ML23062A220
| ML23062A220 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom  |
| Issue date: | 03/03/2023 |
| From: | Audrey Klett Exelon Generation Co |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| Download: ML23062A220 (1) | |
Text
PBAPS UFSAR 7.10 FEEDWATER CONTROL SYSTEM 7.10.1 Power Generation Objective The power generation objective of the feedwater control system is to maintain a pre-established water level in the reactor vessel during normal plant operation.
7.10.2 Power Generation Design Basis The feedwater control system regulates the feedwater flow so that the proper water level in the reactor vessel is maintained to meet the requirements of the steam separators over the entire power range of the reactor.
7.10.3 Description The feedwater control system, during normal plant operation, automatically regulates feedwater flow into the reactor vessel.
The system is capable of being manually operated.
The automatic feedwater control system (DFCS) is a redundant, fault tolerant digital control system (see Figure 7.10.1). The digital control system provides effective feedwater control over a wide range of conditions without Operator intervention.
There are two modes of operation; Low Power and High Power.
The two modes work as one to provide the demanded valve positions to flow control valves and the demanded speed to the Turbine Driven feedwater Pumps speed governor.
The automatic feedwater control system incorporates fault tolerance in its design so that any single failure, internal or external to the feedwater control system, will not result in the loss of feedwater control. The control system continuously monitors the status of components, input signals and output signals. Upon detection of a failed component, the system automatically switches over to the redundant component. If a failed input is detected, the input signal validation logic, described in Section 7.10.3.4.10, takes the appropriate action to prevent the failure from affecting system operation. This can include changing the way the validated signal is generated (2-input average versus 3-input median), automatically switch to another sensor variable (narrow range failure switches to wide range input) or transfer the input to manual control.
CHAPTER 07 7.10-1 REV. 28, APRIL 2021
PBAPS UFSAR The feedwater flow control instrumentation measures the water level in the reactor vessel, the feedwater flow rate into the reactor vessel, and the steam flow rate from the reactor vessel.
During automatic operation, these three measurements are used for controlling feedwater flow.
The optimum reactor vessel water level is determined by the requirements of the steam separators which limit the water carryover with the steam going to the turbines and limit the steam carryunder with the water returning to the core. The water level in the reactor vessel is maintained within +/-1 in during steady state operation. This control capability is achieved during plant load changes by balancing the mass flow rate of feedwater to the reactor vessel with the steam flow from the reactor vessel.
The feedwater flow regulation is achieved by adjusting the steam flow to the turbine driven feedwater pumps to deliver the required feedwater flow to the reactor vessel.
7.10.3.1 Reactor Vessel Water Level Measurement Narrow range reactor vessel water level is measured by three sensing systems. Two of the sensing systems are connected to the same reactor vessel instrumentation taps. The third is connected to a separate set of taps and provides independent signals. The power for each of the three instrument loops is provided by the DFCS auxiliary power, which is redundant, auctioneered power.
Each system uses a differential pressure transmitter that senses the difference between the pressure due to a constant reference column of water and the pressure due to the variable height of water in the reactor vessel. These differential pressure transmitters are installed on lines that serve other systems (subsection 7.8, "Reactor Vessel Instrumentation"). Pressure transmitters supply reactor vessel pressure signals which are used to correct for density changes in the reactor vessel water. The differential pressure and pressure signals are fed into the digital control system which calculates the corrected level signal for indication and control. The corrected reactor vessel water level and pressure from each sensing system are indicated in the control room. The corrected level signal from any of the sensing systems can be automatically selected (by digital control system) or manually (by control room operator) as the signal to be used for feedwater flow control. The corrected level signals are used to trip the main and reactor feedpump turbines on high reactor water level. The main and reactor feedpump turbines reactor high level trip signal is derived by a two-out-of-two logic taken once.
The two-out-of-two logic consists of each feedwater digital control controller providing an input to trip. Each digital CHAPTER 07 7.10-2 REV. 28, APRIL 2021
PBAPS UFSAR control controller trip logic consists of multiple contacts in parallel. Two contacts actuate via testable digital outputs and the other contact monitors the status (online/offline) of the digital controller . The two testable digital outputs normally actuate on a high reactor level signal. These outputs can be tested within the control program to allow functional testing of the trip circuit while at power (per NRC generic letter 89-19).
The high-level trip circuit includes four (4) controllers arranged in two (2) channels. Each channel has a primary and a backup controller. Each channel has two (2) status monitoring contacts arranged in series, one for each controller. Any one controller in each channel can perform the trip function. The reactor vessel water level and pressure are continually recorded in the control room. High and low level alarms are also provided in the control room.
Three (3) pressure compensated wide range reactor water level signals are also used by the feedwater control system. These wide range level signals are only used if all three of the narrow range level signals are bad or on the downscale side of their calibrated range. The main function of these wide range level signals within the feedwater control system is to provide a level signal to this control system when reactor level is below the narrow range following a reactor scram.
7.10.3.2 Steam Flow Measurement The steam flow is measured across each main steam line flow restrictor by a differential pressure transmitter. This differential pressure steam flow signal is then inputted into the digital control system which linearize the signal to produce a mass flow rate. The steam flow signals are added to produce a total steam flow signal for indication and feedwater flow control.
The steam flow rate from each main steam line is indicated in the control room. The total steam flow is recorded in the control room.
7.10.3.3 Feedwater Flow Measurement The feedwater flow measurement normally used in the plant heat balance computation is obtained from a dedicated system (Leading Edge Flow Meter, or LEFM) that utilizes ultrasonic technology to accurately determine feedwater mass flow.
Feedwater flow is also measured as differential pressure at each reactor feed pump discharge. This differential pressure feedwater flow signal is then inputted into the digital control system which CHAPTER 07 7.10-3 REV. 28, APRIL 2021
PBAPS UFSAR linearizes the signal to produce a mass flow rate. The total feedwater mass flow rate signal is used for indication and feedwater flow control. The individual line and total feedwater flows are recorded in the control room. When the LEFM is not in service, these feedwater flow signals are used in the plant heat balance.
Additionally, feedwater flow is measured at the inlet of the third feedwater heaters for condensate recirculation flow control and is separately logged on the process computer (subsection 7.16),
"Process Computer System").
7.10.3.4 Feedwater Control System The digital feedwater control system provides control for the following functions:
- 1. Three (3) element reactor level control.
- 2. Single or one (1) element reactor level control.
- 3. High pressure startup level control.
- 4. Low pressure startup level control.
- 5. Reactor feedwater pump min flow protection.
- 6. Reactor feedwater pump discharge check valve control on low flow.
- 7. ATWS control mode.
- 8. Interlocks to rod worth minimizer from total feedwater and steam flow signals.
- 9. Runbacks to the reactor recirculation control system.
- 10. input signal validation logic.
- 11. 90% flow limiter on loss of condensate pump or reactor scram.
- 12. Not used.
- 14. Not used.
- 15. Not used.
- 16. Fault tolerant logic.
- 17. Bumpless transfer between automatic and manual modes.
- 18. Testability and maintainability.
- 19. Total feedwater flow signal to the Hydrogen Water Chemistry System 7.10.3.4.1 Three (3) Element Reactor Level Control In three (3) element control the feedwater control system determines the difference between the total feedwater flow signal against the total steam flow signal. This difference is designated as steam flow/feedwater flow error signal. If steam CHAPTER 07 7.10-4 REV. 28, APRIL 2021
PBAPS UFSAR flow is greater than feedwater flow, this difference is increased from its normal value of zero when steam and feedwater flows are equal. The reverse is also true. This steam flow/feedwater flow error is then added to the reactor water level signal to provide an adjusted level signal. The feedwater control system controls reactor feedwater pump speed in order to control the adjusted level signal to the operator selected setpoint. The three (3) element control mode is the control mode normally used during power operation (nominally 30% to 100% power).
7.10.3.4.2 Single or One (1) Element Reactor Level Control Single element control is similar to the three element control (described in 7.10.3.4.1). However, single element control does not use the steam flow/feedwater flow error signal to adjust the reactor level signal. In single element control the feedwater control system controls the reactor feedpump speed in order to control the unadjusted reactor level signal to the operator selected setpoint. The single element control mode is the control mode normally used during low power operation (nominally 5-30%
power).
7.10.3.4.3 High Pressure Startup Level Control The high pressure startup level control uses single element control (discussed in 7.10.3.4.2) to control the "C" reactor feedwater pump discharge valve bypass control valve position.
This valve uses the "C" reactor feedwater pump discharge (which is variable based on pump speed selected by operator) as its source of water. The feedwater control system modulates the flow through this valve in order to maintain unadjusted reactor level (single element) to the operator selected setpoint. The high pressure startup level control is used during low power/high pressure operation (nominally 450 psig to 10% power). This control method can be used at low pressures by allowing condensate to windmill through the "C" reactor feedwater pump.
7.10.3.4.4 Low Pressure Startup Level Control The low pressure startup level control uses single element control (discussed in 7.10.3.4.2) to control the reactor feedwater pump bypass control valve position. This valve uses condensate header pressure as its source of water. The feedwater control system modulates the flow through this valve in order to maintain unadjusted reactor level (single element) to the operator selected setpoint. The low pressure startup level control is used during CHAPTER 07 7.10-5 REV. 28, APRIL 2021
PBAPS UFSAR shutdown (0 psig) up to a maximum of the condensate pump shutoff head (approx. 600 psig).
7.10.3.4.5 Reactor Feedwater Pump Minimum Flow Protection The feedwater control system provides three (3) digital outputs which operate on low reactor feedwater pump flow (one per pump).
These digital outputs provide control signals to their respective minimum flow control valves. Opening these minimum flow valves ensures that the pump net positive suction head requirements are maintained. These digital outputs also go to three (3) reactor feedwater pump low flow annunciators (one per pump) via an auxiliary relay.
7.10.3.4.6 Reactor Feedwater Pump Discharge Check Valve Control on Low Flow The feedwater control system provides three (3) digital outputs which operate on low reactor feedwater pump flow (one per pump).
These digital outputs provide control signals to their respective reactor feedwater pump discharge check valves. Closing the discharge check valve on low flow reduces the probability of the check valve sticking open and then slamming closed on reverse flow.
7.10.3.4.7 ATWS Control Mode For abnormal operating conditions, such as Anticipated Transient Without Scram (ATWS), a control mode is available to the Operator that uses control based on the single element of wide range level or fuel zone level. The level input signal is chosen automatically based on vessel level. Level is maintained by deviation from setpoint. Entry into this mode is permitted when narrow range level is below a predefined setpoint and the manual/automatic (M/A) stations are in manual.
7.10.3.4.8 Interlocks to Rod Worth Minimizer From Total Feedwater and Steam Flow Signals The feedwater control system provides two (2) digital outputs to the rod worth minimizer system. One output is a combination of low/high feedwater and steam flow which is used for the rod worth minimizer low power setpoint. The second output is on low/high steam flow and is used for the rod worth minimizer low power alarm point.
7.10.3.4.9 Runbacks to the Recirculation Control System CHAPTER 07 7.10-6 REV. 28, APRIL 2021
PBAPS UFSAR The feedwater control system provides three (3) digital outputs to each recirculation pump control system. The first output provides a low total feedwater flow signal, with time delay, or a combination of a reactor scram signal in conjunction with low reactor level which runs back the respective reactor recirculation pump to lower flow limit (30%) speed limiter. This runback ensures sufficient net positive suction pressure to the reactor recirculation pump(s) and improves reactor water level response following a scram from high power. The second and third outputs are part of the high speed runback circuit. The second output provides a high total feedwater flow signal which, in conjunction with less than three (3) condensate pumps in service, results in reactor recirculation runback. A reactor recirculation system runback on this condition is required to reduce total feedwater flow to within the capabilities of two (2) condensate pumps and thereby maintaining the required reactor feedwater pump net positive suction head requirements. The third output is a combination of less than three (3) reactor feedwater pumps in service (as sensed by any lowest reactor feedwater pump flow being low) and a simultaneous low level in the reactor. A reactor recirculation system runback on this condition is required since the remaining reactor feedwater pumps are not able to maintain reactor level at this power level. (Reference Section 7.9.4.3) 7.10.3.4.10 Input Signal Validation Logic Where multiple parameter measurements are available, signal validation is utilized as a functional means to increase the fault tolerance of the control function. The nature of the signal validation is contingent on the redundancy available in the various process measurements. The operator has the ability to over-ride the signal validation logic, and select a single channel for use, or place a single channel out of service.
7.10.3.4.11 90% Flow Limiter on Loss of Condensate Pump or Reactor Scram The feedwater control system will limit reactor feedwater pump speed on less than three (3) condensate pumps in-service or a full reactor scram with three (3) reactor feedwater pumps in-service.
The reactor feedwater pump speed is limited to a speed which is equivalent to ninety percent (90%) nuclear boiler rated flow.
There are two (2) separate speed limiters within the feedwater control system. One speed limiter is set for three (3) reactor feedwater pumps in-service. The second limiter is set for only CHAPTER 07 7.10-7 REV. 28, APRIL 2021
PBAPS UFSAR two (2) reactor feedwater pumps in-service. Both limiters are set for only two (2) condensate pumps in-service.
With only two (2) condensate pumps in-service the condensate system can only support ninety percent (90%) nuclear boiler rate flow. (At this power level the required reactor feedwater pump suction pressures will be maintained.)
Due to reactor level shrink following a scram, the reactor feedwater control system increases its reactor feedwater pump speed demand signal to 100 percent (maximum speed). The condensate system cannot support three (3) reactor feedwater pumps operating at maximum speed even with three (3) condensate pumps in-service. Therefore, the feedwater control system will limit the reactor feedwater pumps to a speed equivalent to ninety percent (90%) nuclear boiler rated flow (with two (2) condensate pumps in-service) on a reactor scram with three (3) reactor feedwater pumps in-service (if three (3) condensate pumps are in-service the resultant flow rate will be something greater than 90% nuclear boiler rated).
7.10.3.4.12 Deleted 7.10.3.4.13 Feedwater Flow Response Following a Reactor Scram The feedwater control system design provides the rapid post Scram increase in feedwater flow required to prevent vessel water level from dropping to the ECCS initiation setpoint during the post Scram shrink period.
Following a reactor scram, the water inventory being displaced by steam voids within the reactor are no longer displaced and water level drops. However, no actual water inventory is lost. This is referred to as shrink. In response to the shrink, the feedwater control maximizes feedwater flow to recover water level. After the feedwater system recovers water level to some point, the decay heat in the reactor core heats the cool feedwater which results in expanding the water. This expansion of the water results in the reactor water level rising. This is referred to as swell. The purpose of modifying feedwater flow following a scram is to prevent the water level from reaching a low level Emergency Core Cooling System (ECCS) pump start due to shrink effects and prevent a high level Reactor Feedwater Pump Turbine trip due to swell effects.
CHAPTER 07 7.10-8 REV. 28, APRIL 2021
PBAPS UFSAR 7.10.3.4.14 Deleted 7.10.3.4.15 Deleted 7.10.3.4.16 Fault Tolerant Logic The feedwater control system incorporates fault tolerance in its design so that any single failure to the feedwater control system will not result in the loss of feedwater control. This fault tolerant logic is designed to handle failures internal to the actual control system or failures external to the control system (field transmitters). Field signal failures are detected by either being out-of-range or violating a spread check with an equivalent-independent field signal (redundant transmitter). On field signal failures the control system will switch to another redundant field signal or change to another method of control. On internal failures the control system will fail over to the backup controller. All detected failures will result in a control room alarm to alert the operator of the problem. Means are provided local to the digital feedwater control system to identify which control controller is in control and if any trouble alarm is up for that control controller. With a permanent HMI/keyboard the source of any trouble alarm can be easily narrowed down to a given input/output instrument loop and/or internal computer trouble.
The basis of the system is to have a mean time between failures of greater than 10 years (failure here is defined as a failure of the feedwater control system that results in a unit trip) which is based on a component mean time between failure rate of greater than one year and a mean time to repair of less than eight hours.
(Mean time to repair is defined as time from first identification of trouble to time system is returned to full service). During this period of maintenance, the system does not have complete fault tolerance protection. That is, a single failure during this maintenance period may not be protected against and therefore could result in a loss of feedwater control and/or a plant trip.
