ML22292A104

From kanterella
Jump to navigation Jump to search
5 to Updated Final Safety Analysis Report, Chapter 7, Sections 7.4 Thru 7.7
ML22292A104
Person / Time
Site: Nine Mile Point Constellation icon.png
Issue date: 10/05/2022
From:
Constellation Energy Generation
To:
Office of Nuclear Reactor Regulation
Shared Package
ML22292A107 List: ... further results
References
NMP2L2821
Download: ML22292A104 (139)
v  d  e


Text

NMP Unit 2 USAR 7.4 SYSTEMS REQUIRED FOR SAFE SHUTDOWN 7.4.1 Description This section discusses the instrumentation and controls of the following systems which can be used for safe plant shutdown:

1. RCIC system.
2. SLCS system.
3. RHR RSCM.
4. RSS system.

The sources that supply power to the safe shutdown systems originate from onsite ac/dc safety-related buses. Refer to Chapter 8 for a complete discussion of the safety-related power sources.

7.4.1.1 Reactor Core Isolation Cooling System System Function The RCIC system is designed to assure that sufficient reactor water inventory is maintained in the reactor vessel thus assuring continuity of core cooling. Reactor vessel water is maintained or supplemented by the RCIC system during the following conditions:

1. When the reactor vessel is isolated and maintained in the hot standby condition.
2. When the reactor vessel is isolated and accompanied by a loss of normal coolant flow from the reactor feedwater system.
3. When a complete plant shutdown under conditions of loss of normal feedwater system is started before the reactor is depressurized to a level where the RSCM of the RHR system can be placed into operation.

System Operation Schematic arrangements of system mechanical equipment and instrumentation and a description of system design and operation are provided in Section 5.4.6. The instrumentation specifications are listed in Table 7.4-1. The control logic is shown on Figure 7.4-1.

Initiating Circuits Reactor vessel low water level is monitored by four level transmitters.

The RCIC system is automatically initiated by low water level utilizing a one-out-of-two twice logic. When the amount of water delivered to the reactor vessel is adequate to restore Chapter 07 7.4-1 Rev. 25, October 2022

NMP Unit 2 USAR vessel level, the RCIC system automatically shuts down. The controls are arranged to allow remote-manual startup, operation, and shutdown. The RCIC logic is further described in Section 1.10 Task II.K.3.13, Task II.K.3.15, and Task II.K.3.22.

Redundancy and Diversity The RCIC system is redundant to the HPCS for the safe shutdown function. The RCIC instrument channels are redundant for operation availability purposes.

System level diversity exists between the RCIC and HPCS for plant conditions identified in Chapter 15.

Actuated Devices All automatic valves in the RCIC system have remote manual capability so that the entire system can be operated and tested from the main control room. The system is capable of initiation independent of ac power provided that the steam supply valves are open.

Separation As in the ECCS, the RCIC system is separated into divisions designated I and II. The RCIC is a Division I system, but the inside steam line isolation valve, steam line warmup line isolation valve, inside vacuum breaker isolation valve, and inside turbine exhaust drain isolation valve are Division II; therefore, part of the RCIC logic is Division II. The inside and outside steam supply line isolation valves and steam line warmup line isolation valve are ac-powered valves. The rest of the valves are dc powered. In order to maintain the required separation, RCIC logic relays, instruments, and manual controls are mounted so that separation from Division II is maintained.

All power and signal cables and cable trays are clearly identified by division and safety classification.

Auxiliary systems that support the RCIC system are the gland seal system (which prevents turbine steam leakage) and the lube oil cooling water system. A RCIC initiation signal activates the gland seal compressor and opens the cooling water supply valve, thereby initiating the gland seal and lube oil cooling functions. These systems remain on until manually turned off.

Testability A functional test of the RCIC system at design flow rate may be performed during normal plant operation by drawing suction from the CST and discharging through a full flow test return line to the CST. The discharge valve to the head cooling spray nozzle remains closed during the test, and reactor operation remains undisturbed. All components of the RCIC system are capable of individual functional testing during normal plant operation, except valves 2ICS*V156 and 2ICS*V157, which are tested during reactor shutdown. The control system provides automatic return from test to operating mode if system initiation is required.

There are two exceptions.

Chapter 07 7.4-2 Rev. 25, October 2022

NMP Unit 2 USAR

1. The flow controller in the auto/manual mode. This feature is required for operation flexibility during system operation.
2. Steam inside/outside isolation valves. Closure of either or both of these valves requires Operator action to properly sequence their opening.

Environmental Conditions The only RCIC control components located inside the drywell that must remain functional in the environment resulting from a LOCA are the control mechanisms for the inside isolation valve and the steam line warmup line isolation valve. The environmental capabilities of these devices are discussed in Chapter 3.

7.4.1.2 Standby Liquid Control System The SLCS is an independent backup system for the CRD system.

The SLCS is capable of shutting down the reactor from a full-power condition and maintaining it subcritical until the cold shutdown condition is achieved without control rod movement.

The SLCS is not required to operate in this mode when the reactor has been shut down by the CRD system. In the event of an anticipated transient without scram (ATWS), injection of the sodium pentaborate solution can be initiated manually by the Operator.

The SLCS also provides suppression pool buffering following a LOCA accompanied by significant fuel damage, preventing re-evolution of iodine from the suppression pool by maintaining the pool pH above 7.0, in support of the alternative source term (AST) methodology.

System Function The instrumentation and controls for the SLCS are designed to initiate and continue injection of a liquid neutron absorber into the reactor. This equipment also provides the necessary controls to maintain this liquid chemical solution well above saturation temperature in readiness for injection.

System Operation Schematic arrangements of system mechanical equipment and instrumentation and a description of system design and operation are provided in Section 9.3.5. The control logic is shown on Figure 7.4-2.

Initiating Circuits The SLCS is initiated manually from the main control room by turning a keylocked switch for System A to the pump A RUN position or a different keylocked switch for System B to the pump B RUN position. The key is removable in the NORMAL position. The SLCS is initiated automatically by signals from the RRCS system.

Logic and Sequencing When one division of the SLCS is manually initiated, one explosive injection valve fires and the tank discharge valve starts to open immediately. Automatic Chapter 07 7.4-3 Rev. 25, October 2022

NMP Unit 2 USAR initiation by RRCS fires both explosive injection valves and both tank discharge valves start to open immediately. Pumps that have been selected for injection will not start until the associated tank discharge valve is full open.

Bypasses and Interlocks Pumps are interlocked so that the storage tank discharge valve must be open, or the SLS system test switch must be in the test position, for the pump to run.

When the SLCS is initiated to inject the neutron absorber into the reactor, the outside isolation valve of the RWCU system is automatically closed from the Division I logic and the inside valve from Division II logic.

Redundancy and Diversity Under special shutdown conditions, the SLCS is functionally redundant to the CRD system in achieving and maintaining the reactor subcritical. The active components and instrument channels are redundant for serviceability.

Separation The SLCS is separated both physically and electrically from the CRD system. Additionally, the redundant components of the SLCS are physically and electrically separated. The injection portions of the SLCS have been designed electrically as a Class 1E redundant system. The reactivity control function of the SLCS is not designed to safety system single failure criteria due to adequate control rod redundancy.

For the suppression pool pH control function, the SLCS design relative to single failures was reviewed and determined to be acceptable by the NRC with the issuance of License Amendment 125. Therefore, the SLCS with one tank, one injection point, and nonredundant and non-Class 1E heaters is adequately designed.

The controls and instrumentation required to perform the injection function are redundant, and the logic circuitry and instrumentation are separated into Channels A and B so that failure of any single electrical component will not prevent injection. The SLCS pumps, squib valves, and injection logic circuitry, including the initiation switches, are redundant Class 1E and electrically and physically separated (Section 8.3).

Environmental Conditions The environmental capabilities of these devices are discussed in Chapter 3.

7.4.1.3 RHR/Reactor Shutdown Cooling Mode System Function The RSCM (Section 5.4.7.1) is used during a normal reactor shutdown or for long-term cooling after vessel water level has been restored following accident conditions.

The RSCM consists of equipment designed to provide decay heat removal capability for the core by accomplishing the following:

1. Reactor cooling during shutdown operation after the vessel pressure is reduced to approximately 135 psig.

Chapter 07 7.4-4 Rev. 25, October 2022

NMP Unit 2 USAR

2. Cooling the reactor water to a temperature at which reactor refueling and servicing can be accomplished.
3. Diverting part of the shutdown flow to the reactor vessel head to condense the steam generated from the hot walls of the vessel while it is being flooded.

System Operation Schematic arrangements of system mechanical equipment and instrumentation and a description of system design and operation are provided in Section 5.4.7. The instrumentation specifications are listed in Table 7.3-7. The control logic is shown on Figure 7.3-6.

7.4.1.4 Remote Shutdown System System Function The RSS is designed to achieve a hot and then a cold reactor shutdown from outside the main control room following these postulated conditions:

1. The plant is at normal operating conditions and all plant personnel have been evacuated from the main control room and it is inaccessible.
2. The initial event that causes the main control room to become inaccessible is assumed to be such that the RO can manually scram the reactor before leaving the main control room. Though the capability exists to manually scram from outside the control room, plant procedures realistically call for scramming before exiting the control room.
3. Under normal conditions, the main turbine pressure regulators control reactor pressure by way of the bypass valves. However, in the interest of demonstrating that the plant can accommodate even loss of the turbine controls, it is assumed that this turbine generator control panel function is also lost.

Therefore, main steam line isolation is assumed to occur at a specified low turbine inlet pressure and reactor pressure is relieved through the relief valves to the suppression pool.

4. The reactor feedwater system that is normally available is also assumed to be inoperable. Reactor vessel water inventory is provided by the RCIC system.

If RCIC is not available, the "pseudo" LPCI mode of the RHR system operation can be used.

5. Division I or II emergency dc power is assumed to be available.

The RSS is required only when the main control room is inaccessible when normal plant operating conditions (or fires in Chapter 07 7.4-5 Rev. 25, October 2022

NMP Unit 2 USAR the control room or relay room) exist, i.e., no transients or accidents are occurring.

System Operation The RSS instrument location drawings and elementary diagrams are identified in Section 1.7. Some of the existing systems used for normal reactor shutdown operation are also utilized in the remote shutdown capability to shut down the reactor from outside the main control room. The remote shutdown capability is designed to control the required shutdown systems from outside the main control room irrespective of shorts, opens, or grounds in the control circuit in the main control room that may have resulted from an event causing an evacuation.

Functions needed for remote shutdown control are provided with manual keylock transfer switches that override controls from the main control room and transfer controls to the remote shutdown control. Remote shutdown control is not possible without actuation of the transfer devices. All necessary power supplies and control logic are also transferred. Operation of the transfer devices causes an alarm in the main control room.

Access to the remote shutdown panel (RSP) is administratively and procedurally controlled. All system equipment (i.e.,

controls for valves and pumps) necessary for proper system lineup and complete system control are located on the RSP.

The ECCS low-pressure interlocks remain operable during and after transfer switch operation from the remote shutdown room.

After the scram and subsequent control room evacuation, if RCIC controls are available at the RSP, RCIC will be used to maintain reactor water level. SRVs will be used to depressurize the RPV if required. If RCIC controls are unavailable, the "pseudo" LPCI mode of the RHR system will be used to maintain reactor water level. Prior to initiation of the "pseudo" LPCI mode of the RHR system operation, the RPV will be depressurized manually to a level where the "pseudo" LPCI mode of the RHR system can be used. The suppression pool will be cooled by the suppression pool cooling mode of the RHR system. The shutdown cooling mode of the RHR system will be used to cool the reactor and bring the reactor to cold shutdown.

Power supplies to the RHR shutdown cooling mode supply valves 2RHS*MOV112 and 2RHS*MOV113, and shutdown cooling mode (Loop B) associated warm-up and flushing valves 2RHS*MOV142 and 2RHS*MOV149 will be disconnected. These valves will be de-energized in the closed position during the normal plant operations and will be administratively controlled.

The following RSS control switches and push buttons are provided on the remote shutdown control panel:

1. Shutdown cooling mode MOV isolation reset push buttons (Divisions I and II).

Chapter 07 7.4-6 Rev. 25, October 2022

NMP Unit 2 USAR

2. Remote shutdown room air conditioning control switches (Divisions I and II).
3. Manual RCIC turbine trip push button (Division I).
4. RCIC manual isolation signal push button (Division I).
5. RCIC isolation signal seal-in and reset control switches (Divisions I and II).
6. RCIC initiation signal seal-in and reset push button (Division I).
7. RCIC manual initiation signal push button (Division I).

The following RSS transfer switches are provided on the remote shutdown control panel:

1. RHR pump suction MOV transfer switches (Divisions I and II).
2. RHR heat exchanger shell side outlet MOV transfer switch (Division II).
3. RHR heat exchanger shell side inlet MOV transfer switch (Division I).
4. RHR shutdown cooling injection MOV transfer switches (Divisions I and II).
5. RHR pumps transfer switches (Divisions I and II).
6. ADS/SRV transfer switches (Divisions I and II).
7. RCIC turbine speed and flow control transfer switch (Division I).
8. RCIC steam supply line inboard isolation MOV transfer switch (Division II).
9. RCIC pump suction from suppression pool MOV transfer switch (Division I).
10. RCIC test return to CST MOV transfer switch (Division I).
11. RCIC steam to turbine MOV transfer switch (Division I).
12. Service water pumps Division I transfer switches.
13. Service water pumps Division II transfer switches.

Chapter 07 7.4-7 Rev. 25, October 2022

NMP Unit 2 USAR The following RCIC system control switches are located on the remote shutdown control panel:

1. RCIC steam supply line outside isolation valve 2ICS*MOV121 (E51-F064) (Division I).
2. RCIC steam supply line inside isolation valve 2ICS*MOV128 (E51-F063) (Division II).
3. RCIC steam line warmup line inside isolation valve 2ICS*MOV170 (E51-F076) (Division II).
4. RCIC turbine trip and throttling valve 2ICS*MOV150 (E51-C002) (Division I).
5. RCIC injection shutoff valve 2ICS*MOV126 (E51-F013)

(Division I).

6. RCIC steam to turbine valve 2ICS*MOV120 (E51-F045)

(Division I).

7. RCIC turbine exhaust to suppression pool valve 2ICS*MOV122 (E51-F068) (Division I).
8. RCIC pump suction from suppression pool valve 2ICS*MOV136 (E51-F031) (Division I).
9. RCIC vacuum breaker isolation outboard MOV (2ICS*MOV164) (Division I).
10. RCIC vacuum breaker isolation inboard MOV (2ICS*MOV148) (Division II).

The following instrumentation is provided on the remote shutdown control panel:

1. RCIC turbine speed indicator (Division I).
2. RCIC pump discharge flow indicating controller (Division I).
3. CST 1A level indicator (Division I).
4. CST 1B level indicator (Division II).

The following RCIC system indicating lights are provided on the remote shutdown control panel:

1. RCIC governor valve supervisory (Division I).
2. RCIC trip and throttle valve supervisory (Division I).

The following RHR system control switches are located on the remote shutdown control panel:

Chapter 07 7.4-8 Rev. 25, October 2022

NMP Unit 2 USAR

1. RHR shutdown cooling isolation valve 2RHS*MOV112 (E12-F009) (Division II) inside.
2. RHR shutdown cooling isolation valve 2RHS*MOV113 (E12-F008) (Division I) outside.
3. RHR suction shutdown cooling valve 2RHS*MOV2A (E12-F006A) (Division I).
4. RHR pump suction valve 2RHS*MOV1A (E12-F004A)

(Division I).

5. RHR pump 2RHS*P1A (E12-C002A) (Division I).
6. RHR heat exchanger shell side inlet valve 2RHS*MOV9A (E12-F047A) (Division I).
7. RHR heat exchanger tube side inlet valve 2SWP*MOV90A (Division I).
8. RHR heat exchanger shell side bypass valve 2RHS*MOV8A (E12-F048A) (Division I).
9. RHR heat exchanger shell side outlet valve 2RHS*MOV12A (E12-F003A) (Division I).
10. RHR heat exchanger tube side outlet valve 2RHS*MOV33A (E12-F027A) (Division I).
11. RHR test return line valve 2RHS*FV38A (E12-F024A)

(Division I).

12. RHR shutdown cooling injection isolation valve 2RHS*MOV40A (E12-F053A) (Division I) outside.
13. RHR shutdown cooling testable check valve bypass valve 2RHS*MOV67A (E12-F099A) (Division I).
14. RHR suction shutdown cooling valve 2RHS*MOV2B (E12-F006B) (Division II).
15. RHR pump suction valve 2RHS*MOV1B (E12-F004B)

(Division II).

16. RHR pump 2RHS*P1B (E12-C002B) (Division II).
17. RHR heat exchanger shell side inlet valve 2RHS*MOV9B (E12-F047B) (Division II).
18. RHR heat exchanger tube side inlet valve 2SWP*MOV90B (Division II).

Chapter 07 7.4-9 Rev. 25, October 2022

NMP Unit 2 USAR

19. RHR heat exchanger shell side bypass valve 2RHS*MOV8B (E12-F048B) (Division II).
20. RHR heat exchanger shell side outlet valve 2RHS*MOV12B (E12-F003B) (Division II).
21. RHR heat exchanger tube side outlet valve 2RHS*MOV33B (E12-F027B) (Division II).
22. RHR test return line valve 2RHS*FV38B (E12-F024B)

(Division II).

23. RHR shutdown cooling injection outside isolation valve 2RHS*MOV40B (E12-F053B) (Division II).
24. RHR shutdown cooling testable check valve bypass valve 2RHS*MOV67B (E12-F099B) (Division II).
25. RHR head spray outside isolation valve 2RHS*MOV104 (E12-F023) (Division I).
26. RHR discharge to radwaste outside isolation valve 2RHS*MOV142 (E12-F040) (Division I).
27. RHR discharge to radwaste inside isolation valve 2RHS*MOV149 (E12-F049) (Division II).
28. RHR A/LPCS return to suppression pool outside isolation valve 2RHS*MOV30A (Division I).
29. RHR B/C return to suppression pool outside isolation valve 2RHS*MOV30B (Division II).

The following RHR system instrumentation is provided on the remote shutdown control panel:

1. RHR heat exchanger water inlet/outlet temperature recorder (Loop A).
2. RHR heat exchanger water inlet/outlet temperature recorder (Loop B).
3. RHR heat exchanger service water outlet temperature indicator (Loop A).
4. RHR heat exchanger service water outlet temperature indicator (Loop B).
5. RHR discharge to radwaste temperature indicator.
6. RHR Loop A flow.
7. RHR Loop B flow.

Chapter 07 7.4-10 Rev. 25, October 2022

NMP Unit 2 USAR The following RHR system indicating lights are provided on the remote shutdown control panel:

1. Minimum flow to suppression pool (Loop A) valve 2RHS*MOV4A (Division I).
2. Minimum flow to suppression pool (Loop B) valve 2RHS*MOV4B (Division II).

The following nuclear boiler system control switches and indicating lights are located on the remote shutdown control panel:

1. Nuclear boiler manual relief valve 2MSS*PSV121 (B22-F013M) (Division I).
2. Nuclear boiler manual relief valve 2MSS*PSV127 (B22-F013H) (Division I).
3. Nuclear boiler manual relief valve 2MSS*PSV121 (B22-F013M) (Division II).
4. Nuclear boiler manual relief valve 2MSS*PSV127 (B22-F013H) (Division II).
5. Nuclear boiler manual relief valve 2MSS*PSV129 (B22-F013U) (Division I).
6. Nuclear boiler manual relief valve 2MSS*PSV137 (B22-F013C) (Division I).
7. Nuclear boiler manual relief valve 2MSS*PSV129 (B22-F013U) (Division II).
8. Nuclear boiler manual relief valve 2MSS*PSV137 (B22-F013C) (Division II).
9. ADS air primary containment isolation valve (2IAS*SOV164) (Division I).
10. ADS air header "A" high flow supply valve (2IAS*SOVX181) (Division I).
11. ADS air primary containment isolation valve (2IAS*SOV165) (Division II).
12. ADS air header "B" high flow supply valve (2IAS*SOVX186) (Division II).

The following nuclear boiler instrumentation is provided on the remote shutdown control panel:

1. Reactor vessel pressure indicator (Divisions I and II).

Chapter 07 7.4-11 Rev. 25, October 2022

NMP Unit 2 USAR

2. Reactor vessel level indicator (wide range) (Divisions I and II).
3. Reactor vessel level indicator (narrow range)

(Divisions I and II).

4. ADS accumulator TK 32 pressure indicator.
5. ADS accumulator TK 33 pressure indicator.
6. ADS accumulator TK 38 pressure indicator.
7. ADS accumulator TK 35 pressure indicator.
8. Reactor vessel shell flange and bottom head temperature recorder.

The following SWP system control switches are located on the remote shutdown control panel:

1. Service water pump 2SWP*P1A (Division I).
2. Service water pump 2SWP*P1C (Division I).
3. Service water pump 2SWP*P1E (Division I).
4. Service water pump 2SWP*P1B (Division II).
5. Service water pump 2SWP*P1D (Division II).
6. Service water pump 2SWP*P1F (Division II).
7. Service water from 2EGS*EG1 CLR (2SWP*MOV66A)

(Division I).

8. Service water pump 2SWP*P1A discharge valve (2SWP*MOV74A) (Division I).
9. Service water pump 2SWP*P1C discharge valve (2SWP*MOV74C) (Division I).
10. Service water pump 2SWP*P1E discharge valve (2SWP*MOV74E) (Division I).
11. Service water from 2EGS*EG3 CLR (2SWP*MOV66B)

(Division II).

12. Service water pump 2SWP*P1B discharge valve (2SWP*MOV74B) (Division II).
13. Service water pump 2SWP*P1D discharge valve (2SWP*MOV74D) (Division II).

Chapter 07 7.4-12 Rev. 25, October 2022

NMP Unit 2 USAR

14. Service water pump 2SWP*P1F discharge valve (2SWP*MOV74F) (Division II).

The following SWP system instrumentation is provided on the remote shutdown control panel:

1. Service water pump 2SWP*P1A discharge flow indicator (Division I).
2. Service water pump 2SWP*P1C discharge flow indicator (Division I).
3. Service water pump 2SWP*P1E discharge flow indicator (Division I).
4. Service water pump 2SWP*P1B discharge flow indicator (Division II).
5. Service water pump 2SWP*P1D discharge flow (Loop A) indicator (Division II).
6. Service water pump 2SWP*P1F discharge flow indicator (Division II).
7. Service water to RHR heat exchanger flow indicator (Division I).
8. Service water to RHR heat exchanger flow (Loop B) indicator (Division II).

The following containment atmosphere monitoring devices are located on the RSP:

1. Suppression pool temperature selector switch and indicator (5 temperature inputs) (Division I).
2. Suppression pool temperature selector switch and indicator (5 temperature inputs) (Division II).
3. Suppression pool level indicator (Divisions I and II).

7.4.1.5 Design Basis The safe shutdown systems are designed to provide timely protection against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB.

Chapter 15 and Appendix A identify and evaluate events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in Chapter 15. No design basis accident (DBA) is considered for the RSS system (including LOCA). Therefore, complete control of ESF systems for protective action outside the main control room is not required. See Section 7.2.1.4.7 Chapter 07 7.4-13 Rev. 25, October 2022

NMP Unit 2 USAR for minimum performance requirements for RPS instrumentation and controls.

7.4.1.5.1 Variables Monitored to Provide Protective Actions Reactor vessel low water level (Trip Level 2) is monitored to provide protective actions to the RCIC and the SLCS. The Level 2 signal to the SLCS is provided by the RRCS which also provides input to the SLCS on high dome pressure. All other safe shutdown systems identified in Section 7.4 are initiated by Operator action, with the exception of the SLCS which can be initiated automatically by RRCS signals. The plant conditions that require protective action involving safe shutdown are described in Chapter 15 and Appendix 15A.

7.4.1.5.2 Location and Minimum Number of Sensors See Technical Specifications and TRM Section 3.3.3.2 for the minimum number of sensors required to monitor safety-related variables. There are no sensors in these safe shutdown systems that have a spatial dependence.

7.4.1.5.3 Prudent Operational Limits Prudent operational limits for each safety-related variable trip setting are selected with sufficient margin that a spurious safe shutdown system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or the nuclear system process barrier, is kept within acceptable bounds.

7.4.1.5.4 Margin Adequate margin between safety limits and instrument setpoints is provided to allow for instrument error. The appropriate allowable values are listed in Technical Specifications. The bases are discussed in the Technical Specifications Bases.

7.4.1.5.5 Levels Levels requiring protective action are established in Technical Specifications.

7.4.1.5.6 Range of Transient, Steady-State, and Environmental Conditions Refer to Section 3.11 for environmental conditions. Refer to Sections 8.2.1 and 8.3.1 for the maximum and minimum ranges of energy supply to the safe shutdown systems' instrumentation and controls. All safety-related instrumentation and controls are specified and purchased to withstand the effects of energy supply extremes.

Chapter 07 7.4-14 Rev. 25, October 2022

NMP Unit 2 USAR 7.4.1.5.7 Malfunctions, Accidents, and Other Unusual Events That Could Cause Damage to Safety System Floods The buildings containing safe shutdown system components are protected against floods as described in Section 3.4.

Storms and Tornadoes All buildings, except the turbine building, that contain safe shutdown system components are protected against storms and tornadoes as described in Section 3.3.

Earthquakes All structures, except the turbine building, that contain safe shutdown system components have been seismically qualified as described in Sections 3.7 and 3.8. Seismic qualification of instrumentation and electrical equipment is discussed in Section 3.10.

Fires These safe shutdown systems are protected from the effects of fire as described in Section 9.5.1.

LOCA Events The safe shutdown system components located inside the drywell which are functionally required following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11. Other LOCA events such as pipe break outside containment and feedwater line break are discussed in Sections 3.6 and 15.6.

Missiles These safe shutdown systems are protected against the effects of missiles as described in Section 3.5.

7.4.1.5.8 Minimum Performance Requirements Minimum performance requirements for safe shutdown systems instrumentation and controls are provided in Technical Specifications and the TRM.

7.4.1.6 Final System Drawings The following final system drawings have been provided for the safe shutdown systems:

1. P&IDs.

Chapter 07 7.4-15 Rev. 25, October 2022

NMP Unit 2 USAR

2. FCDs/Control Logic Diagrams.

Functional and architectural design differences between the PSAR and FSAR are listed in Table 1.3-8.

7.4.2 Analysis 7.4.2.1 Reactor Core Isolation Cooling System Instrumentation and Controls 7.4.2.1.1 Conformance to General Requirements For events other than pipe breaks, such as RCPB isolations, the RCIC system has a makeup capacity sufficient to prevent the reactor vessel water level from decreasing to the level where the core is uncovered. To provide a high degree of assurance that the RCIC system will operate when necessary and in time to provide adequate inventory makeup, the power supply for the system is taken from energy sources of high reliability that are immediately available. Evaluation of instrument reliability for the RCIC system shows that no failure of a single initiating sensor either prevents or falsely starts the system.

A design flow functional test of the RCIC system can be performed during plant operation by taking suction from the demineralized water in the CST and discharging through the full flow test return line back to the CST. During the test, the discharge valve to the reactor vessel remains closed and the reactor operation is not disturbed. Control system design provides automatic return from the test mode to the operating mode if initiation is required during testing.

7.4.2.1.2 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the RCIC system as specified in Table 7.1-3. In addition, the following comments pertain specifically to the RCIC system.

General Design Criterion 29 - Protection Against Anticipated Operational Occurrences - The RCIC maintains the reactor vessel water level by providing makeup water if the reactor becomes isolated from the main condenser during normal operation.

General Design Criterion 33 - Reactor Coolant Makeup - If the reactor should become isolated from the main condenser, the RCIC system maintains reactor water level by providing the makeup water. Initiation and control are automatic.

7.4.2.1.3 Conformance to IEEE Standards The IEEE standards that apply to the RCIC system are specified in Table 7.1-3. The following conformance discussions apply Chapter 07 7.4-16 Rev. 25, October 2022

NMP Unit 2 USAR specifically to the RCIC system. Refer to Section 7.1.2.2 for conformance discussions applying generically to all safety-related systems.

7.4.2.1.3.1 Conformance with IEEE-279-1971 Paragraph 4.1 The RCIC is automatically initiated by reactor low water level measurements.

Paragraph 4.2 The RCIC system is not required to meet the single-failure criterion. The RCIC initiation sensors and associated logic do, however, meet the single-failure criterion for automatic system initiation through physical and electrical separation.

Paragraph 4.3 The components and modules of the RCIC instrumentation and control are the same high quality as those of the ESF systems (Section 7.3.2.1.2.1). The safety-related portion of the RCIC control and instrumentation components and modules is seismically qualified to remain functional following a SSE.

Paragraph 4.4 No components of the RCIC control system are required to operate in the drywell environment except the RCIC steam line isolation valve and steam line warmup line isolation valve. All other equipment for RCIC initiation is located outside the drywell and is capable of accurate operation in ambient temperature conditions that result from abnormal conditions. The components in the RCIC control system have demonstrated their reliable operability in previous applications in nuclear power plant protection systems or in extensive industrial use.

Paragraph 4.5 The RCIC system instrument initiation channels satisfy the channel integrity objective.

Paragraph 4.6 Channel independence for initiation sensors is provided by electrical and mechanical separation.

Paragraph 4.7 The RCIC system has no interaction with other plant control systems.

Paragraph 4.8 All inputs to RCIC system that are essential to its operation are direct measures of appropriate variables.

Paragraph 4.9 All sensors are installed with calibration taps and instrument valves to permit testing during normal plant operation or during shutdown.

Paragraph 4.10 The RCIC system is capable of being completely tested during normal plant operation, except valves 2ICS*V156 and 2ICS*V157, which are tested during reactor shutdown, to verify that each element of the system, whether active or inactive, is capable of performing its intended function.

