGR & BATT RM HVAC DAMPER

---

lC61-HSS-M519 1H22-P299 Q2Z77FOOlA SFGD SWGR & BATT RM HVAC DAMPER

---

lC63-HSS-M519 1H22-P299 Q2277F002A SFGD SWGR & BATT RM HVAC DAMPER

---

lC61-HSS-M519 1H22-P299 Q2Z77F003A SFGD SWGR & FATT FM HVAC DAMPER

TABLE 7.4-6: CONTROLS ON APPENDIX R - ALTERNATE SAFE SHUTDOWN PANELS (Continued)

TRANSFER/ISOLATION INSTRUMENT NO. INSTRUMENT NO. PANEL EQUIPMENT NO. DESCRIPTION

---

lC61-HSS-M519 1H22-P299 Q2Z77F035A SFGD SWGR & BATT RM HVAC DAMPER lC61-HS-M572 lC61-HSS-M520 1H22-P299 QlY47COOlA-A SSW PUMP HSE OUTSIDE AIR FAN Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION

---

lC61-HSS-M520 1H22-P299 QlY47FOOlA-A SSW PUMP HSE EXHAUST DAMPER

---

lC61-HSS-M520 1H22-P299 QlY47F002A-A SSW PUMP FSE INTAKE DAMPER

---

lC61-HSS-M520 1H22-P299 Q1Y47F003A-A SSW PUMP HSE RETURN DAMPER 7.4-79 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5.1 Description This section describes the instrumentation which provides information to the operator to enable him to perform required safety functions. Table 7.5-1 is a listing of all safety related display instrumentation. This instrumentation provides required operator information for normal, upset and accident conditions as well as accident mitigation system performance information.

Table 7.5-2 is a listing of instrumentation required to monitor the course of accidents for compliance to Regulatory Guide 1.97, Rev. 2. The safety related components of Table 7.5-2 are repeated in Table 7.5-1 for clarity.

The elementary and loop diagrams illustrate separation of redundant display instrumentation and electrical isolation of redundant sensors and channels. The P&IDs, IEDs, FCDs, and elementary diagrams illustrate the redundancy of monitored variables and component sensors and channels. Figures 7.5-1 through 7.5-4 illustrate physical separation of redundant display instrumentation located on panels in the control room. The means for identifying redundant elements of the SRDI is described in subsections 7.1.2.3 and 8.3.1.3. Where redundancy is provided for Reg. Guide 1.97 variables, it is so indicated in Table 7.5-2.

7.5.1.1 Design Bases 7.5.1.1.1 Normal Operation The information channel ranges and indicators were selected on the basis of giving the operator the necessary information to perform all the normal plant startup, steady state maneuvers, and to be able to track all the process variables pertinent to safety during expected operational perturbations.

7.5.1.1.2 Abnormal Transient Occurrences The ranges of indicators and recorders provided cover the extremes of process variables and provide adequate information to the operator for all abnormal transient events.

7.5-1 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.1.3 Accident Conditions Accidents may cause large parameter excursions. Information readouts are designed to accommodate all credible accidents from the standpoint of operator action, information, event tracking requirements, and accident mitigation equipment performance providing assurance that all other credible events or incidents requirements will be covered.

7.5.1.1.3.1 Initial Accident Event

[HISTORICAL INFORMATION] [The design basis of all engineered safety features to mitigate the accident event condition takes into consideration that no operator action or assistance is assumed for the first ten minutes of the event. This requirement makes it mandatory that all protective action necessary in the first ten minutes be "automatic." Therefore, although continuous tracking of process variables may be available, no operator action based on them is required during this interval.]

7.5.1.1.3.2 Post-Accident Monitoring No operator action (and, therefore, post-accident information) is required for at least ten minutes following an accident although the various monitoring devices may be continuously tracking and indicating important parameter information and displaying it to the operator as well as recording appropriate data.

The worst-case transient or accident for each parameter considered serves as the envelope sequence event to provide and demonstrate the plant's post-accident monitoring capabilities.

All other transients and accidents have less severe and less limiting monitoring requirements.

The specific regulatory requirements applicable to SRDI are cited in Table 7.1-3.

7.5.1.1.4 Safe Shutdown Instrumentation is available to provide the operator with adequate information to maintain the plant safely in a shutdown condition during all design basis events.

7.5-2 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.1.5 System Operation Information-Display Equipment Qualification The safety-related display instrumentation sensors, modules, cabling, and display equipment are of the same high quality as the safety system's instrumentation. The environmental and seismic qualification of the sensors and modules is discussed in Sections 3.10 and 3.11. The post-accident monitoring display instrumentation is of a quality consistent with the requirements of Regulatory Guide 1.97, Rev. 2, except where specific exceptions are noted in Table 7.5-2 or general exceptions noted in Appendix 3A.

Redundant elements (such as cables, cable tray components, modules, and interconnecting wiring) are identified according to the requirements of IEEE 384-1974.

7.5.1.1.6 Instrument Accuracies Instrument accuracies will be controlled as a part of the Grand Gulf specific Instrumentation and Setpoint Control Program.

This program considers the effects of the expanded ranges and environmental conditions for design bases accidents and ensures that instrument accuracies are appropriate for the required normal operating, abnormal, or accident conditions.

7.5.1.2 System Description 7.5.1.2.1 Reactor Shutdown Operator verification that reactor shutdown has occurred may be made by observing one or more of the following indications:

a. Control rod status lamps indicating each rod fully inserted. The power source is the non-Class 1E UPS (see Table 7.5-1).

b. Control rod scram valve status lamps indicating open valves. The power source is the non-Class 1E UPS (see Table 7.5-1).

c. Neutron monitoring power range channels and recorders downscale. The power sources are described in Table 7.5-2.

7.5-3 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Annunciators for the reactor protection system variables and trip logic in the tripped state. The power source is dc from a plant battery.

7.5.1.2.2 Reactor Coolant (Nuclear Boiler) System 7.5.1.2.2.1 Reactor Water Level Two wide range water level signals are transmitted from two independent differential pressure transmitters and are recorded on two recorders which are operable before and after a Safe Shutdown Earthquake (SSE). One input provides the wide range level and the other the reactor pressure on each of the two recorders. Two shutdown range water level signals (which share a reference leg, drywell sensing lines and drywell penetration) and two fuel zone water level signals are transmitted from four differential pressure transmitters and are recorded on two recorders.

The fuel zone differential pressure transmitters are connected to the variable leg of the narrow range differential pressure transmitters on one side, with the other side connected to a vessel nozzle at the jet pump diffuser skirt.

The shut-down range differential pressure transmitters have one side connected to a condensing chamber reference leg and the other side connected to a vessel nozzle for the variable leg. The water level system is uncompensated for variation in reactor water density. During reactor power operation, the reference legs are continuously backfilled to preclude the effects of noncondensible gas accumulation. The wide range level system is calibrated to be most accurate at operational pressure and temperature conditions.

The fuel zone and shutdown range water level systems are calibrated for water density conditions which are expected to occur during accident or shutdown conditions. These instruments do not provide accurate indications during normal reactor operation, and are only used for plant shutdown, startup or accident monitoring. The range of the recorded level is from the top of the feedwater control range (just above the high level turbine trip point) down to the bottom of the core support plate.

The power sources for the two channels of wide range instruments are the two instrument ac buses feeding from the two standby ac buses. The fuel zone and shutdown range channels are powered from Class 1E, UPS power sources.

7.5-4 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.2.2.2 Reactor Pressure Two reactor pressure signals are transmitted from two independent pressure transmitters and are recorded on the wide range recorders discussed in 7.5.1.2.2.1 above. The range of recorded pressure is from 0 to 1500 psig. Power sources for the two channels are from two independent 120 Vac ESF uninterruptible power sources.

7.5.1.2.2.3 Reactor Isolation The reactor operator may verify reactor isolation by observing one or more of the following indications:

a. Isolation valve position lamps indicating valve closure.

See Figure 7.5-2. The power source is the same as for the associated valve motor-operator.

b. Main steam line flow indication downscale. See Figure 7.5-

1. The power source is instrument ac from one of the standby ac buses.

7.5.1.2.3 Containment and Drywell 7.5.1.2.3.1 Containment and Drywell Pressure Two wide-range containment pressure signals, two narrow-range containment pressure signals, and two wide-range drywell pressure signals are transmitted from six separate pressure transmitters and are continuously recorded and displayed on two recorders in the control room. One input provides the wide-range containment pressure, one the narrow-range containment pressure, and one the wide-range drywell pressure on each of the two independent recorders. All six inputs record simultaneously, thus providing a constant indication of the full range of pressure monitoring. The containment and drywell pressure indication is exclusively for operator information and does not perform a control function. The total response time for these pressure monitoring systems is on the order of 1.2 seconds, which is adequate to detect and record any significant pressure impulses. The accuracy of the recorder is sufficient to provide the operator with an adequate indication of drywell and containment pressure. The power sources for the two channels each of containment and drywell pressure are from the two ESF dc buses through two independent inverters. The containment and drywell pressure monitoring instrumentation is shown in Figure 7.5-5.

7.5-5 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.2.3.2 Containment and Drywell Temperature Containment and drywell air temperatures are monitored at 32 locations in all quadrants and at various elevations as shown in Figure 7.5-5. These temperatures are recorded on multi- input recorders in the control room. The temperature instrumentation is divided into two separate and independent groups. The power sources for the two groups of drywell and containment temperature instrumentation are the two Class 1E UPS panels and two ESF busses, respectively.

7.5.1.2.3.3 Suppression Pool Level Two wide-range and two narrow-range suppression pool level signals are transmitted from four separate differential pressure transmitters and are continuously recorded on two recorders in the control room. One input provides the wide-range level, and the other the narrow-range level on each of the two independent recorders. The wide-range water level indicators monitor the suppression pool level from the centerline of the ECCS suction lines to above the top of the weir wall. This range provides adequate information to the operator to assess the status of this water supply to ECC systems. The system accuracy is sufficient to provide the operator with an adequate indication of containment water level. The power sources for the two channels each of narrow- and wide-range suppression pool level are from the two ESF dc buses through two independent inverters.

7.5.1.2.3.4 Suppression Pool Temperature The suppression pool temperature monitoring system is provided so that trends in suppression pool temperature may be established in sufficient time for appropriate action to be taken to prevent steam quenching vibrations in the suppression pool.

Twenty-four temperature sensors are arranged in six groups of four independent and redundant channels each, located such that there is a group of sensors within 30 feet (line of sight) of each relief valve discharge location. Each of the six groups is made up of one sensor from each channel. Each group of four sensors includes two sensors for normal suppression pool temperature monitoring and two sensors for post-LOCA monitoring. The outputs of the post-LOCA sensors are recorded on four independent and redundant (channels A and C are redundant to channels B and D, respectively) recorders in the control room. This arrangement is shown in Figure 7.5-6. The system is powered from the 125V DC 7.5-6 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Class 1E ESF supply system described in Section 8.3.2. During normal operation, the power source is the ESF load centers backed by 125V ESF DC batteries.

The temperature sensors are located on the outside of the drywell wall below the minimum suppression pool water level. They and their supports will withstand pool dynamic forces and operate in a post-LOCA environment. The sensors for normal suppression pool temperature monitoring are located no more than 12 inches below the minimum water level allowed by the Technical Specification.

The sensors for post-LOCA monitoring are located no more than 12 inches below the minimum water level encountered during a LOCA.

The suppression pool temperature monitoring system consists of type T (copper-constantan) thermocouple temperature sensors, control room mounted temperature transmitters, alarm units, and recorders.

The suppression pool temperature monitoring system uses a trip unit/calibration system as described in subsection 7.1.3. Use of this system facilitates inservice testing and calibration, provides the means to bypass individual thermocouples, and includes failure and alarm indicating lights to inform the operator of system status. The accuracy of the recorders is sufficient to provide the operator with an adequate indication of suppression pool temperature conditions.

7.5.1.2.3.5 Containment and Drywell Isolation The reactor operator may verify containment and drywell isolation by observing the following indication:

a. Isolation valve position lamps indicating valve closure.

See Figures 7.5-2 and 7.5-3. The power sources are the same as for the associated valve motor-operators or solenoid pilot valves, except for the MSIVs. The MSIV position lamps are powered from a Class 1E uninterruptible power source.

7.5.1.2.3.6 In-Containment Area Radiation Two high-range containment radiation signals and two high-range drywell radiation signals are transmitted from four separate radiation detectors to two control room monitors, two upper cable spreading room monitors, and two recorders. One input provides containment radiation and one drywell radiation on each of the two 7.5-7 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) independent recorders. Two radiation detectors are located at opposite sides of the containment, and two detectors are located at opposite sides of the drywell. All detectors are accessible for maintenance, removal for calibration, or replacement, when entry to those areas is permissible. The monitors are qualified to function under a loss-of-coolant accident condition over a range of 1 to 10^7 R/hr. The energy dependence of the system is 60 KeV to 3 MeV photons with +/-20 percent accuracy for photons of 0.1 to 3.0 MeV. The power sources for the four channels are fed from two separate ESF UPS power supplies.

7.5.1.2.3.7 Suppression Pool Level Accident Range The suppression pool level accident range is monitored by two water level monitoring channels (one per division) which measure a level range from 20 to 35 ft. in containment (113 to 128 ft.

elev.). Each channel of instrumentation consists of a continuous level probe located in the containment, a level transmitter located in the control building and a level indicator located in the control room. The power sources for the two channels are Class 1E power from 120VAC MCC distribution panels.

7.5.1.2.3.8 Containment Water Level Accident Range The containment water level accident range is monitored by two water level monitoring channels (one per division) which measure a level range from 60 to 75 ft. in containment (153 to 168 ft.

elev.). Each channel of instrumentation consists of a continuous level probe located in the containment, a level transmitter located in the control building and a level indicator located in the control room. The power sources for the two channels are Class 1E power from 120VAC MCC distribution panels.

7.5.1.2.4 Emergency Core Cooling Systems/RCIC Operation of the emergency core cooling and the RCIC system following an accident may be verified by observing the following indications:

a. Flow and pressure indications for each emergency core cooling system are provided and are operable before and after a safe shutdown earthquake (SSE). See Figure 7.5-2.

The power sources are independent and from the same standby buses as the driven equipment.

7.5-8 LBDCR 2020-014

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. RCIC Two meters, one displaying RCIC discharge flow rate and one displaying RCIC pump discharge pressure, are located in the control room.

2. HPCS Two meters, one displaying HPCS discharge flow rate and one displaying HPCS pump discharge pressure, are located in the control room.

3. LPCS One meter displaying LPCS flow rate is located in the control room.

4. RHR One meter displaying RHR flow rate for each of the three RHR loops, and one meter displaying RHR service water flow rate for each of the two service water loops, are located in the control room. RHR heat exchanger outlet temperature is also displayed on a multipoint recorder located in the control room. One pen records the A Train heat exchanger outlet temperature, while the other pen records the B Train temperature. System valve position indication lights allow the operator to determine in which mode (RHR, LPCI, or containment spray) the RHR pumps are operating.

5. LPCI/Containment Spray The RHR flow meters discussed above also provide the operator with indication of containment spray flow or low pressure coolant injection flow (RHR A & B only).

Indirect and diverse methods are available to confirm LPCI or containment spray operation (e.g.,

containment pressure and temperature to verify containment spray operation and RPV level and pressure to evaluate LPCI performance).

7.5-9 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. RCIC isolation valve position indicating open valves. See Figure 7.5-2. The power source is from the same bus as the valve motive power.

c. Injection valve position lights indicating either open or closed valves. See Figure 7.5-2. The power source is the same as the valve motor.

d. ADS/relief valve initiation circuit status by open or closed indicator lamps. See Figure 7.5-2. The power source is the same as for the pilot solenoid.

e. ADS/relief valve position may be inferred from reactor pressure indications. See Figures 7.5-1 and 7.5-2. The power source is instrument ac from the standby ac systems.

f. ADS/relief valve position may be inferred by the downstream tail pipe pressure alarm and status lights provided in the control room. The power source for these detectors is from an ESF bus through an independent inverter.

7.5.1.2.5 Standby Service Water System Operation of the standby service water (SSW) system may be verified by observing the following indications:

a. SSW pump and cooling tower fan operating lights indicating running equipment. See Figure 7.5-3. The power sources are from the same ESF dc buses which provide control power for the circuit breakers for the associated equipment.

b. System valve position lights indicating either open or closed valves as appropriate. See Figure 7.5-3. The power sources are the same as for the associated valve motors.

c. SSW discharge flow and pressure indications for each SSW loop are provided. The display for these measurements is provided via the plant computer and available for on-demand "call up". The power sources are independent and fed from the same ESF buses as the driven equipment. In addition to SSW pump discharge flow loop A and B are provided with a recorded return flow in the control room.

7.5-10 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Standby Service Water System temperature is also provided and recorded in the control room. This information used concurrently with RHR system flow and RHR heat exchanger outlet temperature (see Section 7.5.1.2.4.a.4) can be used to infer SSW system operation.

In addition, two recorders are provided to record the level in each SSW basin. One recorder for each basin is located on the auxiliary control benchboard. See Figure 7.5-3. Each of the four channels is provided with its own transmitter. The power sources are fed from the same ESF ac buses as the equipment associated with each basin.

7.5.1.2.6 Main Steamline Isolation Valve Leakage Control System The following meters are located in the control room displaying reactor and steam line pressures:

a. 0-50 psia meter displaying main steam line pressure for each of the four MSLs

b. Two 0-100 psig range meters displaying reactor pressure

c. One 0-100 psig (high pressure) range meter and one 0-50 psia (low pressure) range meter displaying outboard steam line header pressure

d. One 0-100 psig range meter displaying inboard steam line pressure for each of the four steam lines 7.5.1.2.7 Feedwater Leakage Control System Operation of the feedwater leakage control (FWLC) system may be verified by observing the following indications:

a. Reactor pressure recorders indicating that reactor pressure has dropped sufficiently low enough for feedwater leakage control to be initiated. See subsection 7.5.1.2.2.2.

b. RHR jockey pump operating lights indicating running pumps and FWLC valve position lights indicating open valves. See Figure 7.5-3. The power sources are the same as for the associated valve and pump motors.

7.5-11 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.2.8 Combustible Gas Control System 7.5.1.2.8.1 Drywell Purge System Operation of the drywell purge system may be verified by observing the following indications:

a. Drywell purge compressor operating lights indicating running equipment. See Figure 7.5-3. The power sources are from the same ESF dc buses which provide control power to the circuit breakers for the associated compressors.

b. Purge inlet and vacuum relief valve position lights indicating open valves. See Figure 7.5-3. The power sources are the same as for the associated valve motors.

c. Drywell referenced to containment differential pressure indicating that LOCA blowdown is complete and that the drywell purge compressors have repressurized the drywell.

Two drywell referenced to containment differential pressure signals are transmitted from separate transmitters and recorded on two separate recorders in the control room. The power sources are from the two ESF dc buses through two independent inverters.

7.5.1.2.8.2 Hydrogen Control System Operation of the hydrogen control system recombiners and igniters may be verified by observing the following indications:

a. Hydrogen recombiner operating lights indicating that the recombiners are energized. See Figure 7.5-3. The power sources are the same as for the associated recombiners.

b. Two meters, one displaying recombiner temperature and the other displaying recombiner heater power input, for each recombiner are located in the control room. Each recombiner is equipped with three thermocouples, any one of which may be selected to be displayed on the associated meter. See Figure 7.5-3. The power sources are fed from the same ESF buses as the hydrogen recombiners.

c. Hydrogen igniter operating lights indicating that igniter circuits are energized (see Figure 7.5-3). The power sources are the same as for the associated igniters.

7.5-12 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.2.8.3 Containment and Drywell Hydrogen Monitoring Two containment hydrogen concentration and two drywell hydrogen concentration signals are transmitted from four separate hydrogen analyzers and are recorded on two recorders in the control room.

One input provides the containment hydrogen concentration and one the drywell hydrogen concentration on each of the two independent recorders. Measurement capability is provided over the range of 0 to 10 percent hydrogen concentration under both positive and negative ambient pressure. Each hydrogen analyzer uses a sample drawing system which removes the sample from the containment or drywell, as appropriate, and employs a thermal conductivity analyzer. The sample drawing points are located at widely separated and appropriately placed points inside the containment and drywell. Each hydrogen analyzer can be calibrated by introducing zero and span gasses into the sample system of the analyzer. Calibration is initiated and adjustments are made, if necessary, at the hydrogen analyzer sample panels in the auxiliary building. See Figure 7.5-3. The system accuracy is sufficient to provide the operator with an adequate indication of hydrogen concentration. The hydrogen monitoring and the low pressure coolant injection systems are simultaneously and automatically activated upon a loss-of-coolant accident. Within 60 seconds, the hydrogen analyzers are sufficiently warm to continuously analyze and record containment and drywell hydrogen concentration. It was confirmed, as part of MP&L's (SERI's)

Action Plan 39 to address Humphrey Issue 6.4, that the hydrogen analyzers measure the thermal conductivity of the sample at an elevated temperature. The elevated temperature exceeds the saturation temperature of the environment at the analyzer location and precludes measurement failure due to condensation.

The power sources are fed from the two ESF ac buses. The containment and drywell hydrogen analyzing instrumentation is shown in Figure 6.2-81.

7.5.1.2.9 Standby Gas Treatment System (SGTS)

Operation of the SGTS may be verified by observing the following indications:

a. Charcoal filter train fan and enclosure building recirculation fan operating lights indicating running equipment. See Figure 7.5-3. The power sources are from 7.5-13 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) the same ESF dc buses which provide control power for the circuit breakers for the associated recirculation fans and from the same sources as the charcoal filter train fans.

b. System valve and damper position lights indicating either open or closed valves and dampers. See Figure 7.5-3. The power sources are the same as for the associated valve or damper motors.

c. Enclosure building referenced to outside atmosphere differential pressure indicating that SGTS drawdown has been accomplished. Four enclosure building pressure signals are transmitted from separate transmitters and recorded on two recorders in the control room. The power sources are from the two ESF dc buses through two independent inverters.

d. Charcoal filter train flow indicating that the filter trains are operating. One recorder for each filter train recording charcoal filter train flow is located in the control room. In addition, one recorder recording differential pressure across the charcoal filter and the two HEPA filters is provided in the control room for each filter train. See Figure 7.5-3. The power sources are fed from the same ESF buses as the filter train fans.

7.5.1.2.10 Secondary Containment (Auxiliary Building)

Isolation The operator may verify secondary containment isolation by observing the following indication:

a. Isolation valve position lamps indicating valve closure.

See Figure 7.5-3. The power sources are the same as for the associated solenoid pilot valves.

7.5.1.2.11 Standby Electrical Power Systems Operation of the standby electrical power system may be verified by observing the following indications:

a. Diesel generator operating lights indicating that the diesel engines are running at operating speed. See Figure 7.5-4. The power sources are from the same ESF dc buses which provide control power for the associated circuit breakers.

7.5-14 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Circuit breaker position lights indicating either closed or tripped circuit breakers as required. See Figure 7.5-4.

The power sources are from the same ESF dc buses which provide control power for the associated circuit breakers.

c. Seven meters for each standby diesel generator are provided in the control room. These meters display generator voltage, frequency, watts, vars, amperes, field voltage, and field amperes. See Figure 7.5-4. The power source is the associated standby diesel generator.

d. Four meters are provided for the HPCS diesel generator in the control room. These meters display bus voltage, watts, vars, and amperes. The power source is the HPCS diesel generator.

e. Bus voltmeters and ammeters. Three ammeters, indicating current flow through each of the three incoming offsite power breakers, and one voltmeter are provided in the control room for each 4160 V ESF bus. One ammeter and one voltmeter are provided for each 480 V ESF bus, and one voltmeter is provided in the control room for each 125 V dc bus. See Figure 7.5-4. The power sources are the associated ESF buses.

f. In addition, one meter is provided in the control room to display the level in each fuel oil storage and day tank.

See Figures 7.5-3 and 7.5-4. The power sources are fed from the same ESF ac bus associated with each diesel generator.

7.5.1.2.12 Standby Power Air Systems Operation of the Standby Power Air Systems may be verified by observing the following indications:

a. ADS air receiver and accumulator pressure is indicated in the control room. The power sources are fed from the ESF bus.

b. Starting air pressure from the standby diesel generator is one component of the diesel generator common trouble alarm. The power sources are the associated ESF buses.

7.5-15 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. A starting air pressure low signal is provided to the HPCS diesel generator common trouble alarm for control room annunciation.

7.5.1.2.13 Control Room Atmospheric Control and Isolation System (CRACIS)

Operation of the CRACIS may be verified by observing the following indications:

a. Standby fresh air unit fan, air-conditioning unit fan, and compressor operating lights indicating running equipment.

The power sources are the same as for the driven equipment.

b. System valve and damper position lights indicating either open or closed valves and dampers as appropriate. The power sources are the same as the associated valve or damper motors.

c. Standby fresh air unit flow indicating that the fresh air units are operating. One recorder for each fresh air unit recording flow is located in the control room. In addition, one recorder recording differential pressure across the charcoal filter and two HEPA filters is provided in the control room for each standby fresh air unit. The power sources are fed from the same ESF buses as for the standby fresh air units.

7.5.1.2.14 Heating, Ventilating, and Air-Conditioning Systems for ESF Areas Operation of HVAC systems for ESF areas may be verified by observing the following indications:

a. Fan-operating lights indicating that fans are running. See Figures 7.5-3 and 7.5-4. The power sources are the same as for the driven equipment.

b. System damper position lights indicating either open or closed dampers as appropriate. See Figures 7.5-3 and 7.5-

4. The power sources are the same as for the damper motors.

7.5-16 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.2.15 Reactor Coolant System Operator verification that leakage from the Reactor Coolant System exists may be made by observing one or more of the following indications:

a. Unidentified Leakage

1. Air cooler condensate leakage. This variable provides a measurement of the moisture condensed from the drywell air by the air coolers.

2. Drywell air temperature is monitored and recorded as discussed in Section 7.5.1.2.3.2.

3. Drywell pressure is monitored and recorded as discussed in Section 7.5.1.2.3.1.

4. Drywell equipment and floor drain sump level are discussed in Section 7.6.2.4.2.1.

b. Identified Leakage

1. Recirculation pump seal leakage indicators. The power supply for these indicators is fed from Non-1E power.

2. Reactor vessel head leakage monitoring indication.

The power supply for this indicator is fed from Non-1E power.

3. Relief valve downstream temperature monitors. The power supply for these indicators are fed from 1E power.

7.5.1.2.16 Effluent Monitoring The release of radioactive noble gases or particulates from the power plant may be verified by observing one or more of the following indications:

a. Standby gas treatment train A Eberline SPING and AXM monitors.

b. Offgas and radwaste ventilations Eberline SPING and AXM monitors or G.E. noble gas monitors.

7.5-17 LBDCR 2015-052

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Turbine Building ventilation Eberline SPING and AXM monitors or G.E. noble gas monitors.

d. Containment ventilation Eberline SPING and AXM monitors or G.E. noble gas monitors.

e. Fuel handling area ventilation Eberline SPING and AXM monitors or G.E. noble gas monitors.

f. Standby gas treatment train B Canberra NORMAL and HIGH range monitors.

Section 11.5.2.2.4 discusses the operation and modes of indication provided by the Effluent Monitoring Systems.

7.5.1.2.17 Meteorological Parameters Meteorological information, as discussed in subsection 2.3.3, is available in the control room from the BOP computer. The power supply for meteorological instrumentation is from normal station power.

7.5.1.2.18 Post-Accident Sampling The chemical condition and radioisotopic analysis of the reactor coolant may be determined by collecting a grab sample via the post-accident sampling system (PASS) and analyzing these samples in the hot chemistry lab.

The PASS is powered from BOP station power and can draw samples of reactor coolant and containment atmospheres. After the results of the chemical and radioisotopic analyses are determined, the results can then be communicated to the control room. (Reference Section 9.3.2) 7.5.1.2.19 Automatic Depressurization System Air Receivers Two pressure signals are transmitted from two independent pressure transmitters to pressure switches which input into meters to provide monitoring as shown in Figure 5.2-8. These pressure switches also provide signals to annunciators and BOP computers. The power is supplied from the 125V Class 1E dc system.

7.5-18 LBDCR 2015-052

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.1.3 Bypassed and Inoperable Status Indication Bypasses within the engineered safety feature systems are indicated on the ESF panels by lights and are alarmed by the plant annunciator.

Automatic indication is provided in the control room to inform the operator that a system is inoperable. Annunciation is provided to indicate that a system or part of a system is not operable. For example, the reactor protection (trip) and the containment and reactor vessel isolation control system have annunciators lighting and sounding whenever one or more channels of an input variable are bypassed. Bypassing is not allowed in the trip logic or actuator logic. Bypasses of certain infrequently used pieces of equipment, such as manual locked open valves, are not automatically annunciated in the control room; however, capability for manual activation of each system level bypass indicator is provided by means of handswitches in the control room for those systems that have these infrequently used bypasses.

Further examples of automatic indication of inoperability are listed below.

If any circuit breaker of an engineered safety feature system is racked out, indication is provided in the control room.

All motor control center control circuits related to engineered safety feature systems are individually monitored. If control voltage is lost as a result of tripping of a motor starter feeder breaker or removal of a fuse in the control circuit, indication is provided in the control room.

All engineered safety feature systems which contain a control switch with test mode capability, or may be put into a test mode by the insertion of a test jack, are designed to provide continuous control room indication that the test mode has been selected.

Operation of manual valves, use of manual disconnects, or other operations occurring once a year or less frequently which could impair engineered safety feature system performance, are controlled by administrative procedures which require the manual activation of the system inoperative indication prior to performing any operation. Following the completion of such 7.5-19 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) operations, operability is verified by system testing prior to placing the system back in service. Thus, the probability of system bypasses existing undisclosed between periodic functional tests is minimal.

The following discussion expands the explanation of the bypasses and inoperable status indication to reflect the importance of providing accurate information for the operator and reducing the possibility for the indicating equipment to adversely affect its monitored safety system.

a. Individual indicators for each ESF system are arranged together on the control room panels to indicate what function of the system is out of service, bypassed, or otherwise inoperable. All bypass and inoperability indicators, both at a system level and component level, are grouped only with items that will prevent a system from operating if needed. Indication of pressures, temperatures, and other system variables that are a result of system operation are not included with the bypass and inoperability indicators. In addition to the indication, annunciation is provided for each ESF system train. A bypass of one or more components within a system train actuates a corresponding annunciator to alarm the fact that a given system is impaired.

The system of status lights for bypass indication, together with other display information available to the operator, and periodic testing provide assurance that the operator will be constantly aware of the status of engineered safety features systems. The indication system described previously assures that frequent or routine bypass operations with control circuits or manual process valves which could affect system performance are made obvious.

b. As a result of design, preoperational testing, and startup testing, no erroneous bypass indication is anticipated.

The operator has no means of cancelling automatic bypass indication.

7.5-20 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. These indication provisions serve to supplement administrative controls and aid the operator in assessing the availability of component and system level protective actions. This indication does not perform functions that are essential to the health and safety of the public.

d. All indicator circuits for the ESF system of each division are physically and electrically separated to maintain the same independence of systems which perform safety functions. The annunciator circuits are physically and electrically isolated from safety circuits so that no credible failure of the annunciator circuits will have an adverse effect on safety.

e. Each indicator is provided with dual lamps. The lamps on the operator's control console can be tested by depressing the indicators. Also, all the annunciators can be tested by depressing the annunciator test switches in the control room.

f. The inoperable and bypass indicators serve to inform the operator of the status of safety systems during normal plant operations. As such, they are not qualified to withstand the effects of design basis accidents.

Schematic and control panel display diagrams illustrating system and component level automatic bypass indicators are provided by reference in Section 1.7.

7.5-21 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The following is a list of those lockouts or safety-related components that have static trips that must be manually reset and that are not monitored by an inoperable and bypassed status indicator:

Not Monitored Justification Bus lockout (186B) The operation of the bus lockout relays (186B) associated with the 4.16 kV safety-related switchgear is not monitored directly. Operation of these lockouts will cause a trip of the incoming breaker to the bus and a subsequent bus under-voltage. This under-voltage condition will be detected by: 1) the testable status indicating lights of the respective safety-related loads which are fed from the bus, and 2) by the actuation of the load shedding and sequencing system.

Feeder breakers The operation of the instantaneous and (186T) time overcurrent lockout trip (186T) associated with the 480 V incoming breakers of the safety-related load centers is not directly monitored.

However, the individual safety-related loads that are powered from these load centers are provided with testable status indication which monitors, in addition to other parameters, the availability of power. These system status indicators thus indirectly monitor the trip condition of the 186T devices by virtue of detecting the under-voltage condition that would occur on a particular load center bus following a trip of its respective incoming breaker.

Battery chargers Trip of the battery charger feeder breakers will result in a loss of input power to the battery chargers.

This is alarmed in the control room and by the BOP computer.

7.5-22 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Not Monitored Justification Diesel generator lube Diesel generators will operate without oil pumps, diesel these pumps. Electric-driven pumps are generator jacket used for backup only. Primary lube oil water pumps and jacket water flow are operated by shaft-driven pumps.

Diesel generator room Diesel generators will operate without outside air fans these fans. Diesel generators will draw room air from the open corridor between the diesel generator building and the auxiliary building (refer to Figure 3.8-111).

Fuel pool cooling Two 100-percent-capacity pumps are pumps provided. Should the pumps have their motor protection devices not reset, the operator has approximately 5-1/4 hours before he has to restore fuel pool cooling.

7.5.2 Analysis 7.5.2.1 General The safety-related display instrumentation and the accident monitoring instrumentation provide adequate information to allow the operator to make the necessary manual control actions (while being properly informed relative to the plant's actual condition and status) required under normal, abnormal, transient, and accident conditions.

All protective actions required under accident conditions for the NSSS equipment are automatic, redundant, and decisive such that immediate operator information or intervention is unnecessary.

The SRDI that is part of a safety-related system and is necessary for safety-related operator actions is in compliance with the requirements applicable to safety-related systems and receives power from ESF power sources, as indicated in Tables 7.5-1 and 7.5-2.

The qualified SRDI has no unique method of identification. Plant operating procedures direct the operator as to what instrumentation should be observed in the case of an accident, and what actions should be taken, if any, based on those indications.

7.5-23 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A minimum set of instrumentation for monitoring during and after an accident is listed in Table 7.5-2. This list of instruments was developed based on the information guidelines of Regulatory Guide 1.97, Rev. 2).

Information for later operator initiated protective actions is provided by safety classified and qualified instrumentation, except as noted in Section 7.5.2.4.2.

Information from other instrumentation systems will be assessed by the operator on the basis of its reliability, verification by comparative means, and by need for non-standard control actions.

7.5.2.2 Normal Operation Subsection 7.5.1.1 describes the basis for selecting ranges for instrumentation and since abnormal, transient, or accident conditions monitoring requirements exceed those for normal operation, the normal ranges are covered adequately. Accuracy values for this display instrumentation will be determined and controlled by the Instrumentation and Setpoint Control Program.

7.5.2.3 Abnormal Transient Occurrences The variety of indications which may be utilized to verify that shutdown and isolation safety actions have been accomplished as required (see subsection 7.5.1.2) are adequate to comply with requirements of IEEE 279-1971.

7.5.2.4 Accident Conditions Information readouts are designed to accommodate the worst-case transient or accident for each parameter from the standpoint of operator actions, information, and event tracking requirements, and therefore, will cover all other design basis events or incident requirements.

7.5.2.4.1 Initial Accident Event

[HISTORICAL INFORMATION] [The design basis of all engineered safety features used to mitigate accident event conditions takes into consideration that no operator action or assistance is required or recommended for the first ten minutes of the event.

This requirement therefore makes it mandatory that all protective 7.5-24 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) action necessary in the first ten minutes be automatic.

Therefore, although continuous tracking of variables may be available, no operator action based on them is intended.]

7.5.2.4.2 Post-Accident Monitoring Regulatory Guide 1.97 provides guidance to ensure that instrumentation necessary to measure certain prescribed variables during and after an accident is available to control room personnel.

Table 7.5-2 identifies the GGNS instrumentation available for monitoring the variables listed in Table 1 of Regulatory Guide 1.97, Rev. 2. Table 7.5-2 includes instrument range, environmental and seismic qualification, redundance and sensor numbers, power supply, display location, and quality assurance.

Those items which are not in complete compliance with Regulatory Guide 1.97 are discussed in the notes to Table 7.5-2, Appendix 3A, and the NRC SER dated January 12, 1987.

7.5.2.4.2.1 Design Bases 7.5.2.4.2.1.1 Variable Type Definitions

a. Type A variables are those variables to be monitored that provide the primary information required to permit the control room operators to take the specified manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety function for design basis accident events. (Variables associated with contingency actions that may be identified in written procedures are excluded from this definition of primary information). The Type A variables were determined from a review of the existing GGNS Emergency Procedures and the BWR Emergency Procedure Guidelines. Uninterruptible power supplies (UPS) for these variables were evaluated where momentary interruption is not tolerable. The Type A variables for GGNS are identified in Table 7.5-2.

b. Type B variables are those variables that provide information to indicate whether plant safety functions are being accomplished.

7.5-25 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Type C variables are those variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission product release, i.e., fuel cladding, primary coolant pressure boundary, and containment (modified to reflect NRC staff position; see Appendix 3A). The sources of potential breach are limited to the energy sources within the barrier itself.

d. Type D variables are those variables that provide information to indicate the operation of individual safety systems and other systems important to safety.

e. Type E variables are those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.

7.5.2.4.3 Safe Shutdown Display The instrumentation used is described in subsection 7.5.1.2 and includes the control rod status lamps, scram pilot valve status lamps, and neutron monitoring instrumentation. These displays are expected to remain operable for a long enough time following an accident to indicate the occurrence of safe and orderly shutdown.

The neutron monitoring requirements for post accident monitoring are discussed in the NRC SER dated January 1987.

The displays provide redundancy by being in three separate systems and the rod position and neutron monitoring outputs are recorded (the former by the process computer). The systems cited are manually connectable to the standby ac power.

7.5.2.4.4 NSSS Engineered Safety Feature Operation Display The other operating instruments covered in subsection 7.5.1 and not marked as R.G. 1.97 variables provide indication of operation of various safety systems but do not constitute post-accident surveillance or safe shutdown display. The devices meet only qualification of redundancy and power requirements.

7.5.2.5 Compliance with Regulatory/Industry Standards A tabulation of those regulatory/industry standards applicable to the safety-related display instrumentation is provided in Table 7.1-3. Additional information is provided below.

7.5-26 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.2.5.1 Conformance with IEEE Std.-279 The rod status and scram valve status circuitry do not alone meet the requirements of IEEE-279. Jointly, however, they do meet the requirements applicable to display instrumentation except for seismic qualification.

The neutron monitoring system is designed to meet all the requirements of IEEE-279 as part of the reactor protection system. However, its RPS function is a "fail-safe" function whereas safe shutdown display is not. Further, its RPS function terminates with the generation and maintenance of a shutdown signal. In this regard, post DBA environment conditions may cause malfunction but not until the RPS function of scram generation is concluded. This makes it impossible to claim continuous indicating capability for safe shutdown display by the neutron monitoring system. In addition, loss of power is acceptable to the RPS performance, but not to the safe shutdown display performance although such a condition is highly unlikely. Redundancy, power switching capabilities, RPS capabilities, and expected time to failure under DBA environment conditions allow the neutron monitoring system to meet the functional requirements of IEEE-279 as applicable to display instrumentation.

a. Requirement 4.1 General Functional Requirement It is not the intent of the SRDI design to prevent exceeding specified fuel, fuel cladding, and coolant limits. Instrument performance characteristics, response times, and accuracy are selected for compatibility with the design goal of providing the operator with long-term monitoring and surveillance capabilities after the plant has reached a stable condition.

It is the intent of Regulatory Guide 1.97 to provide the operator with sufficient information to determine the current plant status and the status of accident mitigating components during and after an accident. This information will be used by the operator for the emergency procedures and to determine the actions required to place the plant in a safe condition.

b. Requirement 4.2 Single-Failure Criterion The SRDI is designed so that any single failure does not 7.5-27 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) result in the loss of the surveillance function on the system level after an accident. The wiring is arranged so that no single fault or failure, including either an open or shorted circuit, results in the loss of surveillance capability at the system level.

Simple redundancy is provided in the indication of reactor water level and reactor pressure. In the event of a discrepancy in the redundant indications, the operator is directed to observe all available instrumentation to determine the correct value for the parameter. If (as is the case for level instrumentation) there are external environmental conditions that can affect the accuracy of the indication, he is instructed on the maximum possible error during these extreme environmental conditions. The operators are trained to observe instruments in operation for signs of failure, such as offscale, erratic, or stationary readings (stuck pens) and to observe redundant instrumentation to detect failure and erroneous readings.

The control room operator will respond conservatively to a discrepancy in redundant RPV level instrumentation, whereby no other available instrumentation is able to provide verification of a non-conservative level indication.

c. Requirement 4.3 Quality Control of Components and Modules The quality assurance of design and construction includes appropriate requirements for design review, procurement, inspection, and testing which ensure that SRDI components are of a quality consistent with minimum maintenance requirements and low failure rates.

d. Requirement 4.4 Equipment Qualification All safety-related display instrumentation indicated in Table 7.5-1 as used for post-accident monitoring is qualified to assure performance of their safety-related functions, including post-seismic performance, as described in the response to Regulatory Guide 1.97 Rev. 2, which was submitted via separate letter from L. F. Dale, MP&L (SERI) to H. R. Denton, NRC, on February 28, 1985.

7.5-28 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

e. Requirement 4.5 Channel Integrity Type testing of components, separation of sensors and channels, and qualification of cabling has been utilized to ensure that the channels will maintain the functional capability required under applicable extreme conditions.

f. Requirement 4.6 Channel Independence The locations of the sensors and the points at which the sensing lines are connected to the process loop have been selected to provide physical separation of the channels to the maximum extent practicable, thereby precluding a situation in which a single event could cause failure of both SRDI channels. The routing of cables away from each other and from power cabling minimizes the likelihood of common mode failures. This includes separation at the containment penetration area. One exception to channel independence conformance is the redundant shutdown range channels for reactor water level. The two divisions of shutdown range instruments will share a reference leg, drywell sensing line, and drywell penetration.

g. Requirement 4.7 Control and Protection System Interaction Some instruments used for safety-related display instrumentation are also used for protective actions, but none are used for control functions.

h. Requirement 4.8 Derivation of System Inputs All system inputs are derived from signals that are direct measures of the desired variables.

i. Requirement 4.9 Capability of Sensor Checks Performance of the surveillance instrumentation will be verified during reactor operation subject to the following:

1. Testing will not adversely affect the safety or operability of the plant.

2. Normal system operation is considered an acceptable method of verifying surveillance instrumentation performance if system operating parameters are 7.5-29 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) similar to those anticipated following a LOCA.

Also, reactor power changes which occur as part of normal operation perturb parameters associated with the reactor and nuclear boiler system and provide a means for checking SRDI channels.

3. Where surveillance instrument performance cannot be verified under the conditions of 1 and 2 above, periodic testing is performed.

j. Requirement 4.10 Capability for Test and Calibration The SRDI can be checked from the sensor signal through the readout located in the control room. Some of the sensors used in SRDI are also used for protective actions and therefore will be tested during protection system testing.

SRDI channels which monitor performance of ESF systems are tested when the systems they monitor are tested.

For those sensors that do not perform protective actions, testing will be performed on a periodic basis. Testing of process type sensing instruments is accomplished by application of a test signal through calibration taps.

Testing and calibration of the neutron monitoring system is discussed in subsection 7.6.1.5.

k. Requirement 4.11 Channel Bypass or Removal from Operation Any one of the channels may be tested, calibrated, or repaired without detrimental effects on the redundant channel.

l. Requirement 4.12 Operating Bypasses This section is not applicable to SRDI.

m. Requirement 4.13 Indication of Bypasses This section is not applicable to SRDI.

n. Requirement 4.14 Access to Means for Bypassing This section is not applicable to SRDI.

7.5-30 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

o. Requirement 4.15 Multiple Set Points This section is not applicable to SRDI.

p. Requirement 4.16 Completion of Protective Action Once it is Initiated This section is not applicable to SRDI.

q. Requirement 4.17 Manual Initiation This section is not applicable to SRDI.

r. Requirement 4.18 Access to Set Point Adjustments, Calibration and Test Points Administrative controls are provided for access to calibration points.

s. Requirement 4.19 Identification of Protection Action This section is not applicable to SRDI.

t. Requirement 4.20 Information Readout Indicators and recorders are provided to allow the operator to assess the status of plant safety as described in subsection 7.5.1.

u. Requirement 4.21 System Repair A defective SRDI channel can be detected by testing as previously discussed. Replacement or repair of one SRDI channel will not affect the other channels.

v. Requirement 4.22 Identification The method used to identify safety-related instrumentation and control equipment is discussed in subsections 7.1.2.3 and 8.3.1.3.

7.5.2.5.2 Conformance to IEEE 323-1971 Environmental qualification of instrumentation is discussed in subsection 3.11.2.

7.5-31 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.2.5.3 Conformance to IEEE 336-1971 The post-operation quality assurance program is discussed in a separate topical report as referenced in Chapter 17.

7.5.2.5.4 Conformance to IEEE 344-1971/1975 The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975. Seismic Qualification of instrumentation is discussed in Section 3.10.

7.5.2.5.5 Regulatory Guide 1.47 Regulatory Guide 1.47 is not applicable to the safety-related display instrumentation (SRDI) because the SRDI is designed to operate continuously and thereby allows continuous instrument status monitoring. Removal of instrumentation for servicing during plant operation is administratively controlled. The bypassed and inoperable status indications for the ESF systems are automatically activated and indicated in the control room should any system or part of a system become inoperable. The bypassed and inoperable status annunciators and indicators are capable of being manually tested from the control room.

7.5.2.5.6 10 CFR 50, Appendix B, Quality Assurance The SRDIs are the same type and subject to the same qualification testing, quality control, and documentation in accordance with the recommendation of 10 CFR 50, Appendix B, as the safety systems instrumentation. The displays are of a high quality consistent with the rest of the SRDIs, and are proven through industrial usage. The display's qualification testing, quality assurance program, and documentation are provided and maintained by the vendors. Quality assurance is discussed further in Chapter 17.

7.5.2.5.7 Conformance To Regulatory Guide 1.97 Rev. 2 Conformance and exceptions to Regulatory Guide 1.97, Revision 2 are discussed in Appendix 3A.

7.5-32 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5.2.6 System Drawings The applicable safety-related display instrumentation system schematics, loop diagrams, electrical distribution drawings, functional control diagrams, instrument location drawings, and control room layout drawings have been provided and are listed in Section 1.7. P&IDs are located in Chapters 5, 6, and 9.