7.10.3.4.17 Bumpless Transfer Between Automatic and Manual Modes Bumpless transfer between automatic and manual modes reduces control system induced transients. The manual control stations operate within the DFCS logic. The automatic demand algorithm is upstream of the manual control algorithm in the logic so when transferring to manual there is no change in demand. When in manual, the automatic control algorithm tracks the manual CHAPTER 07 7.10-9 REV. 28, APRIL 2021
PBAPS UFSAR demand, so when transferring from manual to automatic there is also no change in demand.
7.10.3.4.18 Testability and Maintainability With the addition of fault tolerance, additional testability and maintainability is added. In particular, the system is designed to allow for system testing without lifting any permanent plant wiring (this is accomplished with knife switch or slide link type terminal blocks with integral test connections). The reactor high level trip circuit to the RFPT's and the main turbine is designed to allow testing of this logic while at power. The system is also designed to permit the removal, repair, and return to service of any discrete component within the control system while at power.
During the periods of testing and/or maintenance complete fault tolerance is not necessarily available. Therefore, certain single failures during these periods could result in a plant transient.
7.10.3.4.19 Total Feedwater Flow Signal to the Hydrogen Water Chemistry System The feedwater control system provides a total feedwater flow signal to the hydrogen water chemistry system 7.10.4 Turbine Driven Feedwater Pump Control Feedwater is delivered to the reactor vessel by three turbine driven feedwater pumps arranged in parallel. The turbines are normally driven by steam taken from the main high pressure turbine exhaust lines. Under low load conditions or a sudden load increase condition, each turbine is supplied with main steam through a separate high pressure admission valve. The dual steam admission system operates from a common control linkage. The low pressure admission valves open first, followed by high pressure admission valves as required by the feedwater control system.
The turbine drive speed is controlled by a electro-hydraulically boosted electromechanical servo positioning system. The feedwater control system provides the signal to adjust steam flow directly to the turbines.
Each turbine is controlled by the digital control system.
7.10.4.1 Turbine Trips To protect the feedwater pump and/or feedwater pump turbine, the following conditions initiate closure of the turbine stop valve:
CHAPTER 07 7.10-10 REV. 28, APRIL 2021
- 1. Feedwater pump turbine low control oil or bearing oil pressure.
- 3. Deleted.
- 4. Deleted.
- 5. Deleted.
- 6. Feedwater pump turbine manual trip (local and remote).
- 7. Low feed pump suction pressure (after time-delay). This trip has been temporarily removed from the 3C feedwater pump due to a failed cable.
- 8. Reactor vessel high water level.
- 9. Trip signal from the turbine speed control system which include A. Secondary overspeed (x2)
B. Deleted C. Deleted D. Deleted A probalistic missile evaluation has been performed on the feedwater pump turbine and is described in subsection 11.2.
7.10.4.2 Loss of Control Signal to RFPT There are redundant demand signals to each RFPT. The redundancy logic executing in the feedwater level system controller monitors each of the two redundant demand output signals in such a way that a primary input/output module failure is quickly detected. This results in a fail over command to switch to the backup output. An alarm is actuated to identify the failure. If a loss of all three speed feedback signals from a RFPT were to occur, the feedwater pump speed control M/A station is switched to manual.
CHAPTER 07 7.10-11 REV. 28, APRIL 2021
PBAPS UFSAR 7.10.4.3 Feedwater Controller Failure Maximum Demand A failure of the DFCS controller software in the direction of increasing feedwater flow will result in an increase in speed demand to the RFPTs. This will result in an increase in speed of the feedwater pumps and an increase in feedwater flow to the reactor. This event is discussed in Section 14.5.2.2.
Feedwater pump speed will continue to increase until the feedwater pumps reach their high speed limiter setpoint.
CHAPTER 07 7.10-12 REV. 28, APRIL 2021
PBAPS UFSAR 7.11 PRESSURE REGULATOR AND TURBINE-GENERATOR CONTROL SYSTEM 7.11.1 Power Generation Objective The power generation objective of the pressure regulator and turbine-generator control system is to maintain constant reactor pressure.
7.11.2 Power Generation Design Basis The pressure regulator and turbine-generator control system maintains constant reactor pressure during planned operations and operates the steam bypass system up to 21.96 percent of full load to assist in maintaining constant reactor pressure.
The pressure regulator and turbine-generator control system accomplishes the following control functions:
- 1. Controls speed and acceleration from 0 to 111 percent speed with nominal speed reference settings. At 100 percent speed with the circuit breaker closed, the 100 percent speed reference signal is locked in.
- 2. Controls reactor pressure in the range from 50 psig to approximately 1,050 psig.
7.11.3 Description 7.11.3.1 Normal Control System Normal operating control of the pressure regulator and turbine control system is an electrohydraulic servo positioning system basically consisting of interconnected control functions (Figure 7.11.2). These control functions combine their signals to modulate the position of the control, bypass, and combined intermediate valves on the turbine. These subsystems can be designated as speed control, load control, pressure control, bypass control, and valve positioning control functions. The functions of speed control, load control, pressure control, and steam bypass control are performed by dual redundant digital controllers in the Turbine Control System (TCS). The description of these functions is as follows:
- 1. Speed Control Unit The speed control function receives a speed signal from the shaft speed pickups and compares it to a speed CHAPTER 07 7.11-1 REV. 27, APRIL 2019
PBAPS UFSAR reference signal to produce a speed error signal. The speed control function also differentiates the speed signal to produce an acceleration signal. This signal is compared against the acceleration reference to produce an acceleration error signal, which is integrated and combined with the speed error signal to produce output of the speed control unit. Redundancy is provided by the use of a validated speed signal using three speed sensors.
- 2. Load Control Unit The load control function accepts the speed-acceleration error signal, conditions it to establish the proper loop gain for the applicable control valve servo positioners, compares the speed-acceleration signal with the manually selected load set signal, and provides the output signals to position the control and combined intermediate valves on the turbine. The function closes the main control valves at 105 percent of speed and closes the combined intermediate valves at 107 percent of speed. An operating bias keeps the combined intermediate valves wide open until the control valves reach a fully closed position. The load control function also accepts the limit signal (e.g., load limits, maximum combined flow limit, valve position limit, power-load unbalance limit, etc) and combines them to modify or limit the output signals.
- 3. Pressure Control The pressure control function is a redundant pressure controller which maintains constant reactor pressure in coordination with the speed and load control. The pressure control function accepts two independent main steam pressure signals which are measured ahead of the main stop valves, compares them with manually selected pressure reference signals, and produces lead or lag compensated pressure error signals. Two redundant pressure controllers are provided with one controller in control and one controller in standby, where both controllers use a validated pressure signal from two main steam pressure signals. The compensated pressure error signal is conditioned to provide the proper control loop gain and produces the total flow demand signal. For Unit 2 and Unit 3, this signal passes through a pressure-load low value gate wherein the load CHAPTER 07 7.11-2 REV. 27, APRIL 2019
PBAPS UFSAR control unit's control valve signal is compared with the total steam flow signal and the lower of the two is allowed to pass as an input to the control valve-positioning servo mechanisms.
- 4. Bypass Control The total flow demand signal of the pressure control function and the control valve flow signal output from the pressure-load low value gate are sent to the bypass control function. The bypass control function adds a bias to the control valve flow signal and subtracts this sum from the total steam flow to produce the total flow error signal. The total flow signal passes through a high value gate where the bypass opening jack reference signal can override it. The signal can be interrupted by the maximum combined flow limit or condenser low pressure. The output of the bypass control function is the bypass flow signal to the bypass valve servo mechanisms. In this manner, if the total steam flow signal exceeds the control valve flow signal, the bypass valve will open to bypass the excess to the condenser without interrupting turbine speed control, and at the same time maintain a constant reactor pressure. An annunciator has been provided to indicate when a bypass valve is open.
- 5. Valve Positioning The control valve-positioning units are essentially electrohydraulic, close-looped, servo-mechanism position control systems receiving the control valve flow signal from the low value gate, which compares the output of the load control function with the pressure control unit and selects the lower of the two.
In this manner, during normal operation, the pressure regulator and turbine-generator control system sets reactor pressure and turbine speed. The speed control and load control functions generate the necessary signals to position the control valves through a low value gate over which the pressure control unit can exercise its influence.
7.11.3.2 Emergency Control System CHAPTER 07 7.11-3 REV. 27, APRIL 2019
PBAPS UFSAR This system closes all valves, thereby shutting down the turbine on the following signals:
- 1. Turbine approximately 9 percent above rated speed. On overspeed, the tripping is performed by an electrical trip.
The electrical trip is provided by the Emergency Trip System (ETS) that includes a Diverse Turbine Overspeed Protection System (DTOPS). DTOPS uses a diverse and separate act of magnetic pickups which are comprised of 3 passive speed sensors for sensing speed from a toothed wheel mounted to the turbine shaft. When the turbine speed reaches the trip speed (approximately 109%), the three independent overspeed protection trip modules located inside the DTOPS device provides three independent trip outputs that interface to the three ETS Testable Dump Manifold (TDM) solenoids. The ETS TDM utilizes a two-out-of-three (2/3) trip logic configuration to depressurize ETS fluid resulting in fast closure of the main stop valves. the control valves, the intercept valves and the intercept stop valves.
Cross trip functions are provided for interlocking the DTOPS trip with the TCS trip.
- 2. Turbine approximately 10.5 percent above rated speed while testing the overspeed trip device.
The backup electrical overspeed trip uses a diverse and separate set of magnetic pickups which are comprised of 3 active speed sensors for sensing speed from a toothed wheel mounted to the turbine shaft.
When the turbine speed reaches the trip speed (approximately 110.5%), the Turbine Control System (TCS) provides a trip output to the TCS TDM unit, which utilizes a two-out-of-three (2/3) trip logic configuration to trip the turbine.
Cross trip functions are provided for interlocking the DTOPS trip with the TCS trip.
- 3. Vacuum decreases to less than 20 in Hg.
- 4. Excessive thrust bearing wear.
CHAPTER 07 7.11-4 REV. 27, APRIL 2019
- 5. Deleted
- 6. Loss of generator stator coolant after a time delay.
- 7. External trip signals, including remote manual trip on the control panel via HMI.
- 8. Loss of hydraulic fluid supply pressure or loss of Emergency Trip System fluid pressure.
- 9. Failure of shaft-driven lubrication oil pump with the turbine-generator over 1,300 rpm (nominal).
- 10. Deleted.
- 11. Loss of 2-out-of-3 signals.
- 12. Loss of both primary and secondary EHC dc power supplies (24 Vdc or 125 Vdc).
- 13. Manual electrical trip via pushbuttons at front standard or main control panel.
- 14. High level in moisture separators.
- 15. Deleted.
- 16. Reactor high water level.
- 17. Low bearing oil pressure.
7.11.4 Power Generation Evaluation The pressure regulator and turbine-generator control system design is such that it provides a stable control response to normal load fluctuations.
The main turbine bypass valves are capable of responding to the maximum closure rate of the turbine admission valves such that reactor steam flow is not significantly affected until the magnitude of the load rejection exceeds the capacity of the bypass valves (21.96 percent of full load).
Load rejections in excess of bypass valve capacity may cause the reactor to scram. Any condition causing the turbine stop valves CHAPTER 07 7.11-5 REV. 27, APRIL 2019
PBAPS UFSAR to close will directly initiate a scram before reactor pressure or neutron flux have risen to the trip level.
Abnormal operational transient analyses have been made for a component failure in the turbine-generator system and included in Section 14.0, "Plant Safety Analysis."
The pressure regulator and turbine-generator control system can fail in such a manner as to cause the control and bypass valves to either fully open or fully close. In neither case would fuel damage occur. However, if a pressure regulator fails downscale while the second regulator is out of service the resulting transient could be limiting. Operation with only one pressure regulator is discussed in section 14.5.4.
In the event that the control valves fully opened, the emergency trip system would cause all valves to close. Loss of electrical or hydraulic power causes all valves to close.
In the event that the control valves are failed fully closed, the reactor will scram with the excess steam flow absorbed by the bypass system.
7.11.5 Inspection and Testing 7.11.5.1 Turbine-Generator Supervisory Instruments The turbine and all turbine control system components can be tested and inspected prior to plant operation and during scheduled shutdown. The turbine supervisory instrumentation located in the control room is sufficient to detect any potential maloperation.
The turbine supervisory instrumentation includes monitoring of the following variables:
- 1. Vibration and eccentricity.
- 2. Thrust bearing wear.
- 3. Exhaust hood temperature and spray pressure.
- 4. Oil system pressures, levels, and temperatures.
- 5. Bearing metal and drain temperatures.
- 6. Shell temperatures.
- 7. Valves positions (Unit 3 only).
CHAPTER 07 7.11-6 REV. 27, APRIL 2019
- 8. Shell and rotor differential expansion.
- 9. Shaft speed (Unit 3 only), electrical load, and control valve inlet pressure indication.
- 10. Hydrogen temperature, pressure, and purity (Unit 3 only). For Unit 2, the HMI will display these parameters because their panel meters are removed.
- 11. Stator coolant temperature, pressure, and conductivity.
- 12. Stator winding temperature.
- 13. Alternator air coolant temperatures.
- 14. Steam seal pressure.
- 15. Steam packing exhauster vacuum.
- 16. Steam chest pressure.
- 17. Seal oil pressure.
7.11.5.2 Testing Provisions Provisions are made for testing each of the following devices while the unit is operating:
- 1. Main stop valves.
- 2. Main control valves.
- 3. Bypass valves.
- 4. Combined intermediate valves.
- 5. Overspeed trip.
- 6. Bleeder trip valves.
- 7. Vacuum trip.
- 8. Deleted
- 9. TDM trip solenoids.
CHAPTER 07 7.11-7 REV. 27, APRIL 2019
PBAPS UFSAR 7.12 PROCESS RADIATION MONITORING A number of radiation monitors and monitoring systems are provided on process liquid and gas lines that may serve as discharge routes for radioactive materials. These include the following:
- 1. Main steam line radiation monitoring system.
- 2. Air ejector off-gas radiation monitoring system.
- 3. Stack radiation monitoring system.
- 4. Liquid process radiation monitors.
- 5. Ventilation radiation monitoring system.
These systems are described individually in the following paragraphs. Process sampling systems are described in subsection 10.20.
7.12.1 Main Steam Line Radiation Monitoring System 7.12.1.1 Safety Objective The safety objective of the main steam line radiation monitoring system is to monitor for the gross release of fission products from the fuel and, upon indication of such failure, to initiate appropriate action to limit fuel damage and contain the released fission products.
7.12.1.2 Safety Design Basis
- 1. The main steam line radiation monitoring system is designed to give prompt indication of a gross release of fission products from the fuel.
- 2. The main steam line radiation monitoring system is capable of detecting a gross release of fission products from the fuel under any anticipated operating combination of main steam lines.
- 3. Upon detection of a gross release of fission products from the fuel, the main steam line radiation monitoring system initiates an alarm to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiations CHAPTER 07 7.12-1 REV. 26, APRIL 2017
PBAPS UFSAR levels within limits. Initiation of high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running.
7.12.1.3 Description Four gamma-sensitive instrumentation channels monitor the gross gamma radiation from the main steam lines. The detectors are physically located near the main steam lines just downstream of the outboard main steam line isolation valves. The detectors are geometrically arranged so that the system is capable of detecting significant increases in radiation level from any number of main steam lines in operation. Their location along the main steam lines allows the earliest practical detection of a gross fuel failure. Two of the channels are powered from one reactor protection system bus, and the other two channels are powered from the other reactor protection system bus.
When a significant increase in the main steam line radiation level is detected, an alarm is initiated to alert Operators. Trending of radiation monitor recorder data will be evaluated and reactor coolant samples may be taken to determine if additional action is required to maintain radiations levels within limits. Initiation of high-high radiation alarm alerts the Operators to close any open reactor coolant sample lines and trips the mechanical vacuum pump, if running.
The radiation trip setting is selected so that a high radiation trip results from the fission products released in the design basis rod drop accident. The setting so selected is enough above the background radiation level in the vicinity of the main steam lines that spurious trips are avoided at rated power. The setting is low enough that the monitor can respond to the fission products released during the design basis rod drop accident, which occurs at a low steam flow condition.