Chapter 07 7.4-17 Rev. 25, October 2022

NMP Unit 2 USAR Paragraph 4.11 Calibration of a sensor that introduces a single instrument channel trip will not cause a protective action without the coincident trip of a second channel. Removal of a sensor from operation during calibration does not prevent the redundant instrument channel from functioning.

Paragraph 4.12 There are no operating bypasses within the RCIC system.

Paragraph 4.13 For discussion of bypass and inoperability indication refer to Section 7.1.2.3.

Paragraph 4.14 Access to means of bypassing any safety action or function for the RCIC is under administrative control. The Operator is alerted to bypasses as described in Section 7.1.2.3.

Paragraph 4.15 There are no multiple setpoints within the RCIC system. All setpoints are fixed.

Paragraph 4.16 Once the RCIC is initiated by reactor low water level, the logic seals in and system operation must go to completion until terminated by deliberate Operator action or automatically stopped on high vessel water level or system malfunction trip signal.

Paragraph 4.17 Each piece of RCIC actuation equipment required to operate pumps and valves is capable of manual initiation from the control room. Failure of logic circuitry to initiate the RCIC system will not affect manual control of equipment.

Paragraph 4.18 All access to setpoint adjustments for the RCIC are under administrative control of the Control Room Operator.

Paragraph 4.19 Protective actions are directly indicated and identified by annunciator operation and instrument channel trip indicator lights.

Paragraph 4.20 The RCIC system is designed to provide the Operator with accurate and timely information pertinent to its status. It does not introduce signals into other systems that could cause anomalous indications confusing to the Operator.

Paragraph 4.21 The RCIC system is designed to permit repair or replacement of components during normal plant operation.

Recognition and location of a failed component will be accomplished during periodic testing or by annunciation in the control room.

Paragraph 4.22 All controls and instruments are located in one section of the control room panel and clearly identified by nameplates. Relays are located in one panel for RCIC use only.

Relays and panels are identified by nameplates.

7.4.2.1.3.2 Conformance to IEEE-379-1972 Chapter 07 7.4-18 Rev. 25, October 2022

NMP Unit 2 USAR See Section 7.4.2.1.3, IEEE-279, Paragraph 4.2.

7.4.2.1.4 Conformance to Regulatory Guides The regulatory guides that apply to the RCIC system are specified in Table 7.1-3. The following conformance discussions apply specifically to the RCIC system. Refer to Section 7.1.2.3 for conformance discussions applying generically to all safety-related systems.

Regulatory Guide 1.22 While not a design basis, the RCIC is fully testable from initiating sensors to actuated devices during full-power operation.

Regulatory Guide 1.53 While this regulatory guide is not a design basis, the RCIC system conforms to the guide in the following manner. See also Section 7.4.2.1.3, IEEE-279, Paragraph 4.2.

Position C.1 The RCIC system is initiated manually or automatically. The turbine-driven pump supplies demineralized makeup water from the CST or water from the suppression pool to the reactor vessel.

The RCIC is not an ESF system and is not required to meet the single-failure criterion. The HPCS is a backup to RCIC for its safe shutdown function.

Position C.2 The RCIC system is fully testable.

Position C.3 Separate controls are provided for RCIC and HPCS.

The HPCS and RCIC systems are located in separate areas of the secondary containment. Control independence of HPCS and RCIC is provided by using different battery systems to provide control power to each unit. Separate automatic initiation logics are also used.

Position C.4 A single electrical failure of the RCIC will not affect HPCS from providing backup safety protection.

See also Section 7.4.2.1.3, IEEE-279, Paragraph 4.2.

Regulatory Guide 1.62 The RCIC may be automatically and manually initiated inside the main control room as well as at the RSP outside the main control room.

7.4.2.2 Standby Liquid Control System Instrumentation and Controls 7.4.2.2.1 Conformance to General Requirements Redundant positive displacement pumps, explosive valves, MOVs, and control circuits for the SLCS have been provided as Chapter 07 7.4-19 Rev. 25, October 2022

NMP Unit 2 USAR described in Section 7.4.1.2. This constitutes all of the active equipment required for injection of the sodium pentaborate solution. Continuity relays provide monitoring of the explosive valves and indicator lights provide indication on the reactor core cooling benchboard of system status.

7.4.2.2.2 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the SLCS as specified by Table 7.1-3.

7.4.2.2.3 Conformance to IEEE Standards The IEEE standards that apply to the SLCS are specified in Table 7.1-3. The following conformance discussions apply specifically to the SLCS. Refer to Section 7.1.2.2 for conformance discussions applying generically to all safety-related systems.

7.4.2.2.3.1 Conformance to IEEE-279-1971 Paragraph 4.1 The SLCS is initiated either manually by Operator action or automatically by the RRCS system. Display instrumentation in the control room provides the Operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status.

Paragraph 4.2 The SLCS is a backup method of shutting down the reactor. It is not necessary for the SLCS to meet single-failure criterion for this function. However, pumps and pump motors, explosive valves, and storage tank outlet valves are redundant so that no single failure in these components will cause or prevent initiation of the SLCS.

For the suppression pool pH control function, the SLCS design relative to single failures was reviewed and determined to be acceptable by the NRC with the issuance of License Amendment 125.

Paragraph 4.3 Components used in the SLCS have been carefully selected on the basis of suitability for specific application.

Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. Furthermore, a quality control and assurance program has been implemented and documented by equipment vendors to comply with the requirements set forth in 10CFR50 Appendix B. The qualification of SLCS control and instrumentation is discussed in Sections 3.2, 3.10, and 3.11.

Paragraph 4.4 No components of the SLCS are required to operate in the drywell environment. Besides the isolation check valve, a maintenance valve is the only component located inside the drywell and is normally locked open. Other SLCS equipment is located in the reactor building and is capable of operation following a SSE and a LOCA.

Chapter 07 7.4-20 Rev. 25, October 2022

NMP Unit 2 USAR Paragraph 4.5 The SLCS is designed to remain functional following a SSE and a LOCA.

Paragraph 4.6 There are two channels of control circuits, discharge pumps, motors, tank outlet valves, and explosive valves that are independent of each other. Failure in one channel will not prevent the other from operating.

Paragraph 4.7 The SLCS has no interaction with the normal plant control system and no function during normal plant operation.

It is completely independent of control systems and other safety systems.

Paragraph 4.8 The SLCS is initiated either manually by Operator action or automatically by the RRCS. Display instrumentation in the control room provides the Operator with information on reactor vessel water level, pressure, neutron flux level, control rod position, and scram valve status. Based on this information the Operator decides whether or not to initiate the SLCS.

Paragraph 4.9 Operational availability is checked by the Operator. Sensor checks are made by Operator observations of analog indicators, indicating lamps, annunciators, and status lights located in control room and locally at the equipment.

Paragraph 4.10 The explosive valves may be tested during plant shutdown. The explosive valve control circuits are continuously monitored and loss of continuity is indicated in the control room. The remainder of the SLCS may be tested during normal operation to verify that each element is capable of performing its function.

Paragraph 4.11 There are two redundant discharge pumps so that one pump may be removed from service during normal plant operation.

Paragraph 4.12 The SLCS has no function during normal plant operation.

Paragraph 4.13 Removal of components from service is annunciated in the control room.

Paragraph 4.14 Removal of components from service during normal plant operation is under administrative control.

Paragraph 4.15 There are no multiple setpoints.

Paragraph 4.16 Upon SLCS initiation, the squib valves fire and remain open, the tank discharge valves open, and the SLCS injection pumps start. The tank discharge valves can be closed and the pumps stopped either by manual action or automatically when the storage tank level drops below a setpoint.

Chapter 07 7.4-21 Rev. 25, October 2022

NMP Unit 2 USAR Paragraph 4.17 The SLCS can be manually initiated.

Paragraph 4.18 The control circuits, discharge pump, pump motors, and MOVs are accessible for test and service.

Paragraph 4.19 The explosive valve status once fired is indicated in control room.

Paragraph 4.20 The discharge pressure of sodium pentaborate solution, storage tank level, and pump suction MOVs status are indicated in control room.

Paragraph 4.21 The control circuits, pumps, and pump motors may be repaired or replaced during normal plant operation.

Paragraph 4.22 All controls and instrumentation are clearly identified by nameplates.

7.4.2.2.3.2 Conformance to IEEE-338-1971 The design of the SLCS system permits periodic testing of the system from initiation to actuated devices except explosive valves. The explosive valve control circuit is continuously monitored and annunciated in control room.

7.4.2.2.3.3 Conformance to IEEE-379-1972 See Section 7.4.2.1.3, IEEE-279, Paragraph 4.2.

7.4.2.2.4 Conformance to Regulatory Guides The regulatory guides that apply to the SLCS are specified in Table 7.1-3. The following conformance discussions apply specifically to the SLCS. Refer to Section 7.1.2.3 for conformance discussions applying generically to all safety-related systems.

Regulatory Guide 1.22 While this regulatory guide is not a design basis, the SLCS is fully testable from initiation to actuated devices, except for the squib valves, during normal operation.

Regulatory Guide 1.47 The continuity of the explosive valve circuit is continuously monitored and is indicated in the control room. The level and temperature of the sodium pentaborate are monitored with the high and low levels and high and low temperature conditions annunciated in control room. The removal of all other equipment for servicing is administratively controlled.

Regulatory Guide 1.53 See Section 7.4.2.2.3, IEEE-279, Paragraph 4.2.

Chapter 07 7.4-22 Rev. 25, October 2022

NMP Unit 2 USAR While this regulatory guide is not a design basis, the following defines the SLCS conformance with the regulatory guide:

Position C.1 For the reactivity control function, SLCS is a special event capability backup system, not an ESF system.

Therefore, the SLCS is not required to meet the single-failure criterion at the system level. The two separate and independent control loops of the SLCS use a common supply tank and share a portion of the injection piping into the reactor. However, each loop has its own divisional power, SLCS pump, explosive injection valve, tank discharge valve, and associated controls.

For the suppression pool pH control function, the SLCS design relative to single failures was reviewed and determined to be acceptable by the NRC with the issuance of License Amendment 125. A detailed system description is provided in Section 7.4.1.2.

Position C.2 The SLCS is fully testable.

Position C.3 Independent and separate control switches are provided for control of the redundant components in each loop of the SLCS. No switch supplies signals to redundant loops.

Position C.4 Under special shutdown conditions, the SLCS is functionally redundant to the CRD system in achieving and maintaining the reactor subcritical. The SLCS is separated both physically and electrically from the CRD system. Thus, it is not required that the SLCS meet the single-failure criterion for its reactivity control function. Furthermore, the two channels of SLCS are independent of each other, and failure in one channel will not prevent the other from operating. For the suppression pool pH control function, the SLCS design relative to single failures was reviewed and determined to be acceptable by the NRC with the issuance of License Amendment 125.

Regulatory Guide 1.62 The SLCS can be manually initiated from the control room.

7.4.2.3 RHRS/Reactor Shutdown Cooling Mode (RSCM)

Instrumentation and Controls The RSCM of the RHRS uses the same equipment as that used by the LPCI mode. Therefore, refer to Section 7.3.2 for the RSCM standards and regulatory compliance as indicated in Table 7.1-3.

7.4.2.4 Remote Shutdown System 7.4.2.4.1 Conformance to General Requirements The RSS consists of equipment located outside the control room that provides and assures prompt hot shutdown of the reactor and maintains safe conditions during hot shutdown. The equipment also provides capability for subsequent cold shutdown of the reactor.

Chapter 07 7.4-23 Rev. 25, October 2022

NMP Unit 2 USAR Access to the RSS controls is controlled by the plant security system. Access is restricted, as with other vital areas. In the event of failure of the card reader, access is possible by use of metal keys. Additionally, keylock switches requiring the use of metal keys are utilized for panel transfer/override functions. These keys are administratively controlled according to key control procedures and readily available to both the Control Room Operator and the Shift Manager (SM) in the event of a control room evacuation.

Use of communications to coordinate Operator actions is not required since all functions to safely shut down the plant can be performed independently from either the control room or the RSS controls.

A description of how cold shutdown is achieved utilizing the RSP is contained in Section 7.4.1.4.

A description of control room annunciation when transfer switches are changed to the emergency position is contained in Section 7.4.1.4.

A separate startup test procedure, as described in test abstracts, Section 14.2, was performed to demonstrate the capability of the RSS to safely shut down the plant within guidelines provided by RG 1.68.2.

Instrumentation and controls associated with the RSS are calibrated and functionally verified by surveillance testing as required in the Technical Specifications. RSS design is such that functional testing of systems verifies the operational capability to provide remote shutdown. Additionally, periodic testing of the transfer switches is performed to verify control functions.

Equipment classification for the RSP is as shown in Table 3.2-1.

7.4.2.4.2 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the RSS, as specified by Table 7.1-3.

The following provides additional information regarding RSS conformance to GDC 19 utilizing ICSB interpretation guidance.

The RSP is designed to achieve and maintain hot shutdown in the event the control room is inaccessible. This is achieved by the use of redundant, safety grade instrumentation and redundant, safety grade control circuits identical (in most all cases) to those used in the control room. Additionally, some nonsafety-related indicators and recorders are provided for operation use. As a result of the Unit 2 Appendix R spurious analysis study, provisions have been made to disconnect the Chapter 07 7.4-24 Rev. 25, October 2022

NMP Unit 2 USAR automatic interlocks between the control/relay room and the safety-related equipment required for safe shutdown. The disconnected switches would prevent spurious actuation of safety-related equipment resulting from automatic signals generated from the control/relay room. These disconnect switches ensure total manual control from the RSP.

The transfer of control from the control/relay room to the RSP will be performed in such a way as not to cause spurious actuation of safety-related equipment. The transfer of control from the control/relay room to remote shutdown will not cause any change in equipment status. Upon completion of the control transfer to the RSP, safety-related equipment required for safe shutdown will operate only under manual control. Process indication provided on the RSP is sufficient for the Operator to achieve and maintain hot shutdown.

Additionally, specific procedures and Operator training are provided to ensure safe operations from the RSP.

No jumping, rewiring, circuit disconnection, or manual action (in locations other than the RSP) is used to achieve the desired shutdown condition.

The design of the RSP is such that cold shutdown is achieved using safety grade, redundant instrumentation.

Loss of offsite power (LOOP) will not negate shutdown capability since power is supplied by reliable safety grade power sources.

Transfer of control to the RSP does not disable any ESF function or change the operating status of any equipment. The RHR isolation valves on the RSP are of a spring-return type.

Access to the remote shutdown room is controlled at all times, and the transfer switches are the lockable type.

Design of the RSP conforms to the requirements of Appendix R to 10CFR50.

7.4.2.4.3 Conformance to IEEE Standards IEEE standards that apply to the RSS are specified in Table 7.1-3. The following conformance discussion applies specifically to the RSS. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

IEEE-279-1971 The RSS interfaces with safety-related systems such as RHR and RCIC, and during normal operation becomes part of those systems and meets the design criteria for those systems.

7.4.2.4.4 Conformance to Regulatory Guides Chapter 07 7.4-25 Rev. 25, October 2022

NMP Unit 2 USAR The regulatory guides that apply to the RSS are specified in Table 7.1-3. Regulatory guide conformance for remote shutdown control and instrumentation is provided in the analysis sections of Chapter 7 for each system whose instrumentation and controls interface with the RSS. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

Chapter 07 7.4-26 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.4-1 REACTOR CORE ISOLATION COOLING INSTRUMENT SPECIFICATIONS RCIC Function Instrument Range Reactor vessel high water Level 0 - 750" H2O level turbine trip transmitter (Level 8)(1)

Turbine exhaust high Pressure 0 - 300 psig pressure transmitter RCIC system pump high Pressure 0 - 300 psig suction pressure transmitter RCIC system pump Pressure 0 - 750" H2O low suction pressure transmitter Reactor vessel low water Level 0 - 750" H2O level (Level 2)(1) transmitter RCIC system steam supply Pressure 0 - 3,000 psig pressure E51-N007 transmitter Turbine overspeed Centrifugal N/A device RCIC system pump Pressure 0 - 3,000 psig discharge pressure high transmitter Condensate storage tank Level 0 - 150" H2O level transmitter RCIC system steam supply Pressure 0 - 300 psia pressure low transmitter (1) Instrument zero equal to 380.7 in above vessel zero.

Chapter 07 7.4-27 Rev. 25, October 2022

NMP Unit 2 USAR 7.5 SAFETY-RELATED DISPLAY INSTRUMENTATION 7.5.1 Description 7.5.1.1 General This section describes the instrumentation that provides information to the Operator to enable him to assess the status of safety-related systems and the need to perform required safety functions.

Select SRDI located in the main control room is listed in Table 7.5-1 which tabulates Operator information displays for the various systems described in Sections 7.2, 7.3, 7.4, and 7.6.

The safety parameter display system (SPDS) is further discussed in Section 1.10, Task I.D.2.

The instrumentation and ranges shown in Table 7.5-1 are selected to provide the RO with the necessary information to perform normal plant operations and the capability to track process variables pertinent to safety following DBAs.

The power sources to the instrumentation described in this section are discussed in Chapter 8. The following information is provided to the Main Control Room Operator to monitor reactor conditions and allow assessment of safety system status following a DBA.

7.5.1.1.1 Transmitter/Trip Unit Main Control Room Indication The plant protection system electronic trip system provides continuous main control room indication of each variable monitored by the RPS, ESF, and RCIC systems. Each variable is sensed by an analog transmitter that continually transmits a signal, proportional to the variable range, to a trip unit located in the main control room. A meter located on each master trip unit displays the transmitted signal. The meter allows visual cross-checking between instrument channels to verify operability and variable level. All trip units display trip status using an indicator light.

The trip units used at Unit 2 are those described in the GE Topical Report NEDO-21617, "Analog Transmitter/Trip Unit System for Engineered Safeguard Sensor Trip Input."

The master trip unit receives its signal directly from its transmitters and displays that transmitted signal. The slave trip unit does not receive a direct signal. The signal received by the slave trip unit goes through the master trip unit. The slave trip unit does not have a display to show this transmitted signal.

7.5.1.1.2 Reactor Water Level Chapter 07 7.5-1 Rev. 25, October 2022

NMP Unit 2 USAR Unit 2 is provided with analog water level measurement instrumentation. Reactor water level is recorded on two multichannel recorders. One channel on each recorder records water level and the other records reactor pressure (Section 7.5.1.1.3).

Wide-range water level signals to the two recorders are transmitted from level transmitters in the nuclear boiler instrumentation system.

The reactor water level common reference is discussed in Section 1.10, Task II.K.3.27.

7.5.1.1.3 Reactor Pressure Two reactor pressure signals are transmitted from two independent differential pressure transmitters and are recorded on two multichannel recorders. One channel on each recorder records pressure and the other records the wide range level (Section 7.5.1.1.2).

7.5.1.2 Reactor Shutdown Indication The following information is provided to the main control room Operator to monitor reactor shutdown:

1. Control rod status lights indicate each rod fully inserted and control rod scram pilot valve position status lights indicate open valves.
2. Neutron monitoring power range channels and recorders downscale.
3. Annunciators for RPS variables and trip logic in the tripped state.
4. The (nonsafety-related) plant computer logs trip and control rod position and provides thermal-hydraulic information to the Operator that he uses to keep the plant operating within Technical Specification limits.

7.5.1.3 Primary Containment and Reactor Vessel Isolation Indication The following information is provided to the main control room Operator to monitor the integrity of the primary containment:

1. Isolation valve position lamps indicating valve closure.
2. Main steam line flow indication.

Chapter 07 7.5-2 Rev. 25, October 2022

NMP Unit 2 USAR

3. Annunciators for the primary containment and reactor vessel isolation system variables and trip logic in the tripped state.
4. Plant computer logging of trips.

7.5.1.4 ECCS and RCIC Indication The following information is provided to the Main Control Room Operator to monitor ECCS and RCIC system status:

1. Annunciators for HPCS, LPCS, RHR, ADS, and RCIC variables and trip logic in the trip state.
2. Flow and/or pressure indications for each ECCS and RCIC.
3. ECCS and RCIC valve position indication except check valve 2ICS*V157.
4. Plant computer logging of trips in the ECCS and RCIC.
5. Relief valve discharge pipe temperature monitors.

7.5.1.5 Other Systems Indications Information on other systems is provided to the Main Control Room Operator to monitor the status of these systems (Table 7.5-1). This information is provided by indicators, recorders, and meters for monitoring the various system parameters; indicating lights for monitoring position of valves, vents, dampers, etc., or for indication of energized or de-energized equipment; and status lights for indication of equipment inoperability or off-normal condition. Annunciators and computer monitoring of various system variables are also provided. These additional systems are:

1. Primary containment atmosphere monitoring system.
2. SWP system.
3. CGCS system (DBA hydrogen recombiners).
4. SGTS system.
5. Reactor building HVAC system.
6. Control building HVAC system.
7. Control building chilled water system.
8. Standby power system.
9. Diesel generator building HVAC system.

Chapter 07 7.5-3 Rev. 25, October 2022

NMP Unit 2 USAR

10. Service water pump bays ventilating system.
11. Fuel pool cooling system.
12. Radiation monitoring system.
13. Instrument air system (IAS).
14. Feedwater system (feedwater isolation valves/PCRVICS).
15. Reactor building floor drains system (used for LDS).
16. Reactor building equipment drains system (used for LDS).
17. Main steam SRVs, vents, and drains system.
18. RWCU system.
19. Reactor plant component cooling water system.
20. Fire protection system.
21. Main steam system (MSIVs/PCRVICS).

Table 7.5-1 is applicable to the standby diesel generator fuel oil system in that the out-of-service status light is listed.

7.5.2 Analysis The SRDI provides adequate information to allow the RO to perform the necessary manual safety functions during normal operation, transients, and accident conditions.

1. Normal Operation The information channel ranges and indicators were selected to give the RO the information necessary to perform all the normal plant startup and steady-state maneuvers, and to be able to track all the process variables pertinent to safety.
2. Abnormal Transient Occurrences The ranges of indicators and recorders provided are capable of covering the extremes of process variables and provide adequate information for all abnormal transient events.
3. Accident Conditions Information readouts are designed to accommodate all credible accidents for Operator actions, information, and event tracking requirements, and cover all other design basis events or incident requirements. Instrumentation for accident monitoring is further discussed in Section 1.10, Task II.F.1.

Chapter 07 7.5-4 Rev. 25, October 2022

NMP Unit 2 USAR

4. Post-accident Monitoring The following SRDI is in compliance with safety-related system requirements (Section 7.1.2) and provides information to the Operator after a DBA-LOCA for monitoring plant conditions.
a. Reactor Water Level and Pressure Reactor water level and reactor pressure sensor instrumentation described in Sections 7.5.1.1.2 and 7.5.1.1.3, respectively, is redundant, electrically independent, and qualified to be operable during and after a LOCA in conjunction with a SSE.

Power is from independent instrument buses supplied from the two divisional ac buses. This instrumentation complies with the independence and redundancy requirements of IEEE-279-1971 and provides recorded outputs.

The reactor water level and pressure sensors are mounted on two independent local panels. The sensors and recorders are designed to operate during normal operation and/or post-accident environmental conditions. The design criteria that the instruments must meet are discussed in Section 7.1.2. There are two complete and independent channels of wide-range reactor water level and reactor vessel pressure, with each channel having its readout on a separate two-pen recorder or water level indicator.

The design, considering the accuracy, range, and quality of the instrumentation, is adequate to provide the Operator with accurate reactor water level and reactor pressure information during normal operation, abnormal, transient, and accident conditions.

The Division 1 and 2 recorders are located on the reactor core cooling control board in the main control room.

b. Suppression Pool Water Level and Temperature The sensors and indicators/recorders are designed to operate during normal operation and during accident conditions. This instrumentation complies with the requirements of IEEE-279-1971 and provides recorded outputs.

Division I indicators are located on the reactor core cooling control board in the main control room. Division II recorders are located on the post-accident monitoring panel in the main control room. Additional suppression pool water level indicators for post-accident monitoring Chapter 07 7.5-5 Rev. 25, October 2022

NMP Unit 2 USAR will be provided in accordance with Task II.F.1.5 in Section 1.10.

c. Drywell and Suppression Chamber Pressure This instrumentation is redundant, electrically independent, and qualified to be operable during and after a LOCA. Power is from independent buses and the instrumentation complies with the requirements of IEEE-279-1971 and provides recorded outputs.

Division I indicators are located on the reactor core cooling control board in the main control room. Division II recorders are located on the post-accident monitoring panel in the main control room. Additional suppression chamber pressure indicators for post-accident monitoring will be provided in accordance with Task II.F.1.4 in Section 1.10.

d. Radiation Monitoring Primary containment atmosphere radiation monitors (indicators and recorders) are provided on the process and area radiation monitoring panel in the main control room. Additional monitors for post-accident monitoring will be provided in accordance with Task II.F.1.1 in Section 1.10.

RHR service water radiation monitors (indicators and recorders) are provided for post-accident monitoring and are located on the process and area radiation monitoring panel in the main control room.

Main stack and radwaste reactor building ventilation noble gas effluent radiation monitors for post-accident monitoring will be provided in accordance with Task II.F.1.1 in Section 1.10.

Sampling and analysis of plant iodine and particulate effluents will be provided for post-accident monitoring in accordance with Task II.F.1.2 of NUREG-0737.

e. Primary Containment Hydrogen and Oxygen Concentration Division I indicators are located on the reactor core cooling control board in the main control room. Division II recorders are located on the post-accident monitoring panel in the main control room. Additional primary containment hydrogen concentration monitors for post-accident monitoring will be provided in accordance with Task II.F.1.6 in Section 1.10.

Chapter 07 7.5-6 Rev. 25, October 2022

NMP Unit 2 USAR

f. Drywell and Suppression Chamber Air Temperature The sensors and indicators/recorders are designed to operate during normal operation and accident conditions. See Section 6.2.1.7 for instrument requirements. Also, see TRM Section 3.3.3.1 for suppression chamber air temperature requirements.
g. Safety/Relief Valve Position Indicators Indicators and annunciators are provided in the main control room to identify SRVs opening.

7.5.2.1 Compliance With Regulatory/Industry Standards The SRDI is designed in compliance with the system requirements for which the instrument components are a part.

Implementation of recommendations for accident monitoring instrumentation presented in RG 1.97 Revision 3, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident," is shown in Table 7.5-2.

Five types of RG 1.97 variables are defined for the purpose of aiding the design, specification, selection, and qualification of accident-monitoring instrumentation. These types, and the associated definition for each, are as follows:

Type A Those plant-specific variables that provide primary information needed to permit control room operating personnel to take the specified manually-controlled actions for which no automatic control is provided, and that are required for safety systems to accomplish their safety functions for design basis accidents.

Note: In the context of the above definition, primary information is information that is essential for the direct accomplishment of the specified safety function; it does not include those variables that are associated with contingency actions that may also be identified in written procedures.

Type B Those variables that provide information to indicate whether plant safety functions are being accomplished. Plant safety functions are: 1) reactivity control, 2) core cooling, 3) maintenance of reactor coolant system integrity, and 4) maintenance of primary containment Chapter 07 7.5-7 Rev. 25, October 2022

NMP Unit 2 USAR integrity (including radioactive effluent control).

Type C Those variables that provide information to indicate the potential for being breached or the actual breach of the barriers to fission product release (i.e., fuel cladding, primary coolant pressure boundary, and containment).

Type D Those variables that provide information to indicate the operation of individual safety systems and other systems important to safety.

Type E Those variables to be monitored as required for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.

The five "Type" classifications of RG 1.97 variables are not mutually exclusive. A particular variable (and the associated monitoring instrumentation) may be designated as applying to more than one type, as well as to monitoring normal plant operations and/or the required initiation and operation of safety systems.

Design and qualification criteria for instrumentation used to monitor RG 1.97 variables are divided into three distinct categories as follows:

Category 1 Designates instrumentation subject to design and qualification in accordance with the most stringent guidelines and standards; applies to principal instrumentation for monitoring the status (and trend) of key variables.

Category 2 Designates instrumentation subject to design and qualification in accordance with less stringent guidelines and standards as compared to those which apply to Category 1 instrumentation; generally applies to principal instrumentation for monitoring system operating status.

Category 3 Designates instrumentation subject to design and qualification in accordance with the least stringent guidelines and standards, yet adequate to ensure that high-quality off-the-shelf instrumentation is used; applies to backup and diagnostic instrumentation, and may also apply when the state of the art will not support the recommended use of higher qualified instrumentation.

Chapter 07 7.5-8 Rev. 25, October 2022

NMP Unit 2 USAR The scheme of Category 1, Category 2, and Category 3 classifications provides a method of implementing a graded approach for RG 1.97 instrument design based on, and consistent with, the relative importance to safety of the measurement and display of the status of each particular variable.

The list of plant-specific variables for which post-accident monitoring instrumentation is to be provided at Unit 2 is shown in Table 7.5-2. This table also shows the associated type(s) and instrument category designated for each RG 1.97 variable.

General remarks applicable to Table 7.5-2 are as follows:

1. All of the variables listed in RG 1.97 Table 2 are included. Additional variables determined (on a plant-specific basis) to be relevant and important to assessing the safety status of the plant or environs during or following an accident are also included.
2. Variables are listed only once; if more than one type designation applies to a variable, then all of the applicable types are explicitly listed (in the "Type" column) with the associated instrument category (1, 2 or 3) identified for each of the type designations.
3. The variable type (i.e., A, B, C, D, E) and instrument category (i.e., 1, 2, 3) are specific to Unit 2.

Where the specified type or category differs from that recommended by RG 1.97, the difference is explicitly identified as a deviation and the basis for the difference is documented in an associated (referenced) note.