7.5-33 Revision 2016-00

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Rod control and Control rod Lights 2/Rod Full in-not CR B3 No information position full in system Control rod Lights 1/Valve NA CR No No scram valves Neutron Power range Recorder 4 0-125% CR B1 See monitoring neutron flux Table 7.5-2 Nuclear Reactor vessel Recorder 2 0-1500 psig CR A1 Yes 7.5-34 boiler pressure Reactor vessel Recorder 2 -320/0/+400 CR Al/B2 See Yes water level Table 7.5-2 Containment Drywell Recorder 2 -10/0/+40 psig CR Al Yes and drywell pressure Containment Recorder 4 2 -5/0/ +5 CR Al Yes pressure psig 2 0-50 psig Drywell and Recorder 16 0-400 F CR Al Yes CRD Cavity Revision 2016-00 temperature Containment Recorder 16 0-400 F CR Al Yes temperature Containments Meter 1 0-10 KGPM CR D2 Yes spray flow

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Suppression Recorder 2 10'6"-25'6 CR Al Yes pool level 18'-19' Suppression Recorder 24 30-230 F CR Al Yes pool temperature Isolation Lights 1 per NA CR Al Yes valve position valve (Group 1)

Isolation Lights 1 per NA CR BI Yes valve position valve 7.5-35 (other than group 1 Emergency vent Lights 1 per NA CR D2 Yes damper damper position RCIC RCIC flow Meter 1 0-1000 gpm CR D2 Yes RCIC discharge Meter 1 0-1500 psig CR No Yes pressure Emergency core HPCS flow Meter 1 0-10,000 gpm CR D2 Yes Revision 2016-00 cooling systems HPCS discharge Meter 1 500-1500 psig CR No Yes pressure LPCS flow Meter 1 0-10,000 gpm CR D2 Yes

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION RHR flow (LPCI Meter 1 per 0-10,000 gpm CR D2 Yes and shutdown loop cooling)

RHR HX service Meter 1 per 0-10,000 gpm CR No Yes water flow loop RHR HX outlet Recorder 1 0-750° CR D2 No temperature ECCS pumps Lights 1 per NA CR No Yes on/off pump 7.5-36 ECCS valve Lights 1 per NA CR No Yes positions valve ADS/relief Lights 1 per 0-100 psig CR D2 Yes valve Alarm valve positions ADS air Meter 2 0-300 psig CR D2 Yes receiver pressure Standby SSW loops A & Computer 1 per 0-15,000 gpm CR D2 Yes service water B flow call-up loop Revision 2016-00 SSW loops A & Recorder 1 per 0-200 psig CR No Yes B discharge loop pressure SSW System Recorder 1 0-750° CR D2 No discharge temperature

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Standby HPCS service Computer 1 0-1000 gpm CR D2 Yes service water discharge call-up water flow HPCS service Meter 1 0-150 psig CR No Yes discharge pressure Standby Recorder 2 0-10 ft CR No Yes service water basin level 7.5-37 SSW pumps Lights 1 per NA CR No Yes on/off pump SSW cooling Lights 1 per NA CR No Yes tower fans fan on/off SSW valve Lights 1 per NA CR No Yes positions valve valve Revision 2016-00

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power MSIVLCS Steam line Meter 5 0-50 psia CR D2 Yes pressure (low)

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Steam line Meter 5 0-100 psia CR D2 Yes pressure (high)

Reactor Meter 5 0-100 psia CR D2 Yes pressure FWLC FWLC valve Lights 1 per NA CR No Yes positions valve Combustible Gas Drywell Recorder 2 -10/0/+20 psid CR No Yes 7.5-38 Control System /Containment differential pressure Drywell Recorder 2 0-10% CR A3 Yes Hydrogen Containment Recorder 2 0-10% CR A3 Yes Hydrogen Hydrogen Meter 1 per 0 - 2000 F CR No Yes Recombiner recombiner temperature LBDCR Hydrogen Meter 1 per 0-100 KW CR No Yes Recombiner recombiner power 2021-022

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Combustible Gas Drywell purge Lights 1 per NA CR No Yes Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Control System compressor on/off compressor Drywell purge Lights 1 per valve NA CR No Yes valve position Hydrogen Lights 1 per NA CR No Yes recombiner on/off recombiner Hydrogen ignitors Lights 1 per train NA CR No Yes on/off Standby gas Enclosure Recorder 4 -1/0/+1 CR No Yes treatment bldg./outside inches atmosphere water differential 7.5-39 pressure Charcoal filter Recorder 1 per train 1-5000 cfm CR No Yes train flow Charcoal filter Recorder 1 per 0-10 inches CR No Yes differential filter water pressure HEPA filter Recorder 1 per 0-5 inches CR No Yes differential filter water pressure Revision 2016-00 SGTS fans on/off Lights 1 per fan NA CR No Yes SGTS damper and Lights 1 per NA CR No Yes valve positions damper

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Standby power Diesel generator Meter 1 per DG 0-5.25 kV CR D3 NA system voltage Diesel generator Meter 1 per DG 0-1500 Aac CR D3 NA current Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Diesel generator Meter 1 per DG 1-10 MW CR D3 NA power Diesel generator Meter 1 per DG -10/0/10 MVAR CR D3 NA reactive power Diesel generator Meter 1 per DG 55-65 Hz CR D3 NA frequency Diesel generator Meter 1 per DG 0-300 Vdc CR D2 NA field voltage Diesel generator Meter 1 per DG 0-400 Aac CR D2 NA 7.5-40 field current Fuel oil storage Meter 1 per DG 0-12 ft CR D3 Yes tank level Fuel oil day tank Meter 1 per DG 0-60 in. CR D3 Yes level Diesel generator Light 1 per DG NA CR No Yes running/stopped 4.16 kV ESF bus Meter 1 per bus 0-5.25 kV CR D3 NA voltage Revision 2016-00 4.16 kV ESF bus Meter 1 per 0-1500 Aac CR D3 NA incoming breaker circuit current breaker 4.16 kV circuit Light 1 per NA CR D3 NA breaker position circuit breaker

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power Standby power 480 V bus voltage Meter 1 per bus 0-600 Vac CR D3 NA Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION system 480 V bus current Meter 1 per bus 0-1200 Aac CR D3 NA 480 V load center Lights 1 per NA CR No Yes feeder circuit circuit breaker position breaker 125 V dc ESF bus Meter 1 per bus 0-150 V CR D2 NA voltage Control room Standby fresh air Recorder 1 per 0-5000 cfm CR No Yes atmospheric unit flow fresh air 7.5-41 control and unit isolation Charcoal filter Recorder 1 per 0-5 inches CR No Yes differential filter water pressure HEPA filter Recorder 1 per 0-5 inches CR No Yes differential filter water pressure Control room fans Lights 1 per fan NA CR No Yes on/off Revision 2016-00 Control room air- Lights 1 per NA CR No Yes conditioning compressor compressor on/off Control rom Lights 1 per NA CR No Yes damper and valve damper positions

TABLE 7.5-1: SAFETY-RELATED DISPLAY INSTRUMENTATION (Continued)

Post-Accident Type of Number of Readout Monitoring Class 1E System Parameter Readout Channels Range Location (Type/Cat) Power HVAC for ESF ESF HVAC fans Lights 1 per fan NA CR No Yes areas on/off Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION SF HVAC damper Lights 1 per NA CR D2 Yes positions damper Automatic ADS air receivers Meter 2 0-300 psig CR Yes Yes Depressuriza- pressure tion System Radiation Primary Recorder 4 (2 ctmt. See Table 7.5- CR C1 Yes Monitoring containment area and meter And 2 2 radiation drywell Containment vent Monitor 1 See Table 7.5- CR E2 Yes 7.5-42 noble gases 2 monitor SGTS A&B Monitor 1 per See Table 7.5- CR E3 Yes (Auxiliary Bldg.) train 2 noble gases monitor Revision 2016-00 Note 1: The type and category indication in the post accident monitoring column indicates that these variables are also used for post accident monitoring as further discussed in Table 7.5-2

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument RPV Level A/1 Yes Yes +60 to -160 IE 2 divs. Recorded Yes Yes B21-LT-N091 A,B Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Wide Range in. wc. No B21-UR-R623 A,B Note 6 Fuel Zone A/1 Yes Yes -20.0 to IE 2 divs. Recorded Yes Yes B21-LT-N044 C,D Note 6 -320.0 in. UPS No B21-LR-R615 A,B w.c.

Shutdown B/2 Yes Yes 0 to 400 in. IE 2 divs. Recorded Yes Yes B21-LT-N027 A,B Range w.c. UPS Note 6 No B21-LR-R615 A,B Note 6 RPV A/1 Yes Yes 0-1500 psig IE 2 divs. Recorded Yes Yes B21-PT-N062 A,B Pressure UPS No B21-UR-R623 A,B 7.5-43 Drywell A/1 Yes Yes -10 to +40 IE 2 divs. Recorded Yes Yes M71-PDT-N001 Pressure psig UPS No A,B M71-PDR-R601 A,B Drywell/ D/2 Yes Yes +2/0/-2 psid IE 2 divs. on Available No Yes E61-PDT-NO13A,B Containment computer for call-up No E61-PDIS-Differential N600A,B Pressure Drywell A/1 Yes Yes 0-400 F IE 2 divs. per Recorded No Yes M71-TE-N013 Atmosphere measurement Yes A,B,C,D Temperature location No M71-TE-N008 Revision 2016-00 No A,B,C,D M71-TR-R602 A,B M71-TR-R603 A,B Primary A/1 Yes Yes -5/0/5 psig IE 2 divs. Recorded Yes Yes M71-PDT-N002A,B CTMT 0-50 psig UPS Yes M71-PDT-N027A,B Pressure No M71-PDR-R601A,B

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Primary A/1 Yes Yes 0-400°F IE 2 divs. Recorded Yes Yes M71-TE-N007 CTMT Note 7 No A,B,C,D Temperature No M71-TR-R602A,B M71-TR-R603A,B Suppression A/1 Yes Yes 30-230F IE 2 divs. per Recorded Yes Yes M71-TE-N012 A,B Pool Water measurement Yes, N022 A,B; Temperature location Yes N023 A,B Yes, N024 A,B; Yes N025 A,B N026 A,B M71-TR-R605 A,B,C,D 7.5-44 Suppression A/1 Yes Yes 0-180 in. IE 2 divs. Recorded Yes Yes E30-LT-N003 C,D Pool Water w.c UPS No E30-LR-R600 A,B Level 103'6"-

118'6" plant elevation CTMT A/3 No Yes 0-10% H2 IE 2 divs. Recorded Yes Yes E61-AITS-K002 Hydrogen No A,B Concentration E61-AR-R602 A,B Drywell A/3 No Yes 0-10% H2 IE 2 divs. Recorded Yes Yes E61-AITS-K001 Hydrogen No A,B LBDCR Concentration E61-AR-R602 A,B Group 1 A/1 Yes Yes Closed, IE None Indicated No Yes Note 31 Isolation open UPS Neutron B/1 No No 0-9-125% Note 8 Note 8 Recorded Yes No Note 10 2021-022 Flux Note 8 Note 8 Note 8 power Note 2 Control Rod B/3 No No Note 12 Non-IE N/A Indication Yes None C11-ZS-N124 Position UPS No C11-ZS-N125

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Drywell Floor B/3 No No 0-28"H2O Non-IE 2 channels Plant No No P45-LT-N451A,B Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Sump Level (Note 32) (UPS for Computer Computer) (Note 32)

Drywell Eqmt B/3 No No 0-28"H2O Non-IE 2 channels Plant No No P45-LT-N452A,B Sump Level (Note 32) (UPS for Computer Computer) (Note 32)

Primary B/1 Yes Yes Closed, IE No Indication No Yes Note 11 Containment open Isolation Valve Position (except Group 1) 7.5-45 Primary C/1 Yes Yes 1-107R/hr IE 2 divs. Indication Yes Yes D21-RE-N048 A,C CTMT UPS and No D21-RR-R601 A Area Recorded No D21-RE-N048 B,D Radiation No D21-RR-R601 B Suppression C/2 Yes No 0-180 in. IE 2 divs. Indication No Yes E30-LE-NO96A/B Pool Level w.c. No E30-LT-N604A/B Accident 113'0"- No E30-LI-R604A/B Range 128'0" plant elev.

Containment C/2 Yes No 0-180 in. IE 2 divs. Indication No Yes E30-LE-N095A/B Revision 2016-00 Water Level w.c. No E30-LT-N603A/B Accident 153'0" No E30-LI-R603A/B Range 168'0" plant elev.

Main Feed- D/3 No No 0-14 mlb/hr Non-IE 2 channels Indication Yes No N21-FT-N087 A,B water Flow per line UPS Note 2 N21-FI-R686 A,B CST Level D/3 No No 1'1" to Non-IE None Indication No No P11-LT-N003 41'1" level UPS No P11-LI-R601

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION CTMT Spray D/2 Yes Yes 0-10 kgpm IE None Indication Yes Yes E12-FT-N015 A,B Flow No E12-FI-R603 A,B MSIV Leakage D/2 Yes Yes 0-50 psia IE 2 divs. Indication No Yes E32-PT-N051 Control 0-100 psig No A,E,J,N System No E32-PIS-N651 Pressure No A,E,J,N E32-PT-N061 A,E,J,N E32-PIS-N661 A,E,J,N SRV Position D/3 No No 0-100 psig IE None Indication Yes Yes B21-PS-N150 A-7.5-46 Pressure UPS H,J-N, in Valve Line P,R-W B21-XA-L634 RCIC Flow D/2 Yes Yes 0-1,000 gpm IE None Indication Yes Yes E51-FT-N003 UPS No E51-FI-R606 HPCS Flow D/2 Yes Yes 0-10,000 gpm IE None Indication Yes Yes E22-FT-N005 UPS No E22-FI-R603 LPCS Flow D/2 N/A Yes 0-10,000 gpm IE None Indication Yes Yes E21-FT-N003 No E21-FI-R600 LBDCR LPCI Flow/ D/2 Yes Yes 0-10,000 gpm IE None Indication Yes Yes E12-FT-N015 RHR System No A,B,C Flow E12-FI-R603 A,B,C SLCS D/3 No No 0-5000 gal IE None Indication No None C41-LT-N001 2021-088 Storage No C41-LI-R601 Tank Level (Note 27)

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION RHR Heat D/2 Yes Yes 0-750°F Non-IE None Recorded No Yes E12-TE-N027 A,B Exchanger (Note 28) UPS (0-600°F) No E12-TJRS-R601 Outlet Temperature Clg Wtr D/2 N/A Yes 0-750°F Non-IE None Recorded No Yes P41-TE-N011 A,B Temp to ESF (Note 28) UPS (0-600°F) No E12-TJRS-R601 System Components Clg Wtr D/2 N/A Yes 0-15,000 gpm IE UPS None Available No Yes P41-FT-N016A&B Flow to ESF SSW SSW for call-up SSW System 0-1,000 gpm IE on computer No P41-FT-N016C 7.5-47 Components HPCS HPCS HPCS High D/3 No No 10 5/8" to Non-IE 2 channels Available No No SG17-LT-N280 Radioactivity overflow for call-up A,B Liquid Tank on computer No SG17-LT-N283 Level Emergency D/2 Yes Yes Open/close IE None Indication No Yes Note 13 Ventilation Damper Position Status of Standby Power

& Other Revision 2016-00 Energy Sources Important to Safety (Hydraulic Pnuematic)

ADS Air D/2 Yes Yes 0-300 psig IE None Indication No Yes B21-PT-N201 A,B Receiver No B21-PI-R702 A,B Press

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument AC Power D/3 Note 14 Note 14 Note 14 Note 14 None Indication No Note 14 Note 14 Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION DC Power D/2 Note 14 Note 14 Note 14 Note 14 None Indication No Note 14 Note 14 STBY DSL D/3 No No 7.5.1.2.12 7.5.1.2.1 None Alarm No Yes P75-PSLL-N059 GEN. STRT 2 No A,B AIR PRESS No P75-PSLL-N060 No A,B No P75-PSLL-N085 A,B P75-PSLL-N086 A,B P75-UA-L608 A,B 7.5-48 HPCS DSL D/2 N/A Yes 7.5.1.2.12 7.5.1.2.1 None Alarm No Yes P81-PSL-N111 GEN STRT 2 No A,B AIR PRESS No P81-PSL-N112 No A,B No P81-PSL-N115 A,B P81-PSL-N116 A,B P81-XA-L619 Airborne E/3 No No 10-9 to 10-3 N/A N/A No No No Note 22 Radiohalogens Ci/cc and Particulates (Portable sampling Revision 2016-00 with on-site analysis capability)

Plant and E/3 No No 10-3 to N/A N/A No No No Note 23 Environs 2 x 104 Radiation R/hr Photons (Portable) and Beta

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Plant and E/3 No No Multichannel N/A N/A No No No Note 24 Environs Analyzer Radioactivity Radiation E/3 No No Note 15 Non-IE None Recorder No No Note 15 Exposure Rate UPS Fuel Handling E/2 N/A No Note 16 Note 16 None Note 17 No No Note 16 SGTS & CTMT Vent Discharge Accident Range Noble Gas 7.5-49 Fuel Hand E/3 No No Note 16 Note 16 None Note 17 Yes No Note 16 ling SGTS &

CTMT Vent Discharge Normal Range Noble Gas Vent Flow For E/3 No No Note 20 Note 20 None Note 20 Yes No Note 20 Fuel Handling Area SGTS &

CTMT Vent Normal Monitor Revision 2016-00 Vent Flow For E/2 N/A No Note 20 Note 20 None Note 20 Yes No Note 20 Fuel Handling No Area SGTS &

CTMT Vent Accident Monitor

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Turbine Bld E/3 No No Note 18 Non-IE None Note 19 No Note 18 and Offgas/Rad Waste Bld Normal & Yes Accident No Range Noble Gas Vent Flow for E/3 No No Note 20 Non-IE None Note 20 No Note 20 Turbine Bld and Offgas/Rad Waste Bld Yes 7.5-50 Normal Range No Accident Range Particulates E/3 No No Note 21 Note 21 None Note 17 No No Note 21 Halogens All and Identified Note 19 Plant Release Points; Sampling w/Onsite Analysis Capability Revision 2016-00 Wind E/3 No No 0-360° Non-IE Note 25 Indication No No C84-ZT-N002, Direction No N005 & N031 Wind Speed E/3 No No 0-125 mph Non-IE Note 25 Indication No No C84-ST-N001 No N004 & N030 Estimation of E/3 No No -10°F - Non-IE Note 25 Indication No No C84-UJ-K001 Atmospheric +20°F T No & K002 Stability

TABLE 7.5-2: POST-ACCIDENT MONITORING INSTRUMENTATION (CONTINUED)

Qualification GGNS Control Measured Type/Cat Environ Seismic GGNS Power Room QA Variable Note 1 Note 4 Note 5 Range Supply Redundancy Display SPDS Note 3 Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Accident Sampling

1. Primary Coolant and Suppression Pool Gross E/3 No No 10 Ci/ml to Non-IE None None N/A N/A Grab Sample Activity/Gamm 10 a Spectrum Ci/ml*/Isoto pic Boron Content E/3 No No Analysis 0- Non-IE None None N/A N/A Grab Sample 7.5-51 6000 ppm*

• Minimum range 2.

Containment Air Hydrogen E/3 No No 0 to 10%* Non-IE None None N/A N/A Grab Sample Note 26 Oxygen E/3 No No 0 to 30%* Non-IE None None N/A N/A Grab Sample Note 26 Revision 2016-00 Gamma E/3 No No Isotopic Non-IE None None N/A N/A Grab Sample Spectrum Analysis

• Minimum range

TABLE 7.5-2: NOTES Note 1: Variable types and categories are defined in Regulatory Guide 1.97, Rev. 2.

Note 2: The Safety Parameter Display System (SPDS) monitors the same variables provided by Regulatory Guide 1.97, Rev. 2. However, the specific instruments provided on the SPDS may not be the same as identified for Regulatory Guide Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION 1.97, Rev. 2.

Note 3: Items indicated as "Yes" were installed under the existing QA programs in effect at that time which met the requirements of 10 CFR 50, Appendix B.

Note 4: Yes indicates that the instrumentation complies with 10 CFR 50.49 if it is located in a harsh environment. NA indicates that the instrument is either installed in a mild environment, or its function time or fail condition is such that environmental qualification is not required.

Note 5: Yes indicates that the instrument seismic qualification meets the requirements of IEEE 344-1975 to the extent needed to assure the required 7.5-52 level of instrument operability.

Note 6: Reactor Pressure Vessel Level Table 1 of Regulatory Guide 1.97 requires a range extending from the bottom of the core support plate to the centerline of the main steam line. To comply with this requirement, GGNS will use two Fuel zone, two normal Wide Range, and two Shutdown Range instruments.

The two divisions of shutdown range instruments share a reference leg, drywell sensing lines and drywell penetrations.

Revision 2016-00 Note 7: Based on the energy transfer rate between drywell and containment atmospheres (Reference FSAR Chapter 6.2), primary containment temperature will remain relatively constant over the time period standby power would be unavailable (approximately 10 seconds). Therefore, uninterruptible power is not required.

TABLE 7.5-2: NOTES (Continued)

Note 8: Present Status of Neutron Monitoring System Equipment SRMs IRMs LPRMs/APRMs Drive Non-1E power, Non-1E power, Not applicable Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Mechanisms No qualification No qualification Detectors & Class 1E UPS Class 1E UPS Class IE UPS Amplifiers No qualification No qualification Recorders & Non-1E UPS pwr, Redundant Non-IE Redundant Non-IE Indicators No qualification UPS UPS power UPS power No qualification No qualification Instrumentation for Neutron Flux Monitoring complies with NEDO-31558-A, Licensing 7.5-53 Topical Report; Position on NRC Regulatory Guide 1.97, Revision 3 Requirements for Post-Accident Neutron Monitoring System instead of with Regulatory Guide 1.97.

Note 9: Deleted Note 10: Instrument Recorder C51-NE-N001 A,C,E C51-NR-R602A SRM Recorder A C51-NE-N001 B,D,F C51-NR-R602B SRM Recorder B C51-NE-N002 A,E C51-NR-R603A IRM/APRM Recorder A C51-NE-N002 B,F C51-NR-R603B IRM/APRM Recorder B Revision 2016-00 C51-NE-N002 C,G C51-NR-R603C IRM/APRM Recorder C C51-NE-N002 D,H C51-NR-R603D IRM/APRM Recorder D (APRM Channel 1) C51-NR-R603A IRM/APRM Recorder A C51-NE-N011 CC,GQ,CL,LL,GG,QG,LC C51-NE-N012 JN,EJ,NJ,JE C51-NE-N013 LQ,GL,QL,CG,LG,GC C51-NE-N014 EN,NN,JJ,EE,NE C51-NR-R603A IRM/APRM Recorder A

TABLE 7.5-2: NOTES (Continued)

C51-NE-N011 LQ,GL,QL,CG,LG,GC C51-NE-N012 EN,NN,JJ,EE,NE C51-NE-N013 CC,GQ,CL,LL,GG,QG,LC C51-NE-N014 JN,EJ,NJ,JE Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION (APRM Channel 2) C51-NR-R603B IRM/APRM Recorder B C51-NE-N011 JQ,EL,NL,JG,EC,NC C51-NE-N012 CN,LN,GJ,QJ,CE,LE C51-NE-N013 EQ,JL,EG,NG,JC C51-NE-N014 GN,CJ,LJ,GE,QE C51-NR-R603B IRM/APRM Recorder B C51-NE-N011 EQ,JL,EG,NG,JC C51-NE-N012 GN,CJ,LJ,GE,QE C51-NE-N013 JQ,EL,NL,JG,EC,NC 7.5-54 C51-NE-N014-CN,LN,GJ,QJ,CE,LE (APRM Channel 3) C51-NR-R603C IRM/APRM Recorder C C51-NE-N011 EN,NN,JJ,EE,NE C51-NE-N012 CC,GQ,CL,LL,GG,QG,LC C51-NE-N013 JN,EJ,NJ,JE C51-NE-N014 LQ,GL,QL,CG,LG,GC C51-NR-R603C IRM/APRM Recorder C C51-NE-N011 JN,EJ,NJ,JE C51-NE-N012 LQ,GL,QL,CG,LG,GC C51-NE-N013 EN,NN,JJ,EE,NE Revision 2016-00 C51-NE-N014 CC,GQ,CL,LL,GG,QG,LC (APRM Channel 4) C51-NR-R603D IRM/APRM Recorder D C51-NE-N011 GN,CJ,LJ,GE,QE C51-NE-N012 TQ,EL,NL,JG,EC,NC C51-NE-N013 CN,LN,GJ,QJ,CE,LE C51-NE-N014 EQ,JL,EG,NG,JC

TABLE 7.5-2: NOTES (Continued)

C51-NR-R603D IRM/APRM Recorder D C51-NE-N011 CN,LN,GJ,QJ,CE,LE C51-NE-N012 EQ,JL,EG,NG,JC C51-NE-N013 GN,CJ,LJ,GE,QE Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION C51-NE-N014 JQ,EL,NL,JG,EC,NC Note 11: Primary Containment Isolation: The following table provides the existing instrument numbers for the primary containment automatic isolation valve position indication (except Group 1 isolation which is provided in Table 7.5-2).

Position also Indicated on The Valve Instrument Isolation Valve Status Panel P71-F148 P71-ZS-N020 Yes P71-F149 P71-ZS-N021 Yes 7.5-55 P52-F105 P52-ZS-N012 Yes P53-F001 P53-ZS-N011 Yes P45-F067 P45-ZS-N079 Yes P45-F061 P45-ZS-N071 Yes P45-F068 P45-ZS-N080 Yes P45-F062 P45-ZS-N072 Yes P45-F273 P45-ZS-N506 Yes P45-F274 P45-ZS-N507 Yes P45-F098 P45-ZS-N027 Yes Revision 2016-00 P45-F099 P45-ZS-N028 Yes P11-F075 P11-ZS-N005 Yes P11-F130 P11-ZS-N070 Yes P11-F131 P11-ZS-N071 Yes

TABLE 7.5-2: NOTES (Continued)

P21-F017 P21-ZS-N017 Yes P21-F018 P21-ZS-N003 Yes P53-F003 P53-ZS-N012 Yes P60-F009 P60-ZS-N009 Yes Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION P60-F010 P60-ZS-N010 Yes P72-F121 P72-ZS-N046 Yes P72-F123 P72-ZS-N034 Yes P72-F122 P72-ZS-N047 Yes P71-F150 P71-ZS-N022 Yes E61-F009 E61-ZS-N019 Yes E61-F010 E61-ZS-N020 Yes 7.5-56 E61-F056 E61-ZS-N027 Yes E61-F057 E61-ZS-N028 Yes E12-F011A E12-ZS-N131A Yes E12-F011B E12-ZS-N131B Yes E12-F024A E12-ZS-N122A Yes E12-F024B E12-ZS-N122B Yes E12-F028A E12-ZS-N110A Yes E12-F028B E12-ZS-N110B Yes Revision 2016-00 E12-F037A E12-ZS-N119A Yes E12-F037B E12-ZS-N119B Yes G33-F053 G33-ZS-N121B Yes G33-F054 G33-ZS-N121A Yes G33-F252 G33-ZS-N128 Yes G36-F101 G36-ZS-N138 Yes

TABLE 7.5-2: NOTES (Continued)

G36-F106 G36-ZS-N136 Yes M41-F011 M41-ZS-N026 Yes M41-F012 M41-ZS-N027 Yes D23-F591 D23-ZS-N091 No Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION D23-F592 D23-ZS-N093 No D23-F593 D23-ZS-N092 No D23-F594 D23-ZS-N094 No M71-F594 M71-ZS-N094 No M71-F595 M71-ZS-N095 No M41-F034 M41-ZS-N018 Yes M41-F035 M41-ZS-N019 Yes 7.5-57 G41-F028 G41-ZS-N103 Yes G41-F029 G41-ZS-N102 Yes G41-F044 G41-ZS-N101 Yes E12-F021 E12-ZS-N122C Yes E12-F008 E12-ZS-N104 Yes E12-F009 E12-ZS-N103 Yes E21-F012 E21-ZS-N106 Yes Revision 2019-001 E22-F023 E22-ZS-N106 Yes E51-F078 E51-ZS-N134 Yes E51-F031 E51-ZS-N100 Yes E51-F077 E51-ZS-N133 Yes E51-F063 E51-ZS-N109 Yes E51-F064 E51-ZS-N110 Yes

TABLE 7.5-2: NOTES (Continued)

E51-F076 E51-ZS-N120 Yes G33-F028 G33-ZS-N113 Yes G33-F034 G33-ZS-N114 Yes G33-F001 G33-ZS-N104 Yes Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION G33-F004 G33-ZS-N105 Yes G33-F039 G33-ZS-N110 Yes G33-F040 G33-ZS-N109 Yes E51-F068 E51-ZS-N103 Yes Relief valves E12-F017A/B/C, E12-F025C, E12-F055A/B, E12-F036, E12-F005, E22-F014, E21-F018 and manual valves G41-F053 and G41-F201 are containment isolation valves that do not have position indication. In addition, the fuel transfer tube in the G41 system also does not have position indication. The two manual valves and the fuel transfer tube can be locked closed and kept 7.5-58 under administrative control. The G41F201 valve operator is a motor actuator which is not normally powered and is to be energized via local battery to support Beyond-Design-Basis External Event FLEX mitigation strategies only or for testing when primary containment integrity is not required or is assured by entering LCO 3.6.1.3 with the manual outboard isolation valve 1G41F053 closed. This valve is to be manually operated under all other design basis conditions. The 10 relief valves are not capable of being fitted with position switches (Reference NRC SER, dated January 12, 1987, Section 3.3.4.)

Revision 2016-00

TABLE 7.5-2: NOTES (Continued)

Note 12: The Control Rod Position System consists of two independent channels in monitoring control rod position. Both channels have separate signals and perform exactly the same function. There are 53 control rod position switches per rod, 49 for rod travel, 2 full in, 1 full out, 1 over travel per channel. The control room operator may select Channel A, Channel B, or both Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION for display on a 2-character, seven segment L.E.D. display device for each rod. Additionally, there is a single indicating lamp for each rod fully inserted.

Note 13: Primary containment penetrations for vents and purges are covered in containment isolation valve position section of Table 7.5-2. The secondary containment dampers are as follows:

Position also Indicated on The Valve (Damper) Instrument Isolation Valve Status Panel 7.5-59 Q1T41F006 T41-ZS-N025 Yes Q1T41F007 T41-ZS-N026 Yes Q1T42F003 T42-ZS-N017 Yes Q1T42F004 T42-ZS-N016 Yes Q1T42F011 T42-ZS-N002 Yes Q1T42F012 T42-ZS-N001 Yes Q1T42F019 T42-ZS-N022 Yes Q1T42F020 T42-ZS-N021 Yes Revision 2016-00 Q1M41F007 M41-ZS-N023 Yes Q1M41F008 M41-ZS-N022 Yes Q1M41F036 M41-ZS-N020 Yes Q1M41F037 M41-ZS-N021 Yes

TABLE 7.5-2: NOTES (Continued)

Note 14: Status Of Standby Power Indicators Divison 1 Function Instrument Range LCC 15 BA4 INCM FDR 52-15401 R20-II-R627A+ 0-1200A ac 480 V LCC 15 BA4 R20-EI-R628A+ 0-600 V ac Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION LCC 15 BA2 INCM FDR 51-15201 R20-II-R629A+ 0-1200A ac 480 V LCC 15BA2 R20-EI-R630A+ 0-600 V ac Bus 15AA INCM FDR 152-1511 R21-II-R613A+ 0-1500A ac 4.16 kV Bus 15AA R21-EI-R615A+ 0-5.25 kV ac LCC 15 BA6 INCM FDR 51-15601 R20-II-R648A+ 0-1200A ac 480 V LCC 15 BA6 R20-EI-R647A+ 0-600 V ac Bus 15AA INCM FDR 152-1501 R21-II-R616A+ 0-1500A ac 7.5-60 Bus 15AA INCM FDR 152-1514 R21-II-R617A+ 0-1500A ac LCC 15 BA5 INCM FDR 52-15501 R20-II-R631A+ 0-1200A ac 480 V LCC 15 BA5 R20-EI-R632A+ 0-600 V ac LCC 15 BA1 INCM FDR 52-15101 R20-II-R633A+ 0-1200A ac 480 V LCC 15 BA1 R20-EI-R634A+ 0-600 V ac LCC 15 BA3 INCM FDR 52-15301 R20-II-R635A+ 0-1200A ac 480 V LCC 15 BA3 R20-EI-R636A+ 0-600 V ac DIESEL GENERATOR 11 (DIV. 1)

Revision 2016-00 Volts P75-EI-R600A 0-5.25 kV ac Frequency P75-SI-R601A 55-65 Hz Amps P75-II-R604A 0-1500A ac Field Volt P75-EI-R605A 0-300 V dc Field Amp P75-II-R606A 0-400 A dc Watts P75-JI-R602A 0-10 MW Vars P75-JI-R603A -10/0/+10 MVAR

TABLE 7.5-2: NOTES (Continued)

Division 2 Function Instrument Range 125 V dc Bus 11DA L21-EI-R603A 0-150 V dc LCC 16 BB4 INCM FDR 52-16401 R20-II-R627B+ 0-1200A ac Updated Final Safety Analysis Report (UFSAR) 480 V LCC 16 BB4 R20-EI-R628B+ 0-600 V ac GRAND GULF NUCLEAR GENERATING STATION LCC 16 BB2 INCM FDR 52-16201 R20-II-R629B+ 0-1200A ac 480 V LCC 16 BB2 R20-EI-R630B+ 0-600 V ac LCC 16 BB6 INCM FDR 52-16601 R20-II-R648B+ 0-1200A ac 480 V LCC 16 BB6 R20-EI-R647B+ 0-600 V ac LCC 16 BB5 INCM FDR 52-16501 R20-II-R631B+ 0-1200A ac 480 V LCC 16 BB5 R20-EI-R632B+ 0-600 V ac LCC 16 BB1 INCM FDR 52-16101 R20-II-R633B+ 0-1200A ac 7.5-61 480 V LCC 16 BB1 R20-EI-R634B+ 0-600 V ac LCC 16 BB3 INCM FDR 52-16301 R20-II-R635B+ 0-1200A ac 480 V LCC 16 BB3 R20-EI-R636B+ 0-600 V ac Bus 16 AB INCM FDR 152-1611 R21-II-R613B+ 0-1500A ac 4.16 kV Bus 16 AB R21-EI-R615B+ 0-5.25 kV ac Bus 16 AB INCM FDR 152-1614 R21-II-R617B+ 0-1500A ac Bus 16 AB INCM FDR 152-1601 R21-II-R616B+ 0-1500A ac DIESEL GENERATOR 12 (DIV. 2)

Volts P75-EI-R600B 0-5.25 kV ac Revision 2016-00 Frequency P75-SI-R601B 55-65 Hz Amps P75-II-R604B 0-1500A ac Field Volts P75-EI-R605B 0-300 V dc Watts P75-JI-R602B 0-10 MW Vars P75-JI-R603B -10/0/+10 MVAR Field Amps P75-II-R606B 0-400 A dc

TABLE 7.5-2: NOTES (Continued)

Division 3 Function Instrument Range 125 V dc Bus 11DB L21-EI-R603B 0-150 V dc Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Bus 17AC INCM FDR 152-1706 E22-II-R622 0-1500A ac Bus 17AC INCM FDR 152-1704 E22-II-R619 0-1500A ac Bus 17AC INCM FDR 152-1705 E22-II-R620 0-1500A ac MCC 17B01 INCM FDR 152-1703 E22-II-R621 0-300A ac DIESEL GENERATOR 13 (HPCS, DIV. 3)

Amps E22-II-R607 0-800A ac Vars E22-JI-R608 -4/0/+4 MVAR Watts E22-JI-R609 0-6000KW ac 7.5-62 Bus Voltage E22-EI-R610 0-5.25 kV ac Bus Frequency E22-SI-R615 55-65 Hz 480 V MCC 17B01 Voltage E22-EI-R617 0-600 V ac DC Bus Voltage 125 V dc Bus 11 dc E22-EI-R618 0-150 V dc The dc indicators were evaluated in accordance with IEEE 344-1975 and are qualified to function at least 100 days after, but not during, a safe shut-down earthquake. The indicators are located in a mild environment (Control Revision 2016-00 Room) and are not required to be environmentally qualified per 10CFR50.49.

Some ac indicators were shown to be qualified under the same test program as the dc indicators. The ac indicators which were not qualified by test were evaluated for the effects of a failure on class 1E power. No adverse effects were predicted. ac indicators, which were evaluated in this manner, are E22-R607, 608, 609, 617, 618, and 621.

TABLE 7.5-2: NOTES (Continued)

The indicators denoted by '+' are not qualified or required to function af-ter a safe shutdown earthquake. However, they are qualified not to interrupt the operation of any Class 1E device by remaining structurally intact. The power supply for each device is the bus/LCC which that device monitors. No environmental effects have been evaluated for the indicator since they are Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION all located in a mild environment.

HPCS Standby Power, Voltage, Current and Frequency The parameters requiring instrumentation to monitor the status of the HPCS Standby Power Supply are voltage and current at the 4.16 kV bus. Additional indication of the operability of the power supply is obtained from readings of the 4.16 kV bus frequency and the voltage on the Division III dc system.

Should the normal control room indication of bus voltage be lost, the same 7.5-63 voltage can be monitored in the control room using the synchronizing circuits.

The normal current monitoring in the control room is accomplished using the HPCS diesel generator ammeter. Since there are only two feeder breakers sup-plied by the HPCS power supply, each of which is equipped with local amme-ters, the total current supplied by the diesel generator could be obtained by summing these two readings should the normal indication fail.

Revision 2016-00 Control room indication of diesel generator frequency is normally provided by the HPCS diesel generator frequency meter. Should this instrument be un-available, the reading is displayed on the bus frequency meter when the gen-erator is supplying bus 17AC.

TABLE 7.5-2: NOTES (Continued)

The voltage of the Division III dc bus is displayed in the control room by the bus voltmeter and by an independent meter local to the bus (Reference NRC SER, dated January 12, 1987, Section 3.3.18.)

Updated Final Safety Analysis Report (UFSAR)

DC Power Voltage and Current GRAND GULF NUCLEAR GENERATING STATION The existing Grand Gulf design provides instruments in the control room to monitor the Class 1E dc power systems and voltage which meet Category 2 re-quirements (Reference NRC SER Section 8.3.2 for Operational Conditions and NRC SER, dated January 12, 1987, Section 3.3.18.)

Battery Current (Ammeter-Charge Rate)

For the Class 1E batteries, Grand Gulf has a battery monitoring device which is like an extremely sensitive undervoltage relay. This device compares half 7.5-64 of the battery cells to the other half to determine if there is a voltage imbalance greater than +2%. If differences are detected, the general trouble alarm is activated and an operator is dispatched to correct the situation.

Battery Charger Output Current (ammeter)

This ammeter is located on the front of the charger panel where it provides useful information to maintenance or service personnel. Battery charger out-put current is not required in the main control room since any current devi-ations of significance would result in the charger undervoltage or overvoltage alarm which are in the control room.

Revision 2016-00 Battery Charger Output Voltage (voltmeter)

Instead of a voltmeter on the charger output, a voltmeter is provided for the dc bus in addition to overvoltage and undervoltage alarms provided for the battery chargers.

TABLE 7.5-2: NOTES (Continued)

Note 15: Instruments for the Detection of Radiation Exposure Rate Low range area monitors are provided at the following locations throughout the plant where radiation could be present.

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Instrument Function Range Recorder D21-RE-N001 Radn Det RHR Room 1-100,000 mR/hr D21-RJR-R600 A

D21-RE-N002 Radn Det RHR Room 1-100,000 mR/hr D21-RJR-R600 B

D21-RE-N003 Radn Det RCIC Room 1-100,000 mR/hr D21-RJR-R600 D21-RE-N004 Radn Det Comp Clg 0.01-1000 mR/hr D21-RJR-R600 Wtr HX 7.5-65 D21-RE-N005 Radn Det Tip 0.01-1000 mR/hr D21-RJR-R600 Mechanism Area D21-RE-N006 Radn Det Drwl 0.01-1000 mR/hr D21-RJR-R600 Equip Hatch D21-RE-N007 Radn Det Drwl Pers 1-100,000 mR/hr D21-RJR-R600 Airlock D21-RE-N008 Radn Det Ctmt Pers 0.01-1000 mR/hr D21-RJR-R600 Airlock D21-RE-N009 Radn Det Crd Hyd 0.01-1000 mR/hr D21-RJR-R600 Revision 2016-00 Units North D21-RE-N010 Radn Det Crd Hyd 0.01-1000 mR/hr D21-RJR-R600 Units South D21-RE-N011 Radn Det RHR HX A 1-100,000 mR/hr D21-RJR-R600 Hatch D21-RE-N012 Radn Det RHR HX B 1-100,000 mR/hr D21-RJR-R600 Hatch

TABLE 7.5-2: NOTES (Continued)

D21-RE-N013 Radn Det SGTS Fltr 0.01-1000 mR/hr D21-RJR-R600 Train D21-RE-N014 Radn Det CRD 0.01-1000 mR/hr D21-RJR-R600 Repair Room Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION D21-RE-N015 Radn Det Outside 0.01-1000 mR/hr D21-RJR-R600 CRD Rpr Room D21-RE-N016 Radn Det Aux Bldg 0.01-1000 mR/hr D21-RJR-R600 Sample Sta D21-RE-N017 Radn Det Ctmt Vent 0.01-1000 mR/hr D21-RJR-R600 Equip Rm D21-RE-N018 Radn Det H2 Sample 0.01-1000 mR/hr D21-RJR-R600 Panel A 7.5-66 D21-RE-N019 Radn Det H2 Sample 0.01-1000 mR/hr D21-RJR-R600 Panel B D21-RE-N020 Radn Det Ctmt Vent 0.01-1000 mR/hr D21-RJR-R600 Fltr Tn D21-RE-N021 Radn Det Ctmt 0.1-10,000 mR/hr D21-RJR-R600 Sample Sta D21-RE-N022 Radn Det Fuel 0.01-1000 mR/hr D21-RJR-R600 Handling Area D21-RE-N023 Radn Det Fuel 0.01-1000 mR/hr D21-RJR-R600 Revision 2016-00 Handling Area D21-RE-N024 Radn Det Fuel 0.01-1000 mR/hr D21-RJR-R600 Handling Area D21-RE-N025 Radn Det Fuel 0.01-1000 mR/hr D21-RJR-R600 Handling Area D21-RE-N026 Radn Det Dryer 0.01-1000 mR/hr D21-RJR-R600 Storage Area

TABLE 7.5-2: NOTES (Continued)

D21-RE-N027 Radn Det Sep 0.01-1000 mR/hr D21-RJR-R600 Storage Area D21-RE-N028 Radn Det Ctmt Fuel 0.01-1000 mR/hr D21-RJR-R600 Area N Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION D21-RE-N029 Radn Det Ctmt Fuel 0.01-1000 mR/hr D21-RJR-R600 Area S D21-RE-N030 Radn Det Ctmt Pers 0.01-1000 mR/hr D21-RJR-R600 Airlock D21-RE-N031 Radn Det Turb Bldg 0.1-10,000 mR/hr D21-RJR-R600 Filtr Tn D21-RE-N032 Radn Det Turb Bldg 0.1-10,000 mR/hr D21-RJR-R600 Smpl Sta 7.5-67 D21-RE-N033 Radn Det Mech Vac 0.1-10,000 mR/hr D21-RJR-R600 Pump Area D21-RE-N034 Radn Det Turb Bldg 0.01-1000 mR/hr D21-RJR-R600 Inst Rack D21-RE-N035 Radn Det RX Feed 1-100,000 mR/hr D21-RJR-R600 Pump Area D21-RE-N036 Radn Det Turb Bldg 0.01-1000 mR/hr D21-RJR-R600 Oper F1 D21-RE-N037 Radn Det Turb Bldg 0.01-1000 mR/hr D21-RJR-R600 Revision 2016-00 Oper F1 D21-RE-N038 Radn Det Turb Bldg 0.01-1000 mR/hr D21-RJR-R600 Oper F1 D21-RE-N039 Radn Det Turb Bldg 0.01-1000 mR/hr D21-RJR-R600 Oper F1 D21-RE-N040 Radn Det Rmt 0.01-1000 mR/hr D21-RJR-R600 Shutdown Area

TABLE 7.5-2: NOTES (Continued)

D21-RE-N041 Radn Det Hot 0.01-1000 mR/hr D21-RJR-R600 Machine Shop D21-RE-N042 Radn Det Rad Bldg 0.01-1000 mR/hr D21-RJR-R600 Inst Rack Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION D21-RE-N043 Radn Det Rad Bldg 0.01-1000 mR/hr D21-RJR-R600 Sample Sta D21-RE-N044 Radn Det Rad Bldg 0.01-1000 mR/hr D21-RJR-R600 Contr Sta D21-RE-N045 Radn Det Distlt 0.01-1000 mR/hr D21-RJR-R600 Smpl Tk Rm D21-RE-N046 Radn Det Rad Bldg 0.1-10,000 mR/hr D21-RJR-R600 HVAC Room D21-RE-N047 Radn Det Solid 1-100,000 mR/hr D21-RJR-R600 7.5-68 Radwaste Area D21-RE-N049 Radn Det Tech 0.01-1000 mR/hr D21-RJR-R600 Support Center D21-RE-N050 Radn Det Post ACC 1-100,000 mR/hr D21-RJR-R600 Smpl Area D21-RE-N600 Radn Det Control 0.01-1000 mR/hr D21-RJR-R600 Room Note 16: Noble Gases Power Supply All Revision 2016-00 Range non-UPS Location and Function Instrument Ci/cc (unless noted)

I. FUEL HANDLING AREA

a. Eberline SPING (D17P020)

TABLE 7.5-2: NOTES (Continued)

1. Low Range Noble D17-RE-N130 10-7 to 6x10-2 Non-1E Gas (NG)

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION

2. Mid-Range NG D17-RE-N131 2x10-2 to 4x102 Non-1E

b. GE Sample Panel (D17P003)

Log Count Rate D17-RITS-K619 1.92x10-6 Non-1E Meter (LCRM) to 7.69x10-2 UPS

c. Eberline AXM (D17P021)

1. Mid-Range D17-RE-N132 10-4 to 10-1 Non-1E Accident NG 7.5-69

2. High Range Accident NG D17-RE-N133 101 to 105 Non-1E II. STANDBY GAS TREATMENT B

a. Canberra NORMAL RANGE MONITOR (1D17P024)

1. Noble Gas D17-J204E 5.8x10-8 to 10-1 1E (15B41)

b. Canberra HIGH RANGE MONITOR (1D17P025)

LBDCR 2018-034

1. Noble Gas D17-J303E 5.0x10-1 to 1E (15B41) 9.9x104

TABLE 7.5-2: NOTES (Continued)

III. STANDBY GAS TREATMENT A

a. Eberline SPING (D17P026)

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION

1. Low Range NG D17-RE-N148 10-7 to 6x10-2 1E (15B41)

2. Mid-Range NG D17-RE-N149 2x10-2 to 4x102 1E (15B41)

b. Eberline AXM.