The trips of the four instrumentation channels are arranged in a one-out-of-two-twice logic to provide redundancy and prevent inadvertent alarms as a result of instrumentation malfunctions.
Each monitoring channel consists of a gamma sensitive ion chamber and a log radiation monitor, as shown in Drawing M-1-T-29, Sheets 1 and 2. Capabilities of the monitoring channel are listed in Table 7.12.1. Each log radiation monitor has two trip circuits.
One trip circuit comprises the upscale trip setting that is used CHAPTER 07 7.12-2 REV. 26, APRIL 2017
PBAPS UFSAR to initiate alarm and pump trip. The other trip circuit is a downscale trip that actuates an instrument trouble alarm in the control room. A CRDA will trip the high-high radiation alarm.
The control room Operator must manually isolate the reactor sample lines within 40 minutes of the alarm actuation. The output from each log radiation monitor is displayed in the control room on a digital display with a 1E0 to 1E6 mR/hr range.
The trip circuits for each monitoring channel operate normally energized, so that failures in which power to monitoring components is interrupted result in a trip signal. The environmental capabilities of the components of each monitoring channel are selected in consideration of the locations in which the components are to be placed.
A two-pen recorder is used to record the outputs from any one of two channels on each trip system of the four monitoring channels.
Manual selector switches allow the outputs of any two of the four channels to be recorded. The recorder has one upscale alarm circuit. The alarm setting is lower than the log radiation monitor upscale trip setting, so that an alarm is received in the control room before scram and steam line isolation are effected.
7.12.1.4 Safety Evaluation The number and location of the detectors meet safety design bases 1 and 2. The closure of the MSIV's, stopping the mechanical vacuum pump, and closing the mechanical vacuum pump suction valve effect containment of radioactive materials. This meets safety design basis 3. The system is capable of initiating safety action at the level of fuel damage resulting from the design basis rod drop accident. In Section 14.0, "Plant Safety Analysis," it is shown that the amount of fuel damage and fission product release involved in this accident is relatively small. It can be concluded that for any situation involving gross fission product release, the main steam line radiation monitoring system is capable of providing prompt safety action.
7.12.1.5 Inspection and Testing A built-in adjustable current source is provided for test purposes with each log radiation monitor. Routine verification of the operability of each monitoring channel can be made by comparing the outputs of the channels during power operation and by the use of check sources when shut down.
CHAPTER 07 7.12-3 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.2 Air Ejector Discharge And Adsorber Bed Outlet Radiation Monitoring System 7.12.2.1 Power Generation Objective The power generation objective of the air ejector discharge and Adsorber Bed Outlet radiation monitoring system is to indicate when radioactivity levels of the Off-gas system increase above expected normal limits.
7.12.2.2 Power Generation Design Basis
- 1. The air ejector discharge radiation monitoring system provides an alarm to operations personnel whenever the radioactivity level of the air ejector off-gas reaches short-term limits.
- 2. The air ejector discharge radiation monitoring system provides a record of the radioactivity released from the air ejector outlet to the adsorber bed inlet.
- 3. The Adsorber Bed Outlet radiation monitoring system provides an alarm to operations personnel whenever the radioactivity level at the adsorber bed outlet exceeds expected normal levels.
7.12.2.3 Description 7.12.2.3.1 Air Ejector Discharge Radiation Monitor The air ejector discharge radiation monitoring system is shown in Drawing M-310, Sheets 2 and 4 and specifications are given in Table 7.12.1. The system has three instrumentation channels, two logarithmic and one linear. Each channel consists of a gamma-sensitive detector, a logarithmic or linear radiation monitor, and a strip chart recorder. The monitors and the recorders are located in the main control room. Each channel of the logarithmic radiation monitor is powered from a different bus of the RPS. The linear channel is powered from the 24-V dc bus.
Each logarithmic monitor has an upscale trip and a downscale trip indicating high radiation and instrument trouble, respectively.
Any one trip will give an alarm in the control room.
Three gamma-sensitive ion chambers are positioned adjacent to a vertical sample chamber that is internally polished to minimize plateout. A sample is drawn from the off-gas line through the sample chamber and returned to the air ejector suction line. The CHAPTER 07 7.12-4 REV. 26, APRIL 2017
PBAPS UFSAR sample system is arranged to give a 2-minute time delay before the sample is monitored. This time delay allows nitrogen-16 to decay reducing some of the background radiation. The detectors are influenced by radioactive gases such as nitrogen-13 and oxygen-19 when a fuel defect is not present. At higher fission release rates when a fuel defect is present or during periods of high recoil, the detectors more accurately reflect fission isotopes like Xe and Kr.
Small changes in the off-gas gross fission product concentration can be detected by the continuous use of the linear radiation monitor. The detector monitors the same sample as the air ejector off-gas logarithmic detectors. The system uses a linear readout with a range switch instead of a logarithmic readout. The output from the monitor is recorded on a one-pen recorder.
The environmental and power supply design conditions are given in Table 7.12.2.
7.12.2.3.2 Adsorber Bed Outlet Radiation Monitor The off-gas adsorber bed outlet radiation monitor specifications are given in Table 7.12.1. The system consists of a gamma-sensitive pipe-mounted detector and a readout module located in the main control room.
The monitor has an upscale trip and a downscale trip indicating high radiation and instrument trouble, respectively. Upscale or downscale trips will sound an alarm in the control room.
7.12.2.4 Power Generation Evaluation The air ejector discharge radiation monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity in the air ejector off-gas. The system thus provides the operator with enough information to control the activity release rate.
Sufficient redundancy is provided to allow maintenance on one channel without losing the indications provided by the system.
7.12.2.5 Inspection, Testing, and Calibration 7.12.2.5.1 Air Ejector Discharge Radiation Monitor The air ejector discharge radiation monitors are periodically calibrated by taking a grab sample of the gases with the off-gas vial sampler. The sample is analyzed and a factor relating the CHAPTER 07 7.12-5 REV. 26, APRIL 2017
PBAPS UFSAR response of the monitors to the off-gas activity is calculated.
These monitors are provided with two alarm level set points. The lower alarm level is set below the normal background reading of the monitor so that an alarm is sounded if the instrument reading falls below this level. The upper alarm level is selected at a value greater than the normal full power background to detect an increase in radioactivity in the off-gas system. The instrument range is 1.0 to 106 mR/hr.
7.12.2.5.2 Adsorber Bed Outlet Radiation Monitor The adsorber bed outlet radiation monitor is periodically calibrated by exposing the radiation sensor to a radioactive source of known field strength. This monitor is provided with two alarm level set points. The lower alarm level is set below the normal background reading of the monitor so that an alarm is sounded if the instrument reading falls below this level. The high alarm setpoint is set at less than or equal to 105 mR/hr. The instrument range is 0.1 to 104 mR/hr.
7.12.3 Stack Radiation Monitoring System 7.12.3.1 Safety Objective The safety objectives of the stack radiation monitoring system are to indicate whenever limits on the release of radioactive material to the environs are reached and to indicate the rate of radioactive material release during planned operation and accident conditions.
7.12.3.2 Safety Design Basis
- 1. The stack radiation monitoring system provides a clear indication to operations personnel whenever limits on the release of radioactive material to the environs are reached.
- 2. The stack radiation monitoring system indicates the rate of release of radioactive material from values above release rate limits, including accident conditions, down to the release rates normally encountered during high power operation.
- 3. The stack radiation monitoring system records the rate of release of radioactive material to the environs, so that determination of the total amounts of activity released is possible.
CHAPTER 07 7.12-6 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.3.3 Description The stack radiation monitoring system is a microprocessor-based state-of the-art system consisting of a wide range gas monitor (WRGM) and a normal range fixed filter particulate, iodine, and gas (PIG) monitor. The probe assembly consists of two isokinetic probes, one for the WRGM and one for the PIG, and two sets of stack flow sensing devices.
The WRGM has four channel -- the low, mid, and high range channels provide radioactivity concentration indication in Ci/cc and the fourth channel (i.e., the effluent release channel) providing radioactivity release rate information in Ci/sec. The low, mid, and high range channels of the WRGM have overlapping ranges with each other and are suitable for monitoring radioactive stack releases during normal full-power operation and accident conditions. These ranges satisfy the requirements of Regulatory Guide 1.97, Rev. 3.
The PIG monitor also has four channels -- particulate channel, the iodine channel, the noble gas channel, and the effluent channel.
The first three channels provide radioactivity concentration indication in Ci/cc and the fourth channel (i.e., the effluent release channel) provides radioactivity release rate information in Ci/sec. Unlike the WRGM, the PIG covers only normal full-power operation releases.
Both WRGM and PIG monitors provide contact outputs to radiation alarms and analog outputs to the plant computer and to the radiation recorder. In addition, both monitors provide trip signals on a HIGH-HIGH alarm to Group III isolation valves. These signals (which fulfill the requirements of NUREG-0737, item II.E.4.2(7)) are required only when purging the containment through the SGTS and containment integrity is required. The trip signals isolate primary containment vent and purge valves greater than two inches in diameter to prevent accidental release of radioactivity offsite when the valves are open.
7.12.3.4 Safety Evaluation The main stack radiation monitors have been selected with monitoring characteristics sufficient to provide plant operations personnel with accurate indication of radioactivity being released to the environs via the stack. During normal operation, sufficient redundancy is provided to allow maintenance on one CHAPTER 07 7.12-7 REV. 26, APRIL 2017
PBAPS UFSAR monitor without losing the indication provided by the radiation monitoring system.
A sampling system has been provided as described in Section 10.20 to identify sources of radioactive leakage detected by the main stack radiation monitors.
7.12.3.5 Inspection, Testing, and Calibration Each individual monitor includes a built-in check source and a purge line to purge the vent gas from the sampling chamber. The built-in check source and purge capability can be used to provide testing flexibility. Both the purge valve and the check source are operated from the control room.
Appendix E relates the equivalence of the Ci/sec release rate to the mR/hr created by the released effluent. The WRGM low range and PIG normal range gas monitors are provided with two radiation alarm level set points -- HIGH and HIGH-HIGH. The HIGH alarm level is set at a factor times normal monitor reading to indicate presence of an abnormal radiation level in accordance with the Offsite Dose Calculation Manual (ODCM). The HIGH-HIGH alarm level is set below the maximum allowable release limit in accordance with the ODCM.
The main stack monitor effluent channel is capable of detecting activity as low as 100 Ci/sec. The minimum detectable release rate will be a function of the background environment. Assuming that 100 Ci/sec at 30-min decay exists continuously all year, the total release would be 3,150 Ci/yr. This value should not be considered the total activity because many of the half lives of the gaseous radioisotopes are short lived compared to a year. The annual average whole body dose would be about 0.1 mRem/yr at the worst off-site location. Considering reasonable occupancy and shielding dose reduction factors, the dose would be lower by factors of about 3 to 10.
Within the band of 100 Ci/sec and the set point at the annual average stack release rate limit the operator has knowledge of the release rate performance of the plant. Release rates up to the annual average stack release rate limit are within the 10CFR20 permissible whole body dose. Exceeding this limit for short periods of time could be allowed because the release rate limit represents an average over one hour. The release rate limit is not expected, but it is the maximum calculated release rate allowable by the regulations when considering off-gas design, size CHAPTER 07 7.12-8 REV. 26, APRIL 2017
PBAPS UFSAR and shape of site, and meteorological data. Expected release rates and doses would be much less than permissible.
7.12.4 Liquid Process Radiation Monitoring System 7.12.4.1 Power Generation Objective Process liquid radiation monitors are provided to indicate when operational limits for the normal release of radioactive material to the environs are being approached and to indicate process system malfunctions by detecting the presence of radioactive material in a normally uncontaminated system.
7.12.4.2 Power Generation Design Basis Process liquid radiation monitors located in streams that normally discharge to the environs provide a clear indication to operations personnel whenever the radioactivity level in a stream approaches or exceeds pre-established operational limits for the discharge of radioactive material to the environs, or exceeds a pre-established limit above the normal radiation level of the stream.
CHAPTER 07 7.12-9 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.4.3 Description The process liquids radiation monitoring system consists of the following subsystems (Figure 7.12.2):
- 1. Reactor building cooling water radiation monitor (Drawing M-316, Sheets 1 and 2).
- 2. Service water radiation monitor (Drawing M-314).
- 3. Emergency service water radiation monitor (Drawing M-330).
- 4. Radwaste discharge radiation monitor.
- 5. Fuel storage pool radiation monitor (Drawing M-363, Sheets 1 and 2).
- 6. RHR heat exchanger high-pressure service water intake and discharge monitors (Drawing M-315, Sheets 1 through 7; not shown in Figure 7.12.2).
A reactor building cooling water monitor, a service water monitor, and a fuel storage pool radiation monitor are supplied with each reactor unit. The emergency service water and radwaste discharge radiation monitors are common to both reactor plants.
Each subsystem consists of a gamma-sensitive scintillation detector, suitably mounted, which transmits to a log count ratemeter with an integral dual level alarm trip circuit. The ratemeter performs the pulse-to-analog conversion and transmits to a strip chart recorder (except for the fuel storage pool radiation monitor). Each detector is installed in such a manner as to reduce background radiation and plateout. All ratemeters, recorders, and controls are mounted in the main or radwaste control room, as appropriate.
Each ratemeter trip circuit has an upscale trip to indicate high radiation level and a downscale trip to indicate instrument trouble. The trips give an alarm and for the radwaste discharge monitor, initiates automatic control action.
Service water is used to cool normally non-radioactive services and equipment. It also cools the reactor building cooling water system via a heat exchanger. The presence of radiation in the service water discharge may indicate that a leak into the system from a contaminated stream has occurred.
CHAPTER 07 7.12-10 REV. 26, APRIL 2017
PBAPS UFSAR The reactor building cooling water system cools potentially contaminated services and equipment. The system may contain activity due to activation of added corrosion inhibitors. Changes in the normal radiation level could indicate leaks of radioactive water into the system.
The liquid radwaste system provides for collection of waste liquids through various drainage systems. Because of conductivity not all of the waste liquids can be economically purified by demineralization. Consequently, some liquid containing radioactivity is eventually discharged from the system. The liquid radwaste monitor indicates and records the radiation levels in this discharge.
The emergency service water system provides cooling water to the core standby cooling equipment in case of a loss of off-site power. Changes in the normal radiation level of the emergency service water discharge could indicate leakage in the core standby cooling equipment.
Radiation monitors have been provided on each high-pressure service water intake and discharge of the RHR heat exchangers for Unit 2 and 3. In the event that a heat exchanger leak occurs in conjunction with a reversal of normal heat exchanger differential pressure, these monitors will annunciate, in the control room, the presence of radioactivity in the high-pressure service water system. Two monitors have been provided for each unit. Samples are drawn from either the upstream or downstream piping of the RHR heat exchanger depending on HPSW system function (active or idle).
This will assure RHR leakage through the heat exchanger is monitored periodically. After HPSW operation, water in the system will drain through the HPSW pump discharge check valve, lowering the water level in the inlet and discharge piping to the RHR heat exchangers. Radiation monitoring will be temporarily suspended during periods when a solid water column in the header does not exist. Without the water column present, the transmission path for contamination does not exist, and continued sampling is not required. This will also protect the sample pumps from running dry.
Leakage from fuel elements stored in the fuel storage pool would be detected by radiation monitors suitably located in each spent fuel pool.
The environmental and power supply design conditions are given in Table 7.12.2.
CHAPTER 07 7.12-11 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.4.4 Power Generation Evaluation The process liquid radiation monitoring system possesses radiation detection and monitoring characteristics sufficient to inform plant operations personnel whenever radiation levels in the processes rise above preset limits.
7.12.4.5 Inspection and Testing The operational integrity of the detectors, ratemeters, and alarm trip circuits can be tested by using test signals or portable gamma sources.
7.12.5 Ventilation Radiation Monitoring 7.12.5.1 Safety Objective The safety objective of the ventilation radiation monitoring system is to indicate whenever preset limits on the release of radioactive material are reached, to indicate the rate of radioactive material release, and to effect appropriate action when necessary, so that the release of radioactive material does not exceed the guideline values of published regulations.