4. Detailed information regarding plant-specific features of instrument design and qualification is contained and maintained in data bases and various documents issued and controlled by the Nuclear Engineering and Licensing departments. Where the design or qualification of instrumentation for a variable differs from that recommended by RG 1.97, the difference is explicitly identified as a deviation and the basis for the difference is documented in an associated (referenced) note.
5. Notes identified within the table are located at the end of the table.

7.5.3 Testing Testing of the SRV position indication, RHR heat exchanger service water radiation monitor, refuel platform area radiation monitor and neutron flux (APRM, IRM, SRM) accident monitoring instrumentation will include a channel check and a channel Chapter 07 7.5-9 Rev. 25, October 2022

NMP Unit 2 USAR calibration in accordance with the Surveillance Frequency Control Program. Testing is applicable for Operational Conditions (OC) 1 and 2, except for the SRMs (OC 1) and the refuel platform area radiation monitor, which is required when handling fuel or components in the fuel pool or reactor cavity.

The acoustic monitor for each SRV shall be demonstrated operable, with the setpoint verified to be less than or equal to 0.25 of the full-open noise level by performance of:

1. A channel functional test in accordance with the Surveillance Frequency Control Program.
2. A channel calibration in accordance with the Surveillance Frequency Control Program.

This testing is applicable for OCs 1, 2 and 3.

Chapter 07 7.5-10 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 SAFETY-RELATED DISPLAY INSTRUMENTATION Number of System Parameter Type Readout Channels Range Nuclear boiler Reactor vessel pressure Recorder 2 0 - 1,500 psig Reactor vessel water level Recorder 2 -5 to 205" W.C.

RCIC RCIC flow Meter 1 0 - 800 gpm RCIC discharge pressure Meter 1 0 - 1,500 psig Emergency core cooling HPCS flow Meter 1 0 - 10,000 gpm HPCS discharge pressure Meter 1 0 - 1,500 psig LPCS flow Meter 1 0 - 10,000 gpm RHR flow (LPCI and shutdown cooling) Meter 3 0 - 10,000 gpm RHR service water flow Meter 2 0 - 10,000 gpm Primary containment atmosphere Drywell pressure (normal range) Indicator 2 +5 psig monitoring Recorder 1 +5 psig Drywell pressure (expanded range) Indicator 1 0 - 150 psig Recorder 1 0 - 150 psig Suppression chamber pressure Indicator 1 0 - 150 psig Recorder 1 0 - 150 psig Suppression chamber temperature Recorder 2 50 - 350°F Drywell temperature Recorder 4 50 - 350°F Suppression pool level (expanded Indicator 1 192 - 217' range) Recorder 1 192 - 217' Suppression pool level (normal Indicator 2 198 - 202' range)

Primary containment H2 concentration Indicator 1 0 - 30%

Recorder 1 0 - 30%

Drywell area highest temperature Indicator 2 50 - 350°F Drywell area lowest temperature Indicator 2 50 - 350°F Suppression chamber area highest Indicator 2 50 - 350°F temperature Chapter 07 7.5-11 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range Suppression chamber area lowest Indicator 2 50 - 350°F temperature Suppression pool water temperature Indicator 4 50°F - 250°F Recorder 4 50°F - 250°F Primary containment O2 concentration Indicator 1 0 - 10%

Recorder 1 0 - 10%

Inoperability Status lights 28 N/A Drywell isolation valves position Indicating lights 24 N/A Containment atmosphere monitoring Indicating lights 10 N/A sampling valve position Instrument isolation valves position Indicating lights 4 N/A Service Water SW pump suction pressure Indicator 6 0 - 20 psig SW pump discharge header pressure Indicator 2 0 - 100 psig SW discharge header temperature Indicator 2 35°F - 130°F SW pump discharge flow Indicator 6 0 - 12,000 gpm SW header flow to lake Indicator 2 0 - 35,000 gpm SW header to circulating water Indicator 2 0 - 25,000 gpm system flow SW valves position Indicating lights 29 N/A SW isolation valves position Indicating lights 9 N/A Low flow indication for SW header Status lights 2 N/A Inoperability Status lights 45 N/A SW pumps status Indicating lights 6 N/A Control building chiller condensing Indicating lights 2 N/A water pump status Intake shaft gate position Indicating lights 2 N/A Intake/screenwell level equalizer Indicating lights 2 N/A gate position Chapter 07 7.5-12 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range Intake tunnel bar rack heaters Indicating lights 4 N/A status Combustible gas control (DBA Inoperability Status lights 22 N/A hydrogen recombiners)

H2 recombiner inlet pressure Indicator 2 0 - 50 psia H2 recombiner through gas flow Indicator 2 0 - 200 scfm H2 recombiner cooling water valve Indicating lights 6 N/A position Blower inlet temperature Indicator 2 100°F - 400°F Heater wall temperature Indicator 2 500°F - 1800°F Reaction chamber shell temperature Indicator 2 500°F - 1800°F Return gas temperature Indicator 2 100°F - 400°F Reaction chamber temperature Indicator 2 75°F - 1800°F Reaction chamber inlet temperature Indicator 2 60°F - 300°F Heat gas temperature Indicator 2 500°F - 1800°F Heater outlet gas temperature Indicator 2 500°F - 1800°F H2 recombiner isolation valves Indicating lights 14 N/A position H2 recombiner reaction chamber white Indicating lights 6 N/A indicating lights for STARTUP, READY, and OPERATE status Standby gas treatment Reactor building differential Indicator 2 +3 in W. G.

pressure SGTS filter differential pressure Recorder 2 0 - 100%

SGTS filter train air flow Recorder 2 0 - 100%

SGTS filter train electric heater Indicator 2 0°F - 250°F inlet temperature Chapter 07 7.5-13 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range SGTS filter train electric heater Indicator 2 0°F - 250°F outlet temperature SGTS valves position Indicating lights 10 N/A Primary containment purge to SGTS Indicating lights 2 N/A isolation valve position Filter train fan status Indicating lights 2 N/A Inoperability Status lights 20 N/A Reactor building HVAC Reactor building HVAC isolation Indicating lights 6 N/A damper position Auxiliary filter damper position Indicating lights 1 N/A Reactor building HVAC ventilation Indicating lights 4 N/A dampers position Inoperability Status lights 16 N/A Emergency ventilation recirculation Indicating lights 2 N/A unit coolers status Unit coolers status Indicating lights 35 N/A SW to emergency vent unit cooler Indicating lights 2 N/A valve position Primary containment purge Purge isolation valves position Indicating lights 14 N/A Amber indication for primary Indicating lights 2 N/A containment manual isolation Control building HVAC Control building HVAC fan status Indicating lights 10 N/A Control building HVAC dampers Indicating lights 25 N/A position Outside air isolation valve position Indicating lights 2 N/A Air inlet isolations damper position Indicating lights 2 N/A Inoperability Status lights 56 N/A Chapter 07 7.5-14 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range Heater inlet air temperature Indicator 2 0°F - 100°F Heater outlet air temperature Indicator 2 5°F - 105°F Filter train outlet temperature Indicator 2 15°F - 115°F Control room A/C return air Indicator 2 50°F - 105°F temperature Special filter train flow Recorder 2 0 - 100%

Special filter train overall Recorder 2 0 - 100%

differential pressure Relay room A/C return air Indicator 2 50°F - 105°F temperature Control building HVAC unit coolers Indicating lights 11 N/A status Standby SWGR room area temperature Indicator 3 45°F - 120°F Unit cooler return air temperature Indicator 4 45°F - 120°F Control building chilled water Control building chilled water Indicating lights 2 N/A status circulating pump Control building chilled water Indicating lights 2 N/A compressor status Chiller-compressor auxiliary oil Indicating lights 2 N/A pump position Chilled water valves position Indicating lights 6 N/A Inoperability Status lights 10 N/A Standby power Emergency diesel generator current Meter 2 0 - 1,000 A ac Emergency diesel generator voltage Meter 2 0 - 5,250 V ac Emergency diesel generator power Meter 2 0 - 6 MW Emergency diesel generator reactive Meter 2 -4.5 to +4.5 Mvar power Chapter 07 7.5-15 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range Emergency diesel generator frequency Meter 2 55 - 65 Hz Emergency diesel generator rpm Meter 2 0 - 700 rpm Emergency diesel generator exciter Meter 2 0 - 125 V dc field volts Position of air circuit breakers Indicating lights 8 N/A Diesel generator control switch Indicating lights 2 N/A status Emergency diesel generator output Indicating lights 2 N/A breaker position Emergency diesel generator neutral Indicating lights 2 N/A breaker position Voltage regulator mode status Indicating lights 2 N/A Service water to emergency diesel Indicating lights 2 N/A generator cooler MOV position Inoperability Status lights 58 N/A HPCS power HPCS diesel generator current Ammeter 1 0 - 600 A HPCS diesel generator VARS Meter 1 0 - 4,200 KVAR HPCS diesel generator kW Meter 1 0 - 4,200 kW HPCS diesel generator rpm Meter 1 0 - 1,000 rpm HPCS 125-V dc bus voltage Voltmeter 1 0 - 150 V HPCS normal supply source current Ammeter 1 0 - 1,500 A HPCS emergency supply source current Ammeter 1 0 - 1,500 A HPCS auxiliary transformer current Ammeter 1 0 - 750 A HPCS diesel generator voltage Voltmeter 1 0 - 5.25 kV HPCS diesel generator frequency Meter 1 55 - 65 Hz Chapter 07 7.5-16 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range HPCS pump motor current Ammeter 1 0 - 600 A SW to diesel generator valve Indicating lights 4 N/A position inoperability Status lights 14 N/A Diesel generator building HVAC Ventilation exhaust fan position Indicating lights 6 N/A HVAC dampers position Indicating lights 18 N/A Inoperability Status lights 30 N/A Emergency diesel generator room Indicator 3 50°F - 150°F temperature Diesel generator control room unit Indicating lights 3 N/A cooler status Service water pump bays Pump bay unit cooler status Indicating lights 4 N/A ventilating Inoperability Status lights 8 N/A Spent fuel pool cooling System valves position (including Indicating lights 28 N/A SWP and CCP valves)

Filter header inlet isolation valves Indicating lights 2 N/A position Water circulating pumps status Indicating lights 2 N/A Inoperability Status lights 22 N/A Surge tank water temperature Indicator 2 30°F - 150°F Surge tank water level Indicator 2 0 - 20' Water heat exchanger outlet Indicator 2 30°F - 150°F temperature Pump suction pressure Indicator 2 0 - 50 psig Pump discharge pressure Indicator 2 0 - 300 psig Flow Indicator 2 0 - 3,000 gpm Radiation Monitoring Control room air intake radiation Indicator 4 10 10-1 uCi/cc Recorder 4 10 10-1 uCi/cc RHR heat exchanger service water Indicator 2 10 10-1 uCi/cc discharge radiation Recorder 2 10 10-1 uCi/cc Chapter 07 7.5-17 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range Service water effluent discharge Indicator 2 10 10-1 uCi/cc radiation Recorder 2 10 10-1 uCi/cc Drywell atmosphere train leakage - Indicator 2 10 10-1 uCi/cc gaseous radiation level Recorder 2 Drywell atmosphere train leakage - Indicator 2 10 10-5 uCi/cc particulate radiation level Recorder 2 Inside drywell primary containment Indicator 4 100 - 107 R/hr radiation Recorder 4 100 - 107 R/hr Radiation level above refueling Indicator 2 10 10-1 uCi/cc floor - gas Recorder 2 10 10-1 uCi/cc Radiation level below refueling Indicator 2 10 10-1 uCi/cc floor - gas Recorder 2 10 10-1 uCi/cc Channel failure inoperability Status lights 12 N/A Instrument, service and breathing ADS primary containment isolation Indicating lights 4 N/A air valve position Instrument air primary containment Indicating lights 8 N/A isolation valve position ADS header pressure Indicator 2 140 - 240 psig Inoperability Status lights 10 N/A Service air and breathing air manual Indicating lights 8 N/A isolation valves position Feedwater Feedwater block valves position Indicating lights 2 N/A Reactor building floor drains Floor drain containment isolation Indicating lights 4 N/A valves position Inoperability Status lights 6 N/A Chapter 07 7.5-18 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-1 (Cont'd.)

Number of System Parameter Type Readout Channels Range Reactor building equipment drains Reactor water drain isolation valve Indicating lights 1 N/A position Reactor water drain control valve Indicating lights 1 N/A position Drywell equipment drains isolation Indicating lights 4 N/A valve position Inoperability Status lights 6 N/A Main steam safety valves Safety/relief valve position Indicating lights 18 N/A Reactor water cleanup RWCU isolation valves position Indicating lights 2 N/A RWCU return valve position Indicating lights 1 N/A Inoperability Status lights 3 N/A Reactor plant component cooling RPCCW containment isolation valves Indicating lights 12 N/A water position Main steam MSIVs position Indicating lights 8 N/A Inoperability Status lights 9 N/A NOTES: 1. The number of channels indicated in this table applies to the number of times a particular parameter exists in the main control room on the identified type of readout.

2. A single channel of indicating lights typically consists of both a red and green light.

Chapter 07 7.5-19 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 CONFORMANCE TO REGULATORY GUIDE 1.97 (REVISION 3)

Variable Type Category Notes

1. Local Power Range Neutron Flux B - 1
2. Average Power Range Neutron Flux B - 1
3. Intermediate Range Neutron Flux B 3 2
4. Source Range Neutron Flux B 3 2
5. Control Rod Position B 3
6. Reactor Vessel Water Level A 1 3 B 1,3
7. Core Temperature - - 4
8. Reactor Vessel Pressure A 1 B 1 C 1
9. Drywell (Primary Containment) Pressure A 1 B 1 C 1 D 2
10. Suppression Chamber Airspace Pressure B 1
11. Drywell Drain Sumps Water Level B 3 5 C 3
12. Primary Containment Isolation Valve Position B 1 6,27
13. Radioactivity Concentration or Radiation Level in Circulating Primary - - 7 Coolant
14. Drywell Area High Range Radiation Level C 3 E 1
15. Suppression Pool Water Level C 1 8
16. Primary Containment Hydrogen Concentration A 1 30 C 1
17. Primary Containment Oxygen Concentration A 1 30 C 1 Chapter 07 7.5-21 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

Variable Type Category Notes

18. Containment Effluent Radioactivity; Main Steam Line Radiation Level C 2 9,10
19. Containment Effluent Radioactivity; Offgas System Pretreatment C 3 9,10,11 Radioactivity
20. Containment Effluent Radioactivity; Standby Gas Treatment System Effluent C 3 11 Radioactivity
21. Containment Effluent Radioactivity; Turbine Building Ventilation System C 3 10,11 Effluent Gaseous Radioactivity
22. Containment Effluent Radioactivity; Turbine Building Ventilation System C 3 10,11 Effluent Particulate Radioactivity
23. Reactor Building Effluent Radioactivity; Above Refuel Floor Ventilation C 2 12 Effluent Gaseous Radioactivity
24. Not Used - - -
25. Reactor Building Effluent Radioactivity; Below Refuel Floor Ventilation C 2 12 Effluent Gaseous Radioactivity
26. Not Used - - -
27. Main Feedwater Flow Rate D 3
28. Condensate Storage Tanks Water Level D 3 13
29. Suppression Chamber Spray Header Flow Rate D 2
30. Suppression Pool Water Level (Weir Wall) - - 14
31. Suppression Pool Bulk Average Water Temperature A 1 15 D 2
32. Drywell Bulk Average Air Temperature A 1 16 D 2
33. Suppression Chamber Air Temperature D 2
34. Drywell Spray Header Flow Rate D 2
35. Main Steam Line Isolation Valve Leakage Control System Pressure - - 17
36. Primary System Safety/Relief Valve Position D 3 29 Chapter 07 7.5-22 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

Variable Type Category Notes

37. Primary System Safety/Relief Valve Automatic Depressurization System D 2 Instrument Air Header Pressure
38. Primary System Safety/Relief Valve Automatic Depressurization System D 2 Instrument Air Accumulator Tank Pressure
39. Isolation Condenser Shell Side Water Level - - 18
40. Isolation Condenser Valve Position - - 18
41. Reactor Core Isolation Cooling System Flow Rate (to reactor vessel) D 2
42. High-Pressure Core Spray System Flow Rate (to reactor vessel) D 2
43. Low-Pressure Core Spray System Flow Rate (to reactor vessel) D 2
44. Low-Pressure Coolant Injection (Residual Heat Removal) System Flow Rate D 2 (to reactor vessel)
45. Standby Liquid Control System Flow Rate (to reactor vessel) D 2
46. Standby Liquid Control System Storage Tank Liquid Level D 2
47. Residual Heat Removal System Heat Exchanger Outlet Temperature (Primary D 2 19 Coolant)
48. Residual Heat Removal System Heat Exchanger Bypass Valves Position D 2 20
49. Residual Heat Removal System Heat Exchanger Service Water Inlet D 2 21 Temperature
50. Residual Heat Removal System Heat Exchanger Service Water Flow Rate D 2
51. Service Water Flow Rate from Emergency Diesel Generators D 2
52. High Radioactivity Liquid Tank Level D 3
53. Reactor Building Emergency Ventilation System Damper Position D 2
54. Status of Standby Electrical Power Sources D 2
55. Radiation Level in Secondary Containment Areas - - 22
56. Radiation Level in Vital Areas E 3 23
57. Plant Effluent Radioactivity; Main Stack Discharge Noble Gas Radioactivity E 2
58. Plant Effluent Radioactivity; Main Stack Discharge Particulate Sampling E 3 (Radioactivity)

Chapter 07 7.5-23 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

Variable Type Category Notes

59. Plant Effluent Radioactivity; Main Stack Discharge Iodine Sampling E 3 (Radioactivity)
60. Plant Effluent Radioactivity; Main Stack Discharge Flow Rate E 2
61. Plant Effluent Radioactivity; Reactor/Radwaste Building Ventilation E 2 Exhaust Noble Gas Radioactivity
62. Plant Effluent Radioactivity; Reactor/Radwaste Building Ventilation E 3 Exhaust Particulate Sampling (Radioactivity)
63. Plant Effluent Radioactivity; Reactor/Radwaste Building Ventilation E 3 Exhaust Iodine Sampling (Radioactivity)
64. Plant Effluent Radioactivity; Reactor/Radwaste Building Ventilation E 2 Exhaust Flow Rate
65. Plant and Environs Radiation and Radioactivity (portable monitoring E 3 24 instruments)
66. Meteorology; Wind Speed E 3
67. Meteorology; Wind Direction E 3
68. Meteorology; Estimation of Atmospheric Stability E 3
69. Post-accident Sampling of Primary Coolant and Sump; Boron Concentration B 3 25,28 E 3
70. Post-accident Sampling of Primary Coolant and Sump; Chloride Concentration E 3 25,28
71. Post-accident Sampling of Primary Coolant and Sump; pH E 3 25,28
72. Post-accident Sampling of Primary Coolant and Sump; Gamma Spectral C 3 25,28 Analysis (Isotopic) E 3
73. Post-accident Sampling of Primary Coolant and Sump; Total Dissolved Gas E 3 25,26,28
74. Post-accident Sampling of Primary Coolant and Sump; Dissolved Hydrogen E 3 25,26,28
75. Post-accident Sampling of Primary Coolant and Sump; Dissolved Oxygen E 3 25,26,28
76. Post-accident Sampling of Primary Containment Atmosphere; Hydrogen E 3 28
77. Post-accident Sampling of Primary Containment Atmosphere; Oxygen E 3 28 Chapter 07 7.5-24 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

Variable Type Category Notes

78. Post-accident Sampling of Primary Containment Atmosphere; Isotopic (Gamma E 3 28 Spectrum) Analysis NOTES:
1. Power range neutron flux instrument design and qualification criteria specified in BWROG and GE report NEDO-31558-A (Reference 1) apply in lieu of the Category 1 criteria recommended by RG 1.97.
2. Neutron flux level below the APRM range is not a key variable for accomplishing mitigative actions for any DBA or transient (including those anticipated operational occurrences required to be considered in the implementation of the ATWS Rule (10CFR50.62)); required Operator actions specified in the plant EOPs for such events can be accomplished without reliance on reactor power information below the APRM range. On this basis, the designation of Category 3 instrumentation (in lieu of Category 1 instrumentation as recommended by RG 1.97) is appropriate for monitoring intermediate range and source range neutron flux.
3. Reactor vessel water level instrument (indicator) scale "zero reference" is 380.7 in above the inside invert of the reactor vessel bottom head. The TAF is at approximately -14 in (indicated value); the bottom of active fuel, immediately above the core support plate, is at approximately -164 in (indicated value); the centerline of the main steam lines is at 267.3 in (indicated value). The utilization of Category 3 (in lieu of Category 1) instrumentation to monitor the range of reactor vessel water level between 205 in (top end of Wide Range instrumentation) and the centerline of the main steam lines (indicated value of approximately 267 in) was specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2),

judged to be acceptable.

4. Monitoring of this variable (i.e., installation of BWR in-core thermocouples) is not required pending the further development and NRC consideration of BWR in-core thermocouples as a design requirement (

Reference:

Section 6.1.b of Supplement 1 to NUREG-0737).

5. Deviates from the Category 1 designation recommended by RG 1.97. The designation of Category 3 instrumentation (rather than Category 1) for this variable was specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.
6. Per the variable definition documented in RG 1.97, check valves are excluded. Also excluded are those SRVs for which no manual operating capability is provided. Also excluded are motor operated valves with their power supply breaker open during normal plant operation to prevent their spurious operation during and following an Appendix R fire event. TIP system ball valve and shear valve position indication instrumentation deviates from Category 1 design criteria recommended by RG 1.97; the nonconformances with the Category 1 design criteria specified in RG 1.97 were specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.
7. Direct monitoring of this variable is not implemented at Unit 2. Per RG 1.97, the purpose for monitoring this variable is stated to be detection of a breach in fuel cladding (i.e., detection of fuel cladding failure). Alternate variables, which provide more useful information to accomplish this detection function, are monitored; these variables are (a) "Post-Accident Sampling of Primary Coolant," (b) "Off-Gas Pretreatment Radioactivity," (c) "Main Steam Line Radiation Level," (d) "Primary Containment (Drywell) Area High Range Radiation Level," and (e) "Primary Containment Hydrogen Concentration." Refer to the associated entries in Table 7.5-2 (items 72, 19, 18, 14 and 16, respectively) for information for each of these variables. The substitution of (monitoring) the identified alternate variables was specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.

Chapter 07 7.5-25 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

NOTES: (cont'd.)

8. The bottom of the monitored range is higher than that recommended by RG 1.97. RG 1.97 recommends providing indication down to the location of the lowest ECCS pump suction line; for Unit 2, this would be 188 ft 2 in, the location of the top of the suction strainer for the LPCS pump. Elevation 192 ft (the bottom of the monitored range for suppression pool water level at Unit 2) corresponds to the elevation 2 ft above the bottom of the downcomers. At suppression pool water levels below the downcomer openings, the pressure suppression function of the primary containment is no longer assured. This association between downcomer submergence and the accomplishment of the primary containment's pressure suppression function is one of the bases for the construction of the heat capacity temperature limit (showing the heat capacity of the suppression pool as a function of water level) and pressure suppression curves in the plant EOPs. Accordingly, when this low suppression pool water level condition occurs, the associated mitigative action directed in the EOP for control of primary containment conditions is to rapidly and completely depressurize the reactor vessel by opening all of the ADS SRVs. No further (additional) actions are specified in the EOPs for suppression pool water levels below 192 ft (except for authorizing operation of ECCS and RCIC pumps irrespective of their NPSH and vortex limits, under certain degraded conditions). Since, per RG 1.97, accomplishment of mitigation is the principal purpose stated for monitoring this variable, implementing 192 ft as the bottom of the monitored range is sufficient to accomplish the associated objective.
9. Implemented as an alternative to the direct monitoring of "Radioactivity Concentration or Radiation Level in Circulating Primary Coolant" (refer to Note 7, above).
10. Implementation as a RG 1.97 parameter at Unit 2 is based on providing containment radioactivity information explicitly required by the EOP for control of radioactive releases which might occur via leakage past the MSIVs.
11. Discharges to the environment via the main stack; refer to Table 7.5-2 entries for "Main Stack Effluent Radioactivity and Flow Rate" (items 57 and 60, respectively).
12. Discharges to the environment via the reactor/radwaste building vent; refer to Table 7.5-2 entries for "Reactor/Radwaste Building Ventilation Exhaust Radioactivity and Flow Rate" (items 61 and 64, respectively).
13. The bottom of the monitored range (5.3 ft above the bottom of the tanks) is higher than that recommended by RG 1.97. This deviation from RG 1.97 has been evaluated and judged to be acceptable based on the following combination of relevant factors:

(1) All tank inlet and outlet nozzles, other than the nozzle for the RCIC pump suction line (from tank 1A) and the nozzle for the HPCS pump suction line (from tank 1B), are located above the bottom of the monitored range; (2) Low water level in the tanks is alarmed in the control room; (3) All automatic actions initiated directly by a low tank water level condition occur above the bottom of the monitored range; (4) RCIC and HPCS pump suction automatic transfer (from the CST to the suppression pool) actuates upon receipt of a low pump suction pressure signal rather than a low CST water level signal.

14. Monitoring this variable applies only to those plants which have a Mark III containment. Unit 2 has a Mark II containment and, therefore, this parameter does not apply to Unit 2.
15. The bottom of the monitored range is higher, by 10°F, than that recommended by RG 1.97. This deviation from the recommended range was specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.

Chapter 07 7.5-26 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

NOTES: (cont'd.)

16. Deviates from the monitoring range recommended by RG 1.97.
a. The bottom of the monitored range is higher, by 10°F, than that recommended by RG 1.97. Relative to the full span of the monitored range, this difference is small and of no significance for monitoring of this variable under post-accident conditions.
b. The top of the monitored range is lower, by 90°F, than that recommended by RG 1.97. Drywell design temperature is 340°F and, per analysis results documented in Section 6.2 (Table 6.2-4), drywell temperature will not increase above 340°F for the worst-case postulated LOCA. Also, the 350°F top end of the monitored range is appropriately reflected in the Operator actions specified in the Unit 2 EOPs. Based on these factors, the 350°F value for the top of the monitored range for drywell temperature is acceptable.
17. Unit 2 has no MSIV leakage control system; therefore, this parameter does not apply to Unit 2.
18. Unit 2 has no isolation condenser; therefore, this parameter does not apply to Unit 2.
19. RG 1.97 recommends that Category 2 instrumentation meet environmental qualification (EQ) program requirements. The EQ status of the equipment for monitoring this parameter deviates from that recommended by RG 1.97. This deviation regarding EQ status was specifically reviewed by the NRC and, per documentation in Supplement 5 of NUREG-1047 (Reference 2), judged to be acceptable.
20. Implemented as supplemental RG 1.97 instrumentation required for monitoring RHR system (heat exchanger) performance; see Supplement 5 of NUREG-1047 (Reference 2).
21. Instrument range deviates from that recommended by RG 1.97. This instrument range deviation was specifically reviewed by the NRC and, per documentation in Supplement 5 of NUREG-1047 (Reference 2), judged to be acceptable.
22. Monitoring of this variable (as specifically regards RG 1.97 instrumentation) is not implemented at Unit 2. The use of main stack discharge (effluent) radiation monitoring instrumentation and reactor/radwaste building vent discharge (effluent) radiation monitoring instrumentation is more appropriate (and fully sufficient) for accomplishing the functions that are identified in RG 1.97 as the basis for monitoring this variable (specifically: detection of releases, release assessment and long-term surveillance). The use of the identified alternate instrumentation (in lieu of monitoring secondary containment area radiation) was specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.
23. The top of the monitored range for some area radiation monitors is below that recommended by RG 1.97. If the radiation level in the area reaches or exceeds the upper limit of the instrument range, personnel would not be permitted into the area without portable monitoring (except for lifesaving). This approach for monitoring this variable was specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.
24. Monitoring of this variable is accomplished by the use of two types of portable instruments: ion chamber detector (for low-level gamma and beta radiation), and Geiger-Mueller Teletector type detector (for high-level gamma radiation). Although the upper end of the monitoring range for some of these instruments is lower than that recommended by RG 1.97, these deviations were specifically reviewed by the NRC and, per documentation in Appendix M of NUREG-1047 (Reference 2), judged to be acceptable.

Chapter 07 7.5-27 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.5-2 (Cont'd.)

NOTES: (cont'd.)

25. The acceptability of the capability to take samples from the suppression pool (via the RHR system) in lieu of obtaining a sample from the drywell sump is documented in NRC letter (from Mr. William V. Johnston) to GE (Mr. Glenn G. Sherwood), dated July 17, 1984.
26. Upper limit of analysis capability does not meet the range recommended by RG 1.97. NRC review and acceptance of the 400 cc/kg upper limit analysis capability is documented in NRC letter (from Mr. William V. Johnston) to GE (Mr. Glenn G. Sherwood), dated July 17, 1984.
27. Deviates from recommendation in RG 1.97 (Revision 3) Part C, "Regulatory Position," Table 1, "Design and Qualification Criteria for Instrumentation," Item 8, "Equipment Identification," which states that Types A, B, and C instruments designated as Categories 1 and 2 should be specifically identified with a common designation to discern intended usage under accident conditions. Primary containment isolation valve position indications (red and green indicating lights) are designated Type B, Category 1 but will not be specifically marked (with red trim plates) due to the negative impact such marking would effect on plant Operators. There are in excess of 175 isolation valves with indicating lights on various control room panels and marking such would, in effect, significantly lessen the visual impact of the marking of other RG 1.97 instruments. Additionally, the SPDS is available for assessing the safety status of the plant for all plant operating conditions. Note: Operational status assessments for SPDS are not applicable during cold shutdowns. Two SPDS stations are located in the control room for Operators' use for verification of valve group status. Therefore, based on the above evaluation, this deviation from the recommendation of specific marking has been determined by Engineering to be acceptable.
28. As documented in License Amendment No. 106 (NRC letter from P. S. Tam to J. T. Conway dated August 9, 2002), the requirements to have and maintain a post-accident sampling system were eliminated. The justification was provided in NEDO-32991-A (Reference 3).
29. The main steam SRVs acoustic position indication system has been downgraded from RG 1.97 Category 2 to Category 3 in accordance with BWROG LTR NEDO-33160-A, Rev. 1 (Reference 4).
30. As per NRC revision of 10CFR50.44, which eliminated the design basis LOCA hydrogen release, along with NRC-approved License Amendment 124, which removed the hydrogen and oxygen monitor requirements from Technical Specifications, the hydrogen monitors and oxygen monitors are no longer required to provide mitigation of a DBA LOCA. The hydrogen and oxygen monitors are, however, required to diagnose the course of beyond DBAs and a regulatory commitment has been made to maintain the monitors in Section 3.3.3.1.1 of the Technical Requirements Manual.