(D17P027)

1. Mid-Range D17-RE-N150 10-4 to 101 1E (15B41)

Accident NG

2. High Range 7.5-70 Accident NG D17-RE-N151 101 to 105 1E (15B41)

IV. CONTAINMENT AREA

a. Eberline SPING (D17P018)

1. Low Range NG D17-RE-N124 10-7 to 6x10-2 Non-1E

2. Mid-Range NG D17-RE-N125 2x 10-2 to 4x102 Non-1E

b. GE Sample Panel (D17P002)

Revision 2016-00

1. LCRM D17-RITS-K603 1.92 x 10-6 to Non-1E 7.69 x 10-2 Non-1E

TABLE 7.5-2: NOTES (Continued)

c. Eberline AXM (D17P019)

1. Mid-Range D17-RE-N126 10-4 to 101 Non-1E Accident NG Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION

2. High Range Accident NG D17-RE-N127 101 to 105 Non-1E Note 17: The Eberline microprocessor-controlled noble gas, particulate, and iodine monitors will give an annunciator in the control room. The Standby Gas Treatment B radiation monitor system is a Canberra model that uses the Horizon software. This system is interfaced with the Plant Data System (PDS) 7.5-71 that will provide Control Room annunciation. Post accident or any station information may be "called up" on any plant computer terminal with PDS access at any time. The General Electric (G.E.) noble gas monitor channels are continuously recorded in the control room on the following recorders:

Containment, Off Gas and Radwaste Building Vents - D17-RR-R600 Turbine Building, Fuel Handling Area Vents - D17-RR-R607.

These indicators/recorders will only be used to determine the noble gas ac-tivities released. To determine the iodine and particulate release activi-ties, personnel will be required to remove the iodine/particulate filters from either the Eberline SPING, GE Sample Panel, Eberline AXM grab sample LBDCR 2015-052 pallet or, for the standby gas treatment system, from the alternate sample station on auxiliary building 139' elevation. The Standby Gas Treatment B radiation monitor system has the ability to obtain an iodine/particulate grab sample from the normal range monitor (1D7P024).

TABLE 7.5-2: NOTES (Continued)

The containment purge, fuel handling area ventilation, and standby gas treatment systems are monitored by either the non-1E microprocessor-based system with on-demand callup available in the control room, or the General Electric-supplied sample panel (except SGTS A and B) with recording avail-able in the control room. The present system uses two separate sections to Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION monitor the full range of noble gas required by the Regulatory Guide. The Air Monitor Corporation (AMC) FM&IS panel controls sample flow to the Eber-line SPING detection system (for a range 10-7 to 4 x 102 Ci/cc), or the GE Sample Panel, which has an installed sample pump and manual sample flow rate control (for a range 1.92 x 10-6 to 7.69 x 10-2 Ci/cc, except SGTS A and B).

The FM&IS panel also controls sample flow to the Canberra Normal Range panel (for Standby Gas Treatment B radiation monitor system) for a range of 5.8 x 10-8 to 1 x 10-1 Ci/cc.

7.5-72 The Eberline AXM Panel, with its installed vacuum pump, draws and analyzes a sample from the ventilation duct. (Note that this sample method meets the requirements of ANSI N13.1 at the design ventilation flow rate only.) The sample results are transmitted to the control room via the data acquisition module (range 10-4 to 105 Ci/cc). The Standby Gas Treatment B radiation mon-itoring system uses Canberra skids and uses the installed vacuum pump locat-ed on the Normal Range panel (1D17P024) to draw samples from the ventilation duct. Results are sent to the Horizon software console and then to the con-trol room via a PDS interface. For post-LOCA conditions the release rate through the standby gas treatment system will be 1 x 10-3 Ci/cc and release rate through the containment and fuel handling area vent systems will be 1 LBDCR 2015-052 x 10-2 Ci/cc prior to system isolation. Based on these release rates, it is not necessary to place Category 2 requirements on any low range instruments.

TABLE 7.5-2: NOTES (Continued)

Power Supply All Location and Range non-UPS Function Instrument Ci/cc (unless noted)

Updated Final Safety Analysis Report (UFSAR)

Note 18: Noble Gases GRAND GULF NUCLEAR GENERATING STATION I. OFFGAS AND RADWASTE VENT

a. Eberline SPING (D17P016)

1. Low Range D17-RE-N118 10-7 to 6x10-2 Non-1E Noble Gas (NG)

2. Mid-Range NG D17-RE-N119 2x10-2 to 4x102 Non-1E

b. GE Sample Panel 7.5-73 (D17P001)

1. LCRM D17-RITS-K602 1.92 x 10-6 to Non-1E 7.69 x 10-2 UPS

c. Eberline AXM (D17P017)

1. Mid-Range D17-RE-N120 10-4 to 101 Non-1E Accident NG

2. High Range Accident NG D17-RE-N121 101 to 105 Non-1E Revision 2016-00 II. TURBINE BUILDING VENT

a. Eberline SPING (D17P022)

1. Low Range NG D17-RE-N136 10-7 to 6x10-2 Non-1E

2. Mid-Range NG D17-RE-N137 2x10-2 to 4x102 Non-1E

TABLE 7.5-2: NOTES (Continued)

b. GE Sample Panel (D17P004)

1. LCRM D17-RITS-K620 1.92 x 10-6 Non-1E Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION to 7.69 x 10-2 UPS

c. Eberline AXM (D17P023)

1. Mid-Range D17-RE-N138 10-4 to 101 Non-1E Accident NG

2. High-Range Accident NG D17-RE-N139 101 to 105 Non-1E 7.5-74 Note 19: The Turbine Building and Radwaste Building ventilation systems are monitored by a non-1E microprocessor-based system with on-demand callup available in the control room, or a General Electric-supplied Sample Panel with recording available in the control room. The present system uses two separate sections to monitor the full range required by the Regulatory Guide. The Air Monitor Corporation (AMC) FM&IS panel controls sample flow to the Eberline SPING de-tection system, which transmits its information to the control room (for a range 10-7 to 4 x 102 Ci/cc), or the GE Sample Panel, which has an installed sample pump and manual sample flow rate control (for a range 1.92 x 10-6 to 7.69 x 10-2 Ci/cc).

Revision 2016-00 The Eberline AXM Panel, with its installed vacuum pump, draws and analyzes a sample from the ventilation duct. (Note that this sample method meets the requirements of ANSI N13.1 at the design ventilation flow rate only). The sample results are transmitted to the control room via the data acquisition module (range 10-4 to 105 Ci/cc).

TABLE 7.5-2: NOTES (Continued)

These indicators/recorders will only be used to determine the noble gas ac-tivities released. To determine the iodine and particulate release activi-ties, personnel will be required to remove the iodine/particulate filters from either the Eberline Sping, GE Sample Panel, or Eberline AXM grab sample pallet Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Note 20:

STACK FLOW INSTRUMENTS (Normal Range)

Fuel Handling Area D17-FT-N200C 0-34,100 cfm Non-1E Standby Gas Treatment B D17-FT-N200E 0-4730 cfm 1E(15B41)

Standby Gas Treatment A D17-FT-N200F 0-4730 cfm 1E(15B41)

Containment Vent D17-FT-N200B 0-6375 cfm Non-1E 7.5-75 Offgas and Radwaste D17-FT-N200A 0-52,800 cfm Non-1E Turbine Building D17-FT-N200D 0-16,500 cfm Non-1E STACK FLOW INSTRUMENTS (Accident Monitor)

Containment Vent D17-FT-N200H 0-6375 cfm Non-1E Fuel Handling Area D17-FT-N200I 0-34,100 cfm Non-1E Turbine Building D17-FT-N200J 0-16,500 cfm Non-1E Offgas and Radwaste D17-FT-N200G 0-52,800 cfm Non-1E SGTS B D17-FT-N200K 0-4730 cfm 1E(15B41)

LBDCR 2015-052 SGTS A D17-FT-N200L 0-4730 cfm 1E(15B41)

TABLE 7.5-2: NOTES (Continued)

The normal monitor stack flow instruments are part of the AMC FM&IS and provide a local indication and a control room indication for call-up on any PDS terminal via the SPING microprocessor. The accident monitor flow instruments are capable of providing a control room indication for call-up on any PDS terminal via the Eberline data acquisition module. For the Standby Gas Treatment B radiation monitoring system, Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION indication for the Normal (1D17P024) and High (1D17P025) Range monitors are capable of providing a control room indication for a call-up on any PDS terminal via the ratemeters and Horizon software console.

The instrumentation in the Turbine Building and Radwaste Building are not located in a harsh environment. Therefore, these instruments are not required to be qualified to 10CFR50.49.

When the Containment Ventilation system is operated in the Low Volume Purge mode, 7.5-76 M41R600 is used to monitor containment vent discharge flow.

Note 21: Iodine and Particulate Power Supply All Location and Range non-UPS Function Instrument Ci/cc (unless noted)

I. FUEL HANDLING AREA

a. Eberline SPING (D17P020)

1. Particulate D17-RE-N128 8.43 x 10-5 to 8.43 Non-1E*

LBDCR 2018-034

2. Iodine D17-RE-N129 1.89 x 10-4 to 18.9 Non-1E*

TABLE 7.5-2: NOTES (Continued)

II. STANDBY GAS TREATMENT B

a. Canberra NORMAL RANGE MONITOR (1D17P024)

1. Particulate D17-J203E 2.40 x 10-12 to 1E (15B41)*

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION 4.20 x 10-6

2. Iodine D17-J203E 1E (15B41)*

2.10 x 10-11 to 4.90 x 10-6 III. STANDBY GAS TREATMENT A

a. Eberline SPING (D17P026)

1. Particulate D17-RE-N146 8.43 x 10-5 to 8.43 1E (15B41)*

2. Iodine D17-RE-N147 1.89 x 10-4 to 18.9 1E (15B41)*

7.5-77 IV. CONTAINMENT AREA

a. Eberline SPING (D17P018)

1. Particulate D17-RE-N122 8.43 x 10-5 to 8.43 Non-1E*

2. Iodine D17-RE-N123 1.89 x 10-4 to 18.9 Non-1E*

V. OFFGAS AND RADWASTE VENT

a. Eberline SPING (D17P016)

1. Particulate D17-RE-N116 8.43 x 10-5 to 8.43 Non-1E*

2. Iodine D17-RE-N117 1.89 x 10-4 to 18.9 Non-1E*

LBDCR 2015-052

TABLE 7.5-2: NOTES (Continued)

VI. TURBINE BUILDING VENT

a. Eberline SPING (D17P022)

D17-RE-N134 8.43 x 10-5 to 8.43 Non-1E*

Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION

1. Particulate D17-RE-N135 1.89 x 10-4 to 18.9 Non-1E*

2. Iodine Note 22: Sufficient air samplers are provided for field sampling with particulate filters and iodine sensitive sampling cartridges. The onsite analysis capa-bility includes multichannel analyzers installed in the plant.

Note 23: Sufficient dose rate meters are available to measure radiation levels in the range of 1 mR/hr to 10,000 mr/hr throughout the facility and the site envi-7.5-78 rons.

Note 24: Field monitor teams have access to a portable multichannel analyzer.

Note 25: Meteorological information is available in the control room, either from the BOP computer or the met tower console located in the met tower shed.

Both primary and backup instruments are available for meteorological param-eters.

Note 26: This analysis will be performed using a gas chromatograph and will have an effective range of 0 to 100 percent volume for hydrogen, oxygen, nitrogen, and trace gases.

Revision 2016-00 Note 27: The SLCS storage tank level instrumentation is provided with a backup air accumulator for the bubbler tube air supply.

Note 28: Only those portions of the variable instrumentation required to maintain pressure boundary integrity are seismically qualified.

Note 29: E61-AITS-K002 is environmentally qualified as part of E61-J002.

Note 30: E61-AITS-K001 is environmentally qualified as part of E61-J001.

TABLE 7.5-2: NOTES (Continued)

Note 31: Group 1 Isolation Position Switches.

Valve Instrument Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION B21F022A B21-ZS-N101 A1,A2 B21F022B B21-ZS-N101 B1,B2 B21F022C B21-ZS-N101 C1,C2 B21F022D B21-ZS-N101 D1,D2 B21F028A B21-ZS-N102 A1,A2 B21F028B B21-ZS-N102 B1,B2 B21F028C B21-ZS-N102 C1,C2 B21F028D B21-ZS-N102 D1,D2 7.5-79 B21F067A B21-ZS-N104 A B21F067B B21-ZS-N104 B B21F067C B21-ZS-N104 C B21F067D B21-ZS-N104 D B21F016 B21-ZS-N116 B21F019 B21-ZS-N117 Revision 2016-00

TABLE 7.5-2: NOTES (Continued)

Note 32: Regulatory Guide 1.97 specifies the indication range for sump level should be from the bottom to the top of the sump. Contrary to this requirement, the indications for the Equipment Drain Sump (Identified Leakage) and Floor Drain Sump (Unidentified Leakage) ranges from 6 inches above the bottom to 2 inches below the top of the 36 inch deep sumps. This minor deviation from RG Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION 1.97 was necessary due to installation limitations and is acceptable. The bottom of the range is below the low level pump trip setpoint. The top of the range is well above the high-high alarm setpoint. Control room indica-tion of sump level and calculated leakage rate trends are obtained from the plant computer. The same data can also be obtained from recorders in the auxiliary building.

7.5-80 These installed monitoring instruments will be used for problem detection.

Actual release rates will be determined by removing the collection filter, from either the GE, SPING or AXM and counting these filters with an onsite multichannel analyzer which has a range of 10-3 to 102 Ci/cc.

Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5-81 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5-82 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5-83 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5-84 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5-85 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.5-86 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY 7.6.1 Description This section will examine and discuss the instrumentation and control aspects of the following plant systems:

a. Refueling interlocks system

b. Process radiation monitoring system

c. High-pressure/low-pressure systems interlocks

d. Leak detection system

e. Neutron monitoring system (NMS) (SRM, IRM, LPRM, and APRM)

f. Deleted

g. Rod pattern control system (RPCS)

h. Recirculation pump trip system (RPT)

i. Spent fuel pool cooling and cleanup system

j. Component cooling water system (fuel pool cooling)

k. Auxiliary building isolation control system A number of very important, special observations are cited relative to the evaluation of the instrumentation and control portions of the subject systems.

a. The systems themselves and their I&C portion serve design bases that are both safety and power generation.

b. Many systems inherently perform mechanical or containment safety functions but need little I&C protective support.

c. Many systems provide protective functions in selective minor events and are not required for other major plant occurrences.

7.6-1 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

d. Several systems perform safety functions with other parallel and complementary systems in a network protective manner and as such the network, not the individual system, is to be evaluated for redundancy, diversity, and separation considerations.

e. Several systems have only a small portion of their I&C participating in safety functions.

f. Most of the I&C systems described in this section are an integral part of the total system function described in other sections.

g. A system/safety function, qualitative-level FMEA is presented in Appendix 15A. The interrelated design basis of the various safety system functions are also analyzed in Appendix 15A.

7.6.1.1 Refueling Interlocks System - Instrumentation and Controls 7.6.1.1.1 System Identification The purpose of the refueling interlocks system is to restrict the movement of control rods and the operation of refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations.

This equipment is not required to operate during a seismic event.

The operability of the equipment can be verified after a seismic event without jeopardizing safety.

7.6.1.1.2 Power Sources There is only one source of power for both channels of the logic circuits (see subsection 7.6.1.1.3.2). However, this power source supplies the control rod drive system as well. A failure of this power supply will prevent any rod motion.

7.6.1.1.3 Equipment Design 7.6.1.1.3.1 Circuit Description The refueling interlocks circuitry senses the condition of the refueling equipment and the control rods. Depending on the sensed condition, interlocks are actuated to prevent the movement of the 7.6-2 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) refueling equipment or withdrawal of control rods (rod block).

The main fuel-loaded rod block channels utilize a solid state load sensing system consisting of a common sensor that provides inputs to two independent trip units to provide process signals and loss of power protection. These two channels of instrumentation are provided to sense the following conditions:

a. Refueling platform positioned near or over the core

b. Refueling platform main hoist fuel-loaded (fuel grapple)

c. Reactor Mode Switch in Refuel position 7.6.1.1.3.2 Logic and Sequencing

[HISTORICAL INFORMATION] [The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement. A two-channel circuit indicates that all rods are in. The rod-in condition for each rod is established by the closure of a magnetically operated reed switch in the rod position indicator probe. The rod-in switch must be closed for each rod before the all-rods-in signal is generated. This is not the same switch that provides rod position information to the process computer and four rod position display. Both channels must register the all-rods-in signal in order for the refueling interlock circuitry to indicate the all-rods-in condition.

During refueling operations, no more than one control rod is permitted to be withdrawn; this is enforced by a redundant logic circuit that uses the all-rods-in signal and a rod selection signal to prevent the selection of a second rod for movement with any other rod not fully inserted. Control rod withdrawal is prevented by comparison checking between the A and B portions of the rod control and information system and subsequent message transmission to the affected control rod. The simultaneous selection of two control rods is prevented by the interconnection arrangement of the select push buttons. With the mode switch in the REFUEL position, the circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

Operation of refueling equipment is prevented by interrupting the power supply to the equipment. The refueling platform is provided with two mechanical switches attached to the platform, which are tripped open by a long, stationary ramp mounted adjacent to the 7.6-3 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) platform rail. The switches open before the platform or any of its hoists are physically located over the reactor vessel to indicate the approach of the platform toward its position over the core.]

Load cell readout is provided for all hoists. Indicators display given hoist loads directly to the operator. Load sensing is by a strain gage type transducer that converts load to an electrical signal that is displayed in a digital readout. Associated interlocks and load functions are performed by relay switches that are set to open at predetermined load settings.

The main hoist on the refueling platform is provided with switches that open when the hoist is fuel-loaded. The switches open at a load weight that is lighter than that of a single fuel assembly.

This indicates when fuel is loaded on the hoist.

7.6.1.1.3.3 Bypasses and Interlocks The rod block interlocks, which prevent control rod withdrawal whenever the fuel loaded refueling platform is over the core, and the refueling platform interlocks, which prevent operation of the fuel loaded refueling equipment over the core whenever any control rod is withdrawn, provide two independent levels of interlock action. It is pertinent to note that the strict procedural control exercised during refueling operations may be considered another level of backup.

7.6.1.1.3.4 Redundancy and Diversity Although the refueling interlocks are not designed nor required to meet the IEEE 279-1971 criteria for nuclear power plant protection systems, a single interlock failure will not cause an accident. They are provided for use during planned refueling operations. Criticality is prevented during the insertion of fuel, provided control rods in the vicinity of the vacant fuel space are fully inserted during the fuel insertion. The interlock systems accomplish this by:

a. Preventing operation of the fuel loaded refueling equipment over the core whenever any control rod is withdrawn

b. Preventing control rod withdrawal whenever the fuel loaded refueling platform is over the core 7.6-4 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Preventing withdrawal of more than one control rod when the mode switch is in the refuel position The refueling interlocks have been carefully designed utilizing redundancy of sensors and circuitry to provide a high level of reliability and assurance that the stated design bases will be met. The main fuel-loaded rod block channels utilize a solid state load sensing system consisting of a common sensor that provides inputs to two independent trip units to provide process signals and loss of power protection. Each of the individual refueling interlocks discussed above need not meet the single failure criterion because the essentially independent levels of protection as described in Section 7.6.1.1.3.3 provide assurance that the design basis will be met. For any of the situations listed in Table 7.6-1 a single interlock failure will not cause an accident or result in potential physical damage to fuel or result in radiation exposure to personnel during fuel handling operations.

7.6.1.1.3.5 Actuated Devices The refueling interlocks from the rod control and information system to the refueling equipment de-energizes a relay in the refueling equipment controls which interrupts power to the equipment and prevents it from moving over the core.

The interlocks from the refueling equipment to the rod control and information system actuate circuitry that provides a control rod block. The rod block prevents the operator from withdrawing any control rods.

7.6.1.1.3.6 Separation The refueling interlocks are not designed to nor required to meet the IEEE 279-1971 criteria for nuclear power plant protection systems. However, a single interlock failure will not cause an accident. They are for use during planned refueling operations.

Criticality is prevented during the insertion of fuel providing control rods in the vicinity of the vacant fuel space are fully inserted during the fuel insertion. Separation is provided, to a degree, for two of the three interlocks. The interlock that prevents control rod withdrawal whenever fuel loading equipment is over the core, has two separate channels (a common sensor providing input to two independent relay trip units is used for the main hoist-loaded rod block channels). These are generated from separate contacts on separate relays in the refueling 7.6-5 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) equipment controls and input to two separate rod activity control systems in the RC&IS. The refueling equipment interlocks are generated by two separate channels in the RC&IS and interrupts power to the refueling equipment via a relay in the refueling equipment controls to prevent unacceptable refueling equipment operation over the core.

7.6.1.1.3.7 Testability Complete functional testing of all refueling interlocks before any refueling outage will positively indicate that the interlocks operate in the situations for which they were designed. The interlocks can be subjected to valid operational tests by loading the main hoist with a dummy fuel assembly, positioning the refueling platform, and withdrawing control rods. Where redundancy is provided in the logic circuitry, tests are performed automatically, on a periodic basis, to assure that each redundant logic element can independently perform its function.

7.6.1.1.4 Environmental Considerations The refueling interlocks are required to operate when subjected to the normal environment conditions listed in Table 3.11-1.

Although the refueling interlocks are not required to operate under the conditions listed in Table 3.11-3, they would be capable of operation, with repair if needed, after being subjected to the conditions. The selection of normal environment for qualification is based on the fact that the refueling interlocks are not required at times other than refueling which coincides with normal plant environment.

Refueling components are capable of surviving design basis events such as earthquakes, accidents, and anticipated operational occurrences without consequential damage, but are not required to be functional during or after the event without repair.

7.6.1.1.5 Operational Considerations 7.6.1.1.5.1 General Information The refueling interlocks system is required only during refueling operations.

7.6-6 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.1.5.2 Operator Information In the refueling mode, the control room operator has an indicator light for Refueling Mode Select Permissive whenever any of the control rods are not fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core status display.

Furthermore, whenever a control rod withdrawal block situation occurs, the operator receives annunciation and computer logging of the rod block. He can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree that permissive conditions exist in order to move control rods; otherwise, a control rod withdrawal block is placed into effect. Failure of one channel may initiate a rod withdrawal block, and will not prevent application of a valid control rod withdrawal block from the remaining operable channel.

In terms of refueling platform interlocks, the platform operator has digital type readout indicators for the platform x-y position relative to the reactor core.

The position of the grapple is shown on a digital indicator immediately below the platform position indicators. Digital load cell indications of hoist loads are given for each hoist by locally mounted indicators. Individual push button and rotary control switches are provided for local control of the platform and its hoists. The platform operator can immediately determine whether the platform and hoists are responding to his local instructions, and can, in conjunction with the control room operator, verify proper operation of each of the three categories of interlocks listed previously.

7.6.1.1.5.3 Set Points There are no safety set points associated with this system.

7.6.1.2 Process Radiation Monitoring System - Instrumentation and Controls A number of radiation monitors and monitoring subsystems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. These include the following safety-related monitors discussed in this section:

a. Main steam line radiation monitoring system.

7.6-7 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Ventilation Systems - radiation monitoring subsystems.

1. Containment/drywell ventilation exhaust radiation monitoring subsystem.

2. Auxiliary building - fuel handling area ventilation exhaust - radiation monitoring subsystem.

3. Auxiliary building fuel handling area pool sweep exhaust - radiation monitoring subsystem.

4. Control room intake - radiation monitoring subsystem.

Area and airborne radiation monitors are discussed in subsection 12.3.4. The following non-safety-related process radiation monitors are discussed in Section 11.5*:

a. For gaseous effluent streams

1. Containment ventilation exhaust RMS.

2. Radwaste building ventilation RMS.

3. Fuel handing area ventilation RMS.

4. Turbine building ventilation RMS.

5. Standby gas treatment A and B exhaust ventilation RMS.

b. For liquid effluent streams

1. Radwaste effluent RMS.

c. For gaseous process streams

1. Offgas pretreatment RMS.

2. Offgas post-treatment RMS.

3. Carbon bed vault RMS.

d. For liquid process streams

• The SSW radiation monitors have a passive safety function of maintaining SSW system pressure boundary.

7.6-8 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. Service water system RMS (loops A and B).*

2. Component cooling water RMS.

3. Plant Service Water RMS (ADHRS effluent).

The process radiation monitoring system is shown in Figure 7.6-1.

7.6.1.2.1 Main Steam Line Radiation Monitoring Subsystem The main steam line radiation subsystem is discussed in subsections 7.3.1, and 11.5.1.1.1.

7.6.1.2.2 Ventilation Systems - Radiation Monitoring Subsystem A number of radiation monitors and monitoring and sampling subsystems are provided for ventilation systems. These include:

a. Containment and drywell ventilation exhaust - radiation monitoring subsystem.

b. Fuel handling area vent - radiation monitoring subsystem.

c. Auxiliary building fuel handling area pool sweep exhaust -

radiation monitoring subsystem.

d. Control room intake - radiation monitoring subsystem.

7.6.1.2.2.1 Containment and Drywell Ventilation Exhaust -

Radiation Monitoring Subsystem The containment and drywell ventilation exhaust radiation monitoring subsystem is discussed in subsection 7.3.1.1.2.4.1.7.

7.6.1.2.2.2 Fuel Handling Area Vent - Radiation Monitoring Subsystem This subsystem initiates the standby gas treatment system. Since its function utilizes the same type equipment as discussed in subsection 7.3.1.1.2.4.1.7, the equipment description will not be repeated.

• The SSW radiation monitors have a passive safety function of maintaining SSW system pressure boundary.

7.6-9 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.2.2.3 Auxiliary Building Fuel Handling Area Pool Sweep Exhaust - Radiation Monitoring Subsystem This subsystem initiates the standby gas treatment system. Since its function utilizes the same type equipment as discussed in subsection 7.3.1.1.2.4.1.7, the equipment description will not be repeated.

7.6.1.2.2.4 Control Room Intake - Radiation Monitoring Subsystem This subsystem initiates control room isolation. Since its function utilizes the same type equipment as discussed in subsection 7.3.1.1.2.4.1.7, the equipment description will not be repeated.

7.6.1.3 High-Pressure/Low-Pressure Systems Interlocks 7.6.1.3.1 Function Identification The low-pressure systems which interface with the reactor coolant pressure boundary and the instrumentation which protects them from overpressurization are discussed in this section.

7.6.1.3.2 Power Sources The power for the interlocks is provided from the essential power supplies for the associated systems (RHR for the RHR valves and LPCS for the LPCS valves).

7.6.1.3.3 Equipment Design The following high-pressure/low-pressure interlock equipment is provided:

Process Line Type Valve Parameter Purpose Sensed Shutdown MO E12-F009 Reactor Prevents valve Cooling MO E12-F008 pressure opening until Suction reactor pressure is low Shutdown MO E12-F053A Reactor Prevents valve Cooling E12-F053B pressure opening until Discharge reactor pressure is low 7.6-10 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Process Line Type Valve Parameter Purpose Sensed Feedwater MO E38-F001A Feedwater Prevents valve Leakage E38-F001B Pressure opening until Control feedwater System pressure is low LPCS MO E21-F005 Reactor Prevents valve Discharge pressure opening until reactor pressure is low FRHR/LPCI MO E12-F042A Reactor Prevents valve A, B, & C E12-F042B pressure opening until Discharge E12-F042C reactor pressure is low 7.6.1.3.3.1 Circuit Description Motor-operated RHR shutdown inboard and outboard suction valves E12-F009 and E12-F008 are in series for isolation from the primary system boundary. The valves are provided with four trip unit activated interlocks (two per valve) and four separate (by division) pressure transmitters which are connected to four physically separated instrumentation lines. All four interlocks must indicate low pressure before both valves are permitted to open. Valves E12-F008 and E12-F009 close automatically whenever the primary pressure exceeds the subsystem design pressure.

Motor-operated RHR shutdown discharge valve E12-F053A/B and check valve E12-F050A/B are in series for isolation from the primary system boundary. Motor-operated valve E12-F053A/B is provided with two trip unit activated interlocks and two separate (by division) pressure transmitters which are connected to two physically separated instrumentation lines. Both interlocks must indicate low pressure before the discharge valve can open. The discharge valve closes automatically whenever the primary pressure exceeds the subsystem design pressure.

The inboard and outboard feedwater leakage control subsystems are equipped with one motor-operated valve F001A/B in series with two parallel check valves F002A/B and F003A/B providing isolation from the primary system boundary to prevent high feedwater back pressure. Motor-operated valve F001 is provided with a trip unit activated interlock to prevent the valve from opening whenever the pressure sensed between the MOV and the check valves is above 7.6-11 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) the subsystem design pressure and to automatically close whenever the primary pressure exceeds the subsystem design pressure. The outboard subsystem also requires the main feedwater lines isolation valves to be fully closed before subsystem initiation.

Motor operated LPCS & RHR/LPCI A, B, C system injection valves E21-F005, E12-F042A, B, C and testable check valves E21-F006, E12-F041A, B, C are in series for isolation from the primary system (high pressure) boundary. The injection valves are interlocked closed until reactor pressure is reduced below the low pressure system limits. For automatic system initiation, reactor pressure is sensed by four pressure transmitters (two per division) which supply analog signals to eight trip units (four per division) arranged in a one-out-of-two-twice logic configuration. For manual (testing) opening of the injection valves by means of remote manual switches, pressure downstream of the injection valves is sensed by a single pressure transmitter which provides an analog signal to a single trip unit.

7.6.1.3.3.2 Logic and Sequencing There is no logic as such, since the sensor inputs operate the interlocks without logic combination.

7.6.1.3.3.3 Bypasses and Interlocks There are no bypasses in the high-pressure/low-pressure interlocks except at remote shutdown panel.

7.6.1.3.3.4 Redundancy and Diversity As described in subsection 7.6.1.3.3.1, each process line has two valves in series which are redundant in assuring the interlock.

7.6.1.3.3.5 Actuated Devices The motor-operated valves listed in 7.6.1.3.3 are the actuated devices.

7.6.1.3.3.6 Separation Separation is maintained in the instrumentation portion of the high-pressure/low-pressure interlocks by assigning the interlocks, including sensors and cabling, to the same ESF division as valves controlled by these interlocks.

7.6-12 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.3.3.7 Testability The actuated devices cannot be tested during reactor operation but are verified during startup and shutdown. The sensors can be tested during reactor operation in the same manner that the ECCS sensors are tested. Refer to paragraph 7.3.1.1.1.3.9 for a discussion of typical ECCS testing.

7.6.1.3.4 Environmental Considerations The instrumentation and controls for the high-pressure/low-pressure interlocks are qualified as Class IE equipment. The sensors are mounted on local instrument racks and the control circuitry is housed in control panels in the control room.

7.6.1.3.5 Operational Considerations 7.6.1.3.5.1 General Information The high-pressure/low-pressure interlocks are strictly automatic.

There is no manual actuation capability. If the operator initiates a low-pressure system, the interlocks will prevent exposure to the high pressure.

7.6.1.3.5.2 Reactor Operator Information The status of each valve providing the high-pressure/low-pressure boundary is indicated in the control room. The state of the sensors is also indicated in the control room.

7.6.1.3.5.3 Set Points The set points are listed in Technical Requirements Manual (TRM) for the LPCS and RHR systems and Table 7.3-16 for the FWLC system.

7.6.1.4 Leak Detection System - Instrumentation and Controls The leak detection system consists of the following subsystems:

a. Main steam line leak detection

b. RCIC system leak detection

c. Recirculation pump leak detection

d. RHR system leak detection 7.6-13 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

e. Reactor water cleanup system leak detection

f. Drywell/containment leak detection

g. Safety/relief valve leak detection

h. Reactor vessel head leak detection

i. HPCS system leak detection

j. LPCS system leak detection 7.6.1.4.1 System Identification This section discusses the instrumentation and controls associated with the leak detection system. The system itself is discussed in subsection 5.2.5. Associated automatic valve isolating logic is defined to be part of the containment and reactor vessel isolation control system (subsection 7.3.1.1.2) and RCIC instrumentation and control system (subsection 7.4.1.1) and is described in those sections.

The purpose of the leak detection system instrumentation and controls is to monitor leakage from the reactor coolant pressure boundary and initiate alarms and/or an isolation function before predetermined limits are exceeded.

Safety and seismic classifications for the leak detection system are discussed in Sections 3.10 and 3.11.

7.6.1.4.2 Power Sources Power separation is applicable to leak detection signals that are associated with the isolation valve systems. Two power sources are used to comply with separation criteria. Equipment associated with trip system A is powered by 120 V ac instrument bus A. Trip system B equipment is powered by 120 V ac instrument bus B. Power sources for the containment and reactor vessel isolation control system (CRVICS) are described in subsection 7.3.1.1.2.

7.6-14 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3 Equipment Design 7.6.1.4.3.1 General The systems or parts of systems which contain water or steam coming from the reactor vessel or supply water to the reactor vessel, and which are in direct communication with the reactor vessel, are provided with leakage detection systems (Figures 7.6-2, 7.6-16, and 7.6-17).

The systems within the drywell share a common area; therefore their leakage detection systems are common. Each of the required leakage detection systems inside the drywell is designed with a capability to detect leakage less than established leakage rate limits.

Major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals, valve stem packing, equipment warming drains), are contained and piped to an equipment drain sump and thereby identified.

Equipment associated with systems within the drywell (e.g.,

vessels, piping, fittings) share a common free volume; therefore their leakage detection systems are common. Steam or water leaks from such equipment are collected ultimately in the floor drain sumps.

Each of the sumps are protected against overflowing to prevent leaks of an identified source from masking those from unidentified sources.

The floor drains collecting system is designed to detect leakage in excess of 1 gpm.

Outside the drywell, the piping within each system monitored for leakage is in compartments or rooms separate from other systems wherever feasible so that leakage may be detected in drains, by area temperature indications, or high process flow.

The operator can calculate total and unidentified leakage based on sump pump run times and from the change in sump level as described in plant procedures. The leak rate will be logged in the daily surveillance log. This will provide reference data and a long-term record of leakage.

7.6-15 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A summary of the types of instruments, control readouts, alarms, computer points and reference P&IDs is provided in Table 7.6-14.

7.6.1.4.3.2 Main Steam Line Leak Detection The main steam line leak detection subsystem is discussed in subsections 7.3.1.1.2.4.1.3 and 7.3.1.1.2.4.1.4.

7.6.1.4.3.3 RCIC System Leak Detection 7.6.1.4.3.3.1 Subsystem Identification The steam lines of the RCIC system are constantly monitored for leaks by the leak detection system. Leaks from the RCIC will cause a change in at least one of the following monitored operating parameters: sensed area temperature, steam pressure, or steam flow rate. If the monitored parameters indicate that a leak may exist, the detection system (Figure 7.6-2) responds by activating an annunciator and initiating a RCIC isolation trip logic signal.

The RCIC leak detection subsystem consists of three types of monitoring circuits. The first of these monitors ambient and differential temperature, triggering an annunciator when the observed temperature rises above a preset maximum. The second type of circuit utilized by the leak detection system monitors the flow rate (differential pressure) through the steam line, triggering an annunciator when the observed differential pressure rises above a preset maximum. The third type of circuit utilized by the leak detection system monitors the steam line pressure upstream of the differential pressure element and also is annunciated. Alarm outputs from all three circuits are also used to generate the RCIC auto-isolation signal.

7.6.1.4.3.3.2 RCIC Area Temperature Monitoring 7.6.1.4.3.3.2.1 Circuit Description The area temperature monitoring circuit is similar to the one described for the main steam line tunnel temperature monitoring system. (See subsection 7.3.1.1.2.4.1.3.) The leak detection system logic that provides the isolation signal to RCIC for main steam tunnel high temperature includes a time delay. This allows time to permit the tunnel ventilation system to lower the temperature below the trip set point after isolation of a leak.

7.6-16 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.3.2.2 Logic and Sequencing Using one-out-of-two logic, the RCIC area temperature-monitoring circuit activates an annunciator and initiates a RCIC isolation signal when the observed temperature rises above a preset limit.

7.6.1.4.3.3.2.3 Bypasses and Interlocks A bypass/test switch is provided in each logic division for the purpose of testing the temperature monitor without initiating RCIC system isolation. Placing the keyswitch in Bypass position in one division will not prevent operation of the temperature monitor in the opposite division when required for RCIC system isolation. No other interlocks are provided from this subsystem.

7.6.1.4.3.3.2.4 Redundancy and Diversity Two physically and electrically independent leak detection channels are supplied to those systems designed to isolate upon receipt of the leak detection signal(s) and required to meet the single failure and redundancy criteria.

7.6.1.4.3.3.3 RCIC Steam Line Pressure Monitoring 7.6.1.4.3.3.3.1 Circuit Description Steam line pressure for the common RHR/RCIC steam line is monitored to detect gross system leaks that may occur upstream of the flow element (elbow), causing the line pressure to drop to an abnormally low level. This line pressure is monitored by two pressure transmitters actuating on low pressure. The low-pressure signals provide automatic closure of the common RHR/RCIC inboard and outboard isolation valves.

7.6.1.4.3.3.3.2 Logic and Sequencing Pressure sensors using one-out-of-two logic detect abnormal low steam line pressure and initiate RCIC isolation signal.

7.6.1.4.3.3.3.3 Bypasses and Interlocks No bypasses or interlocks are provided.

7.6-17 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.3.3.4 Redundancy and Diversity A single pressure sensing transmitter in each trip system provides low-pressure monitoring in the common RHR/RCIC steam line. Since isolation of RHR and RCIC systems is accomplished by independent actuation of either trip system, a single failure of a system component in one trip system will not prevent the required isolation function. No diverse method is employed to detect gross system leaks upstream of the elbow.

7.6.1.4.3.3.4 RCIC Flow Rate Monitoring 7.6.1.4.3.3.4.1 Circuit Description The steam line from the nuclear boiler leading to the RCIC turbine is instrumented with two sets of two differential pressure sensors connected to measure the differential pressure created as steam flows past an elbow in the line, so that the steam flow rate through it can be monitored and used to indicate the presence of a leak (or break). In the presence of a leak, the RCIC system responds by generating the auto-isolation signal. Where required, time delays have been incorporated in this isolation logic to prevent spurious isolation due to pressure spikes which accompany system startups.

7.6.1.4.3.3.4.2 Logic and Sequencing

[HISTORICAL INFORMATION] [Redundant instrumentation consists of two channels of pressure monitoring equipment in each trip system, (one-out-of-two) sensing low steam pressure (high flow) in the common steam line. Since isolation of the RCIC system is accomplished by independent actuation of either trip system, a single failure of a system component in either trip system will not prevent the required isolation function.]

7.6.1.4.3.3.4.3 Bypasses and Interlocks No bypasses or interlocks are provided.

7.6.1.4.3.3.4.4 Redundancy and Diversity Isolation of the RCIC system is accomplished using two separate trip systems, each feeding its respective inboard or outboard isolation valves. Each trip system incorporates two channels of high steam flow monitoring instrumentation. Closure of the RCIC 7.6-18 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) isolation valves are also provided from a second flow monitoring channel which senses high flow in the common steam line serving both the RCIC and RHR systems.

7.6.1.4.3.4 Recirculation Pump Leak Detection 7.6.1.4.3.4.1 Subsystem Identification The purpose of the recirculation pump leak detection subsystem is to monitor the rate of coolant seepage or leakage past the pump shaft seals. Excessively high rates of coolant flow past the seal will result in annunciator activation.

There are two recirculation pump leak detection systems, one for each of the pumps in the recirculation loop. The recirculation pump leak detection system consists of two types of monitoring circuits, (Figure 7.6-3). The first of these monitors the pressure levels within the seal cavities, presenting the plant operator with a visual display of the sensed pressure in each of the two cavities. The second type of monitoring circuit utilized by the leak detection system monitors the rate of liquid flow from the seal cavities.

7.6.1.4.3.4.2 Pump Seal Cavity Pressure Monitoring 7.6.1.4.3.4.2.1 Circuit Description The pressure levels within seal cavity No. 1 and seal cavity No. 2 are measured with identical instruments arranged similarly. Only one circuit, seal cavity No. 1 pressure monitoring, will be discussed. The pressure within seal cavity No. 1 is measured using a pressure transmitter. The pressure transmitter produces an output signal whose magnitude is proportional to the sensed pressure within its dynamic range. This output signal is then applied to pressure indicators for plant operator readout.

7.6.1.4.3.4.2.2 Logic and Sequencing No action is initiated by the pump seal cavity pressure monitoring circuit.

7.6.1.4.3.4.2.3 Bypasses and Interlocks No bypasses or interlocks are provided.

7.6-19 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.4.2.4 Redundancy and Diversity No redundancy is provided in this monitoring circuit. The pump seal cavity pressure monitoring is a diverse method of leak detection to the seal cavity flow rate monitoring.

7.6.1.4.3.4.3 Liquid Flow Rate Monitoring 7.6.1.4.3.4.3.1 Circuit Description All condensate flowing past the recirculation pump seal packings and into the seal cavities is collected and sent by one of two drain systems to the drywell equipment drain sump for disposal.

The first drain system drains the major portion of the condensate collected within the No. 2 seal cavity. The condensate flow rate through the drain system is measured by a flow transmitter.

Excessively high or low flow rates through this drain system will activate an annunciator in the control room.

The second drain system drains the cavity beyond the No. 2 seal cavity collecting the condensate that has seeped (or leaked) past the outer seal. The condensate flow rate through this drain system is also measured using a flow transmitter. A high flow rate through this system will activate an annunciator in the control room.

7.6.1.4.3.4.3.2 Logic and Sequencing No action is initiated by the liquid flow rate monitoring circuit.

7.6.1.4.3.4.3.3 Bypasses and Interlocks There are no bypasses or interlocks associated with this subsystem.

7.6.1.4.3.4.3.4 Redundancy and Diversity Redundant pressure and flow sensing instrumentation for detecting shaft seal leakage is not provided since the main function served by this instrumentation is to provide indication and annunciation. Back-up indication of seal leakage is provided, however, by monitoring both seal cavities to allow verification of seal failure. Excessive shaft seal leakage is collected by the drywell equipment drain sump.

7.6-20 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.5 RHR System Leak Detection 7.6.1.4.3.5.1 Subsystem Identification The steam lines of the RHR system are constantly monitored for leaks by the leak detection system (Figure 7.6-2). Leaks from the RHR system are detected by ambient and differential temperature monitoring, and in addition, by flow rate similar to the RCIC system. Logic from all these channels is used to generate RHR auto isolation signals and alarm communication. If the monitored parameters indicate that a leak may exist, the detection system responds by activating an annunciator and initiating a RHR isolation trip logic signal. Differential temperature circuits provide alarm functions only. No isolation signal is created by high T conditions.

The RHR leak detection subsystem consists of three types of monitoring circuits. The first of these monitors, ambient and differential temperature, triggers an annunciator when the observed temperature rises above a preset maximum. The second type of circuit utilized by this leak detection subsystem monitors the flow rate (differential pressure) through the steam line, triggering an annunciator when the observed differential pressure (flow) rises above a preset maximum. Outputs from these two circuits are also used to generate the RHR auto-isolation signal. Differential temperature circuits provide alarm functions only. No isolation signal is created by high T conditions.

The third type of circuit monitors sump levels in the RHR pump rooms triggering annunciators when the level rises above a preset maximum. In addition, a dropping or low level in the suppression pool may be indicative of an RHR line break.

7.6.1.4.3.5.2 RHR Area Temperature Monitoring 7.6.1.4.3.5.2.1 Circuit Description The area temperature monitoring circuit is similar to the one described for the main steam line tunnel temperature monitoring system (See subsection 7.3.1.1.2.4.1.3 and Figure 7.6-4).

7.6.1.4.3.5.2.2 Logic and Sequencing Using one-out-of-two logic, the RHR area ambient temperature monitor activates an annunciator and initiates an RHR isolation signal when the observed temperature exceeds a preset limit.

7.6-21 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.5.2.3 Bypasses and Interlocks A bypass/test keyswitch is provided in each logic train for the purpose of testing the temperature monitor without initiating RHR system isolation. Placing the keyswitch in Bypass position on one train will not prevent operation of the temperature monitor in the opposite train from initiating RHR system isolation. RHR temperature monitoring interlocks are also provided in the RCIC isolation system. Contacts from the bypass/test keyswitch noted above allow testing of the RHR temperature monitor without initiating RCIC isolation.

7.6.1.4.3.5.2.4 Redundancy and Diversity Dual channels of ambient temperature monitoring are provided for leak detection in the RHR system equipment area for each of the two logic trains A and B. Since RHR system isolation is accomplished by independent actuation of the inboard and outboard isolation valves from their respective trip system, a single failure of a system component in either trip system will not prevent the required isolation function.

7.6.1.4.3.5.3 RHR Flow Rate Monitoring 7.6.1.4.3.5.3.1 Circuit Description Flow rate monitoring is provided on the RHR/RCIC steam line.

Flow rates in excess of the predetermined maximum are indicative of a line leak or break, and will generate a differential pressure signal of sufficient magnitude to cause differential pressure trip unit actuation and provide automatic closure of RCIC inboard and outboard isolation valves.

7.6.1.4.3.5.3.2 Logic and Sequencing Using one-out-of-two logic, the flow rate monitoring circuit initiates a signal to isolate RCIC inboard and outboard isolation valves when the flow rate exceeds a preset limit.

7.6.1.4.3.5.3.3 Bypasses and Interlocks No bypasses or interlocks are provided.

7.6-22 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.5.3.4 Redundancy and Diversity RHR steam line isolation is accomplished using the combined RCIC/

RHR flow monitoring system described in subsection 7.6.1.4.3.3.4.1. An independent flow monitoring channel is provided for each trip system. RHR isolation is accomplished by independent actuation of either trip system; consequently, a single failure in either division will not prevent the required isolation function.