7.12.5.2 Safety Design Basis
- 1. The ventilation radiation monitoring system provides an indication to operations personnel of the presence of abnormal amounts of radioactive material and indicates whenever limits on the release of radioactive material to the environs are reached.
- 2. The ventilation radiation monitoring system effects the necessary action to ensure that the release of radioactive material does not exceed the guideline values of published regulations.
7.12.5.3 Power Generation Objective The power generation objective of the ventilation radiation monitoring system is to indicate and record the quantities of radioactive material present in the ventilation effluents during planned operations.
The ODCM contains the release limits and monitoring system operability and utilization requirements to demonstrate CHAPTER 07 7.12-12 REV. 26, APRIL 2017
PBAPS UFSAR conformance to the release limits. Refer to Appendix E for the station atmospheric release limit calculations. Table E.6.1 shows the release limits from all the release points of Units 2 and 3.
Each release point is monitored as described in this section.
The alarm set points will be set so that the total release will satisfy the conditions of Table E.6.1, even if all release points should be discharging at their alarm set points.
Radioactive releases will be documented through analyses of filter depositions, analyses of grab samples, and recorded effluent radiation monitor values.
7.12.5.4 Power Generation Design Basis The ventilation radiation monitoring system indicates and records the rate of release of radioactive material to the environs.
7.12.5.5 Description The ventilation radiation monitoring system is illustrated in Drawing M-334, Sheets 1 through 4 and is composed of the following subsystems:
- 1. Ventilation stack radiation monitoring.
- 2. Reactor building ventilation exhaust radiation monitoring.
- 3. Refueling floor ventilation exhaust radiation monitoring.
- 4. Control room ventilation intake radiation monitoring.
- 5. Radwaste ventilation exhaust radiation monitoring.
- 6. Off-gas recombiner building duct ventilation exhaust radiation monitoring.
The reactor building, refueling floor, and control room intake monitors are designed to meet the safety design bases.
7.12.5.5.1 Ventilation Stack Radiation Monitoring The ventilation stack receives effluent from the following sources:
- 1. Reactor building reactor zones.
- 2. Reactor building refueling floor.
CHAPTER 07 7.12-13 REV. 26, APRIL 2017
- 3. Reactor building equipment cells.
- 4. Radwaste building. (Unit 2 only)
- 5. Radiochemistry laboratory and counting room. (Unit 2 only)
- 6. Radiochemistry hood. (Unit 2 only)
- 7. Turbine building.
- 8. Ventilation stack radiation monitors.
- 9. Offgas recombiner building exhaust. (Unit 3 only)
- 10. Pearl building, RCA exhaust. (Unit 3 only)
- 11. Pearl building fume hood exhaust.(Unit 3 only)
The ventilation stack radiation monitoring subsystem consists of a wide range gas monitor (WRGM) and a normal range fixed filter particulate, iodine, and gas (PIG) monitor per unit. The ventilation stack effluent is sampled by a probe assembly that consists of two isokinetic probes, one for WRGM and one for the PIG.
The wide range gas monitor detects and measures beta and gamma radiation levels. The WRGM is an off-line monitor that draws a representative sample from the vent stack. The sample is separated and routed to three different detectors, one low, mid and high range. The sample is filtered to prevent contamination of the detector chambers. The WRGM consists of four channels: a low radiation, mid radiation, high radiation and an effluent channel.
The WRGM range is sufficient to cover post-accident effluent. The three radiation channels overlap each other to provide an overall range of 1x10-7 Ci/cc to 1.0x105 Ci/cc. The WRGM has a local microprocessor that communicates with a display and alarm unit in the main control room. The alarm logic is discussed in paragraph 7.12.5.6. The WRGM has provisions for taking grab samples for laboratory analysis. The grab sampler can be controlled locally or from the main control room.
The fixed filter particulate, iodine, gas monitor detects and measures effluent beta and gamma radiation levels. The PIG is an off-line monitor that draws a representative sample from the vent stack through the radiation detector sample chambers. The PIG provides continuous iodine and particulate monitoring so that the actual time and duration of a release can be determined. The PIG monitor has a local microprocessor and a display and alarm unit in the main control room. The alarm logic is discussed in paragraph CHAPTER 07 7.12-14 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.5.6. The PIG also has provisions for taking grab samples for laboratory analysis.
The monitors read out in Ci/cc based upon an analytically determined counts/minute per Ci/cc conversion factor which is input to the monitor processor. These monitors have two radiation alarms -- HIGH and HIGH-HIGH. The HIGH alarm is field set at a factor times normal monitor reading of the monitor to indicate the presence of an abnormal radiation level in accordance with the Offsite Dose Calculation Manual (ODCM), and an alarm is sounded if the reading rises above this level. The HIGH-HIGH alarm is set below the maximum allowable release limit in accordance with the ODCM.
The radiation level in the ventilation stack radiation monitoring system would depend upon the nature of an accidental release inside the plant. The actual specific activity of the mixture released is impossible to calculate or to establish by empirical standards or a sampling program. The most probable release would be one which produced a mixture of fission products, corrosion products, and activation products. Calibration on the basis of the most difficult isotopes to detect in this mixture is, therefore, conservative.
7.12.5.5.2 Reactor Building Ventilation Exhaust Radiation Monitoring and Refueling Floor Ventilation Exhaust Radiation Monitoring Each of these subsystems employs four dual-channel G-M detectors mounted directly on the duct. The radiation monitors are installed on both the refueling floor exhaust ducts and the building exhaust system ducts which serve the area below the refueling floor. Duct isolation valve closure time is 3 to 10 sec. The monitors for the refueling floor exhaust duct are located after the last exhaust branch duct and at a distance equivalent to or better than exhaust air travel time from the monitors to the isolation valve. For the reactor building area ventilation exhaust duct, no such delay is incorporated since the consequences of such an accidental release over the 3- to 10-sec valve closure are not significant by comparison with the limits of 10CFR100. This mounting provides a minimum response time to detect an abnormal release during a refueling operation. The signal that causes isolation also initiates the standby gas treatment systems. Each of the detectors transmits to a ratemeter with an integral three output, dual-level trip unit. Two of the outputs are recorded on a 2-pen strip chart recorder. All controls, recording, and readout are located in the main control CHAPTER 07 7.12-15 REV. 26, APRIL 2017
PBAPS UFSAR room. The environmental and power supply design conditions are given in Table 7.12.2.
These monitors are calibrated using a portable calibration source.
The monitors read true gamma dose rate. The isolation set point is established on the basis of an analysis performed utilizing the specific plant ductwork at the detector location. The isolation set point also determines the gamma dose rate that would result from the amount of radioactivity released into the duct during the refueling accident. The monitor range is 0.01 to 100 mR/hr, and the isolation allowable value is established at 16 mR/hr which is conservatively less than that which would result from the refueling accident. This allowable value corresponds to a release rate of 0.13 Ci/sec. The alarm setpoint is established at one-tenth the isolation allowable value or a release rate of 0.013 Ci/sec.
7.12.5.5.3 Control Room Ventilation Intake Radiation Monitoring The control room ventilation intake radiation monitoring equipment consists of six (6) induct beta/gamma scintillation radiation detectors, four (4) radiation detectors mounted in the intake plenum and two (2) radiation detectors mounted in the emergency ventilation supply fan plenum. The radiation detectors measure the radioactivity in the ventilation ducts utilizing background subtraction. Each detector transmits through a radiation pre-amplifier to a local radiation indicating switch with a three-level alarm/trip unit. The alarm and isolation logic is discussed in paragraph 7.12.5.6.3. The local radiation indicating switches then transmit to radiation indicators, with two of the indicators providing inputs to a strip chart recorder in the control room.
Each independent loop has controls for testing, using a simulated check source to indicate high radiation thereby ensuring the operational integrity and calibration. The flow in the ventilation duct is recorded and a loss of flow in the duct is annunciated in the control room. Most controls, recordings and readouts are located in the main control room; many are also provided in a local cabinet in the fan room (radwaste building elev. 165). The environmental and power supply conditions are given in Table 7.12.2.
7.12.5.5.4 Radwaste Ventilation Exhaust Radiation Monitoring and Off-Gas Recombiner Building Duct Ventilation Exhaust Radiation Monitoring CHAPTER 07 7.12-16 REV. 26, APRIL 2017
PBAPS UFSAR The radwaste ventilation exhaust and off-gas recombiner building duct ventilation exhaust radiation monitors are process monitors, the purpose of which is to monitor radwaste exhaust and off-gas recombiner building duct ventilation exhaust feed streams to the vent stack effluent release points. As such, these monitors provide alarm function only. In the event that one of the vent stack effluent release point monitors should alarm on a high radiation signal, readings and/or setpoint-level alarms from one of the upstream process monitors (i.e., the radwaste exhaust monitor, or the off-gas recombiner building duct ventilation exhaust monitor as the case may be) will help to identify the origin of the suspected high radiation effluent release problem.
These process monitors are single-channel noble gas microprocessor-controlled off-line monitors that utilize beta scintillation detectors mounted in 3-inch-thick 4 solid lead shields. They provide radioactivity concentration indication in Ci/cc and cover a range from 1.12 x 10-7 Ci/cc to 3.0 x 10-1 Ci/cc. Each detector has a 0.05 Ci Cl-36 beta-emitting check-source to verify proper operation. The gas detector consists of a photomultiplier tube and a 2-inch diameter by 0.01-inch-thick plastic beta scintillator. The sample enters the shield, passes through a 3250 cc fixed volume sample chamber, and exits the shield. The fixed volume is viewed by the plastic scintillator that senses beta radiation from the decay of noble gas radioisotopes.
7.12.5.6 Alarm and Isolation Logic The alarm and isolation logic of the various ventilation radiation monitoring systems is discussed in the following subsections.
7.12.5.6.1 Reactor Building and Refueling Floor Alarm and Isolation The reactor building and refueling floor ventilation exhaust equipment can isolate the monitored duct upon actuation of the correct two channels of the one-out-of-two-twice logic system.
HIGH-HIGH signals from the reactor building or refueling floor duct-mounted monitors will initiate the standby gas treatment system and send a signal to the primary containment and reactor vessel isolation control logic (subsection 7.3). Alarms will annunciate in the control room at the DOWNSCALE level, the HIGH level, and at the HIGH-HIGH level.
7.12.5.6.2 Ventilation Stack Alarms CHAPTER 07 7.12-17 REV. 26, APRIL 2017
PBAPS UFSAR The ventilation stack monitors (WRGM and PIG) each have two alarms in the main control room Vent Exh Stack Rad Monitor Hi-Hi, and Vent Exh Stack Rad Monitor HI/TROUBLE. The HIGH alarm is field set at a factor times normal monitor reading to indicate the presence of an abnormal radiation level in accordance with the Offsite Dose Calculation Manual (ODCM), and an alarm is sounded if the reading rises above this level. The HIGH-HIGH alarm is set below the maximum allowable release limit in accordance with the ODCM. Administrative actions will be implemented to detect and isolate the source of release until corrective maintenance eliminates the problem. In addition to high radiation, the HI/TROUBLE alarm annunciates on low/loss vent stack flow or equipment failures or loss of power.
7.12.5.6.3 Control Room Ventilation Intake Alarm and Bypass The control room ventilation intake radiation monitors are used to switch from control room normal ventilation to control room emergency ventilation. A high radiation level or a downscale/failure from channels (A OR B) and (C OR D) will initiate the control room emergency ventilation system which diverts the intake air through absolute particulate and halogen filters. A high radiation level or downscale/failure will also annunciate in the control room. Low flow in the control room normal ventilation duct will also initiate the control room emergency ventilation system and annunciate in the main control room.
7.12.5.6.4 Radwaste Ventilation Alarm and Isolation The radwaste ventilation exhaust radiation monitor HIGH level is set below the maximum allowable release level and will alert the operator of the approach to the maximum limit. Administrative actions will be implemented to detect and isolate the source of release until corrective maintenance eliminates the problem.
7.12.5.6.5 Off-Gas Recombiner Building Duct Ventilation Exhaust Radiation Monitoring The off-gas recombiner building duct ventilation exhaust radiation monitor HIGH level is set below the maximum allowable release level and will alert the operator of the approach to the maximum limit. Administrative actions will be implemented to detect and isolate the source of release until corrective maintenance eliminates the problem.
CHAPTER 07 7.12-18 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.5.7 Safety Evaluation The radiation monitors are duct-mounted for the reactor building and refueling floor ventilation system and for the control room ventilation system. The physical location and monitoring characteristics are adequate to detect accident generated radiation levels and initiate appropriate isolation signals. The design basis accidents are discussed and evaluated in Section 14.0, "Plant Safety Analysis." The redundancy of channels is sufficient to ensure that no single failure can prevent isolation when required.
The reactor building, refueling floor, and control room ventilation radiation monitoring equipment meet the requirements of IEEE-279 criteria. Should one monitor fail, failure being indicated by a downscale alarm, administrative action may be taken to remedy the situation.
CHAPTER 07 7.12-19 REV. 26, APRIL 2017
PBAPS UFSAR 7.12.5.8 Inspection and Testing The operational integrity of the detectors, ratemeters, and alarm trip circuits can be tested by using test signals, portable calibration sources, or built-in design features. Built-in check sources are provided for the detectors in the Vent Stack, Radwaste Ventilation Exhaust and the Offgas Recombiner radiation monitoring systems which could be used to verify system operational integrity. A simulated check source is provided in the Control Room ventilation intake radiation monitoring system and may be used to ensure system operational integrity and calibration.
Sample flows are monitored and will cause alarms if they go out of limits.
CHAPTER 07 7.12-20 REV. 26, APRIL 2017
PBAPS UFSAR TABLE 7.12.1 PROCESS RADIATION MONITORING SYSTEMS CHARACTERISTICS Upscale Downscale/
Monitoring Instrument Instrument Alarms Per INOP Alarms Trips Per System Range(1) Scale Channel Per Channel Channel Main Steam 1-106 mR/hr Digital Line 2 1 1 Upscale Air Ejector 1-106 mR/hr Digital Discharge 2 1 0 (Logarithmic)
Air Ejector 1-10-12 to (5)
Discharge 3.16 x 10-3 0-40 0 0 0 (Linear) amps 0-125 Adsorber 0.1-104 mR/hr 5-Decade log Bed 1 1 0 Outlet Main Stack 10-7 to 105 Digital Wide Range Ci/cc 2 1 1 Upscale Noble Gas Monitor Main Stack 10-7 to 10-1 Digital Particulate, Ci/cc 2 1 1 Upscale Iodine Noble Gas Monitor (Noble Gas Only)
Liquid 10-1 to 106 7-Decade log Process counts per 2 2 1 Upscale(3) second(2) 1 INOP(3)
Reactor .01-100 mR/hr 4-Decade log Zones 2 1 1 Upscale Exhaust Refueling .01-100 mR/hr 4-Decade log Floor 2 1 1 Upscale Exhaust CHAPTER 07 7.12-21 REV. 21, APRIL 2007
PBAPS UFSAR TABLE 7.12.1 (Continued)
Upscale Downscale/
Monitoring Instrument Instrument Alarms Per INOP Alarms Trips Per System Range (1) Scale Channel Per Channel Channel Ventilation 10-7 to 105 Digital Stack Ci/cc 2 1 0 Wide Range Noble Gas Monitor Ventilation 10-7 to 10-1 Digital Stack Ci/cc 2 1 0 Particulate, Iodine and Noble Gas Monitor (Noble Gas Only)
Control Room 0 to 106 Digital Vent Intake counts per 2 1 Note 4 minute Radwaste 1.12 x 10-7 Digital Ventilation Ci/cc to 1 1 0 Exhaust 3.0 x 10-1 Ci/cc Recombiner 1.12 x 10-7 Digital Building Ci/cc to 1 1 0 Ventilation 3.0 x 10-1 Exhaust Ci/cc (1) Range of measurements is dependent on items such as the source of geometry, background radiation, shielding, energy levels, and methods of sampling.
(2) Readout is dependent upon the pulse height discriminator setting.
(3) Liquid radwaste effluent radiation monitor only.
(4) Uses one-out-of-two-twice logic [(A or B) and (C or D)].
(5) Range of measurement is dependent on Range Switch Setting.