REFERENCES:

1. General Electric Company Report NEDO-31558-A, "Position on NRC Regulatory Guide 1.97, Revision 3, Requirement for Post-Accident Neutron Monitoring System," March 1993.
2. NUREG-1047, "Safety Evaluation Report Related to the Operation of Nine Mile Point Nuclear Station, Unit 2," February 1985; Appendix M of Supplement 4 thereto, September 1986; Supplement 5 thereto, October 1986.
3. BWROG Licensing Topical Report NEDO-32991-A, "Regulatory Relaxation for BWR Post-Accident Sampling Stations (PASS)," dated August 2001.
4. BWROG Licensing Topical Report NEDO-33160-A, Rev. 1, "Regulatory Relaxation for the Post-Accident SRV Position Indication System."

Chapter 07 7.5-28 Rev. 25, October 2022

NMP Unit 2 USAR 7.6 ALL OTHER INSTRUMENTATION SYSTEMS REQUIRED FOR SAFETY 7.6.1 Description This section describes the instrumentation and control systems required for safety that are not discussed in other sections of this chapter. These systems are:

1. PRMS system.
2. High-pressure/low-pressure interlocks.
3. LDS system.
4. NMS system.
5. RPT system.
6. SRVs - relief function.
7. SFC system.
8. RRCS system.

The sources that supply power to the safety-related systems described in this section originate from onsite ac and/or dc safety-related buses or, as in the case of the fail-safe logic NMS and portions of the LDS, from the nonsafety-related RPS motor generator (MG) sets, and nonsafety-related UPS system.

Refer to Chapter 8 for a complete description of the safety-related systems power sources.

7.6.1.1 Process Radiation Monitoring System - Instrumentation and Controls The following safety-related portions of the PRMS system that perform a control or alarm function are described in the referenced sections:

1. Main steam line radiation monitoring (11.5.2).
2. Reactor building ventilation above/below refueling floor (7.3.1.1.7, 9.4.2, and 11.5.2).
3. Main control room air intakes (7.3.1.1.10, 9.4.1, and 11.5.2).
4. Containment and drywell atmosphere (6.2.1.7 and 11.5.2).
5. RHR heat exchangers service water discharge (6.3.1, 9.2.1, and 11.5.2).

Chapter 07 7.6-1 Rev. 25, October 2022

NMP Unit 2 USAR

6. Service water discharge to Lake Ontario (9.2.5 and 11.5.2).
7. Liquid waste discharge (11.2 and 11.5.2).

For conformance to RG 1.53, see Sections 7.2.2.3 and 7.3.2.1.3.

7.6.1.2 High-Pressure/Low-Pressure Interlocks - Instrumentation and Controls System Function Instrumentation and controls are provided to prevent overpressurization of low pressure systems that interface with the RCPB.

System Operation The schematic arrangement of mechanical equipment for the systems involved is shown on Figures 5.4-13 and 6.3-7a.

Component control logic for the systems involved is shown on Figure 7.3-5 and 7.3-6. Electrical schematics are identified in Section 1.7. Instrument specifications are listed in Table 7.6-1 and Technical Specifications.

The RHR shutdown cooling supply valves, E12-F008 and E12-F009, have independent absolute pressure interlocks to prevent a valve opening when the primary system pressure is above the subsystem design pressure. These valves also receive a signal to close when reactor pressure is above system pressure. Each valve control circuit requires two reactor low-pressure permissive signals to open. Therefore, four-out-of-four logic is required to open the shutdown cooling suction line. Removal of the signal (one-out-of-four logic) isolates the line. The pressure permissive components rely on transmitter trip-unit combinations which are testable from the control room. Reactor pressure instrumentation used by the Operator to initiate shutdown cooling is independent of the interlocks. Procedural controls ensure that the manually-initiated shutdown cooling mode is not started until the reactor pressure is low. Valve position indication for these valves is provided in the control room.

In the RHR shutdown cooling return line, testable check valves E12-F050A and B are in series with MOVs E12-F053A and B. Two low reactor pressure permissive signals (two-out-of-two logic) are required for MOVs F053 to open. Removal of either of the permissive signals whenever the primary system pressure exceeds subsystem design pressure will close MOVs F053 (one-out-of-two logic), isolating the line. Valve position indication for these valves is provided in the control room.

In the RHR head spray line, check valves E51-F065 and E51-F066 are in series with MOV E12-F023. Two low reactor pressure Chapter 07 7.6-2 Rev. 25, October 2022

NMP Unit 2 USAR permissive signals (two-out-of-two logic) are required for MOV F023 to open. Removal of either signal will close the valve (one-out-of-two logic). Valve position indication for E51-F065 and E12-F023 is provided in the control room, with the following exception for E12-F023.

Position indication for E12-F023 is only available when the valve is energized. During normal plant operation, the power supply breaker to this valve is locked open and administratively controlled to prevent its spurious operation during and following an Appendix R fire event.

Because LPCI injection valves E12-F042A, B, and C are part of the ECCS, only a LOCA signal and low differential pressure permissive signal are provided to open valves F042 as is required. Testable check valves E12-F041A, B, and C are downstream of valves F042.

LPCS injection valve E21-F005 is part of the ECCS and includes only a LOCA signal and a low differential pressure permissive signal to open as is required. Testable check valve E21-F006 is downstream of valve F005.

For conformance to RG 1.53, see Section 7.3.2.1.3.

7.6.1.3 Leak Detection System - Instrumentation and Controls The safety-related portions of the LDS are as follows:

1. Main steam line leak detection (7.3.1).
2. RCIC system leak detection.
3. RHR system leak detection (7.3.1).
4. RWCU leak detection (7.3.1).
5. LPCS, RHR-A, -B, -C, RCIC, HPCS pump cubicles, and reactor building general area (el 175 ft) leak detection - floor water level (9.3.3.3).

System Function The safety-related portion of the LDS instrumentation and controls is designed to monitor reactor coolant leakage from systems external to the containment and initiate alarms and/or isolation when predetermined limits are exceeded.

System Operation A description of system design and operation is provided in Section 5.2.5. Schematic arrangements of system mechanical equipment and Operator information displays are shown on Figure Chapter 07 7.6-3 Rev. 25, October 2022

NMP Unit 2 USAR 7.6-1. LDS component control logic is shown on Figures 7.3-4, 7.4-1, 7.3-6 and 7.3-7. Instrument specifications are listed in Table 7.6-3. Plant layout drawings and electrical schematics are identified in Section 1.7. For conformance to RG 1.53, see Section 7.3.2.1.3.

7.6.1.4 Neutron Monitoring System - Instrumentation and Controls The safety-related subsystems of the NMS, the IRM, and the APRM/oscillation power range monitor (OPRM) including the LPRMs, are discussed in this section. See Section 7.7 for discussions of the nonsafety-related portions of the NMS. The safety-related NMS instrumentation and controls are designed to monitor reactor power (neutron flux), and to trip the RPS when predetermined limits are reached. The NMS also provides the Operator with real-time information about the core power level and flux distribution both during normal operation and during and after accident conditions. The scram trip functions are discussed in Section 7.2.1.2.1.

7.6.1.4.1 Intermediate Range Monitor Subsystem The IRM monitors neutron flux from the upper portion of the SRM range to the lower portion of the power range is shown on Figure 7.6-2. Eight IRM detectors feed flux level signals to eight channels of instrumentation (Figure 7.6-3). Each detector can be moved vertically in the reactor core; normally it is fully inserted during startup and normal shutdown and withdrawn after the reactor mode switch is placed in RUN (Figure 7.6-4). The mode switch is placed in RUN when the APRMs are on scale (4 to 12 percent power) assuring IRM/APRM overlap and continuity of flux monitoring.

One manual selector switch in the control room is assigned to each of two groups for four IRM channels. Each selector switch permits bypassing of only one IRM channel at a time in each of the two RPS trip systems. Procedural controls regulate the bypass of a selected IRM channel. Each bypassed IRM channel is indicated by a light in the control room.

If one channel were bypassed and another channel in the same trip system group were failed, six IRM channels would remain operable. The remaining two channels of the first group and the four channels of the second group can provide the necessary inputs for a reactor scram.

If one channel from each selector switch were bypassed and a second channel in one group were failed, five IRM channels would remain operable. The three operable channels of one group and the two operable channels of the second group can provide the necessary inputs for a reactor scram.

Each IRM detector is a miniature fission chamber attached to an insulated transmission cable. The detector cable is connected Chapter 07 7.6-4 Rev. 25, October 2022

NMP Unit 2 USAR underneath the reactor vessel to a second cable which carries the signal to a preamplifier (Figure 7.6-4). IRM preamplification is selected by a range switch located in the control room. It provides 10 ranges of increasing attenuation as the neutron flux in the reactor core increases, keeping the input signal to the IRM signal conditioning equipment in the same range. The signal conditioning equipment electronically converts the detector signal into a signal proportional to the neutron flux at the detector and provides gamma discrimination.

The output signal is amplified and supplied to a locally-mounted meter, and to a remote recorder located on the main control panel. The IRM neutron flux signal is also applied to trip units where IRM downscale, inoperable, upscale alarm, and upscale scram trips are generated for use in the RPS or reactor manual control system (RMCS) (Figure 7.6-6). Table 7.6-4 lists the IRM instrument trip function and specifications. Refer to Technical Specifications. The IRM range switches must be upranged or downranged to follow increases and decreases in power within the range of the IRM to prevent either a scram or a rod block. The IRM detectors should be inserted into the core whenever these channels are needed, and withdrawn from the core, when permitted, to prevent unnecessary burnup.

7.6.1.4.2 Local Power Range Monitors The LPRMs provide localized neutron flux detection over the full power range for input to the APRM. The LPRMs are mounted in strings of four with 43 strings for a total of 172 detectors, distributed throughout the core as shown on Figure 7.6-3. The detector at the bottom of each string (the A level detector) is located approximately 18 in above the bottom of the core. Each succeedingly higher level detector (B, C, and D) is 36 in above the one below (Figures 7.6-3 and 7.6-7). This places the D level detectors in all strings approximately 18 in below the top of the core. In this manner flux is monitored throughout the volume of the core. Radially the LPRM detector strings are placed in such a way that every location or its symmetrical counterpart in another quadrant is monitored. The LPRM detector position is not adjustable.

The loss of one or several LPRM detectors will not adversely affect the operation of the safety-related APRM they supply input to. Each individual chamber of the assembly is a moisture-proof, pressure-sealed unit. They are designed to operate throughout the normal and transient pressures and temperatures encountered within the reactor vessel. Their wiring, cables, and connectors located within the drywell are designed for continuous duty in the drywell environment.

The current signals from the LPRM detectors are transmitted to APRM/LPRM NUMAC chassis in the control room. The APRM/LPRM NUMAC chassis convert the current signals from the LPRM detectors to digital signals for processing.

Chapter 07 7.6-5 Rev. 25, October 2022

NMP Unit 2 USAR Power for the LPRMs is supplied by the two redundant power supplies in each APRM/LPRM chassis.

The trip circuits for the LPRM provide trip signals to activate lights and annunciators. Table 7.6-5 lists the LPRM instrument specifications. There are no safety-related LPRM trips.

Each LPRM may be individually bypassed via a switch on the APRM/LPRM NUMAC chassis. Placing a LPRM in BYPASS sends a signal to the assigned APRM, electronically causing it to adjust its averaging amplifier's gain to allow for one less LPRM input.

In this way, each APRM can continue to produce an accurate signal representing average core power even if some of the assigned LPRMs become inoperable during operation. If the number of functional assigned LPRMs drops below the minimum allowed or the minimum number at each level (A, B, C, and D) in the core is not maintained, the APRM automatically initiates a rod block and alarm.

In addition to the signals supplied to the APRMs, the LPRM flux signals are provided to the rod block monitor (RBM). When a central control rod is selected for movement, the output signals from the nearest 16 LPRM detectors are displayed on reactor control panel meters. The four LPRM detector signals from each of the four LPRM assemblies are displayed on 16 separate meters.

The Operator can readily obtain readings from all the LPRM detectors by selecting the control rods in order. Select signals from the four LPRM strings (16 detectors) surrounding the selected rod are used in the RBM to provide protection against local fuel overpower conditions. See Section 7.7.1.1.1 for a discussion of the RBM.

The LPRM strings are located inside the vessel, each string enclosed in an in-core assembly consisting of a metal instrument tube containing the LPRMs, their associated cable, and a dry interior traversing in-core probe (TIP) tube. The metal instrument tube is penetrated by small holes that allow circulation of the reactor coolant water to cool the LPRM fission chambers.

7.6.1.4.3 Average Power Range Monitor Subsystem The APRM monitors neutron flux from approximately 1 percent to above 100 percent power. There are four channels of APRM, each receiving core flux level signals from 43 LPRM fission detectors. Each APRM averages the separate flux signals from the LPRMs assigned to it, and generates a signal representing core average power. This signal is used to drive a local display, and a remote recorder located on the main control panel. Each of the four APRM channels compares the core average power to preset trip levels or criteria to generate APRM downscale, inoperable, upscale alarm, and upscale scram trip signals for use in the RPS or RMCS. The RMCS signals are provided directly while the RPS signals are sent to four two-out-of-four voter Chapter 07 7.6-6 Rev. 25, October 2022

NMP Unit 2 USAR channels which pass them on to the RPS only if two APRM channels indicate a trip. Refer to Technical Specifications.

The APRMs also provide downscale, INOP, or bypass signals to the RRCS permissive logic for the following functions:

1. Trip low-frequency motor generator (LFMG) circuit (RPT) in recirculation system.
2. Start feedwater runback.
3. Initiate SLCS.
4. Isolate RWCU system.

APRM "not downscale" or INOP signals provide the permissive.

APRM channel bypass prevents permissive signals from being sent.

The RRCS is discussed in Section 7.6.1.8.

Section 7.2.1.1 describes the APRM inputs to the RPS, and Figure 7.6-8 shows the RPS trip circuit input arrangement. APRM instrument specifications are summarized in Table 7.6-6. The APRM trip logic is set for a scram trip at 15 percent core power in the REFUEL, SHUTDOWN and STARTUP modes. When the mode switch is in RUN, in addition to the fixed APRM scram trip, there is also a simulated thermal power APRM scram trip that varies with recirculation flow. This provides a power-following scram setpoint. As power increases, the scram trip setpoint also increases up to a fixed setpoint above 100 percent. See Figure 7.6-8 for the APRM circuit arrangement of the RPS input.

A manual bypass selector switch, located in the control room, permits bypassing of only one APRM at a time. Procedural controls regulate the bypass of a selected APRM. A bypassed APRM is indicated by a light in the control room. Bypass of APRM two-out-of-four voter channels is not permitted.

The worst single-failure scenario would include the bypass of one APRM channel and the failure of an additional APRM channel.

Two APRM channels and three two-out-of-four voter channels would remain operable and can provide the necessary inputs for a reactor scram prior to damaging fuel.

An APRM INOP condition results when there is a loss of power to the APRM chassis, the firmware/software watchdog timer has timed out, the APRM key switch is taken out of OPER (Operate), or a critical self-test fault is detected. An INOP trip causes a half-trip in the two-out-of-four voter channels, a rod block, and annunciation.

The APRM channels receive power from two 120-V ac UPS systems.

Each APRM channel is powered redundantly from the two 120-V ac UPS systems. The RPS trip outputs from the two-out-of-four Chapter 07 7.6-7 Rev. 25, October 2022

NMP Unit 2 USAR voter channels are powered from the same bus used for its associated RPS trip system.

In compliance with NRC Generic Letter 94-02, the neutron monitoring system at Unit 2 was replaced with a GE nuclear measurement analysis and control (NUMAC) power range neutron monitoring (PRNM) system that incorporates an OPRM function into the APRMs. The original Option III OPRM has been upgraded to the Detector and Suppress Solution-Confirmation Density (DSS-CD). The OPRM monitors LPRM detector signals to detect thermal-hydraulic instabilities in the reactor core and generate an automatic suppression signal to terminate the instability if the oscillations exceed predefined levels. The OPRM system consists of four redundant and separate channels that are incorporated into the NUMAC APRM chassis. Each OPRM channel monitors for oscillations using four different algorithms. These algorithms are the Confirmation Density Algorithm (CDA) and the three Defence-in-Depth Algorithms (DIDA);.period based detection algorithm (PBDA), the amplitude based algorithm (ABA), and the growth rate based algorithsm (GRBA). Automatic protection is actuated if any of the four algorithms meet their trip conditions. However, only the CDA is used to demonstrate protection of the minimum critical power ratio (MCPR) safety limit for anticipated reactor instabilities. The other three algorithms are included as defence-in-depth features.

An OPRM channel only processes LPRM detector data and total recirculation flow data associated with the APRM channel in which the OPRM is located. Manual bypass of an APRM channel also causes a bypass of the corresponding OPRM channel.

The OPRM monitors for thermal-hydraulic instabilities by monitoring LPRM detector signals since the pressure and flow perturbations that occur during these instabilities cause localized oscillation of the LPRM detector signals. The non-bypassed LPRM detector signals received by an OPRM channel are grouped into "cells" and a cell reference value is calculated.

The OPRM includes a period based algorithm (PBA) that monitors the peaks and valleys of each cells relative signal that occur with oscillatory behavior. The frequency of the oscillation is determined by measuring the time between the peaks and the valleys. Oscillations with frequency outside the range of interst are ignored by the algorithm. If the period of the cell relative signal is consistant with the frequency range of interest, the confirmation count for that cell is incremented from zero and the period is storedas the base period. The confirmation count is incremented until the period of the cells relative signal at a peak or valley is not consistant with the frequency range of interest, and the confirmation count and base period for that cell are reset to zero. The confirmation count of each cell is provided to the CDA and PBDA.

Chapter 07 7.6-8 Rev. 25, October 2022

NMP Unit 2 USAR The CDA determines the Confirmation Density (CD). The CD is the number of operable cells whose confirmation count meets or exceeds the CDA confirmation count setpoint. The OPRM generates a CDA trip signal when the OPRM trip is enabled, the CD is greater than a pre-set value, and the relative value of one of the cells included in the confirmation density exceeds the amplitude discriminator setpoint.

The PBDA monitors the cell relative signal amplitude and cell confirmation count. The OPRM generates a PBDA trip signal when the OPRM trip is enabled and the cells confirmation count and relative amplitude exceed their setpoints.

The ABA monitors the cell relative signal amplitude. The OPRM generates an ABA trip signal when the OPRM trip is enabled and the cells relative amplitude exceeds its setpoint.

The GRBA monitors the cell relative signal amplitude. The OPRM generates a GRBA trip signal when the OPRM trip is enabled and the cells relative amplitude growth rate exceeds its setpoint.

The OPRM upscale trip and oscillation alarms are enabled only when the reactor core flow as measured by recirculation flow is below approximately 75 percent and the reactor power is above approximately 23 percent. An alarm is generated to alert the Operators when the OPRM trip is enabled.

The OPRM provides an alarm and an upscale trip. In addition, an OPRM INOP alarm is generated to alert the Operator of any event that compromises the operability of the OPRM channel. The upscale trip is sent to the safety-related section of the 2/4 logic module and the other signals are sent to the nonsafety-related section.

In the event the OPRM function is declared inoperable, Technical Specifications require a Manual Backup Stability Protection (BSP) be implemented immediately. The Manual BSP Regions are procedurally established and require specific manual operator actions if certain predefined operational conditions occur. In addition, an Automatic Backup Stability Protection is required to be implemented within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of OPRM inoperability. The Auotmatic BSP modifies the APRM Simulated Thermal Power-High scram setpoint and prevents entry into the region of the power and flow-operating map that is susceptible to reactor instability. The BSP is enabled via soft keys on the APRM chassis.

Similar to the APRM upscale trip, the OPRM upscale trip is voted in a two-out-of-four logic within the 2/4 logic module. The APRM trip and the OPRM trip are voted independently such that an APRM trip in one channel and a concurrent OPRM trip in another channel will not produce a reactor scram.

Chapter 07 7.6-9 Rev. 25, October 2022

NMP Unit 2 USAR Figure 7.6-8 shows the RPS trip circuit input arrangement. The OPRM function specifications are summarized in Table 7.6-6.

7.6.1.5 Recirculation Pump Trip System - Instrumentation and Controls Purpose The reason for transferring the recirculation pumps to low speed is to reduce the severity on the fuel of thermal transients caused by turbine trip, generator trip, or load rejection. By transferring the recirculation pumps to low speed early in the event, the rapid core flow reduction increases void content and thereby reduces reactivity in conjunction with control rod insertion. RPT logic is shown on Figure 7.2-1.

Logic and Operation The RPS detects turbine control valve fast closure and turbine stop valve closure using four channels of sensor logic. These four channels of sensor logic are combined into two divisions of RPT logic. Trip of either division of RPT logic will trip both recirculation pumps from the normal power supply. Trip of either logic division also transfers both recirculation pumps to low speed operation on the LFMG sets. Trip requires two sensor channel confirmations for trip conditions: turbine control valve fast closure and turbine first-stage pressure greater than setpoint or turbine stop valve closure and turbine first-stage pressure greater than setpoint. The power supply for RPT logic is supplied from the RPS UPS.

The response time limits for EOC RPT system instrumentation are presented in TRM Section 3.3.4.

7.6.1.6 Safety/Relief Valves - Relief Function SRV Function The relief function of the SRVs is to relieve high-pressure conditions that could lead to the failure of the RCPB. The reactor system high pressure activates the SRV to vent steam to the suppression pool and reduce reactor pressure. See Section 7.3 for the ADS function of selected SRVs.

SRV Operation Operation of the SRVs is described in Section 5.2.2.

7.6.1.7 Spent Fuel Pool Cooling and Cleanup System -

Instrumentation and Controls System Function Chapter 07 7.6-10 Rev. 25, October 2022

NMP Unit 2 USAR The function of the SFC system is to remove decay heat from the spent fuel storage pool to ensure adequate cooling of the stored spent fuel assemblies.

System Operation Schematic arrangement of the SFC system mechanical equipment and instrumentation and a description of system design and operation are provided in Section 9.1.3. The system control logic is shown on Figure 9.1-6. Instrument location drawings and elementary diagrams are identified in Section 1.7. The system instrumentation and control logic is discussed in Section 9.1.3.5.

7.6.1.8 Redundant Reactivity Control System - Instrumentation and Controls The RRCS is designed in conjunction with other systems to mitigate the potential consequences of an ATWS event.

The RRCS consists of vessel pressure and level sensors, solid-state logic, control room cabinets and indications, and interfaces with several systems which may be actuated to mitigate an ATWS event (Figure 7.6-9). The solid-state logic is divided into Divisions 1 and 2, each of which is subdivided into two channels. The logic is energized to trip, and both channels of either division must be tripped in order to initiate the RRCS protective actions. The system can be manually initiated by depressing two push buttons (tripping both channels) in the same division. This manual initiation function is designed so that no single Operator action can result in an inadvertent initiation. The push button's collar is rotated to arm the switch before depressing, which will trip the logic. The manual initiation push buttons are located in the control room near the RPS manual scram push buttons. There are four manual initiation push buttons for RRCS.

The RRCS logic monitors reactor dome pressure and water level.

High pressure or low water level (Level 2) or RRCS manual initiation will cause the alternate rod insertion (ARI) valves to scram the reactor independently of the RPS.

Low water level alone will, in addition to an ARI scram, cause an immediate RPT by tripping circuit breakers B35-CB3A, 3B, 4A, and 4B (in the normal supply lines to the recirculation pump motors) and circuit breakers B35-CB1A, 1B, 2A and 2B (in the LFMG supply to the pump motors). After 98 sec of continued low water level, and if the APRM channels are not downscale or are INOP, the RRCS initiates SLCS and isolates the RWCU system.

High reactor dome pressure alone will, in addition to an ARI scram, immediately trip circuit breakers B35-CB3A, 3B, 4A, and 4B and initiate transfer of the recirculation pumps to LFMG (low Chapter 07 7.6-11 Rev. 25, October 2022

NMP Unit 2 USAR speed) operation. After 25 sec of continued high pressure, and if the APRM channels are not downscale or are inoperable, the RRCS trips circuit breakers B35-CB1A, 1B, 2A, and 2B to complete the RPT. In addition, feedwater runback is initiated provided the feedwater runback disable switch is in the OFF position.

After an additional 73 sec of continued high pressure and with the APRM channels still not downscale or inoperable, the RRCS initiates SLCS and isolates RWCU. The feedwater runback disable switch is discussed in Section 7.7.1.3.

The ATWS-RPT consists of a high vessel pressure trip and a low water level (Level 2) ATWS trip. Either trip will cut power to the recirculation pumps, thus reducing core flow and consequently lowering core power.

The ATWS-RPT has two separate divisions of instrumentation, each with a separate power supply. Each division has two logic channels, with each channel having a high reactor dome pressure sensor and a low water level (Level 2) sensor. Each channel generates an ATWS trip signal if high dome pressure exists or if a low water level (Level 2) signal exists. Both recirculation pumps are tripped if both channels in either instrument generate a trip signal.

If both channels in either division generate a low water level signal, both pumps' normal recirculation pump power supply breakers and the breakers from the LFMGs are immediately tripped.

If both channels in either division generate a high reactor pressure signal, the normal recirculation pump power supply breakers will immediately trip, and the recirculation pump motors will be powered by their respective LFMG power supply.

If, after 25 sec, both channels in either division still signal a high reactor pressure and the APRM power signal is not downscale, the breakers from the LFMGs to both recirculation pumps will be tripped.

Division 1 ATWS logic trips normal power supply breakers 3A and 3B to recirculation pumps A and B and transfers or trips LFMG breakers 1A and 1B plus 2A and 2B. Similarly, Division 2 ATWS logic trips normal power supply breakers 4A and 4B, which are in series with 3A and 3B, and also transfers or trips LFMG breakers 1A and 1B plus 2A and 2B.

The ATWS-RPT trip circuitry is separate from and independent of the RPS-RPT trip circuitry. Breakers 3A, 3B, 4A, and 4B each have dual trip coils, one coil for the ATWS-RPT and one for the RPS-RPT. Both trip coils are fed from the same power supply.

The ATWS-RPT logic is in a de-energized state during normal plant operation and in an energized state given a trip demand.

The trip circuits, including the sensors, logic, and normal supply pump breaker trip coils, are Class 1E. The entire trip Chapter 07 7.6-12 Rev. 25, October 2022

NMP Unit 2 USAR circuits may be tested during plant operation except for opening of the pump breakers. ATWS-RPT circuitry is separated from non-Class 1E circuitry.

Indicators and annunciators in the control room provide the status of the trip coils and the mechanical position of the pump circuit breakers. Actuation of the ATWS-RPT is recorded in the control room.

Manual initiation alone causes an immediate ARI scram. After 98 sec, if the APRM channels are not downscale or are INOP, the RRCS initiates SLCS and isolates RWCU. Manual initiation does not cause a RPT or feedwater runback.

The APRMs provide downscale trip signals to the RRCS permissive logic. These signals are Class 1E and contain all available channels of input. The APRM signals from NMS Division 1 are routed to RRCS Division 1 through signal conditioners; APRM signals from NMS Division 2 are routed to RRCS Division 1 through isolators; and APRM signals from NMS Divisions 3 and 4 are sent to RRCS Division 2 through isolators (see Figure 7.6-9). Loss of power to an APRM channel or an APRM INOP condition will result in a RRCS permissive signal. Bypassing an APRM channel will prevent the bypassed APRMs "not downscale" or INOP signals from supplying a permissive.

Approximately 11.6 min after RRCS, the RRCS logic (except for ARI initiation) can be reset by means of four manual reset push buttons (one for each channel) if the reactor level is above Level 2 and reactor pressure is below the setpoint.

The RRCS ARI function is reset by the RRCS ARI reset push buttons. This second set of four push buttons (one for each channel) resets the ARI logic 30 sec after initiation of ARI provided that initiating signals have cleared. This 30-sec time delay before the ARI reset permissive appears ensures that the RRCS ARI scram goes to completion.

The RRCS is continuously checked by a solid-state, microprocessor-based, self-test system. This system checks RRCS sensors, logic, protective devices, and itself.

7.6.1.9 Design Basis The safety-related systems described in Section 7.6 are designed to provide timely protective action inputs to other safety systems to protect against the onset and consequences of conditions that threaten the integrity of the fuel barrier and the RCPB. Chapter 15, Appendix 15A and Appendix A identify and evaluate events that jeopardize the fuel barrier and RCPB. The methods of assessing barrier damage and radioactive material releases, along with the methods by which abnormal events are identified, are also presented in Chapter 15. The conditions Chapter 07 7.6-13 Rev. 25, October 2022

NMP Unit 2 USAR that require protective actions are described in Chapter 15 and Appendix 15A.