7.6.1.4.3.6 Reactor Water Cleanup System Leak Detection 7.6.1.4.3.6.1 Subsystem Identification The purpose of this part of the leak detection system is to monitor the reactor cleanup system components, activating a system annunciator should a system leak of sufficient magnitude occur. In addition to annunciation, a high differential flow comparison will activate automatic isolation of the cleanup system.

The reactor water cleanup (RWCU) leak detection subsystem consists of the following circuits.

a. The floor drain monitoring system. This monitoring subsystem activates an annunciator when the drain flow exceeds a predetermined value.

b. Leakage monitoring by the flow comparison of RWCU system water inlet and outlet flow rate.

c. See subsection 7.3.1.1.2.4.1.9 for the automatic isolation circuits. The remaining circuits provide alarm function only.

7.6.1.4.3.6.2 Containment Floor Drain Monitoring The containment floor drain monitoring system consists of three circuits/subsystems. The first circuit employs two timers and relaying associated with the floor drain sump pumps. One timer measures the amount of time required for the sump to be pumped out, and the other timer measures the time between pump-out cycles. An abnormally high leakage rate will cause the pump to run for a longer period to pump out the sump and will cause an increase in pumping frequency. Either of these two conditions actuates an annunciator in the control room. The second circuit 7.6-23 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) employs a level switch which activates an annunciator in the control room when the sump level becomes abnormally high. The third circuit activates an annunciator in the control room when the temperature of the liquid in the sump becomes abnormally high, which is indicative of excessive leakage.

7.6.1.4.3.6.3 Flow Comparison Monitoring 7.6.1.4.3.6.3.1 Circuit Description RWCU system inlet flow is compared to RWCU outlet flow to the feedwater lines or to the main condenser. A flow element, the flow transmitters, and two square root converters for each of these three lines provides signals to two flow summers which trip two timers at a preselected difference in flows. After a time delay to avoid spurious trips, the time switches trip differential flow alarm units activating alarm and isolation. Flow indication for each of these three lines and differential flow indication are provided in the control room.

7.6.1.4.3.6.3.2 Logic and Sequencing Using one-out-of-two logic, the RWCU flow comparison monitoring circuit initiates a RWCU isolation signal after a time delay from the time the flow rate difference exceeds a preset limit.

7.6.1.4.3.6.3.3 Bypasses and Interlocks The output signal from the flow comparison monitor is interlocked with the instrument power bus monitor for each separate logic train. A bypass circuit is provided which allows testing of the power monitor without disrupting the signal from the flow comparison monitor.

7.6.1.4.3.6.3.4 Redundancy and Diversity RWCU system isolation is accomplished by independent actuation of the inboard and outboard isolation valves from redundant signals derived from two separate trip systems. Inlet and outlet flow are measured with three flow monitoring sensors per trip system. Each flow sensor provides an independent output signal for one of the two trip systems (i.e., inboard and outboard isolation logic).

The signals from three of the flow sensors are fed to a summer unit which generates an inboard isolation signal whenever a given flow mismatch occurs. Similarly, the signals from the other three flow sensors are fed to a redundant summer unit to generate the 7.6-24 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) outboard isolation signal. Isolation is accomplished by independent actuation of the inboard and outboard isolation valves from separate trip systems so that a single failure of a system component in either trip system will not prevent the required isolation function.

7.6.1.4.3.7 Safety/Relief Valve Leak Detection 7.6.1.4.3.7.1 Subsystem Identification Normally, the safety/relief valves are in the shut tight condition and are all at about the same temperature. Steam passage through any valve will elevate the sensed temperature at the exhaust, causing an abnormal temperature reading on the recorder. Relay contacts on the recorder close at a predetermined set point to complete an annunciator circuit. Safety valve operation usually occurs only after relief valve actuation.

Leakage from a valve is usually characterized by a temperature increase on a single input.

7.6.1.4.3.7.2 Safety/Relief Valve Discharge Line Temperature Monitoring 7.6.1.4.3.7.2.1 Circuit Description A temperature element (sensor) is placed in the vicinity of the exhaust line of each safety/relief valve in order to remotely detect the passage of steam through each exhaust line. The output of the temperature elements are, in turn, connected to a common temperature recorder.

7.6.1.4.3.7.2.2 Logic and Sequencing No action is initiated by the safety/relief valve temperature monitoring circuit.

7.6.1.4.3.7.2.3 Bypasses and Interlocks There are no bypasses or interlocks associated with this subsystem.

7.6-25 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.7.2.4 Redundancy and Diversity The main function served by the temperature monitor in question is to provide recording and annunciation. Redundancy of this subsystem is not required since it does not serve a safety function.

7.6.1.4.3.8 Reactor Vessel Head Leak Detection 7.6.1.4.3.8.1 Subsystem Identification The pressure between the inner and outer head seal ring is sensed by a pressure transmitter. If the inner seal fails, the pressure at the pressure transmitter is the vessel pressure and the associated trip unit will trip and actuate an alarm. The plant will continue to operate with the outer seal as a backup and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak will be detected by an increase in drywell temperature and pressure.

7.6.1.4.3.8.2 Head Seal Integrity Pressure Monitoring 7.6.1.4.3.8.2.1 Circuit Description A pressure transmitter monitors the pressure between the inner and outer head seals.

7.6.1.4.3.8.2.2 Logic and Sequencing No action is initiated by the reactor vessel head pressure monitoring circuit.

7.6.1.4.3.8.2.3 Bypasses and Interlocks There are no bypasses or interlocks associated with this subsystem.

7.6.1.4.3.8.2.4 Redundancy and Diversity The only function served by the pressure monitor is that of annunciation. Redundant pressure-sensing instrumentation for detecting inner seal failure is not provided. The outer seal assembly provides back-up in the event that inner seal failure should occur. Should both inner and outer seals fail simultaneously, a steam leak will be detected by instruments which monitor drywell temperature and pressure.

7.6-26 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.9 Drywell Leak Detection 7.6.1.4.3.9.1 Subsystem Identification The purpose of the drywell leak detection subsystem is to monitor various parameters in the drywell and to activate annunciators should the identified or unidentified leakage rates exceed the allowed limits.

The drywell leak detection subsystem consists of the following circuits to monitor unidentified leakage:

a. Floor drain monitoring subsystem. The monitoring subsystem activates annunciators when drain flow, sump level, or sump temperature exceed predetermined values.

b. Airborne radioactivity monitoring. The drywell monitoring system activates annunciators when the airborne particulate or gaseous activity exceeds predetermined values.

c. Drywell air cooler condensate flow monitoring.

d. Drywell cooler inlet and outlet cooling water temperature difference.

e. Drywell air temperature monitoring.

f. Drywell pressure monitoring.

The drywell leak detection system consists of the following circuits to monitor identified sources of leakage.

a. Equipment drain monitoring subsystem. The monitoring system activates annunciators when the drain flow, sump level, or sump temperatures exceed predetermined values.

b. Valve stem packing leakoff monitoring.

c. Recirculation pump seal monitoring.

d. Reactor vessel head seal monitoring.

e. Safety/relief valve monitoring.

7.6-27 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.9.2 Circuit Description 7.6.1.4.3.9.2.1 Floor Drain Monitoring Subsystem The floor drain monitoring subsystem consists of three circuits.

The first circuit employs two timers and relaying associated with the floor drain sump pumps. One timer measures the amount of time required for the sump to be pumped out, and the other timer measures the time between pump-out cycles. An abnormally high leakage rate will cause the pump to run for a longer period to pump out the sump and will cause an increase in pumping frequency.

Either of these two conditions actuates an annunciator in the control room. The second circuit (credited for RG 1.45 leakage monitoring) uses two level transmitters that provide input to the plant computer and redundant level recorders located in the auxiliary building. Either recorder will activate a control room annunciator on high sump level. The recorders and plant computer independently calculate sump in-leakage based on the level rate of change. The plant computer activates a control room annunciator when the in-leakage is excessive. The third circuit activates an annunciator in the control room when the temperature of the liquid in the sump becomes abnormally high, which is indicative of excessive leakage.

7.6.1.4.3.9.2.2 Equipment Drain Monitoring Subsystem The equipment drain monitoring subsystem is similar to the floor drain monitoring subsystem.

7.6.1.4.3.9.2.3 Deleted.

7.6.1.4.3.9.2.4 Airborne Radioactivity Monitoring The drywell radioactivity monitoring system is described in subsection 12.3.4.2.3.1.

7.6.1.4.3.9.2.5 Drywell Air Cooler Condensate Flow Monitoring This circuit is described in subsection 5.2.5.2.

7.6-28 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.9.2.6 Drywell Cooler Inlet and Outlet Cooling Water Temperature Difference Thermocouples are provided in the inlet and outlet cooling water lines to each of the drywell coolers. An abnormal leakage rate will increase the heat load on the drywell coolers and therefore increase the cooling water temperature rise across the coolers.

This is monitored and alarmed by the plant computer.

7.6.1.4.3.9.2.7 Drywell Air Temperature Monitoring Instrumentation provided for drywell air temperature monitoring is described in subsection 7.5.1.2.3.2.

7.6.1.4.3.9.2.8 Drywell Pressure Monitoring Instrumentation provided for drywell pressure monitoring is described in subsections 7.3.1.1.2.4.1.6 and 7.5.1.2.3.1.

7.6.1.4.3.9.2.9 Valve Stem Packing Leakoff Monitoring This circuit is described in subsection 5.2.5.2.

7.6.1.4.3.9.2.10 Recirculation Pump Seal Monitoring These circuits are described in subsection 7.6.1.4.3.4.

7.6.1.4.3.9.2.11 Reactor Vessel Head Seal Monitoring This circuit is described in subsection 7.6.1.4.3.8.

7.6.1.4.3.9.2.12 Safety/Relief Valve Monitoring These circuits are described in subsection 7.6.1.4.3.7.

7.6.1.4.3.9.3 Logic and Sequencing No action is initiated by the drywell leak detection subsystem except for drywell pressure as discussed in subsection 7.3.1.1.2.4.1.6.

7.6.1.4.3.9.4 Bypasses and Interlocks There are no bypasses or interlocks associated with this subsystem.

7.6-29 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.3.9.5 Redundancy and Diversity Redundant instrumentation for detecting leakage within the drywell is not provided (except for drywell temperature and pressure, which have other safety-related functions) since the main function served by this instrumentation is to provide indication and annunciation. Several diverse means for detecting identified and unidentified leakage in the drywell are provided as described above.

7.6.1.4.4 System and Subsystem Separation Criteria Separation is maintained within the leak detection system and its subsystems by assigning controls and instrumentation to divisions that are consistent with interfacing monitored equipment.

7.6.1.4.5 System and Subsystem Testability The proper operation of the sensor and the logic associated with the leak detection systems is verified during the leak detection system preoperational test and during inspection tests that are provided for the various components during plant operation. Each temperature switch, both ambient and differential types, is connected to dual thermocouple elements.

Each temperature switch contains a trip light which lights when the temperature exceeds the set point. In addition, keylock test switches are provided so that logic can be tested without sending an isolation signal to the system involved. Thus, a complete system check can be confirmed by checking activation of the isolation relay associated with each switch.

RWCU differential flow leak detection alarm units are tested by inputting a millivolt signal to simulate a high differential flow. Alarm and indicator lights monitor the status of the trip circuit.

Testing of flow, reactor vessel level, and pressure leak detection equipment is described in the Containment and Reactor Vessel Isolation Section, subsection 7.3.1.2, in the ECCS subsection 7.3.1.1, and other applicable system description sections.

7.6-30 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.4.6 System and Subsystem Environmental Considerations The sensors, wiring, and electronics of the leak detection system which are associated with the isolation valve logic are designed to withstand the envelope conditions that follow a design basis loss-of-coolant accident. (See Tables 3.11-1, 3.11-2, and 3.11-3.)

All portions of the leak detection system which provide for isolation of other systems or portions of systems are environmentally qualified to meet the requirements for Class IE electrical equipment of subsection 3.11.2.1.

7.6.1.4.7 System and Subsystem Operational Considerations The operator is kept aware of the status of the leak detection system through meters and recorders which indicate the measured variables in the control room. If a trip occurs, the condition is continuously annunciated in the control room.

Leak detection system bypass switches are provided in the control room to allow bypassing of certain trip functions during testing.

The operator can manually operate valves which are affected by the leak detection system during normal operation. When a trip conditions exists, the isolation logic must be reset before further manual valve operations can be performed. Manual reset switches are provided in the control room.

7.6.1.5 Neutron Monitoring System - Instrumentation and Controls The neutron monitoring system consists of five major subsystems:

a. Source range monitor subsystem (SRM)

b. Intermediate range monitor subsystem (IRM)

c. Local power range monitor subsystem (LPRM)

d. Average power range monitor subsystem (APRM)

e. Traversing in-core probe subsystem (TIP) 7.6-31 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.5.1 System Identification The purpose of this system is to detect excessive power generation in the core and in the case of the IRMs and APRMs to provide signals to the reactor protection system. It also provides information for operation and control of the reactor.

The IRM and APRM subsystems provide a safety function, and have been designed to meet particular requirements established by the NRC. The LPRM subsystem has been designed to provide a sufficient number of LPRM inputs to the APRM subsystem to meet the APRM requirements. All other portions of the neutron monitoring system have no safety function. The system is classified as shown in Table 3.2-1. The safety-related subsystems are qualified in accordance with Sections 3.10 and 3.11 (see also subsection 7.2.1.1.2).

7.6.1.5.2 Power Source The power sources for each system are discussed in the individual circuit descriptions.

7.6.1.5.3 Source Range Monitor (SRM) Subsystem 7.6.1.5.3.1 Equipment Design 7.6.1.5.3.1.1 Circuit Description The SRM provides neutron flux information during reactor startup and low flux level operations. There are six SRM channels. Each includes one detector that can be physically positioned in the core from the control room (see Figure 7.6-5).

The detectors are inserted into the core for a reactor startup.

They can be withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above.

During low power operation and when the reactor is shutdown with fuel in the vessel, neutron flux is monitored by the source range neutron monitors. In addition, the source range neutron monitors can provide a scram signal when a preset flux level of any channel has been reached by the removal of the shorting links. Removal of the shorting links also changes the IRM trips to noncoincidence scram trips. Normally the shorting links are installed in the logic and if removed must be reinstalled to restore the logic configurations prior to operation of the unit.

7.6-32 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Two operable SRMs provide redundant neutron monitoring of the core during refueling operations. At least one of the operable SRMs is in the quadrant of the core in which the alterations are taking place and the other is in an adjacent quadrant. These quadrants are defined by dividing the core into four 90 degree sections beginning at any azimuth. Both of the SRMs are adjacent to or surrounded by the fueled region of the core where the alterations are taking place, if there is sufficient fuel in the vessel. At the end of a total offload of the core, and at the beginning of reloading the core following a total core offload, there is insufficient fuel in the vessel to include two SRMs in the fueled region. As a result, at the end of a total core offload, the fueled region is reduced from including both operable SRMs to include only one operable SRM. This process is reversed to reload the core. Reloading the core begins by loading fuel assemblies next to one of the operable SRMs and expanding the fueled region to include the second operable SRM.

a. Power Supply The power for the six monitors is supplied from four separate 120 V ac ESF Uninterruptible Power Supplies (UPS). Two each of these monitors are powered from UPS division 1 and 2 and the remaining two are powered from UPS division 3 and 4 respectively.

b. Physical Arrangement Each detector assembly consists of a miniature fission chamber and low-noise quartz-fiber-insulated transmission cable. The sensitivity of the detector is 1.2 x 10-3 cps/

nv nominal, 5.0 x 10-4 cps/nv minimum, and 2.5 x 10-3 cps/

nv maximum. The detector cable is connected underneath the reactor vessel to the multiple-shielded coaxial cable.

This shielded cable carries the pulses to a pulse current preamplifier located outside the drywell.

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote-controlled detector drive system moves the detector along the dry tube. Vertical positioning of the chamber is possible from above the centerline of the active length of fuel to 30 inches below the reactor fuel region (see Figure 7.6-7 and 7.6-8). When a detector 7.6-33 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) arrives at a travel end point, detector motion is automatically stopped. SRM/IRM drive control arrangement is presented in Figure 7.6-8. The electronics for the source range monitors, their trips, and their bypasses are located in four cabinets. Source range signal conditioning equipment is designed so that it can be used for open vessel experiments.

c. Signal Conditioning A current pulse preamplifier provides amplification and impedance matching for the signal conditioning electronics (Figure 7.6-9).

The signal conditioning equipment converts the current pulses to analog dc currents that correspond to the logarithm of the count rate (LCR). The equipment also derives the period. The output is displayed on front panel meters and is provided to remote meters and recorders. The LCR meter displays the rate of occurrence of the input current pulses. The period meter displays the time in seconds for the count rate to change by a factor of 2.7.

In addition, the equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits.

d. Trip Functions The trip outputs of the SRM operate in the fail-safe mode.

Loss of power to the SRM causes the associated outputs to become tripped.

The SRM provides signals indicating SRM upscale, downscale, inoperative, and incorrect detector position to the rod control and information system to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. Appropriate lights and annunciators are also actuated to indicate the existence of these conditions (Table 7.6-3).

7.6.1.5.3.1.1.1 Bypasses and Interlocks One of each group of three SRM channels can be bypassed at any one time by the operation of a switch on the operator's control panel.

7.6-34 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.5.3.1.2 Redundancy and Diversity SRM channels are not redundant because SRM detectors are spatially dependent and do not serve as a backup to other detectors.

7.6.1.5.3.1.3 Testability Each SRM channel is tested and calibrated using the procedures in the SRM instruction manual. Inspection and testing are performed as required on the SRM detector drive mechanism; the mechanism can be checked for full insertion and retraction capability. The various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.

7.6.1.5.3.2 Environmental Considerations The wiring, cables, and connectors located within the drywell are designed for continuous duty in the conditions described in Table 3.11-1. The SRM system components are designed to operate during and after certain design basis events such as earthquakes and anticipated operational occurrences.

7.6.1.5.3.3 Operational Considerations The SRM system provides information to the operator and does not require any operation other than insertion of the SRM detectors into the core whenever these channels are needed, and withdrawal of the SRM detectors, when permitted, to prevent their burnup.

7.6.1.5.4 Intermediate Range Monitor (IRM) Subsystem 7.6.1.5.4.1 Equipment Design 7.6.1.5.4.1.1 Circuit Description The IRM monitors neutron flux from the upper portion of the SRM range to the lower portion of the power range. The IRM subsystem has eight IRM channels, each of which includes one detector that can be positioned in the core by remote control. The detectors are inserted into the core for a reactor startup and are withdrawn after the reactor mode selector switch is turned to RUN.

a. Power Supply Power is supplied separately from four 120 V ac ESF UPS sources.

7.6-35 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Physical Arrangement Each detector assembly consists of a miniature fission chamber attached to a low-loss, quartz-fiber-insulated transmission cable. When coupled to the signal conditioning equipment, the detector produces a reading of full scale on the most sensitive range with a neutron flux of 4 x 108 nv. The detector cable is connected underneath the reactor vessel to a triple-shielded cable that carries the pulses generated in the fission chamber to the preamplifier.

The detector and cable are located in the drywell. They are movable in the same manner as the SRM detectors and use the same type of mechanical arrangement (see Figures 7.6-7, 7.6-8, and Ref. 1).

c. Signal Conditioning A voltage amplifier unit located outside the drywell serves as a preamplifier. This unit converts the current pulses to voltage pulses, modifies the voltage signal, and provides impedance matching. The preamplifier output signal is coupled by a cable to the IRM signal conditioning electronics (see Figure 7.6-10).

Each IRM channel receives its input signal from the preamplifier and operates on it with various combinations of preamplification gain and amplifier attenuation ratios.

The amplification and attenuation ratios of the IRM and preamplifier are selected by a remote range switch that provides 10 ranges of increasing attenuation (the first 6 called low range and the last 4 called high range) acting on the signal from the fission chamber. As the neutron flux of the reactor core increases from 1 x 108 nv to 1.5 x 1013 nv, the signal from the fission chamber is attenuated to keep the input signal to the inverter in the same range. The output signal, which is proportional to neutron flux at the detector, is amplified and supplied to a locally mounted meter. Outputs are also provided for a remote meter and recorder.

d. Trip Functions The IRM Scram Trip Functions are discussed in Section 7.2.

7.6-36 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.5.4.1.1.1 Bypasses and Interlocks The arrangement of IRM channels allows one IRM channel in each group to be bypassed without compromising intermediate range neutron monitoring.

7.6.1.5.4.1.2 Redundancy The IRM system consists of 8 IRM channels, four of which are connected to one trip system, and the other four are connected to the other trip system. The redundancy and single failure requirements are met because any single failure in the IRM system cannot prevent needed safety action of the IRM system. (See also subsection 7.2.1.1.4.1) 7.6.1.5.4.1.3 Testability Each IRM channel is tested and calibrated using the procedures listed in the IRM instruction manual. The IRM detector drive mechanisms and the IRM rod blocking functions are checked in the same manner as for the SRM channels. Each IRM channel can be checked to ensure that the IRM high flux scram function is operable.

7.6.1.5.4.2 Environmental Considerations The wiring, cables, and connectors located in the drywell are designed for the same environmental conditions as the SRMs.

The IRM pre-amplifiers, located outside the containment, and the monitor located in the control room, are designed to operate under all expected environmental conditions in those areas. The IRM system components are designed to operate during and after certain design basis events such as earthquakes, accidents, and anticipated operational occurrences.

7.6.1.5.4.3 Operational Considerations The IRM range switches must be upranged or downranged to follow increases and decreases in power within the range of the IRM to prevent either a scram or a rod block. The IRM detectors must be inserted into the core whenever these channels are needed, and withdrawn from the core, when permitted, to prevent their burnup.

The identification scheme for the IRM subsystem is given in subsection 7.2.2.1.2.3.1.22.

7.6-37 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The method used for identifying power and signal cables and cable trays as safety-related equipment, and the identification scheme used to distinguish between redundant cables, cable trays, and instrument panels is in accordance with the recommendations of Regulatory Guide 1.75.

7.6.1.5.5 Local Power Range Monitor (LPRM) Subsystem 7.6.1.5.5.1 Equipment Design 7.6.1.5.5.1.1 Circuit Description The LPRM consists of fission chamber detectors, signal conditioning equipment, and trip functions. The LPRM also provides outputs to the APRM, the rod block trip system, and the process computer.

a. Power Supply Power for the LPRM is supplied separately from four 120 V ac ESF UPS. Each LPRM amplifier has a separate power supply in the control room, which furnishes the detector polarizing potential. This power supply is adjustable from 75 to 200 V dc. The maximum current output is three milliamps. This ensures that the chambers can be operated in the saturated region at the maximum specified neutron fluxes. For maximum variation in the input voltage or line frequency, and over extended ranges of temperature and humidity, the output voltage varies no more than two volts. Each page of amplifiers is supplied operating voltages from a separate low-voltage power supply.

b. Physical Arrangement The LPRM includes 44 LPRM detector strings having detectors located at different axial heights in the core; each detector string contains four fission chambers. These assemblies are distributed to monitor four horizontal planes throughout the core. Figure 7.6-5 shows the LPRM detector radial layout scheme that provides a detector assembly at every fourth intersection not containing control crosses of the water channels around the fuel bundles. Thus, the uncontrolled water gap has either an actual detector assembly or a symmetrically equivalent assembly in some other quadrant. The LPRM assembly consists of four neutron detectors contained in a multiple 7.6-38 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) dry tube assembly. The detectors may be replaced individually from below the vessel. The assembly is illustrated schematically in Figure 7.6-11. The dry tube assemblies are installed and removed through the top of the vessel. The upper end of the assembly is held to the top fuel guide by means of a spring-loaded plunger. A permanently installed incore guide tube locates and constrains the assembly from the lower core plate to the top of the CRD housing. Thimbles which are welded to the vessel extend to the access area below the vessel where they terminate in a replaceable flange. The flange mates to a machined sealing surface on the incore dry tube assembly.

Each LPRM detector assembly contains four miniature ion chambers with an associated solid sheath cable. The chambers are vertically spaced in the LPRM detector assemblies in a way that gives adequate axial coverage of the core, complementing the radial coverage given by the horizontal arrangement of the LPRM detector assemblies.

Each ion chamber produces a current that is coupled with the LPRM signal conditioning equipment to provide the desired scale indications.

Each miniature chamber consists of two concentric cylinders, which act as electrodes. The inner cylinder (the collector) is mounted on insulators and is separated from the outer cylinder by a small gap. The gas between the electrodes is ionized by the charged particles produced as a result of neutron fissioning of the uranium-coated outer electrode. The chamber is operated at a polarizing potential of approximately 100 V dc. The negative ions produced in the gas are accelerated to the collector by the potential difference maintained between the electrodes. In a given neutron flux, all the ions produced in the ion chamber can be collected if the polarizing voltage is high enough. When this situation exists, the ion chamber is considered to be saturated.

Output current is then independent of operating voltage, (Ref. 1).

Each assembly also contains a calibration tube for a traversing incore probe. The enclosing tube around the entire assembly contains holes that allow circulation of the reactor coolant water to cool the ion chambers.

7.6-39 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Numerous tests have been performed on the chamber assemblies including tests of linearity, lifetime, gamma sensitivity, and cable effects, (Ref. 1). These tests and experience in operating reactors provide confidence in the ability of the LPRM subsystem to monitor neutron flux to the design accuracy throughout the design lifetime.

c. Signal Conditioning The current signals from the LPRM detectors are transmitted to the LPRM amplifiers in the control room.

The current signal from a chamber is transmitted directly to its amplifier through coaxial cable. The amplifier is a linear current amplifier whose voltage output is proportional to the current input and therefore proportional to the magnitude of the neutron flux. Low-level output signals are provided that are suitable as an input to the computer, recorders, etc. The output of each LPRM amplifier is isolated to prevent interference of the signal by inadvertent grounding or application of stray voltage at the signal terminal point.

When a central control rod is selected for movement, the output signals from the amplifiers associated with the 4 LPRM detectors adjacent to the selected control rod are displayed at the operator's control console. The 4 LPRM detector signals from the selected LPRM string are displayed in four windows below the full core status display. The operator can readily obtain readings of all the LPRM amplifiers by selecting the control rods in order.

d. Trip Functions The trip circuits for the LPRM provide trip signals to activate lights, instrument inoperative signals, and annunciators. These trip circuits use the dc power supply and are set to trip on loss of power. They also trip when power is not available for the LPRM amplifiers.

The trip levels can be adjusted to within +/- 0.5 percent of full-scale deflection and are accurate to 1 percent of full-scale deflection in the normal operating environment.

7.6-40 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.5.5.1.2 Bypasses and Interlocks Each LPRM channel may be individually bypassed. When the maximum number of bypassed LPRMs associated with any APRM channel has been exceeded, an inoperative trip is generated by that APRM.

7.6.1.5.5.1.3 Redundancy The LPRM channels meet the redundancy criterion because of the multiplicity of sensing channels. The minimum number of LPRMs that must be in service is shown in Figure 7.2-2.

7.6.1.5.5.1.4 Testability LPRM channels are calibrated using data from previous full power runs and TIP data and are tested with procedures in the applicable instruction manual.

7.6.1.5.5.2 Environmental Considerations Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. The chambers are designed to operate up to 575 F and 1250 psig. The wiring, cables, and connectors located within the drywell are designed for continuous duty up to 270 F; 100 percent relative humidity; and a 4-hour single exposure rating of 482 F at 100 percent relative humidity. The LPRMs are capable of functioning during and after certain design basis events such as earthquakes and anticipated operational occurrences.

7.6.1.5.5.3 Operational Considerations The LPRM is a monitoring system with no special operating considerations.

7.6.1.5.6 Average Power Range Monitor (APRM) Subsystem 7.6.1.5.6.1 Equipment Design 7.6.1.5.6.1.1 Description The APRM subsystem has four APRM channels. Each channel uses input signals from a number of LPRM channels. Each APRM channel is associated with each trip system of the reactor protection system.

a. Power Supply 7.6-41 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The APRM channels receive power separately from two redundant low voltage power supplies (LVPS) contained in a Quad LVPS chassis. The Quad LVPS chassis receives power from two separate 120-VAC ESF UPS input lines. Power for each APRM trip unit is supplied from the same power supply as the APRM it services. APRM channels 1 and 3 are powered from the ac bus used for trip system A of the reactor protection system; APRM channels 2 and 4 are powered from the ac bus used for trip system B. The ac bus used for a given APRM channel also supplies power to its associated LPRMs.

b. Signal Conditioning The APRM channel uses electronic equipment that averages the output signals from a selected set of LPRMs, trip units that actuate automatic devices, and signal readout equipment. Each APRM channel can average the output signals from as many as 44 LPRMs. Assignment of LPRMs to an APRM follows the pattern shown in Figure 7.6-6.

Position A is the bottom position, positions B and C are above position A, and position D is the topmost LPRM detector position. The pattern provides LPRM signals from all four core axial LPRM detector positions.

The APRM gains are adjusted using the instruments front panel display or accepting the APRM gain calculated from the percent core thermal power (% CTP) downloaded from the Plant Process Computer. The averaging circuit automatically corrects for the number of unbypassed LPRM amplifiers providing inputs to the APRM.

Each APRM channel receives two flow signals representative of recirculation driving loop flow. The flow signals (Figure 5.4-002-1&2) are sensed from two pairs of elbow taps, one in each recirculation loop. Total recirculation flow rate is calculated by each APRM chassis by adding the flow values for each loop to obtain total flow. The total flow value is used to produce flow-biased APRM scram and rod block setpoint values so that the setpoint value increases with the total recirculation flow rate value.

The total recirculation flow is also used in the Oscillation Power Range Monitor (OPRM) enable logic.

7.6-42 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The OPRM upscale function monitors LPRMs combined into cells of 4 LPRMs each. The OPRM consists of four independent channels capable of detecting thermal-hydraulic instability by monitoring the neutron flux within the reactor core. The OPRM combines the signals from each LPRM in an OPRM cell and evaluates the combined cell signal using the OPRM algorithms to detect thermal-hydraulic instabilities. An OPRM upscale trip output is generated from an APRM channel when the Period-Based Detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals for the LPRM detectors in a cell, with the period confirmations and relative cell amplitude exceeding specific setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip.

An OPRM upscale trip is also issued from any APRM channel if either the Growth-Rate or Amplitude-Based algorithm detects growing oscillatory changes in the neutron flux from one or more cells in that channel.

The OPRM upscale trip output is automatically enabled (not bypassed) when the APRM Simulated Thermal Power is equal to or above the OPRM auto-enable power setpoint and recirculation flow is equal to or below the OPRM auto-enable flow setpoint. The OPRM upscale trip output is automatically bypassed when Simulated Thermal Power and recirculation flow are not within the OPRM trip enabled region. The OPRM upscale trip is active only when the reactor mode switch is in the RUN position.

c. Trip Function The APRM scram trip function is discussed in Section 7.2.

The APRM circuit arrangement for RPS trip input is shown in Figure 7.6-12.

7.6.1.5.6.1.2 Bypasses and Interlocks The operator can bypass only one APRM channel.

7.6-43 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.5.6.1.3 Redundancy Four independent channels of APRMs monitor neutron flux. Any one of the four APRMs indicating an abnormal condition will initiate its associated trip system. Initiation of both trip systems causes a reactor scram.

7.6.1.5.6.1.4 Testability APRM channels are calibrated to core thermal power values as calculated by a heat balance and are tested by procedures in the applicable instruction manual. Each APRM channel can be tested individually for the operability of the APRM scram and rod blocking functions by introducing test signals.

Each APRM instrument is designed to provide automatic periodic testing of the replacement hardware modules in an APRM channel at least every 15 minutes. The ARPM firmware (or software) continuously cycles through a series of tests when the instrument keylock switch is in the OPER position. When the switch is in the INOP position, the module tests are performed under user control.

7.6.1.5.6.2 Environmental Considerations All APRM equipment is installed and operated in a control room environment as described in Table 3.11-1. The APRM system is capable of functioning during and after certain design basis events such as earthquakes and anticipated operational occurrences.

7.6.1.5.6.3 Operational Considerations Setpoint values for the flow-referenced scram and rod-block trip setpoints for different reactor operating conditions may be selected by operator controls on the APRM instruments front panel.

The method used for identifying power and signal cables and cable trays as safety-related equipment, and the identification scheme used to distinguish between redundant cables, cable trays, and instrument panels is in accordance with the requirements of Regulatory Guide 1.75.

7.6.1.5.7 Traversing Incore Probe Subsystem The TIP system is discussed in subsection 7.7.1.6.1.

7.6-44 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.6 Deleted.

7.6.1.7 Rod Pattern Control System (RPCS) - Instrumentation and Controls 7.6.1.7.1 System Identification The rod pattern control system (RPCS) is a subsystem of the rod control and information system (RC&IS).

The purpose of the rod pattern control system (RPCS) is to reduce the consequences of the postulated rod drop accident to an acceptable level by restricting the patterns of control rods that can be established to predetermined sets.

7.6.1.7.2 Power Sources 120 V ac essential power is supplied to the two redundant channels of RPCS through the RC&IS from the Division 1 and Division 2 120 V ac instrument bus.

7.6.1.7.3 Equipment Design The rod pattern control system (RPCS) is a dual division system designed as a safety-related system. The control logic for the RPCS is contained in the rod activity control cabinets, one cabinet for each division. These electronic circuits will have, in permanent storage, the identification of all rod groups and logic control information required to prevent movement of rods into unacceptable rod patterns. The logic will be hardwired and will not be site programmable except through engineering design change requiring new electronic circuit cards.

There is a dual rod position probe for each drive. Each probe has two sets of reed switches for rod position information and will provide, through different connectors, inputs to different rod position multiplexers. Two rod position multiplexers are provided, one for each division. These multiplexers transmit rod position data to the rod action controls. These controls will decode the multiplexed data and provide rod position data to the RPCS controller for all rods. The rod position multiplexers and controls are arranged in two divisions.

7.6-45 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Rod position is the primary data input for RPCS. Other inputs to the RPCS controllers include reactor power level, mode of operation, identification of selected rod, drive mode requested by the operator, and special modes of operation such as shutdown margin test.

A means of comparing the outputs of the RPCS logic devices is provided as a way of monitoring the performance of the two divisions. Both divisions must be operable and have identical insert and withdraw permissive signals before rod motion is permitted. Failed comparison and circuit failures or inoperative conditions will be indicated in the control room. RPCS outputs are transmitted to the two activity control sections of the RC&IS in the form of a rod drive permissive interlock. The two RPCS divisions provide inputs separately to the two separate activity controls. These two inputs are then treated as other rod block interlocks and further compared in the non-divisional rod drive portion of the RC&IS.

From 0 percent power and 100 percent rod density (all rods full in) either sequence A or B may be used for startup. Rod movement below the low-power set point (LPSP) is controlled in accordance with the Banked Position Withdrawal Sequence (BPWS) (15.4.10, Ref. 3) in order to limit the effects of a postulated control rod drop accident. (See Section 4.3 for group assignments.) The first two rod groups are always moved from full-in to full-out. These motions can be either single rod or gang rods and single notch or continuous withdrawal.

After the first two groups are fully withdrawn, all subsequent groups are controlled by use of BPWS banked (or intermediate) positions between full-in and full-out below the LPSP. These positions are part of the permanent logic of the RPCS but may vary from cycle to cycle, requiring new circuit cards. Gang rod or single rod motion is permitted in this range: however, all control rods within a group must be withdrawn to their designated positions before proceeding to the next bank positions.

The limits of rod travel are strictly enforced. When a control rod reaches the limit of acceptable motion, a rod block is applied to that rod to inhibit any further travel in that direction. Any deviation in position data from the accepted pattern programmed into the RPCS causes insert and withdraw blocks to be applied to all rods not position bypassed.

7.6-46 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

When the LPSP is reached, the rod pattern controller no longer inhibits control rod motion. Should a rod drop accident occur at power levels above LPSP, the reactivity change would have less effect than if it occurred at power levels below LPSP. This power level is derived directly from the Power Range Neutron Monitoring System. There are two channels of instruments which are redundant and separated divisionally. These trip functions are input to the proper rod activity control cabinet and both instrument channels must trip to bypass the RPCS. These instruments are continuously monitored, and any instruments out of service or gross failure is alarmed and indicated in the control room.

From the LPSP to the HPSP, rod withdrawals are restricted to prevent excessive changes in the heat flux rate. From the HPSP to 100-percent power, rod withdrawals are further restricted to prevent excessive change in the heat flux rate. A fixed number of notches is allowed for rod movement, and motion beyond this point is blocked.

Shutdown follows the same rules as above but in reverse. The only difference is that an approach alarm, called the low-power alarm point, is provided so that the operator may prepare valid rod positions for proper shutdown below the LPSP.

Implementing EPU resulted in rescaling the lower bound of the LPSP to maintain the AL in terms of absolute power. The upper bound AL for LPSP was not rescaled. Additionally, because the high pressure turbine was modified to support EPU power levels, new allowable values (AVs) were established for both the upper and lower bounds of LPSP in units of psig.

7.6.1.7.3.1 Bypass of the RPCS Because of the possibility of stuck rods, provisions are made to bypass failed inputs per the following rules. Substitute rod positions may be entered into the RPCS providing:

a. Only one entry per channel per subgroup is allowed.

b. The same position cannot be entered into both channels.

c. Upon rod motion and a new position scan, the substitute rod position will be overlayed with new data.

d. Unknown and substitute positions are logged and indicated in the control room.

7.6-47 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Failed rods may be bypassed entirely. The maximum expected number of bypassed rods is 8. Bypassed rods will not be checked by the RPCS. All bypass switches are under keylock control. All bypass conditions including substitute rod positions are alarmed, indicated, and logged in the control room and process computer.

In addition to the periodic self-test mode of system operation, the RC&IS can be routinely checked for correct operation by manipulating control rods using the various methods of control.

Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the reactor manual control circuitry.

7.6.1.7.4 Environmental Considerations The rod control and information system is not required for safety functions, nor required to operate after the design basis accident. The rod control and information system is required to operate in the normal plant environments for power generation purposes only.

The hydraulic control units are located in the containment.

The logic, control units, and instrumentation readout are located in the control room.

The control rod position detectors are located beneath the reactor vessel in zone 3 of the drywell. For the normal design environments encountered in these areas, see Tables 3.11-1 and 3.11-2.

7.6.1.7.5 Operational Consideration 7.6.1.7.5.1 General Information The rod control and information system (RC&IS) is totally operable from the control room. Manual operation of individual control rods is possible with pushbuttons to effect control rod insertion, withdrawal, or settle. Rod position indicators, described in subsection 7.7.1.2, provide the necessary information to ascertain the operating state and position of all control rods. Conditions which prohibit control rod insertion are alarmed with the rod block annunciator.

7.6-48 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The instrumentation and electrical equipment, cabling, cable trays related to, and structures housing parts of other instrumentation systems required for safety are designed in accordance with criteria required for Class IE and seismic Category I systems and structures, respectively. Identification of equipment, cabling, and cable trays is in accordance with the recommendations of Regulatory Guide 1.75.

7.6.1.7.6 Separation The RPCS is a two division system. Separation is maintained between the redundant portions of the system to assure compliance with the separation and single failure criteria.

7.6.1.8 Recirculation Pump Trip (End of Cycle RPT) System -

Instrumentation and Controls 7.6.1.8.1 System Identification The recirculation system pump trip is provided to supplement shutdown at the end of fuel cycle when rodworths are reduced by core nuclear characteristics. The trip system includes the sensors, logic circuitry, load drivers and circuit breakers that cause main power to be disconnected from both recirculation pumps upon closure signals from the turbine stop valves or turbine control valves in the event of a turbine trip or generator load rejection, above 40 percent reactor power.

The recirculation pump trip system is designed to aide the RPS in protecting the integrity of the fuel barrier. Turbine stop valve closure or turbine control valve fast closure will initiate a scram and concurrent recirculation pump trip above 40 percent reactor power in order to keep the core within the thermal hydraulic safety limits during operational transients.

When a RPT system A trip signal is generated to trip the A recirculation pump, an automatic initiation signal is transmitted to start the A low frequency MG. Similarly, when a signal trips the B recirculation pump, an automatic initiation signal starts the B low frequency MG. Although the low frequency MG starts on the aforementioned sequence the safety function is met when the last speed breakers trip.

7.6-49 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.8.1.1 Safety Classification The recirculation pump trip (RPT) system is a nuclear safety-related (class IE) system. The initiation signals for low frequency MG start are non-class IE and are isolated from the class IE circuits.

7.6.1.8.1.2 Circuit Sharing Sensors and logic circuitry are shared with RPS.

7.6.1.8.2 Power Sources The RPT system utilizes two types of power from the same sources as the reactor protection system (RPS); 120 V ac from nonessential RPS motor-generators is supplied for the sensor channels and essential 125 V dc from station batteries is supplied for the logic trip circuits for RPT.

7.6.1.8.3 Equipment Design 7.6.1.8.3.1 Initiating Circuits RPS inputs sense turbine stop valve closure (turbine trip) or turbine control valve fast closure (load rejection). These inputs utilize four-division RPS logic and are combined into the two-divisional two-out-of-two systems utilized for RPT function. The devices utilized to sense turbine trip and full load rejection are discussed in subsection 7.2.1.1.4.2. Figure 7.2-7 is typical of the RPT initiation circuitry.

7.6.1.8.3.2 Logic

[HISTORICAL INFORMATION] [The basic logic arrangement is shown on Figure 7.2-3. It is a two-divisional two-out-of-two design for the turbine control valve and two-out-of-two for the turbine stop valve. It receives signals from each of four RPS divisions.

Initiation requires confirmation by sensors located in two or more RPS divisions. Failure to initiate requires failure in more than two RPS divisions. Inputs per division are combined in two-out-of-two configurations.]

Each RPT division causes both recirculation pumps to trip off the main power supply.

7.6-50 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

RPT is automatically bypassed when reactor power, as indicated by the Power Range Neutron Monitoring System, is less than the bypass setpoint.

7.6.1.8.3.3 Actuated Devices The output from the trip system allows current to flow into the breaker trip coils when a trip signal is received. The breakers interrupt the main power supply when the coil is energized.

7.6.1.8.3.4 Separation Sensors utilized to monitor for turbine trip and full load rejection are incorporated in the reactor protection system, where they are combined into a two-divisional system for input to the RPT system. All system wiring outside the cabinets is run in accordance with applicable separation requirements. Cables from sensors and power cables are routed such that no single event involving a single panel, cabinet, or raceway can disable the RPT function.

7.6.1.8.3.5 Testability See subsection 7.2.1.1.4.8.

7.6.1.8.4 Environmental Considerations The electrical modules and sensors are located in the control room and/or the turbine building. The environmental conditions for these areas are shown in Section 3.11.

7.6.1.8.5 Operational Considerations 7.6.1.8.5.1 General Information Trip logic is designated by divisions A, B, C, and D and actuation devices (breaker trip coil) by divisions 1 and 2. The trip conditions of sensors and logic devices are shown in Figure 7.2-1 (RPS IED).

7.6.1.8.5.2 Operator Information

a. Indicators 7.6-51 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. Trip initiate indicators, wired across the trip contacts, extinguish when the trip system closes the contact to the breaker trip coil.

2. Trip condition indicators will be energized when the breaker is in an untripped condition as indicated by switch contacts mechanically tied to the breaker mechanism.

3. Trip coil continuity lights.

b. Annunciators

1. Trip initiation is annunciated

2. Trip condition of the breakers is annunciated.

7.6.1.8.5.3 Set Points Initiation signals are provided by the RPS and are covered in subsection 7.2.1.1.6.3.

7.6.1.8.6 IEEE Std. 279 Design Basis Considerations IEEE Standard 279-1971, Section 3, Paragraphs 1 through 9, defines the design basis requirements. A listing of each of these requirements and its applicability to the RPT system is as follows:

a. Document the Generating Station conditions which require protective action - RPT is a system which provides more rapid reactor shutdown for two types of transients. No additional conditions requiring protective action are involved.

b. Generating station variables - the RPT system monitors turbine trip fluid pressure and turbine control fluid pressure which are indicative of turbine stop valve closure and turbine control valve fast closure, respectively.

c. Documentation of minimal number and function of sensors required to monitor adequately are shown in the Technical Specifications.

d. Operational Limits - not applicable for RPT.

7.6-52 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

e. Margin between Operational Limit and Unsafe Condition -

not applicable to RPT.

f. Levels that when reached will require protective action -

not applicable for RPT.

g. Document the Range of Transient and Steady State Conditions Throughout Which the System Must Perform - see subsections 8.3.1 and 8.3.2.

h. Document the Malfunctions, Accidents and Other Unusual Events which could cause Damage - see subsection 7.2.1.2.8.

i. Document minimum performance requirements - see the Technical Specifications.

7.6.1.9 Spent Fuel Pool Cooling and Cleanup System -

Instrumentation and Controls 7.6.1.9.1 System Identification The fuel pool cooling portion of the fuel pool cooling and cleanup system is classified as Safety Class 3. Instrumentation is supplied to maintain the fuel pool temperature within safe limits. The filter/demineralizer portion is not safety related.

The instrumentation is for plant equipment protection and for the operator only.

The fuel pool cooling and cleanup system is an independent system during normal operations. Evaporative losses in the system are replaced by the condensate storage system. If the heat load should become excessive, the shutdown cooling portion of the residual heat removal system is operated in parallel with this system to remove the excess heat load.

7.6.1.9.2 Power Sources The fuel pool cooling portion operates off Division I and II 120 V ac ESF power bus. The filter/demineralizer portion receives its power from a reliable 120 V ac bus.

7.6.1.9.3 Equipment Design The essential components of the fuel pool cooling system have been designed to seismic Category I requirements.

7.6-53 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.9.4 Circuit Description Temperature indication, alarm high, and level indication, alarm both high and low, is provided for the pools. The drain tank is also provided with level indication, alarm high and low.

Drain tank low-low level trip will automatically shut off the fuel pool pumps.

A standpipe in the area around the cleanup portion of the system monitors leaks or breaks in this non-seismic area. When a sizeable leak occurs the leak detection function automatically shuts off the fuel pool pumps and isolates the cleanup loop. The pumps and seismic bypass must then be remotely activated to continue cooling. When only one division of the cleanup portion is in service, an automatic shut off of the pumps, from leak detection will not occur, however, the isolation of the cleanup portion will occur.

The filter demineralizer controls are carried out by a process control subsystem. Discussion of circuit design is not presented since the total failure or malfunction of the subject control subsystem does not involve any safety function or ramification.

The logic provided within the controller activates and carries out process activities such as backwashing, precoating, and filtering, based on the process variable condition.