CHAPTER 07 7.12-22 REV. 21, APRIL 2007
PBAPS UFSAR TABLE 7.12.2 PROCESS RADIATION MONITORING SYSTEM ENVIRONMENTAL AND POWER SUPPLY DESIGN CONDITIONS Sensor Location Control Room Design Design Parameter Center Range Center Range Temperature 25C 0C to 25C 5 to
+60C +50C Relative Humidity 50% 20 to 98% 50% 20 to 90%
Power, AC 115 V +/-10% 115 V +/-10%
60 Hz +/-5% 60 Hz +5%
Power, DC +24 VDC +22 to +24 VDC +22 to
+29 VDC +29 VDC
-24 VDC -22 to -24 VDC -22 to
-29 VDC -29 VDC CHAPTER 07 7.12-23 REV. 21, APRIL 2007
PBAPS UFSAR 7.13 AREA RADIATION MONITORING SYSTEM 7.13.1 Power Generation Objective The power generation objective of the area radiation monitoring system is to warn of abnormal gamma radiation levels in selected areas and to indicate post-accident radiation levels in containment.
7.13.2 Power Generation Design Basis
- 1. The area radiation monitoring system provides a record and an indication in the control room of gamma radiation levels at selected locations within the various plant buildings.
- 2. The area radiation monitoring system provides local alarms to warn personnel of significant increases in radiation levels.
- 3. The containment high range area monitoring system provides a record and indication in the control room of containment post-accident radiation levels.
7.13.3 Description 7.13.3.1 Monitors The normal range area radiation monitoring system is shown as a functional block diagram in Drawing M-1-CC-11, Sheets 1 and 2.
Each channel consists of a combined sensor and converter unit, a combined indicator and trip unit, and a shared power supply. Each channel has, in addition, a control room audio alarm and a local audio alarm auxiliary unit. Those channels designated as Reg.
Guide 1.97 variables are recorded by the PMS computer.
Each monitor has an upscale trip that indicates high radiation and a downscale trip that may indicate instrument trouble. These trips sound alarms but cause no control action. The system is powered from the 120V AC instrument bus. The trip circuits are set so that loss of power causes an alarm. The environmental and power supply design conditions are given in Table 7.13.1.
The containment high range area monitoring system consists of four high range, 1 to 108-R/hr monitors for each unit. Monitors are environmentally and seismically qualified and provided with divisional power to protect against single failure. Recorders for CHAPTER 07 7.13-1 REV. 25, APRIL 2015
PBAPS UFSAR these monitors are located in the control room. The radiation detectors are located in the drywell. The system provides for indication of post-accident levels of radiation in containment for use in implementing emergency action plans.
The Primary Containment High Range Radiation Monitoring System installed at Peach Bottom Atomic Power Station meets the Regulatory Guide 1.97 requirement where containment radiation after an event be measured to within a factor of two. Under certain extreme conditions of high drywell temperature conditions, Insulation Resistance (IR) leakage current will cause a system error. The induced error decreases exponentially with drywell temperature and becomes insignificant below a drywell temperature of 230°F. This induced error is significant (not within a factor of two) only under low radiation conditions coincident with high drywell temperatures, whereas the system will operate to perform its principal function under normal and varying temperature conditions during and following an accident. EPRI Report TR-112582 "High Range Radiation Monitor Cable Study: Phase II" (May 2000) states the following: "A strong positive thermally induced current of relatively short duration (minutes) occurs in response to the steep temperature increase at the start of a thermal event such as a loss-of-coolant accident (LOCA). Such a positive transient will be over before an operator would need the high range radiation monitor system to analyze a DBE condition."
PBAPS has chosen to comply with 10CFR50.68(b) for monitoring of accidental criticality in lieu of the requirements of 10CFR70.24.
7.13.3.2 Locations Work areas where normal operation monitors are located are tabulated in Table 7.13.2.
7.13.4 Inspection and Testing An internal trip test circuit, adjustable over the full range of the trip circuit, is provided for each normal range monitor. The test signal is fed into the indicator and trip unit input so that a meter reading is provided in addition to a real trip. All trip circuits are of the latching type and must be manually reset at the front panel. A portable calibration unit is also provided.
This is a test unit designed for use in the adjustment procedure for the area radiation monitor sensor and converter unit. A cavity in the sensor and converter unit is designed to receive the calibration unit.
The containment high range area monitors are provided with an internal electronic check source which is automatically actuated every 25 min.
CHAPTER 07 7.13-2 REV. 25, APRIL 2015
PBAPS UFSAR TABLE 7.13.1 AREA RADIATION MONITORING SYSTEM ENVIRONMENTAL AND POWER SUPPLY DESIGN CONDITIONS Sensor Location Control Room Design Design Parameter Center Range Center Range Temperature 25C -30C 25C 0 to to 60C +50C Relative 50% 20 to 50% 20 to Humidity 100% 95%
Power 115V/230V +/-10% 115V/230V +/-10%
50/60 Hz +/-5% 50/60 Hz +/-5%
CHAPTER 07 7.13-3 REV. 21, APRIL 2007
PBAPS UFSAR TABLE 7.13.2 LOCATION OF AREA RADIATION MONITORS General Location Channel No. Nameplate Legend Reactor Building (3) 1 Reactor Bldg Sump Area Reactor Building (3) 2 Torus Comp't Reactor Building (3) 3 HPCI Pump Room Reactor Building (3) 4 RCIC Pump Room Reactor Building (3) 5 RHR Pump Room "D" Reactor Building (3) 6 RHR Pump Room "A" Reactor Building (3) 7 Core Spray Pump Room "D" (Unit 2)
Core Spray Pump Room "C" (Unit 3)
Turbine Building 8 Condensate Pumps Area Reactor Building (3) 9 Recirc. Pump Inst. Rack Area Reactor Building (3) 10 Steam Flow Inst. Rack Area Reactor Building (3) 11 Cooling Water Pump Area Turbine Building 12 Condensate Demin. Area Turbine Building 13 Condensate Serv. Pump Area South (Unit 2)
Reactor Building (3) 15 Reactor Bldg Equipment Access Lock & TIP Control Area on Unit 2 only.
Reactor Building (3) 16 Reactor Bldg Personnel Access-South (Unit 2),
North (Unit 3) 1 of 3 CHAPTER 07 7.13-4 REV. 28, APRIL 2021
PBAPS UFSAR TABLE 7.13.2 (Continued)
General Location Channel No. Nameplate Legend Reactor Building (3) 17 Reactor Bldg Personnel Access-North (Unit 2),
South (Unit 3)
Reactor Building (3) 18 TIP Withdrawal Area Turbine Building 19 Access Corridor Reactor Building (3) 21 Reactor Bldg Operating Areas Reactor Building (3) 22 Reactor Building Access Turbine Building 23 Heater & RFPT Area-South (Unit 2)
Heater & RFPT Area-North (Unit 3)
Turbine Building 24 Heater & RFPT Area-North (Unit 2)
Heater & RFPT Area-South (Unit 3)
Turbine Building 25 H.P. Turbine Area Reactor Building (3) 27 Reactor Building Exh. Fans Area Reactor Building (3) 28 Steam Separator Pool Area Reactor Building (3) 29 Reactor Refuel Slot Area Reactor Building (3) 30 Fuel Pool Area Reactor Building (3) 31 Refueling Bridge Turbine Building 32 Pipe Tunnel Sump Areas Plant(1)
Turbine Building 33 Turbine Building RR Access 2 of 3 CHAPTER 07 7.13-5 REV. 28, APRIL 2021
PBAPS UFSAR TABLE 7.13.2 (Continued)
General Location Channel No. Nameplate Legend Turbine Building 34 Turbine Building Access Turbine Building 35 Turbine Building Access Area Turbine Building (3) 36 Main Control Room Reactor Building 37 Radwaste Sump Area Radwaste Building 38 Radwaste Filter Pump Area Radwaste Building 39 Radwaste Condensate Phase Separator Room - East Room Radwaste Building 40 Drum Storage Area Radwaste Building 41 Conveyor Operating Area Access Radwaste Building 42 Radwaste Filter Hatch Area Access Radwaste Building 43 Waste Sample Tank Area Admin. Building 44 Administration Building Reactor Building (3) 45 Source Storage Vault and Calibration Room Turbine Building 48 Turbine Building Cranes(2)
(1) Channel Nos. 32 to 45 are common for both units.
(2) Every channel, except Channel No. 48, has both local and control room readout and alarm, Channel No. 48 is located in the turbine building on both of the overhead cranes.
(3) Channel designated as Regulatory Guide 1.97 Category 3 variable.
3 of 3 CHAPTER 07 7.13-6 REV. 28, APRIL 2021
PBAPS UFSAR 7.14 SITE ENVIRONS RADIATION MONITORING PROGRAM The environmental monitoring program is described in Section 2.6, "Environmental Radiation Monitoring Program."
Site environmental monitoring is performed by several ThermoLuminescent Dosimeters (TLDs) stations located at various locations on the site. The TLDs are collected at least annually for analysis.
CHAPTER 07 7.14-1 REV. 21, APRIL 2007
PBAPS UFSAR 7.15 HEALTH PHYSICS AND LABORATORY ANALYSIS RADIATION MONITORS Portable radiation survey instruments are available for the measurement of alpha, beta, gamma, and neutron radiation expected during normal operation, and in emergencies. Personal monitoring devices are furnished to and worn by all personnel in those areas where required by 10CFR20. Counters are located at exits from potentially contaminated areas.
Laboratory instruments are provided for measuring alpha, beta, and gamma radiation, and for the analysis of radioactive gaseous, liquid, and solid samples.
CHAPTER 07 7.15-1 REV. 21, APRIL 2007
PBAPS UFSAR 7.16 PROCESS COMPUTER SYSTEM 7.16.1 Power Generation Objective The power generation objectives of the process computer system (PMS) are to provide a quick and accurate determination of core thermal performance; to improve data reduction, accounting, and logging functions; and to supplement procedural requirements for control rod manipulation.
7.16.2 Power Generation Design Basis
- 1. The PMS is designed to periodically determine the three dimensional power density distribution for the reactor core and to provide printed logs which permit accurate assessment of core thermal performance.
- 2. The PMS provides continuous monitoring of the core operating level and appropriate alarms based on established core operating limits to aid the operator in assuring that the core is operating within acceptable limits at all times.
- 3. The PMS provides inputs to the rod block circuitry to supplement and aid in the enforcement of procedural restrictions on control rod manipulation, so that rod worth is limited to the values assumed in the plant safety analyses.
- 4. The PMS provides the Safety Parameter Display System, and the information needed by both the Technical Support Center, and the Emergency Operations Facility.
- 5. The PMS provides information to support Post Trip Reviews.
7.16.3 Description 7.16.3.1 Computer System Components 7.16.3.1.1 Central Processor The PMS computer system consists of two Central Processing Units (CPUs) per unit. For Unit 2, both computers provide data acquisition and processing functions. Both computers provide peripheral interface to ensure data availability in the event of a component failure. For Unit 3, one CPU is referred to as the CHAPTER 07 7.16-1 REV. 28, APRIL 2021
PBAPS UFSAR Primary Computer; the other as the Backup Computer. The Primary Computer is responsible for data acquisition and processing for the PMS. The Backup Computer provides the redundancy needed to achieve the high availability time required. In the event of a failure of the Primary Computer, the Backup Computer becomes the new Primary Computer within an appropriate time to meet availability goals. In the event any programs are executing on the Backup Computer at the time of a failover, noncritical tasks are automatically aborted so that the Backup Computer can assume the dedicated role as the new Primary Computer. Overall system design provides for redundancy of key critical functions to minimize single points of failure.
The computer also consists of peripheral devices for loading and storing information. The computer consists of high capacity disk drives and other magnetic and optical storage peripherals.
The RWM is provided on dual redundant processors, also in a primary/backup configuration.
7.16.3.1.2 Deleted 7.16.3.1.3 Deleted 7.16.3.1.4 Process Input/Output Subsystem Data Acquisition Hardware consists of remote multiplexers located in the Cable Spreading Room and Computer room. The Unit 2 system includes network switches in the Administration Building and Main Control Room. Redundant communications links to each multiplexer have been provided to ensure that accurate and reliable field information is provided.
Should the primary system detect communication problems with a multiplexer, and if the problems are not present on the backup system, a fail over to the backup computer will occur thus maintaining reliable field input processing.
Process input from the Power Range Neutron Monitoring System (PRNMS) is obtained via a dedicated interface using fiber optics technology.
7.16.3.1.5 Operator Console The operator interface to the computer is through color graphic video monitors. The monitors are integrated with plant communication stations into consoles located in the main control CHAPTER 07 7.16-2 REV. 28, APRIL 2021
PBAPS UFSAR room, providing a coordinated workstation. Digital displays and printers for hard copy are also available to the operator.
7.16.3.1.6 Programming and Maintenance Console The programming and maintenance console is provided to permit necessary control of the system for trouble shooting and maintenance functions. This console is located in the computer equipment room fourth floor Administration building. For hardware maintenance in the cable spreading room, a terminal is provided in the plant computer room.
7.16.3.2 Reactor Core Performance Function 7.16.3.2.1 Power Distribution Evaluation The local power density of every 6-in segment for every fuel assembly is calculated, using plant inputs of pressure, temperature, flow, LPRM levels (optional), control rod positions, and the calculated fuel exposure. Total core thermal power is calculated from a reactor heat balance. Iterative computational methods are used to establish a compatible relationship between the core coolant flow and core power distribution. The results are subsequently interpreted as local power at specified axial segments for each fuel bundle in the core.
After calculating the power distribution within the core, the computer uses appropriate reactor operating limit criteria to determine thermal limits. Alarms are generated to aid the operator in assuring that the core is operating within acceptable limit at all times.
The core evaluation analytical sequence is completed periodically and on demand. Subsequent to executing the program the computer prints a periodic log for record purposes.
7.16.3.2.2 Fast Core Monitoring This section is no longer applicable. LPRMs and APRMs are effectively monitored on a fifteen second bases for core evaluation purposes.
7.16.3.2.3 Local Power Range Monitor Calibration Flux level and position data from the TIP equipment are read into the computer. The computer evaluates the data and determines gain adjustment factors by which the LPRM amplifier gains can be CHAPTER 07 7.16-3 REV. 28, APRIL 2021
PBAPS UFSAR altered to compensate for exposure-induced sensitivity loss. The LPRM amplifier gains are not to be physically altered except immediately prior to a whole core calibration using TIP data. The gain adjustment factor computations help to indicate to the operator when such a calibration procedure is necessary. An LPRM calibration can be performed properly, even if the data is unavailable from some of TIP locations (up to 1/3 of the total).
7.16.3.2.4 Fuel Exposure Using the power distribution data, a distribution of fuel exposure increments from the time of a previous power distribution calculation is determined and is used to update the distribution of cumulative fuel exposure. Each fuel bundle is identified by batch and location, and its exposure is stored for each of the axial segments used in the power distribution calculation. These data are printed out on demand by the operator.
7.16.3.3 Rod Worth Minimizer Function The RWM function assists and supplements the operator with an effective backup control rod monitoring routine that enforces adherence to established startup, shutdown, and low power level control rod procedures. The computer prevents the operator from establishing control rod patterns that are not consistent with prestored RWM sequences by initiating appropriate rod withdrawal block, and rod insert block interlock signals to the reactor manual control system's rod block circuitry (Figure 7.16.1). The RWM sequences stored in the computer memory are based on control rod withdrawal procedures designed to limit (and thereby minimize) individual control rod worths to acceptable levels as determined by the design basis rod drop accident.
The RWM function does not interfere with normal reactor operation, and in the event of a failure, does not itself cause rod patterns to be established which would violate the above objective. The RWM function may be bypassed and its rod block function disabled only by specific procedural control initiated by the operator.
7.16.3.3.1 Rod Worth Minimizer Inputs The following are the essential operator and sensor inputs utilized by the RWM:
- 1. Sequence CHAPTER 07 7.16-4 REV. 28, APRIL 2021
PBAPS UFSAR The operator can select sequences to be enforced by the computer. The operator is permitted to perform the selection only when the RWM is in the inoperable state.
- 2. Rod Test By selecting this input option, the operator is permitted to withdraw and re-insert any single control rod in the core while all other control rods are maintained in the fully inserted position.