7.6.1.9.1 Variables Monitored to Provide Protective Actions The following variables are monitored to provide protective action inputs:

1. PRMS system:
a. Deleted.
b. Reactor building ventilation above refueling floor radiation level.
c. Reactor building ventilation below refueling floor radiation level.
d. Main control room air intakes radiation level.
e. RHR heat exchangers service water discharge radiation level.
f. Service water discharge to Lake Ontario radiation level.
g. Liquid waste discharge radiation level.
h. Drywell atmosphere radiation level.
i. Offgas radiation level.
2. High-pressure/low-pressure interlocks:
a. Reactor pressure.
b. Differential pressure across the LPCS and LPCI injection valves.
3. LDS system:
a. RCIC area temperatures, ambient.
b. RCIC steam line flow rate.
c. RCIC turbine exhaust diaphragm pressure.
d. RCIC steam line pressure.
e. RHR area temperatures, ambient.
f. RWCU area temperatures, ambient.

Chapter 07 7.6-14 Rev. 25, October 2022

NMP Unit 2 USAR

g. RWCU differential flow.
h. LPCS, RHR-A, -B, -C, RCIC, HPCS pump cubicles floor water level.
i. Reactor building general area at el 175 ft floor water level.
j. Main steam line tunnel temperatures, differential, and ambient.
k. Reactor building pipe chase ambient temperature.
l. Reactor building ambient temperature.
m. Main steam line turbine building, area temperatures, ambient.
n. Main steam line flow rate.
4. NMS system:
a. Neutron flux during startup and normal shutdown (IRM).
b. Core average neutron flux (APRM, LPRM).
c. Oscillation power range monitor (OPRM).
5. RPT system:
a. Turbine stop valve closure.
b. Turbine control valve fast closure.
c. Turbine first-stage pressure (permissive).
6. SRVs - relief function:
a. Reactor vessel pressure.
7. SFC system:
a. Spent fuel pool temperature.
b. Spent fuel pool level.
8. RRCS system:
a. Reactor vessel dome pressure.
b. Reactor vessel water level.

Chapter 07 7.6-15 Rev. 25, October 2022

NMP Unit 2 USAR

c. Reactor power level (APRM not downscale permissive).

7.6.1.9.2 Location and Minimum Number of Sensors See Technical Specifications for the minimum number of sensors required to monitor safety-related variables. LPRM detectors are the only NMS sensors that have spatial dependence as referenced in IEEE-279-1971, Paragraph 3.(3).

7.6.1.9.3 Prudent Operational Limits Prudent operational limits for each safety-related variable trip setting are selected to be far enough above or below normal operating levels that a spurious safety system initiation is avoided. It is then verified by analysis that the release of radioactive materials, following postulated gross failures of the fuel or nuclear system process barrier, is kept within acceptable bounds.

7.6.1.9.4 Margin Adequate margin between safety limits and instrument setpoints is provided to allow for instrument error. The appropriate allowable values are listed in Technical Specifications. The bases are discussed in the Technical Specifications Bases.

7.6.1.9.5 Levels Levels requiring protective action are established in Technical Specifications.

7.6.1.9.6 Range of Transient, Steady-State, and Environmental Conditions Environmental conditions are given in Section 3.11. Refer to Sections 8.2 and 8.3 for the maximum and minimum range of power supply to the safety-related instrumentation and controls of the systems described in Section 7.6. All safety-related instrumentation and controls are specified and purchased to withstand the effects of power supply ranges. Seismic and environmental conditions for proper operation of the systems described in Section 7.6 are discussed in Sections 3.10 and 3.11.

7.6.1.9.7 Malfunctions, Accidents, and Other Unusual Events That Could Cause Damage to Safety Systems Chapter 15 and Appendix 15A describe the following credible accidents and events: floods, storms, tornadoes, earthquakes, fires, LOCA events, and missiles. Each of these events is discussed below for the safety systems presented in this section.

Chapter 07 7.6-16 Rev. 25, October 2022

NMP Unit 2 USAR Floods The buildings containing safety-related components have been designed to withstand the PMF at the site location (Section 3.4).

Storms and Tornadoes The buildings containing safety-related components have been designed to withstand all credible meteorological events and tornadoes as described in Section 3.3.

Earthquakes The structures containing safety-related system components have been seismically qualified as described in Sections 3.7 and 3.8.

Fires The functions of these safety-related systems are protected from the effects of fire (Section 9.5.1).

LOCA Events The safety-related system components described in this section that are located inside the drywell and functionally required during and/or following a LOCA have been environmentally qualified to remain functional as discussed in Section 3.11.

Missiles Protection for safety-related components is provided as described in Section 3.5.

7.6.1.9.8 Minimum Performance Requirements Minimum performance requirements for safety-related systems instrumentation and controls are provided in Technical Specifications.

7.6.1.10 Final System Drawings The following final system drawings have been provided for the safety-related systems:

1. P&IDs.
2. FCDs/control logic diagrams.
3. IEDs.

7.6.2 Analysis Chapter 15 and Appendix A evaluate the individual and combined capabilities of the safety-related systems described in Section Chapter 07 7.6-17 Rev. 25, October 2022

NMP Unit 2 USAR 7.6. These systems are designed in such a way that a loss of instrument air, a plant load rejection, or a turbine trip will not prevent the completion of the safety function.

7.6.2.1 Process Radiation Monitoring System - Analysis The analyses for radiation monitoring (Section 7.6.1.1) are discussed in the given references and in Sections 7.2, 7.3, and 11.5.3.

7.6.2.2 High-Pressure/Low-Pressure Interlocks - Analysis 7.6.2.2.1 Conformance to General Functional Requirements The high-pressure/low-pressure interlocks provide an interface between low-pressure systems and reactor pressure. When reactor pressure is low enough that it is not harmful to the low-pressure systems, the valves are permitted to be opened. The interlocks are automatic and the Operator is given indication of their status.

7.6.2.2.2 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the high-pressure/low-pressure interlocks as specified in Table 7.1-3.

Specific requirements regarding pressure isolation valves are described in TRM Section 3.4.6.

7.6.2.2.3 Conformance to IEEE Standards The IEEE standards that apply to the high-pressure/low-pressure interlocks are specified in Table 7.1-3. The following conformance discussions apply specifically to the high-pressure/low-pressure interlocks. Refer to Section 7.1.2.2 for conformance discussions that apply generically to all safety-related systems.

IEEE-279-1971 The interlocks are designed in accordance with the single-failure criterion, redundancy requirements, and the testability criterion.

IEEE-338-1971 The design of the interlocks is such that they can be tested during reactor operation except for the actuated devices (valves). The valves can be tested during startup and shutdown. Details concerning testing of the interlocks can be found in Technical Specifications.

7.6.2.2.4 Conformance to Regulatory Guides The regulatory guides that apply to the high-pressure/low-pressure interlocks are specified in Table Chapter 07 7.6-18 Rev. 25, October 2022

NMP Unit 2 USAR 7.1-3. The following conformance discussions apply specifically to the high-pressure/low-pressure interlocks. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

Regulatory Guide 1.22 See Section 7.6.2.2.3, Conformance to IEEE-338-1971.

7.6.2.3 Leak Detection System (Safety Related) - Analysis 7.6.2.3.1 Conformance to General Functional Requirements The part of the LDS instrumentation and controls that is related to the various subsystem isolation circuitry is designed to meet requirements of the containment and reactor vessel isolation control systems cited in Section 7.3.2.

7.6.2.3.2 Specific Regulatory Requirements Conformance 7.6.2.3.2.1 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the LDS as specified in Table 7.1-3.

7.6.2.3.2.2 Conformance to IEEE Standards The IEEE standards that apply to the LDS are specified in Table 7.1-3. The following conformance discussions apply specifically to the LDS. Refer to Section 7.1.2.2 for conformance discussions applying generically to all safety-related systems.

IEEE-279-1971 LDS isolation functions comply with IEEE-279 and are included in the IEEE-279 compliance discussions of the PCRVICS system (Section 7.3.2) for which this system provides logic trip signals.

IEEE-338 Leak detection complies with IEEE-338. All active components of the LDS associated with the isolation signal can be tested during plant operation.

IEEE-379 The LDS isolation functions, in compliance with IEEE-279 and IEEE-379, are included in the IEEE-279 compliance discussion of ESF systems in Section 7.3.2 for which the LDS system provides logic trip signals.

7.6.2.3.2.3 Conformance to Regulatory Guides The regulatory guides that apply to the LDS are specified in Table 7.1-3. The following conformance discussions apply specifically to the LDS. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

Regulatory Guide 1.22 (NSSS only) The portion of the leak detection subsystem that provides outputs to the system Chapter 07 7.6-19 Rev. 25, October 2022

NMP Unit 2 USAR isolation logic is designed so that complete periodic testing of the isolation system actuation function is provided. This is accomplished by tripping the LDS one channel at a time from the leak detection panel in the main control room. An indicator lamp is provided to show that the particular channel is tripped.

Regulatory Guide 1.53 The portions of the LDS that provide outputs to system isolation logic comply with this guide.

Discussion is provided in Section 7.3.2 under RG 1.53.

7.6.2.4 Neutron Monitoring System - Analysis 7.6.2.4.1 Conformance to General Functional Requirements -

Intermediate Range Monitor Subsystem The analysis for the RPS trip inputs from the IRM subsystem is discussed in Section 7.2.2.

The IRM is the primary source of information as the reactor approaches the power range. Its linear steps and the rod-blocking features on both high flux level and low flux level require that all the IRMs remain on the correct range as core reactivity is increased by rod withdrawal. This arrangement ensures that the IRMs always provide a good indication of reactor power, that adequate margin is maintained between the flux reading and the trip point to prevent unnecessary trips, and during a reactivity addition transient (such as a cold water slug injection or refueling accident) that the trip point will be reached soon enough to eliminate a large power transient.

The sensitivity of the IRM is such that the IRM is on scale on the least sensitive (highest) range with approximately 15 percent power.

The number and locations of the IRM detectors have been selected to provide sufficient intermediate range flux level information under the worst-permitted bypass or detector failure conditions.

In addition to this, an APRM setdown scram is provided to limit core power transients when the reactor is not in the RUN mode.

To assure that each IRM is on the correct range, a rod block is initiated any time the IRM is downscale and not on the most sensitive (lowest) scale. A rod block is initiated if the IRM detectors are not fully inserted in the core unless the reactor mode switch is in the RUN position. The IRM scram trips and the IRM rod block trips are automatically bypassed when the reactor mode switch is in the RUN position and the APRM system is providing NMS scram trips and rod blocks appropriate to this higher power regime of reactor operation.

Local Power Range Monitors The LPRMs provide detailed information about neutron flux throughout the reactor core and they provide flux information Chapter 07 7.6-20 Rev. 25, October 2022

NMP Unit 2 USAR for the APRM system(1) and the OPRM system. The LPRMs are powered from two redundant high-voltage power supplies, allowing operation with one ac power supply failed or out of service without limiting reactor operation. Individual failed LPRM detector chambers can be bypassed. The flux information for a failed chamber location:

1. Can be interpolated from nearby chambers,
2. Can be derived from an octant-symmetric chamber, or
3. An actual flux measurement can be made at the failed detector's location using the TIP system.

The APRM electronics automatically adjusts its flux averaging operation for bypassed detector inputs. If a given APRM has too few inputs or the number of failed or bypassed LPRMs inputting to an APRM from each detector level (A, B, C, or D) is too low, a rod block and alarm will be initiated.

The OPRM automatically excludes any bypassed LPRM detectors from OPRM monitoring. The OPRM groups LPRM signals into cells. If the number of operating LPRM input signals to an OPRM cell is less than the minimum required, the cell is inoperable and excluded from OPRM monitoring.

Average Power Range Monitoring Subsystem Each APRM derives its signal from LPRM information. There are 43 LPRMs assigned to each of the four APRMs. Each APRM provides trip inputs to the four two-out-of-four voter channels. Each two-out-of-four voter channel provides trip inputs to one RPS division. The assignment, power separation, cabinet separation, and LPRM signal isolation are in accordance with the safety design basis of the RPS. The number and arrangement of APRM channels is such that one undetected failure or one bypassed channel in each trip system can be tolerated and still satisfy the RPS safety design bases.

The flow-referenced APRM scram setpoint is adequate to prevent fuel damage during an abnormal operational transient, as demonstrated in Chapter 15.

Oscillation Power Range Monitor Subsystem Each OPRM derives its signal from LPRM information. An OPRM channel is contained in each APRM chassis. The OPRM uses the same LPRM detectors assigned to its respective APRM. Each OPRM provides trip inputs to the four two-out-of-four voter channels.

Each two-out-of-four voter channel provides trip inputs to one RPS division. The OPRMs meet the same separation and isolation requirements as the APRMs. In addition, the OPRMs meet the same failure and bypass tolerance as the APRMs.

Chapter 07 7.6-21 Rev. 25, October 2022

NMP Unit 2 USAR 7.6.2.4.2 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the NMS system as specified in Table 7.1-3.

7.6.2.4.3 Conformance to IEEE Standards The IEEE standards that apply to the NMS are specified in Table 7.1-3. The following conformance discussion applies specifically to the NMS. Refer to Section 7.1.2.2 for conformance discussions applying generically to all safety-related systems.

7.6.2.4.3.1 Conformance to IEEE-279-1971 Paragraph 4.1 The NMS automatically initiates both downscale and upscale rod block trips and scram trips whenever measured nuclear flux exceeds certain trip setpoints. The NMS is designed to provide these protective trips in all operating modes. As the reactor operating mode is changed, the NMS subsystem used and the protective trip specifications are automatically changed to guarantee that core flux is adequately monitored.

Paragraph 4.2 The IRM and APRM/OPRM subsystems of the NMS are designed so that failure or bypass of one NMS channel inputting trip signals to each of the RPS division pairs will not compromise the RPS design basis. The system can initiate rod block trips or scram trips even if a single failure removes a channel from the trip system.

Paragraph 4.3 Components used in the NMS have been carefully selected on the basis of suitability for the specific application. Ratings have been selected with sufficient conservatism to ensure against significant deterioration during anticipated duty over the lifetime of the plant. Furthermore, a quality control and assurance program has been implemented and documented by equipment vendors to comply with the requirements set forth in 10CFR50 Appendix B. The quality of NMS components and modules is discussed in Sections 3.2 and 3.11.

Paragraph 4.4 Test data and the operating experience gained by the use of similar NMS equipment at operating plants confirm that the equipment will meet, on a continuing basis, the performance requirements determined to be necessary for achieving the system requirements.

Paragraph 4.5 The NMS equipment is designed to operate and to perform its safety-related functions in the environment of the mounting location of the components (Section 3.11). The NMS is not required to be operational after an accident, nor are components of the NMS required to be operational in accident environments, except the IRM and LPRM cables.

Paragraph 4.6 Each NMS channel supplying trip signals to the RPS system is independent and physically separated from NMS channels supplying trip signals to other RPS divisions. This Chapter 07 7.6-22 Rev. 25, October 2022

NMP Unit 2 USAR separation is accomplished through the choice of cable routing, cabinet construction, and circuit signal isolation, resulting in the decoupling of the effects of unsafe environmental factors, electrical transients, and the physical accident consequences documented in the design basis. The rod block signal outputs are likewise isolated.

Paragraph 4.7 The transmission of signals from protection system equipment for control system use is accomplished through isolation devices classified as part of the protection system.

No credible failure of the output of an isolation device will prevent the associated protection system channel from meeting the minimum performance requirements specified in the design basis.

The scram trip logic requires one NMS scram trip into RPS Division 1 or 3 and one NMS scram trip into RPS Division 2 or 4.

With one IRM channel bypassed in the group of IRM channels feeding RPS Division 1 or 3, one channel bypassed in the group of IRM channels feeding RPS Division 2 or 4, or one APRM/OPRM channel bypassed, and an additional single random failure in a control system requiring protective action, the remaining redundant protection channels (six IRM or three APRM/OPRM) will provide protective action with one-out-of-two twice logic for the IRMs and a two-out-of-three logic for the APRMs/OPRMs.

Paragraph 4.8 The NMS protection system inputs are derived from trip units set to trip when core flux level signals or averaged signals exceed specified limits. The neutron flux is converted into an electrical current signal and applied to the NMS trip units. The tripped or nontripped protection system input state is therefore a direct measure of the flux level being measured.

Paragraph 4.9 Each NMS input sensor can be checked during reactor operation. This check can be accomplished by cross-checking between IRM channels while considering their relative core positions. Detector response to flux can be verified by withdrawing or inserting the IRM being checked and observing the appropriate response. Core power changes during startup and shutdown also provide a "perturbed monitored variable" which will cause an observable flux change. In addition to this, the individual IRM detector's output can be read as an input to the IRM preamplifier located outside the control room.

The APRM/OPRM detector signals (LPRM inputs) can be individually selected and displayed in the control room during reactor operation. Changing reactor power can be monitored to provide evidence the LPRM is correctly tracking power. The signal from each LPRM can also be cross-checked with the other LPRMs, or can be checked by running the TIP probe up into the instrument tube to a position near the LPRM being checked.

Chapter 07 7.6-23 Rev. 25, October 2022

NMP Unit 2 USAR Paragraph 4.10 Each IRM and each APRM/OPRM channel can be calibrated and/or tested during reactor operation. Trip setpoint checks can be done at each channel drawer, and calibration of LPRMs, APRMs, and IRM can be done during reactor operation using core heat balance calculations.

Paragraph 4.11 The NMS system is designed to permit a channel to be bypassed for maintenance or calibration without initiating protective action at the system level. Four IRMs supply RPS trip signals to RPS Division 1 or 3, and the four other IRMs supply scram trips to RPS Division 2 or 4. (A trip of Division 1 or 3 coincident with a trip of Division 2 or 4 will result in a full scram.) One IRM in each set of four may be bypassed.

Removing more than one from each set of four will result in an IRM INOP condition, which is an automatic trip of the related RPS logic.

The APRM/OPRM arrangement includes four APRM/OPRM channels, only one of which can be bypassed at a time. Each of the four APRM/OPRM channels provides RPS trip inputs to all four two-out-of-four voter channels, none of which can be bypassed.

Removing a second APRM/OPRM channel from operation with one already bypassed will result in an APRM INOP condition. This automatically trips one input to the two-out-of-four voter channels. When IRM or APRM channels are bypassed, the remaining active parts of the system continue to operate to meet the single-failure criterion.

Paragraph 4.12 The IRM scram trip is bypassed whenever the reactor mode switch is placed in the RUN position. Although this is not distinctly an operating bypass since it requires manual manipulation of the mode switch, it is an automatic consequence of placing the mode switch in RUN. The APRM setdown scram trip (15 percent power scram) is also bypassed in the run mode. Moving the mode switch to RUN replaces the IRM scram and APRM setdown scram with the fixed setpoint APRM scram trip. The reactor mode switch is considered part of the protection system and is designed in accordance with protection system criteria.

Paragraph 4.13 Whenever an IRM or APRM channel is bypassed, this condition is continuously indicated by a BYPASSED status light in the control room. In addition to this, each channel's bypassed condition is indicated at the IRM or APRM signal conditioning equipment. Whenever an IRM or APRM channel is deliberately rendered inoperative, an IRM INOP or APRM INOP condition is continuously indicated on the main control panel, at the respective signal condition equipment, and by an annunciator.

Paragraph 4.14 The bypass switch for the APRM and the bypass switch for the IRM system function to permit only one APRM channel and only one IRM channel in each trip system to be bypassed at a time. Manipulating the switch to bypass a second APRM channel or a second IRM on the same trip system is possible Chapter 07 7.6-24 Rev. 25, October 2022

NMP Unit 2 USAR only by first returning the originally bypassed channel to service.

IRM and APRM channels may be taken out of service with the operating function switch on their respective signal conditioning equipment drawers; however, this will result in an IRM INOP or APRM INOP if that particular channel is not bypassed with the main control panel bypass switch when the operating function switch is taken out of the OPERATE position.

Therefore, removing an unbypassed IRM or APRM channel from OPERATE and placing it in STANDBY (INOP for the APRMs) or some other test mode in order to bypass the channel will result in a half-scram trip of the RPS, or a half-trip of the APRM two-out-of-four voter channels and all the associated alarms. Access to means of bypassing any safety action or function for these systems is under administrative control.

Paragraph 4.15 Both the APRM setdown in the STARTUP mode and the APRM flow-biased scram in the RUN mode are multiple setpoints. The setdown scram is placed into service and removed from service by the positioning of the reactor mode switch. The APRM flow-biased scram setpoint is automatically changed to more restrictive setpoints as recirculation flow is reduced. The mode switch and flow units used to prevent improper application of less restrictive scram trip setpoints are considered part of the protection system and are designed accordingly.

Paragraph 4.16 The NMS scram trip signals do not seal in at the IRM, APRM or OPRM trip units. The trip signal will return to the nontripped state as soon as core flux conditions warrant.

However, the RPS system does contain built-in seal-in circuitry so that a momentary excursion of a NMS flux level above a trip setpoint will result in sealed-in-tripped RPS logic even after the NMS flux returns to normal levels. See Section 7.2.2, IEEE-279-1971 Paragraph 4.16 for details.

Paragraph 4.17 The RO can initiate a manual IRM flux scram by ranging down with one IRM range switch in each trip system provided that core flux is above the Range 1 scram trip setpoint. A NMS flux scram trip can also be manually initiated by taking one unbypassed IRM or APRM in each trip system out of OPERATE, or by placing the reactor mode switch in STARTUP when APRM flux is greater than 15 percent. More appropriate means of manually tripping the RPS system are discussed in Section 7.2.2, IEEE-279-1971, Paragraph 4.17.

Paragraph 4.18 The IRM, APRM, OPRM, LPRM, and flow monitoring signal conditioning drawers, and related power supplies are mounted in cabinets within the main control room. Trip setpoint adjustment controls are not accessible except via administrative control.

Chapter 07 7.6-25 Rev. 25, October 2022

NMP Unit 2 USAR Paragraph 4.19 Status lights on the main control panel and the signal conditioning equipment indicate and identify each channel's tripped or nontripped status.

Paragraph 4.20 Recordings of each channel and metered indications of each channel are provided for both IRMs and APRMs. Indication can easily be compared channel to channel for verification of proper system operation.

Paragraph 4.21 The NMS signal conditioning equipment is designed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components or modules.

Paragraph 4.22 NMS equipment is distinctively identified as to its function and channel.

7.6.2.4.3.2 Conformance to IEEE-338-1971 Compliance is shown in Section 7.6.2.4.3.1, IEEE-279-1971 conformance, Paragraphs 4.9 and 4.10.

7.6.2.4.3.3 Conformance to IEEE-384-1974 The NMS equipment is designed to conform to IEEE-384 in accordance with RG 1.75 requirements only. See Section 7.6.2.4.4, RG 1.75.

7.6.2.4.4 Conformance to Regulatory Guides The regulatory guides that apply to the NMS are specified in Table 7.1-3. The following conformance discussions apply specifically to the NMS. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

Regulatory Guide 1.47 The NMS meets the requirements of RG 1.47 through the use of bypass indication as described in Section 7.6.2.4.3.1, IEEE-279-1971 Conformance, Paragraph 4.13.

Regulatory Guide 1.53 While not a design basis, the NMS conforms to this guide in the following manner:

Position C.1 - The IRM and APRM/OPRM subsystems of the NMS are designed so that failure or bypass of one NMS channel inputting trip signals to each of the RPS trip systems will not compromise the RPS design basis. The system can initiate rod block trips or scram trips even if a single failure removes a channel from either of the trip systems. Functional details of the NMS are provided in Section 7.6.1.4.

Position C.2 - The number and arrangement of APRM/OPRM channels is such that failure of a single channel or a bypassed channel is acceptable. All channels are fully testable.

Chapter 07 7.6-26 Rev. 25, October 2022

NMP Unit 2 USAR Position C.3 - The bypass switch for the IRM subsystem provides input to more than one RPS trip logic channel.

Position C.4 - No credible failure of the logic output will prevent the RPS channels from meeting the minimum performance requirements specified in the design basis.

The scram trip logic requires one NMS scram trip into RPS Division A1 or A2 and one NMS scram trip into RPS Division B1 or B2. With one NMS channel bypassed and an additional single random failure in a control system requiring protective action, the remaining redundant protection channels (six IRM or two APRM/OPRM) will provide protective action with one-out-of-two twice logic for the IRMs and two-out-of-two logic for the APRM/OPRM channels.

Regulatory Guide 1.75 The NMS meets RG 1.75 with the requirements that: 1) isolators or physical separation may be provided without affecting building or control/relay room arrangement, and 2) physical separation between divisions of essential systems and between essential systems and essential circuits are not required to be maintained. See the discussion of compliance in Section 7.2.2, and in Section 7.6.2.4.3.1, Paragraph 4.6.

7.6.2.5 Recirculation Pump (Trip) System - Analysis 7.6.2.5.1 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the RPT system as specified in Table 7.1-3.

7.6.2.5.2 Conformance to IEEE Standards The IEEE standards that apply to the RPT system are specified in Table 7.1-3. The following conformance discussion applies specifically to the RPT system. Refer to Section 7.1.2.2 for conformance discussions applying generically to all safety-related systems.

7.6.2.5.2.1 Conformance to IEEE-279-1971 Paragraph 4.1 Protective action occurs automatically in response to preset values of the sensed variables. This is accomplished by the use of pressure and position sensors which automatically initiate the relay operated trip logic, which trips the recirculation pump circuit breakers without the necessity for manual action. Protective action is completed upon trip of the recirculation pump from the line frequency power source.

Paragraph 4.2 No single failure will disable the capability to trip both recirculation pumps from high speed operation. This Chapter 07 7.6-27 Rev. 25, October 2022

NMP Unit 2 USAR is accomplished by using redundant and divisionally separated sensor and trip circuitry. Either division will trip both recirculation pumps. The transfer to low speed operation is not necessary to satisfy the functional requirement of RPT, which is to rapidly reduce core flow. Therefore, the circuitry to start up the LFMG set is not required to satisfy the single-failure criterion. Those portions of the circuitry that do not satisfy this criterion are isolated from safety portions.

Paragraph 4.3 For a discussion of quality of RPS components and modules, refer to Sections 3.2 and 3.11.

Paragraph 4.4 Detailed discussion of qualification is contained in Sections 3.10 and 3.11.

Paragraph 4.5 Refer to Sections 3.10 and 3.11.

Paragraph 4.6 Channel independence is assured by the utilization of physical separation, electrical independence, and mechanical barriers.

Paragraph 4.7 Each of the two RPS-RPT logic circuits generates two signals used for disconnecting the recirculation pumps from their normal power supply and transferring them to low-speed operation on their LFMG sets. The first signal from either logic circuit will disconnect both recirculation pumps from their normal power supply. The second signal initiates transfer of both pumps to the LFMG set.

Undesirable interaction between systems is prevented in circuitry associated with the first signal (disconnect recirculation pump from normal power supply) by the use of separate, Class 1E trip coils on the circuit breakers used for this function. Circuitry associated with the second signal includes isolators for system protection.

Paragraph 4.8 Turbine stop valve closure is detected by a position switch that responds to valve position. Turbine control valve fast closure is detected by a pressure switch that detects valve hydraulic pressure.

Paragraph 4.9 Provisions exist to allow closure of stop valve and fast closure of turbine control valve separately at least one valve at one time for test purposes without causing a recirculation pump transfer to low speed. The input sensors and the division logic can be checked one channel at a time.

Paragraph 4.10 The design requirement is met. See Section 7.6.2.5.3, RG 1.22.

Paragraph 4.11 Either RPT channel can be removed from service without affecting the capability of the remaining channel to perform the expected trip and transfer functions. This is accomplished by using two separate, independent logic circuits, Chapter 07 7.6-28 Rev. 25, October 2022

NMP Unit 2 USAR either of which can generate the necessary trip signals for both pumps and transfer signal for its associated pump.

Paragraph 4.12

1. Automatic Bypass At low reactor power, the recirculation pump transfer to low speed is not required. When power is low, the function is automatically bypassed. When power is above the setpoint, the bypass is automatically removed by de-energizing the bypass relay.
2. Manual Bypass Recirculation pump transfer to low speed can be manually bypassed. No provision exists for automatically removing the manual bypass.

Paragraph 4.13

1. Automatic Bypass Low power level automatic bypass is automatically annunciated in the control room by the same relay logic that activates the bypass.
2. Manual Bypass The manual bypass is annunciated in the control room by the same switch that is used to activate the bypass.

Paragraph 4.14 Access to means for bypassing is under administrative controls.

Paragraph 4.15 There are no multiple setpoints in the recirculation pump transfer to low speed.

Paragraph 4.16 Except for the manual and automatic bypasses, the logic is designed to progress automatically from sensor activation to the trip function without interruption. The automatic transfer to low-speed operation may be inhibited by certain conditions. The start sequence for the recirculation pumps can only be initiated manually.

Paragraph 4.17 The recirculation pumps may be transferred to low speed by simultaneous operation of manual switches in the control room.

Paragraph 4.18 This design requirement is met (Section 7.2.2.2.1).

Paragraph 4.19 Main control room annunciators and indicators are provided to identify the tripped portions of the RPT.

Paragraph 4.20 The information presented to the Main Control Room Operator satisfies this design requirement.

Chapter 07 7.6-29 Rev. 25, October 2022

NMP Unit 2 USAR Paragraph 4.21 The design complies with this design requirement.

Paragraph 4.22 Refer to Section 8.3.

7.6.2.5.2.2 Conformance to IEEE-379-1972 See discussion of IEEE-279, Paragraph 4.2.

7.6.2.5.2.3 Conformance to IEEE-384-1974 See discussion of IEEE-279, Paragraphs 4.2, 4.6, 4.7, and 4.11, and Section 7.1.2.2.

7.6.2.5.3 Conformance to Regulatory Guides The regulatory guides that apply to the RPT are specified in Table 7.1-3. The following conformance discussions apply specifically to the RPT. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

Regulatory Guide 1.22 The system is designed so that it may be tested and calibrated during plant operation from sensor device to final output logic.