7.6.1.9.5 Bypasses and Interlocks There are no bypasses or interlocks provided in this system.

7.6.1.9.6 Redundancy and Diversity The cooling portion of the spent fuel pool cooling and cleanup system is redundant, i.e., there are two independent cooling loops each capable of providing the required cooling for a normal quantity of fuel. The RHR system can be used as a backup to cool the pool.

7.6.1.9.7 Testability The proper operation of the system can be verified by visual cross check between divisions.

7.6.1.9.8 Environmental Considerations Since the Fuel Pool Cooling and Cleanup equipment and piping contains water recirculated from the spent fuel pool, the radiation levels in these areas is expected to be closer to that 7.6-54 LBDCR 2021-089 LBDCR 2021-090

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) specified for the RHR, RCIC and LPCS areas rather than the general floor. The remaining environmental factors (i.e. pressure, temperature and relative humidity) are enveloped by the expected values for the RHR, RCIC and LPCS areas. All equipment is located within a mild environment. The normal and accident conditions are essentially the same. See Table 3.11-1-III, A, C, D and M.

7.6.1.9.9 Operational Considerations There are no special operating considerations.

7.6.1.10 Component Cooling Water System (Fuel Pool Cooling)

Refer to subsection 9.2.2 for a description of the component cooling water (CCW) system. The CCW system provides an intermediate cooling loop between the plant service water system and plant auxiliary equipment which have the potential of transferring corrosion or fission products to their coolant.

Final system drawings for the CCW system are provided by reference in Section 1.7. The logic diagram is Drawing J-1224. The electrical schematic is Drawing E-1226. The system P&ID is provided in Figures 9.2-9 and 9.2-10.

Only two portions of the CCW system perform a safety-related protective action. One safety-related portion is the intertie of the fuel pool heat exchangers to the standby service water (SSW) system for fuel pool cooling, the other is the containment and drywell isolation valves. Containment and drywell isolation is discussed in subsections 6.2.4 and 7.3.1.1.2. The fuel pool cooling portion of the CCW system is discussed in this section.

7.6.1.10.1 Initiating Circuits The CCW system operates continuously during normal plant operation. The fuel pool heat exchangers are automatically isolated from the CCW system and from each other by two-out-of-two logic low-flow signals. The intertie valves to the SSW system are manually opened.

7.6.1.10.2 Logic

[HISTORICAL INFORMATION] [Automatic closing of the component cooling water isolation valve associated with each fuel pool heat exchanger is initiated by separate two-out-of-two, low-flow signals in the common inlet header.

7.6-55 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The standby service water supply and return valves for the fuel pool heat exchangers may be manually opened only if the component cooling water isolation valves for the associated heat exchanger are fully closed.

Standby service water isolation valves must be fully closed before a component cooling water isolation valve can be opened.]

7.6.1.10.3 Bypasses If heat exchanger A inlet and outlet isolation valves are fully closed (i.e., heat exchanger A is valved out for service) a one-out-of-two taken twice signal, generated by two position switches on each valve, inhibits the low-flow close signal to the system A isolation valves so that heat exchanger B may be returned to operation with component cooling water after completion of operation on standby service water.

7.6.1.10.4 Interlocks The fuel pool heat exchanger CCW valves are interlocked with the SSW valves to ensure that the SSW valves are closed prior to opening the CCW valves.

7.6.1.10.5 Redundancy During emergency conditions, when the fuel pool heat exchangers are served by the SSW system, each heat exchanger is served by an independent and redundant SSW train. Refer to subsections 7.3.1.1.7 and 9.2.1 for a description of the SSW system.

The low-flow isolation signal is developed from two pairs of independent and redundant flow transmitters and trip units.

All valves and controls associated with fuel pool heat exchanger A are powered from ESF Division 1 and all valves and controls associated with fuel pool heat exchanger B are powered from ESF Division 2.

7.6.1.10.6 Diversity Diversity is provided for the fuel pool heat exchangers by providing cooling from two separate safety-related cooling loops, the SSW system and the CCW system. (CCW system is not safety-related. However, piping and valves associated with fuel pool cooling heat exchangers are safety-related.)

7.6-56 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.10.7 Actuated Devices Component devices actuated by the CCW system for fuel pool cooling are given in Table 7.6-10.

7.6.1.10.8 Supporting Systems The supporting systems required for the CCW system are identified in Table 7.6-13.

7.6.1.10.9 Design Bases Refer to subsection 9.2.2 for a discussion of the design bases for the CCW system. Compliance with the design bases given in Section 3 of IEEE Standard 279-1971 is as discussed in subsection 7.3.1.2 and as follows:

(NOTE: Numbers correspond to those in the IEEE Standard.)

1. The plant conditions which require protective action involving the CCW system are subsection 9.2.2.

2. The generating station variables monitored by CCW instrumentation are given in Table 7.6-9.

3. The quantity and location of sensors for these variables are also given in Table 7.6-9.

4. Operational limits for each mode of operation are given in Table 7.6-9.

5. The margin between operational limits and the level considered to mark the onset of unsafe conditions is given in Table 7.6-9.

6. The level at which action is initiated is given in Table 7.6-9.

7. See subsection 7.3.1.2(7).

8. See subsection 7.3.1.2(8).

9. System accuracies and ranges are given in Table 7.6-9.

7.6-57 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.11 Deleted 7.6.1.12 Auxiliary Building Isolation System The auxiliary building isolation system serves to close all penetrations through the secondary containment boundary upon detection of a LOCA, except as noted in subsection 6.2.3. Refer to subsection 6.2.3 for a discussion of the secondary containment.

Final system drawings for the auxiliary building isolation system are provided by reference in Section 1.7. The logic diagram is Drawing J-1260. The electrical schematic is Drawing E-1219.

7.6.1.12.1 Initiating Circuits The auxiliary building isolation system is automatically initiated by a LOCA signal from the containment and reactor vessel isolation control system (CRVICS). Manual initiation is also possible on a system level by manually initiating the CRVICS, which initiates both the NSSS and non-NSSS portions of the CRVICS as well as the auxiliary building isolation system, or on a device level from control room handswitches.

7.6.1.12.2 Logic

[HISTORICAL INFORMATION] [The signals which initiate the auxiliary building isolation system are arranged in a one-out-of-two-taken-twice logic and are part of the CRVICS.] The system is divided into two independent and redundant divisions composed of solid state bistables and electromechanical relays.

Once actuated, each component valve in the auxiliary building isolation system remains closed until individually returned to its normal condition. Return to normal is inhibited as long as the initiating signal is present, except as noted below.

7.6.1.12.3 Bypasses There are no bypasses in the auxiliary building isolation system.

7.6.1.12.4 Interlocks There are no interlocks in the auxiliary building isolation system.

7.6-58 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.1.12.5 Redundancy Two completely independent and redundant auxiliary building isolation systems are provided, including independent and redundant logic systems. The two logic systems are powered from separate ESF buses. Physical and electrical separation is maintained between the two systems.

7.6.1.12.6 Diversity Auxiliary building isolation is initiated automatically by a diverse LOCA signal from CRVICS (reactor water level and drywell pressure). Additional diversity is not necessary or required.

7.6.1.12.7 Actuated Devices Component devices actuated by the auxiliary building isolation system are shown in Table 7.6-12.

7.6.1.12.8 Supporting Systems The supporting systems required for auxiliary building isolation system actuation are identified in Table 7.6-13.

7.6.1.12.9 Design Bases Refer to subsection 6.2.3 for a discussion of the design bases for the secondary containment. The auxiliary building isolation system is designed in accordance with the design bases established by Section 3 of IEEE Standard 279-1971 as described in subsection 7.3.1.2 for the CRVICS and as follows:

(NOTE: Numbers correspond to those in the IEEE Standard.)

1. The plant conditions which require protective action involving the auxiliary building isolation system are examined and presented in Chapter 15 and Appendix 15A.

2-6. The auxiliary building isolation system is initiated manually or by a signal from the containment and reactor vessel isolation control system. Refer to Section 7.3.1.1.2 for a description of the sensors which initiate these systems.

3. See subsection 7.3.1.2(7).

7.6-59 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

4. See subsection 7.3.1.2(8).

5. Since the auxiliary building isolation system does not include sensors, its response time is essentially the closing time of the associated isolation valves.

7.6.2 Analysis 7.6.2.1 Refueling Interlocks System - Instrumentation and Controls 7.6.2.1.1 Conformance to General Functional Requirements The refueling interlocks, in combination with core nuclear design and refueling procedures, limit the probability of an inadvertent criticality. The nuclear characteristics of the core assure that the reactor is subcritical even when the highest worth control rod is fully withdrawn. Refueling procedures are written to avoid situations in which inadvertent criticality is possible. The combination of refueling interlocks for control rods and the refueling platform provides redundant methods of preventing inadvertent criticality even after procedural violations. The interlocks on hoists provide yet another method of avoiding inadvertent criticality.

Table 7.6-1 illustrates the effectiveness of the refueling interlocks. This table considers various operational situations involving rod movement, hoist load conditions, refueling platform movement and position, and mode switch manipulation. In all cases, correct operation of the refueling interlock will prevent either the operation of loaded refueling equipment over the core when any control rod is withdrawn or the withdrawal of any control rod when fuel-loaded refueling equipment is operating over the core. In addition, when the mode switch is in REFUEL, only one rod can be withdrawn; selection of a second rod initiates a rod block.

7.6.2.1.2 Conformance to Specific Regulatory Requirement The reactor mode switch is qualified to meet IEEE Std. 344-1971.

Refueling interlocks associated with the refueling platform and hoists need not be qualified since no electrical failure or combination of failures can result in a situation resulting in a significant release of radioactive materials.

There are no specific General Design Criteria requirements for this system.

7.6-60 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.2 Process Radiation Monitoring System - Instrumentation and Controls 7.6.2.2.1 Main Steam line Radiation Monitoring Subsystem The analysis for the main steam line radiation monitoring subsystem is discussed in subsection 7.3.2.2.

7.6.2.2.1.1 Conformance to General Functional Requirement Refer to subsection 7.3.2.2.1.

7.6.2.2.1.2 Conformance to Specific Regulatory Requirement Refer to subsection 7.3.2.2.2.

7.6.2.2.2 Ventilation Subsystems - Radiation Monitoring Subsystems 7.6.2.2.2.1 Containment and Drywell Ventilation Exhaust -

Radiation Monitoring Subsystem The analysis for this subsystem is presented in subsection 7.3.2.2.

7.6.2.2.2.2 Auxiliary Building Fuel Handling Area Vent -

Radiation Monitoring Subsystem The analysis for this subsystem is the same as that presented in subsection 7.3.2.2.

7.6.2.2.2.3 Auxiliary Building Fuel Handling Area Pool Sweep Exhaust - Radiation Monitoring Subsystem The analysis for this subsystem is the same as that presented in subsection 7.3.2.2.

7.6.2.2.2.4 Control Room Intake - Radiation Monitoring Subsystem The analysis for this subsystem is the same as that presented in subsection 7.3.2.2.

7.6-61 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.3 High-Pressure/Low-Pressure Systems Interlocks 7.6.2.3.1 Conformance to General Functional Requirements The high-pressure/low-pressure interlocks provide an interface between low-pressure systems and reactor pressure. When reactor pressure is low enough as to not be harmful to the low-pressure systems, the valves may be opened exposing the low-pressure system to reactor pressure. The interlocks are automatic and the operator is given indication of their status.

7.6.2.3.2 Conformance to Specific Regulatory Requirements 7.6.2.3.2.1 Conformance to General Design Criteria There are no General Design Criteria that apply to the high-pressure/low-pressure interlocks.

7.6.2.3.2.2 Conformance to IEEE Standards 7.6.2.3.2.2.1 Conformance to IEEE Standard 279-1971 The interlocks are designed in accordance with the single failure criterion, redundancy requirements, and testability criterion.

7.6.2.3.2.2.2 Conformance to IEEE Standard 336-1971 The post-operation quality assurance program is discussed in Chapter 17.

7.6.2.3.2.2.3 Conformance to IEEE Standard 338-1971 The design of the interlocks is such that they can be tested during reactor operation except for the actuated devices (valves). The valves can be tested during startup and shutdown.

7.6.2.3.2.2.4 Conformance to IEEE Standard 379-1972 Two valves in each low-pressure system process line and separate actuation paths assure that the interlocks comply with the single failure criterion.

7.6-62 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.3.2.3 Conformance to Regulatory Guides General exceptions to and positions taken on the Regulatory Guides, and the revision of the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the HP/LP systems interlocks are discussed in this subsection.

7.6.2.3.2.3.1 Conformance to Regulatory Guide 1.22 See paragraph 7.6.2.3.2.2.3 for conformance to IEEE Standard 338-1971.

7.6.2.3.2.3.2 Conformance to Regulatory Guide 1.53 See paragraph 7.6.2.3.2.2.4 for conformance to IEEE Standard 379-1972.

7.6.2.3.2.3.3 Conformance to Regulatory Guide 1.68 Conformance to Regulatory Guide 1.68 is discussed in Chapter 14.

7.6.2.3.2.3.4 Conformance to Regulatory Guide 1.75 The sensors and instrument and control panels that are part of the high-pressure/low-pressure interlock feature are separated and identified in accordance with the Regulatory Guide.

7.6.2.4 Leak Detection System - Instrumentation and Controls A tabulation of those regulatory/industry standards applicable to the Leak Detection System is provided in Table 7.1-3. Additional information is provided below.

7.6.2.4.1 Conformance to General Functional Requirements The part of the leak detection system instrumentation and controls that is related to the various subsystem isolation circuitry is designed to meet requirements of the containment and reactor vessel isolation control systems cited in subsection 7.3.2.2.

7.6-63 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.4.2 Conformance to Specific Regulatory Requirements 7.6.2.4.2.1 Conformance to Regulatory Guides General exceptions to and positions taken on the regulatory guides, and the revision to the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the leak detection system instrumentation and controls are discussed in this subsection.

Regulatory Guide 1.22 The portion of the leak detection subsystem that provides outputs to the system isolation logic is designed to provide complete periodic testing of the isolation system trip system. This is accomplished by tripping the leak detection system one channel at a time from the leak detection panel in the control room. An indicator lamp is provided to show that the particular channel is tripped.

Regulatory Guide 1.29 All equipment that performs an isolation function is qualified seismic Category I.

Regulatory Guide 1.30 The post-operation quality assurance program is discussed in Chapter 17.

Regulatory Guide 1.45 The leakage to the drywell from identified sources such as valve stem packing, recirculation pump seals, upper containment pool, head seal, etc. is separated so that containment flow rates are monitored separately from unidentified leakage and total flow rate can be established and monitored. The leakage from the main steam line safety/relief valves is identified leakage because of the location of the sensors which detect this leakage, but the leakage is not completely separated from unidentified sources.

Separation of this leakage is not required since any leak from the main steam line safety/relief valves would not be from a crack or break in the line and would necessitate a plant shutdown for 7.6-64 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) repair, so there would be no identified leakage from the safety/

relief valve lines during plant operation which necessitates separation from unidentified leakage.

Major components within the drywell that by nature of their design are sources of leakage (e.g., pump seals, valve stem packing), are contained and piped to the equipment drain sump and thereby identified.

The leakage to the reactor containment from unidentified sources is collected and this flow rate is monitored with a sensitivity of one gallon per minute.

Equipment associated with systems within the drywell (e.g.,

vessels, piping, fittings) share a common free volume; therefore, their leakage detection systems are common. Steam or water leaks from such equipment are collected ultimately in a floor drain sump.

Each of the sumps is protected against overflowing leaks from one source masking those from another.

The floor drains collecting system is designed to detect leakage in excess of 1 gpm.

The following required detection methods are used to monitor unidentified leakage:

a. Sump level and flow monitoring

b. Airborne particulate radioactivity monitoring

c. Air cooler condensate flow rate monitoring

d. Airborne gaseous radioactivity monitoring Provisions are made to monitor systems connected to the RCPB for signs of intersystem leakage, including radioactivity monitoring of process fluids (component cooling water and standby service water) and reactor vessel water level monitoring.

The sensitivity of each system for detection of unidentified leakage is one gallon per minute within one hour except for the airborne particulate radioactivity and airborne gaseous activity monitoring channels, which have sensitivities of 10-10Ci/cm3 Cs-7.6-65 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 137 and 10-6 Ci/cm3 for Kr-85, which are at least the sensitivities suggested for these channels by Regulatory Guide 1.45.

The particulate and gaseous radioactivity monitoring channels are qualified for operation following an SSE. The equipment used for drywell floor drain sump level/flow monitoring and drywell air cooler condensate flow rate monitoring are not seismically qualified for an operating basis earthquake (OBE) as specified in Position 6 of NRC Regulatory Guide 1.45. This deviation is acceptable based on the following.

The credited sump level/flow monitoring system consists of the transmitters and associated instrumentation that are part of the floor and equipment drain system and control the associated pumps and valves. The plant computer and the digital recorders calculate the leakage rate based on the rate of change in sump level. If the plant computer calculated leakage rate is high, the LDS trouble annunciator will be activated.

A failure of the sump level/flow monitoring instrumentation or the air cooler condensate flow rate monitoring instrumentation because of an earthquake below an OBE is unlikely because at GGNS the OBE limit is very low. A failure because of an earthquake that would cause all three loops to appear operable but read non-conservative is very unlikely.

The drywell sump level instrumentation is classified in NRC Regulatory Guide 1.97 as a Type B category 1 which would require seismic and environmental qualification. GGNS took exception to this in AECM-85/0059, and classified the equipment as Category 3 with no environmental or seismic qualification. The justification was that the drywell sump systems are deliberately isolated at the primary containment penetration upon receipt of a LOCA isolation signal. Once the sumps are isolated and full, they cannot provide any information which could be useful for accident mitigation or long term surveillance. This exception to NRC Regulatory Guide 1.97 was approved by the NRC in MAEC-87/0013 and is noted in FSAR Appendix 3A.

Indicators and alarms for each leakage detection subsystem are provided in the control room as described in subsection 7.6.1.4.3.9.2. Since more than one method is available for detecting a leak in any one area, the operator can correlate one 7.6-66 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) or more indications to help determine that a leak does exist (for example, a high-temperature alarm with an associated high sump level alarm).

At the site, procedures for computing individual flow rates from indications, e.g., temperature, differential temperature, and pressure, by means of conversion curves will be used whenever meaningful.

The leakage detection system is equipped with provisions to readily permit testing for operability and calibration during plant operation in accordance with IEEE Standard 279-1971 (see subsections 7.6.2.4.2.3 and 7.3.2.2.2.3.1.10). Each leak detection method is verified to be operable and calibrated independently of any other leak detection method. A discussion of the testability and operational considerations is provided in subsections 7.6.1.4.5, 7.6.1.4.7, and 9.3.3.4.

The limiting conditions for identified and unidentified leakage are established by the Technical Specifications and address the action to be taken should any limit specified be exceeded.

Regulatory Guide 1.47 The leak detection system annunciates all bypass conditions.

Regulatory Guide 1.53 The portions of the leak detection system that provide outputs to system isolation logic complies with this guide. Discussion is provided in paragraph 7.3.2.2.2.1.6 under Regulatory Guide 1.53.

Regulatory Guide 1.63 Conformance to Regulatory Guide 1.63 is discussed in subsection 8.3.1.2.3.1.

Regulatory Guide 1.89 Conformance to Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.6.2.4.2.2 Conformance to 10 CFR 50 Appendix A Criterion 10 7.6-67 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The leak detection system has been designed with appropriate margin to monitor leaks from the RCPB.

Criterion 13 The leak detection sensors and associated electronics are designed to monitor the reactor coolant leakage over all expected ranges required for the safety of the plant.

Automatic initiation of the system isolation action, reliability, testability, independence, and separation have been factored into leak detection design as required for isolation systems.

Criterion 20 Leak detection equipment senses accident conditions and initiates the containment and reactor vessel isolation control system when appropriate.

Criterion 21 Protection-related equipment is arranged in two redundant divisions and maintained separately. Testing is covered in the conformance discussion for Regulatory Guide 1.22.

Criterion 22 Protection-related equipment is arranged in two redundant divisions so no single failure can prevent isolation. Functional diversity of sensed variables is utilized.

Criterion 23 Signals provided are such that isolation logic is fail safe.

Criterion 24 The system has no control functions.

Criterion 30 The leak detection system with its subsystems, provides means for detection and location of the source of reactor coolant leakage.

7.6-68 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Criterion 34 Leak detection is provided for the RHR shutdown cooling and RCIC lines penetrating the drywell.

Criterion 35 ECCS leak detection is augmented by the sump monitoring system portion of the leak detection system. ECCS leaks can easily be identified by operator correlation of various flow, pressure, and reactor vessel level signals transmitted to the control room.

Criterion 54 Leak detection is provided for main steam, RCIC, RHR shutdown cooling, and reactor water cleanup lines penetrating the drywell.

Sump fill rate monitoring provides leak detection for other pipes penetrating the drywell and containment.

7.6.2.4.2.3 Conformance to Industry Standards IEEE Std. 279-1971 and 379-1972 Leak detection system isolation functions compliance with IEEE Std. 279-1971 and 379-1972 is included in the IEEE Std. 279 and 379 compliance discussions of the containment and reactor vessel isolation control system, subsections 7.3.2.2.2.3.1 and 7.3.2.2.2.3.8, for which this system provides trip signals.

IEEE Std. 323-1971 Conformance to IEEE Std. 323 is discussed in subsection 3.11.2.

IEEE Std. 338-1971 Leak detection complies with IEEE Std. 338-1971. All active components of the leak detection system associated with the isolation signal can be tested during plant operation.

IEEE Std. 344-1971/1975 Leak detection system compliance is shown in Section 3.10. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10.

7.6-69 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975.

7.6.2.5 Neutron Monitoring System - Instrumentation and Controls 7.6.2.5.1 Source Range Monitor Subsystem 7.6.2.5.1.1 Conformance to General Functional Requirements The arrangement of the neutron sources and startup chambers in the reactor is shown in Figure 7.6-5. This arrangement produces at least 0.7 counts per second in the SRM using the sensitivity noted in subsection 7.6.1.5.3.1.1 and the design source strength at initial reactor startup. If the discriminator setting is adjusted to produce the specified sensitivity, the signal-to-noise count ratio is well above the 2:1 design basis for cold startup.

Normal startup procedures ensure that withdrawal of control rods is distributed about the core to prevent excessive multiplication in any one section of the core.

Hence, each SRM chamber can respond in some degree during the initial rod withdrawal. This procedure also ensures one of the four control rods adjacent to each SRM chamber is withdrawn early in the startup sequence, which reduces detector shadowing and assures increases in the detector signals as the core average neutron multiplication increases.

Examination of the sensitivity of the SRM detectors and their operating ranges of 106 counts/sec indicates that the IRM is on scale before the SRM reaches full scale (Figure 7.6-13).

7.6.2.5.1.2 Conformance to Specific Regulatory Requirements There are no specific regulatory or IEEE requirements for the source range monitor subsystem.

7.6.2.5.2 Intermediate Range Monitor Subsystem 7.6.2.5.2.1 Conformance to General Functional Requirements The analysis for the RPS trip inputs from the intermediate range monitor subsystem are discussed in subsection 7.2.2.

7.6-70 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The IRM is the primary source of information as the reactor approaches the power range. Its linear steps (approximately a half decade) and the rod blocking features on both high-flux level and low-flux level require that all the IRMs are on the correct range as core reactivity is increased by rod withdrawal. The SRM overlaps the IRM.

The number and locations of the IRM detectors have been determined to provide sufficient intermediate range neutron flux level information under the worst permitted bypass conditions. To assure that each IRM is on the correct range, a rod block is initiated any time the IRM is both downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core unless the reactor mode switch is in the RUN position. The IRM scram trips and the IRM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position.

The IRM detectors and electronics have been tested under operating conditions and verified to have the operational characteristics described. They provide the level of precision and reliability required by the RPS safety design bases.

7.6.2.5.2.2 Conformance to Specific Regulatory Requirements IEEE Std. 279-1971 The IRM design is shown to comply with the design requirements of IEEE Std. 279 in subsection 7.2.2.1.2.3.1 under IEEE 279 Neutron Monitoring (IRM) Trip.

IEEE Std. 323-1971 Conformance to IEEE Std. 323 is discussed in subsection 3.11.2.

IEEE Std. 338-1971 IRM compliance with IEEE Std. 338 is shown in subsection 7.2.2.1.2.3.1 under IEEE Std. 279 Conformance - Neutron Monitoring (IRM) Trip. (Paragraph 4.9 and 4.10).

IEEE Std. 344-1971/1975 7.6-71 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The IRMs are qualified for seismic events. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975. Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

IEEE Std. 379-1972 IRM signal separation, cabinet separation, use of isolation circuitry, and number of channels per trip system are methods used to meet the single-failure criterion. Convenient test and calibration circuits permit frequent checks for undetected failures.

10 CFR 50 Appendix A Criteria 13, 20, 21, 22, 23, 24, 28, and 29 The IRM detectors and associated electronics are designed to monitor the incore flux over all expected ranges required for safety of the plant.

Automatic initiation of protection system action, reliability, testability, independence, and separation have been factored into the IRM design as required for protection systems.

7.6.2.5.2.2.1 Conformance to NRC Regulatory Guides General exceptions to and positions taken on the Regulatory Guides, and the Revision of the Guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the IRM are discussed in this subsection.

Regulatory Guide 1.22 The portion of the IRM subsystem that provides outputs to the reactor protection system is designed to provide complete periodic testing of protection system actuation function as desired. The provision is accomplished by initiating an output trip of one IRM channel at any given time which will result in tripping one of the two RPS trip systems. Details are provided in subsection 7.2.2.1.2.3.1 under IEEE 279 Neutron Monitoring System (IRM) Trip.

7.6-72 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Operator indication of IRM bypass is provided by indicator lamps.

Regulatory Guide 1.47 The IRM complies with this Guide. Discussion of bypassed and inoperable status indication is provided in subsection 7.5.1.3.

Regulatory Guide 1.53 The IRM complies with this Guide. Discussion is provided in subsection 7.2.2.1.2.1.6 under Regulatory Guide 1.53.

Regulatory Guide 1.89 Conformance to Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.6.2.5.3 Local Power Range Monitor Subsystem 7.6.2.5.3.1 Conformance to General Functional Requirements The LPRM provides detailed information about neutron flux throughout the reactor core. The number of LPRM assemblies and their distribution is determined by extensive calculational and experimental procedures. The division of the LPRM into various groups for ac power supply allows operation with one ac power supply failed or out of service without limiting reactor operation. Individual failed chambers can be bypassed. Neutron flux information for a failed chamber location can be interpolated from nearby chambers. A substitute reading for a failed chamber can be derived from an octant-symmetric chamber or the Core Performance Monitoring System, or an actual flux indication can be obtained by inserting a TIP to the failed chamber position. Each output is electrically isolated so that an event (grounding the signal or applying a stray voltage) on the reception end does not destroy the validity of the LPRM signal.

Tests and experience attest to the ability of the detector to respond proportionally to the local neutron flux changes. (Ref.

1) 7.6.2.5.3.2 Conformance to Specific Regulatory Requirements IEEE Std. 279-1971 7.6-73 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The large number of individual LPRM channels, physical separation of groups of LPRMs, and electrical separation of these groups of LPRMs allow the LPRM system to meet single failure, channel independence, and separation requirements. Equipment quality requirements are met by the qualification of the LPRM equipment.

IEEE Std. 323-1971 LPRM equipment is qualified per the requirements of this standard.

IEEE Std. 338-1971 LPRM equipment is designed so that individual channels may be taken out of service for test or calibration without affecting the remaining channels.

IEEE Std. 344-1971/1975 The LPRM equipment is designed and qualified to function during and after the design basis seismic event. The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975. Qualification during the plant operating license stage is in accordance with IEEE 344-1975. See Section 3.10.

IEEE Std. 379-1972 The LPRM equipment is designed so that a single failure will not prevent needed safety functions.

7.6.2.5.4 Average Power Range Monitor Subsystem The analysis for the average power range monitor subsystem is discussed in subsection 7.2.2.

7.6.2.5.4.1 Conformance to General Functional Requirement Each APRM derives its signal from LPRM information. The assignment, power separation, cabinet separation, and LPRM signal isolation are in accord with the safety design bases of the RPS.

There are four APRM channels, four 2-Out-Of-4 Voters, each 7.6-74 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) sending signals to each RPS trip system logic to allow one undetected failure in each trip system and still satisfy the RPS safety design bases.

The tracking ability of the APRMs through power changes resulting from flow control and control rod manipulation is illustrated for a typical plant in General Electric Topical Report APED 5706.

The flow-referenced APRM scram set point is adequate to prevent reactor operation in states that could result in development of power oscillations due to neutronic/thermal-hydraulic instability considering reasonably limiting anticipated operational occurrences, as discussed in Chapter 4.4.

7.6.2.5.4.2 Conformance to Specific Regulatory Requirements 10 CFR 50 Criteria 13, 20, 21, 22, 23, 24, 28, and 29 The APRM detection and associated electronics are designed to monitor the incore flux over all expected ranges required for safety of the plant.

Automatic initiation of protection system action, reliability, testability, independence, and separation have been factored into the APRM design as required for protection systems.

IEEE Std. 279-1971 The APRM design is shown to comply with the design requirements of IEEE Std. 279 in subsection 7.2.2.1.2.3.1 under IEEE Std. 279-1971 Conformance - Neutron Monitoring System (APRM) Trip.

IEEE Std. 323-1971 Compliance with IEEE Std. 323 is shown in subsection 3.11.2.

IEEE Std. 338-1971 APRM compliance with IEEE Std. 338 is shown in subsection 7.2.2.1.2.3.1 under IEEE Std. 279 Conformance - Neutron Monitoring System (APRM) Trip (Par. 4.9 and 4.10).

IEEE Std. 379-1972 7.6-75 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

LPRM signal separation, cabinet separation, use of isolation circuitry, and number of channels per trip system are methods used to meet the single failure criterion. Convenient test and calibration circuits permit frequent checks for undetected failures.

7.6.2.5.4.2.1 Conformance to NRC Regulatory Guides General exceptions to and positions taken on regulatory guides, and the revision to the guide that is followed, are discussed in Appendix 3A. Specific applications of selected Guides to the APRM are discussed in this subsection.

Regulatory Guide 1.22 The portion of the APRM subsystem that provides outputs to the reactor protection system is designed to provide complete periodic testing of protection system trip functions. This provision is accomplished by initiating an output trip of one APRM channel at any given time which will result in tripping one of the two RPS trip systems. Details are provided in subsection 7.2.2.1.2.3.1 under IEEE Std. 279-1971 Neutron Monitoring System (APRM) Trip.

Operator indication of APRM bypass is provided by indicator lamps.

Regulatory Guide 1.47 The APRM complies with this guide. Discussion of bypassed and inoperable status indication is provided in subsection 7.5.1.3.

Regulatory Guide 1.89 Conformance with Regulatory Guide 1.89 is discussed in subsection 3.11.2.

7.6.2.5.5 Traversing In-Core Probe Subsystem (TIPS)

The analysis for the Traversing In-Core Probe Subsystem is discussed in subsection 7.7.2.6.1.

7.6-76 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.6 Rod Pattern Control System 7.6.2.6.1 Conformance to General Functional Requirements The requirements for the rod pattern control portions of RC&IS include tolerance of single failures and component quality. The rod pattern control portions of the RC&IS include both channels of the rod position probe, the associated rod position multiplexers and the rod pattern controllers.

These portions of the RC&IS are designed such that no single failure can result in rod motion. On loss of power to the system, rod motion is prohibited. All manual inputs from the RC&IS are through isolation devices.

Data on rod positions for each rod pattern controller are dynamic with time and the position of all rods is continuously being scanned and updated. These data are decoded and transmitted to the rod pattern controller. Failed closed, open, or shorted reed switches appear as illegal data and are not accepted by the affected channel of rod pattern control.

Any failure in one channel of the rod pattern controller results in the transmission of false or illegal data to the RC&IS. Since the command signals of each division of the pattern controller is compared with the other division, a rod block would occur. A permissive signal to move rods occurs only when the comparator portion of the RC&IS will transmit the rod motion data to the corresponding rod. Transmission of rod motion data to the hydraulic control units can occur only when both divisions of the rod pattern controller input identical command signals to the RC&IS. Failures producing identical false data from the probes, rod pattern controllers, or rod position multiplexers for both divisions simultaneously would be required to effect incorrect rod motion. All data faults are displayed and rod blocks indicated.

7.6.2.6.2 Conformance to Specific Regulatory Requirements 10 CFR 50 Appendix A (1975)

Criterion 13 7.6-77 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The rod pattern control system provides instrumentation allowing the operator to make rod movements during startup, shutdown, and at power, while minimizing rod worth. The instrumentation provides monitoring of variables over their anticipated ranges, preventing the operator from attaining a rod pattern of high worth.

Criterion 24 No failure in the rod pattern control portion of RC&IS can prevent a protective system action.

Criterion 27 The rod pattern control system provides reactivity control with sufficient margin to reliably control reactivity changes.

7.6.2.7 Recirculation Pump Trip System (End of Cycle) 7.6.2.7.1 Conformance to General Functional Requirements The RPT system is designed to aid the RPS in protecting the integrity of the fuel barrier. Turbine stop valve closure or turbine control valve fast closure will initiate a scram and recirculation pump trip in time to keep the core within the thermal-hydraulic safety limit during operational transients.

Recirculation pump trip is a two-out-of-two logic system for the turbine control valve and a two-out-of-two logic system for the turbine stop valve. Each of the trip systems is initiated by logic from the RPS system.

Failure to trip in a single RPS division will not violate single-failure criteria. Channel bypass switches for the four RPS logic trains are provided for the turbine stop valve closure tripped inputs to the recirculation pump trip (RPT) logic only. There are no channel bypass switches for turbine control valve fast closure RPT trip signals. For the RPT trip systems the installed bypass (INOP) switches actually prevent any RPT trip in the associated division. Sensors, channels, and logics of the RPT system are not used directly for automatic control of process systems.

Therefore, failure in the controls and instrumentation of process systems cannot induce failure of any portion of the system. Design of the system to safety class requirements and the redundancy of 7.6-78 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Class IE power supplies as breaker trip sources assures actuation of the pump trip function if required during design-basis earthquake ground motion.

Operator verification that two-pump trip has occurred may be made by observing one or more of the following functions:

a. Recirculation flow indicators on the operator's control console

b. Breaker trip indicating lights on the operator's control console

c. Two-pump trip initiation annunciation (two windows) 7.6.2.7.2 Conformance to Specific Regulatory Requirements IEEE Std. 279-1971 General Functional Requirement (IEEE Std. 279 Paragraph 4.1)

Four sensor channels are connected to each trip system. In the trip logics, the channels lose their identity since they are combined. The combination is two-out-of-two. When both sensor channels inputting a common logic and monitoring the same variable exceed their set point, RPT will occur if an inhibit is not present.

Single-Failure Criterion (IEEE Std. 279 Paragraph 4.2)

A single failure in either division will not prevent the RPT system from performing its intended function.

Quality of Components and Modules (IEEE Std. 279 Paragraph 4.3)

The trip system consists of high-quality circuitry that has been proven to be highly reliable and is qualified per IEEE Std. 323-1971.

The actuators are devices selected to be operated substantially within their capabilities and are of high quality and reliability and qualified for their application per IEEE Std. 323-1971.

Equipment Qualification (IEEE Std. 279 Paragraph 4.4) 7.6-79 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

At the component level, vendor certification is required that these parts will operate in accordance with the requirements of the purchase specification. General Electric qualifies the system, its components, modules, and subassemblies. In addition, in situ operational tests will be performed on the system during the preoperational test phase.

Channel Integrity (IEEE Std. 279 Paragraph 4.5)

Channels are designed to maintain functional capabilities under extremes of environmental conditions, energy supply, malfunctions, and accidents. Further discussion is provided in subsection 3.10.1 and Appendix 15A.

Channel Independence (IEEE Std. 279 Paragraph 4.6)

Channel independence is accomplished by utilizing a two-division arrangement.

Control and Protection System Interaction (IEEE Std. 279 Paragraph 4.7)

The two trip systems are totally separate from any nonprotection system. Due to the design of this output and separation of the cabling, there is no interaction with control systems of the plant. The trip system has no interaction with any other plant system, and the breaker trips are physically separate and electrically isolated from the other portions of the recirculation pump power supply. Consequently, this design requirement is met by this equipment.

Derivation of System Inputs (IEEE Std. 279 Paragraph 4.8)

This design is met by the sensor channels selected for inputs.

Capability for Sensor Checks (IEEE STd. 279 Paragraph 4.9)

This design requirement is not literally applicable but by interpretation can be applied and is fully complied with by the input tests, logic tests, and output tests for which provisions are made. The system utilizes RPS sensors addressed in subsection 7.2.2.1.2.3.1.9.

Capability for Test and Calibration (IEEE Std. 279 Paragraph 4.10) 7.6-80 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Refer to subsection 7.2.2.1.2.3.1.10.

Channel Bypass or Removal from Operation (IEEE Std. 279 Paragraph 4.11)

All four RPS turbine stop valve trip channels and both divisions of the recirculation pump trip system include bypasses as discussed in subsection 7.2.2.1.2.3.1.11.

Operating Bypasses (IEEE Std. 279 Paragraph 4.12)

See subsection 7.2.2.1.2.3.1.12 Indication of Bypasses (IEEE Std. 279 Paragraph 4.13)

This design requirement is complied with by indication of test bypasses and system inoperative switches as discussed in subsection 7.2.2.1.2.3.1.13. Control room indication also exists for the recirculation pump trip system automatic bypass of both the turbine stop valve trip and the turbine control valve fast closure trip when the valves are closed during low power operation (reactor power less than approximately 40 percent).

Access to Means for Bypassing (IEEE Std. 279 Paragraph 4.14)

The manual bypass of sensors can be performed for maintenance purposes. The access to the bypasses is administratively controlled.

Multiple Set Points (IEEE Std. 279 Paragraph 4.15)

This design requirement is not applicable.

Completion of Protective Action Once It Is Initiated (IEEE Std.

279 Paragraph 4.16)

Once the RPT relays are tripped, they in turn trip the trip coils of the recirculation pump breakers.

Manual Actuation (IEEE Std. 279 Paragraph 4.17)

Manual activation is provided in the recirculation system.

7.6-81 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Access to Set Point Adjustments, Calibration, and Test Points (IEEE Std. 279 Paragraph 4.18)

This design requirement is met. See subsection 7.2.2.1.2.3.1.18.

Identification of Protective Actions (IEEE Std. 279 Paragraph 4.19)

Control room annunciators are provided to identify the tripped portions of RPT in addition to the previously described instrument channel annunciators associated with the RPS:

a. Division 1 logic tripped

b. Division 2 logic tripped.

These same functions are connected to the process computer to provide a typed record of the system status.

Information Readout (IEEE 279 Paragraph 4.20)

The information presented to the control room operator satisfies this design requirement.

Systems Repair (IEEE Std. 279 Paragraph 4.21)

Repair of sensors and logics are discussed in subsection 7.2.2.1.2.3.1.21.

Identification of Protection Systems (IEEE Std. 279 Paragraph 4.22)

Refer to subsection 7.2.2.1.2.3.1.22.

IEEE Std. 308-1971 This does not apply to the trip system, which is fail safe. Its power supplies are thus unnecessary for RPT. A Class IE system is provided to energize the breaker trip coils.

IEEE Std. 323-1971 See subsection 3.11.2.

IEEE Std. 338-1971 7.6-82 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Refer to subsection 7.2.2.1.2.3.6.

IEEE Std. 344-1971/1975 All Class IE Equipment meets the requirements of Section 3.10.

The Grand Gulf initial design conforms to the requirements of IEEE 344-1971 as modified by EICSB Branch Technical Position 10. SQRT review was subsequently performed against IEEE 344-1975.

Qualification during the plant operating license stage is in accordance with IEEE 344-1975.

IEEE Std. 379-1972 These requirements are satisfied by consideration of the different types of failure and carefully designing all violations of the single-failure criterion out of the system. An exception is imposed during periodic logic testing.

Conformance to Regulatory Guides General exceptions to and positions taken on the regulatory guides, and the revision of the guide that is followed, are discussed in Appendix 3A. Specific applications of selected guides to the RPT are discussed in this subsection.

Regulatory Guide 1.22 The system is designed so that it may be tested during plant operation from sensor device to trip system output. Circuit breakers will be tested as per Plant Procedures.

Regulatory Guide 1.47 Bypassed and inoperable status indication is described in subsection 7.5.1.3.

Regulatory Guide 1.53 Compliance with Regulatory Guide 1.53 is achieved by specifying, designing, and constructing the recirculation pump trip system to meet the single-failure criterion (Section 4.2 of IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Station Protection Systems, and IEEE Std. 379-1972, IEEE Trial 7.6-83 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Use Guide for the Application of the Single-Failure Criterion to Nuclear Power Generating Station Protection Systems.) Redundant sensors are used and the logic is arranged to ensure that a failure in a sensing element logic or trip system will not prevent RPT. Separate trip systems are employed so that a fault affecting one trip system will not prevent the other trip system from operating properly. System separation requirements are presented in subsection 7.1.2.2.1.

10 CFR 50 Appendix A - General Design Criteria

a. Criterion 13 - Each system input is monitored and annunciated.

b. Deleted

c. Criterion 20 - The system constantly monitors the appropriate plant variables and initiates RPT automatically when the variables exceed set points.

d. Criterion 21 - The system is designed with 8 independent and separated sensor channels consisting of two independent and separate trip systems. No single failure or operator action can prevent RPT. The instrumentation and logic can be tested during plant operation to assure its availability.

e. Criterion 22 - The redundant portions of the system are separated such that no single failure or credible natural disaster can prevent a trip.

f. Criterion 23 - Where the system is not fail safe, redundant Class IE sources are utilized. Postulated adverse environments will not prevent the system from performing its intended function.

g. Criterion 24 - The system has no control function. Signals for control room annunciation are isolated.

h. Criterion 29 - The system is highly reliable so that it will trip, when required, in the event of anticipated operational occurrences.

7.6-84 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.8 Spent Fuel Pool Cooling and Cleanup System -

Instrumentation and Controls 7.6.2.8.1 Conformance to General Functional Requirements The spent fuel pool cooling and cleanup system is monitored for conductivity, temperature, pool level, flow rate, and leakage.

The conductivity measurement provides the operator with information required to assure that impurities in the water are maintained at acceptable levels.

The low flow (pump discharge pressure) and temperature monitoring provide the operator with information required to assure that the desired temperature is not exceeded and that filtering is maintained. Pool level and leakage monitoring provide the operator with information assuring the maintenance of adequate shielding and cooling.

7.6.2.8.2 Conformance to Specific Regulatory Requirements 7.6.2.8.2.1 Conformance to NRC Regulatory Guides General exceptions to and positions taken on the Regulatory Guides and the revision of the guide that is followed are discussed in Appendix 3A. Specific applications of selected guides to the fuel pool cooling and cleanup system are discussed in this subsection.

7.6.2.8.2.1.1 Regulatory Guide 1.75 The cooling portion of the fuel pool cooling and cleanup system complies, maintaining separation between divisions and between associated circuits. Identification of cabling and cable trays is discussed in subsection 8.3.1.3. The cabinets and Class IE equipment are identified with divisional name tags.

7.6.2.8.2.2 Conformance to 10 CFR 50 Appendix A (1975) 7.6.2.8.2.2.1 General Design Criterion 61 The fuel pool cooling and cleanup system provides residual heat removal capability with high reliability. It also includes a filtering system to reduce the radioactivity in the pool water to assure adequate safety under normal conditions. The design provides the capability for periodic testing and inspection.

7.6-85 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

During postulated accident conditions, the filtering system is isolated but the cooling capability continues to function. The radiation levels do not exceed those required for postulated accident conditions.

7.6.2.8.2.2.2 General Design Criterion 63 A malfunction of the fuel pool cooling and cleanup system which could result in loss of residual heat removal capability and excessive radiation levels is alarmed in the control room.

Alarmed conditions include high/low fuel pool cooling water pump discharge pressure and high/low level in the fuel storage pool and fuel pool drain tanks. System temperature is also continuously monitored and alarmed in the control room.

7.6.2.9 Component Cooling Water System (Fuel Pool Cooling) 7.6.2.9.1 Conformance to 10 CFR 50 General Design Criteria General Design Criteria, established in Appendix A of 10 CFR 50, which are applicable to the CCW System are listed in Table 7.1-3.

Additional information is provided below.

a. Criterion 13: Instrumentation and Controls The fuel pool cooling portion of the CCW system includes instrumentation to monitor cooling water flow to the fuel pool heat exchangers over the full range of expected values for all modes of operation.

b. Criterion 21: Protection System Reliability and Testability Functional reliability of the CCW system is assured by compliance with the requirements of IEEE Standard 279-1971 as discussed in subsections 7.6.1.10.9 and 7.6.2.9.2.

Testing is discussed in subsection 7.6.2.9.2, requirement 4.10.

c. Criterion 22: Protection System Independence Independence of those portions of the CCW system which perform safety-related protective functions is assured by design which includes separation of redundant devices as 7.6-86 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) described in subsection 7.6.1.10.5. Physical separation is discussed in conjunction with conformance to IEEE Standard 384 in subsection 7.1.2.4.10.

d. Criterion 23: Protection System Failure Modes Those portions of the CCW system which perform a safety-related protective function are designed with sufficient redundancy to ensure that failure of any one device will not prevent protective action.

e. Criterion 24: Separation of Protection and Control Systems All protective and control actions associated with the safety-related portion of the CCW system are completely separated from and independent of the remaining portions of the CCW system. There is therefore no interconnection between protective and control circuits in the CCW system.

f. Criterion 44: Cooling Water The CCW system serves to transfer heat from the fuel pool heat exchangers under normal operating conditions. Valving is provided to transfer these heat exchangers to the two redundant SSW trains for heat rejection to the ultimate heat sink during accident conditions. Redundancy and assurance of operability under loss of onsite or offsite power is provided by supplying power for these valves and the SSW trains from separate and redundant ESF power supplies. Refer to subsection 7.3.1.1.7 for a description of the SSW system including redundancy and leak detection.

g. Criterion 46: Testing of Cooling Water System Structural and leaktight integrity, operability, and performance of the CCW system can be constantly monitored because the system is normally in operation. Verification of the operability of the safety-related valves in the CCW system may be made at any time from control room handswitches.

h. Criterion 56: Primary Containment Isolation 7.6-87 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Those portions of the CCW system that penetrate the containment and drywell are provided with isolation valves that can be remotely actuated by the operator in the control room.

i. Criterion 64: Monitoring Radioactivity Releases The CCW system is provided with a radiation monitor to detect the presence of fission products in the coolant.