- 3. Bypass Mode A key lock switch is provided to permit the operator to apply permissives to RWM rod block functions at any time during plant operation.
- 4. System Initialize/Reset This input is initiated by the operator to start or restart the RWM programs and system at any time during plant operation.
- 5. Substituted Position Values The operator can input a substitute position for a control rod which the RPIS does not have a valid value.
- 6. Control Rod Selected The RWM recognizes the binary coded identification of the control rod selected by the operator.
- 7. Control Rod Position The RWM recognizes the binary coded identification of the control rod position.
- 8. Control Rod Drive Selected and Driving The RWM utilizes this input as a logic diagnostic verification of the integrity of the rod input data.
- 9. Control Rod Drift The RWM recognizes a position change of any control rod using the control rod drift indication. This information is used CHAPTER 07 7.16-5 REV. 28, APRIL 2021
PBAPS UFSAR to evaluate permissible withdrawal or insertion of subsequently selected rods.
- 10. Reactor Power Level Feedwater flow and steam flow signals are used to implement two digital inputs to permit program control of the RWM function. These two inputs, the low power set point and the low power alarm set point, may be used to disable the RWM blocking function at power levels above the intended service range of the RWM function.
- 11. Permissive Echoes Rod withdraw, and rod insert permissive echo inputs are utilized by the RWM as a verification "echo" feedback to the system hardware to assure proper response of an RWM output.
- 12. Diagnostic Inputs The RWM utilizes selected diagnostic inputs to verify the integrity and performance of the processor.
- 13. Deleted 7.16.3.3.2 Rod Worth Minimizer Outputs The RWM provides isolated contacts to plant instrumentation as follows:
- 1. Blocks The RWM is interlocked with the reactor manual control system to permit or inhibit withdrawal, or insertion of a control rod. These actions do not affect any normal instrumentation displays associated with the selection of a control rod (Figure 7.16.1).
- 2. Scan Mode This RWM output is used to synchronize acquisition of control rod position data during the scan mode.
The RWM also provides control rod position information to the main computer.
7.16.3.3.3 Rod Worth Minimizer Indications CHAPTER 07 7.16-6 REV. 28, APRIL 2021
PBAPS UFSAR The RWM display monitor and panel provides RWM system and process information. The following is some of the information available:
- 1. Insert Error Control rod coordinate identification for up to two insert errors.
- 2. Withdrawal Error Control rod coordinate identification for one withdrawal error.
- 3. Rod Group Identification of the RWM sequence group number currently latched by the computer.
- 4. Rod Worth Minimizer Bypass Indication that the RWM is manually bypassed (key position).
- 5. Select Error Indication of a control rod selection error.
- 6. Blocks Indication that a withdrawal block or insertion block is in effect for all control rods.
7.16.3.4 Monitor, Alarm, and Logging Functions 7.16.3.4.1 Analog Monitor and Alarm General The system is capable of checking each analog input variable against principally two types of limits for alarming purposes: (1) process alarm limits as determined by the computer during computation or as pre-programmed at some fixed value, and (2) a CHAPTER 07 7.16-7 REV. 28, APRIL 2021
PBAPS UFSAR reasonableness limit of the analog input signal level as programmed.
The alarming sequence consists of a audible tone, and a video message for the variables exceeding process alarm limits. For Unit 2, Acknowledgement is required for all alarms. For Unit 3, Acknowledgement is required for those alarms categorized as major.
The system provides the capability to alarm the main control room annunciator system in the event of abnormal PMS operation. The abnormal condition for alarm is PMS computer trouble.
Event Recall Logging The system measures and stores the values of selected analog variables at 100 msec (Unit 2) and 10 second (Unit 3) intervals to provide a history of pre- and post-event data. The data is available for display on all Control Room and Computer Room workstations as well as in the Technical Support Center (TSC) and the Emergency Offsite Facility (EOF). Event logging occurs when a predetermined set of data indicate that an event is occurring-Trend Logging For Unit 2, historical and real-time data is trend-able at all workstations. Easily configurable screens for data trending are provided that allows the operator to set up new trends or groups of trends. For Unit 3, a digital trend capability is provided for logging the values of operator-selected analog inputs and calculated variables. The periodicity of the log is limited to a nominal selection of intervals, which can be adjusted as desired by program control.
7.16.3.4.2 Digital Monitor and Alarm Sequence Annunciator Recording Selected digital inputs are monitored for high resolution detection of contact status changes. Changes detected are sequentially differentiated and logged in the Sequence of Events (SOE) log. The log includes point description and time of occurrence. For Unit 2, the time resolution is accurate to within 1 msec of the occurrence. The log is available for display by the operator. For Unit 3, the time resolution is accurate to a tenth of a second relative to the computer clock.
CHAPTER 07 7.16-8 REV. 28, APRIL 2021
PBAPS UFSAR Alarm Status Indication For Unit 2, an alarm status indication for both major and minor alarms is shown on the alarm display.
Acknowledged alarms are differentiated from alarms that have not been acknowledged. For Unit 3, the status alarm function scans digital inputs once each second and provides a record of system alarms. The record includes point description and time of occurrence.
7.16.3.4.3 Alarm Logging The alarm log is generated by the PMS computer. This is a chronological listing of computer system malfunctions, system operation exceeding acceptable limits, and potentially unreasonable, off-normal, or failed input sensors.
7.16.4 Power Generation Evaluation Should the RWM program be inoperative for any reason, the reactor operator can maintain acceptable rod worth by simply adhering to prescribed control rod patterns and sequences.
7.16.5 Inspection and Testing The PMS performs diagnostic checks to determine the operability of certain portions of the system hardware, and it performs internal programming checks to verify that input signals and selected program computations are either within specific limits or within reasonable bounds.
CHAPTER 07 7.16-9 REV. 28, APRIL 2021
PBAPS UFSAR Table 17.6.1 DELETED CHAPTER 07 7.16-10 REV. 28, APRIL 2021
PBAPS UFSAR TABLE 7.16.2 INSTRUMENTATION OUTPUT
SUMMARY
SIGNAL OUTPUT DESCRIPTION Latching TIP Scan TIP Core Top Enable RPIS Scan Mode Enable RPIS Next Rod Enable RWM Sequence Select RWM Shutdown Margin Select RWM Select Error RWM Low Power RWM Insert Error 1 Display (X. Y. location)
RWM Insert Error 2 Display (X. Y. location)
RWM Withdraw Error 1 Display (X. Y. location)
RWM Sequence Group Display (group no.)
RWM Insert Block RWM Select Withdraw Block RWM Program Operating Non-Latching Stall Error Detection Parity Error Detection CHAPTER 07 7.16-11 REV. 23, APRIL 2011
PBAPS UFSAR 7.17 NUCLEAR SYSTEM STABILITY ANALYSIS 7.17.1 Safety Objective The safety objective of the nuclear system stability analysis is to demonstrate that in the event of small disturbances, the reactor will always return to its normal operating state without compromising the integrity of the fuel or nuclear system process barrier.
7.17.2 Safety Design Basis To ensure that radioactive material barriers are not in danger of compromise, the nuclear system exhibits no inherent tendency toward divergent or limit cycle oscillations for most normal operating conditions. If divergent or limit cycle oscillations occur as a result of off-normal operating conditions, such oscillations will be automatically detected by the Oscillation Power Range Monitor (OPRM) system which will provide a reactor scram prior to exceeding the MCPR Safety Limit.
7.17.3 Power Generation Design Basis To facilitate normal maneuvering and control, the nuclear system exhibits at least a specified minimum calculated amount of damping of its responses over all normally expected operating conditions.
7.17.4 Description and Performance Analysis A BWR plant consists of many interacting dynamic processes and associated control systems. A dynamic process may be defined as one in which the inter-related variables are time varying, e.g.,
the boiling of water in the reactor core. The process may be self-regulating in that it exhibits a negative feedback effect.
In a BWR, when a control rod is withdrawn, core power increases due to the reactivity insertion. This causes increased boiling.
The increased boiling increases the steam volume in the core resulting in decreased neutron moderation. This is equivalent to removing reactivity and tends to counteract the reactivity addition of the withdrawn control rod. Thus, a rise in core power is limited by the negative feedback effect of the increased steam volume. This inherent negative feedback effect present in BWR's serves as a self-regulating mechanism upon core dynamics. A secondary inherent negative feedback effect, Doppler reactivity, also occurs as the fuel temperature varies with power. Whenever there is a negative feedback in a system, whether it be inherently self-regulated in the process or added CHAPTER 07 7.17-1 REV. 26, APRIL 2017
PBAPS UFSAR to the process by a control system, the stability characteristics must be considered. There are many definitions of stability, but for feedback processes and control systems, the following definitions may be used: a system is stable if, following a disturbance, the transient settles to a steady, non-cyclic state. A system may also be acceptably safe even if oscillatory, provided the limit cycle of the oscillations is less than a prescribed magnitude. Instability, then, is a continuous departure from a final steady-state value, or it may be a greater-than-prescribed limit cycle about the final steady-state value.
The mechanism for instability can be explained in terms of frequency response. Consider a sinusoidal input to a feedback control system which for the moment has the feedback disconnected.
If there were no time lags or delays between input and output, the output will be in phase with the input. Connecting the output so as to subtract from the input (negative feedback or 180 out-of-phase connection) would result in stable closed loop operation.
However, natural laws would cause phase shift between output and input and should the phase shift reach 180, the feedback signal would be reinforcing the input signal rather than subtracting from it. If the feedback signal were equal to or larger than the input signal (loop gain equal to one or greater), the input signal could be disconnected and the system would continue to oscillate. If the feedback signal were less than one (loop gain less than one),
the oscillations would die out.
It is possible for an unstable process to be stabilized by the addition of a control system. In general, however, it is preferable that a process with inherent feedback be designed to be stable by itself before it is combined with other processes and control systems. The design of the BWR is based on this premise, that individual system components are stable.
Three types of stability are considered in the design of BWR's:
(1) reactor core (reactivity) stability, (2) channel hydrodynamic stability, and (3) total system stability. A stable system is analytically demonstrated if no inherent limit cycle or divergent oscillation develops within the system as a result of calculated step disturbances of any critical variable, such as steam flow, pressure, neutron flux, or recirculation flow. The criteria for evaluating reactor dynamic performance and stability are stated in terms of two compatible parameters. First is the decay ratio, x2/x0, which is the ratio of the magnitude of the second overshoot resulting from a step perturbation. A plot of the decay ratio is a graphic representation of the physical responsiveness of the CHAPTER 07 7.17-2 REV. 26, APRIL 2017
PBAPS UFSAR system which is readily evaluated in a time-domain analysis.
There is a direct relationship between the decay ratio and the damping coefficient for any dominant response as shown in Figure 7.17.1. Second is the damping coefficient, n the definition of which corresponds to the dominant pole pair closest to the imaginary axis in the s-plane for the system closed-loop transfer function. As n decreases, the closed-loop roots approach the imaginary axis and the response becomes increasingly oscillatory.
This parameter also applies to the frequency-domain interpretation. Limits for the decay ratio provided in reference 1.
References 2 and 3, provide the details of the models and also a significant base of experimental confirmation which verifies the suitability of the analytical models used.
While the design is shown to be inherently stable, the OPRM Upscale Function provides compliance with GDC 12 by providing a hardware system that detects and acts to suppress thermal-hydraulic instabilities, thereby providing protection against exceeding the MCPR Safety Limit due to thermal-hydraulic power oscillations. The OPRM Upscale Function is described in References 4 through 8. In the event the OPRM system is declared inoperable, the plant can continue to operate under the BWROG guidelines for Backup stability Protection as described in Reference 9.
7.17.5 Operational Verification of Nuclear System Stability The stability of the nuclear system was verified during startup testing by introducing the same near-step perturbations which were used during the analytical simulation. Compliance with the ultimate performance limit was demonstrated at selected responsive plant conditions by the absence of divergent or limit cycle oscillations, excluding those minor limit cycles which can be induced by controller deadband characteristics.
7.17.6 Conclusion Analysis of the stability of the nuclear system demonstrates that the system can be operated safely, within the operating conditions defined in reference 4, without danger of compromising any radioactive material barriers because of instability. A detailed treatment of the stability and dynamic performance of the BWR can be found in references 2 and 3.
CHAPTER 07 7.17-3 REV. 26, APRIL 2017
PBAPS UFSAR 7.17 NUCLEAR SYSTEM STABILITY ANALYSIS REFERENCES
- 1. "General Electric Standard Application for Reactor Fuel,"
including the United States Supplement, NEDE 24011-P-A and NEDE-24011-P-A-US, (latest approved revision).
- 2. "Stability and Dynamic Performance of the General Electric Boiling Water Reactor," NEDO-21506, January 1977.
- 3. "Compliance of the General Electric Boiling Water Reactor Fuel Designs to Stability Licensing Criteria," NEDE-22277-P-1, December 1982.
- 4. NRC Generic Letter 94-02, "Long Term Solutions and Upgrade of Interim Operating Recommendations for Thermal Hydraulic Instabilities in Boiling Water Reactors," July 11, 1994.
- 5. NEDO-31960-A and NEDO-31960-A, Supplement 1, BWR Owners Group Long-Term Stability Licensing Methodology, November 1995.
- 6. GE Nuclear Energy, "Reactor Stability Detect and Suppress Solutions Licensing Basis Methodology for Reload Applications," NEDO-32465-A, August 1996.
- 7. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.
- 8. NEDC-32140P-A, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC-PRNM)
Retrofit Plus Option III Stability Trip Function, November 1997.
- 9. GE Nuclear Energy, Backup Stability Protection (BSP) for Inoperable Option III Solutions, OG 02-0119-260, July 17, 2002.
CHAPTER 07 7.17-4 REV. 26, APRIL 2017
PBAPS UFSAR 7.18 SEPARATE SHUTDOWN CONTROL PANELS 7.18.1 Power Generation Objective The objective of the Remote Shutdown System (for each unit) is to provide the capability to shut down the reactor and to maintain it in a safe shutdown condition from outside the main control room if access to the main control room is lost for events other than Fire Safe Shutdown Events described in the Fire Protection Program..
7.18.2 Power Generation Design Basis
- 1. The Remote Shutdown System for each unit provides the necessary controls and instrumentation to shut down the reactor and maintain it in a safe shutdown condition. The design is based on the following considerations:
- a. No total loss of off-site power exists at the time.
- b. No accident situation occurs.
- c. Access to the main control room is lost due to a toxic gas event, smoke event, or as a result of failure of one control panel.
- d. Safe shutdown is defined as MODE 3 (hot shutdown)
- 2. The remote shutdown panels are located in a seismic Class I structure.
- 3. Nothing in the design of the separate shutdown control panels or the station precludes taking both units to the cold shutdown condition.
7.18.3 Description 7.18.3.1 Control Panels The control panels contain, where appropriate, transfer switches which avoid interaction with any damaged equipment in the control room. Each unit is controlled from two adjacent panels. These panels are powered from the emergency buses. The panels provide control of the emergency service water system pump, the RCIC system supply valves from the condensate storage tank and the suppression pool and RHR pump shutdown cooling mode suction CHAPTER 07 7.18-1 REV. 26, APRIL 2017
PBAPS UFSAR valves. The panels also provide reactor containment, switchgear and RCIC system instrumentation. Although not required for this licensing basis event, the RSS also provides indication and controls for Emergency Service Water (ESW), 4 KV Breaker controls, and Control Rod Drive pumps. In addition, controls are provided to support placing shutdown cooling in service which is considered beyond the licensing basis of this event..
7.18.3.2 Operation 7.18.3.2.1 Reactor Shutdown Prior to leaving the control room, operators attempt to scram both reactors, close the Main Steam Isolation Valves (MSIVs),
and start suppression pool cooling on both units. In the event that these actions cannot be performed, the reactors can be scrammed and the MSIVs can be closed from outside of the control room by opening the AC supply breakers for the Reactor Protection Systems (RPS). De-energizing the RPS systems results in reactor trips and main steam line isolations.
7.18.3.2.2 Reactor Level Control The Remote Shutdown System (RSS) for each unit is designed to provide the ability to control reactor vessel water level. This is primarily accomplished by the use of RCIC. The remote shutdown panel contains reactor vessel level indication and the necessary controls for the operation of RCIC. In the event that RCIC does not auto-start, it can be manually started from the panel. HPCI automatic operation may occur, but RCIC is credited for reactor water level control.