Regulatory Guide 1.53 See Section 7.6.2.5.2, Conformance to IEEE-279-1971, Paragraph 4.2.

Regulatory Guide 1.62 See Section 7.6.2.5.2, Conformance to IEEE-279, Paragraph 4.17.

7.6.2.6 Safety/Relief Valves - Relief Function - Analysis Analysis for the SRVs relief function is provided in the ESF systems analysis (Section 7.3.2).

7.6.2.7 Spent Fuel Pool Cooling and Cleanup System - Analysis 7.6.2.7.1 Conformance to General Functional Requirements The SFC system provides reliable spent fuel pool residual heat removal capability.

7.6.2.7.2 Conformance to 10CFR50 Appendix A The general design criteria conformance discussions provided in Section 3.1 apply to the SFC system as specified in Table 7.1-3.

7.6.2.7.3 Conformance to IEEE Standards The IEEE standards that apply to the SFC system are specified in Table 7.1-3. The following conformance discussions apply Chapter 07 7.6-30 Rev. 25, October 2022

NMP Unit 2 USAR specifically to the SFC system. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

IEEE-279, Paragraph 4.16 The SFC system is initiated manually for continuous pool cooling when the pool contains spent fuel.

7.6.2.7.4 Conformance to Regulatory Guides The regulatory guides that apply to the SFC system are specified in Table 7.1-3. The following conformance discussion applies specifically to the SFC system. Refer to Section 7.1.2.4 for conformance discussions that apply generically to all safety-related systems.

Regulatory Guide 1.62 The SFC system is manually initiated from the main control room by actuation of system pump and valve controls.

7.6.2.8 Redundant Reactivity Control System 7.6.2.8.1 Conformance to General Functional Requirements The sensors, transmitters, trip units, and other assigned associated logic for the RRCS are Class 1E, separate and independent from the RPS, and environmentally qualified to expected ATWS conditions.

The RRCS is diverse from the RPS. No credible common mode failure can prevent both normal scram and ATWS prevention or mitigation functions. The RRCS is designed to independently monitor reactor pressure and water level and to shut down the nuclear chain reaction if these variables reach their respective trip setpoints.

7.6.2.8.2 Conformance to 10CFR50 Appendix A General design criteria established in Appendix A of 10CFR50 which are generally applicable to all safety-related systems are discussed in Section 3.1. Those with specific impact on RRCS are discussed below.

General Design Criteria 21 The RRCS is designed for high functional reliability and its logic can be tested for the safety functions to be performed.

No single failure in this two-divisional, four-channel protection system will result in the loss of the protective functions.

General Design Criteria 22 Chapter 07 7.6-31 Rev. 25, October 2022

NMP Unit 2 USAR The RRCS is a two-division Class 1E system separate and diverse from the RPS. It has functional diversity via ARI scram, RPT, SLCS, and feedwater runback.

General Design Criteria 24 The RRCS protection system interfaces with control systems through isolation devices. Specifically, the RRCS signals to the recirculation system and the signal to the feedwater system to initiate runback both pass through isolators. This ensures that electrical failures in the control systems cannot propagate back into the RRCS system and therefore cannot prevent other channels in the RRCS divisions from performing their protective functions.

General Design Criteria 29 The RRCS is highly reliable because it is redundant, Class 1E, functionally diverse, and has a continuous self-test capability.

7.6.2.8.3 Conformance to IEEE Standards The IEEE Standards that apply to the RRCS are specified in Table 7.1-3. The following conformance discussions apply specifically to the RRCS. Refer to Section 7.1.2.2 for conformance discussions applying generically to all safety-related systems.

7.6.2.8.3.1 IEEE Standard 279-1971 General Functional Requirement (Paragraph 4.1)

The RRCS will automatically initiate the appropriate protective actions whenever reactor high pressure or low water level 2 is received. These actions include an ARI scram, tripping of the recirculation pump motor and LFMG breakers, initiating a feedwater runback, RWCU system isolation, and initiation of the SLCS.

Single-Failure Criteria (Paragraph 4.2)

The RRCS is two-divisional with two channels (A and B) in each division. The RRCS protective action will be initiated when both Channels A and B in either division are tripped. Separate water level and pressure sensors feed each of the four channels of trip logic. Trip signals to transfer to the LFMG or trip the recirculation pump act on duplicated breaker trip circuitry.

The ARI scram, feedwater runback, RWCU system isolation, and SLC injection are all capable of being initiated from either division. Thus, any single failure within RRCS cannot prevent the protective actions at the system level from taking place.

Quality of Components and Modules (Paragraph 4.3)

Chapter 07 7.6-32 Rev. 25, October 2022

NMP Unit 2 USAR RRCS components and modules, and equipment in non-Class 1E systems supporting the RRCS (such as the recirculation system pump motor breaker ATWS trip coils), are Class 1E electrical, suitable for and consistent with the low failure rates required for nuclear power station safety-related equipment, except as noted below.

High-quality equipment, although not necessarily safety grade, is used to meet the feedwater control runback ATWS reliability requirements.

Equipment Qualification (Paragraph 4.4)

Type test data or engineering extrapolations based on test data are available to verify that the RRCS can meet its performance requirements on a continuing basis. Detailed discussion of qualification is discussed in Sections 3.10 and 3.11.

Channel Integrity (Paragraph 4.5)

RRCS channels and components meet the necessary functional requirements of the environmental conditions for components listed in Section 3.11.

Channel Independence (Paragraph 4.6)

Each channel, A and B, of each division of logic is independent and physically separated from the other channel. Separate sensors provide signals of reactor pressure and water level for each channel of each division. Signals are routed through separate cabling to separate analog trip modules (ATMs) and RRCS logic. Actuation signals also travel to the trip-actuated devices via divisionally separated cabling. This design effectively decouples the effects of unsafe environmental factors, electrical transients, and physical accident consequences.

The initiation of both SLCS pumps by the RRCS signals is excluded from IEEE-279 separation requirements. IEEE-279 is met at the overall system level because RRCS/SLCS is redundant to the RPS.

Control and Protection System Interaction (Paragraph 4.7)

The transmission of signals from the RRCS protection system equipment for control system use is accomplished through isolation devices which are classified as part of the protection system and meet all the requirements of this standard. No credible failure at these isolators will prevent the associated protection system channel from meeting its design requirements.

Derivation of System Inputs (Paragraph 4.8)

Chapter 07 7.6-33 Rev. 25, October 2022

NMP Unit 2 USAR The RRCS system inputs (reactor pressure and water level) are derived from pressure and level transmitters that produce signals that are, to the extent feasible and practical, direct measures of these desired variables.

Capability for Sensor Checks (Paragraph 4.9)

The RRCS self-test unit automatically checks the RRCS level and pressure sensors. The automatic check determines if the sensor output is downscale, within the normal operating bounds, or too high. If the sensor output is found to be abnormal, an alarm is sounded. The sensor's output can be observed and compared at the middle bay of the RRCS cabinet where the ATM diagnostic display is mounted.

Capability for Test and Calibration (Paragraph 4.10)

Each RRCS sensor provides input to an ATM. The ATM electronically monitors the incoming sensor signal level and provides the appropriate output to the RRCS logic if that sensor signal level goes beyond its trip setpoints. Sensor signal level can be read at the ATM and compared to the known characteristics of the transmitter. Trip setpoint can be adjusted at the ATM, and the operability of this trip module is checked repeatedly by the RRCS self test unit.

RRCS sensors, logic, timers, and actuated devices are continuously checked by the RRCS self-test unit, meeting Paragraph 4.10.

Channel Bypass or Removal for Operation (Paragraph 4.11)

The RRCS is designed such that portions may be removed from service for maintenance of testing without initiating the RRCS protective actions at the system level.

Removal of portions of the RRCS for service will not result in protective actions because the system is normally de-energized.

Operating Bypasses (Paragraph 4.12)

There is no operating bypass affecting the RRCS.

Indication of Bypasses (Paragraph 4.13)

There is no manual bypass of the RRCS. Indication that a channel is rendered inoperable for test or calibration is continuously indicated in the control room.

Access to Means for Bypassing (Paragraph 4.14)

The RRCS cannot be manually bypassed.

Multiple Setpoints (Paragraph 4.15)

Chapter 07 7.6-34 Rev. 25, October 2022

NMP Unit 2 USAR There are no multiple setpoints applicable to the RRCS.

Completion of Protective Action Once it is Initiated (Paragraph 4.16)

The RRCS protective actions are sealed in by the solid-state logic. The RRCS ARI function cannot be reset for 30 sec after its initiation. This ensures that the scram will go to completion because the ARI valves are designed to vent the scram air header to cause all rods to begin scramming within 15 sec.

All other RRCS protective actions cannot be reset for 10.0 min after SLC injection has begun. Operator control of the feedwater system can be regained 30 sec after initiation of the RRCS feedwater runback, independent of APRM power. Since the runback is designed to bring feedwater flow to 0 percent within 15 sec, this protective function will also go to completion. Up to 100 gpm of feedwater leakage per valve is evaluated for a feedwater runback resulting from an ATWS event. The 100 pgm is considered insignificant and does not impact the ATWS analysis.

Manual Initiation (Paragraph 4.17)

The RRCS can be manually initiated by depressing the manual initiation push buttons. The manual initiation signal is immediately sealed into the RRCS ARI logic, SLC logic, and RWCU isolation logic.

Access to Setpoint Adjustments (Paragraph 4.18)

The design of RRCS permits the administrative control of access to all setpoint adjustments, module calibration adjustments, and test points via enclosing the ATMs and logic in keylocked cabinets.

Identification of Protective Actions (Paragraph 4.19)

RRCS protective actions are indicated and identified down to the channel level by status lights and annunciators.

Information Read-Out (Paragraph 4.20)

The RRCS provides the Operator with pertinent information as to its condition via status lights and annunciators. This includes indication of the various stages of the RRCS logic actuation such as ARI scram initiation, recirculation pump transfer to LFMG, RPT, feedwater runback, SLC initiation, RWCU isolation, and both potential and confirmed ATWS. A RRCS trouble annunciator is provided to signal a test fault, ATM in calibration or gross failure, or any of several RRCS logic state changes. Loss of power to RRCS is signaled by the RRCS out-of-service annunciators.

System Repair (Paragraph 4.21)

Chapter 07 7.6-35 Rev. 25, October 2022

NMP Unit 2 USAR The RRCS system is designed to facilitate the recognition, location, replacement, repair, or adjustment of malfunctioning components or modules. The use of the analog trip module facilitates the calibration, adjustment, or repair of the trip system. The modules are plug-in units which can be easily replaced. RRCS logic is separated by division and channel onto individual cards which can be easily replaced by spares.

Identification (Paragraph 4.22)

The RRCS protection system equipment is identified distinctively as being in the protection system, and its equipment is marked to clearly indicate divisional separation. Panels are labeled with distinctive marker plates.

7.6.2.8.3.2 IEEE Standard 338-1975 See Section 7.6.2.8.3.1, IEEE-279, Paragraphs 4.9 and 4.10.

7.6.2.8.3.3 IEEE Standard 379-1972 See Section 7.6.2.8.3.1, IEEE-279, Paragraph 4.2.

7.6.2.8.4 Conformance to Regulatory Guides The regulatory guides that apply to the RRCS are specified in Table 7.1-3. The following conformance discussions apply specifically to the RRCS. Refer to Section 7.1.2.3 for conformance discussions that apply generically to all safety-related systems.

Regulatory Guide 1.22 The RRCS is designed so that integrated system testing can be performed to verify overall system performance (see Section 7.6.2.8.3.1, IEEE-279, Paragraphs 4.9 and 4.10).

Regulatory Guide 1.47 A "RRCS FW Auto Init Runback-Disable" control switch is provided to allow the Operators to inhibit the RRCS auto FWRB signal during in-service testing (IST) of the RRCS system, when spurious ATWS trip signals may occur. The RRCS meets the requirements of RG 1.47 through the use of annunciation in the control room whenever the disable switch is placed in the "ON" position by the Operator.

Regulatory Guide 1.53 See Section 7.6.2.8.3.1, IEEE-279, Paragraph 4.2.

Regulatory Guide 1.62 Chapter 07 7.6-36 Rev. 25, October 2022

NMP Unit 2 USAR Means are provided for manual initiation of the RRCS protective actions. The RRCS ARI scram function and, after time delays, the SLC system are initiated upon depression of the RRCS manual initiation push button. The RRCS LFMG transfer, RPT, and feedwater runback are not initiated by manual initiation of RRCS. These may be manually initiated at the respective control panels using system breaker control switches. SLC can also be initiated using SLC system pump control switches.

Regulatory Guide 1.118 See Section 7.6.2.8.3.1, IEEE-279, Paragraphs 4.9 and 4.10.

7.6.3 References

1. Morgan, W. R. In-Core Neutron Monitoring System for General Electric Boiling Water Reactors, APED-5706, November 1968 (Rev. April 1969).
2. Reigel, D. W. NUMAC Power Range Neutron Monitor (PRNM)

Panel Separation Analysis, Nine Mile Point 2, DRF No.

C51-00183 (5.9).

Chapter 07 7.6-37 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-1 HIGH-PRESSURE/LOW-PRESSURE INTERLOCKS INSTRUMENTATION SPECIFICATIONS Instrument No. of Function Instrument Range Channels RHR shutdown Pressure 0-1,200 psig* 2 cooling isolation transmitter pressure high LPCI injection Differential 0-700 psid* 3 valve differential pressure pressure high transmitter LPCS injection Differential 0-1,000 psid* 1 valve differential pressure pressure high transmitter

  • See Technical Specifications for Allowable Values.

Chapter 07 7.6-38 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-2 THIS TABLE HAS BEEN DELETED Chapter 07 7.6-39 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-3 LEAK DETECTION SYSTEM INSTRUMENTATION SPECIFICATIONS Instrument No. of Function Instrument Range(1) Channels RCIC turbine Pressure 0-30 psig 4 exhaust diaphragm switch pressure high RWCU equipment Temperature 50-350°F 6 area ambient switch temperature high RCIC equipment Temperature 50-350°F 2 area ambient switch temperature high RCIC pipe routing Temperature 50-350°F 2 area ambient switch temperature high Main steam line Temperature 50-350°F 4 tunnel ambient switch temperature high Main steam line Differential 0-150°F 4 tunnel differential temperature temperature high switch RHR equipment Temperature 50-350°F 4 area ambient switch temperature high Main steam line Temperature 50-350°F 4 pipe routing area switch in turbine building ambient temperature high RWCU differential Differential 0-200 gpm 2 flow high pressure switch Main steam line Differential 0-300 psid 4 flow high pressure transmitter Chapter 07 7.6-40 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-3 (Cont'd.)

Instrument No. of Function Instrument Range(1) Channels RCIC steam supply Differential 0-750" H2O 2 line flow high pressure transmitter RCIC steam supply Pressure 0-300 psia 4 pressure low transmitter Reactor building Temperature 50-350°F 2 radioactive pipe switch chase ambient temperature high Reactor building Temperature 0-250°F 2 general area switch ambient temperature high (1) See the Technical Specifications for Allowable Values.

Chapter 07 7.6-41 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-4 IRM INSTRUMENT SPECIFICATIONS Instrument Trip Function Range Trip Action IRM upscale 0 - 125% Scram, annunciator, red (high-high) Full scale light display IRM inoperative* N/A Scram, annunciator, red light display IRM upscale (high) 0 - 125% Rod block, annunciator, Full scale amber light display IRM downscale 0 - 125% Rod block (exception on Full scale most sensitive scale),

annunciator white light display IRM bypassed N/A White light display

  • IRM is inoperative if module interlock chain is broken, OPERATE-CALIBRATE switch is not in OPERATE position, or detector polarizing voltage is low.

Chapter 07 7.6-42 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-5 LPRM SYSTEM INSTRUMENT SPECIFICATIONS Trip Function LPRM Range Trip Action LPRM downscale 0 to 125% White light and Full scale annunciator LPRM upscale 0 to 125% Amber light and Full scale annunciator LPRM bypass Manual Local indication and switch APRM averaging compensation Chapter 07 7.6-43 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-6 APRM SYSTEM TRIPS INSTRUMENT SPECIFICATION Trip Function APRM Power Range Trip Action APRM 0 to 125% full scale Rod block, downscale (4% nominal) annunciator, alarm white light display APRM Setpoint varies Rod block, upscale with flow, slope annunciator, alarm(1) adjustable, amber light intercepts display separately adjustable APRM 7 to 27% full scale Rod block, upscale (12% nominal) annunciator, setdown amber light display APRM Setpoint varies Scram, upscale(2)(3) with flow, slope annunciator, red (thermal trip) adjustable, light display intercepts separately adjustable APRM 10 to 125% full scale Scram, upscale (fixed (118% nominal) annunciator, red neutron trip) light display APRM 10 to 30% full scale Scram, upscale (15% nominal) annunciator, red setdown light display APRM INOP-OPER switch Scram, rod block inoperative annunciator, red light display APRM bypass Manual switch White light OPRM enabled 23% power and <75% Annunciator, core flow (nominal) white light display Chapter 07 7.6-44 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.6-6 (Contd.)

Trip Function APRM Power Range Trip Action OPRM alarm 23% power and 75% Annunciator, core flow (nominal) amber light display OPRM upscale 23% power and 75% Scram, trip core flow (nominal) annunciator, red light display OPRM inop 23% power and 75% Annunciator, red core flow (nominal) light display (1) With single-loop alarm setpoint of 0.52 (W) + 38.5%

(nominal), and two-loop alarm setpoint of 0.61 (W) + 55.4%

RTP (nominal).

(2) APRM signal passes through a 6-sec time constant filter to simulate heat flux.

(3) With single-loop trip setpoint of 0.52 (W) + 46.8%

(nominal), and two-loop trip setpoint of 0.61 (W) + 61.4%

(nominal).

Chapter 07 7.6-45 Rev. 25, October 2022

NMP Unit 2 USAR 7.7 CONTROL SYSTEMS NOT REQUIRED FOR SAFETY 7.7.1 Description Section 7.7 describes instrumentation and controls of major plant control systems whose functions are not essential for the safety of the plant. The systems include:

1. RMCS system.
2. Recirculation flow control system.
3. Feedwater control system.
4. Refueling interlocks.
5. Steam bypass and pressure regulation system.
6. Performance monitoring system.
7. NMS system (TIP, RBM, SRM).
8. RWCU system.
9. LDS system.

Refer to Tables 7.7-1 and 7.7-2 for system design and supply responsibility and similarity to other plants previously reviewed by the NRC, respectively. The comparisons shown in Table 7.7-2 were considered valid at the time the operating license was issued.

All these systems are powered from the 120-V ac normal unit power supply.

7.7.1.1 Reactor Manual Control System - Instrumentation and Controls 7.7.1.1.1 Reactor Manual Control System Function The RMCS provides the Operator with the means to make changes in nuclear reactivity via the manipulation of control rods so that reactor power level and core power distribution can be controlled. This system is a power generation system, and is not classified as safety related.

The RMCS, in conjunction with the nuclear measurement analysis and control rod worth minimizer (NUMAC RWM), is designed to prevent rod movement (rod block) which could be potentially unsafe, leading to possible fuel damage or reactor scram. The RMCS does not include any of the circuitry or devices used to automatically or manually scram the reactor; these devices are discussed in Section 7.2. In addition, the mechanical devices Chapter 07 7.7-1 Rev. 25, October 2022

NMP Unit 2 USAR of the CRDs and the CRD hydraulic system are not included in the RMCS. The latter mechanical components are described in Section 4.6.1.

System Power Sources The RMCS receives electrical power from the 120-V ac normal UPS.

7.7.1.1.2 RMCS Operation The RMCS includes the following:

1. CRD control system.
2. Rod block trip system.
3. Rod position probes.
4. Position indication electronics.

Figure 4.6-5 shows the layout of the CRD hydraulic system.

Figure 7.7-1 shows the functional arrangement of devices for the control of components in the CRD hydraulic system. The block diagram for the RMCS is shown on Figure 7.7-2. Although the figures also show the arrangement of scram devices, these devices are not part of the RMCS. Control rods are moved by water pressure from a CRD pump. The pressurized water moves a piston, attached by a connecting rod to the control rod. Three modes of control rod operation are used: insert, withdraw, and settle. Four SOVs are associated with each control rod to accomplish these actions.

Rod Drive Control When the Operator selects a control rod for motion and operates the rod insert or withdraw control switch, independent messages are formulated in the A and B portions of the rod drive control system (Figure 7.7-3). A comparison test is made of these two messages, and identical results confirmed; then a serial message in the form of electrical pulses is transmitted to all hydraulic control units (HCUs). The message contains two portions: 1) the identity or address of the selected HCU, and 2) operation data on the action to be executed. Only the addressed HCU responds to this message and proceeds to execute the rod movement commands. On receipt of the transmitted signal, the responding HCU transmits a message back to the control room for comparison with the original command. It contains:

1. Its own hard-wire identity address.
2. Its own operations currently being executed.

Chapter 07 7.7-2 Rev. 25, October 2022

NMP Unit 2 USAR

3. Status indication of valve positions, accumulator conditions, and test switch positions.

In either rod motion direction, the A and B messages are formulated and compared each millisecond and, if they agree, are transmitted to the HCU selected by the Operator. Continued rod motion depends on receipt of a train of sequential messages because the HCU insert, withdraw, and settle valve control circuits are ac coupled. The system must operate in a dynamic manner to affect rod motion. Any disagreement between A and B formulated messages or the responding echo message will prevent further rod motion. Electrical noise disruptions will have only a momentary effect on the system operation. On Figure 7.7-4, three action loops of the solid-state RMCS are depicted:

1. Loop A The high-speed loop (duration 200 usec) alternately:
a. Commands the selected rod, and
b. Either scans a rod for status information or directs a portion of a single HCU self-test.
2. Loop B The medium-speed loop (143 msec duration) alternately:
a. Monitors the status of all rods.
b. Completes two five-step self-checks of one HCU unit.
3. Loop C The low-speed loop (41 to 253 sec duration) self-tests all HCUs one at a time to ensure correct execution of actions commanded. These tests are of such short duration that the valves do not move.

If a HCU fails a test or the return digital word is altered by electrical noise, Loop B automatically performs additional self-test checks. If these tests obtain good results, the loops proceed as usual, but if a preset number of errors is detected the system stops all rod motion by removing the ac power supplied to the drive control valves. Operator action is then necessary to restore the system to normal operation.

The rod selection circuitry is arranged so that a rod selection is sustained until either another rod is selected or separate action is taken to revert the selection circuitry to a no-rod-selection condition. Initiating movement of the selected rod prevents the selection of any other rod until the movement cycle of the selected rod has been completed. Reversion to the no-rod-selected condition is not possible (except for loss of control circuit power) until any moving rod has completed the movement cycle.

Chapter 07 7.7-3 Rev. 25, October 2022

NMP Unit 2 USAR The direction in which the selected rod moves is determined by the position of four switches located on the main reactor control panel. These four switches (INSERT, WITHDRAW, CONTINUOUS INSERT, and CONTINUOUS WITHDRAW) are push buttons that return by spring action to a contact open position.

Rod Motion Insert Cycle The following is a description of the operation of the RMCS during the insert cycle. The cycle is described in terms of the insert, withdraw, and settle commands from the RMCS.

With a control rod selected for movement, depressing the INSERT switch and then releasing the switch energizes the insert command for a limited time. Just as the insert command is removed, the settle command is automatically energized and remains energized for a limited time. The insert command time setting and the rate of drive water flow provided by the CRD hydraulic system determine the distance traveled by a rod. The time setting results in a one-notch (6-in) insertion of the selected rod when the insert push button is depressed.

Continuous insertion of a selected control rod is possible by holding the INSERT switch.

A second switch, continuous insert, can be used to effect continuous insertion of a selected control rod. By holding this switch in, the unit maintains the insert command in a continuous, energized state to cause continuous insertion of the selected control rod. When released, the timers are no longer bypassed and normal insert and settle cycles resume to time out and stop the drive.

Rod Motion Withdraw Cycle The following is a description of the operation of the RMCS during a withdraw cycle. The cycle is described in terms of the insert, withdraw, and settle commands.

With a control rod selected for movement, depressing the WITHDRAW switch energizes the insert valves at the beginning of the withdrawal cycle to allow the collet fingers to disengage the index tube. When the insert valves are de-energized, the withdraw and settle valves are energized for a controlled period of time. The withdraw valve is de-energized before motion is complete; the drive then settles until the collet fingers engage. The settle valve is then de-energized, completing the withdraw cycle.

This withdraw cycle is the same whether the WITHDRAW switch is held continuously or momentarily depressed. The timers that control the withdraw cycle are set so that the rod travels one notch (6 in) per cycle. Provisions are included to prevent further control rod motion in the event of timer failure.

A selected control rod can be continuously withdrawn if the WITHDRAW switch is held in the depressed position at the same time that the CONTINUOUS WITHDRAW switch is held in the depressed position. With both switches held in these positions, Chapter 07 7.7-4 Rev. 25, October 2022

NMP Unit 2 USAR the withdraw and settle commands are continuously energized, and the selected rod will continuously withdraw until the buttons are released and the withdraw timer completes its cycle or a rod block is generated.

Rod Block Trip System The rod block trip portion of the RMCS inhibits movement or selection of control rods upon receipt of input signals from other systems. The same grouping of neutron monitoring equipment that is used in the RPS is also used in the rod block circuitry.

Half of the monitors (SRM, IRM, APRM, and RBM) provide inputs to one of the RMCS rod block logic circuits. The remaining half provide inputs to the other RMCS rod block logic circuit. SDV high water level signals are provided as inputs into both of the two rod block logic circuits. Both rod block logic circuits sense when the high water level scram trip for the SDV is bypassed.

The rod withdrawal block from the NUMAC RWM trip affects both rod block logic circuits. The rod insert block from the NUMAC RWM prevents both notch insertion and continuous insertion.

The APRM rod block settings are determined from 100-percent recirculation flow. The RBM rod block settings are determined from APRM simulated thermal power (STP) level. Analyses show that the selected settings are sufficient to avoid both RPS action and control rod withdrawal error (RWE) under normal operating conditions. Mechanical switches in the SRM and IRM detector drive systems provide the position signals used to indicate that a detector is not fully inserted. The rod block from SDV high water level utilizes two nonindicating float switches installed on the SDV. Two additional float switches provide control room annunciation of increasing level below the level at which a rod block occurs.

Rod Block Functions The following discussion describes the various rod block functions and explains the intent of each function. The instruments used to sense the conditions for which a rod block is provided are discussed in the following sections. Figure 7.7-1 shows all the rod block functions on a logic diagram. The rod block functions provided specifically for refueling situations are described in Section 7.7.1.4. The Technical Specifications and TRM Section 3.3.2 provide specific operability requirements.

1. With the mode switch in the SHUTDOWN position, no control rod can be withdrawn. This enforces compliance with the intent of the shutdown mode.

Chapter 07 7.7-5 Rev. 25, October 2022

NMP Unit 2 USAR

2. The circuitry is arranged to initiate a rod block regardless of the position of the mode switch for the following conditions:
a. Any APRM upscale rod block alarm. The purpose of this rod block function is to avoid conditions that would require RPS action if allowed to proceed. The APRM upscale rod block alarm setting is selected to initiate a rod block before the APRM high neutron flux scram setting is reached.
b. Any APRM inoperative alarm. This ensures that no control rod is withdrawn unless the APRM channels are either in service or correctly bypassed.
c. SDV high water level. This ensures that no control rod is withdrawn unless enough capacity is available in the SDV to accommodate a scram.

The setting is selected to initiate a rod block earlier than the scram that is initiated on SDV high water level.

d. SDV high water level scram trip bypassed. This ensures that no control rod is withdrawn while the SDV high water level scram function is out of service.
e. The NUMAC RWM can initiate a rod insert block and a rod withdrawal block. The purpose of these functions is to reinforce procedural controls that limit the reactivity worth of control rods under lower power conditions. The rod block trip settings are based on the allowable control rod worth limits established for the design basis rod drop accident. Adherence to prescribed control rod patterns is the normal method by which this reactivity restriction is observed.
f. The RSCS function has been removed and can no longer initiate a rod insert block and rod withdrawal block.
g. Rod position information system (RPIS) malfunction. This ensures that no control rod can be withdrawn unless the RPIS is in service.
h. Either RBM upscale alarm. This function stops the erroneous withdrawal of a control rod so that local fuel damage does not result. The trip setting is selected so that no local fuel damage results from a single control RWE during power range operation.

Chapter 07 7.7-6 Rev. 25, October 2022

NMP Unit 2 USAR

i. Either RBM inoperative alarm. This ensures that no control rod is withdrawn unless the RBM channels are in service or correctly bypassed.
j. Low LPRM count for any APRM will initiate a rod withdrawal block.
3. With the reactor mode switch in the RUN position, any of these additional conditions initiate a rod block:
a. Any APRM downscale alarm. This ensures that no control rod will be withdrawn during power range operation unless the APRM channels are operating correctly or are correctly bypassed. All unbypassed APRMs must be on scale during reactor operations in the RUN mode.
b. Either RBM downscale alarm. This ensures that no control rod is withdrawn during power range operation unless the RBM channels are operated correctly or are correctly bypassed. Unbypassed RBMs must be on scale during reactor operations in the RUN mode.
c. Any recirculation flow unit upscale or inoperative. This ensures that no control rod is withdrawn unless the flow channels are operable and the flow rate is not unusually high.
4. With the mode switch in the STARTUP or REFUEL position, any of these additional conditions initiate a rod block:
a. Any SRM detector not fully inserted into the core when the SRM count level is below the retract permit level and any IRM range switch on either of the two lowest ranges. This ensures that no control rod is withdrawn unless all SRM detectors are correctly inserted when they must be relied on to provide the Operator with neutron flux level information.
b. Any SRM upscale alarm and IRM range switch not on Range 8 or above. This ensures that no control rod is withdrawn unless the SRM detectors are correctly retracted during a reactor startup.