The radiation detector provides alarms in the control room for high radiation or detector failure.

Since the CCW system is a closed system, release of radioactivity to the environment is minimized.

7.6.2.9.2 Conformance to IEEE Standard 279-1971 The fuel pool cooling portion of the CCW system is designed to conform to the requirements of Section 4 of IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, as described in this section:

a. Requirement 4.1: General Functional Requirement Transfer of the fuel pool heat exchangers to the SSW system is initiated manually from the control room when required by plant conditions. The fuel pool heat exchangers are automatically isolated from the CCW system on a low-flow signal from the CCW system. Protective action can be initiated over the entire range of anticipated operational and accident conditions.

b. Requirement 4.2: Single Failure Criterion Those portions of the CCW system which perform a safety-related protective function are designed with sufficient redundancy to ensure that any single failure will not prevent protective action.

c. Requirement 4.3: Quality of Components and Modules The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components 7.6-88 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) and the documentation of quality control is in accordance with Regulatory Guides 1.28, 1.30, and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The CCW system components meet the equipment requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity Type test of components, separation of channels, and qualification of cabling for the protective portions of the CCW system are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.

Loss of or damage to one path will not prevent the protective action.

f. Requirement 4.6: Channel Independence Refer to subsection 7.6.2.9.1, Criterion 22.

g. Requirement 4.7: Control and Protection System Interaction Refer to subsection 7.6.2.9.1, Criterion 24.

h. Requirement 4.8: Derivation of System Inputs Protective actions of the CCW system are manually initiated. Automatic functions, such as fuel pool heat exchanger isolation, are initiated by signals which are a direct measure of the desired variables.

i. Requirement 4.9: Capability for Sensor Checks Protective functions of the CCW system do not require the operation of any of the system sensors. The fuel pool heat exchanger flow transmitters may be checked by cross-7.6-89 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) checking between channels. A defective transmitter may be identified by comparing the readings of the four flow indicators which monitor the same variables.

j. Requirement 4.10: Capability for Test and Calibration The fuel pool heat exchanger flow transmitters and trip units utilize an electronic trip and calibration system. A calibration unit mounted in control room panels with the trip units provides the means to perform an in-place calibration check or set point adjustment. (Refer to subsection 7.1.3 for a discussion of inservice testability.)

k. Requirement 4.11: Channel Bypass or Removal from Operation Any single component or channel of the protective portions of the CCW system may be bypassed without initiating or preventing the protective action, if required.

l. Requirement 4.12: Operating Bypasses There are no operating bypasses in the CCW system. Any of the valves can be rendered inoperative by manually racking out a starter in a motor control center. The CCW flow transmitters may be bypassed by closing the instrument valves on the flow element.

m. Requirement 4.13: Indication of Bypasses Loss of control power to any safety-related motor-operated valve is continuously indicated in the control room.

n. Requirement 4.14: Access to Means for Bypassing All means for bypassing components of the CCW which perform protective actions are under administrative control.

Motor control centers are equipped with lockable control switch handles. Instrument valves are under the administrative control of plant operations personnel and cannot be operated without permission of responsible authorized personnel.

o. Requirement 4.15: Multiple Set Points 7.6-90 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

There are no multiple set points in the CCW system.

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated The motor-operated valves of the fuel pool cooling portion of the CCW system are essentially bistable. Once initiated, operator action is required to return the system to its normal state.

q. Requirement 4.17: Manual Initiation All components, both those with and without protective function, of the CCW system may be manually actuated from the control room.

r. Requirement 4.18: Access to Set Point Adjustments Set point adjustments for the fuel pool heat exchanger CCW flow are under administrative control in the control room.

Set point and calibration controls require the use of tools for adjustment.

s. Requirement 4.19: Identification of Protective Action The status of each safety-related device in the CCW system is indicated in the control room. Actuation of the SSW system is annunciated in the control room.

t. Requirement 4.20: Information Readout There are no safety-related readouts associated with the CCW System.

u. Requirement 4.21: System Repair Identification of a defective channel will be accomplished by observation of system status lights or by testing.

Replacement or repair of safety-related components is accomplished with the affected component or channel bypassed.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the safety-related system identification system.

7.6-91 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.2.9.3 Conformance to NRC Regulatory Guides The NRC Regulatory Guides which are applicable to the CCW system are identified in Table 7.1-3. Additional information is provided below.

7.6.2.9.3.1 Regulatory Guide 1.22 All safety-related portions of the CCW system may be tested during normal power operation. A low-flow initiation signal may be generated by manually closing the CCW supply valve from the control room. Manually operated valves may be operated from the control room and their operation verified by observing the system status lights in the control room.

7.6.2.10 Deleted 7.6.2.11 Auxiliary Building Isolation System 7.6.2.11.1 Conformance to 10 CFR 50 General Design Criteria General Design Criteria, established in Appendix A of 10 CFR 50, which are applicable to the Auxiliary Building Isolation System are listed in Table 7.1-3.

a. Criterion 13: Instrumentation and Control The auxiliary building isolation system includes instrumentation to monitor the status of all component valves over the full range of normal and accident conditions.

b. Criterion 20: Protection System Functions The plant conditions under which the auxiliary building isolation system is required to operate are the same as those for the CRVICS as shown in Chapter 15 and Appendix 15A. Initiation circuits are automatic as discussed in subsection 7.6.1.12.1. No operator action is required to initiate the system under accident conditions.

c. Criterion 21: Protection System Reliability and Testability 7.6-92 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Functional reliability of the auxiliary building isolation system is assured by compliance with the requirements of IEEE Standard 279-1971 as described in subsections 7.6.1.12.9 and 7.6.1.12.2. The system may be tested on a component level from control room handswitches.

d. Criterion 22: Protection System Independence Independence of the auxiliary building isolation system is assured by design which includes separation of redundant devices as discussed in subsection 7.6.1.12.5. Physical separation is discussed in conjunction with IEEE Standard 384 in subsection 7.1.2.4.10.

e. Criterion 23: Protection System Failure Modes The auxiliary building isolation system is designed to fail in a safe condition. It employs all air-operated isolation valves which fail closed. Solenoid pilot valves are de-energized to initiate protective action.

f. Criterion 24: Separation of Protection and Control Systems No portion of the auxiliary building isolation system is used for both protection and control.

7.6.2.11.2 Conformance to IEEE Standard 279-1971 The auxiliary building isolation system is designed to conform to the requirements of Section 4 of IEEE Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, as described in this section.

a. Requirement 4.1: General Functional Requirement Actuation of the auxiliary building isolation system is automatic upon the detection of a LOCA by the CRVICS.

b. Requirement 4.2: Single Failure Criterion The auxiliary building isolation system, comprised of two independent sets of controls for the two physically separate trip systems, meets all credible aspects of the single failure criterion.

7.6-93 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Some small penetrations through the auxiliary building are provided with only one isolation valve. However, each of these valves is provided with redundant, physically separated solenoid pilot valves and position switches.

Failure of any one of these isolation valves to close, with the consequent opening of the small penetration, will not violate the secondary containment design bases as set forth in subsection 6.2.3.1.

c. Requirement 4.3: Quality of Components and Modules The quality control enforced during design, fabrication, shipment, field storage, installation, and component checkout used for instrumentation and control components and the documentation of quality control is in accordance with Regulatory Guides 1.28 and 1.38. Refer to Appendix 3A.

Furthermore, equipment vendors are required to implement and document a quality control and assurance program with the intent of complying with the requirements set forth in 10 CFR 50, Appendix B.

d. Requirement 4.4: Equipment Qualification The auxiliary building isolation system components meet the equipment qualification requirements described in Sections 3.10 and 3.11.

e. Requirement 4.5: Channel Integrity Type testing of components, separation of channels, and qualification of cabling are utilized to ensure that the channels will maintain the functional capability required under applicable extremes of conditions relating to environment, energy supply, malfunctions, and accidents.

Loss of or damage of any one path will not prevent the protective action of the redundant path.

f. Requirement 4.6: Channel Independence Channel independence is provided by electrical and mechanical separation.

7.6-94 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Channel independence is not compromised by the use of a common air supply to all isolation valves since protective action does not depend on the supply of air.

g. Requirement 4.7: Control and Protection System Interaction The auxiliary building isolation system valves serve no control function.

h. Requirement 4.8: Deviation of System Inputs The auxiliary building isolation system initiation is provided by signals from the CRVICS which detects a LOCA by sensors which directly measure drywell pressure and reactor level. See subsection 7.3.2.2.

i. Requirement 4.9: Capability for Sensor Checks Because the auxiliary building isolation system initiation signals are derived from another system, process variables are not monitored by this system. See subsection 7.3.2.2 for analysis of the CRVICS.

j. Requirement 4.10: Capability for Test and Calibration The operation of each valve in the auxiliary building isolation system may be verified by operating the valve from a control room handswitch. Testability of the sensors is discussed with the CRVICS in subsection 7.3.2.2.

k. Requirement 4.11: Channel Bypass or Removal from Operation The sensors which initiate the auxiliary building isolation system are arranged in one-out-of-two-taken-twice logic. Testing one sensor will introduce a single channel trip. This does not cause system initiation without a coincident trip on a second channel.

The auxiliary building isolation system is designed as a redundant system so that removal of one channel from service will not prevent the protective action of the redundant channel.

l. Requirement 4.12: Operating Bypasses Bypass capability removed.

7.6-95 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

m. Requirement 4.13: Indication of Bypasses Bypass capability removed.

n. Requirement 4.14: Access to Means for Bypassing Bypass capability removed.

o. Requirement 4.15: Multiple Set Points There are no multiple set points in the auxiliary building isolation system.

p. Requirement 4.16: Completion of Protective Action Once It Is Initiated The auxiliary building isolation system is essentially a bistable system. Once initiated, operator action is required to return each component of the system to its normal condition. Return to normal is prevented by the control system as long as the initiation signal is present.

q. Requirement 4.17: Manual Initiation Each valve in the auxiliary building isolation system is capable of manual operation from the control room. Each of the two automatic systems may be manually initiated on a system level, together with the containment and drywell isolation.

r. Requirement 4.18: Access to Set Point Adjustments, Calibration, and Test Points The auxiliary building isolation system does not include any process sensors. There are therefore no set point adjustments in the system. Refer to subsection 7.3.1.1.2 for a discussion of the CRVICS sensors.

s. Requirement 4.19: Identification of Protective Actions Isolation of the auxiliary building by either of the two automatic redundant systems is annunciated in the control room. The status of each valve in the system is indicated by lights in the control room.

t. Requirement 4.20: Information Readout 7.6-96 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Refer to Section 7.5 for a discussion of safety-related display instrumentation.

u. Requirement 4.21: System Repair Identification of a defective channel will be accomplished by observation of system status lights or by periodic testing. The redundant auxiliary building isolation system provides isolation while repairs are made.

v. Requirement 4.22: Identification Refer to subsections 7.1.2.3 and 8.3.1.3 for a description of the ESF system identification system.

7.6.2.11.3 Conformance to NRC Regulatory Guides The NRC Regulatory Guides which are applicable to the auxiliary building isolation system are identified in Table 7.1-3.

Additional information is provided below.

7.6.2.11.3.1 Regulatory Guide 1.22 All valves in the auxiliary building isolation system may be tested by manually cycling the valves during normal power operation. Testing of the actuation devices is discussed with the CRVICS in subsection 7.3.2.2.

7.6.2.12 Additional Design Considerations Analyses 7.6.2.12.1 General Plant Safety Analyses The examination of the subject safety systems at the plant safety analyses level is presented in Chapter 15 and Appendix 15A.

7.6.2.12.2 Cold Water Slug Injection Refer to subsection 15.5.1.

7.6.2.12.3 Refueling Accidents Refer to subsection 15.7.4.

7.6.2.12.4 Overpressurization of Low-Pressure System Refer to subsection 7.6.1.3.

7.6-97 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6.3 References

1. Morgan, W.R., In-Core Neutron Monitoring System for General Electric Boiling Water Reactors, APED-5706, November, 1968 (Rev. April, 1969).

2. Hatch Amendment 7, June 24, 1969, pages 7-3.0-1 and 7-5.0-1.

3. GNRI-209/00030, Grand Gulf Nuclear Station, Unit 1 - Issuance of Amendment to Modify the Updated Safety Analysis Report to Replace First Stage Pressure Signals with Power Range Neutron Monitoring System Signals (EPID L-2018-LLA-0072),

March 12, 2019. [Amendment No. 217]

7.6-98 LBDCR 2019-021

TABLE 7.6-1: REFUELING INTERLOCK EFFECTIVENESS Refueling Auxiliary Platform Refueling Platform Hoists Platform Control Mode Situation position TMH* FMH* FG* Hoist Rods Switch Attempt Result

1. Not near UL* UL* UL* UL* All rods Refuel Move No Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION core in refueling restrictions platform over core

2. Not near UL UL UL UL All rods Refuel Withdraw Cannot core in rods withdraw more than one rod

3. Not near UL UL UL UL One rod Refuel Move No core withdrawn refueling restrictions platform over core 7.6-99

4. Not near UL UL L UL One rod Refuel Move Platform core withdrawn refueling stopped before platform over core over core

5. Not near UL UL UL UL More than Refuel Move Platform core one rod refueling stopped before withdrawn platform over core over core

6. Over core UL UL UL UL All rods Refuel Withdraw Cannot in rods withdraw more than one rod Revision 2016-00

7. Over core UL UL L All rods Refuel Withdraw Rod block in rods

8. Not near UL UL UL L* All rods Refuel Withdraw Rod block core in rods

9. Not near UL UL UL L All rods Refuel Operate No core in service restrictions platform hoist

TABLE 7.6-1: REFUELING INTERLOCK EFFECTIVENESS (Continued)

Refueling Auxiliary Platform Refueling Platform Hoists Platform Control Mode Situation position TMH* FMH* FG* Hoist Rods Switch Attempt Result

10. Not near UL UL UL L One rod Refuel Operate Hoist Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION core withdrawn service operation platform prevented hoist

11. Not near UL UL UL UL All rods Startup Move Platform core in refueling stopped before platform over core over core

12. Not near UL UL UL L All rods Startup Operate No core in service restrictions platform hoist 7.6-100

13. Not near UL UL UL L One rod Startup Operate Hoist core withdrawn service operation platform prevented hoist

14. Not near UL UL UL L All rods Startup Withdraw Rod block core in rods

15. Not near UL UL UL UL All rods Startup Withdraw No restriction core in rods

16. Over core UL UL UL UL All rods Startup Withdraw Rod block in rods Revision 2016-00

• LEGEND TMH - Trolley-mounted FMH - Frame-mounted FG - Fuel Grapple UL - Unloaded L - Fuel Loaded Hoist Hoist

TABLE 7.6-2: PROCESS RADIATION MONITORING SYSTEMS-INSTRUMENT CHARACTERISTICS Instrument Instrument Scale Trips Per Channel Monitoring Subsystem Range* (Decade Log) Upscale Downscale Updated Final Safety Analysis Report (UFSAR)

1. Main steam line 1 to 106 mR/hr 6 2 1 GRAND GULF NUCLEAR GENERATING STATION

2. Aux bldg fuel handling 0.01 to 100 mR/hr 4 1 1 area vent exhaust

3. Aux bldg fuel handling 0.01 to 100 mR/hr 4 1 1 area pool sweep exhaust

4. Containment and drywell 0.01 to 100 mR/hr 4 1 1 vent exhaust

5. Control room vent 0.01 to 100 mR/hr 4 1 1 7.6-101

• Range of measurements depends on items such as source geometry, background radiation, shielding, energy levels, and method of sampling.

For instrument characteristics of nonsafety-related monitors, see Table 11.5-1.

Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-3: SRM SYSTEM TRIPS TRIP FUNCTION NORMAL SET POINT TRIP ACTION SRM upscale (high) 105 c/s Rod block, amber light display annunciator.

SRM instrument (See Note) Rod block, amber light inoperative display annunciator.

Detector Retraction 100 c/s* Bypass detector full-in Permissive limit switch when above (SRM downscale) preset limit display, rod block when below preset limit with IRM range switches on first two ranges. Annunciator, green light display.

SRM period 50 sec Annunciator, amber light display SRM downscale 0.7 c/s Rod block, annunciator, amber light display.

SRM bypassed White light display.

• The stated setpoint is the nominal value from GE Design Specification Data Sheet 22A3739AE. Actual plant setpoint has been established > 100 cps to ensure the rod block function is operable at 100 cps.

Note: SRM is inoperative if module interlock chain is broken, an operate-calibrate switch is not in operate position, or detector polarizing voltage is below the INOP setpoint (300 V min.).

7.6-102 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-4: IRM TRIPS TRIP FUNCTION NORMAL SET POINT TRIP ACTION IRM upscale 120/125 full scale Scram, annunciator, (high-high) red light display Inoperative IRM (See Note) Scram, annunciator, red light display IRM upscale (high) 108/125 full scale Rod block, annunciator, amber light display.

IRM downscale 5/125 full scale Rod block (exception on most sensitive scale), annunciator, amber light display IRM bypassed White light display Note: IRM is inoperative if module interlock chain is broken, an operate-calibrate switch is not in operate position, or detector voltage is below the INOP setpoint (80 V min.).

7.6-103 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-5: LPRM SYSTEM TRIPS TRIP FUNCTION TRIP RANGE TRIP SETPOINT TRIP ACTION LPRM downscale 2% to full scale 3% White light and annunciator LPRM upscale 2% to full scale 100% Amber light and annunciator LPRM bypass Manual switch White light and APRM averaging compensation 7.6-104 Revision 2016-00

TABLE 7.6-6: APRM SYSTEM TRIPS TRIP POINT NOMINAL TRIP FUNCTION RANGE SET POINT ACTION APRM downscale Fixed voltage level 4% of rated thermal Rod block, annunciator, Updated Final Safety Analysis Report (UFSAR) power white light display GRAND GULF NUCLEAR GENERATING STATION APRM upscale Set point varies with maximum of 108% rated Rod block, annunciator, (high) flow. thermal power in run mode; amber light display 12% not in run mode

• • APRM upscale Set point varies with maximum of 111.0% of Scram, annunciator, red (thermal power) flow. rated thermal power light display APRM upscale Fixed voltage level 118% in run mode; 15% Scram, annunciator, red (high-high) not in run mode light display APRM inoperative Calibrate switch or too NA* Scram, rod block, 7.6-105 few inputs annunciator, red light display, white light on neutron monitoring system cabinet APRM Bypass Manual switch NA Annunciator, white light display Recirculation Flow Fixed voltage level 111% of rated flow Rod block, annunciator, Unit upscale white light display

• APRM inoperative means not in operate mode, or module interlock chain broken, or less than 14 of 22 inputs Revision 2016-00

• • APRM signal passes through a 6-second time constant filter to simulate heat flux.

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-7: Deleted 7.6-106 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-8: Deleted 7.6-107 Revision 2016-00

TABLE 7.6-9: COMPONENT COOLING WATER SYSTEM ACTUATION

SUMMARY

VARIABLE SENSORS NOMINAL VALUES CHAN- NOMI- ACTUA- CHANNEL REMARKS NEL NAL TION ACCURACY NUMBER TYPE LOCA- SUP- NORMAL START HOT COLD REFU- ACCI-RANGE MARGIN SET TION PLIER POWER UP SHUT- SHUT- ELING DENT POINT OPERA- DOWN DOWN Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION TION CCW Flow 4 Differ Commen Non- 2000 2000 1065 1065 2000 1065 0-2500 1000 1000 +- 50 Flow to Fuel ential Inlet NSSS gpm gpm gpm gpm gpm gpm gpm gpm gpm gpm transmi Pool Press. Header (from (from (from tter Heat Ex- Trans- SSW SSW SSW sees changers mitter system) system) system) flow only to heat exchang er A during shutdow n and 7.6-108 acciden t

conditi ons Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-10: COMPONENT COOLING WATER SYSTEM ACTUATED EQUIPMENT LIST Figure Equipment No. ESF Actuating Number (P&ID) Description Division Function Signal F105 9.2-9 CCW Supply to Fuel 1 Close Manual or Low CCW Pool Heat Exchangers Flow to Fuel Pool Heat Exchangers F203 9.2-9 CCW Supply to Fuel 1 Close Manual or Low CCW Pool Heat Exchanger Flow to Fuel Pool B Heat Exchangers F204 9.2-9 CCW Outlet From Fuel 1 Close Manual or Low CCW Pool Heat Exchanger Flow to Fuel Pool B Heat Exchangers F205 9.2-9 CCW Outlet From Fuel 1 Close Manual or Low CCW Pool Heat Exchangers Flow to Fuel Pool Heat Exchangers F028B 9.2-9 CCW Supply to Fuel 2 Close Manual or Low CCW Pool Heat Exchanger Flow to Fuel Pool B Heat Exchangers F032B 9.2-9 CCW Outlet From Fuel 2 Close Manual or Low CCW Pool Heat Exchanger Flow to Fuel Pool B Heat Exchangers F028A 9.2-9 Fuel Pool Heat 1 Open/ Manual Exchanger A supply Close valve F032A 9.2-9 Fuel Pool Heat 1 Open/ Manual Exchanger A Outlet Close Valve F200A 9.2-9 Fuel Pool Heat 1 Open Manual (only if Exchanger A SSW CCW valves are Inlet valve closed)

F200B 9.2-9 Fuel Pool Heat 2 Open Manual (only if Exchanger B SSW CCW valves are Inlet Valve closed)

F201A 9.2-9 Fuel Pool Heat 1 Open Manual (only if Exchanger A SSW CCW valves are Outlet Valve closed)

F201B 9.2-9 Fuel Pool Heat 2 Open Manual (only if Exchanger B SSW CCW valves are Outlet Valve closed) 7.6-109 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-11: Deleted 7.6-110 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-12: AUXILIARY BUILDING ISOLATION SYSTEM ACTUATED EQUIPMENT LIST Figure Equipment No. ESF Actuating Number (P&ID) Description Division Function Signal P52-F221A 9.3-3 Service Air Close LOCA or System Aux Bldg Manual Iso Vlv Pilot Vlv: P52-F505A 1 P52-F160A 9.3-3 Service Air Close LOCA or System Aux Bldg Manual Iso Vlv Pilot Vlv: P52-F505B 1 P52-F221B 9.3-3 Service Air Close LOCA or System Aux Bldg. Manual Isol Vlv Pilot Vlv: P52-F506 A 2 P52-F160B 9.3-3 Service Air Close LOCA or System Aux Bldg Manual Isol Vlv Pilot Vlv: P52-F506B 2 G46-F253 9.1-28 FPCC Filt-demin Close LOCA or Sys Backwash Aux Manual Bldg Isol Vlv Pilot Valves:

G46-F528A 1 G46-F528B 2 G36-F108 5.4-26 RWCU Backwash Close LOCA or RCVG Tk Aux Bldg Manual Isol Vlv Pilot Valve: G36-F539 1 G36-F109 5.4-26 RWCU Backwash Close LOCA or RCVG Tk Aux Bldg Manual Isol Vlv Pilot Valve: G36-F541 2 B21-F113 5.2-6 Nuclear Boiler Close LOCA or Sys Aux Bldg Isol Manual Valve Pilot Valve: B21-F536 1 7.6-111 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-12: AUXILIARY BUILDING ISOLATION SYSTEM ACTUATED EQUIPMENT LIST (CONTINUED)

Figure Equipment No. ESF Actuating Number (P&ID) Description Division Function Signal B21-F114 5.2-6 Nuclear Boiler Close LOCA or Sys Aux Bldg Isol Manual Valve Pilot Valve: B21-F537 2 G33-F235 5.4-21 RWCU Aux Bldg Close LOCA or Isol Vlv Pilot Manual Valve: G33-F517A 1 G33-F234 5.4-21 RWCU Aux Bldg Close LOCA or Isol Vlv Pilot Manual Valve: G33-F517B 2 P60-F003 9.3-23 SPCU Aux Bldg Close LOCA or Isol Vlv Pilot Manual Valve: P60-F503 1 P60-F004 9.3-23 SPCU Aux Bldg Close LOCA or Isol Vlv Pilot Manual Valve: P60-F504 2 P60-F007 9.3-23 SPCU Aux Bldg Close LOCA or Isol Vlv Pilot Manual Valve: P60-F507 2 P60-F008 9.3-23 SPCU Aux Bldg Close LOCA or Isol Vlv Pilot Manual Valve: P60-F508 1 P11-F062 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F518 1 P11-F064 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F516 1 P11-F066 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F526 1 7.6-112 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-12: AUXILIARY BUILDING ISOLATION SYSTEM ACTUATED EQUIPMENT LIST (CONTINUED)

Figure Equipment No. ESF Actuating Number (P&ID) Description Division Function Signal P11-F047 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F512 1 P11-F063 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F519 2 P11-F065 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F517 2 P11-F067 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F507 2 P11-F061 9.2-16 Cond & Refuel Wtr Close LOCA or Transf Aux Bldg Manual Isol Vlv Pilot Valve: P11-F508 2 P45-F158 9.3-11 Floor and Equip Close LOCA or Drains Sys Aux Manual Bldg Isol Valve Pilot Valve: P45-F528 1 P45-F160 9.3-11 Floor and Equip Close LOCA or Drains Sys Aux Manual Bldg Isol Valve Pilot Valve: P45-F530 1 7.6-113 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.6-12: AUXILIARY BUILDING ISOLATION SYSTEM ACTUATED EQUIPMENT LIST (CONTINUED)

Figure Equipment No. ESF Actuating Number (P&ID) Description Division Function Signal P45-F163 9.3-11 Floor and Equip Close LOCA or Drains Sys Aux Manual Bldg Isol Valve Pilot Valves:

P45-F532 1 P45-F533 2 P45-F159 9.3-11 Floor and Equip Close LOCA or Drains Sys Aux Manual Bldg Isol Valve Pilot Valve: P45-F529 2 P45-F161 9.3-11 Floor and Equip Close LOCA or Drains Sys Aux Manual Bldg Isol Valve Pilot Valve: P45-F531 2 P21-F024 9.2-12 Makeup Water Close LOCA or Treatment Sys. Manual Aux Bldg Isol Vlv Pilot Valves:

P21-F501 1 P21-F500 2 P66-F029A 9.2-14 Domestic Water Close LOCA or System Aux Bldg Manual Isol Vlv Pilot Valves:

P66-F500 1 P66-F504 2 E12-F203 5.4-17 RHR "A" Loop Close LOCA or Discharge to Manual Liquid Radwaste Pilot Valves:

E12-F537A 1 E12-F537B 2 7.6-114 Revision 2016-00

TABLE 7.6-13: AUXILIARY SUPPORTING SYSTEM REQUIREMENTS AUXILIARY SUPPORTING SYSTEMS Heating, Ventilating, and Air Conditioning Systems Standby Service Water System ESF Electrical Switchgear Diesel Generator Systems Diesel Generator Building Safegyard Switchgear and Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION Standby Power Systems Standby Service Water ECCS Pump Rooms AUXILIARY SUPPORTING Battery Rooms Rooms SYSTEM REQUIREMENTS Pumphouse ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY 7.6-115 Refueling Interlocks Process Radiation Monitoring System DC Leak Detection System X X X X X X X Neutron Monitoring System Road Block Trip System X X X X X X X Rod Pattern Control System X X X X X X X Recirculation Pump Trip System DC Spent Fuel Pool Cooling and Cleanup X X X X X X X System Component Cooling Water System X X X X X X X (Fuel Pool Cooling)

Revision 2016-00 Suppression Pool Temperature Monitoring X X X X X X X Auxiliary Building Isolation Control Referenced Section for Description 7.3.1.1.7 8.3.1.1 9.5.4 9.4.5 9.4.5 9.4.5 9.4.5 9.4.5 Auxiliary Supporting Systems 8.3.2.1 9.5.5 9.5.6 9.5.7 9.5.8

TABLE 7.6-14: REACTOR COOLANT PRESSURE BOUNDARY LEAK DETECTION Control Room Control Rm FSAR Subsystem Type Sensor Indications Alarm Computer Figure Updated Final Safety Analysis Report (UFSAR)

1. Main Steam Line Leak Temperature & Temperature Yes Yes 7.6-17 GRAND GULF NUCLEAR GENERATING STATION Detection Temperature Recorders

2. Main Steam Line Leak Differential Indicating Trip Yes Yes 7.6-16 Detection Pressure Units

3. RCIC System Leak Temperature & Temperature Yes Yes 7.6-17 Detection Temperature Recorders

4. RCIC System Leak Differential Indicating Trip Yes Yes 7.6-16 Detection Pressure Units

5. RCIC System Leak Pressure Indicating Trip Yes Yes 7.6-16 Detection Units 7.6-116

6. Recirc Pump Leak Pressure (Seals) Pressure Yes Yes 7.6-3 Detection Indicators

7. Recirc Pump Leak Flow Transmitter Computer Points Yes Yes 7.6-3 Detection (Seals)

8. RHR System Leak Temperature & Temperature Yes Yes 7.6-17 Detection Temperature Recorders

9. RHR System Leak Differential Indicating Trip Yes No 7.6-16 Detection Pressure Units

10. RHR System Leak Level Switches None Yes Yes 7.6-17/

Revision 2016-00 Detection (Sump & Room) 9.3-10

11. RWCU System Leak Level Switches & Timer Indication Yes Yes 9.3-10 Detection Timers (Sump)

12. RWCU System Leak Temperature None Yes Yes 9.3-10 Detection (Sump)

TABLE 7.6-14: REACTOR COOLANT PRESSURE BOUNDARY LEAK DETECTION (Continued)

Control Room Control Rm FSAR Subsystem Type Sensor Indications Alarm Computer Figure

13. RWCU System Leak Flow Flow Indicators Yes Yes 7.6-17 Updated Final Safety Analysis Report (UFSAR)

Detection GRAND GULF NUCLEAR GENERATING STATION

14. RWCU System Leak Temperature & Temperature Yes Yes 7.6-17 Detection Temperature Recorders

15. Drywell/Containment Particulate, Noble Indicating Trip Yes Yes 7.5-5 Leak Detection Gas Radn Mon. Units & Radn Rec.

16. Drywell/Containment Level Transmitter Level Recorder Yes Yes 7.6-17 Leak Detection (Floor Drain Sump)

17. Drywell/Containment Level Switches & Timer Indication Yes Yes 9.3-9 Leak Detection Timers (Sump) 7.6-117

18. Drywell/Containment Temperature None Yes Yes 9.3-9 Leak Detection (Sump)

19. Drywell/Containment Temperature None Yes Yes 9.4-13 Leak Detection (Coolers)

20. Drywell/Containment Temperature Temperature Yes Yes 7.5-5 Leak Detection Recorders

21. Drywell/Containment Pressure Indicating Trip Yes Yes 7.5-5 Leak Detection Units

22. Drywell/Containment Temperature & Flow None Yes Yes 7.6-17 Leak Detection (Valve Leakoff)

Revision 2016-00

23. Drywell/Containment Transmitter (Cooler Indicating Trip Yes Yes 7.6-17 Leak Detection Drain) Units

24. HPCS System Leak Differential Indicating Trip Yes Yes 7.6-16 Detection Pressure Units

25. HPCS System Leak Level Switches (Sump None Yes Yes 7.6-17/

Detection & Room) 9.3-10

TABLE 7.6-14: REACTOR COOLANT PRESSURE BOUNDARY LEAK DETECTION (Continued)

Control Room Control Rm FSAR Subsystem Type Sensor Indications Alarm Computer Figure

26. LPCS System Leak Differential Indicating Trip Yes Yes 7.6-16 Detection Pressure Units Updated Final Safety Analysis Report (UFSAR) GRAND GULF NUCLEAR GENERATING STATION

26. LPCS System Leak Level Switches (Sump None Yes Yes 7.6-17/

Detection & Room) 9.3-10 7.6-118 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-119 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-120 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-121 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-122 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-123 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-124 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-125 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-126 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-127 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-128 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-129 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-130 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-131 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-132 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-133 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-134 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-135 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-136 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-137 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-138 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-139 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-140 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Figure 7.6-14 Deleted 7.6-141 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Figure 7.6-15 Deleted 7.6-142 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-143 LBDCR 2016-193

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.6-144 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY 7.7.1 Description This subsection discusses instrumentation and controls of systems whose functions are not essential for the safety of the plant and permits an understanding of the way the reactor and important subsystems are controlled. The systems include:

a. Reactor vessel - instrumentation

b. Rod control and information system

c. Recirculation flow control system

d. Feedwater control system

e. Pressure control and turbine-generator system

f. Neutron monitoring system (NMS) - traversing in-core probe (TIP) subsystem

g. NSSS process computer system

h. Reactor water cleanup system

i. Gaseous radwaste system

j. Auxiliary building pressure control system

k. Process sampling system (PSS) 7.7.1.1 Reactor Vessel - Instrumentation Figure 5.2-7 shows the instrument numbers, arrangements of the sensors, and sensing equipment used to monitor the reactor vessel conditions. Because the reactor vessel sensors used for safety systems, engineered safeguards, and control systems are described and evaluated in other portions of this document, only the sensors that are not required for those systems are described in this subsection.

7.7-1 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.1.1 System Identification 7.7.1.1.1.1 General The purpose of the reactor vessel instrumentation is to monitor the key reactor vessel operating variables during plant operation.

These instruments and systems are used to provide the operator with information during normal plant operation, startup, and shutdown. They are monitoring devices and provide no active power control or safety functions.

7.7.1.1.1.2 Classification The systems and instruments discussed in this subsection are designed to operate under normal and peak operating conditions of system pressures and ambient pressures and temperatures and are classified as not related to safety.

7.7.1.1.1.3 Reference Design Table 7.1-2 lists the reference design information. The reactor vessel instrumentation is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities.

This system is functionally identical to the referenced system.

7.7.1.1.2 Power Sources The systems and instruments discussed in this subsection are powered from the instrument bus.

7.7.1.1.3 Equipment Design For instruments which are located below the process tap, the sensing lines slope downward from the process tap to the instrument a minimum of 1 in/ft. (minimum 1/2 in/ft. for those lines which cannot be sloped a minimum 1 in/ft. due to obstructions) so that air traps are not formed. Where it is impractical to locate the instruments below the process tap, the sensing lines descend for at least 36 inches close to the process connection before sloping a minimum of 1 in/ft. up to a high point vent located at an accessible elevation above the instrument. The purpose of this is to prevent entrapment of a noncondensable gas in the sensing line.

7.7-2 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.1.3.1 Circuit Description 7.7.1.1.3.1.1 Reactor Vessel Temperature The reactor vessel temperature is determined on the basis of reactor coolant temperature. Temperatures needed for operation and for compliance with the technical specification operating limits are obtained from one of several sources, depending on the operating condition. During normal operation, either reactor pressure and/or the inlet temperature of the coolant in the recirculation loops can be used to determine the vessel temperature. Below the operating span of the resistance temperature detectors in the recirculation loop and above 212 F, the vessel pressure is used for determining the temperature.

Below 212 F, the vessel coolant, and thus the vessel temperature, is reasonably well shown by the reactor water cleanup system inlet temperature. These three sources of input are most conveniently available from the process computer. During normal operation, vessel thermal transients are limited via operational constraints on parameters other than temperature.

7.7.1.1.3.1.2 Reactor Vessel Water Level Figure 7.7-1 shows the water level range and the vessel penetration for each water level range. The instruments that sense the water level are strictly differential pressure devices calibrated to be accurate at a specific vessel pressure and liquid temperature condition. The following is a description of each water level shown on Figure 7.7-1.

a. Shutdown water level range: This range is used to monitor the reactor water level during the shutdown condition when the reactor system is flooded for maintenance and head removal. The water level measurement design is the condensate chamber reference leg type that is not compensated for changes in density. The vessel temperature and pressure condition that is used for the calibration is 0 psig and 120 F water in the vessel. The two vessel instrument penetration elevations used for this water level measurement are located at the top of the RPV head and the instrument tap just below the bottom of the dryer skirt.

b. Upset water level range: This range is used to monitor the reactor water when the level of the water goes off the narrow range scale on the high side. The design and vessel 7.7-3 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) taps are the same as outlined above. The vessel pressure and temperature condition for accurate indication is at the normal operating point. The upset water level is continuously indicated by a recorder in the control room.

The upset range and narrow range recorders are located in close proximity of each other. The upset range upper limit is higher than the narrow range upper limit. Therefore when the indication goes off scale in the upscale direction on the narrow range recorder, water level indication may be read immediately from the upset range recorder. Further information as to the range and control room indication is discussed in the feedwater control system subsection 7.7.1.4.

c. Narrow water level range: This range uses the RPV taps at the elevation near the top of the dryer skirt and the taps at an elevation near the bottom of the dryer skirt. The zero of the instrument is approximately 15 inches above the bottom of the dryer skirt and the instruments calibrated to be accurate at the normal operating point.

The water level measurement design is the condensate chamber reference leg type, is not density compensated, and uses differential pressure devices as its primary elements. The feedwater control system uses this range for its water level control and indication inputs. For more information as to the range, trip points, number of channels, and control room indication, see the discussion on the feedwater control system, subsection 7.7.1.4.

d. Wide water level range: This range uses the RPV taps at the elevation near the top of the dryer skirt and the taps at an elevation near the top of the active fuel. The zero of the instrument is approximately 15 inches above the bottom of the dryer skirt and the instruments are calibrated to be accurate at the normal power operating point. The water level measurement design is the condensate chamber reference leg type, is not density compensated, and uses differential pressure devices as its primary elements.

e. Fuel zone water level range: This range uses the RPV taps at the elevation near the bottom of the dryer skirt and the taps at the jet pump diffuser skirt. The zero of the instrument is approximately 15 inches above the bottom of the dryer skirt and the instruments are calibrated to be 7.7-4 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) accurate at 0 psig and saturated condition. The water level design is not density compensated, and uses differential pressure devices as its primary element.

These instruments provide input water level indication.

The condensate chamber reference leg for the narrow-range and wide-range water level range is common as discussed in Section 7.3.

In order to decouple the change in measured water level with changes in drywell temperature, the elevation drop from RPV penetration to the drywell penetration will remain uniform for the narrow-range and wide-range water level instrument lines.

Reactor water level instrumentation that initiates safety systems and engineered safeguards systems is discussed in subsections 7.2.1 and 7.3.1. Reactor water level instrumentation that is used as part of the feedwater control system is discussed in subsection 7.7.1.4. The reactor water level that pertains to this subsection is used to monitor the reactor water level during the shutdown conditions when the reactor system is flooded for maintenance and head removal. The water level design is the condensate chamber reference leg type that is not compensated for change in density.

During reactor power operation, the reference legs are continuously backfilled to preclude the effects on non-condensible gas accumulation. The vessel condition that will provide accurate water level information is 0 psig pressure and ambient temperature. The range of the instrument is from the bottom of the feedwater control operating range to a level over the top of the reactor vessel head.

7.7.1.1.3.1.6 Reactor Core Hydraulics A differential pressure transmitter indicates core plate pressure drop by measuring the pressure difference between the core inlet plenum and the space just above the core support assembly. The instrument sensing line used to determine the pressure below the core support assembly attaches to the same reactor vessel tap that was originally used for the injection of the liquid from the standby liquid control system. An instrument sensing line is provided for measuring pressure above the core support assembly.

The differential pressure of the core plate is recorded in the main control room.

7.7-5 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Another differential pressure device indicates the jet-pump-developed head by measuring the pressure difference between the pressure above the core and the pressure below the core plate.

This indication is indicated locally.

7.7.1.1.3.1.7 Reactor Vessel Pressure Pressure indicators and transmitters detect reactor vessel internal pressure from the same instrument lines used for measuring reactor vessel water level.

The following list shows the subsections in which the reactor vessel pressure measuring instruments are discussed:

a. Pressure transmitters and trip units for initiating scram, and pressure transmitters and trip units for bypassing the main steam line isolation valve closure are discussed in subsections 7.2.1.1 and 7.3.1.1.2.

b. Pressure transmitters and trip units used for HPCS, LPCS, LPCI, and ADS are discussed in subsection 7.3.1.1.1.

c. Pressure transmitters and recorders used for feedwater control are discussed in subsection 7.7.1.4.

d. Pressure transmitters that are used for pressure recording are discussed in subsection 7.5.1.2.2.2.

7.7.1.1.3.1.5 Reactor Vessel Head Seal Leak Detection Pressure between the inner and outer reactor vessel head seal ring is sensed by a pressure transmitter. If the inner seal fails, the pressure at the pressure transmitter is the vessel pressure and the associated trip unit will trip and actuate an alarm. The plant will continue to operate with the outer seal as a backup, and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak will be detected by an increase in drywell temperature and pressure.

7.7-6 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.1.3.1.6 Safety/Relief Valve Seat Leak Detection Thermocouples are located near the discharge of the safety/relief valve seat. The temperature signal goes to a multipoint recorder with an alarm. The alarm will be activated by any temperature in excess of a set temperature signalling that one of the safety/

relief valve seats has started to leak.

7.7.1.1.3.1.7 Other Instruments

a. The feedwater temperature is measured and transmitted to the control room.

b. The feedwater corrosion products are monitored and the signal is transmitted to the control room for recording.

7.7.1.1.3.2 Testability Pressure, differential pressure, water level, and flow instruments are located outside the drywell and are piped so that calibration and test signals can be applied during reactor operation, if desired.

7.7.1.1.4 Environmental Considerations There are no special environmental considerations for the instruments described in this subsection.

7.7.1.1.5 Operational Considerations 7.7.1.1.5.1 General Information The reactor vessel instrumentation discussed in this subsection is designed to augment the existing information from the engineered safeguards and safety system such that the operator can start up, operate at power, shut down, and service the reactor vessel in an efficient manner. None of this instrumentation is required to initiate any engineered safeguard or safety system.

7.7.1.1.5.2 Operator Information The information that the operator has at his disposal from the instrumentation discussed in this subsection is discussed below:

a. The shutdown flooding water level is indicated in the control room.

7.7-7 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. The core plate differential pressure is recorded on a recorder. A second input is used for total core flow.

c. The jet-pump-developed head is indicated at a local instrument rack.

d. The reactor pressure is indicated at two local racks in the containment by pressure gages.

e. The reactor head seal leak detection system actuates an annunciator when the inner reactor head seal fails.

f. The discharge temperatures of all the safety/relief valves are shown on a multipoint recorder in the control room.

Any temperature point that has exceeded the trip setting will actuate an annunciator indicating that a safety/

relief valve seat has started to leak.

g. The feedwater corrosion products are recorded in the control room. The recorder will actuate an annunciator in the control room for either a high or low signal.

7.7.1.1.5.3 Set Points The annunciator alarm set points for the reactor head seal leak detection, safety/relief valve seat leak detection, and feedwater corrosion product monitor are set so the sensitivity to the variable being measured will provide adequate information.

Figure 7.7-1 shows the relative indicated water levels, 1 through 8, at which various automatic alarms and safety actions are initiated. Specific level values are shown in Tables 7.3-2 through 7.3-5 and 7.3-10. Each of the listed actions is described and evaluated in the subsection of this report where the system involved is described. The following list tells where various level measuring components and their set points are discussed.

a. Level transmitters and trip units for initiating scram are discussed in subsection 7.2.1.1.

b. Level transmitters and trip units for initiating containment or vessel isolation are discussed in subsection 7.3.1.1.2.

7.7-8 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Level transmitters and trip units used for initiating HPCS, LPCI, LPCS, and ADS and the level switches used to shut down the HPCS pump are discussed in subsection 7.3.1.

d. Level transmitters and trip units to initiate RCIC and the level switches to shut down the RCIC pump drive turbine are discussed in subsection 7.4.1.1.

e. Level trips to initiate various alarms and trip the main turbine and the feedpumps are discussed in subsection 7.7.1.4.

7.7.1.2 Rod Control and Information System - Instrumentation and Controls 7.7.1.2.1 System Identification 7.7.1.2.1.1 General The objective of the rod control and information system is to provide the operator with the means to make changes in nuclear reactivity so that reactor power level and power distribution can be controlled. The system allows the operator to manipulate control rods.

The rod control and information system instrumentation and controls consist of the electrical circuitry, switches, indicators, and alarm devices provided for operational manipulation of the control rods and the surveillance of associated equipment.

This system includes the interlocks that inhibit rod movement (rod block) under certain conditions. The rod control and information system does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Section 7.2, Reactor Protection System. In addition, the mechanical devices of the control rod drives and the control rod drive hydraulic system are not included in the rod control and information system. The latter mechanical components are described in subsection 4.1.3, Reactivity Control System.

7.7-9 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.2.1.2 Classification This system is a power generation system, and is classified as not related to safety. However, certain portions of the system pertaining to rod blocks and pattern control are classified essential (safety related).

7.7.1.2.1.3 Reference Design Table 7.1-2 lists reference design information. The rod control and information system is an operational system with some safety functions. It is functionally identical to the referenced system.

7.7.1.2.2 Power Sources Normal:

The rod control and information system receives its power from the 120 V ac instrumentation buses, A and B. Each of these buses receives its normal power supply from the appropriate 480 V ac standby power system. (See subsection 8.3.1, AC Power Systems.)

Alternate:

On loss of normal auxiliary power, the station diesel generators provide backup power to the 480-volt standby ac power systems.

7.7.1.2.3 Equipment Design 7.7.1.2.3.1 General The following discussions examine the control rod movement instrumentation and control aspects of the subject system and the control rod position information system aspects. The control descriptions include:

a. Control rod drive - control system

b. Control rod drive - hydraulic system

c. Rod block interlocks The position descriptions include:

a. Rod position probes

b. Display electronics 7.7-10 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Figures 4.6-7 and 4.6-8 show the layout of the control rod drive-hydraulic system. The CRD FCD (see Section 1.7) shows the functional arrangement of devices for the control of components in the control rod drive-hydraulic system. The logic diagram for the rod control and information system is provided by reference in Section 1.7. Although the drawings also show the arrangement of scram devices, these devices are not part of the rod control and information system. Control rods are moved by admitting water, under pressure from a control rod drive water pump, into the appropriate end of the control rod drive cylinder. The pressurized water forces the piston, which is attached by a connecting rod to the control rod, to move. Three modes of control rod operation are used: insert, withdraw, and settle. Four solenoid-operated valves are associated with each control rod to accomplish the actions required for the operational modes. The valves control the path that the control rod drive water takes to the cylinder. The control rod drive control system, a subsystem of the rod control and information system, controls the valves.

7.7.1.2.3.2 Rod Movement Controls 7.7.1.2.3.2.1 Control Rod Drive Control System 7.7.1.2.3.2.1.1 Introduction When the operator selects a control rod for motion and operates the rod insertion control switch as shown in Figure 7.7-2, messages are formulated in the A and B portions of the rod drive control system. A comparison test is made of these two messages, and identical results confirmed; then a serial message in the form of electrical pulses is transmitted to all hydraulic control units (HCU). The message contains two portions, (1) the identity or address of the selected HCU, and (2) operation data on the action to be executed. Only one HCU responds to this transmission; for example, it proceeds to execute the rod insertion commands.