Although not required for the RSS function, Control Rod Drive pumps can be started from the RSS panel to protect the control rod drive seals from overheating and to assist the RCIC system in controlling reactor vessel level.
7.18.3.2.3 Reactor Pressure Control Main steam Safety Relief Valves (SRVs) E, H and L can be manually operated from the RSS to maintain pressure below the automatic relief setpoint. SRV position indication is provided.
Automatic operation of the SRVs occurs as a result of closure of the MSIVs.
7.18.3.2.4 Heat Removal CHAPTER 07 7.18-2 REV. 26, APRIL 2017
PBAPS UFSAR Decay heat is transferred from the reactor vessel to the suppression pool via the SRVs and RCIC operation. RSS and plant design allow for this operation to continue for one hour prior to the initiation of suppression pool cooling. If operation from the control room cannot be resumed within one hour, or if the controls for the shutdown cooling suction valves (RHR panel) in the control room are damaged, shutdown cooling suction valves can be initiated by the RSS. In addition, equipment installed to meet Appendix R requirements for post-fire safe shutdown, as described in the PBAPS Fire Protection Plan, can be used to establish suppression pool cooling. The above heat removal process can maintain the reactor in hot shutdown or be used as directed in emergency operating procedures to bring the plant to a cold shutdown condition.
7.18.3.2.5 Instrumentation and Controls In addition to the instrumentation and controls previously described, the RSS contains other instruments and controls that, although not required, provide assistance to the operator. This includes 4kV breaker indication (no loss of offsite power is assumed), ESW status and control (ESW is not required for RCIC room cooling), CST level, containment and reactor parameters.
Security Related Information Withheld under 10 CFR 2.390 7.18.4 Inspection and Testing The instrumentation of the separate shutdown control panels can be tested during plant operations.
CHAPTER 07 7.18-3 REV. 26, APRIL 2017
PBAPS UFSAR 7.19 CLASS 1E EQUIPMENT ENVIRONMENTAL QUALIFICATION The environmental qualification of Class 1E equipment has been reviewed against the NRC Division of Operating Reactors' "Guidelines for Evaluating Environmental Qualification of Class 1E Electrical Equipment in Operating Reactors" which was an enclosure to IE Bulletin 79-01B, dated January 14, 1980.
The environmental qualification central file contains summary information in the form of Equipment Qualification review records and backup documentation, which supports the conclusion that the safety system Class 1E equipment required to operate during the postulated accident, is adequately qualified for service. The environmental qualification files are subdivided by equipment type. Each package contains a type of Class 1E equipment associated with various safety systems and a summary of the environmental qualification parameters for the equipment. The Master List/CRL contains the equipment component number and the location for each device. The Master List provides a description of the equipment, the name of the associated system, the equipment component number, the manufacturer, the model number, and the design function of the qualified item. The environment for which the equipment must be qualified is listed in the controlled specification titled "Environmental Service Conditions for PBAPS" and referenced in the EQ packages. The environmental parameters for which the device is qualified are listed on the summary EQRRs (Equipment Qualification Review Record) in the EQ package. The qualification method for each of the environmental parameters is also indicated in the EQ package.
7.19.1 Effects of Loss of Air Conditioning and Ventila-tion on Control Room and Equipment Room Equipment The criteria governing the design of the air conditioning and ventilation systems for the control room and other safety-related equipment rooms require that required safety-related functions be maintained in the event of any active component failure or loss of off-site power. All cooling and ventilation systems for these rooms are installed in seismic Class I structures. They are provided with 100 percent redundancy except for the CSCS pump rooms which are provided with one operational unit cooler and one installed spare. The fan unit for the 3C RHR Component Room Cooler 3CE058 is installed spare, without a dedicated power source. The control room chiller and air conditioning supply and return fans do not run during loss of off-site power. The control room ventilation fans and safety-related equipment room coolers are capable of being supplied by the standby ac power system in CHAPTER 07 7.19-1 REV. 28, APRIL 2021
PBAPS UFSAR the event of loss of off-site power. The control room ventilation system, without refrigerated cooling, and the cooling systems for the other safety-related equipment rooms are designed to limit maximum space temperatures to the following values, based upon design outside ambient temperatures of 95F dry bulb for the control room, switchgear, battery room, and standby diesel-generator rooms and heat rejection to spaces for operating equipment in safety-related CSCS rooms.
Room Max. Normal Temp.
Control room 114F (without air condi-tioning-ventila-tion only)
Battery rooms 120.6F Emergency switchgear rooms 128.8F CSCS rooms 115F Standby diesel-generator rooms 105F (without EDG running)
ESW/HPSW Compartment All equipment located in these rooms is rated for operation at these temperatures or higher.
For the core spray and RHR pump rooms, loss of ventilation in one room as a result of single active failure could result in loss of function for ECCS equipment in that room. However, sufficient redundancy exists in the core spray and RHR components to ensure accomplishing the required core standby cooling system functions.
Allowable post-LOCA temperatures have been established for the HPCI and RCIC pump components such that operation of room coolers in these compartments is not required to support operability of the HPCI and RCIC systems.
An analysis has determined that the RHR subsystems can still perform their design function even if emergency service water /
service water is not available to the RHR fan-coil units during shutdown conditions (Modes 4 and 5) with RHR suction temperature less than 105°F. For this condition, it was determined that although the RHR functions would be maintained, local temperatures in the RHR pump rooms could rise to 176.6°F at worst-case water temperature and operating conditions.
For the standby diesel-generator rooms, loss of ventilation in one room as a result of a single active failure could result in loss of the function of the associated diesel generator due to insufficient cooling. However, the total number of standby diesel CHAPTER 07 7.19-2 REV. 28, APRIL 2021
PBAPS UFSAR generator units is such that sufficient power is available to provide for the functioning of required engineered safeguard systems for one reactor unit and the shutting down of the other unit, assuming failure of one standby diesel generator and loss of all off site power sources (Reference 8.5.2.3). Furthermore, the diesel generator room ventilation is powered from the diesels during the loss of offsite power (Reference 10.14.3.2).
If all control room normal ventilation and air conditioning were lost, the control room operator would initiate an emergency shutdown of non-essential equipment and lighting to reduce the heat generation to a minimum. Heat removal would be accomplished by conduction through the floors, ceilings, and walls to adjacent rooms and to the environment.
The equilibrium condition for temperature and humidity in the control room following the loss of all air conditioning and normal ventilation would be a maximum of 114F, 27 percent relative humidity. The equilibrium temperature of 114F could be achieved during ambient conditions of 95F, 50 percent relative humidity.
The equilibrium temperature for the diesel generator rooms with the diesel generator and associated ventilation operation is 107F at an outside air temperature of 95F. The design maximum diesel generator room temperature is limited by the qualified maximum diesel generator combustion air temperature of 110F for the 3101KW to 3250 KW rating range. Below the 3101KW rating range the qualified maximum diesel generator room temperature is 122F.
All control board instrumentation is specified to be operable at or better than 114F and 50 percent relative humidity. Therefore, the temperature within the control room will not increase to a point that will require reactor shutdown. All instrumentation was functionally tested after installation and prior to plant startup to confirm satisfactory operability of control and electrical equipment under normal environmental conditions. The extreme of environmental conditions is less than the design requirement of the instrumentation. Operation below this design value is always expected so that additional testing is not warranted.
The maximum equilibrium temperatures in the emergency switchgear and battery rooms following a design basis accident with a loss of instrument air are 128.8F and 120.6F, respectively. This assumes a maximum outside air temperature of 95F db and the ESBR HVAC system enters a recirculation mode for switchgear room air.
CHAPTER 07 7.19-3 REV. 28, APRIL 2021
PBAPS UFSAR Design analysis has determined that all safety-related equipment in the switchgear and battery rooms are acceptable for operation at these maximum ambient room temperatures.
The maximum equilibrium temperature in the ESW/HPSW Compartments following a design basis event is 128F. This assumes a maximum outside air temperature of 95F (dry bulb) and the pump structure ventilation system in operation. An evaluation has determined that all safety-related equipment in the ESW/HPSW compartments are acceptable for operation at this maximum ambient compartment temperature.
Since two sets of 100 percent capacity redundant supply and exhaust fans are installed for each system and since maximum room temperatures are lower than the design maximum equipment temperatures, forced shutdown of the reactor due to high temperature in the control room, battery room, and emergency switchgear room, and ESW/HPSW compartment is not anticipated.
Similarly, proper component maintenance and surveillance testing ensures reliable operation of ventilation equipment in the CSCS rooms. Exceeding maximum room temperatures for equipment would be the basis for considering the affected equipment inoperable.
Reactor shutdown requirements will be in accordance with Technical Specifications for equipment operability.
7.19.2 Seismic Qualification 7.19.2.1 General The RPS, engineered safety feature instrumentation systems, and the emergency power system are designed to perform their required functions during and following a design earthquake and maximum credible earthquake of 0.05g and 0.12g horizontal.
7.19.2.2 Nuclear Steam Supply System - GE-Supplied Equipment Seismic qualification of GE-supplied equipment has been performed as follows.
Design Criteria states that all engineered safety features instrumentation shall be capable of performing their respective essential functions while being subjected to a peak horizontal acceleration of 1.5g and a peak vertical acceleration of 0.5g over the frequency range of 5 Hz to 30 Hz at the point of attachment to the building structure.
CHAPTER 07 7.19-4 REV. 28, APRIL 2021
PBAPS UFSAR This capability has been demonstrated by vibration testing of representative complete assemblies. Results of separate tests of representative components, panels, or racks have been combined analytically to fully take into account the transmissibility or amplification of the floor accelerations by the panel or rack structures.
The vibration testing was accomplished by securing the equipment being tested to a mounting bracket on the testing machine which was sufficiently rigid to ensure that the motion of the testing machine would be effectively transmitted to the equipment being tested at all test frequencies. Tests were repeated for each of the three rectilinear axes of the equipment, and operational verification of essential functions during vibration was obtained.
Acceptability was based upon the ability of the equipment to withstand the specified vibration without mechanical failure and the ability to perform its essential functions during and after vibration testing. The equipment supplier has been required to submit a test report to show compliance with the seismic qualifications outlined above.
Seismic test data showing a device to have a tolerance less than the maximum values specified has been reviewed and exceptions made on the basis of ability to tolerate the actual acceleration imposed by design basis conditions as located and applied (taking into account building amplification of the maximum credible earthquake ground accelerations) without failure to perform its essential function when called upon to do so.
7.19.2.3 Non-Nuclear Steam Supply System Equipment - Bechtel-Supplied Equipment Seismic qualification of non-nuclear steam supply system, Bechtel-supplied equipment has been performed as follows.
Qualification of the equipment for its particular acceleration was ascertained by either analytical techniques or vibration testing techniques. A seismic specification covering design criteria is stated in the purchase requisition or specification, or attachments thereto. Vendor certification for compliance to the specification requirements assures conformance to the design criteria.
CHAPTER 07 7.19-5 REV. 28, APRIL 2021
PBAPS UFSAR 7.20 Accident Monitoring 7.20.1 Safety Objective The safety objective of the accident monitoring instrumentation is to provide appropriate wide range information for remote monitoring of post-accident conditions within the primary containment for the full spectrum of postulated accidents.
7.20.2 Safety Design Basis The accident monitoring instrumentation provides the operator in the control room with the information required to make specified manual control actions, to monitor the results of these actions, and to verify adequate core cooling and containment integrity.
7.20.3 Power Generation Design Bases The accident monitoring instruments that are also used for power generation are designed so that all the expected power operation actions and maneuvers can be reasonably accomplished by the reactor operator.
7.20.4 Description The following instrumentation provides the operator with information for monitoring primary containment conditions after a postulated accident. Refer to Table 7.20.1 for Regulatory Guide 1.97, Category 1 instruments and ranges.
7.20.4.1 Reactor Water Level Two post-accident reactor water level recorders are located in the control room. Each recorder has two channels, one for wide range reactor water level and one for fuel zone reactor water level.
These overlapping ranges provide level information from the bottom of the active fuel through normal water level.
Each recorder and its associated instrumentation is assigned to a separate safeguard power electrical division to ensure that a single failure will not disable both recorders. These reactor level indications are derived from differential pressure transmitters having separate condensing chamber type reference legs and pressure compensation instruments.
Other reactor water level indications are detailed in subsection 7.8.
CHAPTER 07 7.20-1 REV. 25, APRIL 2015
PBAPS UFSAR 7.20.4.2 Reactor Pressure Two post-accident Reactor pressure recorders are located in the main control room. Each recorder and its associated instrumentation are assigned to two independent safeguard power electrical divisions. This is to ensure that reactor pressure indication is available in the event that a single failure disables one of the recorders. Additional reactor pressure indication is available in the main control room for use during normal operations. See subsection 7.8.5.4 for details of this instrumentation.
7.20.4.3 Containment Pressure The primary containment pressure is monitored by two electronic pressure transmitters (0 to 70 psig) located external to the containment in the reactor building and transmitting to two separate recorders located in the main control room.
Two post-accident, drywell pressure recorders have been provided in the control room to allow pressure measurement from 5 psia to in excess of four times design pressure of the drywell. This involves four instrument channels. Two channels are connected to pressure transmitters with the range 0 to 225 psig. Two channels are connected to absolute pressure transmitters with the range 5 to 25 psia. One channel of each range is connected to each of the recorders. Each recorder and its associated instrumentation is assigned to a separate safeguard power electrical division to ensure control room indication in the event of single failure.
7.20.4.4 Containment Temperature Twenty-six strategically placed temperature sensors monitor containment ambient temperatures. Twenty-five sensors are read out by a digital indicator in the main control room. The remaining sensor is monitored by a recorder in the control room.
7.20.4.5 Containment Atmosphere Analysis Redundant containment monitoring systems are provided to monitor the containment for hydrogen and oxygen concentration during CAC operation and CAD operation, as discussed in paragraph 5.2.3.8 and 5.2.3.9.
In addition, a gaseous radiation monitoring system is included to monitor the radioactive content of containment atmosphere. This monitor may be operated in conjunction with the CAD/CAC analyzer CHAPTER 07 7.20-2 REV. 25, APRIL 2015
PBAPS UFSAR in either the CAD or CAC mode of operation. Subsection 4.10 contains details of this system.
Post-accident containment radiation levels are monitored by four instrument channels with a range of 1 to 108 R/hr. These radiation monitors drive two dual channel recorders located in the control room. Each recorder and the two associated channels are in a separate division and are powered from safeguard power. The purpose of the system is to provide information on the magnitude of radiation release to containment so that appropriate emergency actions can be implemented.
The Primary containment High Range Radiation Monitoring System installed at Peach Bottom Atomic Power Station meets the Regulatory Guide 1.97 requirement where containment radiation after an event be measured to within a factor of two. Under certain extreme conditions of high drywell temperature and low radiation levels, the accuracy requirement of Regulatory Guide 1.97 is not satisfied. Under high drywell temperature conditions, Insulation Resistance (IR) leakage current will cause a system error. The induced error decreases exponentially with drywell temperature and becomes insignificant below a drywell temperature of 230°F. This induced error is significant (not within a factor of two) only under low radiation conditions coincident with high drywell temperatures, whereas the system will operate to perform its principal function under normal and varying temperature conditions during and following an accident. EPRI Report TR-112582 "High Range Radiation Monitor Cable Study: Phase II" (May 2000) states the following: "A strong positive thermally induced current of relatively short duration (minutes) occurs in response to the steep temperature increase at the start of a thermal event such as a loss-of-coolant accident (LOCA). Such a positive transient will be over before an operator would need the high range radiation monitor system to analyze a DBE condition."
Grab samples can be taken from the post-accident sampling stations described below.
7.20.4.6 Coolant Sampling and Analysis The Post Accident Sampling System is shown on Drawing M-374 (Sheets 1 and 2).
PBAPS license amendment number 248 to Renewed Operating License Number DPR-44 and license amendment number 251 to Renewed Operating License Number DPR-56 approve the elimination of the requirement to have and maintain the Post Accident Sampling System CHAPTER 07 7.20-3 REV. 25, APRIL 2015
PBAPS UFSAR (PASS). The following items were committed to as part of the subject license amendments.