The rod block setting is selected at the upper end of the range over which the SRM is designed to detect and measure neutron flux.

c. Any SRM downscale alarm and IRM range switch on the lowest two ranges. This ensures that no control rod is withdrawn unless the SRM count Chapter 07 7.7-7 Rev. 25, October 2022

NMP Unit 2 USAR rate is above the minimum prescribed for low neutron flux level monitoring.

d. Any SRM inoperative alarm and any IRM range switch on Range 7 or below. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available.
e. Any IRM detector not fully inserted into the core. This ensures that no control rod is withdrawn during low neutron flux level operations unless proper neutron monitoring capability is available.
f. Any IRM upscale alarm. This ensures that no control rod is withdrawn unless the IRM equipment is correctly upranged during a reactor startup.

This rod block also provides a means to stop rod withdrawal in time to avoid conditions requiring RPS action (scram) in the event that a RWE is made during low neutron flux level operations.

g. Any IRM downscale alarm except when range switch is on the lowest range. This ensures that no control rod is withdrawn during low neutron flux level operations unless the neutron flux is being correctly monitored. This rod block prevents the continuation of a reactor startup if the Operator upranges the IRM too far for the existing flux level. Thus, the rod block ensures that the IRM is on scale if control rods are to be withdrawn.
h. Any IRM inoperative alarm. This ensures that no control rod is withdrawn during low neutron flux level operations unless neutron monitoring capability is available.

Rod Block Bypasses The APRM, SRM, and IRM trip functions (a total of 12) to the rod block are provided with additional channels beyond the Technical Specification or TRM Section 3.3.2 minimum. To permit continued power operation during repair or calibration of equipment for selected functions that provide rod block interlocks, a limited number of manual bypasses are permitted as follows:

1. One SRM channel.
2. Two IRM channels (one on RPS Bus A and one on RPS Bus B).
3. One APRM channel.
4. One RBM channel.

Chapter 07 7.7-8 Rev. 25, October 2022

NMP Unit 2 USAR The permissible IRM and APRM bypasses are arranged in the same way as in the RPS. The IRMs are arranged as two groups of equal numbers of channels. One manual bypass is allowed in each group. The groups are chosen so that adequate monitoring of the core is maintained with one channel bypassed in each group. The arrangement allows the bypassing of one IRM in each rod block logic circuit and one APRM. These bypasses are affected by positioning switches in the control room. A light in the control room indicates the bypassed condition.

An automatic bypass of the SRM detector position rod block is affected as the neutron flux increases beyond a preset low level of the SRM instrumentation. The bypass allows the detectors to be partially or completely withdrawn as a reactor startup is continued.

An automatic bypass of the RBM rod block occurs when the power level is below a preselected level or when a peripheral control rod is selected. Either condition indicates that local fuel damage is not threatened and that RBM action is not required.

The NUMAC RWM rod block function is automatically bypassed when reactor power increases above a preselected value in the power range. The RWM can be manually bypassed for maintenance at any time, provided that administrative requirements are satisfied.

Rod Position Probes The rod position probe is a long cylindrical assembly that fits inside the CRD. It includes 53 magnetically operated reed switches, located along the length of the probe and operated by a permanent magnet fixed to the moving part of the hydraulic drive mechanism. As the drive and control rod blade move along its length, the magnet causes reed switches to close as it passes over the switch locations. The particular switch closed then indicates where the CRD, and hence the rod itself, is positioned. The switches are located as follows:

No. of Switches Switch Indication 1 Beyond full in 2 Full in at notch 00 23 Even notch positions 02-46 24 Odd midnotch positions 01-47 2 Full out at notch 48 1 Overtravel - beyond full out All of the midnotch or odd switches are wired in parallel and treated as one switch (for purposes of external connections),

and the two full-in switches are wired in parallel and treated as one switch. These and the remaining switches are routed out in an 11-wire cable to the processing electronics. (The probe Chapter 07 7.7-9 Rev. 25, October 2022

NMP Unit 2 USAR also includes a thermocouple which is wired out separately

[Figure 7.7-5].)

Position Indication Electronics The position indication electronics consist of a set of probe multiplexer cards (one per 4-rod group), a set of file control cards (one per 11 multiplexer cards), and one set of master control and processing cards serving the whole system. All probe multiplexer cards are the same except that each has a pair of plug-in daughter cards containing the identity code of one 4-rod group (the probes for the corresponding four rods are connected to the probe multiplexer card). The system operates on a continuous scanning basis with a complete cycle every 45 msec.

The operation is as follows: The control logic generates the identity code of one rod in the set, and transmits it using time multiplexing to all the file control cards. These in turn transmit the identity with timing signals to all of the probe multiplexer cards. The one multiplexer card with the matching rod identity will respond and transmit its identity (locally generated) plus the raw probe data for that rod back through the file control card to the master control and processing logic.

The processing logic does several checks on the returning data.

First, a check is made to verify that an answer was received.

Next, the identity of the answering data is checked against that which was sent. Finally, the format of the data is checked for legitimacy. Only a single even position, full-in plus position 00, full-out plus position 48, odd, overtravel, or blank (no switch closed) are legitimate. Any other combination of switches is flagged as a fault.

If the data pass all of these tests, they are:

1. Decoded and transmitted in multiplexed form to the displays in the main control panel, and
2. Loaded into a memory to be read by the computer as required.

As soon as the rod's identity is processed, the next rod's identity is generated and processed and so on for all of the rods. When data for all rods have been gathered, the cycle repeats. The RMCS is totally operable from the main control room. Manual operation of individual control rods is possible with a jog switch to affect the control rod insertion and withdrawal. Rod position indicators, described below, provide the necessary information to ascertain the operating state and position of all control rods. Conditions that prohibit control rod insertion are alarmed with the rod block annunciator.

7.7.1.1.3 RMCS Control Room Displays Chapter 07 7.7-10 Rev. 25, October 2022

NMP Unit 2 USAR The rod information display on the reactor control panel is patterned after a top view of the reactor core. The display is designed to allow the Operator to rapidly acquire information by scanning. Across the face of the full core display are marks indicating the location of the rods in the core. Next to each mark are several indicators that illuminate to indicate specific conditions associated with the rod. These indicators are as follows:

Indicator Lamp Color Meaning XX-YY White Rod selected Drift Red Rod is drifting Accum Amber Accumulator trouble Scram Blue Scram valves have opened Full in Green Rod is full in Full out Red Rod is full out During operation, all rods either fully withdrawn or fully inserted are indicated on the full core display with the full-in or full-out lights. In addition to the indication on the full core display, a drifting rod is indicated by an alarm and light in the control room. The rod drift condition is also monitored by the process computer through the NUMAC RWM.

Surrounding every group of four rods on the full core display are four LPRM displays. Each display consists of an amber LPRM upscale and a white LPRM downscale indicator for each detector (A, B, C, and D level) in that particular LPRM string.

In nonperipheral regions of the core, the volume within the perimeter of the square formed by four LPRM strings contains four control rods. This is represented by another display using four digital windows displaying the notch position of four rods inside four LPRM strings. The selected rod determines which group of four rods is displayed. When a rod is selected, the digital window corresponding to the selected rod is backlit, and the backlit window indicates the selected rod's position. The other three rods of the four-rod group have their notch positions displayed in the digital windows in the same geometric arrangement as exists between those four rods in the core. Rod groups at the periphery of the core may have less than four rods. When the selected rod is a member of a group with less than four rods, the rod positions are displayed as before and the digital window corresponding to a rod that does not exist remains blank. The Operator can also obtain a computer printout of all rod positions.

On either side of the 4-rod position display are 8 meters indicating the readings of the 16 LPRMs surrounding the core volume containing the selected rod. These 16 LPRM displays Chapter 07 7.7-11 Rev. 25, October 2022

NMP Unit 2 USAR permit the Operator to monitor changes in local flux around each rod as it is moved. By changing the selected rod, the Operator can examine the flux at each LPRM in the core.

If a rod drive piston moves to the overtravel position, an alarm is sounded in the control room. This provides a means to verify that the drive-to-rod coupling is intact because, with the coupling in its normal condition, the drive cannot be physically withdrawn to the overtravel position. Coupling integrity can be checked by attempting to withdraw the drive to the overtravel position.

The rod drive control system provides data for display to the selected rod identification, accumulator trouble, and rod scram indicators. The LPRM high and low flux levels and the 16 LPRM readings are provided by the power range NMS. The remaining information to the displays and the position information for the process computer are provided by the RPIS of RMCS.

The following main control room indicators are provided to allow the Operator to know the conditions of the CRD hydraulic system and the control circuitry:

1. Stabilizer valve selector switch position.
2. Insert command energized.
3. Withdraw command energized.
4. Settle command energized.
5. Withdrawal not permissive.
6. Continuous withdrawal.
7. Pressure control valve position.
8. Flow control valve (FCV) position.
9. Drive water pump low suction pressure (alarm and pump trip).
10. Drive water filter high differential pressure (alarm only).
11. Charging water (to accumulator) low pressure (alarm only).
12. CRD high temperature (alarm only).
13. SDV not drained (alarm only).

Chapter 07 7.7-12 Rev. 25, October 2022

NMP Unit 2 USAR

14. Scram valve pilot air header high/low pressure (alarm only).

7.7.1.1.4 Environmental Consideration The RMCS (control and position indication circuitry) is not required for any plant safety function, nor is it required to operate during any associated DBA or transient occurrence. The reactor manual control circuitry is required to operate only in the normal plant environments during normal power generation operations.

The CRD HCUs are located outside the drywell in the reactor building. The logic, control units, and readout instrumentation are located in the main control room.

The CRD and position detectors are located beneath the reactor vessel in the drywell. The normal design environments encountered in these areas are given in Section 3.11.

Setpoints The RMCS has no safety setpoints.

7.7.1.1.5 Rod Sequence Control Subsystem to the RMCS The RSCS function has been removed in support of the NRC Safety Evaluation for Amendement 17 of GE Licensing Topical Report NEDE-24011-P-A, dated December 27, 1987.

7.7.1.1.6 Nuclear Measurement Analysis and Control Rod Worth Minimizer (NUMAC RWM)

The NUMAC RWM is a standalone microprocessor-based system used to assist the Operator in effecting rod pattern control. The principal function of the RWM is to limit rod motion such that high worth rods are not created, thereby limiting the maximum increase due to control rod drop accident (CRDA). The NUMAC RWM monitors and enforces adherence to established low power level rod insert and withdraw sequences. This function prevents the initiation of control rod patterns that are not consistent with the prescribed sequence by initiating appropriate rod select error warning, rod withdraw block and rod insert block signals.

The NUMAC RWM enforces control rod sequencing procedures to limit (and thereby minimize) individual control rod worth to acceptable levels as determined by the rod drop accident design basis.

7.7.1.2 Recirculation Flow Control System - Instrumentation and Controls System Function Chapter 07 7.7-13 Rev. 25, October 2022

NMP Unit 2 USAR The function of the recirculation flow control system is to circulate reactor coolant through the core and to provide a means of controlling reactor power output, over a limited range, by varying the rate of flow of the coolant.

System Description

The recirculation flow control system consists of the electrical circuitry, switches, indicators, motors, and alarm devices provided for operational manipulation of the recirculation FCVs and the LFMG set and for surveillance of associated equipment.

This system is a power generation system and is classified as not related to safety.

Reactor recirculation flow is varied by throttling the recirculation pump discharge with control valves. The recirculation pumps operate at constant speed on either the LFMG or normal 60-Hz power. By adjusting the position of the discharge throttling valves, the recirculation system can automatically change the reactor power level.

The recirculation pump/motor will operate from the normal plant electrical supply during normal plant power operation. During periods of low power level such as plant startup and shutdown, the recirculation pump and motor will be powered by the LFMG set and will operate at approximately 25 percent of rated full load speeds.

For a rod pattern where rated power accompanies 100-percent flow, power can be reduced to approximately 65 percent of full power by manual flow variation. An increase in recirculation flow temporarily reduces the void content of the moderator by increasing the flow of coolant through the core. The additional neutron moderation increases reactivity of the core, which causes reactor power level to increase. The increased steam generation rate increases the steam volume in the core with a consequent negative reactivity effect, and a new steady-state power level is established. When recirculation flow is reduced, the power level is reduced in the reverse manner. The recirculation flow control system operates in conjunction with the main turbine pressure regulator controls.

Each FCV has its individual manual control system as well as the capability of being controlled in unison (Figure 7.7-7). With the system in flux automatic, the Operator demands a certain neutron flux level in the reactor which is compared with a filtered measurement of neutron flux. The resulting error is fed into a flux controller, which in turn demands a drive flow in each loop. Each loop has an individual flow controller that causes adjustment of valve position to meet a demanded change in loop flow and hence core flow and core power. This process continues until the error existing at the input of the flux controller is driven to zero.

Chapter 07 7.7-14 Rev. 25, October 2022

NMP Unit 2 USAR The reactor power change resulting from change in recirculation flow causes the pressure regulator to reposition the turbine control valves (TCVs) and, hence, the power output.

Low-Frequency Motor Generator Set The LFMG set consists of a 16-pole ac induction motor that drives a four-pole ac synchronous generator through a flexible coupling. This arrangement provides one-quarter normal plant frequency at the output of the generator. The generator exciter is directly connected to the generator to provide a brushless excitation system. The voltage regulator for the excitation system is located in the auxiliary relay panel, which is separate from the LFMG set.

Valve Position Control Components The main flow regulating valves can be controlled individually or jointly. The flux demand limiter, flux controller, and total drive flow limiter are common to the control of both valves. The signal from these components is fed to two separate sets of control system components, one for each valve, which are: a manual/automatic transfer station, an error limiter, a flow controller, a high-low signal failure alarm, a loss of signal valve motion inhibit interlock, a drive flow feedback signal to each flow controller, a valve actuator, and a limiter. The limiter closes the main flow regulating valve if one of the reactor feed pumps should trip, with a coincident or subsequent reactor vessel low water level.

Flux Demand Limiter The flux demand limiter is adjustable. Its purpose is to limit the neutron flux demanded by the flux controller, keeping it sufficiently below the high flux scram point to prevent scrams during reactor power increases.

Flux Controller The flux controller supplies a total drive flow demand signal to a flow controller station, which in turn supplies each flow loop with a demand signal. Under automatic control, the flux controller output is compared to the sensed loop flow from the feedback proportional amplifiers in each loop. The error signal is fed via the flow controller amplifier to the valve position, resulting in a change of loop flow and therefore core power.

Neutron flux is sensitive to changes in core flow in the frequency range of approximately 0.015 - 0.15 Hz. The flux controller compensates for this effect. To respond to system feedwater or pressure disturbances, it provides a high gain output for low-frequency input signals.

Drive Flow Limiter The drive flow demand limiter is adjustable.

The high signal limit is to limit the flow demand signal input to the flow controller. The low signal limit is determined from reactor core stability aspects when on automatic flow control.

Chapter 07 7.7-15 Rev. 25, October 2022

NMP Unit 2 USAR There is no low flow limit in the manual mode, and the valve can be fully closed.

Flux Feedback Isolation Amplifier The flux feedback isolation amplifier performs a dual function. It is a secondary amplifier that completely isolates the reactor flow control system from the NUMAC PRNM system that supplies the APRM input signal. It also filters process noise above approximately 1 Hz in the flux signal. A failure in the amplifier cannot interfere with the protection system function of the PRNM system. Rod block monitor A in the PRNM system provides an isolated APRM signal so that the system complies with the requirements of IEEE-279-1971, Paragraph 4.7.

Manual/Automatic Transfer Stations Switching between manual and automatic operations is done on the flux and individual flow controllers using a manually operated switch.

Setting the flow control transfer switches to manual provides separate signals to the FCVs. Setting the flow control transfer switches to the automatic position provides ganged parallel operation of the flow control loops from the flux control station. Setting the flux control transfer switch to automatic allows the manual control to provide the setpoint for the flux controller and, hence, the signal to the valves if the individual controllers are in automatic.

Flow Controller The individual flow controller (one for each valve) transmits the signal that adjusts the valve position.

During automatic operation, the input signal is received from the flux controller. During manual operation, each flow-regulating valve can be manually positioned with the manual output signal raise/lower push buttons provided on each flow controller.

Limiter A limiting function is provided. Electronic limiting with reasonable range adjustment is provided in each main flow control loop. This limiter normally is held bypassed by auxiliary devices such as relay contacts. When the limiting permissive condition is reached, the main regulating valve control signal is limited to close the valve to the desired position.

Valve Actuator The valve actuator (one for each valve) is the electrohydraulic device that moves the FCV to the desired position and maintains it there. The valve control system is designed to maintain the valve in the last position demanded if control power is lost.

The valve actuator has an inherent rate-limiting feature that will limit the resulting rate of change of core flow and power to within safe limits in the event of an upscale or downscale failure of the valve position or velocity control system.

Chapter 07 7.7-16 Rev. 25, October 2022

NMP Unit 2 USAR Recirculation Pump Trip In addition to the RPT discussed in Section 7.6.1.5, and the normal motor-protection pump trips, the RRCS will trip the recirculation pump motors from the normal and low-frequency power sources. Upon sensing reactor vessel low water level (Level 2) and/or high dome pressure, or when initiated manually, the RRCS will provide the signals to trip the various pump power supply circuit breakers. The RRCS is discussed in Section 7.6.1.8.

Control Interlocks Operating conditions have been identified which could result in cavitation of the FCV, recirculation pump, and/or jet pumps. Operating procedures require the plant Operator to avoid these conditions. In the event that, due to Operator error, these conditions are not avoided, automatic interlocks exist which will prevent operation at these conditions. These interlocks are discussed under system operation.

System Operation Reactor Low Power Level - LFMG Set Auto Sequence During plant startup, when reactor power level is not high enough (less than 30 percent of rated power) to provide sufficient subcooling to prevent cavitation of the FCV, a signal to start the recirculation pumps closes the main power source breaker, accelerating the pump from zero to 100-percent speed, starts the LFMG set, trips the main power breaker at 100-percent speed, and closes in the LFMG set generator breaker when the pump coasts down to 25-percent speed.

The pump start can only occur if the recirculation suction and discharge valves are open, the FCV is at a minimum position, the M/A station is in manual, control power is available to the LFMG set breakers, and the electrical protection relays on the LFMG set have not actuated.

Reactor Normal Power Level Low Speed to High Speed Transfer Once reactor power level is greater than 30 percent, the Operator may transfer the recirculation pumps to the main power source from the LFMG set or, if the pumps are tripped, they may be started by the main power source and will not transfer back to the LFMG set. These sequences can only occur if the suction and discharge valves are greater than 90-percent open, the FCV is at minimum position*, the M/A station is in manual, pump

  • If a recirculation FCV becomes stuck at minimum position after pump upshift to high speed, the pump may be downshifted and the valve position switch interlock temporarily bypassed to allow recirculation pump upshift with valve position up to 22-percent open (hot indicated) for the first pump upshifted and up to 20-percent open (hot indicated) for the second pump upshifted.

Chapter 07 7.7-17 Rev. 25, October 2022

NMP Unit 2 USAR speed is less than 20 percent, feedwater flow is normal, reactor water level is normal, steam line to recirculation suction T is normal, and RPT has not occurred.

The power transfer signal trips the LFMG set and, once the generator breaker is open, closes the main power source breaker which causes the pump to accelerate to 100-percent speed. The FCV can then be used to control flow.

High Speed to Low Speed Auto Transfer Sequence During plant shutdown, when reactor power level approaches 26 percent decreasing, the Operator will transfer the recirculation pumps from high-speed to low-speed operation. Interlocks require this transfer to be performed on both pumps simultaneously, thus avoiding an undesirable loop flow mismatch. Placing the control switch for both pumps into the transfer position automatically starts both LFMG sets, trips the main power source breakers, and closes the LFMG generator breakers when the pumps reach 25 percent speed. High- to low-speed transfer will automatically occur on RPT (Section 7.6.1.5), less than 26-percent feedwater flow with less than 60-percent recirculation flow, reactor water low level (Figure 7.7-6). During high- to low-speed transfer, a tripped pump will not be energized by the LFMG set at 25-percent speed if the other pump has failed to trip.

Single Loop Operation With one RCS recirculation loop not in operation, the following operational limits apply:

1. Operate the recirculation flow control system in the Loop Manual (Position Control) mode;
2. Maintain THERMAL POWER; and
3. Maintain the volumetric drive flow rate of the operating recirculation loop steady state drive flow 41,800 gpm. The drive flow limit in SLO was determinedduring the startup test program at Unit 2 to be 41,800 gpm. In addition, full flow testing performed at the BWRVIP/EPRI jet pump test facility with the slip joint clamps installed ensures no slip joint instability induced vibration for drive flows greater than the steady state flow limit of 41,800 gpm (Reference 9). For single reactor recirculation loop operation (SLO), an interim drive flow operating limit of 35,000 gpm is required to prevent the onset of unacceptable jet pump slip joint instability induced reactor vessel internals (jet pumps) vibration. This will remain an interim limit until full flow testing at the BWRVIP/EPRI jet pump test facility can be completed.

Verify items 1, 2, and 3 above at least once per 12 hr.

Chapter 07 7.7-18 Rev. 25, October 2022

NMP Unit 2 USAR 7.7.1.3 Feedwater Control System - Instrumentation and Controls System Function The feedwater control system controls the flow of feedwater into the reactor vessel to maintain the vessel water level within predetermined limits during all normal plant operating modes.

The range of water level is based on the requirements of the steam separators; this includes limiting carry-over, which affects turbine performance, and carry-under, which affects recirculation pump operation. The feedwater control system utilizes vessel water level, steam flow, and feedwater flow as a three-element control (Figure 7.7-8).

Single-element control is also available based on water level only. Normally, the signal from the feedwater flow is equal to the steam flow signal; thus, if a change in the steam flow occurs, the feedwater flow follows. The steam flow signal provides anticipation of the change in water level that will result from change in load. The level signal provides a correction for any mismatch between the steam and feedwater flow which causes the level of the water in the reactor vessel to rise or fall accordingly.

System Operation During normal plant operation, the feedwater control system automatically regulates feedwater flow into the reactor vessel.

The system can be manually operated (Figure 7.7-8).

The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel.

During automatic operation, these three measurements are used for controlling feedwater flow.

The optimum reactor vessel water level is determined by the requirements of the steam separators. The separators limit water carry-over in the steam going to the turbines and limit steam carry-under in water returning to the core. The water level in the reactor vessel is maintained within +/-2 in of the setpoint value during normal operation and within the high and low level trip setpoints during normal plant maneuvering transients. This control capability is achieved during plant load changes by balancing the mass flow from the reactor vessel.

The feedwater control system utilizes constant-speed induction motor-driven feed pumps and a flow output which is controlled by throttling valves (Figure 10.4-11).

The RRCS can initiate a feedwater runback reducing flow to zero within 15 sec. Up to 100 gpm of feedwater leakage per valve is evaluated for a feedwater runback resulting from an ATWS event.

The 100 gpm is considered insignificant and does not impact the ATWS analysis. This runback is independent of normal feedwater control operation and overrides the loss-of-signal interlock which prohibits change of feed pump output under loss of control signal conditions. The RRCS initiates feedwater runback after high dome pressure has been sensed for 25 sec and if the APRM Chapter 07 7.7-19 Rev. 25, October 2022

NMP Unit 2 USAR output channels are not downscale or are inoperative. A "RRCS FW Auto Init Runback-Disable" control switch is provided to allow the Operators to inhibit the RRCS auto FWRB signal during IST of the RRCS system, when spurious ATWS trip signals may occur. Use of this switch is controlled administratively and will be annunciated in the control room. The RRCS is discussed in Section 7.6.1.8.

The following is a discussion of the variables sensed for system operation:

Reactor Vessel Water Level Reactor vessel narrow range water level is measured by three sensing systems. For each channel a differential pressure transmitter senses the difference between the pressure caused by a constant reference column of water and the pressure caused by the variable height of water in the reactor vessel. The differential pressure transmitter is installed on lines that serve other systems. The transmitters are qualified as safety grade pressure integrity instruments since they share a common instrument line with those of other systems. The instruments themselves are separated both physically and electrically from Class 1E instruments since they are supplied from non-1E buses and supply non-1E equipment. The three differential pressure signals are used for feedwater control, control room indication, control room high water level annunciation, and trip function. The three level signals are processed through the digital feedwater control system (DFWCS) validation logic with the validated signal used for feedwater flow control. All three narrow range level signals are supplied to alarm units which are independent of the DFWCS.

Should any of the three channels indicate high reactor vessel water level, the associated alarm unit will cause annunciation in the control room. The high water level trip outputs of the three alarm units are arranged in a two-out-of-three logic configuration to trip the main turbine and three feedwater pump motors. Reactor pressure is measured by a single sensing channel and is indicated in the control room along with narrow range water level indications. A fourth level sensing system (upset range) provides level information beyond the span of the narrow range devices. The selected narrow range water level and upset range water level signals are displayed on a trend graphic of the DFWCS.

Main Steam Line Flow Steam flow is sensed at each main steam line flow restrictor by a differential pressure transmitter. A signal proportional to the true mass steam flow rate is linearized and indicated in the main control room. The signals are processed through the DFWCS validation logic to produce a total steam flow signal for feedwater flow control. The total steam flow signal is displayed on a trend graphic of the DFWCS.

Feedwater Flow Feedwater flow is sensed at a flow element in each feedwater line by differential pressure transmitters. The Chapter 07 7.7-20 Rev. 25, October 2022

NMP Unit 2 USAR feedwater signals are processed through the DFWCS validation logic to provide a total mass flow signal. The total mass flow signal is displayed on a trend graphic of the DFWCS. Valve position control is the flow adjustment technique involved.

Three modes of feedwater flow control are provided:

1. Low power automatic level control.
2. High power automatic level control.
3. Manual control.

Separate level controllers are provided for each automatic mode.

A master level control station contains a setpoint indicator, process variable indicator, an output indicator, a manual output control, manual automatic switching capability, and a manual setpoint adjustment. In the low power level control mode, measured level is compared to level setpoint. The resulting signal is conditioned by the proportional plus integral controller and transmitted to the startup level control valves.

During normal operation single-element or three-element automatic control is provided. The single-element source is the reactor water level. The three-element source includes measurements of steam flow, feedwater flow, and reactor water level. High power level control normally operates in three-element control. Failures in the steam flow or feedwater flow signals will cause the high power controller to automatically transfer to single-element control. During automatic operation of the feedwater control system, the level controller output is a function of the level and flow errors in the system.

Manual control is available by selecting manual on the manual-automatic (M/A) control stations. Flow change is accomplished by depressing the RAISE button or LOWER button depending on the desired flow change. Output is indicated on the M/A control station.

The level control system also provides interlocks and control functions to other systems. If less than two feedwater pumps or less than three condensate booster pumps are in operation and reactor power, as measured by steam flow, is above a predetermined setpoint, recirculation flow is reduced to within the power capability of the remaining reactor feed pump. The runback on a condensate booster pump trip prevents a low-suction pressure trip of the feedwater pumps. This reduction aids in avoiding a low level scram by reducing the steaming rate.

Reactor recirculation flow is also reduced on sustained low feedwater flow coincident with low recirculation flow control valve position to ensure that adequate net positive suction head (NPSH) will be provided for the recirculation system.

Alarms on steam flow are provided for use in the NUMAC RWM logic. Interlocks from steam flow and feedwater flow are used to initiate insertion of the NUMAC RWM block. An alarm on low Chapter 07 7.7-21 Rev. 25, October 2022

NMP Unit 2 USAR steam flow indicates that the NUMAC RWM insertion interlock setpoint is being approached. Alarms are also provided for: 1) high and low water level, and 2) reactor high pressure.

Interlocks will trip the plant turbine and feedwater pumps in the event of reactor high water level.

Feedwater is delivered to the reactor vessel through two constant-speed, induction motor-driven pumps arranged in parallel. A third constant-speed, induction motor-driven pump is on standby as a backup for either of the other two pumps.

During planned operation, the feedwater control signal from the level controller is fed to the valve position control systems that adjust the position of their associated throttling valves, so that the feedwater flow is proportional to the feedwater demand signal. Each valve can be controlled by its manual/automatic transfer station. If the feedwater control signal is lost, the valve positioner locks the control valve at its position just prior to losing the signal.

7.7.1.4 Refueling Interlocks - Instrumentation and Controls 7.7.1.4.1 Refueling Interlocks Function The purpose of the refueling interlocks is to restrict the movement of more than one control rod during the refueling mode of operation.

The refueling interlocks system is not required to function during a LOCA, nor is its purpose to limit the release of radioactive materials. Thus, it is not considered a safety-related system.

7.7.1.4.2 Refueling Interlocks Operation and Equipment The refueling interlocks circuitry senses the condition of the refueling equipment and the control rod position to prevent movement of refueling equipment or control rods that might place refueling floor operating personnel in a potentially unsafe situation. These interlocks are a backup to administrative procedures that limit core reactivity during refueling operations. Redundant circuitry is provided to sense the following conditions:

1. All rods inserted.
2. Refueling platform positioned near or over the core.
3. Service platform jib crane loaded.
4. Fuel grapple, frame-mounted hoist, or monorail hoist fuel loaded.

Chapter 07 7.7-22 Rev. 25, October 2022

NMP Unit 2 USAR Additional circuitry monitors the mode switch in REFUEL position. The indicated conditions are combined in logic circuits to satisfy all restrictions on refueling equipment operations and control rod movement (Table 7.7-3).