Hence, the two insert valves for the selected rod open, and allow the control rod drive water to follow a path that results in control rod insertion. In the ganged rod mode, up to 4 HCU's will respond.

On receipt of the transmitted signal as shown in Figure 7.7-2, the responding HCU transmits three portions of a message back to the control room for comparison with the original message:

a. Its own hard-wire identity address 7.7-11 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

b. Its own operations currently being executed

c. Status indications of valve positions, accumulator conditions, and test switch positions In a similar manner, rod withdrawal is accomplished by formulating a message containing a different operation code. The responding HCU decodes the message and proceeds to execute the withdrawal command by operation of HCU valves shown in Figure 4.6-5.

In either rod motion direction, the division 1 and division 2 messages are formulated and compared each millisecond and, if they agree, the comparison message is transmitted to the HCU selected by the operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are ac-coupled. The system must operate in a dynamic manner to effect rod motion.

Postulated failures within the rod control and information system generally will result in a static condition within the system, which will prevent further rod motion.

Any disagreement between the division 1 and division 2 formulated messages or the acknowledge responding echo message will prevent further rod motion. However, electrical noise disruptions will have only a momentary effect on the system in proportion to the duration of the offending source. Correct operation of the system will resume when the noise source ceases.

In Figure 7.7-3, three action loops of the solid-state rod control and information system are depicted:

a. The high-speed loop (0.0002-sec duration) services the control rod selected by the operator to transmit action commands and receive status indications

b. The medium-speed loop (0.045-sec duration) monitors the other control rods in the reactor, one at a time, to update their status display

c. The low-speed loop (on the order of 80 to 500-sec duration) exercises one HCU at a time to ensure correct execution of actions commanded. This provides for a continuous, periodic self-test of the entire rod control and information system.

7.7-12 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selection condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.

Two of the valves on the HCU, labeled withdraw, permit rod withdrawal. The withdrawal valve that connects the insert drive water supply line to the exhaust water header is also the one that is associated with the settle operation. The remaining withdraw valve is associated only with the withdraw operation. The settle mode of control rod operation is provided to decelerate the control rod at the end of either an insert cycle or a withdraw cycle. The settle action smooths out the control rod movement and prolongs the life of control rod drive-hydraulic system components. During the settle mode, the withdraw valve associated with the settle operation is opened or remains open while the other three solenoid-operated valves are closed.

During an insert cycle, the settle action vents the pressure from the insert drive water supply line to the exhaust header and thus gradually reduces the differential pressure across the drive piston of the selected rod. During a withdraw cycle, the settle action holds open the discharge path for withdraw water while the withdraw drive water supply is shut off. This also allows a gradual reduction in the differential pressure across the control rod drive piston. After the control rod has slowed down, the collect fingers engage the index tube and lock the rod in position.

The direction in which the selected rod moves is determined by the position of four switches located on the reactor control panel.

These four switches, insert, withdraw, continuous insert, and continuous withdraw, are pushbuttons which return by spring action to an off position.

7.7.1.2.3.2.1.2 Insert Cycle Following is a description of the detailed operation of the rod control and information system during an insert cycle. The cycle is described in terms of the insert, withdraw, and settle commands emanating from the rod control and information system. The 7.7-13 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) response of a selected rod when the various commands are transmitted has been explained previously. The CRD FCD (See Section 1.7) can be used to follow the sequence of an insert cycle.

With a control rod selected for movement, depressing the insert switch and then releasing the switch energizes the insert command for a limited time.

By depressing the continuous pushbutton at the same time as the insert pushbutton, the logic maintains the insert command in a continuously energized state to cause continuous insertion of the selected control rod.

Just before the insert command is removed, the settle command is automatically energized and remains energized for a limited time.

The insert command time setting and the rate of drive water flow provided by the control rod drive-hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-in.) insertion of the selected rod for each momentary application of a rod-in signal from the rod movement switch.

Continuous insertion of a selected control rod is possible by holding the insert pushbutton.

7.7.1.2.3.2.1.3 Withdraw Cycle Following is a description of the detailed operation of the rod control and information system during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle commands. The response of a selected rod when the various commands are transmitted has been explained previously. The CRD FCD can be used to follow the sequence of a withdraw cycle.

With a control rod selected for movement, depressing the withdrawal switch energizes the insert valves for a short time.

Energizing the insert valves at the beginning of the withdrawal cycle is necessary to allow the collet fingers to disengage the index tube. When the insert valves are deenergized, the withdraw and settle valves are energized for a controlled period of time.

The withdraw valve is deenergized before the settle valve; this tends to decelerate the selected rod. When the settle valve is deenergized, the withdraw cycle is complete. This withdraw cycle is the same whether the withdraw switch is held continuously or is released. The timers that control the withdraw cycle are set so 7.7-14 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) that the rod travels one notch (6-in.) per cycle. Provisions are included to prevent further control rod motion in the event of timer failure.

A selected control rod can be continuously withdrawn if the withdraw switch is held in the depressed position at the same time that the continuous withdraw switch is held in the depressed position. With both switches held in these positions, the withdraw command is continuously energized.

7.7.1.2.3.2.1.4 Ganged Rod Motion In the ganged rod mode of operation, more than one rod may be moved at a time. This mode of operation facilitates plant startup and load following. Ganged rod movement can be used for either insert or withdrawal and the operation of the HCUs is the same as described for the withdraw and insert cycle. Ganged rod movement can be initiated at any power level and is subject to the constraints of the rod pattern control system.

To initiate ganged rod movement, the operator places a mode selector switch located on the operator control module in the gang motion position. To select a gang of rods for motion, the operator can select any rod in that gang and the other rods in the gang are automatically selected. There are from one to four rods in a gang.

The selected gang may be inserted or withdrawn in either the notch mode or the continuous mode. Movement of the selected gang of rods is accomplished by operating the insert or withdraw pushbutton for single notch gang movement; and the simultaneous operation of the continuous pushbutton if continuous gang movement is desired.

During gang mode control rod movement, the positions of all rods in the gang are continuously monitored by both channels of the RPIS and rod pattern control system (RPC). From 0 percent to the rod control and information system (RC&IS) low power set point (approximately 20 percent reactor power), gang motion is blocked whenever one or more rods in the gang exceed the RPC specified notch limit. This function is similar to the constraints placed on single rod movement.

7.7.1.2.3.2.2 Control Rod Drive-Hydraulic System Control One motor-operated pressure control valve, two air-operated flow control valves, and four pairs (eight individual) of solenoid-operated stabilizer valves are included in the control rod drive-hydraulic system to maintain smooth and regulated system 7.7-15 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) operation. These devices are shown in Figures 4.6-7 and 4.6-8. The motor-operated pressure control valve is positioned by manipulating switch in the control room. The switch for the valve is located close to the pressure indicators that respond to the pressure changes caused by the movements of the valve. The air-operated flow control valves are automatically positioned in response to signals from an upstream flow measuring device. The stabilizer valves are automatically controlled by the energization of the insert and withdraw commands. The control scheme is shown in the CRD FCD (See Section 1.7). There are two drive water pumps which are controlled by switches in the control room. Each pump automatically stops on indication of low suction pressure.

7.7.1.2.3.2.3 Rod Block Trip System - Instrumentation and Controls A portion of the rod control and information system (RC&IS), upon receipt of input signals from other systems and subsystems, inhibits movement or selection of control rods.

7.7.1.2.3.2.3.1 Grouping of Channels The same grouping of neutron monitoring equipment (SRM, IRM, and APRM) that is used in the reactor protection system is also used in the rod block circuitry.

Half of the total monitors (SRM, IRM, and APRM) provide inputs to one of the RC&IS rod block logic circuits and the remaining half provide inputs to the other RC&IS rod block logic circuit. Scram discharge volume high water level signals are provided as inputs into each of the two rod block logic circuits. Both rod block logic circuits sense when the high water level trip for the scram discharge volume is bypassed.

The APRM rod block setting is varied as a function of recirculation flow. Analyses show that the selected setting is sufficient to avoid both reactor protection system action and local fuel damage as a result of a single control rod withdrawal error. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. Additional detail on all the neutron monitoring system trip channels is available in subsection 7.6.1.5, Neutron Monitoring System. The rod block from scram discharge volume high water level utilizes two transmitters 7.7-16 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) installed on the scram discharge volume. A second trip unit on each transmitter provides a control room annunciation of increasing level below the level at which a rod block occurs.

7.7.1.2.3.2.3.2 Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in subsection 7.6.1.5. The RC&IS logic (see Section 1.7) shows all the rod block functions on a logic diagram. The rod block functions provided specifically for refueling situations are described in subsection 7.6.1.1, Refueling Interlocks.

a. With the mode switch in the SHUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode.

b. The circuitry is arranged to initiate a rod block, regardless of the position of the mode switch for the following conditions:

1. Any average power range monitor (APRM) upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require reactor protection system action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.

2. Any APRM inoperative alarm. This assures that no control rod is withdrawn unless the average power range neutron monitoring channels are either in service or correctly bypassed.

3. Scram discharge volume high water level. This assures that no control rod is withdrawn unless enough capacity is available in the scram discharge volume to accommodate a scram. The setting is selected to initiate a rod block earlier than the scram that is initiated on scram discharge volume high water level.

4. Scram discharge volume high-water-level scram trip bypassed is provided with the mode switch in the shutdown or refuel position. This assures that no 7.7-17 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) control rod is withdrawn while the scram discharge volume high-water-level scram function is out of service.

5. Rod position information system malfunction. This assures that no control rod can be withdrawn unless the rod position information system is in service.

6. Rod movement timer malfunction during withdrawal.

This assures no control rod can be withdrawn unless the timer is in service.

c. With the mode switch in the RUN position, any of the following additional conditions initiates a rod block.

1. Any APRM downscale or flow reference upscale alarm.

This assures that no control rod will be withdrawn during power range operation unless the average power range neutron monitoring channels are operating correctly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.

d. With the mode switch in the STARTUP or REFUEL position, any of the following conditions initiates a rod block:

1. Any source range monitor (SRM) detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This assures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the operator with neutron flux level information.

2. Any SRM upscale level alarm. This assures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup. The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.

3. Any SRM downscale alarm. This assures that no control rod is withdrawn unless the SRM count rate is above the minimum prescribed for low neutron flux level monitoring.

7.7-18 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

4. Any SRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available, i.e., all SRM channels are in service or correctly bypassed.

5. Any intermediate range monitor (IRM) detector not fully inserted into the core. This assures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available, i.e., all IRM detectors are correctly located.

6. Any IRM upscale alarm. This assures that no control rod is withdrawn unless the intermediate range neutron monitoring equipment is correctly upranged during a reactor startup. This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring reactor protection system action (scram) in the event that a rod withdrawal error is made during low neutron flux level operations.

7. Any IRM downscale alarm except when the range switch is on the lowest range. This assures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the intermediate range monitor is on scale if control rods are to be withdrawn.

8. Any IRM inoperative alarm. This assures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available, i.e., all IRM channels are in service or are correctly bypassed.

7.7-19 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.2.3.2.3.3 Rod Block Bypasses To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

2 SRM channels (1 on either Bus A or Bus B) 2 IRM channels (1 on either Bus A or Bus B) 1 APRM channels The IRMs are arranged as two groups of equal numbers of channels.

One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The same type of grouping and bypass arrangement is used for the SRMs. The APRM subsystem is designed so that only one APRM may be bypassed at any given time.

The arrangement allows the bypassing of one SRM, one IRM, and one APRM in each rod block logic circuit.

These bypasses are effected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is effected as the neutron flux increases beyond a preset low level on the SRM instrumentation. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.

7.7.1.2.3.2.3.4 Rod Block Interlocks The RC&IS logic and the neutron monitoring system FCD (see Section 1.7) show the rod block interlocks used in the rod control and information system. The RC&IS logic shows the general functional arrangement of the interlocks, and the neutron monitoring system FCD shows in greater detail the rod blocking functions that originate in the neutron monitoring system.

7.7.1.2.3.2.3.5 Redundancy To achieve an operationally desirable performance objective where most failures of individual components would be easily detectable or would not disable the rod movement inhibiting functions, the 7.7-20 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) rod block logic circuitry is arranged as two redundant and separate logic circuits. These circuits are energized when control rod movement is allowed. Each logic circuit receives input trip signals from a number of channels and each logic circuit can provide a separate rod block signal to inhibit rod withdrawal.

The output of each logic circuit is coupled to a comparator by the use of isolation devices in the rod drive control cabinet. The formulated A and B signals are compared and rod blocks applied when either A or B trip signals are present. Rod withdrawal is permitted only if the two signals agree at all times. Because the transmitted signals are dynamic and vary with time, any rod control and information system failure that interrupts the dynamic signals transmitted to the hydraulic control units will prevent further control rod motion. Hence, failures consisting of short circuits, open circuits, loss of circuit continuity, loss of power, or cards or instruments out of file will inhibit rod movement.

The rod block circuitry is effective in preventing rod withdrawal, if required, during both normal (notch) withdrawal and continuous withdrawal. If a rod block signal is received during a rod withdrawal, the control rod is automatically stopped at the next notch position, even during a continuous rod withdrawal. It is designed so that no single failure can prevent a rod block.

The components used to initiate rod blocks in combination with refueling operations provide rod block trip signals to these same rod block circuits. These refueling rod b1ocks are described in subsection 7.6.1.1, Refueling Interlocks.

7.7.1.2.3.2.3.6 Testability On-line testability of the systems and indication of bypassed or inoperable status of the system is provided.

7.7.1.2.3.2.3.7 Environmental Considerations The equipment is qualified by tests or analyses to meet the environmental conditions in Table 3.11-3. The equipment is mounted in the control room and will not see design basis accident or anticipated operational occurrence environments.

7.7-21 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.2.3.2.3.8 Operational Considerations The rod block trips prevent an operator from withdrawing rods if the associated equipment is not capable of monitoring core response or, if unchecked, the withdrawals might require a protective system action (scram). There are no special operational considerations.

7.7.1.2.3.2.4 Testability In addition to the periodic self-test mode of system operation, the rod control and information circuitry can be routinely checked for correct operation by manipulating control rods using the various methods of control. Detailed testing and calibration can be performed by using standard test and calibration procedures for the various components of the rod control and information circuitry.

7.7.1.2.3.3 Rod Position Information This subsystem includes the rod position probes and the electronic hardware that processes the probe signals and provides the data described above.

Control rod position information is obtained from reed switches in the control rod drive that open or close as a magnet attached to the rod drive piston passes during rod movement. Reed switches are provided at each 3-in. increment of piston travel. Because a notch is 6 inches, indication is available for each half-notch of rod travel. The reed switches located at the half-notch positions for each rod are used to indicate rod drift. Both a rod selected for movement and the rods not selected for movement are monitored for drift. A drifting rod is indicated by an alarm and indicator in the control room. The rod drift condition is also monitored by the process computer.

Reed switches are also provided at locations that are beyond the limits of normal rod movement. If the rod drive piston moves to these overtravel positions, an alarm is sounded in the control room. The overtravel alarm provides a means to verify that the drive-to-rod coupling is intact because, with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position. All position data for each rod are arranged in two 11-wire (5 by 6) matrices for transmission to the control room. See Figure 7.7-4.

7.7-22 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Each control rod drive has two complete sets of reed switches for redundant indication of all the information specified above.

These two sets of switches are electrically and mechanically separate within a common enclosure.

7.7.1.2.4 Environmental Considerations The rod control and information system (control and position indication circuitry) is not required for any plant safety function, nor is it required to operate in any associated design basis accident or transient occurrence. The rod control and information circuitry is required to operate only in the normal plant environments during normal power generation operations.

The control rod drives and their hydraulic control units are located in the containment. (See Table 3.11-1).

The logic, control units, and readout instrumentation are located in the control room. (See Table 3.11-1).

The control rod position detectors are located beneath the reactor vessel in the drywell. The normal design environments encountered in these areas are given in Table 3.11-1.

7.7.1.2.5 Operational Considerations 7.7.1.2.5.1 General Information The rod control and information system is totally operable from the control room. Manual operation of individual control rods is possible with a control switch to effect control rod insertion, withdrawal, or settle. Rod position indicators, described below, provide the necessary information to ascertain the operating state and position of all control rods. Conditions which prohibit control rod insertion are alarmed with the rod block annunciator.

7.7.1.2.5.2 Operator Information Table 7.7-1 gives information on instruments for the Control Rod Drive system. A large rod information display on the reactor control panel is patterned after a top view of the reactor core.

The display allows the operator to acquire information rapidly by scanning. The following information for each control rod is presented in the display:

7.7-23 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Rod fully inserted Rod fully withdrawn Selected rod identification Rod position (numeric) of selected rod or rods Dispersed throughout the display, in locations representative of the physical location of LPRM strings in the core, are LPRM indicators as follows:

LPRM low flux level LPRM high flux level Also dispersed throughout the display, in locations representative of the physical location of the current sensors utilized, is indication of loss of AC power for each of the groups of pilot scram solenoid valves.

The following indications are displayed in an on-demand function as selected by the operator:

Accumulator trouble Rod scram Rod drift Rod position (numeric) of all rods A continuous core rod position display is provided from both of the rod position information system cabinets. The data for the display may be automatically alternated between the two RPIS outputs at a rate that is visible to the operator so that position data faults are easily detected.

A separate, smaller display below the full core status display will provide the LPRM reading adjacent to the selected rod. The associated LPRM string for each rod in a gang may be selected and displayed so that the operator can easily observe proper motion of the gang rods. Proper gang motion can be further confirmed by observing rod position changes indicated by the full core display.

7.7-24 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The position signals of selected control rods, together with a rod identification signal, are provided as inputs to the on-line process computer. The acquisition of the rod position signal does not interrupt the rod position indication signal in the control room. The computer can, on demand, provide a full core printout of control rod positions.

The following control room lights are provided to allow the operator to know the conditions of the control rod drive hydraulic system and the control circuitry:

Insert command energized Withdrawal command energized Settle command energized Insert not permissive Withdrawal not permissive Insert required Continuous withdrawal Pressure control valve position Flow control valve position Drive water pump low suction pressure (alarm and pump trip)

Drive water filter high differential pressure alarm only)

Charging water (to accumulator) low pressure (alarm only)

Control rod drive temperature (alarm only)

Scram discharge volume not drained (alarm only)

Scram valve pilot air header low pressure (alarm only) 7.7.1.2.5.3 Set Points The subject system has no safety set points.

7.7.1.3 Recirculation Flow Control System - Instrumentation and Controls 7.7.1.3.1 System Identification 7.7.1.3.1.1 General The objective of the recirculation flow control system is to control reactor power level, over a limited range, by controlling the flow rate of the reactor recirculating water.

7.7-25 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The recirculation flow control system consists of the electrical circuitry, switches, indicators, motors, and alarm devices provided for operational manipulation of the recirculation flow control valves, low frequency M-G (LFMG) set, and the surveillance of associated equipment. During periods of low power operation, such as plant startup and shutdown, the recirculation pump and motor is powered by the LFMG set and operates at approximately 25 percent rated full load speed.

7.7.1.3.1.2 Classification This system is a power generation system and is classified as not required for safety.

7.7.1.3.1.3 Reference Design Table 7.1-2 lists reference design information. The recirculation flow control system is an operational system and has no safety function; therefore, there are no safety differences between this system and those of the above referenced facilities. The subject system is functionally identical to the referenced system.

7.7.1.3.2 Power Sources Normal:

The recirculation flow control system power is supplied by two 120 V ac instrument buses. Flow control loop A is powered from bus D and flow control loop B from bus E. That portion of the control system which is common to both loops A and B (master controller, etc.) is powered from either bus D or E. Each bus receives its normal power supply from the appropriate 480 V ac normal auxiliary power system. The LFMG sets (one for each recirculation loop) are supplied power from the 4160 V ac auxiliary power system. (See subsection 8.3.1, AC Power Systems)

Alternate:

On loss of normal auxiliary power, the startup transformer provides backup power to the 480 V ac normal auxiliary power systems.

7.7-26 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.3.3 Equipment Design 7.7.1.3.3.1 General An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. The additional neutron moderation increases reactivity of the core, which causes reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner.

Reactor recirculation flow is varied by throttling the recirculation pump discharge flow with control valves. The recirculation pumps operate at constant speed, on either LFMG set or normal 60-cycle power. By adjusting the position of the discharge throttling valves, the recirculation system can change the reactor power level.

The reactor power change resulting from the change in recirculation flow causes the pressure controller to reposition the turbine control valves. If the original demand signal was a turbine load/speed error signal, the turbine responds to the change in reactor power level by adjusting the control valves, and hence its power output, until the load/speed error signal is reduced to zero.

7.7.1.3.3.2 Pump Motor Control The recirculation pump/motor will operate from the normal plant electrical supply during normal plant power operation. At plant low-power levels, the recirculation pump/motor will operate from the electrical output of the low-frequency M-G (LFMG) set. Since the LFMG set electrical output frequency is at approximately one-fourth the normal plant electrical frequency, the recirculation pump/motor will be driven at approximately one-fourth of its rated speed.

The LFMG set is not intended to be capable of starting the recirculation pump/motor with the pump/motor initially at zero speed. At low reactor power levels the pump/motor start is initiated on the normal plant electrical power supply. As the pump/motor speed approaches rated full load speed, it is automatically tripped. When the pump/motor speed coastdown is about 25 percent of rated full load speed, the pump/motor will be 7.7-27 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) reenergized from the LFMG set and driven at about 25 percent rated full load speed. Preceding initiation of the pump/motor, the plant operator may manually start the LFMG set. If the LFMG set is not operating when the pump/motor start is initiated, the LFMG will be automatically started.

If pump/motor start is initiated at higher reactor power levels, the LFMG set will not start automatically, and the pump/motor will continue to operate at rated full load speed.

Certain trip functions, as defined in the reactor recirculation FCD, (See Section 1.7), will trip the pump/motor and automatically transfer it to the LFMG set. Other trip functions will trip the pump/motor without transfer to the LFMG set.

The pump drive motor is an ac, four-pole induction motor.

Anticipated Transient Without Scram In addition to the normal drive motor trips, a high vessel pressure or low-low vessel level (Level 2) will initiate a recirculation pump motor trip without transfer to the low frequency motor generator set. Each sensor and channel is separate and independent from the reactor protection system, and includes a testability feature that will allow testing of each sensor while the recirculation system is in operation. The abnormal position of the test switch is annunciated.

7.7.1.3.3.3 Low-Frequency Motor-Generator (LFMG) Set The LFMG set consists of a 16-pole ac induction motor driving a 4-pole ac synchronous generator through a flexible coupling. This arrangement provides one-quarter normal plant frequency at the output of the generator. The generator exciter is directly connected to the generator to provide a brushless excitation system. The voltage regulator for the excitation system is located in the auxiliary relay panel which is separate from the LFMG set.

Several permissives, described on the reactor recirculation system FCD, must be satisfied before the recirculation pump/

motor can be operated from either the normal plant electrical system or the LFMG set. These permissives prohibit pump start until conditions assure there will be no damage to the system.

Subsection 4.4.3 describes the regions of the operational map where operation is not permitted.

7.7-28 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.3.3.4 Valve Position Control Components The desired recirculation flow is achieved by manually positioning each of the flow control valves with the raise/lower lever provided on each flow controller. Automatic flow control and the neutron flux loop have been disabled.

A drywell pressure transmitter, which is independent of any safety-related switches, actuates a monitor switch when the drywell pressure increases to a level indicative of a LOCA. During normal operation, actuation of the monitor switch will actuate the motion inhibit interlock to the flow control valve so that its position cannot be changed. This circuit can be tested during operation by placing the drywell high-pressure test switch in the test position and externally applying pressure to the transmitter. Lockup of both valves will occur during test.

However, the hydraulic system for the flow control valve will not be shut down as it would during an actual disturbance. The position of the test switch is annunciated.

7.7.1.3.3.4.1 Deleted 7.7.1.3.3.4.2 Deleted 7.7.1.3.3.4.3 Deleted 7.7.1.3.3.4.4 Deleted 7.7.1.3.3.4.5 Deleted 7.7.1.3.3.4.6 Deleted 7.7.1.3.3.4.7 Flow Controller The individual flow controller (one for each valve) transmits the signal that adjusts the valve position. Each flow regulating valve is manually positioned with the manual output signal raise/

lower lever provided on each flow controller.

7.7.1.3.3.4.8 Limiter A limiting function is required (as briefly outlined in foregoing paragraphs). Electronic limiting, with reasonable range adjustment, is provided in each main flow control loop. This limiter is normally held bypassed by auxiliary devices such as relay contacts. If reduced feedwater pump capacity exists and 7.7-29 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) reactor vessel water level is low and the limiting permissive condition is exceeded, the main regulating valve will close to a position equal to that as if the limiting permissive condition had only been equalled, but not exceeded.

7.7.1.3.3.4.9 Valve Actuator The valve actuator (one for each valve) is the electro-hydraulic device that moves the flow control valve to the desired position and maintains it there. The valve control system is designed to maintain the valve in the last position demanded if control power is lost.

The valve actuator has an inherent rate limiting feature that will keep the resulting rate of change of core flow and power to within safe limits in the event of an upscale or downscale failure of the valve position or velocity control system.

A more detailed description of the valve actuator may be found in Section 5.4.

7.7.1.3.3.5 Testability All the recirculation flow control system components are tested and inspected according to the component manufacturers' recommendations as deemed appropriate.

7.7.1.3.4 Environmental Considerations The recirculation flow control system is not required for safety purposes, nor required to operate during or after any design basis accident. The system is required to operate in the normal plant environment for power generation purposes only.

The recirculation flow control equipment in the drywell, namely, the hydraulic actuator and pump isolation valve motors, is subject to the environment under design conditions listed in Table 3.11-1.

The logic, control units and instrumentation terminals are located in the control room and subject to the normal control room environment as listed in Table 3.11-1.

7.7-30 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.3.5 Operational Considerations 7.7.1.3.5.1 General Information Controllers for positioning the flow control valve are located in the control room. Control switches for LFMG set, pump/motor, pump isolation valves and interlock reset functions are also located in the control room. Switches and indicators for control of the flow control valve hydraulic system are located on a back row panel and in the control room for easy accessibility.

Flow control valve positioning circuit controls are manual and require operator action.

The LFMG set is required to supply power to the recirculation pump/motor only during plant low power conditions. Provisions are made to allow operation of the LFMG set independently of pump/

motor operation during normal plant power operation as well as during plant shutdown.

7.7.1.3.5.2 Operator Information Indication and alarms are provided to keep the operator informed of the status of systems and equipment, and to quickly determine the location of malfunctioning equipment.

Visual display consists of loop flow, valve position, and controller output and input deviation meters. Alarms are provided to alert the operator of malfunctioning control signals, inability to change valve position, condition of the hydraulic system, pump, and motor, and temperatures of cooling water. In most cases alarms are supplemented by light indicators to more closely define the problem area.

Indicating lights are provided to indicate status of the LFMG set and pump/motor control breakers. A pump/motor speed indicator is provided to indicate (in addition to the breaker indicating lights) to the operator which power supply is driving the pump/

motor. Alarms are provided to alert the operator of automatic trips and transfers of the pump/motor, malfunctions, and availability of automatic control circuitry.

7.7.1.3.5.3 Set Points The subject system has no safety set points.

7.7-31 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.4 Feedwater Control System - Instrumentation and Controls 7.7.1.4.1 System Identification 7.7.1.4.1.1 General The feedwater control system controls the flow of feedwater into the reactor pressure vessel to maintain the water in the vessel within predetermined levels during all plant operating modes. The range of water level is based upon the requirements of the steam separators (this includes limiting carry-over and carry-under, which affects turbine performance), and recirculation pump operation and the need to prevent exposure of the reactor core.

The feedwater control system employs water level, steam flow, and feedwater flow as a three-element control.

Single-element control is also available based on water level only. Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from a change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly.

7.7.1.4.1.2 Classification This system is a power generation system and is classified as not related to safety.

7.7.1.4.1.3 Reference Design Table 7.1-2 lists reference design information. The feedwater control system is an operational system and has no safety function.

7.7.1.4.2 Power Sources The Feedwater Control System power is configured such that no single power source failure can incapacitate more than one controlling level sensing element. The feedwater control systems power is derived from two diverse sources, designated the primary and secondary source. Change over from the primary source to the secondary source occurs automatically upon loss of input from the 7.7-32 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) primary source. The primary source is from a 125 VDC/120 VAC static inverter. The 125 VDC is from a BOP station battery. Inside the inverter cabinet is a static transfer switch. On failure of the static inverter, the static switch "bumplessly" transfers to an alternate AC source provided by a 480 VAC/120 VAC single phase shielded isolation transformer. The 480 VAC source is from a BOP Motor Control Center (MCC). The static inverter is also equipped with a manual transfer switch to allow inverter maintenance for increased reliability. The secondary source is provided by a BOP power panel. The two BOP AC sources (MCC and power panel) are from separate AC busses. The 24 VDC instrumentation power is derived from the 120 VAC feedwater control system power. Multiple 24 VDC power supplies are configured in a parallel fashion such that failure of a single 24 VDC source will not affect system operation.

7.7.1.4.3 Equipment Design 7.7.1.4.3.1 General During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel.

The system can be manually operated. (See Figure 7.7-6.)

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel.

During automatic operation, these three measurements are used for controlling feedwater flow.

The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators limit water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. For optimum limitation of carry-over and carry-under, the steam separators require that the reactor vessel water level decrease functionally as reactor power level increases. The water level in the reactor vessel is maintained within 2 inches of the optimum level. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel. The feedwater flow is regulated by controlling the speed of the turbine-driven feedwater pumps to deliver the required flow to the reactor vessel.

7.7-33 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.4.3.2 Reactor Vessel Water Level Measurement Reactor vessel narrow-range water level is measured by three identical sensing systems. For each channel, a differential pressure transmitter senses the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the reactor vessel. The differential pressure transmitter is installed on lines that serve other systems. (See subsection 7.7.1.1, Reactor Vessel Instrumentation.) The differential pressure signals are used for indication and control. The narrow range level signal from one of the sensing channels can be selected by the operator as the signal to be used for feedwater flow control. The selected narrow-range water level and wide-range water level signals are continually recorded in the control room. The narrow-range level sensing channels provide indication and failure tolerant trips of the main turbine and reactor feed pump turbines. A fourth level sensing channel (upset range) provides level indication beyond the capability of the narrow-range channels, and may be used as a control input in the event of a narrow range transmitter failure. All four reactor level signals and reactor pressure are indicated in the control room.

7.7.1.4.3.3 Steam Flow Measurement Steam flow is sensed in each main steam line by a venturi in conjunction with a differential pressure transmitter. A signal proportional to the true mass steam flow rate is linearized and indicated in the control room. The signals are summed to produce a total steam flow signal for indication and feedwater flow control. The total steam flow signal is recorded in the control room.

7.7.1.4.3.4 Feedwater Flow Measurement Two different systems are utilized to measure feedwater flow.

The first system consists of two venturi type flow elements (one in each line) each of which has two differential pressure transmitters. One transmitter from each loop provides input to the Plant Data System (PDS) and the Circulating Water Make-up Control system. The other transmitter provides input to control room indicators/recorders, PDS and the feedwater control system.

Each venturi also has two RTD temperature elements that also provide input to PDS via temperature transmitters.

7.7-34 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The second system (LEFM) consists of two strap-on transit time ultrasonic flow elements (one for each feedwater line) and an electronics panel. Each flow element has eight transducers for four different measurement paths. The electronics panel provides flow, temperature and system status signals to PDS.

7.7.1.4.3.5 Feedwater/Level Control Multi-function microprocessors and manual/automatic control stations produce the feedwater control signal. The signal can be controlled either manually or automatically.

The Master Level Control manual/auto station displays the level setpoint, the corrected level signal and the controller output.

The system may be operated in two modes, single element control mode and three element control mode. Reactor water level is used as the control input in the single element control mode. Steam flow, feedwater flow and reactor water level are used as the control inputs in the three element mode. During automatic operation of the feedwater control system, the Master Level Control station demand output is developed from the level setpoint signal and feedwater-steam mismatch signal.

Selection of automatic or manual reactor feed pump control is made at the manual/automatic transfer station (one from each reactor feed pump). Both reactor feed pump control stations incorporate a bias feature, where the control signal from the Master Level Control station can be modified by a small amount when the station is in automatic mode. During normal automatic operation, the optimum reactor vessel water level is automatically determined by the system microprocessors. During manual operation, the auto control signal from the Master Level Control station is blocked and the demand output is set by the operator at each control station. Each station displays master level control speed demand, RFPT bias, and control output for the corresponding feed pump.

The feedwater control system uses the three-element control signal to maintain reactor vessel water level within a small margin of optimum water level during plant load changes.

7.7.1.4.3.5.1 Interlocks The level control system also provides interlocks and control functions to other systems. When one of the reactor feed pumps is lost and coincident or subsequent low water level exists, provided recirculation pump speed is greater than 95 percent, 7.7-35 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) recirculation flow is reduced to within the power capabilities of the remaining reactor feed pumps. This reduction aids in avoiding a low level scram by reducing the steaming rate. Reactor recirculation flow is also reduced on sustained low feedwater flow to ensure that adequate NPSH will be provided for the recirculation system.

Alarms are also provided for (1) high- and low-water level and (2) reactor high pressure. Interlocks will trip the plant turbine and feedwater pumps in the event of reactor high water level.

7.7.1.4.3.6 Turbine-Driven Feedwater Pump Control Feedwater is delivered to the reactor vessel through turbinedriven feedwater pumps, which are arranged in parallel.

The turbines are driven by steam from the reactor vessel. During planned operation, the feedwater control signal from the master level controller is fed to the turbine speed control systems, which adjust the speed of their associated turbines so that feedwater flow is proportional to the feedwater demand signal.

Each turbine can be controlled by its manual/automatic transfer station. If the feedwater control to the turbine signal is lost, the turbine speed control system locks the turbine speed as is and initiates an alarm in the control room. The master level controller, and the manual/automatic transfer stations associated with each turbine speed controller, are the bumpless transfer types.

7.7.1.4.3.7 Startup Control During startup under low feedwater flow conditions, a signal from the startup level controller is used to modulate the startup feedwater control valve, and control reactor level, rather than controlling reactor feed pump turbine speed. The startup level controller is a single-element system which senses only reactor water level.

7.7.1.4.3.8 Testability All feedwater flow control system components can be tested and inspected according to manufacturers' recommendations. This can be done prior to plant operation and during scheduled shutdowns.

Reactor vessel water level indications from the three water level sensing systems can be compared during normal operation to detect instrument malfunctions. Steam mass flow rate and feedwater mass flow rate can be compared during constant load operation to detect 7.7-36 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) inconsistencies in their signals. The level controller can be tested while the feedwater control system is being controlled by the manual/automatic transfer stations.

7.7.1.4.4 Environmental Considerations The feedwater control system is not required for safety purposes, nor is it required to operate after the design basis accident.

This system is required to operate in the normal plant environment for power generation purposes only. The reactor feed pumps in the turbine building experience the normal design environments listed in Table 3.11-1.

7.7.1.4.5 Operational Considerations 7.7.1.4.5.1 General Information The level controller is located in the control room where, at the operator's discretion, the system can be operated either manually or automatically via the manual/automatic control selector.

Manual control of the individual feedwater reactor turbine-driven pumps is available to the operator in the control room. This includes control of any low flow feedwater bypass valve that may be used for startup when steam is not available to run the turbine-driven reactor feed pumps.

7.7.1.4.5.2 Operator Information Indicators and alarms, provided to keep the operator informed of the status of the system, are as noted in previous subsections.

7.7.1.4.5.3 Set Points The subject system has no safety set points.

7.7.1.5 Pressure Control and Turbine-Generator System -

Instrumentation and Controls 7.7.1.5.1 System Identification 7.7.1.5.1.1 General One of the features of direct cycle boiling water reactors is the direct passage of the nuclear boiler generated steam through the turbine and regenerative system. In this system the turbine is slaved to the reactor in that all steam generated by the reactor 7.7-37 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) is normally accepted by the turbine. The operation of the reactor demands that a pressure control concept be employed to maintain a constant (within the range of the controller proportional band setting) turbine inlet pressure.

The turbine pressure controller normally controls the turbine control valves to maintain constant (within the range of the controller proportional band setting) turbine inlet pressure. In addition, the pressure controller also operates the steam bypass valves such that a portion of nuclear boiler rated flow can be bypassed when operating at steam flow loads above that which can be accepted by the turbine as well as during the startup and shutdown phase.

The overall turbine-generator and pressure control system accomplishes the following:

a. Control turbine speed and turbine acceleration

b. Operate the steam bypass system to keep reactor pressure within limits, and avoid large power transients

c. Control main turbine inlet pressure within the proportional band setting of the pressure controller Additional information pertaining to the turbine is discussed in Sections 10.1, 10.2, and 10.4.

7.7.1.5.1.2 Classification The main turbine-generator control and pressure control system is classified as a primary power generation system. That is, it is not a safety system but its operation is essential to the power production cycle.

7.7.1.5.2 Power Sources Power to the turbine-generator electro-hydraulic control system controllers and local input-output modules is supplied by two sources of 24VDC power. One set of remote input-output modules are supplied by two 120VAC, uninterruptible sources. The other set of remote input-output modules are supplied by one 120VAC, uninterruptible source and one 125VDC battery backed source.

Additional information is available in subsections 8.3.2.1.4 and 8.3.1.

7.7-38 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.5.3 Equipment Design 7.7.1.5.3.1 General Control and supervisory equipment for the turbine-generator is arranged for remote operation from the control room console Turbine control Protection System (TCPS) Human Machine Interfaces (HMI). Normally, the pressure controller adjusts the main turbine control valve position to maintain operating reactor pressure. After generator synchronization, the turbine operates in the turbine-follow-reactor mode, where reactor power changes are made. Either by changing flow in the reactor recirculating system or moving control rods. The turbine speed control system will override the pressure control, and will close the turbine control valves when an increase in system frequency or a loss of generator load causes the speed of the turbine to increase. In the event that the reactor is delivering more steam than the control valves will pass, the excess steam will be bypassed directly to the main condenser by the bypass valves.

See Figure 7.7-8, for a general illustration of the turbine-generator controls and supervisory equipment.

7.7.1.5.3.2 Steam Pressure Control During normal plant operation steam pressure is controlled by the turbine control valves which are positioned in response to either the pressure control signal or the turbine speed-load signal as selected by a low value gate circuit: (see Figure 7.7-7). The change in steam production is sensed by the pressure controller which operates the turbine control valves to accept the change in steam flow, thereby maintaining the steam pressure at the control setting.

Control for the turbine stop and control valves is designed so that the valves will close upon loss of complete system power or loss of hydraulic system pressure.

7.7-39 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.5.3.3 Steam Bypass System The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements such as during startup (pressure, speed ramping, and synchronizing),

sudden load reduction, and cooldown.

The bypass capacity of the system is 30.4 percent of NSSS rated steam flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated without reactor scram.

Normally, the bypass control valves are held closed and the pressure regulator controls the turbine control valves, directing all steam flow to the turbine. If the speed control load restricts steam flow to the turbine, the regulator controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine can not accept an increase in steam flow, the system pressure will rise and the reactor protection system action will cause shutdown of the reactor.

7.7.1.5.3.3 The bypass control valves are an automatically operated, regulating type which are proportionally controlled by the turbine pressure control system. Upon loss of complete system electrical power or hydraulic pressure the bypass stop and control valves are designed to fail closed. The bypass steam flow demand is the difference between the total steam flow demand from the pressure controller and the turbine control valve steam flow demand. (See Figure 7.7-7.) An adjustable bias signal is provided to maintain the bypass control valves closed for momentary differences during normal operational transients.

7.7.1.5.3.4 Turbine Speed-Load Control Interfaces 7.7.1.5.3.4.1 Normal Operation During base-load plant operation, the turbine load reference is held above the desired load, such that the pressure regulation demand governs the turbine control valves in the turbine-follow-reactor mode.

7.7-40 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.5.3.4.2 Behavior of Turbine Outside of Normal Operation

a. Turbine startup Prior to turbine startup, sufficient reactor steam flow is generated to permit the steam bypass valves to maintain reactor pressure control while the turbine is brought up to speed and synchronized under its speed control.

b. Partial-load rejection During partial-load rejection transients, which are apparent to the reactor as a reduction in turbine load demand, the turbine-pressure control scheme allows the reduced turbine speed-load demand to override the pressure regulation demand and thereby directly regulate the turbine control valves.

c. Turbine shutdown or turbine-generator trip During turbine shutdown or turbine-generator trip conditions, the main turbine stop valves and control valves are, or will be, closed. Reactor steam flow will then be passed through the steam bypass valves under steam pressure control, and through the reactor safety/relief valves, as needed.

d. Steam bypass operation Fast opening of the steam bypass valves during turbine trips or generator load rejections requires coordinated action with the turbine control system. When the turbine control valves are under pressure control, no bypass steam flow is demanded; conversely, when the turbine speed-load demand falls below the pressure controller demand, a net bypass flow demand is computed. During a turbine-generator trip or a generator breaker opening event resulting in fast-closure of the turbine stop and control valves, the turbine speed/load control signal is immediately reduced by removal of the load demand signal, causing the bypass steam flow demand to equal the initial pressure control demand.

e. Loss of turbine control system power 7.7-41 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Turbine controls and valves are designed so that the turbine stop and control valves will close upon loss of complete system power or hydraulic pressure.

7.7.1.5.3.4.3 Turbine Generator to Reactor Protection System Interface Two conditions which initiate reactor scram are turbine stop valve closure and turbine control valve fast closure when reactor power is above a preselected percent of rated power. (See subsection 7.2.1.1.4.4.2.)

The turbine stop valve closure signal is generated before the turbine stop valves have closed more than 10 percent. This signal originates from pressure transmitters and trip units which sense hydraulic trip fluid pressure decay which is indicative of stop valve motion away from fully open. Two pressure transmitters and trip units are provided for each turbine stop valve. The pressure transmitters and trip units are electrically isolated from each other and from other turbine plant equipment.

The control valve fast closure signal is monitored by the turbine trip fluid pressure transmitters and trip units which sense trip fluid pressure decay which is indicative of fast control valve closure. These transmitters provide the RPS inputs within 30 milliseconds after the control valves start to close in a fast closure mode.

Power Range Neutron Monitoring System reactor power signals are provided for bypassing the stop valve closure and control valve fast closure inputs at low power levels.

7.7.1.5.3.4.4 Turbine-Generator to Containment and Reactor Vessel Isolation Control System Interface 7.7.1.5.3.4.4.1 Main Condenser Vacuum Switches There are four independent main condenser vacuum transmitters and trip units for the purpose of providing an isolation signal to the NSSS main steam isolation valves. Each vacuum sensor has its own isolation (root) valve. The trip units actuate on low vacuum. The trip unit setting is selected so that it is compatible with safe turbine and main condenser operating and design conditions should loss of vacuum occur. Condenser vacuum transmitters and trip units are also discussed in subsection 7.3.1.1.2.4.1.13.

7.7-42 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.5.3.5 Testability Testing controls are provided for testing the turbine valve/

reactor protection system interface in the following ways:

a. Actuate each stop valve individually from full open to full closed with no interaction with other stop valves

b. Actuate the following pairs of stop valves from full open to full closed, one valve at a time: 1 and 2; 3 and 4; 1 and 3; 2 and 4 To test Main Stop Valves 1 and 2 the following sequence is used:

1. Close main control valve No. 1

2. Close main stop valve No. 1

3. Operate stop valve test switch No. 2. (This simulates main stop valve No. 2 closure for half scram trip)

4. Open stop valve No. 1

5. Open main control valve No. 1

6. Reset half scram

7. Close main control valve No. 2

8. Close main stop valve No. 2

9. Operate stop valve test switch No. 1

10. Open stop valve No. 2

11. Open main control valve No. 2

12. Reset half scram To test main stop valves No.'s. 3 & 4, 1 & 3, or 2 & 4, reiterate the above procedure for the appropriate valves.

c. Actuate any one trip unit (turbine stop valve closure, control valve closure or condenser vacuum) at a time with a built-in calibration unit 7.7-43 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.5.4 Environmental Considerations The turbine-generator control system is required to operate in the normal plant environment for power generation purpose only.

Instruments and controls on the turbine that experience the turbine building normal design environment are listed in Table 3.11-1. The logic, remote control units, and instrument terminals located in the control room experience the environment listed in Table 3.11-1.

7.7.1.5.5 Operational Considerations 7.7.1.5.5.1 General Information Process variables which are controlled by the pressure controller, speed/load control system are displayed on the turbine-generator section of the operator's control console.

Manual and automatic controls are provided for the various turbine-generator operational modes (such as startup, normal operation, and shutdown), and are available to the operator from the operator's control console. Indications are provided to inform the operator as to the operating status of the turbine-generator unit.

The turbine generator is equipped with a digital Turbine Control and Protection System (TPCS), consisting of a set of dual redundant controllers for turbine control system (TCS) and a separate set of dual redundant controllers for the Emergency Trip System (ETS). The TCS is a highly reliable system employing three active speed sensors for normal speed control and backup overspeed trip, load, and flow control, and eight throttle pressure transmitters for throttle pressure control.

The ETS includes a separate, redundant, and diverse overspeed protection system (DOPS). DOPS utilizes three passive speed probes and three separate overspeed trip modules to trip the turbine using two-out-of-three trip logic. These systems protect the turbine-generator from destructive overspeed events.

If one pressure controller fails, an alarm will be generated and result in a bumpless transfer to the backup controller. TCPS will continue to regulate pressure and will maintain control of the bypass valves and turbine control valves. The postulated scenarios are discussed in Chapter 15, Accident Analyses.

7.7-44 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The TCS system of TCPS is organized into three major functions to minimize interactions. The speed control function compares actual turbine speed with the speed reference and the acceleration reference to control speed during turbine startup. The pressure control function uses the throttle pressure feedback signals to determine the steam flow demand, and interfaces with the load control function to determine the turbine control valve flow demand and steam bypass flow demand, such that the turbine operates in the turbine-follow-reactor mode. The load control function combines the speed regulator output with the load reference signal to interface with the pressure regulator steam flow demand. Finally, the valve flow control functions accurately position the appropriate valves to obtain the desired steam flows to the turbine. These functions are performed by TCS dual redundant controllers.

Two separate measurements of actual pressure are made in each of the four main steam lines. Pressure signals in each steam line are validated, with each validated signal inputting into a four-signal validation algorithm. The output of this validation algorithm is used as a feedback to both TCS controllers.