PBAPS has developed contingency plans for obtaining and analyzing highly radioactive samples of reactor coolant, suppression pool, and containment atmosphere. The contingency plans will be contained in the PBAPS chemistry procedures and implemented with the implementation of the license amendment. Establishment of contingency plans is considered a regulatory commitment.
The capability for classifying fuel damage events at the Alert level threshold will be established at a level of core damage associated with radioactivity levels of 300 micro-curies/gm dose equivalent iodine. This capability will be described in emergency plan and emergency plan implementing procedures and implemented with the implementation of the license amendment. The capability for classifying fuel damage events is considered a regulatory commitment.
PBAPS has established the capability to monitor radioactive Iodines that have been released offsite to the environs. This capability is described in emergency plans and emergency plan implementing procedures. The capability to monitor radioactive Iodines is considered a regulatory commitment.
The following information contained in the UFSAR regarding the regulatory requirements for post accident sampling is retained for historical purposes.
Security Related Information Withheld under 10 CFR 2.390 Sampling activities are controlled from the sample station control panels which are designed for sequential, manual operation. The control panels are located at a distance of at least 6 feet from the sample stations.
The sample stations may be powered from either a station auxiliary bus or an emergency bus so that sampling can be performed during a loss of off-site power. This design feature exists although the CHAPTER 07 7.20-4 REV. 25, APRIL 2015
PBAPS UFSAR heat sink, emergency service water (ESW), for the reactor building closed cooling water (RBCCW) system has been eliminated as a result of locking closed the ESW-RBCCW cross-tie valves.
Therefore, little, if any, cooling would be provided to the sample station during a loss of off-site power.
The onsite radiological and chemical laboratory facilities are equipped with gamma spectral analysis equipment to quantify the radionuclides present in gas and liquid samples. Shielded caves are provided for the radiation detectors to minimize the effect of background radiation. Initial dilutions are performed in the process of taking liquid samples at the sample stations. Any additional dilutions required will be performed in the laboratory fume hood behind a lead brick pile.
The onsite radiological and chemical laboratory facilities are equipped with gamma spectral analysis equipment to quantify the radionuclides present in gas and liquid samples. Shielded caves are provided for the radiation detectors to minimize the effect of background radiation. Initial dilutions are performed in the process of taking liquid samples at the sample stations. Any additional dilutions required will be performed in the laboratory fume hood behind a lead brick pile.
A procedure to assess the extent of core damage based on radionuclide concentrations and other parameters has been prepared.
The sampling and analysis provisions at Peach Bottom have been designed such that it will be possible to obtain and analyze a sample at any time without exceeding the radiation exposure limits of general design criteria 19 in Appendix A of 10CFR50.
7.20.4.7 Suppression Pool Water Temperature Suppression pool temperature is monitored by redundant suppression pool monitoring systems. Each monitoring system consists of thirteen (13) resistance temperature detectors (RTD) mounted in thermowells installed in the torus shell below the minimum water level, a processor/indicator/printer located in the control room, and a recorder located in the control room. The RTD inputs are averaged by the processor to provide a bulk average temperature.
Annunciation is provided for high temperature and signal/system failure. Each system is assigned to a separate safeguard power electrical division to ensure control room indication in the event of a single failure.
CHAPTER 07 7.20-5 REV. 25, APRIL 2015
PBAPS UFSAR 7.20.4.8 Suppression Pool Water Level Suppression pool water level is continuously monitored by two electronic transmitters located external to the suppression pool.
One transmitter is connected to a recorder and the other is connected to an indicator and a recorder in the main control room.
The range is sufficient to cover the addition of the reactor coolant system inventory to the suppression pool inventory, as well as any inventory contribution from the condensate storage tank prior to CSCS suction from the suppression pool. Each transmitter and its associated instrumentation is assigned to a separate safeguard power electrical division to ensure control room indication in the event of a single failure.
7.20.4.9 Safety/Relief Valve Position Indication A direct method of indicating the position of safety/relief and safety valves has been provided. The indication and alarm system is based on acoustic monitoring techniques. Each safety/relief and safety valve has its own instrumentation channel. Each channel consists of a sensor mounted inside the primary containment, a preamplifier mounted in the reactor building, an electronics module mounted in the cable spreading room in the accident monitoring panels, and indicating lights in the control room which indicate that the safety/relief or safety valve has opened. An indication has also been provided for each valve to show that a valve was open if it opened and then reclosed.
7.20.4.10 Vent Stack Wide Range and Main Stack Wide Range Noble Gas Monitors A wide range noble gas radiation monitor has been provided on each unit vent stack. The vent stack monitors are located in the Turbine Building Ventilation Equipment Area. The overall range of the wide range vent stack monitors is 1x10-7 Ci/cc to 1.0x105 Ci/cc. The radiation levels are displayed on a recorder in the control room. Power has been provided for the instrument channels from the standby AC power system.
A Wide Range Noble Gas Monitor (WRGM) has been provided for the main stack. The main stack monitoring skids are installed in a pre-engineered building located next to the main stack. The range of the main stack monitor is 1x10-7 Ci/cc to 1.0x105 Ci/cc. This range is sufficient to cover post-accident effluent releases. The display of radiation levels is facilitated by a subsystem comprised of a local microprocessor, an indicating unit, and a recorder located in the main control room. Also, the WRGM has CHAPTER 07 7.20-6 REV. 25, APRIL 2015
PBAPS UFSAR provisions for taking grab samples for laboratory analysis. The grab sampler can be controlled locally or from the main control room.
7.20.4.11 Primary Containment Isolation Valve Position Indication PCIV position is provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The PCIV position PAM instrumentation consists of position switches, associated wiring and control room indicating lamps for active PCIV's (check valves, manual valves and relief valves installed per GL 96-06 are not required to have position indication).
7.20.5 Safety Evaluation The accident monitoring instrumentation provides adequate information to enable the operator to monitor transient reactor plant behavior and to verify proper safety system performance following an accident. The performance of the accident monitoring system provides sufficient time for the operator to make reasoned judgments and take action when required.
7.20.6 Inspection and Testing Periodic testing is in accordance with Technical Specifications or the Technical Requirements Manual, as applicable.
CHAPTER 07 7.20-7 REV. 25, APRIL 2015
PBAPS UFSAR TABLE 7.20.1 REGULATORY GUIDE 1.97 CATEGORY 1 INSTRUMENTATION Type Indication Parameter Instrument and Range Reactor Water Level LR-2(3)-02-3-110A,B Recorder -165 to +60 inches (wide range)
Reactor Water Level LR-2(3)-02-3-110A,B Recorder -325 to +60 inches (fuel zone)
Reactor Pressure PR/LR-2(3)-02-3-404A Recorder 0 to 1500 psig PR/RR-2(3)-02-3-404B Drywell Pressure PR-8(9)102A,B Recorder 0 to 225 psig (wide range)
Drywell Pressure PR-8(9)102A,B Recorder 5 to 25 psia (subatmospheric range)
Suppression Chamber LR/TR-8(9)123A,B Recorder 30 to 310 degrees F Water Temperature TIS-2(3)-02-071A,B Indicator 30 to 310 degrees F CHAPTER 07 7.20-8 REV. 23, APRIL 2011
PBAPS UFSAR TABLE 7.20.1 REGULATORY GUIDE 1.97 CATEGORY 1 INSTRUMENTATION (Continued)
Type Indication Parameter Instrument and Range Suppression Chamber LR/TR(9)123A, B Recorder 1-21 ft.
Water Level (wide range) LI-8(9)123A,AX Indicator 1-21 ft.
Drywell High RR-8(9)103A,B Recorder Range Radiation 1-1E(+8) R/hr Monitors Primary Containment Valve Limit Switches Isolation Valve (for Direct Position Position Indication Indication)
Valve Control Circuit Open/Closed Lights (for Indirect Position Indication)
CHAPTER 07 7.20-9 REV. 23, APRIL 2011
PBAPS UFSAR 7.21 SEISMIC INSTRUMENTATION 7.21.1 Safety Design Objective The safety design objective of the seismic monitoring system is to provide the operator with timely information on the severity of an earthquake so that the operator can determine the effects of the earthquake on the operations of the plant.
7.21.2 Safety Design Basis
- 1. The seismic monitoring and recording system operates automatically to detect and record vibratory ground motion and the resulting vibratory responses of representative Category I structures.
- 2. The system is non-safety related and classified as seismic Category I.
7.21.3 Description Six triaxial accelerometers and recorders input to a seismic instrumentation panel located in the Cable Spreading Room.
The accelerometers are located at:
- 1. Unit 2, Reactor Building Sump Pump Room, Security Related Information Withheld under 1
- 2. Unit 2, Reactor Building, Security Related Information Withheld under 10 CFR 2.390
- 3. Unit 2, Reactor Building Refueling Floor, Security Related Information Withh
- 4. "C" Diesel-Generator Building, Security Related Information Withheld under 10 CFR 2.390
- 5. "C" Diesel-Generator Building Fan Room, Security Related Information Withheld under 10 CF
- 6. Free Field Sensor Security Related Information Withheld under 10 CFR 2.390 The seismic instrumentation panel is powered from a non-safeguard distribution panel that is fed from safeguard power.
CHAPTER 07 7.21-1 REV. 27, APRIL 2019
PBAPS UFSAR The seismic instruments have sufficient recording capacity and backup power supply to provide 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of recording.
Vibratory motion is sensed by the accelerometers, each of their signals is continuously recorded by a recorder and information sent to the Network Control Center (NCC). When the seismic trigger threshold is exceeded on the containment foundation or free field accelerometer, a permanent recording of the time-history response of all of these sensors is made. The recorder is programmed to record both pre-event and post-event data. The threshold level is adjustable from 0.005g to 0.02g. The accelerograph has sufficient capability to allow for resolution of signals between 0 and 50 Hz with a dynamic range of at least 100:1. A graph of the time-history response of any sensor can be obtained by using the dedicated computer to recall the data and display it or transfer to another computer.
If the free field sensor exceeds the pre-programmed response spectrum of the Peach Bottom site operating basis earthquake (OBE) and exceeds the Cumulative Absolute Velocity (CAV) criteria, then the NCC indicates the OBE has been exceeded. If the free-field sensor fails and the containment foundation sensor exceeds the pre-programmed response spectrum of the Peach Bottom site Operating Basis Earthquake (OBE), the NCC will also indicate the OBE has been exceeded. An alarm is provided if the OBE is exceeded. The response spectrum of any of the sensors can be obtained by using the dedicated computer to recall the data and display it or transfer to another computer.
The operator is aware of the status of the seismic monitoring instrumentation through alarms in the control room that indicate there has been a Seismic Monitoring System (SMS) Trouble, that the threshold trigger level has been exceeded, and that the operating basis earthquake has been exceeded.
This seismic monitoring system provides sufficient information to determine the status of both units at Peach Bottom, since the units are equivalent design.
7.21.4 Safety Evaluation The seismic monitoring instrumentation system is designed to provide the operator with timely information on the effects of an earthquake on the structures, systems, and components of the plant that are necessary for continued operation without undue risk to the health and safety of the public. If the Seismic system indicates that the OBE has been exceeded, or if significant plant damage has occurred, the plant is shutdown in CHAPTER 07 7.21-2 REV. 27, APRIL 2019
PBAPS UFSAR an orderly manner. The system meets the intent of Regulatory Guide 1.12, Rev. 2, Regulatory Guide 1.166 (March 1997)and Regulatory Guide 1.167 (March 1997).
7.21.5 Inspection and Testing Abnormal operation of any of the seismic monitoring components can be detected during plant operation with an "SMS Trouble" alarm through periodic testing of the equipment. The system is designed so that testing and repair can be scheduled to eliminate the need to take all the instrumentation out of service simultaneously.
Section 7.1.1 of the UFSAR was revised by EC 556261 to remove seismic monitoring from the list of safety related instrumentation. This is discussed on Page 31 of 698 of EC 556261.
The term "safety-related" is not defined in the UFSAR.
Therefore, the definition in 10CFR50.2 is used, which states an SSC is safety-related if it:
- 1. Maintains the integrity of the reactor coolant pressure boundary.
- 2. Assures the capability to shutdown the reactor and maintain it in a safe shutdown condition.
- 3. Assures the capability to prevent or mitigate accidents.
The seismic monitoring system does not perform any of these functions.
The question was raised as to why the seismic monitoring system description in the UFSAR states that the system has a safety design objective, a safety design basis, and a safety evaluation if the equipment is not safety-related. These terms were in the original FSAR, developed in the late 1960's. At that time, any plant equipment that was not related to generating electricity was considered to be for safety purposes and, in general, contains a description of the safety objective, safety basis and safety evaluation. These terms are defined in Section 1.2 of the FSAR. The terms all tie back to the definition of safety, which is (in definition 4) plant equipment that serves a purpose other than the plant's mission, which is generation of electricity.
CHAPTER 07 7.21-3 REV. 27, APRIL 2019
PBAPS UFSAR The primary importance of the seismic monitoring system is to let the operator know if the QBE has been exceeded. Various commitments and regulations (10CFR100 App A.V(a)(2)) require the plant to be shutdown if the QBE is exceeded. This is the basis for having a safety objective, basis and evaluation in the UFSAR.
Section 7.21.2 says the system is classified as Category I. This is the seismic classification and indicates the system is designed for the SSD earthquake. Seismic qualification of the system is also discussed on Page 31 of 698 of EC 556261.
CHAPTER 07 7.21-4 REV. 27, APRIL 2019
PBAPS UFSAR 7.22 HIGH PRESSURE SERVICE WATER (HPSW) POWER TRANSFER SWITCH 7.22.1 Power Generation Objective The objective of the HPSW power transfer switch is to ensure that the HPSW cross-tie valve remains functional following a OBA or transient.
7.22.2 Power Generation Design Basis The HPSW power transfer switch provides the capability of powering the HPSW cross-tie valve from safety related normal and safety related alternate power supplies. The redundant power supplies ensure that a single failure will not prevent the HPSW cross-tie valve from being opened when required during a design basis event.
7.22.3 Description 7.22.3.l Power Transfer Switch
- l. The HPSW power transfer switch provides redundancy to the safety related 480 Vac Motor Control Centers that supply power to the operators of the HPSW cross-tie valves.
- 2. The HPSW power transfer switch provides the capability of transferring power from the normal power source to the alternate power source via a remote switch in the Main Control Room or using a local switch at the transfer switch panel.
7.22.3.2 Operation The operator takes action as directed station procedures.
Security Related Information Withheld under 10 CFR 2.390 7.22.4 Inspection and Testing The HPSW power transfer switch can be tested during plant operations.
CHAPTER 07 7.22-1 REV. 26, APRIL 2017
PBAPS UFSAR 7.23 RESIDUAL HEAT REMOVAL (RHR) POWER TRANSFER SWITCH 7.23.1 Power Generation Objective The objective of the RHR power transfer switch is to ensure that the RHR Heat Exchanger Control, Cross-tie Isolation and Cooling Water Discharge valves remain functional following a LOOP/LOCA, the loss of a Diesel Generator or 4kV bus, with a need for Containment Cooling.
7.23.2 Power Generation Design Basis The RHR power transfer switch provides the capability of powering the RHR Heat Exchanger Control, Cross-tie Isolation and Cooling Water Discharge valves from safety related normal and safety related alternate power supplies. The redundant power supplies ensure that a single failure will not prevent these valves from being operated when require during a design basis event.
7.23.3 Description 7.23.3.1 Power Transfer Switch
- 1. The RHR power transfer switch provides redundancy to the safety related 480 Vac Motor Control Centers that supply power to the operators of the RHR Heat Exchanger Control, Cross-tie Isolation and Cooling Water Discharge valves.
- 2. The RHR power transfer switch provides the capability of transferring power from the normal power source to the alternate power source via a switch on the associated diesel panel in the Main Control Room.
7.23.3.2 Operation The operator takes action as directed by station procedures.
Security Related Information Withheld under 10 CFR 2.390 7.23.4 Inspection and Testing CHAPTER 07 7.23-1 REV. 26, APRIL 2017
PBAPS UFSAR The RHR power transfer switch can be tested during plant operations.
CHAPTER 07 7.23-2 REV. 26, APRIL 2017