Refueling Interlock Sensors The refueling interlock sensors include the following:

1. Position limit switches for the refueling platform "over the vessel" location. These limit switches provide inputs (permissives) in conjunction with the reactor control circuitry to the bridge reverse motion control circuit. Either switch can send a signal to the RMCS to cause a rod block with the reactor in the refuel mode and the fuel grapple loaded, or a rod block in the startup mode if the platform is near or over the core. These two mechanical switches are attached to the platform, and are tripped open by a long, stationary ramp mounted adjacent to the platform rail. These switches open before the platform or any of its hoists is physically located over the reactor vessel to indicate the approach of the platform toward the core.
2. Load limit switches on the fuel grapple, the monorail-mounted hoist, and the frame-mounted hoist.

These switches are set to operate when the hoist is loaded with a fuel bundle. The hoist loaded signal can initiate a rod block or prevent the motion of the refueling bridge toward the core if conditions warrant. The load switches open at a load weight that is lighter than that of a single fuel assembly.

In addition to the above, the mode switch and RMCS provide signals to the refueling interlocks to prevent hoist and platform motions under certain conditions (Table 7.7-3). The two portions of the RMCS operate two contacts to indicate an all-rods-in condition. The full-in condition for each rod is established by closure of a magnetically operated reed switch in the rod's position indicator probe (Section 7.7.1.1.2). The circuitry in the RMCS requires that the FULL IN switch must be closed for each rod before the all-rods-in signal to the refueling equipment is generated.

In the refueling mode, the control room Operator has an indicator light for REFUELING MODE SELECT PERMISSIVE whenever all control rods are fully inserted. He can compare this indication with control rod position data from the computer as well as control rod in-out status on the full core display.

Whenever a control rod withdrawal block situation occurs, the Operator receives annunciation and computer logs of the rod block. The Operator can compare these outputs with the status of the variable providing the rod block condition. Both channels of the control rod withdrawal interlocks must agree Chapter 07 7.7-23 Rev. 25, October 2022

NMP Unit 2 USAR that permissive conditions exist to move control rods; otherwise, a control rod withdrawal block occurs. Failure of one channel may initiate a rod withdrawal block, and will not prevent application of a valid control rod withdrawal block from the remaining operable channel (Table 7.7-3).

During refueling operations, no more than one control rod is permitted to be withdrawn. This is enforced by logic within the RMCS that prevents the selection of a second rod for movement with any other rod not fully inserted in the refuel mode. With the mode switch in REFUEL, the RMCS circuitry prevents the withdrawal of more than one control rod and the movement of the loaded refueling platform over the core with any control rod withdrawn.

During refueling operations, bypassing of individual control rod position indication inputs to the one-rod-out refueling interlock is permitted, as described in Appendix 15E, for full core offload, and the Technical Specifications for any other refueling condition.

Operation of refueling equipment is prevented by interrupting the power supply to the equipment. Interlock de-energization of the bridge drive power prevents its motion, and de-energization of the hoist power supply opens the hoist load switches giving a false indication that the hoist is loaded. This indication prevents control rod withdrawal with the mode switch in the STARTUP or REFUEL positions.

Refueling Interlock Indication and Controls Each hoist has a digital load cell readout that displays hoist load directly to the Operator. Load sensing is by electrical load cells. Associated interlock for the main hoist is performed by programmable logic controller (PLC) logic which receives signals from the load cell. For the frame-mounted auxiliary hoist and the monorail auxiliary hoist, associated interlock is performed by electronic setpoint modules which receive a signal from their respective load cells.

The vertical position of the grapple is shown by an indicator in the Refueling Bridge Operator cab. After calibration this readout allows the Operator to know the relative separation between fuel assemblies in the core and the grapple. Elsewhere in the Operator's cab are individual push buttons and rotary control switches for local control of the platform and its hoists, and a digital-type readout for the platform's X-Y position relative to the reactor core. The Platform Operator can immediately determine whether the platform and hoists are responding to his local instructions and can, in conjunction with the Control Room Operator, verify proper operation of each of the three categories of interlocks (hoist loaded, bridge position, and rod position).

Refueling Interlocks Service Platform Bypass A bypass for the service platform hoist load interlock is provided. When the service platform is no longer needed, its Chapter 07 7.7-24 Rev. 25, October 2022

NMP Unit 2 USAR power plug is removed. This de-energizes the power supply to the hoist. De-energizing the service platform hoist power supply opens the hoist load switches and gives a false indication that the hoist is loaded. This indication prevents control rod withdrawal with the mode switch in the STARTUP or REFUEL positions. The bypass plug is physically arranged to prevent the connection of the service platform power plug unless the bypass plug is removed.

7.7.1.4.3 Level of Interlock Action The rod block interlocks and refueling platform interlocks provide two independent levels of interlock action. The interlocks that restrict operation of the platform hoist and grapple provide a third level of interlock action since they are required only after a failure of a rod block and refueling platform interlock.

7.7.1.5 Steam Bypass and Pressure Regulation System 7.7.1.5.1 System Function As a direct-cycle BWR, the turbine is slaved to the reactor in that all steam generated by the reactor (except steam to the moisture separator reheaters) is normally accepted by the turbine. The operation of the reactor requires that pressure regulation be employed to maintain a constant (within the range of the regulator controller proportional band setting) turbine inlet pressure with load following ability accomplished by variation of the reactor recirculation flow.

The turbine pressure regulator normally controls the TCVs to maintain constant (within the range of the regulator controller proportional band setting) turbine inlet pressure at a particular value. In addition, the pressure regulator also operates the steam bypass valves in such a way that a portion of nuclear boiler rated (NBR) flow can be bypassed when operating at steam flow loads above those which can be accepted by the turbine as well as during the startup and shutdown phases.

The overall turbine generator and pressure control system accomplishes the following:

1. Control turbine speed and turbine acceleration.
2. Control the steam bypass system to keep reactor pressure within limits, and avoid large power transients.
3. Control main turbine inlet pressure within the proportional band setting of the pressure regulator.

7.7.1.5.2 System Operation Chapter 07 7.7-25 Rev. 25, October 2022

NMP Unit 2 USAR Pressure control is accomplished by controlling main steam pressure immediately upstream of the main turbine stop and control valves through modulation of the turbine control or steam bypass valves (Figure 7.7-9). Command signals to these valves are generated by redundant control elements using the sensed turbine inlet pressure signals as the feedback. For normal operation, the TCVs regulate steam pressure; however, whenever the total steam flow demand from the pressure regulator exceeds the capacity of the TCVs, the pressure control system sends the excess steam flow directly to the main condenser, through the steam bypass valves. The plant ability to follow grid-system load demands is enabled by adjusting reactor power level, by varying reactor recirculation flow manually, or by manually moving control rods. In response to the resulting turbine steam flow changes, the pressure control system adjusts the TCV to accept the steam output change, thereby regulating steam pressure.

Steam Pressure Control During normal plant operation, steam pressure is controlled by the main TCVs, positioned in response to the pressure regulation demand signal. The steam bypass valves are normally closed.

The turbine control system (TCS) has two redundant digital controllers, one in control and the other in standby. The median signal from three main steam pressure transmitters is used for pressure control.

The TCV (steam flow) demand signal is limited, after passage through the low value gate (Figure 7.7-10), to that required for full opening of the TCVs. Thus, if the pressure control system requests additional steam flow from the reactor when the control valves reach wide open, the control signal error to the bypass valves increases and causes bypass actuation.

Control for the TCV is designed so that the valves close upon loss of control system electric power or loss of hydraulic system pressure.

Steam Bypass System The steam bypass equipment is designed to control steam pressure when reactor steam generation exceeds turbine requirements, such as during startup (pressure, speed ramping, and synchronizing),

sudden load reduction, and cooldown.

The bypass capacity of the system is approximately 18.5 percent of the turbine valve wide open (VWO) flow; sudden load reductions of up to the capacity of the steam bypass can be accommodated without reactor scram.

Chapter 07 7.7-26 Rev. 25, October 2022

NMP Unit 2 USAR Normally, the bypass valves are held closed and the pressure regulator controls the TCVs, directing all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the regulator controls system pressure by opening the bypass valves. If the capacity of the bypass valves is exceeded while the turbine cannot accept an increase in steam flow, the system pressure rises and RPS action causes shutdown of the reactor.

The bypass valves are an automatically operated, regulating type which are proportionally controlled by the turbine pressure regulator and turbine control system.

The turbine control system provides a signal to the bypass valves corresponding to the error between the TCV opening required by the controlling pressure regulator and the TCV position demanded by the output of the low valve gate circuit (Figure 7.7-9 and 7.7-10). An adjustable bias signal is provided to maintain the bypass valves closed for momentary differences during normal operational transients. Refer to Section 10.4.4 for a detailed description of the turbine bypass system.

Turbine Speed/Load Control System The control signals supplied by the pressure regulator to the turbine control system and the signals that the pressure regulator requires from the turbine control system are shown on Figure 7.7-10. The turbine control system is designed to receive and supply the following signals (Figure 7.7-9):

1. Signal 1 - The load demand signal varies from no load to rated load.
2. Signal 2 - The pressure control demand signal varies from no load to rated load.
3. Signal 3 - The flow limit signal range varies from 90-percent flow to 130-percent flow.
4. Signal 4 - The control valve position (flow) demand signal varies to close or open the valve. The turbine flow limiter limits the control valve position demand signal so that it does not exceed the value corresponding to valves fully open. Signal 3 is used by the pressure regulator to operate the bypass valves when high steam pressure causes the pressure control signal, Signal 2, to be higher than Signal 4.

Turbine Speed-Load Control Interfaces Normal Operation During normal base-load plant operation, the turbine load reference is held above the desired load, in such a way that the pressure regulation demand governs the TCVs.

Chapter 07 7.7-27 Rev. 25, October 2022

NMP Unit 2 USAR Behavior of Turbine Outside of Normal Operation Turbine Startup Before turbine startup, sufficient reactor steam flow is generated to permit the steam bypass valves to maintain reactor pressure control while the turbine is brought up to speed and synchronized under its speed-load control.

Partial Load Rejection During partial load rejection transients that are apparent to the reactor as a reduction in turbine load demand resulting from an increase in generator frequency above rated, the turbine pressure control scheme allows the reduced turbine speed-load demand to bias the pressure regulation demand and thereby directly regulate the TCVs.

Turbine Shutdown or Turbine Generator Trip During turbine shutdown or turbine generator trip conditions, the main turbine stop valves and control valves are closed. Reactor steam flow then passes through the steam bypass valves under steam pressure control, and through the reactor SRVs, as needed.

Steam Bypass Operation Fast opening of the steam bypass valves during turbine trips or generator load rejections requires coordinated action with the turbine control system. When the TCVs are under pressure control, no bypass steam flow is demanded; conversely, when the turbine speed-load demand falls below the pressure regulation demand, a net bypass flow demand is computed. During turbine or generator trip events resulting in fast-closure of the turbine stop or control valves, the TCV demand is immediately tripped to zero as an anticipatory response, causing the bypass steam flow demand to equal the initial pressure regulation demand.

Loss of Turbine Control System Power Turbine controls and valves are designed so that the turbine stop and control valves close upon loss of control system power or hydraulic pressure.

Operator Information Process variables which are controlled by the pressure regulator, speed-load control system are displayed on the turbine generator section of the main control board.

Control modes for the various turbine generator operational modes (such as startup, normal operation, and shutdown) are available to the Operator from the Digital Electro-Hydraulic Control System (DEHC) Human Machine Interface (HMI) located on the main control board. HMI displays provide information to the Operator as to the operating mode and status of the turbine generator unit.

Two redundant turbine control system (TCS) channels control pressure, one in control and one in standby. In the event the in-control controller fails, the TCS will seamlessly transfer to the standby controller. The two redundant TCS channels receive inputs from three independent pressure transducers in the main steam line upstream of the main steam stop valves. The TCS Chapter 07 7.7-28 Rev. 25, October 2022

NMP Unit 2 USAR controllers use the median pressure of the three pressure signals. Main steam pressure indications and controls are located on the turbine control HMI panel.

The pressure control display on the main control room display includes the following controls and information:

1. Main steam pressure.
2. Main steam pressure setpoint.
3. Pressure increase/decrease pushbuttons (+/-0.1 psig and

+/-1.0 psig) and 950 psig select pushbutton.

4. Target main steam pressure setpoint and pressure rate of change .
5. Individual valve position.
6. Auto Cooldown/heatup rate.
7. Total control valve position and individual control valve position.

7.7.1.6 Plant Process Computer System (PPC)

System Functions The function of the nonsafety-related plant PPC system is to provide a determination of the plant status through a series of operations and calculations; to improve data reduction, accounting, and logging functions; and to supplement procedural requirements for control and manipulation during plant reactor startup and shutdown. The process computer functions are divided into three groups:

1. Nuclear boiler functions.
2. System scan-log-alarm functions.
3. BOP functions.

System Operation Central Processor - The primary/backup central processor performs various calculations, makes necessary interpretations, and provides for general input/output device control and buffered transmission between I/O devices and memory.

Automatic priority interrupt (API) modules provide processor capability to respond rapidly to important process functions and to operate at optimum speed.

Chapter 07 7.7-29 Rev. 25, October 2022

NMP Unit 2 USAR Memory - Memory is an electronic storage drive, random access memory type utilizing a 64-bit word and operating at less than 600-nanosecond cycle time. A processor parity check feature is capable of stopping computer operation subsequent to completing an instruction in which a parity error is detected. Capability is provided to maintain real time by utilizing necessary calendar-type programs to compute year, month, day, hour, minute, second, and cycle. This is done automatically even in the event of a processor shutdown. In this case, the date and time are maintained by a battery backup capable of maintaining the current date and time throughout a loss of power event.

Disk Subsystem - The disk subsystem is comprised of multiple electronic storage drives and is used to store all programs and initialization data. Real-time data are also stored to the disk subsystem. Disk mirroring is used to maintain data during a single disk failure.

Loading Devices - There are electronic and optical storage devices provided to load computer programs.

I/O Hardware - The process I/O hardware is configured as distributed I/O. There are two Nodes that communicate with the slave chassis. Each Slave Chassis consists of analog inputs, digital inputs, an I/O processor, corresponding I/O terminations, communication processors, and signal conditioning.

The analog input cards accept analog signals from plant instrumentation and converts them to digital representation for use by the computer software programs. Analog outputs are (also provided to drive trend recorders.

The digital I/O cards sense the plant contact actuations and status change and is used to read status information from plant instrumentation, such as alarms and relay closures.

Intermittent signals and puls-type inputs are sensed by automatic program interrupt change detection hardware (also known as Sequence of Events (SOE)) in the digital input cards, and allow immediate processing of information (1mSec resolution) that might otherwise be lost if digital scanning were used. The controller also provides latched and momentary digital outputs to operate displays, turn trend recorders on and off, turn on alarms, etc.

During routine operation, the Operator uses the keyboards, mice, touch screens, and monitors located in the control room to read and enter information and interact with the computer system, and for requesting various special functions from it. Information from the computer can be directed by the Operator to video displays, trend recorders, or printers which comprise the log and alarm devices.

Chapter 07 7.7-30 Rev. 25, October 2022

NMP Unit 2 USAR Testability - The process computer system has diagnostic provisions. It performs diagnostic checks to determine the operability of certain portions of the system hardware and performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.

Environmental Considerations - All computer equipment, except for peripherals, and workstation CPUs is designed for continuous duty from 0°C to 50°C and 5- to 95-percent relative humidity without condensation. The peripherals are designed to operate under more restrictive environmental conditions. All components, with the exception of the generator temperature monitoring cabinet, are installed in controlled air conditioned areas.

Operator Information - The processor is capable of checking each analog input variable against three types of limits for alarm and status purposes:

1. Process alarm limits are determined by the computer during computation or as programmed at some fixed value by the Operator.
2. A reasonable limit of the analog input signals programmed.
3. Status change alarms to the Operator.

The alarming sequence consists of typewritten messages via the I/O typers and video monitor messages for the variables that exceed process alarm limits. A variable that is returning to normal is signified by a typewritten and displayable message.

The process computer provides to the Operator a means of monitoring, displaying, and recording both NSSS and BOP events.

These functions are performed by the following software programs:

1. Status alarm monitor
2. Sequence annunciator
3. Digital trending (special logs)
4. Postdata recall
5. Turbine and generator log
6. Process computer interface with RC, IS, and LPRM
7. Computer Generated Alarms (CGA)

Chapter 07 7.7-31 Rev. 25, October 2022

NMP Unit 2 USAR CGAs are alarm conditions that the PPC calculates from inputs aand sets a digital output to the plant annunciator system 3D Monicore System - The nonsafety 3D Monicore is a core monitoring and predicting computer system that uses PANACEA, a three-dimensional, neutron diffusion theory code for all technical evaluations of the Reactor Core. The hardware configuration for the system is the 3D Monicore software operating on its own redundant computer system and receiving the required live plant and TIP data from the Plant Process Computer (PPC), described in Section 7.7.1.6. Control Rod position data is received either from the NUMAC RWM computer or the PPC. The actual data source is manually selected, on the 3DM, with a databank change. The 3D Monicore computer performs the core monitoring functions in conjunction with a Windows-based client 3DWinR. Communication (plant data and alarm messages) between the 3D Monicore computer and the PPC computer is by Ethernet (TCP/IP). The communications between the 3DM and NUMAC RWM is by RS232 serial data link. Logs and displays are output in the control room on a printer and the 3D Monicore workstation computer. The main or backup host in the computer room will provide user access to 3D Monicore functions, logs and color displays. The 3D Monicore system has built-in security access features that allow only authorized users to access the system.

The 3D Monicore system communicates with the NUMAC PRNM system over the Ethernet through a NUMAC Interface Computer (NIC).

This allows the transfer of gain adjustment factor values for all LPRMs and percent core thermal power from 3D Monicore to the NUMAC PRNM and the transfer of LPRM detector I/V data from the NUMAC PRNM to 3D Monicore.

3D Monicore software consists of software which obtains plant data and updates its live plant and TIP data bases, executes core performance monitoring and exposure accounting calculations periodically and on demand. It also creates output files and logs following such calculations. Special logs of performance parameters and color displays are provided on demand.

3D Monicore provides the capability for monitoring reactor cores consisting of any combination of fuel bundles supplied by GE or other vendors. There is also a core performance prediction function which is used to study proposed reactor maneuvers with results output to logs and color displays.

7.7.1.7 Neutron Monitoring System (TIP, SRM, RBM) 7.7.1.7.1 Neutron Monitoring System - Traversing In-Core Probe (TIP) Subsystem 7.7.1.7.1.1 System Function Chapter 07 7.7-32 Rev. 25, October 2022

NMP Unit 2 USAR The TIP system allows calibration of LPRM signals by correlating TIP signals to LPRM signals as the TIP is positioned in various radial and axial locations in the core.

Flux readings along the axial length of the core are obtained by fully inserting the traversing ion chamber into one of the calibration guide tubes. Data are then taken as the chamber is withdrawn. These analog data are available as inputs to a recorder and the PPC. The guide tubes inside the reactor are divided into specific groups. Each group has its own associated TIP machine.

7.7.1.7.1.2 TIP System Operation A TIP drive mechanism uses a fission chamber attached to a flexible drive cable. The cable is driven from outside the drywell by a gearbox assembly. The flexible cable is contained by guide tubes that penetrate the reactor core. The guide tubes are a part of the LPRM detector assembly. An indexing mechanism allows the use of a single detector in any one of 10 different tube paths. The 10th tube is used for TIP cross calibration with the other TIP machines. The control system provides for both manual and semiautomatic operation. Electronics of the TIP panel amplify and display the TIP signal. Core position versus neutron flux is recorded on an X-Y recorder in the main control room and is provided to the PPC.

A valve system is provided with a valve on each guide tube entering the drywell. A ball valve and a cable shear valve are mounted in the guide tubing just outside the drywell. The ball valves are closed except when the TIP is in operation. They maintain the leak-tightness integrity of the drywell. A valve is also provided for a nitrogen gas purge line to the indexing mechanisms. The guide tube ball valve is only open when the TIP is inserted. The shear valve is used only if containment isolation is required when the TIP is beyond the ball valve and power to the TIP fails. The shear valve, which is controlled by a manually-operated keylock switch, can cut the cable and close off the guide tube. The shear valves are actuated by explosive squibs.

The continuity of the squib circuits is monitored by indicator lights in the main control room. Upon receipt of a containment isolation command from the NSSS, all TIP drives are put in automatic full speed withdraw condition, removing the TIP detector from the containment and allowing the ball valves to close. The purge valve is also closed automatically at this time.

Operability requirements are described in TRM Section 3.3.7.3.

7.7.1.7.2 Source Range Monitor Chapter 07 7.7-33 Rev. 25, October 2022

NMP Unit 2 USAR 7.7.1.7.2.1 Source Range Monitor Function The SRM provides neutron flux information during reactor startup and low flux level operations.

7.7.1.7.2.2 Source Range Monitor Operation During initial fuel load, neutron flux is monitored by four SRM channels, providing a scram signal when the preset flux level of any channel has been reached. This logic is removed from the scram circuitry after completion of initial fueling. For subsequent refueling operations, the ability of the SRMs to produce a noncoincident NMS trip signal is governed by the method of refueling and the associated Technical Specification and TRM implications.

Each SRM channel has one detector that can be physically positioned in the core from the control room. The detectors are inserted into the core for reactor startup. They are withdrawn if the indicated count rate is between preset limits or if the IRM is on the third range or above.

The detector and cable are located inside the reactor vessel in a dry tube sealed against reactor vessel pressure. A remote-controlled detector drive system moves the detector along the dry tube. When a detector arrives at a travel end point, detector motion is automatically stopped.

Each detector assembly consists of a miniature fission chamber and a low-noise transmission cable. This detector cable is connected underneath the reactor vessel to a multiple-shielded coaxial cable. This shielded cable carries the pulses to a pulse current preamplifier located outside the drywell.

Signal conditioning equipment converts the current pulses to analog dc currents corresponding to the logarithm of the count rate (LCR). The output is displayed on front panel meters as well as remote meters and recorders. The LCR meter displays the rate of occurrence of the input current pulses. In addition, the signal conditioning equipment contains integral test and calibration circuits, trip circuits, power supplies, and selector circuits. It is also designed to be used for open vessel experiments.

The trip outputs of the SRM operate in the fail-safe mode. Loss of power to the SRM trips the associated outputs.

The SRM provides signals indicating SRM upscale, downscale, inoperative, and incorrect detector position to the RMCS to block rod withdrawal under certain conditions. Any SRM channel can initiate a rod block. These rod blocking functions are discussed in Section 7.7.1.1.2.

Chapter 07 7.7-34 Rev. 25, October 2022

NMP Unit 2 USAR An Operator in the control room can bypass one of the four SRM channels at any time. Inspection and testing are performed as required on the SRM detector drive mechanism. The mechanism can be checked for full insertion and retraction capability.

Various combinations of SRM trips can be introduced to ensure the operability of the rod blocking functions.

7.7.1.7.3 Rod Block Monitor 7.7.1.7.3.1 Rod Block Monitor Function The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during Operator control rod manipulations.

7.7.1.7.3.2 Rod Block Monitor Operation Each of the two RBM channels uses input signals from a number of LPRM channels. A trip signal from either channel initiates a rod block. One RBM channel can be bypassed without loss of subsystem function. The quantity of LPRM detectors used to calculate local average neutron flux level may vary from a minimum of two to a maximum of eight, depending upon the control rod selected and the number of bypassed LPRM detectors.

The RBM shall be automatically bypassed when a peripheral control rod is selected.

The RBM signal is generated by averaging a set of LPRM signals.

The RBM channels use the specific LPRMs as given in the table below.

RBM Channel A RBM Channel B A B C D A B C D UR X X UR X X LR X X LR X X UL X X UL X X LL X X LL X X In relation to the selected rod, Channel "A" RBM averages the upper right (UR) and lower left (LL) "B," all four "C," and the lower right (LR) and upper left (UL) "D" LPRMs to calculate the LPRM average. In relation to the selected rod, Channel "B" RBM averages the lower right and upper left "B," all four "C," and the upper right and lower left "D" LPRMs to calculate the LPRM average.

Assignment of assemblies used in RBM averaging is controlled by the selection of control rods. If a peripheral rod is selected, the RBM is automatically bypassed and the RBM output is set to zero. If any LPRM detector assigned to a RBM is bypassed, the computed average signal is adjusted automatically to compensate for the number of LPRM input signals.

Chapter 07 7.7-35 Rev. 25, October 2022

NMP Unit 2 USAR The RBM instruments receive the STP level from each APRM via fiber optic cables. The RBM uses the STP level from its reference APRM channel as the reference STP level for RBM calculations. When a control rod is selected, the RBM signals are calibrated to a fixed (constant) reference signal. The reference signal is held constant during the movement of that particular control rod to provide an indication of the change in the relative local power level. If the reference APRM flux used to normalize the RBM reading is indicating less than 26-percent power (nominal), the RBM is zeroed and the RBM outputs are bypassed. The RBM automatically substitutes an alternate reference STP level when the primary reference APRM channel is bypassed or inoperative.

The RBM can prevent control rod withdrawal by supplying a trip signal to the RMCS. The trip is initiated when RBM output exceeds the rod block setpoint. The upscale trip levels are set at a fixed level above the reference STP level and will automatically vary as step functions of the reference STP level.

7.7.1.8 Reactor Water Cleanup System See Section 5.4.8 for a description of this system.

7.7.1.9 Leak Detection System 7.7.1.9.1 Reactor Vessel Head Seal Leak Detection Pressure between the inner and outer reactor vessel head seal ring is sensed by a pressure transmitter. If the inner seal fails, the pressure transmitter will sense vessel pressure and the associated trip unit will trip, actuating an alarm. The plant will continue to operate with the outer seal as a backup, and the inner seal can be repaired at the next outage when the head is removed. If both the inner and outer head seals fail, the leak will be detected by an increase in drywell temperature and pressure.

7.7.1.9.2 Safety/Relief Valve Seal Leak Detection Thermocouples are located in the discharge exhaust pipe of the SRVs. The temperature signal goes to a multipoint recorder with an alarm. Any temperature in excess of a set temperature will activate this alarm, signaling that one of the SRV seats is leaking.

7.7.2 Analysis Refer to the safety evaluations in Chapter 15 and Appendix A which show that the systems described in Section 7.7 are not utilized to provide any DBA safety function. Safety functions are provided by other systems.

Chapter 07 7.7-36 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.7-1 DESIGN AND SUPPLY RESPONSIBILITY OF PLANT CONTROL SYSTEM GE GE Others Design Supply Supply Reactor manual control system X X Recirculation flow control system X X Feedwater control system X X X Refueling interlocks X X Steam bypass and pressure X regulation system Performance monitoring X X system Neutron monitoring system X X Reactor water cleanup X X system Leak detection system X X Chapter 07 7.7-37 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.7-2 SIMILARITY OF UNIT 2 TO OTHER PLANTS Plants Applying for Instrumentation or Having Construction and Controls Permit or Operating Similarity (System) License of Design Reactor manual Zimmer-1 Identical control system Recirculation flow Grand Gulf Similar(1) control system Feedwater control River Bend Similar(2) system Refueling interlocks Hanford Identical Steam bypass and LaSalle Similar pressure regulation system Performance monitoring Perry Similar(3) system Neutron monitoring Zimmer Identical(5) system Reactor water Susquehanna Identical cleanup system Leak detection Perry Identical(4) system (1)

Grand Gulf does not have RRCS.

(2) River Bend does not have gain change logic. It has only one low flow control valve and uses "steam programming" function.

(3) Some hardware differences (quantity not type), but hardware function is the same.

(4) Identical design for functions described in Section 7.7.

(5) The power range neutron monitoring system at Unit 2 was replaced with a GE NUMAC PRNM system similar to Hatch plants.

Chapter 07 7.7-38 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.7-3 REFUELING INTERLOCK EFFECTIVENESS Refueling Service Platform Refueling Platform Hoists Platform Mode Situation Position TMH FMH FG Hoist Control Rods Switch Attempt Result 1 Not near UL UL UL UL All rods in Refuel Move refueling No restrictions core platform over core 2 Not near UL UL UL UL All rods in Refuel Withdraw rods Cannot withdraw core more than one rod 3 Not near UL UL UL UL One rod Refuel Move refueling No restriction core withdrawn platform over core 4 Not near Any hoist or FG loaded UL One or more rods Refuel Move refueling Platform stopped core withdrawn platform over core before over core 5 Not near UL UL UL UL More than one Refuel Move refueling Platform stopped core rod withdrawn platform over core before over core 6 Over core UL UL UL UL All rods in Refuel Withdraw rods Cannot withdraw more than one rod 7 Over core Any hoist or FG loaded All rods in Refuel Withdraw rods Rod block 8 Not near UL UL UL L All rods in Refuel Withdraw rods Rod block core 9 Not near UL UL UL L All rods in Refuel Operate service No restrictions core platform hoist 10 Not near UL UL UL L One rod Refuel Operate service Hoist operation core withdrawn platform hoist prevented 11 Not near UL UL UL UL All rods in Startup Move refueling Platform stopped core platform over core before over core 12 Not near UL UL UL L All rods in Startup Operate service No restrictions core platform hoist 13 Not near UL UL UL L One rod Startup Operate service Hoist operation core withdrawn platform hoist prevented 14 Not near UL UL UL L All rods in Startup Withdraw rods Rod block core 15 Not near UL UL UL UL All rods in Startup Withdraw rods No restrictions core Chapter 07 7.7-39 Rev. 25, October 2022

NMP Unit 2 USAR TABLE 7.7-3 (Cont'd.)

Refueling Service Platform Refueling Platform Hoists Platform Mode Situation Position TMH FMH FG Hoist Control Rods Switch Attempt Result 16 Over core UL UL UL UL All rods in Startup Withdraw rods Rod block KEY: TMH = Trolley mounted hoist FMH = Frame mounted hoist FG = Fuel grapple UL = Unloaded L = Loaded Chapter 07 7.7-40 Rev. 25, October 2022

Retrieved from "https://kanterella.com/w/index.php?title=ML22292A104&oldid=3538643"