7.7.1.5.5.2 Operator Information Operator controls and displays include the following:

a. Main steam pressure

b. Main steam pressure control set point 7.7-44a Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Turbine stop and control valve position

d. Bypass stop and control valve position

e. Turbine stop and control valve test controls

f. Bypass stop and control valve test controls

g. Turbine load and speed controls

h. Turbine manual trip 7.7.1.6 Neutron Monitoring System - Traversing In-Core Probe (TIP) Subsystem - Instrumentation and Controls 7.7.1.6.1 System Identification 7.7.1.6.1.1 General Flux readings along the axial length of the core are obtained by fully inserting the traversing ion chamber into one of the calibration guide tubes, then taking data as the chamber is withdrawn. The data goes directly to the computer. Five traversing chambers and associated drive mechanisms are provided.

7.7.1.6.1.2 Classification This system is a power generation system, and is classified as not related to safety.

7.7.1.6.1.3 Reference Design Table 7.1-2 lists reference design information. The subject instrumentation and control system is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities. This system is functionally identical to the referenced system.

7.7.1.6.2 Power Sources The power for the subject system is supplied from the instrument ac power source.

7.7-45 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.6.3 Equipment Design 7.7.1.6.3.1 General The number of TIP machines is indicated in Table 1.3-1. The TIP machines have the following components:

a. One traversing in-core probe (TIP)

b. One drive mechanism

c. One indexing mechanism

d. Up to 10 in-core guide tubes The subsystem allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core. The guide tubes inside the reactor are divided into groups. Each group has its own associated TIP machine.

7.7.1.6.3.2 Equipment Arrangement A TIP drive mechanism uses a fission chamber attached to a flexible drive cable (Figure 7.7-10). The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contained by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. The indexing mechanism allows the use of a single detector in any one of ten different tube paths. The 10th tube is used for TIP cross calibration with the other TIP machines. The control system provides for both manual and semi-automatic operation.

Electronics of the TIP panel amplify and display the TIP signal.

Core position versus neutron flux is recorded on an X-Y recorder in the control room and is provided to the computer. A block diagram of the drive system is shown in Figure 7.7-9. Actual operating experience has shown the system to reproduce within 1.0 percent of full scale in a sequence of tests (Ref. 1).

7.7.1.6.3.3 Testability The TIP equipment is tested and calibrated using heat balance data and procedures described in the instruction manual.

7.7-46 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.6.4 Environmental Considerations The equipment and cabling located in the drywell are designed for continuous duty up to 150 F and 100 percent relative humidity.

7.7.1.6.5 Operational Considerations The TIP can be operated during reactor operation to calibrate the LPRMs. The subject system has no safety set points.

7.7.1.7 Core Performance Monitoring System - Instrumentation 7.7.1.7.1 System Identification 7.7.1.7.1.1 General The objectives of the core performance monitoring system are to provide a quick and accurate determination of core thermal performance; to improve data reduction, accounting, and logging functions; and to supplement procedural requirements for control rod manipulation during reactor startup and shutdown.

7.7.1.7.1.2 Classification This system is a power generation system and is classified as not related to safety.

7.7.1.7.1.3 Deleted 7.7.1.7.2 Power Sources The power for the core performance monitoring system is supplied from a reliable ac source.

7.7.1.7.3 Equipment Design 7.7.1.7.3.1 Circuit Description "The system consists of a desktop central processor (workstation) which performs the necessary calculations and checks, along with peripheral storage and output capabilities. User interface is provided via either keyboard or satellite personal computer terminal. The system connects to the Plant Data System (PDS) network for acquisition of the live plant data needed for determination of core conditions and calibration of the neutron instruments. In addition to screen display of output, I/O devices include printers, magnetic disc, and tape.

7.7-47 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A second, virtually identical workstation is available for redundancy. Core performance monitoring information is periodically transferred to the backup machine to maintain current data files should the primary machine fail.

A computer terminal is located in the control room for use by the operating staff to determine core conditions as necessary. Other terminals, and the workstations themselves, are located remotely for ease in hardware and software maintenance."

7.7.1.7.3.2 Testability The core performance monitoring system has self-checking provisions. It performs diagnostic checks to determine the operability of certain portions of the system hardware and performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.

7.7.1.7.4 Environmental Considerations The equipment is installed in air-conditioned rooms suitable for the proper operation of computer equipment.

7.7.1.7.5 Operational Considerations 7.7.1.7.5.1 General Information The local power density of every 6-inch segment for every fuel assembly is calculated, using plant inputs of pressure, temperature, flow, LPRM levels, control rod positions, and the calculated fuel exposure. Total core thermal power is calculated from a reactor heat balance. The core power distribution is calculated using three-dimensional neutron diffusion theory given the necessary live data inputs. This requires iteration to converge on a solution which is consistent in terms of thermal, hydraulic, and nuclear parameters. Calculated nodal powers are adjusted during the process to better approximate the power shape measured by the LPRMs. Adjustment constants are stored to improve the accuracy of projected calculations. The results are subsequently interpreted as local power at specified axial segments for each fuel bundle in the core.

7.7-48 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

"The core power distribution calculation is performed periodically and on demand. Subsequent to executing the core monitoring program, the system prepares a core performance edit for record purposes. This edit may be printed or viewed on a video screen as desired."

Flux level and position data from the traversing in-core probe (TIP) equipment are read into the system. The system evaluates the data and determines gain adjustment factors by which the LPRM amplifier gains can be altered to compensate for exposure induced sensitivity loss. The core monitoring system can also calculate LPRM gain adjustment factors for LPRM strings not scanned by the TIP system (one TIP machine out of service or up to the number of strings equivalent to one TIP machine out of service).

Using the power distribution data, a distribution of fuel exposure increments from the time of previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation. These data are available on user demand.

Exposure increments are determined periodically for each quarter-length section of each control rod. The corresponding cumulative blade fluence (snuts) totals are periodically updated and are available on user demand.

The exposure increment of each local power range monitor is determined periodically and is used to update both the cumulative ion chamber exposures and the correction factors for exposure-dependent LPRM sensitivity loss. These data are available on user demand.

The system provides on-line capability to determine monthly and on-demand isotopic composition for each fuel bundle in the core.

This evaluation consists of computing the weight of one neptunium, three uranium, and five plutonium isotopes as well as the total uranium and total plutonium content. The isotopic composition is calculated for each six-inch segment of each fuel bundle and summed accordingly by bundles and batches.

7.7-49 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.7.5.2 Operator Information "The system is capable of checking process parameter values obtained from PDS against reasonableness limits programmed by the user. Should these limits be exceeded, an alarm message is generated on the terminal screen and written to a message log.

Certain key parameters may also be designated critical to the monitoring calculation, and will automatically stop the calculation if limits are violated. Additional message logs are created for various types of system errors unrelated to core monitor operations, but important to system management.

Capability exists to substitute conservative values for invalid process parameters."

7.7.1.7.5.3 Set Points The core performance monitoring system has no safety set points.

7.7.1.8 Reactor Water Cleanup (RWCU) System -

Instrumentation and Controls 7.7.1.8.1 System Identification 7.7.1.8.1.1 General The purpose of the reactor water cleanup system instrumentation and control is to provide protection for the system equipment from over-heating and over-pressurization and to provide operator information concerning the effectiveness of operation of the system.

7.7.1.8.1.2 Classification This is a power generation system and is classified as not related to safety.

7.7.1.8.1.3 Reference Design Table 7.1-2 lists reference design information. The subject control system is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities.

This system is functionally identical to the referenced system.

7.7-50 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.8.2 Power Sources The RWCU system instrumentation and controls are fed from the plant instrumentation bus. No backup power source is necessary since the RWCU system is not a safety-related system. Adequate fuse protection is provided so that a short circuit within the system will have only a local effect which can be easily corrected without interrupting reactor operation.

7.7.1.8.3 Equipment Design 7.7.1.8.3.1 General The reactor water cleanup system is described in subsection 5.4.8. This subsection describes the systems used to protect the resin and the filter demineralizer. These circuits are shown in Figure 5.4-21 and the operating logic is shown in the RWCU FCD (see Section 1.7).

7.7.1.8.3.2 Circuit Description A strainer is installed on the outlet of each filter-demineralizer unit to prevent resins from entering the reactor recirculation system in the event of a filter-demineralizer resin support failure. Each strainer is provided with a control room alarm, which is energized by high differential pressure. A bypass line is provided around the filter-demineralizer units for bypassing the units when necessary. Figures 5.4-25 and 5.4-26 describe the filter-demineralizer instrumentation and control.

Relief valves and instrumentation are provided to protect the equipment against over-pressurization and the resins against over-heating. The system is automatically isolated for the reasons indicated when signaled by any of the following occurrences:

a. High temperature downstream of the nonregenerative heat exchanger - to protect the ion exchange resins from deterioration due to high temperature

b. Reactor vessel low water level - to protect the core in case of a possible break in the reactor water cleanup system piping and equipment (see subsection 7.3.1.1.2.4.1.1) 7.7-51 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

c. Standby liquid control system actuation - to prevent removal of the boron by the cleanup system filterdemineralizers

d. High cleanup system ambient temperature - (part of the plant leak detection system) (See subsection 7.3.1.1.2.4.1.9.)

e. High temperature increase across the system's ventilation ducts - (part of the plant leak detection system) (See subsection 7.3.1.1.2.4.1.9.)

f. High change in system inlet flow in comparison to the system outlet flow - (part of the plant leak detection system) (See subsection 7.3.1.1.2.4.1.8.)

In the event of low flow or loss of flow in the system, flow is maintained through each filter-demineralizer by its own holding pump. Sample points are provided upstream and downstream of each filter-demineralizer unit for continuous indication and recording of system conductivity. High conductivity is annunciated in the control room. The influent sample point is also used as the normal source of reactor coolant samples. Sample analysis also indicates the effectiveness of the filter-demineralizer units.

7.7.1.8.3.3 Testability Because the reactor water cleanup system is usually in service during plant operation, satisfactory performance is demonstrated without the need for any special inspection or testing beyond that specified in the manufacturer's instructions.

7.7.1.8.4 Environmental Considerations The reactor water cleanup system is not required for safety purposes, nor required to operate after the design basis accident. The reactor water cleanup system is required to operate in the normal plant environment for power generation purposes only.

RWCU instrumentation and controls located in the RWCU equipment area are subject to the environment described in Table 3.11-1.

7.7-52 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.8.5 Operational Considerations 7.7.1.8.5.1 General Information The reactor water cleanup system instrumentation and control is not required for safe operation of the plant. It provides a means of monitoring parameters of the system and protecting the system.

7.7.1.8.5.2 Operator Information Refer to the RWCU system FCD (See Section 1.7).

7.7.1.8.5.3 Set Points Safety set points associated with the subject system are discussed in Subsection 7.6.1.4.3.6.

7.7.1.9 Auxiliary Building Pressure Control 7.7.1.9.1 System Identification 7.7.1.9.1.1 General The auxiliary building pressure control system operates to maintain the fuel pool area in the auxiliary building at the required pressure and to provide the operator with sufficient indication to maintain proper operating conditions.

This system is shown in Figures 9.4-2 and 9.4-3.

7.7.1.9.1.2 Classification The auxiliary building pressure control system is not a safety system.

7.7.1.9.2 Power Sources The systems and instruments discussed in this subsection are powered from non-essential busses.

7.7.1.9.3 Equipment Design 7.7.1.9.3.1 System Description Two differential pressure transmitters, located at opposite ends of the auxiliary building fuel handling area, are used for pressure control. The transmitters measure atmospheric pressure 7.7-53 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) inside the auxiliary building versus outside atmospheric pressure. Either transmitter output may be operator selected or automatically (lower differential signal) selected as the pressure controller input signal. The signal from the pressure controller is fed to an actuator which operates a damper on the fuel handling area air supply fans suction to maintain a preselected negative pressure in the range of -0.05 to -0.25 inches W.G.

7.7.1.9.3.2 Testability Differential pressure instruments are located in the auxiliary building and are piped so that calibration and test signals may be applied during reactor operation.

7.7.1.9.4 Environmental Considerations There are no special environmental considerations for the instruments described in this subsection. The instruments are located in areas supplied by outside air which is conditioned to meet design requirements of temperature and humidity. Air flow pattern is from the instrument areas to areas of higher potential radioactivity.

7.7.1.9.5 Operational Considerations 7.7.1.9.5.1 General Information The auxiliary building pressure control system discussed in this subsection is designed to augment the information found in subsection 9.4.2, by explaining the operation of the pressure controls which regulate the auxiliary building pressure to provide an inward air flow pattern from the outside environment to the areas of higher potential radioactivity.

7.7.1.9.5.2 Operator Information The outputs of the two differential transmitters are indicated on a recorder in the control room. A low differential alarm is provided for each transmitter. A differential limit alarm is provided which indicates an excessive deviation between the signals from the differential pressure transmitters, thereby giving an on-line channel comparison which will provide the operator with indication of system trouble or equipment malfunction.

7.7-54 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.9.5.3 Set Points The auxiliary building pressure control system has no safety set points.

7.7.1.10 Gaseous Radwaste System - Instrumentation and Controls 7.7.1.10.1 System Identification 7.7.1.10.1.1 General The objective of the gaseous radwaste system is to process and control the release of gaseous radioactive wastes to the site environs so that the total radiation exposure to persons outside the controlled area is as low as practicable and does not exceed applicable regulations.

7.7.1.10.1.2 Classification This system is required for power generation only and is classified as not related to safety.

7.7.1.10.1.3 Reference Design The subject instrumentation and control system is an operational system and has no safety function. Therefore, there are no safety design differences between this system and those of the reference design facilities. This system is functionally identical to the referenced system.

7.7.1.10.2 Power Sources The 120 V ac instrument bus provides power for the gaseous radwaste system instrumentation.

7.7.1.10.3 Equipment Design 7.7.1.10.3.1 General The radiation levels at the air-ejector offgas treatment system are continuously monitored by detectors described in Section 11.5, Process and Effluent Radiological Monitoring and Sampling Systems.

7.7-55 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

A radiation monitor is also provided at the outlet of the charcoal adsorbers to continuously monitor the radioactivity from the adsorber beds. This radiation monitor is used to isolate the offgas system on high radioactivity to prevent treated gas of unacceptably high activity from entering the vent.

The radioactivity of the gas entering and leaving the offgas treatment system is continuously monitored. Thus, system performance is known to the operator at all times. Provision is made for sampling and periodic analysis of the influent and effluent gases for purposes of determining their compositions.

This information is used in calibrating the monitors and in relating the release to calculated environs dose.

The offgas system is monitored by flow, pressure, temperature, and moisture instrumentation to ensure correct operation and control, and by the hydrogen analyzers to ensure that hydrogen concentration is maintained below the flammable limit. See Figure 11.3-2, the system P&ID, for details of the instrumentation.

7.7.1.10.3.2 Catalytic Recombiner Instrumentation The catalytic recombiner vessel catalyst temperature profile is monitored by thermocouples and recorded. High or low temperatures are annunciated in the control room. The standby recombiner is temperature controlled, monitored, and recorded.

Inlet process gas is monitored for pressure and temperature and annunciated in the control room if temperatures or pressures are not normal.

7.7.1.10.3.3 Offgas Condenser Condensate Level Control The system has two condensers in parallel with only one being used at any time. Each offgas condenser's condensate level is maintained at a given level within the condenser shell. The level control system provides drainage of condensate from the condenser shell if the liquid level becomes higher than the level control set point. A control room switch provides the level control valve with manual override control if an equipment malfunction should occur in the liquid level control system. High and low level are annunciated in the control room.

7.7-56 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.10.3.4 Offgas System Flow Measurements The flow measurements are made downstream of the charcoal adsorbers and upstream of the afterfilters. Four flow instrumentation loops are provided. The flow of the A offgas loop, the flow of the B offgass loop, the narrow (normal) range total offgas flow through the main header and the wide (startup) range total offgas flow through the main header. The wide range is provided to measure the higher flows while the main condenser vacuum is being established. The reading from each of the four flow instrumentation loops is recorded in the control room and is monitored by the plant computer. Each loop has a high and a low flow annunciation. The low flow annunciation indicates air should be added to the offgas system to provide possible hydrogen concentration dilution. The high flow annunciation indicates possible catalytic recombiner failure by an increase in flow or a large turbine seal leaking excess air into the main condidenser.

Excessive flow can result in the loss of the offgas loop seals.

7.7.1.10.3.5 Offgas Combustible Gas (Hydrogen/Oxygen) Analyzer Measurement System Two parallel independent analyzers are used to measure the hydrogen and oxygen content of the offgas process stream downstream of the offgas condenser and water separator. The hydrogen concentration percentage outputs from the analyzers are indicated and recorded in the control room along with independent alarm annunciation for a high hydrogen concentration percentage in the offgas process stream. The hydrogen concentration percentage output from the analyzers is also separately output to the Hydrogen Water Chemistry control system in panel 1H22-P172.

An oxygen analyzer for verification of Hydrogen Water Chemistry system performance is provided in series with each hydrogen analyzer. The oxygen analyzer concentration percentage outputs from the analyzers are output to the Hydrogen Water Chemistry control system in panel 1H22-P172 and are not used by any other system.

Each analyzer continuously withdraws a sample of the process offgas, analyzes the hydrogen and oxygen content, and returns the sample gas to the main condenser. During normal plant operation, the main condenser vacuum provides the driving force to withdraw the sample gas from the offgas process line and through the hydrogen analyzer system. A manually operated auxiliary vacuum pump is provided in each panel to withdraw sample gas in the event 7.7-57 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) of there being insufficient vacuum in the main condenser, a status light on control room panel 1H13-P845 indicates when this pump is on. Both of these analyzers are intrinsically not ignition sources. All of the panel valves have soft seats and therefore do not present a sparking hazard. Hydrogen and oxygen percentage calibration checks are made by closing off the process sample line and admitting a calibration or purge gas.

Internal panel diagnostics monitor panel operation and provide annunciation to the control room in the event of improper operation such as low process monitoring flow (low process monitoring flow is also indicated locally with a status light on the panel) or if the panel operation/maintenance switch is not in operate. Annunciation is also provided in the control room in the event of a complete loss of power to the panels.

7.7.1.10.3.6 Moisture or Dew Point Measurement Two independent dew point detectors are placed downstream of the moisture removal system and upstream of the charcoal beds to measure the efficiency of the moisture removal or dryer system.

The dew point is indicated on a local panel, and a high or above normal dew point alarms and annunciates in the control room to notify the operator of the possibility that corrective action may have to be taken.

7.7.1.10.3.7 Charcoal Vessel and Vault Temperature and Flow Monitoring and Control Each charcoal vessel train temperature profile is monitored and recorded in the control room. High vessel temperature is alarmed and annunciated in the control room. The charcoal vessel vault is also temperature monitored and recorded in the control room along with high temperature alarm and annunciation. Two independent refrigeration units with independent temperature controls maintain the vault at a constant temperature.

Each of the two charcoal vessel trains are independently flow monitored at the outlet and indicated and recorded in the control room along with high- and low-flow alarm and annunciation. The indication allows the operator to balance the flow between the parallel trains.

7.7-58 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.10.3.8 Differential Pressure Measurements Differential pressure measurements are made across each recombiner, the pre-filter, the charcoal vessel trains, and the after-filter. These are all indicated in the control room along with high differential pressure alarms and annunciation except for the recombiners which are just indicated.

7.7.1.10.3.9 Testability Since this is a process-on-line monitoring control system with redundant instrumentation, the cross-correlation of the data provides sufficient confirmation of the systems' correct operation.

7.7.1.10.4 Environmental Considerations 7.7.1.10.4.1 General The gaseous radwaste control system is not required for safety purposes, nor required to operate after the design basis accident. The control system is required to operate in the normal plant environment for power generation purposes only.

Radwaste control and instrumentation located in the offgas equipment area are subject to environment and design conditions listed in Table 3.11-1.

7.7.1.10.4.2 Local Instrument Panels The local instrument panels are located in the operating area outside of the shield wall from the process lines. Specially designed racks are placed inside an enclosure to house all of the instruments with sensing lines connected to the offgas system process stream. The enclosures are furnished with exhaust blowers which discharge out through a duct which is routed into a radiation control portion of the building. This keeps the inside of the panels at a negative pressure with respect to the immediate area. This will exhaust any offgas leak, if it should develop, into a control area or duct. All instruments and connecting lines are purchased, installed, and tested to the maximum leak rate of 1 x 10-6 atm cc/sec requirement. Air and water purging and drainage means are provided within the racks to flush out process gas or liquid back to the process system to permit instrument or device removal for maintenance purposes.

7.7-59 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.10.4.3 Offgas Combustible Gas (Hydrogen/Oxygen) Analyzer Enclosures The offgas sample analyzers are housed in the stainless steel enclosures with a polycarbonate door which allows viewing of gages and meters without having to open the door. The analyzer is provided with nitrogen purge and drainage back to the main condenser.

7.7.1.10.4.4 Special Considerations A pressure reducing regulator valve is installed on the sample inlet of the analyzer panels. This will minimize the potential for a catastrophic panel failure if a hydrogen detonation were to occur in the process line.

7.7.1.10.4.5 Set Points An alarm will annunciate in the control room prior to the hydrogen level of the offgas pretreatment exceeding 4 percent.

A low process monitoring flow (i.e. offgas sample flow through the analyzer) of 100-150 cc/min will result in annunciation to the control room and lighting of an indicating lamp on the panel.

7.7.1.10.5 Operational Considerations 7.7.1.10.5.1 General Information No operator action is required on the equipment described unless an alarmed condition occurs.

7.7.1.10.5.2 Operator Information Operator indicators and alarms are shown in Figure 11.3-2.

7.7.1.11 Process Sampling System -

Instrumentation and Controls 7.7.1.11.1 System Identification 7.7-60 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.1.11.1.1 General The purpose of the process sampling system instrumentation and controls is to collect representative liquid and gas samples for analysis and to provide analytical information required to monitor plant and equipment performance and changes to operating parameters.

7.7.1.11.1.2 Classification This is a power generation system and is classified as not related to safety.

7.7.1.11.2 Power Sources The PSS instrumentation and controls are powered from non-essential buses.

7.7.1.11.3 Equipment Design 7.7.1.11.3.1 General The process sampling system is described in subsection 9.3.2.

7.7.1.11.3.2 Testability Since the process sampling system is usually in service during plant operation, satisfactory performance is demonstrated without the need for special inspection or testing beyond that specified in the manufacturer's instructions.

7.7.1.11.4 Operational Considerations 7.7.1.11.4.1 General Information The process sampling system is manually operated at grab sample panels located throughout the plant. The sampling panels are designed to minimize contamination and radiation at the sample station. Appropriate shielding and area radiation monitors will minimize radiation effects.

7.7.1.11.4.2 Post-Accident Sampling Station The post-accident portion of the process sampling system is designed with the following operational considerations:

7.7-61 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. The system is capable of obtaining and analyzing reactor coolant and containment atmosphere samples.

b. Facilities are provided on site to perform the analysis described in subsection 9.3.2.2.4.

c. Reactor coolant and containment atmosphere sampling during post-accident conditions does not require an isolated auxiliary system to be placed in operation in order to use the sampling system.

d. Post-accident analyses described in subsection 9.3.2.2.4 will be performed via grab sampling.

e. The post-accident sampling station is designed to provide adequate radiation protection so that it is possible for an operator to obtain and analyze a sample without radiation exposures exceeding the criteria of GDC 19.

f. The system's primary method of sampling is grab sampling.

g. Through laboratory dilutions, the radiological and chemical analysis capability of laboratory equipment includes provisions to identify and quantify the isotopes of the nuclide categories of concern to levels corresponding to the source terms given in Regulatory Guides 1.3 and 1.7.

h. Laboratory dilution allow the counting room's gamma detection system the ability to monitor reactor coolant activity over the ranges required. Liquid geometries and laboratory germanium detectors are used to meet 10-6 to 101 Ci/cc reactor coolant and containment atmosphere of 10-6 to 101 Ci/cc.

i. Deleted

j. Reactor coolant sample lines are of a diameter such that the rupture of a sample line will limit reactor coolant loss.

k. The post-accident sampling system (PASS) components required for drawing and analyzing a sample of the reactor coolant and the containment atmosphere are powered from a Class 1E motor control center (MCC). To provide isolation 7.7-62 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) between the Class 1E power supply and the non-Class 1E MCC will be shed on a LOCA signal and will require operator action to be manually reconnected. The Class 1E MCC will be shed on a LOSP signal; however, it will be automatically reconnected when the Class 1E power supply is restored.

7.7.1.11.4.3 Operator Information The most important process streams are analyzed continuously by the PSS with alarms in the water inventory control station area or control room when measured values go beyond normal limits. Analog signals are indicated on recorders and/or processed in the computer.

Classroom training will be provided on system operation and proper handling of highly radioactive samples.

For training and operability testing, a containment sample will be taken once every 18 months.

The Suppression Pool, RHR-A and RHR-B shall be sampled through the Post Accident Sample System separately in consecutive six-month intervals, rotating sampling personnel for training purposes, such that all three points are sampled on an 18-month interval.

7.7.1.12 Startup Transient Monitoring System A startup transient monitoring system will provide recordings for selected parameters during startup and warranty testing. This system will remain as a permanent plant monitoring system upon completion of the startup test program.

All permanent cables and equipment will be installed to the same standards as all other plant equipment as described in Section 8.3.1.2.3.

All temporary cabling will be associated only with instrumentation which is also temporary. No temporary connections will be made to permanent plant circuitry which is safety related.

All temporary circuitry will be installed in a manner consistent with the separation requirements of Regulatory Guide 1.75.

Isolation will be accomplished by converting signals for transmission via optical fiber cable. The optical isolation will be accomplished downstream of signal conditioning, multiplexing, 7.7-63 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) and analog-to-digital conversion in blocks of up to 32 channels.

These remote multiplexers shall be classified as associated divisional devices. Thus, within a given connected. The signal conditioning and multiplexer unit will be qualified in accordance with Regulatory Guides 1.89 and 1.100. The associated portion of the optical isolation shall be qualified in accordance with Regulatory Guides 1.75, 1.89, and 1.100.

To maintain the signal conditioning and multiplexing equipment as associated devices, the power for these devices will be supplied from divisional inverters qualified to Regulatory Guides 1.75 and 1.89. In addition, each signal input to the multiplexers will be individually conditioned and buffered from all other signals in the same multiplexer.

Refer to Figure 7.7-11 for a block diagram of the transient monitoring system.

7.7.2 Analysis The mission of this subsection is to:

a. Demonstrate by direction or referenced analysis that the subject described systems are not required for any plant safety function

b. Demonstrate by direct or referenced analysis that the plant protection systems described elsewhere are capable of coping with all failure modes of the subject control systems.

In response to item a. above, the following is cited. Upon considering the design basis, descriptions, and evaluations presented here and elsewhere throughout the document relative to the subject system, it can be concluded that these systems do not perform any safety function.

Design basis: refer to subsection 7.1.1

Description:

refer to subsection 7.7.1 The individual system analysis in this section concludes that the subject systems are not required for any plant safety action.

For consideration of item b. above, it is necessary to refer to the safety evaluations in Chapter 15 and Appendix 15A.

7.7-64 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

In that chapter, it is first shown that the subject systems are not utilized to provide any design basis accident safety function. Safety functions, where required, are provided by other qualified systems. For expected or abnormal transient incidents following the single operator error (SOE) or single component failure (SCF) criteria, protective functions are also shown to be provided by other systems. The expected or abnormal transients cited are the limiting FMEA for the subject systems.

Next, further considerations of situations beyond the SOE and SCF, specified as single active component failure (SACF), are analyzed in Chapter 15 and Appendix 15A. Although these are not design basis requirements, the ability of the plant to provide at least one single protective function, even under these stringent assumptions, is demonstrated.

7.7.2.1 Reactor Vessel - Instrumentation 7.7.2.1.1 Conformance to General Functional Requirements The reactor vessel instrumentation is designed to provide redundant or augmented information to the existing information required from the engineered safeguards and safety systems. The operator utilizes this information to start up, operate at power, shut down, and service the reactor system in an efficient manner.

None of this instrumentation is required to initiate or control any engineered safeguard or safety system.

7.7.2.1.2 Conformance to Specific Regulatory Requirements There are no specific regulatory requirements imposed on this reactor vessel instrumentation but the following general considerations are offered:

a. Conformance with GDC 13 The reactor vessel information provides the operator with information on the reactor vessel operating variables during normal plant operation and anticipated operational occurrences so that the need to use the safety systems, although ready and able to respond, is minimized. This instrumentation does not serve in any direct controlling functions. Controls that maintain the reactor vessel operating variables within prescribed operating ranges are performed by the:

7.7-65 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

1. Feedwater system

2. Recirculation flow control system

3. Rod control and information system

b. Conformance with GDC 24 This instrumentation is not part of or related to any safety system. The circuitry of the safety systems is completely independent of this instrumentation such that failures of this instrumentation will not cause or prevent any action to be initiated by the safety systems.

c. Conformance to IEEE Std 279, Section 4.7 for Control and Protection System Interaction This instrumentation is separate from and independent of the safety systems circuitry. There is no direct circuit-to-circuit or functional interactions between this instrumentation and the safety systems. No single random or multiple failures in this instrumentation can prevent the safety systems from meeting the minimum performance requirements specified in the design basis of that system.

7.7.2.2 Rod Control and Information System - Instrumentation and Controls 7.7.2.2.1 Conformance to General Functional Requirements The circuitry described for the rod control and information system is completely independent of the circuitry controlling the scram valves. This separation of the scram and normal rod control functions prevents failures in the rod control and information circuitry from affecting the scram circuitry. The scram circuitry is discussed in Section 7.2. Because each control rod is controlled as an individual unit, a failure that results in energizing of any of the insert or withdraw solenoid valves can affect only one control rod. The effectiveness of a reactor scram is not impaired by the malfunctioning of any one control rod. It can be concluded that no single failure in the rod control and information system can result in the prevention of a reactor scram, and that repair, adjustment, or maintenance of the rod control and information system components does not affect the scram circuitry.

7.7-66 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

The rod withdrawal block functions prevent an operator from carrying out actions which, if unchecked, might result in a protective system action (scram). A fixed margin separates the rod withdrawal block set points and the scram set points in IRM and APRM. There are no safety considerations.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system. The expected and abnormal transients and accident events analyzed envelope the NSOA associated with this system's components. These include:

a. Control rod withdrawal errors

b. Control rod drop accident To be very specific, the following is cited:

a. The RC&IS is not required for plant safety functions. The system has no function associated with any design basis accident.

b. This system is not used for plant shutdown resulting from an accident or nonstandard operational conditions.

c. The function of the RC&IS is to control core reactivity and thus power level. Interlocks from many different sources are incorporated to prevent the spurious operation of drives or undesirable rod patterns throughout all ranges of operation.

d. This system contains no components, circuits, or instruments required for reactor trip or scram. There are no operator manual controls which can prevent scram.

e. The consequence of improper operator action or the failure of rod block interlocks results in a reactor scram.

7.7.2.2.2 Conformance to Specific Regulatory Requirements No specific regulatory requirements apply. The circuits are designed to be normally energized (fail-safe on loss of power) and single-failure tolerant. The equipment is designed to prevent the rod block trip circuitry from affecting the protection system trips in the IRM and APRM channels through use of separate trip 7.7-67 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) circuits and relays. IEEE Standards do not apply because rod block trips are not required for any postulated design basis accident or for safe shutdown.

There are no specific requirements imposed on this system, but the following general considerations are offered:

a. General Design Criterion 24 No part of the RC&IS is required for scram. The rod block functions provided by the NMS are the only instances where the RC&IS uses any instruments or devices related to RPS functions. The rod block signals received from the NMS prevent improper rod motion before limits causing reactor scram are reached. Common APRM, IRM, and SRM detectors are used, but electrically separate trip units provide signals for the RC&IS and RPS. See subsections 7.6.1.5 and 7.6.2.5 for a description of this interface. In addition to separate trip units for the RPS and RC&IS, the inputs to the RC&IS are isolated from the logic via optical isolators. Single failure of a control component therefore will not degrade the protection system.

b. General Design Criterion 26 The RC&IS, which controls the CRD system, is one of the two, independent reactivity control systems required by this criterion.

7.7.2.3 Recirculation Flow Control System - Instrumentation and Controls 7.7.2.3.1 Conformance to General Functional Requirements The controls and interlocks are not required nor designed to comply with the single-failure criterion. However, a degree of redundancy is provided for the more important operational and equipment protective functions. System single failures or single operator errors are evaluated in the transient analysis in Chapter 15, Accident Analysis. It is shown that no malfunction in the recirculation flow control system or LFMG system can cause a transient sufficient to damage the fuel barrier or exceed the nuclear system pressure limits, as required by the safety design basis.

7.7-68 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Each APRM instrument interfaces with the PRNM Communication Interface (PCI) instruments via high-speed fiber-optic communication links to provide electrical isolation between the channels.

Recirculation control system failures (e.g., transistors, resistors, etc.) causing upscale signal failure will initiate the master controller, flux controller, or flow controller, and high signal alarms; the reactor being protected by high-pressure or high-flux scram. Such faults have been analyzed in Chapter 15 and include both FCVs opening simultaneously.

Recirculation system flow control failures causing downscale signal failures may cause one or both recirculation flow control valves to close simultaneously. Valve velocity is limited to not more than 10 percent per second. Closure of both valves might result from failure of the master controller, automatic range limiter, flux controller, or upscale failure of APRM isolation amplifier and filter unit.

Control component failures, such as the flow controller set point station, error limiter, flow controller, function generator, and recirculation flow limiters, result in a single flow control valve closure of 10 percent per second. The function generator limits the load demand error signals from the turbine pressure controller to a normal maximum of +/-7.5 percent.

The drive flow limiter (high) limits the output to 110 percent (nominal) rated flux to prevent demand from exceeding a high-flux trip set point in normal operation. The drive flow limiter (low) prevents the automatic system from reducing power below approximately 75 percent power, the minimum limit of the full rod pattern power/flow control range.

The recirculation pump valves are treated as conventional remote motor-operated valves. From a circuit viewpoint, each recirculation pump valve is independent of the other, and has its own benchboard mounted control switch for manual operation. Each valve has open/close travel limit switches and remote benchboard pilot lamp indication. (See Figure 7.5-1.)

Chapter 15 and Appendix A of Chapter 15 examine the various failure mode considerations for this system. The expected and abnormal transients and accident events analyzed envelope the NSOA associated with this system's components. These include:

7.7-69 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

a. Recirculation flow controller failures

b. Recirculation pump seizure and pump shaft failures 7.7.2.3.2 Conformance to Specific Regulatory Requirements There are no specific regulatory requirements imposed on this system, but the following observations are offered:

There are no connections to safety-related systems except for the APRM signal to the flux controller interface. The criteria for the interface design are taken from the IEEE Std. 279-1971; the particular sections that have been considered are listed below, together with discussions on compliance with the criteria.

a. Compliance with IEEE Std. 279-1971 Requirement 4.7a Classified as RPS equipment 4.7b Isolation amplifiers used as part of RPS equipment 4.7c Single-random-failure tolerance satisfied by maximum rate limited 10 percent per second control system response.

Remaining flux channels, and backup reactor pressure channels 4.7d Multiple-failure tolerance satisfied by rate limited control system response and backup pressure channels

b. General Design Criterion 24 The protection system interfaces with the recirculation flow control system in two places. The first is the sensing of recirculation flow for the purpose of varying the APRM trip set point. There is no control system function for these sensors and, therefore, no actual control/protection system interface. Secondly, the recirculation pump trip (RPT) system uses the recirculation pump motor breakers as its actuators. The RPT uses separated Class IE trip coils on the breakers to assure that no single failure in the recirculation system 7.7-70 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) prevents the RPT safety function.

With double isolation provided as discussed above, the interface of this system with the neutron monitoring system assures that no single failure will impair safety system performance.

c. General Design Criterion 26 As the second reactivity control system, the recirculation system is capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes to assure that acceptable fuel design limits are not exceeded.

7.7.2.4 Feedwater Control System -Instrumentation and Controls 7.7.2.4.1 Conformance to General Functional Requirements The feedwater control system is a power generation system for purposes of maintaining proper vessel water level. Interlocks are provided to lock the flow changing capabilities in the as-is condition in the event of control signal failure. Should the vessel level rise too high, the feedwater pumps and main turbine would be tripped. This is an equipment protective action which would result in reactor shutdown by the RPS system as outlined in Section 7.2. Lowering of the vessel level would also result in action of the RPS to shutdown the reactor.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system relative to plant safety and operational effects. The expected and abnormal transients and accident events analyzed in the appendix envelope the NSOA associated with this system's components. These include:

a. Loss of all feedwater flow (pumps)

b. Loss of feedwater heater

c. Malfunction of feedwater controller

d. Failure of feedwater line 7.7-71 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.2.4.2 Conformance to Specific Regulatory Requirements The feedwater system is not a safety-related system and is not required for safe shutdown of the plant, nor is it required during or after accident conditions.

There are no interconnections with safety-related systems and no specific regulatory requirements are imposed on the system.

7.7.2.5 Pressure Control and Turbine-Generator System -

Instrumentation and Controls 7.7.2.5.1 Conformance to General Functional Requirements Turbine speed and acceleration control is provided by the initial pressure regulator which controls steam throttle valve position to maintain constant reactor pressure. The turbine speed governor overrides the pressure controller on increase of system frequency or loss of generator load. Excess steam is automatically bypassed directly to the main condenser by the pressure controlled bypass valves. Detailed description of conformance to these design bases is contained in subsection 7.7.1.5.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system relative to plant safety and operational effects. The expected and abnormal transient and accident events analyzed in this appendix envelope the NSOA associated with this system's components. These include:

a. Failure of pressure control

b. Turbine/generator trips

c. Main condenser failures

d. Breaks outside containment 7.7-72 Revision 2018-076

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.2.5.2 Conformance to Specific Regulatory Requirements No specific regulatory requirements are imposed on the subject system.

The turbine-generator control system is not a safety-related system. Protection systems which are provided as an integral part of the turbine-generator equipment override the turbine-generator control system. In the event of a turbine-generator trip due to a protective action, the control valve fast-closure and the stop valve closure inputs to the RPS initiate reactor scram. (See subsections 7.2.1.1.4.2.d and 7.2.1.1.4.2.e.)

A pressure control malfunction which leads to low turbine inlet pressure is detected by pressure transmitters and trip units provided in the main steam isolation system which in turn initiates closure of the main steam line isolation valves. (See subsection 7.3.1.1.2.) Similarly, high turbine inlet pressure leads to detection of high reactor pressure by the RPS which initiates reactor scram. (See subsection 7.2.1.1.4.b.)

Control malfunction (e.g., pressure controller malfunction -

upscale) which results in high flow through the turbine control valves and the bypass valves is detected by main steam flow transmitter and trip units of the containment and reactor vessel isolation control system which initiate closure of the main steam level isolation valves (see subsection 7.3.1.1.2) and a subsequent reactor scram. (See subsection 7.2.1.1.4.f.)

Interfaces between the subject non-safety systems and their components with safety-related systems (RPS, containment and reactor vessel isolation control system, etc) are designed in such a manner that failure of the non-safety components will not negate the necessary safety system functions.

7.7.2.6 Neutron Monitoring System Traversing In-Core Probe Subsystem (TIP) - Instrumentation and Controls 7.7.2.6.1 Conformance to General Functional Requirements An adequate number of TIP machines is supplied to assure that each LPRM assembly can be probed by a TIP and that one LPRM assembly (the central one) can be probed by every TIP to allow intercalibration. Typical TIPs have been tested to prove linearity. (Ref. 1) The system has been field-tested in an operating reactor to assure reproducibility for repetitive 7.7-73 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) measurements. The mechanical equipment has undergone life testing under simulated operating conditions to assure that all specifications can be met. The system design allows semi-automatic operation for LPRM calibration and core performance monitoring system use. The TIP machines can be operated manually to allow pointwise flux mapping.

7.7.2.6.2 Conformance to Specific Regulatory Requirements There are no specific regulatory requirements for the TIP subsystem.

7.7.2.7 Core Performance Monitoring System - Instrumentation 7.7.2.7.1 Conformance to General Functional Requirements The core performance monitoring system is designed to provide the operator with certain categories of information as defined in the equipment description (subsection 7.7.1.7) and to supplement procedural requirements for control rod manipulation during reactor startup and shut down. The system augments existing information from other systems such that the operator can start up, operate at power, and shut down in an efficient manner. This system is not required to initiate or control any engineered safeguard or safety-related system.

7.7.2.7.2 Conformance to Specific Regulatory Requirements The core performance monitoring system has no specific regulatory requirements.

7.7.2.8 Reactor Water Cleanup System - Instrumentation and Controls 7.7.2.8.1 Conformance to General Functional Requirements The RWCU is not a safety-related system. Therefore, the instrumentation supplied is for the plant equipment protection and for operator information only.

The cleanup system is protected against over-pressurization by relief valves. The ion exchange resin is protected from high temperature by temperature switches upstream of the filter demineralizer unit. One switch activates an alarm while a second switch closes the isolation valve which subsequently trips the cleanup pumps. The isolation valves will also close automatically 7.7-74 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) on a reactor low water level signal and when the standby liquid control system is actuated. The pumps will also trip on high cooling water temperature or low discharge flow.

A high differential pressure across the filter-demineralizer or its discharge strainer will automatically close the units outlet valve after sounding an alarm. The holding pump starts whenever there is low flow through a filter-demineralizer. The precoat pump will not start or stop when the level in the precoat tank is low.

Sampling stations are provided to obtain reactor water samples from the entrance and exit of both filter-demineralizers.

The system control and instrumentation for flow, pressure, temperature, and conductivity are recorded or indicated on a panel in the control room. Instrumentation and control for backwashing and precoating the filter-demineralizers are on a local panel outside the drywell. Alarms are sounded in the control room to alert the operator to abnormal conditions.

7.7.2.8.2 Conformance to Specific Regulatory Requirements The subject system has no specific regulatory requirements imposed on it but the following observation is included:

a. Regulatory Guide 1.56 The reactor water cleanup (RWCU) system provides the recorded conductivity measurements and alarms of influents and effluents of the demineralizers and records of the flow rate through each demineralizer as recommended in the guide. (See also Appendix 3A).

7.7.2.9 Auxiliary Building Pressure Control The auxiliary building pressure control system is part of the normal auxiliary building fuel handling area ventilation system discussed in subsection 9.4.2. This system operates to maintain a negative pressure in the auxiliary building and an air flow pattern from areas of lower potential radioactivity to areas of higher radioactivity. This system is independent of the isolation functions required for the standby gas treatment system. Since no credit is taken in the accident analysis for the auxiliary building being at a negative pressure when the SGTS starts, the failure of the auxiliary building pressure control will have no 7.7-75 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) effect on safety. Failure of the auxiliary building pressure control system will not prevent operation of any safety-related system or prevent safe reactor shutdown.

7.7.2.10 Gaseous Radwaste System - Instrumentation and Controls 7.7.2.10.1 Conformance to General Functional Requirements This system is not designed or required to be considered as a safety-related system.

The following section contains historical information:

[The dose rate at and beyond the site boundary due to the gaseous effluents is calculated based on offgas flow measurements in conjunction with measured offgas activity. The loop uncertainty of the narrow (normal) range flow computer point indication is approximately 5 percent of reading at 30 SCFM, the lowest expected flow. The loop uncertainty of the sum of the A & B loop flow computer points is 4% at 30 SCFM. The loop uncertainty of the wide range (startup) range flow computer point is 15% at 30 SCFM.]

All instrumentation with connections to the offgas process lines are purchased and installed to not exceed a maximum leak rate of 1 x 10-6 atm cc/sec to limit any release of radioactive gases other than through the controlled process system release point after treatment.

The offgas system is rated as a quality group D system. Refer to GE Licensing Topical Report NEDO-10734 for details.

The offgas system provides locations in the process line to allow grab samples or process gas for delay daughter particulate count.

In the event that the discharge exceeds a prescribed safety limit, an isolation signal from the process radiation monitoring equipment will close the valve to the discharge vent.

Chapter 15 and Appendix 15A examine the various failure mode considerations for this system. The expected and abnormal accident events analyzed envelope the NSOA associated with this system's components. These include:

a. Failure of carbon bed

b. Failure of delay piping 7.7-76 LBDCR 2018-060

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7.2.10.2 Conformance to Specific Regulatory Requirements There are no specific regulatory requirements imposed on this system but the following is noted:

a. Regulatory Guide 1.21 The offgas flow measurements provide the methods of measuring the effluent that are required to be reported.

(See also Appendix 3A.)

7.7.2.11 Process Sampling System - Instrumentation and Controls 7.7.2.11.1 Conformance to General Functional Requirements The process sampling system is not a safety-related system.

Therefore, the instrumentation supplied is for the plant equipment protection and for operator information only. None of this instrumentation is required to initiate or control any engineered safeguards or safety systems.

7.7.2.11.2 Conformance to Specific Regulatory Requirements Conformance with Regulatory Guide 1.97 is as described in Appendix 3A (see also Reference 2).

7.7.3 References

1. Morgan, W. R., "In Core Neutron Monitoring System for General Electric Boiling Water Reactors," APED-5706, November 1968 (Rev. April 1969).

2. Letter from L. F. Dale, MP&L (SERI), to H. R. Denton NRC) dated February 28, 1985 (AECM-85/0059).

3. GNRI-209/00030, Grand Gulf Nuclear Station, Unit 1 -

Issuance of Amendment to Modify the Updated Safety Analysis Report to Replace First Stage Pressure Signals with Power Range Neutron Monitoring System Signals (EPID L-2018-LLA-0072), March 12, 2019. [Amendment No. 217]

7.7-77 LBDCR 2019-021

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.7-1 CRD HYDRAULIC SYSTEM INDICATORS MEASURED VARIABLE CONTROL ROOM INDICATORS Total system flow Flow Indicator Drive water pump suction Annunciator pressure Drive water filter Annunciator differential pressure Cooling water header pressure Pressure indicator Charging water header pressure Annunciator Drive water flow rate Flow indicator Cooling water header Flow indicator Control rod drive temp Annunciator Control rod position Rod status display (normal range)

MEASURED VARIABLE Scram Discharge volume Annunciator not drained 7.7-78 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

TABLE 7.7-2: DELETED 7.7-79 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-80 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-81 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-82 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-83 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR)

Figure 7.7-5 Deleted 7.7-84 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-85 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-86 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-87 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-88 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-89 Revision 2016-00

GRAND GULF NUCLEAR GENERATING STATION Updated Final Safety Analysis Report (UFSAR) 7.7-90 Revision 2016-00